User registry
User registries and repositories store user account and profile information, such as...
- user IDs and passwords
- email addresses
- phone numbers
- title
- department
Both can be used for...
- basic authentication
- identity assertion
- client certificates
WebSphere Portal is bundled with a federated repository containing a single built-in file repository.
You can add the following to the federated repository...
- LDAP, DB, and custom user registries
- Realm support for virtual portals
- Property and attribute extensions
The built-in file repository is not recommended in a production environment and should be removed after configuring a new default repository.
Transfer existing administrative users to the new repository before deleting the built-in file repository.
For read-only LDAP directories, we can save additional attributes in a separate store (see Property extension below).
To set a specific user registry as the default...
ConfigEngine.sh wp-set-entitytypes
Before combining multiple user registries, review the registries for the following limitations and correct any issues:
- Distinguished names must be unique over all registries within a realm.
For example, if...
uid=wpsadmin,o=yourco
...exists in LDAP1, it must not exist in LDAP2, LDAP3, or DB1.
- The shortname (for example, wpsadmin) should be unique over all registries within a realm.
- The base distinguished names for all registries used within a realm must not overlap; for example, if LDAP1 is...
c=us,o=yourco
...LDAP2 should not be o=yourco.
- Do not leave the base entry blank for any of the registries used within a realm.
- If Lotus Domino will be one of the user registries in a multiple registry configuration, store groups in a hierarchical format as opposed to the default flat-naming structure.
For example, the flat-naming convention is...
cn=groupName
...and the hierarchical format is...
cn=groupName,o=root
- The user must exist in a user registry and not within the property extension configuration; otherwise, the user cannot be a member of the realm.
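The following pre-check applies the limitations listed above to a set of registry definitions before they are combined into one realm. It is an added example, not part of the WebSphere Portal documentation or product; the registry names, base DNs and user entries are constructed sample data.

```python
def dn_components(dn):
    """Split a DN into normalized RDN components: 'c=us, o=yourco' -> ['c=us', 'o=yourco']."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def base_dns_overlap(base_a, base_b):
    """Two base DNs overlap when one is a suffix of the other, e.g. o=yourco contains c=us,o=yourco."""
    shorter, longer = sorted((dn_components(base_a), dn_components(base_b)), key=len)
    return longer[-len(shorter):] == shorter


def check_realm(registries):
    """registries: {registry_name: {"base": base DN, "users": [(shortname, dn), ...]}}
    Returns a list of violation strings; an empty list means the realm passes all checks."""
    problems = []
    names = list(registries)
    # Limitation: do not leave the base entry blank for any registry in the realm.
    for name in names:
        if not registries[name]["base"].strip():
            problems.append(f"{name}: base entry is blank")
    # Limitation: base DNs of registries in the same realm must not overlap.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            base_a, base_b = registries[a]["base"], registries[b]["base"]
            if base_a.strip() and base_b.strip() and base_dns_overlap(base_a, base_b):
                problems.append(f"{a} ({base_a}) overlaps {b} ({base_b})")
    # Limitation: DNs and shortnames must be unique across all registries in the realm.
    seen_dn, seen_short = {}, {}
    for name in names:
        for short, dn in registries[name]["users"]:
            dn_key = ",".join(dn_components(dn))
            if dn_key in seen_dn:
                problems.append(f"DN {dn} exists in both {seen_dn[dn_key]} and {name}")
            seen_dn.setdefault(dn_key, name)
            short_key = short.lower()
            if short_key in seen_short:
                problems.append(f"shortname {short} exists in both {seen_short[short_key]} and {name}")
            seen_short.setdefault(short_key, name)
    return problems


# Constructed sample realm (illustrative names and DNs, not from a real deployment).
# It breaks three of the limitations on purpose: blank base, overlapping bases, duplicate shortname.
SAMPLE_REGISTRIES = {
    "LDAP1": {"base": "c=us,o=yourco", "users": [("wpsadmin", "uid=wpsadmin,c=us,o=yourco")]},
    "LDAP2": {"base": "o=yourco", "users": [("wpsadmin", "uid=wpsadmin,o=yourco")]},
    "DB1": {"base": "", "users": [("jdoe", "uid=jdoe,o=db")]},
}
```

Running `check_realm(SAMPLE_REGISTRIES)` reports the blank DB1 base, the LDAP1/LDAP2 base overlap and the duplicate wpsadmin shortname; a realm whose registries use disjoint bases such as c=us,o=yourco and c=uk,o=yourco returns no violations.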
If you have an application that does not support the federated repository, you can switch to a standalone LDAP user registry or a standalone custom user registry.
- Overview of user registry options
WebSphere Portal provides a variety of security configuration tasks. In the past, there was one task, which did not let you recover from errors or allow the user registry to meet your growing business needs. Now there are multiple tasks, which allow you to fine-tune your system to meet your business needs.
- Realm support
A realm is a collection of users or groups from one or more branches of your repository tree. Those branches can be part of a single repository, for example an LDAP user registry, or it can be a combination of multiple user registries. A realm is then mapped to a virtual portal to allow the realm's user population to log in to the virtual portal. This functionality allows you to define areas within WebSphere Portal that only a limited set of users can access.
- Property extension
The Property Extension, formerly known as the lookaside database, allows you to store additional user attributes in a database store without touching your backend user registry. You can use the Property Extension if your LDAP is read-only but users need to specify an additional attribute, such as Timezone.
You can store this additional attribute in the database store. You can also add attributes for an application if you cannot change your repository schema.