User registry considerations
A user registry or repository authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization.
User registries store user account information, such as user IDs and passwords, that is accessed during authentication. User repositories store user profiles and preference information. A user registry or repository is used to:
- Authenticate a user using basic authentication, identity assertion, or client certificates
- Retrieve user and group information to perform security-related administrative functions such as mapping users and groups to security roles
By default, IBM WebSphere Portal is installed with a federated repository that contains a built-in file repository. The federated repository lets us combine various user registries, realm support for Virtual Portals, and property extensions into a single working unit. The user registries we can add to the federated repository are LDAP user registries, database user registries, and custom user registries.
Using the built-in file repository is not recommended in a production environment. After adding another repository and choosing the administrative users from that repository, we should remove the file repository.
We can create a user base that is federated over multiple repositories:
- LDAP directories
- Databases
- Custom user registries
- Additional attributes in a separate store, if the corporate LDAP directory is read-only
Before combining multiple user registries, consider the following:
- Distinguished names must be unique within a realm across all registries. For example, if uid=wpsadmin,o=myco exists in LDAP1, it must not exist in LDAP2, LDAP3, or DB1.
- The short name, for example wpsadmin, should be unique within a realm across all registries.
- The base distinguished names of all registries used within a realm must not overlap. For example, if the base entry of LDAP1 is c=us,o=myco, the base entry of LDAP2 should not be o=myco.
- Do not leave the base entry blank for any of the registries used within a realm.
- If IBM Domino will be one of the user registries in a multiple-registry configuration and will share a realm with another user registry, ensure that groups are stored in the Domino Directory in a hierarchical format rather than the default flat-naming structure. For example, the flat-naming convention is cn=groupName and the hierarchical format is cn=groupName,o=root.
- A user must exist in a user registry, not only in the property extension configuration; otherwise, the user cannot be a member of the realm.
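The constraints above can be checked before a realm is assembled. The following Python script is an added example, not part of the WebSphere Portal product or this documentation; it validates a constructed plan of registries (names, base entries, user and group DNs are sample values) for duplicate DNs, duplicate short names, blank or overlapping base entries, and flat Domino group names.

```python
from itertools import combinations
from typing import Dict, List

def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs: 'uid=wpsadmin, O=MyCo' -> ['uid=wpsadmin', 'o=myco']."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def bases_overlap(base_a: str, base_b: str) -> bool:
    """True if one base entry equals the other or is an ancestor of it (a suffix of its RDNs)."""
    a, b = rdns(base_a), rdns(base_b)
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    return bool(short) and long_[len(long_) - len(short):] == short

def check_realm(registries: Dict[str, dict]) -> List[str]:
    """Return constraint violations for a planned realm; an empty list means it is consistent.
    Each registry is {"base": str, "users": [dn], "groups": [dn], "domino": bool}."""
    problems: List[str] = []
    seen_dn: Dict[str, str] = {}     # normalised DN -> registry that first declared it
    seen_short: Dict[str, str] = {}  # short name (value of the first RDN) -> registry
    for name, reg in registries.items():
        if not rdns(reg.get("base", "")):
            problems.append(f"{name}: base entry is blank")
        for dn in reg.get("users", []):
            parts = rdns(dn)
            if not parts:
                continue
            key, short = ",".join(parts), parts[0].partition("=")[2]
            if key in seen_dn:
                problems.append(f"DN {dn} exists in both {seen_dn[key]} and {name}")
            if short in seen_short:
                problems.append(f"short name {short} in {name} already used in {seen_short[short]}")
            seen_dn.setdefault(key, name)
            seen_short.setdefault(short, name)
        if reg.get("domino"):  # Domino groups must be hierarchical (more than one RDN)
            for group in reg.get("groups", []):
                if len(rdns(group)) < 2:
                    problems.append(f"{name}: Domino group {group} uses flat naming")
    for (n1, r1), (n2, r2) in combinations(registries.items(), 2):
        if bases_overlap(r1.get("base", ""), r2.get("base", "")):
            problems.append(f"base entries of {n1} and {n2} overlap")
    return problems

# Constructed sample plan: LDAP2's base contains LDAP1's, both define a wpsadmin, Domino has a flat group.
SAMPLE_REALM = {
    "LDAP1": {"base": "c=us,o=myco", "users": ["uid=wpsadmin,c=us,o=myco"]},
    "LDAP2": {"base": "o=myco", "users": ["uid=wpsadmin,o=myco"]},
    "DB1": {"base": "o=dbusers", "users": ["uid=jdoe,o=dbusers"]},
    "DOMINO": {"base": "o=root", "groups": ["cn=editors"], "domino": True},
}
```

Calling check_realm(SAMPLE_REALM) returns three violations: the duplicate short name wpsadmin, the flat Domino group cn=editors, and the overlapping base entries of LDAP1 and LDAP2.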
After adding all user registries to the federated repository, to make a specific user registry the default, edit wkplc.properties, set the values for the default LDAP, and then run:
ConfigEngine.bat wp-set-entitytypes