User registry considerations

A user registry or repository authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization.

User registries store user account information, such as user ID and password, accessed during authentication. User repositories store user profiles and preference information. A user registry or repository is used to:

  • Authenticate a user using basic authentication, identity assertion, or client certificates

  • Retrieve user and group information to perform security-related administrative functions such as mapping users and groups to security roles

By default, IBM WebSphere Portal is installed with a federated repository with a built-in file repository. The federated repository allows us to add various user registries, realm support for Virtual Portals, and/or property extensions to create a single, working unit. The available user registries we can add to the federated repository are LDAP user registries, database user registries, and custom user registries.

Using the built-in file repository is not recommended in a production environment. After adding another repository and choosing the administrative users from that repository, we should remove the file repository.

We can create a user base that can be federated over multiple repositories:

  • LDAPs
  • DBs
  • custom user registries
  • Additional attributes in a separate store if the corporate LDAP directory is read-only

Before combining multiple user registries in one realm, make sure the following requirements are met:

  • Distinguished names must be unique for a realm over all registries. For example, if...

      uid=wpsadmin,o=myco

    ...exists in LDAP1, it must not exist in LDAP2, LDAP3, or DB1.

  • The shortname, for example wpsadmin, should be unique for a realm over all registries.

  • The base distinguished names for all registries used within a realm must not overlap; for example, if LDAP1 is...

      c=us,o=myco

    ...LDAP2 should not be...

      o=myco

  • Do not leave the base entry blank for any of the registries used within a realm.

  • If IBM Domino will be one of the user registries in a multiple registry configuration and will share a realm with another user registry, ensure the groups are stored in a hierarchical format in the Domino Directory as opposed to the default flat-naming structure. For example, the flat-naming convention is cn=groupName and the hierarchical format is cn=groupName,o=root.

  • The user must exist in a user registry and not within the property extension configuration; otherwise, the user cannot be a member of the realm.
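As an added illustration that is not part of the IBM documentation, the following Python check applies the realm rules listed above (no blank base entry, non-overlapping base DNs, and unique distinguished names and short names across registries) to a set of registries. Registry names, base DNs and user DNs are constructed sample data.

```python
from collections import defaultdict

def dn_components(dn):
    """Split a DN into normalized (lowercased, trimmed) RDN components."""
    return tuple(part.strip().lower() for part in dn.split(","))

def shortname(dn):
    """Value of the leftmost RDN, e.g. 'wpsadmin' for 'uid=wpsadmin,o=myco'."""
    return dn_components(dn)[0].split("=", 1)[1]

def base_dns_overlap(base_a, base_b):
    """True if one base DN equals the other or is a parent of it (suffix match)."""
    a, b = dn_components(base_a), dn_components(base_b)
    shorter, longer = (a, b) if len(a) <= len(b) else (b, a)
    return longer[len(longer) - len(shorter):] == shorter

def check_realm(registries):
    """registries: {registry_name: {"base": base_dn, "users": [user_dn, ...]}}.
    Returns the list of realm-rule violations (empty list: registries may share a realm)."""
    problems = []
    names = list(registries)
    # Rule: no registry in the realm may have a blank base entry.
    for name in names:
        if not registries[name]["base"].strip():
            problems.append(f"{name}: base entry is blank")
    # Rule: base DNs of registries in one realm must not overlap.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ba, bb = registries[a]["base"], registries[b]["base"]
            if ba.strip() and bb.strip() and base_dns_overlap(ba, bb):
                problems.append(f"base '{ba}' ({a}) overlaps base '{bb}' ({b})")
    # Rules: full DNs and short names must be unique across all registries.
    dn_owners, short_owners = defaultdict(set), defaultdict(set)
    for name in names:
        for dn in registries[name]["users"]:
            dn_owners[dn_components(dn)].add(name)
            short_owners[shortname(dn)].add(name)
    for dn, owners in dn_owners.items():
        if len(owners) > 1:
            problems.append(f"DN '{','.join(dn)}' exists in {sorted(owners)}")
    for short, owners in short_owners.items():
        if len(owners) > 1:
            problems.append(f"shortname '{short}' exists in {sorted(owners)}")
    return problems

# Constructed sample: LDAP2's base is a parent of LDAP1's base, and both hold a 'wpsadmin'.
BAD_REALM = {
    "LDAP1": {"base": "c=us,o=myco", "users": ["uid=wpsadmin,c=us,o=myco"]},
    "LDAP2": {"base": "o=myco", "users": ["uid=wpsadmin,o=myco"]},
    "DB1": {"base": "o=db", "users": ["uid=alice,o=db"]},
}
```

Running `check_realm(BAD_REALM)` reports the overlapping base DNs and the duplicated `wpsadmin` short name; fixing both before federating the registries avoids ambiguous realm membership.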

After adding all user registries to the federated repository, to set a specific user registry as the default, edit wkplc.properties, set the values for the default LDAP user registry, and then run...

    ConfigEngine.bat wp-set-entitytypes
