User registries
A user registry holds user account information, such as a user ID and password, that can be accessed during authentication. WAS and WebSphere Portal support three types of user registries:
- LDAP user registries
- Custom User Registry interface:
Used to access non-LDAP user registries that are plugged in to WAS authentication. The database user registry configuration is an example.
- Third-party authentication using Trust Association Interceptors (TAIs). The third-party authentication provider determines the challenge mechanism and authentication method.
In the LDAP and custom registry configurations, WebSphere Portal shares the same authentication registry as WAS.
A datastore that is used to store user account information is called a user registry. A datastore that is used to store user profile and preference information is called a user repository. Two different terms (user registry and user repository) are used because it is possible for the datastores to be different. However, it is also possible for a user registry and a user repository to be based on the same underlying datastore. For example, an LDAP directory typically contains user ID and password information but can also store additional profile information such as e-mail addresses and telephone numbers of users. Therefore, the LDAP directory is both a user registry and a user repository.
In the LDAP configuration of WebSphere Portal, an LDAP directory is used as both a user registry and a user repository. However, if the LDAP directory cannot store all the profile information, the WebSphere Portal database can be used as a database user registry for storing additional profile information. In the database user registry configuration, the WebSphere Portal database is used as both a user registry and a user repository.
In the customer-supplied custom user registry configuration, the custom registry is used as a user registry. It can also be used as a user repository and is typically used in a read-only manner. The WebSphere Portal database can be used as a database user registry for storing additional profile information that cannot be stored in the custom registry.
The LDAP configuration is recommended for an enterprise that prefers to adhere to its existing LDAP structure. Installation of this authentication model requires an LDAP directory, preferably on a separate machine from WebSphere Portal. IBM Directory Server is packaged with WebSphere Portal.
In a non-LDAP configuration, WAS serves as the challenge mechanism for WebSphere Portal, and a database registry holds user account information. WAS Global Security offers full support to this configuration as a Custom User Registry provided by WebSphere Portal. When users log in, WAS authenticates them through the WebSphere Portal-provided Custom User Registry.
Member Manager is a component of WebSphere Portal that manages data for users and groups. If the user is not found in the authentication registry, authentication fails. The lookup must succeed for the user to successfully log in to WebSphere Portal. This is a production-ready, out-of-the-box environment that requires little configuration to implement.
To enable WebSphere Portal to work with an LDAP server or a database user registry configuration, run the appropriate configuration task.
The supported authentication registries and corresponding WAS and WebSphere Portal settings are summarized in the following table:
Member Manager Authentication registry Description LDAP LDAP user registry When the authentication registry is an LDAP server, Member Manager supports creating new user entries in the authentication registry and updating the user ID and password in the registry. User profile information is split between LDAP and a database, based on XML files that configure the Member Manager component. Includes LDAP with an optional database user registry.
non-LDAP, database user registry WebSphere Portal-supplied Custom User Registry WebSphere Portal provides a custom User Registry implementation for the internal WebSphere Portal database. Under this configuration, the authentication registry is part of the Member Manager, and user profile information is stored in the same database. Member Manager supports creating new user entries in the database registry and updating the user ID and password in the registry. Other (non-LDAP, non-database) Customer-supplied Custom User Registry When the authentication registry is some other datastore that is unknown to Member Manager, Member Manager does not create new user entries or update existing user entries in the authentication registry. In this case, manually configure WAS security and install your custom user registry. WebSphere Portal cannot configure WAS Global Security in this case. User profile information is held in the database and in the custom user registry.
Instructions for configuring WebSphere Portal with a customer-supplied custom user registry are not available at this time. This information is scheduled to be published on the WebSphere Portal support page at
See also
- Authentication
- Configure for LDAP without realm support
- Configure for LDAP with realm support
- Database user registry
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.