Federated repositories limitations
Configure LDAP servers in a federated repository
The LDAP connection connectTimeout default value is 20 seconds. LDAP should respond within 20 seconds for any request from WebSphere Application Server. If we cannot connect to the LDAP within this time, make sure that the LDAP is running. A connection error displays at the top of the LDAP configuration panel when the connection timeout exceeds 20 seconds.
Coexisting with ISAM
For Security Access Manager to coexist with a federated repositories configuration, the following limitations apply:
- We can configure only one LDAP repository under federated repositories, and that LDAP repository configuration must match the LDAP server configuration under ISAM.
- The distinguished name for the realm base entry must match the LDAP distinguished name (DN) of the base entry within the repository.
In WebSphere Application Server, ISAM recognizes the LDAP user ID and LDAP DN for both authentication and authorization. The federated repositories configuration does not include additional mappings for the LDAP user ID and DN.
- The federated repositories functionality does not recognize the metadata specified by ISAM.
When users and groups are created under user and group management, they are not formatted using the ISAM metadata. The users and groups must be manually imported into ISAM before we use them for authentication and authorization.
Limitation for configuring active directories with their own federated repository realms
To use the administrative console to perform a wildcard search for all available users on two Active Directories, and to prevent multiple entries exceptions with all built-in IDs, first configure each Active Directory with it's own federated repository realm. However, we cannot use the administrative console to configure each Active Directory with it's own federated repository realm. We can instead use a wsadmin script similar to the following:
$AdminTask createIdMgrRealm {-name AD1realm}
$AdminTask addIdMgrRealmBaseEntry {-name AD1realm -baseEntry o=AD1}
$AdminTask createIdMgrRealm {-name AD2realm}
$AdminTask addIdMgrRealmBaseEntry {-name AD2realm -baseEntry o=AD2}
$AdminConfig save
Limitation for repository ID in federated repositories configuration
In a federated repositories configuration, the repository ID must not exceed a length of 36 characters. If the repository ID exceeds 36 characters, an error may occur while retrieving or storing data, especially if the property extension repository is configured.
Related
- Manage the realm in a federated repository configuration
- Standalone LDAP registry settings
- IdMgrRealmConfig