User registry considerations

A user registry or repository authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization.

User registries store user account information, such as user ID and password, accessed during authentication. User repositories store user profiles and preference information. A user registry or repository is used to:

• Authenticate a user using basic authentication, identity assertion, or client certificates

• Retrieve user and group information to perform security-related administrative functions such as mapping users and groups to security roles

By default, IBM WebSphere Portal is installed with a federated repository with a built-in file repository. The federated repository allows us to add various user registries, realm support for Virtual Portals, and/or property extensions to create a single, working unit. The available user registries we can add to the federated repository are LDAP user registries, database user registries, and custom user registries.

Using the built-in file repository is not recommended in a production environment. After adding another repository and choosing the administrative users from that repository, we should remove the file repository.

We can create a user base that can be federated over multiple repositories:

• LDAPs
• DBs
• custom user registries
• Additional attributes in a separate store if the corporate LDAP directory is read-only

Before combining multiple user registries...

• Distinguished names must be unique for a realm over all registries. For example, if...
  uid=wpsadmin,o=myco

  ...exists in LDAP1, it must not exist in LDAP2, LDAP3, or DB1.

• The shortname, for example wpsadmin, should be unique for a realm over all registries.

• The base distinguished names for all registries used within a realm must not overlap; for example, if LDAP1 is...
  c=us,o=myco

  ...LDAP2 should not be...

  o=myco

• Do not leave the base entry blank for any of the registries used within a realm.

• If IBM Domino will be one of the user registries in a multiple registry configuration and will share a realm with another user registry, ensure the groups are stored in a hierarchical format in the Domino Directory as opposed to the default flat-naming structure. For example, the flat-naming convention is cn=groupName and the hierarchical format is cn=groupName,o=root.

• The user must exist in a user registry and not within the property extension configuration; otherwise, the user cannot be a member of the realm.

After adding all user registries to the federated repository, to set a specific user registry as the default, edit wkplc.properties and set values for default LDAP, then run...

ConfigEngine.bat wp-set-entitytypes

See

• User registry options
  
• Virtual Member Manager integration
  
• Realm support
  
• Property extension
  

Parent Plan to install WebSphere Portal

Related reference:

Directory Search