This topic outlines known limitations and important information
for configuring federated repositories.
Configuring federated repositories in a mixed-version environment
In
a mixed-version deployment manager cell that contains both Version 6.1.x and
Version 5.x or 6.0.x nodes, the following limitations apply for configuring
federated repositories:
- You can configure only one Lightweight Directory Access Protocol (LDAP)
repository under federated repositories, and the repository must be supported
by Version 5.x or 6.0.x.
- You can specify a realm name that is compatible with prior versions only.
The host name and the port number represent the realm for the LDAP server
in a mixed-version nodes cell. For example, machine1.austin.ibm.com:389.
- You must configure a stand-alone LDAP registry; the LDAP information in
both the stand-alone LDAP registry and the LDAP repository under the federated
repositories configuration must match. During node synchronization, the LDAP
information from the stand-alone LDAP registry propagates to the Version 5.x
or 6.0.x nodes.
Important: Before node synchronization, verify
that Federated repositories is identified in the Current realm definition
field. If Federated repositories is not identified, select Federated repositories from
the Available realm definitions field and click Set as current. Do
not set the stand-alone LDAP registry as the current realm definition.
- You cannot configure an entry mapping repository or a property extension
repository in a mixed-version deployment manager cell.
Configuring LDAP servers in a federated
repository
The LDAP connection connectTimeout default value
is 20 seconds. LDAP should respond within 20 seconds for any request from
WebSphere Application Server. If you cannot connect to your LDAP within this
time, make sure that your LDAP is running. A connection error displays at
the top of the LDAP configuration panel when the connection timeout exceeds
20 seconds.
Coexisting with Tivoli Access Manager
For Tivoli Access Manager to coexist with a federated repositories configuration,
the following limitations apply:
- You can configure only one LDAP repository under federated repositories,
and that LDAP repository configuration must match the LDAP server configuration
under Tivoli Access Manager.
- The distinguished name for the realm base entry must match the LDAP distinguished
name (DN) of the base entry within the repository. In WebSphere Application
Server, Tivoli Access Manager recognizes the LDAP user ID and LDAP DN for
both authentication and authorization. The federated repositories configuration
does not include additional mappings for the LDAP user ID and DN.
- The federated repositories functionality does not recognize the metadata
that is specified by Tivoli Access Manager. When users and groups are created
under user and group management, they are not formatted using the Tivoli Access
Manager metadata. The users and groups must be manually imported into Tivoli
Access Manager before you use them for authentication and authorization.