This topic outlines known limitations and important information
for configuring federated repositories.
Configuring federated repositories in a mixed-version environment
In a mixed-version deployment manager cell that
contains both Version 6.1.x and Version 5.x or 6.0.x nodes, the following
limitations apply for configuring federated repositories:
- You can configure only one Lightweight Directory Access Protocol
(LDAP) repository under federated repositories, and the repository
must be supported by Version 5.x or 6.0.x.
- You can specify only a realm name that is compatible with prior versions.
In a mixed-version cell the realm for the LDAP server is represented by
the host name and port number of the LDAP server, for example machine1.austin.ibm.com:389.
- You must configure a stand-alone LDAP registry; the LDAP information
in both the stand-alone LDAP registry and the LDAP repository under
the federated repositories configuration must match. During node synchronization,
the LDAP information from the stand-alone LDAP registry propagates
to the Version 5.x or 6.0.x nodes.
Important: Before node synchronization, verify that Federated repositories
is shown in the Current realm definition field. If it is not, select
Federated repositories in the Available realm definitions field and click
Set as current. Do not set the stand-alone LDAP registry as the current
realm definition.
- You cannot configure an entry mapping repository or a property
extension repository in a mixed-version deployment manager cell.
Configuring LDAP servers in a federated repository
The default value of the LDAP connection connectTimeout property is 20 seconds,
so the LDAP server must respond to any request from WebSphere® Application Server
within 20 seconds. If a connection cannot be established within that time,
verify that the LDAP server is running and reachable from the application
server. When the connection attempt exceeds the timeout, a connection error
is displayed at the top of the LDAP configuration panel.
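The check behind that error message, as an added example that is not part of the WebSphere documentation: a small Python probe that sends an anonymous LDAPv3 bind and reports whether the directory answered, refused the connection (nothing listening, so LDAP is not running) or accepted the connection but never replied (the case that trips connectTimeout). The host and port are loopback stand-ins and a constructed fake server plays the LDAP side, so the script runs offline; against a real directory you would call probe_ldap with the LDAP host and port from your configuration.

```python
"""Probe whether an LDAP server answers within WebSphere's connectTimeout.

Added example, not code from the WebSphere documentation. It sends the
smallest possible LDAPv3 request (an anonymous simple bind) and reports
'ok', 'timeout', 'refused' or 'bad-response'. A directory that is down is
refused at once; an overloaded or firewalled one hangs until the timeout.
"""
import socket
import threading
import time

CONNECT_TIMEOUT = 20  # seconds; the federated-repositories default

# BER-encoded LDAPv3 anonymous BindRequest, messageID 1:
#   SEQUENCE { INTEGER 1, [APPLICATION 0] { INTEGER 3, OCTET STRING "", [0] "" } }
ANON_BIND_REQUEST = bytes.fromhex("30 0c 02 01 01 60 07 02 01 03 04 00 80 00")
# Matching BindResponse with resultCode success(0), used by the fake server below.
BIND_RESPONSE_OK = bytes.fromhex("30 0c 02 01 01 61 07 0a 01 00 04 00 04 00")


def probe_ldap(host, port, timeout=CONNECT_TIMEOUT):
    """Return 'ok', 'refused', 'timeout', 'bad-response' or 'ldap-result:<code>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)          # also bound the wait for the reply
            sock.sendall(ANON_BIND_REQUEST)
            resp = sock.recv(64)
    except ConnectionRefusedError:
        return "refused"                      # nothing listening: LDAP not running
    except socket.timeout:
        return "timeout"                      # what exceeds connectTimeout in WebSphere
    except OSError as exc:
        return f"error:{exc.__class__.__name__}"
    # Reply must be SEQUENCE { messageID 1, [APPLICATION 1] BindResponse { ENUMERATED
    # resultCode, ... } }. With messageID 1 the first 0x61 byte is the BindResponse
    # tag; the resultCode (0x0a 0x01 <code>) follows its one-byte length.
    tag = resp.find(b"\x61")
    if (resp[:1] != b"\x30" or tag < 1
            or resp[tag + 2:tag + 4] != b"\x0a\x01" or len(resp) <= tag + 4):
        return "bad-response"                 # something answered, but not LDAP
    code = resp[tag + 4]
    return "ok" if code == 0 else f"ldap-result:{code}"


def fake_ldap_server(behaviour):
    """Constructed stand-in for a directory on 127.0.0.1; returns its port.
    'answer' replies to the bind; 'hang' accepts the TCP connection but never
    answers, which is how an overloaded directory looks to WebSphere."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            if behaviour == "answer":
                conn.sendall(BIND_RESPONSE_OK)
            else:
                time.sleep(5)                 # outlives the short probe timeout in demo()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(timeout=1):
    """Run the probe against the three situations described in the text.
    A one-second timeout stands in for the 20-second default to keep the demo quick."""
    results = {
        "answering": probe_ldap("127.0.0.1", fake_ldap_server("answer"), timeout),
        "hanging": probe_ldap("127.0.0.1", fake_ldap_server("hang"), timeout),
    }
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))
    down_port = closed.getsockname()[1]
    closed.close()                            # nothing listens on this port any more
    results["down"] = probe_ldap("127.0.0.1", down_port, timeout)
    return results


if __name__ == "__main__":
    # Real use: probe_ldap("machine1.austin.ibm.com", 389)  (host:port as in the text above)
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The three outcomes map directly onto the troubleshooting step above: "refused" means start the directory, "timeout" means the directory or the network path is too slow for the configured connectTimeout, and only "ok" means the configuration panel's connection test should succeed.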
Coexisting with Tivoli Access Manager
For Tivoli Access Manager to coexist with a federated
repositories configuration, the following limitations apply:
- You can configure only one LDAP repository under federated repositories,
and that LDAP repository configuration must match the LDAP server
configuration under Tivoli Access Manager.
- The distinguished name for the realm base entry must match the
LDAP distinguished name (DN) of the base entry within the repository.
In WebSphere Application Server, Tivoli Access
Manager recognizes the LDAP user ID and LDAP DN for both authentication
and authorization. The federated repositories configuration does not
include additional mappings for the LDAP user ID and DN.
- The federated repositories functionality does not recognize the
metadata that Tivoli Access Manager specifies. Users and groups that are
created through user and group management are not formatted with the
Tivoli Access Manager metadata, so they must be imported into Tivoli
Access Manager manually before you can use them for authentication and
authorization.
Limitation for changing the realm name for federated repositories in a multiple security domain environment
When you configure multiple security domains for IBM® WebSphere Application
Server Version 7.0, you must configure the realm name for a federated
repository before you assign the federated repository to any domain.
After you assign the federated repository to a security domain, you cannot
change its realm name using the administrative console, because the change
is reflected only in the global security.xml file and not in the
domain-security.xml file. The result is two different realm names that
are used by the same registry.
If you must change the realm name for the federated repository after it
has been assigned to a security domain, use the updateIdMgrRealm and
configureAppWIMUserRegistry commands to change the realm name in the
domain-security.xml file as well.
Limitation for configuring Active Directories with their own federated repository realms
To use the administrative console to perform a wildcard search for all
available users across two Active Directories, and to prevent the
multiple-entries exceptions that the built-in IDs otherwise cause, you
must first configure each Active Directory with its own federated
repository realm.
However, you cannot use the administrative console to configure each
Active Directory with its own federated repository realm. Instead, use a
wsadmin script similar to the following (Jacl):
# Create a realm for the first Active Directory and attach its base entry
$AdminTask createIdMgrRealm {-name AD1realm}
$AdminTask addIdMgrRealmBaseEntry {-name AD1realm -baseEntry o=AD1}
# Repeat for the second Active Directory
$AdminTask createIdMgrRealm {-name AD2realm}
$AdminTask addIdMgrRealmBaseEntry {-name AD2realm -baseEntry o=AD2}
# Persist the changes to the configuration repository
$AdminConfig save