A user registry or repository authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization.
User registries store user account information, such as user ID and password, that can be accessed during authentication. User repositories store user profiles and preference information. A user registry or repository is used to:
- Authenticate a user using basic authentication, identity assertion, or client certificates
- Retrieve user and group information to perform security-related administrative functions such as mapping users and groups to security roles
By default, IBM® Lotus® Quickr™ for WebSphere Portal is installed with a federated repository with a built-in file repository. The federated repository allows you to add various user registries, realm support for Virtual Portals, and/or property extensions to create a single, working unit. The available user registries that you can add to the federated repository are LDAP user registries, database user registries, and custom user registries.
Using the built-in file repository is not recommended in a production environment. After adding another repository and choosing the administrative users from that repository, you should remove the file repository.
Based on the federated repository, Lotus Quickr allows you to create a user base that can be federated over multiple repositories: LDAP, DB, and/or custom user registry. It also allows you to define additional attributes in a separate store if your corporate LDAP directory is read-only.
If you are using a federated repository, you must plan where you want to store new users and groups. By default, new users and groups are stored in the default file repository. If you use multiple LDAP user registries and/or database user registries, you must decide which user registry to define as your default user registry, where new users and groups are stored. After you add all user registries to your federated repository, you can run the wp-set-entitytypes task to set a specific user registry as the default location.
Before combining multiple user registries, review the registries for the following limitations and correct any issues:
- Distinguished names must be unique for a realm over all registries. For example, if uid=wpsadmin,o=yourco exists in LDAP1, it must not exist in LDAP2, LDAP3, or DB1.
- The shortname, for example wpsadmin, should be unique for a realm over all registries.
- The base distinguished names for all registries used within a realm must not overlap; for example, if LDAP1 is c=us,o=yourco, LDAP2 should not be o=yourco.
- Do not leave the base entry blank for any of the registries used within a realm.
- If IBM Lotus Domino® will be one of your user registries in a multiple registry configuration and will share a realm with another user registry, ensure that the groups are stored in a hierarchical format in the Domino Directory as opposed to the default flat-naming structure. For example, the flat-naming convention is cn=groupName and the hierarchical format is cn=groupName,o=root.
- The user must exist in a user registry and not within the property extension configuration; otherwise, the user cannot be a member of the realm.
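The realm-wide limitations above can be checked before the registries are combined. The following pre-flight check is an added example, not IBM's code or a Lotus Quickr task; the registry names, base DNs and entries are constructed sample data, and DNs are split on plain commas, so escaped commas inside RDN values are not handled.

```python
def _rdns(dn):
    """Split a DN into normalised RDNs: 'UID=x, O=Yourco' -> ['uid=x', 'o=yourco']."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def _is_ancestor_or_equal(base, other):
    """True if `base` equals `other` or is one of its parent entries."""
    b, o = _rdns(base), _rdns(other)
    return len(b) <= len(o) and o[len(o) - len(b):] == b

def check_realm(registries):
    """registries: {name: {"base": dn, "entries": [(dn, shortname), ...],
                        "domino_groups": [group_dn, ...]}} (last key optional).
    Returns a list of problem strings; empty means the realm passes the checks."""
    problems = []
    names = sorted(registries)
    for n in names:                                   # no blank base entry allowed
        if not _rdns(registries[n]["base"]):
            problems.append(f"{n}: base entry is blank")
        for g in registries[n].get("domino_groups", []):  # Domino groups: hierarchical only
            if len(_rdns(g)) < 2:
                problems.append(f"{n}: Domino group {g} uses flat naming")
    for i, a in enumerate(names):                     # base DNs must not overlap
        for b in names[i + 1:]:
            ba, bb = registries[a]["base"], registries[b]["base"]
            if _rdns(ba) and _rdns(bb) and (
                    _is_ancestor_or_equal(ba, bb) or _is_ancestor_or_equal(bb, ba)):
                problems.append(f"base DNs overlap: {a} ({ba}) and {b} ({bb})")
    seen_dn, seen_short = {}, {}                      # DN and shortname unique realm-wide
    for n in names:
        for dn, short in registries[n]["entries"]:
            key, s = ",".join(_rdns(dn)), short.lower()
            if seen_dn.setdefault(key, n) != n:
                problems.append(f"duplicate DN {dn} in {seen_dn[key]} and {n}")
            if seen_short.setdefault(s, n) != n:
                problems.append(f"duplicate shortname {short} in {seen_short[s]} and {n}")
    return problems

SAMPLE_REGISTRIES = {  # constructed sample data, not taken from a real deployment
    "LDAP1": {"base": "c=us,o=yourco",
              "entries": [("uid=wpsadmin,c=us,o=yourco", "wpsadmin")]},
    "LDAP2": {"base": "o=yourco",                    # parent of LDAP1's base: overlap
              "entries": [("uid=wpsadmin,o=yourco", "wpsadmin")]},  # shortname clash
    "DOMINO": {"base": "o=root", "entries": [("cn=Jane Doe,o=root", "jdoe")],
               "domino_groups": ["cn=Editors"]},     # flat-named group
    "DB1": {"base": "", "entries": [("uid=jsmith,o=db", "jsmith")]},  # blank base entry
}

if __name__ == "__main__":
    for p in check_realm(SAMPLE_REGISTRIES):
        print("PROBLEM:", p)
```

Run against the sample data it reports one violation for each of the four rules it checks; an empty result means the registries can be combined into one realm as far as these rules go.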
If you have an application that does not support the federated repository, you can switch to a standalone LDAP user registry or a standalone custom user registry.
Overview of user registry options
IBM Lotus Quickr for WebSphere Portal provides a variety of security configuration tasks. In the past there was a single task, which did not let you recover from errors or adapt your user registry as your business needs grew. Now there are multiple tasks, which let you fine-tune your system to meet your business needs.
Realm support
A realm is a collection of users or groups from one or more branches of your repository tree. Those branches can belong to a single repository, for example an LDAP user registry, or they can span multiple user registries. A realm is then mapped to a Virtual Portal so that the realm's user population can log in to that Virtual Portal. This lets you define areas within Lotus Quickr that only a limited set of users can access.
Property extension
The Property Extension, formerly known as the lookaside database, lets you store additional user attributes in a database store without touching your backend user registry. Use the Property Extension if your LDAP is read-only but you need to let users specify an additional attribute such as Timezone; the attribute is then stored in the database store. You can also add attributes required by an application when you cannot change your repository schema.