This topic outlines known limitations and important information
for configuring federated repositories.
Configuring federated repositories in a mixed-version environment
In a mixed-version deployment manager cell that
contains both Version 6.1.x and Version 5.x or 6.0.x nodes, the following
limitations apply for configuring federated repositories:
- You can configure only one Lightweight Directory Access Protocol
(LDAP) repository under federated repositories, and the repository
must be supported by Version 5.x or 6.0.x.
- You can specify only a realm name that is compatible with prior
versions. The host name and the port number represent the realm for the
LDAP server in a mixed-version cell. For example, machine1.austin.ibm.com:389.
- You must configure a stand-alone LDAP registry; the LDAP information
in both the stand-alone LDAP registry and the LDAP repository under
the federated repositories configuration must match. During node synchronization,
the LDAP information from the stand-alone LDAP registry propagates
to the Version 5.x or 6.0.x nodes.
Important: Before node
synchronization, verify that Federated repositories is identified
in the Current realm definition field. If Federated repositories is
not identified, select Federated repositories from the Available
realm definitions field and click Set as current. Do not set
the stand-alone LDAP registry as the current realm definition.
- You cannot configure an entry mapping repository or a property
extension repository in a mixed-version deployment manager cell.
Configuring LDAP servers in a federated repository
The LDAP connection connectTimeout default
value is 20 seconds. The LDAP server should respond within 20 seconds
to any request from WebSphere Application Server. If you cannot connect to
your LDAP server within this time, make sure that it is running. A
connection error is displayed at the top of the LDAP configuration panel
when a connection attempt takes longer than 20 seconds.
Coexisting with Tivoli Access Manager
For Tivoli Access Manager to coexist with a federated repositories
configuration, the following limitations apply:
- You can configure only one LDAP repository under federated repositories,
and that LDAP repository configuration must match the LDAP server
configuration under Tivoli Access Manager.
- The distinguished name for the realm base entry must match the
LDAP distinguished name (DN) of the base entry within the repository.
In WebSphere Application Server, Tivoli Access Manager recognizes
the LDAP user ID and LDAP DN for both authentication and authorization.
The federated repositories configuration does not include additional
mappings for the LDAP user ID and DN.
- The federated repositories functionality does not recognize the
metadata that is specified by Tivoli Access Manager. When users and
groups are created under user and group management, they are not formatted
using the Tivoli Access Manager metadata. The users and groups must
be manually imported into Tivoli Access Manager before you use them
for authentication and authorization.
Limitation for repository ID in federated repositories configuration
In a federated repositories configuration,
the repository ID must not exceed a length of 36 characters. If the
repository ID exceeds 36 characters, an error may occur while retrieving
or storing data, especially if the property extension repository is
configured.
![[Updated in August 2011]](../../deltaend.gif)
z/OS LDAP server with RACF not supported
WebSphere Application Server federated repositories DO NOT support a
z/OS LDAP server with an SDBM backend (Resource Access Control Facility
(RACF)).
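The following pre-synchronization check is an added example, not IBM code: it lints a simplified view of a cell's security settings against the mixed-version limitations and the 36-character repository ID limit described above. The dictionary layout, key names, the set of LDAP fields compared and the sample values are assumptions made for illustration; they are not WebSphere's own configuration schema.

```python
# Added example. The dict layout and key names are hypothetical.
MAX_REPOSITORY_ID_LEN = 36
LDAP_FIELDS = ("host", "port", "base_dn")  # assumed set of "LDAP information" to compare

def check_federated_config(cfg, mixed_version_cell=True):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    repos = cfg.get("repositories", [])
    for repo in repos:
        if len(repo["id"]) > MAX_REPOSITORY_ID_LEN:
            findings.append("repository ID exceeds 36 characters: %s" % repo["id"])
    if not mixed_version_cell:
        return findings  # the remaining rules apply to mixed-version cells only
    ldap = [r for r in repos if r["type"] == "ldap"]
    if len(ldap) > 1:
        findings.append("more than one LDAP repository (%d)" % len(ldap))
    for repo in repos:
        if repo["type"] in ("entry_mapping", "property_extension"):
            findings.append("%s repository not allowed in a mixed-version cell" % repo["type"])
    if cfg.get("current_realm_definition") != "Federated repositories":
        findings.append("current realm definition is not Federated repositories")
    standalone = cfg.get("standalone_ldap")
    if standalone is None:
        findings.append("stand-alone LDAP registry is not configured")
    elif len(ldap) == 1:
        for field in LDAP_FIELDS:
            if ldap[0].get(field) != standalone.get(field):
                findings.append("LDAP %s differs from the stand-alone registry" % field)
        expected_realm = "%s:%s" % (ldap[0]["host"], ldap[0]["port"])
        if cfg.get("realm_name") != expected_realm:
            findings.append("realm name should be %s" % expected_realm)
    return findings

# Constructed sample input; the host name is the one in the page's realm example.
SAMPLE = {
    "current_realm_definition": "Standalone LDAP registry",
    "realm_name": "myRealm",
    "standalone_ldap": {"host": "machine1.austin.ibm.com", "port": 389, "base_dn": "o=example"},
    "repositories": [
        {"id": "ldap-" + "x" * 40, "type": "ldap",
         "host": "machine1.austin.ibm.com", "port": 636, "base_dn": "o=example"},
        {"id": "ext1", "type": "property_extension"},
    ],
}

if __name__ == "__main__":
    for finding in check_federated_config(SAMPLE):
        print("FINDING:", finding)
```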