Follow this topic to manage the realm in a federated repository
configuration.
Results
Configuring federated repositories in a mixed-version environment
In a mixed-version deployment manager cell that contains both Version 6.1.x
and Version 5.x or 6.0.x nodes, the following limitations apply for
configuring federated repositories:
- You can configure only one Lightweight Directory Access Protocol
(LDAP) repository under federated repositories, and the repository
must be supported by Version 5.x or 6.0.x.
- You can specify a realm name that is compatible with prior versions
only. The host name and the port number represent the realm for the
LDAP server in a mixed-version nodes cell. For example, machine1.austin.ibm.com:389.
- You must configure a stand-alone LDAP registry; the LDAP information
in both the stand-alone LDAP registry and the LDAP repository under
the federated repositories configuration must match. During node synchronization,
the LDAP information from the stand-alone LDAP registry propagates
to the Version 5.x or 6.0.x nodes.
Important: Before node
synchronization, verify that Federated repositories is identified
in the Current realm definition field. If Federated repositories is
not identified, select Federated repositories from the Available
realm definitions field and click Set as current. Do not set
the stand-alone LDAP registry as the current realm definition.
- You cannot configure an entry mapping repository or a property
extension repository in a mixed-version deployment manager cell.
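The limitations above are easy to violate silently, because the stand-alone LDAP registry and the federated LDAP repository are edited on different panels. The following added example (not IBM's code, and not WebSphere's real configuration format) checks a simplified representation of both configurations against those limitations; the dictionaries, key names and the machine1.austin.ibm.com:389 sample are constructed assumptions, and DNs are compared after normalizing case and whitespace so that "o=ibm, c=us" and "O=IBM,C=US" are treated as equal.

```python
"""Consistency checks for a mixed-version cell using federated repositories.

Constructed example: the dictionaries stand in for the stand-alone LDAP
registry settings and the federated repositories configuration as an
administrator might extract them. Key names are assumptions, not WebSphere's.
"""
import re

# Constructed sample configuration (assumed values for illustration only).
STANDALONE_LDAP = {"host": "machine1.austin.ibm.com", "port": 389,
                   "baseDN": "o=ibm, c=us"}
FEDERATED = {
    "realmName": "machine1.austin.ibm.com:389",
    "ldapRepositories": [{"host": "machine1.austin.ibm.com", "port": 389,
                          "baseDN": "O=IBM,C=US"}],
    "entryMappingRepository": None,
    "propertyExtensionRepository": None,
}


def normalize_dn(dn):
    """Canonicalize a DN: lowercase, no spaces around ',' or '='."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(s.strip().lower() for s in p.split("=", 1))
                    for p in parts)


def check_mixed_version_config(standalone, federated):
    """Return the list of violated mixed-version limitations (empty = OK)."""
    problems = []
    repos = federated.get("ldapRepositories", [])
    if len(repos) != 1:
        problems.append("exactly one LDAP repository is allowed, found %d" % len(repos))
        return problems
    ldap = repos[0]
    # Realm name must be the prior-version-compatible host:port of the LDAP server.
    expected_realm = "%s:%d" % (ldap["host"], ldap["port"])
    if not re.match(r"^[A-Za-z0-9.-]+:\d+$", federated.get("realmName", "")):
        problems.append("realm name is not in host:port form")
    elif federated["realmName"] != expected_realm:
        problems.append("realm name %r does not match LDAP server %r"
                        % (federated["realmName"], expected_realm))
    # Stand-alone LDAP registry must match the federated LDAP repository.
    for key in ("host", "port"):
        if standalone.get(key) != ldap.get(key):
            problems.append("stand-alone LDAP %s differs from federated repository" % key)
    if normalize_dn(standalone.get("baseDN", "")) != normalize_dn(ldap.get("baseDN", "")):
        problems.append("base DN differs between stand-alone registry and federated repository")
    # Entry mapping and property extension repositories are not supported here.
    for key in ("entryMappingRepository", "propertyExtensionRepository"):
        if federated.get(key):
            problems.append("%s is not supported in a mixed-version cell" % key)
    return problems


if __name__ == "__main__":
    for line in check_mixed_version_config(STANDALONE_LDAP, FEDERATED) or ["configuration consistent"]:
        print(line)
```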
Configuring LDAP servers in a federated repository
The default value of the LDAP connection connectTimeout is 20 seconds, so
the LDAP server must respond within 20 seconds to any request from WebSphere
Application Server. If a connection cannot be established within this time,
verify that your LDAP server is running and reachable. When the connection
timeout exceeds 20 seconds, a connection error is displayed at the top of the
LDAP configuration panel.
Coexisting with Tivoli Access Manager
For Tivoli Access Manager to coexist with a federated repositories
configuration, the following limitations apply:
- You can configure only one LDAP repository under federated repositories,
and that LDAP repository configuration must match the LDAP server
configuration under Tivoli Access Manager.
- The distinguished name for the realm base entry must match the
LDAP distinguished name (DN) of the base entry within the repository.
In WebSphere Application Server, Tivoli Access Manager recognizes
the LDAP user ID and LDAP DN for both authentication and authorization.
The federated repositories configuration does not include additional
mappings for the LDAP user ID and DN.
- The federated repositories functionality does not recognize the
metadata that is specified by Tivoli Access Manager. When users and
groups are created under user and group management, they are not formatted
using the Tivoli Access Manager metadata. The users and groups must
be manually imported into Tivoli Access Manager before you use them
for authentication and authorization.