![[8.5.5.8 or later]](../ng_v8558.gif)
This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.
Federation of user registries
User registry federation is used when user and group information is spread across multiple registries. For example, the information might be in two different LDAPs, in two subtrees of the same LDAP, in a file, or the users are of a system. The information might even be in a custom user data repository. With registries federated, you can search and use these distributed user information in a unified manner with continuous store of information. Using federated registry, you can use the unified view for authentication and authorization of users in Liberty.
Note: Quick start security (quickStartSecurity) cannot be federated with other user
registries such as the LDAP, basic, SAF, and custom registries.
How are user registries federated?
LDAP registries are federated by default. If more than one LDAP registry is configured in the server.xml, then the registries are automatically federated and no additional configuration is needed. They can be two separate LDAPs or two subtrees in the same LDAP.If one or more LDAP registries are configured with one or more of
basic, SAF, or custom registries, those registries are also federated without any
additional configuration. The following example shows a basic registry federated
with an LDAP:
<server description="Federation">
<featureManager>
<feature>appSecurity-2.0</feature>
<feature>servlet-3.0</feature>
<feature>ldapRegistry-3.0</feature>
</featureManager>
<basicRegistry id="basic" realm="SampleBasicRealm">
<user name="admin" password="password" />
<user name="user1" password="password" />
<user name="user2" password="password" />
<group name="memberlessGroup" />
<group name="adminGroup">
<member name="admin"/>
</group>
<group name="users">
<member name="user1"/>
<member name="user2"/>
</group>
</basicRegistry>
<ldapRegistry id="LDAP1" realm="SampleLdapIDSRealm" host="LDAPHOST1.ibm.com" port="389" ignoreCase="true"
baseDN="o=ibm,c=us"
ldapType="IBM Tivoli Directory Server"
searchTimeout="8m"
recursiveSearch="true">
</ldapRegistry>
</server>
If
you want to federate two basic registries or a basic registry with a SAF or custom
registry, you can do so by including the federatedRegistry-1.0 in
addition to the appSecurity-2.0 feature as shown in the following
example.
<feature>appSecurity-2.0</feature>
<feature>federatedRegistry-1.0</feature>
The
following example shows the federation of two basic
registries:<server description="Federation">
<featureManager>
<feature>appSecurity-2.0</feature>
<feature>federatedRegistry-1.0</feature>
</featureManager>
<basicRegistry id="basic1" realm="SampleBasicRealm1">
<user name="admin" password="password" />
<user name="user1" password="password" />
<user name="user2" password="password" />
<group name="memberlessGroup" />
<group name="adminGroup">
<member name="admin"/>
</group>
<group name="users">
<member name="user1"/>
<member name="user2"/>
</group>
</basicRegistry>
<basicRegistry id="basic2" realm="SampleBasicRealm2">
<user name="user3" password="password123" />
<user name="user4" password="password123" />
<group name="memberlessGroup2" />
<group name="users2">
<member name="user3"/>
<member name="user4"/>
</group>
</basicRegistry>
</server>