Federated repositories

Federated repositories enable you to use multiple repositories with WebSphere® Application Server. These repositories, which can be file-based repositories, LDAP repositories, or a sub-tree of an LDAP repository, are defined and theoretically combined under a single realm. All of the user repositories that are configured under the federated repository functionality are invisible to WebSphere Application Server.

When you use the federated repositories functionality, all of the configured repositories, which you specify as part of the federated repository configuration, become active. It is required that the user ID, and the distinguished name (DN) for an LDAP repository, be unique in multiple user repositories that are configured under the same federated repository configuration. For example, there might be three different repositories that are configured for the federated repositories configuration: Repository A, Repository B, and Repository C. When user1 logs in, the federated repository adapter searches each of the repositories for all of the occurrences of that user. If multiple instances of that user are found in the combined repositories, an error message displays.

In addition, the federated repositories functionality in WebSphere Application Server supports the logical joining of entries across multiple user repositories when the Application Server searches and retrieves entries from the repositories. For example, when an application calls for a sorted list of people whose age is greater than twenty, WebSphere Application searches all of the repositories in the federated repositories configuration. The results are combined and sorted before the Application Server returns the results to the application.

Unlike the local operating system, stand-alone LDAP registry, or custom registry options, federated repositories provide user and group management with read and write capabilities. When you configure federated repositories, you can use one of the following methods to add, create, and delete users and groups:
Important: If you configure multiple repositories under the federated repositories realm, you must also configure supported entity types and specify a base entry for the default parent. The base entry for the default parent determines the repository location where entities of the specified type are placed on write operations by user and group management. See Configuring supported entity types in a federated repository configuration for details.
  • Use the user management application programming interfaces (API). For more information, refer to articles under Developing with virtual member manager in this documentation.
  • Use the administrative console. To manage users and groups within the administrative console, click Users and Groups > Manage Users or Users and Groups > Manage Groups. For information on user and group management, click the Help link. Click Users and Groups. To manage users and groups for a specific domain in a multiple security domain environment, click Security > Global security > Security Domains > domain_name. Under Security Attributes, expand User Realm, and click Customize for this domain. Select the Realm type as Federated repositories. Click Apply and Save to the master configuration. On Security domains panel that appears, click the domain_name again to go to the domain configuration panel. Under User realm, click the Manage users or Manager Groups links that are displayed now. These links to manage users and groups for a specific domain are displayed only after you save the federated repositories configuration for the domain.
  • Use the wsadmin commands. For more information, see the WIMManagementCommands command group for the AdminTask object topic.

If you do not configure the federated repositories functionality or do not enable federated repositories as the active repository, you cannot use the user management capabilities that are associated with federated repositories. You can configure an LDAP server as the active user registry and configure the same LDAP server under federated repositories, but not select federated repositories as the active user repository. With this scenario, authentication takes place using the LDAP server, and you can use the user management functionality for the LDAP server that is available for federated repositories.

The following table compares the federated repository functionality that is available in WebSphere Application Server Version 8.5 with the registry functionality that remains unchanged from previous versions of the Application Server.
Table 1. Federated repositories versus user registry implementations .

This table lists federated repositories versus user registry implementations.
Federated repositories User registry

Supports multiple types of repositories such as file-based, LDAP, database, and custom. In WebSphere Application Server Version 8.5, file-based and LDAP repositories are supported by the administrative console. However, the federated repositories functionality does not support local operating system implementations.

With this service release, the federated repositories functionality supports local operating system implementations.

For database and custom repositories, you can use the wsadmin command-line interface or the configuration application programming interfaces (API).

[z/OS]WebSphere Application Server federated repositories support a z/OS® LDAP server with an SDBM backend (resource access control facility (RACF®)).

 Supports multiple types of registries such as the local operating system, a stand-alone LDAP registry, and a stand-alone custom registry.
Supports multiple repositories in a realm within a cell. Supports one registry only in a realm within a cell.
Provides read and write capabilities for the repositories that are defined in the federated repository configuration. Provides read only capability for the registries.
Provides account and password policy support as defined by the registry type. However, this support is not provided by the federated repository functionality. Provides account and password policy support as defined by the registry type.
Supports identity profiles. Does not support identity profiles.
Uses the custom UserRegistry implementation. Uses the custom UserRegistry implementation.