We're using WebSphere 8.5 and have a federated repository which uses LDAP and a database for user authentication. The LDAP is set up using the 'LDAP repository' and the database is set up using the 'Custom Repository'. We have been using our custom repository for database authentication for a long time, so we're pretty confident it is working correctly. We have also made sure that all users and groups are unique across the different repositories.
We have an application (let's call it myApp) which has a security role (say CoolRole). If a user belongs to the cool user group (CoolGroup) he may run the application, otherwise he can't. Since we have users in both LDAP and the database that should be able to run the application, we have two groups (CoolGroup-ldap & CoolGroup-db). We also have a run-as role (coolestRole).
We map both our groups in 'Security role to user/group mapping' and then map the run-as role to a specific user in the database.
This works sometimes but not always! More often than not we get an error saying the user does not have the correct role, and the logs show an IndexOutOfBounds exception. The overall behaviour in WebSphere is also a bit suspect. Sometimes we get an error when we try to list the users or groups, and sometimes we get no result from a search pattern that should generate one or more matches. If we repeat the same search we eventually get a result.
We have a security domain set up which contains the federated repository. On the global level we use the default settings, which is also a federated repository but one that contains the file-based repository.
Are we missing something, or are we trying to do something that is not fully supported? Is it a bug, and if so, are there any ways to get around the problem?