Configuring the user registry
To use an external security provider, you must add the provider to the federated repository. Only the federated repositories configuration is supported. All other types of repositories are deprecated, including the local operating system registry, stand-alone Lightweight Directory Access Protocol (LDAP) registry, and stand-alone custom registry.
About this task
The default installation of IBM® Business Automation Workflow provides a federated repository that contains the WebSphere® Application Server file registry.
The following steps show an example of configuring an LDAP security provider (such as Microsoft Active Directory) with the federated repository. For more information about how to configure other supported repositories, such as IBM Security Directory Suite (formerly IBM Tivoli Directory Server), refer to the Configuring LDAP as the user account registry section of the IBM Business Process Manager V7.5 Production Topologies IBM Redbook.
Note: IBM recommends that you configure the LDAP security provider that uses a federated repository (also referred to as virtual member manager).
Restriction:
- You must search for users by the user ID in stand-alone LDAP user repositories (deprecated). Searching for users by user first name or last name is not supported in this configuration.
- If you are using Active Directory as a user repository, and you search for a user name that contains a letter with a diacritical mark, the search ignores the diacritical mark and returns all user names that contain the character, regardless of whether the character has a diacritical mark. For example, a search on user names that contain the letter e with an accent mark returns not just those user names, but also user names that include e with any other accent mark or e with no accent mark.
Important: Enterprise Content Management (ECM) considerations:
- The connection with an embedded Enterprise Content Management (ECM) system might be lost if users are deleted and re-created. Refer to Administering the technical user for the BPM document store.
- If you are using Active Directory as a user repository, and you perform the step of changing the mapping of the Federated Repository uid property to use the user repository userPrincipalName attribute instead of the default samAccountName attribute, you must set the following JVM argument. For more information, see Configuring the JVM.
  -Dcom.filenet.security.vmmProvider.upnAsUserShortName=true
In the federated repositories LDAP configuration, you can specify one or multiple login properties, such as uid and mail, to allow users to log in to WebSphere Application Server. For example, for the following LDAP entry: uid=john1; cn=John Doe; mail=john@company.com, if you specified uid and mail as the login properties, the user can log in with john1 and john@company.com but not with John Doe.
Values of login properties must be unique across all repositories participating in a realm. For example, do not use cn as a login property because it might not be unique. The first login property must also be stable. For example, mail is not a stable property because its value can change for events such as a marriage or divorce. The login properties are specified by using the WebSphere Application Server administrative console.
Note: The first login property becomes the user name in the IBM Business Automation Workflow database. This property must not change. If you change the first login property, it results in the creation of a new user name and a duplicate user entry in the IBM Business Automation Workflow database. In the example, john1 is the value of the first login property and is the user name in the IBM Business Automation Workflow database. But if the first login property changes from uid to mail, the next time the user is synchronized, another entry is created for the user name john@company.com in the IBM Business Automation Workflow database. Additionally, the next time John logs in, he will not see any of the tasks that were assigned to him before the change, because he is now considered a new (unrelated) user.
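Before committing to a set of login properties, an administrator can check the uniqueness rule above against an LDAP export. The following script is an added example, not IBM's own code; it parses a small constructed LDIF sample, reports which candidate login-property values collide across entries (cn collides, uid and mail do not), and lists the names a given entry could log in with under the uid and mail configuration described in the text.

```python
"""Audit candidate login properties against an LDAP export (added example)."""
from collections import defaultdict

# Constructed sample LDIF export; it does not come from any real directory.
SAMPLE_LDIF = """\
dn: uid=john1,ou=people,dc=company,dc=com
uid: john1
cn: John Doe
mail: john@company.com

dn: uid=john2,ou=people,dc=company,dc=com
uid: john2
cn: John Doe
mail: jdoe@company.com

dn: uid=alice,ou=people,dc=company,dc=com
uid: alice
cn: Alice Smith
mail: alice@company.com
"""

def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries

def duplicate_values(entries, attr):
    """Values of attr (compared case-insensitively, as LDAP does) found in more than one entry."""
    seen = defaultdict(int)
    for entry in entries:
        for value in entry.get(attr, []):
            seen[value.lower()] += 1
    return sorted(v for v, n in seen.items() if n > 1)

def login_names(entry, login_properties):
    """Names the user may log in with: the values of each configured login property, in order."""
    return [v for prop in login_properties for v in entry.get(prop, [])]

def check_login_properties(entries, login_properties):
    """Map each candidate login property to its duplicated values; an empty list means it is usable."""
    return {prop: duplicate_values(entries, prop) for prop in login_properties}
```

The first property in the list passed to check_login_properties is the one that becomes the Workflow user name, so it should be the stable attribute (uid here), with mail only as a secondary login property.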