Configuring the user registry
To use an external security provider, you must add the provider to the federated repository. Several types of repositories are supported, including the local operating system registry, a standalone Lightweight Directory Access Protocol (LDAP) registry, a standalone custom registry, and federated repositories.
About this task
The default installation of IBM® Business Process Manager provides a federated repository that contains the WebSphere® Application Server file registry.
The following steps show an example of configuring an LDAP security provider (such as Microsoft Active Directory) with the federated repository. For more information about how to configure other supported repositories, such as IBM Security Directory Suite (formerly IBM Tivoli Directory Server), refer to the Configuring LDAP as the user account registry section of the IBM Business Process Manager V7.5 Production Topologies IBM Redbook.
Note: IBM recommends that you configure the LDAP security provider using a federated repository (also referred to as virtual member manager).
Restriction:
- You must search for users by the user ID in stand-alone LDAP user repositories. Searching for users by user first name or last name is not supported in this configuration.
- If you are using Active Directory as a user repository, and you search for a user name that contains a letter with a diacritical mark, the search will ignore the diacritical mark and will return all user names that contain the character, regardless of whether the character has a diacritical mark. For example, a search on user names that contain the letter e with an accent mark will return not just those user names, but also user names that include e with any other accent mark or e with no accent mark.
Important: The connection with an embedded Enterprise Content Management (ECM) system might be lost if users are deleted and recreated. Refer to Administering the technical user for the IBM BPM document store.
In the LDAP configuration, you can specify one or multiple login properties, such as uid and mail, to allow users to log in to WebSphere Application Server. To give an example, for the following LDAP entry: uid=john1; cn=John Doe; mail=john@company.com, if you specified uid and mail as the login properties, the user can log in with john1 and john@company.com but not with John Doe. Values of login properties must be unique across all repositories participating in a realm. For example, do not use cn as a login property because it might not be unique. The first login property must also be stable. For example, mail is not a stable property because its value can change for events such as a marriage or divorce. The login properties are specified by using the WebSphere Application Server administrative console.
Note: The first login property becomes the user name in the IBM Business Process Manager database. This property must not change. If you change the first login property, it results in the creation of a new user name and a duplicate user entry in the IBM Business Process Manager database. In the example, john1 is the value of the first login property and is the user name in the IBM Business Process Manager database. But if the first login property changes from uid to mail, the next time the user is synchronized, another entry is created for the user name john@company.com in the IBM Business Process Manager database. Additionally, the next time John logs in, he will not see any of the tasks that were assigned to him prior to the change, because he is now considered a new (unrelated) user.
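The following Python model is an added example, not IBM code and not how virtual member manager is implemented. It makes the two rules above concrete: a login identifier is matched against the configured login properties in order and the value of the first login property is what becomes the IBM BPM user name, and a pre-flight check reports login-property values that are not unique across the repositories of a realm. The repository names and LDAP entries are constructed sample data.

```python
# Added example (not IBM's code): model of federated-repository login properties.
# Order matters: the FIRST login property becomes the IBM BPM user name.
LOGIN_PROPERTIES = ["uid", "mail"]

# Constructed sample realm: two repositories federated under one realm.
REALM = {
    "ldap1": [
        {"uid": "john1", "cn": "John Doe", "mail": "john@company.com"},
        {"uid": "jane2", "cn": "Jane Roe", "mail": "jane@company.com"},
    ],
    "fileRegistry": [
        {"uid": "admin", "cn": "John Doe", "mail": "admin@company.com"},
    ],
}


def find_duplicates(realm, login_props):
    """Pre-flight check: return {(property, value): [repositories]} for every
    login-property value that occurs in more than one entry across the realm.
    An empty dict means the chosen login properties are safe to configure."""
    seen = {}
    for repo, entries in realm.items():
        for entry in entries:
            for prop in login_props:
                if prop in entry:
                    seen.setdefault((prop, entry[prop]), []).append(repo)
    return {key: repos for key, repos in seen.items() if len(repos) > 1}


def resolve_login(realm, login_props, login_id):
    """Resolve a login identifier to the IBM BPM user name.
    The identifier may match ANY configured login property (uid or mail here),
    but the user name stored in the BPM database is always the value of the
    FIRST login property. Returns None when no login property matches, which
    is why 'John Doe' (cn) cannot be used to log in."""
    for entries in realm.values():
        for entry in entries:
            if any(entry.get(prop) == login_id for prop in login_props):
                return entry.get(login_props[0])
    return None


if __name__ == "__main__":
    print(resolve_login(REALM, LOGIN_PROPERTIES, "john@company.com"))  # john1
    # Reordering the login properties changes the BPM user name for the same
    # person, which is the duplicate-user problem the note above describes.
    print(resolve_login(REALM, ["mail", "uid"], "john1"))  # john@company.com
    print(find_duplicates(REALM, ["cn"]))  # cn=John Doe appears in two repositories
```

Run `find_duplicates` against an export of your real repositories before choosing login properties in the administrative console; any non-empty result means that property should not be used.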