IBM Support

Is it possible to add LDAP users to filebase local groups on WebSphere Application Server?

Question & Answer


Question

I've set up federated repositories with an LDAP as well as a file-based registry. In the WAS Admin Console, I can display users and groups from both LDAP and the file-based registry. However, I can't add LDAP users to my local file-based test group.

Answer

Short answer: no, it's not possible. VMM (virtual member manager, the component behind federated repositories) does not support cross-repository membership between LDAP and file-based repositories.

Long answer: Group memberships are stored within the repositories themselves (fileRegistry.xml, LDAP, DB, etc.), not in WAS. There is no standardized way for a repository to define group members that exist in a different repository. For WAS to add users to groups across repositories, it would need some proprietary means of defining group memberships outside the repositories, and WAS does not have this. I think this would not be a good feature, as it would break the LDAPv3 specification and make administration of the repositories themselves more difficult: most IT departments have separate administrative personnel for their LDAPs, and if WAS admins were defining group memberships that were not visible to the LDAP admin, this would cause a lot of confusion.

There is one exception to this rule: certain DB repositories do support defining group members that exist in other repositories. This works only for DB repositories. It does not work for LDAP repositories (including Microsoft Active Directory with multiple domains) or for the local file registry.

If the DB repository supports members from other repositories, you must set the repositoriesForGroups parameter on each repository whose users are to become members, giving it the unique repository ID of the DB repository that holds the groups. When repositoriesForGroups is specified on a repository, that repository's own group configuration is ignored and only the DB repository is used for group definitions. For example, if you want the groups in the database repository to accept members from an LDAP repository, set the configuration parameter repositoriesForGroups of the LDAP repository to the repository ID of the database repository.
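The following fragment is an added illustration of that configuration; it is not from the IBM page and not IBM-supplied configuration. It shows two repository entries as they would appear in a federated-repositories wimconfig.xml: a database repository that owns the groups and an LDAP repository whose users may become members of those groups. The repository IDs DB1 and LDAP1, the base entries, and the data source name are assumed values; the attributes shown are only the ones relevant to the point, and each real repository element carries more settings than are listed here.

```xml
<!-- Added example (assumed IDs and names), not part of the original IBM document. -->

<!-- Database repository DB1: this is where the group definitions live. -->
<config:repositories xsi:type="config:DatabaseRepositoryType"
    adapterClassName="com.ibm.ws.wim.adapter.db.DBAdapter"
    id="DB1">
  <!-- assumed base entry for the DB repository -->
  <config:baseEntries name="o=db,o=example"/>
  <!-- data source, driver and other DB settings omitted here -->
</config:repositories>

<!-- LDAP repository LDAP1: its users should be able to join DB1 groups.
     repositoriesForGroups points group lookups for LDAP1 at DB1; once this
     is set, LDAP1's own Group entity-type configuration is ignored and
     only DB1 is consulted for group definitions. -->
<config:repositories xsi:type="config:LdapRepositoryType"
    adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter"
    id="LDAP1">
  <!-- assumed base entry for the LDAP repository -->
  <config:baseEntries name="o=example,c=us"/>
  <config:repositoriesForGroups>DB1</config:repositoriesForGroups>
  <!-- server, bind and entity-type settings omitted here -->
</config:repositories>

<!-- The built-in file repository gets no repositoriesForGroups element:
     as the answer states, the file registry can neither hold members from
     another repository nor delegate its groups to one. -->
```

The same setting is exposed through wsadmin as the -repositoriesForGroups parameter of the IdMgrRepositoryConfig commands (for example AdminTask.updateIdMgrRepository('-id LDAP1 -repositoriesForGroups DB1'), followed by AdminConfig.save() and a restart). After the change, a quick check is to add one LDAP user to a DB1 group in the Admin Console (or with AdminTask.addMemberToGroup) and confirm with AdminTask.getMembersOfGroup that the member's unique name resolves back to the LDAP1 base entry; if the LDAP repository's groups were still being used, the add would be rejected as a cross-repository membership.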

Business Unit: Cloud & Data Platform (BU053)
Product: WebSphere Application Server (SSEQTP)
ARM Category: Security->User Registry->LDAP->Federated Repositories
ARM Case Number: TS003561550
Platform: Platform Independent (PF025)
Version: All Version(s)
Line of Business: Automation (LOB45)

Document Information

Modified date: 21 May 2020

UID: ibm16213261