External user registry overview

You can configure IBM® InfoSphere® Information Server to authenticate users based on an existing external user registry, such as a local operating system user registry or a Lightweight Directory Access Protocol (LDAP) user registry.

InfoSphere Information Server supports all external registries that are supported by IBM WebSphere® Application Server Network Deployment and IBM WebSphere Application Server Liberty Profile. For more information about user registries that WebSphere Application Server supports, see the WebSphere Application Server documentation.

The following figures show an InfoSphere Information Server topology where the services tier and metadata repository tier are located on one computer. In the first figure, InfoSphere Information Server and IBM WebSphere Application Server are both configured to use the local operating system user registry. In the second figure, InfoSphere Information Server and IBM WebSphere Application Server are both configured to use an external LDAP user registry.

Figure 1. Example of an InfoSphere Information Server architecture that uses the local operating system user registry
Figure 2. Example of an InfoSphere Information Server architecture that uses an external LDAP user registry

When you use an external user registry, WebSphere Application Server communicates with that user registry. The InfoSphere Information Server directory service communicates with the WebSphere Application Server user registry. It does not communicate with the external user registry directly. By going through WebSphere Application Server to access the external user registry, InfoSphere Information Server takes advantage of the capabilities in WebSphere Application Server for handling various kinds of external user registries.

When you use an external user registry, you create users and groups through the administration tools for that user registry. InfoSphere Information Server looks to the external user registry for user names, passwords, group definitions, and group memberships. Password restrictions are imposed by the user registry.

If you are configuring WebSphere Application Server clustering for scalability or high availability, you cannot configure InfoSphere Information Server to use the local operating system user registry. Instead, configure an LDAP user registry or the internal user registry.

Even when you configure InfoSphere Information Server to use an external user registry, certain user information is still maintained in the internal user registry. Specifically, the internal user registry always stores the security roles that are assigned to users and groups, as well as attributes that are not passed through by WebSphere Application Server, such as e-mail addresses and business addresses. The internal user registry is always available and working in the background.