Showing posts with label federatedrepository. Show all posts

User Management using Federated repository

If your WAS server is configured to use the federated repository, you can add and delete users and groups. You have the following three options for doing that:


  • Programmatic User management APIs

  • The administrative console

  • wsadmin commands



Important Note: The federated user repository is the only option if you want the ability to add and delete users and groups from WebSphere. The standalone LDAP registry, the local operating system registry and custom user registries are read-only from WebSphere's point of view; users and groups in them must be managed with the registry's own tools.

Mapping attributes between LDAP and WebSphere Portal

Perform the following steps to map attributes between WebSphere Portal and your LDAP server; if you have multiple LDAP servers, you will need to perform these steps for each LDAP server:


  • Run one of the following tasks to check that all defined attributes are available in the configured LDAP user registry:

    • Standalone: ConfigEngine.sh wp-validate-standalone-ldap-attribute-config

    • Federated: ConfigEngine.sh wp-validate-federated-ldap-attribute-config



  • Open the config trace file and review the following output for the PersonAccount and Group entity types:
    The following attributes are defined in WebSphere Portal but not in the LDAP server
    This list contains all attributes that are defined in WebSphere Portal but not available in the LDAP server. Flag the attributes that you do not plan to use in WebSphere Portal as unsupported. Map the attributes that you plan to use to attributes that exist in the LDAP server; the uid, cn, firstName, sn, preferredLanguage, and ibm-primaryEmail attributes must be mapped if they appear in this list.
    The following attributes are flagged as required in the LDAP server but not in WebSphere Portal
    This list contains all attributes that are defined as "MUST" in the LDAP schema but not as required in WebSphere Portal. Flag these attributes as required within WebSphere Portal; see the step below about flagging an attribute as either unsupported or required.
    The following attributes have a different type in WebSphere Portal and in the LDAP server
    This list contains all attributes that WebSphere Portal might ignore because the data type in WebSphere Portal and the data type in the LDAP server do not match.

  • Enter values for one of the following sets of parameters in the wkplc.properties file to correct any issues found in the config trace file. The standalone set is shown below (the federated set uses the federated.ldap prefix instead); both are found under the LDAP attribute configuration heading:

    * standalone.ldap.id
    * standalone.ldap.attributes.nonSupported
    * standalone.ldap.attributes.nonSupported.delete
    * standalone.ldap.attributes.mapping.ldapName
    * standalone.ldap.attributes.mapping.portalName
    * standalone.ldap.attributes.mapping.entityTypes

  • Run one of the following tasks to update the LDAP user registry configuration with the list of unsupported attributes and the proper mapping between WebSphere Portal and the LDAP user registry:

    • Standalone: ConfigEngine.sh wp-update-standalone-ldap-attribute-config

    • Federated: ConfigEngine.sh wp-update-federated-ldap-attribute-config



Adding LDAP server to Federated repository

I wanted to add an LDAP user repository to the default federated repository. Once this is configured, the users defined in my LDAP server should be able to log in to the Portal Server.
I followed these steps to add the LDAP server to my default federated repository:

  • First, set up the LDAP server using the instructions in the Setting up LDAP Server post. I keep a VMware backup with LDAP set up and configured along with WPS 6.1, so if I mess up the configuration I can always go back to the backup.

  • Start both server1 and WebSphere_Portal server if they are not already started.

  • Open the wp_add_federated_ids.properties file, which is the configuration template (helper) file used to add an IBM Directory Server to the federated repository. I changed it to reflect my configuration like this:

    # *****************************************************************
    #
    # Licensed Materials - Property of IBM
    #
    # 5724-L21
    #
    # Copyright IBM Corp. 2008 All Rights Reserved.
    #
    # US Government Users Restricted Rights - Use, duplication or
    # disclosure restricted by GSA ADP Schedule Contract with
    # IBM Corp.
    #
    # *****************************************************************

    ###############################################################################
    ###############################################################################
    ##
    ##
    ## VMM Federated LDAP Properties -
    ## for creating/updating the LDAP configuration in VMM
    ## wp-create-ldap
    ## wp-update-federated-ldap - confirm that federated.ldap.id and federated.ldap.host matches the repository you want to update.
    ##
    ##
    ###############################################################################
    ###############################################################################


    # The id specifies a unique identifier for the repository within the cell
    # Characters that are not allowed in normal XML strings ( & < > " ' ) cannot be used in the repository ID.
    federated.ldap.id=adminldap

    # Specifies the host name of the primary LDAP server. This host name is either an IP address or a domain name service (DNS) name.
    federated.ldap.host=localhost

    # Specifies the LDAP server port.
    federated.ldap.port=389

    # Specifies the distinguished name for the application server to use when binding to the LDAP repository.
    federated.ldap.bindDN=uid=wpsbind,cn=users,dc=ibm,dc=com

    # Specifies the password for the application server to use when binding to the LDAP repository.
    federated.ldap.bindPassword=wpsbind

    # Specifies the type of LDAP server to which you connect
    # Supported values on WAS 6.1: IDS4, IDS51, IDS52, IDS6, SECUREWAY
    # Note: If your LDAP server version is not listed, enter the value for the highest listed version of your server
    # Supported values on WAS 7: IDS
    federated.ldap.ldapServerType=IDS6

    # The LDAP base entry.
    federated.ldap.baseDN=dc=ibm,dc=com

    ############################################
    #
    # LDAP entity types
    #
    # The supported entity types are
    # Group
    # default searchFilter =
    # default objectClasses = groupOfNames
    # default objectClassesForCreate = groupOfNames
    # default searchBases =
    # PersonAccount
    # default searchFilter =
    # default objectClasses = inetOrgPerson
    # default objectClassesForCreate = inetOrgPerson
    # default searchBases =
    #
    ############################################

    # Entity type Group

    # The search filter that you want to use to search the entity type.
    # VMM uses this filter as an addition during search requests in your environment
    # The syntax is like a standard LDAP searchfilter like (objectclass=groupOfUniqueNames)
    # In general this value can be left blank
    federated.ldap.et.group.searchFilter=(objectclass=groupOfUniqueNames)

    # One or more object classes (separated by ';') for the entity type.
    federated.ldap.et.group.objectClasses=groupOfUniqueNames

    # The object class(es) to use when an entity type is created. If the value of this parameter is the same as the objectClass parameter, you do not need to specify this parameter.
    federated.ldap.et.group.objectClassesForCreate=

    # The search base or bases to use while searching the entity type.
    federated.ldap.et.group.searchBases=cn=groups,dc=ibm,dc=com


    # Entity type PersonAccount

    # The search filter that you want to use to search the entity type.
    # VMM uses this filter as an addition during search requests in your environment
    # The syntax is like a standard LDAP searchfilter like (objectclass=inetOrgPerson)
    # In general this value can be left blank
    federated.ldap.et.personaccount.searchFilter=(objectclass=inetOrgPerson)

    # One or more object classes (separated by ';') for the entity type.
    federated.ldap.et.personaccount.objectClasses=inetOrgPerson

    # The object class(es) (separated by ';') to use when an entity type is created. If the value of this parameter is the same as the objectClass parameter, you do not need to specify this parameter.
    federated.ldap.et.personaccount.objectClassesForCreate=

    # The search base or bases to use while searching the entity type.
    federated.ldap.et.personaccount.searchBases=cn=users,dc=ibm,dc=com

    #########################
    # Group member attributes
    #########################

    # The name of the LDAP attribute that is used as the group member attribute. For example, member or uniqueMember.
    federated.ldap.gm.groupMemberName=uniqueMember

    # The group object class that contains the member attribute. For example, groupOfNames or groupOfUniqueNames.
    # If you do not define this parameter, the member attribute applies to all group object classes.
    federated.ldap.gm.objectClass=groupOfUniqueNames

    # The scope of the member attribute. The valid values for this parameter include the following:
    # direct - The member attribute only contains direct members.
    # nested - The member attribute that contains the direct members and the nested members.
    federated.ldap.gm.scope=direct

    # If you create a group without specifying a member, a dummy member will be filled in to avoid creating an exception about missing a mandatory attribute.
    federated.ldap.gm.dummyMember=uid=dummy


    ###############################################################################
    ##
    ## Advanced Properties
    ##
    ###############################################################################

    #
    # Group config
    #

    # The name of the membership attribute. For example, memberOf in an active directory server and ibm-allGroups in IDS.
    federated.ldap.gc.name=ibm-allGroups

    # Updates the group membership if the member is deleted or renamed. Some LDAP servers, for example, Domino server, do not clean up
    # the membership of the user when a user is deleted or renamed. If you choose these LDAP server types in the ldapServerType property,
    # the value of this parameter is set to true. Use this parameter to change the value. The default value is false.
    federated.ldap.gc.updateGroupMembership=

    # The scope of the membership attribute. The valid values for this parameter include the following:
    # direct - The membership attribute only contains direct groups.
    # nested - The membership attribute that contains the direct groups and the nested groups.
    # all - The membership attribute contains direct groups, nested groups, and dynamic members.
    # The default value is direct.
    federated.ldap.gc.scope=direct


    # The implementation class name for the repository adapter.
    # The default value is com.ibm.ws.wim.adapter.ldap.LdapAdapter
    federated.ldap.adapterClassName=com.ibm.ws.wim.adapter.ldap.LdapAdapter

    # Indicates if sorting is supported or not. The default value is false.
    federated.ldap.supportSorting=false

    # Indicates if transactions are supported or not. The default value is false.
    federated.ldap.supportTransactions=false

    # Specifies if the external ID is unique. The default value is true.
    federated.ldap.isExtIdUnique=true

    # Indicates if external names are supported or not. The default value is false.
    federated.ldap.supportExternalName=false

    # Specifies whether secure socket communication is enabled to the LDAP server.
    # When enabled (sslEnabled=true), the Secure Sockets Layer (SSL) settings for LDAP are used.
    # The default value is false.
    federated.ldap.sslEnabled=false

    # Specifies the name of the application server SSL configuration (like mySSLconfig) to be used for SSL enabled LDAP server.
    # Application Server SSL config names can be found in Websphere application Server Admin console at Security-SSL certificate and key management
    # This property is used to specify a non default SSL configuration if federated.ldap.sslEnabled=true is set
    federated.ldap.sslConfiguration=

    # Specifies whether to map X.509 certificates into a LDAP directory by exact distinguished name or certificate filter.
    # Specify the certificate filter to use the specified filter for the mapping, if client certificate authentication is used
    # for portal server.
    # Valid values include: EXACT_DN, CERTIFICATE_FILTER
    federated.ldap.certificateMapMode=EXACT_DN

    # Specifies the filter certificate mapping property for the LDAP filter, if client certificate authentication is used
    # for portal server.
    # The syntax or structure of this filter is: LDAP attribute=${Client certificate attribute} (for example, uid=${SubjectCN})
    # The filter is used to map attributes in the client certificate to entries within the LDAP repository.
    federated.ldap.certificateFilter=

    # Indicates if paging is supported or not. The default value is false.
    federated.ldap.supportPaging=false

    # Indicates the authentication method to use. The default value is simple. Valid values include: none or strong.
    federated.ldap.authentication=simple

    # Indicates the property name used for login. Common values include: uid or cn
    federated.ldap.loginProperties=uid

    # The LDAP referral. The default value is ignore. Valid values include: ignore, follow, throw, or false.
    federated.ldap.referral=ignore

    # Controls how aliases are dereferenced. The default value is always. Valid values include:
    # always - always dereference aliases
    # never - never dereference aliases
    # finding - dereference aliases only during name resolution
    # searching - dereference aliases only after name resolution
    federated.ldap.derefAliases=always

    # The connection pool. The default value is false.
    federated.ldap.connectionPool=false

    # The connection timeout measured in seconds. The default value is 0.
    federated.ldap.connectTimeout=0

    # Indicates the polling interval for testing the primary server availability.
    # The value of this parameter is specified in minutes. The default value is 15.
    federated.ldap.primaryServerQueryTimeInterval=15

    # Indicates to return to the primary LDAP server when it is available. The default value is true.
    federated.ldap.returnToPrimaryServer=true

    # The value of search page size. This is the number of entries per page. The default is 50.
    federated.ldap.searchPageSize=

    # The value of the search count limit.
    federated.ldap.searchCountLimit=500

    # The value of the search time limit measured in milliseconds.
    federated.ldap.searchTimeLimit=120000

    # Indicates to translate RDN or not. The default value is false.
    federated.ldap.translateRDN=false

    # The maximum number of context instances that can be maintained concurrently by the context pool.
    # The default value is 20.
    federated.ldap.cp.maxPoolSize=20

    ###############################################################################
    ###############################################################################
    ##
    ##
    ## End - VMM Federated LDAP Properties
    ##
    ##
    ###############################################################################
    ###############################################################################


  • Once the wp_add_federated_ids.properties file is set up, validate the values entered in the file by executing this configuration task:

    ./ConfigEngine.sh validate-federated-ldap -DWasPassword=wasadmin -DparentProperties=/software/WebSphere/wp_profile/ConfigEngine/config/helpers/wp_add_federated_ids.properties


  • If the validation task is successful, execute the wp-create-ldap task to apply the configuration:

    ./ConfigEngine.sh wp-create-ldap -DWasPassword=wasadmin -DparentProperties=/software/WebSphere/wp_profile/ConfigEngine/config/helpers/wp_add_federated_ids.properties


  • Once the configuration task completes successfully, restart WebSphere_Portal and server1.


Now you should be able to log in to the portal using one of the users from the LDAP server. You can verify the new LDAP repository by executing the ./ConfigEngine.sh wp-query-repository -DWasPassword=wasadmin configuration task; it should list the new repository alongside the default file-based repository. Two things to clean up afterwards: the helper file holds the LDAP bind password in clear text, and the -DWasPassword value passed on the command line is recorded in the shell history and is visible in the process list while the task runs, so restrict the file's permissions (or remove the password from it) and clear the history entry.
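As an added example (this reviewer's code, not part of the original post and not IBM's tooling), here is a small Python checker for the security-relevant federated.ldap.* keys in the helper file above. The validate-federated-ldap task checks that the values in the file work against the LDAP server; it is not a security review, and the rules below are my own. The sample properties are constructed from the values shown above, and hardened() shows the transport setting beside its corrected form, assuming the directory server has an SSL listener on port 636.

```python
# Added example: checks the federated.ldap.* settings of a wp_add_federated_ids.properties
# file for weak transport/at-rest choices before wp-create-ldap is run.
# The checks are this reviewer's own, not IBM's validate-federated-ldap task.

# Constructed sample input: the security-relevant subset of the helper file shown above.
SAMPLE_PROPERTIES = """\
# VMM Federated LDAP Properties (subset)
federated.ldap.id=adminldap
federated.ldap.host=localhost
federated.ldap.port=389
federated.ldap.bindDN=uid=wpsbind,cn=users,dc=ibm,dc=com
federated.ldap.bindPassword=wpsbind
federated.ldap.sslEnabled=false
federated.ldap.sslConfiguration=
federated.ldap.authentication=simple
federated.ldap.referral=ignore
federated.ldap.et.group.objectClasses=groupOfUniqueNames
federated.ldap.gm.groupMemberName=uniqueMember
federated.ldap.gm.objectClass=groupOfUniqueNames
"""


def parse_properties(text):
    """Parse Java-style key=value lines; '#' and '!' lines are comments, blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_federated_ldap(props):
    """Return a list of (severity, message) findings for the federated.ldap.* keys."""
    get = lambda key: props.get("federated.ldap." + key, "")
    findings = []

    ssl_on = get("sslEnabled").lower() == "true"
    if not ssl_on:
        # A simple bind sends the bind DN's password, and later every portal user's
        # login password, to the LDAP server in clear text.
        findings.append(("high", "sslEnabled=false with authentication=%s: bind and user passwords cross the network in clear text"
                         % (get("authentication") or "simple")))
    elif get("port") == "389":
        # 389 is the plain LDAP port; an SSL listener is normally on 636.
        findings.append(("medium", "sslEnabled=true but port=389; LDAPS usually listens on 636, confirm the server's SSL port"))

    if get("bindPassword"):
        findings.append(("info", "bindPassword is stored in clear text in the helper file; restrict its permissions and scrub it after wp-create-ldap"))

    if get("referral").lower() == "follow":
        findings.append(("medium", "referral=follow: VMM will connect to whatever server a referral points at, not only the one configured here"))

    # The member attribute is bound to gm.objectClass; if that class is not one of the
    # Group entity's object classes, group membership will not resolve as expected.
    group_classes = {c.strip() for c in get("et.group.objectClasses").split(";") if c.strip()}
    gm_class = get("gm.objectClass")
    if gm_class and gm_class not in group_classes:
        findings.append(("medium", "gm.objectClass=%s is not in et.group.objectClasses=%s"
                         % (gm_class, ";".join(sorted(group_classes)))))
    return findings


def hardened(props):
    """Return a copy with the transport fixed: SSL on and the LDAPS port (assumes the server listens on 636)."""
    fixed = dict(props)
    fixed["federated.ldap.sslEnabled"] = "true"
    fixed["federated.ldap.port"] = "636"
    return fixed


def severities(findings):
    """The set of severities present in a findings list."""
    return {sev for sev, _ in findings}


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for sev, msg in check_federated_ldap(props):
        print("[%s] %s" % (sev, msg))
    print("after hardening:", sorted(severities(check_federated_ldap(hardened(props)))))
```

Run it against the real helper file by reading it into parse_properties; the only finding that should remain after hardening is the informational one about the bind password sitting in the file, which is fixed by file permissions and cleanup rather than by a property value.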

Federated repository default file based implementation

When you install WebSphere Portal, application security is enabled by default and it is configured to use the federated repository. You can see this by logging in to the WebSphere Application Server admin console and going to Security -> Secure administration, applications, and infrastructure.

Now click the Configure button next to Federated repositories. It takes you to the Federated repositories configuration screen, where you will notice one repository in the "Repositories in the realm" list: the file-based repository. That means the users are stored in the file-based repository.

If you want you can take a look at how the configuration is actually stored.

  1. The file-based repository information is stored in the wp_profile/config/cells/DefaultNode/fileRegistry.xml file. This is how it looks by default:

    <?xml version="1.0" encoding="UTF-8"?>
    <sdo:datagraph xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:sdo="commonj.sdo" xmlns:wim="http://www.ibm.com/websphere/wim">
      <wim:Root>
        <wim:entities xsi:type="wim:PersonAccount">
          <wim:identifier externalId="c233f13f-663d-4292-baf0-989e2ef805a4" externalName="uid=wasadmin,o=defaultWIMFileBasedRealm"
                          uniqueId="c233f13f-663d-4292-baf0-989e2ef805a4" uniqueName="uid=wasadmin,o=defaultWIMFileBasedRealm"/>
          <wim:parent>
            <wim:identifier uniqueName="o=defaultWIMFileBasedRealm"/>
          </wim:parent>
          <wim:createTimestamp>2008-11-15T19:23:49.811Z</wim:createTimestamp>
          <wim:modifyTimestamp>2009-04-04T10:43:02.788-07:00</wim:modifyTimestamp>
          <wim:password>U0hBLTE6NWtqbHV1b3hjY2FwOmtzLzVMSHFQUkpCQ1R4ZGlIak8yRDRBdUlkYz0K</wim:password>
          <wim:uid>wasadmin</wim:uid>
          <wim:cn>wasadmin</wim:cn>
          <wim:sn>wasadmin</wim:sn>
        </wim:entities>
        <wim:entities xsi:type="wim:Group">
          <wim:identifier externalId="db0469c8-487a-4610-83de-c063f4652389" externalName="cn=wpsadmins,o=defaultWIMFileBasedRealm"
                          uniqueId="db0469c8-487a-4610-83de-c063f4652389" uniqueName="cn=wpsadmins,o=defaultWIMFileBasedRealm"/>
          <wim:parent>
            <wim:identifier uniqueName="o=defaultWIMFileBasedRealm"/>
          </wim:parent>
          <wim:createTimestamp>2008-11-15T19:25:08.265Z</wim:createTimestamp>
          <wim:cn>wpsadmins</wim:cn>
          <wim:members>
            <wim:identifier uniqueName="uid=wasadmin,o=defaultWIMFileBasedRealm"/>
          </wim:members>
        </wim:entities>
      </wim:Root>
    </sdo:datagraph>

    My repository has only one user, uid=wasadmin,o=defaultWIMFileBasedRealm, because there is only one <wim:entities xsi:type="wim:PersonAccount"> element, and only one <wim:entities xsi:type="wim:Group">
    element, for the cn=wpsadmins,o=defaultWIMFileBasedRealm group. If you sign up additional users, their entries are created in this file.
    The user's password is stored in the fileRegistry as a digest, not in clear text. The <wim:password> value is base64; decoding it gives a record of the form SHA-1:<salt>:<base64 digest>, that is, the algorithm named by messageDigestAlgorithm in wimconfig.xml, a salt, and the 20-byte SHA-1 digest. Nothing in this value expires; it stays valid until the password is changed. Because SHA-1 is a fast hash, anyone who can read fileRegistry.xml can guess passwords offline, so protect the file with filesystem permissions and keep the file-based realm for the bootstrap administrator only.

  2. The wimconfig.xml is another important file; it is stored in the wp_profile/config/cells/DefaultNode/wim/config directory. It holds global information about the federated repository: the digest algorithm for stored passwords, which user repositories are part of the federated repository, the realm configuration, and so on. By default it looks like this:

    <sdo:datagraph xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:config="http://www.ibm.com/websphere/wim/config" xmlns:sdo="commonj.sdo">
    <config:configurationProvider maxPagingResults="500" maxSearchResults="4500" maxTotalPagingResults="1000"
    pagedCacheTimeOut="900" pagingEntityObject="true" searchTimeOut="600000">
    <config:dynamicModel xsdFileName="wimdatagraph.xsd"/>
    <config:supportedEntityTypes defaultParent="o=defaultWIMFileBasedRealm" name="Group">
    <config:rdnProperties>cn</config:rdnProperties>
    </config:supportedEntityTypes>
    <config:supportedEntityTypes defaultParent="o=defaultWIMFileBasedRealm" name="OrgContainer">
    <config:rdnProperties>o</config:rdnProperties>
    <config:rdnProperties>ou</config:rdnProperties>
    <config:rdnProperties>dc</config:rdnProperties>
    <config:rdnProperties>cn</config:rdnProperties>
    </config:supportedEntityTypes>
    <config:supportedEntityTypes defaultParent="o=defaultWIMFileBasedRealm" name="PersonAccount">
    <config:rdnProperties>uid</config:rdnProperties>
    </config:supportedEntityTypes>
    <config:repositories xsi:type="config:FileRepositoryType" adapterClassName="com.ibm.ws.wim.adapter.file.was.FileAdapter"
    id="InternalFileRepository" supportPaging="false" messageDigestAlgorithm="SHA-1">
    <config:baseEntries name="o=defaultWIMFileBasedRealm"/>
    </config:repositories>
    <config:realmConfiguration defaultRealm="defaultWIMFileBasedRealm">
    <config:realms delimiter="/" name="defaultWIMFileBasedRealm" securityUse="active">
    <config:participatingBaseEntries name="o=defaultWIMFileBasedRealm"/>
    <config:uniqueUserIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>
    <config:userSecurityNameMapping propertyForInput="principalName" propertyForOutput="principalName"/>
    <config:userDisplayNameMapping propertyForInput="principalName" propertyForOutput="principalName"/>
    <config:uniqueGroupIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>
    <config:groupSecurityNameMapping propertyForInput="cn" propertyForOutput="cn"/>
    <config:groupDisplayNameMapping propertyForInput="cn" propertyForOutput="cn"/>
    </config:realms>
    </config:realmConfiguration>
    <config:pluginManagerConfiguration>
    <config:topicSubscriberList>
    <config:topicSubscriber topicSubscriberName="DefaultDAViewProcessor" topicSubscriberType="ModificationSubscriber">
    <config:className>com.ibm.ws.wim.plugins.orgview.impl.DefaultDAViewProcessorImpl</config:className>
    </config:topicSubscriber>
    </config:topicSubscriberList>
    <config:topicRegistrationList>
    <config:topicEmitter topicEmitterName="com.ibm.ws.wim.ProfileManager.create">
    <config:preExit>
    <config:notificationSubscriberList/>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:preExit>
    <config:inlineExit inlineExitName="createInViewExplicit">
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:inlineExit>
    <config:postExit>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    <config:notificationSubscriberList/>
    </config:postExit>
    </config:topicEmitter>
    <config:topicEmitter topicEmitterName="com.ibm.ws.wim.ProfileManager.delete">
    <config:preExit>
    <config:notificationSubscriberList/>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:preExit>
    <config:inlineExit inlineExitName="deleteInViewExplicit">
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:inlineExit>
    <config:postExit>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    <config:notificationSubscriberList/>
    </config:postExit>
    </config:topicEmitter>
    <config:topicEmitter topicEmitterName="com.ibm.ws.wim.ProfileManager.update">
    <config:preExit>
    <config:notificationSubscriberList/>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:preExit>
    <config:postExit>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    <config:notificationSubscriberList/>
    </config:postExit>
    </config:topicEmitter>
    <config:topicEmitter topicEmitterName="com.ibm.ws.wim.ProfileManager.get">
    <config:preExit>
    <config:notificationSubscriberList/>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:preExit>
    <config:inlineExit inlineExitName="getInViewExplicit">
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:inlineExit>
    <config:postExit>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    <config:notificationSubscriberList/>
    </config:postExit>
    </config:topicEmitter>
    <config:topicEmitter topicEmitterName="com.ibm.ws.wim.authz.ProfileSecurityManager">
    <config:preExit>
    <config:notificationSubscriberList/>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:preExit>
    <config:inlineExit inlineExitName="getInViewExplicit">
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:inlineExit>
    <config:postExit>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    <config:notificationSubscriberList/>
    </config:postExit>
    </config:topicEmitter>
    </config:topicRegistrationList>
    </config:pluginManagerConfiguration>
    <config:authorization
    isSecurityEnabled="true" useSystemJACCProvider="false" importPolicyFromFile="true"
    isAttributeGroupingEnabled="true" defaultAttributeGroup="default"
    jaccPolicyClass="com.ibm.sec.authz.provider.CommonAuthzPolicy"
    jaccRoleMappingClass="com.ibm.sec.authz.provider.CommonAuthzRoleMapping"
    jaccPolicyConfigFactoryClass="com.ibm.sec.authz.provider.CommonAuthzPolicyConfigurationFactory"
    jaccRoleMappingConfigFactoryClass="com.ibm.sec.authz.provider.CommonAuthzRoleMappingConfigurationFactory"
    jaccRoleToPermissionPolicyId="WIM Policy"
    jaccPrincipalToRolePolicyId="WIM Policy"
    jaccRoleToPermissionPolicyFileName="wim-policy.xml"
    jaccPrincipalToRolePolicyFileName="wim-rolemapping.xml">
    <config:attributeGroups>
    <config:groupName>general</config:groupName>
    <config:attributeNames>cn</config:attributeNames>
    <config:attributeNames>sn</config:attributeNames>
    <config:attributeNames>uid</config:attributeNames>
    </config:attributeGroups>
    <config:attributeGroups>
    <config:groupName>sensitive</config:groupName>
    <config:attributeNames>password</config:attributeNames>
    </config:attributeGroups>
    <config:attributeGroups>
    <config:groupName>unchecked</config:groupName>
    <config:attributeNames>identifier</config:attributeNames>
    <config:attributeNames>createTimestamp</config:attributeNames>
    <config:attributeNames>modifyTimestamp</config:attributeNames>
    <config:attributeNames>entitlementInfo</config:attributeNames>
    </config:attributeGroups>
    </config:authorization>
    </config:configurationProvider>
    </sdo:datagraph>




Important Note: Always take a backup of wimconfig.xml before changing the federated repository. In theory you can restore the federated repository from this file if something goes wrong.
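As an added example (this reviewer's code, not IBM's and not from the original post), the following Python parses the default fileRegistry.xml shown above, lists the accounts and group members, and unwraps each <wim:password> value. The outer base64 layer hides a record of the form <algorithm>:<salt>:<base64 digest>, where the algorithm is the one named by messageDigestAlgorithm in wimconfig.xml. The sample XML is a constructed copy of the entries shown above, trimmed to the elements the parser uses.

```python
# Added example: enumerate accounts and groups in a WIM fileRegistry.xml and decode
# how each password is stored. Not IBM code; written against the file shown above.
import base64
import xml.etree.ElementTree as ET

WIM = "http://www.ibm.com/websphere/wim"
NS = {"wim": WIM}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the default fileRegistry.xml from above, trimmed to the
# elements used here (identifiers, the password, uid, and group members).
SAMPLE_FILE_REGISTRY = """\
<sdo:datagraph xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:sdo="commonj.sdo" xmlns:wim="http://www.ibm.com/websphere/wim">
  <wim:Root>
    <wim:entities xsi:type="wim:PersonAccount">
      <wim:identifier uniqueName="uid=wasadmin,o=defaultWIMFileBasedRealm"/>
      <wim:parent><wim:identifier uniqueName="o=defaultWIMFileBasedRealm"/></wim:parent>
      <wim:password>U0hBLTE6NWtqbHV1b3hjY2FwOmtzLzVMSHFQUkpCQ1R4ZGlIak8yRDRBdUlkYz0K</wim:password>
      <wim:uid>wasadmin</wim:uid>
    </wim:entities>
    <wim:entities xsi:type="wim:Group">
      <wim:identifier uniqueName="cn=wpsadmins,o=defaultWIMFileBasedRealm"/>
      <wim:cn>wpsadmins</wim:cn>
      <wim:members>
        <wim:identifier uniqueName="uid=wasadmin,o=defaultWIMFileBasedRealm"/>
      </wim:members>
    </wim:entities>
  </wim:Root>
</sdo:datagraph>
"""

# Digest names worth calling out in an audit: all of them are fast hashes.
FAST_DIGESTS = {"SHA-1", "SHA", "MD5"}


def decode_wim_password(value):
    """Unwrap a <wim:password> value into (algorithm, salt, digest_bytes).

    The element text is base64; decoding gives 'ALG:salt:base64digest' with a
    trailing newline, so the digest itself is base64-wrapped a second time.
    """
    record = base64.b64decode(value).decode("ascii").strip()
    algorithm, salt, digest_b64 = record.split(":", 2)
    return algorithm, salt, base64.b64decode(digest_b64)


def audit_file_registry(xml_text):
    """Return (accounts, groups): accounts is a list of dicts describing each
    PersonAccount's stored digest; groups maps a group uniqueName to its member uniqueNames."""
    root = ET.fromstring(xml_text)
    accounts, groups = [], {}
    for entity in root.iterfind(".//wim:entities", NS):
        # find() only looks at direct children, so the identifier under <wim:parent> is skipped.
        name = entity.find("wim:identifier", NS).get("uniqueName")
        kind = entity.get(XSI_TYPE)
        if kind == "wim:PersonAccount":
            algorithm, salt, digest = decode_wim_password(entity.findtext("wim:password", namespaces=NS))
            accounts.append({
                "uniqueName": name,
                "algorithm": algorithm,
                "salt": salt,
                "digest_len": len(digest),
                "digest_b64": base64.b64encode(digest).decode("ascii"),
            })
        elif kind == "wim:Group":
            groups[name] = [m.get("uniqueName") for m in entity.findall("wim:members/wim:identifier", NS)]
    return accounts, groups


def fast_hash_accounts(accounts):
    """uniqueNames whose digest algorithm is a fast hash: guessable offline by anyone
    who can read fileRegistry.xml, so the file's permissions are the real control."""
    return [a["uniqueName"] for a in accounts if a["algorithm"].upper() in FAST_DIGESTS]


if __name__ == "__main__":
    accounts, groups = audit_file_registry(SAMPLE_FILE_REGISTRY)
    for a in accounts:
        print("%(uniqueName)s: %(algorithm)s salt=%(salt)s digest=%(digest_len)d bytes" % a)
    for g, members in groups.items():
        print("%s -> %s" % (g, ", ".join(members)))
    print("fast-hash accounts:", fast_hash_accounts(accounts))
```

Point audit_file_registry at the real wp_profile/config/cells/<cell>/fileRegistry.xml to see which accounts still live in the file-based realm after you federate an LDAP; ideally only the bootstrap administrator does. How VMM combines the salt and the password before hashing is not shown on this page, so the code reports the digest rather than trying to verify a guess.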

What is Federated User Repository

Before WAS 6.1, if you wanted to use multiple LDAPs, or a combination of LDAP and a database, as the user repository, your only option was to write a custom user registry, which is complex. Starting with WAS 6.1 you can use the federated user repository, which maps entries from multiple individual user repositories into a single virtual repository.

The federated repository consists of a single named realm, which is a set of independent user repositories. Each repository may be an entire external repository or, in the case of LDAP, a subtree within that repository. The root of each repository is mapped to a base entry within the federated repository, which is that repository's starting point within the hierarchical namespace of the virtual realm. To the WebSphere Application Server runtime there is still only one registry, so all applications in the cell share this single registry.

A federated repository contains a realm that can consist of identities in:

* The file-based repository that is built into the system.
* One or more external LDAP repositories.
* A JDBC accessible database repository.

http://www.ibm.com/developerworks/websphere/techjournal/0701_ilechko/0701_ilechko.html