Joao,
If users are full users then a local search is done to find the user's private ISAM entry in the primary directory, which (based on DN) indicates which federated directory the real user entry exists in. So no sequential search of federated directories is required.
For basic users, directories are searched sequentially. In fact, by default, all directories are searched to make sure there are no duplicate users.
If duplicate checking is disabled then search order becomes important. You can manually specify the order or let the system learn based on where most users are found.
All these settings are in the ldap.conf file.
For basic users, the user is never synchronised to the local directory. You can't add a basic user directly to an ACL. You authorise basic users by adding them to groups. Groups to be used in ACLs must be imported to ISAM.
If a user is removed from the federated directory then they can no longer use Access Manager. Their password is not stored in Access Manager.
If the user object for a full user is removed from the federated directory then you will have an orphaned entry in the Access Manager primary directory. This entry cannot be used to log in - it is useless without the user object.
There's no process to check all full users looking for orphaned entries, although I think if the system tries to use one it will detect it as an orphan and remove it at that point.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Mon September 28, 2020 03:24 PM
From: Joao Goncalves
Subject: Federating Repositories
Thanks for the information, but this raises more questions!
When ISAM validates a user it checks some Federated Repository to see if he is defined there. If he is, he is copied onto the local registry. If not, it moves to the next repository, until it finds the user? How do I specify the search sequence?
Then users are only created in the local registry if they attempt to log in. How do I create ACLs for them if they are not synchronized?
If the user was removed from the Federated Repository, how long does it stay in the local repository? Forever?
If instead of having Basic Users I have Full Users, then the user is not authenticated against the Federated Repository, but instead is validated against the local repository! There must be a synchronization process; otherwise, I will be validating users that have been removed from the remote Federated Repository but kept in the local repository, and this is a security problem!
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
Original Message:
Sent: Mon September 28, 2020 03:01 PM
From: Jon Harry
Subject: Federating Repositories
Joao,
Federated Repositories are not synchronized. Access Manager calls out to these repositories at runtime to lookup user information and check passwords. No data is moved.
Jon.
P.S. There is a capability in our Directory Suite product called Federated Directory Service which *does* perform synchronization to a central directory - but the functionality in Access Manager is not the same thing despite the confusingly similar name.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Mon September 28, 2020 01:20 PM
From: Joao Goncalves
Subject: Federating Repositories
In terms of synchronization with the Federated Repositories, how do I tell the system the update frequency, or how do I ask for an on-demand synchronization? I searched everywhere for this information and cannot find it!
Regarding the basic users, that is exactly what I am doing, and it is working fine in our environment.
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
Original Message:
Sent: Mon September 28, 2020 01:04 PM
From: Jon Harry
Subject: Federating Repositories
Hi Joao,
If you want to specify multiple suffixes for a federated repository, you would specify the "suffix" parameter multiple times in the [server:<xxx>] stanza:
suffix = cn=users,dc=example,dc=com
suffix = cn=moreusers,dc=example,dc=com
I'm not sure if there's a functional difference between configuring 2 repositories x 1 suffix or 1 repository x 2 suffixes, but I'm pretty sure it will be more efficient to configure 1 repository and add all the suffixes. This will reduce connections required for sure. To be clear, I have never set up 2 repository definitions to the same directory... I have always just configured multiple suffixes where that was needed.
Changing the connection configuration for a federated directory should not affect imported users. An Access Manager user is linked to its directory entry by its DN (the suffix of that DN identifies which federated directory it resides in). If you change the DN of users in the connected directory that is going to cause issues. You will end up with orphaned "secUser" entries in the primary directory.
If you're looking into using Federated Directories, you might also want to look at "basic users" at the same time. When basic user function is enabled, you don't need to import users at all.
This lab might help: https://www.securitylearningacademy.com/course/view.php?id=4522
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
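The DN-to-directory linkage described in this thread (a full user's secUser entry is tied to its directory by the DN suffix, and a DN under no configured suffix is an orphan), as an added Python example that is not Access Manager code. The stanza names, suffixes and DNs are constructed; the only ldap.conf syntax assumed is the repeated `suffix` key inside a `[server:<xxx>]` stanza shown above.

```python
import re
from typing import Dict, List, Optional

# Constructed ldap.conf fragment (not a real deployment): two federated
# directories, the first with two "suffix" lines in its [server:<xxx>] stanza.
LDAP_CONF = """
[server:corpdir]
suffix = cn=users,dc=example,dc=com
suffix = cn=moreusers,dc=example,dc=com
[server:partnerdir]
suffix = ou=people,dc=partner,dc=org
"""
STANZA_RE = re.compile(r"^\[server:(?P<name>[^\]]+)\]$")

def normalize_dn(dn: str) -> str:
    """Lower-case RDNs and strip whitespace around commas for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_suffixes(conf: str) -> Dict[str, List[str]]:
    """Return {stanza name: [suffixes]}. A stock INI parser keeps only the last
    value of a repeated key, so the repeated 'suffix' lines are collected by hand."""
    servers: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            servers.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep and key.strip() == "suffix":
            servers[current].append(normalize_dn(value))
    return servers

def directory_for_dn(dn: str, servers: Dict[str, List[str]]) -> Optional[str]:
    """Name the stanza whose suffix the DN sits under; None means no configured
    suffix matches, i.e. the secUser entry is orphaned. Matching respects RDN
    boundaries (DN equals the suffix or ends with ','+suffix), so 'dc=notexample,
    dc=com' never matches 'dc=example,dc=com'; the longest suffix wins if nested."""
    ndn = normalize_dn(dn)
    best: Optional[str] = None
    best_len = -1
    for name, suffixes in servers.items():
        for suffix in suffixes:
            if (ndn == suffix or ndn.endswith("," + suffix)) and len(suffix) > best_len:
                best, best_len = name, len(suffix)
    return best
```

Running `directory_for_dn` over every secUser DN in the primary directory and collecting the `None` results is the orphan sweep the thread says the product does not perform on its own.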
Original Message:
Sent: Mon September 28, 2020 12:28 PM
From: Joao Goncalves
Subject: Federating Repositories
I have several questions regarding this topic.
When I try to Federate Repositories, there are several options available, including the SUFFIX. In this field we can specify one or more suffixes. According to IBM documentation (https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.0/com.ibm.isam.doc/wrp_stza_ref/reference/ref_server_suffix.html), I can add multiple entries in the same LDAP connection one per line (although it does not say how to separate them, I assume that is how it must be configured).
The questions I have are the following:
- What is the difference between having 2 Federated repositories to the same LDAP server, each using a different SUFFIX, or 1 Federated Repository with 2 SUFFIXES?
- What happens if I have already imported users from a repository (for example, using LDAP) and then later on I change the configuration and import the same users (for example, change the connection from LDAP to LDAPS)? Do I get duplicated users? Should I remove the users before re-configuring the Federated Repository?
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------