Introduction
Do you have some dynamic groups on your Directory?
Are you puzzled about how to get these memberships and their privileges into your WebCenter Portal/Spaces/Content (a.k.a. UCM)?
This blog post will cover how to configure your WebCenter Content system to use dynamic-group-based memberships.
Main Article
Oracle WebCenter products run on the WebLogic Server. Out-of-the-box, WebLogic is configured to use its Embedded LDAP Server Identity Store. Most enterprises run their own Directory Server. Therefore, WebLogic's Identity Store will need to be configured to use an external LDAP server by creating a New Authentication Provider in the Security Realm, as shown at the following URL: http://docs.oracle.com/cd/E12839_01/webcenter.1111/e12405/wcadm_security.htm#BGBHHGEH
The example below shows a Sun One Authentication Provider (screenshot from the WebLogic Server Administration Console).
From the same WLS Administration Console, we can see that both a static and a dynamic group are being obtained from the external LDAP server for our sample user.
However, when doing a WebCenter Content login (a.k.a. UCM login), we see that only the static group was obtained.
Why are the dynamic groups not showing up on the WebCenter products?
WebCenter products do run on a WebLogic Server. However, user creation, authentication, and authorization are managed using Oracle Platform Security Services (OPSS). OPSS uses a different mechanism to gather Directory Server information than the native WLS providers for an external LDAP server do.
Static groups explicitly name their member entries. An entry that defines a static group uses the groupOfNames or groupOfUniqueNames object class and contains the DN of each member as a value of the member or uniqueMember attribute respectively. The member attribute contains a DN against which the server checks to establish group membership. For example,
dn: cn=Product Management Users,ou=Groups,dc=oracle,dc=com
objectClass: top
objectClass: groupofuniquenames
uniqueMember: uid=LUser,ou=People,dc=oracle,dc=com
uniqueMember: uid=NUser,ou=People,dc=oracle,dc=com
Dynamic groups specify a filter, and all entries that match the filter are members of the group. These groups are dynamic because membership is defined each time the filter is evaluated. The definition entry of a dynamic group belongs to the groupOfUniqueNames and groupOfURLs object classes. The group members are listed by one or more filters represented as LDAP URL values of the memberURL attribute. For example,
dn: cn=Product Development Users,ou=Groups,dc=oracle,dc=com
memberURL: ldap:///dc=oracle,dc=com??sub?(&(ou=Product Development))
objectClass: top
objectClass: groupofuniquenames
objectClass: groupofurls
The OPSS API queries the LDAP server for groups whose members are identified by the uniquemember attribute. A dynamic group lists its members only through memberURL, so this explains why the WLS Administration Console shows both static and dynamic groups while the WebCenter Content Server UI shows only static groups.
How to get dynamic groups to appear in WebCenter
Since the OPSS API queries the LDAP server for groups whose members are identified by uniquemember, we need to configure an additional step that virtualizes dynamic groups into virtual static groups. With that in place, the OPSS API queries will return both static and dynamic groups.
There are two ways to achieve this:
(i) Using an external Oracle Virtual Directory
(ii) Using internal OPSS libraries for OVD
In this blog post, I will cover the option using an external OVD. A solution using internal OPSS libraries for OVD will be covered in a separate blog post.
When using an external Oracle Virtual Directory (OVD) instance, an OVD Provider needs to be registered in WLS. Additionally, the OVD DynamicGroups plug-in needs to be enabled. This allows Oracle Virtual Directory to process LDAP entries whose objectclass is both groupofuniquenames and groupofurls (referred to as a "dynamic group") and convert them into a virtual static group, i.e. a groupofuniquenames equivalent. The plug-in works by monitoring returned LDAP objects and detecting objects where the memberurl attribute is present and the objectclass is both groupofuniquenames and groupofurls.
When detected, the plug-in automatically processes any memberurl values and adds the results to the uniquemember attribute. This dynamic object processing allows administrators to define groups that hold both static members and dynamic members while maintaining compatibility with applications that may not normally support the groupofurls objectclass.
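To make concrete what that virtualization does to the two entries shown earlier (a static group carrying uniqueMember, a dynamic group carrying memberURL), here is an added Python simulation. It is not Oracle's DynamicGroups plug-in code and is not part of the original post: it parses the memberURL LDAP URL, applies its scope and filter to a small constructed in-memory directory, and folds the matches into uniqueMember, so that a uniqueMember-only lookup (the OPSS behaviour described above) sees both kinds of membership. The directory contents, the user entries and the helper names (parse_ldap_url, virtualize, groups_for) are assumptions made for this example; the filter parser handles only the &, |, ! and equality forms, without RFC 4515 escaping.

```python
"""Simulation of turning a dynamic group into a virtual static group.

Added illustration only (not Oracle's plug-in): expand each memberURL of a
groupofuniquenames + groupofurls entry and merge the matches into uniqueMember.
"""
import re
from urllib.parse import unquote

# Constructed sample directory: DN -> attributes (lower-cased attribute names).
# The two group entries mirror the post's LDIF examples; the people entries are
# invented so that NUser is both a static member and a dynamic match.
DIRECTORY = {
    "uid=LUser,ou=People,dc=oracle,dc=com": {
        "objectclass": ["top", "person"], "uid": ["LUser"], "ou": ["Product Management"]},
    "uid=NUser,ou=People,dc=oracle,dc=com": {
        "objectclass": ["top", "person"], "uid": ["NUser"], "ou": ["Product Development"]},
    "uid=DUser,ou=People,dc=oracle,dc=com": {
        "objectclass": ["top", "person"], "uid": ["DUser"], "ou": ["Product Development"]},
    "cn=Product Management Users,ou=Groups,dc=oracle,dc=com": {
        "objectclass": ["top", "groupofuniquenames"],
        "uniquemember": ["uid=LUser,ou=People,dc=oracle,dc=com",
                         "uid=NUser,ou=People,dc=oracle,dc=com"]},
    "cn=Product Development Users,ou=Groups,dc=oracle,dc=com": {
        "objectclass": ["top", "groupofuniquenames", "groupofurls"],
        "memberurl": ["ldap:///dc=oracle,dc=com??sub?(&(ou=Product Development))"]},
}


def norm(dn):
    """Normalise a DN for comparison (case and spacing only; no escaping)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def parse_ldap_url(url):
    """Split an RFC 4516 URL 'ldap://host/base?attrs?scope?filter' into its parts."""
    m = re.match(r"ldaps?://[^/]*/(.*)$", url)
    if not m:
        raise ValueError("not an LDAP URL: " + url)
    parts = (m.group(1).split("?") + [""] * 4)[:4]
    base, attrs, scope, filt = (unquote(p) for p in parts)
    return base, [a for a in attrs.split(",") if a], scope.lower() or "base", filt or "(objectClass=*)"


def parse_filter(s, i=0):
    """Parse a simple RFC 4515 filter at s[i]; return (node, index after it)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":                      # (&(...)(...)) / (|(...)(...))
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i] == "!":                       # (!(...))
        node, i = parse_filter(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)                   # (attr=value) or (attr=*)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry's attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = [v.lower() for v in entry.get(attr, [])]
    return bool(vals) if value == "*" else value.lower() in vals


def in_scope(dn, base, scope):
    """True if dn lies within base for the given search scope (base/one/sub)."""
    dn_parts = norm(dn).split(",")
    base_parts = [p for p in norm(base).split(",") if p]
    if base_parts and dn_parts[-len(base_parts):] != base_parts:
        return False
    depth = len(dn_parts) - len(base_parts)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def virtualize(entry, directory):
    """Return the entry with memberURL matches merged into uniqueMember.

    Only entries that carry memberurl AND are both groupofuniquenames and
    groupofurls are touched; anything else is returned unchanged.
    """
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "memberurl" not in entry or not {"groupofuniquenames", "groupofurls"} <= classes:
        return entry
    out = {k: list(v) for k, v in entry.items()}
    members = list(out.get("uniquemember", []))
    seen = {norm(m) for m in members}
    for url in entry["memberurl"]:
        base, _attrs, scope, filt = parse_ldap_url(url)
        node, _ = parse_filter(filt)
        for dn, attrs in directory.items():
            if in_scope(dn, base, scope) and matches(node, attrs) and norm(dn) not in seen:
                members.append(dn)
                seen.add(norm(dn))
    out["uniquemember"] = members
    return out


def groups_for(user_dn, directory):
    """Groups a uniqueMember-only lookup (OPSS style) sees once groups are virtualized."""
    return sorted(
        dn for dn, e in directory.items()
        if "groupofuniquenames" in {c.lower() for c in e.get("objectclass", [])}
        and norm(user_dn) in {norm(m) for m in virtualize(e, directory).get("uniquemember", [])})


if __name__ == "__main__":
    for user in ("uid=LUser,ou=People,dc=oracle,dc=com", "uid=NUser,ou=People,dc=oracle,dc=com"):
        print(user, "->", groups_for(user, DIRECTORY))
```

Without the virtualization step, groups_for would return only the Product Management group for NUser, which is exactly the gap seen in the WebCenter Content login above. On a real OVD listener the equivalent check is an ldapsearch for the dynamic group entry: with the plug-in active, the returned entry carries uniqueMember values for the memberURL matches; without it, only memberURL comes back and OPSS has nothing to match users against.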
Follow section 4.2.11 DynamicGroups Plug-In of the Oracle® Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g for its configuration: http://docs.oracle.com/cd/E23549_01/oid.1111/e10046/und_plug.htm#BABBBFDD
When using OVD with its DynamicGroups Plug-In enabled, a WebCenter login operation will bring back both static and dynamic groups:
Using internal OPSS libraries for OVD to get dynamic groups to appear in WebCenter
Stay tuned! In my next blog post, I will cover how to get dynamic groups to work without having to use an External Oracle Virtual Directory instance.
All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission