Introduction
This blog post covers how to get dynamic groups to work with Oracle WebCenter without having to use an external Oracle Virtual Directory (OVD) instance.
Background information on dynamic groups and Oracle WebCenter can be found in Part 1 of this two-part blog post, which also covers how the OVD DynamicGroups Plug-in works and how it is used with an external OVD instance.
Main Article
WebCenter’s user creation, authentication, and authorization are managed through Oracle Platform Security Services (OPSS). The OPSS API queries the LDAP server for groups and reads their members from the uniquemember attribute. The DynamicGroups Plug-in monitors the LDAP objects returned by those queries; whenever an object carries a memberurl attribute, the plug-in evaluates each memberurl value (an LDAP URL naming a search base, scope and filter) and adds the entries it selects to that object’s uniquemember attribute.
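As an added example (not the plug-in’s own code and not part of the original post), the following Python models the expansion just described: it parses a memberurl value as an LDAP URL, applies its base, scope and filter to a small constructed in-memory directory, and returns the resulting uniquemember list. The directory, the DNs, the group and the filter subset handled (equality, presence, &, |, !; DNs without escaped commas) are assumptions made for illustration.

```python
"""Added example, not Oracle's code: what the DynamicGroups plug-in does with a group
entry, modelled on the article's description (memberurl is expanded and the matching
entries are added to uniquemember). The directory, the DNs and the filter subset
handled here (equality, presence, &, |, !; no escaped commas in DNs) are assumptions
made for illustration."""
from urllib.parse import unquote

def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

# Constructed sample directory: DN -> attributes. Attribute names are lower-cased
# because LDAP attribute names are case-insensitive.
SAMPLE_DIRECTORY = {normalize_dn(dn): attrs for dn, attrs in {
    "uid=alice,ou=people,dc=example,dc=com": {"departmentnumber": ["42"], "title": ["engineer"]},
    "uid=bob,ou=people,dc=example,dc=com": {"departmentnumber": ["42"], "title": ["manager"]},
    "uid=carol,ou=people,dc=example,dc=com": {"departmentnumber": ["7"]},
    "uid=dave,ou=contractors,dc=example,dc=com": {"departmentnumber": ["42"]},
}.items()}

# Constructed group with one static member and one memberURL (RFC 4516 LDAP URL).
SAMPLE_GROUP = {
    "uniquemember": ["uid=carol,ou=people,dc=example,dc=com"],
    "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)"],
}

def parse_member_url(url):
    """Split ldap://host/<base>?<attrs>?<scope>?<filter> into (base, scope, filter)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("memberURL is not an LDAP URL: %r" % url)
    _host, _, rest = url[len("ldap://"):].partition("/")  # host is empty in memberURL
    fields = rest.split("?")
    base = normalize_dn(unquote(fields[0]))
    scope = fields[2].lower() if len(fields) > 2 and fields[2] else "base"
    filt = unquote(fields[3]) if len(fields) > 3 and fields[3] else "(objectclass=*)"
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return base, scope, filt

def in_scope(dn, base, scope):
    """Is DN inside the search base for the given scope?"""
    dn = normalize_dn(dn)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)

def _parse_filter(s):
    """Recursive-descent parser for the supported RFC 4515 subset; returns (node, rest)."""
    if not s.startswith("("):
        raise ValueError("filter must start with '(': %r" % s)
    body = s[1:]
    if body[:1] in ("&", "|", "!"):
        op, body, children = body[0], body[1:], []
        while body.startswith("("):
            child, body = _parse_filter(body)
            children.append(child)
        if not body.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, children), body[1:]
    end = body.index(")")
    attr, _, value = body[:end].partition("=")
    return ("=", attr.strip().lower(), value), body[end + 1:]

def match_filter(filt, attrs):
    """Evaluate a search filter against one entry's attributes."""
    node, rest = _parse_filter(filt.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return _eval(node, attrs)

def _eval(node, attrs):
    op = node[0]
    if op == "&":
        return all(_eval(c, attrs) for c in node[1])
    if op == "|":
        return any(_eval(c, attrs) for c in node[1])
    if op == "!":
        return not _eval(node[1][0], attrs)
    _, attr, value = node
    values = [v.lower() for v in attrs.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values

def expand_dynamic_group(group, directory):
    """Effective uniquemember list: the static members plus every entry each memberURL selects."""
    members = [normalize_dn(dn) for dn in group.get("uniquemember", [])]
    for url in group.get("memberurl", []):
        base, scope, filt = parse_member_url(url)
        for dn, attrs in directory.items():
            if dn not in members and in_scope(dn, base, scope) and match_filter(filt, attrs):
                members.append(dn)
    return members
```

With the sample data, expand_dynamic_group returns carol (static) plus alice and bob (department 42 under ou=people); dave, who is also in department 42 but under ou=contractors, is left out by the search base. Widening the URL’s base to dc=example,dc=com pulls dave in without any change to uniquemember in the directory, which is why write access to memberurl deserves the same ACLs as write access to uniquemember: for a dynamic group, memberurl is the membership list.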
1) Apply Patch 12680524 on top of your FMW 11.1.1.5 Mid-tier Home. The patch updates two classes in the <Middleware_home>/oracle_common/modules/oracle.ovd_11.1.1/plugins.jar library. If you do not have access to this patch, request it through an Oracle Support Service Request.
2) Configuring the JPS WLS Identity Store Service for Multiple LDAP
The virtualize property is used to configure the service for multi-LDAP look-ups. This property can be either true (multi-LDAP lookup) or false (single-LDAP lookup). The default is false.
You can configure it either through Fusion Middleware Control or by editing the jps-config.xml file directly.
Via Fusion Middleware Control, take these steps:
i. Select the WebLogic domain in the navigation pane on the left.
ii. Navigate to Security, then Security Provider Configuration.
iii. Expand the Identity Store Provider section of the page.
iv. Click Configure (corresponding to “Configure parameters for User and Role APIs to interact with identity store”).
v. The Identity Store Configuration page appears.
vi. Under Custom Properties, click Add.
vii. Add the new property as follows:
Property Name=virtualize
Value=true
viii. Click OK.
Via direct editing of the jps-config.xml file:
In <Middleware_home>/user_projects/domains/<your_ecm_domain>/config/fmwconfig/jps-config.xml add the virtualize property line shown below:
BEFORE:
<!-- JPS WLS LDAP Identity Store Service Instance -->
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
</serviceInstance>
AFTER:
<!-- JPS WLS LDAP Identity Store Service Instance -->
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    <property name="virtualize" value="true"/>
</serviceInstance>
For reference, see Section 7.3, Configuring the Identity Store Service, in the Oracle® Fusion Middleware Application Security Guide 11g Release 1 (11.1.1).
3) Configure the OVD DynamicGroup Plug-in by adding a DynamicGroup plug-in section, including it in the default plug-in chain, and setting the active flag of the DefaultAuthenticator adapter to false. Then restart your WLS domain.
Config File: <Middleware_home>/user_projects/domains/<your_ecm_domain>/config/fmwconfig/ovd/default/adapters.os_xml
3.1) Add the following plugin section after the UserManagement plug-in and before the VirtualAttribute plug-in:
<plugin>
    <name>DynamicGroup</name>
    <class>oracle.ods.virtualization.engine.chain.plugins.DynamicGroups.DynamicGroups</class>
    <initParams>
        <param name="globalsearch" value="false"/>
        <param name="fetchBothStaticAndDynamicGps" value="true"/>
        <param name="transformdn" value="true"/>
        <param name="usersearchbase" value="##### user search base for your environment #####"/>
    </initParams>
</plugin>
3.2) Add the DynamicGroup plugin in the default section:
BEFORE:
<default>
    <plugin name="UserManagement"/>
    <plugin name="VirtualAttribute"/>
    <plugin name="HideEntry"/>
</default>
AFTER:
<default>
    <plugin name="DynamicGroup"/>
    <plugin name="UserManagement"/>
    <plugin name="VirtualAttribute"/>
    <plugin name="HideEntry"/>
</default>
3.3) Disable the DefaultAuthenticator by setting the active flag to false:
BEFORE:
<ldap id="DefaultAuthenticator" version="0">
    <root>##### root for your environment #####</root>
    <active>true</active>
    <serverType>WLS_OVD</serverType>
    <routing>
    …
AFTER:
<ldap id="DefaultAuthenticator" version="0">
    <root>##### root for your environment #####</root>
    <active>false</active>
    <serverType>WLS_OVD</serverType>
    <routing>
    …
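Before restarting the domain it is worth confirming that both files actually carry the edits from steps 2 and 3. The following Python checker is an added example, not Oracle’s code and not part of the original post. It relies only on the element names the article shows (serviceInstance/property, plugin/name/class/param, default/plugin, ldap/active), ignores XML namespaces and whatever wrapper elements surround them, and flags the usual slips: virtualize missing, the DynamicGroup plug-in not defined or not in the default chain, usersearchbase left as the ##### placeholder, and DefaultAuthenticator still active. The two sample documents inside it are constructed for the demonstration, not copied from a real domain.

```python
"""Added example, not Oracle's code: check that jps-config.xml and adapters.os_xml carry
the edits from steps 2 and 3 before the domain is restarted. Assumptions, labelled as such:
only element names the article shows are relied on (serviceInstance/property, plugin/name/
class/param, default/plugin, ldap/active); namespaces and wrapper elements are ignored.
The two sample documents are constructed for the demonstration, not copied from a domain."""
import sys
import xml.etree.ElementTree as ET

DYNAMIC_GROUP_CLASS = "oracle.ods.virtualization.engine.chain.plugins.DynamicGroups.DynamicGroups"
PLACEHOLDER = "#####"  # marker the article uses for values you must fill in

GOOD_JPS = """<jpsConfig xmlns="urn:example:jps-config">
  <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    <property name="virtualize" value="true"/>
  </serviceInstance>
</jpsConfig>"""

GOOD_ADAPTERS = """<adapters>
  <ldap id="DefaultAuthenticator" version="0">
    <active>false</active>
    <plugins>
      <plugin><name>UserManagement</name></plugin>
      <plugin>
        <name>DynamicGroup</name>
        <class>oracle.ods.virtualization.engine.chain.plugins.DynamicGroups.DynamicGroups</class>
        <initParams>
          <param name="globalsearch" value="false"/>
          <param name="usersearchbase" value="ou=people,dc=example,dc=com"/>
        </initParams>
      </plugin>
    </plugins>
    <default>
      <plugin name="DynamicGroup"/>
      <plugin name="UserManagement"/>
      <plugin name="VirtualAttribute"/>
      <plugin name="HideEntry"/>
    </default>
  </ldap>
</adapters>"""

# The BEFORE state of each file, derived from the finished samples above.
BAD_JPS = GOOD_JPS.replace('<property name="virtualize" value="true"/>', "")
BAD_ADAPTERS = (GOOD_ADAPTERS.replace("<active>false</active>", "<active>true</active>")
                .replace('<plugin name="DynamicGroup"/>', ""))

def _local(tag):
    """Strip an {xmlns} prefix so lookups work whether or not the file declares a namespace."""
    return tag.rsplit("}", 1)[-1]

def _all(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]

def _child_text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), None)

def check_jps_config(jps_xml):
    """Step 2: the idstore.ldap service instance must carry virtualize=true."""
    inst = [s for s in _all(ET.fromstring(jps_xml), "serviceInstance") if s.get("name") == "idstore.ldap"]
    if not inst:
        return ["jps-config.xml: no serviceInstance named idstore.ldap"]
    props = {p.get("name"): p.get("value") for s in inst for p in s if _local(p.tag) == "property"}
    if (props.get("virtualize") or "").lower() != "true":
        return ["jps-config.xml: idstore.ldap virtualize=%r, expected 'true'" % props.get("virtualize")]
    return []

def check_adapters(adapters_xml):
    """Step 3: plug-in defined (3.1), in the default chain (3.2), DefaultAuthenticator inactive (3.3)."""
    root, findings = ET.fromstring(adapters_xml), []
    defs = [p for p in _all(root, "plugin") if _child_text(p, "name") == "DynamicGroup"]
    if not defs:
        findings.append("adapters.os_xml: no <plugin> definition named DynamicGroup")
    for p in defs:
        if _child_text(p, "class") != DYNAMIC_GROUP_CLASS:
            findings.append("adapters.os_xml: DynamicGroup class is %r" % _child_text(p, "class"))
        base = {q.get("name"): q.get("value") for q in _all(p, "param")}.get("usersearchbase") or ""
        if not base or PLACEHOLDER in base:
            findings.append("adapters.os_xml: usersearchbase is unset or still the placeholder")
    for chain in _all(root, "default"):
        names = [q.get("name") for q in chain if _local(q.tag) == "plugin"]
        if names and "DynamicGroup" not in names:
            findings.append("adapters.os_xml: default chain %s lacks DynamicGroup" % names)
        elif names and "UserManagement" in names and names.index("DynamicGroup") > names.index("UserManagement"):
            findings.append("adapters.os_xml: DynamicGroup listed after UserManagement; the article puts it first")
    for ldap in _all(root, "ldap"):
        if ldap.get("id") == "DefaultAuthenticator" and _child_text(ldap, "active") != "false":
            findings.append("adapters.os_xml: DefaultAuthenticator active=%r, expected 'false'" % _child_text(ldap, "active"))
    return findings

def check_config(jps_xml, adapters_xml):
    """Empty list means both files look the way steps 2 and 3 leave them."""
    return check_jps_config(jps_xml) + check_adapters(adapters_xml)

if __name__ == "__main__":  # python check_dyngroups.py jps-config.xml adapters.os_xml
    if len(sys.argv) == 3:
        problems = check_config(open(sys.argv[1]).read(), open(sys.argv[2]).read())
    else:  # no paths given: show the findings for the constructed BEFORE state
        problems = check_config(BAD_JPS, BAD_ADAPTERS)
    print("\n".join(problems) or "OK: dynamic-group configuration present")
    sys.exit(1 if problems else 0)
```

Run it with the two real file paths from <Middleware_home>/user_projects/domains/<your_ecm_domain>/config/fmwconfig/ as arguments; with no arguments it reports the findings for the constructed BEFORE state. The ordering check mirrors the article’s AFTER snippet, which lists DynamicGroup first in the default chain.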
You are all set. Test it by logging in to WebCenter Content (a.k.a. UCM) as an external LDAP user and confirming that both static and dynamic groups appear on the user profile page. Keep in mind that the plug-in derives dynamic membership from memberurl at query time, so anyone who can modify a group’s memberurl attribute in the external LDAP can change who belongs to that group; keep write access to memberurl as tightly controlled as write access to uniquemember.
All content listed on this page is the property of Oracle Corp. Redistribution not allowed without written permission