Friday, December 7, 2012

Webcenter - Users from Multiple LDAP Providers

Scenario:

A company has 3 different LDAP providers as its user repository, and it wants to assign roles and grant access to all of those users in WebCenter Portal / WebCenter Spaces.

Possibilities:

WebCenter previously had a restriction: it could only fetch users from the first LDAP provider in the security realm. Although users from the second LDAP provider were available at the WebLogic security layer, WebCenter could not see them. This was a huge limitation, but it is now fixed.

Eg: As in the picture below, although both OID and the Default Authenticator are configured in WebLogic's security realm and their JAAS control flags are set to SUFFICIENT, WebCenter only picks up users from OID and not from the Default Authenticator.

Solution:

There is now a fix for this restriction:

Step 1 - Configure all your LDAP providers in the security realm, set their JAAS control flag to SUFFICIENT, and re-order them to the top of the provider list.

Step 2 - Restart the WebLogic server and check that all the users appear in WebLogic's Users and Groups section.

Step 3 - Browse to $DOMAIN_HOME/config/fmwconfig/jps-config.xml and find the following tag:

 <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
   <property name="idstore.config.provider"
             value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
   <property name="CONNECTION_POOL_CLASS"
             value="oracle.security.idm.providers.stdldap.JNDIPool"/>
 </serviceInstance>

Step 4 - Add the following property tag, which enables queries against multiple LDAP providers:

 <property name="virtualize" value="true"/>

Step 5 - After the change, the tag looks like this:

 <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
   <property name="idstore.config.provider"
             value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
   <property name="CONNECTION_POOL_CLASS"
             value="oracle.security.idm.providers.stdldap.JNDIPool"/>
   <property name="virtualize" value="true"/>
 </serviceInstance>
 
Step 6 - Restart the Admin Server and the managed servers.

Step 7 - Users from all LDAP providers are now available in WebCenter. To check, log in to Portal Administration, browse to the Security tab, enter * in the search users field and click Go.
You should see users from all the LDAP providers :-)
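As an added example (not code from the original post), the following Python script audits a jps-config.xml for the virtualize property on the idstore.ldap serviceInstance from steps 3 to 5 and adds or corrects it when needed. SAMPLE_JPS_CONFIG is a constructed stand-in for a real domain's file, and tags are matched by local name so a namespaced jps-config.xml works as well.

```python
# Added example (not the post's code): audit/patch the "virtualize" property on the
# idstore.ldap serviceInstance of a jps-config.xml. SAMPLE_JPS_CONFIG is a constructed stand-in.
import xml.etree.ElementTree as ET

# Constructed sample mirroring the serviceInstance shown in step 3 (virtualize not yet set).
SAMPLE_JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>"""

_local = lambda tag: tag.rsplit("}", 1)[-1]  # strip a "{namespace-uri}" prefix, if any

def find_idstore(root, instance_name="idstore.ldap"):
    # Locate the identity-store serviceInstance that the post edits.
    for el in root.iter():
        if _local(el.tag) == "serviceInstance" and el.get("name") == instance_name:
            return el
    return None

def _virtualize_prop(inst):
    # Return the <property name="virtualize"> child of the instance, or None.
    for prop in inst:
        if _local(prop.tag) == "property" and prop.get("name") == "virtualize":
            return prop
    return None

def virtualize_enabled(xml_text):
    # True only when idstore.ldap carries <property name="virtualize" value="true"/>.
    inst = find_idstore(ET.fromstring(xml_text))
    prop = _virtualize_prop(inst) if inst is not None else None
    return prop is not None and prop.get("value", "").strip().lower() == "true"

def patch_jps_config(xml_text):
    # Return (changed, new_xml): adds the property, or fixes a value other than "true".
    root = ET.fromstring(xml_text)
    inst = find_idstore(root)
    if inst is None:
        raise ValueError("no serviceInstance named idstore.ldap in this document")
    prop = _virtualize_prop(inst)
    if prop is None:
        ns = inst.tag[: len(inst.tag) - len("serviceInstance")]  # keep child in same namespace
        ET.SubElement(inst, ns + "property", name="virtualize", value="true")
    elif prop.get("value", "").strip().lower() == "true":
        return False, xml_text
    else:
        prop.set("value", "true")
    return True, ET.tostring(root, encoding="unicode")
```

Run virtualize_enabled over the real file before and after editing it to confirm the change landed on the idstore.ldap instance rather than on another serviceInstance.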