Architecture

Mapping Active Directory attributes in FMW

The Oracle Platform Security Services (OPSS) provides an abstraction layer for securing standard JEE applications, ADF applications and FMW Components such as the SOA Suite and Webcenter. By default, all user and role data is stored in the embedded LDAP directory from Weblogic, but other providers such as Active Directory and Open LDAP can be configured.

[Figure: OPSS]

Products such as Oracle Human Workflow and BPM access these providers through the OPSS layer, which abstracts the access logic for the different providers; OPSS consumers do not have to know whether the user information lives in OID, a flat file or Active Directory. If multiple providers are configured in the same domain, the attribute “virtualize” has to be set to true so that OPSS retrieves user information from all of the configured sources. Using this configuration with Active Directory has a drawback: OPSS only maps a few basic Active Directory attributes such as name, telephone, manager and email, but many projects need access to other fields such as division, givenName and the extensionAttributes.

The first option to solve this problem is to use Oracle Virtual Directory (OVD). With it, it is possible to define the access to different identity stores and the mappings of the corresponding objects. There is, however, another way to map these Active Directory attributes without OVD: when a provider is defined in WebLogic, its access details are also registered in the file <DOMAIN_HOME>/lib/config/fmwconfig/jps.config.

<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    <property name="username.attr" value="sAMAccountName"/>
    <property name="user.login.attr" value="sAMAccountName"/>
    <property name="virtualize" value="true"/>
    <property name="PROPERTY_ATTRIBUTE_MAPPING" value="owners=extensionAttribute14:MIDDLE_NAME=pwdLastSet"/>
</serviceInstance>

An additional property called PROPERTY_ATTRIBUTE_MAPPING can be added inside the service instance declaration. It defines a list of mappings: in each entry, the value on the right of the = is the Active Directory attribute and the name on the left is the property this attribute is mapped to.
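As an added example (not from the post or from Oracle's tooling), a small Python check that reads the serviceInstance above, splits PROPERTY_ATTRIBUTE_MAPPING into (property, AD attribute) pairs and flags entries that pull account-security attributes such as pwdLastSet into a user-profile field. The ':'-separated LEFT=adAttribute syntax is inferred from the post's sample value and is an assumption.

```python
# Added example, not from the post or Oracle: parse the idstore.ldap serviceInstance and
# check its PROPERTY_ATTRIBUTE_MAPPING. Assumes the value is ':'-separated LEFT=adAttr pairs.
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the post, wrapped in a root element.
SAMPLE_XML = """<jpsConfig>
  <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    <property name="username.attr" value="sAMAccountName"/>
    <property name="user.login.attr" value="sAMAccountName"/>
    <property name="virtualize" value="true"/>
    <property name="PROPERTY_ATTRIBUTE_MAPPING" value="owners=extensionAttribute14:MIDDLE_NAME=pwdLastSet"/>
  </serviceInstance>
</jpsConfig>"""

# Constructed review list: AD attributes that describe account-security state, not profile data.
SENSITIVE_AD_ATTRS = {"pwdLastSet", "unicodePwd"}

def instance_properties(xml_text, instance_name="idstore.ldap"):
    """Return {property name: value} for the named serviceInstance."""
    root = ET.fromstring(xml_text)
    for inst in root.iter("serviceInstance"):
        if inst.get("name") == instance_name:
            return {p.get("name"): p.get("value") for p in inst.findall("property")}
    raise KeyError(f"serviceInstance {instance_name!r} not found")

def parse_mapping(value):
    """Split 'LEFT=adAttr:LEFT2=adAttr2' into [(opss_property, ad_attribute), ...]."""
    pairs = []
    for chunk in filter(None, value.split(":")):
        if chunk.count("=") != 1:
            raise ValueError(f"malformed mapping entry: {chunk!r}")
        left, right = chunk.split("=")
        pairs.append((left.strip(), right.strip()))
    return pairs

def review_mapping(xml_text):
    """Return (pairs, warnings): the parsed mapping plus review findings."""
    props = instance_properties(xml_text)
    warnings = []
    if props.get("virtualize", "false").lower() != "true":
        warnings.append("virtualize is not true; OPSS will not merge multiple providers")
    pairs = parse_mapping(props.get("PROPERTY_ATTRIBUTE_MAPPING", ""))
    for opss_prop, ad_attr in pairs:
        if ad_attr in SENSITIVE_AD_ATTRS:
            warnings.append(f"{opss_prop} is mapped to account-security attribute {ad_attr}")
    return pairs, warnings
```

Run it against a copy of the real file by passing its contents instead of SAMPLE_XML; the sample mapping from the post produces one warning, for MIDDLE_NAME=pwdLastSet.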
