No application role with LibOVD in WebCenter Portal

1727305 Member Posts: 2
edited Feb 14, 2014 3:15AM in WebLogic Portal

Hello everyone,

We have a WebCenter Portal application with secured resources. Everything is working fine with one AD authenticator, which provides authentication and enterprise roles.

However, our goal is to have two different LDAPs: one for authentication (AD) and one for groups (ADAM).

We have two authenticators, one for each. They are SUFFICIENT, and the default authenticator is too. The ADAMAuthenticator is declared first, as I read that user information is retrieved from the first one.

<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    <sec:name>ADAMAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    ...
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>ADAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    ...
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:control-flag>SUFFICIENT</sec:control-flag>
</sec:authentication-provider>

In the jps-config.xml, we added the "virtualize=true" attribute.

<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <description>LDAP Identity Store Service Instance</description>
    <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    <serviceInstanceRef ref="ADAMAuthenticator"/>
    <property name="virtualize" value="true"/>
</serviceInstance>

<serviceInstance name="ADAMAuthenticator" provider="idstore.ldap.provider">
    <property name="idstore.type" value="ACTIVE_DIRECTORY" />
</serviceInstance>

We executed the commands to create a Join Adapter, with the ADAM adapter (which contains groups) as primary.

In the WebLogic console, we can see the groups from the ADAMAuthenticator for the users.

In the portal, authentication works fine, but there are no roles except the default ones (authenticated-role, anonymous, ...). I declared Enterprise Roles for the LDAP groups and Application Roles that are mapped onto the Enterprise Roles.

Is my configuration correct? Or did I miss something?

Edit: In the system-jazn-data.xml file, application roles are declared like this:

<app-role>
    <name>Administrator</name>
    <display-name>Webcenter Administrator</display-name>
    <description>Webcenter Administrator Role</description>
    <guid>3CA81B81948811E3BFB71F8E8023E81F</guid>
    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
    <members>
        <member>
            <class>weblogic.security.principal.WLSGroupImpl</class>
            <name>S_IRESO_Administrateurs</name>
        </member>
    </members>
</app-role>

The configuration with libOVD works fine in WebCenter Content (UCM) where we can see user roles.

Thanks
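
The script below is an added example, not code from the post or from Oracle. It audits the two configuration artifacts the post quotes: the authentication providers in the realm section of config.xml (order and control flags) and the WLSGroupImpl groups that application roles in system-jazn-data.xml expect. It then compares those expected group names with a list of groups the administrator has observed the authenticators returning (for instance what the WebLogic console shows for a user), since a group name that does not match exactly can never map to the role. The XML samples are constructed from the post's fragments, the namespace URIs and the element layout of jazn-data are assumptions, and the helper names (parse_providers, app_role_groups, audit) are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the security-realm part of config.xml, rebuilt from the
# fragments quoted in the post. The namespace URIs are assumptions for this example.
REALM_XML = """<realm xmlns:sec="http://xmlns.oracle.com/weblogic/security"
       xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    <sec:name>ADAMAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>ADAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>
</realm>"""

# Constructed sample of the app-role part of system-jazn-data.xml (layout assumed).
JAZN_XML = """<jazn-data>
  <policy-store><applications><application><name>webcenter</name>
    <app-roles>
      <app-role>
        <name>Administrator</name>
        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
        <members>
          <member>
            <class>weblogic.security.principal.WLSGroupImpl</class>
            <name>S_IRESO_Administrateurs</name>
          </member>
        </members>
      </app-role>
    </app-roles>
  </application></applications></policy-store>
</jazn-data>"""

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def local(tag):
    """Return an element tag without its namespace part."""
    return tag.rsplit("}", 1)[-1]


def parse_providers(xml_text):
    """Return the authentication providers in declaration order as
    (name, xsi:type, control-flag) tuples. A provider with no <sec:name>
    (the default authenticator in the post) is reported by its type."""
    root = ET.fromstring(xml_text)
    providers = []
    for prov in root.iter():
        if local(prov.tag) != "authentication-provider":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in prov}
        ptype = prov.get(XSI_TYPE, "")
        providers.append((fields.get("name") or ptype, ptype,
                          fields.get("control-flag", "")))
    return providers


def app_role_groups(xml_text):
    """Map each application role to the WLSGroupImpl group names it lists as members."""
    root = ET.fromstring(xml_text)
    roles = {}
    for role in root.iter():
        if local(role.tag) != "app-role":
            continue
        children = {local(c.tag): c for c in role}
        role_name = (children["name"].text or "").strip()
        groups = []
        for member in children.get("members", []):
            mf = {local(c.tag): (c.text or "").strip() for c in member}
            if mf.get("class", "").endswith("WLSGroupImpl"):
                groups.append(mf.get("name", ""))
        roles[role_name] = groups
    return roles


def audit(providers, roles, visible_groups):
    """Summarise what to verify before suspecting libOVD itself:
    - the first provider, which supplies the user's attributes and groups,
    - whether every provider is SUFFICIENT (then any one of them accepting the
      credentials logs the user in, the embedded default authenticator included),
    - app-role member groups absent from the groups the authenticators return
      (compared exactly, so a case or spelling difference is reported)."""
    visible = set(visible_groups)
    unresolved = {}
    for role, groups in roles.items():
        absent = [g for g in groups if g not in visible]
        if absent:
            unresolved[role] = absent
    return {
        "first_provider": providers[0][0] if providers else None,
        "all_sufficient": all(flag == "SUFFICIENT" for _, _, flag in providers),
        "unresolved_groups": unresolved,
    }


if __name__ == "__main__":
    # Constructed: group names as seen for a user in the WebLogic console.
    seen = ["S_IRESO_Administrateurs", "S_IRESO_Users"]
    print(audit(parse_providers(REALM_XML), app_role_groups(JAZN_XML), seen))
```

Feed it the real config.xml realm section, the real system-jazn-data.xml and the group list taken from the console (or from a directory query) instead of the constructed samples; an empty unresolved_groups result means the names line up and the remaining question is whether the portal's identity store is actually returning those groups through the join adapter.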

This discussion has been closed.