2 Replies Latest reply on Oct 30, 2011 10:54 AM by biemond

    OPSS errors with virtualize attribute in LDAP


      I want to retrieve the user attributes for a user in ADF on weblogic PS3 , so far Ok.
      I got the user attributes of the internal weblogic ldap user .

      Now I also want to do this from an Active Directory user , so I configured the AD authentication provider and I can see the user and groups.
      When I log in with a AD user I can see this error ( login was successful , but no user attributes )

      oracle.security.idm.ObjectNotFoundException: No User found matching the criteria
           at oracle.security.idm.providers.stdldap.util.DirectSearchResponse.initSearch(DirectSearchResponse.java:173)
           at oracle.security.idm.providers.stdldap.util.NonPagedSearchResponse.<init>(NonPagedSearchResponse.java:52)
           at oracle.security.idm.providers.stdldap.util.LDAPRealm.searchUsers(LDAPRealm.java:430)
           at oracle.security.idm.providers.stdldap.LDIdentityStore.searchUser(LDIdentityStore.java:439)
           at oracle.security.idm.providers.stdldap.LDIdentityStore.searchUser(LDIdentityStore.java:488)
           at nl.amis.security.opss.OpssBean.<init>(OpssBean.java:47)

      This is correct, so I set the virtualize attribute

      <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
           <property name="virtualize" value="true"/>

      The Virtual directory is working but now I got no user attributes with the internal wls user and the ad user

      this is the error.

      <VDELogger> <warn> You must use SSL port for this adapter or configure ssladapter with an adapter which uses SSL port.
      oracle.security.idm.IMException: Not supported
           at oracle.security.idm.providers.libovd.LibOVDIdentityStore.getUserPropertyNames(LibOVDIdentityStore.java:751)
           at oracle.security.idm.providers.libovd.LibOVDUser.getAllUserProperties(LibOVDUser.java:613)
           at nl.amis.security.opss.OpssBean.<init>(OpssBean.java:50)
           at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
           at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
           at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
           at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
           at java.lang.Class.newInstance0(Class.java:355)
           at java.lang.Class.newInstance(Class.java:308)
           at oracle.adfinternal.controller.beans.ManagedBeanFactory.newInstance(ManagedBeanFactory.java:175)

      My code to retrieve the attributes.

      ADFContext adfCtx = ADFContext.getCurrent();
      SecurityContext secCntx = adfCtx.getSecurityContext();

      this.username = secCntx.getUserName();

      for (String role : secCntx.getUserRoles()) {
      this.roles = this.roles + role + ", ";

      try {
      JpsContext jpsCtx =
      IdentityStoreService service = jpsCtx.getServiceInstance(IdentityStoreService.class);

      IdentityStore idStore = service.getIdmStore();

      User user = idStore.searchUser(secCntx.getUserName());
      if (user != null) {
      UserProfile userProfile = user.getUserProfile();

      PropertySet propSet = userProfile.getAllUserProperties();

      Iterator it = propSet.getAll();
      while (it.hasNext()) {
      Property prop = (Property)it.next();
      this.attributes =
      this.attributes + "property: " + prop.getName();
      Iterator it2 = prop.getValues().iterator();
      while (it2.hasNext()) {
      Object val = it2.next();
      this.attributes =
      this.attributes + " values: " + val.toString() +
      } catch (JpsException e) {
      } catch (IMException e) {

        • 1. Re: OPSS errors with virtualize attribute in LDAP
          Can you clarify the requirement - does the ADF application need to user for user profile information from both DefaultAuthenticator and AD? If querying AD is sufficient, then virtualize=true is overkill and not needed.
          Ensure that the ordering of the authn providers and the control flag settings in WLS console is correct. Refer to this blog post for more details http://fusionsecurity.blogspot.com/2011/08/couple-of-things-you-need-to-know-about.html
          All you may have to do is make the AD authn provider the first one in list (as long as the control flags are the same).

          The error you are seeing is because
          - the AD is configured using SSL
          - the code that got triggered with virtualize=true has different keystore requirements and it doesn't find the correct configuration.

          • 2. Re: OPSS errors with virtualize attribute in LDAP

            Indeed, I made the AD authenticator my first one and then it works, I can retrieve the attributes.

            It has nothing to do with SSL and AD but with virtualize , idm will switch to OVD mode and then is trying to retrieve attributes of a user.
            I used a decompiler and I saw that this is not implemented in OVD and I saw the warning.

            see my blogpost