20 Replies Latest reply: Jun 11, 2013 2:31 AM by Lucas W.

    External LDAP user mapping with UCM role

    Lucas W.
      Hello WebCenter Content masters,

      I am having some trouble mapping a LDAP group to UCM role.
      Let me explain the situation.

      I have an external LDAP (Apache DS) with two groups (groupofuniquenames), "Administrators" and "Test", and two users "ldap_admin" and "ldap_user". ldap_admin is a uniqueMember of Administrators and ldap_test a uniqueMember of Test.

      In the UCM, I created a custom role "Test" with "RWD" privileges on "Public" group.

      I assume the external LDAP has been successfully configured as an LDAP Authenticator in the Providers tab of the myrealm settings, since I can see the groups and users from the external LDAP, and they can log in to the UCM with their user id and password.

      However, ldap_user cannot perform check-in operations, and on his profile page, the role is "guest,authenticated".
      And when I switch ldap_user from Test group to Administrators group, the role is then "guest,authenticated,admin,sysmanager,refineryadmin,rmaadmin,pcmadmin,ermadmin".
      So it appears the Administrators group is correctly mapped, but not the Test group.

      I tried to apply the advice given in these two threads:
      External LDAP user only has search priviledge in UCM
      Not able to map External Users to Roles in Webcenter Content 11g

      I created a credential map "externalLdapMap", completed the provider.hda file and put the mapping "Test, Test". I also tried with "Test, contributor" as I was not sure about the first mapping.
      Either way, after restarting the UCM server, I am still not able to grant write privilege to a user not in the Administrators group.

      Did I miss something in the process?
      Thank you for your attention, and of course any help would be greatly appreciated.
      L.
        • 1. Re: External LDAP user mapping with UCM role
          Jiri.Machotka-Oracle
          a) you should not need the Credential Mapping (your roles' names match, don't they?)
          b) see http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#CDDEFDBE
          "In almost all cases, a WebCenter Content production system identity store must be reassociated with an external LDAP authentication providers rather than use the embedded LDAP server. Once the new LDAP authentication provider is configured, then you migrate users from the embedded LDAP provider to the new LDAP provider. For information on WebCenter Content configuration for external LDAP providers, see Oracle WebCenter Content Installation Guide."
          (unfortunately, I was never able to locate where this info is located in the other manual)
          But, I seem to find it here: http://datalinks.nl/wordpress/?p=1131
          • 2. Re: External LDAP user mapping with UCM role
            Lucas W.
            a) That's what I thought. And yes the names do match. I checked many times to be sure about this.

            b) I precisely followed the instructions in the blog post you linked. The embedded LDAP only contains the default users, plus a custom one with admin privileges.
            • 3. Re: External LDAP user mapping with UCM role
              Srinath Menon-Oracle
              Hi,

              By default, when a group on LDAP is assigned to a user, then the same would be shown as a role on UCM.

              This is irrespective of whether the credential map is created or not.

              In your case, when the user logs in from AD / LDAP, what does the set of tracing show? Add jps*,userstorage along with Full verbose tracing to get the details.

              Thanks,
              Srinath
              • 4. Re: External LDAP user mapping with UCM role
                Lucas W.
                Here is what I got from the server output (I removed the stack traces and event dates) when I log in with the ldap_user assigned to the Test group:
                server output:
                userstorage     Retrieving user data (isLoadAttributes=true, credentialData is not null) for ldap_user
                userstorage     Start user storage query for user ldap_user.
                userstorage     Created user object for user ldap_user
                userstorage     Finished user name determination, user=ldap_user, expired=false, isNewUser=true, hasAttributesLoaded=false, authtype=null
                userstorage     Loaded record from database for ldap_user
                userstorage     Retrieving attributes (type=EXTERNAL) for ldap_user
                userstorage     User not found in default/preferred provider
                userstorage     Adding JpsUserProvider
                userstorage     Returning 1 results
                userstorage     Checking UserProvider JpsUserProvider
                jps     authenticateUser: false
                jps     User is new to this provider.
                jps     Begin search for user
                jps     IdStore: oracle.security.idm.providers.wlsldap.WLSLDAPIdentityStore@367b19a
                jps     Search Filter: (uid=ldap_user)
                userstorage     User not found in UserProvider JpsUserProvider
                userstorage     Checked credentials (isLoadAttributes=true) for ldap_user
                userstorage     Provider did not provide attributes.
                userstorage     Load attributes from database for ldap_user
                userstorage     Database->Roles=guest Accounts=#0023none for ldap_user
                userstorage     Check state of attributes (isLoadAttributes=true)
                userstorage     No attributes loaded for ldap_user
                userstorage     Updating shared cached copy for user ldap_user
                userstorage     UserTempCache updated with user data for ldap_user
                userstorage     Retrieved Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     Query of info, provider required 0 milliseconds.
                userstorage     At exit, user storage access count is 0
                userstorage     Caller assigned Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     storeUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
                userstorage     At enter, user storage access count is 1
                userstorage     Retrieving user data (isLoadAttributes=true, credentialData is not null) for ldap_user
                userstorage     Start user storage query for user ldap_user.
                userstorage     Finished user name determination, user=ldap_user, expired=false, isNewUser=false, hasAttributesLoaded=false, authtype=EXTERNAL
                userstorage     Retrieving attributes (type=EXTERNAL) for ldap_user
                userstorage     User not found in default/preferred provider
                userstorage     Adding JpsUserProvider
                userstorage     Returning 1 results
                userstorage     Checking UserProvider JpsUserProvider
                jps     authenticateUser: false
                jps     User is new to this provider.
                jps     Begin search for user
                jps     IdStore: oracle.security.idm.providers.wlsldap.WLSLDAPIdentityStore@367b19a
                jps     Search Filter: (uid=ldap_user)
                userstorage     User not found in UserProvider JpsUserProvider
                userstorage     Checked credentials (isLoadAttributes=true) for ldap_user
                userstorage     Provider did not provide attributes.
                userstorage     Load attributes from database for ldap_user
                userstorage     Database->Roles=guest Accounts=#0023none for ldap_user
                userstorage     Check state of attributes (isLoadAttributes=true)
                userstorage     No attributes loaded for ldap_user
                userstorage     Updating shared cached copy for user ldap_user
                userstorage     Retrieved Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     Query of provider required 0 milliseconds.
                userstorage     At exit, user storage access count is 0
                userstorage     Caller assigned Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     storeUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
                userstorage     At enter, user storage access count is 1
                userstorage     Retrieving user data (isLoadAttributes=true, credentialData is not null) for ldap_user
                userstorage     Start user storage query for user ldap_user.
                userstorage     Finished user name determination, user=ldap_user, expired=false, isNewUser=false, hasAttributesLoaded=false, authtype=EXTERNAL
                userstorage     Retrieving attributes (type=EXTERNAL) for ldap_user
                userstorage     User not found in default/preferred provider
                userstorage     Adding JpsUserProvider
                userstorage     Returning 1 results
                userstorage     Checking UserProvider JpsUserProvider
                jps     authenticateUser: false
                jps     User is new to this provider.
                jps     Begin search for user
                jps     IdStore: oracle.security.idm.providers.wlsldap.WLSLDAPIdentityStore@367b19a
                jps     Search Filter: (uid=ldap_user)
                userstorage     User not found in UserProvider JpsUserProvider
                userstorage     Checked credentials (isLoadAttributes=true) for ldap_user
                userstorage     Provider did not provide attributes.
                userstorage     Load attributes from database for ldap_user
                userstorage     Database->Roles=guest Accounts=#0023none for ldap_user
                userstorage     Check state of attributes (isLoadAttributes=true)
                userstorage     No attributes loaded for ldap_user
                userstorage     Updating shared cached copy for user ldap_user
                userstorage     Retrieved Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     Query of provider required 0 milliseconds.
                userstorage     At exit, user storage access count is 0
                userstorage     Caller assigned Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     storeUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
                userstorage     At enter, user storage access count is 1
                userstorage     Retrieving user data (isLoadAttributes=true, credentialData is not null) for ldap_user
                userstorage     Start user storage query for user ldap_user.
                userstorage     Finished user name determination, user=ldap_user, expired=false, isNewUser=false, hasAttributesLoaded=false, authtype=EXTERNAL
                userstorage     Retrieving attributes (type=EXTERNAL) for ldap_user
                userstorage     User not found in default/preferred provider
                userstorage     Adding JpsUserProvider
                userstorage     Returning 1 results
                userstorage     Checking UserProvider JpsUserProvider
                jps     authenticateUser: false
                jps     User is new to this provider.
                jps     Begin search for user
                jps     IdStore: oracle.security.idm.providers.wlsldap.WLSLDAPIdentityStore@367b19a
                jps     Search Filter: (uid=ldap_user)
                userstorage     User not found in UserProvider JpsUserProvider
                userstorage     Checked credentials (isLoadAttributes=true) for ldap_user
                userstorage     Provider did not provide attributes.
                userstorage     Load attributes from database for ldap_user
                userstorage     Database->Roles=guest Accounts=#0023none for ldap_user
                userstorage     Check state of attributes (isLoadAttributes=true)
                userstorage     No attributes loaded for ldap_user
                userstorage     Updating shared cached copy for user ldap_user
                userstorage     Retrieved Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     Query of provider required 16 milliseconds.
                userstorage     At exit, user storage access count is 0
                userstorage     Caller assigned Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     storeUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
                userstorage     At enter, user storage access count is 1

                and when ldap_user is assigned to the Administrators group:
                server output:
                userstorage     Retrieving user data (isLoadAttributes=true, credentialData is not null) for ldap_user
                userstorage     Start user storage query for user ldap_user.
                userstorage     Finished user name determination, user=ldap_user, expired=true, isNewUser=false, hasAttributesLoaded=false, authtype=EXTERNAL
                userstorage     Loaded record from database for ldap_user
                userstorage     Retrieving attributes (type=EXTERNAL) for ldap_user
                userstorage     User not found in default/preferred provider
                userstorage     Adding JpsUserProvider
                userstorage     Returning 1 results
                userstorage     Checking UserProvider JpsUserProvider
                jps     authenticateUser: false
                jps     User is new to this provider.
                jps     Begin search for user
                jps     IdStore: oracle.security.idm.providers.wlsldap.WLSLDAPIdentityStore@367b19a
                jps     Search Filter: (uid=ldap_user)
                userstorage     User not found in UserProvider JpsUserProvider
                userstorage     Checked credentials (isLoadAttributes=true) for ldap_user
                userstorage     Provider did not provide attributes.
                userstorage     Load attributes from database for ldap_user
                userstorage     Database->Roles=guest Accounts=#0023none for ldap_user
                userstorage     Check state of attributes (isLoadAttributes=true)
                userstorage     No attributes loaded for ldap_user
                userstorage     Updating shared cached copy for user ldap_user
                userstorage     UserTempCache updated with user data for ldap_user
                userstorage     Retrieved Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     Query of info, provider required 0 milliseconds.
                userstorage     At exit, user storage access count is 0
                userstorage     Caller assigned Roles=guest,authenticated,admin,sysmanager,refineryadmin,rmaadmin,pcmadmin,ermadmin Accounts=#0023none,#0023all for ldap_user
                userstorage     storeUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
                userstorage     At enter, user storage access count is 1
                userstorage     Retrieving user data (isLoadAttributes=true, credentialData is not null) for ldap_user
                userstorage     Start user storage query for user ldap_user.
                userstorage     Finished user name determination, user=ldap_user, expired=false, isNewUser=false, hasAttributesLoaded=false, authtype=EXTERNAL
                userstorage     Retrieving attributes (type=EXTERNAL) for ldap_user
                userstorage     User not found in default/preferred provider
                userstorage     Adding JpsUserProvider
                userstorage     Returning 1 results
                userstorage     Checking UserProvider JpsUserProvider
                jps     authenticateUser: false
                jps     User is new to this provider.
                jps     Begin search for user
                jps     IdStore: oracle.security.idm.providers.wlsldap.WLSLDAPIdentityStore@367b19a
                jps     Search Filter: (uid=ldap_user)
                userstorage     User not found in UserProvider JpsUserProvider
                userstorage     Checked credentials (isLoadAttributes=true) for ldap_user
                userstorage     Provider did not provide attributes.
                userstorage     Load attributes from database for ldap_user
                userstorage     Database->Roles=guest Accounts=#0023none for ldap_user
                userstorage     Check state of attributes (isLoadAttributes=true)
                userstorage     No attributes loaded for ldap_user
                userstorage     Updating shared cached copy for user ldap_user
                userstorage     Retrieved Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     Query of provider required 0 milliseconds.
                userstorage     At exit, user storage access count is 0
                userstorage     Caller assigned Roles=guest,authenticated,admin,sysmanager,refineryadmin,rmaadmin,pcmadmin,ermadmin Accounts=#0023none,#0023all for ldap_user
                userstorage     storeUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
                userstorage     At enter, user storage access count is 1
                userstorage     Retrieving user data (isLoadAttributes=true, credentialData is not null) for ldap_user
                userstorage     Start user storage query for user ldap_user.
                userstorage     Finished user name determination, user=ldap_user, expired=false, isNewUser=false, hasAttributesLoaded=false, authtype=EXTERNAL
                userstorage     Retrieving attributes (type=EXTERNAL) for ldap_user
                userstorage     User not found in default/preferred provider
                userstorage     Adding JpsUserProvider
                userstorage     Returning 1 results
                userstorage     Checking UserProvider JpsUserProvider
                jps     authenticateUser: false
                jps     User is new to this provider.
                jps     Begin search for user
                jps     IdStore: oracle.security.idm.providers.wlsldap.WLSLDAPIdentityStore@367b19a
                jps     Search Filter: (uid=ldap_user)
                userstorage     User not found in UserProvider JpsUserProvider
                userstorage     Checked credentials (isLoadAttributes=true) for ldap_user
                userstorage     Provider did not provide attributes.
                userstorage     Load attributes from database for ldap_user
                userstorage     Database->Roles=guest Accounts=#0023none for ldap_user
                userstorage     Check state of attributes (isLoadAttributes=true)
                userstorage     No attributes loaded for ldap_user
                userstorage     Updating shared cached copy for user ldap_user
                userstorage     Retrieved Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     Query of provider required 0 milliseconds.
                userstorage     At exit, user storage access count is 0
                userstorage     Caller assigned Roles=guest,authenticated,admin,sysmanager,refineryadmin,rmaadmin,pcmadmin,ermadmin Accounts=#0023none,#0023all for ldap_user
                userstorage     storeUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
                userstorage     At enter, user storage access count is 1
                userstorage     Retrieving user data (isLoadAttributes=true, credentialData is not null) for ldap_user
                userstorage     Start user storage query for user ldap_user.
                userstorage     Finished user name determination, user=ldap_user, expired=false, isNewUser=false, hasAttributesLoaded=false, authtype=EXTERNAL
                userstorage     Retrieving attributes (type=EXTERNAL) for ldap_user
                userstorage     User not found in default/preferred provider
                userstorage     Adding JpsUserProvider
                userstorage     Returning 1 results
                userstorage     Checking UserProvider JpsUserProvider
                jps     authenticateUser: false
                jps     User is new to this provider.
                jps     Begin search for user
                jps     IdStore: oracle.security.idm.providers.wlsldap.WLSLDAPIdentityStore@367b19a
                jps     Search Filter: (uid=ldap_user)
                userstorage     User not found in UserProvider JpsUserProvider
                userstorage     Checked credentials (isLoadAttributes=true) for ldap_user
                userstorage     Provider did not provide attributes.
                userstorage     Load attributes from database for ldap_user
                userstorage     Database->Roles=guest Accounts=#0023none for ldap_user
                userstorage     Check state of attributes (isLoadAttributes=true)
                userstorage     No attributes loaded for ldap_user
                userstorage     Updating shared cached copy for user ldap_user
                userstorage     Retrieved Roles=guest,authenticated Accounts=#0023none for ldap_user
                userstorage     Query of provider required 16 milliseconds.
                userstorage     At exit, user storage access count is 0
                userstorage     Caller assigned Roles=guest,authenticated,admin,sysmanager,refineryadmin,rmaadmin,pcmadmin,ermadmin Accounts=#0023none,#0023all for ldap_user
                userstorage     storeUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
                userstorage     At enter, user storage access count is 1

                To me, there is no difference except that, while in the Administrators group, the admin role is still assigned even if the user is not found.
                And this "Created user object for user ldap_user" when ldap_user is in the Test group.

                Should I do some changes on the JpsUserProvider in the UCM? I never configured it, all is set to default.

                edit: searching for clues about the "Created user object for user ldap_user", I found this thread describing the same issue: https://cn.forums.oracle.com/forums/thread.jspa?threadID=2502041
                But still no solution...

                Edited by: Luke ska walker on Apr 18, 2013 4:18 PM
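The trace above is long but repetitive, and the useful signal is hidden in four lines per cycle: whether JpsUserProvider found the user, whether it supplied attributes, what roles came back from the database, and what roles the caller finally assigned. The following Python script is an added example (not code from this thread, from Oracle, or from any poster) that parses the trace format shown above and prints one summary per retrieval cycle. The sample trace inside it is a constructed, trimmed copy of one cycle from each of the two server outputs posted above; the line format it expects (source name, whitespace, message) is taken from those outputs.

```python
"""Summarise WebCenter Content 'userstorage' / 'jps' trace output per login cycle.

Added example, not code from the thread or from Oracle. It parses the plain
trace lines shown in the thread (source name, whitespace, message) and reports,
for each user-storage retrieval cycle, whether JpsUserProvider found the user
and supplied attributes, which roles the database returned, and which roles the
caller finally assigned.
"""
import re

# Constructed sample: one trimmed cycle from each of the two traces in the
# thread (ldap_user in the Test group, then in the Administrators group).
SAMPLE_TRACE = """\
userstorage     Retrieving user data (isLoadAttributes=true, credentialData is not null) for ldap_user
userstorage     Finished user name determination, user=ldap_user, expired=false, isNewUser=true, hasAttributesLoaded=false, authtype=null
userstorage     Retrieving attributes (type=EXTERNAL) for ldap_user
userstorage     Checking UserProvider JpsUserProvider
jps     Search Filter: (uid=ldap_user)
userstorage     User not found in UserProvider JpsUserProvider
userstorage     Provider did not provide attributes.
userstorage     Database->Roles=guest Accounts=#0023none for ldap_user
userstorage     Retrieved Roles=guest,authenticated Accounts=#0023none for ldap_user
userstorage     Caller assigned Roles=guest,authenticated Accounts=#0023none for ldap_user
userstorage     Retrieving user data (isLoadAttributes=true, credentialData is not null) for ldap_user
userstorage     Finished user name determination, user=ldap_user, expired=true, isNewUser=false, hasAttributesLoaded=false, authtype=EXTERNAL
userstorage     Checking UserProvider JpsUserProvider
jps     Search Filter: (uid=ldap_user)
userstorage     User not found in UserProvider JpsUserProvider
userstorage     Provider did not provide attributes.
userstorage     Database->Roles=guest Accounts=#0023none for ldap_user
userstorage     Retrieved Roles=guest,authenticated Accounts=#0023none for ldap_user
userstorage     Caller assigned Roles=guest,authenticated,admin,sysmanager,refineryadmin,rmaadmin,pcmadmin,ermadmin Accounts=#0023none,#0023all for ldap_user
"""

LINE_RE = re.compile(r"^(?P<src>\w+)\s+(?P<msg>.*)$")
ROLES_RE = re.compile(r"Roles=(?P<roles>\S*) Accounts=(?P<accounts>\S*) for (?P<user>\S+)")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_cycles(text):
    """Split the trace into cycles, one per 'Retrieving user data' line."""
    cycles, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, msg = m.group("src"), m.group("msg")
        if src == "userstorage" and msg.startswith("Retrieving user data"):
            cur = {"user": msg.rsplit(" for ", 1)[1], "authtype": None,
                   "search_filter": None, "provider_found": None,
                   "provider_attrs": None, "db_roles": [],
                   "retrieved_roles": [], "assigned_roles": []}
            cycles.append(cur)
            continue
        if cur is None:
            continue
        if msg.startswith("Finished user name determination"):
            cur["authtype"] = dict(KV_RE.findall(msg)).get("authtype")
        elif src == "jps" and msg.startswith("Search Filter:"):
            cur["search_filter"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("User not found in UserProvider"):
            cur["provider_found"] = False
        elif msg == "Provider did not provide attributes.":
            cur["provider_attrs"] = False
        else:
            rm = ROLES_RE.search(msg)
            if rm:
                roles = [r for r in rm.group("roles").split(",") if r]
                if msg.startswith("Database->"):
                    cur["db_roles"] = roles
                elif msg.startswith("Retrieved"):
                    cur["retrieved_roles"] = roles
                elif msg.startswith("Caller assigned"):
                    cur["assigned_roles"] = roles
    return cycles


def extra_roles(cycle):
    """Roles the caller assigned that user storage never returned."""
    return sorted(set(cycle["assigned_roles"]) - set(cycle["retrieved_roles"]))


def diagnose(cycle):
    """Human-readable findings for one cycle."""
    findings = []
    if cycle["provider_found"] is False:
        findings.append("JpsUserProvider search %s matched no user, so no group data "
                        "came from the identity store" % (cycle["search_filter"] or "(unknown)"))
    if cycle["provider_attrs"] is False and cycle["retrieved_roles"] == ["guest", "authenticated"]:
        findings.append("only the implicit guest/authenticated roles were retrieved")
    extra = extra_roles(cycle)
    if extra:
        findings.append("caller added roles not returned by user storage: %s" % ",".join(extra))
    return findings


def summarize(text):
    """One dict per cycle: who, how authenticated, and what the findings are."""
    return [{"user": c["user"], "authtype": c["authtype"],
             "extra_roles": extra_roles(c), "findings": diagnose(c)}
            for c in parse_cycles(text)]


if __name__ == "__main__":
    for i, entry in enumerate(summarize(SAMPLE_TRACE), 1):
        print("cycle %d: user=%s authtype=%s" % (i, entry["user"], entry["authtype"]))
        for f in entry["findings"]:
            print("  - " + f)
```

Run against a full trace (`summarize(open("trace.txt").read())`), every cycle in both traces above shows the same two findings (user not matched by the `(uid=ldap_user)` search, only guest/authenticated retrieved); the Administrators case differs only in the third finding, where the admin-family roles are added by the caller rather than returned by user storage.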
                • 5. Re: External LDAP user mapping with UCM role
                  Lucas W.
                  Sorry for the double post, but I cannot understand why I manage to log in, but the role is not properly assigned.
                  Should I do something with the UCM's JpsUserProvider instead of the WebLogic one? Since the logs keep telling me "User not found in UserProvider JpsUserProvider".
                  Though I thought configuring the WebLogic provider would be enough...
                  • 6. Re: External LDAP user mapping with UCM role
                    Jiri.Machotka-Oracle
                    I'd try to remove/disable the LDAP Authenticator in the Providers.
                    It should not be necessary for the scenario and probably messes things up.
                    • 7. Re: External LDAP user mapping with UCM role
                      Lucas W.
                      But the users I am testing come from the external LDAP, so I need the LDAP Authenticator provider (I do not want to manage the users with the embedded LDAP).

                      In weblogic administration console, in Security Realm > myrealm > Providers, I have :
                      DemoLDAPAuthenticator / Provider that performs LDAP authentication
                      DefaultAuthenticator / WebLogic Authentication Provider
                      DefaultIdentityAsserter / WebLogic Identity Assertion provider

                      DemoLDAPAuthenticator has its control flag set to sufficient, and its settings seem correct, as I can see the users coming from DemoLDAPAuthenticator in the Users & Groups tab. And for example, I see "Parent Groups: Test" in the group tab for "ldap_user".

                      But still, when I log in to UCM, ldap_user gets the guest role, even though I created the Test role with RWD privileges in the User Admin applet.
                      • 8. Re: External LDAP user mapping with UCM role
                        Jiri.Machotka-Oracle
                        Pls. ignore my previous post. I thought (wrongly) you defined a LDAP provider at the UCM side. Of course, this one you will need.

                        Have you tried what happens if you log in with users from the external LDAP to the WebLogic Console or EM? Is there any scenario to test whether roles assigned in the external LDAP are working in WLS/EM?
                        • 9. Re: External LDAP user mapping with UCM role
                          Lucas W.
                          Well, the "ldap_admin" user, member of group "Administrators" (in the external LDAP), can log into the weblogic admin console and EM.

                          With users from the group "Test", I got the following error message:
                          User is not authorized to login to WebLogic Domain. User should be part of one or more Administrative roles to be able to login.

                          The only role assignment that seems to work (I say "seems" because in UCM the user still has the role "guest" in his profile) is for users from the group "Administrators".

                          edit: I am not familiar with the Security Realms > myrealm > Roles & Policies tab > Realm Roles sub-tab, so my question might be irrelevant, but should I do something there to resolve this concern?

                          Edited by: Luke ska walker on Apr 19, 2013 4:46 PM
                          • 10. Re: External LDAP user mapping with UCM role
                            Jiri.Machotka-Oracle
                            Guest is a role given in UCM even to non-authenticated users; i.e. if you have no role assigned, you will be treated as a guest.

                            I think "Administrators" works because WLS already contains a group called "Administrators" in the security realm.

                            If you don't get an answer I will try to come back and ask a colleague who is more experienced in administrating WLS than I.

                            In the meantime, you can try to work around the issue by creating a group called "Test" in the realm - you still won't be able to login with these users to WLS/EM (unless you give them "Administrators", too - you might do it within the group, I guess), but I wonder whether it will assign the role also for UCM.
                            • 11. Re: External LDAP user mapping with UCM role
                              Lucas W.
                              Thank you for your time.
                              jiri.machotka wrote:
                              I think "Administrators" work because WLS already contains a group called "Administrators" in the security realm.
                              That's what I thought too, so I tried what you suggested, creating a "Test" group directly in the realm (and even adding the Administrators in the Membership tab).
                              But with no success.
                              I created a user in the group Test[DefaultAuthenticator], and his role is properly assigned in the UCM.
                              And the ldap_user in the group Test[LDAPAuthenticator] is still considered a guest.


                              Additionally, there is something strange about the Administrators groups.

                              The user member of the group Administrators[LDAPAuthenticator] gets the following roles assigned:
                              guest,authenticated,admin,sysmanager,refineryadmin,rmaadmin,pcmadmin,ermadmin

                              Compared to a user member of the group Administrators[DefaultAuthenticator] who gets :
                              Administrators,admin,refineryadmin,rmaadmin,pcmadmin,ermadmin,sysmanager,guest,authenticated

                              I must admit I am having a hard time trying to figure out how this role mapping is done...
                              • 12. Re: External LDAP user mapping with UCM role
                                Srinath Menon-Oracle
                                Hi Luke,

                                Can you drop me a mail so that we can schedule a WebEx and walk through the issue?

                                Thanks,
                                Srinath
                                • 13. Re: External LDAP user mapping with UCM role
                                  Lucas W.
                                  Sure thing. Thank you.


                                  Just to keep you guys informed, I configured an LDAPAuthenticator on another WebLogic server (also with another UCM server), running on a different server. And I ended up having the same issue.

                                  I am starting to think I must be forgetting one step or something...
                                  So can I ask you to confirm that, after creating roles in the WebCenter Content User Admin applet with the same name as the LDAP group, I should only configure the provider in the WebLogic console (Security Realms > myrealm), and that there is no need to fiddle with the WebCenter Content administration panel (Administration > Providers > JpsUserProvider)?
                                  • 14. Re: External LDAP user mapping with UCM role
                                    William Phelps
                                    In looking down this thread, I don't see the answer to two questions about the external LDAP setup, so now I'll ask them:

                                    - In WLS, in the security realm setup, in the "Providers" list, which provider is listed FIRST? The "default authenticator" or your custom one? In order to use your external LDAP for authentication and authorization, your custom provider must be listed first (at the top). Role assignments can only come from the first provider in the list. You would still be able to see users/groups in WLS from the external LDAP, but that's all - you would just see the list. The authorization would not be recognized.

                                    - Did you also set your "default authenticator" control flag to "sufficient"? OOTB, it's "required", and that would cause issues.
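The two questions above (which authenticator is first in the realm's provider list, and whether DefaultAuthenticator is still at its out-of-the-box "required" control flag) can be checked mechanically rather than by eyeballing the console. The script below is an added example, not code from this thread or from Oracle: its audit functions are plain Python over a list of (provider name, control flag) pairs, and the sample list is a constructed reading of the realm described earlier in the thread (DemoLDAPAuthenticator, DefaultAuthenticator, DefaultIdentityAsserter) in the problematic order. `collect_from_realm()` is meant to be pasted into a WLST (Jython) session after `cd()`-ing to the realm MBean; that it receives `cmo` with the standard `getAuthenticationProviders()` / `getName()` / `getControlFlag()` accessors is an assumption about the reader's WLS version, and the function is read-only.

```python
"""Audit a WebLogic security realm's authentication-provider chain.

Added example, not code from the thread or from Oracle. The pure-Python part
checks the two conditions raised in the thread: the external LDAP
authenticator must be first in the provider list, and DefaultAuthenticator
must not be left at the REQUIRED control flag. collect_from_realm() adapts a
live realm MBean under WLST (assumed accessors, read-only).
"""

# Constructed sample: the realm as described in the thread, but with
# DefaultAuthenticator listed first and still REQUIRED (the out-of-the-box value).
# Identity asserters carry no control flag, hence None.
SAMPLE_PROVIDERS = [
    ("DefaultAuthenticator", "REQUIRED"),
    ("DemoLDAPAuthenticator", "SUFFICIENT"),
    ("DefaultIdentityAsserter", None),
]


def audit_providers(providers, external_name):
    """Return findings against the thread's advice; [] means the chain looks right."""
    findings = []
    names = [name for name, _ in providers]
    if external_name not in names:
        findings.append("%s is not configured in the realm" % external_name)
    # Only authenticators (entries with a control flag) take part in ordering.
    authenticators = [(n, f) for n, f in providers if f is not None]
    if authenticators and authenticators[0][0] != external_name:
        findings.append("%s is listed first, so group-based role assignment comes from "
                        "it rather than from %s" % (authenticators[0][0], external_name))
    for name, flag in authenticators:
        if name == "DefaultAuthenticator" and flag == "REQUIRED":
            findings.append("DefaultAuthenticator control flag is REQUIRED "
                            "(the OOTB value); set it to SUFFICIENT")
    return findings


def reorder_first(providers, external_name):
    """Copy of the list with the named provider moved to the front."""
    head = [p for p in providers if p[0] == external_name]
    tail = [p for p in providers if p[0] != external_name]
    return head + tail


def set_control_flag(providers, name, flag):
    """Copy of the list with one provider's control flag changed."""
    return [(n, flag if n == name else f) for n, f in providers]


def collect_from_realm(realm_mbean):
    """WLST only (assumption): pass cmo after
    cd('/SecurityConfiguration/<domain>/Realms/myrealm'); returns (name, flag) pairs.
    Providers without getControlFlag (identity asserters) are recorded with None.
    """
    out = []
    for p in realm_mbean.getAuthenticationProviders():
        flag = p.getControlFlag() if hasattr(p, "getControlFlag") else None
        out.append((p.getName(), flag))
    return out


if __name__ == "__main__":
    print("as configured:", audit_providers(SAMPLE_PROVIDERS, "DemoLDAPAuthenticator"))
    fixed = set_control_flag(reorder_first(SAMPLE_PROVIDERS, "DemoLDAPAuthenticator"),
                             "DefaultAuthenticator", "SUFFICIENT")
    print("after reorder + flag change:", audit_providers(fixed, "DemoLDAPAuthenticator"))
```

Under WLST the same check is `audit_providers(collect_from_realm(cmo), "DemoLDAPAuthenticator")`; the reorder and flag helpers only produce the target configuration for comparison, so applying it is still a deliberate console or WLST change, followed by the restart the thread already mentions.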