4 Replies Latest reply on Jul 16, 2015 10:58 PM by Sasi Nagireddy

    Internal and External Active Directory configuration


      Hi Guys


      My client has a requirement whereby they have a bunch of internal and external users.


      They want us to implement Active Directory (on Windows) for both sets of users, so something like an Internal AD and External AD... but they also need us to apply data-level security across the External communities (as the external users span many different organisations)


      What is the general consensus on the best way of doing this? Can both ADs be configured in WebLogic as the authentication/authorisation provider, and if so, does anyone have any idea on the likely performance?




        • 1. Re: Internal and External Active Directory configuration
          Gianni Ceresa


          You can configure 2 or more ADs in WebLogic; it works as an authentication chain, and for each authentication provider you have a flag to define if it's enough, mandatory, etc.

          For performance it's not really an issue: you can set the internal one as first and say it's enough, so if the user is found there you don't check the other AD; external users can wait a microsecond longer.

          For data-level security you make that based on approles, so you map groups to approles and in that way you can easily say: internal full data access, external users limited access.
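
The chain behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of the JAAS control-flag semantics that WebLogic authentication providers follow. Provider names, users and passwords are constructed, and `directory()` is a hypothetical stand-in for an AD bind.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Provider:
    name: str                          # hypothetical provider name
    flag: str                          # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    check: Callable[[str, str], bool]  # True when the directory accepts the credentials

def directory(users: Dict[str, str]) -> Callable[[str, str], bool]:
    """Constructed stand-in for an AD bind against one directory."""
    return lambda user, pw: users.get(user) == pw

def authenticate(chain: List[Provider], user: str, pw: str) -> Tuple[bool, List[str]]:
    """Walk the chain in order; return (authenticated, providers consulted)."""
    consulted: List[str] = []
    required_failed = saw_required = any_success = False
    for p in chain:
        consulted.append(p.name)
        ok = p.check(user, pw)
        any_success = any_success or ok
        if p.flag in ("REQUIRED", "REQUISITE"):
            saw_required = True
            if not ok:
                required_failed = True
                if p.flag == "REQUISITE":
                    break              # REQUISITE failure stops the chain at once
        elif p.flag == "SUFFICIENT" and ok and not required_failed:
            return True, consulted     # "it's enough": later providers are skipped
    if required_failed:
        return False, consulted
    # With no REQUIRED/REQUISITE provider, at least one provider must succeed.
    return (True if saw_required else any_success), consulted

INTERNAL = directory({"alice": "int-pw"})   # constructed internal AD users
EXTERNAL = directory({"bob": "ext-pw"})     # constructed external AD users

# Internal AD first, both SUFFICIENT: the layout suggested in the reply.
CHAIN = [Provider("InternalAD", "SUFFICIENT", INTERNAL),
         Provider("ExternalAD", "SUFFICIENT", EXTERNAL)]

# Internal AD left as REQUIRED: external users can never log in.
MISCONFIGURED = [Provider("InternalAD", "REQUIRED", INTERNAL),
                 Provider("ExternalAD", "SUFFICIENT", EXTERNAL)]

if __name__ == "__main__":
    for label, chain in (("sufficient", CHAIN), ("required-first", MISCONFIGURED)):
        for user, pw in (("alice", "int-pw"), ("bob", "ext-pw")):
            print(label, user, authenticate(chain, user, pw))
```

An internal user is accepted after one lookup, an external user costs one extra lookup, and a chain whose first provider is REQUIRED rejects every external user even though the external AD accepts the password.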

          • 2. Re: Internal and External Active Directory configuration

            Hi Gianni,

            Thanks for your response. Great - we were also of the opinion that two ADs could be configured in WebLogic, so I appreciate your clarification.


            So you wouldn't expect any additional performance implications on the data-level security as a direct impact of the External AD? I agree, logging into the application should be fine (I will hold to your microsecond quote... ) but we just had a few question marks regarding the performance of the query itself. Do you envisage any issues here? Any more so than data-level security without AD?




            • 3. Re: Internal and External Active Directory configuration
              Gianni Ceresa

              What kind of rules would you use as data-level security?

              Row-level security is based on rules using variables (session variable in general).


              So the only security concern you can have is: how slow would the init block setting the variables you are going to use be? The good thing is that they are executed once only, so it will not be a really big issue.

              Of course I expect your external AD to still be a good AD, and not an AD lost on the other side of the planet going through 15 VPN connections with 56Kbps bandwidth.


              The performance of queries with data-security applied also depends on how the columns used in your rule are linked with the rest of your model.

              In the end the possible performance issues are related to the model itself, but I don't see a huge impact because of the external AD being used (and again the init block setting variables runs only once per session, so it's a limited impact).

              • 4. Re: Re: Internal and External Active Directory configuration
                Sasi  Nagireddy



                Performance @ AD level: we will not have any issues. We have configured 2 types of authenticators in providers and we don't see any performance issue there. You can configure the two parameters with these values, as Oracle recommended:



                Group Membership Searching: limited
                Max Group Membership Search Level: 1


                Sasi Nagireddy.