Thursday, August 8, 2013

The importance of "orclguid" in Oracle Virtual Directory

This post will discuss the steps to configure the orclguid within Oracle Virtual Directory (OVD). It is especially important when integrating OVD with Oracle Access Manager (OAM) and WebLogic Server (WLS). I see many customers omitting this configuration, which leads to errors in OAM.


All Lightweight Directory Access Protocol (LDAP) repositories contain a globally unique identifier (guid) for every entry. OVD is no different; it also has a guid attribute called the orclguid. When configuring OVD with LDAP repositories it is important to map the LDAP's guid attribute to Oracle's guid attribute. This, however, is not configured by default. In order to do this you will need to configure the VirtualAttribute plug-in for your adapter.

For more information please take a look at the OVD plug-in section in the documentation.

Forgetting this step may cause errors with respect to a) authentication failures and b) identity propagation. For example, in Active Directory (AD) the guid attribute is called objectGuid; if this is not mapped to orclguid you will have issues when trying to propagate the user's identity.

High-Level Steps

Once you have determined what the guid object is for your back-end LDAP repository, you will need to use the VirtualAttribute plug-in to map the two attributes. In our example above, the mapping will take the form: 


where objectguid is the guid object for AD.

If you have multiple LDAP back-ends, then you will need to configure the VirtualAttribute plug-in for each one. Below are some screenshots that show where you need to configure the plug-in.

Select the plug-in tab within the Adapter configuration...

Create a new Virtual Attribute plug-in with the parameters shown...

In the OVD Provider in WLS, 'orclguid' is already set as the GUID Attribute. If not, make sure that the value 'orclguid' is listed as below...

That's it! The 'orclguid' will now be passed to OAM/WLS for each object in OVD.
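An added audit check, not from the original post and not an Oracle tool: it reads the LDIF that an ldapsearch against OVD returns and lists the entries whose back-end guid has not been mapped to orclguid. The LDIF and GUID values below are constructed, and the objectGUID string rendering assumes AD's 16-byte mixed-endian GUID layout.

```python
import base64
import uuid

# Constructed sample of an ldapsearch result from OVD: alice has the
# VirtualAttribute mapping applied, bob does not (his objectGUID was never
# copied into orclguid). GUID bytes are made up for the example.
ALICE_GUID = bytes(range(1, 17))
BOB_GUID = bytes(range(16, 0, -1))
SAMPLE_LDIF = f"""\
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: user
cn: alice
objectGUID:: {base64.b64encode(ALICE_GUID).decode()}
orclguid:: {base64.b64encode(ALICE_GUID).decode()}

dn: cn=bob,ou=people,dc=example,dc=com
objectClass: user
cn: bob
objectGUID:: {base64.b64encode(BOB_GUID).decode()}
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lowercase: [values]})."""
    entries, attrs, dn = [], {}, None
    unfolded = text.replace("\n ", "")  # join LDIF continuation lines
    for line in unfolded.splitlines() + [""]:
        if not line.strip():              # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" is a binary value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        name = name.strip().lower()       # LDAP attribute names are case-insensitive
        if name == "dn":
            dn = value if isinstance(value, str) else value.decode()
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def entries_missing_orclguid(entries):
    """DNs that OAM/WLS would receive without a GUID attribute."""
    return [dn for dn, attrs in entries if "orclguid" not in attrs]


def objectguid_to_string(raw):
    """Render AD's binary objectGUID the way AD tools display it (mixed-endian)."""
    return str(uuid.UUID(bytes_le=raw))
```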
