Can I synchronize users' passwords with Oracle Portal Single Sign-On?
-
Tuesday, February 12, 2008 12:36 PM
I think that Oracle Portal users are different from Oracle database users. Is that right?
I would like to synchronize the passwords of Active Directory users to Oracle Portal SSO (Single Sign-On), but I don't know how.
I suppose it is done with a password extension (in .NET), but how? Do I have to call an Oracle API? With LDAP?
I'm lost about it.
Thanks
Ramon Torras
Barcelona, Spain
All Replies
-
Wednesday, February 13, 2008 9:44 PM
I think the Oracle Portal uses the Oracle Internet Directory (OID). Although you may need to tweak the MA, you can configure it to access and manage OID identities using the OpenLDAP MA. This can be modified to support password synchronization also.
-
Thursday, February 14, 2008 8:21 AM
Thanks a lot,
I learned more about this and you're right. Oracle Portal uses OID, but OID uses LDAP v3.
Your link says the OpenLDAP MA supports only up to v2.x. Does it work anyway?
You suggest that I make a password extension with this API?
Thanks
-
Thursday, February 14, 2008 9:07 AM
Hey Ramon
I deployed the OpenLDAP XMA to a v3 OID instance and it worked fine. If you need to change the OpenLDAP XMA to do exactly what you want, you can get the source (via SVN) from http://sourceforge.net/projects/openldap-xma
There is already an implemented password reset extension (passwordreset.cs). If your instance of OID uses SSL you should not have to change the XMA; if not, you will need to switch off secure connections in the source and re-compile. Additionally, if you use self-signed certs you might have problems connecting. If so, check out this post to see if adding the cert to the ILM service account's 'trusted root certs' helps: http://www.puttyq.com/?p=79
HTH
-Almero
-
Thursday, February 14, 2008 10:27 AM
Thanks
You're a great guy. I was lost before this post.
I will get this code in C#.
Bye
-
Thursday, February 14, 2008 10:40 AM
No worries Ramon, that's what we are here for.
If you need any further help with the extension please drop us a line.
Cheers
-
Monday, February 18, 2008 3:36 PM
If you plan on modifying the OpenLDAP MA, I would check out the Getting Started docs.
There are 3 docs in there that show you the basics of the ECMA.
HTH,
Joe
-
Tuesday, February 19, 2008 6:19 PM
Instead of synchronizing passwords, we decided to use OID's Active Directory External Authentication Plug-in.
We populated some AD-related attributes in OID (objectClass, orclSAMAccountName, orclUserPrincipalName, krbPrincipalName) and ran the oidspadi.sh utility to configure the plug-in. SSO seems to be working fine.
This is discussed at: http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir003.htm#CHDIEJEF
We are successfully using OID/Portal/SSO with a version of the OpenLDAP XMA. But there were a few difficulties:
1) You need to index the modifytimestamp in OID in order for delta imports to work.
2) OID does not seem to support any method for paging results, so you have to set OID's maximum Query Entry Return Limit (orclsizelimit) to a number high enough to return your whole population.
3) OID does respond as expected to the default OpenLDAP XMA delta search query. If you don't modify this query, a lot more records than intended are returned.
4) OID does not return objectClass attributes in a reliable order, which creates a problem for ILM. If your objects will be members of any more than one or two objectClasses, you will likely want to modify the OpenLDAP XMA import file generation code to work around this problem.
5) The Oracle Portal is very dependent on group membership for operation. Provisioning to and re-importing groups from OID without errors requires some modification of the OpenLDAP XMA code because of the way OID modifies the case when it reports back the uniquemember attribute.
6) Most complete solutions will require some provisioning code, which is not specifically part of the XMA. There are some special provisioning issues for LDAP directories since objects generally have multiple objectClass attribute values.
You will find discussions for most of these issues in the archives of this forum.
I hope that helps.
Al Keniston
Middlesex Community College, Massachusetts
-
Tuesday, February 19, 2008 6:21 PM
Sorry, number 3 should read:
3) OID does NOT respond as expected
Al
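Issues 4 and 5 above (objectClass values coming back in varying order, and uniquemember DNs coming back with different case) both make a directory entry look changed when it is not. The following is an added example, not code from the thread or from the OpenLDAP XMA: it canonicalizes those two multi-valued attributes before comparing two reads of the same OID group, so only real membership changes register as deltas, and builds a generic modifytimestamp watermark filter in LDAP generalized-time form (a generic shape, not the specific query fix the post refers to). The entries and DNs are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed sample: two reads of the same OID group entry as the directory
# might return them on successive imports (objectClass order and DN case differ).
FIRST_READ = {
    "objectclass": ["orclGroup", "groupOfUniqueNames", "top"],
    "uniquemember": ["cn=jdoe, cn=Users, dc=example, dc=com",
                     "cn=asmith,cn=users,dc=example,dc=com"],
}
SECOND_READ = {
    "objectclass": ["top", "groupOfUniqueNames", "orclGroup"],
    "uniquemember": ["cn=ASmith,cn=Users,dc=Example,dc=com",
                     "cn=JDoe,cn=Users,dc=Example,dc=com"],
}

def normalize_dn(dn):
    """Canonicalize a DN for comparison: strip whitespace around unescaped
    RDN separators and lower-case the result (attribute types are
    case-insensitive, and these name values are treated so here)."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return ",".join(parts).lower()

def normalize_entry(entry):
    """Return an entry whose multi-valued attributes compare stably:
    objectClass sorted case-insensitively, uniqueMember DNs canonicalized
    and de-duplicated, attribute names lower-cased."""
    out = {}
    for name, values in entry.items():
        key = name.lower()
        if key == "objectclass":
            out[key] = sorted(values, key=str.lower)
        elif key == "uniquemember":
            out[key] = sorted({normalize_dn(v) for v in values})
        else:
            out[key] = sorted(values)
    return out

def entries_differ(a, b):
    """True only when the normalized forms differ, i.e. a real change."""
    return normalize_entry(a) != normalize_entry(b)

def delta_filter(watermark):
    """Generic delta-import filter: entries modified at or after the
    watermark, rendered as an LDAP generalized time string in UTC."""
    stamp = watermark.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return f"(&(modifytimestamp>={stamp})(objectclass=*))"
```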