An Oracle blog about Consulting Security Corner

  • July 21, 2010

Can You Use The Shadow Join Adapter With OVD-EUS

Guest Author

This year (Oracle years start in June), I'm really trying to dedicate myself to saving keystrokes.

As a follow-up to my post on minimizing schema changes in AD when using OVD-EUS, a customer asked if you could use Shadow Join to eliminate schema changes with OVD-EUS.

Shadow Join is a default join type in OVD that lets OVD redirect data updates for certain attributes to OID or ODSEE instead of the enterprise directory. It differs from a traditional join (such as a simple join): with a simple join, you are linking existing data sources such as an HR database and AD. With Shadow Join, you have applications that need to extend the schema, but you don't want to extend the enterprise directory. OVD then intercepts the updates, creates a special entry in OID/ODSEE (on demand) to store these extended attributes, and links it with the entry in the enterprise directory.

Unfortunately, with OVD-EUS you cannot use Shadow Join to eliminate the schema changes.

Shadow Join, however, works fine with most (all, as far as I know) other Oracle applications that require schema changes on the user record, such as Oracle Access Manager 10g.

The reason Shadow Join doesn't work with OVD-EUS is that the user password hash must be stored in the AD user record, and we use an extended attribute, orclCommonAttribute, for this. If you want to store it in another directory, that is possible by using OID-EUS with DIP. This way, DIP intercepts the password change and sends it to OID to be stored.

Posted via email from Virtual Identity Dialogue
