Validating LDAP Group Membership for WCS Contributors

Overview

When you integrate WebCenter Sites with LDAP you end up creating a large number of LDAP groups that map onto WebCenter Sites ACLs and Roles.

If a user reports access issues we need a simple way to validate whether they have the necessary access. Below are two options that we use regularly on the www.oracle.com and java.com projects.


Option 1: Create a JSP that outputs the user's Roles/ACLs

Below is the code for a fairly simple JSP that displays the logged-in user's Roles and ACLs. Obviously, to get this far the user needs to be able to log in; if they have serious access issues they may not even get that far.

Within the team we have extended the concept below to also validate the user's ACLs and groups against the list of groups required for their access level, which makes troubleshooting and requesting access self-service for contributors. We use Oracle Identity Management to administer all LDAP access.

<%@ page import="java.util.Arrays" %>
<%@ taglib prefix="cs" uri="futuretense_cs/ftcs1_0.tld"
%><%@ taglib prefix="ics" uri="futuretense_cs/ics.tld"
%><%@ taglib prefix="ccuser" uri="futuretense_cs/ccuser.tld"
%><%@ taglib prefix="usermanager" uri="futuretense_cs/usermanager.tld"
%><%@ taglib prefix="render" uri="futuretense_cs/render.tld"
%><%@ taglib prefix="rolelist" uri="futuretense_cs/rolelist.tld"
%><cs:ftcs>

<h2>User Data</h2>
<table border="1">

<%-- Output basic details about the logged-in user --%>
<tr><td>UserName</td><td><%= ics.GetSSVar("username") %></td></tr>
<usermanager:getloginuser varname="useridvalue" />
<tr><td>User DN</td><td><%= ics.GetVar("useridvalue") %></td></tr>

<%-- Get the user's Roles for the current site (pubid) --%>
<usermanager:getuserfromname username='<%= ics.GetSSVar("username") %>' objvarname="user" />
<ccuser:getsiteroles name="user" site='<%= ics.GetSSVar("pubid") %>' objvarname="roleobject1" />
<rolelist:getall name="roleobject1" varname="roles" />
<%-- "roles" is a comma-separated list; guard against a user with no roles at all --%>
<% String roleList = ics.GetVar("roles");
   String[] userRoles = (roleList == null || roleList.isEmpty()) ? new String[0] : roleList.split(","); %>
<tr><td>Roles</td><td><%= Arrays.toString(userRoles) %></td></tr>

<%-- Get the user's ACLs via the stock admin element, which sets the "aclString" variable --%>
<render:callelement elementname="FutureTense/Apps/AdminForms/Common/ACLString" scoped="global">
<render:argument name="userid" value='<%= ics.GetVar("useridvalue") %>' />
</render:callelement>
<% String aclList = ics.GetVar("aclString");
   String[] userAcls = (aclList == null) ? new String[0] : aclList.replaceAll("\\s", "").split(","); %>
<tr><td>ACLs</td><td><%= Arrays.toString(userAcls) %></td></tr>

</table>

</cs:ftcs>

Screenshot of LDAP User Details report


Option 2: Query LDAP with ldapsearch

If the user is completely unable to log in then you may need to check LDAP directly. The ldapsearch unix command is a lifesaver here. Substitute your own values for <host>, <binddn> and <userdn> below. -b takes the search base (the container holding your WebCenter Sites groups), -s sub searches the whole subtree beneath it, the filter matches every group that lists the user as a uniquemember, and the trailing dn returns only the group DNs. -x requests simple authentication; with no -D/-W it is an anonymous bind, so if your directory does not allow anonymous reads of uniquemember, add -D with a service account DN and -W to be prompted for its password. Newer OpenLDAP clients prefer -H ldap://<host>:389 over -h/-p.

ldapsearch -h <host> -p 389 -b "<binddn>" -s sub "uniquemember=<userdn>" dn -x

Example: 

ldapsearch -h ldaphost.example.com -p 389 -b "cn=WebCenterSites,cn=Groups,dc=example,dc=com" -s sub "uniquemember=cn=mark_smith,l=emea,dc=example,dc=com" dn -x
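The self-service check mentioned under Option 1 (compare what the user has against what their access level needs) can be done just as well on top of the ldapsearch output from Option 2. The script below is an added example, not code from the original post: it parses the LDIF that ldapsearch prints, pulls out the group cn values, and reports which required groups are missing. The group names (WCS_Browser, WCS_Contributor, WCS_SiteAdmin) and the access levels are assumed; the embedded LDIF is constructed sample output.

```sh
#!/bin/sh
# Constructed sample of what "ldapsearch ... 'uniquemember=<userdn>' dn" prints.
SAMPLE_LDIF='# extended LDIF
# filter: uniquemember=cn=mark_smith,l=emea,dc=example,dc=com
# requesting: dn

# WCS_Browser, WebCenterSites, Groups, example.com
dn: cn=WCS_Browser,cn=WebCenterSites,cn=Groups,dc=example,dc=com

# WCS_Contributor, WebCenterSites, Groups, example.com
dn: cn=WCS_Contributor,cn=WebCenterSites,cn=Groups,dc=example,dc=com

# search result
search: 2
result: 0 Success
'

# Assumed group names per access level; map these onto your own ACL/Role groups.
required_groups_for() {
  case "$1" in
    contributor) printf '%s\n' WCS_Browser WCS_Contributor ;;
    admin)       printf '%s\n' WCS_Browser WCS_Contributor WCS_SiteAdmin ;;
    *)           return 1 ;;
  esac
}

# Pull the group cn out of every "dn:" line of the LDIF on stdin. Comment and
# blank lines are ignored. Run ldapsearch with -o ldif-wrap=no so long DNs are
# not folded across lines before the first comma.
group_cns_from_ldif() {
  sed -n 's/^dn: cn=\([^,]*\),.*/\1/p'
}

# Read ldapsearch output on stdin, print the required groups the user lacks,
# and return 0 only when every group for the access level is present.
missing_groups() {
  level="$1"
  required=$(required_groups_for "$level") || { echo "unknown access level: $level" >&2; return 2; }
  have=$(group_cns_from_ldif)
  missing=""
  for g in $required; do
    printf '%s\n' "$have" | grep -qx "$g" || missing="$missing $g"
  done
  missing="${missing# }"
  [ -n "$missing" ] && echo "$missing"
  [ -z "$missing" ]
}

# Live usage (replace <userdn>):
#   ldapsearch -x -o ldif-wrap=no -h ldaphost.example.com -p 389 \
#     -b "cn=WebCenterSites,cn=Groups,dc=example,dc=com" -s sub \
#     "uniquemember=<userdn>" dn | missing_groups contributor
```

Run against the sample, the contributor level passes and the admin level reports WCS_SiteAdmin as missing.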


About

Oracle Product Development IT Collaborative Applications Services (CAS) is responsible for Collaboration and Content Management based systems at Oracle.

The PDIT-CAS Blog aggregates and organizes content produced by PDIT CAS team members responsible for delivery of major corporate websites like oracle.com, java.com, cloud.oracle.com, my.oracle.com, community.oracle.com etc.

Content in this blog captures best practices, tips and tricks and guidance that the team members gain from leveraging Oracle technology to solve real world problems being faced by Oracle IT.
