
Monday, January 30, 2012

Managing Integration Issues with IPM, WebLogic, AD and More

IPM works with Active Directory, but understanding the limitations is imperative. When Active Directory is configured as an authentication provider in a WebLogic Server security realm, IPM only uses the provider listed at the top of the realm's provider list. This is a major issue when users are spread across multiple AD domains, and the limitation is still present in the latest version, WebCenter Imaging 11gR1 (11.1.1.5).

Oracle's primary recommendation is to implement yet another product, Oracle Virtual Directory (OVD), which is part of Oracle Identity Management 11g. One of its core capabilities is to present user identities from multiple directories as a single virtual directory. With OVD set up, a single authentication provider that points at OVD can be created in WebLogic Server, and IPM would in turn use that provider to reach all of the domains.

Since many companies may not want to spend a large sum just to solve this one problem, a feasible option is to create all the groups used by IPM in a single domain and add users from the other domains to those groups. For example, create all the groups in the XX.net domain and then add users from the other domains to the respective groups. Note that in Active Directory only domain local and universal groups can hold members from other domains; global groups cannot, so the IPM groups must be created with one of those two scopes.

More realistically, we can get IPM working against multiple domains by creating a separate service account for WebLogic in each domain and making sure each account can connect to that domain's Active Directory and read user account information.
You can test this by modifying the provider being configured. For example, change the Host to XX.company.net and change the Principal (the bind account) to the DN of Weblogic-XX. After doing so and restarting the ECM_domain_AdminServer service, the realm should list that domain's user accounts successfully.

I also suggested using sAMAccountName as the User Name Attribute instead of cn, since it more closely matches what users are accustomed to logging in with. The provider's User From Name Filter must be changed to match, because the default filter for the Active Directory authenticator searches by cn. Keep in mind that sAMAccountName is only guaranteed unique within a single domain, not across domains.
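The following WLST script is an added example, not part of the original post or of Oracle's documentation. It performs the provider changes described above for one domain: it binds with that domain's WebLogic service account, switches the user lookup to sAMAccountName with a matching User From Name Filter, and moves the Active Directory provider to the top of the realm so that IPM actually uses it. The admin URL, host name, provider name, DNs and account names are placeholders (assumptions) and must be replaced for your environment.

```wlst
# Added example (not from the original post): configure the WebLogic
# ActiveDirectoryAuthenticator for one AD domain with its own service account,
# look users up by sAMAccountName, and put the provider first in the realm.
# Run with: $MW_HOME/oracle_common/common/bin/wlst.sh ad_provider.py
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL    = 't3://ecmhost.xx.company.net:7001'   # assumed AdminServer URL
ADMIN_USER   = 'weblogic'
ADMIN_PASS   = raw_input('WebLogic admin password: ')
AD_PASS      = raw_input('Password for the Weblogic-XX service account: ')

PROVIDER     = 'AD-XX'                                # assumed provider name
AD_HOST      = 'dc01.xx.company.net'                  # assumed domain controller
AD_BASE      = 'DC=xx,DC=company,DC=net'              # assumed search base
AD_PRINCIPAL = 'CN=Weblogic-XX,OU=Service Accounts,' + AD_BASE  # assumed bind DN

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
edit()
startEdit()

realm = cmo.getSecurityConfiguration().getDefaultRealm()
atn = realm.lookupAuthenticationProvider(PROVIDER)
if atn is None:
    atn = realm.createAuthenticationProvider(PROVIDER,
        'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator')

# Connection: the per-domain service account binds to that domain's DC.
atn.setHost(AD_HOST)
atn.setPort(389)                  # use 636 and setSSLEnabled(true) where LDAPS is available
atn.setPrincipal(AD_PRINCIPAL)
atn.setCredential(AD_PASS)

# Users: resolve logins by sAMAccountName instead of the default cn, so what a
# user types at the I/PM login page is their Windows account name.
atn.setUserBaseDN(AD_BASE)
atn.setUserObjectClass('user')
atn.setUserNameAttribute('sAMAccountName')
atn.setUserFromNameFilter('(&(sAMAccountName=%u)(objectclass=user))')
atn.setAllUsersFilter('(&(sAMAccountName=*)(objectclass=user))')

# Groups: where the I/PM security groups live in this domain.
atn.setGroupBaseDN(AD_BASE)
atn.setGroupFromNameFilter('(&(cn=%g)(objectclass=group))')
atn.setAllGroupsFilter('(&(cn=*)(objectclass=group))')

# SUFFICIENT on both the AD provider and the DefaultAuthenticator keeps the
# embedded-LDAP 'weblogic' admin user working if the domain controller is down.
atn.setControlFlag('SUFFICIENT')
realm.lookupAuthenticationProvider('DefaultAuthenticator').setControlFlag('SUFFICIENT')

# Reorder so the AD provider is first: I/PM only uses the provider at the top.
others = [p for p in realm.getAuthenticationProviders() if p.getName() != PROVIDER]
realm.setAuthenticationProviders(jarray.array([atn] + others, AuthenticationProviderMBean))

save()
activate(block='true')
disconnect()
# Restart the AdminServer (and the IPM managed server), then open the realm's
# Users and Groups tab to confirm that accounts from this domain are listed.
```

Running the script once per domain, with that domain's host and service account DN substituted, repeats the connectivity test described above without editing the provider by hand in the console; only the provider left at the top of the list after the final run is the one IPM will use.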

Oracle I/PM Security Overview

Thanks to the contributors, Ed Copelin and Dave Sagendorf.
Reference documentation
http://docs.oracle.com/cd/E17904_01/admin.1111/e12782/c02_security.htm#CDDICJBG
