In enterprises, LDAP servers are often used to store user credentials and groups and to share them among applications. Oracle SOA Suite 12c introduces a new technology adapter, the LdapAdapter, which allows easy integration with LDAP servers. In this blog post I will provide a quick and easy howto on installing an LDAP server and browser (ApacheDS and Apache Directory Studio). I will also describe the configuration required to use the LdapAdapter and provide an example BPEL process which allows creation of new users in the ApacheDS LDAP server by means of webservice calls.
Setting up the LDAP server
Installing an LDAP server
For this example I’ll use ApacheDS as LDAP server and Apache Directory Studio as LDAP browser. First download and install Apache Directory Studio from http://directory.apache.org/studio/. Next create an LDAP server. Click the LDAP server tab in the bottom left corner and click New Server.
Select ApacheDS 2.0.0 and click finish.
Now you can start the server by selecting it and clicking the green play button.
Create a connection to the LDAP server
Next to the LDAP Servers tab, there is a Connections tab. Create a new connection. Use localhost and port 10389.
Click Next and fill in the following credentials: Bind DN or User: uid=admin,ou=system and Bind password: secret.
You can now connect to your newly created server and browse it.
Target the adapter
In Weblogic Server you need to configure a connection factory in the adapter configuration. First login to Weblogic console and click on the LdapAdapter.
The adapter is by default not targeted. You should specify a target if you want to use it. In my case (JDeveloper integrated Weblogic server) only one target can be selected: DefaultServer. Set the target and save.
Configure the connection factory
Go to the configuration of the LdapAdapter, Outbound Connection Pools.
I decided to configure eis/ldap/master. Click on that and provide the required settings (see screenshot).
The first time when configuring a connection factory for an adapter, Weblogic asks for the name of the configuration plan to use. It’s a good practice to use a name which makes clear for which adapter the configuration is (or put it in a separate directory per adapter). For example PlanLdap.xml.
After the configuration is complete, restart the server. Unlike the DbAdapter, the LdapAdapter cannot pick up an updated connection factory without a restart; it behaves more like the BamAdapter. The adapter is deployed upon server start, and the configuration change is applied upon deployment.
Configuring the LdapAdapter
Create an application, create an empty project with a synchronous BPEL 2.0 process. In the composite editor, drag the new LDAP adapter to the References lane to start configuring. The default password is still secret.
Using the browse button (the magnifying glass after the JNDI Name field), you can select eis/ldap/master. If you can’t, you forgot to target the adapter.
Choose ‘Add’ as the outbound operation. Use the following classes: inetOrgPerson and person. Use uid, userPassword as fields.
Now you can click Next and Finish through to the end of the wizard and fill in the details of the BPEL process calling the LDAP server.
Seeing it work
I’ve created a small BPEL process which calls the adapter. Since it’s relatively easy I will not provide screenshots for it. Mind the following though: the userPassword should be at least 5 characters and should not contain the username. I’ve chosen ‘Welcome01’ for this. The dn should have the form shown in the screenshot example below; you can build it by means of concatenation. Using the Test Webservice screen from Fusion Middleware Control, we can see my service can successfully call the LDAP server.
In Apache Directory Studio you can confirm the user actually has been created.
Check to see if a user is actually created in the LDAP server! The LdapAdapter will return success even if the add has failed (or the server did not return a correct failure result). For example, after a request that the adapter reported as successful, I could see entries like the following in the domain log file:
org.opends.sdk.ConstraintViolationException: Constraint Violation: CONSTRAINT_VIOLATION: failed for MessageType : ADD_REQUEST Message ID : 6 Add Request : Entry dn[n]: uid=maartenmaarten,ou=users,ou=system objectClass: inetOrgPerson objectClass: person uid: maartenmaarten userPassword: '0x6D 0x61 0x61 0x72 0x74 0x65 0x6E 0x6D 0x61 0x61 0x72 0x74 0x65 0x6E ' sn: maartenmaarten cn: maartenmaarten : Password shouldn't contain parts of the username
at org.opends.sdk.ErrorResultException.wrap(ErrorResultException.java:164)
at com.sun.opends.sdk.ldap.AbstractLDAPFutureResultImpl.setResultOrError(AbstractLDAPFutureResultImpl.java:159)
at com.sun.opends.sdk.ldap.LDAPClientFilter$1.addResult(LDAPClientFilter.java:93)
at com.sun.opends.sdk.ldap.LDAPClientFilter$1.addResult(LDAPClientFilter.java:73)
The user was not created in this case. In a process flow you can of course also use the LdapAdapter again to search for the user you have just created to confirm it was successful.
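As an added illustration (not part of the original post or of the LdapAdapter), the following Python models the two safeguards described above: pre-validating the uid/password pair against the ApacheDS rules before the adapter is invoked, and scanning the domain log for ConstraintViolationException entries to detect an ADD that the adapter reported as successful but the server rejected. The log line is a constructed sample modelled on the one quoted above; the dn base is the one from the example.

```python
import re

# Base dn under which the BPEL process creates users (from the post's dn example).
USERS_BASE = "ou=users,ou=system"

def build_dn(uid, base=USERS_BASE):
    """Concatenate the entry dn the same way the BPEL assign does: uid=<uid>,<base>."""
    return f"uid={uid},{base}"

def precheck_password(uid, password):
    """Apply the two ApacheDS rules named in the post before invoking the adapter, so a
    rejection faults the process instead of hiding behind the adapter's 'success' reply.
    Simplified: checks the whole uid, ApacheDS also rejects parts of it."""
    problems = []
    if len(password) < 5:
        problems.append("password shorter than 5 characters")
    if uid.lower() in password.lower():
        problems.append("password contains the username")
    return problems

# Patterns for the ConstraintViolationException line the adapter leaves in the domain log.
_MSGTYPE = re.compile(r"MessageType : (\w+)")
_DN = re.compile(r"dn\[n\]: (\S+)")
_REASON = re.compile(r" : ([^:]+?) at \S+\(")

def find_rejected_adds(log_text):
    """Return one record per LDAP ADD the server rejected, parsed from domain log text.
    If the dn you just added is listed here, the adapter's success response was not the truth."""
    rejected = []
    for line in log_text.splitlines():
        if "ConstraintViolationException" not in line:
            continue
        msg = _MSGTYPE.search(line)
        if not msg or msg.group(1) != "ADD_REQUEST":
            continue
        dn = _DN.search(line)
        reason = _REASON.search(line)
        rejected.append({"dn": dn.group(1) if dn else None,
                         "reason": reason.group(1).strip() if reason else None})
    return rejected

# Constructed sample modelled on the log entry quoted in the post (hex password shortened).
SAMPLE_LOG = (
    "org.opends.sdk.ConstraintViolationException: Constraint Violation: "
    "CONSTRAINT_VIOLATION: failed for MessageType : ADD_REQUEST Message ID : 6 "
    "Add Request : Entry dn[n]: uid=maartenmaarten,ou=users,ou=system "
    "objectClass: inetOrgPerson objectClass: person uid: maartenmaarten "
    "userPassword: '0x6D 0x61 ' sn: maartenmaarten cn: maartenmaarten "
    ": Password shouldn't contain parts of the username "
    "at org.opends.sdk.ErrorResultException.wrap(ErrorResultException.java:164)\n"
)
```

In a real deployment, run precheck_password in the BPEL process (or its calling service) and feed the domain log to find_rejected_adds from a monitoring job; a non-empty result for a dn the adapter said it created is the silent failure the post warns about.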
In this quick howto I have used the example of adding a user by means of the new Oracle SOA Suite 12c LdapAdapter. Of course there are many situations in which this adapter will be useful, and the adapter is capable of much more than what I’ve just described. Read for example http://docs.oracle.com/middleware/1213/adapters/develop-soa-adapters/adptr_ldap.htm#TKADP2901. Other use cases for the adapter could be if you have users stored in different systems and want to create users in all of them by means of a single service call, or if you want to use information (such as groups or e-mail addresses) available from a provided LDAP server. Using the LdapAdapter, you can provide an abstraction to certain LDAP operations by means of services and make the LDAP server part of the integration effort instead of leaving it out or having to build custom integrations for it.