SOA Suite 12c: Querying LDAP directories using the LDAP Adapter


SOA Suite 12c introduced a number of new adapters. One of them is the LDAP Adapter. In several earlier articles on this blog (for example https://technology.amis.nl/2014/08/08/oracle-soa-suite-12c-ldapadapter-tutorial/ by Maarten Smeets), we have described how to set up and configure the LDAP adapter and how to use it in conjunction with the ApacheDS open source LDAP directory. Of course, this adapter is also supported with Microsoft Active Directory and Oracle’s OID, OVD and OUD.

In this article, I take the next step with the LDAP Adapter. I will demonstrate how to create a SOA composite that queries an LDAP directory for the details of a specific user account. This article continues where my earlier post – SOA Suite 12c: Creating user accounts in ApacheDS using the LDAP adapter (inspired by Maarten Smeets) – left off. I will assume the same set up, with ApacheDS as the LDAP Directory and the configuration of the LDAP Adapter connection already performed.

I want to create a service operation that takes a user id (uid attribute) as input and returns a selected set of details from the entry for that user in the LDAP directory. Here is an example of such an LDAP entry:

image

The service call – request and response – is executed in SoapUI:

image

and the resulting flow trace in the EM FMW Control:

image

The SOA Composite application is very simple – one additional component compared to the previous article: the outbound LDAP adapter reference binding, configured to search for LDAP details:

image

LDAP Adapter binding for Search operation

Let us check the configuration of this adapter binding.

[screenshot]

Select the IDE connection and the JNDI name for the LDAP Adapter run time connection:

[screenshot]

Select the Search operation.

[screenshot]

Configure the search operation:

[screenshot]

Select the attributes that this search should return. Only select attributes that apply to the object class(es) that the entries implement:

[screenshot]

Accept defaults on the next two pages:

[screenshot]

and

[screenshot]

and finally, press Finish:

[screenshot]


Data Structures and Transformations

The XSD generated as a result of the adapter binding configuration looks like this:

image

The LdapService has been extended with a two-way operation:

image

supported by an extended XSD definition:

image

The transformation for the search filter in the request message (from inbound request to the LDAP adapter):

image

The code for the query:

The baseDN (the tree under which the search should be executed) is set to the ExternalStaff “folder” in the saibot.airport “partition”:

image

The filter string is composed according to the LDAP filter specification (about which there is plenty of material on the internet, none of it trivial, it seems; see for example LDAP Filter Tutorial). The filter is set to

concat('(&(objectClass=person)(uid=',/ns0:FindUserAccountRequest/ns0:UserId,'))')

which resolves to strings such as (&(objectClass=person)(uid=hendrik.ido)), which is LDAP speak for: find all entries of objectClass person whose uid attribute is set to the string value hendrik.ido.
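The concat() above splices the UserId from the request straight into the filter string. RFC 4515 reserves five characters inside an assertion value: ( ) * \ and NUL. If any of them arrive in UserId unchanged, they alter the structure of the filter instead of being compared as text; a single * turns the uid equality into a presence test that matches every person under the baseDN. The check a practitioner wants is therefore either a strict pattern on UserId before the transformation or escaping of those characters in the value. The following is an added Python example, not code from the article or from the SOA Suite adapter: it builds the same filter as the XSLT, once verbatim and once escaped, and runs both against a small in-memory evaluator over a constructed directory so the difference is visible offline. The evaluator, the sample entries and the DN suffix dc=saibot,dc=airport are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple, Union

# --- Building the filter -------------------------------------------------
# RFC 4515: these characters must appear as \XX (two hex digits) inside an
# assertion value; otherwise the value changes the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unescaped(user_id: str) -> str:
    """Same shape as the XSLT concat() in the article: the user id is spliced in verbatim."""
    return "(&(objectClass=person)(uid=" + user_id + "))"


def build_user_filter(user_id: str) -> str:
    """Hardened variant: identical output for ordinary ids, metacharacters escaped."""
    return "(&(objectClass=person)(uid=" + escape_filter_value(user_id) + "))"


# --- A minimal filter evaluator (constructed for this example) ------------
Node = Union[Tuple[str, list], Tuple[str, str, str]]


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int) -> Tuple[Node, int]:
    """Parse one parenthesised filter starting at s[i]; supports &, |, ! and attr=value."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated item filter")
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def _matches(node: Node, entry: Dict[str, List[str]]) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not _matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                      # presence filter: any value at all
        return bool(values)
    # Unescaped '*' are wildcards; an escaped \2a survives _unescape() as a literal '*'.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    rx = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
    return any(rx.match(v) for v in values)


def search(entries: List[Dict[str, List[str]]], filter_str: str) -> List[str]:
    """Return the DNs of entries matching filter_str (attribute names compared case-insensitively)."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e["dn"][0] for e in entries
            if _matches(node, {k.lower(): v for k, v in e.items() if k != "dn"})]


# Constructed sample directory standing in for the ExternalStaff subtree of the article
# (the suffix dc=saibot,dc=airport is an assumption, not taken from the post).
BASE_DN = "ou=ExternalStaff,dc=saibot,dc=airport"
DIRECTORY = [
    {"dn": ["uid=hendrik.ido," + BASE_DN], "objectClass": ["top", "person", "inetOrgPerson"],
     "uid": ["hendrik.ido"], "cn": ["Hendrik Ido"], "mail": ["hendrik.ido@example.org"]},
    {"dn": ["uid=maria.fuentes," + BASE_DN], "objectClass": ["top", "person", "inetOrgPerson"],
     "uid": ["maria.fuentes"], "cn": ["Maria Fuentes"], "mail": ["maria.fuentes@example.org"]},
    {"dn": ["cn=ExternalStaffAdmins," + BASE_DN], "objectClass": ["top", "groupOfNames"],
     "cn": ["ExternalStaffAdmins"], "member": ["uid=hendrik.ido," + BASE_DN]},
]

if __name__ == "__main__":
    for user_id in ("hendrik.ido", "*"):
        for builder in (build_user_filter_unescaped, build_user_filter):
            flt = builder(user_id)
            print("%-28s %-42s -> %s" % (builder.__name__, flt, search(DIRECTORY, flt)))
```

For the normal id both builders produce exactly the (&(objectClass=person)(uid=hendrik.ido)) string shown in the article and return one entry; for the id * the verbatim filter returns every person while the escaped filter (uid=\2a) returns nothing. In the composite the equivalent control sits in front of the LDAP adapter, as a validation of UserId or an escaping step in the transformation.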


image

And the transformation of the query result to the response:

image

Note: we could perhaps have extracted a more elegant organizationUnitName and managerId. At the moment, some LDAP internals are exposed in these values.

The routing rule in the Mediator is configured like this:

image


Resources

Source code for this article: https://github.com/lucasjellema/soasuitehandbook/tree/master/ch18/LDAPAccessor.

About Author

Lucas Jellema, active in IT (and with Oracle) since 1994. Oracle ACE Director and Oracle Developer Champion. Solution architect and developer on diverse areas including SQL, JavaScript, Kubernetes & Docker, Machine Learning, Java, SOA and microservices, events in various shapes and forms and many other things. Author of the Oracle Press book Oracle SOA Suite 12c Handbook. Frequent presenter on user groups and community events and conferences such as JavaOne, Oracle Code, CodeOne, NLJUG JFall and Oracle OpenWorld.

7 Comments

  1. Hi Lucas Jellema,

    Thanks for the nice article.

    I am trying to search for members belonging to an AD group.
    I have two groups: 1) GroupA (has 1600 members) 2) GroupB (has only 3 members).
    The code is able to retrieve members for GroupB but I get the error below for GroupA.

    “Decoding Error: The attribute description "member;range=0-1499" could not be parsed because it contains an invalid character "=" at position 12”

    Could you please tell me how I can use the range filter and get all members?
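What the error in this comment shows is Active Directory's ranged retrieval: when a multi-valued attribute has more values than the server's MaxValRange (1500 by default), AD returns the first slice under the attribute description member;range=0-1499 and expects the client to ask for member;range=1500-* next, until the server marks the final slice with a * upper bound. The adapter's parser stops at the = inside that option (position 12 of the description, as the message says). The following added Python example, which is neither the commenter's code nor part of the LDAP adapter, shows the client side of that loop against a constructed stand-in for the server, so the mechanism can be seen offline; the 1500 page size and the group member DNs are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# AD returns a large multi-valued attribute in slices. Each slice is tagged with the
# option "range=low-high" on the attribute description; a high bound of "*" marks
# the final slice (documented in MS-ADTS, "range retrieval").
_RANGE_OPTION = re.compile(r"^range=(\d+)-(\d+|\*)$", re.IGNORECASE)
MAX_RANGE = 1500   # AD's default MaxValRange; used here by the simulated server


def parse_attribute_description(desc: str) -> Tuple[str, Optional[Tuple[int, Optional[int]]]]:
    """'member;range=0-1499' -> ('member', (0, 1499)); a '*' upper bound is returned as None."""
    attr, *options = desc.split(";")
    for option in options:
        m = _RANGE_OPTION.match(option)
        if m:
            high = None if m.group(2) == "*" else int(m.group(2))
            return attr, (int(m.group(1)), high)
    return attr, None


def next_range_attribute(returned_desc: str) -> Optional[str]:
    """Attribute description to request next, or None when the server sent the last slice."""
    attr, rng = parse_attribute_description(returned_desc)
    if rng is None or rng[1] is None:
        return None
    return "%s;range=%d-*" % (attr, rng[1] + 1)


def simulated_ad_lookup(all_values: List[str], requested_desc: str) -> Tuple[str, List[str]]:
    """Stand-in for the directory server, constructed for this example: answers one
    request with one slice the way AD does. This is not the LDAP adapter."""
    attr, rng = parse_attribute_description(requested_desc)
    if rng is None and len(all_values) <= MAX_RANGE:
        return attr, list(all_values)          # small attribute: no range option at all
    low = rng[0] if rng else 0
    high = min(low + MAX_RANGE - 1, len(all_values) - 1)
    last = high == len(all_values) - 1
    return "%s;range=%d-%s" % (attr, low, "*" if last else str(high)), all_values[low:high + 1]


def fetch_all_values(all_values: List[str], attr: str = "member") -> Tuple[List[str], List[str]]:
    """Drive the ranged-retrieval loop; returns (collected values, descriptions returned)."""
    collected, seen, request = [], [], attr
    while request is not None:
        returned, chunk = simulated_ad_lookup(all_values, request)
        seen.append(returned)
        collected.extend(chunk)
        request = next_range_attribute(returned)
    return collected, seen


# Constructed groups mirroring the comment: 1600 members versus 3 members.
GROUP_A = ["cn=user%04d,ou=Users,dc=example,dc=org" % n for n in range(1600)]
GROUP_B = ["cn=user%04d,ou=Users,dc=example,dc=org" % n for n in range(3)]

if __name__ == "__main__":
    for name, members in (("GroupA", GROUP_A), ("GroupB", GROUP_B)):
        values, descs = fetch_all_values(members)
        print(name, len(values), "values via", descs)
```

GroupB comes back in one plain member attribute; GroupA needs two round trips, the first answered as member;range=0-1499 (the exact description in the error) and the second as member;range=1500-*. A client has to recognise the option and loop like this; a consumer that cannot parse the option, as the error shows for the adapter, only ever sees the first slice or fails.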

  2. Hi, thanks for the great share. Can you please describe the modify option in the LDAP adapter? I want to change a user password stored in OUD via this adapter. Thanks in advance.

  3. Hi Lucas,

    I hope you check comments from readers actively. I have been struggling to use LDAP Adapter although I followed your tutorial.
    I am trying to search users. baseDN and searchFilter values that I used in my SOA project are correct. Weblogic Server setup was also done as shown. But somehow I’ve got the following error. What am I missing?

    {“RestFaultElement”:
    {“summary”:”Exception occurred when binding was invoked.
    Exception occurred during invocation of JCA binding:
    JCA Binding execute of Reference operation ‘search’ failed due to: LDAP_ERROR_MALFORMED_CONTROL.
    Ldap Adapter request control is malformed.
    An error occurred while parsing the request control. “1.2.840.113556.1.4.473:false”
    control string should be formatted as controlName1|controlOID:criticality:prop1:value1:prop2:value2;
    Please examine the log file to determine the problem.\n\”.
    The invoked JCA adapter raised a resource exception.\nPlease examine the above error message carefully to determine a resolution.\n”,”code”:null,”detail”:null}}

    • Lucas Jellema on

      Hi Sapmp1155

      I do not check very regularly and I am afraid this article is too long in my past to be able to give you an immediate answer. I hope the logfiles are of more use than I am.

      kind regards

      Lucas

      • That is alright. I will find a way. I greatly appreciate your immediate/honest reply. Your post was still helpful. Thank you for your contribution to the world.

  4. Tiago Vidigal on

    Hi Lucas, Maarten,

    I’ve been able to successfully implement integration with the LDAPAdapter from SOA Suite / OSB, querying users and also updating their attributes, following your tutorials 🙂

    My only issue at the moment, which I’d hope perhaps you’ve had to face before, is concerning binary/byte attributes of Microsoft Active Directory, namely the thumbnailPhoto attribute which Outlook uses to display a user account’s picture. When implementing an LDAPAdapter reference to update an LDAP record from a SOA Composite or OSB, the web service wrapper produces an XSD file to use with the JCA adapter configuration which treats this thumbnailPhoto attribute like any other attribute, namely as a String element. The nightmare is that there doesn’t seem to be any sort of string encoding which could be used to successfully upload the user account’s picture from a web service integration point of view… The value does get updated in the AD attribute but it doesn’t produce a valid picture from the AD point of view.

    I’ve tried the Base64 encoding approach over the picture file but no success. All bloody examples on the Internet concerning programmatic update of that Microsoft Active Directory attribute refer to PowerShell commands that use byte arrays >_>

    Thank you. Regards,
    Tiago