My colleague Maarten Smeets recently published a very good article on the first steps with the SOA Suite 12c LDAP adapter (https://technology.amis.nl/2014/08/08/oracle-soa-suite-12c-ldapadapter-tutorial). He inspired me to take my own first and next steps – and I need those for the Oracle SOA Suite 12c Handbook that I am currently writing. My very first step in this area was the installation and configuration of ApacheDS server on Linux and the ApacheDS Directory Studio (described in this article https://technology.amis.nl/2014/10/22/getting-started-with-apacheds-ldap-server-and-directory-studio/) and the use of JXplorer to browse LDAP directories (as introduced by another colleague Aldo Schaap – https://technology.amis.nl/2013/02/05/21036/).
In this article, I am going a little beyond these initial steps. I will provide some details that Maarten did not disclose. At the end, I will publish a web service from a SOA Composite that can be invoked to add new user to my ApacheDS LDAP server and also assign a manager to this new user. I struggled a little bit with the partition concept in ApacheDS – although in the end just closely looking at the log-console in the Directory Studio helped a lot in understanding what I had to specify in the input to the LDAP Adapter.
This article – https://technology.amis.nl/2014/10/22/getting-started-with-apacheds-ldap-server-and-directory-studio/ – describes how to install ApacheDS and ApacheDS Directory Studio – and how to create a custom partition saibot.airport. I am using the end result of that article as my starting point for this one.
Create some LDAP entries
Under my custom partition saibot.airport I have created three organizationalUnits: groups, ExternalStaff, InternalStaff. It is my intention to create users that are not on the payroll of Saibot Airport – but that still need to recorded in the LDAP server – under the node ExternalStaff. Under InternalStaff are the people directly employed by Saibot Airport. Under groups will be the enterprise groups (or roles) that we discern in the organization. One such group has been defined: Administrators – based on the LDAP object groupOfUniqueNames. Maarten Smeets describes in this article – https://technology.amis.nl/2014/08/03/ldap-weblogic-using-apacheds-authentication-provider/#prettyPhoto– how ApacheDS can be used as a Security Provider for a WebLogic domain.
Configure the LDAP Adapter connection pool
Just like Maarten describes, we need to prepare a connection in the LDAP Adapter deployment in the WebLogic server. This connection is configured to connect to a specific LDAP directory server – in this case my ApacheDS Server. In the LDAP Adapter configuration we can later on refer to this connection by its logical JNDI name. The connection will then be established to whatever LDAP instance is referenced by the connection in the run time environment into which the SOA composite is deployed.
From the list of Deployment in the WebLogic domain in which the SOA Suite 12c runtime is running, click on LDAP Adapter (note: if the LDAP Adapter is currently not targeted to the (managed) server running the SOA Suite runtime, then you should configure this server as a target for this LDAP Adapter deployment – Maarten describes this in his article):
In the window that opens, click on the tab Configuration and then on the subtab Outbound Connection Pools. Click on the New button.
On the first page, there is not a lot of choice. Press Next.
On the second page, specify the JNDI name for the adapter connection. This name will be referenced in all LDAP Adapter bindings that want to access the same LDAP Saibot Airport directory.
Set this name to eis/ldap/SaibotLdap.
In the list of connections under the Connection Factory, you will find the newly created connection. Click on it to set the properties for connecting to the ApacheDS directory:
The Outbound Connection properties are presented. The properties to edit are indicated:
- bindDN: uid=admin,ou=system
- hostname: soa2admin2
- password: secret
- port: 10389
At this point you may get into a familiar dialog about saving the changes to a deployment plan; perform the suggested steps to create the deployment plan for the LDAP Adapter configuration.
After the configuration is complete, restart the server.
Create an LDAP connection in JDeveloper
For configuring the the LDAP Adapter in JDeveloper I need to have a connection available to the ApacheDS directory. On the Resource palette, create a new LDAP Connection, configured as follows:
The password is secret. Press OK to complete.
The new connection should be shown in the palette:
The SOA Composite application to manipulate the LDAP directory
It is my intention to create a SOA Composite that reaches out to the LDAP directory to create new user accounts. These users are for now added as External Staff. A manager can – but does not need to be – specified. At this point I do not create group memberships.
The steps I went through:
- Create a new SOA Application with a SOA project – both called LDAPAccessor
- Add an outbound LDAP Adapter binding – configured for the Add operation
- Create the WSDL and supporting XSD for the LDAPService exposed by the composite
- Create a Service binding in the SOA composite based on this WSDL
- Add a Mediator component to the composite – linking the Service binding to the LDAP Adapter binding
- Configure the Mediator with a newly created XSL Map to transform between the incoming request to the input required by the add operation in the LDAP adapter
The final result looks like this:
The WSDL and XSD look like this:
Configuring the LDAP Adapter binding
Drag the LDAP Adapter to the SOA composite:
Set the name for the outbound adapter binding reference:
Select the IDE connection to the LDAP server and configure the JNDI name for the LDAP Adapter connection (eis/ldap/SaibotLdap):
Select the Add operation:
Select the Object Classes to add (I believe that when you selected multiple object classes, they have to be in the same object hierarchy):
Also select the attributes that will be added to the new object classes. In this case select mail, manager, mobile, uid and userPassword.
Do not check the checkbox:
(or do check it if you feel like it)
You have reached the last page of the wizard – click Finish:
Data Structures and Transformation
The XSD published by the LDAP Adapter Configuration Wizard – that we need to map to – is as follows:
The XSL Map for transforming from request to this XML structure is fairly simple – although the contents for some element is not trivial:
Look at the derivation of the value of the Distinguished Name (dn). Here we concatenate the uid (based on the UserId in the request message) with the (hard coded) identification: ou=ExternalStaff,o=saibot.airport
The value for the manager is also derived in a special way: after testing if a ManagerId is passed in the request message, the value sent to the LDAP Adapter is composed from the uid (the ManagerId in the request message) and the same hard coded parent node/dc context: ou=ExternalStaff,o=saibot.airport.
Deploy and Run
The composite is complete. Deploy it to the SOA Suite run time. Then, invoke it:
Create a test message – to add user Margaret Knowles:
The response comes in – well not actually a response but an acknowledgement of the reception of the one way service call:
When we check in the Directory Studio, the new user is available:
Next, invoke the service with a request to create a user who has a manager:
And sure enough, the user is created with the manager attribute appropriately set:
Note: Connect to the LDAP directory using JXplorer
When using JXplorer, I can connect to my custom partition in the ApacheDS server with these connection details:
host (in my case): soa2admin2
Base DN (== my custom partition: saibot.airport
Security Level: User + Password
User DN: uid=admin,ou=system
The LDAP tree looks similar of course in this tool:
Introduction to ApacheDS: http://krams915.blogspot.nl/2011/01/ldap-apache-directory-studio-basic.html
Source code for this article: https://github.com/lucasjellema/soasuitehandbook/tree/master/ch18/LDAPAccessor.
One thought on “SOA Suite 12c: Creating user accounts in ApacheDS using the LDAP adapter (inspired by Maarten Smeets)”
How can i add an existing user to a group in ldap
Comments are closed.