SOA Suite 12c introduced a number of new adapters. One of them is the LDAP Adapter. In several earlier articles on this blog (for example https://technology.amis.nl/2014/08/08/oracle-soa-suite-12c-ldapadapter-tutorial/ by Maarten Smeets), we have described how to set up and configure the LDAP adapter and how to use it in conjunction with the ApacheDS open source LDAP directory. Of course, this adapter is also supported with Microsoft Active Directory and Oracle’s OID, OVD and OUD.
In this article, I take the next step with the LDAP Adapter. I will demonstrate how to create a SOA composite that queries an LDAP directory for the details of a specific user account. This article continues where my earlier post – SOA Suite 12c: Creating user accounts in ApacheDS using the LDAP adapter (inspired by Maarten Smeets) – left off. I will assume the same set up, with ApacheDS as the LDAP Directory and the configuration of the LDAP Adapter connection already performed.
I want to create a service operation that takes a user id (uid attribute) as input and returns a selected set of details from the entry for that user in the LDAP directory. Here is an example of such an LDAP entry:
The service call – request and response – is executed in SoapUI:
and the resulting flow trace in the EM FMW Control:
The SOA Composite application is very simple – one additional component compared to the previous article: the outbound LDAP adapter reference binding, configured to search for LDAP details:
LDAP Adapter binding for Search operation
Let us check the configuration of this adapter binding.
Select the IDE connection and the JNDI name for the LDAP Adapter run time connection:
Select the Search operation.
Configure the search operation:
Select the attributes that this search should return. Only select attributes that apply to the object class(es) that the entries implement:
Accept defaults on the next two pages:
and
and finally, press Finish:
Data Structures and Transformations
The XSD generated as a result of the adapter binding configuration looks like this:
The LdapService has been extended with a two-way operation:
supported by an extended XSD definition:
The transformation for the search filter in the request message (from inbound request to the LDAP adapter):
The code for the query:
The baseDN (the subtree under which the search is executed) is set to the ExternalStaff "folder" in the saibot.airport "partition".
The filter string is composed according to the LDAP specifications (about which there is plenty of material on the internet, none of it trivial it seems – see for example the LDAP Filter Tutorial). The filter is set to
concat('(&(objectClass=person)(uid=',/ns0:FindUserAccountRequest/ns0:UserId,'))') which resolves to strings such as (&(objectClass=person)(uid=hendrik.ido)) – which is LDAP speak for: find all entries of objectClass person whose uid attribute has the string value hendrik.ido.
and the transformation of the query result to the response
Note: we could perhaps have extracted a more elegant organizationUnitName and managerId. At the moment, some LDAP internals are exposed in these values.
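The filter construction above can be checked offline. The following Python script is an added example, not code from the article or from the SOA Suite adapter: it builds the same `(&(objectClass=person)(uid=...))` filter that the XSLT `concat(...)` produces, escapes the user-supplied uid per RFC 4515 before inserting it (the concat expression inserts the value as-is, so a uid containing `(`, `)`, `*` or `\` would change the filter's structure rather than be matched literally), and runs the filter against a few constructed entries with a small evaluator that supports `&`, `|`, `!`, equality and presence items. The base DN `ou=ExternalStaff,dc=saibot,dc=airport`, the sample entries and all function names are assumptions made for this example.

```python
"""Added example (not part of the original article): build the search filter
the article constructs with concat(...), escape the uid first, and evaluate
the filter against constructed in-memory entries.

Assumptions: the base DN, the sample entries and the helper names are made up
for this example. The evaluator handles &, |, ! and equality/presence items
only (no substring, >=, <= or extensible matching).
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

BASE_DN = "ou=ExternalStaff,dc=saibot,dc=airport"  # assumed DN of the ExternalStaff "folder"


def escape_filter_value(value: str) -> str:
    """Escape a string so the filter treats it as a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_id: str) -> str:
    """Same shape as the article's concat(...) expression, with the uid escaped."""
    return "(&(objectClass=person)(uid=" + escape_filter_value(user_id) + "))"


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Recursive-descent parse of the filter starting at s[i]; returns (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    op = s[i]
    if op in "&|":
        children, i = [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        node = (op, children)
    elif op == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        # simple item attr=value, running to the next ')' (escaped parens are \28 / \29)
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated filter item")
        attr, sep, raw = s[i:j].partition("=")
        if not sep or not attr:
            raise ValueError(f"unsupported filter item {s[i:j]!r}")
        node = ("=", (attr, None if raw == "*" else _unescape(raw)))  # None = presence test
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at position {i}")
    return node, i + 1


def _matches(node, entry) -> bool:
    kind, payload = node
    if kind == "&":
        return all(_matches(c, entry) for c in payload)
    if kind == "|":
        return any(_matches(c, entry) for c in payload)
    if kind == "!":
        return not _matches(payload[0], entry)
    attr, value = payload
    # attribute names, and uid/objectClass values, compare case-insensitively
    present = [v for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]
    if value is None:
        return bool(present)
    return any(v.lower() == value.lower() for v in present)


def search(directory, base_dn, filter_str, attributes):
    """Subtree search under base_dn; returns (dn, selected attributes) for matching entries."""
    tree, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    base = base_dn.lower()
    results = []
    for dn, entry in directory.items():
        dn_l = dn.lower()
        if dn_l != base and not dn_l.endswith("," + base):
            continue
        if _matches(tree, entry):
            results.append((dn, {a: entry.get(a, []) for a in attributes}))
    return results


# Constructed sample entries, not the article's actual directory contents.
PERSON = ["inetOrgPerson", "organizationalPerson", "person", "top"]
SAMPLE_DIRECTORY = {
    "uid=hendrik.ido,ou=ExternalStaff,dc=saibot,dc=airport": {
        "objectClass": PERSON, "uid": ["hendrik.ido"], "cn": ["Hendrik Ido"],
        "sn": ["Ido"], "mail": ["hendrik.ido@example.com"]},
    "uid=jane.doe,ou=ExternalStaff,dc=saibot,dc=airport": {
        "objectClass": PERSON, "uid": ["jane.doe"], "cn": ["Jane Doe"],
        "sn": ["Doe"], "mail": ["jane.doe@example.com"]},
    # same uid but outside the ExternalStaff base DN: must not be returned
    "uid=hendrik.ido,ou=Staff,dc=saibot,dc=airport": {
        "objectClass": PERSON, "uid": ["hendrik.ido"], "cn": ["Hendrik Ido (internal)"], "sn": ["Ido"]},
    # not a person: excluded by the objectClass assertion
    "cn=Printers,ou=ExternalStaff,dc=saibot,dc=airport": {
        "objectClass": ["groupOfNames", "top"], "cn": ["Printers"]},
}

if __name__ == "__main__":
    flt = build_user_filter("hendrik.ido")
    print(flt)
    for dn, attrs in search(SAMPLE_DIRECTORY, BASE_DN, flt, ["cn", "sn", "mail"]):
        print(dn, attrs)
    # metacharacters in the uid are escaped, so this matches nothing instead of widening the search
    print(build_user_filter("x)(uid=*"), search(SAMPLE_DIRECTORY, BASE_DN, build_user_filter("x)(uid=*"), ["cn"]))
```

Running the script prints the filter for hendrik.ido and the single entry under ou=ExternalStaff that matches it; the entry with the same uid under ou=Staff is outside the base DN and is not returned, which is the effect of the baseDN setting described above. The escaping step is the part worth carrying over to the XSLT: a uid value must be escaped before it is concatenated into a filter, otherwise the value decides the shape of the query.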
The routing rule in the Mediator is configured like this:
Resources
Source code for this article: https://github.com/lucasjellema/soasuitehandbook/tree/master/ch18/LDAPAccessor.
Hi Lucas Jellema,
Thanks for the nice article.
I am trying to search for members belonging to an AD group.
I have two groups: 1) GroupA (has 1600 members) 2) GroupB (has only 3 members).
The code is able to retrieve members for GroupB but I get the error below for GroupA.
"Decoding Error: The attribute description "member;range=0-1499" could not be parsed because it contains an invalid character "=" at position 12"
Could you please tell me how I can use the range filter and get all members?
Hi, thanks for the great share. Can you please describe the modify option in the LDAP adapter? I want to change a user password stored in OUD with this adapter. Thanks in advance.
Hi Lucas,
I hope you check comments from readers actively. I have been struggling to use LDAP Adapter although I followed your tutorial.
I am trying to search users. baseDN and searchFilter values that I used in my SOA project are correct. Weblogic Server setup was also done as shown. But somehow I’ve got the following error. What am I missing?
{"RestFaultElement":
{"summary":"Exception occurred when binding was invoked.
Exception occurred during invocation of JCA binding:
JCA Binding execute of Reference operation 'search' failed due to: LDAP_ERROR_MALFORMED_CONTROL.
Ldap Adapter request control is malformed.
An error occurred while parsing the request control. "1.2.840.113556.1.4.473:false"
control string should be formatted as controlName1|controlOID:criticality:prop1:value1:prop2:value2;
Please examine the log file to determine the problem.\n\".
The invoked JCA adapter raised a resource exception.\nPlease examine the above error message carefully to determine a resolution.\n","code":null,"detail":null}}
Hi Sapmp1155
I do not check very regularly, and I am afraid this article is too long in my past to be able to give you an immediate answer. I hope the logfiles are of more use than I am.
kind regards
Lucas
That is alright. I will find a way. I greatly appreciate your immediate/honest reply. Your post was still helpful. Thank you for your contribution to the world.
Hi Lucas, Maarten,
I’ve been able to successfully implement integration with the LDAPAdapter from SOA Suite / OSB, querying users and also updating their attributes, following your tutorials 🙂
My only issue at the moment, which I hope perhaps you have had to face before, concerns binary/byte attributes of Microsoft Active Directory, namely the thumbnailPhoto attribute which Outlook uses to display a user account's picture. When implementing an LDAPAdapter reference to update an LDAP record from a SOA Composite or OSB, the web service wrapper produces an XSD file to use with the JCA adapter configuration which treats this thumbnailPhoto attribute like any other attribute, namely as a String element. The nightmare is that there doesn't seem to be any sort of string encoding which could be used to successfully upload the user account's picture from a web service integration point of view... The value does get updated in the AD attribute but it doesn't produce a valid picture from the AD point of view.
I’ve tried the Base64 encoding approach over the picture file but no success. All bloody examples on the Internet concerning programmatic update of that Microsoft Active Directory attribute refer to PowerShell commands that use byte arrays >_>
Thank you. Regards,
Tiago
Thanks for the nice article.
LDAP Search Filter location is : https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html