
authn and authz issues with OUD

fchagnon, Mar 11 2014 (edited Mar 13 2014)

I have an application that supports LDAP as a means of authentication and authorization. I would like to have it use our OUD-based identity store. This is not an open system; I have no control over the client's behaviour, so any tweaking I do to make it work must be done on the server side.

Authentication Issue:

If I just enter a username "firstname.lastname" (as is our convention), the application sends this string verbatim to OUD and fails.

[11/Mar/2014:14:49:34 -0400] CONNECT conn=67 from=xxx.xxx.xxx.xxx:44715 to=xxx.xxx.xxx.xxx:1636 protocol=LDAPS

[11/Mar/2014:14:49:34 -0400] BIND REQ conn=67 op=0 msgID=1 type=SIMPLE dn="firstname.lastname"

[11/Mar/2014:14:49:34 -0400] BIND RES conn=67 op=0 msgID=1 result=1 message="The provided value "firstname.lastname" could not be parsed as a valid distinguished name because it contained an RDN containing an empty attribute name" etime=23

This is predictable as the application is not smart enough to expand this username to something smart like "uid=firstname.lastname,ou=People,dc=example,dc=com". However, if I authenticate with this fully qualified DN, authentication succeeds.

I don't expect my users to remember this ugly DN string. Is there any way I can tweak the OUD side to accept these types of shortened aliases? Or am I verging on OVD territory here?

Authorization Issue:

The application is capable of mapping its internal authorization levels to LDAP groups. The problem here is that it searches for memberOf (AD) or groupMembership (Novell) attributes in order to ascertain group membership, rather than the conventional memberUid or isMemberOf.

[11/Mar/2014:14:49:59 -0400] SEARCH REQ conn=71 op=1 msgID=2 base="uid=firstname.lastname,ou=People,dc=example,dc=com" scope=baseObject filter="(objectclass=user)" attrs="memberOf,groupMembership"

[11/Mar/2014:14:49:59 -0400] SEARCH RES conn=71 op=1 msgID=2 result=0 nentries=0 etime=0

The result of course is that group membership is not properly found, and thus authorizations are not assigned.

I understand that I can create a virtual attribute, based on ismemberof, but called memberof, which should be able to add support for this query but I cannot find a working recipe to properly add this functionality.

Has anyone done anything like this before?

Running OUD 11.1.2.1.0

Thanks.

Fred
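A troubleshooting script for the two failure modes quoted in the post, added here as an example; it is not part of the original post and not an OUD tool. It parses OUD-style access-log lines (the sample below is constructed from the entries in the post, with made-up addresses), correlates REQ/RES pairs by connection and operation, flags simple binds whose dn is a bare login name rather than a DN, and flags AD-style group lookups (memberOf/groupMembership) that return no entries.

```python
import re

# Constructed sample modelled on the OUD access-log entries quoted in the post
# (client and server addresses are made up).
SAMPLE_LOG = """\
[11/Mar/2014:14:49:34 -0400] CONNECT conn=67 from=192.0.2.10:44715 to=192.0.2.20:1636 protocol=LDAPS
[11/Mar/2014:14:49:34 -0400] BIND REQ conn=67 op=0 msgID=1 type=SIMPLE dn="firstname.lastname"
[11/Mar/2014:14:49:34 -0400] BIND RES conn=67 op=0 msgID=1 result=1 message="The provided value "firstname.lastname" could not be parsed as a valid distinguished name because it contained an RDN containing an empty attribute name" etime=23
[11/Mar/2014:14:49:59 -0400] BIND REQ conn=71 op=0 msgID=1 type=SIMPLE dn="uid=firstname.lastname,ou=People,dc=example,dc=com"
[11/Mar/2014:14:49:59 -0400] BIND RES conn=71 op=0 msgID=1 result=0 etime=2
[11/Mar/2014:14:49:59 -0400] SEARCH REQ conn=71 op=1 msgID=2 base="uid=firstname.lastname,ou=People,dc=example,dc=com" scope=baseObject filter="(objectclass=user)" attrs="memberOf,groupMembership"
[11/Mar/2014:14:49:59 -0400] SEARCH RES conn=71 op=1 msgID=2 result=0 nentries=0 etime=0
"""

DN_SHAPED = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")  # a DN starts with attr=, a bare login name does not
AD_GROUP_ATTRS = {"memberof", "groupmembership"}   # AD / eDirectory style membership attributes

def field(line, name):
    """Value of name=... (quoted or bare) from one access-log line, or None."""
    m = re.search(r'\b%s=(?:"([^"]*)"|(\S+))' % re.escape(name), line)
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))

def analyse(log_text):
    """Correlate REQ/RES lines by (conn, op) and return the findings as dicts."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        key = (field(line, "conn"), field(line, "op"))
        if " BIND REQ " in line:
            pending[key] = field(line, "dn")
        elif " BIND RES " in line:
            dn = pending.pop(key, None)
            # Simple bind with a bare username: OUD cannot parse it as a DN (result=1 in the post).
            if dn and not DN_SHAPED.match(dn) and field(line, "result") != "0":
                findings.append({"conn": key[0], "issue": "bare_username_bind", "dn": dn})
        elif " SEARCH REQ " in line:
            attrs = {a.strip().lower() for a in (field(line, "attrs") or "").split(",")}
            pending[key] = (attrs & AD_GROUP_ATTRS, field(line, "filter"), field(line, "scope"))
        elif " SEARCH RES " in line:
            req = pending.pop(key, None)
            if req and req[0] and field(line, "nentries") == "0":
                attrs, flt, scope = req
                # result=0 with nentries=0 on a baseObject search means the entry exists but did
                # not match the filter: the AD-style filter fails before any memberOf attribute matters.
                findings.append({"conn": key[0], "issue": "ad_style_group_lookup_empty",
                                 "attrs": sorted(attrs), "filter": flt,
                                 "filter_mismatch": scope == "baseObject" and field(line, "result") == "0"})
    return findings

if __name__ == "__main__":
    print(*analyse(SAMPLE_LOG), sep="\n")
```

Running it over a real OUD access log instead of SAMPLE_LOG shows how often clients bind with bare names and which connections perform AD-style group lookups that come back empty.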
