LDAP Directories and ADF Model

John Flack

Aug 12, 2014, 11:48:38 AM
to adf-met...@googlegroups.com
I'm working on a provisioning application that is supposed to update our LDAP directory - ours is OpenLDAP, but theoretically a solution should work for any directory that supports standard LDAP. What are you all doing:
- Write a POJO to read and write the directory, and expose it as a data control? If this, do you have a favorite API? I'm looking at Apache's.
- Write a programmatic View Object? This would also probably need use of an API.
- I've seen some JDBC drivers that supposedly let you treat a directory as if it were a database - you might be able to create some Entity Objects, View Objects and an Application Module for this.
- Forget updating directly with ADF - use DBMS_LDAP in the database?
- Other solutions?

Jean-Marc Desvaux

Aug 12, 2014, 12:23:55 PM
to adf-met...@googlegroups.com
John,

We use DBMS_LDAP + packages and views.
It's simple and convenient.

Jean-Marc

mauro.flores.g

Aug 12, 2014, 12:35:46 PM
to adf-met...@googlegroups.com
Hi John.

I personally like to build a POJO using Oracle Platform Secure Services (OPSS APIs). This way you use the security provider connected to your WebLogic and don't need to worry about the provider itself; it is also certified to be used in WebLogic. Then create a Data Control, and that gives a "module" ready to reuse.

Kind Regards
Mauro

John Flack

Aug 12, 2014, 2:14:21 PM
to adf-met...@googlegroups.com
Joe Greenwald replied to me privately, and I hope he doesn't mind if I post it, because it may be of interest to the group:

The new LDAP adapter in SOA Suite 12c can do this declaratively.

http://docs.oracle.com/middleware/1213/adapters/develop-soa-adapters/adptr_ldap.htm


You could create a simple service composite in SOA Suite and then create a Web Service Data control based on that service in ADF.
This is assuming, of course, that you have SOA Suite ;-)
joe

I've also seen a good post from Maarten Smeets of AMIS about this at:
http://technology.amis.nl/2014/08/08/oracle-soa-suite-12c-ldapadapter-tutorial/?utm_source=rss&utm_medium=rss&utm_campaign=oracle-soa-suite-12c-ldapadapter-tutorial

But for me, the SOA solution won't work - we aren't licensed for SOA Suite, and not likely to get it.

Thank you to Jean-Marc and Mauro for your answers - keep them coming.

John Flack

Aug 29, 2014, 11:00:23 AM
to adf-met...@googlegroups.com
Just an update - I decided to try to create programmatic view objects with the UnboundID LDAP SDK for Java.  Got it working (and I'll probably blog about it).  But as Wilfred said on another thread - programmatic VOs are NOT easy.  If I had it to do again, I might decide differently.

raman nanda

Aug 29, 2014, 4:19:21 PM
to adf-met...@googlegroups.com

Hi,

Have you considered using iamfortress? It provides you easy to use APIs and implements advanced constructs such as ARBAC, RBAC, SOD, etc. It works on top of openldap server. All you have to do is write an EL provider to drive security for your application. The rest can be managed by the bundled fortress applications.

Regards,
Ramandeep

--
--
You received this message because you are subscribed to the ADF Enterprise Methodology Group (http://groups.google.com/group/adf-methodology). To unsubscribe send email to adf-methodolo...@googlegroups.com
 
All content to the ADF EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the ADF EMG with a link to the Google Group (http://groups.google.com/group/adf-methodology).

---
You received this message because you are subscribed to the Google Groups "ADF Enterprise Methodology Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to adf-methodolo...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

John Flack

Aug 29, 2014, 4:32:05 PM
to adf-met...@googlegroups.com
UnboundID API was the least of my problems - was pretty easy to use and worked great.  The tough part was getting it to work in a VO.  I've heard that there are packages that expose an LDAP directory for update via web services - that might work well with ADF's support for making data controls as web service clients.  But I'm not sure our system administrator would be too happy about installing one because of security concerns. 

Remember - this is a provisioning application through which we will update our LDAP directory.  We have no problem using weblogic's built-in support for our directory for authentication and authorization.  It WAS recommended that we just use a third-party provisioning application, but we already had a database that contains information about most of our contacts - some of which also need usernames and passwords for our applications.  We didn't want to send our users to another application to do this part of the job.

Alejandro T. L

Aug 29, 2014, 4:33:28 PM
to adf-met...@googlegroups.com
Hi John,

May I ask what made you decide to go for UnboundID LDAP SDK for Java rather than the OPSS API? Unless you are not using ADF Security I would like to know the reasons why you decided to go for this other solution.

Regards

Alejandro Tovar Lanz
Oracle Webcenter & ADF Consultant
M: 0779 - 2482387
W: http://oralution.co.uk

John Flack

Aug 29, 2014, 4:49:41 PM
to adf-met...@googlegroups.com
I was not aware of OPSS having any APIs for updating the directory. Even if it does, does ADF have extra support for updates through OPSS - like pre-built ADF BC or pre-built data controls, or a declarative interface? If not, is it any easier to use OPSS's API than UnboundID's, because either way, you gotta write some Java.

Securing the applications isn't really the problem we're trying to solve.  Also, our directory provides authentication and authorization for some non-ADF applications.

raman nanda

Sep 2, 2014, 9:15:48 AM
to adf-met...@googlegroups.com
Hi,

a) OPSS does support updates. Here is the link which shows different scenarios.

b) It is easier than UnboundID's API, as there are several built-in methods to do common operations for search and update, and the way it identifies entities such as User, Role and Policies reduces the lines of code that you would have to write. It is provider agnostic; you could just switch the providers without changing a line of code. You get Oracle support and do not have to worry about purchasing any additional support.

Regards,
Ramandeep

Florin Marcus

Oct 16, 2014, 2:59:15 PM
to adf-met...@googlegroups.com
Hi John,

@ Comparison between OPSS and UnboundID LDAP SDK
The single significant difference between OPSS and UnboundID LDAP SDK for Java I can think of: with OPSS you have a single point of configuration: a new Authentication Provider in WebLogic.
On the other hand, using UnboundID LDAP SDK for Java your code is still generic, but from a deployment point of view, you will have to configure everything twice: once inside the Authentication Provider and a second time inside the UnboundID LDAP configuration files. But that's far from saying that one choice is obviously better than the other.

@ OPSS without ADF
OPSS is not tightly coupled with ADF. You can run OPSS from standalone Java applications (myself, I am running JUnit tests against my OPSS logic), or you can integrate OPSS with any Java web application.

@ OPSS is generic, but it comes with terms and conditions
Oracle doesn't say this directly, but OPSS is limited to LDAP-based security systems. When using DB-based security (SQLAuthenticationProvider), you need to use the MBeans API.

Regards,
Florin