WebCenter Content (WCC) User is Authorized from Second LDAP Provider when the User is in Multiple LDAP Providers (Doc ID 2444145.1)

Last updated on MARCH 22, 2024

Applies to:

Symptoms

User is authorized from second LDAP Provider when the user is in multiple LDAP providers (e.g., Oracle Identity Manager (OID) is first LDAP provider and Active Directory (AD) is second LDAP provider).

When users not in multiple LDAP providers they are authorized correctly from their correct LDAP provider.

A. Example Setup

1. OID is first, AD is second, and Default is third.

2. Virtualization is setup to get roles from multiple providers.

This setup is described in the following Knowledge Note:

3.  Providers were in config.xml in the following order

<sec:authentication-provider xsi:type="wls:oracle-internet-directory-authenticatorType">

<sec:name>OID</sec:name>

...

<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">

<sec:name>MyAD</sec:name>

...

<sec:authentication-provider xsi:type="wls:default-authenticatorType">

<sec:name>DefaultAuthenticator</sec:name>

...

4.  Providers were in adapters.os_xml in the following order and all set to SUFFICIENT

<ldap id="OID" version="0">

<ldap id="MyAD" version="0">

<ldap id="DefaultAuthenticator" version="0">

5.  testuser_oid and testuser_both in OID are assigned OIDGroup1

6.  testuser_ad and testuser_both in AD are assigned ADGroup1

B.  The following behavior is observed when logging into CS native UI.

1. If a username (e.g., testuser_ad) is only in AD and not in OID , then they are getting their assigned groups from AD.

2. If a username (e.g., testuser_oid) is only in OID and not in AD, then they are getting their assigned groups from OID.

3. If a username (e.g., testuser_both) are in OID and AD, then they are getting their assigned groups from first provider in WebLogic Server (WLS) Console (i.e., OID)

4. However, if the OID provider is deleted and added again (e.g., NewOID) as first provider, then testuser_both is getting authorized with the second provider (e.g., AD ).

Also, testuser_oid is still authorized with OID and testuser_ad is still authorized with AD as expected.

Reviewed WLS console and config.xml and verified providers were in the following order:  OID, AD, Default

Looked at adapters.os_xml and found the providers in the following interesting order:

   <ldap id="MyAD" version="0">

   <ldap id="DefaultAuthenticator" version="0">

   <ldap id="NewOID" version="0">

5. As a test, the adapters.os_xml was manually modified to move NewOID to the top.  The provider order in adapters.os_xml was the following afterwards: OID, AD, Default.  Then, restarted AdminServer and managed servers. 

 Logged into CS native UI as testuser_both and the user was authorized with the first provider OID.

Changes

In WLS Console, deleted the first provider and added it again at later date.  Reordered the providers and set it as the first LDAP provider again. 

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.