OPSS: How to Grant a Specific Group to a Weblogic Domain Role Using DN (Distinguished Name) Instead of CN (Common Name) ? (Doc ID 2858916.1)

Last updated on MARCH 01, 2023

Applies to:

Goal

There was a limitation in OPSS in the way that entries as LDAP user or groups are uniquely identified. This is done using CN (common name) which is a common name in LDAP Servers and not unique attribute as DN (Distinguished Name).
This affects in LDAP entries that have same name (common name). So, OPSS is not able to unique identify the group as both groups uses same name.

Taken reference "2 OPSS Security Store WLST Commands".

Release 12.2.1.4:
Fusion Middleware WLST Command Reference for Infrastructure Security
2 OPSS Security Store WLST Commands
grantAppRole and revokeAppRole

Lets take next sample with two groups in LDAP Server (OUD sample) with same group name "cn=Admin".

One is defined under "ou=IT,ou=Groups,dc=<DC3>,dc=<DC2>,dc=<DC1>".

Second defined under "ou=HR,ou=Groups,dc=<DC3>,dc=<DC2>,dc=<DC1>". As shown on next images:

cn=Admin,ou=HR,ou=Groups,dc=<DC3>,dc=<DC2>,dc=<DC1> group:

cn=Admin,ou=IT,ou=Groups,dc=<DC3>,dc=<DC2>,dc=<DC1> group:

So, based on this LDAP/group structure commands (grantAppRole and revokeAppRole) cannot identified if grant/revoke will apply on which specific "Admin" group.

For sample: grantAppRole

grantAppRole(appStripe="<APSSSTRIPE>", appRoleName="<APP_ROLE_NAME>",principalClass="weblogic.security.principal.WLSGroupImpl",principalName="Admin")

grantAppRole(appStripe="<APSSSTRIPE>", appRoleName="<APP_ROLE_NAME>",principalClass="weblogic.security.principal.WLSGroupImpl",principalName="Admin")

This technical note guides to use group DN(Distinguished Name) which is unique in the LDAP structure, so grant/revoke can implement over specific group not matter there are two o more grous with same CN (Common Name).

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.