OUD Virtual Attributes are not Merged when a user is a Member of Several Groups (Doc ID 2928260.1)

Last updated on MARCH 06, 2023

Applies to:

Oracle Unified Directory - Version 12.2.1.4.200827 and later
Information in this document applies to any platform.

Symptoms

Multiple virtual attributes are created to assign various "ds-privilege-name:values" to various groups. It is found that if a user is a member of several groups then only one set of virtual attributes will be assigned.

Example:

1) Create first virtual Attribute with:
"attribute-type: ds-privilege-name"


2) and values:
"ldif-import" & "ldif-export;" <<--if the semi-colon is not actually part of the command, then remove it


3) then assign to:
"group-dn: cn=ldifPriv,ou=groups,c=COUNTRY"

4) Create second virtual Attribute with:
"attribute-type: ds-privilege-name"


5) and values:
"backend-backup & backend-restore;" <<--if the semi-colon is not actually part of the command, then remove it


6) and assign to:
"group-dn: cn=ServPriv,ou=groups,c=COUNTRY"

If a user is a member of "cn=ldifPriv,ou=groups,c=COUNTRY" AND "cn=ServPriv,ou=groups,c=COUNTRY", it is expected that the user should get a UNION of all the virtual attributes (ds-privilege-name) with values: ldif-import, ldif-export, backend-backup & backend-restore.

Instead, the user is assigned virtual attributes based only on the first group that applies. This user will only get the ldif-import & ldif-export privileges.

There is no apparent conflict which would preclude the multiple virtual attributes from being active concurrently.
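
To find which accounts are affected, the following added example (not part of the Oracle document) compares each user's observed ds-privilege-name values with the union expected from group membership. The user entries are constructed sample data, and reading group membership from isMemberOf in the search output is an assumption.

```python
# group-dn -> values, taken from the two virtual attributes in the example above
RULES = {
    "cn=ldifPriv,ou=groups,c=COUNTRY": {"ldif-import", "ldif-export"},
    "cn=ServPriv,ou=groups,c=COUNTRY": {"backend-backup", "backend-restore"},
}

# Constructed ldapsearch-style output; user DNs and isMemberOf are assumptions.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,c=COUNTRY
isMemberOf: cn=ldifPriv,ou=groups,c=COUNTRY
isMemberOf: cn=ServPriv,ou=groups,c=COUNTRY
ds-privilege-name: ldif-import
ds-privilege-name: ldif-export

dn: uid=bob,ou=people,c=COUNTRY
isMemberOf: cn=ServPriv, ou=Groups, c=COUNTRY
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
"""

def norm_dn(dn):
    """Simplified DN comparison key: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Yield (dn, {attr: set(values)}) per entry; folded lines are rejoined."""
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), set()).add(value.strip())
        if "dn" in attrs:
            yield attrs.pop("dn").pop(), attrs

def audit(text, rules=RULES):
    """Return {user_dn: sorted missing privileges} for under-privileged users."""
    by_group = {norm_dn(g): v for g, v in rules.items()}
    findings = {}
    for dn, attrs in parse_ldif(text):
        expected = set()
        for group in attrs.get("ismemberof", ()):
            expected |= by_group.get(norm_dn(group), set())
        missing = expected - attrs.get("ds-privilege-name", set())
        if missing:
            findings[dn] = sorted(missing)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

Base64-encoded values (`attr:: ...`) are not decoded by this parser; export plain-text values when collecting the input.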

Cause
