Tuesday 31 March 2015

Enterprise Manager Cloud Control (OEM) ldap service test

An ldap service test in OEM

Strangely, a straightforward LDAP service test fails consistently, with "LDAP Address Search Failed. invalid attribute description" as the result of the test.

Enabling tracing on the OID reveals something strange: it doesn't actually honor the LDAP search filter, or so it seems with the default test. I always see:

INFO :gslfseADoSearch BASE = cn=Users,dc=svb,dc=org FILTER = (objectclass=*) #REQDATTR = 0 SCOPE = 0 REQDATTRS = TIMELIMIT = 0 SIZELIMIT = 0 DEREF = 3

Even though we entered a completely different search filter, e.g. "(&(cn=orcladmin))".

Problem

What the test performs is not an ldapsearch followed by an ldapcompare. If that is the case, perhaps we should not have it search at all, and instead make the search base the object itself. That is, we do not start a search at base "cn=Users, dc=example, dc=com" for object "cn=orcladmin"; we start the search at base "cn=orcladmin, cn=Users, dc=example, dc=com". Then the filter doesn't matter, as the search will never return more than one entry, so no filtering is required.

Solution

LDAP Search Filter => mail=orcladmin
LDAP Search Base  => cn=orcladmin, cn=Users, dc=example, dc=com
LDAP Compare Attribute Name => uid
LDAP Compare Attribute Value => orcladmin

And then if we verify the service test, we get a "success".
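The trace line quoted earlier in this post can be checked mechanically. The following Python sketch is an added example, not part of the original post or of any Oracle tooling: it splits the gslfseADoSearch line into fields and compares the filter the server received with the one configured in the test. It assumes OID logs SCOPE and DEREF as the numeric LDAP protocol values from RFC 4511, and the function names are hypothetical.

```python
import re

# Search scope and alias-dereference codes as defined for LDAP in RFC 4511.
# Assumption: the OID trace logs these protocol values unchanged.
SCOPE = {0: "base", 1: "one", 2: "sub"}
DEREF = {0: "never", 1: "searching", 2: "finding", 3: "always"}

# Field names as they appear in the trace line; values may contain "=" themselves.
FIELD = re.compile(
    r"(BASE|FILTER|#REQDATTR|SCOPE|REQDATTRS|TIMELIMIT|SIZELIMIT|DEREF) =")

def parse_search_trace(line):
    """Split a gslfseADoSearch trace line into its KEY = value fields."""
    marks = list(FIELD.finditer(line))
    fields = {}
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        fields[cur.group(1)] = line[cur.end():end].strip()
    return fields

def normalise(ldap_filter):
    """Lower-case and drop whitespace so filters can be compared as text."""
    return re.sub(r"\s+", "", ldap_filter).lower()

def review(line, configured_filter):
    """Report what the server was asked versus what the test was configured with."""
    f = parse_search_trace(line)
    return {
        "base": f["BASE"],
        "scope": SCOPE.get(int(f["SCOPE"]), "unknown"),
        "deref": DEREF.get(int(f["DEREF"]), "unknown"),
        "filter_sent": f["FILTER"],
        # Textual comparison only, not a semantic LDAP filter comparison.
        "filter_honoured": normalise(f["FILTER"]) == normalise(configured_filter),
    }

# Trace line quoted in the post above.
TRACE = ("INFO :gslfseADoSearch BASE = cn=Users,dc=svb,dc=org FILTER = (objectclass=*) "
         "#REQDATTR = 0 SCOPE = 0 REQDATTRS = TIMELIMIT = 0 SIZELIMIT = 0 DEREF = 3")

if __name__ == "__main__":
    for key, value in review(TRACE, "(&(cn=orcladmin))").items():
        print(f"{key:16} {value}")
```

Under that assumption, SCOPE = 0 decodes to a base-scope search, which reads only the entry named by the search base and fits the workaround of pointing the base at the user entry itself.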

Thursday 12 March 2015

Cannot change WebCenter Spaces role memberships #2

To complement my earlier posting, Cannot change WebCenter Spaces role memberships, Support finally came around to confirm the issue.

It is raised as Bug 20662946: IF UNIQUEMEMBER OF A USER IN A ROLE IS DELETE ERRORS OCCUR IN WCP

Abstract:
The WebCenter role membership object in OID uses the uniquemember attribute to keep track of its members. The formatting of uniquemember is not compliant with the specification, as it should have been the RDN of the user.
Due to the invalid RDN formatting, the uniquemember is identified as a dangling (orphan) attribute by the OID diagnostics tool, which, if the tool is run with the fix option enabled, can lead to a broken WebCenter where memberships can no longer be modified.
