This section describes how to configure and link the SQL repository definition file, userProfile.xml, and the LDAP repository's ldapUserProfile.xml file for the purpose of creating an LDAP-based user directory.
1. Set up implicit repository linking for the two repositories. Implicit linking is a technique in which linked profile items share a unique property in both repositories, and linking is performed dynamically through code. In early versions of the Personalization module, implicit linking was the recommended technique for splitting profile data among repositories of different types; in ATG 6 and later, this technique was superseded by the composite repository configuration described in Setting Up a Composite Profile Repository. Using implicit linking is still required, however, if you want to set up an LDAP-based user directory, and information about it is included in this manual for that purpose.

Follow the directions in Linking SQL and LDAP Repositories. In particular, make sure you perform the steps in the subsection Configuring Personalization Module Components for Linked Repositories.
2. Follow the directions exactly to set up the user view.

3. Determine the attributes you will use as the entryId and parentId LDAP attributes. These must be attributes that exist in one of the object classes given as the object classes of a user. For example, the default LDAP repository implementation shows that a user has the object classes top, person, organizationalPerson, and inetOrgPerson. Pick or create an attribute in one of these object classes to act as an entryId. Do the same thing for parentId.

The parentId attribute holds the entryId of an object's parent object. For example, assume that the organizational unit People (ou=People,dc=atg.com) has the entryId 4. Also assume there is a user in the People organization whose userid is johnq. Johnq will have an entryId of 5, for example, and a parentId of 4. Make LDAP properties out of these attributes (see example).

Note: In some directory servers, this relationship is already set up. However, you may not be able to find entryId and parentId as attributes of any object class. The process described here should work successfully regardless of whether you can find the attributes.

If this relationship is not already defined in your brand of directory server, follow the instructions above to add the necessary attributes to your schema. Then set the values of those attributes for each organization and user that you want to expose in your Oracle Commerce Platform environment. Make sure that the values set up the relationship pattern outlined above: the root organizational unit has a particular entryId and an empty parentId. Then, all child organizational units and users of the root organization have unique entryIds and a parentId that is the same as the root organization's entryId.
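The following Python check is an added example, not part of this guide or the Oracle Commerce Platform code: it reads a small LDIF export (constructed here to match the People/johnq example) and reports any entry that breaks the entryId/parentId pattern described above. The attribute names entryId and parentId are the ones assumed throughout this step.

```python
import re

# Constructed sample LDIF (not a real export) following the pattern on this page:
# the root OU has an entryId and no parentId; each child carries the root's entryId.
SAMPLE_LDIF = """\
dn: ou=People,dc=atg.com
objectClass: organizationalUnit
ou: People
entryId: 4

dn: uid=johnq,ou=People,dc=atg.com
objectClass: inetOrgPerson
uid: johnq
entryId: 5
parentId: 4
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict (lower-cased attribute -> values) per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_link_pattern(entries, root_dn):
    """Return a list of problems; an empty list means the entryId/parentId pattern holds."""
    by_dn = {e["dn"][0].lower(): e for e in entries}
    root = by_dn.get(root_dn.lower())
    if root is None:
        return [f"root {root_dn} not found"]
    first = lambda e, a: e.get(a, [""])[0]  # first value of an attribute, "" if absent
    root_id = first(root, "entryid")
    problems = [] if root_id else ["root has no entryId"]
    if first(root, "parentid"):
        problems.append("root parentId must be empty")
    seen = {}
    for dn, entry in by_dn.items():
        entry_id = first(entry, "entryid")
        if not entry_id:
            problems.append(f"{dn}: missing entryId")
        elif entry_id in seen:  # entryIds must be unique across the exposed tree
            problems.append(f"{dn}: entryId {entry_id} duplicates {seen[entry_id]}")
        seen[entry_id] = dn
        if dn != root_dn.lower() and first(entry, "parentid") != root_id:
            problems.append(f"{dn}: parentId should be {root_id}")
    return problems
```

Run it against a real export before exposing the tree to the Oracle Commerce Platform; an empty list means the root and its children are linked as the step requires.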
4. Turn the default organization SQL item descriptor into a linked item descriptor. Do this by using XML combination to add a new property, ldapOrganization, to the organization item descriptor. This property looks very much like the sample ldapUser property described in Linking SQL and LDAP Repositories.

Also, you must add a new view called organizationalUnit to the ldapUserProfile.xml file. See the sample userProfile.xml below for details. This configuration is produced by using the example in Linking SQL and LDAP Repositories as a model and substituting the organization item descriptor for user in the instructions.

5. Pick a particular item descriptor in the LDAP repository which represents an LDAP organization.

Note: There is sometimes more than one object class that represents an organization in an LDAP system. For example, some people consider a domain to be a type of organization (dc=atg.com). In addition, a typical LDAP installation contains the object classes organization and organizationalUnit. As an Oracle Commerce Platform installation uses only one item descriptor for all organizations, there can be only one LDAP object class which represents implicitly linked organizations. The default is organizationalUnit, as this is the most commonly used LDAP organizational structure. Note that the root organization must also be an organizational unit. organizationalUnit is the default in the installation, but you can select any one object class to represent organizations in LDAP. Unfortunately, you cannot use your domain as your root organization for the reasons listed above. The key point is that there can be only one object class which corresponds to an organization in the Oracle Commerce Platform.

6. Make sure there is a root organization in the Oracle Commerce Platform that is linked to your chosen LDAP root organization. This step needs to be performed only if
useGSARepositoryIdAsPrimaryKey is true (see the description of the ProfileUserDirectory component, and the important notes that follow it, for more information). If useGSARepositoryIdAsPrimaryKey is false, the SQL repository root organization will be created for you the first time it is accessed.

If no root organization exists in your SQL repository, create an organization item whose uniqueIdPropertyLocal property value matches the uniqueIdPropertyRemote property value of the LDAP repository item that corresponds to your chosen LDAP root organization. See Linking SQL and LDAP Repositories for explanations of these terms.

Example: Assume you pick the organization with the DN "ou=People,dc=atg.com" in LDAP as your root LDAP organization. You've set up your LDAP repository's organization item descriptor to have a property, name, that corresponds to the LDAP attribute ou. If you used the instructions here as a guide, you would have an item in the organizationalUnit item descriptor of your LDAP repository whose name is People. You would also set up your SQL repository organization item descriptor to have a property named ldapOrganization that is a RepositoryLinkPropertyDescriptor. In the example, the uniqueIdPropertyLocal is name, and the uniqueIdPropertyRemote is also name. In order to link a SQL repository item with the previously mentioned LDAP item, all you would have to do would be to create a SQL repository organization item whose name is People. The RepositoryLinkPropertyDescriptor does the rest.

If there is a pre-existing root organization in your SQL repository, modify the default root organization to point to the LDAP root organization. The following steps show how to modify the default root organization:

a. In the ACC, select People and Organizations > Profile Repository.
b. Perform a query for items of type Organization.
c. Edit the organization with the ID root, changing its name property to the name of your selected LDAP root organization, for example People.

Alternatively, use a SQL editor to change the entry in the dps_organization table whose org_id is root. Change the name property to People.

7. Make sure your LDAP database is using a password encryption scheme supported by the NDSPasswordHasher component. In addition, make sure that the passwordHasher property of the PropertyManager component points to the NDSPasswordHasher component as follows:

passwordHasher=/atg/adapter/ldap/NDSPasswordHasher

Then set the encryption property of this component to the appropriate value (clearText, SHA, or SSHA), for example:

encryption=SSHA
Notes:
If you change your password encryption scheme, you must then regenerate the passwords for all existing users in your LDAP database. This is because all existing users already have their passwords stored in the database and encrypted with the old scheme.
If you use an LDAP server other than Oracle Directory Server, you must create and configure a custom password hasher component rather than using NDSPasswordHasher. For more information, see LDAP Password Encryption in the LDAP Repositories chapter of the Repository Guide.
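The Python functions below are an added example, not code from this guide or from the NDSPasswordHasher component: they build and verify userPassword values in the three schemes the encryption property accepts (clearText, SHA, SSHA) and list the entries whose stored scheme no longer matches the configured one, which is why passwords must be regenerated after a scheme change. The RFC 2307 layout of {SSHA} (20-byte SHA-1 digest followed by the salt) and the sample DNs are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Values as stored in the LDAP userPassword attribute (RFC 2307 style, assumed here):
# {SSHA} = base64(sha1(password + salt) + salt); {SHA} = base64(sha1(password));
# a value with no prefix is treated as clearText.

def make_ssha(password, salt=None):
    """Produce a {SSHA} value; an 8-byte random salt is used unless one is given."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def make_sha(password):
    """Produce an unsalted {SHA} value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def scheme_of(stored):
    """Report which of the three schemes a stored value uses."""
    if stored.startswith("{SSHA}"):
        return "SSHA"
    if stored.startswith("{SHA}"):
        return "SHA"
    return "clearText"

def verify(password, stored):
    """Check a candidate password against a stored value using constant-time comparison."""
    scheme = scheme_of(stored)
    if scheme == "SSHA":
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
        calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)
    if scheme == "SHA":
        return hmac.compare_digest(make_sha(password).encode("ascii"), stored.encode("utf-8"))
    return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))

def entries_needing_rehash(entries, configured="SSHA"):
    """Given (dn, userPassword) pairs, return the DNs whose stored scheme differs from
    the encryption value now configured: these users' passwords must be regenerated."""
    return [dn for dn, stored in entries if scheme_of(stored) != configured]
```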