12 Oracle JCA Adapter for LDAP

The Oracle LDAP adapter provides bi-directional connectivity with LDAP V3- compliant directory servers. The chapter provides information on how to model the LDAP adapter as a reference to perform CRUD (Create, Read, Update and Delete) operations and how to model the LDAP adapter as an inbound publication service on a directory server. Information describing various users, applications, files, printers, and other resources accessible from a network is often collected into a special database called an LDAP directory. Access to LDAP directories is a basic requirement of enterprise workflows. The LDAP Adapter Configuration Wizard provides a graphical and intuitive interface to model LDAP services to send requests to and receive responses from LDAP servers.

Figure 12-1 LDAP Adapter Architecture Diagram

Figure 12-1 illustrates how the Oracle LDAP Adapter exposes synchronous and asynchronous service interfaces that can be used to execute CRUD operations on a target directory server. It illustrates how the Oracle LDAP Adapter can poll for change events from a source directory server and publish these events, thereby acting as a publication service. The LDAP Adapter also provides a DSML synchronous service which takes a DSMLv2 request, executes it on the target directory server and returns the DSMLv2 response.

The LDAP Adapter provides an extensive solution for configuring and connecting to the LDAP Server in a SOA SCA environment. The runtime component provides physical connectivity to the external LDAP Server. It can act as a reference, supporting Outbound services sending requests to the LDAP Server. It can also act as a service, supporting Inbound Services polling to change events on the LDAP Server.

This chapter includes the following sections:

12.1 LDAP Concepts

LDAP (Lightweight Directory Access Protocol), is an Internet protocol for accessing information directories. A directory service is a distributed database application designed to manage the entries and attributes in a directory. LDAP runs over TCP/IP. LDAP enables clients to access different directory services based on entries. It makes the entries, along with their attributes and values, available to users and other applications, on a controlled-access basis.

The Oracle Adapter for LDAP provides rich support for LDAPv3 defined operations in addition to support for extensions. It also supports DSMLv2 and can be used as a DSML gateway service. The adapter can be configured to listen and publish change events from a source directory server. In addition, the adapter guarantees once and only once message delivery, high-availability, policy-based retry and fault-handling, automatic fail-over and several other features.

12.1.1 LDAP Entries, Attributes and Values

An LDAP directory contains entries that contain information pertaining to an entity. Each of the entry's attributes has a name and one or more values. The names of attributes are most often mnemonic strings, such as cn for common name, or mail for email address. For example, a company might have an employee directory. Each entry in the employee directory represents an employee. The employee entry contains such information as the name, e-mail address, and phone number. See the following example:

cn: John Doe
mail: johndoe@mydomain.com
mail: jdoe@mydomain.com
telephoneNumber: 471-6000 x.1234

Each part of the descriptive information, such as an employee's name, is known as an attribute. In the example, the Common Name (cn) attribute, represents the name of the employee. The other attributes are mail and telephoneNumber.

Each attribute can have one or more values. For example, an employee entry can contain a mail attribute whose values are johndoe@mydomain.com and jdoe@oracle.com. In the previous example, the mail attribute contains two mail values.

12.1.2 LDAP Directory Structure

The organization of a directory is a tree structure. The topmost entry in a directory is known as the root entry. This entry normally represents the organization that owns the directory.

Entries at the higher level of hierarchy represent larger groupings or organizations. Entries under the larger organizations represent smaller organizations that make up the larger ones.

The leaf nodes (or entries) of the tree structure represent the individual persons or resources.

12.1.3 Distinguished Names and Relative Distinguished Names

An entry is made up of a collection of attributes that have a unique identifier called a distinguished name (DN). A DN consists of a name that uniquely identifies the entry at that hierarchical level.

In the example below, John Doe and Jane Doe are different common names (cn) that identify different entries at that same level.

A DN is also a fully qualified path of names that trace the entry back to the root of the tree. For example, the distinguished name of the John Doe entry is:

 cn=John Doe, ou=People, dc=mydomain.com

A relative distinguished name (RDN) is a component of the distinguished name. For example, cn=John Doe, ou=People is a RDN relative to the root RDN dc=mydomain.com.

DNs are used to describe the fully qualified path to an entry while an RDN is used to describe the partial path to the entry relative to another entry in the tree.Figure 12-2 illustrates an example of an LDAP directory structure with distinguished names and relative distinguished names.

Figure 12-2 The LDAP Hierarchy Tree

12.1.4 LDAP Service and Service Client

A directory service is a distributed database application designed to manage the entries and attributes in a directory. A directory service also makes the entries and attributes available to users and other applications. The Oracle Internet Directory server is an example of a directory service. Other directory services include Oracle Directory Server Enterprise Edition and Microsoft Active Directory.

A directory client accesses a directory service using the LDAP protocol. A directory client can use one of several client APIs available in order to access the directory service.

12.1.5 Referrals

The Oracle LDAP Adapter APIs query the results of a search based unspecified referral criteria. The search results can consist of a number of referrals.A referral is an entity that is used to redirect a client's request to another server. A referral contains the names and locations of other objects.

For example, an LDAP server sends a referral to the client to indicate that the information that the client has requested can be found at another location (or locations), possibly at another server or several servers.

The referral contains the URL of the LDAP server that holds the actual entry. The LDAP URL contains the server's host/port and an object's DN.

12.1.6 Aliases

The Oracle LDAP Adapter APIs query the results of a search based on specified alias dereferencing criteria.

An alias is an entity that is used to define the position of an entry within the current Directory Information Tree. An alias holds the DN of the entry that contains the information.

12.2 LDAP Adapter Configurations

The section given an overview of various LDAP Adapter configurations.

12.2.1 Controls

Controls provide a mechanism for extending existing operations in LDAP. Controls can be passed along with request operations in the LDAP adapter.

If included with the operation request message, you can use control information to provide additional information about the way the operation should be processed. Request Control Format

The format of a request control is name-criticality-value tuples:


controlName|controlOid is the unique name/oid of the control that must be passed along with a request operation.

criticality is a boolean attribute that signifies the behavior if the control passed along with a request is not supported by the target directory server.You can optionally provide a value string that represents values that can be passed to a request control. LDAP Control Restrictions

There are several restrictions in using LDAP controls with the LDAP Adapter:

  • An unsupported control with criticality as true raises an exception and the LDAP operation is not executed on the target directory server.

  • Controls that are only applicable to an operation are executed. If not applicable, then the controls passed along with the operation are ignored.

  • Some controls are only applicable to a single operation whereas some controls are relevant to multiple operations. For example, subtreeDeleteRequestControl is only applicable to the delete operation whereas assertionRequestControl is applicable to all operations.

  • Controls that are not understood by the LDAP Adapter are treated as generic. The behavior of such controls is not well defined.

  • Only request controls are supported. The LDAP Adapter does not support Response controls.

See Table 12-1 for a list of Directory Servers, controls and LDAP Adapter operations.

Table 12-1 Supported Directory Server Controls and LDAP Adapter Operations

Operations Controls (Name) Controls (OID) Microsoft Active Directory ODSEE(Oracle Directory Server Enterprise Edition) OID




Not Supported











Not Supported


Not Supported




Not Supported

Not Supported

Not Supported











Not Supported

Not Supported











Not Supported

Not Supported








No control listed in wizard




- Non Default Control Configuration for Design Time Wizard

The LDAP Adapter configuration wizard enables you to attach request controls along with an operation.The Attach Control screen operates in the following manner:

  • By default, only the controls applicable to an operation and supported by the connected directory server are listed in the wizard.

  • Example: assertionRequest and SubtreeDelete are controls applicable to the delete operation; but if the target directory server does not support the subtree delete operation, only the assertionRequest is listed.

  • You can choose to add from other supported controls. These controls are treated as generic and you should test these controls thoroughly as the runtime behavior of these controls is not well-defined. Control Availability

By default, only a few frequently used control names are displayed within the LDAP Configuration Wizard. If you want the Wizard to display the control names for non-named controls, you must follow these manual steps to update control definitions and provide the appropriate names and details.

  1. In a terminal window, change to the SOA Adapters JDeveloper plugin library directory:
    cd <install-dir>/soa/plugins/jdeveloper/integration/adapters/lib
  2. Unjar the LDAP Adapter jar.
    cd <install-dir>/soa/plugins/jdeveloper/integration/adapters/lib oracle/tip/adapter/ldap/config/control-oid.properties 
  3. Edit oracle/tip/adapter/ldap/config/control-oid.properties to provide the control and relevant details you want to provide.
  4. Jar the file up again to include the changes.
    jar -uvf LdapAdapter.jar  oracle/tip/adapter/ldap/config/control-oid.properties
  5. Restart JDeveloper.

12.2.2 LDAP Browser

Use the LDAP Browser Page to show the Directory Information Tree (DIT). The Browser is called from LDAP Configuration Adapter wizard when you select Browse. See Figure 12-3.

Figure 12-3 The LDAP Browser Shown in Context

To choose an entry, select the entry in the DIT and click the OK button. The selected entry is used further in the LDAP Adapter Configuration wizard as a baseDN for a Search operation you perform, the Entry Change Notification operation or as a template for the Add operation. Attribute Viewer

To see attributes related to an item, double-click the selected entry.

The Attribute viewer displays in a two-column layout. The left column contains the attribute descriptions (or names), the right column contains the attribute values. Each line represents a name-value pair. The section immediately previous, the attributes table displays the distinguished name of the current entry. See Figure 12-4.

Figure 12-4 The LDAP Configuration Wizard Browser Attribute Viewer

The directory information tree of the LDAP directory is displayed in its natural hierarchical structure. The first hierarchy level contains the base entries. When expanding an entry its direct children are fetched from directory. While browsing the directory, the LDAP Browser attempts to find if a fetched entry has children. Entries without children cannot be expanded.

By default, large browse results are folded into virtual folders each with 100 entries. The displayed tree is thus smaller. The number of fetched items is limited by 1000 items for performance improvements. To operate with folders with over 1000 records you can use the Search operation. See Figure 12-5.

Figure 12-5 The LDAP Adapter Configuration Wizard LDAP Browser Directory Folding

The Search operation is an alternative approach that you can use when browser does not load the expected entries.You can search the DIT by specifying a single search attribute and value. The search is processed over the whole subtree. There is no limitation on the quantity of search results.

In the left combo-box. you can select the Search attribute from the list of commonly used attributes: cn, givenName, mail, member, objectClass, sn, telephoneNumber, uniqueMember.

Use the option Groups to specify that the Search is processed among the entries that are groups.

Use the option Users to indicate that the search are processed among the entries that are persons, accounts, or users.

Enter the search value in the right input field. Use '*' as wildcard as needed.

Figure 12-6 LDAP Configuration Wizard Browser Showing Supplying a Wildcard to the Search Operation within the LDAP Browser

To start the search operation, select the green triangle button on the right side.In the left combobox, select FilterType.LDAPFilter to set the LDAP search filter in the right field manually.

Figure 12-7 LDAP Configuration Wizard Browser Showing Supplying a Filter to the Search Operation within the LDAP Browser

12.3 Oracle LDAP Adapter Features

The LDAP protocol and the LDAP adapter provide fast read-access to directory information.

The LDAP Adapter supports both inbound and outbound messages and includes the following features, as detailed in this section:.

12.3.1 Configuring the LDAP Adapter

You use the LDAP Configuration Wizard to configure the LDAP Adapter, to model LDAP services through contextual options and browsing on the LDAP directory schema. The LDAP Adapter wizard requires a connection to the target LDAP directory server which can you configure in the following manner.

  1. Drag and drop the LDAP Adapter component from the Components window to the Exposed Services or to the External References swimlane. The LDAP configuration wizard Welcome and Service name screen appears.
  2. The Welcome and Service Name screen appears. Enter the name of a service. Click Next. The Service Connection screen appears

    If a connection is not available, use Create New Connection to create a new Connection. Figure 12-22 LDAP Adapter Configuration Wizard Service Connection Screen,

  3. The Create a New Connection dialog allows a user to connect to the target LDAP server.

    On this screen, you can supply the Network parameters required to reach the target directory server. Enter the following:

    • Connection name: String value to bind this connection with which to bind this information.

    • Connection type: Currently only LdapV3 is supported (which is the default.)

    • Host name: name or the IP address of the machine where the LDAP server is running.

    • Port: Where the LDAP service is running.Use the SSL port if the encryption method is SSL.

    • Encryption method:

      • No encryption: Unencrypted channel.

      • use ssl: SSL connection.

      • use startTLS: Secure channel over an unencrypted connection.

      • Truststore: Path of the trust store that are used for server authentication.

      • Truststore password: Password to access the truststore.

      Authentication parameters to bind to the given directory server.

      • Anonymous: Bind anonymously to the directory server to which the network parameters point. Note, you must enable anonymous bind on the target directory server, which is a non-default configuration on most LDAP servers.

      • Simple Authentication: Username/password authentication.

      Test connection. Test the connection configuration in the LDAP Adapter Configuration wizard. Test connection establishes a connection to the directory server with the configured network parameters and binds to the directory server using the configured authentication parameters.

12.3.2 JNDI Connection Pool Properties for the LDAP Adapter

Table 12-2 provides JNDI connection pool properties for the LDAP Adapter.

Table 12-2 JNDI Connection Pool Properties for the LDAP Adapter

Property Name Description Default Required


Distinguished Name required to bind to directory server. Example, cn=orcladmin

cn=Directory Manager

Yes (Needed when using an authentication method other than anonymous.)


Host name of the directory server.




JNDI string location pointing to a valid XA data source. Example: jdbc/SOADataSource


Yes (if the LDAP Adapter has to be used on the inbound direction.)


Sets the operation timeout. If the response is not received from the directory server in the timeout period, the operation is abandoned and an exception is raised. Example: 1000




Password of the directory server.


Yes (Needed when using an authentication method other than anonymous.)


Port on which directory server is running..




Host name of the directory server.




Port where the LDAP service is running.




SecurityProvider is the provider url which the SSL context should use. Example: ldaps://myhost.example.com:636




Key management protocol. Example: SSLl


No, required only if useSSL or startTLS is selected.


 If set to true, the client blindly trusts any certificated that the server might present.


No, required only if useSSL or startTLS is selected. Set this to false if server certificate has to be validated with truststore.


Specifies the password needed to access the trust store contents.




Specifies file system path to the trust store file that the client uses for server authentication.


No. required only if SSL or startTLS is used.

trustStoreProvider Name

The Java provider name. Example: JKS


No, required only if SSL or startTLS is used.


Specifies if a secure channel must be established




Specifies if startTLS might be turned on for secure communication later on within a plain non-ssl connection.


No, do not set this to true when useSSL is set to true. This need to be enabled when non-ssl plain port is used for server connection.


Replace the default values with the actual values that you got from the supported target directory server installations and redeploy LdapAdapter with the updated deployment plan.

12.3.3 Outbound Operations

The LDAP Adapter supports the following operations outbound from the LDAP Adapter.

  • Add

  • Delete

  • Modify

  • ModifyDN

  • Compare

  • Search

  • DSML


The LDAP Adapter does not provide any transaction support for outbound operations. Add Operation

The Add operation adds an entry with a given DN and a set of attributes. It returns an error if the entry to add already exists, or if the given operation could not be completed.

To use the LDAP Configuration Wizard Add operation:

  1. Select the Add Operation from the Operation Type Screen. The LDAP Adapter Configuration Wizard Add Screen appears.

    Figure 12-8 The LDAP Adapter Configuration Wizard Add Screen

  2. Select either Use existing entry as a template, or Define structure of the entry to be added (the default). If you choose Use existing entry as a template, click the rectangle to the right to browse for an existing template. If you select Use existing entry as a template, all object classes and attributes of the existing entry are used to define the add request. You can add/remove objectclasses/attributes to modify the add request format.
  3. In the Select Object Class to Add section, the list on the left displays all the Object Classes to add. Select an object class to add in the column on the left and move to the right hand column. You can select one or more object classes. On Add, the selected object classes are displayed in the right. You can select object classes you want to remove by selecting and clicking the Remove arrow button for that class.
  4. You can select more attributes from the Attributes list. You can add mandatory attributes of the selected object classes to the selected attributes automatically. When you select of an item from the selected object classes, attributes belonging to that object class is displayed in the available attributes item list.

    Attributes that do not have any of the corresponding object classes included are automatically removed. You can remove attributes using the remove arrow button.

  5. The Add Suppress Entry Screen appears. Use the Add Suppress Entry Screen to ensure that if an entry exists, and if you are trying to add the entry again, you can suppress such errors.
  6. Click Next.
  7. The Finish screen displays the names of the LDAP Service WSDL, xsd and jca files. Delete Operation

The LDAP Delete operation deletes an entry with a given DN.You can optionally add controls along with the LDAP Delete request. The Delete operation returns an error if the given entry cannot be deleted or does not exist. It also returns an error if a critical control attached with the request message is not supported by the target Directory Server.

To use the Delete operation:

  1. Select the Delete Operation from the Operation Type Screen. The Delete (Suppress Entry) screen appears.

    Figure 12-9 The LDAP Adapter Configuration Wizard Delete Screen

  2. The Delete Screen appears. Select the Suppress entry doesn't exist checkbox if you do not want errors to appear if the entry to delete does not exist. Click Next.
  3. The Attach Controls screen appears. See Figure 12-10.

    The Attach Controls Screen provides you the ability to attach controls to provide additional constraints to the Delete operation. You can either Attach Controls or Click Next. If you want to attach controls, that are supported by LDAP Adapter and the target directory server, select the Is Attached check box, to include the control along with the delete request operation. If you need more information about controls, refer to the controls section of LDAP Adapter configurations.

    Figure 12-10 The LDAP Configuration Wizard Delete Attach Controls Screen Showing Delete Controls Added

  4. Click Next. The Finish screen displays the names of the LDAP Service WSDL, xsd and jca files. Modify Operation

The LDAP Modify operation alters an existing entry in the Directory Server.

Types of alterations performed with Modify include: Add, Delete, and Replace.

  • Add: Creates the attribute if it does not exist, and adds the specified values. If the attribute already exists, the specified value is added to the attribute values. The Add operation must contain at least one value, and all values of the attribute must be unique.

  • Delete: Deletes specified values from the attribute. If no values are specified, or if all existing values of the attribute are specified, the attribute is removed. Mandatory attributes cannot be removed.

  • Replace: Creates the attribute if necessary, and replaces all existing values of the attribute with the specified values. If you want to keep any existing values of a multi-valued attribute, you must include these values in the replace operation. A replace operation with no value removes the entire attribute if it exists, and is ignored if the attribute does not exist.No changes are made to the directory unless all the operations succeed. If the connection fails during a modification, it is unpredictable if the modification occurred.

To use the LDAP Configuration Wizard Modify operation:

  1. Select the Modify Operation from the Operation Type Screen. The Modify Operation screen appears.

    Figure 12-11 The LDAP Configuration Wizard Modify Select Object Classes Page

  2. Select from the list of Object classes on this page. From the list of Available attributes to Modify, select attributes that can be modified, and move them to Selected. You can also remove them from selected by using the left arrow key. Click Next.

  3. The Attach Controls Page appears. See Figure 12-12.

    Use the green plus to add custom controls, or controls provided by the target Directory Server. An example is shown below. Select controls needed, and provide values by entering in the Values column.


    Consult your target directory server documentation for supported controls. Check the relevant operation in this chapter before attaching a control. The LDAP Adapter might not support all controls supported by the target directory server.

    Figure 12-12 The LDAP Configuration Wizard Modify Attach Controls Page

  4. Click Next. The Modify Finish screen displays the names of the LDAP Service WSDL, xsd and jca files. ModifyDN Operation

The LDAP ModifyDN operation can be used to change the distinguished name of an entry in the Directory Server. It can also alter the RDN of the entry and/or it can move the entry below a new parent. If the target entry has subordinate entries, then it may be used to move or rename that subtree.

To use the ModifyDN operation:

  1. Select the ModifyDN Operation from the Operation Type screen.The LDAP Adapter Configuration Wizard ModifyDN Screen appears. See Figure 12-13.

    Figure 12-13 The LDAP Adapter Configuration Wizard ModifyDN Screen

  2. Select the Delete old RDN check box if you want to delete the old RDN. If you want to modify the DN, but do not want to delete the old RDN, do not check this box. Click Next after either choice.
  3. The Attach Controls page appears. See Figure 12-14.

    The Attach Controls screen provides you the ability to choose and attach controls to provide additional constraints to modifying the DN.

    Available controls are specific to your Directory Server. If you choose to attach controls, select the green plus symbol to add controls. Select controls you need, and provide values by entering them in the Values column. Consult your target Directory Server documentation for supported controls. Check the relevant operation in the “controls section of LDAP Adapter configurations” before attaching a control. The LDAP Adapter may not support all controls supported by the target directory server.

  4. When this chooser appears, you can either add controls that are supported by your target Directory Server, or you can add custom controls.

    Figure 12-14 LDAP Adapter Configuration Wizard Attach Controls Chooser Screen

  5. Choose either controls supported by the target Directory Server or a Custom Control.

    If you have chosen to attach controls, a page similar to the following appears, which shows both the custom new control and a control that matches those available on the Directory Server ("MatchedValues...") added as controls.

    Figure 12-15 LDAP Configuration Wizard Attach Controls Page

  6. Click Next.
  7. The Finish screen displays the names of the LDAP Service WSDL, xsd and jca files. Compare Operation

The LDAP Compare operation determines whether a specified entry contains a given attribute value.

To use the LDAP Adapter Compare Operation:

  1. Select the Compare Operation from the LDAP Adapter Operation Type screen.

    Figure 12-16 LDAP Configuration Wizard Operation Type Screen, showing Compare Selected

  2. Click Next.
  3. The Finish screen displays the names of the LDAP Service WSDL, xsd and jca files. Search Operation

The LDAP Adapter Search operation can be used to identify entries in the Directory Server that match a given set of criteria. It may return zero or more entries, and also zero or more referrals. The Search operation includes the following criteria.

  • The base DN, which specifies the location in the DIT in which to perform the search.

  • The search scope, which specifies the scope of entries at or below the base DN to consider when processing the search.

  • The dereference policy to use if any aliases are encountered during processing.

  • The size limit, which specifies the maximum number of entries that should be returned from the search (or –1 for no limits on the search results).

  • The time limit, which specifies the maximum length of time in seconds that the server should spend processing the search (or zero if there should not be a maximum number of entries).

  • The types only flag, which indicates whether the entries returned should include attribute types only or both types and values.

  • The search filter, which specifies the criteria to use to identify matching entries.

  • The search attributes that indicate which attributes should be included in matching entries

  • Controls you can attach along with the search request, and return an error if a critical control attached with the request message is not supported by the target Directory Server.


In the current version, binary types are not supported and attribute values are always encoded as utf8 Strings.

To use the outbound Search operation:

  1. Select the Search operation from the Operation Type screen. See Figure 12-17.

    Figure 12-17 LDAP Configuration Wizard Operation Type Page with Search Selected

  2. The LDAP Configuration Wizard Search Configuration Page appears. See Figure 12-18.

    Use the Search (Request Configuration) Page to provide search information relating to search scope, search referrals, and search alias dereferencing.

    Figure 12-18 The LDAP Adapter Configuration Search Configuration Wizard Search Request Configuration Page

  3. At the top of the screen, above the other sections, indicate the default search base and default search filter. Provide the search base in the Default Search base text box. Note that Default Search BaseDN and Default Search Filter are considered only when these attributes are not defined in the LdapSearchRequest.
    The following is added in Search Operation schema xsd.
    <element name="searchRequest">
    			<element name="baseDN" type="string" default="dc=oracle,dc=com"/>
    			<element name="searchFilter" type="string" default="(objectClass=*)"/>

    Select the Browse button to open the directory information tree browser dialog, which can help you specify a search base. See LDAP Browser for more information.

    This is the base DN that defines the source of events. Selecting this DN means you want to notify events under it.

  4. In the Default Search filter text box, supply a Search filter to filter the entries that can be returned for a search operation. The filter can be a string representation of a search filter.
  5. Search scope defines the Search scope within the tree. This has to be defined at service deployment to control any malignant search request from controlling server resources.

    Check with your Directory Server before using this option. Scope can be:

    • Whole subtree-Select this to indicate a scope of all entries within the subtree.

    • First child only-Select this to indicate a scope of one level below the search base only.

    • Root only-Select this to indicate one event only at the search base.

  6. The next section is Search Referrals. A referral is a response returned to the LDAP Adapter that instructs the Adapter to contact another LDAP server to perform the search operation the LDAP Adapter requested.

    In the Referrals section, select one of the following:

    • Ignore-Select to have the LDAP Adapter ignore the referral and returns whatever search operation on the local sever returned.

    • Throw Exception-Select to have the LDAP server not chase the referral, nor does it complete the search by returning results from the local server. Instead, the Server throws an exception on which an action can be initiated.

    • Follow-Select to follow a referral server. These are alternate locations where additional entries may be searched/matched as part of a search request. By default, the LDAP Adapter ignores all referral suggestions unless explicitly asked to follow or throw an exception. (This search can potentially take longer duration and should be a non-blocking activity.)

    • Hop Limit - Select to indicate number of alternate locations participating in search referral. This should be a positive integer. The default value is 1.

  7. The next section, which deals with the LDAP server behavior for handling alias entries while processing the search, specifically with dereferencing alias entries, is Search alias dereferencing. Select one of the following:
    • Never-Select this to indicate the server should not dereference any aliases that it encounters.

    • Searching- Select this to indicate that the server should dereference any aliases that it might encounter while examining candidate entries, but it should not dereference the base entry if it happens to be an alias entry.

    • Finding-Select this to indicate that the server should dereference the base entry if it happens to be an alias entry, but it should not dereference any alias entries that may be encountered while examining candidate entries.

    • Always-Select this to indicate that the server should dereference the base entry if the entry happens to be an alias entry, and should dereference any entries that might be encountered while examining candidates.

    Click Next to proceed to the next Page or Finish to finish the Search Operation configuration.

  8. If you clicked Next, the LDAP Search (Response Attributes) Page is displayed. See Figure 12-19.

    Use the Search (Response Attributes) Page to configure the Search operation response parameters, using the object classes available on the target LDAP Directory Server.

    Figure 12-19 The LDAP Adapter Configuration Wizard Search (Response Attributes) Page

  9. Select an object class or classes from the Available object classes list box, which displays all object classes available in the schema of the connected target Directory Server.
  10. All attributes belonging to the selected object class or classes are displayed in the Available attributes list box. Select from Available attributes and click the arrow to move an available attribute or attributes to Selected.

    If you selected more than one object class, the union of all the attributes are displayed; common attributes are not displayed twice.

    Figure 12-20 shows an example.

    Figure 12-20 LDAP Adapter Configuration Wizard Search (Response Attributes) Page Example Use

  11. Click Next. The Search Configuration Parameters Page appears. See Figure 12-21.

    Figure 12-21 The LDAP Adapter Configuration Wizard Search Configuration Parameters Page

  12. Indicate the following configuration parameters on this page:
    • Attributes Delimiter-Provide a string literal value to delimit the attributes selected by the user.

    • Time Limit-Maximum time the server should wait before returning the results. This is an integer value in seconds with default value as 0 for no time limit.

    • Size Limit-Maximum number of events or entries that could be returned in search results. This is an integer value with the default value as 1000. Set –1 for no limits on the number of events or entries in search results.

    • Types only-Select this checkbox if you want to return only the name of the attributes and not both names and values of attributes.

    Click Next to proceed to the next page.

  13. The Attach Controls Page is displayed. Here you can attach controls to provide further constraints to the LDAP Search Operation. Use the plus to add custom controls, or the controls provided by the target Directory Server. Attach controls that are needed, and provide values by entering in the Values column.


    Consult your target directory server documentation for supported controls. Check the relevant operation in the “controls section of LDAP Adapter configurations” before attaching a control. The LDAP Adapter might not support all controls supported by the target directory server.
  14. The Finish screen displays the names of the LDAP Service WSDL, xsd and jca files. DSML Operation

DSML operations express LDAP requests and responses as XML document fragments. Use the LDAP Adapter DSML screen to specify an execute a DSML request and to optionally enter a Maximum request size for that DSML request on the LDAP Operations Screen.

To use the DSML Execute Request:

  1. Specify DSML on the LDAP Operation Type Screen.

  2. The DSML Screen appears. See Figure 12-22.

    On this screen, optionally enter the Maximum DSML Request Size. Set this property if you want to control the maximum number of requests that can participate in a DSML batch request. The incoming DSML request is executed if and only if the total number of contained requests is less than this number.

    Figure 12-22 The LDAP Adapter Configuration DSML Configuration Page

  3. Click Next. The DSML Operation Finish screen appears, showing the LDAP WSDL, jca and xsd files.

12.3.4 Inbound LDAP Adapter Features

The LDAP Adapter supports publishing events from a Directory Server. Specifically, it supports one way inbound interactions, asynchronous event publishing from the directory server through the asynchronous notification model.

The LDAP Adapter listens for events such as addition, deletion, or modification of an entry in the directory information tree and publishes such events. The LDAP event consumer singleton connects and listens for changes on the directory server according to a chosen strategy and processes/publishes such events to LDAP Adapter clients.

By default, the LDAP Adapter publishes events in the order they are received from the directory server.

The LDAP Adapter provides two type of inbound activities: LDAP Adapter Entry Change Notification

Entry Change Notification enables you to obtain entries that are created or modified on a source directory server. The result contains the modified entry along with information about the type of modification.

This mechanism is based on a timestamp-based search; it does not require any external configuration and is supported by most Directory Servers. With time-based search, a search is done for all entries after a base time stamp. The base time stamp is updated for subsequent timestamp-based searches.

In search, the LDAP Adapter returns results up unto the latest time stamp, it then updates the base time stamp to the latest time stamp. The time interval you configured indicates when the next iteration of the timestamp-based search for all events next occurs.

Time stamp-based search only provides notifications of added or modified entries. With Entry Change Notification, there is no provision to find out deleted entries. This mechanism only notifies about the changed entry that is, it indicates if an entry has been changed, and does not divulge details of the changes that occurred.

There is no way to differentiate between a modify and modifyDN operation as there is no provision to find out deleted entries.

Specifically, Entry Change Notification does not provide notification when an entry enters or leaves the scope of a result set due to a modifyDN operation or when a Modify operation acts on a attribute value that is used in a search filter.

Time-stamp based search does not work with multi-master setups of the Directory Server because the time stamp is generated using the clock on each of the servers and can therefore appear in a non-linear order on a given replica.

Because Entry Change Notification uses Timestamp-based search, which is based on the operational attributes createTimestamp and modifyTimestamp, these attributes should be available, indexed and functional in the directory server for timestamp based search to work properly.

You might see the Unavailable Critical Extension exception in the LDAP Adapter client logs, if any of these attributes are not indexed and functioning correctly.

Refer to your directory server documentation to help ensure these attributes are indexed properly, so they are available during the time stamp search.


PageSize configuration does not work when connecting to the Oracle Internet Directory server and should not be used with that server. If configured, the number of events happening over the pageSize limit are not processed. LDAP Adapter Entry Change Notification Configuration Wizard Flow

Follow these steps to configure Entry Change Notification:

  1. Once you create a connection (see Configuring the LDAP Adapter), click Next. The Operation Type screen is displayed.

    Figure 12-23 LDAP Adapter Configuration Wizard Operation Type Screen

  2. Select Entry Change Notification.
  3. Click Next. The Entry Change Notification screen is displayed. See Figure 12-6.

    Here, you can define the scope of events to which the adapter must listen.

  4. On the Entry Change Notification screen, click Browse to open the directory information tree browser dialog. See LDAP Browser for more information.
  5. In the Search Field area, enter a search filter in string format. For more information on LDAP search filters, see LDAP Search Filters.
  6. Use the Event Source radio buttons to choose among the following selections (A search scope defines how deep to search within the search base).
    • Whole subtree: search the base object and the entire subtree of which the base object distinguished name is the topmost object.

    • Subtree only: search only this subtree.

    • First child only: search from the root to the first child.

    • Root only: search the root of the LDAP hierarchy only.

  7. Choose an Event Type: Add, Modify, or All.

    Figure 12-24 LDAP Adapter Configuration Wizard Entry Change Notification Screen

  8. Click Next. On the next screen, select the attributes to return as part of the changed entries. See Figure 12-7.

    Figure 12-25 LDAP Adapter Configuration Wizard Entry Change Notification Screen

  9. The Object classes list box displays all object classes starting with the characters specified in the available object classes' text field. Choose an object class from the list. (Select multiple object classes by CTRL+select).

    All attributes belonging to the object class are displayed in the Available Attributes list box below. Same attributes belonging to multiple object classes are displayed only once.

  10. Select one or more attributes and use the move buttons (> <) to select/unselect return attributes. (using CTRL+select). The Response Attributes, once selected, do not contain any duplicates. The wizard ignores adding an already-added element.

    Click Next. The following screen enables you to provide the attributes values.

  11. In the Attributes Delimiter field provide a regular expression value that can be used to delimit the attributes you select if you cannot use the ‘,’ as delimiter.
  12. In the Polling Interval field, an integer with default value set to 10 seconds, you can provide the polling interval to indicate the interval before conducting subsequent searches for new events.
  13. In the Time Limit field provide an integer value in seconds with default value as 0 seconds. This is the maximum time the LDAP server should wait before returning results.
  14. In the Size Limit field, provide an integer value. This value represents the maximum number of entries returned as part of a search operation. You can also configure this attribute on the Directory Server as well. The lower of the two values takes effect. The SizeLimit value is enforced within a single page. The default value is 1000. A value of 0 or less implies that the server does not enforce a size limit.
  15. In the PageSize field, enter the maximum number of events that should be published in a page. The sizeLimit attribute implies events within a page and not the total number of entries returned across all the pages in a search. The default value for this value is -1, implying an unlimited pageSize.
    If a search is expected to return 12,000 entries and Size Limit is set to 1000, a total of only 1000 entries will be returned. In this scenario, if Size Limit is set to zero and Page Size is set to 500, the search returns all 12,000 entries in pages of 500 entries each, with the last page containing only 200 entries.
  16. Types only if not checked, the LDAP Adapter returns the names and values of the attributes; otherwise, it returns only the names of the attributes.
  17. Click Next. The Finish screen appears.

    Figure 12-26 LDAP Adapter Configuration Wizard Change Notification Finnish Screen

The Change Log Notification event provides a detailed log of modifications that were done on entries in Directory Server.

The event includes change details and reconstructs the request message that was executed on the source server that led to this change. This event is particularly useful if the same request is to be replayed on a target server. The Change Log Notification is a very powerful feature in that it provides details on activities.

You can use Change Log Notification to incrementally synchronize a source LDAP directory with other sub-systems. As this mechanism is not part of the LDAP specification, you should check your Directory Server's implementation and the Oracle certification matrix before using this feature, as it might require specific configuration on the source Directory Server before you can use it.

Change Log Notification is not available on a server instance that is configured as either a dedicated directory server or a dedicated replication server. Change Log Notification LDAP Adapter Configuration Wizard Flow

Follow these general steps to configure Change Log Notification. The steps assume you have performed prior steps in the general flow, and you are now at the Operations Type Screen.

  1. Select Change Log Notification on the Operations Type Screen. Click Next.
  2. If the Directory Server does not support the Change Log notification mechanism, a warning dialog is displayed.
  3. The Change Log Notification Screen appears.
    • Select the Notification Strategy from the options. Notification strategy indicates the change log plugin that is used to query for the change log. This selection defaults to the currently connected Directory Server.

    • If you do not select an existing Notification Strategy, select the Custom Plugin option.. When you select this, it opens a textbox where you can provide the class name of their custom changelog plugin, Polling interval, SizeLimit and TimeLimit.

    • Select from the following Change Type options:

      • Add: Returns the changeNumber , changeType(Add) and DSML add requests that were executed on the source directory server in a specified poll interval.

      • Delete: Returns the changeNumber, changeType(Delete) and DSML delete requests that were executed on the source directory server in a specified poll interval.

      • Modify: Returns the changeNumber, changeType(Modify) and DSML modify requests that were executed on the source directory server in a specified poll interval.

      • Modify DN: Returns the changeNumber, changeType(moddn) and DSML moddn requests that were executed on the source directory server in a specified poll interval.

      • All: Returns the changeNumber, changeType(Add,Delete,Modify,moddn) and DSML requests of Add, Delete, Modify, ModifyDN events that were executed on the source directory server in a specified poll interval.

    • Polling Interval: Polling time interval in seconds before conducting subsequent searches for new events.

    • Time Limit: Maximum time in seconds the server should wait before returning results.

    • Size Limit: Maximum number of events that should be published in one attempt. Default integer value is 1000.

    • Page Size: Maximum number of events that should be published in a page. Default Integer value is 0 (no paging).

  4. Click Next. The Finish screen appears. Change Log Notification Errors

The following table lists Change Log Notification Errors.

Error Name Description Status


Inbound adapter service's connection to the Directory Server is down. This is an LdapConnectionException

Remote Fault with appropriate error message. Adapter should retry the connection to the Directory Server.


Change log mechanism is not supported by the target Directory Server. This is an LdapValidationException

Fatal exception and inbound service stops.


The change number is invalid or not recognized by the Directory Server. Contact your Directory Server administrator. Provide a valid change number. The change number may be invalid or purged and no longer recognized.You can manually provide a new change number in the database.

This is an LdapValidationException

This leads to a fatal exception because the inbound service does not identify the initial change number and hence cannot start processing.


Validation fails while activating the endpoint due to one or more activation spec errors.

This is an LdapValidationException

Binding fault.


Specified Size Limit Was exceeded.



Specified Time Limit was exceeded.



During runtime, error/status codes that are raised by an LDAP server does not get sent back to the client or displayed in the server. Entry Change Notification Error Conditions

The following table lists possible errors related to entry change notification through the LDAP Adapter. Included are the error name, a description of the error name and the status the in which the configuration is left after the error is reported.

Table 12-3 Entry Change Notification Error Conditions

Error Name Description Status


Inbound adapter service's connection to the DS is down. This is an LdapConnectionException.

Remote Fault with appropriate error message. The LDAP Adapter should retry the connection to the DS.


Malformed baseDN in event scope. This is an LdapValidationException.

Binding fault.


Search filter is malformed according to string representation of ldap filters. See http://www.ietf.org/rfc/ rfc2254.txt

This is an LdapValidationException.

Binding fault.


Adapter inbound service configuration is invalid due to one or more reasons.

This is an LdapValidationException.

Binding fault with the appropriate message indicating the violation.


Validation fails while activating the endpoint due to one or more activation spec errors.

This is an LdapValidationException.

Binding fault.


Occurs if there was an error while processing an event received from the directory server.

This is an LdapRetriableResourceException.

The fault is retried according to configured retry parameters and rejected once the appropriate retries are done.

12.3.5 Logging

The following logs are available for the LDAP Adapter. You can view these Runtime Loggers from the WebLogic Console. The logging level for each is inherited from the parent.

  • oracle.soa.adapter.ldap.inbound

  • oracle.soa.adapter.ldap.outbound

  • oracle.soa.adapter.ldap.connection

  • oracle.soa.adapter.ldap.transaction

12.3.6 Security

The LDAP Adapter must sign-on with valid security credentials. To enable this, the Oracle WebLogic Server supports both container-managed and application-managed sign-on.

Container managed sign-on enables a user to sign-on to Oracle WebLogic server and to access the Enterprise Information System through the resource adapter without having to sign-in separately to the Enterprise Information System.

Because the Oracle WebLogic server and the LDAP Enterprise Information System maintain independent security realms, this is achieved by using credentials mapping. Oracle WebLogic Server security principals are mapped to the corresponding credentials required to access the Enterprise Information System. The Adapter deployment descriptor does not need to store sensitive credential information.

The LDAP Adapter authenticates with LDAP server using simple authentication (Simple Bind). For example, it binds username and password to the directory server.

It does not have support for SASL or any other authentication mechanisms.

LDAP Adapter does not consider additional password policies such as expiry, retries and so on that are provided by the server to which it is connected. Creating Outbound Credential Mappings

Outbound credential mappings enable you to map WebLogic Server user names to user names in the Enterprise Information System (EIS) to which you want to connect using a resource adapter. You can use default outbound credential mappings for all outbound connection pools in the resource adapter or you can specify particular outbound credential mappings for individual connection pools.

As an alternative to providing the bindDN and password in the ConnectionFactory properties, you can do the following to create credential mappings:

  1. Open the Connection Pool in WebLogic console.
  2. Navigate toDeployments, LdapAdapter, Configuration, Outbound Connection Pools, expand javax.resource.cci.ConnectionFactory, and select the pool that you created.
  3. Click on theAuthentication tab and ensure that Resource Authentication Source is set to Container.
    If it is not Container and you set it now, click Save.
  4. Navigate toDeployments, LdapAdapter, Security, and Outbound Credential Mappings .
  5. Click New, and check the ConnectionFactory JNDI for which you want to configure the credentials.
  6. Select Default User and select Next.
  7. Enter the Enterprise Information System User name as the bindDN information, for example, cn=Directory Manager and enter the password for the bindDN. for example, welcome.
  8. Click Finish.
  9. Update the LdapAdapter Deployment.

The Credential Mappings you supply take precedence over the bindDN and password properties you have configured in the ConnectionFactory, if you configured any. Use this connection factory as you would use any LDAP connection factory.

After you completed the last step, you have configured the Enterprise Information System User Name and Password that you wanted to use to map the WebLogic Server User.

12.3.7 LDAP over SSL

Secured Sockets Layer, or SSL, provides a secure and encrypted channel for communication between the client and the server. See Figure 12-27 for an overall view of SSL in the LDAP over SSL environment.


You can change user passwords only over SSL. Check your Active Directory Endpoint settings and switch to use SSL. When you change the user password over SSL, you may get an error when the password complexity is too low. For example, the password does not have uppercase/lowercase/digits/non-alphanumeric characters or the password is too short. Either disable the password complexity setting in Active Directory or use a complex password.

In environments in which sensitive data is transferred to remote servers (for example, sending credit card information to HTTP servers), the issue of security is very important. Security in these cases primarily refers to two requirements:

  • Trust in the remote server with which you are exchanging data.

  • Protection from third parties trying to intercept the data

The LDAP Adapter's use of SSL certificates and encryption satisfy these two security requirements.

To gain the trust of clients in SSL environments, servers obtain certificates (typically, X.509 certificates) from recognized certificate authorities. Every client trusts a few parties. If the server is one of these trusted parties, or if the server's certificate was issued by one of these trusted parties, there is trust, even indirectly. This is also known as server authentication. The LDAP Adapter provides this type of server- authentication SSL handshake.

Since there is no notion of a rejected message in the LDAP Adapter, the LDAP Adapter has to raise a non-retriable exception.


LDAP Adapter only supports server authentication or server-side authentication. It doesn’t support dual authentication, where LDAP server authenticates client certificate with its truststore.

See Figure 12-28 for a representation of the use of certificates and a trusted store.

Figure 12-28 Using Certificates and Trusted Store with SSL

12.3.8 Payload Size Threshold

You can set the Payload size threshold in the composite.xml as a binding property on the adapter service.

By default, there is no limit on the payload size threshold. However, the LDAP adapter enforces the rule that any message published to Fusion Middleware must be less than the payload size threshold limit. Violating messages are rejected. Because there is no notion of a rejected message in the LDAP Adapter, the Adapter raises a non-retriable exception instead. Results are not going to alter in a re-try scenario so there is no point in retrying the payloadSizeThreshold.

12.3.9 High Availability

The LDAP adapter is highly available and propagates a change once and only once without message loss. The LDAP Adapter is deployed as a singleton in an active cluster. This implies that at any given time, only a single instance of the LDAP Adapter receives notifications from directory servers. The High Availability Support is applicable for inbound operations only. The LDAP Adapter does not provide any transaction support for outbound operations.

12.3.10 LDAP Adapter Exception Handling

LDAP Adapter Exceptions consist of the following types of exceptions:

  • Inbound Retriable Exceptions

  • Non-Retriable Inbound Exceptions

  • Outbound Retriable Exceptions

  • Outbound Non-retriable Exceptions Inbound Retriable Exceptions

Inbound retriable exceptions are usually connection-related. The LDAP Adapter retries until a connection or the retriable exception condition is corrected.

The following binding properties apply to such exceptions. If retry properties are not specified, retry occurs indefinitely.

Table 12-4 Inbound Retriable JCA LDAP Adapter Properties

Property Name Allowed Description



Maximum number of retries before rejection.


Measured in seconds

Time interval between retries.


Positive integer

Retry interval growth factor.



Maximum value of retry interval.



Upper limit of the entire accumulated duration of all retries; that is, a hard limit. Inbound Non-Retriable Exceptions

Rejection Handlers define the course of action in this case. Outbound Retriable Exceptions

The LDAP Adapter performs retries according to configured binding properties. If these binding properties are not specified, the retry is carried out by fault policies, if they are included as part of the composite.

The following properties govern outbound retriable exceptions.

Table 12-5 Outbound Retriable LDAP Adapter JCA Properties

Property Name Allowed Description



Maximum number of retries before rejection.


Measured in seconds

Time interval between retries.


Positive integer

Retry interval growth factor.



Maximum value of retry interval.



Upper limit of the entire accumulated duration of all retries; that is, a hard limit.



Maximum number of retries before rejection.


Measured in seconds

Time interval between retries. Outbound Non-Retriable Exceptions

Fault policies are executed if a non-retriable outbound fault occurs.