One of the great features of Oracle IRM 11g is being able to automatically link your users from LDAP. Â This way you don’t have to manage the user’s in two places or write any custom synchronization code between them. Â The LDAP integration is done through the providers WebLogic. Â A word of warning about this integration is that you need to have your LDAP provider setup in WebLogic before logging into IRM for the first time. Â You also need to have your LDAP provider as the first item in the list before logging in.
My reason for typing this out is because it burned me for a few hours trying to figure out what was going on. Â The first user that logs into IRM is set to be the administrator. Â This person creates the contexts, roles, etc. and assigns all the privileges. Â For most implementations people normally use the built in weblogic user that is created during installation. Â This is where I went terribly wrong. IRM binds the GUID of this user to the IRM database repository. Â This is obviously much stronger than binding just the username or the DN of the user but also can cause crinkled skulls when trying to debug.
So, I logged into the server as weblogic, got the tabs and pages I expected so I figured I would setup my LDAP provider. I went into WebLogic and created the provider. Â In a development environment I normally set the internal provider first and then the LDAP provider second. Â Even though I take a hit in performance, in a development environment I prevent myself from being locked out of the server. I was now able to authenticate but IRM wasn’t letting me into the interface. Â After talking to the dev team they told me the LDAP provider had to be the first one in the list as thats all they look at when authenticating the user. Â No problem pop it up to the top of the list.
Now I can authenticate into IRM and get into the irm_rights pages, but I don’t have any of the other tabs to manage the server. Â The GUID that my weblogic user is tied to is now second on the providers list and the GUID of the weblogic user in my LDAP server doesn’t match the local GUID. Shit, so now my administrator user can’t be reached because he’s second in the provider list and I can’t set any other administrators because if I move that provider back to the top of the list the LDAP users don’t appear since IRM only looks at the first one.
Lessons learned and a reinstall to fix.