Sunday, May 04, 2008

Complex ACL filters with OVD

Access Control Rules are a very important aspect to get right when setting up Oracle Virtual Directory. But at the same time, I guess they are probably the most complex configuration option, especially if you haven't had some hard core LDAP experience before.

In Using OVD Filtered Directories for LDAP Authentication, I talked about using ACLs to restrict access to certain parts of a directory: each Access Control Rule has a filter setting, which is an LDAP filter that specifies which directory entries the rule applies to.

However I also discovered that using complex (multiple term) Access Control Rule filters is a great way to kill the OVD server process.
NB:it bombs with a java.lang.NullPointerException, and it is necessary to go and manually remove the offending filter from the $OVD_HOME/conf/acls.os_xml file on the server before it will startup again.


Say, for example, you wanted to grant access to entries for the ITGroup and HR departments. In RFC 4515 LDAP search filter terms, we can write this simply as:
(|(departmentNumber=ITGroup)(departmentNumber=HR))



But as mentioned, this will kill your OVD server (OVD 10.1.4.0.1 build 06.07.19).

There is a simple work-around though, by reverting to simple set theory and write multiple rules. In other words, granting (|(departmentNumber=ITGroup)(departmentNumber=HR)) is equivalent to two rules applied in sequence:
  • Grant: (departmentNumber=ITGroup)
  • Grant: (departmentNumber=HR)

No comments: