Wednesday, March 9, 2011

User cannot find / view any content in UCM from custom WebCenter application

At a customer, we deployed a custom Portal application which is used for an Intranet and Extranet
One user does not see any content in the Portal.


Users are registered in an Oracle Virtual Directory (OVD) for authentication.
Users are registered in an Oracle Internet Directory (OID) for authorization.
Groups are registered in the same OID.
The custom Portal application and UCM point to the OID for user store and group membership
WebCenter Framework


For viewing content, two groups are defined in OID, one for employees (for the Intranet) and one for customers (for the Extranet)
Analysis showed that the user cannot see any content in UCM as well.
The profile of the user does not show that the user is member of the group Employees, to which he is added in OID.
The UCM server log and server output did not show anything which could lead to the cause of the issue.

To be better abled to view what is logged, I added th line UseRedirectedOutput=true to the UCM config.cfg (located in \server\config).
I also check which Active Sections were defined in the System Audit Information page of UCM (Administration | System Audit Information)
Only the sections system, idocscript, requestaudit, resourceloader were active (which is pretty standard I think)
Since we had some problems regarding a specific user account, I added userprofile and userstorage, selected save and restarted UCM to make the changes effective.

Thanks to the UseRedirectedOutput, a IdcServerNT.log was created in the \server\bin folder. After logging in as the defective user, we saw the following:

userstorage  Thread-1  Start user storage query for user
userstorage  Thread-1  Created user object for user
userstorage  Thread-1  Expired=false isNewUser=true for
userstorage  Thread-1  Loaded record from database for
userstorage  Thread-1  Retrieving attributes (type=EXTERNAL) for
userstorage  Thread-1  Provider PortalLDAPProvider matches dUserSourceOrgPath
userstorage  Thread-1  Checking Default UserProvider PortalLDAPProvider
userstorage  Thread-1  LdapProvider.checkCredentials() started
userstorage  Thread-1  user:
userstorage  Thread-1  authenticateUser: false
userstorage  Thread-1  User is new to this provider.
userstorage  Thread-1  DN cn=john.doe.,cn=Users,dc=PORTAL,dc=COM found in local data.
userstorage  Thread-1  Unable to load extended info for cn=john.doe.,cn=Users,dc=PORTAL,dc=COM. Reason: !csLdapUnableToBindToObject

We noticed a couple of things.
First of all, the DN of the user contains a period after his name. This is not the way the user is registered in OVD or OID. Therefore, the line stating that th extended info cannot be loaded is correct.
Second, UCM states it loaded a record from the database and uses dUserSourceOrgPath in some way.

A query on the USERS table in the OCSERVER schema learned that the dUserSourceOrgPath contained the DN with the additional period, which is used by the LDAP Provider.
An update of this column fixed the issue.

But how was the situation created?
Apparently the creation of the user in OID was incorrect once (including the period) but the entry in OID was deleted and recreated correctly.
But in between these changes, the user had logged onto the system, creating the record in the USERS table, with the incorrect dUserSourceOrgPath :(
So if you change the DN of a user (or any other replicated attributes like full name or email address) be aware of the fact that UCM holds that data in a local table.