OpenWorld Wrap-up

Chris Heller | Sep 29, 2008 03:00 -0600
Another Oracle OpenWorld has come and gone. The weather in San Francisco was absolutely spectacular. I know a few out-of-towners that slipped out early for a cruise on the bay to enjoy the weather and the view.

We also had a great time meeting up with various Grey Sparling customers that had made it to OpenWorld. In fact, I got to meet a few different folks face to face for the first time while answering questions after the "Troubleshooting PeopleSoft" session that George Guy and I did!

Congratulations to George for surviving his first user conference presentation after being a PeopleSoft customer for so long. Although I think George was a little nervous because his wife was in the audience. I know that would make me nervous; mostly from fear of the conversation afterwards ("how can you talk for an hour in front of hundreds of people, but not be more social when we go to a party?" :-).

There were a number of times during OpenWorld this year that I wanted to be in two (or even three) places at once for different sessions going on. Which is a good thing overall (better than looking at the sessions and seeing nothing of interest for a given time slot), but it still would be nice to be able to catch all of the sessions of interest. Part of that was due to the scheduling this year; attendees had asked for more networking time so there were more open times without sessions going on. It'll be interesting to see whether or not that sticks around next year.

One session that I missed, but that has gotten good feedback, was Paco Aubrejuan's first big session as General Manager of the PeopleSoft business unit within Oracle. Paco has been part of PeopleSoft/Oracle for a number of years, so there's some good continuity there. I know that he was very excited to have so much good content to show off. PeopleTools 8.50 and all of the 9.1 applications are definitely looking good.

Various other bloggers had some good OpenWorld content as well. The official PeopleTools blog got some good blog posts with Dave Bain putting up some good Java/PeopleCode integration tips and Jeff Robbins posting the slides from his two part session on the PeopleTools Roadmap.

Brent Martin (who we met face to face for the first time this year) of ERP Associates takes the prize for the most PeopleSoft content posted while the conference was still going on.

Our friends over at MiPro Consulting got a few blog posts in as well.

Even the analyst community provided some good content on their weblogs. Jim Holincheck from Gartner had writeups from his 3 days at OpenWorld. Bruce Richardson from AMR Research also had some interesting observations. Denis Pombriant of Beagle Research discusses Oracle's Social CRM announcements, as does Paul Greenberg, who even shows some screenshots of his social networking within Oracle Mix.

Expect to see a few links added here as we compile the rest of our copious notes from the conference and get those posted :-)

LDAP Query Syntax Tips

Chris Heller | Sep 22, 2008 04:00 -0600
I've had a few conversations recently about the strangeness of LDAP query syntax, so I thought I'd post some useful information and links here. You might not have had the need to know anything about LDAP query syntax as part of working with PeopleSoft though. PeopleSoft's delivered LDAP integration does a good job of providing some rich functionality (authenticating users, caching profiles, role memberships, etc.) without forcing you to deal with LDAP query syntax.

LDAP Queries generated by PeopleTools

For example, in the PeopleSoft Authentication Map page (PeopleTools -> Security -> Directory -> Authentication Map) you can select which attribute in the directory (such as sAMAccountName) should be used for looking up the user trying to log in. Under the covers, the following LDAP query string is generated (if chrisheller is trying to log in):

(sAMAccountName=chrisheller)

That's a pretty simple example though. Looking up the group membership in order to do PeopleSoft role assignment for a user shows slightly more complex LDAP queries.
  • Novell's eDirectory wants (&(objectclass=groupOfNames)(uniquemember=chrisheller))
  • Active Directory wants (&(objectclass=group)(member=chrisheller))
  • Oracle and Netscape want (&(objectclass=groupOfUniqueNames)(uniquemember=chrisheller))
These get generated for you automatically in the delivered PeopleCode. There are some other more complicated examples, but those get the basics across.

LDAP Query Syntax

Instead of having the queries written in a form similar to how you might speak, (attribute1=value1)&(attribute2=value2), the operator ('&' for AND, '!' for NOT, '|' for OR) gets pulled to the front and the whole thing is wrapped in parentheses. A good reference is Microsoft's page on MSDN for search filter syntax, which even includes how to do things like bitwise comparisons in LDAP queries. Another good article is Unlocking the LDAP Search Filter, which has some good explanations to go along with the syntax.
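The prefix notation described above, as an added Python example that is not PeopleTools code: a small composer that rebuilds the group-membership queries from this post and escapes values per RFC 4515, so that a user ID containing parentheses or an asterisk stays data instead of changing the filter's structure. All function names are hypothetical.

```python
# Added example, not PeopleTools code; helper names are hypothetical.
# RFC 4515: these characters must appear as \XX hex escapes inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    return f"({attr}={escape_value(value)})"


def present(attr: str) -> str:
    """Presence test such as (manager=*); the * here is syntax, not data."""
    return f"({attr}=*)"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(inner: str) -> str:
    return "(!" + inner + ")"


def group_lookup(directory: str, user: str) -> str:
    """Group-membership filters from the list above, keyed by directory type."""
    shapes = {
        "edirectory": ("groupOfNames", "uniquemember"),
        "activedirectory": ("group", "member"),
        "oracle": ("groupOfUniqueNames", "uniquemember"),
    }
    object_class, member_attr = shapes[directory]
    return and_(eq("objectclass", object_class), eq(member_attr, user))


if __name__ == "__main__":
    print(group_lookup("activedirectory", "chrisheller"))
    print(and_(eq("objectCategory", "person"), not_(present("manager"))))
    # Constructed input: the metacharacters stay inside the value once escaped.
    print(eq("sAMAccountName", "x)(objectClass=*"))
```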

Another good way to get familiar with some of the possibilities for LDAP queries is to look at other examples that have been posted on the internet. JiJiTechnologies has a nice list of some example LDAP search queries. For example, here is a query that returns users that do not have a manager in the directory.

(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(!(manager=*)))

and here is a query that returns accounts that will expire in a certain amount of time (see below for more on generating datetime values for LDAP queries)

(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(!(accountExpires=0))(!(accountExpires=9223372036854775807))(!(accountExpires<=currentTime))(accountExpires<=givenTime))

What can I do with a custom LDAP query?

Well, you might want to do some custom LDAP processing yourself from PeopleCode. Maybe you want to audit the manager entry in the LDAP directory with what is stored within your PeopleSoft HCM database. You might generate LDAP queries like the following to check on a one-by-one basis

(&(sAMAccountName=chrisheller)(manager=CN=larrygrey,OU=Employees,DC=greysparling,DC=com))

(or you might dump the employee/manager attributes from the directory in bulk instead).

Maybe you want the delivered LDAP authentication to only log in users that won't have their account expire in the next day. You could change the delivered PeopleCode in FUNCLIB_LDAP.LDAPAUTH.FieldDefault to include that check as part of the LDAP query used (note that this is a customization; there is not a place for you to add this without customizing).

As part of our Desktop Single Signon for PeopleSoft product, we also provide the ability to use attributes in an LDAP directory as part of the process of mapping a network login to a PeopleSoft account. In the LDAP configuration there are "prepend" and "append" hooks in place to be able to modify the LDAP query that our code generates.

The feature was originally added because of a PeopleSoft customer that only wanted Single Signon to apply to users that were required to log in with a Smartcard. If the user's account wasn't set up to require a Smartcard to log in, then they wanted Single Signon to not establish their PeopleSoft session, and instead leave them at the PeopleSoft login page.

The attribute in Active Directory that contains the needed information is called userAccountControl. Unfortunately, this attribute is actually a bitfield, so we have to apply the bitwise operators that I mentioned above. In the Single Signon configuration they added a prepend value of (&(userAccountControl:1.2.840.113556.1.4.803:=262144) and the append value of ) (that's a single parenthesis to close off the query).

At runtime, the generated LDAP query would have been (sAMAccountName=chrisheller), but with the prepend and append values added in, the query becomes (&(userAccountControl:1.2.840.113556.1.4.803:=262144)(sAMAccountName=chrisheller)).

In case you haven't memorized the MSDN documentation link from above yet (it'll be on the midterm), the ":1.2.840.113556.1.4.803:=" part is the bitwise AND operator, which we are applying to the userAccountControl attribute. The 262144 is the decimal value for the "Smart card required for login" setting (also known as ADS_UF_SMARTCARD_REQUIRED). Here is a good list of the various different bitvalues that can be in the userAccountControl field.

So now when the LDAP query runs as part of the Single Signon user mapping, if the user's account does not mandate Smartcard login, then the LDAP query will not return a match, which means that the user will not be automatically logged in to PeopleSoft.
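The prepend/append wrapping and the bitwise AND test described above, as an added Python example that is not the product's own code. It writes the matching rule in the attr:rule:=value extensible-match form, rejects a prepend/append pair that leaves the query unbalanced (so a configuration typo fails closed instead of sending a malformed query), and mirrors what the directory evaluates for the rule. Function names and the sample userAccountControl values are constructed for illustration.

```python
# Added example, not product code; function names are hypothetical.
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # matching-rule OID quoted in the post
ADS_UF_SMARTCARD_REQUIRED = 262144        # 0x40000, value quoted in the post
ADS_UF_NORMAL_ACCOUNT = 512               # 0x200, used for the sample accounts

PREPEND = f"(&(userAccountControl:{BIT_AND_RULE}:={ADS_UF_SMARTCARD_REQUIRED})"
APPEND = ")"


def is_single_filter(ldap_filter: str) -> bool:
    """True if the text is exactly one parenthesised filter, correctly nested."""
    if not ldap_filter.startswith("("):
        return False
    depth, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3                      # skip a \XX escape inside a value
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and i != len(ldap_filter) - 1:
                return False            # closed early: trailing text or 2nd filter
        i += 1
    return depth == 0


def wrap(generated: str, prepend: str, append: str) -> str:
    """Apply the configured hooks around the generated query, or refuse."""
    combined = prepend + generated + append
    if not is_single_filter(combined):
        raise ValueError(f"prepend/append produce a malformed filter: {combined!r}")
    return combined


def bit_and_matches(attribute_value: int, mask: int) -> bool:
    """What the bitwise AND rule tests: every bit set in mask is set in the value."""
    return (attribute_value & mask) == mask


if __name__ == "__main__":
    print(wrap("(sAMAccountName=chrisheller)", PREPEND, APPEND))
    # Constructed accounts: one requires a smart card, one does not.
    for uac in (ADS_UF_NORMAL_ACCOUNT | ADS_UF_SMARTCARD_REQUIRED, ADS_UF_NORMAL_ACCOUNT):
        print(uac, bit_and_matches(uac, ADS_UF_SMARTCARD_REQUIRED))
```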

Converting date/time values between Active Directory and PeopleCode

I have some PeopleCode written for this, but it's getting late so I'll save that for another post. If you're interested in it, leave a comment. For now, I'll just leave it as saying that this writeup on Active Directory's Integer8 attributes by Richard Mueller was extremely helpful in coming up with it.
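The conversion itself, as an added example in Python rather than the PeopleCode mentioned above (which is not on this page and is not reproduced here). Active Directory stores accountExpires as an Integer8 counting 100-nanosecond intervals since 1601-01-01 UTC; the functions below, whose names are hypothetical, convert in both directions and fill in the currentTime and givenTime placeholders of the account-expiry query, written in the RFC 4515 form where each negated term carries its own parentheses.

```python
# Added example, not the author's PeopleCode; function names are hypothetical.
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both values mean "never expires" and are excluded by the expiry filter.
NEVER_EXPIRES = (0, 9223372036854775807)


def to_integer8(moment: datetime) -> int:
    """Aware datetime -> count of 100-nanosecond intervals since 1601-01-01 UTC."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone before converting")
    delta = moment.astimezone(timezone.utc) - AD_EPOCH
    # Integer arithmetic only, so no precision is lost to floating point.
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_integer8(value: int):
    """Integer8 -> UTC datetime, or None for the 'never expires' sentinels."""
    if value in NEVER_EXPIRES:
        return None
    return AD_EPOCH + timedelta(microseconds=value // 10)


def expiring_filter(now: datetime, window: timedelta) -> str:
    """The account-expiry query with currentTime and givenTime filled in."""
    current, given = to_integer8(now), to_integer8(now + window)
    return (
        "(&(objectCategory=person)(objectClass=user)"
        "(!(sAMAccountType=805306370))"
        "(!(accountExpires=0))(!(accountExpires=9223372036854775807))"
        f"(!(accountExpires<={current}))(accountExpires<={given}))"
    )


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(to_integer8(now), from_integer8(to_integer8(now)))
    print(expiring_filter(now, timedelta(days=1)))
```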

Workday slowly following the PeopleSoft path

Chris Heller | Sep 11, 2008 23:10 -0600
When I started at PeopleSoft we had offices in downtown Walnut Creek. Downtown Walnut Creek was nice because there were well over 100 restaurants and bars within walking distance of the office.

Eventually we had to move the headquarters about 20 miles south down to Pleasanton because the company was growing too fast to be able to obtain office space in downtown Walnut Creek. The PeopleSoft offices in Pleasanton were nice buildings, but there wasn't too much within walking distance. Downtown Pleasanton (which is nice) was just a bit too far to drive and parking isn't always easy there. The only times that I ever made it into downtown Pleasanton were for dinners with customers or analysts. Even the official PeopleSoft drinking establishment in Pleasanton, the Hopyard (famous for the "Wall of Foam"), was not within walking distance of the offices.

So, it was a bit amusing to find out today that Workday, whose current offices are just up the road from the old PeopleSoft Walnut Creek headquarters building, are now planning on moving down to Pleasanton in a few months. It's deja vu all over again.

No word on where exactly they are moving, but I took a quick check on CB Richard Ellis's website (they use PeopleSoft at CBRE), and discovered a nice place for them at 4305 Hacienda Drive. That picture might not look familiar to you (unless you worked there :-), but it is another set of buildings that PeopleSoft owned that are just one block down the street from the PeopleSoft/Oracle headquarters.

What's really interesting is that I'm pretty sure that PeopleSoft owned those buildings outright(1) when the Oracle acquisition closed, so it's possible that Oracle still owns those(2) and is just leasing them via CB Richard Ellis. So Oracle could end up renting office space to Workday just down the street from the current PeopleSoft/Oracle offices!

Wouldn't that be something? :-)




(1) Those buildings are the ones that PeopleSoft had to kick a few customers out of when the buildings were purchased. PeopleSoft bought the buildings (this was 3 additional buildings at the 4305 Hacienda location) because of growth requirements, and had to (slowly) kick out the various companies that leased office space there. Unfortunately a few of those companies were actual PeopleSoft customers. Ooops....

(2) Not likely though. Oracle sold half of the buildings at the PeopleSoft headquarters campus to Kaiser Permanente a few years back. So, they probably would have sold the rest of the PeopleSoft real estate holdings after the acquisition.

Also, earlier this year, Oracle sold the rest to Kaiser, but are leasing them back while they build a new building on some additional space that PeopleSoft used to own. So, they're actually slowly moving closer to the 580 freeway.