Thursday 18 December 2008

Configuring WLS With MS Active Directory

Following are my notes on configuring Oracle's WebLogic Server 10.3 to use a Microsoft Active Directory server for authentication. Usual disclaimer: your mileage may vary.

For a good starting point, and as a comparison of which options to configure, see the following blog entries on configuring WLS for OID or OpenLDAP:

Frank Nimphius's How-to configure OID for authentication in WebLogic Server
Edwin Biemond's Using OpenLDAP as security provider in WebLogic

Steps

In the WLS console select Security Realms under the Domain Structure, then myrealm, followed by the Providers tab, then the Authentication tab.

Select New. In the Create a New Authentication Provider page, enter a name and select ActiveDirectoryAuthenticator from the drop-down, then OK.

Select your new Authenticator, then the Configuration tab -> Provider Specific tab.

Enter the following values:
  • [default] Keep Alive Enabled: disabled
  • User Name Attribute: sAMAccountName
  • Principal: distinguished name (DN) of the Active Directory LDAP user, i.e. DN=LdapAdmin,OU=Users,DC=sagecomputing,DC=com,DC=au
  • Host: your hostname
  • [default] All Users Filter: null
  • [default] Users Search Scope: subtree
  • [default] All Groups Filter: null
  • [default] Static Member DN Attribute: member
  • [default] Group From Name Filter: (&(cn=%g)(objectclass=group))
  • [default] Bind Anonymously on Referrals: disabled
  • [default] Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))
  • [default] Results Time Limit: 0
  • Credential: ldap user password (as per that of the principal above)
  • Confirm Credential: ldap user password (as per that of the principal above)
  • [default] Group Search Scope: subtree
  • [default] Cache Size: 32
  • User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
  • [default] Dynamic Member URL Attribute: null
  • [default] Connection Retry Limit: 1
  • [default] Connect Timeout: 0
  • [default] User Dynamic Group DN Attribute: null
  • [default] Static Group Name Attribute: cn
  • User Base DN: OU=Users,DC=sagecomputing,DC=com,DC=au
  • [default] Use Token Groups For Group Membership Lookup: disabled
  • [default] Port: 389
  • [default] Follow Referrals: enabled
  • [default] Propagate Cause For Login Exception: disabled
  • [default] User Object Class: user
  • [default] Cache TTL: 60
  • Use Retrieved User Name as Principal: enabled
  • [default] Dynamic Group Object Class: null
  • [default] SSL Enabled: disabled
  • Group Base DN: OU=Groups,DC=sagecomputing,DC=com,DC=au
  • [default] Cache Enabled: enabled
  • [default] Parallel Connect Delay: 0
  • [default] Ignore Duplicate Membership: 0
  • [default] Static Group Object Class: group
  • [default] Group Membership Searching: unlimited
  • [default] Max Group Membership Search Level: 0
You'll need to change the non-default values to suit your environment.

Ensure you restart WLS.

If you reselect myrealm in the WLS console, then under the Users and Groups tab you should see, under Users, a list of users derived from the Active Directory server, and under Groups a set of groups derived from the Active Directory server.

Finally, return to the WLS console, select the new authentication provider, and on the Configuration tab -> Common tab change the Control Flag poplist to Sufficient.
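WLS itself substitutes the login name into the User From Name Filter above (%u), the group name into the Group From Name Filter (%g) and the member DN into the Static Group DNs from Member DN Filter (%M). The following added example, which is not part of the original post, expands those three templates the way a directory client must: with the substituted value escaped per RFC 4515, so that a name containing *, ( or ) is matched literally instead of widening the search. The user, group and DN values are constructed samples.

```python
# Added example (not from the original post): expand the WLS Active Directory
# authenticator filter templates with RFC 4515 escaping of the substituted
# value. Template strings are the ones from the configuration list above;
# the sample names passed in are constructed.

# Filter templates as entered in the Provider Specific tab
USER_FROM_NAME_FILTER = "(&(sAMAccountName=%u)(objectclass=user))"
GROUP_FROM_NAME_FILTER = "(&(cn=%g)(objectclass=group))"
STATIC_GROUP_DNS_FROM_MEMBER_DN_FILTER = "(&(member=%M)(objectclass=group))"

# Characters that are filter syntax inside an assertion value (RFC 4515 s.3);
# each is replaced by a backslash followed by its two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so an LDAP server matches it literally in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def has_filter_metacharacters(value: str) -> bool:
    """True when a raw login or group name would alter the filter shape.

    Useful on the defending side to flag such inputs in authentication logs.
    """
    return any(ch in _ESCAPES for ch in value)


def build_filter(template: str, **values: str) -> str:
    """Expand %u, %g or %M in a WLS filter template with escaped values.

    Keyword names are the placeholder letters: u, g or M.
    """
    result = template
    for key, raw in values.items():
        result = result.replace("%" + key, escape_filter_value(raw))
    return result


if __name__ == "__main__":
    print(build_filter(USER_FROM_NAME_FILTER, u="jsmith"))
    print(build_filter(USER_FROM_NAME_FILTER, u="j*"))
    print(build_filter(GROUP_FROM_NAME_FILTER, g="Dev(Ops)"))
    print(build_filter(STATIC_GROUP_DNS_FROM_MEMBER_DN_FILTER,
                       M="CN=J Smith,OU=Users,DC=sagecomputing,DC=com,DC=au"))
```

Comparing the expanded filters with what Wireshark shows on the wire (as suggested in the comments below) is a quick way to confirm the authenticator is searching the base DNs and attributes you configured.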

12 comments:

Unknown said...

Hi
I configured my WLS to add the Active Directory provider

and Users and Groups fetched successfully

and CF to sufficient

now how to configure WLS to use this provider OR how to make my application use it

I apply ADF security to use LDAP and add an identity store, then add a role, then map this role to the WLS users role from weblogic.xml

but users are not authorized (login error)

thanks

Chris Muir said...

Hi

Unfortunately the ADF Security doesn't do everything it needs to in JDev 11g build 5188. Please read Andrejus Baranovskis's Practical ADF Security Deployment on WebLogic Server blog entry for more info on what you need to do.

(and in fact I'll be trying his blog entry out, including Steve Muench's article that Andrejus referenced, tomorrow!)

Good luck.

Regards,

CM.

Chris Muir said...

As a follow up, this OTN post may give you assistance. As per my comment:

"In Frank's blog entry regarding setting up OID against WLS, in the very last part of his blog entry, he says set the WLS OID Authenticator Control Flag = Sufficient. While I'd done this, it's also necessary to re-order the Authenticators such that your custom authenticator occurs before the 2 default authenticators DefaultAuthenticator and DefaultIdentityAsserter."

Hope this helps.

CM.

Unknown said...

Hi Chris

*)
I re-ordered the authenticators
but still

*)
when I apply the ADF security tool I chose LDAP; must I use XML (as I think Andrejus uses)?


*)
I configured my security to the current default server within JDeveloper,
not a standalone WLS.
Does it need migration? I don't know, but I don't think so.

thanks very much

Chris Muir said...

Sorry, I don't understand your question. Can you be more clear please, or post to the OTN JDev forum for more assistance.

CM.

Eric said...

Excellent post. Thanks for the help.

Unknown said...

I just followed your post, but I am getting the below error... please help me.

Jul 1, 2009 12:08:03 PM EDT Notice Security BEA-090082> Security initializing using security realm myrealm.
weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection
at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3154)

Chris Muir said...

Siva, the error says it can't get a connection. This suggests WLS can't connect to your LDAP server.

CM.

Unknown said...

Hi Siva:

Two suggestions: A) make use of a network traffic monitor such as Wireshark to see exactly the messages back and forth. Note that sometimes the exceptions are wrapped and you'll get a misleading error. B) Change the format for the principal name to: DOMAIN-NAME\USER-NAME

Hope this helps,
Albert

Chetan Jain said...

Hi,

Can you please let me know what the SAMAccount name is in this case.

Is it an attribute or a default (super) user in the AD?

I want to create a new attribute for my users in the AD. However, I am not able to understand how to do it.
I need to list the users with another attribute and not with the cn.

Any pointer is highly appreciated.

Chris Muir said...

Hi Chetu

If memory serves correctly, yes, SAMAccount is an AD attribute.

Sorry I can't give you more assistance on configuring AD as I don't have skills in that area.

CM.

Charlie said...

Hi
First of all, you have to check your server DN for each thing. In my case the DN (Distinguished Name) was CN=Administrator,DC=PP,DC=com instead of OU=Administrator as I thought before. Also I had to change the User Name Attribute to cn.
Thanks for the post.
Cheers