6 Replies Latest reply: Oct 30, 2012 6:37 AM by user5636757

can't login to WLS console with directory's user

user5636757 Newbie
I've configured an Apache DS LDAP server in WebLogic Server. It's all done. I can see users and groups in the WLS console. I can also see the groups for a user (as they are defined in the LDAP server). However, I can't log in to the WLS console with users defined in the LDAP server. What could be the reason?

http://docs.oracle.com/cd/E17904_01/webcenter.1111/e12405/wcadm_security_id_store.htm#BGBDHHGA
section 28.5 Moving the Administrator Account to an External LDAP Server:
If the Fusion Middleware administrator account, or any other appropriate user in LDAP, is in an LDAP group called "Administrators", then this account should be sufficient to manage the server...

Well, I have an Administrators group in my LDAP server and there are users added to this group - I can confirm this from the WLS console as well... However, those users still can't log in to the WLS console. What could be the issue?

I also tried this - 28.5.2 Changing the Administrator Group Name - associated the Admin role with a custom group - but users of this custom group still can't log in to the WLS console...

Thanks.
  • 1. Re: can't login to WLS console with directory's user
    Ganesh.. Explorer
    Hi,
    The user name attribute in the LDAP Authentication provider must be the same as the relative distinguished name of the users present in LDAP.
  • 2. Re: can't login to WLS console with directory's user
    Mohammed Rayan-Oracle Journeyer
    Have you checked whether the authentication fails at the WebLogic authentication layer or at the authorization layer?
    Please turn on the debug flags from the console, or use the debug settings below for authentication, authorization and the role mapper.

    weblogic.debug.DebugSecurityAtn=true
    weblogic.debug.DebugSecurityAtz=true
    weblogic.debug.DebugSecurityRoleMap=true


    Replicate the issue after applying the above debug settings and verify that the subject is getting populated correctly with the required principals.


    For example:

    <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
    Principal: weblogic
    Principal: Administrators
    Private Credential: weblogic
  • 3. Re: can't login to WLS console with directory's user
    user5636757 Newbie
    user9170366 wrote:
    Hi,
    The user name attribute in the LDAP Authentication provider must be same as the relative distinguished name of the users present in LDAP.
    Do you mean this attribute?
    <wls:user-name-attribute>uid</wls:user-name-attribute>

    I changed its value to this, as per your suggestion (if I understood it correctly):
    <wls:user-name-attribute>ou=users,ou=system</wls:user-name-attribute>

    However, now I don't see users in the WLS console either, and login with the directory's users doesn't work, as before...
  • 4. Re: can't login to WLS console with directory's user
    user5636757 Newbie
    809364 wrote:
    Have you checked whether the authentication fails at the WebLogic authentication layer or at the authorization layer?
    Please turn on the debug flags from the console, or use the debug settings below for authentication, authorization and the role mapper.

    weblogic.debug.DebugSecurityAtn=true
    weblogic.debug.DebugSecurityAtz=true
    weblogic.debug.DebugSecurityRoleMap=true


    Replicate the issue after applying the above debug settings and verify that the subject is getting populated correctly with the required principals.


    For example:

    <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
    Principal: weblogic
    Principal: Administrators
    Private Credential: weblogic
    I did what you suggested. It does give more details:


    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <LDAP Atn Login username: jon>
    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <authenticate user:jon>
    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://localhost:10389 ldapVersion:3 bindDN:"uid=admin,ou=system"}>
    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <getDNForUser search("ou=users,ou=system", "(&(&(uid=jon)(objectclass=inetOrgPerson))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <DN for user jon: null>
    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://localhost:10389 ldapVersion:3 bindDN:"uid=admin,ou=system"}>
    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://localhost:10389 ldapVersion:3 bindDN:"uid=admin,ou=system"}>
    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <getDNForUser search("ou=users,ou=system", "(&(&(uid=jon)(objectclass=inetOrgPerson))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <DN for user jon: null>
    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://localhost:10389 ldapVersion:3 bindDN:"uid=admin,ou=system"}>
    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User jon denied
    >
  • 5. Re: can't login to WLS console with directory's user
    user5636757 Newbie
    I need to figure out why after this:

    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <getDNForUser search("ou=users,ou=system", "(&(&(uid=jon)(objectclass=inetOrgPerson))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>

    I am getting this:

    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <DN for user jon: null>
  • 6. Re: can't login to WLS console with directory's user
    user5636757 Newbie
    Finally, it's working.
    Here is the conclusion...

    In this post (Re: external LDAP directory (Apache Directory Server) with WebLogic server) I was given the suggestion to use the 'ad configuration' for Apache DS, which fixed my 'server not starting' issue, but I think that solution was causing this 'authentication issue'.

    I changed the provider type back to generic (<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">) and moved it below the default authenticator (this removed my 'server not starting' issue), and now it all works.

    ####<29-Oct-2012 16:35:21 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <b64aa9a9b2744705:-3c0ed640:13aac74223a:-8000-0000000000000682> <1351528521632> <BEA-000000> <getDNForUser search("ou=users,ou=system", "(&(&(uid=jon)(objectclass=inetOrgPerson))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>


    'userAccountControl:1.2.840.113556.1.4.803' - whatever it is, it's AD-specific (if I am not wrong), and that's where I got the clue - I then replaced AD with generic in the provider type, changed the provider order, and all works :)

    This is how my log looks now:

    <BEA-000000> <getDNForUser search("ou=users,ou=system", "(&(uid=ankur)(objectclass=person))", base DN & below)>
    ####<30-Oct-2012 12:43:16 o'clock GMT> <Debug> <SecurityAtn> <mydesktop> <DefaultServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b64aa9a9b2744705:-16fac609:13ab19bd11f:-8000-00000000000000a7> <1351600996897> <BEA-000000> <DN for user ankur: uid=ankur,ou=users,ou=system>


    Thanks everyone!

    Edited by: user5636757 on Oct 30, 2012 6:37 AM
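An added diagnostic, not from this thread or from Oracle, that reads the <SecurityAtn> debug lines quoted above (the debug flags from reply 2) and tells the two causes of "DN for user ...: null" apart: the AD-only userAccountControl:1.2.840.113556.1.4.803 matching rule in the search filter, as in replies 4 to 6, versus a plain lookup miss under the configured base. It assumes uid is the user-name attribute, as in the thread; the sample lines are constructed from the ones posted here.

```python
import re

# Constructed sample of WebLogic <SecurityAtn> debug output, modelled on the
# lines quoted in this thread, with only the <BEA-000000> payload kept.
SAMPLE_LOG = """\
<BEA-000000> <getDNForUser search("ou=users,ou=system", "(&(&(uid=jon)(objectclass=inetOrgPerson))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user jon: null>
<BEA-000000> <getDNForUser search("ou=users,ou=system", "(&(uid=ankur)(objectclass=person))", base DN & below)>
<BEA-000000> <DN for user ankur: uid=ankur,ou=users,ou=system>
"""

# OID of Active Directory's LDAP_MATCHING_RULE_BIT_AND; the clause
# (!(userAccountControl:<oid>:=2)) excludes disabled AD accounts. A directory
# without this matching rule evaluates the extensible match as Undefined, so
# the enclosing AND never becomes TRUE and the lookup returns no DN even
# though the user entry exists.
AD_BIT_AND_OID = "1.2.840.113556.1.4.803"

SEARCH_RE = re.compile(r'getDNForUser search\("([^"]*)", "([^"]*)"')
UID_RE = re.compile(r'\(uid=([^)]+)\)')   # assumes user-name-attribute = uid
DN_RE = re.compile(r'<DN for user (\S+): ([^>]+)>')


def diagnose(log_text):
    """Pair each getDNForUser search with its 'DN for user' result and return
    {user: (status, detail)}, status being 'ok', 'ad-filter' or 'not-found'."""
    pending = {}   # user -> (search base, filter) of the last search seen
    verdicts = {}
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            base, flt = m.groups()
            u = UID_RE.search(flt)
            if u:
                pending[u.group(1)] = (base, flt)
            continue
        m = DN_RE.search(line)
        if not m:
            continue
        user, dn = m.groups()
        base, flt = pending.get(user, ("?", ""))
        if dn != "null":
            verdicts[user] = ("ok", dn)
        elif AD_BIT_AND_OID in flt:
            verdicts[user] = ("ad-filter", "Active Directory provider type "
                              "against a non-AD directory; use the generic "
                              "LDAP authenticator type instead")
        else:
            verdicts[user] = ("not-found", "nothing matched %s under %s; check "
                              "user-base-dn and user-name-attribute" % (flt, base))
    return verdicts
```

Feed it the full server log: lines without a getDNForUser or DN-for-user payload are ignored, so the timestamp and context fields of real entries do not matter.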