13 Replies Latest reply: Jul 2, 2008 10:57 AM by 666705

    Configuring Active Directory with Weblogic 8.1 SP4

    666705
      Hello

      I have added an Active Directory Authenticator in Weblogic 8.1 SP4. I am able to see the groups in the "Users and Groups" section of Portal Administration, but it is not fetching users under these groups. Can anyone please help me out?

      Thanks
        • 1. Re: Configuring Active Directory with Weblogic 8.1 SP4
          666705
          Hi,

          Can you please post the exact exception (if there is any)? I have configured Active Directory Authenticator successfully with Bea weblogic 814.

          Workaround:
          You need to configure the Users Tab in the weblogic admin console. You need to enter the user base dn and User Name Attribute Field. Example:

          OU=beateam,DC=companybea,DC=com and
          user name attribute field = sAMAccountName

          Thanks
          Bishnu
          • 2. Re: Configuring Active Directory with Weblogic 8.1 SP4
            666705
            Hi Bishnu

            Thanks for your help. In my case, the value of user base dn is 'ou=users,dc=TESTING,dc=COM', but which value should I provide for the User Name Attribute Field? Should it be the name of a particular user or an expression?

            Please help

            Thanks
            Amir
            • 3. Re: Configuring Active Directory with Weblogic 8.1 SP4
              666705
              Amir,

              In Active Directory there is by default a "sAMAccountName" username attribute. You can give this name; it should work.


              Thanks
              • 4. Re: Configuring Active Directory with Weblogic 8.1 SP4
                666705
                Hi bishnu

                Previously I was using 'cn' for username attribute. I have replaced it with "sAMAccountName" but it had no effect.

                In my admin portal "Users and Groups" section the tree is showing Groups (Security Groups, Security Groups - Local Domain etc) but it is not showing any user.
                • 5. Re: Configuring Active Directory with Weblogic 8.1 SP4
                  666705
                  Hi Bishnu

                  Below are my settings. Please review them and see if you can find any error.

                  User Tab
                  ---------
                  User Object Class:     user
                  User Base DN:          ou=users,dc=TESTING,dc=COM
                  User Name Attribute:     cn
                  User From Name Filter:     (&(cn=%u)(objectclass=user))

                  Group Tab
                  ----------
                  Group Base DN:          dc=TESTING,dc=COM
                  Group Object Class:     group

                  Group From Name Filter:     (&(cn=%g)(objectclass=group))

                  Please help

                  Thanks
                  Amir
                  • 6. Re: Configuring Active Directory with Weblogic 8.1 SP4
                    666705
                    Amir,

                    Please modify your entry according to the below sample

                    Active Directory :
                    Host:the ip of the machine where Active Directory is installed
                    Port:389
                    Principal :CN=Administrator,CN=Users,DC=samplebea,DC=com
                    Users:
                    User Name Attribute :sAMAccountName
                    User Base DN:OU=beateam,DC=samplebea,DC=com
                    Groups:
                    Group Base DN:OU=beateam,DC=samplebea,DC=com
                    Also make the control flag of the ActiveDirectoryAuthenticator and DefaultAuthenticator equal to SUFFICIENT and restart the server.

                    That should work. If there is any error or exception please post that.

                    Regards
                    Bishnu
                    • 7. Re: Configuring Active Directory with Weblogic 8.1 SP4
                      666705
                      Hi Bishnu

                      I have tried these settings, but when I restarted the server and checked the "Users and Group" section, there was no tree of groups (in both 'DefaultAuthenticator & ActiveDirectoryAuthenticator'), whereas with the previous settings it was showing groups in the tree. On selecting 'ActiveDirectoryAuthenticator' it prompts an error saying "-An unrecoverable error has been encounter while building the Group Hierarchy cache. Defaulting to text entry mode."

                      On the left it shows a text field asking for 'Enter Group Name'. If I enter "users" (my intended group name) and press the "select" button, the following exception trace is shown:

                      Error 500--Internal Server Error
                      netscape.ldap.LDAPException: error result (32); 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
                           'DC=TESTING,DC=COM'
                      ; matchedDN = DC=TESTING,DC=COM
                           at netscape.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4855)
                           at netscape.ldap.LDAPConnection.checkSearchMsg(LDAPConnection.java:2619)
                           at netscape.ldap.LDAPConnection.search(LDAPConnection.java:2591)
                           at weblogic.security.providers.authentication.LDAPAtnDelegate.listGroups(LDAPAtnDelegate.java:1393)
                           at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.listGroups(LDAPAuthenticatorImpl.java:127)
                           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                           at java.lang.reflect.Method.invoke(Method.java:324)
                      .....
                      • 8. Re: Configuring Active Directory with Weblogic 8.1 SP4
                        666705
                        With reference to my previous post, below are the complete configurations that generated the error explained in the previous post.

                        General
                        -------
                        Control Flag: SUFFICIENT

                        Active Directory
                        ----------------
                        Host: IP of server where AD is installed
                        Port: 389
                        Principal:CN=Administrator,CN=Users,DC=TESTING,DC=COM
                        Credential: password

                        Users
                        ------
                        User Object Class: user
                        User Name Attribute: sAMAccountName
                        User Base DN: OU=users,DC=TESTING,DC=COM
                        User From Name Filter: (&(objectclass=user))

                        Groups
                        -------
                        Group Base DN: OU=users,DC=GHQTESTING,DC=COM
                        Group From Name Filter: (&(cn=%g)(objectclass=group))
                        Static Group Object Class: group
                        Static Group Name Attribute: cn

                        Membership
                        ----------
                        Static Member DN Attribute: member
                        Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))


                        Looking forward to your help
                        Thanks
                        Amir
                        • 9. Re: Configuring Active Directory with Weblogic 8.1 SP4
                          666705
                          Hi

                          I'm kinda getting the same error message. But I'm running on the 9.2 version.

                          Anyways I have been able to access one Organizational Unit in my LDAP directory.
                          But I'm also trying to connect to a second one. But this fails.

                          I get precisely the same error message. I was wondering if anyone had an idea what causes the problem.
                          • 10. Re: Configuring Active Directory with Weblogic 8.1 SP4
                            666705
                            Hi everyone

                            I have configured the AD but now it is showing all the groups and repeating same set of users in all groups.

                            Please help me out

                            Thanks
                            • 11. Re: Configuring Active Directory with Weblogic 8.1 SP4
                              666705
                              Hi All,

                              I am configuring Active Directory with Weblogic 8.1 SP6. We have an application running on the weblogic server and a company central LDAP directory. Our aim is to use a userid stored in the central LDAP to log in to the application.

                              I configured my weblogic server to link to the central LDAP. The very first question is whether I can assign a group in the weblogic default authentication provider to a user in the central LDAP. Now I can list users from both providers but can only list groups in the weblogic embedded LDAP.

                              I tried the following two setting:

                              <weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
                              ControlFlag="SUFFICIENT"
                              Credential="{3DES}apq3M/nRorNTLncvInk2CA=="
                              DisplayName="ABC"
                              GroupBaseDN="OU=Users,OU=ccc_ldn,OU=ccc_gb,OU=ccc,DC=eur,DC=nsroot,DC=net"

                              GroupFromNameFilter="(|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=groupOfURLs)))"
                              Host="eurdcln001.eur.nsroot.net"
                              Name="Security:Name=myrealmCiti"
                              Principal="cn=yl56661,OU=Users,OU=ccc_ldn,OU=ccc_gb,OU=ccc,DC=eur,DC=nsroot,DC=net"
                              Realm="Security:Name=myrealm"

                              StaticGroupDNsfromMemberDNFilter="(&(uniquemember=%M)(objectclass=groupofuniquenames))"
                              StaticGroupObjectClass="groupofuniquenames"

                              UserBaseDN="OU=Users,OU=ccc_ldn,OU=ccc_gb,OU=ccc,DC=eur,DC=nsroot,DC=net"
                              UserFromNameFilter="(&(uid=%u)(objectclass=person))"
                              UserNameAttribute="sAMAccountName"
                              UserObjectClass="user"/>

                              and

                              <weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
                              ControlFlag="SUFFICIENT"
                              Credential="{3DES}apq3M/nRorNTLncvInk2CA=="
                              DisplayName="ABC"
                              GroupBaseDN="OU=Users,OU=ccc_ldn,OU=ccc_gb,OU=ccc,DC=eur,DC=nsroot,DC=net"
                              Host="eurdcln001.eur.nsroot.net"
                              Name="Security:Name=myrealmCiti"
                              Principal="cn=yl56661,OU=Users,OU=ccc_ldn,OU=ccc_gb,OU=cit,DC=eur,DC=nsroot,DC=net"
                              Realm="Security:Name=myrealm"
                              UserBaseDN="OU=Users,OU=ccc_ldn,OU=ccc_gb,OU=ccc,DC=eur,DC=nsroot,DC=net"
                              UserFromNameFilter="(&(cn=%u)(objectclass=user))"
                              UserNameAttribute="sAMAccountName" UserObjectClass="user"/>

                              If anyone knows the answers, please help.

                              Thanks
                              • 12. Re: Configuring Active Directory with Weblogic 8.1 SP4
                                666705
                                Your group base DN is same as the user base DN. That doesn't look correct. That could be the reason why you are not pulling any groups from AD. Double check your group base DN with your AD team and try it again without modifying any other attributes under "Groups" tab.

                                And I don't think it's possible to add a group in Embedded LDAP to a user in AD; the group also has to be in the AD. And BTW, even if both users and groups are in AD, the Principal you are using to connect to AD should have permissions to modify settings in the AD; usually you get read-only access.
                                • 13. Re: Configuring Active Directory with Weblogic 8.1 SP4
                                  666705
                                  actually

                                  User Name Attribute and User From Name Filter should be the same for the filter to work

                                  e.g., User Name Attribute: mail
                                  User From Name Filter:(&(mail=%u)(objectclass=user))
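
An added example, not part of any reply in this thread: a small offline check for the consistency point made in reply 13 (the User Name Attribute should be the attribute the User From Name Filter compares to %u), which also flags a base DN whose DC components differ from the bind Principal's, as in the settings posted in reply 8. The dictionary keys follow the attribute names in reply 11's XML; the function names, finding codes and the REPLY_4_VARIANT sample are assumptions made for illustration.

```python
import re

def dn_parts(dn):
    """Split a DN into lower-cased (attribute, value) pairs; escaped commas are not handled."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1))
            for rdn in dn.split(",") if "=" in rdn]

def domain_of(dn):
    """Join the DC components of a DN, e.g. 'testing.com'."""
    return ".".join(v for a, v in dn_parts(dn) if a == "dc")

def placeholder_attrs(ldap_filter, placeholder="%u"):
    """Attributes that the filter compares against the placeholder."""
    pattern = r"\(\s*([\w;-]+)\s*=\s*" + re.escape(placeholder) + r"\s*\)"
    return {a.lower() for a in re.findall(pattern, ldap_filter)}

def lint(cfg):
    """Return (code, detail) findings for one authenticator configuration."""
    findings = []
    name_attr = cfg["UserNameAttribute"].lower()
    attrs = placeholder_attrs(cfg["UserFromNameFilter"])
    if not attrs:
        findings.append(("filter-missing-placeholder",
                         "no (attr=%u) term: the filter does not select by login name"))
    elif name_attr not in attrs:
        findings.append(("name-attr-mismatch",
                         f"name attribute {name_attr}, filter uses {sorted(attrs)}"))
    bind_domain = domain_of(cfg["Principal"])
    for key in ("UserBaseDN", "GroupBaseDN"):
        if domain_of(cfg[key]) != bind_domain:
            findings.append((f"domain-mismatch:{key}",
                             f"{domain_of(cfg[key])} vs bind domain {bind_domain}"))
    return findings

# Settings as posted in reply 8 (credential omitted).
REPLY_8 = {
    "Principal": "CN=Administrator,CN=Users,DC=TESTING,DC=COM",
    "UserNameAttribute": "sAMAccountName",
    "UserBaseDN": "OU=users,DC=TESTING,DC=COM",
    "UserFromNameFilter": "(&(objectclass=user))",
    "GroupBaseDN": "OU=users,DC=GHQTESTING,DC=COM",
}
# Constructed sample: reply 5's filter and group base DN with only the name
# attribute switched to sAMAccountName, as reply 4 describes.
REPLY_4_VARIANT = dict(REPLY_8, UserFromNameFilter="(&(cn=%u)(objectclass=user))",
                       GroupBaseDN="dc=TESTING,dc=COM")

if __name__ == "__main__":
    for name, cfg in (("reply 8", REPLY_8), ("reply 4 variant", REPLY_4_VARIANT)):
        for code, detail in lint(cfg):
            print(f"{name}: {code}: {detail}")
```

The check only compares strings in the configuration; it does not contact the directory, so a clean result still needs to be confirmed against the real AD tree.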