12 Replies. Latest reply: Oct 4, 2010 1:49 PM by 638959

LDAP authenticator setting in Weblogic 10

768384 Newbie
Hi there,

I am a newbie to weblogic. I am migrating an application from OAS to Weblogic 10. The application is using LDAP for login. I am having trouble setting up those users in the weblogic console.

Here is what I did:

in web.xml:
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>*</url-pattern>
<http-method>*</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>UserRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>RegularUser</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>

<security-role>
<role-name>UserRole</role-name>
</security-role>

In Weblogic.xml
<?xml version="1.0" encoding="windows-1252"?>
<weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
<security-role-assignment>
<role-name>UserRole</role-name>
<externally-defined/>
</security-role-assignment>
</weblogic-web-app>

In the Weblogic console, I created a new realm called RegularUser and set up an LDAP authenticator. The User Base DN is ou=axxx,dc=bxxx,dc=cxx. I can already see those users in the user list.

Did I miss any step?

Thanks
  • 1. Re: LDAP authenticator setting in Weblogic 10
    Faisal Khan Expert
    Can you paste your config.xml?

    How did you deploy your application?
    Did you select Custom Roles at the time of deployment?

    -Faisal
  • 2. Re: LDAP authenticator setting in Weblogic 10
    RenévanWijk Oracle ACE
    When you look at the documentation of the element externally-defined:

    Specifies that a particular security role is defined globally in a
    security realm; WebLogic Server uses this security role as the
    principal name, rather than looking it up in a global realm.
    When the security role and its principal-name mapping are
    defined elsewhere, this is used as an indicative placeholder.

    If I understand this correctly, this means that your UserRole will be used as the principal name.
    Do you have any users or groups in your LDAP configured which are called UserRole? If not,
    it is better to use the element principal-name and map the users and groups to the role, for example,
    <security-role-assignment>
      <role-name>UserRole</role-name>
      <principal-name>SomeGroupDefinedInYourLDAPServer</principal-name>
      <principal-name>SomeUserDefinedInYourLDAPServer</principal-name>
    </security-role-assignment>
  • 3. Re: LDAP authenticator setting in Weblogic 10
    768384 Newbie
    René, Thanks.

    How do I map users and groups in LDAP (ou=a, dc=b, dc=c) to a group called UserRole?
  • 4. Re: LDAP authenticator setting in Weblogic 10
    768384 Newbie
    Thanks, Faisal.

    Here is my config.xml. Do I need to select Custom Roles at the time of deployment? I manually deployed the application in console.

    <?xml version='1.0' encoding='UTF-8'?>
    <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
    <name>myTestDomain</name>
    <domain-version>10.3.3.0</domain-version>
    <security-configuration>
    <name>myTestDomain</name>
    <realm>
    <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:active-type>AuthenticatedUser</sec:active-type>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    <sec:name>RegularUsers</sec:name>
    <sec:control-flag>OPTIONAL</sec:control-flag>
    <wls:host>holdap1.abc.org</wls:host>
    <wls:user-object-class>user</wls:user-object-class>
    <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
    <wls:principal>ldapviewsd</wls:principal>
    <wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
    <wls:credential-encrypted>{AES}5dVfr76v1nSUvb8iMBO5e1WxZG5BA/M3MWZvNxDVMO4=</wls:credential-encrypted>
    <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
    <wls:group-base-dn>ou=a,dc=b,dc=c</wls:group-base-dn>
    <wls:group-from-name-filter>(&amp;(cn=%g)(objectclass=group))</wls:group-from-name-filter>
    <wls:static-group-object-class>group</wls:static-group-object-class>
    <wls:static-member-dn-attribute>member</wls:static-member-dn-attribute>
    <wls:static-group-dns-from-member-dn-filter>(&amp;(member=%M)(objectclass=group))</wls:static-group-dns-from-member-dn-filter>
    </sec:authentication-provider>
    <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
    <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
    <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
    <sec:name>myrealm</sec:name>
    <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
    <sec:name>SystemPasswordValidator</sec:name>
    <pas:min-password-length>8</pas:min-password-length>
    <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
    </sec:password-validator>
    </realm>
    <realm>
    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>RewardsUser</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:host>holdap1.abc.org</wls:host>
    <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
    <wls:principal>ldapviewsd</wls:principal>
    <wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
    <wls:credential-encrypted>{AES}6mfAIvAqFASMkZ4yHygBe3AODqNyzYyLLePzCI2HTE0=</wls:credential-encrypted>
    <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
    <wls:group-base-dn>ou=a,dc=bdc=c</wls:group-base-dn>
    <wls:max-sid-to-group-lookups-in-cache>1500</wls:max-sid-to-group-lookups-in-cache>
    </sec:authentication-provider>
    <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
    <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
    <sec:deploy-credential-mapping-ignored>false</sec:deploy-credential-mapping-ignored>
    <sec:security-dd-model>CustomRoles</sec:security-dd-model>
    <sec:combined-role-mapping-enabled>true</sec:combined-role-mapping-enabled>
    <sec:name>RewardsUser</sec:name>
    <sec:delegate-m-bean-authorization>false</sec:delegate-m-bean-authorization>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}AOnncmyo+t9U78VAJHcbv8uiDUVggDlU55WY5xh6NukBIg3m2MK0In76UwCRuKdlVzHp9uWx/4uYZpkVQmq9Hqk3fTRZRx4dIuyU07siwupmYdq1UHttcgTIwqqKoaWn</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{AES}Yx0pabvYpXxQr7K7YRVB5B0f3Kyy8Lpn0cu1WQCXve8=</node-manager-password-encrypted>
    </security-configuration>
    <server>
    <name>AdminServer</name>
    <server-debug>
    <debug-scope>
    <name>weblogic.security.atn</name>
    <enabled>true</enabled>
    </debug-scope>
    <debug-scope>
    <name>weblogic.security.atz</name>
    <enabled>true</enabled>
    </debug-scope>
    <debug-security-atn>true</debug-security-atn>
    <debug-security-atz>true</debug-security-atz>
    <debug-security-saml-atn>true</debug-security-saml-atn>
    <debug-security-saml2-atn>true</debug-security-saml2-atn>
    </server-debug>
    <listen-address></listen-address>
    </server>
    <embedded-ldap>
    <name>myTestDomain</name>
    <credential-encrypted>{AES}Iidvc9S3UqScbvwktaeOZMYr4V9BQ4aU/T5z+npeFwiYEzUZi6iLF59pfpCNI0DQ</credential-encrypted>
    </embedded-ldap>
    <configuration-version>10.3.3.0</configuration-version>
    <app-deployment>
    <name>rewards</name>
    <target>AdminServer</target>
    <module-type>ear</module-type>
    <source-path>servers\AdminServer\upload\rewards.ear</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <admin-server-name>AdminServer</admin-server-name>
    </domain>
  • 5. Re: LDAP authenticator setting in Weblogic 10
    RenévanWijk Oracle ACE
    For example, we define our security view in the application, i.e. in the web.xml when we are configuring a web application:
    <security-constraint>
            <web-resource-collection>
                <web-resource-name>All</web-resource-name>
                <url-pattern>faces/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>MANAGER</role-name>
                <role-name>EMPLOYEE</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
    </security-constraint>
    <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/loginsecure.jspx</form-login-page>
                <form-error-page>/loginsecure.jspx</form-error-page>
            </form-login-config>
    </login-config>
    <security-role>
            <role-name>MANAGER</role-name>
    </security-role>
    <security-role>
            <role-name>EMPLOYEE</role-name>
    </security-role>
    In this case we have defined two roles for the URL /faces/*. So now when a user tries
    to access this URL, the application server detects this and sends the loginsecure
    page to ask the user for a username and password. These are sent back to the
    application server and now your LDAP comes into play. The LDAP server contains
    the user or group to which this username and password belongs.

    Now we need to tell the WebLogic Security Framework what this recognized user
    or group may do in our application. That is why we have defined the roles.
    By using the deployment override weblogic.xml we can map the principal (user or group)
    to a role defined in the application. For example, say the LDAP server has a user called
    someone and a group called employees. To map these principals to the roles defined
    in our application we can add the following to the weblogic.xml file:
    <security-role-assignment>
            <role-name>EMPLOYEE</role-name>
            <principal-name>employees</principal-name>
    </security-role-assignment>
    <security-role-assignment>
            <role-name>MANAGER</role-name>
            <principal-name>someone</principal-name>
    </security-role-assignment>
    Thus the roles are defined by your web.xml file (your application) while the user and groups
    are defined in the LDAP server.
  • 6. Re: LDAP authenticator setting in Weblogic 10
    638959 Newbie
    Hi Rene, I'm facing the same problem. If I configure the principal in weblogic.xml, similar to <principal-name>someone</principal-name>, it works fine: the user 'someone' logs in successfully.

    However, for an enterprise application it's too much work if I have to add every person in weblogic.xml. Is there any other solution? I've set up a role in my LDAP that corresponds to the role defined in <auth-constraint/> in web.xml, but it does not work. It'll be great if you could shed some light here, thanks!
  • 7. Re: LDAP authenticator setting in Weblogic 10
    sandeep_singh Pro
    Instead of adding each user within the principal name you can use the group name and add all the users to that group.
    e.g.: make a group in LDAP, say SOMEONE_GROUP.
    Assign the role that you want to give to this group, add all the users like someone to this SOMEONE_GROUP, and then you can use the group name as the principal name:
    <principal-name>SOMEONE_GROUP</principal-name>

    Thanks,
    Sandeep
  • 8. Re: LDAP authenticator setting in Weblogic 10
    638959 Newbie
    Hi Sandeep, thanks for your advice, but I'm a WLS newbie. Can you provide more details on how to assign the role to the LDAP group?

    In my LDAP, I've set up a group 'myGroup' with two members 'mark' and 'andy'. The LDIF section is as follows:

    dn: cn=myGroup,ou=groups,o=com,c=us
    objectClass: top
    objectClass: groupOfNames
    member: cn=mark,ou=users,o=com,c=us
    member: cn=andy,ou=users,o=com,c=us
    cn: myGroup

    How do I assign a role to 'myGroup' in WLS? I can see 'myGroup' in myrealm->users and groups, but when I drill down to 'myGroup', there's no role assignment tab :(

    Thanks!
  • 9. Re: LDAP authenticator setting in Weblogic 10
    RenévanWijk Oracle ACE
    In weblogic.xml
    <security-role-assignment>
            <role-name>YOUR_ROLE</role-name>
            <principal-name>myGroup</principal-name>
    </security-role-assignment>
  • 10. Re: LDAP authenticator setting in Weblogic 10
    sandeep_singh Pro
    You will have to go to:
    Home >> Summary of Security Realms >> myrealm >> Roles and Policies tab:
    Expand the Global Roles tree:
    take any of the available roles, let us say: Admin
    Click on the view and modify roles:
    under Role Conditions: Click on Add Condition:
    From the list: select Groups
    Then under the Group name type: mygroup
    Click Add
    Then choose "or" to add multiple groups to a single role.

    Click on save.
    You might have to restart the server after making changes to the roles.

    Thanks,
    Sandeep
  • 11. Re: LDAP authenticator setting in Weblogic 10
    768384 Newbie
    I have fixed the issue. As I found in the documentation, FORM authentication has to use the default realm.

    Thank you all for the help anyway.
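The thread turns on two checks: that every role named in an auth-constraint is bound to an LDAP principal in weblogic.xml (René's reply 5), and that the LDAP authenticator lives in the realm that default-realm points to (the resolution in reply 11). The following script is an added example, not code from the thread or from Oracle; the descriptor fragments inside it are constructed to mirror the files posted above.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip the namespace: "{http://...}role-name" -> "role-name"
    return tag.rsplit("}", 1)[-1]

def _all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def unmapped_roles(web_xml, weblogic_xml):
    # Roles used in <auth-constraint> that weblogic.xml never binds to a
    # <principal-name>; <externally-defined/> counts as unbound here, since
    # the role must then exist as a global role of the same name in the realm.
    required = set()
    for ac in _all(ET.fromstring(web_xml), "auth-constraint"):
        required.update(r.text.strip() for r in _all(ac, "role-name"))
    mapped = set()
    for sra in _all(ET.fromstring(weblogic_xml), "security-role-assignment"):
        if _all(sra, "principal-name"):
            mapped.update(r.text.strip() for r in _all(sra, "role-name"))
    return sorted(required - mapped)

def provider_in_default_realm(config_xml, provider_name):
    # FORM login only consults <default-realm>, so the LDAP authenticator
    # must be configured inside that realm, not in a separately created one.
    dom = ET.fromstring(config_xml)
    default = _all(dom, "default-realm")[0].text.strip()
    for realm in _all(dom, "realm"):
        # A realm's own name is its direct <sec:name> child
        rname = next((c.text.strip() for c in realm if _local(c.tag) == "name"), None)
        for prov in _all(realm, "authentication-provider"):
            pname = next((c.text.strip() for c in prov if _local(c.tag) == "name"), None)
            if pname == provider_name:
                return rname == default
    return False

# Constructed descriptors mirroring the thread (not the poster's real files)
WEB_XML = """<web-app><security-constraint><auth-constraint>
<role-name>UserRole</role-name></auth-constraint></security-constraint>
<security-role><role-name>UserRole</role-name></security-role></web-app>"""
WEBLOGIC_EXT = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
<security-role-assignment><role-name>UserRole</role-name><externally-defined/>
</security-role-assignment></weblogic-web-app>"""
WEBLOGIC_GROUP = WEBLOGIC_EXT.replace("<externally-defined/>", "<principal-name>myGroup</principal-name>")
CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
 xmlns:sec="http://xmlns.oracle.com/weblogic/security"><security-configuration>
<realm><sec:name>myrealm</sec:name></realm>
<realm><sec:authentication-provider><sec:name>RegularUsers</sec:name>
</sec:authentication-provider><sec:name>RegularUser</sec:name></realm>
<default-realm>myrealm</default-realm></security-configuration></domain>"""
```

Run against real files by reading them into the two checks; a non-empty list from unmapped_roles or False from provider_in_default_realm reproduces the two failure modes discussed in this thread.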
  • 12. Re: LDAP authenticator setting in Weblogic 10
    638959 Newbie
    Finally that works! Thanks a lot Sandeep and Rene!!!
