12 Replies Latest reply: Oct 4, 2010 3:49 PM by 638959

    LDAP authenticator setting in Weblogic 10

    user1001811
      Hi there,

      I am a newbie to WebLogic. I am migrating an application from OAS to WebLogic 10. The application is using LDAP for login. I am having trouble setting up those users in the WebLogic console.

      Here is what I did:

      In web.xml:
      <security-constraint>
        <display-name>Example Security Constraint</display-name>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>*</url-pattern>
          <http-method>*</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>UserRole</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>RegularUser</realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/loginerror.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
        <role-name>UserRole</role-name>
      </security-role>

      In weblogic.xml:
      <?xml version="1.0" encoding="windows-1252"?>
      <weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
        <security-role-assignment>
          <role-name>UserRole</role-name>
          <externally-defined/>
        </security-role-assignment>
      </weblogic-web-app>

      In the WebLogic console, I created a new realm called RegularUser and set up an LDAP authenticator. The User Base DN is ou=axxx,dc=bxxx,dc=cxx. I can already see those users in the user list.

      Did I miss any step?

      Thanks
        • 1. Re: LDAP authenticator setting in Weblogic 10
          Faisal Khan
          Can you paste your config.xml?

          How did you deploy your application?
          Did you select Custom Roles at the time of deployment?

          -Faisal
          • 2. Re: LDAP authenticator setting in Weblogic 10
            René van Wijk
            When you look at the documentation of the element externally-defined:

            Specifies that a particular security role is defined globally in a
            security realm; WebLogic Server uses this security role as the
            principal name, rather than looking it up in a global realm.
            When the security role and its principal-name mapping are
            defined elsewhere, this is used as an indicative placeholder.

            If I understand this correctly, this means that your UserRole will be used as the principal name.
            Do you have any users or groups in your LDAP which are called UserRole? If not,
            it is better to use the element principal-name and map the users and groups to the role, for example:
            <security-role-assignment>
              <role-name>UserRole</role-name>
              <principal-name>SomeGroupDefinedInYourLDAPServer</principal-name>
              <principal-name>SomeUserDefinedInYourLDAPServer</principal-name>
            </security-role-assignment>
            • 3. Re: LDAP authenticator setting in Weblogic 10
              user1001811
              René, Thanks.

              How do I map users and groups in LDAP (ou=a, dc=b, dc=c) to a group called UserRole?
              • 4. Re: LDAP authenticator setting in Weblogic 10
                user1001811
                Thanks, Faisal.

                Here is my config.xml. Do I need to select Custom Roles at the time of deployment? I manually deployed the application in the console.

                <?xml version='1.0' encoding='UTF-8'?>
                <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
                  <name>myTestDomain</name>
                  <domain-version>10.3.3.0</domain-version>
                  <security-configuration>
                    <name>myTestDomain</name>
                    <!-- first realm: myrealm, the domain's default realm -->
                    <realm>
                      <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
                      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
                        <sec:active-type>AuthenticatedUser</sec:active-type>
                      </sec:authentication-provider>
                      <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
                        <sec:name>RegularUsers</sec:name>
                        <sec:control-flag>OPTIONAL</sec:control-flag>
                        <wls:host>holdap1.abc.org</wls:host>
                        <wls:user-object-class>user</wls:user-object-class>
                        <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
                        <wls:principal>ldapviewsd</wls:principal>
                        <wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
                        <wls:credential-encrypted>{AES}5dVfr76v1nSUvb8iMBO5e1WxZG5BA/M3MWZvNxDVMO4=</wls:credential-encrypted>
                        <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
                        <wls:group-base-dn>ou=a,dc=b,dc=c</wls:group-base-dn>
                        <wls:group-from-name-filter>(&amp;(cn=%g)(objectclass=group))</wls:group-from-name-filter>
                        <wls:static-group-object-class>group</wls:static-group-object-class>
                        <wls:static-member-dn-attribute>member</wls:static-member-dn-attribute>
                        <wls:static-group-dns-from-member-dn-filter>(&amp;(member=%M)(objectclass=group))</wls:static-group-dns-from-member-dn-filter>
                      </sec:authentication-provider>
                      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
                      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
                      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
                      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
                      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
                      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
                      <sec:name>myrealm</sec:name>
                      <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
                        <sec:name>SystemPasswordValidator</sec:name>
                        <pas:min-password-length>8</pas:min-password-length>
                        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
                      </sec:password-validator>
                    </realm>
                    <!-- second realm: RewardsUser, not the default realm -->
                    <realm>
                      <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
                        <sec:name>RewardsUser</sec:name>
                        <sec:control-flag>SUFFICIENT</sec:control-flag>
                        <wls:host>holdap1.abc.org</wls:host>
                        <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
                        <wls:principal>ldapviewsd</wls:principal>
                        <wls:user-base-dn>ou=a,dc=b,dc=c</wls:user-base-dn>
                        <wls:credential-encrypted>{AES}6mfAIvAqFASMkZ4yHygBe3AODqNyzYyLLePzCI2HTE0=</wls:credential-encrypted>
                        <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
                        <wls:group-base-dn>ou=a,dc=b,dc=c</wls:group-base-dn>
                        <wls:max-sid-to-group-lookups-in-cache>1500</wls:max-sid-to-group-lookups-in-cache>
                      </sec:authentication-provider>
                      <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
                      <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
                      <sec:deploy-credential-mapping-ignored>false</sec:deploy-credential-mapping-ignored>
                      <sec:security-dd-model>CustomRoles</sec:security-dd-model>
                      <sec:combined-role-mapping-enabled>true</sec:combined-role-mapping-enabled>
                      <sec:name>RewardsUser</sec:name>
                      <sec:delegate-m-bean-authorization>false</sec:delegate-m-bean-authorization>
                    </realm>
                    <default-realm>myrealm</default-realm>
                    <credential-encrypted>{AES}AOnncmyo+t9U78VAJHcbv8uiDUVggDlU55WY5xh6NukBIg3m2MK0In76UwCRuKdlVzHp9uWx/4uYZpkVQmq9Hqk3fTRZRx4dIuyU07siwupmYdq1UHttcgTIwqqKoaWn</credential-encrypted>
                    <node-manager-username>weblogic</node-manager-username>
                    <node-manager-password-encrypted>{AES}Yx0pabvYpXxQr7K7YRVB5B0f3Kyy8Lpn0cu1WQCXve8=</node-manager-password-encrypted>
                  </security-configuration>
                  <server>
                    <name>AdminServer</name>
                    <server-debug>
                      <debug-scope>
                        <name>weblogic.security.atn</name>
                        <enabled>true</enabled>
                      </debug-scope>
                      <debug-scope>
                        <name>weblogic.security.atz</name>
                        <enabled>true</enabled>
                      </debug-scope>
                      <debug-security-atn>true</debug-security-atn>
                      <debug-security-atz>true</debug-security-atz>
                      <debug-security-saml-atn>true</debug-security-saml-atn>
                      <debug-security-saml2-atn>true</debug-security-saml2-atn>
                    </server-debug>
                    <listen-address></listen-address>
                  </server>
                  <embedded-ldap>
                    <name>myTestDomain</name>
                    <credential-encrypted>{AES}Iidvc9S3UqScbvwktaeOZMYr4V9BQ4aU/T5z+npeFwiYEzUZi6iLF59pfpCNI0DQ</credential-encrypted>
                  </embedded-ldap>
                  <configuration-version>10.3.3.0</configuration-version>
                  <app-deployment>
                    <name>rewards</name>
                    <target>AdminServer</target>
                    <module-type>ear</module-type>
                    <source-path>servers\AdminServer\upload\rewards.ear</source-path>
                    <security-dd-model>DDOnly</security-dd-model>
                  </app-deployment>
                  <admin-server-name>AdminServer</admin-server-name>
                </domain>
                • 5. Re: LDAP authenticator setting in Weblogic 10
                  René van Wijk
                  For example, we define our security view in the application, i.e. in the web.xml when we are configuring a web application:
                  <security-constraint>
                          <web-resource-collection>
                              <web-resource-name>All</web-resource-name>
                              <url-pattern>faces/*</url-pattern>
                          </web-resource-collection>
                          <auth-constraint>
                              <role-name>MANAGER</role-name>
                              <role-name>EMPLOYEE</role-name>
                          </auth-constraint>
                          <user-data-constraint>
                              <transport-guarantee>NONE</transport-guarantee>
                          </user-data-constraint>
                  </security-constraint>
                  <login-config>
                          <auth-method>FORM</auth-method>
                          <form-login-config>
                              <form-login-page>/loginsecure.jspx</form-login-page>
                              <form-error-page>/loginsecure.jspx</form-error-page>
                          </form-login-config>
                  </login-config>
                  <security-role>
                          <role-name>MANAGER</role-name>
                  </security-role>
                  <security-role>
                          <role-name>EMPLOYEE</role-name>
                  </security-role>
                  In this case we have defined two roles for the URL /faces/*. So now when a user tries
                  to access this URL, the application server detects this and sends the loginsecure
                  page to ask the user for a username and password. These are sent back to the
                  application server and now your LDAP comes into play. The LDAP server contains
                  the user, or the group, to which this username and password belong.

                  Now we need to tell the WebLogic Security Framework what this recognized user
                  or group may do in our application. That is why we have defined the roles.
                  By using the deployment override weblogic.xml we can map the principal (user or group)
                  to a role defined in the application. For example, say the LDAP server has a user called
                  someone and a group called employees. To map these principals to the defined roles
                  in our application we can add the following to the weblogic.xml file:
                  <security-role-assignment>
                          <role-name>EMPLOYEE</role-name>
                          <principal-name>employees</principal-name>
                  </security-role-assignment>
                  <security-role-assignment>
                          <role-name>MANAGER</role-name>
                          <principal-name>someone</principal-name>
                  </security-role-assignment>
                  Thus the roles are defined by your web.xml file (your application) while the users and groups
                  are defined in the LDAP server.
                  • 6. Re: LDAP authenticator setting in Weblogic 10
                    638959
                    Hi Rene, I'm facing the same problem. If I configure the principal in weblogic.xml, similar to <principal-name>someone</principal-name>, it works fine; the user 'someone' logs in successfully.

                    However, for an enterprise application it's too much work if I have to add every person in weblogic.xml. Is there any other solution? I've set up a role in my LDAP that corresponds to the role defined in <auth-constraint/> in web.xml, but it does not work. It'll be great if you could shed some light here, thanks!
                    • 7. Re: LDAP authenticator setting in Weblogic 10
                      sandeep_singh
                      Instead of adding each user within the principal name, you can use the group name and add all the users to that group.
                      E.g. make a group in LDAP, say SOMEONE_GROUP.
                      Assign the role that you want to give to this group, add all the users like someone to this SOMEONE_GROUP, and then you can use the group name as the principal name:
                      <principal-name>SOMEONE_GROUP</principal-name>

                      Thanks,
                      Sandeep
                      • 8. Re: LDAP authenticator setting in Weblogic 10
                        638959
                        Hi Sandeep, thanks for your advice, but I'm a WLS newbie. Can you provide more details on how to assign the role to the LDAP group?

                        In my LDAP, I've set up a group 'myGroup' with two members 'mark' and 'andy'; the ldif section is as follows:

                        dn: cn=myGroup,ou=groups,o=com,c=us
                        objectClass: top
                        objectClass: groupOfNames
                        member: cn=mark,ou=users,o=com,c=us
                        member: cn=andy,ou=users,o=com,c=us
                        cn: myGroup

                        How do I assign a role to 'myGroup' in WLS? I can see 'myGroup' in myrealm -> Users and Groups, but when I drill down to 'myGroup', there's no role assignment tab :(

                        Thanks!
                        • 9. Re: LDAP authenticator setting in Weblogic 10
                          René van Wijk
                          In weblogic.xml:
                          <security-role-assignment>
                                  <role-name>YOUR_ROLE</role-name>
                                  <principal-name>myGroup</principal-name>
                          </security-role-assignment>
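To check such a mapping before deploying, here is an added example (not code from the thread or from WebLogic) that resolves the weblogic.xml role assignments from post 9 against the group entry posted in post 8. It parses a minimal LDIF and a weblogic.xml fragment, expands group principals to their members, and flags a role whose principal (including the role name itself when <externally-defined/> is used) matches neither a user nor a group, which is the pitfall René describes above. The LDIF and weblogic.xml are constructed sample inputs.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.bea.com/ns/weblogic/weblogic-web-app"}

# Constructed LDIF: the group entry quoted in the thread above.
LDIF = """\
dn: cn=myGroup,ou=groups,o=com,c=us
objectClass: top
objectClass: groupOfNames
member: cn=mark,ou=users,o=com,c=us
member: cn=andy,ou=users,o=com,c=us
cn: myGroup
"""

# Constructed weblogic.xml: one role mapped to the group, one left <externally-defined/>.
WEBLOGIC_XML = f"""<weblogic-web-app xmlns="{NS['w']}">
  <security-role-assignment>
    <role-name>YOUR_ROLE</role-name>
    <principal-name>myGroup</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>UserRole</role-name>
    <externally-defined/>
  </security-role-assignment>
</weblogic-web-app>"""

def parse_groups(ldif):
    """Return {group cn: {member cn}} for every groupOfNames entry in a minimal LDIF."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        if "groupOfNames" in attrs.get("objectClass", []):
            # member values are DNs; their leading cn is the name WebLogic sees as the user
            groups[attrs["cn"][0]] = {m.split(",")[0].split("=", 1)[1] for m in attrs.get("member", [])}
    return groups

def resolve_roles(weblogic_xml, groups):
    """Map each role to the users who hold it; None when a principal is unknown to LDAP."""
    users = set().union(*groups.values())
    result = {}
    for sra in ET.fromstring(weblogic_xml).findall("w:security-role-assignment", NS):
        role = sra.find("w:role-name", NS).text
        # <externally-defined/> makes WebLogic use the role name itself as the principal name
        if sra.find("w:externally-defined", NS) is not None:
            principals = [role]
        else:
            principals = [p.text for p in sra.findall("w:principal-name", NS)]
        if all(p in groups or p in users for p in principals):
            result[role] = set().union(*(groups.get(p, {p}) for p in principals))
        else:
            result[role] = None  # no such user or group exists, so nobody ever holds this role
    return result
```

With the sample inputs, YOUR_ROLE resolves to mark and andy, while UserRole resolves to None because no LDAP user or group is called UserRole.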
                          • 10. Re: LDAP authenticator setting in Weblogic 10
                            sandeep_singh
                            You will have to go to:
                            Home >> Summary of Security Realms >> myrealm >> Roles and Policies tab.
                            Expand the Global Roles tree.
                            Take any of the available roles, let us say Admin.
                            Click on "view and modify roles".
                            Under Role Conditions, click on Add Condition.
                            From the list, select Group.
                            Then under the group name type: mygroup
                            Click Add.
                            Then choose "or" to add multiple groups to a single role.

                            Click on Save.
                            You might have to restart the server after making changes to the roles.

                            Thanks,
                            Sandeep
                            • 11. Re: LDAP authenticator setting in Weblogic 10
                              user1001811
                              I have fixed the issue. As I found in the documentation, FORM authentication has to use the default realm.

                              Thank you all for the help anyway.
                              • 12. Re: LDAP authenticator setting in Weblogic 10
                                638959
                                Finally, that works! Thanks a lot Sandeep and Rene!!!