Discussions
Categories
- 17.9K All Categories
- 3.4K Industry Applications
- 3.4K Intelligent Advisor
- 73 Insurance
- 537.3K On-Premises Infrastructure
- 138.6K Analytics Software
- 38.6K Application Development Software
- 6K Cloud Platform
- 109.6K Database Software
- 17.6K Enterprise Manager
- 8.8K Hardware
- 71.2K Infrastructure Software
- 105.3K Integration
- 41.6K Security Software
WebLogic integration with Active Directory for authentication provider
I am configuring WebLogic 12c with Active Directory as a Provider and have few questions if someone has done a WebLogic integration with Active Directory.
For the WebLogic Provider configuration 1), 2), 3)
1) Host: For the hostname of the Active Directory Domain Controller, can we put multiple hosts, comma separated? Since there are multiple domain controllers.
2) User DN: Can we provide the base DN of the users in AD (like DN=Users, dc=example,dc=com). Is this top level DN allowed? (Note, we tested with one user first and provided his particular DN. Since the users are spread across various OU we wanted to make sure authentication works fine for one user, which does work fine)
3) Group DN: Do we require a special group in AD where all the users can be put in? And this group needs to be put in the Group info in the WebLogic configuration in the Provider settings?
For weblogic.xml configuration
4) One of the step is configuring weblogic.xml file. Here we have provided username of a particular user and his particular DN, for a test and authentication works fine with below settings. However these settings are for a particular user. What needs to be put in for "principal-name" so that all/other users can also login? Similarly what needs to be put in for "role-name"?
<wls:security-role-assignment>
<wls:role-name>Valid Users</wls:role-name>
<wls:principal-name>userabc</wls:principal-name>
</wls:security-role-assignment>
Best Answer
-
I am not sure if the settings have changed for 12c but some help with an older version is
https://blogs.oracle.com/ardaeralp/configure-oracle-identity-manager-adldap-authentication
About users DN - you can very well point it to your base dn like dc=corp,dc=com ... and have a filter to limit searches to user objects like (objectclass=user). . Same goes for Group DN
Principle account is a service account of sorts and usually the DN of that account.
Answers
-
The details are provided in the following documentation :
https://docs.oracle.com/cd/E21764_01/web.1111/e13707/atn.htm#SECMG203
set the Domain Controllers attribute to
LISTand specify the names of the domain controllers in the Domain Controller List attribute for the trusted domains that you want to be used. Consider also whether to use explicit names for the local machine and local domain controller or if you want to use placeholders in the list for those. You can use the following placeholders in the Domain Controller List attribute: -
We will try using the LIST for Domain controllers. An example would help here.
Also if someone could provide what principal-name, role to be used for weblogic.xml?
-
I am not sure if the settings have changed for 12c but some help with an older version is
https://blogs.oracle.com/ardaeralp/configure-oracle-identity-manager-adldap-authentication
About users DN - you can very well point it to your base dn like dc=corp,dc=com ... and have a filter to limit searches to user objects like (objectclass=user). . Same goes for Group DN
Principle account is a service account of sorts and usually the DN of that account.