2 Replies Latest reply on Jun 6, 2011 11:10 AM by Faisal WebLogic Wonders

    Active Directory and Role Mapping

    scoldham
I am running weblogic 10.3.3.0 and I believe I have a properly configured security realm (named libertyRealm) which provides authentication using principals from our Windows Server 2008 AD environment. As part of the configuration, I have created a condition in the Admin global role such that any user in the group WeblogicAdmins should have the Admin role applied. Most everything seems to be working.

But, for some reason I do not understand, it does not appear that the role mapping on the AD groups is applying. The console gives me a warning that the group does not exist when I create the condition mentioned above; however, I know that weblogic can see the AD group, because when I look under the realm's groups in the admin console, all the groups from my group base DN show.

A symptom of the error is that neither the admin console nor any managed node will start with the AD user that is in my WeblogicAdmins group after I switch. The log verifies that the user authenticates successfully, but I get what equates to an access denied error on attempted server start.

In short: How do I map WLS global roles to an AD group / user? What am I doing wrong?

      Below is a masked copy of both the sample errors and my domain's security configuration.

      ####<May 31, 2011 9:54:07 AM EDT> <Notice> <Security> <weblogicadmindev.domain.tld> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1306850047780> <BEA-090082> <Security initializing using security realm libertyRealm.>
      ####<May 31, 2011 9:54:07 AM EDT> <Notice> <Security> <weblogicadmindev.domain.tld> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1306850047895> <BEA-090083> <Storing boot identity in the file: /u01/oracle/middleware/domains/liberty_dev/servers/AdminServer/security/boot.properties>
      ####<May 31, 2011 9:54:08 AM EDT> <Critical> <Security> <weblogicadmindev.domain.tld> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1306850048046> <BEA-090404> <User weblogicdevadmin is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.>
      ####<May 31, 2011 9:54:08 AM EDT> <Critical> <WebLogicServer> <weblogicadmindev.domain.tld> <AdminServer> <Main Thread> <<WLS Kernel>> <> <> <1306850048050> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: User weblogicdevadmin is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.
      weblogic.security.SecurityInitializationException: User weblogicdevadmin is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.
      at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:1009)
      at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
      at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
      at weblogic.security.SecurityService.start(SecurityService.java:141)
      at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
      >
      ####<May 31, 2011 9:54:08 AM EDT> <Notice> <WebLogicServer> <weblogicadmindev.domain.tld> <AdminServer> <Main Thread> <<WLS Kernel>> <> <> <1306850048097> <BEA-000365> <Server state changed to FAILED>
      ####<May 31, 2011 9:54:08 AM EDT> <Error> <WebLogicServer> <weblogicadmindev.domain.tld> <AdminServer> <Main Thread> <<WLS Kernel>> <> <> <1306850048098> <BEA-000383> <A critical service failed. The server will shut itself down>
      ####<May 31, 2011 9:54:08 AM EDT> <Notice> <WebLogicServer> <weblogicadmindev.domain.tld> <AdminServer> <Main Thread> <<WLS Kernel>> <> <> <1306850048101> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
      ####<May 31, 2011 9:54:08 AM EDT> <Info> <WebLogicServer> <weblogicadmindev.domain.tld> <AdminServer> <Main Thread> <<WLS Kernel>> <> <> <1306850048114> <BEA-000236> <Stopping execute threads.>

      <security-configuration>
        <name>liberty_dev</name>
        <realm>
          <sec:authentication-provider xsi:type="wls:default-authenticatorType">
            <sec:control-flag>SUFFICIENT</sec:control-flag>
          </sec:authentication-provider>
          <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
            <sec:active-type>AuthenticatedUser</sec:active-type>
          </sec:authentication-provider>
          <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
          <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
          <sec:adjudicator xsi:type="wls:default-adjudicatorType">
            <wls:require-unanimous-permit>false</wls:require-unanimous-permit>
          </sec:adjudicator>
          <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
          <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
          <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
          <sec:name>myrealm</sec:name>
          <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
            <sec:name>SystemPasswordValidator</sec:name>
            <pas:min-password-length>8</pas:min-password-length>
            <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
          </sec:password-validator>
        </realm>
        <realm>
          <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
            <sec:name>universityAuthenticator</sec:name>
            <sec:control-flag>SUFFICIENT</sec:control-flag>
            <wls:host>domain.tld</wls:host>
            <wls:user-object-class>user</wls:user-object-class>
            <wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
            <wls:principal>sensenet\wlbind</wls:principal>
            <wls:user-base-dn>ou=FSA,dc=**,dc=domain,dc=tld</wls:user-base-dn>
            <wls:credential-encrypted>{AES}***=</wls:credential-encrypted>
            <wls:user-from-name-filter>(&amp;(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
            <wls:all-users-filter>(memberOf=cn=**,ou=**,dc=domain,dc=tld)</wls:all-users-filter>
            <wls:group-base-dn>ou=**,dc=domain,dc=tld</wls:group-base-dn>
            <wls:use-retrieved-user-name-as-principal>true</wls:use-retrieved-user-name-as-principal>
          </sec:authentication-provider>
          <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType">
            <sec:name>libertyMapProvider</sec:name>
          </sec:role-mapper>
          <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType">
            <sec:name>libertyAuthorization</sec:name>
          </sec:authorizer>
          <sec:credential-mapper xsi:type="wls:default-credential-mapperType">
            <sec:name>libertyCredentialMapper</sec:name>
            <sec:credential-mapping-deployment-enabled>false</sec:credential-mapping-deployment-enabled>
          </sec:credential-mapper>
          <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType">
            <sec:name>WebLogicCertPathProvider</sec:name>
          </sec:cert-path-provider>
          <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
          <sec:deploy-credential-mapping-ignored>false</sec:deploy-credential-mapping-ignored>
          <sec:name>libertyRealm</sec:name>
        </realm>
        <default-realm>myrealm</default-realm>
        <anonymous-admin-lookup-enabled>false</anonymous-admin-lookup-enabled>
        <credential-encrypted>{AES}***</credential-encrypted>
        <node-manager-username>do2jcEJcnH</node-manager-username>
        <node-manager-password-encrypted>{AES}***=</node-manager-password-encrypted>
        <cross-domain-security-enabled>false</cross-domain-security-enabled>
      </security-configuration>

      Any assistance is appreciated.
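Two realm-level facts in the posted fragment decide whether an AD boot identity can get the Admin role at all: a server boots and evaluates global roles against the realm named in `<default-realm>` only, and the embedded-LDAP users and groups (including the `Administrators` group the Admin role is mapped to out of the box) exist only where a DefaultAuthenticator is configured. In the fragment above `<default-realm>` is still `myrealm` while the AD authenticator lives in `libertyRealm`, and `libertyRealm` has no DefaultAuthenticator. The following is an added check, not code from the post or from Oracle: it parses an abridged copy of the posted fragment and reports those conditions. The `<domain>` wrapper with namespace declarations is assumed so the fragment parses stand-alone; the default control flag of `OPTIONAL` is the MBean default.

```python
"""Lint the realm layout of a WebLogic <security-configuration> for the
conditions an AD-based boot identity depends on. Added example for this
thread; SAMPLE is the poster's masked fragment, abridged, wrapped in a
<domain> element with the namespace declarations a 10.3 config.xml carries
(assumed here so that it parses)."""
import xml.etree.ElementTree as ET

NS = {
    "d": "http://xmlns.oracle.com/weblogic/domain",
    "sec": "http://xmlns.oracle.com/weblogic/security",
    "wls": "http://xmlns.oracle.com/weblogic/security/wls",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

SAMPLE = """<domain xmlns="%(d)s" xmlns:sec="%(sec)s" xmlns:wls="%(wls)s" xmlns:xsi="%(xsi)s">
  <security-configuration>
    <name>liberty_dev</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType">
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"/>
      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"/>
      <sec:name>myrealm</sec:name>
    </realm>
    <realm>
      <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
        <sec:name>universityAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
        <wls:host>domain.tld</wls:host>
        <wls:user-base-dn>ou=FSA,dc=**,dc=domain,dc=tld</wls:user-base-dn>
        <wls:group-base-dn>ou=**,dc=domain,dc=tld</wls:group-base-dn>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType">
        <sec:name>libertyMapProvider</sec:name>
      </sec:role-mapper>
      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType">
        <sec:name>libertyAuthorization</sec:name>
      </sec:authorizer>
      <sec:name>libertyRealm</sec:name>
    </realm>
    <default-realm>myrealm</default-realm>
  </security-configuration>
</domain>""" % NS


def realm_layout(config_xml):
    """Return (default_realm, {realm_name: {"authn": [(type, control_flag)],
    "role_mapper": bool, "authorizer": bool}})."""
    sec_cfg = ET.fromstring(config_xml).find("d:security-configuration", NS)
    default_realm = sec_cfg.findtext("d:default-realm", namespaces=NS)
    realms = {}
    for realm in sec_cfg.findall("d:realm", NS):
        authn = []
        for p in realm.findall("sec:authentication-provider", NS):
            ptype = p.get(XSI_TYPE, "").split(":")[-1]   # e.g. active-directory-authenticatorType
            flag = p.findtext("sec:control-flag", default="OPTIONAL", namespaces=NS)
            authn.append((ptype, flag))
        realms[realm.findtext("sec:name", namespaces=NS)] = {
            "authn": authn,
            "role_mapper": realm.find("sec:role-mapper", NS) is not None,
            "authorizer": realm.find("sec:authorizer", NS) is not None,
        }
    return default_realm, realms


def lint(config_xml):
    """Findings about the realm(s) holding an AD authenticator."""
    default_realm, realms = realm_layout(config_xml)
    if default_realm not in realms:
        return [f"default-realm {default_realm!r} names no configured realm"]
    findings = []
    for name, realm in realms.items():
        types = {t for t, _ in realm["authn"]}
        if not (realm["role_mapper"] and realm["authorizer"]):
            findings.append(f"{name}: missing role mapper or authorizer")
        if "active-directory-authenticatorType" not in types:
            continue
        if name != default_realm:
            findings.append(f"{name} holds the AD authenticator but default-realm is {default_realm}; "
                            "servers boot and evaluate global roles against the default realm only")
        if "default-authenticatorType" not in types:
            findings.append(f"{name} has no DefaultAuthenticator: embedded-LDAP users and groups "
                            "(Administrators, the domain-creation boot user) do not exist in this realm, "
                            "so the boot identity must be an AD user whose AD group maps to Admin")
        elif ("default-authenticatorType", "REQUIRED") in realm["authn"]:
            findings.append(f"{name}: DefaultAuthenticator is REQUIRED, so AD-only users fail login; "
                            "use SUFFICIENT for both authenticators")
        if "default-identity-asserterType" not in types:
            findings.append(f"{name} has no DefaultIdentityAsserter (the default realm has one for "
                            "the AuthenticatedUser token); review before switching realms")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("-", finding)
```

Run against the real `config.xml` (pass the whole file; only `<security-configuration>` is read) before and after switching `<default-realm>`. Once `libertyRealm` is the default realm, the identity in `boot.properties` has to be an AD user, and the Admin role condition has to be satisfied by a group principal the AD authenticator resolves for that user; the bind account in `<wls:principal>` plays no part in that.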
        • 1. Re: Active Directory and Role Mapping
          scoldham
          After turning up debugging logs and doing some more in depth troubleshooting, it appears that my problem may be related to the behavior of the built in XACML role mapping provider.

It is apparent in the debug logs that the role mapper does not even attempt to match the condition which maps the AD group to the admin role. Given this, is there any way, outside of using a custom role mapping provider, that the built-in XACML role mapping provider can be configured to check for group conditions involving groups that are not in the embedded LDAP?
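The XACML role mapper does not consult LDAP at all: a group condition on a global role is matched against the group principals already in the subject, and those are whatever the LDAP authenticator resolved at login. The console's group list, by contrast, comes from `all-groups-filter` under `group-base-dn`, while the login's group principals come from `static-group-dns-from-member-dn-filter` with `%M` replaced by the user's DN, searched under the same base. A group can therefore be visible in the console and still never reach the role mapper. The simulation below is an added example, not code from the thread or from Oracle: the attribute names are real ActiveDirectoryAuthenticator settings with their documented defaults (the user filter is the poster's); the directory entries, DNs and role table are constructed, and the filter evaluator handles only the conjunction-of-equalities shape those defaults use.

```python
"""Simulate how the WebLogic AD authenticator turns a login into group
principals and how a global-role group condition is then evaluated.
Added example; directory, DNs and role table are constructed."""
import re

AD_CONFIG = {
    "user-base-dn": "ou=FSA,dc=child,dc=domain,dc=tld",
    "user-from-name-filter": "(&(sAMAccountName=%u)(objectclass=user))",
    "group-base-dn": "ou=Groups,dc=domain,dc=tld",
    "all-groups-filter": "(&(cn=*)(objectclass=group))",
    "static-group-dns-from-member-dn-filter": "(&(member=%M)(objectclass=group))",
    "static-group-name-attribute": "cn",
}

# Admin global role: the default Administrators condition plus the AD group
# condition the poster added (constructed role table).
GLOBAL_ROLES = {"Admin": {"Administrators", "WeblogicAdmins"}, "Deployer": {"Deployers"}}

WLADMIN_DN = "cn=wladmin,ou=FSA,dc=child,dc=domain,dc=tld"
GROUP_DN = "cn=WeblogicAdmins,ou=Groups,dc=domain,dc=tld"


def make_directory(user_is_member):
    """Constructed directory; attribute names are lower-cased for lookup."""
    return {
        WLADMIN_DN: {"objectclass": ["user"], "samaccountname": ["wladmin"]},
        GROUP_DN: {"objectclass": ["group"], "cn": ["WeblogicAdmins"],
                   # Membership that is only implied (e.g. via the user's primaryGroupID)
                   # never appears in 'member', although the group itself exists.
                   "member": [WLADMIN_DN] if user_is_member else []},
        "cn=Developers,ou=Groups,dc=domain,dc=tld": {"objectclass": ["group"], "cn": ["Developers"], "member": []},
    }


_TERM = re.compile(r"\(([A-Za-z0-9;-]+)=([^()]*)\)")


def matches(entry, ldap_filter):
    """Evaluate an AND of equality/presence terms; not a full RFC 4515 parser."""
    terms = _TERM.findall(ldap_filter)
    if not terms:
        raise ValueError("unsupported filter: " + ldap_filter)
    rebuilt = "".join("(%s=%s)" % t for t in terms)
    if ldap_filter != (rebuilt if len(terms) == 1 else "(&" + rebuilt + ")"):
        raise ValueError("unsupported filter: " + ldap_filter)
    for attr, value in terms:
        have = [v.lower() for v in entry.get(attr.lower(), [])]
        if value == "*":
            if not have:
                return False
        elif value.lower() not in have:
            return False
    return True


def search(directory, base_dn, ldap_filter):
    """Subtree search: entries whose DN ends with ',<base>' (DNs compare case-insensitively)."""
    suffix = "," + base_dn.lower()
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(suffix) and matches(entry, ldap_filter)]


def list_groups(directory, cfg):
    """What the console's Groups tab shows: all-groups-filter under group-base-dn."""
    return sorted(directory[dn][cfg["static-group-name-attribute"]][0]
                  for dn in search(directory, cfg["group-base-dn"], cfg["all-groups-filter"]))


def group_principals(directory, cfg, username):
    """Group principals attached to a successful login: user DN first, then the member filter."""
    user_dns = search(directory, cfg["user-base-dn"], cfg["user-from-name-filter"].replace("%u", username))
    if len(user_dns) != 1:
        raise LookupError("authentication fails: %d entries for %s" % (len(user_dns), username))
    member_filter = cfg["static-group-dns-from-member-dn-filter"].replace("%M", user_dns[0])
    return sorted(directory[dn][cfg["static-group-name-attribute"]][0]
                  for dn in search(directory, cfg["group-base-dn"], member_filter))


def global_roles(groups):
    """Role mapper view: a group condition matches only a group principal in the subject."""
    return {role for role, wanted in GLOBAL_ROLES.items() if wanted & set(groups)}


def may_boot(directory, cfg, username):
    """Boot authorization (BEA-090404 when this is False) requires the Admin role."""
    return "Admin" in global_roles(group_principals(directory, cfg, username))


if __name__ == "__main__":
    for member in (False, True):
        d = make_directory(member)
        print("member attribute lists the user:", member)
        print("  console group list :", list_groups(d, AD_CONFIG))
        print("  principals at login:", group_principals(d, AD_CONFIG, "wladmin"))
        print("  boots as Admin     :", may_boot(d, AD_CONFIG, "wladmin"))
```

With the `member` attribute empty the console still lists `WeblogicAdmins`, but the login carries no group principal and the Admin condition has nothing to match, which is the "never even evaluated" picture the debug log gives. The practical check on a real directory is to bind as the bind account and run the member filter with the exact DN that `user-from-name-filter` returns for the boot user, under `group-base-dn`, and confirm it returns the group.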
          • 2. Re: Active Directory and Role Mapping
            Faisal WebLogic Wonders
You can refer to this

            http://weblogic-wonders.com/weblogic/2010/06/04/how-to-modify-weblogic-default-roles-and-policies/