6 Replies Latest reply on Oct 2, 2012 3:16 PM by wgkorb-JavaNet

    WLS 12c & Active Directory - multiple Group Base DN values?

    wgkorb-JavaNet
      I am trying to configure WLS 12.1 to authenticate to our Active Directory environment. I am having a problem due to the design of the AD tree, which, of course, cannot be changed.

      Specifically, the base DN for group searches needs to have more than one value. Let me explain why.

      The structure of the tree is more or less like this:

      dc=lcl,
      dc=domain,
      ou=users
      ou=permission groups
      ou=role groups
      ...

      Note that all users are under the users OU, but groups are in one of two different OUs, depending on whether they are a "role" group (i.e. they define what role an employee has in the company) or a "permission" group (i.e. they define what permissions a user has).

      I have the group base DN set to "ou=permission groups,dc=domain,dc=lcl", but when a user is a member of a role group, that group cannot be searched for since it is in the other OU.

      If I change the group base DN to dc=domain,dc=lcl, then that should in theory search both subtrees (along with a whole bunch of subtrees that don't contain any groups), but when I go into the Users and Groups and click on my own username, then click on the Groups tab, it spins for literally 2-3 minutes and when it returns, it only lists groups that are in my memberOf attributes, and none of those where I am a member of a group that is a member of another group.

      For example, there are groups named A, B, and C. A & B are in the role groups OU; C is in the permission groups OU. I am a member of A & B, and B is a member of C. Therefore, I should be a member of all three groups, but I am only listed as a member of A & B.

      Is there a way to configure WLS to search two subtrees, two base DNs, if you will?

      Failing that, what are my options here?

      Is there a way that I can turn on debug logging that will show what WLS is doing in regards to calls to the AD server?

      Thanks,
      Bill
        • 1. Re: WLS 12c & Active Directory - multiple Group Base DN values?
          wgkorb-JavaNet
          I found the debug settings for security->atn & atz, so I am now seeing debugging output, but all I'm seeing is "authenticate failed for user wkorb", though oddly enough, about five lines before that it said "login succeeded for username wkorb". I suspect the login succeeded means that my password was correct, but the authenticate failed means that it can't find me in the group that has access to the webapp in question.

          Bill
          • 2. Re: WLS 12c & Active Directory - multiple Group Base DN values?
            Faisal WebLogic Wonders
            You can configure multiple authenticators pointing to different OU.
            What is the control flag of the default authenticator? You need to change it to OPTIONAL/SUFFICIENT.

            I need to check if there is an option to configure filters for groups...
            • 3. Re: WLS 12c & Active Directory - multiple Group Base DN values?
              wgkorb-JavaNet
              OK, so now I have an AD-roles provider and an AD-permissions provider. The only difference between the two providers is the Base DN for group searches.

              A related question.

              I assumed that once I had this working I could add an AD permission group called "weblogic-admins" and I could then add that AD group to the internal WLS Administrators group, thus granting admin privilege via our AD infrastructure. However, I cannot figure out how to add my AD group to the Administrators group.

              Is that the correct way to approach this, or do I need to use some other technique? Or is it not possible?

              Thanks,
              Bill
              • 4. Re: WLS 12c & Active Directory - multiple Group Base DN values?
                wgkorb-JavaNet
                Well, I spoke too soon. Using the two different providers was still not finding all of my group memberships, so I started doing a bit more research on the cause of the 2-3 minute delay when performing group searches.

                Here's what I found: it's due to some referrals that the AD server is returning.

                For example, I ran this ldapsearch query:

                -----
                44$ ldapsearch -h dc.domain.lcl \
                -b 'dc=domain,dc=lcl' \
                -D 'CN=Service Account,ou=Service Accounts,dc=domain,dc=lcl' \
                -w ********** \
                '(&(sAMAccountName=Weblogic-Prod-Admin-P)(objectclass=group))' \
                member

                CN=Weblogic-Prod-Admin-P,OU=Applications,OU=Permission Groups,DC=domain,DC=LCL
                member=CN=Webmaster-Prod-Admin-R,OU=Applications,OU=Role Groups,DC=domain,DC=LCL

                ldap_search: Operations error
                ldap_search: additional info: 000004DC: LdapErr: DSID-0C0906E8, comment: In
                order to perform this operation a successful bind must be completed on the
                connection., data 0, v1db1
                -----

                So it returned the correct results immediately, but then delayed for another 30 seconds before coming back with those error messages.

                Then I added the -R (don't follow referrals) and -v (verbose) options, and ran the same query:

                -----
                48$ ldapsearch -R -v -h dc.domain.lcl -b 'dc=domain,dc=lcl' \
                -D 'CN=Service Account,ou=Service Accounts,dc=domain,dc=lcl' \
                -w ********** \
                '(&(sAMAccountName=Weblogic-Prod-Admin-P)(objectclass=group))' \
                member

                ldap_open( dc.domain.lcl, 389 )
                filter pattern: (&(sAMAccountName=Weblogic-Prod-Admin-P)(objectclass=group))
                returning: member
                filter is: ((&(sAMAccountName=Weblogic-Prod-Admin-P)(objectclass=group)))
                CN=Weblogic-Prod-Admin-P,OU=Applications,OU=Permission Groups,DC=domain,DC=LCL
                member=CN=Webmaster-Prod-Admin-R,OU=Applications,OU=Role Groups,DC=domain,DC=LCL

                Unfollowed reference(s)
                ref: ldap://DomainDnsZones.domain.LCL/DC=DomainDnsZones,DC=domain,DC=LCL

                Unfollowed reference(s)
                ref: ldap://ForestDnsZones.domain.LCL/DC=ForestDnsZones,DC=domain,DC=LCL

                Unfollowed reference(s)
                ref: ldap://domain.LCL/CN=Configuration,DC=domain,DC=LCL
                1 matches
                -----

                Results returned immediately, and it reported there were three referrals (two of which look like they are going after DNS entries and the third after AD/LDAP configuration information). So the problem appears to be that my service account doesn't have permission to search those other DNs that came back in the referrals. That shouldn't be a problem as there would be no user or group information there, anyway, so I decided to try changing the provider configuration to not follow referrals. I unchecked the "Follow Referrals" setting in the Provider Specific tab of my AD provider, activated my changes, and restarted WLS, and now when I click on the Groups tab of my account, it renders instantaneously, but instead of listing my group memberships, it indicates that we're now seeing an exception:

                -----
                An unexpected exception has occurred processing your request
                Message:
                netscape.ldap.LDAPReferralException: referral (0); Success ldap://DomainDnsZones.domain.LCL/DC=DomainDnsZones,DC=domain,DC=LCL
                Stack Trace:
                java.lang.RuntimeException: netscape.ldap.LDAPReferralException: referral (0); Success ldap://DomainDnsZones.domain.LCL/DC=DomainDnsZones,DC=domain,DC=LCL
                    at weblogic.security.providers.authentication.LDAPAtnNameList.handleUnexpectedLDAPException(LDAPAtnNameList.java:179)
                    at weblogic.security.providers.authentication.LDAPAtnMemberGroupsNameList.advance(LDAPAtnMemberGroupsNameList.java:122)
                    at weblogic.security.providers.utils.ListerManager.advance(ListerManager.java:233)
                    at weblogic.security.providers.authentication.LDAPAtnDelegate.advance(LDAPAtnDelegate.java:1210)
                    at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.advance(LDAPAuthenticatorImpl.java:67)
                    at weblogic.security.providers.authentication.ActiveDirectoryAuthenticatorMBeanImpl.advance(ActiveDirectoryAuthenticatorMBeanImpl.java:242)
                    at
                etc.
                -----

                So apparently turning off referrals isn't an option if your AD server sends referrals? So what's the point of that option if it doesn't work? Is this a WLS bug?

                Thanks,
                Bill
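The two problems Bill describes in the original post and in reply 4 are the same problem a directory client always has to solve by hand when the group base DN is too narrow or too wide: nested groups spread over several OUs must be resolved transitively over more than one search base, and a search rooted at the domain root picks up continuation references for the DomainDnsZones, ForestDnsZones and Configuration naming contexts, which the client then tries to chase. The script below is an added example written for this page, not code from the thread, from WebLogic or from Oracle. It parses a constructed copy of the `ldapsearch -R -v` output shape quoted above into entries and referrals, and resolves transitive group membership for the A/B/C scenario from the first post over a constructed in-memory snapshot of the two group OUs. The user DN, the group DNs `cn=A`, `cn=B`, `cn=C` and the `GROUP_MEMBERS` dictionary are all constructed; no live directory is contacted.

```python
"""Added example: referral-aware parsing of ldapsearch output plus transitive
group resolution across several group base DNs. All data is constructed."""
import re
from collections import deque

# Constructed sample in the shape of the `ldapsearch -R -v` output quoted in
# the thread (one entry, three unfollowed referrals). Not captured live.
SAMPLE_OUTPUT = """\
ldap_open( dc.domain.lcl, 389 )
filter pattern: (&(sAMAccountName=Weblogic-Prod-Admin-P)(objectclass=group))
returning: member
filter is: ((&(sAMAccountName=Weblogic-Prod-Admin-P)(objectclass=group)))
CN=Weblogic-Prod-Admin-P,OU=Applications,OU=Permission Groups,DC=domain,DC=LCL
member=CN=Webmaster-Prod-Admin-R,OU=Applications,OU=Role Groups,DC=domain,DC=LCL

Unfollowed reference(s)
ref: ldap://DomainDnsZones.domain.LCL/DC=DomainDnsZones,DC=domain,DC=LCL

Unfollowed reference(s)
ref: ldap://ForestDnsZones.domain.LCL/DC=ForestDnsZones,DC=domain,DC=LCL

Unfollowed reference(s)
ref: ldap://domain.LCL/CN=Configuration,DC=domain,DC=LCL
1 matches
"""

# Client chatter that carries no directory data.
HEADER_PREFIXES = ("ldap_open(", "filter pattern:", "returning:",
                   "filter is:", "Unfollowed reference")


def parse_ldapsearch_output(text):
    """Split old-style (non-LDIF) ldapsearch output into entries and referrals.

    Returns (entries, referrals): entries maps an entry DN to {attr: [values]},
    referrals is the list of ldap:// URLs the server handed back. A client
    that follows referrals chases every one of these; a client that does not
    must still tolerate them in the result set instead of raising.
    """
    entries, referrals = {}, []
    current_dn, expect_dn = None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            expect_dn = True          # blank line closes the current entry
            continue
        if line.startswith(HEADER_PREFIXES) or re.fullmatch(r"\d+ matches", line):
            continue
        if line.startswith("ref: "):
            referrals.append(line[len("ref: "):])
            continue
        if expect_dn:
            current_dn = line         # first data line of a block is the DN
            entries[current_dn] = {}
            expect_dn = False
            continue
        attr, _, value = line.partition("=")
        entries[current_dn].setdefault(attr, []).append(value)
    return entries, referrals


def referral_target_dn(url):
    """DN component of an ldap:// URL: the path after the host, before any '?'."""
    parts = url.split("/", 3)
    return parts[3].split("?", 1)[0] if len(parts) == 4 else ""


def dn_under(dn, base):
    """True if dn equals base or sits in its subtree; DNs compare case-insensitively."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


# Constructed snapshot of the two group OUs from the original post: A and B are
# role groups, C is a permission group, the user is in A and B, B is in C.
ROLE_OU = "ou=role groups,dc=domain,dc=lcl"
PERM_OU = "ou=permission groups,dc=domain,dc=lcl"
USER_DN = "cn=wkorb,ou=users,dc=domain,dc=lcl"     # constructed user DN
GROUP_MEMBERS = {                                  # group DN -> member DNs
    f"cn=A,{ROLE_OU}": [USER_DN],
    f"cn=B,{ROLE_OU}": [USER_DN],
    f"cn=C,{PERM_OU}": [f"cn=B,{ROLE_OU}"],
}


def groups_containing(member_dn, group_members, base_dns):
    """One group search: groups under any configured base whose member list names member_dn."""
    return sorted(g for g, members in group_members.items()
                  if any(dn_under(g, b) for b in base_dns)
                  and any(m.lower() == member_dn.lower() for m in members))


def resolve_groups(user_dn, group_members, base_dns):
    """Transitive membership: breadth-first over member -> group edges.

    The visited set makes circular nesting (A in B, B in A) terminate."""
    found, queue = {}, deque([user_dn])
    while queue:
        dn = queue.popleft()
        for g in groups_containing(dn, group_members, base_dns):
            if g.lower() not in found:
                found[g.lower()] = g
                queue.append(g)
    return sorted(found.values())


if __name__ == "__main__":
    entries, refs = parse_ldapsearch_output(SAMPLE_OUTPUT)
    print(len(entries), "entry,", len(refs), "referrals, all under domain root:",
          all(dn_under(referral_target_dn(r), "dc=domain,dc=lcl") for r in refs))
    for bases in ([PERM_OU], [ROLE_OU], [ROLE_OU, PERM_OU]):
        print(bases, "->", resolve_groups(USER_DN, GROUP_MEMBERS, bases))
```

Run with a single base of `ou=permission groups` the resolver finds nothing, with `ou=role groups` it finds A and B only, and only with both bases does the second hop from B reach C; that is the symptom of the first post reproduced in miniature. The referral check shows why the domain-root workaround fetches them: the three referred naming contexts are all subordinate to dc=domain,dc=lcl, so a subtree search there legitimately returns them as continuation references, and a client that either chases them (the 2-3 minute delay) or throws on them (the LDAPReferralException in reply 4) fails, whereas a client that records and skips them returns in one round trip.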
                • 5. Re: WLS 12c & Active Directory - multiple Group Base DN values?
                  Faisal WebLogic Wonders
                  While I was there with Oracle Support there were a few bugs related to referrals in older versions of WLS, not sure if it's there in 12c but it will be worth checking with Oracle Support...
                  • 6. Re: WLS 12c & Active Directory - multiple Group Base DN values?
                    wgkorb-JavaNet
                    Faisal,

                    Thanks for your reply. Yeah, I was thinking it was about time to open a support case on this one. I'll do so and post my findings here for future reference.

                    Bill