I am using Active Directory to authenticate users with WebLogic. I have configured the LDAP settings on the console. The users are displayed on the Users and Groups tab of the WebLogic console, but the application is not recognizing the user for authentication.
Below is my web.xml:
After redeploying the application, a Windows pop-up comes up asking for credentials. I give the same credentials that I gave in the WebLogic console to connect to LDAP, but I am not able to pass authentication. The pop-up keeps asking me for credentials, and after a few attempts a 401 Unauthorized error is displayed on the web page. Kindly help me out.
Please specify some arbitrary role name (instead of *) in the <role-name> element under <auth-constraint> and <security-role>, as this is purely logical for mapping between the application descriptor and the WebLogic descriptor. I am pasting the sample web.xml and weblogic.xml here to make them compliant with role mapping:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Saml Source Site Application</display-name>
<description>These pages are only accessible by authorized users.</description>
<description>These are the roles who have access.</description>
<description>This is how the user data must be transmitted.</description>
<description>These are the roles who have access</description>
Here in weblogic.xml, principal-name is the username that needs to be authenticated, or the group name whose users should be allowed to access the application. This should be placed along with the web.xml.
Once this is done, deploy the application and test.
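The role mapping the answer above describes (a named role in web.xml's <auth-constraint> and <security-role>, mapped to a user or group through <security-role-assignment> in weblogic.xml) can be checked mechanically before deploying. The following is an added example, not code from the original thread or from WebLogic: it embeds a constructed pair of descriptors and cross-checks them. The role name "AppUsers", the "/*" URL pattern, BASIC auth and the principal "Administrators" are assumptions chosen for illustration; only the element names are the descriptors' own.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors, not the ones from the original post. The role name
# "AppUsers", the URL pattern "/*", BASIC auth and the principal "Administrators" are
# assumptions chosen for illustration; only the element names are WebLogic's own.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <description>These pages are only accessible by authorized users.</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>These are the roles who have access.</description>
      <role-name>AppUsers</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>This is how the user data must be transmitted.</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
    <description>These are the roles who have access</description>
    <role-name>AppUsers</role-name>
  </security-role>
</web-app>
"""

WEBLOGIC_XML = """<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <security-role-assignment>
    <role-name>AppUsers</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
</weblogic-web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def _child_texts(element, name):
    """Text of every direct child of `element` whose local tag name is `name`."""
    return [c.text.strip() for c in element if _local(c.tag) == name and c.text]


def _elements(root, name):
    """Every element in the tree whose local tag name is `name`."""
    return [e for e in root.iter() if _local(e.tag) == name]


def check_role_mapping(web_xml, weblogic_xml):
    """Cross-check web.xml against weblogic.xml the way the container will resolve them.

    Returns a list of human-readable problems; an empty list means every role used in
    an <auth-constraint> is declared in <security-role> and is mapped to at least one
    <principal-name> in weblogic.xml.
    """
    web = ET.fromstring(web_xml.encode("utf-8"))
    wl = ET.fromstring(weblogic_xml.encode("utf-8"))

    declared = {r for e in _elements(web, "security-role") for r in _child_texts(e, "role-name")}
    constrained = {r for e in _elements(web, "auth-constraint") for r in _child_texts(e, "role-name")}

    mapped = {}  # role-name -> [principal-name, ...]
    for e in _elements(wl, "security-role-assignment"):
        principals = _child_texts(e, "principal-name")
        for role in _child_texts(e, "role-name"):
            mapped.setdefault(role, []).extend(principals)

    problems = []
    if "*" in constrained:
        problems.append("auth-constraint uses '*' rather than a named role, so nothing in "
                        "weblogic.xml can map it to a specific user or group")
    for role in sorted(constrained - declared - {"*"}):
        problems.append(f"role '{role}' is used in an auth-constraint but not declared in <security-role>")
    for role in sorted(declared):
        if role not in mapped:
            problems.append(f"role '{role}' has no <security-role-assignment> in weblogic.xml")
        elif not mapped[role]:
            problems.append(f"role '{role}' is mapped to no <principal-name>")
    return problems


if __name__ == "__main__":
    print(check_role_mapping(WEB_XML, WEBLOGIC_XML) or "role mapping is consistent")
```

Run it against the constructed pair and it reports no problems; swap the auth-constraint role for `*`, or drop the security-role-assignment, and the corresponding problem is listed. One caveat worth knowing when reading such a report: WebLogic's default for a role that has no security-role-assignment is to map it to a group of the same name, so an "unmapped" role is not rejected at deploy time but silently requires a group called exactly that to exist in the realm.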
What is the group name/username you have mentioned in the weblogic.xml for <principal-name>Administrators</principal-name>?
Could you please paste your weblogic.xml?
If you mapped Administrators as given in the example, then could you try using the credentials that you use to log in to the WebLogic Admin Console and let me know if you are able to log in?
That will confirm that the application configuration is fine and working with the Default Authenticator.
Moreover, for the group name/username you specified in <principal-name>Administrators</principal-name>, do you see that username/group name under Users & Groups in the WebLogic Admin Console? If that user is not visible in the Admin Console, then configure a user which is visible and test.
Another thing is that the user name that I have configured in the console is not visible under the Users and Groups tab. I don't know why, but I am able to see some users there.
I am not sure where I am making a mistake. What I understood is that by doing the above configuration (adding the principal name in weblogic.xml) we are using container security authentication, which uses the Default Authenticator. But I don't know what to do to make my LDAP authenticator work.
Please suggest the next course of action.
I really don't understand the lines below. Request you to elaborate on them again: "Moreover, for the group name/username you had specified in <principal-name>Administrators</principal-name>... do you see that username/group name under Users & Groups in the WebLogic Admin Console? If that user is not visible in the Admin Console, then configure a user which is visible and test?"
One more thing I want to highlight: under Users and Groups > weblogic > group, we see that the group name is Administrators. So this name is mapped to the principal name defined in weblogic.xml. But whenever I go to an LDAP user and click on groups, I get the exception below:
An unexpected exception has occurred processing your request
Message: [Security:090278]Error listing member groups Vivek Kaushal
Stack Trace:
weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090278]Error listing member groups Vivek Kaushal
    at weblogic.security.providers.authentication.LDAPAtnDelegate.listMemberGroups(LDAPAtnDelegate.java:2190)
    at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.listMemberGroups(LDAPAuthenticatorImpl.java:168)
    at weblogic.security.providers.authentication.LDAPAuthenticatorMBeanImpl.listMemberGroups(LDAPAuthenticatorMBeanImpl.java:307)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
    at java.security.AccessController.doPrivileged(Native Method)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
    at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:263)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
    at java.security.AccessController.doPrivileged(Native Method)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
    at
The users and groups are pulled into the WebLogic server on the basis of the "User Base DN" and "Group Base DN" configured during the Authentication Provider setup, and the user which you use to connect/bind to LDAP/AD may or may not be available under the same User Base DN configured in the Authentication Provider. So only the users and groups which are available under the configured DNs will be pulled into WebLogic, and only those can be used for authentication.
Now, in order to check which users are available under the User Base DN and which groups under the Group Base DN, go to Admin Console --> Security Realms --> myrealm --> Providers --> <<Your provider name>> --> Provider Specific
and check the User Base DN and Group Base DN there.
Then connect to your LDAP directory using JXplorer or any directory explorer, go to the tree location matching the configured DN and check which users are available there; likewise check the Group Base DN for which groups are available there. These are the users and groups which will be pulled into the WebLogic server and can be used for authentication.
The user configured in Principal Name in the provider configuration is only for connecting/binding to the LDAP directory. If you want that user also to be pulled into the WebLogic server, then identify the DN for the user in LDAP, configure the same in User Base DN and restart your server; you will then be able to see the user in the WebLogic users list pulled from AD.
NOTE: if the DN for the user is CN=orcladmin,OU=Service Users,DC=oracle,DC=com then the User Base DN which needs to be configured is OU=Service Users,DC=oracle,DC=com so that all the users under this DN can be pulled.
The same applies for pulling the groups into the WebLogic server through the Authentication Provider: the Group Base DN configured there determines which groups will be pulled into the WebLogic server.
Note that group membership for the users needs to be configured at the LDAP level, as you cannot dynamically associate the LDAP groups or default groups with the LDAP user in the WebLogic console.
Now, if the user CN=orcladmin,OU=Service Users,DC=oracle,DC=com is configured to be a member of the group CN=Managers,OU=Service Groups,DC=oracle,DC=com, then in order to pull the user and group into WLS the Group Base DN and User Base DN should be as below:
User Base DN: OU=Service Users,DC=oracle,DC=com
Group Base DN: OU=Service Groups,DC=oracle,DC=com
With this configuration you would see all users residing under the User Base DN and all groups residing under the Group Base DN listed in the WebLogic server Users and Groups tab.
Now, when you have pulled all the users and groups from AD into WLS, how can you use them in your application?
In the application's weblogic.xml, <principal-name> can be either a username which exists in the WLS user list or a group.
Now say you configured
This tells the application that only orcladmin should be authenticated. So during authentication the request goes to the WLS security realm, which checks whether WLS has this as a user or a group; if it is a user, does it exist in the users list? If yes, where should it go to get the password for the user to authenticate: does this user belong to the Default Authenticator or the LDAP Authenticator?
If it belongs to the LDAP Authenticator, how should it connect to the LDAP server? It needs to check the connection parameters, so it picks up the connection parameters (hostname, port, principal name, password) from the LDAP Authenticator configuration and connects to the LDAP server.
Now there are a huge number of users embedded in the trees, so where should it look for this user?
It goes inside the User Base DN and finds it there; once found, it checks whether the password is valid, and if valid comes back through the same route and authenticates the user.
And if you Configured
which is a group, and the username you used to authenticate in the application is orcladmin, the request is delegated to the LDAP server in the same way to confirm whether the user is a member of the group Managers in AD. Once confirmed, after going to the Group Base DN it goes back to the same User Base DN, locates the user, confirms the credentials and authenticates the user.
Now, configuring the group name as <principal-name> is beneficial for scalability: if later on you have more users who should be allowed to access the application, you can give them membership of the Managers group in the LDAP server and they will be allowed to access the application without any change to weblogic.xml to add their names to the list of users who are allowed access.
So for the initial testing, if you have not configured any group in the LDAP server and have not put any members in that group, you need to configure the User Base DN appropriately, and once the users are available in the WebLogic console users list, configure the names of the users in <principal-name> in weblogic.xml and then test whether the user is able to access the application.
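The explanation above boils down to a subtree rule: an entry is visible to the authenticator only if its DN sits beneath the configured User Base DN or Group Base DN, and the base to configure for a given user is that user's DN with the leaf RDN removed. The following is an added example, not code from the original thread or from WebLogic, that applies that rule offline to constructed sample DNs; it does not contact a directory. The orcladmin and Managers DNs are the ones used in the explanation; the other two group entries (one outside the group base, one whose name contains an escaped comma) are assumptions added to show the edge cases.

```python
# Constructed sample data, not from the original post: the orcladmin/Managers DNs are the
# ones used in the explanation above; the other group entries are assumptions.
USER_DN = "CN=orcladmin,OU=Service Users,DC=oracle,DC=com"
MEMBER_OF = [
    "CN=Managers,OU=Service Groups,DC=oracle,DC=com",
    "CN=Domain Users,CN=Users,DC=oracle,DC=com",                 # assumed: outside the group base
    "CN=Ops\\, Night Shift,OU=Service Groups,DC=oracle,DC=com",  # assumed: RDN with an escaped comma
]


def split_dn(dn):
    """Split a DN into its RDN strings, leaf first, honouring backslash-escaped commas.

    A naive dn.split(",") would break 'CN=Ops\\, Night Shift' into two bogus RDNs.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape and the escaped char together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def parent_dn(dn):
    """The container an entry lives in, i.e. the Base DN to configure so that entry is pulled in."""
    return ",".join(split_dn(dn)[1:])


def is_under(dn, base):
    """True if `dn` is `base` itself or sits anywhere beneath it. AD DNs compare case-insensitively."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def visible_groups(member_of, group_base_dn):
    """Of a user's memberOf values, only those beneath the Group Base DN are listed by the
    authenticator; memberships elsewhere in the tree exist in AD but are invisible to WebLogic."""
    return [g for g in member_of if is_under(g, group_base_dn)]


if __name__ == "__main__":
    print("User Base DN to configure:", parent_dn(USER_DN))
    print("Groups WebLogic would see:", visible_groups(MEMBER_OF, "OU=Service Groups,DC=oracle,DC=com"))
```

Two things the sample makes concrete. Setting the User Base DN to a user's complete DN is a valid, if degenerate, subtree containing exactly that one entry, which is why that configuration pulls in a single user and nothing else. And a group the user belongs to in AD is of no use for a <principal-name> mapping unless it also lies under the Group Base DN, so the "Domain Users" membership here is dropped even though AD reports it.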
I have checked the groups for some of the users who are listed under the Users and Groups tab, but no groups are defined for them. Now what I understood from your mail is that without a group we can set the user name in the <principal-name> element.
Or is it possible that we define a group, add all users to it and then try accessing using the group name in the <principal-name> element?
In another directory structure, we have multiple groups being displayed for a user listed in the Users and Groups tab. Now will any of the groups work when I use it in <principal-name>?
Thanks again for being so descriptive. You are really helping me out. I hope that I will be able to make it with your help.
Yes, you can configure a group, add all the users into that group and configure the same group in weblogic.xml.
Now if you configure a group named Managers in LDAP which has users named userA, userB and userC added to it, then all three users will be allowed to access the application, and the credentials which you would need to enter when prompted by the application are:
Username: userA or userB or userC (not the group name)
Password: the one associated with the user
Groups are defined in weblogic.xml as principal names to allow access to a bunch of people who have membership in the group; the group name itself will not be used to log in.
Now, in case userA is an independent user and you do not want it to be added to the group, then you can instead specify the single username as the principal name and only that particular user will be allowed to access the application.
I finally did it for a single user. Thanks for that. Below are my changes:
In User Base DN, I gave the complete DN of a single user only, which makes that user available in the Users and Groups tab. I clicked that user, went to its groups, copied the group name and pasted it into <principal-name> in weblogic.xml. Then I hit the application and authentication works fine. Thanks for your help again.
But the work is only half done.
The first thing is that Active Directory, in any case, can't be modified, i.e. no group can be set there. And when I go to the Groups tab I see 1000 groups there, which means that all the users come under these groups. In order to configure that, we would have to write all the group names in weblogic.xml (if I am not wrong), which is not the right way of doing it, as first we will have a lengthy XML file and second, in future groups can also be added.
In this situation, what would you suggest? Is there any master group name that can be used?
I don't think there is any other way to achieve this through this approach using principal name.
You have to configure a group to contain all the users or all the groups in AD and map the same as the principal name in weblogic.xml to control access to the application.
If you are implementing access control for the application and you need AD to achieve the same, then I believe you have to acquire control of AD, implement the required groups and add users to them.
I have to achieve only authentication and not authorization.
Another finding that I wanted to share is that authentication works only when the complete DN is given. And it works for all the groups that the user has, i.e. we can use any of the groups in weblogic.xml to make it run.
The problem comes when I use a DN other than the complete name, say I use a filter to display the users whose names start with Ankit and Amit. I get three users, who also have one group in common. So as per my understanding, if I give the common group name in weblogic.xml and try to authenticate then it should work, but it doesn't.
And another thing is that I also get different groups for the same user when the DN is changed, which is strange. And I also don't know the role of GROUPS here, as the user's groups are being taken into account here.
Is this a known behaviour, and do we have any resolution for it?