13 Replies, latest reply: Oct 30, 2012 6:40 AM by user5636757

external LDAP directory (Apache Directory Server) with WebLogic server

user5636757 Newbie
Hi,
I've done this before, but this time it's not working, because this time I've changed all the configurations to what I believe they are supposed to be.
I am configuring external LDAP directory (Apache Directory Server) with WebLogic server.

This is how my configurations look:

<sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
<sec:name>apache_ds_identity_store</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:port>10389</wls:port>
<wls:user-object-class>inetOrgPerson</wls:user-object-class>
<wls:principal>uid=admin,ou=system</wls:principal>
<wls:user-base-dn>ou=users,ou=system</wls:user-base-dn>
<wls:credential-encrypted>{AES}KA//VoKcnAbT1y26JoDi1i+j5OHhTtLd8IfgwZPDQYQ=</wls:credential-encrypted>
<wls:user-from-name-filter>(&amp;(uid=*)(objectclass=inetOrgPerson))</wls:user-from-name-filter>
<wls:all-users-filter>(&amp;(uid=*)(objectclass=inetOrgPerson))</wls:all-users-filter>
<wls:group-base-dn>ou=groups,ou=system</wls:group-base-dn>
<wls:group-from-name-filter>(&amp;(cn=*)(objectclass=groupOfUniqueNames))</wls:group-from-name-filter>
<wls:all-groups-filter>(&amp;(cn=*)(objectclass=groupOfUniqueNames))</wls:all-groups-filter>
<wls:static-group-object-class>groupOfUniqueNames</wls:static-group-object-class>
<wls:static-member-dn-attribute>uniqueMember</wls:static-member-dn-attribute>
<wls:static-group-dns-from-member-dn-filter></wls:static-group-dns-from-member-dn-filter>
</sec:authentication-provider>

However my server doesn't start. It says:

Caused By: oracle.security.jps.service.idstore.IdentityStoreException: JPS-00056: Failed to create identity store service instance idstore.ldap.provider:idstore.ldap. Reason: oracle.security.jps.JpsRuntimeException: JPS-00027: internal error You configured a generic WLS LDAPAuthenticator.
The identity store type cannot be determined. Please choose an LDAP Authentication provider that matches your LDAP server.
     at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getIdStoreConfig(LdapIdentityStoreProvider.java:199)
     at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.access$300(LdapIdentityStoreProvider.java:74)
     at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider$NoLibOvd.getInstance(LdapIdentityStoreProvider.java:246)
     at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:118)
     at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:74)
     Truncated. see log file for complete stacktrace

I searched forums and found some suggestions like:
1. Reordering providers: currently this is my first provider, followed by the default provider. If I make it the 2nd provider, the server starts, but I can't get group information; I get another exception. I'll put that in my 2nd post as well.
2. Using specific providers: there is no provider for Apache DS, so the generic one should be okay.

Any idea? Thanks!

  • 1. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    user5636757 Newbie
    It has something to do with my configurations only.

    Some more information:
    User I connect to LDAP server: uid=admin,ou=system
    All my application users are in: ou=users,ou=system
    All my application groups are in: ou=users,ou=system
    Currently users are not associated to groups in directory...
    Object class for user is: inetOrgPerson
    Object class for group is: groupOfUniqueNames


    Thanks.
  • 2. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    RaviJegga Expert
    Hi
    1. Oh, very simple. I am hoping this is the reason and that the stuff below fixes your issue. These 2 lines in the error give a hint:
    oracle.security.jps.JpsRuntimeException: JPS-00027: internal error You configured a generic WLS LDAPAuthenticator.
    The identity store type cannot be determined. Please choose an LDAP Authentication provider that matches your LDAP server.

    2. When you create an External Security Provider, you get a bunch of options to choose from within AD itself, like Active Directory, LDAP, Microsoft AD, etc. The selected value goes into the main tag as something like xsi:type="wls:xxxxxx". Compare this value from your old config.xml file with the new setting you did just now. They may be different. Just stop the server, edit config.xml and modify only this setting. Hopefully all other parameters are the same. Now start the domain.
    <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    ...All the settings which are pretty much same when you redid this....
    </sec:authentication-provider>
    On my side, I have something like this and it works :). So choose the type as close as possible to your external AD provider.
    xsi:type="wls:active-directory-authenticatorType"
    Thanks
    Ravi Jegga
  • 3. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    user5636757 Newbie
    Ravi Jegga wrote: (quoting reply 2 above)
    Thanks Ravi.
    1. There is no specific provider for Apache DS, so the LDAP Authenticator should work; it has worked for me before on another server, but I don't have that configuration with me.
    2. As I don't have my previous configuration, I don't know what was there before.

    From error, it looks like provider type is incorrect but it's NOT... Do you see any issue in 'provider specific' configurations?

    Thanks.

  • 4. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    RaviJegga Expert
    Hi
    I hope you may have already tried this. I understand Apache DS does not have any specific provider in WLS. But instead of the generic "wls:ldap-authenticatorType", just give others like Active Directory or iPlanet a shot. All this does is instantiate that provider. Once that is done, your actual properties come into the picture: AD host, port, admin user, password, user/group base DN, etc.

    This is just my imagination. Maybe behind the scenes they have an abstract Java class named something like LdapAuthenticatorType, with a constructor that prevents instantiating this class and throws the above error, but with a bunch of subclasses for each type of LDAP provider. So try one of them that is as close as possible and give it a shot. I know this may not make much sense, but it's worth a try.

    Thanks
    Ravi Jegga
  • 5. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    user5636757 Newbie
    Okay, let me try that. I haven't tried this...

    If I change the order and make it the 2nd provider after the default provider, I get the following exception when I try to open the groups for a user:

    An unexpected exception has occurred processing your request
    Message:      
    [Security:090278]Error listing member groups admin
    Stack Trace:      weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090278]Error listing member groups admin at weblogic.security.providers.authentication.LDAPAtnDelegate.listMemberGroups(LDAPAtnDelegate.java:2181) at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.listMemberGroups(LDAPAuthenticatorImpl.java:168) at weblogic.security.providers.authentication.LDAPAuthenticatorMBeanImpl.listMemberGroups(LDAPAuthenticatorMBeanImpl.java:307) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437) at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836) at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449) at java.security.AccessController.doPrivileged(Native Method) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447) at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:263) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449) at java.security.AccessController.doPrivileged(Native Method) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447) at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:444) at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:323) at 
weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11$1.run(JMXConnectorSubjectForwarder.java:663) at java.security.AccessController.doPrivileged(Native Method) at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11.run(JMXConnectorSubjectForwarder.java:661) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.invoke(JMXConnectorSubjectForwarder.java:654) at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1427) at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72) at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1265) at java.security.AccessController.doPrivileged(Native Method) at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1367) at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788) at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source) at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1035_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:993) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy195.listMemberGroups(Unknown Source) at com.bea.console.utils.security.UserUtils.getParentGroupNames(UserUtils.java:271) at com.bea.console.actions.security.users.UserGroupsAction.execute(UserGroupsAction.java:74) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431) at 
org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044) at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116) at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:261) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853) at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631) at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158) at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:262) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414) at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:134) at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:686) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:266) at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:107) at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292) at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428) at 
com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at 
com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361) at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208) at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162) at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388) at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258) at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:211) at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:196) at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:47) at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at 
weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209) at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    Caused by: netscape.ldap.LDAPException: error result (32); NO_SUCH_OBJECT: failed for MessageType : SEARCH_REQUEST Message ID : 8
    SearchRequest baseDn : 'ou=groups, o=example.com'
    filter : '(&(uniqueMember=0.9.2342.19200300.100.1.1=admin,2.5.4.11=system)(objectClass=groupofuniquenames))'
    scope : whole subtree typesOnly : false Size Limit : no limit Time Limit : no limit Deref Aliases : never Deref Aliases attributes : 'cn'
    org.apache.directory.shared.ldap.model.message.SearchRequestImpl@b1083eef: ERR_268 Cannot find a partition for ou=groups, o=example.com; No such object
    at netscape.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4871) at netscape.ldap.LDAPConnection.checkSearchMsg(LDAPConnection.java:2635) at netscape.ldap.LDAPConnection.search(LDAPConnection.java:2607) at weblogic.security.providers.authentication.LDAPAtnDelegate.listMemberGroups(LDAPAtnDelegate.java:2167) ... 116 more
  • 6. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    user5636757 Newbie
    Strangely, when I changed to active-directory-authenticatorType, it didn't cause any issue while starting the server. Thanks Ravi.
    However, I still don't get the groups of users...
  • 7. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    RaviJegga Expert
    Ok. This is good progress. Can you at least see the users from your external AD in the WebLogic console? If yes, then you are good so far. Now, coming to groups not listing, look at the group base DN. Setting base DNs for users and groups is a little tricky.

    Usually, we use a simple third-party AD client like JXplorer to connect to AD and browse all the contents. Search for any known user and group. Then, from that user's/group's properties, we copy the dn value and use that, after narrowing it, in the WebLogic console. Narrowing means giving the top parent of the hierarchy that has all the sub-groups listed under it. I hope you got the point.

    Now, if you still cannot see either users or groups in the WebLogic console, but you can connect successfully to AD, this clearly means the AD connection is fine, but the DN values need to be revisited in the WebLogic console for that external AD.

    Thanks
    Ravi Jegga
  • 8. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    user5636757 Newbie
    Ravi Jegga wrote: (quoting reply 7 above)
    Thanks Ravi.
    Yes, I see my directory's users and groups in weblogic.

    Something is wrong in connecting these two (users and groups). It gives an exception when I browse the groups of a user.
    It could be incorrect configuration in WebLogic or incorrect settings in the directory as well.

    In directory, this is how I am mapping users and groups:

    ou=system
    --->ou=groups
    ------>cn=group1 [its important attributes are: cn=group1 and uniqueMember=user1]
    --->ou=users
    ------>uid=user1 [it's important attributes are: uid=user1, cn=firstname, sn=lastname]
    Is this correct way of associating users with groups in LDAP server?
    I'll recheck configuration of providers & update.

    Thanks.

  • 9. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    user5636757 Newbie
    Okay, so this was culprit for exception:
    <wls:static-group-dns-from-member-dn-filter>(&(uniquemember=%M)(objectclass=groupofuniquenames))</wls:static-group-dns-from-member-dn-filter>

    I had blank before. With this default value, it's not throwing exception.

    However it still doesn't show groups for user. Looks like my LDAP server doesn't have correct data...

    Thanks!

  • 10. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    user5636757 Newbie
    I think now everything depends on correct users and groups setup in LDAP server.

    I can't log in to the WebLogic console using an LDAP server user, because probably the user has to be in the Administrators group to access the console...
  • 11. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    user5636757 Newbie
    Guys, as an update, now I see the correct group for a user in the WLS console.

    Here is how my configuration look:

    <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
    <sec:name>apache_ds_identity_store</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:port>10389</wls:port>
    <wls:user-object-class>inetOrgPerson</wls:user-object-class>
    <wls:user-name-attribute>uid</wls:user-name-attribute>
    <wls:principal>uid=admin,ou=system</wls:principal>
    <wls:user-base-dn>ou=users,ou=system</wls:user-base-dn>
    <wls:credential-encrypted>{AES}KA//VoKcnAbT1y26JoDi1i+j5OHhTtLd8IfgwZPDQYQ=</wls:credential-encrypted>
    <wls:user-from-name-filter>(&amp;(uid=%u)(objectclass=inetOrgPerson))</wls:user-from-name-filter>
    <wls:all-users-filter>(&amp;(uid=*)(objectclass=inetOrgPerson))</wls:all-users-filter>
    <wls:group-base-dn>ou=groups,ou=system</wls:group-base-dn>
    <wls:group-from-name-filter>(&amp;(cn=%g)(objectclass=groupOfUniqueNames))</wls:group-from-name-filter>
    <wls:all-groups-filter>(&amp;(cn=*)(objectclass=groupOfUniqueNames))</wls:all-groups-filter>
    <wls:static-group-object-class>groupOfUniqueNames</wls:static-group-object-class>
    <wls:static-member-dn-attribute>uniqueMember</wls:static-member-dn-attribute>
    <wls:static-group-dns-from-member-dn-filter>(&amp;(uniqueMember=%M)(objectclass=groupOfUniqueNames))</wls:static-group-dns-from-member-dn-filter>
    </sec:authentication-provider>


    Nothing special, all default values only...


    In LDAP directory, I associated user to group with uniqueMember property of group.
    In Apache DS, there was already an entry for the admin user in the Administrator group, which was a bit unusual; I think that was causing the problem. I removed it and now it works: the WLS console shows the Administrator group for the other users added in the uniqueMember property of the Administrator group.


    Only issue remains is, I still can't login to WLS console with any of my directory user.

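The configuration in reply 11 only works because every placeholder is wired to the right directory shape: `%u` resolves the user's entry under the user base DN, and `%M` is then replaced by that entry's full DN and searched against `uniqueMember` under the group base DN. The example below is added here and is not from the thread or from WebLogic: it runs those two filter templates against an in-memory copy of the `ou=system` layout described in reply 8 (entries constructed for the example), using a small RFC 4515 filter parser that stands in for the real LDAP server. It shows why the bare `uniqueMember=user1` value from reply 8 never matches the member-DN filter, why an empty `static-group-dns-from-member-dn-filter` cannot produce groups at all, and how escaping the substituted name keeps a login name like `*)(uid=*` from changing the filter's structure. The `sec`/`wls` namespace URIs are assumed, and whether WebLogic itself escapes substituted values is not asserted here.

```python
# Added example (not from the thread): exercise the final provider's filter templates.
import re
import xml.etree.ElementTree as ET

# Namespace URIs assumed for a WebLogic config.xml security-provider fragment.
SEC = "http://xmlns.oracle.com/weblogic/security"
WLS = "http://xmlns.oracle.com/weblogic/security/wls"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# The provider block from reply 11, reduced to the settings this example uses.
PROVIDER_XML = f"""<sec:authentication-provider xmlns:sec="{SEC}" xmlns:wls="{WLS}"
    xmlns:xsi="{XSI}" xsi:type="wls:active-directory-authenticatorType">
  <sec:name>apache_ds_identity_store</sec:name>
  <wls:user-base-dn>ou=users,ou=system</wls:user-base-dn>
  <wls:user-from-name-filter>(&amp;(uid=%u)(objectclass=inetOrgPerson))</wls:user-from-name-filter>
  <wls:group-base-dn>ou=groups,ou=system</wls:group-base-dn>
  <wls:static-member-dn-attribute>uniqueMember</wls:static-member-dn-attribute>
  <wls:static-group-dns-from-member-dn-filter>(&amp;(uniqueMember=%M)(objectclass=groupOfUniqueNames))</wls:static-group-dns-from-member-dn-filter>
</sec:authentication-provider>"""

# Constructed directory: the user/group shape from reply 8, plus one group whose
# uniqueMember holds a bare name instead of a DN (the mistake reply 8 shows).
DIRECTORY = {
    "uid=user1,ou=users,ou=system": {"objectclass": ["inetOrgPerson", "top"], "uid": ["user1"]},
    "cn=group1,ou=groups,ou=system": {"objectclass": ["groupOfUniqueNames"],
                                      "uniquemember": ["uid=user1,ou=users,ou=system"]},
    "cn=broken,ou=groups,ou=system": {"objectclass": ["groupOfUniqueNames"], "uniquemember": ["user1"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping, so a substituted name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand(template, **subs):
    """Expand the WebLogic placeholders %u (user name), %g (group name), %M (member DN)."""
    names = {"u": "user", "g": "group", "M": "member_dn"}
    return re.sub(r"%([ugM])", lambda m: escape_filter_value(subs[names[m.group(1)]]), template)

def parse_filter(s):
    """Minimal RFC 4515 parser: ('&'|'|', [children]) or ('=', attr, value)."""
    def parse(i):
        assert s[i] == "(", "filter must start with '('"
        i += 1
        if s[i] in "&|":
            op, i, children = s[i], i + 1, []
            while s[i] == "(":
                child, i = parse(i)
                children.append(child)
            return (op, children), i + 1
        j = s.index(")", i)  # safe: a literal ')' inside a value is escaped as \29
        attr, _, value = s[i:j].partition("=")
        return ("=", attr.lower(), value), j + 1
    return parse(0)[0]

def _value_matches(pattern, actual):
    """'*' is a wildcard, '\\xx' is an escaped literal, comparison is case-insensitive."""
    unescape = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    regex = ".*".join(re.escape(unescape(part)) for part in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None

def matches(node, entry):
    op = node[0]
    if op == "=":
        return any(_value_matches(node[2], v) for v in entry.get(node[1], []))
    return (all if op == "&" else any)(matches(c, entry) for c in node[1])

def search(base_dn, filter_str):
    """Subtree search over DIRECTORY, standing in for the provider's LDAP queries."""
    node = parse_filter(filter_str)
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if dn.lower().endswith(base_dn.lower()) and matches(node, entry))

def load_provider(xml_text):
    root = ET.fromstring(xml_text)
    get = lambda tag: (root.findtext(f"{{{WLS}}}{tag}") or "").strip()
    return {"user_base_dn": get("user-base-dn"), "user_filter": get("user-from-name-filter"),
            "group_base_dn": get("group-base-dn"), "member_attr": get("static-member-dn-attribute"),
            "member_groups_filter": get("static-group-dns-from-member-dn-filter")}

def groups_for_user(cfg, username):
    """The two-step lookup behind listMemberGroups: resolve the user's DN, then the groups naming it."""
    if not cfg["member_groups_filter"]:
        raise ValueError("static-group-dns-from-member-dn-filter is empty; group lookup is impossible")
    users = search(cfg["user_base_dn"], expand(cfg["user_filter"], user=username))
    if len(users) != 1:
        return []
    return search(cfg["group_base_dn"], expand(cfg["member_groups_filter"], member_dn=users[0]))

def check_config(cfg):
    """Lint for the two problems the thread hit; returns a list of findings."""
    findings = []
    if not cfg["member_groups_filter"]:
        findings.append("static-group-dns-from-member-dn-filter is empty")
    for dn in search(cfg["group_base_dn"], "(objectclass=groupOfUniqueNames)"):
        for member in DIRECTORY[dn].get(cfg["member_attr"].lower(), []):
            if "=" not in member:
                findings.append(f"{dn}: {cfg['member_attr']}={member!r} is not a DN")
    return findings

if __name__ == "__main__":
    cfg = load_provider(PROVIDER_XML)
    print("groups of user1:", groups_for_user(cfg, "user1"))
    print("findings:", check_config(cfg))
    print("hostile name expands to:", expand(cfg["user_filter"], user="*)(uid=*"))
```

Run stand-alone, it reports `cn=group1` as user1's only group, flags `cn=broken` because its `uniqueMember` is not a DN, and shows the hostile login name expanding to `(&(uid=\2a\29\28uid=\2a)(objectclass=inetOrgPerson))`, which matches nothing instead of matching every user. The same checks are easy to run against the real server with `ldapsearch` using the expanded filters and base DNs, which is the quickest way to confirm the provider settings before restarting WebLogic.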
  • 12. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    803725 Newbie
    In order to log in to the console using the LDAP users, you would need to assign the Admin, Deployer, Operator or Monitor role (depending on the level of access you want to grant the users) to the group(s) or the specific user(s) whom you want to allow access to the console.

    For that

    Login to the console

    Navigate to DOMAIN_STRUCTURE--->Security Realms--->myrealm---->Roles and Policies--->Global Roles (expand)----->Roles (expand)

    If you want to give them Admin privileges:

    Click on "View Role Condition" in front of the Admin role and click on "Add Conditions". By default the drop-down will show Group; click Next.

    Write the name of the group, click on the "Add" button and click on "Finish". You will see the role condition created.

    Now click on Save button.

    Log out of the console and try logging in again using a user belonging to the group, and check whether you are able to log in.

    You can add a specific user as well instead of a group, and then only that user will be granted the Admin role.

    HTH

    Regards,
    Vijay
  • 13. Re: external LDAP directory (Apache Directory Server) with WebLogic server
    user5636757 Newbie
    V Kumar wrote: (quoting reply 12 above)
    Thanks Vijay. It's fixed now. It was this issue: Re: can't login to WLS console with directory's user

    Thanks anyway!
