
Monday, October 27, 2008

Using OpenLDAP as security provider in WebLogic

Frank Nimphius' post on OTN about using OID as security provider in WebLogic inspired me to use OpenLDAP instead of OID. I will be using the standard LDAPAuthenticator for OpenLDAP too. Here are my steps to make it work.

Here is the ldif file I used.

First we create an organisation unit called groups.

Do the same for persons.
Add some persons to the persons organisation unit.

We can create a new group called ICT in the groups organisation unit and add the just created persons as member attributes.

Go to the default security realm and add a new LDAPAuthenticator provider called OpenLDAP.

Select the OpenLDAP provider and go to the Provider Specific tab where we will change some properties.

These are the OpenLDAP settings:
  • User Name Attribute: sn
  • Principal: o=sgi,c=us
  • Enable Propagate Cause For Login Exception
  • Host: localhost
  • User Object Class: person
  • Static Member DN Attribute: member
  • Group From Name Filter: (&(cn=%g)(objectclass=groupofNames))
  • Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=groupofNames))
  • Enable Use Retrieved User Name as Principal
  • Credential: your ldap password
  • Confirm Credential: your ldap password
  • Group Base DN: ou=groups, o=thecompany, o=sgi,c=us
  • User From Name Filter: (&(sn=%u)(objectclass=person))
  • Static Group Name Attribute: cn
  • User Base DN: ou=persons, o=thecompany, o=sgi,c=us
  • Static Group Object Class: groupofNames
Restart WebLogic and go to the Users and Groups tab of the default security realm.
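As an added example (not part of the original post), here is an LDIF with the same layout the post describes (o=sgi,c=us, o=thecompany, ou=persons and ou=groups, persons with an sn attribute, a groupOfNames called ICT with member attributes) together with a small evaluator that applies the provider settings above (User From Name Filter, Group From Name Filter, Static Group DNs from Member DN Filter, the base DNs) to those entries. It lets you dry-run the user and group lookups WebLogic will perform before restarting the server. The person names are constructed sample data; the evaluator only understands the AND-of-equality filters used in the settings, and it RFC 4515-escapes the substituted login name the way a real provider must, so that a name containing `(`, `)`, `*` or `\` cannot change the filter. It also shows the weak spot of using `sn` as User Name Attribute: two persons sharing a surname make the login name ambiguous.

```python
import re

# Constructed sample LDIF in the structure the post describes (not the author's file).
SAMPLE_LDIF = """\
dn: o=sgi,c=us
objectClass: organization
o: sgi

dn: o=thecompany,o=sgi,c=us
objectClass: organization
o: thecompany

dn: ou=persons,o=thecompany,o=sgi,c=us
objectClass: organizationalUnit
ou: persons

dn: ou=groups,o=thecompany,o=sgi,c=us
objectClass: organizationalUnit
ou: groups

dn: cn=John Doe,ou=persons,o=thecompany,o=sgi,c=us
objectClass: person
cn: John Doe
sn: doe
userPassword: secret

dn: cn=Jane Roe,ou=persons,o=thecompany,o=sgi,c=us
objectClass: person
cn: Jane Roe
sn: roe
userPassword: secret

dn: cn=Jim Doe,ou=persons,o=thecompany,o=sgi,c=us
objectClass: person
cn: Jim Doe
sn: doe
userPassword: secret

dn: cn=ICT,ou=groups,o=thecompany,o=sgi,c=us
objectClass: groupOfNames
cn: ICT
member: cn=John Doe,ou=persons,o=thecompany,o=sgi,c=us
member: cn=Jane Roe,ou=persons,o=thecompany,o=sgi,c=us
"""

# Provider-specific settings copied from the post (spaces after commas included).
USER_BASE_DN = "ou=persons, o=thecompany, o=sgi,c=us"
GROUP_BASE_DN = "ou=groups, o=thecompany, o=sgi,c=us"
USER_FROM_NAME_FILTER = "(&(sn=%u)(objectclass=person))"
GROUP_FROM_NAME_FILTER = "(&(cn=%g)(objectclass=groupofNames))"
GROUPS_FROM_MEMBER_FILTER = "(&(member=%M)(objectclass=groupofNames))"


def parse_ldif(text):
    """Parse minimal LDIF (no folded lines, no base64) into {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries[dn] = attrs
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def norm_dn(dn):
    """Normalise a DN for comparison: trim around commas, lower-case."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def matches(attrs, flt):
    """Evaluate a filter of the form (&(a=v)(b=w)...) against one entry.
    Attribute names and values compare case-insensitively, as OpenLDAP does
    for the attributes used here."""
    assert flt.startswith("(&") and flt.endswith(")"), "only AND-of-equality filters"
    for attr, value in re.findall(r"\(([^=()]+)=([^()]*)\)", flt[2:-1]):
        wanted = unescape_filter_value(value).lower()
        if wanted not in (v.lower() for v in attrs.get(attr.lower(), [])):
            return False
    return True


def search(entries, base_dn, flt):
    """Subtree search: DNs below base_dn whose entry matches the filter."""
    suffix = "," + norm_dn(base_dn)
    return [dn for dn, attrs in entries.items()
            if norm_dn(dn).endswith(suffix) and matches(attrs, flt)]


def find_user(entries, username):
    """What the authenticator does at login: the name must map to exactly one DN."""
    flt = USER_FROM_NAME_FILTER.replace("%u", escape_filter_value(username))
    hits = search(entries, USER_BASE_DN, flt)
    if len(hits) != 1:
        raise LookupError("expected one user for %r, got %d" % (username, len(hits)))
    return hits[0]


def find_group(entries, group_name):
    flt = GROUP_FROM_NAME_FILTER.replace("%g", escape_filter_value(group_name))
    return search(entries, GROUP_BASE_DN, flt)


def groups_of(entries, user_dn):
    """Static group membership: groups whose member attribute holds the user DN."""
    flt = GROUPS_FROM_MEMBER_FILTER.replace("%M", escape_filter_value(user_dn))
    return [entries[dn]["cn"][0] for dn in search(entries, GROUP_BASE_DN, flt)]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    jane = find_user(directory, "roe")
    print(jane, "->", groups_of(directory, jane))
    try:
        find_user(directory, "doe")          # two persons with sn=doe: ambiguous
    except LookupError as exc:
        print("login 'doe' rejected:", exc)
```

Running it shows `roe` resolving to Jane Roe with group ICT, while `doe` is refused because the sn-based filter returns two entries; in a real directory pick a unique attribute such as uid for User Name Attribute (and adjust User From Name Filter to match) rather than sn.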

13 comments:

  1. Hi,

    We are currently working on a migration project where the application will migrate from JBoss 5.1 to WebLogic 10.3. In JBoss the Realm is configured as below in the server.xml file:



    We also have the configuration below in web.xml for our web application:

    <security-constraint>
        <display-name>Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
        <role-name>manager</role-name>
    </security-role>

    It works perfectly with JBoss. Can you please let me know where I can do a similar configuration in WebLogic 10.3?

    I know we can do this using the Admin console, but I am not sure which property from server.xml maps to which field in the WebLogic config.xml.

    I have also seen here - http://www.coderanch.com/t/421099/BEA-Weblogic/web...en-LDAP-authentication#1857651 but still got some issues.

    ReplyDelete
  2. Hi,

    I can't see the JBoss xml, but you want to use OpenLDAP for your user management; you can also use the internal LDAP of WebLogic.

    Then create the users and roles in the myrealm security,
    or add an OpenLDAP authenticator in the providers and put all the providers on the SUFFICIENT control flag.

    thanks

    ReplyDelete
  3. Hi Edwin,

    I have problems connecting to OpenLDAP from WebLogic server.
    I prepared the LDAP database like in your example but with only one difference. It is at the top: instead of your o=sgi,c=us I have dc=maxcrc,dc=com. The rest of the database is the same as yours.
    To connect to OpenLDAP I'm using these values:
    host: Ozi-Komputer (it is my host)
    port: 389
    Principal: cn=manager, dc=maxcrc, dc=com
    Credential:

    but it doesn't work. I don't know why, because I'm using the same values in other LDAP clients (e.g. phpLDAPadmin, LDAP Browser) and it works.
    I tried to set the values (in slapd.conf) of sockbuf_max_incoming and sockbuf_max_incoming_auth but it still does not work.

    If you would have a little time to look at my situation I would be very thankful.
    In the link below I placed the OpenLDAP log, a screen from LDAP Browser and slapd.conf.

    Thanks in advance!

    ReplyDelete
  4. Sorry. This is this link:

    http://www.sendspace.com/file/dcehff

    ReplyDelete
    Replies
    1. Hi,

      Can you show me the WebLogic security logging (enable debug on security and set the WLS log levels to trace)? This should give me some clues. And did you use the standard LDAP provider or the OpenLDAP one? Nowadays you have the OpenLDAP one.

      Also show me the escaped xml of the LDAP provider config in the WebLogic config.xml.

      thanks

      Delete
  5. Hi Edwin,

    http://www.sendspace.com/file/3vxi8i

    In this package there are 4 screens from my WebLogic server security realm and a part of the config.xml file with the settings of my realm providers.
    I hope that's what you mean. If not, I will send you other info and config settings.

    Thanks in advance!

    ReplyDelete
  6. Maybe this could be helpful...

    When the WebLogic AdminServer is starting this message appears:



    I tried to set the SSL port in the provider settings in WebLogic but it does not work either.

    ReplyDelete
    Replies
    1. Sorry,

      this is the message:

      Warning Security BEA-099117 The LDAP authentication provider named "OpenLDAP" failed to make connection to ldap server at ldaps://Ozi-Komputer:389, the error cause is: Connection reset.

      Delete
    2. Hi,

      You have SSL enabled and are still using the default port 389 instead of the ldaps port (636); please first disable SSL.
      And I see in the config.xml that &amp; is used instead of &, but I don't think this is an issue (probably just escaped xml).

      thanks

      Delete
    3. Ok. Now everything is fine and works :-)

      There were two errors. The first one was the SSL Enabled checkbox, but before that I had tried to configure it without filling in this box.

      The second one was with WebLogic settings. It was the same problem like in this post:
      https://forums.oracle.com/forums/thread.jspa?threadID=718812&tstart=-1

      I had to change 3 values (ThreadPoolSize, ThreadPoolPercentSocketReaders and SelfTuningThreadPoolSizeMi) in WebLogic configuration.

      As I wrote before, now everything is ok :-)

      Thanks Edwin for your help and interest in my problems :-)

      Regards.

      Delete
  7. Hi Edwin,
    Thanks for the steps. We were able to authenticate the user with OpenLDAP by following them.

    We have the issue on authorization for the ADF application which was perfectly working fine with Embedded LDAP.

    Any pointers will really help us..

    Thanks in Advance.

    Regards
    Sudhakar

    ReplyDelete
    Replies
    1. Hi,

      It should work. Do you see the OpenLDAP user and its roles in the myrealm security? And check the control flag: all authenticators should have SUFFICIENT as value. You can also make it the first authenticator.

      thanks

      Delete
  8. Hi ,

    I am trying to integrate WebLogic with an IPA server (similar to OpenLDAP) and I am able to list the users/groups of the IPA server under the WebLogic Users and Groups section of myrealm.

    But I am not able to log in with IPA users in the WebLogic console; I am getting the error below:

    Authentication Denied

    The username or password has been refused by WebLogic Server. Please try again.

    Please help me to look into this.

    ReplyDelete