Sunday, January 27, 2013

Active Directory user management with the IdentityStore framework of FMW

With the IdentityStore framework of Fusion Middleware you can create or change users and roles in almost any LDAP server. With it, an authenticated user can change their own password from an ADF page, and your own ADF admin page can create a user together with its roles, without the application code knowing LDAP or which LDAP server is behind it.

The IdentityStore framework automatically detects the LDAP servers configured as WebLogic authenticators. The default is the internal WebLogic LDAP, which is also the first authenticator. You can add other LDAP servers such as Microsoft Active Directory or Oracle Internet Directory; for the framework to see more than the first authenticator you need to set the virtualize property to true on the idstore.ldap serviceInstance entry (in jps-config.xml).
In this case I will make the AD Authenticator the first authenticator and not use the virtualize property. This way I can retrieve all the LDAP attributes and know for sure that new users are created in AD and not in the local WebLogic LDAP.

To create a user or change a password in AD we need to use LDAPS (port 636, not 389). Otherwise AD refuses the write and you get this error: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190E49, problem 5003 (WILL_NOT_PERFORM), data 0 ];

This means we need to configure SSL.

The first step is to import the AD CA certificate and the AD server certificate into the local WebLogic trust store (here the DemoTrust.jks demo trust store of the development domain; a production domain should use its own custom trust store).

keytool.exe -importcert -trustcacerts -alias ad_ca -file C:\2008-ca.cer -keystore C:\oracle\JDEV11~1.6\WLSERV~1.3\server\lib\DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase

Trust this certificate? [no]: yes

keytool.exe -importcert -trustcacerts -alias ad_pub -file C:\2008-pub.cer -keystore C:\oracle\JDEV11~1.6\WLSERV~1.3\server\lib\DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase

We also need to set Hostname Verification to None in the server's SSL settings; this disables the check that the certificate subject matches the AD host name.

Create the AD Authenticator and set the Control Flag of every authenticator to Sufficient (including the default authenticator).

Because we need LDAPS, use 636 as the port and enable the SSLEnabled option on the AD Authenticator provider.

Restart the WebLogic server and check that all the AD users and AD roles (groups) are visible in the WebLogic Console.

Here is the Java code to change the password of the AD user:

Here is the code to create an AD user with a password, add an AD role to this user and set its userAccountControl attribute to 66048.
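The two operations described above (changing a password and creating a user with a role and userAccountControl 66048) written against the IdentityStore API, as an added example; this is not the code from the post or from its demo application. It assumes the AD Authenticator is the first authenticator as set up above, and it assumes the oracle.security.idm and oracle.security.jps class and method names as documented in the OPSS Javadoc; the class name AdUserAdmin is hypothetical.

```java
import oracle.security.idm.IMException;
import oracle.security.idm.IdentityStore;
import oracle.security.idm.ModProperty;
import oracle.security.idm.Property;
import oracle.security.idm.PropertySet;
import oracle.security.idm.Role;
import oracle.security.idm.User;
import oracle.security.idm.UserProfile;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.idstore.IdentityStoreService;

public class AdUserAdmin {
    // userAccountControl bits defined by Microsoft: NORMAL_ACCOUNT = 512, DONT_EXPIRE_PASSWORD = 65536,
    // so 512 + 65536 = 66048 (the value the post uses). A user created over LDAP starts out disabled, so
    // writing this value also enables the account; use 512 alone if the domain password expiry should apply.
    public static final int UAC_NORMAL_ACCOUNT = 512;
    public static final int UAC_DONT_EXPIRE_PASSWORD = 65536;
    public static final int UAC_FOR_NEW_USER = UAC_NORMAL_ACCOUNT + UAC_DONT_EXPIRE_PASSWORD; // 66048

    /** IdentityStore of the first WebLogic authenticator, the AD Authenticator in this setup (no virtualize). */
    static IdentityStore identityStore() throws JpsException {
        IdentityStoreService svc = JpsContextFactory.getContextFactory().getContext()
                .getServiceInstance(IdentityStoreService.class);
        return svc.getIdmStore();
    }

    /** Changes a user's password. AD rejects this with error 53 (WILL_NOT_PERFORM) unless the connection is LDAPS. */
    public static void changePassword(String userName, char[] oldPw, char[] newPw) throws JpsException, IMException {
        User user = identityStore().searchUser(userName);
        user.getUserProfile().setPassword(oldPw, newPw);
    }

    /** Creates an AD user with an initial password, sets userAccountControl to 66048 and grants a role. */
    public static User createUser(String userName, char[] password, String firstName, String lastName,
                                  String roleName) throws JpsException, IMException {
        IdentityStore store = identityStore();
        PropertySet attrs = new PropertySet();
        attrs.put(new Property(UserProfile.FIRST_NAME, firstName));
        attrs.put(new Property(UserProfile.LAST_NAME, lastName));
        User user = store.getUserManager().createUser(userName, password, attrs);
        // "userAccountControl" is the raw AD attribute name (assumed to be passed through unchanged by the framework).
        user.getUserProfile().setProperty(
                new ModProperty("userAccountControl", String.valueOf(UAC_FOR_NEW_USER), ModProperty.REPLACE));
        Role role = store.searchRole(IdentityStore.SEARCH_BY_NAME, roleName);
        store.getRoleManager().grantRole(role, user.getPrincipal());
        return user;
    }
}
```

Both methods are only expected to succeed when the AD Authenticator is configured for LDAPS as described earlier; over plain LDAP the password write fails with the error 53 shown above.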

You can download the demo application from GitHub.


  1. Edwin, we got the application up and running against an OUD (Oracle Unified Directory) using an open LDAP Identity provider.

    We hit an issue when we attempt to change the password with the message:

    oracle.ods.virtualization.service.VirtualizationException: Virtualization Session closed

    have you seen this error before?

    1. Hi,

      Are you using OpenLDAP for OUD? Is there no OID provider? And does it work in a normal LDAP browser with an LDIF file?


  2. Hi Edwin,
    I created a BAM adapter in JDeveloper and imported it into the OSB server via the OSB console. On creating a business service from the JCA I am not getting jca in the transport protocol drop-down list. If I try to generate the service directly from the JCA I am getting "Transport provider with id 'jca' is not registered".


    1. Hi,

      Don't think BAM is supported in OSB 11g, you should check the documentation.


  3. Hi, Edwin,
    We are trying to figure out the best way to utilize authorization groups in AD with WebLogic to control access to Apex applications with the Listener 2.0.2. One approach seems to be implementing Shibboleth (SAML 2) to access group membership assertions, but would it not be possible to use the above AD integration to also obtain group memberships? In our case we are not interested in creating users, but rather in accessing group attributes. Does WebLogic have the level of integration with AD needed to access group memberships in AD? Can someone point us to a good resource for determining how to do this?