Oracle ADF Code Corner: How-to configure OID for authentication in WebLogic Server
A frequent question posted on the Oracle Technology
Network (OTN) forum for Oracle JDeveloper 11 is how to configure the
Oracle Internet Directory (OID) as an authentication provider in WebLogic
Server. This how-to document aims to answer this question for container
managed authentication and authorization.
Written by Frank Nimphius,
Oracle Corporation
26-Oct-2008
Introduction
Oracle WebLogic Server provides a pluggable security architecture in which
authentication providers handle user identification. One of the authentication
providers shipped with WebLogic Server is a generic LDAP authenticator. Oracle Internet
Directory (OID) is an LDAP v3 compliant server and can therefore be configured with WLS
for authentication. There are plans to provide an OID-specific provider in a later version
of Oracle WebLogic Server. Until then, the generic LDAP provider will do.
Choosing a WebLogic Server Domain
Two kinds of Oracle WebLogic Server domain exist for which you may want to configure
Oracle Internet Directory (OID): the integrated WebLogic Server that ships with Oracle
JDeveloper 11, or a stand-alone WebLogic Server. This how-to document explains the
configuration for a stand-alone WebLogic Server instance. It is important to note that
OID cannot be used with the integrated WebLogic Server in Oracle JDeveloper 11 to
authenticate applications that have ADF Security enabled. The reason is that during
application testing, the content of jazn-data.xml is deployed to the WebLogic Server
instance: all users and groups configured in jazn-data.xml are created in WLS, and existing
users and groups of the same name are removed and re-created. This only works with the
embedded LDAP server in WLS.
Configuring WLS
Launch the Oracle WebLogic Server domain to configure. If it is the integrated WLS
domain in Oracle JDeveloper 11, start the server from Run | Start Server Instance.
Open a web browser and point it to http://localhost:7001/console (or port 7101 for the
integrated server instance), assuming that the server is installed on the local machine.
Connect to the WLS console with the administrator account, which by default is
weblogic/weblogic. If that default password is still in place, change it before the
console is reachable from anywhere but the local machine.
In the WLS console, click the Security Realm in the Domain
Structure area. In the opened page, click the default realm, myrealm,
to open the realm configuration page. Click the Providers tab
to access the authentication provider dialog.
On the authentication provider page, click the New button
to create a new provider.
Type OID as a name to identify the instance or choose a name
of your choice. Choose LDAPAuthenticator as the authentication
provider type and press OK.
Select the new authentication provider instance to navigate to the configuration
page.
Keep the default settings for now. It is important not to change the Control
Flag until you have verified that the OID configuration is valid. If the OID provider
is to be the only authentication provider, make sure the WebLogic Server administrator
account and the groups it is a member of (at least Administrators) exist in OID.
Otherwise the WLS domain would not start up properly. Select the Provider Specific
tab.
Edit the following properties in the Provider Specific configuration (attribute, value,
description):

Propagate Cause For Login Exception: checked
    Propagates exceptions thrown by OID, such as password expired exceptions, to WLS so
    they show in the console and the logs.
Principal: cn=orcladmin
    The account WLS binds with to search OID for users and groups. cn=orcladmin is the
    OID super-user; for production, a dedicated account with read access to the user and
    group subtrees is the safer choice.
Host: <the OID hostname>
    The host name of the OID server.
Use Retrieved User Name as Principal: checked
    Specifies whether or not the user name retrieved from the LDAP server should be used
    as the Principal in the Subject.
Credential: orcladmin password
    Password that authenticates the OID admin account.
Confirm Credential: orcladmin password
    Repeat of the credential.
Group Base DN: <oid group search base>
    The value of the "Group Search Base" attribute in OID. The value looks like
    cn=Groups,dc=us,dc=oracle,dc=com and can be looked up in the OIDDAS administration
    dialog.
User Base DN: <oid user search base>
    The value of the "User Search Base" attribute in OID. The value looks like
    cn=users,dc=us,dc=oracle,dc=com and can be looked up in the OIDDAS administration
    dialog.
Port: 389
    The OID port, 389 by default. Note that 389 is the non-SSL LDAP port: the bind
    credential and every user password verified through this provider cross the network
    in clear text unless you also check SSLEnabled and use the OID SSL port (636 by
    LDAPS convention; check what your OID instance listens on).
Press Save when finished. You need to restart the WebLogic Server instance for the
changes to take effect. Note that the authentication providers in a WLS security realm
form a chain (a JAAS login module stack): a login attempt is passed through the providers
in the order in which they are listed, and each provider's Control Flag determines how its
success or failure contributes to the overall result. This is why the new provider should
stay at its default of OPTIONAL for now. An OPTIONAL provider is allowed to fail without
causing server startup or user authentication to fail, as long as another provider (here the
DefaultAuthenticator backed by the embedded LDAP server) authenticates the user.
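The console steps above can also be scripted. The following WLST script is an added example written for this how-to, not Oracle's own code: it creates the LDAPAuthenticator instance with the Provider Specific settings from the table, leaves the Control Flag at OPTIONAL and runs under wlst.sh after connecting to the admin server. The host name, search bases, domain name, admin URL and passwords are placeholders that you must replace; reading the credential from a file or prompt instead of a literal is left to the reader. SSL is on by default here, with the LDAPS port 636 as an assumption; pass the port your OID instance uses. Outside WLST (plain Python) the script only prints the settings it would apply.

```python
# Added example for this how-to (not Oracle's code): create the OID
# authentication provider with WLST instead of the console.
# Usage: wlst.sh configure_oid.py   (placeholders below must be replaced)

OID_PROVIDER_NAME = 'OID'
LDAP_AUTHENTICATOR = 'weblogic.security.providers.authentication.LDAPAuthenticator'
LDAPS_PORT = 636   # assumption: LDAPS convention; use the port your OID listens on


def oid_provider_attributes(host, user_base_dn, group_base_dn,
                            principal, credential, ssl=1, port=None):
    """Map the 'Provider Specific' settings from the table to the
    LDAPAuthenticatorMBean attribute names. Plain Python, so it can be
    checked outside WLST. ssl is 1/0 because WLST defines true/false as 1/0."""
    if port is None:
        port = ssl and LDAPS_PORT or 389
    return {
        'Host': host,
        'Port': port,
        'SSLEnabled': ssl,
        'Principal': principal,
        'Credential': credential,
        'UserBaseDN': user_base_dn,
        'GroupBaseDN': group_base_dn,
        'UseRetrievedUserNameAsPrincipal': 1,
        'PropagateCauseForLoginException': 1,
        # Stay OPTIONAL until the Users and Groups tab shows OID entries.
        'ControlFlag': 'OPTIONAL',
    }


def configure_oid_provider(domain, realm, attrs):
    """Create the provider and apply attrs. Uses the WLST built-ins
    (edit, startEdit, cd, cmo, save, activate), so call it only from
    wlst.sh after connect()."""
    edit()
    startEdit()
    cd('/SecurityConfiguration/%s/Realms/%s' % (domain, realm))
    cmo.createAuthenticationProvider(OID_PROVIDER_NAME, LDAP_AUTHENTICATOR)
    cd('AuthenticationProviders/' + OID_PROVIDER_NAME)
    for name, value in attrs.items():
        getattr(cmo, 'set' + name)(value)   # e.g. cmo.setHost(value)
    save()
    activate()


def set_control_flag(domain, realm, flag):
    """Second step, after the provider has been verified: change the
    Control Flag (e.g. to 'SUFFICIENT'). A server restart is still needed."""
    edit()
    startEdit()
    cd('/SecurityConfiguration/%s/Realms/%s/AuthenticationProviders/%s'
       % (domain, realm, OID_PROVIDER_NAME))
    cmo.setControlFlag(flag)
    save()
    activate()


# Placeholder values (assumptions for this example; replace for your site).
ATTRS = oid_provider_attributes(host='oid.example.com',
                                user_base_dn='cn=users,dc=example,dc=com',
                                group_base_dn='cn=Groups,dc=example,dc=com',
                                principal='cn=orcladmin',
                                credential='orcladmin-password')

try:
    connect      # WLST built-in; undefined when run by plain python
except NameError:
    # Dry run outside WLST: show the settings that would be applied.
    names = list(ATTRS.keys())
    names.sort()
    for n in names:
        if n != 'Credential':
            print('%s = %s' % (n, ATTRS[n]))
else:
    connect('weblogic', 'weblogic', 't3://localhost:7001')   # placeholders
    configure_oid_provider('base_domain', 'myrealm', ATTRS)  # domain name assumed
    disconnect()
```

After the restart and the Users and Groups check described next, run set_control_flag with the flag you decided on; the attribute names used above are those of the LDAPAuthenticatorMBean and correspond one to one to the console fields.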
Once the server is up again, connect to the WLS console. Click Security Realms in the
Domain Structure area. In the opened page, click the default realm, myrealm, to open
the realm configuration page. Select the Users and Groups tab to see a list of users
and groups from all configured authentication providers. You should see user names
from OID, which shows that WLS can bind to OID with the configured principal and
search the user and group base DNs. It does not yet prove that logins work: also
test a login with an OID user against a secured application before changing the
Control Flag.
If the OID instance is configured successfully, you can change the Control Flag.
The four values follow the JAAS login module semantics:

SUFFICIENT
    If the provider authenticates the user, no further providers are consulted
    (unless a REQUIRED or REQUISITE provider earlier in the chain has already
    failed); if it fails, authentication continues with the next provider. Choose
    this if OID authentication is sufficient for an application to identify the user.
REQUIRED
    The provider must succeed for the login to succeed, even if another provider
    already authenticated the user; on failure the remaining providers are still
    called, but the login fails.
REQUISITE
    Like REQUIRED, except that on failure the remaining providers are not called.
OPTIONAL
    Success or failure of this provider does not matter, unless it is the only
    provider that succeeds.

Remember that the DefaultAuthenticator is REQUIRED by default. If OID is set to
REQUIRED or REQUISITE as well, every user, including the weblogic administrator, must
exist in both directories. Setting OID to SUFFICIENT and moving it above the
DefaultAuthenticator (Reorder button on the Providers tab) lets OID users log in
without being present in the embedded LDAP server, while users that OID does not
know, such as the weblogic administrator, still fall through to the DefaultAuthenticator.
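How the Control Flags combine is easier to see by running the chain than by reading the rules, so here is an added example, written for this how-to and not part of WebLogic: a small model of the JAAS login module stack that WLS uses, with two in-memory stand-ins for the directories (a constructed OID holding one application user, and a constructed embedded LDAP holding the weblogic administrator). The provider names and users are assumptions; the stacking rules are the JAAS ones described above.

```python
# Added example (not WebLogic code): JAAS control-flag semantics applied to a
# chain of WLS authentication providers. Directories are constructed stand-ins.

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    'REQUIRED', 'REQUISITE', 'SUFFICIENT', 'OPTIONAL')


class Provider:
    """One authentication provider: a name, its Control Flag and the users
    (name -> password) its directory knows about."""

    def __init__(self, name, flag, users):
        self.name, self.flag, self.users = name, flag, users

    def login(self, user, password):
        return self.users.get(user) == password


def authenticate(providers, user, password):
    """Run the chain in order with JAAS stacking rules.
    Returns (success, trace) where trace lists (provider, result) for every
    provider that was actually consulted."""
    trace, required_failed, any_success = [], False, False
    for p in providers:
        ok = p.login(user, password)
        trace.append((p.name, ok))
        if p.flag in (REQUIRED, REQUISITE):
            if ok:
                any_success = True
            else:
                required_failed = True
                if p.flag == REQUISITE:
                    break            # REQUISITE failure: stop immediately
        elif p.flag == SUFFICIENT:
            if ok:
                any_success = True
                if not required_failed:
                    break            # SUFFICIENT success: remaining providers skipped
        else:                        # OPTIONAL: only matters if nothing else succeeds
            if ok:
                any_success = True
    return (any_success and not required_failed), trace


# Constructed directory contents for the example.
OID_USERS = {'jdoe': 'oid-pass'}                  # application user, OID only
EMBEDDED_USERS = {'weblogic': 'weblogic'}         # admin, embedded LDAP only


def chain(oid_flag, oid_first):
    """Build the realm's provider list with the DefaultAuthenticator REQUIRED
    (its default) and the OID provider with the given flag and position."""
    oid = Provider('OID', oid_flag, OID_USERS)
    default = Provider('DefaultAuthenticator', REQUIRED, EMBEDDED_USERS)
    return [oid, default] if oid_first else [default, oid]


# The situations discussed in the text, as named checks.
def admin_login_while_oid_optional():
    # Verification setting: OID OPTIONAL after the default provider.
    return authenticate(chain(OPTIONAL, False), 'weblogic', 'weblogic')[0]

def oid_user_while_oid_optional():
    # Why OPTIONAL is only for verification: OID user not in embedded LDAP.
    return authenticate(chain(OPTIONAL, False), 'jdoe', 'oid-pass')[0]

def admin_login_with_oid_required():
    # The lockout warned about: both providers REQUIRED, admin missing from OID.
    return authenticate(chain(REQUIRED, False), 'weblogic', 'weblogic')[0]

def oid_user_with_oid_sufficient():
    # Recommended setting: OID SUFFICIENT, listed first.
    success, trace = authenticate(chain(SUFFICIENT, True), 'jdoe', 'oid-pass')
    return success, len(trace)      # DefaultAuthenticator never consulted

def admin_login_with_oid_sufficient():
    return authenticate(chain(SUFFICIENT, True), 'weblogic', 'weblogic')[0]

def bad_password_with_oid_sufficient():
    return authenticate(chain(SUFFICIENT, True), 'jdoe', 'wrong')[0]


if __name__ == '__main__':
    for check in (admin_login_while_oid_optional, oid_user_while_oid_optional,
                  admin_login_with_oid_required, oid_user_with_oid_sufficient,
                  admin_login_with_oid_sufficient, bad_password_with_oid_sufficient):
        print('%-34s -> %s' % (check.__name__, check()))
```

The two results worth noting are that an OID-only user is rejected while OID is OPTIONAL (the REQUIRED DefaultAuthenticator has no such user), and that the administrator is locked out as soon as OID is REQUIRED without the weblogic account existing in OID; SUFFICIENT placed first avoids both problems.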