Configuring Oracle WebLogic Server Authentication Using Sun Directory Server

This OBE tutorial describes and shows you how to enable a third-party directory server, such as the Sun directory server, as a source for Oracle WebLogic Server authentication.

Approximately 1 hour

Topics

This OBE tutorial covers the following topics:

Overview

By default, users, groups, and roles are stored in Oracle WebLogic Server's embedded Lightweight Directory Access Protocol (LDAP) store, which is hosted on the Administration Server, and authentication is handled internally against that embedded LDAP. In this OBE, you learn how to move users and groups from the embedded LDAP to the Sun directory server, and then authenticate users through a new Sun directory server authentication provider rather than the default authentication provider. Roles and policies, however, remain in the embedded LDAP server.

Scenario

The Dizzyworld system architects want to integrate the standard LDAP corporate directory server with Oracle WebLogic Server.

Verifying the Prerequisites

Before you start the tasks, make sure that your system environment meets the following requirements:

Software Requirements

The system should have Oracle WebLogic Server 10.3 installed. You must also install and configure Sun Directory Server 6.2 using default options. To install and configure Sun DS 6.2, perform the following basic steps:

You must also install and configure the LDAP browser using the default options. To install the LDAP browser, perform the following basic steps:

Setup Requirements

You should have completed the following OBEs:

Viewing Default Users, Groups, and Roles from Administration Console, and Modifying the Embedded LDAP Credentials


To view users, groups, and roles from Administration Console, perform the following steps:

1. Log in to Administration Console.

2. Click Security Realms, and then click myrealm.

3. Under Settings for myrealm, click the Users and Groups tab. You see the default users and groups by clicking the Users and Groups subtabs.

4. Click the Roles and Policies tab. Expand Global Roles > Roles. You see all the default roles.

To modify the credentials of the embedded LDAP server, perform the following steps:

1. Click dizzyworld under Domain Structure on the left panel. Under Settings for dizzyworld on the right panel, click the Security tab, and then click the Embedded LDAP tab.

2. Click the Lock & Edit button under Change Center on the left panel.

3. Change the Credential field value to welcome1, and enter the same value under Confirm Credential. Click the Save button. Click Activate Changes under Change Center on the left panel. After the changes are activated, you must restart the Administration Server: click View changes and restarts under Change Center on the left panel, click the Restart Checklist tab, select AdminServer(admin), and click Stop. Then start the Administration Server using the startWebLogic.sh script.

Configuring the LDAP Browser to Connect to the Sun Directory Server and Embedded LDAP Store

To configure the LDAP browser to connect to the Sun directory server and the embedded LDAP server, perform the following steps:

1. Launch the LDAP browser (make sure that the PATH environment variable includes the JDK/bin directory).

2. Create a new session by clicking the New button. On the Name tab, specify WLS Embedded LDAP. On the Connection tab, specify the following values. Click Save.

3. Create a new session by clicking the New button. On the Name tab, specify SunDS. On the Connection tab, specify the following values. Click Save.

4. Connect to the embedded LDAP server by selecting the WLS Embedded LDAP entry from the Session List and clicking Connect. You can now view the users, groups, and roles stored in the embedded LDAP server.

Exporting Users and Groups from the Embedded LDAP Server and Importing Them into the Sun Directory Server Using the LDAP Browser

Using the LDAP browser, export users and groups from the Oracle WebLogic Server embedded LDAP store. Modify the suffix (DN), and then import the users and groups into the Sun directory server. To achieve this, perform the following steps:

1. Click the ou=groups node in the LDAP browser, and then choose LDIF > Export from the menu. Select All children and specify /home/oracle/groups.ldif as the export location. Click the Export button. Click OK on the message window stating that 8 entries have been exported.

2. Click the ou=people node in the LDAP browser, and then choose LDIF > Export from the menu. Select All children and specify /home/oracle/people.ldif as the export location. Click the Export button. Click OK on the message window stating that 2 entries have been exported.

3. Edit groups.ldif and people.ldif using gedit (or vi). Perform a search and replace: replace ou=myrealm, dc=dizzyworld, and ou=myrealm, dc=dizzyworld with dc=us,dc=oracle,dc=com (22 occurrences in the groups.ldif file and 3 occurrences in the people.ldif file). Save both files, groups.ldif and people.ldif.

4. Log in to Sun Java Web Console as root/<root_pwd> (the root user password is oracle in this illustration). Click Directory Services Control Center (DSCC). Log in using Directory Service Manager/Password as admin/welcome1. Click Manage Registered Directory Servers. Click the directory server named <hostname>:389 (edrsr39p1:389 in this illustration). Click the Schema tab, and then click the Attributes subtab.

5. Create a new user-defined attribute. On the Attributes tab, click the Add button under User-Defined Attributes. Create a new attribute (wlsMemberOf) using the following values:

6. Create a new user-defined object class. Click the Object Classes tab, and then click the Add button under User-Defined Object Classes. Create a new object class (wlsUser) using the following values. Add the user-defined attribute (wlsMemberOf) to the user-defined object class (wlsUser).

7. Connect to the Sun directory server using the LDAP browser by selecting the SunDS entry from the Session List and clicking the Connect button. Click the dc=us,dc=oracle,dc=com node, and import the groups.ldif file and the people.ldif file using LDIF > Import. Log in to Sun Java Web Console and view the users and groups that you imported using the LDAP browser.

8. Edit the Administrators group and add uid=admin,ou=people,dc=us,dc=oracle,dc=com to the uniqueMember attribute.

   Double-click the ou=groups node. Click the cn=Administrators node, and then click the Edit Entry button. Click the Add button next to the Group Member (uniqueMember) attribute. Select uid=admin under the ou=people node and click OK. The entry uid=admin,ou=people,dc=us,dc=oracle,dc=com is added to the uniqueMember attribute value. Click OK.
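Steps 3 and 8 above can also be done with a script, which avoids missing an occurrence that the export has folded across two LDIF lines. The following is an added example, not part of this tutorial or of the LDAP browser: it rewrites the suffix on DN-valued lines of an exported LDIF file and adds uid=admin as a uniqueMember of the Administrators group. The two-record groups.ldif content is a constructed stand-in, not the real export.

```python
import re

OLD_SUFFIX = "ou=myrealm,dc=dizzyworld"            # embedded LDAP naming context
NEW_SUFFIX = "dc=us,dc=oracle,dc=com"              # Sun DS suffix used in the tutorial
DN_ATTRS = ("dn", "uniquemember", "wlsmemberof")   # attributes whose values are DNs

def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    return re.sub(r"\n ", "", ldif_text)

def rewrite_suffix(ldif_text, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Replace `old` with `new` at the end of DN-valued lines. Spacing after
    commas in `old` is tolerated ('ou=myrealm, dc=dizzyworld' also matches);
    base64 ('::') values are left alone. Returns (new_text, replacements)."""
    old_re = re.compile(r",\s*".join(map(re.escape, old.split(","))) + r"\s*$", re.I)
    out, count = [], 0
    for line in unfold(ldif_text).splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.lower() in DN_ATTRS and old_re.search(value):
            line, count = attr + ":" + old_re.sub(new, value), count + 1
        out.append(line)
    return "\n".join(out) + "\n", count

def add_unique_member(ldif_text, group_dn, member_dn):
    """Add member_dn as a uniqueMember of the record whose dn is group_dn,
    unless it is already listed. Returns (new_text, added)."""
    records, added = unfold(ldif_text).strip().split("\n\n"), False
    for i, rec in enumerate(records):
        lines = rec.splitlines()
        if lines and lines[0].lower() == f"dn: {group_dn}".lower():
            member = f"uniqueMember: {member_dn}"
            if member.lower() not in (ln.lower() for ln in lines):
                lines.append(member)
                added = True
            records[i] = "\n".join(lines)
    return "\n\n".join(records) + "\n", added

# Constructed stand-in for groups.ldif as exported in step 1; the Operators
# member value is folded across two lines, as LDIF allows.
GROUPS_LDIF = """\
dn: cn=Administrators,ou=groups,ou=myrealm,dc=dizzyworld
objectclass: groupOfUniqueNames
cn: Administrators

dn: cn=Operators,ou=groups,ou=myrealm, dc=dizzyworld
objectclass: groupOfUniqueNames
cn: Operators
uniqueMember: uid=oper1,ou=people,
 ou=myrealm,dc=dizzyworld
"""
```

Run rewrite_suffix on each exported file and compare the returned count with the 22 and 3 occurrences the tutorial expects before importing the result.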

Creating a New Sun Directory Server Authentication Provider and Reordering the Default Authentication Provider

To create a new Sun directory server authentication provider and to reorder the default authentication provider, perform the following steps:

1. Launch Oracle WebLogic Server Administration Console. Log in using admin/welcome1. Click Security Realms under Domain Structure. Click myrealm. Click the Providers tab.

2. Click the Lock & Edit button under Change Center. Click the New button under Authentication Providers. Enter the name of the provider as SunDSProvider with the type as IPlanetAuthenticator. Click OK.

3. Click SunDSProvider. Change the Control Flag property value to Sufficient. Click Save. Click the Provider Specific tab. Add or modify the following values for the listed properties:

   • Principal: cn=Directory Manager
   • Use Retrieved User Name as Principal: Selected
   • Credential: welcome1
   • Confirm Credential: welcome1
   • Group base DN: ou=groups,dc=us,dc=oracle,dc=com
   • User base DN: ou=people,dc=us,dc=oracle,dc=com

   Click Save.

4. Click Security Realms under Domain Structure. Click myrealm. Click the Providers tab. Click DefaultAuthenticator. Change the Control Flag property value to Sufficient. Click Save.

5. Click the Providers link in the locator links displayed at the top of the page. Click the Reorder button. Select SunDSProvider and move it to the top of the list using the Up arrow. Click OK.

6. Apply all the changes that you have made so far by using the Activate Changes option. Click Activate Changes under Change Center. Click View changes and restarts under Change Center. Click the Restart Checklist tab. Select the check box next to AdminServer(admin). Click the Stop button. Start the Admin Server using the startWebLogic.sh script. When prompted for the username and password for WebLogic Server, enter admin/welcome1.
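The effect of the control flags and provider order set in steps 3 to 5 can be checked with a small model of the JAAS evaluation that WebLogic applies to its ordered authentication providers. This is an added example, not tutorial or WebLogic code: the stores, users and passwords are constructed, and unreordered_chain is a hypothetical configuration in which steps 4 and 5 were skipped.

```python
from enum import Enum

class Flag(Enum):
    """JAAS control flags, the values offered for a provider's Control Flag."""
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"

# Constructed stores: after the Sun DS password change in the test section, admin
# is welcome2 in Sun DS, while the embedded LDAP still holds admin with welcome1.
SUN_DS = {"admin": "welcome2", "dsonly": "sunpass"}
EMBEDDED_LDAP = {"admin": "welcome1"}

def ldap_provider(store, reachable=True):
    """Provider callable; an unreachable server behaves like a failed login."""
    return lambda user, pw: reachable and store.get(user) == pw

def authenticate(chain, user, password):
    """Walk an ordered list of (name, Flag, provider) with JAAS semantics.
    Returns (success, names of the providers that accepted the credentials)."""
    required_seen = required_failed = False
    passed = []
    for name, flag, provider in chain:
        ok = provider(user, password)
        if ok:
            passed.append(name)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break              # a REQUISITE failure ends the walk at once
        elif ok and flag is Flag.SUFFICIENT and not required_failed:
            return True, passed        # a SUFFICIENT success short-circuits the rest
    if required_failed:
        return False, passed
    return required_seen or bool(passed), passed

def tutorial_chain(sun_reachable=True):
    """Order and flags as set in steps 3 to 5: SunDSProvider first, both SUFFICIENT."""
    return [("SunDSProvider", Flag.SUFFICIENT, ldap_provider(SUN_DS, sun_reachable)),
            ("DefaultAuthenticator", Flag.SUFFICIENT, ldap_provider(EMBEDDED_LDAP))]

def unreordered_chain():
    """Hypothetical: steps 4 and 5 skipped, DefaultAuthenticator still first and REQUIRED."""
    return [("DefaultAuthenticator", Flag.REQUIRED, ldap_provider(EMBEDDED_LDAP)),
            ("SunDSProvider", Flag.SUFFICIENT, ldap_provider(SUN_DS))]
```

With both providers SUFFICIENT, a login is accepted by the first provider that accepts it, so the exported admin account still held in the embedded LDAP keeps accepting welcome1 after the Sun DS password is changed; remove or disable those embedded copies once authentication through the Sun directory server is verified.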


Testing User Authentication Using the Sun Directory Server

To test user authentication using the Sun directory server, perform the following steps:

1. Log in to Sun Java Web Console as root/<root_pwd> (the root user password is oracle in this illustration). Click Directory Services Control Center (DSCC). Log in using Directory Service Manager/Password as admin/welcome1. Click Browse Directory Data. Choose the directory server named <hostname>:389 (edrsr39p1:389 in this illustration). Click OK. Double-click the ou=people node. Click the uid=admin node and click the Edit Entry button. Change the Password and Confirm Password field values to welcome2. Click OK.

2. Restart AdminServer and log in using the new credentials for the admin user. Go to the terminal window where you ran the startWebLogic.sh script and stop AdminServer with Ctrl+C. Start AdminServer using the startWebLogic.sh script in the same terminal window. When prompted for the username and password, enter admin/welcome2. AdminServer starts with the new credentials, authenticated by the Sun directory server. Also log in to Administration Console using the admin/welcome2 credentials.

In this tutorial, you should have learned how to:

Verify the prerequisites
