Weblogic Authentication via external LDAP provider

Intro:
Notes on how to set up an external LDAP Authentication provider for WebLogic; hopefully people who read this find it useful.

WebLogic comes with a default internal LDAP Authentication provider. This is fine for a couple of domains; usually the engineer who sets up the environment uses a script with one default username and password. This is something you would not want in your production environment, especially if your environment contains multiple domains, which makes it harder to maintain (user management for each domain). In that case you want a centralized (clustered) LDAP solution where you do your user management.

WebLogic supports at least the following external LDAP providers out of the box:

- Active Directory (Microsoft's LDAP solution)
- OpenLDAP (open source)
- Apache Directory Service (Apache's LDAP server)

In this article I will use WebLogic 11g (10.3.5), Apache Directory Service 2.0 and Apache Directory Studio v2.0 (for LDAP maintenance).
I am assuming you have already installed WebLogic and set up a domain which currently uses the WebLogic Default Authentication provider. You can download the Apache LDAP software for free at the following URLs (great products, by the way):

http://directory.apache.org/apacheds/downloads.html for Apache Directory Service

http://directory.apache.org/studio/downloads.html for Apache Directory Studio

 

Install Apache Directory Server

I am using the binary Linux 32-bit download :) just download it and follow the standard installation wizard. The instructions on the site are pretty straightforward, but here is a short installation instruction:

After downloading and unpacking you will have a file like apacheds-2.0.0-M10-64bit.bin; do a chmod 750 apacheds-2.0.0-M10-64bit.bin and execute the binary. You will be presented with a wizard that looks like this:

[Screenshot: Apache DS installer wizard]

I ran the installer as root and started the server with:

/etc/init.d/apacheds-2.0.0-M10-default start

PS: if you have problems starting the server from the RPM/.DEB installation, try downloading and running the ZIP file with the binaries, which is also available for download.

Add weblogic user to LDAP

If you want to use an LDAP user that is able to log in to the WebLogic admin console, this user needs to be a member of the Administrators group, which by default has the Admin role in WebLogic.
A user with this role can access the WebLogic admin console.
You can create this user in the Apache Directory (LDAP) Server with Apache Directory Studio (this excellent LDAP browser can also connect to other LDAP servers).

Create a connection:

LDAP --> New Connection

[Screenshot: local LDAP connection]

Fill in the default values:

<ip or hostname of the machine where your server is running>, port is 10389 by default

--> Next, then fill in your default Apache Directory Server username/password: username uid=admin,ou=system, password secret (change this asap)

[Screenshot: Apache DS default username and password]

In the next two steps of the wizard I use the default values. Once connected you will see the LDAP tree; it will look something like this:

[Screenshot: LDAP tree]

Now create a user in the users OU. I do this by right-clicking an existing user, copying it and pasting it under the users OU. Then I right-click the pasted entry and rename it, see picture below:

[Screenshot: rename uid]

Luckily Apache Directory Server contains an Administrators group by default, so you do not need to create this group. But you need to add your newly created user to it. You can do this by expanding groups --> Administrators and right-clicking the uniqueMember attribute of the Administrators group. Copy and paste it:

[Screenshot: add user to group]

For the second uniqueMember of this group, change the value to the DN of the user you created earlier: uid=chris,ou=users,ou=system

[Screenshot, 2013-02-06 20:58]

That is the LDAP part done; now configure WebLogic to make use of this LDAP Authenticator.
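As an added example (not code from the original post), here is a small Python audit that parses an LDIF export of the Apache DS tree and checks the uniqueMember DNs of the Administrators group, since every member of that group ends up with the WebLogic Admin role once the authenticator is wired in. The LDIF content, the stale uid=ghost member and the loose DN normalisation are constructed assumptions, not something from the page.

```python
# Added example, not from the original post: audit the Apache DS Administrators group
# from an LDIF export, since every uniqueMember of it ends up with the WebLogic Admin role.
import base64
# Constructed LDIF export: default Apache DS entries plus the chris user created above.
SAMPLE_LDIF = """\
dn: uid=admin,ou=system

dn: uid=chris,ou=users,ou=system
cn:: Y2hyaXM=

dn: cn=Administrators,ou=groups,ou=system
uniqueMember: uid=admin,ou=system
uniqueMember: uid=chris,
 ou=users,ou=system
uniqueMember: uid=ghost,ou=users,ou=system
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; handles folded lines and base64 (::) values."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):              # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name.lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))  # loose DN normalisation

def audit_admin_group(ldif_text, group_dn="cn=Administrators,ou=groups,ou=system",
                      user_base="ou=users,ou=system"):
    """Split the group's uniqueMember DNs into users under user_base, dangling DNs, others."""
    entries = {norm_dn(dn): a for dn, a in parse_ldif(ldif_text).items()}
    users, dangling, outside = [], [], []
    for member in entries[norm_dn(group_dn)].get("uniquemember", []):
        m = norm_dn(member)
        bucket = dangling if m not in entries else (
            users if m.endswith("," + norm_dn(user_base)) else outside)
        bucket.append(m)              # outside: e.g. the uid=admin,ou=system service account
    return users, dangling, outside
```

A dangling member is a DN that no longer resolves to an entry; members outside ou=users,ou=system (here the uid=admin service account) deserve a second look because they also inherit the Admin role.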

Add LDAP Authenticator to Weblogic

In your WebLogic console, go to Security Realms --> select your realm --> click on the Providers tab and choose the first sub-tab, Authentication.

[Screenshot: WebLogic console, add authentication provider]

Click on the New button, choose any name you like, but select LDAP Authenticator in the dropdown menu below.

[Screenshot: LDAP Authenticator]

Click OK; now you have to restart your WebLogic Admin Server. Then go back to your security realm --> Providers and select the LDAP Authenticator you just created.

[Screenshot, 2013-02-06 21:28]

In the Configuration tab, sub-tab Common, set the Control Flag to SUFFICIENT.
Then in the Configuration tab select the sub-tab Provider Specific.

Now you have to configure your LDAP Authenticator; three parts are of interest: configuration of the host (with credentials), configuration of users and configuration of groups.

Config of host

[Screenshot: LDAP host configuration]

If you left everything as it was (see previous screens), the values would be: Host 192.168.189.101, Port 10389, Principal uid=admin,ou=system, Credential secret.

Configure Users

[Screenshot, 2013-02-06 21:22]

Just fill in ou=users,ou=system in the User Base DN field and leave everything else as is.

Configure Groups

[Screenshot, 2013-02-06 21:24]

Just fill in ou=groups,ou=system in the Group Base DN field and leave everything else as is.

Save your changes, and then restart your server again... I know, this sucks...

Now check whether you can see the users from your LDAP in your WebLogic console. Log in to your WebLogic console, go to your security realm and select the Users and Groups tab.

[Screenshot, 2013-02-06 21:38]

There you will see the LDAP user you just created; also note that the user comes from the provider you created a couple of steps earlier, see the third column. Now check whether your user is part of the Administrators group by clicking on the user from your LDAP provider. Select the Groups tab and you will see that your user is a member of the Administrators group.

[Screenshot, 2013-02-06 21:41]

So this is great; if you have come this far you can be pretty sure this will work fine. You can disable the Default Authenticator and only use the one you created in this article, or (preferably) reorder your Authentication providers so that the one you created is first. If for some reason your LDAP is not available, you then have the WebLogic (internal) Default Authenticator as fallback.

Here is a screenshot of how to reorder your Authentication providers.

[Screenshot, 2013-02-06 21:44]
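To make the ordering advice concrete, here is an added Python model (not from the original post or from WebLogic itself) of how WebLogic walks its ordered provider list using the JAAS control-flag rules it documents; the provider name ApacheDSAuthenticator, the user stores and the passwords are constructed. It shows that with the LDAP Authenticator first on SUFFICIENT an LDAP-only user logs in and the DefaultAuthenticator still acts as fallback, while with the DefaultAuthenticator first on its default REQUIRED flag the same login fails unless that flag is also changed to SUFFICIENT.

```python
# Added example, not from the original post: a model of how WebLogic combines an ordered
# list of authentication providers using their control flags (the JAAS rules WebLogic
# documents), to show why the order of the LDAP Authenticator and DefaultAuthenticator matters.

# Constructed user stores: who each provider can authenticate.
LDAP_USERS = {"chris": "chris-pw"}          # entry under ou=users,ou=system
DEFAULT_USERS = {"weblogic": "welcome1"}    # WebLogic's embedded LDAP store

def ldap_check(user, pw, available=True):
    """Stand-in for the LDAP Authenticator; an unreachable server counts as a failed login."""
    return available and LDAP_USERS.get(user) == pw

def default_check(user, pw):
    """Stand-in for the DefaultAuthenticator."""
    return DEFAULT_USERS.get(user) == pw

def authenticate(providers, user, pw):
    """providers: ordered list of (name, control_flag, check). Returns (success, consulted).
    REQUIRED:   must succeed, but the list is still walked to the end.
    REQUISITE:  must succeed; a failure stops the walk at once.
    SUFFICIENT: a success stops the walk and authenticates, unless an earlier
                REQUIRED/REQUISITE already failed; a failure just moves on.
    OPTIONAL:   need not succeed; the walk continues either way."""
    required_failed, any_success, consulted = False, False, []
    for name, flag, check in providers:
        consulted.append(name)
        ok = check(user, pw)
        any_success = any_success or ok
        if flag == "SUFFICIENT" and ok and not required_failed:
            return True, consulted
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            required_failed = True
            if flag == "REQUISITE":
                return False, consulted
    return any_success and not required_failed, consulted

def realm(ldap_first=True, ldap_available=True, default_flag="REQUIRED"):
    """Provider list as set up in the article: LDAP Authenticator on SUFFICIENT,
    DefaultAuthenticator on its default flag (REQUIRED), LDAP reordered to the front."""
    ldap = ("ApacheDSAuthenticator", "SUFFICIENT",
            lambda u, p: ldap_check(u, p, ldap_available))
    default = ("DefaultAuthenticator", default_flag, default_check)
    return [ldap, default] if ldap_first else [default, ldap]

if __name__ == "__main__":
    print("LDAP user, LDAP first:    ", authenticate(realm(), "chris", "chris-pw"))
    print("LDAP user, Default first: ", authenticate(realm(ldap_first=False), "chris", "chris-pw"))
    print("LDAP down, weblogic user: ", authenticate(realm(ldap_available=False), "weblogic", "welcome1"))
```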
