Using OUD as a WebLogic Authentication Provider

Each WebLogic security realm must have at least one authentication provider configured. The default authentication provider (defaultAuthenticator) uses an embedded LDAP directory server to store user credentials & group membership.

Using an external authentication provider

The file-based embedded LDAP store does not scale as the number of users and groups to manage grows. Moreover, many customers favor centralized administration of users and groups, so you can declare an external authentication provider. The default authenticator is kept for "emergency" use only, to store the WebLogic administrator in case the external authenticator cannot be reached; this works because authenticator priority and criticality can be controlled.

OUD as a WebLogic authentication provider

This use case has been certified since WebLogic 10.3.5: OUD can be used to store users and groups. Furthermore, existing users and groups can be exported from the embedded LDAP to OUD for a seamless transition.

When OUD is used as an external authentication provider, it is recommended to disable the user lockout provided by WebLogic and rely instead on the password policy enforced at the OUD level.

Configuring OUD as an authentication Provider

  1. In the WebLogic Console, go to the Security Realms / <RealmName> / Providers / Authentication page
  2. Click New to add a new Authentication Provider
  3. Enter a name for the provider and choose IPlanetAuthenticator as the type
  4. Click OK
  5. In the Security Realms / <RealmName> / Providers / Authentication page, click the name of the provider you created, and select the Configuration / Provider Specific page
  6. Configure the connection attributes for OUD and the search bases as appropriate
  7. Update the field labeled GUID Attribute at the bottom of the page to the value entryuuid
  8. Click Save

Reusing existing users & groups from embedded LDAP

To export users and groups from embedded LDAP:

First, modify the credentials of the embedded LDAP server: click <Domain> under Domain Structure on the left panel. On the right panel, click the Security tab, then the Embedded LDAP tab, change the credentials, Save and restart WebLogic.

Then, perform an LDAP search on the WebLogic port as cn=admin using the credentials above, e.g.:

ldapsearch -p 7001 -D "cn=admin" -w <password> -b "ou=myrealm,dc=<domain>" "(|(objectclass=wlsUser)(objectclass=groupOfURLs)(objectclass=groupOfUniqueNames))"

Here is an example of the exported entries:

dn: cn=Administrators,ou=groups,ou=myrealm,dc=dom
memberURL: ldap:///ou=groups,ou=myrealm,dc=dom??sub?(&(objectclass=person)(wlsMemberOf=cn=Administrators,ou=groups,ou=myrealm,dc=dom))
objectclass: groupOfURLs
cn: Administrators

dn: uid=weblogic,ou=people,ou=myrealm,dc=dom
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: wlsUser
cn: weblogic
sn: weblogic
userpassword: {ssha}5ZFkp4qHIzfrGe8AV3naJOndwzTXC2W/
wlsMemberOf: cn=Administrators,ou=groups,ou=myrealm,dc=dom

By default, user entries are stored in ou=people while groups are stored in ou=groups in the embedded LDAP server. As the export shows, the search base in the LDAP URL defining dynamic groups (e.g. Administrators) is wrong: it searches for user entries in the group container, so the group would resolve to no members. This must be changed to the following value before the entries are imported into OUD:

memberURL: ldap:///ou=people,ou=myrealm,dc=dom??sub?(&(objectclass=person)(wlsMemberOf=cn=Administrators,ou=groups,ou=myrealm,dc=dom))
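Rewriting the memberURL base before the import can be scripted. The Python below is an added example, not part of the original post: it reads a constructed LDIF sample shaped like the export above, shows that the Administrators group resolves to no members while its URL searches ou=groups, rewrites the base to ou=people, and resolves membership again. The LDIF reader and the URL evaluation are deliberately minimal (no base64 values, no line wrapping, and only the (&(objectclass=person)(wlsMemberOf=...)) filter shape the export uses).

```python
import re

# Constructed sample shaped like the ldapsearch export above (not a real domain).
EXPORTED_LDIF = """\
dn: cn=Administrators,ou=groups,ou=myrealm,dc=dom
memberURL: ldap:///ou=groups,ou=myrealm,dc=dom??sub?(&(objectclass=person)(wlsMemberOf=cn=Administrators,ou=groups,ou=myrealm,dc=dom))
objectclass: groupOfURLs
cn: Administrators

dn: uid=weblogic,ou=people,ou=myrealm,dc=dom
objectclass: person
objectclass: wlsUser
cn: weblogic
wlsMemberOf: cn=Administrators,ou=groups,ou=myrealm,dc=dom
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, {attr.lower(): [values]}; no base64 or line wrapping."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def has_class(entry, oc):
    return oc.lower() in (o.lower() for o in entry.get("objectclass", []))

def dynamic_members(group, users):
    """DNs under the memberURL base (ldap:///base?attrs?scope?filter) whose wlsMemberOf names the group."""
    members = set()
    for url in group.get("memberurl", []):
        base = url[len("ldap:///"):].split("?", 1)[0].lower()   # search base of the URL
        for u in users:
            if u["dn"][0].lower().endswith("," + base) and group["dn"][0] in u.get("wlsmemberof", []):
                members.add(u["dn"][0])
    return members

def fix_member_urls(entries, user_container="ou=people", group_container="ou=groups"):
    """Rewrite dynamic-group URL bases from the group to the user container (in place); returns count changed."""
    changed = 0
    pattern = re.compile(r"^ldap:///" + re.escape(group_container) + r"(?=,)")
    for e in (x for x in entries if has_class(x, "groupOfURLs")):
        old = e.get("memberurl", [])
        e["memberurl"] = [pattern.sub("ldap:///" + user_container, u) for u in old]
        changed += sum(a != b for a, b in zip(old, e["memberurl"]))
    return changed
```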

To import the entries into OUD:

  1. Extend the OUD schema with the wlsUser objectclass and the wlsMemberOf attribute.
    Note that I've not found the official OIDs for wlsMemberOf and wlsUser, so I've used fake OIDs in the schema below.
    attributeTypes: ( 1.3.6.1.4.1.1000 NAME 'wlsMemberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'WLS' )
    objectClasses: ( 1.3.6.1.4.1.1001 NAME 'wlsUser' SUP top MAY ( wlsMemberOf ) X-ORIGIN 'WLS' )
  2. Create the suffix holding ou=<myrealm>,dc=<domain>.
  3. Allow pre-encoded passwords to be imported into OUD:
    dsconfig set-password-policy-prop --policy-name Default\ Password\ Policy --set allow-pre-encoded-passwords:true
  4. Allow multiple structural objectclasses per entry in OUD:
    dsconfig set-global-configuration-prop --set single-structural-objectclass-behavior:accept
  5. Import the entries into OUD using dsimport.

Optimizing Group membership evaluation

WebLogic can determine group membership from a configurable attribute present in user entries. If that attribute is not set in the provider-specific configuration (User Dynamic Group DN property), WebLogic determines membership by evaluating the URLs present in each dynamic group, which is more expensive.

This property can be set to isMemberOf, since that attribute is provided out of the box by OUD. It can also be set to wlsMemberOf when every dynamic group in use is based on that attribute.

ODSM Silent Install

If you plan to manage Oracle Unified Directory (OUD) with Oracle Directory Services Manager (ODSM), you must install and configure it as described in the Installation Guide. The installation process described there relies on a graphical user interface.

Here is the equivalent procedure in silent mode, so that you can incorporate it in a script or automated procedure.
In short: install OUD as described in this post, configure an application server (WebLogic), install the ADF framework, install ODSM and add it to a WebLogic domain, then start WebLogic.

#1 WebLogic installation

– download WebLogic 10.3.6 from http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html
– locate wls1036_generic.jar in the delivery
– create an input file (WEBLOGIC_silent.xml) for the WebLogic install; customize the paths for your environment (the example assumes the middleware components are installed in /local/myinstall)

<?xml version="1.0" encoding="UTF-8"?>
<bea-installer>
<input-fields>
<data-value name="BEAHOME" value="/local/myinstall" />
<data-value name="USER_INSTALL_DIR" value="/local/myinstall" />
<data-value name="INSTALL_NODE_MANAGER_SERVICE" value="no" />
<data-value name="COMPONENT_PATHS" value="WebLogic Server/Core Application Server|WebLogic Server/Administration Console|WebLogic Server/Configuration Wizard and Upgrade Framework|WebLogic Server/Web 2.0 HTTP Pub-Sub Server|WebLogic Server/WebLogic JDBC Drivers|WebLogic Server/Third Party JDBC Drivers|WebLogic Server/WebLogic Server Clients|WebLogic Server/WebLogic Web Server Plugins|WebLogic Server/UDDI and Xquery Support|WebLogic Server/Server Examples" />
<data-value name="LOCAL_JVMS" value="/usr/lang/JAVA/jdk7_u45/linux-x64" />
</input-fields>
</bea-installer>

– run the installer jar in silent mode with that file:

java -jar wls1036_generic.jar -mode=silent -silent_xml=./WEBLOGIC_silent.xml

#2 Install ADF

– download the Oracle Application Development Framework from Oracle Technology Network (OTN) at the following location: http://www.oracle.com/technetwork/developer-tools/adf/downloads/index.html
– locate and unzip appdev.zip to a target directory, e.g. /local/myinstall/appdev_unzip
– create an input file (oui_install.rsp) to install appdev; customize ORACLE_HOME and MIDDLEWARE_HOME for your environment

[ENGINE]

#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0

[GENERIC]

#Set this to true if you wish to specify a directory where latest
#updates are downloaded. This option would use the software updates from
#the specified directory
SPECIFY_DOWNLOAD_LOCATION=false

#
SKIP_SOFTWARE_UPDATES=true

#If the Software updates are already downloaded and available on your
#local system, then specify the path to the directory where these patches
#are available and set SPECIFY_DOWNLOAD_LOCATION to true
SOFTWARE_UPDATES_DOWNLOAD_LOCATION=

#Provide the Oracle Home location. The location has to be the immediate
#child under the specified Middleware Home location. The Oracle Home
#directory name may only contain alphanumeric , hyphen (-) , dot (.) and
#underscore (_) characters, and it must begin with an alphanumeric
#character. The total length has to be less than or equal to 128
#characters. The location has to be an empty directory or a valid SOA
#Oracle Home.
ORACLE_HOME=/local/myinstall/Oracle_appdev

#Provide existing Middleware Home location.
MIDDLEWARE_HOME=/local/myinstall

#
CONFIG_WIZARD_RESPONSE_FILE_LOCATION=0

[SYSTEM]

[APPLICATIONS]

[RELATIONSHIPS]

– install appdev (customize the paths for your environment):

/local/myinstall/appdev_unzip/appdev/Disk1/runInstaller -silent -response ./oui_install.rsp -invPtrLoc /local/myinstall/appdev_unzip/oraInst.loc -jreLoc /usr/lang/JAVA/jdk7_u45/linux-x64 -waitforcompletion

#3 Create Weblogic domain for ODSM

– Create a WLST script (e.g. create_domain.py) and customize the paths, listen address and administrator password for your environment.

#!/usr/bin/python
import os, sys

# WLST offline: start from the base WebLogic domain template
readTemplate(r'/local/myinstall/wlserver_10.3/common/templates/domains/wls.jar')
# Set the password of the default "weblogic" administrator
cd(r'/Security/base_domain/User/weblogic')
cmo.setPassword('welcome1')
# Admin server name, listen port and listen address
cd(r'/Server/AdminServer')
cmo.setName('AdminServer')
cmo.setListenPort(7001)
cmo.setListenAddress('mylocalhost')
# Enable one-way SSL on port 7002; hostname verification is switched off here,
# which is acceptable for a test setup only
create('AdminServer','SSL')
cd('SSL/AdminServer')
cmo.setEnabled(true)
cmo.setListenPort(7002)
cmo.setHostnameVerificationIgnored(true)
cmo.setHostnameVerifier(None)
cmo.setTwoWaySSLEnabled(false)
# Write the new domain to disk and leave WLST
writeDomain(r'/local/myinstall/WEBLOGIC_domains/ODSM')
closeTemplate()
exit()

– Run the following command to create the ODSM domain:

/local/myinstall/oracle_common/common/bin/wlst.sh /local/myinstall/create_domain.py

#4 Configure ODSM

– create a WLST script (e.g. config_odsm.py) and customize the paths for your environment

#!/usr/bin/python

import os, sys

# WLST offline: open the domain created in step 3, extend it with the ODSM
# application template shipped with OUD, then save and close it
readDomain('/local/myinstall/WEBLOGIC_domains/ODSM')
addTemplate(r'/local/myinstall/Oracle_OUD/common/templates/applications/oracle.odsm_11.1.1.5.0_template.jar')
updateDomain()
closeDomain()
exit()

– Run the following command:

/local/myinstall/oracle_common/common/bin/wlst.sh /local/myinstall/config_odsm.py

#5 Start Weblogic domain

/local/myinstall/WEBLOGIC_domains/ODSM/bin/startWebLogic.sh

Using execution context ID (ECID)

An execution context ID (ECID) is a unique identifier used to correlate events or requests associated with the same transaction across several components.

The ECID value for a particular request is generated at the first layer and is passed down to the subsequent layers. The ECID value is logged (and auditable) in each product involved in the transaction. ECIDs allow an administrator to track the end-to-end flow of a particular request across the product stack.

ECIDs are supported by OUD and can be used to track LDAP requests from the client down to the ultimate LDAP server processing the request (including the LDAP access layer/proxy, if any).

When performing an LDAP operation, a client can pass an ECID using the LDAP control 2.16.840.1.113894.1.8.31. This ECID is logged by OUD. The OUD server generates an ECID when none is present in the incoming request.

ECIDs are logged in the "Oracle Access Logger". By default, this logger is disabled. To enable it, run the command below:

dsconfig set-log-publisher-prop \
         --publisher-name Oracle\ Access\ Logger \
         --set enabled:true \
         --hostname localhost \
         --port <admin port> \
         --bindDN cn=Directory\ Manager \
         --bindPassword ****** \
         --no-prompt

Here is a snippet of the Oracle access log:

[2012-08-16T16:10:26.770+02:00] [OUD] [TRACE] [OUD-24641559] [PROTOCOL] [host: prehnite] [nwaddr: 10.166.70.62] [tid: 25] [userId: sduloutr] [ecid: 10.166.70.62:37126:1345126226770:39,0] [category: REQ] [conn: -1] [op: 80] [msgID: 81] [dn: o=example] [type: synchronization] MODIFY

The administrator can then search the logs using a particular ECID value. Audit logs can be queried for a given ECID through Oracle BI Publisher’s audit reports. For example, if you send an LDAP request to Oracle Virtual Directory front-ending Oracle Unified Directory, an ECID associated with the LDAP request is present in the OVD diagnostic logs and audit logs; similarly, when the query reaches OUD, OUD includes the same ECID in its diagnostic logs and audit reports.
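Searching the access log by ECID is easy to script. The Python below is an added example, not part of the original post: it parses the bracketed fields of a constructed three-line sample in the format shown above (the first line is the snippet itself; the other two are made up, one sharing its ECID and one not) and groups operations by ECID so a single request can be followed end to end. It assumes the format stays "[key: value]" for named fields and bare "[value]" for the leading positional ones, with no "]" inside values.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the snippet above, lines 2-3 are made up for illustration.
ACCESS_LOG = """\
[2012-08-16T16:10:26.770+02:00] [OUD] [TRACE] [OUD-24641559] [PROTOCOL] [host: prehnite] [nwaddr: 10.166.70.62] [tid: 25] [userId: sduloutr] [ecid: 10.166.70.62:37126:1345126226770:39,0] [category: REQ] [conn: -1] [op: 80] [msgID: 81] [dn: o=example] [type: synchronization] MODIFY
[2012-08-16T16:10:26.912+02:00] [OUD] [TRACE] [OUD-24641559] [PROTOCOL] [host: prehnite] [nwaddr: 10.166.70.62] [tid: 25] [userId: sduloutr] [ecid: 10.166.70.62:37126:1345126226770:39,0] [category: REQ] [conn: -1] [op: 81] [msgID: 82] [dn: o=example] [type: synchronization] SEARCH
[2012-08-16T16:10:27.002+02:00] [OUD] [TRACE] [OUD-24641559] [PROTOCOL] [host: prehnite] [nwaddr: 10.166.70.63] [tid: 26] [userId: sduloutr] [ecid: 10.166.70.63:40011:1345126227002:7,0] [category: REQ] [conn: 12] [op: 3] [msgID: 4] [dn: uid=weblogic,ou=people,dc=example] SEARCH
"""

BRACKET = re.compile(r"\[([^\]]*)\]")

def parse_line(line):
    """One access-log line -> dict: 'key: value' brackets become named fields, bare brackets
    (timestamp, component, level, message id, ...) go to 'positional', the trailing word to 'operation'."""
    fields, positional, end = {}, [], 0
    for m in BRACKET.finditer(line):
        key, sep, value = m.group(1).partition(": ")
        if sep and re.fullmatch(r"[A-Za-z]+", key):
            fields[key] = value
        else:
            positional.append(m.group(1))
        end = m.end()
    fields["positional"], fields["operation"] = positional, line[end:].strip()
    return fields

def by_ecid(log_text):
    """Group parsed records by ECID; records without one land under '<none>'."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            groups[rec.get("ecid", "<none>")].append(rec)
    return groups

def trace(log_text, ecid):
    """Ordered (timestamp, host, op, operation, dn) tuples for one ECID, i.e. the search an
    administrator runs to follow a request through the access log."""
    return [(r["positional"][0], r.get("host"), r.get("op"), r["operation"], r.get("dn"))
            for r in by_ecid(log_text).get(ecid, [])]
```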