By Sylvain Duloutre on Jan 20, 2014
Each WebLogic security realm must have at least one authentication provider configured. The default authentication provider (defaultAuthenticator) uses an embedded LDAP directory server to store user credentials & group membership.
Using an external authentication provider
The file-based embedded LDAP store does not scale as the number of users and groups to manage grows. In addition, many customers favor centralized administration of users and groups, so you can declare an external authentication provider. The default authenticator is kept for “emergency” use only, to store the WebLogic administrator in case the external authenticator cannot be reached, since it is possible to control authenticator priority and criticality.
OUD as a Weblogic authentication provider
This use case has been certified since WebLogic 10.3.5; OUD can be used to store users and groups. Furthermore, it is possible to export existing users & groups from the embedded LDAP to OUD for a seamless transition.
When OUD is used as an external authentication provider, it is recommended to disable the user lockout provided by WebLogic and rely instead on the password policy provided at the OUD level.
Configuring OUD as an authentication Provider
- In the WebLogic Console, go to the Security Realms / RealName / Providers / Authentication page
- Click New to add a new Authentication Provider
- Enter a name for the provider and choose IplanetAuthenticator as the type
- Click OK
- In the Security Realms / RealName / Providers / Authentication page, click the name of the provider you created, and select the Configuration / Provider Specific page
- Configure connection attributes for OUD and search bases as appropriate
- Update the field labeled GUID Attribute at the bottom of the page to value entryuuid
- Click Save
Reusing existing users & groups from embedded LDAP
To export users and groups from embedded LDAP:
First, modify credentials of the embedded LDAP server: Click <Domain> under Domain Structure on the left panel. On the right panel, click Security tab then Embedded LDAP tab, change credentials, Save and restart WebLogic
Then, perform an LDAP search on the WebLogic port as cn=admin using the above credentials, e.g.
ldapsearch -p 7001 -D "cn=admin" -w <password> -b "ou=myrealm,dc=<domain>" "(|(objectclass=wlsUser)(objectclass=groupOfURLs)(objectclass=groupOfUniqueNames))"
Here is an example of entries:
dn: cn=Administrators,ou=groups,ou=myrealm,dc=dom
memberURL: ldap:///ou=groups,ou=myrealm,dc=dom??sub?(&(objectclass=person)(wlsMemberOf=cn=Administrators,ou=groups,ou=myrealm,dc=dom))
objectclass: groupOfURLs
cn: Administrators

dn: uid=weblogic,ou=people,ou=myrealm,dc=dom
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: wlsUser
cn: weblogic
sn: weblogic
userpassword: {ssha}5ZFkp4qHIzfrGe8AV3naJOndwzTXC2W/
wlsMemberOf: cn=Administrators,ou=groups,ou=myrealm,dc=dom
By default, user entries are stored in ou=people while groups are stored in ou=groups in the embedded LDAP server. As you can see, the search base in the LDAP URL defining dynamic groups (e.g. Administrators) is incorrect, as it searches for user entries in the group container. This must be changed to the following value before importing the entries into OUD:
memberURL: ldap:///ou=people,ou=myrealm,dc=dom??sub?(&(objectclass=person)(wlsMemberOf=cn=Administrators,ou=groups,ou=myrealm,dc=dom))
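One way to apply this correction to a whole export before importing it, as an added example that is not part of the original post: the function unfolds wrapped LDIF lines and rewrites the search base only in memberURL values, leaving dn: and wlsMemberOf: values on ou=groups. The names fix_member_url and sample_export are hypothetical, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). fix_member_url and sample_export
# are hypothetical names; the LDIF emitted by sample_export is constructed.

# Usage: fix_member_url GROUP_BASE PEOPLE_BASE < export.ldif > fixed.ldif
fix_member_url() {
    FROM="$1" TO="$2" awk '
    # Rewrite the base DN of the LDAP URL only when it equals FROM exactly.
    function fix(line,    i, rest, q, base) {
        if (tolower(line) ~ /^memberurl::/) {
            print "warning: base64 memberURL left unchanged" > "/dev/stderr"
            return line
        }
        if (tolower(line) !~ /^memberurl:/) return line  # dn:, wlsMemberOf: untouched
        i = index(line, "ldap:///")
        if (i == 0) return line
        rest = substr(line, i + 8)
        q = index(rest, "?")
        base = (q > 0) ? substr(rest, 1, q - 1) : rest
        if (tolower(base) != tolower(ENVIRON["FROM"])) return line
        return substr(line, 1, i + 7) ENVIRON["TO"] ((q > 0) ? substr(rest, q) : "")
    }
    function flush() { if (have) print fix(buf); have = 0 }
    # LDIF folding: a line starting with one space continues the previous one.
    /^ / { buf = buf substr($0, 2); next }
    { flush(); buf = $0; have = 1 }
    END { flush() }
    '
}

# Constructed sample shaped like the export shown above; memberURL is folded.
sample_export() {
    cat <<'EOF'
dn: cn=Administrators,ou=groups,ou=myrealm,dc=dom
memberURL: ldap:///ou=groups,ou=myrealm,dc=dom??sub?(&(objectclass=per
 son)(wlsMemberOf=cn=Administrators,ou=groups,ou=myrealm,dc=dom))
objectclass: groupOfURLs
cn: Administrators

dn: uid=weblogic,ou=people,ou=myrealm,dc=dom
objectclass: wlsUser
wlsMemberOf: cn=Administrators,ou=groups,ou=myrealm,dc=dom
EOF
}

umask 077  # files created from here on are owner-only; a real export carries {ssha} hashes
sample_export | fix_member_url "ou=groups,ou=myrealm,dc=dom" "ou=people,ou=myrealm,dc=dom"
```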
To import entries in OUD,
- Extend the OUD schema with the wlsUser objectclass and wlsMemberOf attribute
Note that I’ve not found the official oid for wlsMemberOf and wlsUser so I’ve used fake oid in the schema below
attributeTypes: ( 1.3.6.1.4.1.1000 NAME ('wlsMemberOf') SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'WLS')
objectclasses: ( 1.3.6.1.4.1.1001 NAME 'wlsUser' SUP top MAY (wlsMemberOf) X-ORIGIN 'WLS')
- Create suffix holding ou=<myrealm>,dc=<domain>
- Allow pre-encoded password import in OUD
dsconfig set-password-policy-prop --policy-name Default\ Password\ Policy --set allow-pre-encoded-passwords:true
- Allow multiple structural objectclasses per entry in OUD
dsconfig set-global-configuration-prop --set single-structural-objectclass-behavior:accept
- Import entries in OUD using dsimport
Optimizing Group membership evaluation
Weblogic can determine group membership based on a configurable attribute present in user entries. If not set in the provider specific configuration (User Dynamic Group DN property), it determines membership by evaluating the URLs present in the dynamic group.
This property can be set to isMemberOf, as this attribute is provided out of the box by OUD. It can also be set to wlsMemberOf when every dynamic group used is based on this attribute.