WebLogic LDAP Integration (Oracle Unified Directory)
By default, WebLogic uses the Default Authenticator for authentication. The Default Authenticator is an embedded LDAP server and is simple to use: usernames, passwords and groups can be added directly in the WebLogic console. But what if the number of WebLogic users, or the number of users accessing an application running on WebLogic, keeps increasing?
Also, if an organization already maintains its user details in an LDAP directory, duplicating the same users in WebLogic is a time-consuming maintenance task. When a user leaves the organization, the account is deleted from the LDAP server, but the user must still be deleted from the WebLogic server manually. It is double work for the WebLogic admin. WebLogic LDAP integration is a good solution if you are facing any of the above issues. The main benefit is that we don’t need to maintain an additional LDAP server for WebLogic authentication.
As shown in the image below, WebLogic supports many authentication providers. In this section, I explain how to integrate WebLogic with Oracle Unified Directory, a directory server.
Note: WebLogic requires a username and password to log in. The user must belong to the group ‘Administrator’ to do admin work.
Integrate WebLogic with Oracle Unified Directory:
1. Make sure you have users and groups present in the LDAP server. The image below is taken from an LDAP browser (ODSM). It shows a list of users under an Organizational Unit called MyOrg and a group under an Organizational Unit called MyGroup. The users ‘govindan’ and ‘pgn’ are members of the group ‘Administrator’.
I created this group as a STATIC LDAP group. Please look at the following link to see how this hierarchical structure was built in LDAP. Also note the CN, OU, UID and Object Class of each entry in that link.
Let’s get started with WebLogic LDAP Integration. 🙂
2. Login into WebLogic Console. For example, http://localhost:7001/console
3. Click on Security Realms and select MyRealm.
4. Click on the Providers tab, then click the New button.
5. Input a Name and select the Type OracleUnifiedDirectoryAuthenticator. Choose the LDAP type corresponding to your LDAP server.
6. Click on the LDAP authenticator we just created.
7. Change the Control Flag to SUFFICIENT. Click on the More Info link next to the drop-down to learn what each Control Flag value means.
8. Click on the Provider Specific tab and input the LDAP details. Click the Save button once done. A green success message appears at the top of the page.
I created a static group in LDAP, so I used the static group settings here. Change these settings according to your setup. How I created these users and the static group in LDAP:
Host: localhost (LDAP Server Host Name)
Port: <port> (LDAP Server Port Number)
Principal: cn=Directory Manager
User Base DN: ou=MyOrg,dc=catgovind,dc=com
All Users Filter: (objectclass=*)
User From Name Filter: (objectclass=*)
User Name Attribute: uid
User Object Class: MyOrg
Group Base DN: ou=MyGroup,dc=catgovind,dc=com
All Groups Filter: (objectclass=*)
Group From Name Filter: (objectclass=groupOfNames)
Static Group Name Attribute: cn
Static Group Object Class: groupOfNames
Static Member DN Attribute: uniquemember
Static Group DNs from Member DN Filter: (objectclass=groupOfNames)
9. Reorder the providers: Click on Security Realms >> MyRealm >> Providers >> Authentication >> click the Reorder button.
10. Select the LDAP authenticator we just created >> move it to first >> click OK.
11. Restart the WebLogic Server and log in to WebLogic >> Security Realms >> MyRealm >> Users and Groups >> Users. The users ‘govindan’ and ‘pgn’ came from LDAP. Also notice the Description, Provider and Groups columns: all of them come from LDAP.
That’s it. The WebLogic LDAP integration is done now.
Test WebLogic with an LDAP user
12. Log out of WebLogic and log in as an LDAP user.
13. The user ‘govindan’ belongs to the Administrator group, so he can do admin work in WebLogic.
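As an added example (not from the original post), here is the same configuration as steps 3 to 10 done with WLST, WebLogic’s own scripting tool, so the provider can be created and reordered repeatably instead of clicking through the console. The admin URL and credentials, the OUD port, the bind password and the realm lookup are assumptions and placeholders; the setter names follow the LDAPAuthenticatorMBean attributes shown on the Provider Specific tab.

```jython
# Added example, not code from the original post. Run with: wlst.sh oud_authenticator.py
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL = 't3://localhost:7001'   # assumption: console URL from step 2 without /console
OUD_PORT = 1389                     # placeholder: the post leaves the LDAP port unspecified
OUD_BIND_PASSWORD = 'CHANGE_ME'     # placeholder for the cn=Directory Manager password

connect('weblogic', 'CHANGE_ME', ADMIN_URL)   # placeholder admin credentials
edit()
startEdit()

# The default realm is the MyRealm used in the post.
realm = cmo.getSecurityConfiguration().getDefaultRealm()

# Step 5: create the provider with the Oracle Unified Directory authenticator type.
oud = realm.createAuthenticationProvider(
    'OUDAuthenticator',
    'weblogic.security.providers.authentication.OracleUnifiedDirectoryAuthenticator')

# Step 7: SUFFICIENT means a successful OUD login is enough, and the
# DefaultAuthenticator is still consulted when OUD rejects or is unreachable.
oud.setControlFlag('SUFFICIENT')

# Step 8: provider-specific settings, same values as listed in the post.
oud.setHost('localhost')
oud.setPort(OUD_PORT)
oud.setPrincipal('cn=Directory Manager')
oud.setCredential(OUD_BIND_PASSWORD)
oud.setUserBaseDN('ou=MyOrg,dc=catgovind,dc=com')
oud.setAllUsersFilter('(objectclass=*)')
oud.setUserFromNameFilter('(objectclass=*)')
oud.setUserNameAttribute('uid')
oud.setUserObjectClass('MyOrg')
oud.setGroupBaseDN('ou=MyGroup,dc=catgovind,dc=com')
oud.setAllGroupsFilter('(objectclass=*)')
oud.setGroupFromNameFilter('(objectclass=groupOfNames)')
oud.setStaticGroupNameAttribute('cn')
oud.setStaticGroupObjectClass('groupOfNames')
oud.setStaticMemberDNAttribute('uniquemember')
oud.setStaticGroupDNsfromMemberDNFilter('(objectclass=groupOfNames)')

# Steps 9 and 10: move the new provider to the first position, keeping the
# DefaultAuthenticator and DefaultIdentityAsserter behind it.
others = [p for p in realm.getAuthenticationProviders() if p.getName() != 'OUDAuthenticator']
realm.setAuthenticationProviders(jarray.array([oud] + others, AuthenticationProviderMBean))

save()
activate(block='true')
disconnect()
# Step 11: restart the server, then check Users and Groups in the console.
```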
The views expressed on this blog are my personal views and do not necessarily reflect the views of my employer.
Please feel free to reach me with any comments and feedback you have. I would be more than glad to listen and reply 🙂