It's all about Weblogic..!!

May 29, 2010

Configuring Active Directory with Weblogic Server:

Filed under: * Security — streethawkz @ 12:39 am
In the example below:

slab.xxx.com is the domain name
streethawk is the domain controller
Users is the default container
puneeth3 is a user created under the "Users" container

puneeth3 is the AD user that will log in to WebLogic. In this walkthrough the same account is also used as the bind account (the "Principal" described below); a dedicated service account is the better choice for that role.

Below are the configurations that need to be done at the WebLogic end:

Create a new domain.

Click on "Security Realms" –> myrealm –> "Providers" tab –> click on "New" and create a new authenticator (say AD_Authenticator).

Note: the type selected for the new authenticator is "ActiveDirectoryAuthenticator".

Now click on "AD_Authenticator" and set the Control Flag to "Sufficient".

Click on "Provider Specific" and make the following changes:

Host – The host name or IP address of the LDAP server, i.e. a domain controller. If you enable SSL, use the DNS name that appears in the controller's certificate.

Port – The port number on which the LDAP server is listening (1 to 65534). The default is 389, which is plaintext LDAP: the bind credential and every user's password then cross the network in clear. For anything beyond a lab use port 636 and tick "SSL Enabled", with the domain's CA certificate in the WebLogic trust store.

Principal – The Distinguished Name (DN) of the LDAP user that WebLogic Server uses to connect to the LDAP server and search for users and groups. This account does not need AD admin rights; it only needs read access to the user and group subtrees, so use a dedicated low-privilege service account rather than a person's account.

Credential – The password of the Principal account. (The WebLogic reference text about a password being generated at startup, saved to config.xml and used with the cn=Admin account describes the embedded LDAP server's own credential, not this provider; for Active Directory you must supply the service account's real password.)


User Base DN – The base distinguished name (DN) of the subtree in the LDAP directory that contains users.

Group Base DN – The base distinguished name (DN) of the subtree in the LDAP directory that contains groups.

Both are searched as subtrees, so an account that lives in a different container is simply not found; the notes at the end show the effect of changing them.

For our example:

Host :           10.xxx.xxx.xxx
Port :           389
Principal :      puneeth3
Credential :     ********
User Base DN :   cn=Users,dc=slab,dc=bea,dc=com
Group Base DN :  cn=Users,dc=slab,dc=bea,dc=com

Active Directory accepts the bind name in several forms. Besides the bare logon name used here you can give the UPN (puneeth3@slab.xxx.com), the down-level name (see note 4 below) or the full DN (cn=puneeth3,cn=Users,dc=slab,dc=bea,dc=com); the DN form is the one the "Principal" field is documented for.
Now click on "Security Realms" –> "myrealm" –> "Providers" –> "Default Authenticator" –> change the Control Flag to "Sufficient".

With both providers on Sufficient, a login succeeds as soon as one provider authenticates the user, and the built-in "weblogic" account in the embedded LDAP keeps working when AD is unreachable. Leaving the Default Authenticator on Required would reject every AD-only user, because a Required provider must succeed for every login. You can also reorder the providers on the "Providers" page; putting AD_Authenticator first saves a failed lookup in the embedded LDAP for every AD login.

Next click on the "Roles and Policies" tab –> expand "Global Roles" –> "Roles" –> click on "View Role Conditions" next to the "Admin" role.

After you click on "View Role Conditions" –> click on "Add Conditions" –> select "User" in the "Predicate List" –> Next –> type the AD user name (e.g. puneeth3) in "User Argument Name", click "Add" –> Finish. Outside a lab, map the Admin role to an AD group (predicate "Group") rather than to individual users, so that administrative access is managed in AD.
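The same configuration as a WLST (Jython) script, added here as an example and not taken from the post. It creates AD_Authenticator with the settings above, sets both control flags to Sufficient, puts the AD provider first and grants the Admin role to puneeth3 the way the "Roles and Policies" step does. It deviates from the walkthrough where security matters: LDAPS on 636 instead of 389, a dedicated bind account (cn=svc_wls_ldap, assumed) instead of a person's account, and sAMAccountName rather than cn in the User From Name Filter. The admin URL and password, the controller's DNS name and the service account are placeholders. The WLST builtins (connect, edit, cmo, ...) exist only inside wlst.sh; under plain Python the script just defines its functions.

```python
# WLST (Jython) script for the console steps above.  Run it with:
#     $WL_HOME/common/bin/wlst.sh configure_ad.py
# Names marked "assumed" are placeholders for this example.


def ad_provider_settings():
    """Provider Specific values for AD_Authenticator, keyed by MBean attribute."""
    return {
        'Host': 'streethawk.slab.xxx.com',      # assumed DNS name of the DC
        'Port': 636,                             # LDAPS; 389 would send binds in clear
        'SSLEnabled': True,                      # needs the domain CA cert in the WLS trust store
        # assumed dedicated read-only bind account; not a person's account
        'Principal': 'cn=svc_wls_ldap,cn=Users,dc=slab,dc=bea,dc=com',
        'Credential': 'CHANGE-ME',               # better: read from a protected file
        'UserBaseDN': 'cn=Users,dc=slab,dc=bea,dc=com',
        'GroupBaseDN': 'cn=Users,dc=slab,dc=bea,dc=com',
        # match the logon name rather than cn, which in AD is normally the display name
        'UserFromNameFilter': '(&(sAMAccountName=%u)(objectclass=user))',
        'UseTokenGroupsForGroupMembershipLookup': True,   # see comment 1 below
    }


def configure_ad_authenticator(realm, settings, admin_user=None):
    """Create AD_Authenticator in `realm` (a RealmMBean from the edit tree),
    relax the Default Authenticator to SUFFICIENT and put AD first."""
    import jarray
    from weblogic.management.security.authentication import AuthenticationProviderMBean

    atn = realm.createAuthenticationProvider(
        'AD_Authenticator',
        'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator')
    atn.setControlFlag('SUFFICIENT')
    for name, value in settings.items():
        getattr(atn, 'set' + name)(value)        # atn.setHost(...), atn.setPort(...), ...

    # REQUIRED here would reject every AD-only user; SUFFICIENT on both means the
    # first provider that knows the user wins, and 'weblogic' still works if AD is down.
    realm.lookupAuthenticationProvider('DefaultAuthenticator').setControlFlag('SUFFICIENT')

    # Reorder: AD first, then everything that was already there
    # (DefaultAuthenticator, DefaultIdentityAsserter) in its old order.
    others = [p for p in realm.getAuthenticationProviders() if p.getName() != 'AD_Authenticator']
    realm.setAuthenticationProviders(jarray.array([atn] + others, AuthenticationProviderMBean))

    if admin_user:
        # Equivalent of the "Roles and Policies" step: the global Admin role is
        # Grp(Administrators) by default; OR in the AD user.  In real use prefer
        # Grp(<AD group>) so that admin access is managed in AD.
        role_mapper = realm.lookupRoleMapper('XACMLRoleMapper')
        role_mapper.setRoleExpression(None, 'Admin', 'Grp(Administrators)|Usr(%s)' % admin_user)
    return atn


try:
    connect                      # WLST builtin; NameError under plain Python
    IN_WLST = True
except NameError:
    IN_WLST = False

if IN_WLST:
    connect('weblogic', 'welcome1', 't3://localhost:7001')   # assumed admin login
    edit()
    startEdit()
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    configure_ad_authenticator(realm, ad_provider_settings(), admin_user='puneeth3')
    save()
    activate(block='true')
    # Authentication provider changes take effect after the servers are restarted.
```

Restart the servers after activation, then watch the server log during the first AD login; a bind or certificate problem shows up there, not in the console.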
Now log out of the console and log in with the user name puneeth3.
You should be able to log in now.

Click on "Users and Groups" under "myrealm" –> you should see all the users from AD_Authenticator together with those from the DefaultAuthenticator; the "Provider" column shows which one each user came from.

You can also create new users here; on the new user's "Groups" tab select "Administrators" to give it the Admin role. Such users are created in the DefaultAuthenticator (the embedded LDAP), NOT in Active Directory.

You should now be able to log in with the newly created user as well.
* Note: if you want to view the users in the Organizational Unit "streethawk" and its groups, make the following changes in AD_Authenticator:

User Base DN :   ou=streethawk,dc=slab,dc=bea,dc=com
Group Base DN :  ou=streethawk,dc=slab,dc=bea,dc=com

* Note: if you want to view the users in the Organizational Unit "streethawk" and all the groups in AD, make the following changes in AD_Authenticator:

User Base DN :   ou=streethawk,dc=slab,dc=bea,dc=com
Group Base DN :  dc=slab,dc=bea,dc=com

A wider Group Base DN means a larger subtree to search for group membership at every login; comment 11 below reports exactly this slowdown, and the tokenGroups option in comment 1 is the usual remedy.
NOTES :

1. ou=streethawk, dc=slab, dc=bea, dc=com –> spaces after the commas make no difference.

2. cn=puneeth , ou=streethawk , dc=slab , dc=bea , dc=com –> spaces around the commas make no difference either.

3. You can use ipconfig /all on the domain controller to find out its host name.

4. If SLABS is the host name of the domain controller you can use it for Host. The Principal can also be written in down-level form DOMAIN\user, e.g. SLABS\puneeth3 where SLABS is the NetBIOS domain name. (Open the user's properties in Active Directory Users and Computers –> "Account" tab and check the "User logon name (pre-Windows 2000)" field, which shows exactly this form.)

5. In Active Directory (or any LDAP directory), objects are referred to by Distinguished Name (DN).

The parts of a distinguished name, delimited by commas, represent where in the AD hierarchy the object exists:
cn  –  Common Name
ou  –  Organizational Unit
dc  –  Domain Component

6. Common Name is the naming attribute of several classes of objects, namely user, computer, container and group objects.

7. The most common container is the default "cn=Users" container.

If user "cn=puneeth" is in the "Users" container, its DN is: cn=puneeth,cn=Users,dc=MyDomain,dc=com

The Relative Distinguished Name (RDN) of the user is "cn=puneeth".

The RDN is the leftmost part of the DN; it identifies the object within its parent container.

The parent container of "cn=puneeth" is "cn=Users,dc=MyDomain,dc=com", whose own RDN is "cn=Users".

8. One difference between a CN container and an OU is that Group Policy Objects can only be linked to OUs (and to domains and sites), not to CN containers such as cn=Users.

9. The following table shows the naming attribute for common classes of objects in Active Directory.

Object class           Naming attribute
user                   cn (Common Name)
group                  cn (Common Name)
computer               cn (Common Name)
container              cn (Common Name)
organizational unit    ou (Organizational Unit)
domain                 dc (Domain Component)
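A DN parser, added here as an example and not part of the post, that does what notes 5 to 9 describe: it splits a DN into RDNs, returns the RDN and the parent container, and checks whether an entry sits below a given base DN, which is the question behind choosing User Base DN and Group Base DN. The sample DNs are constructed from the post's domain; the entry with an escaped comma is included because it is the case a naive split on commas gets wrong.

```python
import re

# Added example: DN handling for the notes above.  DNs below are constructed
# from the post's example domain.


def split_unescaped(s, sep):
    """Split on `sep`, but not on a backslash-escaped one ('cn=Smith\\, John')."""
    parts, cur, escaped = [], [], False
    for ch in s:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts


def parse_dn(dn):
    """'cn=a , ou=b , dc=c' -> [('cn', 'a'), ('ou', 'b'), ('dc', 'c')].
    Whitespace around commas and '=' is dropped (notes 1 and 2).  Values keep
    their escape sequences so the DN can be written back unchanged."""
    rdns = []
    for part in split_unescaped(dn, ','):
        attr, eq, value = part.partition('=')
        if not eq or not attr.strip():
            raise ValueError('malformed RDN %r in %r' % (part, dn))
        rdns.append((attr.strip(), value.strip()))
    return rdns


def to_string(rdns):
    return ','.join('%s=%s' % (attr, value) for attr, value in rdns)


def rdn(dn):
    """Leftmost component: the object's name inside its parent container."""
    return to_string(parse_dn(dn)[:1])


def parent_dn(dn):
    """Everything after the RDN: the container the object lives in."""
    return to_string(parse_dn(dn)[1:])


def unescape(value):
    """Resolve '\\2C' (hex) and '\\,' (backslash) escapes for comparison/display."""
    value = re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)
    return re.sub(r'\\(.)', r'\1', value)


def _key(rdns):
    # AD matches attribute types, and the values of these attributes, case-insensitively.
    return [(attr.lower(), unescape(value).lower()) for attr, value in rdns]


def is_under(entry_dn, base_dn):
    """True if entry_dn lies strictly below base_dn, i.e. a subtree search
    rooted at base_dn can return it."""
    entry, base = _key(parse_dn(entry_dn)), _key(parse_dn(base_dn))
    return len(entry) > len(base) and entry[-len(base):] == base


def visible_under(base_dn, entry_dns):
    """Which of the entries a provider configured with this base DN can see."""
    return [dn for dn in entry_dns if is_under(dn, base_dn)]


# Constructed sample entries following the post's layout.
USERS = [
    'cn=puneeth3,cn=Users,dc=slab,dc=bea,dc=com',            # default Users container
    'cn=puneeth,ou=streethawk,dc=slab,dc=bea,dc=com',        # the OU from the notes
    'cn=Smith\\, John,ou=streethawk,dc=slab,dc=bea,dc=com',  # escaped comma in the RDN
]

if __name__ == '__main__':
    for base in ('cn=Users,dc=slab,dc=bea,dc=com',
                 'ou=streethawk,dc=slab,dc=bea,dc=com',
                 'dc=slab,dc=bea,dc=com'):
        print('%-40s -> %s' % (base, visible_under(base, USERS)))
```

Running it prints, for each candidate base DN, which of the three users a provider with that User Base DN would list, which is the same effect the two notes above describe when switching between cn=Users, ou=streethawk and the domain root.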

36 Comments »

  1. Configuring the Active Directory Authentication Provider to Improve Performance

    To configure an Active Directory Authentication provider to use the tokenGroups option, set the following attributes (found in the Administration Console on the Active Directory Authentication provider’s Configuration > Provider Specific page):

    Use Token Groups for Group Membership Lookup—Indicates whether to use the Active Directory tokenGroups lookup algorithm instead of the standard recursive group membership lookup algorithm. By default, this option is not enabled.

    Note:
    Access to the tokenGroups option is required (meaning, the user accessing the LDAP directory must have privileges to read the tokenGroups option and the tokenGroups option must be in the schema for user objects).

    Enable SID to Group Lookup Caching—Indicates whether or not SID-to-group name lookup results are cached. This setting only applies if the Use Token Groups for Group Membership Lookup option is enabled.

    Max SID To Group Lookups In Cache—The maximum size of the Least Recently Used (LRU) cache for holding SID to group lookups. This setting applies only if both the Use Token Groups for Group Membership Lookup and Enable SID to Group Lookup Caching options are enabled.

    Comment by streethawkz — July 26, 2010 @ 11:08 am

  2. To list users of a particular group, you can use the following query :

    All Users Filter: (&(memberOf=cn=puneeth_testgroup,cn=Users,dc=slab,dc=bea,dc=com))

    User From Name Filter: (&(cn=%u)(objectclass=user))

    where puneeth_testgroup is a group name.

    Comment by streethawkz — July 27, 2010 @ 9:37 pm

    • How to list users from more than one group.

      For listing users from a single group, I can use the query given by you in comment 2. But for multiple groups? Is it possible at all?

      Kind Regards
      Selvam S

      Comment by Selvam — February 10, 2012 @ 4:50 pm

  3. To assign roles for specific users to the Admin console, we can use the following query in provider specific and assign roles in ” Roles & Policies tab” :

    User From Name Filter:(&(|(samaccountname=name1)(samaccountname=name2))(objectclass=user))

    Comment by streethawkz — September 29, 2010 @ 7:35 pm

  4. Good explanation for someone without too much AD knowledge.
    Eric

    Comment by EricvdS — May 18, 2011 @ 8:36 am

  5. wonderful article

    Comment by lkafle — June 27, 2011 @ 10:32 am


  7. perfect article love it for LDAP in weblogic server

    Comment by Lava Kafle — July 5, 2011 @ 9:31 am

  8. Can I get first and last names from AD as well? I only get login names by repeating this.

    Comment by hessu — July 28, 2011 @ 3:47 pm

    • No, it's just the display name of the user (as set in AD) that will appear in the WLS "Users and Groups" page.

      Comment by streethawkz — July 28, 2011 @ 3:58 pm

  9. Hello,
    I get the below error – any advice please?

    #### <[Security:090302]Authentication Failed: User test2 denied
    javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User test2 denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:199)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:91)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:61)
    at $Proxy17.login(Unknown Source)
    at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
    at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:80)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:61)
    at $Proxy19.authenticate(Unknown Source)
    at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:366)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:256)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:205)
    at weblogic.servlet.security.internal.FormSecurityModule.processJSecurityCheck(FormSecurityModule.java:245)
    at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:200)
    at weblogic.servlet.security.internal.FormSecurityModule.checkAccess(FormSecurityModule.java:91)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:82)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:1946)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1916)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
    Thanks,
    Arch

    Comment by Arch — August 9, 2011 @ 6:17 pm

  10. "Authentication Failed: User test2 denied" shows that your user does not have rights to the AD server you are using. Look at the AD server and use other tools to connect. It also looks like you have used JAAS, so use jaas.conf.

    Comment by lkafle — August 10, 2011 @ 9:34 am

  11. I’ve been trying, but my user base dn must to be dc=xxxx,dc=com and only limit groups with a cn. The result is a very slow performance, making the users not to login, because of the big delay.

    Is there any way to solve this?

    Comment by incanus — November 4, 2011 @ 9:52 pm

  12. if LDAP server is offline then how can we get through weblogic… any idea?

    Comment by dharmirpatel — December 6, 2011 @ 4:47 pm

  13. Yes, at that time we have to set multi-level authentication to true, so if the first fails it automatically moves on to the second authentication handler.

    Comment by lkafle — December 6, 2011 @ 5:04 pm

    • Do not set the control flag of the external LDAP provider to "Required".

      It is good to set the control flag to "Optional" or "Sufficient" for all the authentication providers, so that we will be able to access the console using the user "weblogic" (which is present in the embedded LDAP, i.e. the Default Authenticator) even when the external LDAP / AD is down.

      Comment by streethawkz — December 6, 2011 @ 10:36 pm

  14. Thanks Streethawkz for illustrating the details about the required and sufficient flags for LDAP. Thanks again.

    Comment by lkafle — December 7, 2011 @ 7:20 am

  15. How can I use this to authenticate users in Java code?

    Comment by Sunil — June 27, 2012 @ 4:54 pm

  16. I know this post is kinda old but I have an issue that needs resolution ASAP so I thought I’d give it a shot. I’m working with 4 different OUs in AD. My groups that will be mapped to roles in OBIEE exist in 1 AD. The users are scattered in the 3 other OUs but have been mapped to the groups in the first OU (not sure how but that’s what I’ve been told!). How do I bring these users and groups into OBIEE to be able to do what I need to do as far as permissions go?

    Comment by JG — October 17, 2012 @ 6:21 pm

    • As far as I understand, you have a group which has users from different OUs. OK, so configure AD with WLS such that you retrieve all the users from that particular group; you can use filters in the Provider Specific tab to do this. Now go to Roles and Policies on the WLS console and map the roles you need to this group. That should be it.

      I'm not sure about OBIEE, but from the WLS end this is what you need to do.

      Comment by streethawkz — October 17, 2012 @ 6:34 pm

      • Thanks for the quick response. OBIEE is also WLS based now so it should be the same. The OU with the groups does not have the users inside of it though so if I just bring the OU with the groups in it, I can’t see the users. I do however see the groups in the WLS Console. Thoughts?

        Comment by JG — October 17, 2012 @ 6:40 pm

        • You can retrieve individual users by making changes in the filters on the Provider Specific page. Instead of * give your user name in the filters and check if that user is retrieved; if yes, then you can use the & operator and retrieve only the users you need.

          Also, if you are not able to retrieve the users from the groups, I doubt whether the users are mapped properly to the groups. Check with your AD admin once.

          You can use an external LDAP browser to validate the same.

          Comment by streethawkz — October 17, 2012 @ 6:45 pm

  17. Ok, so even if the users don’t exist in the OU with the groups in it, and the users from the other OUs have been mapped somehow to those groups in the first OU, then I should be able to see those users within WLS after integrating only the OU with the groups? Thanks a ton by the way for all your help!

    Comment by JG — October 17, 2012 @ 6:51 pm

    • I doubt whether such a mapping is possible, but if it is we should be able to retrieve such users from this group.

      I'll try this at my end tonight if possible and will let you know.

      Comment by streethawkz — October 17, 2012 @ 7:00 pm

      • That would be very helpful. I will wait for your response.

        Comment by JG — October 17, 2012 @ 7:05 pm

      • Were you able to figure that out?

        Comment by JG — October 19, 2012 @ 9:18 pm

  18. Hi Streethawkz,
    Could you please help to explain the difference of “All Users Filter” and “User From Named Filter”? and give some example to explain this?

    Much appreciated.
    Jie

    Comment by Jie — December 11, 2012 @ 1:32 pm

  19. To find the DN of a user try :

    dsquery user -name

    To find DN of a group :

    dsquery group -name

    Comment by streethawkz — August 23, 2013 @ 7:14 pm

  20. Hi, i need to list users from several OU inside another OU. How can i do this?

    Comment by dasetova — August 30, 2013 @ 8:38 pm

  21. great explaination, I owe you a lot.

    Comment by shiva — December 26, 2013 @ 10:36 pm


  23. Hi,

    In WebLogic 10 I have configured user authentication with a custom login module which accepts an Active Directory user name and password and authenticates the user, and it is working as expected.
    But now the customer wants direct redirection to the application's home page, without entering user name and password, when he accesses the application a second time. Once the user has been authenticated by AD user name and password, the next time it should read the password from his AD account and allow the user to log in.

    Can anyone help me with which settings I have to enable in WebLogic to allow the user to log in to the application by reading the AD account user name and password?

    Regards,
    Kirti

    Comment by Kirti — April 27, 2014 @ 8:39 pm

  24. Hi,
    I tried configuring JDeveloper's integrated WebLogic server with MS AD and was able to do that successfully, so the users and groups were listed in the WebLogic console.
    Now when I try to edit the Roles and Policies and add any of the AD users, I get an error message stating that " does not exist".
    Can anyone let me know what the probable cause of that could be?

    Thanks

    Comment by Garima — May 30, 2014 @ 7:02 pm

  25. http://support.microsoft.com/kb/555636

    Comment by streethawkz — August 13, 2014 @ 11:08 pm

  26. Thank you, and Thank you for unlimited times

    Comment by esmaeil namazi — August 23, 2016 @ 11:05 am

  27. Thanks for the wonderful update.

    How can we control user access based on the user base DN?

    My user base DN is DC=corp,dc=***corp,dc=net and I have the filter
    (&(memberOf=CN=***_***ARUSERS,OU=global,OU=security groups,OU=***,DC=corp,dc=***corp,dc=net)).

    But users who are not part of this group are still able to log in to the application.

    How can I stop users who are not part of the group from accessing the application?

    Comment by Rgh — September 29, 2016 @ 8:30 pm
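An added example, not code from the post: a small evaluator for the search filters that comments 2, 3, 18 and 27 are about, run against a constructed snapshot of the example domain (the users puneeth3, selvam and outsider and the group wls_operators are made up for this; puneeth_testgroup is the group from comment 2). It shows the difference asked about in comment 18 and the cause of the problem in comment 27: the All Users Filter only decides who appears in "Users and Groups", while the User From Name Filter, with %u replaced by the login name, decides which DN the provider binds with, so a memberOf restriction has to be in that filter to keep non-members out.

```python
# Added example: LDAP filter evaluation as WebLogic's LDAP/AD authenticators
# use it.  Supports &, |, ! and attr=value terms, which covers the filters in
# the comments above.  The directory snapshot below is constructed.


def parse_filter(text):
    """Parse an RFC 4515 filter restricted to &, |, ! and attr=value terms."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError('trailing data in filter: %r' % text[end:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != '(':
        raise ValueError('expected "(" at offset %d in %r' % (i, s))
    i += 1
    op = s[i]
    if op in '&|':
        kids, i = [], i + 1
        while s[i] != ')':
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if op == '!':
        kid, i = _parse(s, i + 1)
        if s[i] != ')':
            raise ValueError('unclosed "!" term at offset %d' % i)
        return ('!', [kid]), i + 1
    end = s.index(')', i)          # values cannot contain ')' (LDAP escapes it as \29)
    attr, eq, value = s[i:end].partition('=')
    if not eq or not attr.strip():
        raise ValueError('bad term %r' % s[i:end])
    return ('=', (attr.strip().lower(), value)), end + 1


def matches(node, entry):
    op, arg = node
    if op == '&':
        return all(matches(k, entry) for k in arg)
    if op == '|':
        return any(matches(k, entry) for k in arg)
    if op == '!':
        return not matches(arg[0], entry)
    attr, value = arg
    present = [v.lower() for v in entry.get(attr, [])]   # AD matches these attributes case-insensitively
    if value == '*':
        return bool(present)                              # presence test, e.g. (cn=*)
    return value.lower() in present


def search(directory, filter_text):
    """DNs of all entries matching the filter (what 'Users and Groups' lists)."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(node, entry))


FILTER_METACHARS = set('()*\\\x00')


def resolve_login(directory, user_from_name_filter, username):
    """First step of a login: substitute %u, search, bind as the single DN found.
    No DN (or more than one) means the login is denied before any password is checked."""
    if FILTER_METACHARS & set(username):
        return None          # this example's own guard against filter injection via %u
    hits = search(directory, user_from_name_filter.replace('%u', username))
    return hits[0] if len(hits) == 1 else None


def _user(name, groups):
    return {'cn': [name], 'samaccountname': [name],
            'objectclass': ['top', 'person', 'user'], 'memberof': groups}


G_TEST = 'cn=puneeth_testgroup,cn=Users,dc=slab,dc=bea,dc=com'   # group from comment 2
G_OPS = 'cn=wls_operators,cn=Users,dc=slab,dc=bea,dc=com'        # second group (constructed)

DIRECTORY = {  # constructed snapshot: DN -> attributes (names lower-cased)
    'cn=puneeth3,cn=Users,dc=slab,dc=bea,dc=com': _user('puneeth3', [G_TEST]),
    'cn=selvam,ou=streethawk,dc=slab,dc=bea,dc=com': _user('selvam', [G_OPS]),
    'cn=outsider,cn=Users,dc=slab,dc=bea,dc=com': _user('outsider', []),
    G_TEST: {'cn': ['puneeth_testgroup'], 'objectclass': ['top', 'group']},
}

ALL_USERS_FILTER = '(&(memberOf=%s))' % G_TEST                        # comment 2's listing filter
DEFAULT_USER_FROM_NAME = '(&(cn=%u)(objectclass=user))'               # the provider default
RESTRICTED_USER_FROM_NAME = '(&(sAMAccountName=%%u)(objectclass=user)(memberOf=%s))' % G_TEST
MULTI_GROUP_FILTER = '(&(|(memberOf=%s)(memberOf=%s))(objectclass=user))' % (G_TEST, G_OPS)

if __name__ == '__main__':
    print('listed by All Users Filter :', search(DIRECTORY, ALL_USERS_FILTER))
    print('login outsider, default UFN:', resolve_login(DIRECTORY, DEFAULT_USER_FROM_NAME, 'outsider'))
    print('login outsider, restricted :', resolve_login(DIRECTORY, RESTRICTED_USER_FROM_NAME, 'outsider'))
    print('two groups (Selvam, cmt 2) :', search(DIRECTORY, MULTI_GROUP_FILTER))
```

With the default User From Name Filter, "outsider" still resolves to a DN and the login proceeds even though the All Users Filter hides the account from the console; with the memberOf clause added to the User From Name Filter the lookup returns nothing and the login is denied. memberOf holds direct memberships only; matching nested groups in AD needs the LDAP_MATCHING_RULE_IN_CHAIN form (memberOf:1.2.840.113556.1.4.1941:=<group DN>), which this evaluator does not implement. The metacharacter check in resolve_login is this example's own guard; check how your WebLogic version escapes the login name before relying on the substitution.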

