- iPlanet Authentication provider
- Active Directory Authentication provider
- Open LDAP Authentication provider
- Novell Authentication provider
- generic LDAP Authentication provider
- Choose an LDAP Authentication provider that matches your LDAP server and create an instance of the provider in your security realm.
- Configure the provider-specific attributes of the LDAP Authentication provider, which you can do through the Administration Console. For each LDAP Authentication provider, there are attributes that:
- Enable communication between the LDAP server and the LDAP Authentication provider. For a more secure deployment, BEA recommends using the SSL protocol to protect communications between the LDAP server and WebLogic Server. Enable SSL with the SSLEnabled attribute.
- Configure options that control how the LDAP Authentication provider searches the LDAP directory.
- Specify where in the LDAP directory structure users are located.
- Specify where in the LDAP directory structure groups are located.
- Define how members of a group are located.
- Configure performance options that control the cache for the LDAP server. Use the Configuration: Provider Specific and Performance pages for the provider in the Administration Console to configure the cache.
FAILOVER
You can configure an LDAP provider to work with multiple LDAP servers and enable failover if one LDAP server is not available. To do this, change the Host attribute on the security_realm > Providers > provider_specific page to a list of hostnames and ports (for example, localhost:389, remotehost:389). When using failover, the Parallel Connect Delay and Connection Timeout attributes have to be set for the LDAP Authentication provider:
- Parallel Connect Delay—Specifies the number of seconds to delay when making concurrent attempts to connect to multiple servers. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. This setting might cause your application to block for an unacceptably long time if a host is down. If the value is greater than 0, another connection setup thread is started after the specified number of delay seconds has passed. If the value is 0, connection attempts are serialized.
- Connection Timeout—Specifies the maximum number of seconds to wait for the connection to the LDAP server to be established. If set to 0, there is no maximum time limit and WebLogic Server waits until the TCP/IP layer times out before returning a connection failure. Set it to a value over 60 seconds, depending on the configuration of TCP/IP.
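The failover behaviour of the two attributes above, as an added Python model that is not WebLogic's own code: parse_host_list reads a Host list in the format shown, and connect_with_failover runs the attempts serialized (delay 0) or staggered by the delay, bounded by the timeout. The connector callable and the comma-or-space separators in the host list are assumptions made for illustration.

```python
import threading
import time

DEFAULT_LDAP_PORT = 389  # standard LDAP port, the one in the page's example host list


def parse_host_list(host_attr):
    """Parse a Host attribute like "localhost:389, remotehost:389" into (host, port) pairs.
    Assumption: entries are comma- or whitespace-separated; a missing port means 389."""
    servers = []
    for entry in host_attr.replace(",", " ").split():
        host, _, port = entry.partition(":")
        servers.append((host, int(port) if port else DEFAULT_LDAP_PORT))
    return servers


def connect_with_failover(servers, connect, parallel_connect_delay=0.0, connect_timeout=0.0):
    """Return the first server that connect(server, timeout) reaches, or None.
    Parallel Connect Delay 0 = serialized attempts (a dead first host blocks until its own
    connect fails); > 0 = start the next host's attempt after that many seconds without an answer.
    Connection Timeout 0 = no overall limit (wait for the TCP layer); > 0 = give up after it."""
    if not servers:
        return None
    deadline = None if connect_timeout <= 0 else time.monotonic() + connect_timeout
    remaining = lambda: None if deadline is None else max(0.0, deadline - time.monotonic())
    state = {"winner": None, "failed": 0}
    settled = threading.Event()  # set once a host answered or every host has failed
    lock = threading.Lock()

    def attempt(server):
        try:
            ok = connect(server, remaining())
        except OSError:
            ok = False
        with lock:
            if ok and state["winner"] is None:
                state["winner"] = server
            state["failed"] += 0 if ok else 1
            if state["winner"] is not None or state["failed"] == len(servers):
                settled.set()

    for server in servers:
        if deadline is not None and remaining() == 0:
            break  # Connection Timeout exhausted before this host was even tried
        if parallel_connect_delay <= 0:
            attempt(server)  # serialized: block on this host until it answers or fails
        else:
            threading.Thread(target=attempt, args=(server,), daemon=True).start()
            settled.wait(parallel_connect_delay if deadline is None else min(parallel_connect_delay, remaining()))
        if settled.is_set():
            break
    settled.wait(remaining())  # wait for outstanding attempts; None = no limit, 0 = return now
    return state["winner"]
```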
NOTE
If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. You can either create an Administrators group in the LDAP directory and include your user in that group, or use an existing group and add the group to the Admin role in the WebLogic Administration Console. For more information, refer to the WebLogic documentation: Configuring LDAP providers.
Hi Abhi,
My name is Gonzalo. I need to modify the safety of the password of LDAP in WebLogic. I can't use an external LDAP.
Can you help me?
Thanks.
Hi Gonzalo,
Can you be more specific on what you mean by "safety of the password"?
abhi
Hi Abhi,
I'm Gonzalo again, thanks for your answer.
I would like to create specific password policies for WebLogic's embedded LDAP, like password expiry, account lockout time, password minimum length, passwords in history, etc.
I have seen that LDAP provides mechanisms to perform password policies by modifying some parameters of the LDAP, like pwdMaxAge, pwdExpireWarning, pwdCheckSyntax, pwdMinLength, etc., but I don't know how to modify WebLogic's embedded LDAP to perform this.
I would like to know how to implement these password policies, and if I have to modify LDAP with an external tool like LDAPManager.
I have realized that with DefaultAuthenticatorProvider, WebLogic can only verify a minimum password length restriction.
Is it possible to implement these password policies in WebLogic's embedded LDAP, without moving to another LDAP provider?
Thanks in advance
Hi Gonzalo,
I did not use WebLogic Embedded LDAP before. But from what I see, there is no option to set the password properties as you want. I looked at using an external LDAP editor as they say on the BEA site http://e-docs.bea.com/wls/docs92/secmanage/ldap.html#wp1102168, without much luck. You may want to play around with it. But the WebLogic authenticator MBean does not support additional password properties, as you can see here (http://e-docs.bea.com/wls/docs91/javadocs_mhome/weblogic/security/providers/authentication/DefaultAuthenticatorMBean.html). I guess using an external provider would be the easier option. Sorry, couldn't be of more help.
abhi
Abhi is right,
you need to use an external provider.
Abhi is right,
you need to use an external LDAP.
Do you have a sample of a web app which is using the LDAPAuthenticator to log in the user? (JAAS)
Hi abhi
I have created a new security realm and configured the LDAP Authenticator for my LDAP Server in the WLS. After restarting I'm able to see the users and groups from LDAP.
But the users are not visible in the Portal Admin Console. Can you suggest how to bring the users into the Portal Admin Console?
Hi abhi,
Does WebLogic's LDAP authenticator provide capabilities to create groups and users?
If not, do you have any workaround for the same?
thanks,
Rakesh
Quick question for the guru. I have WebLogic authenticating up against my Active Directory and everything works great. The only issue I have is I cannot get my users to change their passwords. Do I have to have SSL enabled on my servers, or is there a way around it? Or do you have any ideas? I have created a link for the user to go out and change his password, but when the user changes it nothing happens and his password remains the same.
Thank you
Mike
hi Abhi...
I have established the LDAP connectivity successfully.
I am working to establish LDAPS Connectivity from Weblogic Server to Sun One Directory Server (5.2).
1) I created a certificate request from SUN One's Console. Obtained Certificate from CA.
2) Installed the Certificate in the Sun One directory Server
3) Imported the root certificate obtained in a keystore using command (keytool -import -alias rootca -trustcacerts -file server_ldap_root.cer -keypass weblogic -keystore support.jks -storepass support)
4) Gave the path of this keystore created in Weblogic.'Custom Trust keystores' block.
5) Ticked and enabled the SSL listening port of WebLogic (8.1 SP5)
Still, while trying to connect to the Sun One Server, I am getting an error:
JSSESocketFactory.makeSocket masumas01.corp.amdocs.com:8529, Remote host closed connection during handshake. Error number: 91, Exception toString: netscape.ldap.LDAPException: JSSESocketFactory.makeSocket masumas01.corp.amdocs.com:8529, Remote host closed connection during handshake (91), Exeption MatchedDN: null, Exeption StackTrackTrace:[Ljava.lang.StackTraceElement;@bbaf09
Am I missing something?
Hi abhi,
I am using Windows-based LDAP authentication for one of my applications. I have created a Java class for LDAP authentication as posted here, but I need to use it in BEA WebLogic 9.0. So please help me to use LDAP authentication in WebLogic.
/* Java Class for LDAP Authentication */
Please help me, how to use Windows-based LDAP authentication in WebLogic 9.0?
Thank you
Vishwanath
hi abhi,
this is soumik
Hi,
I am using WebLogic 8.1 portal server. I have configured it with an OpenLDAP server for authenticating users.
I can do authentication for my portal application of the users through the embedded (internal) LDAP, but we need to authenticate users from OpenLDAP also. I need help regarding that only.
There are some users in the embedded LDAP and some in OpenLDAP. All of the users should get authenticated with WebLogic.
I can see the users in OpenLDAP through the security realm in my WebLogic server but can't use them for authentication.
Any help will be regarded with high spirits.
my mail id is
soumik.basu@lntinfotech.com
hi,
I want configurations about WebLogic through embedded LDAP configuration. Please give detailed steps as early as possible. My mail id is saibaba.mavilla@gmail.com
What is the default LDAP password?
Is it the domain's password?
thanks
D
Hi All,
I need to know two things:
1. How to fetch my realm information into human-readable data of any type, like Excel or Word, etc.?
2. How to configure my LDAP server as MS AD, exactly like MIKE's environment? I think MIKE can help me out on this issue.
Currently I am working on WINDOWS platform.
You can write me on biswajitpriyadarshi@gmail.com or at biswajitpriyadarshi@yahoo.co.in
Thanks all, and waiting for your swift and valuable suggestions.
Hey, lots of questions on your head. Not a good idea to not answer your audience.
- I was about to ask a question
Hi Abhilash,
I am working on WebLogic Server 12c with 2 host machines. Everything was working fine with creation and starting of managed servers, clusters, node manager, OHS and others.
For configuring the Authentication provider, I created a new LDAP LDAPAuthenticator.
When I try to start the Weblogic Admin Server I get the following
Every time Weblogic Server is FORCE_SHUTTING_DOWN.
Due to this I am not able to start the Weblogic Admin Server.
I corrected the boot.properties file for username and password credentials.
How do I remove the newly created LDAPAuthenticator, which is the root cause for the server error? How can I restore my original settings of the Admin Server, since it was installed and working fine?
Thanks
Ajaz Ahmed