
Thursday, November 16, 2006

Configuring LDAP in Weblogic

WebLogic Server does not support or certify any particular LDAP server; any LDAP v2 or v3 compliant directory should work with it. The LDAP Authentication providers in this release of WebLogic Server (v9.2) are configured to work readily with the SunONE (iPlanet), Active Directory, Open LDAP and Novell NDS LDAP servers. To access another type of LDAP server, choose either the generic LDAP Authentication provider (LDAPAuthenticator) or the existing provider that most closely matches the new server, and customize its configuration to match the schema and other attributes of your directory. The server ships with the following Authentication providers, one per directory type:
  • iPlanet Authentication provider
  • Active Directory Authentication provider
  • Open LDAP Authentication provider
  • Novell Authentication provider
  • generic LDAP Authentication provider
Follow these steps to configure LDAP in Weblogic:
  1. Choose an LDAP Authentication provider that matches your LDAP server and create an instance of it in your security realm.
  2. Configure the provider-specific attributes of the LDAP Authentication provider through the Administration Console. For each LDAP Authentication provider, there are attributes that:
    1. Enable communication between the LDAP server and the LDAP Authentication provider (host, port, bind principal and credential). For a more secure deployment, BEA recommends using the SSL protocol to protect communications between the LDAP server and WebLogic Server: enable it with the SSLEnabled attribute, and make sure the CA that issued the directory's certificate is in the server's trust keystore. Without SSL, the bind credential and every authenticating user's password cross the network in clear text.
    2. Configure options that control how the LDAP Authentication provider searches the LDAP directory.
    3. Specify where in the LDAP directory structure users are located (user base DN, user name attribute and user object class).
    4. Specify where in the LDAP directory structure groups are located (group base DN).
    5. Define how members of a group are located (static and dynamic group membership attributes).
  3. Configure performance options that control the cache of LDAP lookups (whether it is enabled, its size and its TTL). Use the Configuration: Provider Specific and Performance pages for the provider in the Administration Console to configure the cache. Changes to Authentication providers take effect only after the server is restarted.

FAILOVER

You can configure an LDAP Authentication provider to work with multiple LDAP servers and fail over if one of them is not available. To do this, change the Host attribute on the security_realm > Providers > provider_specific page to contain a list of hostnames and ports (for example localhost:389, remotehost:389). When using failover, also set the Parallel Connect Delay and Connection Timeout attributes of the LDAP Authentication provider:
  • Parallel Connect Delay: the number of seconds to wait before starting a concurrent connection attempt to the next server in the list. With a value of 0, connection attempts are serialized: the first host in the list is tried, and the next entry is tried only after the attempt to the current host fails. Serialized attempts can block your application for an unacceptably long time while a host is down. With a value greater than 0, another connection setup thread is started after that many seconds, so a dead first host delays authentication by the delay rather than by a full connection timeout.
  • Connection Timeout: the maximum number of seconds to wait for a connection to an LDAP server to be established. If set to 0, there is no limit and WebLogic Server waits until the TCP/IP layer times out before reporting a connection failure, which can take minutes. The WebLogic documentation suggests a value over 60 seconds, depending on your TCP/IP configuration.
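The three configuration steps above and the failover settings, as an added WLST (Jython) script that is not part of the original post or of the WebLogic documentation. It assumes a generic LDAP Authentication provider named CorpLDAPAuthenticator, two directory hosts ldap1.example.com and ldap2.example.com listening on 636 with SSL, an inetOrgPerson/groupOfUniqueNames schema under dc=example,dc=com, an admin server on t3://localhost:7001 and placeholder credentials; all of these are assumptions to replace with your own values.

```wlst
# Added example (not from the original post): configure an LDAP
# Authentication provider with WLST. Hostnames, DNs, passwords and the
# provider name are placeholders.
connect('weblogic', 'admin-password', 't3://localhost:7001')
edit()
startEdit()

realm = cmo.getSecurityConfiguration().getDefaultRealm()

# Step 1: create an instance of the generic LDAP Authentication provider
atn = realm.createAuthenticationProvider(
    'CorpLDAPAuthenticator',
    'weblogic.security.providers.authentication.LDAPAuthenticator')

# SUFFICIENT: a user that this provider authenticates needs no entry in the
# embedded LDAP. Set the DefaultAuthenticator (default REQUIRED) to
# SUFFICIENT as well if you keep it for the boot user.
atn.setControlFlag('SUFFICIENT')

# Step 2.1: communication with the directory. Two hosts for failover
# (space-separated host:port entries; the post shows them comma-separated,
# check the console help for your version). SSL so the bind credential and
# user passwords do not cross the network in clear text.
atn.setHost('ldap1.example.com:636 ldap2.example.com:636')
atn.setPort(636)
atn.setSSLEnabled(true)
atn.setPrincipal('cn=wlsbind,ou=service,dc=example,dc=com')
atn.setCredential('bind-password')   # placeholder; use a dedicated, read-only bind account

# Failover: start a parallel attempt after 1 s, give up per host after 10 s
atn.setParallelConnectDelay(1)
atn.setConnectTimeout(10)

# Step 2.2 / 2.3: how users are searched and where they live
atn.setUserBaseDN('ou=people,dc=example,dc=com')
atn.setUserNameAttribute('uid')
atn.setUserObjectClass('inetOrgPerson')
atn.setUserFromNameFilter('(&(uid=%u)(objectclass=inetOrgPerson))')

# Step 2.4 / 2.5: where groups live and how membership is expressed
atn.setGroupBaseDN('ou=groups,dc=example,dc=com')
atn.setGroupFromNameFilter('(&(cn=%g)(objectclass=groupOfUniqueNames))')
atn.setStaticGroupObjectClass('groupOfUniqueNames')
atn.setStaticGroupNameAttribute('cn')
atn.setStaticMemberDNAttribute('uniqueMember')
atn.setStaticGroupDNsfromMemberDNFilter('(&(uniquemember=%M)(objectclass=groupOfUniqueNames))')

# Step 3: cache of LDAP lookups (size in entries, TTL in seconds)
atn.setCacheEnabled(true)
atn.setCacheSize(1024)
atn.setCacheTTL(60)

save()
activate(block='true')
disconnect()
```

Run it with java weblogic.WLST followed by the script's file name, then restart the server, since provider changes are not picked up at runtime. If the handshake to port 636 fails, check that the server's trust keystore (Custom Trust keystore in the console) contains the CA that issued the directory's certificate before looking anywhere else.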

NOTE
If an LDAP Authentication provider is the only configured Authentication provider for a security realm, the user that boots WebLogic Server must be granted the Admin role, and that user (or a group containing it) must exist in the LDAP directory. Either create an Administrators group in the LDAP directory and add your boot user to it (the default global Admin role is granted to the Administrators group), or use an existing LDAP group and add it to the Admin role in the WebLogic Administration Console. For more information refer to the WebLogic documentation: Configuring LDAP Authentication Providers.

17 comments:

  1. Hi Abhi,
My name is Gonzalo. I need to modify the safety of the password of LDAP in Weblogic. I can't use an external LDAP.

    Can you help me?

    Thanks.

  2. Hi Gonzalo,
    Can you be more specific on what you mean by "safety of the password"?

    abhi

  3. Hi Abhi,

    I'm Gonzalo again, thanks for your answer.

I would like to create specific password policies for Weblogic's embedded LDAP, like password expiry, set account lockout time, password minimum length, passwords in history, etc.

I have seen that LDAP provides mechanisms to perform password policies by modifying some parameters of the LDAP, like pwdMaxAge, pwdExpireWarning, pwdCheckSyntax, pwdMinLength, etc., but I don't know how to modify WebLogic's embedded LDAP to perform this.

    I would like to know how to implement these password policies, and if I have to modify LDAP with an external tool like LDAPManager.

    I have realized that with DefaultAuthenticatorProvider, weblogic can only verify a minimum password length restriction.

    Is it possible to implement these password policies in Weblogic's embedded LDAP, without move to another LDAP provider?

    Thanks in advance

  4. Hi Gonzalo,
I did not use Weblogic Embedded LDAP before. But from what I see, there is no option to set the password properties as you want. I looked at using an external LDAP editor as they say on the BEA site http://e-docs.bea.com/wls/docs92/secmanage/ldap.html#wp1102168, without much luck. You may want to play around with it. But the Weblogic authenticator MBean does not support additional password properties, as you can see here (http://e-docs.bea.com/wls/docs91/javadocs_mhome/weblogic/security/providers/authentication/DefaultAuthenticatorMBean.html). I guess using an external provider would be the easier option. Sorry I couldn't be of more help.

    abhi

  5. Abhi is right,

    you need to use external provider.

  6. Abhi is right,

    you need to use external LDAP

  7. Do you have a sample of a web app which is using the LDAPAuthenticator to log in the user? (JAAS)

  8. Hi abhi

I have created a new security realm and configured the LDAP Authenticator for my LDAP server in WLS. After restarting I'm able to see the users and groups from LDAP.
    But the users are not visible in the Portal Admin console. Can you suggest how to bring the users into the Portal Admin Console?

  9. Hi abhi,

Does weblogic's LDAP authenticator provide capabilities to create groups and users?

    If not, do you have any workaround for the same?

    thanks,

    Rakesh

  10. Quick question for the guru: I have weblogic authenticating against my Active Directory and everything works great. The only issue I have is I cannot get my users to change their passwords. Do I have to have SSL enabled on my servers, or is there a way around it? Or do you have any ideas? I have created a link for the user to go out and change his password, but when the user changes it nothing happens and his password remains the same.

    Thank you
    Mike

  11. hi Abhi...
    I have established the LDAP Connectivity successfully.
    I am working to establish LDAPS Connectivity from Weblogic Server to Sun One Directory Server (5.2).
    1) I created a certificate request from SUN One's Console. Obtained Certificate from CA.
    2) Installed the Certificate in the Sun One directory Server
    3) Imported the root certificate obtained in a keystore using command (keytool -import -alias rootca -trustcacerts -file server_ldap_root.cer -keypass weblogic -keystore support.jks -storepass support)

    4) Gave the path of this keystore created in Weblogic.'Custom Trust keystores' block.

    5) Ticked and Enabled the SSL Listening port of Weblogic(8.1 SP5)

Still, while trying to connect to the Sun One server I am getting an error:
    JSSESocketFactory.makeSocket masumas01.corp.amdocs.com:8529, Remote host closed connection during handshake. Error number: 91, Exception toString: netscape.ldap.LDAPException: JSSESocketFactory.makeSocket masumas01.corp.amdocs.com:8529, Remote host closed connection during handshake (91), Exeption MatchedDN: null, Exeption StackTrackTrace:[Ljava.lang.StackTraceElement;@bbaf09

    Am I missing something?

  12. Hi abhi,
I am using Windows-based LDAP authentication for one of my applications. I have created a Java class for LDAP authentication as posted here, but I need to use it in BEA weblogic 9.0. So please help me to use LDAP authentication in weblogic.
    /* Java Class for LDAP Authentication */




Please help me: how to use Windows-based LDAP authentication in weblogic 9.0?


    Thank you
    Vishwanath

  13. hi abhi,
    this is soumik

    Hi,
I am using weblogic 8.1 portal server. I have configured it with an Open LDAP server for authenticating users.
    I can do authentication for the users of my portal application through the embedded (internal) LDAP, but we need to authenticate users from Open LDAP also. I need help regarding that only.
    There are some users in the embedded LDAP and some in Open LDAP. All of the users should get authenticated with weblogic.
    I can see the users in Open LDAP through the security realm in my weblogic server but can't use them for authentication.

    any help will be regarded with high spirits.

    my mail id is
    soumik.basu@lntinfotech.com

  14. hi,
I want configurations for weblogic through embedded LDAP configuration. Please give detailed steps as early as possible. My mail id is saibaba.mavilla@gmail.com

  15. What is the default LDAP password?
    Is it the domain's password?

    thanks
    D

  16. Hi All,

    I need to know two things:
    1. How to fetch my realm information into human-readable data of any type, like Excel or Word etc.?
    2. How to configure my LDAP server as MS AD, exactly like Mike's environment? I think Mike can help me out on this issue.
    Currently I am working on the Windows platform.

    You can write me on biswajitpriyadarshi@gmail.com or at biswajitpriyadarshi@yahoo.co.in

    Thanks all and waiting for your swift and valuable suggestions........

  17. Hey, lots of questions on your head. Not a good idea to not answer your audience.

    - I was about to ask a question
