Administration Console Online Help


Active Directory Authentication Provider: Provider Specific


Use this page to define the provider specific configuration for this Active Directory Authentication provider.

Configuration Options

Name Description
Group Base DN

The attribute of an LDAP user object that specifies the Distinguished Names (DNs) of dynamic groups to which the user belongs.

MBean Attribute:
ActiveDirectoryAuthenticatorMBean.GroupBaseDN

Changes take effect after you redeploy the module or restart the server.

User Name Attribute

The attribute of an LDAP user object that specifies the name of the user.

MBean Attribute:
ActiveDirectoryAuthenticatorMBean.UserNameAttribute

Changes take effect after you redeploy the module or restart the server.

Results Time Limit

The maximum number of milliseconds for the LDAP server to wait for results before timing out. If this attribute is set to 0, there is no maximum time limit.

MBean Attribute:
LDAPServerMBean.ResultsTimeLimit

Changes take effect after you redeploy the module or restart the server.

Dynamic Member URL Attribute

The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.

MBean Attribute:
LDAPAuthenticatorMBean.DynamicMemberURLAttribute

Changes take effect after you redeploy the module or restart the server.

Parallel Connect Delay

The delay in seconds when making concurrent attempts to connect to multiple LDAP servers. If this attribute is set to 0, connection attempts are serialized. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. If this attribute is not set and an LDAP server is unavailable, an application may be blocked for a long time. If this attribute is greater than 0, another connection is started after the specified time.

MBean Attribute:
LDAPServerMBean.ParallelConnectDelay

Changes take effect after you redeploy the module or restart the server.

Static Group Object Class

The name of the LDAP object class that stores static groups.

MBean Attribute:
ActiveDirectoryAuthenticatorMBean.StaticGroupObjectClass

Changes take effect after you redeploy the module or restart the server.

Ignore Duplicate Membership

Determines whether duplicate members are ignored when adding groups. The attribute cycles in the Group membership.

MBean Attribute:
ActiveDirectoryAuthenticatorMBean.IgnoreDuplicateMembership

Changes take effect after you redeploy the module or restart the server.

Follow Referrals

Specifies that a search for a user or group within the Active Directory Authentication provider will follow referrals to other LDAP servers or branches within the LDAP directory. By default, this attribute is enabled.

MBean Attribute:
LDAPServerMBean.FollowReferrals

Changes take effect after you redeploy the module or restart the server.

Port

The port number on which the Active Directory LDAP server is listening.

MBean Attribute:
LDAPServerMBean.Port

Minimum value: 1

Maximum value: 65534

Changes take effect after you redeploy the module or restart the server.

User Base DN

The base Distinguished Name (DN) of the tree in the LDAP directory that contains users.

MBean Attribute:
ActiveDirectoryAuthenticatorMBean.UserBaseDN

Changes take effect after you redeploy the module or restart the server.

Propagate Cause For Login Exception

Specifies whether the providers should propagate the cause of the LoginException.

MBean Attribute:
LoginExceptionPropagatorMBean.PropagateCauseForLoginException

Changes take effect after you redeploy the module or restart the server.

Credential Encrypted

The credential (generally a password) used to authenticate the LDAP user that is defined in the Principal attribute.

MBean Attribute:
LDAPServerMBean.CredentialEncrypted

Changes take effect after you redeploy the module or restart the server.

Group Search Scope

Specifies how deep in the LDAP directory tree to search for groups. Valid values are subtree and onelevel.

MBean Attribute:
LDAPAuthenticatorMBean.GroupSearchScope

Changes take effect after you redeploy the module or restart the server.

User Object Class

The LDAP object class that stores users.

MBean Attribute:
LDAPAuthenticatorMBean.UserObjectClass

Changes take effect after you redeploy the module or restart the server.

All Groups Filter

An LDAP search filter for finding all groups beneath the base group distinguished name (DN). If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the Group schema.

MBean Attribute:
LDAPAuthenticatorMBean.AllGroupsFilter

Changes take effect after you redeploy the module or restart the server.

Connection Retry Limit

Specifies the number of times to attempt to connect to the LDAP server if the initial connection failed.

MBean Attribute:
LDAPServerMBean.ConnectionRetryLimit

Changes take effect after you redeploy the module or restart the server.

SSLEnabled

Specifies whether the SSL protocol should be used when connecting to the Active Directory LDAP server.

MBean Attribute:
LDAPServerMBean.SSLEnabled

Changes take effect after you redeploy the module or restart the server.

User Dynamic Group DN Attribute

If such an attribute does not exist, WebLogic Server determines if a user is a member of a group by evaluating the URLs on the dynamic group. If a group contains other groups, WebLogic Server evaluates the URLs on any of the descendants (indicates parent relationship) of the group.

MBean Attribute:
LDAPAuthenticatorMBean.UserDynamicGroupDNAttribute

Changes take effect after you redeploy the module or restart the server.

Static Group Name Attribute

The attribute of a static LDAP group object that specifies the name of the group.

MBean Attribute:
LDAPAuthenticatorMBean.StaticGroupNameAttribute

Changes take effect after you redeploy the module or restart the server.

Dynamic Group Object Class

The LDAP object class that stores dynamic groups.

MBean Attribute:
LDAPAuthenticatorMBean.DynamicGroupObjectClass

Changes take effect after you redeploy the module or restart the server.

Connect Timeout

The maximum time in seconds to wait for the connection to the LDAP server to be established. If this attribute is set to 0, there is no maximum time limit.

MBean Attribute:
LDAPServerMBean.ConnectTimeout

Changes take effect after you redeploy the module or restart the server.

Principal

The Distinguished Name (DN) of the Active Directory LDAP user that WebLogic Server should use to connect to the Active Directory LDAP server.

MBean Attribute:
LDAPServerMBean.Principal

Changes take effect after you redeploy the module or restart the server.

User Search Scope

Specifies how deep in the LDAP directory tree the Active Directory Authentication provider should search for users.

Valid values are subtree and onelevel.

MBean Attribute:
LDAPAuthenticatorMBean.UserSearchScope

Changes take effect after you redeploy the module or restart the server.

Dynamic Group Name Attribute

The attribute of a dynamic LDAP group object that specifies the name of the group.

MBean Attribute:
LDAPAuthenticatorMBean.DynamicGroupNameAttribute

Changes take effect after you redeploy the module or restart the server.

Use Retrieved User Name as Principal

Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal in the Subject.

MBean Attribute:
LDAPAuthenticatorMBean.UseRetrievedUserNameAsPrincipal

Changes take effect after you redeploy the module or restart the server.

Host

The host name or IP address of the Active Directory LDAP server.

MBean Attribute:
LDAPServerMBean.Host

Changes take effect after you redeploy the module or restart the server.

Credential

The credential (usually a password) used to connect to the Active Directory LDAP server.

If this password has not been set, WebLogic Server generates a password at startup, initializes the attribute, and saves the configuration to the config.xml file. If you want to connect to the embedded LDAP server using an external LDAP browser and the embedded LDAP administrator account (cn=Admin), change this attribute from the generated value.

MBean Attribute:
LDAPServerMBean.Credential

Changes take effect after you redeploy the module or restart the server.

Bind Anonymously On Referrals

By default, the Active Directory Authentication provider uses the same DN and password used to connect to the LDAP server when following referrals during a search. If you want to connect as an anonymous user, enable this attribute.

MBean Attribute:
LDAPServerMBean.BindAnonymouslyOnReferrals

Changes take effect after you redeploy the module or restart the server.
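
The following added example (not part of the original help page or of WebLogic Server) checks a provider configuration against constraints this page states: SSL use, credential re-use on referrals, unlimited timeouts, the port range, scope values, and the search level required for limited group searching. Keys are the MBean attribute names listed on this page; `audit_provider` and both sample configurations are hypothetical, with constructed values.

```python
# Added example: audit a provider configuration against constraints stated on this page.
# Keys are the page's MBean attribute names; the SAMPLE_* values are constructed.
VALID_SCOPES = {"subtree", "onelevel"}

def audit_provider(cfg):
    """Return a list of (attribute, finding) tuples for one configuration dict."""
    findings = []
    if cfg.get("SSLEnabled") is not True:
        findings.append(("SSLEnabled",
                         "connection to the LDAP server does not use SSL"))
    # Page: referrals are followed by default and re-use the same DN and password
    # unless Bind Anonymously On Referrals is enabled.
    if cfg.get("FollowReferrals", True) and not cfg.get("BindAnonymouslyOnReferrals", False):
        findings.append(("FollowReferrals",
                         "Principal DN and password are used on referred servers"))
    for attr, unit in (("ConnectTimeout", "seconds"), ("ResultsTimeLimit", "milliseconds")):
        if cfg.get(attr) == 0:
            findings.append((attr, "0 means no maximum time limit (" + unit + ")"))
    if "Port" in cfg and not 1 <= cfg["Port"] <= 65534:
        findings.append(("Port", "outside the documented range 1-65534"))
    for attr in ("UserSearchScope", "GroupSearchScope"):
        if attr in cfg and cfg[attr] not in VALID_SCOPES:
            findings.append((attr, "valid values are subtree and onelevel"))
    level = cfg.get("MaxGroupMembershipSearchLevel")
    if cfg.get("GroupMembershipSearching") == "limited" and (
            not isinstance(level, int) or level < 0):
        findings.append(("MaxGroupMembershipSearchLevel",
                         "must be 0 or a positive integer when searching is limited"))
    return findings

SAMPLE_WEAK = {          # constructed
    "SSLEnabled": False, "Port": 389, "FollowReferrals": True,
    "ConnectTimeout": 0, "ResultsTimeLimit": 0,
    "GroupSearchScope": "sub", "GroupMembershipSearching": "limited",
}
SAMPLE_HARDENED = {      # constructed
    "SSLEnabled": True, "Port": 636, "FollowReferrals": False,
    "ConnectTimeout": 10, "ResultsTimeLimit": 5000,
    "UserSearchScope": "subtree", "GroupSearchScope": "subtree",
    "GroupMembershipSearching": "limited", "MaxGroupMembershipSearchLevel": 1,
}

if __name__ == "__main__":
    for attribute, finding in audit_provider(SAMPLE_WEAK):
        print(attribute + ": " + finding)
```
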

Static Group DNs from Member DN Filter

An LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member.

MBean Attribute:
ActiveDirectoryAuthenticatorMBean.StaticGroupDNsfromMemberDNFilter

Changes take effect after you redeploy the module or restart the server.

Cache TTL

The time-to-live of the cache (in seconds) that is used with the Active Directory LDAP server.

MBean Attribute:
LDAPServerMBean.CacheTTL

Minimum value: 0

Changes take effect after you redeploy the module or restart the server.

Static Member DN Attribute

The attribute of the LDAP static group object that specifies the distinguished names (DNs) of the members of the group.

MBean Attribute:
ActiveDirectoryAuthenticatorMBean.StaticMemberDNAttribute

Changes take effect after you redeploy the module or restart the server.

All Users Filter

If the attribute (user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.

MBean Attribute:
LDAPAuthenticatorMBean.AllUsersFilter

Changes take effect after you redeploy the module or restart the server.

Use Token Groups For Group Membership Lookup

Indicates whether to use the Active Directory TokenGroups attribute lookup algorithm instead of the standard recursive group membership lookup algorithm.

To use this attribute, your Active Directory server must be running in Native Mode and you must have implemented security groups in Active Directory.

MBean Attribute:
ActiveDirectoryAuthenticatorMBean.UseTokenGroupsForGroupMembershipLookup

Changes take effect after you redeploy the module or restart the server.

Cache Size

The size of the cache (in kilobytes) that is used with the Active Directory LDAP server.

MBean Attribute:
LDAPServerMBean.CacheSize

Minimum value: 0

Changes take effect after you redeploy the module or restart the server.

User From Name Filter

If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.

MBean Attribute:
ActiveDirectoryAuthenticatorMBean.UserFromNameFilter

Changes take effect after you redeploy the module or restart the server.

Cache Enabled

Specifies whether a cache is used with the Active Directory LDAP server.

This is a cache of the LDAP requests.

MBean Attribute:
LDAPServerMBean.CacheEnabled

Changes take effect after you redeploy the module or restart the server.

Group From Name Filter

LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.

MBean Attribute:
ActiveDirectoryAuthenticatorMBean.GroupFromNameFilter

Changes take effect after you redeploy the module or restart the server.

Group Membership Searching

Specifies whether group searches into nested groups are unlimited or limited. Valid values are unlimited and limited.

For configurations that use only the first level of nested group hierarchy, this attribute allows improved performance during user searches by limiting the search to the first level of the group. If a limited search is specified, the Max Group Membership Search Level attribute must be specified. If an unlimited search is specified, the Max Group Membership Search Level attribute is ignored.

Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They will apply in management operations.

MBean Attribute:
LDAPAuthenticatorMBean.GroupMembershipSearching

Changes take effect after you redeploy the module or restart the server.

Max Group Membership Search Level

Specifies how many levels of group membership can be searched. This setting is valid only if GroupMembershipSearching is set to limited. Valid values are 0 and positive integers. For example, 0 indicates only direct group memberships will be found, and a positive number indicates the number of levels to search.

Possible values are:

0 - Indicates only direct groups will be found. That is, when searching for membership in Group A, only direct members of Group A will be found. If Group B is a member of Group A, the members will not be found by this search.

Any positive number - Indicates the number of levels to search. For example, if this attribute is set to 1, a search for membership in Group A will return direct members of Group A. If Group B is a member of Group A, the members of Group B will also be found by this search. However, if Group C is a member of Group B, the members of Group C will not be found by this search.

Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They will apply in management operations.

MBean Attribute:
LDAPAuthenticatorMBean.MaxGroupMembershipSearchLevel

Changes take effect after you redeploy the module or restart the server.
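
The level semantics described for Group Membership Searching and Max Group Membership Search Level can be modelled as a depth-limited walk over nested groups. This is an added example, not WebLogic Server code and not part of the original help page; the directory contents, DNs and function names are hypothetical, and the sample includes a membership cycle to show why already-expanded groups must be skipped.

```python
from collections import deque

# Constructed sample directory (not from the page): group -> direct members.
# Mirrors the Group A / B / C illustration; C also nests A to form a cycle.
DIRECTORY = {
    "cn=GroupA": ["cn=alice", "cn=GroupB"],
    "cn=GroupB": ["cn=bob", "cn=GroupC"],
    "cn=GroupC": ["cn=carol", "cn=GroupA"],
}

def members_of(group, directory, max_level=None):
    """Users found when searching for membership in `group`.

    max_level=None models GroupMembershipSearching=unlimited; an integer
    models 'limited' with that Max Group Membership Search Level.
    """
    users, seen = set(), {group}
    queue = deque([(group, 0)])          # (group DN, nesting level)
    while queue:
        current, level = queue.popleft()
        for member in directory.get(current, []):
            if member not in directory:  # not a group: count it as a user
                users.add(member)
            elif member in seen:         # already expanded: breaks cycles
                continue
            elif max_level is None or level < max_level:
                seen.add(member)
                queue.append((member, level + 1))
    return users

def membership_delta(group, directory, old_level, new_level):
    """Users who gain and who lose membership when the level changes."""
    before = members_of(group, directory, old_level)
    after = members_of(group, directory, new_level)
    return sorted(after - before), sorted(before - after)

if __name__ == "__main__":
    for level in (0, 1, None):
        print(level, sorted(members_of("cn=GroupA", DIRECTORY, level)))
    print(membership_delta("cn=GroupA", DIRECTORY, None, 0))
```

Running `membership_delta` before changing the level shows which users would stop (or start) matching a group that a role or policy depends on.
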
