Administration Console Online Help
Active Directory Authentication Provider --> Details
Overview
This page has additional attributes for the Active Directory Authentication provider.
- Use Token Groups for Group Membership Lookup—Indicates whether to use the Active Directory TokenGroups attribute lookup algorithm instead of the standard recursive group membership lookup algorithm. The Active Directory TokenGroups attribute holds the entire flattened group membership of a user as an array of SID values. The SID values are specially indexed in the Active Directory LDAP server and yield extremely fast lookup response. By default, this attribute is not enabled.
Note: Access to the TokenGroups attribute is required. That is, the user whose credentials the provider uses to bind to the LDAP directory must have privileges to read the TokenGroups attribute, and the TokenGroups attribute must be in the schema for user objects. TokenGroups is a constructed attribute: Active Directory computes it on demand and returns it only when it is requested explicitly in a base-scope search of the user's own object, so an account that can search and read ordinary user attributes may still be unable to read it.
- Enable SID to Group Lookup Caching—Indicates whether SID to group name lookup results are cached. This attribute applies only if the Use Token Groups for Group Membership Lookup attribute is enabled.
- Max SID To Group Lookups In Cache—The maximum size of the Least Recently Used (LRU) cache for holding SID to group lookups. This attribute applies only if both the Use Token Groups for Group Membership Lookup and Enable SID to Group Lookup Caching attributes are enabled.
The approximate memory utilization for each entry in the cache is as follows:
- SID—These entries are generally 28 bytes in length, the binary size of a domain SID with five sub-authorities (8 bytes of header plus 4 bytes per sub-authority).
- groupName—This entry is the size of the group name; budget for the longest group names in the directory.
- Group Membership Searching—Controls whether group searches are limited in depth or unlimited. This attribute controls how deeply a search recurses into nested groups. For configurations that use only the first level of the nested group hierarchy, this attribute improves performance during user searches by limiting the search to the first level of the group.
- If a limited search is specified, the Max Group Membership Search Level attribute must be specified.
- If an unlimited search is specified, the Max Group Membership Search Level attribute is ignored.
- Max Group Membership Search Level—Controls the depth of a group membership search if the Group Membership Searching attribute is set to limited. Possible values are:
- 0—Indicates only direct groups will be found. That is, when searching for membership in Group A, only direct members of Group A will be found. If Group B is a member of Group A, the members of Group B will not be found by this search.
- Any positive number—Indicates the number of levels to search. For example, if this attribute is set to 1, a search for membership in Group A will return direct members of Group A. If Group B is a member of Group A, the members of Group B will also be found by this search. However, if Group C is a member of Group B, the members of Group C will not be found by this search.
- Use Retrieved User Name as Principal—Specifies that the user name retrieved from the LDAP directory should be added as the principal instead of the username supplied for authentication.
- Enable Group Membership Lookup Hierarchy Caching—Indicates whether group membership hierarchies found during recursive membership lookup are cached. Each subtree found will be cached. The cache holds the groups of which a group is a member. This attribute applies only to the recursive lookup algorithm, that is, when the Group Membership Searching attribute is set to limited. The default is false.
- Max Group Hierarchies in Cache—The maximum size of the LRU cache that holds group membership hierarchies. This attribute only applies if the Enable Group Membership Lookup Hierarchy Caching attribute is enabled.
The approximate memory utilization for each entry in the cache is as follows:
- groupName—This entry is the size of the biggest group names.
- Groups—This entry contains the flattened group membership for a particular group. For example, if a group flattens to 300 groups, there will be 300 group names in this entry. In the case where a group is not a member of any other group, this entry has no value.
- Group Hierarchy Cache TTL—The number of seconds cached entries stay in the cache. The default is 60 seconds.
- Follow Referrals—Specifies that a search for a user or group within the Active Directory Authentication provider will follow referrals to other LDAP servers or branches within the LDAP directory. By default, this attribute is enabled.
- Bind Anonymously On Referrals—By default, when following referrals during a search, the Active Directory Authentication provider binds to the referred-to server with the same DN and password it uses to connect to the primary LDAP server. If you want to follow referrals as an anonymous user instead, enable this attribute. Contact your LDAP system administrator for more information.
- Results Time Limit—The maximum number of milliseconds the LDAP server waits for results before timing out. If this attribute is set to 0, there is no maximum time limit. The default is 0.
- Connect Timeout—The maximum time in seconds to wait for the connection to the LDAP server to be established. If this attribute is set to 0, there is no maximum time limit. The default is 0.
- Parallel Connect Delay—The delay in seconds between concurrent connection attempts to multiple LDAP servers. If this attribute is set to 0, connection attempts are serialized: an attempt is made to connect to the first server in the list, and the next entry in the list is tried only if the attempt to connect to the current host fails. If this attribute is not set and an LDAP server is unavailable, an application may be blocked for a long time. If this attribute is greater than 0, another connection attempt is started after the specified time.
- Connection Retry Limit—Specifies the number of times the server retries establishing a connection if the LDAP server throws an exception while creating an LDAP connection.
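The following example is added here to illustrate the two lookup strategies described above; it is not part of the WebLogic documentation or product code. On a constructed toy directory (all users, group names and SIDs are made up) it walks memberOf links with the Max Group Membership Search Level semantics (0 = direct groups only, N = N levels of nesting, unlimited otherwise), resolves a TokenGroups-style array of binary SIDs back to group names (the per-SID step that the SID to group lookup cache memoizes), and encodes textual SIDs into the binary layout Active Directory stores, which is where the "generally 28 bytes" per cached SID comes from. The TokenGroups values are derived locally from the unlimited walk because there is no directory to query; a real server computes them.

```python
"""Added example (not from the WebLogic documentation): recursive vs. TokenGroups
group membership lookup on a constructed directory, plus SID binary encoding."""
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Textual SID (S-R-A-S1-...-Sn) to binary: revision (1 byte), sub-authority
    count (1 byte), identifier authority (6 bytes, big-endian), then each
    sub-authority as a little-endian uint32. Length is 8 + 4*n bytes."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError(f"too many sub-authorities in {sid!r}")
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, validating the declared length."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

# Constructed directory. MEMBER_OF: group -> groups it is directly a member of.
# Group B is a member of Group A and Group C of Group B, as in the page's
# example; Ops and Admins are deliberately nested in a circle.
MEMBER_OF = {
    "Group C": {"Group B"}, "Group B": {"Group A"}, "Group A": set(),
    "Ops": {"Admins"}, "Admins": {"Ops"},
}
DIRECT_GROUPS = {"alice": {"Group C"}, "bob": {"Ops"}}
DOMAIN = "S-1-5-21-3623811015-3361044348-30300820"   # made-up domain SID
GROUP_SIDS = {
    "Group A": DOMAIN + "-1101", "Group B": DOMAIN + "-1102",
    "Group C": DOMAIN + "-1103", "Ops": DOMAIN + "-1104", "Admins": DOMAIN + "-1105",
}
SID_TO_GROUP = {sid_to_bytes(s): g for g, s in GROUP_SIDS.items()}

def recursive_lookup(user, max_level=None):
    """Breadth-first walk of memberOf links from the user's direct groups.
    max_level=None is the page's 'unlimited' setting; 0 yields only direct groups;
    N adds groups reached through N levels of nesting. Groups already found are
    not expanded again, so circular nesting terminates."""
    found = set(DIRECT_GROUPS.get(user, set()))
    frontier, level = set(found), 0
    while frontier and (max_level is None or level < max_level):
        nxt = set()
        for g in frontier:
            nxt |= MEMBER_OF.get(g, set())
        nxt -= found
        found |= nxt
        frontier, level = nxt, level + 1
    return found

def token_groups_for(user):
    """Stand-in for reading the constructed tokenGroups attribute on the user
    object: the flattened membership as binary SIDs. Derived here from the
    unlimited walk (a real directory computes it server-side), plus the
    well-known Authenticated Users SID that AD includes as well."""
    sids = [sid_to_bytes(GROUP_SIDS[g]) for g in sorted(recursive_lookup(user))]
    return sids + [sid_to_bytes("S-1-5-11")]

def token_groups_lookup(user):
    """Resolve each tokenGroups SID to a group name (the step the SID to group
    lookup cache memoizes). SIDs with no matching group are kept as text rather
    than silently dropped, so the caller can see what did not resolve."""
    return {SID_TO_GROUP.get(raw, bytes_to_sid(raw)) for raw in token_groups_for(user)}

if __name__ == "__main__":
    for level in (0, 1, 2, None):
        print("alice, max level", level, "->", sorted(recursive_lookup("alice", level)))
    print("alice via tokenGroups ->", sorted(token_groups_lookup("alice")))
    print("bob (circular nesting) ->", sorted(recursive_lookup("bob")))
    print("domain group SID is", len(sid_to_bytes(GROUP_SIDS["Group A"])), "bytes")
```

With level 0 alice resolves to Group C only, with level 1 to Group C and Group B, and with level 2 or unlimited to all three, which matches the TokenGroups result once the well-known SID is set aside. The visited check in recursive_lookup is what keeps an unlimited search from looping on circular nesting such as Ops and Admins.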
Tasks
Configuring an LDAP Authentication Provider
Related Topics
Introduction to WebLogic Security
Managing WebLogic Security
Securing WebLogic Resources
Programming WebLogic Security
Developing Security Providers for WebLogic Server
Securing a Production Environment
The Security topics in the WebLogic Server 8.1 Upgrade Guide
Security FAQ
The Security page in the WebLogic Server documentation