Securing WebLogic Server

     Previous  Next    Open TOC in new window  Open Index in new window  View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Managing the Embedded LDAP Server

WebLogic Server includes an embedded LDAP server that acts as the default security provider data store for the WebLogic Authentication, Authorization, Credential Mapping, and Role Mapping providers.The following sections explain how to manage the embedded LDAP server:

 


Configuring the Embedded LDAP Server

The embedded LDAP server contains user, group, group membership, security role, security policy, and credential map information. By default, each WebLogic Server domain has an embedded LDAP server configured with the default values set for each type of information. The WebLogic Authentication, Authorization, Credential Mapping, and Role Mapping providers use the embedded LDAP server as their data store. If you use any of these providers in a new security realm, you may want to change the default values for the embedded LDAP server to optimize its use in your environment.

Note: The performance of the embedded LDAP server is best with fewer than 50,000 users. If you have more users, consider using a different LDAP server and Authentication provider.

See Configure the embedded LDAP server in the Administration Console online help.

The data file and change log file used by the embedded LDAP server can potentially grow quite large. You can configure maximum sizes for these files with the following weblogic.Server command line arguments:

 


Embedded LDAP Server Replication

The WebLogic Server embedded LDAP server for a domain consists of a master LDAP server, maintained in the domain’s Administration Server, and a replicated LDAP server maintained in each Managed Server in the domain. When changes are made using a Managed Server, updates are sent to the embedded LDAP server on the Administration Server. The embedded LDAP server on the Administration Server maintains a log of all changes. The embedded LDAP server on the Administration Server also maintains a list of Managed Servers and the current change status for each one. The embedded LDAP server on the Administration Server sends appropriate changes to each Managed Server and updates the change status for each server. This process occurs when an update is made to the embedded LDAP server on the Administration Server. However, depending on the number of updates, it may take several seconds or more for the change to be replicated to the Managed Server.

You can configure the behavior of the embedded LDAP server on the Administration Server and the Managed Servers in a domain using the Administration Console. On the Domain: Security: Embedded LDAP Server page in the Administration Console, you can set these attributes:

See Configure the embedded LDAP server in the Administration Console online help.

Note: Deleting and modifying the configured security providers through the WebLogic Administration Console may require manual clean up of the embedded LDAP server. Use an external LDAP browser to delete unnecessary information.

 


Viewing the Contents of the Embedded LDAP Server from an LDAP Browser

To view the contents of the embedded LDAP server through an LDAP browser:

  1. Download and install an external LDAP browser. You can find one LDAP browser at the following location:
  2. http://www-unix.mcs.anl.gov/~gawor/ldap/

    In this procedure it is assumed that you are using this LDAP browser; other LDAP browsers may differ in detail.

  3. In the WebLogic Server Administration Console, change the credential for the embedded LDAP server:
    1. Expand Domain > Security > Embedded LDAP.
    2. In the Credential field, enter the new credential.
    3. In the Confirm Credential field, enter the new credential again.
    4. Click Save.
    5. Reboot WebLogic Server.
Caution: Changing the credential can affect the operation of the domain. Do not perform this step on a production server.
  1. Start the LDAP browser. To start the LDAP Browser/Editor mentioned in step 1, use this command:
  2. lbe.sh

  3. In the LDAP browser, configure a new connection in the LDAP browser:
    1. Select the QuickConnect tab.
    2. Set the host field to localhost.
    3. Set the port field to 7001 (7002 if SSL is being used).
    4. Set the Base DN field to dc=mydomain where mydomain is the name of the WebLogic Server domain you are using.
    5. Uncheck the Anonymous Bind option.
    6. Set the User DN field to cn=Admin.
    7. Set the Password field to the credential you specified in Step 2.
  4. Click the new connection.
  5. Use the LDAP browser to navigate the hierarchy of the embedded LDAP server.

Note: You can also view the contents of the embedded LDAP server by exporting its data and reviewing the exported file. See Exporting and Importing Information in the Embedded LDAP Server.

 


Exporting and Importing Information in the Embedded LDAP Server

You can export and import data from the embedded LDAP server using either the WebLogic Server Administration Console or an LDAP browser. To export and import data with the Console, use the Migration page of each security provider. See Export data from a security provider and Import data into a security provider in the Administration Console online help.

WARNING: When you use the Administration Console Migration tab to export security data, the export process deletes any existing files in the target directory with the .dat extension. Always export security data to an empty directory.

This section describes how to use an LDAP browser to export and import data stored in the embedded LDAP server. Table 9-1 summarizes where data is stored in the hierarchy of the embedded LDAP server.

Table 9-1 Location of Security Data in the Embedded LDAP Server
Security Data
Embedded LDAP Server DN
Users
ou=people,ou=myrealm,dc=mydomain
Groups
ou=groups,ou=myrealm,dc=mydomain
Security roles
ou=ERole,ou=myrealm,dc=mydomain
Security policies
ou=EResource,ou=myrealm,dc=mydomain

To export security data from the embedded LDAP server using the LDAP Browser/Editor:

  1. Enter the following command at a command prompt to start the LDAP Browser/Editor:
  2. lbe.sh

  3. Specify the data to be exported (for example, to export users specify ou=people,ou=myrealm,dc=mydomain).
  4. Select the LDIF > Export option.
  5. Select Export all children.
  6. Specify the name of the file into which the data will be exported.

To import security data into the embedded LDAP server using the LDAP Browser/Editor:

  1. Enter the following command at a command prompt to start the LDAP browser:
  2. lbe.sh

  3. Specify the data to be imported (for example, to import users, specify ou=people,ou=myrealm,dc=mydomain).
  4. In the LDAP Browser/Editor, select the LDIF > Import option.
  5. Select Update/Add.
  6. Specify the name of the file from which the data will be imported.

 


LDAP Access Control Syntax

The embedded LDAP server supports the IETF LDAP Access Control Model for LDAPv3. This section describes how that access control is implemented within the embedded LDAP server. You can apply these rules directly to entries within the directory as intended by the standard or you can configure and maintain them by editing the access control file (acls.prop).

Note: The default behavior of the embedded LDAP server is to allow access only from the Admin account in WebLogic Server. The WebLogic security providers use only the Admin account to access the embedded LDAP server. If you are not planning to access the embedded LDAP server from an external LDAP browser or if you are planning only to use the Admin account, you do not need to edit the acls.prop file and can ignore the information in this section.

The Access Control File

The access control file (acls.prop) maintained by the embedded LDAP server contains the complete list of access control lists (ACLs) for an entire LDAP directory. Each line in the access control file contains a single access control rule. An access control rule is made up of the following components:

Listing 9-1 shows a sample access control file.

Listing 9-1 Sample acl.props File
[root]|entry#grant:r,b,t#[all]#public
ou=Employees,dc=octetstring,dc=com|subtree#grant:r,c#[all]#public:
ou=Employees,dc=octetstring,dc=com|subtree#grant:b,t#[entry]#public:
ou=Employees,dc=octetstring,dc=com|subtree#deny:r,c#userpassword#public:
ou=Employees,dc=octetstring,dc=com|subtree#grant:r#userpassword#this:
ou=Employees,dc=octetstring,dc=com|subtree#grant:w,o#userpassword,title
,
description,
postaladdress,telephonenumber#this:
cn=schema|entry#grant:r#[all]#public:

Access Control Location

Each access control rule is applied to a given location in the LDAP directory. The location is normally a distinguished name (DN) but the special location [root] can be specified in the acls.prop file if the access control rule applies to the entire directory.

If an entry being accessed or modified on the LDAP server does not equal or reside below the location of the access control rule, the given access control rule is not evaluated further.

Access Control Scope

The following access control scopes are defined:

If an entry in the directory is covered by conflicting access control rules (for example, where one rule is an Entry rule and the other is a Subtree rule), the Entry rule takes precedence over rules that apply because of the Subtree rule.

Access Rights

Access rights apply to an entire object or to attributes of the object. Access can be granted or denied. Either of the actions grant or deny may be used when you create or update the access control rule.

Each LDAP access right is discrete. One right does not imply another right. The rights specify the type of LDAP operations that can be performed.

Attribute Permissions

The following permissions apply to actions involving attributes.

Table 9-2 Attribute Permissions
Permission
Description
r Read
Read attributes. If granted, permits attributes and values to be returned in a Read or Search operation.
w Write
Modify or add attributes. If granted, permits attributes and values to be added in a Modify operation.
o Obliterate
Modify and delete attributes. If granted, permits attributes and values to be deleted in a Modify operation.
s Search
Search entries with specified attributes. If granted, permits attributes and values to be included in a Search operation.
c Compare
Compare attribute values. If granted, permits attributes and values to be included in a Compare operation.
m Make
Make attributes on a new LDAP entry below this entry.

The m permission is required for all attributes placed on an object when it is created. Just as the w and o permissions are used in the Modify operation, the m permission is used in the Add operation. The w and o permissions have no bearing on the Add operation and m has no bearing on the Modify operation. Since a new object does not yet exist, the a and m permissions needed to create it must be granted to the parent of the new object. This requirement differs from w and o permissions which must be granted on the object being modified. The m permission is distinct and separate from the w and o permissions so that there is no conflict between the permissions needed to add new children to an entry and the permissions needed to modify existing children of the same entry. In order to replace values with the Modify operation, a user must have both the w and o permissions.

Entry Permissions

The following permissions apply to entire LDAP entries.

Table 9-3 Entry Permissions
Permission
Description
a Add
Add an entry below this LDAP entry. If granted, permits creation of an entry in the DIT subject to control on all attributes and values placed on the new entry at the time of creation. In order to add an entry, permission must also be granted to add at least the mandatory attributes.
d Delete
Delete this entry. If granted, permits the entry to be removed from the DIT regardless of controls on attributes within the entry.
e Export
Export entry and all subentries to new location.
If granted, permits an entry and its subentries (if any) to be exported; that is, removed from the current location and placed in a new location subject to the granting of suitable permission at the destination.
If the last RDN is changed, Rename permission is also required at the current location.
In order to export an entry or its subentries, there are no prerequisite permissions to the contained attributes, including the RDN attribute. This is true even when the operation causes new attribute values to be added or removed as the result of the changes to the RDN.
i Import
Import entry and subentries from specified location.
If granted, permits an entry and its subentries (if any) to be imported; that is, removed from one location and placed at the specified location (if suitable permissions for the new location are granted).
When you import an entry or its subentries, the contained attributes, including the RDN attributes, have no prerequisite permissions. This is true even when the operation causes new attribute values to be added or removed as the result of the changes to RDN.
n RenameDN
Change the DN of an LDAP entry. Granting the Rename permission is necessary for an entry to be renamed with a new RDN, taking into account consequential changes to the DN of subentries. If the name of the superior entry is unchanged, the grant is sufficient.
When you rename an entry, there are no prerequisite permissions for the contained attributes, including the RDN attributes. This is true even when the operation causes new attribute values to be added or removed as the result of the changes of RDN.
b BrowseDN
Browse the DN of an entry. If granted, this permission permits entries to be accessed using directory operations that do not explicitly provide the name of the entry.
t ReturnDN
Allows DN of entry to be disclosed in an operation result. If granted, this permission allows the distinguished name of the entry to be disclosed in the operation result.

Attributes Types

The attribute types to which an access control rule applies should be listed in the ACL where necessary. The following keywords are available:

If the keyword [all] and another attribute are both specified within an ACL, the more specific permission for the attribute overrides the less specific permission specified by the [all] keyword.

Subject Types

Access control rules can be associated with a number of subject types. The subject of an access control rule determines whether the access control rule applies to the currently connected session.

The following subject types are defined:

Grant/Deny Evaluation Rules

The decision whether to grant or deny a client access to the information in an entry is based on many factors related to the access control rules and the entry being protected. Throughout the decision making process, these guiding principles apply:


  Back to Top       Previous  Next