LDAP Security Fundamentals

There are three components for LDAP security:

  • LDAP security objects

  • The LDAP Tree Structure

  • The Distinguished Name

LDAP Security Objects

The LDAP objects used for authentication are as follows:

  • Organizational Unit (OU): objectClass organizationalUnit (OU)

    An Organizational Unit object is similar to a Windows directory. For LDAP, it typically holds either Group objects or User objects.

  • Group (CN): objectClass group (CN) [also posixGroup]

    In the same way an Organizational Unit is similar to a directory, a Group object is similar to a file. The Group object contains a member attribute that is a list of Distinguished Names that define the users in that group.

  • User (CN): objectClass user (CN) [also organizationalPerson]

    Also similar to a file, the User object describes a single person within the LDAP structure. Unlike a Group, a User does not contain a list. Instead, its attributes describe a user in as much detail as necessary.

LDAP Tree Structure

The structure of LDAP entries matches the familiar tree structure for directories and files found in both UNIX and Windows. When you configure the Base Group and Principal during Weblogic server configuration, it is critical that you use the tree structure to build the object's Distinguished Name.

LDAP Distinguished Name

The Distinguished Name is a value associated with each LDAP object to distinguish it from all of the other objects. This value is based on the tree structure described above. To build a Distinguished Name you basically work your way from the object you are naming to the top of the tree, so the Distinguished Name for user John Doe might be:

CN=johndoe,OU=Users,OU=VSMGUI,DC=yourfirm,DC=com

The object type is normally upper-case in the DN, but lower-case is also valid. For the name of the object, the case needs to exactly match the case of the actual name. In addition, there should be no spaces between the commas and the object types. The only spaces that should exist in a DN are those that exist in the name of the object; therefore the DN for the VSM Admins might be:

CN=VSM Admins,OU=Groups,OU=VSMGUI,DC=yourfirm,DC=com

There is a restriction in Weblogic concerning valid DNs. Certain characters that can potentially be added to a DN are not allowed by the Weblogic server. These characters are Comma (,), Plus Sign (+), Quotes ("), Backslash (\), Angle Brackets (< and >), and Semicolon (;).

Of these, the most common is the comma, especially if the user name is of the form Smith, John. This usually happens in Active Directory, although any DN can have one of these characters. This is important because one of the users is always set up as the Principal, the user that allows access to the LDAP Server. If your DNs contain any of these characters, then the Principal must be added as a special user with a different corresponding DN.
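As an added example (not part of this documentation), a small Python helper that builds a DN from its components and checks a DN string against the formatting and character rules described above. The sample names and the check logic are constructed here; the restricted-character set is the one listed for Weblogic in the previous paragraphs.

```python
# Characters that Weblogic rejects inside a DN value (from the list above).
WEBLOGIC_RESTRICTED = set(',+"\\<>;')
# Object types used in the DNs on this page.
KNOWN_TYPES = {"CN", "OU", "DC"}


def build_dn(*rdns):
    """Join (type, name) pairs, leaf first, into a DN with no spaces after commas."""
    return ",".join(f"{t.upper()}={name}" for t, name in rdns)


def restricted_chars(name):
    """Return the Weblogic-restricted characters present in an object name.

    A non-empty result for the Principal's name means the Principal must be
    set up as a special user with a different DN, as described above.
    """
    return sorted(WEBLOGIC_RESTRICTED & set(name))


def check_dn(dn):
    """Return a list of problems found in a DN string (empty list means OK)."""
    problems = []
    for part in dn.split(","):
        if part != part.strip():
            problems.append(f"whitespace around component: {part!r}")
        if "=" not in part:
            # Either a typo (e.g. OU-Groups) or a comma inside a name.
            problems.append(f"component is not type=name: {part!r}")
            continue
        obj_type, name = part.split("=", 1)
        if obj_type.strip().upper() not in KNOWN_TYPES:
            problems.append(f"unexpected object type: {obj_type!r}")
        bad = restricted_chars(name)
        if bad:
            problems.append(f"restricted characters {bad} in name {name!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values mirroring the DNs on this page.
    dn = build_dn(("CN", "johndoe"), ("OU", "Users"), ("OU", "VSMGUI"),
                  ("DC", "yourfirm"), ("DC", "com"))
    print(dn, check_dn(dn))
    print(check_dn("CN=johndoe, OU=Users,DC=yourfirm,DC=com"))
    print(restricted_chars("Smith, John"))
```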

Notes:

  • Based on the customer environment, it is likely that the default configuration described above will not fit into the LDAP layout scheme defined for different organizations. For example, group information may be in a completely separate sub-tree, so that Groups may exist in a directory where groups are defined and may be named VSMGUI Groups. The Users might be in a completely separate sub-tree and be named VSMGUI Users. The Organizational Unit VSMGUI may not need to be defined at all. These changes in location will create a different DN for the fields in the Weblogic Configuration, and will have to be set accordingly.

  • There are two separate ways to set up the users. Typically you will want to add the names of users that already exist to a new Organizational Unit, and make that the User Base Directory. If you prefer, you can also set the User Base Directory to any container-type LDAP object, making all users that are members of that group available to use VSM GUI.

  • Setting up the values in the LDAP server will typically require a person that has security access to the LDAP server. If you are setting up a new server, you should be able to access the LDAP server as an administrator.

  • Pay particular attention to the DN values (Principal, User Base DN, and Group Base DN), and ensure that the Name Filter values correctly define the Attribute and Object Class values. Everything must align perfectly with the Active Directory values in order for authentication to properly work.