Skip Headers
Oracle® Retail Integration Bus Implementation Guide
Release 14.1
E57321-01
  Go To Table Of Contents
Contents

Previous
Previous
 
 

A External LDAP Configuration

WebLogic ships with a default internal Light-weight Directory Access Protocol (LDAP) authentication provider. In an environment where a couple of domains exist, an administrator can set up users and groups in an internal LDAP provider and use these parameters during login and authentication. Alternatively, in an environment that contains multiple domains, managing/maintaining users and groups can be a difficult task. Oracle recommends that you use a centralized LDAP server to manage/maintain the users and groups. This chapter describes the steps you should take to configure the Oracle Internet Directory (OID) and the Active Directory (AD) LDAP based authentication provider in WebLogic.

Introducing the Oracle Internet Directory (OID)

An online directory is a specialized database that stores and retrieves collections of information about objects. The information can represent any resources that require management, for example:

  • Employee names, titles, and security credentials

  • Information about partners

  • Information about shared resources such as conference rooms and printers

The information in the directory is available to different clients, such as single sign-on solutions, e-mail clients, and database applications. Clients communicate with a directory server by means of the LDAP. The Oracle Internet Directory is an LDAP directory that uses an Oracle database for storage.

Introducing the Microsoft Active Directory (AD)

An Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Active Directory is a special-purpose database — it is not a registry replacement. The directory is designed to handle a large number of read and search operations and a significantly smaller number of changes and updates. Active Directory data is hierarchical, replicated, and extensible. Because it is replicated, you do not want to store dynamic data, such as corporate stock prices or CPU performance.In Windows 2000, Active Directory has three partitions. These are also known as naming contexts: do-main, schema, and configuration. The domain partition contains users, groups, contacts, computers, organizational units, and many other object types. Because Active Directory is extensible, you can also add your own classes and/or attributes. The schema partition contains classes and attributes definitions. The configuration partition includes configuration data for services, partitions, and sites.

Architecture Overview

The architecture diagram describes the configuration of an OID and AD LDAP-based authentication provider used by applications deployed in an WebLogic server environment.

The diagram displays a sample environment and consists of the following:

  • The WebLogic Server running on port 7001

  • The WebLogic Administration Console used to configure authentication providers

  • The WebLogic Embedded LDAP server with a control flag setting of SUFFICIENT

  • An OID LDAP-based identity store running on port 3060 with a control flag setting of SUFFI-CIENT

  • The WebLogic config.xml that stores the authentication provider configuration

By default, the WebLogic server uses a security realm with the name ”myrealm” that uses an embedded LDAP server (two default users WebLogic & OracleSystemUser) that acts as data store for Authentication, Authorization, Credential Mapping and Role Mapping Provider.

Configuring the Oracle Internet Directory (OID) as an Authentication Provider in WebLogic

To configure the OID as an authentication provider in WebLogic, take the following steps:

  1. Login to WebLogic Console -> Security Realm -> myrealm.

  2. Select tab Providers -> Authentication -> Default Provider (DefaultAuthenticator).
    Change the Control Flag (JAAS Flag) parameter from REQUIRED to SUFFICIENT and click Save.

  3. Click New to add a new Authentication Provider.

  4. Enter OIDAuthentication as the Name of the new provider. Select OracleInternetDirectoryAuthenticator as Type and then click OK.

  5. Change the Control Flag to SUFFICIENT for the OIDAuthentication Provider added and click Save.

  6. Select the Provider Specific tab and enter your OID server details.

    1. The first section contains the Connection settings for the OID server. Use the appropriate values based on where the OID is hosted and the credentials:

      Name Value Purpose
      Host: server.example.com The OID host name
      Port: 3060 The standard OID listening port
      Principal: cn=orcladmin,cn=Users,dc=idc,dc=oracle,dc=com The LDAP user that logs into OID on behalf of your authentication provider
      Credentials:
      Password for the principal user
      Confirm Credentials:
      Confirmation of the password
      SSL Enabled: Unchecked Enables or disables SSL connectivity


    2. The second section contains the Users settings for the OID provider. Use appropriate values:

      Name Value Purpose
      User Base DN: cn=Users,dc=idc,dc=oracle,dc=com The root (base DN) of the LDAP tree where searches are performed for user data
      All Users Filter: (&(cn=*)(objectclass=person)) -- Leave as default The LDAP search filter that is used to show all the users below the User Base DN
      User From Name Filter: (&(cn=%u)(objectclass=person)) -- Leave as default The LDAP search filter used to find the LDAP user by name
      User Search Scope: Leave as default Specifies how deep in the LDAP tree to search for users
      User Name Attribute: Leave as default The attribute of the LDAP user that specifies the user name
      User Object Class: Leave as default The LDAP object class that stores users
      Use Retrieved User Name as Principal: Checked Specifies if the user name retrieved from the LDAP directory will be used as the Principal in the Subject


    3. The third section contains the Groups settings for the OID provider. Use appropriate values:

      Name Value Purpose
      Group Base DN: cn=Groups,dc=idc,dc=oracle,dc=com The root (base DN) of the LDAP tree where searches are per-formed for group data
      All Groups Filter: (&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup))) -- Leave as default The LDAP search filter that is used to show all the groups below the Group Base DN
      Group From Name Filter: (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup))) -- Leave as default The LDAP search filter used to find the LDAP group by name
      Group Search Scope: Leave as default Specifies how deep in the LDAP tree to search for groups
      Group Member-ship Searching: Leave as default Specifies whether group searches into nested groups are limited or unlimited
      Max Group Member-ship Search Level: Leave as default Specifies how many levels of group membership can be searched. This setting is only valid if GroupMembershipSearching is set to limited
      Ignore Duplicate Membership: Unchecked Determines whether duplicates members are ignored when adding groups.


    4. Click Save.

  7. Click Reorder to change the order of your configured authentication providers. In order to ensure that the new OID authenticator is recognized as authentication provider, you must reorder your list of authentication providers so that the OID authentication provider is first in the list.


  8. Select the OIDAuthentication and use the arrows on the right to move it into the first position. Click OK.

Verifying the Oracle Internet Directory (OID) Configuration

To verify the OID configuration, take the following steps:

  1. Restart the WebLogic Server for your changes to take effect.

  2. Using the WebLogic Administration Console, select Security Realms > myrealm > Users and Groups tab. The Users sub-tab should be selected by default. The circled users are created in OID and can verify the Provider – OIDAuthentication provider.
    Click the Groups tab to see the list of groups the server can see. The highlighted groups are created in OID and can verify the Provider – OIDAuthentication provider.

Configuring Active Directory (AD) as an Authentication Provider in WebLogic

To configure the AD as an authentication provider in WebLogic, take the following steps:

  1. Login to WebLogic Console -> Security Realm -> myrealm.

  2. Select tab Providers -> Authentication -> Default Provider (DefaultAuthenticator).Change the Control Flag (JAAS Flag) from REQUIRED to SUFFICIENT and click Save.

  3. Click New to add a new Authentication Provider.Enter MSADAuthenticator as the Name. Select ActiveDirectoryAuthenticator as the Type and click OK.

  4. Change the Control Flag to SUFFICIENT for the MSADAuthenticator Provider added and click Save.
    Select Provider Specific tab and enter the Active Directory (AD) server details.

    1. The first section contains the Connection settings for the AD server. Use appropriate values based on where AD is hosted and the credentials:

      Name Value Purpose
      Host: server.example.com The AD host name
      Port: 389 The standard AD listening port
      Principal: cn=webadmin,cn=Users,dc=us,dc=oracle,dc=com The LDAP user that logs into AD on behalf of your authentication provider
      Credentials:
      Password for the principal user
      Confirm Credentials:
      Confirmation of the password
      SSL Enabled: Unchecked Enables or disables SSL connectivity


    2. The second section contains the Users settings for the AD provider. Use appropriate values:

      Name Value Purpose
      User Base DN: cn=Users,dc=us,dc=oracle,dc=com The root (base DN) of the LDAP tree where searches are performed for user data
      All Users Filter: (&(cn=*)(objectclass=person)) The LDAP search filter that is used to show all the users below the User Base DN
      User From Name Filter: (&(cn=%u)(objectclass=user)) The LDAP search filter used to find the LDAP user by name
      User Search Scope: Leave as default Specifies how deep in the LDAP tree to search for users
      User Name Attribute: Leave as default The attribute of the LDAP user that specifies the user name
      User Object Class: Leave as default The LDAP object class that stores users
      Use Retrieved User Name as Principal: Unchecked Specifies if the user name retrieved from the LDAP directory will be used as the Principal in the Subject


    3. The third section contains the Groups settings for the AD provider. Use appropriate values:

      Name Value Purpose
      Group Base DN: cn=Groups,dc=us,dc=oracle,dc=com The root (base DN) of the LDAP tree where searches are performed for group data
      All Groups Filter: (&(cn=*)(|(objectclass=group))) The LDAP search filter that is used to show all the groups below the Group Base DN
      Group From Name Filter: (&(cn=%g)(objectclass=group)) The LDAP search filter used to find the LDAP group by name
      Group Search Scope: Leave as default Specifies how deep in the LDAP tree to search for groups
      Group Member-ship Searching: Leave as default Specifies whether group searches into nested groups are limited or unlimited
      Max Group Membership Search Level: Leave as default Specifies how many levels of group membership can be searched. This setting is only valid if GroupMembershipSearching is set to limited
      Ignore Duplicate Membership: Unchecked Determines whether duplicates members are ignored when adding groups.


    4. Click Save.

  5. Click Reorder to change the order of your configured authentication providers. In order to ensure that MSAD authenticator is recognized as authentication provider, you must reorder your list of authentication providers so that the MSAD authentication provider is first in the list.
    Select the MSADAuthenticator and use the arrows on the right to move it into the first position. Click OK.

  6. Click Reorder to change the order of your configured authentication providers. In order to ensure that MSAD authenticator is recognized as authentication provider, you must reorder your list of authentication providers so that the MSAD authentication provider is first in the list.

  7. Select the MSADAuthenticator and use the arrows on the right to move it into the first position. Click OK.

Verifying the Active Directory (AD) Configuration

To verify the AD configuration, take the following steps:

  1. Restart the WebLogic Server for your changes to take effect.

  2. Using the WebLogic Administration Console, select Security Realms > myrealm > Users and Groups tab. The Users sub-tab should be selected by default. The circled users are created in AD and can verify the Provider – MSADAuthenticator provider.
    Click the Groups tab to see the list of groups the server can see. The highlighted groups are created in AD and can verify the Provider – MSADAuthenticator provider.