Define Provider-specific Information

Define provider-specific information for each external authentication provider you have added to the WebLogic Server active security realm.

  1. Make sure you have locked the active security realm from other users (see Lock the WebLogic Server Active Security Realm).
  2. Make sure you have gathered the necessary configuration information from the external authentication provider (see Prepare the External Authentication Provider for STA Authentication).
  3. In the Settings for myrealm control bar, select the Providers tab.
  4. In the Authentication Providers table, select the active link for the provider you want to configure.
    [Figure: External authentication provider link selected]
  5. In the control bar, select the Configuration tab, and then the Provider Specific tab.
    [Figure: Settings control bar with the Provider Specific tab selected]
  6. Complete the screen attributes using the values you gathered from the external authentication provider. These values must match the directory schema and other configuration attributes specific to that provider.

    The following guidelines cover the attributes a basic configuration requires. Depending on your site requirements, you may need to enter values for other attributes as well.

    • Host—Host name or IP address of the external authentication server.
    • Port—Port number on which the external authentication server is listening. Typically this is 389 for LDAP, or 636 when the server accepts LDAP over SSL.
    • Principal—Distinguished Name (DN) of the account on the external provider that WebLogic Server binds as when it searches the directory. Use a dedicated account with read-only access to the user and group subtrees rather than a directory administrator; its password is stored in the WebLogic Server configuration.
    • Credential and Confirm Credential—Password for the Principal account.
    • SSLEnabled—Select this check box if communication between WebLogic Server and the external authentication server will be through SSL. Without it, the Principal credential and the password of every user that WebLogic Server verifies against the directory cross the network in clear text. You must perform additional configuration tasks to fully enable this feature. See Configure SSL for Communications for details.
    • User Base DN—Base distinguished name (DN) of the tree that contains users.
    • User From Name Filter—Filter WebLogic Server uses to find a user by login name. WebLogic Server replaces %u with the name the user typed at login, so the attribute the filter matches must be the one users log in with (cn in the examples below; on Active Directory this is often sAMAccountName instead).
    • User Object Class—LDAP object class that stores users.
    • Group Base DN—Base distinguished name (DN) of the tree that contains groups.
    • Group From Name Filter—Filter WebLogic Server uses to find a group by name. WebLogic Server replaces %g with the group name.
    • Group Object Class—LDAP object class that stores groups.
    • Connect Timeout—The default value is 0, which indicates no timeout limit, so an unreachable directory can hang logins indefinitely. Oracle recommends setting this value to a nonzero value, such as 60 (expressed in seconds).
    • Follow Referrals—Select this check box if the external authentication provider is configured to use referrals to other authentication servers; if it does, the Follow Referrals attribute must be selected on the Provider Specific screen. This attribute is selected by default, but Oracle recommends y
  7. When you have finished entering screen values, click Save. Proceed to Set the JAAS Control Flag.
    The following examples show sample values for an OpenLDAP and a Microsoft Active Directory provider, respectively. The values you enter will be different, but these examples may assist you. The host addresses and DNs shown are placeholders. Both examples leave SSLEnabled unselected, and Example E-1 binds as the directory root account; treat them as illustrations of the attribute layout, not as a hardened configuration.

Example E-1 Sample Provider-specific Values for an OpenLDAP Provider

Host: 192.0.2.10
Port: 389
Principal: cn=root,o=staOpen,dc=mycompany,dc=com
Credential: OpenLDAP root password
Confirm credential:  OpenLDAP root password
SSLEnabled: not selected
User Base DN:  ou=users,o=staOpen,dc=mycompany,dc=com
All Users Filter: 
User From Name Filter: (&(cn=%u)(objectclass=posixAccount))
User Search Scope:  subtree
User Name Attribute:  cn
User Object Class:  posixAccount
Use Retrieved User Name as Principal:  selected
Group Base DN:  ou=groups,o=staOpen,dc=mycompany,dc=com
All Groups Filter: 
Group From Name Filter:  (&(cn=%g)(objectclass=groupOfUniqueNames))
Group Search Scope:  subtree
Group Membership Searching:  unlimited
Max Group Membership Search Level:  0
Ignore Duplicate Membership:  not selected
Static Group Name Attribute: cn
Static Group Object Class:  groupOfUniqueNames
Static Member DN Attribute: uniquemember
Static Group DNs from Member DN Filter:  (&(uniqueMember=%M)(objectclass=groupOfUniqueNames))
Dynamic Group Name Attribute: 
Dynamic Group Object Class: 
Dynamic Member URL Attribute: 
User Dynamic Group DN Attribute: 
Connection Pool Size:  6
Connect Timeout:  60
Connection Retry Limit:  1
Parallel Connect Delay:  0
Results Time Limit: 0
Keep Alive Enabled:  not selected
Follow Referrals: selected
Bind Anonymously On Referrals:  not selected
Propagate Cause For Login Exception: selected
Cache Enabled: selected
Cache Size: 32
Cache TTL:  60
GUID Attribute: entryuuid

Example E-2 Sample Provider-specific Values for an Active Directory Provider

Host: 192.0.2.10
Port: 389
Principal: CN=StaLdapUser,OU=Users,O=STA,DC=mycompany,DC=com
Credential: LDAP (SAM) password
Confirm credential:  LDAP (SAM) password
SSLEnabled: not selected
User Base DN:  OU=Users,O=STA,DC=mycompany,DC=com
All Users Filter: 
User From Name Filter: (&(cn=%u)(objectclass=user))
User Search Scope:  subtree
User Name Attribute:  cn
User Object Class:  user
Use Retrieved User Name as Principal:  selected
Group Base DN:  OU=Groups,O=STA,DC=mycompany,DC=com
All Groups Filter:  
Group From Name Filter:  (&(cn=%g)(objectclass=group))
Group Search Scope:  subtree
Group Membership Searching:  unlimited
Max Group Membership Search Level:  0
Ignore Duplicate Membership:  not selected
Use Token Groups for Group Membership Lookup:  not selected
Static Group Name Attribute: cn
Static Group Object Class:  group
Static Member DN Attribute: member
Static Group DNs from Member DN Filter:  (&(member=%M)(objectclass=group))
Dynamic Group Name Attribute: 
Dynamic Group Object Class:  
Dynamic Member URL Attribute: 
User Dynamic Group DN Attribute: 
Connection Pool Size:  6
Connect Timeout:  60
Connection Retry Limit:  1
Parallel Connect Delay:  0
Results Time Limit: 0
Keep Alive Enabled:  not selected
Follow Referrals: selected
Bind Anonymously On Referrals:  not selected
Propagate Cause For Login Exception: selected
Cache Enabled: selected
Cache Size: 32
Cache TTL:  60
GUID Attribute: objectguid
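The following script is added here as an example; it is not part of the Oracle documentation and not WebLogic Server code. It applies the step 6 guidelines to a settings block written in the same "Attribute: value" layout as Examples E-1 and E-2: it parses the block, reports the settings a reviewer should resolve before clicking Save (SSLEnabled off, Connect Timeout 0, a directory-administrator Principal, a filter that lacks its %u, %g or %M token), and contrasts a weak block with a corrected one. It also shows the RFC 4515 escaping that any tooling which substitutes a login name into the User From Name Filter (for instance, a script that replays the filter with ldapsearch) must apply, so that a name such as `*)(objectclass=*` cannot change the filter. The two settings blocks are constructed for the example (192.0.2.10 is a documentation address, the bind DNs are invented), and the function names are the example's own.

```python
"""Lint WebLogic LDAP authenticator provider-specific settings and render
their %u/%g/%M filter templates safely.  Added example, not Oracle/WebLogic code."""

# Constructed input in the page's "Attribute: value" sample layout, mirroring
# the weak points of Example E-1 (root bind, no SSL, no connect timeout).
WEAK_OPENLDAP = """\
Host: 192.0.2.10
Port: 389
Principal: cn=root,o=staOpen,dc=mycompany,dc=com
SSLEnabled: not selected
User From Name Filter: (&(cn=%u)(objectclass=posixAccount))
Group From Name Filter: (&(cn=%g)(objectclass=groupOfUniqueNames))
Static Group DNs from Member DN Filter: (&(uniqueMember=%M)(objectclass=groupOfUniqueNames))
Connect Timeout: 0
"""

# Constructed corrected block: LDAPS on 636, dedicated read-only bind account,
# bounded connect timeout.  The bind DN is invented for the example.
HARDENED_OPENLDAP = """\
Host: 192.0.2.10
Port: 636
Principal: cn=wlsbind,ou=service,o=staOpen,dc=mycompany,dc=com
SSLEnabled: selected
User From Name Filter: (&(cn=%u)(objectclass=posixAccount))
Group From Name Filter: (&(cn=%g)(objectclass=groupOfUniqueNames))
Static Group DNs from Member DN Filter: (&(uniqueMember=%M)(objectclass=groupOfUniqueNames))
Connect Timeout: 60
"""

ADMIN_RDNS = ("cn=root", "cn=manager", "cn=admin", "cn=directory manager")

def parse_settings(text):
    """Parse 'Attribute: value' lines into a dict; blank values are kept as ''."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        settings[key.strip()] = value.strip()
    return settings

def lint_settings(s):
    """Return the findings a reviewer should resolve before saving the provider."""
    findings = []
    port = int(s.get("Port") or 0)
    ssl = s.get("SSLEnabled") == "selected"
    if not ssl:
        findings.append("SSLEnabled is off: bind and user passwords cross the network in clear text")
    if ssl and port == 389:
        findings.append("SSLEnabled is on but Port is 389; LDAP over SSL usually listens on 636")
    if int(s.get("Connect Timeout") or 0) == 0:
        findings.append("Connect Timeout is 0 (no limit); an unreachable directory hangs logins")
    rdn = s.get("Principal", "").split(",", 1)[0].strip().lower()
    if rdn in ADMIN_RDNS:
        findings.append("Principal is a directory administrator; use a dedicated read-only bind account")
    for key, token in (("User From Name Filter", "%u"),
                       ("Group From Name Filter", "%g"),
                       ("Static Group DNs from Member DN Filter", "%M")):
        if key in s and token not in s[key]:
            findings.append(f"{key} lacks {token}; the lookup cannot use the supplied name")
    return findings

# RFC 4515 escapes for characters that are special inside a search filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template, **tokens):
    """Replace %u/%g/%M tokens with their escaped values (tokens given as u=, g=, M=)."""
    for token, value in tokens.items():
        template = template.replace("%" + token, escape_filter_value(value))
    return template

def unsafe_render(template, **tokens):
    """Plain substitution with no escaping, shown only to contrast with render_filter."""
    for token, value in tokens.items():
        template = template.replace("%" + token, value)
    return template

if __name__ == "__main__":
    for name, block in (("weak", WEAK_OPENLDAP), ("hardened", HARDENED_OPENLDAP)):
        print(name, lint_settings(parse_settings(block)) or "no findings")
    tmpl = parse_settings(WEAK_OPENLDAP)["User From Name Filter"]
    print("unsafe:", unsafe_render(tmpl, u="*)(objectclass=*"))
    print("safe:  ", render_filter(tmpl, u="*)(objectclass=*"))
```

Run it as-is to see the weak block produce three findings and the hardened block none, followed by the same hostile login name rendered once without escaping (the filter now matches any object class) and once with RFC 4515 escaping (the name is matched literally and finds nothing). Group and member filters take `g=` and `M=` in the same way; a member DN passed as `%M` contains commas and equals signs, which are not filter metacharacters and pass through unchanged.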