Administration Console Online Help

Previous Next Open TOC in new window
Content starts here

Open LDAP Authentication Provider: Provider Specific

Configuration Options     Related Tasks     Related Topics

Use this page to define the provider specific configuration for this Open LDAP Authentication provider.

Configuration Options

Name Description
Host

The host name or IP address of the LDAP server.

MBean Attribute:
LDAPServerMBean.Host

Changes take effect after you redeploy the module or restart the server.

Port

The port number on which the LDAP server is listening.

MBean Attribute:
LDAPServerMBean.Port

Minimum value: 1

Maximum value: 65534

Changes take effect after you redeploy the module or restart the server.

Principal

The Distinguished Name (DN) of the LDAP user that WebLogic Server should use to connect to the LDAP server.

Note: The value you enter for principal must be an LDAP administrator who has the privilege to search users and groups in Open LDAP. If the LDAP administrator does not have privileges to search Open LDAP, an LDAP exception with error code 50 is generated.

MBean Attribute:
LDAPServerMBean.Principal

Changes take effect after you redeploy the module or restart the server.

Credential

The credential (usually a password) used to connect to the LDAP server.

If this password has not been set, WebLogic Server generates a password at startup, initializes the attribute, and saves the configuration to the config.xml file. If you want to connect to the embedded LDAP server using an external LDAP browser and the embedded LDAP administrator account (cn=Admin), change this attribute from the generated value.

MBean Attribute:
LDAPServerMBean.Credential

Changes take effect after you redeploy the module or restart the server.

SSLEnabled

Specifies whether the SSL protocol should be used when connecting to the LDAP server.

MBean Attribute:
LDAPServerMBean.SSLEnabled

Changes take effect after you redeploy the module or restart the server.

User Base DN

The base distinguished name (DN) of the tree in the LDAP directory that contains users.

MBean Attribute:
LDAPAuthenticatorMBean.UserBaseDN

Changes take effect after you redeploy the module or restart the server.

All Users Filter

If the attribute (user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.

Note: Wildcards are permitted in the filter specification. However, using multiple wildcards in a given filter has a negative performance impact on the LDAP server, so Oracle recommends that you limit their use.

MBean Attribute:
LDAPAuthenticatorMBean.AllUsersFilter

Changes take effect after you redeploy the module or restart the server.

User From Name Filter

If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.

Note: Wildcards are permitted in the filter specification. However, using multiple wildcards in a given filter has a negative performance impact on the LDAP server, so Oracle recommends that you limit their use.

MBean Attribute:
LDAPAuthenticatorMBean.UserFromNameFilter

Changes take effect after you redeploy the module or restart the server.

User Search Scope

Specifies how deep in the LDAP directory tree the LDAP Authentication provider should search for users.

Valid values are subtree and onelevel.

MBean Attribute:
LDAPAuthenticatorMBean.UserSearchScope

Changes take effect after you redeploy the module or restart the server.

User Name Attribute

The attribute of an LDAP user object that specifies the name of the user.

MBean Attribute:
LDAPAuthenticatorMBean.UserNameAttribute

Changes take effect after you redeploy the module or restart the server.

User Object Class

The LDAP object class that stores users.

MBean Attribute:
LDAPAuthenticatorMBean.UserObjectClass

Changes take effect after you redeploy the module or restart the server.

Use Retrieved User Name as Principal

Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal in the Subject.

MBean Attribute:
LDAPAuthenticatorMBean.UseRetrievedUserNameAsPrincipal

Changes take effect after you redeploy the module or restart the server.

Group Base DN

The base distinguished name (DN) of the tree in the LDAP directory that contains groups.

MBean Attribute:
LDAPAuthenticatorMBean.GroupBaseDN

Changes take effect after you redeploy the module or restart the server.

All Groups Filter

An LDAP search filter for finding all groups beneath the base group distinguished name (DN). If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the Group schema.

Note: Wildcards are permitted in the filter specification. However, using multiple wildcards in a given filter has a negative performance impact on the LDAP server, so Oracle recommends that you limit their use.

MBean Attribute:
LDAPAuthenticatorMBean.AllGroupsFilter

Changes take effect after you redeploy the module or restart the server.

Group From Name Filter

An LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.

Note: Wildcards are permitted in the filter specification. However, using multiple wildcards in a given filter has a negative performance impact on the LDAP server, so Oracle recommends that you limit their use.

MBean Attribute:
LDAPAuthenticatorMBean.GroupFromNameFilter

Changes take effect after you redeploy the module or restart the server.

Group Search Scope

Specifies how deep in the LDAP directory tree to search for groups. Valid values are subtree and onelevel.

MBean Attribute:
LDAPAuthenticatorMBean.GroupSearchScope

Changes take effect after you redeploy the module or restart the server.

Group Membership Searching

Specifies whether group searches into nested groups are unlimited or limited. Valid values are unlimited and limited.

For configurations that use only the first level of nested group hierarchy, this attribute allows improved performance during user searches by limiting the search to the first level of the group. If a limited search is specified, the Max Group Membership Search Level attribute must be specified. If an unlimited search is specified, the Max Group Membership Search Level attribute is ignored.

Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They will apply in management operations.

MBean Attribute:
LDAPAuthenticatorMBean.GroupMembershipSearching

Changes take effect after you redeploy the module or restart the server.

Max Group Membership Search Level

Specifies how many levels of group membership can be searched. This setting is valid only if GroupMembershipSearching is set to limited. Valid values are 0 and positive integers. For example, 0 indicates only direct group memberships will be found, and a positive number indicates the number of levels to search.

Possible values are:

0 - Indicates only direct groups will be found. That is, when searching for membership in Group A, only direct members of Group A will be found. If Group B is a member of Group A, the members will not be found by this search.

Any positive number - Indicates the number of levels to search. For example, if this attribute is set to 1, a search for membership in Group A will return direct members of Group A. If Group B is a member of Group A, the members of Group B will also be found by this search. However, if Group C is a member of Group B, the members of Group C will not be found by this search.

Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They will apply in management operations.

MBean Attribute:
LDAPAuthenticatorMBean.MaxGroupMembershipSearchLevel

Changes take effect after you redeploy the module or restart the server.

Ignore Duplicate Membership

Determines whether duplicate members are ignored when adding groups. The attribute cycles in the Group membership.

MBean Attribute:
LDAPAuthenticatorMBean.IgnoreDuplicateMembership

Changes take effect after you redeploy the module or restart the server.

Static Group Name Attribute

The attribute of a static LDAP group object that specifies the name of the group.

MBean Attribute:
LDAPAuthenticatorMBean.StaticGroupNameAttribute

Changes take effect after you redeploy the module or restart the server.

Static Group Object Class

The name of the LDAP object class that stores static groups.

MBean Attribute:
LDAPAuthenticatorMBean.StaticGroupObjectClass

Changes take effect after you redeploy the module or restart the server.

Static Member DN Attribute

The attribute of a static LDAP group object that specifies the distinguished names (DNs) of the members of the group.

MBean Attribute:
LDAPAuthenticatorMBean.StaticMemberDNAttribute

Changes take effect after you redeploy the module or restart the server.

Static Group DNs from Member DN Filter

An LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.

MBean Attribute:
LDAPAuthenticatorMBean.StaticGroupDNsfromMemberDNFilter

Changes take effect after you redeploy the module or restart the server.

Dynamic Group Name Attribute

The attribute of a dynamic LDAP group object that specifies the name of the group.

MBean Attribute:
LDAPAuthenticatorMBean.DynamicGroupNameAttribute

Changes take effect after you redeploy the module or restart the server.

Dynamic Group Object Class

The LDAP object class that stores dynamic groups.

MBean Attribute:
LDAPAuthenticatorMBean.DynamicGroupObjectClass

Changes take effect after you redeploy the module or restart the server.

Dynamic Member URL Attribute

The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.

MBean Attribute:
LDAPAuthenticatorMBean.DynamicMemberURLAttribute

Changes take effect after you redeploy the module or restart the server.

User Dynamic Group DN Attribute

If such an attribute does not exist, WebLogic Server determines if a user is a member of a group by evaluating the URLs on the dynamic group. If a group contains other groups, WebLogic Server evaluates the URLs on any of the descendants (indicates parent relationship) of the group.

Note: When this attribute is set, the value for Dynamic Group Name Attribute must be valid and cannot be null.

MBean Attribute:
LDAPAuthenticatorMBean.UserDynamicGroupDNAttribute

Changes take effect after you redeploy the module or restart the server.

Connection Pool Size

The LDAP connection pool size. Default is 6.

MBean Attribute:
LDAPServerMBean.ConnectionPoolSize

Connect Timeout

The maximum time in seconds to wait for the connection to the LDAP server to be established. If this attribute is set to 0, there is no maximum time limit.

The default setting is 0. This default value can result in a slowdown in WebLogic Server execution if the LDAP server is unavailable. In addition, if WebLogic Server has multiple LDAP Authentication providers configured, the failure to connect to one LDAP server may block the use of the other LDAP Authentication providers.

Oracle recommends that you specify a non-zero value; for example, 60 seconds.

If multiple hosts are specified in Host, this value sets the total timeout for making a connection among all those hosts. To set a timeout for an individual connection, use the -Dweblogic.security.providers.authentication.ldap.socketTimeout=seconds security parameter for the JVM in which WebLogic Server runs. Specifying the connect timeout in conjunction with the socket timeout is useful for configuring failover for an LDAP Authentication provider.

MBean Attribute:
LDAPServerMBean.ConnectTimeout

Changes take effect after you redeploy the module or restart the server.

Connection Retry Limit

Specifies the number of times to attempt to connect to the LDAP server if the initial connection failed.

MBean Attribute:
LDAPServerMBean.ConnectionRetryLimit

Changes take effect after you redeploy the module or restart the server.

Parallel Connect Delay

The delay in seconds when making concurrent attempts to connect to multiple LDAP servers.

If this attribute is set to 0, connection attempts are serialized. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. If this attribute is not set and an LDAP server is unavailable, an application may be blocked for a long time. If this attribute is greater than 0, another connection is started after the specified time.

MBean Attribute:
LDAPServerMBean.ParallelConnectDelay

Changes take effect after you redeploy the module or restart the server.

Results Time Limit

The maximum number of milliseconds for the LDAP server to wait for results before timing out. If this attribute is set to 0, there is no maximum time limit.

MBean Attribute:
LDAPServerMBean.ResultsTimeLimit

Changes take effect after you redeploy the module or restart the server.

Keep Alive Enabled

Specifies whether to prevent LDAP connections from timing out.

MBean Attribute:
LDAPAuthenticatorMBean.KeepAliveEnabled

Changes take effect after you redeploy the module or restart the server.

Follow Referrals

Specifies that a search for a user or group within the LDAP Authentication provider will follow referrals to other LDAP servers or branches within the LDAP directory. By default, this attribute is enabled.

MBean Attribute:
LDAPServerMBean.FollowReferrals

Changes take effect after you redeploy the module or restart the server.

Bind Anonymously On Referrals

By default, the LDAP Authentication provider uses the same DN and password used to connect to the LDAP server when following referrals during a search. If you want to connect as an anonymous user, enable this attribute.

MBean Attribute:
LDAPServerMBean.BindAnonymouslyOnReferrals

Changes take effect after you redeploy the module or restart the server.

Propagate Cause For Login Exception

Specifies whether the providers should propagate the cause of the LoginException.

MBean Attribute:
LoginExceptionPropagatorMBean.PropagateCauseForLoginException

Changes take effect after you redeploy the module or restart the server.

Cache Enabled

Specifies whether a cache is used with the LDAP server

MBean Attribute:
LDAPServerMBean.CacheEnabled

Changes take effect after you redeploy the module or restart the server.

Cache Size

The size of the cache (in kilobytes) that is used with the LDAP server

MBean Attribute:
LDAPServerMBean.CacheSize

Minimum value: 0

Changes take effect after you redeploy the module or restart the server.

Cache TTL

The time-to-live of the cache (in seconds) that is used with the LDAP server

MBean Attribute:
LDAPServerMBean.CacheTTL

Minimum value: 0

Changes take effect after you redeploy the module or restart the server.

GUID Attribute

Specifies the name of the GUID attribute defined in the OpenLDAP Directory Services LDAP server. The default value is entryuuid.

MBean Attribute:
OpenLDAPAuthenticatorMBean.GuidAttribute

Changes take effect after you redeploy the module or restart the server.

Related Tasks

Related Topics


Back to Top