OTN Home > Oracle WebLogic Server 12.2.1.0 Documentation > Administration Console Online Help > Configure the Oracle Virtual Directory Authentication provider

Administration Console Online Help

Previous Next Open TOC in new window
Content starts here

Configure the Oracle Virtual Directory Authentication provider

Before you begin


You use Oracle Virtual Directory Authentication provider to access user and group information stored in the Oracle Virtual Directory LDAP V3 service.

Note that each security realm must have one at least one Authentication provider configured. The Control Flag attribute determines how the LoginModule for each Authentication provider is used in the authentication process. For more information, see Set the JAAS control flag.

If the Oracle Virtual Directory Authentication provider is the only Authentication provider configured in the security realm, make sure that the LDAP user who boots WebLogic Server is added to a group that is assigned to the Admin role. Otherwise, WebLogic Server cannot be booted. If the Oracle Virtual Directory Authentication provider fails to connect to the LDAP server, or throws an exception, make sure the configuration settings for this provider are set correctly as described in the steps that follow. For more information about these configuration settings, see Configuring Users and Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers.

All Authentication providers included in WebLogic Server support identity domains. If the identity domain attribute is set on the Oracle Virtual Directory Authentication provider, only users who are defined in that identity domain can be authenticated. For more information, see Configuring Security.

To configure the Oracle Virtual Directory Authentication provider:

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane, select Security Realms and click the name of the realm you are configuring (for example, myrealm).
  3. Select Providers > Authentication and click New.

    The Create a New Authentication Provider page appears.
  4. In the Name field, enter a name for the Oracle Virtual Directory Authentication provider.
  5. From the Type drop-down list, select OracleVirtualDirectoryAuthenticator and click OK.
  6. Select Providers > Authentication and click the name of the new Oracle Virtual Directory Authentication provider to complete its configuration.
  7. On the Configuration page for the Oracle Virtual Directory Authentication provider, set the desired values on the Common tab. If you are configuring multiple Authentication providers, refer to Set the JAAS control flag.
  8. Select the Provider Specific tab.
  9. In the section labeled Connection, specify the following:
    • The host and port of the machine hosting the Oracle Virtual Directory LDAP server
    • The credentials of the LDAP user that WebLogic Server should use for making a connection
  10. If the connection to Oracle Virtual Directory uses SSL, select SSLEnabled. For more information, see Enabling an LDAP Authentication Provider for SSL.
  11. In the section labeled Users, adjust the following settings as necessary to match the directory structure for users in the Oracle Virtual Directory LDAP server:
    1. Make sure User Base DN correctly specifies the LDAP directory structure for users. The default for Oracle Virtual Directory users is cn=users,dc=us,dc=oracle,dc=com.
    2. If the user name attribute for the user object class in the LDAP directory structure is a type other than cn, change that type in the settings for each of the following attributes: All Users Filter, User From Name Filter, and User Name Attribute. For example, if the user name attribute type is uid, change All Users Filter to (&(uid=*)(objectclass=person))).

      Note: When specifying an LDAP search filter for users or groups, wildcards are accepted. However, using multiple asterisk wildcards, particularly for a user or group name attribute, has a negative performance impact on the LDAP server.

  12. In the section labeled Groups, adjust the following settings as necessary to match the directory structure for groups in the Oracle Virtual Directory LDAP server. (Example changes are shown in bold.)
    1. If the group name attribute for the static group object in the LDAP directory structure is a type other than cn, change that type in the settings for the All Groups Filter and Group From Name Filter attributes.

      For example, if the static group name attribute is type uid, change All Groups Filter to (&(uid=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup))), and change Group From Name Filter to (|(&(uid=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup))).

    2. If the group name attribute for the dynamic group object in the LDAP directory structure is a type other than cn, change that type in the settings for the All Groups Filter and Group From Name Filter attributes.

      For example, if the dynamic group name attribute is type uid, change All Groups Filter to (&(uid=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup))), and change Group From Name Filter to (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(uid=%g)(objectclass=orcldynamicgroup))).

    3. If the static group object class name in the LDAP directory structure is groupofnames (instead of groupofuniquenames), and the static member DN attribute is of type member (instead of uniquemember), change the objectclass element in the All Groups Filter and Group From Name Filter attributes.

      For example, set All Groups Filter as (&(cn=*)(|(objectclass=groupofnames)(objectclass=orcldynamicgroup))), and set Group From Name Filter as (|(&(cn=%g)(objectclass=groupofnames))(&(cn=%g)(objectclass=orcldynamicgroup))).

  13. In the section labeled Static Groups, make the following changes, if necessary, to match the schema definition of static groups in the Oracle Virtual Directory LDAP server:
    1. If the group name attribute type of the static group object class is a type other than cn, specify that type in Static Group Name Attribute. Note that the type you specify must be consistent with the name attribute type specified in the All Groups Filter and Group From Name Filter attributes.
    2. Change Static Group Object Class to groupofnames, if necessary, and make sure it matches the class name specified in the All Groups Filter and Group From Name Filter attributes.
    3. If Static Group Object Class is groupofnames, change Static Member DN Attribute to member.
  14. In the section labeled Dynamic Groups, make sure Dynamic Group Name Attribute matches the name attribute type specified in the All Groups Filter and Group From Name Filter attributes.
  15. In the field labeled GUID attribute, the attribute name you specify depends on whether Oracle Virtual Directory has a mapping for this attribute name. The mapping specifies a name for this attribute that is renamed from the one defined in the LDAP server with which Oracle Virtual Directory is connected. Enter a value in this field as follows:
    • If a mapping exists, specify the name that is defined in the mapping. For example, if the GUID attribute is renamed in the mapping to OVDguid, specify OVDguid in this field.
    • If a mapping does not exist, specify the name that is defined in the LDAP server. For example, if Oracle Virtual Directory is connected to Sun iPlanet Directory, which defines the GUID attribute name as nsuniqueid, specify nsuniqueid in this field.

    The default value is orclguid. For more information about attribute name mapping in Oracle Virtual Directory, see Understanding Oracle Virtual Directory Mapping in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

  16. Click Save to save your changes.
  17. In the Change Center, click Activate Changes. If you Enable automatic realm restart, you do not need to restart WebLogic Server for updates to take effect.

Back to Top