
Weblogic 12c Authentication Using External LDAP (Oracle Unified Directory)

Video Tutorial

In this post I will show you how to integrate an external LDAP directory (Oracle Unified Directory, OUD) with WebLogic 12c as an authentication provider.

Please watch the video for a detailed explanation and a demo of the integration steps.

Weblogic 12c supported authentication providers

  • WebLogic 12c ships with, among others, the following LDAP authentication providers (the DefaultAuthenticator backed by the embedded LDAP server is always present as well):
    • Oracle Internet Directory Authentication provider
    • Oracle Virtual Directory Authentication provider
    • Oracle Unified Directory Authentication provider
    • iPlanet Authentication provider
    • Active Directory Authentication provider
    • OpenLDAP Authentication provider
    • Novell Authentication provider
    • Generic LDAP Authentication provider

JAAS Control Flags

The JAAS control flag on each authentication provider determines how that provider behaves in the login sequence. WebLogic evaluates the providers in the order they are listed in the realm and applies the standard JAAS rules:

  • REQUIRED: must succeed; evaluation continues to the next provider, but the overall login fails if this one failed.
  • REQUISITE: must succeed; if it fails, evaluation stops immediately and the login fails.
  • SUFFICIENT: need not succeed; if it succeeds (and no earlier REQUIRED/REQUISITE provider failed), evaluation stops and the login succeeds. If it fails, evaluation continues.
  • OPTIONAL: need not succeed; evaluation continues either way. If no REQUIRED or REQUISITE provider is configured, at least one SUFFICIENT or OPTIONAL provider must succeed.

Getting these flags and the provider order right is the whole point of the configuration below.

External LDAP / OUD Details Required

  • Make sure you have the LDAP details below handy before configuring WebLogic. The values are from my environment; modify them accordingly. Two caveats for anything beyond a lab: cn=Directory Manager is the OUD root user, so in production create a dedicated read-only bind account with search rights on the user and group subtrees instead; and port 1389 is plain LDAP, so the bind credential and every user password WebLogic checks travel in cleartext unless you use the directory's LDAPS port and tick "SSLEnabled" on the provider.
    • Users Base DN: ou=People,dc=wls,dc=com
    • Groups Base DN: ou=Groups,dc=wls,dc=com
    • LDAP Host Name: pdol6wls12c
    • LDAP Port: 1389
    • Bind DN: cn=Directory Manager
    • Bind Password: ******

Weblogic 12c External Authentication Configuration

  • The goal of this configuration is to log in to the WebLogic Administration Console with the "wlsadmin" ID, which exists only in the external LDAP (OUD). I have a group called "Administrators" in LDAP/OUD and "wlsadmin" is a member of it. The group name matters: the Admin global role in WebLogic is granted to the group "Administrators" by default, so a group of that name in OUD picks up the role without any role edits.
  • Start the WebLogic domain and log in to the WLS Administration Console using the URL below.

  • Navigate to Security Realms -> myrealm -> Providers tab.
  • Click New. Give the authenticator a name (OUD Authenticator), select the type "OracleUnifiedDirectoryAuthenticator" and click OK.
  • Select the newly created authenticator and open the "Provider Specific" tab. Enter the details below and click Save.
    • Host: pdol6wls12c
    • Port: 1389
    • Principal: cn=Directory Manager
    • Credential & Confirm Credential: *******
    • Users Base DN: ou=People,dc=wls,dc=com
    • All Users Filter: (&(uid=*)(objectclass=person))
    • Users From Name Filter: (&(uid=%u)(objectclass=person))
    • User Name Attribute: uid
    • User Object Class: person
    • Groups Base DN: ou=Groups,dc=wls,dc=com
    • Group From Name Filter: (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=groupOfURLs)))
    • Static Group Name Attribute: cn
    • Static Group Object Class: groupofuniquenames
    • Static Member DN Attribute: uniquemember
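It helps to see how the authenticator actually uses these settings: the login name is substituted for %u in the Users From Name Filter and searched under the Users Base DN, and the resulting user DN is then looked up in the group subtree via the Static Member DN Attribute. The script below is an added example, not WebLogic code and not from the original post: it evaluates the post's filters against a small constructed in-memory directory so the settings can be sanity-checked without a running OUD. The "Static Group DNs from Member DN Filter" value is the provider's default, which the post does not list, and the user and group entries are made up. A real LDAP client escapes the login name per RFC 4515 before substituting it into the filter; this model substitutes the raw value.

```python
# Provider-specific settings as entered in the console (values from the post).
PROVIDER = {
    "users_base_dn": "ou=People,dc=wls,dc=com",
    "users_from_name_filter": "(&(uid=%u)(objectclass=person))",
    "groups_base_dn": "ou=Groups,dc=wls,dc=com",
    "group_from_name_filter": "(|(&(cn=%g)(objectclass=groupofUniqueNames))"
                              "(&(cn=%g)(objectclass=groupOfURLs)))",
    # Static Group DNs from Member DN Filter: provider default, not listed in the post.
    "group_dns_from_member_filter": "(&(uniquemember=%M)(objectclass=groupofuniquenames))",
}

# Constructed sample directory (not real OUD data): DN -> attributes, keys lower-case.
DIRECTORY = {
    "uid=wlsadmin,ou=People,dc=wls,dc=com": {
        "objectclass": ["top", "person", "inetOrgPerson"], "uid": ["wlsadmin"], "cn": ["WLS Admin"]},
    "uid=monitor1,ou=People,dc=wls,dc=com": {
        "objectclass": ["top", "person", "inetOrgPerson"], "uid": ["monitor1"], "cn": ["Monitor One"]},
    "cn=Administrators,ou=Groups,dc=wls,dc=com": {
        "objectclass": ["top", "groupOfUniqueNames"], "cn": ["Administrators"],
        # Extra spaces are deliberate: DN-valued attributes must be compared as DNs.
        "uniquemember": ["uid=wlsadmin, ou=People, dc=wls, dc=com"]},
    "cn=Monitors,ou=Groups,dc=wls,dc=com": {
        # groupOfNames/member instead of groupOfUniqueNames/uniquemember: invisible
        # to the provider as configured above.
        "objectclass": ["top", "groupOfNames"], "cn": ["Monitors"],
        "member": ["uid=monitor1,ou=People,dc=wls,dc=com"]},
}

DN_ATTRS = {"uniquemember", "member"}  # compared as DNs, not as plain strings


def norm_dn(dn):
    """Case-fold a DN and strip whitespace around the RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_filter(text):
    """Parse the RFC 4515 subset used by the provider settings: (a=v), (a=*), &, |, !."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return tree


def matches(tree, attrs):
    op = tree[0]
    if op == "&":
        return all(matches(k, attrs) for k in tree[1])
    if op == "|":
        return any(matches(k, attrs) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    values = attrs.get(attr, [])
    if value == "*":
        return bool(values)  # presence filter
    if attr in DN_ATTRS:
        return norm_dn(value) in [norm_dn(v) for v in values]
    return value.lower() in [v.lower() for v in values]  # case-ignore match


def search(base_dn, filter_text):
    """Subtree search: entries below base_dn that match the filter."""
    tree = parse_filter(filter_text)
    base = "," + norm_dn(base_dn)
    return [dn for dn, attrs in DIRECTORY.items()
            if norm_dn(dn).endswith(base) and matches(tree, attrs)]


def find_user_dn(username):
    """Users From Name Filter under Users Base DN; must yield exactly one entry."""
    hits = search(PROVIDER["users_base_dn"],
                  PROVIDER["users_from_name_filter"].replace("%u", username))
    return hits[0] if len(hits) == 1 else None


def find_group_dns(group_name):
    """Group From Name Filter under Groups Base DN (what the console's Groups tab uses)."""
    return search(PROVIDER["groups_base_dn"],
                  PROVIDER["group_from_name_filter"].replace("%g", group_name))


def groups_for_user(user_dn):
    """Static groups that list user_dn in the Static Member DN Attribute."""
    hits = search(PROVIDER["groups_base_dn"],
                  PROVIDER["group_dns_from_member_filter"].replace("%M", user_dn))
    return sorted(DIRECTORY[dn]["cn"][0] for dn in hits)


if __name__ == "__main__":
    dn = find_user_dn("wlsadmin")
    print("user DN:", dn, "groups:", groups_for_user(dn))
    print("Administrators visible:", find_group_dns("Administrators"))
    print("Monitors visible:", find_group_dns("Monitors"))  # []: object class/attribute mismatch
```

The Monitors entry shows the failure mode worth checking before you touch the console: a group created with groupOfNames/member never shows up in Users and Groups, and no role granted to it ever applies, because the provider only searches for groupofuniquenames/uniquemember. Compare the object classes of your real OUD groups with the Static Group Object Class and Static Member DN Attribute you enter.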

  • Select "Default Authenticator" and change its Control Flag to "SUFFICIENT". Set the Control Flag of the new "OUD Authenticator" to "SUFFICIENT" as well; a newly created provider defaults to "OPTIONAL".
  • Restart the WebLogic Administration Server.
  • After the restart, log in to the WebLogic Administration Console using the old (embedded LDAP) credentials.
  • Navigate to the "Security Realms -> myrealm -> Users and Groups" tab and verify that the external LDAP/OUD users and groups are listed.
  • Navigate to the "Security Realms -> myrealm -> Roles and Policies" tab, expand "Global Roles -> Roles" and select "View Role Conditions" for the Admin role.
  • Make sure the Administrators group is listed on the "Edit Global Role" page (it is there by default).
  • Log out of the console and log in as "wlsadmin", the external LDAP/OUD user.
  • If you want to stop authenticating against the embedded LDAP and use only the external LDAP, follow the steps below.
  • Select "OUD Authenticator" and change its Control Flag to "REQUIRED".
  • Navigate to Security Realms -> myrealm -> Providers tab and click "Reorder" so that the OUD Authenticator is listed first, ahead of the DefaultAuthenticator.
  • Stop the WebLogic Administration Server.
  • Modify the username and password in boot.properties (under the server's security directory in the domain home) to those of a user from the external LDAP/OUD. The boot identity goes through the same provider chain as a console login, so once OUD is REQUIRED the embedded "weblogic" user can no longer start the server. Write the file with restrictive permissions; WebLogic encrypts the two values on the next start.
  • Start the WebLogic Administration Server.
  • Logging in with the LDAP/OUD user (wlsadmin) should now succeed, and logging in with an embedded WebLogic user should fail. Keep in mind that with OUD as a REQUIRED provider every login, the boot identity included, fails while OUD is unreachable, so make sure the directory is highly available or keep a tested recovery procedure before applying this in production.
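The two provider configurations above (DefaultAuthenticator SUFFICIENT with OUD OPTIONAL, then OUD REQUIRED reordered to the top with DefaultAuthenticator still SUFFICIENT) behave differently for each kind of user, and differently again when OUD is down. The model below is an added example, not WebLogic or Oracle code: it implements the JAAS control-flag rules described in the JAAS Control Flags section and runs the post's two chains against constructed credential stores that stand in for the embedded LDAP and OUD. Provider names, usernames and passwords are made up.

```python
# JAAS control-flag model. Added example, not WebLogic code: the evaluation follows the
# JAAS LoginContext rules that WebLogic applies to its ordered provider list.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def jaas_login(providers, username, password):
    """providers: ordered list of (name, control_flag, authenticate).
    authenticate(username, password) -> bool, or raises ConnectionError when the
    backend cannot be reached (counted as a failed attempt for that provider)."""
    has_mandatory = any(flag in (REQUIRED, REQUISITE) for _, flag, _ in providers)
    mandatory_failed = False
    any_success = False
    for _name, flag, authenticate in providers:
        try:
            ok = authenticate(username, password)
        except ConnectionError:
            ok = False
        if ok:
            any_success = True
            # SUFFICIENT short-circuits only if every earlier REQUIRED/REQUISITE passed.
            if flag == SUFFICIENT and not mandatory_failed:
                return True
        elif flag == REQUISITE:
            return False                # stop immediately
        elif flag == REQUIRED:
            mandatory_failed = True     # keep going, but the outcome is already failure
    if mandatory_failed:
        return False
    # No mandatory provider failed; if none is configured, someone must have succeeded.
    return True if has_mandatory else any_success


# Constructed credential stores (not real) standing in for the embedded LDAP and OUD.
EMBEDDED_LDAP = {"weblogic": "embedded-secret"}
OUD = {"wlsadmin": "oud-secret"}


def default_authenticator(username, password):
    return EMBEDDED_LDAP.get(username) == password


def oud_authenticator(reachable=True):
    def authenticate(username, password):
        if not reachable:
            raise ConnectionError("OUD unreachable")
        return OUD.get(username) == password
    return authenticate


def initial_chain(oud_up=True):
    """After the first part of the post: DefaultAuthenticator SUFFICIENT and listed first,
    OUD Authenticator OPTIONAL (the default flag of a newly created provider)."""
    return [("DefaultAuthenticator", SUFFICIENT, default_authenticator),
            ("OUD Authenticator", OPTIONAL, oud_authenticator(oud_up))]


def external_only_chain(oud_up=True):
    """After the 'external only' steps: OUD REQUIRED and reordered to the top."""
    return [("OUD Authenticator", REQUIRED, oud_authenticator(oud_up)),
            ("DefaultAuthenticator", SUFFICIENT, default_authenticator)]


if __name__ == "__main__":
    chains = [("initial", initial_chain()),
              ("external-only", external_only_chain()),
              ("external-only, OUD down", external_only_chain(oud_up=False))]
    for label, chain in chains:
        print(label,
              "weblogic:", jaas_login(chain, "weblogic", "embedded-secret"),
              "wlsadmin:", jaas_login(chain, "wlsadmin", "oud-secret"))
```

Running it shows why the post changes boot.properties: in the external-only chain the embedded "weblogic" user fails even though the DefaultAuthenticator accepts it, because the REQUIRED OUD provider has already failed. The last line also shows the availability cost of REQUIRED: with OUD down neither user can log in, and since the boot identity is checked the same way the Administration Server cannot start. Keeping the external provider SUFFICIENT (and ordered first) gives external-first logins without that lockout, at the price of the embedded accounts still working.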

That's it! You now know how to configure an external LDAP directory as an authentication provider in WebLogic 12c.

I hope you found this post helpful. If you have any questions, please post them in the comments section, and watch my video for a detailed explanation and demo.

2016-12-08T18:20:42+00:00

About the Author:

I am a Senior Cloud Professional specialized in AWS Cloud with 11 years of IT experience. I am enthusiastic about Serverless Architecture. I am an expert in Oracle Fusion Middleware.

2 Comments

  1. lucid December 7, 2016 at 11:13 PM - Reply

    Thanks for the screenshots.

  2. karthik January 5, 2017 at 11:34 PM - Reply

    Hi Prasad, I am Karthik. Your blog is very helpful for me with WebLogic.
    I have a doubt about LDAP with OUD: after creating the users in the OUD I restarted the WebLogic server and I saw the created users, but when I assign the Monitor role to that user it is not working; it is only taking the Admin role. Please, any explanation for that?

    Thanking you
