active directory Archive

Configuring Active Directory Authenticator with Weblogic Server

Weblogic Server comes with an Embedded LDAP Server which acts as the Default Provider for authentication, authorization and rolemapping.Since authentication is based on JAAS ( Java Authentication and Authorization Service), we can have external providers as well.These providers can be Out Of the Box Providers provided by WLS or Custom Providers which can be plugged in. I’ll discuss that in some other article.

These are some of the providers


WLS does provide an out of the box provider for Active Directory.
These are the steps to configure it.
Step 1). Open Active Directory Console

Step 2). Create a User

Step 3). Assign it to Administrator Group. This is required as Active Directory gives connection only to Admin User.

Step 4). Go to Weblogic Server and Create an Active Directory Authentication Provider

Step 5) Under Provider Specific, provide the following values, leave the others as default.

Propagate Cause For Login Exception ( checked)
Principal :CN=aduser,CN=Users,DC=faisal,DC=bea,DC=com
User Base Dn : CN=Users,DC=faisal,DC=bea,DC=com
Credential : XXXXXX
Group Base Dn: CN=Users,DC=faisal,DC=bea,DC=com

You should see the following in the config.xml

<sec:authentication-provider xsi:type=”wls:active-directory-authenticatorType”>
<sec:name>ActiveDirectory</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:principal>CN=aduser,CN=Users,DC=faisal,DC=bea,DC=com</wls:principal>
<wls:user-base-dn>CN=Users,DC=faisal,DC=bea,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{3DES}YoOwqSH1jxsOlvUmAYOENw==</wls:credential-encrypted>
<wls:group-base-dn>CN=Users,DC=faisal,DC=bea,DC=com</wls:group-base-dn>
</sec:authentication-provider>

Step 6) Change the control flag of the Active Directory Authenticator and the Default Authenticator to SUFFICIENT

Step 7) Restart your server. Go to myrealm. You should be able to see the users and groups from the Active Directory.

Create Active Directory Authentication Provider from WLST

connect(‘weblogic’,’weblogic’,’t3://localhost:7001′)
edit()
startEdit(-1,-1,’false’)
cmo.getSecurityConfiguration().getDefaultRealm().createAuthenticationProvider(‘ADAuthenticator’, ‘weblogic.security.providers.authentication.ActiveDirectoryAuthenticator’)
cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider(‘ADAuthenticator’).setControlFlag(‘OPTIONAL’)
cd(‘/SecurityConfiguration’)
cd(‘base_domain’)
cd(‘Realms/myrealm/AuthenticationProviders’)
cd(‘ADAuthenticator’)
cmo.setGroupBaseDN(‘CN=Users,DC=faisal,DC=bea,DC=com’)
cmo.setUserBaseDN(‘CN=Users,DC=faisal,DC=bea,DC=com’)
cmo.setAllGroupsFilter(‘(objectclass=group)’)
cmo.setPrincipal(‘CN=Administrator,CN=Users,DC=faisal,DC=bea,DC=com’)
cmo.setCredential(‘Passw0rd’)
cmo.setPort(389)
cmo.setHost(‘localhost’)
save()
activate()