Weblogic Server comes with an Embedded LDAP Server which acts as the Default Provider for authentication, authorization and rolemapping.Since authentication is based on JAAS ( Java Authentication and Authorization Service), we can have external providers as well.These providers can be Out Of the Box Providers provided by WLS or Custom Providers which can be plugged in. I’ll discuss that in some other article.
These are some of the providers
WLS does provide an out of the box provider for Active Directory.
These are the steps to configure it.
Step 1). Open Active Directory Console
Step 3). Assign it to Administrator Group. This is required as Active Directory gives connection only to Admin User.
Step 4). Go to Weblogic Server and Create an Active Directory Authentication Provider
Step 5) Under Provider Specific, provide the following values, leave the others as default.
Propagate Cause For Login Exception ( checked)
Principal :CN=aduser,CN=Users,DC=faisal,DC=bea,DC=com
User Base Dn : CN=Users,DC=faisal,DC=bea,DC=com
Credential : XXXXXX
Group Base Dn: CN=Users,DC=faisal,DC=bea,DC=com
You should see the following in the config.xml
<sec:authentication-provider xsi:type=”wls:active-directory-authenticatorType”>
<sec:name>ActiveDirectory</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:principal>CN=aduser,CN=Users,DC=faisal,DC=bea,DC=com</wls:principal>
<wls:user-base-dn>CN=Users,DC=faisal,DC=bea,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{3DES}YoOwqSH1jxsOlvUmAYOENw==</wls:credential-encrypted>
<wls:group-base-dn>CN=Users,DC=faisal,DC=bea,DC=com</wls:group-base-dn>
</sec:authentication-provider>
Step 6) Change the control flag of the Active Directory Authenticator and the Default Authenticator to SUFFICIENT
Step 7) Restart your server. Go to myrealm. You should be able to see the users and groups from the Active Directory.
Thanks for the post on configuring the active directory authenticator.
I have a question: How do I determine the ‘Principal’ value for my environment? I tried using the one that worked for you and changing the values to be my username and my server, etc. but my connection failed.
My Active Directory server is controlled by another group. I have the ability to connect to it for authentication and I can view it using the ‘Active Directory Explorer’ which I obtained from the MS site. I simply put my server name and my login creds and the tool connects and shows a huge ldap tree. I see my login username as the value of the attribute sAMAccountName, but it is not a DN type syntax. It is a DirectoryString type syntax in the ldap browser.
Any ideas?
Thanks.
Bill
Kindly post in our forums.
https://weblogic-wonders.com/weblogic/forum/
I am sure we will be able to help you out.
Cheers!!
Have you come across a way of getting AD to return more than 1000 records to Weblogic. The default MaxPageSize in AD is set to 1000, so if you have more than that many users then it only returns the first 1000 based on the date they were created. There is meant to be a way to get AD to return paged results, but I’ve not found it yet. Just wondered if you’d come across this yet?
Regards
Dan
Hi Dan,
I havent come across a way either.
The only way to get AD return more that 1000 users is by increasing the MaxPageSize which you are already aware of.
Thanks for posting.
Cheers!
Faisal
Hi Faisal,
Can we configure ADAM/AzMan with weblogic instead of Active Directory?
If yes, do you think there will be any difference in configuration.
Please reply me.
Thanks,
Mangesh Khairnar.
Hi Magnesh,
We can configure ADAM with WLS using the LDAPAuthenticator. I remember doing it once for one of my customer long time back.
We just need to use the appropriate filters.
Let me know if you need help in configuring it.
Cheers!
Faisal
Thanks Faisal,
Can we use SPNEGO (kerberos) with LDAPAuthenticator (for ADAM)?
I need to implement SSO with ADAM in weblogic, is it possible?
I already have SSO working with Active Directory, now I need to do the same with ADAM, it will be great help if you guide me through this process.
Thanks,
Mangesh Khairnar.
Hi Magnesh,
I havent done it before so wont be able to comment.
Does your ADAM act as a domain controller?
The best way to know if it will work is by trying out the configuration.
Let me know if you need any help.
If it works, we can create an article on it and post on wonders.
Thanks,
Faisal
Thanks Faisal,
Can we implement SPNEGO (kerberos) with LDAPAuthenticator (for ADAM)?
I need to implement the SSO with ADAM in weblogic, is it possible?
I already have SSO working with Active Directory, now I need to do it with ADAM. It will be great help if you guide me through this implementation.
Thanks,
Mangesh Khairnar.
sure we can do that.
-Faisal
Hi Faisal,
I am trying to configure ADAM using LDAPAuthenticator provider.
But getting a following error while going to “Users and Groups” tab:
LdapErr: DSID-0C090336, comment: AcceptSecurityContext error, data 2030, vece
Following is the ADAM store I am trying to access:
msldap://dev2:50000/CN=GPAzManStore,OU=abc,O=pqr,C=xyz
Following is the sample Confing.xml part for this configuration, can you please suggest where exactly I am making mistake:
LDAP-Auth
OPTIONAL
false
dev2
50000
user
sAMAccountName
cn=admin, ou=abc, o=pqr, c=xyz
ou=abc, o=pqr, c=xyz
{3DES}Si8r8SiRQ18=
(&(sAMAccountName=%u)(objectclass=user))
ou=abc, o=pqr, c=xyz
(&(member=%g)(objectclass=group))
group
member
(&(member=%M)(objectclass=group))
Thanks,
Mangesh Khairnar.
Hi Magnesh,
What is the error you are getting in the weblogic server logs?
Can you export the ldif one user ( say admin and paste it here)
Also paste the error you are getting in the server logs.
Thanks,
Faisal
Hi Faisal,
Thanks for your reply.
Finally I was able to resolve the issue which I shared with you earlier, it was a issue related to wrong DN and filter. I corrected it and was able to get the ADAM users in weblogic console (I used Active Directory Authentication Provider).
But now I am facing another problem, I am able to get the users which I newly added to ADAM, but I am still unable to get the users which I added in ADAM from Active Directory schema.
Also I am unable to get the users from AzMan store which I added in ADAM.
Do you have any idea around this?
Thanks,
Mangesh Khairnar.
Hi Magnesh,
I did not get a clear picture. Mayb we can have a screehsharing session.
Did u check the user base dn? are the users from the same base dn?
Thanks,
Faisal
Hi Faisal,
Let me give you a clear idea:
I have a active directory with following base dn:
DC=itshastra,DC=local
I have created an ADAM store with following base dn:
OU=GuardianPro,O=itshastra,C=local
In this ADAM I have AzMan Store:
CN=GPAzManStore,OU=GuardianPro,O=itshastra,C=local
Now in weblogic console I am getting the users which I newly created in ADAM, but not getting the referenced users from Active Directory (in third party LDAP browser I can see those users with objeCtclass=foreignSecurityPrincipal). Also the same thing happening with the AzMan store users.
Hope I have given you an clear idea, it will be great if you could suggest any clue or else if it is possible to you, we can have a screen sharing session on Monday.
Thanks,
Mangesh Khairnar.
Hi Mangesh,
I got a fair idea.
We can try out a few things on Monday.
Looks like we might have to use a filter on WLS.
Thanks,
Faisal
I am not a fan of WebLogic, but it came bundled with an application our company bought. When I setup LDAP authentication for any other web server/application, the application typically manages the login. I supply the LDAP server location and details. I do NOT have to provide a specific principle for login, the authenticator uses the user’s credentials to connect to LDAP, and either passes for fails.
I do not want to embed a principle and password in WebLogic as I have to age passwords and restart the darn server everytime I update the principle’s password. Why can’t WebLogic use the person logging in to authenticate?
Hi Stewart,
When Weblogic Starts up, it tries to establish a connection with the LDAP Server using the credentials you provide in the authentication provider configuration.
If you don’t want to provide credentials, you can allow anonymous login on the LDAP Server.
Now, allowing users to log in to the application using LDAP Creds. For this you need to do the role mapping.
https://weblogic-wonders.com/weblogic/2010/06/04/how-to-modify-weblogic-default-roles-and-policies/
Let me know if you have any queries.
Thanks,
Faisal
Hi Faisal,
I am trying to configure eNovell directory in weblogic console. So, That users can use the same LDAP password to log into the weblogic console.
After configuring it I can see a lot of user and groups under user and group, which belongs to the newly created Authenticator Provider. But when I am clicking on those user I am not seeing any groups associated with them and I am not seeing any option to allocate a group to them. For e.g when we create a user in weblogic, we can allocate group to that user after clicking on groups under that particular user. Groups like Admin, Monitor etc etc…..
Also, the user which are from Novell edirectory can not log in using their LDAP password.
Could you please help me in solving these 2 problems.
Thanks in Advance !!!!!
Hi Pradeep,
You need to modify the default roles and policies so that novel users can log in.
This should help
https://weblogic-wonders.com/weblogic/2010/06/04/how-to-modify-weblogic-default-roles-and-policies/
Secondly, you dont have the option to allocate groups to external ldap users from the weblogic console.
It depends on the DN where the users are for its group information to appear in the WLS Console.
Create a ou in your present user base dn and keep the users there and specify the user base dn pointing to that ou.
I can help you if you can let me know your directory structure…
Thanks,
Faisal
Thanks Faisal !!!! Thanks a Bunch !!!!
Your views are really helpful to me, I will do some work and definitely ask you for further help. Can I have your email ID where I can send you the details .
really thanks alot for this post, its help me alooooooot 🙂
Excellent aritcle. Thank you very much for sharing this.
I was able to confirgure LDAP/Active Directory, but can you expalin, how do i add AD users to Weblogic built in Administrators, Deployers or Monitors roles?
Would really appreciate if you can explain how.
Thanks & Regards
Sonnet
Hi Sonnet,
Thanks for your appreciation!
You can follow this post to add AD users to weblogic roles.
https://weblogic-wonders.com/weblogic/2010/06/04/how-to-modify-weblogic-default-roles-and-policies/
Let me know if you need any clarification.
Thanks,
Faisal
Thank you very much, Faisal. I was able to modify the Admin “role condition” and add a particular user from the Active Directory, and I am able to login as the AD user. However, it won’t recognize a group. for example, I have a group setup as WSL_Admin, which I am a member of. I can edit the condition as (“WLS_Admin” or “Administrator”), but I can’t log in. I have verified the user is not locked and the group exists. I am a bit baffled.
Have you verified whether a member of a group can login as an Admin or Deployer role?
Thanks once again for such great knowledge articles. Much appreciated.
Sonnet
Very helpful article!
One question if you can help:
I have 2 AD providers that totally have more than 1000 groups. In one of them I have already set the maxpagesize = 5000 using NTDSUtil.exe
Why in the console I see total 1000 groups when for sure I have more? Any idea?
Thanx in advance!
Spyros
Not sure, you need to capture the network packets and check what ldap query is being fired and what response is sent. That will give you an idea.
thanks for this wonderful article,
i have followed your steps and was able to get the users defined in Active Directory,but i failed to retrieve the group information from Active Directory.In weblogic admin console groups tab of users i am getting an exception as below
weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090278]Error listing member groups Saiju S at weblogic.security.providers.authentication.LDAPAtnDelegate.listMemberGroups(LDAPAtnDelegate.java:2181) at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.listMemberGroups(LDAPAuthenticatorImpl.java:168) at weblogic.security.providers.authentication.ActiveDirectoryAuthenticatorMBeanImpl.listMemberGroups(ActiveDirectoryAuthenticatorMBeanImpl.java:206) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437) at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836) at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449) at java.security.AccessController.doPrivileged(Native Method) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447) at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:263) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449) at java.security.AccessController.doPrivileged(Native Method) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447) at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:444) at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:323) at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11$1.run(JMXConnectorSubjectForwarder.java:663) at java.security.AccessController.doPrivileged(Native Method) at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11.run(JMXConnectorSubjectForwarder.java:661) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.invoke(JMXConnectorSubjectForwarder.java:654) at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1427) at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72) at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1265) at java.security.AccessController.doPrivileged(Native Method) at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1367) at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788) at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source) at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1035_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:993) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy354.listMemberGroups(Unknown Source) at com.bea.console.utils.security.UserUtils.getParentGroupNames(UserUtils.java:271) at com.bea.console.actions.security.users.UserGroupsAction.execute(UserGroupsAction.java:74) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044) at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116) at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:261) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853) at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631) at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158) at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:262) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414) at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:134) at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:686) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:266) at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:107) at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292) at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361) at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208) at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162) at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388) at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258) at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:211) at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:196) at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:47) at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209) at weblogic.work.ExecuteThread.run(ExecuteThread.java:178) Caused by: netscape.ldap.LDAPException: Referral connect failed: failed to connect to server ldap://cop.oracle.com/CN=Users,DC=cop,DC=oracle,DC=com (91); Cannot connect to the LDAP server; Failed to follow referral at netscape.ldap.LDAPConnection.referralConnect(LDAPConnection.java:4946) at netscape.ldap.LDAPConnection.performReferrals(LDAPConnection.java:5127) at netscape.ldap.LDAPConnection.checkSearchMsg(LDAPConnection.java:2644) at netscape.ldap.LDAPConnection.search(LDAPConnection.java:2607) at weblogic.security.providers.authentication.LDAPAtnDelegate.listMemberGroups(LDAPAtnDelegate.java:2167) … 116 more
Can you help me in solving this and get the groups infromation as well from Active Directory
Can you enable SecurityATN Debug and paste the relevant part of log here?
Hi,
Did this issue ever get resolved? We are facing a similar problem.
Many thanks,
John
Do you have any further instrux on connecting WL to AD LDS? I’ve tried creating to authenticators but neither are working. Below are my config.xml entries along with the error from WL when trying to login to the application.
DugActiveDirectoryAuthenticator
SUFFICIENT
SRV07
CN=weblogic,CN=Users,O=NEOSYS,C=US
CN=Users,O=NEOSYS,C=US
{AES}68Xd572ui1xuNwVa/hEml8l8lGWcr1oXP8l4YuQqZgg=
CN=Users,O=NEOSYS,C=US
–
DugLDAPAuthenticator
SUFFICIENT
SRV07
users
CN
CN=weblogic,CN=Users,O=NEOSYS,C=US
CN=Users,O=NEOSYS,C=US
{AES}wvGfvUgwAaSfuXmvf6bMw4OqDS5n1Yqe0kvoSNFQ0AY=
(&(uid=%u)(objectclass=users))
CN=Users,O=NEOSYS,C=US
can you send you ad scheme, config.xml and server logs with securityATN debug enabled at [email protected]?
Hi Guys
I saw you have great discussion on topic we need. Have you got an answer can Weblogic sso (snego) be configured with ADAM?
Have you make it work in the end?
Thanks
Natalya
Hi Natalya,
I havent configured ADAM for SPNEGO authentication yet.
Do you log in to your client machine from users in ADAM? Is it acting as a domain controller?
What is your architechture like?
Thanks,
Faisal
Hi Faisal,
Thanks for the above post.
In my company we have a build in AD.
I am doing a POC in which i need to configure this AD in weblogic.
But when i am creating a new provider as ActiveDirectoryAuthenticator, weblogic asks me to restart the server. Upon doing this i am getting below error :
“All of the servers selected are currently in a state which is incompatible with this operation or are not associated with a running Node Manager or you are not authorized to perform the action requested. No action will be performed”
Please let me know if you need any more information.
Hi Neeraj,
I guess you don’t have the permission to restart the server.
How are you logged in as? Do you use node manager to start stop servers?
we have set up a APEX application that is presented from weblogic we folloewd the Oracle documentation and all works we now want to add CAC authentication to the application we have forms and reports running from the weblogic instance with SSL and CAC (WLS-FORMS and WLS-REPORTS) but the APEX is not (WLS-APEX) i have set them up each with their own server
Hi Faysal,
The post is useful. I have a similar error as listed above by Saiju. I enabled the debug. I am able to connect to the LDAP server through an open source tool called LDAP Admin. I am concerned that Weblogic is unable to connect.
Could you please help me.
#### <Administration Console encountered the following error: weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection
at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3492)
at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3479)
at weblogic.security.providers.authentication.LDAPAtnDelegate.listUsers(LDAPAtnDelegate.java:2267)
at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.listUsers(LDAPAuthenticatorImpl.java:178)
at weblogic.security.providers.authentication.ActiveDirectoryAuthenticatorMBeanImpl.listUsers(ActiveDirectoryAuthenticatorMBeanImpl.java:227)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:791)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:263)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:444)
at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:323)
at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11$1.run(JMXConnectorSubjectForwarder.java:663)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11.run(JMXConnectorSubjectForwarder.java:661)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.invoke(JMXConnectorSubjectForwarder.java:654)
at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1486)
at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:96)
at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1327)
at java.security.AccessController.doPrivileged(Native Method)
at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1426)
at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:847)
at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:201)
at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:299)
at javax.management.remote.rmi.RMIConnectionImpl_1211_WLStub.invoke(Unknown Source)
at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1017)
at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544)
at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380)
at $Proxy72.listUsers(Unknown Source)
at com.bea.console.utils.security.UserUtils.getUsers(UserUtils.java:78)
at com.bea.console.actions.security.users.UserTableAction.getCollection(UserTableAction.java:100)
at com.bea.console.actions.security.ManagementBaseTableAction.execute(ManagementBaseTableAction.java:82)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116)
at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:261)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:262)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:134)
at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199)
at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1129)
at com.bea.portlet.adapter.scopedcontent.framework.internal.PageFlowUtilsBeehiveDelegate.strutsLookupInternal(PageFlowUtilsBeehiveDelegate.java:43)
at com.bea.portlet.adapter.scopedcontent.framework.PageFlowUtils.strutsLookup(PageFlowUtils.java:108)
at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:707)
at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:265)
at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:103)
at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292)
at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146)
at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:399)
at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208)
at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162)
at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:465)
at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:291)
at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:231)
at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:216)
at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:275)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:64)
at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:125)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:242)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:216)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:132)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:338)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3288)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3254)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2163)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1513)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: java.lang.reflect.InvocationTargetException
at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:4166)
at weblogic.security.utils.Pool.newInstance(Pool.java:37)
at weblogic.security.utils.Pool.getInstance(Pool.java:33)
at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:3487)
… 128 more
Caused by: netscape.ldap.LDAPException: Connection refused: connect (91); Cannot connect to the LDAP server
at weblogic.security.providers.authentication.LDAPAtnDelegate$AtnLDAPSocketFactory.makeSocket(LDAPAtnDelegate.java:4702)
at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)
at netscape.ldap.LDAPConnThread.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:4141)
… 131 more
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:69)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:157)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
at java.net.Socket.connect(Socket.java:579)
at java.net.Socket.connect(Socket.java:528)
at java.net.Socket.(Socket.java:425)
at java.net.Socket.(Socket.java:208)
at weblogic.security.providers.authentication.LDAPAtnDelegate$AtnLDAPSocketFactory.makeSocket(LDAPAtnDelegate.java:4691)
… 140 more
>
Thanks,
Rajesh
issue resolved after the call with Rajesh.
Hi Faysal/Rajesh,
I am getting the same issue when i configured iPlanet coustm provider. could you please let me the solutions for the same.
issue:
<Console encountered the following error weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection
Caused by: java.lang.reflect.InvocationTargetException
at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:4166)
Hi,
Is it mandatory to assign the AD user to Administrator Group? We have some limitation regarding the company security policies that prevent us to do this.
Please let me know if there is any alternative.
Thanks in advance.
No its is not mandatory.. we did this so that the AD user gets Weblogic roles..
I have an ADF application ,which I want to authenticate using Active Directory. I have been able to configure the ActiveDirectory Provider successfully in the Integrated Weblogic server for Jdev ,due which I can list all the roles and the Users in the weblogic console. But when i run the application and try to login using any of those AD users,it gives a pop-up stating “Specify correct username and password”. The AD users are active and password has been reset for them
Hi Garima,
I am not sure how ADF roles map to Weblogic server roles.
You will have to get in touch with and ADF expert.
If you want to see what is going wrong on Weblogic, you can go to Server > Debug > expand weblogic > expand security > check ATN and ATZ
The logs will give you an idea..
Hope this helps.
Regards,
Faisal
Hello
I have another issue. I should authenticate the users of my application through Active Directory (user existence and pasword validation) but I want to ignore the user group returned by Active Directory and obtain the group of the user through a call to a web service. How can I do this throug an Active Directory Authenticator? What else can I do?
Thank you in advance for your help
Regards,
Angeliki
you will have to write a custom authenticator for this purpose..
Hi Faisal
I have AD server set up in windows with user names and pws. I have base DN created in AD. Now I need to use LDAP in weblogic. What are the steps. I am trying to set up leap in console, I need to give leap server name(which is AD) and then base dn and the group name and password. Which password is this. When we create group in ad, we do not create password. We just create group using list of users. Users will have individual password but not the group. Any response is appreciated. Any url reference will be good.
Hi,
The password is of the principal user, the one that gives connection to LDAP Server.
Thanks,
Faisal