Configuring Dynamic LDAP Groups with IPlanetAuthenticator on Weblogic Server

IPlanet LDAP Server implements dynamic LDAP groups through the groupOfURLs object class. A groupOfURLs entry can have multiple memberURL attributes, each one consisting of an LDAP URL that selects a set of entries in the directory. The members of the group are the union of these sets.

In the example below, the TestDynamic group has a single memberURL attribute:

memberURL ldap:///dc=oracle,dc=com??sub?(&(objectclass=person)(description=dynUser))

All users whose description is dynUser belong to this group.
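To make the membership rule concrete, the following added example (not part of the original article, and not iPlanet or WebLogic code) parses a memberURL value and evaluates it against a small constructed directory. The function names and sample entries are assumptions made for illustration, and the filter evaluator handles only &, |, ! and equality/presence tests.

```python
from urllib.parse import unquote
# Constructed sample directory (DN -> attributes); only PAGE_URL comes from the page.
ENTRIES = {
    "uid=faisal,ou=People,dc=oracle,dc=com": {"objectclass": ["person"], "description": ["dynUser"]},
    "cn=printer1,ou=Devices,dc=oracle,dc=com": {"objectclass": ["device"], "description": ["dynUser"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectclass": ["person"], "description": ["dynUser"]},
}
PAGE_URL = "ldap:///dc=oracle,dc=com??sub?(&(objectclass=person)(description=dynUser))"

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("only host-less ldap:/// URLs are handled")
    base, _, rest = url[len("ldap:///"):].partition("?")
    _attrs, scope, flt = (rest.split("?") + ["", "", ""])[:3]
    return unquote(base), (scope or "base").lower(), unquote(flt) or "(objectClass=*)"

def in_scope(dn, base, scope):
    """Simplified DN comparison: case-insensitive, no escaped commas."""
    dn, base = dn.lower(), base.lower()
    if dn == base or scope == "base":
        return dn == base and scope != "one"
    return dn.endswith("," + base) and (scope == "sub" or "," not in dn[:-len(base) - 1])

def subfilters(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised parts."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(" and depth == 0:
            start = i
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == ")" and depth == 0:
            out.append(s[start:i + 1])
    return out

def match(flt, attrs):
    """Evaluate a filter built from &, |, ! and equality/presence tests only."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        results = [match(f, attrs) for f in subfilters(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    name, _, value = body.partition("=")
    values = [v.lower() for v in attrs.get(name.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def dynamic_members(member_urls, entries=ENTRIES):
    """Group membership is the union of the sets selected by each memberURL."""
    rules = [parse_member_url(u) for u in member_urls]
    return {dn for dn, a in entries.items()
            if any(in_scope(dn, b, s) and match(f, a) for b, s, f in rules)}
```

Membership follows the attribute value, so whoever can write description on an entry under the base DN decides who is in the group; write access to that attribute should be restricted accordingly.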

In this article we will configure Weblogic Server with an iPlanet Authenticator that uses dynamic LDAP groups.

Create a User in the iPlanet Server.


Go to Advanced Properties of the user

Click on Add Attribute and select description

Give the description as dynUser and click OK.

Create a Group


Select Members, Dynamic Members, click Add
Give the following LDAP URL
Click Test

Create an iPlanetAuthenticator on Weblogic Server

Under Provider Specific

Port: 500 (the port on which your LDAP server is running)
User Base DN: ou=People,dc=oracle,dc=com
Group Base DN: ou=Groups,dc=oracle,dc=com
Credential: password

Leave the others as default.
The IPlanet Authenticator's default settings are already set up to determine dynamic group membership.

Restart the server, go to Security Realm and click on the Users tab.

Check the group faisal belongs to.

Dynamic Membership is successfully determined by Weblogic Server.

