Setting up Active Directory Lightweight Directory Service as a Weblogic Authentication Provider
By Christopher Karl Chan on Feb 04, 2012
Setup of an AD LDS/ADAM LDAP server as a Weblogic authentication provider for use with the Oracle BPM 11g 18.104.22.168 Feature Pack.
There are many reasons why it may be beneficial or necessary to configure a separate LDAP for your BPM/SOA Suite implementation. Corporate LDAPs are often huge, slow, poorly maintained, hard to get changed and sometimes even full of circular references.
One of my customers was setting up their environments for the current latest version of Oracle BPM 11g. One of the steps was to configure a directory to handle both authentication and user groups. The chosen LDAP was a poor sister of Active Directory called LDS. I say poor because it is not exactly the same, and the AD Weblogic providers are designed to work with the elder brother. Therefore the standard procedure for setting up an AD provider just didn't work with LDS, because of some attributes that are missing in LDS. But I made it work anyway. This is how I did it.
Active Directory LDS/ADAM
Active Directory (AD) is a directory service provided by Microsoft which uses the Lightweight Directory Access Protocol (LDAP). AD servers are commonly called domain controllers. A less well known relative of AD is Active Directory Lightweight Directory Services (AD LDS), which was previously known as Active Directory Application Mode (ADAM).
By default, a service instance supports querying against a single LDAP identity store. You can configure the service to support a virtualized identity store which queries multiple LDAP identity stores. This feature, known as identity virtualization
Which Authentication Provider?
Weblogic already has an embedded LDAP which we use to log in to the console. In our particular case we want to keep using this as well as the other directory we have been given. Weblogic provides many authentication providers to cover most bases, and even the possibility to create your own. The AD provider works fine for a normal AD. However, to make authentication work with LDS we need to use the base LDAP authenticator (LDAPAuthenticator). When we are finished we can still log in to the BPM Workspace using the user weblogic defined in the embedded LDAP and also with a user defined in LDS.
Create a new LDAP Authenticator
Log in to the Weblogic console as an admin user (e.g. weblogic). Navigate to the Authentication Provider setup for the security realm and create a new provider with the type LDAPAuthenticator.
Click OK. Then click on the new BPM_LDAPAuthenticator you just created and change the Control Flag to SUFFICIENT. Then click on the Save button.
Click on the Provider Specific Tab
Update the values of the provider fields. Update all the values in one go before you click Save. Sample values are shown below; they will be different for your own LDAP, so you should use an LDAP explorer UI tool to check how yours is set up. These are initial settings. We will look into tuning once we have it working.
Click the Reorder button and use the arrow to move the new authenticator to be second on the list.
Save the changes.
Restart Admin and SOA servers.
Log in to the Weblogic console again as an admin user (as above).
Navigate to the Users and Groups tab of the security realm, where the users and groups are listed.
Check that a user from LDS exists and then click on its link to see the details for this user login.
Click on the Groups tab to see the groups the user is a member of.
Confirm that the console shows that the user is a member of a group that you know it belongs to.
NB: If you cannot see both the user and the group then you must check the settings above. Fix them and restart the servers again. As a last resort it may also be necessary to delete the authenticator and recreate it using the steps above.
Enabling Identity Virtualization
Log in to the Enterprise Manager console of the SOA server at http://<servername>:<soaport>/em
Navigate to Security Provider Configuration as shown in the screenshot below.
Click on the Configure button, then on the green plus sign to add a new property. The name is virtualize and the value is true.
Setting up the generic LDAP authenticator to communicate as Active Directory
NB: This last step is only needed if you are using a lightweight Active Directory (i.e. LDS/ADAM).
Go to the file system and open the file <Domain Home>/config/fmwconfig/jps-config.xml in a text editor.
Search for the text <property value="true" name="virtualize"/>
If it is not there yet, restart the Admin and SOA servers so that the property set in Enterprise Manager is written to the file, then check again.
Update jps-config.xml to add the configuration below. The nested serviceInstance element for the authenticator (highlighted in red in the original post) is the new text to be added; the outer idstore.ldap serviceInstance and its virtualize property should already be present from the previous step. The name BPM_LDAPAuthenticator is the name of the new LDAPAuthenticator you chose above.
<serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
    <property value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider" name="idstore.config.provider"/>
    <property value="oracle.security.idm.providers.stdldap.JNDIPool" name="CONNECTION_POOL_CLASS"/>
    <property value="true" name="virtualize"/>
    <serviceInstance name="BPM_LDAPAuthenticator" provider="idstore.ldap.provider">
        <property name="idstore.type" value="ACTIVE_DIRECTORY"/>
    </serviceInstance>
</serviceInstance>
Restart the Admin and SOA weblogic servers.
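Before restarting, it is worth confirming the edit took effect exactly as intended, since a missing or misspelled property silently falls back to the generic LDAP behaviour. The checker below is an added example written for this post (not Oracle's code or part of the original article); it parses jps-config.xml, ignores the file's XML namespace, and verifies that idstore.ldap carries virtualize=true and a nested serviceInstance for the chosen authenticator with idstore.type=ACTIVE_DIRECTORY. The embedded XML sample is constructed for the demonstration, and its xmlns value is illustrative only.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of jps-config.xml (not copied from a
# real domain); the xmlns is illustrative, the checker ignores namespaces anyway.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
      <property value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider" name="idstore.config.provider"/>
      <property value="oracle.security.idm.providers.stdldap.JNDIPool" name="CONNECTION_POOL_CLASS"/>
      <property value="true" name="virtualize"/>
      <serviceInstance name="BPM_LDAPAuthenticator" provider="idstore.ldap.provider">
        <property name="idstore.type" value="ACTIVE_DIRECTORY"/>
      </serviceInstance>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Strip an XML namespace prefix so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _properties(element):
    """Map name -> value for the direct <property> children of an element."""
    return {c.get("name"): c.get("value") for c in element if _local(c.tag) == "property"}


def check_idstore_config(xml_text, authenticator_name):
    """Return a list of problems; an empty list means the settings from the post are present."""
    problems = []
    root = ET.fromstring(xml_text)
    instances = [e for e in root.iter() if _local(e.tag) == "serviceInstance"]
    idstore = next((e for e in instances if e.get("name") == "idstore.ldap"), None)
    if idstore is None:
        return ["no serviceInstance named idstore.ldap"]
    if _properties(idstore).get("virtualize") != "true":
        problems.append("virtualize is not 'true' on idstore.ldap (set it in Enterprise Manager)")
    # The post nests the authenticator's serviceInstance directly under idstore.ldap.
    nested = next((c for c in idstore
                   if _local(c.tag) == "serviceInstance" and c.get("name") == authenticator_name), None)
    if nested is None:
        problems.append(f"no nested serviceInstance named {authenticator_name} under idstore.ldap")
    elif _properties(nested).get("idstore.type") != "ACTIVE_DIRECTORY":
        problems.append(f"idstore.type of {authenticator_name} is not ACTIVE_DIRECTORY")
    return problems


if __name__ == "__main__":
    for line in check_idstore_config(SAMPLE_JPS_CONFIG, "BPM_LDAPAuthenticator") or ["jps-config.xml looks good"]:
        print(line)
```

To run it against a real domain, read <Domain Home>/config/fmwconfig/jps-config.xml into a string and pass it with the authenticator name you chose.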
Final Functional Testing
Now log in to the BPM Workspace console with the weblogic user and then with a user seeded in LDS. If both work then go grab a cup of tea, you are done for now!