Setting up Active Directory Lightweight Directory Service as a Weblogic Authentication Provider

Setup of an LDS/ADAM (Active Directory Lightweight Directory Services) LDAP server as an authentication provider on Weblogic, for use with the Oracle BPM 11g 11.1.1.5 Feature Pack.

There may be many reasons why it might be beneficial or necessary to configure a separate LDAP for your BPM/SOA Suite implementation. Corporate LDAPs are often huge, slow, poorly maintained, restricted from change and even full of circular references.

One of my customers was setting up their environments for the current latest version of Oracle BPM 11g. One of the steps was to configure a directory to handle both authentication and user groups. The LDAP of choice was a poor sister of Active Directory called LDS. I say poor because it is not exactly the same, and the AD Weblogic providers are designed to work with the elder brother. Therefore the standard procedure of setting up an AD provider just didn't work with LDS, because of some attributes that are missing in LDS. But I made it work anyway. This is how I did it.

Active Directory LDS/ADAM

Active Directory (AD) is a directory service provided by Microsoft which uses the Lightweight Directory Access Protocol (LDAP). AD servers are commonly called domain controllers. A less well known relative of AD is Active Directory Lightweight Directory Services (AD LDS), which was previously known as Active Directory Application Mode (ADAM).

Identity Virtualization

By default, a service instance supports querying against a single LDAP identity store. You can configure the service to support a virtualized identity store which queries multiple LDAP identity stores. This feature is known as identity virtualization.

Which Authentication Provider?

Weblogic already has an embedded LDAP which we use to log in to the console. In our particular case we want to keep using this alongside the other directory we have been given. Weblogic provides many authentication providers to cover most bases, and even the possibility to create your own. The AD provider works fine for a normal AD. However, to make authentication work with LDS we need to use the base LDAP authenticator. When we are finished we can still log in to the BPM Workspace using the user weblogic defined in the embedded LDAP, and also with a user defined in LDS.

Create a new LDAP Authenticator

Log in to the weblogic console as an admin user (e.g. weblogic). Navigate to the Authentication Provider setup and select the type LDAPAuthenticator.

Home >Summary of Servers >AdminServer >Summary of Servers >Summary of Security Realms >myrealm >Realm Roles >DEV >Summary of Security Realms >myrealm >Providers

Add New Authenticator

Click OK. Then click on the new BPM_LDAPAuthenticator you just created and change the Control Flag to SUFFICIENT. Then click on the Save button.

Sufficient

Click on the Provider Specific tab.

Update the values of the fields of the provider. Update all the values in one go before you click Save. Below are some sample values. They will be different for your own LDAP. You should use an LDAP explorer UI tool to check how yours is set up. These are initial settings; we will look into tuning once we have it working.


Click Save.

Click the Reorder button and use the arrow to move the new authenticator to second place on the list.

Save the changes.

Restart Admin and SOA servers.
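The reason the new authenticator is set to SUFFICIENT and placed second is the way the realm combines provider results according to their JAAS control flags. The following is an added example, not code from the original post or from Oracle: a small simulation of those rules over an ordered provider list, with constructed sample users and passwords. It also shows a pitfall the post does not spell out: if the embedded DefaultAuthenticator stays at its usual REQUIRED flag, the LDS user is still rejected, whereas with both providers SUFFICIENT the user weblogic and an LDS user can each log in.

```python
# Added example (not from the original post): simulate how WebLogic's realm
# evaluates an ordered list of authentication providers using JAAS control
# flags. Provider names, users and passwords below are constructed sample data.

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


class Provider:
    """One authentication provider: a name, a control flag and a toy user store."""

    def __init__(self, name, flag, users):
        self.name = name
        self.flag = flag
        self.users = users  # username -> password (constructed sample data)

    def authenticate(self, user, password):
        return self.users.get(user) == password


def login(providers, user, password):
    """Apply the JAAS LoginContext rules to an ordered provider list.

    Returns (success, names_of_providers_tried).
    - REQUIRED:   must succeed; evaluation always continues down the list.
    - REQUISITE:  must succeed; on failure evaluation stops immediately.
    - SUFFICIENT: on success evaluation stops immediately, unless an earlier
                  REQUIRED/REQUISITE provider already failed; on failure continue.
    - OPTIONAL:   result does not decide anything by itself; continue.
    Overall success needs every REQUIRED/REQUISITE provider that was tried to
    succeed; if there are none, at least one SUFFICIENT/OPTIONAL must succeed.
    """
    tried = []
    required_failed = False
    has_required = False
    any_other_ok = False
    for p in providers:
        tried.append(p.name)
        ok = p.authenticate(user, password)
        if p.flag in (REQUIRED, REQUISITE):
            has_required = True
            if not ok:
                required_failed = True
                if p.flag == REQUISITE:
                    break
        elif ok:  # SUFFICIENT or OPTIONAL that succeeded
            if p.flag == SUFFICIENT and not required_failed:
                return True, tried  # short-circuit: no later provider is consulted
            any_other_ok = True
    if required_failed:
        return False, tried
    if has_required:
        return True, tried
    return any_other_ok, tried


def scenario(default_flag):
    """Three login attempts against the chain as configured in the post,
    with the embedded DefaultAuthenticator carrying the given control flag."""
    chain = [
        Provider("DefaultAuthenticator", default_flag, {"weblogic": "welcome1"}),  # embedded LDAP
        Provider("BPM_LDAPAuthenticator", SUFFICIENT, {"jdoe": "lds-secret"}),   # AD LDS, second in list
    ]
    return {
        "weblogic": login(chain, "weblogic", "welcome1")[0],
        "jdoe": login(chain, "jdoe", "lds-secret")[0],
        "jdoe-wrong-password": login(chain, "jdoe", "nope")[0],
    }


if __name__ == "__main__":
    for flag in (REQUIRED, SUFFICIENT):
        print(f"DefaultAuthenticator={flag}: {scenario(flag)}")
```

With DefaultAuthenticator at REQUIRED the LDS user jdoe fails even though BPM_LDAPAuthenticator accepts the credentials; with both providers at SUFFICIENT the first provider that accepts the user wins and a wrong password is still rejected by every provider.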

Log in to the weblogic console again as an admin user (as above).

Navigate to where the users and groups are defined.

Home >BPM_LDAPAuthenticator >Providers >BPM_LDAPAuthenticator >Providers >Summary of Security Realms >myrealm >Providers >Users and Groups

Check that a user from LDS exists, then click on the link to see the details for this user.

Click on the Groups tab to see the groups the user is a member of.

Confirm that the console shows the user is a member of a group that you know it belongs to.

NB: If you cannot see both the user and the group, then you must check the settings above. Fix them and restart the servers again. As a last resort it may also be necessary to delete the authenticator and recreate it using the steps above.

Enabling Identity Virtualization

Log in to the Enterprise Manager console of the SOA server at http://<servername>:<soaport>/em

Navigate to Security Provider Configuration as shown in the screenshot below.

Click on the Configure button and then on the green plus sign to add a new property. The name is virtualize and the value is true.

Click OK.

Setting up the generic LDAP authenticator to communicate as Active Directory

NB: This last step is only needed if you are using a lightweight Active Directory (i.e. LDS/ADAM).

Go to the file system and open the file <Domain Home>/config/fmwconfig/jps-config.xml in a text editor.

Search for the text <property value="true" name="virtualize"/>

If this does not exist, then restart the Admin and SOA servers.

Update the configuration of jps-config.xml to add the following configuration. The new text to add is the serviceInstanceRef line inside the existing idstore.ldap instance and the whole new BPM_LDAPAuthenticator serviceInstance; the three properties already present in idstore.ldap (including the virtualize property added above) are shown for context. The name BPM_LDAPAuthenticator below is the name of the new LDAPAuthenticator you chose above.

<serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
    <property value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider" name="idstore.config.provider"/>
    <property value="oracle.security.idm.providers.stdldap.JNDIPool" name="CONNECTION_POOL_CLASS"/>
    <property value="true" name="virtualize"/>
    <serviceInstanceRef ref="BPM_LDAPAuthenticator"/>
</serviceInstance>

<serviceInstance name="BPM_LDAPAuthenticator" provider="idstore.ldap.provider">
    <property name="idstore.type" value="ACTIVE_DIRECTORY"/>
</serviceInstance>

Restart the Admin and SOA weblogic servers.
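Hand-editing jps-config.xml is error-prone, and a malformed file will stop the servers from starting, so keep a backup and make the change in a way you can verify. The following is an added example, not code from the original post or from Oracle: a Python script using the standard library's xml.etree that applies exactly the edit above (virtualize property, serviceInstanceRef, and the BPM_LDAPAuthenticator serviceInstance with idstore.type=ACTIVE_DIRECTORY) and is safe to run twice. The embedded document is a constructed, minimal jps-config.xml; the namespace URI, and the authenticator name BPM_LDAPAuthenticator as a default, are assumptions of this example, and a real file contains many more service instances.

```python
# Added example (not from the original post): apply the jps-config.xml change
# described above programmatically and idempotently with xml.etree.
import xml.etree.ElementTree as ET

# Constructed, minimal jps-config.xml with only the idstore.ldap instance.
# The namespace URI is an assumption of this example.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
      <property value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider" name="idstore.config.provider"/>
      <property value="oracle.security.idm.providers.stdldap.JNDIPool" name="CONNECTION_POOL_CLASS"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _ns(root):
    """Return the '{uri}' tag prefix of the root element (empty if no namespace)."""
    return root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _set_property(elem, ns, name, value):
    """Set <property name=... value=.../> under elem, updating it if it already exists."""
    for prop in elem.findall(f"{ns}property"):
        if prop.get("name") == name:
            prop.set("value", value)
            return prop
    return ET.SubElement(elem, f"{ns}property", {"value": value, "name": name})


def configure_lds_idstore(xml_text, authenticator="BPM_LDAPAuthenticator"):
    """Return the jps-config XML with the AD LDS identity-store wiring applied.

    - ensures idstore.ldap carries virtualize=true (the property added via EM),
    - adds <serviceInstanceRef ref=authenticator/> inside idstore.ldap,
    - adds a serviceInstance for the authenticator with idstore.type=ACTIVE_DIRECTORY,
      which makes the generic LDAP authenticator be treated as Active Directory.
    Running it on an already-modified document changes nothing.
    """
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns[1:-1])  # keep the default namespace on output
    instances = root.find(f"{ns}serviceInstances")
    if instances is None:
        raise ValueError("no <serviceInstances> element found")
    idstore = next((i for i in instances.findall(f"{ns}serviceInstance")
                    if i.get("name") == "idstore.ldap"), None)
    if idstore is None:
        raise ValueError("no idstore.ldap serviceInstance found")

    _set_property(idstore, ns, "virtualize", "true")
    if not any(r.get("ref") == authenticator for r in idstore.findall(f"{ns}serviceInstanceRef")):
        ET.SubElement(idstore, f"{ns}serviceInstanceRef", {"ref": authenticator})
    if not any(i.get("name") == authenticator for i in instances.findall(f"{ns}serviceInstance")):
        new = ET.SubElement(instances, f"{ns}serviceInstance",
                            {"name": authenticator, "provider": "idstore.ldap.provider"})
        _set_property(new, ns, "idstore.type", "ACTIVE_DIRECTORY")
    return ET.tostring(root, encoding="unicode")


def describe(xml_text):
    """Summarise every serviceInstance (provider, properties, refs) for checking the result."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    summary = {}
    for inst in root.iter(f"{ns}serviceInstance"):
        summary[inst.get("name")] = {
            "provider": inst.get("provider"),
            "properties": {p.get("name"): p.get("value") for p in inst.findall(f"{ns}property")},
            "refs": [r.get("ref") for r in inst.findall(f"{ns}serviceInstanceRef")],
        }
    return summary


if __name__ == "__main__":
    # On a real domain you would read <Domain Home>/config/fmwconfig/jps-config.xml
    # (after backing it up) and write the result back; here the constructed sample is used.
    print(configure_lds_idstore(SAMPLE_JPS_CONFIG))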

Final Functional Testing

Now log in to the BPM Workspace console with the weblogic user and then with a user seeded in LDS. If that works then go grab a cup of tea, you are done for now!

Comments:

Thank you. This was helpful.

Posted by guest on July 02, 2012 at 12:28 AM PDT #

Hi,

I have configured SQLProvider in the Weblogic realm. I also modified jps-config.xml as described in http://docs.oracle.com/cd/E25054_01/core.1111/e10043/devuserole.htm#. I am using version 11.1.1.6 (Windows installation) of Oracle BPM 11g. Though I have set the SQL provider as first with the SUFFICIENT control flag, I am still not able to see the users from the DB from the Oracle BPM Administration link. Those are visible in EM.

Posted by arindam on September 13, 2012 at 10:18 AM PDT #

Hi arindam,

You can only use LibOVD (virtualization) with LDAP authenticators (as is being done here). It won't work with an LDAP and a SQL provider. Then you will have to use the full version of Oracle Virtual Directory, which is able to merge the two into one virtual directory that weblogic will use. If you are just using the ONE SQL provider then this should work with the BPM workspace if you have set it up correctly.

Thanks

Christopher Karl Chan

Posted by Christopher Karl Chan on November 20, 2012 at 05:03 AM PST #

Hi!

I have a question regarding compatibility between UCM 10g/WebCenter Content 11g and Active Directory 2012. A customer is right now using both UCM 10g and WCC 11g with Windows Server 2008 R2 and Active Directory. They will, however, soon upgrade to windows 7 and Active Directory 2012. Any compatibility issues we should be aware of?

Cheers!
/David

Posted by David on July 11, 2013 at 02:48 AM PDT #

Hi Chris,
I also see an option in weblogic to integrate Active Directory directly instead of using LDAP.
Can you let me know if we can use this and how to modify the config xml accordingly in case we are using AD?

Thanks,
Alice

Posted by guest on July 11, 2013 at 08:10 AM PDT #

Hi David,

This blog post is about Authentication Providers in a BPM scope.

Your customer should be fine using a standard Active Directory provider in weblogic to connect to Active Directory 2012

Thanks

Christopher

Posted by Christopher Karl Chan on July 16, 2013 at 05:29 AM PDT #

Alice,

If you need to add a weblogic Active Directory Authentication Provider (instead of the LDAP provider above) and set it up in a similar fashion.

You should NOT update config.xml manually (if you can help it), since any errors will prevent the Admin server from starting!!

Christopher

Posted by Christopher Karl Chan on July 16, 2013 at 05:36 AM PDT #

Hi Chris,

Thanks - so in case we are using Active Directory directly, we need not change the jps-config.xml as described in this case, right?
By default, it will log on to the BPM worklist (without configuring anything in jps-config.xml).

Can you suggest the best practice to connect to Active Directory in OBPM 11g (and if possible throw some light on how to configure a clustered BPM 11g or SOA environment)?

Thanks,
Alice

Posted by Alice on July 24, 2013 at 06:56 AM PDT #

Alice,

Yes.
If you configure your Active Directory (AD) Authentication Provider correctly, then your users in AD will be able to log in to the BPM Workspace 11g.

However there are a few details you must configure.

* The AD provider must be configured to find your group of users (similar configuration to above), so the provider can find these users during authentication.
* The provider must either be the first on the list of providers OR you have to enable libOVD and SUFFICIENT (as I have described above).

It is fairly straightforward to install a clustered installation of BPM Suite 11g. However, you should refer to the Enterprise Deployment Guide, since there are lots of considerations depending on your requirements.

http://docs.oracle.com/cd/E12839_01/core.1111/e12036.pdf

e.g.
Database or OID/OVD policy store (if you are in production)
Coherence configuration for deployment
Load balancing (hardware/Weblogic proxy)

Christopher

Posted by Christopher Karl Chan on July 24, 2013 at 07:42 AM PDT #

About

Christopher Karl Chan

Christopher is a Principal Solutions Architect in the FMW Architects team aka the A-Team.
The A-Team is the central, technical, outbound team as part of the FMW Development organization working with Oracle's largest and most important customers.
