Login credentials and group memberships (identity) are often centrally managed in enterprises, and many systems consume that information, for example to provide Single Sign On (SSO). Surprisingly, access to the Weblogic Server Console is often not centrally managed. The cause is a common misconception that centrally managed authentication and authorization for the Weblogic Server Console is difficult to achieve. As a result, there are often many local Weblogic Server users, or everyone shares the system accounts. Both workarounds have obvious disadvantages: local accounts are rarely removed when someone leaves, and shared accounts destroy accountability.
If you can obtain user and group information from a centrally managed authentication/authorization provider, you only need to manage those users there. As an additional benefit, developers only need to keep track of a single password instead of one per server. This improves security and developer productivity, and it reduces operational cost. Your server landscape could, for example, look like the image in the original article, where minimal effort is required for user administration while still implementing a separation of concerns between development/test and acceptance/production. This separation is usually a requirement when different people are responsible for the environments and/or the environments are on different network segments.
An LDAP server is often used to manage identity. Usually an organization already runs a directory service such as Oracle Directory Server or Microsoft Active Directory that contains users, groups and login credentials. In Weblogic Server you can configure an authentication provider for such a directory so that its users can access the Weblogic Server Console.
The complexity of using an external LDAP provider as an authenticator for Weblogic Server is often overestimated, especially when a configuration does not work as expected. What can you do to find out what is wrong? In this article I provide suggestions on how authentication using an external LDAP server can be debugged, in order to lower the bar for applying this configuration pattern.
Debugging authentication using Weblogic Server Console
The decision tree below can help with debugging configuration issues in a Weblogic Server; the steps are also described in more detail in the text of the full article. The tree is specific to a configuration in which you can log in with users from the DefaultAuthenticator (the Weblogic embedded LDAP server) as well as from an external authentication provider. Read the complete article here.
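The first branch of that decision tree is almost always the JAAS control flag on each provider: DefaultAuthenticator ships with the flag REQUIRED, so if you simply add an external LDAP authenticator and leave the default in place, every user the embedded LDAP does not know is rejected even though the external provider accepted the password. The following simulator is an added example, not code from the original article or from WebLogic itself. It walks a list of providers with the JAAS control-flag semantics WebLogic uses (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), collects the groups from the providers that accepted the user, and then checks the second common stumbling block: the console's Admin role is granted to the Administrators group by default, so an external user who authenticates fine but lacks that group still cannot open the console. The user stores, passwords and the provider name ActiveDirectoryAuthenticator are constructed for the example.

```python
"""Added example (not part of the original article or of WebLogic itself):
a small simulator of the JAAS control-flag login sequence WebLogic runs over
its authentication providers, used to reproduce the most common reason an
external LDAP user cannot log in to the console."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The four JAAS control flags WebLogic lets you set per authentication provider.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


@dataclass
class Provider:
    """One authentication provider: name, control flag and a constructed user
    store (username -> (password, groups)) standing in for its LDAP backend."""
    name: str
    control_flag: str
    users: Dict[str, Tuple[str, Set[str]]]

    def login(self, user: str, password: str) -> Optional[Set[str]]:
        """Return the user's groups on success, None if the bind fails."""
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return None
        return set(entry[1])


@dataclass
class LoginResult:
    success: bool = False
    groups: Set[str] = field(default_factory=set)
    accepted_by: List[str] = field(default_factory=list)
    mandatory_failures: List[str] = field(default_factory=list)
    trace: List[str] = field(default_factory=list)


def authenticate(providers: List[Provider], user: str, password: str) -> LoginResult:
    """Walk the providers in order with JAAS control-flag semantics:
    REQUIRED   must succeed; the chain continues either way
    REQUISITE  must succeed; a failure aborts the chain at once
    SUFFICIENT a success ends the chain unless a REQUIRED/REQUISITE already failed
    OPTIONAL   outcome is ignored; the chain continues
    Overall success needs every REQUIRED/REQUISITE provider to succeed and at
    least one provider to succeed."""
    result = LoginResult()
    for p in providers:
        groups = p.login(user, password)
        result.trace.append("%s [%s]: %s" % (p.name, p.control_flag,
                                             "success" if groups is not None else "failure"))
        if groups is not None:
            result.accepted_by.append(p.name)
            result.groups |= groups
            if p.control_flag == SUFFICIENT and not result.mandatory_failures:
                result.trace.append("  SUFFICIENT provider succeeded, chain stops")
                break
        else:
            if p.control_flag in (REQUIRED, REQUISITE):
                result.mandatory_failures.append(p.name)
            if p.control_flag == REQUISITE:
                result.trace.append("  REQUISITE provider failed, chain aborts")
                break
    result.success = bool(result.accepted_by) and not result.mandatory_failures
    return result


def can_open_console(result: LoginResult, admin_group: str = "Administrators") -> bool:
    """Authentication is only half of it: the console's Admin role is granted to
    the Administrators group by default, so the user needs that group name from
    one of the providers that succeeded (or the role mapping must be changed)."""
    return result.success and admin_group in result.groups


def diagnose(providers: List[Provider], user: str, password: str) -> str:
    """First branches of a debugging decision tree, derived from the login trace."""
    r = authenticate(providers, user, password)
    if can_open_console(r):
        return "ok"
    if r.success:
        return "authenticated, but not in the Administrators group"
    if r.mandatory_failures and r.accepted_by:
        return ("provider(s) %s are REQUIRED/REQUISITE but do not know this user; "
                "set their control flag to SUFFICIENT" % ", ".join(r.mandatory_failures))
    return "no provider accepted the credentials: check user base DN, filter, password and provider order"


# Constructed user stores: the embedded LDAP with the boot user, and an external
# directory (Active Directory here) holding the developers.
EMBEDDED_LDAP = {"weblogic": ("welcome1", {"Administrators"})}
EXTERNAL_LDAP = {
    "jdoe": ("Secret123", {"Administrators", "Developers"}),
    "asmith": ("Pass456", {"Developers"}),
}


def misconfigured_realm() -> List[Provider]:
    """The new provider was added but DefaultAuthenticator kept its default
    REQUIRED flag, so anyone the embedded LDAP does not know is rejected."""
    return [Provider("DefaultAuthenticator", REQUIRED, EMBEDDED_LDAP),
            Provider("ActiveDirectoryAuthenticator", SUFFICIENT, EXTERNAL_LDAP)]


def corrected_realm() -> List[Provider]:
    """Both providers SUFFICIENT: either one may authenticate a user on its own."""
    return [Provider("DefaultAuthenticator", SUFFICIENT, EMBEDDED_LDAP),
            Provider("ActiveDirectoryAuthenticator", SUFFICIENT, EXTERNAL_LDAP)]


if __name__ == "__main__":
    for realm in (misconfigured_realm, corrected_realm):
        print(realm.__name__)
        for user, pw in (("weblogic", "welcome1"), ("jdoe", "Secret123"), ("asmith", "Pass456")):
            print("  %-8s -> %s" % (user, diagnose(realm(), user, pw)))
            for line in authenticate(realm(), user, pw).trace:
                print("      " + line)
```

Running the script prints the per-provider trace for each realm: in the misconfigured realm jdoe is accepted by the external provider yet the login fails because the REQUIRED DefaultAuthenticator did not know the user; in the corrected realm jdoe gets in, while asmith authenticates but is still refused by the console because the external group Developers is not mapped to the Admin role. On a real server the same trace is what you get by enabling the DebugSecurityAtn debug flag on the server, which is the practical equivalent of the simulator's trace list.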
For regular information, become a member of the WebLogic Partner Community: http://www.oracle.com/partners/goto/wls-emea (OPN account required). If you need support with your account, please contact the Oracle Partner Business Center.