LDAP servers can be configured as an authenticator in WebLogic Server. In order to use an LDAP server efficiently, it must be possible to uniquely identify LDAP objects. A GUID (global universal identifier) attribute can be used as the unique identifier for an LDAP object. There are several specific and some more generic LDAP authentication providers available for WebLogic Server. The specific authentication providers have default GUID attributes (see the documentation section ‘Use of GUID and LDAP DN Data in WebLogic Principals’). When using the generic WebLogic Server LDAPAuthenticator, there is no default GUID attribute. In order for LDAP caching to work and to allow browsing of group memberships for users, the GUID attribute needs to be defined. The entryUUID operational attribute is a good candidate for this, since every LDAP server should support it. See RFC 4530. Also see here.
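The following is an added WLST example (not code from the original article or from Oracle) that sets the GUID attribute of a generic LDAPAuthenticator to entryUUID. The admin URL, the credentials, the realm name ‘myrealm’ and the provider name ‘ApacheDSAuthenticator’ are assumptions; adjust them to your domain.

```wlst
# Added example, not from the original article. Assumed values: admin URL,
# credentials, realm name and the name of the generic LDAPAuthenticator.
adminUrl  = 't3://localhost:7001'          # assumed
realmName = 'myrealm'                       # assumed
provName  = 'ApacheDSAuthenticator'         # assumed provider name

connect('weblogic', 'welcome1', adminUrl)   # assumed credentials
edit()
startEdit()

# Navigate to the LDAPAuthenticator in the edit tree; domainName is a WLST built-in.
cd('/SecurityConfiguration/' + domainName + '/Realms/' + realmName
   + '/AuthenticationProviders/' + provName)
provider = cmo

# A generic LDAPAuthenticator has no default GUID attribute, so this is empty
# until set; without it LDAP caching and group-membership browsing cannot work.
print 'GUID attribute before:', provider.getGuidAttribute()

# Use the RFC 4530 entryUUID operational attribute as the unique identifier.
provider.setGuidAttribute('entryUUID')

save()
activate(block='true')
print 'GUID attribute after:', provider.getGuidAttribute()
disconnect()
```

Authentication provider changes are not dynamic: restart the servers after activating, then confirm with DebugSecurityAtn that the GUID is resolved for the user and no errors are logged during authentication.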
In my example, I’ve used the user ‘maarten’ to authenticate myself when logging into WebLogic Server. The user ‘maarten’ is a member of the groups Administrators and DummyGroup. The debug information was acquired by setting the DebugSecurityAtn flag as described here. WebLogic Server 126.96.36.199.0 was used and ApacheDS 2.0.0 as the LDAP server. For the configuration of ApacheDS/WebLogic Server, I’ve used the following: http://technology.amis.nl/2014/08/03/ldap-weblogic-using-apacheds-authentication-provider/.
In the example below, the GUID attribute is set to ‘entryUUID’. As you can see, the GUID is correctly determined and there were no errors during authentication. Read the complete article here.
For regular information, become a member of the WebLogic Partner Community; please visit: http://www.oracle.com/partners/goto/wls-emea (OPN account required). If you need support with your account, please contact the Oracle Partner Business Center.