Using OpenLDAP with WebLogic Server
By james.bayer on Aug 12, 2007
This was originally posted on my dev2dev blog August 12th, 2007.
A customer I was working with this week had some difficulty using Active Directory in conjunction with WebLogic Server Security. I've always used the Embedded LDAP server that ships with WLS as my user and group store, since most of my work is just demos and prototypes, but I thought this would be an excellent opportunity to see what it is like to configure an external LDAP provider. Since I don't have easy access to Active Directory, I decided to use OpenLDAP. I am an LDAP newbie and was surprised at the lack of results I got searching on Google for an LDAP 101, but I was able to piece enough information together from Wikipedia and other articles to get me going.
Install and configure OpenLDAP
OpenLDAP is typically used on *nix systems, but my laptop runs Windows XP. I was able to find someone who makes a Windows distribution, and I retrieved version 2.2.29. It's very straightforward to download and install it as a Windows service. Similar to Apache's httpd.conf file, the slapd.conf in the base directory is the master configuration file.
I had to change two things in my file. At the top, I added support for additional schemas based on advice from an email thread. Judging from my limited shoulder surfing at customer sites, it seems very common to use the inetOrgPerson object class, so I added support for that schema and one other named cosine.
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
At the very bottom of the slapd.conf file, you should see a few other things to configure.
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
# Indices to maintain
index objectClass eq
Add Users and Groups
When you first start OpenLDAP, there is no user/group structure provided; you have to add those entries yourself. LDIF is the text format used to import entries into and export them from an LDAP directory. I was able to find some examples and modify them into a user/group structure that worked for my example purposes. Like I said, I'm an LDAP newbie, so do not consider this a recommended structure for your enterprise, but it worked for me to store both users and groups in a very basic way. I'll show you a tool later that you can use to do this visually, but it's helpful to know what's going on under the covers so you understand what the tool is doing.
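The two pieces the post refers to but does not show in full, the rootpw advice at the bottom of slapd.conf and the users/groups LDIF, can be exercised with the following Python. It is an added example, not code from the post or from OpenLDAP. It computes and verifies the {SSHA} password format that slappasswd -h {SSHA} emits (so neither rootpw nor userPassword has to be cleartext), flags a cleartext rootpw line in slapd.conf text, and builds a small inetOrgPerson/groupOfNames tree under a constructed base DN (dc=example,dc=com), then parses it back to list group members. The base DN, user names, group names and passwords are all constructed sample values.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

BASE_DN = "dc=example,dc=com"   # constructed sample suffix, not from the post


# ---- password hashing in the format slappasswd -h {SSHA} produces ----
# {SSHA} value = base64( SHA-1(password || salt) || salt ); the salt follows
# the 20-byte digest, so a verifier can recover it from the stored value.

def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Return an OpenLDAP-style {SSHA} string for the given password."""
    if salt is None:
        salt = os.urandom(4)            # 4-byte salt, as slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value the way slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_scheme(conf_text: str) -> str | None:
    """Report how rootpw is stored in slapd.conf text: the {SCHEME} tag of a
    hashed value, 'cleartext' for an unhashed value, None if rootpw is absent."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0] != "rootpw":
            continue                    # comments and other directives
        value = parts[1] if len(parts) > 1 else ""
        if value.startswith("{") and "}" in value:
            return value[: value.index("}") + 1]
        return "cleartext"
    return None


# ---- a minimal users/groups tree as LDIF ----
# Users are inetOrgPerson entries under ou=people (inetorgperson.schema, which
# itself depends on cosine.schema, must be included in slapd.conf); groups are
# groupOfNames entries under ou=groups whose member values are user DNs.

def ldif_entry(dn: str, attrs: list[tuple[str, str]]) -> str:
    return "\n".join([f"dn: {dn}"] + [f"{k}: {v}" for k, v in attrs]) + "\n"


def build_ldif(users: dict[str, str], groups: dict[str, list[str]]) -> str:
    """users maps uid -> {SSHA} hash; groups maps group cn -> list of member uids."""
    entries = [
        ldif_entry(BASE_DN, [("objectClass", "dcObject"), ("objectClass", "organization"),
                             ("dc", "example"), ("o", "Example Org")]),
        ldif_entry(f"ou=people,{BASE_DN}", [("objectClass", "organizationalUnit"), ("ou", "people")]),
        ldif_entry(f"ou=groups,{BASE_DN}", [("objectClass", "organizationalUnit"), ("ou", "groups")]),
    ]
    for uid, pw_hash in users.items():
        entries.append(ldif_entry(f"uid={uid},ou=people,{BASE_DN}", [
            ("objectClass", "inetOrgPerson"), ("uid", uid), ("cn", uid), ("sn", uid),
            ("userPassword", pw_hash)]))   # store the hash, never the cleartext
    for cn, members in groups.items():
        attrs = [("objectClass", "groupOfNames"), ("cn", cn)]
        attrs += [("member", f"uid={m},ou=people,{BASE_DN}") for m in members]
        entries.append(ldif_entry(f"cn={cn},ou=groups,{BASE_DN}", attrs))
    return "\n".join(entries)          # blank line between entries, as LDIF requires


def parse_ldif(text: str) -> dict[str, list[tuple[str, str]]]:
    """Parse simple (unfolded, non-base64) LDIF back into dn -> attribute list."""
    entries: dict[str, list[tuple[str, str]]] = {}
    dn, attrs = None, []
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current entry
            if dn:
                entries[dn] = attrs
            dn, attrs = None, []
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            dn = value
        else:
            attrs.append((key, value))
    if dn:
        entries[dn] = attrs
    return entries


def group_members(ldif_text: str, group_cn: str) -> list[str]:
    """Return the uids listed as member of cn=<group_cn>,ou=groups."""
    attrs = parse_ldif(ldif_text).get(f"cn={group_cn},ou=groups,{BASE_DN}", [])
    return [v.split(",")[0].split("=", 1)[1] for k, v in attrs if k == "member"]


if __name__ == "__main__":
    users = {"alice": ssha_hash("alice-pw"), "bob": ssha_hash("bob-pw")}   # constructed
    groups = {"groupA": ["alice"], "groupB": ["alice", "bob"]}
    print(build_ldif(users, groups))
    print("rootpw secret ->", rootpw_scheme("rootpw secret"))
    print("rootpw hashed ->", rootpw_scheme("rootpw " + ssha_hash("secret")))
```

The generated text can be written to a file and loaded with ldapadd bound as your rootdn. Two caveats worth knowing: slapd stores userPassword exactly as it is given in the LDIF, so a cleartext value in the file becomes a cleartext value in the directory, which is why the example hashes before emitting; and the parser above handles only the simple unfolded LDIF the builder produces, not line continuations or base64-encoded values.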
Using an LDAP Browser
Configure WebLogic Server
By default, WebLogic Server uses a security realm called myrealm that uses the Embedded LDAP server configured with the Default Authenticator. In order to add OpenLDAP as a source, you have to configure an additional Authentication Provider in the realm. Here are the steps for configuring WLS 10, although the steps are similar for other WLS versions.
- Log in to the WLS console - my example server is at http://localhost:7001/console with user weblogic and password weblogic
- Browse to Security Realms->myrealm
- Click on the Providers tab
- Browse to the Authentication section
- Click the Lock and Edit button
- Click the New button, select OpenLDAPAuthenticator and give it a name (I chose openLDAPAuthenticator)
- Click on the newly created Authenticator and select the Provider Specific tab
- I changed the following settings from the provider specific defaults based on the values I loaded in the ldif file shown earlier:
One Major Gotcha - Setting the Default Authenticator to something other than "Required"
Now you can save and activate the session. WebLogic Server needs to be restarted for changes to the Authenticators to take effect, but before you restart there is one other change to make. Authenticators have an attribute named Control Flag, whose value is one of REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL; see the help in the console for a detailed explanation of these values. The Default Authenticator has a default value of REQUIRED that should be changed to either SUFFICIENT or OPTIONAL in order for users that exist only in OpenLDAP to be able to log in through the WebLogic Security Framework without also having to be in the Embedded LDAP.
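To see why the Control Flag on the Default Authenticator matters, here is an added Python simulation (not WebLogic code) of the JAAS control-flag semantics that the WebLogic Security Framework applies to its Authentication Providers in the order they are listed in the realm. The two providers, their user stores, and the user alice are constructed for the example; alice exists only in the OpenLDAP store, mirroring a user who is in OpenLDAP but not in Embedded LDAP.

```python
from dataclasses import dataclass, field

# JAAS control-flag semantics, applied to providers in realm order:
#   REQUIRED   must succeed; on failure the chain still runs, but login fails
#   REQUISITE  must succeed; on failure the chain stops immediately
#   SUFFICIENT need not succeed; on success the chain stops, unless a
#              REQUIRED/REQUISITE provider earlier in the chain already failed
#   OPTIONAL   need not succeed; the chain continues either way
FLAGS = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


@dataclass
class Authenticator:
    """Stand-in for one Authentication Provider with a tiny constructed user store."""
    name: str
    control_flag: str
    users: dict = field(default_factory=dict)   # username -> password

    def login(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


def authenticate(providers: list, user: str, password: str) -> bool:
    """Evaluate the provider chain and return the overall login decision."""
    required_failed = False
    any_success = False
    for p in providers:
        if p.control_flag not in FLAGS:
            raise ValueError(f"{p.name}: unknown control flag {p.control_flag}")
        ok = p.login(user, password)
        if ok:
            any_success = True
            if p.control_flag == "SUFFICIENT" and not required_failed:
                return True             # short-circuit success
        elif p.control_flag == "REQUISITE":
            return False                # short-circuit failure
        elif p.control_flag == "REQUIRED":
            required_failed = True      # keep going, but the outcome is fixed
    return any_success and not required_failed


def gotcha_demo() -> dict:
    """Log in an OpenLDAP-only user with each possible flag on the Default Authenticator."""
    embedded = Authenticator("DefaultAuthenticator", "REQUIRED", {"weblogic": "weblogic"})
    openldap = Authenticator("openLDAPAuthenticator", "SUFFICIENT", {"alice": "alice-pw"})
    results = {}
    for flag in FLAGS:
        embedded.control_flag = flag
        # Default Authenticator is listed first in a fresh realm, OpenLDAP second
        results[flag] = authenticate([embedded, openldap], "alice", "alice-pw")
    return results


if __name__ == "__main__":
    for flag, ok in gotcha_demo().items():
        print(f"DefaultAuthenticator={flag:10s} alice (OpenLDAP only) login -> {ok}")
```

With the Default Authenticator left at REQUIRED, its failure for alice is recorded and the later success of the OpenLDAP authenticator cannot override it, which is exactly the symptom of the gotcha above; SUFFICIENT or OPTIONAL on the Default Authenticator lets the chain fall through to OpenLDAP, while weblogic, who exists only in Embedded LDAP, still logs in under every setting.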
Secure a web application
In this case, instead of explicitly naming all of the users you want in that role in each web application's deployment descriptors, which is not a very good practice for an enterprise, the role SecuredUser will be assumed to be a Global Role defined in your realm's Roles and Policies -> Global Roles. In the console, you can assign the Global Role SecuredUser to all users with membership in groupA, for example.
What if you want to read additional LDAP attributes beyond users and groups and use them in your applications? In a subsequent post I plan to show how to use an LDAP control to do that, or how to use the Unified User Profile feature of WebLogic Portal to automatically stuff those values into the user profile.