Using OpenLDAP with WebLogic Server

This was originally posted on my dev2dev blog August 12th, 2007.

A customer I was working with this week had some difficulty using Active Directory in conjunction with WebLogic Server security.  I've always used the Embedded LDAP server that ships with WLS as my user and group store, since most of my work is just demos and prototypes, but I thought this would be an excellent opportunity to see what it is like to configure an external LDAP provider.  Since I don't have easy access to Active Directory, I decided to use OpenLDAP.  I am an LDAP newbie and was surprised at how little I found when searching Google for an LDAP 101, but I was able to piece together enough information from Wikipedia and other articles to get going.

Install and configure OpenLDAP

OpenLDAP is typically used on *nix systems, but my laptop runs Windows XP.  I was able to find someone who makes a Windows distribution and I retrieved version 2.2.29.  It is very straightforward to download and install it as a Windows service.  Similar to Apache's httpd.conf file, the slapd.conf in the base directory is the master configuration file.

I had to change two things in my file.  At the top, I added support for additional schemas based on advice in an email thread.  It seems to be very common to use the inetOrgPerson object class, based on my limited shoulder surfing at customer sites, so I added support for that and for cosine, which inetorgperson.schema depends on.  The include order matters: core first, then cosine, then inetorgperson, because slapd resolves each schema's attribute types against the schemas loaded before it.

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema

At the very bottom of the slapd.conf file, you should see a few other things to configure.


database    bdb
#suffix "dc=my-domain,dc=com"
suffix "dc=bea,dc=com"
rootdn "cn=Manager,dc=bea,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory ./data
# Indices to maintain
index objectClass eq

So what this section says is that OpenLDAP will use BDB as its database and store the information in the data directory.  These are defaults.  This was helpful to know, because I messed up my database a few times playing around with various settings and could always just stop OpenLDAP, delete the contents of the data directory (the directory itself has to exist before slapd starts, as the comment says) and start OpenLDAP again from a clean slate.  The suffix for entries typically follows domain name conventions, so in this case I used bea.com, where DC stands for Domain Component.  This site has additional definitions for the other LDAP abbreviations like CN (Common Name) and SN (Surname).  The default root user name is Manager and the password defaults to secret.  In a real production setting you would not leave rootpw in cleartext: run slappasswd and paste the salted hash it prints (a {SSHA} value by default) into slapd.conf, keep the file unreadable by other users as the header comment says, and remember that port 389 is plain LDAP, so a bind sends the password in the clear unless you enable TLS (ldaps or StartTLS).  For my demo purposes, the defaults work fine.  Now I started the Windows service, executed a netstat command and observed that I was listening on the LDAP port 389 and was up and running.

Add Users and Groups

When you first start OpenLDAP there is no user/group structure provided; you have to add those entries yourself.  LDAP uses the LDIF format to import and export entries.  I was able to find some examples and modify them into a user/group structure that worked for my purposes.  Like I said, I'm an LDAP newbie, so do not consider this a recommended structure for your enterprise, but it worked for me to store both users and groups in a very basic way.  I'll show you a tool later that you can use to do this visually, but it's helpful to know what's going on under the covers so you understand what the tool is doing.


dn: dc=bea,dc=com
dc: bea
objectClass: top
objectClass: domain

dn: ou=people,dc=bea,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: cn=jbayer,ou=people,dc=bea,dc=com
objectClass: inetOrgPerson
cn: jbayer
sn: Bayer
uid: jbayer
userPassword: weblogic

dn: ou=groups,dc=bea,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit

dn: cn=groupA,ou=groups,dc=bea,dc=com
objectClass: top
objectClass: groupOfNames
cn: groupA
member: cn=jbayer,ou=people,dc=bea,dc=com


Above are the contents of a file I called base.ldif.  Here I define two organizational units, people and groups.  Under people I have a single user named jbayer and under groups I have one group named groupA, of which jbayer is a member.  Note that groupOfNames lists its members by full DN in the member attribute, which is what the WebLogic group filter searches on later, and that the userPassword value is stored exactly as written: ldapadd does not hash it for you.  To import this into OpenLDAP, I just use the ldapadd command as shown below.  I pass the password with -w for brevity; -W prompts for it instead, which keeps it out of the shell history and the process list.

C:\Program Files\OpenLDAP>ldapadd.exe -f base.ldif -xv -D "cn=Manager,dc=bea,dc=com" -w secret
ldap_initialize( <DEFAULT> )
add dc:
bea
add objectClass:
top
domain
adding new entry "dc=bea,dc=com"
modify complete

add ou:
people
add objectClass:
top
organizationalUnit
adding new entry "ou=people,dc=bea,dc=com"
modify complete

add objectClass:
inetOrgPerson
add cn:
jbayer
add sn:
Bayer
add uid:
jbayer
add userPassword:
weblogic
adding new entry "cn=jbayer,ou=people,dc=bea,dc=com"
modify complete

add ou:
groups
add objectClass:
top
organizationalUnit
adding new entry "ou=groups,dc=bea,dc=com"
modify complete

add objectClass:
top
groupOfNames
add cn:
groupA
add member:
cn=jbayer,ou=people,dc=bea,dc=com
adding new entry "cn=groupA,ou=groups,dc=bea,dc=com"


Using an LDAP Browser

Since doing all this command line stuff isn't very visual, you can also use this Java LDAP Browser to view/modify OpenLDAP entries and to validate that your entries got imported correctly.  Download the tool and use connection settings similar to mine shown below (click the thumbnail to get a larger view), which should result in you being able to connect and browse the tree.  You can also use this tool to add and edit entries, but I won't cover that here.  Edocs also has instructions on how you can use this same tool to browse the Embedded LDAP server that comes with WLS.

[Screenshots: openLdapConfig, ldapBrowser]

Configure WebLogic Server

By default, WebLogic Server uses a security realm called myrealm whose user and group store is the Embedded LDAP server, accessed through the Default Authenticator.  In order to add OpenLDAP as a second store, you configure an additional Authentication Provider in the realm.  Here are the steps for WLS 10, although the steps are similar in other WLS versions.


  1. Log in to the WLS console - my example server is at http://localhost:7001/console  with user weblogic and password weblogic
  2. Browse to Security Realms->myrealm
  3. Click on the Providers tab
  4. Browse to the Authentication section
  5. Click the Lock and Edit button
  6. Click the New button, select OpenLDAPAuthenticator and give it a name; I chose openLDAPAuthenticator
  7. Click on the newly created Authenticator and select the Provider Specific tab
  8. I changed the following settings from the provider-specific defaults, based on the values I loaded in the LDIF file shown earlier.  (For a demo I bind as the rootdn; in a real deployment use a dedicated account with search rights on the user and group subtrees, and give it write access to userPassword only if you want to change passwords from the console.)


Group Base DN:  ou=groups,dc=bea,dc=com
Static Group Object Class: groupOfNames
User Base DN: ou=people,dc=bea,dc=com
User Object Class: inetOrgPerson
Principal: cn=Manager,dc=bea,dc=com
Host: localhost
Credential: secret
Confirm Credential: secret
Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=groupOfNames))
User From Name Filter: (&(cn=%u)(objectclass=inetOrgPerson))
Group From Name Filter: (&(cn=%g)(objectclass=groupOfNames))
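
These settings tell the authenticator where to search and how to build each query: %u is replaced by the login name and searched under the User Base DN, %M by the resulting user DN and searched under the Group Base DN.  As an added example (not code from the original post or from WebLogic), the script below loads the user and group entries from base.ldif into memory and evaluates those same filters with a small evaluator for the filter syntax they use, so you can confirm that the layout and the filters agree before restarting the server.  It also shows why the substituted value must be escaped per RFC 4515: an unescaped '*' turns (cn=%u) into a presence filter and matches every user.  WebLogic's own substitution and matching code are not reproduced here; this is a model of the searches it issues.

```python
"""Offline dry run of the lookups the WebLogic OpenLDAP Authenticator performs.

Added example, not code from the original post or from WebLogic: the user and
group entries from base.ldif are parsed into memory and the provider's filter
settings are evaluated against them, with the RFC 4515 escaping a login name
needs before it is substituted for %u or %M.
"""
import re
from typing import Callable, Dict, List, Optional

Entry = Dict[str, List[str]]  # lower-cased attribute -> values; "dn" holds the entry's DN

BASE_LDIF = """\
dn: cn=jbayer,ou=people,dc=bea,dc=com
objectClass: inetOrgPerson
cn: jbayer
sn: Bayer
uid: jbayer
userPassword: weblogic

dn: cn=groupA,ou=groups,dc=bea,dc=com
objectClass: top
objectClass: groupOfNames
cn: groupA
member: cn=jbayer,ou=people,dc=bea,dc=com
"""  # constructed from the page's base.ldif (root and ou entries omitted)

# Provider-specific settings from the page; %u and %M are WebLogic's placeholders.
USER_BASE_DN, GROUP_BASE_DN = "ou=people,dc=bea,dc=com", "ou=groups,dc=bea,dc=com"
USER_FROM_NAME = "(&(cn=%u)(objectclass=inetOrgPerson))"
GROUPS_FROM_MEMBER = "(&(member=%M)(objectclass=groupOfNames))"

def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: 'attr: value' lines, a blank line ends an entry."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines() + [""]:
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
        elif not line.strip() and current:
            entries.append(current)
            current = {}
    return entries

def _norm(value: str) -> str:
    """caseIgnore-style comparison that also normalizes spacing inside DNs."""
    return ",".join(p.strip() for p in value.split(",")).lower()

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so that a login name like '*' cannot become a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_filter(text: str) -> Callable[[Entry], bool]:
    """Compile the subset the settings use: (&..), (|..), (attr=value) and (attr=*)."""
    pos = 0

    def read() -> Callable[[Entry], bool]:
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(read())
            pos += 1  # closing ')' of the compound filter
            combine = all if op == "&" else any
            return lambda e: combine(s(e) for s in subs)
        end = text.index(")", pos)
        attr, _, raw = text[pos:end].partition("=")
        pos, attr = end + 1, attr.strip().lower()
        if raw == "*":  # presence filter; an escaped "\2a" stays a literal star
            return lambda e: attr in e
        want = _norm(re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw))
        return lambda e: any(_norm(v) == want for v in e.get(attr, []))

    return read()

def search(entries: List[Entry], base_dn: str, filt: str) -> List[Entry]:
    """Subtree search below base_dn, the scope the authenticator uses."""
    match, base = parse_filter(filt), _norm(base_dn)
    return [e for e in entries
            if (_norm(e["dn"][0]) == base or _norm(e["dn"][0]).endswith("," + base)) and match(e)]

def user_dn(entries: List[Entry], username: str) -> Optional[str]:
    """User From Name Filter under User Base DN; anything but exactly one hit fails the login."""
    hits = search(entries, USER_BASE_DN, USER_FROM_NAME.replace("%u", escape_filter_value(username)))
    return hits[0]["dn"][0] if len(hits) == 1 else None

def groups_for_member(entries: List[Entry], member_dn: str) -> List[str]:
    """Static Group DNs from Member DN Filter under Group Base DN, returning group names."""
    filt = GROUPS_FROM_MEMBER.replace("%M", escape_filter_value(member_dn))
    return sorted(g["cn"][0] for g in search(entries, GROUP_BASE_DN, filt))
```

If user_dn returns None for a real user, the User From Name Filter or the User Base DN is wrong; if it returns a DN but groups_for_member comes back empty, check the Static Group DNs from Member DN Filter and that the member values are full DNs matching the user entries (the evaluator normalises case and spacing, as a real server does for DN-syntax attributes).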

One Major Gotcha - Setting the Default Authenticator to something other than "Required"

Now you can save and activate the session.  WebLogic Server needs to be restarted for changes to the authenticators to take effect, but before you restart there is one other change to make.  Each authenticator has an attribute named Control Flag with one of the values REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL.  These follow the JAAS login-module stacking rules: a login succeeds only if every REQUIRED and REQUISITE provider accepts it (a REQUISITE failure stops evaluation immediately), a SUFFICIENT provider that accepts the user ends evaluation successfully as long as no earlier required provider has failed, and an OPTIONAL provider is consulted but never decides the outcome on its own.  See the help in the console for the detailed explanation.  The Default Authenticator ships with REQUIRED, which means every login would also have to succeed against Embedded LDAP; change it to SUFFICIENT or OPTIONAL so that users who exist only in OpenLDAP can log in through the WebLogic Security Framework.  Do not remove the Default Authenticator or make the new provider REQUIRED while you are still testing: the boot identity (weblogic by default) lives in Embedded LDAP, and if it can no longer authenticate the server will not start.
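
To make the control flag behaviour concrete, here is an added example (not WebLogic code) that models the JAAS stacking rules above with two constructed credential stores: one standing in for Embedded LDAP, holding the boot user weblogic, and one for OpenLDAP, holding jbayer.  The provider order, user names and passwords are assumptions for the demo.

```python
"""Model of the JAAS control-flag stacking WebLogic applies to its authenticators.

Added example, not WebLogic code: two constructed credential stores stand in for
Embedded LDAP (where the boot user 'weblogic' lives) and OpenLDAP (where 'jbayer'
lives), and login() applies the REQUIRED / REQUISITE / SUFFICIENT / OPTIONAL rules
so you can see why the Default Authenticator must not stay REQUIRED.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


Provider = Tuple[str, Flag, Callable[[str, str], bool]]  # (name, control flag, authenticate)


def store(users: Dict[str, str]) -> Callable[[str, str], bool]:
    """A credential store that only knows its own users: an unknown user is a failure."""
    return lambda user, password: users.get(user) == password


EMBEDDED_LDAP = store({"weblogic": "weblogic"})  # constructed: the domain's boot identity
OPEN_LDAP = store({"jbayer": "weblogic"})        # constructed: the user from base.ldif


def realm(default_flag: Flag, openldap_flag: Flag) -> List[Provider]:
    """Providers in the order the console lists them: Default Authenticator first."""
    return [("DefaultAuthenticator", default_flag, EMBEDDED_LDAP),
            ("openLDAPAuthenticator", openldap_flag, OPEN_LDAP)]


def login(providers: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the stack with JAAS semantics; returns (success, per-provider trace)."""
    trace: List[str] = []
    required_seen = required_failed = optional_ok = False
    for name, flag, authenticate in providers:
        ok = authenticate(user, password)
        trace.append("%s[%s]=%s" % (name, flag.value, "ok" if ok else "fail"))
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break  # a REQUISITE failure stops the walk immediately
        elif flag is Flag.SUFFICIENT:
            if ok and not required_failed:
                return True, trace  # SUFFICIENT success ends the walk; later providers are not asked
        elif ok:  # OPTIONAL
            optional_ok = True
    if required_seen:
        return not required_failed, trace
    return optional_ok, trace  # no REQUIRED/REQUISITE present: something else must have passed
```

realm(Flag.REQUIRED, Flag.SUFFICIENT) is the state you get after step 8 without the gotcha fix: jbayer is rejected because the Default Authenticator fails.  realm(Flag.OPTIONAL, Flag.REQUIRED), the configuration one commenter below used, rejects weblogic instead, which is how you lock yourself out of a server that boots with that identity.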

After restarting, log back into the console, browse to your realm and select the Users and Groups tab.  You should see the user you added.  If you select a user from OpenLDAP you should be able to change their password as well as see their group membership if everything is configured properly.  If the user appears but shows no groups, the Group Base DN or the group filters are the first things to check.

[Screenshot: jbayer in the Users and Groups tab]

Secure a web application

You can try it out by creating a simple web app with a security-constraint element in web.xml as follows; it defines a role named SecuredUser and uses it to protect all resources in the web app.  (BASIC authentication sends the password base64-encoded on every request, so for anything beyond a demo serve the application over HTTPS.)


<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SecuredUser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>SecuredRealm</realm-name>
</login-config>
<security-role>
  <role-name>SecuredUser</role-name>
</security-role>

Then in your weblogic.xml add a security-role-assignment element that maps the role to a specific user:


<wls:security-role-assignment>
  <wls:role-name>SecuredUser</wls:role-name>
  <wls:principal-name>jbayer</wls:principal-name>
</wls:security-role-assignment>

If you would rather use LDAP groups to specify the role assignment, which is much more likely to be the case, then you would use a section like this in your weblogic.xml.


<wls:security-role-assignment>
  <wls:role-name>SecuredUser</wls:role-name>
  <wls:externally-defined/>
</wls:security-role-assignment>

In this case, instead of explicitly naming all of the users you want in that role in each web application's deployment descriptors, which is not a good practice for an enterprise, the role SecuredUser is assumed to be a Global Role defined under your realm's Roles and Policies -> Global Roles.  In the console, you can assign the Global Role SecuredUser to all users with membership in groupA, for example.

What if you want to read additional LDAP attributes beyond users and groups and use them in your applications?  In a subsequent post I plan to show how to use an LDAP control to do that, or how to use the Unified User Profile feature of WebLogic Portal to populate the user profile with those values automatically.

Comments:

I followed the steps in the tutorial. I have SQL Authenticator (Default Authenticator) as OPTIONAL and the new OpenLDAP Authenticator as REQUIRED. Now I have the problem that I cannot sign in with the new user (jbayer) in WLS <02-jun-2009 17H44' CEST> <02-jun-2009 17H44' CEST> What are the groups the user should belong to in order to log in as administrator in WLS? Is this possible? Thank you

Posted by Víctor Glez. on June 03, 2009 at 02:15 AM PDT #

Victor, only users in certain roles such as Admin or Operator can start the server, and to map to those roles, you need to be in certain Groups in the Authentication Provider. This is documented here: http://download.oracle.com/docs/cd/E12839_01/wls/docs103/secwlres/secroles.html#wp1221588 Did you put your jbayer user in the Administrators group or modify your Admin role to include jbayer?

Posted by James Bayer on June 03, 2009 at 04:15 AM PDT #

Hi James, I have the same problem, but how can I modify the roles if I can't start the server? I had only an administrator and now I can't start because I have this problem

Posted by Javier on July 15, 2009 at 01:49 AM PDT #

Javier, Try to revert to the embedded LDAP (Default Authenticator) user that was in your server's boot.properties file at the time the domain was created. By default this is named "weblogic" unless you change it. Then you should be able to start the server and make any adjustments to the roles, etc with the users from the Open LDAP Authenticator.

Posted by James Bayer on July 15, 2009 at 02:03 AM PDT #

I'd been fiddling with the LDAP settings all day trying to get this working . I hadn't realised that the gotcha with the Default Authenticator had been causing the problems all along and that the settings I'd been using were fine. Thanks very much for posting this article, saved me a sleepless night!

Posted by Steve Neal on August 25, 2009 at 03:36 PM PDT #

Hi James, This is very good article for ldap newbie like me, we were search for moving from iplanet directory to open source directory like OpenLdap with weblogic 9.2. This give a overview how we can start with. Cheers, Prashant

Posted by Prashant on November 26, 2009 at 06:20 PM PST #

Hey James :) Long time no see! Hope you're doing well in the windy city. I'm currently working on integrating OpenLDAP with a WLS 10. (by the way, I thought it was a good subject for my blog, and then I found yours which deals with pretty much the same thing I was going to write about :) ) In your example, you're hitting the group "ou=people,dc=bea,dc=com" as the User Base DN to retrieve the users which will be visible in your domain. My concern is about subgroups. Following your example, I would like to authorize only the people with a Group-A membership to appear in the console (in my case, the general "people" group has more than 100 000 entries ...) There are so many configurations possible that I'm wondering whether, by any chance, you had to fit a similar requirement. A workaround would be to flag, with a specific attribute, all the users belonging to Group-A and then filter them with the "User From Name Filter" field, but it would imply that the whole list still has to be read, which is what I'd like to avoid. I'm still working on it, I guess I'll find a solution, but if you have any clue for me to save time, that would be cool. Thanks and nice work, as usual, friend :) Kind regards.

Posted by Maxence Button on December 01, 2009 at 11:30 PM PST #

Maxence, I really don't think the size of the org should matter too much as I think the console paginates the users. For example, I'm pretty confident that the entire Oracle internal LDAP directory is used with WebLogic Server. Now if your requirement is definitely not to even show other users in the console regardless of which role you map to them, then as you mention I think the User From Name Filter might work for you. You would have to ask someone like Josh Bregman to be sure, but I'm pretty confident that the LDAP servers can handle that filter efficiently. Let me know if you find out the solution. Good luck, James

Posted by james.bayer on December 02, 2009 at 07:31 AM PST #

Hi, I just ran into this very interesting blog. I would like to ask you if this architecture would help keep my LDAP server from crashing. Whenever a code error in my apps opens more than 500 connections in a minute, my OpenLDAP crashes, so I guess it would be a better approach for WL to connect to LDAP once and handle all the requests. Is that possible? Thanks in advance.

Posted by npissan on June 21, 2011 at 08:39 PM PDT #

Nick, I'm not sure how many OpenLDAP connections would be opened by default by the WLS Open LDAP Authenticator. You could ask in the OTN WLS Security forum or Oracle Support for clarification.
http://forums.oracle.com/forums/forum.jspa?forumID=581&start=0

Thanks,

James

Posted by james.bayer on June 21, 2011 at 11:17 PM PDT #

Hi James
I successfully integrated the Novell e-directory and weblogic 9.2.2.
I am able to see all the user and group from novell in weblogic console.
Now, I have 2 cases:
Case 1: When I am giving admin roles to a user called abc (abc is a member of group called admins in Novell). I can log into the console successfully.
Case 2: I removed the admin role of the user called abc, and gave the admin role to the group called admins. Now, when I am trying to log into the console using the credentials of abc ('abc' is a member of 'admins' in Novell), I am getting access denied. I did some research and found that weblogic is sending a query to novell and getting authentication, but it's not trying to get authorization. I mean it's not sending a query to Novell to find out which group abc belongs to?
Do you know how to resolve it? I am stuck with it from last 2 months. I will really appreciate if you can help me out.

Please let me know if you need more detail on it.

Thanks in Advance !!!

Posted by Pradeep on July 05, 2011 at 01:10 AM PDT #

FYI: abc is just like user jbayer and admins is like group, groupA in your case.
Also, for giving admin roles I am going to Security realms-->my realm-->Roles and Policies-->relam roles--> Global roles--->Roles-->Admin
Add conditions-->Group(select)-->Next-->Group Argument Name--> Add--> finish

Please let me know if you need more detail on it.

Thanks in Advance !!!

Posted by pradeep on July 05, 2011 at 01:11 AM PDT #

Pradeep,

You can enable more verbose logging for the WLS security sub-system to see the WLS perspective of what is happening. It's likely that the authenticator is not correctly configured to return the groups for each user, but is configured to list all the groups. I recommend working with Oracle Support to work through this as it can be somewhat tedious if you're not familiar with LDAP syntax. You could also try posting in the WLS Security OTN forum:
http://forums.oracle.com/forums/forum.jspa?forumID=581
I recommend that you describe the LDAP layout and how you have the authenticator configured. I'm really not an expert in this area so Support/OTN will better serve you.

Thanks, James

Posted by james.bayer on July 05, 2011 at 01:22 AM PDT #

Thanks James, for your quick and positive response.
I already enabled the debug flag for security (atz and atn). That is how I found that it's getting authentication but failing on authorization.
Also, I opened SR to oracle but they are very slow for support cases.
Anyways, thanks for the blog, it is really informative.
Keep it up !!!

Posted by Pradeep on July 05, 2011 at 01:36 AM PDT #

Hi,

I am new to LDAP.

I have installed OpenLDAP on Red Hat Linux 5.4; while adding a new user it gives the error below:
ldap_add: Protocol error (2)
additional info: no attributes provided

And please tell me how I can cross-check the users with an LDAP browser.

Thanks
Vivek

Posted by Vivek on July 25, 2011 at 09:18 PM PDT #

Vivek, I don't know my LDAP all that well either. I recommend looking at this post that shows a nice LDAP Explorer http://blogs.oracle.com/jamesbayer/entry/look_inside_weblogic_server_emand perhaps posting your question to OpenLDAP experts on StackOverflow or similar. Good luck, James

Posted by james.bayer on July 26, 2011 at 04:27 AM PDT #

About
I was formerly a Product Manager on the WebLogic Server team based out of Oracle HQ. You can find my new blog at http://iamjambay.com.