This was originally posted on my dev2dev blog August 12th, 2007.
A customer I was working with this week had some difficulty using Active Directory in conjunction with WebLogic Server Security. I've always used the Embedded LDAP server that ships with WLS as my user and group store since most of my work is just demos and prototypes, but I thought this would be an excellent opportunity to see what it is like to configure an external LDAP provider. Since I don't have easy access to Active Directory, I decided to use OpenLDAP. I am an LDAP newbie and was surprised at the lack of results that I received searching on google for my LDAP 101, but I was able to piece enough information together from wikipedia and other articles to get me going.
OpenLDAP is typically used on *nix systems, but my laptop runs Windows XP. I was able to find someone who makes a Windows distribution and I retrieved version 2.2.29. It's very straightforward to download and install it as a Windows Service. Similar to Apache's httpd.conf file, the slapd.conf in the base directory is the master configuration file.
I had to change two things in my file. At the top, I added support for additional schemas based on advice in an email thread. It seems to be very common to use the inetOrgPerson object class, based on my limited shoulder surfing at customer sites, so I added support for that and for another schema named cosine.
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
At the very bottom of the slapd.conf file, you should see a few other things to configure.
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
# Indices to maintain
index objectClass eq
When you first start OpenLDAP, there is no user/group structure provided; you have to add those entries yourself. LDIF is the format used to import entries into and export entries from an LDAP directory. I was able to find some examples and modify them to have a user/group structure that worked for my example purposes. Like I said, I'm an LDAP newbie, so do not consider this a recommended structure for your enterprise, but it worked for me to store both users and groups in a very basic way. Later I'll show you a tool that you can use to do this visually, but it's helpful to know what's going on under the covers so you understand what the tool is doing.
C:\Program Files\OpenLDAP>ldapadd.exe -f base.ldif -xv -D "cn=Manager,dc=bea,dc=com" -w secret
ldap_initialize( <DEFAULT> )
adding new entry "dc=bea,dc=com"
adding new entry "ou=people,dc=bea,dc=com"
adding new entry "cn=jbayer,ou=people,dc=bea,dc=com"
adding new entry "ou=groups,dc=bea,dc=com"
adding new entry "cn=groupA,ou=groups,dc=bea,dc=com"
By default, WebLogic Server uses a security realm called myrealm that uses the Embedded LDAP server configured with the Default Authenticator. In order to add OpenLDAP as a source, you have to add an additional Authentication Provider to the realm. Here are the steps for configuring WLS 10, although the steps are similar for other WLS versions.
Group Base DN: ou=groups,dc=bea,dc=com
Static Group Object Class: groupOfNames
User Base DN: ou=people,dc=bea,dc=com
User Object Class: inetOrgPerson
Confirm Credential: secret
Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=groupOfNames))
User From Name Filter: (&(cn=%u)(objectclass=inetOrgPerson))
Group From Name Filter: (&(cn=%g)(objectclass=groupOfNames))
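The three filter templates above are what the provider instantiates on every login: %u is replaced with the login name, %g with a group name, and %M with the DN that the user search returned. As an added example (not code from the original post or from WebLogic), here is how those templates expand, with the substituted values escaped per RFC 4515 so that a name containing filter metacharacters is matched literally instead of changing the filter's structure; the DN and names are the ones created by the ldapadd run above.

```python
import re

# Filter templates exactly as entered in the WebLogic console above.
USER_FROM_NAME = "(&(cn=%u)(objectclass=inetOrgPerson))"
GROUP_FROM_NAME = "(&(cn=%g)(objectclass=groupOfNames))"
GROUP_DNS_FROM_MEMBER = "(&(member=%M)(objectclass=groupOfNames))"

# RFC 4515 escaping for assertion values: the only characters that can
# alter the structure of a filter are NUL, '(', ')', '*' and '\'.
_ESCAPES = {"\0": r"\00", "(": r"\28", ")": r"\29", "*": r"\2a", "\\": r"\5c"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, **subs: str) -> str:
    """Replace %u / %g / %M placeholders with escaped substitution values.

    A single regex pass is used so an escaped value is never re-scanned
    for further placeholders. A missing substitution raises KeyError.
    """
    def _sub(match):
        return escape_filter_value(subs[match.group(1)])
    return re.sub(r"%([ugM])", _sub, template)


def user_from_name(username: str) -> str:
    return expand_filter(USER_FROM_NAME, u=username)


def group_from_name(groupname: str) -> str:
    return expand_filter(GROUP_FROM_NAME, g=groupname)


def group_dns_from_member(user_dn: str) -> str:
    # %M takes the DN returned by the user search. The DN's commas and
    # '=' are harmless in a filter, but any backslash escapes inside it
    # must be re-escaped before the DN is embedded as a filter value.
    return expand_filter(GROUP_DNS_FROM_MEMBER, M=user_dn)


if __name__ == "__main__":
    print(user_from_name("jbayer"))
    print(group_dns_from_member("cn=jbayer,ou=people,dc=bea,dc=com"))
    # Metacharacters in the login name are escaped, not interpreted.
    print(user_from_name("j*bayer)"))
```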
Now you can save and activate the session. WebLogic Server needs to be restarted for changes to the Authenticator to take effect, but before you restart there is one other change we have to make. Authenticators have an attribute named Control Flag; one of its possible values is OPTIONAL (see the help in the console for a detailed explanation of these values). The Default Authenticator has a default value of REQUIRED, which should be changed to a less strict value such as OPTIONAL so that users who exist only in OpenLDAP can log in through the WebLogic Security Framework without also having to be in the Embedded LDAP.
In this case, instead of explicitly naming all of the users you want in that role in each web application's deployment descriptors, which is not a very good practice for an enterprise, the role SecuredUser will be assumed to be a Global Role defined in your realm under Roles and Policies -> Global Roles. In the console, you can assign the Global Role SecuredUser to all users with membership in groupA, for example.
What if you want to find out additional LDAP attributes other than users and groups and use them in your applications? In a subsequent post I plan on showing how to use an LDAP control to do that or use the Unified User Profile feature of WebLogic Portal to automatically stuff those values in the user profile.