Each WebLogic security realm must have at least one authentication provider configured. The default authentication provider (defaultAuthenticator) uses an embedded LDAP directory server to store user credentials & group membership.
Using an external authentication provider
The file-based embedded LDAP store does not scale when the number of users and group to manae grow. However, many customners favoir a centralized administration for users and groups, so you can declare an external authentication provider. The default authenticator is kept for "emergency" only to store Weblogic administrator in case the external authenticator cannot be reached as it is possible to control authenticator priority and criticality.
OUD as a Weblogic authentication provider
Such use case is certified since WebLogic 10.3.5; OUD can be used to store users and groups. Furthermore, it is possible to export existing users & groups from embedded LDAP to OUD for seamless transition.
When OUD is used an an external authentication provider, it is recommended to disable user lockout provided by WebLogic and rather rely on the password policy provided at the OUD level.
Configuring OUD as an authentication Provider
Reusing existing users & groups from embedded LDAP
To export users and groups from embedded LDAP:
First, modify credentials of the embedded LDAP server: Click <Domain> under Domain Structure on the left panel. On the right panel, click Security tab then Embedded LDAP tab, change credentials, Save and restart WebLogic
Then, perform a LDAP search on the Weblogic port as cn=admin using above credentials e.g.
ldapsearch -p 7001 -D "cn=admin" -w <password> -b "ou=myrealm,dc=<domain>" "(|(objectclass=wlsUser)(objectclass=groupOfURLs)(objectclass=groupOfUniqueNames))
Here is an exemple of entries:
objectclass: groupOfURLs cn: Administrators
By default, user entries are stored in oud=people while groups are stored in ou=groups in the embedded LDAP server. As you can see, the search base in the LDAP URL defining dynamic groups (e.g. Administrators) is incorrect as it searches user entries in the group container. This must be changed prior to importing entries in OUD to the following value:
To import entries in OUD,
Optimizing Group membership evaluation
Weblogic can determine group membership based on a configurable attribute present in user entries. If not set in the provider specific configuration (User Dynamic Group DN property), it determines membership by evaluating the URLs present in the dynamic group.
This property can be set to isMemberOf as this attribute is provided OOTB by OUD. It can also be set to wlsMemberOf when every dynamic group used is based on this attribute.