By Juergenkress-Oracle on Nov 23, 2015
In this blog I will illustrate how you can configure Weblogic Server to use OpenLDAP as an authentication provider and allow OpenLDAP users to log in to the Oracle BPM Worklist application. In a previous blog I have already shown how to do Weblogic authentication with ApacheDS (LDAP and Weblogic; Using ApacheDS as authentication provider for Weblogic). In this blog I will use OpenLDAP for BPM Worklist authentication as well.
Why use OpenLDAP?
Oracle Platform Security Services (OPSS) supports the use of several authentication providers. See: http://docs.oracle.com/cd/E23943_01/core.1111/e10043/devuserole.htm#JISEC2474. OpenLDAP is the only open source provider available in this list.
- Microsoft Active Directory
- Novell eDirectory
- Oracle Directory Server Enterprise Edition
- Oracle Internet Directory
- Oracle Virtual Directory
- Oracle WebLogic Server Embedded LDAP Directory
- Microsoft ADAM
- IBM Tivoli
Being able to use a certain provider for Weblogic authentication does not automatically mean its users are also available to Fusion Middleware applications that use JPS, such as the BPM Worklist application. The authentication providers available in Weblogic Server cover a wider range of servers and mechanisms than JPS can use out of the box.

What causes this limitation? Well, most Fusion Middleware applications (all, as far as I've seen) can only look at the first LDAP provider for authentication. This is usually the default authenticator (the Weblogic Embedded LDAP server). When I add another LDAP authenticator, it will be ignored. The solution is straightforward: use a single LDAP. Of course, if you don't want that, you can also virtualize several LDAPs and offer them to the application as a single LDAP. The most common solutions for this are Oracle Virtual Directory (OVD, http://docs.oracle.com/cd/E12839_01/oid.1111/e10036/basics_10_ovd_what.htm) and LibOVD. Oracle Virtual Directory is a separate product. LibOVD is provided with Weblogic Server but does not have its own web interface and is limited in functionality (and its configuration is more troublesome, in my opinion). When (for example for ApacheDS) you specify the generic LDAPAuthenticator rather than a specific one such as the one for OpenLDAP, you need to specify an idstore.type in the jps-config.xml in DOMAINDIR\config\fmwconfig. This idstore.type is limited to the list below:

Read the complete article here.
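The two checks described above (which LDAP provider is first in the realm, and whether a generic LDAPAuthenticator has an idstore.type in jps-config.xml) can be made mechanical by reading the domain's config.xml and jps-config.xml. The script below is an added example, not code from the original article or from Oracle; the xsi:type names in the constructed config.xml sample, the set of types counted as LDAP identity stores, and the OPEN_LDAP value are assumptions about how those files are laid out.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Provider types assumed to count as an LDAP identity store for OPSS: embedded-LDAP default, generic LDAP, OpenLDAP.
LDAP_AUTHENTICATORS = {"default-authenticatorType", "ldap-authenticatorType",
                       "open-ldap-authenticatorType"}
def local(tag): return tag.split("}")[-1]  # strip the namespace so the check is not tied to one WLS version

def authentication_providers(config_xml):
    """(name, xsi:type) of every realm provider, in config.xml order."""
    found = []
    for el in ET.fromstring(config_xml).iter():
        if local(el.tag) == "authentication-provider":
            name = next((c.text for c in el if local(c.tag) == "name"), None)
            found.append((name, el.get(XSI_TYPE, "").split(":")[-1]))
    return found

def idstore_type(jps_config_xml):
    """Value of the idstore.type property in jps-config.xml, or None if unset."""
    for el in ET.fromstring(jps_config_xml).iter():
        if local(el.tag) == "property" and el.get("name") == "idstore.type":
            return el.get("value")
    return None

def jps_identity_store(config_xml, jps_config_xml):
    """Which provider JPS will actually consult (the first LDAP one), plus any findings."""
    for name, ptype in authentication_providers(config_xml):
        if ptype not in LDAP_AUTHENTICATORS:
            continue  # identity asserters and the like are not identity stores
        findings = []
        if ptype == "default-authenticatorType":
            findings.append("embedded LDAP is first; later LDAP providers are ignored")
        if ptype == "ldap-authenticatorType" and idstore_type(jps_config_xml) is None:
            findings.append("generic LDAPAuthenticator but idstore.type is not set")
        return name, ptype, findings
    return None, None, ["no LDAP authenticator in the realm"]

# Constructed samples: OpenLDAP was added after the DefaultAuthenticator.
SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
 xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><security-configuration><realm>
 <sec:authentication-provider xsi:type="wls:default-authenticatorType">
  <sec:name>DefaultAuthenticator</sec:name></sec:authentication-provider>
 <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
  <sec:name>DefaultIdentityAsserter</sec:name></sec:authentication-provider>
 <sec:authentication-provider xsi:type="wls:open-ldap-authenticatorType">
  <sec:name>OpenLDAPAuthenticator</sec:name></sec:authentication-provider>
 </realm></security-configuration></domain>"""
SAMPLE_JPS_CONFIG_XML = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
 <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.type" value="OPEN_LDAP"/></serviceInstance></jpsConfig>"""
```

Running `jps_identity_store(SAMPLE_CONFIG_XML, SAMPLE_JPS_CONFIG_XML)` on the sample reports DefaultAuthenticator as the store JPS will use, which is exactly why the OpenLDAP users would not be visible to the BPM Worklist.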