X

PaaS Partner Community

  • November 23, 2015

WebLogic Console and BPM Worklist. Authentication using OpenLDAP by Maarten Smeets

Jürgen Kress
PaaS Partner Adoption


clip_image002In this blog I will illustrate how you can configure Weblogic Server to use OpenLDAP as authentication provider and to allow OpenLDAP users to login to the Oracle BPM Worklist application. In a previous blog I have already shown how to do Weblogic Authentication with ApacheDS (LDAP and Weblogic; Using ApacheDS as authentication provider for Weblogic). In this blog I will use OpenLDAP to also do BPM Worklist authentication.


Why use OpenLDAP?

Oracle Platform Security Services (OPSS) supports the use of several authentication providers. See: http://docs.oracle.com/cd/E23943_01/core.1111/e10043/devuserole.htm#JISEC2474. OpenLDAP is the only open source provider available in this list.

  • Microsoft Active Directory
  • Novell eDirectory
  • Oracle Directory Server Enterprise Edition
  • Oracle Internet Directory
  • Oracle Virtual Directory
  • OpenLDAP
  • Oracle WebLogic Server Embedded LDAP Directory
  • Microsoft ADAM
  • IBM Tivoli

When you can use a certain provider for Weblogic authentication, this does not automatically mean you also use this user in Fusion Middleware applications which use JPS such as the BPM Worklist application. Possible authentication providers in Weblogic Server cover a wider range of servers and mechanisms than can be used in JPS out of the box.

What causes this limitation? Well, most Fusion Middleware Applications (all as far as I’ve seen) can only look at the first LDAP provider for authentication. This is usually the default authenticator (Weblogic Embedded LDAP server). When I add another LDAP authenticator, it will be ignored. The solution is straightforward; use a single LDAP. Of course if you don’t want that, you can also virtualize several LDAPs and offer them as a single LDAP for the application to talk to. The most common solutions for this are; Oracle Virtual Directory (OVD, http://docs.oracle.com/cd/E12839_01/oid.1111/e10036/basics_10_ovd_what.htm) and LibOVD. Oracle Virtual Directory is a separate product. LibOVD is provided with Weblogic Server but does not have its own web-interface and is limited in functionality (and configuration is more troublesome in my opinion). When (for example for ApacheDS) you specify the generic LDAPAuthenticator and not a specific one such as for OpenLDAP, you need to specify an idstore.type in the jps-config.xml in DOMAINDIR\config\fmwconfig. This idstore.type is limited to the list below: Read the complete article here.

SOA & BPM Partner Community

For regular information on Oracle SOA Suite become a member in the SOA & BPM Partner Community for registration please visit www.oracle.com/goto/emea/soa (OPN account required) If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn image[7][2][2][2] Facebook clip_image002[8][4][2][2][2] Wiki

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.