Active Directory Support
By ACShorten on Aug 09, 2013
Over the last few days I have had a few questions on our Active Directory support and the use of the cisusers group in the product.
As a J2EE product our products rely on the container to provide integration between security repositories and the application. This is the case with Active Directory. To configure our product to use the Active Directory as a security repository for authentication purposes the following process should be used:
- Configure the WebLogic Security Provider for Active Directory with the relevant interface. This is performed within Oracle WebLogic exclusively. Refer to the http://docs.oracle.com/cd/E28280_01/web.1111/e13707/atn.htm#i1216261
- One thing you need to consider is whether you want your AD repository to be your exclusive repository. Oracle WebLogic allows you to specify multiple security repositories with rules to govern the order and relevance of the individual repositories. More details about this are discussed in http://docs.oracle.com/cd/E28280_01/web.1111/e13707/atn.htm#i1204259. This is important as if you want AD to be your exclusive repository then you must define the user (default is system) you use for starting/stopping and administration for your WebLogic instance. If you do not want to define administrators in AD then you can chain the internal repository with your AD repository. I have seen customers doing this where they define different security repositories for internal users, for adminstrators and for CSS users.
- By default, the group cisusers, is provided to denote the users that are authorized to use the product. This is the default not the only value that you can use.
- Any group you want to use must not have any embedded blanks.
- To change the group in OUAF V4.x use configureEnv[.sh] -a utility and alter the Web Security Role and Web Principal Name to the group you want to use. Use initialSetup[.sh] to reflect the change.
- To change the group in OUAF V2.x create custom templates for web.xml.* and weblogic.xml.* to change the group. Edit the custom templates you created and replace cisusers with the group name you want to use. Use initialSetup[.sh] to reflect the change in your configuration.
- You need to specify the group in your LDAP query for the AD security provider to denote the subset of users to check against.
- Optionally, for the LDAP import interface you also need to supply the new group in the LDAP query to denote the subset of users to import. Refer to LDAP Integration for Oracle Utilities Application Framework based product (Doc Id: 774783.1).