Active Directory Support

Over the last few days I have had a few questions on our Active Directory support and the use of the cisusers group in the product.

As J2EE products, our products rely on the container to provide the integration between security repositories and the application, and this is the case with Active Directory as well. To configure our product to use Active Directory as a security repository for authentication purposes, use the following process:

  • Configure the WebLogic Security Provider for Active Directory with the relevant interface. This is performed within Oracle WebLogic exclusively. Refer to http://docs.oracle.com/cd/E28280_01/web.1111/e13707/atn.htm#i1216261
    • One thing you need to consider is whether you want your AD repository to be your exclusive repository. Oracle WebLogic allows you to specify multiple security repositories, with rules to govern the order and relevance of the individual repositories. More details are discussed in http://docs.oracle.com/cd/E28280_01/web.1111/e13707/atn.htm#i1204259. This is important because, if you want AD to be your exclusive repository, then you must define in AD the user (the default is system) that you use for starting, stopping and administering your WebLogic instance. If you do not want to define administrators in AD, then you can chain the internal repository with your AD repository. I have seen customers do this, defining different security repositories for internal users, for administrators and for CSS users.
  • By default, the group cisusers is provided to denote the users that are authorized to use the product. This is the default, not the only value that you can use.
    • Any group you want to use must not contain any embedded blanks (spaces).
    • To change the group in OUAF V4.x, use the configureEnv[.sh] -a utility and alter the Web Security Role and Web Principal Name to the group you want to use. Use initialSetup[.sh] to reflect the change.
    • To change the group in OUAF V2.x, create custom templates for web.xml.* and weblogic.xml.* to change the group. Edit the custom templates you created and replace cisusers with the group name you want to use. Use initialSetup[.sh] to reflect the change in your configuration.
  • You need to specify the group in your LDAP query for the AD security provider to denote the subset of users to check against.
  • If you use the LDAP import interface, you also need to supply the new group in its LDAP query to denote the subset of users to import. Refer to LDAP Integration for Oracle Utilities Application Framework based product (Doc Id: 774783.1).
Comments:

Thanks Anthony, this information is very helpful. I have a question on "If you do not want to define administrators in AD then you can chain the internal repository with your AD repository. I have seen customers doing this where they define different security repositories for internal users, for administrators and for CSS users."

Our current setup is like this, in sequence:
1. CustomLDAPprovider
2. DefaultAuthenticator (came with OUAF)
3. DefaultIdentityAsserter (came with OUAF)

We want to configure it in a way that the SYSTEM account will not be in LDAP. So the way we envision this to work is to have SYSTEM (and other admin accounts) authenticated by WebLogic and all other users authenticated via LDAP.

So what option should I be setting on the control flag for these providers? Please advise.

Posted by guest on September 21, 2013 at 04:39 AM EST #

The security providers are provided by Oracle WebLogic, not OUAF. The WebLogic security manual in "Configuring Authentication Providers" discusses how to set up multiple providers to daisy chain them. Use the SUFFICIENT setting to allow users to be in at least one of the providers. Other settings are available.

Posted by acshorten on February 11, 2014 at 04:06 PM EST #
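To show what the SUFFICIENT setting does for the chain described in the question, here is an added example (not code from the post, from OUAF or from WebLogic) that simulates JAAS-style control-flag evaluation over two hypothetical providers with constructed users. The DefaultIdentityAsserter is an identity asserter rather than an authenticator and is not modelled, and the per-provider group check stands in for the group restriction placed in the AD provider's LDAP query.

```python
from enum import Enum

class Flag(Enum):
    """WebLogic/JAAS control flags for an authentication provider."""
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"

# Constructed sample repositories (hypothetical users, not from the post):
# user -> (password, groups held). Plain-text passwords are for the demo only.
CUSTOM_LDAP = {"jsmith": ("ldap-pw", {"cisusers"}), "bjones": ("pw2", {"staff"})}
DEFAULT_AUTH = {"system": ("welcome1", {"Administrators"})}

def check(repo, user, password, required_group=None):
    """One provider's attempt: the password must match and, when a group is
    configured (the cisusers restriction from the post), the user must hold it."""
    entry = repo.get(user)
    if entry is None or entry[0] != password:
        return False
    return required_group is None or required_group in entry[1]

def authenticate(chain, user, password):
    """Evaluate a provider chain of (name, flag, repo, group) tuples the way a
    JAAS login stack does. Returns the first provider that accepted the user,
    or None when the chain as a whole rejects the login."""
    required_failed = False
    accepted_by = None
    for name, flag, repo, group in chain:
        ok = check(repo, user, password, group)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:   # REQUISITE failure stops the chain
                    return None
            else:
                accepted_by = accepted_by or name
        elif ok:
            accepted_by = accepted_by or name
            if flag is Flag.SUFFICIENT and not required_failed:
                return accepted_by           # later providers are not consulted
    return None if required_failed else accepted_by

# The chain from the comment: AD/LDAP first, WebLogic's embedded LDAP second,
# both SUFFICIENT so a user needs to be in only one of them.
CHAIN = [
    ("CustomLDAPprovider", Flag.SUFFICIENT, CUSTOM_LDAP, "cisusers"),
    ("DefaultAuthenticator", Flag.SUFFICIENT, DEFAULT_AUTH, None),
]
```

With both providers SUFFICIENT, system is accepted by DefaultAuthenticator without an LDAP entry, while marking the LDAP provider REQUIRED would reject system outright.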

About

Anthony Shorten
Hi, I am Anthony Shorten, I am the Principal Product Manager for the Oracle Utilities Application Framework. I have been working for over 20+ years in the IT Business and am the author of many a technical whitepaper, manual and training material. I am one of the product managers working on strategy and designs for the next generation of the technology used for the Utilities and Tax markets. This blog is provided to announce new features, document tips and techniques and also outline features of the Oracle Utilities Application Framework based products. These products include Oracle Utilities Customer Care and Billing, Oracle Utilities Meter Data Management, Oracle Utilities Mobile Workforce Management and Oracle Enterprise Taxation and Policy Management. I am the product manager for the Management Pack for these products.
