Weblogic 12c Authentication Using External LDAP (Oracle Unified Directory)

Captions
Hello everyone, Prasad Domala here. In this video I will show you how to configure WebLogic 12c authentication using an external LDAP, and I will be using OUD, that is Oracle Unified Directory, as my external LDAP. For this video I am assuming that you already have your WebLogic 12c domain created and your OUD installed and configured with some test users in it. If you want to know how to install and configure OUD, please have a look at my video; I'll leave the link in the description.

Before starting the configuration, let me discuss the supported LDAP servers compatible with WebLogic 12c. WebLogic 12c supports Oracle Internet Directory, Oracle Virtual Directory, Oracle Unified Directory, iPlanet Directory Server, Microsoft Active Directory, OpenLDAP and Novell eDirectory, and we also have a generic LDAP Authentication provider.

Next we need to know about control flags, also known as JAAS control flags (that is, Java Authentication and Authorization Service), which play an important role in authentication provider configuration. There are four control flags: REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL. The REQUIRED flag is always called and must pass the authentication test, and the authentication flow continues down the list irrespective of success or failure. The REQUISITE flag is similar to REQUIRED, where it is always called and required to pass the authentication test, but if it fails the authentication flow will not continue down the list; it flows down only if the authentication is successful. Next we have the SUFFICIENT flag, where it is not required to pass the authentication test, and if the test is successful it will not continue down the list; it continues only in case of failure. The last flag is OPTIONAL, which is also not required to pass the test, and authentication continues down the list irrespective of success or failure.

Now let me show you my LDAP, that is OUD. Here I am using Apache Directory Studio; you can use any LDAP client to view your LDAP content. I have some test users created in my OUD and have one group called Administrators, and I have the wlsadmin user ID added to my Administrators group. Our goal here is to configure this OUD with WebLogic so that we can log into the WebLogic Administration Console using any user ID that is part of this Administrators group. During the configuration we need to provide the User Base DN and Group Base DN, which are nothing but the containers for your users and groups. In my case the User Base DN would be ou=people,dc=wls,dc=com and my Group Base DN would be ou=groups,dc=wls,dc=com.

So I have my WebLogic domain already created and have started my Admin Server, so let me log in to my WebLogic Administration Console, that is pdol6wls12c:7001/console. I log in using the embedded WebLogic credentials. This is my WebLogic Administration Console home page. Here you need to navigate to Security Realms, then myrealm, then the Providers tab. Here you will see DefaultAuthenticator under Authentication Providers. We need to create our OUD authentication provider here, so click on Lock & Edit and then click on New. Provide a name for your authentication provider; I will call it OUD Authenticator, and then you need to select Oracle Unified Directory Authenticator as the type of your authentication provider. You have many options here, so depending on the LDAP you are using you need to select the respective type. In my case I am using Oracle Unified Directory as my back-end LDAP, so I will use Oracle Unified Directory Authenticator as my authentication provider type. Once you select the type, click OK.

Now your authentication provider is created; you need to configure it. Select your newly created authentication provider and then navigate to the Provider Specific tab. Here you need to provide the details of your OUD. In my case the Host would be pdol6wls12c and my Port is 1389, where I have my OUD running. Principal is nothing but the administrator user ID with which you log in to your OUD; in my case it is cn=Directory Manager, and then you need to provide the password for your Directory Manager. If you have an SSL-enabled LDAP, then you need to select the SSL Enabled checkbox here.

Next you have User Base DN, as I mentioned; in my case the base DN would be ou=people,dc=wls,dc=com, so let me copy this. Next we have All Users Filter. This is the LDAP expression used to search all users in the LDAP; in our case it would be (&(uid=*)(objectclass=person)). If you perform an LDAP search with this search filter you will get all the users present in your LDAP. Next you have User From Name Filter. This will be similar to All Users Filter, but instead of uid=* you will have uid=%u. This %u is just a placeholder for your username, which will be picked up from the login page. Next you have User Search Scope; you will have subtree or onelevel. If you want to search only one level from your base DN you can select onelevel, or if you want to search all the subtrees inside your LDAP directory structure you can select subtree. I'll leave the default, subtree, as it is. Next you need to provide the User Name Attribute. This is the attribute where your username is stored in your LDAP; in our case it would be uid. That is, if you select any user ID, this is the attribute where your username is stored, so you need to provide this particular attribute name; in our case it would be uid, so let me change that. And then User Object Class is person.

Next, coming to the group section, you have Group Base DN; in our case it would be ou=groups,dc=wls,dc=com, so let me copy that and paste it here. Next you will have All Groups Filter. This is not mandatory; you don't need to provide anything. Next we have Group From Name Filter. This value is used to search for a group from its name, that is cn=%g, where %g represents the group name. For groups we have two object classes, groupOfUniqueNames and groupOfURLs. groupOfUniqueNames is the object class for static groups and groupOfURLs is for dynamic groups, so we provide both object classes combined using the OR operator. Let me copy this value into Notepad so that you can see it properly. This is the value we provide: our groups are identified using cn=%g, and then we have the two object classes, objectclass=groupOfUniqueNames for static groups and objectclass=groupOfURLs for our dynamic groups. Next we have Group Search Scope; we can leave subtree.

Next we will have two sections, for static groups and dynamic groups, so you need to provide their respective settings. For static groups you'll have Static Group Name Attribute; that is nothing but cn. If you go to your LDAP and select your group name, the group name will be stored in an attribute called cn, so you need to provide this particular attribute name as your Static Group Name Attribute. And then you have Static Group Object Class. This will be respective to your LDAP; for OUD the static group object class is groupOfUniqueNames. Similarly, the Dynamic Group Object Class is groupOfURLs, and the Dynamic Group Name Attribute will be the same for static and dynamic groups, that is nothing but cn. Next you have Static Member DN Attribute for our static groups. This is nothing but the attribute where the members of that particular group are stored; in the case of static groups it would be uniquemember. If you go to your LDAP, this is the attribute where all your members are stored. This is a multi-valued attribute; you can store as many members as you like in this particular attribute, so you need to provide that particular attribute name here. Next we have Static Group DNs from Member DN Filter. This is similar to your User From Name or Group From Name filter; in this case it would be uniquemember=%M, where %M is nothing but the member of that particular group, and then you need to provide the object class, so for static groups it would be groupOfUniqueNames. For dynamic groups the members will be stored using a URL attribute, that is nothing but memberURL. These are the settings you need to provide for your authenticator, so you can save these settings and then activate your changes.

Next you need to change the control flag for your DefaultAuthenticator to SUFFICIENT, so let's do that. Let's go to our Providers, select DefaultAuthenticator and change the Control Flag to SUFFICIENT. After changing this you need to restart your Admin Server, so I will quickly restart my Admin Server and get back when the Admin Server is restarted successfully.

OK, now my Admin Server is restarted. Let me log in to my Administration Console using my embedded WebLogic credentials again. Now if you navigate to Security Realms, myrealm, Users and Groups, you should be able to see the users and groups from the external LDAP, that is OUD in my case. As you can see, we have all the users visible here, so the connection and retrieval of users and groups from your external LDAP is working as expected. Next navigate to the Roles and Policies tab, then Global Roles, then expand Roles and click on View Role Conditions for the Admin role. Here we need to make sure that the Administrators group name is added; as you can see, by default the Administrators group is added. This means that all the users in this particular group of your LDAP will have administrator access to your WebLogic Administration Console. If you want other roles as well, like Monitor or Operator, create the groups in your OUD with the same name and add those groups to the respective roles under your Global Roles.

Now we need to restrict using the embedded WebLogic ID and use the external LDAP for authentication. To do that we need to change the control flag of the OUD Authenticator to REQUIRED and move it to the top of the list of authentication providers. So let's get back to the Providers tab and change the control flag for our OUD Authenticator to REQUIRED, and then move the OUD Authenticator to the top of the list: select the Reorder button here, then select your OUD Authenticator and move it to the top. Save your settings, activate your changes, and after doing this we need to restart our Admin Server, so let me do that quickly. Before starting your Admin Server you need to modify the credentials in your boot.properties and provide the credentials from your external LDAP, that is OUD. So let me modify my boot.properties under servers/AdminServer/security/boot.properties. I will change my username to wlsadmin, which is the user in my external LDAP, that is OUD, and then I will provide the password for that; I guess the password is Oracle. Save your boot.properties and then start your Admin Server.

OK, my Admin Server is restarted now, so let me log in to my Administration Console again. This time I will be logging in using my wlsadmin ID, that is my OUD user. As you can see, we are logged in using our external LDAP user. As we have restricted the embedded LDAP for authentication, if you log in using the WebLogic user ID you should get an authentication error, so let's check it out. Let's log out and use our old embedded WebLogic ID and password; you should get an "Authentication Denied" error. And that's it; you have now configured WebLogic 12c authentication using an external LDAP, that is OUD, and you have restricted the embedded LDAP authentication. If you have any questions please post them in the comments, and please have a look at my blog on this topic for step-by-step instructions with screenshots; I will leave the link in the description. Hope you liked the video and found it helpful. If you did, please hit that like button down below and subscribe to my YouTube channel for more videos on various Oracle technologies. That's it for now, have a good day and see you in the next one.
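The following is an added example written for this page; it is not code from the video, from the speaker's blog, or from WebLogic itself. It models the two parts of the procedure that are easy to get wrong so they can be checked offline: the provider-specific filter templates with their %u / %g / %M placeholders (the filter values are the ones named in the video; the RFC 4515 escaping is the generic LDAP rule for splicing a login-page value into a filter, not a description of WebLogic's internals), and the JAAS control-flag evaluation replayed over the provider stacks the video builds. The accounts and passwords are constructed test data, and the assumption that a newly created provider starts at OPTIONAL is flagged in the code.

```python
from enum import Enum

# Part 1: provider-specific filter templates used in the video's OUD setup.
USER_BASE_DN = "ou=people,dc=wls,dc=com"
GROUP_BASE_DN = "ou=groups,dc=wls,dc=com"
ALL_USERS_FILTER = "(&(uid=*)(objectclass=person))"
USER_FROM_NAME_FILTER = "(&(uid=%u)(objectclass=person))"
GROUP_FROM_NAME_FILTER = "(&(cn=%g)(|(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
STATIC_GROUP_DNS_FROM_MEMBER_DN_FILTER = "(&(uniquemember=%M)(objectclass=groupOfUniqueNames))"

# RFC 4515 section 3: these characters may not appear raw in an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the filter can only match it literally (generic LDAP rule)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, **values: str) -> str:
    """Fill %u / %g / %M placeholders with escaped values before searching."""
    out = template
    for key, raw in values.items():
        out = out.replace("%" + key, escape_filter_value(raw))
    return out


# Part 2: JAAS control flags evaluated over an ordered provider list.
class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


def password_check(store):
    """Credential check against one backing store (a stand-in for one LDAP)."""
    return lambda user, pw: store.get(user) == pw


def jaas_login(stack, username, password):
    """Evaluate (name, flag, check) providers with JAAS semantics.

    Returns (authenticated, trace).
    REQUIRED   must pass; evaluation continues either way.
    REQUISITE  must pass; on failure evaluation stops at once.
    SUFFICIENT on success stop and succeed, unless an earlier REQUIRED or
               REQUISITE provider already failed; on failure continue.
    OPTIONAL   does not decide the outcome; evaluation continues.
    With no REQUIRED/REQUISITE provider, at least one provider must pass.
    """
    trace, required_failed, any_passed = [], False, False
    has_required = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f, _ in stack)
    for name, flag, check in stack:
        passed = check(username, password)
        trace.append(f"{name}[{flag.value}]={'pass' if passed else 'fail'}")
        any_passed = any_passed or passed
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not passed:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break
        elif flag is Flag.SUFFICIENT and passed and not required_failed:
            return True, trace
    return ((not required_failed) if has_required else any_passed), trace


# Constructed accounts: one in the embedded LDAP, one in OUD's ou=people.
EMBEDDED_USERS = {"weblogic": "welcome1"}
OUD_USERS = {"wlsadmin": "Oracle"}

# After the first restart: DefaultAuthenticator lowered to SUFFICIENT, the new
# OUD provider still OPTIONAL (assumption: WebLogic's default for a new provider).
STACK_AFTER_FIRST_RESTART = [
    ("DefaultAuthenticator", Flag.SUFFICIENT, password_check(EMBEDDED_USERS)),
    ("OUDAuthenticator", Flag.OPTIONAL, password_check(OUD_USERS)),
]
# Final stack from the video: OUD REQUIRED and moved to the top.
FINAL_STACK = [
    ("OUDAuthenticator", Flag.REQUIRED, password_check(OUD_USERS)),
    ("DefaultAuthenticator", Flag.SUFFICIENT, password_check(EMBEDDED_USERS)),
]
# Common mistake: OUD on top but only SUFFICIENT; the embedded account still works.
BOTH_SUFFICIENT_STACK = [
    ("OUDAuthenticator", Flag.SUFFICIENT, password_check(OUD_USERS)),
    ("DefaultAuthenticator", Flag.SUFFICIENT, password_check(EMBEDDED_USERS)),
]

if __name__ == "__main__":
    print(render_filter(USER_FROM_NAME_FILTER, u="wlsadmin"))
    print(render_filter(USER_FROM_NAME_FILTER, u="*)(uid=*"))  # escaped: stays a literal
    for label, stack in (("final", FINAL_STACK), ("both sufficient", BOTH_SUFFICIENT_STACK)):
        for user, pw in (("weblogic", "welcome1"), ("wlsadmin", "Oracle")):
            ok, trace = jaas_login(stack, user, pw)
            print(f"{label:16}{user:10}{'granted' if ok else 'denied':8}{trace}")
```

Two things the replay makes visible that the console does not: the embedded `weblogic` account is only locked out once a REQUIRED (or REQUISITE) provider sits above the SUFFICIENT DefaultAuthenticator, and a username such as `*)(uid=*` submitted to the login page only stays a literal match because the value is escaped before it is substituted for `%u`.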
Info
Channel: Prasad Domala
Views: 19,825
Keywords: Fusion middleware, weblogic 12c, external authentication, Weblogic LDAP Authentication, weblogic OID integration, weblogic OUD integration, weblogic LDAP integration, weblogic control flags, authentication providers, JAAS control flags
Id: 1FqEzQkd6eU
Length: 14min 53sec (893 seconds)
Published: Mon Oct 10 2016