How to configure OID Authentication in Weblogic


Oracle WebLogic Server provides a pluggable security architecture in which authentication providers handle user identification. One of the native authentication providers in WebLogic Server is for a generic LDAP server. Oracle Internet Directory (OID) is an LDAP v3 compliant server and can be configured with WLS for authentication.

 

Configuring WLS
Launch the WLS Console as the administrator.

 

In the WLS console, click the Security Realm in the Domain Structure area. In the opened page, click the default realm, myrealm, to open the realm configuration page. Click the Providers tab to access the authentication provider dialog.

 

On the authentication provider page, click the New button to create a new provider.

Type OID as a name to identify the instance or choose a name of your choice. Choose LDAPAuthenticator as the authentication provider type and press OK.

 

Select the new authentication provider instance to navigate to the configuration page.

 

Keep the default settings for now. It is important not to change the Control Flag (which defaults to Optional for a new provider) until you have verified that the OID configuration is valid. If the OID provider is to be the only authentication provider, make sure the WebLogic server administrator account and its granted group memberships are created in OID; otherwise the WLS domain won't start up properly. Select the Provider Specific tab.

 

Edit the following properties in the Provider Specific configuration:

 

| Attribute | Value | Description |
|---|---|---|
| Propagate Cause for Login Exception | Check | Propagates exceptions thrown by OID, such as password-expired exceptions, to WLS so they show in the console and the logs |
| Principal | cn=orcladmin | An administrator account used to connect (bind) to OID |
| Host | <the OID hostname> | Hostname of the OID server |
| Use Retrieved User Name as Principal | Check | Specifies whether the user name retrieved from the LDAP server should be used as the Principal in the Subject |
| Credential | orcladmin password | Password to authenticate the OID admin account |
| Confirm Credential | orcladmin password | Repeat of the credential |
| Group Base DN | <oid group search base> | The value of the "Group Search Base" attribute in OID. The value looks like cn=Groups,dc=us,dc=oracle,dc=com and can be looked up in the ODM hierarchy |
| User Base DN | <oid user search base> | The value of the "User Search Base" attribute in OID. The value looks like cn=users,dc=us,dc=oracle,dc=com and can be looked up in the ODM hierarchy |
| Port | 389 | The OID port, 389 by default |

 

Press Save when finished. You need to restart the WebLogic server instance for the changes to take effect. Note that authentication providers in a WLS domain are chained: every configured provider is invoked in turn during a login, and each provider's Control Flag decides whether its failure makes the login (or the server startup) fail. This is why I suggested keeping the default Optional flag for the new provider. An optional provider is allowed to fail without causing server startup or user authentication to fail.
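The same provider can be created from WLST (WebLogic's Jython shell) instead of the console, which is useful when the configuration has to be repeatable across domains. The script below is an added example, not code from the original post; the domain name, admin URL, OID host and base DNs are placeholders you must replace, and the WLS and OID passwords are read from environment variables so they never sit in the script. It creates the provider with the Control Flag left at OPTIONAL, exactly as the steps above recommend, so a wrong OID setting cannot block the domain from starting. The post binds as cn=orcladmin; a dedicated read-only bind account is the safer choice for a production directory.

```jython
# Added example (not from the original post): create the OID LDAPAuthenticator
# through WLST with the same Provider Specific values as the console steps.
# Domain name, admin URL, OID host and base DNs are placeholders (assumptions).
import os

DOMAIN     = 'base_domain'                        # assumption: your WLS domain name
ADMIN_URL  = 't3://localhost:7001'                # assumption: admin server URL
PROVIDER   = 'OID'                                # provider name used in the post
OID_HOST   = 'oid.example.com'                    # placeholder: the OID hostname
OID_PORT   = 389                                  # OID default port
BIND_DN    = 'cn=orcladmin'                       # as in the post; prefer a read-only bind account
USER_BASE  = 'cn=Users,dc=us,dc=oracle,dc=com'    # placeholder: "User Search Base" from ODM
GROUP_BASE = 'cn=Groups,dc=us,dc=oracle,dc=com'   # placeholder: "Group Search Base" from ODM

# Secrets come from the environment, not from the script or the shell history.
bind_pw = os.environ.get('OID_BIND_PASSWORD')
if not bind_pw:
    raise SystemExit('set OID_BIND_PASSWORD before running this script')

connect(os.environ['WLS_USER'], os.environ['WLS_PASSWORD'], ADMIN_URL)
edit()
startEdit()

realm = '/SecurityConfiguration/%s/Realms/myrealm' % DOMAIN
cd(realm)
# Same provider type as chosen in the console ("LDAPAuthenticator").
cmo.createAuthenticationProvider(
    PROVIDER, 'weblogic.security.providers.authentication.LDAPAuthenticator')

cd(realm + '/AuthenticationProviders/' + PROVIDER)
# Leave the flag OPTIONAL until OID is verified: a failing REQUIRED provider
# stops the domain from starting and can lock out the weblogic admin user.
cmo.setControlFlag('OPTIONAL')
cmo.setHost(OID_HOST)
cmo.setPort(OID_PORT)
cmo.setPrincipal(BIND_DN)
cmo.setCredential(bind_pw)
cmo.setUserBaseDN(USER_BASE)
cmo.setGroupBaseDN(GROUP_BASE)
cmo.setPropagateCauseForLoginException(true)   # surface OID errors (e.g. expired password) in logs
cmo.setUseRetrievedUserNameAsPrincipal(true)

save()
activate()
disconnect()
# The provider is not active until the server is restarted.
```

Run it as `wlst.sh create_oid_provider.py` with WLS_USER, WLS_PASSWORD and OID_BIND_PASSWORD exported in the shell; the restart mentioned above is still required afterwards.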

 

Once the server is up again, log in to the WebLogic console. In the WLS console, click the Security Realm in the Domain Structure area. In the opened page, click the default realm, myrealm, to open the realm configuration page. Click the Providers tab to access the authentication provider dialog, then select the Users and Groups tab to see a list of users and groups contained in the configured authentication providers. You should see usernames from the OID configuration, which implicitly verifies that the configuration is working.

 

If the OID instance is configured successfully, you can change the Control Flag. If OID authentication is sufficient for an application to identify the user, choose the Sufficient flag. Sufficient means that if a user can be authenticated against OID, no further authentication is processed. Required means that this authentication provider must succeed even if another provider already authenticated the user.
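The console check above (users from OID visible under Users and Groups) can be scripted so that the Control Flag is only promoted once the provider demonstrably returns users. The WLST script below is an added example, not part of the original post: it asks the OID provider for a page of user names through the provider's user-reader methods and changes the flag to SUFFICIENT only if at least one user comes back; otherwise it leaves the flag at OPTIONAL and points at the settings to re-check. Domain name and admin URL are placeholders.

```jython
# Added example (not from the original post): verify that the OID provider can
# enumerate users after the restart, then promote its Control Flag.
# Domain name, admin URL and the target flag are assumptions.
import os

DOMAIN    = 'base_domain'          # assumption: your WLS domain name
ADMIN_URL = 't3://localhost:7001'  # assumption: admin server URL
PROVIDER  = 'OID'                  # provider name used in the post
NEW_FLAG  = 'SUFFICIENT'           # per the post; use REQUIRED only once the weblogic admin user exists in OID
PATH      = '/SecurityConfiguration/%s/Realms/myrealm/AuthenticationProviders/%s' % (DOMAIN, PROVIDER)

def list_provider_users(max_users):
    """Return up to max_users names the provider can see (runtime view)."""
    serverConfig()
    cd(PATH)
    cursor = cmo.listUsers('*', max_users)
    names = []
    while cmo.haveCurrent(cursor):
        names.append(cmo.getCurrentName(cursor))
        cmo.advance(cursor)
    cmo.close(cursor)
    return names

def set_control_flag(flag):
    """Change the provider's Control Flag in the edit tree and activate it."""
    edit()
    startEdit()
    cd(PATH)
    cmo.setControlFlag(flag)
    save()
    activate()

connect(os.environ['WLS_USER'], os.environ['WLS_PASSWORD'], ADMIN_URL)

users = list_provider_users(10)
if not users:
    # Same symptom as an empty Users and Groups list in the console.
    print('OID returned no users; leaving Control Flag OPTIONAL. '
          'Re-check Host, Port, Principal/Credential, User Base DN and Group Base DN.')
else:
    print('OID users seen: %s' % users)
    set_control_flag(NEW_FLAG)
    print('Control Flag of %s set to %s' % (PROVIDER, NEW_FLAG))

disconnect()
```

Keeping the verification and the flag change in one script avoids the common mistake of switching the flag first and discovering a typo in a base DN only when the domain fails to start.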

 
