How to configure OID Authentication in Weblogic

This article describes how to configure Oracle Internet Directory (OID) as an LDAP authentication provider in Oracle WebLogic Server, including the steps for setting up the OID authentication provider and its key configuration options.


Oracle WebLogic Server provides a pluggable security architecture in which authentication providers handle user identification. One of the native authentication providers in WebLogic Server is for a generic LDAP server. Oracle Internet Directory (OID) is an LDAP v3 compliant server and can be configured with WLS for authentication.

Configuring WLS
Launch the WLS Console as the administrator.


In the WLS console, click the Security Realm in the Domain Structure area. In the opened page, click the default realm, myrealm, to open the realm configuration page. Click the Providers tab to access the authentication provider dialog.


On the authentication provider page, click the New button to create a new provider.

Type OID as a name to identify the instance or choose a name of your choice. Choose LDAPAuthenticator as the authentication provider type and press OK.


Select the new authentication provider instance to navigate to the configuration page.

Keep the default settings for now. It is important not to change the Control Flag until you have verified that the OID configuration is valid. If the OID provider is to be the only authentication provider, make sure the WebLogic Server user account and the groups it is a member of are created in OID; otherwise the WLS domain won't start up properly. Select the Provider Specific tab.

Edit the following properties in the Provider Specific configuration:

Attribute | Value | Description
Propagate Cause for Login Exception | Check | Propagates exceptions thrown by OID, such as password-expired exceptions, to WLS so they show in the console and the logs
Principal | cn=orcladmin | An administrator account used to connect to OID
Host | <the OID hostname> | 
Use Retrieved User Name as Principal | Check | Specifies whether the user name retrieved from the LDAP server should be used as the Principal in the Subject
Credential | orcladmin password | Password used to authenticate the OID admin account
Confirm Credential | orcladmin password | 
Group Base DN | <oid group search base> | The value of the "Group Search Base" attribute in OID. The value looks like cn=Groups,dc=us,dc=oracle,dc=com and can be looked up in the ODM hierarchy
User Base DN | <oid user search base> | The value of the "User Search Base" attribute in OID. The value looks like cn=users,dc=us,dc=oracle,dc=com and can be looked up in the ODM hierarchy
Port | 389 | The OID port, 389 by default

Press Save when finished. You need to restart the WebLogic Server instance for the changes to take effect. Note that authentication providers in a WLS domain are chained: user authentication is run through all authentication providers in the chain. This is why I suggested keeping the Control Flag at "optional" for the new provider. An optional authentication provider is allowed to fail without causing server startup or user authentication to fail.
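The same provider can be created from a WLST script instead of the console. The script below is an added example, not part of the original post or of Oracle's documentation; it runs under java weblogic.WLST and assumes a domain named base_domain, an admin URL, an OID host and the user and group search bases, all of which are placeholders to be replaced. The setter names correspond to the Provider Specific fields listed in the table above, and the Control Flag is deliberately left at OPTIONAL until the provider has been verified. Both passwords are read from environment variables so they are not stored in the script.

```jython
# Added example (not from the original post): create the OID LDAPAuthenticator
# described above with WLST. Run with: java weblogic.WLST create_oid_provider.py
from java.lang import System

ADMIN_URL     = 't3://adminhost.example.com:7001'  # placeholder admin server URL
DOMAIN        = 'base_domain'                       # placeholder domain name
OID_HOST      = 'oid.example.com'                   # placeholder OID hostname
OID_PORT      = 389
OID_PRINCIPAL = 'cn=orcladmin'
USER_BASE_DN  = 'cn=Users,dc=example,dc=com'        # placeholder user search base
GROUP_BASE_DN = 'cn=Groups,dc=example,dc=com'       # placeholder group search base

# Passwords come from the environment rather than the script file.
admin_password = System.getenv('WLS_ADMIN_PASSWORD')
oid_password   = System.getenv('OID_BIND_PASSWORD')

connect('weblogic', admin_password, ADMIN_URL)
edit()
startEdit()

# Create the provider instance in the default realm, myrealm.
cd('/SecurityConfiguration/%s/Realms/myrealm' % DOMAIN)
cmo.createAuthenticationProvider('OID',
    'weblogic.security.providers.authentication.LDAPAuthenticator')

# Provider Specific settings, matching the table in the post.
cd('AuthenticationProviders/OID')
cmo.setControlFlag('OPTIONAL')   # keep OPTIONAL until the OID lookup is verified
cmo.setHost(OID_HOST)
cmo.setPort(OID_PORT)
cmo.setPrincipal(OID_PRINCIPAL)
cmo.setCredential(oid_password)
cmo.setUserBaseDN(USER_BASE_DN)
cmo.setGroupBaseDN(GROUP_BASE_DN)
cmo.setPropagateCauseForLoginException(true)
cmo.setUseRetrievedUserNameAsPrincipal(true)

save()
activate(block='true')
disconnect()
# Security provider changes are not applied at runtime: restart the server afterwards.
```

Because the new provider is appended to the end of the provider list, the DefaultAuthenticator still runs first, which is what keeps the built-in weblogic account usable while OID is being tested.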

Once the server is up again, log in to the WLS console again. In the WLS console, click the Security Realm in the Domain Structure area. In the opened page, click the default realm, myrealm, to open the realm configuration page. Click the Providers tab to access the authentication provider dialog. Select the Users and Groups tab to see a list of users and groups contained in the configured authentication providers. You should see usernames from the OID configuration, which implicitly verifies that the configuration is working.

 

If the OID instance is configured successfully, you can change the Control Flag. If the OID authentication is sufficient for an application to identify the user, then choose the Sufficient flag. Sufficient means that if a user can be authenticated against OID, no further authentication is processed. Required means that the authentication provider must succeed even if another provider already authenticated the user.
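The verification step and the flag change can also be scripted. The WLST script below is an added example, not part of the original post; it assumes the same placeholders (domain base_domain, admin URL, provider name OID) as before and assumes that the LDAPAuthenticator exposes the UserReader interface used by the console's Users and Groups tab. It lists the users the provider can see in OID and only raises the Control Flag to SUFFICIENT when that lookup returns something, which is the ordering the post recommends.

```jython
# Added example (not from the original post): confirm the OID provider returns
# users before changing its Control Flag. Run with: java weblogic.WLST verify_oid.py
from java.lang import System

ADMIN_URL     = 't3://adminhost.example.com:7001'  # placeholder admin server URL
DOMAIN        = 'base_domain'                       # placeholder domain name
PROVIDER_PATH = '/SecurityConfiguration/%s/Realms/myrealm/AuthenticationProviders/OID' % DOMAIN

connect('weblogic', System.getenv('WLS_ADMIN_PASSWORD'), ADMIN_URL)

# Read-only check through the running provider: same data as the Users and Groups tab.
serverConfig()
cd(PROVIDER_PATH)
cursor = cmo.listUsers('*', 10)      # at most 10 matches are enough to prove the lookup works
found = []
while cmo.haveCurrent(cursor):
    found.append(cmo.getCurrentName(cursor))
    cmo.advance(cursor)
cmo.close(cursor)
print 'Users visible through the OID provider:', found

if found:
    # OID answered the search, so the provider may now decide authentication on its own.
    edit()
    startEdit()
    cd(PROVIDER_PATH)
    cmo.setControlFlag('SUFFICIENT')
    save()
    activate(block='true')
    print 'Control Flag set to SUFFICIENT; restart the server to apply it.'
else:
    # Leave OPTIONAL in place: a provider that cannot see users must not be allowed to block logins.
    print 'No users returned from OID; Control Flag left at OPTIONAL.'

disconnect()
```

Choosing SUFFICIENT rather than REQUIRED here preserves the behaviour described above: a user authenticated by OID is accepted without consulting the remaining providers, while accounts that exist only in the DefaultAuthenticator, such as the boot user, still fall through to it.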
