I spent the better part of the morning trying to get WebLogic 10.3 to startup and authenticate using ActiveDirectory instead of our old 8.1 custom realm. I finally did a little searching and found this great post which allowed me discover that I needed to set the control flags to Sufficient instead of Required. Thanks.
UPDATE – May 24, 2012 – Chris Muir, the author of the original post, moved his blog to Oracle. To preserve the helpful content in case his old blog disappears, I have posted it below.
Following are my notes on configuring Oracle’s WebLogic Server 10.3 to use an Microsoft Active Directory server for authentication. Usual disclaimer: your mileage may vary.
For a good starting point as comparison of what options to configure, see the following blogs that consider configuration of WLS for OID or openLDAP:
Frank Nimphius’s How-to configure OID for authentication in WebLogic Server
Edwin Biemond’s Using OpenLDAP as security provider in WebLogic
In the WLS console select Security Realms under the Domain Structure, then myrealm, followed by the Providers tab, then Authentication tab.
Select New. In the Create a New Authentication Provider page, enter a name and select ActiveDirectoryAuthenticator from the drop down, then Ok.
Select your new Authenticator, then the Configuration tab -> Provider Specific tab.
Enter the following values:
- [default] Keep Alive Enabled: disabled
- User Name Attribute: sAMAccountName
- Principal: distinguished Name (DN) of the Active Directory LDAP user ie. DN=LdapAdmin,OU=Users,DC=sagecomputing,DC=com,DC=au
- Host: your hostname
- [default] All Users Filter: null
- [default] Users Search Scope: subtree
- [default] All Groups Filter: null
- [default] Static Member DN Attribute: member
- [default] Group From Name Filter: (&(cn=%g)(objectclass=group))
- [default] Bind Anonymously on Referrals: disabled
- [default] Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))
- [default] Results Time Limit: 0
- Credential: ldap user password (as per that of the principal above)
- Confirm Credential: ldap user password (as per that of the principal above)
- [default] Group Search Scope: subtree
- [default] Cache Size: 32
- User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
- [default] Dynamic Member URL Attribute: null
- [default] Connection Retry Limit: 1
- [default] Connect Timeout: 0
- [default] User Dynamic Group DN Attribute: null
- [default] Static Group Name Attribute: cn
- User Base DN: OU=Users,DC=sagecomputing,DC=com,DC=au
- [default] Use Token Groups For Group Membership Lookup: disabled
- [default] Port: 389
- [default] Follow Referrals: enabled
- [default] Propagate Cause For Login Exception: disabled
- [default] User Object Class: user
- [default] Cache TTL: 60
- Use Retrieved User Name as Principal: enabled
- [default] Dynamic Group Object Class: null
- [default] SSL Enabled: disabled
- Group Base DN: OU=Groups,DC=sagecomputing,DC=com,DC=au
- [default] Cache Enabled: enabled
- [default] Parallel Connect Delay: 0
- [default] Ignore Duplicate Membership: 0
- [default] Static Group Object Class: group
- [default] Group Membership Searching: unlimited
- [default] Max Group Membership Search Level: 0
You’ll need to change the non-default values to suit your environment.
Ensure to restart WLS.
If you reselect the myrealm with the WLS console, under the Users & Groups tab, Users you should see a list of users derived from the Active Directory server, and under the Gorups tab a set of groups derived from the Active Directory server.
Finally return to the WLS console and select the new authenticator provider, and on Configuration tab and Common tab change the Control Flag poplist to Sufficient.