{"id":2127,"date":"2018-02-19T12:38:48","date_gmt":"2018-02-19T17:38:48","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=2127"},"modified":"2018-02-26T12:52:02","modified_gmt":"2018-02-26T17:52:02","slug":"weblogic-ldap-authentication","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=2127","title":{"rendered":"WebLogic LDAP Authentication"},"content":{"rendered":"<p><strong>Configuring an LDAP Authentication provider in WebLogic (version 11g used in this documentation)<\/strong><\/p>\n<ul>\n<li>In configuring LDAP authentication, I add a new authentication provider but continue to use the local provider for the system account under which WebLogic is launched. Partially because I don\u2019t really use WebLogic (there\u2019s an Oracle app with its own management site that runs within WebLogic \u2013 very small number of users, so our configuration is in no way optimized), but partially because using a network-sourced system account can prevent your WebLogic instance from launching. If your config isn\u2019t right, or if the network is down, or a firewall gets in the way, or the LDAP server is down \u2026. Your WebLogic fails to launch because its system ID is not validated.<\/li>\n<\/ul>\n<p><strong>WebLogic Configuration<\/strong><\/p>\n<p>Lock &amp; Edit the site so we can make changes.\u00a0On the left-hand pane, scroll down &amp; find Security Realms<\/p>\n<p>Go into your realm, select the \u201cproviders\u201d tab. Supply a name for the provider (I included \u201cLDAP\u201d in the name to ensure it was clear which provider this was \u2013 may even want to specify something like \u201cCompanyXLDAPAuthProvider\u201d)<\/p>\n<p>Select type \u201cLDAPAuthenticator\u201d for generic LDAP (I was using Sun DSEE, and moved to Oracle OUD without changing the authenticator type). Click OK to create.<\/p>\n<p>Change the control flag on your default authenticator. Click the hyperlink for the default provider. 
On the \u201cCommon\u201d tab, change the \u201cControl Flag\u201d to \u201cSUFFICIENT\u201d and save.<\/p>\n<p>Click the hyperlink for the newly created provider. On the \u201cCommon\u201d tab, change the \u201cControl Flag\u201d to \u201cSUFFICIENT\u201d and save.<\/p>\n<p>Select the \u201cProvider specific\u201d tab.<\/p>\n<p><strong>Connection<\/strong><\/p>\n<p>Host:\u00a0\u00a0\u00a0\u00a0 &lt;your LDAP server&gt;<\/p>\n<p>Port:\u00a0\u00a0\u00a0\u00a0\u00a0 636<\/p>\n<p>Principal:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 &lt;Your system account, provided when you request access to the LDAP directory&gt;<\/p>\n<p>Credentials:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 &lt;Your system account password&gt;<\/p>\n<p>Confirm Credentials:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 &lt;same as credentials&gt;<\/p>\n<p>SSLEnabled:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Check this box (for testing purposes, i.e. if you are unable to connect with these instructions as provided, you can set the port to 389 and <em>not<\/em> check this box to help with troubleshooting the problem. But production authentication needs to be done over SSL)<\/p>\n<p><strong>Users<\/strong><\/p>\n<p>User Base DN:\u00a0 \u00a0 &lt;get this from your LDAP admin. 
Ours is &#8220;ou=people,o=CompanyX&#8221;)<\/p>\n<p>All User Filter:\u00a0\u00a0\u00a0 (&amp;(objectClass=inetOrgPerson))<\/p>\n<p><em>For applications with a single group restricting valid users, you can use the filter: (&amp;(objectClass=inetOrgPerson)(isMemberOf=cn=GroupNameHere,ou=groups,o=CompanyX))<\/em><\/p>\n<p>Users from name filter:\u00a0 (&amp;(uid=%u)(objectClass=inetOrgPerson))<\/p>\n<p>User Search Type:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 subtree (onelevel may be fine, but verify with your LDAP administrator)<\/p>\n<p>User Name Attribute:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 uid<\/p>\n<p>User Object Class:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 inetOrgPerson<\/p>\n<p>Use Retrieved User Name as Principal \u2013 I didn\u2019t select this, don\u2019t really know what it does<\/p>\n<p><strong>Groups<\/strong><\/p>\n<p>Group Base DN:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0&lt;another one to get from your LDAP admin. 
Ours is &#8220;ou=groups,o=CompanyX&#8221;&gt;<\/p>\n<p>All Groups Filter:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (&amp;(objectClass=groupOfUniqueNames))<\/p>\n<p><em>If your group names all have the same prefix, you could limit \u201call\u201d groups to just your groups with a filter like (&amp;(objectClass=groupOfUniqueNames)(cn=MyApp*))<\/em><\/p>\n<p>Group from name filter: (&amp;(cn=%g)(objectclass=groupofuniquenames))<\/p>\n<p>Group search scope:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 subtree (again, onelevel may be fine)<\/p>\n<p>Group membership searching:\u00a0 \u00a0 &lt;We select &#8216;limited&#8217; because there are\u00a0<em>no<\/em> nested groups in the LDAP directories. If you need to resolve nested group memberships, this and the next value will be different&gt;<\/p>\n<p>Max group membership search level:\u00a0\u00a0\u00a0\u00a0\u00a0 0<\/p>\n<p>Ignore duplicate membership:\u00a0\u00a0\u00a0\u00a0 Doesn\u2019t really matter as we don\u2019t have duplicates. 
I left this unchecked.<\/p>\n<p><strong>Static groups<\/strong><\/p>\n<p>Static group Attribute name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cn<\/p>\n<p>Static group Object Class:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 groupOfUniqueNames<\/p>\n<p>Static Member DN Attribute:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 uniqueMember<\/p>\n<p>Static Group DNs from Member filter:\u00a0\u00a0\u00a0\u00a0 (&amp;(uniquemember=%M)(objectclass=groupofuniquenames))<\/p>\n<p><strong>Dynamic Groups<\/strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <em>this section is left blank\/defaults as we don\u2019t use dynamic groups<\/em><\/p>\n<p><strong>General<\/strong><\/p>\n<p>Connection Pool Size:\u00a0\u00a0\u00a0\u00a0 Ideal value dependent on your anticipated application load \u2013 default of 6 is a good place to start.<\/p>\n<p>Connect timeout:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Default is 0. I don\u2019t know if this is something particular to WebLogic, but I generally use a 15 or 30 second timeout. If the server hasn\u2019t responded in that period, it is not going to respond and there\u2019s no need to hang the thread waiting.<\/p>\n<p>Connection Retry Limit: Default is 1, this should be sufficient but if you see a lot of connection errors, either increase the connect timeout or increase this retry limit<\/p>\n<p>Parallel Connect Delay:\u00a0 0 (default) is fine<\/p>\n<p>Result time limit:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0 (default) is OK. On my LDAP server, there is no time limit for searches. Since WebLogic is making very simple searches, you <em>could<\/em> put a limit in here to retry any search that takes abnormally long<\/p>\n<p>Keep Alive Enabled:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Please do not enable keep alive unless you have a specific need for it. 
Bringing up a new session uses slightly more time\/resources on your app server than re-using an existing connection <em>but<\/em> that keep alive is a LOT of extra \u201chey, I\u2019m still here\u201d pings against the LDAP servers<\/p>\n<p>Follow Referrals:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Un-check this box unless your LDAP admin tells you referrals are in use and\u00a0<em>should<\/em> be followed.<\/p>\n<p>Bind Anonymously on referrals:\u00a0 Leave unchecked if you are not following referrals. If referrals are used and followed &#8211; ask the LDAP admin how to bind<\/p>\n<p>Propagate cause for logon exception:\u00a0\u00a0\u00a0\u00a0\u00a0 I check this box because I *want* the ugly LDAP error code that explains why the logon failed (49 == bad user\/password pair; 19 == account locked out). But no *need* to check the box<\/p>\n<p>Cache Related Settings:\u00a0 This is something that would require more knowledge of WebLogic than I have ?<\/p>\n<p>If you enable caching, you may not see changes for whatever delta-time is the cache duration. So, the defaults of enabling cache &amp; retaining it for 60 seconds wouldn\u2019t really create a problem. If you set the cache duration to one day (a silly setting to make the problem cache can create clear) \u2026. If I logged into your application at 2PM, did a whole bunch of work, went home, came back the next morning &amp; saw my \u201cyour password is about to expire\u201d warning \u2026 so go out to the password portal and change my password. Reboot, get logged back into my computer \u2026. and try to access your application, I will get told my password is invalid. I could try again, even type what I *know* is my password into notepad &amp; paste it into your app \u2026 still not able to log on. 
My old password, were I to try it, would work \u2026 but otherwise I\u2019d have to wait until after 2PM before my new password would work.<\/p>\n<p>Group membership changes could be a problem too \u2013 with the same 24 hour cache, if I am a valid user of your application who signs in at 2PM today, but my job function changes tomorrow morning &amp; my access is revoked \u2026 I will still have application access until the cache expires. I am not sure if WebLogic does negative caching \u2013 basically if I am *not* a user, try to sign in and cannot because I lack the group membership &amp; get an access request approved *really quickly* to become a group member, I may still be unable to access the application until the \u201cLisa is not a member of group XYZ\u201d cache expires. If WebLogic does not do negative caching, then this scenario is not an issue.<\/p>\n<p>So you <em>might<\/em> be able to lower utilization on your app server &amp; my LDAP server by enabling cache (if your app, for instance, re-auths the object **each time the user changes pages** or something, then caching would be good). If you are just checking authentication and authorization on logon \u2026 probably not going to do much to lower utilization. But certainly keep the cache TTL low (like minutes, not days).<\/p>\n<p>GUID Attribute:\u00a0 nsUniqueID<\/p>\n<p><strong>Establishing The SSL Trust<\/strong><\/p>\n<p>For encryption to be negotiated with the LDAP servers, you need to have a keystore that includes the public keys from the CA used to sign the LDAP server cert. Obtain the base 64 encoded public keys either from the PKI admin or the LDAP admin. Place these file(s) on your server \u2013 I use the \/tmp\/ directory since they are no longer needed after import.<\/p>\n<p>From the domain structure section, select: Environment=&gt;Servers and select your server. On the &#8220;Configuration&#8221; tab, click the keystores sub-tab. 
If you are not already using a custom trust, you need to change the keystore type to use a custom trust (and specify a filename in a path to which the WebLogic account has access &#8211; keystore type is JKS and the password is whatever you are going to make the keystore password). If you *are* already using a custom trust, just record the file name of the custom trust keystore.<\/p>\n<p>Use keytool to import the CA keys to the file specified in the custom trust. The following examples use a root and signing CA from my company, the CA chain which signs our LDAP SSL certs.<\/p>\n<p>.\/keytool -import -v -trustcacerts -alias WIN-ROOT -file \/tmp\/WIN-ROOT-CA.b64 -keystore \/path\/to\/the\/TrustFile.jks -keypass YourKeystorePassword -storepass YourKeystorePassword<\/p>\n<p>.\/keytool -import -v -trustcacerts -alias WIN-WEB -file \/tmp\/WIN-WEB-CA.b64 -keystore \/path\/to\/the\/TrustFile.jks -keypass YourKeystorePassword -storepass YourKeystorePassword<\/p>\n<p>*** Under advanced, I had to check off &#8220;Use JSSE SSL&#8221; for SSL to work. Without that checked off, I got the following error in the log:<\/p>\n<p><em>####&lt;Feb 23, 2018 10:11:36 AM EST&gt; &lt;Notice&gt; &lt;Security&gt; &lt;server115.CompanyX.com&gt; &lt;AdminServer&gt; &lt;[ACTIVE] ExecuteThread: &#8217;12&#8217; for queue: &#8216;weblogic.kernel.Default (self-tuning)&#8217;&gt; &lt;&lt;WLS Kernel&gt;&gt; &lt;&gt; &lt;58b1979606d98df5:292a2ff6:161c336d0ba:-8000-0000000000000007&gt; &lt;1519398696289&gt; &lt;BEA-090898&gt; &lt;Ignoring the trusted CA certificate &#8220;CN=WIN-WEB-CA,DC=CompanyX,DC=com&#8221;. 
The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.&gt;<\/em><\/p>\n<p><em>####&lt;Feb 23, 2018 10:11:36 AM EST&gt; &lt;Notice&gt; &lt;Security&gt; &lt;server115.CompanyX.com&gt; &lt;AdminServer&gt; &lt;[ACTIVE] ExecuteThread: &#8217;12&#8217; for queue: &#8216;weblogic.kernel.Default (self-tuning)&#8217;&gt; &lt;&lt;WLS Kernel&gt;&gt; &lt;&gt; &lt;58b1979606d98df5:292a2ff6:161c336d0ba:-8000-0000000000000007&gt; &lt;1519398696289&gt; &lt;BEA-090898&gt; &lt;Ignoring the trusted CA certificate &#8220;CN=WIN-Root-CA&#8221;. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.&gt; <\/em><\/p>\n<p>An alternate solution would be to update your WebLogic instance \u2013 there are supposedly patches, but not sure which rev and it wasn\u2019t worth trial-and-erroring WebLogic patches for my one WebLogic instance with a dozen users.<\/p>\n<p>Whew, now save those changes. Activate changes &amp; you will probably need to restart your WebLogic service to have the changes go into effect. You can go into the roles &amp; add LDAP groups as &#8212; specifically, I added our LDAP group&#8217;s CN to the administrators WebLogic role.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Configuring an LDAP Authentication provider in WebLogic (version 11g used in this documentation) In configuring LDAP authentication, I add a new authentication provider but continue to use the local provider for the system account under which WebLogic is launched. 
Partially because I don\u2019t really use WebLogic (there\u2019s an Oracle app with its own management site &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[295,303,523],"class_list":["post-2127","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-authentication","tag-ldap","tag-weblogic"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/2127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2127"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/2127\/revisions"}],"predecessor-version":[{"id":2128,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/2127\/revisions\/2128"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}