The configuration is relatively simple and is performed mostly in the WLS administration
console, located at http://yourserver:7001/console.
• Log on as a WLS administrative user, such as “weblogic”, and navigate to the Security Realms
section of the console.
• Click “myrealm” on the right.
• Open the Providers tab.
• Select the “New” button to create a new provider. Name it “ActiveDirectory” and select
ActiveDirectoryAuthenticator as the type.
• Click on the new provider to open its settings page.
• The Control Flag defaults to OPTIONAL (the screenshot in the original post shows SUFFICIENT,
which is the final value set in a later step, not the default). Leave it at OPTIONAL for now:
while the provider is OPTIONAL, a mistake in the AD settings cannot prevent the
DefaultAuthenticator from logging you back in to the console.
• Click on the Provider Specific tab to see more settings. On this tab, provide the details to
connect to the Active Directory server.
Connection
In the Connection section, provide the hostname and port number for the Active Directory
server, along with the name and password of the account WLS binds with. Note that you must
provide the CN of this user, not the full DN, for example administrator as opposed to
cn=administrator,cn=Users,dc=webcenter,dc=au,dc=oracle,dc=com. Use a dedicated, read-only
service account for this bind rather than the domain Administrator, and enable SSLEnabled with
the LDAPS port (636 by default) so that the bind password and every user lookup are not sent
across the network in clear text.
Users
In the Users section, we provide information about how to find user accounts in Active
Directory. The User Base DN is the DN of the container where users are stored. Here, this is
“cn=Users,dc=webcenter,dc=au,dc=oracle,dc=com”.
The All Users Filter can be left blank, or set to a query such as “(objectclass=user)”.
The User From Name Filter must be updated to use the attribute that holds account names in
Active Directory; at login time WLS substitutes the supplied user name for %u and runs the
result as an LDAP search. Set it to “(&(sAMAccountName=%u)(objectclass=user))”.
Leave the User Search Scope as “subtree”.
Set the User Name Attribute to “sAMAccountName”. This is the attribute in the directory where
the user account name is stored.
The User Object Class should be set to “user”.
Finally, make sure you check the Use Retrieved User Name as Principal option.
Groups
In the Groups section, update the Group Base DN to reflect where you want to search for groups
in Active Directory; here, “dc=webcenter,dc=au,dc=oracle,dc=com”. Note that if you use the old
UCM convention of keeping roles and accounts in separate containers, accounts will be listed as
roles. Account groups must be renamed with a unique prefix so that the JPS provider in UCM/URM
can map them correctly; the suggested prefix is the “@” sign.
• Check the Use Token Groups for Group Membership Lookup checkbox. This is used for nested
group resolution. The remainder of the settings can be left as the defaults.
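What the User From Name Filter actually does is easier to see in code than in a screenshot. The following is an added example, not code from the original post or from Oracle: a small offline model of the provider's %u substitution and LDAP search, run against a constructed set of three directory entries (the DNs, names and account names are made up). It shows why the template must name sAMAccountName rather than cn, and also something the post does not cover: the login name must be RFC 4515-escaped before it is substituted, because an unescaped '*' or ')(' in the supplied name rewrites the filter. The escape_filter_value, parse_filter and lookup_user functions are the example's own, not WebLogic APIs.

```python
"""Offline model of the ActiveDirectoryAuthenticator user lookup (added example,
not Oracle code). Sample entries and DNs below are constructed, not real accounts."""
import re

USER_BASE_DN = "cn=Users,dc=webcenter,dc=au,dc=oracle,dc=com"
USER_FROM_NAME_FILTER = "(&(sAMAccountName=%u)(objectclass=user))"  # value from the post
CN_FILTER = "(&(cn=%u)(objectclass=user))"  # a cn-based template, as shipped before editing

# Constructed sample directory content under USER_BASE_DN.
SAMPLE_ENTRIES = [
    {"dn": "CN=Jane Smith," + USER_BASE_DN, "cn": "Jane Smith",
     "sAMAccountName": "jsmith", "objectclass": "user"},
    {"dn": "CN=Joe Bloggs," + USER_BASE_DN, "cn": "Joe Bloggs",
     "sAMAccountName": "jbloggs", "objectclass": "user"},
    {"dn": "CN=Content Admins," + USER_BASE_DN, "cn": "Content Admins",
     "objectclass": "group"},
]

def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: *, (, ), \\ and NUL become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def substitute(template, username, escape=True):
    """Replace %u in the template, escaping the login name unless told not to."""
    return template.replace("%u", escape_filter_value(username) if escape else username)

def parse_filter(s):
    """Parse a minimal RFC 4515 filter: &, |, ! and attr=value (with * wildcards)."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at offset %d in %r" % (pos, s))
        pos += 1
        if s[pos] in "&|!":
            op = s[pos]
            pos += 1
            kids = []
            while s[pos] == "(":
                kids.append(node())
            if s[pos] != ")":
                raise ValueError("expected ')' at offset %d in %r" % (pos, s))
            pos += 1
            return (op, kids)
        end = s.index(")", pos)
        attr, _, val = s[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, val)

    tree = node()
    if pos != len(s):
        raise ValueError("trailing data %r after filter" % s[pos:])
    return tree

def _value_regex(val):
    """Assertion value -> regex: an unescaped * is a wildcard, \\xx is a literal character."""
    parts, buf, i = [], [], 0
    while i < len(val):
        if val[i] == "\\" and i + 2 < len(val):
            buf.append(chr(int(val[i + 1:i + 3], 16)))
            i += 3
        elif val[i] == "*":
            parts.append(re.escape("".join(buf)))
            buf = []
            i += 1
        else:
            buf.append(val[i])
            i += 1
    parts.append(re.escape("".join(buf)))
    return "^" + ".*".join(parts) + "$"

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively, as in AD."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, val = tree
    actual = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    return actual is not None and re.match(_value_regex(val), actual, re.IGNORECASE) is not None

def lookup_user(username, template=USER_FROM_NAME_FILTER, escape=True,
                entries=SAMPLE_ENTRIES, base_dn=USER_BASE_DN):
    """Model the provider's lookup: substitute %u, then search base_dn with subtree scope."""
    tree = parse_filter(substitute(template, username, escape))
    return [e["dn"] for e in entries
            if e["dn"].lower().endswith(base_dn.lower()) and matches(tree, e)]

if __name__ == "__main__":
    print(lookup_user("jsmith"))                          # sAMAccountName template finds Jane
    print(lookup_user("jsmith", template=CN_FILTER))      # a cn-based template finds nobody
    print(lookup_user("*)(objectclass=*", escape=False))  # unescaped input matches every user
    print(lookup_user("*)(objectclass=*"))                # escaped, the same input matches nobody
```

Run it to see the four lookups; to check your own settings, change the template string and the sample entries to match what your directory holds. The last two calls are the point of the escaping: WebLogic performs that escaping itself, but anything you build on top of these settings (custom login code, scripts that reuse the template) must do the same.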
jps-config
Because the account name attribute has been changed from the default, the JPS identity-store
configuration in one of the WLS configuration files must be updated to match.
• Open the jps-config.xml file, located under your domain directory in the config\fmwconfig
subdirectory.
• Find the serviceInstance entry named idstore.ldap (provider idstore.ldap.provider) and add the
two properties username.attr and user.login.attr shown below; the idstore.config.provider
property is already present in the file.
<serviceInstances>
    <!-- JPS WLS LDAP Identity Store Service Instance -->
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
        <property name="idstore.config.provider"
                  value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
        <property name="username.attr" value="sAMAccountName"/>
        <property name="user.login.attr" value="sAMAccountName"/>
    </serviceInstance>
    <!-- other serviceInstance entries unchanged -->
</serviceInstances>
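The same edit can be scripted, which is worth doing when several domains need it. The following is an added example, not from the original post or from Oracle; it uses only the Python standard library and works on a constructed, trimmed jps-config.xml fragment built from the snippet above (the namespace on the root element is assumed to be the 11g one; the code also handles files without a namespace). The patch_jps_config and idstore_properties names are the example's own.

```python
"""Script the jps-config.xml change (added example, not Oracle code).
SAMPLE_JPS_CONFIG is a constructed, trimmed fragment, not a real domain file."""
import xml.etree.ElementTree as ET

# The two properties the post adds; both must match the User Name Attribute
# configured on the ActiveDirectoryAuthenticator.
REQUIRED_PROPERTIES = {
    "username.attr": "sAMAccountName",
    "user.login.attr": "sAMAccountName",
}

# Constructed sample. The root namespace is assumed to be the 11g one.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <!-- JPS WLS LDAP Identity Store Service Instance -->
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
                value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

def _local(tag):
    """Strip a {namespace} prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def _namespace(tag):
    """Return the namespace URI of a tag, or '' if it has none."""
    return tag[1:tag.index("}")] if tag.startswith("{") else ""

def find_ldap_idstore(root):
    """Return the idstore.ldap serviceInstance element, or None if the file lacks one."""
    for el in root.iter():
        if (_local(el.tag) == "serviceInstance" and el.get("name") == "idstore.ldap"
                and el.get("provider") == "idstore.ldap.provider"):
            return el
    return None

def idstore_properties(xml_text):
    """name -> value of the properties on the idstore.ldap instance ({} if absent)."""
    inst = find_ldap_idstore(ET.fromstring(xml_text))
    if inst is None:
        return {}
    return {p.get("name"): p.get("value") for p in inst if _local(p.tag) == "property"}

def patch_jps_config(xml_text, properties=REQUIRED_PROPERTIES):
    """Add or correct the required properties. Returns (new_xml, names_changed).

    Idempotent: a second run reports no changes. Raises ValueError instead of
    returning anything if the idstore.ldap instance is missing, so a wrong path
    or an unexpected file fails loudly rather than yielding a half-configured domain.
    """
    root = ET.fromstring(xml_text)
    ns = _namespace(root.tag)
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace unprefixed on output
    inst = find_ldap_idstore(root)
    if inst is None:
        raise ValueError("no serviceInstance name=idstore.ldap provider=idstore.ldap.provider")
    existing = {p.get("name"): p for p in inst if _local(p.tag) == "property"}
    changed = []
    for name, value in properties.items():
        if name in existing:
            if existing[name].get("value") != value:
                existing[name].set("value", value)
                changed.append(name)
        else:
            tag = "{%s}property" % ns if ns else "property"
            ET.SubElement(inst, tag, {"name": name, "value": value})
            changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed

if __name__ == "__main__":
    patched, names = patch_jps_config(SAMPLE_JPS_CONFIG)
    print("changed:", names)
    print(patched)
```

Back up jps-config.xml before writing the result over it and diff the two: the standard-library ElementTree parser discards XML comments, so the comment line in the original file will not survive the round trip. Restart the admin and managed servers afterwards, as in the next step.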
• Save your settings, and restart WLS (the admin server and any managed servers that are
running).
• After WLS has restarted, log back in to the administration console at
http://yourserver:7001/console and return to the myrealm security realm. Click on the Users and
Groups tab.
If the settings are correct, Active Directory users are listed in the Users table; the Provider
column shows which authenticator each user came from (ActiveDirectory or DefaultAuthenticator).
• If no users are seen, check the configuration settings again. Also check the AdminServer log
(AdminServer.log under servers\AdminServer\logs in the domain directory) for any reasonably
helpful error message that indicates which setting needs to be updated.
• Once any errors are corrected, go back into the myrealm security realm again, and edit both
your ActiveDirectory and DefaultAuthenticator providers to change their Control Flag to
SUFFICIENT. SUFFICIENT means a successful login against either provider is enough; keeping the
DefaultAuthenticator in the chain ensures the embedded “weblogic” account still works if Active
Directory is unreachable.
• Reorder the providers so that ActiveDirectory is the first in the list.
• Restart the WLS admin server and any managed servers one more time. You should now be
able to log in to UCM/URM using an Active Directory username and password.
These are the steps that I used to configure AD with UCM, and for me it is working fine. Just
verify if one of the steps mentioned has been missed out.