Administration Console Online Help

You use Oracle Internet Directory Authentication provider to access user and group information stored in the Oracle Internet Directory LDAP V3 service.

Note that each security realm must have one at least one Authentication provider configured. The Control Flag attribute determines how the LoginModule for each Authentication provider is used in the authentication process. For more information, see Set the JAAS control flag.

If the Oracle Internet Directory Authentication provider is the only Authentication provider configured in the security realm, make sure that the LDAP user who boots WebLogic Server is added to a group that is assigned to the Admin role. Otherwise, WebLogic Server cannot be booted. If the Oracle Internet Directory Authentication provider fails to connect to the LDAP server, or throws an exception, make sure the configuration settings for this provider are set correctly as described in the steps that follow. For more information about these configuration settings, see Configuring Users and Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers.

To configure the Oracle Internet Directory Authentication provider:

If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
In the left pane, select Security Realms and click the name of the realm you are configuring (for example, myrealm).
Select Providers > Authentication and click New.
The Create a New Authentication Provider page appears.
In the Name field, enter a name for the Oracle Internet Directory Authentication provider.
From the Type drop-down list, select OracleInternetDirectoryAuthenticator and click OK.
Select Providers > Authentication and click the name of the new Oracle Internet Directory Authentication provider to complete its configuration.
On the Configuration page for the Oracle Internet Directory Authentication provider, set the desired values on the Common tab. If you are configuring multiple Authentication providers, refer to Set the JAAS control flag.
Select the Provider Specific tab.
In the section labeled Connection, specify the following:
- The host and port of the machine hosting the Oracle Internet Directory LDAP server
- The credentials of the LDAP user that WebLogic Server should use for making a connection
In the section labeled Users, adjust the following settings as necessary to match the directory structure for users in the Oracle Internet Directory LDAP server:
1. Make sure User Base DN correctly specifies the LDAP directory structure for users. The default for Oracle Internet Directory users is cn=users,dc=us,dc=oracle,dc=com.
2. If the user name attribute for the user object class in the LDAP directory structure is a type other than cn, change that type in the settings for each of the following attributes: All Users Filter, User From Name Filter, and User Name Attribute. For example, if the user name attribute type is uid, change All Users Filter to (&(uid=*)(objectclass=person))).
In the section labeled Groups, adjust the following settings as necessary to match the directory structure for groups in the Oracle Internet Directory LDAP server. (Example changes are shown in bold.)
1. If the group name attribute for the static group object in the LDAP directory structure is a type other than cn, change that type in the settings for the All Groups Filter and Group From Name Filter attributes.
  For example, if the static group name attribute is type uid, change All Groups Filter to (&(uid=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup))), and change Group From Name Filter to (|(&(uid=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup)))
2. If the group name attribute for the dynamic group object in the LDAP directory structure is a type other than cn, change that type in the settings for the All Groups Filter and Group From Name Filter attributes.
  For example, if the dynamic group name attribute is type uid, change All Groups Filter to (&(uid=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup))), and change Group From Name Filter to (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(uid=%g)(objectclass=orcldynamicgroup))).
3. If the static group object class name in the LDAP directory structure is groupofnames (instead of groupofuniquenames), and the static member DN attribute is of type member (instead of uniquemember), change the objectclass element in the All Groups Filter and Group From Name Filter attributes.
  For example, set All Groups Filter as (&(cn=*)(|(objectclass=groupofnames)(objectclass=orcldynamicgroup))), and set Group From Name Filter as (|(&(cn=%g)(objectclass=groupofnames))(&(cn=%g)(objectclass=orcldynamicgroup))).
In the section labeled Static Groups, make the following changes, if necessary, to match the schema definition of static groups in the Oracle Internet Directory LDAP server:
1. If the group name attribute type of the static group object class is a type other than cn, specify that type in Static Group Name Attribute. Note that the type you specify must be consistent with the name attribute type specified in the All Groups Filter and Group From Name Filter attributes.
2. Change Static Group Object Class to groupofnames, if necessary, and make sure it matches the class name specified in the All Groups Filter and Group From Name Filter attributes.
3. If Static Group Object Class is groupofnames, change Static Member DN Attribute to member.
In the section labeled Dynamic Groups, make sure Dynamic Group Name Attribute matches the name attribute type specified in the All Groups Filter and Group From Name Filter attributes.
Click Save to save your changes.
In the Change Center, click Activate Changes and then restart WebLogic Server.

Administration Console Online Help

Configure the Oracle Internet Directory Authentication provider