Oracle Internet Directory Authentication Provider: Provider Specific
Use this page to define the provider specific configuration for this Oracle Internet Directory Authentication provider.
Configuration Options
- **Host**: The host name or IP address of the LDAP server. MBean Attribute: `LDAPServerMBean.Host`.
- **Port**: The port number on which the LDAP server is listening. MBean Attribute: `LDAPServerMBean.Port`. Minimum value: 1. Maximum value: 65534.
- **Principal**: The Distinguished Name (DN) of the LDAP user that WebLogic Server should use to connect to the LDAP server. Note: the value you enter for `principal` must be an LDAP administrator who has the privilege to search users and groups in Oracle Internet Directory. If the LDAP administrator does not have privileges to search Oracle Internet Directory, an LDAP exception with error code 50 is generated. MBean Attribute: `LDAPServerMBean.Principal`.
- **Credential**: The credential (usually a password) used to connect to the LDAP server. If this password has not been set, WebLogic Server generates a password at startup, initializes the attribute, and saves the configuration to the `config.xml` file. If you want to connect to the embedded LDAP server using an external LDAP browser and the embedded LDAP administrator account (`cn=Admin`), change this attribute from the generated value. MBean Attribute: `LDAPServerMBean.Credential`. Changes take effect after you redeploy the module or restart the server.
- **SSLEnabled**: Specifies whether the SSL protocol should be used when connecting to the LDAP server. MBean Attribute: `LDAPServerMBean.SSLEnabled`.
- **User Base DN**: The base distinguished name (DN) of the tree in the LDAP directory that contains users. MBean Attribute: `LDAPAuthenticatorMBean.UserBaseDN`.
- **All Users Filter**: An LDAP search filter for finding all users beneath the base user distinguished name (DN). Note: if you change the user name attribute to a type other than `cn`, you must duplicate that change in the User From Name Filter and User Name Attribute attributes. For example, to change the user name attribute to `uid`, specify the search filter as `(&(uid=*)(objectclass=person))`. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema. Note also that you should limit the use of wildcards in filter expressions. Wildcards are permitted, but using multiple wildcards in a given filter expression can have a negative performance impact on the LDAP server. MBean Attribute: `LDAPAuthenticatorMBean.AllUsersFilter`. Changes take effect after you redeploy the module or restart the server.
- **User From Name Filter**: An LDAP search filter for finding a user given the name of the user. The user name attribute specified in this filter must match the one specified in the All Users Filter and User Name Attribute attributes. For example, to change the user name attribute to `uid`, specify the search filter as `(&(uid=%u)(objectclass=person))`. If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema. Note also that you should limit the use of wildcards in filter expressions. Wildcards are permitted, but using multiple wildcards in a given filter expression can have a negative performance impact on the LDAP server. MBean Attribute: `LDAPAuthenticatorMBean.UserFromNameFilter`. Changes take effect after you redeploy the module or restart the server.
- **User Search Scope**: Specifies how deep in the LDAP directory tree the LDAP Authentication provider should search for users. Valid values are `subtree` and `onelevel`. MBean Attribute: `LDAPAuthenticatorMBean.UserSearchScope`.
- **User Name Attribute**: The attribute of an LDAP user object class that specifies the name of the user. The user name attribute specified must match the one specified in the All Users Filter and User From Name Filter attributes. For example, if the user name attribute is changed from `cn` to `uid`, you must duplicate that change in the All Users Filter and User From Name Filter attributes. MBean Attribute: `LDAPAuthenticatorMBean.UserNameAttribute`. Changes take effect after you redeploy the module or restart the server.
- **User Object Class**: The LDAP object class that stores users. MBean Attribute: `LDAPAuthenticatorMBean.UserObjectClass`. Changes take effect after you redeploy the module or restart the server.
- **Use Retrieved User Name as Principal**: Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal in the Subject. MBean Attribute: `LDAPAuthenticatorMBean.UseRetrievedUserNameAsPrincipal`.
- **Check User Enabled Attribute**: Specifies whether to check if the user is enabled, for example by checking the `OrclIsEnabled` attribute value from the Oracle Internet Directory LDAP server. The default value is false. MBean Attribute: `OracleInternetDirectoryAuthenticatorMBean.CheckUserEnabledAttribute`.
- **Group Base DN**: The base distinguished name (DN) of the tree in the LDAP directory that contains groups. MBean Attribute: `LDAPAuthenticatorMBean.GroupBaseDN`.
- **All Groups Filter**: An LDAP search filter for finding all groups beneath the base group distinguished name (DN). The static group object class should be modified, as necessary, based on the settings for the Static Group Object Class and Static Member DN Attribute attributes. If the name attribute of a static group object or dynamic group object is changed, this search filter must be revised accordingly. For example, if the name attribute specified in the Static Group Name Attribute attribute is changed from `cn` to `uid`, this filter should be specified as `(&(uid=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))`. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema. Note also that you should limit the use of wildcards in filter expressions. Wildcards are permitted, but using multiple wildcards in a given filter expression can have a negative performance impact on the LDAP server. MBean Attribute: `LDAPAuthenticatorMBean.AllGroupsFilter`. Changes take effect after you redeploy the module or restart the server.
- **Group From Name Filter**: An LDAP search filter for finding a group given the name of the group. The static group object class should be modified, as necessary, based on the settings for the Static Group Object Class and Static Member DN Attribute attributes. If the name attribute of a static group object or dynamic LDAP group object is changed, this filter must be revised accordingly. For example, if the name attribute specified in the Dynamic Group Name Attribute attribute is changed from `cn` to `uid`, this filter should be specified as `(|(&(cn=%g)(objectclass=groupofUniqueNames))(&(uid=%g)(objectclass=orcldynamicgroup)))`. If this attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema. Note also that you should limit the use of wildcards in filter expressions. Wildcards are permitted, but using multiple wildcards in a given filter expression can have a negative performance impact on the LDAP server. MBean Attribute: `LDAPAuthenticatorMBean.GroupFromNameFilter`. Changes take effect after you redeploy the module or restart the server.
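The User From Name Filter and Group From Name Filter templates above are expanded at lookup time by substituting the name for `%u` or `%g`. The following is an added example (not WebLogic's code) of that expansion with RFC 4515 escaping, so that a name containing filter metacharacters is matched as a literal value, plus a count of the wildcards the page advises limiting; the templates are the ones quoted on the page, the sample names are constructed.

```python
"""Expand WebLogic-style filter templates (%u = user name, %g = group name).

Added example for this page, not WebLogic code. The templates are the ones
quoted on the page for a uid-named schema; the sample names are constructed.
"""
from typing import Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the filter matches it literally (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user: Optional[str] = None,
                  group: Optional[str] = None) -> str:
    """Replace every %u / %g in the template with the escaped name.

    A name containing '*', '(' or ')' therefore stays a plain value and
    cannot change the structure of the filter sent to the directory.
    """
    values = {"u": user, "g": group}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in values:
            value = values[template[i + 1]]
            if value is None:
                raise ValueError(f"template uses %{template[i + 1]} but no value given")
            out.append(escape_filter_value(value))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def count_wildcards(filter_text: str) -> int:
    """Count unescaped '*' wildcards; the page advises keeping these few."""
    n, i = 0, 0
    while i < len(filter_text):
        if filter_text[i] == "\\":
            i += 3          # skip an escaped \xx sequence
            continue
        if filter_text[i] == "*":
            n += 1
        i += 1
    return n


# Templates quoted on the page (user name attribute changed from cn to uid)
USER_FROM_NAME = "(&(uid=%u)(objectclass=person))"
GROUP_FROM_NAME = ("(|(&(cn=%g)(objectclass=groupofUniqueNames))"
                   "(&(uid=%g)(objectclass=orcldynamicgroup)))")

if __name__ == "__main__":
    print(expand_filter(USER_FROM_NAME, user="jsmith"))           # constructed name
    print(expand_filter(GROUP_FROM_NAME, group="Admins (EMEA)"))  # constructed name
    print(count_wildcards("(&(uid=*)(objectclass=person))"))
```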
- **Group Search Scope**: Specifies how deep in the LDAP directory tree to search for groups. Valid values are `subtree` and `onelevel`. MBean Attribute: `LDAPAuthenticatorMBean.GroupSearchScope`.
- **Group Membership Searching**: Specifies whether group searches into nested groups are unlimited, limited or off. Valid values are `unlimited`, `limited` and `off`. For configurations that use only the first level of nested group hierarchy, this attribute allows improved performance during user searches by turning off the group search or limiting the group search level. If a limited search is specified, the Max Group Membership Search Level attribute must be specified. If an unlimited search is specified, the Max Group Membership Search Level attribute is ignored. If `off` is specified, the Max Group Membership Search Level attribute is ignored. Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They will apply in management operations. MBean Attribute: `LDAPAuthenticatorMBean.GroupMembershipSearching`.
- **Max Group Membership Search Level**: Specifies how many levels of group membership can be searched. This setting is valid only if Group Membership Searching is set to `limited`. Valid values are 0 and positive integers:
  - 0 indicates that only direct groups will be found. That is, when searching for membership in Group A, only direct members of Group A will be found. If Group B is a member of Group A, the members of Group B will not be found by this search.
  - Any positive number indicates the number of levels to search. For example, if this attribute is set to 1, a search for membership in Group A will return direct members of Group A. If Group B is a member of Group A, the members of Group B will also be found by this search. However, if Group C is a member of Group B, the members of Group C will not be found by this search.

  Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They will apply in management operations. MBean Attribute: `LDAPAuthenticatorMBean.MaxGroupMembershipSearchLevel`.
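As an added example (not WebLogic's code) of how the Group Membership Searching and Max Group Membership Search Level settings above bound a nested-group lookup, the function below resolves a user's groups against a constructed in-memory directory: `DIRECTORY`, the group and user DNs, and the helper names are all assumptions, and the data deliberately contains a membership cycle so the Ignore Duplicate Membership case is exercised too.

```python
"""Resolve nested group membership with the limits described on this page.

Added example, not WebLogic code. DIRECTORY is a constructed in-memory
stand-in for the Static Member DN Attribute of each static group: a group
DN maps to the member DNs it lists (users or other groups).
"""
from typing import Dict, List, Set

GROUPS = "cn=Groups,dc=example,dc=com"   # constructed Group Base DN
GROUP_A, GROUP_B, GROUP_C = (f"cn=Group{x},{GROUPS}" for x in "ABC")
ALICE = "cn=alice,cn=Users,dc=example,dc=com"
CAROL = "cn=carol,cn=Users,dc=example,dc=com"

# Group B is a member of Group A, Group C is a member of Group B, and Group A
# is also listed in Group C: a membership cycle (see Ignore Duplicate Membership).
DIRECTORY: Dict[str, List[str]] = {
    GROUP_A: [GROUP_B, ALICE],
    GROUP_B: [GROUP_C, "cn=bob,cn=Users,dc=example,dc=com"],
    GROUP_C: [CAROL, GROUP_A],
}


def groups_containing(member_dn: str,
                      directory: Dict[str, List[str]] = DIRECTORY) -> Set[str]:
    """Stand-in for the Static Group DNs from Member DN Filter search."""
    return {g for g, members in directory.items() if member_dn in members}


def member_groups(user_dn: str, searching: str = "unlimited", max_level: int = 0,
                  directory: Dict[str, List[str]] = DIRECTORY) -> Set[str]:
    """Groups the user belongs to directly or through nested groups.

    searching mirrors Group Membership Searching: "off" returns nothing,
    "limited" climbs max_level parent levels above the direct groups
    (0 = direct groups only), "unlimited" climbs until no new group appears.
    Groups already found are never re-expanded, which ends the A -> B -> C -> A
    cycle in the constructed data instead of looping forever.
    """
    if searching not in ("unlimited", "limited", "off"):
        raise ValueError("searching must be unlimited, limited or off")
    if searching == "off":
        return set()
    if searching == "limited" and max_level < 0:
        raise ValueError("Max Group Membership Search Level must be 0 or positive")
    found = groups_containing(user_dn, directory)
    frontier, level = set(found), 0
    while frontier and (searching == "unlimited" or level < max_level):
        parents: Set[str] = set()
        for group in frontier:
            parents |= groups_containing(group, directory)
        frontier = parents - found      # skip groups seen before: breaks cycles
        found |= frontier
        level += 1
    return found


if __name__ == "__main__":
    for lvl in (0, 1, 2):
        print("limited", lvl, sorted(member_groups(CAROL, "limited", lvl)))
    print("unlimited", sorted(member_groups(ALICE)))
```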
- **Ignore Duplicate Membership**: Determines whether duplicate members are ignored when adding groups; this attribute concerns cycles in the group membership. MBean Attribute: `LDAPAuthenticatorMBean.IgnoreDuplicateMembership`.
- **Static Group Name Attribute**: The attribute of a static LDAP group object that specifies the name of the group. If the name attribute of the static LDAP group object is changed, for example from `cn` to `uid`, that change must be duplicated in the All Groups Filter and Group From Name Filter attributes. MBean Attribute: `LDAPAuthenticatorMBean.StaticGroupNameAttribute`. Changes take effect after you redeploy the module or restart the server.
- **Static Group Object Class**: The name of the LDAP object class that stores static groups. MBean Attribute: `LDAPAuthenticatorMBean.StaticGroupObjectClass`. Changes take effect after you redeploy the module or restart the server.
- **Static Member DN Attribute**: The attribute of a static LDAP group object that specifies the distinguished names (DNs) of the members of the group. MBean Attribute: `LDAPAuthenticatorMBean.StaticMemberDNAttribute`. Changes take effect after you redeploy the module or restart the server.
- **Static Group DNs from Member DN Filter**: An LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema. MBean Attribute: `LDAPAuthenticatorMBean.StaticGroupDNsfromMemberDNFilter`. Changes take effect after you redeploy the module or restart the server.
- **Dynamic Group Name Attribute**: The attribute of a dynamic LDAP group object that specifies the name of the group. If the name attribute of the dynamic LDAP group object is changed, for example from `cn` to `uid`, that change must be duplicated in both the All Groups Filter and Group From Name Filter attributes. MBean Attribute: `LDAPAuthenticatorMBean.DynamicGroupNameAttribute`.
- **Dynamic Group Object Class**: The LDAP object class that stores dynamic groups. MBean Attribute: `LDAPAuthenticatorMBean.DynamicGroupObjectClass`. Changes take effect after you redeploy the module or restart the server.
- **Dynamic Member URL Attribute**: The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group. MBean Attribute: `LDAPAuthenticatorMBean.DynamicMemberURLAttribute`. Changes take effect after you redeploy the module or restart the server.
- **User Dynamic Group DN Attribute**: The attribute of an LDAP user object that specifies the distinguished names (DNs) of the dynamic groups to which the user belongs. If such an attribute does not exist, WebLogic Server determines if a user is a member of a group by evaluating the URLs on the dynamic group. If a group contains other groups, WebLogic Server evaluates the URLs on any of the descendants (indicates parent relationship) of the group. Note: when this attribute is set, the value for Dynamic Group Name Attribute must be valid and cannot be null. MBean Attribute: `LDAPAuthenticatorMBean.UserDynamicGroupDNAttribute`. Changes take effect after you redeploy the module or restart the server.
- **Connection Pool Size**: The LDAP connection pool size. Default is 6. MBean Attribute: `LDAPServerMBean.ConnectionPoolSize`.
- **Connect Timeout**: The maximum time in seconds to wait for the connection to the LDAP server to be established. If this attribute is set to 0, there is no maximum time limit. The default setting is 0. This default value can result in a slowdown in WebLogic Server execution if the LDAP server is unavailable. In addition, if WebLogic Server has multiple LDAP Authentication providers configured, the failure to connect to one LDAP server may block the use of the other LDAP Authentication providers. Oracle recommends that you specify a non-zero value; for example, 60 seconds. If multiple hosts are specified in Host, this value sets the total timeout for making a connection among all those hosts. To set a timeout for an individual connection, use the `-Dweblogic.security.providers.authentication.ldap.socketTimeout=seconds` security parameter for the JVM in which WebLogic Server runs. Specifying the connect timeout in conjunction with the socket timeout is useful for configuring failover for an LDAP Authentication provider. MBean Attribute: `LDAPServerMBean.ConnectTimeout`.
- **Connection Retry Limit**: Specifies the number of times to attempt to connect to the LDAP server if the initial connection failed. MBean Attribute: `LDAPServerMBean.ConnectionRetryLimit`.
- **Parallel Connect Delay**: The delay in seconds when making concurrent attempts to connect to multiple LDAP servers. If this attribute is set to 0, connection attempts are serialized: an attempt is made to connect to the first server in the list, and the next entry in the list is tried only if the attempt to connect to the current host fails. If this attribute is not set and an LDAP server is unavailable, an application may be blocked for a long time. If this attribute is greater than 0, another connection is started after the specified time. MBean Attribute: `LDAPServerMBean.ParallelConnectDelay`.
- **Results Time Limit**: The maximum number of milliseconds for the LDAP server to wait for results before timing out. If this attribute is set to 0, there is no maximum time limit. MBean Attribute: `LDAPServerMBean.ResultsTimeLimit`.
- **Keep Alive Enabled**: Specifies whether to prevent LDAP connections from timing out. MBean Attribute: `LDAPAuthenticatorMBean.KeepAliveEnabled`.
- **Follow Referrals**: Specifies that a search for a user or group within the LDAP Authentication provider will follow referrals to other LDAP servers or branches within the LDAP directory. By default, this attribute is enabled. MBean Attribute: `LDAPServerMBean.FollowReferrals`.
- **Bind Anonymously On Referrals**: By default, the LDAP Authentication provider uses the same DN and password used to connect to the LDAP server when following referrals during a search. If you want to connect as an anonymous user, enable this attribute. MBean Attribute: `LDAPServerMBean.BindAnonymouslyOnReferrals`. Changes take effect after you redeploy the module or restart the server.
- **Propagate Cause For Login Exception**: Specifies whether the providers should propagate the cause of the LoginException. MBean Attribute: `LoginExceptionPropagatorMBean.PropagateCauseForLoginException`. Changes take effect after you redeploy the module or restart the server.
- **Cache Statistics Enabled**: Specifies whether statistics of the cache are enabled. MBean Attribute: `LDAPServerMBean.EnableCacheStatistics`. Changes take effect after you redeploy the module or restart the server.
- **Cache Enabled**: Specifies whether a cache is used with the LDAP server. MBean Attribute: `LDAPServerMBean.CacheEnabled`.
- **Cache Size**: The size of the cache (in kilobytes) that is used with the LDAP server. MBean Attribute: `LDAPServerMBean.CacheSize`. Minimum value: 0.
- **Cache TTL**: The time-to-live of the cache (in seconds) that is used with the LDAP server. MBean Attribute: `LDAPServerMBean.CacheTTL`. Minimum value: 0.
- **Cache Statistics Enabled**: Specifies whether to enable statistics of the cache. MBean Attribute: `LDAPAuthenticatorMBean.EnableCacheStatistics`.
- **GUID Attribute**: Specifies the name of the GUID attribute defined in the Oracle Internet Directory LDAP server. The default value is `orclguid`. MBean Attribute: `OracleInternetDirectoryAuthenticatorMBean.GuidAttribute`. Changes take effect after you redeploy the module or restart the server.
- **Identity Domain**: The name of the identity domain. MBean Attribute: `IdentityDomainAuthenticatorMBean.IdentityDomain`.
Related Tasks
- Configure the Oracle Internet Directory Authentication provider
- Configure authentication and identity assertion providers
- Manage security providers

Related Topics
- Understanding Security for Oracle WebLogic Server
- Configuring LDAP Authentication Providers
- Configuring Failover for LDAP Authentication Providers
- Example of Configuring the Oracle Internet Directory Authentication Provider
- Administering Security for Oracle WebLogic Server
- Developing Security Providers for WebLogic Server