Monday, June 25, 2012

WebLogic/SOA 11g LDAP Integration

I think this is a common subject, but we had a slightly different requirement: all of our WebLogic servers (dev/test/prod, and OSM/OSB/ODI/SOA) are connected to the same Active Directory, and based on the user's role and group membership in LDAP we wanted to grant different rights on different servers.


Basic Configuration
  • Create users and groups in LDAP (Administrators and Monitors). More groups can be created (e.g. AdminChannelUsers, AppTesters, CrossDomainConnectors, Deployers, Operators, OracleSystemGroup), but for demo purposes we keep it to two.
  • Configure WLS for AD authentication provider

Change the DefaultAuthenticator to Sufficient


Change Custom AD Authenticator to Sufficient
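Why both providers are switched to SUFFICIENT is easier to see with the control-flag rules written out. The following is an added example, not code from the post or from Oracle: it models WebLogic's JAAS-style evaluation of the provider chain (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) with two constructed providers, a DefaultAuthenticator holding the boot account and an AD authenticator holding the directory users. The user names, passwords and the "AD unreachable" case are constructed for the example.

```python
"""Model of WebLogic's JAAS-style authentication provider chain.

Added example, not code from the blog post or from Oracle. It reproduces the
JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) that
WebLogic applies across its authentication providers, to show why both the
DefaultAuthenticator and the AD authenticator are set to SUFFICIENT.
Provider names, users, passwords and the "AD unreachable" case are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Provider:
    name: str
    flag: str                                   # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    users: dict = field(default_factory=dict)   # constructed user store: name -> password
    available: bool = True                      # False simulates an unreachable LDAP/AD server

    def login(self, user: str, password: str) -> bool:
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        return self.users.get(user) == password


def authenticate(providers, user, password):
    """Evaluate the provider chain in order; return (success, trace)."""
    trace = []
    has_required = False      # a REQUIRED/REQUISITE provider is present
    required_failed = False   # a REQUIRED/REQUISITE provider failed
    optional_ok = False       # a SUFFICIENT/OPTIONAL provider succeeded
    for p in providers:
        try:
            ok = p.login(user, password)
        except ConnectionError as exc:
            ok = False
            trace.append(f"{p.name} [{p.flag}]: error ({exc})")
        else:
            trace.append(f"{p.name} [{p.flag}]: {'pass' if ok else 'fail'}")
        if p.flag in ("REQUIRED", "REQUISITE"):
            has_required = True
            if not ok:
                required_failed = True
                if p.flag == "REQUISITE":
                    break        # a REQUISITE failure stops the chain immediately
        elif p.flag == "SUFFICIENT" and ok:
            optional_ok = True
            if not required_failed:
                break            # a SUFFICIENT success short-circuits the chain
        elif p.flag == "OPTIONAL" and ok:
            optional_ok = True
    success = (not required_failed) if has_required else optional_ok
    return success, trace


# Constructed stores: the embedded LDAP holds the boot account, AD holds people.
EMBEDDED = {"weblogic": "welcome1"}
AD = {"masteradmin": "adpass", "developer": "devpass"}


def chain(default_flag="SUFFICIENT", ad_flag="SUFFICIENT", ad_up=True, ad_first=False):
    """Build the two-provider chain the post configures (flags adjustable)."""
    default = Provider("DefaultAuthenticator", default_flag, EMBEDDED)
    ad = Provider("ADAuthenticator", ad_flag, AD, available=ad_up)
    return [ad, default] if ad_first else [default, ad]


if __name__ == "__main__":
    cases = [
        ("both SUFFICIENT, AD user", chain(), "masteradmin", "adpass"),
        ("DefaultAuthenticator left REQUIRED, AD user", chain("REQUIRED"), "masteradmin", "adpass"),
        ("AD REQUIRED and first, AD down, local admin",
         chain("SUFFICIENT", "REQUIRED", ad_up=False, ad_first=True), "weblogic", "welcome1"),
    ]
    for label, providers, user, pw in cases:
        ok, trace = authenticate(providers, user, pw)
        print(f"{label}: {'LOGIN OK' if ok else 'LOGIN DENIED'}  {trace}")
```

Two things the run makes visible: leaving the DefaultAuthenticator at its factory REQUIRED flag denies every AD-only user even though the AD provider authenticates them, and making the AD provider REQUIRED (and placing it first) locks the local boot account out whenever AD is unreachable. With both providers SUFFICIENT and the DefaultAuthenticator first, the console account keeps working while the directory is down.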


Provide the AD connection details and the user and group tree (base DN) paths. I used the Softerra LDAP client to verify the values for the connection, the user tree path and the groups/roles tree path.

LDAP Connection

User base

Group base

  • Problem with this approach: if a user has Administrator rights, he is an Administrator on all WebLogic servers.


Advanced Configuration
This configuration makes sure that, even though all WebLogic servers are configured against the same AD/LDAP server, a user gets different access on each server based on the role and group membership defined in LDAP.

  • We created fmw_prod_Administrators, fmw_prod_Monitors, fmw_dev_Administrators and fmw_dev_Monitors
  • Created users and membership in LDAP
    • masteradmin with fmw_prod_Administrators and fmw_dev_Administrators roles
    • auditor with fmw_prod_Monitors and fmw_dev_Monitors
    • developer with fmw_dev_Administrators
  • Configure Role Mapping in WLS production
  • In the same way, WLS development can be configured with fmw_dev_Administrators and fmw_dev_Monitors
  • This way masteradmin has admin rights on both servers, but the developer user has admin rights only on the dev server
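The access matrix this produces, and the difference from the flat Administrators/Monitors groups of the basic configuration, can be checked outside the console. The following is an added example, not code from the post or from Oracle: it resolves a user's global roles on a domain from constructed AD memberOf values using the environment-scoped group names described above (fmw_<env>_Administrators, fmw_<env>_Monitors), and includes a small audit helper that reports memberships with no environment prefix. The directory contents, DNs and the extra "legacyadmin" user are constructed; taking the CN of each memberOf DN is a simplification of the provider's real group lookup.

```python
"""Added example (not from the post): resolve a user's WebLogic global roles on
a given domain from AD group membership, using the environment-scoped groups
the post describes (fmw_<env>_Administrators, fmw_<env>_Monitors).
Directory contents, DNs and the 'legacyadmin' user are constructed.
"""
import re

# Constructed AD data: user -> memberOf attribute values (full group DNs)
MEMBER_OF = {
    "masteradmin": ["CN=fmw_prod_Administrators,OU=FMW,DC=example,DC=com",
                    "CN=fmw_dev_Administrators,OU=FMW,DC=example,DC=com"],
    "auditor":     ["CN=fmw_prod_Monitors,OU=FMW,DC=example,DC=com",
                    "CN=fmw_dev_Monitors,OU=FMW,DC=example,DC=com"],
    "developer":   ["CN=fmw_dev_Administrators,OU=FMW,DC=example,DC=com"],
    # A user still in the flat group from the basic configuration
    "legacyadmin": ["CN=Administrators,OU=FMW,DC=example,DC=com"],
}

# Naming convention for environment-scoped groups
ENV_GROUP = re.compile(r"^fmw_(?P<env>[a-z]+)_(?P<role>Administrators|Monitors)$")


def group_names(user, directory=MEMBER_OF):
    """Simplified group lookup: take the CN (first RDN) of each memberOf DN."""
    names = set()
    for dn in directory.get(user, []):
        rdn = dn.split(",", 1)[0]
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            names.add(value.strip())
    return names


def scoped_mapping(env):
    """Role mapping as configured on the WLS domain of one environment."""
    return {"Admin": {f"fmw_{env}_Administrators"},
            "Monitor": {f"fmw_{env}_Monitors"}}


# Role mapping of the basic configuration: one unscoped group per role
FLAT_MAPPING = {"Admin": {"Administrators"}, "Monitor": {"Monitors"}}


def effective_roles(user, mapping, directory=MEMBER_OF):
    """Roles a user holds on a domain: the role is granted if any of its groups match."""
    groups = group_names(user, directory)
    return {role for role, granted_to in mapping.items() if groups & granted_to}


def unscoped_groups(directory=MEMBER_OF):
    """Audit helper: memberships whose group name carries no environment prefix,
    i.e. groups that would grant the same rights on every server."""
    findings = {}
    for user in directory:
        bad = {g for g in group_names(user, directory) if not ENV_GROUP.match(g)}
        if bad:
            findings[user] = bad
    return findings


if __name__ == "__main__":
    for env in ("prod", "dev"):
        for user in MEMBER_OF:
            scoped = sorted(effective_roles(user, scoped_mapping(env)))
            flat = sorted(effective_roles(user, FLAT_MAPPING))
            print(f"{env:4} {user:12} scoped={scoped} flat={flat}")
    print("memberships without environment prefix:", unscoped_groups())
```

Running it prints the matrix from the post (masteradmin is Admin on prod and dev, developer only on dev, auditor is Monitor on both) and shows that a user left in the flat Administrators group gets Admin under the basic mapping but nothing under the scoped one; the audit helper flags exactly those leftover memberships so they can be cleaned up in AD.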

4 comments:

Unknown said...

Hi, creating a well-designed site can give you a lot of pride in Web Design Cochin. However, the one thing that matters is conversion. Try out different designs and see which ones result in more action, whether it is email sign-ups, social media shares, or sales. Thanks..........

Gary said...

Hi,
I'm able to do the configurations and list the users and groups in the WebLogic console. But when I try to edit the global role and add the user to any of the roles, I get a message which says " does not exist". Can anyone tell me what the probable cause for this can be?

Thanks

btsridhar said...

This comment has been removed by the author.

mavilo said...

Hi, I configured the AD authentication and I can log in with an AD user without problem, but I always have administration permissions, even if I set the permission to Deployer in the Roles and Policies tab.
Do you know why all users of an AD group have Admin rights?
Thank you