5-12 Securing Oracle WebLogic Server
■ AllGroupsFilter
■ GroupFromNameFilter
■ StaticGroupNameAttribute for static groups
■ DynamicGroupNameAttribute for dynamic groups

For example, if the LDAP directory structure of the group object class uses a group name attribute of type uid, you must change the Authentication provider attributes as shown in Table 5–5. The values that must change are listed as the Required setting for each attribute.
For more information about configuring group name attributes, see the following topics in the Oracle WebLogic Server Administration Console Help:
■ Configure the Oracle Internet Directory Authentication provider
■ Configure the Oracle Virtual Directory Authentication provider
5.4.7.2 Configuring Static Groups
The Oracle Internet Directory and Oracle Virtual Directory Authentication providers are configured by default with the following settings for static groups:
■ Static group object class name of groupofuniquenames
■ Static member DN attribute of type uniquemember

However, the directory structure of the Oracle Internet Directory or Oracle Virtual Directory LDAP server with which you are configuring either of these Authentication providers may instead define the following for static groups:
■ Static group object class name of groupofnames
■ Static member DN attribute of type member

If the LDAP database schema contains the static group object class name of groupofnames and the static member DN attribute of type member, you need to change the Oracle Internet Directory or Oracle Virtual Directory Authentication provider attribute settings as shown in Table 5–6. The values that must change are listed as the Required setting for each attribute. Note that with a mismatched object class or member attribute the provider does not fail loudly: group lookups simply return no groups, so roles and security policies that depend on group membership are silently not applied.
Table 5–5 Required Changes for the Group Name Attribute Type

StaticGroupNameAttribute
    Default:  cn
    Required: uid
DynamicGroupNameAttribute
    Default:  cn
    Required: uid
AllGroupsFilter
    Default:  (&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
    Required: (&(uid=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
GroupFromNameFilter
    Default:  (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup)))
    Required: (|(&(uid=%g)(objectclass=groupofUniqueNames))(&(uid=%g)(objectclass=orcldynamicgroup)))
For more information about configuring static groups, see the following topics in the Oracle WebLogic Server Administration Console Help:
■ Configure the Oracle Internet Directory Authentication provider
■ Configure the Oracle Virtual Directory Authentication provider
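The effect of the filter changes in Table 5–5 and Table 5–6 can be checked offline before touching a domain. The following is an added example, not Oracle code or the provider's implementation: a minimal evaluator for the filter subset the providers use (AND, OR, NOT, equality and presence tests), run against constructed group entries. The filter strings are the provider defaults and the adjusted values from the two tables; the entry names, DNs and the RFC 4515 escaping helper are this example's own.

```python
"""Evaluate WebLogic OID/OVD Authentication provider group filters offline.

Added example, not Oracle code.  The filter strings are the provider
defaults and the adjusted values from Tables 5-5 and 5-6; the directory
entries below are constructed for the demonstration.
"""
import re

# Default filters shipped with the OID/OVD providers.
DEFAULT_ALL_GROUPS = (
    "(&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))"
)
DEFAULT_GROUP_FROM_NAME = (
    "(|(&(cn=%g)(objectclass=groupofUniqueNames))"
    "(&(cn=%g)(objectclass=orcldynamicgroup)))"
)
# Table 5-5: the group name attribute is uid rather than cn.
UID_ALL_GROUPS = DEFAULT_ALL_GROUPS.replace("cn=", "uid=")
UID_GROUP_FROM_NAME = DEFAULT_GROUP_FROM_NAME.replace("cn=", "uid=")
# Table 5-6: static groups are groupofnames rather than groupofuniquenames.
GON_ALL_GROUPS = DEFAULT_ALL_GROUPS.replace("groupofUniqueNames", "groupofnames")
GON_GROUP_FROM_NAME = DEFAULT_GROUP_FROM_NAME.replace("groupofUniqueNames", "groupofnames")

# Constructed group entries.  Attribute names are lower-cased (LDAP attribute
# names are case-insensitive); values keep their case and are compared
# case-insensitively, as for the directory's default matching rules.
ENTRIES = [
    {"cn": ["Administrators"], "objectclass": ["top", "groupOfNames"],
     "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    {"cn": ["Operators"], "objectclass": ["top", "groupOfUniqueNames"],
     "uniquemember": ["uid=bob,ou=people,dc=example,dc=com"]},
    {"cn": ["DynOps"], "objectclass": ["top", "orclDynamicGroup"],
     "labeleduri": ["ldap:///ou=people,dc=example,dc=com??sub?(title=ops)"]},
    {"uid": ["Auditors"], "objectclass": ["top", "groupOfUniqueNames"],
     "uniquemember": ["uid=carol,ou=people,dc=example,dc=com"]},
]


def escape_value(value):
    """RFC 4515 escaping for a value substituted into a filter (the %g slot).
    Without it a group name such as 'x)(objectclass=*' would alter the
    filter's structure (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def unescape_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse(flt, i=0):
    """Recursive-descent parser for (&...), (|...), (!...), attr=value, attr=*."""
    if flt[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, flt))
    i += 1
    if flt[i] in "&|!":
        op, i, subs = flt[i], i + 1, []
        while flt[i] == "(":
            node, i = parse(flt, i)
            subs.append(node)
        if flt[i] != ")":
            raise ValueError("unbalanced filter: %r" % flt)
        return (op, subs), i + 1
    end = flt.index(")", i)
    attr, sep, value = flt[i:end].partition("=")
    if not sep:
        raise ValueError("bad filter item %r" % flt[i:end])
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    present = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                                  # presence test
        return bool(present)
    return unescape_value(value).lower() in present


def name_of(entry):
    return (entry.get("cn") or entry.get("uid"))[0]


def all_groups(all_groups_filter, entries=ENTRIES):
    """Groups the provider would list with the given AllGroupsFilter."""
    node, _ = parse(all_groups_filter)
    return [name_of(e) for e in entries if matches(node, e)]


def group_from_name(group_from_name_filter, group_name, entries=ENTRIES):
    """Groups the provider would find for group_name with the given GroupFromNameFilter."""
    node, _ = parse(group_from_name_filter.replace("%g", escape_value(group_name)))
    return [name_of(e) for e in entries if matches(node, e)]


if __name__ == "__main__":
    print(all_groups(DEFAULT_ALL_GROUPS))                              # ['Operators', 'DynOps']
    print(group_from_name(DEFAULT_GROUP_FROM_NAME, "Administrators"))  # [] (groupOfNames invisible)
    print(group_from_name(GON_GROUP_FROM_NAME, "Administrators"))      # ['Administrators']
    print(all_groups(UID_ALL_GROUPS))                                  # ['Auditors']
    print(group_from_name(GON_GROUP_FROM_NAME, "x)(objectclass=*"))    # [] (injection neutralised)
```

Two points fall out of running it. First, the Table 5–6 change replaces groupofUniqueNames rather than adding to it, so after the change a directory that still holds some groupOfUniqueNames entries will no longer have them found; mixed schemas need a filter that lists both object classes. Second, the `%g` slot is filled with a name supplied at runtime, so any code that builds such filters itself must escape the value as `escape_value` does.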
5.4.8 Configuring Failover for LDAP Authentication Providers
You can configure an LDAP provider to work with multiple LDAP servers and enable failover if one LDAP server is not available. Use the Host attribute found in the Administration Console on the Configuration > Provider Specific page for the LDAP Authentication provider to specify the names of the additional LDAP servers. Separate the host names with a space; each entry may include a port number, as in host:port. In addition, set the Parallel Connect Delay and Connection Timeout attributes for the LDAP Authentication provider:
■ Parallel Connect Delay: specifies the number of seconds to delay when making concurrent attempts to connect to multiple servers. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. This setting might cause your application to block for an unacceptably long time if a host is down. If the value is greater than 0, another connection setup thread is started after the specified number of delay seconds has passed. If the value is 0, connection attempts are serialized.
■ Connection Timeout: specifies the maximum number of seconds to wait for the connection to the LDAP server to be established. If set to 0, there is no maximum time limit and WebLogic Server waits until the TCP/IP layer times out to return a connection failure. Set it to a value over 60 seconds, depending upon the configuration of TCP/IP.
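How the two settings interact is easier to see in a small timing model. The following is an added example, not Oracle code or WebLogic's implementation: it schedules connection attempts as the two attributes are described above and adds three assumptions, labelled in the code, that the text does not state: a reachable host answers after a constructed latency; an unreachable host's attempt fails when Connection Timeout expires, or after an assumed 127-second TCP/IP stack timeout when Connection Timeout is 0; and with a non-zero delay the next setup thread starts after the delay or as soon as the current attempt fails, whichever comes first. The host names are constructed.

```python
"""Timing model for LDAP Authentication provider failover.

Added example, not Oracle code.  It encodes the Parallel Connect Delay and
Connection Timeout behaviour described in the text plus these assumptions:
a reachable host answers after `latency` seconds; an unreachable host's
attempt fails when Connection Timeout expires, or, if Connection Timeout
is 0, when the (assumed) TCP/IP stack timeout expires.  Hosts are constructed.
"""

TCP_STACK_TIMEOUT = 127.0   # assumed OS connect timeout used when Connection Timeout is 0

# Constructed Host list in configuration order: (host, reachable, connect latency in seconds)
HOSTS = [
    ("ldap1.example.com:1050", False, 0.0),
    ("ldap2.example.com", True, 0.5),
    ("ldap3.example.com", True, 0.5),
]
ALL_DOWN = [(host, False, 0.0) for host, _, _ in HOSTS]


def time_to_connect(hosts, parallel_connect_delay, connection_timeout,
                    tcp_stack_timeout=TCP_STACK_TIMEOUT):
    """Return (host connected, or None if all failed; seconds the caller is blocked)."""
    fail_after = connection_timeout if connection_timeout > 0 else tcp_stack_timeout
    start = 0.0          # when the next connection setup thread starts
    success = None       # (finish_time, host) of the earliest successful attempt
    last_failure = 0.0
    for host, reachable, latency in hosts:
        if success is not None and start >= success[0]:
            break        # an earlier attempt has already connected; nothing more is tried
        finish = start + (latency if reachable else fail_after)
        if reachable:
            if success is None or finish < success[0]:
                success = (finish, host)
            # delay > 0: another thread may still start after the delay;
            # delay == 0: serialized, so we wait for this attempt's outcome
            start = start + parallel_connect_delay if parallel_connect_delay > 0 else finish
        else:
            last_failure = max(last_failure, finish)
            if parallel_connect_delay > 0:
                # assumption: next thread starts after the delay, or sooner if this attempt fails first
                start = min(start + parallel_connect_delay, finish)
            else:
                start = finish                   # serialized: next host is tried only on failure
    if success is None:
        return None, last_failure
    return success[1], success[0]


if __name__ == "__main__":
    # Weak setting: serialized attempts and no connection timeout; the first
    # host being down blocks every login for the full TCP/IP stack timeout.
    print(time_to_connect(HOSTS, 0, 0))      # ('ldap2.example.com', 127.5)
    # Bounded timeout, still serialized: blocks for the whole timeout.
    print(time_to_connect(HOSTS, 0, 10))     # ('ldap2.example.com', 10.5)
    # Parallel connect delay of 1 s: the second host answers long before the first times out.
    print(time_to_connect(HOSTS, 1, 10))     # ('ldap2.example.com', 1.5)
    # Every host down: serialized failure time adds up, parallel attempts overlap.
    print(time_to_connect(ALL_DOWN, 0, 10))  # (None, 30.0)
    print(time_to_connect(ALL_DOWN, 1, 10))  # (None, 12.0)
```

The model makes the text's warning concrete: with Parallel Connect Delay 0 the time an authentication request blocks grows by one Connection Timeout per unavailable host ahead of a working one, and with Connection Timeout 0 that per-host cost becomes whatever the operating system's TCP/IP stack allows, which is why the text says to set an explicit value.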
The following examples present scenarios that occur when an LDAP Authentication provider is configured for LDAP failover.
5.4.8.1 LDAP Failover Example 1
In the following scenario, an LDAP Authentication provider is configured with three servers in its Host attribute: directory.knowledge.com:1050, people.catalog.com, and 199.254.1.2. The status of the LDAP servers is as follows:
■ directory.knowledge.com:1050 is down
■ people.catalog.com is up
■ 199.254.1.2 is up
Table 5–6 Attribute Settings for Static Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers

StaticGroupObjectClass
    Default:  groupofuniquenames
    Required: groupofnames
StaticMemberDNAttribute
    Default:  uniquemember
    Required: member
AllGroupsFilter
    Default:  (&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
    Required: (&(cn=*)(|(objectclass=groupofnames)(objectclass=orcldynamicgroup)))
GroupFromNameFilter
    Default:  (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup)))
    Required: (|(&(cn=%g)(objectclass=groupofnames))(&(cn=%g)(objectclass=orcldynamicgroup)))