
5-6 Securing Oracle WebLogic Server

An LDAP Authentication provider can also be used to access other LDAP servers. However, you must either use the LDAP Authentication provider (LDAPAuthenticator) or choose a pre-defined LDAP provider and customize it. See Section 5.4.3, "Accessing Other LDAP Servers."

5.4.1 Requirements for Using an LDAP Authentication Provider

If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:

■ By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group. The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define the Group Base Distinguished Name (DN) so that the Administrators group is found.

■ If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group or use an existing group in the LDAP directory and include the user with which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role.

Note: If the LDAP user who boots WebLogic Server is not properly added to a group that is assigned to the Admin role, and the LDAP Authentication provider is the only Authentication provider with which the security realm is configured, WebLogic Server cannot be booted.

5.4.2 Configuring an LDAP Authentication Provider: Main Steps

To configure an LDAP Authentication provider:

1. Choose an LDAP Authentication provider that matches your LDAP server and create an instance of the provider in your security realm. For information, see the following topics:

■ If you are using the WebLogic Server Administration Console, see "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Help.

■ If you are using the WebLogic Scripting Tool (WLST), see "Managing Security Data (WLST Online)" in Oracle WebLogic Scripting Tool. This section also explains how to use WLST to switch from one LDAP Authentication provider to another.

Note: If you are configuring either the Oracle Internet Directory or Oracle Virtual Directory Authentication provider, see Section 5.4.7, "Configuring Users and Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers." This section explains how to match the authentication provider attributes for users and groups to the LDAP directory structure.

2. Configure the provider-specific attributes of the LDAP Authentication provider, which you can do through the Administration Console. For each LDAP Authentication provider, attributes are available to:

a. Enable communication between the LDAP server and the LDAP Authentication provider. For a more secure deployment, Oracle recommends using the SSL protocol to protect communications between the LDAP server and WebLogic Server. Enable SSL with the SSLEnabled attribute.

b. Configure options that control how the LDAP Authentication provider searches the LDAP directory.

c. Specify where in the LDAP directory structure users are located.

d. Specify where in the LDAP directory structure groups are located.

e. Define how members of a group are located.

f. Set the name of the global universal identifier (GUID) attribute defined in the LDAP server.

g. Set a timeout value for the connection to the LDAP server. The LDAPServerMBean.ConnectTimeout attribute for all LDAP Authentication providers has a default value of zero. This default setting can result in a slowdown in WebLogic Server execution if the LDAP server is unavailable. In addition, if WebLogic Server has multiple LDAP Authentication providers configured, the failure to connect to one LDAP server may block the use of the other LDAP Authentication providers. Oracle recommends that you set the LDAPServerMBean.ConnectTimeout attribute to a non-zero value; for example, 60 seconds. You can set this value via either the WebLogic Server Administration Console or WLST. You can also set this value in the config.xml file by adding the following configuration parameter for the LDAP Authentication provider:

<wls:connect-timeout>60</wls:connect-timeout>

Note: Oracle recommends that you do not edit the config.xml file directly.

Note: If the LDAP Authentication provider fails to connect to the LDAP server, or throws an exception, check the configuration of the LDAP Authentication provider to make sure it matches the corresponding settings in the LDAP server.

3. Configure performance options that control the cache for the LDAP server. Use the Configuration > Provider Specific and Performance pages for the provider in the Administration Console to configure the cache. See Section 5.4.10, "Improving the Performance of WebLogic and LDAP Authentication Providers."

For more information, see:

■ Section 5.4.3, "Accessing Other LDAP Servers"
■ Section 5.4.4, "Enabling an LDAP Authentication Provider for SSL"
■ Section 5.4.5, "Dynamic Groups and WebLogic Server"
■ Section 5.4.6, "Use of GUID and LDAP DN Data in WebLogic Principals"
■ Section 5.4.7, "Configuring Users and Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers"
■ Section 5.4.8, "Configuring Failover for LDAP Authentication Providers"
■ Section 5.4.9, "Following Referrals in the Active Directory Authentication Provider"
■ Section 5.4.10, "Improving the Performance of WebLogic and LDAP Authentication Providers"
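The following script is an added example; it is not part of the Oracle documentation and not code shipped with WebLogic. It reads a domain's config.xml and audits every LDAP Authentication provider for the two settings the procedure above singles out, SSLEnabled and ConnectTimeout, so that a provider still at the insecure defaults is found before the server is booted against it. The sample config.xml embedded in the script is constructed for the example: the element names follow the connect-timeout parameter and the MBean attribute names in this section, while the namespace URIs and the placement of the providers under a realm element are assumptions about a 10.3-style domain file that you should check against your own config.xml. The script only reads the file, in keeping with the recommendation not to edit config.xml directly.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace URIs of a WebLogic 10.3-style config.xml (assumption: compare with
# the xmlns declarations at the top of your own domain's config.xml).
NS = {
    "sec": "http://xmlns.oracle.com/weblogic/security",
    "wls": "http://xmlns.oracle.com/weblogic/security/wls",
}

# Constructed sample realm with three providers: the embedded-LDAP
# DefaultAuthenticator, an LDAPAuthenticator left at its defaults, and an
# Active Directory provider configured the way this section recommends.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
        xmlns:sec="http://xmlns.oracle.com/weblogic/security"
        xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <security-configuration>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType">
        <sec:name>DefaultAuthenticator</sec:name>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
        <sec:name>LegacyLDAP</sec:name>
        <wls:host>ldap.example.test</wls:host>
        <wls:port>389</wls:port>
        <wls:ssl-enabled>false</wls:ssl-enabled>
        <wls:group-base-dn>ou=groups,dc=example,dc=test</wls:group-base-dn>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
        <sec:name>CorpAD</sec:name>
        <wls:host>ad.example.test</wls:host>
        <wls:port>636</wls:port>
        <wls:ssl-enabled>true</wls:ssl-enabled>
        <wls:connect-timeout>60</wls:connect-timeout>
        <wls:group-base-dn>CN=Users,DC=example,DC=test</wls:group-base-dn>
      </sec:authentication-provider>
    </realm>
  </security-configuration>
</domain>
"""


def _text(element, path):
    """Stripped text of a child element (prefix-qualified path), or None if absent."""
    child = element.find(path, NS)
    if child is None or child.text is None:
        return None
    return child.text.strip()


def audit_ldap_providers(config_xml):
    """Return {provider name: [findings]} for every LDAP Authentication
    provider in the config.xml document given as a string."""
    root = ET.fromstring(config_xml)
    results = {}
    for provider in root.findall(".//sec:authentication-provider", NS):
        name = _text(provider, "sec:name") or "<unnamed>"
        # Only LDAP Authentication providers carry the LDAPServerMBean Host
        # attribute; providers without it (e.g. DefaultAuthenticator) are skipped.
        if provider.find("wls:host", NS) is None:
            continue
        findings = []
        ssl_enabled = (_text(provider, "wls:ssl-enabled") or "false").lower() == "true"
        if not ssl_enabled:
            findings.append("SSLEnabled is not true: bind credentials and directory "
                            "data travel to the LDAP server in clear text")
        # An absent element means the attribute is still at its default of zero.
        timeout = _text(provider, "wls:connect-timeout") or "0"
        if timeout == "0":
            findings.append("ConnectTimeout is 0 (the default): an unreachable LDAP "
                            "server can stall WebLogic and block the other providers")
        if ssl_enabled and _text(provider, "wls:port") == "389":
            findings.append("SSLEnabled with port 389 (the plain LDAP default): "
                            "confirm the LDAPS port on the directory server")
        results[name] = findings
    return results


if __name__ == "__main__":
    # With a path argument, audit that config.xml; otherwise audit the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, findings in audit_ldap_providers(source).items():
        status = "OK" if not findings else "%d finding(s)" % len(findings)
        print("%s: %s" % (name, status))
        for finding in findings:
            print("  - " + finding)
```

Run as "python audit_ldap_providers.py /path/to/copy/of/config.xml"; with no argument it audits the constructed sample, reporting two findings for LegacyLDAP and none for CorpAD. Detecting LDAP providers by the presence of a host element rather than by xsi:type keeps the check independent of which of the pre-defined LDAP provider types (or a customized LDAPAuthenticator) is in use.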

5.4.3 Accessing Other LDAP Servers