Many enterprises have multiple identity stores; this can include LDAP, Active Directory, as well as application specific databases. Oracle Virtual Directory (OVD) allows us to provide a virtual LDAP layer on top of these disparate identity stores and presents a single unified view across these data stores.
In this recipe, we will configure OVD to provide a virtual LDAP layer on top of Oracle Internet Directory (OID), and then configure OVD as the authentication provider for WebLogic.
You will need to have an instance of OID installed and configured; you will also need to create the demo
user and add them to the Administrators
group as described in the previous recipe.
You will also need to have installed and configured an instance of Oracle Directory Services Manager (ODSM), OVD, and Oracle SOA Suite running on Oracle WebLogic.
http://host:port/odsm
into your browser's address field.Next, click on Create a New Connection. This will open the New Connection dialog. Enter the details specified in the following table:
Field |
Value |
---|---|
Directory Type |
OVD |
Name |
|
Server |
hostname or IP address of OVD server |
Port |
|
SSL Enabled |
checked |
User Name |
|
Password |
Your Password |
Start Page |
Home |
Within ODSM, select the Adapter tab, and then click on the Create Adapter icon. This will launch New Adapter Wizard.
Click on the Create Adapter button in the left-hand side pane.
Select Adapter Type as LDAP, give it the name useOID
, and select User_OID as the Adapter Template. Then click on Next.
Enter the OID hostname and port for your OID server and leave Weight Value set to 100.
For Server proxy Bind DN and Proxy Password enter the admin DN (cn=orcladmin, cn=Users, dc=rubiconred,dc=com
in our example) and password for your OID server.
Leave Use SSL/TLS unchecked and click on Next.
If Status is not OK, select Status to get details of the error.
In this demo, we are using the same namespace (dc=rubiconred,dc=com
) in both the directories. Set Pass Through Credentials to Always and click on Next.
http://host:port/console
) with the user that has an administrator privilege, such as weblogic
.Once logged in, within Domain Structure select Security Realms. Next, select myrealm. This will display the settings for myrealm.
Click on Lock&Edit to edit the session. Then select the Providers tab, and within that select the Authentication tab. This will list the authentication providers currently defined for myrealm.
Enter a name, such as OVDProvider
, and select the OracleVirtualDirectoryAuthenticator type as the authentication provider type and click on OK.
This will return us to the list of authentication providers; we can see here our newly created OVD authentication provider.
To do this, click on Reorder, ensure OVDProvider is selected; then click on the up arrow to move it to the top of the list and then click on OK.
Here, we need to provide our OVD specific connection details, as well as the location of our users and groups within the identity store, as detailed in the following table:
Field |
Description |
---|---|
Host |
The host of the machine hosting Active Directory. |
Port |
The port number on which Active Directory is listening. |
Principal |
The admin DN (for example |
Credential |
The credential (password) used to connect to OVD. |
User Base DN |
The base Distinguished Name of the tree in the |
Group Base DN |
The base Distinguished Name of the tree in the |
Next select the Common tab, and set the Control Flag to SUFFICIENT and click on Save.
Select Default Authenticator from the authentication provider list, click on the Configuration tab, and then select the Common tab. From here set Control Flag to SUFFICIENT and click on Save.
This is similar to our first recipe, in that WebLogic is still authenticating against OID, the difference being that it is now going via OVD, as this has been defined as the first authentication provider.
When we log in as the demo
user, WebLogic will attempt to authenticate the user against OVD, which in turn will pass the request to OID. Assuming the password is correct the authentication will be successful and return control to the application.
When we log in as weblogic
, authentication will fail against OVD, but because the OVD authentication provider is defined as SUFFICIENT, WebLogic will attempt to authenticate the user against the embedded LDAP at the point at which it succeeds and control is returned to the application.
It may seem a bit pointless having WebLogic go via OVD to authenticate a user against OID. However, OVD offers a number of advantages. Firstly it can be used to present non-LDAP data as LDAP data to WebLogic (or any other LDAP client); this includes identity information available via a web service call or in a database (such as PeopleSoft HR or Seibel UCM).
In addition, where an enterprise has multiple identity stores we can use OVD to present a single unified view.
Although you can configure multiple authentication providers for Oracle WebLogic, the Oracle Platform Security Service does not support multiple LDAP authentication providers.
As a result, the provider you want to use for Human Workflow authentication must be the first one listed in the order of authentication providers. Using OVD allows us to work around this limitation.