Configure Active Directory with WebLogic 12c server as Authentication Provider
Configuring authentication providers for WebLogic Server is a very common task. I will explain the steps to configure Active Directory as an authentication provider for WebLogic 12c Server. I will then demonstrate how to let Active Directory users log in to the WebLogic 12c Console for administration purposes.
Assumptions
This article assumes that you already have:
- A Microsoft Active Directory environment set up. A single domain controller will be used in this example.
- WebLogic 12c Server installed and running.
- Access to the WebLogic Administration Console as the “weblogic” user.
Environment
In this demonstration, the environment is set up as below:
MS Domain Name | contoso.local |
Domain Controller IP Address | 192.168.179.132 |
Domain User to Query AD | Administrator |
Configure Active Directory with WebLogic 12c server as Authentication Provider
- Log in to the WebLogic Administration Console. Under Domain Structure, click on Security Realms > myrealm > Providers.
- Click on New and fill in the details. Make sure to choose the type ActiveDirectoryAuthenticator.
- Click on the Active Directory provider in the list of providers and, under the Common settings, change the Control Flag to Sufficient and click on Save.
- Under Provider Specific settings, fill in the details as below. Only the required settings are shown; most of the others are left at their defaults. You may decide to tweak the settings based on your environment.
User Base DN: dc=contoso,dc=local
All Users Filter: (&(objectCategory=person)(objectClass=user))
User From Name Filter: (&(cn=%u)(objectclass=user))
User Name Attribute: sAMAccountName
User Object Class: user
Group Base DN: dc=contoso,dc=local
Group From Name Filter: (&(cn=%g)(objectclass=group))
Static Group Name Attribute: cn
Static Group Object Class: group
Static Member DN Attribute: member
Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))
- Click Save.
You must restart the Admin Server in order for this provider to work. You may do this using the scripts or service (if configured).
If all the above steps were configured properly, you should be able to see the Active Directory users and groups in the WebLogic Console. To verify this, navigate to Security Realms > myrealm and select the Users and Groups tab.
And this is it. If you see the AD users and groups listed under the Users and Groups tab, the integration was successful. The next step is to allow AD users to access the WebLogic Console.
Allow Active Directory Users to log in to WebLogic Console
To allow Active Directory users to log in to the WebLogic Console, we will use Roles and Policies. You cannot add AD users or groups into WebLogic users or groups directly, so access must be granted through Roles and Policies. To achieve this:
- Navigate to Security Realms > myrealm > Roles and Policies tab > expand the Global Roles and click on View Role Conditions for Admin under Roles.
This is the place where you will add the groups or users from Active Directory. In this example we will add an AD group called WebLogicAdmins2.
- Once added, click on Save.
Now you should be able to log in to the WebLogic Console using AD credentials for a user who belongs to the above-mentioned group.
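The following is an added example, not code from this article or from WebLogic, that models how the filter templates configured above are expanded and evaluated for a console login: %u receives the typed name, %M receives the resolved user's DN, and the Admin role condition is met by membership in WebLogicAdmins2. The directory entries, the user "Jane Doe" and all function names are constructed for illustration.

```python
import re

# Filter templates and group name copied from the settings in this article.
USER_FROM_NAME = "(&(cn=%u)(objectclass=user))"
GROUPS_FROM_MEMBER = "(&(member=%M)(objectclass=group))"
ADMIN_GROUP = "WebLogicAdmins2"
BASE = "dc=contoso,dc=local"

# Constructed sample entries (hypothetical user "Jane Doe"); real AD data will differ.
DIRECTORY = [
    {"dn": "cn=Administrator,cn=Users," + BASE, "cn": ["Administrator"],
     "sAMAccountName": ["Administrator"], "objectClass": ["user"]},
    {"dn": "cn=Jane Doe,cn=Users," + BASE, "cn": ["Jane Doe"],
     "sAMAccountName": ["jdoe"], "objectClass": ["user"]},
    {"dn": "cn=WebLogicAdmins2,cn=Users," + BASE, "cn": ["WebLogicAdmins2"],
     "objectClass": ["group"], "member": ["cn=Jane Doe,cn=Users," + BASE]},
]

def escape(value):
    """Escape RFC 4515 special characters so a value stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def expand(template, token, value):
    """Substitute one %-token (%u, %g or %M) with an escaped value."""
    return template.replace(token, escape(value))

def search(ldap_filter):
    """Evaluate a flat (&(attr=value)...) filter against DIRECTORY."""
    terms = re.findall(r"\((\w+)=((?:[^()\\]|\\[0-9a-f]{2})*)\)", ldap_filter)
    hits = []
    for entry in DIRECTORY:
        attrs = {k.lower(): [v.lower() for v in vals]
                 for k, vals in entry.items() if k != "dn"}
        if all(unescape(v).lower() in attrs.get(a.lower(), []) for a, v in terms):
            hits.append(entry)
    return hits

def login_is_admin(login_name):
    """Resolve the user by cn (as the filter is written), then check groups."""
    users = search(expand(USER_FROM_NAME, "%u", login_name))
    if len(users) != 1:
        return False  # no match or ambiguous match: user not resolved
    groups = search(expand(GROUPS_FROM_MEMBER, "%M", users[0]["dn"]))
    return any(ADMIN_GROUP in g["cn"] for g in groups)
```

In this model "Jane Doe" resolves and is granted Admin, while "jdoe" does not resolve, because the User From Name Filter compares %u with cn rather than with sAMAccountName; check which attribute your users actually type at login.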