Configure Active Directory with Weblogic 12c server as Authentication Provider

Configuring Authentication Providers for WebLogic Server is a very common task. I will explain the steps to configure Active directory with Weblogic 12c Server as an Authentication Provider. Further, I will demonstrate how can you let Active Directory users to log into the WebLogic 12c Console for administration purposes.

Assumptions

This article assumes that you already have

1. Microsoft Active Directory Environment Setup. Single Domain Controller will used in this example.
2. WebLogic 12c Server is installed and running.
3. You are able to access the WebLogic Administration console using “weblogic” user.

Environment

In this demonstration of Configure Active Directory with Weblogic 12c server as Authentication Provider, we have the our environment setup as below

Configure Active Directory with Weblogic 12c server as Authentication Provider

• Login into the WebLogic Administration console. Under the Domain Structure, click on Security Realm > myrealm > Providers.

• Click on New  and fill the details. Make sure to choose the type as ActiveDirectoryAuthenticator
• Click on the Active Directory provider from the list of providers and under the common settings change the Control Flag to Sufficient and click on save.
• Under Provider Specific Settings, fill the details as below. Only Required settings are shown and  most of them are left to defaults. You may decide to tweak the settings based on your environment.User Base DN: dc=contoso,dc=localAll Users Filter:  (&(objectCategory=person)(objectClass=user))User From Name Filter: (&(cn=%u)(objectclass=user))User Name Attribute: sAMAccountName

  User Object Class: user

   

  Group Base DN: dc=contoso,dc=local

  Group From Name Filter:  (&(cn=%g)(objectclass=group))

  Static Group Name Attribute: cn

  Static Group Object Class: group

  Static Member DN Attribute: member

  Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))

•  Click Save.

You must restart the Admin Server in order for this provider to work. You may do this using the scripts or service (if configured).

If all above steps were configured properly, you should be able to see the Active Directory Users and Groups in the WebLogic Console. In order to verify this navigate to Security Realms > myrealm and select Users and Groups Tab.

And  this is it. If you see the AD Users and Groups  listed under Users and Groups tab, this means that the Integration was successful. Next step is how can you allow AD Users to access the WebLogic console?

Allow Active Directory Users to login into WebLogic Console

in order to allow Active Directory Users to login into WebLogic console, we will utilize the Roles and Policies. You cannot add AD Users or Groups into WebLogic Users or Groups directly. Therefore, it is must that the access is granted through the Roles and Policies. In order to achieve this

• Navigate to Security Realms > myrealm > Roles and Policies tab > expand the Global Roles and click on View Role Conditions for Admin under Roles.
  This is the place where you will add the Groups or Users from Active directory. In this example we will add an AD Group called WebLogicAdmins2
  
  
• Once added. Click on save.

Now you should be able to login into the WebLogic Console using an AD credentials for a user who belongs to above mentioned group.