10 Configuring LDAP Authentication When LDAP Synchronization is Enabled

Use the following procedure to be able to use LDAP for authentication when LDAP synchronization is enabled.

Note:

This procedure does not enable the following functionality:

  • Forced password changes, including first login, administrator password reset, and expired passwords

  • Forced setting of challenge responses

  1. Add a dynamic group in Oracle Internet Directory (OID).

    1. Create an oimusers.ldif file that defines a dynamic group. The format of the LDIF file should be similar to the following:

      dn: cn=oimusers, <group search base>
                objectclass: orclDynamicGroup
                objectclass: groupOfUniqueNames
                labeleduri:ldap://<LdapHost>:<LdapPort>/<UserSearchBase>??sub?(objectclass=inetOrgPerson)

      For example:

      dn: cn=oimusers,cn=Groups,dc=us,dc=oracle,dc=com
                objectclass: orclDynamicGroup
                objectclass: groupOfUniqueNames
                labeleduri: ldap://dadvmc0225:3060/cn=Users,dc=us,dc=oracle,dc=com??sub?(objectclass=inetOrgPerson)

    2. Use the ldapadd command to upload the oimusers.ldif file to OID. The command should have the following format:

      ldapadd -h <ldaphost> -p <ldapport> -D <root dn> -w <password> -f oimusers.ldif

      For example:

      ldapadd -h dadvmc0225 -p 3060 -D cn=orcladmin -w welcome1 -f oimusers.ldif

    3. Use the ldapsearch command to validate group members. The command should have the following format:

      ldapsearch -h <ldaphost> -p <ldapport> -D <root dn> -w <password> -b "cn=oimusers,<groupsearchbase>" -s base "objectclass=*"

      For example:

      ldapsearch  -h dadvmc0225 -p 3060 -Dcn=orcladmin -wwelcome1 -b "cn=oimusers,cn=Groups,dc=us,dc=oracle,dc=com" -s base "objectclass=*"

  2. Configure the LDAP Authenticator in WLS.

    1. Log in to WebLogic Administrative Console.

    2. Go to Security Realms, myrealm, Providers.

    3. Click New. Give a name and choose OracleInternetDirectoryAuthenticator as type.

    4. Set the Control Flag to SUFFICIENT.

    5. Click the Provider Specific settings and configure the OID connection details.

    6. In Dynamic groups section, enter the following values:

      Dynamic Group Name Attribute: cn

      Dynamic Group Object Class: orcldynamicgroup

      Dynamic Member URL Attribute: labeleduri

      User Dynamic Group DN Attribute: GroupOfUniqueNames

    7. Click the Providers tab and then click Reorder. Reorder the LDAP authenticator so this is placed before the OIM Authenticator.

  3. Restart all servers.

  4. Validate role memberships.

    1. Login to WebLogic Admin Console.

    2. Go to Security Realms, myrealm, User and Groups.

    3. Click users to display all the users in the LDAP user search base. If the LDAP users are not displayed, it means that there is an error with the LDAP connection, and the details are specified in OID Authenticator (provider specific settings).

    4. Click on any user and then to the corresponding group entry. "Oimusers" should be one of the listed entries. If this validation fails, please go through the LDAP authenticator's provider-specific details.