LDAP in Anger

In this blog entry I explore the use of an LDAP[1] directory and infrastructure to establish a single directory for authentication and user management in an Oracle WebLogic[2] environment.

Background

I have been working and consulting around [Oracle] WebLogic for quite some time. When it comes to user management, the use of the embedded LDAP server (shipped with WebLogic Server) is the most common configuration I have come across. This means that a user directory exists for every domain.

Let’s assume a customer site (like the one I am on currently) requires 5 environments to support their software development lifecycle (Development, Test, QA, Staging and Production). Every environment consists of two WebLogic domains: an Oracle Service Bus domain and an Oracle SOA Suite domain. That is a sum total of 10 user directories. Managing user data across 10 directories, even when using bulk import and export facilities, can be an error-prone and time-consuming administrative task. Just think of the complexity when members from various development (or support) teams require varying levels of access to two or more of the environments.

Wouldn’t it be easier if we could centralise the user directory and establish a simple delegation model to ensure the right people get the right level of access without having to create users in 10 WebLogic domains separately? The rest of this post will focus on what is required, from a functional point of view, to establish a centralised LDAP infrastructure.

We have to address two key areas to establish the LDAP infrastructure, which we will cover in the sections that follow:

  1. Design a server topology to allow all WebLogic Server domains to connect to a central LDAP directory.
  2. Establish a delegation model that can be administered centrally.

Topology

From a functional point of view, the requirement is simply to have a single source where all WebLogic Server domains can obtain user and group information. To satisfy this requirement the server topology must allow all WebLogic Server domains to connect to a central LDAP directory. The image below illustrates a very simple topology where three WebLogic Server domains are connected to a single LDAP server*.

What do we need to do to connect a WebLogic server domain to an LDAP server?

WebLogic Server includes a very comprehensive and standards-based set of Security Services[3] that address a wide range of security requirements. By default, every WebLogic Server domain includes a default Security Realm[4], named myrealm, as illustrated above. A security realm contains a set of Security Providers[5] that provide security services. These security services can be used to protect WebLogic resources.

Authentication Providers (a type of Security Provider) are responsible for accessing user databases to obtain user and group information and establish trust (e.g. username/password authentication). To enable a WebLogic Server domain to gain access to user information stored in an LDAP directory, we must add an additional Authentication Provider to the default security realm (myrealm) by using the following steps**:

  1. Log on to the WebLogic Server Administration Console as an administrator.
  2. Browse to Security Realms -> myrealm -> Providers [-> Authentication]
  3. Create a new Authentication Provider by providing a Name (e.g. LDAPAuthenticator) and a Type. For the purpose of this post we will assume LDAPAuthenticator as the Type of Authentication Provider.***
  4. Browse to the newly created Provider [Configuration -> Common] and change the Control Flag value to SUFFICIENT.
  5. Complete the Provider Specific configuration tab. Be sure to enable the Use Retrieved User Name as Principal flag. You will need the configuration details of your LDAP server to complete this configuration.
  6. Browse to the DefaultAuthenticator: Security Realms -> myrealm -> Providers [-> Authentication] -> DefaultAuthenticator [-> Configuration -> Common] and change the Control Flag value to SUFFICIENT. Both Control Flags must be SUFFICIENT so that a provider which does not know the user hands over to the next one, and the authentication process stops at the first provider in which the user is found.
  7. Reorder the Authentication Providers to reflect the following order: DefaultAuthenticator, LDAPAuthenticator, DefaultIdentityAsserter.
  8. Save the WebLogic Server configuration and restart all WebLogic Server instances in the domain.
  9. Repeat the steps above for all domains to establish connectivity to the LDAP server.

Upon returning to the WebLogic Server Administration Console you should be able to see the list of users and groups on the LDAP directory by browsing to Security Realms -> myrealm -> Users and Groups. This will confirm that the configuration was successful. If you do not see the users and groups from your LDAP directory, something went wrong ;)
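The console procedure above expressed as a WLST script, added here as an example; it is not code from the original post or from the Java Toolbox project. It assumes a generic LDAPv3 directory with inetOrgPerson users and groupOfUniqueNames groups, and the domain name, admin URL, LDAP host, bind DN and base DNs are placeholders.

```jython
# Added example, not code from the original post: the console steps above as a
# WLST script for one domain. Values marked "assumed" are placeholders.
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

DOMAIN     = 'dev_osb_domain'                                  # assumed
ADMIN_URL  = 't3://adminhost:7001'                             # assumed
LDAP_HOST  = 'ldap.example.internal'                           # assumed
BIND_DN    = 'cn=wlsreader,ou=services,dc=example,dc=com'      # assumed, read-only account
USER_BASE  = 'ou=people,dc=example,dc=com'                     # assumed
GROUP_BASE = 'ou=groups,dc=example,dc=com'                     # assumed

connect(url=ADMIN_URL)          # prompts for the administrator credentials
edit()
startEdit()
realm = getMBean('/SecurityConfiguration/%s/Realms/myrealm' % DOMAIN)

# Step 3: add the provider; the existing DefaultAuthenticator is kept (see note **).
ldap = realm.createAuthenticationProvider(
    'LDAPAuthenticator',
    'weblogic.security.providers.authentication.LDAPAuthenticator')

# Step 4: SUFFICIENT, so a successful lookup here ends the chain and a miss
# falls through to the next provider.
ldap.setControlFlag('SUFFICIENT')

# Step 5: provider-specific settings for an inetOrgPerson/groupOfUniqueNames
# tree. Group object class and member attribute keep the provider defaults.
ldap.setHost(LDAP_HOST)
ldap.setPort(636)
ldap.setSSLEnabled(true)        # the directory's CA must be in the server trust store
ldap.setPrincipal(BIND_DN)
ldap.setCredential('bind-password-here')                       # placeholder
ldap.setUserBaseDN(USER_BASE)
ldap.setUserObjectClass('inetOrgPerson')
ldap.setUserNameAttribute('uid')
ldap.setUserFromNameFilter('(&(uid=%u)(objectclass=inetOrgPerson))')
ldap.setGroupBaseDN(GROUP_BASE)
ldap.setUseRetrievedUserNameAsPrincipal(true)

# Step 6: DefaultAuthenticator must be SUFFICIENT too; left REQUIRED it would
# fail every login of a user that exists only in LDAP.
dflt = realm.lookupAuthenticationProvider('DefaultAuthenticator')
dflt.setControlFlag('SUFFICIENT')

# Step 7: order DefaultAuthenticator, LDAPAuthenticator, DefaultIdentityAsserter.
asserter = realm.lookupAuthenticationProvider('DefaultIdentityAsserter')
realm.setAuthenticationProviders(
    jarray.array([dflt, ldap, asserter], AuthenticationProviderMBean))

# Step 8: activate the change; every server in the domain must then be restarted.
save()
activate(block='true')
disconnect()
```

Run it once per domain (step 9); the bind account only needs read access to the user and group subtrees, which limits what a leaked credential could do.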

Delegation Model

Delegation or Delegated Administration refers to the decentralisation of administrative responsibilities. “So what?”, I hear you say. OK, rather than use some hypothetical scenario, let’s use WebLogic Server administration (i.e. the act of administering) as a use case to explain what I am getting at with respect to a delegation model:

In many organisations the (operational) team responsible for administering WebLogic Server is centralised. In big environments this can result in a substantial burden on the daily activities of such a team. The image below depicts a model that can be used to decentralise the administrative responsibilities for a number of WebLogic Server domains that span across multiple environments:

From the model:

  • Members of the GlobalWLAdministrators Group are authorised to administer all WebLogic domains. The members of this group can be viewed as the organisation’s expert WebLogic resources.
  • Members of the DevWLAdministrators Group are authorised to administer the WebLogic Dev Domains and do not have access to the other domains.
  • Similarly, the members of the TestWLAdministrators Group are authorised to administer the WebLogic Test Domains and do not have access to the other domains.

This model effectively allows the WebLogic expert users (GlobalWLAdministrators) to delegate the day-to-day administration of development and testing environments to authorised users in the development and testing teams.

Getting back to the centralised LDAP directory: the Groups depicted in the model above can be translated directly into concrete group entries in an LDAP directory. This implies, for example, that a user in the GlobalWLAdministrators Group has a single username/password combination to access all WebLogic domains and is granted Admin privileges based on his/her group membership.

What do we need to do to ensure the WebLogic Admin Security Role is granted to the appropriate users?

Security Roles[6] are another important aspect of a WebLogic Security Realm. A Security Role is a specific privilege granted to users and groups based on a set of conditions, e.g. group membership. The important thing to remember is that a Security Role is computed and granted dynamically. Security Roles in turn are used by Policies[7] to determine who can access a WebLogic resource.

For example, for a user to be granted the Admin role in a WebLogic Server domain, the user must belong to the Administrators group, i.e. group membership is the precondition for a user to be granted the Admin role. To implement the delegation model we discussed above we have to modify the default set of conditions that are used to grant the Admin role to authenticated users. Use the following steps to modify the conditions of the default Admin role in a WebLogic Security Realm:

  1. Log on to the WebLogic Server Administration Console as an administrator.
  2. Browse to Security Realms -> myrealm -> Roles and Policies -> {expand} Global Roles -> Roles -> Admin. This page will present the current set of conditions for the Admin role.
  3. Click the Add Conditions button and select Group from the Predicate List when presented. Click Next.
  4. Assuming the current WebLogic domain represents a development domain; repeat the Add operation on the Group Argument Name field twice with the following values: GlobalWLAdministrators and DevWLAdministrators.
  5. Click Finish. The Admin role conditions should now read: GlobalWLAdministrators or DevWLAdministrators or Administrators. This means that any user belonging to any one of these groups will be granted the Admin role when logging on to the WebLogic Administration Console.
  6. Repeat the steps above for all domains, substituting DevWLAdministrators for the appropriate group name.

The use case and steps above cover the LDAP directory and WebLogic requirements for the Admin role, but what about expanding the delegation model to other security roles and Oracle products, e.g. Oracle Service Bus and Oracle SOA Suite? No problem.

Oracle WebLogic Server, Oracle SOA Suite and Oracle Service Bus employ a set of well-defined security roles to control administrative privileges. In fact, the key roles employed by WebLogic Server and SOA Suite overlap. Links 8, 9 and 10 at the end of this post provide more information on the various security roles as employed by the Oracle products.

The following table provides a mapping between the products, security roles and LDAP directory groups for the simple topology and delegation model we have discussed:

Product                        Security Role        LDAP Groups
-----------------------------  -------------------  ---------------------------------
WebLogic Server and SOA Suite  Admin                GlobalWLAdministrators
                                                    DevWLAdministrators
                                                    TestWLAdministrators
                               Monitor              GlobalWLMonitors
                                                    DevWLMonitors
                                                    TestWLMonitors
                               Operator             GlobalWLOperators
                                                    DevWLOperators
                                                    TestWLOperators
WebLogic Server                Deployer             GlobalWLDeployers
                                                    DevWLDeployers
                                                    TestWLDeployers
Service Bus                    IntegrationAdmin     GlobalWLIntegrationAdministrators
                                                    DevWLIntegrationAdministrators
                                                    TestWLIntegrationAdministrators
                               IntegrationMonitor   GlobalWLIntegrationMonitors
                                                    DevWLIntegrationMonitors
                                                    TestWLIntegrationMonitors
                               IntegrationOperator  GlobalWLIntegrationOperators
                                                    DevWLIntegrationOperators
                                                    TestWLIntegrationOperators
                               IntegrationDeployer  GlobalWLIntegrationDeployers
                                                    DevWLIntegrationDeployers
                                                    TestWLIntegrationDeployers
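The WebLogic Server rows of the table (Admin, Monitor, Operator and Deployer) applied to one domain with WLST, added here as an example that is not part of the original post; it generalises the Admin-role console steps earlier to all four global roles. It assumes the default XACMLRoleMapper in myrealm and that the LDAP group names follow the GlobalWL&lt;group&gt; / &lt;Env&gt;WL&lt;group&gt; convention of the table; the domain name, admin URL and ENV value are placeholders.

```jython
# Added example, not code from the original post: set the global-role
# conditions for one domain from the table above. DOMAIN, ENV and the admin
# URL are assumed values.
DOMAIN = 'dev_soa_domain'        # assumed domain name
ENV    = 'Dev'                   # 'Test' for a test domain, and so on

# Default WebLogic group behind each global role; the LDAP group names in the
# table are formed as GlobalWL<group> and <Env>WL<group>.
DEFAULT_GROUP = {'Admin': 'Administrators', 'Deployer': 'Deployers',
                 'Operator': 'Operators',   'Monitor':  'Monitors'}

def role_expression(role, env):
    # Keep the default group so embedded-LDAP users (the safety net from the
    # provider setup) still get their roles, then add the global and the
    # environment-specific LDAP group. '|' is OR in the role expression language.
    base = DEFAULT_GROUP[role]
    return 'Grp(%s)|Grp(GlobalWL%s)|Grp(%sWL%s)' % (base, base, env, base)

connect(url='t3://adminhost:7001')   # prompts for credentials; assumed URL

# RoleEditorMBean operations of the default XACMLRoleMapper act on the live
# realm, so no edit session is needed. A resource id of None means a global role.
mapper = getMBean('/SecurityConfiguration/%s/Realms/myrealm/RoleMappers/XACMLRoleMapper' % DOMAIN)

for role in DEFAULT_GROUP.keys():
    mapper.setRoleExpression(None, role, role_expression(role, ENV))
    # Read back what was stored so a typo is caught before anyone relies on it.
    print role, '=>', mapper.getRoleExpression(None, role)

disconnect()
```

For a Test domain only ENV changes; the Service Bus Integration* roles in the table live in the OSB domain's realm and are set the same way with their own default groups.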

To summarise:

  • We touched on the basics required to connect a WebLogic server environment to a central LDAP directory to obtain user information. (Topology)
  • We illustrated, using the out-of-the-box WebLogic Security Roles, the benefits of managing user and group information in an LDAP directory, as opposed to employing an embedded user store per WebLogic domain. (Delegation Model)
  • Remember that you can apply similar authorisation and delegation models to your own applications using an LDAP directory.

Java Toolbox Simple User Console (ldapconsole)

Some shameless self promotion before I go. Back in February 2010 I developed a very basic user interface to use in conjunction with LDAPv3 directories. I wanted a very simple user interface that didn’t require the user to have any knowledge of LDAP specifically. The following is a list of the current features:

  • JEE (Java Enterprise Edition) Web Application. Tested on Tomcat 5, 7 and WebLogic Server 11g.
  • Should work with most LDAPv3 implementations.
  • Basic user management, including the ability to change and reset passwords.
  • Basic (static) group and group membership management.
  • Provides LDIF files to create users and groups to support the simple delegated administration model for Oracle WebLogic Server, Oracle SOA Suite and Oracle Service Bus we discussed earlier in the post.
  • Simple Java API for user and group management.
  • Simple SOAP based web services for user and group management.

You will notice that I included the ldapconsole as part of the topology diagram earlier in this post. The ldapconsole can be deployed on a WebLogic Server domain. The user interface and SOAP web services can then be used to manage user and group entries in an LDAP directory.

Below are some screen shots of the ldapconsole in action:

User provisioning form indicating missing required fields:

User search results:

Group search results for all groups containing the substring *DevWL* in their name:

Group membership form for the WebLogic Root user:

The following is an example of a SOAP envelope accepted by the simple_user web service of the ldapconsole to create a user entry:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
                               xmlns:java="java:toolbox.services.ldap.simple" 
                               xmlns:java1="java:toolbox.services.ldap.simple.beans">
   <soapenv:Header/>
   <soapenv:Body>
      <java:addUser>
         <java:simpleUser>
            <java1:cn>Billy Connolly</java1:cn>
            <java1:givenName>Billy</java1:givenName>
            <java1:mail>billy@somewhere.com</java1:mail>
            <java1:sn>Connolly</java1:sn>
            <java1:uid>billyc</java1:uid>
            <java1:userPassword>password</java1:userPassword>
         </java:simpleUser>
      </java:addUser>
   </soapenv:Body>
</soapenv:Envelope>

The ldapconsole can be obtained as part of the Java Toolbox Framework[11]. Instructions for compiling and installing the ldapconsole are available in the apps/ldapconsole/doc/INSTALL.txt file upon installation of the framework.

Notes

  • * Depending on the size of the environment, the topology (from an LDAP server perspective) would need to include things like master and slave replication to scale sufficiently at an enterprise level while still addressing the requirement.

  • ** It is important to note that we are adding an additional Authentication Provider and not replacing the existing Default Authenticator. This will ensure that you are able to start and access your WebLogic domain if the LDAP directory becomes unavailable for some reason. It is also useful to have the default provider just in case the LDAP provider is configured incorrectly. You don’t want to find yourself locked out of your own WebLogic domain because of a typo.

  • *** WebLogic Server provides a number of Authentication Providers that support a number of LDAP server implementations, including Microsoft Active Directory and Oracle’s own Internet Directory.

Links

  1. LDAP
    http://www.ldapman.org/articles/intro_to_ldap.html

  2. Oracle WebLogic Server
    http://docs.oracle.com/cd/E23943_01/wls.htm

  3. Oracle WebLogic Security Services
    http://docs.oracle.com/cd/E23943_01/web.1111/e13710/model.htm

  4. Oracle WebLogic Security Realms
    http://docs.oracle.com/cd/E23943_01/web.1111/e13710/realm_chap.htm

  5. Oracle WebLogic Security Providers
    http://docs.oracle.com/cd/E23943_01/web.1111/e13710/realm_chap.htm#i1033501

  6. Oracle WebLogic Security Roles
    http://docs.oracle.com/cd/E23943_01/web.1111/e13710/realm_chap.htm#i1033485

  7. Oracle WebLogic Security Policies
    http://docs.oracle.com/cd/E23943_01/web.1111/e13710/realm_chap.htm#i1035646

  8. Oracle WebLogic Server Global Roles
    http://docs.oracle.com/cd/E23943_01/web.1111/e13747/secroles.htm#i1219977

  9. Oracle SOA Suite: Oracle Enterprise Manager Roles
    http://docs.oracle.com/cd/E23943_01/admin.1111/e10226/appx_roles_privs.htm

  10. Oracle Service Bus: Administrative Security Roles and Privileges
    http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/admin_security.htm#i1058496

  11. Java Toolbox Framework
    http://javatoolbox.sourceforge.net/

Happy Hacking!
