dinsdag 28 oktober 2014
dinsdag 29 mei 2012
Implementing the OpenLDAP Authenticator
In an older blog post I explained the steps you'll have to execute to implement the SQL Authenticator.
In this article, I will explain you how to implement an OpenLDAP authenticator.
You can download the sources here.
Architecture of my setup:
* First Oracle Linux 5 server machine with the Open LDAP setup:
suffix "dc=mycompany,dc=com"
rootdn "cn=manager,dc=mycompany,dc=com"
rootpw <<Your_Encrypted_Password>>
* Second Oracle Linux 5 server machine with WebLogic Server 11g with a basic domain.
(1)
To populate the LDAP tree, you can use the attached ldif file (fill_openldap_full.ldif):
ldapadd -f fill_openldap_full.ldif -xv -D "cn=manager,dc=mycompany,dc=com" -w <<Your_Password>>
Result of this operation:
* 4 users (organizational unit = people): bill, harry, kelly and stuart.
* 2 groups (organizational unit = groups): java_dev (with members kelly and stuart) and wls_admin (with members bill, harry and stuart)
(2)
Create the OpenLDAP Authenticator.
(3)
Fill in the "Provider Specific" tab page with the following data:
Host myOpenLDAPServer
Port 389
Principal cn=manager,dc=mycompany,dc=com
User Base DN ou=people,dc=mycompany,dc=com
User From Name Filter (&(cn=%u)(objectclass=person))
User Name Attribute cn
User Object Class person
Group Base DN ou=groups,dc=mycompany,dc=com
Group From Name Filter (&(cn=%g)(objectclass=groupofnames))
Static Group Name Attribute cn
Static Group Object Class groupofnames
Static Member DN Attribute member
Static Group DNs from Member DN Filter (&(member=%M)(objectclass=groupofnames))
(4)
Set the Control Flag for the default authenticator to OPTIONAL.
(5)
Restart the servers within your domain and verify afterwards if you see the OpenLDAP users and groups in the console.
(6)
Deploy the file openldap_scrty.war into your WLS domain and verify that only the users who belong to the group wls_admin can successfully access the application.
vrijdag 20 januari 2012
Setting up and testing the SQL Authenticator
Please download sql_authenticator.zip for the source files.
To configure the SQL Authenticator, please follow these steps:
(1)
In the database, create a user that holds the security data (sqlauth_ddl1.sql).
(2)
Create some tables in your security schema (sqlauth_ddl2.sql).
P.S.: in this script the default structure is defined. If you want to use another table structure, you'll have to change the SQL statements in your provider (see further).
(3)
Insert data in the tables (sqlauth_dml.sql).
(4)
Connect to the WLS Administration Console.
(5)
Create a data source that points to the schema you created.
(6)
In the WLS Administration Console, go to Security Realms.
Select myrealm - Providers and click on the New button.
Choose a name and select SQLAuthenticator in the Type poplist.
Click OK.
In the overview of the providers, your new provider is available.
Select your provider.
In the next screen go to the Configuration - Provider Specific tab.
In this screen you'll have to check the Plaintext Password Enabled checkbox, define your Data Source Name and select PLAINTEXT for Password Style.
Keep the defaults for the other fields.
P.S.: if you defined another table structure defined in the second step, you'll have to modify the SQL statements here.
(7)
For the DefaultAuthenticator, the Control Flag must be set on OPTIONAL (default value = REQUIRED). If you don't do this, the users defined in your SQL Authenticator will not be able to log in.
(8)
Restart your domain.
(9)
If you go to the Users and Groups section of myrealm, you should see your users and groups defined in your database schema. Here you can reorganise your users and groups. All the provider-specific changes are written to the database.
(10)
Deploy sql_scrty.war to test your new security provider.
Please note that only access for the users who belong to the group SQL_Administrators is granted in the deployment descriptors of the application.
To configure the SQL Authenticator, please follow these steps:
(1)
In the database, create a user that holds the security data (sqlauth_ddl1.sql).
(2)
Create some tables in your security schema (sqlauth_ddl2.sql).
P.S.: in this script the default structure is defined. If you want to use another table structure, you'll have to change the SQL statements in your provider (see further).
(3)
Insert data in the tables (sqlauth_dml.sql).
(4)
Connect to the WLS Administration Console.
(5)
Create a data source that points to the schema you created.
(6)
In the WLS Administration Console, go to Security Realms.
Select myrealm - Providers and click on the New button.
Choose a name and select SQLAuthenticator in the Type poplist.
Click OK.
In the overview of the providers, your new provider is available.
Select your provider.
In the next screen go to the Configuration - Provider Specific tab.
In this screen you'll have to check the Plaintext Password Enabled checkbox, define your Data Source Name and select PLAINTEXT for Password Style.
Keep the defaults for the other fields.
P.S.: if you defined another table structure defined in the second step, you'll have to modify the SQL statements here.
(7)
For the DefaultAuthenticator, the Control Flag must be set on OPTIONAL (default value = REQUIRED). If you don't do this, the users defined in your SQL Authenticator will not be able to log in.
(8)
Restart your domain.
(9)
If you go to the Users and Groups section of myrealm, you should see your users and groups defined in your database schema. Here you can reorganise your users and groups. All the provider-specific changes are written to the database.
(10)
Deploy sql_scrty.war to test your new security provider.
Please note that only access for the users who belong to the group SQL_Administrators is granted in the deployment descriptors of the application.
Abonneren op:
Posts (Atom)