- iPlanet Authentication provider
- Active Directory Authentication provider
- Open LDAP Authentication provider
- Novell Authentication provider
- generic LDAP Authentication provider
- Choose an LDAP Authentication provider that matches your LDAP server and create an instance of the provider in your security realm.
- Configure the provider-specific attributes of the LDAP Authentication provider, which you can do through the Administration Console. For each LDAP Authentication provider, there are attributes that:
- Enable communication between the LDAP server and the LDAP Authentication provider (Host, Port, Principal, Credential). For a more secure deployment, BEA recommends using the SSL protocol to protect communications between the LDAP server and WebLogic Server; without it the bind credential and every user's password travel in clear text. Enable SSL with the SSLEnabled attribute, point Port at the LDAP server's SSL port (commonly 636), and make sure the LDAP server's certificate chains to a CA in WebLogic Server's trust keystore, or the provider cannot connect.
- Configure options that control how the LDAP Authentication provider searches the LDAP directory.
- Specify where in the LDAP directory structure users are located.
- Specify where in the LDAP directory structure groups are located.
- Define how members of a group are located.
- Configure performance options that control the cache for the LDAP server. Use the Configuration: Provider Specific and Performance pages for the provider in the Administration Console to configure the cache.
FAILOVER
You can configure an LDAP provider to work with multiple LDAP servers and fail over if one LDAP server is not available. To do this, change the Host attribute on the security_realm > Providers > provider_specific page to a space-separated list of hostname:port entries (for example, localhost:389 remotehost:389); an entry without a port uses the Port attribute. Servers are tried in list order, so put the preferred server first. When using failover, the Parallel Connect Delay and Connection Timeout attributes should also be set for the LDAP Authentication provider:
- Parallel Connect Delay—Specifies the number of seconds to delay between concurrent attempts to connect to multiple servers. If the value is 0, connection attempts are serialized: an attempt is made to connect to the first server in the list, and the next entry is tried only after the attempt to connect to the current host fails. With a host that is down but not refusing connections, this setting can block your application for the full Connection Timeout per host (or indefinitely if that is also 0). If the value is greater than 0, another connection setup thread is started after the specified number of delay seconds has passed, and the first connection to succeed is used.
- Connection Timeout—Specifies the maximum number of seconds to wait for the connection to the LDAP server to be established. If set to 0, there is no maximum time limit and WebLogic Server waits until the TCP/IP layer times out before it returns a connection failure, which can take minutes on some platforms. Set it to a value over 60 seconds, depending on the TCP/IP configuration of the host, so a hung LDAP server causes a bounded wait instead of blocking authentication.
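The two attributes above are easiest to understand by watching them act on a list of servers. The following is an added example, not WebLogic or BEA code: it models the documented semantics of Host, Parallel Connect Delay and Connection Timeout with a small failover routine. The hostnames and the stand-in "LDAP servers" (a fake connector in which one host refuses, one silently drops packets, one accepts) are constructed for the demonstration; `tcp_connect` is the real-socket equivalent you would use against actual servers.

```python
"""Model of WebLogic LDAP provider failover (added example, not product code)."""
import socket
import threading
import time
from typing import Callable, Dict, List, Optional, Tuple

# Assumed Host attribute shape: space-separated "host[:port]" entries.
def parse_hosts(host_attr: str, default_port: int = 389) -> List[Tuple[str, int]]:
    hosts = []
    for entry in host_attr.split():
        host, sep, port = entry.rpartition(":")
        if not sep:                       # bare host, fall back to Port attribute
            host, port = entry, str(default_port)
        hosts.append((host, int(port)))
    return hosts


class ConnectFailed(Exception):
    """Every host in the list failed."""


# connect(host, port, timeout); timeout None means "wait for the TCP/IP stack"
Connector = Callable[[str, int, Optional[float]], object]


def tcp_connect(host: str, port: int, timeout: Optional[float]) -> socket.socket:
    """Real connector: Connection Timeout = 0 maps to timeout=None (block)."""
    return socket.create_connection((host, port), timeout=timeout)


def connect_with_failover(hosts, connect: Connector = tcp_connect,
                          parallel_connect_delay: float = 0,
                          connection_timeout: float = 0):
    timeout = connection_timeout if connection_timeout > 0 else None
    failures: List[str] = []

    if parallel_connect_delay <= 0:
        # Delay 0: serialized. A black-holed host costs the full timeout here.
        for host, port in hosts:
            try:
                return host, port, connect(host, port, timeout)
            except OSError as exc:
                failures.append(f"{host}:{port}: {exc}")
        raise ConnectFailed("; ".join(failures))

    # Delay > 0: start another attempt every `delay` seconds (or as soon as the
    # previous one fails); the first attempt to connect wins, late ones close.
    winner: Dict[str, Tuple[str, int, object]] = {}
    done, lock = threading.Event(), threading.Lock()

    def attempt(host: str, port: int) -> None:
        try:
            conn = connect(host, port, timeout)
        except OSError as exc:
            with lock:
                failures.append(f"{host}:{port}: {exc}")
            return
        with lock:
            if "conn" in winner:          # lost the race: release the extra session
                close = getattr(conn, "close", None)
                if close:
                    close()
                return
            winner["conn"] = (host, port, conn)
        done.set()

    threads = []
    for host, port in hosts:
        t = threading.Thread(target=attempt, args=(host, port), daemon=True)
        t.start()
        threads.append(t)
        t.join(parallel_connect_delay)    # returns early if this attempt ends
        if done.is_set():
            return winner["conn"]
    while not done.is_set() and any(t.is_alive() for t in threads):
        done.wait(0.05)
    if done.is_set():
        return winner["conn"]
    raise ConnectFailed("; ".join(failures))


def make_fake_connector(behaviour: Dict[str, str]) -> Connector:
    """Constructed servers: 'ok' accepts, 'refused' fails at once, 'hang' drops
    the SYN so only the caller's timeout ends the attempt (like a real stack)."""
    def connect(host: str, port: int, timeout: Optional[float]) -> object:
        mode = behaviour.get(host, "refused")
        if mode == "ok":
            return f"session:{host}:{port}"
        if mode == "refused":
            raise ConnectionRefusedError(f"{host} refused")
        if timeout is None:
            threading.Event().wait()      # Connection Timeout 0: block forever
        time.sleep(timeout)
        raise socket.timeout(f"{host} timed out after {timeout}s")
    return connect


def demo():
    """Same host list, serialized vs. parallel; returns (host, port, seconds)."""
    hosts = parse_hosts("ldap1.example.com:389 ldap2.example.com ldap3.example.com:636")
    fake = make_fake_connector({"ldap1.example.com": "refused",
                                "ldap2.example.com": "hang",
                                "ldap3.example.com": "ok"})
    results = []
    for delay in (0, 0.1):
        start = time.monotonic()
        host, port, _ = connect_with_failover(hosts, fake, delay, connection_timeout=0.5)
        results.append((host, port, time.monotonic() - start))
    return tuple(results)


if __name__ == "__main__":
    for mode, r in zip(("serialized", "parallel"), demo()):
        print(f"{mode}: connected to {r[0]}:{r[1]} after {r[2]:.2f}s")
```

Both runs end up on ldap3, but the serialized one pays the whole Connection Timeout waiting on the black-holed ldap2 first, which is exactly the blocking the attribute description warns about; with a non-zero Parallel Connect Delay the third attempt starts while the second is still hanging. With the real `tcp_connect` and Connection Timeout left at 0 the serialized wait becomes the operating system's TCP connect timeout.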
NOTE
If an LDAP Authentication provider is the only configured Authentication provider for a security realm, the user that boots WebLogic Server must exist in the LDAP directory and must be granted the Admin role there, since the embedded LDAP users are no longer consulted. Either create an Administrators group in the LDAP directory (the Admin role includes the Administrators group by default) and add your boot user to it, or use an existing LDAP group and map that group to the Admin role in the WebLogic Administration Console. Do this before removing or disabling the default provider, or you will be locked out of the server. For more information refer to the WebLogic documentation: Configuring LDAP providers.