Tuesday 29 May 2012

Implementing the OpenLDAP Authenticator

In an older blog post I explained the steps you have to execute to implement the SQL Authenticator.
In this article, I will explain how to implement an OpenLDAP Authenticator.
You can download the sources here.
Architecture of my setup:
* First Oracle Linux 5 server machine with the OpenLDAP setup:
  suffix  "dc=mycompany,dc=com"
  rootdn  "cn=manager,dc=mycompany,dc=com"
  rootpw  <<Your_Encrypted_Password>>
* Second Oracle Linux 5 server machine with WebLogic Server 11g with a basic domain.

To populate the LDAP tree, you can use the attached ldif file (fill_openldap_full.ldif):
ldapadd -f fill_openldap_full.ldif -xv -D "cn=manager,dc=mycompany,dc=com" -w <<Your_Password>>
Result of this operation:
* 4 users (organizational unit = people): bill, harry, kelly and stuart.
* 2 groups (organizational unit = groups): java_dev (with members kelly and stuart) and wls_admin (with members bill, harry and stuart)

Create the OpenLDAP Authenticator.

Fill in the "Provider Specific" tab page with the following data:
Host                                    myOpenLDAPServer
Port                                    389
Principal                               cn=manager,dc=mycompany,dc=com
User Base DN                            ou=people,dc=mycompany,dc=com
User From Name Filter                   (&(cn=%u)(objectclass=person))
User Name Attribute                     cn
User Object Class                       person
Group Base DN                           ou=groups,dc=mycompany,dc=com
Group From Name Filter                  (&(cn=%g)(objectclass=groupofnames))
Static Group Name Attribute             cn
Static Group Object Class               groupofnames
Static Member DN Attribute              member
Static Group DNs from Member DN Filter  (&(member=%M)(objectclass=groupofnames))

Set the Control Flag for the default authenticator to OPTIONAL.

Restart the servers within your domain and verify afterwards that the OpenLDAP users and groups appear in the console.

Deploy the file openldap_scrty.war into your WLS domain and verify that only the users who belong to the group wls_admin can successfully access the application.
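To show how the "Provider Specific" filters above are actually used, here is an added example (my own illustration, not code from the post or from WebLogic): it substitutes %u and %M into the post's filter templates and evaluates them against a constructed in-memory copy of the directory tree the post describes (4 persons, 2 groupofnames groups), resolving a user to its DN and then to its static groups, and finally applying the wls_admin rule of openldap_scrty.war. The login name is escaped as an LDAP filter value before substitution, so a name that contains filter syntax cannot change the query.

```python
import re

# Constructed directory content: the tree the post says fill_openldap_full.ldif
# creates (4 persons, 2 groupofnames groups). Not the post's actual LDIF file.
PEOPLE = "ou=people,dc=mycompany,dc=com"
GROUPS = "ou=groups,dc=mycompany,dc=com"
ENTRIES = [{"dn": f"cn={u},{PEOPLE}", "objectclass": ["person"], "cn": [u]}
           for u in ("bill", "harry", "kelly", "stuart")]
ENTRIES += [{"dn": f"cn={g},{GROUPS}", "objectclass": ["groupofnames"], "cn": [g],
             "member": [f"cn={m},{PEOPLE}" for m in members]}
            for g, members in (("java_dev", ("kelly", "stuart")),
                               ("wls_admin", ("bill", "harry", "stuart")))]
# "Provider Specific" values from the post, keyed by their console labels.
SETTINGS = {
    "User Base DN": PEOPLE,
    "User From Name Filter": "(&(cn=%u)(objectclass=person))",
    "Group Base DN": GROUPS,
    "Static Group Name Attribute": "cn",
    "Static Group DNs from Member DN Filter": "(&(member=%M)(objectclass=groupofnames))",
}

def escape_filter_value(value):
    """RFC 4515 escaping: a login name like 'a)(cn=*' must stay a literal value."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def search(base, filter_template, subs):
    """Minimal evaluator for the AND-of-equalities filters the post uses, subtree scope."""
    for token, value in subs.items():
        filter_template = filter_template.replace(token, escape_filter_value(value))
    terms = re.findall(r"\((\w+)=([^()]*)\)", filter_template)  # [(attr, value), ...]
    def matches(entry):  # compare in escaped form; attribute names/values case-insensitive
        return all(any(escape_filter_value(v).lower() == want.lower()
                       for v in entry.get(attr.lower(), [])) for attr, want in terms)
    return [e for e in ENTRIES if e["dn"].lower().endswith("," + base.lower()) and matches(e)]

def find_user(name):
    hits = search(SETTINGS["User Base DN"], SETTINGS["User From Name Filter"], {"%u": name})
    return hits[0] if len(hits) == 1 else None  # no match or ambiguous match: no login

def groups_of(name):
    """Resolve static groups the way the authenticator does: user DN -> member= lookup."""
    user = find_user(name)
    hits = search(SETTINGS["Group Base DN"], SETTINGS["Static Group DNs from Member DN Filter"],
                  {"%M": user["dn"]}) if user else []
    return {g[SETTINGS["Static Group Name Attribute"]][0] for g in hits}

def can_access(name, required_group="wls_admin"):
    """The openldap_scrty.war rule from the post: only wls_admin members get in."""
    return required_group in groups_of(name)
```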

Friday 20 January 2012

Setting up and testing the SQL Authenticator

Please download sql_authenticator.zip for the source files.

To configure the SQL Authenticator, please follow these steps:

In the database, create a user that holds the security data (sqlauth_ddl1.sql).

Create some tables in your security schema (sqlauth_ddl2.sql).
P.S.: this script defines the default table structure. If you want to use another table structure, you'll have to change the SQL statements in your provider (see below).

Insert data in the tables (sqlauth_dml.sql).

Connect to the WLS Administration Console.

Create a data source that points to the schema you created.

In the WLS Administration Console, go to Security Realms.
Select myrealm - Providers and click on the New button.

Choose a name and select SQLAuthenticator in the Type drop-down list.
Click OK.

In the overview of the providers, your new provider is available.
Select your provider.
In the next screen go to the Configuration - Provider Specific tab.

In this screen you'll have to check the Plaintext Password Enabled checkbox, define your Data Source Name and select PLAINTEXT for Password Style.
Keep the defaults for the other fields.

P.S.: if you defined another table structure in the second step, you'll have to modify the SQL statements here.

For the DefaultAuthenticator, the Control Flag must be set to OPTIONAL (default value = REQUIRED). If you don't do this, the users defined in your SQL Authenticator will not be able to log in.

Restart your domain.

If you go to the Users and Groups section of myrealm, you should see the users and groups defined in your database schema. Here you can reorganise your users and groups. All the provider-specific changes are written to the database.

Deploy sql_scrty.war to test your new security provider.
Please note that the deployment descriptors of the application grant access only to users who belong to the group SQL_Administrators.