Weblogic中配置Active Directory Authentication Provider

其要点或者容易出错的关键点是：(<>及其中说明代表需要替换的内容)

        Host: ads.yourdomain.com         Host填AD服务器的域名或IP

         Port: 389                                       Port默认389端口，可以用telnet <ad server ip>  389  来测试你的域控端口是否可以访问

         Principal: cn=Administrator,cn=Users,dc=yourdomain,dc=com         cn填管理员用户名，dc dc 把域名拆开写就可以了

         Credential： ******* 你的管理员密码

  Confirm Credential： ******* 再一遍

     Users

      User Base DN:               cn=Users,dc=yourdomain,dc=com        

      User From Name Filter: (&(samAccountName=%u)(objectclass=user))

      User Name Attribute:      samAccountName

    

     Groups

     Group Base DN:              cn=Users,dc=yourdomain,dc=com        

     Group From Name Filter:  (&(cn=%g)(objectclass=group))

 

具体参考下文  http://www.weblogic-wonders.com/weblogic/2010/12/04/configuring-active-directory-authenticator-with-weblogic-server/

Configuring Active Directory Authenticator with Weblogic Server

Weblogic Server comes with an Embedded LDAP Server which acts as the Default Provider for authentication, authorization and rolemapping.Since authentication is based on JAAS ( Java Authentication and Authorization Service), we can have external providers as well.These providers can be Out Of the Box Providers provided by WLS or Custom Providers which can be plugged in. I’ll discuss that in some other article.

These are some of the providers

WLS does provide an out of the box provider for Active Directory.
These are the steps to configure it.
Step 1). Open Active Directory Console

Step 2). Create a User

Step 3). Assign it to Administrator Group. This is required as Active Directory gives connection only to Admin User.

Step 4). Go to Weblogic Server and Create an Active Directory Authentication Provider

Step 5) Under Provider Specific, provide the following values, leave the others as default.

Propagate Cause For Login Exception ( checked)
Principal :CN=aduser,CN=Users,DC=faisal,DC=bea,DC=com
User Base Dn : CN=Users,DC=faisal,DC=bea,DC=com
Credential : XXXXXX
Group Base Dn: CN=Users,DC=faisal,DC=bea,DC=com

You should see the following in the config.xml

<sec:authentication-provider xsi:type=”wls:active-directory-authenticatorType”>
<sec:name>ActiveDirectory</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:principal>CN=aduser,CN=Users,DC=faisal,DC=bea,DC=com</wls:principal>
<wls:user-base-dn>CN=Users,DC=faisal,DC=bea,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{3DES}YoOwqSH1jxsOlvUmAYOENw==</wls:credential-encrypted>
<wls:group-base-dn>CN=Users,DC=faisal,DC=bea,DC=com</wls:group-base-dn>
</sec:authentication-provider>

Step 6) Change the control flag of the Active Directory Authenticator and the Default Authenticator to SUFFICIENT

Step 7) Restart your server. Go to myrealm. You should be able to see the users and groups from the Active Directory.