Friday, May 15, 2015

Authentication using OpenLDAP. Weblogic Console and BPM Worklist

In this blog I will illustrate how you can configure Weblogic Server to use OpenLDAP as authentication provider and to allow OpenLDAP users to login to the Oracle BPM Worklist application. In a previous blog I have already shown how to do Weblogic Authentication with ApacheDS (http://javaoraclesoa.blogspot.nl/2014/08/ldap-and-weblogic-using-apacheds-as.html). In this blog I will use OpenLDAP to also do BPM Worklist authentication.


Why use OpenLDAP?

Oracle Platform Security Services (OPSS) supports the use of several authentication providers. See: http://docs.oracle.com/cd/E23943_01/core.1111/e10043/devuserole.htm#JISEC2474. OpenLDAP is the only open source directory in this list:
  • Microsoft Active Directory
  • Novell eDirectory
  • Oracle Directory Server Enterprise Edition
  • Oracle Internet Directory
  • Oracle Virtual Directory
  • OpenLDAP
  • Oracle WebLogic Server Embedded LDAP Directory
  • Microsoft ADAM
  • IBM Tivoli
Being able to use a provider for WebLogic Server authentication does not automatically mean that its users can also be used in Fusion Middleware applications that use JPS, such as the BPM Worklist application. WebLogic Server supports a wider range of authentication providers and mechanisms than JPS can use out of the box.

What causes this limitation? Most Fusion Middleware applications (all I have seen so far) only consult the first LDAP authentication provider in the security realm for their identity store. This is usually the DefaultAuthenticator (the WebLogic embedded LDAP server); an LDAP authenticator added after it is ignored. The straightforward solution is to use a single LDAP. If that is not an option, you can virtualize several LDAPs and present them to the application as a single LDAP. The most common solutions for this are Oracle Virtual Directory (OVD, http://docs.oracle.com/cd/E12839_01/oid.1111/e10036/basics_10_ovd_what.htm) and LibOVD. Oracle Virtual Directory is a separate product. LibOVD ships with WebLogic Server but has no web interface of its own and is more limited in functionality (and, in my opinion, more troublesome to configure).

When you use the generic LDAPAuthenticator (for example for ApacheDS) instead of a product-specific one such as the OpenLDAPAuthenticator, you also need to specify an idstore.type in jps-config.xml in DOMAINDIR\config\fmwconfig. This idstore.type is limited to the list below (see https://docs.oracle.com/cd/E14571_01/core.1111/e10043/jpsprops.htm#JISEC3159):
  • XML
  • OID - Oracle Internet Directory
  • OVD - Oracle Virtual Directory
  • ACTIVE_DIRECTORY - Active Directory
  • IPLANET - Sun Java System Directory Server
  • WLS_OVD - WebLogic OVD
  • CUSTOM - Any other type
CUSTOM can be any type, but if you specify it you also have to provide an implementation of the oracle.security.idm.IdentityStoreFactory interface in the ADF_IM_FACTORY_CLASS property, and there you are limited to the implementations Oracle ships or you have to build your own. When using OpenLDAP with the OpenLDAPAuthenticator, you don't have this problem.

Configuring OpenLDAP

Installing

This has been described on various other blogs such as https://blogs.oracle.com/jamesbayer/entry/using_openldap_with_weblogic_s and http://biemond.blogspot.nl/2008/10/using-openldap-as-security-provider-in.html. I won't go into much detail here; I'll just describe what I needed to do to get it working.

First install OpenLDAP. I used a Windows version (http://sourceforge.net/projects/openldapwindows, version 2.4.38) since at the time of writing I was sitting behind a Windows computer; there are plenty of other builds. The benefit of this one is that it pretty much works out of the box. I updated part of the etc\openldap\slapd.conf file (shown below) to use my own domain and to change the Manager password. The rootpw is stored as an {SSHA} hash rather than in clear text (you can create one with the slappasswd tool that ships with OpenLDAP, or see https://onemoretech.wordpress.com/2012/12/17/encoding-ldap-passwords/). The password behind it is 'Welcome01' in my case, which is fine for a lab but not for a directory that anyone else can reach. There are also a couple of other references to the dc=example,dc=com domain in the config file that you should replace.

#######################################################################
# BDB database definitions
#######################################################################


database bdb
suffix "dc=smeetsm,dc=amis,dc=nl"
rootdn "cn=Manager,dc=smeetsm,dc=amis,dc=nl"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# {SSHA} hash of the lab password 'Welcome01'; generate your own with slappasswd
rootpw {SSHA}2HdAW3UmR5uK4zXOVwxO01E38oYanHUa
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       ../var/openldap-data
# Indices to maintain

index   default         pres,eq
index objectClass eq
index   uniqueMember    eq
# Note: the groups below use groupOfNames/member, not uniqueMember, so the
# "groups from member DN" search WebLogic runs at login is unindexed unless
# you also add "index member eq".

# Only the Manager may read or change password hashes; anonymous may only
# use them to authenticate (bind), which is what WebLogic needs.
access to attrs=userPassword
       by dn="cn=Manager,dc=smeetsm,dc=amis,dc=nl" write
       by anonymous auth
       by * none

access to dn.base=""
       by * read

# slapd evaluates the first "access to" clause whose target matches and stops,
# so a second "access to *" clause would never be reached; both privileged
# DNs therefore go into a single clause. (The rootdn bypasses ACLs anyway.)
# "by * read" lets anonymous clients read the whole tree, including group
# membership; for a non-lab directory restrict this to "by users read".
access to *
       by dn="cn=Manager,dc=smeetsm,dc=amis,dc=nl" write
       by dn="cn=root,dc=smeetsm,dc=amis,dc=nl" write
       by * read
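The rootpw above and the userPassword values in the ldif below are {SSHA} hashes. To show what is actually inside such a value, here is an added example (my own code, not part of the original post or of OpenLDAP) that creates and verifies OpenLDAP-style {SSHA} hashes: base64 of SHA-1(password + salt) with the salt appended in clear. The salt length is a parameter because slappasswd uses 4 bytes while Apache Directory Studio and other tools use longer salts.

```python
"""Create and check OpenLDAP {SSHA} password hashes.

Added example, not code from the original post.  An {SSHA} value is
    base64( SHA1(password + salt) || salt )
with the salt stored in clear after the digest so a verifier can recompute it.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None, salt_len: int = 4) -> str:
    """Return a '{SSHA}...' string usable as rootpw or as a userPassword value."""
    if salt is None:
        salt = os.urandom(salt_len)          # fresh random salt per hash
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value.

    The scheme tag is matched case-insensitively because the LDIF on this page
    uses '{ssha}'.  Malformed values return False instead of raising, so a
    corrupt attribute cannot turn into an exception on the login path.
    """
    if len(stored) <= len(SCHEME) or stored[: len(SCHEME)].upper() != SCHEME:
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return False
    if len(raw) <= SHA1_LEN:                 # digest plus at least one salt byte
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)   # constant-time comparison


def ldif_userpassword(stored: str) -> str:
    """Render the value the way the LDIF on this page does: 'userPassword::'
    followed by the base64 of the whole '{SSHA}...' string ('::' in LDIF
    marks a base64-encoded attribute value)."""
    return "userPassword:: " + base64.b64encode(stored.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    h = ssha_hash("Welcome01")
    print("rootpw " + h)                     # paste into slapd.conf
    print(ldif_userpassword(h))              # paste into the user's LDIF entry
    print("verify ok:", ssha_verify("Welcome01", h), "wrong pw:", ssha_verify("welcome01", h))
```

The first printed line can replace the rootpw line in slapd.conf, the second the userPassword line of a user entry. Keep in mind that SSHA is salted but unstretched SHA-1, so it is fast to brute-force offline if the hashes leak; the userPassword ACL above exists precisely to keep them unreadable.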

Adding users

Commandline with an ldif file

I used Apache Directory Studio to add the users graphically (described below) and exported the result to the ldif file below (all passwords are 'Welcome01'; the double colon after userPassword means the value is base64-encoded, and it decodes to an {ssha} hash, not to the clear password). After importing it you have a sample Administrator user and group that correspond to the WebLogic Server configuration further below. Save the file as base.ldif.

version: 1

dn: dc=smeetsm,dc=amis,dc=nl
objectClass: top
objectClass: domain
dc: smeetsm

dn: ou=people,dc=smeetsm,dc=amis,dc=nl
objectClass: top
objectClass: organizationalUnit
ou: people

dn: cn=smeetsm,ou=people,dc=smeetsm,dc=amis,dc=nl
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: smeetsm
sn: Smeets
userPassword:: e3NzaGF9Y1lEOE9hM09IdjhGWjFQSVZPWG9DMTFHeDBvQThZcVV1TGV5aVE9P
 Q==

dn: ou=groups,dc=smeetsm,dc=amis,dc=nl
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=Administrators,ou=groups,dc=smeetsm,dc=amis,dc=nl
objectClass: top
objectClass: groupOfNames
cn: Administrators
member: cn=smeetsm,ou=people,dc=smeetsm,dc=amis,dc=nl

On an empty database (configured with the slapd.conf above) you can import this as follows (ldapadd.exe is in the bin directory of my OpenLDAP installation):

ldapadd.exe -f base.ldif -xv -D "cn=Manager,dc=smeetsm,dc=amis,dc=nl" -w Welcome01

Here -x selects a simple (non-SASL) bind and -v gives verbose output. Note that -w puts the Manager password on the command line, where it ends up in the shell history and is visible in the process list; outside a lab use -W instead, which prompts for the password.

With a GUI (Apache Directory Studio)

Download Apache Directory Studio from: https://directory.apache.org/studio/. First create a connection in Apache Directory Studio, using the same bind DN and password as specified in the slapd.conf file. This is a plain LDAP connection on port 389, so the Manager password crosses the network unencrypted; for anything other than localhost use LDAPS or StartTLS.

Host: localhost port: 389
BindDN or user: cn=Manager,dc=smeetsm,dc=amis,dc=nl
Password: Welcome01

Next, right-click Root DSE. Add a new entry. Create from scratch. Add the 'domain' object class. The wizard then asks for the parent DN and the RDN of the new entry; the DN of the new entry is the RDN followed by the parent, so to create the base entry of the suffix make sure the DN preview reads 'dc=smeetsm,dc=amis,dc=nl':


Specify parent: 'dc=amis,dc=nl'
Specify RDN: 'dc=smeetsm'


Using a similar method, you can add the other entries from the ldif file above. You only have to pick the most specific object class per entry (organizationalUnit, inetOrgPerson, groupOfNames); Apache Directory Studio adds the superclasses automatically, but check the result against the ldif. The end result will be;



Weblogic Server configuration

Authentication provider configuration

This part has been described in other posts as well. I'll briefly repeat it here for completeness.

In your security realm add a new authentication provider, select OpenLDAPAuthenticator. Fill in the below details;

Group Base DN:  ou=groups,dc=smeetsm,dc=amis,dc=nl
Static Group Object Class:  groupOfNames
User Base DN:  ou=people,dc=smeetsm,dc=amis,dc=nl
User Object Class:  inetOrgPerson
Principal:  cn=Manager,dc=smeetsm,dc=amis,dc=nl
Host:  localhost
Credential:  Welcome01
Static Group DNs from Member DN Filter:  (&(member=%M)(objectclass=groupOfNames))
User From Name Filter:  (&(cn=%u)(objectclass=inetOrgPerson))
Group From Name Filter:  (&(cn=%g)(objectclass=groupOfNames))

Mind that the DefaultAuthenticator and your newly created authenticator should both have their control flag set to SUFFICIENT. The DefaultAuthenticator is REQUIRED by default, which means every login also has to succeed against the embedded LDAP, so a user that exists only in OpenLDAP would be rejected. Two further points for anything beyond a lab setup: the Principal above is the directory's rootdn, while WebLogic only needs to search users and groups with it (the user's own password is checked by binding as the user), so a dedicated read-only bind account is the safer choice; and with SSL unchecked both that bind and each user's password at login travel to OpenLDAP in clear text, so enable SSL as soon as the directory is on another machine.
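The three filters in the provider configuration are templates: at login WebLogic substitutes the user name for %u, a group name for %g and the user's DN for %M and sends the result to OpenLDAP as a search. The following added example (my own code, not from the original post or from WebLogic) reproduces that substitution with RFC 4515 escaping and evaluates the filters against an in-memory copy of the two entries from base.ldif, so you can trace the user lookup, the group lookup and the "groups from member DN" lookup without a running directory. It also shows why the substituted value must be escaped: pasted in unescaped, a user name of '*' turns the user filter into a wildcard match. The in-memory evaluator is a simplification (equality, substring, presence, and/or/not only) and is an assumption of the example, not how slapd is implemented.

```python
"""Trace the WebLogic OpenLDAPAuthenticator filters against the page's LDIF.

Added example, not code from the original post or from WebLogic.  Substitutes
%u / %g / %M with RFC 4515 escaping and evaluates the resulting filters against
an in-memory copy of the user and group from base.ldif.
"""
from __future__ import annotations
import re

# Filter templates exactly as entered in the provider configuration.
USER_FROM_NAME = "(&(cn=%u)(objectclass=inetOrgPerson))"
GROUP_FROM_NAME = "(&(cn=%g)(objectclass=groupOfNames))"
GROUPS_FROM_MEMBER = "(&(member=%M)(objectclass=groupOfNames))"

# The user and group from the page's base.ldif, reduced to the attributes used.
BASE_DN = "dc=smeetsm,dc=amis,dc=nl"
USER_DN = "cn=smeetsm,ou=people," + BASE_DN
GROUP_DN = "cn=Administrators,ou=groups," + BASE_DN
ENTRIES = {
    USER_DN: {"objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
              "cn": ["smeetsm"], "sn": ["Smeets"]},
    GROUP_DN: {"objectclass": ["top", "groupOfNames"],
               "cn": ["Administrators"], "member": [USER_DN]},
}

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value inserted into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render(template: str, **params: str) -> str:
    """Substitute %u / %g / %M with escaped values, as the provider should."""
    for name, value in params.items():
        template = template.replace("%" + name, escape_filter_value(value))
    return template

def _parse(f: str, i: int):
    """Parse the filter component starting at f[i]; return (node, next index)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, f))
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1                 # skip the closing ')'
    if f[i] == "!":
        kid, i = _parse(f, i + 1)
        return ("!", [kid]), i + 1
    eq = f.index("=", i)
    end = f.index(")", eq)                       # a literal ')' in a value is escaped as \29
    return ("=", f[i:eq].lower(), f[eq + 1:end]), end + 1

def _value_regex(value: str) -> re.Pattern:
    """Unescaped '*' is a wildcard; \\xx escapes decode to the literal character."""
    pieces = []
    for piece in value.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)  # cn and DNs are caseIgnore

def _match(node, attrs: dict[str, list[str]]) -> bool:
    if node[0] == "&":
        return all(_match(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(_match(k, attrs) for k in node[1])
    if node[0] == "!":
        return not _match(node[1][0], attrs)
    _, attr, value = node
    values = attrs.get(attr, [])
    if value == "*":                             # presence test
        return bool(values)
    rx = _value_regex(value)
    return any(rx.match(v) for v in values)

def search(filter_str: str) -> list[str]:
    """Return the DNs under BASE_DN matching the filter (subtree search)."""
    tree, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing text in filter: %r" % filter_str[end:])
    return [dn for dn, attrs in ENTRIES.items() if _match(tree, attrs)]

def lookup_user(username: str) -> list[str]:
    return search(render(USER_FROM_NAME, u=username))

def lookup_group(name: str) -> list[str]:
    return search(render(GROUP_FROM_NAME, g=name))

def groups_of(member_dn: str) -> list[str]:
    return search(render(GROUPS_FROM_MEMBER, M=member_dn))

def unescaped_lookup_user(username: str) -> list[str]:
    """For comparison only: the name pasted in without escaping."""
    return search(USER_FROM_NAME.replace("%u", username))

if __name__ == "__main__":
    print("user   :", lookup_user("smeetsm"))
    print("groups :", groups_of(USER_DN))
    print("escaped '*' :", lookup_user("*"), " unescaped '*' :", unescaped_lookup_user("*"))
```

Running it shows the login sequence: the user filter resolves the name to the user DN, that DN is fed into the member filter to find the Administrators group, and a name of '*' matches nothing when escaped but matches the user when pasted in raw. The same escaping rule applies to anything else you template into a filter, for instance in a custom task assignment or a script that queries the directory.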

You can now use the new user to log in to the WebLogic Console and Enterprise Manager. In this example I have added the user to the Administrators group. If you don't want that, you can create your own group and add the users to that group. Such a user won't be able to log in to the WebLogic Console, but using the worklist application will work if the configuration below is also done.

LibOVD configuration

You can enable LibOVD as described on http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html. Set the virtualize=true property from Enterprise Manager Fusion Middleware Control: click the arrow before Security Provider, click Configure and add the property (it ends up as a property of the identity store service instance in jps-config.xml).


To log in to the worklist application, a user must either be mapped directly to, or be a member of a group mapped to, a valid application role, as you can see in the screenshot below. You can of course also make this more specific.


Thus, after the virtualize=true property has been set (and the server has been restarted), you can add users to your OpenLDAP and assign tasks to them. When working with tasks I do recommend mapping the application roles to LDAP groups rather than to individual users; this makes managing users a lot easier later on (especially when working with organizational units).

Now you can log in to the Oracle BPM Worklist application with the new user. There are no assigned tasks yet, so you won't see much, but you can assign tasks to this user or to the group it belongs to.


Resources

OVD JPS properties: https://docs.oracle.com/cd/E14571_01/core.1111/e10043/jpsprops.htm#JISEC3159

OpenLDAP with Weblogic: https://blogs.oracle.com/jamesbayer/entry/using_openldap_with_weblogic_s

OpenLDAP Windows: http://sourceforge.net/projects/openldapwindows

Encoding LDAP passwords: https://onemoretech.wordpress.com/2012/12/17/encoding-ldap-passwords/

LibOVD idstore.type for ApacheDS?

Identity store providers: http://docs.oracle.com/cd/E23943_01/core.1111/e10043/devuserole.htm#JISEC2474

LibOVD when and how?: http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
