其要点或者容易出错的关键点是:(<>及其中说明代表需要替换的内容)
Host: ads.yourdomain.com Host填AD服务器的域名或IP
Port: 389 Port默认389端口,可以用telnet <ad server ip> 389 来测试你的域控端口是否可以访问
Principal: cn=Administrator,cn=Users,dc=yourdomain,dc=com cn填管理员用户名,dc dc 把域名拆开写就可以了
Credential: ******* 你的管理员密码
Confirm Credential: ******* 再一遍
Users
User Base DN: cn=Users,dc=yourdomain,dc=com
User From Name Filter: (&(samAccountName=%u)(objectclass=user))
User Name Attribute: samAccountName
Groups
Group Base DN: cn=Users,dc=yourdomain,dc=com
Group From Name Filter: (&(cn=%g)(objectclass=group))
Configuring Active Directory Authenticator with Weblogic Server
Weblogic Server comes with an Embedded LDAP Server which acts as the Default Provider for authentication, authorization and rolemapping.Since authentication is based on JAAS ( Java Authentication and Authorization Service), we can have external providers as well.These providers can be Out Of the Box Providers provided by WLS or Custom Providers which can be plugged in. I’ll discuss that in some other article.
These are some of the providers
WLS does provide an out of the box provider for Active Directory.
These are the steps to configure it.
Step 1). Open Active Directory Console
Step 2). Create a User
Step 3). Assign it to Administrator Group. This is required as Active Directory gives connection only to Admin User.
Step 4). Go to Weblogic Server and Create an Active Directory Authentication Provider
Step 5) Under Provider Specific, provide the following values, leave the others as default.
Propagate Cause For Login Exception ( checked)
Principal :CN=aduser,CN=Users,DC=faisal,DC=bea,DC=com
User Base Dn : CN=Users,DC=faisal,DC=bea,DC=com
Credential : XXXXXX
Group Base Dn: CN=Users,DC=faisal,DC=bea,DC=com
You should see the following in the config.xml
<sec:authentication-provider xsi:type=”wls:active-directory-authenticatorType”>
<sec:name>ActiveDirectory</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:principal>CN=aduser,CN=Users,DC=faisal,DC=bea,DC=com</wls:principal>
<wls:user-base-dn>CN=Users,DC=faisal,DC=bea,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{3DES}YoOwqSH1jxsOlvUmAYOENw==</wls:credential-encrypted>
<wls:group-base-dn>CN=Users,DC=faisal,DC=bea,DC=com</wls:group-base-dn>
</sec:authentication-provider>
Step 6) Change the control flag of the Active Directory Authenticator and the Default Authenticator to SUFFICIENT
Step 7) Restart your server. Go to myrealm. You should be able to see the users and groups from the Active Directory.