Weblogic Group Authentication

iregk

Mar 4, 2011
Hi all,

I've hit an issue with a Weblogic deployment and application authenticating against MS Active Directory. WLS and AD from here on.

What works:
I've configured WLS to point to my Active Directory server, and all filters, DNs, etc. seem to be correct, as under users and groups I get back all the users and groups set up within AD. It's a standard web application, and in the weblogic.xml I've specified the security role and, in the principal name, specified the users that I wish to use the application with: user1 and user2, as set up in AD (it's a development system). This works fine; however, it's not what I want.

<security-role-assignment>
<role-name>secureaccessrole</role-name>
<principal-name>user1,user2</principal-name>
</security-role-assignment>

What doesn't work:
As this system, when rolled out to a client, will have 300 users accessing it, obviously I can't expect them to put every single user into the weblogic.xml. What I want to do is specify the group that the users are in, so that I only need to reference 3 or 4 groups as opposed to 300 users. On our development system the users user1, user2, etc. are all in the Users group in AD.

<security-role-assignment>
<role-name>secureaccessrole</role-name>
<principal-name>Users</principal-name>
</security-role-assignment>

The question is: what do I need to configure, or how do I get the system to authenticate users that are members of a group rather than specifying the users themselves? I'm assuming this is down to the group filter setup or something like that. I've googled the hell out of it and gone through various sites such as this:

and this

The only thing is, surely the filter is correct if it's pulling in all the groups from AD. Within the deployments I can select my deployment, see my role, and in the URL pattern of the security tab I have the group Users specified, so any user in the group Users should have access.

In the logs, with debug on for security, I can see the user being authenticated correctly, but then it gets denied for each role, so it seems that it's being authenticated; however, it's not been given access to the role specified in the weblogic.xml.

Anyone for any help or any good instructions for specifying AD groups as opposed to users?

Should say that this is WLS 10.3

Thanks
Graham
 