Wednesday, December 21, 2011

Oracle Identity Manager LDAP and Smart Card authentication against Active Directory

Just recently we had the requirement to configure Oracle Identity Manager (OIM) 11g for LDAP and Smart Card authentication against Active Directory.

In this article I will share the configuration steps to get this up and running.

Step 1: Configure LDAP Authentication against Active Directory
Step 2: Configure Smart Card authentication; the certificates are stored in Active Directory

We take the following as given:
  • OIM 11g with Weblogic 10.3.x configured and running
  • Working LDAP Server (here Active Directory) available
  • SSL for OIM / Weblogic set up
  • Users from AD exist in OIM (e.g. through trusted source reconciliation)
  • Users in OIM have scrambled passwords
Configure Weblogic (and OIM) LDAP authentication against Active Directory

Requirements (on AD side)
  • An LDAP connection (bind) user with sufficient rights in AD to perform subtree searches on your users and groups containers, i.e. within the scope we configure below
  • For LDAP login to OIM to work, you need an AD group called "oimusers"; every user who shall be able to log in to OIM must be a member of it. The group must be named exactly "oimusers".
Add an additional Authentication Provider
After a standard OIM / Weblogic Installation you should have something like this


Now we add an additional Authentication Provider
Name: ADAuthenticationProvider
Type: ActiveDirectoryAuthenticator
Control Flag: SUFFICIENT



 
 
Configure Provider Specific Options
LDAP Connection Information
(In a production environment you would use SSL-enabled LDAP; that configuration is not covered in this article)

Principal: Your LDAP connection user 




User scope configuration
User Base DN: Container where your users are found
The remaining parameters keep their default values


Group scope configuration
Group Base DN: Container where your groups are found
Your "oimusers" group must be found in this container or in its subtree
The remaining parameters keep their default values



Optionally, you can also enable the WebLogic Server debug option for troubleshooting.
If needed, do the same for oim_server1 as well.


Restart your AdminServer.
To confirm the debug option is properly set, you should see <Debug> <SecurityAtn> entries in your log file.

The logfile will be found in your AdminServer log directory, in our Windows Installation this is:
C:\Oracle\Middleware\user_projects\domains\OIM_DEV\servers\AdminServer\logs\AdminServer.log
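Checking the log by eye works for a handful of lines, but it is easy to miss that a debug flag never took effect on one server. The following Go snippet is an added example, not code from the original post or from WebLogic: it parses records in the WebLogic server log layout (a record starts with "####" and carries twelve angle-bracketed fields; stack traces continue on the following lines) and returns the <Debug> <SecurityAtn> records. The sample log text is constructed for this example, and its message contents are invented placeholders rather than real WebLogic output.

```go
package main

import (
	"regexp"
	"strings"
)

// logRecord holds the fields of one WebLogic server log record that matter
// when checking for SecurityAtn debug output.
type logRecord struct {
	Timestamp string
	Severity  string
	Subsystem string
	Server    string
	Message   string
}

// A WebLogic server log record starts with "####" and carries twelve
// angle-bracketed fields: timestamp, severity, subsystem, machine, server,
// thread, user (itself bracketed, e.g. <<WLS Kernel>>), transaction id,
// diagnostic context id, raw time, message id and message. Only the fields
// used below are captured; (?s) lets the message span continuation lines.
var recordRE = regexp.MustCompile(`(?s)^####<([^>]*)> <([^>]*)> <([^>]*)> <[^>]*> <([^>]*)> <[^>]*> ` +
	`<(?:<[^>]*>|[^>]*)> <[^>]*> <[^>]*> <[^>]*> <[^>]*> <(.*)>$`)

// parseWebLogicLog splits the log text into records (a line starting with
// "####" opens a record; following lines without that prefix, e.g. a stack
// trace, belong to the previous record) and parses the fields of each.
func parseWebLogicLog(text string) []logRecord {
	text = strings.ReplaceAll(text, "\r\n", "\n") // logs copied from Windows
	var raw []string
	for _, line := range strings.Split(text, "\n") {
		switch {
		case strings.HasPrefix(line, "####"):
			raw = append(raw, line)
		case len(raw) > 0 && strings.TrimSpace(line) != "":
			raw[len(raw)-1] += "\n" + line
		}
	}
	var out []logRecord
	for _, r := range raw {
		m := recordRE.FindStringSubmatch(strings.TrimSpace(r))
		if m == nil {
			continue // not a well-formed record; skip rather than guess at fields
		}
		out = append(out, logRecord{Timestamp: m[1], Severity: m[2], Subsystem: m[3], Server: m[4], Message: m[5]})
	}
	return out
}

// securityAtnDebugRecords returns the <Debug> <SecurityAtn> records. An empty
// result after a restart means the debug flag is not in effect on that server.
func securityAtnDebugRecords(recs []logRecord) []logRecord {
	var out []logRecord
	for _, r := range recs {
		if r.Severity == "Debug" && r.Subsystem == "SecurityAtn" {
			out = append(out, r)
		}
	}
	return out
}

// sampleLog is constructed sample input in the WebLogic server log layout; all
// timestamps, ids and messages are placeholders invented for this example.
const sampleLog = `####<Dec 21, 2011 10:15:02 AM CET> <Notice> <WebLogicServer> <oimhost> <AdminServer> <main> <<WLS Kernel>> <> <> <1324458902000> <BEA-000000> <[constructed] server state changed to RUNNING>
####<Dec 21, 2011 10:16:40 AM CET> <Debug> <SecurityAtn> <oimhost> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1324459000000> <BEA-000000> <[constructed] ADAuthenticationProvider: login attempt for user jdoe>
####<Dec 21, 2011 10:16:41 AM CET> <Debug> <SecurityAtn> <oimhost> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1324459001000> <BEA-000000> <[constructed] login failed for user jdoe
javax.security.auth.login.FailedLoginException: [constructed] details
	at constructed.stack.Frame.method(Unknown Source)>
####<Dec 21, 2011 10:17:00 AM CET> <Info> <Security> <oimhost> <AdminServer> <main> <<WLS Kernel>> <> <> <1324459020000> <BEA-000000> <[constructed] informational message>
`
```

Run parseWebLogicLog over the contents of AdminServer.log (and of the oim_server1 log, if you enabled debugging there too) and inspect what securityAtnDebugRecords returns per server; keeping the Server field makes it obvious when only one of the two servers actually has the flag set.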

Log in to your Weblogic console, navigate to "myrealm" and check the Users and Groups tabs. You should now see all the users from Active Directory within the subtree of the configured scope.



Check the Groups tab and find "oimusers" (this is a regular AD group; OIM only accepts authentication for users that belong to this object as "member").
Notice that the embedded LDAP (DefaultAuthenticator) also has an "oimusers" group.



With that configuration step complete, you should already be able to log in to OIM with one of your Active Directory users.

Please note:
In our environment Active Directory is configured as a trusted source for OIM, so all the users we log in with already exist as accounts in OIM, but with unknown random passwords.
For simple LDAP login tests you can just manually create a corresponding account in OIM and give it some password (preferably not the same as the LDAP password, otherwise you cannot tell which provider actually authenticated you).



Configure Weblogic (and OIM) Smart Card authentication against Active Directory

Add and configure an additional Authentication Provider.
Name: LDAPX509IdentityAsserter
Type: LDAPX509IdentityAsserter
Active Types Chosen: X.509 (already the default)

Provider Specific Parameters
Host: Your LDAP Host, same as used above
Principal: Your LDAP connection user, same as used above
User Filter Attributes: The Active Directory attribute that the Smart Card certificate attribute is matched against. In our case we map the Smart Card certificate's Subject CN to userPrincipalName in AD.
Certificate Attribute: userCertificate. Note that the default value was userCertificate;binary; this did not work for us, although our certificates are stored in binary form in AD.

Certificate Mapping: The container where your AD users are located; if in doubt, use the same one as in the LDAP configuration above.
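To make the certificate-to-user mapping and the "oimusers" rule from the previous sections concrete, here is an added Go example; it is not part of the original post and not WebLogic's or OIM's code. It models what the LDAPX509IdentityAsserter is configured to do above (take the Subject CN from the presented certificate, look it up in userPrincipalName, and require the presented DER bytes to equal a value stored in the user's userCertificate attribute) followed by OIM's requirement that the user be a member of "oimusers". The AD entries, the group DN CN=oimusers,OU=Groups,DC=example,DC=com, the user names and the self-signed test certificates are all constructed for the example; a real deployment runs the LDAP filter shown against the directory instead of against an in-memory slice.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// adEntry is a constructed stand-in for an AD user object, limited to the attributes used here.
type adEntry struct {
	DN                string
	UserPrincipalName string
	UserCertificate   [][]byte // DER blobs, as stored in the multi-valued userCertificate attribute
	MemberOf          []string // group DNs; must include the oimusers group for OIM login
}

// oimUsersGroupDN is an assumed DN for the "oimusers" group that OIM requires.
const oimUsersGroupDN = "CN=oimusers,OU=Groups,DC=example,DC=com"

// escapeFilterValue applies RFC 4515 escaping so a Subject CN containing filter
// metacharacters cannot change the meaning of the lookup filter.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for _, c := range []byte(v) {
		if c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildUserFilter mirrors the "User Filter Attributes" mapping: Subject CN is looked up in userPrincipalName.
func buildUserFilter(subjectCN string) string {
	return "(userPrincipalName=" + escapeFilterValue(subjectCN) + ")"
}

// assertIdentity performs the checks the LDAPX509IdentityAsserter is configured for
// here, then OIM's group rule: parse the presented certificate, find the user whose
// userPrincipalName equals the Subject CN, require the presented DER bytes to equal a
// stored userCertificate value, and require membership in oimusers. Returns the user DN.
func assertIdentity(dir []adEntry, presentedDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(presentedDER)
	if err != nil {
		return "", fmt.Errorf("certificate does not parse: %w", err)
	}
	cn := cert.Subject.CommonName
	if cn == "" {
		return "", errors.New("certificate has no Subject CN to map")
	}
	for i := range dir {
		user := &dir[i]
		if !strings.EqualFold(user.UserPrincipalName, cn) { // AD attribute matching is case-insensitive
			continue
		}
		stored, member := false, false
		for _, der := range user.UserCertificate {
			stored = stored || bytes.Equal(der, presentedDER)
		}
		for _, g := range user.MemberOf {
			member = member || strings.EqualFold(g, oimUsersGroupDN)
		}
		if !stored {
			return "", fmt.Errorf("presented certificate is not stored on %s", user.DN)
		}
		if !member {
			return "", fmt.Errorf("%s is not a member of %s", user.DN, oimUsersGroupDN)
		}
		return user.DN, nil
	}
	return "", fmt.Errorf("no user matches %s", buildUserFilter(cn))
}

// newTestCert builds a self-signed certificate with the given Subject CN. Real smart-card
// certificates come from the enterprise CA; this is constructed input for the example.
func newTestCert(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}
```

Two details are worth noticing. The Subject CN is taken from a certificate presented by the client, so it is escaped before it goes into the filter. And the final check is a byte-for-byte comparison of the presented certificate with the stored attribute value, so the value must come back from the directory as the raw DER bytes; that is why the exact Certificate Attribute setting above matters, and why a freshly issued certificate for the same user is rejected until it is stored on the account.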

Now that we have configured the new Authentication Providers, we need to put them in the right order.


For Weblogic to request the client certificate (in our use case from the Smart Card), the SSL advanced option "Two Way Client Cert Behavior" needs to be changed on each managed server on which you want to be able to use your Smart Card.
You can set it either to "... Requested But Not Enforced" or to "... Requested And Enforced".
See here for more details.


Summary
  • We created one WLS Authentication Provider for LDAP authentication
  • We created one WLS Authentication Provider to act as an Identity Asserter for our Smart Card certificates
  • We configured both providers to "talk" to Active Directory using LDAP to find the corresponding users and to do the authentication based on certificates from the Smart Card
  • Additional steps would be to put a proper authorization setup for OIM and Weblogic in place
Please give feedback if you find this useful, or if something is missing or incorrect.