Configuring Spaces to authenticate with Active Directory

Introduction

In this post, I will describe the steps to configure Active Directory as the authentication source for WebCenter Spaces 11g.

Main Article

WebCenter Spaces 11g was released on July 1, 2009.  It is a collaboration platform, built on top of Oracle WebCenter 11g.

I recently went through the process of setting it up for a client, and integrating it with Microsoft technologies for user management and authentication, mail, presence and instant messaging.

The environment is running on Windows Server 2003, and looks like this:

img1

You can see from the diagram which components need to be configured to work with Active Directory.  The configuration for the Content Server is covered in this earlier post.  That leaves WebLogic Server and also the Wiki service, which has a separate configuration requirement.  I will cover the configuration of WebLogic Server in this post.

Preparing Active Directory

To prepare Active Directory for use with Spaces, you need to create a new group in Active Directory, named Spaces-User and add to this group any users who will be able to use Spaces.

Configuring WebLogic Server for Active Directory

By configuring Active Directory as an authentication provider in WebLogic Server, we allow users to sign on to Spaces, the Content Server and most WebCenter services (except wiki).

The configuration is quite simple and is done mostly in the WebLogic Server administration console, located at http://yourserver:7001/console.  Log on as an administrative user, like weblogic, and navigate to the Security Realms section of the console.

img2

Click on myrealm.

img3

Open the Providers tab.

img4

Click on the New button to create a new provider.  Name it ActiveDirectory and select ActiveDirectoryAuthenticator as the type.

img5

Click on your new provider.  You should see the settings page, similar to this:

img6

Your Control Flag should have defaulted to OPTIONAL.  Don’t change it yet.  Click on the Provider Specific tab to see more settings.  On this tab, we need to provide the details to connect to the Active Directory server.

img7

In the Connection section, we provide the hostname and port number for the Active Directory server, along with the CN and password for the administrative user.  In my case, this is the Administrator user on the Windows Server.  Note that you must provide the CN of this user, not the full DN, i.e. administrator as opposed to cn=administrator,cn=Users,dc=webcenter,dc=au,dc=oracle,dc=com.

img8

In the Users section, we provide information about how to find user accounts in Active Directory.  The User Base DN is the DN of the container where users are stored.  In my case, this is cn=Users,dc=webcenter,dc=au,dc=oracle,dc=com.

The All Users Filter can be left blank, or you can specify a query like (objectclass=user) as I have.

The User From Name Filter must be updated to reflect the correct attribute for user account names in Active Directory.  It should be set to: (&(sAMAccountName=%u)(objectclass=user)).

Leave the User Search Scope as subtree.

Set the User Name Attribute to sAMAccountName.  This is the attribute in the directory where the user account name is stored.

The User Object Class should be set to user.

And finally, make sure you check the Use Retrieved User Name as Principal option.

img9

In the Groups section, you just need to update the Group Base DN to reflect where you want to search for groups in Active Directory, in my case this is dc=webcenter,dc=au,dc=oracle,dc=com.

The remainder of the settings can be left as the defaults.

It is also necessary to make a change to one of the WebLogic Server configuration files, since we have changed the account name attribute.  Open the jps-config.xml file, located under your domain directory in the config\fmwconfig subdirectory.  On my system, the file is located at c:\Oracle\Middleware\user_projects\domains\base_domain\config\fmwconfig\jps-config.xml.

Find the serviceInstance entry for idstore.ldap.provider and add the two properties shown below (username.attr and user.login.attr, both set to sAMAccountName).


<serviceInstances>
    <!-- JPS WLS LDAP Identity Store Service Instance -->
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
        <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
        <property name="username.attr" value="sAMAccountName"/>
        <property name="user.login.attr" value="sAMAccountName"/>
    </serviceInstance>
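As an added example (my own script, not part of the original post or any Oracle tooling), the following makes the jps-config.xml change programmatically and idempotently: it locates the idstore.ldap serviceInstance, adds or corrects the two properties, and fails loudly if the instance is missing. The file excerpt is constructed for the example; the element and property names are the ones from the snippet above, and the script assumes Python 3.8 or later.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of jps-config.xml for this example (the real file is
# much larger and declares a default xmlns, which the code below handles).
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig>
  <serviceInstances>
    <!-- JPS WLS LDAP Identity Store Service Instance -->
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

# The two properties the post adds, both pointing at the AD login attribute.
REQUIRED_PROPERTIES = {"username.attr": "sAMAccountName",
                       "user.login.attr": "sAMAccountName"}


def add_idstore_properties(xml_text, instance_name="idstore.ldap"):
    """Return (updated_xml, number_of_properties_added_or_corrected).
    Idempotent: a second run on the result reports 0 changes.  Raises
    ValueError if the serviceInstance is absent, so a mis-edited file is
    reported instead of being silently left unchanged."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))  # keep comments
    root = ET.fromstring(xml_text, parser=parser)
    ns = ""
    if root.tag.startswith("{"):                 # default namespace present
        uri = root.tag[1:].split("}")[0]
        ns = "{" + uri + "}"
        ET.register_namespace("", uri)           # serialise without ns0: prefixes
    target = next((i for i in root.iter(ns + "serviceInstance")
                   if i.get("name") == instance_name), None)
    if target is None:
        raise ValueError("no serviceInstance named %r" % instance_name)
    existing = {p.get("name"): p for p in target.findall(ns + "property")}
    changed = 0
    for name, value in REQUIRED_PROPERTIES.items():
        prop = existing.get(name)
        if prop is None:
            ET.SubElement(target, ns + "property", name=name, value=value)
            changed += 1
        elif prop.get("value") != value:         # wrong attribute, e.g. cn or uid
            prop.set("value", value)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed
```

To apply it to a real domain, read the file from config\fmwconfig, pass its contents to add_idstore_properties, and write the returned text back after taking a backup.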

You can now save your settings, and restart the WebLogic Server (the AdminServer and any managed servers you have running).

After WebLogic Server has restarted, log back in to the administration console and return to the myrealm security realm.

Click on the Users and Groups tab.  If you got all the settings correct, you should now see your Active Directory users listed in the Users table.  Note that the value in the Provider column indicates where the users come from.

img10

If this has not worked, you got your configuration settings wrong.  Check the AdminServer log file; you will probably find a reasonably helpful error message in there that tells you which setting needs to be updated.

The final step is to go back into your myrealm security realm again, and edit both your ActiveDirectory and DefaultAuthenticator providers to change their Control Flag to SUFFICIENT.  Then reorder the providers so that ActiveDirectory is the first in the list.

img11

Now restart your WebLogic Server instances one more time, and you should then be able to log on to Spaces using an Active Directory username and password.  If you have also completed the configuration of UCM for Active Directory authentication, you should also get seamless single sign-on to UCM whenever you access a “documents” portlet in Spaces.
