Tuesday, March 5, 2013

LDAP and how it is used by WebLogic Server

Lightweight Directory Access Protocol (LDAP) is a protocol that programs use to look up contact information from a server. Much like a relational database, every LDAP database (or directory) has a schema. An LDAP schema is implemented as a set of object class definitions and attribute definitions.
Some common terms used in LDAP are:
  • dc = domain component
  • o = organization
  • ou = organizational unit
  • cn = common name
  • dn = distinguished name
  • uid = user id
When you need to search for an entry in LDAP, you must provide the base of the search and a filter.
For example:
ldapsearch -b "dc=beasys,dc=com" uid=fred
This will return all the attributes of the user who has uid=fred as specified in the filter:
uid=fred,ou=People, dc=beasys,dc=com   //this is what is referred to as Full DN
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
givenName=Fred
cn=Fred A
uid=fred
sn=A
creatorsName=uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName=uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp=20040108160418Z
modifyTimestamp=20040108162837Z

This entry is seen in the LDAP tree as the following:

               dc=beasys,dc=com
              /     (root)     \
             /                  \
            /                    \
     ou=people              ou=otherusers
        /
   uid=fred

WLS can read and search information in an external directory server, provided it is given the right configuration information to connect, bind, search (base and filter), etc.

For this you need to configure the following fields in WLS:
  • LDAP server host and port
  • Principal/password used to connect and make the search
  • User Base DN: used as a base when making a user search
  • User filter: used as a filter when making a user search
  • Group Base DN: used as a base when making a group search
  • Group filter: used as a filter when making a group search
  • Group membership filter: used as a filter when doing a search to find groups a user belongs to
Within these fields, you can use the following placeholders:
%u is replaced by the user id
%g is replaced by the group
%M is replaced by the Full DN of the user

When WLS needs to verify that a user exists and has the privilege/role to access a resource, it connects to LDAP using the principal defined, then searches for the user, verifies that the user exists, and authenticates the user with its password. After that, it searches for the groups the user belongs to.
Following is some concise pseudocode for the membership check algorithm:
check_membership(group g, principal p):
    for each group g1 that contains p directly:
        if g1 == g or check_membership(g, g1)
            then return success
    return failure

Once this is done, WLS verifies if the user that belongs to the groups found has the privilege/role to access the resource requested, and based on that either permits the access or denies it.
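The placeholder substitution and the membership check described above, as an added Python example that is not WebLogic's own code. It runs against a constructed in-memory directory; the names GROUPS, MEMBERSHIP_FILTER, escape_filter_value, expand and direct_groups, the filter value "(member=%M)", the RFC 4515 escaping of substituted values and the visited set that stops the recursion on cyclic nested groups are all assumptions of the example.

```python
import re

# Constructed sample directory (not from the page): group DN -> direct member DNs.
GROUPS = {
    "cn=admins,dc=beasys,dc=com": ["cn=ops,dc=beasys,dc=com"],
    "cn=ops,dc=beasys,dc=com": ["uid=fred,ou=People,dc=beasys,dc=com",
                                "cn=admins,dc=beasys,dc=com"],  # cycle on purpose
    "cn=guests,dc=beasys,dc=com": [],
}
MEMBERSHIP_FILTER = "(member=%M)"  # assumed group membership filter


def escape_filter_value(value):
    """Hex-escape the characters RFC 4515 reserves inside a filter value."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def expand(template, user="", group="", dn=""):
    """Replace %u, %g and %M in a single pass, escaping each substituted value."""
    values = {"%u": user, "%g": group, "%M": dn}
    return re.sub(r"%[ugM]", lambda m: escape_filter_value(values[m.group()]), template)


def direct_groups(dn):
    """Stand-in for the LDAP search: groups that list dn as a direct member.

    DNs are compared as exact strings here; a real directory normalizes them.
    """
    wanted = expand(MEMBERSHIP_FILTER, dn=dn)
    return [g for g, members in GROUPS.items()
            if any(expand(MEMBERSHIP_FILTER, dn=m) == wanted for m in members)]


def check_membership(group, principal, _seen=None):
    """The recursive check from the pseudocode, with a visited set added."""
    seen = set() if _seen is None else _seen
    if principal in seen:  # already explored: nested groups form a cycle
        return False
    seen.add(principal)
    for g1 in direct_groups(principal):
        if g1 == group or check_membership(group, g1, seen):
            return True
    return False
```

Without the visited set, the ops/admins cycle in the sample data would make a check against any unrelated group recurse without end.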

Common LDAP servers used in WLS

The common LDAP servers used in WLS (as authentication providers) are:
  • Default Authenticator (Embedded LDAP)
  • iPlanet
  • Active Directory
  • OpenLDAP
  • Novell
