Configuring Spaces to authenticate with Active Directory

WebCenter Spaces 11g was released on July 1, 2009.  It is a collaboration platform, built on top of Oracle WebCenter 11g.

I recently went through the process of setting it up for a client, and integrating it with Microsoft technologies for user management and authentication, mail, presence and instant messaging.

The environment is running on Windows Server 2003, and looks like this:

[Diagram: spaces-ad (the Spaces, Content Server, Wiki and WebLogic Server components and their connections to Active Directory)]

You can see from the diagram which components need to be configured to work with Active Directory.  The configuration for the Content Server is covered in this earlier post.  That leaves WebLogic Server and also the Wiki service, which has a separate configuration requirement.  I will cover the configuration of WebLogic Server in this post.

Preparing Active Directory

To prepare Active Directory for use with Spaces, you need to create a new group in Active Directory, named Spaces-User and add to this group any users who will be able to use Spaces.

Configuring WebLogic Server for Active Directory

Configuring Active Directory as an authentication provider in WebLogic Server lets users sign on to Spaces, the Content Server and most WebCenter services (except the wiki, which has its own configuration) with their Active Directory username and password.

The configuration is quite simple and is done mostly in the WebLogic Server administration console, located at http://yourserver:7001/console.  Log on as an administrative user, such as weblogic, and navigate to the Security Realms section of the console.

[Screenshot: security_realms]

Click on myrealm.

[Screenshot: myrealm]

Open the Providers tab.

[Screenshot: providerstab]

Click on the New button to create a new provider.  Name it ActiveDirectory and select ActiveDirectoryAuthenticator as the type.

[Screenshot: newprovider]

Click on your new provider.  You should see the settings page, similar to this:

[Screenshot: providerinfo]

Your Control Flag should have defaulted to OPTIONAL.  Don’t change it yet.  Click on the Provider Specific tab to see more settings.  On this tab, we need to provide the details to connect to the Active Directory server.

[Screenshot: ps1 (Provider Specific tab, Connection section)]

In the Connection section, we provide the hostname and port number of the Active Directory server (Host and Port), along with the account WebLogic Server will bind with (Principal) and its password (Credential).  In my case, this is the Administrator user on the Windows Server.  Note that you must provide the CN of this user, not the full DN, i.e. administrator as opposed to cn=administrator,cn=Users,dc=webcenter,dc=au,dc=oracle,dc=com.  Two things are worth checking before you move on.  The bind account only needs to read user and group entries, so for anything beyond a test environment a dedicated, least-privileged service account with a non-expiring password is a better choice than a domain administrator.  And unless you turn on SSLEnabled and point Port at the directory's LDAPS port (636 by default), the bind password, and every user's password when WebLogic verifies a login, will cross the network in clear text.

[Screenshot: ps2 (Provider Specific tab, Users section)]

In the Users section, we provide information about how to find user accounts in Active Directory.  The User Base DN is the DN of the container where users are stored.  In my case, this is cn=Users,dc=webcenter,dc=au,dc=oracle,dc=com.  If your accounts live in organizational units rather than the default Users container, set this to a DN high enough to cover all of them (the domain root at worst); the lookup is a subtree search, so anything below the base is found.

The All Users Filter can be left blank, or you can specify a query like (objectclass=user) as I have.

The User From Name Filter must be updated to reflect the correct attribute for user account names in Active Directory.  It should be set to: (&(sAMAccountName=%u)(objectclass=user)).  The default, (&(cn=%u)(objectclass=user)), keys on cn, which in Active Directory is normally the person's display name rather than the login name, so users would have to log in as "Mark Nelson" instead of mnelson.

Leave the User Search Scope as subtree.

Set the User Name Attribute to sAMAccountName.  This is the attribute in the directory where the user account name is stored.

The User Object Class should be set to user.

And finally, make sure you check the Use Retrieved User Name as Principal option.  With this set, the principal placed in the user's Subject is the sAMAccountName value as stored in the directory, not whatever capitalisation the user happened to type at the login page, which keeps role and policy mappings consistent.

[Screenshot: ps3 (Provider Specific tab, Groups section)]

In the Groups section, you just need to update the Group Base DN to reflect where you want to search for groups in Active Directory.  In my case this is dc=webcenter,dc=au,dc=oracle,dc=com, which covers the Spaces-User group created earlier as well as any groups in other containers.

The remainder of the settings can be left as the defaults.  The group defaults of the ActiveDirectoryAuthenticator already match the Active Directory schema: the Group From Name Filter is (&(cn=%g)(objectclass=group)), the Static Group Object Class is group and the Static Member DN Attribute is member, which is the attribute Active Directory uses to list group members by DN.
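To see what these Provider Specific settings actually do, here is an added example of mine (not code from the original post or from Oracle) that evaluates the authenticator's search filters against a handful of constructed Active Directory entries.  The DNs, account names and group reuse the post's domain for readability but are made up; the WebLogic defaults quoted in the comments are the ones the console shows for an ActiveDirectoryAuthenticator.

```python
"""Added example (not from the original post): a small evaluator for the
LDAP search filters that WebLogic's ActiveDirectoryAuthenticator builds from
the Provider Specific settings, run against a few constructed Active
Directory entries. It shows why the default User From Name Filter (keyed on
cn) does not find users by their login name, what "Use Retrieved User Name
as Principal" changes, how the Group Base DN scopes group lookups, and why
the %u value must be escaped. All DNs, names and entries are constructed."""
import re

BASE = "dc=webcenter,dc=au,dc=oracle,dc=com"
USER_BASE = "cn=Users," + BASE

# Constructed directory: attribute names are lower-cased, values are lists.
DIRECTORY = {
    "cn=Administrator," + USER_BASE: {
        "objectclass": ["top", "person", "user"],
        "cn": ["Administrator"],
        "samaccountname": ["Administrator"],
    },
    "cn=Mark Nelson," + USER_BASE: {
        "objectclass": ["top", "person", "user"],
        "cn": ["Mark Nelson"],           # in AD, cn is usually the display name
        "samaccountname": ["mnelson"],   # the login name lives here
    },
    "cn=Spaces-User," + USER_BASE: {
        "objectclass": ["top", "group"],
        "cn": ["Spaces-User"],
        "member": ["cn=Mark Nelson," + USER_BASE],
    },
}

DEFAULT_USER_FILTER = "(&(cn=%u)(objectclass=user))"          # WebLogic default
AD_USER_FILTER = "(&(sAMAccountName=%u)(objectclass=user))"   # value set in the post


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter. Without it an
    unescaped '*' typed as the login name becomes a presence test."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the filter subset the authenticator uses: (attr=value), (attr=*)
    and the &, | and ! combinators. Returns a nested tuple."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d in %r" % (pos, text))
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("unterminated %s at %d" % (op, pos))
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return tree


def matches(tree, entry):
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                      # presence test
        return bool(values)
    want = _unescape(value).lower()       # AD string matching is case-insensitive
    return any(v.lower() == want for v in values)


def search(base_dn, filter_text):
    """Subtree search below base_dn (the User Search Scope the post keeps); returns matching DNs."""
    base = base_dn.lower()
    tree = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and matches(tree, entry)]


def find_user(login, user_from_name_filter=AD_USER_FILTER,
              user_base_dn=USER_BASE, user_name_attribute="sAMAccountName"):
    """Emulate the authenticator's user lookup: substitute the escaped login
    for %u, search the User Base DN and, as "Use Retrieved User Name as
    Principal" does, return the directory's value of the User Name Attribute
    as the principal. Returns None unless exactly one entry matches."""
    hits = search(user_base_dn, user_from_name_filter.replace("%u", escape_filter_value(login)))
    if len(hits) != 1:
        return None
    dn = hits[0]
    return dn, DIRECTORY[dn][user_name_attribute.lower()][0]


def groups_of(user_dn, group_base_dn=BASE, static_member_dn_attribute="member"):
    """Names of groups below the Group Base DN whose member attribute lists user_dn."""
    return [DIRECTORY[dn]["cn"][0]
            for dn in search(group_base_dn, "(objectclass=group)")
            if any(m.lower() == user_dn.lower()
                   for m in DIRECTORY[dn].get(static_member_dn_attribute.lower(), []))]


if __name__ == "__main__":
    print("default filter, login 'mnelson':", find_user("mnelson", DEFAULT_USER_FILTER))
    print("AD filter, login 'MNELSON':     ", find_user("MNELSON"))
    print("groups:", groups_of("cn=Mark Nelson," + USER_BASE))
```

With the default filter the login name mnelson finds nothing and the user would have to type Mark Nelson; with the sAMAccountName filter the entry is found and the principal comes back as mnelson in the directory's own spelling even when the user typed MNELSON, which is the effect of Use Retrieved User Name as Principal.  The presence search that an unescaped "*" turns into, matching every user under the base, is why any code that substitutes a login name into a filter must escape it first.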

It is also necessary to make a change to one of the WebLogic Server configuration files, since we have changed the account name attribute.  Open the jps-config.xml file, located under your domain directory in the config\fmwconfig subdirectory.  On my system, the file is located at c:\Oracle\Middleware\user_projects\domains\base_domain\config\fmwconfig\jps-config.xml.

Find the serviceInstance entry for idstore.ldap (the one whose provider is idstore.ldap.provider) and add the two properties, username.attr and user.login.attr, marked in the fragment below.  Both must carry the same attribute name you entered as the User Name Attribute in the provider, otherwise the WebLogic authenticator and the WebCenter identity store will disagree about what a user's name is.

<serviceInstances>

  <!-- JPS WLS LDAP Identity Store Service Instance -->
  <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    <!-- the two properties to add: -->
    <property name="username.attr" value="sAMAccountName"/>
    <property name="user.login.attr" value="sAMAccountName"/>
  </serviceInstance>

  <!-- ... other serviceInstance entries are left unchanged ... -->
</serviceInstances>
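Editing jps-config.xml by hand is easy to get wrong (a typo in the property name is silently ignored), so here is an added example of mine, not code from the post or from Oracle, that checks the idstore.ldap service instance and adds or corrects the two properties, returning a list of what it changed.  The XML in the block is a constructed fragment and its namespace URI is an assumption; the functions read the namespace from whatever file they are given, so point load_and_fix() at a real jps-config.xml to use it.

```python
"""Added example (not from the original post): check a jps-config.xml for the
idstore.ldap serviceInstance and add or correct the username.attr and
user.login.attr properties so that the OPSS identity store uses the same
login attribute as the WebLogic authenticator's User Name Attribute. The XML
below is a constructed fragment (its namespace URI is assumed), not a copy of
any real domain's file."""
import xml.etree.ElementTree as ET

LOGIN_ATTR_PROPERTIES = ("username.attr", "user.login.attr")

# Constructed sample: an idstore.ldap instance still at its default settings.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
                value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _qualified(root, tag):
    """Qualify tag with the root element's default namespace, if it has one."""
    if root.tag.startswith("{"):
        return root.tag[: root.tag.index("}") + 1] + tag
    return tag


def _find_instance(root, instance_name):
    for si in root.iter(_qualified(root, "serviceInstance")):
        if si.get("name") == instance_name:
            return si
    raise ValueError("no serviceInstance named %r in jps-config.xml" % instance_name)


def login_attr_settings(xml_text, instance_name="idstore.ldap"):
    """Return {property name: value} for the login-attribute properties of the
    named serviceInstance; properties that are missing are absent from the dict."""
    root = ET.fromstring(xml_text)
    inst = _find_instance(root, instance_name)
    return {p.get("name"): p.get("value")
            for p in inst.findall(_qualified(root, "property"))
            if p.get("name") in LOGIN_ATTR_PROPERTIES}


def ensure_login_attrs(xml_text, login_attr="sAMAccountName", instance_name="idstore.ldap"):
    """Return (updated_xml, changes). Adds each missing property and corrects a
    property whose value differs from login_attr; changes is empty when the
    file already agrees with the authenticator, so the call is idempotent."""
    root = ET.fromstring(xml_text)
    inst = _find_instance(root, instance_name)
    changes = []
    existing = {p.get("name"): p for p in inst.findall(_qualified(root, "property"))}
    for name in LOGIN_ATTR_PROPERTIES:
        prop = existing.get(name)
        if prop is None:
            ET.SubElement(inst, _qualified(root, "property"), name=name, value=login_attr)
            changes.append("added %s=%s" % (name, login_attr))
        elif prop.get("value") != login_attr:
            changes.append("changed %s from %s to %s" % (name, prop.get("value"), login_attr))
            prop.set("value", login_attr)
    if root.tag.startswith("{"):
        # keep the default namespace unprefixed when serialising
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    return ET.tostring(root, encoding="unicode"), changes


def load_and_fix(path, login_attr="sAMAccountName"):
    """Apply ensure_login_attrs to a file on disk (back it up first); returns the change list."""
    with open(path, encoding="utf-8") as f:
        updated, changes = ensure_login_attrs(f.read(), login_attr)
    if changes:
        with open(path, "w", encoding="utf-8") as f:
            f.write(updated)
    return changes


if __name__ == "__main__":
    updated, changes = ensure_login_attrs(SAMPLE_JPS_CONFIG)
    print("\n".join(changes) or "already consistent")
    print(updated)
```

Run it once against a copy of the file and read the change list before restarting anything; a second run should report nothing, and a non-empty list after you believed the file was already correct is exactly the mismatch that shows up later as users who authenticate but cannot be resolved by WebCenter.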

You can now save your settings, and restart the WebLogic Server (the AdminServer and any managed servers you have running).

After WebLogic Server has restarted, log back in to the administration console and return to the myrealm security realm.

Click on the Users and Groups tab.  If you got all the settings correct, you should now see your Active Directory users listed in the Users table.  Note that the value in the Provider column indicates where the users come from.

[Screenshot: users (Users and Groups tab listing Active Directory users with ActiveDirectory in the Provider column)]

If the users do not appear, one of the provider settings is wrong.  Check the AdminServer log file (servers\AdminServer\logs\AdminServer.log under the domain directory); it usually contains a reasonably helpful error message, such as a failed bind or a search that returned nothing, that points at the setting to fix.  It is also worth confirming the same bind and search outside WebLogic, for example with ldp.exe on the domain controller or ldapsearch from the WebLogic host, using exactly the Principal, Credential, User Base DN and filter you entered, so that you can separate a directory or network problem from a typo in the console.

The final step is to go back into your myrealm security realm again and edit both your ActiveDirectory and DefaultAuthenticator providers to change their Control Flag to SUFFICIENT.  Then reorder the providers so that ActiveDirectory is the first in the list.  With both providers SUFFICIENT, a successful login against either one is enough, so Active Directory users and the embedded weblogic administrator can both sign in; do not make the ActiveDirectory provider REQUIRED, or a problem with the directory will lock the embedded administrator (and you) out of the console.  Only change the flags after the Users and Groups tab has shown the Active Directory users, since that confirms the provider can bind and search.

[Screenshot: adfirst (provider list with ActiveDirectory reordered to the top)]

Now restart your WebLogic Servers one more time, and you should then be able to log on to Spaces using an Active Directory username and password.  If you have also completed the configuration of UCM for Active Directory authentication, you should also get seamless single sign on to UCM whenever you access a “documents” portlet in Spaces.
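Why SUFFICIENT on both providers, and why the order matters, is easiest to see by simulating the JAAS control-flag rules that WebLogic applies to its provider chain.  This is an added example of mine, not code from the post or from WebLogic: the two user stores are constructed, the provider names mirror the post's two providers, and the code models the standard JAAS semantics of REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL rather than WebLogic's own implementation.

```python
"""Added example (not from the original post): a simulation of how a chain of
WebLogic authentication providers is evaluated under the JAAS control flags
REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL. It shows why the post sets both
the ActiveDirectory and DefaultAuthenticator providers to SUFFICIENT and lists
ActiveDirectory first, and what goes wrong with other combinations. The user
stores are constructed, and the code models standard JAAS semantics rather
than WebLogic's own implementation."""

# Constructed credential stores (plain text only because this is a simulation).
AD_USERS = {"mnelson": "Passw0rd!", "administrator": "Adm1n!"}   # Active Directory
EMBEDDED_USERS = {"weblogic": "welcome1"}                         # WebLogic embedded LDAP

FLAGS = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


class Provider:
    def __init__(self, name, control_flag, store):
        if control_flag not in FLAGS:
            raise ValueError("unknown control flag %r" % control_flag)
        self.name, self.flag, self.store = name, control_flag, store

    def login(self, user, password):
        """True if this provider knows the user and the password matches."""
        return user in self.store and self.store[user] == password


def authenticate(providers, user, password):
    """Walk the provider chain in order and return (success, names of the
    providers that accepted the credentials, names of the providers consulted)."""
    required_failed = False
    accepted, consulted = [], []
    for p in providers:
        consulted.append(p.name)
        ok = p.login(user, password)
        if ok:
            accepted.append(p.name)
        if p.flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                required_failed = True
                if p.flag == "REQUISITE":
                    break                 # a REQUISITE failure stops the chain at once
        elif p.flag == "SUFFICIENT" and ok and not required_failed:
            break                         # a SUFFICIENT success ends the chain early
        # OPTIONAL, and a failed SUFFICIENT, never decide the outcome on their own
    if required_failed:
        return False, accepted, consulted
    return bool(accepted), accepted, consulted


def chain(ad_flag, default_flag, ad_first=True):
    """Build the two-provider chain from the post with the given control flags."""
    ad = Provider("ActiveDirectory", ad_flag, AD_USERS)
    default = Provider("DefaultAuthenticator", default_flag, EMBEDDED_USERS)
    return [ad, default] if ad_first else [default, ad]


# The configuration the post ends with.
RECOMMENDED = chain("SUFFICIENT", "SUFFICIENT")

if __name__ == "__main__":
    for flags in (("SUFFICIENT", "SUFFICIENT"), ("REQUIRED", "SUFFICIENT"), ("OPTIONAL", "REQUIRED")):
        providers = chain(*flags)
        for user, pw in (("mnelson", "Passw0rd!"), ("weblogic", "welcome1"), ("mnelson", "wrong")):
            print(flags, user, "->", authenticate(providers, user, pw))
```

With both providers SUFFICIENT an Active Directory user is accepted by the first provider and the embedded LDAP is never consulted, while weblogic falls through to the DefaultAuthenticator.  Making ActiveDirectory REQUIRED rejects weblogic even though the DefaultAuthenticator accepted the password, which is the lockout the post's ordering of steps avoids; leaving the DefaultAuthenticator REQUIRED has the mirror effect on every Active Directory user.  Because the first SUFFICIENT success wins, an account name that exists in both stores is resolved by whichever provider is listed first, which is worth remembering when you decide on the order.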

About Mark Nelson

Mark Nelson is an Architect (an "IC6") in the Fusion Middleware Central Development Team at Oracle. Mark's job is to make Fusion Middleware easy to use in the cloud and at home, for developers and operations folks, with special focus on continuous delivery, configuration management and provisioning - making it simple to manage the configuration of complex environments and applications built with Oracle Database, Fusion Middleware and Fusion Applications, on-premise and in the cloud. Before joining this team, Mark was a senior member of the A-Team since 2010, and worked in Sales Consulting at Oracle since 2006 and various roles at IBM since 1994.

4 Responses to Configuring Spaces to authenticate with Active Directory

  1. It works exactly as you described. No issues or problems.

    Thank you

  2. Garima Dubey says:

    Hi,
    I’m able to do the configurations and list the users and groups in the WebLogic console. But when I try to edit the global role and add the user in any of the roles, I get a message which says ” does not exist”. Can anyone tell me what can be the probable cause for this.

    Thanks
