Wednesday, July 2, 2014

WebLogic: More on Default Authentication Provider

For background, see the companion article[1] on WebLogic's authentication providers. This article discusses what the default authentication provider is and how it differs from the others.

Embedded LDAP Provider


WebLogic Server includes an embedded LDAP server that acts as the default security provider data store for the Default Authentication, Authorization, Credential Mapping, and Role Mapping providers. The performance of the embedded LDAP server is best with fewer than 10,000 users.[2] If you have more users, consider using a different LDAP server and Authentication provider.

The embedded LDAP server in WebLogic Server contains user, group, group membership, security role, security policy, and credential map information. By default, each WebLogic Server domain has an embedded LDAP server configured with the default values set for each attribute. The WebLogic Authentication, Authorization, Credential Mapping, and Role Mapping providers use the embedded LDAP server as their database. If you use any of these providers in a new security realm, you may want to change the default values for the embedded LDAP server to optimize its use in your environment.

WebLogic Authentication Provider


The WebLogic Authentication provider, also known as the DefaultAuthenticator, accesses user and group information in WebLogic Server's embedded LDAP server. The next section covers the practical difference between this provider and third-party providers.

Difference: Creating Users from Admin Console


When using the WebLogic Server Administration Console, or WLST,[9] you can create users[7] only in the following databases:
  • The embedded LDAP server, configured with the WebLogic Authentication provider (DefaultAuthenticator)
  • An RDBMS that is configured with a valid SQL Authentication provider
To create users in other identity stores, for example an external LDAP server such as OpenLDAP,[8] you must use the tools that come with those stores. Likewise, if you customize the default security configuration to use a custom Authentication provider, you must use the administration tools supplied by that provider to create a user. If you are migrating to the WebLogic Authentication provider, you can load existing users and groups into the embedded LDAP server in bulk rather than creating them one at a time; see Migrating Security Data and the LDIF reference.[3,9]
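The bulk-load path described above is easiest to get right by generating the LDIF programmatically instead of hand-writing it. The script below is an added example, not code from the original post or from Oracle. It assumes the DIT layout and schema seen in a default domain's exported data (ou=people and ou=groups under ou=myrealm,dc=mydomain; the wlsUser, wlsGroup and wlsMemberOf attributes; groups resolved through a memberURL) and the {SSHA} password form; check all of these against an export from your own domain before importing. It hashes each password with a random salt so plaintext never lands in the file, escapes RDN values per RFC 4514 so a user name containing a comma cannot rewrite its own DN, and base64-encodes and folds values as RFC 2849 requires.

```python
"""Build an LDIF file of users and groups for WebLogic's embedded LDAP.

Added example, not from the original post or from Oracle. The DIT layout,
the wlsUser/wlsGroup/wlsMemberOf schema and the {SSHA} password form are
assumed from a default domain's exported data; verify against your own.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

DOMAIN = "mydomain"   # assumed domain name; change to yours
REALM = "myrealm"     # assumed realm name
BASE_DN = f"ou={REALM},dc={DOMAIN}"

# RFC 4514: characters that must be backslash-escaped inside an RDN value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value so a uid like 'smith, j' cannot rewrite the DN."""
    out = _DN_SPECIAL.sub(r"\\\1", value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def user_dn(uid: str) -> str:
    return f"uid={escape_rdn_value(uid)},ou=people,{BASE_DN}"


def group_dn(name: str) -> str:
    return f"cn={escape_rdn_value(name)},ou=groups,{BASE_DN}"


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in {SSHA} form: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value (handy for validating the file)."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name: str, value: str) -> str:
    """One attribute line per RFC 2849: '::' + base64 when the value is not
    safe as-is (non-ASCII, NUL/CR/LF, leading space/colon/'<', trailing space)."""
    raw = value.encode("utf-8")
    unsafe = (not raw.isascii() or any(c in raw for c in (b"\x00", b"\r", b"\n"))
              or raw[:1] in (b" ", b":", b"<") or raw.endswith(b" "))
    if unsafe:
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {value}"


def fold(line: str, width: int = 76) -> str:
    """Fold a long line as RFC 2849 expects: continuation lines start with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def user_entry(uid: str, password: str, groups=(), salt: Optional[bytes] = None) -> str:
    lines = [ldif_attr("dn", user_dn(uid))]
    for oc in ("top", "person", "organizationalPerson", "inetOrgPerson", "wlsUser"):
        lines.append(ldif_attr("objectclass", oc))
    lines += [ldif_attr("uid", uid), ldif_attr("cn", uid), ldif_attr("sn", uid),
              ldif_attr("userpassword", ssha(password, salt))]
    for g in groups:  # membership is recorded on the user via wlsMemberOf
        lines.append(ldif_attr("wlsMemberOf", group_dn(g)))
    return "\n".join(fold(l) for l in lines) + "\n"


def group_entry(name: str, description: str = "") -> str:
    dn = group_dn(name)
    lines = [ldif_attr("dn", dn)]
    for oc in ("top", "groupOfURLs", "groupOfUniqueNames", "wlsGroup"):
        lines.append(ldif_attr("objectclass", oc))
    lines.append(ldif_attr("cn", name))
    if description:
        lines.append(ldif_attr("description", description))
    # Assumed: members are resolved dynamically through a memberURL that selects
    # every user whose wlsMemberOf names this group.
    url = f"ldap:///ou=people,{BASE_DN}??sub?(wlsMemberOf={dn})"
    lines.append(ldif_attr("memberURL", url))
    return "\n".join(fold(l) for l in lines) + "\n"


def build_ldif(users, groups) -> str:
    """users: (uid, password, [groups]); groups: (name, description). Groups come
    first so every wlsMemberOf target exists; entries are blank-line separated."""
    entries = [group_entry(n, d) for n, d in groups]
    entries += [user_entry(u, p, g) for u, p, g in users]
    return "\n".join(entries)


if __name__ == "__main__":
    # Constructed sample data: redirect the output to a file and import it.
    print(build_ldif(
        users=[("jsmith", "change-me-s3cret", ["Deployers"]), ("zoë", "pw", [])],
        groups=[("Deployers", "Can deploy applications")],
    ))
```

Run it and redirect the output to a file; that file is what you load into the embedded LDAP, either through the authenticator MBean's import operation from WLST as described in the Migrating Security Data reference, or with any LDIF-capable tool. The memberURL on the group is what makes wlsMemberOf-based membership resolve; if your own export shows a different set of group object classes, copy that set instead of the assumed one.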

Summary


The embedded LDAP provider is unique in this respect: it is managed through MBeans that are specific to WebLogic and its embedded LDAP server, and the Administration Console does not provide an equivalent MBean administration layer for third-party providers. For example, if you have configured OpenLDAP as a new authentication provider and click New to add a user, the provider drop-down list offers only DefaultAuthenticator. Any user you create there lands in the embedded LDAP server, not in OpenLDAP, so it is authenticated by the DefaultAuthenticator alone; this is worth remembering when auditing which identity store an account actually lives in. To create users for other providers, you must use the tools available with those stores.[3,9]

References

  1. Understanding Authentication Security Providers in Oracle WebLogic
  2. Managing the Embedded LDAP Server
  3. LDAP Data Interchange Files (LDIF)
  4. Oracle WebLogic Server Administration Console
  5. Configuring Authentication Providers
  6. Manage Users and Groups
  7. Create Users
  8. OpenLDAP
  9. Migrating Data with WLST
  10. WebLogic Server 12c and WebLogic Server 11g Releases (OTN)
