WL6.0 LDAP Realm problems
Mike
getting it to work - basic auth just keeps popping the window up 3 times and
then giving up. Only pertinent message in the log is:
####<Mar 16, 2001 12:03:21 PM EST> <Info> <Security> <FOOBAR>
<examplesServer> <ExecuteThread: '11' for queue: 'default'> <> <> <090021>
<Locking account, user jdoe.>
No obvious LDAP info or errors in the log, despite adding the following two
to the startup script cmd line and restarting the server:
-Dweblogic.security.realm.debug=true -Dweblogic.security.ldaprealm.verbose=t
rue
The HTTP basic-auth dialog box is correctly showing me that I'm trying to
authenticate to: MyLDAPRealm
Here's the config info for MyLDAPRealm
<LDAPRealm AuthProtocol="simple"
Credential="myserverpasswd"
GroupDN="o=mycompany,c=us" GroupIsContext="false" GroupNameAttribute="cn"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://tug:390"
Name="MyLDAPRealm"
Principal="cn=myserver,ou=myserverstuff,o=mycompany,c=US"
UserAuthentication="local"
UserDN="o=mycompany,c=us" UserNameAttribute="uid"/>
It's a Netscape 4.1 Directory server, and I've verified that the above
server account exists AND can authenticate and retrieve account
userpasswords (yes, the server account is "cn=" while the user accounts are
"uid=" - don't ask :-)....
I've tried both "bind" and "local" and get the same results both ways.
Any ideas???
Mike
won't
work with 6.0 (old 5.x and previous style property), but I can't figure out
what
replaced it, to figure out why the LDAP realm isn't working for me...
The property mapping guide at:
http://e-docs.bea.com/wls/docs60///////config_xml/properties.html
shows that things like weblogic.security.ldaprealm.url
changed to LDAPURL in config.xml (without telling
you that this resides as an XML attribute of
<Domain><LDAPRealm ... /></Domain> although that's
easy enough to find by looking through the example
LDAP realm.
It then says that weblogic.security.ldaprealm.verbose
has changed to "Debug" in config.xml, but doesn't
say whether that's a "Debug" XML attribute on one
of the XML elements in there, or whether it's an
XML node itself, or where in the config.xml doc
it goes... It doesn't work as an attribute of
<LDAPRealm ...> (server won't start with it there)
and it doesn't show up at all in the DTD for config.xml
so I'm assuming the mapping doc at the above url is
wrong. Anybody know what this really became in 6.0?
I've tried setting StdoutDebugEnabled="true" in config.xml
and turning the logging level all the way up to see everything, but even
then all I
get is the account locked message, not why it's failing to authenticate via
LDAP...
Any other ideas?
"Mike" <bur...@tiac.net> wrote in message
news:3ab254a7$1...@newsgroups.bea.com...
Mike
<ServerDebug Name="examplesServer" DebugSecurityRealm="true" />
under the <Server> element in config.xml and restarted with this and still
no additional
info from the LDAP realm printed about why it's not working (nothing but the
same
locking account message mentioend below).
Is the source for the LDAP realm available so I can debug it myself or has
anybody
written their own LDAP realm that they'd be willing to share with the group?
Thanks again,
..Mike
"Mike" <bur...@tiac.net> wrote in message
news:3ab29992$1...@newsgroups.bea.com...
Tom Moreau
Mike,
I haven't had any trouble getting the LDAPRealm to work
in WLS 6.0. Could it be that while you've created the LDAPRealmMBean,
you haven't told WLS to use it?
In other words, you can create many realm configurations then
you need to activate the one you want. If you haven't, the
we just use the file realm. The file realm won't be able
to authenticate you (since you put the info in LDAP!) and
after 3 failures, will lock out the account.
The instructions for selecting the realm are at:
http://e-docs.bea.com/wls/docs60/adminguide/index.html
See:
12. Managing Security
Specifying a Security Realm
Configuring the Caching Realm
The basic idea is:
1) create your LDAP Realm (you've already done this)
2) create a CachingRealm
3) set the CachingRealm's BasicRealm to your LDAP Realm
4) set the Security Realm's CachingRealm to your Caching Realm
5) reboot
It's pretty easy to do this through the admin console.
Otherwise, you can edit config.xml by hand.
Here's how:
<Domain>
<Security
Name="mydomain"
Realm="myRealm"
/>
<Realm
Name="myRealm"
FileRealm="myFileRealm"
CachingRealm="myCachingRealm"
/>
<FileRealm
Name="myFileRealm"
/>
<CachingRealm
Name="myCachingRealm"
BasicRealm="myLDAPRealm"
/>
<LDAPRealm
Name="myLDAPRealm"
...
/>
-Tom
"Mike" <bur...@tiac.net> wrote:
>BTW, before someone suggests it, I found Tom Moreau's
>suggestion to use:
><ServerDebug Name="examplesServer" DebugSecurityRealm="true"
>/>
>
>under the <Server> element in config.xml and restarted
>with this and still
>no additional
>info from the LDAP realm printed about why it's not working
>(nothing but the
>same
>locking account message mentioend below).
>
>Is the source for the LDAP realm available so I can debug
>it myself or has
>anybody
>written their own LDAP realm that they'd be willing to
>share with the group?
>
>Thanks again,
>...Mike
Mike
be
activated as the default realm - I had mistakenly thought I could create
multiple
and then use a particular one (eg, to test it) via the realm settings in the
prop
files - and that belief was reinforced by the HTTP BasicAuth dialog showing
me my LDAP realm name "MyLDAPRealm" in the authn prompt for the
servlet resource I protected using that realm. I was going to make sure it
worked
first, THEN switch over to using it as the default realm...
Anyway, I tried the steps you suggested which were fairly obvious and
straightforward after your confirmation that it had to be the activated
realm,
and I should be using the caching realm (I had wanted caching off til I was
sure it was working, but I can live with it if necessary).
BUT, now the server won't even start - I get plenty of debug now and then
the following exceptions and then the server exits. Do I have to create the
"system" account in LDAP or will it fall back to the file realm for that
acct
(by the "backup HAS system" msg - I assume it's ok if it's only in the file
realm?)?
What would cause the startup runtime exceptions below?
startExamplesServer
...
<Mar 19, 2001 4:50:14 PM EST> <Debug> <LDAPRealm> <getUser("system")>
<Mar 19, 2001 4:50:14 PM EST> <Debug> <LDAPRealm> <lookup("o=mycompany")>
<Mar 19, 2001 4:50:14 PM EST> <Debug> <LDAPRealm> <user: UNPERSON system>
<Mar 19, 2001 4:50:24 PM EST> <Debug> <CachingRealm> <user: backup HAS
system>
...
<Mar 19, 2001 4:34:27 PM EST> <Info> <HTTP> <Initializing WEB server
examplesSer
ver>
javax.management.RuntimeOperationsException: RuntimeException thrown by the
getA
ttribute method of the DynamicMBean for the attribute
MagicThreadDumpEnabled
at
com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.j
ava:1183)
at
com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.j
ava:1151)
at
weblogic.management.internal.MBeanProxy.getAttribute(MBeanProxy.java:
223)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:156)
at $Proxy56.isMagicThreadDumpEnabled(Unknown Source)
at
weblogic.management.configuration.ServerDebugMBean_CachingStub.isMagi
cThreadDumpEnabled(ServerDebugMBean_CachingStub.java:1680)
at weblogic.t3.srvr.ListenThread.run(ListenThread.java:198)
javax.management.RuntimeOperationsException: RuntimeException thrown by the
getA
ttribute method of the DynamicMBean for the attribute
MagicThreadDumpEnabled
at
com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.j
ava:1183)
at
com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.j
ava:1151)
at
weblogic.management.internal.MBeanProxy.getAttribute(MBeanProxy.java:
223)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:156)
at $Proxy56.isMagicThreadDumpEnabled(Unknown Source)
at
weblogic.management.configuration.ServerDebugMBean_CachingStub.isMagi
cThreadDumpEnabled(ServerDebugMBean_CachingStub.java:1680)
at weblogic.t3.srvr.ListenThread.run(ListenThread.java:198)
Unable to dump log: 'Fatal initialization exception
Throwable: javax.management.RuntimeOperationsException: RuntimeException
thrown
by the getAttribute method of the DynamicMBean for the attribute
ListenThreadSt
artDelaySecs
javax.management.RuntimeOperationsException: RuntimeException thrown by the
getA
ttribute method of the DynamicMBean for the attribute
ListenThreadStartDelaySec
s
at
com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.j
ava:1183)
at
com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.j
ava:1151)
at
weblogic.management.internal.MBeanProxy.getAttribute(MBeanProxy.java:
223)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:156)
at $Proxy43.getListenThreadStartDelaySecs(Unknown Source)
at
weblogic.management.configuration.ServerMBean_CachingStub.getListenTh
readStartDelaySecs(ServerMBean_CachingStub.java:1022)
at weblogic.t3.srvr.T3Srvr.waitForListenThreads(T3Srvr.java:990)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:442)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:170)
at weblogic.Server.main(Server.java:35)
'
javax.management.RuntimeOperationsException: RuntimeException thrown by the
getA
ttribute method of the DynamicMBean for the attribute FileTimeSpan
at
com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.j
ava:1183)
at
com.sun.management.jmx.MBeanServerImpl.getAttribute(MBeanServerImpl.j
ava:1151)
at
weblogic.management.internal.MBeanProxy.getAttribute(MBeanProxy.java:
223)
at
weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:156)
at $Proxy3.getFileTimeSpan(Unknown Source)
at weblogic.logging.FileStreamLogger.log(FileStreamLogger.java:169)
at
weblogic.management.logging.DomainLogHandler.handleNotification(Domai
nLogHandler.java:308)
at
weblogic.management.internal.MBeanProxy.sendNotification(MBeanProxy.j
ava:764)
at
weblogic.management.internal.BaseNotificationListenerImpl.handleNotif
ication(BaseNotificationListenerImpl.java:71)
at
com.sun.management.jmx.MBeanServerNotificationListener.handleNotifica
tion(MBeanServerNotificationListener.java:48)
at
javax.management.NotificationBroadcasterSupport.sendNotification(Noti
ficationBroadcasterSupport.java:142)
at
weblogic.management.internal.DynamicMBeanImpl.sendNotification(Dynami
cMBeanImpl.java:742)
at
weblogic.management.logging.LogBroadcaster.log(LogBroadcaster.java:22
3)
at
weblogic.management.logging.LogBroadcaster.log(LogBroadcaster.java:18
7)
at
weblogic.management.logging.LogBroadcaster.log(LogBroadcaster.java:18
0)
at weblogic.logging.LogManager.log(LogManager.java:129)
at
weblogic.t3.srvr.T3Srvr.handleFatalInitializationException(T3Srvr.jav
a:203)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:175)
at weblogic.Server.main(Server.java:35)
C:\bea\wlserver6.0sp1>goto finish
C:\bea\wlserver6.0sp1>cd config\examples
C:\bea\wlserver6.0sp1\config\examples>ENDLOCAL
C:\bea\wlserver6.0sp1\config\examples>
Tom Moreau
Mike,
Yes, if the "system" user is not in the LDAPRealm,
then the system user in the file realm should be used
instead. The debug output indicates to me that it is
working properly.
By the way, your partial output doesn't show the entire
authentication process. Did it have anything
like the following in it:
authenticate("system")
auth: delegate PASSES system
auth: backup PASSES system
auth: FAIL system
I don't know that the other errors are about.
Thanks, -Tom
>....
><Mar 19, 2001 4:50:14 PM EST> <Debug> <LDAPRealm> <getUser("system")>
><Mar 19, 2001 4:50:14 PM EST> <Debug> <LDAPRealm> <lookup("o=mycompany")>
><Mar 19, 2001 4:50:14 PM EST> <Debug> <LDAPRealm> <user:
>UNPERSON system>
><Mar 19, 2001 4:50:24 PM EST> <Debug> <CachingRealm> <user:
>backup HAS
>system>
>....
Tom Braverman
when I try to protect a servlet with an ACL, the LDAP user
that I enter is rejected with a message that there's "No such
user". I can tell that I'm connecting to LDAP
by my debug output (as below).
Tom
Hitesh
Dear Tom,
As you have mentioned I have created a ldap realm and a caching realm.. I have
specified my ldap realm as the 'basic realm' in the caching realm. In the security
realm i have mentioned my caching realm as the 'caching realm'. but still when
i restart the server and click users a warning comes "all new users will be aded
to the file realm." i am using weblogic 6.0 sp2 and netscape directory server
4.12. my ldap configuration seems to be correct because if i donot provide the
'principal' correct the server does not start. can you H E L P me please.
Sushil Pulikkal
Hi Tom,
I am using iPlanet Directory server with WL6.0 (which I presume is supported as
Netscape's is) and facing the same problem as Mike was i.e account locking after
three attempts(bottom of the message). I have created my own caching realm with
the basic realm being MyLDAPRealm.
The log gives no info other than the one about account locking.
My config.xml looks something like this -
<CachingRealm BasicRealm="MyLDAPRealm" CacheCaseSensitive="true" Name="MyCachingRealm"/>
Sushil Pulikkal
Hi Tom,
<PasswordPolicy Name="wl_default_password_policy"/>
<LDAPRealm AuthProtocol="simple" Credential="enslaved"
GroupDN="ou=Aussies,dc=timerasolutions,dc=com"
GroupUsernameAttribute="uniquemember"
LDAPURL="ldap://DJ-SUSHILP.timerasolutions.com:389"
Name="MyLDAPRealm"
Principal="uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot"
UserAuthentication="bind"
UserDN="ou=Aussies,dc=timerasolutions,dc=com"
UserNameAttribute="uid"/>
The browser window does pop up, but the user id doesn't get authenticated. Is
there a way to know whether WLS is actually going to the LDAP server for authentication?
Any insight into this?
Thanks in advance,
Sushil
Ronald van Kuijk
with the default wls6.0sp1, but with the ldap-patch it works fine.
AND probably even more important... change
<Realm FileRealm="..." Name=".....">
to
<Realm CachingRealm"MyCachingRealm" FileRealm="..." Name=".....">
Hope this helps...
Ronald
christopher Chu
christopher chu
Satya Ghattu
find the message you are referring to.
Thanks,
-satya
christopher Chu <christo...@avaya.com> wrote in message
news:3b68b00f$1...@newsgroups.bea.com...