Here are the entries I used.
--------config.xml--------------------
<LDAPRealm AuthProtocol="simple" Credential="password"
    GroupDN="o=company.com, ou=weblogic, ou=wlsgroups" GroupUsernameAttribute="uniquemember"
    LDAPURL="ldap://ldapserver:389" Name="MyLDAPRealmV1" Principal="cn=Directory Manager"
    UserDN="o=company.com, ou=weblogic, ou=users" UserNameAttribute="uid"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Security Name="mydomain" PasswordPolicy="wl_default_password_policy"
    Realm="wl_default_realm"/>
<CachingRealm BasicRealm="MyLDAPRealmV1" CacheCaseSensitive="false" Name="wlpiCachingRealm"/>
<FileRealm Name="wl_default_file_realm"/>
<Realm CachingRealm="wlpiCachingRealm"
    FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
-------------------------------------------------------------
On the LDAP side, I created ou=weblogic; under that, I created ou=wlsgroups and ou=users.
Then I created 4 users in ou=users (guest, system, admin, wlpisystem).
I created the following groups in ou=wlsgroups: cn=AdministerUser, cn=ConfigureComponents,
cn=ConfigureSystem, cn=CreateTemplate, cn=DeleteTemplate, cn=ExecuteTemplate, cn=MonitorInstance,
cn=wlpiAdministrators, cn=wlpiUsers, cn=everyone.
The everyone group has a uniquemember attribute with the entries:
uid=wlpisystem,ou=users,ou=weblogic,o=company.com
uid=admin,ou=users,ou=weblogic,o=company.com
uid=guest,ou=users,ou=weblogic,o=company.com
All the other groups have a uniquemember attribute with the entries:
uid=wlpisystem,ou=users,ou=weblogic,o=company.com
uid=admin,ou=users,ou=weblogic,o=company.com
Now, when I start the server, it authenticates with the LDAP server (it accepts
the password). On the console, I can see the groups and users I created in the LDAP directory.
The problem is, I am getting the following errors.
- On the Users page, I see at the top: "Failed to add Users {1}". Existing users are listed
anyway.
- When I create a new user, it is created, but not in LDAP (it seems it is still using either
the FileRealm or an RDBMS somewhere).
- At startup time, I get the following error: java.lang.SecurityException: Security
violation: insufficient permission to access method
- When I try to add a user to a group, I get this error:
java.lang.UnsupportedOperationException: group modification not supported
        at weblogic.security.acl.DefaultGroupImpl.addMember(DefaultGroupImpl.java:39)
        at weblogic.management.internal.RemoteRealmManagerImpl.addMember(RemoteRealmManagerImpl.java:201)
        at weblogic.management.configuration.Group.addMember(Group.java:58)
        at weblogic.management.console.actions.realm.DoGroupFormAction.perform(DoGroupFormAction.java:132)
        at weblogic.management.console.actions.internal.ActionServlet.doAction(ActionServlet.java:171)
        at weblogic.management.console.actions.internal.ActionServlet.doPost(ActionServlet.java:85)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
        at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2495)
        at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
--------------- nested within: ------------------
weblogic.management.configuration.RealmException: Group.addMember - with nested exception:
[java.lang.UnsupportedOperationException: group modification not supported]
        at weblogic.management.configuration.Group.addMember(Group.java:60)
        at weblogic.management.console.actions.realm.DoGroupFormAction.perform(DoGroupFormAction.java:132)
        at weblogic.management.console.actions.internal.ActionServlet.doAction(ActionServlet.java:171)
        at weblogic.management.console.actions.internal.ActionServlet.doPost(ActionServlet.java:85)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
        at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2495)
        at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
--------------- nested within: ------------------
weblogic.management.console.actions.ActionException: Group.addMember - with nested exception:
[weblogic.management.configuration.RealmException: Group.addMember - with nested exception:
[java.lang.UnsupportedOperationException: group modification not supported]]
        at weblogic.management.console.actions.ErrorAction.<init>(ErrorAction.java:38)
        at weblogic.management.console.actions.realm.DoGroupFormAction.perform(DoGroupFormAction.java:154)
        at weblogic.management.console.actions.internal.ActionServlet.doAction(ActionServlet.java:171)
        at weblogic.management.console.actions.internal.ActionServlet.doPost(ActionServlet.java:85)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
        at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2495)
        at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2204)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
If LDAPRealms only have read access, will we have to programmatically add the
users and/or groups (through JNDI)?
Are ACLs still maintained in the FileRealm? How can I use LDAP for ACLs as well?
Jerry <nos...@youwish.com> wrote:
>Hi,
>
>Two things.
>
>First, it looks like you're using "LDAP V1" class.
>WebLogic has a newer version of LDAPRealm called LDAPV2
>I would strongly recommend that you use the LDAPV2 classes.
>
>You are seeing this error
>
>- On the Users page, I see at the top: "Failed to add Users {1}". Existing
>users are listed
>anyway.
>
>because you are using LDAP V1. Switch to V2 and you will not see this any
>more.
>
>
>Sample config.xml configuration for LDAP V2 is
>
> <CustomRealm
>     ConfigurationData="server.host=myHost:389;membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames));group.dn=ou=groups,o=beasys.com;group.filter=(&(cn=%g)(objectclass=groupofuniquenames));server.principal=;user.dn=ou=people,o=beasys.com;anonBind=true;server.credential=;user.filter=(&(uid=%u)(objectclass=person))"
>     Name="defaultLDAPRealmForNetscapeDirectoryServer"
>     RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"/>
>
>
>Second, you cannot perform any write operations (add user, add group) on
>the LDAP realm, whether you are using WebLogic LDAP V1 or V2.
>
>WebLogic's LDAP realms only have read access on the LDAP server.
>
>Cheers,
>Joe Jerry
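Since the realm itself is read-only, the JNDI route raised above is the way the user and group entries get written. The following is an added example, not code from this thread or from WebLogic: it creates a user under ou=users,ou=weblogic,o=company.com and adds its DN to the uniquemember attribute of the groupOfUniqueNames groups in ou=wlsgroups, using the DNs and the ldap://ldapserver:389 URL from the posted config.xml. The class name, the environment variable names, the inetOrgPerson object classes, the assumption that the bind account may write to those two OUs, and the assumption that the directory hashes userPassword on write are all mine.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NameAlreadyBoundException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.AttributeInUseException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.Rdn;

/**
 * Provisions a realm user in the tree described in the thread
 * (ou=users and ou=wlsgroups under ou=weblogic,o=company.com) and adds it to
 * the groupOfUniqueNames groups the WebLogic LDAP realm reads.
 * Illustrative example; class and variable names are assumptions.
 */
public class RealmUserProvisioner {

    static final String USER_BASE  = "ou=users,ou=weblogic,o=company.com";
    static final String GROUP_BASE = "ou=wlsgroups,ou=weblogic,o=company.com";

    public static void main(String[] args) throws NamingException {
        // URL and bind DN are the thread's values. The password is read from the
        // environment instead of being hard-coded as it is in config.xml.
        // A simple bind over plain ldap:// sends the password in the clear; use
        // ldaps:// or StartTLS outside a lab, and prefer a dedicated account with
        // write rights on these two OUs only, rather than cn=Directory Manager.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldapserver:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD"));

        DirContext ctx = new InitialDirContext(env);
        try {
            String userDn = addUser(ctx, "jdoe", "J. Doe", "Doe",
                                    System.getenv("NEW_USER_PASSWORD"));
            // Groups from the thread: everyone plus the application role group.
            addToGroup(ctx, "everyone", userDn);
            addToGroup(ctx, "wlpiUsers", userDn);
        } finally {
            ctx.close();
        }
    }

    /** Creates uid=<uid>,ou=users,... as an inetOrgPerson and returns its DN. */
    static String addUser(DirContext ctx, String uid, String cn, String sn, String password)
            throws NamingException {
        // Rdn.escapeValue escapes the characters that are special in a DN, so a uid
        // such as "evil,ou=wlsgroups" cannot place the new entry outside ou=users.
        String dn = "uid=" + Rdn.escapeValue(uid) + "," + USER_BASE;

        Attributes attrs = new BasicAttributes(true); // attribute names case-insensitive
        Attribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("top");
        objectClass.add("person");
        objectClass.add("organizationalPerson");
        objectClass.add("inetOrgPerson");
        attrs.put(objectClass);
        attrs.put("uid", uid);
        attrs.put("cn", cn);
        attrs.put("sn", sn);
        // Assumed: the server's password storage scheme hashes this value on write.
        attrs.put("userPassword", password);

        try {
            ctx.createSubcontext(dn, attrs);
        } catch (NameAlreadyBoundException e) {
            // Idempotent re-run: keep the existing entry, still return its DN.
            System.err.println("User already exists, left unchanged: " + dn);
        }
        return dn;
    }

    /** Adds memberDn to uniquemember of cn=<group>,ou=wlsgroups,... */
    static void addToGroup(DirContext ctx, String group, String memberDn)
            throws NamingException {
        String groupDn = "cn=" + Rdn.escapeValue(group) + "," + GROUP_BASE;
        ModificationItem[] mods = {
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                                 new BasicAttribute("uniquemember", memberDn))
        };
        try {
            ctx.modifyAttributes(groupDn, mods);
        } catch (AttributeInUseException e) {
            // The server rejects adding a value that is already present; that is fine here.
            System.err.println(memberDn + " is already a member of " + groupDn);
        }
    }
}
```

Run it with LDAP_BIND_PASSWORD and NEW_USER_PASSWORD set in the environment. Because the realm caches lookups (the CachingRealm in the posted config.xml), a user added this way may not appear in the console until the cache entry expires or the server is restarted.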