Sunday, January 27, 2013

Active Directory user management with the IdentityStore framework of FMW

With the IdentityStore framework of Fusion Middleware you can change or create any user or role in almost every LDAP server. With this framework the authenticated user change their own password from ADF or in your own ADF Admin page you can create an user with its roles without knowing LDAP or know what LDAP server is used.

IdentityStore framework will automatically detect the configured WebLogic LDAP servers. Default is the internal WebLogic LDAP and this is also the first authenticator. You can also add other LDAP servers like Microsoft Active Directory or Oracle Internet Directory. For this you need to set the virtualize property with true as value to the idstore.ldap serviceInstance entry.
In this case I will set the AD Authenticator as first authenticator and don't use virtualize property, this way I can retrieve all the LDAP attributes and know for sure that new users are created in AD and not in the local WebLogic LDAP.

To create an user or change a password in AD we need to use LDAPS ( port 636 and not 389 ).  Else you will get this error javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190E49, problem 5003 (WILL_NOT_PERFORM), data 0 ];

This means we need to configure SSL.

The first step is to import the AD ca key and the AD public key to the local WebLogic TrustStore keystore.

keytool.exe -importcert -trustcacerts -alias ad_ca -file C:\2008-ca.cer -keystore C:\oracle\JDEV11~1.6\WLSERV~1.3\server\lib\DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase

Trust this certificate? [no]: yes

keytool.exe -importcert -trustcacerts -alias ad_pub -file C:\2008-pub.cer -keystore C:\oracle\JDEV11~1.6\WLSERV~1.3\server\lib\DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase

We also need to set the Hostname verification to None.

Create the AD Authenticator and also put all Control Flag to Sufficient ( also the default Authenticator )

We need to use LDAPS so use 636 as Port and enable SSL

Restart the Weblogic server and check if you can see all the AD users and the AD roles in the WebLogic Console .

Here is the java code to change the password of the AD user

Here is the code to create an AD User with a password, add an AD role to this user and set the UserAccountControl to 66048.

Here you can download the demo application at github