Tuesday, October 15, 2013

LDAP authentication with OWSM


OWSM policies work seamlessly with the embedded LDAP that WebLogic provides. Sometimes, however, the requirement is for an OWSM policy such as the username token policy to authenticate against an external LDAP server.

Here are the steps I recently followed to secure my proxy services with OWSM, with the username token authenticated against an LDAP server.


Part I: Create an external LDAP provider in WebLogic

1. Add an LDAP provider: log in to the WebLogic console
Home > Summary of Servers > Summary of Security Realms > myrealm > Providers
Create a new provider: MyLdapProvider
Type: Active Directory Authentication provider



2. Set Control Flag: SUFFICIENT
This step is important: it ensures that if the user cannot be validated by this provider, validation proceeds to the next provider. As the documentation says:
A SUFFICIENT value specifies this LoginModule need not succeed. If it does succeed, control is returned to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.




3. Set the provider-specific configuration; this is essential for connecting to the LDAP server.

Host : mycompanycatalog.com
Port : 389
Principal  : CN=LdapAdmin,OU=WLUsers,DC=Myorg,DC=com
Credential : password

User Base DN: OU=WLUsers,DC=Myorg,DC=com. Add a filter for a particular user if you want to restrict access to only one user, e.g. CN=Sam001, OU=WLUsers,DC=Myorg,DC=com

Group Base DN: OU=MyorgUsers, DC=Myorg,DC=com

4. Reorder the providers so that MyLdapProvider is the first provider
5. Restart the servers
6. Verify that the LDAP settings are correct:
myrealm > Users and Groups
You should see the users fetched from the LDAP provider MyLdapProvider
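To show why step 2 (SUFFICIENT) together with step 4 (external provider first) makes this work, here is an added example, not part of the original post, that simulates how the JAAS login-module chain evaluates the control flags. It assumes DefaultAuthenticator keeps a REQUIRED flag, and the user stores are constructed dicts standing in for Active Directory and the embedded LDAP.

```python
from typing import Dict, List, Tuple

# Constructed sample stores (not real credentials): Sam001 exists only in
# Active Directory, wlsadmin exists only in WebLogic's embedded LDAP.
AD_USERS = {"Sam001": "PassWord3241"}
EMBEDDED_USERS = {"wlsadmin": "wlspass"}

Provider = Tuple[str, str, Dict[str, str]]  # (name, control flag, user store)


def authenticate(chain: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the provider chain with JAAS control-flag semantics.

    Returns (authenticated?, names of the providers that were consulted)."""
    consulted: List[str] = []
    strict_failed = False   # a REQUIRED or REQUISITE module has failed
    any_success = False
    for name, flag, store in chain:
        consulted.append(name)
        ok = store.get(user) == password
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                strict_failed = True
                if flag == "REQUISITE":
                    break           # REQUISITE failure stops the chain immediately
        elif flag == "SUFFICIENT" and ok and not strict_failed:
            break                   # control returns to the application
        # OPTIONAL, or a failed SUFFICIENT: continue down the LoginModule list
    return (any_success and not strict_failed), consulted


# Provider order after step 4: the external LDAP provider first, SUFFICIENT.
CHAIN_OK: List[Provider] = [("MyLdapProvider", "SUFFICIENT", AD_USERS),
                            ("DefaultAuthenticator", "REQUIRED", EMBEDDED_USERS)]
# Misconfiguration for contrast: the external provider left at REQUIRED, so an
# AD-only user also has to pass DefaultAuthenticator, which it cannot.
CHAIN_REQUIRED: List[Provider] = [("MyLdapProvider", "REQUIRED", AD_USERS),
                                  ("DefaultAuthenticator", "REQUIRED", EMBEDDED_USERS)]

if __name__ == "__main__":
    for label, chain in (("SUFFICIENT", CHAIN_OK), ("REQUIRED", CHAIN_REQUIRED)):
        for u, p in (("Sam001", "PassWord3241"), ("wlsadmin", "wlspass"), ("Sam001", "wrong")):
            ok, seen = authenticate(chain, u, p)
            print(f"{label:10} {u:9} -> {'ok  ' if ok else 'FAIL'} via {seen}")
```

With the post's setup an AD user is accepted without DefaultAuthenticator ever being consulted, while a user that exists only in the embedded LDAP still falls through to it; with REQUIRED on the external provider the AD user is rejected.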

Part II: Securing the OSB proxy with OWSM

1. Attach the policy to the proxy service:
oracle/wss_username_token_service_policy

2. Pass the security header with the LDAP user's credentials (note that PasswordText carries the password in clear, so the request should travel over TLS):

<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>Sam001</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PassWord3241</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>


This works!!


2 comments:

  1. Hello Gurusharan,

    I found this post very much helpful. Thank you for sharing your knowledge. I have a question: what if you have more than one user? Do we have to create a group, or add all users separated by ';'?

  2. It is very useful information. Thanks for sharing with us.

    OrangeHRM LDAP Integration Module
