Authentication with an External LDAP Does Not Work with useRetrievedUserNameAsPrincipal set to true (Doc ID 972602.1)

Last updated on JULY 17, 2017

Applies to:

Oracle WebLogic Portal - Version 8.1 to 8.1 [Release Weblogic Platform]
Information in this document applies to any platform.

Symptoms

Authentication to an external LDAP does not work if useRetrievedUserNameAsPrincipal is set to true and userNameAttribute is set to "cn".


useRetrievedUserNameAsPrincipal is set to true in the WebLogic config.xml.

UseRetrievedUserNameAsPrincipal: When enabled, this attribute retrieves the user name from the LDAP to use as the principal name for authentication, instead of the supplied user name.
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/notes/resolved_sp03.html



<Security Name="mydomain"
...
    <weblogic.security.providers.authentication.OpenLDAPAuthenticator
        ControlFlag="SUFFICIENT" Credential="{3DES}7Jr5M+YiXCM="
        GroupBaseDN="DC=domainBEA,DC=com2" Host="XX.XX.X.XXX"
        Name="Security:Name=myrealmOpenLDAPAuthenticator"
        Principal="cn=Administrateur, DC=DomainBEA, DC=com2"
        Realm="Security:Name=myrealm"
        UseRetrievedUserNameAsPrincipal="true" UserBaseDN="ou=listeDePersonnes, DC=domainBEA,DC=com2"/>
</Security>



1. For a user defined in the external LDAP with dn: cn=testuser,ou=listeDePersonnes,DC=domainBEA,DC=com2, the resulting username contains an extra '=' character.

'testuser' LDAP entry (LDIF):

dn: cn=testuser,ou=listeDePersonnes, DC=domainBEA,DC=com2
objectClass: top
objectClass: person
sn: testuser
cn: testuser


WebLogic server config.xml with the security debug flags enabled:

<Server ListenAddress="" ListenPort="7591" Name="myserver"
    NativeIOEnabled="true" ReliableDeliveryPolicy="RMDefaultPolicy"
    ServerVersion="8.1.5.0" StdoutDebugEnabled="true" StdoutSeverityLevel="64">
    <ServerDebug DebugEmbeddedLDAP="true"
        DebugEmbeddedLDAPLogLevel="11"
        DebugEmbeddedLDAPLogToConsole="true"
        DebugSecurityAdjudicator="true" DebugSecurityAtn="true"
        DebugSecurityAtz="true" DebugSecurityRoleMap="true" Name="myserver"/>


WebLogic server log for testuser:

<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authenticate user:testuser>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <getDNForUser search("ou=listeDePersonnes, DC=domainBEA,DC=com2", "(&(cn=testuser)(objectclass=person))", base DN & below)>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <DN for user testuser: cn=testuser,ou=listeDePersonnes,dc=domainBEA,dc=com2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authenticate user:testuser with DN:cn=testuser,ou=listeDePersonnes,dc=domainBEA,dc=com2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <Retrieved username from LDAP :=testuser>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authentication succeeded>



A NotFoundException is then raised:

weblogic.management.utils.NotFoundException: [Security:090255]User or Group=testuser
at weblogic.security.providers.authentication.LDAPAtnDelegate.listMemberGroups(Ljava/lang/String;Z)Ljava/lang/String;(LDAPAtnDelegate.java:2004)
at .....



2. For a user defined in the external LDAP with dn: uid=testuser2,ou=listeDePersonnes,DC=domainBEA,DC=com2, no extra '=' character is added and no weblogic.management.utils.NotFoundException is raised.

'testuser2' LDAP entry (LDIF):

dn: uid=testuser2,ou=listeDePersonnes, DC=domainBEA,DC=com2
uid: testuser2
userPassword: testuser2
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: user
cn: testuser2



WebLogic server log for testuser2:

<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authenticate user:testuser2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <getDNForUser search("ou=listeDePersonnes, DC=domainBEA,DC=com2", "(&(cn=testuser2)(objectclass=person))", base DN & below)>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <DN for user testuser2: uid=testuser2,ou=listeDePersonnes,dc=domainBEA,dc=com2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authenticate user:testuser2 with DN:uid=testuser2,ou=listeDePersonnes,dc=domainBEA,dc=com2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <getEntryForUser search("ou=listeDePersonnes, DC=domainBEA,DC=com2", "(&(cn=testuser2)(objectclass=person))", base DN & below)>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <Retrieved username from LDAP :testuser2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authentication succeeded>


If the parameter useRetrievedUserNameAsPrincipal is set to false, both test users defined above (testuser and testuser2) are authenticated.
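To locate this symptom in a SecurityDebug log without reading it line by line, the following added Python check (not part of this note or of WebLogic) pairs each "authenticate user:" line with its "DN for user" and "Retrieved username from LDAP :" lines and flags any attempt where the retrieved name differs from the supplied one, as happens with the extra '=' above. The sample log is constructed from the excerpts in this note.

```python
import re

# Constructed sample of WebLogic 8.1 SecurityDebug output, modelled on the note's two cases.
SAMPLE_LOG = """\
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authenticate user:testuser>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <DN for user testuser: cn=testuser,ou=listeDePersonnes,dc=domainBEA,dc=com2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authenticate user:testuser with DN:cn=testuser,ou=listeDePersonnes,dc=domainBEA,dc=com2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <Retrieved username from LDAP :=testuser>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authentication succeeded>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authenticate user:testuser2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <DN for user testuser2: uid=testuser2,ou=listeDePersonnes,dc=domainBEA,dc=com2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <Retrieved username from LDAP :testuser2>
<1 mars 2006 12 h 35 CET> <Debug> <SecurityDebug> <000000> <authentication succeeded>
"""

# "authenticate user:NAME>" starts an attempt; the "with DN:" variant contains spaces and is skipped.
AUTH_RE = re.compile(r"<authenticate user:([^>\s]+)>$")
DN_RE = re.compile(r"<DN for user ([^:]+): ([^>]+)>$")
RETR_RE = re.compile(r"<Retrieved username from LDAP :([^>]*)>$")


def check_log(text):
    """Return one record per login attempt: supplied name, resolved DN, RDN attribute,
    the name WebLogic retrieved from LDAP, and whether the two names differ."""
    attempts = []
    current = None
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            current = {"user": m.group(1), "dn": None, "rdn_attr": None,
                       "retrieved": None, "mismatch": False}
            attempts.append(current)
            continue
        if current is None:
            continue
        m = DN_RE.search(line)
        if m:
            current["dn"] = m.group(2)
            # RDN attribute of the resolved DN (cn= vs uid= in the note's two cases)
            current["rdn_attr"] = m.group(2).split("=", 1)[0].strip().lower()
            continue
        m = RETR_RE.search(line)
        if m:
            current["retrieved"] = m.group(1)
            current["mismatch"] = m.group(1) != current["user"]
    return attempts


def affected_users(text):
    """Names whose retrieved principal does not equal the supplied login name."""
    return [a["user"] for a in check_log(text) if a["mismatch"]]


if __name__ == "__main__":
    for a in check_log(SAMPLE_LOG):
        flag = "MISMATCH" if a["mismatch"] else "ok"
        print(f"{a['user']:<10} rdn={a['rdn_attr']:<4} retrieved={a['retrieved']!r:<12} {flag}")
```

Run it against a real server log in place of SAMPLE_LOG; a non-empty affected_users() list identifies the logins hitting this symptom and the RDN attribute of each.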

Cause
