In a production system, Oracle Enterprise Content Management Suite applications need to use an external Lightweight Directory Access Protocol (LDAP) authentication provider. You need to reassociate the identity store for your application with one of the supported external LDAP authentication providers before you complete the configuration of a Managed Server, before you connect a Managed Server to a repository, and before the first user logs in to the application.

Unlike the previous versions, the LDAP provider needs to be configured in WebLogic Server, NOT in UCM.
The steps to integrate Microsoft Active Directory are as follows (this example uses a security-group-based security model).
1) Log in to the WebLogic console of the domain and open the 'Domain Structure' tree.
2) Click 'Security Realms'. The list of realms appears.
3) Click 'myrealm'. On the settings page that appears, click the 'Providers' tab.
4) The Providers page appears. Click 'New' to create a new provider.
5) A screen to enter the 'Name' and 'Type' of the new provider appears. For Active Directory the type must be ActiveDirectoryAuthenticator:

    LDAP Authentication Provider    Authenticator Type
    Microsoft AD                    ActiveDirectoryAuthenticator

Click 'OK'.
6) The 'Settings for myrealm' page appears again. The newly created provider must be the first one in the list. To achieve that, reorder the list of providers using 'Reorder'. On the Reorder page, use the arrow buttons to move the newly created provider to the top of the list and click 'OK'. The providers list is then updated with the new provider at the top.
7) Click the newly created provider name; the 'Settings for <newly created provider>' page is displayed. Set 'Control Flag' to 'Sufficient' for the newly created provider and click 'Save'.
8) After changing the control flag and saving the settings, click the 'Provider Specific' tab on the same page. The provider-specific 'Settings' page for the new provider is displayed.
9) To connect to the directory, set the following Provider Specific fields and leave the default values in the other fields.

Connection details
- Host: The host name or IP address of the LDAP server.
- Port: The Oracle Internet Directory port, 389 by default.
- Principal: The Distinguished Name (DN) of the LDAP user that Oracle WebLogic Server should use to connect to the LDAP server; for example: cn=orcladmin
- Credential: The credential used to connect to the LDAP server (usually a password).
- Confirm Credential: The same value as for the Credential field.

User details
- User Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains users; for example: cn=users,dc=example,dc=com
  Note: Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by the application.
- Use Retrieved User Name as Principal: Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal value.

Group details
- Group Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains groups; for example: cn=groups,dc=example,dc=com

After specifying the connection, user and group details, click 'Save' to save all the details.
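The note under 'User Base DN' is a least-privilege point: the base DN bounds which directory entries the provider can see and authenticate, so a top-level DN exposes every account in the domain, not just the users the application needs. The script below is an added example, not code from the original post or from Oracle. It uses a constructed list of sample DNs (the 'example.com' entries are assumptions, not a real directory) and a simplified RFC 4514 DN split that handles escaped commas and compares RDNs case-insensitively, to count how many entries a top-level base DN brings into scope compared with the exact container.

```python
# Added example (not from the original post): how many directory entries a
# User Base DN brings into scope. Illustrates why an exact container such as
# cn=users,dc=example,dc=com is preferable to a top-level DN such as
# dc=example,dc=com. All DNs below are constructed sample data.
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma separates RDNs
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [r.strip() for r in rdns if r.strip()]


def normalize_rdn(rdn: str) -> str:
    """Lower-case the attribute type and value and trim whitespace.

    Sufficient for the comparisons made here; full RFC 4518 string
    preparation is deliberately out of scope for this example."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def is_within_base(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is the base itself or lies anywhere beneath it.

    A DN is 'under' a base when the base's RDNs are a suffix of the entry's RDNs."""
    entry = [normalize_rdn(r) for r in split_dn(entry_dn)]
    base = [normalize_rdn(r) for r in split_dn(base_dn)]
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def entries_in_scope(entries: List[str], base_dn: str) -> List[str]:
    """Return the subset of entries the given base DN would expose to the provider."""
    return [dn for dn in entries if is_within_base(dn, base_dn)]


# Constructed sample directory: a few user accounts, a service account, a
# device object and a user in a child domain. Not taken from any real directory.
SAMPLE_ENTRIES = [
    "cn=alice,cn=users,dc=example,dc=com",
    "cn=bob,cn=users,dc=example,dc=com",
    "cn=Administrator,cn=Users,DC=EXAMPLE,DC=COM",
    "cn=svc-backup,ou=service accounts,dc=example,dc=com",
    "cn=printer-01,ou=devices,dc=example,dc=com",
    "cn=eve,cn=users,dc=lab,dc=example,dc=com",
]

if __name__ == "__main__":
    for base in ("dc=example,dc=com", "cn=users,dc=example,dc=com"):
        hits = entries_in_scope(SAMPLE_ENTRIES, base)
        print(f"{base}: {len(hits)} entries in scope")
        for dn in hits:
            print("   ", dn)
```

Run against the constructed sample, the top-level base `dc=example,dc=com` exposes all six entries, including the service account, the device object and the child-domain user, while the exact container `cn=users,dc=example,dc=com` exposes only the three accounts that actually live in the Users container.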
10) Go back to the list of providers (the 'myrealm' page) and click the default provider. The 'Settings' page for the default provider opens. Change the control flag of the default provider to 'Sufficient' and click 'Save'.
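The provider order from step 6 and the control flags set in steps 7 and 10 decide how WebLogic combines the verdicts of the two providers for one login attempt. The script below is an added example, not code from the original post or from Oracle; it models the standard JAAS control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) over a constructed pair of providers. The provider names follow the WebLogic type names used on this page, but the accounts, passwords and the alternative chain are assumptions made for illustration.

```python
# Added example (not from the original post): simulate how JAAS control flags
# combine the verdicts of the authentication providers of a realm, evaluated in
# the order they are listed. Accounts and passwords below are constructed.
import hmac
from typing import Dict, List, Optional, Tuple


class Provider:
    """Stand-in for one WebLogic authentication provider with its own account store."""

    def __init__(self, name: str, accounts: Dict[str, str]):
        self.name = name
        self.accounts = accounts

    def authenticate(self, username: str, password: str) -> bool:
        stored = self.accounts.get(username)
        if stored is None:
            return False
        # constant-time comparison, as a real provider would do
        return hmac.compare_digest(stored.encode(), password.encode())


def evaluate_chain(chain: List[Tuple[Provider, str]], username: str,
                   password: str) -> Tuple[bool, Optional[str]]:
    """Walk the providers in order and apply JAAS control-flag semantics.

    Returns (login succeeded, name of the first provider that accepted the user).
    REQUIRED  : must succeed; evaluation continues either way.
    REQUISITE : must succeed; a failure stops the chain immediately.
    SUFFICIENT: a success stops the chain immediately, unless an earlier
                REQUIRED/REQUISITE provider has already failed.
    OPTIONAL  : ignored unless no REQUIRED/REQUISITE provider is configured.
    """
    mandatory_seen = False      # any REQUIRED / REQUISITE provider in the chain
    mandatory_all_ok = True     # every mandatory provider so far succeeded
    optional_ok = False         # some SUFFICIENT / OPTIONAL provider succeeded
    first_success: Optional[str] = None

    for provider, flag in chain:
        ok = provider.authenticate(username, password)
        if ok and first_success is None:
            first_success = provider.name

        if flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            if not ok:
                mandatory_all_ok = False
                if flag == "REQUISITE":
                    return False, None
        elif flag == "SUFFICIENT":
            if ok:
                if mandatory_all_ok:
                    return True, first_success   # short-circuit: rest is skipped
                optional_ok = True
        elif flag == "OPTIONAL":
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")

    if mandatory_seen:
        return mandatory_all_ok, (first_success if mandatory_all_ok else None)
    return optional_ok, (first_success if optional_ok else None)


# Constructed providers: one account that exists only in AD, one only in the
# embedded LDAP behind the default provider.
AD = Provider("ActiveDirectoryAuthenticator", {"alice": "Wint3r!"})
DEFAULT = Provider("DefaultAuthenticator", {"weblogic": "welcome1"})

# What the post configures: AD first, both providers SUFFICIENT.
AS_CONFIGURED = [(AD, "SUFFICIENT"), (DEFAULT, "SUFFICIENT")]
# Hypothetical alternative: default provider left ahead of AD with a REQUIRED flag.
NOT_REORDERED = [(DEFAULT, "REQUIRED"), (AD, "SUFFICIENT")]

if __name__ == "__main__":
    attempts = [("alice", "Wint3r!"), ("weblogic", "welcome1"), ("alice", "wrong")]
    for label, chain in (("as configured", AS_CONFIGURED), ("not reordered", NOT_REORDERED)):
        for user, pw in attempts:
            ok, by = evaluate_chain(chain, user, pw)
            print(f"{label:14} {user:9} -> {'OK  ' if ok else 'FAIL'} via {by}")
```

With both providers SUFFICIENT and the Active Directory provider first, an AD-only account and an embedded-LDAP-only account both log in, and the provider that satisfied the login is the one you would expect to see in the 'Provider' column checked in step 14. The hypothetical second chain shows why the order matters: a REQUIRED provider ahead of the AD provider rejects AD-only users even though the AD provider would have accepted them.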
11) Restart the Admin Server using the Windows service.
12) Log in to the Admin Server again.
13) Navigate to the 'myrealm' page and click the 'Users and Groups' tab.
14) The Users and Groups page is displayed, with a Users tab and a Groups tab. Verify that the user names and groups listed are coming from the newly configured provider by checking the 'Provider' column for each user.
15) The next step is to map the groups from AD to UCM/Oracle WebCenter Content groups. For that, create 'Roles' in Oracle WebCenter Content with the same names as the AD groups, and assign rights to those roles.
16) The next step is to map the groups to these roles using credential mapping. For that, create a credential map in Oracle WebCenter Content. Once the credential map is added, an entry for the mapping must be added to the provider: open the provider.hda file of the JPS provider, located at <domain_name>/ucm/cs/data/providers/jpsprovider, and add the following variable:

    ProviderCredentialsMap=<map name created above>

Save the file and restart the UCM server.
17) Once the servers are restarted, log in to Oracle WebCenter Content with the AD users and verify the access rights.

For more information: http://docs.oracle.com/cd/E12839_01/webcenter.1111/e12405/wcadm_security.htm#BGBHHGEH