When using an alternative security realm or a custom security realm in WebLogic Server, you must configure and enable the Caching realm.
When the LDAP server in Microsoft Site Server is installed and the root of the LDAP directory is created, a number of organizational units are created by default. Under Groups there is a default organization unit called NTGroups with a default group called Administrators which is empty. By default, WebLogic Server also provides a Group called Administrators that contains a member System which is the User under which WebLogic Server is started. If you use the defaults in Microsoft Site Server and start creating your own Groups under the default organizational units, WebLogic Server will not start. You need to create your own organizational unit in the LDAP directory and create your Groups under that organizational unit.
If you have two Groups in the LDAP directory with the same name, WebLogic Server cannot properly authenticate the Users in the Groups. The LDAP security realm uses the Group's DN (distinguished name) to locate Groups in the LDAP directory. If you create more than one group with the same name, WebLogic Server only authenticates the Users in the first Group it locates. You must use unique Group names when using the LDAP security realm.
The LDAP realm V2 does not provide the following functionality provided in the LDAP realm V1:
* Listing all Users
* Listing the members of a Group
* The AuthProtocol and User Authentication mechanisms for authenticating the LDAP server.
The LDAP security realm needs to know where the Users and Groups are stored in the LDAP directory used with the security realm. This is done by specifying the distinguished names (DNs) of the LDAP directories containing the Users and Groups.
In LDAP, a DN starts with the leaf node and goes to the root node. The following figure shows a branch of a LDAP directory.
root
|
|
o=acme.com
|
|
ou=Groups
The DN for this branch would be specified as ou=Groups, o=acme.com.
In LDAP realm V1, you specify DNs via the GroupDN and UserDN attributes on the LDAPRealm MBean or through the Administration Console. However, you must reverse the DNs so the example DN would be specified as:
groupDN="o=acme.com, ou=Groups"
In LDAP realm V2, you specify DNs by adding user.dn and group.dn properties to the Configuration attribute of the CustomRealm MBean or through the Administration Console. Unlike LDAP realm V1, you do not have to reverse the DN. For example, the user.dn and group.dn properties for a LDAP realm V2 are specified as follows:
ConfigurationData="..., group.dn=ou=Groups, o=acme.com,..."
In short, the LDAP realm V1 requires reverse DNs and the LDAP realm V2 requires normal DNs.
A common error customers make when switching between LDAP realm V1 and LDAP realm V2 is copying over the reverse DNs thus causing the LDAP realm to stop working. Check your DN specifications when migrating from LDAP realm V1 to LDAP realm V2.