Wednesday 29 August 2012

Missing Users from Active Directory Provider in WebLogic

I recently encountered an issue when configuring an Active Directory Authentication Provider within WebLogic. The issue was that, although the provider was created successfully, only a dozen or so users were displayed under the Users and Groups tab when there should have been several hundred.

I verified the following:
  1. The Active Directory provider was the default Authentication Provider
  2. The Control Flag of all of the Providers was set to "Sufficient"
  3. I could connect to the Active Directory using JXplorer, meaning I had the correct values for:
    • Host
    • Port
    • Principal
    • Credential (Password)
    • User Base DN
The issue had to be related to some other property for Users in WebLogic. I reviewed the values I was using:

    • All Users Filter:  <blank>
    • User From Name Filter: (&(cn=%u)(objectclass=user))
    • User Search Scope: subtree
    • User Name Attribute: sAMAccountName
    • User Object Class: user
    • Use Retrieved User Name as Principal: <checked>

The first thing that jumped out at me was the User From Name Filter. I had simply left the value WebLogic uses by default, which assumes that the User Name attribute is "cn". However, in my case, the username attribute in Active Directory was "sAMAccountName".

Using JXplorer, I confirmed that the only reason that some Users were being displayed in WebLogic was that their "cn" and "sAMAccountName" attributes were identical. 

I changed the value of the User From Name Filter to be "(&(sAMAccountName=%u)(objectclass=user))", and restarted WebLogic. Lo and behold, all users were now being displayed in WebLogic. Success!
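To make the mismatch concrete, here is an added example (my own code, not part of the post and not WebLogic's implementation) that models what the User From Name Filter does: the login name is substituted for %u and the resulting filter is run against the user base. The directory entries are a constructed sample with the same property the post describes, that only some entries have identical cn and sAMAccountName values. Running both templates over it shows which logins the default filter silently fails to resolve. The example also escapes the substituted value as RFC 4515 requires, a hardening step the post does not discuss.

```python
"""Model of the User From Name Filter mismatch (added example, not from the post)."""
import re

# Constructed sample entries standing in for the Active Directory user base.
# Only "jsmith" and "svc-backup" have cn equal to sAMAccountName.
SAMPLE_DIRECTORY = [
    {"cn": "Jane Doe",    "sAMAccountName": "jdoe",       "objectclass": ["top", "person", "user"]},
    {"cn": "jsmith",      "sAMAccountName": "jsmith",     "objectclass": ["top", "person", "user"]},
    {"cn": "Bob Builder", "sAMAccountName": "bbuilder",   "objectclass": ["top", "person", "user"]},
    {"cn": "svc-backup",  "sAMAccountName": "svc-backup", "objectclass": ["top", "person", "user"]},
    {"cn": "Backup Operators", "sAMAccountName": "Backup Operators", "objectclass": ["top", "group"]},
]

# The two filter templates from the post; WebLogic replaces %u with the login name.
DEFAULT_USER_FROM_NAME_FILTER = "(&(cn=%u)(objectclass=user))"
FIXED_USER_FROM_NAME_FILTER = "(&(sAMAccountName=%u)(objectclass=user))"

_CLAUSE = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in assertion values, so that a
    login name cannot alter the structure of the filter it is substituted into."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def parse_and_filter(filter_text):
    """Parse (&(a=v)(b=w)...) or a single (a=v) into a list of (attribute, value)
    equality clauses. Only this subset is supported; it covers the post's filters."""
    text = filter_text.strip()
    inner = text[2:-1] if text.startswith("(&") and text.endswith(")") else text
    clauses = _CLAUSE.findall(inner)
    if not clauses or "".join("(%s=%s)" % c for c in clauses) != inner:
        raise ValueError("unsupported filter: %r" % filter_text)
    return clauses


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP; values come back as a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(entry, clauses):
    """An entry matches an AND filter when every clause matches. The attributes
    used here are case-insensitive strings in Active Directory."""
    return all(
        any(v.lower() == wanted.lower() for v in _values(entry, attr))
        for attr, wanted in clauses
    )


def find_user(directory, filter_template, login_name):
    """Emulate the user-from-name lookup: substitute the login name into the
    template and return every entry the resulting filter matches."""
    filter_text = filter_template.replace("%u", escape_filter_value(login_name))
    clauses = parse_and_filter(filter_text)
    return [e for e in directory if matches(e, clauses)]


def resolvable_users(directory, filter_template, user_name_attribute="sAMAccountName"):
    """Return the login names (values of the User Name Attribute) that the template
    resolves to exactly one user entry. Logins that resolve to no entry are the
    users that go missing from the console."""
    logins = [
        _values(e, user_name_attribute)[0]
        for e in directory
        if "user" in [c.lower() for c in _values(e, "objectclass")]
    ]
    return [name for name in logins if len(find_user(directory, filter_template, name)) == 1]


if __name__ == "__main__":
    for label, template in (("default", DEFAULT_USER_FROM_NAME_FILTER),
                            ("fixed", FIXED_USER_FROM_NAME_FILTER)):
        print("%-8s %s -> %s" % (label, template, resolvable_users(SAMPLE_DIRECTORY, template)))
```

With the default template only "jsmith" and "svc-backup" resolve, exactly the accounts whose cn happens to equal their sAMAccountName; with the corrected template all four user entries resolve, and the group entry is excluded by the objectclass clause in both cases.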
