Wednesday, March 31, 2010

WebLogic, LDAP Authenticators, and Groups

The number one cause of mystery login problems that I see with customers using LDAP authenticators (be it OID, Sun, or AD) relates to a problem with the search done to determine what groups the user is a member of.

As part of the authentication process, LDAP authenticators run a search to determine which groups the user belongs to; the result is then used to build the group memberships and roles of the JAAS subject and principals. If there is a problem with this search, WebLogic fails the entire authentication even when the user authentication check (username + password) against the directory was successful. Notice that I said a problem with the search, not a search that returns nothing. If the user simply doesn’t belong to any groups, the authentication succeeds. The issue is the authenticator not being able to execute the search at all.

The group search failure can be caused by a couple of different things and can be a very nasty situation to recognize and sort out.

Search Configuration Failures
The more straightforward cause of a group search failure is a problem with the search itself. This can be caused by a bad “Group Base DN” or “All Groups Filter” in the authenticator configuration. If, for example, you mistyped part of the base DN or the object class in the filter, the search will fail to execute. What you’ll see in the logs is a message saying authentication has succeeded, then one or more error messages about the group search, and then another message saying authentication has failed.

Problems with Nested Groups
The more insidious cause of group search failures is nested groups. By default the authenticator searches not only which groups a user belongs to, but goes on to search which groups those groups belong to, and then which groups those groups belong to, and so on…

If there are a ton of groups with lots of nesting, the authenticators can time out just processing nested groups. However, the bigger or more common issue is that authenticators can get into infinite loops processing two groups that contain each other, or certain dynamic groups.

The best way to prevent this is to limit the levels of group membership nesting that the authenticator follows when building up the JAAS subject and principals. You do this by changing “Group Membership Searching” from unlimited to limited and setting “Max Group Membership Search Level” to the depth of nesting you want to pursue. Leaving it at 0 means the authenticator will not process any nested groups.

My recommendation is that as a best practice you should almost always switch to a limited search even if you want the authenticator to heavily process nested groups. Setting the level of nesting to something high like 5 will almost always give you all the memberships/roles you need but will limit your exposure to infinite loop situations caused by problems in the directory.
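To make the failure mode concrete, here is an added example (my own Python, not code from this post and not WebLogic's authenticator implementation) that models the membership walk over a small constructed directory. The group DNs, the DIRECTORY table, the search_budget stand-in for a timeout and the function names are all assumptions made for illustration; the "unlimited"/"limited" modes and the level semantics mirror the settings described above, and the cycle between two groups is the situation the post warns about.

```python
# Added example (not from the original post, nor WebLogic's own code):
# a toy walker for nested LDAP group membership that models the
# behaviour described above. All DNs and data are constructed.

# Constructed sample directory: group DN -> member DNs (users or groups).
# "devs" and "qa" contain each other: the cycle that loops an
# unlimited search.
DIRECTORY = {
    "cn=devs,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=qa,ou=groups,dc=example,dc=com",
    ],
    "cn=qa,ou=groups,dc=example,dc=com": [
        "cn=devs,ou=groups,dc=example,dc=com",
    ],
    "cn=engineering,ou=groups,dc=example,dc=com": [
        "cn=devs,ou=groups,dc=example,dc=com",
    ],
    "cn=staff,ou=groups,dc=example,dc=com": [
        "cn=engineering,ou=groups,dc=example,dc=com",
    ],
    "cn=everyone,ou=groups,dc=example,dc=com": [
        "cn=staff,ou=groups,dc=example,dc=com",
    ],
}
ALICE = "uid=alice,ou=people,dc=example,dc=com"


class GroupSearchProblem(Exception):
    """Raised when the group search cannot be completed (loop/timeout)."""


def direct_groups(member_dn):
    """One 'which groups list this DN as a member' search."""
    return [g for g, members in DIRECTORY.items() if member_dn in members]


def resolve_groups(user_dn, membership_searching="limited", max_level=0,
                   search_budget=200):
    """Walk group membership the way the post describes.

    "unlimited" follows nesting without bound; "limited" follows at most
    max_level levels (0 = direct groups only). search_budget is an
    assumed stand-in for the authenticator's timeout: a walk that issues
    more searches than this counts as a failed group search.
    """
    groups = []
    searches = 0

    def walk(dn, level):
        nonlocal searches
        searches += 1
        if searches > search_budget:
            raise GroupSearchProblem(
                f"gave up after {search_budget} searches resolving {user_dn}")
        for group in direct_groups(dn):
            if group not in groups:
                groups.append(group)
            # The naive walker keeps following membership even for groups
            # it has already seen; only the level cap stops it on a cycle.
            if membership_searching == "unlimited" or level < max_level:
                walk(group, level + 1)

    walk(user_dn, 0)
    return groups


def authenticate(user_dn, password_ok, membership_searching, max_level):
    """Model the two-step login: credential check, then group search.

    Returns (success, log_lines). As the post says, a credential check
    that succeeds is still reported as a failed login when the group
    search cannot complete."""
    log = []
    if not password_ok:
        log.append(f"authentication failed for {user_dn}")
        return False, log
    log.append(f"authentication succeeded for {user_dn}")
    try:
        groups = resolve_groups(user_dn, membership_searching, max_level)
    except GroupSearchProblem as err:
        log.append(f"group search error: {err}")
        log.append(f"authentication failed for {user_dn}")
        return False, log
    log.append(f"{len(groups)} group principals added for {user_dn}")
    return True, log


if __name__ == "__main__":
    for mode, level in (("unlimited", 0), ("limited", 0), ("limited", 5)):
        ok, lines = authenticate(ALICE, True, mode, level)
        print(f"{mode}/{level}: {'OK' if ok else 'FAILED'}")
        for line in lines:
            print("   ", line)
```

Running it shows the three cases side by side: the unlimited walk bounces between devs and qa until the budget is exhausted and the login is reported as failed right after a successful credential check, exactly the log pattern described earlier; level 0 returns only the direct group; level 5 reaches every group in the sample directory and terminates, which is why a limited search with a generous level is the safer default.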

4 comments:

  1. If Active Directory retrieves more than 3000 users, can we create pagination on the WebLogic server? Or is there a limitation to display 1000 users?
    Regards,

  2. There is a limitation in that you can only view up to 1000 users in the WLS admin console. However, this does not affect actual provider operations. The providers will operate on user sets greater than 1000.

  3. Hi,
    I have also set up LDAP authentication in my WebLogic server. I see only 1000 users. I cannot see my user in that list of 1000 users, and when I try logging in with my user ID, I get an authentication failure.
    So where do you think I should look?

  4. The searches for an individual user based on their username are separate from the search for all users. In the WLS Console see "All Users Filter:" vs. "User From Name Filter:". The former is what's used to populate the list that you are seeing limited to 1,000 users. The latter is used when you enter a username - in that case WLS replaces the %u with the username you enter and then executes the search.

    You should enable debug logging for the authenticators and see what shows up. If you run into trouble the WLS docs are pretty good at helping you troubleshoot and there's always support. Support will probably get you an answer more quickly than asking here... as you can see from the dates we're a bit backlogged on approving and responding to comments! :-(

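As an added illustration of the %u substitution the reply describes (my own Python, not code from the post or from WebLogic), the function below turns a "User From Name Filter" template into the concrete search filter that would be executed. The template, usernames and function names are assumptions; the escaping of the substituted value follows RFC 4515, which is what keeps a username containing `*`, `(` or `)` from changing the meaning of the search rather than just the value being matched.

```python
# Added example (not from the original post or WebLogic): building a
# user search filter from a %u template with RFC 4515 value escaping.

# RFC 4515 escapes for characters that are special inside a filter
# assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is matched literally as an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template, username):
    """Substitute the escaped username for %u in an assumed filter template."""
    if "%u" not in template:
        raise ValueError("template has no %u placeholder")
    return template.replace("%u", escape_filter_value(username))


if __name__ == "__main__":
    # Constructed template and inputs.
    TEMPLATE = "(&(uid=%u)(objectclass=person))"
    for name in ("alice", "a*)(uid=*"):
        print(build_user_filter(TEMPLATE, name))
```

The second sample input shows why the escaping matters when reading authenticator debug output: the filter still has exactly one `uid=` assertion, and every metacharacter from the username appears as an escaped literal inside it.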
