Comments (15)

biemond commented on September 25, 2024

Hi,

Indeed, after an authenticator change you need to subscribe to this change (also for domain changes) and auto-restart the adminserver.

Here you have an example of this.

https://github.com/biemond/biemond-orawls-vagrant/blob/master/puppet/hieradata/admin.example.com.yaml

But after a restart it should re-create it again; then the index.py script is failing.
https://github.com/biemond/biemond-orawls/blob/master/files/providers/wls_authentication_provider/index.py.erb

You can use puppet resource wls_authentication_provider --debug, or run puppet with --debug, to see this WLST script and test it yourself in wlst.sh.

Hope this helps.

from biemond-orawls.

joewimmer commented on September 25, 2024

Hey thanks for helping!
Maybe I'm missing something or don't understand what you're saying. This seems non-idempotent, since it errors on the second run but is all green on the initial run.

When I try the puppet resource wls_authentication_provider --debug command I get:

Could not run: Could not find template 'puppet:///modules/orawls/providers/wls_authentication_provider/index.py.erb'

Thanks again

biemond commented on September 25, 2024

OK,

oh, you are using a puppet master; that is the reason puppet resource fails.
But the index.py script fails, so it doesn't detect that it is already there and so it will do another create.

Can you do this: puppet agent --test --debug. If it fails, can you update the orawls module to its latest version (I fixed the debug error)?

joewimmer commented on September 25, 2024

Hey,
After reviewing commit 'ad6e98f30f884cc1a6c7b79feda629d75682583c', I've
found that the check won't work for the 'ActiveDirectoryAuthenticator' provider that we are using.

weblogic.security.providers.authentication.ActiveDirectoryAuthenticator

biemond commented on September 25, 2024

Oh, strange.

Does it crash?

biemond commented on September 25, 2024

Can you try this manually with wlst?

https://github.com/biemond/biemond-orawls/blob/master/files/providers/wls_authentication_provider/index.py.erb

Only user and group won't support external LDAP, because it can be too heavy to retrieve them all.

joewimmer commented on September 25, 2024

Ran the script directly and got this.

Successfully connected to Admin Server 'AdminServer' that belongs to domain 'JOETEST'.

Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.

dr--   DefaultAuthenticator
dr--   DefaultIdentityAsserter

___DefaultAuthenticator___
Problem invoking WLST - Traceback (innermost last):
  File "/home/ser_dvapp/index.py", line 41, in ?
NameError: domain

In the output file is:

name;authentication_provider_name;control_flag;domain;order

Not sure if this is what you wanted...

biemond commented on September 25, 2024

Thanks.

Can you add this to the top of the script:

domain = 'xxx'

and try it again, because https://github.com/biemond/biemond-orawls/blob/master/lib/utils/wls_daemon.rb
automatically adds this to every WLST invocation.

joewimmer commented on September 25, 2024

Stdout:

dr--   DefaultAuthenticator
dr--   DefaultIdentityAsserter

___DefaultAuthenticator___
___DefaultIdentityAsserter___
This Exception occurred at Wed Jan 21 14:02:24 EST 2015.
javax.management.AttributeNotFoundException: Security:Name=myrealmDefaultIdentityAsserter:ControlFlag
ControlFlag does not exists, continue
~~~~COMMAND SUCCESFULL~~~~

/tmp/wlstScript.out:

name;authentication_provider_name;control_flag;domain;order
"xxx/DefaultAuthenticator";"DefaultAuthenticator";"REQUIRED";"xxx";"0"
"xxx/DefaultIdentityAsserter";"DefaultIdentityAsserter";;"xxx";"1"

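To show what the index step is checking, here is an added example (not code from the orawls module) that parses the /tmp/wlstScript.out format posted above and runs the present/absent and drift comparison puppet needs before deciding to call the create script. The provider rows are constructed (the ActiveDirectoryAuthenticator row is made up), and 'xxx' is the placeholder domain from the thread.

```python
import csv
import io

# Constructed sample in the /tmp/wlstScript.out format posted above; the
# ActiveDirectoryAuthenticator row is made up to show a third provider.
SAMPLE_INDEX_OUTPUT = """name;authentication_provider_name;control_flag;domain;order
"xxx/DefaultAuthenticator";"DefaultAuthenticator";"REQUIRED";"xxx";"0"
"xxx/DefaultIdentityAsserter";"DefaultIdentityAsserter";;"xxx";"1"
"xxx/ActiveDirectoryAuthenticator";"ActiveDirectoryAuthenticator";"SUFFICIENT";"xxx";"2"
"""


def parse_index_output(text):
    """Parse the ';'-separated, double-quoted index output into {name: row}.

    A header with no rows (what the NameError run above produced) yields {},
    which is why puppet then believed nothing existed and called create.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=';', quotechar='"')
    providers = {}
    for row in reader:
        # An empty field (DefaultIdentityAsserter has no ControlFlag) arrives as ''
        providers[row['name']] = {k: (v or None) for k, v in row.items()}
    return providers


def provider_state(providers, domain, provider_name):
    """'present' or 'absent' for the resource title '<domain>/<name>'."""
    return 'present' if f'{domain}/{provider_name}' in providers else 'absent'


def drift(providers, domain, provider_name, desired):
    """Properties whose indexed value differs from the desired (hiera) value.

    An empty list means a second puppet run is a no-op for this resource.
    """
    current = providers.get(f'{domain}/{provider_name}')
    if current is None:
        return ['ensure']
    return [k for k, v in desired.items() if current.get(k) != v]
```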

biemond commented on September 25, 2024

OK, much better.

Did you add the AD authentication provider?
Because this looks OK and it does not crash.

Thanks

joewimmer commented on September 25, 2024

Obviously I'm not the best with weblogic, so I apologize. When I log in to the console there are three providers, one being ActiveDirectoryAuthenticator. When I run the script directly, you're right, it doesn't fail. But when I run puppet it fails. Is there something that needs to be added to the script that will pick up ActiveDirectoryAuthenticator? Thanks for your help. I know this is painful.

biemond commented on September 25, 2024

And did you restart the adminserver?

Your script fails in create (already exists) and not in index; the index script should detect this one so puppet does not need to execute the create script.

Can you give me your AD wls puppet definition? I will also add this to my config and see if I can find the problem in the index.py script.

joewimmer commented on September 25, 2024

It's all pulled from hiera, which is:

authentication_provider_instances:
  'DefaultAuthenticator':
    ensure:             'present'
    control_flag:       'SUFFICIENT'
    order:              '0'
  'ActiveDirectoryAuthenticator':
    ensure:             'present'
    control_flag:       'SUFFICIENT'
    providerclassname:  'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator'
    attributes:         'Credential;GroupBaseDN;GroupFromNameFilter;GroupMembershipSearching;Host;MaxGroupMembershipSearchLevel;Principal;UserBaseDN;UserFromNameFilter;UserNameAttribute;Port'
    attributesvalues:   'password;DC=ad,DC=company,DC=org;(&(sAMAccountName=%g)(objectclass=group));limited;ad.company.org;0;CN=SER_WASadmin,OU=Service Accounts,DC=ad,DC=company,DC=org;DC=ad,DC=company,DC=org;(&(sAMAccountName=%u)(objectclass=user));sAMAccountName;389'
    order:              '1'
    #before:             Orawls::Domain[domain]

I tried the before but that failed before running, which is why it's commented out.

Hope this is what you requested.

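Because attributes and attributesvalues are positional ';'-separated lists, the hiera definition above is easy to get wrong silently. This added example (not part of the orawls module) pairs the two strings from the thread, refuses a length mismatch, checks the filter placeholders and port, and produces a redacted view safe to print in --debug output; the credential value is the literal placeholder 'password' exactly as posted.

```python
# Constructed copies of the two hiera strings posted in the thread.
ATTRIBUTES = ('Credential;GroupBaseDN;GroupFromNameFilter;GroupMembershipSearching;'
              'Host;MaxGroupMembershipSearchLevel;Principal;UserBaseDN;'
              'UserFromNameFilter;UserNameAttribute;Port')
ATTRIBUTESVALUES = ('password;DC=ad,DC=company,DC=org;'
                    '(&(sAMAccountName=%g)(objectclass=group));limited;ad.company.org;0;'
                    'CN=SER_WASadmin,OU=Service Accounts,DC=ad,DC=company,DC=org;'
                    'DC=ad,DC=company,DC=org;(&(sAMAccountName=%u)(objectclass=user));'
                    'sAMAccountName;389')

# Attributes that must never be echoed in logs or puppet --debug output.
SENSITIVE = {'Credential'}


def pair_attributes(attributes, values):
    """Zip the two ';'-separated lists into {attribute: value}.

    The lists are positional, so a ';' inside a value shifts every later
    pair; refuse rather than silently mis-assign Principal or Credential.
    """
    names = attributes.split(';')
    vals = values.split(';')
    if len(names) != len(vals):
        raise ValueError(f'{len(names)} attribute names but {len(vals)} values')
    return dict(zip(names, vals))


def check_ad_provider(pairs):
    """Return findings for an ActiveDirectoryAuthenticator attribute set."""
    findings = []
    if '%u' not in pairs.get('UserFromNameFilter', ''):
        findings.append('UserFromNameFilter lacks the %u user placeholder')
    if '%g' not in pairs.get('GroupFromNameFilter', ''):
        findings.append('GroupFromNameFilter lacks the %g group placeholder')
    if not pairs.get('Port', '').isdigit():
        findings.append('Port is not numeric')
    for key in sorted(SENSITIVE.intersection(pairs)):
        findings.append(f'{key} is stored in plain text in hiera')
    return findings


def redacted(pairs):
    """Copy of the pairs with sensitive values masked, for logging."""
    return {k: ('<redacted>' if k in SENSITIVE else v) for k, v in pairs.items()}
```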

biemond commented on September 25, 2024

Thanks.

I will do some tests and make a patch.

biemond commented on September 25, 2024

Your config is working fine for me, see
https://github.com/biemond/biemond-orawls-vagrant-12.1.3/blob/master/puppet/hieradata/admin.example.com.yaml#L144

[vagrant@admin ~]$ sudo puppet resource wls_authentication_provider

wls_authentication_provider { 'default/ActiveDirectoryAuthenticator':
  ensure       => 'present',
  control_flag => 'SUFFICIENT',
  order        => '1',
}
wls_authentication_provider { 'default/DefaultAuthenticator':
  ensure       => 'present',
  control_flag => 'SUFFICIENT',
  order        => '0',
}
wls_authentication_provider { 'default/DefaultIdentityAsserter':
  ensure => 'present',
  order  => '2',
}

So probably you need to restart the adminserver, like this:

authentication_provider_instances:
  'DefaultAuthenticator':
    ensure:             'present'
    control_flag:       'SUFFICIENT'
    order:              '0'
  'ActiveDirectoryAuthenticator':
    ensure:             'present'
    control_flag:       'SUFFICIENT'
    providerclassname:  'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator'
    attributes:         'Credential;GroupBaseDN;GroupFromNameFilter;GroupMembershipSearching;Host;MaxGroupMembershipSearchLevel;Principal;UserBaseDN;UserFromNameFilter;UserNameAttribute;Port'
    attributesvalues:   'password;DC=ad,DC=company,DC=org;(&(sAMAccountName=%g)(objectclass=group));limited;ad.company.org;0;CN=SER_WASadmin,OU=Service Accounts,DC=ad,DC=company,DC=org;DC=ad,DC=company,DC=org;(&(sAMAccountName=%u)(objectclass=user));sAMAccountName;389'
    order:              '1'

# subscribe on a domain change and restart the adminserver
wls_adminserver_instances_domain:
  'AdminServer_Wls1213':
    ensure:                    'running'
    server_name:               *domain_adminserver
    domain_name:               *domain_name
    domain_path:               "/opt/oracle/wlsdomains/domains/Wls1213"
    os_user:                   *wls_os_user
    weblogic_home_dir:         *wls_weblogic_home_dir
    weblogic_user:             *wls_weblogic_user
    weblogic_password:         *domain_wls_password
    jdk_home_dir:              '/usr/java/latest'
    nodemanager_address:       *domain_adminserver_address
    nodemanager_port:          *domain_nodemanager_port
    jsse_enabled:              true
    custom_trust:              *wls_custom_trust
    trust_keystore_file:       *wls_trust_keystore_file
    trust_keystore_passphrase: *wls_trust_keystore_passphrase
    refreshonly:               true
    subscribe:                 Wls_authentication_provider[ActiveDirectoryAuthenticator]
