LDAP
Contents
- Sun One LDAP w/WAS
- Sun One LDAP w/WebLogic
- Active Directory LDAP
- phpLDAPadmin
- Sun One LDAP User Management
- OpenLDAP
See Also
Sun One LDAP and WAS
To configure WebSphere users to be authenticated using a Sun One LDAP server:
- Use the Sun One LDAP console to create LDAP groups (roles) and users.
- Assign users to roles.
- In the WebSphere Application Server console, go to...
Security | Registries | LDAP...and set...
  Server User ID                  was
  Server User Password            password
  Type                            Custom
  Host                            ldaphost.company.net
  Port                            1389
  Base Distinguished Name (DN)    OU=people,DC=company,DC=net
  Bind Distinguished Name (DN)    uid=bindadmin,OU=people,DC=company,DC=net
  Bind Password                   password
  Search Timeout                  120
  Reuse Connection                Yes
  Ignore Case                     Yes
  SSL Enabled                     No
  SSL Configuration               DefaultSSLSettings
  Use Tivoli Access Manager       No
  Note: with SSL Enabled set to No, the bind DN's password and every user's password travel to ldaphost in clear text (simple bind). Outside an isolated lab, set SSL Enabled to Yes and point the port at the directory's LDAPS listener.
- On the same page, go to Advanced LDAP Settings and configure...
  User Filter            (&(uid=%v)(objectclass=inetOrgPerson))
  Group Filter           (&(cn=%v)(objectclass=ldapsubentry))
  User ID Map            inetOrgPerson:uid
  Group ID Map           *:cn
  Group Member ID Map    nsroledn:nsroledn
  Certificate Map Mode   EXACT_DN
  Certificate Filter     (blank)
- Save the configuration changes.
- Go to Security -> Global Security and set Active User Registry to LDAP.
- Save the configuration changes.
- Bounce the deployment manager, the node manager and the servers.
- Map the security roles to proper users/groups.
- Bounce the application.
Sun One LDAP w/WebLogic
To configure WebLogic users to be authenticated using a Sun One LDAP server:
- Use the Sun One LDAP console to create LDAP groups (roles) and users.
- Assign users to roles.
- Assign users to groups
- Go to...
company -> Security -> Realms -> Default Realm (e.g. myrealm) -> Providers -> Authentication. Configure a new iPlanet Authenticator and set the following values:
- General:
  Name           Hostname-LDAP
  Control Flag   SUFFICIENT
- iPlanet LDAP:
  Host                 ldaphost
  Port                 1389
  Principal            uid=wls, ou=people, dc=company, dc=net
  Credential           password
  Confirm Credential   password
- Users:
  User Object Class       person
  User Name Attribute     uid
  User Base DN            ou=people, dc=company, dc=net
  User From Name Filter   (&(uid=%u)(objectclass=person))
- Groups:
  Group Base DN                ou=groups, dc=company, dc=net
  Group Search Scope           subtree
  Group From Name Filter       (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=groupOfURLs)))
  Static Group Object Class    groupofuniquenames
  Static Group Name Attribute  cn
- Membership:
  Static Member DN Attribute              member
  Static Group DNs from Member DN Filter  (&(uniquemember=%M)(objectclass=groupofuniquenames))
  Dynamic Group Object Class              groupofURLs
  Dynamic Group Name Attribute            cn
  Dynamic Member URL Attribute            memberURL
  Note: groupOfUniqueNames stores its members in the uniqueMember attribute, which is what the filter above searches; set Static Member DN Attribute to uniquemember unless your groups really are groupOfNames objects using member.
- Leave everything else at its default.
- Bounce the admin server and the cluster.
When they are back up, you should be able to see the users and groups under the default realm (e.g. myrealm) provided by Sun One LDAP.
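The filters above substitute the login name (WAS %v, WebLogic %u and %g) and a member DN (%M) into a search filter, and the bind DN is assembled the same way from uid. The application servers do that substitution themselves; any code of your own that builds filters or DNs from user input must escape the value first, or a login such as *)(uid=* changes the meaning of the filter. The following Python is added here as an example, not code from the page, IBM or Oracle: it applies the RFC 4515 filter-escaping and RFC 4514 DN-escaping rules to the page's own WAS filter template. expand_filter, escape_filter_value, escape_dn_value and bind_dn_for are hypothetical helper names, and the hostile login in the demo is constructed.

```python
"""Escape user-supplied values before they go into LDAP filters (RFC 4515)
and distinguished names (RFC 4514).

Added example, not from the original page and not WebSphere/WebLogic code.
The placeholder names follow the app-server templates shown above; the
helper names are hypothetical."""

# placeholders used by the WAS (%v) and WebLogic (%u, %g, %M) templates
PLACEHOLDERS = ('%v', '%u', '%g', '%M')

# the WAS user filter from the configuration above
USER_FILTER = '(&(uid=%v)(objectclass=inetOrgPerson))'


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: '*', '(', ')', backslash and NUL inside an
    assertion value become a backslash followed by two hex digits; non-ASCII
    text is escaped byte by byte (UTF-8) in the same form."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        elif ord(ch) > 0x7f:
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def expand_filter(template: str, value: str) -> str:
    """Replace the template's placeholder with the escaped value. A login of
    '*)(uid=*' therefore stays a literal string instead of rewriting the filter."""
    escaped = escape_filter_value(value)
    for ph in PLACEHOLDERS:
        if ph in template:
            return template.replace(ph, escaped)
    raise ValueError('template has no placeholder: %r' % template)


def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4: in an RDN value, escape '"', '+', ',', ';', '<',
    '>' and backslash with a backslash, NUL as \\00, and a leading space
    or '#' and a trailing space with a backslash."""
    out = []
    for ch in value:
        if ch in '"+,;<>\\':
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    s = ''.join(out)
    if s[:1] in (' ', '#'):
        s = '\\' + s
    if s.endswith(' ') and not s.endswith('\\ '):
        s = s[:-1] + '\\ '
    return s


def bind_dn_for(login: str) -> str:
    """Build the bind DN the same way the app server does from uid, but safely."""
    return 'uid=%s,ou=people,dc=company,dc=net' % escape_dn_value(login)


if __name__ == '__main__':
    # constructed hostile login name, not from the page
    hostile = '*)(uid=*'
    print(expand_filter(USER_FILTER, hostile))
    print(bind_dn_for('last, first'))
```

The two escaping rules are different and not interchangeable: a value that is safe inside a filter (a comma, say) still breaks a DN, and a value that is safe in a DN (an asterisk) still widens a filter.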
Sun One LDAP User Management
- Access the Sun One LDAP console.
  - Note: you need an X Window display to run the Sun One LDAP console.
  - Log in to ldaphost as ldap with password as the password.
  - Run the following command:
    /usr/local/SunOneLDAP/startconsole &
  - Log in with:
    User ID              cn=Directory Manager
    Password             password
    Administration URL   http://ldaphost.company.net:1390
- Access an organizational unit (e.g. ou=groups,dc=company,dc=net):
  - Unfold ldaphost.company.net.
  - Unfold Server Group.
  - Double click on Directory Server ldaphost.
  - Click on the Directory tab.
  - Unfold dc=company,dc=net.
  - Under dc=company,dc=net are three organizational units (ou): ou=Groups, ou=People and ou=Special Users.
- Create/delete a user, a group or a role.
  - Open the Sun One LDAP console and unfold dc=company,dc=net (see the steps above).
  - Create a user, e.g. to create user firstname.lastname under ou=people,dc=company,dc=net:
    - Right click on People under dc=company,dc=net.
    - Pick "New", then "User".
    - Fill in the following values in the dialog box:
      First Name       firstname
      Last Name        lastname
      Common Name(s)   firstname lastname
      User ID          firstname.lastname
      Password         password
    - Click "OK".
    - You will see that user firstname.lastname has been created in the right pane.
    - Note: By default, all users should be created under "People" unless you want to change the user filter and/or user/group map filter in the WAS or WLS configurations.
  - Create a role, e.g. to create role rolename under ou=people,dc=company,dc=net:
    - Right click on People under dc=company,dc=net.
    - Pick "New", then "Role".
    - Fill in the following value in the dialog box:
      Role Name   rolename
    - Click "OK".
    - You will see that role rolename has been created in the right pane.
    - Note: By default, all WebSphere groups should be created as a role under "People" unless you want to change the group filter and user/group map filter in the WAS configuration.
  - Create a group, e.g. to create group RoleName under ou=groups,dc=company,dc=net:
    - Right click on Groups under dc=company,dc=net.
    - Pick "New", then "Group".
    - Fill in the following value in the dialog box:
      Group Name   RoleName
    - Click "OK".
    - You will see that group RoleName has been created in the right pane.
    - Note: By default, all WebLogic groups should be created as a group under "Groups" unless you want to change the group filter and user/group map filter in the WLS configuration.
- Delete a user/role/group.
- Right click on the user/role/group.
- Pick "Delete".
- Confirm the delete.
- Assign a user/group/role to a group/role. For example, to assign user firstname.lastname to role rolename:
  - Open the Sun One LDAP console and unfold dc=company,dc=net (see the steps above).
  - Double click on role rolename.
  - Click on "Members" in the left pane.
  - Click "Add" in the right pane.
  - Click "Search".
  - Select user firstname.lastname.
  - Click "OK".
  - Click "OK".
phpLDAPadmin
There is a browser-based tool, phpLDAPadmin, which you can use to manage users in other LDAP repositories, such as Active Directory and Sun One LDAP.
OpenLDAP
Overview
OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol. Its server, slapd, holds directory data such as user accounts and login information, and can replicate it to other LDAP servers. On this site OpenLDAP is configured under /usr/local/openldap using BerkeleyDB as the LDBM backend.
Starting slapd
slapd is the stand-alone LDAP daemon of OpenLDAP. It answers LDAP requests (including bind/authentication requests) from client applications, reading its data from a BerkeleyDB database.
To start slapd
- Log on as user root.
- If not already set, set the following environment variables. CPPFLAGS and LDFLAGS only matter when building OpenLDAP; at run time slapd needs LD_LIBRARY_PATH so it can find the BerkeleyDB shared library.
  CPPFLAGS="-I/usr/local/BerkeleyDB.4.0/include"
  LDFLAGS="-L/usr/local/BerkeleyDB.4.0/lib"
  LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.0/lib"
  export CPPFLAGS LDFLAGS LD_LIBRARY_PATH
  You can verify by running "env | sort | more".
- Start the slapd daemon:
  /usr/local/libexec/slapd > /tmp/slapd.log 2>&1
  Unless you have specified a debugging level (including level 0), slapd will automatically fork, detach itself from its controlling terminal and run in the background. Note: slapd does not need to keep running as root; its -u user and -g group options make it switch to an unprivileged account after binding its port, so the process and the database files it creates are not root-owned.
- There are several ways to verify that the slapd daemon is running:
  ps -ef
  ldapsearch -x -b '' -s base namingContexts
  ldapsearch -x -b 'dc=yourdc,dc=com'
  The second command reads the root DSE and prints the suffixes the server holds; the third lists the entries under one of those suffixes. Both bind anonymously, so they only show what the ACLs allow anonymous users to see.
- Note: the following start command belongs to the Netscape/iPlanet Directory Server (ns-slapd), not to OpenLDAP:
  cd /usr/netscape/server4/bin/slapd/server
  ./ns-slapd -f /usr/netscape/server4/slapd-hostname/config/slapd.conf -i /usr/net
To safely kill slapd:
  kill -INT `cat /usr/local/var/slapd.pid`
or
  kill -TERM `cat /usr/local/var/slapd.pid`
OpenLDAP Configuration Procedure (Linux)
- Configure an LDBM
- Install OpenLDAP.
- Here is the INSTALL file.
- You should also review the Quick Start Guide.
- You might want to configure without threads:
  ./configure --without-threads
- Configure /usr/local/etc/openldap/slapd.conf.
- Configure slapd logging
- Configure ldap.conf
- Start slapd
- Configure slapd to start on boot by modifying /etc/rc.local.
- Create top level directory entries
- Create people directory entries.
- Create group and membership directory entries.
- Configure an LDAP Realm in WebLogic Server
- To have standard PAM-enabled applications use LDAP for authentication, run authconfig and select Use LDAP.
- Configure sftp server authentication with LDAP
- Migrate current authentication information to LDAP Format.
- Make the machine use LDAP for passwd and group lookups
OpenLDAP w/PAM
OpenLDAP can be used as an authentication service via the pam_ldap module. OpenLDAP is commonly used as a central authentication server so that users have a unified login that covers console logins, POP servers, IMAP servers, machines connected to the network using Samba, and even Windows NT/2000 machines. Using OpenLDAP, all of these login situations can rely on the same user ID and password combination, greatly simplifying administration. The pam_ldap module is provided in the nss_ldap package.
/usr/local/etc/openldap/slapd.conf
The slapd.conf file contains the configuration information needed by your slapd OpenLDAP server.
- You can generate a hashed password for the rootpw line...
  rootpw {crypt}s4L9sOIJo4kBM
  ...by running...
  perl -e "print crypt('passwd','a_salt_string');"
  where a_salt_string is a two-character salt and passwd is the plain text version of the password. This produces a traditional DES crypt hash, which only uses the first eight characters of the password and is cheap to brute-force; prefer slappasswd (see OpenLDAP Daemons and Utilities below), which emits a salted SHA-1 ({SSHA}) value by default. Because rootpw lives in slapd.conf, keep that file readable only by root and the account slapd runs as.
  You could also copy a passwd entry out of /etc/passwd, but this won't work if the passwd entry is an MD5 password (the default in Red Hat Linux 7.2).
- Do NOT modify any of the distributed schema files. You can extend the schema by creating a local.schema file, then reference the new schema by adding the following to slapd.conf:
  include /usr/local/openldapversion/schema/local.schema
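slappasswd's default scheme is {SSHA}: SHA-1 over the password followed by a random salt, with digest and salt base64-encoded together. The following Python is an added example, not part of the page or of OpenLDAP, showing how such a value is produced and verified so you can recognise what ends up in rootpw or in a userPassword attribute. ssha_hash and verify_password are hypothetical helper names, and the 4-byte salt length is an assumption matching what slappasswd emits by default.

```python
"""Produce and verify {SSHA} / {SHA} password values of the kind slappasswd
writes into rootpw or userPassword.

Added example, not from the original page and not OpenLDAP code; standard
library only. Helper names are hypothetical; SALT_LEN = 4 assumes
slappasswd's default salt size."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4        # bytes of random salt appended to the password
SHA1_LEN = 20       # length of a SHA-1 digest in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password + salt) + salt).
    The salt is stored after the digest so the verifier can recover it."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def verify_password(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SSHA} or {SHA} value.
    Other schemes (e.g. {CRYPT}) are rejected rather than guessed at."""
    if stored.startswith('{SSHA}'):
        raw = base64.b64decode(stored[len('{SSHA}'):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        candidate = hashlib.sha1(password.encode('utf-8') + salt).digest()
    elif stored.startswith('{SHA}'):
        digest = base64.b64decode(stored[len('{SHA}'):])
        candidate = hashlib.sha1(password.encode('utf-8')).digest()
    else:
        return False
    # constant-time compare: verification time must not depend on how many
    # leading bytes of the digest match
    return hmac.compare_digest(candidate, digest)


if __name__ == '__main__':
    h = ssha_hash('secret')
    print(h, verify_password('secret', h), verify_password('wrong', h))
```

A {SSHA} value defeats precomputed tables because of the salt, but it is still a single fast hash; it does not replace keeping slapd.conf and the database files unreadable to other users.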
OpenLDAP Daemons and Utilities
The OpenLDAP package includes two daemons: slapd and slurpd.
The slapd daemon is the stand-alone LDAP daemon, which you'll need to run to support LDAP.
The slurpd daemon controls the replication of LDAP directories over a network by sending changes from the master LDAP directory to slave LDAP directories. You won't need to run slurpd unless you have more than one LDAP server on your network. If you have two or more LDAP servers, slurpd will keep the various LDAP directories in sync.
OpenLDAP also includes some utilities in /usr/bin for adding, modifying and deleting entries in an LDAP directory
  ldapmodify   Modifies entries in an LDAP database, accepting input via a file or standard input.
  ldapadd      Adds entries to your directory, accepting input via a file or standard input; ldapadd is actually a hard link to ldapmodify and behaves as ldapmodify -a.
  ldapsearch   Searches for entries in the LDAP directory from a shell prompt.
  ldapdelete   Deletes entries from an LDAP directory, accepting input via a file or a shell prompt.
With the exception of ldapsearch, each of these utilities is much more easily used by referencing a file with the changes to be made rather than typing the commands one after the other. Each of their respective man pages covers the syntax of these files.
To import or export blocks of information with a slapd directory or perform similar administrative tasks, different utilities, located in /usr/sbin, are required
  slapadd      Adds entries from an LDIF file to an LDAP directory. For example, execute /usr/sbin/slapadd -l ldif where ldif is the name of the LDIF file containing the new entries.
  slapcat      Pulls entries out of an LDAP directory and saves them in an LDIF file. For example, execute /usr/sbin/slapcat -l ldif where ldif is the name of the target LDIF file to contain the entries from the LDAP directory.
  slapindex    Reindexes the slapd database based on the actual current database content. Execute /usr/sbin/slapindex to begin reindexing.
  slappasswd   Generates a user password value for use with ldapmodify or the rootpw value in /usr/local/etc/openldap/slapd.conf. Execute /usr/sbin/slappasswd to create the password.
Be sure to stop slapd before using slapadd, slapcat or slapindex. Otherwise, you are risking the consistency of your LDAP database.
The pam_ldap module is needed to integrate LDAP authentication into the Pluggable Authentication Modules (PAM) API. If you use pam_ldap, users can authenticate and change their password using LDAP directories. The nss_ldap and pam_ldap modules are provided in the nss_ldap package.
Red Hat Linux also includes LDAP modules for the Apache Web server. The auth_ldap module is for authenticating HTTP clients against the user entries in an LDAP directory. The php-ldap module adds LDAP support to the PHP4 HTML-embedded scripting language. The auth_ldap and php-ldap modules must be compiled into Apache as Dynamic Shared Objects (DSOs) in order to work.
Additional Resources
A lot of useful information concerning LDAP is available. Please review these sources, especially the OpenLDAP website and the LDAP HOWTO, before beginning to set up and configure LDAP on your system.
Installed Documentation
The ldap man page is a good place to get started for an introduction to LDAP. Also, man pages exist for the various LDAP daemons and utilities. Please check the man pages if you need more information on ldapmodify, ldapsearch, and the like.
/usr/share/docs/openldap-versionnumber Contains a general README document and miscellaneous information.
Useful Websites
- http://www.openldap.org
  Home of the OpenLDAP Project, the collaborative effort to develop a "robust, commercial-grade, fully featured, and open source LDAP suite of applications and development tools."
- http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html
  LDAP Linux HOWTO document, covering installation through authentication and logging.
- http://www.padl.com
  Developers of nss_ldap and pam_ldap, among other useful LDAP tools.
- http://www.innosoft.com/ldapworld
  Contains information concerning LDAP RFCs and the LDAP version 3 specifications.
- http://www.kingsmountain.com/ldapRoadmap.shtml
  Jeff Hodges' LDAP Road Map contains links to several useful FAQs and emerging news concerning the LDAP protocol.
- http://www.rudedog.org/auth_ldap
  Home of the auth_ldap authentication module for Apache.
- http://www.stanford.edu/~bbense/Inst.html
  Discusses the use of LDAP with Sendmail.
- http://www.webtechniques.com/archives/2000/05/wilcox
  A useful look at managing groups in LDAP.
- http://www.ldapman.org/articles
  Articles that offer a good introduction to LDAP, including methods to design a directory tree and customize directory structures.
Issues
Error:
Running rpm -i openldap*rpm. Receiving error:
  error: failed dependencies:
    openldap = 2.0.7-14 is needed by openldap-servers-2.0.7-14
    libcrypto.so.1 is needed by openldap-servers-2.0.7-14
    libssl.so.1 is needed by openldap-servers-2.0.7-14
Fix:
Decided to abandon the RPM. Downloaded the tar version. Ran ./configure and got an error saying a suitable LDBM backend could not be found. Fixed by downloading and installing BerkeleyDB, then setting the following environment variables:
  CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.0/include"
  LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.0/lib"
  LD_LIBRARY_PATH="/usr/local/lib:/usr/local/BerkeleyDB.4.0/lib"
  export CPPFLAGS LDFLAGS LD_LIBRARY_PATH
This time /usr/local/openldap/configure ran cleanly.
Fix:
Perusing the openldap-software archive indicated a way to compile slapd without threads
- ./configure --without-threads
- make
- make install
- make veryclean
- ./configure --with-threads
- make
- cd servers/slurpd
- make install
LDAP Applications
Several LDAP client applications are available that greatly simplify viewing and changing LDAP information
  LDAP Browser/Editor   A user-friendly tool written in 100% Java for easy deployment across different platforms.
  GQ                    A GTK-based LDAP client, available with the Red Hat Linux 7.2 distribution or at http://biot.com/gq
  kldap                 An LDAP client for the KDE Project, available at http://www.mountpoint.ch/oliver/kldap
Terminology
Information Model
Directory entries are arranged in a tree-like structure called the Directory Information Tree (DIT). At the top of the DIT is the directory root. The part of the tree a given server holds starts at a suffix (naming context) such as dc=servername,dc=yourdc,dc=com; clients reach that server by its host name and the port number on which the directory service is running.

  Directory Root
        |
  dc=servername, dc=yourdc, dc=com
       /                 \
  ou=Department       ou=Corporate
       |                   |
  cn=Jeff Skilling     cn=Ken Lay
Naming Model
LDAP begins a search for data by specifying one entry, such as "dc=yourdc,dc=com", as the search base. An entry's name is its distinguished name (DN), which is a sequence of relative distinguished names (RDNs). Each directory server also holds a single root DSA-specific entry (root DSE) with basic information about the server, such as the suffixes it serves (namingContexts) and the SASL mechanisms it supports. The root DSE is read with a base-scope search against the empty DN, which is how you discover the suffixes when you do not know them (the ldapsearch -x -b '' -s base namingContexts command shown above does exactly this).
Directory Objects
The structure of a directory object is defined by the object class to which it belongs. An object class defines the set of attributes that can be stored in a directory entry. Object class definitions are found in the schema files located in /usr/local/etc/openldap/schema:
- openldap.schema
- inetorgperson.schema
- corba.schema
- core.schema
- cosine.schema
- java.schema
- krb5-kdc.schema
- misc.schema
- nis.schema
Sun Solaris uses the posixAccount object class to store Solaris user account information.
All the attributes defined in a parent class are inherited by its child classes. Object classes and attributes are assigned a numeric object identifier (OID) to ensure they will not conflict with definitions from another schema.
Functional Model
Clients accessing data on an LDAP server must bind, supplying at a minimum the DN of the entry they wish to bind as (an empty DN with no password is an anonymous bind). The type of authentication the directory server requires is specified as part of the bind request.
Security Model
Access to LDAP entries is protected by the rights established for the authenticated user. The rights can be assigned at the container, object, or attribute level. Access Control Instructions are used to assign access rights.
LDAP Replication
Replication is the mechanism by which directory data is automatically copied from one directory server to another. The mastering directory server is called the Supplier server. Servers that receive directory objects are called Consumer servers.
Authentication versus Authorization
Authentication is the verification of someone's identity using such things as user names, passwords, and digital certificates. Authorization is the granting of access to controlled system resources. In other words, once a user's identity is established, authorization grants only the access rights that the user is entitled to.
LDAP Authentication (Simple Authentication)
You supply the DN and password to the directory server. Simple authentication sends the password over the wire in clear text, so it should only be used over TLS (an ldaps:// connection or StartTLS) or on a trusted network. Once ACLs are implemented, what an LDAP client can read or modify after authenticating depends on the access control instructions (ACIs) that have been set.
CRAM-MD5
SASL authentication mechanism described in RFC 2195.
Its advantage is that the password is never sent in clear text. The server issues a challenge in the form of a message-id: an arbitrary string of random digits, a timestamp, and the fully qualified primary host name of the server. The client responds with the user name, a space, and the hex HMAC-MD5 (RFC 2104) of the challenge keyed with the password. The server computes the same HMAC-MD5 and compares it to the client's response. Two caveats: the server must hold the clear-text password (or an equivalent) to do so, and the exchange authenticates neither the server nor the session, so it does not replace TLS.
LDAP v2 servers do not support CRAM-MD5, since SASL binds exist only in LDAP v3. It can be used if pam_ldap is pointed at a server that supports it.
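The CRAM-MD5 exchange described above, with both sides written out in Python. This is an added example, not code from the page or from any SASL library; the challenge, user and password in the test are the worked example from RFC 2195, while the host name, the helper names and the credential dictionary are constructed for the demo.

```python
"""CRAM-MD5 (RFC 2195) from both sides: server challenge, client HMAC-MD5
response, server verification.

Added example, not from the original page or any SASL library. The RFC 2195
example values (user 'tim', password 'tanstaaftanstaaf') are used in the
demo; the host name, helper names and credential store are constructed."""
import base64
import hmac
import os
import time


def make_challenge(host: str = 'ldaphost.company.net') -> str:
    """Server side: a msg-id style challenge '<random.timestamp@host>'."""
    nonce = int.from_bytes(os.urandom(4), 'big')
    return '<%d.%d@%s>' % (nonce, int(time.time()), host)


def hmac_md5_hex(password: str, challenge: str) -> str:
    """HMAC-MD5 keyed with the password over the challenge text, as hex."""
    return hmac.new(password.encode('utf-8'), challenge.encode('utf-8'), 'md5').hexdigest()


def client_response(user: str, password: str, challenge: str) -> str:
    """Client side: 'user SP hexdigest', base64-encoded for the wire."""
    payload = '%s %s' % (user, hmac_md5_hex(password, challenge))
    return base64.b64encode(payload.encode('utf-8')).decode('ascii')


def server_verify(response_b64: str, challenge: str, credentials: dict) -> bool:
    """Server side. The server needs the clear-text password (or the HMAC-MD5
    key schedule derived from it) to recompute the digest, which is why
    CRAM-MD5 forces plaintext-equivalent password storage on the server."""
    try:
        text = base64.b64decode(response_b64, validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, digest = text.partition(' ')
    password = credentials.get(user)
    if not sep or password is None:
        return False
    expected = hmac_md5_hex(password, challenge)
    # constant-time comparison of the two hex digests
    return hmac.compare_digest(expected, digest)


if __name__ == '__main__':
    # constructed credential store (the server must hold clear-text passwords)
    store = {'tim': 'tanstaaftanstaaf'}
    ch = make_challenge()
    resp = client_response('tim', 'tanstaaftanstaaf', ch)
    print(ch, resp, server_verify(resp, ch, store))
```

Because a fresh challenge is generated per bind, a captured response is useless against a later challenge, as the last assertion below checks; what the mechanism does not prevent is an offline dictionary attack on a captured challenge/response pair, which is why it still belongs inside TLS.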
Kerberos
Kerberos is a network authentication protocol that provides strong authentication using secret-key cryptography. It uses a series of encrypted messages to prove to a verifier that a client is running on behalf of a particular user. More precisely, the client has knowledge of an encryption key that is known only to the user and the authentication server. Encryption in the version of Kerberos current when this page was written used the Data Encryption Standard (DES); DES encryption types have since been deprecated (RFC 6649) and current implementations use AES.
Whenever a client authenticates itself to a new verifier, it relies on the authentication server to generate a new encryption key and distribute it securely to both parties. This new encryption key is called a session key, and the Kerberos ticket distributes it to the verifier.
A Kerberos ticket is a credential issued by the authentication server, encrypted with the secret key of the verifier (the service) it is intended for.
LDAP Data Interchange Format (LDIF)
ASCII text format for LDAP entries. Files that import or export data to and from LDAP servers must be in LDIF format. An LDIF entry looks like this
  [<id>]
  dn: <distinguished name>
  <attrtype>: <attrvalue>
  <attrtype>: <attrvalue>
  <attrtype>: <attrvalue>
An entry can contain as many <attrtype>: <attrvalue> pairs as needed. A blank line indicates that the entry is finished and that another entry is about to begin.
Your <attrtype> and <attrvalue> pairs must be defined in a schema before they can be used. You cannot simply define them in an LDIF file and expect an LDAP server without corresponding data in its schema files to be able to use this information.
Everything enclosed within < > is variable and can be set by you when you add an LDAP entry, with the exception of the <id>. The <id> is a number normally set by the LDAP tools when you add an entry, and you will probably never need to set one manually.
Directory Entries
For the development environment, initially, we only need target entries for testing purposes:
  target:user1
  target:user2
  target:user3
  ...
Here is a typical LDAP directory entry that maps a line of /etc/passwd:
  dn: uid=william,ou=department,dc=yourdc,dc=com
  uid: william
  cn: William Shakespeare
  objectClass: account
  objectClass: posixAccount
  objectClass: top
  objectClass: shadowAccount
  shadowLastChange: 11296
  shadowMax: 99999
  shadowWarning: 7
  loginShell: /bin/bash
  uidNumber: 500
  gidNumber: 500
  homeDirectory: /home/william
  gecos: William Shakespeare
  userPassword: {crypt}$1$uQSw.ohy$XuiRSCq0kp...
The objectClass attributes refer to the RFC 2307 schema. They set the list of mandatory and optional attributes for the entry, and are also useful in searches. A call of the form getpwnam("william") is likely to result in an LDAP search with the filter (&(uid=william)(objectClass=posixAccount)). Note that userPassword holds the account's password hash, so the directory ACLs must restrict who can read that attribute, just as /etc/shadow is unreadable to ordinary users.
Here is a typical LDAP Directory entry that maps the /etc/group file
  dn: cn=ldapbods,ou=department,dc=yourdc,dc=com
  objectClass: posixGroup
  objectClass: top
  cn: ldapbods
  userPassword: {crypt}x
  gidNumber: 389
  memberUid: tim
  memberUid: steve
  memberUid: colin
  memberUid: damy
  memberUid: william
Migrate Current Info To LDAP
A set of shell and Perl scripts for migrating your old authentication information into LDAP format can be found in
/usr/share/openldap/migration
To perform the migration:
- Modify the migrate_common.ph file so that it reflects your domain. The default DNS domain should be changed from
  $DEFAULT_MAIL_DOMAIN = "padl.com";
  to something like
  $DEFAULT_MAIL_DOMAIN = "your_company.com";
- The default base should also be changed, from
  $DEFAULT_BASE = "dc=padl,dc=com";
  to something like
  $DEFAULT_BASE = "dc=your_company,dc=com";
- Next, you'll need to decide which script to use:
  Existing name service       Is LDAP running?   Use this script
  /usr/local/etc flat files   yes                migrate_all_online.sh
  /usr/local/etc flat files   no                 migrate_all_offline.sh
  NetInfo                     yes                migrate_all_netinfo_online.sh
  NetInfo                     no                 migrate_all_netinfo_offline.sh
  NIS (YP)                    yes                migrate_all_nis_online.sh
  NIS (YP)                    no                 migrate_all_nis_offline.sh
  Run the appropriate script based on your existing name service. The generated LDIF contains the password hashes read from /etc/shadow, so keep the file readable only by root and remove it once it has been loaded.
- The README and the migration-tools.txt files in /usr/share/openldap/migration provide more details on how to migrate the information.
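As an added example tying the LDIF format, the posixAccount/posixGroup entries above and the migration step together (not code from the page and not PADL's migration tools, of which it is only a minimal stand-in), the following Python converts /etc/passwd and /etc/group style lines into LDIF entries of the same shape, applying the RFC 2849 rule that a value which is not safe ASCII is base64-encoded and written after a double colon. The base DN dc=yourdc,dc=com with ou=people and ou=groups, the helper names and the sample lines are assumptions made for the demo.

```python
"""Convert /etc/passwd and /etc/group style lines into LDIF entries of the
posixAccount / shadowAccount and posixGroup shape shown above, following
RFC 2849's rule that values which are not safe ASCII are base64-encoded and
written with '::'.

Added example, not from the original page and not PADL's migration tools;
a minimal stand-in for what migrate_passwd.pl and migrate_group.pl do.
The base DN and OU names, the helper names and the sample lines are
assumptions made for the demo."""
import base64
from typing import Optional

BASE_DN = 'dc=yourdc,dc=com'          # assumed suffix
PEOPLE_OU = 'ou=people,' + BASE_DN    # assumed container for users
GROUP_OU = 'ou=groups,' + BASE_DN     # assumed container for groups


def ldif_line(attr: str, value: str) -> str:
    """One 'attr: value' line. RFC 2849 requires 'attr:: base64' when the value
    is non-ASCII, contains NUL/CR/LF, or starts with space, ':' or '<'; a
    value ending in a space should be encoded too."""
    needs_b64 = (
        not value.isascii()
        or any(c in value for c in '\x00\r\n')
        or value[:1] in (' ', ':', '<')
        or value.endswith(' ')
    )
    if needs_b64:
        return '%s:: %s' % (attr, base64.b64encode(value.encode('utf-8')).decode('ascii'))
    return '%s: %s' % (attr, value)


def passwd_to_ldif(line: str, shadow_hash: Optional[str] = None) -> str:
    """Map 'name:x:uid:gid:gecos:home:shell' to a posixAccount entry.
    shadow_hash is the crypt hash from /etc/shadow; it is stored as
    {crypt}<hash> so slapd verifies it unchanged, as the migration tools do."""
    name, _pw, uid, gid, gecos, home, shell = line.rstrip('\n').split(':')
    cn = gecos.split(',')[0] or name      # full name is the first gecos field
    lines = [
        ldif_line('dn', 'uid=%s,%s' % (name, PEOPLE_OU)),
        ldif_line('uid', name),
        ldif_line('cn', cn),
        'objectClass: account',
        'objectClass: posixAccount',
        'objectClass: top',
        'objectClass: shadowAccount',
        ldif_line('loginShell', shell),
        ldif_line('uidNumber', uid),
        ldif_line('gidNumber', gid),
        ldif_line('homeDirectory', home),
        ldif_line('gecos', gecos),
    ]
    if shadow_hash:
        lines.append(ldif_line('userPassword', '{crypt}' + shadow_hash))
    return '\n'.join(lines) + '\n'


def group_to_ldif(line: str) -> str:
    """Map 'name:x:gid:member1,member2,...' to a posixGroup entry."""
    name, _pw, gid, members = line.rstrip('\n').split(':')
    lines = [
        ldif_line('dn', 'cn=%s,%s' % (name, GROUP_OU)),
        'objectClass: posixGroup',
        'objectClass: top',
        ldif_line('cn', name),
        ldif_line('gidNumber', gid),
    ]
    lines += [ldif_line('memberUid', m) for m in members.split(',') if m]
    return '\n'.join(lines) + '\n'


# constructed sample input, not real accounts
SAMPLE_PASSWD = 'william:x:500:500:William Shakespeare:/home/william:/bin/bash'
SAMPLE_GROUP = 'ldapbods:x:389:tim,steve,colin,damy,william'

if __name__ == '__main__':
    # the shadow hash below is a placeholder, not a real password hash
    print(passwd_to_ldif(SAMPLE_PASSWD, shadow_hash='$1$saltsalt$placeholderonly'))
    print(group_to_ldif(SAMPLE_GROUP))
```

The output of the two functions, separated by blank lines, is what ldapadd (or ldapmodify -a) expects on its input; the password hashes only appear when the caller passes them in, which is the point at which the resulting file needs the same protection as /etc/shadow.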
slapd logging
slapd sends logging data to syslog on the local4 facility, and it is a good idea to separate this into a file of its own with a line like this in /etc/syslog.conf:
  local4.*    /var/log/slapd.log
To reinitialize the syslogd daemon so it starts writing to the slapd log file, run:
  kill -SIGHUP `cat /var/run/syslogd.pid`
If you want to see log messages while you are working, open up a new window and run:
  tail -f /var/log/slapd.log
Top Level Entry
The following is the top-level LDAP directory entry for servername. Note that an entry must carry the attribute value used in its RDN (dc: servername for the dn dc=servername,...), and that dcObject is an auxiliary class, so a structural class such as organization (with its mandatory o attribute) is also needed for newer slapd releases to accept the entry.
  # the top level
  dn: dc=servername, dc=yourdc, dc=com
  objectclass: dcObject
  objectclass: organization
  dc: servername
  o: servername

  # users
  dn: ou=people, dc=servername, dc=yourdc, dc=com
  objectclass: organizationalUnit
  ou: people

  # groups
  dn: ou=groups, dc=servername, dc=yourdc, dc=com
  objectclass: organizationalUnit
  ou: groups

  # memberships
  dn: ou=memberships, dc=servername, dc=yourdc, dc=com
  objectclass: organizationalUnit
  ou: memberships
To add it to the LDAP directory, save it into filename.ldif then load it using ldapmodify -a (or ldapadd).
People Directory Entries
The entries can be loaded using ldapmodify
Group and Membership Directory Entries
The entries can be loaded using ldapmodify
Make the machine use LDAP for passwd and group lookups
- Verify nss_ldap is installed run rpm -qa | grep nss_ldap
- Edit /etc/nsswitch.conf and change the lines as shown:
  passwd:   files ldap
  shadow:   files ldap
  group:    files ldap
The effect of this is that lookups will use local files first and progress to LDAP for anything not found locally. This allows system accounts to be kept in /etc files (necessary during bootup) while user accounts are held centrally.
- If the name service cache daemon (nscd) is running, it may be necessary to restart it before LDAP lookups work. Similarly, nsswitch.conf is normally only read once per process so don't expect any existing processes to notice until they are restarted (and that includes the shell that you used to set all this up from!)
An easy test is to find the home-directory of a user that is listed in the LDAP store but not in the local password file
echo ~fred
The Solaris version of nss_ldap is based on the iPlanet LDAP libraries and it does not use /etc/ldap.conf, preferring instead to use a program called ldapclient to set up the parameters. The problem with ldapclient is that it depends on a feature that is implemented differently in different LDAP servers so it does not easily work with OpenLDAP. There are a number of mailing-list archives containing discussion of the problem and suggesting various workarounds.
Configure an LDAP realm in WebLogic Server
This procedure references a custom LDAP realm on the devui server
You can configure LDAP by directly editing config files
- Stopping your WebLogic Server
- Replacing the current config files with config.xml and fileRealm.properties files.
- Restarting your WebLogic Server
or you can use the WebLogic Server Console
- Go to the Security | Realms node.
- Configure a new Custom Realm
  Field                 Value
  Name                  Call it whatever you like
  Realm Class Name      weblogic.security.ldaprealmv2.LDAPRealm
  Configuration Data    user.filter=(&(cn=%u)(objectclass=person));
                        user.dn=ou=people, dc=devui, dc=yourdc, dc=com;
                        server.port=389;
                        server.principal=cn=root, dc=devui, dc=yourdc, dc=com;
                        membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames));
                        group.filter=(&(cn=%g)(objectclass=organizationalRole));
                        server.host=localhost;
                        group.dn=ou=groups, dc=devui, dc=yourdc, dc=com
  Password              secret
Note that within the Console, the Configuration Data field contains literal ampersands (&). Within config.xml, the ConfigurationData attribute contains them XML-escaped as &amp;. If you get parsing errors when you try to start WebLogic, an unescaped ampersand in the configuration could be the culprit. Note also that server.principal here is the directory's rootdn, which gives the application server unrestricted write access; a dedicated bind account limited by ACLs to reading the people and groups subtrees is the safer choice.
- Configure the Caching realm
When configuring the Caching realm, select the LDAP Realm V2 from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP Realm V2).
- Go to Security node | Filerealm.
In the Caching Realm attribute, choose the name of the Caching Realm to be used with the LDAP Security realm. A list of configured Caching Realms appears on the pull-down menu.
- Reboot WebLogic Server.
Loading LDIF entries
Use the following to load LDIF entries:
  ldapmodify -a \
    -H ldap://192.168.1.180/ \
    -c \
    -x \
    -D 'cn=root,dc=devui,dc=yourdc,dc=com' \
    -W \
    -f filename.ldif
-W prompts for the bind password instead of taking it on the command line (-w), where it would be visible to every user in the process list. As written (ldap:// with -x) the password still crosses the network in clear text; use ldaps:// or -ZZ (StartTLS) where the server supports it. There is a script in aegir:/usr/local/etc/openldap called addentry.sh which contains the above command and can be used to load entries. Usage is:
  sh ./addentry.sh filename.ldif