X509 Authentication Using Oracle Access Manager (OAM) 11gR2PS2 and Oracle Unified Directory (OUD)


It is assumed the following products have been installed:
Oracle RDBMS 11gR2 - holding metadata 
Oracle Unified Directory - LDAP for system and user store
Oracle Access Manager 11gR2PS2
Weblogic 10.3.6
Oracle OHS (which if I recall is installed with Weblogic)
Webgate 11g installed and configured

My environment consists of three RHEL 5.10 x64 VMs, svrtoes01, svrtst02, and svrtst03, as follows:
Oracle RDBMS 11gR2 on server svrtoes01

Components installed for supporting the FMW (fusion middleware) stack are:

COMP_ID              OWNER                VERSION           MODIFIED   U
-------------------- -------------------- ----------------- ---------- -
APM                  SYSMAN_APM                             2014-03-05 N
MDS                  SYSMAN_MDS                             2014-03-05 N
OPSS                 SYSMAN_OPSS                            2014-03-05 N
IAU                  DEV_IAU                                2014-04-30 N
MDS                  DEV_MDS                                2014-04-30 N
OAM                  DEV_OAM                                2014-04-30 N
OID                  ODS                                    2014-04-30 N
OPSS                 DEV_OPSS                               2014-04-30 Y
OIM                  DEV_OIM                                2014-05-08 N
ORASDPM              DEV_ORASDPM                            2014-05-08 N
SOAINFRA             DEV_SOAINFRA                           2014-05-08 N

An 11g webgate was installed:

However, in order to protect the resource and only allow access via X509 certificates, some changes are required in OAM.  To be clear, this exercise shows how to do X509 authentication (AUTHN) to allow access to a resource, in this case a simple web page.

It is assumed that Weblogic and OAM have been configured for SSL and that you have access to certificates issued by a CA (

Add Root and Intermediate Certificates to .oamkeystore

The .oamkeystore file is Access Manager's keystore and is located in $MW_HOME/user_projects/domains/WLSDomain/config/fmwconfig/.

The root and intermediate (if any) certificates need to be installed for X509 authN to work.

First, get the password for the keystore as follows:

cd $MW_HOME/Oracle_IDM1/common/bin




Make a note of the password and then exit the scripting tool.


Install the root and intermediate certificates.  In my setup, I have my certs located in the /certs directory.  The root certificate is in a file called ISEDlabRoot.crt and the intermediate certificate is in a file called CADCA1.crt.  I need to change to the location where my certs are installed:

cd /certs

Then run the command to import the certs into the keystore:

keytool -importcert -alias ISEDlabRoot -file ISEDlabRoot.crt \
-keystore $MW_HOME/user_projects/domains/WLSDomain/config/fmwconfig/.oamkeystore \
-storepass oa6fgome4lsnf9c6ntoio1qc5p -storetype jceks

Answer 'yes' when prompted whether to trust this certificate

Successful import will respond with: Certificate was added to keystore

Import the intermediate cert into the keystore:

keytool -importcert -alias CADCA1 -file CADCA1.crt \
-keystore /opt/oracle/middleware/user_projects/domains/WLSDomain/config/fmwconfig/.oamkeystore \
-storepass oa6fgome4lsnf9c6ntoio1qc5p -storetype jceks

Successful import will respond with: Certificate was added to keystore

Configure Web Pages

I have two web pages.  The first has a Logout link; name it sample.html:

<i><a href="">Logout</a></i>
<i><h1></h1></i>

The second, secure.html, is the page that will be protected:

<center>
<i><b><span style="color: red;"><a href="">Logout</a></span></b></i>
<i><h1>This is Secure Page, Only logged in users can view</h1></i>
</center>

These are installed in $MW_HOME/Oracle_WT1/instances/instance1/config/OHS/ohs1/htdocs.  Note that the end_url= parameter of the Logout link is left blank when configured for X509 authN.

Configure Oracle Access Management

Login to the Oracle Access Management console
From Launch Pad -> Access Manager -> Application Domains
Click Search

Select RREG_OAM11G then click the edit icon

Click on Resources tab, then click Create

Select HTTP from the Type drop down

Host Identifier can be searched for using the search icon.  Enter RREG_HostId11G in the Host Identifier field

Enter /secure.html in Resource URL.  This is the resource that is going to be protected

Select Protected for Protection Level

Click Apply to continue

Close the RREG_OAM11G: RREG_HostID... tab

Click on the Authentication Policies tab, then click on the Create Authentication Policy button

Enter a name for the policy, e.g. X509_Test

Select X509Scheme for Authentication Scheme

The new policy will be displayed

Click on the Resources tab and the newly added resource that needs to be protected (secure.html) will be displayed.  Note that the new resource is not attached to any policy yet

Next, attach the resource to the newly created authentication policy.  Select the resource (secure.html) in the grid and click the Edit button.

From the Authentication Policy drop down, select X509_Test and click Apply

Close the RREG_OAM11G:RREG_HostId... tab

In the RREG_OAM11G tab, click the Search button, which will show that secure.html is protected by the new X509_Test authentication policy (which uses X509Scheme)

Restart the OAM server for the changes to take effect

Now try to access the protected resource, secure.html in this case, hosted on OHS.  The HTTP request will be intercepted by the 11g Webgate and routed to OAM, which will prompt you to present a client certificate:

The protected web page will be displayed:

Click the Logout link and you will be logged out and all session cookies will be removed:

You can view the Oracle Unified Directory (OUD) access log, located in $OUD_HOME/logs, and see the connection being made to the LDAP server and the user CN being verified:

[21/May/2014:15:50:04 -0400] SEARCH REQ conn=29429 op=15 msgID=16 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(cn=weblogic))" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[21/May/2014:15:50:04 -0400] SEARCH RES conn=29429 op=15 msgID=16 result=0 nentries=1 etime=2
[21/May/2014:15:50:04 -0400] SEARCH REQ conn=29430 op=4 msgID=5 base="cn=weblogic,cn=systemids,dc=acme,dc=com" scope=base filter="(objectclass=inetOrgPerson)" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[21/May/2014:15:50:04 -0400] SEARCH RES conn=29430 op=4 msgID=5 result=0 nentries=1 etime=2

Also, in the oam_server1.out log located in $MW_HOME/user_projects/domains/WLSDomain/servers/oam_server1/logs, you can view the SSL key negotiation and exchange in progress and the verification of the certificates.  This is only true if SSL debugging is turned on.

And in $MW_HOME/Oracle_WT1/instances/instance1/diagnostics/logs/OHS/ohs1 the access_log will show the initial connection being made as the user requests the resource.

Create and Deploy an 11g Webgate

Deploy Webgate

Note that this is an 11gR2PS2 environment running Weblogic 10.3.6 and Oracle Access Manager 11gR2PS2.

cd $MW_HOME/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate

Run the following command (required for copying agent bits from the Webgate_Home directory to Webgate Instance location):
./ -w $MW_HOME/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh $MW_HOME/Oracle_OAMWebGate1


cd ../setup/InstallTools/

and run this command...
./EditHttpConf -w <Webgate_Instance_Directory> [-oh <Webgate_Oracle_Home>] [-o <output_file>]

where Webgate_Instance_Directory is the instance directory for ohs1
and Webgate_Oracle_Home is the home directory for the webgate

./EditHttpConf -w $MW_HOME/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh $MW_HOME/Oracle_OAMWebGate1 -o Edithttpconf.log

Sample output is shown below:
The web server configuration file was successfully updated
/opt/oracle/middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1/httpd.conf has been backed up as

Create Webgate

Oracle Access Management -> Launch Pad -> SSO Agents -> Create 11g Webgate
Choose a name, for example RREG_OAM11G and click Apply

In Logout Target URL, type end_url
In Logout URL, type

Click Apply again

Artifacts will be created in the following directory:

Backup the OAM11GRequest.xml file
cd $MW_HOME/Oracle_IDM1/oam/server/rreg/input

cp OAM11GRequest.xml NewOAM11GRequest.xml

Edit NewOAM11GRequest.xml and add the correct values for serverAddress and agentBaseUrl

Start the process to complete the agent registration
cd ..
You should now be in the $MW_HOME/Oracle_IDM1/oam/server/rreg directory.  Run the following command (with output shown):
./bin/ inband input/NewOAM11GRequest.xml

Request summary:                                                               
OAM11G Agent Name:RREG_OAM11G                                                  
Base URL:http://localhost:7001                                                 
URL String:RREG_HostId11G                                                      
Registering in Mode:inband                                                     
Your registration request is being sent to the Admin server at: http://localhost:7001

Now copy the artifacts as follows:
cp $MW_HOME/Oracle_IDM1/oam/server/rreg/output/RREG_OAM11G/cwallet.sso $MW_HOME/Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config

cp $MW_HOME/Oracle_IDM1/oam/server/rreg/output/RREG_OAM11G/ObAccessClient.xml $MW_HOME/Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config

Restart OHS
cd $MW_HOME/Oracle_WT1/instances/instance1/bin
./opmnctl stopall
./opmnctl startall

...and check that the application domain was created in OAM as follows:
Launch Pad -> Access Manager -> Application Domains
Click Search

Enable SSL Debugging for Oracle Access Manager 11gR2

For debugging SSL connections terminating on the Weblogic Server, from Weblogic Administration Console, click on Servers, select oam_server1:

Click on the Server Start tab and add -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true in the Arguments section:

Restart oam_server1.  SSL-debug information will be written to the oam_server1.log (located in $MW_HOME/user_projects/domains/WLSDomain/servers/oam_server1/logs):

####<May 16, 2014 2:30:25 PM EDT> <Debug> <SecuritySSL> <> <oam_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <114848da72d7dcfc:-3a0c05c9:14605a3f20e:-8000-0000000000001794> <1400265025295> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 207182277780947434404477757924094648847
Issuer:C=US, O=U.S. Government, OU=DoD, OU=NRO, CN=ISED lab Root
Subject:C=US, O=U.S. Government, OU=DoD, OU=NRO, OU=CA, CN=CAD CA 1
Not Valid Before:Thu Jun 14 10:00:16 EDT 2012
Not Valid After:Sun Jun 14 10:00:16 EDT 2015
Signature Algorithm:SHA1withRSA
####<May 16, 2014 2:30:25 PM EDT> <Debug> <SecuritySSL> <> <oam_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <114848da72d7dcfc:-3a0c05c9:14605a3f20e:-8000-0000000000001794> <1400265025295> <BEA-000000> <validationCallback: validateErr = 0>
####<May 16, 2014 2:30:25 PM EDT> <Debug> <SecuritySSL> <> <oam_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <114848da72d7dcfc:-3a0c05c9:14605a3f20e:-8000-0000000000001794> <1400265025296> <BEA-000000> <  cert[0] = Serial number: 85355980927748066409252166003794705697
Issuer:C=US, O=U.S. Government, OU=DoD, OU=NRO, OU=CA, CN=CAD CA 1
Subject:C=US, O=U.S. Government, OU=DoD, OU=NRO, CN=weblogic
Not Valid Before:Fri May 09 16:24:56 EDT 2014
Not Valid After:Sun Jun 14 09:59:16 EDT 2015
Signature Algorithm:SHA1withRSA
####<May 16, 2014 2:30:25 PM EDT> <Debug> <SecuritySSL> <> <oam_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <114848da72d7dcfc:-3a0c05c9:14605a3f20e:-8000-0000000000001794> <1400265025296> <BEA-000000> <  cert[1] = Serial number: 207182277780947434404477757924094648847
Issuer:C=US, O=U.S. Government, OU=DoD, OU=NRO, CN=ISED lab Root
Subject:C=US, O=U.S. Government, OU=DoD, OU=NRO, OU=CA, CN=CAD CA 1
Not Valid Before:Thu Jun 14 10:00:16 EDT 2012
Not Valid After:Sun Jun 14 10:00:16 EDT 2015
Signature Algorithm:SHA1withRSA
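The chain-validation records above, together with the "verification of the certificates" mentioned for the oam_server1 log earlier in the post, can be checked mechanically rather than by eye. The following Python script is an added example, not code from the original post and not Oracle code: it parses the cert[N] entries out of a WebLogic SecuritySSL debug trace, checks that each certificate's Issuer equals the next certificate's Subject, that the last Issuer is one of the roots imported into .oamkeystore (TRUSTED_ROOTS is an assumption built from the ISED lab Root DN shown in the trace), that every certificate is valid at the handshake time, and flags SHA1withRSA signatures as weak. It also extracts the leaf CN, which is the value the X509 scheme later looks up as cn= in OUD. The sample trace is constructed from the two cert[N] entries above with the long record prefix shortened.

```python
import re
from datetime import datetime

# Constructed sample: the two cert[N] entries from the oam_server1 SSL debug
# trace quoted above, with the long WebLogic record prefix shortened.
SAMPLE_DEBUG = """\
####<May 16, 2014 2:30:25 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <  cert[0] = Serial number: 85355980927748066409252166003794705697
Issuer:C=US, O=U.S. Government, OU=DoD, OU=NRO, OU=CA, CN=CAD CA 1
Subject:C=US, O=U.S. Government, OU=DoD, OU=NRO, CN=weblogic
Not Valid Before:Fri May 09 16:24:56 EDT 2014
Not Valid After:Sun Jun 14 09:59:16 EDT 2015
Signature Algorithm:SHA1withRSA
####<May 16, 2014 2:30:25 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <  cert[1] = Serial number: 207182277780947434404477757924094648847
Issuer:C=US, O=U.S. Government, OU=DoD, OU=NRO, CN=ISED lab Root
Subject:C=US, O=U.S. Government, OU=DoD, OU=NRO, OU=CA, CN=CAD CA 1
Not Valid Before:Thu Jun 14 10:00:16 EDT 2012
Not Valid After:Sun Jun 14 10:00:16 EDT 2015
Signature Algorithm:SHA1withRSA
"""

# Assumed trust anchors: subject DNs of the root certificates imported into
# .oamkeystore (the ISED lab Root DN is taken from the trace above).
TRUSTED_ROOTS = {"C=US, O=U.S. Government, OU=DoD, OU=NRO, CN=ISED lab Root"}

CERT_HDR = re.compile(r"cert\[(\d+)\]\s*=\s*Serial number:\s*(\d+)")
FIELD = re.compile(r"^(Issuer|Subject|Not Valid Before|Not Valid After|Signature Algorithm):(.*)$")
CN_RE = re.compile(r"(?:^|,\s*)CN=([^,]+)")


def parse_chain(text):
    """Return the cert[N] entries of a SecuritySSL trace as dicts, ordered by index."""
    certs, current = [], None
    for line in text.splitlines():
        hdr = CERT_HDR.search(line)
        if hdr:
            current = {"index": int(hdr.group(1)), "serial": hdr.group(2)}
            certs.append(current)
            continue
        if line.startswith("####<"):
            current = None  # some other record; its continuation lines are not cert fields
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return sorted(certs, key=lambda c: c["index"])


def parse_wls_date(text):
    """Parse 'Fri May 09 16:24:56 EDT 2014'. The zone token is dropped because
    strptime's %Z does not accept zone names such as EDT."""
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def leaf_cn(certs):
    """CN of cert[0]; this is what OAM's X509 scheme maps to the LDAP cn attribute."""
    match = CN_RE.search(certs[0]["Subject"])
    return match.group(1) if match else None


def check_chain(certs, trusted_roots, at, weak_algs=("SHA1withRSA", "MD5withRSA")):
    """Return a list of findings; an empty list means the chain checks out at time `at`
    (a datetime or an ISO-8601 string)."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    findings = []
    for i, cert in enumerate(certs):
        not_before = parse_wls_date(cert["Not Valid Before"])
        not_after = parse_wls_date(cert["Not Valid After"])
        if not (not_before <= at <= not_after):
            findings.append(f"cert[{i}] ({cert['Subject']}) is not valid at {at}")
        if cert["Signature Algorithm"] in weak_algs:
            findings.append(f"cert[{i}] is signed with weak algorithm {cert['Signature Algorithm']}")
        # each certificate must be issued by the next one up the chain
        if i + 1 < len(certs) and cert["Issuer"] != certs[i + 1]["Subject"]:
            findings.append(f"cert[{i}] issuer does not match cert[{i + 1}] subject")
    if certs and certs[-1]["Issuer"] not in trusted_roots:
        findings.append(f"chain does not end at a trusted root: {certs[-1]['Issuer']}")
    return findings


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_DEBUG)
    print("leaf CN:", leaf_cn(chain))
    # timestamp of the trace records above
    for finding in check_chain(chain, TRUSTED_ROOTS, "2014-05-16T14:30:25") or ["chain OK"]:
        print(finding)
```

Run against the sample, the only findings are the two SHA1withRSA signatures; pass weak_algs=() to suppress that check, or a later timestamp to see the validity check fire once the intermediate has expired.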

When using Firefox and passing your SSL certificate to the server, if the "Remember this decision" box is checked, Firefox will not prompt you again for the cert:

While testing, it's good to reset this behavior so that you will be always prompted to select a certificate to present to the server.  To do this, from Firefox Tools -> Options -> Privacy -> clear your recent history:

Check Active Logins and un-check everything else and click Clear Now.  This will prompt for a client cert to be selected.

Oracle Access Manager (OAM) and Oracle Unified Directory (OUD) Integration

Oracle Access Manager (OAM) and Oracle Unified Directory (OUD) and WebLogic 10.3.6 Integration

OAM and WebLogic installed on svrtst02
OUD and WebLogic installed on svrtst03

Assumptions:  WebLogic 10.3.6 domain has been created on both svrtst02 and svrtst03 and extended for OAM.

Good idea to backup the configuration or server home before proceeding.

Install OUD on svrtst03 in $MW_HOME.

So, svrtst02 has the following installed:

And, svrtst03 has the following installed:

Run oud-setup on svrtst03 either in GUI mode or from the CLI.  The end result is that the following command is executed to create an LDAP directory store:

./oud-setup \
          --cli \
          --baseDN dc=acme,dc=com \
          --addBaseEntry \
          --ldapPort 1389 \
          --adminConnectorPort 4444 \
          --rootUserDN cn=Directory\ Manager \
          --rootUserPasswordFile ****** \
          --doNotStart \
          --ldapsPort 1636 \
          --useJavaKeystore /certs/ \
          --keyStorePasswordFile ****** \
          --certNickname "u.s. government id" \
          --serverTuning autotune \
          --importTuning autotune \
          --no-prompt

The LDAP directory instance is created in $MW_HOME/asinst_1/OUD.
export OUD_HOME=$MW_HOME/asinst_1/OUD

Start the instance as follows:
cd $OUD_HOME/bin

The default listening port is 1389, the SSL port is on 1636 and the management port is on 4444.

The instance can be managed from here:

Create a scripts directory in $OUD_HOME/scripts

Quick check to make sure that everything is up and running, from the CLI:
cd $OUD_HOME/bin
./ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w passw0rd -b "dc=acme,dc=com" "(objectclass=*)"

dn: dc=acme,dc=com
dc: acme
objectClass: domain
objectClass: top

Configuring OUD for OAM

The following links are useful:

From the Oracle documentation:
"Before you can use your LDAP directory as an Identity store, you must preconfigure it. The procedure in this section enables you to preconfigure Oracle Unified Directory (OUD) for using Oracle Unified Directory (OUD) as your LDAP Identity store."

Create the following file in $MW_HOME/asinst_1/OUD/scripts:





Next, import the LDIF into the OUD server:
cd $OUD_HOME/bin
./import-ldif --backendID userRoot --append --ldifFile $OUD_HOME/scripts/OUDContainers.ldif

After installing OUD, configure the OIM proxy users and ACIs needed to communicate with OUD.  Create the OIM admin user, the group and the ACIs:

vi $OUD_HOME/scripts/oudadmin.ldif

dn: cn=systemids,dc=acme,dc=com
changetype: add
objectclass: orclContainer
objectclass: top
cn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=acme,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: passw0rd

dn: cn=oimAdminGroup,cn=systemids,dc=acme,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=acme,dc=com

dn: cn=oracleAccounts,dc=acme,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=oracleAccounts,dc=acme,dc=com")(targetattr =
 "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to
 all attributes"; allow (add, read, search, compare,write, delete, import,export)
 (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=acme,dc=com");)

dn: cn=oimAdminUser,cn=systemids,dc=acme,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

Run the following command to load the above LDIF file:

./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
--bindPassword passw0rd --defaultAdd --filename $OUD_HOME/scripts/oudadmin.ldif

Create a weblogic account

vi $OUD_HOME/scripts/weblogic.ldif

dn: cn=weblogic,cn=systemids,dc=acme,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: weblogic
givenname: weblogic
sn: weblogic
cn: weblogic
uid: weblogic
userPassword: passw0rd

And add it to the LDAP:

./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
--bindPassword passw0rd --defaultAdd --filename $OUD_HOME/scripts/weblogic.ldif

Add weblogic account to the oimAdminGroup

vi $OUD_HOME/scripts/weblogicGroup.ldif

dn: cn=oimAdminGroup,cn=systemids,dc=acme,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=weblogic,cn=systemids,dc=acme,dc=com

And add it to the LDAP:

./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
--bindPassword passw0rd --defaultAdd --filename ../scripts/weblogicGroup.ldif

Add the global-aci to the changelog node in OUD (I think this is only necessary if you set up replication.  See the documentation listed above for more information).

cd $OUD_HOME/bin

./dsconfig ->
2. Authentication and Authorization ->
2. Access Control Handler ->
1. View and edit the Access Control Handler ->
2. global-aci ->
2. Add one or more values ->

(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow(read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=acme,dc=com";)

Delete this one:
(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)

q from dsconfig

Start OAM...
Configuration -> User Identity Stores

From OAM ID Stores, click Create

Store Name: OUD
Store Type: OUD: Oracle Unified Directory
Login ID Attribute: uid
User Password Attribute: userPassword
User Search Base: dc=acme,dc=com
User Filter Object Class: inetOrgPerson
Group Search Base: dc=acme,dc=com

Test the connection and if successful, click Apply:

Change the Default Store to OUD:

And click Apply

Change the System Store to OUD and click the green plus sign to add users:

Click Search and add the selected users:

Then click Apply:

Click OK and enter a valid administrator username and password to validate the system administrator account:

Click Validate.  The error "Group oimAdminGroup is already a member" can be ignored.

Now configure the IDMDomainAgent to use the new OUD store:

Launch Pad -> Access Manager -> Authentication Modules

Click Search, then select LDAP.  Change User Identity Store to OUD and click Apply:

Sign out and then sign back in.  The new credential store is in use now.

One way to confirm is to check the OUD access logs on svrtst03.

cd $OUD_HOME/logs

Do a tail -f access and logon to Oracle Access Manager.  Typical output is shown below from the access log:

[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11517 op=23 msgID=24 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(uid=weblogic))" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11517 op=23 msgID=24 result=0 nentries=1 etime=3
[06/May/2014:10:33:56 -0400] BIND REQ conn=11526 op=3 msgID=4 type=SIMPLE dn="cn=weblogic,cn=systemids,dc=acme,dc=com"
[06/May/2014:10:33:56 -0400] BIND RES conn=11526 op=3 msgID=4 result=0 authDN="cn=weblogic,cn=systemids,dc=acme,dc=com" etime=2
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11517 op=24 msgID=25 base="cn=weblogic,cn=systemids,dc=acme,dc=com" scope=base filter="(objectclass=inetOrgPerson)" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11517 op=24 msgID=25 result=0 nentries=1 etime=2
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11529 op=35 msgID=36 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(uid=weblogic))" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11529 op=35 msgID=36 result=0 nentries=1 etime=3
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11529 op=36 msgID=37 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=groupofuniquenames)(uniquemember=cn=weblogic,cn=systemids,dc=acme,dc=com))" attrs="orgunit,mail,cn,description,name,orclguid,rolecategory,org,objectclass,displayname"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11529 op=36 msgID=37 result=0 nentries=1 etime=2
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11529 op=37 msgID=38 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=groupofuniquenames)(uniquemember=cn=oimAdminGroup,cn=systemids,dc=acme,dc=com))" attrs="orgunit,mail,cn,description,name,orclguid,rolecategory,org,objectclass,displayname"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11529 op=37 msgID=38 result=0 nentries=0 etime=1
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11529 op=38 msgID=39 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(uid=weblogic))" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11529 op=38 msgID=39 result=0 nentries=1 etime=3
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11529 op=39 msgID=40 base="cn=weblogic,cn=systemids,dc=acme,dc=com" scope=base filter="(objectclass=inetOrgPerson)" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11529 op=39 msgID=40 result=0 nentries=1 etime=1
[06/May/2014:10:33:57 -0400] SEARCH REQ conn=11529 op=40 msgID=41 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(uid=weblogic))" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:57 -0400] SEARCH RES conn=11529 op=40 msgID=41 result=0 nentries=1 etime=3
[06/May/2014:10:33:57 -0400] SEARCH REQ conn=11529 op=41 msgID=42 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=groupofuniquenames)(uniquemember=cn=weblogic,cn=systemids,dc=acme,dc=com))" attrs="orgunit,mail,cn,description,name,orclguid,rolecategory,org,objectclass,displayname"
[06/May/2014:10:33:57 -0400] SEARCH RES conn=11529 op=41 msgID=42 result=0 nentries=1 etime=1
[06/May/2014:10:33:57 -0400] SEARCH REQ conn=11529 op=42 msgID=43 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=groupofuniquenames)(uniquemember=cn=oimAdminGroup,cn=systemids,dc=acme,dc=com))" attrs="orgunit,mail,cn,description,name,orclguid,rolecategory,org,objectclass,displayname"
[06/May/2014:10:33:57 -0400] SEARCH RES conn=11529 op=42 msgID=43 result=0 nentries=0 etime=2
[06/May/2014:10:34:02 -0400] CONNECT conn=11544 from= to= protocol=LDAP
[06/May/2014:10:34:02 -0400] DISCONNECT conn=11544 reason="Client Disconnect"
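The access-log excerpt above, and the one earlier in the post for the X509 login (where the user search is on cn=weblogic instead of uid=weblogic and no BIND follows), are the main evidence that OAM is using the OUD store and looking users up by the attribute you expect. The following Python script is an added example, not part of the original post and not Oracle code: it parses OUD access-log lines into records, reports which attribute OAM searched on when looking up inetOrgPerson entries, summarises operations per connection, and pairs each BIND REQ with its BIND RES by connection and operation id so that failed binds (result other than 0) can be counted per DN. The sample log is constructed: some lines are trimmed from the excerpts in the post (attrs lists shortened), while the result=49 lines and the 192.0.2.x client addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines trimmed from the OUD access-log excerpts in the post
# (attrs lists shortened), plus made-up result=49 lines and 192.0.2.x addresses.
SAMPLE_LOG = """\
[21/May/2014:15:50:04 -0400] SEARCH REQ conn=29429 op=15 msgID=16 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(cn=weblogic))" attrs="uid,cn,sn"
[21/May/2014:15:50:04 -0400] SEARCH RES conn=29429 op=15 msgID=16 result=0 nentries=1 etime=2
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11517 op=23 msgID=24 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(uid=weblogic))" attrs="uid,cn,sn"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11517 op=23 msgID=24 result=0 nentries=1 etime=3
[06/May/2014:10:33:56 -0400] BIND REQ conn=11526 op=3 msgID=4 type=SIMPLE dn="cn=weblogic,cn=systemids,dc=acme,dc=com"
[06/May/2014:10:33:56 -0400] BIND RES conn=11526 op=3 msgID=4 result=0 authDN="cn=weblogic,cn=systemids,dc=acme,dc=com" etime=2
[06/May/2014:10:35:10 -0400] BIND REQ conn=11550 op=1 msgID=2 type=SIMPLE dn="cn=weblogic,cn=systemids,dc=acme,dc=com"
[06/May/2014:10:35:10 -0400] BIND RES conn=11550 op=1 msgID=2 result=49 message="Invalid Credentials" etime=1
[06/May/2014:10:35:11 -0400] BIND REQ conn=11550 op=2 msgID=3 type=SIMPLE dn="cn=weblogic,cn=systemids,dc=acme,dc=com"
[06/May/2014:10:35:11 -0400] BIND RES conn=11550 op=2 msgID=3 result=49 message="Invalid Credentials" etime=1
[06/May/2014:10:34:02 -0400] CONNECT conn=11544 from=192.0.2.10:51234 to=192.0.2.3:1389 protocol=LDAP
[06/May/2014:10:34:02 -0400] DISCONNECT conn=11544 reason="Client Disconnect"
"""

# [timestamp] OPERATION [REQ|RES] key=value ...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"
    r"(?P<operation>CONNECT|DISCONNECT|BIND|UNBIND|SEARCH|MODIFY|ADD|DELETE|COMPARE)"
    r"(?:\s+(?P<phase>REQ|RES))?\s*(?P<rest>.*)$"
)
# key=value pairs; quoted values may contain spaces, unquoted ones may be empty
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# attribute used for the user lookup inside a filter, e.g. (uid=weblogic) or (cn=weblogic)
IDENT_RE = re.compile(r"\((?!objectclass=)(\w+)=[^()]+\)", re.IGNORECASE)


def parse_line(line):
    match = LINE_RE.match(line)
    if not match:
        return None
    record = {"ts": match.group("ts"), "operation": match.group("operation"),
              "phase": match.group("phase")}
    for key, value in KV_RE.findall(match.group("rest")):
        record[key] = value[1:-1] if value.startswith('"') else value
    return record


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def identity_lookup_attrs(records):
    """Count which attribute OAM searched on when it looked up inetOrgPerson entries."""
    counts = Counter()
    for r in records:
        if r["operation"] == "SEARCH" and r["phase"] == "REQ" \
                and "inetorgperson" in r.get("filter", "").lower():
            for attr in IDENT_RE.findall(r["filter"]):
                counts[attr.lower()] += 1
    return dict(counts)


def connection_summary(records):
    """Operations per connection, counted once per request (or per connect/disconnect)."""
    summary = defaultdict(Counter)
    for r in records:
        if r["phase"] in (None, "REQ"):
            summary[r.get("conn")][r["operation"]] += 1
    return {conn: dict(ops) for conn, ops in summary.items()}


def failed_binds(records):
    """Pair BIND REQ with BIND RES on (conn, op) and return the failed ones with their DN."""
    pending, failures = {}, []
    for r in records:
        if r["operation"] != "BIND":
            continue
        key = (r.get("conn"), r.get("op"))
        if r["phase"] == "REQ":
            pending[key] = r.get("dn", "")
        elif r["phase"] == "RES":
            dn = pending.pop(key, "<unmatched>")
            if r.get("result", "0") != "0":
                failures.append({"ts": r["ts"], "conn": r.get("conn"), "dn": dn,
                                 "result": r["result"], "message": r.get("message", "")})
    return failures


def bind_failures_by_dn(records, threshold=1):
    """DNs with at least `threshold` failed binds, for a simple abuse/lockout check."""
    counts = Counter(f["dn"] for f in failed_binds(records))
    return {dn: n for dn, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("lookup attributes:", identity_lookup_attrs(recs))
    print("per connection:", connection_summary(recs))
    print("failed binds by DN:", bind_failures_by_dn(recs, threshold=2))
```

On the sample the lookup attributes come out as one search on cn (the X509 login) and one on uid (the password login), and the two result=49 responses on conn=11550 are attributed to the weblogic system account because the REQ/RES pairing is done on (conn, op) rather than by line adjacency, which is what you need on a busy server where operations interleave.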

WebLogic Integration

On svrtst02, login to WebLogic.

Security Realms -> my realm -> Providers

From Authentication Providers, click New

Select LDAP Authenticator for Type and click OK.

From Authentication Providers, click on OUD_LDAP:

Under the Common tab, change Control Flag to SUFFICIENT:

Click on the Provider Specific tab and enter the relevant information for the new provider:

Click Save to complete.