Monday, February 28, 2011

Look Inside WebLogic Server Embedded LDAP with an LDAP Explorer

This blog was originally posted on http://blogs.oracle.com/jamesbayer when I worked for Oracle.

Today a question came up on our internal WebLogic Server mailing lists about an issue deleting a Group from WebLogic Server. The group had a special character in the name. The WLS console refused to delete the group with the message a java.net.MalformedURLException and another message saying “Errors must be corrected before proceeding.” as shown below. The group aa:bb is the one with the issue. Click to enlarge.

specialName

WebLogic Server includes an embedded LDAP server that can be used for managing users and groups for “reasonably small environments (10,000 or fewer users)”. For organizations scaling larger or using more high-end features, I recommend looking at one of Oracle’s very popular enterprise directory services products like Oracle Internet Directory or Oracle Directory Server Enterprise Edition. You can configure multiple authenicators in WebLogic Server so that you can use multiple directories at the same time.

I am not sure WebLogic Server supports special characters in group names for the Embedded LDAP server, but in this case both the console and WLST reported the same issue deleting the group with the special character in the name. Here’s the WLST output:

wls:/hotspot_domain/serverConfig/SecurityConfiguration/hotspot_domain/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator> cmo.removeGroup('aa:bb')

Traceback (innermost last):

  File "<console>", line 1, in ?

weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090296]invalid URL ldap:///ou=people,ou=myrealm,dc=hotspot_domain??sub?(&(objectclass=person)(wlsMemberOf=cn=aa:bb,ou=groups,ou=myrealm,dc=hotspot_domain))

        at weblogic.security.providers.authentication.LDAPAtnGroupMembersNameList.advance(LDAPAtnGroupMembersNameList.java:254)

        at weblogic.security.providers.authentication.LDAPAtnGroupMembersNameList.<init>(LDAPAtnGroupMembersNameList.java:119)

        at weblogic.security.providers.authentication.LDAPAtnDelegate.listGroupMembers(LDAPAtnDelegate.java:1392)

        at weblogic.security.providers.authentication.LDAPAtnDelegate.removeGroup(LDAPAtnDelegate.java:1989)

        at weblogic.security.providers.authentication.DefaultAuthenticatorImpl.removeGroup(DefaultAuthenticatorImpl.java:242)

        at weblogic.security.providers.authentication.DefaultAuthenticatorMBeanImpl.removeGroup(DefaultAuthenticatorMBeanImpl.java:407)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

        at java.lang.reflect.Method.invoke(Method.java:597)

        at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437)

        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)

        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)

        at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)

        at java.security.AccessController.doPrivileged(Native Method)

        at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)

        at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:263)

        at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)

        at java.security.AccessController.doPrivileged(Native Method)

        at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)

        at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:444)

        at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:323)

        at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11$1.run(JMXConnectorSubjectForwarder.java:663)

        at java.security.AccessController.doPrivileged(Native Method)

        at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11.run(JMXConnectorSubjectForwarder.java:661)

        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)

        at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.invoke(JMXConnectorSubjectForwarder.java:654)

        at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1427)

        at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)

        at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1265)

        at java.security.AccessController.doPrivileged(Native Method)

        at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1367)

        at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)

        at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source)

        at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667)

        at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522)

        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)

        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)

        at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)

        at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)

        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)

        at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)

Caused by: java.net.MalformedURLException

        at netscape.ldap.LDAPUrl.readNextConstruct(LDAPUrl.java:651)

        at netscape.ldap.LDAPUrl.parseUrl(LDAPUrl.java:277)

        at netscape.ldap.LDAPUrl.<init>(LDAPUrl.java:114)

        at weblogic.security.providers.authentication.LDAPAtnGroupMembersNameList.advance(LDAPAtnGroupMembersNameList.java:224)

        ... 41 more


It’s fairly clear that in order to work that the : character needs to be URL encoded to %3A or similar. But all is not lost, there is another way. You can configure an LDAP Explorer like JXplorer to WebLogic Server Embedded LDAP and browse/edit the entries.

Follow the instructions here, being sure to change the authentication credentials to the Embedded LDAP server to some value you know, as by default they are some unknown value. You’ll need to reboot the WebLogic Server Admin Server after making this change.

Now configure JXplorer to connect as described in the documentation. I’ve circled the important inputs. In this example, my domain name is “hotspot_domain” which listens on the localhost listen address and port 7001. The cn=Admin user name is a constant identifier for the Administrator of the embedded LDAP and that does not change, but you need to know what it is so you can enter it into the tool you use.

ldapExplorer

Once you connect successfully, you can explore the entries and in this case delete the group that is no longer desired.

ldap2

No comments: