WL6.0 LDAP Realm problems

Similar Messages

• Installing LDAP realm Problem

  Hi,
  I'm trying to configure Netsacape Directory Server 4.1 to work with the
  LDAP Security Realm Update for WebLogic Server 6.1. The Weblogic Server
  is unable to connect to NDS and there is not error message to indicate
  any exception. I have connect to the NDS using a LDAP browser using the
  same principal and credential in the ldaprealm.properties file and was
  able to establish connection.
  Has anyone encountered the same problem? Any help is appreciated.
  Thank you,
  PY

  Humm,
  I have heard of different people with the same name but with the same
  email address. Strange...
  Will the person who did the posting below please email me. You've
  already have my email address.
  Han.
  "Ng, Wey-Han" <[email protected]> wrote in message news:<[email protected]>...
  Hi,
  I'm trying to configure Netsacape Directory Server 4.1 to work with the
  LDAP Security Realm Update for WebLogic Server 6.1. The Weblogic Server
  is unable to connect to NDS and there is not error message to indicate
  any exception. I have connect to the NDS using a LDAP browser using the
  same principal and credential in the ldaprealm.properties file and was
  able to establish connection.
  Has anyone encountered the same problem? Any help is appreciated.
  Thank you,
  PY

• Problem configure Ldap realm with multi master Ldap server

  I have a multimaster Directory Server (Ldap) eg: LdapMaster01 & LdapMaster02.
  I configured the realm Ldap:
  realm= myLdapRealm
  class name =com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
  jaas-context = myLdapRealm
  directory = ldap://LdapMaster01:389
  base-dn = ou=my_APP, ou=Applications, dc=devinc, dc=com
  search-bind-dn = cn=Directory Manager
  search-bind-password = 99999999So how can i configure realm to automatically switch to LdapMaster02 when the LdapMaster01 is not up?
  Thanks in advance

  Probably you need an external intelligent
  loadbalancer unit, that receives all requests for an
  DNS like 'LdapMaster' and reroutes the traffic to
  LdapMaster01 or LdapMaster02.
  If one LdapMaster ist not available then the
  loadbalancer is responsible to route all requests
  only to the available server.Thank you very much. :)
  I found other post on the internet about this, and yes, probably the only way is a loadbalancer.
  Another way is to write a custum realm impl that receives the server list and try to connect until an available server is found.

• Ldap realm won't recognise group members...

  I've modified the defaultLDAPRealmForNovellDirectoryServices to talk to
  Novell e-directory v8.6.
  The Weblogic console correctly displays my Ldap groups. I have custom ACL's
  defined (in the filerealm, (Jerry - I'm also baffled how to do this in
  Ldap)) with permissions granted to my Ldap groups of which my Ldap user is a
  memeber. This user is authenticated (can logon) correctly but can't perform
  actions that their group permissions permit. (Users defined in the file
  realm with this permission have no problem).
  I can only think that the Ldap group is not recognising its members. This
  is, of course, impossible to test as listing members of a group has been
  disabled in Ldap realm v2....
  If anyone has encountered such a problem, or can see an obvious solution,
  cheers, very grateful.
  <CustomRealm
  ConfigurationData="user.filter=(&(cn=%u)(objectclass=person));user.dn=ou
  =people, dc=ftid,
  dc=com;server.principal=cn=Admin,dc=ftid,dc=com;membership.filter=(&(uni
  queMember=%M)(objectclass=groupOfNames));group.filter=(&(cn=%g)(objectcl
  ass=groupOfNames));server.host=localhost
  server.port=389;server.ssl=false;group.dn=ou=Groups, dc=ftid, dc=com"
  Name="defaultLDAPRealmForNovellDirectoryServices"
  Notes="No notes" Password="{3DES}q4+IymeHqO2H/zvRdQK5oA=="
  RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"/>
  Ldif export for my group.
  dn: cn=LdapUpdaterPrincipal, ou=Groups, dc=ftid, dc=com
  equivalentToMe: cn=tom,ou=people,dc=ftid,dc=com
  objectClass: groupOfNames
  objectClass: top
  uniqueMember: cn=tom,ou=people,dc=ftid,dc=com
  uniqueMember: cn=andy,ou=people,dc=ftid,dc=com
  ACL: 2#entry#[Root]#uniqueMember
  cn: LdapUpdaterPrincipal
  I'm using wl6.1 sp2.
  Cheers,
  Alan.

  solved, sorry, it was a problem with the principal-name in the
  weblogic-ejb-jar file not mapping to the correct group name...
  Alan
  "Alan Phillips" <alan.phillips@|remove|ftid.com> wrote in message
  news:3c690985$[email protected]..
  I've modified the defaultLDAPRealmForNovellDirectoryServices to talk to
  Novell e-directory v8.6.
  The Weblogic console correctly displays my Ldap groups. I have customACL's
  defined (in the filerealm, (Jerry - I'm also baffled how to do this in
  Ldap)) with permissions granted to my Ldap groups of which my Ldap user isa
  memeber. This user is authenticated (can logon) correctly but can'tperform
  actions that their group permissions permit. (Users defined in the file
  realm with this permission have no problem).
  I can only think that the Ldap group is not recognising its members. This
  is, of course, impossible to test as listing members of a group has been
  disabled in Ldap realm v2....
  If anyone has encountered such a problem, or can see an obvious solution,
  cheers, very grateful.
  <CustomRealm
  ConfigurationData="user.filter=(&(cn=%u)(objectclass=person));user.dn=ou
  =people, dc=ftid,
  dc=com;server.principal=cn=Admin,dc=ftid,dc=com;membership.filter=(&(uni
  >
  queMember=%M)(objectclass=groupOfNames));group.filter=(&(cn=%g)(objectcl
  ass=groupOfNames));server.host=localhost
  server.port=389;server.ssl=false;group.dn=ou=Groups, dc=ftid, dc=com"
  Name="defaultLDAPRealmForNovellDirectoryServices"
  Notes="No notes" Password="{3DES}q4+IymeHqO2H/zvRdQK5oA=="
  RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"/>
  Ldif export for my group.
  dn: cn=LdapUpdaterPrincipal, ou=Groups, dc=ftid, dc=com
  equivalentToMe: cn=tom,ou=people,dc=ftid,dc=com
  objectClass: groupOfNames
  objectClass: top
  uniqueMember: cn=tom,ou=people,dc=ftid,dc=com
  uniqueMember: cn=andy,ou=people,dc=ftid,dc=com
  ACL: 2#entry#[Root]#uniqueMember
  cn: LdapUpdaterPrincipal
  I'm using wl6.1 sp2.
  Cheers,
  Alan.

• LDAP realm in Weblogic

  I am using Netscape Directory Service 4.2. I want to use LDAP realm for authentication from Weblogic 5.1. I have created a principal(kevink - username and cambridge - group) in NDS. I have created a servlet and registered in Weblogic giving permission to execute the servlet to the above username and group. I have the following entry in my weblogic properties file weblogic.allow.execute.weblogic.servlet.helloWorld=\ kevink, cambridge
  I have also created the LDAPRealm.properties file in my weblogic home directory.
  When I start weblogic with the LDAP debug mode on, I get the following messages
  Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non existent principal "kevink" - ignoring principal ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "kevink" - i noring principal
  Mon May 01 14:38:52 EDT 2000:<W> <CachingRealm> ACL "weblogic.servlet.helloWorld" contains non- existent principal "cambridge" - ignoring principal ******** Error: ACL "weblogic.servlet.helloWorld" contains non-existent principal "cambridge" - ignoring principal
  Any ideas to solve this problem are welcome Ram

  Yep. And if your LDAP realm is hooked up correctly, you'll see groups from your ldap realm
  in the weblogic console, under the Security->Groups tab on the frame to the left.
  Keep in mind that you will not see users from your LDAP server under the Security->Users
  tab. This is expected behavior. But if you see the groups, then you've most likely hooked
  up the LDAP realm the right way ...
  Joe Jerry
  Vishwanath Kumar wrote:
  Hello Kumar,
  I am attaching a small portion of config.xml which contains LDAP settings . Please change
  this according to your LDAP server configuration and test it . I hope this should help
  you out.
  You also need to create a caching realm and then hook up that caching realm to this LDAP
  realm .
  For more information this URL should be helpful:
  http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1071872
  here is portion of config.xml
  <LDAPRealm AuthProtocol="simple" Credential="dropdead"
  GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
  GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
  LDAPURL="ldap://mmanson:389"
  Name="defaultLDAPRealmForNetscapeDirectoryServer"
  Notes="This is provided as an example. Before enabling this Realm, you must edit
  the configuration parameters as appropriate for your environment."
  Principal="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
  UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
  UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
  kumar wrote:
  Hi,
  I have tried to configure LDAP realm in weblogic, but I think it is not configured
  correctly. And I don't know how to test it. Can anybody send me the sample config.xml
  having LDAP realm configured correctly. Please send me a sample program to access
  LDAP realm via weblogic.
  Thx--
  Vishwanath Kumar
  Developer Relations Engineer
  BEA Systems, Inc.

• Trying to setup a LDAP Realm

  I'm runing WLS6.0 SP2 and I'm trying to set up a LDAP realm to talk to a openldap
  server. I'm on Win2k and have it installed as a service.
  I can connect to the server via a ldap browser, and I have a user in the ldap
  tree with a clear text password.
  I created a LDAP realm but I can't find where to configure WebLogic to use that
  LDAP realm for authentication.
  thanks
  joe

  I guess they don't use the LDAP Realm in Weblogic, you should create your custom
  realm that access to AD and return user/group enumerations, acl's, etc...
  I'm able to access to AD using jdk1.4, and I have my custom realm, the only
  problem is wl uses jdk1.3 (+jaas) and I couldn't connect to AD with the old jaas,
  because it didn't support kerberos authentication. A more complete jaas it's included
  in jdk1.4
  Regards,
  Marc
  "Roy Cornell" <[email protected]> wrote:
  Great news, Scott. I hope you don't mind answering the three questions
  below:
  1. Which LDAP realm ***version*** did you use : V1 or V2?
  2. Which LDAP realm type did you specify during the configuration: "MS
  Site
  Server" or other ?
  3. Did you encounter any problems during the integration?
  Thanks a lot.
  Roy
  "Scott Harger" <[email protected]> wrote in message
  news:3b794a7c$[email protected]..
  We have been able to get the LDAP realm (6.0 SP1) to work with Active
  Directory.
  Scott
  "Roy Cornell" <[email protected]> wrote in message
  news:3b72eb32$[email protected]..
  I've got the same question (posted it yesterday). Please, Please,
  Please,
  could somebody reply.
  "Andrew Wallace" <[email protected]> wrote in message
  news:3b72ce38$[email protected]..
  Somehow my last message got truncated. Here's the full deal:
  We're trying to setup an LDAP realm in a microsoft-centric environment
  (Windows 2000). All the documentation from BEA that I've found
  talks
  about MS Site Server, which, as near as I can find, is not an LDAPserver.
  So - can I use MS Active Directory on Win2k? Is it functionally
  the
  same
  thing? Does the MS template in LDAP Realm V2 support it? Does anyone
  have success or horror stories about using AD?
  thanks,
  andy

• LDAP realm with Active Directory

  Hello,
  In the sun one app server admin console i have set the security role to LDAP.
  I have set up security roles in my web.xml such as this:
  <security-role>
  <description>This role represents administrators of the system, see actor administrators</description>
  <role-name>administrators</role-name>
  </security-role>
  ..and mapped the roles to groups in sun-application as follows:
  <security-role-mapping>
  <role-name>administrators</role-name>
  <group-name>CMS_PM</group-name>
  <principal-name>rlancett</principal-name>
  </security-role-mapping>
  My user and group information is stored in Active Directory so I have tried to configure the ldap realm in the admin console to get it working. These are the settings i have put in:
  directory: ldap://earth.tier2consulting.com:389
  base-dn: cn=Users,dc=tier2consulting,dc=com
  jaas-context: ldapRealm
  search-bind-dn: cn=administrator,cn=Users,dc=domain,dc=com
  search-bind-password: ******
  search-filter: sAMAccountName=%s
  I get the error message :javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
  WARNING: va:850)
  FINEST: JAAS authentication aborted.
  INFO: SEC5046: Audit: Authentication refused for [administrator].
  I am pretty stuck on this having looked arounds all the forums:
  Has anyone got sun one app server using Active Directory to get user/group information for security roles?
  Thanks.

  Howdy,
  I don't have a solution to your problem, but maybe this tid-bit will help in debugging with Active Directory error messages. I'm new to AD, so excuse me if everyone already knows this, but...
  The error message you get back from the directory contains an error code in hexidecimal:
  LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
  If you translate '525' from hex to decimal you get '1317' which is the error message you can look up here:
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp
  1317 - ERROR_NO_SUCH_USER - The specified user does not exist.
  It took me a while to find this tip, so I thought I'd share it. Oh, and the easy way to get decimal from hexidecimal is:
  System.out.println( "Here is 525 in decimal: " + Integer.parseInt("525", 16));
  Okay, hope this helps somebody.
  Now it's up to you to find out why it can't find the administrator!
  Craig

• LDAP realm for authentication and ACL in Database

  We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
  Can we use LDAP realm for authentication and manage our ACL from a Database? or do we have to use the weblogic.properties file? Do the weblogic security API help in the above scenario? Thanks Ram

  Unfortunately, there is no easy way to do this in wls 6.0.
  The only way to handle it is to write your own custom realm
  that uses ldap for users and groups and a database for acls -
  probably not a viable alternative.
  -Tom
  "kevin doherty" <[email protected]> wrote:
  >
  Jeffrey Hirsch <[email protected]> wrote:
  You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
  I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
  Thanks!
  -kd

• BASIC/LDAP Realm Authentication

  I am trying to protect access to my Web Application using BASIC
  Authentication based on an LDAPRealm that I have configured. I want all
  users that try to access anything in my Web App to have to log in first,
  based on their information in the LDAP server.
  My web.xml file looks as such.
  <web-app>
  <display-name>LDAPSpike</display-name>
  <servlet>
  <servlet-name>TestServlet</servlet-name>
  <servlet-class>test.TestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/test</url-pattern>
  </servlet-mapping>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ActiveDirectoryCachingRealm</realm-name>
  </login-config>
  </web-app>
  Do I need to setup a <security-constraint> tag or a <security-role> tag? if
  so what role do I use? I just want ANY user the be authenticated by using
  the LDAP Realm (in this case ActiveDirectory as an LDAP Server)
  Thanks in advance for the help...
  Frank
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Frank Febbraro
  Senior Software Engineer

  Plamen Petrov wrote:
  I am having similar problem. I managed to grant access
  to individual users and groups in the LDAP server, but
  what I want to do is to give access to everyone in
  the LDAP directory without explicitly specifiyng his
  name or group membership.Create a group "everyone" in LDAP as a workaround.
  Cheers,
  Alexander Petrushko
  mailto:[email protected]
  Consulting Services available
  Freemarker vs JSP:
  http://javaworld.com/javaworld/jw-01-2001/jw-0119-freemarker.html

• HTTP Basic Autnetication - LDAP Realm

  Hi,
  I have developed a SOAP webservice in BPEL 2.0 [ JBI ] and added the HTTP basic authentication on top of it ( added the policy ). I have used LDAP realm to authenticate the users from the LDAP server and its working fine.
  Below is the code snippet of the WSDL used to point to LDAP realm.
      <service name="casaService1">
          <port name="casaPort1" binding="tns:casaBinding1">
              <soap:address
  location="http://localhost:9080/SOAPWSService/SOAPWS"/>
              <wsp:PolicyReference URI="#HttpBasicAuthBindingLdapRealmPolicy"/>
          </port>
      </service>
          <wsp:Policy wsu:Id="HttpBasicAuthBindingLdapRealmPolicy">
          <mysp:MustSupportBasicAuthentication on="true">
              <mysp:BasicAuthenticationDetail>
                 <mysp:Realm realmName="LdapRealm" />
              </mysp:BasicAuthenticationDetail>
          </mysp:MustSupportBasicAuthentication>
      </wsp:Policy>
  The LDAP realm details from the Glassfish Server are as below:
  JAAS Context - ldapRealm
  Directory - ldap://localhost:389
  Based DN - dc=example,dc=com
  Bind DN - cn=Directory Manager
  Password - ldap123
  Now i would like to provide access to only users in a particular group. I have updated the Assigned Groups in the LDAP realm ( admin console ) to the group for which i would like to provide access to. But its not working.
  For webservices developed using EJB,we can use the web.xml , sun-web.xml,deployment descriptor files to add roles and map groups to this roles.
  But how do we implement the same in OpenESB ( service assemblies ). Do we have to modify the WSDL ? Please share some info if anyone has worked on this before.
  Thanks,
  Kris.

  Plamen Petrov wrote:
  I am having similar problem. I managed to grant access
  to individual users and groups in the LDAP server, but
  what I want to do is to give access to everyone in
  the LDAP directory without explicitly specifiyng his
  name or group membership.Create a group "everyone" in LDAP as a workaround.
  Cheers,
  Alexander Petrushko
  mailto:[email protected]
  Consulting Services available
  Freemarker vs JSP:
  http://javaworld.com/javaworld/jw-01-2001/jw-0119-freemarker.html

• User and group handling in LDAP Realm

  Hi,
  I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
  I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
  Any help much appreciated.
  Dave

  Hi Dave:
  In our project, we use security realm (LDAP realm) for Users and Groups authentication. We turned the CacheRealm on to optimize performance. To add and amend Users and Groups, we use a stateless EJB to talk to LDAP server. This kind of partition works fine for us to separate the user authentication
  logic and user management logic.
  Fun
  Dave Horner wrote:
  Hi,
  I'm currently using an LDAP Realm for storing users and groups, which I need to be able to add, amend and remove at runtime.
  I understand that in earlier versions of Weblogic, the methods to do the add/remove/modify were not implemented but I was told that this may change in WL6. If so, is there any documentation or examples about these methods ? If not, would I need to extend ManageableRealm to create a custom realm ?
  Any help much appreciated.
  Dave

• OptimizeIt and LDAP realm

  I have problems running WebLogic 5.1 SP10 with a LDAP realm configured
  I have used the script supplied with my OptimizeIt installation, but WebLogic can't find the ldaprealm.properties file but instead assumes the LDAP hostname ldapserver:389

  We ran into a similar situation where our users were stored in SiteMinder/LDAP.
  So we are going to bulk load all the users into WLI and then synchronize the users
  nightly for any activated and deactivated users. We kept the roles in LDAP different
  from the roles in WLI though. Would like to know if you guys addresses this differently
  Thanks
  Sreeram
  "Peter Giesin" <[email protected]> wrote:
  >
  I am curious to know if anyone is actually running WLI with a LDAP Realm.
  I would
  like to know how you dealt with the fact that the users still need to
  be defined
  in the WLI database so that they can be added to the organization.
  Thanks,
  Pete

• Selecting LDAP Realm V2

  My environment is WL 6.1 SP2.
  I am currently using the LDAP Realm V1 (deprecated) and would like to switch to LDAP
  Realm V2. The problem is that my WL console does not give me the option to configure
  a LDAP Realm V2 when creating a new security realm. The only options I get are: LDAP
  Realm V1, NT Realm, UNIX Realm, RDBMS Realm and Custom Realm.
  I would appreciate it if anybody can tell me what needs to be done to get the configure
  LDAP Realm V2 option.
  Thanks
  Charl

  I have had a custom realm that handles ACLs since 5.1. My question is I want to
  mix it with the out-of-the box ldaprealm v2. I was hoping for a failover mechanism
  where I can supply a custom realm that knows how to authorize and leave it up
  to the canned ldaprealm to authenticate. The filerealm behaves in such a manner,
  does it not.
  I will try your idea about extending the ldaprealm. But, the challenge will be
  in dealing with the delegate.
  "Utpal" <[email protected]> wrote:
  If you extend the weblogic.security.ldaprealmv2.LDAPRealm and implements
  newAcl, deleteAcl, newPermission,
  setPermission etc, I think it's doable.
  =========
  public class weblogic.security.ldaprealmv2.LDAPRealm extends
  weblogic.security.a
  cl.AbstractListableRealm implements weblogic.security.acl.DebuggableRealm
  =========
  -utpal
  "Utpal" <[email protected]> wrote in message
  news:[email protected]..
  Why don't you use the Custom Security Realm? You can construct an ACLin a
  custom seecurity realm.
  http://edocs.beasys.com/wls/docs61/security/prog.html#1042361
  -utpal
  "Ziad Kurdi" <[email protected]> wrote in message
  news:3c9b4c80$[email protected]..
  Is there a way in 6.1 to use the supplied LDAP Realm V2 for
  authentication
  and
  managing groups, but enhance it with ACL's (stored in a database)
  for
  authorization?
  Obviously, I would like to take advantage of the server's caching
  realm
  capabilities.
  I currently running a custom realm (from 5.1 which works in 6.1)
  that
  mixes LDAP
  authentication, group management, and DB ACL's for authorization,
  but I
  no
  longer
  wish to capture the user's password (due to sorporate policies) and
  would
  like
  to avoid maitaining the authentication code.
  Thanks in advance for any assistance.

• Unable to access Admin Tools for portal after configuring LDAP realm

  After setting weblogic to use the LDAP realm I am unable to access the Administration Tools. It does not take the username "administrator" and password "password". I've created the SystemAdministrator Group in LDAP as well as the appropriate "administrator" user but it still does not let me access the Administratotion Tools.

  This thread is being discussed in the weblogic.developer.interest.portal
  newsgroup under the same title. You can cross-post to multiple groups in
  the future so that the thread develops in all newsgroups that you posted to.
  "Wendy Kajiyama" <[email protected]> wrote in message
  news:[email protected]..
  After setting weblogic to use the LDAP realm I am unable to access theAdministration Tools. It does not take the username "administrator" and
  password "password". I've created the SystemAdministrator Group in LDAP as
  well as the appropriate "administrator" user but it still does not let me
  access the Administratotion Tools.

• Setting up LDAP realm with WLI 7

  Any pointer to Step by step instruction on to how to set up LDAP realm for Access Control with Weblogic integration 7

  Pramit Basu <[email protected]> wrote:
  Any pointer to Step by step instruction on to how to set up LDAP realm
  for Access Control with Weblogic integration 7In order to use LDAP realm with WLI 7.0, you need to do the following steps:
  1) In WebLogic server level, you need to create a Caching Realm and a LDAP realm.
  First, please backup your original config.xml file. Then, you can start configure
  the realms. You can do this by modifying the config.xml file, or through WLS console.
  After you have done this, your config.xml file should contain the following:
  <LDAPRealm AuthProtocol="none"
  Credential="{3DES}rYiW/DkUxq4UPwR0XLbM9w=="
  GroupDN="o=beasys.com,ou=Groups" GroupIsContext="false"
  GroupNameAttribute="cn" GroupUsernameAttribute="uniquemember"
  LDAPURL="ldap://jpengdesk:389"
  Name="LDAPRealmForNetscapeDirectoryServer" Principal="cn=admin"
  UserAuthentication="bind" UserDN="o=beasys.com,ou=People"
  UserNameAttribute="uid" UserPasswordAttribute="userpassword"/>
  --- You can also do this in Console. Please make sure the "UserDN" and "GroupDN"
  values are correct according to the groups and users stored on your LDAP server.
  In my example here, "beasys.com" is my root entry, and I have all the users created
  underneath of OU "People", and I have all the groups created in OU "Groups".
  <CachingRealm BasicRealm="LDAPRealmForNetscapeDirectoryServer" Name="MyCaching
  Realm"/>
  --- You can do this in console by clicking on "Caching Realms", then click on
  the link of "Configure a new Caching Realm". Name it as "MyCaching Realm", and
  select "LDAPRealmForNetscapeDirectoryServer" as the BasicRealm.
  <Realm CachingRealm="MyCaching Realm" FileRealm="myFileRealm" Name="myRealm"/>
  --- you can do this in console by clicking on "Compatibility Security", then click
  on the "Filerealm" tab, then, in the "Caching Realm" field, select MyCaching Realm"
  from the pull down comb box.
  Please make sure all the names are related. See above example, the value in blue
  color should match, and the value in red color should match too.
  Please see the attached config.xml file for reference.
  2) Create the users in LDAP server. In my example, I simply created 3 users underneath
  of OU &#8220;People&#8221;, they are:
  weblogic
  wlisystem
  admin
  &#8220;weblogic&#8221; is the user I used as my system administrator user, which
  I used to boot my WLS server and access my WLS console.
  &#8220;wlisystem&#8221; and &#8220;admin&#8221; are the users created for WLI
  component.
  3) Create 11 groups in LDAP server. In my example, as I mentioned above, I create
  all these groups underneath of OU &#8220;Groups&#8221;. These groups are:
  ConfigureComponents
  Administrators
  wlpiUsers
  MonitorInstance
  ExecuteTemplate
  CreateTemplate
  UpdateTemplate
  DeleteTemplate
  AdminsterUser
  ConfigureSystem
  wlpiAdministrators
  Also, add the users created in step 2 into all of these groups.
  4) Clean up the fileRealm.properties file.
  Backup your original fileRealm.properties file. Then, remove all the entries starting
  with &#8220;user.xxx&#8221; and &#8220;group.xxx&#8221;, only leave those entries
  starting with &#8220;acl.xxx&#8221;.
  Please see the attached &#8220;fileRealm.properties&#8221; file for reference.
  5) Restart your WLI server. Verify the users and groups you defined in LDAP server
  are displayed in WLS console correctly. You can see the user and group information
  in &#8220;Compatibility Security&#8221; à &#8220;Users&#8221;, and &#8220;Compatibility
  Security&#8221; à &#8220;Groups&#8221; respectively.
  6) Start your studio to design a simple Workflow. When you login, the authentication
  of your username and password is against the LDAP server, since you don&#8217;t
  have any user entries in your fiel realm any more.
  7) Start your Worklist to execute the workflow. Also, When you login, the authentication
  of your username and password is against the LDAP server, since you don&#8217;t
  have any user entries in your fiel realm any more.
  Once you execute the workflow, you can verify that workflow instance in Studio.
  You can monitor the instance, and delete the instance.