If you've arrived @ this page then BELIEVE ME, I've saved you several work hours because I've done it all for you. Infact, you can show your appreciation by liking the TC facebook page

• To picture the scene, I have 2 separate VM instances (one RHEL, the other Window 2008 with Active Directory), both can ping one another.
• I assume you have OIM setup and have access to the Weblogic (WLS) admin domain
• Oh, and forget about LDAP sync, it's not needed.

Log into the weblogic admin console and click on security realms, then myrealms

Then click on providers, then Authentication. then click new.

Then within the 'create a new Authentication Provider', give your authentication an appropriate name (I decided to call it ADAuthenticationProvider). Then select ActiveDirectoryAuthenticator from the drop-down list, then press OK.

You should now see the newly-created authentication provider on the previous screen

To save time configuring WLS, I'd recommend downloading a LDAP query tool. The two I often use are Jxplorer and ApacheDirectory. In this example I'm using ApacheDirectory. I also use the dsquery command within my command prompt at some point also.

Within Apache, click on new..., then LDAP Connection

Then add in the network parameters and ensure you have successful connection

Then click next and ensure that your Bind DN or user with the respective credentials correct.

In my example, I'm using the Administrator username on the windows AD side. If you perform the following 'dsquery' below, you'll be able to get the complete string value needed for the 'Bind DN or user' field.

Add the value within the authentication Parameter with it's associated password and check Authentication.

(if you get this far, you know the correct hostname, LDAP port (389), User Base DN, the the corresponding credentials in preparation for the Authentication Provider within Steph 5

Now jump back to the Weblogic admin console and click on authentication provider and click on provider Specific. This is the page is the single configuration for the authentication provider to extract the users

Connection Host: It's the hostname or IP of the AD server
Port: Keep the value as 389
Principle: Is the user account you'll be using to connect the authentication provider to the AD instance. In fact I used the Bind DN or user value I used before
Credential: This is the password of the principle

Users
The User Base DN is the 'container' in which the users can be located. Easiest way to find out the value is to use the search base within Apache, which will allow you to navigate to the DN. As you can see below, I have selected the generic Users

I altered the User From Name Filter. Turns out when I used that specific filter, I was not returning any users. Again, use the filter editor within ApacheDirectory to double-check.As you can see below, I ran the user base DN with the filter and returned a list of users.

These will be the users that will be able to log into OIM. I also clicked 'Use Retrieved User Name as Principle' and altered the user name attribute to sAMAccountName to ensure the AD userlogin matches the user_login within OIM

The screenshot above highlights the users that will be able to authenticate against OIM once the AD provider is configured successfully. Follow the similar process with the oimusers group

Click on the HOW TO: Configure OIM 11g AD/LDAP Authentication Part 2

About the author