14 Managing Security
14-14 Administration Guide
Restrictions When Using the LDAP Security Realm
The LDAP security realm has the following restrictions:
- When the LDAP server in Microsoft Site Server is installed and the root of the LDAP directory is created, a number of organizational units are created by default. Under Groups there is a default organizational unit called NTGroups with a default Group named Administrators, which is empty. By default, WebLogic Server also provides a Group called Administrators that contains a member System, which is the User under which WebLogic Server is started. If you use the defaults in Microsoft Site Server and start creating your own Groups under the default organizational unit, WebLogic Server will not start. In order to start WebLogic Server with the LDAP security realm, you need to create your own unique organizational unit in the LDAP directory and create the Groups for your WebLogic Server deployment under that organizational unit.
- If you have two Groups within the LDAP directory with the same name, WebLogic Server cannot properly authenticate the Users in the second Group that it locates. The LDAP security realm uses the Group's distinguished name (DN) to locate Groups in the LDAP directory. If you create more than one Group with the same name, WebLogic Server only authenticates the Users in the first Group it locates. You must use unique Group names when using the LDAP security realm.
- The LDAP realm V2 does not provide the following functionality provided in LDAP realm V1:
  - Listing all Users
  - Listing the members of a Group
  - The authProtocol and userAuthentication mechanisms have been removed. You need to use the JNDI bind mechanism to pass security credentials to the LDAP server.
- The LDAP realm V2 has issues with the OpenLDAP server when running the getGroups() method for large numbers of Groups (more than 300). This problem is due to caching bugs in OpenLDAP.
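The first two restrictions above (Groups placed under the Site Server default organizational unit, and duplicate Group names that the realm's DN-based lookup cannot distinguish) can both be checked against an LDIF export of the directory before WebLogic Server is started. The following script is an added example, not part of the guide or of WebLogic Server: it carries a minimal LDIF parser of its own, the directory suffix o=example, the organizational unit names and the group entries in SAMPLE_LDIF are constructed for illustration, and the default NTGroups DN is passed in as a parameter because the real value depends on your directory root.

```python
"""Pre-deployment check of an LDIF export against two LDAP security realm
restrictions: Groups created under the default NTGroups organizational unit,
and more than one Group carrying the same name.  Added example; SAMPLE_LDIF is
a constructed export under the assumed suffix o=example, not real directory data."""

from collections import defaultdict

SAMPLE_LDIF = """\
dn: ou=Groups,o=example
objectClass: organizationalUnit
ou: Groups

dn: ou=NTGroups,ou=Groups,o=example
objectClass: organizationalUnit
ou: NTGroups

dn: cn=Administrators,ou=NTGroups,ou=Groups,o=example
objectClass: groupOfUniqueNames
cn: Administrators

dn: ou=WLSGroups,ou=Groups,o=example
objectClass: organizationalUnit
ou: WLSGroups

dn: cn=Administrators,ou=WLSGroups,ou=Groups,o=example
objectClass: groupOfUniqueNames
cn: Administrators
uniqueMember: uid=system,ou=People,o=example

dn: cn=Operators,ou=WLSGroups,ou=Groups,o=example
objectClass: groupOfUniqueNames
cn: Operators
uniqueMember: uid=alice,ou=People,o=example

dn: cn=Deployers,ou=NTGroups,ou=Groups,o=example
objectClass: groupOfUniqueNames
cn: Deployers
"""

# Object classes that mark an entry as a Group in common directory schemas.
GROUP_CLASSES = {"groupofuniquenames", "groupofnames", "group"}


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of dicts, attribute name (lowercased)
    -> list of values.  Handles folded continuation lines (leading space) and
    '#' comments; base64 ('::') values are not needed for this check."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded line continues the value
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None          # blank line ends the entry
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def group_entries(entries):
    """Entries whose objectClass marks them as a Group."""
    return [e for e in entries
            if GROUP_CLASSES & {v.lower() for v in e.get("objectclass", [])}]


def duplicate_group_names(entries):
    """Group names (cn) used by more than one Group, with the DNs that share them.
    Only the first such Group found would have its Users authenticated."""
    by_name = defaultdict(list)
    for g in group_entries(entries):
        for cn in g.get("cn", []):
            by_name[cn.lower()].append(g["dn"][0])
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


def groups_under_default_ou(entries, default_ou_dn):
    """DNs of Groups created under the Site Server default organizational unit.
    The empty Administrators Group that Site Server itself creates there is
    expected and is not reported."""
    suffix = "," + default_ou_dn.lower()
    return [g["dn"][0] for g in group_entries(entries)
            if g["dn"][0].lower().endswith(suffix)
            and g["dn"][0].lower() != "cn=administrators" + suffix]


def check_export(text, default_ou_dn="ou=NTGroups,ou=Groups,o=example"):
    """Run both checks and return their findings (empty values mean no issue)."""
    entries = parse_ldif(text)
    return {"duplicate_names": duplicate_group_names(entries),
            "under_default_ou": groups_under_default_ou(entries, default_ou_dn)}


if __name__ == "__main__":
    for check, findings in check_export(SAMPLE_LDIF).items():
        print(check, findings)
```

Run it against a real export (for example the output of an ldapsearch of the Groups subtree) by replacing SAMPLE_LDIF and passing the DN of your own NTGroups unit; any non-empty finding is a condition under which the realm either will not start or will silently authenticate only the first Group it finds.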