Resolve LDAP Connection Issues in BEA WebLogic Server (Continued)

You can also edit config.xml directly: in the <ServerDebug/> stanza of each server that you want to debug, set the relevant debug attribute to "true" to enable it or "false" to disable it:

<!-- DebugSecurityAdjudicator: security adjudicator debug
     DebugSecurityAtn:         security authentication debug
     DebugSecurityAtz:         security authorization debug
     DebugSecurityRoleMap:     security role mapping debug -->
<ServerDebug
	DebugSecurityAdjudicator="true"
	DebugSecurityAtn="true"
	DebugSecurityAtz="true"
	DebugSecurityRoleMap="true"
	Name="MyServer"/>

Then you must restart the admin server.

Make sure StdoutDebugEnabled is set to "true"; you can verify this in config.xml. Debug output to stdout can be enabled via the console or on the command line using:

-Dweblogic.StdoutDebugEnabled=true

The debug information is written to the server log as well as to standard out. The server log file is named at startup in message BEA-170019:

BEA-170019 Notice: The server log file fileName 
	is opened. All server side log events will be 
	written to this file.

User authentication failure. WLS connects first to LDAP and then tries to search for the user based on the "User Base DN" and the "User Filter" defined in the authentication provider. Once the user is found, WLS tries to authenticate using the password provided.

If authentication fails, after enabling the debug flags, search for the pattern getDNForUser in the log file to see why it failed. It is possible that either the user does not exist in LDAP (javax.security.auth.login.FailedLoginException) or the password is not correct (authentication failed error 49).

The search will be similar to:

<SecurityDebug><getDNForUser search 
	("ou=people,dc=beasys,dc=com", 
	"(&(uid=fred)(objectclass=person))", 
	base DN & below)

If the user does not exist, we will see this message:

<SecurityDebug><returnConnection 
	conn:netscape.ldap.LDAPConnection@e4bb3c>
javax.security.auth.login.FailedLoginException: 
	[Security:090302]Authentication Failed: 
	User fred denied

If the user password is not correct we will see that the full DN was retrieved from LDAP, but authentication fails:

<SecurityDebug> <DN for user fred: 
	uid=fred,ou=People,dc=beasys,dc=com>
<SecurityDebug> <authenticate user:fred with 
	DN:uid=fred,ou=People,dc=beasys,dc=com>
<Debug> <SecurityDebug>  
<authentication failed 49>
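The two failure signatures above can be separated mechanically when a log holds many login attempts. The following Python script is an added example, not part of the original article or of WebLogic; it assumes the debug messages appear in the formats quoted above, and the name triage and the sample user alice are illustrative.

```python
import re

# Message formats as quoted in the article; wrapped entries are re-joined first.
EVENT = re.compile(
    r'getDNForUser search \("(?P<base>[^"]+)", "(?P<filter>[^"]+)"'
    r'|DN for user (?P<found>[^:\s]+): (?P<dn>[^>]+)>'
    r'|authentication failed (?P<code>\d+)'
    r'|Authentication Failed: User (?P<denied>\S+) denied'
)

def triage(log_text):
    """Return one record per failed login: user, cause, DN, search used."""
    findings, resolved, bind_failed = [], {}, set()
    search = last_user = None
    for m in EVENT.finditer(" ".join(log_text.split())):
        if m.group("base"):
            search = (m.group("base"), m.group("filter"))
        elif m.group("found"):
            last_user = m.group("found")
            resolved[last_user] = m.group("dn")
        elif m.group("code") and last_user in resolved:
            # DN was found, then the bind was rejected; 49 = invalid credentials.
            code = m.group("code")
            cause = "bad_password" if code == "49" else "ldap_error_" + code
            findings.append({"user": last_user, "cause": cause,
                             "dn": resolved.pop(last_user), "search": search})
            bind_failed.add(last_user)
        elif m.group("denied"):
            user = m.group("denied")
            if user in bind_failed:      # already explained by the bind failure
                bind_failed.discard(user)
            elif user not in resolved:   # denied with no DN: search matched nothing
                findings.append({"user": user, "cause": "user_not_found",
                                 "dn": None, "search": search})
    return findings

# Constructed sample in the article's message format (user "alice" is made up).
SAMPLE = """\
<SecurityDebug><getDNForUser search ("ou=people,dc=beasys,dc=com", "(&(uid=alice)(objectclass=person))", base DN & below)
javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User alice denied
<SecurityDebug><getDNForUser search ("ou=people,dc=beasys,dc=com", "(&(uid=fred)(objectclass=person))", base DN & below)
<SecurityDebug> <DN for user fred: uid=fred,ou=People,dc=beasys,dc=com>
<Debug> <SecurityDebug> <authentication failed 49>
javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User fred denied
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

For a user_not_found record, compare the reported search base and filter with the "User Base DN" and "User Filter" configured in the authentication provider before concluding that the account is missing from the directory.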


