Thursday, August 18, 2011

Circular Group reference in external authenticator causes LDAP to hang

A circular group reference in an external authenticator causes LDAP to hang, and the resulting outage takes the server down with it. By default, Oracle WebLogic Server does not check for group circularity in any externally configured LDAP Authenticator (iPlanet, Active Directory, Novell, OpenLDAP, etc.).

Circular Group reference example:
If Group A is a member of Group B
and Group B is a member of Group A

When a circular group [as above] exists in the backend LDAP, so many LDAP connections are created (because the backend LDAP group effectively has itself as a member) that the server can crash.

Solution
A. Enabling the Ignore Duplicate Membership Flag
Starting with Oracle WebLogic Server 8.1 SP4, a new flag "IgnoreDuplicateMembership" was introduced. You can enable this flag in the Administration Console while configuring any external Authentication Provider. When the flag is enabled and a circular group exists, the server ignores the duplicate group and generates a warning (written to the log). By default, this flag is unchecked (disabled). Although this flag works in Production Mode, Oracle recommends that you use it only in Development Mode, as it can adversely affect performance.

1. If you have not already done so, in the Change Center of the Administration Console, click "Lock & Edit".
2. In the left pane, click on Security Realms.
3. In the right pane, click on myrealm.
4. In the Settings for myrealm window, navigate to the Providers > Authentication tab.
5. Click on the Authentication Provider from the list which has the circular group issue. In my case it is ActiveDirectoryAuthenticator.
6. In the Settings for ActiveDirectoryAuthenticator window, navigate to the Configuration > Provider Specific tab.
7. Enable the Ignore Duplicate Membership parameter.
8. Click Save and, in the Change Center of the Administration Console, click "Activate Changes".
9. Restart all the WebLogic Server instances specified in the Restart Checklist for the changes to take effect.


B. Setting the Group Membership Searching to Limited
As an alternative workaround, you can set "Group Membership Searching" to "limited" (the default is "unlimited") in the Authentication Provider configuration. For configurations that use only the first level of the nested group hierarchy, this attribute improves performance during user searches by limiting the search to the first level of the group.
If a limited search is specified, the Max Group Membership Search Level attribute must also be specified. If an unlimited search is specified, the Max Group Membership Search Level attribute is ignored.

For example, if the Max Group Membership Search Level attribute is set to 1, a search for membership in Group A will return the direct members of Group A. If Group B is a member of Group A, the members of Group B will also be found by this search. However, if Group C is a member of Group B, the members of Group C will not be found by this search. Any positive number indicates the number of nesting levels to search.

Note that when Use Token Groups For Group Membership Lookup is used during authentication, all the groups are returned in a single call, and the recursion limits and depth limits do not apply. They will apply in management operations.

1. If you have not already done so, in the Change Center of the Administration Console, click "Lock & Edit".
2. In the left pane, click on Security Realms.
3. In the right pane, click on myrealm.
4. In the Settings for myrealm window, navigate to the Providers > Authentication tab.
5. Click on the Authentication Provider from the list which has the circular group issue. In my case it is ActiveDirectoryAuthenticator.
6. In the Settings for ActiveDirectoryAuthenticator window, navigate to the Configuration > Provider Specific tab.
7. Set Group Membership Searching to limited and Max Group Membership Search Level to a value that you think is appropriate. In my case I am setting the value to "3".
8. Click Save and, in the Change Center of the Administration Console, click "Activate Changes".
9. Restart all the WebLogic Server instances specified in the Restart Checklist for the changes to take effect.
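To make the two settings in A and B concrete, here is an added Python model (my own illustration, not WebLogic's code) of how a nested-group search behaves with and without the duplicate-membership flag and the search-level cap. The group table, the short DNs and the RuntimeError standing in for the real hang are all assumptions of the model; the cycle finder can be run over an exported group listing to spot circular references before an authenticator has to walk them.

```python
# Constructed snapshot of a directory's group objects (not a real LDAP export):
# group DN -> direct member DNs. GroupA/B/C reproduce the post's nesting
# example; Loop1/Loop2 form a circular reference like the one described.
GROUPS = {
    "cn=GroupA": ["uid=alice", "cn=GroupB"],
    "cn=GroupB": ["uid=bob", "cn=GroupC"],
    "cn=GroupC": ["uid=carol"],
    "cn=Loop1": ["uid=dave", "cn=Loop2"],
    "cn=Loop2": ["uid=erin", "cn=Loop1"],
}

def find_circular_groups(groups):
    """Return every group that can reach itself through nested membership."""
    circular = set()
    for start in groups:
        stack, seen = [start], set()
        while stack:
            for m in groups.get(stack.pop(), []):
                if m == start:
                    circular.add(start)
                elif m in groups and m not in seen:
                    seen.add(m)
                    stack.append(m)
    return sorted(circular)

def nested_members(groups, group, max_level=None, ignore_duplicates=False):
    """Users reachable from `group` under the two provider settings modelled here:
    max_level (None = unlimited search, int = limited search at that level) and
    ignore_duplicates (the IgnoreDuplicateMembership flag). Where the real server
    would hang on a cycle, this model raises RuntimeError instead."""
    users, expanded = set(), {group}

    def walk(g, level, path):
        for m in groups.get(g, []):
            if m not in groups:
                users.add(m)          # a user entry: collect it
            elif ignore_duplicates and m in expanded:
                continue              # duplicate group: skip it (server logs a warning)
            elif max_level is None and m in path:
                raise RuntimeError(f"circular group reference via {m}")
            elif max_level is not None and level + 1 > max_level:
                continue              # limited search: stop at the configured depth
            else:
                expanded.add(m)
                walk(m, level + 1, path | {m})

    walk(group, 0, frozenset({group}))
    return sorted(users)
```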


That's it.
Please do leave your valuable comments.

2 comments:

Anonymous said...

Admiring the dedication you put into your website and
in depth information you offer. It's good to come across a blog every once in a while that isn't the same unwanted rehashed information.
Wonderful read! I've bookmarked your site and I'm adding your RSS feeds to my Google account.
Also visit my web-site : piano lessons

Anonymous said...

Asking questions are really good thing if you
are not understanding something totally, however this post presents
pleasant understanding even.


Feel free to visit my web-site
:: http://www.Getcash4surveys.info