Over the past few days I have been building a POC environment for a customer. The customer manages users with Microsoft Active Directory and wants UCM and WebCenter integrated with AD. The steps are as follows:
1. Configure WebLogic Server integration with AD
1) Log in to the WebLogic Server administration console at http://host:7001/console;
2) Select Security Realms, select myrealm, and click the "Providers" tab;
3) Click "New" to create a new authentication provider; set the provider type to "ActiveDirectoryAuthenticator" and the control flag to "SUFFICIENT";
4) Configure the provider according to the actual structure of the AD:
Host:
Port: 389           (default)
Principal: CN=Administrator,CN=Users,DC=company,DC=com
Credential:
SSL Enabled: not checked (default)
User Base DN: OU=Ucm,DC=company,DC=com
All Users filter: empty (default)
User from Name Filter: (&(cn=%u)(objectclass=user))    (default)
User search scope: onelevel (choose onelevel or subtree depending on the directory layout)
User name attribute: cn (default)
User object class: user (default)
Use retrieved User Name as Principal: not-checked  (default)
Group Base DN: OU=Roles,OU=Ucm,DC=company,DC=com
All groups filter:    (default)
Group from name filter: (&(cn=%g)(objectclass=group))    (default)
Group search scope: subtree (default)
Group membership searching: unlimited (default)
Max Group membership search level: 0 (default)
Ignore duplicate membership: not-checked (default)
Use token groups for group membership lookup: not-checked   (leave not-checked unless you experience slow performance and/or double lookups to AD from WLS; the default is not checked)
Static group name attribute: cn (default)
Static group object class: group (default)
Static member DN attribute: member (default)
Static Group DNs from Member DN filter: (&(member=%M)(objectclass=group))   (default)
Dynamic groups: All entries (default)
General: leave everything at its default except Connection retry limit: 5
Keep alives enabled: checked
Cache enabled: un-checked (for testing, so there is no cache; you will probably want caching for a production install)



Save the settings.
5) Set the control flag of myrealm's DefaultAuthenticator to "SUFFICIENT", then reorder the providers so that the AD authentication provider is first;
6) Restart WebLogic Server. The users and groups from AD should now be visible under Users and Groups in the administration console. This completes the AD configuration on WebLogic Server.

2. Settings for integrating UCM with AD
1) Once the AD configuration on WLS is done, you should be able to log in to UCM with an AD user;
2) AD groups map to UCM Roles, so assigning the corresponding role permissions in UCM is all that is needed. If you want fine-grained permission control with UCM Accounts, prefix the AD group name with the "@" symbol.
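As an added illustration (not code from the original post or from Oracle), the following Python snippet shows two things the configuration above relies on: how the "from name" filter templates turn a user or group name into an LDAP search filter (with the substituted value escaped per RFC 4515, which is what any authenticator must do before sending the filter to AD), and how a list of AD group names would be sorted into UCM Roles and UCM Accounts using the "@" prefix rule from step 2. The filter templates are the defaults listed above; the group names and the `render_filter`/`classify_groups` helper names are constructed for this example.

```python
# Added example: filter rendering and role/account classification for the
# WebLogic ActiveDirectoryAuthenticator settings described in the post.
# Helper names and sample data are constructed for illustration.

# Default filter templates from the provider settings above.
USER_FROM_NAME_FILTER = "(&(cn=%u)(objectclass=user))"
GROUP_FROM_NAME_FILTER = "(&(cn=%g)(objectclass=group))"
GROUP_DNS_FROM_MEMBER_FILTER = "(&(member=%M)(objectclass=group))"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters '\\', '*', '(', ')' and NUL are replaced by a backslash
    followed by their two-digit hex code, so that user-supplied text can
    never alter the structure of the filter it is substituted into.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template: str, placeholder: str, value: str) -> str:
    """Substitute an escaped value for %u, %g or %M in a filter template."""
    return template.replace(placeholder, ldap_filter_escape(value))


def classify_groups(group_names):
    """Split AD group names into (UCM roles, UCM accounts).

    Per the post, a group whose name starts with '@' is treated as a UCM
    Account (the '@' is stripped); every other group maps to a UCM Role.
    """
    roles, accounts = [], []
    for name in group_names:
        if name.startswith("@"):
            accounts.append(name[1:])
        else:
            roles.append(name)
    return roles, accounts


if __name__ == "__main__":
    print(render_filter(USER_FROM_NAME_FILTER, "%u", "jsmith"))
    # A name containing filter metacharacters is neutralised by escaping.
    print(render_filter(USER_FROM_NAME_FILTER, "%u", "*)(cn=*"))
    print(render_filter(GROUP_FROM_NAME_FILTER, "%g", "contributor"))
    print(render_filter(GROUP_DNS_FROM_MEMBER_FILTER, "%M",
                        "CN=jsmith,OU=Ucm,DC=company,DC=com"))
    # Constructed sample of AD group names under OU=Roles.
    print(classify_groups(["contributor", "@Finance", "admin", "@HR"]))
```

Running the script prints the rendered filters and the role/account split; the second filter shows why escaping matters, since the parentheses and asterisks in the name are encoded rather than interpreted.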

3. Integrating WebCenter with AD
1) Edit the jps-config.xml file under C:\Oracle\Middleware\user_projects\domains\uaes_domain\config\fmwconfig and add the following:
 
       
           
           
       
       
       
Note: adjust the value according to the actual AD setup.
2) Restart WebCenter Spaces and test whether an AD user can log in to the system.

4. Notes
1) Pay attention to the structure of the AD when configuring the provider;

2) When editing jps-config.xml, pay attention to the value; it decides whether login works at all. If you log in with the account name, use "sAMAccountName" as the value.

3) If you also integrate WebCenter with UCM, check that Documents Services is configured correctly.

After installing WebCenter, accessing the WebLogic Server EM console returned an "Error 503–Service Unavailable" error, with the following message:

Error 503–Service Unavailable

From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:

10.5.4 503 Service Unavailable

The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. The implication is that this is a temporary condition which will be alleviated after some delay. If known, the length of the delay may be indicated in a Retry-After header. If no Retry-After is given, the client SHOULD handle the response as it would for a 500 response.

Note: The existence of the 503 status code does not imply that a server must use it when becoming overloaded. Some servers may wish to simply refuse the connection.


After some investigation, the cause turned out to be a missing $MW_HOME/user_projects/domains//sysman/state/targets.xml file. The fix is as follows:
1. Back up the old targets.xml file;
2. Edit targets.xml according to the following template:









 
Replace the variables marked with percent signs above according to your domain; here is an example:








3. Restart AdminServer;
4. Confirm that http://:7001/em can be accessed normally;
5. Back up the corrected targets.xml file.