# This is a WLST script to create a Weblogic Identity Provider that points to OID.

# This script also changes the domain's jps-config.xml to use the same "username attribute" that is configured in the LDAP.

# Note that this script is used at your own risk; it is not provided or supported by Oracle.

#

# The section "LDAP default properties" must be updated with the details of the LDAP server in question.

#

# Besides, this script will also expect the following parameters:

#

# -d        Name of WLS domain (default: DefaultDomain)

# -u        WLS administration user (default: weblogic)

# -p        WLS password (default: welcome1)

# -s        WLS admin URL to connect to (default: t3://localhost:7101)

# -r        If present, the script removes the auth provider instead of creating it (default: false)

#

# If a parameter is not given, its default value is used.

#

# @author Eduardo Rodrigues

# @author Fabio Souza

##

import os

import sys

import getopt

# Silence WLST's command-exception handler while the arguments are parsed; it
# is switched back on (setSilent(0)) right after connect() further down.
WLS.commandExceptionHandler.setSilent(1)

# LDAP default properties
# All values below are plain strings. The command-line flags only override the
# wls_* settings; the LDAP ones must be edited here.

# Display name of the provider to create (or to remove when -r is given). It is
# also embedded in the MBean name 'Security:Name=myrealm<name>' used when the
# provider order is set in the main body.
authprovider_name = 'OID localhost'

# Implementation class of the provider (WebLogic's OID authenticator).
authprovider_class = 'weblogic.security.providers.authentication.OracleInternetDirectoryAuthenticator'

ldap_host = 'localhost'

# Kept as a string; converted with int() when handed to setPort().
# NOTE(review): the provider is configured with SSLEnabled=true in the main
# body, while 389 is the conventional plaintext LDAP port (LDAPS usually
# listens on 636) -- confirm the OID endpoint really serves TLS on this port.
ldap_port = '389'

ldap_userbasedn = 'ou=people, o=example.com'

ldap_all_users_filter = '(&(cn=*)(objectclass=person))'

ldap_user_object_class = 'person'

ldap_all_groups_filter = '(&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))'

ldap_group_base_dn = 'ou=groups, o=example.com'

# '%u' is a WebLogic placeholder; the string is passed through untouched (no
# Python %-formatting is applied to it anywhere in this script).
ldap_user_from_name_filter = '(&(cn=%u)(objectclass=person))'

# LDAP attribute holding the login name. It is also written into the domain's
# jps-config.xml (username.attr / user.login.attr) so both sides agree.
ldap_username_attribute = 'cn'

# Defaults for the WLS connection; each can be overridden by -u/-p/-s/-d.
wls_username = 'weblogic'

# NOTE(review): the header comment documents 'welcome1' as the -p default but
# the code uses 'weblogic1'. A working admin password committed in a script is
# a risk in itself -- prefer always supplying -p and keeping this a placeholder.
wls_password = 'weblogic1'

wls_admin_server_url = 't3://localhost:7101'

wls_domain_name = 'DefaultDomain'

# String flag, not a boolean: -r sets it to 'true' and the main body compares
# it with == 'true'.
remove_provider = 'false'

def usage():
    """Print the command-line synopsis and an example invocation to stdout."""
    synopsis = (
        "Usage:",
        "  ldap.py [-u] <username> [-p] <password> [-s] <adminserver_url> [-d] <domain_name> [-r]",
        "Example:",
        "  ldap.py -u weblogic -p weblogic1 -s t3://localhost:7101 -d DefaultDomain",
    )
    # Parenthesised print keeps this valid on both the Jython 2 print statement
    # and the Python 3 print function.
    for line in synopsis:
        print(line)

# ---- Command-line parsing ---------------------------------------------------
# Short options only: -u/-p/-s/-d each take a value, -r is a bare flag.
# The "except X, err" spelling is kept on purpose: the WLST/Jython release this
# script targets is not stated, and older Jython versions lack "except X as".
option_spec = "u:p:s:d:r"
try:
    opts, args = getopt.getopt(sys.argv[1:], option_spec)
except getopt.GetoptError, err:
    # Unknown option or missing value: report it, show the synopsis and leave
    # with a non-zero status.
    print(str(err))
    usage()
    sys.exit(2)

 

#===== Handling get options  ===============
# Each flag overrides the matching default from the "LDAP default properties"
# section above. Every option matches exactly one branch, so the order of the
# branches does not matter.
for flag, value in opts:
    if flag == "-r":
        # Bare flag: switch the script into removal mode.
        remove_provider = 'true'
    elif flag == "-u":
        wls_username = value
    elif flag == "-p":
        # NOTE(review): a password given on the command line is typically
        # visible to other local users through the process list and shell
        # history; reading it from a prompt or a protected file would be safer.
        wls_password = value
    elif flag == "-s":
        wls_admin_server_url = value
    elif flag == "-d":
        wls_domain_name = value

# Connect to the running admin server (WLST online mode) with the credentials
# gathered above.
# NOTE(review): connect() runs while the command-exception handler is still
# silent (setSilent(1) at the top), so a failed connection may not stop the
# script before edit() is attempted -- confirm, and consider re-enabling the
# handler before connecting.
connect(wls_username, wls_password, wls_admin_server_url)

# Re-enable WLST command exceptions, presumably so that failures from here on
# raise and reach the try/except of the main body.
WLS.commandExceptionHandler.setSilent(0)

# Open an edit session: all changes below are staged until save()/activate().
edit()

startEdit()

# MBean path of the default security realm of the target domain.
myrealmRoot = '/SecurityConfiguration/%s/Realms/myrealm' % wls_domain_name

try:

   # Everything in this block runs inside the edit session opened above; on
   # any failure the except branch below cancels the whole session.
   cd(myrealmRoot)

   

   if (remove_provider == 'true'):

      # remove the auth provider (online mode)
      # Only the named provider is destroyed. The DefaultAuthenticator's
      # control flag (set to SUFFICIENT on creation) and the provider order
      # are left as they are.

      print('Removing authentication provider %s...' % authprovider_name)

      cmo.destroyAuthenticationProvider(getMBean('%s/AuthenticationProviders/%s' % (myrealmRoot, authprovider_name)))

   else:

      # selecting the default authenticator

      cd('AuthenticationProviders/DefaultAuthenticator')

     

      # Both the default and the new provider end up SUFFICIENT, so (per JAAS
      # control-flag semantics) a login is accepted as soon as either of them
      # authenticates the user.
      cmo.setControlFlag('SUFFICIENT')

     

      cd('..')

     

      # Reuse the provider if it already exists, otherwise create it under the
      # realm and navigate into it.
      # NOTE(review): the bare except treats *any* failure of cd() as "does
      # not exist yet"; narrowing it to the WLST exception type would avoid
      # masking unrelated errors.
      try:

         cd(authprovider_name)

      except:

              cd(myrealmRoot)

              cmo.createAuthenticationProvider(authprovider_name, authprovider_class)

              cd('AuthenticationProviders/%s' % authprovider_name)

     

      # configuring the new auth provider's properties
      # (cmo is the provider MBean here, whether it was found or just created)

      cmo.setControlFlag('SUFFICIENT')

      cmo.setUseRetrievedUserNameAsPrincipal(true)

      cmo.setGroupSearchScope('onelevel')

      # TLS is forced on; see the note next to ldap_port about the port number.
      cmo.setSSLEnabled(true)

      cmo.setHost(ldap_host)

      cmo.setPort(int(ldap_port))

      cmo.setUserNameAttribute(ldap_username_attribute)

      cmo.setUserBaseDN(ldap_userbasedn)

      cmo.setUserFromNameFilter(ldap_user_from_name_filter)

      cmo.setGroupBaseDN(ldap_group_base_dn)

      cmo.setAllGroupsFilter(ldap_all_groups_filter)

      cmo.setAllUsersFilter(ldap_all_users_filter)

      # NOTE(review): propagating the LDAP cause may expose to the caller why
      # a login failed; that helps debugging but such detail can aid account
      # enumeration, so consider leaving it false outside development.
      cmo.setPropagateCauseForLoginException(true)

      cmo.setUserObjectClass(ldap_user_object_class)

     

      cd(myrealmRoot)

      # reordering the auth providers putting the new one 1st (online mode)
      # NOTE(review): this assigns a fixed list of exactly three providers, so
      # any other provider already configured in the realm would be dropped
      # from the order. jarray and ObjectName are not imported in this file;
      # presumably the WLST runtime provides them.
      set('AuthenticationProviders',jarray.array([ObjectName('Security:Name=myrealm%s' % (authprovider_name)), ObjectName('Security:Name=myrealmDefaultAuthenticator'), ObjectName('Security:Name=myrealmDefaultIdentityAsserter')], ObjectName))

      # Configuring Domain's jps-config.xml to setup the username attribute
      # Done through the JpsConfig JMX MBean: both username.attr and
      # user.login.attr of the 'idstore.ldap' service instance are set to the
      # LDAP attribute, then the configuration is persisted. The same params
      # list is reused with only its middle entry swapped.

      on = ObjectName("com.oracle.jps:type=JpsConfig")

      sign = ["java.lang.String", "java.lang.String", "java.lang.String"]

      params = ['idstore.ldap', 'username.attr', ldap_username_attribute]

      mbs.invoke(on, "updateServiceInstanceProperty", params, sign)

      params[1] = 'user.login.attr'

      mbs.invoke(on, "updateServiceInstanceProperty", params, sign)

      mbs.invoke(on, "persist", None, None)

   # Commit the edit session (the jps-config change above is persisted by the
   # separate "persist" call and is not part of this session).
   save()

   activate()

   

   if (remove_provider == 'true'):

    print('The authentication provider %s  was successfully removed.' % authprovider_name)

   else:

    print('New authentication provider %s successfully created.' % authprovider_name)

   

   print('\nIMPORTANT: The server might have to be restarted for changes to be effective.\n')

   

   ret = 0

except:

   # Any failure: print the Java stack trace, report the exception and discard
   # the staged edits so the realm is left unchanged.
   dumpStack()

   print('ERROR: %s - %s' % (sys.exc_type, sys.exc_value))

   print('Canceling changes...')

   # 'y' presumably answers WLST's confirmation prompt for cancelEdit.
   cancelEdit('y')

   ret = 1

# WLST's exit(); ret (0 on success, 1 on failure) becomes the process status.
exit(exitcode=ret)