In a few projects, Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is used to set up an external LDAP directory for authentication in OBIEE.
In one of our projects we had to configure LDAP authentication in OBIEE against Active Directory Lightweight Directory Services (AD LDS). We first configured the LDAP provider type as ActiveDirectoryAuthenticator and ran into an issue authenticating to the application. I am sharing below what happened when LDAP was configured as ActiveDirectoryAuthenticator, and the solution that resolved the issue.
ActiveDirectoryAuthenticator as Authenticator:
When ActiveDirectoryAuthenticator is configured in WebLogic to access Active Directory Lightweight Directory Services (AD LDS) for authentication, an authentication error is returned for a valid user id, even though the AD LDS users and groups are visible in the security realm.
Error:
The ActiveDirectoryAuthenticator uses attributes that are incompatible with Active Directory Lightweight Directory Services (AD LDS). Specifically, the ActiveDirectoryAuthenticator uses the attribute User-Account-Control (UAC), which exists in the full version of Active Directory but is not used in the lightweight version. Therefore, the default ActiveDirectoryAuthenticator cannot be used with AD LDS.
Generic LDAPAuthenticator as Authenticator:
Microsoft ADAM is a lightweight implementation of Active Directory that does not provide all the services of the complete Active Directory provider, so the Active Directory Authentication Provider should not be used to configure ADAM.
The solution to the above issue is to use the generic LDAPAuthenticator with AD LDS instead of the ActiveDirectoryAuthenticator. However, after configuring the generic LDAPAuthenticator, the Admin Server would not start and reported the error below.
Error:
Solution:
JPS does not support the generic LDAPAuthenticator by default, which results in the server startup failure and the JPS error.
Add the idstore.type property to the jps-config.xml file located under <domainhome>/config/fmwconfig so that JPS recognizes the generic LDAPAuthenticator used to integrate WLS with the AD LDS server, then restart the Admin Server service.
Note: take a backup of jps-config.xml before modifying it.
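For reference, this is what the edited identity store service instance in jps-config.xml looks like; it is an added illustration, not a fragment from the original post or from Oracle's documentation, and it assumes the default 11g-style serviceInstance named idstore.ldap. The idstore.type value is a placeholder: set it to the identity store type that Oracle documents for your directory.

```xml
<!-- <domainhome>/config/fmwconfig/jps-config.xml (back it up first) -->
<!-- Before: the identity store instance with no idstore.type, so JPS
     cannot map a generic LDAPAuthenticator to a known store type and
     the Admin Server fails to start. -->
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider"
            value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS"
            value="oracle.security.idm.providers.stdldap.JNDIPool"/>
</serviceInstance>

<!-- After: the same instance with idstore.type added. Replace the
     placeholder value with the store type documented for AD LDS. -->
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider"
            value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS"
            value="oracle.security.idm.providers.stdldap.JNDIPool"/>
  <!-- Added property; value is a placeholder, not a real store type -->
  <property name="idstore.type" value="IDSTORE_TYPE_FOR_YOUR_DIRECTORY"/>
</serviceInstance>
```

Keep the edit to this one property; the other properties are left untouched so the backup and the edited file differ only in the added line, which makes the change easy to verify and roll back.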