wls authentication provider
Overview
This resource allows you to manage authentication providers in a WebLogic domain.
Here is an example on how you should use this:
wls_authentication_provider { 'ldap':
ensure => 'present',
control_flag => 'SUFFICIENT',
providerclassname => 'weblogic.security.providers.authentication.LDAPAuthenticator',
attributes: => 'Principal;Host;Port;CacheTTL;CacheSize;MaxGroupMembershipSearchLevel;SSLEnabled',
attributesvalues => 'ldapuser;ldapserver;389;60;1024;4;1',
order => '0'
}
To manage Weblogic’s DefaultIdentityAsserter use the wls_identity_asserter type. In this example you are managing a provider in the default domain. When you want to manage a provider in a specific domain, you can use:
wls_authentication_provider { 'MyDomain/MyAuthenticationProvider':
ensure => 'present',
}
Check the Oracle Weblogic documentation for more documentation about setting up and managing a WebLogic cluster.
Experience the Power of Puppet for WebLogic
If you want to play and experiment with Puppet and WebLogic, please take a look at our playgrounds. At our playgrounds, we provide you with a pre-installed environment, where you experiment fast and easy.
Attributes
| Attribute Name | Short Description |
|---|---|
| attributes | The extra authentication provider properties. |
| attributesvalues | The extra authentication provider property values. |
| authentication_provider_name | The authentication provider name. |
| control_flag | The control flag. |
| disable_autorequire | Puppet supports automatic ordering of resources by autorequire. |
| disable_corrective_change | Disable the modification of a resource when Puppet decides it is a corrective change. |
| disable_corrective_ensure | Disable the creation or removal of a resource when Puppet decides is a corrective change. |
| domain | With this parameter, you identify the domain, where your objects is in. |
| ensure | The basic property that the resource should be in. |
| name | The name. |
| order | The order of the Authentication Provider (0 is highest) |
| provider | resource. |
| provider_specific | The provider specific properties. |
| providerclassname | The provider class name. |
| timeout | Timeout for applying a resource. |
attributes
The extra authentication provider properties.
These are extra properties you add to the provider. This parameter is a sibling to attributesvalues. This parameter allows you to specify extra settings you pass to the creation of the authentication provider. They are only used when creating the authentication provider and not used during normal operation.
wls_authentication_provider{'my_athentication_provider':
...
attributes => ['attribute_a','attribute_b'],
attribute_values => ['value_for_a', 'value_for_b']
...
}
Back to overview of wls_authentication_provider
attributesvalues
The extra authentication provider property values.
This parameter is a sibling to attributes. This parameter allows you to specify extra settings you pass to the creation of the authentication provider. They are only used when creating the authentication provider and not used during normal operation.
wls_authentication_provider{'my_athentication_provider':
...
attributes => ['attribute_a','attribute_b'],
attribute_values => ['value_for_a', 'value_for_b']
...
}
Back to overview of wls_authentication_provider
authentication_provider_name
The authentication provider name.
To identify an authentication provider, use:
wls_authentication_provider{'domain/authentication_provider_name':
...
}
Back to overview of wls_authentication_provider
control_flag
The control flag.
Here is an example on how to use this:
wls_authentication_provider{'my_provider':
...
control_flag => 'REQUIRED',
...
}
In older versions of the wls_config module, This property used Captialized key words. Now all upcase keywords are required.
Specifies how the authentication provider behaviour influences the total flow. For more information checkout the documentation of propery DefaultAuthenticatorMBean.ControlFlag in the WebLogic documentation.
Valid values are REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL.
Back to overview of wls_authentication_provider
disable_autorequire
Puppet supports automatic ordering of resources by autorequire. Sometimes, however, this causes issues. Setting this parameter to true, disables autorequiring for this specific resource.
USE WITH CAUTION!!
Here is an example on hopw to use this:
...{'domain_name/...':
disableautorequire => true,
...
}
Back to overview of wls_authentication_provider
disable_corrective_change
Disable the modification of a resource when Puppet decides it is a corrective change.
(requires easy_type V2.11.0 or higher)
When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.
Using the disable_corrective_change parameter, you can disable corrective changes on the current resource.
Here is an example of this:
crucial_resource {'be_carefull':
...
disable_corrective_change => true,
...
}
When a corrective ensure does happen on the resource Puppet will not modify the resource and signal an error:
Error: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change
Error: /Stage[main]/Main/Crucial_resource[be_carefull]/parameter: change from '10' to '20' failed: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change. (corrective)
Back to overview of wls_authentication_provider
disable_corrective_ensure
Disable the creation or removal of a resource when Puppet decides is a corrective change.
(requires easy_type V2.11.0 or higher)
When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.
Using the disable_corrective_ensure parameter, you can disable corrective ensure present or ensure absent actions on the current resource.
Here is an example of this:
crucial_resource {'be_carefull':
ensure => 'present',
...
disable_corrective_ensure => true,
...
}
When a corrective ensure does happen on the resource Puppet will not create or remove the resource and signal an error:
Error: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure.
Error: /Stage[main]/Main/Crucial_resource[be_carefull]/ensure: change from 'absent' to 'present' failed: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure. (corrective)
Back to overview of wls_authentication_provider
domain
With this parameter, you identify the domain, where your objects is in.
The domain name is part of the full qualified name of any WebLogic object on a system. Let’s say we want to describe a WebLogic server. The full qualified name is:
wls_server{'domain_name/server_name':
ensure => present,
...
}
When you don’t specify a domain name, Puppet will use default as domain name. For every domain you want to manage, you’ll have to put a wls_settings in your manifest.
Back to overview of wls_authentication_provider
ensure
The basic property that the resource should be in.
Valid values are present, absent.
Back to overview of wls_authentication_provider
name
The name.
Back to overview of wls_authentication_provider
order
The order of the Authentication Provider (0 is highest)
Specifies the order in which the providers will be called. For more information checkout the documentation of propery AuthenticationProviders in the WebLogic documentation. Here is an example on how to use this:
wls_authentication_provider{'my_provider':
...
order => 1, # Means it is the second (after 0)
...
}
Optionally, providers can be ordered by providing a value to the order paramater, which is a zero-based list. When configuring ordering order, it may be necessary to create the resources with Puppet ordering (if not using Hiera) or by structuring Hiera in matching order. Otherwise ordering may fail if not all authentication providers are created yet (by default the provider will be ordered last if it is greater than the number of providers currently configured).
Back to overview of wls_authentication_provider
provider
The specific backend to use for this wls_authentication_provider resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.Available providers are:
- prefetching
- Manage wls_authentication_providers
Back to overview of wls_authentication_provider
provider_specific
The provider specific properties.
This value is a Hash that contains key’s and values. Here is an example on how to use this:
wls_authentication_provider { 'domain/MyLDAPAuthenticator':
...
provider_specific => {
'ResultsTimeLimit' => 300,
'SSLEnabled' => 0,
'Host' => 'ldap.enterprisemodules.com',
'ConnectTimeout' => '5000',
},
providerclassname => 'weblogic.security.providers.authentication.LDAPAuthenticator',
}
In this example the ResultsTimeLimit, SSLEnabled, Host and ConnectTimeout are the provider-specific properties for the weblogic.security.providers.authentication.LDAPAuthenticator class. In this example, we mix integer values and quoted integer values. It doesn’t matter. Internally all values are quoted and converted to their right representation.
For the logical value SSLEnabled, you must use 0 for false and 1 for true. When you use the values false or true, the changes are not idempotent.
When you specify a key value that the provider doesn’t understand or a value that is invalid for the specific property, the puppet type will fail with the error
Error: Failed to apply catalog: command in daemon failed.
ATTENTION:
Most of the properties from the wls_authentication_provider need a restart from the Admin server. If you don’t restart the server, the changes will not be applied, and Puppet will redo them.
Back to overview of wls_authentication_provider
providerclassname
The provider class name.
This is the class name of the authentication provider you are creating. This is a parameter and will only be used during creatio of the provider. You cannot change a class name of a provider.
wls_authentication_provider{'my_athentication_provider':
...
classname => 'LDAPAUthenticator'
...
}
Check The WebLogic documentation for a list of valid classes.
Back to overview of wls_authentication_provider
timeout
Timeout for applying a resource.
To be sure no Puppet operation, hangs a Puppet daemon, all operations have a timeout. When this timeout expires, Puppet will abort the current operation and signal an error in the Puppet run.
With this parameter, you can specify the length of the timeout. The value is specified in seconds. In this example, the timeout is set to 600 seconds.
wls_server{'my_server':
...
timeout => 600,
}
The default value for timeout is 120 seconds.
