
Restart Admin Server for AD authenticator

Open joewimmer opened this issue 9 years ago • 13 comments

So the Active Directory authenticator is present only after I restart the admin server. I've seen how you restart the admin server in the hiera config but not with a defined resource. Am I missing a meta-parameter?

  wls_authentication_provider { 'ActiveDirectoryAuthenticator':
    ensure            => 'present',
    control_flag      => 'SUFFICIENT',
    providerclassname => 'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator',
    attributes        => 'Credential;GroupBaseDN;GroupFromNameFilter;GroupMembershipSearching;Host;MaxGroupMembershipSearchLevel;Principal;UserBaseDN;UserFromNameFilter;UserNameAttribute;Port',
    attributesvalues  => 'Issw1234;DC=ad,DC=company,DC=org;(&(sAMAccountName=%g)(objectclass=group));limited;ad.company.org;0;CN=SER_WASadmin,OU=Service Accounts,DC=ad,DC=company,DC=org;DC=ad,DC=company,DC=org;(&(sAMAccountName=%u)(objectclass=user));sAMAccountName;389',
    order             => '0',
  }

joewimmer avatar Apr 08 '15 03:04 joewimmer

Hi,

There is no attribute for this, but you can use the wls_adminserver type and subscribe to the ActiveDirectoryAuthenticator type. When something changes on this AD resource it will restart the adminserver.

Hope this helps

biemond avatar Apr 08 '15 07:04 biemond

Here is what I have. Still can't seem to get the admin server to restart. I have tried a subscribe and a notify. No luck..

  orawls::control { 'start_admin_server':
    middleware_home_dir => $middleware_home_dir,
    weblogic_home_dir   => $weblogic_home_dir,
    jdk_home_dir        => $java_home_dir,
    wls_domains_dir     => $domains_dir,
    domain_name         => $domain_name,
    server_type         => 'admin',
    target              => 'Server',
    server              => 'AdminServer',
    adminserver_address => $admin_server_address,
    adminserver_port    => $admin_server_port,
    nodemanager_port    => $nodemanager_port,
    action              => 'start',
    weblogic_user       => $wls_os_user,
    weblogic_password   => $wls_user_password,
    jsse_enabled        => false,
    custom_trust        => false,
    os_user             => $wls_os_user,
    os_group            => $wls_os_group,
    download_dir        => $download_dir,
    log_output          => false,
  }



  wls_authentication_provider { 'ActiveDirectoryAuthenticator':
    ensure            => 'present',
    control_flag      => 'SUFFICIENT',
    providerclassname => 'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator',
    attributes        => 'Credential;GroupBaseDN;GroupFromNameFilter;GroupMembershipSearching;Host;MaxGroupMembershipSearchLevel;Principal;UserBaseDN;UserFromNameFilter;UserNameAttribute;Port',
    attributesvalues  => 'mapped values',
    order             => '0',
    notify            => Wls_adminserver['start_admin_server:AdminServer'],
  }

Any ideas?

joewimmer avatar Apr 08 '15 18:04 joewimmer

OK,

You should use the wls_adminserver type directly, like I did here: https://github.com/biemond/biemond-orawls-vagrant/blob/master/puppet/hieradata/admin.example.com.yaml#L224

With the matching site.pp, which reads the hiera definitions:

https://github.com/biemond/biemond-orawls-vagrant/blob/master/puppet/manifests/site.pp#L308

Control is just a manifest and no puppet type.

biemond avatar Apr 08 '15 19:04 biemond

Like this?

  $domain_dir = "${domains_dir}/${domain_name}"

  wls_adminserver { 'AdminServer':
    ensure                    => 'running',   # running|start|abort|stop
    server_name               => 'AdminServer',
    domain_name               => $domain_name,
    domain_path               => $domain_dir,
    os_user                   => $wls_os_user,
    weblogic_home_dir         => $weblogic_home_dir,
    weblogic_user             => $wls_os_user,
    weblogic_password         => $wls_user_password,
    jdk_home_dir              => $java_home_dir,
    # Fixed: the variable defined elsewhere in this thread is $admin_server_address;
    # the original used the undefined $adminserver_address, which evaluates to empty.
    nodemanager_address       => $admin_server_address,
    nodemanager_port          => $nodemanager_port,
    subscribe                 => Wls_authentication_provider['ActiveDirectoryAuthenticator'],
  }

Also with:

  wls_authentication_provider { 'ActiveDirectoryAuthenticator':
    ensure            => 'present',
    control_flag      => 'SUFFICIENT',
    providerclassname => 'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator',
    attributes        => 'Credential;GroupBaseDN;GroupFromNameFilter;GroupMembershipSearching;Host;MaxGroupMembershipSearchLevel;Principal;UserBaseDN;UserFromNameFilter;UserNameAttribute;Port',
    attributesvalues  => 'mapped values',
    order             => '0',
  }

PS: I am using orawls v1.0.21 btw

joewimmer avatar Apr 08 '15 19:04 joewimmer

Yeah, indeed.

Only the refreshonly => true parameter is missing, so it will only restart it when there is a change.

biemond avatar Apr 08 '15 19:04 biemond

Using the Orawls::control works, but only after I manually restart the server. When I use wls_adminserver it fails completely. I feel like it's an ordering issue?

joewimmer avatar Apr 08 '15 21:04 joewimmer

You need to have 2 entries: one after the domain creation to start up the adminserver (without subscribe), and the subscribe, refreshonly one after the wls authentication provider.

You cannot reuse the first one.

biemond avatar Apr 09 '15 05:04 biemond
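The two-resource pattern the maintainer describes above (and the subscribe approach he suggested earlier), as an added example that is not from this thread or from the module's own examples. It assumes the variable names used elsewhere in the thread, that a wls_adminserver title may differ from its server_name, and an assumed $ad_bind_password variable looked up from hiera so the bind credential is not a literal in the manifest.

```puppet
# Assumed variables: the same names this thread uses ($domain_name, $domain_dir,
# $wls_os_user, $wls_user_password, $weblogic_home_dir, $java_home_dir,
# $admin_server_address, $nodemanager_port) plus an assumed $ad_bind_password.

# 1. Initial start, placed after domain creation. No subscribe and no
#    refreshonly: it only acts when the server is not already running.
wls_adminserver { 'AdminServer_start':
  ensure              => 'running',
  server_name         => 'AdminServer',
  domain_name         => $domain_name,
  domain_path         => $domain_dir,
  os_user             => $wls_os_user,
  weblogic_home_dir   => $weblogic_home_dir,
  weblogic_user       => $wls_os_user,
  weblogic_password   => $wls_user_password,
  jdk_home_dir        => $java_home_dir,
  nodemanager_address => $admin_server_address,
  nodemanager_port    => $nodemanager_port,
}

# The provider is configured through the running AdminServer, so it requires
# the start resource. Attribute names and values are paired by position.
wls_authentication_provider { 'ActiveDirectoryAuthenticator':
  ensure            => 'present',
  control_flag      => 'SUFFICIENT',
  providerclassname => 'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator',
  attributes        => 'Host;Port;Principal;Credential;UserBaseDN;GroupBaseDN;UserNameAttribute',
  attributesvalues  => "ad.example.org;389;CN=svc_wls,OU=Service Accounts,DC=example,DC=org;${ad_bind_password};DC=example,DC=org;DC=example,DC=org;sAMAccountName",
  order             => '0',
  require           => Wls_adminserver['AdminServer_start'],
}

# 2. Restart-only resource with its own title. refreshonly => true means it
#    does nothing on a normal run and only restarts the AdminServer when the
#    subscribed provider resource reports a change.
wls_adminserver { 'AdminServer_restart':
  ensure              => 'running',
  server_name         => 'AdminServer',
  domain_name         => $domain_name,
  domain_path         => $domain_dir,
  os_user             => $wls_os_user,
  weblogic_home_dir   => $weblogic_home_dir,
  weblogic_user       => $wls_os_user,
  weblogic_password   => $wls_user_password,
  jdk_home_dir        => $java_home_dir,
  nodemanager_address => $admin_server_address,
  nodemanager_port    => $nodemanager_port,
  refreshonly         => true,
  subscribe           => Wls_authentication_provider['ActiveDirectoryAuthenticator'],
}
```

The sample host, DNs and service-account name are constructed placeholders; the first resource keeps the server up on every run, while the second fires only on the refresh event, so the two titles must stay distinct.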

So here is my entire code base for the admin server. This inherits code from a node manager class. There is some ordering down at the bottom. Not sure if that would conflict or not. Really grasping at straws here now...

Really appreciate the help so far.

class profile::weblogic_adminserver {

  # Include the managed node profile (version-specific) so we can get access to the variables defined there
  include "profile::weblogic_${::company_wl_version}"
  $profile_prefix = "profile::weblogic_${::company_wl_version}"

  # Variables (we get them from the managed node profile so we don't duplicate typing them)
  $domain_name          = getvar("${profile_prefix}::domain_name")
  $wls_os_user          = getvar("${profile_prefix}::wls_os_user")
  $wls_user_password    = getvar("${profile_prefix}::wls_user_password")
  $wls_os_group         = getvar("${profile_prefix}::wls_os_group")
  $java_home_dir        = getvar("${profile_prefix}::java_home_dir")
  $middleware_home_dir  = getvar("${profile_prefix}::middleware_home_dir")
  $weblogic_home_dir    = getvar("${profile_prefix}::weblogic_home_dir")
  $domains_dir          = getvar("${profile_prefix}::domains_dir")
  $download_dir         = getvar("${profile_prefix}::download_dir")
  $nodemanager_port     = getvar("${profile_prefix}::nodemanager_port")
  $admin_server_address = getvar("${profile_prefix}::admin_server_address")
  $admin_server_port    = getvar("${profile_prefix}::admin_server_port")


  $domain_dir = "${domains_dir}/${domain_name}"

  orawls::control { 'start_admin_server':
    middleware_home_dir => $middleware_home_dir,
    weblogic_home_dir   => $weblogic_home_dir,
    jdk_home_dir        => $java_home_dir,
    wls_domains_dir     => $domains_dir,
    domain_name         => $domain_name,
    server_type         => 'admin',
    target              => 'Server',
    server              => 'AdminServer',
    adminserver_address => $admin_server_address,
    adminserver_port    => $admin_server_port,
    nodemanager_port    => $nodemanager_port,
    action              => 'start',
    weblogic_user       => $wls_os_user,
    weblogic_password   => $wls_user_password,
    jsse_enabled        => false,
    custom_trust        => false,
    os_user             => $wls_os_user,
    os_group            => $wls_os_group,
    download_dir        => $download_dir,
    log_output          => false,
  }



  wls_setting { 'default':
    user              => $wls_os_user,
    weblogic_home_dir => $weblogic_home_dir,
    # Fixed: the original had "${$admin_server_port}" (double $), which is not a valid interpolation.
    connect_url       => "t3://${admin_server_address}:${admin_server_port}",
    weblogic_user     => $wls_os_user,
    weblogic_password => $wls_user_password,
  }

  orawls::storeuserconfig { 'storeuserconfig':
    domain_name         => $domain_name,
    weblogic_home_dir   => $weblogic_home_dir,
    jdk_home_dir        => $java_home_dir,
    adminserver_address => $admin_server_address,
    adminserver_port    => $admin_server_port,
    user_config_dir     => undef,
    weblogic_user       => $wls_os_user,
    weblogic_password   => $wls_user_password,
    os_user             => $wls_os_user,
    os_group            => $wls_os_group,
    download_dir        => $download_dir,
    log_output          => false,
  }

  wls_user { 'weblogic':
    ensure                 => 'present',
    authenticationprovider => 'DefaultAuthenticator',
    description            => 'weblogic user',
    password               => 'weblogic1',
    realm                  => 'myrealm',
  }

  wls_user { 'ser_dvapp':
    ensure                 => 'present',
    authenticationprovider => 'DefaultAuthenticator',
    description            => 'weblogic user',
    password               => $wls_user_password,
    realm                  => 'myrealm',
  }

  wls_group { 'Administrators':
    ensure                 => 'present',
    authenticationprovider => 'DefaultAuthenticator',
    description            => 'SuperUsers',
    realm                  => 'myrealm',
    users                  => ['weblogic', 'ser_dvapp'],
  }

  wls_authentication_provider { 'ActiveDirectoryAuthenticator':
    ensure            => 'present',
    control_flag      => 'SUFFICIENT',
    providerclassname => 'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator',
    attributes        => 'Credential;GroupBaseDN;GroupFromNameFilter;GroupMembershipSearching;Host;MaxGroupMembershipSearchLevel;Principal;UserBaseDN;UserFromNameFilter;UserNameAttribute;Port',
    attributesvalues  => 'Issw1234;DC=ad,DC=company,DC=org;(&(sAMAccountName=%g)(objectclass=group));limited;ad.company.org;0;CN=SER_WASadmin,OU=Service Accounts,DC=ad,DC=company,DC=org;DC=ad,DC=company,DC=org;(&(sAMAccountName=%u)(objectclass=user));sAMAccountName;389',
    order             => '0',
  }

  wls_adminserver { 'AdminServer':
    ensure                    => 'running',   # running|start|abort|stop
    server_name               => 'AdminServer',
    domain_name               => $domain_name,
    domain_path               => $domain_dir,
    os_user                   => $wls_os_user,
    weblogic_home_dir         => $weblogic_home_dir,
    weblogic_user             => $wls_os_user,
    weblogic_password         => $wls_user_password,
    jdk_home_dir              => $java_home_dir,
    # Fixed: this class defines $admin_server_address; the original referenced the
    # undefined $adminserver_address, which evaluates to an empty string.
    nodemanager_address       => $admin_server_address,
    nodemanager_port          => $nodemanager_port,
    refreshonly               => true,
    subscribe                 => Wls_authentication_provider['ActiveDirectoryAuthenticator'],
  }

  ##
  ## Ordering Below!
  ##

  # NOTE: Revisit this, might have been too overzealous
  Class['orawls::weblogic'] -> Orawls::Domain<| |> -> Wls_setting<| |> -> Orawls::Nodemanager<| |> -> Orautils::Nodemanagerautostart<| |> -> Orawls::Control<| |>
  Orawls::Control<| |> -> Orawls::Storeuserconfig<| |> -> Wls_user<| |> -> Wls_group<| |> -> Wls_authentication_provider<| |>
}

joewimmer avatar Apr 09 '15 15:04 joewimmer

That looks fine.

What is the error you get? Can you post the 'puppet agent --test --trace' output, and maybe with --debug when it is not too big?

Thanks

biemond avatar Apr 10 '15 05:04 biemond

So I got it to work. It's hacky but it works. I found that restarting just the admin server wasn't really what I needed to do. My test for success was when I would go to Home > Summary of Security Realms > myrealm > Users and Groups, there would be a list of Active Directory users listed. This whole time I was presented with a message in that section saying I needed to restart the server to apply the changes. In the beginning the only way I knew to do this was either:

- from the console, shut down the admin server then restart it using puppet (wasn't sure how to do it via cmd line at the time), or
- kill the process and restart weblogic.

I found scripts in the domain directory to start and stop weblogic, not just the admin server. Apparently there is a difference... (not sure, I'm not a weblogic guru obviously)

So I created a service at the end that refreshed weblogic:

  service { 'weblogic':
    enable      => true,
    ensure      => running,
    provider    => base,
    stop        => "/projects/${domain_name}/bin/stopWebLogic.sh",
    start       => "/projects/${domain_name}/bin/startWebLogic.sh &",
    restart     => "/projects/${domain_name}/bin/stopWebLogic.sh ; /projects/${domain_name}/bin/startWebLogic.sh &",
    subscribe   => Wls_authentication_provider['ActiveDirectoryAuthenticator'],
  }

This works on the first run but not the second, but I can fix that. Unless you have a suggestion on how to make this better, you can probably close the issue now.

Again, Thanks for your help on this. Much appreciated

joewimmer avatar Apr 17 '15 16:04 joewimmer

Still so strange. This is not necessary. But if you can make a vagrant box then I will take a look at it.

By the way, you can use orautils and it will generate some handy scripts in /opt/scripts/wls.

biemond avatar Apr 18 '15 15:04 biemond

I would if I could. Company policy won't let me and you wouldn't be able to connect to AD to test anyway. (well, you shouldn't be able to..)

Are you the one laying down those scripts or is that oracle?

joewimmer avatar Apr 20 '15 13:04 joewimmer

I don't need your AD, only the site.pp / hiera config you use for my modules; if necessary I can use my own test AD. Can you add the configuration to some Dropbox folder and change all domain names, passwords etc.?


Thanks Edwin


biemond avatar Apr 20 '15 14:04 biemond