Paul Cannon's BI Blog: Configuring LDAP Authentication for OBIEE 11g

Sunday, 15 July 2012

Configuring LDAP Authentication for OBIEE 11g

This blog shows an example of how to configure LDAP authentication for OBIEE 11g (11.1.1.6) using Active Directory. Configuring LDAP authenticaton is a complex process, so below simply shows the steps I went through - additional steps may be required, espeically if using an LDAP other than AD.

Rather then modify the existing default 'myrealm' security realm in Weblogic, these instructions show the setting up of a new realm - this enables the original realm to be reinstated easily should problems occur. Hence why this is a somewhat lengthy posting.

Click on Security Realms in the Domain Structure panel on the left hand side

We do not want to alter the default ‘myrealm’ security realm as this is our back-out route should anything go wrong – as we are dealing with security a mistake could prevent the weblogic user from being able to login, so we’ll retain the ability to revert back to the default realm.

Before we can make changes we have to lock the session. Click the Lock & Edit button in the top left corner:

In the Realms list, the New button is now available, so click it.

In the Create a New Realm screen enter a name for the Realm, leave the ‘Ignore Deploy Credential Mapping’ check box un-ticked and click ok.

This may generate some errors because the new Realm isn’t setup properly. If you get these, click the Cancel button and the Realm will still be created.

The first thing we need to do is setup the new Realm in exactly the same way as the default ‘myrealm’. Unfortunately there isn’t a copy option.

Click on the new Realm name.

In the settings screen, click on the Providers tab then the Authentication sub-tab

Under Application Providers, click ‘New’:

Enter the name of DefaultAuthenticator (must match exact case and spelling) and select the type DefaultAuthenticator from the drop down box. Click Ok.

You can now see this new provider. Click on the provider name to edit its settings.

In the common tab, change the Control Flag to REQUIRED. Click save.

In the Provider Specific tab, check the ‘Use Retrieved User Name As Principal’, leave the other check boxes unchecked and set the final three options to 8, unlimited and 0 respectively. Click Save.

To return to the Providers list, click the ‘Providers’ link in the breadcrumb trail at the top of the screen:

Now click New again.

This time enter the name DefaultIdentityAsserter (must match exact case and spelling) and select DefaultIdentityAsserter from the drop down list. Click Ok.

Now click on DefaultIdentityAsserter.

In the common tab select the Authenticateduser option from the list of Active Types and click the

icon to move it to the chosen window. Click Save.

In the Provider Specific tab leave the default settings in place.

Now click the ‘providers’ list in the breadcrumb trail again.

Now still under the Providers tab, click the Password Validation sub-tab

Click New.

Enter the name of SystemPasswordValidator (must match exact case and spelling) and select the type SystemPasswordValidator from the drop down box. Click Ok.

Now click on the SystemPasswordValidator to edit its settings.

Go to the Provider Specific tab and change the minimum password length to 8. The other settings in this screen all relate to the contents of passwords and can be left at the default values unless you want to alter them to specific values.

Click Save.

Now click the ‘providers’ list in the breadcrumb trail again. Then select the Authorization sub-tab:

Click New.

Enter the name of XACMLAuthorizer (must match exact case and spelling) and select the type XACMLAuthorizer from the drop down box. Click Ok.

There are no configuration settings required for the Authorization Provider.

Now select the Adjudication sub-tab.

Click New.

Enter the name of DefaultAdjudicator (must match exact case and spelling) and select the type DefaultAdjudicator from the drop down box. Click Ok.

There are no configuration settings required for the Adjudication Provider.

Now select the Role Mapping sub-tab.

Click New.

Enter the name of XACMLRoleMapper (must match exact case and spelling) and select the type XACMLRoleMapper from the drop down box. Click Ok.

There are no configuration settings required for the Role Mapping Provider.

Now select the Credential Mapping sub-tab.

Click New.

Enter the name of DefaultCredentialMapper (must match exact case and spelling) and select the type DefaultCredentialMapper from the drop down box. Click Ok.

There are no configuration settings required for the Credential Mapping Provider.

Now select the Certification Path sub-tab.

Click New.

Select WebLogicCertPathProvider from the drop down pick-list. Click Next.

Enter WebLogicCertPathProvider as the name of the provider. Click Next.

Leave the ‘Replace Existing Builder’ as unchecked. Click Finish.

Now click on the WebLogicCertPathProvider to edit its settings.

In the Common tab, check the ‘Current Builder’ check box. Click Save.

Now click the ‘providers’ list in the breadcrumb trail again.

The basic configuration of the new realm is now complete.

Click the Activate Changes button in the top left corner.

If successful this returns the following message:

We now need to restart the weblogic service. Logout of the console and perform a full shutdown and restart of OBIEE and Weblogic.

Then log back into the Weblogic Console.

We now have a duplicate realm setup, but there are no users in it. Later on we’ll be setting up a third provider to connect to the Active Directory server, but before then there are a few internal users required.

These however can be copied from the default ‘myrealm’ realm.

Click on the Security Realm link in the Domain Structure window again.

Click on myrealm.

Click on the Migration tab, then the Export sub-tab. Create a directory to store the realm export files, enter it into the ‘Export Directory on Server:’ field and check the ‘Overwrite’ option .

Click Save to perform the export.

This creates a number of files in the export directory:

Now click on the Security Realms link in the Domain Structure window again. This time click on the new LDAP_Realm. Again go to the Migration tab, but this time select the Import sub-tab.

Enter the export directory path again and click Save. You should see the following messages:

We are now ready to create the Authentication Provider to connect to the Active Directory server.

Click the Lock & Edit button again.

Now click on the Providers tab, then the Authentication sub-tab.

Click the New button again.

Enter a name for the Provider, e.g. MSAD_Provider and select the appropriate LDAP Authenticator, in this case ActiveDirectoryAuthenticator, from the drop down list.

Click Ok.

Click on MSAD_Provider to edit its details.

In the Common tab, change the Control Flag to SUFFICIENT. Click Save.

In the provider Specific tab enter the following details, adjusting them to suite your environment.

Field	Value
Host	localhost
Port	389
Principal	CN=Administrator,CN=Users,DC=obiee,DC=local,DC=com
Credential & Confirm Credential	Enter the password for the Administrator user in Active Directory.
SSLEnabled	No
User Base DN	CN=Users,DC=obiee,DC=local,DC=com
All Users Filter	(\|(memberOf=CN=Users,DC=obiee,DC=local,DC=com))
User From Name Filter	(&(uid=%u)(objectclass=user))
User Search Scope	subtree
User Name Attribute	cn
User Object Class	User
Use Retrieved User Name as Principal	No
Group Base DN	CN=Users,DC=obiee,DC=local,DC=com
All Groups Filter	(&(uid=*)
Group From Name Filter	(&(cn=%g)(objectclass=group))
Group Search Scope	subtree
Group Membership Searching	unlimited
Max Group Membership Search Level	0
Ignore Duplicate Membership	No
Static Group Name Attribute	cn
Static Group Object Class	group
Static Member DN Attribute	member
Static Group DNs from Member DN Filter	(&(member=%M)(objectclass=group))
Dynamic Group Name Attribute	Leave blank
Dynamic Group Object Class	Leave blank
Dynamic Member URL Attribute	Leave blank
User Dynamic Group DN Attribute	Leave blank
Connection Pool Size	6
Connect Timeout	0
Connection Retry Limit	1
Parallel Connect Delay	0
Results Time Limit	0
Keep Alive Enabled	No
Follow Referrals	Yes
Bind Anonymously On Referrals	No
Propagate Cause For Login Exception	No
Cache Enabled	yes
Cache Size	32
Cache TTL	60
GUID Attribute	Objectguid

Note: If you don’t know the DN details for your users and groups, with Active directory you can discover these using the dsquery command from a command prompt.

When complete, Click Save. Return to the Providers list.

We now need to change the order so that the MSAD_Provider is first in the list. Click the Reorder button.

Check the MSAD_Provider option and click the icon to put it top. Then click Ok.

The new Security Realm is now setup, but before we activate it we need to check it is working correctly.

Click the Activate Changes button to save all recent changes, then logout of the console and perform a full restart of Weblogic and OBIEE again.

Once complete, log back into the console.

Click on Security Realms, then the new LDAP_Realm and finally click on the ‘Users and Groups’ tab.

Click on ‘Customize this table’. In the Filter window that opens up, enter the name of a user in the Criteria

field and click apply.

The user you entered should now appear in the user list. If it does not then something is not right with the new provider details.

Return to the Providers tab, click on the MSAD_Provider, then the Provider Specific sub-tab and recheck all of the details, especially the User Base DN, Group Base DN and Principal & Credential fields. You will then need to restart weblogic again and perform this test again before continuing.

If the configuration is correct you will see the user and note that the Provider of the user MSAD_Provider.

You can use wild cards to see users, e.g. entering the Criteria of p* returns:

If you click on one of the users you see which groups they belong to, also picked up from the LDAP:

Similarly you can view the Groups being picked up from the LDAP:

If all is correct we now need to configure the domain to make this new realm the default one for Weblogic.

First click the Lock & Edit button. Then In the Domain Structure panel, click on the bifoundation_domain link.

Go to the Security tab and change the Default Realm option to Realm. Then click Save.

Click the Activate Changes button again, then logout of the console and perform a full restart of Weblogic and OBIEE again.

Now that Weblogic is configured to allow authentication to Active Directory, OBIEE itself needs to be instructed to tell weblogic to use it.

Expand the Weblogic Domain, the right click on bifoundation_domain, select Security -> Security Provider Configuration

If the Identity Security Store section is compressed, click the + icon to expand it:

Then click on Configure.

Click the Add icon.

For the new property enter the name of user.login.attr and the value of cn. Click ok.

Repeat this to add two more properties:

Name: username.attr value: cn

Name: virtualize value: true

Note, if the LDAP does not have a GUID (Global User ID field), then OBIEE need to be altered to use a different field as the unique identifier. This is done by adding a fourth field into this screen:

Name: PROPERTY_ATTRIBUTE_MAPPING value: GUID=cn

The value is the entire string 'GUID=cn', where cn is the alternative attribute in the LDAP - it can be any field, not just cn, however usually cn is the user-name and hence will be unique if no other specifically unique field exists.

The final step is to give users permission to login.

From the menu in the left hand pane expand Business Intelligence and select coreapplication.

From the Business Intelligence Instance menu select Security -> Application Roles

Normally at this point you would assign the Active Directory groups to the BI Roles in this screen. For now however we are simply going to allow any authenticated user to login as an Administrator.

Click on BIAdministrator and then click the Edit icon.

Click the Add icon.

Leave the type as Application Role and just click the go icon. When the list of roles appears, select ‘authenticated-role’ and click OK.

Back in the Edit Application Role screen click OK to save the change.

Finally perform a full restart of Weblogic and OBIEE again.

You should be able to login to OBIEE with an LDAP user-id and password.

30 comments:

Unknown6 November 2012 at 12:31
In the blog http://www.rittmanmead.com/2010/11/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/ it says that the weblogic user cannot login to OBIEE analytics. Will your approach of creating a new realm resolve that issue? Will the user 'weblogic' still work in OBIEE?
ReplyDelete
Replies
Paul Cannon7 November 2012 at 10:50
Sha,

Enabling the weblogic user to still work is nothing to do with the new realm approach above - it can be made to work if the myrealm realm is used for ldap. Its the virtualize=true setting in the Enterprise Manager Security Provider Configuration that allows OBIEE to authenticate against either weblogic directory or the ldap rather than just the ldap.

Regards,

Paul.
ReplyDelete
Replies
Unknown20 November 2012 at 07:38
Hello -

I had a couple of questions:

1. What does this do?
Name: username.attr value: cn
Name: virtualize value: true

2. I configured the AD as you mentioned above and everything is working really good (thanks !). The only problem is, I can login with the user name i.e. 'Tom Alt' instead of his id 'talt'. Any idea why this is happening and how I can change it to use id.

Thanks !
ReplyDelete
Replies
Geoff29 November 2012 at 12:43
Hi Paul,

Are you aware of a way that an LDAP authenticator can be used when user names and pw are not stored in the same place? That is pw in LDAP provider != pw used by users to log in. Is there an additional provider that I might be able to use after a user name is verified to exist by the LDAP authenticator?

Thanks,

Geoff
ReplyDelete
Replies
Paul Cannon30 November 2012 at 00:30
Geoff,

does the place where the passwords are stored also contain the user names? if so could you not authenticate against that rather than your ldap?

If not, then the answer is probably to write your own custom authenticator - details on how do to this are in the obiee security guide.

Paul.
ReplyDelete
Replies
Loma10 December 2012 at 09:19
Hello Paul,

I made the preceding configuration as it is, and i can see Active Directory users in the weblogic console.

The problem is, i cannot log in to the Answers using Active Directory ID and Password.
ReplyDelete
Replies
Paul Cannon10 December 2012 at 10:26
Lorna,

can your users login to Dashboards? - is the problem generic to all of OBIEE or specific to just Answers?

If the former then you must have not mapped the authentication through to the enterprise manager correctly. If you edit the application roles can you add a user? you should be able to enter a user id and click search and it will respond with the user name from the AD. If it doesn't recheck the steps above from the point of logging into the fusion enterprise manager.

If the users can login to dashboards, but not answers then I think this is just a application role assignment issue. Unless you've changed it the BIConsumers role includes then generic 'authenticated-users' group, but BIConsumers role can't see Answers. It's the BIAuthors role that can access answers, so if you want all users to see answers add the authenticated-users to the BIAuthors role or add to it the individual users or the AD group that covers the users that need answers.

Hope this helps,

Paul.
ReplyDelete
Replies
Unknown17 February 2013 at 00:15
Hello Paul,

I tried to configure active directory in our Dev instance using the steps provided by you. I am able to see Active Directory users in weblogic console. But when I make changes username.attr, user.login.attr and virtualize properties in BI console - on system restart I am getting the below error -

Caused By: oracle.security.jps.service.igf.IGFException: JPS-02592: Failed to push ldap config data to libOvd for service instance "idstore.ldap" in JPS context "default", cause: java.lang.Exception: Not able to find remote base java.lang.NullPointerException

Do I need to do any additional steps as well.

Thanks for the assistance.

Regards,
Vishal
ReplyDelete
Replies
Unknown20 May 2013 at 03:18
HI Paul,

i am Getting below error after implementing OID Security in OBIEE 11g 11.1.1.7

Error retrieving user/group data from Oracle BI Server's User Population API. Odbc driver returned an error (SQLExecDirectW). State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. An error message was received from the BI Security Service: SecurityService::executeIdentity store provider error (HY000) SQL Issued: {call NQSSearchIdentities('USERS','NAME_PATTERN=weblogic*')}

Regards,
Manish

ReplyDelete
Replies
Unknown3 June 2013 at 18:27
HI Paul,
We were able to successfully configure OBIEE 11_1_1_6_8 with MSAD. We are also able to see the groups and the usernames. But we have two of the issues as below:

1. We have assigned the MSAD Groups with BI AUTHOR Role in the Application Roles Screen, but unfortunately the users belonging to the group are not able to sign in. It gives the invalid username/password error. On the same note,

2. Some of the users who do not belong to any of the MSAD groups are able to login with Admin Privileges. The credentials are from MSAD for these users, and it also displays the name correctly in "Signed in AS". I have also checked to see if they are part of BI Administrator, and they are not.

Can you please help us in this matter.

Thanks
VK
ReplyDelete
Replies
Unknown11 September 2013 at 08:49
Hi
I am new to obiee , I am not able to log into analytics after creating a provider in console so i went and deleted the provider. I am able to log into EM and Console but not into analytics. I don't know what to do and how to solve the issue.

Thanks
Mbnr
ReplyDelete
Replies
gfucka24 October 2013 at 08:04
Hi, in my company we have an active directory with no group. Can we use ldap with obiee??
ReplyDelete
Replies
Unknown13 May 2014 at 07:59
Hi Paul,
I am having an issue with Active Dir Groups.
I have two AD groups (say AD1 and AD2).
In WebLogic Sever after reordering, AD1 is at the top.
In Ent Mgr I have given both AD1 and AD2 BIAuthor Role.
But every user in the AD1 group have the modify auth, but users in AD2 have read only
access.
I want to give both AD groups modify access.

Please help me out. Thanks in advance

James
ReplyDelete
Replies
Paul Cannon15 May 2014 at 11:29
James,

I've had difficulties directly giving permissions to AD (or any LDAP) group in OBIEE as well. The trick I usually use is to setup BI groups in the enterprise manager (bi_server1 security roles screen) which mirror the ldap groups. Set the ldap group to be the only member of the BI group and then set your BI permissions on the BI group instead.

hope that helps.

Paul
ReplyDelete
Replies
Ravi K9 June 2014 at 16:34
Hi Paul,

Great document.. excellent job on the explanation.. we have configured the LDAP and working for the users. However, we are unable to use the Administrator user name anymore for doing administration on the BI presentation. I checked and this user name is not working.. saying the user name or password is not correct. Is there a way to get to one of the user to do the administration?

thanks,
ReplyDelete
Replies
21st Century Software Solutions10 September 2014 at 01:38
This comment has been removed by a blog administrator.
ReplyDelete
Replies
Unknown8 March 2015 at 20:00
Hi Paul,

I have implemented LDAP active directory in obi 11 g. I can see all the AD users in myrelm but when I ran the data load I got following error:

[2015-03-08T15:00:15.205-06:00] [odi_server1] [ERROR] [] [oracle.odi.core] [tid: 22] [userId: ] [ecid: 0000KjvC0uY7u11_ztk3yW1KzAgk00000P,0] [APP: oraclediagent] odi.core.security.SecurityManager.validateUserName detected opss user:BIAppsSystemUser has different guid in external store and repos. in ext store guid:14bf9ba137184141926fa1e6434b7f61, in repos guid:\a1\9b\bf\14\18\37\41\41\92\6f\a1\e6\43\4b\7f\61, the ldap user unique name is:CN=BIAppsSystemUser,OU=people,OU=pnmr,DC=pnmr,DC=internal,DC=corp
[2015-03-08T15:00:15.234-06:00] [odi_server1] [WARNING] [ODI-1436] [] [tid: 22] [userId: ] [ecid: 0000KjvC0uY7u11_ztk3yW1KzAgk00000P,0] [APP: oraclediagent] Error retrieving ID statistics for repository BIAPPS_WORKREP.[[
oracle.odi.core.security.BadCredentialsException: ODI-10166: The RunAsUser: BIAppsSystemUser has different GUID in ODI repository and external user identity store.

After sometime Weblogic oraclediagent stopped working and gave the when trying to start giving the same GUID mismatch error in ODI and LDAP AD for BIAppsSystemUser. AND LDAP AD GUID is 14BF9BA1-3718-4141-926F-A1E6434B7F61 for the same . Please suggest something asap.
ReplyDelete
Replies
Unknown24 July 2015 at 09:02
This comment has been removed by the author.
ReplyDelete
Replies
Unknown24 July 2015 at 09:04
I followed the above steps and created the realm and ldap
I created a new Realm I was able to bring all the users and groups related to DefaultAuthenticator
But when I create the LDAP
I get the following error

"Connection error: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]. "

And also I get this error

"Failed to retrieve users.
Supplemental Detail org.openliberty.arisid.stack.ConnectionException: Invalid Credentials: entity= op=search mesg=Invalid Credentials LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
at com.oracle.ovd.arisid.OvdStackProvider.mapResultCode(OvdStackProvider.java:640)
"
And

"Invalid Credentials: entity= op=search mesg=Invalid Credentials LDAP Error 49 : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1] "

We checked the credentials(password), and it is absolutely right.
We crosschecked the DN configuration for the LDAP and our network team confirms that its right.
I also tried the IP address instead of Host name still I have the same issue.

Our OBIEE version is 11.1.1.7.131017 (Build 131008.1224.5 64-bit)

Please help
ReplyDelete
Replies
Skdeore14 October 2015 at 07:07
Hi Paul,

I have completed all your steps, but when I configured Identity store provider configuration in EM with the addition of new property virtualize true.
my BI server is not coming up.
please help.

Thanks,
Sunil
ReplyDelete
Replies
Unknown28 October 2015 at 19:49
Hi Paul, getting following error when update GUID.
[2015-10-28T17:05:17.000+07:00] [OBIPS] [ERROR:31] [] [saw.subsystem.catalog.initialize.upgrade] [ecid: ] [tid: ] Failed while trying to update Account GUIDs
Error occurred while collecting map of new GUIDs from back end
Error retrieving user/group data from Oracle BI Server's User Population API.
Odbc driver returned an error (SQLExecDirectW).
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred.
[nQSError: 43113] Message returned from OBIS.
An error message was received from the BI Security Service: SecurityService::logAndCastExceptionSecurity web service caught an unexpected error (HY000)
SQL Issued: {call NQSSearchIdentities('USERS','NAME=biadmin,biadministrator,bisystemuser')}[[
File:initializecatalog.cpp
Line:1104
Location:
saw.subsystem.catalog.initialize.upgrade
saw.subsystem.catalog.initialize
saw.subsystems.catalogbootstrapper.loadcatalog
saw.webextensionbase.init
saw.sawserver
ecid:
Ur inputs are much appreciated.
ReplyDelete
Replies
Unknown15 January 2016 at 11:09
is it needed to restart all services and Guid refreash to reflect LDAP
ReplyDelete
Replies
Anonymous8 April 2017 at 08:26
Great stuff provided by the Admin here… look into this for Obiee online training
ReplyDelete
Replies
Unknown26 April 2018 at 22:25
Informative post. Thanks for sharing.

OrangeHRM LDAP Integeration Module
ReplyDelete
Replies
Harsh Vardhan28 October 2021 at 05:12
Excellent article and this helps to enhance your knowledge regarding new things. Waiting for more updates.
Data Type In PHP
Boolean In PHP
ReplyDelete
Replies
Liyaz6 May 2022 at 04:24
Nice blog...Thanks for commenting…

How to improve the communication skills in English
Ways to improve communication skills in English
ReplyDelete
Replies
milka19 September 2022 at 00:06
Great post. keep sharing such a worthy information.
German Language Course In Chennai
ReplyDelete
Replies
Foxpass6 October 2022 at 00:46
Thanks for sharing such a wonderful blog. All things were explained in such a way that they are easy to understand. We as Foxpass providing you best LDAP Authentication. Give us chance.
ReplyDelete
Replies

Add comment