Setting up Active Directory with OBIEE 11g and the issues faced

Hi All,

I have recently been setting up Microsoft Active Directory with OBIEE 11g and assigning roles and privileges to users from LDAP, and faced a lot of issues. I am composing a document on all of them and will share my research soon.


Security topics covered in this post

1. How to set up LDAP along with Default Authenticator
2. How to add Users to Application Roles



How to set up Microsoft AD in OBIEE 11g


Every company has its own authentication system, which has to be configured along with OBIEE 11g. In OBIEE 10g this was done in the RPD; in 11g it is done in the WebLogic console.

1. Log in to the console at localhost:7001/console

2. Click on myrealm, then click on the Providers tab and then New to create a new LDAP connection.

3. Then enter the connection details of the LDAP. The details below are the ones I used for my connection.


Host: the host name, e.g. 10.132.45.3
Port: 7231
Principal: CN=OracleBIDEV,OU=Service Accounts,OU=IT Security,DC=corp,DC=spar,DC=net
Credentials: XXXXXXXX
User Base DN: DC=corp,DC=spar,DC=net
All User Filter: (&(sAMAccountName=*)(objectclass=user))
User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
User Name Attribute: sAMAccountName


If you also want to retrieve group information, fill in the corresponding group fields in the same way.

4. This is all the information you have to add. To set up the LDAP connection, the essentials are the Host, Principal and Credentials. The filters restrict the lookup to the actual user entries; without them you get every entry in the directory.


5. Once all the information is added, save and activate the changes. Then go back to the Providers page and reorder the providers so that the newly configured AD authenticator comes first.

6. With these changes done, the configuration in the console is complete.
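As an added illustration (not from the original post), the Python below shows what the User From Name Filter from step 3 expands to for a given login: WebLogic substitutes the login name for %u, and the name should be matched literally, so the example escapes filter metacharacters per RFC 4515 and also checks that a filter typed into the console has balanced parentheses. It contacts no server, and the exact escaping WebLogic applies internally is an assumption here.

```python
"""Expand the WebLogic "User From Name Filter" for a login name and
sanity-check filter strings before they are typed into the console.
Added stand-alone example; the escaping mirrors RFC 4515 and is assumed
to be what the authenticator does, it is not WebLogic's own code."""

# Filters exactly as configured in step 3 of the post.
ALL_USER_FILTER = "(&(sAMAccountName=*)(objectclass=user))"
USER_FROM_NAME_FILTER = "(&(sAMAccountName=%u)(objectclass=user))"

# RFC 4515 escapes for characters that carry meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally, not as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_user_filter(template: str, login_name: str) -> str:
    """Replace %u in the template with the escaped login name."""
    if "%u" not in template:
        raise ValueError("User From Name Filter must contain %u")
    return template.replace("%u", escape_filter_value(login_name))


def filter_is_balanced(flt: str) -> bool:
    """Cheap check for a single, fully parenthesised filter: it must start
    with '(' and its parentheses must close exactly at the last character.
    A missing closing parenthesis is a common typo in the console."""
    if not flt.startswith("("):
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0


if __name__ == "__main__":
    # "jethin" is a constructed login name; "*" shows why escaping matters:
    # unescaped it would turn the lookup into a match-any-user search.
    print(expand_user_filter(USER_FROM_NAME_FILTER, "jethin"))
    print(expand_user_filter(USER_FROM_NAME_FILTER, "*"))
    print(filter_is_balanced(ALL_USER_FILTER))
```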

7. In Enterprise Manager (em) there are a few more settings to configure; these add the user name attributes to the identity store configuration. Log in to em and follow the path below.

Weblogic-->bifoundation-->Security-->Security Provider Configurations

8. Click on the button Configure in the middle of the screen.



9. In the Custom Properties area, use the Add option to add the following three custom properties:

user.login.attr: sAMAccountName
username.attr: sAMAccountName
virtualize: true

The last property is important: it is what allows both the default authenticator and AD to be used together for logging in to Analytics. Keep this property, as it is also one of the fixes needed later when we add users to Application Roles.


10. Once these changes are made, click OK to save them.


11. The next step is to configure a new trusted user (optional, if required).

A trusted user has to be set up along with this. OBIEE ships with the default user BISystemUser, which is set as the trusted user out of the box. Since we are taking the approach of keeping both LDAP authentication and the default authenticator, we do not have to change it. It is nevertheless recommended to change the trusted user to a user in the LDAP. If you make this change, make sure the LDAP is always reachable when the services are brought up: if the trusted user cannot be authenticated at startup, LDAP authentication will not work, which is one of the common reasons why LDAP authentication fails.

12. To add the trusted user, navigate through the path mentioned below.

13. Choose oracle.bi.system-->system-user, click Edit, enter the user and make sure that the user exists in the LDAP.

14. Once the user is added, save the changes. Then stop and start the services so that the changes take effect.

15. After the services have started, log in to the console, follow the same path where the LDAP was configured, and click on Users and Groups.

16. Under Users, click on Customize this table and add filter conditions to search for a name. In the screenshot below I'm searching for my own name in the LDAP.


17. The LDAP now works; try logging in to Analytics using weblogic and your own user.

It works :)

Reference

Oracle Docs



Part 2, on how to add users to Application Roles, is linked below:

Adding Users to Application Roles and issues faced and resolved.


Thanks
Jethin
