OBIEE Online Training

Friday, January 27, 2012

OBIEE11g Integration with LDAP and configuration




Hi ALL,

               OBIEE 11g can work with many authentication providers. Out of the box it uses the WebLogic Default Authenticator (the embedded LDAP), which is what Enterprise Manager, Analytics and the WebLogic Server console authenticate against. Some companies struggled with the configuration when using other third-party providers. I worked with some customers to configure OBIEE 11g security against Microsoft Active Directory, and the steps below are what worked.



Active Directory Configuration With Weblogic.
Create a user in Active Directory; here it is deva. This is the functional (service) account that WebLogic will bind to AD with, so it only needs read access to the user and group subtrees, not domain admin rights.

The user's distinguished name, as shown in its AD properties:
CN=deva,OU=Accounts,OU=OBIEE,OU=IN,DC=reg1,DC=uat1Hex,DC=Hex,DC=com

Required info from LDAP team:

1) LDAP server host name and platform (OS type)
2) LDAP server IP
3) LDAP server port number
4) User path structure (object)

   e.g. the UAT1Hex path structure (path : functional user ID)
   GROUP:
   CN=Hex_BIUser,OU=Groups,OU=Accounts,OU=OBIEE,OU=IN,DC=reg1,DC=uat1Hex,DC=Hex,DC=com
   IN/OBIEE/accounts/Hex_1Bank
   SG = OU folder
     sub folder: OBIEE
     sub folder: Accounts

5) Group path structure (object)
   e.g. (path : functional user group)
   reg1.uat1Hex.Hex.com/IN/OBIEE/Accounts/Groups/Hex_BIUser

6) Access required for our functional ID: deva
--------------------------------------------------------------------------

1) LDIF export (ldifde) files: permission required for our functional ID (deva)
2) Windows Active Directory access required for our functional ID (deva)
3) Read access required for the functional ID (deva) to the properties of the users in AD



Environment used: Oracle BI EE version 11.1.1.5.0 and Microsoft Active Directory 2008 (Windows Server 2008 R2, 64-bit).

Configuring Active Directory Authenticator in Weblogic

In the WebLogic console, open the security realm, go to Providers > Authentication and create a new authentication provider of type Active Directory Authenticator; name it MSAD, as in this example. Click Finish.

Then go to the Default Authenticator's settings and set its Control Flag to SUFFICIENT. Set the Control Flag of the new MSAD provider to SUFFICIENT as well.

Reorder the providers so that MSAD is first and the Default Authenticator comes after it; that is the final order.

With both flags SUFFICIENT a login succeeds as soon as either provider accepts it: AD users are authenticated by MSAD, and the WebLogic admin user created at install still authenticates against the embedded LDAP. If the Default Authenticator is left at REQUIRED, every AD login fails, because that provider must also succeed and it does not know the AD users.

Save the settings and go to the Provider Specific tab. Enter the host, the port (the example below uses 3268, the global catalog port; 389 is the plain LDAP default) and the principal, which is the functional ID's DN:







Example of LDAP Configuration for Provider Specific:
---------------------------------------------------------------------------

Host: 10.10.10.10
Port: 3268
Principal: CN=deva,OU=FNDEPT,OU=MAIL,OU=SW2,OU=NDS,DC=reg1,DC=Hex,DC=Tech,DC=com
Credential: ldap deva functional id password
Confirm Credential: ldap deva functional id password
User Base DN: DC=Hex,DC=Tech,DC=com
All Users Filter: (&(memberof=CN=01UREG1GPCOBIEE,OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com)(sAMAccountName=*)(objectclass=user))
User From Name Filter: (&(memberof=CN=01UREG1GPCOBIEE,OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com)(sAMAccountName=%u)(objectclass=user))
User Name Attribute: sAMAccountName
User Object Class: user
Group Base DN: OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com
All Groups Filter: (&(sAMAccountName=*)(objectclass=group))
Group From Name Filter: (&(sAMAccountName=%g)(objectclass=group))
GUID Attribute: objectguid

(The DNs in this example come from a different environment than the UAT1Hex one shown earlier; the shape is what matters.)

A few points about these values:

- %u and %g are placeholders that WebLogic replaces with the login name and the group name at lookup time.
- The memberof clause in the two user filters limits the provider to members of the OBIEE group. Without it, every AD account under the User Base DN can authenticate to WebLogic, and OBIEE maps any authenticated user to BIConsumer by default; the console also lists only the first 1000 accounts (the AD MaxPageSize limit), so mapping users to roles becomes unusable in a large domain. Keep the filter tight.
- Port 3268 is the global catalog: searches span the whole forest, but only attributes replicated to the global catalog are returned, and like 389 it is unencrypted, so the functional ID's password and every user's login password cross the network in clear. Use 636 (LDAPS) or 3269 (global catalog over SSL) in production; see the SSL note in the references.
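Before restarting anything it is worth checking the Provider Specific values directly against AD. The following is an added example for this post, not WebLogic's code: it renders the User From Name and Group From Name filters the way the authenticator will (with the %u/%g value escaped per RFC 4515, so a hostile login name cannot add filter terms), flags the cleartext ports, and prints the equivalent ldapsearch command. The host, port, principal and filters are the ones from the example above; the command assumes the OpenLDAP ldapsearch client is installed.

```python
"""Render the authenticator's LDAP filters and build the matching ldapsearch
command so the Provider Specific values can be verified against the global
catalog before the managed servers are restarted. Added example for this
post; not WebLogic's own code. Assumes the OpenLDAP ldapsearch client."""

import shlex

# Provider Specific values copied from the example above.
PROVIDER = {
    "host": "10.10.10.10",
    "port": 3268,
    "principal": "CN=deva,OU=FNDEPT,OU=MAIL,OU=SW2,OU=NDS,DC=reg1,DC=Hex,DC=Tech,DC=com",
    "user_base_dn": "DC=Hex,DC=Tech,DC=com",
    "user_from_name_filter": (
        "(&(memberof=CN=01UREG1GPCOBIEE,OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com)"
        "(sAMAccountName=%u)(objectclass=user))"
    ),
    "group_base_dn": "OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com",
    "group_from_name_filter": "(&(sAMAccountName=%g)(objectclass=group))",
}

# RFC 4515 escapes for a value embedded in a search filter. WebLogic does its
# own %u/%g substitution; any hand-written check must escape the same way, or
# a login name such as "x)(objectclass=*" turns into extra filter terms.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, token: str, value: str) -> str:
    """Substitute %u or %g in a WebLogic filter template with an escaped value."""
    return template.replace(token, escape_filter_value(value))


def is_cleartext_port(port: int) -> bool:
    """389 (LDAP) and 3268 (global catalog) carry binds and passwords in clear;
    636 (LDAPS) and 3269 (global catalog over SSL) are the encrypted ones."""
    return port in (389, 3268)


def ldapsearch_command(base_dn: str, search_filter: str, *attrs: str) -> str:
    """Equivalent ldapsearch call: simple bind as the functional ID (-W prompts
    for the password so it never lands in argv or shell history), subtree
    search under base_dn. Returns one shell-quoted command line."""
    scheme = "ldaps" if PROVIDER["port"] in (636, 3269) else "ldap"
    argv = [
        "ldapsearch", "-x", "-LLL",
        "-H", f"{scheme}://{PROVIDER['host']}:{PROVIDER['port']}",
        "-D", PROVIDER["principal"], "-W",
        "-b", base_dn, "-s", "sub", search_filter, *attrs,
    ]
    return shlex.join(argv)


def user_lookup_command(login: str) -> str:
    """The search the authenticator runs for a login (User From Name Filter)."""
    flt = render_filter(PROVIDER["user_from_name_filter"], "%u", login)
    return ldapsearch_command(PROVIDER["user_base_dn"], flt,
                              "sAMAccountName", "memberOf", "objectGUID")


def group_lookup_command(group: str) -> str:
    """The search behind Group From Name Filter."""
    flt = render_filter(PROVIDER["group_from_name_filter"], "%g", group)
    return ldapsearch_command(PROVIDER["group_base_dn"], flt, "sAMAccountName", "member")


if __name__ == "__main__":
    if is_cleartext_port(PROVIDER["port"]):
        print(f"# warning: port {PROVIDER['port']} is unencrypted LDAP")
    print(user_lookup_command("deva"))
    print(group_lookup_command("Hex_BIUser"))
```

Run it, paste the printed command into a shell on the BI host and enter the functional ID's password at the prompt: one entry back for deva means the bind principal, base DN, group membership and sAMAccountName attribute are all right; zero entries usually means the memberof DN or base DN is wrong, and a bind error means the principal DN or password is.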



After finishing the above steps, save, restart all the BI services, then log in to the WebLogic console and check whether MSAD is integrated: in Users and Groups the Provider column shows MSAD for the AD users and DefaultAuthenticator for the embedded-LDAP users.

Now go to Security Realms > Roles and Policies > Roles. Under Global Roles, open the Admin role and select View Role Conditions.

To give the AD user (deva) the global Admin role, add a condition: select User, click Next, type the AD user name in the User Argument Name box, click Add, then Finish and save.

Note that the global Admin role is full administration of the WebLogic domain, including the security realm itself, so give it only to the AD accounts that will actually administer WebLogic. Mapping an AD group instead of individual users (the Group condition) keeps that membership managed in AD.






Restart the WebLogic server.
Now log in to the admin console again and go to Users and Groups: "deva" is displayed as an AD user.
After you log in as deva you can see that we have successfully logged in as an AD user.




Next, in Enterprise Manager, map the AD users or groups to the BI application roles (BIAdministrator, BIAuthor, BIConsumer). In the Edit Application Role screen, scroll down to the Users section and click the button marked "Add User". An Add User dialog will appear. Either type the user name into the User Name box or, for a full list of users, leave it blank.

For that lookup to resolve AD users, the identity store must know which attribute holds the login name, because it defaults to cn. Click the "Configure…" button to bring up the Identity Store Configuration screen and click the green + icon to add two new properties, user.login.attr and username.attr, both set to the alternate user name attribute (sAMAccountName here, matching the User Name Attribute of the authenticator).

                          Add the AD group or AD users into the application role.



   

To regenerate user GUIDs:

1. Update the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI:
   a. Open NQSConfig.INI for editing at:
      ORACLE_INSTANCE/config/OracleBIServerComponent/coreapplication_obisn
   b. Locate the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter and set it to YES, as follows:
      FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
   c. Save and close the file.
2. Update the Catalog element in instanceconfig.xml:
   a. Open instanceconfig.xml for editing at:
      ORACLE_INSTANCE/config/OracleBIPresentationServicesComponent/coreapplication_obipsn
   b. Locate the Catalog element and update it as follows:
      <Catalog>
         <UpgradeAndExit>false</UpgradeAndExit>
         <UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>
      </Catalog>
   c. Save and close the file.
3. Restart the Oracle Business Intelligence system components using opmnctl:
      cd ORACLE_HOME/admin/instancen/bin
      ./opmnctl stopall
      ./opmnctl startall
4. Set the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI back to NO.
   Important: you must perform this step to ensure that your system is secure. While the flag is YES, the BI Server re-binds every user and role reference in the repository to whatever GUID the identity store currently returns for that name, so an account recreated in AD under an old name would silently inherit the old account's privileges.
5. Update the Catalog element in instanceconfig.xml to remove the UpdateAccountGUIDs entry.
6. Restart the Oracle Business Intelligence system components again using opmnctl:
      cd ORACLE_HOME/admin/instancen/bin
      ./opmnctl stopall
      ./opmnctl startall
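Because steps 4 and 5 are the ones people forget, here is the whole procedure as one script that cannot leave the refresh enabled: the two files are edited, the components restarted, and the edits reverted in a finally block even when the restart fails, followed by a check that both files are clean. This is an added example, not Oracle's tooling. It assumes the file locations from the steps above and calls opmnctl with the stopall/startall arguments shown; the SAMPLE_* fragments are constructed for a dry run and are not real files.

```python
"""GUID refresh for OBIEE 11g as one transaction: arm NQSConfig.INI and
instanceconfig.xml, restart with opmnctl, then disarm and restart again,
with the disarm step guaranteed by try/finally. Added example, not Oracle's
own tooling; paths and opmnctl commands are the ones from the post."""

import re
import subprocess
from pathlib import Path

FLAG = "FMW_UPDATE_ROLE_AND_USER_REF_GUIDS"
_FLAG_RE = re.compile(rf"^(\s*{FLAG}\s*=\s*)(YES|NO)(\s*;)", re.I | re.M)
_GUID_ELEM_RE = re.compile(r"\s*<UpdateAccountGUIDs>.*?</UpdateAccountGUIDs>", re.S)
_CATALOG_CLOSE_RE = re.compile(r"(\s*)</Catalog>")

# Constructed fragments (not real files) used for the dry run below.
SAMPLE_NQSCONFIG = "[ SECURITY ]\nFMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;\n"
SAMPLE_INSTANCECONFIG = (
    "<ServerInstance>\n"
    "   <Catalog>\n"
    "      <UpgradeAndExit>false</UpgradeAndExit>\n"
    "   </Catalog>\n"
    "</ServerInstance>\n"
)


def set_guid_refresh(ini_text: str, enabled: bool) -> str:
    """Set the flag to YES or NO in NQSConfig.INI text. Refuses to add the
    line if it is missing rather than guess where it belongs."""
    value = "YES" if enabled else "NO"
    new, n = _FLAG_RE.subn(lambda m: f"{m.group(1)}{value}{m.group(3)}", ini_text)
    if n != 1:
        raise ValueError(f"expected exactly one {FLAG} line, found {n}")
    return new


def set_update_account_guids(xml_text: str, enabled: bool) -> str:
    """Add or remove <UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>
    inside the Catalog element of instanceconfig.xml text."""
    stripped = _GUID_ELEM_RE.sub("", xml_text)
    if not enabled:
        return stripped
    m = _CATALOG_CLOSE_RE.search(stripped)
    if m is None:
        raise ValueError("no <Catalog> element found")
    elem = f"{m.group(1)}   <UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs>"
    return stripped[:m.start()] + elem + stripped[m.start():]


def refresh_is_armed(ini_text: str, xml_text: str) -> bool:
    """True if either file still has the refresh enabled. Run after the
    procedure, this is the check that the 'Important' step was done."""
    m = _FLAG_RE.search(ini_text)
    flag_on = m is not None and m.group(2).upper() == "YES"
    return flag_on or _GUID_ELEM_RE.search(xml_text) is not None


def _restart(opmnctl: Path) -> None:
    for cmd in ("stopall", "startall"):
        subprocess.run([str(opmnctl), cmd], check=True)


def run_guid_refresh(nqsconfig: Path, instanceconfig: Path, opmnctl: Path) -> None:
    """Steps 1 to 6 above as one transaction: arm, restart, disarm, restart."""
    ini, xml = nqsconfig.read_text(), instanceconfig.read_text()
    nqsconfig.with_name(nqsconfig.name + ".bak").write_text(ini)        # keep backups
    instanceconfig.with_name(instanceconfig.name + ".bak").write_text(xml)
    try:
        nqsconfig.write_text(set_guid_refresh(ini, True))
        instanceconfig.write_text(set_update_account_guids(xml, True))
        _restart(opmnctl)   # components rewrite the GUIDs; Presentation Services exits
    finally:
        nqsconfig.write_text(set_guid_refresh(ini, False))
        instanceconfig.write_text(set_update_account_guids(xml, False))
        _restart(opmnctl)
    if refresh_is_armed(nqsconfig.read_text(), instanceconfig.read_text()):
        raise RuntimeError("GUID refresh still enabled; fix before going live")


if __name__ == "__main__":
    # Dry run on the constructed fragments; no files or opmnctl involved.
    print(set_guid_refresh(SAMPLE_NQSCONFIG, True))
    print(set_update_account_guids(SAMPLE_INSTANCECONFIG, True))
```

On a real instance call run_guid_refresh with the two file paths from the steps above and the opmnctl path under ORACLE_HOME/admin/instancen/bin; refresh_is_armed on the two files is also a cheap check to add to any post-change audit, since a YES left behind is invisible from the console.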


            Once you've restarted WebLogic, check that you can still log into the WebLogic Administration Console as the WebLogic admin user you specified during install.
Next, check that you can log in to Oracle BI with the credentials of one of the Active Directory users.

References:

Oracle forums thread: https://forums.oracle.com/forums/thread.jspa?threadID=2251295
Steps to configure OBIEE 11g LDAP SSL Authentication by configuring the Authentication Provider in Weblogic (My Oracle Support note 1326641.1): https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=BULLETIN&id=1326641.1

Thanks

Deva

28 comments:

  1. Hi - We are trying to set up SSO - EBS for OBIEE 11g,

    We have been trying to integrate EBS with OBIEE using the EBS-ICX cookie mechanism. Somehow we are not able to achieve this functionality. Need help **URGENT**

    Platform: Linux - BI APPS 7.9.6.3 & OBIEE 11.1.1.5.0 & EBS R12

    Below are the steps:

    1. On the Connection Scripts tab, we have: call /* valueof(NQ_SESSION.ACF) */ APP_SESSION.validate_icx_session(‘valueof(NQ_SESSION.ICX_SESSION_COOKIE)’)

    2. Initialization Block EBS Security Context - In Data Source, default Initialization string: we have
    SELECT FND_GLOBAL.RESP_ID, FND_GLOBAL.RESP_APPL_ID, FND_GLOBAL.SECURITY_GROUP_ID, FND_GLOBAL.RESP_NAME, FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, FND_GLOBAL.USER_NAME FROM DUAL

    3. In Edit Data Target Section - we have following session variables
    EBS_RESP_ID
    EBS_RESP_APPL_ID
    EBS_SEC_GROUP_ID
    EBS_RESP_NAME
    EBS_USER_ID
    EBS_EMPLOYEE_ID
    USER

    4. authenticationschemas.xml:



    5. instanceconfig.xml:
    UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,EBS-ICX

    6. Restarted the BI Server, and trying to login from EBS, but cannot log in to OBIEE....

    Testing:

    1. Yes - Our E-Business Suite and OBIEE are on the same domain
    2. Yes - E-Business Suite and OBIEE are both using the same security protocol (Both using http)
    3. call app_session.validate_icx_session('Actual Cookie Value');
    Result: Call completed
    4. select fnd_global.user_name from dual;
    Result: Output is my user which has OBIEE Responsibility and created in EBS

    Do we still need to configure anything additional in Enterprise Manager and WebLogic Server? Am I missing anything here? Please let me know ASAP.

    Log:
    [nQSError: 13011] Query for Initialization Block 'EBS Security Context' has failed

  2. Hi Deva
    Great blog. I'm also trying to connect to Active Directory and have tried it in different ways. See also my OTN request:
    https://forums.oracle.com/forums/thread.jspa?threadID=2370360&tstart=0

    Did you ever try to integrate active directory but keep the default authenticator as the first one? In that case no SystemUsers had to be created in active Directory.
    Cheers Fab

  3. Hi Deva,
    Your blog was informative, and much appreciation for a job well done. Now I am facing a new challenge: how to assign different application roles such as BIAdministrator, BIAuthor and BIConsumer to different users to control what each user sees according to his or her role. I have tried to assign some of these roles to the Active Directory users from the WebLogic domain, to no avail; any guide to this next level will be highly appreciated. In addition, if you have a blog on SSL configuration, it will be appreciated. Once again, great job.

    -Nick-

  4. This comment has been removed by the author.

  5. hi,Deva:
    I did two configurations; neither has been very successful. Can you help me?
    1. Active Directory configuration with WebLogic is successful. In the WebLogic console I can access all the users in the Users folder,
    but I cannot see the users from another AD folder, "My_Organization_unit".

    Required info from LDAP team(AD folder "Users" have a user: Administrator. ):
    Host: 192.168.0.244
    Port: 389
    Principal: CN=Administrator,CN=Users,DC=dnstest,DC=com
    User Base DN: CN=Users,DC=dnstest,DC=com
    All Users Filter:
    Users From Name Filter: (&(cn=%u)(objectclass=user))
    User Name Attribute: sAMAccountName
    User Object Class: user
    Group Base DN: CN=Builtin,DC=dnstest,DC=com
    All Groups Filter:
    Group From Name Filter: (&(cn=%g)(objectclass=group))

    Static Group Name Attribute: cn
    Static Group Object Class: group
    Static Member DN Attribute: member
    Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))
    GUID Attribute: objectguid
    EM Identity Store Provider:
    user.login.attr=sAMAccountName
    username.attr=sAMAccountName
    virtualize=true

    2. Following your reminder, I redid the configuration with changes, but the connection to Active Directory fails; I can't access any AD user.

    Required info from LDAP team(AD folder "My_Organization_unit" have a user: libai. ):
    Host: 192.168.0.244

    Port: 389

    Principal: CN=libai,OU=My_Organization_Unit,DC=dnstest,DC=com
    User Base DN: DC=dnstest,DC=com

    All Users Filter:
    (&(memberof=DC=dnstest,DC=com)(sAMAccountName=*)(objectclass=user))
    Users From Name Filter:
    (&(memberof=DC=dnstest,DC=com)(sAMAccountName=*)(objectclass=user))
    User Name Attribute: sAMAccountName

    User Object Class: user
    Group Base DN: DC=dnstest,DC=com

    All Groups Filter:
    (&(sAMAccountName=*)(objectclass=group))

    Group From Name Filter: (&(sAMAccountName=%g)(objectclass=group))
    Static Group Name Attribute: cn
    Static Group Object Class: group
    Static Member DN Attribute: member
    Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))
    GUID Attribute:objectguid

    EM Identity Store Provider:
    user.login.attr=sAMAccountName
    username.attr=sAMAccountName
    virtualize=true

  6. hi ,deva :
    The problem has been solved.
    I tried with the AD global catalog.
    Host : xxxxxx
    Port: 3268
    Principal: CN=Administrator,CN=Users,DC=dnstest,DC=com
    User Base DN: DC=dnstest,DC=com
    All Users Filter:
    Users From Name Filter: (&(cn=%u)(objectclass=user))
    User Name Attribute: sAMAccountName
    User Object Class: user
    Group Base DN: CN=Builtin,DC=dnstest,DC=com
    All Groups Filter:
    Group From Name Filter: (&(cn=%g)(objectclass=group))

    Static Group Name Attribute: cn
    Static Group Object Class: group
    Static Member DN Attribute: member
    Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))
    GUID Attribute: objectguid
    EM Identity Store Provider:
    user.login.attr=sAMAccountName
    username.attr=sAMAccountName
    virtualize=true

  7. Hi,

    I have a client that has Essbase 11.1.2.1 set up with Shared Services; authentication takes place through MSAD to allow for SSO. They have around 1000 users in 50 groups, with filters on each group for what data they are allowed to see.
    We need to install OBIEE 11g. Can anyone explain how I can use the data security already set up in Essbase?

    So basically we will configure MSAD for OBIEE as well to allow for SSO; once they sign on and retrieve dashboards or analyses I need to ensure that only the data they are allowed to access from Essbase is shown.

    Recreating and maintaining security inside of OBIEE is not an option as it took more than 6 weeks to initially set up.

    Can anyone give me advice on how to achieve this, even if it is a workaround? I need to find a solution, as this is a potential deal breaker.

    Regards
    Dylan
    dylan.bornman@intellient.co.za

  8. Hi Deva,

    Very nice blog.
    I want to configure an external LDAP (OID) for authentication for BI Publisher (OBIEE 11.1.1.6) and authorization with Oracle Fusion Middleware or BI Security.
    What are the simple steps to configure this?
    Could you let me know.

    Regards,
    Ashutosh

  9. I took OBIEE online training from www.monstercourses.com; now I also want to take Informatica online training. Will this be a good combination?

  10. I had a very bad experience with Monstercourses.com.... the tutors are really the worst.. waste of money

  11. It works! The 'All Users Filter' was the key to my problem. I had more than 1000 users in AD and needed filtering. Thank you so much.

    Charles

  12. Hi Deva, nice informative post, keep up the good work.

  14. Attractive piece of information. I had come to know about your blog from my friend Arjun, Ahmedabad; I have read at least eleven posts of yours by now, and let me tell you, your website gives the best and the most interesting information. This is just the kind of information that I had been looking for; I'm already your RSS reader now and I would regularly watch out for the new posts. Once again, hats off to you! Thanks a lot once again. Regards, obiee online training

  15. @siddela dinesh : Thank you...

  16. Appreciation for nice Updates, I found something new and folks can get useful info about BEST OBIEE ONLINE TRAINING

  17. Appreciation for nice Updates, I found something new and folks can get useful info about BEST ONLINE TRAINING

  18. HI Deva,

    I am trying to configure SSO with Windows AD and authorization via database in an OBIEE BI Publisher application, version 11.1.1.6.11.
    Please guide me on whether this is feasible, and the steps for it.
    Actually SSO is already enabled in my application, but the roles are not being passed to the application; therefore by default it picks up the BIConsumer role.

    I want to pass the roles implemented in the application through the database. Please guide me on how I could proceed with it.

    Thanks and Regards,
    Sarvesh Abrol

  19. Excellent piece of information. I had come to know about your website from my friend Kishore, Pune; I have read at least 8 posts of yours by now, and let me tell you, your site gives the best and the most interesting information. This is just the kind of information that I had been looking for; I'm already your RSS reader now and I would regularly watch out for the new posts. Once again, hats off to you! Thanks a lot once again. Regards, obiee training in hyderabad

  20. I am trying to run an application deployed in WebLogic Server. But when I start the WebLogic server I am getting an LDAP authentication error as below

    <> <> (PrincipalAuthenticator.java:262)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:581)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:700)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:733)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:876)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:734)
    at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:822)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:670)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:344)
    at weblogic.Server.main(Server.java:32)
    Please give me any idea what causes this error.

    Thanks in advance


  21. Thank you for providing valuable information; I am searching for the same information, and this saved my time. OBIEE Online Training

  22. Hi,
    I'm able to do the configurations and list the users and groups in the WebLogic console. But when I try to edit the global role and add the user to any of the roles, I get a message which says "does not exist". Can anyone tell me what the probable cause for this can be?

    Thanks

  23. Hi Deva,

    I am not able to view the USERS list beyond 1000. Is there a way I can see all USERS who exist in LDAP in my OBIEE console USERS list? I need to manually add USERS to newly created ROLES in EM. Due to this 1000-USER limitation I am not able to add USERS (beyond 1000) to my new ROLES.

    Thanks

  24. Hi,

    I wish to install OBIEE on a server machine; the server configuration is as under. My question is which version of OBIEE would be compatible with the following configuration:

    Database Oracle Database 10 Enterprise Edition Release 10.2.0.3.0 64 bit
    OAF Framework 12.1.3
    XML Oracle XML Developers Kit 10.1.3.10 Production
    Java 1.6.0
    JDBC 11.2.0.1.0

    Kindly email me at these email ids: adil.niazi@ssgc.com.pk and adil_niazi@hotmail.com

    Regards

    Adil

  25. Hi,

    I wish to install OBIEE on a server machine; the server configuration is as under. My question is which version of OBIEE would be compatible with the following configuration:

    Application Oracle Apps r12
    Database Oracle Database 10 Enterprise Edition Release 10.2.0.3.0 64 bit
    OAF Framework 12.1.3
    XML Oracle XML Developers Kit 10.1.3.10 Production
    Java 1.6.0
    JDBC 11.2.0.1.0

    Kindly email me at these email ids: adil.niazi@ssgc.com.pk and adil_niazi@hotmail.com

    Regards

    Adil

  26. It's a great post you made about this software; it's working great. I was very illiterate about learning this.
