Oracle BI EE 11g – Security Integration with Microsoft Active Directory

November 1st, 2010 by

As Mark mentioned here, one big change in BI EE 11g is the adoption of OPSS, the Oracle Platform Services Security Model, as the security framework for BI EE. In BI EE 10g, integration with an external LDAP directory had to be done through Init Blocks and LDAP Server definitions within the repository. In BI EE 11g that older method is still supported and still works, but the recommended approach is to set up the LDAP directory as a security provider in WebLogic. In today’s blog post we will see how to set up Active Directory as a security provider in WebLogic.

When we install BI EE 11g, a Default Security Provider is configured out of the box, so any user or group that we add to it can be assigned to Application Roles directly. To switch from the Default Security Provider to an Active Directory provider, we have to follow the steps outlined below.

The first step is to change the Control Flag property of the Default Security Provider from SUFFICIENT to OPTIONAL. This ensures that users can also come in from other providers. This is done from the Admin Console (http://localhost:7001/console).

After this, the next step is to add a provider in WebLogic that connects to the Active Directory instance. This requires us to know four main Active Directory properties:

1. Base DN – the base path from which the LDAP search for users and groups will start.
2. Bind DN / Principal – the DN of an Active Directory administrator user that has the privileges to read all users and groups under the Base DN. The password of this user is also required.
3. Active Directory server name and port.
4. User Attribute – the attribute that will be extracted as the username for users residing in Active Directory. For AD, the attribute name is sAMAccountName.
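Before typing these four properties into the Admin Console it is worth checking their shape offline. The script below is an added example (it is not code from the original post, nor an Oracle or WebLogic tool) that uses only the Python standard library: it parses the Base DN and Bind DN, checks that the bind user sits under the search base, flags a plain (non-SSL) port, and shows how a login name should be escaped before it is substituted into the user search filter. The filter template is an assumption based on the WebLogic `%u` placeholder convention; the server name in the sample is a placeholder, since the post does not give one.

```python
"""Offline sanity checks for the four Active Directory properties.

Added example, not from the original post and not an Oracle/WebLogic tool.
Standard library only; nothing here contacts a directory.
"""
import re

# RFC 4514: one RDN is "attr=value"; values may contain "\," so the DN is
# split by hand rather than with str.split(",").
_RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs, keeping backslash escapes intact."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char: copy both bytes
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        m = _RDN_RE.match(rdn.strip())
        if not m:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((m.group(1).upper(), m.group(2)))
    return pairs


def is_under(child_dn, base_dn):
    """True when child_dn lies inside the subtree rooted at base_dn."""
    child = [(a, v.lower()) for a, v in parse_dn(child_dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(child) >= len(base) and child[len(child) - len(base):] == base


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.

    Without it a login such as 'x*)(objectclass=*' would change the meaning
    of the filter instead of being searched for literally.
    """
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def user_filter(user_attribute, login_name):
    """Build the user-lookup filter for one login name.

    Template is an assumption: WebLogic substitutes the login for '%u'.
    """
    template = "(&(%s=%%u)(objectclass=user))" % user_attribute
    return template.replace("%u", escape_filter_value(login_name))


def check_properties(props):
    """Return {'errors': [...], 'warnings': [...]} for one property set.

    Keys: base_dn, bind_dn, server, port, user_attribute.
    """
    errors, warnings = [], []
    for key in ("base_dn", "bind_dn"):
        try:
            parse_dn(props[key])
        except ValueError as exc:
            errors.append("%s: %s" % (key, exc))
    if not errors and not is_under(props["bind_dn"], props["base_dn"]):
        warnings.append("bind_dn is outside base_dn; it can still bind but "
                        "will not be returned by searches under base_dn")
    if not props.get("server"):
        errors.append("server: Active Directory server name is missing")
    port = props.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append("port: must be an integer between 1 and 65535")
    elif port == 389:
        warnings.append("port 389 is LDAP without SSL: the bind password "
                        "crosses the network in clear; prefer LDAPS (636)")
    if props.get("user_attribute") != "sAMAccountName":
        warnings.append("user_attribute: Active Directory logins normally "
                        "use sAMAccountName")
    return {"errors": errors, "warnings": warnings}


# Constructed sample using the DNs quoted in the post; the server name is a
# placeholder because the post does not give one.
SAMPLE = {
    "base_dn": "CN=Users,DC=venkatad,DC=venkatlap,DC=com",
    "bind_dn": "CN=Administrator,CN=Users,DC=venkatad,DC=venkatlap,DC=com",
    "server": "ad.example.invalid",
    "port": 389,
    "user_attribute": "sAMAccountName",
}

if __name__ == "__main__":
    print(check_properties(SAMPLE))
    print(user_filter("sAMAccountName", "ADReportAuthor"))
```

Run it against your own values before touching WebLogic; an empty `errors` list with only the port warning is what the configuration in this post produces.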

Before making any change in WebLogic, ensure that all of these properties have been identified correctly. There are a couple of ways to verify them.

1. The first method is to create a dummy LDAP Server connection to Active Directory using the traditional 10g method; this lets us validate the connection. In my case, the properties I have are:

Base DN: CN=Users,DC=venkatad,DC=venkatlap,DC=com
Bind DN: CN=Administrator,CN=Users,DC=venkatad,DC=venkatlap,DC=com
AD port: 389 (Default LDAP port without SSL)
User Attribute: sAMAccountName (this does not change across instances)

Let’s test this out from the LDAP Server setup within the repository.

When we test this connection, it should succeed (there is a bug in this release: although the connection is successful, the wrong icon is shown, but the message is correct).

2. The second method is to use an external LDAP client, such as LDAPSoft.

Either method validates the connection to LDAP. Once we are sure about the properties, let’s go into the Admin Console and add a new Provider.
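Both validation methods above bind to Active Directory with the Bind DN and its password, and on port 389 without SSL that bind is sent in clear. The following added example (not from the original post, and not Oracle or WebLogic code) hand-encodes the LDAPv3 simple BindRequest from RFC 4511 in BER, then decodes it the way anyone on the path of a plain port 389 connection could; it is meant to show why the LDAPS port or StartTLS is the better choice for the provider. It uses only the Python standard library and the DN and password in it are constructed sample values.

```python
"""What an LDAP simple bind looks like on the wire (RFC 4511, BER).

Added example, not from the original post and not Oracle/WebLogic code.
Standard library only; no network access.
"""


def _ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _small_int(value):
    """INTEGER for 0..127 (enough for messageID and the protocol version)."""
    if not 0 <= value < 0x80:
        raise ValueError("only small non-negative integers are encoded here")
    return _tlv(0x02, bytes([value]))


def encode_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }."""
    bind = _tlv(0x60,                                   # [APPLICATION 0] BindRequest
                _small_int(3)                           # version INTEGER 3
                + _tlv(0x04, bind_dn.encode("utf-8"))    # name LDAPDN (OCTET STRING)
                + _tlv(0x80, password.encode("utf-8")))  # authentication: simple [0]
    return _tlv(0x30, _small_int(message_id) + bind)    # LDAPMessage SEQUENCE


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(packet):
    """Recover messageID, DN and password from an encoded simple bind."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, secret, _ = _read_tlv(bind, pos)
    return {
        "message_id": mid[0],
        "version": version[0],
        "name": name.decode("utf-8"),
        "simple": auth_tag == 0x80,       # True: password sent as plain octets
        "password": secret.decode("utf-8") if auth_tag == 0x80 else None,
    }


def password_in_clear(packet, password):
    """True when the literal password bytes appear in the packet."""
    return password.encode("utf-8") in packet


if __name__ == "__main__":
    # Constructed sample: the Bind DN from the post with a made-up password.
    pkt = encode_bind_request(
        1, "CN=Administrator,CN=Users,DC=venkatad,DC=venkatlap,DC=com", "s3cret-sample")
    print(pkt.hex())
    print(decode_bind_request(pkt))
```

The decoder is the point of the exercise: nothing in a simple bind protects the password, so the transport has to. When the provider is later configured in the Admin Console, that means using the SSL port and loading the directory’s certificate into the WebLogic trust store rather than keeping 389.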

Give it a name, say MSAD. Choose ActiveDirectoryAuthenticator as the provider type and then enter the properties that we validated above:

Principal: CN=Administrator,CN=Users,DC=venkatad,DC=venkatlap,DC=com
Password: Administrator password
User Base DN: CN=Users,DC=venkatad,DC=venkatlap,DC=com

Unlike BI EE 10g, where we had little control over how BI EE actually searched AD, WebLogic gives us much more control. Also ensure that the User Attribute property points to sAMAccountName, as shown below.

After adding this provider, we need to restart the Admin Server. Even before making any further change, after the restart the users defined in Active Directory should start to appear in the Users and Groups section of WebLogic. Ensure that you can see the users in your instance as well before moving on to the next step.

After verifying the connection, the next step is to make Active Directory the first provider searched. Since WebLogic can have multiple providers, we need to specify which provider the search for users and groups starts from during login. This is done through the Reorder button in the Providers tab of the Admin Console. Ensure that the Active Directory provider we created comes first.

The next step is to delete BISystemUser from the Default Provider and then create it in Active Directory. The reason is that the Credential Store entries of BI EE 11g use the out-of-the-box BISystemUser present in the Default Provider. As our preferred provider is now Active Directory, BISystemUser has to be available in Active Directory.

Restart the Admin Server. If you want to use a different name (or a different password) for BISystemUser in Active Directory, the system.user Credential Key has to be updated in the Enterprise Manager Credential Store so that it points to the correct user and password.

Even after making these changes and restarting the Admin Server, you will notice that login to BI EE fails. The reason is that the Identity Store has to be configured to pick up the sAMAccountName attribute that we set up in the LDAP provider. To do this, log in to Enterprise Manager (http://localhost:7001/em) and expand the WebLogic Domain folder as shown below. Right-click on bifoundation_domain and then click Security > Security Provider Configuration.

Click the Configure button of the Identity Store Provider and add the two entries shown below.

These two entries are absolutely required, as they propagate the credentials from AD to BI EE. After this change, restart the Managed Server. Let’s now add a new user in Active Directory called ADReportAuthor.

From Enterprise Manager, let’s now add this user to the BIAuthor Application Role.

If we now log in to BI EE as ADReportAuthor, we will be able to do so, as WebLogic is now configured to authenticate against AD.

This is a lot easier than setting security up in 10g. But I believe that having multiple providers (users coming from two directories) is currently not supported, as the Identity Store attribute setup will match only one provider. It would be good if BI EE could support multiple providers as well, since WebLogic supports this by default.

Update: After enabling an Active Directory provider, the WebLogic super-user that you previously used to log in to Enterprise Manager or the WebLogic Console will continue to work there, but it will no longer work as a login to BI EE. This behaviour is controlled by the Administrators group in the Default Authenticator: any user in any directory (that is not disabled) assigned to this group can still log in to EM and the Console, but login to BI EE is controlled by the Application Roles and the authentication provider sequence, and the weblogic user is not among the new set of AD logins and therefore does not have the required application role.

Comments

  1. La Grange Says:

    Thanks for this post.
    I have 2 questions. What is the role of Refresh GUIDs in the context of replacing BISystemUser? Apparently it worked for you without this step.
    How flexible is it to handle AD Groups? Can we append additional custom groups from other providers (RDBMS) and get a consolidated list for use in OBIEE?
    Thanks

  2. MichaelR Says:

    Hi,

    Nice posting. What I am looking for is how to get an LDAP attribute such as a group name into OBIEE at runtime. We have an LDAP source that has all this info but don’t want to create all of these groups on the OBIEE side. We just want to read this LDAP attribute when authenticating the user and use that value in our Business Model filtering, since the value stored there is exactly the same as stored in the field.
    I cannot quite figure out how to do this.
    Any help is appreciated…

  3. John Cormier Says:

    A small change is required to the “User From Name Filter” to accommodate users whose samAccountName does not match their CN.

    The filter should read (&(samAccountName=%u(objectclass=user))

  4. Chinmay Says:

    Hi Expert,

    I have a requirement for hours at prompt level and I am facing a problem: once I select any hour from the prompt, it shows values for that particular hour only, not all the remaining records.

    logical columns
    hour – extracted from timestamp column (col1)
    date – extracted from timestamp column (col2)

    thanks

  5. Chinmay Says:

    Hi Rittmanmead,

    I am expecting some solution for an hour-level prompt
    thanks

  6. Leo Says:

    Hi, expert
    Nice posting! I have a question. When I click the name which is provided by LDAP, and then I click the group button, there are a lot of errors.
    I think there is something wrong with the configuration of the LDAP group.
    Did you have the same error?
    Thanks!

  7. mcoene Says:

    Hi,
    What other configuration is needed to automatically populate the email address of the LDAP user as a Delivers email address?

  8. Jay Says:

    What are the requirements for the BISystemUser created in Active Directory ?

  9. Mahantesh Says:

    All the above instructions were followed to integrate with AD. Dashboard.

    a. Deleted the existing default user BISystemUser.
    b. Created a different user in AD with a different name.
    c. Username/password has been changed in the credential.
    d. Added the user to the BISystemUser role.

    Unable to login to Dashboard due to the following error in bifoundation_domain.log

    #### <>
    #### <>

    Are there any other steps required if we change the default name (BISystemUser)?

    Mahantesh

  10. Vishal Says:

    I am also facing the same problem as Mahantesh is facing above. Any clue?

  11. Venkatakrishnan J Says:

    @Vishal/Mahantesh – Did you add/update the new username in the System.User Credential Entry? This is needed if you are using a different username or even a different password for the BISystemUser.

    @Jay – BISystemUser is the user that will be used to extract the credentials for individual BI EE components from the Credential Framework. The name need not match, but there has to be a user in the underlying provider that can be used as a system user.

    In general, when you are facing errors while extracting groups, make sure the Search string, Base DNs etc. are correct. Also, ensure that in AD the number of groups being searched (the base DN determines this) is small. We have seen instances where extracting/showing groups can take a long time depending on how the Search class is structured.

    This integration will work the same on 32-bit as well as 64-bit machines (both Windows & Linux).

  12. PRM Says:

    Hi,

    I have BISystemUser created in AD; it has a different password than the one in the default Authentication provider. I followed all the mentioned steps and edited the system.user credential key to contain the new password.
    All the BI services are running fine but I am unable to login. I am not getting any groups from AD. Should I be getting the groups from AD for this to work?

    Thanks,
    PRM
    I checked the l

  13. baohuima Says:

    PRM

    I got the same error; I configured all the steps with the BI EE 11g document

    1. filter group error
    2. login error

    baohuima

  14. Nabhanil Says:

    Hi Venkat,

    Thanks for sharing the steps. Followed your steps. Even created the BISystemUser in MSAD and also tried with a separate user. But no luck! Can you please help?

    Thanks,
    Nabhanil

  15. Kishore Guggilla Says:

    Hi Venkat,

    First of all, thanks for the post; as usual it helped me a lot in understanding OBIEE 11g security and configuring ADSI.

    Want to see more blogs on OBIEE 11g from you! :)

    Thanks.

  16. Kishore Guggilla Says:

    Hi Venkatkrishnan,

    Thanks for article..!!

    I’ve one doubt on this process.
    Do we have any files that we can go and modify the authentication provider for “BISystemUser”?

    Why I want this is: my ADSI has around 1500 users and all users (even non-OBI) are maintained by the same Active Directory. So, when I click on the Users & Groups tab, it takes a long time to retrieve users. I need to wait for all users to load there to pick BISystemUser from the list to change its authentication provider to the newly created LDAP authenticator.

    Thanks in advance..!!

  17. Kishore Guggilla Says:

    John Cormier,

    Thanks a lot man! You made my day!
    Using (&(samAccountName=%u(objectclass=user)) as the user filter I’m able to retrieve all my LDAP users very easily. Now it’s not taking much time.

    Thanks to Venkat once again :)

  18. Ruby Says:

    Thanks Venkat for all the info. I could load all the users into WebLogic using OID. I have an issue with SSO. I can make OBIEE 11g SSO work with our portal. I am having issues when I am trying to authenticate the same user against Hyperion Shared Services. Any query to Essbase is failing for authentication. HSS is not configured with OID. When I log into BI via the BI login screen and not via our portal, using my HSS password, I am fine, but if I use the portal I have an issue. Any idea or suggestion would help.

    Thanks

  19. Dan Says:

    Hi Venkat,
    first of all, thanks for this great post.
    I have a quick question, do you think it’s possible to get users authenticated using AD and retrieve a list of groups from a DB table (populating the GROUP variable)?

    Cheers,

    Dan

  20. Kevin McNulty Says:

    Could you expand on your last “Update” point. Are you saying that the original weblogic power user will never be able to log into Analytics? Can we modify settings to allow the user to access Analytics?

  21. Tayfur Says:

    Hi Venkat ,

    First of all thanks for your post. I had done it by following your instructions.
    But there is something strange at authentication.
    I have 18 users in my security group and I can see them all in the WebLogic console.
    I can login with 17 users but for one user I can’t login. It gives an ‘an error occurred in authentication’ error and I can’t login. When I write down a wrong password, it says ‘Invalid username and password’.

    I tried to remove that user from the security group and then re-import him to users but nothing changed.

    Are there any specific configurations for users? Do you have any comments?

    Thanks…

  22. prasad mallela Says:

    Tayfur,

    please remove particular user folder from catalog and try again logging in.

  23. Samrat Mitra Says:

    Hi Venkat,

    Thanks for an extremely helpful article.
    I have one question: in your update, we will not be able to use the ‘weblogic’ user for login to BIEE, but if we were to re-enable this user, what steps do we need to take?

    Kind Regards,
    Samrat

  24. lnr Says:

    Tell me please, must BISystemUser in Active Directory be in the Administrators group?

  25. Joyce Says:

    Hi Venkat,

    After setting up AD authentication, delivery is not working correctly. My question is: how do I get the email attribute from AD into WebLogic, or set up the email attribute in WebLogic for users?

  26. Joyce Says:

    Does your scheduler/alert work after AD authentication setup?

  27. Maria Costa Says:

    Hi,
    I have 3 questions:
    1. How do you log in to the Administration Tool (online mode) if you can’t use the weblogic user?
    2. After all the configuration of AD Authentication I can’t log in to Analytics and get the error “Requested Object Class (user) not found in cache” in the bi_server1-diagnostic.log file.
    3. Is it mandatory to delete the BISystemUser from the Default Provider and then create it in Active Directory? Can’t we use the Bind DN/Principal of the configuration?

    Kind Regards,
    Maria

  28. Frank Says:

    Hi Venkat, we are on Oracle BI EE 10g (10.1.3.4.0.1) on Windows 2003 Server OS with a SQL 2005 database. Could you please help me with how to integrate OBIEE 10g with Microsoft Active Directory? Any documentation?
    Thanks for your help.
    Frank

  29. mentos Says:

    Hi, Venkatakrishnan J
    I know how to configure AD with OBIEE 11g and I can log on to BI EE with an AD user. I just want to ask you some questions:
    If my AD user logs on to Windows NT, how can I access BI EE without entering a user name and password and then log on to the dashboard directly? Please help me configure it. Thanks!

  30. Kris Says:

    Hi All,
    Just to share with everyone. I was able to successfully configure the OpenLDAP authenticator with OBIEE 11g. Here are a few hiccups and gotchas from my POC.
    1) OBIEE 11g does not support the SAML 2.0/1.1 identity asserters (even though they are in the list of authentication providers). We tried integrating Shibboleth (which uses SAML) and it did not work. We’ve opened an SR with Oracle.
    2) The LDAP Authenticator that is listed did not work for me (I read somewhere that it is not compatible with WLS 10.3.3).
    3) Finally, I chose the OpenLDAP authenticator.
    Issues that we encountered with OpenLDAP:
    (i) It looks like there is an issue with the user setup in a Dynamic Group. Initially the test user was set up in a Dynamic Group and we could not get the group for the user (it throws a Java exception when you click on the group tab for the user).
    (ii) We set up a static group and added the user to it. Then we could see the group.
    Note that you should be able to see the user/group from the LDAP (even before you make changes like BISystemUser, adding to app roles etc.)
    (iii) You can use any user as BISystemUser (the name does not matter). However, do not forget to add this user to the Admin role (under Global Roles) under Roles and Policies in the security realm.
    (iv) If the LDAP is on SSL then make sure you get the certificates. Use .PEM or .DER format only. Use the Java keytool utility to add the certificates to the keystore.
    Make sure you update the location of the keystores and the SSL tab on the Admin and Managed Servers. We faced a ton of issues with these certificates. If you do not load these certificates you will see a warning in the AdminServer and Managed Server logs (something like “SSL handshake failure”).
    I hope these tips will be helpful to you.
    Thanks,
    Kris

  31. yybbpp Says:

    hi all,
    I ran into a problem: when I finished the install I could log in to localhost:7001/console normally, but I can’t log in to localhost:7001/em. When I input the login name/password, there is no response.

  32. Karthi Says:

    Venkat, I need to know how to set up an “impersonator” user in 11g which we can use for our SSO implementation as in 10g. In 10g, after validating the USER outside of OBIEE, we used the impersonator user id and password to actually log in to OBIEE. Not sure what to configure or how to set up this user.

  33. Derk Says:

    I was able to configure AD with the steps in this article. I can log in to BI Publisher (security model Oracle Fusion Middleware), however the assigned BIP role in WebLogic (Application role BIAdministrator granted to a user) looks as if it is not assigned: the administration tab is not visible and the folder with reports is invisible as well.
    Any ideas?

  35. A.K. Says:

    Great Post!

    Mark, do you know if LDAP and local authentication can both be enabled at the same time?

    Thanks so much.

  36. Joe Says:

    I am facing some issues with this set up. I posted a new thread in OTN and here is the link to that. Any help would be highly appreciated.

    http://forums.oracle.com/forums/thread.jspa?threadID=2251295&stqc=true

  37. Ben Says:

    Hi,
    What other configuration is needed to automatically populate the email address of the LDAP user as a Delivers email address?

  38. Jerry Says:

    I’ve configured MSAD, following the instructions in the OBIEE Security Guide and info in this post. The only differences were in the Control Flag for the DefaultAuthenticator (the Sec Guide says it should be SUFFICIENT) and deleting the BISystemUser from the Default Authenticator (the Sec Guide doesn’t mention this). I set the Control Flag to OPTIONAL and deleted BISystemUser from the Default Authenticator.

    I can see MSAD users in the Admin Console.

    Once I added BISystemUser as a condition to the Admin role, I was able to start Managed WebLogic.

    When I try to login to OBIEE, I get this error in the Managed WebLogic log:

    ‘axis11′ was authenticated but could not be located within the Identity Store.

    I thought the Identity Store is the Embedded LDAP. Why would my id be there? Why would Managed WebLogic expect to find it there?

    Have you seen any of this problem before? Any idea what might be causing it?

    Thanks.

  39. Dharmi Says:

    Hi,

    Is it possible to configure multiple LDAP servers in BI Publisher? I have a requirement that if one server goes down I need another one as backup. Is it possible?

    - Dharmi

  40. Subhash Says:

    Hi

    I have done all these steps. It’s working perfectly.
    My requirement is that when a user enters http://xxx:7001/analytics in IE, it should automatically fetch the user’s Windows login details (assume the same user is part of AD) and authenticate.
    The user should never see the login dialog.

    How can I achieve this? I am guessing it has something to do with IIS here.

  41. Hari Prasad Says:

    Hi Team,

    It was a great help from all of you on our OBIEE learnings.

    I recently configured Microsoft AD on WebLogic rather than in the RPD. But I felt like I was in a desert of helplessness due to the complicated and lengthy documents and settings :(

    Still, when I configured everything and logged in to Presentation Services using AD credentials, I observed the following error!

    Error retrieving user/group data from Oracle BI Server’s User Population API.
    Error Details
    Error Codes: GDU6UYHS:OPR4ONWY:U9IM8TAC:OI2DL65P:SDKE4UTF
    Odbc driver returned an error (SQLExecDirectW).
    State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. [nQSError: 13049] User ‘gp06108′ with ‘oracle.bi.publisher.scheduleReport;AtAGlance;oracle.bi.publisher.accessReportOutput;all;oracle.bi.publisher.accessExcelReportAnalyzer;all;oracle.epm.financialreporting.accessReporting;Explore;oracle.bi.publisher.accessOnlineReportAnalyzer;EPM_Essbase_Filter;oracle.bi.publisher.runReportOnline;oracle.as.scheduler.security.MetadataPermission’ permission can not query user population.Please have your System Administrator look at the log for more details on this error. (HY000)
    Please have your System Administrator look at the log for more details on this error.
    Expression: privileges['Admin: Catalog']['Change Permissions']

  42. Tarik Bouaziz Says:

    Hi,

    The configuration steps provided above by Venkat allow an AD user to connect to OBIEE (use AD as an identity store instead of WebLogic)…
    Additional configuration steps are required to enable SSO (users that log on to their Windows machines accessing OBIEE via a browser without further authentication). The configuration steps are provided in the following tech note: “OBIEE 11g: Configuring Authentication and SSO with Active Directory and Windows Native Authentication [ID 1274953.1]”

    Hope this helps,

    Tarik.

  43. Shabs Says:

    Hi Venkat –

    You mentioned in your blog that the weblogic user will be able to login to console and EM but not to OBIEE Analytics. Will creating another realm along with myrealm work? If you check this blog: http://paulcannon-bi.blogspot.ca/2012/07/configuring-ldap-authentication-for.html
    you will find the method to create a new realm. Will this process still retain the ‘power’ it had earlier?

    Thanks in advance
    Shabs

  44. oscarin.kun Says:

    Thank you very much, the article is very useful and detailed

  45. Avinash Says:

    Hi Venkat,

    Nice post Thanks….

    We have an IBM LDAP client. Please let me know which provider name I need to select and what the user name attribute is for the IBM client.

    Thank you,
