OBIEE 11g Security Week : Connecting to Active Directory, and Obtaining Group Membership from Database Tables

March 16th, 2012 by

In this final posting in the OBIEE 11g Security Week, we’re going to look at two common tasks that an OBIEE 11g administrator might have to perform:

  • Connecting the system to Microsoft Active Directory, so users can log-into the dashboard using their Windows Active Directory username and password, and retrieve group membership, and
  • Connecting the system to an external set of database tables that contain the group membership for users authenticated through Active Directory

Whilst OBIEE 11g comes with the embedded WebLogic LDAP server to hold users and groups, the license for this is restricted such that you can’t just move all your other user details from other applications into the LDAP server. Realistically, you wouldn’t want to do that anyway as it’s likely you’ve got a corporate directory somewhere that you want to leave user and group details in, with OBIEE instead just connecting to it as an authentication and authorisation source. Luckily, now that OBIEE 11g uses WebLogic and Fusion Middleware’s Oracle Platform Security Services framework, connecting to external directories such as Active Directory is pretty straightforward, especially with recent versions of OBIEE such as 11.1.1.6 that do this all a lot smoother now.

So in this example, we’ve got an Active Directory server running on the host pdc.gcbc.com, that contains three users:

  • ADBISystemUser, which will be used as the principal that OBIEE uses to connect to the Active Directory server
  • Anne Administrator, a user on Active Directory who wants to have administration rights in the Presentation Server and BI Server
  • AD User, another user that just wants to be able to create analyses and dashboards

These users are organised into three groups in the AD server:

  • ADBIAdministrators, analogous to the BIAdministrators group in the WLS LDAP server
  • ADBIAuthors, ditto
  • ADBIConsumers, ditto again

Now if you search the internet and Oracle docs for instructions on how to integrate OBIEE 11g with Active Directory, there seems to be about as many different ways to do it as there are sets of instructions. A lot of this is because Active Directory is highly-configurable, and a lot depends on how much you want to replace, or just work alongside, the existing WLS LDAP server. In this example, our objective is to keep the WLS LDAP server and the user accounts within it (including the biadmin administrator account), but then make it possible for Active Directory users to also log in, and be assigned to the standard application roles that the WLS LDAP users have. Keeping the WLS LDAP users and administration account considerably simplifies the configuration process, though you might still want to go the full way if you intend to completely replace WLS LDAP with Active Directory. For now though, we’ll have the two running alongside each other.

Looking at the Active Directory Users and Configuration utility, we can see the three users we’re interested in:

[Screenshot 1]

And the three groups:

[Screenshot 2]

The groups have just got those users as members, and the users are just regular AD users, including the ADBISystemUser account. Internally, the domain is called gcbc.com, with the users held in the Users directory and groups in the Builtin directory – fairly standard stuff.

So let’s go into the WebLogic Server Administration Console (http://[machine_name]:7001/console) and start configuring the system for Active Directory integration.

  1. Log into the WebLogic Server Administration Console as an administration user, for example biadmin/welcome1
  2. When the Admin Console homepage is displayed, click on the Security Realms menu item on the left-hand side, and then on myrealm when the link is shown.
  3. You are now going to alter the domain configuration, so press the Lock and Edit button. Then, click on the Providers tab in the Settings for myrealm page.
  4. Active Directory integration is achieved through registering a new authentication provider, using the Active Directory provider type. To register this, press the New button just under the Authentication Providers label.

    [Screenshot 3]

  5. The Create a New Authentication Provider page will be displayed. Give the provider a name (for example, ADProvider) and select ActiveDirectoryAuthenticator as the Type.
  6. Now click on this new authentication provider in the list, and then when the Settings for ADProvider page is shown, set the Control Flag to SUFFICIENT, and press Save.
  7. Then, click on the Provider Specific tab, and enter the following details for your Active Directory installation, amending the settings as appropriate for your AD server.

    Host :  pdc.gcbc.com
    Port : 389
    Principal : CN=ADBISystemUser, CN=Users, DC=gcbc, DC=com
    Credential : Welcome1
    Confirm Credential : Welcome1 
    User Base DN : CN=Users,DC=gcbc, DC=com
    User Name Attribute : cn
    User Object Class : user
    Group Base DN : CN=Builtin, DC=gcbc, DC=com
    GUID Attribute : objectguid

    [Screenshot 4]
    Then, press Save to save and close the page.

  8. Now go back to the list of providers, and click on the DefaultAuthenticator one. With the Configuration > Common sub-tab selected, set the Control Flag to OPTIONAL, and press Save.
  9. Then, again with the list of authentication providers displayed, press the Reorder button and then change the order of the providers so that ADProvider is first, followed by DefaultAuthenticator and DefaultIdentityAsserter.

    [Screenshot 5]

  10. You’re now at the point where you can restart your BI domain and see the new users and groups within the WebLogic Admin Console. To do this, restart the BI Domain (the Admin and Managed Servers), and once complete, log in again to the WebLogic Admin Console and select Security Realms > myrealm > Users and Groups > Users. You should then see the Active Directory users listed alongside the WLS LDAP ones.

    [Screenshot 6]
    Similarly, you should see your AD groups under the Groups tab. Note that you can’t edit these AD users and groups from within the WebLogic Admin Console, nor can you create new AD users here – to do that, you’d need to use Active Directory’s own console and tools.

  11. Next we will switch over to Enterprise Manager, first to configure Fusion Middleware’s Oracle Platform Security Services to accept users and groups from both WLS LDAP and Active Directory when logging into the dashboard, and then we’ll map the Active Directory groups to their equivalent application roles.

    Log into Enterprise Manager, and select the WebLogic Domain > bifoundation_domain menu item on the left. Right-click on it and select Security > Security Provider Configuration. When the Security Provider Configuration page is displayed, expand the Identity Store Provider area and press the Configure… button.

    [Screenshot 7]
    The Identity Store Configuration page will then be displayed. Press the Add button next to the Custom Properties area, and add a new custom property with these settings :

    Property Name : virtualize
    Value : true

    Press OK to close the page.

  12. Now right-click on the Business Intelligence > coreapplication entry in the left-hand side menu, and select Security > Application Roles. As you may have done with the application role settings in yesterday’s postings, edit the BIAdministrator, BIAuthor and BIConsumer application roles so that the new Active Directory groups are listed as members.

    [Screenshot 8]
    Doing this ensures that the Active Directory users get the same type of Presentation Server and repository privileges as WLS LDAP users, but they won’t have administration access to WebLogic or Enterprise Manager. 

    You can, if you want, grant these users the same sorts of domain administrator rights as the WLS LDAP users, and you can indeed remove all of the WLS LDAP users and groups and move over to Active Directory entirely. But in most cases I see, this level of integration is sufficient, as it still allows the OBIEE administrators to control their own user accounts and privileges.

  13. You should now be able to log in as one of the Active Directory users. In the screenshot below, the AD User user has logged in, and has been granted the BIAuthor role through their membership of the ADBIAuthors Active Directory group. If Anne Administrator, an Active Directory user assigned to the ADBIAdministrators group, logs in, she will be able to administer the Presentation Server permissions and privileges, but she won’t be able to log into Enterprise Manager to change the repository, for example.

    [Screenshot 9]

So what we’ve seen here so far is OBIEE 11g connecting to Active Directory and retrieving users and groups from that directory in addition to the existing WLS LDAP users and groups. But what if the groups in Active Directory bear no resemblance to the groups and application roles that you’d like to organise users into? Because you can map LDAP groups to roles in Enterprise Manager, it’s possible to “reshape” group membership to fit your BI requirements, but often organisations will solve this problem by creating a couple of database tables on a spare database, and use those to define which users belong to which group.

Now this is something that was done a lot in OBIEE 10g – using Active Directory to authenticate someone, then retrieving their group membership through a separate database table lookup – but you’re not supposed to mix WLS provider-based authentication with old-style init block authorisation. So how will this work if, for example, we’ve got a couple of tables called GROUPS and GROUPMEMBERS that detail which user belongs to which group?

[Screenshot 10]

To handle this type of situation, OBIEE 11.1.1.5 (through the patch associated with Bug 11667221 / ARU 14523400) and OBIEE 11.1.1.6 (by default, though you need to copy the BISecurityProviders.jar file from [middleware_home]/Oracle_BI1/bifoundation/security/providers to [middleware_home]/wlserver_10.3/server/lib/mbeantypes, and then restart the Admin Server before it’s available) have a new authenticator called BISQLGroupProvider that can do this for you.

To use this new authenticator with either OBIEE 11.1.1.5 or 11.1.1.6, you’ll need to perform the following tasks:

  1. Configure a data source within WebLogic that the provider will use to connect to the schema and tables described above
  2. Configure a BISQLGroupProvider with the SQL SELECT statements required to access these tables
  3. Re-order your authentication providers, and if you’ve not done so already, enable the virtualised identity store adapter (we did this in fact in the previous example)
  4. Configure a database adapter so that the Identity Store APIs can map your groups into application roles.

Full details of this new authenticator are in a document on My Oracle Support, Doc. ID. 1428008.1. So, with some new users added to my Active Directory server and corresponding entries in the two database tables, so that these users are assigned to groups such as QA Managers, HR Managers and SF Managers, let’s get this set up.

  1. If you’ve not done so already, apply the above patch to OBIEE 11.1.1.5 if that’s the version you’re running, and then copy the BISecurityProviders.jar file as directed above (this applies to 11.1.1.6 as well, which already has the file without needing the patch applied). Once done, restart the WebLogic Admin Server.
  2. Now you will configure the data source and BISQLGroupProvider. To do so, use your Web browser to navigate to the WebLogic admin console (http://[machine_name]:7001/console), and then press the Lock and Edit button.

    From the left-hand menu select Services > Data Sources. Then, from the Data Sources list, press New > Generic Data Source.

    Then, on the Create a New JDBC Data Source page, enter or select the following details:

    Name : BIDatabaseGroupsDS
    JNDI Name : jdbc/BIDatabaseGroupsDS
    Database Type : Oracle (for example) 

    [Screenshot 11]

    On the following page, select the Database Driver, and then at the Connection Properties page, enter the connection details to your schema and database, for example:

    Database Name : orcl
    Host Name : obisrv1c
    Port : 1521
    Database User Name : gcbc_bi_groups
    Password : password
    Confirm Password : password

    Once entered, test the connection on the next page, then on the page after that deploy the data source to all of your WebLogic servers, press Finish, and then press the Activate Changes button.

  3. Next you will create a BISQLGroupProvider against this JDBC data source. The SQL that’s in the SELECT statements below is particular to the tables that I diagrammed earlier, and you’d need to change it if your table structure was different.

    Start by pressing the Lock & Edit button, to start editing the domain configuration. Then, select Security Realm > myrealm > Providers from the menus and tabs.

    With the Providers tab selected, press the New button to create a new authentication provider. When prompted, enter MySQLGroupProvider as the Name, and select BISQLGroupProvider as the Type.

    [Screenshot 13]
    Then, press OK to close the page, and then click on the new MySQLGroupProvider authentication provider to display its settings page. Select the Provider Specific tab, and then type in the name of the JDBC data source that you created earlier, i.e. jdbc/BIDatabaseGroupsDS.

    If you used the same table and column names as in the diagram before, the SQL settings for this provider will not need to be changed. If you did alter the table or column names though, update the SQL commands to reflect your actual database structure.

    [Screenshot 14]
    Once complete, press Save.

  4. Now go back to the list of providers, and Reorder them so that the new MySQLGroupProvider is at the top of the list.

    [Screenshot 17]

  5. If you have not done so already, set the virtualize=true flag in the Identity Store Provider settings in Enterprise Manager – see the steps earlier in this posting for details on how to do this.

    Once you’ve done this, press the Activate Changes button and then stop, and then start your entire BI system, so that all WebLogic and OBIEE components restart.

  6. Next, you are going to create an XML file that will be an adapter template for the database adapter, and will be used by the Identity Store APIs to map groups to application roles. Use a text editor and call the file bi_sql_groups_adapter_template.xml, and substitute your own LDAP details (the user base DN that follows %uniquemember%, which is cn=Users,dc=gcbc,dc=com in this example) into the

    <param name="ReplaceAttribute" value="uniquemember={cn=%uniquemember%,cn=Users,dc=gcbc,dc=com}"/>

    section, and also the:

    <objectClass name="groupofuniquenames" rdn="cn">

    section. In addition, if you have used different database table names and columns, you’ll need to adjust the SQL statements in the XML file accordingly.

    <?xml version = '1.0' encoding = 'UTF-8'?>
    <adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters"
              xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
       <dataBase id="directoryType" version="0">
          <root>%ROOT%</root>
          <active>true</active>
          <serverType>directoryType</serverType>
          <routing>
             <critical>true</critical>
             <priority>50</priority>
             <inclusionFilter/>
             <exclusionFilter/>
             <plugin/>
             <retrieve/>
             <store/>
             <visible>Yes</visible>
             <levels>-1</levels>
             <bind>true</bind>
             <bind-adapters/>
             <views/>
             <dnpattern/>
          </routing>
          <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
             <plugins>
                <plugin>
                   <name>VirtualAttribute</name>
                   <class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin</class>
                   <initParams>
                      <param name="ReplaceAttribute"
                             value="uniquemember={cn=%uniquemember%,cn=Users,dc=gcbc,dc=com}"/>
                   </initParams>
                </plugin>
             </plugins>
             <default>
                <plugin name="VirtualAttribute"/>
             </default>
             <add/>
             <bind/>
             <delete/>
             <get/>
             <modify/>
             <rename/>
          </pluginChains>
          <driver>oracle.jdbc.driver.OracleDriver</driver>
          <url>%URL%</url>
          <user>%USER%</user>
          <password>%PASSWORD%</password>
          <ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
          <includeInheritedObjectClasses>true</includeInheritedObjectClasses>
          <maxConnections>10</maxConnections>
          <mapping>
             <joins/>
             <objectClass name="groupofuniquenames" rdn="cn">
                <attribute ldap="cn" table="GROUPMEMBERS" field="G_NAME" type=""/>
                <attribute ldap="description" table="GROUPMEMBERS" field="G_NAME" type=""/>
                <attribute ldap="uniquemember" table="GROUPMEMBERS" field="G_MEMBER" type=""/>
             </objectClass>
          </mapping>
          <useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
          <connectionWaitTimeout>10</connectionWaitTimeout>
          <oracleNetConnectTimeout>0</oracleNetConnectTimeout>
          <validateConnection>false</validateConnection>
       </dataBase>
    </adapters>


    Now, open a command-prompt session in the server running Oracle Business Intelligence, and enter the following commands, adjusting for your particular environment and LDAP settings:

    cd c:\Middleware\oracle_common\bin
    set ORACLE_HOME=c:\Middleware\Oracle_BI1
    set WL_HOME=c:\Middleware\wlserver_10.3
    set JAVA_HOME=c:\Middleware\jdk160_24

    libovdadapterconfig -adapterName biSQLGroupAdapter -adapterTemplate bi_sql_groups_adapter_template.xml -host localhost -port 7001 -userName biadmin -domainPath c:\Middleware\user_projects\domains\bifoundation_domain -dataStore DB -root cn=Users,DC=gcbc,DC=com -contextName default -dataSourceJNDIName jdbc/BIDatabaseGroupsDS

    When prompted, enter the password for the Administration Server. Once complete, you should see the message:

    Adapter created successfully: biSQLGroupAdapter

  7. Now stop and restart the entire BI system. During the restart, you will see an error message saying that the connection pool you just created is unusable – this is expected and will not cause a problem.

    Now, go into Enterprise Manager and create a matching role for one of your new database-defined groups. You should see the new groups appearing when you go to add a group to the application role – if not, check the console output for the WebLogic Server for any diagnostic messages.

    [Screenshot 15]

  8. Finally, you’re now ready to test out the new roles and groups. Restart your entire BI system, then log in as one of the users with groups in the database tables, and then view the list of roles assigned to the user. You should see your new roles, corresponding to the group settings in the database tables, assigned to the user – in this case, the HR Manager role.

    [Screenshot 16]
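To make the adapter template in step 6 concrete, here is an added Python example (not from the original post, and not Oracle's code) that parses the template's column mapping and its ReplaceAttribute parameter, turns constructed GROUPMEMBERS rows into groupofuniquenames entries the way the virtual directory would present them, and looks up a user's groups by DN. It assumes that ReplaceAttribute substitutes the raw G_MEMBER value for %uniquemember% inside the braces, compares DNs case-insensitively, and uses constructed rows and a constructed user Sam Branch who sits outside cn=Users to show why such a user gets no groups.

```python
# Added example: emulate how the database adapter template maps GROUPMEMBERS
# rows onto LDAP groupofuniquenames entries. Not Oracle's implementation; the
# ReplaceAttribute handling is a simplified reading of the template's syntax.
import re
import xml.etree.ElementTree as ET

ADAPTER_NS = "{http://www.octetstring.com/schemas/Adapters}"
PLUGIN_NS = "{http://xmlns.oracle.com/iam/management/ovd/config/plugins}"

# Constructed sample: only the parts of bi_sql_groups_adapter_template.xml
# that this emulator reads (plugin parameter and column mapping).
ADAPTER_XML = """<?xml version='1.0' encoding='UTF-8'?>
<adapters xmlns="http://www.octetstring.com/schemas/Adapters">
  <dataBase id="directoryType" version="0">
    <root>%ROOT%</root>
    <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
      <plugins>
        <plugin>
          <name>VirtualAttribute</name>
          <initParams>
            <param name="ReplaceAttribute"
                   value="uniquemember={cn=%uniquemember%,cn=Users,dc=gcbc,dc=com}"/>
          </initParams>
        </plugin>
      </plugins>
    </pluginChains>
    <mapping>
      <objectClass name="groupofuniquenames" rdn="cn">
        <attribute ldap="cn" table="GROUPMEMBERS" field="G_NAME" type=""/>
        <attribute ldap="description" table="GROUPMEMBERS" field="G_NAME" type=""/>
        <attribute ldap="uniquemember" table="GROUPMEMBERS" field="G_MEMBER" type=""/>
      </objectClass>
    </mapping>
  </dataBase>
</adapters>
"""

# Constructed rows, one per (group, member), as a query of GROUPMEMBERS might return.
SAMPLE_ROWS = [
    {"G_NAME": "HR Managers", "G_MEMBER": "AD User"},
    {"G_NAME": "QA Managers", "G_MEMBER": "AD User"},
    {"G_NAME": "HR Managers", "G_MEMBER": "Anne Administrator"},
    {"G_NAME": "SF Managers", "G_MEMBER": "Sam Branch"},  # constructed user in another OU
]


def parse_adapter(xml_text):
    """Return (objectClass name, rdn attribute, {ldap attr: column}, {ldap attr: DN template})."""
    root = ET.fromstring(xml_text)
    oc = root.find(f".//{ADAPTER_NS}objectClass")
    columns = {a.get("ldap"): a.get("field") for a in oc.findall(f"{ADAPTER_NS}attribute")}
    templates = {}
    for param in root.iter(f"{PLUGIN_NS}param"):
        if param.get("name") != "ReplaceAttribute":
            continue
        # Syntax used in the template: attr={<text containing %attr%>}
        match = re.fullmatch(r"(\w+)=\{(.*)\}", param.get("value"))
        if match:
            templates[match.group(1)] = match.group(2)
    return oc.get("name"), oc.get("rdn"), columns, templates


def build_group_entries(xml_text, rows):
    """Collapse the (group, member) rows into one virtual LDAP entry per group."""
    objectclass, rdn, columns, templates = parse_adapter(xml_text)
    entries = {}
    for row in rows:
        key = row[columns[rdn]]
        entry = entries.setdefault(key, {"objectclass": objectclass, "uniquemember": []})
        for ldap_attr, column in columns.items():
            value = row[column]
            if ldap_attr in templates:  # VirtualAttribute rewrites the raw value into a DN
                value = templates[ldap_attr].replace(f"%{ldap_attr}%", value)
            if ldap_attr == "uniquemember":
                entry["uniquemember"].append(value)
            else:
                entry[ldap_attr] = value
    return entries


def groups_for_user(entries, user_dn):
    """Names of groups whose uniquemember contains the user's DN (case-insensitive)."""
    wanted = user_dn.lower()
    return sorted(cn for cn, entry in entries.items()
                  if any(member.lower() == wanted for member in entry["uniquemember"]))


if __name__ == "__main__":
    groups = build_group_entries(ADAPTER_XML, SAMPLE_ROWS)
    for dn in ("CN=AD User,CN=Users,DC=gcbc,DC=com",
               "CN=Sam Branch,OU=Branch,DC=gcbc,DC=com"):
        print(dn, "->", groups_for_user(groups, dn))
```

The second lookup returns no groups because the template hard-codes cn=Users as the suffix, so the virtual uniquemember DN never equals the DN of a user held in a different OU.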

So that concludes my look this week at OBIEE 11g security. There’s a lot more you could cover – EBS integration, setting up of SSO and SSL, etc, but I think this gives you a flavour of what’s involved. On now to write the actual book chapter, so no blogging for me for a couple of weeks.

Comments

  1. Michal Says:

    Thank you for this guide.
    It seems there is a lot of configuration steps behind the DB tables group membership approach, i.e. many chances to make an error :-/

  2. NILESH AGARWAL Says:

    This is very helpful post. What If you have multiple active directory domains like one for corporate office and another for store. How do you configure that in 11g. In 10g, we could add both the domains using the init block method.

  3. Josh Says:

    Thanks for the guide, one error though:
    You define the identity store provider parameter as “virtualise=true” up top, and “virtualized=true” below.

  4. Mark Rittman Says:

    Yes, unfortunately my spell-checker corrected the spelling to British English ;-)

    I’ve changed it now – thanks for spotting it.

    Mark

  5. Venkat J Says:

    Just to add

    1. Generally i wouldn’t recommend creating groups in AD – BIAuthors,BIAdministrators etc are not needed in AD. Not every AD admin will accept that (also not necessary for the functionality – but if allowed then that should be ok). Perhaps the new BISQLGroupAuthenticator can be used to get these groups(less intrusive) but not in AD/LDAP.

    2. I think user.login.attr & username.attr are still needed if the AD admin determines sAMAccountName is the principal ID instead of cn. The setting is not needed only when we are sure cn attribute is always populated. It depends on the underlying LDAP.

    3. Also, for default configurations (like Windows AD default), WLS provider setup should & will suffice. But for in some customer implementations where the AD setup can change, we still have to go and modify the user search settings, group search settings etc(which will be the case in many corporate setups).

    4. In terms of the BISystemUser, i think this can come from any provider. But its best to have this in the first provider (AD). For intercomponent communication, BISystemUser will be authenticated and if it is not in the first provider BI EE always has to go through to the second provider (After the first provider) and it can sometimes slow down the Authentication. Or better to have AD as the second provider and then leave BISystemUser in the default WLS. But for every AD user, authentication has to go through 2 providers (which might not be acceptable).

    Thanks,
    Venkat

  6. Mark Rittman Says:

    @Michal

    Absolutely – it took me several attempts before I got it working. What I can say is – it does work in the end, but make sure your XML file hasn’t got any special characters, added spaces etc from the cut-and-paste into the text file; make sure that the new provider is top of the list of providers, and so on. As you say, lots of opportunities for errors.

    Mark

  7. JK Says:

    In our OBIEE deployment, we authenticate against Active Directory for single sign-on from a corporate web portal, but AD stores only a single group for all OBI users (groups are maintained at an application level on our AD server, not at a role level, since we manage access to several different applications in our AD server)

    In our 10g environment we were storing Groups in a database table and assigning group membership via a session variable that initialized against the table.

    What you explain here seems applicable to our situation – it would be a way to override our non-role specific AD group assignments with the role specific groups required to control privileges….

    But from what I understand about Groups and Roles in OBI 11g, Roles are more akin to OBI 10g Groups, in that they are used to control privileges in the application, whereas Groups are specifically LDAP objects. It is also my understanding that Roles can be assigned directly to Users and this can be done using the ‘ROLES’ session variable, initialized in the same manner as the ‘GROUP’ variable was in 10g.

    That being the case, I have simply re-mapped the session variable that assigned the ‘GROUP’ variable to users to the ‘ROLES’ variable, and modified the assignments in the database table to assign users to the out of the box Roles (BI Administrator Role, BI Author Role etc.) so that when users authenticate, they are assigned to the appropriate Role, and granted privileges in the application according to their role assignment. This bypasses the requirement to assign LDAP Group membership at the role level altogether. And seems to be an effective way to control application privileges in 11g.

  8. Martien Truijen Says:

    Rick,

    Thanks for your BLOGs. Very useful.

    Question though, that I am also planning to ask Oracle about but maybe you can answers as well.

    Can you go into more depth about the ReplaceAttribute? From what I read, it appears to me that all users are expected to be in a single OU in AD/LDAP? Unfortunately, that is not true in our AD implementation and many larger AD implementations. Users are typically spread across different OUs, especially when you have users in different domains…

    If you say, substitute your own LDAP details into ReplaceAttribute, what exactly do you mean? I would very much appreciate a more in depth explanation.

    Thanks in advance!

  9. Vikas Barsaiyan Says:

    Hi Mark,

    Still the parameter “vitualize” and “virtualized” exist in your article. Can you please let us know which one is correct?

  10. Vikas Barsaiyan Says:

    I have done this setup mentioned above. After adding a new application role, when I try to add an existing group in the database, I didn’t find it while searching the group list. Do you have any idea what the possible causes for this issue are?

  11. Vikas Barsaiyan Says:

    Hi Mark,

    I am not able to fetch the group information although I have followed this article step by step.
    What can be the causes for the same? I have looked into diagnostic logs on Weblogic server but I didn’t find anything there.

  12. Martien Truijen Says:

    I have been in touch with Oracle. Oracle is working on an improved or replacement functionality for the BISQLGroupProvider. Obviously because this is something that many organizations would want to implement. Especially when initialization blocks in the RPD are not supposed to be used anymore to get the web groups that a user is a member of.

    Active Directory groups are great too but that alone is not going to cut it in many organizations. We have created custom tables that are being populated from all sorts of applications/directories (e.g. AD Groups, Oracle E-Business Suite Responsibilities, etc.).

  13. Anil Says:

    Hi Mark,

    Could you please let me know how do you assign a single user to multiple groups in the GROUP_MEMBERS table.

    Thanks,
    Anil

  14. Ashish Gandhi Says:

    Hi Martien,

    We are trying to integrate eBS with OBIEE 11g following the cookie based approach(10g – way) to authenticate and Assign RESPONSIBILITY to GROUP session variable. Also created application role for each responsibility and OBI Roles as parent for new application role. when user login from eBS navigate to OBIEE dashboard, My account does not show new application role. I have not done any steps as explained by Mark in above blog but I was expecting it will work seamlessly. Please let me know if you have done integration with eBS and came across this issue. Please share the high level approach to achieve this.

    Many Thanks,
    Ashish Gandhi

  15. Daniel Says:

    Does anyone know how to delete or recreate the biSQLGroupAdapter which is created by libovdadapterconfig using the xml template file?

    I need to update the “cn=Users,dc=gcbc,dc=com” part in the xml template file. When I run the libovdadapterconfig command again, it says “Adapter already exists: biSQLGroupAdapter”.

    Any idea how this can be done?

    Thanks,
    Daniel

  16. Vismay Says:

    Hi Daniel,

    Please follow the below steps.

    1) Log into the WLST console by running the WLST script at /oracle_common/common/bin/wlst[.sh/cmd]

    2) Connect to your admin server using the following syntax
    connect('[WLS admin user name]','[WLS admin password]','t3://[admin server host]:[admin server port]')
    e.g. connect('weblogic','weblogic','t3://localhost:7001')

    3) Delete the misconfigured adapter using the syntax
    deleteAdapter(adapterName='[adapter name]')
    e.g. deleteAdapter(adapterName='userGroupAdapter2')

    4) Exit WLST console using the command exit()

    Regards,
    Vismay Chawla

  17. Vismay Says:

    Hi Venkat/Mark,

    I have followed the above mentioned steps and successfully configured the SSO implementation using MSAD and OBIEE11g. Users are able to login to application with their Groups.

    The only problem which I am facing is : If a user belongs to multiples Groups (Roles). It does not show all the Roles/Groups in OBIEE. It shows only one Group. Even both the application roles/groups have been defined in Weblogic.

    e.g. User ‘ABC’ belongs to two Groups ‘HR Manager’ and ‘Finance User’, it shows only ‘HR Manager’ not ‘Finance User’.

    Could you please guide me as this is the sure stopper for me now?

    Regards,
    Vismay Chawla

  18. Harshini Says:

    Hi Daniel,

    If you are working on a Windows machine then you can follow the steps below:
    1. Open a command prompt and navigate to /oracle_common/common/bin
    2. Log into the WLST console by running the WLST script. Just type wlst and hit enter.
    3. After that connect to your admin server using the following syntax.
    connect('weblogic','weblogic_usr_pwd','t3://localhost:7001')
    4. Delete the misconfigured adapter using the syntax
    deleteAdapter(adapterName='biSQLGroupAdapter')
    5. Exit the WLST console using the command exit() and recreate the Adapter with the correct settings

    If you are working on Solaris then you can follow the steps below:
    1. Open Putty and navigate to /oracle_common/common/bin
    2. Log into the WLST console by running the WLST script.
    syntax: sh wlst.sh
    3. After that connect to your admin server using the following syntax.
    connect('weblogic','weblogic_usr_pwd','t3://localhost:7001')
    4. Delete the misconfigured adapter using the syntax
    deleteAdapter(adapterName='biSQLGroupAdapter')
    5. Exit the WLST console using the command exit() and recreate the Adapter with the correct settings.

    Thanks

  19. Mr.Yang Says:

    hi:
    I created an organization in the AD domain; the organization name is a company, and in the company it created two users.
    The two users, I can’t check using the Console.

  20. Uday Says:

    Can someone please elaborate what should be for ReplaceAttribute, as per the example above? Will the “uniquemember” be principal ID or the DB schema owner name?

    Thanks in advance,

  21. Emil Says:

    Hello everybody !
    When executing I’m getting this error. No argument is allowed: ûdataSourceJNDIName.

    Thank you for your attention !

  22. Kim Says:

    Can I avoid the use of WLS completely and work as I did in 10.1.3? Using AD defined in repository and init blocks to authenticate and get groups using init blocks?
    Thanks,
    Kim

  23. Kalyan Says:

    Hi, followed the same steps but when trying to activate the changes for the Provider getting the below error. any thoughts ?

    An error occurred during activation of changes, please see the log for details.
    [Management:141191]The prepare phase of the configuration update failed with an exception:
    [Management:141245]Schema Validation Error in config/config.xml see log for details. Schema validation can be disabled by starting the server with the command line option: -Dweblogic.configuration.schemaValidationEnabled=false

  24. Kalyan Says:

    Issue is resolved, there were two providers. As per the Oracle doc there should be only one provider which should be used for authentication/authorization

  25. Eric Says:

    I want to combine the authorization for the majority of users by AD-Groups and fine grained authorization by group mapping in the database table. So, is it possible to associate the groups from AD and the Database as well? If so, does the SQLProvider overwrite the AD group setting and what happens if the user has a group by AD and none by the SQL-Provider.

    I’m looking forward to your experiences.

  26. simon Says:

    Very helpful week of posts, thank you for these.

  27. Meera Says:

    Hi Mark,

    Can you please give me the steps to be followed for Oracle EBS and OBIEE 11g integration?

  28. Peter Says:

    I am having an issue: we changed the LDAP IP and now when I log in to BIPUB I enter the email address and password, it says successful, and then prompts me to use a local login like administrator.
    This works; however, the SSO part is not working anymore. Any ideas? I am using AIX BI 11G (11.1.15)

  29. Norm Says:

    Hello,
    I am trying to configure Active Directory for authentication, and an external table for groups.

    My question is …
    If I set the “All Users Filter” and “User from Name Filter” Active Directory parameters to (&(sAMAccountName=*)(objectclass=user)),
    and set “User Name Attribute” to “sAMAccountName” … do I need to replace “cn” with “sAMAccountName” in the Database Adapter configuration file?

  30. Raj Says:

    Hi Mark,

    Good post, very useful. If we have to authenticate the users using the database (no LDAP), what changes need to be made to the DB Adapter file? Please let me know if any steps need to be followed.

    Thanks in Advance
    Raj

  31. Uday Says:

    Do we just raise question(s) and forget about getting any help? I find it strange that Mark has the same exact steps in his newly released book too. Honestly, I was expecting a better job by Mark in at least explaining/pointing to the “finer” details, like where to find out if the adapter got properly installed and such, OR monitoring these blogs and helping us!

    His vast experience is just being wasted and is nowhere near that of AskTom!

    Sorry Mark. I’m still willing to pay for your next book (?) if these finer details are addressed.

  32. Sunil Says:

    Hi,

    In Step 10, I am getting the errors below.

    Security Web Service could not be initialised: oracle.bi.security.service.SecurityServiceException: SecurityService:: – oracle.security.jps.service.idstore.IdentityStoreException: JPS-01520: Cannot initialize identity store.

    Security Service initialisation failed – could not initialise Identity Store: oracle.security.jps.service.idstore.IdentityStoreException: JPS-01520: Cannot initialize identity store.

    [13026] Error in getting roles from BI Security Service: ‘Error Message From BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService:: – oracle.security.jps.service.idstore.IdentityStoreException: JPS-01520: Cannot initialize identity store.’

    Thanks,
    Sunil

  33. Mark Rittman Says:

    Hi Uday,

    Fair point about getting help; however, unfortunately, unlike Tom I've actually got a very intensive day job to do and at the moment no real time to reply to tech help requests, let alone write new blog posts ;-) I'd like to come back to this topic soon and go back through the steps to see what problems people are regularly hitting, but in the meantime I just don't have the time or resources to help people out with their specific issues, sorry. All I can say is that in my instance it worked for me, but as people say there are lots of reasons why they've hit problems. If you do hit issues, your best place to look initially is the tech docs, then raise an SR with Oracle Support, but I will try and revisit this topic in the near future.

    Mark

  34. SMAIL Says:

    Hi,

    I am trying to connect to Active Directory; when I restart the BI Domain the connection fails with parameter ldap://pdc.gcbc.com:389.

    Thank you for your help

  35. Prasad Says:

    I have configured AD and DB groups. Currently groups are showing only if I use capital letters. How can I change it so the AD user can log in without case sensitivity?

  36. Prasad Says:

    Also we are getting a performance issue for login with an AD user after configuring the AD and DB providers.
    Please suggest how to improve performance; it is taking around 3 minutes to log in to the system.

  37. Stefano Says:

    Can this authenticator/feature be used to implement data filtering for users? I mean to restrict user results by implementing a rule that filters AREA=US for users belonging to group=A and AREA=EMEA for users belonging to group=B?

  38. Chaitanya Says:

    Hello

    I have configured AD with the WebLogic domain and everything goes fine. There is a new requirement where I need to provide an analysis of the number of users by country accessing the applications.

    Could you please help me as to how to get this information from AD.

    Regards
    Chaitanya

  39. Sri Says:

    I have assigned several EBS responsibilities to the user in EBS and am able to navigate from EBS to OBIEE successfully.

    When I check My Account –> Roles and Catalog Groups, I am able to see only one responsibility,
    but as per my requirement I want to see all the responsibilities which are assigned in EBS.

    Please advise, thanks in advance.

    Ex:

    EBS Responsibilities: ABC, XYZ. When I log in from ABC I see only ABC in (My Account –> Roles and Catalog Groups).

    Regards,
    Sri

  40. OBIE Wizard Says:

    Hello, I am trying to get a dynamic formula entered into a Criteria (Essbase cube) to get previous years' data. I don't have access to Admin Tools or BMM; any other solutions?

    Thanks
    NJ

  41. Basheer Says:

    This is a great article. I did have a question. Is it possible to assign an AD user to a group that is created under the DefaultAuthenticator?

  42. Prakhar Says:

    Hi,
    I was wondering if I can get help on the error message below:

    Caused by: java.io.IOException: [Management:141245]Schema Validation Error in config/config.xml see log for details. Schema validation can be disabled by starting the server with the command line option: -Dweblogic.configuration.schemaValidationEnabled=false

    I get this error message while activating changes (after adding SQL statements).

    Background:

    We have successfully created an LDAP authentication provider without issues, with the control flag set to SUFFICIENT. Now we want to create this external database provider for authorization.

    Any help / ideas would be much appreciated.

    Thanks.
    -Prakhar

  43. hitesh Says:

    I have followed the same steps which were in the Oracle BI Security 11g document and the above, but I can't see any of the new DB groups in Roles and Catalog Groups. Any inputs greatly appreciated.

    thanks

  44. Srinivas Chindam Says:

    Hi All,

    This is a very useful topic, and the comments as well.

    On the development server someone tried configuring AD authentication with OBIEE 11g but was not successful.
    When I try to log in to Presentation Services, login fails with “invalid user ID and password”.

    So when I tried to debug in EM and AD:
    1) The default BI groups like BI Administrators, BI Authors and BI Consumers are missing, though the default roles exist.
    2) Some other custom groups are loaded.
    Not sure why and how it all happened.

    So now I am trying to resolve the issue.

    I am planning to remove or clean the complete AD authentication and want to log in with just WLS LDAP authentication first.

    If so, how to clean the AD authentication and come back to the default WLS config?

    Please suggest.

    Regards
    Srinivas Chindam

  45. Srinivas Chindam Says:

    If so, how do I clean the AD authentication and come back to the default WLS config?

    Please suggest.

    Regards
    Srinivas Chindam

  46. Salih Says:

    Hi,

    When I try to delete the adapter using the "deleteAdapter(adapterName='userGroupAdapter2')" command I get an error like the one below. Any thoughts?

    Traceback (innermost last):
    File “”, line 1, in ?
    NameError: deleteAdapter

  47. Hugo Says:

    Hi Salih,

    Make sure you are launching the right WLST.

    Hi all, I can map roles to groups coming from the database, but my user is not mapped to the role and group…

  48. Hugo Says:

    I think there is a mistake between jdbc/BIDatabaseGroupDS
    and
    jdbc/BIDatabaseGroupsDS

  49. Pat Miller Says:

    Hi,
    Nice article on WebLogic integration with AD. We are actually not OBIEE users, but are trying to utilize AD group information as a way to add authorization groups in WebLogic. Does anyone have any suggestions on resources to take a look at: published articles, blogs, or any more details on how to do this?

    Thanks,
    Pat
