LDAP Active Directory Authentication on OBIEE 11g

This post covers configuring Oracle BI 11g to authenticate against Active Directory. I have followed the Peak Indicators document for this implementation.

With this configuration the embedded WebLogic LDAP provider remains the "primary" identity provider, so you do not need to migrate the "BISystemUser" account or any other system/admin accounts into Active Directory. The advantage is that Oracle BI stays accessible and running, and the system and administrator accounts can still log in, even if the Active Directory server becomes unavailable on the network.

Active Directory is configured as the "secondary" identity provider, so all your normal end-user accounts can be mastered there. It is assumed that all user "groups" are also stored in Active Directory, so both authentication and authorization of end users are handled by Active Directory.

Let's start the configuration steps.
1. Log on to the WebLogic Console as the WebLogic administrator account:
   http://satya:7001/console

2. Navigate to "Security Realms > myrealm".

3. Click on the "Providers" tab and then click the "Lock & Edit" button.

4. Click on the link for "DefaultAuthenticator".

5. Set the "Control Flag" parameter to "SUFFICIENT". With SUFFICIENT, a login that this provider accepts is final and the remaining providers are not consulted, while a login it rejects is passed on to the next provider in the list. The default, REQUIRED, would make every login fail unless the user also existed in the embedded LDAP.

6. Click the "Save" button.

7. Navigate back to the "Providers" tab by clicking the link at the top of the page.

8. Click on the "New" button to create a new authentication provider.

9. Set the following "Name" and "Type" before hitting the "OK" button:
   Name: ADAuthenticator
   Type: ActiveDirectoryAuthenticator

10. You should see your new provider listed; click on the "ADAuthenticator" link to do some further configuration.

11. Set the "Control Flag" parameter to "SUFFICIENT" and then click the "Save" button.
12. Once saved, go to the "Provider Specific" tab.

13. Set the Active Directory configuration parameters as follows:

    Host: [AD server hostname or IP address] e.g. 17.16.110.151
    Port: [AD port, e.g. 389 for plain LDAP]. If the domain controller accepts LDAPS, use 636 and tick "SSLEnabled"; over 389 the service-account bind and every end-user password are sent in clear text.
    Principal: [DN of the OBI service account used to bind to AD for the user and group lookups]
      e.g. CN=BIAdmin,OU=Users,DC=mycompany,DC=com
      This account only needs read access to the user and group subtrees; do not use a domain administrator.
    Credential: [password for the OBI service account]
    Confirm Credential: [password for the OBI service account]
    User Base DN: [DN of the container holding users in AD]
      e.g. OU=Users,DC=mycompany,DC=com
    All Users Filter: (&(sAMAccountName=*)(objectclass=user))
    User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
    User Name Attribute: sAMAccountName
    Group Base DN: [DN of the container holding groups in AD]
      e.g. OU=Groups,DC=mycompany,DC=com
    Example: the same kind of values for the UAT1 domain controller, written as DBMS_LDAP / DBMS_LDAP_UTL variables in a PL/SQL block (the login name 'satya' is a placeholder for whatever the caller supplies):

    DECLARE
      username      VARCHAR2(64)  := 'satya';                              -- login name supplied by the caller
      ldap_host     VARCHAR2(256) := '192.16.110.44';                      -- UAT1 domain controller
      ldap_port     PLS_INTEGER   := 389;
      ldap_user     VARCHAR2(256) := 'cn=Satya,cn=Users,dc=Adgen,dc=in';   -- service account DN used to bind
      ldap_passwd   VARCHAR2(256) := 'satya@admin';                        -- service account password
      sub_type      PLS_INTEGER   := DBMS_LDAP_UTL.TYPE_DN;
      subscriber_id VARCHAR2(256) := 'dc=Adgen,dc=in';                     -- subscriber (domain) DN
      user_type     PLS_INTEGER   := DBMS_LDAP_UTL.TYPE_DN;
      user_id       VARCHAR2(256) := 'cn=' || username || ',cn=Users,dc=Adgen,dc=in';
      group_type    PLS_INTEGER   := DBMS_LDAP_UTL.TYPE_DN;
      group_id      VARCHAR2(256) := 'cn=group1,cn=Groups,dc=Adgen,dc=in';
    BEGIN
      -- Choose exceptions to be raised by the DBMS_LDAP library instead of return codes.
      DBMS_LDAP.USE_EXCEPTION := TRUE;
    END;
14. Click the "Save" button.

15. Return to the "Providers" tab (by clicking the link at the top) and then click the "Reorder" button.

16. Move "ADAuthenticator" to second in the list, directly after "DefaultAuthenticator", so the embedded LDAP is tried first.

17. Click the "OK" button.

18. Now click "Activate Changes".

19. NOTE: the following step is required to enable the use of multiple identity providers, and also to ensure that users will still be able to log in to OBIEE even if the WebLogic Admin Server goes down.
    Log on to Enterprise Manager as the [BI ADMIN USER] account:
    http://satya:7001/em
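The two filters set on the Provider Specific tab have WebLogic substitute the login name for %u when it looks a user up. WebLogic escapes that value itself, but if you reproduce the lookup in your own code (a custom application authenticating against the same AD, for instance), you must escape it too, or a login name such as `*)(objectclass=*` turns the one-user search into a match-everything search. The following is an added example, not code from this post or from WebLogic: it applies RFC 4515 escaping to the page's User From Name Filter and, before that, rejects anything Active Directory could not store as a sAMAccountName (Microsoft's rules: at most 20 characters, none of `"/\[]:;|=,+*?<>`). The login names it is run against are constructed.

```python
"""Build the ADAuthenticator user-lookup filter with RFC 4515 escaping.

Added example; not code from the post or from WebLogic. The filter template
is the one from the Provider Specific tab; the sample login names are
constructed for the demonstration.
"""
import re

USER_FROM_NAME_FILTER = "(&(sAMAccountName=%u)(objectclass=user))"

# Characters Active Directory does not allow in a sAMAccountName, and the
# 20-character limit for user logon names (Microsoft's rules, not WebLogic's).
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
_SAM_MAX_LEN = 20

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def valid_sam_account_name(name: str) -> bool:
    """Reject names AD itself would never store, before they reach the filter."""
    return 0 < len(name) <= _SAM_MAX_LEN and not any(ch in _SAM_FORBIDDEN for ch in name)


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only be compared, never parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login: str, safe: bool = True) -> str:
    """Substitute the login name for %u, escaped (safe=True) or raw (safe=False)."""
    value = escape_filter_value(login) if safe else login
    return USER_FROM_NAME_FILTER.replace("%u", value)


def count_assertions(filt: str) -> int:
    """Count the (attr=value) leaves in a filter; the template has exactly two."""
    return len(re.findall(r"\((?![&|!])[^()]*\)", filt))


def lookup_filter(login: str) -> str:
    """What a custom application should do: validate, then escape, then substitute."""
    if not valid_sam_account_name(login):
        raise ValueError("not a valid sAMAccountName: %r" % login)
    return user_filter(login, safe=True)


if __name__ == "__main__":
    hostile = "*)(objectclass=*"  # constructed injection attempt
    print(user_filter("satya"))
    raw = user_filter(hostile, safe=False)
    print(raw, count_assertions(raw))       # three assertions: matches every user
    escaped = user_filter(hostile)
    print(escaped, count_assertions(escaped))  # still two: compares the literal string
```

Run as a script it prints the normal filter, the injected one (which now has three assertions and matches every user object) and the escaped one (still two assertions, comparing the literal text, which matches nothing).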
20. Expand "WebLogic Domain", right-click on "bifoundation_domain" and then choose the following menu option:
    Security > Security Provider Configuration

21. In the middle of the screen, click the "Configure" button.

22. Click the "Add" button to add the following 3 custom properties:
    user.login.attr   sAMAccountName
    username.attr     sAMAccountName
    virtualize        true

    The two attribute properties tell OPSS which AD attribute holds the login name; virtualize=true makes OPSS query all configured authentication providers through identity virtualization instead of only the first one, which is what makes AD users and groups visible to OBIEE.

23. Click the "OK" button at the top-right. Observe the success message to confirm the parameters have been applied.
24. If you have a very large Active Directory tree structure, it may cause performance issues during login, as authentication and authorization can take an extended period of time to complete. The settings documented in this section can significantly improve performance. In one example (where users/groups were spread over 150 sub-trees in Active Directory) these settings reduced login times from 5-6 minutes down to just a few seconds.

    a. Log on to the WebLogic Console as the WebLogic administrator account:
       http://satya:7001/console
    b. Navigate to "Security Realms > myrealm > Providers > Authentication" and click on the link for your "ADAuthenticator".

25. Click the "Lock & Edit" button, go to the "Provider Specific" tab and change the following parameters:
    Use Token Groups For Group Membership Lookup: [Enable]
    Cache Size: 3200

    With token groups enabled the provider reads the user's tokenGroups attribute (the SIDs of every group the user belongs to, nested groups included, computed by the domain controller in a single read) and resolves those SIDs to group names, instead of walking the group hierarchy with repeated LDAP searches.

26. Click the "Save" button.

    Now go to the "Performance" tab of your authenticator and set the parameters as follows:
    a. Max Group Hierarchies in Cache: 1000
    b. Group Hierarchy Cache TTL: 600
    c. Enable SID to Group Lookup Caching: [Enable]
    d. Max SID To Group Lookups In Cache: 5000

27. Click the "Save" button, then click the "Activate Changes" button.
    NOTE: you will need to restart; this is done in the next step.

28. The configuration is now complete; restart all Oracle BI services.
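To make concrete what the token-groups and SID-cache settings above are doing, here is an added example, not code from this post or from WebLogic: it decodes the binary SIDs a tokenGroups read returns, resolves them to group DNs through a bounded LRU cache of the kind "Max SID To Group Lookups In Cache" sizes, and counts how many directory round-trips the cache saves on a repeat login. The domain SID, the group RIDs and the directory contents are constructed; only the DC=Adgen,DC=in suffix is taken from the post.

```python
"""Decode tokenGroups SIDs and resolve them to groups through a bounded cache.

Added example; not code from the post or from WebLogic. The domain SID,
group RIDs and directory entries below are constructed; only the
DC=Adgen,DC=in suffix is taken from the post.
"""
import struct
from collections import OrderedDict
from typing import Dict, List, Optional


def decode_sid(raw: bytes) -> str:
    """Binary objectSid/tokenGroups value -> 'S-1-5-21-...' string.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count x 32-bit little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid, used here to build the sample tokenGroups values."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


class SidGroupCache:
    """LRU map from SID string to group DN.

    Stands in for the provider's SID-to-group cache; max_entries plays the
    role of "Max SID To Group Lookups In Cache". Misses are cached too, so a
    SID with no group object is not re-queried on every login.
    """

    def __init__(self, max_entries: int):
        self.max_entries = max_entries
        self._entries = OrderedDict()  # type: OrderedDict[str, Optional[str]]
        self.lookups = 0  # directory round-trips actually performed

    def resolve(self, sid: str, directory: Dict[str, str]) -> Optional[str]:
        if sid in self._entries:
            self._entries.move_to_end(sid)
            return self._entries[sid]
        self.lookups += 1
        dn = directory.get(sid)  # stands in for an LDAP search on (objectSid=<sid>)
        self._entries[sid] = dn
        if len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)
        return dn


def groups_for_user(token_groups: List[bytes], directory: Dict[str, str],
                    cache: SidGroupCache) -> List[str]:
    """Turn a tokenGroups read into group DNs, one cached lookup per SID."""
    dns = []
    for raw in token_groups:
        dn = cache.resolve(decode_sid(raw), directory)
        if dn is not None:
            dns.append(dn)
    return dns


# Constructed sample directory: a domain SID, two groups, and a tokenGroups
# value that also carries a SID no group object resolves to.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
DIRECTORY = {
    DOMAIN_SID + "-513": "CN=Domain Users,CN=Users,DC=Adgen,DC=in",
    DOMAIN_SID + "-1105": "CN=BI Consumers,OU=Groups,DC=Adgen,DC=in",
}
TOKEN_GROUPS = [encode_sid(DOMAIN_SID + "-513"),
                encode_sid(DOMAIN_SID + "-1105"),
                encode_sid(DOMAIN_SID + "-9999")]


def demo_repeat_login(max_entries: int = 5000) -> tuple:
    """Resolve the same tokenGroups twice; return (groups, lookups after 1st, after 2nd)."""
    cache = SidGroupCache(max_entries)
    groups = groups_for_user(TOKEN_GROUPS, DIRECTORY, cache)
    first = cache.lookups
    groups_for_user(TOKEN_GROUPS, DIRECTORY, cache)
    return groups, first, cache.lookups


if __name__ == "__main__":
    print(decode_sid(TOKEN_GROUPS[0]))
    print(demo_repeat_login())
```

With a cache large enough to hold the user's groups the second login costs no directory round-trips at all; shrink max_entries below the number of SIDs and every login pays the full price again, which is the situation the performance settings above are meant to avoid.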
Hope this helps!
Thanks,
Satya Ranki Reddy
Is there any help on how we could use this with our custom web application?