Friday, November 8, 2013

[OBIEE 11g] Integrating MS Active Directory With OBIEE 11g In Weblogic Server




Business Problem


The business wants to reuse the existing Microsoft Active Directory (MSAD) for authentication in OBIEE 11g. In addition, IT wants the flexibility to add users such as DEV1 and QA1 for system development without creating them in the enterprise Active Directory. This calls for two authentication providers: 1. MSAD and 2. the out-of-the-box WebLogic Server embedded LDAP (the DefaultAuthenticator).


In 10g we could integrate MSAD directly in the OBIEE RPD, and users such as Dev1 and QA1 could also be defined in the RPD. In OBIEE 11g, LDAP integration is still available in the RPD, but the recommended place for it is the WebLogic Server security realm; defining users and passwords in the RPD is no longer possible in 11g.


The Oracle documentation on this subject is confusing. This post is the answer: a configuration that works end to end.



Solution


Prerequisites:


This solution assumes you have successfully installed OBIEE 11.1.1.5 on Windows XP and that the SampleAppLite application is up and running: the default user weblogic should be able to log in to OBIEE. In Active Directory a user named 'BISystemUser' has to be created; this is very important. Once the prerequisites are done, proceed with the steps below.


(This solution takes the simplest route: rather than creating a new trusted user to replace 'BISystemUser', I created a user with the same name 'BISystemUser' in MSAD. This avoids finding and replacing every occurrence of BISystemUser with a different trusted user name. Because this account is the trusted system account for the BI components, create it as a dedicated service account with a strong password and only the group memberships it actually needs.)


1. Log on to the WebLogic Server (WLS) Administration Console and navigate to Security Realms -> myrealm -> Providers tab.


2. Click Lock & Edit in the left pane, then click the 'New' button to add a new Authentication Provider.


2.1 Supply the details as shown below (the screenshot is not reproduced here): name the provider MSAD and choose the ActiveDirectoryAuthenticator type.








2.2 You should now see the new authentication provider MSAD listed in the Providers tab.



2.3 Click MSAD and, in the provider's Common tab, set the Control Flag to SUFFICIENT.


2.4 Click the 'Provider Specific' tab and enter the MSAD-specific details.


The main entries on that screen are listed below (NOTE: these vary with your company's directory layout):



Host: HOSTNAME.YOURCOMPANY.com

Port: 389

Principal: CN=obiee-svc,CN=Users,DC=corp,DC=YOURCOMPANY,DC=com

Credential: the password of the Principal account

User Base DN: CN=Users,DC=corp,DC=YOURCOMPANY,DC=com

All Users Filter: (&(sAMAccountName=*)(objectclass=user))

User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))

User Name Attribute: sAMAccountName

User Object Class: user

Group Base DN: CN=Users,DC=corp,DC=YOURCOMPANY,DC=com


Two security points about these values. Port 389 is clear-text LDAP: the Principal's bind password, and every user password that WebLogic verifies by binding as that user, cross the network unencrypted, so outside a lab tick SSLEnabled, use port 636 (LDAPS) and import the domain controller's CA certificate into the WebLogic trust store. The Principal (obiee-svc above) only needs to read the user and group subtrees; use a dedicated service account for it, not a domain administrator.




If you set this up in 10g, you can copy the entries from the LDAP server definition in your 10g RPD.


The main things to note are 'Principal', which was called Bind User in 10g, and the User Name Attribute, which must be changed to sAMAccountName; make sure the same change is made in 'All Users Filter' and 'User From Name Filter'. I also changed the Group Base DN. Once the changes are activated you should see the users from your AD in the 'Users and Groups' tab. If you do not, one of the entries above is wrong: a quick way to isolate the problem is to bind with the Principal account from an LDAP client (ldp.exe or ldapsearch) against the same host, base DN and filters, or to test the same values in the RPD's LDAP server definition.



3. In the 'Providers' tab click 'DefaultAuthenticator' and change its Control Flag from REQUIRED (the default) to OPTIONAL.



4. Reorder the authentication providers so that 'MSAD' comes first.




Click Activate Changes. You may need to restart WLS.
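Why steps 2.3, 3 and 4 together give "AD users or embedded-LDAP users may log in" is easier to see by running the decision WebLogic makes. WebLogic evaluates its ordered list of authentication providers with JAAS control flags; the following is an offline model of that evaluation, added here as an example and not code from the original post or from Oracle. The two directories, their users and their passwords are constructed test data.

```python
"""Offline model of WebLogic's JAAS control-flag evaluation over an ordered
list of authentication providers.  Added example; the directories, users and
passwords below are constructed test data, not real accounts."""

from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


class Directory:
    """Stand-in for one provider's user store (MSAD or the embedded LDAP)."""

    def __init__(self, name, users):
        self.name = name
        self.users = users  # {username: password}; constructed sample data

    def login(self, user, password):
        return self.users.get(user) == password


def authenticate(chain, user, password):
    """Run the provider chain with JAAS semantics and return (success, trace).

    REQUIRED   must succeed; the chain continues either way
    REQUISITE  must succeed; a failure stops the chain immediately
    SUFFICIENT a success ends the chain at once, unless an earlier
               REQUIRED/REQUISITE provider already failed; a failure is ignored
    OPTIONAL   never decides on its own; it only counts if nothing else did

    Overall: success iff no REQUIRED/REQUISITE provider failed and at least
    one provider accepted the credentials.
    """
    trace = []
    any_success = False
    required_failed = False
    for directory, flag in chain:
        ok = directory.login(user, password)
        trace.append((directory.name, flag.value, ok))
        any_success = any_success or ok
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break
        elif flag is Flag.SUFFICIENT and ok and not required_failed:
            break  # short-circuit: later providers are not consulted
    return any_success and not required_failed, trace


def build_directories():
    """Constructed sample stores: AD holds the business users, the embedded
    LDAP holds DEV1 and weblogic.  BISystemUser exists in both, which is the
    state between step 2 and step 5 of the procedure."""
    msad = Directory("MSAD", {"jdoe": "Winter2013!", "BISystemUser": "ad-secret"})
    embedded = Directory("DefaultAuthenticator",
                         {"DEV1": "dev1pass", "weblogic": "welcome1",
                          "BISystemUser": "old-secret"})
    return msad, embedded


def recommended_chain(msad, embedded):
    """State after steps 2.3, 3 and 4: MSAD first and SUFFICIENT,
    DefaultAuthenticator second and OPTIONAL."""
    return [(msad, Flag.SUFFICIENT), (embedded, Flag.OPTIONAL)]


def out_of_box_chain(msad, embedded):
    """State if steps 3 and 4 are skipped: DefaultAuthenticator is still
    REQUIRED and still listed before MSAD."""
    return [(embedded, Flag.REQUIRED), (msad, Flag.SUFFICIENT)]


if __name__ == "__main__":
    msad, embedded = build_directories()
    for label, chain in (("recommended", recommended_chain(msad, embedded)),
                         ("out-of-box order/flags", out_of_box_chain(msad, embedded))):
        print("== " + label)
        for user, pw in (("jdoe", "Winter2013!"), ("DEV1", "dev1pass"),
                         ("jdoe", "wrong"), ("BISystemUser", "old-secret")):
            ok, trace = authenticate(chain, user, pw)
            print("%-12s -> %-5s %s" % (user, ok, trace))
```

In the recommended chain jdoe is accepted by MSAD alone and DEV1 falls through to the embedded LDAP. With the out-of-the-box REQUIRED flag still on DefaultAuthenticator and that provider still listed first, every AD-only user is rejected even though MSAD accepts the password, which is exactly the symptom steps 3 and 4 remove. The last case shows why step 5 deletes the duplicate BISystemUser: until it is removed, the stale embedded-LDAP password still logs the trusted system account in.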



5. Log on to WLS (myrealm -> Users and Groups tab) and make sure you see two 'BISystemUser' entries; the Provider column tells them apart, the first belonging to the DefaultAuthenticator and the second coming from MSAD. Delete the BISystemUser of the DefaultAuthenticator, otherwise the trusted system account keeps two valid passwords, one in each store.


6. Log on to Enterprise Manager (EM), go to WebLogic Domain, right-click bifoundation_domain and choose Security -> Credentials.


6.1 Update the password of BISystemUser (credential map oracle.bi.system, key system.user) to the value set in MSAD.


6.2 Go to WebLogic Domain, right-click bifoundation_domain and choose Security -> Security Provider Configuration. Click the 'Configure' button under 'Identity Store Provider' and add the three properties below:


user.login.attr=sAMAccountName

username.attr=sAMAccountName

virtualize=true


NOTE: If virtualize=true is NOT added, only MSAD users will be able to log in, because the OPSS identity store then reads only the first authenticator (MSAD). With virtualize=true the identity store is virtualized across all configured LDAP authenticators, so the embedded-LDAP users are found as well.


7. Restart WLS and restart the BI Server components from EM.


8. That's it. Now both the MSAD users and the WLS embedded LDAP users can log in.
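The console clicks in steps 2 to 4 and 6.1 are the part of this procedure that has to be repeated on every DEV, QA and PROD domain, so here is the same change as a WLST (Jython) script. This is an added example, not code from the original post or from Oracle. Everything in it is an assumption to adjust for your site: the admin URL and user, the domain name bifoundation_domain and realm myrealm, the MSAD values (the post's own placeholders), and the OPSS credential map oracle.bi.system with key system.user for BISystemUser. The MBean attribute names are those of WebLogic's ActiveDirectoryAuthenticatorMBean; verify them with ls() at the provider's MBean path if your WebLogic version differs. Run it with the WLST under oracle_common/common/bin so that the OPSS command updateCred is available; step 5 (deleting the duplicate BISystemUser) is left to the console.

```python
"""WLST (Jython) script for steps 2 to 4 and 6.1.  Added example, not the
post's or Oracle's code.  All hostnames, DNs, domain/realm names and the
credential map/key are assumptions; passwords are prompted for, never stored."""
import getpass

ADMIN_URL = "t3://localhost:7001"   # assumption: AdminServer on this host
ADMIN_USER = "weblogic"
REALM = "myrealm"
REALM_PATH = "/SecurityConfiguration/bifoundation_domain/Realms/" + REALM
PROVIDER = "MSAD"
AD_TYPE = "weblogic.security.providers.authentication.ActiveDirectoryAuthenticator"


def msad_settings(host, port, principal, base_dn):
    """Provider Specific entries from step 2.4, keyed by MBean attribute name."""
    return {
        "Host": host,
        "Port": port,
        "Principal": principal,
        "UserBaseDN": base_dn,
        "AllUsersFilter": "(&(sAMAccountName=*)(objectclass=user))",
        "UserFromNameFilter": "(&(sAMAccountName=%u)(objectclass=user))",
        "UserNameAttribute": "sAMAccountName",
        "UserObjectClass": "user",
        "GroupBaseDN": base_dn,
    }


def provider_order(existing, first=PROVIDER):
    """Step 4: put MSAD first and keep the other providers in their order."""
    return [first] + [p for p in existing if p != first]


def configure_realm(settings, bind_password, use_ssl):
    """Steps 2 to 4, run inside an open edit session (cd/cmo/set are WLST)."""
    cd(REALM_PATH)
    cmo.createAuthenticationProvider(PROVIDER, AD_TYPE)        # step 2 / 2.1
    cd(REALM_PATH + "/AuthenticationProviders/" + PROVIDER)
    cmo.setControlFlag("SUFFICIENT")                            # step 2.3
    for attr in settings.keys():                                # step 2.4
        set(attr, settings[attr])
    cmo.setCredential(bind_password)      # bind password of the Principal
    if use_ssl:                           # LDAPS on 636 instead of clear-text 389
        cmo.setSSLEnabled(true)           # 'true' is WLST's predefined boolean
    cd(REALM_PATH + "/AuthenticationProviders/DefaultAuthenticator")
    cmo.setControlFlag("OPTIONAL")                              # step 3
    cd(REALM_PATH)
    names = [p.getName() for p in cmo.getAuthenticationProviders()]
    refs = [ObjectName("Security:Name=" + REALM + n) for n in provider_order(names)]
    set("AuthenticationProviders", jarray.array(refs, ObjectName))  # step 4


def main():
    admin_pw = getpass.getpass("WebLogic admin password: ")
    bind_pw = getpass.getpass("Password of the AD bind account (Principal): ")
    bisys_pw = getpass.getpass("Password of BISystemUser in AD: ")
    connect(ADMIN_USER, admin_pw, ADMIN_URL)
    edit()
    startEdit()
    configure_realm(msad_settings("HOSTNAME.YOURCOMPANY.com", 389,
                                  "CN=obiee-svc,CN=Users,DC=corp,DC=YOURCOMPANY,DC=com",
                                  "CN=Users,DC=corp,DC=YOURCOMPANY,DC=com"),
                    bind_pw, 0)        # pass 1 and port 636 for LDAPS
    save()
    activate()
    # Step 6.1: point the BI system credential at the AD password (assumed map/key).
    updateCred(map="oracle.bi.system", key="system.user",
               user="BISystemUser", password=bisys_pw)
    disconnect()


if __name__ == "__main__":
    main()
```

After the script finishes, restart WLS as in step 7 and check the Users and Groups tab as in step 5; the 6.2 identity-store properties are still set in EM. Keep the admin and bind passwords out of version control: the prompts above are the minimum, and WLST's storeUserConfig() key files are the usual next step for unattended runs.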





