Configuring LDAP Server to provide OBIEE users
Prerequisites and best practices before starting any LDAP related changes
- LDAP Server is installed and running
- Users and groups are configured within the LDAP
- Backup is taken for the following files:
  C:\OBIEE11G\user_projects\domains\bifoundation_domain\config\config.xml
  C:\OBIEE11G\user_projects\domains\bifoundation_domain\config\fmwconfig\*.XML (i.e. all XML files in that directory)
  o Some developers prefer to take a backup of the whole domain folder C:\OBIEE11G\user_projects\domains\bifoundation_domain instead of just a few XMLs if massive security changes are being tested.
  o If, after the LDAP related changes, the WebLogic server fails to boot up (which means an Administrator is locked out of the WLS Console), the above files can be restored (they are the last known good configuration) and the previous state is recovered.
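The backup-and-restore routine below is an added example, not a script from the original post. It copies exactly the files listed above (config\config.xml and every XML file directly under config\fmwconfig) into a timestamped folder, and can copy them back over the live domain when the AdminServer will not boot after a provider change. The domain path is the one used in this post; the `demo()` function builds a throw-away domain layout so the round trip can be exercised without touching a real installation.

```python
"""Added example (not from the original post): back up the OBIEE domain
security configuration files listed above before an LDAP change, and
restore them if the WebLogic AdminServer will not boot afterwards."""
import os
import shutil
import tempfile
from datetime import datetime

# Domain location as used in the post; pass your own path to the functions.
DEFAULT_DOMAIN = r"C:\OBIEE11G\user_projects\domains\bifoundation_domain"


def config_files(domain_dir):
    """Files the post says to back up: config\\config.xml plus every XML
    file directly under config\\fmwconfig (matched case-insensitively,
    so both *.xml and *.XML are picked up)."""
    files = []
    main_cfg = os.path.join(domain_dir, "config", "config.xml")
    if os.path.isfile(main_cfg):
        files.append(main_cfg)
    fmw = os.path.join(domain_dir, "config", "fmwconfig")
    if os.path.isdir(fmw):
        for name in sorted(os.listdir(fmw)):
            path = os.path.join(fmw, name)
            if name.lower().endswith(".xml") and os.path.isfile(path):
                files.append(path)
    return files


def backup_config(domain_dir, backup_root):
    """Copy the files into backup_root/<timestamp>/ keeping their path
    relative to the domain, and return that backup directory."""
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    dest_root = os.path.join(backup_root, stamp)
    for src in config_files(domain_dir):
        dest = os.path.join(dest_root, os.path.relpath(src, domain_dir))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(src, dest)  # copy2 keeps the original timestamps
    return dest_root


def restore_config(domain_dir, backup_dir):
    """Copy every backed-up file over the live domain (the last known good
    configuration) and return the restored domain paths."""
    restored = []
    for root, _dirs, names in os.walk(backup_dir):
        for name in names:
            src = os.path.join(root, name)
            dest = os.path.join(domain_dir, os.path.relpath(src, backup_dir))
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(src, dest)
            restored.append(dest)
    return sorted(restored)


def demo():
    """Round trip on a constructed throw-away domain: back up, simulate a
    bad provider edit to config.xml, restore, and report what happened."""
    work = tempfile.mkdtemp(prefix="obiee-demo-")
    domain = os.path.join(work, "bifoundation_domain")
    fmw = os.path.join(domain, "config", "fmwconfig")
    os.makedirs(fmw)
    cfg = os.path.join(domain, "config", "config.xml")
    with open(cfg, "w") as fh:
        fh.write("<domain><!-- last known good --></domain>")
    # readme.txt is deliberately not an XML file and must be left out.
    for name in ("jps-config.xml", "system-jazn-data.XML", "readme.txt"):
        with open(os.path.join(fmw, name), "w") as fh:
            fh.write("original " + name)
    backed_up = [os.path.relpath(p, domain) for p in config_files(domain)]
    backup_dir = backup_config(domain, os.path.join(work, "backups"))
    with open(cfg, "w") as fh:
        fh.write("<domain><!-- broken LDAP provider --></domain>")
    restored = restore_config(domain, backup_dir)
    with open(cfg) as fh:
        content = fh.read()
    shutil.rmtree(work)
    return {"backed_up": backed_up, "restored": len(restored),
            "config_restored": "last known good" in content}


if __name__ == "__main__":
    print(demo())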
The AdminServer log referred to above can be found at:
C:\OBIEE11G\user_projects\domains\bifoundation_domain\servers\AdminServer\logs\AdminServer.log
In the same folder, bifoundation_domain.log and AdminServer-diagnostic.log provide further troubleshooting information, which is quite self-explanatory and can be googled in case of errors. These are all WebLogic server logs.
The current document describes integration with an OpenLDAP directory. However, the procedure is the same for other kinds of LDAP directories.
OpenLDAP for Windows can be downloaded from:
http://www.userbooster.de/en/download/openldap-for-windows.aspx
An LDAP browser can be downloaded from:
http://jxplorer.org/downloads/index.html
This can be used for browsing through the LDAP directory entries.
The following snapshot shows the users in an LDAP explorer tool.
Login to the WebLogic Server Admin Console and navigate to your Security Realm.
Go to the Providers tab. This tab is used to add a new provider, e.g. a new LDAP Server that will "provide" users for the OBIEE system. Click on Lock & Edit and then on New under the providers table to add a new Provider, which in this case is an OpenLDAP Directory.
Name the LDAP provider "OpenLDAPAuthenticator" (or whatever you wish), select the Type of Authenticator as "OpenLDAPAuthenticator" and click OK.
This authenticator now appears in the list of WLS authenticators as shown below. It must be reordered to be the first Authenticator.
Reorder by using the up arrows. This is how it looks post reorder, and the snapshot below shows how this looks in the Authentication Providers table:
Click on the newly created Provider to configure it for handshaking with our OpenLDAP Server.
An important step here: mark the Control Flag as OPTIONAL. This step is not to be missed, else the Administrator will be locked out of the WebLogic Server. Do the same for the other Authenticator, DefaultAuthenticator (WebLogic Authentication Provider), i.e. mark its Control Flag as OPTIONAL as well. With both set to OPTIONAL a login succeeds as soon as either provider authenticates the user; a provider left at REQUIRED must succeed for every login, so a REQUIRED DefaultAuthenticator rejects every LDAP-only user and a REQUIRED LDAP authenticator that cannot be reached locks out the built-in weblogic administrator too. Skipping this step will prove to be disastrous.
Next, in the "Provider Specific" tab, the LDAP specific configuration is applied. Enter the Host, Port, Principal (admin user of the LDAP), Password to connect to the LDAP, User Base DN (Distinguished Name), Group Base DN etc. Note: the LDAP admin is the best person to talk to and get these filled in as deemed appropriate.
Say OK to save and click on Release Configuration. Then reboot the whole BI system (Stop BI Services --> Start BI Services) from the Start menu.
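Before that reboot it is worth reading the saved config.xml back and confirming the two things the steps above depend on: the LDAP authenticator is first in the realm, and both it and DefaultAuthenticator carry an explicit OPTIONAL control flag. The checker below is an added example, not part of the original post or of WebLogic. It assumes the element layout that WebLogic 10.3 writes (`sec:authentication-provider` entries with `sec:name` and `sec:control-flag` children, typed through `xsi:type`); the two realm fragments embedded in it are constructed samples, one before and one after the reorder and control-flag steps.

```python
"""Added example (not from the original post): read a copy of config.xml
and report anything that would lock the administrator out after a reboot:
the LDAP authenticator not being first, or either authenticator lacking an
explicit OPTIONAL control flag."""
import xml.etree.ElementTree as ET

# Namespaces as written by WebLogic 10.3 in config.xml (assumed here).
SEC = "http://xmlns.oracle.com/weblogic/security"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: realm after the provider was added, before the
# reorder and control-flag steps (the flag was also set to REQUIRED).
BEFORE_FIX = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
 xmlns:sec="http://xmlns.oracle.com/weblogic/security"
 xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <security-configuration><realm>
  <sec:authentication-provider xsi:type="wls:default-authenticatorType">
   <sec:name>DefaultAuthenticator</sec:name>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
   <sec:name>DefaultIdentityAsserter</sec:name>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:open-ldap-authenticatorType">
   <sec:name>OpenLDAPAuthenticator</sec:name>
   <sec:control-flag>REQUIRED</sec:control-flag>
   <wls:host>ldap.example.internal</wls:host>
  </sec:authentication-provider>
 </realm></security-configuration>
</domain>"""

# Constructed sample: the same realm after the steps in the post.
AFTER_FIX = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
 xmlns:sec="http://xmlns.oracle.com/weblogic/security"
 xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <security-configuration><realm>
  <sec:authentication-provider xsi:type="wls:open-ldap-authenticatorType">
   <sec:name>OpenLDAPAuthenticator</sec:name>
   <sec:control-flag>OPTIONAL</sec:control-flag>
   <wls:host>ldap.example.internal</wls:host>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-authenticatorType">
   <sec:name>DefaultAuthenticator</sec:name>
   <sec:control-flag>OPTIONAL</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
   <sec:name>DefaultIdentityAsserter</sec:name>
  </sec:authentication-provider>
 </realm></security-configuration>
</domain>"""


def authenticators(config_xml):
    """Return [(name, control_flag_or_None)] for the realm's authentication
    providers in file order. Identity asserters carry no control flag and
    are skipped by looking at the xsi:type."""
    root = ET.fromstring(config_xml)
    out = []
    for prov in root.iter("{%s}authentication-provider" % SEC):
        if "authenticator" not in prov.get("{%s}type" % XSI, "").lower():
            continue
        out.append((prov.findtext("{%s}name" % SEC),
                    prov.findtext("{%s}control-flag" % SEC)))
    return out


def lockout_risks(config_xml, ldap_name="OpenLDAPAuthenticator"):
    """Problems a reboot would expose; an empty list means the realm
    matches the recipe in the post."""
    provs = authenticators(config_xml)
    names = [n for n, _ in provs]
    problems = []
    if ldap_name not in names:
        problems.append("%s is not configured in the realm" % ldap_name)
    elif names[0] != ldap_name:
        problems.append("%s is not the first authenticator (order: %s)"
                        % (ldap_name, ", ".join(names)))
    for name, flag in provs:
        # A missing element means the provider's own default applies, which
        # is not what the post asks for, so it is reported as well.
        if name in (ldap_name, "DefaultAuthenticator") and flag != "OPTIONAL":
            problems.append("%s control flag is %s, expected OPTIONAL"
                            % (name, flag or "not set"))
    return problems


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, lockout_risks(sample) or "OK")
```

To check a real domain, read the file into a string (`open(path).read()`) and pass it to `lockout_risks`; run it against the backup copy as well, so you can see which of the two states you would get back from a restore.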
Once booted up, login to EM. In EM, navigate to Security Provider Configuration as shown below.
Go to Identity Store and click Configure as shown below.
Add the following property:
Property Name : virtualize
Value : true
Reboot the whole BI system from the Windows Start menu (not just the BI Server using opmnctl stopall/startall).
Check that the LDAP users are now available in the WebLogic server, then try to login.
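The console's Users and Groups tab shows what WebLogic sees; the script below checks the same thing from the directory side, which is useful both for the prerequisite that users and groups exist in the LDAP and for this final check. It is an added example, not from the original post or from OpenLDAP. It builds the `ldapsearch` command for the Host, Port, Principal and base DNs from the Provider Specific tab (using `-W` so the password is prompted for rather than placed on the command line), parses the LDIF that `ldapsearch` prints, and lists the users under the User Base DN, the groups under the Group Base DN, and any group member DN that does not resolve to a listed user. The LDIF sample embedded in it is constructed; the host, DNs and `member` attribute name are assumptions, not values from the post.

```python
"""Added example (not from the original post): check from the LDAP side
that the User Base DN and Group Base DN contain what the authenticator
expects, by parsing ldapsearch's LDIF output. Sample data is constructed."""
import base64

# Constructed ldapsearch output for a small OpenLDAP tree (not real data).
# Includes a base64 value (cn::), a folded line, and a dangling member.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn:: Qm9iIEV4YW1wbGU=

dn: cn=BIConsumers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: BIConsumers
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
member: uid=ghost,ou=people,dc=example,
 dc=com

search: 2
result: 0 Success
"""


def ldapsearch_command(host, port, bind_dn, base_dn, ldap_filter="(objectClass=*)"):
    """ldapsearch invocation for the Provider Specific values. -W prompts
    for the bind password so it never appears in the process list."""
    return ["ldapsearch", "-x", "-H", "ldap://%s:%d" % (host, port),
            "-D", bind_dn, "-W", "-b", base_dn, ldap_filter]


def parse_ldif(text):
    """Minimal LDIF reader: folds continuation lines (leading space),
    decodes base64 values ('attr::'), skips '#' comments and drops the
    trailing 'search:/result:' block, which has no dn."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:  # sentinel flushes the last entry
        if not line:
            if "dn" in attrs:
                entries.append(attrs)
            attrs = {}
            continue
        key, _sep, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(key, []).append(value)
    return entries


def _under(dn, base_dn):
    """True when dn sits below base_dn (DNs compared case-insensitively)."""
    return dn.lower().endswith("," + base_dn.lower())


def check_directory(ldif_text, user_base_dn, group_base_dn, member_attr="member"):
    """Summarise what the authenticator will see: user DNs under the user
    base, group names under the group base, and group members that do not
    resolve to a listed user (a typo or a deleted account)."""
    entries = parse_ldif(ldif_text)
    users = {e["dn"][0] for e in entries if _under(e["dn"][0], user_base_dn)}
    groups = {}
    for e in entries:
        dn = e["dn"][0]
        if _under(dn, group_base_dn):
            groups[e.get("cn", [dn])[0]] = e.get(member_attr, [])
    dangling = sorted(m for members in groups.values()
                      for m in members if m not in users)
    return {"users": sorted(users), "groups": sorted(groups),
            "dangling_members": dangling}


if __name__ == "__main__":
    print(" ".join(ldapsearch_command("ldap.example.internal", 389,
                                      "cn=admin,dc=example,dc=com",
                                      "dc=example,dc=com")))
    print(check_directory(SAMPLE_LDIF, "ou=people,dc=example,dc=com",
                          "ou=groups,dc=example,dc=com"))
```

Capture the real output with `ldapsearch ... > tree.ldif` and feed the file contents to `check_directory` with the two base DNs you typed into the Provider Specific tab; a dangling member is harmless for login but shows up as a group that grants fewer users than the LDAP admin expects.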