Integrating MS Active Directory with OBIEE 11g in
Weblogic Server
Business wants to
leverage the existing MS Active Directory for Authentication in OBIEE 11g. In
addition to this IT wants flexibility in adding users like DEV1, QA1
etc for system development without adding these users in the enterprise Active
Directory. This means basically two Authentication Providers 1. MSAD and 2. The
Out-of-the-Box WLS LDAP
In
10G, we had the option of integrating MSAD (Microsoft Active
Directory) in OBIEE RPD and also users like Dev1, QA1 could be added in RPD.
However in OBIEE 11G while LDAP integration is still available in RPD,
the recommended way is to do this in the Weblogic Server. Adding Users and
Password in RPD is not possible in 11G
Going
by the Oracle Documentation there is a lot of confusion w.r.t this subject.
This blog is the answer.
Solution
Prerequisites:
This
solution assumes you have successfully installed OBIEE 11.1.1.5 on
Windows XP and the SampleAppLite application is up and running. The default
user weblogic should be able to login to OBIEE. In Active Directory a user
by the name ‘BISystemUser‘ has to be created. - This is very
important. Once the Pre-requisites are done, please proceed with the below
steps.
(This solution is taking the simplest route i.e rather than creating a
new TrustedUser to replace ’BISystemUser’ , I created a user with the
same name ‘BISystemUser’ in MSAD. This will avoid finding and replacing all
the occurrences of BISystemUser with a different TrustedUserName)
1.
Logon to WLS (WebLogicServer) and navigate to Security Realms->myrealm->Providers Tab
2.
Click on Lock&Edit from the left
Pane and then click on ‘New’ button
to add a new Authentication Provider.
2.1
Supply the details as shown below
2.2
You should now be able to see the new Authentication Provider as shown below
2.3
Click on MSAD and in the new screen set the Control Flag:SUFFICIENT
2.4
Click on ‘Provider Specific’ tab and input the MSAD Specific Details
The
main entries in the above screen are listed below (NOTE: This varies based on
your company’s specific details)
—-
Host: HOSTNAME.YOURCOMPANY.com
Port 389
Principal:
CN=obiee-svc,CN=Users,DC=corp,DC=YOURCOMPANY,DC=com
User Base DN: CN=Users,DC=corp,DC=YOURCOMPANY,DC=com
All Users Filter: (&(sAMAccountName=*)(objectclass=user))
User From Name Filter:(&(sAMAccountName=%u)(objectclass=user))
User Name Attribute:sAMAccountName
User Object Class: user
Group Base DN:CN=Users,DC=corp,DC=YOURCOMPANY,DC=com
—–
You
can copy the existing entries from your 10G RPD, if you had set this up before
in 10G.
The
main things to note here would be ‘Principal’ which was known as Bind User in
10G. Also change the User Name Attribute to sAMAccountName. Make sure this
change is also made in ‘All Users Filter’ and ‘User From Name Filter’. I
also changed the Group Base DN. Having done this, now you should be able
to see the users from your AD in the ’Users and Groups’ tab. If you are
not able to , then you didn’t enter the entries listed above correctly. Try
changing it, also try it out within the RPD to make sure all the entries are
supplied correctly.
3.
Now in the ‘Providers’ tab click on the ‘DefaultAuthenticator’ and change its Control
Flag to OPTIONAL
4.
Reorder the Authentication Providers so that ‘MSAD’ comes as the first.
Click
on Activate Changes. You might need to restart the WLS.
5.
Logon to WLS (myrealm->Users and Groups tab)and make sure you see two ‘BISystemUser‘,
The first one belongs to the defaultAuthenticator and the second one is from
the MSAD. Delete the BISystemUser of DefaultAuthenticator
6.
Logon to Enterprise Manager (EM) and goto WebLogic Domain->Right-click on
bifoundation_domain to reach Security->Credentials
6.1
Update the password of BISystemUser to the value set in MSAD
6.2
Goto WebLogic Domain->Right-clicked on bifoundation_domain to reach
Security->Security Provider Configuration.Click on the ‘Configure’
button under ‘Identity Store Provider‘. Add three Properties as
below
user.login.attr=sAMAccountName,
username.attr=sAMAccountName, virtualize=true
NOTE-> If
virtualize=true is NOT added, then only MSAD users will be
able to login. (since MSAD is the First Authenticator)
7.
Restart WLS and restart BIServer Components from EM.
8.
Thats it. Now the MSAD users and the WLS LDAP users will be able to login.
No comments:
Post a Comment