Professional Documents
Culture Documents
OBIEE 11g Security Week - Connecting To Active Directory, and Obtaining Group Membership From Database Tables
OBIEE 11g Security Week - Connecting To Active Directory, and Obtaining Group Membership From Database Tables
OBIEE 11g Security Week - Connecting To Active Directory, and Obtaining Group Membership From Database Tables
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
(http://www.rittmanmead.com/)
MENU
Blog (http://www.rittmanmead.com/blog/)
In this final posting in the OBIEE 11g Security Week, we're going to look at two common tasks that an OBIEE 11g administrator
might have to perform:
Connecting the system to Microso Active Directory, so users can log-into the dashboard using their Windows Active Directory
username and password, and retrieve group membership, and
Connecting the system to an external set of database tables that contain the group membership for users authenticated
through Active Directory
Whilst OBIEE 11g comes with the embedded WebLogic LDAP server to hold users and groups, the license for this is restricted
such that you can't just move all your other user details from other applications into the LDAP server. Realistically, you wouldn't
want to do that anyway as it's likely you've got a corporate directory somewhere that you want to leave user and group details
in, with OBIEE instead just connecting to it as an authentication and authorisation source. Luckily, now that OBIEE 11g uses
WebLogic and Fusion Middleware's Oracle Platform Security Services framework, connecting to external directories such as
Active Directory is pretty straightforward, especially with recent versions of OBIEE such as 11.1.1.6 that do this all a lot smoother
now.
So in this example, we've got an Active Directory server running on the host pdc.gcbc.com, that contains three users:
ADBISystemUser, which will be used as the principal that OBIEE uses to connect to the Active Directory server
Anne Administrator, a user on Active Directory who wants to have administration rights in the Presentation Server and BI
Server
AD User, another user that just wants to be able to create analyses and dashboards
These users are organised into three groups in the AD server:
ADBIAdministrators, analogous to the BIAdministrators group in the WLS LDAP server
ADBIAuthors, ditto
ADBIConsumers, ditto again
Now if you search the internet and Oracle docs for instructions on how to integrate OBIEE 11g with Active Directory, there seems
to be about as many dierent ways to do it as there are sets of instructions. A lot of this is because Active Directory is highlyconfigurable, and a lot depends on how much you want to replace, or just work alongside, the existing WLS LDAP server. In this
example, our objective is to keep the WLSSUBSCRIBE
LDAP server
and the user accounts within it (including the biadmin administrator
(HTTP://WWW.RITTMANMEAD.COM/BLOG/SUBSCRIBE/)
account), but then make it possible for Active Directory users to also log in, and be assigned to the standard application roles
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
1/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
that the WLS LDAP users have. Keeping the WLS LDAP users and administration account considerably simplifies the
configuration process, though you might still want to go the full way if you intend to completely replace WLS LDAP with Active
Directory. For now though, we'll have the two running alongside each other.
Looking at the Active Directory Users and Configuration utility, we can see the three users we're interested in:
The groups have just got those users as members, and the users are just regular AD users, including the ADBISystemUser
account. Internally, the domain is called gcbc.com, with the users held in the Users directory and groups in the Builtin directory
- fairly standard stu.
So let's go into the WebLogic Server Administration Console (http://[machine_name]:7001/console
(http://[machine_name]:7001/console)) and start configuring the system for Active Directory integration.
1. Log into the WebLogic Server Administration Console as an administration user, for example biadmin/welcome1
2. When the Admin Console homepage is displayed, click on the Security Realms menu item on the le-hand side, and then
then on myrealm when the link is shown.
3. You are now going to alter the domain configuration, so press the Lock and Edit button. Then, click on the Providers tab in
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
2/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
3. You are now going to alter the domain configuration, so press the Lock and Edit button. Then, click on the Providers tab in
the Settings for my realm page.
4. Active Directory integration is achieved through registering a new authentication provider, using the Active Directory provider
type. To register this, press the New button just under the Authentication Providers label.
5. The Create a New Authentication Provider page will be displayed. Give the provider a name (for example, ADProvider) and
select ActiveDirectoryAuthenticator as the Type.
6. Now click on this new authentication provider in the list, and then when the Settings for ADProvider page is shown, set the
Control Flag to SUFFICIENT, and press Save.
7. Then, click on the Provider Specific tab, and enter the following details for your Active Directory installation, amending the
settings as appropriate for your AD server.
Host : pdc.gcbc.com
Port : 389
Principal : CN=ADBISystemUser, CN=Users, DC=gcbc, DC=com
Credential : Welcome1
Confirm Credential : Welcome1
User Base DN : CN=Users,DC=gcbc, DC=com
User Name Attribute : cn
User Object Class : user
Group Base DN : CN=Builtin, DC=gcbc, DC=com
GUID Attribute : objectguid
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
3/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
10. You're now at the point where you can restart your BI domain and see the new users and groups within the WebLogic Admin
Console. To do this, restart the BI Domain (the Admin and Managed Servers), and once complete, log in again into the
WebLogic Admin Console and select Security Realms > myrealm > Users and Groups > Groups. You should then see the
Active Directory users listed alongside the WLS LDAP ones.
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
4/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
Similarly, you should see your AD groups under the Groups tab. Note that you can't edit these AD users and groups from
within the WebLogic Admin Console, nor can you create new AD users here - to do that, you'd need to use Active Directory's
own console and tools.
11. Next we will switch over to Enterprise Manager, first to configure Fusion Middleware's Oracle Platform Security Services to
accept users and groups from both WLS LDAP and Active Directory when logging into the dashboard, and then we'll map the
Active Directory groups to their equivalent application roles.
Log into Enterprise Manager, and select the WebLogic Domain > bifoundation_domain menu item on the le. Right-click on
it and select Security > Security Provider Configuration. When the Security Provider Configuration page is displayed,
expand the Identity Store Provider area and press the Configure button.
The Identity Store Configuration page will then be displayed. Press the Add button next to the Custom Properties area, and
add a new custom property with these settings :
Property Name : virtualize
Value : true
Press OK to close the page.
12. Now right-click on the Business Intelligence > coreapplication entry in the le-hand side menu, and select Security >
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
5/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
12. Now right-click on the Business Intelligence > coreapplication entry in the le-hand side menu, and select Security >
Application Roles. As you may have done with the application role settings in yesterday's postings, edit the BIAdministrator,
BIAuthor and BIConsumer application roles so that the new Active Directory groups are listed as members.
Doing this ensures that the Active Directory users get the same type of Presentation Server and repository privileges as WLS
LDAP users, but they won't have administration access to WebLogic or Enterprise Manager.
You can, if you want, grant these users the same sorts of domain administrator rights as the WLS LDAP users, and you can
indeed remove all of the WLS LDAP users and groups and move over to Active Directory entirely. But in most cases I see, this
level of integration is suicient, as it still allows the OBIEE administrators to control their own user accounts and privileges.
13. You should now be able to log in as one of the Active Directory users. In the screenshot below, the AD User user has logged in,
and has been granted the BIAuthor role through their membership of the ADBIAuthors Active Directory group. If Anne
Administrator, an Active Directory user assigned to the ADBIAdministrator group, logs in she will be able to administer the
Presentation Server permissions and privileges, but she won't be able to log into Enterprise Manager to change the
repository, for example.
So what we've seen here so far is OBIEE 11g connecting to Active Directory, to retrieve in addition to the existing WLS LDAP users
and groups, users and groups from this directory. But what if the groups in Active Directory bear no resemblance to the groups
and application roles that you'd like to organise users into? Because you can map LDAP groups to roles in Enterprise Manager,
it's possible to "reshape" group membership to fit your BI requirements, but oen organisations will solve this problem by
creating a couple of database tables on a spare database, and use those to define which users belong to which group.
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
6/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
Now this is something that was done a lot in OBIEE 10g - using Active Directory to authenticate someone, then retrieve their
group membership through a separate database table lookup - but you're not supposed to mix WLS provider-based
authentication with old-style init block authorisation, so how will this work, if, for example we've got a couple of tables called
GROUPS and GROUPMEMBERS that detail which user belongs to which group:
To handle this type of situation, OBIEE 11.1.1.5 (through the patch associated with Bug 11667221 / ARU 14523400) and OBIEE
11.1.1.6 (by default, though you need to copy the BISecurityProviders.jar file from
[middleware_home]/Oracle_BI1/bifoundation/security/providers to
[middleware_home]/wlserver_10.3/server/lib/mbeantypes, and then restart the Admin Server before it's available), has a
new authenticator called BISQLGroupProvider that can do this for you.
To use this new authenticator with either OBIEE 11.1.1.5 or 11.1.1.6, you'll need to perform the following tasks:
1. Configure a data source within WebLogic that the provider will use to connect to the schema and tables described above
2. Configure a BISQLGroupProvider with the SQL SELECT statements required to access these tables
3. Re-order your authentication providers, and if you've not done so already, enable the virtualised identity store adapter (we
did this infact in the previous example)
4. Configure a database adapter so that the Identity Store APIs can map your groups into application roles.
Full details of this new authenticator are in a document on My Oracle Support, Doc. ID. 1428008.1
(https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=WHITE%20PAPER&id=1428008.1).So, with
some new users added to my Active Directory server and corresponding entries in the two database tables, so that these users
are assigned to groups such as QA Managers, HR Managers and SF Managers, let's get this set up.
1. If you've not done so already, apply the above patch to OBIEE 11.1.1.5 if that's the version you're running, and then copy the
BISecurityProviders.jar file as directed above (this applies to 11.1.1.6 as well, which already has the file without needing the
patch applied). Once done, restart the WebLogic Admin Server.
2. Now you will configure the data source and BISQLGroupProvider. To do so, use your Web browser to navigate to the WebLogic
admin console (http://[machine_name]:7001/console (http://[machine_name]:7001/console)), and then press the Lock and
Edit button.
From the le-hand menu select Services > Data Sources. Then, from the Data Sources list, press New > Generic Data
Source.
Then, on the Create a New JDBC Data Source page, enter or select the following details:
Name : BIDatabaseGroupsDS
JNDI Name : jdbc/BIDatabaseGroupsDS
Database Type : Oracle (for example)
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
7/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
On the following page, select the Database Driver, and then at the Connection Properties page, enter the connection details
to your schema and database, for example:
Database Name : orcl
Host Name : obisrv1c
Port : 1521
Database User Name : gcbc_bi_groups
Password : password
Confirm Password : password
Once entered, test the connection on the next page, on the next page deploy the datasource to all of your WebLogic servers,
then press Finish, and then press the Activate Changes button.
3. Next you will create a BISQLGroupProvider against this JDBC data source. The SQL that's in the SELECT statements below is
particular to the tables that I diagrammed earlier, and you'd need to change it if your table structure was dierent.
Start by pressing the Lock & Edit button, to start editing the domain configuration. Then, select Security Realm > myrealm >
Providers from the menus and tabs.
With the Providers tab selected, press the New button to create a new authentication provider. When prompted, enter
MySQLGroupProvider as the Name, and select BISQLGroupProvider as the Type.
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
8/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
Then, press OK to close the page, and then click on the new MySQLGroupProvider authentication provide to display its
settings page. Select the Provider Specific tab, and then type in the name of the JDBC datasource that you created earlier,
i.e. jdbc/BIDatabaseGroupDS.
If you used the same table and column names as in the diagram before, the SQL settings for this provider will not need to be
changed. If you did alter the table or column names though, update the SQL commands to reflect your actual database
structure.
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
9/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
5. If you have not done so already, set the virtualized=true flag in the Identity Store Provider settings in Enterprise Manager see the steps earlier in this posting for details on how to do this.
Once you've done this, press the Activate Changes button and then stop, and then start your entire BI system, so that all
WebLogic and OBIEE components restart.
6. Next, you are going to create an XML file that will be an adapter template for the database adapter, and will be used by the
Identity Store APIs to map groups to application roles. Use a text editor and call the file
bi_sql_groups_adapter_template.xml, and substitute your own LDAP details into the
<param name="ReplaceAttribute"value="uniquemember={cn=%uniquemember%,cn=Users,dc=gcbc,dc=com}"/>
section, and also the:
<objectClass name="groupofuniquenames" rdn="cn">
section. In addition, if you have used dierent database table names and columns, you'll need to adjust the SQL statements
in the XML file accordingly.
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
10/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
<?xmlversion='1.0'encoding='UTF8'?>
<adaptersschvers="303"version="1"xmlns="http://www.octetstring.com/schemas/Adapters"
xmlns:adapters="http://www.w3.org/2001/XMLSchemainstance">
<dataBaseid="directoryType"version="0">
<root>%ROOT%</root>
<active>true</active>
<serverType>directoryType</serverType>
<routing>
<critical>true</critical>
<priority>50</priority>
<inclusionFilter/>
<exclusionFilter/>
<plugin/>
<retrieve/>
<store/>
<visible>Yes</visible>
<levels>1</levels>
<bind>true</bind>
<bindadapters/>
<views/>
<dnpattern/>
</routing>
<pluginChainsxmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
<plugins>
<plugin>
<name>VirtualAttribute</name>
<class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin</class><initParams>
<paramname="ReplaceAttribute"
value="uniquemember={cn=%uniquemember%,cn=Users,dc=gcbc,dc=com}"/>
</initParams>
</plugin>
</plugins>
<default>
<pluginname="VirtualAttribute"/>
</default>
<add/>
<bind/>
<delete/>
<get/>
<modify/>
<rename/>
</pluginChains>
<driver>oracle.jdbc.driver.OracleDriver</driver>
<url>%URL%</url>
<user>%USER%</user>
<password>%PASSWORD%</password>
<ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
<includeInheritedObjectClasses>true</includeInheritedObjectClasses>
<maxConnections>10</maxConnections>
<mapping>
<joins/>
<objectClassname="groupofuniquenames"rdn="cn">
<attributeldap="cn"table="GROUPMEMBERS"field="G_NAME"type=""/>
<attributeldap="description"table="GROUPMEMBERS"field="G_NAME"type=""/>
<attributeldap="uniquemember"table="GROUPMEMBERS"field="G_MEMBER"type=""/>
</objectClass>
</mapping>
<useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
<connectionWaitTimeout>10</connectionWaitTimeout>
<oracleNetConnectTimeout>0</oracleNetConnectTimeout>
<validateConnection>false</validateConnection>
</dataBase>
</adapters>
Now, open a command-prompt session in the server running Oracle Business Intelligence, and enter the following
commands, adjusting for your particular environment and LDAP settings:
cd c:\Middleware\oracle_common\bin
set ORACLE_HOME=c:\Middleware\Oracle_BI1
set WL_HOME=c:\Middleware\wlserver_10.3
set JAVA_HOME=c:\Middleware\jdk160_24
libovdadapterconfig -adapterName biSQLGroupAdapter -adapterTemplate bi_sql_groups_adapter_template.xml -host
localhost -port 7001 -userName biadmin -domainPath c:\Middleware\user_projects\domains\bifoundation_domain dataStore DB -root cn=Users,DC=gcbc,DC=com -contextName default -dataSourceJNDIName jdbc/BIDatabaseGroupDS
When prompted, enter the password for the Administration Server. Once complete, you should see the message:
Adapter created successfully: biSQLGroupAdapter
7. Now stop and restart the entire BI system. During the restart, you will see an error message saying that the connection pool
you just created is unusable - this is expected and will not cause a problem.
Now, go into Enterprise Manager and create a matching role for one of your new database-defined groups. You should see the
new groups appearing when you go to add a group to the application role - if not, check the console output for the WebLogic11/22
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
new groups appearing when you go to add a group to the application role - if not, check the console output for the WebLogic
Server for any diagnostic messages.
8. Finally, you're now ready to test out the new roles and groups. Restart your entire BI system, then log in as one of the users
with groups in the database tables, and then view the list of roles assigned to the user. You should see your new roles,
corresponding to the group settings in the database tables, assigned to the user - in this case, the HR Manager role.
So that concludes my look this week at OBIEE 11g security. There's a lot more you could cover - EBS integration, setting up of
SSO and SSL, etc, but I think this gives you a flavour of what's involved. On now to write the actual book chapter, so no blogging
for me for a couple of weeks.
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
12/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
49Comments
RittmanMead
Recommend
Share
Login
SortbyNewest
Jointhediscussion
PatMiller3yearsago
Hi,
NicearticleonWeblogicintegrationwithAD.WeareactuallynotOBIEEusers,butaretryingtoutilizeADGroupinformationasawaytoaddauthorization
groupsinWeblogic.Doesanyonehaveanysuggestiononresourcestotakealookatpublishedarticles,blogs,oranymoredetailsonhowtodothis?
Thanks,
Pat
Reply Share
Hugo3yearsago
Ithinkthereisamistakebetweenjdbc/BIDatabaseGroupDS
and
jdbc/BIDatabaseGroupsDS
Reply Share
Hugo3yearsago
HiSalih,
makesureyouarelaunchingtherightwlst.
HiAll,icanmaprolestogroupscomingfromdatabase,butmyuserisnotmappedtotheroleandgroup...
Reply Share
Salih3yearsago
Hi,
WhenItrytodeletetheadapterusing"deleteAdapter(adapterName='userGroupAdapter2')"commandIgetanerrorlikebelow.Anythoughts?
Traceback(innermostlast):
File"",line1,in?
NameError:deleteAdapter
Reply Share
SrinivasChindam3yearsago
ifsohowtocleantheADAuthenticationandcomebacktodefaultWLSconfig.
Pleasesuggest.
Regards
SrinivasChindam
Reply Share
SrinivasChindam3yearsago
HiAll,
Thisisveryusefultopicandcommentsaswell.
OndevelopmentserversomeonetriedconfiguringADAuthenticationwithOBIEE11gbutwasnotsuccessful.
Whenamtryingtologintopresentationservicesloginfailsas"invaliduserIDandpassword".
SowhentriedtodebuginemandAD
1)ThedefaultBIgroupsaremissinglikeBIAdministrators,BIAuthorsandBIConsumersgroupsaremissingthoughdefaultRolesareexisting.
2)Someothercustomgroupsareloaded
Notsurewhyandhowitallhappened.
Sonowamtryingresolvetheissue.
planningtoremoveorcleancompleteADauthenticationandwanttologinwithjustWLSLDAPauthenticationfirst.
ifsotocleantheADAuthenticationandcomebacktodefaultWLSconfig.
Pleasesuggest.
Regards
SrinivasChindam
Reply Share
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
13/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
Reply Share
hitesh3yearsago
IhavefollowingthesamestepswhichwereinOracleBISecurity11gdocumentandtheabove.ButIcantseeanyofnewDBgroupsinRolesandCatalog
Groups.Anyinputsgreatlyappreciated.
thanks
Reply Share
Prakhar3yearsago
Hi
IwaswonderingifIcangethelpontheerrormessage
Causedby:java.io.IOException:[Management:141245]SchemaValidationErrorinconfig/config.xmlseelogfordetails.Schemavalidationcanbedisabledby
startingtheserverwiththecommandlineoption:Dweblogic.configuration.schemaValidationEnabled=false
Igetthiserrormessagewhileactivatingchanges(afteraddingSQLstatements).
Background
WehavesuccessfullycreatedLDAPauthenticationproviderwithoutissueswithcontrolflagsettoSUFFICIENT.Andnowwewanttocreatethisexternal
databaseproviderforauthorization.
Anyhelp/ideaswouldbemuchappreciated?
Thanks.
Prakhar
Reply Share
Basheer3yearsago
ThisisaGreatArticle.Ididhaveaquestion.IsitpossibletoassignaADUsertoaGroupthatiscreatedundertheDefaultAutneticator?
Reply Share
OBIEWizard3yearsago
Helo,IamtryingtogetadynamicformulaenteredintoaCriteria(Essbasecube)Togetpreviousyearsdata.IdonthaveaccesstoAdminToolsorBMMany
othersoultions?
Thanks
NJ
Reply Share
Sri3yearsago
IhaveassignedseveralEBSresponsibilitiestotheuserinEBSandabletonavigatefromEBStoOBIEEsuccessfully.
wheniamcheckinginMyAccount>RolesandCataloggroups,iamabletoseeonlyoneresponsibility
ButaspermyrequirementiwanttoseealltheresponsibilitieswhichareassignedinEBS.
Pleaseadvise,thanksinadvance.
Ex:
EBSResponsibilities:ABC,XYZ,wheniamloggingfromABCiamseeingonlyABCin(MyAccount>RolesandCataloggroups)
Regards,
Sri
Reply Share
Chaitanya3yearsago
Hello
IhaveconfiguredtheADwiththeWeblogicdomainandeverythinggoesfine.Thereisanewrequirementwhereineedtoprovidedanalysisofthenumberof
UsersbyCountryacessingtheapplications.
CouldyoupleasehelpmeastohowtogetthisinformationfromAD.
Regards
Chaitanya
Reply Share
Stefano3yearsago
Canthisauthenticator/featurebeusedtoimplementadatafilteringforusers?ImeantorestrictuserresultsimplemetingarulethatfiltersAREA=USforusers
belongingtogroup=AandAREA=EMEAforusersbelongingtogroup=B?
Reply Share
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
14/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
Prasad4yearsago
AlsowearegettingperformanceissueforloginwithADuserafterconfiguretheADandDBprovider.
Pleasesuggesthowtoimporoveperformanc..itistakingaround3minutesforloginintothesystem
Reply Share
Prasad4yearsago
IhaveconfiguredADandDBgroup..currentlygroupsareshowingifIcapitalsletter..howcanIchangetologinADuserwithoutanycasesestive.
Reply Share
SMAIL4yearsago
Hi,
ItrytoconnecttotheActiveDIrectory,whenIrestarttheBIDomaintheconnectionfailswithparameterldap://pdc.gcbc.com:389.
Thankyouforyourhelp
Reply Share
Sunil4yearsago
Hi,
InStep10,Iamgettingbelowerrors.
SecurityWebServicecouldnotbeinitialised:oracle.bi.security.service.SecurityServiceException:SecurityService::
oracle.security.jps.service.idstore.IdentityStoreException:JPS01520:Cannotinitializeidentitystore.
SecurityServiceinitialisationfailedcouldnotinitialiseIdentityStore:oracle.security.jps.service.idstore.IdentityStoreException:JPS01520:Cannotinitialize
identitystore.
[13026]ErroringettingrolesfromBISecurityService:'ErrorMessageFromBISecurityService:oracle.bi.security.service.SecurityServiceException:
SecurityService::oracle.security.jps.service.idstore.IdentityStoreException:JPS01520:Cannotinitializeidentitystore.'
Thanks,
Sunil
Reply Share
Uday4yearsago
Dowejustraisequestion(s)andforgetaboutgettinganyhelp?IfinditstrangethatMarkhasthesameexactstepsinhisnewlyreleasedbooktoo.Honestly,I
wasexpectingabetterjobbyMarkinatleastexplaining/pointingtothe"finer"detailslikewheretofindiftheadaptergotproperlyinstalledandsuchOR
monitortheseblogsandhelpus!
HisvastexperiencesarejustbeingwastedandnowhereneartothatofAskTom!
SorryMark.I'mstillwillingtopayforyournextbook(?)ifthesefinerdetailsareaddressed.
Reply Share
MarkRittman>Uday4yearsago
HiUday,
Fairpointaboutgettinghelp,howeverunfortunatelyunlikeTomI'veactuallygotaveryintensivedayjobtodoandatthemoment,norealtimetoreply
totechhelprequestsletalonewritenewblogposts)I'dliketocomebacktothistopicsoonandgobackthroughthesteps,seewhatproblems
peopleareregularlyhitting,butinthemeantimeIjustdon'thavethetimeorresourcestohelppeopleoutwiththeirspecificissuessorry.AllIcansay
isinmyinstance,itworkedforme,butaspeoplesaytherearelotsofreasonswhyforthem,they'vehitproblems.Ifyoudohitissuesyourbest
placetolookinitiallyisthetechdocs,thenraiseanSRwithOracleSupport,butIwilltryandrevisitthistopicinthenearfuture.
Mark
Reply Share
Raj4yearsago
HIMark,
GoodPostveryusefull.IfwehavetoAuthenticatetheusersusingDatabase(NoLDAP)whatchangesneedstodontotheDBAdapterfile.Pleaseletme
knowifanystepsneedstobefollowed.
ThanksinAdvance
Raj
Reply Share
Norm4yearsago
Hello,
IamtryingtoconfigureusingActiveDirectoryforauthentication,andanexternaltableforGroups.
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
15/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
Myquestionis...
IfIset"AllUsersFilter"and"UserfromNameFilter"ActiveDirectoryparametersto(&(sAMAccountName=*)(objectclass=user)),
andset"UserNameAttribute"tosAMAccountName"...doIneedtoreplace"cn"with'sAMAccountName"intheDatabaseAdapterconfigurationfile?
Reply Share
Peter4yearsago
IamhavinganissuewechangedtheLDAPipandnowwhenIlogintoBIPUBientertheemailaddressandpasswd,itsayssuccessfull,andthenprompts
metouselocalloginlikeadministrator.
Thisworks,however,thessopartisnotworkinganymoreanyideas?IamusingAIXBI11G(11.1.15)
Reply Share
Meera4yearsago
HiMark,
CanyouplsgivemethestepstobefollowedforOracleEBSandOBIEE11gIntegration.
Reply Share
simon4yearsago
Veryhelpfulweekofposts,thankyouforthese.
Reply Share
Eric4yearsago
IwanttocombinetheauthorizationforthemajorityofuserbyADGroupsandfinegrainedauthorizationbygroupmappinginthedatabasetable.So,isit
possibletoassociatethegroupsfromADandtheDatabaseaswell?Ifso,doestheSQLProvideroverwritetheADgroupsettingandwhathappensifthe
userhaveagroupbyADandnonebytheSQLProvider.
I'mlookingforwardtoyourexperiences.
Reply Share
Kalyan4yearsago
Issueisresolved,therearetwoproviders.Asperoracledocthereshouldbeonlyoneproviderwhichshouldbeusedforauthentication/authorization
Reply Share
Kalyan4yearsago
Hi,followedthesamestepsbutwhentryingtoactivatethechangesfortheProvidergettingthebelowerror.anythoughts?
Anerroroccurredduringactivationofchanges,pleaseseethelogfordetails.
[Management:141191]Thepreparephaseoftheconfigurationupdatefailedwithanexception:
[Management:141245]SchemaValidationErrorinconfig/config.xmlseelogfordetails.Schemavalidationcanbedisabledbystartingtheserverwiththe
commandlineoption:Dweblogic.configuration.schemaValidationEnabled=false
Reply Share
Kim4yearsago
CanIavoidtheuseofWLScompletelyandworkasIdidin10.1.3?UsingADdefinedinrepositoryandinitblockstoauthenticateandgetgroupsusinginit
blocks?
Thanks,
Kim
Reply Share
Emil4yearsago
Helloeverybody!
WhenexecutingI'mgettingthiserror.Noargumentisallowed:dataSourceJNDIName.
Thankyouforyourattention!
Reply Share
Uday4yearsago
CansomeonepleaseelaboratewhatshouldbeforReplaceAttribute,aspertheexampleabove?Willthe"uniquemember"beprincipalIDortheDBschema
ownername?
Thanksinadvance,
Reply Share
Mr.Yang4yearsago
hi:
ICreateanorganizationinADdomain,theorganizationnameisacompany,thecompanyitcreatedtwousers.
Thetwousers,Ican'tuseConsoletocheck.
Reply Share
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
16/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
Harshini4yearsago
HiDaniel,
Ifyouareworkinginwindowsmachinethenyoucanfollowbelowsteps:
1.Opencommandpromptandnavigateto/oracle_common/common/bin
2.LogintotheWSLTconsolebyrunningtheWLSTscript.Justtypewlstandhitenter.
3.Afterthatconnecttoyouradminserverusingthefollowingsyntax.
connect('weblogic','weblogic_usr_pwd','t3://localhost:7001')
4.Deletethemisconfiguredadapterusingthesyntax
deleteAdapter(adapterName='biSQLGroupAdapter')
5.ExitWLSTconsoleusingthecommandexit()andrecreatetheAdapterwiththecorrectsettings
IfyouareworkinginSolaristhenyoucanfollowbelowsteps:
1.OpenPuttyandnavigateto/oracle_common/common/bin
2.LogintotheWSLTconsolebyrunningtheWLSTscript.
syntax:shwlst.sh
3.Afterthatconnecttoyouradminserverusingthefollowingsyntax.
connect('weblogic','weblogic_usr_pwd','t3://localhost:7001')
4.Deletethemisconfiguredadapterusingthesyntax
deleteAdapter(adapterName='biSQLGroupAdapter')
5.ExitWLSTconsoleusingthecommandexit()andrecreatetheAdapterwiththecorrectsettings.
Thanks
Reply Share
Vismay4yearsago
HiVenkat/Mark,
IhavefollowedtheabovementionedstepsandsuccessfullyconfiguredtheSSOimplementationusingMSADandOBIEE11g.Usersareabletologinto
applicationwiththeirGroups.
TheonlyproblemwhichIamfacingis:IfauserbelongstomultiplesGroups(Roles).ItdoesnotshowalltheRoles/GroupsinOBIEE.Itshowsonlyone
Group.Evenboththeapplicationroles/groupshavebeendefinedinWeblogic.
e.g.User'ABC'belongstotwoGroups'HRManager'and'FinanceUser',itshowsonly'HRManager'not'FinanceUser'.
Couldyoupleaseguidemeasthisisthesurestopperformenow?
Regards,
VismayChawla
Reply Share
Vismay4yearsago
HiDaniel,
Pleasefollowthebelowsteps.
1)LogintotheWSLTconsolebyrunningtheWLSTscriptat/oracle_common/common/bin//wlst[.sh/cmd]
2)Connecttoyouradminserverusingthefollowingsyntax
connect('[WLSadminusername]','[WLSadminpassword]','t3://[adminserverhost]:[adminserverport]')
e.g.connect('weblogic','weblogic','t3://localhost:7001')
3)Deletethemisconfiguredadapterusingthesyntax
deleteAdapter(adapterName='[adaptername]')
e.g.deleteAdapter(adapterName='userGroupAdapter2')
4)ExitWLSTconsoleusingthecommandexit()
Regards,
VismayChawla
Reply Share
Daniel4yearsago
DoesanyoneknowhowtodeleteorrecreatethebiSQLGroupAdapterwhichiscreatedbylibovdadapterconfigusingthexmltemplatefile?
Ineedtoupdatethe"cn=Users,dc=gcbc,dc=com"partinthexmltemplatefile.WhenIrunthelibovdadapterconfigcommandagain,itsay's"Adapteralready
exists:biSQLGroupAdapter".
Anyideahowthiscanbedone?
Thanks,
Daniel
Reply Share
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
17/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
Reply Share
AshishGandhi4yearsago
HiMartien,
WearetryingtointegrateeBSwithOBIEE11gfollowingthecookiebasedapproach(10gway)toauthenticateandAssignRESPONSIBILITYtoGROUP
sessionvariable.AlsocreatedapplicationroleforeachresponsibilityandOBIRolesasparentfornewapplicationrole.whenuserloginfromeBSnavigateto
OBIEEdashboard,Myaccountdoesnotshownewapplicationrole.IhavenotdoneanystepsasexplainedbyMarkinaboveblogbutIwasexpectingitwill
workseamlessly.PleaseletmeknowifyouhavedoneintegrationwitheBSandcameacrossthisissue.Pleasesharethehighlevelapproachtoachieve
this.
ManyThanks,
AshishGandhi
Reply Share
Anil4yearsago
HiMark,
CouldyoupleaseletmeknowhowdoyouassignasingleusertomultiplegroupsintheGROUP_MEMBERStable.
Thanks,
Anil
Reply Share
MartienTruijen5yearsago
IhavebeenintouchwithOracle.OracleisworkingonanimprovedorreplacingfunctionalityoftheBISQLGroupProvider.Obviouslybecausethisis
somethingthatmanyorganizationwouldwanttoimplement.EspeciallywheninitializationblocksintheRPDarenotsupposetobeusedanymoretogetthe
webgroupsthatauserismemberof.
ActiveDirectorygroupsaregreattoobutthataloneisnotgoingtocutitinmanyorganizations.Wehavecreatedcustomtablesthatarebeingpopulatedfrom
allsortsofapplications/directories(e.g.ADGroups,OracleEBusinessSuiteResponsibilities,etc.).
Reply Share
VikasBarsaiyan5yearsago
HiMark,
IamnotabletofetchthegroupinformationalthoughIhavefollowedthisarticlestepbystep.
Whatcanbethecausesforthesame?IhavelookedintodiagnosticlogsonWeblogicserverbutIdidn'tfindanythingthere.
Reply Share
VikasBarsaiyan5yearsago
Ihavedonethissetupmentionedabove.Afteraddinganewapplicationroles,whenItrytoaddaexistinggroupindatabse,Ididn'tfinditwhilesearchingfor
grouplist.Doyouanyideawhatarethepossiblecausesforthisissue?
Reply Share
VikasBarsaiyan5yearsago
HiMark,
Stilltheparameter"vitualize"and"virtualized"existinyourarticle.Canyoupleaseletusknowwhichoneiscorrect?
Reply Share
MartienTruijen5yearsago
Rick,
ThanksforyourBLOGs.Veryuseful.
Questionthough,thatIamalsoplanningtoaskOracleaboutbutmaybeyoucananswersaswell.
CanyougointomoredepthabouttheReplaceAttribute?FromwhatIread,itappearstomethatallusersareexpectedtobeinasingleOUinAD/LDAP?
Unfortunately,thatisnottrueinourADimplementationandmanylargerADimplementations.UsersaretypicallyspreadacrossdifferentOUs,especially
whenyouhaveusersindifferentdomains...
Ifyousay,substituteyourownLDAPdetailsintoReplaceAttribute,whatexactlydoyoumean?Iwouldverymuchappreciateamoreindepthexplaination.
Thanksinadvance!
Reply Share
JK5yearsago
InourOBIEEdeployment,weauthenticateagainstActiveDirectoryforsinglesignonfromacorporatewebportal,butADstoresonlyasinglegroupforall
OBIusers(groupsaremaintainedatanapplicationlevelonourADserver,notatarolelevel,sincewemanageaccesstoseveraldifferentapplicationsinour
ADserver)
Inour10genvironmentwewerestoringGroupsinadatabasetableandassigninggroupmembershipviaasessionvariablethatinitializedagainstthetable.
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
18/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
Inour10genvironmentwewerestoringGroupsinadatabasetableandassigninggroupmembershipviaasessionvariablethatinitializedagainstthetable.
WhatyouexplainhereseemsapplicabletooursituationitwouldbeawaytooverrideournonrolespecificADgroupassignmentswiththerolespecific
groupsrequiredtocontrolprivileges....
ButfromwhatIunderstandaboutGroupsandRolesinOBI11g,RolesaremoreakintoOBI10gGroups,inthattheyareusedtocontrolprivilegesinthe
application,whereasGroupsarespecificallyLDAPobjects.ItisalsomyunderstandingthatRolescanbeassigneddirectlytoUsersandthiscanbedone
usingthe'ROLES'sessionvariable,initializedinthesamemannerasthe'GROUP'variablewasin10g.
Thatbeingthecase,Ihavesimplyremappedthesessionvariablethatassignedthe'GROUP'variabletouserstothe'ROLES'variable,andmodifiedthe
assignmentsinthedatabasetabletoassignuserstotheoutoftheboxRoles(BIAdministratorRole,BIAuthorRoleetc.)sothatwhenusersauthenticate,
theyareassignedtotheappropriateRole,andgrantedprivilegesintheapplicationaccordingtotheirroleassignment.Thisbypassestherequirementto
assignLDAPGroupmembershipattherolelevelaltogether.Andseemstobeaneffectivewaytocontrolapplicationprivilegesin11g.
Reply Share
VenkatJ5yearsago
Justtoadd
1.Generallyiwouldn'trecommendcreatinggroupsinADBIAuthors,BIAdministratorsetcarenotneededinAD.NoteveryADadminwillacceptthat(also
notnecessaryforthefunctionalitybutifallowedthenthatshouldbeok).PerhapsthenewBISQLGroupAuthenticatorcanbeusedtoget
thesegroups(lessintrusive)butnotinAD/LDAP.
2.Ithinkuser.login.attr&username.attrarestillneedediftheADadmindeterminessAMAccountNameistheprincipalIDinsteadofcn.Thesettingisnot
neededonlywhenwearesurecnattributeisalwayspopulated.ItdependsontheunderlyingLDAP.
3.Also,fordefaultconfigurations(likeWindowsADdefault),WLSprovidersetupshould&willsuffice.Butforinsomecustomerimplementationswherethe
ADsetupcanchange,westillhavetogoandmodifytheusersearchsettings,groupsearchsettingsetc(whichwillbethecaseinmany
corporatesetups).
4.IntermsoftheBISystemUser,ithinkthiscancomefromanyprovider.Butitsbesttohavethisinthefirstprovider(AD).Forintercomponent
communication,BISystemUserwillbeauthenticatedandifitisnotinthefirstproviderBIEEalwayshastogothroughtothesecondprovider(Afterthefirst
provider)anditcansometimesslowdowntheAuthentication.OrbettertohaveADasthesecondproviderandthenleaveBISystemUserinthedefaultWLS.
ButforeveryADuser,authenticationhastogothrough2providers(whichmightnotbeacceptable).
Thanks,
Venkat
Reply Share
Josh5yearsago
Thanksfortheguide,oneerrorthough:
Youdefinetheidentitystoreproviderparameteras"virtualise=true"uptop,and"virtualized=true"below.
Reply Share
MarkRittman>Josh5yearsago
Yes,unfortunatelymyspellcheckercorrectedthespellingtoBritishEnglish)
I'vechangeditnowthanksforspottingit.
Mark
Reply Share
NILESHAGARWAL5yearsago
Thisisveryhelpfulpost.WhatIfyouhavemultipleactivedirectorydomainslikeoneforcorporateofficeandanotherforstore.Howdoyouconfigurethatin
11g.In10g,wecouldaddboththedomainsusingtheinitblockmethod.
Reply Share
Michal5yearsago
Thankyouforthisguide.
ItseemsthereisalotofconfigurationstepsbehindtheDBtablesgroupmembershipapproach,i.e.manychancestomakeanerror:/
Reply Share
MarkRittman>Michal5yearsago
@MIchal
AbsolutelyittookmeseveralattemptsbeforeIgotitworking.WhatIcansayititdoesworkintheend,butmakesureyourXMLfilehasn'tgotany
specialcharacters,addedspacesetcfromthecutandpasteintothetextfilemakesurethatthenewprovideristopofthelistofproviders,andso
on.Asyousay,lotsofopportunitiesforerrors.
Mark
Reply Share
ALSOONRITTMANMEAD
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
19/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
ALSOONRITTMANMEAD
AnatomyofBIEEPageRenderingUseofHTTP/WebServer&
Compression
5comments2monthsago
UsinglogdumptodebugOracleGoldenGateandKafka
3commentsamonthago
LegoHaryantoSince12.2.0.1.1,oneshouldbeabletousethis
TUHiVenkat,Iamalsointerestedaboutthelicensing.Alsocanwedo
workaroundintheproperties
HTTPcompressionwithoutusingOHS?
IntroducingobimetricsagentanOpenSourceOBIEEMetrics
Collector
OracleBIEE11gandOracleADFPart2RealTimereporting
usingViewObjects
3comments2monthsago
5comments2monthsago
SasikanthVeryinterestingandIthinkthishelpssomuchtoanalysethe
DavoodIfounditin
platformforperformance.
{oracle_home}\oracle_common\atgpf\modules\oracle.applcore.model_11.1.1\oracle.app
containsoracle.applcore.model
Subscribe d AddDisqustoyoursiteAddDisqusAdd
Privacy
Subscribe
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
20/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
(https://twitter.com/intent/tweet?
text=OBIEE%2011g%20Security%20Week%20%3A%20Connecting%20to%20Active%20Directory%2C%20and
11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-databasetables/) (https://www.facebook.com/sharer/sharer.php?
u=http://www.rittmanmead.com/blog/2012/03/obiee-11g-security-week-connecting-to-activedirectory-and-obtaining-group-membership-from-database-tables/)
(https://plus.google.com/share?url=http://www.rittmanmead.com/blog/2012/03/obiee-11g-securityweek-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/)
T E C H N I C A L I N S I G H TS ( / B LO G / TA G / T E C H N I C A L )
B U S I N E S S I N S I G H T S ( / B LO G / TA G / B U S I N E S S - I N S I G H T S )
R I T T M A N M E A D L I F E ( / B LO G / TA G / R I T T M A N - M E A D - L I F E )
SUBSCRIBE
Recent Posts
Streaming data from Oracle using Oracle GoldenGate and Kafka Connect (/blog/2016/10/streaming-data-from-oracle-using-oracle-goldengate-and-kafkaconnect/)
OTN Appreciation Day : OBIEE's BI Server (/blog/2016/10/otn-appreciation-day-obiees-bi-server/)
OTN Appreciation Day: OBIEE's Export to Excel Functionality (/blog/2016/10/otn-appreciation-day-obiees-export-to-excel-functionality/)
OTN Appreciation Day: Oracle Data Integrator 12c - Flexibility (/blog/2016/10/otn-appreciation-day-odi12c-flexibility/)
POUG (/blog/2016/10/poug/)
(/blog/2012/03/new-
(/blog/2012/03/deploying-
training-courses-and-
odi-11g-agents-for-high-
seminars-from-rittmanmead/)
availability-and-loadbalancing/)
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
21/22
10/13/2016
OBIEE11gSecurityWeek:ConnectingtoActiveDirectory,andObtainingGroupMembershipfromDatabaseTables
I've recently joined Rittman Mead to headup our Training area, and for the past few
weeks have been working
About Us
Rittman Mead consults, trains, and innovates within the world of Oracle Business Intelligence, data integration, and analytics.
We work globally with clients, partners and Oracle Corporation to deliver world-class solutions based around Oracle and
related BI technologies.
(http://www.rittmanmead.com/feed/)
(http://twitter.com/rittmanmead)
(http://www.linkedin.com/company/rittmanmead)
Get in Touch
Rittman Mead Consulting Ltd.
Suite B, First Floor,
Moore House, 11-13 Black Lion Street,
Brighton, BN1 1ND, United Kingdom
P: (Phone) +44 (0) 1273 911 268
https://www.rittmanmead.com/blog/2012/03/obiee11gsecurityweekconnectingtoactivedirectoryandobtaininggroupmembershipfromdatabasetables/
22/22