08 December, 2014

Integrating OBIEE 11g with MS active directory (LDAP)





In this post I will show you, step by step, how to integrate OBIEE 11g with MS Active Directory (AD). Other blogs contain a lot of unnecessary information that is not required for this integration. Just follow this 'white rabbit' and save your time!




Log in to the Weblogic administration console as an administrator (with the username and password you specified during the OBIEE installation). The default URL of the Weblogic administration console is: http://SERVERFQDN:7001/console


After the Weblogic administration console is displayed, click on "Security realms" in the "Domain structure" menu on the left side of the window, and then on "MyRealm" on the right side.


Before you change anything in the administration console, you must click on the "Lock & Edit" button on the left side of the console. After that, click on the "Providers" tab on the right side of the window.




We need to create a new authentication provider through which OBIEE will communicate with MS AD. Click on the "New" button. When the new window appears, enter the name and the type of the authentication provider you wish to create, like this:

- Name: ADAuthenticator
- Type: ActiveDirectoryAuthenticator

Click on the "Save" button to save the values entered above.





Click on the new provider named "ADAuthenticator" and set the "Control flag" option to "SUFFICIENT". After all parameters in the "Common" tab are defined, your values should look like these:

- Name: ADAuthenticator
- Description: Provider that performs LDAP authentication
- Version: 1.0
- Control Flag: SUFFICIENT

If all values are correct, click on the second tab, named "Provider specific".

In this tab you must enter the details/parameters of the AD server:

- Host: IP address or FQDN of the AD server (e.g. test.organization.corp)
- Port: 389 (the default port of MS AD)
- Principal: cn=Administrator,cn=Users,dc=organization,dc=corp
  (the first value is the username; the second value is the group where the user is; the third value is the first part of the MS domain; the fourth value is the second part of the MS domain)
- Credential: the password of the principal specified above
- Confirm credential: the same password again
- SSL Enabled: SSL is disabled by default. You can enable it later.
- User base DN: ou=GROUP,dc=organization,dc=corp
  (in the "ou" value you must specify the name of the AD group where your users are stored; if the users are in the default group "Users", replace "GROUP" with "USERS", otherwise enter the real group name)
- All users filter: (&(sAMAccountName=*)(objectclass=user))
- User from name filter: (&(sAMAccountName=%u)(objectclass=user))
- User search scope: subtree
- User name attribute: sAMAccountName
- User object class: user
- Use Retrieved User Name as Principal: unchecked
- Group base DN: cn=Builtin,dc=organization,dc=corp
- All Groups Filter: none
- Group From Name Filter: (&(cn=%g)(objectclass=group))
- Group Search Scope: subtree
- Group Membership Searching: unlimited
- Max Group Membership Search Level: 0
- Ignore Duplicate Membership: unchecked
- Use Token Groups For Group Membership Lookup: unchecked
- Static Group Name Attribute: cn
- Static Group Object Class: group
- Static Member DN Attribute: member
- Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))
- Dynamic groups: all blank (no values)
- Connection Pool Size: 6
- Connect Timeout: 0
- Connection Retry Limit: 1
- Parallel Connect Delay: 0
- Results Time Limit: 0
- Keep Alive Enabled: unchecked
- Follow Referrals: checked
- Bind Anonymously On Referrals: unchecked
- Propagate Cause For Login Exception: unchecked
- Cache Enabled: checked
- Cache Size: 3200
- Cache TTL: 60
- GUID attribute: objectguid



Then, with the list of authentication providers displayed again, press the "Reorder" button and change the order of the providers so that "ADAuthenticator" is first, followed by "DefaultAuthenticator" and "DefaultIdentityAsserter".



After saving all changes, press the "Activate changes" button in the left pane. Now you can restart all BI domain services. My advice is to restart all OBIEE services (OPMN).
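The console steps above (create the provider, fill in the "Common" and "Provider specific" values, reorder the providers, activate) as one WLST script run from the OBIEE middleware home. This is an added example, not code from the original post; it assumes the domain is named bifoundation_domain (the name used later in the Enterprise Manager steps), the realm is myrealm, the admin server is reachable at t3://SERVERFQDN:7001, and it uses the placeholder host, DNs and filters from the post, leaving the pool, cache and referral entries at their WebLogic defaults. Both passwords are placeholders you must replace.

```jython
# Added example: applies the ADAuthenticator settings from the post with WLST.
# Run: $MW_HOME/oracle_common/common/bin/wlst.sh configure_ad.py
# Assumed: domain bifoundation_domain, realm myrealm, admin URL t3://SERVERFQDN:7001.
import jarray
from javax.management import ObjectName

connect('weblogic', 'WEBLOGIC_PASSWORD_PLACEHOLDER', 't3://SERVERFQDN:7001')
edit()
startEdit()                   # equivalent of "Lock & Edit" in the console

realm = '/SecurityConfiguration/bifoundation_domain/Realms/myrealm'
cd(realm)
cmo.createAuthenticationProvider('ADAuthenticator',
    'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator')

cd(realm + '/AuthenticationProviders/ADAuthenticator')
cmo.setControlFlag('SUFFICIENT')   # keep DefaultAuthenticator SUFFICIENT as well,
                                   # so the built-in weblogic account still works
cmo.setHost('test.organization.corp')
cmo.setPort(389)                   # plain LDAP: the bind password and user logins
cmo.setSSLEnabled(false)           # cross the network unencrypted; use 636 + SSL in production
# Note: a dedicated read-only bind account is safer than the domain Administrator
cmo.setPrincipal('cn=Administrator,cn=Users,dc=organization,dc=corp')
cmo.setCredential('AD_BIND_PASSWORD_PLACEHOLDER')
cmo.setUserBaseDN('ou=GROUP,dc=organization,dc=corp')
cmo.setAllUsersFilter('(&(sAMAccountName=*)(objectclass=user))')
cmo.setUserFromNameFilter('(&(sAMAccountName=%u)(objectclass=user))')
cmo.setUserSearchScope('subtree')
cmo.setUserNameAttribute('sAMAccountName')
cmo.setUserObjectClass('user')
cmo.setGroupBaseDN('cn=Builtin,dc=organization,dc=corp')
cmo.setGroupFromNameFilter('(&(cn=%g)(objectclass=group))')
cmo.setGroupSearchScope('subtree')
cmo.setStaticGroupNameAttribute('cn')
cmo.setStaticGroupObjectClass('group')
cmo.setStaticMemberDNAttribute('member')
cmo.setStaticGroupDNsfromMemberDNFilter('(&(member=%M)(objectclass=group))')
cmo.setGUIDAttribute('objectguid')

# "Reorder": ADAuthenticator first, then the embedded LDAP providers
cd(realm)
set('AuthenticationProviders', jarray.array([
    ObjectName('Security:Name=myrealmADAuthenticator'),
    ObjectName('Security:Name=myrealmDefaultAuthenticator'),
    ObjectName('Security:Name=myrealmDefaultIdentityAsserter')], ObjectName))

save()
activate()                    # "Activate changes"; then restart the OBIEE services
disconnect()
```

After the restart, the same checks as in the console apply: the AD users and groups must appear under the "Users" and "Groups" tabs of the realm before you move on to Enterprise Manager.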

After the restart has finished successfully, log in again to the Weblogic administration console, click again on "Security realms" in the "Domain structure" menu and then on "MyRealm" on the right side. In the "Users" tab you can now see all users from the MS AD group you specified in section seven, listed alongside the WLS LDAP users.

Similarly, you should see your AD groups under the "Groups" tab. Note that you can't edit these AD users and groups from within the Weblogic administration console, and you can't create new AD users here; to do that you need MS AD's own console and tools on the Microsoft Windows domain controller (Active Directory Users and Computers).

Next we switch to the Oracle Enterprise Manager console (EM) to configure Fusion Middleware's Oracle Platform Security Services to accept users and groups from both WLS LDAP and Active Directory when logging into the dashboard, and then we map the AD groups to their equivalent application roles in OBIEE.

Log in to Enterprise Manager (with the username and password you specified during the OBIEE installation). The default URL is: http://SERVERFQDN:7001/em

Select "WebLogic Domain" on the left side -> "bifoundation_domain" menu item. Right click on it and select "Security > Security Provider Configuration". When the "Security Provider Configuration" page is displayed, expand the "Identity Store Provider" area and press the "Configure…" button in the middle of the screen.

The Identity Store Configuration page will then be displayed. Press the "Add" button next to the "Custom properties" area, and add a new custom property with these settings:

- Property Name: virtualize
- Value: true

Press the "OK" button to close the window.


We are still working in Oracle Enterprise Manager. Expand "Business Intelligence" on the left side, right click on the "coreapplication" entry and select "Security - Application Roles". As you may have done with the application role settings in yesterday's postings, edit the "BIAdministrator", "BIAuthor" and "BIConsumer" application roles so that the new MS Active Directory groups are listed as members.

Doing this ensures that the MS Active Directory users get the same Presentation Server and repository privileges as the WLS LDAP users, but they won't have administration access to WebLogic or Enterprise Manager. In this case, I have added the DomainUsers group from MS Active Directory as a member of the BIAdministrator role.

You can, if you want, grant these users the same domain administrator rights as the WLS LDAP users, and you can indeed remove all of the WLS LDAP users and groups and move over to Active Directory entirely.

You should now be able to log in as one of the Active Directory users. In the screenshot below, the user "AD User" has logged in and has been granted the BIAdministrator role through membership of the DomainUsers Active Directory group.


 Laserline d.o.o.

 Drazen Kovacevic
 drazen.kovacevic@laserline.hr

       





2 comments:

  1. and that is all? God guard me!! cuz next monday I'm using this guide to integrate OBIEE with AD and sessions variables using initialization blocks for a customer. Thank you!

    ReplyDelete
  2. Hi AL.
    Yes, this is all you must do to integrate OBIEE with MS AD.
    Have you successfully done that?

    Regards,
    Drazen

    ReplyDelete
