Configuring
Active Directory as the Authentication Provider (OBIEE 11.1.1.9)
Purpose:
Connecting the OBIEE WebLogic LDAP
server to Microsoft Active Directory, so users can log-into the dashboard using
their Windows Active Directory username and password, and retrieve group
membership.
Whilst OBIEE comes with the embedded
WebLogic LDAP server to hold users and groups, the license for this is
restricted such that you can't just move all users from other applications into
the LDAP server.
If you search in the internet and
Oracle docs for instructions on how to integrate OBIEE 11g with Active
Directory, there are many different ways to do it with set of instructions.
A lot of this is because Active
Directory is highly-configurable, and a lot depends on how much you want to
replace, or just work alongside, the existing WLS LDAP server.
Our objective is to keep the WLS
LDAP server and the user accounts within it and then make it possible for
Active Directory users also log in and be assigned to the standard application
roles that the WLS LDAP users have.
Procedure:
This procedure illustrates how to
configure Oracle Business Intelligence to use Active Directory.
Before starting the configuration, we
need the following Active Director users and groups as below.
ADbiapps, will be used as the principal that OBIEE uses to
connect to the Active Directory server
ADBISystemUser a user on Active Directory who wants to have
administration rights in the Presentation Server and BI Server
Above users are organized into three
groups in the AD server:
ADBIAdministrators, analogous to the BIAdministrators group in
the WLS LDAP server
ADBIAuthors, analogous to the BIAuthors group in the WLS LDAP
server
ADBIConsumers, analogous to the BIConsumers group in the WLS LDAP
server
The groups have just got those users
as members, and the users are just regular AD users, including the
ADBISystemUser account.
Let's go into the WebLogic Server
Administration Console http://[machine_name]:7001/console) and start
configuring the system for Active Directory integration.
To configure Active Directory as the
Authentication Provider:
- Log in to Oracle WebLogic Server Administration
Console, and click Lock & Edit in the Change Center.
- Select Security Realms from the left pane and click
myrealm.
The default
Security Realm is named myrealm.
- Display the Providers tab, then display the
Authentication sub-tab.
- Click New to launch the Create a New Authentication
Provider page.
- Enter values in the Create a New Authentication
Provider page as follows:
- Name: Enter a name for the authentication provider.
For example, ADAuthenticator.
- Type: Select ActiveDirectoryAuthenticator from the
list.
- Click OK to save the changes and display the authentication
providers list updated with the new authentication provider.
- Now click on this new authentication provider in
the list, and then when the Settings for ADProvider page is shown, set the
Control Flag to SUFFICIENT,
and press Save.
- Click DefaultAuthenticator in the Name column to display the Settings page.
- In the Common Authentication Provider Settings page, change the Control Flag from REQUIRED to SUFFICIENT and click Save.
Then, again click on Providers and with
the list of authentication providers displayed, press the Reorder button.
Change the order of the providers so that MSADProvider is first, followed by DefaultAuthenticator, DefaultIdentityAsserter and TrustServiceIdAsserter
Click ok.
With the list of authentication providers
displayed Click on MSADProvider
Click on the Provider Specific tab
Enter the following details for your
Active Directory installation, amending the settings as appropriate for your AD
server.
Provider Specific
|
|
Connection
|
|
Host:
|
10.10.2.76
|
Port:
|
389
|
Principal:
|
CN=ADbiapps,DC=GLC,DC=COM,DC=SA
|
Credential:
|
|
Confirm Credential:
|
|
Users
|
|
User Base DN:
|
DC=GLC,DC=COM,DC=SA
|
User From Name Filter:
|
(&(sAMAccountName=%u)(objectclass=user))
|
User Name Attribute:
|
sAMAccountName
|
Groups
|
|
Group Base DN:
|
DC=GLC,DC=COM,DC=SA
|
Group From Name Filter:
|
(&(sAMAccountName=%g)(objectclass=group))
|
Static Groups
|
|
Static Group Name Attribute:
|
sAMAccountName
|
Click Save.
In the
Change Center, click Activate Changes.
Restart
Oracle WebLogic Server.
Once complete, log in again into
the WebLogic Admin Console and select Security Realms > myrealm > Users and Groups. You
should then see the Active Directory users listed alongside the WLS LDAP ones.
Next we will switch over to
Enterprise Manager, first to configure Fusion Middleware's Oracle Platform
Security Services to accept users and groups from both WLS LDAP and Active
Directory when logging into the dashboard, and then we'll map the Active Directory
groups to their equivalent application roles.
Log into Enterprise Manager, and select the WebLogic Domain > bifoundation_domain menu item on the left. Right-click on it and select Security > Security Provider Configuration. When the Security Provider Configuration page is displayed, expand the Identity Store Provider area and press the Configure… button.
Log into Enterprise Manager, and select the WebLogic Domain > bifoundation_domain menu item on the left. Right-click on it and select Security > Security Provider Configuration. When the Security Provider Configuration page is displayed, expand the Identity Store Provider area and press the Configure… button.
The Identity
Store Configuration page will then be displayed. Press the Add button next to the Custom Properties area, and add a new custom property
with these settings :
Property Name : virtualize
Value : true
Press OK to close the page.
Property Name : virtualize
Value : true
Press OK to close the page.
Update the system.user key points
to an existing user BISystemUser in Active
Directory, then the system.user Credential
Key will have be updated from Enterprise manager Credential Store (to point to
the correct user/password
Edit Key > Select map=
oracle.bi.system
Key = system.user
TYpe = Password
User name = this should be your AD user
Password= password for AD user
TYpe = Password
User name = this should be your AD user
Password= password for AD user
Now right-click on the Business
Intelligence > coreapplication entry in the left-hand side menu, and select Security > Application
Roles. As you may have done with the application role settings
in yesterday's postings, edit the BIAdministrator, BIAuthor and BIConsumer application
roles so that the new Active Directory groups are listed as members.
Doing this ensures that the Active
Directory users get the same type of Presentation Server and repository
privileges as WLS LDAP users, but they won't have administration access to
WebLogic or Enterprise Manager.
Add AD User ADBISystemUser are
mapped to Application Roles
Log in to Weblogic Admin console > Security Realms from the left-hand menu > drill on your security realm in the main screen (e.g. myrealm)
> Roles and Policies Tab >expand Global Roles> then Roles, then click on the link marked View Role Conditions
For the OBIEE application role eg "Apptester" you should see the corresponding AD group in View Role Conditions eg Group=Apptester (created on AD)
Log in to Weblogic Admin console > Security Realms from the left-hand menu > drill on your security realm in the main screen (e.g. myrealm)
> Roles and Policies Tab >expand Global Roles> then Roles, then click on the link marked View Role Conditions
For the OBIEE application role eg "Apptester" you should see the corresponding AD group in View Role Conditions eg Group=Apptester (created on AD)
· Doing this ensures
that the Active Directory users get the same type of Presentation Server and
repository privileges as WLS LDAP users, but they won't have administration
access to WebLogic or Enterprise Manager.
You can, if you want, grant these users the same sorts of domain administrator rights as the WLS LDAP users, and you can indeed remove all of the WLS LDAP users and groups and move over to Active Directory entirely. But in most cases I see, this level of integration is sufficient, as it still allows the OBIEE administrators to control their own user accounts and privileges.
You can, if you want, grant these users the same sorts of domain administrator rights as the WLS LDAP users, and you can indeed remove all of the WLS LDAP users and groups and move over to Active Directory entirely. But in most cases I see, this level of integration is sufficient, as it still allows the OBIEE administrators to control their own user accounts and privileges.
·
You should now be able to log in as one of the Active Directory users.
In the screenshot below, the AD User user has logged in, and has been granted
the BIAuthor role through their membership of the ADBIAuthors Active Directory
group. If Anne Administrator, an Active Directory user assigned to the
ADBIAdministrator group, logs in she will be able to administer the
Presentation Server permissions and privileges, but she won't be able to log
into Enterprise Manager to change the repository, for example.
Useful Links and Oracle Doc ID’s
After Upgrade from OBIEE 10g Unable
To Login To OBIEE 11g : "Unable to find user in identity store" (Doc
ID 1482788.1)
OBIEE 11g: Alert: Users Unable to Log in to
OBIEE 11.1.1.9 if Using MSAD or Other Third-Party LDAP as the Identity Store
and Virtualization is Set to true. (Doc ID 2016571.1)
OBIEE 11g: How To Setup ADSI LDAP Security
Provider (Doc ID 1273961.1)
https://www.rittmanmead.com/blog/2010/11/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/
https://www.rittmanmead.com/blog/2010/11/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/
http://paulcannon-bi.blogspot.com/2012/07/configuring-ldap-authentication-for.html
https://docs.oracle.com/middleware/11119/biee/BIESC/privileges.htm#BABBCEFH
https://www.rittmanmead.com/blog/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables
0 Comments:
Post a Comment