In Oracle OBIEE 11g, we can use AD (Active Directory) as an LDAP source, and therefore use the users and accounts that are defined on the AD server. To do that, there are some configuration tasks to apply in Oracle WebLogic Server and in Fusion Middleware Control, which is also known as Oracle Enterprise Manager.
1. Creating a New Provider
1.1. Create System Users & Groups in Active Directory: The first step is to create some system users in AD. These are:
OBIA_Weblogic, OBIAOracleSystemUser, OBIA_BISystemUser
We also need to create two groups in AD. These are:
OBIA_Administrators (member: OBIA_Weblogic) and OBIAOracleSystemGroup (member: OBIAOracleSystemUser)
The reason we add a prefix like OBIA is to make these accounts specific to our installation.
1.2 Backup of Configuration:
The configuration file we will be changing is config.xml, located at %OBI_HOME%\user_projects\domains\bifoundation_domain\config\config.xml
In case we make an error, we should have a backup of this file. If Oracle WebLogic ever fails to start after the change, we can recover by restoring the old configuration file.
1.3 Creation of Active Directory Provider:
Let's log in to the WebLogic Admin Console: http://localhost:7001/console. The host and port may differ depending on your installation.
Click Security Realms on the left panel. Click "myrealm" in the Realms list. Go to the Providers tab. Click the Lock & Edit button on the left panel.
Click NEW.
Specify a name for the new authentication provider as you like. Select "ActiveDirectoryAuthenticator" from the TYPE drop-down list. Click OK. Click on the newly created Active Directory provider.
Select SUFFICIENT from the Control Flag drop-down list. Click SAVE. Then we fill in the provider-specific properties:
Property                                                  | Value
Connection / Host                                         | Active Directory IP
Connection / Port                                         | 389
Connection / Principal                                    | cn=obia_weblogic,cn=users,dc=gm,dc=,dc=com,dc=tr
Connection / Credential                                   | Passw0rd
Connection / SSLEnabled                                   | NOT SELECTED
Users / User Base DN                                      | dc=gm,dc=,dc=com,dc=tr
Users / All Users Filter                                  | (empty)
Users / User From Name Filter                             | (&(samaccountname=%u)(objectclass=user))
Users / User Search Scope                                 | subtree
Users / User Name Attribute                               | samaccountname
Users / User Object Class                                 | user
Users / Use Retrieved User Name as Principal              | SELECTED
Groups / Group Base DN                                    | cn=users,dc=gm,dc=,dc=com,dc=tr
Groups / All Groups Filter                                | (empty)
Groups / Group From Name Filter                           | (&(cn=%g)(objectclass=group))
Groups / Group Search Scope                               | subtree
Groups / Group Membership Searching                       | limited
Groups / Max Group Membership Search Level                | 1
Groups / Ignore Duplicate Membership                      | NOT SELECTED
Groups / Use Token Groups For Group Membership Lookup     | NOT SELECTED
Static Groups / Static Group Name Attribute               | cn
Static Groups / Static Group Object Class                 | group
Static Groups / Static Member DN Attribute                | member
Static Groups / Static Group DNs from Member DN Filter    | (&(member=%M)(objectclass=group))
Dynamic Groups / Dynamic Group Name Attribute             | (empty)
Dynamic Groups / Dynamic Group Object Class               | (empty)
Dynamic Groups / Dynamic Member URL Attribute             | (empty)
Dynamic Groups / User Dynamic Group DN Attribute          | (empty)
General / Connection Pool Size                            | 0
General / Connect Timeout                                 | 20
General / Connection Retry Limit                          | 3
General / Parallel Connect Delay                          | 0
General / Results Time Limit                              | 0
General / Keep Alive Enabled                              | NOT SELECTED
General / Follow Referrals                                | SELECTED
General / Bind Anonymously On Referrals                   | NOT SELECTED
General / Propagate Cause For Login Exception             | NOT SELECTED
General / Cache Enabled                                   | SELECTED
General / Cache Size                                      | 32
General / Cache TTL                                       | 60
General / GUID Attribute                                  | samaccountname
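The three filter templates in the table (User From Name Filter, Group From Name Filter, Static Group DNs from Member DN Filter) are expanded by WebLogic at lookup time: the login name replaces %u, the group name replaces %g and a member DN replaces %M. The example below is added here and is not code from the page or from Oracle; it models that expansion and shows the property a practitioner should verify, namely that whatever value lands in the filter is escaped per RFC 4515 so that the expanded filter keeps the single-entry shape of the template. The login and group names used are constructed.

```python
"""
LDAP filter template expansion with RFC 4515 escaping (added example, not
Oracle code). Models how the %u / %g / %M tokens in the provider's filter
templates are filled, and checks that substitution cannot change the shape
of the filter.
"""

# Filter templates exactly as configured in the provider table
USER_FROM_NAME_FILTER = "(&(samaccountname=%u)(objectclass=user))"
GROUP_FROM_NAME_FILTER = "(&(cn=%g)(objectclass=group))"
GROUP_DNS_FROM_MEMBER_FILTER = "(&(member=%M)(objectclass=group))"

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only match literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, token: str, value: str) -> str:
    """Substitute the escaped value for the template token (%u, %g or %M)."""
    return template.replace(token, escape_filter_value(value))


def unescaped_counts(filter_str: str) -> dict:
    """Count the unescaped structural characters '(', ')' and '*' in a filter.

    A backslash starts a two-hex-digit escape, so the escaped character is
    skipped and not counted.
    """
    counts = {"(": 0, ")": 0, "*": 0}
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3  # skip the whole "\XX" escape
            continue
        if ch in counts:
            counts[ch] += 1
        i += 1
    return counts


def keeps_template_shape(template: str, expanded: str) -> bool:
    """True when substitution added no parentheses or wildcards to the filter.

    This is the property a single-user lookup must have: the name fills one
    assertion value and nothing else.
    """
    return unescaped_counts(template) == unescaped_counts(expanded)


if __name__ == "__main__":
    # Constructed login names: a plain one, one with a wildcard, one with a stray paren
    for name in ("j.doe", "j.doe*", "j.doe)"):
        escaped = expand_filter(USER_FROM_NAME_FILTER, "%u", name)
        naive = USER_FROM_NAME_FILTER.replace("%u", name)
        print(f"{name!r}: {escaped}")
        print(f"    shape kept: escaped={keeps_template_shape(USER_FROM_NAME_FILTER, escaped)}, "
              f"unescaped={keeps_template_shape(USER_FROM_NAME_FILTER, naive)}")
    print(expand_filter(GROUP_FROM_NAME_FILTER, "%g", "OBIA_Administrators"))
```

The same escaping applies to the DN placed at %M, because a DN inside a filter is an assertion value, not a DN syntax element. Separately, note that with SSLEnabled not selected the principal's credential is sent to the directory in cleartext on port 389; enabling SSL (LDAPS, normally port 636) is the usual hardening for the bind.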
Click DefaultAuthenticator in the Provider list. Select SUFFICIENT from the Control Flag drop-down list. Click SAVE.
Click the Activate Changes button on the left panel. Stop and start the BI services for these changes to take effect.
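Why both providers end up as SUFFICIENT: WebLogic evaluates its providers in realm order under JAAS control-flag semantics, and the DefaultAuthenticator ships as REQUIRED. The example below is added here and is not Oracle code; it is a small model of those JAAS rules used to show the difference between the two states. The provider names, their order (it assumes the console appends the new provider after DefaultAuthenticator) and the per-user outcomes are constructed.

```python
"""
How WebLogic combines authentication providers by control flag (added example,
not Oracle code). Models the JAAS LoginContext rules that an ordered provider
list follows, to show why DefaultAuthenticator must also be SUFFICIENT.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def evaluate_login(providers, outcomes):
    """Apply JAAS control-flag semantics to an ordered provider list.

    providers: list of (name, control_flag) in realm order.
    outcomes:  dict name -> True if that provider accepted the credentials.
    Returns (login_succeeded, names_of_providers_actually_consulted).
    """
    consulted = []
    has_required = False      # any REQUIRED/REQUISITE provider in the chain
    required_failed = False   # one of those rejected the credentials
    optional_ok = False       # an OPTIONAL provider accepted them
    for name, flag in providers:
        accepted = outcomes[name]
        consulted.append(name)
        if flag in (REQUIRED, REQUISITE):
            has_required = True
            if not accepted:
                required_failed = True
                if flag == REQUISITE:
                    return False, consulted   # REQUISITE failure ends the chain at once
        elif flag == SUFFICIENT:
            if accepted and not required_failed:
                return True, consulted        # SUFFICIENT success short-circuits
        elif flag == OPTIONAL:
            optional_ok = optional_ok or accepted
        else:
            raise ValueError(f"unknown control flag: {flag!r}")
    if has_required:
        return (not required_failed), consulted
    return optional_ok, consulted


# Constructed realm layouts: the target state described on the page, and the
# state right after creating the provider but before changing DefaultAuthenticator
AS_CONFIGURED = [("DefaultAuthenticator", SUFFICIENT), ("OBIA_ActiveDirectory", SUFFICIENT)]
DEFAULT_STILL_REQUIRED = [("DefaultAuthenticator", REQUIRED), ("OBIA_ActiveDirectory", SUFFICIENT)]

# Constructed outcomes for three kinds of login attempt
AD_ONLY_USER = {"DefaultAuthenticator": False, "OBIA_ActiveDirectory": True}
LOCAL_ONLY_USER = {"DefaultAuthenticator": True, "OBIA_ActiveDirectory": False}
UNKNOWN_USER = {"DefaultAuthenticator": False, "OBIA_ActiveDirectory": False}

if __name__ == "__main__":
    for label, realm in (("both SUFFICIENT", AS_CONFIGURED), ("Default REQUIRED", DEFAULT_STILL_REQUIRED)):
        for who, outcome in (("AD user", AD_ONLY_USER), ("local user", LOCAL_ONLY_USER), ("unknown", UNKNOWN_USER)):
            ok, seen = evaluate_login(realm, outcome)
            print(f"{label:16s} {who:10s} -> {'OK' if ok else 'DENIED'} via {seen}")
```

With DefaultAuthenticator still REQUIRED, an AD-only user is rejected even though the AD provider accepted the credentials; once both are SUFFICIENT, the first provider that accepts ends the chain and an unknown user is rejected by all of them.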
1.4 Check If Integration Works
Log in to the WebLogic Admin Console and go to the Provider list. Click on the Users and Groups tab.
Check whether the users and groups from Active Directory are listed.
1.5 Security Provider Configuration
Click the "WebLogic Domain" menu in Enterprise Manager. Click the "Security Provider Configuration" menu item under the Security sub-menu.
Add the following property to the custom properties:
Property Name | Value
virtualize    | true
Now we should be able to log in to the environment both with the default authenticator's users and with users from Active Directory.