Hurriyet

Tuesday, 19 August 2014

Oracle Fusion Middleware: Using Active Directory as a User Provider - Active Directory Authentication to OBIEE 11g - Configuring Active Directory for OBIEE 11g

In Oracle OBIEE 11g, we can use AD (Active Directory) as an LDAP source, so we can use the users and accounts that are defined on the AD server. To do that, we have some configuration tasks to apply in Oracle WebLogic Server and in Fusion Middleware Control, which is also known as Oracle .

1. Creating a New Provider

1.1 Create System Users & Groups in Active Directory: The first step is to create some system users in AD. These are:

OBIA_Weblogic, OBIAOracleSystemUser, OBIA_BISystemUser

We also need to create 2 groups in AD. These are:

OBIA_Administrators (Member: OBIA_Weblogic) and OBIAOracleSystemGroup (OBIAOracleSysUser)

The reason why we added prefixes like OBIA is to make them specific to our installation.

1.2 Backup of Configuration: 

The config.xml file is located at %OBI_HOME%\user_projects\domains\bifoundation_domain\config\config.xml

In case we make an error, we should have a backup of this file. If we ever have a problem starting Oracle WebLogic, we can solve it by returning to the old configuration file.

1.3 Creation of Active Directory Provider:

Let's log in to the WebLogic Admin Console: http://localhost:7001/console. Ports and links may change according to the installation you are making.

Click Security Realms on the left panel. Click “myrealm” in the Realms list. Go to the Providers tab. Click the Lock & Edit button on the left panel. Click NEW.

Specify any name you like for the new authentication provider. Select “ActiveDirectoryAuthenticator” from the TYPE drop-down list. Click OK. Click on the newly created Active Directory provider.
Select SUFFICIENT from the Control Flag drop-down list. Click SAVE. Then we fill in the provider-specific properties.

| Property Name | Value |
|---|---|
| Connection / Host | Active Directory IP |
| Connection / Port | 389 |
| Connection / Principal | cn=obia_weblogic,cn=users,dc=gm,dc=,dc=com,dc=tr |
| Connection / Credential | Passw0rd |
| Connection / SSLEnabled | NOT SELECTED |
| Users / User Base DN | dc=gm,dc=,dc=com,dc=tr |
| Users / All Users Filter | |
| Users / User From Name Filter | (&(samaccountname=%u)(objectclass=user)) |
| Users / User Search Scope | subtree |
| Users / User Name Attribute | samaccountname |
| Users / User Object Class | user |
| Users / Use Retrieved User Name as Principal | SELECTED |
| Groups / Group Base DN | cn=users,dc=gm,dc=,dc=com,dc=tr |
| Groups / All Groups Filter | |
| Groups / Group From Name Filter | (&(cn=%g)(objectclass=group)) |
| Groups / Group Search Scope | subtree |
| Groups / Group Membership Searching | limited |
| Groups / Max Group Membership Search Level | 1 |
| Groups / Ignore Duplicate Membership | NOT SELECTED |
| Groups / Use Token Groups For Group Membership Lookup | NOT SELECTED |
| Static Groups / Static Group Name Attribute | cn |
| Static Groups / Static Group Object Class | group |
| Static Groups / Static Member DN Attribute | member |
| Static Groups / Static Group DNs from Member DN Filter | (&(member=%M)(objectclass=group)) |
| Dynamic Groups / Dynamic Group Name Attribute | |
| Dynamic Groups / Dynamic Group Object Class | |
| Dynamic Groups / Dynamic Member URL Attribute | |
| Dynamic Groups / User Dynamic Group DN Attribute | |
| General / Connection Pool Size | 0 |
| General / Connect Timeout | 20 |
| General / Connection Retry Limit | 3 |
| General / Parallel Connect Delay | 0 |
| General / Results Time Limit | 0 |
| General / Keep Alive Enabled | NOT SELECTED |
| General / Follow Referrals | SELECTED |
| General / Bind Anonymously On Referrals | NOT SELECTED |
| General / Propagate Cause For Login Exception | NOT SELECTED |
| General / Cache Enabled | SELECTED |
| General / Cache Size | 32 |
| General / Cache TTL | 60 |
| General / GUID Attribute | samaccountname |

Click DefaultAuthenticator in the Provider list.
Select SUFFICIENT from the Control Flag drop-down list. Click SAVE.
Click the Activate Changes button on the left panel. Stop and start BI Services for these changes to take effect.
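
Why step 1.3 ends by switching DefaultAuthenticator to SUFFICIENT, shown as an added example that is not part of the original post: a small Python model of JAAS control-flag evaluation, which the WebLogic provider chain follows. It assumes DefaultAuthenticator starts at its out-of-the-box REQUIRED flag; the provider name ADProvider and the users weblogic, jdoe and nobody are constructed.

```python
# Added illustration (not from the original post): JAAS-style control-flag
# evaluation for an ordered provider chain. Names and users are constructed.

def authenticate(providers, user):
    """providers: ordered list of (name, control_flag, known_users).
    Returns True when the overall login succeeds for `user`."""
    has_mandatory = any(f in ("REQUIRED", "REQUISITE") for _, f, _ in providers)
    mandatory_failed = False   # a REQUIRED/REQUISITE provider rejected the user
    any_ok = False             # a SUFFICIENT/OPTIONAL provider accepted the user

    for _name, flag, known_users in providers:
        ok = user in known_users          # stand-in for the real credential check
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                mandatory_failed = True
                if flag == "REQUISITE":
                    return False          # REQUISITE failure stops the chain
        elif flag == "SUFFICIENT":
            if ok and not mandatory_failed:
                return True               # success here ends the chain
            any_ok = any_ok or ok
        elif flag == "OPTIONAL":
            any_ok = any_ok or ok
        else:
            raise ValueError(f"unknown control flag: {flag}")

    if mandatory_failed:
        return False
    # With no REQUIRED/REQUISITE provider, at least one other must succeed.
    return True if has_mandatory else any_ok


LOCAL_USERS = {"weblogic"}            # constructed: embedded LDAP account
AD_USERS = {"OBIA_Weblogic", "jdoe"}  # constructed: accounts that exist only in AD

# AD provider added, DefaultAuthenticator left at REQUIRED (assumed default).
BEFORE = [("DefaultAuthenticator", "REQUIRED", LOCAL_USERS),
          ("ADProvider", "SUFFICIENT", AD_USERS)]
# After the last step of 1.3: both providers SUFFICIENT.
AFTER = [("DefaultAuthenticator", "SUFFICIENT", LOCAL_USERS),
         ("ADProvider", "SUFFICIENT", AD_USERS)]

if __name__ == "__main__":
    for label, chain in (("before", BEFORE), ("after", AFTER)):
        for user in ("weblogic", "jdoe", "nobody"):
            print(label, user, authenticate(chain, user))
```

With DefaultAuthenticator still REQUIRED, an account that exists only in AD is rejected even though the AD provider accepts it; with both flags SUFFICIENT, either store can authenticate the user and an unknown user is still refused.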

1.4 Check If Integration Works

Log in to the WebLogic admin console and go to the Provider list. Click on the Users and Groups tab.
Check that users and groups from Active Directory are listed.

1.5 Security Provider Configuration

Click “WebLogic Domain” menu in Enterprise Manager. Click “Security Provider Configuration” menu item under Security sub-menu.



Add the following property to the custom properties.

| Property Name | Value |
|---|---|
| virtualize | true |

Now we should be able to log in to the environment both with users from our default authenticator and with users from Active Directory.

