This article shows how to configure WebLogic so that OBIEE authenticates against Active Directory.
Once the AD domain is recognised as a valid user store for Oracle BI, users can log in to Oracle BI EE with the same credentials they use to log in to the Windows domain.
Each security realm must have at least one Authentication provider configured.
The WebLogic Security Framework supports multiple Authentication providers (and thus multiple LoginModules) for multipart authentication (since version 11.5). Therefore, you can use multiple Authentication providers as well as multiple types of Authentication providers in a security realm. Authentication providers are called in the order in which they were configured in the security realm.
When a user is authenticated into WebLogic Server, an authentication provider creates a subject with a set of user and group principals, which include the user and group names, respectively. The LDAP Authentication providers included in WebLogic Server also store the guid and LDAP distinguished name (DN) data of users and groups as attributes of those principals.
See Weblogic - Login Module (Control Flag and authentication flow)
In the Oracle BI Administration Tool, the user used for the Ldap - Configuration Parameters in the LDAP Server section must have both ldap_bind and ldap_search authority.
The steps in this document have been tested with the following configurations:
- OBIEE 11: this document will not work with OBIEE 11g (11.1.1.3) because that release does not support chaining of authenticators.
- OBIEE 12: set the critical node to false, otherwise you may get this behaviour. See OBIEE 11g: Error: “Unable to Sign In An error occurred during authentication.” When You Try to Log in and One of Multiple Authentication Providers is Down.
You can see the value of an LDAP attribute by using an LDAP client, for instance JXplorer.
Attribute Name | Required Setting |
---|---|
UserNameAttribute | AUserAttribute |
AllUsersFilter | (&(AUserAttribute=*)(objectclass=person)) |
UserFromNameFilter | (&(AnOtherUserAttribute=%u)(objectclass=person)) |
where, for Active Directory, AUserAttribute is typically sAMAccountName (the Windows logon name, the same attribute given to user.login.attr below). Note that there must be no space between the attribute name and the = sign: an attribute name cannot contain whitespace, so "(AUserAttribute =*)" is a syntax error rather than a presence filter.
For the Groups
Attribute Name | Value |
---|---|
Static Group Name Attribute | AnAttribute |
AllGroupsFilter | (&(AnAttribute=*)(objectclass=group)) |
GroupFromNameFilter | (&(AnAttribute=%g)(objectclass=group)) |
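To see what these user and group filters actually return before pointing WebLogic at the domain, the following is an added example (it is not code from the original page, from WebLogic or from Oracle) that evaluates the filters offline against a few constructed AD-style entries. It assumes sAMAccountName as the user attribute and cn as the group attribute. It shows three things a practitioner wants checked: a space before the = sign makes the filter invalid, a value substituted for %u must be escaped per RFC 4515 so that a user name of * (or one containing parentheses) cannot rewrite the filter, and in Active Directory computer accounts also carry objectClass person, so the filters above match them as well; the last filter is a tighter variant that excludes them. The names AD_ENTRIES, search, parse_filter and USER_FROM_NAME_NO_COMPUTERS are this example's own.

```python
import re

# Constructed sample of what an AD domain controller might return for three
# objects (not real data). Values are lists: LDAP attributes are multi-valued.
# Note the computer account: in AD it carries objectClass "person" as well.
AD_ENTRIES = [
    {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=com",
     "sAMAccountName": ["jdoe"], "displayName": ["Jane Doe"],
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"dn": "CN=WS01,OU=Computers,DC=example,DC=com",
     "sAMAccountName": ["WS01$"],
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"]},
    {"dn": "CN=BI Admins,OU=Groups,DC=example,DC=com",
     "cn": ["BI Admins"], "objectClass": ["top", "group"]},
]

# The filters from the tables above with sAMAccountName / cn filled in.
ALL_USERS = "(&(sAMAccountName=*)(objectclass=person))"
USER_FROM_NAME = "(&(sAMAccountName=%u)(objectclass=person))"
GROUP_FROM_NAME = "(&(cn=%g)(objectclass=group))"
# Tighter variant (assumption of this example): exclude AD computer accounts.
USER_FROM_NAME_NO_COMPUTERS = "(&(sAMAccountName=%u)(objectClass=user)(!(objectClass=computer)))"

# RFC 4512 attribute description: letters, digits and hyphens, no whitespace.
ATTR_DESC = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*")


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter. Without it a
    user name such as '*' or 'x)(cn=*' rewrites the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the RFC 4515 subset used here (&, |, !, equality, presence) into
    a tree: ('&'|'|'|'!', [children]) or ('=', attribute, value)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|", "!"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item in %r" % text)
        attr, sep, value = text[pos:end].partition("=")
        # "(sAMAccountName =*)" is a syntax error, not a presence filter.
        if not sep or not ATTR_DESC.fullmatch(attr):
            raise ValueError("invalid attribute description %r" % attr)
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter in %r" % text)
    return tree


def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    # Attribute names are case-insensitive; AD string matching is too.
    vals = [v for k, vs in entry.items()
            if k != "dn" and k.lower() == attr.lower() for v in vs]
    if value == "*":
        return bool(vals)
    wanted = unescape_filter_value(value).lower()
    return any(v.lower() == wanted for v in vals)


def search(template, entries, **subst):
    """Fill %u / %g with escaped values and return the DNs the filter matches."""
    text = template
    for key, val in subst.items():
        text = text.replace("%" + key, escape_filter_value(val))
    tree = parse_filter(text)
    return [e["dn"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    print(search(ALL_USERS, AD_ENTRIES))                 # includes WS01$
    print(search(USER_FROM_NAME, AD_ENTRIES, u="*"))     # escaped: nothing
    print(search(USER_FROM_NAME_NO_COMPUTERS, AD_ENTRIES, u="WS01$"))
    print(search(GROUP_FROM_NAME, AD_ENTRIES, g="BI Admins"))
    try:
        parse_filter("(&(sAMAccountName =*)(objectclass=person))")
    except ValueError as exc:
        print("rejected:", exc)
```

Run it against your own filters by editing the templates; if AllUsersFilter lists computer accounts (sAMAccountName ending in $) in your directory, tighten the objectClass part as in the last template before using it in WebLogic.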
Identity Store settings are reached via the Security Provider Configuration screen in Enterprise Manager: select Weblogic Domain → bifoundation_domain → (right click) Security → Security Provider Configuration.
Set the property virtualize to true.
This property can be either true (multi-LDAP lookup: all configured authentication providers are searched) or false (single-LDAP lookup: only the first authentication provider is searched). The default is false.
Verification:

```sh
MY_DOMAIN=bi   # in 12c; bifoundation_domain in 11g
grep -n virtualize $FMW_HOME/user_projects/domains/$MY_DOMAIN/config/fmwconfig/jps-config.xml
```

The property must appear inside the idstore.ldap service instance:

```xml
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <description>LDAP Identity Store Service Instance</description>
  <property name="virtualize" value="true"/>
  <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
</serviceInstance>
```
OPTIMIZE_SEARCH must be set to true. This setting is only needed for older versions; check the documentation for your release.
Oracle Business Intelligence uses a specific user for the configured authentication provider for internal communication; you can create a new user in the external LDAP or use the pre-existing user in WebLogic. This is no longer needed from version 11.7 onwards.
If you changed the UserNameAttribute from its default, you also need to add two properties to the Identity Store configuration (user.login.attr and username.attr) to tell it which attribute the user name is read from (it defaults to uid if none is specified):

Property | Value |
---|---|
user.login.attr | sAMAccountName |
username.attr | displayName |
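The grep above only shows whether the word virtualize is present. As an added example (not code from this page or from Oracle), the following reads the idstore.ldap service instance of a jps-config.xml and reports the settings described above: virtualize left at its default while more than one authentication provider is configured, a user.login.attr that does not match the chosen UserNameAttribute, a missing username.attr and, optionally, OPTIMIZE_SEARCH for older releases. It then writes the corrected values back. The sample file is constructed in the shape of the fragment shown above (only the identity store instance is kept); check_idstore, set_property and the authenticators argument are this example's own names.

```python
import xml.etree.ElementTree as ET

# Constructed jps-config.xml fragment in the shape of the file under
# $DOMAIN_HOME/config/fmwconfig/ (only the identity store instance is kept).
# Here virtualize was left at its default and username.attr was not added.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <description>LDAP Identity Store Service Instance</description>
      <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
      <property name="virtualize" value="false"/>
      <property name="user.login.attr" value="sAMAccountName"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Strip the XML namespace so lookups work whatever prefix the file uses."""
    return tag.rsplit("}", 1)[-1]


def _find_instance(root, instance):
    for el in root.iter():
        if _local(el.tag) == "serviceInstance" and el.get("name") == instance:
            return el
    raise LookupError("no serviceInstance named %r" % instance)


def idstore_properties(xml_text, instance="idstore.ldap"):
    """Return the <property name=... value=.../> pairs of the identity store instance."""
    inst = _find_instance(ET.fromstring(xml_text.encode("utf-8")), instance)
    return {p.get("name"): p.get("value") for p in inst if _local(p.tag) == "property"}


def check_idstore(xml_text, authenticators=2, login_attr="sAMAccountName",
                  require_optimize_search=False):
    """Compare the identity store settings with what this page asks for.
    Returns (properties, issues); an empty issues list means nothing to fix."""
    props = idstore_properties(xml_text)
    issues = []
    if authenticators > 1 and props.get("virtualize", "false").lower() != "true":
        issues.append("virtualize is not true: with several authentication providers "
                      "only the first one is searched")
    if props.get("user.login.attr", "uid") != login_attr:
        issues.append("user.login.attr is %r, expected %r"
                      % (props.get("user.login.attr", "uid"), login_attr))
    if "username.attr" not in props:
        issues.append("username.attr is missing (display name attribute)")
    if require_optimize_search and props.get("OPTIMIZE_SEARCH", "").lower() != "true":
        issues.append("OPTIMIZE_SEARCH is not true (older releases only)")
    return props, issues


def set_property(xml_text, name, value, instance="idstore.ldap"):
    """Return the document with <property name=... value=.../> set or added on the instance."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    inst = _find_instance(root, instance)
    ns = inst.tag[: inst.tag.rfind("}") + 1] if inst.tag.startswith("{") else ""
    if ns:  # keep the default namespace instead of an ns0: prefix on output
        ET.register_namespace("", ns[1:-1])
    for p in inst:
        if _local(p.tag) == "property" and p.get("name") == name:
            p.set("value", value)
            break
    else:
        ET.SubElement(inst, ns + "property", name=name, value=value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    props, issues = check_idstore(SAMPLE_JPS_CONFIG)
    for issue in issues:
        print("-", issue)
    fixed = set_property(SAMPLE_JPS_CONFIG, "virtualize", "true")
    fixed = set_property(fixed, "username.attr", "displayName")
    print(check_idstore(fixed)[1])
```

Point it at the real file by reading $FMW_HOME/user_projects/domains/$MY_DOMAIN/config/fmwconfig/jps-config.xml into xml_text; keep a backup before writing the result back, and restart the domain for the change to take effect.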
The system user profile could not be found in the identity store
This error shows up in many logs. Example:

```
System user validation failed - the system user profile could not be found in the identity store.
oracle.bi.security.service.UserProfileNotFoundException
Unable to initialize oracle.bi.security.service.SecurityServiceBean
```

```
[2014-07-07T13:41:41.000+02:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004zPZpJz5EFO9WFLzrI8A0007V3000000] [tid: 6f893700] An error message was received from the BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
[2014-07-07T13:41:41.000+02:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004zPZpJz5EFO9WFLzrI8A0007V3000000] [tid: 6f893700] [13026] Error in getting roles from BI Security Service: 'An error message was received from the BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.'
```

When a new LDAP provider is added in front of the existing one, WebLogic looks for the bisystemuser in the first provider; with virtualize left at false only that provider is searched, so a system user that lives in a later provider (typically the embedded WebLogic LDAP of the DefaultAuthenticator) is not found. The providers must also be able to return a result directly, so their control flag must be SUFFICIENT rather than REQUIRED: a REQUIRED provider that does not know the user fails the whole login, whereas a SUFFICIENT provider that finds the user returns immediately and one that does not passes control to the next provider.
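To pick this failure out of a busy log, the following is an added example (not code from the page or from Oracle) that parses the ODL-style lines quoted above, groups ERROR records by ecid so that both lines are recognised as one failed request, and attaches the check described on this page for code OBI-SEC-00101. The page's own two log lines are the sample input; the KNOWN_CODES wording, parse_odl_line and triage are this example's own.

```python
import re
from collections import defaultdict

# The two lines from the log excerpt above, used as sample input.
SAMPLE_LOG = """\
[2014-07-07T13:41:41.000+02:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004zPZpJz5EFO9WFLzrI8A0007V3000000] [tid: 6f893700] An error message was received from the BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
[2014-07-07T13:41:41.000+02:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 004zPZpJz5EFO9WFLzrI8A0007V3000000] [tid: 6f893700] [13026] Error in getting roles from BI Security Service: 'An error message was received from the BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.'
"""

# Error codes this example knows and the check the page associates with them
# (wording is this example's own).
KNOWN_CODES = {
    "OBI-SEC-00101": "system user profile not found: check the provider order, "
                     "that the provider holding the system user is up and "
                     "SUFFICIENT, and that virtualize=true so all providers are searched",
}

# Leading "[field] [field] ..." groups, then the free-text message.
HEAD = re.compile(r"^((?:\[[^\]]*\]\s*)+)(.*)$")


def parse_odl_line(line):
    """Split one ODL line into timestamp, component, level, ecid/tid and message."""
    m = HEAD.match(line)
    if not m:
        return None
    fields = re.findall(r"\[([^\]]*)\]", m.group(1))
    if len(fields) < 3:
        return None
    rec = {"timestamp": fields[0], "component": fields[1],
           "level": fields[2].split(":")[0], "message": m.group(2)}
    for f in fields[3:]:              # "ecid: ...", "tid: ...", or an empty slot
        key, sep, val = f.partition(": ")
        if sep:
            rec[key] = val
    code = re.search(r"\[(OBI-SEC-\d+)\]", rec["message"])
    rec["code"] = code.group(1) if code else None
    return rec


def triage(log_text):
    """Group ERROR records by ecid (one ecid = one request) and add a diagnosis."""
    by_ecid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_odl_line(line)
        if rec and rec["level"] == "ERROR":
            by_ecid[rec.get("ecid", "-")].append(rec)
    findings = []
    for ecid, recs in by_ecid.items():
        codes = sorted({r["code"] for r in recs if r["code"]})
        findings.append({"ecid": ecid, "lines": len(recs), "codes": codes,
                         "diagnosis": [KNOWN_CODES[c] for c in codes if c in KNOWN_CODES]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["ecid"], finding["lines"], finding["codes"])
        for d in finding["diagnosis"]:
            print("  ->", d)
```

Feed it the obis1 or bi_server1 diagnostic log instead of SAMPLE_LOG; the ecid lets you correlate the same failed request across the BI Server and WebLogic managed server logs.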