OBIEE 10G - Authentication

About

The legacy authentication methods supported by BI Server are:

  • External LDAP-based directory server
  • External initialization block authentication
  • Table-based

A user can be defined:

  • in the repository
  • or in an external source (such as LDAP, external table, …)

When a User exists in both the repository and in an external source (such as LDAP servers), the local repository User definition takes precedence. This rule allows the OBIEE Server Administrator to override users that exist in an external security system.

LDAP

Instead of storing user names and passwords in the BI Server, OBIEE passes the user's user name and password to an LDAP server for authentication.

Associating USER with an LDAP initialization block determines that USER is authenticated by LDAP. Whenever a user logs into OBIEE, the user name and password are passed to the LDAP server for authentication. After the user is authenticated successfully, other session variables for the user might also be populated from information returned by the LDAP server.

To configure LDAP authentication, you perform the following tasks:

  • Create an LDAP initialization block.
  • Associate this initialization block with an LDAP server.
  • Define a system variable called USER.
  • Associate the USER system variable with the LDAP initialization block.

If OBIEE gets a positive response from the LDAP server, you are authenticated.

At this point, you don't belong to any group, and if the permissions are not restrictive, you can see all data (as in the SH repository).

To set up a restrictive authorization process, you can set the DEFAULT_PRIVILEGES parameter to NONE in the file NQSConfig.INI.
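A check for this setting, as an added example that is not part of the original article or of Oracle's tooling: it parses NQSConfig.INI text and reports whether DEFAULT_PRIVILEGES is NONE. The `[ SECURITY ]` section name, the `#` comment syntax, the `;` terminator and the sample file content are assumptions made for the example, and an unset parameter is treated as a finding.

```python
import re

# Constructed sample modelled on the NQSConfig.INI layout; not a real server file.
SAMPLE_INI = """\
[ REPOSITORY ]
Star = sh.rpd, DEFAULT;

[ SECURITY ]
# DEFAULT_PRIVILEGES = NONE;
DEFAULT_PRIVILEGES = READ;   # objects without an explicit grant stay readable
"""

SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")
PARAM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*;?$")


def read_parameters(text):
    """Return {(SECTION, NAME): value}; '#' starts a comment (assumed syntax)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1).upper()
            continue
        match = PARAM_RE.match(line)
        if match:
            params[(section, match.group(1).upper())] = match.group(2)
    return params


def audit_default_privileges(text):
    """Return (ok, message) for the DEFAULT_PRIVILEGES hardening step."""
    value = read_parameters(text).get(("SECURITY", "DEFAULT_PRIVILEGES"))
    if value is None:
        return False, "DEFAULT_PRIVILEGES is not set in [SECURITY]; set it to NONE"
    if value.upper() == "NONE":
        return True, "DEFAULT_PRIVILEGES = NONE; access needs an explicit grant"
    return False, f"DEFAULT_PRIVILEGES = {value}; users without a group can read data"


if __name__ == "__main__":
    print(audit_default_privileges(SAMPLE_INI))
    print(audit_default_privileges(SAMPLE_INI.replace("= READ;", "= NONE;")))
```

A commented-out `DEFAULT_PRIVILEGES = NONE;` line does not count as set, which is the case the sample file exercises.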

See this article: OBIEE 10G - How to configure BI Server against the LDAP of ADSI ? This article talks about LDAP authentication without SSL. If you need to use SSL, it's here: OBIEE 10G - LDAP over SSL with Global Security Kit (GSKit).

Importing of user information into the repository is supported on regular LDAP servers, but not supported on ADSI servers.

OBI EE can connect to an LDAP server and authenticate a user with user and password credentials, but it is limited in its ability to extract the groups defined within the LDAP server and to leverage these groups in the repository. The workaround would allow the admin to reuse the groups in the LDAP server using the DBMS_LDAP package available within the Oracle Database. More … Accessing Groups in LDAP for use in Oracle Business Intelligence

Order of Authentication

If the user does not type a logon name, then OS authentication is triggered, unless OS authentication is explicitly turned off in the NQSConfig.INI file.

Additionally, OS authentication is not used for Oracle BI Presentation Services users. (For more information, refer to the OBIEE Deployment Guide.)

The Oracle BI Server populates session variables using the initialization blocks, in the order specified by the dependency rules defined in the initialization blocks.

If the server finds the session variable USER, it performs authentication against an LDAP server or an external database table, depending on the configuration of the initialization block with which the USER variable is associated.

Oracle BI Server internal authentication (or, optionally, database authentication) occurs only after these other possibilities have been considered.

