Integrating Active Directory with OBIEE 11g

Posted by Stephen Goldsmith

Sep 28, 2011 11:56:51 AM

OBIEE 11g provides a number of different ways to integrate with authentication services. This post shows how to authenticate users against an existing Active Directory (AD) domain.

Log into the WebLogic Administration Console (http://host:7001/console).

Click on Security Realms, then click on myrealm.

Click on Providers

Click on Lock & Edit, then open the DefaultAuthenticator.

Make the DefaultAuthenticator optional (set its Control Flag to OPTIONAL).

Gather the required information for Active Directory, and make sure to verify it. The most common mistake with any LDAP setup in 11g is the connection information. Unfortunately, there is no way to test connectivity through the WebLogic console. Instead, download an LDAP query tool like LDAP soft, or better yet, just copy the settings from another system that already interfaces with AD. Here is a list of the info that you will need.

AD Host: AD server name/IP

Port: 389 (389 is the default for non-SSL active directory instances)

Principal DN: This is the full distinguished name of the user that will search the AD tree for all other users. It need not be an administrator, but it does need permission to see every user that you want to have access to OBIEE.

Credential: password for the principal user

User Base DN: This is the level at which the user search begins. If you aren't sure, just ask your AD administrator.

User Name Attribute: sAMAccountName is the default.

User Object Class: user is the default. (Be careful: sometimes you may need to set this to another value. Try * if you are having issues seeing users through WebLogic.)

Create a new Provider by clicking new

Enter a Name (ADProvider, for example) and select ActiveDirectoryAuthenticator as the type.

Add the provider specific settings that we discussed above for your new authenticator.

Go back and make sure that your AD Authenticator is also optional (Control Flag set to OPTIONAL).

Restart the BI and Admin servers. Log back into the console and view Users and Groups. You should now see all the LDAP users, along with any other users that were defined in the WebLogic console.

Reorder providers so that your AD provider comes first.

You will need to create a generic user in AD to mimic what BISystemUser does for the default authenticator. You can either create a user called BISystemUser, or just use an existing user. If you are adding a user called BISystemUser, make sure to delete BISystemUser from the default authenticator.

First, log into Enterprise Manager, then go into Credentials.

Select system.user and click Edit.

If you have created a BISystemUser in AD, then enter its password. If not, pick a different user, and enter that user's name in place of BISystemUser, along with its password.

Next, you need to tell OBIEE which attribute to read the username from. Stay in EM and go into the security provider configuration.

Click Configure

Add a custom property

Add user.login.attr with a value of sAMAccountName

Add username.attr with a value of sAMAccountName

Once you are finished, your identity store configuration should look like this

Now you can restart the services and assign the user to an application role.

Go to Application Roles in Enterprise Manager.

Search for all obi application roles, then click on the BISystem role.

Click add user

When you query users, the LDAP users will not be listed as available users, but if you enter the entire username and search, the user will appear in the Available Users box. Once it appears, move it over to Selected Users and click OK.

Now you should be able to log in as any authorized LDAP user. Keep in mind that you will no longer be able to log into the application as your WebLogic user, because of the BISystemUser name you changed in Enterprise Manager.

Blog author: Brian Makarewicz

Brian is a contributing blog author on the Business Intelligence Practice team at BizTech.

Topics: Oracle Business Intelligence