Configuring LDAP Authentication for OBIEE 11g


  • 8/10/2019 Configuring LDAP Authentication for OBIEE 11g


    This blog shows an example of how to configure LDAP authentication for OBIEE 11g (11.1.1.6) using Active Directory. Configuring LDAP authentication is a complex process, so below simply shows the steps I went through - additional steps may be required, especially if using an LDAP other than AD.

    Rather than modify the existing default 'myrealm' security realm in Weblogic, these instructions show the setting up of a new realm - this enables the original realm to be reinstated easily should problems occur. Hence why this is a somewhat lengthy posting.

    Log in to the Weblogic console.

    Click on Security Realms in the Domain Structure panel on the left hand side

    We do not want to alter the default myrealm security realm as this is our back-out route should anything go wrong. As we are dealing with security, a mistake could prevent the weblogic user from being able to log in, so we'll retain the ability to revert back to the default realm.

    Before we can make changes we have to lock the session. Click the Lock & Edit button in the top left corner:


    In the Realms list, the New button is now available, so click it.

    In the Create a New Realm screen enter a name for the Realm, leave the Ignore Deploy Credential Mapping check box un-ticked and click ok.

    This may generate some errors because the new Realm isn't set up properly. If you get these, click the Cancel button and the Realm will still be created.

    The first thing we need to do is set up the new Realm in exactly the same way as the default myrealm. Unfortunately there isn't a copy option.


    Click on the new Realm name.

    In the settings screen, click on the Providers tab then the Authentication sub-tab

    Under Application Providers, click New:

    Enter the name of DefaultAuthenticator (must match exact case and spelling) and select the type DefaultAuthenticator from the drop down box. Click Ok.


    You can now see this new provider. Click on the provider name to edit its settings.

    In the common tab, change the Control Flag to REQUIRED. Click save.

    In the Provider Specific tab, check the Use Retrieved User Name As Principal, leave the other checkboxes unchecked and set the final three options to 8, unlimited and 0 respectively. Click Save.


    To return to the Providers list, click the Providers link in the breadcrumb trail at the top of the screen:

    Now click New again.

    This time enter the name DefaultIdentityAsserter (must match exact case and spelling) and select DefaultIdentityAsserter from the drop down list. Click Ok.


    Now click on DefaultIdentityAsserter.

    In the common tab select the AuthenticatedUser option from the list of Active Types and click the icon to move it to the chosen window. Click Save.

    In the Provider Specific tab leave the default settings in place.


    Now click the providers list in the breadcrumb trail again.

    Now still under the Providers tab, click the Password Validation sub-tab

    Click New.


    Enter the name of SystemPasswordValidator (must match exact case and spelling) and select the type SystemPasswordValidator from the drop down box. Click Ok.

    Now click on the SystemPasswordValidator to edit its settings.

    Go to the Provider Specific tab and change the minimum password length to 8. The other settings in this screen all relate to the contents of passwords and can be left at the default values unless you want to alter them to specific values.

    Click Save.

    Now click the providers list in the breadcrumb trail again. Then select the Authorization sub-tab:


    Click New.

    Enter the name of XACMLAuthorizer (must match exact case and spelling) and select the type XACMLAuthorizer from the drop down box. Click Ok.

    There are no configuration settings required for the Authorization Provider.

    Now select the Adjudication sub-tab.

    Click New.


    Enter the name of DefaultAdjudicator (must match exact case and spelling) and select the type DefaultAdjudicator from the drop down box. Click Ok.

    There are no configuration settings required for the Adjudication Provider.

    Now select the Role Mapping sub-tab.

    Click New.


    Enter the name of XACMLRoleMapper (must match exact case and spelling) and select the type XACMLRoleMapper from the drop down box. Click Ok.

    There are no configuration settings required for the Role Mapping Provider.

    Now select the Credential Mapping sub-tab.

    Click New.


    Enter the name of DefaultCredentialMapper (must match exact case and spelling) and select the type DefaultCredentialMapper from the drop down box. Click Ok.

    There are no configuration settings required for the Credential Mapping Provider.

    Now select the Certification Path sub-tab.

    Click New.


    Select WebLogicCertPathProvider from the drop down pick-list. Click Next.

    Enter WebLogicCertPathProvider as the name of the provider. Click Next.


    Leave the Replace Existing Builder as unchecked. Click Finish.

    Now click on the WebLogicCertPathProvider to edit its settings.

    In the Common tab, check the Current Builder check box. Click Save.

    Now click the providers list in the breadcrumb trail again.

    The basic configuration of the new realm is now complete.

    Click the Activate Changes button in the top left corner.

    If successful this returns the following message:

    We now need to restart the Weblogic service. Log out of the console and perform a full shutdown and restart of OBIEE and Weblogic.


    Then log back into the Weblogic Console.

    We now have a duplicate realm set up, but there are no users in it. Later on we'll be setting up a third provider to connect to the Active Directory server, but before then there are a few internal users required.

    These however can be copied from the default myrealm realm.

    Click on the Security Realm link in the Domain Structure window again.

    Click on myrealm.

    Click on the Migration tab, then the Export sub-tab. Create a directory to store the realm export files, enter it into the Export Directory on Server: field and check the Overwrite option.

    Click Save to perform the export.

    This creates a number of files in the export directory:

    Now click on the Security Realms link in the Domain Structure window again. This time click on the new LDAP_Realm. Again go to the Migration tab, but this time select the Import sub-tab.


    Enter the export directory path again and click Save. You should see the following messages:

    We are now ready to create the Authentication Provider to connect to the Active Directory server.

    Click the Lock & Edit button again.

    Now click on the Providers tab, then the Authentication sub-tab.

    Click the New button again.


    Enter a name for the Provider, e.g. MSAD_Provider and select the appropriate LDAP Authenticator, in this case ActiveDirectoryAuthenticator, from the drop down list. Click Ok.

    Click on MSAD_Provider to edit its details.

    In the Common tab, change the Control Flag to SUFFICIENT. Click Save.

    In the Provider Specific tab enter the following details, adjusting them to suit your environment.

    Field                                     Value
    Host                                      localhost
    Port                                      389
    Principal                                 CN=Administrator,CN=Users,DC=obiee,DC=local,DC=com
    Credential & Confirm Credential           Enter the password for the Administrator user in Active Directory.
    SSLEnabled                                No
    User Base DN                              CN=Users,DC=obiee,DC=local,DC=com
    All Users Filter                          (|(memberOf=CN=Users,DC=obiee,DC=local,DC=com))
    User From Name Filter                     (&(uid=%u)(objectclass=user))
    User Search Scope                         subtree
    User Name Attribute                       cn
    User Object Class                         User
    Use Retrieved User Name as Principal      No
    Group Base DN                             CN=Users,DC=obiee,DC=local,DC=com
    All Groups Filter                         (&(uid=*)
    Group From Name Filter                    (&(cn=%g)(objectclass=group))
    Group Search Scope                        subtree
    Group Membership Searching                unlimited
    Max Group Membership Search Level         0
    Ignore Duplicate Membership               No
    Static Group Name Attribute               cn
    Static Group Object Class                 group
    Static Member DN Attribute                member
    Static Group DNs from Member DN Filter    (&(member=%M)(objectclass=group))
    Dynamic Group Name Attribute              Leave blank
    Dynamic Group Object Class                Leave blank
    Dynamic Member URL Attribute              Leave blank
    User Dynamic Group DN Attribute           Leave blank
    Connection Pool Size                      6
    Connect Timeout                           0
    Connection Retry Limit                    1
    Parallel Connect Delay                    0
    Results Time Limit                        0
    Keep Alive Enabled                        No
    Follow Referrals                          Yes
    Bind Anonymously On Referrals             No
    Propagate Cause For Login Exception       No
    Cache Enabled                             yes
    Cache Size                                32
    Cache TTL                                 60
    GUID Attribute                            Objectguid

    Note: If you don't know the DN details for your users and groups, with Active Directory you can discover these using the dsquery command from a command prompt.
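
    The filter, transport and bind-account values in the table can be checked before they are typed into the console. The linter below is an added example, not part of the original post or of WebLogic: PAGE_SETTINGS copies the values as transcribed in the table, and the function names are this example's own.

```python
import re

class FilterError(ValueError):
    """Raised when text is not a well-formed LDAP search filter."""

_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")
_OP = re.compile(r"~=|>=|<=|=")

def parse_filter(text, pos=0):
    """Parse one RFC 4515 filter at text[pos]; return (tree, next_pos).
    Nodes are (op, [children]) for & | ! and (attr, op, value) for items;
    extensible-match items (attr:rule:=value) are not handled."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise FilterError("'%s' has the wrong number of sub-filters" % op)
        node = (op, children)
    else:
        attr = _ATTR.match(text, pos)
        oper = _OP.match(text, attr.end()) if attr else None
        if not oper:
            raise FilterError("expected attribute and operator at offset %d" % pos)
        end = oper.end()
        while end < len(text) and text[end] not in "()":
            end += 1
        node, pos = (attr.group(), oper.group(), text[oper.end():end]), end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError("missing ')' at offset %d" % pos)
    return node, pos + 1

def check_filter(text):
    """Return None if text is exactly one well-formed filter, else the error."""
    try:
        end = parse_filter(text)[1]
    except FilterError as exc:
        return str(exc)
    return None if end == len(text) else "unexpected text at offset %d" % end

def attrs_using(tree, token):
    """List the attributes whose assertion value contains token (e.g. %u)."""
    if isinstance(tree[1], list):
        return [a for child in tree[1] for a in attrs_using(child, token)]
    return [tree[0]] if token in tree[2] else []

# Placeholder that each template filter in the table is expected to carry.
PLACEHOLDERS = {
    "User From Name Filter": "%u",
    "Group From Name Filter": "%g",
    "Static Group DNs from Member DN Filter": "%M",
}

def lint_provider(settings):
    """Return (field, finding) pairs for one LDAP authenticator's settings."""
    findings = []
    for field, value in settings.items():
        if not field.endswith("Filter"):
            continue
        error = check_filter(value)
        if error:
            findings.append((field, "not a valid LDAP filter: " + error))
        elif PLACEHOLDERS.get(field, "") not in value:
            findings.append((field, "placeholder %s is missing" % PLACEHOLDERS[field]))
    name_attr = settings.get("User Name Attribute", "")
    lookup = settings.get("User From Name Filter", "")
    if check_filter(lookup) is None:
        for attr in attrs_using(parse_filter(lookup)[0], "%u"):
            if attr.lower() != name_attr.lower():
                findings.append(("User From Name Filter", "matches on '%s' but "
                                 "User Name Attribute is '%s'" % (attr, name_attr)))
    if settings.get("SSLEnabled", "No").lower() != "yes":
        findings.append(("SSLEnabled", "bind and user passwords cross the network in clear text"))
    if settings.get("Principal", "").split(",")[0].strip().lower() == "cn=administrator":
        findings.append(("Principal", "binds as Administrator; lookups need only a read-only account"))
    return findings

# Values as transcribed in the provider table above.
PAGE_SETTINGS = {
    "Principal": "CN=Administrator,CN=Users,DC=obiee,DC=local,DC=com",
    "SSLEnabled": "No",
    "All Users Filter": "(|(memberOf=CN=Users,DC=obiee,DC=local,DC=com))",
    "User From Name Filter": "(&(uid=%u)(objectclass=user))",
    "User Name Attribute": "cn",
    "All Groups Filter": "(&(uid=*)",
    "Group From Name Filter": "(&(cn=%g)(objectclass=group))",
    "Static Group DNs from Member DN Filter": "(&(member=%M)(objectclass=group))",
}

if __name__ == "__main__":
    for field, finding in lint_provider(PAGE_SETTINGS):
        print("%-24s %s" % (field, finding))
```

    Run against the table as transcribed, it reports the unclosed All Groups Filter, the uid/cn mismatch in the user lookup, the unencrypted bind on port 389 and the Administrator bind account.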


    When complete, click Save. Return to the Providers list.

    We now need to change the order so that the MSAD_Provider is first in the list. Click the Reorder button.

    Check the MSAD_Provider option and click the icon to put it top. Then click Ok.


    The new Security Realm is now set up, but before we activate it we need to check it is working correctly.

    Click the Activate Changes button to save all recent changes, then log out of the console and perform a full restart of Weblogic and OBIEE again.

    Once complete, log back into the console.

    Click on Security Realms, then the new LDAP_Realm and finally click on the Users and Groups tab.

    Click on Customize this table. In the Filter window that opens up, enter the name of a user in the Criteria field and click apply.

    The user you entered should now appear in the user list. If it does not then something is not right with the new provider details.


    Return to the Providers tab, click on the MSAD_Provider, then the Provider Specific sub-tab and recheck all of the details, especially the User Base DN, Group Base DN and Principal & Credential fields. You will then need to restart Weblogic again and perform this test again before continuing.

    If the configuration is correct you will see the user and note that the Provider of the user is MSAD_Provider.

    You can use wild cards to see users, e.g. entering the Criteria of p* returns:

    If you click on one of the users you see which groups they belong to, also picked up from the LDAP:

    Similarly you can view the Groups being picked up from the LDAP:

    If all is correct we now need to configure the domain to make this new realm the default one for Weblogic.

    First click the Lock & Edit button. Then in the Domain Structure panel, click on the bifoundation_domain link.

    Go to the Security tab and change the Default Realm option to Realm. Then click Save.


    Click the Activate Changes button again, then log out of the console and perform a full restart of Weblogic and OBIEE again.

    Now that Weblogic is configured to allow authentication to Active Directory, OBIEE itself needs to be instructed to tell Weblogic to use it.

    Log in to the Fusion Enterprise Manager:

    Expand the Weblogic Domain, then right-click on bifoundation_domain and select Security -> Security Provider Configuration

    If the Identity Security Store section is compressed, click the + icon to expand it:

    Then click on Configure.

    Click the Add icon. For the new property enter the name of user.login.attr and the value of cn. Click ok.

    Repeat this to add two more properties:

    Name: username.attr value: cn
    Name: virtualize value: true

    Note, if the LDAP does not have a GUID (Global User ID field), then OBIEE needs to be altered to use a different field as the unique identifier. This is done by adding a fourth property in this screen:

    Name: PROPERTY_ATTRIBUTE_MAPPING value: GUID=cn

    The value is the entire string 'GUID=cn', where cn is the alternative attribute in the LDAP - it can be any field, not just cn, however usually cn is the user-name and hence will be unique if no other specifically unique field exists.

    The final step is to give users permission to log in. From the menu in the left hand pane expand Business Intelligence and select coreapplication.

    From the Business Intelligence Instance menu select Security -> Application Roles

    Normally at this point you would assign the Active Directory groups to the BI Roles in this screen. For now, however, we are simply going to allow any authenticated user to log in as an Administrator.

    Click on BIAdministrator and then click the Edit icon.

    Click the Add icon.

    Leave the type as Application Role and just click the go icon. When the list of roles appears, select authenticated-role and click OK.

    Back in the Edit Application Role screen click OK to save the change. Finally perform a full restart of Weblogic and OBIEE again. You should be able to log in to OBIEE with an LDAP user-id and password.
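
    The last step adds authenticated-role to BIAdministrator, so every directory user who can log in is an administrator until AD groups are mapped to the BI roles. The following is an added example, not part of the original post, that audits a policy store export for that grant; the XML layout (application stripe obi, app-role/members/member) is an assumption about a file-based system-jazn-data.xml, and the sample data and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the audit reads. The layout is
# assumed (file-based policy store); check it against your own file.
SAMPLE = """<jazn-data><policy-store><applications><application>
 <name>obi</name>
 <app-roles>
  <app-role><name>BIAdministrator</name><members>
   <member><name>BIAdministrators</name></member>
   <member><name>authenticated-role</name></member>
  </members></app-role>
  <app-role><name>BIConsumer</name><members>
   <member><name>authenticated-role</name></member>
  </members></app-role>
 </app-roles>
</application></applications></policy-store></jazn-data>"""

BROAD = {"authenticated-role", "anonymous-role"}  # principals matching every user
PRIVILEGED = {"BIAdministrator"}                  # roles that must stay narrow


def local(elem):
    """Tag name without any XML namespace prefix."""
    return elem.tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if local(child) == name:
            return (child.text or "").strip()
    return ""


def role_members(xml_text, stripe="obi"):
    """Map each application role in `stripe` to the names of its members."""
    roles = {}
    for app in ET.fromstring(xml_text).iter():
        if local(app) == "application" and child_text(app, "name") == stripe:
            for role in (e for e in app.iter() if local(e) == "app-role"):
                roles[child_text(role, "name")] = [
                    child_text(m, "name") for m in role.iter() if local(m) == "member"]
    return roles


def overbroad_grants(xml_text, stripe="obi"):
    """(role, member) pairs where a privileged role is open to every user."""
    return sorted((role, m) for role, members in role_members(xml_text, stripe).items()
                  for m in members if role in PRIVILEGED and m in BROAD)
```

    Run against the sample, overbroad_grants(SAMPLE) reports the BIAdministrator grant and ignores the same principal on BIConsumer, which is not in PRIVILEGED.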
