4 Replies Latest reply on Feb 16, 2013 9:03 PM by 987345

    OBIEE 11g AD Authentication question

      Hello Gurus,

      I have a question regarding OBIEE Active Directory configuration setup. Currently I have followed this blog http://paulcannon-bi.blogspot.com/2012/07/configuring-ldap-authentication-for.html and setup AD authentication along with the default authenticator by WLS.

      We have setup four groups in AD and were planning to authenticate these users in these four groups only. Yes, now the AD users are able to login to OBIEE, however the issue here we are coming across is that everyone who is AD no matter if they below to either of these four groups or not are able to login.

      Restricting the Answers and Dashboards permissions privileges to authenticated users and allowing only these 4 groups/roles from AD is what I was planning on but the business is planning to integrate more authentication systems in future and does not like this concept.

      Is there a way to authentication to users from these 4 groups only in OBIEE

      Please advice is any has come across a situation like this before.

      Thanks in advance.
        • 1. Re: OBIEE 11g AD Authentication question
          Have you created 4 different Roles for these 4 Groups in OBIEE? If not, do that and assign privileges in Analytics to those Roles only and remove the Authenticated User Role and BI Consumer Role from permissions. Also, are all users in AD in the same OU? What does your Group Base DN setting in Console for AD look like?

          Please award points if helpful/correct.
          • 2. Re: OBIEE 11g AD Authentication question

            I too faced such a issue in my 1st attempt, then resolved by setting "All Users Filter" & "Group base DN"

            Note: to get right root structure of u r group base DN/user path -- try to login AD with admin user then generate ldif file then get the right path and then set it.

            for more refer my blog steps,

            • 3. Re: OBIEE 11g AD Authentication question

              Thanks for the reply.

              Yes I have created 4 roles in EM and mapped these groups to those roles.

              However, removing authneticated role and BIConsumer roles at Presenation level would not work since there are other authenticaiton systems coming up for OBIEE soon and then it would be a problem.

              User Base DN: ou=XXUsers,dc=XXdomain,dc=com ( this is where all the corp users are at )
              All Users Filter : Leave blank
              User From Name Filter:     Leave blank

              Group Base DN : dc=XXdomain,dc=com ( this is where all the corp groups are at )
              All Groups Filter: Leave blank
              Group From Name Filter:     (&(cn=%g)(objectclass=group))

              Please advice.
              • 4. Re: OBIEE 11g AD Authentication question
                Deva as per your blog you have setup All users filter for this group "01UREG1GPCOBIEE" ( I am assuming all the users who are accessing OBIEE exist here or is this just another group in AD .?)

                All Users Filter:
                User From Name Filter:

                If we have 4 groups and use these group in All users Filter .? can we mention those 4 groups at a time here.?

                I am using Apache LDAP Browser to get the DN paths.

                Please adivce.