This discussion is archived
4 Replies Latest reply: Feb 16, 2013 1:03 PM by 987345 RSS

OBIEE 11g AD Authentication question

987345 Newbie
Currently Being Moderated
Hello Gurus,

I have a question regarding OBIEE 11.1.1.6.2 Active Directory configuration setup. Currently I have followed this blog http://paulcannon-bi.blogspot.com/2012/07/configuring-ldap-authentication-for.html and setup AD authentication along with the default authenticator by WLS.

We have setup four groups in AD and were planning to authenticate these users in these four groups only. Yes, now the AD users are able to login to OBIEE, however the issue here we are coming across is that everyone who is AD no matter if they below to either of these four groups or not are able to login.

Restricting the Answers and Dashboards permissions privileges to authenticated users and allowing only these 4 groups/roles from AD is what I was planning on but the business is planning to integrate more authentication systems in future and does not like this concept.

Is there a way to authentication to users from these 4 groups only in OBIEE 11.1.1.6.2

Please advice is any has come across a situation like this before.

Thanks in advance.
  • 1. Re: OBIEE 11g AD Authentication question
    JaiG Pro
    Currently Being Moderated
    Have you created 4 different Roles for these 4 Groups in OBIEE? If not, do that and assign privileges in Analytics to those Roles only and remove the Authenticated User Role and BI Consumer Role from permissions. Also, are all users in AD in the same OU? What does your Group Base DN setting in Console for AD look like?

    Please award points if helpful/correct.
  • 2. Re: OBIEE 11g AD Authentication question
    user248025 Guru
    Currently Being Moderated
    Hi,

    I too faced such a issue in my 1st attempt, then resolved by setting "All Users Filter" & "Group base DN"

    Note: to get right root structure of u r group base DN/user path -- try to login AD with admin user then generate ldif file then get the right path and then set it.

    for more refer my blog steps,
    http://obieeelegant.blogspot.sg/2012/01/obiee-11g-integration-with-ldap.html

    Thanks
    Deva
  • 3. Re: OBIEE 11g AD Authentication question
    987345 Newbie
    Currently Being Moderated
    Hello,

    Thanks for the reply.

    Yes I have created 4 roles in EM and mapped these groups to those roles.

    However, removing authneticated role and BIConsumer roles at Presenation level would not work since there are other authenticaiton systems coming up for OBIEE soon and then it would be a problem.

    User Base DN: ou=XXUsers,dc=XXdomain,dc=com ( this is where all the corp users are at )
    All Users Filter : Leave blank
    User From Name Filter:     Leave blank

    Group Base DN : dc=XXdomain,dc=com ( this is where all the corp groups are at )
    All Groups Filter: Leave blank
    Group From Name Filter:     (&(cn=%g)(objectclass=group))

    Please advice.
  • 4. Re: OBIEE 11g AD Authentication question
    987345 Newbie
    Currently Being Moderated
    Deva as per your blog you have setup All users filter for this group "01UREG1GPCOBIEE" ( I am assuming all the users who are accessing OBIEE exist here or is this just another group in AD .?)

    All Users Filter:
    (&(memberof=CN=01UREG1GPCOBIEE,OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com)(sAMAccountName=*)(objectclass=user))
    User From Name Filter:
    (&(memberof=CN=01UREG1GPCOBIEE,OU=GPCOBIEE,OU=APPS,DC=reg1,DC=Hex,DC=Tech,DC=com)(sAMAccountName=%u)(objectclass=user))

    If we have 4 groups and use these group in All users Filter .? can we mention those 4 groups at a time here.?

    I am using Apache LDAP Browser to get the DN paths.

    Please adivce.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points