21 Replies. Latest reply: Mar 26, 2013 2:11 PM by Turbokat

    assigning group from active directory to the bi consumers group

    user483999
      we have been successful in importing all the users from the active directory group OBIEE. i want to associate every user of this group with the biconsumers group, so that i don't have to specify the biconsumers group for each individual user (over 1000). when i click on the group biconsumers and select membership, the only groups that show are the ones for the defaultauthenticator. so i created a new group called OBIEE and the provider is the defaultauthenticator, and now when i select biconsumers group i can assign the OBIEE group. (so i have two groups with the same name, the provider is msdauthenticator for one and defaultauthenticator for the other one). Will this work, or is there another way to accomplish this ???
        • 1. Re: assigning group from active directory to the bi consumers group
          Turbokat
          You cannot add AD group to DefaultAuthenticator groups/roles. Do you want your OBIEE group to have privileges like that of BIConsumer? Then go to Enterprise Manager > coreapplication > Application Roles > select obi stripe > Edit BIConsumer and add your AD group = OBIEE to this BIConsumer role. Now you will have all the users who are part of OBIEE group having BIConsumer role.

          Hope this helps. Mark if answered.

          Let us know.

          Thanks,
          SVS
          • 2. Re: assigning group from active directory to the bi consumers group
            user483999
            when i enter the group name i get a message that "No principals found based on search criteria"...

            although the group name in ldap is obiee, when i look at the groups listed in the console 'groups', i see the
            name $CTH300-VKK7JTIJ9TUP, which is associated with the user name attribute aSAMAccountName shown in the provider specific information in the console

            yet if i use jxplorer it finds the group name OBIEE, and shows me all the users..


            should i change the user name attribute from aSAMAccountName to OBIEE ??

            i got the entry from the analyst at myoracle, and it was only by trial and error that we finally got the
            users from the ldap to finally show up in the console. although the group name was the one i listed above and not
            OBIEE... that stumped the myoracle analyst ??
            • 3. Re: assigning group from active directory to the bi consumers group
              user483999
              i was selecting starts with when adding the group, if i change it to includes, it now picks up the group name
              $CTH300-VKK7JTIJ9TUP..

              now it shows under BIConsumer;

              name type
              BIConsumer group
              BIAuthor application role
              Authenticated-Role Authenticated Role
              $CTH300-VKK7JTIJ9TUP group

              -----------------------------------------------------

              but when i try to login to the bi publisher or the bi home analytics with one of the users from ldap
              i get an invalid username or password .. i restarted all the obiee components first ?
              • 4. Re: assigning group from active directory to the bi consumers group
                Turbokat
                That group name looks disturbing to me ;) maybe it was not set up right on your AD; check what display name is given to this OBIEE group.

                When you are creating Roles for these AD groups do not include any special characters or spaces in them, or else you might come across errors.

                What error do your nqserver.log and sawlog show when you try to log in as this AD user?

                Hope you have restarted all Admin server and Managed Server stacks on your machine after making all the configuration changes.

                Please let us know.

                Thanks,
                SVS
                • 5. Re: assigning group from active directory to the bi consumers group
                  user483999
                  restarted all servers...

                  the group name $CTH300-VKK7JTIJ9TUP comes from the ldap and it's the name associated with
                  sAMAccountName

                  trying to log on to analytics as tskinner1

                  nqserver.log:

                  [2013-03-23T22:23:38.000-04:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 11d1def534ea1be0:17f1a78a:13d99df07ad:-8000-0000000000001238] [tid: db374940] Error Message From BI Security Service: SecurityService::authenticateUserWithLanguage [OBI-SEC-00022] Identity found tskinner1 but could not be authenticated
                  [2013-03-23T22:23:38.000-04:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: 11d1def534ea1be0:17f1a78a:13d99df07ad:-8000-0000000000001238] [tid: db374940] [nQSError: 43126] Authentication failed: invalid user/password.

                  tskinner1 is in users on the console... i even changed the password and when i tried to logon to analytics i got the same error.
                  • 6. Re: assigning group from active directory to the bi consumers group
                    user483999
                    i found oracle note 1451542.1 and it appears that because obiee is picking up the group name of $CTH300-VKK7JTIJ9TUP, that's causing the problem. the note indicates that's a problematic name because of the special characters... as i said before that name is the name associated with sAMAccountName... not sure what changes
                    have to be made in the provider specific information for the msdauthenticator to make this happen

                    group from name filter is currently : (&(sAMAccountName=%g)(objectclass=group)) .. do you think changing
                    sAMAccountName to OBIEE would make a difference ??
                    • 7. Re: assigning group from active directory to the bi consumers group
                      Turbokat
                      Hello,

                      Did you make all the changes according to that note?

                      No, your group filter looks correct (&(sAMAccountName=%g)(objectclass=group)), you should not have to change sAMAccountName to OBIEE.

                      I suggest you install some LDAP browser and see how this group is set up: directory.apache.org/studio/

                      Let me know the updates.

                      thanks,
                      SVS
                      • 8. Re: assigning group from active directory to the bi consumers group
                        user483999
                        i made the changes suggested by the note, but i still get the same error..

                        i use jxplorer to validate the ldap connection and these are the values:


                        name OBIEE
                        objectCategory CN=Group,CN=Schema,CN=Configuration,DC=lcccportal,DC=com
                        objectClass top
                        group
                        objectGUID ' J E *;je B.
                        objectSid .< a S+ ;C
                        sAMAccountName $CTH300-VKK7JTIJ9TUP (note this is the group name that i see in the em console)
                        sAMAccountType 268435456
                        uSNChanged 145633455
                        uSNCreated 138530061
                        whenChanged 20130322030147.0Z
                        whenCreated 20130218040000.0Z
                        • 9. Re: assigning group from active directory to the bi consumers group
                          user483999
                          don't know if this is important or not but the group base dn entry from provider specific info is: CN=OBIEE,OU=Groups,OU=People,DC=lcccportal,DC=com

                          the objectCategory from jxplorer is : CN=Group,CN=Schema,CN=Configuration,DC=lcccportal,DC=com

                          i have a screen shot of what jxplorer shows but i don't know how to attach it to this thread
                          • 10. Re: assigning group from active directory to the bi consumers group
                            Turbokat
                            Hello,

                            Could you please let me know what document you have referred to to set up AD? I will look into it and let you know.

                            Thanks,
                            SVS
                            • 11. Re: assigning group from active directory to the bi consumers group
                              user483999
                              most of the AD entries were recommended by the analyst at myoracle... i can let you know tomorrow the actual obiee guide that i used.
                              • 12. Re: assigning group from active directory to the bi consumers group
                                user483999
                                i've been using Oracle Business Intelligence Enterprise Edition 11g: A Hands-On Tutorial by Haroun Khan, Christian Screen, Adrian Ward (the chapter Configuring an LDAP identity provider in WLS)
                                • 13. Re: assigning group from active directory to the bi consumers group
                                  Turbokat
                                  Alright thanks for that,

                                  I have looked into it and have a couple of questions.

                                  1. You have previously mentioned
                                  user483999 wrote:
                                  although the group name in ldap is obiee, when i look at the groups listed in the console 'groups', i see the
                                  name $CTH300-VKK7JTIJ9TUP, which is associated with the user name attribute aSAMAccountName shown in the provider specific information in the console
                                  Are you using 'aSAMAccountName'?

                                  Also, could you try changing your Identity store properties to the settings below:

                                  username.attr = cn

                                  user.login.attr = cn

                                  virtualize = true

                                  2. Are your User Base DN and Group Base DN the same? Because I see that in the document you mentioned you referred to. Could you check your DNs for user and group and change the group from name filter as below

                                  User Name Attribute : sAMAccountName

                                  Use Retrieved User Name as Principal : Yes

                                  All Groups Filter : Leave blank

                                  Group From Name Filter : (&(cn=%g)(objectclass=group))

                                  Let me know if this changes anything. Hope this helps. Mark if it does.!

                                  Thanks,
                                  SVS
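
How the two Group From Name Filter values discussed in this thread resolve against the group entry posted in reply 8, as an added example that is not part of any post or of Oracle's code. The `cn` value, the RFC 4515 escaping of `%g`, and the small equality-only filter evaluator are assumptions of the example.

```python
import re

# Constructed entry: attribute values as posted from JXplorer in reply 8.
# cn is assumed to equal the posted "name" value, as it does for AD groups.
GROUP_ENTRY = {
    "cn": ["OBIEE"],
    "name": ["OBIEE"],
    "objectClass": ["top", "group"],
    "sAMAccountName": ["$CTH300-VKK7JTIJ9TUP"],
}

SAM_FILTER = "(&(sAMAccountName=%g)(objectclass=group))"  # original setting
CN_FILTER = "(&(cn=%g)(objectclass=group))"               # suggested setting
_TERM = re.compile(r"\(([A-Za-z][\w-]*)=((?:[^()\\*]|\\[0-9a-fA-F]{2})*)\)")

def escape_filter_value(value):
    """Escape per RFC 4515 so the name stays a literal value in the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render(template, group_name):
    """Fill the %g placeholder (escaping is this example's assumption)."""
    return template.replace("%g", escape_filter_value(group_name))

def matches(ldap_filter, entry):
    """Evaluate an (&(attr=value)...) equality filter against one entry."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        raise ValueError("only (&(attr=value)...) filters are handled")
    body = ldap_filter[2:-1]
    terms = _TERM.findall(body)
    if "".join("(%s=%s)" % t for t in terms) != body:
        raise ValueError("unsupported filter syntax")
    # Attribute names and these attribute values compare case-insensitively.
    attrs = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    for attr, raw in terms:
        value = re.sub(r"\\([0-9a-fA-F]{2})",
                       lambda m: chr(int(m.group(1), 16)), raw)
        if value.lower() not in attrs.get(attr.lower(), []):
            return False
    return True

def group_found(template, group_name, entry=GROUP_ENTRY):
    """True when looking up group_name through the template finds the entry."""
    return matches(render(template, group_name), entry)

if __name__ == "__main__":
    for tmpl in (SAM_FILTER, CN_FILTER):
        for name in ("OBIEE", "$CTH300-VKK7JTIJ9TUP"):
            print(tmpl, name, group_found(tmpl, name))
```

With the sAMAccountName filter the entry is only found under `$CTH300-VKK7JTIJ9TUP`; with the cn filter it is only found under `OBIEE`, so the name used in the BIConsumer role mapping has to be the one the configured filter resolves.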
                                  • 14. Re: assigning group from active directory to the bi consumers group
                                    user483999
                                    where is the identity store properties maintained ?
                                    ---------------------------------------------------------------------

                                    i was able to get the ldap administrator to make a change and now i get the group OBIEE into the console, i made the change to BIConsumer so that
                                    the OBIEE group now shows up.., i changed the following

                                    User Name Attribute : sAMAccountName

                                    Use Retrieved User Name as Principal : Yes

                                    All Groups Filter : Leave blank

                                    Group From Name Filter : (&(cn=%g)(objectclass=group))
                                    ---------------------------------------------------------------------------------------
                                    i'm still getting the same authentication errors in the nqserver.log file ??