7 Replies Latest reply: May 13, 2013 4:04 AM by metalray

    Enterprise Manager BI application roles and login problem.

    metalray
      Hello,

      When I add a new LDAP group/role to the BIAdministrator role
      in the Enterprise Manager (Business Intelligence), do I
      then need to restart WebLogic each time?

      I added the user, its group and even the whole authenticated-role
      to the BIAdministrator role but I still can't log in.
      Why is that?

      Have a nice weekend ahead.
        • 1. Re: Enterprise Manager BI application roles and login problem.
          metalray
          The log says "OBI-SEC-00015" unable to find user in identity store.
          I read the following on a blog regarding this error.
          "Make the BISystemUser password in your default authenticator the same password as BISystemUser in your OID authenticator"
          I don't have any user that is named the same in the LDAP as well as in the DefaultAuthenticationProvider :/
          • 2. Re: Enterprise Manager BI application roles and login problem.
            metalray
            Name:user.login.attr value: cn
            Name:username.attr value: cn
            Name:virtualize value: true

            When I added those, the BI Admin server did not start anymore but
            presented me the error:

            JPS-02597: You configured a custom Authentication Provider or WLS generic LDAPAuthenticator, which the libOvd can not recognize. Supply the idstore.type property in jps-config.xml file, or use a specific WLS LDAP Authentication provider that matches your LDAP server instead of a generic one.>

            Now I wonder why those three attributes stop the whole admin
            server from starting?

            Edited by: metalray on 27.04.2013 06:08
            • 3. Re: Enterprise Manager BI application roles and login problem.
              metalray
              Hi,
              I isolated the problem.
              It's the virtualize value: true that causes
              the error and the server to not start anymore.
              Why is that?
              • 4. Re: Enterprise Manager BI application roles and login problem.
                metalray
                The problem was the following:

                I had "OracleVirtualDirectory" instead of "OracleInternetDirectory" selected in the provider creation
                phase.

                Now I have a different problem:

                Failure in WS-Policy Execution due to exception.
                ...
                Caused by: javax.security.auth.login.LoginException: [Security:090304]Authentication Failed: User BISystemUser javax.security.auth.login.FailedLoginException: [Security:090302]*Authentication Failed: User BISystemUser denied* ..
                An error occurred for port: {http://oracle/bi/security/}SecurityServicePort: oracle.fabric.common.PolicyEnforcementException: FailedAuthentication : The security token cannot be authenticated..
                ..

                I got the user.login.attr, username.attr and virtualize=true. I see ALL the LDAP users and
                groups in WebLogic (mysecurityrealm->user and groups). The BISystemUser can log into WebLogic, so I don't think the user is "corrupted" or something.

                I checked that the BISystemUser passwords are the same:
                1) in WLS Console / Home >Summary of Security Realms > myrealm > Users and Groups > BISystemUser
                And
                2) in em, weblogic domain > bifoundation_domain > Security > Credentials > oracle.bi.system - system.user
                • 5. Re: Enterprise Manager BI application roles and login problem.
                  metalray
                  I read the following
                  "..If this is already set to the same setting may be there is an issue with the BISystemUser itself try creating this system user again and see if it works. This BISystemUser should also exist in your LDAP as a user capable of searching for users and groups."
                  This is not the case in my LDAP. I don't create technical users. Is that really necessary?
                  After all, I have provided the LDAP login details in the WebLogic LDAP provider configuration and
                  those should be used to access the LDAP, not BISystemUser.
                  • 6. Re: Enterprise Manager BI application roles and login problem.
                    metalray
                    Although BISystemUser was part of the DefaultAuthentication provider (and the documentation* says
                    having a system user in one provider is enough) I deleted it and created a new trusted user, this
                    time an existing user in the custom LDAP provider.

                    That did not work either, I still get the same error even mentioning BI system user, but I deleted BI
                    system user...crazy.


                    *
                    http://docs.oracle.com/cd/E21764_01/bi.1111/e10543/privileges.htm#BABDCJBH
                    3.2.6 Configuring a New Trusted User (BISystemUser)
                    • 7. Re: Enterprise Manager BI application roles and login problem.
                      metalray
                      The problem was the missing attribute PROPERTY_ATTRIBUTE_MAPPING | GUID=ourGuid
                      in the Enterprise Manager provider settings.
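
Added example, not part of the original thread and not Oracle tooling: a check that a jps-config.xml identity store carries the four properties this thread ended up setting, including the GUID mapping from reply 7. It assumes the Enterprise Manager provider settings are stored as `property` elements on the `idstore.ldap` service instance; the sample XML is constructed and `check_idstore` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Properties the thread ends up setting on the identity store provider.
EXPECTED = ("user.login.attr", "username.attr", "virtualize",
            "PROPERTY_ATTRIBUTE_MAPPING")

# Constructed sample: the state in reply 4 (three properties, no GUID mapping).
SAMPLE = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="user.login.attr" value="cn"/>
      <property name="username.attr" value="cn"/>
      <property name="virtualize" value="true"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>"""


def _local(tag):
    """Drop any XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]


def idstore_properties(xml_text, instance="idstore.ldap"):
    """Return {name: value} for the named serviceInstance, or None if absent."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "serviceInstance" and el.get("name") == instance:
            return {p.get("name"): p.get("value", "")
                    for p in el if _local(p.tag) == "property"}
    return None


def check_idstore(xml_text):
    """List what is missing or malformed relative to the thread's final settings."""
    props = idstore_properties(xml_text)
    if props is None:
        return ["no idstore.ldap serviceInstance found"]
    findings = ["missing property: " + n for n in EXPECTED if n not in props]
    mapping = props.get("PROPERTY_ATTRIBUTE_MAPPING")
    if mapping is not None:
        key, _, attr = mapping.partition("=")
        if key.strip() != "GUID" or not attr.strip():
            findings.append("PROPERTY_ATTRIBUTE_MAPPING is not GUID=<attribute>")
    return findings


if __name__ == "__main__":
    for finding in check_idstore(SAMPLE) or ["all expected properties present"]:
        print(finding)
```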