9 Replies Latest reply: Jun 12, 2014 9:12 AM by user12200191

    OEDQ Active Directory

    user12200191

      I have installed OEDQ 11.1.1.7.3 (WebLogic Server) and am following the documentation at the link below for Active Directory integration:

      http://docs.oracle.com/cd/E48549_01/doc.11117/e40042/toc.htm

      I am confused by the documentation. Do I have to follow both of the sections below, or just one of them, to implement Active Directory integration?

        1) LDAP Integrations using OPSS on weblogic server

        2) Direct LDAP Integrations approach.

      Any help is appreciated.

        • 1. Re: OEDQ Active Directory
          Mike-Matthews-Oracle

          Hi,

          It is one or the other.

          If you are installing on WebLogic, it is probably best to use WebLogic OPSS to integrate with Active Directory, especially since EDQ will be using WebLogic OPSS for its users by default.

          If you are installing on another platform (WebSphere or Tomcat), you will need to integrate EDQ with Active Directory directly.

          Regards,

          Mike

          • 2. Re: OEDQ Active Directory
            user12200191

            Mike

            Thanks for the response.

            I am very new to WebLogic. Could you please tell me if OPSS integration can only be done with Oracle Internet Directory (OID), or if it supports Active Directory integration too?

            Any documentation link would help.

            Thanks

            • 3. Re: OEDQ Active Directory
              Rde1-Oracle

              WebLogic can integrate with AD as well as OID.  You need to go to the WebLogic administration console and select Security Realms, myrealm.  Then on the Providers tab you can click New and define a new authentication provider.  For AD choose the ActiveDirectoryAuthenticator type.  Then select the new provider and enter the AD details on the Provider Specific page.  You will need an AD account to connect to the domain controller.

              Also in the details for the new authenticator, set the control flag to SUFFICIENT to indicate that if AD authentication succeeds, that is sufficient.  Also set the control flag for the DefaultAuthenticator to SUFFICIENT to indicate that a built-in WebLogic user is not required for authentication to succeed.

              Finally, once the AD authenticator is configured and tested (you can go to the Users and Groups tab to see if AD users are found), change the order of the providers (use the Reorder button) to move the AD authenticator above the Default authenticator.  The OPSS APIs use the first authenticator as the source of user and group information, and if the AD authenticator were not first, EDQ would not see the users.

              Richard
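The same configuration, scripted with WLST instead of clicked through the console. This is an added example, not code from the thread or from Oracle's EDQ documentation; the domain name (`edq_domain`), admin URL, domain controller, base DNs and the service-account DN are placeholders to be replaced with your own values. It creates the ActiveDirectoryAuthenticator, sets both control flags to SUFFICIENT, moves the AD provider to the front of the list, and then, after the restart that a provider change requires, lists the groups the provider can see and warns if AD contains a group named `Administrators` (which, as noted later in this thread, is granted the WebLogic Admin role by default):

```jython
# Added example (not from the thread or the Oracle docs): WLST/Jython script for the
# console steps described above. All hostnames, DNs, names and credentials are placeholders.
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL  = 't3://wlsadmin.example.com:7001'                    # assumption: admin server
REALM_PATH = '/SecurityConfiguration/edq_domain/Realms/myrealm'  # assumption: domain name
AD_NAME    = 'ADAuthenticator'                                   # assumption: provider name

connect('weblogic', 'welcome1', ADMIN_URL)   # placeholder credentials; prompt in real use
edit()
startEdit()
realm = getMBean(REALM_PATH)

# 1. Providers tab -> New -> type ActiveDirectoryAuthenticator
ad = realm.lookupAuthenticationProvider(AD_NAME)
if ad is None:
    ad = realm.createAuthenticationProvider(
        AD_NAME, 'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator')

# 2. Provider Specific page. Use LDAPS and a read-only service account for the bind,
#    not a domain admin; the bind credential is stored in the domain configuration.
ad.setHost('dc01.example.com')                                                  # assumption
ad.setPort(636)
ad.setSSLEnabled(1)
ad.setPrincipal('CN=svc-weblogic-ldap,OU=Service Accounts,DC=example,DC=com')   # assumption
ad.setCredential('changeme')                                                    # placeholder
ad.setUserBaseDN('OU=Users,DC=example,DC=com')                                  # assumption
ad.setGroupBaseDN('OU=Groups,DC=example,DC=com')                                # assumption
ad.setUserNameAttribute('sAMAccountName')
ad.setUserFromNameFilter('(&(sAMAccountName=%u)(objectclass=user))')
ad.setGroupFromNameFilter('(&(cn=%g)(objectclass=group))')

# 3. Control flags: AD success is sufficient, and the built-in store also stays SUFFICIENT
#    so the local 'weblogic' account still works if the AD integration is broken.
ad.setControlFlag('SUFFICIENT')
realm.lookupAuthenticationProvider('DefaultAuthenticator').setControlFlag('SUFFICIENT')

# 4. Reorder (console "Reorder" button): AD first, because OPSS reads users and groups
#    from the first authenticator in the list.
others = [p for p in realm.getAuthenticationProviders() if p.getName() != AD_NAME]
realm.setAuthenticationProviders(jarray.array([ad] + others, AuthenticationProviderMBean))

save()
activate(block='true')
disconnect()

# 5. Verification, to be run after restarting the Admin Server (provider changes are
#    non-dynamic). This is the scripted equivalent of checking the Users and Groups tab.
connect('weblogic', 'welcome1', ADMIN_URL)
serverConfig()
cd(REALM_PATH + '/AuthenticationProviders/' + AD_NAME)
cursor = cmo.listGroups('*', 50)
while cmo.haveCurrent(cursor):
    print 'AD group visible to WebLogic:', cmo.getCurrentName(cursor)
    cmo.advance(cursor)
cmo.close(cursor)

# Any group named 'Administrators', in any store, satisfies the default Admin role condition.
if cmo.groupExists('Administrators'):
    print 'WARNING: AD contains a group named Administrators; its members get WebLogic Admin.'
disconnect()
```

Run it with `$WL_HOME/common/bin/wlst.sh script.py` against the Admin Server. Steps 1 to 4 and step 5 are deliberately separated by a restart; if you run them as one script without restarting, the new provider will not yet be active and `listGroups` will not return AD groups.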

              • 4. Re: OEDQ Active Directory
                user12200191

                Richard

                Thanks for the info.

                I followed the steps and I am able to see AD users and groups.

                However, the weblogic user ID still has access to the administration console. How can I restrict access to the administration console?

                Also, could you please tell me how I can give access to the administration console to a group of users?

                Thanks

                • 5. Re: OEDQ Active Directory
                  user12200191

                  Richard

                  Is it possible to grant administration console access to an LDAP user?

                  Thanks

                  • 6. Re: OEDQ Active Directory
                    Rde1-Oracle

                    Yes, that is quite straightforward.  Once you have set up the AD authenticator, any LDAP user can log into the WebLogic admin console.  However, users will not have any administration permissions.

                    Go to Security Realms -> myrealm and select the Roles and Policies tab.  Expand Global Roles and Roles and then click on "View Role Conditions" for the Admin role.  You will see a condition granting the role to any member of the "Administrators" group.  This is effectively any group named "Administrators", in the default WebLogic store or in LDAP.  So if you create an LDAP group named Administrators, then any member of that group can log in and administer the WebLogic console.  Alternatively, just add a new condition referring to a named group in AD.

                    If you wish to disable the internal WebLogic users, you can just remove the Default Authenticator.  However, I would advise against this: if there were an issue or misconfiguration of the AD integration, you would not be able to log in to the WebLogic console.

                    In EDQ, note that you need to map AD groups to EDQ groups (in the External Groups tab) to grant EDQ permissions to AD users.  As with WebLogic, the group "Administrators" is mapped by default to the EDQ Administrators group.  So once you have the AD integration working with EDQ, you will need the AD Administrators group to be able to log in to EDQ to perform further group mapping (EDQ does not use the role mappings defined in the WebLogic console).  Alternatively, the built-in mappings can be edited in the login.properties configuration file.

                    Richard

                    • 7. Re: OEDQ Active Directory
                      user12200191

                      Richard

                      Thanks for the response.

                      One last question about group mapping. Is the login.properties configuration file only meant for mapping AD Administrators --> Administrators (EDQ group)?

                      Can I also define AD Data Analysts --> Data Analysts (EDQ) and AD Data Stewards --> Data Stewards (EDQ) in the login.properties file?

                      Please let me know if mapping AD groups to EDQ groups has to be done only by logging into EDQ Administration.

                      Thanks

                      • 8. Re: OEDQ Active Directory
                        Rde1-Oracle

                        The mappings in login.properties are used as initial defaults so that a system using OPSS will work out of the box.  Whilst additional mappings can be added, the preferred approach is to use the EDQ administration pages.  Alternatively, mappings can be set up by a script run outside EDQ which connects to the EDQ JMX MBeans.

                        Richard

                        • 9. Re: OEDQ Active Directory
                          user12200191

                          Thanks Richard