
OBIEE 12c - LDAP config

3310714
3310714 Rank 6 - Analytics Lead

Hi,

Most of the blogs/documentation I've read utilize an external LDAP such as MS AD for users and groups.  I'm wondering if anyone has set up their OBIEE by utilizing users from AD, but creating groups in WebLogic.  This way, you don't need to wait for another team to add/edit the groups.  Thoughts?


Answers

  • Joel
    Joel Rank 8 - Analytics Strategist

    Some might argue that this defeats the purpose of configuring external LDAP. The main reason for external LDAP is for user authentication and user management to be dealt with external from OBIEE.

    However, you can achieve this by assigning your LDAP users to WebLogic Application roles. You can then apply your specific security settings to the Application role.

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Hi Gbenga,

    I followed the first link to install our OBIEE with LDAP. 

  • Gbenga Ajakaye
    Gbenga Ajakaye Rank 5 - Community Champion

    Did it work?

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Hi Joel,

    Yes, user management can still be done in the external LDAP.  I was thinking group management might be faster to do in WebLogic ourselves.  Then apply the groups to application roles.

    I believe the standard practice is:   Users -->  Groups -->  App Roles -->  OBI Privileges/Permission

    Your idea would also work and bypass the group setups. 

  • Venkata Rachuri
    Venkata Rachuri Rank 5 - Community Champion

    You cannot assign a user from AD to a group created in WebLogic. Try it and let me know if you can.

    Thanks

    Venkata Rachuri

  • EmmanuelMash
    EmmanuelMash Rank 4 - Community Specialist

    I think from an IT governance angle, especially in corporate environments where systems are audited, even if that functionality could be implemented, it is such bad practice to allow OBIEE to be rearranging AD groups in MSAD. Your question sounds more like you require a system that you have control over in terms of creating groups etc., to which I echo @Joel Acha's comment: make use of WebLogic's LDAP.

    Regards

    Emmanuel

  • Hi,

    I would agree with Venkata: you can't assign an AD user to a WebLogic group, and honestly I never saw it done that way.

    For people with your kind of requirement (getting the user-group relationship from somewhere other than LDAP/AD but still keeping authentication on LDAP/AD) you have the BISQLGroupProvider.

    Basically you have a table in your DB where you define the user-group relationship, and then add groups to application roles. But you don't store users' passwords; it's just a mapping between users and groups.

    Have a look at https://docs.oracle.com/middleware/1221/biee/BIESC.pdf and mainly "3.4.4 Configuring LDAP as the Authentication Provider and Storing Groups in a Database".

    I guess it's the thing closest to what you're looking for, as you will be independent and not have to wait on your AD guys to add people into groups in AD.
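    As an added illustration (not code from the thread or from Oracle), the following models the BISQLGroupProvider arrangement described above: AD remains the authenticator, while a database table holds only the user-to-group mapping, and groups are then mapped to application roles. The table and column names (GROUPS, GROUPMEMBERS, G_NAME, G_MEMBER, G_DESCRIPTION), the sample users, groups and application-role mapping are all assumptions constructed for the example; the provider runs whatever SQL you configure in its settings, so adapt the statements to your own schema. SQLite stands in for the real database so the script runs offline.

```python
"""Model of a BISQLGroupProvider-style user-to-group mapping (added example).

AD authenticates the user; the DB answers "which groups is this login in?".
No password is stored here. Note that whoever can write to GROUPMEMBERS can
grant BI privileges, so the table is an authorization store and its write
access should be restricted and audited like any other security object.
"""
import sqlite3

# Assumed schema; the default names in the Oracle docs are similar but
# check your own provider configuration.
SCHEMA = """
CREATE TABLE GROUPS (
    G_NAME        TEXT PRIMARY KEY,
    G_DESCRIPTION TEXT
);
CREATE TABLE GROUPMEMBERS (
    G_NAME   TEXT NOT NULL REFERENCES GROUPS(G_NAME),
    G_MEMBER TEXT NOT NULL,            -- the AD login (sAMAccountName)
    PRIMARY KEY (G_NAME, G_MEMBER)
);
"""

# Constructed sample data (not real accounts).
SAMPLE_GROUPS = [
    ("BIConsumers", "Can view dashboards"),
    ("BIAuthors", "Can create analyses and dashboards"),
    ("BIAdministrators", "Full administration"),
]
SAMPLE_MEMBERS = [
    ("BIConsumers", "jsmith"),
    ("BIConsumers", "adoe"),
    ("BIAuthors", "adoe"),
    ("BIAdministrators", "obiadmin"),
]

# Group -> application role mapping normally done in Enterprise Manager;
# modelled here as a dict (assumed role names).
APP_ROLE_GROUPS = {
    "BIConsumer": {"BIConsumers"},
    "BIContentAuthor": {"BIAuthors"},
    "BIServiceAdministrator": {"BIAdministrators"},
}

# Membership queries in the parameterised shape the provider settings expect.
SQL_LIST_MEMBER_GROUPS = "SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ?"
SQL_IS_MEMBER = "SELECT G_MEMBER FROM GROUPMEMBERS WHERE G_NAME = ? AND G_MEMBER = ?"
SQL_GROUP_EXISTS = "SELECT G_NAME FROM GROUPS WHERE G_NAME = ?"


def _norm(login: str) -> str:
    # AD logins are case-insensitive but SQL string comparison usually is
    # not, so store and look up logins in one canonical case (design choice).
    return login.strip().lower()


def build_db() -> sqlite3.Connection:
    """Create the in-memory mapping tables and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO GROUPS VALUES (?, ?)", SAMPLE_GROUPS)
    conn.executemany("INSERT INTO GROUPMEMBERS VALUES (?, ?)",
                     [(g, _norm(u)) for g, u in SAMPLE_MEMBERS])
    conn.commit()
    return conn


def groups_for_user(conn: sqlite3.Connection, login: str) -> list:
    """What the provider answers for 'list member groups' of an AD login."""
    rows = conn.execute(SQL_LIST_MEMBER_GROUPS, (_norm(login),))
    return sorted(r[0] for r in rows)


def is_member(conn: sqlite3.Connection, group: str, login: str) -> bool:
    """The provider's 'is member' check for one group/user pair."""
    return conn.execute(SQL_IS_MEMBER, (group, _norm(login))).fetchone() is not None


def app_roles_for_user(conn: sqlite3.Connection, login: str) -> list:
    """Users --> Groups --> App Roles: resolve the roles a login ends up with."""
    groups = set(groups_for_user(conn, login))
    return sorted(role for role, gs in APP_ROLE_GROUPS.items() if gs & groups)


def add_user_to_group(conn: sqlite3.Connection, group: str, login: str) -> None:
    """The self-service step the thread is after: add a mapping without touching AD."""
    if conn.execute(SQL_GROUP_EXISTS, (group,)).fetchone() is None:
        raise ValueError(f"unknown group: {group}")
    conn.execute("INSERT OR IGNORE INTO GROUPMEMBERS VALUES (?, ?)", (group, _norm(login)))
    conn.commit()


if __name__ == "__main__":
    db = build_db()
    for user in ("jsmith", "adoe", "obiadmin", "nobody"):
        print(user, groups_for_user(db, user), app_roles_for_user(db, user))
```

    Only the mapping lives in the database; if the AD account is disabled, the user can no longer authenticate no matter what the table says, which is the property the thread is trying to keep.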

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Hi Venkata/Gianni,

    You are right, it can't be done.  I just tried it.  Should have tried it first before asking this question.  Sorry!

    I have another question.  We have about 5000 users and 900 groups in our AD.  When I'm navigating in WebLogic to view the list of users and groups it's kind of slow (assumed this is normal).  When I log into Analytics using an AD user, sometimes it is fast, sometimes it takes a while.  Now that OBI is integrated with AD, does the authentication happen in WebLogic or AD?

  • It depends on your authentication providers chain, but AD users will of course be authenticated in AD (AD will not send users' passwords out to WebLogic so it can authenticate them).

    The slowness is more likely to come from your AD than from WebLogic; you are supposed to configure the authentication provider that uses your AD in a way that reduces the users and groups to only those required by OBIEE. So not matching all the users and groups, but maybe pointing to a smaller part of the AD tree, or making the matching more precise with additional conditions.