OBIEE 12c - BI Groups from External Table and LDAP Authentication

3298808
3298808 Rank 2 - Community Beginner

Hello Guys,

I am currently using OBIEE 12.2.1.2.0 on the RHEL 6.7 platform for my current client and am facing a couple of issues while setting up LDAP Authentication as well as fetching BIGroups from an external table. The issues are:

1. LDAP Active Directory has been set up successfully in myrealms. I can fetch the users from active directory successfully in Users and Groups section. I have also made changes to the FMW -> Security Provider Configuration -> Identity Store Provider -> Configure -> Optimize Search = true and Virtualize = true. Restarted the service. But somehow the users are not able to login to analytics. Says Invalid user and password.

2. Groups from External Table -> I am trying to create a provider that will fetch the groups from an external Oracle database tables. I have set up the data source correctly in Weblogic Console -> Services -> Data Sources. But when creating a new provider in Authentication block I do not see "BISQLProvider" in the Authenticator Type dropdown. There are a lot of other options but not this one. In our 11g environment it is there. Due to this I am not able to create this BIGroups provider.

Can anyone please suggest something to resolve these two issues?

Regards,

Avik


Answers

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Hi,

    I faced a similar error after setting up LDAP with Active Directory. In my case, it was what my Analytics username is. I thought I would be able to log in as "jdoe", but received the "invalid user and password" error. Then I tried logging in as "John Doe" and it worked! Since our users log into their workstations with the "jdoe" convention, I replaced "cn" with "samAccountName" in the User Name Attribute and User From Name Filter fields in Weblogic Provider Specific.

    Also, I believe it is recommended to also add the OPTIMIZE_SEARCH=true properties to the same place where you added virtualize=true.

  • Did you install the provider?

    Installing the BISQLGroupProvider

    Before you can configure a BISQLGroupProvider authenticator, you must first install the JAR file bi-sql-group-provider.jar, which contains the authenticator. The file is available in the following location...

    Did you restart AdminServer after the install?

    (All these things are in the steps in the documentation: Configuring Oracle Business Intelligence to Use Alternative Authentication Providers )

    If you follow the steps in the doc it works fine and the provider is available, so (as for once it's written with all the steps) take the documentation from the beginning and validate your setup and do the missing steps. It will take you 10 minutes and will work fine.

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner
    3298808 wrote: 1. LDAP Active Directory has been set up successfully in myrealms. I can fetch the users from active directory successfully in Users and Groups section. I have also made changes to the FMW -> Security Provider Configuration -> Identity Store Provider -> Configure -> Optimize Search = true and Virtualize = true. Restarted the service. But somehow the users are not able to login to analytics. Says Invalid user and password.

    Doesn't mean a lot to be able to fetch the users and groups in WebLogic. If your username doesn't match the user identifier fetched...it won't work. If the security providers aren't in the right order...it won't work. If their "required/sufficient" settings are wrong...it won't work.
    Also: "Says Invalid user and password" isn't really an empirical investigation of the root cause. If you are sure your config is correct (which we can't say from what you've written above) then you can always increase logging and simply look into the log files to see more details about what's happening during the logon process.

    3298808 wrote: 2. Groups from External Table -> I am trying to create a provider that will fetch the groups from an external Oracle database tables. I have set up the data source correctly in Weblogic Console -> Services -> Data Sources. But when creating a new provider in Authentication block I do not see "BISQLProvider" in the Authenticator Type dropdown. There are a lot of other options but not this one. In our 11g environment it is there. Due to this I am not able to create this BIGroups provider.

    Have you read the documentation? Gianni posted the link and as he says it has it all. You most likely simply haven't done the necessary work - i.e. configure things properly - to actually HAVE that option available to you.

    @3310714 - where does that recommendation for "OPTIMIZE_SEARCH" come from? Is it just "something that worked for you" like the cn/samAccountName one? Because that's...well as I said username must match of course because 1234 obviously doesn't match jsmith and doesn't match j.smith@company.com.

  • 3298808
    3298808 Rank 2 - Community Beginner

    Thanks Gianni,

    No, I haven't installed the bi-sql-group-provider.jar file yet. Could you please let me know from where I can download the same and how to install and to which directory to install? It would be extremely helpful then. Please suggest!

    Regards,

    Avik Dutta.

  • Once again, read the documentation! Configuring Oracle Business Intelligence to Use Alternative Authentication Providers

    Everything (but really everything) is covered, if you take 30 seconds to open the link and read the steps you will see where the jar file is located and where you have to copy it and all the details.

    Stop doing things randomly, invest 5 minutes of your day to read the official doc and follow it. You will be surprised ... it works

  • 3298808
    3298808 Rank 2 - Community Beginner

    Thanks Gianni,

    For some reason I could not view the link you provided earlier. Now I can and I have resolved the issue for the BISQL Group provider stuff. So that is fixed now and thanks a ton for the same.

    Having said that I am still facing the LDAP authentication issue. I have entered the following details in provider specific tab in my 12c weblogic console- myrealms:

    1. Made the default authenticator : Sufficient

    2. Kept the BISQLGroups provider at the top (working condition).

    3. LDAP provider at 2nd in myrealms -> providers list.

    4.

    Host: The host name or IP address of the LDAP server
    Port: 389
    Principal: uid=principal_user,ou=system,ou=users,dc=companyname,dc=com
    Credential: The password for the principal user
    Confirm Credential: repeat
    User Base DN: dc=companyname,dc=com
    All Users Filter: Blank
    User From Name Filter: (&(uid=%u)(objectclass=person))
    User Search Scope: Subtree
    User Name Attribute: uid
    User Object Class: person
    Use Retrieved User Name as Principal: Unchecked
    Group Base DN: dc=companyname,dc=com
    All Groups Filter: Blank
    Group From Name Filter: (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=groupOfURLs)))
    Group Search Scope: Subtree
    Group Membership Searching: Unlimited
    Max Group Membership Search Level: 0
    Ignore Duplicate Membership: uncheck
    Use Token Groups For Group Membership Lookup: uncheck
    Static Group Name Attribute: cn
    Static Group Object Class: groupofuniquenames
    Static Member DN Attribute: uniquemember
    Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))
    Dynamic Group Name Attribute: cn
    Dynamic Group Object Class: groupofURLs
    Dynamic Member URL Attribute: memberURL
    User Dynamic Group DN Attribute: blank
    Connection Pool Size: 6
    Connect Timeout: 0
    Connection Retry Limit: 1
    Parallel Connect Delay: 0
    Results Time Limit: 0
    Keep Alive Enabled: uncheck
    Follow Referrals: check
    Bind Anonymously On Referrals: uncheck
    Propagate Cause For Login Exception: check
    Cache Enabled: check
    Cache Size: 32
    Cache TTL: 60
    Cache Statistics Enabled: check
    GUID Attribute: nsuniqueid
    Identity Domain: kept blank

    5. In the enterprise manager I have also added OPTIMIZE_SEARCH=true properties to the same place where I added virtualize=true.

    6. Restarted the complete server.

    7. Still the users are available in weblogic console -> myrealms -> Users and Groups -> Customize this table but are not able to login to analytics.

    8. In fact all the users are available in weblogic console -> myrealms -> Users and Groups -> Customize this table but NOT all of them are present in Enterprise Manager -> Weblogic Domain -> Security -> Users and Groups. Some of them are present. Having said that ALL the groups have been fetched successfully both in weblogic console and EM users and groups section. It's the problem with the user's list. Console has it all but not EM. And that's why those absent users in EM are not able to login to analytics.

    9. The same setting works in an obiee 11g environment.

    Any file or anything else I need to update?

    Regards,

    Avik Dutta.
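
The post above binds the login name into User From Name Filter through `%u`, and an earlier answer cured the same "invalid user" symptom by switching `cn` to `samAccountName`. The following is an added example, not part of the thread and not WebLogic code: a small Python model of that substitution run against two constructed directory entries. The entries, the function names and the reduced filter grammar (AND, OR, equality, presence) are assumptions.

```python
import re

# Constructed sample entries (not from the thread): one AD-style, one uid-based.
DIRECTORY = [
    {"dn": "cn=John Doe,ou=users,dc=companyname,dc=com", "cn": ["John Doe"],
     "samaccountname": ["jdoe"], "objectclass": ["person", "user"]},
    {"dn": "uid=asmith,ou=users,dc=companyname,dc=com", "cn": ["Alice Smith"],
     "uid": ["asmith"], "objectclass": ["person", "inetOrgPerson"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    """Parse (&...), (|...) or (attr=value); return (node, index after ')')."""
    if f[i + 1] in ("&", "|"):
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    # A bare * is a presence test; everything else is a case-insensitive equality.
    return bool(values) if value == "*" else unescape(value).lower() in values

def find_users(template, login):
    """Return the DNs the bound filter selects; empty means no user entry is found."""
    # %u is replaced by the (escaped) name typed at the login prompt.
    tree, _ = parse(template.replace("%u", escape_filter_value(login)))
    return [e["dn"] for e in DIRECTORY if matches(tree, e)]

if __name__ == "__main__":
    for attr in ("cn", "samAccountName", "uid"):
        print(attr, find_users(f"(&({attr}=%u)(objectclass=person))", "jdoe"))
```

A user can be listed in the console and still fail to log in when the attribute named in the filter does not hold the string typed at the prompt, which is the difference between the `cn` and `samAccountName` rows here.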

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Hi Christian,

    I read this in section 2.2.5 "Tune LibOVD searches" of the OBIEE 12c Best Practices Guide for Infrastructure Tuning:

    LibOVD is a java library providing virtualization capabilities over LDAP authentication providers in Oracle Fusion Middleware. LibOVD is activated when you set the property virtualize=true for the identity store provider in jps-config.xml.

    By setting the libOVD property attribute parameter OPTIMIZE_SEARCH=true will improve the performance of searches as it forces libOVD to search only within the users and groups search bases defined in the authenticator providers. No searches are performed elsewhere.

    My LDAP was working prior to adding this.  I thought adding it would only improve performance.  What do you think?

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    Randomly using things from a "tuning guide" is basically twisting knobs without understanding what happens and why what changes. It CAN work but you won't ever know why or why not or whether that's appropriate or applicable.

  • 3298808
    3298808 Rank 2 - Community Beginner

    I have tried both with OPTIMIZE_SEARCH=true in place and out of place and both didn't work. Also, as you have seen, my users get fetched from attribute uid (not cn or samAccountName) and objectclass = person (not user). Is there any particular ordering of providers I should try? Currently the ordering is:

    1. BIGroups (BI SQL Group Provider) - OPTIONAL

    2. Edir (LDAP Authenticator) - SUFFICIENT

    3. Trust Service Identity Asserter - default settings, no changes made

    4. Default Authenticator - SUFFICIENT

    5. DefaultIdentityAsserter - AuthenticatedUser and weblogic-jwt-token being chosen in the Active Types.

    Kindly suggest. Please note that the groups are being fetched properly both in weblogic console and Enterprise Manager.

    Regards,

    Avik Dutta.

  • 3310714
    3310714 Rank 6 - Analytics Lead

    So your LDAP users are in the BIGroups?  Did you add the groups to your application roles?