Oracle Analytics Cloud and Server

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

LDAP filter out disabled users

Received Response
323
Views
27
Comments
Rank 4 - Community Specialist

Does anyone know the syntax and the location to put it in order to filter out any disabled users.  We use Active Directory groups for catalog security and Agent recipient lists.  Any time there is a disabled user in one of our list the Agent fails.  I have been trying update the syntax in the weblogic - Provider specific screen to filter these out.  I have tried variations of (&(sAMAccountName=%u)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)) but have not been able to get it to work.

We are on 12c

Welcome!

It looks like you're new here. Sign in or register to get started.
«13

Answers

  • Rank 6 - Analytics Lead

    Are you running the Agent as a deleted user? If so it makes sense that the Agent fails since the user is no longer there.

    If it's in the recipient list it should only fail for that particular user but still sending it to all other users.

  • Rank 4 - Community Specialist

    Yes it runs as the disabled user.  It fails the whole Agent though which doesn't make sense. 

    Is there a way to have disabled users filter out of the search list. 

    This user is disabled.  How do I get her to not even show in this list?

    Agent Recipient Lookup disabled user.jpg

  • Rank 6 - Analytics Lead

    The problem is that the list you're showing is a fixed list of users. So if you add a user there and after it's disabled you'll always have the same error.

    If you have more than 1 user (with at least one disabled) does it fail for all of them?

  • Rank 2 - Community Beginner

    a) That's an MSAD integation issue and has nothing to do with any specific OBI version.

    b) Having to write (!userAccountControl:1.2.840.113556.1.4.803:=2)) is the poorest solution imaginable.

    c) This is really something where your MSAD admins must be of assistance since they control it and they design it. If they don't help you...escalate. It's their LDAP.

    d) If you are pulling the users for agents dynamically then the question becomes: "Where are you pulling them from and why are disabled user still in there in the first place?"

  • Rank 4 - Community Specialist

    a) Yes

    b) This was a solution that I have found and my MSAD admin gave me.  It works when used in the weblogic Provider setup in the All Users Filter and the User from Name Filter.  When used here I can no longer query in the weblogic User/Group section for the disabled users.

    c)  They have been trying to assist.

    d) Where are the settings for this.  I have many additional things I would like to change about this that I can not find where to change them.  Besides not pulling disabled users I would also like to be able to search for a users actual name and not the ID.  Currently we have to search for their ID and their name is returned.  (See example above) 

    Thanks for the information. 

  • Rank 2 - Community Beginner

    ad d) Well *you* have to know where the dynamic list gets pulled up! Are you reading it from a DB table?

  • Rank 4 - Community Specialist

    I do not believe so.  It should be straight from the Active Directory.  I can filter the list in the weblogic users/groups but I do not know where these settings are for the list that the recipients are pulling from. 

  • Rank 6 - Analytics Lead

    @Christian Berg i believe he doesn't use a dynamic list but rater a static list.

    But when a user in his static list gets disabled, since he Agent "run As" the recipient the whole agent fails.

  • Rank 4 - Community Specialist

    Yes exactly.  And I want to be able to remove all disabled users from this list with some type of filter. 

  • Rank 6 - Analytics Lead

    The problem is not in the OBIEE-LDAP filter I would say...

    The problem is in your static list of users...

    Do you have specific data filters tied up with those users? do you need the Run-as for this purpose?

    Can you take the list of users from an analysis instead of a static list? If so you could create a SA on top of MSAD to retrieve only the valid users.

Welcome!

It looks like you're new here. Sign in or register to get started.