Problem with LDAP authentication (using AD authentication provider) [OBIEE 11.1.1.6.6]

Hello,
We use Windows AD authentication with OBIEE. At first glance it all looks to be working fine, but the problem begins when I want to pick up permissions for users to log on to OBIEE. Simply, when I remove a user from BIAuthors (security group) at the AD level, that user (for example user_n1) can still log on to OBIEE successfully, but with BIConsumer privileges only (despite the fact that there is no user_n1 in BIConsumer [security group] at the AD level).
From the WebLogic console I see user_n1 has gone from the users list after removing that user from the BIAuthors security group at the AD level, so why can that user still log on to OBIEE?
In AD we have created an OU called BI. Inside that OU we have created four security groups: BIAdministrators, BIAuthors, BIConsumers and BISystemUsers. From the WebLogic console I can see all four groups, so I suppose that the configuration settings for the AD authentication provider are correct.
Here is my AD provider configuration settings for users and groups:
User Base DN: DC=my_company, DC=local
All Users Filter: (&(sAMAccountType=805306368)(|(memberOf=CN=BIAdministrators,OU=BI,DC=my_company,DC=local)(memberOf=CN=BISystemUsers,OU=BI,DC=my_company,DC=local)(memberOf=CN=BIAuthors,OU=BI,DC=my_company,DC=local)(memberOf=CN=BIConsumers,OU=BI,DC=my_company,DC=local)))
User From Name Filter: (sAMAccountName=%u)
User Search Scope: subtree
User Name Attribute: sAMAccountName
User Object Class: user
Group Base DN: OU=BI,DC=my_company,DC=local
All Groups Filter: (objectCategory=group)
Group From Name Filter: (&(cn=%g)(objectclass=group))
Group Search Scope: subtree
Group Membership Searching: unlimited
In my opinion these settings are correct (but maybe I'm wrong?) and only AD users who are members of the BIAuthors, BIConsumers, BIAdministrators or BISystemUsers security groups can log on to OBIEE, and other AD users should not be able to log on to OBIEE successfully.
We have a license limit, so a situation in which every AD user can successfully log on to OBIEE is unacceptable.
Any help appreciated. Thank you!
Answers
-
See: Welcome to OBIEE12c: Configuring External LDAP Authentication Part 2 - Red Stack Tech
tl;dr : Remove the authenticated-role from BIConsumers
0 -
The above step will probably fix your issue. But also see if the following bug (available in Oracle support) is affecting your setup. Doc ID 2083225.1
0 -
Thank you for your answer, Martin. I removed authenticated-role from BIConsumers and it looks like it's working. If a user doesn't belong to any of the above four BI groups, he can't log on to OBIEE. During the login process it displays information about insufficient privileges to access the home page (error code C64RS3Z2). I consider the problem solved.
Sherry George, thanks for your answer too. I'll check this on Monday (when I'm at work), but I suppose that bug is affecting our OBIEE.
0
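A simplified model of the role resolution discussed in this thread, added here as an example and not taken from any poster or from Oracle's code: it shows why user_n1 still received BIConsumer privileges and what removing authenticated-role changes. It assumes the default OBIEE 11g application-role mapping, in which the BIConsumer application role includes the built-in authenticated-role; user_a1, user_c1 and the directory contents are constructed sample data.

```python
# Simplified model of OBIEE 11g application-role resolution (added example).
# Role membership is the assumed default mapping, not read from a live policy store.
DEFAULT_ROLES = {
    "BIAdministrator": {"group:BIAdministrators"},
    "BIAuthor": {"group:BIAuthors", "role:BIAdministrator"},
    "BIConsumer": {"group:BIConsumers", "role:BIAuthor", "authenticated-role"},
    "BISystem": {"group:BISystemUsers"},
}

# Constructed sample directory: AD account -> security groups in OU=BI.
DIRECTORY = {
    "user_a1": {"BIAdministrators"},
    "user_n1": set(),            # removed from BIAuthors, still a valid AD account
    "user_c1": {"BIConsumers"},
}


def granted_roles(user, directory, roles):
    """Return the application roles an authenticated user ends up with."""
    if user not in directory:          # not an AD account: authentication fails
        return set()
    # Every successful login carries the built-in authenticated-role principal.
    principals = {"authenticated-role"} | {f"group:{g}" for g in directory[user]}
    granted, changed = set(), True
    while changed:                     # fixed point handles role-in-role nesting
        changed = False
        for role, members in roles.items():
            if role not in granted and members & principals:
                granted.add(role)
                principals.add(f"role:{role}")
                changed = True
    return granted


def without_authenticated_role(roles):
    """The fix from the thread: drop authenticated-role from BIConsumer."""
    fixed = {r: set(m) for r, m in roles.items()}
    fixed["BIConsumer"].discard("authenticated-role")
    return fixed


def audit(directory, roles):
    """Map each account to its roles; an empty set means no application role."""
    return {u: granted_roles(u, directory, roles) for u in directory}


if __name__ == "__main__":
    for label, roles in (("before", DEFAULT_ROLES),
                         ("after", without_authenticated_role(DEFAULT_ROLES))):
        print(label, audit(DIRECTORY, roles))
```

Running the audit against the real role mapping before and after the change gives a quick list of accounts whose only route to a role was authenticated-role, which is the set that counts against the license limit.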