Oracle Analytics Forum


Problem with LDAP authentication (using AD authentication provider) [OBIEE 11.1.1.6.6]

3302484 Rank 2 - Community Beginner
edited Aug 13, 2024 5:51PM in Oracle Analytics Forum

Hello,

We use Windows AD authentication with OBIEE. At first glance it all looks to be working fine, but the problem begins when I want to control which users have permission to log on to OBIEE. Simply put, when I remove a user from the BIAuthors security group at the AD level, that user (for example user_n1) can still log on to OBIEE successfully, but with BIConsumer privileges only (despite the fact that there is no user_n1 in the BIConsumers security group at the AD level).

From the WebLogic console I can see that user_n1 has disappeared from the users list after removing that user from the BIAuthors security group at the AD level, so why can that user still log on to OBIEE?

In AD we have created an OU called BI. Inside that OU we have created four security groups: BIAdministrators, BIAuthors, BIConsumers and BISystemUsers. From the WebLogic console I can see all four groups, so I suppose the configuration settings for the AD authentication provider are correct.

Here is my AD provider configuration settings for users and groups:

User Base DN: DC=my_company, DC=local

All Users Filter: (&(sAMAccountType=805306368)(|(memberOf=CN=BIAdministrators,OU=BI,DC=my_company,DC=local)(memberOf=CN=BISystemUsers,OU=BI,DC=my_company,DC=local)(memberOf=CN=BIAuthors,OU=BI,DC=my_company,DC=local)(memberOf=CN=BIConsumers,OU=BI,DC=my_company,DC=local)))

User From Name Filter: (sAMAccountName=%u)

User Search Scope: subtree

User Name Attribute: sAMAccountName

User Object Class: user

Group Base DN: OU=BI,DC=my_company,DC=local

All Groups Filter: (objectCategory=group)

Group From Name Filter: (&(cn=%g)(objectclass=group))

Group Search Scope: subtree

Group Membership Searching: unlimited

In my opinion these settings are correct (but maybe I'm wrong?), and only AD users who are members of the BIAuthors, BIConsumers, BIAdministrators or BISystemUsers security group should be able to log on to OBIEE; other AD users should not be able to log on to OBIEE successfully.

We have a license limit, so a situation where every AD user can successfully log on to OBIEE is unacceptable.

Any help appreciated. Thank you!

Answers

  • Martin van Donselaar (Rank 6 - Analytics & AI Lead)

    See: Welcome to OBIEE12c: Configuring External LDAP Authentication Part 2 - Red Stack Tech

    tl;dr : Remove the authenticated-role from BIConsumers

  • Sherry George (Rank 7 - Analytics & AI Coach)

    The above step will probably fix your issue. But also see if the following bug (available in Oracle support) is affecting your setup. Doc ID 2083225.1

  • 3302484 (Rank 2 - Community Beginner)

    Thank you for your answer, Martin. I removed the authenticated-role from BIConsumers and it looks like it's working. If a user doesn't belong to any of the above four BI groups, he can't log on to OBIEE. During the login process it displays a message about insufficient privileges to access the home page (error code C64RS3Z2). I consider the problem solved.

    Sherry George, thanks for your answer too. I'll check this on Monday (when I'm at work), but I suppose that bug is affecting our OBIEE.
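Added example (my own illustration, not code from the thread, from Oracle or from the Red Stack Tech article): a Python model of the two separate checks behind the symptom in the question. It assumes, in line with WebLogic's documented authenticator semantics, that the login path resolves the user with the User From Name Filter only (the post's `(sAMAccountName=%u)` carries no group constraint, so any AD account with a valid password authenticates), while the All Users Filter only limits which accounts the console lists; and that OBIEE's default policy store maps authenticated-role to BIConsumer, which is the mapping Martin's answer removes. The directory entries (`user_n1`, `user_n2`, `bi_admin`) and the small LDAP filter evaluator are constructed for illustration.

```python
"""Model of the two separate checks behind the symptom in this thread.

Constructed illustration, not OBIEE/WebLogic code. Assumptions: the login
path resolves a user with the User From Name Filter only; the All Users
Filter merely limits which accounts the console lists; OBIEE's default
policy store grants BIConsumer to the authenticated-role.
"""

BASE = "DC=my_company,DC=local"
BI_GROUPS = {
    g: f"CN={g},OU=BI,{BASE}"
    for g in ("BIAdministrators", "BIAuthors", "BIConsumers", "BISystemUsers")
}

# Filters as given in the post; %u is substituted at login time.
USER_FROM_NAME_FILTER = "(sAMAccountName=%u)"
ALL_USERS_FILTER = (
    "(&(sAMAccountType=805306368)(|"
    + "".join(f"(memberOf={dn})" for dn in BI_GROUPS.values())
    + "))"
)

# Constructed sample AD entries (multi-valued attributes held as sets).
# user_n1 is the poster's case: removed from BIAuthors, in no BI group at all.
DIRECTORY = {
    "user_n1": {"sAMAccountName": {"user_n1"}, "sAMAccountType": {"805306368"},
                "memberOf": set()},
    "user_n2": {"sAMAccountName": {"user_n2"}, "sAMAccountType": {"805306368"},
                "memberOf": {BI_GROUPS["BIAuthors"]}},
    "bi_admin": {"sAMAccountName": {"bi_admin"}, "sAMAccountType": {"805306368"},
                 "memberOf": {BI_GROUPS["BIAdministrators"]}},
}


def _parse(s, i):
    """Parse the RFC 4515 subset used above (&, |, !, attr=value) from s[i]."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    end = s.index(")", i)                      # DN values here contain no ')'
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def parse_filter(text):
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters in filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter; names and values compare case-insensitively."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        values = next((v for k, v in entry.items() if k.lower() == attr.lower()), set())
        return value.lower() in {v.lower() for v in values}
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)      # "!"


def can_authenticate(username):
    """Login path: only the User From Name Filter is applied, so any AD
    account that exists (and presents a valid password) gets through."""
    flt = parse_filter(USER_FROM_NAME_FILTER.replace("%u", username))
    return any(matches(flt, e) for e in DIRECTORY.values())


def is_listed_in_console(username):
    """What the WebLogic users list shows: the All Users Filter applies here."""
    entry = DIRECTORY.get(username)
    return entry is not None and matches(parse_filter(ALL_USERS_FILTER), entry)


def effective_roles(username, authenticated_role_in_biconsumer=True):
    """OBIEE application roles for an authenticated user, with the 11g
    hierarchy BIAdministrator > BIAuthor > BIConsumer. The flag reproduces
    the default authenticated-role -> BIConsumer mapping that the fix removes."""
    if not can_authenticate(username):
        return set()
    member_of = DIRECTORY[username]["memberOf"]
    groups = {g for g, dn in BI_GROUPS.items() if dn in member_of}
    roles = set()
    if "BIAdministrators" in groups:
        roles.add("BIAdministrator")
    if "BIAuthors" in groups or "BIAdministrator" in roles:
        roles.add("BIAuthor")
    if "BIConsumers" in groups or "BIAuthor" in roles or authenticated_role_in_biconsumer:
        roles.add("BIConsumer")
    if "BISystemUsers" in groups:
        roles.add("BISystem")
    return roles


def can_use_obiee(username, authenticated_role_in_biconsumer=True):
    """Reaching the home page needs at least BIConsumer."""
    return "BIConsumer" in effective_roles(username, authenticated_role_in_biconsumer)


if __name__ == "__main__":
    for user in DIRECTORY:
        print(f"{user:9} auth={can_authenticate(user)!s:5} "
              f"listed={is_listed_in_console(user)!s:5} "
              f"access(default)={can_use_obiee(user)!s:5} "
              f"access(fixed)={can_use_obiee(user, False)}")
```

Run as a script it prints, per sample user, whether the account authenticates, whether the console lists it, and whether it reaches the home page before and after the authenticated-role mapping is removed. The caveat it illustrates: tightening the All Users Filter changes what the console displays, not who can authenticate, so with the licence concern raised in the post the effective control is the application-role mapping.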