OBIEE 12c LDAP account log into Weblogic — Oracle Analytics

3310714 Rank 6 - Analytics Lead

Hi,

We are using OBIEE 12.2.1.2. I just want to confirm: LDAP accounts (MSAD) can log into Analytics, but can't log into Weblogic and Fusion Middleware Enterprise Manager? But local accounts like "weblogic" can log into Analytics, Weblogic, and Fusion Middleware Enterprise Manager? It's been a while since I used OBIEE and I'm trying to get back to it.

Answers

  • Joel
    Joel Rank 8 - Analytics Strategist

    Are you logging onto WebLogic Admin console with a user that is in the WebLogic Administrator group? What do you mean by local user? Have you checked your log files for any clues?

    Have you also set the virtualize property in the identity store to enable multiple authentication providers? - https://docs.oracle.com/middleware/12212/biee/BIESC/GUID-30F09EE4-A2DE-443D-BF24-CC401B6E13FD.htm#BIESC6077

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Hi Joel,

    Thanks. Initially I was logging into WebLogic console and Middleware EM using my LDAP admin account and it didn't work. Then I recalled that only local users created in WebLogic console that are part of the Administrator group can log in. I was getting confused about who can log into where after 6 months of absence from OBIEE.

  • Adam Wickes
    Adam Wickes Rank 6 - Analytics Lead

    That's the way we have ours set up.

    Open LDAP Authenticator provider (sufficient) users can log in to analytics, xmlp etc. but not WLS, EM etc.
    Default Authenticator provider (sufficient) users can log in to WLS, EM but not Analytics, xmlp etc.

    Apparently you can set virtualize=true and default auth users can log into analytics as well but we've never been able to get it to work. Never really cared either.


    Cheers,
    Adam

    EDIT: We have our "admin" account (not weblogic) stored in LDAP and have added it to the global admin roles in WLS (roles and policies). This user is then used as the admin user for Analytics and can also log in to EM and WLS because of the admin role.

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Hi Adam,


    Thanks for your reply.  Actually, we had to set the virtualize=true parameter in order for LDAP users to log into Analytics.  Our Default Authenticator users could log into Analytics without issues.

    How were you able to add your LDAP admin account to the WLS admin role?   Which role are you referring to?  In Weblogic?

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    He said it: roles and policies in Weblogic.

    Never forget: WLS is its own platform product with its own security! So you need to manage that. WLS only reads your LDAP. It does not utilize it to actually do anything.

    https://blogs.oracle.com/imc/oracle-weblogic-server:-weblogic-administrator-accounts-with-specific-grants

    https://docs.oracle.com/cd/E57014_01/wls/WLACH/taskhelp/security/AddUsersToRoles.html

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Thanks, that's what I thought too; WLS only reads LDAP and doesn't do anything.

    But when I read Adam's EDIT comments about his LDAP admin account being assigned a WLS admin role, I was confused.  I couldn't do anything to my LDAP accounts in WLS.

  • Adam Wickes
    Adam Wickes Rank 6 - Analytics Lead

    As Christian mentioned, you can add users to specific roles within WLS.
    We have added an LDAP user (which we have specified as "admin") to the global admin role, which now allows it to log in to EM and WLS as the weblogic user does.

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Thanks!  I figured it out now.  Before, I didn't know this trick so I manually created local accounts in Weblogic to perform upload/download of RPDs, bounce servers, etc.  Now I could do this using my regular admin LDAP account!

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Hi Adam,

    Are you able to upload/download the RPD file using your LDAP admin account?  I'm not able to do that.  I could only use a WLS admin account to perform this task. 

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Confirmed with Oracle support, LDAP accounts can't upload/download RPD. This is by design as documented in Doc ID 2208290.1. Need to use "weblogic" or other WLS accounts that are part of the Administrators group.