AD Integration - any User can Authenticate with any Password.
Team,
I have done AD integration and I am able to see all the users in the WebLogic console. But the challenge is that any user can authenticate with any password.
For example:
Username = kjdnkjandkja
Password = dnsadnaj
is also able to log in to OBIEE. Version = 11.1.1.9.160119 (Build 151227.0323.02 64-bit)
I followed similar steps:
http://paulcannon-bi.blogspot.com/2012/07/configuring-ldap-authentication-for.html
Thanks
Joji
Answers
-
Thank god I never saw that blog post since that advice is pretty much insane.
You don't create a new security realm but extend the existing one with (a) additional security provider(s)!
0 -
What about following the official doc or some MOS notes? (there has been quite a lot written on AD authentication)
Keep it simple and stick to "certified" sources as they exist.
0 -
Hi, even I didn't follow this one; I just gave it for reference. So far I have done almost more than 12 AD integration environments but never tested in this way.
My requirement is to configure AD integration and disable SSO.
Have you seen such scenarios in the past?
0 -
If you didn't follow this then why post it and lead us on a wrong path?
What *exactly* have you done and how have you configured things?
3709799 wrote: My requirement is configure AD integration and disable SSO. Have you seen such scenarios in past?
A scenario where everybody could log on with no check? No. Not in almost a dozen security integrations I have done so far on 12.
0 -
Sorry Chris, I didn't mean to lead the other way.
I have followed the standard steps to configure AD authentication with OBIEE 11g in the WebLogic console by getting the Principal name and credentials from my AD team.
I can see all AD users in the WebLogic console, and all AD users can also log in to OBIEE and access their reports.
Today one developer, while checking randomly, found this issue. Have you encountered a similar scenario?
Thanks
Joji
0 -
Joji,
That still doesn't tell us what has been done - precisely. As indicated I've done this time and time again and there must be a hiccup somewhere in your config.
I guess you can understand that us asking you for every single config option one by one would be quite tedious as it can be just about anything.
0 -
All,
Seems to be bug# 13892104. We need to remove the authenticated user role from the BI consumer role in EM, and this solved the issue.
Many thanks
0 -
That's more a good practice than a bug: if you don't filter the definition of your users extremely well in the AD integration, any user with valid AD credentials will end up being a BI Consumer. Removing authenticated users from any inheritance is normal in any setup (when you care about security).
Still, the bug isn't about letting users authenticate against AD with any password, while you said that users are authenticated with any password.
So do you mean that as long as you know the username you can log in using any random password?
Or did you mean that even users not having any OBIEE group/approle assigned to them in AD can log in? (which by default is normal as you didn't set up security to avoid it?)
0 -
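The role-inheritance point in the reply above (every authenticated user ending up as a BI Consumer) can be audited offline. This is an added example, not part of any post in this thread and not Oracle code; the XML layout, the `ReportViewer` role and the function names are assumptions, and the sample policy is constructed.

```python
import xml.etree.ElementTree as ET

AUTH_ROLE = "authenticated-role"  # member name that stands for "any logged-in user"

# Constructed sample modelled on a jazn-style policy store (layout is an assumption).
SAMPLE_POLICY = """
<app-roles>
  <app-role><name>BIConsumer</name><members>
    <member><name>BIAuthor</name></member>
    <member><name>authenticated-role</name></member>
  </members></app-role>
  <app-role><name>BIAuthor</name><members>
    <member><name>BIAdministrator</name></member>
  </members></app-role>
  <app-role><name>BIAdministrator</name><members>
    <member><name>BIAdministrators</name></member>
  </members></app-role>
  <app-role><name>ReportViewer</name><members>
    <member><name>BIConsumer</name></member>
  </members></app-role>
</app-roles>
"""

def load_members(xml_text):
    """Map each application role to the set of its member names."""
    root = ET.fromstring(xml_text)
    return {role.findtext("name"): {m.findtext("name") for m in role.iter("member")}
            for role in root.iter("app-role")}

def roles_open_to_all(members):
    """Roles every authenticated user holds, directly or through a member role."""
    exposed = {r for r, m in members.items() if AUTH_ROLE in m}
    changed = True
    while changed:  # fixed point: a role is exposed if any member role is exposed
        changed = False
        for role, m in members.items():
            if role not in exposed and m & exposed:
                exposed.add(role)
                changed = True
    return exposed

def audit(xml_text):
    """Return {role: 'direct' | 'inherited'} for roles granted to all authenticated users."""
    members = load_members(xml_text)
    return {r: "direct" if AUTH_ROLE in members[r] else "inherited"
            for r in sorted(roles_open_to_all(members))}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

An empty result means no application role is handed to every account that merely authenticates against the directory.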
+1 to Gianni. Your symptom and the bug as well as MOS Doc ID 2220462.1 are talking about two different things.
If you think you "solved" your issue, then you're on the best way of creating a security "solution" where you quite literally do not understand what is working why and how.
0 -
Guys,
I have raised an Oracle SR and they gave the resolution below, and it worked perfectly:
I have a USER session variable in my RPD.
1. Log into the Administration tool.
2. Open the repository in question. (I guess it's online mode)
3. Check for any initialization associated with the USER session variable.
4. Disable the initialization block.
5. Save your changes.
6. Restart the OBIEE services.
Thanks
Joji
0
