nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Oracle Communities

Oracle Analytics and AI

Child Item

OBIEE 12.2.1.4 - Adding Microsoft LDAP as Auth provider - not all AD users retreived

Ivan M.

Hi,

after configuring MSAD as alternative auth provider, i have a strange situation where I can't see certain LDAP users (i see more than 1000 AD users but some users missing) in Weblogic users tab. On the other hand, a search through the Microsoft AD using Active Directory Explorer tool neatly displays users that I do not see in Weblogic. In Active Directory Explorer tool I use Class: user and for attribute: sAMAccountName when searching users. I have the following settings in Weblogic:

User Base DN:	DC=XXXXX,DC=LOCAL
All Users Filter::	(&(cn=*)(objectclass=user))
User From Name Filter:	(&(sAMAccountName=%u)(objectclass=user))
User Search Scope:	subtree
User Name Attribute:	sAMAccountName

I've spent some time troubleshooting but I'm running out of ideas. SR is opened, but not so efficient (work in progress).

Thanks,

Ivan

Find more posts tagged with

Accepted answers

All comments

Mostafa Morsy-Oracle

@Ivan M.

This should be handled by Weblogic Server Team as users not showing up in WLS Console Page

but search missing users in WLS Console to see if you are able to find them

also I would suggest to use third party tools like https://jxplorer.org/ Or https://www.ldapadministrator.com/softerra-ldap-browser.htm

are you able to see the users or still missing

Gianni Ceresa

Hi,

Are you able to quantify a bit more precisely the issue?

You see more than 1000, but how many is that? (If you see 1050 users it is different than seeing 15000)

How many are missing? Are they always the same users missing?

Can those users connect to your OBIEE or not?

And also, is that an issue? Not seeing AD users in WebLogic isn't a big deal as you aren't supposed to use WebLogic if you want to list all your AD users. Or is this an issue because you can't do something you need to do because you can't see them all?

Ivan M.

Hi,

Maybe I didn't formulate my problem precisely. After MSAD provder configuration, I am able to retrieve users from ldap (I'm not sure how many ldap users there are and it doesn't matter) but i cannot see certain users for which I need to set privileges for OBIEE . In meantime i tested few things - for eg. missing ldap user has sAMAccountName: ivan.loveldap
If i put in Users section filters like this:
All Users Filter: sAMAccountName=ivan.loveldap
User From Name Filter: sAMAccountName=ivan.loveldap
(restart services)
I am able to retrieve only ldap user ivan.loveldap, so user is ok on AD side. But, when i revert All Users Filter:(&(sAMAccountName=*)(objectclass=user)) and User From Name Filter: (&(sAMAccountName=%u)(objectclass=user)) and restart services, i am not getting sAMAccountName=ivan.loveldap :(

It seems that i need to find and set proper combination for filter or I'm wrong..?

Regarding question - Can those users connect to your OBIEE or not? I only have one AD user which i am using for principal and that user can login to OBIEE ok.

Thanks for helping.

Gianni Ceresa

Ok, so you need to see the users to add them to an approle or things like that.

In MOS there is document saying that by default AD only return 1000 users, and that WebLogic doesn't make paginated requests and therefore there is a setting to tell AD to return more users per request.

Did you try that?

The fact you see your user when setting a filter that return exactly that user make me say that your AD is configured correctly, but there is a limit that is applied somewhere when users are retrieved.

I don’t have the weblogic screen in front of my right now to see if it maybe has some advanced settings for that limit, but it could be worth looking in MOS for that document describing this AD limit, and see if it’s what you are facing (surprised the SR didn’t point you there directly in the first place, to exclude that).

Ivan M.

I did not come across such a doc at MOS, but I will check again tomorrow.
Also, regarding the AD limit, the exact number of users I get now is 1021, so it is possible that the problem is not in the limit of 1000, but maybe in some other type of limit that exists somewhere in the settings.

Shantaram-Oracle

Hi, See this MOS document , Limitation to Number Of Users Displayed In Security Realm in WebLogic Server (Doc ID 1281357.1): "In earlier versions of WebLogic Server, the Administration Console pages that displayed users and groups for a security realm were limited to only the first 1,000 entries that met the search criteria. This console limitation has been increased in this release to support displaying up to the first 50,000 entries. Administration Sever memory availability and the security provider configurations may impose additional constraints on these results." . It may be that filters need to be properly configured . Check this document as well

How to Set Active Directory Filters for WebLogic Server LDAP (Doc ID 1350991.1)

Gianni Ceresa

The MOS document I was thinking at is this: LDAP Integration Using Active Directory Only Lists Few Users in WLS and EM Console (Doc ID 2531914.1)

It is for WebLogic 12.2.1.3, which is exactly the WebLogic you are running with OBIEE 12.2.1.4 if you didn't reinstall it freshly recently when OBIEE 12.2.1.4 supported WebLogic 12.2.1.4 (because 12.2.1.3 support ended, so a special patch was released to make OBIEE 12.2.1.4 work with WebLogic 12.2.1.4, but this isn't the point…).

Ivan M.

Thank you all for sharing MOS links. I will check everything. I meantime i concluded that I can see all the users properly in the EM Fusion console, which means that it is a WLS problem (not showing part of the users).

So i will continue to work with users/groups in EM, and try to fix WLS in paralell.