I am trying to integrate OBIEE 188.8.131.52 SampleAppLite with two Authentication Providers (MS Active Directory and the defaultAuthenticator(WLS LDAP)).
My objective is to configure MS Active Directory (MSAD) as a new 'Authentication Provider' along with the defaultAuthenticator (WLS LDAP). So basically two Authentication providers. The MSAD Authenticator for all the business users in the company directory and the default WLS LDAP for Technology dept users like Developer1, QA1 etc.
After following the instructions mentioned in Oracle Documentation and also useful info from the RittmanMead Blog, none of the users are able to login to OBIEE. Even the default 'weblogic' user cannot login.
At a high level I did the following.
1. Installed 184.108.40.206 with the SampleAppLite RPD.
2. Weblogic user is able to login to OBIEE and everything working as expected.
3. Created the new MSAD Authenticator Provider in WLS. Changed the CONTROL_FLAG field to SUFFICIENT for this Authenticator.
4. For the 'defaultAuthenticator' I changed the CONTROL_FLAG field to SUFFICIENT.
5. Re-ordered the Authentication providers so that MSAD comes at the top.
6. I am able to see all the MSAD users as well as the 'defaultAuthenticator' users like Dev1 etc. in the 'Users and Groups' tab under 'myrealm'.
7. *I deleted the BISystemUser in WLS* and wanted to make an existing user in MSAD (say OBI_ADMIN) the new 'Trusted User' (OBI_ADMIN already exists in the MSAD).
8. I now logged onto Enterprise Manager -> Expanded WebLogic Domain -> Right-clicked on bifoundation_domain to reach Security -> Credentials.
9. I edited the system.user key with values for OBI_ADMIN (since OBI_ADMIN is going to be the Trusted User, the replacement for BISystemUser).
10. Then I right-clicked on bifoundation_domain to reach Security -> Security Provider Configuration. In the Identity store provider I added two properties, user.login.attr and username.attr. I assigned them the value sAMAccountName.
11. Then I right-clicked on bifoundation_domain to reach Security -> Application Roles and added OBI_ADMIN to the Application Role 'BISystem'. Though I deleted the BISystemUser (step 7), I was still able to see BISystemUser under the Role 'BISystem'. Not sure why.
12. Next, as mentioned in the Oracle Docs (http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543/privileges.htm#CIHIDCHI) Section 3.2.6 -> Step 11, I added the OBI_Admin user to the Admin Global Role.
13. I also updated the new trusted user credentials in WebLogic Console, select Services - Messaging - JMS Modules (as mentioned in the above link).
14. Restarted all the components.
While trying out many options to get this working, I un-checked Use WebLogic Authentication Provider Configuration under the Identity store configuration in Enterprise Manager. After this I am not able to start the WebLogic Server. So I un-installed and I am installing it fresh.
Is there a way to back up all your configurations after a fresh install?
I finally got this working on AIX. I followed all of the steps in chapter 3 of the Security Guide for OBIEE, http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543.pdf. The cause of my problem turned out to be the virtualize=true setting in the Identity Store Provider configuration in EM. Section 220.127.116.11 says you need this if you have multiple authentication providers. I thought so, since I had MSAD and the DefaultAuthenticator, but the DefaultAuthenticator doesn't count in this case. Once I removed virtualize=true and restarted ManagedWebLogic and OBIEE I was able to login with my MSAD userid.
There are still questions about the virtualize attribute. Oracle Support isn't sure why that was causing me a problem. It may not be an issue in your environment...
BISystemUser exists in both MSAD and the DefaultAuthenticator. The password is the same in both. The MSAD id is not a member of any MSAD groups. The DefaultAuthenticator id is a member of the Administrators group. I assigned BISystemUser to the BISystem role in EM.
I changed the password in the DefaultAuthenticator to what it is in MSAD. And I changed the password in EM.
Also, if you change your User Name Attribute (we use sAMAccountName), you also need to change it in the All Users Filter and the User From Name Filter. The docs mention these two but they don't tell you explicitly what to do. And an area that the docs don't cover is changing cn in the All Groups Filter, Groups From Name Filter, Static Group Name Attribute and Dynamic Group Name Attribute.
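As an added illustration (not from this thread or Oracle's code), the settings below use the attribute names of WebLogic's ActiveDirectoryAuthenticator with its shipped cn-based defaults, and the check reports which settings still disagree with the User Name Attribute after the partial change Jerry describes (only the two filters the docs mention updated, group settings left on cn). The `%u` / `%g` placeholders are WebLogic's own; the `rekey_to` helper and the stale-settings check are assumptions added here.

```python
import re

# Shipped defaults of WebLogic's ActiveDirectoryAuthenticator: everything keyed on cn.
DEFAULT_AD_SETTINGS = {
    "UserNameAttribute": "cn",
    "UserFromNameFilter": "(&(cn=%u)(objectclass=user))",
    "AllUsersFilter": "(&(cn=*)(objectclass=user))",
    "GroupFromNameFilter": "(&(cn=%g)(objectclass=group))",
    "AllGroupsFilter": "(&(cn=*)(objectclass=group))",
    "StaticGroupNameAttribute": "cn",
    "DynamicGroupNameAttribute": "cn",
}

FILTER_KEYS = ("UserFromNameFilter", "AllUsersFilter",
               "GroupFromNameFilter", "AllGroupsFilter")
NAME_ATTR_KEYS = ("UserNameAttribute", "StaticGroupNameAttribute",
                  "DynamicGroupNameAttribute")


def rekey_to(settings, attr):
    """Copy of `settings` with every name attribute and filter keyed on `attr`
    (e.g. sAMAccountName); helper assumed here, not a WebLogic API."""
    old = settings["UserNameAttribute"]
    out = dict(settings)
    for key in NAME_ATTR_KEYS:
        out[key] = attr
    for key in FILTER_KEYS:
        # only the "(cn=" lookup term changes; objectclass terms stay as they are
        out[key] = re.sub(r"\(" + re.escape(old) + r"=", "(" + attr + "=", out[key])
    return out


def find_stale_settings(settings):
    """Names of settings whose lookup attribute differs from UserNameAttribute.
    An empty list means the provider is consistently keyed on one attribute."""
    want = settings["UserNameAttribute"]
    stale = [k for k in NAME_ATTR_KEYS[1:] if settings[k] != want]
    for key in FILTER_KEYS:
        # the attribute compared against %u, %g or * is what the filter is keyed on
        match = re.search(r"\((\w+)=(%u|%g|\*)\)", settings[key])
        if match is None or match.group(1) != want:
            stale.append(key)
    return stale


# Constructed scenario: only the two settings the docs call out were changed.
DOCS_ONLY_CHANGE = dict(DEFAULT_AD_SETTINGS,
                        UserNameAttribute="sAMAccountName",
                        UserFromNameFilter="(&(sAMAccountName=%u)(objectclass=user))",
                        AllUsersFilter="(&(sAMAccountName=*)(objectclass=user))")

if __name__ == "__main__":
    print("still on cn:", find_stale_settings(DOCS_ONLY_CHANGE))
    print("after rekey:", find_stale_settings(rekey_to(DEFAULT_AD_SETTINGS, "sAMAccountName")))
```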
Thanks Jerry. That was helpful. I got it working now. I created BISystemUser in MSAD and updated the WLS BISystemUser's password to match the MSAD one.
This is a much easier way rather than trying to create a new TrustedUser to replace BISystemUser. The only thing different I did was I used virtualize=true to get both types of Authentication working. Please see my blog below for more details.
You probably installed OBIEE on Windows or Linux. Setting virtualize=true works on those platforms. It doesn't work on AIX. I'm still working with Oracle Support to figure out why. The update I got this past Friday points to a possible bug in the IBM JVM.