8 Replies Latest reply: Jul 5, 2012 8:16 AM by Christian Berg

    OBIEE Authentication with LDAP Server

    Deepsa
      Hi All,

      I have a scenario for OBIEE 11g authentication through an LDAP server (AD) configured in the WebLogic console.
      I am able to see the list of LDAP users in the Users section of the WebLogic console.

      Let me explain more about how I set up the security:

      1. Suppose there are 100 users in total in the LDAP server.
      2. 40 are my work-related users and the other 60 are just not in my scope (I don't want these 60 users to use my OBIEE application).
      3. Now, out of the 40, I want to make some users (10) Authors (power users) and keep the rest (30) as just consumer users (normal users).
      4. So I added the above 10 users to the BIAuthor application role so that they get the BIAuthor role privileges.
      5. The other 30 users I have not added anywhere, as all authenticated users get the BIConsumer role by default.
      6. Object-level security: reports/dashboards/subject areas I am handling from Answers by attaching these LDAP users directly to web catalog groups.
      7. Column-level security I am handling with a database table, where I created a table and put all these 40 users in it.

      Now my requirement is that I don't want the above 60 users (coming from LDAP (AD)) to log in to my application.

      Please let me know the workaround to give these 60 LDAP users no access to OBIEE Analytics.

      Thanks,
      Deependra
        • 1. Re: OBIEE Authentication with LDAP Server
          user248025
          Hi,

          Please set the user filter and group filter; then you will be able to solve your issue.
          i.e. let's say your LDAP has 100 users. Make one new group in the LDAP server, add your 40 users to that group and generate an ldif.txt file, or get the user/group structure,
          and just put it into your WebLogic console (LDAP provider-specific configuration part).

          Once the user/group filter is applied, just create application roles (power user, normal user) and then assign the existing application roles (author and consumer role) to them.

          http://obieeelegant.blogspot.sg/2012/01/obiee-11g-integration-with-ldap.html

          For more, refer to my blog, and drop me your email; I can forward my document. Thanks.

          Regards,
          Deva
          • 2. Re: OBIEE Authentication with LDAP Server
            Deepsa
            Hi Dev,


            I have a tree-structure-like thing in the LDAP server where all my 40 users are stored.
            But when I was discussing this issue with the Oracle team, what they said is: this grouping on the LDAP side, and the User and Group section of the WebLogic console provider, just help you see fewer users in the WebLogic console instead of seeing a big list (might be 1000).
            If we can restrict these users from LDAP itself, or in between LDAP and the WebLogic console through the user and group filter, then it would be good.
            Can you share your doc with me at deepsmertiya@gmail.com?

            User base DN: DC=abc,DC=ae
            All User filter: (&(cn=*)(memberOf=CN=OBI-Group,OU=Security-Group,OU=Groups,DC=abc,DC=ae)(objectclass=user))

            Group base DN: CN=OBI-Group,OU=Security-Group,OU=Groups,DC=abc,DC=ae
            All group filter:(&(cn=*)(CN=OBI-Group,OU=Security-Group,OU=Groups,DC=abc,DC=ae)(objectclass=group))

            OBI-Group is a tree node in LDAP where my LDAP users are grouped or have a logical reference.

            With the above settings I am able to see my 40-user list in the WebLogic console Users section,
            but the other users are still not being stopped here and are able to enter OBIEE without any problem.

            Waiting for your reply.

            Thanks
            • 3. Re: OBIEE Authentication with LDAP Server
              user248025
              Hi,
              Can you try the steps below? Also, tonight I will send that doc to your mail.
              Just take a backup of your existing configuration (config.xml) file and make the changes below
              in the provider-specific configuration part.

              User Base DN:
              DC=abc,DC=ae

              All Users Filter:
              (&(memberOf=CN=OBI-Group,OU=Security-Group,OU=Groups,DC=abc,DC=ae)(sAMAccountName=*)(objectclass=user))

              User From Name Filter:
              (&(memberof=CN=OBI-Group,OU=Security-Group,OU=Groups,DC=abc,DC=ae)(sAMAccountName=%u)(objectclass=user))

              Group Base DN:
              CN=OBI-Group,OU=Security-Group,OU=Groups,DC=abc,DC=ae

              All Groups Filter:
              (&(sAMAccountName=*)(objectclass=group))

              Group From Name Filter:
              (&(sAMAccountName=%g)(objectclass=group))

              Restart it and then test it out.

              Thanks
              Deva
              • 4. Re: OBIEE Authentication with LDAP Server
                Deepsa
                Hi Deva,

                I will definitely make the given corrections in my system in the evening.
                But before that I want to give you some background on this configuration:
                Having 2 providers:
                1. Active Directory LDAP: SUFFICIENT (Order 1)
                2. Default WebLogic: OPTIONAL (Order 2)

                OBI-Group (AD LDAP) users are visible in the WebLogic console.
                These LDAP users are not appearing in the RPD (some kind of bug).

                While creating a catalog group in Answers and viewing users, I am able to fetch all the users even if they are not in the list of OBI-Group.

                In EM, inside the identity store configuration, I added the properties virtualize = true, user.login.attr = sAMAccountName, username.attr = sAMAccountName.

                Added one user from AD LDAP as the BISystem user in the WebLogic console and in EM.

                Please let me know if the above configuration is as per the standard or went wrong somewhere.

                Thanks in advance.

                Deependra
                • 5. Re: OBIEE Authentication with LDAP Server
                  Deepsa
                  Hi Deva,

                  I tried the configuration provided by you for the provider configuration, but landed with an AdminServer start error. Below I am attaching part of the log file:

                  ####<Jun 8, 2012 2:59:04 PM GST> <Error> <Security> <edwapptest.fgb.ae> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1339153144389> <BEA-090892> <The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider>
                  ####<Jun 8, 2012 2:59:04 PM GST> <Critical> <WebLogicServer> <edwapptest.fgb.ae> <AdminServer> <main> <<WLS Kernel>> <> <> <1339153144391> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
                  weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
                       at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1398)
                       at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
                       at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
                       at weblogic.security.SecurityService.start(SecurityService.java:141)
                       at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
                       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
                       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
                  Caused By: oracle.security.jps.JpsRuntimeException: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
                       at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:293)
                       at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
                       at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
                       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
                       at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
                       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
                       at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
                       at java.lang.Class.newInstance0(Class.java:355)
                       at java.lang.Class.newInstance(Class.java:308)
                       at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1339)
                       at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
                       at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
                       at weblogic.security.SecurityService.start(SecurityService.java:141)
                       at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
                       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
                       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
                  • 6. Re: OBIEE Authentication with LDAP Server
                    Deepsa
                    Caused By: oracle.security.jps.JpsException: javax.naming.InvalidNameException: Invalid name: (&(cn=*)(CN=OBI-Group,OU=Security-Group,OU=Groups,DC=fgb,DC=ae)(objectclass=group))
                         at oracle.security.jps.wls.internal.idstore.LdapIdStoreConfigProvider.getAllIdentityStoreConfig(LdapIdStoreConfigProvider.java:120)
                         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                         at java.lang.reflect.Method.invoke(Method.java:597)
                         at oracle.security.jps.internal.api.identitystore.IdentityStoreConfigurationUtil.getAllWlsLdapConfig(IdentityStoreConfigurationUtil.java:600)
                         at oracle.security.jps.internal.api.identitystore.IdentityStoreConfigurationUtil.getIgfLdapSpecifiedProperties(IdentityStoreConfigurationUtil.java:394)
                         at oracle.security.jps.internal.api.identitystore.IdentityStoreConfigurationUtil.getLibOvdLdapPushData(IdentityStoreConfigurationUtil.java:513)
                         at oracle.security.jps.internal.igf.ovd.OvdIGFServiceProvider$1.run(OvdIGFServiceProvider.java:228)
                         at oracle.security.jps.internal.igf.ovd.OvdIGFServiceProvider$1.run(OvdIGFServiceProvider.java:225)
                         at java.security.AccessController.doPrivileged(Native Method)
                         at oracle.security.jps.internal.igf.ovd.OvdIGFServiceProvider.getConfigData(OvdIGFServiceProvider.java:224)
                         at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider$UseLibOvd.getInstance(LdapIdentityStoreProvider.java:378)
                         at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:110)
                         at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:70)
                         at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139)
                         at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:170)
                         at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:191)
                         at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:132)
                         at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:127)
                         at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:850)
                         at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:844)
                         at java.security.AccessController.doPrivileged(Native Method)
                         at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
                         at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
                         at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
                         at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
                         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
                         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
                         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
                         at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
                         at java.lang.Class.newInstance0(Class.java:355)
                         at java.lang.Class.newInstance(Class.java:308)
                         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1339)
                         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
                         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
                         at weblogic.security.SecurityService.start(SecurityService.java:141)
                         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
                         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
                         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
                    • 7. Re: OBIEE Authentication with LDAP Server
                      Deepsa
                      No solution received
                      • 8. Re: OBIEE Authentication with LDAP Server
                        Christian Berg
                        Caused By: oracle.security.jps.JpsException: javax.naming.InvalidNameException: Invalid name: (&(cn=*)(CN=OBI-Group,OU=Security-Group,OU=Groups,DC=fgb,DC=ae)(objectclass=group))
                        Have a look at that part of your error... is that actually a valid DN?
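As an added example (not code from the thread, from Oracle, or from Deva's blog), the script below checks offline the two things this thread turns on before anyone restarts the AdminServer: a Base DN field must hold something that parses as a DN (a filter string in that position is exactly the kind of input javax.naming reports as "Invalid name", the point reply 8 makes about the string in reply 6), and the All Users Filter only governs which accounts the console lists, while at login the provider locates the account with the User From Name Filter, so the memberOf clause has to be in that filter too, which is what reply 3 adds. It uses the DN and filters posted in replies 2 and 3 verbatim; the three directory entries are constructed sample data, and the DN and filter parsers cover only the syntax used in the thread (and/or/not, equality, presence; no substring or multi-valued RDN handling).

```python
import re

# Added example, not from the thread: offline sanity checks for the values that
# go into a WebLogic Active Directory authenticator. DIRECTORY below is
# constructed sample data; the DN and filters are the ones posted in the thread.

ATTR_TYPE = r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)"
# One RDN of an RFC 4514 DN: attributeType=value, with ',' and '\' escaped
# inside the value. Multi-valued RDNs ('+') are not handled.
RDN_RE = re.compile(r"^%s=(?:[^,\\]|\\.)+$" % ATTR_TYPE)
OBI_GROUP = "CN=OBI-Group,OU=Security-Group,OU=Groups,DC=abc,DC=ae"


def is_valid_dn(text):
    """Syntactic check: does text parse as a DN (what a Base DN field and a
    memberOf value must be)? A filter string pasted there fails this check."""
    if not text.strip():
        return False
    return all(RDN_RE.match(rdn.strip()) for rdn in re.split(r"(?<!\\),", text))


class FilterError(ValueError):
    pass


def _unescape(value):
    # RFC 4515 \xx hex escapes inside an assertion value.
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def escape_filter_value(value):
    """Escape a value before substituting it for %u / %g, so the login name is
    taken as a literal and cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def parse_filter(text):
    """Parse the RFC 4515 subset used in the thread: (&...), (|...), (!...),
    equality (attr=value) and presence (attr=*)."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise FilterError("trailing characters at offset %d" % pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise FilterError("expected ')' at offset %d" % i)
        if op == "!" and len(children) != 1:
            raise FilterError("'!' takes exactly one filter")
        return i + 1, (op, children)
    end = s.find(")", i)
    if end < 0:
        raise FilterError("unterminated item at offset %d" % i)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not re.fullmatch(ATTR_TYPE, attr):
        raise FilterError("bad filter item %r" % s[i:end])
    if value == "*":
        return end + 1, ("present", attr.lower())
    return end + 1, ("=", attr.lower(), _unescape(value))


def matches(node, entry):
    """Evaluate a parsed filter against an entry {lower-case attribute: [values]}.
    Comparisons are case-insensitive, as AD treats cn, memberOf and sAMAccountName."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if kind == "present" else node[2].lower() in values


# Constructed stand-in for the directory: two of the "40", one of the "60".
DIRECTORY = [
    {"samaccountname": ["dsingh"], "objectclass": ["top", "person", "user"],
     "memberof": [OBI_GROUP]},
    {"samaccountname": ["asmith"], "objectclass": ["top", "person", "user"],
     "memberof": [OBI_GROUP, "CN=Finance,OU=Groups,DC=abc,DC=ae"]},
    {"samaccountname": ["bjones"], "objectclass": ["top", "person", "user"],
     "memberof": ["CN=Finance,OU=Groups,DC=abc,DC=ae"]},
]

# The filters from reply 3.
ALL_USERS_FILTER = "(&(memberOf=%s)(sAMAccountName=*)(objectclass=user))" % OBI_GROUP
USER_FROM_NAME_FILTER = "(&(memberof=%s)(sAMAccountName=%%u)(objectclass=user))" % OBI_GROUP


def listed_users(directory=DIRECTORY):
    """Account names the console would list under the All Users Filter."""
    tree = parse_filter(ALL_USERS_FILTER)
    return [e["samaccountname"][0] for e in directory if matches(tree, e)]


def lookup_for_login(username, directory=DIRECTORY):
    """The entry the authenticator resolves for a login name, or None. The name
    is substituted into the User From Name Filter; with memberOf in that filter
    a user outside OBI-Group is simply not found by this provider."""
    tree = parse_filter(USER_FROM_NAME_FILTER.replace("%u", escape_filter_value(username)))
    hits = [e for e in directory if matches(tree, e)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print("base DN valid:", is_valid_dn("DC=abc,DC=ae"))
    print("filter as DN: ", is_valid_dn("(&(cn=*)(%s)(objectclass=group))" % OBI_GROUP))
    print("listed:", listed_users())
    for name in ("dsingh", "bjones"):
        print(name, "->", "found" if lookup_for_login(name) else "not found")
```

Run it as-is to see the group filter from reply 2 rejected as a DN while the group DN itself passes, and `bjones`, who is not in OBI-Group, resolved to nothing by the login lookup even though the same entry exists in the directory. Because the second provider in reply 4 is only OPTIONAL, a name that the AD provider cannot resolve has nowhere else to authenticate.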