I faced a similar error after setting up LDAP with Active Directory. In my case, it was what my Analytics username is. I thought I would be able to log in as "jdoe", but received the "invalid user and password" error. Then I tried logging in as "John Doe" and it worked! Since our users log into their workstations with the "jdoe" convention, I replaced "cn" with "samAccountName" in the User Name Attribute and User From Name Filter fields in WebLogic Provider Specific.
Also, I believe it is recommended to also add the OPTIMIZE_SEARCH=true properties to the same place where you added virtualize=true.
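Added example, not part of the original post or of Oracle's documentation: a small evaluator showing why the login name has to match the attribute named in the User From Name Filter. The directory entry, the two filter templates (written in the same shape as the filters quoted in this thread) and all function names are constructed for illustration; only the AND/OR/equality subset of LDAP filter syntax is handled.

```python
import re

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand(template, username):
    """Substitute the %u placeholder the way a 'User From Name Filter' is filled in."""
    return template.replace("%u", escape_filter_value(username))

def parse(f, i=0):
    """Parse (&...), (|...) and (attr=value) into a tree; returns (node, next_index)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, raw = f[i + 1:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", attr.lower(), value), end + 1

def matches(node, attrs):
    """Evaluate the tree against one entry; values compared case-insensitively."""
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in attrs.get(node[1], []))
    results = [matches(kid, attrs) for kid in node[1]]
    return all(results) if node[0] == "&" else any(results)

def find_users(template, username, directory):
    """Return the DNs that the expanded filter selects for this login name."""
    tree, _ = parse(expand(template, username))
    return [dn for dn, attrs in directory if matches(tree, attrs)]

# Constructed sample entry: the display name lives in cn, the short logon in sAMAccountName.
JOHN_DN = "CN=John Doe,OU=Staff,DC=example,DC=com"
DIRECTORY = [(JOHN_DN, {"cn": ["John Doe"], "samaccountname": ["jdoe"],
                        "objectclass": ["top", "person", "user"]})]

CN_FILTER = "(&(cn=%u)(objectclass=user))"               # constructed template
SAM_FILTER = "(&(sAMAccountName=%u)(objectclass=user))"  # constructed template

if __name__ == "__main__":
    for template in (CN_FILTER, SAM_FILTER):
        for login in ("jdoe", "John Doe"):
            print(expand(template, login), "->", find_users(template, login, DIRECTORY))
```

Listing users in the console only proves the search base and bind credentials work; the login succeeds only when the expanded filter selects exactly the entry for the name the user typed.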
Did you install the provider?
Installing the BISQLGroupProvider
Before you can configure a BISQLGroupProvider authenticator, you must first install the JAR file bi-sql-group-provider.jar, which contains the authenticator. The file is available in the following location...
Did you restart AdminServer after the install?
(All these things are in the steps in the documentation: Configuring Oracle Business Intelligence to Use Alternative Authentication Providers)
If you follow the steps in the doc it works fine and the provider is available, so (as for once it's written with all the steps) take the documentation from the beginning and validate your setup and do the missing steps. It will take you 10 minutes and will work fine.
1. LDAP Active Directory has been set up successfully in myrealms. I can fetch the users from active directory successfully in Users and Groups section. I have also made changes to the FMW -> Security Provider Configuration -> Identity Store Provider -> Configure -> Optimize Search = true and Virtualize = true. Restarted the service. But somehow the users are not able to login to analytics. Says Invalid user and password.
Doesn't mean a lot to be able to fetch the users and groups in WebLogic. If your username doesn't match the user identifier fetched...it won't work. If the security providers aren't in the right order...it won't work. If their "required/sufficient" settings are wrong...it won't work.
Also: "Says Invalid user and password" isn't really an empirical investigation of the root cause. If you are sure your config is correct (which we can't say from what you've written above) then you can always increase logging and simply look into the log files to see more details about what's happening during the logon process.
2. Groups from External Table -> I am trying to create a provider that will fetch the groups from an external Oracle database tables. I have set up the data source correctly in Weblogic Console -> Services -> Data Sources. But when creating a new provider in Authentication block I do not see "BISQLProvider" in the Authenticator Type dropdown. There are a lot of other options but not this one. In our 11g environment it is there. Due to this I am not able to create this BIGroups provider.
Have you read the documentation? Gianni posted the link and as he says it has it all. You most likely simply haven't done the necessary work - i.e. configure things properly - to actually HAVE that option available to you.
3310714 - where does that recommendation for "OPTIMIZE_SEARCH" come from? Is it just "something that worked for you" like the cn/samAccountName one? Because that's...well as I said username must match of course because 1234 obviously doesn't match jsmith and doesn't match email@example.com.
No, I haven't installed the bi-sql-group-provider.jar file yet. Could you please let me know from where I can download the same and how to install and to which directory to install? It would be extremely helpful then. Please suggest!
Once again, read the documentation! Configuring Oracle Business Intelligence to Use Alternative Authentication Providers
Everything (but really everything) is covered, if you take 30 seconds to open the link and read the steps you will see where the jar file is located and where you have to copy it and all the details.
Stop doing things randomly, invest 5 minutes of your day to read the official doc and follow it. You will be surprised ... it works
For some reason I could not view the link you provided earlier. Now I can and I have resolved the issue for the BISQL Group provider stuff. So that is fixed now and thanks a ton for the same.
Having said that I am still facing the LDAP authentication issue. I have entered the following details in provider specific tab in my 12c weblogic console- myrealms:
1. Made the default authenticator : Sufficient
2. Kept the BISQLGroups provider at the top (working condition).
3. LDAP provider at 2nd in myrealms -> providers list.
Host: The host name or IP address of the LDAP server
Credential: The password for the principal user
Confirm Credential: repeat
User Base DN: dc=companyname,dc=com
All Users Filter: Blank
User From Name Filter: (&(uid=%u)(objectclass=person))
User Search Scope: Subtree
User Name Attribute: uid
User Object Class: person
Use Retrieved User Name as Principal: Unchecked
Group Base DN: dc=companyname,dc=com
All Groups Filter: Blank
Group From Name Filter: (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=groupOfURLs)))
Group Search Scope: Subtree
Group Membership Searching: Unlimited
Max Group Membership Search Level: 0
Ignore Duplicate Membership: uncheck
Use Token Groups For Group Membership Lookup: uncheck
Static Group Name Attribute: cn
Static Group Object Class: groupofuniquenames
Static Member DN Attribute: uniquemember
Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))
Dynamic Group Name Attribute: cn
Dynamic Group Object Class: groupofURLs
Dynamic Member URL Attribute: memberURL
User Dynamic Group DN Attribute: blank
Connection Pool Size: 6
Connect Timeout: 0
Connection Retry Limit: 1
Parallel Connect Delay: 0
Results Time Limit: 0
Keep Alive Enabled: uncheck
Follow Referrals: check
Bind Anonymously On Referrals: uncheck
Propagate Cause For Login Exception: check
Cache Enabled: check
Cache Size: 32
Cache TTL: 60
Cache Statistics Enabled: check
GUID Attribute: nsuniqueid
Identity Domain: kept blank
5. In the enterprise manager I have also added OPTIMIZE_SEARCH=true properties to the same place where I added virtualize=true.
6. Restarted the complete server.
7. Still the users are available in weblogic console -> myrealms -> Users and Groups -> Customize this table but are not able to login to analytics.
8. In fact all the users are available in weblogic console -> myrealms -> Users and Groups -> Customize this table but NOT all of them are present in Enterprise Manager -> Weblogic Domain -> Security -> Users and Groups. Some of them are present. Having said that ALL the groups have been fetched successfully both in weblogic console and EM users and groups section. It's the problem with the user's list. Console has it all but not EM. And that's why those absent users in EM are not able to login to analytics.
9. The same setting works in an obiee 11g environment.
Any file or anything else I need to update?
I read this in section 2.2.5 "Tune LibOVD searches" of the OBIEE 12c Best Practices Guide for Infrastructure Tuning:
LibOVD is a java library providing virtualization capabilities over LDAP authentication providers in Oracle Fusion Middleware. LibOVD is activated when you set the property virtualize=true for the identity store provider in jps-config.xml.
By setting the libOVD property attribute parameter OPTIMIZE_SEARCH=true will improve the performance of searches as it forces libOVD to search only within the users and groups search bases defined in the authenticator providers. No searches are performed elsewhere.
My LDAP was working prior to adding this. I thought adding it would only improve performance. What do you think?
Randomly using things from a "tuning guide" is basically twisting knobs without understanding what happens and why what changes. It CAN work but you won't ever know why or why not or whether that's appropriate or applicable.
I have tried both with OPTIMIZE_SEARCH= true in place and out of place and both didn't work. Also as you have seen my users get fetched from attribute uid (not cn or samAccountName) and objectclass = person (not user). Any particular ordering of Providers should I try? Currently the ordering is:
1. BIGroups (BI SQL Group Provider) - OPTIONAL
2. Edir (LDAP Authenticator) - SUFFICIENT
3. Trust Service Identity Asserter - default settings, no changes made
4. Default Authenticator - SUFFICIENT
5. DefaultIdentityAsserter - AuthenticatedUser and weblogic-jwt-token being chosen in the Active Types.
Kindly suggest. Please note that the groups are being fetched properly both in weblogic console and Enterprise Manager.
So your LDAP users are in the BIGroups? Did you add the groups to your application roles?
LDAP users have to be authenticated from the LDAP Provider EDir (see the list below). BIGroups is a BISQLGroupProvider and not an authenticator. It's used to fetch groups that are tagged to different application roles and those roles have been given access.
The groups getting fetched from the LDAP Authentication are actually of no use in OBIEE. Main issue is with the users getting fetched having difficulties logging in. Please help.
The issue has been finally resolved. The problem was with the provider authentication type. I selected ActiveDirectoryAuthenticator as the type whereas it should have been Iplanet authenticator. Deleted the existing provider and recreated the same with this type and things worked. Thanks for all your help. Seems like I was misinformed by the system Admin regarding the type of the LDAP server.
Not easy if the admin doesn't even tell you the right kind of LDAP they have ...
So you can close the thread as everything has been solved, for now it's still This question is Not Answered.
Geezus that's pretty bad. Ask him whether it's also no problem to fill a petrol car with diesel or vice versa (hint: one is indefinitely worse than the other :-P )