14 Replies Latest reply on Mar 21, 2017 8:55 PM by Christian Berg

    OBIEE 12c - BI Groups from External Table and LDAP Authentication

    3298808

      Hello Guys,

       

      I am currently using OBIEE 12.2.1.2.0 on the RHEL 6.7 platform for my current client and am facing a couple of issues while setting up LDAP Authentication as well as fetching BIGroups from an external table. The issues are:

       

      1. LDAP Active Directory has been set up successfully in myrealms. I can fetch the users from active directory successfully in Users and Groups section. I have also made changes to the FMW -> Security Provider Configuration -> Identity Store Provider -> Configure -> Optimize Search = true and Virtualize = true. Restarted the service. But somehow the users are not able to login to analytics. Says Invalid user and password.

       

      2. Groups from External Table -> I am trying to create a provider that will fetch the groups from an external Oracle database tables. I have set up the data source correctly in Weblogic Console -> Services -> Data Sources. But when creating a new provider in Authentication block I do not see "BISQLProvider" in the Authenticator Type dropdown. There are a lot of other options but not this one. In our 11g environment it is there. Due to this I am not able to create this BIGroups provider.

       

      Can anyone please suggest something to resolve these two issues?

       

      Regards,

      Avik

        • 1. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
          3310714

          Hi,

           

          I faced a similar error after setting up LDAP with Active Directory. In my case, it was what my Analytics username is. I thought I would be able to log in as "jdoe", but received the "invalid user and password" error. Then I tried logging in as "John Doe" and it worked! Since our users log into their workstations with the "jdoe" convention, I replaced "cn" with "samAccountName" in the User Name Attribute and User From Name Filter fields in Weblogic Provider Specific.

           

          Also, I believe it is recommended to also add the OPTIMIZE_SEARCH=true properties to the same place where you added virtualize=true.

          • 2. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
            Gianni Ceresa

            Did you install the provider?

             

            Installing the BISQLGroupProvider

            Before you can configure a BISQLGroupProvider authenticator, you must first install the JAR file bi-sql-group-provider.jar, which contains the authenticator. The file is available in the following location...

             

            Did you restart AdminServer after the install?

             

            (All these things are in the steps in the documentation: Configuring Oracle Business Intelligence to Use Alternative Authentication Providers )

             

            If you follow the steps in the doc it works fine and the provider is available, so (as for once it's written with all the steps) take the documentation from the beginning and validate your setup and do the missing steps. It will take you 10 minutes and will work fine.

            • 3. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
              Christian Berg

              3298808 wrote:

               

              1. LDAP Active Directory has been set up successfully in myrealms. I can fetch the users from active directory successfully in Users and Groups section. I have also made changes to the FMW -> Security Provider Configuration -> Identity Store Provider -> Configure -> Optimize Search = true and Virtualize = true. Restarted the service. But somehow the users are not able to login to analytics. Says Invalid user and password.

               

              Doesn't mean a lot to be able to fetch the users and groups in WebLogic. If your username doesn't match the user identifier fetched...it won't work. If the security providers aren't in the right order...it won't work. If their "required/sufficient" settings are wrong...it won't work.
              Also: "Says Invalid user and password" isn't really an empirical investigation of the root cause. If you are sure your config is correct (which we can't say from what you've written above) then you can always increase logging and simply look into the log files to see more details about what's happening during the logon process.

               

              3298808 wrote:

               

              2. Groups from External Table -> I am trying to create a provider that will fetch the groups from an external Oracle database tables. I have set up the data source correctly in Weblogic Console -> Services -> Data Sources. But when creating a new provider in Authentication block I do not see "BISQLProvider" in the Authenticator Type dropdown. There are a lot of other options but not this one. In our 11g environment it is there. Due to this I am not able to create this BIGroups provider.

               

              Have you read the documentation? Gianni posted the link and as he says it has it all. You most likely simply haven't done the necessary work - i.e. configure things properly - to actually HAVE that option available to you.

               

              3310714 - where does that recommendation for "OPTIMIZE_SEARCH" come from? Is it just "something that worked for you" like the cn/samAccountName one? Because that's...well as I said username must match of course because 1234 obviously doesn't match jsmith and doesn't match j.smith@company.com.

              • 4. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                3298808

                Thanks Gianni,

                 

                No, I haven't installed the bi-sql-group-provider.jar file yet. Could you please let me know from where I can download the same and how to install and to which directory to install? It would be extremely helpful then. Please suggest!

                 

                Regards,

                Avik Dutta.

                • 5. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                  Gianni Ceresa

                  Once again, read the documentation! Configuring Oracle Business Intelligence to Use Alternative Authentication Providers

                  Everything (but really everything) is covered, if you take 30 seconds to open the link and read the steps you will see where the jar file is located and where you have to copy it and all the details.

                  Stop doing things randomly, invest 5 minutes of your day to read the official doc and follow it. You will be surprised ... it works

                  • 6. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                    3298808

                    Thanks Gianni,

                     

                    For some reason I could not view the link you provided earlier. Now I can and I have resolved the issue for the BISQL Group provider stuff. So that is fixed now and thanks a ton for the same.

                     

                    Having said that I am still facing the LDAP authentication issue. I have entered the following details in provider specific tab in my 12c weblogic console- myrealms:

                     

                    1. Made the default authenticator : Sufficient

                    2. Kept the BISQLGroups provider at the top (working condition).

                    3. LDAP provider at 2nd in myrealms -> providers list.

                    4.

                     

                    Host: The host name or IP address of the LDAP server
                    Port: 389
                    Principal: uid=principal_user,ou=system,ou=users,dc=companyname,dc=com
                    Credential: The password for the principal user
                    Confirm Credential: repeat
                    User Base DN: dc=companyname,dc=com
                    All Users Filter: Blank
                    User From Name Filter: (&(uid=%u)(objectclass=person))
                    User Search Scope: Subtree
                    User Name Attribute: uid
                    User Object Class: person
                    Use Retrieved User Name as Principal: Unchecked
                    Group Base DN: dc=companyname,dc=com
                    All Groups Filter: Blank
                    Group From Name Filter: (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=groupOfURLs)))
                    Group Search Scope: Subtree
                    Group Membership Searching: Unlimited
                    Max Group Membership Search Level: 0
                    Ignore Duplicate Membership: uncheck
                    Use Token Groups For Group Membership Lookup: uncheck
                    Static Group Name Attribute: cn
                    Static Group Object Class: groupofuniquenames
                    Static Member DN Attribute: uniquemember
                    Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))
                    Dynamic Group Name Attribute: cn
                    Dynamic Group Object Class: groupofURLs
                    Dynamic Member URL Attribute: memberURL
                    User Dynamic Group DN Attribute: blank
                    Connection Pool Size: 6
                    Connect Timeout: 0
                    Connection Retry Limit: 1
                    Parallel Connect Delay: 0
                    Results Time Limit: 0
                    Keep Alive Enabled: uncheck
                    Follow Referrals: check
                    Bind Anonymously On Referrals: uncheck
                    Propagate Cause For Login Exception: check
                    Cache Enabled: check
                    Cache Size: 32
                    Cache TTL: 60
                    Cache Statistics Enabled: check
                    GUID Attribute: nsuniqueid
                    Identity Domain: kept blank

                     

                    5. In the enterprise manager I have also added OPTIMIZE_SEARCH=true properties to the same place where I added virtualize=true.

                    6. Restarted the complete server.

                    7. Still the users are available in weblogic console -> myrealms -> Users and Groups -> Customize this table but are not able to login to analytics.

                    8. In fact all the users are available in weblogic console -> myrealms -> Users and Groups -> Customize this table but NOT all of them are present in Enterprise Manager -> Weblogic Domain -> Security -> Users and Groups. Some of them are present. Having said that, ALL the groups have been fetched successfully both in weblogic console and EM users and groups section. It's the problem with the user's list. Console has it all but not EM. And that's why those absent users in EM are not able to login to analytics.

                    9. The same setting works in an obiee 11g environment.

                     

                    Any file or anything else I need to update?

                     

                    Regards,

                    Avik Dutta.

                    • 7. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                      3310714

                      Hi Christian,

                       

                      I read this in section 2.2.5 "Tune LibOVD searches" of the OBIEE 12c Best Practices Guide for Infrastructure Tuning:

                       

                      LibOVD is a java library providing virtualization capabilities over LDAP authentication providers in Oracle Fusion Middleware. LibOVD is activated when you set the property virtualize=true for the identity store provider in jps-config.xml.

                       

                      By setting the libOVD property attribute parameter OPTIMIZE_SEARCH=true will improve the performance of searches as it forces libOVD to search only within the users and groups search bases defined in the authenticator providers. No searches are performed elsewhere.

                       

                      My LDAP was working prior to adding this.  I thought adding it would only improve performance.  What do you think?

                      • 8. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                        Christian Berg

                        Randomly using things from a "tuning guide" is basically twisting knobs without understanding what happens and why what changes. It CAN work but you won't ever know why or why not or whether that's appropriate or applicable.

                        • 9. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                          3298808

                          I have tried both with OPTIMIZE_SEARCH= true in place and out of place and both didn't work. Also, as you have seen, my users get fetched from attribute uid (not cn or samAccountName) and objectclass = person (not user). Any particular ordering of Providers should I try? Currently the ordering is:

                           

                          1. BIGroups (BI SQL Group Provider) - OPTIONAL

                          2. Edir (LDAP Authenticator) - SUFFICIENT

                          3. Trust Service Identity Asserter - default settings, no changes made

                          4. Default Authenticator - SUFFICIENT

                          5. DefaultIdentityAsserter - AuthenticatedUser and weblogic-jwt-token being chosen in the Active Types.

                           

                          Kindly suggest. Please note that the groups are being fetched properly both in weblogic console and Enterprise Manager.

                           

                          Regards,

                          Avik Dutta.
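
Added example, not part of the original thread: a small Python model of how JAAS control flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) combine over an ordered provider list, run against the order and flags listed in the post above. It assumes identity asserters play no part in a username/password login and that BIGroups never authenticates a user; the two `REQUIRED_*` stacks are constructed variants, not configurations from the thread.

```python
# Added illustration: a model of JAAS control-flag evaluation, not WebLogic code.
# Assumptions: identity asserters are left out (they handle tokens, not
# username/password logins) and BIGroups never authenticates anyone itself.

def login_outcome(stack):
    """stack: (provider, flag, authenticated) tuples in realm order.
    Returns (login_succeeds, providers_consulted)."""
    required_seen = required_failed = any_success = False
    consulted = []
    for name, flag, ok in stack:
        consulted.append(name)
        any_success = any_success or ok
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break          # REQUISITE failure stops the chain
        elif flag == "SUFFICIENT" and ok and not required_failed:
            break                  # SUFFICIENT success ends evaluation early
    if required_failed:
        return False, consulted
    # With no REQUIRED/REQUISITE provider, at least one provider must succeed.
    return (True if required_seen else any_success), consulted


# Order and flags from the post above; the LDAP provider recognises the user.
THREAD_STACK_OK = [
    ("BIGroups", "OPTIONAL", False),
    ("Edir", "SUFFICIENT", True),
    ("DefaultAuthenticator", "SUFFICIENT", False),
]
# Same flags, but the LDAP provider cannot match the user (for example a
# wrong user name attribute or provider type): nothing vouches for the login.
THREAD_STACK_NO_MATCH = [(n, f, False) for n, f, _ in THREAD_STACK_OK]
# Constructed variants, not from the thread: DefaultAuthenticator left at
# REQUIRED, placed before and after the LDAP provider.
REQUIRED_FIRST = [("DefaultAuthenticator", "REQUIRED", False),
                  ("Edir", "SUFFICIENT", True)]
REQUIRED_LAST = [("Edir", "SUFFICIENT", True),
                 ("DefaultAuthenticator", "REQUIRED", False)]

if __name__ == "__main__":
    for label, stack in [("thread, LDAP match", THREAD_STACK_OK),
                         ("thread, no LDAP match", THREAD_STACK_NO_MATCH),
                         ("REQUIRED first", REQUIRED_FIRST),
                         ("REQUIRED last", REQUIRED_LAST)]:
        print(label, login_outcome(stack))
```

In this model the flags and order from the post admit an LDAP user as soon as the LDAP provider itself recognises the user, so a failure with that stack points at the provider's own settings rather than at the ordering.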

                          • 10. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                            3310714

                            So your LDAP users are in the BIGroups?  Did you add the groups to your application roles?

                            • 11. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                              3298808

                              Hello,

                               

                              LDAP users have to be authenticated from the LDAP Provider EDir (see the list below). BIGroups is a BISQLGroupProvider and not an authenticator. It's used to fetch groups that are tagged to different application roles and those roles have been given access.

                               

                              The groups getting fetched from the LDAP Authentication are actually of no use in OBIEE. Main issue is with the users getting fetched having difficulties logging in. Please help.

                               

                              Regards,

                              Avik Dutta.

                              • 12. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                                3298808

                                The issue has been finally resolved. The problem was with the provider authentication type. I selected ActiveDirectoryAuthenticator as the type whereas it should have been Iplanet authenticator. Deleted the existing provider and recreated the same with this type and things worked. Thanks for all your help. Seems like I was misinformed by the system Admin regarding the type of the LDAP server.

                                 

                                Regards,

                                Avik Dutta.

                                • 13. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                                  Gianni Ceresa

                                  Not easy if the admin doesn't even tell you the right kind of LDAP they have ...

                                   

                                  So you can close the thread as everything has been solved, for now it's still This question is Not Answered.

                                  • 14. Re: OBIEE 12c - BI Groups from External Table and LDAP Authentication
                                    Christian Berg

                                    Geezus that's pretty bad. Ask him whether it's also no problem to fill a petrol car with diesel or vice versa (hint: one is indefinitely worse than the other :-P )