3 Replies Latest reply on Feb 24, 2018 10:47 AM by 3302484

    Problem with LDAP authentication (using AD authentication provider) [OBIEE]



      We use Windows AD authentication with OBIEE. At first glance it all looks to be working fine, but the problem begins when I want to pick up permissions for users to log on to OBIEE. Simply put, when I remove a user from BIAuthors (security group) at AD level, that user (for example user_n1) can still log on to OBIEE successfully, but with BIConsumer privileges only (despite the fact that there is no user_n1 in BIConsumer [security group] at AD level).

      From the WebLogic console I see user_n1 has gone from the users list after removing that user from the BIAuthors security group at AD level, so why can that user still log on to OBIEE?


      In AD we have created an OU called BI. Inside that OU we have created four security groups: BIAdministrators, BIAuthors, BIConsumers and BISystemUsers. From the WebLogic console I can see all four groups, so I suppose the configuration settings for the AD authentication provider are correct.


      Here is my AD provider configuration settings for users and groups:


      User Base DN: DC=my_company, DC=local

      All Users Filter: (&(sAMAccountType=805306368)(|(memberOf=CN=BIAdministrators,OU=BI,DC=my_company,DC=local)(memberOf=CN=BISystemUsers,OU=BI,DC=my_company,DC=local)(memberOf=CN=BIAuthors,OU=BI,DC=my_company,DC=local)(memberOf=CN=BIConsumers,OU=BI,DC=my_company,DC=local)))

      User From Name Filter: (sAMAccountName=%u)

      User Search Scope: subtree

      User Name Attribute: sAMAccountName

      User Object Class: user


      Group Base DN: OU=BI,DC=my_company,DC=local

      All Groups Filter: (objectCategory=group)

      Group From Name Filter: (&(cn=%g)(objectclass=group))

      Group Search Scope: subtree

      Group Membership Searching: unlimited


      In my opinion these settings are correct (but maybe I'm wrong?) and only AD users which are members of the BIAuthors, BIConsumers, BIAdministrators or BISystemUsers security group can log on to OBIEE, and other AD users should not have the possibility to successfully log on to OBIEE.

      We have a license limit, so a situation where every AD user can successfully log on to OBIEE is unacceptable.


      Any help appreciated. Thank you!
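Added example (not part of the post, and not WebLogic or Oracle code): a small evaluator for the LDAP filters quoted in the post, run against constructed directory entries. The evaluator, the sample accounts and the function names are assumptions made for illustration; the two filter strings are copied from the post. It shows what each filter returns on its own: the All Users Filter, with its memberOf clauses, hides an account that has left every BI group (the post's user_n1), while the User From Name Filter carries no memberOf clause and resolves that same account by sAMAccountName. The membership restriction therefore lives in only one of the two filters, which is the first thing to check when a removed user can still authenticate. The example also escapes the value substituted for %u per RFC 4515, so a login name of `*` cannot turn the name lookup into a match-everything filter.

```python
"""Evaluate the post's WebLogic AD filters against constructed AD entries.

Hypothetical evaluator (not WebLogic code). It supports the RFC 4515 subset the
post uses: (&...), (|...), (!...), (attr=value), plus WebLogic's %u placeholder.
"""

# Filters copied verbatim from the post's provider settings.
ALL_USERS_FILTER = (
    "(&(sAMAccountType=805306368)"
    "(|(memberOf=CN=BIAdministrators,OU=BI,DC=my_company,DC=local)"
    "(memberOf=CN=BISystemUsers,OU=BI,DC=my_company,DC=local)"
    "(memberOf=CN=BIAuthors,OU=BI,DC=my_company,DC=local)"
    "(memberOf=CN=BIConsumers,OU=BI,DC=my_company,DC=local)))"
)
USER_FROM_NAME_FILTER = "(sAMAccountName=%u)"

# Constructed sample entries (not real accounts). Attribute names are lower-cased
# and every value is a list because memberOf is multi-valued. user_n1 models the
# post's scenario: an account already removed from BIAuthors.
SAMPLE_ENTRIES = {
    "user_n1": {"objectclass": ["user"], "samaccountname": ["user_n1"],
                "samaccounttype": ["805306368"],
                "memberof": ["CN=Sales,OU=Teams,DC=my_company,DC=local"]},
    "user_n2": {"objectclass": ["user"], "samaccountname": ["user_n2"],
                "samaccounttype": ["805306368"],
                "memberof": ["CN=BIConsumers,OU=BI,DC=my_company,DC=local"]},
    "user_n3": {"objectclass": ["user"], "samaccountname": ["user_n3"],
                "samaccounttype": ["805306368"],
                "memberof": ["CN=BIAuthors,OU=BI,DC=my_company,DC=local",
                             "CN=Sales,OU=Teams,DC=my_company,DC=local"]},
    # A machine account placed in BIConsumers: sAMAccountType 805306369 is the
    # computer type, so the type clause of the All Users Filter keeps it out.
    "ws01$": {"objectclass": ["computer"], "samaccountname": ["ws01$"],
              "samaccounttype": ["805306369"],
              "memberof": ["CN=BIConsumers,OU=BI,DC=my_company,DC=local"]},
}


def escape_value(value):
    """RFC 4515 escaping for a value substituted into a filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', children) or ('=', attr, value) nodes."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")" or (op == "!" and len(children) != 1):
                raise ValueError(f"malformed '{op}' clause at offset {i}")
            return (op, children), i + 1
        end = text.index(")", i)          # the post's values contain no ')'
        attr, sep, value = text[i:end].partition("=")
        if not sep:
            raise ValueError(f"expected attr=value at offset {i}")
        return ("=", attr.strip().lower(), value.strip()), end + 1

    tree, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    if value == "*":                      # presence test
        return attr in entry
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(filter_text, entries=SAMPLE_ENTRIES, **placeholders):
    """Substitute escaped placeholder values (u=...), return sorted matching names."""
    for name, value in placeholders.items():
        filter_text = filter_text.replace("%" + name, escape_value(value))
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(tree, entry))


def users_listed_by_all_users_filter():
    """Accounts the All Users Filter returns: the membership-restricted view."""
    return search(ALL_USERS_FILTER)


def user_lookup_by_name(username):
    """Accounts the User From Name Filter returns for one login name."""
    return search(USER_FROM_NAME_FILTER, u=username)


if __name__ == "__main__":
    print("All Users Filter     :", users_listed_by_all_users_filter())
    for name in ("user_n1", "user_n3", "*"):
        print(f"From Name Filter ({name}):", user_lookup_by_name(name))
```

Run stand-alone, the script lists user_n2 and user_n3 under the All Users Filter (user_n1 has no BI group, the machine account fails the type clause), yet resolves user_n1 by name through the User From Name Filter. Confirm against the WebLogic documentation which of the two filters the provider applies at login; the evaluator only shows how the filter strings themselves behave.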