Kumar Kambam’s OBIEE Blog

Intelligence on Oracle Business Intelligence

OBIEE Security Enforcement – LDAP Authentication

Authentication in OBIEE

Some of the authentication methods used by the Oracle BI server are:

  1. Database
  2. LDAP
  3. Oracle BI server (repository users) – I do not recommend this method for medium to large implementations. It will be difficult to manage.

This article covers setting up LDAP.

 

Setting up LDAP or Windows ADSI in OBIEE

Microsoft ADSI (Active Directory Service Interface) is Microsoft's version of an LDAP server. Most of the steps to set up either Microsoft ADSI or an LDAP server are similar. In either case, you will need help from your network security group/admin to configure LDAP. They should provide you with the following information about the LDAP server:

  1. LDAP server host name
  2. LDAP Server port number
  3. Base DN
  4. Bind DN
  5. Bind Password
  6. LDAP version
  7. Domain identifier, if any
  8. User name attribute type (in most cases this is default)

Registering an LDAP server in OBIEE

In the Oracle BI repository, go to Manage -> Security.

 

Create a new LDAP server in OBIEE Security Manager

With help from your network security group/administrator, fill out the following information.

 

Next, in the Advanced tab, make the necessary changes based on the kind of LDAP server you have and its configuration.

For Microsoft ADSI (Active Directory Service Interface), check ADSI; for all other servers leave it unchecked.

Most of the time, the user name attribute is generated automatically. For Microsoft ADSI it is sAMAccountName; for most LDAP servers it is uid or cn. Check with your network security group/administrator what the user name attribute is for your LDAP server. Make a note of the user name attribute; you will need it later.

 

 

Now we need to create an authentication initialization block. In the Administration Tool, under Manage, go to Variables.

 

Under Action, go to New -> Session -> Initialization Block

 

 

Configure the session initialization block. Give it a name and click on Edit Data Source. In the pop-up window, choose LDAP from the drop-down box and then click on Browse. You can also configure an LDAP server here by clicking on “New”. In the Browse pop-up window, choose the LDAP server you would like to use.

 

Next we need to create variables. User and Email are the variables most commonly used.

 

 

Upon clicking OK, a warning pops up about the use of the User session variable (“User session variable has a special purpose. Are you sure you want to use this name”). Click Yes.

 

 

Next, enter the LDAP variable for the user name: sAMAccountName in the case of ADSI, as configured for the LDAP server.

 

Next, following similar steps, create a variable for Email. In addition, depending on your needs, you can bring in additional variables from the LDAP server.

 

 

Now bounce your services.
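The values from the checklist above can be verified from a command line before they are entered in the Administration Tool. The following is an added example, not part of the original post or of OBIEE: it builds two OpenLDAP `ldapsearch` calls, assuming the BI Server follows the usual search-then-bind sequence (bind as the Bind DN, find the user under the Base DN by the user name attribute, then bind as that user). The host, DNs and login are constructed sample values.

```python
import shlex

# Constructed sample values; substitute the ones your LDAP administrator provides.
SAMPLE_CFG = {
    "host": "ldap.example.com", "port": 389, "version": 3,
    "base_dn": "DC=example,DC=com",
    "bind_dn": "CN=svc_obiee,OU=Service Accounts,DC=example,DC=com",
    "user_attr": "sAMAccountName",  # uid or cn on most non-ADSI servers
}
# The bind password is deliberately not stored: ldapsearch prompts for it.
REQUIRED = ("host", "port", "base_dn", "bind_dn", "version", "user_attr")

# RFC 4515: characters that must be escaped inside a search-filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def missing_fields(cfg):
    """Names of checklist items that are absent or empty in cfg."""
    return [k for k in REQUIRED if not cfg.get(k)]


def escape_filter_value(value):
    """Escape a login name so it cannot alter the search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def precheck_commands(cfg, login, user_dn):
    """Build the two ldapsearch calls; -W prompts for the password so it
    never appears in shell history or the process list."""
    base = ["ldapsearch", "-x", "-H", "ldap://%s:%d" % (cfg["host"], cfg["port"]),
            "-P", str(cfg["version"]), "-W"]
    filt = "(%s=%s)" % (cfg["user_attr"], escape_filter_value(login))
    # Step 1: bind as the Bind DN and look the login up under the Base DN.
    find_user = base + ["-D", cfg["bind_dn"], "-b", cfg["base_dn"],
                        "-s", "sub", filt, cfg["user_attr"]]
    # Step 2: bind as the DN that step 1 returned and read only that entry.
    bind_user = base + ["-D", user_dn, "-b", user_dn, "-s", "base",
                        "(objectClass=*)", cfg["user_attr"]]
    return find_user, bind_user


if __name__ == "__main__":
    assert not missing_fields(SAMPLE_CFG)
    for cmd in precheck_commands(SAMPLE_CFG, "jdoe",
                                 "CN=J Doe,OU=Users,DC=example,DC=com"):
        print(shlex.join(cmd))
```

If step 1 succeeds but returns no entry, the Base DN or user name attribute is wrong; if step 1 returns the user but step 2 fails, the problem is the user's own credentials rather than the server definition.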

 

 


February 3, 2009 | OBIEE Security

15 Comments »

  1. Hi Kumar,

    Nice to meet you, Kumar. I have been working with OBIEE for around half a year. I have knowledge of Answers and dashboards, but I lack knowledge of how to do user access control. For example, I have created a single dashboard report for two users, user A and user B. User A is not able to read user B's report and so on; each user can see only their own report. Can Kumar help me with this?
    Thanks a lot,

    Best regards,
    steve cheong

    Comment by Steve cheong | March 4, 2009

  2. [...] Commonly asked question – What is the difference between authentication and authorization? Authentication is the process in which a user id and password is verified to see if the user is a valid user. The process can be compared to logging on to your email or even your laptop. Once the user logs on, authorization takes care of what components or data a user can have access to. To read about OBIEE Authentication click here. [...]

    Pingback by OBIEE Security Enforcement – External Database Table Authorization « Kumar Kambam’s OBIEE Blog | March 17, 2009

  3. Hi Kumar,
    Nice to see your blog.
    Nowadays I am facing a problem with authentication (I am using the Microsoft ADSI version of LDAP server), but I am not able to authenticate the LDAP users.
    I have configured my LDAP server in the same manner as you mentioned in this blog.

    When I try to authenticate the user from the RPD itself, I get the following error:
    “authentication failed” (actually I forgot the exact message, but its meaning is the same as what I have written here)
    though I am able to authenticate the bind user (which I used to configure the LDAP server).

    Please help me with this, as I have already wasted a lot of time doing R&D to make it work.

    I have an urgent requirement to do the same.

    Your help will be highly appreciated…
    Thanks in advance

    Comment by Mohit | March 20, 2009

  4. How do we associate LDAP users to BI Server groups? I can login but I’m just an authenticated user with no rights to do anything at that point.

    Comment by Mark Jacobson | April 7, 2009

  5. Excellent and detailed instructions. I am working on a VPD setup and found the following related links useful:

    http://dylanwan.wordpress.com/2008/01/04/oracle-vpd-and-oracle-bi-ee-part-1/

    http://oraclebizint.wordpress.com/2007/08/29/obi-ee-10133-and-vpd/

    http://download.oracle.com/owsf_2003/40176_dw_security_10g.doc

    Comment by Rajesh | May 18, 2009

  6. Two notes:
    1. On “Session Initialization Block” dialog the check box “Required for authentication” must be checked.
    2. Authentication will fail if the LDAP user trying to log in also exists in the repository!

    Thanks for this excellent article!

    Comment by GiorgosB | July 13, 2009

  7. Hi
    We are using Microsoft AD.
    Where can I find the “Base DN”, “Bind DN” and “Bind Password” attributes to complete this LDAP configuration?

    Comment by Guram | August 26, 2009

  8. You need to get help from your LDAP admin.

    Comment by Kumar Kambam | August 26, 2009

  9. Thanks for providing a lot of info, Kumar.

    Comment by veeresh | December 8, 2009

  10. Hello,

    I’m facing a question and maybe you can answer… Does it work on Oracle Business Intelligence Standard Edition One? I’m working with it and I need to know that!

    Thank you,
    Elisabete Silva

    Comment by Elisabete Silva | January 26, 2010

  11. Hi Kumar,

    First of all, let me thank you for all this work you are doing (sharing the knowledge).

    I’ve gone through the security implementation articles which you’ve published and have a question. I am working in a Siebel-integrated environment with OBIEE, and the authentication is in LDAP authentication mode. There is a requirement from the business that we also have to do data-level security, such that a person in one branch can’t see another branch’s data. Can LDAP and this type of security work together? If yes, could you please share the details, if you have any on that front? Thanks a lot in advance for all your help.

    Regards,
    -Satya

    Comment by Satya | January 27, 2010

  12. I have a working LDAP definition. I tried to modify it to call repository variables instead of hard-coded values. For example, in the Host Name field I replaced the hostname with a variable call, VALUEOF(LDAP_HOST); I have the host name stored in a table and I have a repository variable “LDAP_HOST”. The reason for doing this is to eliminate the manual step of updating the LDAP definition when I promote from Test to Prod. Well, it throws the error “[53003] LDAP bind failure: Can’t Contact LDAP server.” Have you tried building an LDAP server definition calling repository variables?

    Comment by Robert Murray | February 17, 2010

  13. I did not try this, Robert. I will try this soon.

    Comment by Kumar Kambam | March 4, 2010

  15. Try this doc for more information

    http://download.oracle.com/docs/cd/E14223_01/bia.796/e14219/security.htm

    Comment by Kumar Kambam | March 4, 2010

