OBIEE Security Enforcement – LDAP Authentication
Authentication in OBIEE
Some authentication methods used by Oracle BI server are
- Oracle BI server (repository users) – I do not recommend this method for medium to large implementations. It will be difficult to manage.
I will discuss on setting up LDAP in this article.
Setting up LDAP or Windows ADSI in OBIEE
Microsoft ADSI (Active Directory Service Interface) is Microsoft version of LDAP server. Most of the steps to setup of either Microsoft ADSI or LDAP server are similar. In either case, you would need help from your network security group/admin to configure LDAP. They should provide you with the following information regarding the LDAP server
- LDAP server host name
- LDAP Server port number
- Base DN
- Bind DN
- Bind Password
- LDAP version
- Domain identifier, if any
- User name attribute type (in most cases this is default)
Registering an LDAP server in OBIEE
In Oracle BI repository, go to manage security.
Create a new LDAP server in OBIEE Security Manager
With the help from your network security group/administration, fill out the following information
Next in the Advanced tab, based on the kind of LDAP server you have and its configuration, make the necessary changes.
For Microsoft ADSI (Active Directory Service Interface), choose ADSI and for all others leave it unchecked.
Most of the times, Username attribute would be automatically generated. For Microsoft ADSI It is sAMAccountName; for most of the LDAP servers it is uid or cn. Check with your network security group/administrator on what is the username attribute for your LDAP server. Make a note of the user name attribute you will need it later.
Now we need to create an Authentication initialization block. In administration tool, under Manage go to Variables.
Under Action, go to New -> Session -> Initialization Block
Configure the session initialization block. Give it a name and click on Edit Data Source. In the pop up window, choose LDAP from the drop down box and then click on Browse. You can also configure a LDAP server here by clicking on “New”. In the browse pop up window choose the LDAP server you would like to use.
Next we need to create variables. User and Email are the common variables normally in play.
Upon clicking on OK, a warning pops up on the usage of User session variable (User session variable has a special purpose. Are you sure you want to use this name). Click yes.
Next enter the LDAP variable for username. sAMAccountName in the case of ADSI as configured in the LDAP.
Next following similar steps create a variable for Email. In addition, depending on you need, you can bring additional variables from the LDAP server.
Now bounce your services.
February 3, 2009 - Posted by Kumar Kambam | OBIEE Security | ADSI, LDAP, OBIEE, OBIEE and ADSI, OBIEE and LDAP, OBIEE Authentication, OBIEE Authorization, OBIEE Configuration, OBIEE Security, Oracle BI
15 Comments »
I am Kumar Kambam, a BI and DW professional. I have been working with OBIEE (also known as Siebel Analytics yesteryears) and Informatica for a long time now. I am currently working with BI Consulting Group (BICG). This Blog is my attempt to share my knowledge with the world. I will write here as often as I can about whatever I come across in the BI and DW space. Also please visit Oracle BI Blog by BICG where my colleagues often contribute at.
The views expressed here by me are entirely mine and do not necessarily express the views of my Employer or Clients.
- OBIEE Security Enforcement – LDAP Authentication
- OBIEE Data Security - Column Level Security
- OBIEE and Virtual Private Database (VPD)
- OBIEE Cache is enabled, but why is the query not cached?
- OBIEE Security Enforcement – External Database Table Authorization
- Simplifying Migration Process – Changing Environment Specific Variables in RPD
- Connection Pools – Best Practices
- OBI Apps Informatica Performance Tuning – Optimizing SIL Read Throughputs – Teradata Response Buffer Size Optimization
- OBIEE on Windows 7 beta 32 bits