Oracle Bi 11g - Active Directory Authentication

Oracle Business Intelligence 11g
Active Directory Authenication
Antony Heljula November 2012
Page 1
www.peakindicators.com enquiries@peakindicators.com
TABLE OF CONTENTS 1. Authentication With Active Directory ............................................................................................................... 3 1.1 Overview ...................................................................................................................................................... 3 1.2 Set WebLogic LDAP to Sufficient ............................................................................................................... 4 1.3 Create New Identity Provider ....................................................................................................................... 6 1.4 Enable Virtualization ............................................................................................................................... 11 1.5 Tuning Active Directory for Large Organisations (Optional) ...................................................................... 13 1.6 Restart Oracle BI ......................................................................................................................................... 15
Page 2
1. AUTHENTICATION WITH ACTIVE DIRECTORY 1.1 OVERVIEW

This document provides instructions for configuration Oracle BI 11g to authenticate against Active Directory. With this configuration, the embedded Weblogic LDAP provider will still be the primary identity provider, so you dont need to migrate the BISystemUser account or any other system/admin accounts to Active Directory. The advantage of this is that Oracle BI will still be accessible and running even if the Active Directory server becomes unavailable on the network. Active Directory will be configured as the secondary identity provider, so all you normal end user accounts can be mastered in here. It assumes that all user groups will also be stored in Active Directory. So both authentication and authorization of the end users will be handled by Active Directory. Towards the end there is a section which shows you how to tune the authentication/authorisation processes this is applicable for very large Active Directory tree structures.
Page 3
1.2 SET WEBLOGIC LDAP TO SUFFICIENT

Log on to the WebLogic Console as the weblogic adminsitrator account: http://[BI SERVER]:7001/console
Navigate to the following screen Security Realms > myRealm:
Page 4
Click on the Providers tab and then click on the Lock and Edit button:
Click on the link for DefaultAuthenticator:
Set the Control Flag parameter to SUFFICIENT
Click the Save button
Page 5
1.3 CREATE NEW IDENTITY PROVIDER

Navigate back to the Providers tab by clicking the link at the top of the page:
Click on the New button to create a new Identity Provider:
Set the following Name and Type before hitting the OK button: Name: ADAuthenticator Type: ActiveDirectoryAuthenticator
Page 6
You should see you new Identity Provider listed, click on the ADAuthenticator link to do some further configuration:
Set the Control Flag parameter to SUFFICIENT and then click the Save button
Once saved, go to the Provider Specific tab:
Page 7
Set the Active Directory configuration parameters as follows: Host: Port: Principle: [AD Server Hostname or IP address] [AD port e.g. 389] [DN for OBI service account, used for connecting to AD to authenticate] e.g. CN=BIAdmin, OU=Users, DC=mycompany, DC=com [password for OBI service account] [password OBI service account] [DN for the location of users within AD] e.g. OU=Users, DC=mycompany, DC=com
Credential: Confirm Credential: User Base DN:
All Users Filter: (&(sAMAccountName=*)(objectclass=user)) User From Name Filter: (&(sAMAccountName=%u)(objectclass=user)) User Name Attribute: sAMAccountName Group Base DN: [DN for the location of groups within AD] OU=Groups, DC=mycompany, DC=com
Page 8
Click the Save button
Return back to the Providers tab (by clicking the link at the top) and then click the Reorder button:
Move ADAuthenticator to the second in the list:
Click on the OK button
Page 9
Now click Activate Changes
Page 10
1.4 ENABLE VIRTUALIZATION

NOTE: This step is required to enable the use of multiple Identity Providers and also to ensure that users will still be able to log in to OBIEE even if the WebLogic Admin Server went down Log on to Enterprise Manager as the [BI ADMIN USER] account: http://[BI SERVER]:7001/em
Expand WebLogic Domain, right-mouse click on bifoundation_domain and then choose the following menu option: Security > Security Provider Configuration
Page 11
In the middle of the screen, click the Configure button:
Click the Add button to add the following 3 custom properties: user.login.attr username.attr virtualize sAMAccountName sAMAccountName true
Click the OK button at the top-right Observe the success message to confirm the parameters have been applied:
Page 12
1.5 TUNING ACTIVE DIRECTORY FOR LARGE ORGANISATIONS (OPTIONAL)

If you have a very large Active Directory tree structure, then it might cause performance issues during the login process as it takes an extended period of time for authentication and authorisation to complete. The settings documented in this section can significantly improve performance. In one example (where users/groups were spread over 150 sub-trees in Active Directory) these settings reduced login times from 5-6 minutes down to just a few seconds. Log on to the WebLogic Console as the weblogic adminsitrator account: http://[BI SERVER]:7001/console Navigate to the following screen Security Realms > myRealm > Providers > Authentication and click on the link for your ADAuthentictor:
Click the Lock and Edit button Go to the Provider Specific tab and change the following parameters: Use Token Groups For Group Membership Lookup: [Enable] Cache Size: 3200
Page 13
Click the Save button Now go to the Performance tab of your authenticator and set the parameters as follows: Max Group Hierarchies in Cache: Group Hierarchy Cache TTL: Enable SID to Group Lookup Caching: Max SID TO Group Lookups In Cache: 1000 600 [Enable] 5000
Click the Save Button Click the Activate Changes button
NOTE: You will need to restart, this will be done in the next section
Page 14
1.6 RESTART ORACLE BI

The configuration is now complete, restart all Oracle BI Services:
Page 15

Oracle Bi 11g - Active Directory Authentication

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Oracle Bi 11g - Active Directory Authentication

Enviado por

Direitos autorais:

Formatos disponíveis

Oracle Business Intelligence 11g

Active Directory Authenication

Antony Heljula November 2012

1. AUTHENTICATION WITH ACTIVE DIRECTORY 1.1 OVERVIEW

1.2 SET WEBLOGIC LDAP TO SUFFICIENT

Navigate to the following screen Security Realms > myRealm:

Click on the link for DefaultAuthenticator:

Set the Control Flag parameter to SUFFICIENT

Click the Save button

1.3 CREATE NEW IDENTITY PROVIDER

Click on the New button to create a new Identity Provider:

Once saved, go to the Provider Specific tab:

Credential: Confirm Credential: User Base DN:

Click the Save button

Move ADAuthenticator to the second in the list:

Click on the OK button

Now click Activate Changes

1.4 ENABLE VIRTUALIZATION

In the middle of the screen, click the Configure button:

1.5 TUNING ACTIVE DIRECTORY FOR LARGE ORGANISATIONS (OPTIONAL)

Click the Save Button Click the Activate Changes button

1.6 RESTART ORACLE BI

Você também pode gostar