bavireddy.files.wordpress.com  · Web view2012. 8. 17. · OBIEE11g Integration with LDAP and configuration. OBIEE 11g can work with many Authentication Providers. OBIEE 11g provides

OBIEE11g Integration with LDAP and configuration

OBIEE 11g can work with many Authentication Providers. OBIEE 11g provides default authentication to connect with Enterprise Manager, Analytics, and WebLogic Server. Some companies have struggled with the configuration when using other third-party providers. I worked with some customers to configure the OBIEE 11g security with Microsoft Active Directory.

First, configure the LDAP Authenticator in WebLogic Server 11.1.1.6.0 by following these steps:

Step 1: Log in to the WebLogic console.

Step 2: Click on Security Realms in the Domain Structure panel on the left-hand side.

Step 3: In the Security Realms list, click on the “myrealm” name.

Step 4: In the settings screen, click on the “Providers” tab, then the Authentication sub-tab.

Step 5: Before we can make changes or create anything new, we have to lock the session. Click the Lock & Edit button in the top left corner.

Step 6: Before starting the new LDAP configuration, we need to change the DefaultAuthenticator Control Flag from “REQUIRED” to “SUFFICIENT”.

Step 7: Enter the name of the new Authentication Provider, such as “OpenLDAP”, and in the type drop-down box (DefaultAuthenticator) select “LDAP Authenticator”. Click OK.

Step 8: You can now see this new provider. Click on the provider name to edit its settings.

Step 10: In the Provider Specific tab, enter the following details, adjusting them to suit your environment.

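Connection Section:

| Section | Setting | Value |
|---|---|---|
| Connection | Host | sfcoldap01 |
| Connection | Port | 389 |
| Connection | Principal | CN=admin,DC=portal,DC=lodgenet,DC=com |
| Connection | Credential | Enter the password for the Administrator user in LDAP server. |
| Connection | SSLEnabled | No |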

User Section:

| Section | Setting | Value |
|---|---|---|
| User | User Base DN | ou=people,dc=portal,dc=lodgenet,dc=com |
| User | All User Filter | Leave blank |
| User | User From Name Filter | (&(mail=%u)(objectclass=posixAccount)) |
| User | User Search Scope | Subtree |
| User | User Name Attribute | mail |
| User | User Object Class | posixAccount |
| User | Use Retrieved User Name as Principal | No |

Group Section:

| Section | Setting | Value |
|---|---|---|
| Group | Group Base DN | ou=groups,dc=portal,dc=lodgenet,dc=com |
| Group | All User Filter | Leave blank |
| Group | Group From Name Filter | (&(cn=%g)(objectclass=posixGroup)) |
| Group | Group Search Scope | Subtree |
| Group | Group Membership Searching | unlimited |
| Group | Max Group Membership Search Level | 0 |
| Group | Ignore Duplicate Membership | No |

Static Groups Section:

| Section | Setting | Value |
|---|---|---|
| Static Groups | Static Group Name Attribute | cn |
| Static Groups | Static Group Object Class | posixGroup |
| Static Groups | Static Member DN Attributes | memberUid |
| Static Groups | Static Group DNs from Member DN Filter | (&(memberUid=%M)(objectclass=posixGroup)) |

Dynamic Groups Section:

| Section | Setting | Value |
|---|---|---|
| Dynamic Groups | Dynamic Group Name Attribute | Leave blank |
| Dynamic Groups | Dynamic Group Object Class | Leave blank |
| Dynamic Groups | Dynamic Member URL Attributes | Leave blank |
| Dynamic Groups | User Dynamic Group DN Attribute | Leave blank |

General Section:

| Section | Setting | Value |
|---|---|---|
| General | Connection Pool Size | 6 |
| General | Connect Timeout | 0 |
| General | Connection Retry Limit | 1 |
| General | Parallel Connect Delay | 0 |
| General | Results Time Limit | 0 |
| General | Keep Alive Enabled | no |
| General | Follow Referrals | yes |
| General | Bind Anonymously On Referrals | no |
| General | Propagate Cause for Login Exception | no |
| General | Cache Enabled | yes |
| General | Cache Size | 32 |
| General | Cache TTL | 60 |
| General | GUID Attributes | entryuuid |

When complete, click Save. Return to the Providers list.

Now we create the Authentication Provider that connects to the Active Directory server.

Step a: Enter the name of the new Authentication Provider, such as “LodgenetAD”, and in the type drop-down box (DefaultAuthenticator) select “ActiveDirectoryAuthenticator”. Click OK.

Step b: You can now see this new provider. Click on the provider name to edit its settings.

Step c: In the Common tab, change the Control Flag to “SUFFICIENT”. Click Save.

Step d: In the Provider Specific tab, enter the following details, adjusting them to suit your environment.

Connection Section:

| Section | Setting | Value |
|---|---|---|
| Connection | Host | sfcodc01 |
| Connection | Port | 389 |
| Connection | Principal | LODGENET\obieeldap |
| Connection | Credential | Enter the password for the Administrator user in LDAP server. |
| Connection | SSLEnabled | No |

User Section:

| Section | Setting | Value |
|---|---|---|
| User | User Base DN | OU=IT,DC=lodgenet,DC=com |
| User | All User Filter | Leave blank |
| User | User From Name Filter | (&(mail=%u)(objectclass=user)) |
| User | User Search Scope | Subtree |
| User | User Name Attribute | mail |
| User | User Object Class | user |
| User | Use Retrieved User Name as Principal | No |

Group Section:

| Section | Setting | Value |
|---|---|---|
| Group | Group Base DN | OU=OBIEE Users,DC=lodgenet,DC=com |
| Group | All User Filter | Leave blank |
| Group | Group From Name Filter | (&(cn=%g)(objectclass=group)) |
| Group | Group Search Scope | Subtree |
| Group | Group Membership Searching | unlimited |
| Group | Max Group Membership Search Level | 0 |
| Group | Ignore Duplicate Membership | No |
| Group | Use Token Groups For Group Membership Lookup | no |

Static Groups Section:

| Section | Setting | Value |
|---|---|---|
| Static Groups | Static Group Name Attribute | cn |
| Static Groups | Static Group Object Class | group |
| Static Groups | Static Member DN Attributes | member |
| Static Groups | Static Group DNs from Member DN Filter | (&(member=%M)(objectclass=group)) |

Dynamic Groups Section:

| Section | Setting | Value |
|---|---|---|
| Dynamic Groups | Dynamic Group Name Attribute | Leave blank |
| Dynamic Groups | Dynamic Group Object Class | Leave blank |
| Dynamic Groups | Dynamic Member URL Attributes | Leave blank |
| Dynamic Groups | User Dynamic Group DN Attribute | Leave blank |

General Section:

| Section | Setting | Value |
|---|---|---|
| General | Connection Pool Size | 6 |
| General | Connect Timeout | 0 |
| General | Connection Retry Limit | 1 |
| General | Parallel Connect Delay | 0 |
| General | Results Time Limit | 0 |
| General | Keep Alive Enabled | no |
| General | Follow Referrals | yes |
| General | Bind Anonymously On Referrals | no |
| General | Propagate Cause for Login Exception | no |
| General | Cache Enabled | yes |
| General | Cache Size | 32 |
| General | Cache TTL | 60 |
| General | GUID Attributes | objectguid |

When complete, click Save. Return to the Providers list.

Step 11: We now need to change the order so that “LodgenetAD” is first and “OpenLDAP” is second in the list. Click the Reorder button.

Check the “LodgenetAD” option and click the icon to move it to the top, then follow the same approach for “OpenLDAP”. Then click OK.

Step 12: The realm is now set up, but before we activate it we need to check it is working correctly. Click the Activate Changes button to save all recent changes, log out of the console and perform a full restart of WebLogic and OBIEE.

Step 13: After starting OBIEE 11g, verify that the configuration is correct: you will see the users and groups, and the Provider shown for each user or group is LodgenetAD or OpenLDAP.

Similarly, you can view the groups being picked up from the LDAP.
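
Step 6, Step c and Step 11 all depend on how the Control Flag and the provider order interact. The sketch below is an added example, not part of the original document or of Oracle's code: it models the standard JAAS control-flag rules, and the names authenticate, build_chain and the sample users are constructed for illustration.

```python
# Added illustration (not from the original page): a simplified model of
# JAAS control-flag evaluation over an ordered provider list.
# Provider names are the page's; the user stores are constructed samples.
AD_USERS = {"ad.user@example.com"}
LDAP_USERS = {"ldap.user@example.com"}
EMBEDDED_USERS = {"weblogic"}

def authenticate(providers, user):
    """providers: ordered (name, control_flag, known_users) tuples.
    Returns (accepted, names_of_providers_consulted)."""
    has_required = required_failed = optional_ok = False
    consulted = []
    for name, flag, users in providers:
        consulted.append(name)
        ok = user in users            # stands in for a bind/password check
        if flag in ("REQUIRED", "REQUISITE"):
            has_required = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break             # REQUISITE failure ends evaluation
        elif ok:
            optional_ok = True
            if flag == "SUFFICIENT" and not required_failed:
                break                 # SUFFICIENT success ends evaluation
    # Every REQUIRED/REQUISITE provider consulted must pass; if there was
    # none, at least one SUFFICIENT/OPTIONAL provider must have accepted.
    accepted = (not required_failed) if has_required else optional_ok
    return accepted, consulted

def build_chain(default_flag, reordered):
    """Provider list before (reordered=False) or after the Step 11 reorder."""
    default = ("DefaultAuthenticator", default_flag, EMBEDDED_USERS)
    added = [("LodgenetAD", "SUFFICIENT", AD_USERS),
             ("OpenLDAP", "SUFFICIENT", LDAP_USERS)]
    return added + [default] if reordered else [default] + added

if __name__ == "__main__":
    cases = [("DefaultAuthenticator REQUIRED, listed first",
              build_chain("REQUIRED", False)),
             ("all SUFFICIENT, reordered", build_chain("SUFFICIENT", True))]
    for label, providers in cases:
        for user in ("ad.user@example.com", "ldap.user@example.com", "weblogic"):
            print(label, "|", user, "->", authenticate(providers, user))
```

With every provider set to SUFFICIENT, acceptance by any one provider logs the user in, so each listed directory is trusted equally for authentication.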