
Thursday, September 13, 2012

How-to: OID Authentication with Groups Stored in an External Database Table - OBIEE 11g


As more firms seek to consolidate their technology stack while expanding their analytics capabilities, it makes more and more sense to transition your OBIEE 10g analytics solution to Oracle's new 11g framework. Oracle's 11g framework provides, among other things:

  • An integrated solution for managing & deploying 11g applications from a single environment (Weblogic and Fusion Middleware)
  • A centralized system for configuring security across all your environments
  • Integration with Oracle's 11g exadata & exalytics solutions
  • A framework for utilizing external web services within your reporting solution
    • e.g. Your company seeks to expand its business and enter a new market, so you create a report using 11g's MapViewer that pulls in Yelp.com's API to aggregate user reviews and determine which services consumers are the most unsatisfied with, letting you quantify new business opportunities and entry points. You definitely cannot do that in 10g :)

But before you can save the world and generate new business ideas for your company - step 1 is to deploy the OBIEE 11g application within your company. You've done an analysis of your company's security policy and determined that user authentication is stored in Oracle Internet Directory but corresponding reporting groups are stored in an external database table.

In 11g you can accommodate this security model by deploying two authentication providers: one for OID, and another for the external database table. I've outlined the steps below needed to accomplish this task:


Step 1: Configure OID Authentication

To successfully implement an 'OID authentication w/ groups in an external database' security model, you are really completing two separate tasks:

1) Configure OID Authentication
2) Configure external groups authentication

I've posted a complete series on how to configure your 11g environment to utilize OID as an authentication source. The OID authentication configuration process is approximately 15 steps, so take your time, document your process and, before proceeding to step 2, make sure you can log into your 11g Answers environment with users in your OID.

Do not proceed to step 2 until your OID users can successfully log into the 11g Answers environment.


Step 2:  Deploy your Sample Schema for Groups & Group Members

In your 10g deployment, you probably created an init block that stored a user's groups to the GROUPS session variable. 11g handles user group authentication via Weblogic & Fusion Middleware using an authentication provider similar to the one you created for your OID authentication. The only difference between the OID authentication & the group authentication is instead of hitting OID as the authenticator, we're going to create a BI SQL Group authentication provider that will hit an external database.

Your groups database schema needs to resemble the following data model*:

* Data model taken from Oracle Fusion Middleware Security Guide
Groups table: represents all of the possible groups in your system.
Groupmembers table: stores all of the users and their corresponding group.

Below are 2 rudimentary statements you can use to generate the tables, but note they don't utilize any type of indexes, PK/FK relationships, or best practices. I'd use these for a POC (proof of concept) and, once the system is ready to scale, create the model using best practices:

GROUPS create statement:


-- replace <schema_owner> with the schema that owns the group tables
CREATE TABLE <schema_owner>.GROUPS (
  G_NAME        VARCHAR2(100 BYTE),
  G_DESCRIPTION VARCHAR2(100 BYTE)
);

Groupmembers create statement:


-- replace <schema_owner> with the schema that owns the group tables
CREATE TABLE <schema_owner>.GROUPMEMBERS (
  G_NAME   VARCHAR2(100 BYTE),
  G_MEMBER VARCHAR2(100 BYTE)
);


Remember that the BISystemUsers, BIAdministrators, BIConsumers and BIAuthors groups must appear in your external database table!

Step 3:  Install the BISQLGroupProvider authenticator

Using an external data source for groups within 11g is a new feature that was not initially available in 11.1.1. Oracle later implemented this feature as an add-on but since it wasn't part of the core release (11.1.1.4 and earlier), you're going to have to install the BISQLGroupProvider authenticator before it will appear as an available provider within your provider tab.

Step 3.1)
Copy the BISecurityProviders.jar file located in MW_HOME/ORACLE_HOME/bifoundation/security/providers
to the following folder path:  MW_HOME/wlserver_10.3/server/lib/mbeantypes
Step 3.2)

After copying the file into the specified location you must restart the Administration Server to enable the new provider to appear in the list of available authenticators.

Step 4:  Create the Groups data source in Weblogic

In weblogic (:7001/console/) navigate to : bifoundation_domain -> Services -> Data sources -> Configuration -> New -> Generic Data source


Step 4.1) Create a new JDBC source name

Name: The value of the 'name' field will be used in the config.xml file and in weblogic whenever referring to this data source. For this example, let's use the name: BIDatabaseGroupDS

JNDI Name: This value will be used when creating the database adapter for the virtualized identity store. For this example, let's use: jdbc/BIDatabaseGroupDS


Step 4.2) Specify the database driver

You will need to identify your database driver before proceeding. If you're using an Oracle stack w/ an 11g database, then the default specification will suffice.


Step 4.3) Specify Connection Information


Database Name: For example, enter: ora11. The name of the database that you want to connect to.

Host Name: For example, enter: mymachine.mycompany.com The DNS name or IP address of the server that hosts the database.

Port: For example, enter: 1521. The port on which the database server listens for connections requests.

Database User Name: Typically the schema owner of the tables defined in  Step 2.


Step 4.4) Test database connection

At this point you'll be transferred to a screen that asks you to test the connection using the SQL statement:
SELECT 1 FROM DUAL

You need to pass this step before moving on, so a connection error at this point is an indication that you've incorrectly configured your data source.

Hopefully you will see a 'Connection test succeeded' message like below.



Step 4.5) Deploy the JDBC Data Source to the Admin and Managed Server

After clicking 'Finish' you will need to navigate to: bifoundation_domain -> Services -> Data Sources -> BIDatabaseGroupDS -> Targets. Check the 'AdminServer' and 'bi_cluster' checkboxes to deploy the JDBC Data Source.



Step 5: Create the BISQLGroupProvider Authentication Provider

5.1) Navigate to Security Realms -> myrealm -> Providers -> Authentication (as seen below)

5.2) Create a New Authentication Provider called 'MySQLGroupProvider' using type 'BISQLGroupProvider'



5.3) Re-order the Authentication Provider list so that MySQLGroupProvider is the first authentication provider on the list


5.4) Create the custom SQL statements needed to generate the user & corresponding group memberships

Navigate to the 'Provider Specific' tab within your MySQLGroupProvider and populate the SQL Statements as follows (note that you will have to modify these statements if you did not follow the data model in Step 2). Do not remove the '?' from the SQL statements: it is a bind-parameter placeholder that weblogic populates with a specific value at runtime.


Query: SQL List Groups
SQL: SELECT G_NAME FROM GROUPS WHERE G_NAME LIKE ?
Notes: The SQL statement used to retrieve group names that match a wildcard. The SQL statement requires a single parameter for the group name and must return a resultSet containing the matching groups.

Query: SQL Group Exists
SQL: SELECT G_NAME FROM GROUPS WHERE G_NAME = ?
Notes: The SQL statement used to look up a group. The SQL statement requires a single parameter for the group name and must return a resultSet containing at most a single record containing the group.

Query: SQL Is Member
SQL: SELECT G_MEMBER FROM GROUPMEMBERS WHERE G_NAME = ? AND G_MEMBER = ?
Notes: The SQL statement used to look up members of a group. The SQL statement requires two parameters: a group name and a member or group name. It must return a resultSet containing the group names that matched.

Query: SQL List Member Groups
SQL: SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ?
Notes: The SQL statement used to look up the groups a user or group is a member of. The SQL statement requires a single parameter for the username or group name and returns a resultSet containing the names of the groups that matched.

Query: SQL Get Group Description (only if Descriptions Supported is enabled)
SQL: SELECT G_DESCRIPTION FROM GROUPS WHERE G_NAME = ?
Notes: The SQL statement used to retrieve the description of a group. Only valid if Descriptions Supported is enabled. The SQL statement requires a single parameter for the group name and must return a resultSet containing at most a single record containing the group description.

Make the Data Source Name: jdbc/BIDatabaseGroupDS
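The Step 2 schema and the five provider statements above can be exercised offline before you touch weblogic. The block below is an added example, not code from this post or from Oracle: it stands the two tables up in SQLite (so VARCHAR2(100 BYTE) is written as VARCHAR(100)), seeds constructed sample rows, runs each provider query with bound parameters exactly as weblogic would, and checks that the four mandatory BI groups are present.

```python
import sqlite3

# The page's GROUPS / GROUPMEMBERS model; SQLite stands in for Oracle here.
SCHEMA = """
CREATE TABLE GROUPS (
    G_NAME        VARCHAR(100),
    G_DESCRIPTION VARCHAR(100)
);
CREATE TABLE GROUPMEMBERS (
    G_NAME   VARCHAR(100),
    G_MEMBER VARCHAR(100)
);
"""

# Groups the post says must exist in the external table.
MANDATORY_GROUPS = ("BISystemUsers", "BIAdministrators", "BIAuthors", "BIConsumers")

# Constructed sample data: the mandatory groups plus one custom reporting group.
SAMPLE_GROUPS = [
    ("BISystemUsers", "OBIEE system accounts"),
    ("BIAdministrators", "OBIEE administrators"),
    ("BIAuthors", "Report authors"),
    ("BIConsumers", "Report consumers"),
    ("ES Worker", "Custom reporting group"),
]
SAMPLE_MEMBERS = [
    ("BISystemUsers", "BISystemUser"),
    ("BIAdministrators", "weblogic"),
    ("BIAuthors", "jdoe"),
    ("BIConsumers", "jdoe"),
    ("ES Worker", "jdoe"),
    ("BIAuthors", "ES Worker"),   # a group nested inside another group
]

# The five statements from the 'Provider Specific' tab, unchanged;
# every '?' is a bind parameter that weblogic fills in at runtime.
PROVIDER_SQL = {
    "SQL List Groups": "SELECT G_NAME FROM GROUPS WHERE G_NAME LIKE ?",
    "SQL Group Exists": "SELECT G_NAME FROM GROUPS WHERE G_NAME = ?",
    "SQL Is Member": "SELECT G_MEMBER FROM GROUPMEMBERS WHERE G_NAME = ? AND G_MEMBER = ?",
    "SQL List Member Groups": "SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ?",
    "SQL Get Group Description": "SELECT G_DESCRIPTION FROM GROUPS WHERE G_NAME = ?",
}


def build_db(groups=SAMPLE_GROUPS, members=SAMPLE_MEMBERS):
    """Create the two tables in memory and load the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO GROUPS VALUES (?, ?)", groups)
    conn.executemany("INSERT INTO GROUPMEMBERS VALUES (?, ?)", members)
    return conn


def run(conn, query_name, *params):
    """Run one provider query with bound parameters; return the first column as a list."""
    return [row[0] for row in conn.execute(PROVIDER_SQL[query_name], params)]


def missing_mandatory_groups(conn):
    """Mandatory groups that 'SQL Group Exists' cannot find (should be empty)."""
    return [g for g in MANDATORY_GROUPS if not run(conn, "SQL Group Exists", g)]


def list_groups(conn, pattern):
    return run(conn, "SQL List Groups", pattern)


def group_exists(conn, name):
    return bool(run(conn, "SQL Group Exists", name))


def is_member(conn, group, member):
    return bool(run(conn, "SQL Is Member", group, member))


def member_groups(conn, member):
    return run(conn, "SQL List Member Groups", member)


def group_description(conn, name):
    rows = run(conn, "SQL Get Group Description", name)
    return rows[0] if rows else None


if __name__ == "__main__":
    conn = build_db()
    print("missing mandatory groups:", missing_mandatory_groups(conn))
    print("groups matching BI%:", list_groups(conn, "BI%"))
    print("jdoe's groups:", member_groups(conn, "jdoe"))
```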


5.5) Navigate to the 'Common' tab and set the Control Flag to 'Optional'

The JAAS Control Flag needs to be set to Optional to let weblogic know that, even if authentication fails against this provider (a user isn't found in the group/groupmembers data model), it should continue down the authentication provider list.


Step 6) Create a database adapter for the Virtualized Identity Store

Now we're going to create an XML file which will act as a database adapter to facilitate access to the group/groupmembers data model.

Create an XML file called 'bi_sql_groups_adapter_template.xml' and populate it with the following content:


<?xml version = '1.0' encoding = 'UTF-8'?>
<adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters" xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
   <dataBase id="directoryType" version="0">
      <root>%ROOT%</root>
      <active>true</active>
      <serverType>directoryType</serverType>
      <routing>
         <critical>true</critical>
         <priority>50</priority>
         <inclusionFilter/>
         <exclusionFilter/>
         <plugin/>
         <retrieve/>
         <store/>
         <visible>Yes</visible>
         <levels>-1</levels>
         <bind>true</bind>
         <bind-adapters/>
         <views/>
         <dnpattern/>
      </routing>
      <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
         <plugins>
            <plugin>
               <name>VirtualAttribute</name>
               <class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin</class>
               <initParams>
                  <param name="ReplaceAttribute" value="uniquemember={cn=%uniquemember%,cn=Users,dc=trusted,dc=oracle,dc=dev}"/>
               </initParams>
            </plugin>
         </plugins>
         <default>
            <plugin name="VirtualAttribute"/>
         </default>
         <add/>
         <bind/>
         <delete/>
         <get/>
         <modify/>
         <rename/>
      </pluginChains>
      <driver>oracle.jdbc.driver.OracleDriver</driver>
      <url>%URL%</url>
      <user>%USER%</user>
      <password>%PASSWORD%</password>
      <ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
      <includeInheritedObjectClasses>true</includeInheritedObjectClasses>
      <maxConnections>10</maxConnections>
      <mapping>
         <joins/>
         <objectClass name="groupofuniquenames" rdn="cn">
            <attribute ldap="cn" table="GROUPMEMBERS" field="G_NAME" type=""/>
            <attribute ldap="description" table="GROUPMEMBERS" field="G_NAME" type=""/>
            <attribute ldap="uniquemember" table="GROUPMEMBERS" field="G_MEMBER" type=""/>
         </objectClass>
      </mapping>
      <useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
      <connectionWaitTimeout>10</connectionWaitTimeout>
      <oracleNetConnectTimeout>0</oracleNetConnectTimeout>
      <validateConnection>false</validateConnection>
   </dataBase>
</adapters>

Two parts of this file need to be customized based on your requirements: the ReplaceAttribute param and the three attribute lines in the mapping. Let's take this 1 step at a time.

First) In <param name="ReplaceAttribute" value="uniquemember={cn=%uniquemember%,cn=Users,dc=trusted,dc=oracle,dc=dev}"/>, the DN that follows %uniquemember% needs to be the User Base DN you specified in Step 2 of Part 1 of my OBIEE 11g OID installation guide.

If, for example, your User Base DN is dc=trusted,dc=oracle,dc=com, then you would need to modify the XML above to be:
<param name="ReplaceAttribute" value="uniquemember={cn=%uniquemember%,dc=trusted,dc=oracle,dc=com}"/>

The %uniquemember% field is a placeholder which gets populated via the SQL statements in your Group Authentication provider.


Second)
<attribute ldap="cn" table="GROUPMEMBERS" field="G_NAME" type=""/>
<attribute ldap="description" table="GROUPMEMBERS" field="G_NAME" type=""/>
<attribute ldap="uniquemember" table="GROUPMEMBERS" field="G_MEMBER" type=""/>

GROUPMEMBERS needs to be replaced with the table you created which stores your group members via the group/groupmembers data model in Step 2.
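Because the param lives in a second default namespace (the pluginChains one) while the mapping attributes live in the adapters namespace, hand-editing the template is easy to get wrong. The block below is an added example, not part of the post or of Oracle's tooling: it applies the two customizations above to a constructed, trimmed copy of the template with ElementTree, substituting a User Base DN of dc=trusted,dc=oracle,dc=com and a hypothetical members table named MY_GROUPMEMBERS.

```python
import xml.etree.ElementTree as ET

ADAPTERS_NS = "http://www.octetstring.com/schemas/Adapters"
PLUGINS_NS = "http://xmlns.oracle.com/iam/management/ovd/config/plugins"
ET.register_namespace("", ADAPTERS_NS)        # keep xmlns="..." on output
ET.register_namespace("plugins", PLUGINS_NS)

# Constructed, trimmed copy of the adapter template: only the elements the two
# customization steps touch are kept; routing and connection settings are omitted.
TEMPLATE = """<adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters">
  <dataBase id="directoryType" version="0">
    <root>%ROOT%</root>
    <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
      <plugins>
        <plugin>
          <name>VirtualAttribute</name>
          <initParams>
            <param name="ReplaceAttribute" value="uniquemember={cn=%uniquemember%,cn=Users,dc=trusted,dc=oracle,dc=dev}"/>
          </initParams>
        </plugin>
      </plugins>
    </pluginChains>
    <mapping>
      <objectClass name="groupofuniquenames" rdn="cn">
        <attribute ldap="cn" table="GROUPMEMBERS" field="G_NAME" type=""/>
        <attribute ldap="description" table="GROUPMEMBERS" field="G_NAME" type=""/>
        <attribute ldap="uniquemember" table="GROUPMEMBERS" field="G_MEMBER" type=""/>
      </objectClass>
    </mapping>
  </dataBase>
</adapters>
"""

PARAM_PATH = ".//{%s}param[@name='ReplaceAttribute']" % PLUGINS_NS
ATTRIBUTE_TAG = "{%s}attribute" % ADAPTERS_NS


def customise_adapter(template_xml, user_base_dn, members_table):
    """Return a parsed copy of the template with the two edits applied."""
    root = ET.fromstring(template_xml)
    # First) the DN after %uniquemember% must be your User Base DN
    param = root.find(PARAM_PATH)
    if param is None:
        raise ValueError("template has no ReplaceAttribute param")
    param.set("value", "uniquemember={cn=%%uniquemember%%,%s}" % user_base_dn)
    # Second) every mapping attribute must point at your group-members table
    for attr in root.iter(ATTRIBUTE_TAG):
        attr.set("table", members_table)
    return root


def replace_attribute_value(root):
    return root.find(PARAM_PATH).get("value")


def mapping_tables(root):
    """(ldap attribute, table) pairs of the mapping, in document order."""
    return [(a.get("ldap"), a.get("table")) for a in root.iter(ATTRIBUTE_TAG)]


def to_xml(root):
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    root = customise_adapter(TEMPLATE, "dc=trusted,dc=oracle,dc=com", "MY_GROUPMEMBERS")
    print(to_xml(root))
```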



Step 7) Bind the adapter to Weblogic using the Weblogic Scripting Tool (WLST)

7.1) Copy the bi_sql_groups_adapter_template.xml to: ../../oracle_common/modules/oracle.ovd_11.1.1/templates/

7.2) Confirm key environment variables are set
  • ORACLE_HOME=<MW_HOME>/Oracle_BI1
  • WL_HOME=<MW_HOME>/wlserver_10.3/
  • JAVA_HOME=<MW_HOME>/jdk160_24/

7.3) Bind the adapter:

Navigate to /oracle_common/bin and run the following command:

libovdadapterconfig -adapterName MySQLGroupProvider -adapterTemplate bi_sql_groups_adapter_template.xml -host hostname -port 7001 -userName weblogic -domainPath C:\app\11g\mw_home\user_projects\domains\bifoundation_domain\ -dataStore DB -root cn=Staff,cn=Users,dc=trusted,dc=oracle,dc=dev -contextName default -dataSourceJNDIName jdbc/BIDatabaseGroupDS


Parameter: host
Value: The hostname (or IP address) of your weblogic server

Parameter: port
Value: The port of your weblogic server, usually 7001

Parameter: userName
Value: Your weblogic administrator account

Parameter: adapterName
Value: The name of the group authentication provider

Parameter: domainPath
Value: The path to your bifoundation_domain folder

Parameter: root
Value: The User Base DN you specified in your bi_sql_groups_adapter_template.xml, excluding the %uniquemember% component

Parameter: dataSourceJNDIName
Value: The JNDI name of your Groups data source

The command should execute without any error.

7.4) Restart admin server & managed services (bi_server) 



Step 8) Validate Changes by Creating a Custom Application Role

We're going to create a custom application role based on one of our custom groups to confirm that the Group Authenticator works.

8.1) Create an Application Role
From FMW Enterprise Manager (:7001/em/) -> farm_bifoundation_domain -> Business Intelligence -> coreapplication -> Right Click -> Security -> Application Roles -> Create

Click the Add button and select a Group from your Group Authenticator. In this example, I will add a group called 'ES Worker':




8.2) Login to Answers as a user of the group application role you just created
Navigate to My Account -> Roles and Catalog Groups

That concludes the tutorial on how to integrate weblogic 11g using OID as the user authenticator and storing groups in an external table. Next we will focus on SSO.


keywords: obiee ldap authentication, obiee 11g oid, obiee authentication, weblogic authentication provider, authentication with ldap, external groups authentication, wc_groups_d, wc_groupmembers_d


Saturday, August 25, 2012

FYI: Identity found in Weblogic but could not be authenticated (OBI-SEC-00022, OVD-40066)

During most 11g implementations, a practitioner will be required to implement a security policy that allows OBIEE 11g Answers to authenticate against an external data source (such as OID, ADUC, or even an external database). In fact, I've even posted a how-to on integrating Oracle Internet Directory as an authentication source with 11g Answers.

During the security integration process, Oracle's technical documentation recommends that the practitioner verify that the Users and Groups are visible in the Weblogic Admin Console before completing the implementation process. See the screen below for an example of a fairly common Users and Groups section:




Nothing too spectacular. You'll see that the user I've filtered on has 'myOIDDirectory' (the name of my OID authentication provider) listed as its source.

Per Oracle's technical documentation, we would mark this as a success and move on.

Now you attempt to log into Answers 11g and the authentication fails:

Your real-time log now says the following:
SecurityService::authenticateUserWithLanguage [OBI-SEC-00022] Identity found but could not be authenticated


and your bi_server1-diagnostic.log confirms:



Relax, you're not alone, and the fix is quick: if you've configured an external authentication provider using Oracle Internet Directory or Active Directory, OBI-SEC-00022 most likely means you've provided the correct User Base DN but at the wrong level.


For example (using OID):

If your OID tree is cn=team,cn=users,cn=company,dc=trusted,dc=oracle,dc=dev, meaning that your user list is under the cn=team branch (reading left to right, cn=company being the root), then you need to specify your User Base DN one level above that branch. In this case, your User Base DN would be

cn=users,cn=company,dc=trusted,dc=oracle,dc=dev

Although not specifically stated in the Fusion Middleware Security Guide, your User Base DN should be one level above the branch that contains your users.

Also, make sure your Principal DN specifies the full path. 

For example:

If you're authenticating with cn=orcladmin, your Principal DN cannot be cn=orcladmin. It should be:

cn=orcladmin,cn=team,cn=users,cn=company,dc=trusted,dc=oracle,dc=dev (assuming that the orcladmin account is under the cn=team branch).

keywords: obiee 11g security, obiee ldap authentication, OBIEE-SEC-00022, OVD-40066, OBIEE OID authentication, weblogic authentication provider

FYI: Enabling Virtualization (virtualize=true) and OBI-SEC-00015

Many OBIEE blogs that discuss external authentication with OBIEE 11g (including my recent post on OID integration) specify that a virtualize=true parameter is required for the configuration of Fusion Middleware's Identity Store. Even Oracle's own technical documentation specifies this as a required parameter when dealing with multiple authentication sources.

Here is an example of a common Identity Store configuration w/ OID and a default authenticator:



Yet a quick Google search will tell you that many practitioners have encountered problems (or so they think) with the virtualize=true parameter during their external authentication implementation.

What does the virtualize=true parameter mean?

If you are implementing multiple authentication providers, you need to 'enable' Fusion Middleware applications to see all the users, groups, and roles within the Weblogic Administration Console. This is accomplished with Oracle Virtual Directory (OVD). Oracle Virtual Directory is an LDAP service that provides a virtualized abstraction of multiple data sources into a single view. By specifying virtualize=true, Fusion Middleware utilizes the OVD service as the mechanism for identifying, storing, and accessing users and groups across multiple authentication systems.


Does DefaultAuthenticator count as an authentication source?

When implementing weblogic 11g/OBIEE out of the box, a weblogic DefaultAuthenticator is provided with 3 system accounts: BISystemUser, OracleSystemUser, and weblogic. Multiple posts have been created on Oracle Technology Network questioning the need to count the default authenticator as an authentication source.

What happens if we do not count the DefaultAuthenticator as an authentication source, thereby eliminating the need for virtualize=true?

If you're in a scenario where you have an external LDAP authenticator (OID, ADUC) as well as the default authenticator for system users, and you remove the virtualize=true parameter in the Identity Store, you will still be able to log into OBIEE 11g Answers with your OID/ADUC users.

But try logging in with a System User (e.g. weblogic or OracleSystemUser): you will encounter the OBI-SEC-00015 error:


Error Message From BI Security Service: SecurityService::authenticateUserWithLanguage [OBI-SEC-00015] Unable to find user in identity store
An examination of your bi_server1-diagnostic.log will confirm the error:



Conclusion?

  • The DefaultAuthenticator does count as an authentication source
  • If you are going to implement an external authentication provider and use the DefaultAuthenticator, virtualize=true is needed for the DefaultAuthenticator system users

If you are unable to log into Answers 11g with your OID/ADUC users, the problem is most likely not the virtualize=true flag. Review your configuration settings, search OTN, and remember: virtualize=true is needed!



keywords : OBIEE 11g authentication, ldap authentication, weblogic authentication provider, OBI-SEC-00015, virtualization, external groups authentication

How-to: Oracle Internet Directory Authentication with OBIEE 11g - Part 2

In our part 1 of 'Internet Directory Authentication with OBIEE 11g' we used weblogic to:

  1. Add OID to the Authentication Provider List
  2. Configure the OID Authenticator with required credentials
  3. Configure the authentication control flag
  4. Re-configure the authentication sequence
  5. Validate that the OID users and groups are appearing in weblogic

In this post we will move to the Oracle 11g Enterprise Manager: Fusion Middleware Control (located at :7001/em/)

Step 1: Configure the user name and virtualization attributes within the Fusion Middleware Identity Store

In the Weblogic Domain folder navigate to Security -> Security Provider Configuration menu option



then click 'Configure':




You will need to add the following 3 custom properties:



Property: user.login.attr
Value: Specify the User Name Attribute that is set in the authentication provider. For example, if the User Name Attribute is set to mail in the authentication provider, then set this value to mail.

Property: username.attr
Value: Specify the User Name Attribute that is set in the authentication provider. For example, if the User Name Attribute is set to mail in the authentication provider, then set this value to mail.

Property: virtualize
Value: TRUE





Step 2:  Add BISystemUser to the BISystem Application Role

After clicking 'OK', navigate to the Application Roles screen as follows:



2.a) Click BISystem under the Role Name column. You should see a user called 'BISystemUser' in the 'Membership for BISystem' table




You might ask yourself, 'Why do I need to add the BISystemUser to the BISystem Application Role if that user is already a member?'

And the answer is: YOU DON'T! But why? Remember the prerequisite in part 1 was to have a BISystemUser created in OID? That was because OBI uses a specific user for each configured authenticator for internal communication within weblogic. Furthermore, each configured authenticator needs to be a member of the BISystemUser application role for Administrator privileges.

Rather than maintaining separate pseudo BISystemUser accounts in each authenticator, Oracle recommends 1 BISystemUser for all authentication providers. However, if you decided to maintain a BISystemUser in your OID under a different alias, you would need to add that user to the BISystem Application Role as outlined above.


Step 3: Add your OID BISystemUser to the Credential Store Provider

After clicking 'OK', Navigate to the Credential Store Provider screen as follows:





3.a) expand the oracle.bi.system folder and edit the 'system.user' credential



3.b) Modify the system.user key to specify your 'OID' BISystemUser





If you've been paying attention, you should be asking yourself 'What about the BISystemUser in the Default Authenticator?'

Answer: If you do not change your default authenticator BISystemUser password to match the BISystemUser password in your OID, then you will not be able to authenticate any weblogic system users in Answers. You will get an error:

Error Message From BI Security Service: SecurityService::authenticateUserWithLanguage [OBI-SEC-00015] Unable to find user in identity store
when attempting to log into Answers with a weblogic user such as OracleSystemUser or weblogic (BISystemUser will work because you've specified myOIDDirectory as SUFFICIENT and ranked it at a higher priority on the provider list than your default authenticator).

Step 4:  Change your default authenticator BISystemUser password to match the BISystemUser password in OID

I made this a high level step rather than a sub step to emphasize the importance. If this step is skipped, you will not be able to log into weblogic with any system users.

Navigate to the Weblogic Server Admin Console (:7001/console/) -> Security Realm -> myrealm -> Users and Groups -> Users -> BISystemUser (DefaultAuthenticator)


* Note that if your OID system has more than 1000 users then you will have to click the 'Customize this table' link and search for BISystemUser


Make the BISystemUser password in your default authenticator the same password as BISystemUser in your OID authenticator



Step 5: Add BISystemUser to the Global Admin Role

Navigate to Security Realm -> myRealms -> Roles and Policies -> Realm Roles -> Global Roles -> Roles -> Admin -> View Role Conditions








and finally add 'BISystemUser' under 'User Argument Name'



At 'Edit Global Roles', your screen should look like:




Step 6: Add BISystemUser to the JMS OBI Module

Navigate to Services -> Messaging -> JMS Modules -> BIpJmsResource -> Security Tab -> Policies Sub Tab and add the BISystemUser in a similar fashion as in step 5





After adding BISystemUser, your 'Settings for BipJmsResource' page should look like:




Step 7: Set the Control Flag in your defaultAuthenticator to 'OPTIONAL'

A control flag of OPTIONAL indicates that authentication can fail or succeed with the specified provider. If the provider succeeds, weblogic will continue down the authentication list. If the provider fails, it will also continue down the authentication list. This is ok because we've specified the DefaultAuthenticator as the last authentication provider on the list.

Navigate to : Security Realm -> myRealms -> Providers -> Authentication -> Default Authenticator -> Configuration -> Common



Step 8: Activate Changes and restart Admin Server & BI Service



Step 9: Validate OID Authentication by logging into Answers:







and finally, if you were to look at the bi_server1-diagnostic.log in Fusion Middleware, it would confirm the OID authentication as follows:






Next I will cover OID Authentication in 11g while using external databases to store groups.


keywords: OBIEE 11g security, ldap authentication, weblogic authentication provider, obiee ldap, obiee authentication, alternate authentication providers

How-to: Oracle Internet Directory Authentication with OBIEE 11g - Part 1

Consider the scenario where you're configuring a proof of concept 11g implementation using Oracle Internet Directory as the authentication provider. Oracle's Fusion Middleware Security Guide for 11g certainly provides you with a bird's eye view of how to configure OBIEE 11g to integrate with weblogic's OID LDAP authentication provider, but in this how-to I will digress slightly and present a detailed, step by step guide on how to configure your OBIEE 11.1.1.6 system to use OID LDAP authentication for users.

This how-to is a culmination of the countless posts on Oracle Technology Network requesting additional help with implementation and will provide the user answers to the most common OBI and OVD (Oracle Virtual Directory) errors that you typically encounter in this process, including: OVD-40066, OBI-SEC-00022, OBI-SEC-00015, and LDAP error code 32.

At the end of this how-to, any user within OID will be able to log into OBIEE 11g Answers.

Note that if you're using OID as the authentication provider but storing groups in an external database table, this also serves as a suitable 'step 1' prior to implementing the groups authentication model (to be covered at a later date).


Prerequisites:

Your Oracle Internet Directory must have the following users:
  • BISystemUser
  • BIAuthor
  • BIConsumer
  • BIAdministrator

These are out-of-the-box weblogic users that weblogic uses in its DefaultAuthenticator for users, groups, and application roles.

If you are using Oracle Internet Directory to store groups, then it must include the following weblogic out of the box groups:

  • BIAdministrators
  • BISystemUsers
  • BIAuthors
  • BIConsumers

Step 1: Add Oracle Internet Directory as an Authentication Provider in Weblogic Administration Console

1.a) Navigate to Security Realm -> myRealm -> Providers -> Authentication -> New to add an OID Authentication Provider


* Note that at this point you will not see myOIDDirectory in your Authentication Providers. You will be adding this authentication provider in the next steps. Your only two authentication providers should be: DefaultAuthenticator and DefaultIdentityAsserter

1.b) After Clicking 'New', populate the 'Create a new Authentication Provider' screen as outlined below:




1.c) After clicking 'OK', your myOIDDirectory Authentication Provider will appear on the Authentication Provider list below. Click 'myOIDDirectory' to begin the configuration of the Provider Specific information:





Step 2:  Configure the myOIDDirectory Authentication Provider with required connection details

2.a) After clicking 'myOIDDirectory' navigate to 'Configuration' -> Provider Specific as seen below:





The correct configuration of Host, Port, Principal, and Credential is required before proceeding to step 2.b. If you are unfamiliar with Oracle Internet Directory, it is recommended that you consult your OID Administrator for assistance. Here is a breakdown of each required field.

Host is the IP address (or hostname) of your company's OID LDAP server.
Port represents the port number that the OID LDAP server listens on.
Principal represents the distinguished name (DN) of the 'orcladmin' (or equivalent) account needed to connect to the OID LDAP server. Yes, that is correct: you will need a cn=orcladmin or equivalent account for communication with the OID LDAP server. We have tested leaving the Principal and Credential fields blank even when anonymous binding is enabled, with no success.

Your Principal DN should represent the full path to the orcladmin account and not just cn=orcladmin.

For example: if your cn=orcladmin (or equivalent) account is under:

cn=Users,dc=trusted,dc=oracle,dc=com 

then the Principal DN should be: cn=orcladmin,cn=Users,dc=trusted,dc=oracle,dc=com. It is not sufficient to only include cn=orcladmin.

Credential/Confirm Credential represents the password of the cn=orcladmin (or equivalent) account.

Failure to correctly configure the host/port/principal settings will most likely result in one of the following errors:

  • OBI-SEC-00004 Unable to initialize oracle.bi.security.service.SecurityWebService
  • OVD-60024 Connection error: [LDAP: error code 49 - Invalid Credentials].
  • OBI-SEC-00028 System User could not be authenticated
  • OBI-SEC-00003 OVD-60143 Unable to create connection to ldap:// 


2.b) Configure remaining required settings


 

User Base DN represents the OID tree branch path that stores the users.

NOTE: Here is where many people misconfigure their OID Authentication Provider in weblogic. Oracle's Fusion Middleware Security Guide does not explicitly state this, but your User Base DN needs to be 1 level higher than the tree branch which stores your user list.

For example:
If the OID branch that contains your users is cn=Users,dc=trusted,dc=oracle,dc=com, then your User Base DN needs to be: dc=trusted,dc=oracle,dc=com.

Failure to appropriately configure this step will result in the OBI-SEC-00022 error:

SecurityService::authenticateUserWithLanguage [OBI-SEC-00022] Identity found <username> but could not be authenticated
which means that Oracle was able to find the user in the weblogic console under 'Users and Groups' but could not complete the authentication against OID.
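The two DN rules from the OBI-SEC-00022 post above and from this step (User Base DN one level above the users branch, Principal given as a full DN) are easy to check before you save the provider. The following is an added example, not code from the post or from Oracle: it splits a DN into its RDNs (honouring backslash-escaped commas), derives the User Base DN from the users container, and flags a bare-RDN Principal; the extra check that the Principal sits somewhere under the base is my own sanity check, not something the post requires.

```python
def split_dn(dn):
    """Split an LDAP DN into its RDNs, keeping backslash-escaped commas intact."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def join_dn(rdns):
    return ",".join(rdns)


def _norm(rdns):
    # DN comparison is case-insensitive for the attribute types used here (cn, dc)
    return [r.lower() for r in rdns]


def user_base_dn(users_container_dn):
    """The User Base DN the post prescribes: one level above the branch holding the users."""
    rdns = split_dn(users_container_dn)
    if len(rdns) < 2:
        raise ValueError("container DN has no parent: %s" % users_container_dn)
    return join_dn(rdns[1:])


def is_under(dn, base_dn):
    """True if dn is a strict descendant of base_dn (suffix match on RDNs)."""
    d, b = _norm(split_dn(dn)), _norm(split_dn(base_dn))
    return len(d) > len(b) and d[-len(b):] == b


def principal_problems(principal_dn, base_dn):
    """Problems with the Principal setting; an empty list means it looks right."""
    problems = []
    rdns = split_dn(principal_dn)
    if len(rdns) < 2:
        problems.append("principal is a bare RDN, not a full DN")
        return problems
    if not is_under(principal_dn, base_dn):   # assumed sanity check, see lead-in
        problems.append("principal does not sit under the User Base DN")
    return problems


if __name__ == "__main__":
    container = "cn=team,cn=users,cn=company,dc=trusted,dc=oracle,dc=dev"
    base = user_base_dn(container)
    print("User Base DN:", base)
    print(principal_problems("cn=orcladmin", base))
    print(principal_problems("cn=orcladmin," + container, base))
```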


User Name Attribute specifies the OID attribute which you want to use for authentication. If you want to use the user's email address, the User Name Attribute would be mail. In this example, I will use the common name (cn).

User Object Class specifies the object class of the entries in OID that represent users. An out-of-the-box OID implementation uses 'person', but in this example I've used a custom 'Staff' class.

Group Base DN represents the OID tree branch path that stores the groups. Similar to User Base DN, it should be 1 level higher than the tree branch which stores your groups list. If you are using an external database table to store groups, then you can disregard this field.


Step 3: Configure the authentication control flag to sufficient

After clicking Save on the 'Settings for myOIDDirectory' page, you should be back at:


3.a) Click 'myOIDDirectory', then Configuration -> Common, and change the Control Flag to 'SUFFICIENT'




A SUFFICIENT control flag indicates that if the user successfully authenticates against this provider, then weblogic will release control back to the system. But if the user fails to authenticate with this provider, weblogic will continue down the authentication provider list.


Step 4: Reorganize the authentication provider list

After clicking Save on the 'Common' tab of the Settings for myOIDDirectory, you will be back in the Authentication tab. Click 'reorder' and move myOIDDirectory to the top of the list.


and then...




4.a) After clicking 'OK' you will be taken back to the Authentication tab. Click 'Activate Changes' within the Change Center, then reboot the Admin Server & BI Service.




Step 5:  Validate your OID users are found in the 'Users and Groups' tab

After rebooting the Admin Server and BI Service you should be able to see the Users and Groups of your OID LDAP server within the Users and Groups tab under: Security Realms -> myrealm -> Users and Groups



You should also test Groups by clicking on a user within your OID directory (for example cookjr@c02) and then viewing the groups tab:


Even if you are using an external database table to store groups (and not OID), clicking on groups for a specific user should not return an error.

"If your users do not appear on the Users and Groups tab, or viewing the groups of a specific OID user throws an error, do not proceed to step 6 and instead, review your configuration settings with your OID Administrator"

Step 6: Fusion Middleware Changes

At this stage, we are going to move to Fusion Middleware to make the required application role changes. I've decided to separate that into part 2, which you can find here.


keywords: obiee 11g authentication, ldap authentication, weblogic authentication provider, obiee 11g oid authentication, custom authentication provider