
OBIEE Security Enforcement LDAP Authentication

Authentication in OBIEE

Some authentication methods used by Oracle BI Server are:

1. Database
2. LDAP
3. Oracle BI Server (repository users). I do not recommend this method for medium to large implementations. It will be difficult to manage.

Setting up LDAP or Windows ADSI in OBIEE


Microsoft ADSI (Active Directory Service Interface) is Microsoft's version of an LDAP server. Most of the steps to set up either Microsoft ADSI or an LDAP server are similar. In either case, you will need help from your network security group/admin to configure LDAP. They should provide you with the following information regarding the LDAP server:

1. LDAP server host name
2. LDAP server port number
3. Base DN
4. Bind DN
5. Bind Password
6. LDAP version
7. Domain identifier, if any
8. User name attribute type (in most cases this is default)

Registering an LDAP server in OBIEE


In the Oracle BI repository, go to Manage -> Security.

Create a new LDAP server in OBIEE Security Manager

With help from your network security group/administrator, fill out the following information.

Next, in the Advanced tab, make the necessary changes based on the kind of LDAP server you have and its configuration. For Microsoft ADSI (Active Directory Service Interface), choose ADSI; for all others leave it unchecked. Most of the time, the username attribute is generated automatically. For Microsoft ADSI it is sAMAccountName; for most LDAP servers it is uid or cn. Check with your network security group/administrator what the username attribute is for your LDAP server. Make a note of the username attribute; you will need it later.

Now we need to create an authentication initialization block. In the Administration Tool, under Manage, go to Variables.

Under Action, go to New -> Session -> Initialization Block

Configure the session initialization block. Give it a name and click on Edit Data Source. In the pop-up window, choose LDAP from the drop-down box and then click on Browse. You can also configure an LDAP server here by clicking on New. In the Browse pop-up window, choose the LDAP server you would like to use.

Next we need to create variables. User and Email are the common variables normally in play.

Upon clicking OK, a warning pops up about the use of the User session variable ("User session variable has a special purpose. Are you sure you want to use this name"). Click Yes.

Next, enter the LDAP variable for the username: sAMAccountName in the case of ADSI, as configured on the LDAP server.

Next, following similar steps, create a variable for Email. In addition, depending on your needs, you can bring in additional variables from the LDAP server.

Now bounce your services.
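A pre-flight check for the eight values collected from the network security group, as an added example that is not part of the original post: it validates the settings and builds an OpenLDAP ldapsearch command that binds as the Bind DN and looks up one login by the user name attribute. The host, DNs and login in SAMPLE are constructed placeholders, and checking with ldapsearch outside the Administration Tool is an assumption of this example.

```python
# Added example: sanity-check the LDAP values before typing them into the OBIEE dialog.
# Every sample value below is a constructed placeholder, not taken from the page.
import re

# RFC 4515: characters that must be escaped inside a search-filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a login name so it cannot change the structure of the LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def looks_like_dn(dn):
    """Loose syntax check: comma-separated attr=value pairs (no escaped commas)."""
    return bool(dn) and all(re.fullmatch(r"\s*[A-Za-z][\w.-]*=[^=,]+", p) for p in dn.split(","))

def check_settings(s):
    """Return a list of problems found in the collected settings (empty list = OK)."""
    problems = []
    if not s.get("host"):
        problems.append("host name is missing")
    if not (isinstance(s.get("port"), int) and 0 < s["port"] < 65536):
        problems.append("port must be 1-65535")
    for key in ("base_dn", "bind_dn"):
        if not looks_like_dn(s.get(key, "")):
            problems.append(f"{key} is not a valid DN")
    if s.get("version") not in (2, 3):
        problems.append("LDAP version must be 2 or 3")
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", s.get("user_attr", "")):
        problems.append("user name attribute is not a valid attribute name")
    return problems

def ldapsearch_argv(s, login, attrs=("mail",)):
    """Build an ldapsearch call: bind as Bind DN, search Base DN for the login."""
    scheme = "ldaps" if s["port"] == 636 else "ldap"  # 636 is the conventional LDAPS port
    flt = f"({s['user_attr']}={escape_filter_value(login)})"
    return ["ldapsearch", "-x", "-LLL", "-P", str(s["version"]),
            "-H", f"{scheme}://{s['host']}:{s['port']}",
            "-D", s["bind_dn"], "-W",  # -W prompts, so the bind password stays off argv
            "-b", s["base_dn"], "-s", "sub", flt, s["user_attr"], *attrs]

SAMPLE = {"host": "ldap.example.com", "port": 389, "version": 3,
          "base_dn": "DC=example,DC=com",
          "bind_dn": "CN=obiee-bind,OU=Service,DC=example,DC=com",
          "user_attr": "sAMAccountName"}

if __name__ == "__main__":
    print(check_settings(SAMPLE) or "settings look consistent")
    print(" ".join(ldapsearch_argv(SAMPLE, "jsmith")))
```

If the search returns no entry for a known login, the Base DN or the user name attribute is the first thing to recheck before registering the server.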

Commonly asked question: how to do user access control? For example, I have created a single dashboard report for two users, user A and user B. User A is not able to read user B's report and so on; only the user itself can see their own report.
1. What is the difference between authentication and authorization?

Answer: Authentication is the process in which a user id and password are verified to see if the user is a valid user. The process can be compared to logging on to your email or even your laptop. Once the user logs on, authorization takes care of what components or data a user can have access to. To read about OBIEE Authentication click here. [...]
2. I am facing some problem in authentication (I am using Microsoft ADSI version LDAP server) but am not able to authenticate the LDAP users. I have configured my LDAP server in the same manner as you mentioned in this blog.

When I am trying to authenticate the user from the RPD itself I am getting the following error: authentication failed (actually I forgot the exact message but its meaning is the same as I referred to here), though I am able to authenticate the bind user (which I used to configure the LDAP server).

3. How do we associate LDAP users to BI Server groups? I can login but I'm just an authenticated user with no rights to do anything at that point.

4. For detailed instructions, the following related links are useful:

http://dylanwan.wordpress.com/2008/01/04/oracle-vpd-and-oracle-bi-ee-part-1/
http://oraclebizint.wordpress.com/2007/08/29/obi-ee-10133-and-vpd/
http://download.oracle.com/owsf_2003/40176_dw_security_10g.doc

5. Two notes:

   1. On the Session Initialization Block dialog, the check box "Required for authentication" must be checked.
   2. Authentication will fail if the LDAP user trying to log in also exists in the repository!
