Business Intelligence – Oracle

Oracle BI EE 10.1.3.3/2 – Using LDAP/OID Authentication

Posted by Venkatakrishnan J on October 10, 2007

One of the very good features of OBI EE 10.1.3.3/2 is its ability to leverage OID/LDAP authentication. I was trying this out today and thought I would document it. I will split this into two articles. In this article we will see how to set up OID authentication; in the next we will see how to pass group credentials from OID on to users. Let's go through the steps one by one.

1.   Open the repository in online mode using the Administration Tool. Go to Manage and click on Security. Click on Action > New > LDAP Server.

2.   Enter the Oracle Internet Directory details, such as the hostname and the Base DN, and test the connection.

3.   Right-click the LDAP server and click on Import. You should see the users that exist under OID.

4.   Once this is done, the next step is to create an initialization block that uses the OID server created above and sets a system session variable called USER. This USER variable is used during authentication.
Go to Manage > Variables to open the Variable Manager. Click on Action > New > Session > Initialization Block.

Enter any name, say OID, and click on Edit Data Source. Select the OID/LDAP server that we created in the first three steps. Then click on Edit Target and click on New Variable. Enter USER as the name of the variable and click OK.

Edit the variable and enter uid as the LDAP variable, that is, the directory attribute whose value populates USER.

Test the initialization block as orcladmin.

You should see the orcladmin username set as the value of the USER variable. If you do, the steps so far are correct. Remember to select the Required for Authentication check box.

Check in the changes and save the repository. Log in to Answers as orcladmin; you should be able to see all the public dashboards.

This is the first step in enabling authentication. The next step is to get the group-related information from OID and assign it to the user, which we will cover in a later article.
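As an added example (not Oracle's code or the author's), the following Python models the login flow the steps above configure: search the Base DN for the entry whose uid attribute equals the login name, then bind as that DN with the password typed at the login screen, and set USER only when both succeed. The search-then-bind order, the Directory and UserInitBlock names, the sample DNs and passwords are assumptions constructed for the model; the error strings echo the ones quoted in the comments on this page.

```python
"""Offline model of the OBIEE LDAP/OID login flow (constructed example)."""
from dataclasses import dataclass


class LdapError(Exception):
    """Raised for a failed search or bind."""


@dataclass
class Entry:
    dn: str
    attrs: dict
    password: str  # constructed for the model; a real directory never returns this


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: trim spaces, lower-case (cn/ou/dc/uid ignore case)."""
    rdns = [rdn.strip() for rdn in dn.split(",") if rdn.strip()]
    return ",".join(f"{k.strip()}={v.strip()}"
                    for k, _, v in (rdn.partition("=") for rdn in rdns)).lower()


def in_subtree(dn: str, base_dn: str) -> bool:
    """True when dn is base_dn itself or lies below it (subtree scope)."""
    dn_n, base_n = normalize_dn(dn), normalize_dn(base_dn)
    return dn_n == base_n or dn_n.endswith("," + base_n)


class Directory:
    """Minimal OID/AD stand-in: subtree search with a server-side size limit, and bind."""

    def __init__(self, entries, size_limit=None):
        self.entries = list(entries)
        self.size_limit = size_limit  # the comments quote 1000 as AD's default limit

    def search(self, base_dn, attr, value=None):
        """value=None lists every entry carrying attr (what the Admin Tool's Import does)."""
        hits = [e for e in self.entries
                if in_subtree(e.dn, base_dn) and attr in e.attrs
                and (value is None or e.attrs[attr].lower() == value.lower())]
        if self.size_limit is not None and len(hits) > self.size_limit:
            raise LdapError("[53002] LDAP search failure: Sizelimit exceeded")
        return hits

    def bind(self, dn, password):
        """Simple bind: succeed only for the exact DN with its password."""
        for e in self.entries:
            if normalize_dn(e.dn) == normalize_dn(dn) and e.password == password:
                return True
        raise LdapError("LDAP bind failure: invalid credentials")


class UserInitBlock:
    """Session init block that sets USER from the uid attribute (sAMAccountName for ADSI)."""

    def __init__(self, directory, base_dn, uid_attr="uid", required_for_auth=True):
        self.directory, self.base_dn = directory, base_dn
        self.uid_attr, self.required_for_auth = uid_attr, required_for_auth

    def run(self, username, password):
        """Search, then bind as the single matched DN; returns the session variables."""
        hits = self.directory.search(self.base_dn, self.uid_attr, username)
        if len(hits) != 1:  # zero = unknown user; more than one = ambiguous, refuse
            raise LdapError(f"{self.uid_attr}={username}: {len(hits)} entries under {self.base_dn}")
        self.directory.bind(hits[0].dn, password)
        return {"USER": hits[0].attrs[self.uid_attr]}


def login(block, username, password):
    """Session start: a failing block marked Required for Authentication refuses the login."""
    try:
        return block.run(username, password)
    except LdapError as exc:
        if block.required_for_auth:
            raise LdapError("[nQSError: 13024] Successful completion of init block is required") from exc
        return {}  # not required: the session continues without USER


# Constructed sample directory (not real accounts or a real company).
SAMPLE = Directory([
    Entry("cn=orcladmin,cn=Users,dc=example,dc=com", {"uid": "orcladmin"}, "Welcome1"),
    Entry("cn=jdoe,ou=Sales,cn=Users,dc=example,dc=com", {"uid": "jdoe"}, "s3cret"),
])
```

With a Base DN that does not contain the users, the same Import search returns nothing, and with an AD-style size limit a broad Import fails where a search scoped to a smaller OU succeeds.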


59 Responses to “Oracle BI EE 10.1.3.3/2 – Using LDAP/OID Authentication”

  1. Esther said

    Hi Venkat,

    Is it possible to do the same LDAP/OID authentication using the Basic Installation of BI Server?

    Thanks,
    -Esther

  2. Venkatakrishnan J said

    Yes very much

  3. Manju Nambiar said

    Hey Venkat,
    I am doing a fresh install and configuration of OBIEE.
    I followed the steps in your blog “Oracle BI EE 10.1.3.3/2 – Using LDAP/OID Authentication” to configure security using company LDAP.
    Instead of OID, I am using the company LDAP. After creating the server, I tested the connection and was successful. Next I tried Import option, but got the Oracle BI Administration Tool error message: “There is nothing to import.”
    Next I tried the initialization block setup and system variables – but no luck.
    Is this an LDAP privilege issue or OBI issue?
    I tried the same LDAP with an LDAP viewer tool and am able to see all the users.
    Please help me out.
    Thanks,
    Manju

  4. Venkatakrishnan J said

    @Manju – Looks like your Base DN for your LDAP is wrong. Are you using Active Directory?

  5. Manju Nambiar said

    Venkat,
    No, I am not using AD.
    I used the same Base DN in the LDAP viewer tool and it worked fine.
    –Manju

  6. Venkatakrishnan J said

    Can you let me know what LDAP are you using. I just want to confirm whether this is certified.

  7. Manju Nambiar said

    How do I check which one I am using?

  8. Manju Nambiar said

    Venkat,
    I checked with my administrator and yes – we are using AD. Does that require some additional steps?
    –Manju

  9. sid said

    Venkat,
    can you tell me how does the OBIEE use AD (or any other LDAP)? Our users are authenticated based on Active Directory. Now if I try to run something like ADInsight (from Sysinternals) which basically tracks all connections from the local machine to a given AD server at that moment, it cannot track any AD request sent by the application at the time users are trying to login. Can you explain whether it uses the Windows API to connect to AD (which means it should use some dll in System32) or it uses some kind of special dll hidden in the OracleBI folder (maybe ./server/bin)? There are a couple of users who always seem to complain about not being able to log on to the BI portal temporarily. I am interested to see what sort of AD request goes to the server when a user logs on to the server. Thanks in advance. Please keep the blog up.

  10. Tom Ware said

    Thanks, it worked like a charm.

  11. Trevor said

    Hi Venkat,

    Before I found your blog I did all the steps above except the import. I would prefer not to have to do the import step if possible. When I test my init block the user variable is populated correctly. When I try and log in as that user (not the administrator) I get an error telling me the initialisation block failed. I had to create the user in the repos but I gave it a nonsense password hoping that the LDAP call would use the password entered at the login screen to authenticate. Do you have any ideas why the initialisation block would fail at the login screen when it works fine in the Administration Tool?

    Thanks

  12. Trevor said

    Hi Venkat,

    I worked it out. my mistake. If I remove the user from the repository it works fine now.

    Thanks

  13. Sarosh said

    Hi,

    We are using Active Directory, and when I try to import users or synchronize, I get the error message: [53014] Not supported for Active Directory Services.

    We are using version 10.1.3.3. The documentation has no mention of AD not being supported.

    Thanks.

  14. arghya roy said

    Venkat,

    I might be going a little ahead, but is it true that as of now we can't import group information, or rather can't associate a USER with a Group from an LDAP? And so, we have to maintain the USER/GRP as 2 columns in an external DB table, to be read into the GROUP variable in the RPD row-wise?

  15. Venkatakrishnan J said

    @Arghya – Yes, currently we cannot import GROUPS from the LDAP. We need to make sure that the LDAP GROUPS are created in the repository. You do not need an external table to make the association. In the above example, I have used the DBMS_LDAP package to get the USER and GROUP association. But for some LDAPs which do not have these packages, we need to have that external table to get that relation.

  16. Peter said

    Thanks for the post.

    For the AD users: AD doesn't support anonymous binding, so you need to provide a username and a password in the Bind DN of the LDAP server configuration.

  17. ittichai said

    Venkat,

    Great information from your blog!!!

    Quick question please. I just installed OBIEE on my Windows test machine. I configured LDAP with this base DN “ou=people,ou=intranet,dc=company,dc=com”. This is pretty much the standard DN recommended by the IT group. It works for all other applications.

    Test connection is okay. But when importing, I received this error -

    [53002] LDAP search failure: Sizelimit exceeded

    Any place I can increase limit or limit the amount of import?

    Thanks
    Ittichai

  18. Pablo said

    Venkat,

    Great information. I am currently set up to do LDAP Authentication, which works like a charm. Now I am trying to get single sign-on to work. Our associates' LDAP information is the same as the Windows login and password. Is there any way to automatically pull the users' Windows authentication so they do not have to sign in every time?

  19. Sidhu said

    I followed this one for setting up authentication with our Active Directory and it was a piece of cake. Many Thanks.

  20. Pablo said

    Venkat, I’m at the same place, let me know if you figure this out

  21. paola said

    Excellent post, however, do you have the instructions on how to do it if the LDAP is OpenLDAP v3.0? The import step doesn’t work and I’m stuck. Thanks a lot!

  22. Sreedhar said

    Hi Venkat
    I followed all the steps you have listed exactly. I could connect to the LDAP server successfully and then imported the users.
    After creating initialization block I tested it using orcladmin and it works fine.
    But when I try to login to Answers I got the following error.

    Error Codes: OPR4ONWY:U9IM8TAC
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused. [nQSError: 13024] Successful completion of init block ‘setUser’ is required. (08004)

    Can you please suggest what I should do? (Note: I also ran the cryptotools thing; it did not help me.)
    Please respond.
    Thank you very much.

  23. Ron band said

    I got the same error as Sreedhar.
    Any solution? Everything in Administration works fine and I can login as orcladmin in the Administration layer. But I am not able to login to the presentation layer.
    I have also been able to import users from ldap

    Error Codes: OPR4ONWY:U9IM8TAC
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused. [nQSError: 13024] Successful completion of init block ’xxxxxx’ is required. (08004)

  24. Deepak Karanwal said

    Venkat,

    Great information from your blog!!!

    Quick question please. I just installed OBIEE on my Windows machine. I configured LDAP with this base DN “dc=company,dc=com”. This is pretty much the standard DN recommended by the IT group. It works for all other applications.

    Test connection is okay. But when importing, I received this error -

    [53002] LDAP search failure: Sizelimit exceeded
    Appreciate any help

    Thanks
    Deepak


  26. Sujal said

    Hi,

    I am also facing one problem configuring LDAP.

    I have not imported the users from LDAP. When I log in to the Dashboard using the bind user credentials (orcladmin), it works fine, but when I try with a user login it errors out with ‘An invalid User Name or Password was entered’.

    Here is a snapshot of the server log.
    2008-07-17 08:53:09
    [nQSError: 13011] Query for Initialization Block ‘Authentication’ has failed.
    [53012] User authentication failure: .
    2008-07-17 08:53:09
    [nQSError: 13011] Query for Initialization Block ‘Authentication’ has failed.

    Any solution to this? Please help.

  27. bogdan said

    @Sujal
    If the user from LDAP is also in repository, it will give this [nQSError: 13011] Query for Initialization Block ‘Authentication’ has failed. error;
    try to remove users from repository.

  28. OBIEE User said

    Venkat-

    I have gone through all the procedures and it works fine…

    Instead of Authenticating directly against the LDAP server, I want to import the users only and authenticate against the repository. I am able to import the users I want, and do not set up the Initialization block. When I get to login, I am able to login with any of the User Names I have imported but all of them with a blank password. Why is the password not coming across when I import from ldap?

  29. rick said

    1. Administration Tool error message: “There is nothing to import.”

    Then you should setup OU before DC like
    OU=development,DC=office,DC=XXX,DC=com

    2. We are using Active Directory, and when I try to import users or synchronize, I get the error message: [53014] Not supported for Active Directory Services.

    I think you should check the advanced option in LDAP SERVER
    set User Name Attribute Type:

    sAMAccountName not UID

  30. aluke1 said

    Hi Guys,

    I am having some problem with setting up ADSI. When I import, I keep getting the error message: [53014] Not supported for Active Directory Services.

    I have followed all the instructions provided by Venky and through the comments.

    I have checked the ADSI box in the Advanced tab.

    Here is the info I set up creating the ADSI

    Name:xxxxxadsi
    Host:xx.xx.xx.xx
    Port:389
    LDAP Version: 3
    Base DN: cn=Users,dc=dev,dc=xxxx,dc=xxx,dc=xxx
    Bind DN: xxxxx
    Bind Password: xxxxx

    Advance Tab:
    ADSI = Check box (Yes)

    User Name Attribute Type: Automatically Generate = Yes
    sAMsAMAccountName

    Test Connection= LDAP Server connected successfully.

    Please advise.

    Thanks much!!

    • Tanya said

      Hi,

      I have the same problem when I try to import users and groups from LDAP. [53014] Not supported for Active Directory Service. I use MS AD and the configuration is Name:xxxxxadsi
      Host:xx.xx.xx.xx
      Port:389
      LDAP Version: 3
      Base DN: CN=Users,DC=xxx,DC=xxx
      Bind DN: CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=xxxx,DC=xxxx
      Bind Password: xxxxx

      Advance Tab:
      ADSI = Check box (Yes)

      User Name Attribute Type: Automatically Generate = Yes
      sAMsAMAccountName

      Test Connection= LDAP Server connected successfully.

      Please for any Idea where to find the problem?

      Thanks in advance!
      Regards!
      Tanya

  31. Davin said

    Now BI EE can be authenticated by the Sun LDAP server, but how do I assign an LDAP user to a group in BI EE? First import this user into BI EE, right?

  32. dave said

    I am getting the same error as Pablo. [53002] LDAP search failure: Sizelimit exceeded

    Anyway around this?

  33. Karthik said

    Hi Venkat,

    For our webcat, authentication is based on LDAP and it works fine with our Dev environment. When we publish it to the stage env we come across a strange behavior: it would authenticate a user only for the first time. When a user logs out and tries to log back in using the same browser, it doesn’t allow them back in. He needs to close his browser and re-open a new browser to log in.

    Was wondering if this kind of behaviour was observed before and if there is any possible way to clear this inconsistency.

    Thanks,
    Karthik

  34. Michhi said

    Hi guys,

    I still have a question: we’ve got the authentication/authorization against windows AD for OBIEE webportal solution.

    What we don’t have is, that I could login with my AD login/pw to OBI repository itself. Here I still need an administrator account created in repository. Could you tell me
    - whether what we intend is possible at all
    - if yes, how to:-))

    Kind regards
    Michael

  35. Richard said

    Hi guys,
    I have a question about how OBIEE logs in through LDAP (does it use ldapbind, ldapsearch or ldapcompare?).

    I’m using authentication thru OID, but our OID only handles users and groups.
    So when I try to login I have an initialization block that looks up users and groups against our OID and forwards the password question to another LDAP server. In our OID we have a plugin with “Plug-in LDAP Operation”=ldapcompare and this works fine with Discoverer and other Oracle Applications, but OBIEE seems not to use ldapcompare.
    So I can only login with the password that the user has in our local OID, not the global one.

    Regards Richard

  36. gv said

    Hi Venkat
    I followed all the steps you have listed exactly. I could connect to the LDAP server successfully and then imported the users.
    After creating initialization block I tested it using orcladmin and it works fine.
    But when I try to login to Answers I got the following error.

    Error Codes: OPR4ONWY:U9IM8TAC
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused. [nQSError: 13024] Successful completion of init block is required

    What do I do

    Appreciate your help

  37. Tomas said

    Hi,

    Has anybody resolved the problem with [53014] Not supported for Active Directory Services?
    I followed instructions in administration guide and LDAP test works fine.
    However once I try to import users then I’m getting above mentioned error.
    We need to import the users as we need to assign them privileges on BI level and not on AD level (we cannot manage users in AD)
    I get stuck and cannot find solution.

    Appreciate any hint.
    Thanks

  38. Michael said

    Hi Thomas,

    we had an oracle specialist for AD problem and his reply was, that importing AD users/groups directly into OBI is not possible at all.

    There are work arounds with OID, where you import users there, and afterward into OBI.

    Regards
    Michael

  39. Sandeep said

    Hi Venkat

    I am getting an error as

    [53005] LDAP Server referral is not supported

    when i checked the lDAP connection it shows that LDAP Server connected successfully. can you let me know what is causing this error ?

    –Sandeep.

  40. Tony Lilley said

    These articles are a bit worrisome. I am led to believe that true AD support is enabled on 10.1.3.4. Similar, I thought, to the way Business Objects 3.1 have implemented this, where you create a specific AD group on the DC, add this to the ‘groups’ on the BI server and attach it to the repository. As users who belong to that OU login to the web site, they are authenticated and automatically added to the BI server as a user within that rpd group. If that is not the case, then true automatic AD authentication does not really work?

  41. Lynn said

    Active Directory has a built in size limit to prevent rogue queries from taking down a domain controller.

    If you are setting up LDAP and are targeting the root of a domain – and receive the [53002] LDAP search failure: Sizelimit exceeded, it is because there is a 1000 object limitation in Active Directory for LDAP queries. Instead of targeting the root of a domain, target a specific OU which is under 1,000 users. You can add as many OUs as you’d like – the problem is the 1,000 limit. That limit can be changed in Active Directory, but it is not recommended.

  42. Bob Murray said

    I have this set up and working; however, when the “Administrator” logs in (a repository-defined account) it throws a nQSError: 13011 Query for Initialization Block ‘InitUser’ has failed entry in the NQServer.log file. This account has not been defined in LDAP. Is there a way to get the initialization block to accept this scenario?

  43. Sd said

    Hi Venkat,

    We set up LDAP for user authentication. It was working fine. But for the past few weeks it's throwing the following errors frequently whenever a user tries to login
    “LDAP BIND FAILURE” CANT CONTACT LDAP SERVER , REFUSED CONNECTION

    Sometimes even though the user id and password are correct it's giving the error ” Invalid username /password”

    Please let me know how we can resolve this issue.

    Thanks,
    Sd

  44. David said

    Venkat,

    I have got through the setup of LDAP and ADSI however I am not able to successfully login. One possible wrinkle is that I am running BI Applications and trying to login to that repository.
    I am getting the nQSError 13024 Successful completion of init block ‘xxx’ is required.

    At first the user was in both repository and ldap but was removed from repository and still failed. After removing from repository should I bounce the server?

    David

  45. Beliz said

    Venkat;

    Great info, helped me greatly to set up the LDAP in the OBIEE admin tool. I can successfully connect to LDAP and bring in the user/uid info; however, I am struggling to bring in the group information from LDAP. Once I can pull the group info from LDAP (OID) I need to set filters for some of the groups. Any input/feedback will be appreciated.

    Thanks
    Beliz

  46. reena said

    Hi Venkat

    I am trying to set up ADSI Authentication and we are getting an error that says invalid credentials even though the user id/pwd is correct. Below are the steps that I followed for configuring

    1. Open a repository in the Administration Tool in offline or online mode.
    2. From the application menu, choose Manage > Security.
    3. From the Security Manager menu, choose Action > New > LDAP Server.
    4. In the LDAP Server dialog box:
    a. In the General tab complete the following list of fields
    1. Name: The name of your LDAP server
    2. Host name: The host name of your LDAP server
    3. Port number: The default LDAP port is 389 (keep it default).
    4. LDAP version; LDAP 2 or LDAP 3 (versions). The default is LDAP 3 (keep it default).
    5. Base DN; The base distinguished name (DN) identifies the starting point of the authentication search.
    6. Bind DN and Bind Password:

    b. Click the Advanced tab, and type the required information
    1. Connection timeout: Leave it Default: Infinite.
    2. Domain identifier: Leave it blank.
    3. Select the ADSI check box. Bind DN and Bind password are required.
    4. User Name Attribute Type: For ADSI, use sAMAccountName.

    and 1.Create “Authentication” initialization blocks and connect to LDAP and assign a variable.

    • Hello,

      I need to know if it works on Oracle Business Intelligence Standard Edition One (OBISEO)… I’m facing a problem connected with it and I need to know if these points that you put under my reply really work with OBISEO.

      Thank you,
      Elisabete Silva

    • Devang said

      Hi Reena,

      Did you find the solution for the issue you have mentioned? I am facing the exact same issue with ADSI. Able to test the connection successfully but when I provided the username and password to test the initialization block, it gave the invalid credentials error.

      Thanks
      Devang

  47. Guram said

    Hi
    We are using Microsoft AD.
    Where can i find “Base DN”, “Bind DN and Bind Password” attributes to complete this LDAP configuration?

    • Michael said

      Hi Guram,

      these settings you better ask from your IT infrastructure team.
      Bind DN and password are just username and password to read out the AD.

      Search DN is individual for every company. AD is organized like a tree. You manage your security via group policies in AD. Search DN tells you, where to look for user groups.

      I’d recommend you to read more on the subject. Following link is an introduction to what AD actually is (very basic knowledge): http://www.learnthat.com/software/learn/1295/Introduction-to-Active-Directory/ Managing OBI security via AD groups is tricky, so you need to have a firm grasp of the basics to windows network security.

  48. Abhishek said

    Hi,
    I followed your post and everything worked fine for me. Thanks for posting detailed info on LDAP authentication. However we do have marketing component in our Siebel-CRM, which uses authentication to get segments from Analytics. This authentication is failing and hence the marketing segment is not working. Any input on this would be appreciated.

    Thanks.

  49. Elizabeth Kang said

    Hi Venkat,

    It’s great info for setting up LDAP with OBIEE.

    I am facing the same problem as Beliz (No. 45).

    I would like to assign the LDAP users into one or more groups in BIEE with filters set to control data access.

    Any recommendation would be helpful.
    Thanks
    Elizabeth

  50. Ram Rotte said

    Hi Venkat,
    Thanks for the info. We are using Nortal Directory server as LDAP.
    We did set up the LDAP server similar to what you have detailed above. We did not import users as we are a large organization and all users are under a single ou. I did test the initialization blocks and got the username, email, groups (I listed them in an LDAP attribute). When the dashboard is accessed with URL http://xxx.xxx/analytics/saw.dll?Answers we get “you are not logged in”. What is missing here? Is the OBI server unable to read the headers for user ID (and password) and query LDAP? Do we need any special setting on OBI to read http headers?

    Any help would be greatly appreciated.
    Thanks,
    Ram Rotte

  51. Joe said

    Hi, I am able to get this working with both AD and an LDAP server. However, I have one issue… When I add an LDAP Server EVERY USER within the BaseDN can access Analytics. Even if I add the users one at a time, all of the other users that I have not added to the users list within OBI can still access it.

    Is there a way to restrict the login capabilities to just the users added in OBI? So far the only way I found to do this was to make the BaseDN the DN of the actual user, this means one LDAP server (in OBI administrator) per user… I am not able to modify the groups that the users are in as the company has a policy of all users in one main group called “people”.

    • Michael said

      Hi Joe,

      you have to work with OBI Groups to restrict access (at least we configured it in this way).

      We created special OBI groups within Microsoft AD. Only users contained in these groups are allowed to login to OBI.

      You can limit access for certain groups via Administration interface in OBI.

      Regards
      Michael
