When OBI is first installed it is configured to use Weblogic internal user directory, which is fine if you have a small number of users. With most installations however, it’s more ideal to use the company LDAP, which allows users to login with common user-ids (windows/network user-id for example). Below is the step by step process that I took to configure external LDAP in OBIEE 12c.

Create a New Authentication Provider

1. Login into Console

2.  In the Domain Structure window on the left-hand column click on ‘Security Realms’. Then click on on myrealm in the Summary of Security Realms window pane.

1

3. Click on Lock & Edit in the top left corner to allow changes to be made

2

4. Click on the Providers tab. Click on ‘DefaultAuthenticator’

3

5. Change the Control Flag from REQUIRED to SUFFICIENT. Click Save.

This change ensures that if the authentication finds a user/password match in the internal user directory then that is sufficient to allow the user to login.

4

6. Return to the Providers tab. Click New to create a new authentication provider.

5

7. In the create screen enter MSAD as the name and select ActiveDirectoryAuthentication from the Type drop down. Click ‘OK’.

6

Edit the MSAD Provider Details

1. Click on the newly created MSAD provider to edit. In the Common tab change the Control Flag from OPTIONAL to SUFFICIENT.

7

2. Click the Provider Specific tab. There are quite a few settings on this tab, most can be left at their default settings, however the items mentioned below are the settings I changed for AD. Once settings have been updated click Save.

  • Host
  • Port
  • Principal
  • Credential
  • User Base DN
  • All Users Filter
  • User From Name Filter
  • User Name Attribute
  • Object User Class
  • Group Based DN
  • Group From Name Filter

3. Click Activate Changes in the top left corner and you should receive the following message indicating that all changes have been activated.

8

4. You will need to do a full stop and restart of OBIEE. Once OBIEE has restarted log back into Console. Navigate to Security Realm -> myrealm then click the Users and Groups tab. You should see a list of users from both the weblogic DefaultAuthenticator and your LDAP provider.

Security Provider Configuration

1.Log into Enterprise Manager

2. From the Weblogic Domain drop-down select Security -> Security Provider Configuration.

9

3. Expand Security Provider, then expand Identity Store Provider and finally click click Configure.

10

4. Click the +Add  11 button to add a new Custom Property.

5. Enter a property name of ‘virtualize’ and a value of ‘true’. Note: these must be types in lowercase. Then click OK twice.

12

Test Configuration

1.Login to Answers using a user from either the weblogic internal directory or from your LDAP.

Hope is provides a bit a of assistance. If you have any questions or comments feel free to drop me a line at:

Kristi Smith, ksmith@ecapitaladvisors.com