When OBI is first installed it is configured to use Weblogic internal user directory, which is fine if you have a small number of users. With most installations however, it’s more ideal to use the company LDAP, which allows users to login with common user-ids (windows/network user-id for example). Below is the step by step process that I took to configure external LDAP in OBIEE 12c.

Create a New Authentication Provider

1. Login into Console

2.  In the Domain Structure window on the left-hand column click on ‘Security Realms’. Then click on on myrealm in the Summary of Security Realms window pane.


3. Click on Lock & Edit in the top left corner to allow changes to be made


4. Click on the Providers tab. Click on ‘DefaultAuthenticator’


5. Change the Control Flag from REQUIRED to SUFFICIENT. Click Save.

This change ensures that if the authentication finds a user/password match in the internal user directory then that is sufficient to allow the user to login.


6. Return to the Providers tab. Click New to create a new authentication provider.


7. In the create screen enter MSAD as the name and select ActiveDirectoryAuthentication from the Type drop down. Click ‘OK’.


Edit the MSAD Provider Details

1. Click on the newly created MSAD provider to edit. In the Common tab change the Control Flag from OPTIONAL to SUFFICIENT.


2. Click the Provider Specific tab. There are quite a few settings on this tab, most can be left at their default settings, however the items mentioned below are the settings I changed for AD. Once settings have been updated click Save.

  • Host
  • Port
  • Principal
  • Credential
  • User Base DN
  • All Users Filter
  • User From Name Filter
  • User Name Attribute
  • Object User Class
  • Group Based DN
  • Group From Name Filter

3. Click Activate Changes in the top left corner and you should receive the following message indicating that all changes have been activated.


4. You will need to do a full stop and restart of OBIEE. Once OBIEE has restarted log back into Console. Navigate to Security Realm -> myrealm then click the Users and Groups tab. You should see a list of users from both the weblogic DefaultAuthenticator and your LDAP provider.

Security Provider Configuration

1.Log into Enterprise Manager

2. From the Weblogic Domain drop-down select Security -> Security Provider Configuration.


3. Expand Security Provider, then expand Identity Store Provider and finally click click Configure.


4. Click the +Add  11 button to add a new Custom Property.

5. Enter a property name of ‘virtualize’ and a value of ‘true’. Note: these must be types in lowercase. Then click OK twice.


Test Configuration

1.Login to Answers using a user from either the weblogic internal directory or from your LDAP.