1. AUTHENTICATION WITH ACTIVE DIRECTORY
1.1 OVERVIEWThis document provides instructions for configuration Oracle BI 11g to authenticate against Active Directory.
With this configuration, the embedded Weblogic LDAP provider will still be the “primary” identity provider, so you don’t need to migrate the “BISystemUser” account or any other system/admin accounts to Active Directory.
The advantage of this is that Oracle BI will still be accessible and running even if the Active Directory server becomes unavailable on the network.
Active Directory will be configured as the “secondary” identity provider, so all you normal end user accounts can be mastered in here. It assumes that all user “groups” will also be stored in Active Directory. So both authentication and authorization of the end users will be handled by Active Directory.
Towards the end there is a section which shows you how to tune the authentication/authorisation processes – this is applicable for very large Active Directory tree structures.
1.2 SET WEBLOGIC LDAP TO “SUFFICIENT”
• Log on to the WebLogic Console as the weblogic adminsitrator account:
http://[BI SERVER]:7001/console
• Click on the “Providers” tab and then click on the “Lock and Edit” button:
1.3 CREATE NEW IDENTITY PROVIDER
• Navigate back to the “Providers” tab by clicking the link at the top of the page:
• Set the following “Name” and “Type” before hitting the “OK” button:
Name: ADAuthenticator
Type: ActiveDirectoryAuthenticator
• You should see you new Identity Provider listed, click on the “ADAuthenticator” link to do some further configuration:
• Set the “Control Flag” parameter to “SUFFICIENT” and then click the “Save” button
• Once saved, go to the “Provider Specific” tab:
• Set the Active Directory configuration parameters as follows:
Host: [AD Server Hostname or IP address]
Port: [AD port e.g. 389]
Principle: [DN for OBI service account, used for connecting to AD to authenticate]
e.g. CN=BIAdmin, OU=Users, DC=mycompany, DC=com
Credential: [password for OBI service account]
Confirm Credential: [password OBI service account]
User Base DN: [DN for the location of users within AD]
e.g. OU=Users, DC=mycompany, DC=com
All Users Filter: (&(sAMAccountName=*)(objectclass=user))
User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
User Name Attribute: sAMAccountName
Group Base DN: [DN for the location of groups within AD]
OU=Groups, DC=mycompany, DC=com
• Click the “Save” button
• Return back to the “Providers” tab (by clicking the link at the top) and then click the “Reorder” button:
• Move “ADAuthenticator” to the second in the list:
• Now click “Activate Changes”
1.4 ENABLE “VIRTUALIZATION”
NOTE: This step is required to enable the use of multiple Identity Providers and also to ensure that users will still be able to log in to OBIEE even if the WebLogic “Admin Server” went down
• Log on to Enterprise Manager as the [BI ADMIN USER] account:
http://[BI SERVER]:7001/em
• Expand “WebLogic Domain”, right-mouse click on “bifoundation_domain” and then choose the following menu option:
Security > Security Provider Configuration
• In the middle of the screen, click the “Configure” button:
• Click the “Add” button to add the following 3 custom properties:
user.login.attr sAMAccountName
username.attr sAMAccountName
virtualize true
• Click the “OK” button at the top-right
• Observe the success message to confirm the parameters have been applied:
1.5 TUNING ACTIVE DIRECTORY FOR LARGE ORGANISATIONS (OPTIONAL)
If you have a very large Active Directory tree structure, then it might cause performance issues during the login process as it takes an extended period of time for authentication and authorisation to complete.
The settings documented in this section can significantly improve performance.
In one example (where users/groups were spread over 150 sub-trees in Active Directory) these settings reduced login times from 5-6 minutes down to just a few seconds.
• Log on to the WebLogic Console as the weblogic adminsitrator account:
http://[BI SERVER]:7001/console
• Navigate to the following screen “Security Realms > myRealm > Providers > Authentication” and click on the link for your “ADAuthentictor”:
• Click the “Lock and Edit” button
• Go to the “Provider Specific” tab and change the following parameters:
Use Token Groups For Group Membership Lookup: [Enable]
Cache Size: 3200
• Click the “Save” button
• Now go to the “Performance” tab of your authenticator and set the parameters as follows:
Max Group Hierarchies in Cache: 1000
Group Hierarchy Cache TTL: 600
Enable SID to Group Lookup Caching: [Enable]
Max SID TO Group Lookups In Cache: 5000
• Click the “Save” Button
• Click the “Activate Changes” button
NOTE: You will need to restart, this will be done in the next section
1.6 RESTART ORACLE BI
• The configuration is now complete, restart all Oracle BI Services:
0 comments:
Post a Comment