
Using Initialization Blocks with LDAP and database queries to control authentication and authorization

Someone on OTN asked me to elaborate on a comment I made on a post that Mark Rittman wrote last week. What I need to achieve here is to use an existing LDAP server to validate the credentials of the user who is logging on to OBIEE. To set this up we first open the Administration Tool and in the Manage->Security… tool we define a new LDAP server:
[Screenshot: LDAP server defined]
The values you enter here are, of course, dependent on your system; your LDAP administrator can give you the correct values. Once you have defined an LDAP server we pop over to the Manage->Variables… tool and start the real work.
First off we define an Initialization Block called something like LDAP Init Block. An Init Block needs a data source, so we define one by clicking on the ‘Edit Data Source…’ button and choosing data source type: LDAP. Click on the ‘Browse…’ button and select the LDAP server we defined before. You can also create new LDAP servers here by clicking the ‘New…’ button (which starts the same wizard we used previously).
Next we need to map LDAP attributes to session variables. Click the ‘Edit Data Target…’ button and add the following system variables:
[Screenshot: System Session Variables defined]
The warning dialog you get after creating each variable is normal, since these are special variables used by the system. The LDAP attribute names in the LDAP variable column might differ on your LDAP server, so make sure you get the correct attribute names from your LDAP administrator as well. Close the dialog and make sure you check the ‘Required for Authentication’ box at the bottom; this is what makes a failed LDAP lookup reject the login instead of merely leaving the variables empty:
[Screenshot: Init Block defined]
Notice the ‘Test…’ button? This is a really nice feature that lets you debug your block and execute it against your LDAP server before you check the change in.
Now you should be able to log in to the BI Dashboard using credentials stored in your LDAP server.
The special System Session Variables we are populating here can also be populated using other Init Blocks. Let’s say that you already have your groups defined in a database table, something like the following:
CREATE TABLE OBIEE_USERS (USERNAME VARCHAR(100),GROUPNAME VARCHAR(2000))
For the sake of simplicity I assume here that we store the groups as a simple semicolon-delimited list, one row per user.
We now want to create a new Init Block for session variables that fires after the authentication block has fired (set this in the block’s execution precedence, so the lookup only ever runs for a user LDAP has already validated):
[Screenshot: DB init block created]
Click on the ‘Edit Data Source…’ button and create a new Data Source of type Database. The SQL you enter should look something like this (mind the quotes: OBIEE substitutes the value of :USER into the statement as text):
select groupname
from obiee_users
where username=':USER'
[Screenshot: DB init block]
Just make sure that the user name used in the connection pool you choose has SELECT privileges (and no more than that) on the table you use to store your group permissions. That pool account runs this query for every login, so it should not be able to do anything else.
Next we need to define the variable that will hold the results of the data source we just defined. This variable is called GROUP and is populated after the user logs in. The Presentation Service parses this variable and grants the user membership of every group that is defined there and matches a semicolon-delimited value in the variable. Any unmatched value is ignored. So if the table contains something like:
SCOTT SALES;Managers;Research and Development
then SCOTT will be granted access to these three groups defined in his corporate dashboard: SALES, Managers and Research and Development.
Now click on the ‘Edit Data Target…’ button and create a new variable called GROUP:
[Screenshot: DB init block target]
Now try to log in to the Dashboard and see your blocks in action. Make sure that the groups you have in your database table are actually defined in the Presentation Service. A good and quick test is to also create dashboards for these groups; once you log in you should automatically be granted access to different dashboards depending on the values in your table.
If you want to populate more variables using the same SQL statement, make sure the column order in the query matches the variable order in the ‘Data Target’ settings.
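To make the GROUP mechanism concrete, here is an added example (not code from the original post) that models the two init blocks in Python against an in-memory SQLite copy of OBIEE_USERS: the lookup by user name, then the parsing of the semicolon-delimited value against the groups the Presentation Service knows. The sample rows, the set of defined groups and the exact-match rule are constructed assumptions for the example. One difference from OBIEE is deliberate: the BI Server pastes :USER into the init-block SQL as text (hence the quotes in the query above), whereas the example binds it as a parameter, which is the pattern to use anywhere you write such a lookup yourself, since the user name is directory-supplied data rather than something the BI Server generated.

```python
import sqlite3

# Constructed sample rows for OBIEE_USERS: one row per user, groups stored as a
# semicolon-delimited list, including the messy cases a real table accumulates.
SAMPLE_ROWS = [
    ("SCOTT", "SALES;Managers;Research and Development"),
    ("ALICE", "SALES; Finance ;Unknown;"),   # stray spaces, unknown group, trailing ';'
    ("BOB", ""),                               # authenticated but no groups assigned
]

# Groups assumed to be defined in the Presentation Service for this example.
DEFINED_GROUPS = {"SALES", "Managers", "Research and Development", "Finance", "Admins"}


def build_sample_db():
    """Return an in-memory SQLite copy of OBIEE_USERS loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE OBIEE_USERS (USERNAME VARCHAR(100), GROUPNAME VARCHAR(2000))"
    )
    conn.executemany("INSERT INTO OBIEE_USERS VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_group_variable(conn, user):
    """Return the raw GROUP value for an authenticated user ('' if no row).

    OBIEE pastes :USER into the init-block SQL textually; here the value is a
    bound parameter instead, so the directory-supplied name cannot alter the query.
    """
    row = conn.execute(
        "SELECT GROUPNAME FROM OBIEE_USERS WHERE USERNAME = ?", (user,)
    ).fetchone()
    return row[0] if row else ""


def resolve_groups(group_var, defined_groups):
    """Split the semicolon-delimited GROUP value and keep only names that exist
    in the Presentation Service; unmatched or empty entries are ignored."""
    names = [g.strip() for g in group_var.split(";")]
    return [g for g in names if g and g in defined_groups]


def groups_for_user(conn, user, defined_groups=DEFINED_GROUPS):
    """Model the two init blocks end to end: DB lookup, then group resolution."""
    return resolve_groups(lookup_group_variable(conn, user), defined_groups)


if __name__ == "__main__":
    db = build_sample_db()
    for name in ("SCOTT", "ALICE", "BOB", "EVE"):
        print(name, groups_for_user(db, name))
```

Running it shows SCOTT resolving to all three groups, ALICE keeping only SALES and Finance (the unknown name and the stray separator are dropped), and BOB and the unknown user EVE getting nothing, which is the behaviour the post describes for unmatched values.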

Oracle BI EE 10.1.3.3/2 – Using LDAP/OID Authentication

One of the very good features of OBI EE 10.1.3.3/2 is its ability to leverage OID/LDAP authentication. I was trying this out today and thought I would document it. I will split this into two articles. In this article we will see how to set up OID authentication. In the next article we will see how to pass group information from OID on to users. Let’s go through the steps one by one.
1.   Open the repository in Online Mode using the Administration Tool. Go to Manage and click on Security. Click on Action–New–LDAP Server
2.   Enter the Oracle Internet Directory details such as hostname and the Base DN, and test the connection.
3.   Right click on the LDAP server and click on Import. You should see the users that are under OID.
4.   Once this is done, the next step is to create an initialization block that uses the OID server created above and sets a system session variable called USER. This USER variable is used during authentication.
Go to Manage->Variables to open the Variable Manager. Click on Action->New->Session->Initialization Block
Enter any name, say OID, and click on Edit Data Source. Select the OID/LDAP server that we created in the first three steps. Then click on Edit Data Target and click on New Variable. Enter USER as the name of the variable and click OK.
Edit the variable and add uid as the LDAP variable.
Test the initialization block as orcladmin.
You should see the orcladmin user name set for the USER variable. If you do, the steps you have done so far are correct. Remember to set the Required for Authentication check box; without it the block populates the variable but a failed lookup does not reject the login.
Check in the changes and save the repository. Log in to Answers as orcladmin. We should be able to see all the public dashboards.
This is the first step in enabling authentication. The next step is to get the group-related information from OID and assign it to the user, which we will see in a later article.

OBIEE Security Enforcement – LDAP Authentication


Authentication in OBIEE

Some of the authentication methods supported by the Oracle BI Server are
  1. Database
  2. LDAP
  3. Oracle BI Server (repository users) – I do not recommend this method for medium to large implementations; it is difficult to manage.
I will discuss setting up LDAP in this article.

Setting up LDAP or Windows ADSI in OBIEE

Microsoft Active Directory, which OBIEE reaches through ADSI (Active Directory Service Interfaces), is Microsoft’s LDAP directory. Most of the steps to set up either Microsoft ADSI or a generic LDAP server are similar. In either case you will need help from your network security group/admin to configure LDAP. They should provide you with the following information about the LDAP server
  1. LDAP server host name
  2. LDAP Server port number
  3. Base DN
  4. Bind DN
  5. Bind Password
  6. LDAP version
  7. Domain identifier, if any
  8. User name attribute type (in most cases this is default)

Registering an LDAP server in OBIEE

In the Oracle BI repository, go to Manage -> Security.

Create a new LDAP server in the OBIEE Security Manager
With help from your network security group/administrator, fill out the following information

Next, in the Advanced tab, make the necessary changes based on the kind of LDAP server you have and its configuration.
For Microsoft ADSI (Active Directory Service Interfaces) check ADSI; for all others leave it unchecked.
Most of the time the user name attribute is filled in automatically. For Microsoft ADSI it is sAMAccountName; for most other LDAP servers it is uid or cn. Check with your network security group/administrator what the user name attribute of your LDAP server is, and make a note of it; you will need it later.


Now we need to create an authentication initialization block. In the Administration Tool, under Manage go to Variables.

Under Action, go to New -> Session -> Initialization Block

Configure the session initialization block. Give it a name and click on Edit Data Source. In the pop-up window, choose LDAP from the drop-down box and then click on Browse. You can also configure an LDAP server here by clicking on “New”. In the Browse pop-up window choose the LDAP server you would like to use.

Next we need to create variables. USER and EMAIL are the variables normally in play.

Upon clicking OK, a warning pops up on the usage of the USER session variable (“User session variable has a special purpose. Are you sure you want to use this name?”). Click Yes.

Next enter the LDAP attribute for the user name: sAMAccountName in the case of ADSI, as configured in the LDAP server.

Following similar steps, create a variable for EMAIL. Depending on your needs you can bring additional attributes from the LDAP server as well.

Now bounce your services.

OBIEE LDAP Authentication using Microsoft AD 2


How do we get group information in the case of AD LDAP authentication?
In the previous post we saw how to set up LDAP authentication in OBIEE. If you have not read it, I would advise you to read that article first.
In this post we will go through the limitations of the Microsoft AD implementation for SSO.
LDAP Limitations with Microsoft AD
We cannot use Import, Import All or Synchronize Users from the OBIEE Administration Tool in the case of AD, and we cannot even get the user’s groups as defined in AD: the group attribute comes back as a multi-valued list (in AD, memberOf holds the full distinguished name of each group) and OBIEE does not understand that as a group name (it requires group names separated by ;).
So we cannot set security at the user level in the repository, since users cannot be imported; we have to set it at group level only, and maintain the user-to-group mapping ourselves.
Let’s say we have user dhwani in LDAP, and it belongs to a group called PowerUser.
Step 1 Create a database table and make entries
Let’s say our database table holding user and group is called USER_SECURITY_GROUPS. It has an entry user, group = dhwani, PowerUser.
Step 2 Create an init block to get the user’s group information from the database table
Let’s call the initialization block initGroup and create it as shown below.
[Screenshot: initGroup creation]
Note: in execution precedence make sure that initLDAP is executed first, so that the user is authenticated and only then is the group name fetched from the database table.
Step 3 Create the group in the OBIEE repository
Create a group called PowerUser in the OBIEE repository
Manage -> Security -> Groups and create a new group
[Screenshot: LDAP Group in Admin]
Set the permissions for the group as required.
Step 4 Create the same catalog group in OBIEE Answers
Go to Settings -> Administration -> Manage Presentation Catalog Groups and Users
[Screenshot: Group in Answers]
Create a new catalog group
[Screenshot: Create a new catalog group]
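The gap described above, membership coming back from AD as a list of distinguished names while OBIEE wants a single “Group1;Group2” value, is what the USER_SECURITY_GROUPS table bridges. The following is an added example (not from the original post) of the transformation a sync job feeding that table would perform, in Python: it extracts the group CN from each memberOf DN, drops groups that do not exist in OBIEE, refuses names that would break the semicolon format, and writes one row per user into an in-memory SQLite copy of the table, then runs the initGroup lookup against it. The memberOf values, the column names USERNAME/GROUPNAME and the set of OBIEE groups are constructed assumptions for the example.

```python
import re
import sqlite3

# Constructed sample of what AD returns in memberOf for two accounts: one full
# distinguished name per group, which is not the "A;B" string OBIEE expects.
SAMPLE_MEMBER_OF = {
    "dhwani": [
        "CN=PowerUser,OU=BI Groups,DC=example,DC=com",
        "CN=Sales Analysts,OU=BI Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",    # not an OBIEE group
        "CN=PowerUser,OU=BI Groups,DC=example,DC=com",   # duplicate entry
    ],
    "guest": [],
}

# Groups assumed to exist in the repository and the presentation catalog.
OBIEE_GROUPS = {"PowerUser", "Sales Analysts"}

# Leading RDN of the form CN=value, where value may contain LDAP-escaped
# characters such as "\," (RFC 4514 string form).
_CN_RE = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def group_name_from_dn(dn):
    """Return the group's CN from a distinguished name, or None if it has no leading CN."""
    m = _CN_RE.match(dn.strip())
    if not m:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1))  # undo LDAP escaping


def groups_variable(member_of, allowed):
    """Build the semicolon-delimited value OBIEE's GROUP variable expects.

    Keeps only groups OBIEE knows, preserves first-seen order, de-duplicates,
    and refuses names containing ';' since they would corrupt the delimiter.
    """
    seen, out = set(), []
    for dn in member_of:
        name = group_name_from_dn(dn)
        if name is None or ";" in name or name not in allowed or name in seen:
            continue
        seen.add(name)
        out.append(name)
    return ";".join(out)


def build_synced_db(member_of_by_user, allowed):
    """Create an in-memory USER_SECURITY_GROUPS and fill it from the AD data.

    Users with no OBIEE groups get no row, so the init block returns nothing
    for them and they end up with no group access rather than a default one.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE USER_SECURITY_GROUPS (USERNAME VARCHAR(100), GROUPNAME VARCHAR(2000))"
    )
    rows = [(u, groups_variable(dns, allowed)) for u, dns in member_of_by_user.items()]
    conn.executemany(
        "INSERT INTO USER_SECURITY_GROUPS VALUES (?, ?)", [r for r in rows if r[1]]
    )
    conn.commit()
    return conn


def lookup(conn, user):
    """The initGroup block's query, with :USER bound as a parameter."""
    row = conn.execute(
        "SELECT GROUPNAME FROM USER_SECURITY_GROUPS WHERE USERNAME = ?", (user,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_synced_db(SAMPLE_MEMBER_OF, OBIEE_GROUPS)
    for user in ("dhwani", "guest"):
        print(user, lookup(db, user))
```

For dhwani the lookup returns "PowerUser;Sales Analysts", with Domain Users filtered out and the duplicate collapsed; guest has no row. Whatever populates this table is now part of the authorization path, so the account doing the sync should be the only writer and the BI Server connection pool should stay SELECT-only, as the earlier post recommends.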

OBIEE LDAP Authentication using Microsoft AD 1


How do we implement Single Sign On (SSO) in OBIEE with Microsoft Active Directory?
OBIEE LDAP authentication using Microsoft Active Directory.
Before starting this, I would prefer that you read my article on session variables and initialization blocks first.
SSO can be implemented using the Lightweight Directory Access Protocol (LDAP) in OBIEE. Strictly speaking what follows is centralised authentication against AD rather than single sign-on: the user still types an AD user name and password at the OBIEE login page, but the credentials are checked against the directory instead of the repository.
The most popular LDAP implementations for OBIEE are either OID (Oracle Internet Directory) or Microsoft Active Directory (AD), and no wonder LDAP authentication is better supported on OID than on AD (yeah, Oracle vs. Microsoft). This does not mean we cannot achieve SSO using LDAP for AD. Yes we can, but with a slightly different implementation style and some limitations (the Oracle documentation talks all about OID and nothing at all about AD).
So here I am going to discuss how to implement LDAP authentication for AD to achieve SSO.
Below are the implementation steps:
Setting up the LDAP Server, Initialization Block and Session Variables
Step 1: Create LDAP Connection.
Open the OBIEE Administration Tool.
Go to Manage -> Security
[Screenshot: Manage Security]
Select LDAP Servers; on the right side right click and select New LDAP Server
[Screenshot: Security Manager]
[Screenshot: LDAP Connection]
[Screenshot: LDAP Connection Advanced]
Step 2: Create initialization block and session variable
Go to Manage -> Variables
Click Session -> Initialization Block, right click in the pane and select New Initialization Block
[Screenshot: Session Variable Initialization Block]
Give a name to the Initialization Block, e.g. initLDAP
As part of configuring the Initialization Block you need to provide a data source, a data target and, optionally, the execution precedence:
Click on Edit Data Source
Data Source Type: select LDAP, then click on Browse and select the appropriate LDAP server connection
[Screenshot: Data Source]
Click on Edit Data Target
[Screenshot: Session Variable]
Click on New and you will see a screen like the one below
[Screenshot: User Session Variable]
Click OK and you will see a warning message as below. It can be ignored: it only warns that you are using the USER session variable, which has a special meaning
[Screenshot: User Warning]
[Screenshot: User LDAP Variable]
Here we have created only one session variable, which takes its value from LDAP. We can create many such variables, for example groups (which has a limitation with AD that I am going to discuss in detail), display name, etc., whatever is available in LDAP.
The LDAP admin can help with the attribute names as they are referred to in LDAP
Click on Edit Execution Precedence
If you are using multiple initialization blocks, this is where you decide which block executes first. As we have just one init block we will not do anything here.
Click on Test
Enter the LDAP user ID and password; sAMAccountName should show the user ID, which indicates that the LDAP connection, and hence authentication with LDAP, works.

[Screenshot: TEST LDAP connection]
In the next post I will discuss how to get group information and the limitations of the LDAP AD implementation with OBIEE.
