Integrating MS Active Directory with OBIEE 11g in

Weblogic Server
Business Problem
Business wants to leverage the existing MS Active Directory for Authentication in OBIEE 11g.
In addition to this IT wants flexibility in adding users like DEV1, QA1 etc for system
development without adding these users in the enterprise Active Directory. This means basically
two Authentication Providers 1. MSAD and 2. The Out-of-the-Box WLS LDAP
In 10G, we had the option of integrating MSAD (Microsoft Active Directory) in OBIEE RPD
and also users like Dev1, QA1 could be added in RPD. However in OBIEE 11G while LDAP
integration is still available in RPD, the recommended way is to do this in the Weblogic Server.
Adding Users and Password in RPD is not possible in 11G
Going by the Oracle Documentation there is a lot of confusion w.r.t this subject. This blog is the
answer.
Solution
Prerequisites:
This solution assumes you have successfully installed OBIEE 11.1.1.5 on Windows XP and the
SampleAppLite application is up and running. The default user weblogic should be able to login
to OBIEE. In Active Directory a user by the name BISystemUser has to be created. This
is very important. Once the Pre-requisites are done, please proceed with the below steps.
(This solution is taking the simplest route i.e rather than creating a new TrustedUser to replace
BISystemUser , I created a user with the same name BISystemUser in MSAD. This will avoid
finding and replacing all the occurrences of BISystemUser with a different TrustedUserName)
1. Logon to WLS (WebLogicServer) and navigate to Security Realms->myrealm->Providers Tab
2. Click on Lock&Edit from the left Pane and then click on New button to add a new
Authentication Provider.
2.1 Supply the details as shown below

2.2 You should now be able to see the new Authentication Provider as shown below

2.3 Click on MSAD and in the new screen set the Control Flag:SUFFICIENT
2.4 Click on Provider Specific tab and input the MSAD Specific Details
The main entries in the above screen are listed below (NOTE: This varies based on your
companys specific details)
Host: HOSTNAME.YOURCOMPANY.com
Port 389
Principal: CN=obiee-svc,CN=Users,DC=corp,DC=YOURCOMPANY,DC=com
User Base DN: CN=Users,DC=corp,DC=YOURCOMPANY,DC=com
All Users Filter: (&(sAMAccountName=*)(objectclass=user))
User From Name Filter:(&(sAMAccountName=%u)(objectclass=user))
User Name Attribute:sAMAccountName
User Object Class: user

Group Base DN:CN=Users,DC=corp,DC=YOURCOMPANY,DC=com

You can copy the existing entries from your 10G RPD, if you had set this up before in 10G.
The main things to note here would be Principal which was known as Bind User in 10G. Also
change the User Name Attribute to sAMAccountName. Make sure this change is also made in
All Users Filter and User From Name Filter. I also changed the Group Base DN. Having done
this, now you should be able to see the users from your AD in the Users and Groups tab. If you
are not able to , then you didnt enter the entries listed above correctly. Try changing it, also try it
out within the RPD to make sure all the entries are supplied correctly.
3. Now in the Providers tab click on the DefaultAuthenticator and change its Control Flag to
OPTIONAL
4. Reorder the Authentication Providers so that MSAD comes as the first.

Click on Activate Changes. You might need to restart the WLS.

5. Logon to WLS (myrealm->Users and Groups tab)and make sure you see two
BISystemUser, The first one belongs to the defaultAuthenticator and the second one is from
the MSAD. Delete the BISystemUser of DefaultAuthenticator
6. Logon to Enterprise Manager (EM) and goto WebLogic Domain->Right-click on
bifoundation_domain to reach Security->Credentials
6.1 Update the password of BISystemUser to the value set in MSAD
6.2 Goto WebLogic Domain->Right-clicked on bifoundation_domain to reach Security>Security Provider Configuration.Click on the Configure button under Identity Store
Provider. Add three Properties as below
user.login.attr=sAMAccountName, username.attr=sAMAccountName, virtualize=true
NOTE->If virtualize=true is NOT added, then only MSAD users will be able to login. (since
MSAD is the First Authenticator)

7. Restart WLS and restart BIServer Components from EM.

8. Thats it. Now the MSAD users and the WLS LDAP users will be able to login.

Connecting the system to Microsoft Active Directory, so users can log-into the dashboard
using their Windows Active Directory username and password, and retrieve group
membership, and
Connecting the system to an external set of database tables that contain the group
membership for users authenticated through Active Directory

Whilst OBIEE 11g comes with the embedded WebLogic LDAP server to hold users and groups,
the license for this is restricted such that you cant just move all your other user details from
other applications into the LDAP server. Realistically, you wouldnt want to do that anyway as
its likely youve got a corporate directory somewhere that you want to leave user and group
details in, with OBIEE instead just connecting to it as an authentication and authorisation source.
Luckily, now that OBIEE 11g uses WebLogic and Fusion Middlewares Oracle Platform Security
Services framework, connecting to external directories such as Active Directory is pretty
straightforward, especially with recent versions of OBIEE such as 11.1.1.6 that do this all a lot
smoother now.
So in this example, weve got an Active Directory server running on the host pdc.gcbc.com, that
contains three users:

ADBISystemUser, which will be used as the principal that OBIEE uses to connect to the
Active Directory server
Anne Administrator, a user on Active Directory who wants to have administration rights
in the Presentation Server and BI Server
AD User, another user that just wants to be able to create analyses and dashboards

These users are organised into three groups in the AD server:

ADBIAdministrators, analogous to the BIAdministrators group in the WLS LDAP

server
ADBIAuthors, ditto

ADBIConsumers, ditto again

Now if you search the internet and Oracle docs for instructions on how to integrate OBIEE 11g
with Active Directory, there seems to be about as many different ways to do it as there are sets of
instructions. A lot of this is because Active Directory is highly-configurable, and a lot depends on
how much you want to replace, or just work alongside, the existing WLS LDAP server. In this
example, our objective is to keep the WLS LDAP server and the user accounts within it
(including the biadmin administrator account), but then make it possible for Active Directory
users to also log in, and be assigned to the standard application roles that the WLS LDAP users
have. Keeping the WLS LDAP users and administration account considerably simplifies the
configuration process, though you might still want to go the full way if you intend to completely
replace WLS LDAP with Active Directory. For now though, well have the two running
alongside each other.
Looking at the Active Directory Users and Configuration utility, we can see the three users were
interested in:

And the three groups:

The groups have just got those users as members, and the users are just regular AD users,
including the ADBISystemUser account. Internally, the domain is called gcbc.com, with the
users held in the Users directory and groups in the Builtin directory fairly standard stuff.
So lets go into the WebLogic Server Administration Console (http://
[machine_name]:7001/console) and start configuring the system for Active Directory integration.
1. Log into the WebLogic Server Administration Console as an administration user, for
example biadmin/welcome1
2. When the Admin Console homepage is displayed, click on the Security Realms menu
item on the left-hand side, and then then on myrealm when the link is shown.
3. You are now going to alter the domain configuration, so press the Lock and Edit button.
Then, click on the Providers tab in the Settings for my realm page.
4. Active Directory integration is achieved through registering a new authentication
provider, using the Active Directory provider type. To register this, press the New button
just under the Authentication Providers label.

5. The Create a New Authentication Provider page will be displayed. Give the provider a
name (for example, ADProvider) and select ActiveDirectoryAuthenticator as the
Type.
6. Now click on this new authentication provider in the list, and then when the Settings for
ADProvider page is shown, set the Control Flag to SUFFICIENT, and press Save.
7. Then, click on the Provider Specific tab, and enter the following details for your Active
Directory installation, amending the settings as appropriate for your AD server.
Host : pdc.gcbc.com
Port : 389
Principal : CN=ADBISystemUser, CN=Users, DC=gcbc, DC=com
Credential : Welcome1
Confirm Credential : Welcome1
User Base DN : CN=Users,DC=gcbc, DC=com
User Name Attribute : cn
User Object Class : user
Group Base DN : CN=Builtin, DC=gcbc, DC=com
GUID Attribute : objectguid

Then, press Save to save and close the page.

8. Now go back to the list of providers, and click on the DefaultAuthenticator one. With the
Configuration > Common sub-tab selected, set the Control Flag to OPTIONAL, and
press Save.
9. Then, again with the list of authentication providers displayed, press the Reorder button
and then change the order of the providers so that ADProvider is first, followed by
DefaultAuthenticator and DefaultIdentityAsserter.

10. Youre now at the point where you can restart your BI domain and see the new users and
groups within the WebLogic Admin Console. To do this, restart the BI Domain (the
Admin and Managed Servers), and once complete, log in again into the WebLogic Admin
Console and select Security Realms > myrealm > Users and Groups > Groups. You
should then see the Active Directory users listed alongside the WLS LDAP ones.

Similarly, you should see your AD groups under the Groups tab. Note that you cant edit
these AD users and groups from within the WebLogic Admin Console, nor can you create
new AD users here to do that, youd need to use Active Directorys own console and
tools.
11. Next we will switch over to Enterprise Manager, first to configure Fusion Middlewares
Oracle Platform Security Services to accept users and groups from both WLS LDAP and
Active Directory when logging into the dashboard, and then well map the Active
Directory groups to their equivalent application roles.
Log into Enterprise Manager, and select the WebLogic Domain > bifoundation_domain
menu item on the left. Right-click on it and select Security > Security Provider
Configuration. When the Security Provider Configuration page is displayed, expand
the Identity Store Provider area and press the Configure button.

The Identity Store Configuration page will then be displayed. Press the Add button
next to the Custom Properties area, and add a new custom property with these settings :
Property Name : virtualize
Value : true
Press OK to close the page.
12. Now right-click on the Business Intelligence > coreapplication entry in the left-hand side
menu, and select Security > Application Roles. As you may have done with the
application role settings in yesterdays postings, edit the BIAdministrator, BIAuthor
and BIConsumer application roles so that the new Active Directory groups are listed as
members.

Doing this ensures that the Active Directory users get the same type of Presentation
Server and repository privileges as WLS LDAP users, but they wont have administration
access to WebLogic or Enterprise Manager.
You can, if you want, grant these users the same sorts of domain administrator rights as
the WLS LDAP users, and you can indeed remove all of the WLS LDAP users and
groups and move over to Active Directory entirely. But in most cases I see, this level of
integration is sufficient, as it still allows the OBIEE administrators to control their own
user accounts and privileges.
13. You should now be able to log in as one of the Active Directory users. In the screenshot
below, the AD User user has logged in, and has been granted the BIAuthor role through
their membership of the ADBIAuthors Active Directory group. If Anne Administrator, an
Active Directory user assigned to the ADBIAdministrator group, logs in she will be able
to administer the Presentation Server permissions and privileges, but she wont be able to
log into Enterprise Manager to change the repository, for example.

So what weve seen here so far is OBIEE 11g connecting to Active Directory, to retrieve in
addition to the existing WLS LDAP users and groups, users and groups from this directory. But
what if the groups in Active Directory bear no resemblance to the groups and application roles
that youd like to organise users into? Because you can map LDAP groups to roles in Enterprise
Manager, its possible to reshape group membership to fit your BI requirements, but often
organisations will solve this problem by creating a couple of database tables on a spare database,
and use those to define which users belong to which group.
Now this is something that was done a lot in OBIEE 10g using Active Directory to authenticate
someone, then retrieve their group membership through a separate database table lookup but
youre not supposed to mix WLS provider-based authentication with old-style init block
authorisation, so how will this work, if, for example weve got a couple of tables called
GROUPS and GROUPMEMBERS that detail which user belongs to which group:

To handle this type of situation, OBIEE 11.1.1.5 (through the patch associated with Bug
11667221 / ARU 14523400) and OBIEE 11.1.1.6 (by default, though you need to copy the
BISecurityProviders.jar file from
[middleware_home]/Oracle_BI1/bifoundation/security/providers to
[middleware_home]/wlserver_10.3/server/lib/mbeantypes, and then restart the Admin Server

before its available), has a new authenticator called BISQLGroupProvider that can do this for
you.
To use this new authenticator with either OBIEE 11.1.1.5 or 11.1.1.6, youll need to perform the
following tasks:
1. Configure a data source within WebLogic that the provider will use to connect to the
schema and tables described above
2. Configure a BISQLGroupProvider with the SQL SELECT statements required to access
these tables
3. Re-order your authentication providers, and if youve not done so already, enable the
virtualised identity store adapter (we did this infact in the previous example)
4. Configure a database adapter so that the Identity Store APIs can map your groups into
application roles.
Full details of this new authenticator are in a document on My Oracle Support, Doc. ID.
1428008.1. So, with some new users added to my Active Directory server and corresponding
entries in the two database tables, so that these users are assigned to groups such as QA
Managers, HR Managers and SF Managers, lets get this set up.
1. If youve not done so already, apply the above patch to OBIEE 11.1.1.5 if thats the
version youre running, and then copy the BISecurityProviders.jar file as directed above
(this applies to 11.1.1.6 as well, which already has the file without needing the patch
applied). Once done, restart the WebLogic Admin Server.
2. Now you will configure the data source and BISQLGroupProvider. To do so, use your
Web browser to navigate to the WebLogic admin console (http://
[machine_name]:7001/console), and then press the Lock and Edit button.
From the left-hand menu select Services > Data Sources. Then, from the Data Sources
list, press New > Generic Data Source.
Then, on the Create a New JDBC Data Source page, enter or select the following
details:
Name : BIDatabaseGroupsDS
JNDI Name : jdbc/BIDatabaseGroupsDS
Database Type : Oracle (for example)

On the following page,

select the Database Driver, and then at the Connection Properties page, enter the
connection details to your schema and database, for example:
Database Name : orcl
Host Name : obisrv1c
Port : 1521
Database User Name : gcbc_bi_groups
Password : password
Confirm Password : password
Once entered, test the connection on the next page, on the next page deploy the
datasource to all of your WebLogic servers, then press Finish, and then press the Activate
Changes button.
3. Next you will create a BISQLGroupProvider against this JDBC data source. The SQL
thats in the SELECT statements below is particular to the tables that I diagrammed
earlier, and youd need to change it if your table structure was different.

Start by pressing the Lock & Edit button, to start editing the domain configuration.
Then, select Security Realm > myrealm > Providers from the menus and tabs.
With the Providers tab selected, press the New button to create a new authentication
provider. When prompted, enter MySQLGroupProvider as the Name, and select
BISQLGroupProvider as the Type.

Then, press OK to close the page, and then click on the new MySQLGroupProvider
authentication provide to display its settings page. Select the Provider Specific tab, and
then type in the name of the JDBC datasource that you created earlier, i.e.
jdbc/BIDatabaseGroupDS.
If you used the same table and column names as in the diagram before, the SQL settings
for this provider will not need to be changed. If you did alter the table or column names
though, update the SQL commands to reflect your actual database structure.

Once complete, press Save.

4. Now go back to the list of providers, and Reorder them so that the new
MySQLGroupProvider is at the top of the list.

5. If you have not done so already, set the virtualized=true flag in the Identity Store
Provider settings in Enterprise Manager see the steps earlier in this posting for details
on how to do this.
Once youve done this, press the Activate Changes button and then stop, and then start
your entire BI system, so that all WebLogic and OBIEE components restart.
6. Next, you are going to create an XML file that will be an adapter template for the
database adapter, and will be used by the Identity Store APIs to map groups to application
roles. Use a text editor and call the file bi_sql_groups_adapter_template.xml, and
substitute your own LDAP details into the
<param name=ReplaceAttributevalue=uniquemember={cn=%uniquemember
%,cn=Users,dc=gcbc,dc=com}/>
section, and also the:
<objectClass name=groupofuniquenames rdn=cn>
section. In addition, if you have used different database table names and columns, youll
need to adjust the SQL statements in the XML file accordingly.
?
<?xml version = '1.0' encoding = 'UTF-8'?>
<adapters schvers="303" version="1"
xmlns="http://www.octetstring.com/schemas/Adapters"
xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
<dataBase id="directoryType" version="0">
<root>%ROOT%</root>
<active>true</active>
<serverType>directoryType</serverType>

<routing>
<critical>true</critical>
<priority>50</priority>
<inclusionFilter/>
<exclusionFilter/>
<plugin/>
<retrieve/>
<store/>
<visible>Yes</visible>
<levels>-1</levels>
<bind>true</bind>
<bind-adapters/>
<views/>
<dnpattern/>
</routing>
<pluginChains
xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
<plugins>
<plugin>
<name>VirtualAttribute</name>
<class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.Virtua
lAttributePlugin</class> <initParams>
<param name="ReplaceAttribute"
value="uniquemember={cn=%uniquemember%,cn=Users,dc=gcbc,dc=com}"/>
</initParams>
</plugin>
</plugins>
<default>
<plugin name="VirtualAttribute"/>
</default>
<add/>
<bind/>
<delete/>
<get/>
<modify/>
<rename/>
</pluginChains>
<driver>oracle.jdbc.driver.OracleDriver</driver>
<url>%URL%</url>
<user>%USER%</user>
<password>%PASSWORD%</password>
<ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
<includeInheritedObjectClasses>true</includeInheritedObjectClasses
>
<maxConnections>10</maxConnections>
<mapping>
<joins/>
<objectClass name="groupofuniquenames" rdn="cn">
<attribute ldap="cn" table="GROUPMEMBERS" field="G_NAME" type=""/>
<attribute ldap="description" table="GROUPMEMBERS"
field="G_NAME" type=""/>
<attribute ldap="uniquemember" table="GROUPMEMBERS"
field="G_MEMBER" type=""/>
</objectClass>
</mapping>
<useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
<connectionWaitTimeout>10</connectionWaitTimeout>

<oracleNetConnectTimeout>0</oracleNetConnectTimeout>
<validateConnection>false</validateConnection>
</dataBase>
</adapters>

Now, open a command-prompt session in the server running Oracle Business

Intelligence, and enter the following commands, adjusting for your particular
environment and LDAP settings:
cd c:\Middleware\oracle_common\bin
set ORACLE_HOME=c:\Middleware\Oracle_BI1
set WL_HOME=c:\Middleware\wlserver_10.3
set JAVA_HOME=c:\Middleware\jdk160_24
libovdadapterconfig -adapterName biSQLGroupAdapter -adapterTemplate
bi_sql_groups_adapter_template.xml -host localhost -port 7001 -userName biadmin
-domainPath c:\Middleware\user_projects\domains\bifoundation_domain -dataStore DB
-root cn=Users,DC=gcbc,DC=com -contextName default -dataSourceJNDIName
jdbc/BIDatabaseGroupDS
When prompted, enter the password for the Administration Server. Once complete, you
should see the message:
Adapter created successfully: biSQLGroupAdapter
7. Now stop and restart the entire BI system. During the restart, you will see an error
message saying that the connection pool you just created is unusable this is expected
and will not cause a problem.
Now, go into Enterprise Manager and create a matching role for one of your new
database-defined groups. You should see the new groups appearing when you go to add a
group to the application role if not, check the console output for the WebLogic Server
for any diagnostic messages.

8. Finally, youre now ready to test out the new roles and groups. Restart your entire BI
system, then log in as one of the users with groups in the database tables, and then view
the list of roles assigned to the user. You should see your new roles, corresponding to the
group settings in the database tables, assigned to the user in this case, the HR Manager
role.