Archive for the ‘Security’ Category

LDAP Authentication against multiple servers

October 27th, 2009 No comments

Someone asked the Oracle support if Siebel Analytics could use 2 LDAP servers for authentication. “We currently use one of the LDAP server for authentication and it works fine. We have some users from another LDAP server and want to add it to our authentication.”

Response was:
Siebel Analytics can only authenticate against one LDAP server at a time. If you define multiple LDAP servers, the 2nd LDAP server is not looked at unless the connection to the 1st failed.

You define multiple LDAP servers by putting the LDAP server names in a concatenated string, using a space as the delimiter, in the Host Name entry, i.e. “ldap1.siebel.com ldap2.siebel.com:9872 ldap3.siebel.com” in the AN78x release.

In the latest Oracle Business Intelligence Enterprise Edition, you can define multiple LDAP server definitions in the Manage > Security > LDAP Server.

But authentication tries the first LDAP server; only if it fails does it use the second LDAP server defined in the repository.

“Product change request 12-HOAZ87 has been logged to ask for authentication against multiple LDAP servers simultaneously.”
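The failover rule in that response is easy to misread, so here is an added simulation (not Oracle's code) of what it actually means: a user who exists only on the second server is rejected as long as the first server is reachable. The Host Name string is the one from the note; the directory contents, credentials and the default port of 389 are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Hypothetical directory per server: user -> password, or None when the host is unreachable.
Directory = Optional[Dict[str, str]]


def parse_hosts(host_name: str, default_port: int = 389) -> List[Tuple[str, int]]:
    """Split the space-delimited Host Name entry; a host may carry an explicit :port.
    (389 is the standard LDAP port, assumed here as the default.)"""
    hosts = []
    for token in host_name.split():
        host, _, port = token.partition(":")
        hosts.append((host, int(port) if port else default_port))
    return hosts


def authenticate(host_name: str, servers: Dict[str, Directory], user: str, pwd: str) -> str:
    """Report which server answered and how. Only a failed *connection* moves on to the
    next host; a reachable server that rejects the credentials ends the attempt, so a user
    who exists only on the 2nd server is denied while the 1st server is up."""
    for host, _port in parse_hosts(host_name):
        directory = servers.get(host)
        if directory is None:            # connection failed -> try the next server
            continue
        if directory.get(user) == pwd:
            return f"accepted by {host}"
        return f"rejected by {host}"     # no further server is consulted
    return "no server reachable"


# Constructed sample: alice exists only on ldap1, bob only on ldap2, ldap3 is down.
HOSTS = "ldap1.siebel.com ldap2.siebel.com:9872 ldap3.siebel.com"
SERVERS: Dict[str, Directory] = {
    "ldap1.siebel.com": {"alice": "s3cret"},
    "ldap2.siebel.com": {"bob": "hunter2"},
    "ldap3.siebel.com": None,
}
LDAP1_DOWN: Dict[str, Directory] = {**SERVERS, "ldap1.siebel.com": None}

if __name__ == "__main__":
    print(authenticate(HOSTS, SERVERS, "alice", "s3cret"))     # accepted by ldap1.siebel.com
    print(authenticate(HOSTS, SERVERS, "bob", "hunter2"))      # rejected by ldap1.siebel.com
    print(authenticate(HOSTS, LDAP1_DOWN, "bob", "hunter2"))   # accepted by ldap2.siebel.com
```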

ADSI Groups in OBIEE (LDAP)

August 5th, 2009 2 comments

This is official – you can’t get groups from ADSI! Hopefully, this can help someone who’s battling management in the beginning of the project. Sometimes Oracle salespeople are overly optimistic and provide an impression that OBIEE can do everything. But I’ll let it be a theme of another post.

Here’s the full text below: “

I am able to login to Analytics web using my Active Directory credentials. However, I need to be able to assign permissions to myself. How do I do that? Do I create an Analytics group named the same as an Active Directory group and assign permissions to the Analytics group?

Customer is able to login to Analytics web using his Active Directory credentials. However, he wants to assign permissions to himself. How do I do that? Do I create an Analytics group named the same as an Active Directory group and assign permissions to the Analytics group?

Resolution
After understanding the customer’s requirements it was determined that it is not possible to retrieve the Group name the way the customer is trying.

The customer is trying to retrieve the GROUP value from the memberOf attribute.

The memberOf attribute is an array holding multiple values. Here is an example:
CN=Siebel Administrator,OU=People,DC=d1,DC=us,DC=ts
memberOf=CN=Group Policy Creator Owners,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Domain Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Enterprise Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Schema Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Administrators,CN=Builtin,DC=d1,DC=us,DC=ts

We do not support retrieving groups dynamically for LDAP/ADSI validation.
I have logged Bug No# 5714777 as an Enhancement Request to support this feature.
The only way to retrieve the group name is to create an attribute “xyz” in ADSI and populate it with xyz:webadmin;siebeladmin; then you can map it to the Group variable.”
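To make the difference between the two attributes concrete, here is an added example (not Oracle's code) that parses an entry shaped like the one above, rendered here as standard LDIF: memberOf comes back as five values, while the workaround attribute xyz is one string that maps straight to GROUP. The AD-to-OBIEE group mapping used to derive xyz from memberOf is an assumption, added because a hand-populated attribute drifts from real membership unless something regenerates it.

```python
from typing import Dict, List

# Constructed entry in standard LDIF form, mirroring the support note's example, plus the
# hand-populated "xyz" attribute the note proposes as the workaround.
LDIF_ENTRY = """\
dn: CN=Siebel Administrator,OU=People,DC=d1,DC=us,DC=ts
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=d1,DC=us,DC=ts
memberOf: CN=Domain Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf: CN=Enterprise Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf: CN=Schema Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf: CN=Administrators,CN=Builtin,DC=d1,DC=us,DC=ts
xyz: webadmin;siebeladmin
"""

# Hypothetical AD group -> OBIEE group mapping an administrator would maintain.
AD_TO_OBIEE = {"Domain Admins": "siebeladmin", "Administrators": "webadmin"}


def parse_entry(text: str) -> Dict[str, List[str]]:
    """Collect attribute values; a repeated attribute (memberOf) becomes a multi-valued list."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def group_cns(member_of: List[str]) -> List[str]:
    """The CN of each group DN (value of the first RDN)."""
    return [dn.split(",", 1)[0].split("=", 1)[1] for dn in member_of]


def xyz_groups(value: str) -> List[str]:
    """The single-valued workaround attribute holds a ';'-separated list."""
    return [g for g in value.split(";") if g]


def derive_xyz(member_of: List[str], mapping: Dict[str, str]) -> str:
    """Build the xyz value from memberOf so the hand-maintained attribute cannot drift
    from real group membership (order preserved, duplicates dropped)."""
    names = [mapping[cn] for cn in group_cns(member_of) if cn in mapping]
    return ";".join(dict.fromkeys(names))


if __name__ == "__main__":
    entry = parse_entry(LDIF_ENTRY)
    print(len(entry["memberOf"]), "memberOf values:", group_cns(entry["memberOf"]))
    print("GROUP from xyz:", xyz_groups(entry["xyz"][0]))
    print("xyz derived from memberOf:", derive_xyz(entry["memberOf"], AD_TO_OBIEE))
```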


How to reset/change the ‘Administrator’ password in OBIEE, BI Publisher and BI Scheduler

June 2nd, 2009 2 comments

We would like to reset the ‘Administrator’ password for:

i) ‘OBIEE’
ii) ‘BI Publisher’ and
iii) ‘BI Scheduler’

Please provide a solution to perform a password reset.
Solution

The steps to perform this task are below.

The example solution begins by creating a BI Publisher superuser.

On both OBIEE and BI Publisher.

Start username/password:    Administrator/Administrator
After username/password:    Administrator/admin3

BI Publisher superuser username/password admin2/admin2

After the test I also proved you could log into OBIEE and click on the preconfigured Dashboard.

Please follow the exact steps below and create the same usernames and passwords to start off with.

1. Take a backup copy of the file c:\OracleBI\xmlp\XMLP\Admin\Configuration\xmlp-server-config.xml.
2. Log into BI Publisher.
3. Select Admin > Security Center > Security Configuration.
4. Enable a Local Superuser called admin2 with the password admin2. Click <Apply>.

5. Restart oc4j
6. Sign into BI Publisher as admin2/admin2.
This should log in successfully.

7. Log into OBIEE Admintool (Online) and change the Administrator password to ‘admintool’.
8. Check in and save the changes.
9. Log into OBIEE Answers as Administrator/admin3

10. Change the ‘Administrator’ password under the ‘Security Model’ to ‘admin3’. Click <Apply>.
11. Restart oc4j.
12. Log into BI Publisher as Administrator/admin3.
This should log in successfully.

13. Log into OBIEE Answers as Administrator/admin3
14. Click on More Products > BI Publisher
15. This should go straight through to BI Publisher without prompting for a username and password.

If the above method still fails, attach your c:\OracleBI\xmlp\XMLP\Admin\Configuration\xmlp-server-config.xml file for comparison. I would expect the encrypted password strings to match my environment exactly.

** BI Scheduler password **

This password can be changed in ‘schconfig’ from the DOS/UNIX command line/shell.
C:\>schconfig
Copyright (c) 1997-2006 Oracle Corporation, All rights reserved

***** Delivers Configuration Menu *****
1 – Configure Scheduler

>>> Enter Choice: 1

***** Scheduler Configuration *****
1 – Database
2 – General
3 – Advanced
0 – Quit

>>> Enter Choice:

>>> Enter Choice: 2

***** Scheduler General Configuration *****
10 – Administrator Name : Administrator
11 – Administrator Password : *****
0 – Quit

>>> Enter Choice: 10, then 11

0 – Quit
0 – Quit
0 – Quit

Quit three times and restart all Analytics Services to bring them back in sync (restarting the BI Scheduler on its own also works, but Job Manager connections may exhibit stale behaviour depending on what has been changed).

How to set session variables using url variables

March 6th, 2009 5 comments

The goal is to set session variables using URL variables, but can you also do this for the user and password?
The URL variable (&Upwd) is not passed to the session variable USER_PWD.
The variable USER is correctly passed; the variable USER_PWD is not!

Solution

The steps to set an OBIS session variable via a URL call utilizing the instanceconfig.xml tag are as follows:

1. Create a session init block that will act as a ‘placeholder’ for the session variable to be set via the URL call; the variable can be set to anything.

2. Set the ‘Enable any user to set the value’ option for the variable.

3. Add the following tag block to the instanceconfig.xml file anywhere between the <ServerInstance></ServerInstance> tags:

<Auth>
  <UserIdPassword enabled="true">
    <ParamList>
      <Param name="NQ_SESSION.TEST_VAR"
             source="url"
             nameInSource="SETVAR"/>
    </ParamList>
  </UserIdPassword>
</Auth>

"TEST_VAR" should match the session variable name (case sensitive).

4. The following option will need to be appended to the OBI URL passed: &SETVAR=<variable value to pass>. So a full example would be:
http://localhost:9704/analytics/saw.dll?Dashboard&nqUser=USER001&nqPassword=USER001&SETVAR=SomeValue

However, note that you cannot set the value of any System Security Session variable (specifically USER, PROXY, GROUP and WEBGROUPS) using any source method (e.g. url, cookie, httpHeader); this is by design, since having this ability would open possible security breaches.

If you attempt to set the USER variable with the following instanceconfig.xml setting:

<Param name="NQ_SESSION.USER" source="url" nameInSource="nquser" />

You will get the following error when using the URL http://localhost:9704/analytics/saw.dll?Dashboard&nquser=user1&nqpassword=public :

nQSError: 10018: Access for the requested connection is refused
nQSError: 1315 You do not have the permission to set the value of the variable :USER
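The two halves of that note (the Param mapping that works and the one the server refuses) can be checked before a restart. Here is an added example (not Oracle's code) that reads the <Auth> block from an instanceconfig.xml, lists any Param that targets one of the protected system variables named above, and works out which session variables a given request URL would set; the config fragment and request URL are constructed from the note's own values.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# The System Security Session variables the note says no source may set.
PROTECTED = {"USER", "PROXY", "GROUP", "WEBGROUPS"}

# Constructed config: the TEST_VAR mapping from the note plus the USER mapping it warns against.
INSTANCECONFIG = """<ServerInstance><Auth><UserIdPassword enabled="true"><ParamList>
  <Param name="NQ_SESSION.TEST_VAR" source="url" nameInSource="SETVAR"/>
  <Param name="NQ_SESSION.USER" source="url" nameInSource="nquser"/>
</ParamList></UserIdPassword></Auth></ServerInstance>"""

# Constructed request: the note's example URL with the SETVAR and nquser parameters added.
URL = ("http://localhost:9704/analytics/saw.dll?Dashboard&nqUser=USER001"
       "&nqPassword=USER001&SETVAR=SomeValue&nquser=user1")


def url_params(config_xml: str) -> List[Tuple[str, str]]:
    """(session variable, URL parameter) pairs for every Param with source="url"."""
    root = ET.fromstring(config_xml)
    return [(p.get("name"), p.get("nameInSource"))
            for p in root.iter("Param") if p.get("source") == "url"]


def audit(config_xml: str) -> List[str]:
    """Param entries that target a protected variable; the server refuses these with
    nQSError 1315 rather than honouring them."""
    return [name for name, _ in url_params(config_xml)
            if name.split(".", 1)[-1].upper() in PROTECTED]


def apply_url(config_xml: str, url: str) -> Dict[str, str]:
    """Session variables a request would set, with protected names left untouched."""
    query = parse_qs(urlsplit(url).query)
    result: Dict[str, str] = {}
    for name, param in url_params(config_xml):
        var = name.split(".", 1)[-1]
        if var.upper() in PROTECTED or param not in query:
            continue
        result[var] = query[param][0]
    return result


if __name__ == "__main__":
    print("refused Param entries:", audit(INSTANCECONFIG))     # ['NQ_SESSION.USER']
    print("variables set:", apply_url(INSTANCECONFIG, URL))    # {'TEST_VAR': 'SomeValue'}
```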

LDAP how restrict the login to members of certain groups in OBIEE?

March 4th, 2009 3 comments

The question is whether you can mix LDAP and other types of authentication. In one word: yes and no.

Here’s what Oracle suggests:

1. You can have internal authentication and LDAP authentication, e.g. users in the rpd and users in the LDAP.

For users not defined in the repository, the presence of a defined session system variable USER determines that external authentication is performed.
So using this method, you can have groups with internal users using the internal security, and groups with users that use the LDAP authentication.

But you cannot mix external table and LDAP authentication, for example, as you cannot have different connection pools on the same init block.

2. The best option would be to create your own authentication DLL (custom authentication), so you will have full control over which systems you look up the user account in.
You can write your own DLL in C++ and have the OBI Server invoke it. BI just passes the username/pwd received and waits for an authenticated/not authenticated message from the DLL.

This exists since 10.1.3.2.

We provide an example of such a DLL.
Location of the sample: D:\OracleBI\server\SDK\CustomAuthenticatorSamples

I wonder if anyone has tried it; I think that at this time it’d be easier to work around the requirement by using standard methods. Let’s see what John Minkjan might say about it.