LDAP: how to restrict the login to members of certain groups in OBIEE?


The question is whether you can mix LDAP and other types of authentication. In one word – yes and no.

Here’s what Oracle suggests:

1. You can have internal authentication and LDAP authentication, e.g. users in the rpd and users in the LDAP.

For users not defined in the repository, the presence of a defined session system variable USER determines that external authentication is performed.
So using this method, you can have groups with internal users using the internal security, and groups with users that use the LDAP authentication.

But you cannot mix external table and LDAP authentication, for example, as you cannot have different connection pools on the same init block.

2. The best option would be to create your own authentication DLL (custom authentication) so you will have full control over which systems you will look up for the user account.
You can write your own DLL in C++, and have OBI Server invoke it. BI just passes the username/pwd received, and waits for an authenticated/not authenticated message from the DLL.

This has existed since 10.1.3.2.

We provide an example of such a DLL.
Location for the sample one: D:\OracleBI\server\SDK\CustomAuthenticatorSamples

I wonder if anyone tried it – I think that at this time, it’d be easier to work around the requirement by using standard methods. Let’s see what John Minkjan might say about it.
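
The decision logic such a custom authenticator could apply, as an added example that is not part of the original post, not Oracle's SDK sample and not the SDK's interface: `Backend`, `authenticate` and the sample users and groups are hypothetical, with in-memory maps standing in for real rpd or LDAP lookups. It goes slightly beyond the post by adding the group restriction from the title and by rejecting unknown users and empty passwords.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical model of one user store (rpd users, LDAP, external table).
// NOT the OBIEE SDK interface; a real DLL would query the store instead.
struct Backend {
    std::string name;
    std::map<std::string, std::string> passwords;         // user -> password
    std::map<std::string, std::set<std::string>> groups;  // user -> groups
};
enum class AuthResult { Authenticated, NotAuthenticated };

// The first store that knows the user decides. Accept only when the password
// matches and the user belongs to an allowed group; everything else fails closed.
AuthResult authenticate(const std::vector<Backend>& backends,
                        const std::set<std::string>& allowedGroups,
                        const std::string& user, const std::string& password) {
    // Reject empty input: an empty password can turn an LDAP simple bind
    // into an anonymous bind that "succeeds".
    if (user.empty() || password.empty()) return AuthResult::NotAuthenticated;
    for (const Backend& b : backends) {
        auto pw = b.passwords.find(user);
        if (pw == b.passwords.end()) continue;            // unknown here, try next store
        if (pw->second != password) return AuthResult::NotAuthenticated;
        auto g = b.groups.find(user);
        if (g == b.groups.end()) return AuthResult::NotAuthenticated;
        for (const std::string& grp : g->second)
            if (allowedGroups.count(grp)) return AuthResult::Authenticated;
        return AuthResult::NotAuthenticated;              // valid password, wrong group
    }
    return AuthResult::NotAuthenticated;                  // no store knows the user
}

// Constructed sample data: one internal user, two LDAP users.
std::vector<Backend> sampleBackends() {
    return {
        {"internal", {{"admin", "rpd-secret"}}, {{"admin", {"BI_Admins"}}}},
        {"ldap", {{"alice", "a-pass"}, {"bob", "b-pass"}},
                 {{"alice", {"BI_Users"}}, {"bob", {"HR"}}}},
    };
}

int main() {
    auto r = authenticate(sampleBackends(), {"BI_Admins", "BI_Users"}, "bob", "b-pass");
    std::cout << "bob: " << (r == AuthResult::Authenticated ? "ok" : "denied") << "\n";
}
```
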

4 Comments

  1. John Minkjan says:

    Hi Andriy,

    You know I love a challenge, but Borkur already did it:
    http://ioug.itconvergence.com/pls/htmldb/DWBISIG.download_my_file?p_file=2005. You will have to find an old C++ compiler. MS express can’t work out an “upgrade” for the SDK code.

    regards

    John

  2. Andy says:

    Nice job John!

  3. john lee says:

    Hi,
    I have a problem in my OBIEE: authentication is not done by the OBI server, anyone can log in to the OBI server, i.e. if the user does not exist (new user), then it creates the user and logs in directly. Here I have not changed any privileges for that, I don’t understand why this is happening. Please suggest what changes I have to make.
    Regards,
    John Lee
