Oracle Business Intelligence 11gR2 11.1.1.7 authentication to Microsoft Active Directory

This post walks through the steps to have BI users authenticate against Active Directory. Users already defined in BI, for example “weblogic”, can still log in.

Open the admin console at http://obiee.example-domain.com:7001/console.

Click Lock & Edit, then go to Security Realms, myRealm, Providers tab, Authentication.

Click New. Select the type ActiveDirectoryAuthenticator and give it a name, e.g. myADAuthenticator.

Set the control flag to Sufficient. This means that authentication against either AD or BI is enough to let a user log in, so you will still be able to use the “weblogic” account. For this to work, you must also set the control flag of the default authenticator to Sufficient. If you forget this, the AD users will not be able to log in.

Click on myADAuthenticator and go to the Provider Specific tab.

Enter the host of the AD server and a user.

User Base DN: ou=wlsusers,dc=example-domain,dc=com

If you can’t get it to work with “ou=wlsusers,dc=…”, you can also try only “dc=example-domain,dc=com”, but this means that all your AD users will be able to log in to BI.

All users filter: (&(sAMAccountName=*)(objectclass=user))

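User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))

Here %u is the placeholder that WebLogic replaces with the login name the user typed, so this filter looks up exactly one account.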
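To see which accounts the User Base DN and the two filters put in scope before restarting, the following added example (not from the original post) evaluates them against a small constructed directory in pure Python. The sample entries, the helper names and the support for only the `(&(attr=value)...)` filter shape used here are assumptions; `%u` is the placeholder WebLogic replaces with the login name.

```python
import re

# Constructed sample entries (not real accounts): DN -> attributes.
DIRECTORY = {
    "cn=Alice,ou=wlsusers,dc=example-domain,dc=com": {"sAMAccountName": "alice", "objectclass": "user"},
    "cn=Bob,ou=wlsusers,dc=example-domain,dc=com": {"sAMAccountName": "bob", "objectclass": "user"},
    "cn=Carol,ou=finance,dc=example-domain,dc=com": {"sAMAccountName": "carol", "objectclass": "user"},
    "cn=AD_BIAuthor,ou=wlsusers,dc=example-domain,dc=com": {"sAMAccountName": "AD_BIAuthor", "objectclass": "group"},
}
OU_BASE = "ou=wlsusers,dc=example-domain,dc=com"   # user base DN from the page
ROOT_BASE = "dc=example-domain,dc=com"             # the wider fallback from the page
ALL_USERS = "(&(sAMAccountName=*)(objectclass=user))"
BY_NAME = "(&(sAMAccountName=%u)(objectclass=user))"  # %u = login name placeholder

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    """Turn \\XX escapes back into characters for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def in_subtree(dn, base_dn):
    """True when dn is base_dn itself or sits below it (case-insensitive)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def matches(attrs, ldap_filter):
    """Evaluate an AND of (attr=value) terms; a bare '*' value means 'attribute present'."""
    low = {k.lower(): v.lower() for k, v in attrs.items()}
    for attr, wanted in re.findall(r"\(([^=()&]+)=([^()]*)\)", ldap_filter):
        have = low.get(attr.lower())
        if have is None or (wanted != "*" and have != unescape(wanted).lower()):
            return False
    return True

def search(base_dn, ldap_filter, login=None):
    """Return the sAMAccountNames under base_dn that match; %u is replaced by the escaped login."""
    if login is not None:
        ldap_filter = ldap_filter.replace("%u", escape_filter_value(login))
    return sorted(a["sAMAccountName"] for dn, a in DIRECTORY.items()
                  if in_subtree(dn, base_dn) and matches(a, ldap_filter))

if __name__ == "__main__":
    print("OU base, all users  :", search(OU_BASE, ALL_USERS))
    print("root base, all users:", search(ROOT_BASE, ALL_USERS))
    print("lookup 'alice'      :", search(OU_BASE, BY_NAME, "alice"))
    print("lookup '*' (escaped):", search(OU_BASE, BY_NAME, "*"))
```

With the OU as base only the two accounts in wlsusers are in scope; with the domain root the account from the finance OU is in scope as well.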

Now restart the admin server.

Then you have to add three keys to the identity store provider.

In Enterprise Manager, go to WebLogic Domain, bifoundation_domain, Security, Security Provider Configuration, Identity Store Provider, Configure.

These are the keys:

  1. user.login.attr=sAMAccountName
  2. username.attr=sAMAccountName
  3. virtualize=true

Then you should define three groups in AD and add them to the corresponding roles in BI.

  1. AD_BIAdministrator
  2. AD_BIAuthor
  3. AD_BIConsumer

That's all; you should now be able to log in to BI with your domain user.