How to get group information in case of AD , LDAP authentication?

In the previous post we have seen how to set up LDAP authentication in OBIEE .
If you have not read that I would advice you to read the article
here

In this post will go through limitations of Microsoft AD implementation for SSO.

LDAP Limitations with Microsoft AD

We can not use import ,import all or synchronize users from OBIEE admin in case of  AD.And we can not even get the user’s group defined in the AD.

As in case of groups it returns an array of chars and OBIEE does not understand it as a group name.( it requires group names separatedby ; )

So in we can not implement the security at User level we have to set the security at group level only.

let say we have user devang in LDAP.  and it belongs to a group called PowerUser.

Step 1 Create a database table and make entries

let say  our database table which has user and group called:  USER_SECURITY_GROUPS.

It has enty as user , group = devang,PowerUser

Step 2 Create a init block to get the user group information from database table

Lets called the initialization block as initGroup and create it as show below.

initiGroup creation

Note : in execution precedence make sure that initLDAP gets executed first. So that users gets authenticated and then get the group name from database table.

set 3 Create group in OBIEE repository

Create a group called PowerUser in OBIEE repository

Manage– > Security  –> Groups and create a new group

LDAP Group in Admin

set the permission for the group as required.

Step 4 Create a same catalog group in OBIEE answers.

Go to Setting — > Administration — > Manage Presentation Catalog Groups and Users

Group in Answers

Create a new catalog group

How to Implement Single Sign On (SSO) in OBIEE with Microsoft Active Directory ?

OBIEE LDAP authentication using microsoft Active Directory.

Before starting this, I would prefer that you read my article on session variable and initialized block here

SSO can be implemented using Lightweight Directory Access Protocol (LDAP) in OBIEE.

Most popular LDAP implementation for OBIEE is either OID (Oracle internet Directory) or Microsoft Active Directory (AD). And no wonder why LDAP authentication is supported more on OID and not AD (yeah Oracle v/s Microsoft). This does not mean we can not achieve SSO using LDAP for AD. Yes we can. But with little different implementation style and some limitations. (Oracle documentation talks about all OID and nothing at all for AD)

So Here I am going to discuss on how to implement LDAP authentication for AD to achieve SSO.

Below are the implementation step:

Setting up LDAP Server , Initialization Block and Session Variables

Step 1: Create LDAP Connection.

Open OBIEE Administration.

Go to Manage — > Security

Manage Security.

Select LDAP Servers : on the right side right click and select New LDAP Server

Security Manager

LDAP Connection

LDAP Connection Advance

Step 2: Create  initialization block and session variable

Go to Manage — > Variables

Click Session — > Initialization Block right click on the pan select New Initialization Block

Session Variable Initialization Block

Give the name to the Initialization Block e.g initLDAP

As a part of configuring Initialization Block you need to provide

Click on Edit Data Source

Data Source Type : select LDAP then click on Browse and select appropriate LDAP server connection

Data Source

Click on Edit Data Target

Session Variable

Click on New and you will see the screen like below

User Session Variable

Click ok you will and warning message as below. Just ignore it, as it warns that you are using USER session variable and it has special meaning

User Warning

User LDAP Variable

Here we have just create only one session variable which takes information from LDAP. We can create many such variable like groups( has limitation AD which i am going to discuss in detail) , display name etc etc whatever is available on LDAP.

LDAP admin can help with the name of  variable referred in LDAP

Click on Edit Execution Precedence

If you are using multiple Initialization block then this will be use ful in deciding which block should execute first. As we have just once init block we will not do anything here.

Click on Test

Enter LDAP  UserId and password, in sAMAccountName it should show the user Id which indicates the LDAP connection and hence authentication with LDAP works.

TEST LDAP connection

In the next post I will discuss on how to get group information, limitation of LDAP AD implementaion with OBIEE.