Importing Users and Groups from LDAP


If your organization uses Lightweight Directory Access Protocol (LDAP), you can import your existing LDAP users and groups into a repository. After they are imported, all normal Oracle BI Server user and group functions are available, and you can resynchronize the imported list with the LDAP server at any time.
You can also authenticate against LDAP as an external source. When you do this, users are not imported into the repository. Users are authenticated, and their group privileges determined, when they log on. For more information about using LDAP authentication, refer to Setting Up LDAP Authentication.
NOTE:  If the same user ID is defined both as a repository user and in an LDAP server, the local repository user definition takes precedence and LDAP authentication is not attempted for that ID. This allows the Oracle BI Administrator to reliably override users that exist in an external security system.
This section includes the following topics:
  • Setting Up an LDAP Server
  • Importing Users from LDAP
  • Synchronizing Users and Groups with LDAP

Setting Up an LDAP Server

This section explains how to set up LDAP authentication for the repository.
NOTE:  For information about the basics of security and setting up authentication, refer to Oracle BI Security Manager.
For Oracle BI instances that use ADSI as the authentication method, set the following options on the Active Directory user accounts:
  • In Log On To, check All Computers or, if you list specific computers, include the AD server as a logon workstation.
  • Do not check User must change password at next logon.
In the Administration Tool, the account whose DN is entered as the Bind DN in the LDAP Server section must be allowed both to bind and to search the Base DN subtree (ldap_bind and ldap_search authority).
NOTE:  The Oracle BI Server sends passwords in clear text (a simple bind) when authenticating against LDAP, so your LDAP servers must be configured to allow this. Because the bind password crosses the network in the clear, select the SSL option on the Advanced tab unless the connection is otherwise protected.
To set up LDAP authentication for the repository
  1. Open a repository in the Administration Tool in offline or online mode.
  2. From the application menu, choose Manage > Security.
  3. From the Security Manager menu, choose Action > New > LDAP Server.
  4. In the LDAP Server dialog box, in the General tab, complete the necessary fields. The following list of fields (or buttons) and descriptions contains additional information to help you set up the LDAP server:
    • Host name. The name of your LDAP server.
    • Port number. The default LDAP port is 389.
    • LDAP version. LDAP 2 or LDAP 3 (versions). The default is LDAP 3.
    • Base DN. The base distinguished name (DN) identifies the starting point of the authentication search. For example, if you want to search all of the entries under the o=Oracle.com subtree of the directory, o=Oracle.com is the base DN.
    • Bind DN and Bind Password. The optional DN and its associated user password that are required to bind to the LDAP server.
      If these two entries are blank, anonymous binding is assumed. For security reasons, not all LDAP servers allow anonymous binding.
      These fields are optional for LDAP V3, but required for LDAP V2, because LDAP V2 does not support anonymous binding.
      These fields are required if you select the ADSI check box. If you leave these fields blank, a warning message appears asking if you want to leave the password empty anyway. If you click Yes, anonymous binding is assumed.
    • Test Connection. Use this button to verify your parameters by testing the connection to the LDAP server.
  5. Click the Advanced tab, and type the required information. The following list of fields and descriptions contains additional information to help you set up the LDAP server:
    NOTE:  The Oracle BI Server maintains an authentication cache in memory that improves performance when using LDAP to authenticate large numbers of users. Disabling the authentication cache can slow performance when hundreds of sessions are being authenticated.
    • Connection timeout. When the Administration Tool attempts to connect to an LDAP server for import purposes or the Oracle BI Server attempts to connect to an LDAP server for user authentication, the connection will time out after the specified interval.
    • Domain identifier. Typically a single word that uniquely identifies the domain for which this LDAP object is responsible. It matters when you configure multiple LDAP objects: if two different users have the same user ID on different LDAP servers, the domain identifier distinguishes them. Users log in to the Oracle BI Server using the following format:
      domain_id/user_id
      A user ID entered without the domain identifier is authenticated against every configured LDAP server in turn. Where several directories hold the same user ID, only one of those users can be the one that authenticates the login, so users who exist in more than one directory should log in with the prefix.
    • ADSI. (Active Directory Service Interfaces) A type of LDAP server. If you select the ADSI check box, Bind DN and Bind password are required.
    • SSL. (Secure Sockets Layer) Check this box to encrypt the connection to the LDAP server, including the bind credentials.
    • User Name Attribute Type. This uniquely identifies a user. In many cases, this is the RDN (relative distinguished name). Typically, you accept the default value. For most LDAP servers, you would use the user ID. For ADSI, use sAMAccountName.
NOTE:  For information about configuring cache settings and SSL, refer to Oracle Business Intelligence Enterprise Edition Deployment Guide.
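The precedence and routing rules spelled out above (repository users win over LDAP, `domain_id/user_id` selects one server, a bare user ID is tried against every server in turn) are easy to misread, so here they are as an added model in Python. This is an illustration written for this page, not Oracle BI Server code: the two directories, their domain identifiers, the DNs and the passwords are constructed, and the search and bind steps are simulated against in-memory dictionaries.

```python
"""Model of the login-resolution rules described above.

Added illustration only, not Oracle BI Server code: the directory contents,
domain identifiers and passwords below are constructed, and the bind/search
steps are simulated against in-memory dictionaries.
"""
from dataclasses import dataclass


@dataclass
class LdapServer:
    """One entry of the Security Manager's LDAP Servers list (only the fields we need)."""
    domain_id: str            # Advanced tab: Domain identifier
    user_name_attribute: str  # Advanced tab: User Name Attribute Type
    entries: dict             # constructed directory under the Base DN: dn -> attributes

    def find_user(self, user_id):
        """The search step: entries under the Base DN whose name attribute equals user_id."""
        return [dn for dn, attrs in self.entries.items()
                if attrs.get(self.user_name_attribute) == user_id]

    def bind(self, dn, password):
        """The bind step: a simple bind as the found DN (clear-text password unless SSL is on)."""
        return self.entries.get(dn, {}).get("userPassword") == password


def authenticate(login, password, repository_users, ldap_servers):
    """Resolve a login the way the page describes.

    Returns ("repository", user_id) or (domain_id, dn) on success, (None, reason) otherwise.
    """
    domain, sep, user_id = login.partition("/")
    if not sep:                       # no "domain_id/" prefix
        domain, user_id = None, login

    # Rule 1: a repository user with the same ID takes precedence and LDAP is never
    # consulted, even when the repository password is wrong.
    if user_id in repository_users:
        if repository_users[user_id] == password:
            return ("repository", user_id)
        return (None, "repository user exists; LDAP not consulted")

    # Rule 2: "domain_id/user_id" is sent only to the server with that domain identifier.
    if domain is not None:
        candidates = [s for s in ldap_servers if s.domain_id == domain]
        if not candidates:
            return (None, f"unknown domain identifier {domain!r}")
    else:
        # Rule 3: without a prefix every configured server is tried in turn and the first
        # successful bind wins, so the identity you receive depends on server order.
        candidates = list(ldap_servers)

    for server in candidates:
        for dn in server.find_user(user_id):
            if server.bind(dn, password):
                return (server.domain_id, dn)
    return (None, "no LDAP server authenticated the user")


# Constructed sample data: the same user ID "jsmith" exists in two directories.
REPOSITORY_USERS = {"Administrator": "repo-admin-pw"}

CORP = LdapServer("corp", "sAMAccountName", {
    "CN=jsmith,OU=Users,DC=corp,DC=example": {"sAMAccountName": "jsmith",
                                               "userPassword": "corp-secret"},
})
LAB = LdapServer("lab", "uid", {
    "uid=jsmith,ou=people,o=lab": {"uid": "jsmith", "userPassword": "lab-secret"},
})
SERVERS = [CORP, LAB]

if __name__ == "__main__":
    for login, pw in [("Administrator", "repo-admin-pw"), ("corp/jsmith", "corp-secret"),
                      ("jsmith", "lab-secret"), ("jsmith", "corp-secret"),
                      ("lab/jsmith", "corp-secret"), ("jsmith", "wrong")]:
        print(f"{login:>16} -> {authenticate(login, pw, REPOSITORY_USERS, SERVERS)}")
```

The two unprefixed `jsmith` logins are the case to notice: the same typed user ID resolves to a different directory entry depending only on which password was supplied and on the order of the LDAP Servers list. The domain prefix is what makes the identity unambiguous.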

Importing Users from LDAP

You can import selected users or groups, or you can import all users or groups. If you have previously performed an import, you can choose to synchronize the repository with the LDAP server.
To import LDAP users and groups to a repository
  1. Open a repository in the Administration Tool in offline or online mode.
  2. From the application menu, choose Manage > Security.
  3. In the Security Manager, select LDAP Servers in the left pane to display existing LDAP servers in the right pane. Select the LDAP server from which you want to import users or groups, and select Import... from the right-click menu. (You can also select the server and then select LDAP > Import.)
    The import dialog lets you import selected users or groups, import all users and groups, or, if you have imported before, synchronize the repository with the LDAP server.
  4. Select the users you want to import and click Import.
    You can import groups by selecting Groups from the drop down list instead of Users.

Synchronizing Users and Groups with LDAP

You can refresh the repository users and groups with the current users and groups on your LDAP server. After selecting the appropriate LDAP server, select LDAP > Synchronize (or choose Synchronize from the right-click menu).
Synchronization updates your list of repository users and groups to mirror your current LDAP users and groups. Users and groups that do not exist on your LDAP server are removed from the repository. The special user Administrator and the special group Administrators always remain in your repository and are never removed.
Properties of users already included in the repository are not changed by synchronization. If a login name has been recycled for a different person, drop that name from the repository before synchronizing; otherwise the previous holder's definition (and its privileges) is kept and the new LDAP user definition is not imported.
NOTE:  With external LDAP authentication (see Setting Up LDAP Authentication), import and synchronization are not really necessary. The primary use for import is to make it easy to copy LDAP users into the repository as Oracle BI users for testing.
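The synchronization rules above (mirror the LDAP list, never remove Administrator or Administrators, leave existing users' properties alone, drop a recycled login first) are worth seeing together, because the recycled-login case is the one where a careless sync silently hands one person another person's privileges. The following is an added model in Python, not the Administration Tool's code; the repository and directory snapshots, the `employee_id` property and the `drop_users` helper are constructed for the illustration.

```python
"""Model of the synchronization rules described above.

Added illustration, not the Administration Tool's code. The repository and
directory snapshots are constructed; the rules are the ones the text states:
mirror the LDAP list, never remove Administrator/Administrators, and leave the
properties of users that already exist in the repository untouched.
"""
from copy import deepcopy

PROTECTED = {"users": {"Administrator"}, "groups": {"Administrators"}}


def synchronize(repository, directory):
    """Return a new repository snapshot that mirrors `directory`.

    Both arguments look like {"users": {name: props}, "groups": {name: props}}.
    """
    result = {"users": {}, "groups": {}}
    for kind in ("users", "groups"):
        for name, props in repository[kind].items():
            # Existing definitions survive only if LDAP still has them (or they are
            # protected), and their properties are carried over unchanged.
            if name in directory[kind] or name in PROTECTED[kind]:
                result[kind][name] = deepcopy(props)
        for name, props in directory[kind].items():
            # Names that LDAP has but the repository does not are imported fresh.
            result[kind].setdefault(name, deepcopy(props))
    return result


def drop_users(repository, names):
    """Remove the given login names first, so a recycled name is re-imported from LDAP."""
    trimmed = deepcopy(repository)
    for name in names:
        trimmed["users"].pop(name, None)
    return trimmed


# Constructed snapshots. "jsmith" was recycled: the repository still holds the
# previous holder's definition (employee 1001); LDAP now describes employee 2042.
REPOSITORY = {
    "users": {
        "Administrator": {"employee_id": "0", "admin": True},
        "jsmith": {"employee_id": "1001", "groups": ["Finance"]},
        "retired": {"employee_id": "0900"},
    },
    "groups": {"Administrators": {}, "Finance": {}, "Legacy": {}},
}
DIRECTORY = {
    "users": {
        "jsmith": {"employee_id": "2042", "groups": ["Sales"]},
        "mlee": {"employee_id": "3003", "groups": ["Finance"]},
    },
    "groups": {"Finance": {}, "Sales": {}},
}

if __name__ == "__main__":
    naive = synchronize(REPOSITORY, DIRECTORY)
    careful = synchronize(drop_users(REPOSITORY, ["jsmith"]), DIRECTORY)
    print("after plain sync  :", naive["users"]["jsmith"])     # still employee 1001
    print("after drop + sync :", careful["users"]["jsmith"])   # employee 2042
    print("users :", sorted(naive["users"]), "groups :", sorted(naive["groups"]))
```

In the plain sync, `retired` and `Legacy` disappear, `mlee` and `Sales` are imported, Administrator and Administrators stay, and `jsmith` keeps the old Finance membership that belonged to the previous holder. Only dropping the recycled name before synchronizing brings in the new LDAP definition.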
