LDAP Authentication

Instead of storing user IDs and passwords in an Oracle BI repository, you can set up the Oracle BI Server to take the user ID and password that a user types and pass them to an LDAP server for authentication. The Oracle BI Server sends the password in clear text during LDAP authentication. Make sure your LDAP servers are set up to allow clear-text passwords.
In addition to basic user authentication, the LDAP server can also provide the Oracle BI Server with other information, such as the user display name (used by Oracle BI Presentation Services) and the name of any groups to which the user belongs. The LDAP server can also provide the names of specific database catalogs or schemas to use for each user when querying data. This information is contained in LDAP variables that get passed to Oracle BI session variables during the process of user authentication. For more information about session variables, refer to Understanding and Creating Session Variables.
LDAP authentication uses Oracle BI session variables that you define using the Variable Manager of the Administration Tool. For more information about the Variable Manager, refer to Using the Variable Manager.
You need to perform the following steps to set up LDAP authentication:
  1. Create an LDAP Server using the Administration Tool menu path: Manage > Security. For instructions, see Setting Up an LDAP Server.
  2. Create an LDAP initialization block and associate it with an LDAP server. Setting up an LDAP initialization block is explained in Process of Creating Initialization Blocks.
  3. Define a system variable named USER and map the USER variable to an LDAP attribute (uid or sAMAccountName).
    Session variables get their values when a user begins a session by logging on. Certain session variables, called system session variables, have special uses. The variable USER is a system variable that is used with LDAP authentication. For more information about the USER system variable, refer to Using System Session Variables and Defining a USER Session Variable for LDAP Authentication.
  4. If applicable, delete users from the Oracle BI repository file.
  5. Associate the USER system variable with the LDAP initialization block. For more information, see About Authenticating Users Using Initialization Blocks.

Defining a USER Session Variable for LDAP Authentication

To set up LDAP authentication, you define a system variable called USER and associate it with an LDAP initialization block that is associated with an LDAP server. When a user logs in to the Oracle BI Server, the user ID and password are passed to the LDAP server for authentication. After the user is authenticated successfully, other session variables for the user can also be populated from information returned by the LDAP server.
NOTE: If the same user is defined in both the repository and an LDAP server, the local repository user definition takes precedence and LDAP authentication will not occur.
The information in this section assumes that an LDAP initialization block has already been defined.
For users not defined in the repository, the presence of a defined session system variable USER determines that external authentication is performed. Associating USER with an LDAP initialization block determines that the user will be authenticated by LDAP. To provide other forms of authentication, associate the USER variable with an initialization block associated with an external database or XML source. For more information, refer to Setting Up External Table Authentication.
To define the USER session system variable for LDAP authentication
  1. Select Manage > Variables from the Administration Tool menu.
  2. Select the System leaf of the tree in the left pane.
  3. Right-click on the right pane and select New USER.
  4. In the Session Variable - USER dialog box, select the appropriate LDAP initialization block from the Initialization Block drop-down list.
    The selected initialization block provides the USER session system variable with its value.
  5. Click OK to create the USER variable.

Setting the Logging Level

Use the system variable LOGLEVEL to set the logging level for users who are authenticated by an LDAP server. Refer to Setting a Logging Level for more information.
