OBIEE Authorization  (LDAP)

Hi OBIEE experts,
I have a query about OBIEE.
I did authentication for AIX (Unix server 6.1). How do I configure authorization for LDAP?
Could you please share the steps one by one?
(We have 250 groups in the LDAP server; how do we map them at the OBIEE level? We can apply object-level and, at the same time, data-level security also.)

Did you have to change the function in any way - apart from the bits to customise for your own AD server, user & pw to use?

Similar Messages

  • OBIEE and LDAP problem

    Hi all!
    After connecting our OBIEE 11.1.1.5 to LDAP we were faced with a strange problem: after one user enters the system, any next user who logs in has the same privileges in OBIEE as the first one.
    We turned off the following caches:
    - WebLogic Principal Validator Cache in a security realm Performance section
    - Group Membership Lookup Hierarchy Caching in our LDAP authentication provider Performance section
    But the problem still occurs. Does anyone have any suggestions on this?

    Hi I was having endless issues with OBIEE and LDAP, I followed the exact steps here:
    http://docs.oracle.com/cd/E17904_01/web.1111/e13707/atn.htm#SECMG169
    These worked for me, so for a start you could check that these recommended settings are the same in your environment.
    Thanks

  • Security service error in OBIEE 11G LDAP configuration

    Hello
    I've recently set up some OBIEE 11G installations and they appear to work ok.
    I've more recently been using various guides on the internet to configure OBIEE 11G and Active Directory, and can see the users and groups within WebLogic that belong to the Provider that I've configured.
    However, when I attempt to start up OPMN, it always gives me an error like the following:
    <Jun 24, 2013 1:45:38 PM NZST> <Warning> <oracle.jps.idmgmt> <BEA-000000> <Requested Object Class (user)not found in cache.
    oracle.security.idm.OperationFailureException: Requested Object Class (user)not found in cache.
    <Jun 24, 2013 1:52:20 PM NZST> <Error> <oracle.bi.security.service> <OBI-SEC-00004> <Unable to initialize oracle.bi.security.service.SecurityWebService>
    I initially had the User Object Class as User in the Provider configuration and noticed it wasn't in the LDAP directory, so I tried changing it to an Object Class that did exist for one of the users, but it made no difference. It still gives the same error message even though I have no reference to User in the configuration.
    Can anyone suggest something I might be doing wrong or missing?

    I have followed the same configuration. However, I am getting the following error when I try to log in:
    Caused by: oracle.bi.security.service.SecurityServiceException: SecurityService::authenticateUserWithLanguage - '<LDAP user>' was authenticated but could not located within the Identity Store.
    I guess it is some configuration issue, but I am not able to spot the error. Please let me know your ideas.
    Thanks

  • OAM 10g Authorization ldap query

    Hi all
    Please let me know if we can write an LDAP query in Authorization - Deny access to deny the users who are not a member of Usergroup 'X'.
    If yes, please give me a sample. Please help.
    Thanks

    Hi,
    Does the solution offered by Sagar (from the above link):
    "If your requirement is to give access to all the members of a particular group then you don't require any ldap filters
    All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group so click on the group tab, it's a little hard to see but it's there in light blue color on dark blue tab) -> select the group you want to give access"
    (which also applies to Denying access to groups) meet your needs?
    Regards,
    Colin
    Edited by: ColinPurdon on Jun 27, 2011 9:20 AM

  • Authorization in OBIEE

    We have configured OBIEE with ldap server for authentication, can somebody tell us how can we authorize the user with respect to a particular group.
    Do I need to create similar groups in repository and web catalog ?
    (We don't want to import all the users and groups from LDAP; is there any other way of doing this?)
    Thanks

    I got a comparable problem.
    With LDAP I can log in, but I can't provide the user with the right role or any role at all. I tried to make a table in the database where I could select the role with the :USER (username) but it doesn't work. Also, when I look in "my account" I only see the group "authenticated users".
    Steps so far:
    - Initblock user with ldap (variable = user, ldap variable = sAMAAccountName)
    - Initblock Roles with query
    select role_name
    from obiee_roles
    where user_name = ':USER'
    variable target (variable = GROUP)
    Execution precedence is FIRST initblock USER.
    I must have forgotten something. Maybe someone can help me?
    Thanks!

  • OBIEE LDAP

    Hi,
    I have successfully integrated OBIEE with LDAP. I have created an initialization block called Authentication in which I am using LDAP to authenticate users. Users are able to log in to Answers. However, if I create another initialization block to get the department name (using LDAP), when the user tries to log in to Answers, it says Invalid user name and password. I have set the execution precedence such that Authentication happens first. Also, I have checked the box "required for Authentication" in the Authentication init block. I am able to test the initialization block for department number in the rpd and the value comes back correct.
    Can you please let me know if there is anything I can do to rectify this issue.
    Thanks

    In the department init block don't set the "required for Authentication" check box.

  • WLC 5508: 802.1 AAA override; Authentication success, no dynamic VLAN assignment

    WLC 5508: software version 7.0.98.0
    Windows 7 Client
    Radius Server:  Fedora Core 13 / Freeradius with LDAP storage backend
    I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respect to building the LDAP and FreeRADIUS server. 802.1x authorization and authentication work correctly. The session keys are returned from the RADIUS server and the WLC sends the appropriate information for the client to generate the WEP key.
    However, the WLC does not override the VLAN assignment, even though I believe I set everything up correctly. From the packet capture, you can see that the verification that the client is authorized to use the WLAN returns the needed attributes:
    AVP: l=4  t=Tunnel-Private-Group-Id(81): 10
    AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)
    AVP: l=6  t=Tunnel-Type(64): VLAN(13)
    I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

    Yes, good catch. I had one setting left off in FreeRADIUS that allowed the inner reply attributes back to the outer tunneled accept. I wrote up a medium high level config for any future viewers of this thread:
    The following was tested and verified on a Fedora 13 installation. This is a minimal setup, not meant for a "live" network (security issues with cleartext passwords, LDAP not indexed properly for performance).
    Install Packages
    1.  Install the needed packages.
    yum install openldap*
    yum install freeradius*
    2.  Set the services to start automatically on system startup.
    chkconfig --level 2345 slapd on
    chkconfig --level 2345 radiusd on
    Configure and start LDAP
    1.  Copy the needed LDAP schemas for RADIUS. Your path may vary a bit.
    cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
    2.  Create an admin password for slapd. Record this password for later use when configuring the slapd.conf file.
    slappasswd
    3.  Add the ldap user and group if they don't exist. Depending on the install RPM, they may already have been created.
    useradd ldap
    groupadd ldap
    4.  Create the directory and assign permissions for the database files
    mkdir /var/lib/ldap
    chmod 700 /var/lib/ldap
    chown ldap:ldap /var/lib/ldap
    5.  Edit the slapd.conf file.
    cd /etc/openldap
    vi slapd.conf
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #Default needed schemas
    include        /etc/openldap/schema/corba.schema
    include        /etc/openldap/schema/core.schema
    include        /etc/openldap/schema/cosine.schema
    include        /etc/openldap/schema/duaconf.schema
    include        /etc/openldap/schema/dyngroup.schema
    include        /etc/openldap/schema/inetorgperson.schema
    include        /etc/openldap/schema/java.schema
    include        /etc/openldap/schema/misc.schema
    include        /etc/openldap/schema/nis.schema
    include        /etc/openldap/schema/openldap.schema
    include        /etc/openldap/schema/ppolicy.schema
    include        /etc/openldap/schema/collective.schema
    #Radius include
    include        /etc/openldap/schema/radius.schema
    #Samba include
    #include        /etc/openldap/schema/samba.schema
    # Allow LDAPv2 client connections.  This is NOT the default.
    allow bind_v2
    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral    ldap://root.openldap.org
    pidfile        /var/run/openldap/slapd.pid
    argsfile    /var/run/openldap/slapd.args
    # ldbm and/or bdb database definitions
    #Use the Berkeley database
    database    bdb
    #dn suffix, domain components read in order
    suffix        "dc=cisco,dc=com"
    checkpoint    1024 15
    #root container node defined
    rootdn        "cn=Manager,dc=cisco,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # rootpw        secret
    rootpw      {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools. (chown ldap:ldap)
    # Mode 700 recommended.
    directory    /var/lib/ldap
    # Indices to maintain for this database
    index objectClass                       eq,pres
    index uid,memberUid                     eq,pres,sub
    # enable monitoring
    database monitor
    # allow only rootdn to read the monitor
    access to *
             by dn.exact="cn=Manager,dc=cisco,dc=com" read
             by * none
    6.  Remove the slapd.d directory
    cd /etc/openldap
    rm -rf slapd.d
    7.  Hopefully, if everything is correct, you should be able to start up slapd with no problem.
    service slapd start
    8.  Create the initial database in a text file called /tmp/initial.ldif
    dn: dc=cisco,dc=com
    objectClass: dcobject
    objectClass: organization
    o: cisco
    dc: cisco

    dn: ou=people,dc=cisco,dc=com
    objectClass: organizationalunit
    ou: people
    description: people

    dn: uid=jonatstr,ou=people,dc=cisco,dc=com
    objectClass: top
    objectClass: radiusprofile
    objectClass: inetOrgPerson
    cn: jonatstr
    sn: jonatstr
    uid: jonatstr
    description: user Jonathan Strickland
    radiusTunnelType: VLAN
    radiusTunnelMediumType: 802
    radiusTunnelPrivateGroupId: 10
    userPassword: ggsg
    9.  Add the file to the database
    ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
    10.  Issue a basic query to the LDAP db to make sure that we can request and receive results back.
    ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
    Configure and Start FreeRadius
    1.  Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenticator (dynamic VLAN assignments as an example). Below is an example for dynamic VLAN assignment.
    cd /etc/raddb
    vi ldap.attrmap
    For dynamic VLAN assignments, verify the following lines exist:
    replyItem    Tunnel-Type                radiusTunnelType
    replyItem    Tunnel-Medium-Type         radiusTunnelMediumType
    replyItem    Tunnel-Private-Group-Id    radiusTunnelPrivateGroupId
    Since we are planning to use the userPassword, we will let the mschap module perform the NT translations for us. Add the following line to check the LDAP object for userPassword and store it as Cleartext-Password:
    checkItem    Cleartext-Password    userPassword
    2.  Configure eap.conf. The following sections and attributes should be verified. You may change other attributes as needed; they are just not covered in this document.
    eap {
        default_eap_type = peap
        .....
        tls {
            # I will not go into details here, as this is beyond the scope of setting up FreeRADIUS. The defaults will work, as FreeRADIUS comes with generated self-signed certificates.
        }
        peap {
            default_eap_type = mschapv2
            # You will have to set this to allow the inner TLS tunnel attributes into the final accept message.
            use_tunneled_reply = yes
        }
    }
    3.  Change the authentication and authorization modules and their order.
    cd /etc/raddb/sites-enabled
    vi default
    For the authorize section, uncomment the ldap module.
    For the authenticate section, uncomment the ldap module.
    vi inner-tunnel
    Very important: for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
    authorize {
        ldap
        mschap
        ......
    }
    4.  Configure the ldap module.
    cd /etc/raddb/modules
    ldap {
        server = localhost
        identity = "cn=Manager,dc=cisco,dc=com"
        password = admin
        basedn = "dc=cisco,dc=com"
        base_filter = "(objectclass=radiusprofile)"
        access_attr = "uid"
        ............
    }
    5.  Start up radius in debug mode on another console
    radiusd -X
    6.  radtest localhost 12 testing123
    You should get an Access-Accept back.
    7.  Now to perform an EAP-PEAP test. This will require a wpa_supplicant test utility called eapol_test.
    First install the openssl support libraries, which are required to compile it.
    yum install openssl*
    yum install gcc
    wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz 
    tar xvf wpa_supplicant-0.6.10.tar.gz
    cd wpa_supplicant-0.6.10/wpa_supplicant
    vi defconfig
    Uncomment CONFIG_EAPOL_TEST = y and save/exit
    cp defconfig .config
    make eapol_test
    cp eapol_test /usr/local/bin
    chmod 755 /usr/local/bin/eapol_test
    8.  Create a test config file named eapol_test.conf.peap
    network={
        eap=PEAP
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity="jonatstr"
        password="ggsg"
        # If you want to verify the server certificate, the line below would be needed
        #ca_cert="/root/ca.pem"
        phase2="auth=MSCHAPV2"
    }
    9.  Run the test
    eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

  • Automatically set the mail profile for users

    Hello all,
    Is it possible to set the default delivery profile of all users to email and add the email device as well?
    I have integrated OBIEE with LDAP, so I can read all mail addresses of the users.
    But for now every user has to 'configure' his own delivery profile.
    (I mean the screen when you go to settings -> my account)
    Is it possible to set this profile automatically?
    I can't find anything about this, but I think it is strange that it can't be done...
    So I hope anyone out here has a good tip for me!
    best regards,
    Remc0

    Hi,
    Yes, it is possible to have users' email addresses set automatically; it is what the SA System subject area is for. However, I am not sure whether it is possible to get the email from LDAP. The only method I am aware of is to have a database table which holds the user's contact details and then set up SA System to use this table. The user will then have a delivery profile called "System profile" and a device called "System email" which will be the default; the email address for this device will be the one from the table and cannot be changed (although the user can override it by creating a new device/profile).
    There is a section in this book:
    Oracle® Business Intelligence Server Administration Guide, Version 10.1.3.2, December 2006
    called "About the SA System Subject Area",
    which should point you in the right direction.
    Regards,
    Matt

  • LDAP Authorization for OBIEE 10.1.3

    Hello,
    We have setup LDAP authentication (ADSI LDAP) using OBIEE standalone.
    I'm trying to figure out the best way to manage Authorization - user to group assignment in OBIEE.
    Options:
    1. Using external table
    Challenge: The client doesn't have another application that manages user to group assignment. If I am using external table authorization, how will they manage changes to user to group or add a new user to a group? This will require an IT admin to modify the table directly in production. They would like to have a business super user handle new user to group assignment.
    2. Import user to LDAP
    This unfortunately doesn't work with ADSI LDAP. I got the error message: This function is not supported for all LDAP type..
    3. I read something about using database DBMS_LDAP package. Basically: Define user to group assignment in LDAP. Define a db function to get db to group assignment. Call this db function in OBIEE.
    I am not sure if this DBMS_LDAP package will work with DB2. Any comments will be helpful.
    4. I thought about using Microsoft Excel to maintain user to group assignment and use the excel connection pool in Authorization init block. However, the OBIEE server is configured in AIX environment, and there is no excel driver for UNIX that's available...
    Has anyone seen this scenario before? Any suggestions will be greatly appreciated..

    When we were asked to combine OBIEE 10g with Active Directory, we chose external Table Authorization to get information on the groups, a user is part of.
    In general, one could follow these articles to achieve AD Authentication:
    http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/
    http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/
    To sum it up: Read User-information from AD. Knowing a user's login-name then, one could query an external table, which consists of user and group information. Everything is setup within initializationBlocks, which could be created in the administration tool.
    Problem: As you already said, the problem is, that this external user--group table has to be filled and updated "manually". That is, someone has to input new users or at least assign them to the existing groups.
    In our case, there's an admin who knows what sql is and how to work with it.
    Another solution could be to prepare an XML file containing user and group information and add it to your repository. The tables could then be queried, too. Although XML files can become quite unwieldy if a lot of information is held within them, they can be edited via external tools or at least with a standard text editor.

  • How to enable only a subset of LDAP users to be able to login to OBIEE

    We have enabled LDAP authentication. Now every single LDAP user can login to Presentation server. That is an issue. Not all LDAP users are OBIEE users. Only a small subset of the LDAP users should be able to access OBIEE. We have a database table that lists all OBIEE users. This table however does not have user password information. User Password information is stored in the LDAP.
    so question is how do we limit OBIEE access to only OBIEE users and not all LDAP users.
    Thank you

    Thanks for your suggestion. If I understand it correctly, the user will still be able to log in to the Presentation server but will not have access to any content using your solution approach. Did I get it right?
    In my current setup, the user gets authenticated against LDAP, then I extract the user group for that user and assign it to GROUP. Only those users who have access to OBIEE get assigned to GROUP. We have secured the RPD and Catalogs so that a user must be a member of at least one GROUP to be able to access content.
    Right now, an LDAP user who is not present in the OBIEE user table is able to log in to the BI Presentation server but is not able to see anything, because the user gets authenticated but does not have any authorization rights. So far so good.
    I would like to take the next step, where user login to the BI Presentation server is denied if the user id does not exist in the OBIEE user table (but exists in the LDAP).
    Thank you

  • OBIEE 11G 64-Bit Windows LDAP Admin Server Startup Issue

    All,
    I have OBIEE 11G installed on 64-bit Windows, and can see all my LDAP users inside Admin Console just fine. When I reorder my LDAP above the DefaultAuthenticator, and make them both 'SUFFICIENT', my Admin Server no longer starts. It hangs on a line in the AdminServer.log that roughly says '<Security initializing using security realm myrealm.>'. Has anyone run into this? If so, how do you get the Admin Server to start with a non-default LDAP authenticator? I've tried re-ordering numerous ways with the DefaultIdentityAsserter in the middle and at the bottom; I've also tried switching the Control Flags on both with REQUIRED and OPTIONAL, all to no avail. Finally, I tried deleting the DefaultAuthenticator altogether, and it still won't start. At this point, I'm assuming this is another 64-bit issue that was not tested properly. Any thoughts/help will be greatly appreciated.
    Thanks in Advance,
    Josh

    Paul,
    Unfortunately that made no difference. I have pasted in the startup log below. Perhaps someone has some insight into what's happening?
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116797> <BEA-000000> <Parsing class "com.bea.common.security.store.data.ResourceMap".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116797> <BEA-000000> <Parsing class "com.bea.common.security.store.data.PKIResourceMap".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116797> <BEA-000000> <Parsing class "com.bea.common.security.store.data.WLSCertRegEntry".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116813> <BEA-000000> <Parsing class "com.bea.common.security.store.data.WLSCredMapCollectionInfo".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116813> <BEA-000000> <Parsing class "com.bea.common.security.store.data.WLSPolicyCollectionInfo".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116813> <BEA-000000> <Parsing class "com.bea.common.security.store.data.WLSRoleCollectionInfo".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116813> <BEA-000000> <Parsing class "com.bea.common.security.store.data.XACMLAuthorizationPolicy".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116829> <BEA-000000> <Parsing class "com.bea.common.security.store.data.XACMLRoleAssignmentPolicy".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116844> <BEA-000000> <Parsing class "com.bea.common.security.store.data.Endpoint".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116844> <BEA-000000> <Parsing class "com.bea.common.security.store.data.Partner".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116860> <BEA-000000> <Parsing class "com.bea.common.security.store.data.SPPartner".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116876> <BEA-000000> <Parsing class "com.bea.common.security.store.data.IdPPartner".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116907> <BEA-000000> <Parsing class "com.bea.common.security.store.data.SAML2CacheEntry".>
    ####<Apr 12, 2011 8:58:36 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613116922> <BEA-000000> <Parsing class "com.bea.common.security.store.data.SchemaVersion".>
    ####<Apr 12, 2011 8:58:37 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613117516> <BEA-090516> <The CredentialMapper provider has preexisting LDAP data.>
    ####<Apr 12, 2011 8:58:37 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613117532> <BEA-090516> <The RoleMapper provider has preexisting LDAP data.>
    ####<Apr 12, 2011 8:58:37 AM EDT> <Info> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613117766> <BEA-090093> <No pre-WLS 8.1 Keystore providers are configured for server AdminServer for security realm myrealm.>
    ####<Apr 12, 2011 8:58:37 AM EDT> <Notice> <Security> <HQ200-HYPPROD03> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1302613117766> <BEA-090082> <Security initializing using security realm myrealm.>
    Thanks,
    Josh

  • Using OWSM for SAML verification and LDAP authorization

    I can verify SAML tokens by using EM security (verifying SAML tokens), but when I use OWSM I get this error at the proxy (by adding the step "SAML - Verify WSS 1.0 Token" to the policy of a server agent):
    Exception in thread "main" java.lang.NoSuchMethodError: oracle.security.wss.saml.SAMLAssertionIssuer.<init>(Ljavax/xml/rpc/handler/soap/SOAPMessageContext;Lorg/w3c/dom/Document;Loracle/security/wss/config/SamlTokenConfigType;Z)V
    Also I need to LDAP authorize the subject of SAML after verification of SAML token. Is it just enough to put the LDAP authorize step after SAML verification?
    Won't I need any EXTRACT CREDENTIAL step?
    Regards
    Farbod

    When we were asked to combine OBIEE 10g with Active Directory, we chose external Table Authorization to get information on the groups a user is part of.
    In general, one could follow these articles to achieve AD Authentication:
    http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/
    http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/
    To sum it up: read user information from AD. Knowing a user's login name, one could then query an external table which consists of user and group information. Everything is set up within initialization blocks, which could be created in the Administration Tool.
    Problem: As you already said, the problem is that this external user-group table has to be filled and updated "manually". That is, someone has to input new users or at least assign them to the existing groups.
    In our case, there's an admin who knows what SQL is and how to work with it.
    Another solution could be to prepare an XML file containing user and group information and add it to your repository. The tables could then be queried, too. Although XML files can become quite unhandy if a lot of information is held within them, they can be edited via external tools or at least with a standard text editor.

  • OBIEE with both SSO and LDAP

    I need to be able to run OBIEE using SSO with LDAP to 'reauthenticate' the user and then provide information as to which user groups they are in.
    The overall idea is that the user logs in to the 'system' as a whole and is then provided a hyperlink to OBIEE. Behind the scenes, the system login process will set a cookie holding the user's name, thus allowing SSO to be used with OBIEE. When the user logs in, LDAP will then be used to determine which groups the user is a member of.
    I can get SSO working (on its own) and I can get LDAP authentication working (on its own), but when I try to combine the two I just get user authentication errors.
    I suspect that what is happening is that the OBIEE login process is passing the correct username to LDAP (i.e. the one from the cookie), but the IMPERSONATOR password rather than the user one (at this point OBIEE does not know the user password).
    Is there any way of getting around this? As far as I can tell, the LDAP authentication mechanism requires both a username and password to be passed to it, but since we are using SSO, we only have the username.
    Note: it is not considered secure enough to hold the user password as a cookie or as part of a 'GO' URL, which is why we wish to use SSO.
    Many thanks,
    Chris

    We have the init block set up to login to LDAP and authenticate the user. The ID we use is not the user account that logged in to the BI Server, but an id we have that only has the ability to read users and groups.
    You probably need to also uncheck "required for authorization" in this init block, otherwise the impersonator account will not be able to authenticate.
    To get our group assignment we have a PL/SQL program that uses the ldap utils to connect to the ldap server and get the group membership and return it in a "GROUP" variable (row-wise) back to the BI Server.
    I'm a relative newbie to BIEE, so this may not be the best or most secure way, but it is working.
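
The group lookup described in the reply above, sketched as a pipelined PL/SQL function on Oracle's DBMS_LDAP package (an added example, not the poster's code). The type and function names, host, DNs, the bind-password placeholder and the posixGroup/memberUid schema are assumptions; the login name is escaped per RFC 4515 before it enters the search filter.

```sql
-- Added example. bi_group_list, bi_ldap_groups, the host, the DNs and the
-- posixGroup/memberUid schema are assumptions, not taken from the post.
CREATE OR REPLACE TYPE bi_group_list AS TABLE OF VARCHAR2(256);
/
CREATE OR REPLACE FUNCTION bi_ldap_groups (p_user IN VARCHAR2)
  RETURN bi_group_list PIPELINED
IS
  l_session DBMS_LDAP.session;
  l_attrs   DBMS_LDAP.string_collection;
  l_result  DBMS_LDAP.message;
  l_entry   DBMS_LDAP.message;
  l_values  DBMS_LDAP.string_collection;
  l_rc      PLS_INTEGER;
  l_uid     VARCHAR2(1024);
BEGIN
  IF p_user IS NULL THEN
    RETURN;                                  -- no login name, no groups
  END IF;
  -- RFC 4515 escaping: the login name is untrusted input to the filter.
  -- The backslash must be replaced first so later escapes are not doubled.
  l_uid := REPLACE(p_user, '\', '\5c');
  l_uid := REPLACE(l_uid, '*', '\2a');
  l_uid := REPLACE(l_uid, '(', '\28');
  l_uid := REPLACE(l_uid, ')', '\29');
  l_uid := REPLACE(l_uid, CHR(0), '\00');

  DBMS_LDAP.use_exception := TRUE;           -- raise on LDAP errors
  -- Plain LDAP shown; DBMS_LDAP.open_ssl is the call for an encrypted session.
  l_session := DBMS_LDAP.init('ldap.example.com', 389);
  -- Bind as the read-only lookup account, never with the end user's password.
  l_rc := DBMS_LDAP.simple_bind_s(l_session,
            'cn=bi_reader,ou=service,dc=example,dc=com', '<bind-password>');
  l_attrs(1) := 'cn';                        -- fetch only the group name
  l_rc := DBMS_LDAP.search_s(l_session, 'ou=groups,dc=example,dc=com',
            DBMS_LDAP.SCOPE_SUBTREE,
            '(&(objectClass=posixGroup)(memberUid=' || l_uid || '))',
            l_attrs, 0, l_result);
  l_entry := DBMS_LDAP.first_entry(l_session, l_result);
  WHILE l_entry IS NOT NULL LOOP
    l_values := DBMS_LDAP.get_values(l_session, l_entry, 'cn');
    IF l_values.COUNT > 0 THEN               -- skip entries without a cn
      PIPE ROW (SUBSTR(l_values(l_values.FIRST), 1, 256));
    END IF;
    l_entry := DBMS_LDAP.next_entry(l_session, l_entry);
  END LOOP;
  l_rc := DBMS_LDAP.unbind_s(l_session);
  RETURN;
EXCEPTION
  WHEN OTHERS THEN
    BEGIN                                    -- release the session, then re-raise
      l_rc := DBMS_LDAP.unbind_s(l_session);
    EXCEPTION WHEN OTHERS THEN NULL;
    END;
    RAISE;
END;
/
```

A row-wise initialization block could then populate the GROUP variable with a query such as `SELECT 'GROUP', COLUMN_VALUE FROM TABLE(bi_ldap_groups(':USER'))`; the bind password belongs in a protected store rather than in the function source.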

  • OBIEE Groups - RPD Groups, Catalog Groups, LDAP Groups

    Greetings, Experts
    I am trying to get a clear understanding of how these different groups play out in the OBIEE world. Ideally, I am looking to get clarity around what the boundaries are for these groups (what they control and don't). I would really appreciate it if someone could enlighten me.
    Thank you very much.

    Will LDAP Group security take precedence over Catalog Group security?
    Yes
    When it comes to LDAP security, can it be extended to control authorization besides just user authentication?
    Basically, LDAP groups are associated with the users, and those groups are in turn associated with Application Roles, so authorization and authentication can be done using an Application Role rather than a group.
    But if you have catalog groups (default 10g security model), you can still assign application roles to those catalog groups and enable object-level security (go to Administrator ---> Manage Catalog Groups ---> select any default 10g group; there you can search for and add application roles).
    thanks,
    Saichand

  • LDAP configuration error for SampleLiteApp in OBIEE 11g

    Hi Experts,
    I am trying to configure LDAP for the "SampleAppLite" application, which comes with the default OBIEE 11g installation. I followed the steps in this Oracle document:
    http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10543/privileges.htm#BABCDCFE
    Unfortunately, I am getting the following exception when I start my OBIEE server. I also get the same error when I try to log in using any of the users (the user is in LDAP).
    (initially MyBISystemUser as <user_id>)
    java.security.PrivilegedActionException: oracle.bi.security.service.SecurityServiceException: SecurityService::authenticateUserWithLanguage - '<user_id>' was authenticated but could not located within the Identity Store.
    Am I missing any configuration? Or is it a bug in Oracle OBIEE 11g? Can anyone guide me to resolve this issue?
    I would much appreciate your answer.

    Though this is a little late for you, it may help others.
    Check the default authenticator and ensure that the control flag is NOT set to REQUIRED.
    Check here: http://onlineappsdba.com/index.php/2011/06/21/unable-to-login-to-obiee-anylytics-after-oid-integration-user-was-authenticated-but-could-not-be-located-within-the-identity-store/
