OBIEE Groups - RPD Groups, Catalog Groups, LDAP Groups

Greetings, Experts,
I am trying to get a clear understanding of how these different groups play out in the OBIEE world. Ideally I am looking to get clarity around what the boundaries are for these groups (what they control and don't). I would really appreciate it if someone could enlighten me.
Thank you very much.

Will LDAP Group security take precedence over Catalog Group security?
Yes
When it comes to LDAP security, can it be extended to control authorizations besides just user authentication?
Basically, LDAP groups are associated with the users, and those groups are in turn associated with Application Roles, so authorization and authentication can be done using an Application Role rather than a group.
But if you have catalog groups (the default 10g security model), you can still assign application roles to those catalog groups and enable object-level security (go to Administrator ---> Manage Catalog Groups ---> select any default 10g group; there you can search for and add application roles).
thanks,
Saichand

Similar Messages

  • LDAP Group is empty while the LDAP group has 150 users

    Hi,
    My BOE is mapped to the corporate LDAP, and the LDAP group is already mapped to a BO group.
    The problem is that the LDAP Group is empty while the LDAP group has 150 users.
    Currently, each user is created under the BO Group only after that user logs in for the first time.
    Is there any way to populate the BO Group automatically?
    Best Regards,
    DoronS

    Hi,
    yes there is. Check your LDAP Authentication Tab and select "Create new aliases when the Alias Update occurs"
    It should be under your Alias settings.
    But please note that you then require 150 licenses. So each user gets a license even if he doesn't use the BOE System but is part of the LDAP Group.
    Regards
    -Seb.

  • OBIEE 11G RPD and Catalog

    Hi,
    Can anyone help me with
    how to create a new catalog for the Bisample repository to deploy the RPD and catalog?
    Can anyone explain briefly, please?

    Follow these steps
    1). Go to localDrive:C:\OBIEE11G\instances\instance1\config\OracleBIPresentationServicesComponent\coreapplication_obips1
    2). Open your instanceconfig.xml file
    3). Find <CatalogPath> and </CatalogPath> tags
    4). Write the new catalog name that you want to create (suppose sh_new); then your tag should look like this
    <CatalogPath>C:\OBIEE11G\instances\instance1/bifoundation/OracleBIPresentationServicesComponent/coreapplication_obips1/catalog/obirep</CatalogPath>
    5). Save the file and start/re-start the BI presentation service
    6). It automatically creates the obirep catalog, once we start our presentation service and you need not to create anything manually.
    Pls mark as correct

  • OBIEE 11.1.1.5.0 LDAP group restriction @authentication

    Hi all,
    We have OBIEE 11.1.1.5.0 with LDAP authenticator... We want just one group @LDAP to login and other groups not authenticated .. What should we do ?

    Hi,
    @weblogic Home >Summary of Security Realms >myrealm >Providers >LDAPAuthenticator>Provider Specific>Users
    I tried something like :
    All Users Filter:(&(memberOf=cn=LDAPGroupName,cn=Users,dc=xxxx,dc=yyy,dc=com))
    User From Name Filter: (&(cn=%u)(objectclass=user))
    the original was:
    All Users Filter: (&(uid=*)(objectclass=person))
    User From Name Filter: (&(uid=%u)(objectclass=person))
    and restarted the server but it did not work ...

  • Migrate Rpd Catalog and User ,Groups from OBIEE 11.1.1.3.0 to 11.1.1.5.0

    hi Guys,
    I have a setup of OBIEE 11.1.1.3.0 on a Windows 32-bit machine and now I am planning to have a setup of 11.1.1.5.0 on a Windows 64-bit machine.
    Please tell me the detailed steps for migrating the RPD, Catalog, Users and Groups from OBIEE 11.1.1.3.0 to 11.1.1.5.0.
    Like
    1. Do I have to copy the RPD and Catalog directly to 1.5, or is some Upgrade Assistance to be done?
    2. If I use the Export provided in myrealm (in 1.3) and take it to OBIEE 1.5 (as it already contains some inbuilt policies and groups), is it going to give me an error?
    Regards
    Ankit

    Check the Oracle reference I have provided earlier. Concept goes like this:
    Important difference is that upgrading from 10g to 11g is called an "out-of-place upgrade" while upgrading to another 11g is called an "in-place upgrade," because the upgrade operates on existing files. Moving from one 11g release to another 11g release is sometimes referred to as "patching."
    http://download.oracle.com/docs/cd/E21764_01/bi.1111/e16452/bi_plan.htm#BABECJJH
    Follow patching and not out-of-place upgrade as you are required to upgrade component
    http://download.oracle.com/docs/cd/E21764_01/doc.1111/e16793/patch_set_installer.htm#PATCH789
    Hope this is clear now

  • Create "buckets or groups" in OBIEE's RPD

    All - Thanks in advance for helping out. I need to create "buckets" for data in the RPD.
    Essentially, i have Total Revenue for a Product Line. I need to create separate buckets for some of these products in the RPD.
    Example:
    Bucket (grouping) one: Product A Revenue
    Bucket (grouping) two: Product B, C, D Revenue
    Bucket (grouping) three: Product E, F, G, Z, 12, 32 Revenue
    Etc, etc. you got the point.
    Again, thanks for your help.
    Gracie
    Edited by: user12949454 on Apr 6, 2010 3:38 PM

    Scott, I think I ended up needing a hybrid solution.
    I will need a grouping / bucket for the dimension attribute but will need revenue for that grouping only. I am looking to repeat the same steps for different dimension groupings.
    Let me know your feedback.
    Regards,

  • Retrieve nested LDAP groups independent from the network env. (five different approaches)

    Hi all,
    I want to retrieve a list of nested LDAP groups per user from the Active Directory. I have been searching google for half a day now, but I'm still not sure what approach to use. I have the following requirements:
    * The script/program must run in different network environments (I can't be sure if there is a global catalog or AD DS or AD LDS, etc). I will write my own program.
    * The membership info will be used in combination with directory ACLs and must be as complete as possible (global groups, universal groups, local groups, perhaps different domains). Distribution groups are not really necessary, because they are not used in the directory ACLs.
    * It would be nice to support other LDAP implementations than Active Directory using the same code, but that's not a hard requirement. I could use another approach to support a different LDAP.
    Now I have figured out five possible approaches (info comes from different sites, please correct me if I'm wrong):
    1) tokengroups attribute:
    - The attribute contains Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine.
    - Returns a list of SIDs which will have to be translated to group names
    - The tokenGroups attribute exists on both AD DS and AD LDS
    - For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships.
    - quote from site "Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab."
    - Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.
    2) tokenGroupsGlobalAndUniversal
    - A subset of the tokenGroups attribute. Only the global and universal group SIDs are included.
    - If you want consistent results, read tokenGroupsGlobalAndUniversal that will return the same result no matter which DC you are connected to. However, it will not include local groups.
    - other source says "tokenGroups will give you all the security groups this user belongs to, including nested groups and domain users, users, etc tokenGroupsGlobalAndUniversal will include everything from tokenGroups AND distribution groups". Not sure if this is correct, I think it doesn't contain local groups.
    - The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.
    3) LDAP_MATCHING_RULE_IN_CHAIN / 1.2.840.113556.1.4.1941
    - Use a recursive search query which returns all nested groups for user at once.
    - Returns all groups except for the primary group
    - It's a fast approach, see performance test from Richard Mueller:
    http://social.technet.microsoft.com/Forums/fr-FR/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG
    - It only works on Active Directory, not for other LDAP implementations
    4) Recursive retrieval of the memberOf attribute
    - Retrieves all groups except the primary group. (also local groups from other domains??)
    - works for all LDAP implementations
    - executes a lot of queries to the LDAP, especially if you want to scan all users/groups (perhaps limited on OU, but still)
    5) Store memberOf attribute in local database and calculate the nested groups using recursive queries to the local database
    - No heavy load to the LDAP
    - Needs space to store the user/group info locally (embedded Derby database perhaps)
    - Performs fast since the queries are executed locally
    - Works for all LDAP implementations
    My thoughts on these different approaches:
    * approach 1) I understand that the tokengroups attribute is not present if no GC server is available. In how many network environments is this the case? This option won't work because I want to support different network environments.
    * approach 2) The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS. Same here, in how many network environments is this the case? I don't think I can rely on this approach.
    * approach 3) Seems to be a good option. How will it perform compared to approach 5 (local recursive queries)? Won't work for other LDAP implementations
    * approach 4) I don't think I want to execute that many queries to the LDAP. I can limit the scan on OU, but still companies can have thousands of users and groups.
    * approach 5) Perhaps the best approach. I want to store user/group info locally for fast filtering / reporting (only group DNs, user names, database ids and membership info as id-id pairs). I only need the memberOf attribute of users and groups, recursive loops are done locally. It will work for all LDAP implementations.
    What do you guys think? I'm not a network admin, but a programmer, so I'm no expert in network setups and when to use AD DS or AD LDS. The thing is I want to use this code at different customers without knowing their network setup (except for the domain name(s), LDAP host/port and bind user to connect to LDAP).
    Thanks a lot!
    Paul

    I want to write a tool that can answer questions like "what users from group ABC have delete permission in all the (sub)directories of server MyDataServer?". This results in a list of directories and users and includes nested group membership. So it's about effective permissions. That's why I want all information in a SQL database so I can answer these questions with a single query in milliseconds. Otherwise, in order to answer these questions, I would have to get all members from group ABC and determine the nested groups for all these members (which can be thousands) for every report. Using a SQL database I can retrieve this information once a night for all the members.
    But I guess I will use the LDAP_MATCHING_RULE_IN_CHAIN syntax which gives me all nested groups for a member and should work for all AD installations from W2K3 SP2 and higher. When I want to support other LDAPs I will use another method for that specific LDAP.
    Again - note that this question has nothing to do with LDAP or AD. It just asks what group has permissions on what resources.
    I really think you would do well to spend time understanding the NTFS and its security along with how we use security in Windows. By assuming this has something to do with AD you are making it a bigger issue than needed. AD is a repository for accounts and trusts and manages authentication and security group membership. All file security is managed by the OS that hosts the files and not by AD. Users are not normally granted access to resources through direct inclusion in the DACL but are given access through membership in one or more groups. Loading AD into a SQL database will not help you.
    ¯\_(ツ)_/¯
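Approaches 3 and 5 from the thread above, as an added Python example that is not part of any post: it builds the LDAP_MATCHING_RULE_IN_CHAIN filter with RFC 4515 escaping of the user DN, and expands memberOf transitively over a local copy while tolerating circular nesting. The DNs and the memberOf map are constructed sample data, and the function names are illustrative.

```python
# OID quoted in the post for LDAP_MATCHING_RULE_IN_CHAIN (Active Directory only).
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A DN may legally contain '(', ')', '*' or '\\'; placed unescaped in a
    filter they change its meaning, so each becomes a backslash-hex pair.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def in_chain_filter(user_dn):
    """Approach 3: one filter matching every group that contains user_dn,
    directly or through nesting. Search it under the group base DN."""
    return "(member:%s:=%s)" % (IN_CHAIN_OID, escape_filter_value(user_dn))


def nested_groups(dn, member_of):
    """Approach 5: expand memberOf transitively over a local copy.

    member_of maps a DN (user or group) to the DNs in its memberOf attribute.
    DNs are compared case-insensitively. Each group is visited once, so
    circular nesting (A in B, B in A) terminates. As the post notes, the
    primary group is not part of memberOf and has to be added separately.
    """
    index = {k.lower(): v for k, v in member_of.items()}
    start = dn.lower()
    seen = {}
    stack = list(index.get(start, []))
    while stack:
        group = stack.pop()
        key = group.lower()
        if key in seen or key == start:
            continue
        seen[key] = group
        stack.extend(index.get(key, []))
    return sorted(seen.values(), key=str.lower)


def closure_pairs(member_of):
    """All (member, group) pairs, direct and nested: the rows a nightly job
    would store so that reports need no recursion at query time."""
    pairs = set()
    for member in member_of:
        for group in nested_groups(member, member_of):
            pairs.add((member, group))
    return pairs


# Constructed sample data: Paul -> Developers -> Engineering -> FileShare-RW,
# plus a loop (Engineering is also listed as a member of Developers).
PAUL = "CN=Paul,OU=Staff,DC=example,DC=com"
DEVS = "CN=Developers,OU=Groups,DC=example,DC=com"
ENG = "CN=Engineering,OU=Groups,DC=example,DC=com"
SHARE = "CN=FileShare-RW,OU=Groups,DC=example,DC=com"

SAMPLE_MEMBER_OF = {
    PAUL: [DEVS],
    DEVS: [ENG],
    ENG: [SHARE, DEVS],
}

if __name__ == "__main__":
    print(in_chain_filter(PAUL))
    for g in nested_groups(PAUL, SAMPLE_MEMBER_OF):
        print("nested:", g)
    print(len(closure_pairs(SAMPLE_MEMBER_OF)), "membership pairs")
```
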

  • Error while adding LDAP group

    Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
    To change a setting, click on the value to start the LDAP Configuration Wizard.  I have replaced few entries with XXXX and YYYY due to security.
    LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
    LDAP Server Type: Novell eDirectory
    Base LDAP Distinguished Name: ou=XXXXX,dc=YY
    LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
    LDAP Referral Distinguished Name: ""
    Maximum Referral Hops: 0
    SSL Type: Server Authentication
    Server Side SSL Strength: Always accept server certificate
    Single Sign On Type: None
    When I add any new group, it's not added and I get the error message below in the Logging directory for WCA.
    Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
    Parameter name: offset, stack:    at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
       at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
    Can anyone help to find if LDAP is configured correctly before adding group?
    Thanks,

    Resolved. It was due to wrong LDAP group given to me.
    Thanks,

  • Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

    Can an email address be a member of an LDAP group even if it isn't
    associated with an object in the Directory Server?
    General members of a group are the members defined in the
    Directory Server. They are full-fledged members of the group who
    may have a set of permissions associated with their membership,
    a title, or other attributes. Mail-specific users are users who
    are not full-fledged members of the group, but who receive mail
    sent to the group. Mail-specific users need not be identified as
    a user in the Directory Server--an email address is sufficient.
    An example of this is a group of salespeople, all of whom are in
    the group "North American Sales Team." They have access to a
    sales-tracking database, on-line quota information, and
    competitive information. The mail-specific users of this group
    are the admins who support the members of the sales team, who need
    to get the mail that goes out to the group, but don't need access
    to the applications and information that the salespeople do.

    Hey EllyK,
    Welcome to the BlackBerry Support Community Forums.
    Thanks for the question.
    I would suggest performing this workaround and then try to login to BlackBerry Link:
    Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
    Connect the BlackBerry 10 smartphone to the computer. 
    Open BlackBerry Link
    Sign in using the BlackBerry ID. 
    Let me know if the issue still persists.
    Cheers.
    -ViciousFerret

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    I am trying to build up a synchronized user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
    My thought is to administrate the users in the LDAP directory. The users will be assigned to groups.
    In EP and Web AS Java it's no problem to assign these groups to roles and then just change the users in the LDAP group and reach a synchronized user management.
    In Web AS ABAP it seems impossible to assign roles to groups.
    The question is, is it possible to map LDAP groups with the LDAP connector of the Web AS ABAP to Roles in an ABAP System?
    Or is there another way to administrate users in different systems?
    Thanks a lot for your answers,
    stefan

    Hi
    in this case u have to use the concept of central user administration. use the following links
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    hope this helps u to get fair bit of idea
    don't forget to give points
    With regards
    subrato kundu

  • LDAP user groups not visible for configuring a Group Portal

    Hi,
    We have created a Custom Security Realm(myRealm) on WebLogic 7.0 SP2 in which
    I've added the Novell LDAP Authentication provider as the authentication provider
    and then set "myRealm" as the default realm for the domain. I am able to start
    the WLS server instance and login to portalAppTools with the "administrator" account.
    We would like to configure a Group Portal. In Portal Administration interfaces,
    when I click on Group Administration, I am unable to see any of my external LDAP
    groups. I know that we cannot create/delete users or groups in the external LDAP
    repository thru the Admin UI but the documentation says that I should be able
    to view the users/groups in the Admin UI. Authentication against the external
    LDAP repository works fine. Can anybody suggest the reason why we are unable to
    view any of the Users or Groups in our external LDAP repository thru the User
    Administration interfaces.
    Appreciate any feedback.
    Thanks
    Vikram

    Hi Jim,
    I've configured a default LDAP V2 Compatibility Realm by modifying the Config.xml
    file. I was able to restart Weblogic and see the LDAP Groups and Users thru the
    WLS console. In our project we've a unique requirement wherein all Application
    Groups and User Accounts would be stored in an LDAP repository and all BEA SERVICE
    level accounts and groups are stored in a Database (groups like AdminEligible,
    Administrators etc.). We need to be able to look at the groups in both the Database
    and LDAP repositories in order to administer and configure a Group Portal. On
    the outset it looks like we will not be able to do what we want to with the current
    portal framework. Please suggest if there are any alternatives in order to implement
    this solution. I am sure there are lot of other Clients who cannot create groups
    like Administrators, AdminEligible etc in their LDAP repositories and will be
    forced to think of alternatives.
    I would appreciate if you can reply back at your earliest convenience.
    Thanks
    Vikram
    Jim Litton <replyto@newsgroup> wrote:
    The Weblogic 7.0 Authentication Providers (new JAAS Framework) is not
    supported with Portal 7.0. You will need to configure the Compatibility
    Security CustomRealm for Novell to try to get Portal working.
    see defaultLDAPRealmForNovellDirectoryServices at
    http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1083149
    In addition, remember to test functionality through the Weblogic
    Console. If you can see groups and users there okay it is very likely
    that Portal will operate.
    -- Jim
    Vikram wrote:
    Hi,
    We have created a Custom Security Realm(myRealm) on WebLogic 7.0 SP2 in which
    I've added the Novell LDAP Authentication provider as the authentication provider
    and then set "myRealm" as the default realm for the domain. I am able to start
    the WLS server instance and login to portalAppTools with the "administrator" account.
    We would like to configure a Group Portal. In Portal Administration interfaces,
    when I click on Group Administration, I am unable to see any of my external LDAP
    groups. I know that we cannot create/delete users or groups in the external LDAP
    repository thru the Admin UI but the documentation says that I should be able
    to view the users/groups in the Admin UI. Authentication against the external
    LDAP repository works fine. Can anybody suggest the reason why we are unable to
    view any of the Users or Groups in our external LDAP repository thru the User
    Administration interfaces.
    Appreciate any feedback.
    Thanks
    Vikram

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent :-
    1. Where can the mapping be defined between LDAP groups and WebLogic Roles? I have
    2 groups in iPLanet :- Contractors and employees and I have 2 security roles in weblogic:-
    contractors and employees. How do I map LDAP group contractors to weblogic security
    Role contractors? Similarly for employees ?
    2. I have not defined contractors and employees under People container in IPlanet.
    e.g. The RDN for contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the default security realm of weblogic (the WebLogic Security Realm
    under People ) OR I have to write my own custom code ?
    3. I am planning to use Roles instead of groups to manage the logical grouping in
    iPlanet. Can I still use the groups in WebLogic security realm ( in the configuration
    parameters ?)
    This is very urgent ....so if any of you can throw any hints that will be greatly
    appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1sp1. you don't have to
    download any additional driver. Use it as you normally would only thing to
    remember is if you are trying to write standalone java code then you have to
    have weblogic.jar in your classpath. For the rest of the info follow the wls
    docs for 6.1
    HTH
    sree
    "Ariel" <[email protected]> wrote in message
    news:3bb4a643$[email protected]..
    We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
    downloaded the JDriver from bea.com, but all the instructions that came with
    it are for WLserver 5.1.
    What has to be done to do this with 6.1 sp1?
    Thanks,
    Ariel

  • Cannot add new LDAP Group Members in Sun Java Server 7.0

    Hello!
    I've got Sun Java™ System Web Server 7.0 installed and Apache Directory Server as LDAP server.
    So, the task is to create/add users to a group (just created or already existent).
    When I try to do that, I got only "An error has occured" message and that's all.
    What really happens, I cannot understand even from server logs:
    here is the screenshot - http://tinyurl.com/34xuw42
    and the log:
    [08/Dec/2010:16:44:03] info ( 8504): for host 127.0.0.1 trying to POST /admingui/admingui/editGroupDialog, service-j2ee reports:
    java.lang.NullPointerException
         at com.sun.web.admin.configlib.LdapDatabase.isUserGroupMgmtSupported(LdapDatabase.java:161)
         at com.sun.web.admin.mbeans.UserGroupMBean.isUserGroupMgmtSupported(UserGroupMBean.java:244)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.sun.web.admin.mbeans.BaseAdminMBean.invoke(BaseAdminMBean.java:49)
         at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
         at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
         at com.sun.web.admin.gui.util.MBeanUtil.invoke(MBeanUtil.java:139)
         at com.sun.web.admin.gui.util.MBeanUtil.invoke(MBeanUtil.java:39)
         at com.sun.web.admin.gui.handlers.CommonHandlers.invokeMBean(CommonHandlers.java:66)
         at com.sun.web.admin.gui.handlers.CommonHandlers.invokeWizardMBean(CommonHandlers.java:170)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.sun.enterprise.tools.guiframework.view.DescriptorViewHelper.invokeHandler(DescriptorViewHelper.java:938)
         at com.sun.enterprise.tools.guiframework.view.DescriptorViewHelper.invokeHandlers(DescriptorViewHelper.java:875)
         at com.sun.enterprise.tools.guiframework.view.DescriptorViewHelper.dispatchEvent(DescriptorViewHelper.java:841)
         at com.sun.enterprise.tools.guiframework.view.DescriptorViewHelper.beginChildDisplay(DescriptorViewHelper.java:477)
         at com.sun.enterprise.tools.guiframework.view.DescriptorViewBeanBase.beginChildDisplay(DescriptorViewBeanBase.java:168)
         at com.iplanet.jato.taglib.TagBase.fireBeginDisplayEvent(TagBase.java:133)
         at com.sun.web.ui.taglib.common.CCTagBase.fireBeginDisplayEvent(CCTagBase.java:149)
         at com.sun.web.ui.taglib.common.CCTagBase.doEndTag(CCTagBase.java:108)
         at org.apache.jsp.jsp.addGroupMembers_jsp._jspx_meth_cc_propertysheet_0(addGroupMembers_jsp.java:347)
         at org.apache.jsp.jsp.addGroupMembers_jsp._jspx_meth_cc_pagetitle_0(addGroupMembers_jsp.java:317)
         at org.apache.jsp.jsp.addGroupMembers_jsp._jspx_meth_cc_form_0(addGroupMembers_jsp.java:201)
         at org.apache.jsp.jsp.addGroupMembers_jsp._jspx_meth_cc_header_0(addGroupMembers_jsp.java:154)
         at org.apache.jsp.jsp.addGroupMembers_jsp._jspService(addGroupMembers_jsp.java:99)
         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:80)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:917)
         at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373)
         at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:457)
         at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:351)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:917)
         at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:398)
         at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:792)
         at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:472)
         at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:353)
         at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
         at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
         at com.sun.enterprise.tools.guiframework.view.DescriptorViewHelper.execute(DescriptorViewHelper.java:338)
         at com.sun.enterprise.tools.guiframework.view.DescriptorViewBeanBase.execute(DescriptorViewBeanBase.java:210)
         at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
    What am I doing wrong?
    Please, help.

    You can configure a LDAP authentication database. Once you have configured it, you will be able to see users and groups contained in the configured ldap store.
    Select a web instance configuration and select the Access Control tab. Under the Authentication Database sub tab create a new Authentication Database and select as database type LDAP Server. Make sure you provide as a bind dn a user that has sufficient permissions to read user and group entries.
    Once that is done and you applied the changes, you will be able to select your LDAP server as an Authentication Database under the Users and Groups sub tabs.

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • OBIEE BI Answers: Query filter on USER GROUP

    Hi,
    I have following problem.
    In Administration Tool i've defined a catalogue and I have associated to it a User Group "Ter Group". Then I have attached to this group a user with credentials: Username="Ter User" Password:"Ter".
    So in Answers i log in as Ter User , Ter to see the catalogue and create my request.
    Now, I must filter query generated by requests, on User Group to which belongs the User and not on User Username (so i can't use default session variable :USER which retrieves value filled in log in form).
    For example if I have another group "Quarter Group" with a user "Quarter User" with credentials: "Quarter User" Password:"Quarter". If I log as "Ter User" - "Ter" i must retrieve value "Ter Group", but if I log in as "Quarter User" - "Quarter" I must retrieve value "Quarter Group".
    How can I retrieve this information?
    Thanks
    Giancarlo

    Hi Alastair,
    I've used nqudmlexec.exe in following way:
    I've created a txt file userexport.txt:
    DECLARE USER "MFNC44R288" AS "MFNC44R288" FULL NAME {Automatic Import} PASSWORD 'MFNC44R288' NEVER EXPIRES HAS ROLES ("Group ASL AVELLINO") PRIVILEGES (READ);
    where Group ASL AVELLINO is the group which must contain the user.
    I've launched script as following:
    nQUDMLExec -U Administrator -I "C:\Documents and Settings\giancarlo murino\Documenti\userexport.txt" -B "C:\OracleBI\server\Repository\TerPermissions.rpd" -O "C:\OracleBI\server\Repository\TerPermissions.rpd"
    where TerPermissions.rpd is the repository to modify.
    Procedure completes successfully, and I can view my new User under Administration Tool.
    So in Answers I log in as:
    Username: MFNC44R288
    Password: MFNC44R288
    but i see error: Authentication failed
    But if I log in as:
    Username: MFNC44R288
    Password: <empty>
    I can access.
    Why is the password set in my txt file skipped? What did I do wrong?
    All Regards
    Giancarlo
    EDITED: I have modified my txt file and replaced my password MFNC44R288 with your encrypted password: 'D7EDED84BC624A917F5B462A4DCA05CDCE256EEEEEDC97D54A286E822D97C35C7AD5C43AD4F2A09EAC4D07C3A079829F'
    Then in Answers I logged as:
    Username: MFNC44R288
    Password: welcome1 (decrypted password)
    and it works.
    Now I would like to know which algorithm you used to obtain the encrypted version of the password "welcome1"?
    Edited by: user5380662 on 8-apr-2010 3.05
