Use of groups on External Authentication.

Hi All, I'm triying to use Active Directory groups instead of users in order to authenticate users on ODI 11.1.1.6.
Unfortunately ODI seems to be prepared to use MS AD users, but groups.
Does anybody configure LDAP to authenticate users and got it working with groups?
Thanks and regards!

ODI 11g supports external authentication for users only.

Similar Messages

External Authentication in EAS using MSAD

We use MSAD for our external authentication and it works fine ifthe user logon names are set up a certain way in MSAD. However,some of them are set up differently and Essbase won't allow us touse external authentication for them. Is there a setting somewherein Essbase that can be changed to allow more than one user logonname format coming from MSAD?

Hi Krista, Unfortunately u cannot specify two formats to authenticate. If iunderstand correclty you want to identify a user in MSAD by morethan one feild, as far as i know essbase external authenticationthe xml file cannot use more than one feild. your most probable solution to this would be to add the feildyou are using in your xml file to all users using essbase inMSAD. Please use the following link if you need furtherinformation. http://dev.hyperion.com/techdocs/essbase/essbase_712/Docs/techref/techref.htm#config/security/configure/config.htm here is the sample active directory format. <msad name="<a href="ldapserver.htm">msadServer</a>"> <trusted><ahref="trust.htm">false</a></trusted> <url><ahref="provurl.htm">ldap://host<img src="i/expressions/face-icon-small-tongue.gif" border="0">ortNo/DIT</a></url><userDN>cn=UserName</userDN><password>UserPassword</password> <user><url>ou=people</url></user> <group> <url>ou=Groups</url> </group></msad>

Shared Services External Authentication using LDAP in 9.3.1

Hi,
I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
Questions:
1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
If not possible, can we manage the Groups of the User directory using shared services? How is the groups work with external authentication?
Any feedback would be much appreciated.
Thanks,
Lian

Hi,
Yes you can use both Native and external authentication. When you add the external provider the native is left by defaut anyway.
Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
Gee

OracleAS SSO - Microsoft Active Directory External Authentication Plug-in

hi ,
I recently inherited support of a Oracle SSO/OID environment where we use AD and a external Authentication Plug-
in to talk to it as user credentials are managed in AD,
We have a lot of domain controllers for AD in our env , so my questions is
1) How do I find out which AD server is the plugin currently referring to ,
I need to know this info ASAP as lot of AD servers are getting decomissioned and I want to make sure the SSO env
is not talking to a AD server that would get decomissioned soon

hi,
Look in the integration part in oidadmin. ActiveChgImp
$ORACLE_HOME/bin/oidadmin
or look for ad2oid.properties
or look at this URL http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm
is what I used to configure ours
Regards

External Authentication general-type questions

Greetings all,
I was recently shown how to get Oracle to allow Windows NT Authentication the way SQL 2005 etc. can. I was able to get it working. It's actually simple, you just have to have this line in your SQLNET.ORA file:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
and make sure a couple initialization parameters are set (OS_AUTHENT_PREFIX to NULL and REMOTE_OS_AUTHENT to TRUE - the first can't be changed once the database is built!).
My first question is does Oracle support external authentications to operating systems other than NT, i.e. SUN, UNIX, LDAP etc? And is it a similar architecture?
Secondly, the only ways I've ever connected to Oracle are 1) through SQL*Plus, 2) Using OLE DB from Windows and 3) Using ODBC.
Is external authentication supported when logging in any way other than through OLE DB? If so, how?
Appreciating any general information!
Thanks
Joe

1. The name of the product is SQL Server not SQL. SQL is a language.
2. Oracle supports all major forms of internal and external authentication. The ones you listed and many more. The docs are at http://tahiti.oracle.com
3. External authentication is support across the board. But you've got to be working with a database holding nothing more important than your mother's cookie recipes to think that operating system authentication in a Windows environment is secure: It is not.
Your first responsibility, unless you are just playing games at home or in school, is to secure the data and that means an environment more secure than the one you've chosen.

Use of LDAP group external authentication in Essbase v7.16

Hello Experts,
One of my customer wants an answer for his query -
They currently use LDAP external authentificaiton with userid only and would like to use LDAP groups. Is this supported in version 7.1.6 (Heard that It is a known limitation in version 7.x that LDAP / MSAD groups are not supported. MSAD groups are supported in System 9.x)
My Research:
I read in the Essbase v7 documentation the following 2 examples of using groups, under Essbase.CFG Configuration Settings > AUTHENTICATIONMODULE
Can you explain how this works
Thank you
Example 1
The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host Gorky, via port number 389, with a timeout period of 30 seconds.
AuthenticationModule LDAP essldap.dll 30 cn=Engineers, ou=Groups, dc=yahoo, dc=com@Gorky:389
Example 2
The entries in this example allow users in the group Engineers from domain yahoo.com to be authenticated on host 129.63.140.122, via port number 389, with a timeout period of 45 seconds.
AuthenticationModule MSAD essmsad.dll essmsad.lib 45 cn=Engineers, ou=Groups, dc=yahoo, dc=[email protected]:389
Regards,
Sonal
Edited by: 637223 on Oct 23, 2009 7:16 PM

I do not believe using LDAP groups is supported in 716.

WebVPN using External Authentication

I have a VPN concentrator 3005 that is configured for WebVPN which works great if I login with a local user.
I would like to authenticate my users through our LDAP. I created a SSLusers group that is setup for external authentication. The SSLusers group works fine when I use the Cisco VPN client to connect (I enter the group name/password in the text boxes, when it connects it asks for the username/password).
In the logs it shows that it is checking for the user in the Internal server, I want to point it to my ACS box. I feel like there is a check box somewhere that I am missing that tells the concentrator 'if I can't find the user in my local database, check the external authentication server'.
Any advice on how to get the external authentication working with the WebVPN would be most appreciated. Thanks in advance.

Thanks Daniel for the suggestion. I tried to add the above, but still received the same error. Is there an additional checkbox that needs to be marked for the base group to search the radius server?
Authentication rejected: Reason = User was not found
handle = 686, server = Internal, user = bobeldde, domain =
It appears to work ok if I login with 'bobeldde#ssl';where the ssl group is configured for Radius Authentication.

Plug-in Request Group field into the external authentication plug-in

Hi all,
I'd like to know if anyone has already tried to filter who can have the permission to call the external authentication plug-in setting it into Plug-in Request Group field.
I've made some tests adding some users into groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunatly, I've had no success.
Is possible to do this?
Thank you.
Message was edited by:
user571491

Hi all,
I'd like to know if anyone has already tried to filter who can have the permission to call the external authentication plug-in setting it into Plug-in Request Group field.
I've made some tests adding some users into groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunatly, I've had no success.
Is possible to do this?
Thank you.
Message was edited by:
user571491

External authentication using Headervariable

Hi SAP Experts
We have configured External authentication for WEM using Headervariable.We are using BI Java 7.0
External authentication is working fine using Headervariable Login module for URL http://<WEb Server hostname>/irj which redirect to http://<J2EE hostname>:<port #>/irj
As you all know that we also use http://<J2EE hostname>:<port #> for Administation point of view where many options available like user management, SLD, Webdynpro, NetWeaver Administation etc.We have not configured this URL for External Authentication and also do not want to configure but when tyring to access any administration option on this, portal prompts default logon page and after entering Portal UserID/Password we get message like " No Loginmodules configured for Header"
I do not know why system display this message
Please help me if anyone has experience to resolve this issue, as we want to use URL http://<J2EE hostname:<port #>, which should prompts Portal Logon screen and after entering Portal userid/password we should access the administration screen without afftecting our External Authentication configuration for URL http://<WEb Server host>/irj
Thanks in Advance
Thanks with Regards
Deelip Kumar

Hi Deelip,
my earlier post referred to an additional authscheme that you may have created. If you have done so, please remove it. If you have checked this, there still is a predelivered authscheme called header, wich references a login stack called header. This login stack template does not exist as a default.
In this case, you may have assigned this authscheme (header) to some component, like an iview. How this works is explained in the docs <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/f91fba71ae48309e4267b4a36fa47b/frameset.htm">here</a> and<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/a334ed5bbfd5488b8cdd67b2c594a9/frameset.htm">here</a> for example.
If you have done so, this reference to the authscheme header may trigger the lookup of the login stack template called header, which does not exist and thus leads to the error.
For detailed error analysis, I would recommend to search the security log and the portal logs for indications where the source of this error might be.
Regards,
Patrick

Anyconnect authentication via Radius (IAS) using AD groups

Hi all,
I'm trying to figure out how to setup our ASA to use AD group membership to assign users a profile using Radius. The goal is to setup different access into the network.
For instance, one group would be allowed full access to the network, including access to infrastructure elements (ASA, routers, etc.)
Another group will be given basic access to the network, but no access to the DMZ.
Another group will be allowed access to the DMZ server, but not to the infrastructure.
We're currently using Radius (IAS) on Windows Server 2003. Is there a way to check group membership in AD using Radius?
I'd like to keep this as simple as possible, so I'm thinking of each profile using a different VPN Pool, then using split-tunneling to put routes, or not, to the required networks on the users device. The users would only belong to one group in AD. They will be able to choose their group, but if they're not a member they should be denied.
I've done LDAP authentication using group membership, but we need good accounting and logging so we'd like to use the Radius server. I've looked for this info everywhere, but it's pretty elusive.
Thanks for any suggestions, links, step-by-step instructions or volunteers to come on-site and help

It's significantly easier with security products like Cisco Identity Services Engine, but you're adding infrastrcture and cost. Next best thing is DAP. DAP is actually pretty easy, don't let the config guide scare you away from it. IMO MS Radius stinks for anything other than basic authentication so I never use it for anything else.

ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

Hello guys, I am found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.
ACS version: 5.3.0.40.6 (internal build B.839)
I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.
Requested Identity Group exist
Testing user is created in Internal Users and has assigned requested Identity Group
Radius Access Policy:
Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.
I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
What I am tested:
Remove testing user and create his account again.
Rename Identity Group
Use another Identity Group
Remove Access Policy rule and create it again
Use Compound Condition: System:Identity Group
Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
Do you have any idea where problem can be?

OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistence wich was solved by ACS itself.

Error while Configuring AD external authentication plug in

Hi
While configuring Active directory external authentication plug I am getting following error
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
Please enter Active Directory host name: clmad101.ad.company.com
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string:SQLPLUS sys/manager1 @infradb.ad.company-.com @md61nthiims1.ad.company.com:1521
Please enter ODS password:
Please enter confirmed ODS password:
Please enter OID host name: md61nthiims1.ad.company.com
Please enter OID port number [389]: 389
Please enter orcladmin password:
Please enter confirmed orcladmin password:
Please enter the subscriber common user search base [orclcommonusersearchbase]:
CN=Users,dc=ad,dc=company,dc=com
Please enter the Plug-in Request Group DN:
Please enter the exception entry property [(!(objectclass=orcladuser))]: (|(!obj
ectclass=orcladuser))(cn=orcladmin))
Do you want to setup the backup Active Directory for failover? (y/n) n
Installing Plug-in Packages ...
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Registering Plug-ins ...
adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
Done.
Is there anythign wrong in the DB connect string??
Thanks

Did you check the debug information from the external auth plugin.?
This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
here an excerpt:
D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
...enable the plug-in debugging. To do this, enter:
> sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log, enter:
> sqlplus system/manager
SQL> select * from ods.plg_debug_log order by id;
(To delete the plug-in debugging log:
> sqlplus system/manager
SQL> truncate table ods.plg_debug_log
To disable the plug-in debugging:
> sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
E) Dump the plug-in profile to make sure it is enabled and configured correctly:
> ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
please take also a look into the DIPTESTER tool available in
http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
regards
--Olaf

Essbase security Migration from native mode to external authentication

Hi!!
I want some guidance on setting up security, all the users are currently in Native user mode and Native groups.
Now we want to migrate to external mode, current version of hyperion is 11.1.1.3, any steps to follow in
this direction would be really helpful.
What is the best way of migrating huge user base from native directory to setting up for external authentication,
this is the first time move from native to external authentication, If anyone who has done this will be helpful.
steps to setup , maxl based migration will be helpful or utility based.
Thanks

When you say native mode do you mean that that essbase security is in native mode and you want to convert to shared services security mode,or do you mean you are using shared services securtiy with native users and you want to use an external directory like MSAD.
For your question ::
Yes the first piece is correct, our security is in native mode.
and we want to convert to shared services security mode,
The request involves moving from essbase native mode to Shared services native user mode (moving all the existing users, groups and existing provisioning)
The next stage is moving from Shared services native user mode to external directory. (moving all the existing users, groups and existing provisioning)
Your input will guide me in the direction.
Thanks

AD external authentication plug-in

Is it possible to authenticate the users stored in AD just by configuring the external authentication plug-in, or it is necessary to populate OID with users and groups stored in AD?
All the user information is in AD, and we don't want, if possible, to replicate the users in both places.

I am planning to do the same. We'd like to use the passwords stored in the AD to authenticate our users. We do not want to store and maintain the passwords ourselves.
Celso -- Could you tell me more about your experience on installation of the AD external authentication plug-in? Do you use the PL/Sql program in book "OID ADMIN Guide" chapter 47? How much work is involved with populate OID with users and groups stored in AD? Is the whole installation hard or easy?
Partrick -- Could I not populate OID from AD, instead, create user via OID itself (oiddas)? I am trying to avoid any "non plug-in related" work.
Thanks,
Xiaoyun

Essbase analytic services 7.1.5 & external authentication

Hi,
first off, you have to excuse me for being a total newbie in the field of Essbase ;)
We are currently trying to move our external authetication from Novell eDirectory via LDAP to Microsoft Active Directory. We use the LDAP authentication module with the following string in essbase.cfg "AuthenticationModule LDAP essldap.dll x".
Reading the documentation for external authentication (x_auth.pdf) we came to the conclusion that we "needed" the Hub installed. Talking to Hyperion support told us that use of the Hub with our version was very unusual.
Is it possible to configure the CSS authentication module to use a .xml file configured for our Microsoft AD and simply forget about the hub? If so, does the following lines look correct to you:
essbase.cfg:
"AuthenticationModule CSS file://localhost/D:/Program/ESSBASE/bin/css_config.xml"
css_config.xml:
<msad name="msad1">
<trusted>false</trusted>
<url>ldap://ADDC_server:389/ou=contoso, dc=COMPANY, DC=LOCAL</url>
<userDN>cn=Administrator</userDN>
<password>wordpass</password>
<authType>simple</authType>
<authProtocol>ssl</authProtocol>
<identityAttribute>dn</identityAttribute>
<user>
<url>ou=Users</url>
<loginAttribute>cn</loginAttribute>
<fnAttribute>givenname</fnAttribute>
<snAttribute>sn</snAttribute>
<emailAttribute>mail</emailAttribute>
<objectclass>
<entry>person</entry>
<entry>organizationalPerson</entry>
<entry>user</entry>
</objectclass>
Trying to add or copy a user in the Essbase Administration Services enterprise view gives us the following error:
"Error: 1051203 Single Sign On External Authentication is Disabled"
That tells me that we need to configure SSO in the css_config.xml file, but i have not found any examples for Analyzer but only for OBIEE.
Is there anybody at this forum that have achieved what we are striving for?
Best Regards,
Johannes

Hi,
Something must wrong in your css.xml, I am not sure if you can get any further logging...
here is an example of a css.xml
<?xml version="1.0" encoding="UTF-8"?>
<css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<spi>
<provider>
<msad name="msad1"> <trusted>false</trusted>
<url>ldap://ldapserver:389/dc=CompanyName,dc=com</url>
<userDN>CN=#######,OU=Security Accounts,OU=IT,DC=CompanyName,DC=com</userDN>
<password>########</password>
<authType>simple</authType>
<identityAttribute>dn</identityAttribute>
<user>
<loginAttribute>sAMAccountName</loginAttribute>
<fnAttribute>givenname</fnAttribute>
<snAttribute>sn</snAttribute>
<emailAttribute>mail</emailAttribute>
<objectclass>
</objectclass>
</user>
<group>
<url>cn=LostAndFound</url>
</group>
</msad>
</provider>
</spi>
<searchOrder>
<el>msad1</el>
</searchOrder>
<token>
<timeout>60</timeout>
</token>
<logger>
<priority>ERROR</priority>
</logger>
</css>
If you are still struggling you could try an ldap browser to see if you can connect with the details you are trying.
Cheers
John
http://john-goodwin.blogspot.com/

Use of groups on External Authentication.

Similar Messages

Maybe you are looking for