Use of LDAP group external authentication in Essbase v7.16

Similar Messages

• External authentication for Essbase 7.1.6.

  Hi all,
  We are trying to set up external authentication for Essbase 7.1.6. We have a customized version of Essbase which does not use DLL. we do not have a Hyperion Hub or any CSS set up. All we have is an authentication module from the vendor to be used instead of the DLL. As per the documents provided to us all we have to do is change the cfg file to include the AUTHENTICATIONMODULE setting. Does anyone has any experience with this? What all parameters do we need to pass to Active Directory for this to work? Please help.
  Thanks.
  Vish.

  You could create a maxl script that replaces the filters, when you call the maxl script you could pass in a variable such as YR08 and use that variable in the script.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• External authentication on Essbase 9.3.1

  I am migrating from Essbase 7.3.x on 32-bit Windows to System9 on 64-bit windows. External authentication works on both Shared Services and EAS. I have successfully registered EAS and Essbase with shared services however I do not see Essbase in "User console" of Shared Services as an application. I am able to create native authenticated users in Essbase but unable to externalise the security. I get the following error messages when trying to externalise:
  Error: 1051549: Can not convert Analytic Services to Shared Services mode when Analytic Services is not configured with Shared Services or the initialization process has failed
  On starting Essbase, I see the following error message when I use the same CSSconfig file as used by shared services:
  [Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Error(1051223)
  Single Sign On function call [css_init] failed with error [getOSVersion]
  [Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Info(1051198)
  Single Sign-On Initialization Failed !
  If I point to the current CSS file used in production Essbase 7, I get the following message:
  [Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Error(1051223)
  Single Sign On function call [css_init] failed with error [-1]
  [Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Info(1051198)
  Single Sign-On Initialization Failed !
  In either case everything except External Authentication on System9 for Essbase works.
  Both shared services and Essbase are on the same 64-bit Windows box.
  Any help in resolving this will be greatly appreciated.
  Thanks,
  Vikram.

  HI:
  I recommand following these steps:
  1. Go to the box where you have your Essbase installed
  2. Pull up the Shared Services Configuration Utility
  3. Select COmponent to be registered as Essbase
  4. Remeber to stop the essbase - i assume you are getting the error hence essbae would not have loaded.
  5. Re-register Essbase with Shared services
  6.Start essbase in Foreground
  It shuld Start :) good Luck..let me know If this failed..
  Thanks,
  Sriram

• OBIEE 11.1.1.5.0 LDAP group restriction @authentication

  Hi all,
  We have OBIEE 11.1.1.5.0 with LDAP authenticator... We want just one group @LDAP to login and other groups not authenticated .. What should we do ?

  Hi,
  @weblogic Home >Summary of Security Realms >myrealm >Providers >LDAPAuthenticator>Provider Specific>Users
  I tried something like :
  All Users Filter:(&(memberOf=cn=LDAPGroupName,cn=Users,dc=xxxx,dc=yyy,dc=com))
  User From Name Filter: (&(cn=%u)(objectclass=user))
  the original was:
  All Users Filter: (&(uid=*)(objectclass=person))
  User From Name Filter: (&(uid=%u)(objectclass=person))
  and restarted the server but it did not work ...

• Shared Services External Authentication using LDAP in 9.3.1

  Hi,
  I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
  Questions:
  1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
  2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
  If not possible, can we manage the Groups of the User directory using shared services? How is the groups work with external authentication?
  Any feedback would be much appreciated.
  Thanks,
  Lian

  Hi,
  Yes you can use both Native and external authentication. When you add the external provider the native is left by defaut anyway.
  Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
  Gee

• External Authentication in EAS using MSAD

  <p>We use MSAD for our external authentication and it works fine ifthe user logon names are set up a certain way in MSAD. However,some of them are set up differently and Essbase won't allow us touse external authentication for them. Is there a setting somewherein Essbase that can be changed to allow more than one user logonname format coming from MSAD?</p>

  <p>Hi Krista,</p><p> </p><p>Unfortunately u cannot specify two formats to authenticate. If iunderstand correclty you want to identify a user in MSAD by morethan one feild, as far as i know essbase external authenticationthe xml file cannot use more than one feild.</p><p> </p><p>your most probable solution to this would be to add the feildyou are using in your xml file to all users using essbase inMSAD.</p><p> </p><p>Please use the following link if you need furtherinformation.</p><p> </p><p>http://dev.hyperion.com/techdocs/essbase/essbase_712/Docs/techref/techref.htm#config/security/configure/config.htm</p><p> </p><p>here is the sample active directory format.</p><p> </p><p><msad name="<b><a href="ldapserver.htm">msadServer</a></b>"> <trusted><b><ahref="trust.htm">false</a></b></trusted> <url><b><ahref="provurl.htm">ldap://host<img src="i/expressions/face-icon-small-tongue.gif" border="0">ortNo/DIT</a></b></url><userDN><b>cn=UserName</b></userDN><password><b>UserPassword</b></password> <user><url><b>ou=people</b></url></user> <group> <url><b>ou=Groups</b></url> </group></msad></p>

• External Authentication with LDAP

  Has anyone integrated external authentication of Essbase with LDAP? I've searched discussion groups, websites with no luck, and of course, Essbase documentation doesn't help either. Any additional documentation will help.Thanks in advance!

  Thanks for the info. Is this sample code part of the default implementation that comes installed with the product (essldap.dll)? Or is this something completely different.Also, has anyone done anything similar in visual basic? We have a shortage of v c++ skills around here.Thanks again!

• OIM OES Integration to use LDAP groups for policy making

  Hi ,
  I am trying to make policy for the OIM application using OES. i want to use my LDAP groups as principals to control the access in OIM. How it can be achieved
  Thanks
  Edited by: user10660448 on May 21, 2013 1:35 AM

  Note that you can use the internal LDAP that comes with WebLogic, for your users and groups if you want.
  When you have multiple domains, you have a problem with this set-up as the internal LDAP is coupled to
  a specific domain. This means that users you created in one domain are not visible in the other. When using
  a separate LDAP that contains the users. You can configure in each domain an authenticator that points
  to the LDAP. In this way you can share to user accross multiple domains.
  When you are planning to use one domain you can stick with the internal LDAP if you want.
  An example set-up (that uses access manager not identity manager) can be found here: http://middlewaremagic.com/weblogic/?p=7819,
  which might help you in how to proceed.

• External Authentication general-type questions

  Greetings all,
  I was recently shown how to get Oracle to allow Windows NT Authentication the way SQL 2005 etc. can. I was able to get it working. It's actually simple, you just have to have this line in your SQLNET.ORA file:
  SQLNET.AUTHENTICATION_SERVICES = (NTS)
  and make sure a couple initialization parameters are set (OS_AUTHENT_PREFIX to NULL and REMOTE_OS_AUTHENT to TRUE - the first can't be changed once the database is built!).
  My first question is does Oracle support external authentications to operating systems other than NT, i.e. SUN, UNIX, LDAP etc? And is it a similar architecture?
  Secondly, the only ways I've ever connected to Oracle are 1) through SQL*Plus, 2) Using OLE DB from Windows and 3) Using ODBC.
  Is external authentication supported when logging in any way other than through OLE DB? If so, how?
  Appreciating any general information!
  Thanks
  Joe

  1. The name of the product is SQL Server not SQL. SQL is a language.
  2. Oracle supports all major forms of internal and external authentication. The ones you listed and many more. The docs are at http://tahiti.oracle.com
  3. External authentication is support across the board. But you've got to be working with a database holding nothing more important than your mother's cookie recipes to think that operating system authentication in a Windows environment is secure: It is not.
  Your first responsibility, unless you are just playing games at home or in school, is to secure the data and that means an environment more secure than the one you've chosen.

• OracleAS SSO - Microsoft Active Directory External Authentication Plug-in

  hi ,
  I recently inherited support of a Oracle SSO/OID environment where we use AD and a external Authentication Plug-
  in to talk to it as user credentials are managed in AD,
  We have a lot of domain controllers for AD in our env , so my questions is
  1) How do I find out which AD server is the plugin currently referring to ,
  I need to know this info ASAP as lot of AD servers are getting decomissioned and I want to make sure the SSO env
  is not talking to a AD server that would get decomissioned soon

  hi,
  Look in the integration part in oidadmin. ActiveChgImp
  $ORACLE_HOME/bin/oidadmin
  or look for ad2oid.properties
  or look at this URL http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm
  is what I used to configure ours
  Regards

• LDAP Group

  Is there a way to control the depth TES 6.1 can query AD Groups?          
  For example, I created AD sec groups TESScheduler, TESMIgrators, TESOperator and TESInquiry. 
  Inside AD group TESScheduler, I want to add another AD security group instead of an AD Account (user).
  When I tried it, TES 6.1 will not recognize the AD security group inside the AD security group, it only works when I put in users.
  Also, since moving the security policy to be associated to the LDAP Group, I can no longer impersonate the users.  I may have read this somewhere (probably since sec policy is no longer associated with user) does someone remember where this way mentioned?

  Thanks for the response - I just wanted to check if maybe thre is a configuration setting that can be tweaked currently.  I will log a case since this will make it easier for me to get away from managing users.
  Did have a followup question to get idea on how everyone else is using the LDAP group capability.    We are a very distributed in terms of the teams/workgroups - each team has total autonomy over their jobs and objects they own and job activity functions.
  With help of consultants, this is what we have deviced and outline the challenges with it:
  First we decided to use team's existing AD sec group to control the functional aspect of security (as in workgroup they have access to).  This ensures that Tidal access to workgroups  is always up to date - in case someone joins the team or leaves the team.
  We then create an LDAP group for each workgroup (associating runtime users and agents on the LDAP group).  We took out any userse and agents out of the workgroups and moved them to LDAP group.
  Then we created four new AD sec group to control what users can with the objects they have access to.
  - TESScheduler
  - TESOperator
  - TESMigrator
  - TESInquiry
  Lastly in Tidal, we create the 4 LDAP groups for the security policy access linking it to the new AD sec groups.
  So that for example, if Pete belongs to the Finance team and is a scheduler.  He is automatically in the Finance team AD sec group as soon as he is hired.  Then someone (TIdal Admind) adds him manually to the TESScheduler AD sec group - then voila he can log into Tidal with the appropriate access.
  Challenges with this (aside from the bug I encounter when adding LDAP group to workgroup >_<):
  - it wold be nice if I can add the team's AD sec group into TESScheduler (as mentioned in my orignal post)
  - I am still having to be in the picture whenevr someone needs Tidal access granted or revoked because a central body needs to make sure that user is not in more than one of the sec policy AD group (TESScheduler, TESOperator, ...)  We have sold this LDAP group thing as a way for teams to finally control their own access but that is not the case really.
  We have decided to live with this model but wondered if other implementations with distributed user bases have other ways to deal with this.  I can obviously open the 4 new sec policies for the teams to edit on their own but I cannot guarantee they will check for duplicates and not accidentally delete other folks etc.  Also, some folks who belong to multiple workgroup have to be handled differently since they may want to be schedulers for Finance but Marketing requires them to be operator only - which means they really can't be a scheduler.  In this case, they have to be an operator only to belong in both groups or not be in Marketing at all to get Scheduler privs.  Kind of goes against the cumulative access model that TIDAL 6 is based on.

• Use of groups on External Authentication.

  Hi All, I'm triying to use Active Directory groups instead of users in order to authenticate users on ODI 11.1.1.6.
  Unfortunately ODI seems to be prepared to use MS AD users, but groups.
  Does anybody configure LDAP to authenticate users and got it working with groups?
  Thanks and regards!

  ODI 11g supports external authentication for users only.

• Essbase analytic services 7.1.5 & external authentication

  Hi,
  first off, you have to excuse me for being a total newbie in the field of Essbase ;)
  We are currently trying to move our external authetication from Novell eDirectory via LDAP to Microsoft Active Directory. We use the LDAP authentication module with the following string in essbase.cfg "AuthenticationModule LDAP essldap.dll x".
  Reading the documentation for external authentication (x_auth.pdf) we came to the conclusion that we "needed" the Hub installed. Talking to Hyperion support told us that use of the Hub with our version was very unusual.
  Is it possible to configure the CSS authentication module to use a .xml file configured for our Microsoft AD and simply forget about the hub? If so, does the following lines look correct to you:
  essbase.cfg:
  "AuthenticationModule CSS file://localhost/D:/Program/ESSBASE/bin/css_config.xml"
  css_config.xml:
  <msad name="msad1">
  <trusted>false</trusted>
  <url>ldap://ADDC_server:389/ou=contoso, dc=COMPANY, DC=LOCAL</url>
  <userDN>cn=Administrator</userDN>
  <password>wordpass</password>
  <authType>simple</authType>
  <authProtocol>ssl</authProtocol>
  <identityAttribute>dn</identityAttribute>
  <user>
  <url>ou=Users</url>
  <loginAttribute>cn</loginAttribute>
  <fnAttribute>givenname</fnAttribute>
  <snAttribute>sn</snAttribute>
  <emailAttribute>mail</emailAttribute>
  <objectclass>
  <entry>person</entry>
  <entry>organizationalPerson</entry>
  <entry>user</entry>
  </objectclass>
  Trying to add or copy a user in the Essbase Administration Services enterprise view gives us the following error:
  "Error: 1051203 Single Sign On External Authentication is Disabled"
  That tells me that we need to configure SSO in the css_config.xml file, but i have not found any examples for Analyzer but only for OBIEE.
  Is there anybody at this forum that have achieved what we are striving for?
  Best Regards,
  Johannes

  Hi,
  Something must wrong in your css.xml, I am not sure if you can get any further logging...
  here is an example of a css.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <spi>
  <provider>
  <msad name="msad1"> <trusted>false</trusted>
  <url>ldap://ldapserver:389/dc=CompanyName,dc=com</url>
  <userDN>CN=#######,OU=Security Accounts,OU=IT,DC=CompanyName,DC=com</userDN>
  <password>########</password>
  <authType>simple</authType>
  <identityAttribute>dn</identityAttribute>
  <user>
  <loginAttribute>sAMAccountName</loginAttribute>
  <fnAttribute>givenname</fnAttribute>
  <snAttribute>sn</snAttribute>
  <emailAttribute>mail</emailAttribute>
  <objectclass>
  </objectclass>
  </user>
  <group>
  <url>cn=LostAndFound</url>
  </group>
  </msad>
  </provider>
  </spi>
  <searchOrder>
  <el>msad1</el>
  </searchOrder>
  <token>
  <timeout>60</timeout>
  </token>
  <logger>
  <priority>ERROR</priority>
  </logger>
  </css>
  If you are still struggling you could try an ldap browser to see if you can connect with the details you are trying.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Essbase 6.5 External Authentication Issue!! Urgent Please!!

  Hi all,
  I am great trouble over an external authentication issue in Essbase 6.5. I request you all to please give me your feedback on the same as soon as possible.
  I am in a situation where I need to get my Essbase 6.5 external Authentication converted from LDAP to Active Directory services.
  I suppose there has been necessary changes done to the .cfg file for the same. However, I think I am getting an error
  "User [vikc]'c external authentication protocol [MSEX]'s password check module is not loaded".
  Please let me know if you have come across such an issue earlier and can anybody to able to help me with the same.
  Its kinda Urgent. so any replies for the same will be appreciated.
  Thanks and Regards,
  Vikram

  Vikram,
  Yes you will have to reconfigure the CSS.xml and cfg file for external auth.
  Here is the Sample CSS
  <spi>
            <provider>
                 <msad name="full360">
                      <trusted>false</trusted>
                      <url>ldap://192.168.1.100:389/DC=full360,DC=com</url>
                      <userDN>CN=Ravinder Singh,DC=full360,DC=com</userDN>
                      <password>full@360</password>
                      <authType>simple</authType>
                      <identityAttribute>dn</identityAttribute>
                      <maxSize>1000</maxSize>
                      <user>
                           <loginAttribute>sAMAccountName</loginAttribute>
                           <nameAttribute>dn</nameAttribute>
                      </user>
                      <group>
                           <nameAttribute>cn</nameAttribute>
                           <objectclass>
                                <entry>group?member</entry>
                           </objectclass>
                      </group>
                 </msad>
  Download this toll "http://www.ldapbrowser.com/download.htm"
  LDAP browser to get the perfact DN information.
  Let me know the status
  Ravikant

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott