Having trouble integrating Oracle Business Intelligence Enterprise Edition (OBIEE) with Active Directory (AD)? You're not alone. This guide walks you through common challenges and solutions, with a specific focus on OBIEE 12c (12.2.1.1).
Common Issues
The most frequent problem we see is partial authentication failure:
•
Some users can log in with AD credentials while others can't
•
Failed login attempts show "Invalid User Name or Password" errors
What to Look for in Error Logs
Check your bi_server1-diagnostic.log for these telltale signs:
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 43126] Authentication failed: invalid user/password
Plain Text
복사
Understanding the Root Cause
Here's the deal: When OBIEE 12c doesn't play nice with Active Directory, it's usually because of misconfigured AD authentication provider settings. Keep your eyes on these three critical areas:
1.
User Base DN configuration
2.
Group Base DN setup
3.
Group From Name Filter parameters
Step-by-Step Troubleshooting
Let's break this down:
1.
First Stop: WebLogic Admin Server Console
•
Can you see both user and group lists?
•
Missing group list? That's your red flag for AD authentication issues
2.
Double-Check AD Server Manager
•
Verify user properties
•
Confirm group memberships
3.
Fine-Tune Group Base DN Settings
We've found this progression works best:
•
Start with: OU=IT_Dept,OU=HO,DC=oh,DC=richbank,DC=org (typically fails)
•
Try: OU=IT_Dept,DC=oh,DC=richbank,DC=org (might still fail)
•
Winner: OU=HO,DC=oh,DC=richbank,DC=org
The Fix: Step by Step
1.
Head to your WebLogic Admin console's AD authentication provider section
2.
Get these settings right:
•
User Base DN: OU=IT_Dept,OU=HO,DC=oh,DC=richbank,DC=org
•
Group Base DN: OU=HO,DC=oh,DC=richbank,DC=org
•
Group From Name Filter: (&(sAMAccountName=%g)(objectclass=group))
3.
Implementation Checklist:
•
Save and activate your WebLogic console changes
•
Shut down all BI services
•
Open /app/oracle/biee/user_projects/domains/bi/config/config.xml
•
Verify changes (manual edit if needed)
•
Fire up all BI services again
Pro Tips
1.
Cache Management
•
Current setting: Off
•
Pro tip for production: Turn it on and bump up the Cache Size (3200+ recommended)
2.
Role Mapping
•
Link your AD groups to OBIEE roles:
◦
BIServiceAdministrator
◦
BIAuthor
◦
BIConsumer
3.
DN Verification
•
Work with your AD admin to nail down those Distinguished Names
Working Configuration Sample
Here's a configuration that actually works:
<sec:authentication-provider xsi:type="wls:active-directory-authenticator-type">
<sec:name>ADAuthenticator</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:host>10.2.212.117</wls:host>
<wls:user-name-attribute>sAMAccountName</wls:user-name-attribute>
<wls:principal>CN=svc-bacl,OU=IT_Dept,OU=HO,DC=oh,DC=richbank,DC=org</wls:principal>
<wls:user-base-dn>OU=PR_Dept,OU=HO,DC=oh,DC=richbank,DC=org</wls:user-base-dn>
<wls:credential-encrypted>{AES}UCQolTmHNPtWnP5SsRJHyVu2FAkse5djNVZNmQyis=</wls:credential-encrypted>
<wls:cache-enabled>false</wls:cache-enabled>
<wls:user-from-name-filter>(&(sAMAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
<wls:group-base-dn>OU=HO,DC=oh,DC=richbank,DC=org</wls:group-base-dn>
<wls:group-from-name-filter>(&(sAMAccountName=%g)(objectclass=group))</wls:group-from-name-filter>
<wls:static-group-name-attribute>sAMAccountName</wls:static-group-name-attribute>
<wls:use-retrieved-user-name-as-principal>false</wls:use-retrieved-user-name-as-principal>
</sec:authentication-provider>
XML
복사
Wrapping Up
This guide should help you tackle most OBIEE-AD integration headaches. Remember:
•
Always test thoroughly after making changes
•
Keep those log files handy
•
When in doubt, Oracle support is there to help
Before implementing any changes in production, remember the golden rule: test everything in a development environment first. Your future self will thank you.
Need more help or have questions? Drop them in the comments below – let's troubleshoot together!