You are here: Blog OBIEE 11g - Configuring LDAP Server to provide OBIEE users
Thursday, 20 December 2012 16:55

OBIEE 11g - Configuring LDAP Server to provide OBIEE users

Written by 
Rate this item
(0 votes)

OBIEE 11g - Configuring LDAP Server to provide OBIEE users

Prerequisites and best practices before starting any LDAP related changes

·         LDAP Server is installed and running

·         Users and groups and configured within the LDAP

·         Backup is taken for the following files :

o    C:\OBIEE11G\user_projects\domains\bifoundation_domain\config\config.xml

o    C:\OBIEE11G\user_projects\domains\bifoundation_domain\config\fmwconfig\*.XML   (i.e. All xml files in that directory)

o    Some developers prefer to take the backup of the whole domain folder C:\OBIEE11G\user_projects\domains\bifoundation_domain , instead of just a few XML's if massive security changes are being tested.

·         Post the LDAP related changes if the weblogic server fails to bootup (which means an Administrator is locked out of whe WLS Console), the above files can be restored back (which is a last known good configuration) and previous state is restored.  The errors look somewhat like this :

####<Sep 30, 2012 8:04:35 AM IST> <Notice> <WebLogicServer> <my-laptop> <AdminServer> <main> <<WLS Kernel>> <> <> <1354242875438> <BEA-000365> <Server state changed to FAILED>

####<Sep 30, 2012 8:04:35 AM IST> <Error> <WebLogicServer> < my-laptop> <AdminServer> <main> <<WLS Kernel>> <> <> <1354242875440> <BEA-000383> <A critical service failed. The server will shut itself down>

####<Sep 30, 2012 8:04:35 AM IST> <Notice> <WebLogicServer> < my-laptop> <AdminServer> <main> <<WLS Kernel>> <> <> <1354242875445> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>

####<Sep 30, 2012 8:04:35 AM IST> <Info> <WebLogicServer> < my-laptop> <AdminServer> <main> <<WLS Kernel>> <> <> <1354242875473> <BEA-000236> <Stopping execute threads.>



The above log can be found at :

C:\OBIEE11G\user_projects\domains\bifoundation_domain\servers\AdminServer\logs\ AdminServer.log


In the same folder bifoundation_domain.log and AdminServer-diagnostic.log files provide further trouble shooting information which is quite self explanatory and can be googled in case of errors. These are all weblogic server logs.


The current document describes integration with an OpenLDAP directory. However it would be same for other kinds of LDAP directories.


OpenLDAP for windows can be downloaded from :


A LDAP browser can be downloaded from :

This can be used for browsing through the LDAP directory entries


The following snap shows the users in a LDAP explorer tool



Login to Weblogic Server Admin Console and Navigate to your Security Realm




Go to the provider tab. This tab is used to add a new provider, e,g, a new LDAP Server that will "provide" users for OBIEE system. Click on Lock and edit and New under the providers table, to add a new Provider, which in this case is an OpenLDAP Directory



Name the LDAP provider as "OpenLDAPAuthenticator" (or whatever you wish) and select the Type of Authenticator as " OpenLDAPAuthenticator" and Click OK.



This authenticator now appears in the list of WLS authenticators as shown below. This must be reordered to be the first Authenticator.


Reorder by using the up keys



This is how it looks post reorder


And the below snap shows how this looks in the Authenticator Providers Table:

Click on the newly created Provider to configure it for handshaking with our OpenLDAP Server







An important step here, Mark control flag as OPTIONAL. This step is not to be missed else the Administrator will be locked out of Weblogic Server. Do the same for the other Authenticator.(i.e. mark control flag as OPTIONAL)                 DefaultAuthenticator(WebLogic Authentication Provider). Skipping this step will prove to be disastrous J



 Next in the "Provider Specific" Tab the LDAP specific configurations will be applied. Enter the Host,Port,Principal(admin user of LDAP),Password to connect to LDAP,User Base DN (Distinguished Name), Group Base DN etc. Note: The LDAP admin is the best person to talk to and get it filled as deemed appropriate.








Say OK to Save and Click on Release Cofiguration. Then Reboot the whole BI System (Stop BI Services--> Start BI Services) from Start menu




Once booted up, login to EM. In the EM, Navigate to Security Provider Configuration as shown below



Go to Identity store click Configure as shown below


Add a property as

Property Name : virtualize
Value : true



Reboot the whole BI System from Windows Start Menu (Not just the BI server using opmnctl stopall/startall)


Check that LDAP users are available now in Weblogic server


Try to login now


Login should be successful

Read 9571 times Last modified on Thursday, 07 March 2013 12:41

Leave a comment

Make sure you enter the (*) required information where indicated.
Basic HTML code is allowed.