OBIEE 11g: The 'All Users' Filter in the WebLogic Server (WLS) Security Provider is not Applied in Enterprise Manager (EM) and All Users in the User Base DN can log in to OBIEE (Doc ID 2083225.1)

Last updated on DECEMBER 04, 2015

Applies to:

Business Intelligence Server Enterprise Edition - Version 11.1.1.7.0 to 11.1.1.7.151020 [Release 11g]
Information in this document applies to any platform.

Symptoms

Users are to be authenticated (and authorized) via an Active Directory LDAP.

An Authentication Provider is created via the WebLogic Server (WLS) Console; for example, with provider-specific settings such as:
   Name: MyADAuthenticator
   User Base DN: DC=myUserBaseDN,DC=net
   All Users Filter: (|(memberOf=CN=OBI Users,OU=myOrgUnit,DC=myUserBaseDN,DC=net))

The Identity Store is configured via Fusion Middleware Control (EM) to enable virtualization, in support of multiple authentication providers (identity stores); for example:
   WebLogic Domain > bifoundation_domain > Right-click bifoundation_domain : Select Security - Security Provider > Click Identity Store Provider : Configure
   Add a Property in the Custom Properties area:
      Property Name=virtualize
      Value=true

When viewing the users in the WLS Console, the list of MSAD users contains only those users that satisfy the All Users Filter (see above).

When viewing the users in EM (for example, to add members to an Application Role), the list of MSAD users contains all users under the User Base DN.

Similarly, any MSAD user under the User Base DN can log in successfully to OBIEE, even those that do not satisfy the All Users Filter.
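
To size the gap described above, the following added example (not part of the Oracle document and not Oracle code) evaluates the All Users Filter against a directory export and lists the accounts under the User Base DN that fail the filter, which are the accounts the symptom says can still log in. The directory entries are constructed, the function names are hypothetical, and only the `&`, `|`, `!` and equality forms of LDAP filters are handled, with `memberOf` compared as a direct, case-insensitive match.

```python
# Values from the page's example provider configuration.
USER_BASE_DN = "DC=myUserBaseDN,DC=net"
ALL_USERS_FILTER = "(|(memberOf=CN=OBI Users,OU=myOrgUnit,DC=myUserBaseDN,DC=net))"

# Constructed sample directory entries (not real accounts).
ENTRIES = [
    {"dn": "CN=alice,OU=myOrgUnit,DC=myUserBaseDN,DC=net",
     "memberOf": ["CN=OBI Users,OU=myOrgUnit,DC=myUserBaseDN,DC=net"]},
    {"dn": "CN=bob,OU=myOrgUnit,DC=myUserBaseDN,DC=net",
     "memberOf": ["CN=Finance,OU=myOrgUnit,DC=myUserBaseDN,DC=net"]},
    {"dn": "CN=carol,OU=Other,DC=myUserBaseDN,DC=net", "memberOf": []},
    {"dn": "CN=dave,DC=elsewhere,DC=net",
     "memberOf": ["CN=OBI Users,OU=myOrgUnit,DC=myUserBaseDN,DC=net"]},
]

def parse(f, i=0):
    """Parse an LDAP filter subset (&, |, !, attr=value); return (node, next_index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1]
    if op in "&|!":
        i, kids = i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, _, value = f[i + 1:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter node against one entry (case-insensitive)."""
    if node[0] == "=":
        vals = {k.lower(): v for k, v in entry.items()}.get(node[1], [])
        return node[2] in (v.lower() for v in vals)
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def unfiltered_logins(entries, base=USER_BASE_DN, flt=ALL_USERS_FILTER):
    """DNs under the base DN that fail the filter: visible in EM, hidden in WLS."""
    tree, _ = parse(flt)
    suffix = "," + base.lower()
    return [e["dn"] for e in entries
            if e["dn"].lower().endswith(suffix) and not matches(tree, e)]

if __name__ == "__main__":
    for dn in unfiltered_logins(ENTRIES):
        print(dn)
```

Any DN this returns for a real export is an account whose access depends on the filter being enforced, so it is worth checking against OBIEE login records and Application Role membership.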

Cause
