X

Oracle Customer Engineering & Advocacy Lab (CEAL) Blog covers BI Tech, EPM, BI Cloud and EPM Cloud.

OBIEE Login Fails while searching users from a Large MSAD

Olivier Bennardo
Director, DEV Eng Cloud and Infrastructure Solution Architect

Author: veera.raghavendra.rao@oracle.com

Problem: OBIEE Login Failed due to max timeout to search and
retrieve a user from the base DN when there are multiple sub trees and large
user store

Oracle Support Doc ID:

Using User Filter to
Reduce the Number of Users Retrieved from Microsoft Active Directory (MSAD)
(Doc ID 1227144.1)

Example:

Users are from multiple sub
trees like below:

CN=auuser1,OU=Users,OU=AU,DC=paceal,DC=oracle,DC=com

CN=causer1,OU=Users,OU=CA,DC=paceal,DC=oracle,DC=com

CN=cnuser1,OU=Users,OU=CN,DC=paceal,DC=oracle,DC=com

CN=fruser1,OU=Users,OU=FR,DC=paceal,DC=oracle,DC=com

CN=inuser1,OU=Users,OU=IN,DC=paceal,DC=oracle,DC=com

CN=jpuser1,OU=Users,OU=JP,DC=paceal,DC=oracle,DC=com

CN=nzuser1,OU=Users,OU=NZ,DC=paceal,DC=oracle,DC=com

CN=uaeuser1,OU=Users,OU=UAE,DC=paceal,DC=oracle,DC=com

CN=ukuser1,OU=Users,OU=UK,DC=paceal,DC=oracle,DC=com

CN=ususer1,OU=Users,OU=US,DC=paceal,DC=oracle,DC=com

HERE ALL THE USERS ARE MEMBERS OF A GROUP “AU Hyperion EPM Users”.

The Distinguished Name of the
Group:

CN=AU
Hyperion EPM Users,OU=Common,OU=Groups,OU=AU,DC=paceal,DC=oracle,DC=com

Problem Statement:

No of users actually used to
login to OBIEE are limited (e.g some 200 Users) and are scattered across
multiple sub trees but we are using user based DN as DC=paceal,DC=oracle,DC=com
where it has to search 10,000 + Users, so the users might not be retrieved on
time i.e. within 120 seconds and so the Login Fails.

In this situation we can
configure the Authentication
Provider
where User Filter is set to retrieve users who are members of a
certain Group.

User Base DN: DC=paceal,DC=oracle,DC=com

All Users Filter & User
From Name Filter: (&(objectCategory=Person)(objectClass=user)(memberOf=CN=AU
Hyperion EPM Users,OU=Common,OU=Groups,OU=AU,DC=paceal,DC=oracle,DC=com))

The users who are members of
the group are searched immediately and retrieved

This will help to retrieve the
users that are required to login to OBIEE instead of searching the entire
directory with (&(cn=%u)(objectClass=user))

Join the discussion

Comments ( 1 )
  • Senthilnathan Monday, September 19, 2016

    Nice Article !!!


Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha
Oracle

Integrated Cloud Applications & Platform Services