Problem Statement:
When creating Agents in OBIEE 12c, the agents are created successfully, but when they are run as recipients they fail with the message “The user does not have impersonation privilege”.
In OBIEE 11g, LDAP was configured at the rpd level, and impersonation and Agents worked without flaws. When the same was implemented in OBIEE 12c as part of the upgrade from OBIEE 11g to OBIEE 12c, we faced the impersonation problem, which leads to the Agents failing; nor can we log in as any users apart from Weblogic and Administrator.
Applied Solution: As analyzed, the cause of the above error would be the LDAP configuration in the rpd. In OBIEE 12c, LDAP should be configured in the console, unlike 11g, where it was configured at the rpd level.
Hence, to overcome this, we tried implementing LDAP at the console level rather than at the rpd level and followed the steps mentioned in the Oracle document to create the LDAP Authentication in the WebLogic console. The steps followed are as below:
In Providers added a new Provider as ADAuthenticator:
For ADAuthenticator changed the control Flag: SUFFICIENT
Configured Connection details:
Configured the users details:
Configured the group details:
Static Groups and Dynamic Groups:
In General:
For the ‘Default Authenticator’ provider, the ‘Control Flag’ was changed to OPTIONAL.
After configuring, we are able to see the user in ‘Users and Groups’.
In EM:
We had configured the Identity store provider:
In EM we are able to see the users to add to the Application roles:
The users list was visible in the console and EM. After restarting the server, when we tried to log in to the Analytics page with the users mentioned above, we still faced an Authentication error, which prevents us from logging in, and we are unable to run the Agents as well.
We further tested whether this issue is related to a specific user or to all the users and realized that it was with all the users, and we also checked that the password for the users should not contain any special characters.
After checking the logs, we identified that there were some init blocks for Authorization where the user gets the groups from the E-Business Suite DB, which had to be disabled and the rpd re-deployed, but the issue still continues.
Further, we assigned the Global Admin role to one of the LDAP users and tried to log in to EM, which failed again.
We confirmed that all the LDAP configuration and the related variables were disabled at the rpd level. We tried to log in after changing the group membership searching to limited and the level to 5, but we still face the same issue.
As suggested by Oracle, the below parameters were misconfigured and we re-configured them, but the issue still remains:
principal – cn=jsmith,cn=users,dc=us,dc=xyzcorp,dc=com.
Group Base DN:- DC=vm,DC=oracle,DC=com
User Base DN:- cn=users,DC=vm,DC=oracle,DC=com
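A sanity check over the three values listed above, as an added example that is not part of the original write-up or of any Oracle tooling: it parses each DN and reports when the Principal or Group Base DN sits in a different dc= domain than the User Base DN. The function names are hypothetical, and a finding is a prompt to review the authenticator settings, not proof of the root cause.

```python
import re

# Values as listed on this page (the principal is copied with its trailing full stop).
PRINCIPAL = "cn=jsmith,cn=users,dc=us,dc=xyzcorp,dc=com."
USER_BASE_DN = "cn=users,DC=vm,DC=oracle,DC=com"
GROUP_BASE_DN = "DC=vm,DC=oracle,DC=com"

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs, leftmost RDN first."""
    dn = dn.strip().rstrip(".")  # assumption: a trailing "." is sentence punctuation
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # split only on commas that are not escaped
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_under(dn, base):
    """True when dn equals base or lies below it in the directory tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def domain(dn):
    """Dotted domain built from the dc= components, e.g. vm.oracle.com."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")

def check_dns(principal, user_base, group_base):
    """Return review findings; an empty list means all three DNs share one domain."""
    findings = []
    expected = domain(user_base)
    for label, dn in (("Principal", principal), ("Group Base DN", group_base)):
        if domain(dn) != expected:
            findings.append(f"{label} is in {domain(dn)}, User Base DN is in {expected}")
    return findings

if __name__ == "__main__":
    for finding in check_dns(PRINCIPAL, USER_BASE_DN, GROUP_BASE_DN):
        print("REVIEW:", finding)
    print("User Base DN under Group Base DN:", is_under(USER_BASE_DN, GROUP_BASE_DN))
```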