LdapSecurity Sample: Secure Reports by connecting to 3rd party LDAP Servers

An Oracle Reports Technical Note
Jul 2006


Introduction

This document provides instructions on how to configure the LdapSecurity sample, which can be used to authenticate users against a 3rd party LDAP server.

By default, Oracle Reports is configured to use Oracle’s powerful security mechanism, via the Identity Management infrastructure. This security mechanism uses industry-leading solutions like Oracle Single Sign On, Oracle Internet Directory and the Oracle Infrastructure database. This framework is exposed to users via the easy-to-use Oracle Portal user interface. This default security infrastructure is highly recommended to all users. However, in certain cases, organizations may have their existing user management systems in LDAP-compliant or LDAP-enabled solutions like Microsoft Active Directory and Novell eDirectory. In such situations, it may not be feasible to migrate the user information to Oracle Internet Directory, and the organization may thus need to configure Oracle Reports to authenticate users against the existing LDAP servers. The LdapSecurity sample is a custom security implementation that authenticates users against a 3rd party LDAP server.

This sample implements user authentication, but not user authorization. To see a sample that implements user authorization as well, refer to the XML security plugin sample available on OTN.

Installation and Configuration

Installing LdapSecurity.jar

Deploying the new security class

Before you deploy the new security class, you need to make the LDAP security jar file (LdapSecurity.jar) available to Oracle Reports via the classpath. This procedure depends on whether you are using the in-process Reports Server or a standalone Reports Server. If you are using the in-process Reports Server, you need to modify the classpath for the OC4J instance, because the in-process Reports Server inherits the classpath from its OC4J instance.

If you are using the in-process Reports Server, use the Oracle Enterprise Manager Application Server Control to modify the classpath:

If you are using a standalone Reports Server:

Registering the new security class with Oracle Reports Services

To register the new security class with Oracle Reports Services, you need to add an entry in the Reports Server configuration file (server_name.conf). The configuration file is in the ORACLE_HOME/reports/conf directory. Specifically, add the following entry:

<security id="LDAPsec" class="oracle.reports.plugin.security.ldapv3.LdapSecurity">
<property name="dir_name" value="…"/>
<property name="dir_port" value="…"/>
<property name="base_dn_suffix" value="…"/>
<property name="base_dn_prefix" value="…"/>
<property name="oidEntity" value="ReportsApp"/>
</security>

Here is an explanation of the terms used:

The values of these parameters depend on your LDAP Server. Consult your LDAP Server's documentation for the values to be specified. As an example, for a default installation of SidVault, the XML to be added to the Reports Server configuration file is:

<security id="LDAPsec" class="oracle.reports.plugin.security.ldapv3.LdapSecurity">
<property name="dir_name" value="LDAP_Server_host_name"/>
<property name="dir_port" value="389"/>
<property name="base_dn_suffix" value="dc=example,dc=com"/>
<property name="base_dn_prefix" value="cn="/>
<property name="oidEntity" value="ReportsApp"/>
</security>

Note: You need to change the value of LDAP_Server_host_name above.

Configuring the Reports Server to use the new security mechanism

Change the <job> element in the Reports Server configuration file as follows:

<job jobType="report" engineId="rwEng" securityId="LDAPsec"/>

Modify the rwservlet.properties file to disable Single Sign On (this file is available in the ORACLE_HOME/reports/conf directory):

SINGLESIGNON=NO

Single Sign On must be disabled because the Oracle Single Sign On Server does not directly interact with custom security implementations. As a result, we need to disable Single Sign On when we configure Oracle Reports to use a custom security implementation. Refer to the Oracle Application Server Security Guide for information on configuring Oracle Single Sign On to use 3rd party LDAP Servers.
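A pre-restart check of the three configuration steps above, as an added example that is not part of Oracle's sample: it reports a missing or placeholder property, a <job> whose securityId does not point at the LdapSecurity entry, SINGLESIGNON not set to NO, and dir_port 389 (the standard unencrypted LDAP port). The function name, the <server> wrapper element, the id "defaultSec" and the sample inputs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

PLUGIN = "oracle.reports.plugin.security.ldapv3.LdapSecurity"
REQUIRED = ("dir_name", "dir_port", "base_dn_suffix", "base_dn_prefix", "oidEntity")
PLACEHOLDERS = {"", "…", "...", "LDAP_Server_host_name"}  # values copied unedited

def check_reports_config(conf_xml, servlet_props):
    """Return findings for the three configuration steps described above."""
    findings = []
    root = ET.fromstring(conf_xml)
    plugins = {s.get("id"): s for s in root.iter("security") if s.get("class") == PLUGIN}
    if not plugins:
        findings.append("no <security> element registers the LdapSecurity class")
    for sec_id, sec in plugins.items():
        props = {p.get("name"): (p.get("value") or "").strip() for p in sec.iter("property")}
        for name in REQUIRED:
            if name not in props:
                findings.append(f"{sec_id}: property {name} is missing")
            elif props[name] in PLACEHOLDERS:
                findings.append(f"{sec_id}: property {name} still holds a placeholder")
        if props.get("dir_port") == "389":  # standard unencrypted LDAP port
            findings.append(f"{sec_id}: dir_port 389, confirm bind passwords are protected in transit")
    for job in root.iter("job"):
        if job.get("jobType") == "report" and job.get("securityId") not in plugins:
            findings.append(f"report job securityId={job.get('securityId')!r} is not an LdapSecurity id")
    sso = None  # rwservlet.properties: skip comments, last assignment wins
    for line in servlet_props.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == "SINGLESIGNON":
            sso = value.strip().upper()
    if sso != "NO":
        findings.append("rwservlet.properties does not set SINGLESIGNON=NO")
    return findings

# Constructed sample: <server> wrapper and the id "defaultSec" are assumptions.
SAMPLE_CONF = """<server>
  <security id="LDAPsec" class="oracle.reports.plugin.security.ldapv3.LdapSecurity">
    <property name="dir_name" value="LDAP_Server_host_name"/>
    <property name="dir_port" value="389"/>
    <property name="base_dn_suffix" value="dc=example,dc=com"/>
    <property name="base_dn_prefix" value="cn="/>
    <property name="oidEntity" value="ReportsApp"/>
  </security>
  <job jobType="report" engineId="rwEng" securityId="defaultSec"/>
</server>"""
SAMPLE_PROPS = "# constructed sample\nSINGLESIGNON=YES\n"

if __name__ == "__main__":
    for finding in check_reports_config(SAMPLE_CONF, SAMPLE_PROPS):
        print("-", finding)
```

The constructed sample yields four findings: the unedited host name, port 389, the job still bound to another security id, and Single Sign On left enabled.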


Running Reports with LdapSecurity

Once you have configured the new security mechanism, you can use it by specifying the same command to execute reports as you use with the default security mechanism. If you specify AUTHID in the command, the report will be run without displaying the System Authentication screen. If you do not specify AUTHID in the command line, the System Authentication screen will be shown, where you must supply your username and password. In other words, the behavior is exactly the same as with default Reports security, with the exception that Single Sign-On is not available with the custom security implementation.

Refer to Oracle Application Server Reports Services Publishing Reports to the Web for information on the default Reports security architecture.


Usage Notes


Related Materials
