Oracle® Enterprise Data Quality for Product Data Oracle DataLens Server Administration Guide
Release 5.6.2

Part Number E23614-02

E User Authentication with LDAP

Lightweight Directory Access Protocol (LDAP) can be used to provide user authentication. If you use LDAP, users do not need to be separately created in the Oracle DataLens Server Administration Web pages and assigned roles and passwords.

When LDAP is used, the Oracle DataLens Server contacts the LDAP server and attempts to log in with the provided credentials. If the login succeeds, it finds the group objects corresponding to its internal roles and determines which of those groups the user is a member of, in order to assign the appropriate rights.

Oracle DataLens Server LDAP Configuration Files

There are two files that need to be placed in the server /config directory (defined in web.xml):

ldap.xml

ldap.keystore

The Oracle DataLens Server checks for these two files in the config directory and uses LDAP user authentication if they are found. The admin user within the DLS server is always checked internally to prevent lockouts.

The ldap.keystore file needs to be created by your local IT Administrator with the Java keystore utility. Oracle Consulting Services can also create this file for you, given the CA root certificate file generated by the LDAP directory server (for example, by Active Directory). The DLS supports LDAP and LDAPS connections, not SASL or negotiated TLS.

The ldap.xml file needs to be manually edited based on your local LDAP settings.

Following is an example ldap.xml file, configured for use with Microsoft Active Directory:

  <LdapInfo>
    <!-- Connection Information -->
    <host>AD-LDAP</host>
    <port>636</port>
    <!-- Security information -->
    <keystoreFile>ldap.keystore</keystoreFile>
    <!-- Proxy Information -->
    <proxyUser>cn=proxytest,cn=users,dc=ad-ldap,dc=datalens,dc=com</proxyUser>
    <proxyPass>password</proxyPass>
    <displayNameAttribute>sAMAccountName</displayNameAttribute>
    <!-- Users -->
    <userPrefix>cn=</userPrefix>
    <userSuffix>ou=dlsusers,dc=ad-ldap,dc=com</userSuffix>
    <!-- Roles -->
    <rolePrefix>cn=</rolePrefix>
    <roleSuffix>ou=datalens,dc=ad-ldap,dc=datalens,dc=com</roleSuffix>
    <memberAttribute>member</memberAttribute>
  </LdapInfo>

The entries control the directory lookup behavior as follows:

host

This should be the LDAP server name or address. Host names must be resolvable from the Oracle DataLens Server.

port

Use port 389 for unencrypted connections and port 636 for SSL connections.

keystoreFile

If a keystoreFile entry is included, SSL is used for the connection and for all queries against LDAP.

proxyUser (optional)

If a proxy user is included, an initial connection is made as the proxy user to search recursively through the directory for a user whose entered name matches the displayNameAttribute of an entry.

proxyPassword (optional)

Login password for the proxy user.

displayNameAttribute (optional)

If a proxy user is used, this is the attribute used to search for the username entered in the login screens. For example, sAMAccountName is used for Active Directory, and uid in many other systems.

userPrefix

This is the attribute prefix on user objects, typically cn= or uid=.

userSuffix (optional)

The base container in which to search for users. If a proxy user is not used, searches are conducted in this scope only and are not recursive. If a proxy user is used, this tag is ignored.

rolePrefix

The attribute prefix for group objects, typically cn=.

roleSuffix

The base container in which to search for groups. This is a single scope search, and group names must exactly match the roles in the Oracle DataLens Server.

memberAttribute

The attribute of the group objects that contains the list of users within the group.

LDAP User Restrictions

The LDAP administrator must define roles (groups) that are used by the Oracle DataLens Server. These roles are mapped from LDAP to the Oracle DataLens roles by name only. New roles can be created and used with LDAP, as long as corresponding groups are created in the LDAP directory.

Standard role names for the Oracle DataLens Server include the following.

Setting Up a Sample LDAP Directory

First, make a new OU (organization unit) to house your users:


Now, make some users in that OU:


Then, make an OU for the Oracle DataLens roles:


Create new groups for the Oracle DataLens Server roles:


Then add users to the corresponding role groups.

Note:

Most likely, you will already have your network users set up. If this is the case, just add your existing users to the new Oracle DataLens Server groups.


After configuring the Oracle DataLens Server with an appropriate ldap.xml and ldap.keystore, users are able to log in with their Active Directory credentials.
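As an added example (not part of this guide or of the DataLens product), the following Python models the lookup behavior described for the ldap.xml entries above and for the sample directory built in the steps above: it parses an ldap.xml, flags transport settings worth reviewing, and resolves a login name to a DN and then to roles against a constructed in-memory directory. The users jsmith and Jane Doe and the groups RoleA and RoleB are assumptions, not real DataLens role names, and no LDAP server is contacted.

```python
# Added example, not Oracle DataLens code: models the lookup the ldap.xml entries describe
# against an in-memory stand-in for the sample AD tree. No server contacted, no bind simulated.
import xml.etree.ElementTree as ET
LDAP_XML = """<LdapInfo><host>AD-LDAP</host><port>636</port>
<keystoreFile>ldap.keystore</keystoreFile>
<proxyUser>cn=proxytest,cn=users,dc=ad-ldap,dc=datalens,dc=com</proxyUser>
<proxyPass>password</proxyPass><displayNameAttribute>sAMAccountName</displayNameAttribute>
<userPrefix>cn=</userPrefix><userSuffix>ou=dlsusers,dc=ad-ldap,dc=com</userSuffix>
<rolePrefix>cn=</rolePrefix><roleSuffix>ou=datalens,dc=ad-ldap,dc=datalens,dc=com</roleSuffix>
<memberAttribute>member</memberAttribute></LdapInfo>"""

JSMITH = "cn=jsmith,ou=dlsusers,dc=ad-ldap,dc=com"            # constructed; under userSuffix
JDOE = "cn=Jane Doe,cn=users,dc=ad-ldap,dc=datalens,dc=com"  # constructed; existing network user
DIRECTORY = {  # constructed stand-in directory: DN -> attributes; RoleA/RoleB are assumed names
    JSMITH: {"sAMAccountName": "jsmith"},
    JDOE: {"sAMAccountName": "jdoe"},
    "cn=RoleA,ou=datalens,dc=ad-ldap,dc=datalens,dc=com": {"member": [JSMITH, JDOE]},
    "cn=RoleB,ou=datalens,dc=ad-ldap,dc=datalens,dc=com": {"member": [JDOE]},
}

def load_config(xml_text):
    """Flatten the <LdapInfo> children into a dict of tag -> stripped text."""
    return {c.tag: (c.text or "").strip() for c in ET.fromstring(xml_text)}

def check_transport(cfg):
    """Settings worth reviewing: 389 is cleartext; 636 only gives SSL with a keystore."""
    warnings = []
    if cfg.get("port") == "389":
        warnings.append("port 389: bind credentials and queries travel unencrypted")
    if cfg.get("port") == "636" and not cfg.get("keystoreFile"):
        warnings.append("port 636 without keystoreFile: SSL will not be used")
    return warnings   # note: proxyPass itself sits in cleartext in ldap.xml; guard that file

def find_user_dn(cfg, login_name, directory):
    """Proxy user: recursive displayNameAttribute search, userSuffix ignored; else build the DN."""
    if cfg.get("proxyUser"):
        attr = cfg["displayNameAttribute"]
        hits = [dn for dn, attrs in directory.items() if attrs.get(attr) == login_name]
        return hits[0] if len(hits) == 1 else None   # missing or ambiguous -> no login
    dn = f"{cfg['userPrefix']}{login_name},{cfg['userSuffix']}"   # single scope, not recursive
    return dn if dn in directory else None

def resolve_roles(cfg, user_dn, role_names, directory):
    """Grant a role only if a group with exactly that name sits under roleSuffix and lists user_dn."""
    granted = []
    for role in role_names:
        group_dn = f"{cfg['rolePrefix']}{role},{cfg['roleSuffix']}"
        if user_dn in directory.get(group_dn, {}).get(cfg["memberAttribute"], []):
            granted.append(role)
    return granted
```

Because the proxy path searches the whole directory while the direct path only builds a DN under userSuffix, the same login name can succeed with a proxy user and fail without one.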
