I think I've googled and read everything possible, yet I'm still not able to get this thing working. I'm using 220.127.116.11.6.
I would like to authenticate using the native WLS LDAP. And I can. I log in to OBIEE Analytics just fine with a user/pw stored in native WLS LDAP. But of course, it hasn't yet gotten the proper authorization.
I would like to AUTHORIZE using an external table. But according to http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/legacy.htm#CHDBBIHG section A.2.3 Setting Up Authorization Using Initialization Blocks: "Initialization blocks to set ROLES or GROUP session variables will only function when the user fails to authenticate through an authenticator configured in the WebLogic security realm, and the user instead authenticates through an initialization block."
That seems to be true. I've tried the old 10g initialization block method to read external tables during Authorization. I can successfully use that method to update every other session variable, including the DISPLAYNAME system session variable. So I know that the syntax I'm using is right. Therefore, the statement above must be true: the authorization and the authentication must happen in the same place. Now, I would like to take Oracle to task for that, but I'll save that for another posting.
So according to that logic, it appears that the authorization via external table would have to happen as part of the WLS login.
That's what I've also gathered from the Rittman posting located at http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/.
Unfortunately, that article is specifically describing an Active Directory implementation. But it seems that the basic information might be the same, so I've done this so far:
1. Copied the BISecurityProviders.jar file and then restarted the Admin Server to make the new authenticator called BISQLGroupProvider available.
2. Created a new Authentication Provider (BISQLGroupProvider)
3. Set the control flag for the new provider to SUFFICIENT
4. Set the security flag for the original DefaultAuthenticator to OPTIONAL
5. Moved the new provider to the top of the list
6. Set up the two security tables exactly as described in the Rittman article.
One question that I still have is related to the Provider Specific SQL statements. Each of the four select statements includes one or two question marks in its SQL, so I don't know whether to leave those alone or try to figure out what belongs in the SQL in place of the question marks. For now, I'll leave them alone.
7. Restarted everything.
8. Log in to Analytics.
Unfortunately, at this point the login assigns only Authenticated User and BIConsumer into the ROLES session variable. As I noted above, I'm able to use external tables to populate other session variables. But the ROLES (and GROUP) session variables show Authenticated User; BIConsumer. Based on the external table, they should show BIAuthor.
What am I doing wrong or what am I missing in WLS?
Not sure if you have already checked these, but please refer to: Oracle Exalytics With Active Directory (AD) Authentication And Database Authorization Not Showing Expected Groups in OBIEE My Account Settings [ID 1513032.1]
Also confirm that the templates you have created are correct for the bi_sql_groups_adapter_template.xml db adapter. There is also a section in this whitepaper to correct errors in this adapter template. Refer to: "OBIEE 11g: Authenticating to Oracle Business Intelligence Enterprise Edition 11g With Users in LDAP, Groups in Database (BISQLGroupProvider)" [ID 1428008.1]. Follow the steps per this document and let us know if you have issues.
SSVS, you got me going down the correct path. It is working now!! The key is in following the instructions in the TechNote_LDAP_Auth_DB_Groups V3.pdf, which can be downloaded from release note 1428008.1. I followed those instructions precisely, and everything works.