1 Reply Latest reply: Sep 12, 2013 12:02 PM by 1026660

    please help: WebLogic + BI + BI SQL Group Loader

    h.o.o.k

      Hi all, I have a big problem with a solution on my company project. Please, somebody help me.

       

      This is my problem:

       

      I have bifoundation_domain:

       

      WebLogic Server Version: 10.3.5.0

      EM 11g

      Oracle Business Intelligence 11.1.1.7.0

       

      with this structure:

       

      bifoundation_domain

      |- AdminServer

      |- bi_cluster

        |- bi_server1

        

      So I need to use the WebLogic embedded LDAP (DefaultAuthenticator in the realm's security providers) and I need to load GROUPS from the DATABASE. I read and tried a lot of articles, blogs and manuals, but without a positive result.

       

      My procedure is:

       

      In the WLS console:

       

      - create a JDBC data source with the name "bip_apps_DS"

       

      - create a BI SQL Group provider (with the name BIGroupLoader) with these settings:

      <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:bisql-group-providerType">
        <sec:name>BIGroupLoader</sec:name>
        <sec:control-flag>OPTIONAL</sec:control-flag>
        <ext:data-source-jndi-name>bip_apps_DS</ext:data-source-jndi-name>
        <ext:sql-list-member-groups>SELECT ROLE_NAME FROM V_SYS_AUTH_ROLES WHERE LOGIN_NAME = ?</ext:sql-list-member-groups>
        <ext:sql-list-groups>SELECT NAME FROM UA_ROLES WHERE NAME LIKE ?</ext:sql-list-groups>
        <ext:sql-group-exists>SELECT NAME FROM UA_ROLES WHERE NAME = ?</ext:sql-group-exists>
        <ext:sql-is-member>SELECT LOGIN_NAME FROM V_SYS_AUTH_ROLES WHERE ROLE_NAME = ? AND LOGIN_NAME = ?</ext:sql-is-member>
        <ext:sql-get-group-description>SELECT DESCRIPTION FROM UA_ROLES WHERE NAME = ?</ext:sql-get-group-description>
      </sec:authentication-provider>
      
      

      (my DB schema is correct)

       

      and I moved it to first place in the providers list.

       

      So after these steps, in the WLS console I see my groups from the DB under security realm->groups. Everything is OK.

       

      Now I need to use GROUPS from my database in EM in the context of creating BI user roles (mapping BI application roles to GROUPS (enterprise roles)).

       

      So I created a database adapter for the Virtualized Identity Store.

       

      This is it:

       

      <?xml version = '1.0' encoding = 'UTF-8'?>
       <adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters" xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
        <dataBase id="directoryType" version="0">
        <root>%ROOT%</root>
        <active>true</active>
        <serverType>directoryType</serverType>
        <routing>
        <critical>true</critical>
        <priority>50</priority>
        <inclusionFilter/>
        <exclusionFilter/>
        <plugin/>
        <retrieve/>
        <store/>
        <visible>Yes</visible>
        <levels>-1</levels>
        <bind>true</bind>
        <bind-adapters/>
        <views/>
        <dnpattern/>
        </routing>
        <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
        <plugins>
        <plugin>
        <name>VirtualAttribute</name>
        <class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin</class>
        <initParams>
        <param name="ReplaceAttribute" value="uniqueMember={cn=%uniquemember%,ou=people,ou=myrealm,dc=bifoundation_domain}"/>
        </initParams>
        </plugin>
        </plugins>
        <default>
        <plugin name="VirtualAttribute"/>
        </default>
        <add/>
        <bind/>
        <delete/>
        <get/>
        <modify/>
        <rename/>
        </pluginChains>
        <driver>oracle.jdbc.driver.OracleDriver</driver>
        <url>%URL%</url>
        <user>%USER%</user>
        <password>%PASSWORD%</password>
        <ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
        <includeInheritedObjectClasses>true</includeInheritedObjectClasses>
        <maxConnections>10</maxConnections>
        <mapping>
        <joins/>
        <objectClass name="groupofuniquenames" rdn="cn">
        <attribute ldap="cn" table="V_SYS_AUTH_ROLES" field="ROLE_NAME" type=""/>
        <attribute ldap="description" table="V_SYS_AUTH_ROLES" field="ROLE_NAME" type=""/>
        <attribute ldap="uniquemember" table="V_SYS_AUTH_ROLES" field="LOGIN_NAME" type=""/>
        </objectClass>
        </mapping>
        <useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
        <connectionWaitTimeout>10</connectionWaitTimeout>
        <oracleNetConnectTimeout>0</oracleNetConnectTimeout>
        <validateConnection>false</validateConnection>
        </dataBase>
       </adapters>
      
      

      and ran the command to register it:

       

      ./libovdadapterconfig.sh -adapterName BIGroupLoader -adapterTemplate bi_sql_groups_adapter_template.xml \
        -host localhost -port 7001 -userName weblogic -domainPath /OFM/BI/user_projects/domains/bifoundation_domain \
        -dataStore DB -root ou=people,ou=myrealm,dc=bifoundation_domain -contextName default -dataSourceJNDIName bip_apps_DS

       

      The adapter is created successfully without errors!

       

      I restarted the managed server (bi_server1) and AdminServer, all BI components, etc., BUT WITHOUT RESULT. I still don't see GROUPS in Enterprise Manager in BI->coreapplication->security->application roles.

       

      I tried setting virtualize=true in the security settings of the WebLogic domain in EM.

      This procedure is described on all sites but does not work for me. Does somebody know where the mistake is? For example, do I need to install an OVD server? I don't know. Please help me.

       

        • 1. Re: please help: WebLogic + BI + BI SQL Group Loader
          1026660

          Hi,

           

          You will not be able to see groups that you have defined in the database in EM. To assign a database group to a role in EM, go to BI->coreapplication->security->application roles and search for groups, locate Advance Option at the bottom and check the box "Check to enter principal name here instead of searching from above. This option can be used for advanced scenarios related to custom authenticators". Now select Groups under Type and enter the name (exactly the same) of the database group manually. Now you should be able to assign database groups to users authenticated through the WebLogic embedded LDAP.

           

          Thanks
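
A way to sanity-check the five statements from the BIGroupLoader configuration, and the exact-name requirement from the reply, before changing anything in WebLogic or EM. This is an added example, not code from the thread: it runs the provider's SQL against a constructed in-memory SQLite schema that stands in for the Oracle tables (an assumption; the users, roles and descriptions are made up).

```python
import sqlite3

# The five statements exactly as given in the provider configuration above.
PROVIDER_SQL = {
    "sql-list-member-groups": "SELECT ROLE_NAME FROM V_SYS_AUTH_ROLES WHERE LOGIN_NAME = ?",
    "sql-list-groups": "SELECT NAME FROM UA_ROLES WHERE NAME LIKE ?",
    "sql-group-exists": "SELECT NAME FROM UA_ROLES WHERE NAME = ?",
    "sql-is-member": "SELECT LOGIN_NAME FROM V_SYS_AUTH_ROLES WHERE ROLE_NAME = ? AND LOGIN_NAME = ?",
    "sql-get-group-description": "SELECT DESCRIPTION FROM UA_ROLES WHERE NAME = ?",
}

def build_sample_db():
    """Constructed stand-in schema: only the columns the statements use."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE UA_ROLES (NAME TEXT PRIMARY KEY, DESCRIPTION TEXT);
        CREATE TABLE V_SYS_AUTH_ROLES (LOGIN_NAME TEXT, ROLE_NAME TEXT);
        INSERT INTO UA_ROLES VALUES ('BI_AUTHORS', 'Report authors'), ('BI_ADMINS', 'BI administrators');
        INSERT INTO V_SYS_AUTH_ROLES VALUES ('alice', 'BI_AUTHORS'), ('alice', 'BI_ADMINS'), ('bob', 'BI_AUTHORS');
    """)
    return db

def run(db, key, *params):
    """Run one provider statement with bound parameters; return first-column values."""
    return [row[0] for row in db.execute(PROVIDER_SQL[key], params)]

def check_principal(db, group, user):
    """What a manually typed group name resolves to for one user."""
    return {
        "group_exists": bool(run(db, "sql-group-exists", group)),
        "is_member": bool(run(db, "sql-is-member", group, user)),  # order: role, login
        "description": (run(db, "sql-get-group-description", group) or [None])[0],
    }

def mismatches(db):
    """Role names used in the membership view that are missing from UA_ROLES."""
    known = set(run(db, "sql-list-groups", "%"))
    used = {r[0] for r in db.execute("SELECT DISTINCT ROLE_NAME FROM V_SYS_AUTH_ROLES")}
    return sorted(used - known)

if __name__ == "__main__":
    db = build_sample_db()
    print(sorted(run(db, "sql-list-member-groups", "alice")))
    print(check_principal(db, "BI_ADMINS", "alice"))
    # '=' is case-sensitive here, as in Oracle by default: a wrong-case name finds nothing.
    print(check_principal(db, "bi_admins", "alice"))
    print(mismatches(db))
```

Against the real schema, the same statements can be run through any SQL client with the group name exactly as it will be typed into the EM principal field.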