0 Replies Latest reply on Jun 15, 2017 9:59 PM by CP Strother-Oracle

    OID groups not mapping to OBIEE 12c application roles

    CP Strother-Oracle

      Has anyone had any success with mapping ldap groups in OID with application roles in OBIEE for authorization?


      We are running on OEL linux 6.8 and for some reason our LDAP group membership in OID are not mapping back to the associated OBIEE application role in Middleware even though we can see and add the ldap groups as members to a role.


      As a result we are getting Access Prohibited.  OBIEE for some reason is not searching the ldap tree to see that I’m a member of the Super User group.


      For starters, I have configured Weblogic to use our corporate OID as the default authenticator.   


      I can then verify in Weblogic that I can see the OID users and groups.


      For kickers, If I re-add the out of the box authenticated-role as a member of BIConsumer it works, or if I directly add my user ID as a member of BI Consumer it also works. 


      From what I can tell the authentication piece is working fine but the authorization piece is not.  I'd really like to authorize to OBIEE as a member of a ldap group that is mapped to an application role.


      Here’s how we’ve configure our User and Base DN’s in weblogic for OID.  I think these are the ones that matter most:


      All Users Filter:                     (&(mail=*)(objectclass=inetorgperson))

      User From Name Filter:        (&(mail=*)(objectclass=inetorgperson))


      All Groups Filter:                                         (&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))

      Group From Name Filter:                         (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=orcldynamicgroup)))

      Group Membership Searching:                unlimited

      Max Group Membership Search Level:   5


      Static Group Nmae Attribute:                         cn

      Static Group Object Class:                            groupofuniquenames

      Static Member DN Attibute:                          uniquemember

      Static Group DNs from Member DN filter:   (&(uniquemember=%M)(objectclass=groupofuniquenames))


      Dynamic Group Name Attribute:                cn

      Dynamic Group Object Class:                   orcldynamicgroup

      Dynamic Member URL Attribute:              labeleduri

      User Dynamic Group DN Attribute:           <empty>


      We have a open ticket with MOS and here are the things we’ve tried with them, but with no success:


      1. ORACLESYSTEMUSER ------------- made part of Admin Group
      2. Fixed the OWSM issue (I don’t think is related, but it cleans up our logs) which can be found here:  https://community.oracle.com/blogs/mnemonic/2016/10/16/soa-suite-1221-owsm-wsm-02084-issue


      I've got authorization to work in 11g with Active Directory, but it involved configuring a BISYSTEM user and role, but these no longer exist in 12c.  Not sure if that's what's missing and the documentation makes no reference to it.


      I’ve followed the documentation to the letter as well as have an engineer from Oracle Support double-check our environment, but still with no avail.


      If anyone has got this to work or can offer any tips or suggested blogs to read, which surprisingly are quite limited for how long 12c has been on the market.  I’d greatly appreciate any assistance or suggestions you may have.


      Thank you very much