
Posts Tagged ‘ldap’

ADSI Groups in OBIEE (LDAP)

August 5th, 2009 2 comments

This is official – you can’t get groups from ADSI! Hopefully, this can help someone who’s battling management at the beginning of a project. Sometimes Oracle salespeople are overly optimistic and give the impression that OBIEE can do everything. But I’ll leave that as the theme of another post.

Here’s the full text: “

I am able to log in to Analytics web using my Active Directory credentials. However, I need to be able to assign permissions to myself. How do I do that? Do I create an Analytics group named the same as an Active Directory group and assign permissions to the Analytics group?

Customer is able to log in to Analytics web using my Active Directory credentials. However, he wants to assign permissions to myself. How do I do that? Do I create an Analytics group named the same as an Active Directory group and assign permissions to the Analytics group?

Resolution
After understanding the requirements of the customer, it was determined that it is not possible to retrieve the group name the way the customer is trying.

The customer is trying to retrieve the GROUP value from the memberOf attribute.

The memberOf attribute is an array which has multiple values.

Here is an example:
CN=Siebel Administrator,OU=People,DC=d1,DC=us,DC=ts
memberOf=CN=Group Policy Creator Owners,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Domain Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Enterprise Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Schema Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Administrators,CN=Builtin,DC=d1,DC=us,DC=ts

We do not support retrieving groups dynamically for LDAP/ADSI validation.
I have logged Bug No# 5714777 as an Enhancement Request to support this feature.
The only way to retrieve the group name is to create an attribute “xyz” in ADSI and populate it with xyz:webadmin;siebeladmin; then you can map it to the Group variable. ”
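The workaround in the quoted text means someone has to derive that semicolon-delimited value from each user's memberOf DNs. The sketch below is an added example, not Oracle's code: GROUP_MAP, the two constructed DNs and the function names are assumptions, and writing the result to the directory is left out. It parses the leading RDN with its escapes handled and forwards only allowlisted groups, so memberships such as Domain Admins never reach OBIEE unless explicitly mapped.

```python
import re

# memberOf values from the post, plus two constructed DNs (the last two).
MEMBER_OF = [
    "CN=Group Policy Creator Owners,CN=Users,DC=d1,DC=us,DC=ts",
    "CN=Domain Admins,CN=Users,DC=d1,DC=us,DC=ts",
    "CN=Enterprise Admins,CN=Users,DC=d1,DC=us,DC=ts",
    "CN=Schema Admins,CN=Users,DC=d1,DC=us,DC=ts",
    "CN=Administrators,CN=Builtin,DC=d1,DC=us,DC=ts",
    r"CN=BI Web Admins\, US,OU=Groups,DC=d1,DC=us,DC=ts",
    "CN=Siebel Admins,OU=Groups,DC=d1,DC=us,DC=ts",
]
# Hypothetical allowlist: AD group CN (lowercase) -> OBIEE group name.
GROUP_MAP = {"bi web admins, us": "webadmin", "siebel admins": "siebeladmin"}

def leading_cn(dn):
    """Return the unescaped CN value of a DN's first RDN, or None."""
    raw, i = bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if re.fullmatch("[0-9A-Fa-f]{2}", pair):  # hex escape, e.g. \2C
                raw.append(int(pair, 16))
                i += 3
            else:                                     # escaped special, e.g. \,
                raw += dn[i + 1].encode("utf-8")
                i += 2
            continue
        if ch == ",":  # first unescaped comma ends the leading RDN
            break
        raw += ch.encode("utf-8")
        i += 1
    attr, sep, value = raw.decode("utf-8", "replace").partition("=")
    return value if sep and attr.strip().upper() == "CN" else None

def group_attribute(member_of, group_map=GROUP_MAP, sep=";"):
    """Build the delimited value for the custom attribute from memberOf DNs."""
    groups = []
    for dn in member_of:
        cn = leading_cn(dn)
        name = group_map.get(cn.lower()) if cn else None
        if name is None:
            continue  # not on the allowlist: never forwarded to OBIEE
        if sep in name:
            raise ValueError(f"group name contains delimiter: {name!r}")
        if name not in groups:
            groups.append(name)
    return sep.join(groups)
```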

Categories: Security

LDAP: how to restrict the login to members of certain groups in OBIEE?

March 4th, 2009 3 comments

The question is – can you mix LDAP and other types of authentication? In one word – yes and no.

Here’s what Oracle suggests:

1. You can have internal authentication and LDAP authentication, e.g. users in the rpd, and users in the LDAP.

For users not defined in the repository, the presence of a defined session system variable USER determines that external authentication is performed.
So using this method, you can have groups with internal users using the internal security, and groups with users that use the LDAP authentication.

But you cannot mix external table and LDAP authentication, for example, as you cannot have different connection pools on the same init block.

2. The best option would be to create your own authentication DLL (custom authentication) so you will have full control over which systems you look up for the user account.
You can write your own DLL in C++, and have OBI Server invoke it. BI just passes the username/pwd received, and waits for an authenticated/not authenticated message from the DLL.

This has existed since 10.1.3.2.

We provide an example of such dll.
Location for the sample one: D:\OracleBI\server\SDK\CustomAuthenticatorSamples

I wonder if anyone has tried it – I think that at this time, it’d be easier to work around the requirement by using standard methods. Let’s see what John Minkjan might say about it.