Oracle® Authentication Services for Operating Systems Administrator's Guide 10g (10.1.4.0.1-OAS4OS) E12023-01 |
If you have users in Active Directory, and you want to use the credentials stored in Active Directory for Linux or UNIX authentication, you can configure integration with Active Directory. Setting up integration with Active Directory requires several steps:
You use the Oracle Directory Integration Platform to synchronize user and group entries to Oracle Internet Directory when they are added to or changed in Active Directory.
You use an Oracle Internet Directory plug-in to add required attributes to the user and group entries in Oracle Internet Directory after they are synchronized from Active Directory to Oracle Internet Directory.
You use another Oracle Internet Directory plug-in to enable Active Directory authentication of Linux or UNIX users.
To secure communication, you configure SSL between Oracle Directory Integration Platform and Active Directory and between Oracle Directory Integration Platform and Oracle Internet Directory.
This chapter contains the following sections:
Setting up a Plug-in to Augment Active Directory Entries for Linux Authentication
Configuring SSL Between Oracle Directory Integration Platform and Active Directory
Configuring SSL Between Oracle Directory Integration Platform and Oracle Internet Directory
User entries in Active Directory do not include key information required for Linux authentication. Therefore, when you synchronize users from Active Directory into Oracle Internet Directory by using the Active Directory connector of Oracle Directory Integration Platform, you must augment those user entries with the required information. To facilitate this, the product includes a PL/SQL plug-in that can be enabled on Oracle Internet Directory.
Enable the plug-in as follows:
Use a text editor to make the following changes to $ORACLE_HOME/ldap/admin/posixattr_when_add.pls:
In line 71, replace the value of v_homeDirectory with the desired home directory.
In line 72, replace the value of v_loginShell with the desired login shell.
In line 73, replace the value of v_gidNumber with the GID number of the users.
Load the plug-in package into the database by running the script in SQL*Plus as the ODS user:
sqlplus ods/odspwd @$ORACLE_HOME/ldap/admin/posixattr_when_add.pls
where odspwd is the password of the ODS user. The space before @ is required; without it SQL*Plus treats the path as a connect identifier. A password given on the command line is visible to other users in the process list and is recorded in the shell history; to avoid this, run sqlplus ods, enter the password at the prompt, and then execute @$ORACLE_HOME/ldap/admin/posixattr_when_add.pls at the SQL prompt.
Use a text editor to make the following change in $ORACLE_HOME/ldap/admin/posixattr_when_add.ldif: replace the value of orclpluginsubscriberdnlist with your realm's DN.
Add the plug-in to Oracle Internet Directory by running the following command:
ldapadd -h host -p port -D cn=orcladmin -w password \
    -f $ORACLE_HOME/ldap/admin/posixattr_when_add.ldif
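A check worth running once the plug-in is loaded and a user has been synchronized: search the user's entry in Oracle Internet Directory with ldapsearch (LDIF output) and confirm that it carries what Linux PAM and NSS lookups need. The script below is an added example written for this procedure; it is not part of this guide or of the product. It parses LDIF, including folded continuation lines, and reports every entry that lacks the posixAccount object class or any of uid, uidNumber, gidNumber, homeDirectory or loginShell. The two entries it checks are constructed sample data, and their DNs and values are assumptions.

```shell
#!/bin/sh
# Added example: verify that entries synchronized into Oracle Internet
# Directory carry the POSIX attributes Linux authentication requires.
# Input is LDIF as written by ldapsearch; the sample data below is constructed.

# check_posix_account LDIF_FILE
# Prints one line per entry that is missing something and returns 1;
# returns 0 when every entry in the file is complete.
check_posix_account() {
    awk '
        function handle(l,   p, name, val) {
            if (l == "") { flush(); return }        # blank line ends an entry
            if (l ~ /^#/) return                    # LDIF comment
            p = index(l, ":")
            if (p == 0) return
            name = tolower(substr(l, 1, p - 1))
            val = substr(l, p + 1)
            sub(/^:? */, "", val)                   # "::" (base64) is not decoded; presence is enough
            if (name == "dn") { dn = val; return }
            have[name] = 1
            if (name == "objectclass") oc[tolower(val)] = 1
        }
        function flush(   i, n, k, req, missing) {
            if (dn == "") return
            n = split("uid uidnumber gidnumber homedirectory loginshell", req, " ")
            missing = ""
            for (i = 1; i <= n; i++) if (!(req[i] in have)) missing = missing " " req[i]
            if (!("posixaccount" in oc)) missing = missing " objectClass=posixAccount"
            if (missing != "") { printf "%s: missing%s\n", dn, missing; bad = 1 }
            dn = ""
            for (k in have) delete have[k]
            for (k in oc) delete oc[k]
        }
        BEGIN { bad = 0; started = 0 }
        /^ / { line = line substr($0, 2); next }    # folded continuation line (RFC 2849)
        { if (started) handle(line); line = $0; started = 1 }
        END { if (started) handle(line); flush(); exit bad }
    ' "$1"
}

# write_sample_ldif FILE
# Constructed sample of ldapsearch output: one user the plug-in has augmented
# (with a folded homeDirectory line) and one that only has what came from AD.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=jdoe,ou=People,dc=us,dc=oracle,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
cn: jdoe
uid: jdoe
uidNumber: 10001
gidNumber: 500
homeDirectory: /home/
 jdoe
loginShell: /bin/bash
gecos: jdoe

dn: cn=asmith,ou=People,dc=us,dc=oracle,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: asmith
uid: asmith
gecos: asmith
EOF
}

# Demo on the constructed sample; with a live directory, save the ldapsearch
# output of the People container to a file and pass that file instead.
sample="${TMPDIR:-/tmp}/oas4os_sample.$$"
write_sample_ldif "$sample"
if check_posix_account "$sample"; then
    echo "all entries carry the POSIX attributes"
else
    echo "some entries are not usable for Linux authentication" >&2
fi
rm -f "$sample"
```

The check is deliberately strict about the object class as well as the attributes: an entry can carry uidNumber and friends as extension attributes and still be rejected by a schema-aware client, so both are verified.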
Oracle Directory Integration Platform is documented in the Oracle Identity Management Integration Guide. The following procedure refers to that document in several places.
To enable Oracle Directory Integration Platform for Active Directory integration with Oracle Authentication Services for Operating Systems, perform these steps:
Verify the synchronization requirements, as described in "Verifying Synchronization Requirements," under "Configuring Synchronization with a Third-Party Directory," in Chapter 18 of the Oracle Identity Management Integration Guide.
Create a synchronization profile by running dipassistant expressconfig, as described in Step 1 of "Creating Synchronization Profiles with Express Configuration," under "Configuring Synchronization with a Third-Party Directory," in Chapter 18 of the Oracle Identity Management Integration Guide.
Edit the profiles resulting from the express configuration. To understand mapping rules, see: "Configuring Mapping Rules," in Chapter 6 of the Oracle Identity Management Integration Guide.
Make the following changes:
Change the domain rules to point to the following domain in Oracle Internet Directory: ou=People,dc=us,dc=oracle,dc=com.
Comment out this line:
userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
Uncomment this line:
#sAMAccountName: : :user:uid: :inetorgperson
Add this line:
cn: : :person:gecos: :person:
See the sample synchronization profile in Appendix D. The customizations are shown in boldface.
Continue with Steps 2-5 of "Creating Synchronization Profiles with Express Configuration," under "Configuring Synchronization with a Third-Party Directory," in Chapter 18 of the Oracle Identity Management Integration Guide.
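The edits in the preceding steps are small but easy to get subtly wrong (a stray character in a rule line silently breaks the mapping), so it helps to apply and verify them with a script. The one below is an added example written for this guide; it is not Oracle's code and the sample map file it operates on is constructed. It assumes the map file uses the DomainRules and AttributeRules sections with one rule per line, that the rule lines are exactly those quoted above, and that the destination container is passed as a parameter.

```shell
#!/bin/sh
# Added example: apply the mapping-rule customizations from the procedure
# above to an ODIP profile map file, then verify them. Sample data below is
# constructed; point the functions at your exported profile in real use.

# apply_oas4os_mapping FILE DST_CONTAINER
# Rewrites FILE in place so that:
#   - every active DomainRules line routes to DST_CONTAINER (its 2nd field)
#   - the userPrincipalName -> uid rule is commented out
#   - the sAMAccountName -> uid rule is uncommented
#   - the cn -> gecos rule is present exactly once
# Running it twice leaves the file unchanged.
apply_oas4os_mapping() {
    file=$1
    dst=$2
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v dst="$dst" '
        BEGIN { seen_cn = 0 }
        /^DomainRules/    { sec = "domain"; print; next }
        /^AttributeRules/ { sec = "attr";   print; next }
        sec == "domain" && $0 !~ /^#/ && NF >= 2 { $2 = dst; print; next }
        /^userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName$/ {
            print "#" $0; next
        }
        /^#sAMAccountName: : :user:uid: :inetorgperson:?$/ {
            print substr($0, 2); next
        }
        /^cn: : :person:gecos: :person:$/ { seen_cn = 1 }
        { print }
        END { if (!seen_cn) print "cn: : :person:gecos: :person:" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_oas4os_mapping FILE DST_CONTAINER
# Returns 0 when FILE carries all of the customizations, 1 otherwise.
check_oas4os_mapping() {
    file=$1
    dst=$2
    grep -q '^sAMAccountName: : :user:uid: :inetorgperson' "$file" || return 1
    if grep -q '^userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName' "$file"; then
        return 1
    fi
    grep -q '^cn: : :person:gecos: :person:$' "$file" || return 1
    # every active domain rule must route into the target container
    awk -F: -v dst="$dst" '
        BEGIN { bad = 0 }
        /^DomainRules/    { sec = "domain"; next }
        /^AttributeRules/ { sec = "attr";   next }
        sec == "domain" && $0 !~ /^#/ && NF >= 2 && $2 != dst { bad = 1 }
        END { exit bad }
    ' "$file"
}

# write_sample_map FILE
# Constructed fragment in the shape of an express-configuration import profile.
write_sample_map() {
    cat > "$1" <<'EOF'
DomainRules
cn=users,dc=example,dc=com:cn=users,dc=example,dc=com:
AttributeRules
userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
#sAMAccountName: : :user:uid: :inetorgperson
cn: : :person:cn: :person:
EOF
}

target="ou=People,dc=us,dc=oracle,dc=com"
sample="${TMPDIR:-/tmp}/oas4os_map_demo.$$"
write_sample_map "$sample"
apply_oas4os_mapping "$sample" "$target"
if check_oas4os_mapping "$sample" "$target"; then
    echo "customizations present:"
    cat "$sample"
else
    echo "customizations missing in $sample" >&2
fi
rm -f "$sample"
```

Run check_oas4os_mapping on the edited profile before continuing with Steps 2-5, and again after any later re-run of the express configuration, which regenerates the default rules.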
To secure communications between Oracle Directory Integration Platform and Active Directory using SSL, perform the following steps:
Shut down the Oracle Directory Integration Platform server by executing the following command as the user who installed Oracle Internet Directory:
oidctl configset=1 connect=db_connect_string instance=1 server=odisrv stop
where db_connect_string is the back-end database connect string that was set during installation of Oracle Internet Directory.
Configure Oracle Directory Integration Platform to use SSL server authentication by executing the following command:
dipassistant modifyprofile -h oid_host -profile profile_name -p oid_port \
    -D oid_dn odip.profile.condirurl=host:port:2
where host and port are the Active Directory host and its SSL port. The value 2 at the end of the URL specifies SSL server authentication: Oracle Directory Integration Platform verifies the Active Directory server certificate against the trusted certificates in the wallet configured in the following steps.
Export the Active Directory SSL server certificate to a file and import it into an Oracle Wallet as a trusted certificate by executing the following commands:
orapki wallet create -wallet /usr/lib/oracle/oid/wallet/ad -pwd wallet_pwd
orapki wallet add -wallet /usr/lib/oracle/oid/wallet/ad -cert Exported_AD_Cert_File \
    -trusted_cert -pwd wallet_pwd
You can confirm that the certificate is in the wallet with orapki wallet display -wallet /usr/lib/oracle/oid/wallet/ad -pwd wallet_pwd. If you import the server's own certificate rather than that of the CA that issued it, the import must be repeated whenever the Active Directory server certificate is renewed; otherwise the SSL handshake fails after the renewal.
Edit the file $ORACLE_HOME/ldap/odi/conf/odi.properties to set values for the wallet location (certWalletFile) and the file that stores the wallet password (certWalletPwdF), as follows:
certWalletFile: /usr/lib/oracle/oid/wallet/ad
certWalletPwdF: /usr/lib/oracle/oid/wallet/ad/certWalletPwd
Ensure that there are no trailing spaces at the ends of the lines.
Create the certWalletPwdF file by executing the following command:
dipassistant wpasswd
Enter your wallet password when prompted. Anyone who can read this file can open the wallet, so make sure it is owned by the user that runs the Oracle Directory Integration Platform server and is not readable by group or others (for example, mode 600).
To start the Oracle Directory Integration Platform server, execute the following command as root:
oidctl configset=1 connect=xe instance=1 server=odisrv flags='port=OID_port grpid=defaultgroup' start
where OID_port is the Oracle Internet Directory port number.
To secure communications between Oracle Directory Integration Platform and Oracle Internet Directory using SSL, perform the following steps:
To shut down the Oracle Directory Integration Platform server, execute the following command as root:
oidctl configset=1 connect=xe instance=1 server=odisrv stop
Edit the file $ORACLE_HOME/ldap/odi/conf/odi.properties to set values for the wallet location (certWalletFile) and the file that stores the wallet password (certWalletPwdF), as follows:
certWalletFile: /usr/lib/oracle/oid/wallet/server
certWalletPwdF: /usr/lib/oracle/oid/wallet/server/certWalletPwd
Ensure that there are no trailing spaces at the ends of the lines.
Create the certWalletPwdF file by executing the following command:
dipassistant wpasswd
Enter your wallet password when prompted.
Start the Oracle Directory Integration Platform server by executing the following command as root:
oidctl configset=1 connect=xe instance=1 server=odisrv flags='port=OID_port grpid=defaultgroup' start
where OID_port is the Oracle Internet Directory port number.
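Both SSL procedures (toward Active Directory and toward Oracle Internet Directory) end with the same fragile step: hand-editing odi.properties with no trailing whitespace, then restarting the server and hoping the wallet is found. The script below is an added example, not part of this guide or the product, that checks the edited file before the restart: no trailing whitespace on any line, certWalletFile and certWalletPwdF both set, both paths present on disk, and the password file not readable by group or others. It assumes the key: value form shown in the procedures; the directory layout it builds for its demo is constructed, and in real use you pass $ORACLE_HOME/ldap/odi/conf/odi.properties.

```shell
#!/bin/sh
# Added example: sanity-check the odi.properties wallet settings from the SSL
# procedures above before restarting the ODIP server. Paths in the demo are
# constructed; pass the real $ORACLE_HOME/ldap/odi/conf/odi.properties in use.

# prop_value FILE KEY
# Prints the value of KEY (first match, "key: value" or "key=value"), or nothing.
prop_value() {
    sed -n "s/^$2[[:space:]]*[:=][[:space:]]*//p" "$1" | head -n 1
}

# check_odi_ssl_config FILE
# Returns 0 when FILE has no trailing whitespace, names a wallet location and
# a password file that both exist, and the password file is mode 600-like.
# Every problem found is reported on stderr.
check_odi_ssl_config() {
    props=$1
    rc=0
    if grep -n '[[:space:]]$' "$props" >&2; then
        echo "$props: trailing whitespace on the line(s) above" >&2
        rc=1
    fi
    wallet=$(prop_value "$props" certWalletFile)
    pwdf=$(prop_value "$props" certWalletPwdF)
    if [ -z "$wallet" ]; then
        echo "$props: certWalletFile is not set" >&2; rc=1
    elif [ ! -e "$wallet" ]; then
        echo "$props: wallet location '$wallet' does not exist" >&2; rc=1
    fi
    if [ -z "$pwdf" ]; then
        echo "$props: certWalletPwdF is not set" >&2; rc=1
    elif [ ! -f "$pwdf" ]; then
        echo "$props: password file '$pwdf' missing; run dipassistant wpasswd" >&2; rc=1
    else
        # columns 5-10 of ls -l are the group and other permission bits
        case "$(ls -ld "$pwdf" | cut -c5-10)" in
            ------) ;;
            *) echo "$pwdf: readable by group or others; chmod 600 it" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# make_demo_tree BASE good|bad
# Builds a constructed layout under BASE: a wallet directory, a password file
# and an odi.properties. "bad" adds a trailing space and a world-readable file.
make_demo_tree() {
    base=$1
    kind=$2
    mkdir -p "$base/wallet/ad"
    printf 'not-a-real-password\n' > "$base/wallet/ad/certWalletPwd"
    if [ "$kind" = good ]; then
        chmod 600 "$base/wallet/ad/certWalletPwd"
        printf 'certWalletFile: %s\ncertWalletPwdF: %s\n' \
            "$base/wallet/ad" "$base/wallet/ad/certWalletPwd" > "$base/odi.properties"
    else
        chmod 644 "$base/wallet/ad/certWalletPwd"
        printf 'certWalletFile: %s \ncertWalletPwdF: %s\n' \
            "$base/wallet/ad" "$base/wallet/ad/certWalletPwd" > "$base/odi.properties"
    fi
}

demo="${TMPDIR:-/tmp}/odi_ssl_demo.$$"
for kind in good bad; do
    make_demo_tree "$demo" "$kind"
    if check_odi_ssl_config "$demo/odi.properties"; then
        echo "$kind: configuration passes"
    else
        echo "$kind: configuration rejected"
    fi
done
rm -rf "$demo"
```

The trailing-space check matters more than it looks: a value of "/usr/lib/oracle/oid/wallet/ad " names a directory that does not exist, which is exactly the failure the guide's warning about trailing spaces is meant to prevent.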
Enable the External Authentication plug-in shipped with Oracle Internet Directory so that Linux authentication uses the credentials stored in Active Directory.
To configure and enable this plug-in, use the extauth operation of the Directory Integration Assistant (dipassistant) utility. The command syntax is:
dipassistant extauth [-h hostName] [-p port] -D bindDN -w bindPassword \
    -t extDirType
See the dipassistant section of the chapter entitled "Oracle Directory Integration Platform Tools" in the Oracle Identity Management User Reference for more information on how to use the extauth operation.
If you want to set up an external authentication plug-in to work with multiple external authentication domains, you must perform some manual instructions after you run the external configuration tool. See "Configuring External Authentication Against Multiple Domains," under "Configuring External Authentication Plug-ins," in Chapter 18 of the Oracle Identity Management Integration Guide.