Oracle® Authentication Services for Operating Systems Administrator's Guide 10g (10.1.4.0.1-OAS4OS) E12023-01
Oracle Authentication Services for Operating Systems enables you to centralize storage, authentication, and management of user identities using Oracle Internet Directory.
This chapter contains the following topics:
Features of Oracle Authentication Services for Operating Systems
Components of Oracle Authentication Services for Operating Systems
Oracle Internet Directory is a standards-based directory server that leverages the security, scalability, and reliability of Oracle Database 10g to store users, groups, and other types of entries. Oracle Internet Directory supports password policy enforcement. Oracle Internet Directory can be synchronized with third-party directory servers, such as Active Directory.
Oracle Authentication Services for Operating Systems enables you to use Oracle Internet Directory for authentication on Linux and UNIX-based operating systems. Configuration scripts automate the configuration of Pluggable Authentication Modules (PAM) and Secure Sockets Layer (SSL). You can then migrate existing entries from NIS, files, or another LDAP-compliant directory, and optionally configure features such as password policy enforcement, sudo, and automount. Oracle Internet Directory tools are available for entry management, and libuser tools can be used for many operations. These features are summarized in Figure 1-1.
Oracle Authentication Services for Operating Systems requires the Oracle Internet Directory patch tracked by Bug 6843350, which adds the following capabilities to 10g (10.1.4.2.0):
Start-TLS–enables you to configure the same port for both SSL and non-SSL connections on most operating systems
MD5 Crypt Library–provides native MD5 crypt password hashing
The Oracle Authentication Services for Operating Systems download contains the following components:
SSL and non-SSL server configuration scripts
SSL and non-SSL client configuration scripts
Support for migration from NIS as well as from flat file-based authentication
Support for migration from a third party LDAP directory to Oracle Internet Directory. A separate patch is required.
Support for migration of sudo policy from a sudoers file to Oracle Internet Directory
Support for migration of automounts to Oracle Internet Directory
When a user provides credentials (a username and password) to login, xdm, ssh, su, or some other client login program, the following events occur.
An authentication module in the login program examines local configuration files to determine how to authenticate the user. The files contain information such as the method to use (LDAP), the location of the server, and, if SSL is configured, the certificate to use.
The authentication module attempts to perform an LDAP bind operation to the Oracle Internet Directory server with the user's credentials. If SSL is configured, the module first establishes the SSL communications channel using the certificate.
If Oracle Internet Directory determines that the credentials are correct and the account is active, the bind succeeds. Otherwise, the bind fails, and the user's login attempt fails.
If the bind succeeds, the module queries Oracle Internet Directory again for the user's group membership information.
Oracle Internet Directory returns the group membership information.
These events are shown in Figure 1-2.
To install and configure Oracle Authentication Services for Operating Systems, you perform the following steps:
Install Oracle Internet Directory 10g (10.1.4.2.0).
Install the patch tracked by Bug 6843350 on the Oracle Internet Directory 10.1.4.2.0 server.
Download the release.
Execute the configuration scripts to configure the server and clients for user authentication.
Configure password policies.
Migrate entries from NIS, local files, or another LDAP-compliant directory to Oracle Internet Directory.
Configure sudo authentication and migrate sudo entries to Oracle Internet Directory.
Optionally, you can configure integration with Active Directory so that you can use credentials stored in Active Directory for authentication on a Linux or UNIX-based operating system.
After you install Oracle Authentication Services for Operating Systems and migrate your data to Oracle Internet Directory, you must use specific tools to manage users, passwords, and other data. Specifically, you must use:
Oracle Directory Manager
The LDAP tools and bulk tools in $ORACLE_HOME/bin
The passwd command
You can also use the libuser tools on Linux distributions that support it, with some limitations.
For more information about Oracle Authentication Services for Operating Systems 10g (10.1.4.0.1-OAS4OS), see:
The README document accompanying this release
Metalink Note 558907.1: OAS4OS 10.1.4.0.1 Installation, on Oracle MetaLink, http://metalink.oracle.com