Oracle® Authentication Services for Operating Systems Administrator's Guide 10g (10.1.4.0.1-OAS4OS) E12023-01
Before installing Oracle Authentication Services for Operating Systems, ensure that you are using a supported operating system and the supported version of Oracle Internet Directory. Then, before you start the install, determine which of the optional product features you will use and locate the scripts you will use for migration.
This chapter contains the following topics:
Install Oracle Internet Directory and Oracle Directory Integration Platform
Apply the Oracle Internet Directory StartTLS and MD5 Crypt Library Patch
Oracle Authentication Services for Operating Systems has both server and client components. The server is the computer that runs Oracle Internet Directory. The client is a computer that uses the services of Oracle Internet Directory for authentication.
For up-to-date information about supported server and client operating systems, please consult the following documents:
The README document accompanying this release
Metalink Note 558907.1: OAS4OS 10.1.4.0.1 Installation, on Oracle MetaLink, http://metalink.oracle.com
Before you can install the patches described in the next two sections, you must install Oracle Internet Directory 10g (10.1.4.0.1). If you plan to migrate entries from an existing LDAP-compliant directory, or to synchronize Oracle Internet Directory with another directory, such as Active Directory, you must install Oracle Directory Integration Platform along with Oracle Internet Directory.
See Also:
for information about installing and patching Oracle Internet Directory. Both documents are located at:
Oracle Authentication Services for Operating Systems requires Oracle Internet Directory 10g (10.1.4.2.0) on the server. If you have not already done so, use $ORACLE_HOME/OPatch to apply the patch for 10.1.4.2.0. Oracle Internet Directory 10g (10.1.4.2.0) contains the necessary schemas for authentication on a Linux or UNIX-based operating system. The tracking bug for this patch is 5983637. See http://metalink.oracle.com.
Oracle Authentication Services for Operating Systems requires a patch that adds StartTLS capability and the MD5 Crypt Library to Oracle Internet Directory. Use $ORACLE_HOME/OPatch to apply this patch on the server before you install Oracle Authentication Services for Operating Systems. The tracking bug for this patch is 6843350. See http://metalink.oracle.com.
Before you begin the installation, consider which features of the product you are likely to use. For basic functionality, you need to apply the Oracle Internet Directory patch, run the server script on the system where you are running the Oracle Internet Directory server, then run the client script on each client. These scripts configure the server and clients for LDAP authentication. In addition to configuring basic LDAP authentication, you can choose from the following options:
Secure Socket Layer (SSL)–Unless your server and clients are isolated from the internet, you should enable SSL. To do so, use the SSL versions of the server and client configuration scripts. The libuser tool system-config-users requires SSL when you use it with Oracle Authentication Services for Operating Systems on Red Hat or Oracle Enterprise Linux.
Certificate and wallet to use with SSL–The SSL server configuration script generates a self-signed certificate, which is not designed for production mode. You can substitute a certificate signed by a certificate signing authority. You can also choose to use a customized wallet instead of the default wallet. See Oracle Application Server Administrator's Guide for information on Oracle wallets.
Current authentication source to migrate from–If you are using files, NIS, or another LDAP server, you can migrate to Oracle Internet Directory.
Whether to configure the libuser tools to use LDAP–The GUI tool system-config-users and the command-line utilities (luseradd, luserdelete, etc.) exist, by default, on Red Hat Enterprise Linux and Oracle Enterprise Linux. You can configure the libuser tools to work with LDAP, so that adding a user with luseradd, for example, adds the user entry to Oracle Internet Directory. If you do not use the libuser tools, you must use Oracle Directory Manager, Oracle Internet Directory bulk tools, or Oracle Internet Directory LDAP tools to configure entries directly in Oracle Internet Directory. If your client is Red Hat Enterprise Linux or Oracle Enterprise Linux, the client script will prompt you as to whether you want to configure libuser.
Note:
Data to migrate–Open Source scripts such as those described in the next section support migration of users and groups and other configuration data from NIS or from files. Oracle Authentication Services for Operating Systems includes tools for migrating from a third-party LDAP directory server.
Whether to migrate sudo–You can use Oracle Internet Directory instead of a sudoers configuration file to authenticate sudo commands.
How to enforce password policies–You can continue to use the operating system for password enforcement. Alternatively, you can use Oracle Internet Directory for centralized password policies.
Whether to integrate with Active Directory–You can use credentials stored in Active Directory for user authentication on Linux or UNIX-based operating systems.
If you have user, group, and other entries maintained in the local file system or in NIS/NIS+, you can move to LDAP as your storage mechanism for these entries. A number of free tools are available for this purpose. These tools enable you to extract the existing information and produce output files in the LDAP Data Interchange Format (LDIF). Once you have your information in LDIF files, you can use the ldapadd tool to load the information into Oracle Internet Directory.
We have validated the process of migrating information using the LDAP migration tools available at:
If you have the openldap packages installed on your host, you will find the same migration tools at: /usr/share/openldap/migration.
If you are migrating entries from a third-party, LDAP-compliant directory to Oracle Internet Directory, use $ORACLE_HOME/OPatch to apply the dipassistant patch, which simplifies the syntax of the properties file you will use with the Oracle Directory Integration Platform migration tool dipassistant.
Note: If you encounter an error when using OPatch to apply this patch, set the environment variable OPATCH_PLATFORM_ID to 0 and try again.
The tracking bug for this patch is 6849766. See http://metalink.oracle.com.
If you want to migrate the contents of the sudoers file to LDAP, you must run a migration script and build sudo with LDAP enabled. You can obtain the sudo package from:
You cannot successfully search for an attribute in Oracle Internet Directory unless the attribute is indexed. If you plan to add custom attributes, you can index them at the time you create them by using Oracle Directory Manager. You can also use ldapmodify to create an indexed attribute. You would use an LDIF file such as this:
dn: cn=catalogs
changetype: modify
add: orclindexedattribute
orclindexedattribute: attribute_name
Alternatively, you can index attributes after they have been created in Oracle Internet Directory by using catalog, as explained in "Using Custom Attributes in Oracle Internet Directory".
Note: If you attempt to perform a search with a non-indexed attribute specified as a required attribute, the server will return the error: Function not implemented. DSA unwilling to perform.
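To catch that error before a search reaches the server, here is an added Python example (not Oracle's tooling) that compares the attributes used in a search filter with a dump of cn=catalogs and emits the LDIF above generalised to several attributes for whatever is missing; the cn=catalogs dump and the departmentnumber attribute are constructed assumptions.

```python
import re

# Constructed sample of an ldapsearch dump of cn=catalogs; each
# orclindexedattribute value names one attribute that can be searched.
SAMPLE_CATALOGS_LDIF = """dn: cn=catalogs
objectclass: top
orclindexedattribute: objectclass
orclindexedattribute: cn
orclindexedattribute: uid
orclindexedattribute: uidnumber
orclindexedattribute: gidnumber
"""

def indexed_attributes(catalogs_ldif):
    """Lower-cased set of attribute names listed as indexed in a cn=catalogs dump."""
    names = set()
    for line in catalogs_ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "orclindexedattribute":
            names.add(value.strip().lower())
    return names

def filter_attributes(search_filter):
    """Attribute names used in an RFC 4515 filter, e.g. (&(uid=jdoe)(uidNumber>=1000))."""
    pattern = r"\(([A-Za-z][\w.;-]*)\s*[~<>]?="
    return {m.group(1).lower() for m in re.finditer(pattern, search_filter)}

def unindexed_attributes(search_filter, catalogs_ldif):
    """Filter attributes the server would reject with 'DSA unwilling to perform'."""
    return sorted(filter_attributes(search_filter) - indexed_attributes(catalogs_ldif))

def index_ldif(attribute_names):
    """ldapmodify LDIF adding one orclindexedattribute value per name in a single modify."""
    lines = ["dn: cn=catalogs", "changetype: modify", "add: orclindexedattribute"]
    lines += ["orclindexedattribute: " + name for name in attribute_names]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # departmentnumber is an assumed custom attribute not present in the sample dump
    flt = "(&(objectclass=posixAccount)(uid=jdoe)(departmentnumber=42))"
    missing = unindexed_attributes(flt, SAMPLE_CATALOGS_LDIF)
    print("not indexed:", missing)  # ['departmentnumber']
    if missing:
        # Save this output to a file and apply it with the Oracle Internet Directory ldapmodify tool.
        print(index_ldif(missing), end="")
```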