|Oracle® Fusion Middleware Administrator's Guide for Oracle Authentication Services for Operating Systems
11g Release 1 (11.1.1)
Part Number E16454-02
This chapter contains the following topics:
Before you begin the procedures described in this chapter, you must perform the prerequisite procedures described in Chapter 2.
This introduction contains the following sections:
Oracle Internet Directory can be configured for SSL-no authentication, SSL-server authentication and SSL-mutual authentication modes. In all three modes, the data is encrypted during transmission. Oracle Internet Directory comes pre-configured with the SSL-no authentication mode. However, some clients such as the PAM_LDAP clients used for Linux user authentication do not support this mode and only support SSL-server authentication mode.
The initial server configuration process enables you to configure Oracle Internet Directory for SSL-server authentication mode. You can use an existing certificate or let the SSL configuration script generate a self-signed certificate for you. To use an existing certificate, you must have already configured Oracle Internet Directory in SSL mode with this certificate. See the "Configuring Secure Sockets Layer (SSL)" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information on configuring Oracle Internet Directory in SSL mode.
Note:Self-signed certificates are not intended for production use.
If you do not specify an existing certificate, the SSL server configuration script generates two Oracle wallets:
Test Certificate Authority (CA) Wallet–used to sign the Oracle Internet Directory SSL Server Certificate. This consists of the following files in
cakey.txt–a 1024 bit RSA private key
cacert.txt–based64 encoded certificate
Oracle Internet Directory SSL Server Certificate. This consists of the following files in
creq.txt–Oracle Internet Directory SSL Server Certificate Request
cert.txt–Oracle Internet Directory SSL Server Certificate signed by Test CA Wallet
cwallet.sso–Oracle Internet Directory SSL Server Wallet for auto-login
ewallet.p12–PKCS12 encoded Oracle Internet Directory SSL wallet
Note:The PKCS12-encoded wallets contain the private keys for the relevant entities and are protected by a wallet password that you set when running the SSL server configuration script.
For a client to trust the Oracle Internet Directory SSL Server Certificate (2) it must trust the Test CA Wallet (1). Since most Linux clients work with the PEM format, a copy of the Test CA Wallet (1) in PEM format is available at:
Oracle Internet Directory ships with a rich set of password policies that can be leveraged for centralized password policy management. See the chapter on Password Policies in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) to understand the concepts governing these features.
Oracle Internet Directory supports two types of password policies: value policies and state policies. Value policies govern password construction requirements, such as minimum length. State policies govern things like password expiration and lockout. On Linux and UNIX-based operating systems, state policies are traditionally handled in the shadow password file using the password aging feature. These policies can be applied in a fine-grained manner down to the level of a single user entry.
You can use Oracle Internet Directory to enforce both value and state policies. Value policy violations result in visible error message on the Linux client, but state policy violations simply result in login failures. This is because the
pam_ldap client does not display the messages that Oracle Internet Directory sends as additional information with the LDAP bind failure.
To use Oracle Internet Directory for centralized password policies, you must disable value and state policies local to the operating system. The procedure for doing this is described in "Configuring Oracle Internet Directory for Centralized Password Policies".
If you do not want to use Oracle Internet Directory for password policy enforcement, you must disable password policies in Oracle Internet Directory by setting
0. To avoid messages about password syntax, you must also disable the password syntax check by setting
See Also:The Password Policies chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
If you have users in Active Directory, and you want to use the credentials stored in Active Directory for Linux authentication, you can configure Oracle Directory Integration Platform to integrate with Active Directory. The configuration process is described in Chapter 5, "Configuring Active Directory Integration."
A directory server plug-in is a customized program that extends the capabilities of the Oracle Internet Directory server. The procedures for augmenting Active Directory entries and for setting up external authentication with Active Directory both include setting up plug-ins. These procedures are described in Chapter 5, "Configuring Active Directory Integration."
See Also:Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for more information about directory server plug-ins.
Before you run the configuration scripts, you must set your locale by setting the
NLS_LANG environment variable. After you set
NLS_LANG, the scripts will work correctly when you provide input in your local language.
Some of the tasks described in this chapter require you to use Oracle Internet Directory or Oracle Directory Integration Platform tools. These tools include:
The Oracle Internet Directory LDAP command-line tools–These are located in the
$ORACLE_HOME/bin directory. These tools are
ldapmodifymt. For interaction with the Oracle Internet Directory server, you must use the LDAP tools in
$ORACLE_HOME/bin and not those shipped in the operating system base image.
The Oracle Internet Directory bulk tools–These are also located in the
$ORACLE_HOME/bin directory. These tools are
ldifwrite. The bulk tools allow you to perform bulk operations, such as adding or deleting a large number of entries.
One important bulk tool is the
catalog tool. This tool enables you to add indexes to attributes in Oracle Internet Directory. Attributes must be indexed in order to be searchable. This example adds an index to the attribute
catalog connect="connect_str" add="TRUE" attribute="uid"
opmnctl command–You use this to stop and start the Oracle Internet Directory server.
Oracle Directory Integration Platform command
syncProfileBootstrap when configuring SSL for communication between Oracle Directory Integration Platform and Active Directory and when migrating data from another LDAP-compliant directory to Oracle Internet Directory.
Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory and the Oracle Fusion Middleware Reference for Oracle Identity Management for information about the Oracle Internet Directory LDAP tools, bulk tools, and
The chapter entitled "Oracle Directory Integration Platform Tools" in the Oracle Fusion Middleware Reference for Oracle Identity Management and the chapter entitled "Configuration of Directory Synchronization Profiles" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform for more information on
Use the server configuration script to configure the server for UNIX or Linux authentication, as follows.
Look for error messages printed to the screen while the configuration script is running. An example of a successful run is provided for comparison in Appendix E, "Sample Script Output."
You can switch between SSL and non-SSL configurations. See "Switching Between SSL Authentication and Non-SSL Configurations".
You can disable either the SSL port or the non-SSL port if you are not using it. You do this by changing the value of the configuration attribute
orclSSLEnable. See the entry for
orclSSLEnable in the Attribute Reference chapter of the Oracle Fusion Middleware Reference for Oracle Identity Management.
Execute the server script on the server as the same user who installed Oracle Internet Directory. Change directory to
$ORACLE_HOME/oas4os/bin, then type:
You will be prompted for
ORACLE_HOME,ORACLE_INSTANCE, realm (naming context), SSL- and non-SSL port, OID component name (for example,
oid1), and password for
cn=orcladmin. Supply the appropriate values in response to the prompts.
If you have set
ORACLE_INSTANCE as environment variables, you will not be prompted for them.
You will be asked if you want the client machines to connect to Oracle Internet Directory anonymously or by using a specific user DN and password. If you answer
y, the script will enable anonymous binds in Oracle Internet Directory server and clients will connect to the server by using anonymous binds. If you choose
n, you will be prompted for the DN and password for connecting to Oracle Internet Directory.
The "Managing Accounts and Passwords" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory
The "Managing Authentication" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory
If you are using the SSL configuration script, the script will print:
You can provide an SSL Certificate or use the script to create and update OID SSL configuration with a test certificate.Do you have an SSL Certificate [y/n]:
If you type
y in response to that prompt, you will be prompted to supply the path to the certificate. Specify the full path, including the filename, in response to the prompt, for example:
PEM format is supported.
If you type
n in response to the prompt, you will be prompted for the wallet password. The script configures Oracle Internet Directory for SSL server side authentication mode with a self-signed certificate.
The SSL version of the script configures the non-SSL port for StartTLS, which allows SSL and non-ssl connections to use the same port. if the self-signed certificate option was chosen, the script also configures the SSL port for connections from clients that do not support StartTLS. (If the self-signed certificate option was not chosen, you are expected to have already configured OID's SSL port with your custom certificate.)
The server script creates the client script,
config_OIDclient.sh, in the location
timestamp, customizing it for your environment. The server script prints the client script location on the screen at the end of the script as follows:
OAS4OS Client Config Script: client_script_path
The script updates several Oracle Internet Directory server parameters with the information it has gathered. The SSL version of the script restarts the Oracle Internet Directory server. The non-SSL version does not.
You configure each client for UNIX or Linux authentication by running a client configuration script. Follow these steps.
The following steps are specific to Solaris 9.
On Solaris 9 only, download the Sun Java System Directory Server Resource Kit SDRK52 and install it as
After installing the Sun Java System Directory Server Resource Kit, before you run the client configuration script, modify the environment variables
LD_LIBRARY_PATH so that
/lib/nss/bin and LD_LIBRARY_PATH includes
installroot is the directory where you installed the Sun Java System Directory Server Resource Kit For example, if you installed the software in
PATH and add
Perform the tasks described under "All Client Platforms".
The following steps are specific to AIX 5.3.
The base AIX 5L LDAP client is packaged in the
ldap.client file sets located on the AIX 5L product media.
If you plan to use SSL to connect to the LDAP server, you must install the
ldap.max_crypto_client file sets located on the AIX 5L Expansion Pack. The installation procedure is described in "Install SSL-Related Client Packages on AIX".
Install the base AIX LDAP client package. You can find it in the
ldap.client file sets located on the AIX 5L product media. Execute the following command to install the basic package:
installp -acgXd LPPSOURCE ldap.client
LPPSOURCE is the location of your Licensed Product Packages (LPPs).
Note:You can also use SMIT or the Web-based System Manager to install the LPPs.
Verify the installation by typing the following command:
lslpp -l "ldap"
The output from the
lslpp command should include
Before you execute the client script on AIX, you must add at least one user and group to LDAP. Otherwise, the
mksecldap command executed by the configuration script on AIX might fail with one of these error messages:
Cannot find users from all base DN client setup failed."
Cannot find the group base DN from the LDAP server. Client setup failed."
To prevent this problem, you can simply add one user and one group, or you can migrate all your users and groups to Oracle Internet Directory now, rather than waiting until you have run the configuration script.
See Also:"LDAP configuration management and troubleshooting on AIX" at
http://www.ibm.com/developerworks/for more information and an alternative solution.
To migrate all your users and groups, proceed as follows:
Convert local system entries to LDAP entries by using the
sectoldif command. Type:
sectoldif -d "realm" -S "RFC2307" > users.ldif
Ensure that all users to be migrated are associated with a system group or net group. That is, edit
user.ldif so that each user has a
gidnumber. For example:
dn: uid=test,ou=People,dc=us,dc=example,dc=com uid: test objectClass: posixaccount objectClass: shadowaccount objectClass: account cn: test3 uidnumber: 209 gidnumber: 502 homedirectory: /home/test loginshell: /usr/bin/ksh userpassword: passwordhash shadowlastchange: 13182 cn=testgroup,ou=Group,dc=us,dc=example,dc=com gidnumber=502 cn=testgroup objectclass=posixGroup objectclass=groupOfUniqueNames objectclass=top
Add the user entries in
users.ldif to Oracle Internet Directory:
ldapadd -h host -p port -D "cn=orcladmin" -q -c -f users.ldif
If you are using the non-SSL script, perform the tasks described under "All Client Platforms". Otherwise, proceed as described in the next section.
If you plan to use SSL to connect to the LDAP server, you must install the
ldap.max_crypto_client file sets located on the AIX 5L Expansion Pack.
The following packages are required for SSL Configuration on an AIX 5L Version 5.3 client:
If these packages are not already installed, install them from the AIX 5L Version 5.3 Expansion Package CD (5705-603) or from the equivalent package in Tivoli Directory Server, which is available at the IBM web site. Type:
installp -acgXd LPPSOURCE gskta ldap.max_crypto_client
Verify the installed packages by typing:
lslpp -l | grep "gskta*" "*ldap*"
The output of the
lslpp command should include
If necessary, create a symbolic link in
/usr/lib to the new LDAP client library. For example:
ln -s /opt/IBM/ldap/release/lib/libidsldap.a /usr/lib/libibmldap.a
Proceed as described for all client platforms.
Verify that LDAP SSL is enabled by using
ldapsearch, for example:
ldapsearch -h myserver.example.com -Z -K /etc/security/ldap/key.kdb \ -Q -b "" -s base objectclass=*
Verify that authentication is working correctly by logging into your client machine using
ssh, or a similar program.
The SSL client configuration script fails on AIX 6.1 due to a problem with the
mksecldap tool. You can only configure Oracle Authentication Services for Operating Systems in non-SSL mode, using the non-SSL configuration script, on AIX 6.1.
Copy the client configuration script from the server to the client after you have run the server configuration script. The server script edits the client script, customizing it for your environment.
For SSL Server Authentication enabled Linux clients, use the client script
sslConfig_OIDclient.sh. For non-SSL Linux clients, use
config_OIDclient.sh. Copy the script from
$ORACLE_HOME/ldap/bin on the server to each client you want to configure.
Execute the client configuration script on the client as the
root user. Type:
Note:Look for error messages printed to the screen while the configuration script is running. An example of a successful run is provided for comparison in Appendix E, "Sample Script Output."
The script prints the host and port, then prompts:
Do you want to configure test-host to authenticate users against the aboveOID LDAP server [n]: y
If the host and port are correct, confirm that you want to configure the client to authenticate against the LDAP server. If either is incorrect, type
n, edit the script to correct the problem, and execute the script again.
If, while running the server configuration script, you specified that you did not want to use anonymous binds, the client script prints the proxy DN and prompts you for the password to use for connecting to Oracle Internet Directory. Supply the same password that you provided when configuring the server.
If the client is Red Hat Enterprise Linux or Oracle Enterprise Linux, the client script prompts you as to whether you want to configure the
libuser package to work with LDAP. Respond
y if you want
libuser to be configured. If you configure
libuser to work with LDAP, adding a user with
luseradd, for example, adds the user entry to Oracle Internet Directory.
The script configures Pluggable Authentication Modules (PAM) on the client operating system to use Oracle Internet Directory for user authentication. The exact tasks performed depend on the operating system type. The script performs the following basic tasks:
Makes configuration changes to
nsswitch.conf so that
ldap is an option for
/etc/openldap/ldap.conf with the correct URI, Base DN
Optionally, configures the
libuser package (via
libuser.conf) for user management on Red Hat Enterprise Linux and Oracle Enterprise Linux.
Note:The script makes backup copies of the files it touches in subdirectories of the
/etcdirectory. These subdirectories have names of the form
time_stamp. For example, a backup directory created 18:54:46 on Jan. 13 2010 would have the name
sslConfig_OIDclient.sh performs the following steps:
/etc/oracle-certs/oid-test-ca.pem, the pem format encoded certificate for the Test CA created during configuration on the Oracle Internet Directory Server. This is equivalent to
pem.cert in "Self Signed Certificates".
oid-test-ca.pem as a trusted CA in
/etc/ldap.conf to use cleartext passwords and enable SSL
On most client operating systems, the script configures the client to use the StartTLS port on the server for SSL communication. The script does not configure StartTLS if the operating system on the client is HP-UX or Solaris. These clients use the standard SSL port, 636, on the server for SSL communication.
After you have successfully executed the client configuration script, your Linux or UNIX-based client can use Oracle Internet Directory to authenticate users.
To use Oracle Internet Directory for centralized password policies, you must disable value and state policies local to the operating system.
After you do that, users can invoke the
passwd tool as usual to change their password. Violations of Oracle Internet Directory password value policies produce error messages in the log files beginning with
Password Policy Error.
Most Linux distributions are configured by default to use the
cracklib library to perform end-user supplied password quality validations. When using a centralized password policy enforced in Oracle Internet Directory, you might want to disable the local validations in order to avoid conflicts between the two policies.
On Oracle Enterprise Linux and Red Hat Linux, you can do this as follows:
Locate the following line in
/etc/pam.d/system-auth and comment it out:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
Locate all subsequent lines beginning with
password and remove
use_authtok from those lines.
As mentioned previously, state policies on Linux are enforced through the password aging feature enabled by the shadow password information. The operating system parses the shadow information on each account and enforces state policies locally.
In Red Hat Enterprise Linux or Oracle Enterprise Linux, you can disable password ageing for accounts created under Oracle Internet Directory by modifying
/etc/libuser.conf to use
-1 as the default value for
LU_SHADOWWARNING in the
[userdefaults] section of the file.
For accounts that already exist in Oracle Internet Directory, or that are to be migrated to Oracle Internet Directory, you must set
shadowexpire=-1 to disable password expiration.
If you have configured non-ssl authentication, you can switch to SSL authentication as follows:
On the server, run the script
sslConfigure_OIDserver.sh. Optionally, you can disable the non-ssl port by following the instructions in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
sslConfigure_OIDclient.sh script generated on the server to the client machine and run this script as root.
If you have configured SSL authentication, you can switch to non-ssl authentication as follows:
On the server, run the script
config_OIDserver.sh. Optionally, you can disable the ssl port by following the instructions in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
config_OIDclient.sh generated on the server to the client machine and run this script as
There are occasions when you might need to rerun the configuration scripts. For example, you might need to change to a different Oracle Internet Directory server. As another example, if you are using a proxy DN, rather than anonymous binds, to connect to Oracle Internet Directory, the password of the proxy user will expire at some point and need to be reset.
To rerun the scripts, proceed as follows:
Rerun the configuration script on the server. Execute
sslConfig_OIDserver.sh as the user who installed Oracle Internet Directory.
Restore each client, as described in "Restoring the Client".
Rerun the script on each client. Execute the generated script
sslConfig_OIDclient.sh on each client machine as
You can restore the computers to their original state.
If necessary, you can restore your client computers to the state they were in before you ran
sslConfig_OIDclient.sh. To do so, locate directories under
/etc with names of the form
time_stamp. For example, a backup directory created 18:54:46 on Jan. 13 2008 would have the name
/etc/oracle_backup_20080113185446. If there is more than one backup directory, in most cases, you need to use the backup files in the earliest backup directory.
To restore a client to its pre-configuration state, run the script
resetClient.sh. You can find this script on the server at
$ORACLE_HOME/oas4os/bin. Copy it to the client and run it as
root. The script prompts you for the path to the configuration files that were saved when you ran the configuration script.
There is nothing to restore on the server. See the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory if you want to stop the Oracle Internet Directory server or to disable the SSL or non-SSL port.