28 Integrating Oracle Unified Directory with Oracle Enterprise User Security

Oracle Enterprise User Security (EUS) enables you to store user identities in an LDAP-compliant directory service for Oracle Database authentication.

Enterprise User Security enables you to centrally manage database users across the enterprise. Enterprise users are created in an LDAP-compliant directory service and can be assigned roles and privileges across the various enterprise databases registered with the directory.

Users connect to Oracle Database by providing credentials that are stored in Oracle Unified Directory or in an external LDAP-compliant directory front-ended by an Oracle Unified Directory proxy server. The database executes LDAP search operations to query user-specific authentication and authorization information.

Integrating Oracle Unified Directory and Enterprise User Security enhances and simplifies your authentication and authorization capabilities by allowing you to leverage user identities stored in an LDAP-compliant directory service without any additional synchronization.

This chapter covers the following topics:

28.1 What's New in this Release

In this release, Oracle Unified Directory support for EUS includes:

  • Storing the user and group entries in an Oracle Unified Directory (used as an LDAP server) or in an external LDAP-compliant directory service (Oracle Unified Directory used as a proxy server front-ending the external LDAP directory)

  • Certificate authentication and integration with Kerberos authentication.

    Note:

    Certificate authentication only supports DN entry matching the DN in the certificate.
  • The following external LDAP-compliant directories are supported:

    • Microsoft Active Directory

    • Novell eDirectory

    • Oracle Directory Server Enterprise Edition

    • Oracle Unified Directory

      Note:

      You can configure an Oracle Unified Directory instance as an external directory server with another Oracle Unified Directory instance as the proxy server.
  • Password Policies:

    The password policy entry defined in the LDAP-compliant directory storing the user entries can be used by Oracle Database for Enterprise User Security.

    The database communicates with Oracle Unified Directory and requests the Oracle Unified Directory to report any password policy violations. For more information, see Section 28.6, "Password Policies".

For information about configuring Enterprise User Security, see Oracle Database Enterprise User Administrator's Guide.

28.2 Introduction to the Integration Scenarios

To integrate Oracle Unified Directory and Enterprise User Security, you can select one of the following scenarios:

28.3 Oracle Unified Directory Used as a Directory Server with Enterprise User Security

This section describes the tasks required to integrate Oracle Unified Directory with Enterprise User Security, where the user identities are stored in an Oracle Unified Directory without any additional synchronization. To do so, complete the following:

28.3.1 Task 1: Preparing Oracle Unified Directory for Enterprise User Security Integration

You must prepare the Oracle Unified Directory for an EUS integration. You can do so while installing Oracle Unified Directory or on an existing Oracle Unified Directory server instance.

28.3.1.1 Enabling Enterprise User Security During Installation

You can use this option when you are installing Oracle Unified Directory. Enable the Oracle Unified Directory directory server instance for integration with EUS while you are setting up the server instance, as described in "Setting Up the Directory Server" in the Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.

Note:

Ensure that you select Enable for EUS in the Oracle Components Integration screen while running the oud-setup graphical interface option or if you are running oud-setup with the --cli option then specify the following option while launching the installer:
oud-setup --eus

28.3.1.2 Enabling Enterprise User Security With ODSM for an Existing Instance

On an existing directory server instance, you can create a new suffix for EUS by using ODSM.

Note:

There is no command-line equivalent for this functionality.

To create a suffix for EUS by using ODSM, perform the following steps:

  1. Ensure that the server instance has an LDAP connection handler that is enabled for SSL.

    If SSL is not enabled, add an LDAPS connection handler, as described in Section 17.2, "Managing the Server Configuration With Oracle Directory Services Manager".

  2. Connect to the directory server from ODSM, as described in Section 21.2, "Connecting to the Server From Oracle Directory Services Manager".

  3. Select the Home tab.

  4. Under the Configuration menu, select Create Local Naming Context.

    The New Local Naming Context window is displayed.

  5. Enter the following details:

    1. In the Base DN field, type a name for the suffix that you want to create.

      Note:

      You cannot enable EUS on an existing suffix that has already been populated with user data.
    2. From the Directory Data Options group, select one of the following options for populating the suffix with data:

      Only Create Base Entry creates the database along with the base entry of the suffix. Any additional entries must be added after suffix creation.

      Leave Database Empty creates an empty database. The base entries and any additional entries must be added after suffix creation.

      Note:

      The suffix must contain at least one entry, so do not select the Leave Database Empty option.

      Import Generated Sample Data populates the suffix with sample entries.

      Specify the number of entries that should be generated in the Number of User Entries field. You can import a maximum of 30,000 sample entries through ODSM. If you want to add more than 30,000 entries, you must use the import-ldif command.

    3. In the Oracle Components Integration region, select Enable for Enterprise User Security (EUS) to enable the new suffix.

      When you select EUS, in addition to creating this suffix, two suffixes are created automatically: "cn=oracleschemaversion" and "cn=oraclecontext." An EUS workflow element is also added in front of the local backend workflow element. Further, a DN renaming workflow element for "cn=schema" is added, so that it can be accessed using the "cn=subschemasubentry" DN.

    4. In the Network Group region, attach the suffix to at least one network group by performing the following steps:

      • To attach the suffix to an existing network group, select Use Existing and select the required network group from the list.

      • To attach the suffix to a new network group, select Create New and then in the Name field, type a name for the network group you want to create.

      You can attach several network groups to the same suffix.

    5. In the Workflow Element region, attach the suffix to the workflow element by performing either of the following steps:

      • To attach the suffix to an existing workflow element, select Use Existing and then select the required workflow element from the list.

      • To attach the suffix to a new workflow element, select Create New and then in the Name field, type a name for the workflow element you want to create.

    6. Click Create.

      The following confirmation message is displayed:

      Configuration created successfully.

28.3.2 Task 2: Configuring Users and Groups Location

After Oracle Unified Directory has been configured for EUS, you must configure the naming context used to store the users and the groups by performing the following steps:

  1. Locate the LDIF template file at install_dir/config/EUS/modifyRealm.ldif.

  2. Edit the modifyRealm.ldif file as follows:

    • Replace dc=example,dc=com with the correct naming context for your server instance.

    • Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.

  3. Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:

    $ ldapmodify -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -v -f modifyRealm.ldif
    

28.3.3 Task 3: Configuring Oracle Database for Oracle Unified Directory

You must configure the Oracle Database for Enterprise User Security by completing the following steps:

28.3.3.1 Configuring Your Database to Use the Oracle Unified Directory

Run Net Configuration Assistant (NetCA) tool to configure the Oracle Unified Directory host name and port numbers for the database.

To configure your database for directory usage:

  1. Start Oracle Net Configuration Assistant:

    Unix

    Run netca (Located at $ORACLE_HOME/bin) on the command line.

    Windows

    Choose Start, Programs, Oracle-HOME_NAME, Configuration and Migration Tools, and select Net Configuration Assistant.

    The Oracle Net Configuration Assistant: Welcome screen is displayed.

  2. Select Directory Usage Configuration and click Next.

    The Oracle Net Configuration Assistant: Directory Usage Configuration, Directory Type screen is displayed.

  3. Select Oracle Internet Directory as the directory type and click Next.

    The Oracle Net Configuration Assistant: Directory Usage Configuration, Directory Location screen is displayed.

  4. Enter the following details:

    • Hostname: Enter the name of the host on which the Oracle Unified Directory server is running.

    • Port: Enter the Oracle Unified Directory port number.

    • SSL Port: Enter the Oracle Unified Directory SSL port number.

    Click Next.

    The Oracle Net Configuration Assistant: Directory Usage Configuration, Select OracleContext screen is displayed.

  5. Select cn=OracleContext,<your base DN>, where <your base DN> is the naming context used to store the user and group entries. Click Next.

    The Directory Usage Configuration, Done screen is displayed.

  6. Confirm that the directory usage configuration is successfully completed. Click Next.

  7. Click Finish.

NetCA creates an ldap.ora file in the $ORACLE_HOME/network/admin directory (Unix) or ORACLE_HOME\network\admin directory (Windows). The file stores the connection information details about the directory.

Example 28-1 ldap.ora file

DIRECTORY_SERVERS= (oudserver:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=eus,dc=com"
DIRECTORY_SERVER_TYPE = OID

The Oracle Unified Directory server is running on the host named oudserver, using LDAP port 1389 and LDAPS port 1636. The users and groups are stored under dc=eus,dc=com.
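Before the database is pointed at the directory, it is worth confirming that the generated ldap.ora names an LDAPS port, because EUS binds and searches that use only the LDAP port cross the network in the clear. The following Python helper parses the file and reports such gaps. It is an added example, not part of the Oracle documentation or of NetCA; the sample file content is constructed from Example 28-1.

```python
"""Parse and sanity-check an Oracle Net ldap.ora file such as the one NetCA writes.

Added example; it is not part of the Oracle documentation or the NetCA tool.
SAMPLE_LDAP_ORA is constructed from Example 28-1.
"""
import re

# Constructed sample matching Example 28-1.
SAMPLE_LDAP_ORA = """\
DIRECTORY_SERVERS= (oudserver:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=eus,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""

# host[:ldap_port[:ssl_port]] as used inside DIRECTORY_SERVERS
_SERVER_RE = re.compile(r"^([^:,\s()]+)(?::(\d+))?(?::(\d+))?$")


def parse_ldap_ora(text):
    """Return {'servers': [(host, ldap_port, ssl_port), ...],
    'admin_context': str or None, 'server_type': str or None}.
    Lines starting with '#' are comments; parameter names are case-insensitive."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key.upper()] = value.strip('"')

    servers = []
    for entry in params.get("DIRECTORY_SERVERS", "").strip("() ").split(","):
        entry = entry.strip()
        if not entry:
            continue
        match = _SERVER_RE.match(entry)
        if not match:
            raise ValueError(f"malformed DIRECTORY_SERVERS entry: {entry!r}")
        host, port, ssl_port = match.groups()
        servers.append((host,
                        int(port) if port else None,
                        int(ssl_port) if ssl_port else None))
    return {
        "servers": servers,
        "admin_context": params.get("DEFAULT_ADMIN_CONTEXT"),
        "server_type": params.get("DIRECTORY_SERVER_TYPE"),
    }


def check_ldap_ora(config):
    """Return a list of findings; an empty list means the file looks ready for EUS."""
    findings = []
    if not config["servers"]:
        findings.append("no DIRECTORY_SERVERS configured")
    for host, _port, ssl_port in config["servers"]:
        if ssl_port is None:
            findings.append(f"{host}: no LDAPS port configured")
    if config["server_type"] != "OID":
        findings.append("DIRECTORY_SERVER_TYPE is not OID")
    if "=" not in (config["admin_context"] or ""):
        findings.append("DEFAULT_ADMIN_CONTEXT is not a DN")
    return findings


if __name__ == "__main__":
    cfg = parse_ldap_ora(SAMPLE_LDAP_ORA)
    print(cfg)
    print("findings:", check_ldap_ora(cfg) or "none")
```

Run it against the real file with parse_ldap_ora(open(path).read()); a finding of "no LDAPS port configured" means the SSL Port field was left empty in NetCA and the directory usage configuration should be repeated.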

28.3.3.2 Registering Your Database with the Oracle Unified Directory

Register the database with the directory service. The Database Configuration Assistant (DBCA) tool enables you to register the database with Oracle Unified Directory.

Registration creates an entry containing the database information (database name and connection details). The database then uses this entry to authenticate itself when it sends requests to the Oracle Unified Directory server.

To register the database with the directory:

  1. Start DBCA using the dbca command.

    • On Unix systems, you can start DBCA using the following command:

      $ORACLE_HOME/bin/dbca

    • On Windows, you can also start DBCA from the Start menu:

      Click Start, All Programs, Oracle - OracleHomeName, Configuration and Migration Tools, and then select Database Configuration Assistant.

    The Welcome screen is displayed.

  2. Click Next.

    The Operations screen is displayed.

  3. Select Configure Database Options.

    Click Next.

    The Database screen is displayed.

  4. Select the database name that you wish to configure. You might also be asked to enter SYS user credentials if you are not using operating system authentication.

    Click Next.

    The Management Options screen is displayed.

  5. Select Keep the database configured with Database Control if you want to continue using Database Control to manage the database. You also have the option of using Grid Control to manage the database.

    Click Next.

    The Security Settings screen is displayed.

  6. Select Keep the enhanced 11g default security settings to keep the 11g security settings.

    Click Next.

    The Network Configuration screen is displayed.

  7. Select Yes, register the Database to register the database with the directory. Enter the distinguished name (DN) of a user who is authorized to register databases in Oracle Unified Directory. Also, enter the password for the directory user. Enter a wallet password. Reenter the password in the Confirm Password field.

    Click Next.

    Note:

    The database uses a randomly generated password to log in to the directory. This database password is stored in an Oracle wallet. The wallet can also be used to store certificates needed for SSL connections.

    The wallet password that you specify is different from the database password. The wallet password is used to protect the wallet.

    The Database Components screen is displayed.

  8. Click Next.

    The Connection Mode page is displayed.

  9. Select Dedicated Server Mode or Shared Server Mode.

    Click Finish.

    The Confirmation dialog box is displayed.

  10. Click OK.

  11. You can verify the database registration by searching for the following entry created by DBCA in Oracle Unified Directory server:

    cn=<database name>,cn=oraclecontext,<your baseDN>
    

Note:

After you register the database with the directory, make sure that auto login is enabled for the database wallet. The default wallet is created in the $ORACLE_BASE/admin/database_sid/wallet directory (Unix) or ORACLE_BASE\admin\database_sid\wallet directory (Windows).

You can verify that auto login for the wallet is enabled by checking for the presence of the cwallet.sso file in the wallet directory. If the file is not present, you can enable auto login by opening the wallet using Oracle Wallet Manager, and using the option to enable auto login for the wallet. For more information, see "Using Oracle Wallet Manager" in the Oracle Database Advanced Security Administrator's Guide.

28.3.3.3 Mapping Enterprise Users

You must create the user-schema mapping using Enterprise Manager, as described in "Mapping Enterprise Users to the Shared Schema" in the Oracle Database Enterprise User Security Administrator's Guide.

28.3.3.4 Connecting to the Database as an Enterprise User

Connect to the Database as an Enterprise User, as described in "Connecting to the Database as an Enterprise User" in the Oracle Database Enterprise User Security Administrator's Guide.

28.3.3.5 Using Enterprise Roles

For more information, see "Using Enterprise Roles" in the Oracle Database Enterprise User Security Administrator's Guide.

28.3.3.6 Using Proxy Permissions

For more information, see "Using Proxy Permissions" in the Oracle Database Enterprise User Security Administrator's Guide.

28.4 Oracle Unified Directory Used as a Proxy Server for an External LDAP Directory with Enterprise User Security

This section describes the steps required to integrate Oracle Unified Directory with EUS when the user identities are stored in an external LDAP directory server.

You can integrate EUS with an external LDAP directory, if the Oracle Unified Directory is configured as a proxy front ending an external LDAP repository. The EUS configuration details are stored locally in Oracle Unified Directory and the remote external LDAP directory contains only the Enterprise Users and the Enterprise Groups details.

To integrate Oracle Unified Directory with Oracle Enterprise User Security, you must complete the following:

Note:

Create a back-up copy of the ORACLE_HOME/config/eus/ directory (Unix) or ORACLE_HOME\config\eus\ directory (Windows). All the configuration files required for the Enterprise User Security integration are in the eus directory. Making a back-up copy of the eus directory enables you to edit the template-like files in the original eus directory based on your environment, and still keep copies of the original files.

28.4.1 Task 1: Preparing the External Directories for Integration

When the user and group entries are stored in an external LDAP directory server, you must prepare this directory server for Enterprise User Security.

The following external LDAP-compliant directories are supported:

  • Microsoft Active Directory

  • Novell eDirectory

  • Oracle Directory Server Enterprise Edition

  • Oracle Unified Directory

    Note:

    You can configure an Oracle Unified Directory instance as an external directory server with another Oracle Unified Directory instance as the proxy server.

These instructions are organized by external directory type into the following sections:

Note:

Back-end LDAP schema extensions are no longer required for any of these external directories, except Microsoft Active Directory. These changes are now done in the Oracle Unified Directory local store.

Only a single, minimal schema change to add the orclCommonAttribute attribute definition is necessary for Active Directory.

28.4.1.1 User Identities in Microsoft Active Directory

Perform the following procedures to integrate Oracle Unified Directory with Enterprise User Security for user identities stored in Active Directory:

  1. Make a back-up copy of your Active Directory image. The schema extensions inside Active Directory are permanent and cannot be undone. The back-up image enables you to roll back the changes if required.

  2. Execute the following command to load the Enterprise User Security required schema, ExtendAD, into Active Directory using the Java classes included in Oracle Unified Directory.

    The ExtendAD file is located in the $ORACLE_HOME/config/EUS/ActiveDirectory/ directory (Unix) or ORACLE_HOME\config\EUS\ActiveDirectory\ directory (Windows). You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java ExtendAD -h Active_Directory_Host_Name -p Active_Directory_Port
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password
    -AD Active_Directory_Domain_DN -commonattr
    

    Example:

    java ExtendAD -h myhost -p 389 -D cn=administrator,cn=users,dc=example,dc=com -w <pwd> -AD dc=example,dc=com -commonattr
    
  3. Install the Oracle Unified Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:

    1. Complete the following, depending on your Windows architecture:

      Windows 32-bit

      Copy OUD_HOME\config\EUS\ActiveDirectory\win\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.

      Windows 64-bit

      Copy OUD_HOME\config\EUS\ActiveDirectory\win64\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.

    2. Use regedt32 or regedt64 to edit the registry and enable the oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.

    3. Add oidpwdcn to the end of the Notification Packages entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry key, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      

      This enables the password DLL and populates orclCommonAttribute attribute with the password verifier required by EUS.

    4. Restart the Active Directory system after making these changes.

  4. Reset the password for all the Active Directory users, allowing the plug-in to acquire the password changes and generate and store password verifiers.

  5. Verify the Active Directory setup by performing the following steps:

    1. Change the password of an Active Directory user.

    2. Search Active Directory for the user you changed the password for. Verify the orclCommonAttribute attribute contains the generated hash password value.

      The presence of this value confirms that the orclCommonAttribute attribute definition was added to Active Directory and is being populated.

  6. Prepare the Oracle Unified Directory for integration by performing the task described in Section 28.4.2, "Task 2: Preparing the Oracle Unified Directory for Integration."

  7. Configure users and groups, as described in Section 28.4.3, "Task 3: Configuring Users and Groups Location".

  8. Configure the Oracle Database, as described in Section 28.4.4, "Task 4: Configuring Oracle Database for Enterprise User Security".
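The Notification Packages value edited in step 3 names DLLs that LSA loads and hands every password change to, so any entry that is not on the expected list deserves an owner, and a missing oidpwdcn means EUS verifiers silently stop being generated. The following Python script compares the value with the list shown in step 3. It is an added example, not Oracle's code; the key and value name are those from step 3, and the sample reading is constructed.

```python
"""Audit the LSA 'Notification Packages' registry value against the list step 3 expects.

Added example; not Oracle's code. The key and value name are the ones named in step 3,
the baseline reproduces the entries shown there, and SAMPLE_VALUE is a constructed reading.
"""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"

# Baseline from step 3: the four stock entries plus the EUS password change DLL.
EXPECTED_PACKAGES = ("RASSFM", "KDCSVC", "WDIGEST", "scecli", "oidpwdcn")

# Constructed sample: the expected list plus one placeholder entry that should be questioned.
SAMPLE_VALUE = ["RASSFM", "KDCSVC", "WDIGEST", "scecli", "oidpwdcn", "unknownpkg"]


def normalize(name):
    """Entries are DLL base names; compare case-insensitively and without a '.dll' suffix."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".dll") else name


def audit_packages(values, expected=EXPECTED_PACKAGES):
    """Return (unexpected, missing): entries present but not in the baseline, and
    baseline entries that are absent from the registry value."""
    have = {normalize(v) for v in values if v.strip()}
    want = {normalize(e) for e in expected}
    return sorted(have - want), sorted(want - have)


def read_live_value():
    """Read the REG_MULTI_SZ value from the local machine; Windows only."""
    if sys.platform != "win32":
        raise OSError("registry access requires Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, VALUE_NAME)
    if value_type != winreg.REG_MULTI_SZ:
        raise ValueError(f"{VALUE_NAME} has unexpected registry type {value_type}")
    return list(value)


if __name__ == "__main__":
    values = read_live_value() if sys.platform == "win32" else SAMPLE_VALUE
    unexpected, missing = audit_packages(values)
    print("unexpected:", unexpected or "none")
    print("missing:", missing or "none")
```

On a domain controller the script reads the live value; elsewhere it falls back to the constructed sample so the comparison logic can be exercised offline.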

28.4.1.2 User Identities in Oracle Directory Server Enterprise Edition

Perform the following procedures to integrate Oracle Unified Directory with Enterprise User Security for user identities stored in Oracle Directory Server Enterprise Edition:

  1. Run the ldapmodify command against Oracle Directory Server Enterprise Edition to enable the account lock extended operation, as follows:

    ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password>
    dn: oid=1.3.6.1.4.1.42.2.27.9.6.25,cn=features,cn=config
    changetype: add
    objectclass: directoryServerFeature
    oid: 1.3.6.1.4.1.42.2.27.9.6.25
    cn: Password Policy Account Management
    
  2. Prepare the Oracle Unified Directory for integration by performing the task described in Section 28.4.2, "Task 2: Preparing the Oracle Unified Directory for Integration."

  3. Configure users and groups, as described in Section 28.4.3, "Task 3: Configuring Users and Groups Location".

  4. Configure the Oracle Database, as described in Section 28.4.4, "Task 4: Configuring Oracle Database for Enterprise User Security".

28.4.1.3 User Identities in Novell eDirectory

Perform the following procedures to integrate Oracle Unified Directory with Enterprise User Security for user identities stored in Novell eDirectory:

  1. To configure Novell eDirectory for the integration, enable Universal Password in eDirectory and allow the administrator to retrieve the user password. Refer to Novell's eDirectory documentation on Password Management for more information.

  2. Prepare the Oracle Unified Directory for integration by performing the task described in Section 28.4.2, "Task 2: Preparing the Oracle Unified Directory for Integration."

  3. Configure users and groups, as described in Section 28.4.3, "Task 3: Configuring Users and Groups Location".

  4. Configure the Oracle Database, as described in Section 28.4.4, "Task 4: Configuring Oracle Database for Enterprise User Security".

28.4.1.4 User Identities in Oracle Unified Directory

You can configure an Oracle Unified Directory instance as an external directory server with another Oracle Unified Directory instance as the proxy server. In this scenario, the EUS configuration details are stored locally in Oracle Unified Directory proxy server and the external Oracle Unified Directory contains only the Enterprise Users and the Enterprise Groups details.

Perform the following procedures to integrate Oracle Unified Directory with Enterprise User Security for user identities stored in an Oracle Unified Directory:

  1. Modify the default password policy to use Salted SHA-1 as the password storage scheme by running the dsconfig command as follows:

    dsconfig -h <OUD host> -p <OUD admin port> -D <OUD dirmgr> -j <pwdfile> -X -n set-password-policy-prop --policy-name "Default Password Policy" --set default-password-storage-scheme:"Salted SHA-1"
    

    Note:

    Ensure that you modify the default password policy of the Oracle Unified Directory containing the Enterprise Users and the Enterprise Groups details. Do not modify the default password policy of the Oracle Unified Directory instance acting as the proxy server.
  2. Prepare the Oracle Unified Directory proxy server for integration by performing the task described in Section 28.4.2, "Task 2: Preparing the Oracle Unified Directory for Integration."

  3. Configure users and groups, as described in Section 28.4.3, "Task 3: Configuring Users and Groups Location".

  4. Configure the Oracle Database, as described in Section 28.4.4, "Task 4: Configuring Oracle Database for Enterprise User Security".

28.4.2 Task 2: Preparing the Oracle Unified Directory for Integration

Configure Oracle Unified Directory with external LDAP Directories by performing the following steps:

28.4.2.1 Configuring Enterprise User Security for an Oracle Unified Directory Proxy Server

You must prepare the Oracle Unified Directory proxy server for an EUS integration. You can do so while installing the Oracle Unified Directory proxy server or on an existing Oracle Unified Directory proxy server instance.

28.4.2.1.1 Enabling Enterprise User Security for a Proxy Server During Installation

You can enable an Oracle Unified Directory directory server instance for integration with EUS while you are setting up the server instance, as described in "Setting Up the Proxy Server" in the Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.

Notes:

  • Ensure that you select Configure EUS in the Deployment Options screen while running the oud-proxy-setup graphical interface or if you are running oud-proxy-setup with the --cli option then specify the following option while launching the installer:

    oud-proxy-setup --eusContext {namingContext}
    
  • If you are running oud-proxy-setup with the --cli option, then you must manually configure the LDAP server extension, the proxy workflow element, and the EUS workflow element using the dsconfig command. When you use the graphical interface, these are configured automatically.

  • For Novell eDirectory, click Add Server, select LDAPS as the protocol and enter the Novell eDirectory LDAPS port number in the Back-End Server screen while running the oud-proxy-setup graphical interface.

28.4.2.1.2 Enabling Enterprise User Security for an Existing Proxy Server Instance

To configure Enterprise User Security for an existing Oracle Unified Directory Proxy Server instance, complete the following steps:

  1. Ensure that the server instance has an LDAP connection handler that is enabled for SSL.

    If SSL is not enabled, add an LDAPS connection handler, as described in Section 17.2, "Managing the Server Configuration With Oracle Directory Services Manager".

  2. Connect to the proxy server from ODSM, as described in Section 21.2, "Connecting to the Server From Oracle Directory Services Manager".

  3. Select the Home tab.

  4. Under the Configuration menu, select Create Remote EUS Naming Context.

    The Create Remote EUS Naming Context window is displayed.

  5. Enter the following details:

    • Base DN: Enter the name for the suffix.

    • Network Group: Select the network group attached to the suffix.

    • Server Type: Select the server containing the EUS user entries.

    • Host Name: Enter the host name of the remote server.

    • Ports Available: Enter the LDAP port, LDAPS port, or LDAP and LDAPS ports of the remote server.

      Note:

      For Novell eDirectory, enter the LDAPS port of the Oracle Unified Directory proxy server.
    • Trust All: Select this check box to trust all the certificates presented by the remote server.

    • Trust Manager: Select the trust manager that the server will use when connecting to the LDAPS ports of the remote server to forward requests.

  6. Click Create.

    The following confirmation message is displayed:

    Configuration created successfully.

28.4.2.2 Performing Post Configuration Steps

After completing the required configuration as described in Section 28.4.2.1, "Configuring Enterprise User Security for an Oracle Unified Directory Proxy Server", you must now configure the credentials used by Oracle Unified Directory proxy server to communicate with the external LDAP directory server. To do so, perform the following steps:

  1. Configure the proxy workflow elements for the external LDAP directory server by setting the remote root DN and remote root user accounts using the dsconfig command as follows:

    dsconfig set-workflow-element-prop \
              --element-name proxy-we1 \
              --set remote-root-dn:cn=administrator,cn=users,dc=example,dc=com \
              --set remote-root-password:******** \
              --hostname localhost \
              --port 4444 \
              --trustAll \
              --bindDN cn=directory\ manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
    

    Note:

    You must replace proxy-we1 with the name of the proxy workflow element corresponding to the external LDAP directory server.
  2. Set the mode for the proxy workflow element for the external LDAP-compliant directory.

    • Use use-specific-identity mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.

    • Use use-client-identity mode if your external LDAP server allows anonymous access.

    By default, the configuration is set to use-client-identity mode.

    1. If you want to change the mode setting to use-specific-identity, then you must configure the external LDAP server credentials. Run the dsconfig command as follows:

      dsconfig set-workflow-element-prop \
                --element-name proxy-we1 \
                --set client-cred-mode:use-specific-identity \
                --set remote-ldap-server-bind-dn:cn=administrator,\
                                  cn=users,dc=example,dc=com \
                --set remote-ldap-server-bind-password:******** \
                --hostname localhost \
                --port 4444 \
                --trustAll \
                --bindDN cn=directory\ manager \
                --bindPasswordFile pwd.txt \
                --no-prompt
      
    2. If you want to change to the use-client-identity mode, then you must configure the external LDAP server credentials and an exclude-list.

      The database usually connects with its own credentials to Oracle Unified Directory proxy server, and performs searches on the external LDAP server. When EUS is enabled, the database must use an alternate ID to bind to the external LDAP server because the database entry does not exist on the external LDAP server. The database entry is stored locally on the Oracle Unified Directory proxy server.

      Run the dsconfig command as follows:

      dsconfig set-workflow-element-prop \
                --element-name proxy-we1 \
                --set client-cred-mode:use-client-identity \
                --add exclude-list:cn=directory\ manager \
                --add exclude-list:cn=oraclecontext,dc=example,dc=com \
                --set remote-ldap-server-bind-dn:cn=administrator,cn=users,dc=example,dc=com \
                --set remote-ldap-server-bind-password:******** \
                --hostname localhost \
                --port 4444 \
                --trustAll \
                --bindDN cn=directory\ manager \
                --bindPasswordFile pwd.txt \
                --no-prompt
      

      Important. When in use-client-identity mode, if you are integrating with Active Directory, then you must run the following command to allow anonymous login, where dc=example,dc=com is the base DN of your Active Directory server.

      ldapmodify -h <ADhost> -p <AD port> -D <AD dirmgr> -w <pwd>
      dn: cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=example,dc=com
      changetype: modify
      replace: dsHeuristics
      dsHeuristics: 0000002
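
The two client-cred-mode settings above decide which credentials the proxy presents to the external LDAP server, which is why the exclude-list must name every DN that exists only on the proxy (the directory manager and the database entries under cn=OracleContext). The following Python model illustrates that decision. It is an added example of the documented behaviour, not Oracle Unified Directory's code; it assumes that exclude-list entries match as subtrees (inferred from the database entry living under cn=oraclecontext,<base DN>) and uses a simplified case-insensitive DN comparison rather than full LDAP DN matching.

```python
"""Model of the identity the Oracle Unified Directory proxy presents to the external LDAP
server under the two client-cred-mode settings configured with dsconfig above.

Added example; an illustration of the documented behaviour, not OUD's code. Assumptions:
exclude-list entries are matched as subtrees, and DN comparison is a simplified
case-insensitive, whitespace-trimmed match rather than full LDAP DN matching.
"""

USE_CLIENT_IDENTITY = "use-client-identity"
USE_SPECIFIC_IDENTITY = "use-specific-identity"


def normalize_dn(dn):
    """Lower-case the DN and strip whitespace around RDN separators (simplified, by assumption)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_in_subtree(dn, base):
    """True if dn equals base or is located below it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


class ProxyWorkflowElement:
    """The subset of proxy workflow element properties used in this task."""

    def __init__(self, client_cred_mode, remote_bind_dn, exclude_list=()):
        if client_cred_mode not in (USE_CLIENT_IDENTITY, USE_SPECIFIC_IDENTITY):
            raise ValueError(f"unknown client-cred-mode: {client_cred_mode}")
        self.client_cred_mode = client_cred_mode
        self.remote_bind_dn = remote_bind_dn      # remote-ldap-server-bind-dn
        self.exclude_list = tuple(exclude_list)   # exclude-list (use-client-identity only)

    def remote_identity(self, client_bind_dn):
        """DN the proxy binds with on the external server for a client bound as client_bind_dn."""
        if self.client_cred_mode == USE_SPECIFIC_IDENTITY:
            # Every client is forwarded under the one configured identity.
            return self.remote_bind_dn
        # use-client-identity: the client's own DN is forwarded, except for DNs that exist
        # only on the proxy (directory manager, the database entries under cn=OracleContext),
        # which the exclude-list maps to the configured remote bind DN.
        if any(dn_in_subtree(client_bind_dn, excluded) for excluded in self.exclude_list):
            return self.remote_bind_dn
        return client_bind_dn


if __name__ == "__main__":
    we = ProxyWorkflowElement(
        USE_CLIENT_IDENTITY,
        "cn=administrator,cn=users,dc=example,dc=com",
        ["cn=directory manager", "cn=oraclecontext,dc=example,dc=com"],
    )
    for client in ("cn=orcl,cn=OracleContext,dc=example,dc=com",   # database entry, local only
                   "cn=Directory Manager",
                   "uid=joe,ou=people,dc=example,dc=com"):         # enterprise user
        print(f"{client:50} -> {we.remote_identity(client)}")
```

A database DN left out of the exclude-list would be forwarded to the external server, where no such entry exists, and its bind would fail; that is the failure the exclude-list entries in the dsconfig command above prevent.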
      

28.4.3 Task 3: Configuring Users and Groups Location

After Oracle Unified Directory has been configured for EUS, you must configure the naming context used to store the users and the groups by performing the following steps:

  1. Locate the LDIF template file at install_dir/config/EUS/modifyRealm.ldif.

  2. Edit the modifyRealm.ldif file as follows:

    • Replace dc=example,dc=com with the correct naming context for your server instance.

    • Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.

  3. Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:

    $ ldapmodify -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -v -f modifyRealm.ldif
    
  4. If you are integrating Active Directory, run the following command, replacing dc=example,dc=com with the appropriate base DN for your configuration:

    $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file
    dn: cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
    changetype: modify
    replace: orclCommonNickNameAttribute
    orclCommonNickNameAttribute: samaccountname
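
Steps 1 to 3 here, and the identical steps in Section 28.3.2, come down to substituting three placeholders in an LDIF template and then feeding it to ldapmodify; a mistake in the base DN silently points EUS at a container that does not exist. The following Python helper performs the substitution on an unfolded copy of the template and checks the result for leftover placeholders and DNs outside the chosen base. It is an added example, not Oracle's code; the template shown is a constructed stand-in for install_dir/config/EUS/modifyRealm.ldif, whose actual contents and attribute names are not reproduced here.

```python
"""Customize an LDIF template carrying the placeholders named in step 2
(dc=example,dc=com, ou=people, ou=groups) and check the result before running ldapmodify.

Added example; not Oracle's code. TEMPLATE is a constructed stand-in for
install_dir/config/EUS/modifyRealm.ldif; its attribute names are assumptions.
"""
import re

PLACEHOLDER_BASE_DN = "dc=example,dc=com"
PLACEHOLDER_USERS = "ou=people"
PLACEHOLDER_GROUPS = "ou=groups"

# Constructed template; attribute names are hypothetical. The last value is folded
# across two lines, which valid LDIF allows.
TEMPLATE = """\
dn: cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
changetype: modify
replace: exampleUserSearchBase
exampleUserSearchBase: ou=people,dc=example,dc=com
-
replace: exampleGroupSearchBase
exampleGroupSearchBase: ou=groups,
 dc=example,dc=com
"""

# A value shaped like a multi-component DN (attr=value,attr=value,...).
DN_VALUE_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)+$")


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space continues the previous line),
    so a placeholder split across a fold is still matched."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return "\n".join(lines) + "\n"


def customize_realm_ldif(template, base_dn, users_rdn, groups_rdn):
    """Return the unfolded template with the three placeholders replaced, case-insensitively,
    in a single pass so that the replacements cannot interfere with each other."""
    mapping = {
        PLACEHOLDER_BASE_DN.lower(): base_dn,
        PLACEHOLDER_USERS.lower(): users_rdn,
        PLACEHOLDER_GROUPS.lower(): groups_rdn,
    }
    pattern = re.compile("|".join(re.escape(key) for key in mapping), re.IGNORECASE)
    return pattern.sub(lambda m: mapping[m.group(0).lower()], unfold_ldif(template))


def check_customized(text, base_dn):
    """Return problems found: leftover placeholders, or DN-valued lines outside base_dn."""
    problems = []
    for placeholder in (PLACEHOLDER_BASE_DN, PLACEHOLDER_USERS, PLACEHOLDER_GROUPS):
        if re.search(re.escape(placeholder), text, re.IGNORECASE):
            problems.append(f"placeholder still present: {placeholder}")
    for line in unfold_ldif(text).splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        value = line.split(":", 1)[1].strip()
        if DN_VALUE_RE.match(value) and not value.lower().endswith(base_dn.lower()):
            problems.append(f"DN outside {base_dn}: {value}")
    return problems


if __name__ == "__main__":
    import sys
    customized = customize_realm_ldif(TEMPLATE, "dc=eus,dc=com", "ou=staff", "ou=roles")
    sys.stdout.write(customized)
    print("problems:", check_customized(customized, "dc=eus,dc=com") or "none")
```

Write the returned text to a file and pass it to ldapmodify with -f as in step 3; run check_customized first and do not apply the file while it reports problems.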
    

28.4.4 Task 4: Configuring Oracle Database for Enterprise User Security

You must configure the Oracle Database, as described in Section 28.3.3, "Task 3: Configuring Oracle Database for Oracle Unified Directory."

28.5 Connecting to the Database as an Enterprise User

To verify the integration, you can connect to the database using sqlplus as an enterprise user:

$ sqlplus
SQL> CONNECT joe
Enter password:
Connected.
SQL> 

For any error, see Section C, "Troubleshooting Enterprise User Security".

28.6 Password Policies

Password policies are a set of rules that apply to all user passwords in an identity management realm. Password policies include settings for password complexity, minimum password length, and the like. They also include account lockout and password expiration settings.

The database communicates with Oracle Unified Directory and requests the Oracle Unified Directory to report any password policy violations. If the database gets a policy violation response from Oracle Unified Directory, then it displays the appropriate warning or error message to the user.

The database reports the following events:

  • It gives a warning when the user password is about to expire and displays the number of days left for the user to change his or her password.

    Example:

    SQL> connect joe/Admin123
    ERROR:
    ORA-28055: the password will expire within 1 days
     
    Connected.
    
  • It gives a warning when the password has expired and informs the user about the number of grace logins that remain.

    Example:

    SQL> connect joe/Admin123
    ERROR:
    ORA-28054: the password has expired. 1 Grace logins are left
     
    Connected.
    
  • It displays an error when the user password has expired and the user does not have any grace logins left.

    Example:

    SQL> connect joe/Admin123
    ERROR:
    ORA-28049: the password has expired
    
  • It displays an error when the user account has been locked due to repeated failed attempts at login.

    Example:

    SQL> connect joe/Admin123
    ERROR:
    ORA-28051: the account is locked
    
  • It displays an error if the user account has been disabled by the administrator.

    Example:

    SQL> connect joe/Admin123
    ERROR:
    ORA-28052: the account is disabled
    
  • It displays an error if the user account is inactive.

    Example:

    SQL> connect joe/Admin123
    ERROR:
    ORA-28053: the account is inactive
    

Enterprise user login attempts to the database update the user account status in Oracle Unified Directory or any supported external LDAP-compliant directory. For example, consecutive failed login attempts to the database result in the account being locked in the directory, as per the directory's password policy.