31 Integrating Oracle Unified Directory with Oracle Enterprise User Security

Oracle Enterprise User Security (EUS) enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service. This chapter provides instructions for enabling Oracle Unified Directory to work with Oracle Enterprise User Security.

This chapter contains the following sections:

• Section 31.1, "Understanding How Oracle Enterprise User Security Works with Oracle Unified Directory"

• Section 31.2, "Before You Begin"

• Section 31.3, "Enabling Oracle Unified Directory and Oracle Enterprise User Security to Work Together"

• Section 31.4, "Using Additional Enterprise User Security Configuration Options"

• Section 31.5, "Understanding Enterprise User Security Password Warnings"

• Section 31.6, "Troubleshooting"

31.1 Understanding How Oracle Enterprise User Security Works with Oracle Unified Directory

Oracle Enterprise User Security enables you to centrally manage database users across the enterprise. You can create enterprise users in an LDAP-compliant directory service, and then assign roles and privileges across various enterprise databases registered with the directory.

Users connect to Oracle Database by providing credentials stored in Oracle Unified Directory or other external LDAP-compliant directory front-ended by Oracle Unified Directory proxy server. The database executes LDAP search operations to query user specific authentication and authorization information. For more information, see Section 3.2.6, "Configuration 6: Enterprise User Security."

Integrating Oracle Unified Directory and Enterprise User Security enhances and simplifies your authentication and authorization capabilities by allowing you to leverage user identities stored in LDAP-compliant directory service without any additional synchronization.

For more information about Oracle Enterprise User Security, see the Oracle Database Enterprise User Security Administrator's Guide.

31.2 Before You Begin

Before you integrate Oracle Unified Directory with Oracle Enterprise User Security, you should consider what role Oracle Unified Directory will play in your topology. Also consider other business requirements for your enterprise. Before you begin integration, review all tasks and steps required for the various integration options.

Is OUD used as a directory server or as a directory proxy in the topology?

When you use OUD as a directory server, installation is straightforward, and configuration is contained in OUD. For more information, see Section 31.3.1, "Configuring Oracle Directory Server as a Directory for Enterprise User Security."

When you use OUD as a directory proxy, you must take additional steps to configure the external LDAP-compliant directory that stores user entries. For more information, see Section 31.3.2, "Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security."

Are you configuring an existing directory or proxy instance, or installing a new instance?

If you are configuring an existing directory or proxy instance to work with Enterprise User Security, you will need to complete some configuration steps manually. See the following for more information:

• Task 1: Configure Oracle Unified Directory to Work with Enterprise User Security

• Task 1: Configure User Identities in the External LDAP Directory

If you are installing a new directory or proxy instance, you can choose the Enterprise User Security option during setup. The new instance is automatically configured to EUS integration. See the following for more information:

• Installing and Configuring a New Oracle Unified Directory Instance to Work with Enterprise User Security

• Task 2: Configure Oracle Unified Directory Proxy to Work with Enterprise User Security

Additional business requirements for you to consider.

See the following for more information:

• Section 31.4.1, "Configuring OUD to Support Multiple Enterprise User Security Domains"

• Section 31.4.2, "Using Oracle Unified Directory and Enterprise User Security in High Availability Topologies"

31.3 Enabling Oracle Unified Directory and Oracle Enterprise User Security to Work Together

This section provides step-by-step instructions for the following:

• Configuring Oracle Directory Server as a Directory for Enterprise User Security

• Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security

Note:

Anonymous search access is enabled in Oracle Unified Directory for Enterprise User Security integration to work. This is required as Oracle Net Configuration Assistant (NetCA) performs anonymous searches against Oracle Unified Directory during configuration. After configuration using NetCA, you can disable anonymous access. See Section 28.5.1, "Disabling Anonymous Access."

Before You Begin

These instructions require you to configure multiple Oracle products, as well as any external LDAP-compliant directory you may have in your topology. Before you begin, be sure that you can access the following components as well as the current documentation that goes with them:

• Oracle Unified Directory, ODSM, oud-setup and oud-proxy-setup commands

• Oracle Enterprise User Security Net Configuration Assistant

• Database Configuration Assistant for Oracle Database

• Enterprise Manager for Oracle Database

• Supported LDAP directories (Microsoft Active Directory, Novell eDirectory, Oracle Unified Directory, or Oracle Directory Server Enterprise Edition) you have in your topology

31.3.1 Configuring Oracle Directory Server as a Directory for Enterprise User Security

To Configure Oracle Directory Server as a directory for Enterprise User Security, complete the tasks in the following sections:

• Task 1: Configure Oracle Unified Directory to Work with Enterprise User Security

• Task 2: Configure the User and Groups Location

• Task 3: Select the Oracle Context to be Used by Enterprise User Security

• Task 4: Register the Database in the LDAP Server

• Task 5: Configure Roles and Permissions

  • Step A: Create a Shared Schema in the Database

  • Step B: Create a New User-Schema Mapping

  • Step C: Create a Role in the Database

  • Step D: Create a New Role in the Domain

  • Step F: Create a New Proxy Permission

  • Step G: Configure Mappings for a Specific Database

• Task 6: Test the Database Configurations

31.3.1.1 Task 1: Configure Oracle Unified Directory to Work with Enterprise User Security

• If you already have an existing Oracle Unified Directory instance installed and provisioned, then complete the steps in one of these sections:

  • Section 31.3.1.1.2, "Configuring an Existing Oracle Unified Directory Server to Work with Enterprise User Security Using the Command Line"

  • Section 31.3.1.1.3, "Configuring an Existing Oracle Unified Directory Server to Work with Enterpriser User Security Using ODSM"

• If you do not already have an Oracle Unified Directory installed and provisioned, then complete the steps in the following section "Installing and Configuring a New Oracle Unified Directory Instance to Work with Enterprise User Security."

31.3.1.1.1 Installing and Configuring a New Oracle Unified Directory Instance to Work with Enterprise User Security

Run the oud-setup program. You can use the command line, or the graphical user interface.

• To run oud-setup with following --cli option. For example:

  $ oud-setup --cli --integration eus --no-prompt --ldapPort 1389\
   --adminConnectorPort 4444 -D "cn=directory manager"\
   --rootUserPasswordFile pwd.txt --ldapsPort 1636\
   --generateSelfSignedCertificate --baseDN "dc=example,dc=com"
  

  For detailed information about using oud-setup and all its options, see "Setting Up the Directory Server" in the Oracle Fusion Middleware Installation Guide for Oracle Unified Directory

  During setup, the baseDN specified in the --baseDN option is prepared for EUS. If you specify multiple base DNs, they will all be prepared for EUS.

  
  

• To use the graphical user interface:

  1. Run the oud-setup command

  2. In the Welcome page, click Next.

  3. In the Server Settings page, provide the following information:

     1. Host Name

        This is the server that hosts the Oracle Unified Directory instance that stores users and groups.

     2. Administration Connector Port

        This is the administration port used by OUD tools such as dsconfig.

     3. LDAP Listener Port

        Specify the port used by OUD.

     4. LDAP Secure Access

        Click Configure to enable secure access.

        In the Configure Secure Access window, click to mark the Enable SSL on Port checkbox. Then enter a port number for LDAPS, and click OK to continue.

     5. Root User DN

        This is the identity of the server administrator

     6. Password

        Enter a password to be used by the server administrator.

     7. Password (confirm)

        Enter the password a second time to confirm.

     Click Next to continue.

  4. In the Topology Options page, be sure the option "This will be a stand alone server" is selected, and click Next.

  5. In the Directory Data page, provide the following information:

     1. Directory Base DN

        Enter the base DN where you will store user entries.

     2. Directory Data

        Do not choose the option "Leave Database Empty." Choose one of the following options:

        "Only Create Base Entry" creates an entry with the base DN specified previously.

        "Import Data from LDIF File" imports LDIF data from the file specified in the Path field.

        "Import Automatically-Generated Sample Data" generates the number of sample entries specified in the Number of User Entries field.

        Click Next.

  6. In the Oracle Components Integration page, choose the option "Enable for EUS (Enterprise User Security), EBS, Database Net Services and DIP." This option also enables the server for Database Net Services.

     Click Next to continue.

  7. In the Server Tuning page, you can configure your tunings or click Next.

     See the Installation Guide for information about tuning configurations.

  8. In the Review page, review your settings, and click Finish.

     A new instance of Oracle Unified Directory is installed, configured, and then started.

31.3.1.1.2 Configuring an Existing Oracle Unified Directory Server to Work with Enterprise User Security Using the Command Line

You can configure an existing naming context for EUS, or you can create and configure a new naming context for EUS.

• To use an existing naming context for EUS, run the manage-suffix update command. For example:

  $ manage-suffix update -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus
  

  This command-line will configure the naming context specified as baseDN for EUS.

• To create a new naming context for EUS, run the manage-suffix create command. For example:

  $ manage-suffix create -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus
   
  

For more information about the manage-suffix command, see Section 17.2, "Managing Suffixes Using manage-suffix."

31.3.1.1.3 Configuring an Existing Oracle Unified Directory Server to Work with Enterpriser User Security Using ODSM

Before you begin, ensure that the server instance has an LDAP connection handler that is enabled for SSL. If SSL is not enabled, add an LDAPS connection handler. For information about adding an LDAPS connection handler, see Section 17.1, "Managing the Server Configuration Using dsconfig," and Section 17.1.5.2, "Configuring the LDAP Connection Handler."

You can configure an existing naming context for EUS, or you can create and configure a new naming context for EUS.

• To configure an existing naming context for EUS using ODSM:

  1. Connect to the directory server from ODSM

  2. Click the Configuration tab

  3. In the navigation pane on the left, below "Naming Contexts," choose the naming context you want to use.

  4. In the right pane, in the "Oracle Components Integration" section, choose "Enable for Enterprise User Security (EUS)" and click Apply.

• To create and configure a new naming context for EUS using ODSM:

  1. Connect to the directory server from ODSM, as described in Section 16.2, "Connecting to the Server Using ODSM."

  2. Click the Home tab.

  3. Under the Configuration menu, choose Create Local Naming Context.

  4. In the New Local Naming Context window, provide the following information:

     1. Base DN

        Type a name for the suffix that you want to create. You cannot enable EUS on an existing suffix that has already been populated with user data.

     2. Directory Data Options

        Choose one of the following:

        Only Create Base Entry creates the database along with the base entry of the suffix. Any additional entries must be added after suffix creation.

        Leave Database Empty creates an empty database. Do not select this option.

        When you use this option, the base entry and any additional entries must be added after suffix creation. But for this configuration, the suffix must contain at least one entry.

        Import Generated Sample Data populates the suffix with sample entries.

        Specify the number of entries that should be generated in the Number of User Entries field. You can import a maximum of 30,000 sample entries through ODSM. If you want to add more than 30,000 entries, you must use the import-ldif command.

     3. Oracle Components Integration

        To enable the new suffix, for Enterprise User Security (EUS), select Enable.

     4. Network Group

        Attach the suffix to at least one network group:

        To attach the suffix to an existing network group: Choose "Use Existing," and then choose the required network group from the list.

        To attach the suffix to a new network group: Select "Create New," and then in the Name field, type a name for the network group you want to create.

        You can attach the same suffix to several network groups.

     5. Workflow Element

        Attach the suffix to the workflow element.

        To attach the suffix to an existing workflow element:

        Choose "Use Existing," and then choose the required workflow element from the list.

        The suffix is stored inside the same database Local Backend workflow element, and will have the same properties such as an instance path to Berkeley DB files.

        To attach the suffix to a new workflow element:

        Choose "Create New," and then in the Name field, type a name for the workflow element you want to create.

        You can configure this new workflow element with additional other values such as Berkeley DB files, database cache size, and so on.

  5. Click Create.

     The following confirmation message is displayed:

     Naming Context created successfully.

31.3.1.2 Task 2: Configure the User and Groups Location

After Oracle Unified Directory has been configured for EUS or Oracle E-Business Suite, you must configure the naming context used to store the users and the groups by performing the following steps:

1. Locate the LDIF template file at install_directory/config/EUS/modifyRealm.ldif.

2. Edit the modifyRealm.ldif file as follows:

   • Replace dc=example,dc=com with the correct naming context for your server instance.

   • Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.

3. Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:

   $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -f modifyRealm.ldif
   

   Note:

   Ensure that you specify the port number on which the LDAP Connection Handler will listen for connections from clients (For example: 1389) and not the administration port number which is 4444.

31.3.1.3 Task 3: Select the Oracle Context to be Used by Enterprise User Security

Enterprise User Security stores its configuration, also called EUS metadata, in an Oracle Context which corresponds to a part of the Directory Information Tree. If your user entries are stored below dc=example,dc=com, then EUS is usually configured to use cn=OracleContext,dc=example,dc=com as Oracle Context.

Use Oracle Net Configuration Assistant to indicate where EUS should read its configuration.

1. To start the Oracle Net Configuration Assistant, run the netca command on the host where the database is installed.

2. On the Welcome page, select "Directory Usage Configuration," and click Next.

   On the subsequent pages, provide the following information:

   • Directory Type

     Select "Oracle Internet Directory" even if the LDAP server is an Oracle Virtual Directory or an Oracle Unified Directory.

     Click Next.

   • Hostname

     Enter the hostname or IP address of the server hosting your LDAP server.

   • Port

     Enter the LDAP port number.

   • SSL Port

     Enter the LDAPS port number.

   • Oracle Context

     Do not select cn=OracleContext. Instead, click the arrow to display and choose the location of your OracleContext.

     Click Next.

3. When the following message is displayed, click Next: "Directory usage configuration complete!"

4. When the Welcome page is displayed, click Finish.

5. To verify that the Net Configuration Assistant has successfully created the configuration file containing the LDAP server information, run the following command:

   # cat $ORACLE_HOME/network/admin/ldap.ora
   # ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
   # Generated by Oracle configuration tools.
   DIRECTORY_SERVERS= (oudhost:1389:1636)
   DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
   DIRECTORY_SERVER_TYPE = OID
   

   The configuration file used by the database contains the hostname and port of the LDAP server. In this example, the information is represented as: (oudhost:1389:1636). You can specify multiple servers, separated by commas, for high availability deployments. See Section 31.4.2, "Using Oracle Unified Directory and Enterprise User Security in High Availability Topologies."

   In this example, dc=example,dc=com represents the Oracle Context used to store the EUS configuration, also known as the EUS metadata.

31.3.1.4 Task 4: Register the Database in the LDAP Server

Use the Database Configuration Assistant for Oracle Database to complete this task.

1. Run the dbca command on the host where the database is installed.

   The Database Configuration Assistant for Oracle Database is displayed. Click Next, then provide the following information in the subsequent pages:

   • Select the operation you want to perform

     Choose "Configure Database Option," then click Next.

   • Database

     In the list box, select the database you want to register. Then click Next.

     Database Configuration Assistant determines if the database is already registered in the LDAP server.

   • Would you like to register this database with the directory service?

     Choose "Yes, register the database." Database Configuration Assistant will create an entry for the database in the Oracle Context.

   • User DN

     The user DN will be used to authenticate to the LDAP server. The user DN is also used in the add operation, which creates the database entry in the Oracle Context. The user must have write access to the LDAP server.

   • Password

     Database Configuration Assistant creates a wallet for the database. The database entry DN and password will be stored in the wallet. When the database connects to the LDAP server, it will authenticated using credentials stored in this wallet.

   • Database Components

     Make no changes to this page, and click Next.

   • Connection Mode

     Choose "Dedicated Server Mode," then click Finish.

   • Confirmation

     Click OK to register the database.

   • Do you want to perform another operation?

     Click No to exit the Database Configuration Assistant application.

2. To verify that Database Configuration Assistant successfully created a new entry for the database, run the following command, where cn=orcl11g is the name of the database specified in the previous step:

   $ ldapsearch -h oudhost -p 1389 -D "cn=directory manager" -j pwd.txt -b cn=oraclecontext,dc=example,dc=com "(cn=orcl11g)"
   dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
   orclVersion: 112000
   orclcommonrpwdattribute: {SASL -MD5}eW5+2LTPRKzFmHxmMZQmnw==
   objectClass: orclApplicationEntity
   objectClass: orclService
   objectClass: orclDBServer_92
   objectClass; orclDBServer
   objectClass: top
   orclServiceType: DB
   orclSid: orcl11g
   oracleHome: /app/oracle/product/db/product/11.2.0/dbhome_1
   cn: orcl11g
   orclSystemName: oudhost 
   userPassord: {SSHA}oNeBEqkUMtDusjXNXJPpa7qa+Yd0b9RHvA==
   orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST)=oudhost)
   (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl11g)))
   orclDBGLOBALNAME: orcl11g
   orclNetDescName: 000:cn= DESCRIPTION_0
   

31.3.1.5 Task 5: Configure Roles and Permissions

Use Oracle Enterprise Manager to complete the steps in this task.

• Step A: Create a Shared Schema in the Database

• Step B: Create a New User-Schema Mapping

• Step C: Create a Role in the Database

• Step D: Create a New Role in the Domain

• Step E: Define a Proxy Permission in the Database

• Step F: Create a New Proxy Permission

• Step G: Configure Mappings for a Specific Database

31.3.1.5.1 Step A: Create a Shared Schema in the Database

Run the following SQL commands:

SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
User created.
SQL> GRANT CONNECT TO global_ident_schema_user;
Grant succeeded.

31.3.1.5.2 Step B: Create a New User-Schema Mapping

1. In a web browser, connect to Enterprise Manager. For example:

   https://localhost:1158/em

   Provide the following, then click Login.

   • User Name

     Enter the name of a user who is authorized to administer the database.

   • Password

     Enter the administrator password.

   • Connect As

     Choose SYSDBA.

     Click Login.

2. Click the Server tab.

   On the Server tab, in the Security section, click Enterprise User Security.

3. In the "Oracle Internet Directory Login: Enterprise User Security" page, provide the following information:

   • User

     Enter the username of a user, for example cn=directory manager, who has write access to Oracle Context.

   • Password

     Enter the password for the same user.

   Click Login.

4. On the Enterprise User Security page, click Manage Enterprise Domains.

   An Enterprise Domain can contain one or more databases. The settings for an Enterprise Domain apply to all databases it contains.

5. On the Manage Enterprise Domains page, select the domain you want to configure, then click Configure.

6. On the Configure Domain page, click "User - Schema Mappings."

7. On the User - Schema Mappings page, click Create.

8. To create a domain-schema mapping, on New Mapping page provide the following information:

   1. From

      You can associate a global schema to all the users in a given subtree, or to a given user.

      To associate a global schema to all users in a given subtree:

      1. Choose Subtree, then click the flashlight icon to search for available subtrees.

      2. In the Select User page, select a subtree.

      3. Enterprise users below the DN you select will be mapped to the same global schema. Click Select.

      To associate a global schema to a given user:

      1. Choose User Name, then click the flashlight icon to search for available users.

      2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema. Click Select.

   2. To

      1. In the Schema field, enter the name of the global schema.

      2. For example, global_ident_schema_user.

   Click Continue.

9. On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.

31.3.1.5.3 Step C: Create a Role in the Database

For this example, a role named hr_access, is created. The role grants read access to the table hr.employees.

To create a role in the database:

SQL> CREATE ROLE hr_access IDENTIFIED GLOBALLY;
Role created.
SQL> GRANT SELECT ON hr.employees TO hr_access;
Grant succeeded.

For more information, see the Oracle Database documentation.

31.3.1.5.4 Step D: Create a New Role in the Domain

1. On the Manage Enterprise Domains page, select the domain in which you want to create the role, then click Configure.

2. On the Configure Domain page, click Enterprise Roles. Click Create.

3. On the Create Enterprise Role page, provide the following information:

   1. In the Name field, provide a name for your enterprise role.

   2. In the DB Global Roles tab, click Add.

4. In the Search And Select: Database Global Roles page, provide the following information:

   • Database

     Choose the database from the drop-down list.

   • User Name

     Enterprise Manager will retrieve the available roles from the database. Enter a username of an administrator, for example SYS AS SYSDBA, who is authorized to access the roles.

   • Password

     Enter the administrator password.

   Click Go.

5. In the "Search and Select: Database Global Roles" page, choose the global role you want to grant to Enterprise Users.

   Click Select.

6. In the Create Enterprise Role page, select the Enterprise user or groups to which you will grant the Enterprise Role, then click the Grantees tab.

7. On the Grantees tab, to select Enterprise users or groups click Add.

8. In the "Select: Users and Groups" page, click Go. Enterprise Manager retrieves available Users and Groups.

   • View

     You can search for users or groups.

   • Search Base

     Enterprise Manager begins the search at this DN.

   • Name

     Enter a string here to narrow down the search. For example, if you want to find a user whose name starts with jo, enter jo and Click Go.

     A table displays relevant entries. From the list, select the users and groups to which you want to grant the Enterprise Role, then click Select.

     Click Continue.

9. In the Configure Domain page, click OK to continue.

10. In the Edit Enterprise Role page, click Continue.

11. In the Configure Domain page, click OK.

    After the role has been successfully created, click Configure.

31.3.1.5.5 Step E: Define a Proxy Permission in the Database

To define a proxy permission on user SH, run the following command:

SQL> ALTER USER SH GRANT CONNECT THROUGH ENTERPRISE USERS;
User altered.
 

This command defines a proxy permission on user SH.

31.3.1.5.6 Step F: Create a New Proxy Permission

1. On the Configure Domain Information page, select the domain you want to configure, then click Configure.

2. On the Configure Domain page, click Proxy Permissions.

3. To create a new Proxy Permission, on the Proxy Permissions tab click Create.

4. On the Create Proxy Permission page, in the Name field, provide a name for your Proxy Permission.

5. On the Target DB Users tab, click Add.

6. On the "Search And Select: Database Target Users" page, provide the following information:

   • Database

     Choose the database from the drop-down list.

   • User Name

     Enter the username of an administrator, for example SYS AS SYSDBA, who is authorized to access the users.

   • Password

     Enter the administrator password.

   Click Go.

   Enterprise Manager retrieves the available target users from the database.

7. In the Search and Select page, select the target user for the proxy permission, then click Select.

8. In the Create Proxy Permission page, click the Grantees tab.

9. On the Grantees tab, click Add.

10. On the Select Users and Groups page, click Go. Enterprise Manager retrieves available Enterprise Users.

    In the Select: Users and Groups page, select the users to be granted Proxy Permission. Then click Select to continue.

11. On the Create Proxy Permission page, click Continue.

12. On the Configure Domain page, click OK to continue.

31.3.1.5.7 Step G: Configure Mappings for a Specific Database

1. On the Enterprise User Security page, click Manage Databases.

2. On the Manage Databases page, select the database you want to configure, and click Configure.

3. On the Configure Database page, click "User - Schema Mappings" tab.

4. On the "User - Schema Mappings" page, click Create.

5. To create a domain-schema mapping, on New Mapping page provide the following information:

   1. From

      You can associate a global schema to all the users in a given subtree, or to a given user.

      To associate a global schema to all users in a given subtree:

      1. Choose Subtree, then click the flashlight icon to search for available subtrees.

      2. In the Select User page, select a subtree.

      3. Enterprise users below the DN you select will be mapped to the same global schema. Click Select.

      To associate a global schema to a given user:

      1. Choose User Name, then click the flashlight icon to search for available users.

      2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema. Click Select.

   2. To

      1. In the Schema field, enter the name of the global schema.

      2. For example, global_ident_schema_user.

   Click Continue.

6. On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.

31.3.1.6 Task 6: Test the Database Configurations

At this point Enterprise User Security contains the following configurations:

• A users-schema mapping granting a global schema to all users below dc=example,dc=com

• An Enterprise Role granting HR_ACCESS to uid=user.0,ou=people,dc=example,dc=com

• A Proxy Permission allowing uid=user.1,our=people,dc=example,dc=com to proxy user SH.

To test the database configurations:

1. Run sqlplus to connect to the database with user.0.

   In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.0,ou=people,dc=example,dc=com in the LDAP server.

   # sqlplus user.0
    
   SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
    
   Copyright  (c) 1982, 2010, Oracle. All rights reserved.
    
   Enter password:
    
   Connected to: 
   Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
   With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
   SQL> select * from session_roles;
    
    
   Role
   -------------------------------
   CONNECT
   HR_ACCESS
    
   SQL>
   

   In this example, the following are indications that the database is configured properly for users such as user.0.

   • The line that starts with Connected to: indicates that authentication succeeded.

   • The line that begins with SQL> select * from session_roles;
     enables the user to check the roles granted to himself.

   • The database role HR_ACCESS is granted through the Enterprise Role.

2. Run sqlplus to connect to the database with user.1 credentials.

   In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.

   # sqlplus user.1
    
   SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
    
   Copyright  (c) 1982, 2010, Oracle. All rights reserved.
    
   Enter password:
    
   Connected to: 
   Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
   With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
   SQL> select * from session_roles;
    
    
   Role
   -------------------------------
   CONNECT
    
    
   SQL>
   

   In this example, the following are indications that the database is configured properly for users such as user.1.

   • The line that starts with Connected to: indicates that authentication succeeded.

   • The line that begins with SQL> select * from session_roles;
     enables the user to check the roles granted to himself.

   • The only database role is CONNECT, and it is granted through the Global Schema.

3. Run sqlplus to connect to the database a with user.1 credentials using a proxy permission as user SH.

   In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.

   # sqlplus user.1[sh]
    
   SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
    
   Copyright  (c) 1982, 2010, Oracle. All rights reserved.
    
   Enter password:
    
   Connected to: 
   Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
   With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
   SQL> select * from session_roles;
    
    
   Role
   -------------------------------
   RESOURCE
   SELECT_CATALOG_ROLE
   HS_ADMIN_SELECT_ROLE
   CWM_USER
    
    
   SQL>
   

   In this example, the following are indications that the database is configured properly for users such as user.1.

   • The line that starts with Connected to: indicates that authentication succeeded.

   • The line that begins with SQL> select * from session_roles;
     enables the user to check the roles granted to himself.

   • The user user.1 inherits the roles of user SH through the proxy authentication.

31.3.2 Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security

To configure Oracle Unified Directory Proxy to work with an External LDAP Directory and Enterprise User Security, complete the tasks described in the following sections:

• Task 1: Configure User Identities in the External LDAP Directory

• Task 2: Configure Oracle Unified Directory Proxy to Work with Enterprise User Security

• Task 3: Configure the Users and Groups Location

• Task 4: Select the Oracle Context to be Used By Enterprise User Security

• Task 5: Register the Database in the LDAP Server

• Task 6: Configure Roles and Permissions

  • Step A: Create a Shared Schema in the Database

  • Step B: Create a New User-Schema Mapping

  • Step C: Create a Role in the Database

  • Step D: Create a New Role in the Domain

  • Step E: Define a Proxy Permission in the Database

  • Step F: Create a New Proxy Permission

  • Step G: Configure Mappings for a Specific Database

• Task 7: Test the Database Configurations

31.3.2.1 Task 1: Configure User Identities in the External LDAP Directory

Configure the existing user and group identities so they can be recognized by Enterprise User Security. Choose from the following based on your external LDAP directory:

• Section 31.3.2.1.1, "To Configure User Identities in Microsoft Active Directory"

• Section 31.3.2.1.2, "To Configure User Identities in Oracle Directory Server Enterprise Edition"

• Section 31.3.2.1.3, "To Configure User Identities in Novell eDirectory"

• Section 31.3.2.1.4, "To Configure User Identities in Oracle Unified Directory"

31.3.2.1.1 To Configure User Identities in Microsoft Active Directory

1. Make a back-up copy of your Active Directory image. The schema extensions inside of Active Directory are permanent and cannot be canceled. The back-up image enables you to restore all your changes if required.

2. Execute the following command to load the Enterprise User Security required schema, ExtendAD, into Active Directory using the Java classes included in Oracle Unified Directory.

   The ExtendAD file is located in the $ORACLE_HOME/config/EUS/ActiveDirectory/ directory (UNIX) or ORACLE_HOME\config\EUS\ActiveDirectory\ directory (Windows). You can use the java executable in the ORACLE_HOME/jdk/bin directory.

   java ExtendAD -h Active_Directory_Host_Name -p Active_Directory_Port 
   -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password
   –AD Active_Directory_Domain_DN -commonattr
   

   Example:

   java ExtendAD -h myhost -p 389 -D cn=administrator,cn=users,dc=example,dc=com -w <pwd> -AD dc=example,dc=com -commonattr
   

3. Install the Oracle Unified Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:

   1. Complete the following depending on your Windows:

      Windows 32-bit

      Copy OUD_HOME\config\EUS\ActiveDirectory\win\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.

      Windows 64-bit

      Copy OUD_HOME\config\EUS\ActiveDirectory\win64\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.

   2. Use regedt32 or regedt64 to edit the registry and enable the oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.

   3. Add oidpwdcn to the end of the Notification Packages entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      

      This step enables the password DLL and populates orclCommonAttribute attribute with the password verifier required by EUS.

   4. Restart the Active Directory system after making these changes.

4. Reset the password for all the Active Directory users, allowing the plug-in to acquire the password changes and generate and store password verifiers.

5. Verify the Active Directory setup by performing the following steps:

   1. Change the password of an Active Directory user.

   2. Search Active Directory for the user you changed the password for. Verify the orclCommonAttribute attribute contains the generated hash password value.

      This value adds the orclCommonAttribute attribute definition in Active Directory.

Note:

Ensure that you modify the default password policy of the Oracle Unified Directory containing the Enterprise Users and the Enterprise Groups details. Do not modify the default password policy of the Oracle Unified Directory instance acting as the proxy server.

31.3.2.1.2 To Configure User Identities in Oracle Directory Server Enterprise Edition

Run ldapmodify command from Oracle Directory Server Enterprise Edition to enable extended operation for the account lock, as follows:

ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password>
dn: oid=1.3.6.1.4.1.42.2.27.9.6.25,cn=features,cn=config
changetype: add
objectclass: directoryServerFeature
oid: 1.3.6.1.4.1.42.2.27.9.6.25
cn: Password Policy Account Management

31.3.2.1.3 To Configure User Identities in Novell eDirectory

Enable the Universal Password in eDirectory, and allow the administrator to retrieve the user password. See the Novell eDirectory documentation about Password Management for more information.

31.3.2.1.4 To Configure User Identities in Oracle Unified Directory

Modify the default password policy to use Salted SHA-1 as password storage scheme by running dsconfig command as follows:

./dsconfig -h <OUD host> -p <OUD admin port> -D <OUD dirmgr> -j <pwdfile>
-X -n set-password-policy-prop\
--policy-name "Default Password Policy"\ 
--set default-password-storage-scheme:"Salted SHA-1"

Note:

Ensure that you modify the default password policy of the Oracle Unified Directory containing the Enterprise Users and the Enterprise Groups details. Do not modify the default password policy of the Oracle Unified Directory instance acting as the proxy server.

31.3.2.2 Task 2: Configure Oracle Unified Directory Proxy to Work with Enterprise User Security

• If you do not already have an Oracle Unified Directory Proxy installed, complete the steps in one of these sections:

  • Section 31.3.2.2.1, "Installing and Configuring a New Oracle Unified Directory Proxy Using the Command Line."

  • Section 31.3.2.2.2, "Installing and Configuring a New Oracle Unified Directory Proxy to Work with Enterprise User Security Using the Graphical User Interface."

• If you already have an Oracle Unified Directory Proxy instance installed, complete the steps in Section 31.3.2.2.3, "Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using ODSM."

31.3.2.2.1 Installing and Configuring a New Oracle Unified Directory Proxy Using the Command Line

1. Run the oud-proxy-setup command. For example:

   oud-proxy-setup -i -p 1389 --adminConnectorPort 4444
   -D "cn=directory manager" -j pwd.txt -Z 1636 --generateSelfSignedCertificate 
   --eusContext dc=example,dc=com
   

2. Create an LDAP server extension for the remote LDAP server containing the Enterprise users and groups. For example:

   dsconfig create-extension \
             --set enabled:true \
             --set remote-ldap-server-address:serverip \
             --set remote-ldap-server-port:389 \
             --type ldap-server \
             --extension-name proxy1 \
             --hostname localhost \
             --port 4444 \
             --trustAll \
             --bindDN "cn=directory manager" \
             --bindPasswordFile pwd.txt \
             --no-prompt
   

3. Create a Proxy workflow element for the remote LDAP server using the LDAP server extension you created in the previous step.

   You can configure this Proxy workflow element to use either the use-specific-identity or the use-client-identity mode.

   • Use use-specific-identity mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.

     To create the proxy workflow element using the use-specific-identity mode, run the dsconfig command as follows:

     dsconfig create-workflow-element \
               --set client-cred-mode:use-specific-identity \
               --set enabled:true \
               --set ldap-server-extension:proxy1 \
               --set remote-ldap-server-bind-dn: \
                 cn=administrator,cn=users,dc=example,dc=com \
               --set remote-ldap-server-bind-password:******** \
               --set remote-root-dn:cn=administrator,cn=users,dc=example,dc=com\
               --set remote-root-password:******** \
               --type proxy-ldap \
               --element-name proxy-we1 \
               --hostname localhost \
               --port 4444 \
               --trustAll \
               --bindDN "cn=directory manager" \
               --bindPasswordFile pwd.txt \
               --no-prompt
     

     In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by OUD proxy to connect to the remote server.

   • Use use-client-identity mode if your external LDAP server allows anonymous access.

     If you want to use the use-client-identity mode, then you must configure the external LDAP server credentials and configure an exclude-list.

     The database usually connects with its own credentials to Oracle Unified Directory proxy server, and then performs searches on the external LDAP server. When EUS is enabled, the database must use an alternate ID to bind to the external LDAP server because the database entry does not exist on the external LDAP server. The database entry is stored locally on the Oracle Unified Directory proxy server.

     To create the proxy workflow element using use-client-identity mode, run the dsconfig command as follows:

     dsconfig create-workflow-element \
               --set client-cred-mode:use-client-identity \
               --set enabled:true \
               --set ldap-server-extension:proxy1 \
               --set exclude-list:"cn=directory manager" \
               --set exclude-list:cn=oraclecontext,dc=example,dc=com \
               --set remote-ldap-server-bind-dn: \
                 cn=administrator,cn=users,dc=example,dc=com \
               --set remote-ldap-server-bind-password:******** \
               --set remote-root-dn:cn=administrator,cn=users,dc=example,dc=com\
               --set remote-root-password:******** \
               --type proxy-ldap \
               --element-name proxy-we1 \
               --hostname localhost \
               --port 4444 \
               --trustAll \
               --bindDN "cn=directory manager" \
               --bindPasswordFile pwd.txt \
               --no-prompt
     

     In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by the remote LDAP administrator.

     Important. When in use-client-identity mode, if you are integrating with Active Directory, then you must also run the following command to allow anonymous login, where dc=example,dc=com is the base DN of your Active Directory server.

     ldapmodify -h ADhost -p ADport -D ADdirmgr -w pwd
     dn: cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=example,dc=com
     changetype: modify
     replace: dsHeuristics
     dsHeuristics: 0000002
     

4. Create a EUS workflow element using the proxy workflow element created in the previous step:

   dsconfig create-workflow-element \
             --set enabled:true \
             --set eus-realm:dc=example,dc=com \
             --set next-workflow-element:proxy-we1 \
             --set server-type:ad \
             --type eus \
             --element-name eus-we1 \
             --hostname localhost \
             --port 4444 \
             --trustAll \
             --bindDN "cn=directory manager" \
             --bindPasswordFile pwd.txt \
             --no-prompt
   

   Note: The server-type defines the remote LDAP server containing your enterprise users and groups. Use one of the following values: ad for Active Directory, edir for Novell eDirectory, oud for Oracle Unified Directory, or odsee Oracle Directory Server Enterprise Edition.

5. Create a workflow for your naming context using the EUS workflow element created in the previous step:

   dsconfig create-workflow \
             --set base-dn:dc=example,dc=com \
             --set enabled:true \
             --set workflow-element:eus-we1 \
             --type generic \
             --workflow-name workflow1 \
             --hostname localhost \
             --port 4444 \
             --trustAll \
             --bindDN "cn=directory manager" \
             --bindPasswordFile pwd.txt \
             --no-prompt
   

6. Add the workflow created in the previous step to your network group:

   dsconfig set-network-group-prop \
             --group-name network-group \
             --add workflow:workflow1 \
             --hostname localhost \
             --port 4444 \
             --trustAll \
             --bindDN "cn=directory manager" \
             --bindPasswordFile pwd.txt \
             --no-prompt
   

31.3.2.2.2 Installing and Configuring a New Oracle Unified Directory Proxy to Work with Enterprise User Security Using the Graphical User Interface

1. Run the oud-proxy-setup program.

   1. In the Welcome page, click Next.

   2. In the Server Settings page, provide the following information:

      Host Name. Enter the name of the OUD proxy host.

      Administration Connector Port. This is the administration port used by OUD tools such as dsconfig.

      LDAP Listener Port. Specify the port used by the OUD proxy.

      LDAP Secure Access. Click Configure to enable secure access.

      In the Configure Secure Access window, click to mark the "Enable SSL on Port" checkbox. Then enter a port number for LDAPS, and click OK to continue.

      Root User DN. This is the identity of the server administrator.

      Password. Enter a password to be used by the server administrator.

      Password (confirm). Enter the password a second time to confirm.

      Click Next to continue.

   3. In the Deployment Options page, in the Configuration Option field, choose "Configure EUS (Enterprise User Security)" and click Next.

      Oracle Unified Directory will be used as a proxy, and deployed in front of the LDAP server containing EUS users and groups.

   4. On the Back-End Server Type page, choose one of the supported server types. This is the LDAP-compliant server that contains the Enterprise User Security users and groups.

      Click Next to continue.

   5. On the next page, click Add Server.

      On the Add Server page, provide the following information:

      Host Name. Enter the host name of the LDAP server that contains Enterprise User Security users and groups.

      Protocol. If you are using Novell eDirectory, you must choose LDAPS.

      For all other external directories, you can choose one of the following: LDAP, LDAPS, or [LDAP & LDAPS].This determines how OUDproxy will connect to the remote LDAP server.

      Port Number. Enter the port number of the LDAP server that contains Enterprise User Security users and groups.

      You can click Add to add another LDAP server. After you are done adding LDAP servers, click Close to continue.

   6. Review the list on the Servers Page.

      The Servers Page now lists the server or servers that contain Enterprise User Security users and groups. Click Next to continue.

   7. On the Naming Contexts page, click to mark the checkbox beside a Base DN to choose the Base DN for a naming context.

      If the table does not display a Naming Context, enter the Base DN of your remote LDAP server in the "Additional Naming Context DN" field, select Add.

      Click Next to continue.

   8. Configure the runtime options for the server.

      You can click Change to configure any specific JVM settings, or click Next to run the server with the default JVM settings.

      Click Next.

   9. In the Review page, review your settings, and click Finish.

      A new instance of Oracle Unified Directory Proxy is installed, configured, and started.

      Click Close.

2. Set the remote root DN and remote root user accounts by running the dsconfig command on the OUD Proxy as follows:

   dsconfig set-workflow-element-prop \
             --element-name proxy-we1 \
             --set remote-root-dn:cn=directory manager \
             --set remote-root-password:******** \
             --hostname localhost \
             --port 4444 \
             --trustAll \
             --bindDN "cn=directory manager" \
             --bindPasswordFile pwd.txt \
             --no-prompt
   

   Note:

   In the preceding command, --element-name property corresponds to the name of the proxy workflow element, which is used to connect to the external LDAP directory server.

   If you configure proxy through OUD-proxy-setup wizard, then the default name of the proxy workflow element is proxy-we1. Alternatively, if you configure the proxy through CLI by using dsconfig command, then the name of the workflow element would be as per the value you provide as an input in the command.

   You can find the workflow element by running the dsconfig command as follows:

   dsconfig -h localhost -p administration port number -D "cn=Directory Manager" -X -n list-workflow-elements --bindPasswordFile password.txt
   

   You observe output similar to the following:

   Workflow Element  : Type               : enabled
   ----------------- :--------------------:--------
   adminRoot         : ldif-local-backend : true
   load-bal-we1      : load-balancing     : true
   proxy-we1         : proxy-ldap         : true
   

   In the above example, if you look at the proxy-ladp type, you will locate the workflow element name (proxy-we1) corresponding to that.

3. Set the mode for the proxy workflow element for the external LDAP-compliant directory.

   By default, the configuration is set to use-client-identity mode.

   • Use use-client-identity mode if your external LDAP server allows anonymous access.

     If you want to use the use-client-identity mode, then you must configure the external LDAP server credentials and an exclude-list.

     The database usually connects with its own credentials to Oracle Unified Directory proxy server, and performs searches on the external LDAP server. When EUS is enabled, the database must use an alternate ID to bind to the external LDAP server because the database entry does not exist on the external LDAP server. The database entry is stored locally on the Oracle Unified Directory proxy server.

     To use the use-client-identity mode, run the dsconfig command as follows:

     dsconfig set-workflow-element-prop \
               --element-name proxy-we1 \
               --set client-cred-mode:use-client-identity \
               --add exclude-list:cn=directory manager \
               --add exclude-list:cn=oraclecontext,dc=example,dc=com \
               --set remote-ldap-server-bind-dn: \
                 cn=administrator,cn=users,dc=example,dc=com \
               --set remote-ldap-server-bind-password:******** \
               --hostname localhost \
               --port 4444 \
               --trustAll \
               --bindDN "cn=directory manager" \
               --bindPasswordFile pwd.txt \
               --no-prompt
     

     In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by the remote LDAP administrator.

     Important. When in use-client-identity mode, if you are integrating with Active Directory, then you must run the following command to allow anonymous login, where dc=example,dc=com is the base DN of your Active Directory server.

     ldapmodify -h <ADhost> -p <AD port> -D <AD dirmgr> -w <pwd>
     dn: cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=example,dc=com
     changetype: modify
     replace: dsHeuristics
     dsHeuristics: 0000002
     

   • Use use-specific-identity mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.

     If you want to change the mode setting to use-specific-identity, then you must configure the external LDAP server credentials.

     To use use-specific-identity mode, run the dsconfig command as follows:

     dsconfig set-workflow-element-prop \
               --element-name proxy-we1 \
               --set client-cred-mode:use-specific-identity \
               --set remote-ldap-server-bind-dn: \
                 cn=administrator,cn=users,dc=example,dc=com\
               --set remote-ldap-server-bind-password:******** \
               --hostname localhost \
               --port 4444 \
               --trustAll \
               --bindDN "cn=directory manager" \
               --bindPasswordFile pwd.txt \
               --no-prompt
     

     In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by the remote LDAP administrator.

31.3.2.2.3 Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using ODSM

1. Connect to Oracle Unified Directory Proxy from ODSM.

2. Select the Home tab.

3. Under the Configuration section, choose "Set Up Remote EUS Naming Context."

4. In the "Create Remote EUS Naming Context" page, provide the following information:

   Base DN. This is the suffix provided by the remote LDAP server.

   Network Group. Attach the suffix to at least one network group. Select the required network group from the list.

   Server Type. Select the type of LDAP server containing your users and groups from the list.

   Host Name. Enter the name of the machine where the remote LDAP server is running.

   Ports available. Indicate whether you want the OUD Proxy to connect to the remote LDAP server using LDAP, or LDAPS, or both LDAP and LDAPS.

   Depending upon the option you chose, enter a port number for the LDAP port, LDAPS port, or for both LDAP and LDAP ports. This must be the port used by the remote LDAP server.

   If you checked LDAPS, configure SSL to either Trust All or configure a Trust Manager.

   Click Create.

5. Select the Configuration tab.

6. In the Naming Contexts list, choose the Proxy below the Naming context you just created.

7. In the Proxy LDAP workflow element window:

   1. Enter a Bind DN and a Bind Password.

      These must match the credentials of the remote LDAP server administrator.

   2. Expand the Remote Root Properties, and enter a Remote Root DN and password.

      These must match the credentials of the remote LDAP server administrator.

   3. In the Credentials Mode field, set the mode for the proxy workflow element for the external LDAP-compliant directory.

      • Use use-specific-identity mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.

        To use use-specific-identity mode:

        In the Credentials Mode field, choose Use Specific Identity. Then enter the values for the Bind DN and the Bind Password. Enter the Bind Password a second time to confirm it.

      • Use use-client-identity mode if your external LDAP server allows anonymous access.

        To use-client-identity mode:

        In the Credentials Mode field, first select Use Client Identity, and expand the Client Identity Mode Properties. Then add "cn=directory manager" and "cn=OracleContext,dc=example,dc=com" to the Exclude Bind DNs table.

   4. Click Apply.

31.3.2.3 Task 3: Configure the Users and Groups Location

After Oracle Unified Directory has been configured for EUS or Oracle E-Business Suite, you must configure the naming context used to store the users and the groups by performing the following steps:

1. Locate the LDIF template file at install_dir/config/EUS/modifyRealm.ldif.

2. Edit the modifyRealm.ldif file as follows:

   • Replace dc=example,dc=com with the correct naming context for your server instance.

   • Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.

3. Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:

   $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -f modifyRealm.ldif
   

   Note:

   Ensure that you specify the port number on which the LDAP Connection Handler will listen for connections from clients (For example: 1389) and not the administration port number which is 4444.

4. If you are integrating Active Directory, run the following command, replacing dc=example,dc=com with the appropriate base DN for your configuration:

   $ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file
   dn:cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
   changetype: modify
   replace: orclCommonNickNameAttribute
   orclCommonNickNameAttribute: samaccountname
   

31.3.2.4 Task 4: Select the Oracle Context to be Used By Enterprise User Security

Enterprise User Security stores its configuration (also called EUS metadata) in an Oracle Context, which corresponds to a part of the Directory Information Tree. If your user entries are stored below dc=example,dc=com, then EUS is usually configured to use cn=OracleContext,dc=example,dc=com as Oracle Context.

In this task, Oracle Net Configuration Assistant tells EUS where it should read its configuration.

1. To start the Oracle Net Configuration Assistant, run the netca command on the host where the database is installed.

   The Oracle Net Configuration Assistant is displayed.

2. On the Welcome page, select "Directory Usage Configuration," and click Next.

   Enter the following information in subsequent pages:

   1. Directory Type

      Select "Oracle Internet Directory" even if the LDAP server is an Oracle Virtual Directory or an Oracle Unified Directory.

      Click Next.

   2. Hostname

      Enter the hostname or IP address of the server hosting your LDAP server.

   3. Port

      Enter the LDAP port number.

   4. SSL Port

      Enter the LDAPS port number.

   5. Oracle Context

      Do not select cn=OracleContext. Instead, click the arrow to display and choose the location of your OracleContext.

      Oracle Net Configuration Assistant connects to the LDAP server to retrieve the available Oracle Contexts. Enterprise User Security configuration will be stored within your OracleContext.

      Click Next.

   6. Directory usage configuration complete!

      Click Next.

   When the Welcome page is displayed, click Finish.

3. To verify that the Net Configuration Assistant has successfully created the configuration file containing the LDAP server information, run the following command:

   # cat $ORACLE_HOME/network/admin/ldap.ora
   # ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
   # Generated by Oracle configuration tools.
   DIRECTORY_SERVERS= (oudhost:1389:1636)
   DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
   DIRECTORY_SERVER_TYPE = OID
   

   The configuration file used by the database contains the hostname and port of the LDAP server. In this example, the information is represented as: (oudhost:1389:1636). You can specify multiple servers, separated by commas, for high availability deployments.

   In this example, dc=example,dc=com represents the Oracle Context used to store the EUS configuration, also known as the EUS metadata.

31.3.2.5 Task 5: Register the Database in the LDAP Server

1. Run the dbca command on the host where the database is installed.

   The Database Configuration Assistant for Oracle database is displayed. Click Next, then provide the following information in the subsequent pages:

   1. Select the operation you want to perform.

      Choose "Configure Database Option," then click Next.

   2. Database

      In the list box, select the database you want to register. Then click Next.

      Database Configuration Assistant determines if the database is already registered in the LDAP server.

   3. Would you like to register this database with the directory service?

      Choose "Yes, register the database." Database Configuration Assistant will create an entry for the database in the Oracle Context.

   4. User DN

      The user DN will be used to authenticate to the LDAP server.

      The user DN is usually cn=directory manager, the directory manager of OUD proxy. The user DN is also used in the add operation, which creates the database entry in the Oracle Context. The user must have write access to the LDAP server.

   5. Password

      Database Configuration Assistant creates a wallet for the database. The database entry DN and password will be stored in the wallet. When the database connects to the LDAP server, it will authenticated using credentials stored in this wallet.

   6. Database Components

      Make no changes to this page, and click Next.

   7. Connection Mode

      Choose "Dedicated Server Mode," then click Finish.

   8. Confirmation

      Click OK to register the database.

   9. Do you want to perform another operation?

      Click No to exit the Database Configuration Assistant application.

2. To verify that Database Configuration Assistant successfully created a new entry for the database, run the following command, replacing orcl11g with the name of your database:

   $ ldapsearch -h oudhost -p 1389 -D "cn=directory manager" -j pwd.txt -b cn=oraclecontext,dc=example,dc=com "(cn=orcl11g)"
   dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
   orclVersion: 112000
   orclcommonrpwdattribute: {SASL -MD5}eW5+2LTPRKzFmHxmMZQmnw==
   objectClass: orclApplicationEntity
   objectClass: orclService
   objectClass: orclDBServer_92
   objectClass; orclDBServer
   objectClass: top
   orclServiceType: DB
   orclSid: orcl11g
   oracleHome: /app/oracle/product/db/product/11.2.0/dbhome_1
   cn: orcl11g
   orclSystemName: oudhost
   userPassord: {SSHA}oNeBEqkUMtDusjXNXJPpa7qa+Yd0b9RHvA==
   orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST)=oudhost)
   (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl11g)))
   orclDBGLOBALNAME: orcl11g
   orclNetDescName: 000:cn= DESCRIPTION_0
   

31.3.2.6 Task 6: Configure Roles and Permissions

Use Oracle Enterprise Manager to complete the steps in this task.

• Step A: Create a Shared Schema in the Database

• Step B: Create a New User-Schema Mapping

• Step C: Create a Role in the Database

• Step D: Create a New Role in the Domain

• Step E: Define a Proxy Permission in the Database

• Step F: Create a New Proxy Permission

• Step G: Configure Mappings for a Specific Database

31.3.2.6.1 Step A: Create a Shared Schema in the Database

Run the following SQL commands:

SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
User created.
SQL> GRANT CONNECT TO global_ident_schema_user;
Grant succeeded.

31.3.2.6.2 Step B: Create a New User-Schema Mapping

1. In a web browser, connect to Enterprise Manager. For example:

   https://localhost:1158/em

   Provide the following information:

   User Name. Enter the name of a user who is authorized to administer the database.

   Password. Enter the administrator password.

   Connect As.Choose SYSDBA.

   Click Login.

2. Click the Server tab.

   On the Server tab, in the Security section, click Enterprise User Security.

3. In the "Oracle Internet Directory Login: Enterprise User Security" page, provide the following information:

   User. Enter the username of a user, for example cn=directory manager, who has write access to Oracle Context.

   Password. Enter the password for the same user.

   Click Login.

4. On the Enterprise User Security page, click Manage Enterprise Domains.

   An Enterprise Domain can contain one or more databases. The settings for an Enterprise Domain apply to all databases it contains.

5. On the Manage Enterprise Domains page, select the domain you want to configure, then click Configure.

6. On the Configure Domain page, click "User - Schema Mappings."

7. On the User - Schema Mappings page, click Create.

8. To create a domain-schema mapping, on the New Mapping page provide the following information:

   1. From

      You can associate a global schema to all the users in a given subtree, or to a given user.

      To associate a global schema to all users in a given subtree:

      1. Choose Subtree, then click the flashlight icon to search for available subtrees.

      2. In the Select User page, select a subtree. Enterprise users below the DN you select will be mapped to the same global schema.

      3. Click Select.

      To associate a global schema to a given user:

      1. Choose User Name, then click the flashlight icon to search for available users.

      2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema.

      3. Click Select.

   2. To

      In the Schema field, enter the name of the global schema. For example:global_ident_schema_user.

      Click Continue.

9. On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.

31.3.2.6.3 Step C: Create a Role in the Database

For this example, a role named hr_access, is created. The role grants read access to the table hr.employees.

To create a role in the database:

SQL> CREATE ROLE hr_access IDENTIFIED GLOBALLY;
Role created.
SQL> GRANT SELECT ON hr.employees TO hr_access;
Grant succeeded.

For more information, see the Oracle Database documentation.

31.3.2.6.4 Step D: Create a New Role in the Domain

1. To create a new role in a domain, On the Manage Enterprise Domains page, select the domain in which you want to create the role, then click Configure.

2. On the Configure Domain page, click Enterprise Roles. Click Create.

3. On the Create Enterprise Role page, provide the following information:

   1. In the Name field, provide a name for your enterprise role.

   2. In the DB Global Roles tab, click Add.

4. On the "Search And Select: Database Global Roles' page, provide the following information:

   Database. Choose a database from the drop-down list.

   User Name. Enterprise Manager will retrieve the available roles from the database. Enter a username of an administrator, such as SYS AS SYSDBA, who is authorized to access the roles.

   Password. Enter the administrator password.

   Click Go.

5. In the "Search and Select: Database Global Roles" page, choose the global role you want to grant to Enterprise Users.

   Click Select.

6. In the Create Enterprise Role page, select the Enterprise user or groups to which you will grant the Enterprise Role, then click the Grantees tab.

7. On the Grantees tab, to select Enterprise users or groups click Add.

8. In the "Select: Users and Groups" page, click Go. Enterprise Manager retrieves available Users and Groups.

   View. You can search for users or groups.

   Search Base. Enterprise Manager begins the search at this DN.

   Name.Enter a string here to narrow down the search. For example, if you want to find a user whose name starts with jo, enter jo and Click Go.

   A table displays relevant entries. From the list, select the users and groups to which you want to grant the Enterprise Role, then click Select.

   Click Continue.

9. In the Configure Domain page, click OK to continue.

10. In the Edit Enterprise Role page, click Continue.

11. In the Configure Domain page, click OK.

    After the role has been successfully created, click Configure.

31.3.2.6.5 Step E: Define a Proxy Permission in the Database

To define a proxy permission on user SH, run the following command:

SQL> ALTER USER SH GRANT CONNECT THROUGH ENTERPRISE USERS;
User altered.
 
This command defines a proxy permission on user SH.

31.3.2.6.6 Step F: Create a New Proxy Permission

1. On the Configure Domain Information page, select the domain you want to configure, then click Configure.

2. On the Configure Domain page, click Proxy Permissions.

3. To create a new Proxy Permission, on the Proxy Permissions tab click Create.

4. On the Create Proxy Permission page, in the Name field, provide a name for your Proxy Permission.

5. On the Target DB Users tab, click Add.

6. On the "Search And Select: Database Target Users" page, provide the following information:

   Database. Choose the database from the drop-down list.

   User Name. Enter the username of an administrator, for example SYS AS SYSDBA, who is authorized to access the users.

   Password. Enter the administrator password.

   Click Go.

   Enterprise Manager retrieves the available target users from the database.

   In the Search and Select page, select the target user for the proxy permission, then click Select.

7. In the Create Proxy Permission page, click the Grantees tab.

8. On the Grantees tab, click Add.

9. On the Select Users and Groups page, click Go. Enterprise Manager retrieves available Enterprise Users.

   In the Select: Users and Groups page, select the users to be granted Proxy Permission. Then click Select to continue.

10. On the Create Proxy Permission page, click Continue.

11. On the Configure Domain page, click OK to continue.

31.3.2.6.7 Step G: Configure Mappings for a Specific Database

1. On the Enterprise User Security page, click Manage Databases.

2. On the Manage Databases page, select the database you want to configure, and click Configure.

3. On the Configure Database page, click "User - Schema Mappings" tab.

4. On the "User - Schema Mappings" page, click Create.

5. To create a domain-schema mapping, on the New Mapping page provide the following information:

   1. From

      You can associate a global schema to all the users in a given subtree, or to a given user.

      To associate a global schema to all users in a given subtree:

      1. Choose Subtree, then click the flashlight icon to search for available subtrees.

      2. In the Select User page, select a subtree. Enterprise users below the DN you select will be mapped to the same global schema.

      3. Click Select.

      To associate a global schema to a given user:

      1. Choose User Name, then click the flashlight icon to search for available users.

      2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema.

      3. Click Select.

   2. To

      In the Schema field, enter the name of the global schema. For example:global_ident_schema_user.

      Click Continue.

6. On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.

31.3.2.7 Task 7: Test the Database Configurations

At this point Enterprise User Security contains the following configurations:

• A users-schema mapping granting a global schema to all users below dc=example,dc=com

• An Enterprise Role granting HR_ACCESS to uid=user.0,ou=people,dc=example,dc=com

• A Proxy Permission allowing uid=user.1,our=people,dc=example,dc=com to proxy user SH.

To test the database configurations:

1. Run sqlplus to connect to the database with user.1 credentials using a proxy permission as user SH.

   In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.0,ou=people,dc=example,dc=com in the LDAP server.

   # sqlplus user.0
    
   SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
    
   Copyright  (c) 1982, 2010, Oracle. All rights reserved.
    
   Enter password:
    
   Connected to: 
   Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
   With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
   SQL> select * from session_roles;
    
    
   Role
   -------------------------------
   CONNECT
   HR_ACCESS
    
   SQL>
   

   In this example, the following are indications that the database is configured properly for users such as user.0.

   • The line that starts with Connect to: indicates that authentication succeeded.

   • The line that begins with SQL> select * from session_roles;
     enables the administrator to check the roles granted to the Enterprise User.

   • The database role HR_ACCESS is granted through the Enterprise Role.

2. Run sqlplus to connect to the database as with user.1 credentials using a proxy permission as user SH.

   In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.

   # sqlplus user.1
    
   SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
    
   Copyright  (c) 1982, 2010, Oracle. All rights reserved.
    
   Enter password:
    
   Connected to: 
   Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
   With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
   SQL> select * from session_roles;
    
    
   Role
   -------------------------------
   CONNECT
    
    
   SQL>
   

   In this example, the following are indications that the database is configured properly for users such as user.1.

   • The line that starts with Connect to: indicates that authentication succeeded.

   • The line that begins with SQL> select * from session_roles;
     enables the administrator to check the roles granted to the Enterprise User.

   • The only database role is CONNECT, and it is granted through the Global Schema.

3. Run sqlplus to connect to the database a with user.1 credentials using a proxy permission as user SH.

   In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.

   # sqlplus user.1[sh]
    
   SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
    
   Copyright  (c) 1982, 2010, Oracle. All rights reserved.
    
   Enter password:
    
   Connected to: 
   Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
   With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
   SQL> select * from session_roles;
    
    
   Role
   -------------------------------
   RESOURCE
   SELECT_CATALOG_ROLE
   HS_ADMIN_SELECT_ROLE
   CWM_USER
    
    
   SQL>
   

   In this example, the following are indications that the database is configured properly for users such as user.1.

   • The line that starts with Connect to: indicates that authentication succeeded.

   • The line that begins with SQL> select * from session_roles;
     enables the user currently logged in to check the roles granted to himself.

   • The user user.0 inherits user SH's roles through the proxy authentication.

31.4 Using Additional Enterprise User Security Configuration Options

The following are common configurations that are beyond the basic integration of Oracle Unified Directory and Enterprise User Security:

• Section 31.4.1, "Configuring OUD to Support Multiple Enterprise User Security Domains."

• Section 31.4.2, "Using Oracle Unified Directory and Enterprise User Security in High Availability Topologies."

31.4.1 Configuring OUD to Support Multiple Enterprise User Security Domains

If your users and groups are stored in multiple domains, you must configure OUD to support multiple EUS domains. For example, a single OUD instance contains two EUS domains. One EUS domain stores users entries in Active Directory below cn=users,dc=ad1,dc=com. A second EUS domain stores user entries in a different Active Directory instance below cn=users,dc=ad2,dc=com. You must configure OUD to support each EUS domain.

To configure OUD to support multiple EUS domains:

1. Configure OUD as if the primary domain is the single domain containing all your users and groups.

   In this example, the primary domain is dc=ad1,dc=com.

   Complete the tasks in Section 31.3.2, "Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security."

2. Configure the secondary domain.

   In this example, the secondary domain is dc=ad2,dc=com.

   For this secondary domain, complete the steps in Section 31.3.2.1, "Task 1: Configure User Identities in the External LDAP Directory."

3. Create a new naming context for the EUS domain, which is dc=ad2,dc=com in this example.

   Complete the steps in Section 31.3.2.2.3, "Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using ODSM."

4. Update the Oracle context with the new naming context.

   1. Create an LDIF file.

      In the following myconfig.ldif example, make the following substitutions:

      • Replace dc=ad1,dc=com with the DN of your first domain.

      • Replace orclcommonusersearchbase with the users location in the secondary domain.

      • orclcommongroupsearchbase with the groups location in the secondary domain.

      dn: cn=Common,cn=Products,cn=OracleContext,dc=ad1,dc=com
      changetype: modify
      add: orclcommonusersearchbase
      orclcommonusersearchbase: cn=users,dc=ad2,dc=com
      orclcommongroupsearchbase: cn=groups,dc=ad2,dc=com
      

   2. Update OUD configuration using the LDIF file you created in step 4a.

      ldapmodify -h oudhost -p 1389 -D "cn=directory manager" -w password -f myconfig.ldif
      

31.4.2 Using Oracle Unified Directory and Enterprise User Security in High Availability Topologies

You can achieve high availability among two or more OUD instances that have been integrated with Enterprise User Security. First, integrate OUD with Enterprise User Security. Then configure replication among the integrated OUD instances. Once configured, replication takes place among Enterprise User Security metadata (in either directory server or directory proxy) and the OUD server users and groups.

Configuring an integrated OUD LDAP server for replication is exactly the same as configuring an integrated OUD Proxy server with one exception: the list of suffixes to be replicated is different.

When an integrated OUD instance is configured as an LDAP server, the following suffixes are replicated:

cn=oraclecontext
cn=oraclecontext,dc=example,dc=com
dc=example,dc=com

When an integrated OUD instance is configured as a Proxy server, the following suffixes are replicated:

cn=oraclecontext
cn=oraclecontext,dc=example,dc=com

Note:

If you are using Oracle Data Guard or Oracle Real Application Clusters or high availability, each database instance must be configured using NetCA and DBCA.

To configure OUD-EUS integrated instances for high availability:

1. Enable the first Oracle Unified Directory and Oracle Enterprise User Security to work together.

   • If the first OUD instance is a directory server, then complete the tasks in Section 31.3.1, "Configuring Oracle Directory Server as a Directory for Enterprise User Security."

   • If the first OUD instance is a directory proxy, then complete the tasks in Section 31.3.2, "Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security."

2. Enable the second Oracle Unified Directory instance and Oracle Enterprise User Security to work together.

   • If the second OUD instance is configured as an LDAP server, then complete the tasks in Section 31.3.1, "Configuring Oracle Directory Server as a Directory for Enterprise User Security."

   • If the second OUD instance is configured as a Proxy, then complete the tasks in Section 31.3.2, "Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security."

3. Enable replication between the first OUD instance and the second OUD instance.

   • If the OUD instance is an LDAP server, then run this command:

     # dsreplication enable --host1 oud-proxy-source --port1 4444 --bindDN1
      "cn=Directory Manager"  --bindPasswordFile1 /tmp/pwd1.txt
      --replicationPort1 repl1 --host2 oud-proxy-dest --port2 4444 --bindDN2
      "cn=Directory Manager"  --bindPasswordFile2 /tmp/pwd2.txt
      --replicationPort2 repl2 --adminUID admin --adminPasswordFile
      /tmp/pwd3.txt --baseDN "cn=OracleContext,dc=example,dc=com" --baseDN
      "cn=OracleContext" --baseDN "dc=example,dc=com" -X -n
     

   • If the OUD instance is a directory proxy, then run this command:

     # dsreplication enable --host1 oud-proxy-source --port1 4444 --bindDN1
      "cn=Directory Manager"  --bindPasswordFile1 /
     tmp/pwd1.txt --replicationPort1 repl1 --host2 oud-proxy-dest --port2 4444
      --bindDN2 "cn=Directory Manager"  --bindPasswordFile2 /tmp/pwd2.txt
      --replicationPort2 repl2 --adminUID admin --adminPasswordFile
      /tmp/pwd3.txt --baseDN "cn=OracleContext,dc=example,dc=com" --baseDN
      "cn=OracleContext" -X -n
     

     Note:

     In the directory proxy example, the --baseDN "dc=example,dc=com" option is not included.

   Replication is now enabled in the first OUD instance (from step 1), and in the second OUD instance (from step 2).

4. Initialize replication. For example:

   • If the OUD instance is a directory server, then run this command:

     dsreplication initialize  --baseDN "cn=OracleContext,dc=example,dc=com"
       --baseDN "cn=OracleContext" --baseDN "dc=example,dc=com" \
       --adminUID admin --adminPasswordFile /tmp/pwd3.txt \
       --hostSource <oud-proxy-source> --portSource 4444 \
       --hostDestination <oud-proxy-dest>  --portDestination 4444 -X -n
     

   • If the OUD instance is a directory proxy, then run this command:

     dsreplication initialize  --baseDN "cn=OracleContext,dc=example,dc=com" \
       --baseDN "cn=OracleContext" \ 
       --adminUID admin --adminPasswordFile /tmp/pwd3.txt \
       --hostSource <oud-proxy-source> --portSource 4444 \
       --hostDestination <oud-proxy-dest>  --portDestination 4444 -X -n
     

     Note:

     In the directory proxy example, the --baseDN "dc=example,dc=com" option is not included.

   Both OUD instances now contain the same data. For more information, see Section 32.6, "Initializing a Replicated Server With Data."

5. Declare both OUD instances in the Database ldap.ora configuration file.

   # ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
   # Generated by Oracle configuration tools.
   DIRECTORY_SERVERS= (oudhost1:1389:1636,oudhost2:1389:1636)
   DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
   DIRECTORY_SERVER_TYPE = OID
   

31.5 Understanding Enterprise User Security Password Warnings

Password policies are a set of rules that apply to all user passwords in an identity management realm. Password policies include settings for password complexity, minimum password length, and so forth. They also include account lockout and password expiration settings.

The database communicates with Oracle Unified Directory and requests the Oracle Unified Directory to report any password policy violations. If the database gets a policy violation response from Oracle Unified Directory, then it displays the appropriate warning or error message to the user. The following table summarizes password warnings and their meanings.

Table 31-1 Password Warnings

Warning Condition	Message Example
The user password is about to expire. Message indicates the number of days left for the user to change his or her password.	SQL> connect joe/Admin123 ERROR: ORA-28055: the password will expire within 1 days Connected.
The password has expired and informs the user about the number of grace logins that remain.	SQL> connect joe/Admin123 ERROR: ORA-28054: the password has expired. 1 Grace logins are left Connected.
The user password has expired and the user does not have any grace logins left.	SQL> connect joe/Admin123 ERROR: ORA-28049: the password has expired
The user account has been locked due to repeated failed attempts at login.	SQL> connect joe/Admin123 ERROR: ORA-28051: the account is locked
The user account has been disabled by the administrator.	SQL> connect joe/Admin123 ERROR: ORA-28052: the account is disabled
The user account is inactive.	SQL> connect joe/Admin123 ERROR: ORA-28053: the account is inactive

Enterprise user login attempts to the database update the user account status in Oracle Unified Directory or any supported external LDAP-compliant directory. For example, consecutive failed login attempts to the database results in the account getting locked in the directory, as per the directory's password policy.

31.6 Troubleshooting

This section suggests solutions to issues you may encounter after integrating OUD and Enterprise User Security. Troubleshooting tips are grouped in the following categories:

• Net Configuration Assistant (NetCA) Tool Problems and Solutions

• Database Configuration Assistant (DBCA) Problems and Solutions

• Oracle SQL Problems and Solutions

31.6.1 Net Configuration Assistant (NetCA) Tool Problems and Solutions

• LDAP Server Connection Error

• Schema Error

• Naming Context Error

31.6.1.1 LDAP Server Connection Error

If the NetCA fails to connect to the directory then the Oracle Net Configuration Assistant screen displays the following error message:

Figure 31-1 Connection Error

Description of ''Figure 31-1 Connection Error''

To resolve this error, verify that the host name and port number are correct by running the following command on the command line:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT  -b "" -s base "(objectclass=*)"
dn: 
objectClass: top
objectClass: ds-root-dse
 
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X  -b "" -s base "(objectclass=*)"
dn: 
objectClass: top
objectClass: ds-root-dse

31.6.1.2 Schema Error

If the required schema is not available or the version number is incorrect then the Oracle Net Configuration Assistant screen displays the following error message:

Figure 31-2 Oracle Schema

Description of ''Figure 31-2 Oracle Schema''

To resolve this error, ensure that you can access Oracle Unified Directory anonymously and that it contains the cn=subschemasubentry entry:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X  -b cn=subschemasubentry -s base "(objectclass=*)"
dn: cn=subschemasubentry
objectClass: top
objectClass: ldapSubentry
objectClass: subschema

If the Oracle Unified Directory is not enabled for Enterprise User Security then the cn=subschemasubentry entry will not be available. To enable Enterprise User Security, see "Setting up the Directory Server by Using the GUI" in the Installing Oracle Unified Directory.

If the cn=subschemasubentry is not accessible anonymously then ensure that the following ACI is defined in the Oracle Unified Directory as a global ACIs:

(target="ldap:///cn=subschemasubentry")(targetscope="base") \
(targetattr="objectClass||attributeTypes||dITContentRules||dITStructureRules| \
|ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses") \ 
(version 3.0; acl "User-Visible SubSchemaSubentry Operational Attributes"; \
allow (read,search,compare) userdn="ldap:///anyone";)

For more information, see Section 28.1, "Managing Global ACIs Using dsconfig".

31.6.1.3 Naming Context Error

If the cn=OracleContext and cn=OracleContext,<your baseDN> naming contexts are not available, then the Oracle Net Configuration Assistant screen displays an error message.

To resolve this error, complete the following:

1. Verify if the baseDN is available, by running the following command on the command line:

   $ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X  -b "" -s base "(objectclass=*)" namingContexts
   dn: 
   namingContexts: cn=OracleContext
   namingContexts: cn=OracleSchemaVersion
   namingContexts: dc=eusovd,dc=com
   

   As shown above, ensure that there are three available naming contexts. If the base DN is missing then you must enable Enterprise User Security, as described in "Setting up the Directory Server by Using the GUI" in the Installing Oracle Unified Directory.

2. Verify if the baseDN contains the Oracle context by running the following command on the command line:

   $ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X  -b ""  "(objectclass=orclcontext)"
   dn: cn=OracleContext
   orclVersion: 90600
   cn: OracleContext
   objectClass: orclContext
   objectClass: orclContextAux82
   objectClass: top
   objectClass: orclRootContext
    
   dn: cn=OracleContext,dc=eusovd,dc=com
   orclVersion: 90600
   cn: OracleContext
   objectClass: orclContext
   objectClass: orclContextAux82
   objectClass: top
   

   Note:

   The NetCA performs the search anonymously. If the Oracle Unified Directory is configured to refuse anonymous searches or the ACIs restricts access to cn=OracleContext,<baseDN> then the NetCA will not be able to find the Oracle Context.

3. After the NetCA configuration is complete, it creates an ldap.ora file in the $ORACLE_HOME/network/admin directory (UNIX) or ORACLE_HOME\network\admin directory (Windows). Ensure that it includes the following parameters:

   DIRECTORY_SERVERS= (oudhost:1389:1636) 
   DEFAULT_ADMIN_CONTEXT = "dc=eusovd,dc=com"
   DIRECTORY_SERVER_TYPE = OID
   

31.6.2 Database Configuration Assistant (DBCA) Problems and Solutions

• TNS-04409 error / TNS-04427: SSL access to the Directory Server

• TNS-04409 error / TNS-04431: Required suffixes

• TNS-04411 error when registering the DB with a user different from cn=directory manager

• TNS-04409 error / TNS-04405

31.6.2.1 TNS-04409 error / TNS-04427: SSL access to the Directory Server

This error message appears if SSL is not enabled for Oracle Unified Directory.

To resolve this error, check if SSL is enabled for Oracle Unified Directory by running the following command on the command line:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X  -b "" -s base "(objectclass=*)"
dn: 
objectClass: top
objectClass: ds-root-dse

For more information, see Chapter 26, "Configuring Security Between Clients and Servers"

31.6.2.2 TNS-04409 error / TNS-04431: Required suffixes

This error message appears if the suffixes are not available.

To resolve this error, ensure that the suffixes are created, as described in "Setting up the Directory Server by Using the GUI" in the Installing Oracle Unified Directory.

31.6.2.3 TNS-04411 error when registering the DB with a user different from cn=directory manager

This error message appears if you specify a different user name other then cn=directory manager during database registration.

To resolve this error, ensure that the user has password reset privilege, and the user entry contains one of the following uniqueMember attributes:

• cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com

• cn=oraclenetadmins,dc=oraclecontext,dc=eusovd,dc=com

  Run the following command on the command line:

  $ OracleUnifiedDirectory/bin/ldapmodify -h $LDAPSERVER -p $LDAPPORT -D $DN -w $PWD
  dn: cn=newadmin,ou=people,dc=eusovd,dc=com
  changetype: modify
  add: ds-privilege-name
  ds-privilege-name: password-reset
   
  Processing MODIFY request for cn=newadmin,ou=people,dc=eusovd,dc=com
  MODIFY operation successful for DN cn=newadmin,ou=people,dc=eusovd,dc=com
  dn: cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com
  changetype: modify
  add: uniquemember
  uniquemember:  cn=newadmin,ou=people,dc=eusovd,dc=com
   
  Processing MODIFY request for cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com
  MODIFY operation successful for DN cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com
  dn: cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
  changetype: modify
  add: uniquemember
  uniquemember:  cn=newadmin,ou=people,dc=eusovd,dc=com
   
  Processing MODIFY request for cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
  MODIFY operation successful for DN cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
  

31.6.2.4 TNS-04409 error / TNS-04405

This error message appears if the Oracle Unified Directory password validator does not accept the password that DBCA creates for the database entry (For example, if it requires a password minimum length of 10 characters).

To resolve this error, you must complete the following:

1. Disable the password validator by running the following command on the command line:

   $ OracleUnifiedDirectory/bin/dsconfig -h $LDAPSERVER -p $ADMINPORT \
   -D $DN -j pwd.txt set-password-policy-prop \
   --policy-name Default\ Password\ Policy --reset password-validator \
   --trustAll --no-prompt
   

2. Run the dbca command.

3. Enable the password validator by running the following command on the command line:

   $ OracleUnifiedDirectory/bin/dsconfig -h $LDAPSERVER -p $ADMINPORT -D
    $DN -j pwd.txt set-password-policy-prop --policy-name Default\ 
   Password\ Policy --set password-validator:Length-Based\ Password\ Validator --trustAll --no-prompt
   

31.6.3 Oracle SQL Problems and Solutions

• ORA-28030: Server encountered problems accessing LDAP directory service

• ORA-01017: invalid username/password; logon denied

• ORA-28274: No ORACLE password attribute corresponding to user nickname exists

• ORA-28051: the account is locked

31.6.3.1 ORA-28030: Server encountered problems accessing LDAP directory service

This error message appears, if there is a problem with the connection between the database and the directory.

To resolve this issue, do the following:

1. Check that the database wallet has auto-login enabled. Either use Oracle Wallet Manager or check that there is a cwallet.sso file in $ORACLE_HOME/admin/<ORACLE_SID>/wallet/.

2. Check the DN and password of the user entry by running the following commands:

   $ mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -viewEntry ORACLE.SECURITY.DN
   Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
   Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
   Enter wallet password:   ********   
   ORACLE.SECURITY.DN = cn=orcl11gr2,cn=OracleContext,dc=eusovd,dc=com
    
   $ mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -viewEntry ORACLE.SECURITY.PASSWORD
   Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
   Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
   Enter wallet password:   ********       
   ORACLE.SECURITY.PASSWORD = zQ7v4ek3
   

3. Check that the database can connect to the directory server using the following command:

   $ oracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT 
   -b cn=common,cn=products,cn=oraclecontext,$BASEDN  "(objectclass=*)"
   orclcommonusersearchbase orclcommongroupsearchbase orclcommonnicknameattribute
   orclcommonnamingattribute
   dn: cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
   orclcommonusersearchbase: ou=people,dc=eusovd,dc=com
   orclcommongroupsearchbase: ou=groups,dc=eusovd,dc=com
   orclcommonnicknameattribute: uid
   orclcommonnamingattribute: cn
   

   If the connection to the directory server fails, then you must do the following:

   1. Ensure that the database entry exists in the Directory Server.

   2. Ensure that the database entry contains a password in the orclcommonrpwdattribute, by running the following command:

      $ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT 
      -b  cn=oraclecontext,$BASEDN -s one "(objectclass=orcldbserver)" 
       orclcommonrpwdattribute
      dn: cn=orcl11gr2,cn=OracleContext,dc=eusovd,dc=com
      orclcommonrpwdattribute: {SASL-MD5}KvIVAyYahxnHWdlfN649Kw==
      

   If the entry is missing or does not contain a password then you must use DBCA, as described in Task 4: Register the Database in the LDAP Server.

31.6.3.2 ORA-01017: invalid username/password; logon denied

This error message appears, if an invalid username or password is provided.

To resolve this error, specify the correct username and password.

1. Check the Enterprise User Security configuration by running the following command:

   $ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b \
   cn=common,cn=products,cn=oraclecontext,$BASEDN \
   "(objectclass=*)" orclcommonusersearchbase \
   orclcommongroupsearchbase orclcommonnicknameattribute orclcommonnamingattribute
   dn: cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
   orclcommonusersearchbase: ou=people,dc=eusovd,dc=com
   orclcommongroupsearchbase: ou=groups,dc=eusovd,dc=com
   orclcommonnicknameattribute: uid
   orclcommonnamingattribute: cn
   

   After Oracle Unified Directory has been configured for EUS, the users and groups configurations are stored in the attributes orclcommonusersearchbase and orclusercommongroupsearchbase.

   The username provided to sqlplus must correspond to the value of orclcommonnicknameattribute in the user entry. For example, if you connect sqlplus using the values joe/password and orclcommonnicknameattribute=uid, then the database will look for an entry containing the attribute uid=joe.

   The user entry DN must start with orclcommonnamingattribute. For example, if orclcommonnamingattribute=cn, the user entry must be cn=joe,<orclcommonusersearchbase>.

2. Ensure that there is a user entry in the user container that matches the username provided in sqlplus. The inetorgperson objectclass, containing the attribute defined in orclcommonnicknameattribute.

   $ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT \
   -D $DN -w $PWD -b ou=people,$BASEDN  "(ui \d=joe)"                         
   dn: cn=joe,ou=people,dc=eusovd,dc=com
   userPassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
   objectclass: person
   objectclass: organizationalPerson
   objectclass: inetorgperson
   objectclass: top
   uid: joe
   cn: joe
   sn: joe
   

3. Ensure that you have created the user-schema mapping, as described in "Mapping Enterprise Users to the Shared Schema" in the Oracle Database Enterprise User Security Administrator's Guide.

31.6.3.3 ORA-28274: No ORACLE password attribute corresponding to user nickname exists

This error message appears, when the database finds a corresponding user but cannot compare its password with the password supplied to SQL.

To resolve this issue, do the following:

1. Ensure that the database entry has the required ACI to read the entry authpassword and orclguid:

   $ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN 
   -w $PWD -b ou=people,$BASEDN  "(uid=joe)" authpassword orclguid
   dn: cn=joe,ou=people,dc=eusovd,dc=com
   authpassword;orclcommonpwd: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
   orclguid: 6458c6945c0a48be92ab35cf71859210
   

2. If the database cannot read the entry, check that the following ACIs are defined in your OUD server as global-acis (they are added automatically by oud-setup when EUS is selected):

   (target="ldap:///dc=eusovd,dc=com")(targetattr!="userpassword||authpassword
   ||aci")(version 3.0; acl "Anonymous read access to subtree";allow
    (read,search,compare) userdn="ldap:///anyone";)
   (target="ldap:///dc=eusovd,dc=com")(targetattr="authpassword||userpassword")
   (version 3.0; acl "EUS reads authpassword"; allow (read,search,compare)
   userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)
   

3. If the user entry does not contain authpassword, ensure that there is a user password:

   $ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN  "(uid=joe)" userpassword         
   dn: cn=joe,ou=people,dc=eusovd,dc=com
   userpassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
   

4. Ensure that the userpassword attribute is stored using a compatible scheme (SSHA-512 is not supported):

   $ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN  "(uid=joe)" userpassword         
   dn: cn=joe,ou=people,dc=eusovd,dc=com
   userpassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
   

31.6.3.4 ORA-28051: the account is locked

This error message appears, if you fail to authenticate properly after multiple attempts.

To resolve this issue, do the following:

1. Verify if Oracle Unified Directory is configured for account lockout, by running the following command on the command line:

   $ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -X -Z -D $DN 
   -w $PWD -b "cn=Default Password Policy,cn=Password Policies,cn=config" 
   "(objectclass=*)" ds-cfg-lockout-failure-count ds-cfg-lockout-duration  ds-cfg-lockout-failure-expiration-interval
   dn: cn=Default Password Policy,cn=Password Policies,cn=config
   ds-cfg-lockout-failure-expiration-interval: 180 s
   ds-cfg-lockout-failure-count: 3
   ds-cfg-lockout-duration: 180 s
   

   If the failure-count value is 0, then the account lockout is not enabled. For more information, see Chapter 30, "Managing Password Policies."

2. Ensure that the following ACI is defined, when the Enterprise User Security is configured:

   (target="ldap:///dc=eusovd,dc=com")(targetattr="orclaccountstatusevent")
   (version 3.0; acl "EUS write orclaccountstatusenabled"; allow (write) 
   userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)
   (targetcontrol="2.16.840.1.113894.1.8.16")(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
   (targetcontrol="2.16.840.1.113894.1.8.2")(version 3.0; acl "Anonymous control
    access"; allow(read) userdn="ldap:///anyone";)