Oracle9i Network, Directory, and Security Guide Release 1 (9.0.1) for Windows, Part Number A90165-01
This chapter describes the use of Oracle9i Directory Server Features with Active Directory.
The Lightweight Directory Access Protocol (LDAP) is a standard, extensible directory access protocol that enables directory clients and servers to interact using a common language. LDAP is a lightweight implementation of the X.500 Directory Access Protocol (DAP). LDAP runs directly over TCP/IP.
Oracle Internet Directory provides data management tools, such as Oracle Directory Manager and command line tools, for manipulating large amounts of LDAP data. Oracle Internet Directory implements three levels of user authentication, namely, anonymous, password-based, and certificate-based using Secure Socket Layer (SSL) for authenticated access and data privacy.
Active Directory is the LDAP-compliant directory server included with Windows 2000. Active Directory stores all Windows 2000 information, including users, groups, and policies. Active Directory also stores information about network resources such as databases, and makes this information available to application users and network administrators. Active Directory enables users to access network resources with a single login. The scope of Active Directory can range from storing all the resources of a small computer network to storing all the resources of several wide area networks (WANs). When using Oracle features that support Active Directory using LDAP, ensure that the Active Directory computer can be reached using every TCP/IP hostname form by which the domain controller can be addressed. For example, if the hostname of the domain controller is server1 in the domain acme.com, then you must be able to ping that computer using server1.acme.com, acme.com, and server1.
Active Directory often issues referrals back to itself in one or more of these forms, depending upon the operation being performed. If any of these forms cannot be used to reach the Active Directory computer, then some LDAP operations may fail.
Two features are provided which make use of a directory server. These features are briefly described in the following sections:
Both features have been enabled to work with Microsoft's Active Directory.
This feature enables clients to connect to the database server making use of information stored centrally in an LDAP-compliant directory server such as Active Directory. For example, net service names previously stored in the tnsnames.ora file can now be stored in Active Directory.
Note: Database service and net service name entries stored in an Oracle Names Server can be migrated to a directory server using the Oracle Names Server Control utility. See Oracle9i Net Services Administrator's Guide for more information.
This feature enables you to create and store Oracle9i database information as directory objects in an LDAP-compliant directory server. An administrator can create and store enterprise users and roles for the Oracle9i database in the directory, which helps centralize the administration of users and roles across multiple databases.
This chapter frequently references enterprise user security terms and concepts. Read the following documentation in Table 4-1 for descriptions of terms and concepts that an administrator and client user must understand before using an Oracle9i database with Active Directory. You must license Oracle Advanced Security to use Active Directory to manage enterprise roles.
See... | Which Describes... |
---|---|
"Managing Enterprise User Security" in Oracle Advanced Security Administrator's Guide | |
"Using Oracle Enterprise Security Manager" in Oracle Advanced Security Administrator's Guide | |
In addition to Oracle Net directory naming and enterprise user security integration with a directory server, the following features have been specifically integrated into Active Directory:
Oracle Net Configuration Assistant enables you to configure client computer and Oracle9i database server access to a directory server. When Oracle Net Configuration Assistant starts at the end of Oracle9i database installation or is manually started after installation, it prompts you to specify a directory server type to use. When you select Active Directory as the directory server type, Oracle Net Configuration Assistant automatically:
If the Active Directory server through which client connections are accessing an Oracle9i database is shut down, another Active Directory server is automatically discovered and begins providing connection information; this prevents any downtime for client connections.
If you are not running in a Windows 2000 domain, Oracle Net Configuration Assistant does not automatically discover your directory server, and instead prompts you for additional information, such as the Active Directory location.
When you use Oracle Net Configuration Assistant to complete directory usage configuration against Active Directory, Oracle schema creation can fail because the Active Directory display specifiers are not populated for all 24 default languages. Before running Oracle Net Configuration Assistant to complete directory access configuration, verify that display specifiers for all 24 languages are populated by entering the following at the command prompt:
ldifde -p OneLevel -d cn=DisplaySpecifiers,cn=Configuration,<domain context> -f <temp file>
where:
<domain context> is the domain context for this Active Directory server, for example dc=acme,dc=com.
<temp file> is the file in which you want to put the output.
If the command reports that fewer than 24 entries were found, you can still use Oracle Net Configuration Assistant. However, it will report that Oracle schema creation failed when all that actually failed is the creation of display specifiers for some languages.
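The 24-entry check above can be scripted rather than read by eye. The following is an added example, not code from the Oracle guide: it parses the LDIF that ldifde writes for the DisplaySpecifiers container, keeps only the entries directly under that container (what the OneLevel scope exports), and reports how many of the expected 24 language containers are missing. The LDIF text is constructed for the demonstration; 407, 409 and 40C are locale-ID container names of the kind found under cn=DisplaySpecifiers, and the description attribute is invented to show LDIF line folding.

```python
"""Added example: count the per-language containers in an ldifde export of
cn=DisplaySpecifiers so the 24-entry check from the guide can be automated.
The sample LDIF below is constructed, not real ldifde output."""
import base64

DISPLAY_SPECIFIERS_BASE = "cn=DisplaySpecifiers,cn=Configuration"
EXPECTED_LANGUAGES = 24  # number of default languages the guide says must be populated


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), skips
    '#' comments, decodes 'attr:: <base64>' values, and returns one dict per
    entry mapping lowercase attribute name -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # RFC 2849 folding: drop the single leading space
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():              # a blank line terminates the entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def display_specifier_locales(text, base_dn=DISPLAY_SPECIFIERS_BASE):
    """cn values of the entries whose parent is the DisplaySpecifiers container,
    i.e. exactly the objects 'ldifde -p OneLevel' is expected to export."""
    locales = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        rdn, _, parent = dn.partition(",")
        if parent.lower().startswith(base_dn.lower()) and rdn.lower().startswith("cn="):
            locales.append(rdn[3:])
    return locales


def shortfall(text, expected=EXPECTED_LANGUAGES):
    """How many language containers are missing relative to the expected count."""
    return max(0, expected - len(display_specifier_locales(text)))


# Constructed sample: three locale containers plus one deeper entry that a
# OneLevel export would not normally contain, to show that it is filtered out.
SAMPLE_LDIF = """\
dn: CN=407,CN=DisplaySpecifiers,CN=Configuration,DC=acme,DC=com
changetype: add
objectClass: top
objectClass: container
cn: 407

dn: CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=acme,DC=com
changetype: add
objectClass: top
objectClass: container
cn: 409
description: English (United States) display
  specifiers

dn: CN=40C,CN=DisplaySpecifiers,CN=Configuration,DC=acme,DC=com
changetype: add
objectClass: top
objectClass: container
cn: 40C

dn: CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=acme,DC=com
changetype: add
objectClass: displaySpecifier
"""

if __name__ == "__main__":
    found = display_specifier_locales(SAMPLE_LDIF)
    print("language containers found:", len(found), found)
    missing = shortfall(SAMPLE_LDIF)
    if missing:
        print("%d of %d expected display specifier containers are missing; "
              "Oracle Net Configuration Assistant may report schema creation failure"
              % (missing, EXPECTED_LANGUAGES))
```

Run it against the real export by reading the ldifde output file into `shortfall()`; a non-zero result is the case the guide describes, where the schema creation message from Oracle Net Configuration Assistant reflects only the missing language containers.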
Oracle9i database services, net service names, and enterprise role entries in Active Directory display in the Microsoft Windows 2000 tools in Table 4-2:
The property menus of Oracle9i database service and net service name objects in Windows Explorer and Active Directory Users and Computers have been enhanced. This enables you to test for object connectivity to the Oracle9i database and perform database administration. When you right-click these Oracle directory objects, a menu presents you with two options for testing connectivity shown in Table 4-3:
Oracle directory object type descriptions in Active Directory have been enhanced to make them easier to understand. For example, Figure 4-1 shows the description of the OracleDefaultDomain object's type in the Type column of the right window pane.
This feature enables the Oracle client and database to use the credentials of the currently logged on Windows user for authentication and authorization.
The Oracle9i database and configuration tools can use the currently logged on Windows user's login credentials to connect to Active Directory automatically, without requiring the user to re-enter those credentials. This enables:
Figure 4-2 shows that when the Oracle9i database and Oracle Net Services are installed and configured to access Active Directory, Oracle directory objects appear in Active Directory Users and Computers.
Table 4-4 describes these Oracle directory objects:
Object | Description |
---|---|
 | The domain (also known as the administrative context) in which you created your Oracle Context. The administrative context contains various Oracle entries to support directory naming and enterprise user security. Oracle Net Configuration Assistant automatically discovers this information during Oracle9i database integration with Active Directory. |
Oracle Context | The top-level Oracle entry in the Active Directory tree that can contain Oracle9i database service and net service name object information. All Oracle software information is placed in this folder. |
 | The Oracle9i database service name (for this example, ...) |
Products | A folder for Oracle product information. |
OracleDBSecurity | A folder for database security information. |
OracleDefaultDomain | The default enterprise domain created. You can create additional enterprise domains with Oracle Enterprise Security Manager. |
 | The net service name object (for this example, ...) |
Users | The folder for the three Oracle security groups. See section "Access Control List Management for Oracle Directory Objects" for more information. Enterprise users and roles created with Oracle Enterprise Security Manager also appear in this folder. |
Table 4-5 lists the requirements that you must complete; which ones apply depends upon the Oracle features you want to use:
Requirement | Required for Net Directory Naming? | Required for Enterprise User Security? |
---|---|---|
 | Yes | Yes |
 | Yes | Yes |
 | Yes | No |
 | No | Yes |
If you are using Active Directory with Oracle on Windows 2000 or Windows NT, then ping the DNS domain name of your Windows 2000 domain. For example, if your Windows 2000 domain is sales, the DNS domain name for this domain is sales.acme.com, and its IP address is of the form 001.002.003.0. If the ping does not work, do one of the following on the Windows 2000 computer: set 001.002.003.0 as the DNS server address, or add the line 001.002.003.0 sales.acme.com to the hosts or lmhosts file.
If this step is not performed, then errors such as the following are returned when using Active Directory:
Cannot Chase Referrals
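Both name-resolution requirements in this chapter, the three hostname forms by which the domain controller must be reachable (server1.acme.com, acme.com and server1, described under Active Directory above) and the DNS domain name of the Windows domain (sales.acme.com, just described), can be verified with one script before Active Directory is used. The following is an added example, not code from the Oracle guide: it derives the hostname forms, resolves each one, and reports the forms that fail, which are the forms a referral could use and then fail with an error such as "Cannot Chase Referrals". The hosts-file text and the address 192.0.2.10 are constructed for the demonstration; server1, acme.com and sales.acme.com are this chapter's illustration names.

```python
"""Added example: confirm that every hostname form Active Directory may use
in a referral, plus the Windows domain's DNS name, resolves on this client.
The hosts-file text and 192.0.2.10 are constructed sample data."""
import socket


def referral_forms(dc_hostname, dns_domain):
    """The three forms the guide says must all reach the domain controller:
    fully qualified host name, bare domain name, and bare host name."""
    return ["%s.%s" % (dc_hostname, dns_domain), dns_domain, dc_hostname]


def parse_hosts(text):
    """Parse hosts/lmhosts-style text ('ip name [alias ...]', '#' comments)
    into a lowercase name -> address map; the first match for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolve_via_system(name):
    """Resolver backed by the operating system (DNS and the local hosts file);
    returns None when the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def hosts_resolver(text):
    """Resolver that consults only the given hosts-file text, for an offline check
    of what a proposed hosts or lmhosts entry would fix."""
    table = parse_hosts(text)
    return lambda name: table.get(name.lower())


def check_names(names, resolve=resolve_via_system):
    """Map each name to the address it resolves to, or None when it fails."""
    return {name: resolve(name) for name in names}


def unreachable(results):
    """Names that failed to resolve. Any entry here means an Active Directory
    referral in that form cannot be followed and some LDAP operations may fail."""
    return [name for name, addr in results.items() if addr is None]


# Constructed hosts-file content: the fully qualified name and the domain name
# are present, the bare host name is not, so the check below reports it.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
192.0.2.10   sales.acme.com
192.0.2.10   server1.acme.com   acme.com
"""

if __name__ == "__main__":
    names = referral_forms("server1", "acme.com") + ["sales.acme.com"]
    results = check_names(names, hosts_resolver(SAMPLE_HOSTS))
    for name, addr in results.items():
        print("%-20s %s" % (name, addr or "FAILED"))
    if unreachable(results):
        print("add the missing forms to DNS or to the hosts/lmhosts file before using Active Directory")
```

To check the live client rather than a proposed hosts entry, call `check_names(names)` with the default system resolver; `hosts_resolver` is there so the effect of an lmhosts or hosts line can be confirmed before it is written.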
On Windows NT and Windows 2000, the Oracle database service runs in the security context of LocalSystem or of a specific local or domain user. When using Oracle8i release 8.1.7 with Active Directory, if the database service runs in the security context of LocalSystem, manually add the name of the computer on which the database service is running to the access control entries on the OracleDBSecurity container object in Active Directory, with read permissions on that object. For example, if the database service OracleServiceORCL is running in the security context of LocalSystem on the computer mypc1, then add mypc1 with READ permissions on the OracleDBSecurity object to the access control entries on the OracleDBSecurity container object.
Complete the following Oracle schema creation requirements to use the net directory naming and enterprise user security features with Active Directory. A schema is a set of rules for Oracle Net Services and Oracle9i database entries and their attributes stored in Active Directory.
See Also: Oracle9i Net Services Administrator's Guide for configuration procedures and Oracle9i Database installation guide for Windows for a configuration overview
You must complete the following Oracle Context creation requirements to use the net directory naming and enterprise user security features with Active Directory. The Oracle Context is the top-level Oracle entry in the Active Directory tree that contains Oracle9i database service and Oracle Net service name object information.
See Also: Oracle9i Database installation guide for Windows for installation procedures and Oracle9i Net Services Administrator's Guide for configuration procedures
Ensure that you first satisfy the requirements described in:
Table 4-6 describes the minimum Microsoft and Oracle software releases that must be installed to use directory naming with Active Directory:
For... | Required Microsoft Software | Required Oracle Software |
---|---|---|
Client Computers from which to manage the Oracle9i enterprise users, roles and domains | | Oracle8i Client release 8.1.6 or later |
Database Server | | Oracle8i database release 8.1.6 or later is required for registering the database service as an object in Active Directory. |
Ensure that you first satisfy the requirements described in:
Table 4-7 describes the Microsoft and Oracle software releases required to use enterprise user security with Active Directory:
This section provides an overview of installation and configuration information.
See the Oracle9i Database installation guide for Windows for Oracle9i installation instructions.
You must set the OSAUTH_X509_NAME registry parameter to true to use enterprise user security in the Oracle Windows Native Authentication Adapter. See "Task 2: Set the OSAUTH_X509_NAME Registry Parameter".
This section describes how to connect to an Oracle9i database through Active Directory.
When using Oracle Net directory naming, client computers connect to a database by specifying the database or net service name entry that appears in the Oracle Context. For example, if the database entry under the Oracle Context in Active Directory is orcl, a user connects through SQL*Plus to the Oracle9i database as shown in Table 4-8:
The connect strings in this table follow DNS-style conventions. While Active Directory also supports connections using X.500 naming conventions, DNS-style conventions are the recommended method because of their ease of use. DNS-style conventions enable client users to access an Oracle9i database through a directory server by entering minimal connection information; this is the case even when the client computer and Oracle9i database are in separate domains. X.500 names are longer, especially when the client and Oracle9i database are located in different domains (also known as administrative contexts).
To learn more about X.500 naming conventions, see "Configuration Management Concepts" in Oracle9i Net Services Administrator's Guide.
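The relationship between the two naming styles is mechanical, and the following added example (not code from the Oracle guide) makes it concrete by converting a DNS-style connect identifier such as orcl.sales.acme.com into the X.500 distinguished name of the same entry under the Oracle Context, and back. The mapping used, cn=<name>,cn=OracleContext under the dc= components of the domain, is the DNS-style resolution described in the Oracle9i Net Services Administrator's Guide; the bare-name case assumes the client's default administrative context, which on a real client comes from the DEFAULT_ADMIN_CONTEXT parameter in ldap.ora. orcl and sales.acme.com are this chapter's illustration values.

```python
"""Added example: translate between a DNS-style Oracle Net connect identifier
and the X.500 distinguished name of the same entry under the Oracle Context.
Assumes the cn=<name>,cn=OracleContext,dc=... layout of Oracle Net directory
naming; the default administrative context is passed in explicitly here
instead of being read from ldap.ora."""

ORACLE_CONTEXT_RDN = "cn=OracleContext"


def dns_style_to_dn(connect_identifier, default_admin_context=None):
    """'orcl.sales.acme.com' -> 'cn=orcl,cn=OracleContext,dc=sales,dc=acme,dc=com'.
    A bare name such as 'orcl' is resolved relative to the client's default
    administrative context (ldap.ora DEFAULT_ADMIN_CONTEXT), which must then
    be supplied by the caller."""
    labels = [p for p in connect_identifier.strip().rstrip(".").split(".") if p]
    if not labels:
        raise ValueError("empty connect identifier")
    name, domain = labels[0], labels[1:]
    if not domain:
        if not default_admin_context:
            raise ValueError("bare name %r needs a default administrative context" % name)
        domain = [p for p in default_admin_context.split(".") if p]
    return ",".join(["cn=%s" % name, ORACLE_CONTEXT_RDN] + ["dc=%s" % d for d in domain])


def dn_to_dns_style(dn):
    """Inverse mapping. Rejects a DN that is not an entry directly under an
    Oracle Context whose administrative context is made of dc= components,
    since only those have a DNS-style equivalent."""
    rdns = [r.strip() for r in dn.split(",")]
    if len(rdns) < 3 or rdns[1].lower() != ORACLE_CONTEXT_RDN.lower():
        raise ValueError("not an entry directly under cn=OracleContext: %s" % dn)
    kind, _, name = rdns[0].partition("=")
    if kind.strip().lower() != "cn":
        raise ValueError("leaf RDN must be cn=<name>: %s" % rdns[0])
    domain = []
    for rdn in rdns[2:]:
        kind, _, label = rdn.partition("=")
        if kind.strip().lower() != "dc":
            raise ValueError("administrative context must be dc= components: %s" % rdn)
        domain.append(label.strip())
    return ".".join([name.strip()] + domain)


if __name__ == "__main__":
    # Illustration values from this chapter: database entry orcl in domain sales.acme.com.
    dns_name = "orcl.sales.acme.com"
    dn = dns_style_to_dn(dns_name)
    print("DNS-style:", dns_name, "(%d characters)" % len(dns_name))
    print("X.500:    ", dn, "(%d characters)" % len(dn))
    print("same entry via default admin context:", dns_style_to_dn("orcl", "sales.acme.com"))
    print("round trip:", dn_to_dns_style(dn))
```

The character counts printed by the script are the concrete form of the guide's remark that X.500 names are longer; the conversion also shows why a bare name like orcl only works when the client has a default administrative context configured.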
Oracle directory objects in Active Directory are integrated with Microsoft tools such as:
You can perform the following tasks from within these Microsoft tools:
To access connectivity tools:
With... | Choose... |
---|---|
Windows Explorer | |
Active Directory Users and Computers | |
A menu appears with several options:
If You Want To... | Then... |
---|---|
Test connectivity | |
Connect with SQL*Plus | |
A status message appears describing the status of your connection attempt:
The Oracle SQL*Plus Login dialog box appears:
Enter your username and password. A status message appears describing the status of your connection attempt.
Access Control Lists provide Active Directory security by specifying:
Three security groups shown in Table 4-9 are automatically created when the Oracle Context is created in Active Directory. The user configuring access (and thus creating the Oracle Context) is automatically added to each:
Active Directory Users and Computers enables you to add or remove users or change permission settings in the three security groups. See Table 4-10.
This section describes how to use Active Directory Users and Computers. See Oracle Advanced Security Administrator's Guide for instructions on using Oracle Enterprise Security Manager.
To add or remove users or change permission settings:
This enables you to view and edit information that is normally hidden.
The three security groups appear in the right window pane:
A menu appears with several options.
If You Want To... | Then... |
---|---|
Add or remove users | |
Change permissions | |
To add or remove users:
The Properties dialog box for the group you selected appears (in this example, OracleDBSecurityAdmins):
To... | Then... |
---|---|
Add Users | |
Remove Users | |
To change user permissions:
The Properties dialog box for the group you selected appears.
The Permission Entry dialog box for the security group you selected appears:
A default enterprise domain, OracleDefaultDomain, is created in your Oracle Context. If you do not want to use this domain or want to create another domain, use Oracle Enterprise Security Manager to create additional enterprise domains. These domains are added under the OracleDBSecurity folder.
Copyright © 1996-2001, Oracle Corporation. All Rights Reserved.