Oracle Authentication Services for Operating Systems enables you to centralize storage, authentication, and management of user identities using Oracle Internet Directory.
This chapter contains the following topics:
Features of Oracle Authentication Services for Operating Systems
Components of Oracle Authentication Services for Operating Systems
How User Authentication Works With Oracle Internet Directory
Oracle Internet Directory is a standards-based directory server that leverages the security, scalability, and reliability of Oracle Database to store users, groups, and other types of entries. Oracle Internet Directory supports password policy enforcement. Oracle Internet Directory can be synchronized with third-party directory servers, such as Active Directory.
Oracle Authentication Services for Operating Systems enables you to use Oracle Internet Directory for authentication on Linux- and UNIX-based operating systems. Configuration scripts automate the configuration of Pluggable Authentication Modules (PAM) and Secure Sockets Layer (SSL). You can then migrate existing entries from NIS, files, or another LDAP-compliant directory, and optionally configure features such as password policy enforcement, sudo, and automount. Oracle Internet Directory tools are available for entry management, and libuser tools can be used for many operations. These features are summarized in Figure 1-1.
In Oracle Fusion Middleware 11g R1 Patch Set 2 (11.1.1.3.0), the Oracle Internet Directory installation contains the following components, which are used by Oracle Authentication Services for Operating Systems:
SSL and non-SSL server configuration scripts
SSL and non-SSL client configuration scripts
Support for migration from NIS as well as from flat file-based authentication
Support for migration from a third-party LDAP directory to Oracle Internet Directory
Support for migration of sudo policy from a sudoers file to Oracle Internet Directory
Support for migration of automounts to Oracle Internet Directory
When a user provides credentials (a username and password) to login, xdm, ssh, su, or some other client login program, the following events occur.
An authentication module in the login program examines local configuration files to determine how to authenticate the user. The files contain information such as the method to use (LDAP), the location of the server, and, if SSL is configured, the certificate to use.
The authentication module attempts to authenticate the user against the Oracle Internet Directory server with the user's credentials. If SSL is configured, the module first establishes the SSL communications channel using the certificate.
If Oracle Internet Directory determines that the credentials are correct and the account is active, the user's login attempt succeeds. Otherwise, the user's login attempt fails.
If the user login attempt succeeds, the module queries Oracle Internet Directory again for the user's group membership information.
Oracle Internet Directory returns the group membership information.
These events are shown in Figure 1-2.
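The sequence above, as an added example that is not part of this guide or of the Oracle product: an in-memory stand-in for the directory, with constructed RFC 2307 (posixAccount/posixGroup) entries and constructed client settings, that performs the steps in the order described, so that the group lookup only ever runs after a successful bind and a wrong password, a disabled account, and an unknown user are indistinguishable to the client.

```python
import hmac
from typing import Optional

# Constructed sample entries in RFC 2307 form, the schema NIS maps and flat
# files are migrated into. A real directory stores a hashed userPassword and
# verifies the bind server-side; the plaintext value exists only so this
# stand-in can answer a bind.
DIRECTORY = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "objectClass": "posixAccount",
     "uid": "alice", "uidNumber": 1001, "userPassword": "correct horse", "active": True},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "objectClass": "posixAccount",
     "uid": "bob", "uidNumber": 1002, "userPassword": "hunter2", "active": False},
    {"dn": "cn=devs,ou=Group,dc=example,dc=com", "objectClass": "posixGroup",
     "cn": "devs", "gidNumber": 2001, "memberUid": ["alice", "bob"]},
    {"dn": "cn=ops,ou=Group,dc=example,dc=com", "objectClass": "posixGroup",
     "cn": "ops", "gidNumber": 2002, "memberUid": ["alice"]},
]

# Constructed client settings of the kind the configuration scripts write
# (method, server location, certificate); the URI and path are placeholders.
CLIENT_CONFIG = {"method": "ldap", "uri": "ldaps://oid.example.com:3131",
                 "ssl": True, "ca_cert": "/etc/oracle/oid-ca.pem"}

def config_problems(cfg: dict) -> list:
    """Step 1: examine the local configuration before contacting the server."""
    problems = []
    if cfg.get("method") != "ldap":
        problems.append("authentication method is not LDAP")
    if cfg.get("ssl") and not cfg.get("ca_cert"):
        problems.append("SSL requested but no certificate configured")
    return problems

def simple_bind(uid: str, password: str) -> bool:
    """Steps 2 and 3: the bind succeeds only for a correct password on an
    active account; every other outcome is the same failure to the client."""
    for e in DIRECTORY:
        if e["objectClass"] == "posixAccount" and e["uid"] == uid:
            return hmac.compare_digest(e["userPassword"], password) and e["active"]
    return False

def group_memberships(uid: str) -> list:
    """Steps 4 and 5: (cn, gidNumber) of each posixGroup listing uid in memberUid."""
    return [(e["cn"], e["gidNumber"]) for e in DIRECTORY
            if e["objectClass"] == "posixGroup" and uid in e["memberUid"]]

def login(uid: str, password: str, cfg: dict = CLIENT_CONFIG) -> Optional[dict]:
    """Whole sequence: None on any failure, otherwise the user's groups."""
    if config_problems(cfg):
        raise ValueError("; ".join(config_problems(cfg)))
    if not simple_bind(uid, password):
        return None
    return {"uid": uid, "groups": group_memberships(uid)}
```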
To configure Oracle Authentication Services for Operating Systems, you perform the following steps:
Install Oracle Internet Directory. See the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for your platform.
Apply 11g R1 Patch Set 2 (11.1.1.3.0).
Execute the configuration scripts to configure the server and clients for user authentication.
Configure password policies.
Migrate entries from NIS, local files, or another LDAP-compliant directory to Oracle Internet Directory.
Configure sudo and migrate sudo entries to Oracle Internet Directory.
Optionally, you can configure integration with Active Directory so that you can use credentials stored in Active Directory for authentication on a Linux or UNIX-based operating system.
Optionally, you can restrict user logins on individual machines.
After you configure Oracle Authentication Services for Operating Systems and migrate your data to Oracle Internet Directory, you must use specific tools to manage users, passwords, and other data. Specifically, you must use:
Oracle Directory Services Manager
The LDAP tools and bulk tools in $ORACLE_HOME/bin
The passwd command
Certain platform-specific tools:
The libuser tools on Linux distributions that support it, with some limitations. See libuser Tools.
The command mkuser and similar AIX tools with the option -R LDAP. See AIX-Specific Tools.
For more information about Oracle Authentication Services for Operating Systems 11g Release 1 (11.1.1), see:
The README document accompanying this release
Note 1064891.1: Oracle Authentication Services for Operating Systems Documentation Addendum (11.1.1.3). This document is available on My Oracle Support at https://support.oracle.com.