1 Product Overview

Oracle Authentication Services for Operating Systems enables you to centralize storage, authentication, and management of user identities using Oracle Internet Directory.

This chapter contains the following topics:

1.1 Introduction to Oracle Internet Directory

Oracle Internet Directory is a standards-based directory server that leverages the security, scalability, and reliability of Oracle Database to store users, groups, and other types of entries. Oracle Internet Directory supports password policy enforcement. Oracle Internet Directory can be synchronized with third-party directory servers, such as Active Directory.

1.2 Features of Oracle Authentication Services for Operating Systems

Oracle Authentication Services for Operating Systems enables you to use Oracle Internet Directory for authentication on Linux- and UNIX-based operating systems. Configuration scripts automate the configuration of Pluggable Authentication Modules (PAM) and Secure Sockets Layer (SSL). You can then migrate existing entries from NIS, files, or another LDAP-compliant directory, and optionally configure features such as password policy enforcement, sudo, and automount. Oracle Internet Directory tools are available for entry management, and libuser tools can be used for many operations. These features are summarized in Figure 1-1.

Figure 1-1 Features of Oracle Authentication Services for Operating Systems

Surrounding text describes Figure 1-1 .

1.3 Components of Oracle Authentication Services for Operating Systems

In Oracle Fusion Middleware 11g R1 Patch Set 2 (11.1.1.3.0), the Oracle Internet Directory installation contains the following components, which are used by Oracle Authentication Services for Operating Systems:

  • SSL and non-SSL server configuration scripts

  • SSL and non-SSL client configuration scripts

  • Support for migration from NIS as well as from flat file-based authentication

  • Support for migration from a third party LDAP directory to Oracle Internet Directory.

  • Support for migration of sudo policy from a sudoers file to Oracle Internet Directory

  • Support for migration of automounts to Oracle Internet Directory

1.4 How User Authentication Works With Oracle Internet Directory

When a user provides credentials (a username and password) to login, xdm, ssh, su, or some other client login program, the following events occur.

  1. An authentication module in the login program examines local configuration files to determine how to authenticate the user. The files contain information such as the method to use (LDAP), the location of the server, and, if SSL is configured, the certificate to use.

  2. The authentication module attempts authenticate the user against the Oracle Internet Directory server with the user's credentials. If SSL is configured, the module first establishes the SSL communications channel using the certificate.

  3. If Oracle Internet Directory determines that the credentials are correct and the account is active, the user's login attempt succeeds. Otherwise, the user's login attempt fails.

  4. If the user login attempt succeeds, the module queries Oracle Internet Directory again for the user's group membership information.

  5. Oracle Internet Directory returns the group membership information.

These events are shown in Figure 1-2.

Figure 1-2 Authentication Using Oracle Internet Directory

Surrounding text describes Figure 1-2 .

1.5 Configuration Overview

To configure Oracle Authentication Services for Operating Systems, you perform the following steps:

  1. Install Oracle Internet Directory. See the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for your platform.

  2. Apply 11g R1 Patch Set 2 (11.1.1.3.0).

  3. Execute the configuration scripts to configure the server and clients for user authentication.

  4. Configure password policies.

  5. Migrate entries from NIS, local files, or another LDAP-compliant directory to Oracle Internet Directory.

  6. Configure sudo and migrate sudo entries to Oracle Internet Directory.

  7. Optionally, you can configure integration with Active Directory so that you can use credentials stored in Active Directory for authentication on a Linux or UNIX-based operating system.

  8. Optionally, you can restrict user logins on individual machines.

1.6 Management Overview

After you configure Oracle Authentication Services for Operating Systems and migrate your data to Oracle Internet Directory, you must use specific tools to manage users, passwords, and other data. Specifically, you must use:

  • Oracle Directory Services Manager

  • The LDAP tools and bulk tools in $ORACLE_HOME/bin

  • The passwd command

  • Certain platform specific tools:

    • The libuser tools on Linux distributions that support it, with some limitations. See libuser Tools.

    • The command mkuser and similar AIX tools with the option -R LDAP. See AIX-Specific Tools.

1.7 Additional Documentation

For more information about Oracle Authentication Services for Operating Systems 11g Release 1 (11.1.1), see:

  • The README document accompanying this release

  • Note 1064891.1: Oracle Authentication Services for Operating Systems Documentation Addendum (11.1.1.3). This document is available on My Oracle Support at https://support.oracle.com.