25 Integrating With Oracle's Enterprise User Security

Oracle's Enterprise User Security (EUS) enables you to store user identities in an LDAP-compliant directory service for Oracle Database authentication.

Enterprise User Security enables you to centrally manage database users across the enterprise. Enterprise users are created in an LDAP-compliant directory service and can be assigned roles and privileges across the enterprise databases registered with the directory.

Users connect to Oracle Database by providing credentials that are stored in Oracle Unified Directory. The database executes LDAP search operations to query user-specific authentication and authorization information.

Integrating Oracle Unified Directory and Enterprise User Security enhances and simplifies your authentication and authorization capabilities by allowing you to leverage user identities stored in an LDAP-compliant directory service without any additional synchronization.

This chapter covers the following topics:

  • Section 25.1, "Integration Scenarios"

  • Section 25.2, "What's New in this Release"

  • Section 25.3, "Integrating Oracle Unified Directory with Enterprise User Security"

  • Section 25.4, "Integrating with Enterprise User Security and an External LDAP Directory"

25.1 Integration Scenarios

To integrate Oracle Unified Directory and Enterprise User Security, you can select one of the following scenarios:

  • Oracle Unified Directory is the directory that stores the enterprise users and groups. See Section 25.3, "Integrating Oracle Unified Directory with Enterprise User Security".

  • Oracle Unified Directory acts as a proxy in front of an external LDAP directory (Microsoft Active Directory, Novell eDirectory, Oracle Directory Server Enterprise Edition, or another Oracle Unified Directory instance) that stores the enterprise users and groups. See Section 25.4, "Integrating with Enterprise User Security and an External LDAP Directory".

25.2 What's New in this Release

In this release, Oracle Unified Directory support for EUS includes:

  • Certificate authentication and integration with Kerberos authentication.

    Note:

    Certificate authentication supports only matching the user entry's DN against the DN in the certificate.

  • Password Policies: Password policies are a set of rules that apply to all user passwords in an identity management realm. Password policies include settings for password complexity, minimum password length, and the like. They also include account lockout and password expiration settings.

    The password policy entry defined in the LDAP-compliant directory storing the user entries can be used by Oracle Database for Enterprise User Security.

    The database communicates with Oracle Unified Directory and requests that Oracle Unified Directory report any password policy violations. If the database receives a policy violation response from Oracle Unified Directory, it displays the appropriate warning or error message to the user.

    The database reports the following events:

    • It displays a warning when the user password is about to expire and shows the number of days left for the user to change his or her password.

    • It displays a warning when the password has expired and informs the user about the number of grace logins that remain.

    • It displays an error when the user password has expired and the user does not have any grace logins left.

    • It displays an error when the user account has been locked due to repeated failed login attempts.

    • It displays an error if the user account has been disabled by the administrator.

    • It displays an error if the user account is inactive.

    Enterprise user login attempts to the database update the user account status in Oracle Unified Directory or any supported external LDAP-compliant directory. For example, consecutive failed login attempts to the database result in the account getting locked in the directory, as per the directory's password policy.

  • The following external LDAP-compliant directories are supported:

    • Microsoft Active Directory

    • Novell eDirectory

    • Oracle Directory Server Enterprise Edition

    • Oracle Unified Directory

      Note:

      You can configure an Oracle Unified Directory instance as an external directory server with another Oracle Unified Directory instance as the proxy server.

For information about configuring Enterprise User Security, see the Oracle Database Enterprise User Administrator's Guide.

25.3 Integrating Oracle Unified Directory with Enterprise User Security

You can integrate Oracle Unified Directory with Enterprise User Security so that user identities stored in Oracle Unified Directory are used directly, without any additional synchronization. To do so, complete the following tasks:

  • Section 25.3.1, "Configuring Enterprise User Security for an Oracle Unified Directory Server"

  • Section 25.3.2, "Modifying the Oracle Unified Directory Configuration for Enterprise User Security"

  • Section 25.3.3, "Configuring Oracle Database for Oracle Unified Directory"

25.3.1 Configuring Enterprise User Security for an Oracle Unified Directory Server

You can configure EUS for an Oracle Unified Directory server using one of the following options:

  • Section 25.3.1.1, "Enabling Enterprise User Security During Installation"

  • Section 25.3.1.2, "Enabling Enterprise User Security With ODSM for an Existing Instance"

25.3.1.1 Enabling Enterprise User Security During Installation

You can use this option when you are installing Oracle Unified Directory. Enable the Oracle Unified Directory directory server instance for integration with EUS while you are setting up the server instance, as described in "Setting Up the Directory Server" in the Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.

Note:

Ensure that you select Enable for EUS in the Oracle Components Integration screen when running the oud-setup graphical interface. If you run oud-setup with the --cli option instead, specify the following option when launching the installer:

oud-setup --eus

25.3.1.2 Enabling Enterprise User Security With ODSM for an Existing Instance

On an existing directory server instance, you can create a new suffix for EUS by using ODSM. There is no command-line equivalent for this functionality.

To create a suffix for EUS by using ODSM, perform the following steps:

  1. Ensure that the server instance has an LDAP connection handler that is enabled for SSL.

    If SSL is not enabled, add an LDAPS connection handler, as described in Section 14.2, "Managing the Server Configuration With Oracle Directory Services Manager".

  2. Connect to the directory server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  3. Select the Home tab.

  4. Under the Configuration menu, select Create Local Naming Context.

    The New Local Naming Context window is displayed.

  5. Enter the following details:

    1. In the Base DN field, type a name for the suffix that you want to create.

      Note:

      You cannot enable EUS on an existing suffix that has already been populated with user data.

    2. From the Directory Data Options group, select one of the following options for populating the suffix with data:

      Only Create Base Entry creates the database along with the base entry of the suffix. Any additional entries must be added after suffix creation.

      Leave Database Empty creates an empty database. The base entries and any additional entries must be added after suffix creation.

      Note:

      The suffix must contain at least one entry; therefore, do not select the Leave Database Empty option.

      Import Generated Sample Data populates the suffix with sample entries.

      Specify the number of entries that should be generated in the Number of User Entries field. You can import a maximum of 30,000 sample entries through ODSM. If you want to add more than 30,000 entries, you must use the import-ldif command.

    3. In the Oracle Components Integration region, select Enable for Enterprise User Security (EUS) to enable the new suffix.

      When you select EUS, in addition to creating this suffix, two suffixes are created automatically: "cn=oracleschemaversion" and "cn=oraclecontext." An EUS workflow element is also added in front of the local backend workflow element. Further, a DN renaming workflow element for "cn=schema" is added, so that it can be accessed using the "cn=subschemasubentry" DN.

    4. In the Network Group region, attach the suffix to at least one network group by performing the following steps:

      • To attach the suffix to an existing network group, select Use Existing and select the required network group from the list.

      • To attach the suffix to a new network group, select Create New and then in the Name field, type a name for the network group you want to create.

      You can attach several network groups to the same suffix.

    5. In the Workflow Element region, attach the suffix to the workflow element by performing either of the following steps:

      • To attach the suffix to an existing workflow element, select Use Existing and then select the required workflow element from the list.

      • To attach the suffix to a new workflow element, select Create New and then in the Name field, type a name for the workflow element you want to create.

    6. Click Create.

      The following confirmation message is displayed:

      Configuration created successfully.

25.3.2 Modifying the Oracle Unified Directory Configuration for Enterprise User Security

After OUD has been enabled for EUS, you must update the realm information in the OUD configuration by performing the following steps:

  1. Locate the LDIF template file at install_dir/config/EUS/modifyRealm.ldif.

  2. Edit the modifyRealm.ldif file as follows:

    • Replace dc=example,dc=com with the correct naming context for your server instance.

    • Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.

  3. Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:

    $ ldapmodify -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -v -f modifyRealm.ldif
    

25.3.3 Configuring Oracle Database for Oracle Unified Directory

You must configure the Oracle Database for Enterprise User Security by completing the following steps:

  • Section 25.3.3.1, "Configuring the Database"

  • Section 25.3.3.2, "Registering Your Database"

25.3.3.1 Configuring the Database

Run the Net Configuration Assistant (NetCA) to configure the Oracle Unified Directory host name and port numbers for the database.

To configure your database for directory usage:

  1. Start Oracle Net Configuration Assistant:

    Unix

    Run netca (Located at $ORACLE_HOME/bin) on the command line.

    Windows

    Choose Start, Programs, Oracle-HOME_NAME, Configuration and Migration Tools, and select Net Configuration Assistant.

    The Oracle Net Configuration Assistant: Welcome screen is displayed.

  2. Select Directory Service Usage Configuration and click Next.

    The Oracle Net Configuration Assistant: Directory Usage Configuration, Directory Type screen is displayed.

  3. Select Oracle Unified Directory as the directory type and click Next.

    The Oracle Net Configuration Assistant: Directory Usage Configuration, Directory Location screen is displayed.

  4. Enter the following details:

    • Hostname: Enter the name of the host on which the Oracle Unified Directory server is running.

    • Port: Enter the Oracle Unified Directory port number.

    • SSL Port: Enter the Oracle Unified Directory SSL port number.

    Click Next.

    The Oracle Net Configuration Assistant: Directory Usage Configuration, Select OracleContext screen is displayed.

  5. Select the default Oracle Context to use. You need to select this if there are multiple Oracle Unified Directory realms on the directory server. Click Next.

    The Directory Usage Configuration, Done screen is displayed.

  6. Confirm that the directory usage configuration is successfully completed. Click Next.

  7. Click Finish.

NetCA creates an ldap.ora file in the $ORACLE_HOME/network/admin directory (Unix) or ORACLE_HOME\network\admin directory (Windows). The file stores the connection information details about the directory.

25.3.3.2 Registering Your Database

Register the database with the directory service. The Database Configuration Assistant (DBCA) tool enables you to register the database with Oracle Unified Directory.

To register the database with the directory:

  1. Start DBCA using the dbca command.

    • On Unix systems, you can start DBCA using the following command:

      $ORACLE_HOME/bin/dbca

    • On Windows, you can also start DBCA from the Start menu:

      Click Start, All Programs, Oracle - OracleHomeName, Configuration and Migration Tools, and then select Database Configuration Assistant.

    The Welcome screen is displayed.

  2. Click Next.

    The Operations screen is displayed.

  3. Select Configure Database Options.

    Click Next.

    The Database screen is displayed.

  4. Select the database name that you wish to configure. You might also be asked to enter SYS user credentials if you are not using operating system authentication.

    Click Next.

    The Management Options screen is displayed.

  5. Select Keep the database configured with Database Control if you want to continue using Database Control to manage the database. You also have the option of using Grid Control to manage the database.

    Click Next.

    The Security Settings screen is displayed.

  6. Select Keep the enhanced 11g default security settings to keep the 11g security settings.

    Click Next.

    The Network Configuration screen is displayed.

  7. Select Yes, register the database to register the database with the directory. Enter the distinguished name (DN) of a user who is authorized to register databases in Oracle Unified Directory. Also, enter the password for the directory user. Enter a wallet password. Reenter the password in the Confirm Password field.

    Click Next.

    Note:

    The database uses a randomly generated password to log in to the directory. This database password is stored in an Oracle wallet. The wallet can also be used to store certificates needed for SSL connections.

    The wallet password that you specify is different from the database password. The wallet password is used to protect the wallet.

    The Database Components screen is displayed.

  8. Click Next.

    The Connection Mode page is displayed.

  9. Select Dedicated Server Mode or Shared Server Mode.

    Click Finish.

    The Confirmation dialog box is displayed.

  10. Click OK.

Note:

After you register the database with the directory, make sure that auto login is enabled for the database wallet. The default wallet is created in the $ORACLE_BASE/admin/database_sid/wallet directory (Unix) or ORACLE_BASE\admin\database_sid\wallet directory (Windows).

You can verify that auto login for the wallet is enabled by checking for the presence of the cwallet.sso file in the wallet directory. If the file is not present, you can enable auto login by opening the wallet using Oracle Wallet Manager, and using the option to enable auto login for the wallet.

25.4 Integrating with Enterprise User Security and an External LDAP Directory

Integrating Oracle Unified Directory and Enterprise User Security (EUS) enhances and simplifies your authentication and authorization capabilities by allowing you to centralize user identities stored in an external LDAP repository without any additional synchronization.

You can integrate EUS with an external LDAP directory if Oracle Unified Directory is configured as a proxy front-ending the external LDAP repository. The EUS configuration details are stored locally in Oracle Unified Directory, and the remote external LDAP directory contains only the Enterprise Users and the Enterprise Groups details.

This section describes how to integrate Oracle Unified Directory with Oracle Enterprise User Security and an external LDAP directory, and contains the following sections:

  • Section 25.4.1, "Configuring External Directories for the Integration"

  • Section 25.4.2, "Configuring Oracle Unified Directory for the Integration"

Note:

Create a back-up copy of the ORACLE_HOME/config/eus/ directory (Unix) or ORACLE_HOME\config\eus\ directory (Windows). All the configuration files required for the Enterprise User Security integration are in the eus directory. Making a back-up copy of the eus directory enables you to edit the template-like files in the original eus directory based on your environment, and still keep copies of the original files.

25.4.1 Configuring External Directories for the Integration

This section contains instructions for integrating Oracle Unified Directory with Enterprise User Security for use with specific external directories.

These instructions are organized by external directory type into the following sections:

  • Section 25.4.1.1, "User Identities in Microsoft Active Directory"

  • Section 25.4.1.2, "User Identities in Oracle Directory Server Enterprise Edition"

  • Section 25.4.1.3, "User Identities in Novell eDirectory"

  • Section 25.4.1.4, "User Identities in Oracle Unified Directory"

Note:

Back-end LDAP schema extensions are no longer required for any of these external directories, except Microsoft Active Directory. These changes are now done in the Oracle Unified Directory local store.

Only a single, minimal schema change to add the orclCommonAttribute attribute definition is necessary for Active Directory.

25.4.1.1 User Identities in Microsoft Active Directory

Perform the following procedures to integrate Oracle Unified Directory with Enterprise User Security for user identities stored in Active Directory:

  1. Make a back-up copy of your Active Directory image. The schema extensions inside Active Directory are permanent and cannot be reverted; the back-up image is the only way to restore the previous state if required.

  2. Execute the following command to load the schema that Enterprise User Security requires into Active Directory, using the ExtendAD Java class included in Oracle Unified Directory.

    The ExtendAD file is located in the $ORACLE_HOME/config/EUS/ActiveDirectory/ directory (Unix) or ORACLE_HOME\config\EUS\ActiveDirectory\ directory (Windows). You can use the java executable in the ORACLE_HOME/jdk/bin directory.

    java ExtendAD -h Active_Directory_Host_Name -p Active_Directory_Port \
    -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password \
    -AD Active_Directory_Domain_DN -commonattr
    

    Example:

    java ExtendAD -h myhost -p 389 -D cn=administrator,cn=users,dc=example,dc=com -w <pwd> -AD dc=example,dc=com -commonattr
    
  3. Install the Oracle Unified Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:

    1. Copy the DLL that matches your Windows architecture:

      Windows 32-bit

      Copy the OUD_HOME\config\EUS\ActiveDirectory\win\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.

      Windows 64-bit

      Copy the OUD_HOME\config\EUS\ActiveDirectory\win64\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory. (64-bit Windows keeps its 64-bit system DLLs in system32; there is no system64 directory.)

    2. Use the Registry Editor (regedit) to edit the registry and enable oidpwdcn.dll. Start it by entering regedit at the command prompt.

    3. Add oidpwdcn to the end of the Notification Packages value (a REG_MULTI_SZ) under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key, for example:

      RASSFM
      KDCSVC
      WDIGEST
      scecli
      oidpwdcn
      

      This enables the password DLL and populates the orclCommonAttribute attribute with the password verifier required by EUS. LSA loads the DLL into the local security authority process and hands it each new password in clear text so that it can compute the verifier, so install only the copy shipped in OUD_HOME. Repeat the copy, the registry change and the restart on every writable domain controller in the domain: a password change is processed by whichever domain controller receives it, and a domain controller without the plug-in leaves orclCommonAttribute unpopulated for that change.

    4. Restart the Active Directory system after making these changes.

  4. Run ldapmodify to allow anonymous LDAP operations on Active Directory:

    ldapmodify -h <ADhost> -p <AD port> -D <AD dirmgr> -w <pwd>
    dn: cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=example,dc=com
    changetype: modify
    replace: dsHeuristics
    dsHeuristics: 0000002
    

    Note:

    Replace dc=example,dc=com with the DN of your forest root domain: dsHeuristics is stored in the Configuration naming context and applies to the entire forest. Setting the seventh character of dsHeuristics to 2 permits anonymous LDAP operations beyond the rootDSE on every domain controller, so check what the directory ACLs grant to ANONYMOUS LOGON before you enable it. If dsHeuristics already has a value, merge this setting into it rather than overwriting the whole string, because each character position carries a separate setting.

  5. Reset the password for all Active Directory users. The plug-in sees a password only when it is set or changed, so existing passwords do not get a verifier until they are reset.

  6. Verify the Active Directory setup by performing the following steps:

    1. Change the password of an Active Directory user.

    2. Search Active Directory for the user whose password you changed and verify that the orclCommonAttribute attribute now contains the generated password verifier.

      A populated value confirms that the orclCommonAttribute definition was added to the Active Directory schema and that the password change notification plug-in is active on the domain controller that processed the change.

  7. Complete the integration by performing the task described in Configuring Oracle Unified Directory for the Integration.
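Two steps of the Active Directory procedure above hide a failure mode behind a one-line command. The dsHeuristics value in step 4 is positional: character 7 (counting from 1) is the anonymous-operations flag, every tenth character is a check digit that Active Directory requires to equal its position divided by ten, and writing the literal 0000002 over an existing value silently clears any other flag already set. The verification in step 6 depends on reading orclCommonAttribute out of ldapsearch output, which LDIF may base64-encode (the `::` form) and fold across lines. The following Python helpers are an added example, not code from the Oracle documentation: they merge the flag into the current dsHeuristics value (for any position, not only character 7), emit the LDIF for ldapmodify, and parse an ldapsearch result to confirm the verifier is populated. The function names, SAMPLE_LDIF and the placeholder verifier bytes are this example's own; the dsHeuristics layout and check-digit rule are Active Directory's.

```python
import base64
from typing import Dict, List, Optional

# Step 4 helper. dsHeuristics is positional: character 7 (1-indexed) is
# fAnonLDAPOps and the value 2 permits anonymous LDAP operations beyond the
# rootDSE; every 10th character is a check digit equal to position/10.
ANON_LDAP_OPS_POS = 7
ANON_LDAP_OPS_ALLOW = "2"

def validate_dsheuristics(value: str) -> None:
    """Raise ValueError if a check-digit position holds the wrong character."""
    if len(value) >= 100:
        raise ValueError("values of 100+ characters are not handled here")
    for pos in range(10, len(value) + 1, 10):
        if value[pos - 1] != str(pos // 10):
            raise ValueError(f"character {pos} must be {pos // 10}, found {value[pos - 1]!r}")

def set_dsheuristics_char(current: Optional[str], position: int, new_char: str) -> str:
    """Set 1-indexed `position` to `new_char`, padding with '0' and writing check digits."""
    if position % 10 == 0 or len(new_char) != 1:
        raise ValueError("a setting is one character and never sits on a check digit")
    value = current or ""  # attribute absent: AD treats it as all zeros
    validate_dsheuristics(value)
    chars = list(value)
    while len(chars) < position:
        chars.append("0")
        if len(chars) % 10 == 0:  # a check-digit position created by the padding
            chars[-1] = str(len(chars) // 10)
    chars[position - 1] = new_char
    return "".join(chars)

def allow_anonymous_ldap_ops(current: Optional[str]) -> str:
    """The page's setting, merged into whatever is already in dsHeuristics."""
    return set_dsheuristics_char(current, ANON_LDAP_OPS_POS, ANON_LDAP_OPS_ALLOW)

def dsheuristics_modify_ldif(forest_root_dn: str, new_value: str) -> str:
    """LDIF for ldapmodify; the entry is in the Configuration NC of the forest root."""
    return (
        "dn: cn=directory service,cn=windows nt,cn=services,cn=configuration,"
        f"{forest_root_dn}\nchangetype: modify\nreplace: dsHeuristics\n"
        f"dsHeuristics: {new_value}\n"
    )

# Step 6 helper: read the ldapsearch output and check orclCommonAttribute.
def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Minimal LDIF reader: unfolds lines, decodes '::' base64, lower-cases names."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous line
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[bytes]]] = []
    entry: Dict[str, List[bytes]] = {}
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):
            raise ValueError("URL-valued attributes are not supported")
        else:
            value = rest.strip().encode()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entries

def verifier_present(ldif_text: str, user_dn: str) -> bool:
    """True if `user_dn` carries a non-empty orclCommonAttribute. DNs are compared
    case-insensitively without RDN normalisation, so pass the DN as ldapsearch printed it."""
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [b""])[0].decode()
        if dn.lower() == user_dn.lower():
            return any(v.strip() for v in entry.get("orclcommonattribute", []))
    raise LookupError(f"no entry for {user_dn} in the search result")

# Constructed sample of an ldapsearch result after step 5: alice has changed her
# password, bob has not. The verifier bytes are a placeholder, not a real EUS verifier.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
description: constructed sample entry for the added
  example only
orclCommonAttribute:: Y29uc3RydWN0ZWQtdmVyaWZpZXI=

dn: CN=Bob Example,CN=Users,DC=example,DC=com
description: constructed sample entry without a verifier
"""

if __name__ == "__main__":
    print(dsheuristics_modify_ldif("dc=example,dc=com", allow_anonymous_ldap_ops("001")))
    for user in ("CN=Alice Example,CN=Users,DC=example,DC=com", "CN=Bob Example,CN=Users,DC=example,DC=com"):
        print(user, "->", verifier_present(SAMPLE_LDIF, user))
```

Read the current dsHeuristics value with ldapsearch from the Directory Service object before step 4, pass it to allow_anonymous_ldap_ops, and apply the returned LDIF with the ldapmodify line shown in that step. For step 6, save the ldapsearch output for the user to a file and hand its contents to verifier_present; a False result means that user's password has not been changed since the plug-in was installed on the domain controller that handled the change.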

25.4.1.2 User Identities in Oracle Directory Server Enterprise Edition

Perform the following procedures to integrate Oracle Unified Directory with Enterprise User Security for user identities stored in Oracle Directory Server Enterprise Edition:

  1. Run the ldapmodify command against Oracle Directory Server Enterprise Edition to enable the Password Policy Account Management extended operation, which EUS uses for account locking, as follows:

    ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password>
    dn: oid=1.3.6.1.4.1.42.2.27.9.6.25,cn=features,cn=config
    changetype: add
    objectclass: directoryServerFeature
    oid: 1.3.6.1.4.1.42.2.27.9.6.25
    cn: Password Policy Account Management
    
  2. Complete the integration by performing the task described in Configuring Oracle Unified Directory for the Integration.

25.4.1.3 User Identities in Novell eDirectory

Perform the following procedures to integrate Oracle Unified Directory with Enterprise User Security for user identities stored in Novell eDirectory:

  1. To configure Novell eDirectory for the integration, enable Universal Password in eDirectory and allow the administrator to retrieve the user password. Refer to Novell's eDirectory documentation on Password Management for more information.

  2. Complete the integration by performing the task described in Configuring Oracle Unified Directory for the Integration.

25.4.1.4 User Identities in Oracle Unified Directory

You can configure an Oracle Unified Directory instance as an external directory server with another Oracle Unified Directory instance as the proxy server. In this scenario, the EUS configuration details are stored locally in Oracle Unified Directory proxy server and the external Oracle Unified Directory contains only the Enterprise Users and the Enterprise Groups details.

To do so, you must modify the default password policy of the external instance to use Salted SHA-1 as its password storage scheme by running the dsconfig command as follows:

dsconfig -h <OUD host> -p <OUD admin port> -D <OUD dirmgr> -j <pwdfile> -X -n set-password-policy-prop --policy-name "Default Password Policy" --set default-password-storage-scheme:"Salted SHA-1"

Note:

Ensure that you modify the default password policy of the Oracle Unified Directory instance containing the Enterprise Users and the Enterprise Groups details. Do not modify the default password policy of the Oracle Unified Directory instance acting as the proxy server. Salted SHA-1 is required here for EUS compatibility but is a weak storage scheme by current standards, so compensate by restricting who can read userPassword on that instance. The -X option in the command above trusts any certificate the administration port presents; when connecting to a remote instance, use the trust store options (--trustStorePath) instead.

25.4.2 Configuring Oracle Unified Directory for the Integration

Configure Oracle Unified Directory to work with the external LDAP directory by performing the following steps:

  • Section 25.4.2.1, "Configuring Enterprise User Security for an Oracle Unified Directory Proxy Server"

  • Section 25.4.2.2, "Performing Post Configuration Steps"

  • Section 25.4.2.3, "Modifying the Oracle Unified Directory Proxy Server Configuration for Enterprise User Security"

  • Section 25.4.2.4, "Configuring Oracle Database for Oracle Unified Directory Proxy Server"

25.4.2.1 Configuring Enterprise User Security for an Oracle Unified Directory Proxy Server

You can configure EUS for an Oracle Unified Directory proxy server using one of the following options:

  • Section 25.4.2.1.1, "Enabling Enterprise User Security for a Proxy Server During Installation"

  • Section 25.4.2.1.2, "Enabling Enterprise User Security for an Existing Proxy Server Instance"

25.4.2.1.1 Enabling Enterprise User Security for a Proxy Server During Installation

You can enable an Oracle Unified Directory proxy server instance for integration with EUS while you are setting up the instance, as described in "Setting Up the Proxy Server" in the Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.

Notes:

  • Ensure that you select Configure EUS in the Deployment Options screen when running the oud-proxy-setup graphical interface. If you run oud-proxy-setup with the --cli option instead, specify the following option when launching the installer:

    oud-proxy-setup --eusContext {namingContext}
    
  • If you run oud-proxy-setup with the --cli option, you must manually configure the LDAP server extension, the proxy workflow element and the EUS workflow element using the dsconfig command. The graphical interface creates these configurations automatically.

  • For Novell eDirectory, enter the LDAPS port of the Oracle Unified Directory proxy server.

25.4.2.1.2 Enabling Enterprise User Security for an Existing Proxy Server Instance

To configure Enterprise User Security for an existing Oracle Unified Directory Proxy Server instance, complete the following steps:

  1. Ensure that the server instance has an LDAP connection handler that is enabled for SSL.

    If SSL is not enabled, add an LDAPS connection handler, as described in Section 14.2, "Managing the Server Configuration With Oracle Directory Services Manager".

  2. Connect to the proxy server from ODSM, as described in Section 18.2, "Connecting to the Server From Oracle Directory Services Manager".

  3. Select the Home tab.

  4. Under the Configuration menu, select Create Remote EUS Naming Context.

    The Create Remote EUS Naming Context window is displayed.

  5. Enter the following details:

    • Base DN: Enter the name for the suffix.

    • Network Group: Select the network group attached to the suffix.

    • Server Type: Select the server containing the EUS user entries.

    • Host Name: Enter the host name of the remote server.

    • Ports Available: Enter the LDAP port, LDAPS port, or LDAP and LDAPS ports of the remote server.

      Note:

      For Novell eDirectory, enter the LDAPS port of the Oracle Unified Directory proxy server.

    • Trust All: Select this check box to trust all the certificates presented by the remote server. This disables certificate validation on the proxy-to-remote LDAPS connection, so use it only while testing; in production, leave it clear and select a trust manager that holds the remote server's CA certificate.

    • Trust Manager: Select the trust manager that the server will use when connecting to the LDAPS ports of the remote server to forward requests.

  6. Click Create.

    The following confirmation message is displayed:

    Configuration created successfully.

25.4.2.2 Performing Post Configuration Steps

After completing the required configuration as described in Section 25.4.2.1, "Configuring Enterprise User Security for an Oracle Unified Directory Proxy Server", you must perform the following:

  1. Configure the proxy workflow element's remote root DN and remote root user password for the external LDAP-compliant directory by running the dsconfig command as follows. The example connects to the local administration port with --trustAll; when administering a remote instance, use the trust store options (--trustStorePath) instead:

    dsconfig set-workflow-element-prop \
              --element-name proxy-we1 \
              --set remote-root-dn:cn=administrator,cn=users,dc=example,dc=com \
              --set remote-root-password:******** \
              --hostname localhost \
              --port 4444 \
              --trustAll \
              --bindDN cn=directory\ manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
    
  2. Alternatively, configure the proxy workflow element to use use-client-identity together with an exclude-list, a remote LDAP server bind DN and a remote LDAP server bind password. With use-client-identity, the proxy forwards requests to the external directory under the identity of the client that authenticated to it. When EUS is enabled, the database connects with its own credentials and performs searches on the external LDAP server, but the database entry exists only under cn=oraclecontext in the local Oracle Unified Directory store, not on the external server. The DNs in exclude-list are therefore bound to the external server with the alternate identity in remote-ldap-server-bind-dn instead. Whatever that account can read or modify on the external directory is what the excluded identities effectively get, so grant it only the rights the EUS lookups need.

    dsconfig set-workflow-element-prop \
              --element-name proxy-we1 \
              --add exclude-list:cn=directory\ manager \
              --add exclude-list:cn=oraclecontext,dc=example,dc=com \
              --set remote-ldap-server-bind-dn:cn=administrator,cn=users,dc=example,dc=com \
              --set remote-ldap-server-bind-password:******** \
              --hostname localhost \
              --port 4444 \
              --trustAll \
              --bindDN cn=directory\ manager \
              --bindPasswordFile pwd.txt \
              --no-prompt
    

25.4.2.3 Modifying the Oracle Unified Directory Proxy Server Configuration for Enterprise User Security

After OUD has been enabled for EUS, you must update the realm information in the OUD configuration by performing the following steps:

  1. Locate the LDIF template file at install_dir/config/EUS/modifyRealm.ldif.

  2. Edit the modifyRealm.ldif file as follows:

    • Replace dc=example,dc=com with the correct naming context for your server instance.

    • Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.

  3. Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:

    $ ldapmodify -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -v -f modifyRealm.ldif
    

25.4.2.4 Configuring Oracle Database for Oracle Unified Directory Proxy Server

You must configure the Oracle Database, as described in Configuring Oracle Database for Oracle Unified Directory.