Oracle Enterprise User Security (EUS) enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service. This chapter provides instructions for enabling Oracle Unified Directory to work with Oracle Enterprise User Security.
This chapter contains the following sections:
Section 31.4, "Using Additional Enterprise User Security Configuration Options"
Section 31.5, "Understanding Enterprise User Security Password Warnings"
Oracle Enterprise User Security enables you to centrally manage database users across the enterprise. You can create enterprise users in an LDAP-compliant directory service, and then assign roles and privileges across various enterprise databases registered with the directory.
Users connect to Oracle Database by providing credentials stored in Oracle Unified Directory, or in another external LDAP-compliant directory that is front-ended by the Oracle Unified Directory proxy server. The database executes LDAP search operations to query user-specific authentication and authorization information. For more information, see Section 3.2.6, "Configuration 6: Enterprise User Security."
Integrating Oracle Unified Directory and Enterprise User Security enhances and simplifies your authentication and authorization capabilities by allowing you to leverage user identities stored in an LDAP-compliant directory service without any additional synchronization.
For more information about Oracle Enterprise User Security, see the Oracle Database Enterprise User Security Administrator's Guide.
Before you integrate Oracle Unified Directory with Oracle Enterprise User Security, you should consider what role Oracle Unified Directory will play in your topology. Also consider other business requirements for your enterprise. Before you begin integration, review all tasks and steps required for the various integration options.
When you use OUD as a directory server, installation is straightforward, and configuration is contained in OUD. For more information, see Section 31.3.1, "Configuring Oracle Directory Server as a Directory for Enterprise User Security."
When you use OUD as a directory proxy, you must take additional steps to configure the external LDAP-compliant directory that stores user entries. For more information, see Section 31.3.2, "Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security."
If you are configuring an existing directory or proxy instance to work with Enterprise User Security, you will need to complete some configuration steps manually. See the following for more information:
Task 1: Configure Oracle Unified Directory to Work with Enterprise User Security
Task 1: Configure User Identities in the External LDAP Directory
If you are installing a new directory or proxy instance, you can choose the Enterprise User Security option during setup. The new instance is automatically configured for EUS integration. See the following for more information:
This section provides step-by-step instructions for the following:
Note:
Anonymous search access must be enabled in Oracle Unified Directory for the Enterprise User Security integration to work, because Oracle Net Configuration Assistant (NetCA) performs anonymous searches against Oracle Unified Directory during configuration. After you have completed the configuration with NetCA, you can disable anonymous access again. See Section 28.5.1, "Disabling Anonymous Access."

These instructions require you to configure multiple Oracle products, as well as any external LDAP-compliant directory you may have in your topology. Before you begin, be sure that you can access the following components, as well as the current documentation that goes with them:
Oracle Unified Directory, ODSM, and the oud-setup and oud-proxy-setup commands
Oracle Enterprise User Security Net Configuration Assistant
Database Configuration Assistant for Oracle Database
Enterprise Manager for Oracle Database
Supported LDAP directories (Microsoft Active Directory, Novell eDirectory, Oracle Unified Directory, or Oracle Directory Server Enterprise Edition) you have in your topology
To configure Oracle Unified Directory as a directory for Enterprise User Security, complete the tasks in the following sections:
Task 1: Configure Oracle Unified Directory to Work with Enterprise User Security
Task 3: Select the Oracle Context to be Used by Enterprise User Security
If you already have an existing Oracle Unified Directory instance installed and provisioned, then complete the steps in one of these sections:
If you do not already have an Oracle Unified Directory installed and provisioned, then complete the steps in the following section "Installing and Configuring a New Oracle Unified Directory Instance to Work with Enterprise User Security."
Run the oud-setup program. You can use the command line or the graphical user interface.
To use the command line, run oud-setup with the --cli option. For example:
$ oud-setup --cli --integration eus --no-prompt --ldapPort 1389 \
  --adminConnectorPort 4444 -D "cn=directory manager" \
  --rootUserPasswordFile pwd.txt --ldapsPort 1636 \
  --generateSelfSignedCertificate --baseDN "dc=example,dc=com"
The self-signed certificate produced by --generateSelfSignedCertificate is suitable for evaluation. For a production deployment, use a certificate issued by a CA that your database hosts trust, because the database connects to the LDAPS port configured here.
For detailed information about using oud-setup and all its options, see "Setting Up the Directory Server" in the Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.
During setup, the base DN specified in the --baseDN option is prepared for EUS. If you specify multiple base DNs, they are all prepared for EUS.
To use the graphical user interface:
Run the oud-setup command.
In the Welcome page, click Next.
In the Server Settings page, provide the following information:
Host Name
This is the server that hosts the Oracle Unified Directory instance that stores users and groups.
Administration Connector Port
This is the administration port used by OUD tools such as dsconfig.
LDAP Listener Port
Specify the port used by OUD.
LDAP Secure Access
Click Configure to enable secure access.
In the Configure Secure Access window, click to mark the Enable SSL on Port checkbox. Then enter a port number for LDAPS, and click OK to continue.
Root User DN
This is the identity of the server administrator.
Password
Enter a password to be used by the server administrator.
Password (confirm)
Enter the password a second time to confirm.
Click Next to continue.
In the Topology Options page, be sure the option "This will be a stand alone server" is selected, and click Next.
In the Directory Data page, provide the following information:
Directory Base DN
Enter the base DN where you will store user entries.
Directory Data
Do not choose the option "Leave Database Empty." Choose one of the following options:
"Only Create Base Entry" creates an entry with the base DN specified previously.
"Import Data from LDIF File" imports LDIF data from the file specified in the Path field.
"Import Automatically-Generated Sample Data" generates the number of sample entries specified in the Number of User Entries field.
Click Next.
In the Oracle Components Integration page, choose the option "Enable for EUS (Enterprise User Security), EBS, Database Net Services and DIP." This option also enables the server for Database Net Services.
Click Next to continue.
In the Server Tuning page, you can configure your tunings or click Next.
See the Installation Guide for information about tuning configurations.
In the Review page, review your settings, and click Finish.
A new instance of Oracle Unified Directory is installed, configured, and then started.
You can configure an existing naming context for EUS, or you can create and configure a new naming context for EUS.
To use an existing naming context for EUS, run the manage-suffix update command. For example:
$ manage-suffix update -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus
This command configures the naming context specified as baseDN for EUS.
To create a new naming context for EUS, run the manage-suffix create command. For example:
$ manage-suffix create -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus
For more information about the manage-suffix command, see Section 17.2, "Managing Suffixes Using manage-suffix."
Before you begin, ensure that the server instance has an LDAP connection handler that is enabled for SSL. If SSL is not enabled, add an LDAPS connection handler. For information about adding an LDAPS connection handler, see Section 17.1, "Managing the Server Configuration Using dsconfig," and Section 17.1.5.2, "Configuring the LDAP Connection Handler."
You can configure an existing naming context for EUS, or you can create and configure a new naming context for EUS.
To configure an existing naming context for EUS using ODSM:
Connect to the directory server from ODSM
Click the Configuration tab
In the navigation pane on the left, below "Naming Contexts," choose the naming context you want to use.
In the right pane, in the "Oracle Components Integration" section, choose "Enable for Enterprise User Security (EUS)" and click Apply.
To create and configure a new naming context for EUS using ODSM:
Connect to the directory server from ODSM, as described in Section 16.2, "Connecting to the Server Using ODSM."
Click the Home tab.
Under the Configuration menu, choose Create Local Naming Context.
In the New Local Naming Context window, provide the following information:
Base DN
Type a name for the suffix that you want to create. You cannot enable EUS on an existing suffix that has already been populated with user data.
Directory Data Options
Choose one of the following:
Only Create Base Entry creates the database along with the base entry of the suffix. Any additional entries must be added after suffix creation.
Leave Database Empty creates an empty database. Do not select this option: it requires the base entry and any additional entries to be added after suffix creation, but for this configuration the suffix must contain at least one entry.
Import Generated Sample Data populates the suffix with sample entries.
Specify the number of entries that should be generated in the Number of User Entries field. You can import a maximum of 30,000 sample entries through ODSM. If you want to add more than 30,000 entries, you must use the import-ldif command.
Oracle Components Integration
To enable the new suffix for Enterprise User Security (EUS), select Enable.
Network Group
Attach the suffix to at least one network group:
To attach the suffix to an existing network group: Choose "Use Existing," and then choose the required network group from the list.
To attach the suffix to a new network group: Select "Create New," and then in the Name field, type a name for the network group you want to create.
You can attach the same suffix to several network groups.
Workflow Element
Attach the suffix to the workflow element.
To attach the suffix to an existing workflow element:
Choose "Use Existing," and then choose the required workflow element from the list.
The suffix is stored in the same Local Backend workflow element database, and has the same properties, such as the instance path to the Berkeley DB files.
To attach the suffix to a new workflow element:
Choose "Create New," and then in the Name field, type a name for the workflow element you want to create.
You can configure this new workflow element with other values, such as the location of the Berkeley DB files, the database cache size, and so on.
Click Create.
The following confirmation message is displayed:
Naming Context created successfully.
After Oracle Unified Directory has been configured for EUS or Oracle E-Business Suite, you must configure the naming context used to store the users and the groups by performing the following steps:
Locate the LDIF template file at install_directory/config/EUS/modifyRealm.ldif.
Edit the modifyRealm.ldif file as follows:
Replace dc=example,dc=com with the correct naming context for your server instance.
Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.
Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -f modifyRealm.ldif
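The edit-and-apply step above can be scripted so that the substitutions are checked before ldapmodify is run. The following shell script is an added example and is not part of the Oracle Unified Directory documentation or product. It assumes that the template carries the literal placeholders named above (dc=example,dc=com, ou=people, ou=groups); the sample template it embeds is constructed for illustration rather than copied from modifyRealm.ldif, and the OUD_INSTANCE_DIR variable, host names, ports and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle Unified Directory documentation.
# Renders the EUS realm template for your own DIT and sanity-checks the
# result before it is applied with ldapmodify on the LDAP listener port.
# Assumptions: the template carries the literal placeholders named in the
# text (dc=example,dc=com, ou=people, ou=groups); OUD_INSTANCE_DIR, host
# names, ports, file names and the sample template below are assumptions.

# sample_template: constructed stand-in for modifyRealm.ldif (the real
# file is not reproduced here); written to stdout.
sample_template() {
    cat <<'EOF'
dn: cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
changetype: modify
replace: orclCommonUserSearchBase
orclCommonUserSearchBase: ou=people,dc=example,dc=com
-
replace: orclCommonGroupSearchBase
orclCommonGroupSearchBase: ou=groups,dc=example,dc=com
EOF
}

# render_realm_ldif TEMPLATE BASE_DN USER_RDN GROUP_RDN
# Prints TEMPLATE with the three placeholders replaced. The base DN is
# replaced first so the container RDNs are substituted independently.
render_realm_ldif() {
    sed -e "s|dc=example,dc=com|$2|g" \
        -e "s|ou=people|$3|g" \
        -e "s|ou=groups|$4|g" "$1"
}

# check_realm_ldif FILE BASE_DN
# Returns 0 when no placeholder survives and every dn: line lies under
# BASE_DN; prints the reason on stderr and returns 1 otherwise.
check_realm_ldif() {
    if grep -q 'dc=example,dc=com' "$1"; then
        echo "check: placeholder dc=example,dc=com still present in $1" >&2
        return 1
    fi
    if grep '^dn:' "$1" | grep -v "$2\$" | grep -q .; then
        echo "check: a dn: line in $1 is outside $2" >&2
        return 1
    fi
    return 0
}

# apply_realm_ldif HOST PORT BIND_DN PWD_FILE FILE
# Runs ldapmodify. Refuses the administration connector port used in this
# chapter's examples (4444, an assumption): the realm change must go to
# the port of the LDAP connection handler.
apply_realm_ldif() {
    if [ "$2" = "4444" ]; then
        echo "apply: port $2 is the administration connector, use the LDAP port" >&2
        return 1
    fi
    ldapmodify -h "$1" -p "$2" -D "$3" -j "$4" -f "$5"
}

# Usage: ./eus-realm.sh BASE_DN USER_RDN GROUP_RDN [HOST PORT PWD_FILE]
# e.g.   ./eus-realm.sh dc=corp,dc=net ou=users ou=grp localhost 1389 pwd.txt
if [ "$#" -ge 3 ]; then
    template="${OUD_INSTANCE_DIR:-.}/config/EUS/modifyRealm.ldif"
    [ -r "$template" ] || { echo "template not found: $template" >&2; exit 1; }
    render_realm_ldif "$template" "$1" "$2" "$3" > modifyRealm.rendered.ldif
    check_realm_ldif modifyRealm.rendered.ldif "$1" || exit 1
    if [ "$#" -ge 6 ]; then
        apply_realm_ldif "$4" "$5" "cn=directory manager" "$6" modifyRealm.rendered.ldif
    fi
fi
```

Without the optional host, port and password file the script only renders and checks the file, so you can review modifyRealm.rendered.ldif before anything is written to the directory.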
Note:
Ensure that you specify the port number on which the LDAP connection handler listens for client connections (for example, 1389) and not the administration connector port (4444 in these examples).

Enterprise User Security stores its configuration, also called EUS metadata, in an Oracle Context, which corresponds to a part of the Directory Information Tree. If your user entries are stored below dc=example,dc=com, then EUS is usually configured to use cn=OracleContext,dc=example,dc=com as the Oracle Context.
Use Oracle Net Configuration Assistant to indicate where EUS should read its configuration.
To start the Oracle Net Configuration Assistant, run the netca command on the host where the database is installed.
On the Welcome page, select "Directory Usage Configuration," and click Next.
On the subsequent pages, provide the following information:
Directory Type
Select "Oracle Internet Directory" even if the LDAP server is Oracle Virtual Directory or Oracle Unified Directory.
Click Next.
Hostname
Enter the hostname or IP address of the server hosting your LDAP server.
Port
Enter the LDAP port number.
SSL Port
Enter the LDAPS port number.
Oracle Context
Do not select cn=OracleContext. Instead, click the arrow to display the available contexts and choose the location of your Oracle Context (for example, cn=OracleContext,dc=example,dc=com).
Click Next.
When the following message is displayed, click Next: "Directory usage configuration complete!"
When the Welcome page is displayed, click Finish.
To verify that the Net Configuration Assistant has successfully created the configuration file containing the LDAP server information, run the following command:
# cat $ORACLE_HOME/network/admin/ldap.ora
# ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
# Generated by Oracle configuration tools.
DIRECTORY_SERVERS= (oudhost:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
The configuration file used by the database contains the hostname and ports of the LDAP server. In this example, the information is represented as (oudhost:1389:1636), that is, the host, the LDAP port and the LDAPS port. You can specify multiple servers, separated by commas, for high availability deployments. See Section 31.4.2, "Using Oracle Unified Directory and Enterprise User Security in High Availability Topologies."
In this example, dc=example,dc=com is the default administrative context. EUS reads its configuration, also known as the EUS metadata, from the Oracle Context below it, cn=OracleContext,dc=example,dc=com. DIRECTORY_SERVER_TYPE is OID, as selected in NetCA, even though the directory is Oracle Unified Directory.
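The check of ldap.ora described above can be made repeatable. The following shell script is an added example and is not part of the Oracle Unified Directory or Oracle Database documentation; it relies only on the file layout shown above (host:port:sslport entries, comma-separated inside parentheses, plus DEFAULT_ADMIN_CONTEXT and DIRECTORY_SERVER_TYPE). The two-server ldap.ora it embeds is constructed for illustration, not captured from a database host, and the host names in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle Unified Directory documentation.
# Reads the ldap.ora written by NetCA and checks the three settings that
# matter for EUS: the server type, an LDAPS port for every directory
# server, and the admin context from which the Oracle Context is derived.
# Assumptions: the file layout shown in the text; the sample below is
# constructed for an HA topology, its host names are made up.

# sample_ldap_ora: constructed two-server ldap.ora, written to stdout.
sample_ldap_ora() {
    cat <<'EOF'
# ldap.ora Network Configuration File
# Generated by Oracle configuration tools.
DIRECTORY_SERVERS= (oudhost1:1389:1636, oudhost2:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
EOF
}

# ldap_ora_value FILE KEY: prints the value of KEY, unquoted and trimmed.
ldap_ora_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed -e 's/^"//' -e 's/"[[:space:]]*$//' -e 's/[[:space:]]*$//'
}

# ldap_ora_oracle_context FILE: prints the Oracle Context EUS will use,
# cn=OracleContext directly below DEFAULT_ADMIN_CONTEXT.
ldap_ora_oracle_context() {
    ctx=$(ldap_ora_value "$1" DEFAULT_ADMIN_CONTEXT)
    [ -n "$ctx" ] || return 1
    printf 'cn=OracleContext,%s\n' "$ctx"
}

# ldap_ora_servers FILE: prints one "host port sslport" line per server;
# the third field is empty when no LDAPS port was configured.
ldap_ora_servers() {
    list=$(ldap_ora_value "$1" DIRECTORY_SERVERS | sed -e 's/^(//' -e 's/)$//' -e 's/,/ /g')
    for entry in $list; do
        old_ifs=$IFS; IFS=:; set -- $entry; IFS=$old_ifs
        printf '%s %s %s\n' "$1" "$2" "$3"
    done
}

# check_ldap_ora FILE: returns 0 when the file is usable for EUS, prints
# the first problem found on stderr and returns 1 otherwise.
check_ldap_ora() {
    file=$1
    type=$(ldap_ora_value "$file" DIRECTORY_SERVER_TYPE)
    if [ "$type" != "OID" ]; then
        echo "check: DIRECTORY_SERVER_TYPE is '$type', expected OID (also for OUD)" >&2
        return 1
    fi
    ldap_ora_oracle_context "$file" >/dev/null || {
        echo "check: DEFAULT_ADMIN_CONTEXT is missing" >&2; return 1; }
    servers=$(ldap_ora_servers "$file")
    [ -n "$servers" ] || { echo "check: DIRECTORY_SERVERS is empty" >&2; return 1; }
    while read -r host port ssl; do
        if [ -z "$host" ] || [ -z "$port" ] || [ -z "$ssl" ]; then
            echo "check: server '$host' lacks an LDAP or LDAPS port" >&2
            return 1
        fi
    done <<EOF
$servers
EOF
    return 0
}

# Usage: ./check-ldap-ora.sh $ORACLE_HOME/network/admin/ldap.ora
if [ "$#" -ge 1 ]; then
    check_ldap_ora "$1" && ldap_ora_servers "$1" && ldap_ora_oracle_context "$1"
fi
```

Run it against the file NetCA wrote; a missing LDAPS port or a server type other than OID is reported before you continue with the database registration.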
Use the Database Configuration Assistant for Oracle Database to complete this task.
Run the dbca command on the host where the database is installed.
The Database Configuration Assistant for Oracle Database is displayed. Click Next, then provide the following information in the subsequent pages:
Select the operation you want to perform
Choose "Configure Database Option," then click Next.
Database
In the list box, select the database you want to register. Then click Next.
Database Configuration Assistant determines if the database is already registered in the LDAP server.
Would you like to register this database with the directory service?
Choose "Yes, register the database." Database Configuration Assistant will create an entry for the database in the Oracle Context.
User DN
The user DN will be used to authenticate to the LDAP server. The user DN is also used in the add operation, which creates the database entry in the Oracle Context. The user must have write access to the LDAP server.
Password
Database Configuration Assistant creates a wallet for the database. The database entry DN and password are stored in the wallet. When the database connects to the LDAP server, it authenticates using the credentials stored in this wallet. Protect the wallet files accordingly: they hold the credential the database uses to bind to the directory.
Database Components
Make no changes to this page, and click Next.
Connection Mode
Choose "Dedicated Server Mode," then click Finish.
Confirmation
Click OK to register the database.
Do you want to perform another operation?
Click No to exit the Database Configuration Assistant application.
To verify that Database Configuration Assistant successfully created a new entry for the database, run the following command, where cn=orcl11g is the name of the database specified in the previous step:
$ ldapsearch -h oudhost -p 1389 -D "cn=directory manager" -j pwd.txt -b cn=oraclecontext,dc=example,dc=com "(cn=orcl11g)"
dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
orclVersion: 112000
orclcommonrpwdattribute: {SASL-MD5}eW5+2LTPRKzFmHxmMZQmnw==
objectClass: orclApplicationEntity
objectClass: orclService
objectClass: orclDBServer_92
objectClass: orclDBServer
objectClass: top
orclServiceType: DB
orclSid: orcl11g
oracleHome: /app/oracle/product/db/product/11.2.0/dbhome_1
cn: orcl11g
orclSystemName: oudhost
userPassword: {SSHA}oNeBEqkUMtDusjXNXJPpa7qa+Yd0b9RHvA==
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oudhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl11g)))
orclDBGLOBALNAME: orcl11g
orclNetDescName: 000:cn=DESCRIPTION_0
The search binds as cn=directory manager, which is why the password verifiers of the database entry (userPassword and orclcommonrpwdattribute) are returned. Confirm that an ordinary directory user cannot read these attributes.
Use Oracle Enterprise Manager to complete the steps in this task.
Run the following SQL commands:
SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
User created.
SQL> GRANT CONNECT TO global_ident_schema_user;
Grant succeeded.
In a web browser, connect to Enterprise Manager. For example:
https://localhost:1158/em
Provide the following, then click Login.
User Name
Enter the name of a user who is authorized to administer the database.
Password
Enter the administrator password.
Connect As
Choose SYSDBA.
Click Login.
Click the Server tab.
On the Server tab, in the Security section, click Enterprise User Security.
In the "Oracle Internet Directory Login: Enterprise User Security" page, provide the following information:
User
Enter the username of a user, for example cn=directory manager, who has write access to the Oracle Context.
Password
Enter the password for the same user.
Click Login.
On the Enterprise User Security page, click Manage Enterprise Domains.
An Enterprise Domain can contain one or more databases. The settings for an Enterprise Domain apply to all databases it contains.
On the Manage Enterprise Domains page, select the domain you want to configure, then click Configure.
On the Configure Domain page, click "User - Schema Mappings."
On the User - Schema Mappings page, click Create.
To create a domain-schema mapping, on New Mapping page provide the following information:
From
You can associate a global schema to all the users in a given subtree, or to a given user.
To associate a global schema to all users in a given subtree:
1. Choose Subtree, then click the flashlight icon to search for available subtrees.
2. In the Select User page, select a subtree.
3. Enterprise users below the DN you select will be mapped to the same global schema. Click Select.
To associate a global schema to a given user:
1. Choose User Name, then click the flashlight icon to search for available users.
2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema. Click Select.
To
In the Schema field, enter the name of the global schema, for example global_ident_schema_user.
Click Continue.
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.
For this example, a role named hr_access is created. The role grants read access to the table hr.employees.
To create a role in the database:
SQL> CREATE ROLE hr_access IDENTIFIED GLOBALLY;
Role created.
SQL> GRANT SELECT ON hr.employees TO hr_access;
Grant succeeded.
For more information, see the Oracle Database documentation.
On the Manage Enterprise Domains page, select the domain in which you want to create the role, then click Configure.
On the Configure Domain page, click Enterprise Roles. Click Create.
On the Create Enterprise Role page, provide the following information:
In the Name field, provide a name for your enterprise role.
In the DB Global Roles tab, click Add.
In the Search And Select: Database Global Roles page, provide the following information:
Database
Choose the database from the drop-down list.
User Name
Enterprise Manager retrieves the available roles from the database. Enter the username of an administrator, for example SYS AS SYSDBA, who is authorized to access the roles.
Password
Enter the administrator password.
Click Go.
In the "Search and Select: Database Global Roles" page, choose the global role you want to grant to Enterprise Users.
Click Select.
In the Create Enterprise Role page, select the Enterprise user or groups to which you will grant the Enterprise Role, then click the Grantees tab.
On the Grantees tab, to select Enterprise users or groups click Add.
In the "Select: Users and Groups" page, click Go. Enterprise Manager retrieves available Users and Groups.
View
You can search for users or groups.
Search Base
Enterprise Manager begins the search at this DN.
Name
Enter a string here to narrow down the search. For example, if you want to find a user whose name starts with jo, enter jo and Click Go.
A table displays relevant entries. From the list, select the users and groups to which you want to grant the Enterprise Role, then click Select.
Click Continue.
In the Configure Domain page, click OK to continue.
In the Edit Enterprise Role page, click Continue.
In the Configure Domain page, click OK.
After the role has been successfully created, click Configure.
To define a proxy permission on user SH, run the following command:
SQL> ALTER USER SH GRANT CONNECT THROUGH ENTERPRISE USERS;
User altered.
This command permits enterprise users to connect to the database through the user SH. The proxy permission you create next in Enterprise Manager defines which enterprise users are allowed to do so.
On the Configure Domain Information page, select the domain you want to configure, then click Configure.
On the Configure Domain page, click Proxy Permissions.
To create a new Proxy Permission, on the Proxy Permissions tab click Create.
On the Create Proxy Permission page, in the Name field, provide a name for your Proxy Permission.
On the Target DB Users tab, click Add.
On the "Search And Select: Database Target Users" page, provide the following information:
Database
Choose the database from the drop-down list.
User Name
Enter the username of an administrator, for example SYS AS SYSDBA, who is authorized to access the users.
Password
Enter the administrator password.
Click Go.
Enterprise Manager retrieves the available target users from the database.
In the Search and Select page, select the target user for the proxy permission, then click Select.
In the Create Proxy Permission page, click the Grantees tab.
On the Grantees tab, click Add.
On the Select Users and Groups page, click Go. Enterprise Manager retrieves available Enterprise Users.
In the Select: Users and Groups page, select the users to be granted Proxy Permission. Then click Select to continue.
On the Create Proxy Permission page, click Continue.
On the Configure Domain page, click OK to continue.
On the Enterprise User Security page, click Manage Databases.
On the Manage Databases page, select the database you want to configure, and click Configure.
On the Configure Database page, click "User - Schema Mappings" tab.
On the "User - Schema Mappings" page, click Create.
To create a domain-schema mapping, on New Mapping page provide the following information:
From
You can associate a global schema to all the users in a given subtree, or to a given user.
To associate a global schema to all users in a given subtree:
1. Choose Subtree, then click the flashlight icon to search for available subtrees.
2. In the Select User page, select a subtree.
3. Enterprise users below the DN you select will be mapped to the same global schema. Click Select.
To associate a global schema to a given user:
1. Choose User Name, then click the flashlight icon to search for available users.
2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema. Click Select.
To
In the Schema field, enter the name of the global schema, for example global_ident_schema_user.
Click Continue.
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.
At this point Enterprise User Security contains the following configurations:
A user-schema mapping granting a global schema to all users below dc=example,dc=com
An Enterprise Role granting HR_ACCESS to uid=user.0,ou=people,dc=example,dc=com
A Proxy Permission allowing uid=user.1,ou=people,dc=example,dc=com to proxy as user SH.
To test the database configurations:
Run sqlplus to connect to the database as user.0.
In the following example, SQL*Plus prompts for the user password. The administrator provides the password configured for uid=user.0,ou=people,dc=example,dc=com in the LDAP server.
# sqlplus user.0
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from session_roles;
ROLE
------------------------------
CONNECT
HR_ACCESS
SQL>
In this example, the following are indications that the database is configured properly for users such as user.0:
The line that starts with "Connected to:" indicates that authentication against the directory succeeded.
The query select * from session_roles lists the roles granted to the current session.
The database role HR_ACCESS is granted through the Enterprise Role.
Run sqlplus to connect to the database with the credentials of user.1.
In the following example, SQL*Plus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.
# sqlplus user.1
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from session_roles;
ROLE
------------------------------
CONNECT
SQL>
In this example, the following are indications that the database is configured properly for users such as user.1:
The line that starts with "Connected to:" indicates that authentication against the directory succeeded.
The query select * from session_roles lists the roles granted to the current session.
The only database role is CONNECT, and it is granted through the global schema of the user-schema mapping; user.1 is not a grantee of the Enterprise Role.
Run sqlplus to connect to the database with the credentials of user.1, using the proxy permission to act as user SH.
In the following example, SQL*Plus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.
# sqlplus user.1[sh]
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from session_roles;
ROLE
------------------------------
RESOURCE
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
CWM_USER
SQL>
In this example, the following are indications that the database is configured properly for users such as user.1:
The line that starts with "Connected to:" indicates that authentication against the directory succeeded.
The query select * from session_roles lists the roles granted to the current session.
The user user.1 inherits the roles of user SH through proxy authentication: the session roles are those of SH, not the CONNECT role of user.1's own global schema.
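The three manual SQL*Plus checks above can be turned into one repeatable test that compares each identity's session roles with the set the configuration should produce. The following shell script is an added example and is not part of the Oracle Unified Directory or Oracle Database documentation. It follows the user names, role names and listings shown above; the SQL*Plus transcripts it embeds are constructed samples, sqlplus is only invoked when the script is started with the -live option, and the SQLPLUS_PWD variable that supplies the passwords is an assumption.

```shell
#!/bin/sh
# Added example, not from the Oracle Unified Directory documentation.
# Turns the three manual SQL*Plus checks into a repeatable test: each
# enterprise identity is connected, SESSION_ROLES is read and the result
# is compared with the role set the EUS configuration should produce.
# Assumptions: user and role names follow the chapter's example; the
# transcripts below are constructed; sqlplus runs only with -live and
# reads the password from SQLPLUS_PWD (an assumption of this script).

# roles_from_output: reads a SQL*Plus listing of "select * from
# session_roles" on stdin and prints the role names, sorted, one per line.
roles_from_output() {
    awk '
        /^ROLE$/          { inlist = 1; next }   # column header
        inlist && /^-+$/  { next }               # header underline
        inlist && /^SQL>/ { inlist = 0 }         # next prompt ends the list
        inlist && NF == 1 { print $1 }
    ' | sort
}

# expect_roles ACTUAL_FILE ROLE...: returns 0 when the roles parsed from
# ACTUAL_FILE are exactly the ROLE arguments, in any order.
expect_roles() {
    actual=$(roles_from_output < "$1"); shift
    expected=$(printf '%s\n' "$@" | sort)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "expected roles: $(echo $expected)" >&2
    echo "actual roles:   $(echo $actual)" >&2
    return 1
}

# query_roles CONNECT_STRING: runs the query as the given identity, for
# example user.0 or user.1[sh] (the proxy syntax used in the text).
query_roles() {
    sqlplus -S "$1/$SQLPLUS_PWD" <<'EOF'
set pagesize 50 feedback off
select * from session_roles;
exit
EOF
}

# check_identity CONNECT_STRING ROLE...: live query plus comparison.
check_identity() {
    out=$(mktemp)
    query_roles "$1" > "$out"; shift
    expect_roles "$out" "$@"; rc=$?
    rm -f "$out"; return $rc
}

# sample_output IDENTITY: constructed SQL*Plus transcript for user.0,
# user.1 or user.1[sh], mirroring the listings shown in the text.
sample_output() {
    case $1 in
        user.0)       roles='CONNECT
HR_ACCESS' ;;
        user.1)       roles='CONNECT' ;;
        'user.1[sh]') roles='RESOURCE
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
CWM_USER' ;;
        *) return 1 ;;
    esac
    printf 'Connected to:\nOracle Database 11g Enterprise Edition Release 11.2.0.2.0\nSQL> select * from session_roles;\n\nROLE\n------------------------------\n%s\n\nSQL>\n' "$roles"
}

# Usage: SQLPLUS_PWD=... ./check-eus.sh -live   (otherwise the samples are checked)
if [ "${1:-}" = "-live" ]; then
    rc=0
    check_identity 'user.0'     CONNECT HR_ACCESS || rc=1
    check_identity 'user.1'     CONNECT || rc=1
    check_identity 'user.1[sh]' RESOURCE SELECT_CATALOG_ROLE HS_ADMIN_SELECT_ROLE CWM_USER || rc=1
    exit $rc
else
    tmp=$(mktemp)
    sample_output user.0 > "$tmp"
    expect_roles "$tmp" CONNECT HR_ACCESS && echo "sample user.0: roles as expected"
    rm -f "$tmp"
fi
```

The comparison is order-insensitive but exact, so a role that appears unexpectedly (for example HR_ACCESS in the session of user.1) fails the check just as a missing role does.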
To configure Oracle Unified Directory Proxy to work with an External LDAP Directory and Enterprise User Security, complete the tasks described in the following sections:
Task 1: Configure User Identities in the External LDAP Directory
Task 2: Configure Oracle Unified Directory Proxy to Work with Enterprise User Security
Task 4: Select the Oracle Context to be Used By Enterprise User Security
Task 6: Configure Roles and Permissions
Configure the existing user and group identities so they can be recognized by Enterprise User Security. Choose from the following based on your external LDAP directory:
Section 31.3.2.1.1, "To Configure User Identities in Microsoft Active Directory"
Section 31.3.2.1.2, "To Configure User Identities in Oracle Directory Server Enterprise Edition"
Section 31.3.2.1.3, "To Configure User Identities in Novell eDirectory"
Section 31.3.2.1.4, "To Configure User Identities in Oracle Unified Directory"
Make a backup copy of your Active Directory image. The schema extensions in Active Directory are permanent and cannot be undone. The backup image enables you to restore the previous state if required.
Execute the following command to load the schema required by Enterprise User Security into Active Directory with ExtendAD, using the Java classes included in Oracle Unified Directory.
The ExtendAD file is located in the $ORACLE_HOME/config/EUS/ActiveDirectory/ directory (UNIX) or the ORACLE_HOME\config\EUS\ActiveDirectory\ directory (Windows). You can use the java executable in the ORACLE_HOME/jdk/bin directory.
java ExtendAD -h Active_Directory_Host_Name -p Active_Directory_Port -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password -AD Active_Directory_Domain_DN -commonattr
Example:
java ExtendAD -h myhost -p 389 -D cn=administrator,cn=users,dc=example,dc=com -w <pwd> -AD dc=example,dc=com -commonattr
Because -w places the administrator password on the command line, it can be visible in process listings and shell history; clear the history afterward and use a dedicated, temporary administrator credential where possible.
Install the Oracle Unified Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:
Copy the DLL that matches your Windows architecture:
Windows 32-bit: copy the OUD_HOME\config\EUS\ActiveDirectory\win\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.
Windows 64-bit: copy the OUD_HOME\config\EUS\ActiveDirectory\win64\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.
Use regedt32 or regedt64 to edit the registry and enable oidpwdcn.dll. Start the registry editor by entering regedt32 at the command prompt.
Add oidpwdcn to the end of the Notification Packages value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry key. The value is a list with one package name per line, for example:
RASSFM
KDCSVC
WDIGEST
scecli
oidpwdcn
This step enables the password DLL and populates the orclCommonAttribute attribute with the password verifier required by EUS.
A notification package runs inside the LSA process with SYSTEM privileges and receives every new password in cleartext, so protect the DLL file from modification. Install it on every domain controller that can process password changes; otherwise verifiers are generated only for changes handled by the domain controllers that have it.
Restart the Active Directory system after making these changes.
Reset the password for all the Active Directory users, allowing the plug-in to acquire the password changes and generate and store password verifiers.
Verify the Active Directory setup by performing the following steps:
Change the password of an Active Directory user.
Search Active Directory for the user whose password you changed, and verify that the orclCommonAttribute attribute contains the generated password verifier. The orclCommonAttribute attribute definition itself was added to the Active Directory schema by ExtendAD.
Run the ldapmodify command from Oracle Directory Server Enterprise Edition to enable the extended operation for account lock (the Password Policy Account Management feature), as follows:
ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password>
dn: oid=1.3.6.1.4.1.42.2.27.9.6.25,cn=features,cn=config
changetype: add
objectclass: directoryServerFeature
oid: 1.3.6.1.4.1.42.2.27.9.6.25
cn: Password Policy Account Management
Enable the Universal Password in eDirectory, and allow the administrator to retrieve the user password. See the Novell eDirectory documentation about Password Management for more information.
Modify the default password policy to use Salted SHA-1 as the password storage scheme by running the dsconfig command as follows:
./dsconfig -h <OUD host> -p <OUD admin port> -D <OUD dirmgr> -j <pwdfile> -X -n \
  set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set default-password-storage-scheme:"Salted SHA-1"
Note:
Ensure that you modify the default password policy of the Oracle Unified Directory containing the Enterprise Users and the Enterprise Groups details. Do not modify the default password policy of the Oracle Unified Directory instance acting as the proxy server.
If you do not already have an Oracle Unified Directory Proxy installed, complete the steps in one of these sections:
If you already have an Oracle Unified Directory Proxy instance installed, complete the steps in Section 31.3.2.2.3, "Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using ODSM."
Run the oud-proxy-setup command. For example:
oud-proxy-setup -i -p 1389 --adminConnectorPort 4444 -D "cn=directory manager" -j pwd.txt -Z 1636 --generateSelfSignedCertificate --eusContext dc=example,dc=com
Create an LDAP server extension for the remote LDAP server containing the Enterprise users and groups. For example:
dsconfig create-extension \
  --set enabled:true \
  --set remote-ldap-server-address:serverip \
  --set remote-ldap-server-port:389 \
  --type ldap-server \
  --extension-name proxy1 \
  --hostname localhost \
  --port 4444 \
  --trustAll \
  --bindDN "cn=directory manager" \
  --bindPasswordFile pwd.txt \
  --no-prompt
Create a Proxy workflow element for the remote LDAP server using the LDAP server extension you created in the previous step.
You can configure this Proxy workflow element to use either the use-specific-identity or the use-client-identity mode.
Use use-specific-identity mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.
To create the proxy workflow element using the use-specific-identity mode, run the dsconfig command as follows:
dsconfig create-workflow-element \
  --set client-cred-mode:use-specific-identity \
  --set enabled:true \
  --set ldap-server-extension:proxy1 \
  --set remote-ldap-server-bind-dn:cn=administrator,cn=users,dc=example,dc=com \
  --set remote-ldap-server-bind-password:******** \
  --set remote-root-dn:cn=administrator,cn=users,dc=example,dc=com \
  --set remote-root-password:******** \
  --type proxy-ldap \
  --element-name proxy-we1 \
  --hostname localhost \
  --port 4444 \
  --trustAll \
  --bindDN "cn=directory manager" \
  --bindPasswordFile pwd.txt \
  --no-prompt
In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by the OUD proxy to connect to the remote server.
Use use-client-identity mode if your external LDAP server allows anonymous access.
If you want to use the use-client-identity mode, then you must configure the external LDAP server credentials and configure an exclude-list.
The database usually connects with its own credentials to Oracle Unified Directory proxy server, and then performs searches on the external LDAP server. When EUS is enabled, the database must use an alternate ID to bind to the external LDAP server because the database entry does not exist on the external LDAP server. The database entry is stored locally on the Oracle Unified Directory proxy server.
To create the proxy workflow element using use-client-identity mode, run the dsconfig command as follows:
dsconfig create-workflow-element \
  --set client-cred-mode:use-client-identity \
  --set enabled:true \
  --set ldap-server-extension:proxy1 \
  --set exclude-list:"cn=directory manager" \
  --set exclude-list:cn=oraclecontext,dc=example,dc=com \
  --set remote-ldap-server-bind-dn:cn=administrator,cn=users,dc=example,dc=com \
  --set remote-ldap-server-bind-password:******** \
  --set remote-root-dn:cn=administrator,cn=users,dc=example,dc=com \
  --set remote-root-password:******** \
  --type proxy-ldap \
  --element-name proxy-we1 \
  --hostname localhost \
  --port 4444 \
  --trustAll \
  --bindDN "cn=directory manager" \
  --bindPasswordFile pwd.txt \
  --no-prompt
In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by the remote LDAP administrator.
Important. When in use-client-identity mode, if you are integrating with Active Directory, then you must also run the following command to allow anonymous login, where dc=example,dc=com is the base DN of your Active Directory server.
ldapmodify -h ADhost -p ADport -D ADdirmgr -w pwd
dn: cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=example,dc=com
changetype: modify
replace: dsHeuristics
dsHeuristics: 0000002
Create an EUS workflow element using the proxy workflow element created in the previous step:
dsconfig create-workflow-element \
  --set enabled:true \
  --set eus-realm:dc=example,dc=com \
  --set next-workflow-element:proxy-we1 \
  --set server-type:ad \
  --type eus \
  --element-name eus-we1 \
  --hostname localhost \
  --port 4444 \
  --trustAll \
  --bindDN "cn=directory manager" \
  --bindPasswordFile pwd.txt \
  --no-prompt
Note: The server-type defines the remote LDAP server containing your enterprise users and groups. Use one of the following values: ad for Active Directory, edir for Novell eDirectory, oud for Oracle Unified Directory, or odsee for Oracle Directory Server Enterprise Edition.
Create a workflow for your naming context using the EUS workflow element created in the previous step:
dsconfig create-workflow \
  --set base-dn:dc=example,dc=com \
  --set enabled:true \
  --set workflow-element:eus-we1 \
  --type generic \
  --workflow-name workflow1 \
  --hostname localhost \
  --port 4444 \
  --trustAll \
  --bindDN "cn=directory manager" \
  --bindPasswordFile pwd.txt \
  --no-prompt
Add the workflow created in the previous step to your network group:
dsconfig set-network-group-prop \
  --group-name network-group \
  --add workflow:workflow1 \
  --hostname localhost \
  --port 4444 \
  --trustAll \
  --bindDN "cn=directory manager" \
  --bindPasswordFile pwd.txt \
  --no-prompt
Run the oud-proxy-setup program.
In the Welcome page, click Next.
In the Server Settings page, provide the following information:
Host Name. Enter the name of the OUD proxy host.
Administration Connector Port. This is the administration port used by OUD tools such as dsconfig.
LDAP Listener Port. Specify the port used by the OUD proxy.
LDAP Secure Access. Click Configure to enable secure access.
In the Configure Secure Access window, click to mark the "Enable SSL on Port" checkbox. Then enter a port number for LDAPS, and click OK to continue.
Root User DN. This is the identity of the server administrator.
Password. Enter a password to be used by the server administrator.
Password (confirm). Enter the password a second time to confirm.
Click Next to continue.
In the Deployment Options page, in the Configuration Option field, choose "Configure EUS (Enterprise User Security)" and click Next.
Oracle Unified Directory will be used as a proxy, and deployed in front of the LDAP server containing EUS users and groups.
On the Back-End Server Type page, choose one of the supported server types. This is the LDAP-compliant server that contains the Enterprise User Security users and groups.
Click Next to continue.
On the next page, click Add Server.
On the Add Server page, provide the following information:
Host Name. Enter the host name of the LDAP server that contains Enterprise User Security users and groups.
Protocol. If you are using Novell eDirectory, you must choose LDAPS.
For all other external directories, you can choose one of the following: LDAP, LDAPS, or [LDAP & LDAPS]. This determines how the OUD proxy will connect to the remote LDAP server.
Port Number. Enter the port number of the LDAP server that contains Enterprise User Security users and groups.
You can click Add to add another LDAP server. After you are done adding LDAP servers, click Close to continue.
Review the list on the Servers Page.
The Servers Page now lists the server or servers that contain Enterprise User Security users and groups. Click Next to continue.
On the Naming Contexts page, click to mark the checkbox beside a Base DN to choose the Base DN for a naming context.
If the table does not display a Naming Context, enter the Base DN of your remote LDAP server in the "Additional Naming Context DN" field, and click Add.
Click Next to continue.
Configure the runtime options for the server.
You can click Change to configure any specific JVM settings, or click Next to run the server with the default JVM settings.
Click Next.
In the Review page, review your settings, and click Finish.
A new instance of Oracle Unified Directory Proxy is installed, configured, and started.
Click Close.
Set the remote root DN and remote root user accounts by running the dsconfig command on the OUD Proxy as follows:
dsconfig set-workflow-element-prop \
  --element-name proxy-we1 \
  --set remote-root-dn:"cn=directory manager" \
  --set remote-root-password:******** \
  --hostname localhost \
  --port 4444 \
  --trustAll \
  --bindDN "cn=directory manager" \
  --bindPasswordFile pwd.txt \
  --no-prompt
Note:
In the preceding command, the --element-name property corresponds to the name of the proxy workflow element, which is used to connect to the external LDAP directory server.
If you configure the proxy through the oud-proxy-setup wizard, then the default name of the proxy workflow element is proxy-we1. Alternatively, if you configure the proxy through the CLI by using the dsconfig command, then the name of the workflow element is the value you provided as input in the command.
You can find the workflow element by running the dsconfig command as follows:
dsconfig -h localhost -p <administration port number> -D "cn=Directory Manager" -X -n list-workflow-elements --bindPasswordFile password.txt
You observe output similar to the following:
Workflow Element  : Type                : enabled
------------------:---------------------:--------
adminRoot         : ldif-local-backend  : true
load-bal-we1      : load-balancing      : true
proxy-we1         : proxy-ldap          : true
In the above example, if you look at the proxy-ldap type, you will find the workflow element name (proxy-we1) corresponding to it.
Set the mode for the proxy workflow element for the external LDAP-compliant directory.
By default, the configuration is set to use-client-identity mode.
Use use-client-identity mode if your external LDAP server allows anonymous access.
If you want to use the use-client-identity mode, then you must configure the external LDAP server credentials and an exclude-list.
The database usually connects with its own credentials to Oracle Unified Directory proxy server, and performs searches on the external LDAP server. When EUS is enabled, the database must use an alternate ID to bind to the external LDAP server because the database entry does not exist on the external LDAP server. The database entry is stored locally on the Oracle Unified Directory proxy server.
To use the use-client-identity mode, run the dsconfig command as follows:
dsconfig set-workflow-element-prop \
  --element-name proxy-we1 \
  --set client-cred-mode:use-client-identity \
  --add exclude-list:"cn=directory manager" \
  --add exclude-list:cn=oraclecontext,dc=example,dc=com \
  --set remote-ldap-server-bind-dn:cn=administrator,cn=users,dc=example,dc=com \
  --set remote-ldap-server-bind-password:******** \
  --hostname localhost \
  --port 4444 \
  --trustAll \
  --bindDN "cn=directory manager" \
  --bindPasswordFile pwd.txt \
  --no-prompt
In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by the remote LDAP administrator.
Important. When in use-client-identity mode, if you are integrating with Active Directory, then you must run the following command to allow anonymous login, where dc=example,dc=com is the base DN of your Active Directory server.
ldapmodify -h <ADhost> -p <AD port> -D <AD dirmgr> -w <pwd>
dn: cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=example,dc=com
changetype: modify
replace: dsHeuristics
dsHeuristics: 0000002
Use use-specific-identity mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.
If you want to change the mode setting to use-specific-identity, then you must configure the external LDAP server credentials.
To use use-specific-identity mode, run the dsconfig command as follows:
dsconfig set-workflow-element-prop \
  --element-name proxy-we1 \
  --set client-cred-mode:use-specific-identity \
  --set remote-ldap-server-bind-dn:cn=administrator,cn=users,dc=example,dc=com \
  --set remote-ldap-server-bind-password:******** \
  --hostname localhost \
  --port 4444 \
  --trustAll \
  --bindDN "cn=directory manager" \
  --bindPasswordFile pwd.txt \
  --no-prompt
In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by the remote LDAP administrator.
Connect to Oracle Unified Directory Proxy from ODSM.
Select the Home tab.
Under the Configuration section, choose "Set Up Remote EUS Naming Context."
In the "Create Remote EUS Naming Context" page, provide the following information:
Base DN. This is the suffix provided by the remote LDAP server.
Network Group. Attach the suffix to at least one network group. Select the required network group from the list.
Server Type. Select the type of LDAP server containing your users and groups from the list.
Host Name. Enter the name of the machine where the remote LDAP server is running.
Ports available. Indicate whether you want the OUD Proxy to connect to the remote LDAP server using LDAP, or LDAPS, or both LDAP and LDAPS.
Depending upon the option you chose, enter a port number for the LDAP port, the LDAPS port, or both the LDAP and LDAPS ports. This must be the port used by the remote LDAP server.
If you checked LDAPS, configure SSL to either Trust All or configure a Trust Manager.
Click Create.
Select the Configuration tab.
In the Naming Contexts list, choose the Proxy below the Naming context you just created.
In the Proxy LDAP workflow element window:
Enter a Bind DN and a Bind Password.
These must match the credentials of the remote LDAP server administrator.
Expand the Remote Root Properties, and enter a Remote Root DN and password.
These must match the credentials of the remote LDAP server administrator.
In the Credentials Mode field, set the mode for the proxy workflow element for the external LDAP-compliant directory.
Use use-specific-identity mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.
To use use-specific-identity mode:
In the Credentials Mode field, choose Use Specific Identity. Then enter the values for the Bind DN and the Bind Password. Enter the Bind Password a second time to confirm it.
Use use-client-identity mode if your external LDAP server allows anonymous access.
To use use-client-identity mode:
In the Credentials Mode field, first select Use Client Identity, and expand the Client Identity Mode Properties. Then add "cn=directory manager" and "cn=OracleContext,dc=example,dc=com" to the Exclude Bind DNs table.
Click Apply.
After Oracle Unified Directory has been configured for EUS or Oracle E-Business Suite, you must configure the naming context used to store the users and the groups by performing the following steps:
Locate the LDIF template file at install_dir/config/EUS/modifyRealm.ldif.
Edit the modifyRealm.ldif file as follows:
Replace dc=example,dc=com with the correct naming context for your server instance.
Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.
Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -f modifyRealm.ldif
Note:
Ensure that you specify the port number on which the LDAP Connection Handler listens for connections from clients (for example, 1389) and not the administration port number, which is 4444.
If you are integrating Active Directory, run the following command, replacing dc=example,dc=com with the appropriate base DN for your configuration:
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file
dn: cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
changetype: modify
replace: orclCommonNickNameAttribute
orclCommonNickNameAttribute: samaccountname
Enterprise User Security stores its configuration (also called EUS metadata) in an Oracle Context, which corresponds to a part of the Directory Information Tree. If your user entries are stored below dc=example,dc=com, then EUS is usually configured to use cn=OracleContext,dc=example,dc=com as the Oracle Context.
In this task, Oracle Net Configuration Assistant tells EUS where it should read its configuration.
To start the Oracle Net Configuration Assistant, run the netca command on the host where the database is installed.
The Oracle Net Configuration Assistant is displayed.
On the Welcome page, select "Directory Usage Configuration," and click Next.
Enter the following information in subsequent pages:
Directory Type
Select "Oracle Internet Directory" even if the LDAP server is an Oracle Virtual Directory or an Oracle Unified Directory.
Click Next.
Hostname
Enter the hostname or IP address of the server hosting your LDAP server.
Port
Enter the LDAP port number.
SSL Port
Enter the LDAPS port number.
Oracle Context
Do not select cn=OracleContext. Instead, click the arrow to display and choose the location of your OracleContext.
Oracle Net Configuration Assistant connects to the LDAP server to retrieve the available Oracle Contexts. The Enterprise User Security configuration will be stored within your OracleContext.
Click Next.
Directory usage configuration complete!
Click Next.
When the Welcome page is displayed, click Finish.
To verify that the Net Configuration Assistant has successfully created the configuration file containing the LDAP server information, run the following command:
# cat $ORACLE_HOME/network/admin/ldap.ora
# ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
# Generated by Oracle configuration tools.
DIRECTORY_SERVERS= (oudhost:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
The configuration file used by the database contains the hostname and the LDAP and LDAPS ports of the LDAP server. In this example, the information is represented as (oudhost:1389:1636). You can specify multiple servers, separated by commas, for high availability deployments.
In this example, dc=example,dc=com is the default administrative context; the Oracle Context below it (cn=OracleContext,dc=example,dc=com) is used to store the EUS configuration, also known as the EUS metadata.
Run the dbca command on the host where the database is installed.
The Database Configuration Assistant for Oracle database is displayed. Click Next, then provide the following information in the subsequent pages:
Select the operation you want to perform.
Choose "Configure Database Option," then click Next.
Database
In the list box, select the database you want to register. Then click Next.
Database Configuration Assistant determines if the database is already registered in the LDAP server.
Would you like to register this database with the directory service?
Choose "Yes, register the database." Database Configuration Assistant will create an entry for the database in the Oracle Context.
User DN
The user DN will be used to authenticate to the LDAP server.
The user DN is usually cn=directory manager, the directory manager of the OUD proxy. The user DN is also used in the add operation, which creates the database entry in the Oracle Context. The user must have write access to the LDAP server.
Password
Database Configuration Assistant creates a wallet for the database. The database entry DN and password will be stored in the wallet. When the database connects to the LDAP server, it is authenticated using the credentials stored in this wallet.
Database Components
Make no changes to this page, and click Next.
Connection Mode
Choose "Dedicated Server Mode," then click Finish.
Confirmation
Click OK to register the database.
Do you want to perform another operation?
Click No to exit the Database Configuration Assistant application.
To verify that Database Configuration Assistant successfully created a new entry for the database, run the following command, replacing orcl11g with the name of your database:
$ ldapsearch -h oudhost -p 1389 -D "cn=directory manager" -j pwd.txt -b cn=oraclecontext,dc=example,dc=com "(cn=orcl11g)"
dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
orclVersion: 112000
orclcommonrpwdattribute: {SASL -MD5}eW5+2LTPRKzFmHxmMZQmnw==
objectClass: orclApplicationEntity
objectClass: orclService
objectClass: orclDBServer_92
objectClass: orclDBServer
objectClass: top
orclServiceType: DB
orclSid: orcl11g
oracleHome: /app/oracle/product/db/product/11.2.0/dbhome_1
cn: orcl11g
orclSystemName: oudhost
userPassword: {SSHA}oNeBEqkUMtDusjXNXJPpa7qa+Yd0b9RHvA==
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oudhost)
 (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl11g)))
orclDBGLOBALNAME: orcl11g
orclNetDescName: 000:cn= DESCRIPTION_0
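To check a registration like the one above mechanically, here is an added example (not Oracle's code) that parses the ldapsearch output of the database entry and the database's ldap.ora and reports inconsistencies between them. The LDIF and ldap.ora texts embedded in it are constructed to mirror the page (password attributes omitted); the rule that the LDAP port must not be the 4444 administration port and that each server should list an LDAPS port is this example's own policy, drawn from the notes on this page.

```python
"""Consistency checks for an EUS database registration (added example, not Oracle's code)."""
import re

# Constructed sample: the registration entry as ldapsearch returns it, password attributes omitted.
LDIF_SAMPLE = """\
dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
objectClass: orclApplicationEntity
objectClass: orclService
objectClass: orclDBServer_92
objectClass: orclDBServer
objectClass: top
orclSid: orcl11g
cn: orcl11g
orclSystemName: oudhost
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oudhost)
 (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl11g)))
orclDBGLOBALNAME: orcl11g
"""

# Constructed sample ldap.ora listing two directory servers for high availability.
LDAP_ORA_SAMPLE = """\
# ldap.ora Network Configuration File (constructed sample)
DIRECTORY_SERVERS= (oudhost:1389:1636, oudhost2:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""

REQUIRED_CLASSES = {"orclapplicationentity", "orclservice", "orcldbserver", "top"}
ADMIN_PORT = 4444  # OUD administration connector port in the page's examples, never an LDAP listener

def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}, folding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:  # continuation line: its leading space is dropped
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def parse_ldap_ora(text):
    """Extract DIRECTORY_SERVERS, DEFAULT_ADMIN_CONTEXT and DIRECTORY_SERVER_TYPE from ldap.ora."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().upper()] = value.strip().strip('"')
    servers = []
    for item in params.get("DIRECTORY_SERVERS", "").strip("()").split(","):
        fields = item.strip().split(":")  # host:ldap_port[:ldaps_port]
        if len(fields) >= 2:
            ldaps_port = int(fields[2]) if len(fields) > 2 and fields[2] else None
            servers.append((fields[0], int(fields[1]), ldaps_port))
    return {"servers": servers,
            "admin_context": params.get("DEFAULT_ADMIN_CONTEXT", ""),
            "server_type": params.get("DIRECTORY_SERVER_TYPE", "")}

def check_registration(ldif_text, ldap_ora_text):
    """Return a list of findings; an empty list means the registration looks consistent."""
    entry = parse_ldif_entry(ldif_text)
    ora = parse_ldap_ora(ldap_ora_text)
    findings = []
    # The entry must sit under cn=OracleContext,<DEFAULT_ADMIN_CONTEXT>, or the database reads its
    # EUS metadata from a different Oracle Context than the one it is registered in.
    dn = normalize_dn(entry.get("dn", [""])[0])
    expected_parent = normalize_dn("cn=OracleContext," + ora["admin_context"])
    if not dn.endswith("," + expected_parent):
        findings.append("entry %s is not below %s (check DEFAULT_ADMIN_CONTEXT)" % (dn, expected_parent))
    missing = REQUIRED_CLASSES - {c.lower() for c in entry.get("objectclass", [])}
    if missing:
        findings.append("missing objectClass values: " + ", ".join(sorted(missing)))
    if entry.get("orclsid", [""])[0] != entry.get("cn", [""])[0]:
        findings.append("orclSid does not match cn")
    desc = entry.get("orclnetdescstring", [""])[0]
    if not all(re.search(r"\(%s=[^)]+\)" % key, desc) for key in ("HOST", "PORT", "SERVICE_NAME")):
        findings.append("orclNetDescString lacks HOST, PORT or SERVICE_NAME")
    # ldap.ora side: the type is always OID (even for OUD); each server needs the LDAP listener port
    # (not the administration port) and an LDAPS port so binds are not sent in the clear.
    if ora["server_type"].upper() != "OID":
        findings.append("DIRECTORY_SERVER_TYPE must be OID, got %r" % ora["server_type"])
    for host, ldap_port, ldaps_port in ora["servers"]:
        if ldap_port == ADMIN_PORT:
            findings.append("%s: %d is the OUD administration port, not the LDAP listener" % (host, ldap_port))
        if ldaps_port is None:
            findings.append("%s: no LDAPS port, directory traffic would be unprotected" % host)
    return findings

if __name__ == "__main__":
    print(check_registration(LDIF_SAMPLE, LDAP_ORA_SAMPLE) or "registration looks consistent")
```

Feed it the real ldapsearch output and ldap.ora of your own database to get the same findings for your deployment.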
Use Oracle Enterprise Manager to complete the steps in this task.
Run the following SQL commands:
SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
User created.
SQL> GRANT CONNECT TO global_ident_schema_user;
Grant succeeded.
In a web browser, connect to Enterprise Manager. For example:
https://localhost:1158/em
Provide the following information:
User Name. Enter the name of a user who is authorized to administer the database.
Password. Enter the administrator password.
Connect As. Choose SYSDBA.
Click Login.
Click the Server tab.
On the Server tab, in the Security section, click Enterprise User Security.
In the "Oracle Internet Directory Login: Enterprise User Security" page, provide the following information:
User. Enter the username of a user, for example cn=directory manager, who has write access to the Oracle Context.
Password. Enter the password for the same user.
Click Login.
On the Enterprise User Security page, click Manage Enterprise Domains.
An Enterprise Domain can contain one or more databases. The settings for an Enterprise Domain apply to all databases it contains.
On the Manage Enterprise Domains page, select the domain you want to configure, then click Configure.
On the Configure Domain page, click "User - Schema Mappings."
On the User - Schema Mappings page, click Create.
To create a domain-schema mapping, on the New Mapping page provide the following information:
From
You can associate a global schema to all the users in a given subtree, or to a given user.
To associate a global schema to all users in a given subtree:
1. Choose Subtree, then click the flashlight icon to search for available subtrees.
2. In the Select User page, select a subtree. Enterprise users below the DN you select will be mapped to the same global schema.
3. Click Select.
To associate a global schema to a given user:
1. Choose User Name, then click the flashlight icon to search for available users.
2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema.
3. Click Select.
To
In the Schema field, enter the name of the global schema. For example: global_ident_schema_user.
Click Continue.
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.
For this example, a role named hr_access is created. The role grants read access to the table hr.employees.
To create a role in the database:
SQL> CREATE ROLE hr_access IDENTIFIED GLOBALLY;
Role created.
SQL> GRANT SELECT ON hr.employees TO hr_access;
Grant succeeded.
For more information, see the Oracle Database documentation.
To create a new role in a domain, On the Manage Enterprise Domains page, select the domain in which you want to create the role, then click Configure.
On the Configure Domain page, click Enterprise Roles. Click Create.
On the Create Enterprise Role page, provide the following information:
In the Name field, provide a name for your enterprise role.
In the DB Global Roles tab, click Add.
On the "Search And Select: Database Global Roles" page, provide the following information:
Database. Choose a database from the drop-down list.
User Name. Enterprise Manager will retrieve the available roles from the database. Enter the username of an administrator, such as SYS AS SYSDBA, who is authorized to access the roles.
Password. Enter the administrator password.
Click Go.
In the "Search and Select: Database Global Roles" page, choose the global role you want to grant to Enterprise Users.
Click Select.
In the Create Enterprise Role page, select the Enterprise user or groups to which you will grant the Enterprise Role, then click the Grantees tab.
On the Grantees tab, to select Enterprise users or groups click Add.
In the "Select: Users and Groups" page, click Go. Enterprise Manager retrieves available Users and Groups.
View. You can search for users or groups.
Search Base. Enterprise Manager begins the search at this DN.
Name. Enter a string here to narrow down the search. For example, if you want to find a user whose name starts with jo, enter jo and click Go.
A table displays relevant entries. From the list, select the users and groups to which you want to grant the Enterprise Role, then click Select.
Click Continue.
In the Configure Domain page, click OK to continue.
In the Edit Enterprise Role page, click Continue.
In the Configure Domain page, click OK.
After the role has been successfully created, click Configure.
To define a proxy permission on user SH, run the following command:
SQL> ALTER USER SH GRANT CONNECT THROUGH ENTERPRISE USERS;
User altered.
This command defines a proxy permission on user SH.
On the Configure Domain Information page, select the domain you want to configure, then click Configure.
On the Configure Domain page, click Proxy Permissions.
To create a new Proxy Permission, on the Proxy Permissions tab click Create.
On the Create Proxy Permission page, in the Name field, provide a name for your Proxy Permission.
On the Target DB Users tab, click Add.
On the "Search And Select: Database Target Users" page, provide the following information:
Database. Choose the database from the drop-down list.
User Name. Enter the username of an administrator, for example SYS AS SYSDBA, who is authorized to access the users.
Password. Enter the administrator password.
Click Go.
Enterprise Manager retrieves the available target users from the database.
In the Search and Select page, select the target user for the proxy permission, then click Select.
In the Create Proxy Permission page, click the Grantees tab.
On the Grantees tab, click Add.
On the Select Users and Groups page, click Go. Enterprise Manager retrieves available Enterprise Users.
In the Select: Users and Groups page, select the users to be granted Proxy Permission. Then click Select to continue.
On the Create Proxy Permission page, click Continue.
On the Configure Domain page, click OK to continue.
On the Enterprise User Security page, click Manage Databases.
On the Manage Databases page, select the database you want to configure, and click Configure.
On the Configure Database page, click "User - Schema Mappings" tab.
On the "User - Schema Mappings" page, click Create.
To create a domain-schema mapping, on the New Mapping page provide the following information:
From
You can associate a global schema to all the users in a given subtree, or to a given user.
To associate a global schema to all users in a given subtree:
1. Choose Subtree, then click the flashlight icon to search for available subtrees.
2. In the Select User page, select a subtree. Enterprise users below the DN you select will be mapped to the same global schema.
3. Click Select.
To associate a global schema to a given user:
1. Choose User Name, then click the flashlight icon to search for available users.
2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema.
3. Click Select.
To
In the Schema field, enter the name of the global schema. For example: global_ident_schema_user.
Click Continue.
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.
At this point Enterprise User Security contains the following configurations:
A user-schema mapping granting a global schema to all users below dc=example,dc=com
An Enterprise Role granting HR_ACCESS to uid=user.0,ou=people,dc=example,dc=com
A Proxy Permission allowing uid=user.1,ou=people,dc=example,dc=com to proxy user SH.
To test the database configurations:
Run sqlplus to connect to the database with user.0 credentials.
In the following example, SQL*Plus prompts for the user password. The administrator provides the password configured for uid=user.0,ou=people,dc=example,dc=com in the LDAP server.
# sqlplus user.0
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from session_roles;
Role
-------------------------------
CONNECT
HR_ACCESS
SQL>
In this example, the following are indications that the database is configured properly for users such as user.0.
The line that starts with Connected to: indicates that authentication succeeded.
The line that begins with SQL> select * from session_roles; lets the administrator check the roles granted to the Enterprise User.
The database role HR_ACCESS is granted through the Enterprise Role.
Run sqlplus to connect to the database with user.1 credentials.
In the following example, SQL*Plus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.
# sqlplus user.1
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from session_roles;
Role
-------------------------------
CONNECT
SQL>
In this example, the following are indications that the database is configured properly for users such as user.1.
The line that starts with Connected to: indicates that authentication succeeded.
The line that begins with SQL> select * from session_roles; lets the administrator check the roles granted to the Enterprise User.
The only database role is CONNECT, and it is granted through the Global Schema.
Run sqlplus to connect to the database with user.1 credentials using a proxy permission as user SH.
In the following example, SQL*Plus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.
# sqlplus user.1[sh]
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from session_roles;
Role
-------------------------------
RESOURCE
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
CWM_USER
SQL>
In this example, the following are indications that the database is configured properly for users such as user.1.
The line that starts with Connected to: indicates that authentication succeeded.
The line that begins with SQL> select * from session_roles; lets the currently logged-in user check the roles granted to them.
The user user.1 inherits user SH's roles through the proxy authentication.
The following are common configurations that are beyond the basic integration of Oracle Unified Directory and Enterprise User Security:
If your users and groups are stored in multiple domains, you must configure OUD to support multiple EUS domains. For example, a single OUD instance contains two EUS domains. One EUS domain stores user entries in Active Directory below cn=users,dc=ad1,dc=com. A second EUS domain stores user entries in a different Active Directory instance below cn=users,dc=ad2,dc=com. You must configure OUD to support each EUS domain.
To configure OUD to support multiple EUS domains:
1. Configure OUD as if the primary domain is the single domain containing all your users and groups. In this example, the primary domain is dc=ad1,dc=com.
   Complete the tasks in Section 31.3.2, "Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security."
2. Configure the secondary domain. In this example, the secondary domain is dc=ad2,dc=com.
   For this secondary domain, complete the steps in Section 31.3.2.1, "Task 1: Configure User Identities in the External LDAP Directory."
3. Create a new naming context for the EUS domain, which is dc=ad2,dc=com in this example.
   Complete the steps in Section 31.3.2.2.3, "Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using ODSM."
4. Update the Oracle context with the new naming context.
   a. Create an LDIF file. In the following myconfig.ldif example, make the following substitutions:
      Replace dc=ad1,dc=com with the DN of your first domain.
      Replace the orclcommonusersearchbase value with the users location in the secondary domain.
      Replace the orclcommongroupsearchbase value with the groups location in the secondary domain.

      dn: cn=Common,cn=Products,cn=OracleContext,dc=ad1,dc=com
      changetype: modify
      add: orclcommonusersearchbase
      orclcommonusersearchbase: cn=users,dc=ad2,dc=com
      -
      add: orclcommongroupsearchbase
      orclcommongroupsearchbase: cn=groups,dc=ad2,dc=com

   b. Update the OUD configuration using the LDIF file you created in step 4a:

      ldapmodify -h oudhost -p 1389 -D "cn=directory manager" -w password -f myconfig.ldif
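The myconfig.ldif step above adds two attributes to the Oracle Context in one modify operation. The following Python is an added example, not part of the Oracle documentation or the OUD tools: it builds that LDIF for any number of secondary domains, with the "-" separators that LDIF (RFC 2849) requires between attribute changes, and checks that every new search base lies under a naming context the proxy already serves, which is what step 3 is for. All domain names and naming contexts below are constructed sample values; build_eus_domain_ldif and missing_naming_contexts are this example's own names.

```python
"""Generate the Oracle Context update for additional EUS domains and check
that the proxy already has a naming context covering each new search base.
Added example; the DNs below are constructed sample values."""


def _normalize_dn(dn):
    # Lower-case and strip whitespace around RDN components so that
    # "cn=Users, dc=AD2, dc=com" and "cn=users,dc=ad2,dc=com" compare equal.
    return ",".join(part.strip().lower() for part in dn.split(","))


def _is_under(dn, suffix):
    # True when dn is the suffix itself or lies somewhere below it.
    dn, suffix = _normalize_dn(dn), _normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def build_eus_domain_ldif(primary_base_dn, secondary_domains):
    """Return LDIF that adds user/group search bases for each secondary domain.

    primary_base_dn   : base DN of the primary EUS domain, e.g. dc=ad1,dc=com
    secondary_domains : list of (user_search_base, group_search_base) tuples
    """
    if not secondary_domains:
        raise ValueError("at least one secondary domain is required")
    user_bases = [u for u, _ in secondary_domains]
    group_bases = [g for _, g in secondary_domains]
    lines = [
        "dn: cn=Common,cn=Products,cn=OracleContext,%s" % primary_base_dn,
        "changetype: modify",
        "add: orclcommonusersearchbase",
    ]
    lines += ["orclcommonusersearchbase: %s" % u for u in user_bases]
    lines.append("-")  # each mod-spec of a changetype: modify ends with "-"
    lines.append("add: orclcommongroupsearchbase")
    lines += ["orclcommongroupsearchbase: %s" % g for g in group_bases]
    lines.append("-")
    return "\n".join(lines) + "\n"


def missing_naming_contexts(naming_contexts, secondary_domains):
    """Return the search bases that none of the given naming contexts covers.

    A non-empty result means the naming context of step 3 has not been
    created for that domain yet, so the database's searches would fail."""
    missing = []
    for user_base, group_base in secondary_domains:
        for search_base in (user_base, group_base):
            if not any(_is_under(search_base, nc) for nc in naming_contexts):
                missing.append(search_base)
    return missing


if __name__ == "__main__":
    # Constructed sample: one primary and two secondary domains.
    domains = [("cn=users,dc=ad2,dc=com", "cn=groups,dc=ad2,dc=com"),
               ("cn=users,dc=ad3,dc=com", "cn=groups,dc=ad3,dc=com")]
    print(build_eus_domain_ldif("dc=ad1,dc=com", domains))
    print("not covered:", missing_naming_contexts(["dc=ad1,dc=com", "dc=ad2,dc=com"], domains))
```

Feed the generated text to ldapmodify with -f exactly as in step 4b; run missing_naming_contexts against the namingContexts values from a root DSE search first, since a search base outside every naming context is the usual reason a second domain silently fails to resolve users.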
You can achieve high availability among two or more OUD instances that have been integrated with Enterprise User Security. First, integrate OUD with Enterprise User Security. Then configure replication among the integrated OUD instances. Once configured, replication takes place among Enterprise User Security metadata (in either directory server or directory proxy) and the OUD server users and groups.
Configuring an integrated OUD LDAP server for replication is exactly the same as configuring an integrated OUD Proxy server with one exception: the list of suffixes to be replicated is different.
When an integrated OUD instance is configured as an LDAP server, the following suffixes are replicated:
cn=oraclecontext
cn=oraclecontext,dc=example,dc=com
dc=example,dc=com
When an integrated OUD instance is configured as a Proxy server, the following suffixes are replicated:
cn=oraclecontext
cn=oraclecontext,dc=example,dc=com
Note: If you are using Oracle Data Guard or Oracle Real Application Clusters or high availability, each database instance must be configured using NetCA and DBCA.
To configure OUD-EUS integrated instances for high availability:
1. Enable the first Oracle Unified Directory instance and Oracle Enterprise User Security to work together.
   If the first OUD instance is a directory server, then complete the tasks in Section 31.3.1, "Configuring Oracle Directory Server as a Directory for Enterprise User Security."
   If the first OUD instance is a directory proxy, then complete the tasks in Section 31.3.2, "Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security."
2. Enable the second Oracle Unified Directory instance and Oracle Enterprise User Security to work together.
   If the second OUD instance is configured as an LDAP server, then complete the tasks in Section 31.3.1, "Configuring Oracle Directory Server as a Directory for Enterprise User Security."
   If the second OUD instance is configured as a Proxy, then complete the tasks in Section 31.3.2, "Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security."
3. Enable replication between the first OUD instance and the second OUD instance.
   If the OUD instance is an LDAP server, then run this command:

   # dsreplication enable --host1 oud-proxy-source --port1 4444 \
     --bindDN1 "cn=Directory Manager" --bindPasswordFile1 /tmp/pwd1.txt \
     --replicationPort1 repl1 \
     --host2 oud-proxy-dest --port2 4444 \
     --bindDN2 "cn=Directory Manager" --bindPasswordFile2 /tmp/pwd2.txt \
     --replicationPort2 repl2 \
     --adminUID admin --adminPasswordFile /tmp/pwd3.txt \
     --baseDN "cn=OracleContext,dc=example,dc=com" --baseDN "cn=OracleContext" \
     --baseDN "dc=example,dc=com" -X -n

   If the OUD instance is a directory proxy, then run this command:

   # dsreplication enable --host1 oud-proxy-source --port1 4444 \
     --bindDN1 "cn=Directory Manager" --bindPasswordFile1 /tmp/pwd1.txt \
     --replicationPort1 repl1 \
     --host2 oud-proxy-dest --port2 4444 \
     --bindDN2 "cn=Directory Manager" --bindPasswordFile2 /tmp/pwd2.txt \
     --replicationPort2 repl2 \
     --adminUID admin --adminPasswordFile /tmp/pwd3.txt \
     --baseDN "cn=OracleContext,dc=example,dc=com" --baseDN "cn=OracleContext" -X -n

   Note: In the directory proxy example, the --baseDN "dc=example,dc=com" option is not included.
   Replication is now enabled in the first OUD instance (from step 1), and in the second OUD instance (from step 2).
4. Initialize replication. For example:
   If the OUD instance is a directory server, then run this command:

   dsreplication initialize --baseDN "cn=OracleContext,dc=example,dc=com" \
     --baseDN "cn=OracleContext" --baseDN "dc=example,dc=com" \
     --adminUID admin --adminPasswordFile /tmp/pwd3.txt \
     --hostSource <oud-proxy-source> --portSource 4444 \
     --hostDestination <oud-proxy-dest> --portDestination 4444 -X -n

   If the OUD instance is a directory proxy, then run this command:

   dsreplication initialize --baseDN "cn=OracleContext,dc=example,dc=com" \
     --baseDN "cn=OracleContext" \
     --adminUID admin --adminPasswordFile /tmp/pwd3.txt \
     --hostSource <oud-proxy-source> --portSource 4444 \
     --hostDestination <oud-proxy-dest> --portDestination 4444 -X -n

   Note: In the directory proxy example, the --baseDN "dc=example,dc=com" option is not included.
   Both OUD instances now contain the same data. For more information, see Section 32.6, "Initializing a Replicated Server With Data."
5. Declare both OUD instances in the Database ldap.ora configuration file.

   # ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
   # Generated by Oracle configuration tools.
   DIRECTORY_SERVERS= (oudhost1:1389:1636,oudhost2:1389:1636)
   DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
   DIRECTORY_SERVER_TYPE = OID
Password policies are a set of rules that apply to all user passwords in an identity management realm. Password policies include settings for password complexity, minimum password length, and so forth. They also include account lockout and password expiration settings.
The database communicates with Oracle Unified Directory and requests the Oracle Unified Directory to report any password policy violations. If the database gets a policy violation response from Oracle Unified Directory, then it displays the appropriate warning or error message to the user. The following table summarizes password warnings and their meanings.
Warning Condition | Message Example
---|---
The user password is about to expire. The message indicates the number of days left for the user to change his or her password. | SQL> connect joe/Admin123 ERROR: ORA-28055: the password will expire within 1 days Connected.
The password has expired; the message informs the user about the number of grace logins that remain. | SQL> connect joe/Admin123 ERROR: ORA-28054: the password has expired. 1 Grace logins are left Connected.
The user password has expired and the user does not have any grace logins left. | SQL> connect joe/Admin123 ERROR: ORA-28049: the password has expired
The user account has been locked due to repeated failed attempts at login. | SQL> connect joe/Admin123 ERROR: ORA-28051: the account is locked
The user account has been disabled by the administrator. | SQL> connect joe/Admin123 ERROR: ORA-28052: the account is disabled
The user account is inactive. | SQL> connect joe/Admin123 ERROR: ORA-28053: the account is inactive
Enterprise user login attempts to the database update the user account status in Oracle Unified Directory or any supported external LDAP-compliant directory. For example, consecutive failed login attempts to the database result in the account getting locked in the directory, as per the directory's password policy.
This section suggests solutions to issues you may encounter after integrating OUD and Enterprise User Security. Troubleshooting tips are grouped in the following categories:
Net Configuration Assistant (NetCA) Tool Problems and Solutions
Database Configuration Assistant (DBCA) Problems and Solutions
If the NetCA fails to connect to the directory then the Oracle Net Configuration Assistant screen displays the following error message:
To resolve this error, verify that the host name and port number are correct by running the following command on the command line:
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b "" -s base "(objectclass=*)"
dn:
objectClass: top
objectClass: ds-root-dse

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X -b "" -s base "(objectclass=*)"
dn:
objectClass: top
objectClass: ds-root-dse
If the required schema is not available or the version number is incorrect then the Oracle Net Configuration Assistant screen displays the following error message:
To resolve this error, ensure that you can access Oracle Unified Directory anonymously and that it contains the cn=subschemasubentry entry:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X -b cn=subschemasubentry -s base "(objectclass=*)"
dn: cn=subschemasubentry
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
If the Oracle Unified Directory is not enabled for Enterprise User Security, then the cn=subschemasubentry entry will not be available. To enable Enterprise User Security, see "Setting up the Directory Server by Using the GUI" in Installing Oracle Unified Directory.
If cn=subschemasubentry is not accessible anonymously, then ensure that the following ACI is defined in the Oracle Unified Directory as a global ACI:
(target="ldap:///cn=subschemasubentry")(targetscope="base")
(targetattr="objectClass||attributeTypes||dITContentRules||dITStructureRules||ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses")
(version 3.0; acl "User-Visible SubSchemaSubentry Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
For more information, see Section 28.1, "Managing Global ACIs Using dsconfig".
If the cn=OracleContext and cn=OracleContext,<your baseDN> naming contexts are not available, then the Oracle Net Configuration Assistant screen displays an error message.
To resolve this error, complete the following:
Verify if the baseDN is available, by running the following command on the command line:
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X -b "" -s base "(objectclass=*)" namingContexts
dn:
namingContexts: cn=OracleContext
namingContexts: cn=OracleSchemaVersion
namingContexts: dc=eusovd,dc=com
As shown above, ensure that there are three available naming contexts. If the base DN is missing then you must enable Enterprise User Security, as described in "Setting up the Directory Server by Using the GUI" in the Installing Oracle Unified Directory.
Verify if the baseDN contains the Oracle context by running the following command on the command line:
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X -b "" "(objectclass=orclcontext)"
dn: cn=OracleContext
orclVersion: 90600
cn: OracleContext
objectClass: orclContext
objectClass: orclContextAux82
objectClass: top
objectClass: orclRootContext

dn: cn=OracleContext,dc=eusovd,dc=com
orclVersion: 90600
cn: OracleContext
objectClass: orclContext
objectClass: orclContextAux82
objectClass: top
Note: The NetCA performs the search anonymously. If the Oracle Unified Directory is configured to refuse anonymous searches, or the ACIs restrict access to cn=OracleContext,<baseDN>, then the NetCA will not be able to find the Oracle Context.
After the NetCA configuration is complete, it creates an ldap.ora file in the $ORACLE_HOME/network/admin directory (UNIX) or the ORACLE_HOME\network\admin directory (Windows). Ensure that it includes the following parameters:

DIRECTORY_SERVERS= (oudhost:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=eusovd,dc=com"
DIRECTORY_SERVER_TYPE = OID
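The two ldapsearch checks above (three naming contexts in the root DSE, and an orclContext entry both at cn=OracleContext and under the base DN) are simple to run but easy to misread across several servers. The following Python is an added example, not part of the Oracle documentation or the OUD tools: it parses the LDIF that ldapsearch prints and reports exactly which expected naming contexts or Oracle Context entries are absent. The embedded output is constructed to match the results shown above for base DN dc=eusovd,dc=com; parse_ldif, check_naming_contexts and check_oracle_contexts are this example's own names.

```python
"""Verify NetCA prerequisites from captured ldapsearch output.
Added example; the sample outputs below are constructed, not captured from a
live server."""

# Constructed sample: root DSE search for namingContexts (as shown above).
ROOT_DSE_OUTPUT = """\
dn:
namingContexts: cn=OracleContext
namingContexts: cn=OracleSchemaVersion
namingContexts: dc=eusovd,dc=com
"""

# Constructed sample: "(objectclass=orclcontext)" search (as shown above).
ORCLCONTEXT_OUTPUT = """\
dn: cn=OracleContext
orclVersion: 90600
cn: OracleContext
objectClass: orclContext
objectClass: orclContextAux82
objectClass: top
objectClass: orclRootContext

dn: cn=OracleContext,dc=eusovd,dc=com
orclVersion: 90600
cn: OracleContext
objectClass: orclContext
objectClass: orclContextAux82
objectClass: top
"""


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts.
    Attribute names are lower-cased. Line folding and base64 (::) values are
    not handled; the searches above never produce them."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":                # "dn:" starts a new entry
            current = {}
        if current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    # Case-insensitive, whitespace-insensitive comparison of DNs.
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_naming_contexts(root_dse_output, base_dn):
    """Return the naming contexts NetCA needs that the root DSE does not list."""
    present = {normalize_dn(v)
               for entry in parse_ldif(root_dse_output)
               for v in entry.get("namingcontexts", [])}
    required = ["cn=OracleContext", "cn=OracleSchemaVersion", base_dn]
    return [r for r in required if normalize_dn(r) not in present]


def check_oracle_contexts(orclcontext_output, base_dn):
    """Return the orclContext entries (root and per base DN) that are missing."""
    found = set()
    for entry in parse_ldif(orclcontext_output):
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if "orclcontext" in classes:
            found.add(normalize_dn(entry["dn"][0]))
    required = ["cn=OracleContext", "cn=OracleContext,%s" % base_dn]
    return [r for r in required if normalize_dn(r) not in found]


def netca_directory_ready(root_dse_output, orclcontext_output, base_dn):
    """True when both checks pass, i.e. NetCA should find the Oracle Context."""
    return (not check_naming_contexts(root_dse_output, base_dn)
            and not check_oracle_contexts(orclcontext_output, base_dn))


if __name__ == "__main__":
    base = "dc=eusovd,dc=com"
    print("missing naming contexts:", check_naming_contexts(ROOT_DSE_OUTPUT, base))
    print("missing Oracle contexts:", check_oracle_contexts(ORCLCONTEXT_OUTPUT, base))
    print("ready for NetCA:", netca_directory_ready(ROOT_DSE_OUTPUT, ORCLCONTEXT_OUTPUT, base))
```

Run the two ldapsearch commands without a bind DN, exactly as NetCA does, and pass their output in: a check that passes only with an authenticated bind points at the anonymous-access ACI problem described in the note above rather than at missing data.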
TNS-04409 error / TNS-04427: SSL access to the Directory Server
TNS-04411 error when registering the DB with a user different from cn=directory manager
This error message appears if SSL is not enabled for Oracle Unified Directory.
To resolve this error, check if SSL is enabled for Oracle Unified Directory by running the following command on the command line:
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X -b "" -s base "(objectclass=*)"
dn:
objectClass: top
objectClass: ds-root-dse

For more information, see Chapter 26, "Configuring Security Between Clients and Servers."
This error message appears if the suffixes are not available.
To resolve this error, ensure that the suffixes are created, as described in "Setting up the Directory Server by Using the GUI" in the Installing Oracle Unified Directory.
This error message appears if you specify a user name other than cn=directory manager during database registration.
To resolve this error, ensure that the user has the password reset privilege, and that one of the following groups lists the user in its uniqueMember attribute:
cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com
Run the following command on the command line:

$ OracleUnifiedDirectory/bin/ldapmodify -h $LDAPSERVER -p $LDAPPORT -D $DN -w $PWD
dn: cn=newadmin,ou=people,dc=eusovd,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

Processing MODIFY request for cn=newadmin,ou=people,dc=eusovd,dc=com
MODIFY operation successful for DN cn=newadmin,ou=people,dc=eusovd,dc=com
dn: cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=newadmin,ou=people,dc=eusovd,dc=com

Processing MODIFY request for cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com
MODIFY operation successful for DN cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com
dn: cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=newadmin,ou=people,dc=eusovd,dc=com

Processing MODIFY request for cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
MODIFY operation successful for DN cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
This error message appears if the Oracle Unified Directory password validator does not accept the password that DBCA creates for the database entry (for example, if the validator requires a minimum password length of 10 characters).
To resolve this error, you must complete the following:
Disable the password validator by running the following command on the command line:

$ OracleUnifiedDirectory/bin/dsconfig -h $LDAPSERVER -p $ADMINPORT \
  -D $DN -j pwd.txt set-password-policy-prop \
  --policy-name Default\ Password\ Policy --reset password-validator \
  --trustAll --no-prompt

Run the dbca command.
Enable the password validator by running the following command on the command line:

$ OracleUnifiedDirectory/bin/dsconfig -h $LDAPSERVER -p $ADMINPORT \
  -D $DN -j pwd.txt set-password-policy-prop \
  --policy-name Default\ Password\ Policy \
  --set password-validator:Length-Based\ Password\ Validator \
  --trustAll --no-prompt
ORA-28030: Server encountered problems accessing LDAP directory service
ORA-28274: No ORACLE password attribute corresponding to user nickname exists
This error message appears if there is a problem with the connection between the database and the directory.
To resolve this issue, do the following:
Check that the database wallet has auto-login enabled. Either use Oracle Wallet Manager or check that there is a cwallet.sso file in $ORACLE_HOME/admin/<ORACLE_SID>/wallet/.
Check the DN and password of the user entry by running the following commands:
$ mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -viewEntry ORACLE.SECURITY.DN
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: ********
ORACLE.SECURITY.DN = cn=orcl11gr2,cn=OracleContext,dc=eusovd,dc=com

$ mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -viewEntry ORACLE.SECURITY.PASSWORD
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password: ********
ORACLE.SECURITY.PASSWORD = zQ7v4ek3
Check that the database can connect to the directory server using the following command:
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b cn=common,cn=products,cn=oraclecontext,$BASEDN "(objectclass=*)" \
  orclcommonusersearchbase orclcommongroupsearchbase orclcommonnicknameattribute orclcommonnamingattribute
dn: cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
orclcommonusersearchbase: ou=people,dc=eusovd,dc=com
orclcommongroupsearchbase: ou=groups,dc=eusovd,dc=com
orclcommonnicknameattribute: uid
orclcommonnamingattribute: cn
If the connection to the directory server fails, then you must do the following:
Ensure that the database entry exists in the Directory Server.
Ensure that the database entry contains a password in the orclcommonrpwdattribute attribute, by running the following command:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b cn=oraclecontext,$BASEDN -s one "(objectclass=orcldbserver)" orclcommonrpwdattribute
dn: cn=orcl11gr2,cn=OracleContext,dc=eusovd,dc=com
orclcommonrpwdattribute: {SASL-MD5}KvIVAyYahxnHWdlfN649Kw==
If the entry is missing or does not contain a password then you must use DBCA, as described in Task 4: Register the Database in the LDAP Server.
This error message appears if an invalid username or password is provided.
To resolve this error, specify the correct username and password.
Check the Enterprise User Security configuration by running the following command:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b \
  cn=common,cn=products,cn=oraclecontext,$BASEDN \
  "(objectclass=*)" orclcommonusersearchbase \
  orclcommongroupsearchbase orclcommonnicknameattribute orclcommonnamingattribute
dn: cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
orclcommonusersearchbase: ou=people,dc=eusovd,dc=com
orclcommongroupsearchbase: ou=groups,dc=eusovd,dc=com
orclcommonnicknameattribute: uid
orclcommonnamingattribute: cn
After Oracle Unified Directory has been configured for EUS, the user and group container locations are stored in the attributes orclcommonusersearchbase and orclcommongroupsearchbase.
The username provided to sqlplus must correspond to the value of orclcommonnicknameattribute in the user entry. For example, if you connect sqlplus using the values joe/password and orclcommonnicknameattribute=uid, then the database will look for an entry containing the attribute uid=joe.
The user entry DN must start with orclcommonnamingattribute. For example, if orclcommonnamingattribute=cn, the user entry must be cn=joe,<orclcommonusersearchbase>.
Ensure that there is a user entry in the user container that matches the username provided in sqlplus. The entry must have the inetorgperson objectclass and contain the attribute defined in orclcommonnicknameattribute:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN "(uid=joe)"
dn: cn=joe,ou=people,dc=eusovd,dc=com
userPassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: top
uid: joe
cn: joe
sn: joe
Ensure that you have created the user-schema mapping, as described in "Mapping Enterprise Users to the Shared Schema" in the Oracle Database Enterprise User Security Administrator's Guide.
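The three rules above (nickname attribute match under orclcommonusersearchbase, the inetorgperson object class, and a DN that starts with orclcommonnamingattribute) are what separates a user the database finds from an ORA-28274. The following Python is an added example, not Oracle's code: it applies those rules to constructed sample entries and reports which rule rejects a login name, so the failing entry can be fixed rather than guessed at. EUS_CONFIG, ENTRIES and resolve_enterprise_user are this example's own constructed values and names; the entries are not a real directory export.

```python
"""Reproduce the database's enterprise-user lookup to explain an ORA-28274.
Added example; configuration values and entries are constructed samples."""

# Constructed sample of the cn=Common,cn=Products,cn=OracleContext,<base> attributes.
EUS_CONFIG = {
    "orclcommonusersearchbase": "ou=people,dc=eusovd,dc=com",
    "orclcommongroupsearchbase": "ou=groups,dc=eusovd,dc=com",
    "orclcommonnicknameattribute": "uid",
    "orclcommonnamingattribute": "cn",
}

# Constructed sample directory entries (DN -> attributes), each built to
# exercise one of the checks below.
ENTRIES = {
    # Correct: cn= DN under ou=people, inetorgperson, uid=joe.
    "cn=joe,ou=people,dc=eusovd,dc=com": {
        "objectclass": ["person", "organizationalPerson", "inetorgperson", "top"],
        "uid": ["joe"], "cn": ["joe"], "sn": ["joe"],
    },
    # Wrong naming attribute: DN starts with uid= while the config says cn=.
    "uid=ann,ou=people,dc=eusovd,dc=com": {
        "objectclass": ["inetorgperson", "top"], "uid": ["ann"], "cn": ["Ann"],
    },
    # Outside orclcommonusersearchbase: the database never sees it.
    "cn=bob,ou=contractors,dc=eusovd,dc=com": {
        "objectclass": ["inetorgperson", "top"], "uid": ["bob"], "cn": ["bob"],
    },
    # Right container and DN shape, but not an inetorgperson.
    "cn=svc1,ou=people,dc=eusovd,dc=com": {
        "objectclass": ["account", "top"], "uid": ["svc1"], "cn": ["svc1"],
    },
}


def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def _under(dn, base):
    dn, base = _norm(dn), _norm(base)
    return dn == base or dn.endswith("," + base)


def resolve_enterprise_user(login_name, config, entries):
    """Return (dn, None) when login_name maps to a usable enterprise user entry,
    otherwise (None, reason) naming the rule that failed."""
    nick = config["orclcommonnicknameattribute"].lower()
    naming = config["orclcommonnamingattribute"].lower()
    base = config["orclcommonusersearchbase"]

    # Rule 1: (nick=login_name) searched below orclcommonusersearchbase.
    candidates = [
        dn for dn, attrs in entries.items()
        if _under(dn, base)
        and login_name.lower() in (v.lower() for v in attrs.get(nick, []))
    ]
    if not candidates:
        return None, "no entry with %s=%s under %s" % (nick, login_name, base)
    if len(candidates) > 1:
        return None, "ambiguous: %d entries match %s=%s" % (len(candidates), nick, login_name)
    dn = candidates[0]
    attrs = entries[dn]

    # Rule 2: the entry must be an inetorgperson.
    if "inetorgperson" not in (oc.lower() for oc in attrs.get("objectclass", [])):
        return None, "%s lacks the inetorgperson object class" % dn

    # Rule 3: the DN must begin with orclcommonnamingattribute.
    if not _norm(dn).startswith(naming + "="):
        return None, "%s does not start with orclcommonnamingattribute %s=" % (dn, naming)
    return dn, None


if __name__ == "__main__":
    for name in ("joe", "ann", "bob", "svc1", "nobody"):
        print(name, "->", resolve_enterprise_user(name, EUS_CONFIG, ENTRIES))
```

Replace EUS_CONFIG with the four values returned by the ldapsearch above and ENTRIES with the user entries from the user container; a "no entry" result for a user you can see with an administrative bind usually means the container is outside orclcommonusersearchbase or the nickname attribute is not uid.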
This error message appears when the database finds a corresponding user but cannot compare its password with the password supplied to SQL*Plus.
To resolve this issue, do the following:
Ensure that the database entry has the required ACI to read the entry's authpassword and orclguid attributes:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN "(uid=joe)" authpassword orclguid
dn: cn=joe,ou=people,dc=eusovd,dc=com
authpassword;orclcommonpwd: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
orclguid: 6458c6945c0a48be92ab35cf71859210
If the database cannot read the entry, check that the following ACIs are defined in your OUD server as global-acis (they are added automatically by oud-setup when EUS is selected):
(target="ldap:///dc=eusovd,dc=com")(targetattr!="userpassword||authpassword||aci")
(version 3.0; acl "Anonymous read access to subtree"; allow (read,search,compare) userdn="ldap:///anyone";)

(target="ldap:///dc=eusovd,dc=com")(targetattr="authpassword||userpassword")
(version 3.0; acl "EUS reads authpassword"; allow (read,search,compare) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)
If the user entry does not contain authpassword, ensure that there is a user password:
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN "(uid=joe)" userpassword
dn: cn=joe,ou=people,dc=eusovd,dc=com
userpassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
Ensure that the userpassword attribute is stored using a compatible scheme (SSHA-512 is not supported):

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN "(uid=joe)" userpassword
dn: cn=joe,ou=people,dc=eusovd,dc=com
userpassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
This error message appears if you fail to authenticate properly after multiple attempts.
To resolve this issue, do the following:
Verify if Oracle Unified Directory is configured for account lockout, by running the following command on the command line:
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -X -Z -D $DN -w $PWD \
  -b "cn=Default Password Policy,cn=Password Policies,cn=config" "(objectclass=*)" \
  ds-cfg-lockout-failure-count ds-cfg-lockout-duration ds-cfg-lockout-failure-expiration-interval
dn: cn=Default Password Policy,cn=Password Policies,cn=config
ds-cfg-lockout-failure-expiration-interval: 180 s
ds-cfg-lockout-failure-count: 3
ds-cfg-lockout-duration: 180 s
If the failure-count value is 0, then account lockout is not enabled. For more information, see Chapter 30, "Managing Password Policies."
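The three properties returned above interact: failures accumulate until ds-cfg-lockout-failure-count is reached, each failure stops counting after ds-cfg-lockout-failure-expiration-interval, and a lock clears after ds-cfg-lockout-duration. The following Python is an added example, not Oracle's code, that simulates those rules over constructed sequences of bind attempts so an administrator can see why a user is locked (or, with failure-count 0, why they never are). The semantics it encodes are the documented OpenDS-family meanings of these properties and are stated here as the example's assumption; LockoutPolicy, AccountState and run_scenario are this example's own names, and a lockout-duration of 0 is treated as "locked until an administrator unlocks".

```python
"""Simulate OUD account lockout from the three password-policy properties.
Added example; property meanings are assumed as described in the lead-in."""


class LockoutPolicy:
    def __init__(self, failure_count=3, lockout_duration=180, failure_expiration=180):
        self.failure_count = failure_count           # ds-cfg-lockout-failure-count
        self.lockout_duration = lockout_duration     # ds-cfg-lockout-duration (s)
        self.failure_expiration = failure_expiration  # ds-cfg-lockout-failure-expiration-interval (s)

    @property
    def enabled(self):
        # A failure count of 0 disables lockout entirely (see the text above).
        return self.failure_count > 0


class AccountState:
    def __init__(self, policy):
        self.policy = policy
        self.failures = []     # timestamps (seconds) of remembered failures
        self.locked_at = None  # timestamp of the lock, or None

    def _is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.policy.lockout_duration == 0:
            return True        # assumption: stays locked until unlock()
        if now - self.locked_at >= self.policy.lockout_duration:
            self.locked_at = None   # lock has expired; start clean
            self.failures = []
            return False
        return True

    def attempt(self, now, password_ok):
        """Record a bind attempt at time `now`. Returns 'ok', 'invalid' or
        'locked'; the failure that reaches the threshold is reported as
        'locked'."""
        p = self.policy
        if self._is_locked(now):
            return "locked"
        if password_ok:
            self.failures = []      # a successful bind clears the history
            return "ok"
        if not p.enabled:
            return "invalid"        # wrong password, but never locks
        if p.failure_expiration > 0:
            # Forget failures older than the expiration interval.
            self.failures = [t for t in self.failures if now - t < p.failure_expiration]
        self.failures.append(now)
        if len(self.failures) >= p.failure_count:
            self.locked_at = now
            return "locked"
        return "invalid"

    def unlock(self):
        """Administrative unlock: clears the lock and the failure history."""
        self.locked_at = None
        self.failures = []


def run_scenario(policy, attempts):
    """attempts: list of (time_seconds, password_ok). Returns the outcomes."""
    acct = AccountState(policy)
    return [acct.attempt(t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed scenario with the values shown above (3 / 180 s / 180 s):
    # three quick failures lock the account; it is usable again 180 s later.
    policy = LockoutPolicy(3, 180, 180)
    print(run_scenario(policy, [(0, False), (10, False), (20, False), (30, True), (200, True)]))
    # Failures spread more than 180 s apart never reach the threshold.
    print(run_scenario(policy, [(0, False), (100, False), (200, False), (210, True)]))
```

Plug in the values from your own Default Password Policy (or the policy assigned to the user) to see whether a reported ORA-28051 is consistent with the directory's settings; a lockout that does not clear after lockout-duration points at a duration of 0, which needs an administrative unlock.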
Ensure that the following ACI is defined, when the Enterprise User Security is configured:
(target="ldap:///dc=eusovd,dc=com")(targetattr="orclaccountstatusevent")
(version 3.0; acl "EUS write orclaccountstatusenabled"; allow (write) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)

(targetcontrol="2.16.840.1.113894.1.8.16")(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)

(targetcontrol="2.16.840.1.113894.1.8.2")(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)