Active Directory Modifications
When you use the Oracle Enterprise Communications Broker (ECB) LDAP configuration to read authentication and routing information from Active Directory (AD), you must first prepare AD to serve those functions. For authentication, you install an Oracle-supplied DLL on the domain controller; it captures a hash of each new password at password-change time and stores the hash in AD for later SIP authentication.
The Oracle-supplied DLL, oecbpwdcn.dll, is a Windows password change notification DLL (loaded by the Local Security Authority through the Notification Packages registry value) that performs the hash capture. When a user changes their password, the DLL hashes the new password and writes the digest hash to the user's AD entry for SIP authentication. The clear-text password itself is never stored in AD. Two consequences follow from this design. First, the DLL runs inside LSASS on every domain controller where it is registered, so install only the binary supplied by Oracle and control who can write to the domain controller's system directory and to the Notification Packages value. Second, the stored hash is the secret the ECB verifies SIP digest responses against, so treat the orclDigestPwdAttribute value as password-equivalent for SIP: restrict read access to it and have the ECB query AD over LDAPS.
Related AD changes consist of the following, which can be done manually or by way of Oracle-provided scripts:
- Create the orclDigestRealmAttribute attribute (to store the digest realm name) and associate it with users.
- Create the orclDigestPwdAttribute attribute (to store the hashed password) and associate it with users.
- Create the orclAgentNameAttribute attribute (to store the user's agent name, used for routing) and associate it with users.
You can refer to http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/adschema.mspx for instructions on managing AD. You can manually add the following entries into AD:
The first entry creates the attribute that holds the digest realm name. All three attributes are single-valued case-insensitive strings (attributeSyntax 2.5.5.4 with oMSyntax 20). Replace dc=example,dc=com with your own domain components throughout.
dn: cn=orcldigestrealmattribute,cn=schema,cn=configuration,dc=example,dc=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: orclDigestRealmAttribute
instanceType: 4
attributeID: 1.2.840.113556.1.8000.2554.54362.52699.4250.17878.46369.10622351.7266019.1
attributeSyntax: 2.5.5.4
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: orclDigestRealmAttribute
adminDescription: Oracle ECB Digest Realm
oMSyntax: 20
lDAPDisplayName: orclDigestRealmAttribute
name: orclDigestRealmAttribute
The second entry creates the attribute in which oecbpwdcn.dll stores the password hash.
dn: cn=orcldigestpwdattribute,cn=schema,cn=configuration,dc=example,dc=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: orclDigestPwdAttribute
instanceType: 4
attributeID: 1.2.840.113556.1.8000.2554.54362.52699.4250.17878.46369.10622351.7266019.2
attributeSyntax: 2.5.5.4
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: orclDigestPwdAttribute
adminDescription: Oracle ECB Digest Password
oMSyntax: 20
lDAPDisplayName: orclDigestPwdAttribute
name: orclDigestPwdAttribute
The third entry creates an attribute that can be used for routing, by providing a field that stores the user's agent name.
dn: cn=orclagentnameattribute,cn=schema,cn=configuration,dc=example,dc=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: orclAgentNameAttribute
instanceType: 4
attributeID: 1.2.840.113556.1.8000.2554.54362.52699.4250.17878.46369.10622351.7266019.3
attributeSyntax: 2.5.5.4
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: orclAgentNameAttribute
adminDescription: Oracle ECB Agent Name
oMSyntax: 20
lDAPDisplayName: orclAgentNameAttribute
name: orclAgentNameAttribute
Note:
In the provided LDIF files you must replace %AD_DOMAN_NAME% with your AD domain name, such as dc=acme,dc=com. For convenience, two LDIF files are provided to facilitate adding these three attributes: "addOrclECBAttribute.ldif" (creates the attributes) and "addUserObjClass.ldif" (associates them with the user class). To add the three attributes automatically:
- Make sure the Active Directory Schema Snap-In is installed by following the directions from one of:
  - http://social.technet.microsoft.com/wiki/contents/articles/20319.how-to-create-a-custom-attribute-in-active-directory.aspx
  - http://technet.microsoft.com/en-us/library/cc759633(v=ws.10).aspx
- Open the two files and replace %AD_DOMAN_NAME% with your actual AD domain name, such as dc=acme,dc=com.
- Run the command "ldifde -i -f addOrclECBAttribute.ldif -v" to create the three attributes. Schema changes are written to the schema master, so run the command there (or point ldifde at it with -s) as a member of Schema Admins.
- Then run the command "ldifde -i -f addUserObjClass.ldif -v" to associate the attributes with AD users.
- Reload the AD schema (or reboot the domain controller).
- Verify that the three attributes are present by checking that they are now available on user objects.
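As an added example (not one of Oracle's scripts), the following PowerShell performs the same schema procedure end to end: it generates the three attributeSchema entries shown above for the current forest, adds them to the user class's mayContain list (an assumption about what addUserObjClass.ldif does; the page does not show that file's contents), imports both LDIF files with ldifde, reloads the schema cache, and verifies the result. It needs the ActiveDirectory module, Schema Admins membership, and must be run on (or against) the schema master.

```powershell
# Added example, not part of the Oracle documentation or its scripts.
# Creates the three Oracle ECB attributes and associates them with users.
# Run in an elevated PowerShell on the schema master as a Schema Admin.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,DC=...
$oidBase  = '1.2.840.113556.1.8000.2554.54362.52699.4250.17878.46369.10622351.7266019'

# Names, descriptions and OID suffixes exactly as documented above.
$attrs = @(
    @{ Name = 'orclDigestRealmAttribute'; Desc = 'Oracle ECB Digest Realm';    Oid = "$oidBase.1" }
    @{ Name = 'orclDigestPwdAttribute';   Desc = 'Oracle ECB Digest Password'; Oid = "$oidBase.2" }
    @{ Name = 'orclAgentNameAttribute';   Desc = 'Oracle ECB Agent Name';      Oid = "$oidBase.3" }
)

# One attributeSchema LDIF record; 2.5.5.4 / 20 is AD's case-insensitive string.
function New-AttributeLdif($a) {
@"
dn: cn=$($a.Name),$schemaNC
changetype: add
objectClass: top
objectClass: attributeSchema
cn: $($a.Name)
instanceType: 4
attributeID: $($a.Oid)
attributeSyntax: 2.5.5.4
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: $($a.Name)
adminDescription: $($a.Desc)
oMSyntax: 20
lDAPDisplayName: $($a.Name)
name: $($a.Name)

"@
}

$attrLdif = Join-Path $env:TEMP 'addOrclECBAttribute.ldif'
($attrs | ForEach-Object { New-AttributeLdif $_ }) -join "`n" | Set-Content $attrLdif -Encoding ASCII

# Assumption: "associate with users" means adding the attributes to the
# user class's mayContain list. ldifde requires the "-" line after each change.
$userLdif   = Join-Path $env:TEMP 'addUserObjClass.ldif'
$mayContain = ($attrs | ForEach-Object { "mayContain: $($_.Name)" }) -join "`n"
@"
dn: cn=User,$schemaNC
changetype: modify
add: mayContain
$mayContain
-

"@ | Set-Content $userLdif -Encoding ASCII

# Import. -k makes a re-run harmless by ignoring "object already exists".
foreach ($f in $attrLdif, $userLdif) {
    & ldifde.exe -i -k -v -f $f
    if ($LASTEXITCODE -ne 0) { throw "ldifde failed on $f (exit code $LASTEXITCODE)" }
}

# Reload the schema cache instead of rebooting the domain controller.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Verify: each attribute exists with the documented OID and is allowed on users.
foreach ($a in $attrs) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$($a.Name))" -Properties attributeID
    if (-not $obj -or $obj.attributeID -ne $a.Oid) { throw "Schema check failed for $($a.Name)" }
}
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties mayContain
$missing   = $attrs | ForEach-Object { $_.Name } | Where-Object { $userClass.mayContain -notcontains $_ }
if ($missing) { throw "Not associated with the user class: $($missing -join ', ')" }
'Schema extension complete.'
```

Writing schemaUpdateNow to RootDSE forces the domain controller to rebuild its schema cache, which is what the "reload the AD schema" step above refers to; the verification at the end is the same check as the last step of the procedure, done with LDAP queries rather than by inspecting a user in the snap-in.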
In addition to the AD schema modification, follow the steps below to install oecbpwdcn.dll. The notification package runs on the domain controller that processes a password change, so repeat these steps on every writable domain controller in the domain.
- Install the OID Password Change Notification (oecbpwdcn) DLL by copying oecbpwdcn.dll to the domain controller's WINDOWS\system32 directory.
- Using regedt32 (or regedit), enable the DLL by modifying the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. Add "oecbpwdcn" to the end of this multi-string list. Example registry entries, now including oecbpwdcn, could be:
  - RASSFM
  - KDCSVC
  - WDIGEST
  - scecli
  - oecbpwdcn
- Reboot the domain controller.
Because everything listed in Notification Packages is loaded into LSASS and receives every new password in clear text, changes to this registry value and to the DLL file itself are worth monitoring: an unexpected entry here is a well-known persistence and credential-capture technique.
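The registry step above, as an added PowerShell example that is not part of the Oracle documentation. It appends oecbpwdcn to the Notification Packages multi-string value only if it is not already present, and first records the DLL's SHA-256 hash and Authenticode status so that what LSASS will load after the reboot is known. Run it elevated on each domain controller after copying the DLL into System32.

```powershell
# Added example, not part of the Oracle documentation.
# Registers oecbpwdcn.dll as an LSA notification package, idempotently.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'Notification Packages'      # REG_MULTI_SZ
$package   = 'oecbpwdcn'                  # DLL base name, without .dll
$dllPath   = Join-Path $env:SystemRoot 'System32\oecbpwdcn.dll'

if (-not (Test-Path $dllPath)) {
    throw "$dllPath not found. Copy the Oracle-supplied DLL there first."
}

# Record exactly what LSASS is about to load; compare the hash or signer
# against what Oracle shipped before rebooting.
$hash = (Get-FileHash -Algorithm SHA256 -Path $dllPath).Hash
$sig  = Get-AuthenticodeSignature -FilePath $dllPath
"{0}`n  SHA256: {1}`n  Signature: {2}" -f $dllPath, $hash, $sig.Status
if ($sig.SignerCertificate) { "  Signer: $($sig.SignerCertificate.Subject)" }

# Read the current list (forced to an array) and append only if missing.
$current = @((Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName)
if ($current -contains $package) {
    "'$package' is already registered: $($current -join ', ')"
} else {
    # Append at the end, preserving the existing packages (RASSFM, KDCSVC, ...).
    $updated = $current + $package
    Set-ItemProperty -Path $lsaKey -Name $valueName -Value $updated -Type MultiString
    "Registered. Notification Packages is now: $($updated -join ', ')"
    "Reboot the domain controller so LSASS loads the package."
}
```

Keeping the hash and signer output from this script with the change record gives a baseline to compare against if the file or the registry value changes later.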
Test the deployment as follows:
- Assign a digest realm name to each user's orclDigestRealmAttribute in AD. You can use the script modifyUsersDigestRealmName.vbs to modify this attribute for all users: right-click modifyUsersDigestRealmName.vbs and select "Run with Command Prompt".
- Modify the password for any AD user (or reset the password). The hash is generated only at password-change time, so users whose passwords were last set before the DLL was installed have no value until their next change.
- Search AD for that user; orclDigestPwdAttribute should now hold the generated hash value.
You can use the script displayUsersDigestRealmPassword.vbs to display the values for all users. To do this, right-click displayUsersDigestRealmPassword.vbs and select "Run with Command Prompt." Because these values are password-equivalent for SIP, run this script only where its output can be kept confidential.
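The test above, as an added PowerShell example that is not part of the Oracle documentation and does not use the .vbs scripts it mentions. It stamps a digest realm on every user in one OU that lacks one, resets one test account's password to trigger the DLL, and then reports which users have a value in orclDigestPwdAttribute without printing the hash itself. The realm, OU and test account names are assumptions; substitute your own.

```powershell
# Added example, not part of the Oracle documentation or its .vbs scripts.
Import-Module ActiveDirectory

$realm      = 'sip.example.com'                  # assumed digest realm
$searchBase = 'OU=SIP Users,DC=example,DC=com'   # assumed OU of SIP users
$testUser   = 'sip.test'                         # assumed test account

# Step 1: assign the realm to every user in the OU that does not have one yet.
# The documented test sets the realm before the password change, so do the same.
$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties orclDigestRealmAttribute
foreach ($u in $users | Where-Object { -not $_.orclDigestRealmAttribute }) {
    Set-ADUser -Identity $u -Replace @{ orclDigestRealmAttribute = $realm }
}

# Step 2: change (here, reset) one password to trigger oecbpwdcn.dll.
$newPassword = Read-Host -AsSecureString "New password for $testUser"
Set-ADAccountPassword -Identity $testUser -Reset -NewPassword $newPassword

# Step 3: confirm the hash was written, without displaying it. The hash is
# password-equivalent for SIP, so never paste a listing that includes it.
Get-ADUser -Filter * -SearchBase $searchBase `
    -Properties orclDigestRealmAttribute, orclDigestPwdAttribute, PasswordLastSet |
    Select-Object SamAccountName, orclDigestRealmAttribute, PasswordLastSet,
        @{ Name = 'HasDigestHash'; Expression = { [bool]$_.orclDigestPwdAttribute } } |
    Sort-Object HasDigestHash, SamAccountName |
    Format-Table -AutoSize

# Users with HasDigestHash = False have not changed their password since the
# DLL was installed; they receive a hash on their next change or reset.
```

Run Step 3 on its own after a reboot of each domain controller as a quick health check: a freshly reset test account that still shows HasDigestHash = False means the package is not loaded on the domain controller that processed the reset.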