Configure CMU with Microsoft Active Directory on Autonomous Database

You can configure Autonomous Database to authenticate and authorize Microsoft Active Directory users. This configuration allows Active Directory users to access an Autonomous Database using their Active Directory credentials.

Note

See Use Azure Active Directory (Azure AD) with Autonomous Database for information on using Azure Active Directory with Autonomous Database. The CMU option supports Microsoft Active Directory servers but does not support the Azure Active Directory service.

The integration of Autonomous Database with Centrally Managed Users (CMU) provides integration with Microsoft Active Directory. CMU with Active Directory works by mapping Oracle database global users and global roles to Microsoft Active Directory users and groups.

See Configuring Centrally Managed Users with Microsoft Active Directory for information on Centrally Managed Users (CMU).

The following are required before you configure the connection from Autonomous Database to Active Directory:

  • You must have Microsoft Active Directory installed and configured. See AD DS Getting Started for more information.

  • You must create an Oracle service directory user in Active Directory. See Connecting to Microsoft Active Directory for information on the Oracle service directory user account.

  • An Active Directory system administrator must have installed the Oracle password filter on the Active Directory servers, and set up Active Directory groups with Active Directory users to meet your requirements. Password authentication with CMU for Autonomous Database depends on this filter, so you must use the included utility, opwdintg.exe, to install the Oracle password filter on Active Directory, extend the schema, and create three new ORA_VFR groups for the three types of password verifier generation. See Connecting to Microsoft Active Directory for information on installing the Oracle password filter.

  • The Active Directory servers must be reachable from Autonomous Database over the internet, and port 636 on the Active Directory servers must be open to Autonomous Database in Oracle Cloud Infrastructure, so that Autonomous Database can use LDAPS (LDAP over TLS/SSL) to the Active Directory servers. Plain LDAP on port 389 is not used for this connection.

    You can also extend your on-premises Active Directory to Oracle Cloud Infrastructure, where you can set up Read Only Domain Controllers (RODCs) for the on-premises Active Directory. Then you can use these RODCs in Oracle Cloud Infrastructure to authenticate and authorize the on-premises Active Directory users for access to Autonomous Databases.

    See Extend Active Directory integration in Hybrid Cloud for more information.

  • You need the CMU configuration database wallet, cwallet.sso, and the CMU configuration file, dsi.ora, to configure CMU for your Autonomous Database. If you have configured CMU for an on-premises database, you can obtain these configuration files from that database server. If you have not configured CMU for an on-premises database, you need to create these files on your local computer or on an on-premises database server. You can validate the wallet and the dsi.ora file by configuring CMU for an on-premises database and verifying that an Active Directory user can successfully log on to that database with these configuration files. Then you upload these configuration files to the cloud in order to configure CMU for your Autonomous Database.

    For details on the wallet file for CMU, see Create the Wallet for a Secure Connection and Verify the Oracle Wallet.

    For details on the dsi.ora file for CMU, see Creating the dsi.ora File.

    For details on configuring Active Directory for CMU and troubleshooting CMU for on-premises databases, see How To Configure Centrally Managed Users For Database Release 18c or Later Releases (Doc ID 2462012.1).

The following limitation applies to CMU with Active Directory on Autonomous Database:

  • Only password authentication and Kerberos are supported for CMU with Autonomous Database. When you are using CMU authentication with Autonomous Database, other authentication methods such as Azure AD, OCI IAM, and PKI are not supported.

Note

When you perform the configuration steps, connect to the Autonomous Database as the ADMIN user.

To configure Autonomous Database for CMU to connect to Active Directory servers:

  1. Verify whether another external authentication scheme (for example Azure AD or OCI IAM) is enabled on your database, and disable it before continuing.
    Note

    You can continue with CMU-AD configuration on top of Kerberos to provide CMU-AD Kerberos authentication for Microsoft Active Directory users.
  2. Upload the CMU configuration files, including the database wallet file, cwallet.sso and the CMU configuration file, dsi.ora to your Object Store. This step depends on the Object Store you use.

    The dsi.ora configuration file contains the information to find the Active Directory servers.

    If you are using Oracle Cloud Infrastructure Object Store, see Putting Data into Object Storage for details on uploading files.

  3. On your Autonomous Database, create a new directory object or choose an existing directory object. This is the directory where you store the wallet and the configuration file for connecting to Active Directory:

    For example:

    CREATE OR REPLACE DIRECTORY cmu_wallet_dir AS 'cmu_wallet';

    Use the following SQL statement to query the file system directory path of the directory object:

    SELECT DIRECTORY_PATH FROM DBA_DIRECTORIES WHERE 
       DIRECTORY_NAME='directory_object_name';

    For example:

    SELECT DIRECTORY_PATH FROM DBA_DIRECTORIES WHERE 
       DIRECTORY_NAME='CMU_WALLET_DIR';
    
    
    DIRECTORY_PATH
    ----------------------------------------------------------------------------
    /file_system_directory_path_example/cmu_wallet

    Note that the directory object name in the query must be upper case: an unquoted identifier is folded to upper case when the directory object is created, so its case is not preserved.

  4. Use DBMS_CLOUD.GET_OBJECT to copy the CMU configuration files, the database wallet cwallet.sso and dsi.ora, from your Object Store to the directory that you created or chose in Step 3.

    For example, use DBMS_CLOUD.GET_OBJECT to copy the files from Object Store to CMU_WALLET_DIR as follows:

    BEGIN
       DBMS_CLOUD.GET_OBJECT(
          credential_name => 'DEF_CRED_NAME',
          object_uri => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o/cwallet.sso',
          directory_name => 'CMU_WALLET_DIR');
       DBMS_CLOUD.GET_OBJECT(
          credential_name => 'DEF_CRED_NAME',
          object_uri => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o/dsi.ora',
          directory_name => 'CMU_WALLET_DIR');
    END;
    /

    In this example, namespace-string is the Oracle Cloud Infrastructure object storage namespace and bucketname is the bucket name. See Understanding Object Storage Namespaces for more information.

    See GET_OBJECT Procedure for more information.

    Use the following SQL statement to query the files copied to the directory.

    SELECT * FROM DBMS_CLOUD.LIST_FILES('directory_object_name');

    For example:

    SELECT * FROM DBMS_CLOUD.LIST_FILES('CMU_WALLET_DIR');

    Note that the directory object name in this query must be upper case: an unquoted identifier is folded to upper case when the directory object is created, so its case is not preserved.

  5. Set the Autonomous Database property CMU_WALLET to the name of the directory object that you created or chose in Step 3.
    ALTER DATABASE PROPERTY SET CMU_WALLET='directory_object_name';

    For example:

    ALTER DATABASE PROPERTY SET CMU_WALLET='CMU_WALLET_DIR';

    Use the following SQL statement to query the property value of the database property CMU_WALLET:

    SELECT PROPERTY_VALUE FROM DATABASE_PROPERTIES WHERE PROPERTY_NAME='CMU_WALLET';

    For example:

    SQL> SELECT PROPERTY_VALUE FROM DATABASE_PROPERTIES WHERE PROPERTY_NAME='CMU_WALLET';
    
    PROPERTY_VALUE
    --------------------------------
    CMU_WALLET_DIR

    In the CREATE OR REPLACE DIRECTORY statement in Step 3, if you want to preserve case for the directory object name, you need to enclose it in double quotes. For example:

    CREATE OR REPLACE DIRECTORY "CMU_wallet_dir" AS 'cmu_wallet';

    Then the case would be preserved and you would set the property CMU_WALLET as follows:

    ALTER DATABASE PROPERTY SET CMU_WALLET='CMU_wallet_dir';
  6. Set the LDAP_DIRECTORY_ACCESS parameter value to PASSWORD to enable the access from Autonomous Database to Active Directory.
    ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS=PASSWORD;
  7. To maintain security, remove the CMU configuration files, including the database wallet cwallet.sso and the CMU configuration file dsi.ora, from Object Store once they have been copied to the database: the wallet holds the credentials of the Oracle service directory user, and the database no longer needs the copies in the bucket. You can use local Object Store methods to remove these files or use DBMS_CLOUD.DELETE_OBJECT to delete the files from Object Store.
    See DELETE_OBJECT Procedure for more information on DBMS_CLOUD.DELETE_OBJECT.
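The steps above as one script, with the verification queries a practitioner would run at each point and, at the end, the global user and global role mapping described in the CMU overview at the top of this page. This is an added example, not code from the Oracle documentation: the credential name DEF_CRED_NAME, the bucket cmu-config in namespace namespace-string in us-phoenix-1, the AD domain example.com, the AD group ADB_DBA, and the schema and role names are assumptions; replace them with your own values. Run it connected as ADMIN.

```sql
-- Added example, not from the original page. Assumed names: credential
-- DEF_CRED_NAME, bucket cmu-config in namespace namespace-string
-- (us-phoenix-1), AD domain example.com, AD group ADB_DBA.

-- Step 1: confirm no conflicting external scheme is already active.
-- Expect no CMU_WALLET row and ldap_directory_access = NONE.
SELECT property_name, property_value
  FROM database_properties
 WHERE property_name = 'CMU_WALLET';
SELECT name, value FROM v$parameter WHERE name = 'ldap_directory_access';

-- Step 3: directory object. The unquoted name is folded to CMU_WALLET_DIR.
CREATE OR REPLACE DIRECTORY cmu_wallet_dir AS 'cmu_wallet';

-- Step 4: copy both configuration files from Object Store.
BEGIN
  FOR f IN (SELECT 'cwallet.sso' AS name FROM dual
            UNION ALL
            SELECT 'dsi.ora' FROM dual) LOOP
    DBMS_CLOUD.GET_OBJECT(
      credential_name => 'DEF_CRED_NAME',
      object_uri      => 'https://objectstorage.us-phoenix-1.oraclecloud.com'
                         || '/n/namespace-string/b/cmu-config/o/' || f.name,
      directory_name  => 'CMU_WALLET_DIR');
  END LOOP;
END;
/

-- Check that both files arrived before pointing the database at the directory.
SELECT object_name, bytes
  FROM DBMS_CLOUD.LIST_FILES('CMU_WALLET_DIR')
 WHERE object_name IN ('cwallet.sso', 'dsi.ora');

-- Steps 5 and 6: enable CMU and allow password authentication against AD.
ALTER DATABASE PROPERTY SET CMU_WALLET = 'CMU_WALLET_DIR';
ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS = PASSWORD;

SELECT property_value
  FROM database_properties
 WHERE property_name = 'CMU_WALLET';

-- Step 7: the wallet carries the service directory user's credentials;
-- do not leave it in the bucket once the database has its copy.
BEGIN
  FOR f IN (SELECT 'cwallet.sso' AS name FROM dual
            UNION ALL
            SELECT 'dsi.ora' FROM dual) LOOP
    DBMS_CLOUD.DELETE_OBJECT(
      credential_name => 'DEF_CRED_NAME',
      object_uri      => 'https://objectstorage.us-phoenix-1.oraclecloud.com'
                         || '/n/namespace-string/b/cmu-config/o/' || f.name);
  END LOOP;
END;
/

-- Mapping: a shared schema for members of the AD group ADB_DBA, and a global
-- role that carries the privileges. A member of ADB_DBA logs in with the AD
-- user name and password, is mapped to ADB_DBA_USERS, and receives ADB_DBA_ROLE.
CREATE USER adb_dba_users IDENTIFIED GLOBALLY AS
  'CN=ADB_DBA,OU=Groups,DC=example,DC=com';
GRANT CREATE SESSION TO adb_dba_users;

CREATE ROLE adb_dba_role IDENTIFIED GLOBALLY AS
  'CN=ADB_DBA,OU=Groups,DC=example,DC=com';
GRANT DWROLE TO adb_dba_role;   -- assumed privilege set; grant least privilege

-- Confirm the mappings were recorded.
SELECT username, external_name
  FROM dba_users
 WHERE authentication_type = 'GLOBAL';
SELECT role, external_name
  FROM dba_roles
 WHERE authentication_type = 'GLOBAL';
```

The group distinguished name must match the AD group exactly, so copy it from Active Directory rather than retyping it. If an AD user can bind but is not mapped, check the DBA_USERS query first: a missing or mistyped EXTERNAL_NAME is the usual cause.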
Note

See Disable Active Directory Access on Autonomous Database for instructions to disable the access from Autonomous Database to Active Directory.

See Configuring Centrally Managed Users with Microsoft Active Directory for more information on configuring CMU with Microsoft Active Directory.