You can configure Autonomous Database to authenticate and authorize Microsoft Active Directory users. This configuration allows Active Directory users to access an Autonomous Database using their Active Directory credentials.
See Use Azure Active Directory (Azure AD) with Autonomous Database for information on using Azure Active Directory with Autonomous Database. The CMU option supports Microsoft Active Directory servers but does not support the Azure Active Directory service.
The integration of Autonomous Database with Centrally Managed Users (CMU) provides integration with Microsoft Active Directory. CMU with Active Directory works by mapping Oracle database global users and global roles to Microsoft Active Directory users and groups.
See Configuring Centrally Managed Users with Microsoft Active Directory for information on Centrally Managed Users (CMU).
The following are required before you configure the connection from Autonomous Database to Active Directory:
You must have Microsoft Active Directory installed and configured. See AD DS Getting Started for more information.
You must create an Oracle service directory user in Active Directory. See Connecting to Microsoft Active Directory for information on the Oracle service directory user account.
An Active Directory system administrator must have installed the Oracle password filter on the Active Directory servers, and set up Active Directory groups with Active Directory users to meet your requirements. Only password authentication is supported with CMU for Autonomous Database, so you must use the included utility, opwdintg.exe, to install the Oracle password filter on Active Directory, extend the schema, and create three new ORA_VFR groups for three types of password verifier generation. See Connecting to Microsoft Active Directory for information on installing the Oracle password filter.
The Active Directory servers must be accessible from Autonomous Database through the internet and the port 636 of the Active Directory servers must be open to Autonomous Database in Oracle Cloud Infrastructure, so that Autonomous Database can have secured LDAP access over TLS/SSL to the Active Directory servers through the internet.
You can also extend your on-premise Active Directory to Oracle Cloud Infrastructure, where you can set up Read Only Domain Controllers (RODCs) for the on-premise Active Directory. Then you can use these RODCs in Oracle Cloud Infrastructure to authenticate and authorize the on-premise Active Directory users for access to Autonomous Databases.
See Extend Active Directory integration in Hybrid Cloud for more information.
You need the CMU configuration database wallet, cwallet.sso, and the CMU configuration file, dsi.ora, to configure CMU for your Autonomous Database. If you have configured CMU for an on-premise database, you can obtain these configuration files from your on-premise database server. If you have not configured CMU for an on-premise database, you need to create these files on your local computer, or on an on-premise database server. You can validate the wallet and the dsi.ora by configuring CMU for an on-premise database and verifying that an Active Directory user can successfully log on to the on-premise database with these configuration files. Then you upload these configuration files to the cloud in order to configure CMU for your Autonomous Database.
For details on the dsi.ora file for CMU, see Creating the dsi.ora File.
For details on configuring Active Directory for CMU and troubleshooting CMU for on-premise databases, see How To Configure Centrally Managed Users For Database Release 18c or Later Releases (Doc ID 2462012.1).
The following limitation applies to CMU with Active Directory on Autonomous Database:
Only "password authentication" and Kerberos are supported for CMU with Autonomous Database. When you are using CMU authentication with Autonomous Database, other authentication methods such as Azure AD, OCI IAM, and PKI are not supported.
When you perform the configuration steps, connect to the Autonomous Database as the ADMIN user.
To configure Autonomous Database for CMU to connect to Active Directory servers:
- Verify if another external authentication scheme is enabled on your database, and disable it.
Note: You can continue with CMU-AD configuration on top of Kerberos to provide CMU-AD Kerberos authentication for Microsoft Active Directory users.
- Upload the CMU configuration files, including the database wallet file, cwallet.sso, and the CMU configuration file, dsi.ora, to your Object Store. This step depends on the Object Store you use. The dsi.ora configuration file contains the information to find the Active Directory servers.
If you are using Oracle Cloud Infrastructure Object Store, see Putting Data into Object Storage for details on uploading files.
- On your Autonomous Database, create a new directory object or choose an existing directory object. This is the directory where you store the wallet and the configuration file for connecting to Active Directory:
CREATE OR REPLACE DIRECTORY cmu_wallet_dir AS 'cmu_wallet';
Use the following SQL statement to query the file system directory path of the directory object:
SELECT DIRECTORY_PATH FROM DBA_DIRECTORIES WHERE DIRECTORY_NAME='directory_object_name';
For example:
SELECT DIRECTORY_PATH FROM DBA_DIRECTORIES WHERE DIRECTORY_NAME='CMU_WALLET_DIR';

DIRECTORY_PATH
----------------------------------------------------------------------------
/file_system_directory_path_example/cmu_wallet
Note that the directory object name in the query must be upper case as its case was not preserved when the directory object was created.
- Use DBMS_CLOUD.GET_OBJECT to copy the CMU configuration files, the database wallet cwallet.sso and the CMU configuration file dsi.ora, from your Object Store to the directory that you created or chose in Step 2.
For example, use DBMS_CLOUD.GET_OBJECT to copy the files from Object Store to the directory object CMU_WALLET_DIR:
BEGIN
  DBMS_CLOUD.GET_OBJECT(
    credential_name => 'DEF_CRED_NAME',
    object_uri      => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o/cwallet.sso',
    directory_name  => 'CMU_WALLET_DIR');
  DBMS_CLOUD.GET_OBJECT(
    credential_name => 'DEF_CRED_NAME',
    object_uri      => 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o/dsi.ora',
    directory_name  => 'CMU_WALLET_DIR');
END;
/
In this example, namespace-string is the Oracle Cloud Infrastructure object storage namespace and bucketname is the bucket name. See Understanding Object Storage Namespaces for more information.
See GET_OBJECT Procedure for more information.
Use the following SQL statement to query the files copied to the directory.
SELECT * FROM DBMS_CLOUD.LIST_FILES('directory_object_name');
SELECT * FROM DBMS_CLOUD.LIST_FILES('CMU_WALLET_DIR');
Note that the directory object name in this query must be upper case as its case was not preserved when the directory object was created.
- Set the Autonomous Database property CMU_WALLET to the name of the directory object that you created or chose in Step 2.
ALTER DATABASE PROPERTY SET CMU_WALLET='directory_object_name';
For example:
ALTER DATABASE PROPERTY SET CMU_WALLET='CMU_WALLET_DIR';
Use the following SQL statement to query the property value of the database property CMU_WALLET:
SELECT PROPERTY_VALUE FROM DATABASE_PROPERTIES WHERE PROPERTY_NAME='CMU_WALLET';
For example:
SQL> SELECT PROPERTY_VALUE FROM DATABASE_PROPERTIES WHERE PROPERTY_NAME='CMU_WALLET';

PROPERTY_VALUE
--------------------------------
CMU_WALLET_DIR
Note: In the CREATE OR REPLACE DIRECTORY statement in Step 2, if you want to preserve case for the directory object name then you need to include double quotes. For example:
CREATE OR REPLACE DIRECTORY "CMU_wallet_dir" AS 'cmu_wallet';
Then the case would be preserved and you would set the property as follows:
ALTER DATABASE PROPERTY SET CMU_WALLET='CMU_wallet_dir';
- Set the LDAP_DIRECTORY_ACCESS parameter value to PASSWORD to enable the access from Autonomous Database to Active Directory.
ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS=PASSWORD;
- To maintain security, remove the CMU configuration files, including the database wallet cwallet.sso and the CMU configuration file dsi.ora, from Object Store. You can use local Object Store methods to remove these files or use DBMS_CLOUD.DELETE_OBJECT to delete the files from Object Store. See DELETE_OBJECT Procedure for more information.
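As an added verification script (not part of the Oracle documentation and not code from the page), the following PL/SQL block checks the results of Steps 2 through 5 from the ADMIN connection before you remove the files from Object Store. It assumes the directory object is stored as CMU_WALLET_DIR and that ADMIN can query V$PARAMETER; the variable v_dir and the helper fail are names chosen here.

```sql
-- Added check script, not from the Oracle documentation page. Assumes the
-- directory object is stored as CMU_WALLET_DIR (set v_dir to the exact name
-- if you preserved case with double quotes) and that ADMIN can read V$PARAMETER.
SET SERVEROUTPUT ON
DECLARE
  v_dir    VARCHAR2(128) := 'CMU_WALLET_DIR';
  v_path   VARCHAR2(4000);
  v_prop   VARCHAR2(4000);
  v_ldap   VARCHAR2(4000);
  v_wallet PLS_INTEGER := 0;
  v_dsi    PLS_INTEGER := 0;
  v_ok     BOOLEAN := TRUE;
  PROCEDURE fail(msg VARCHAR2) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE('FAIL: ' || msg);
    v_ok := FALSE;
  END;
BEGIN
  -- Steps 2 and 3: the directory object must exist under exactly this
  -- (case-sensitive) name and must contain both CMU files
  BEGIN
    SELECT DIRECTORY_PATH INTO v_path
      FROM DBA_DIRECTORIES WHERE DIRECTORY_NAME = v_dir;
    DBMS_OUTPUT.PUT_LINE('directory ' || v_dir || ' -> ' || v_path);
    FOR f IN (SELECT OBJECT_NAME FROM DBMS_CLOUD.LIST_FILES(v_dir)) LOOP
      IF f.OBJECT_NAME = 'cwallet.sso' THEN v_wallet := 1; END IF;
      IF f.OBJECT_NAME = 'dsi.ora'     THEN v_dsi    := 1; END IF;
    END LOOP;
    IF v_wallet = 0 THEN fail('cwallet.sso missing from ' || v_dir); END IF;
    IF v_dsi    = 0 THEN fail('dsi.ora missing from ' || v_dir);     END IF;
  EXCEPTION WHEN NO_DATA_FOUND THEN
    fail('directory object ' || v_dir || ' not found; check the case of the name');
  END;
  -- Step 4: CMU_WALLET must name the same directory object
  SELECT MAX(PROPERTY_VALUE) INTO v_prop
    FROM DATABASE_PROPERTIES WHERE PROPERTY_NAME = 'CMU_WALLET';
  IF v_prop IS NULL OR v_prop <> v_dir THEN
    fail('CMU_WALLET is ' || NVL(v_prop, '<unset>') || ', expected ' || v_dir);
  END IF;
  -- Step 5: LDAP access must be enabled with password authentication
  SELECT MAX(VALUE) INTO v_ldap
    FROM V$PARAMETER WHERE NAME = 'ldap_directory_access';
  IF UPPER(NVL(v_ldap, 'NONE')) <> 'PASSWORD' THEN
    fail('LDAP_DIRECTORY_ACCESS is ' || NVL(v_ldap, '<unset>') || ', expected PASSWORD');
  END IF;
  DBMS_OUTPUT.PUT_LINE(CASE WHEN v_ok THEN 'CMU-AD configuration checks passed'
                            ELSE 'CMU-AD configuration incomplete, see FAIL lines' END);
END;
/
```

Any FAIL line points at the step to repeat; a mismatch on CMU_WALLET is most often the case-preservation issue described in Step 4.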
See Disable Active Directory Access on Autonomous Database for instructions to disable the access from Autonomous Database to Active Directory.
See Configuring Centrally Managed Users with Microsoft Active Directory for more information on configuring CMU with Microsoft Active Directory.