LDAP Authentication and the Recovery Appliance
The Recovery Appliance offers support for LDAP authentication, which grants named users reduced privileges to manage the Recovery Appliance through the RACLI. These user names, whether LDAP users or native OS users, appear in audit logs for the Recovery Appliance. Direct SSH access for the root and oracle users can then be removed from Recovery Appliance nodes.
An existing company LDAP infrastructure can be leveraged to allow OS-level LDAP configuration for the compute server nodes. This requires shadow/posix user accounts on the LDAP server. The LDAP users need to belong to the raadmin group.
The LDAP user can belong to the following groups:
- raadmin - required
- dbmadmin - used for monitoring Exadata
- dbmusers - used for monitoring Exadata
- oinstall
It is important that the group identifier (GID) is standardized for these groups.
- During install you can use ra_preinstall.pl to define a specific group identifier.
- During patch/upgrade, you can also specify the raadmin GID with ra_preinstall.pl.
Note: If you have an existing ZDLRA 21.1 system with a conflicting GID for the raadmin group, please open a support case so we can review and help update the group identifier.
- Follow your data center processes for configuring a Recovery Appliance compute server node to authenticate an OS user with LDAP.
- Confirm your LDAP-authenticated user is accessible on all of the Recovery Appliance compute server nodes in the cluster:

  getent passwd <USER_NAME>

  This confirms that the client configuration is correct for the name services and that the users are present.
- From the Recovery Appliance, issue the command to add that LDAP user as an admin_user:

  racli add admin_user --user_name=USER_NAME [--user_uid=USER_ID --user_gid=GROUP_ID]

  --user_name
    System user name to add to the RACLI admin group.
  --user_uid
    Set the user identifier for the newly created admin user. The value must be >= 1003. During the installation of RA 19.x or later, you can define the raadmin uid with ra_preinstall.pl.
  --user_gid
    Set the initial login group identifier for the newly created admin user. The group number must refer to an already existing group. The value must be >= 1003. During the installation of RA 21.1 or later, you can define the gid with ra_preinstall.pl.
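The following pre-flight check, added here as an example and not part of the Oracle documentation, combines the getent verification with the constraints stated for racli add admin_user (uid and gid >= 1003, gid must be an existing group) and prints the command to run only when every check passes. The sample passwd and group lines are constructed, not real appliance output; the live wrapper at the end is an assumption about how you would run it on a node.

```shell
#!/bin/sh
# Added example: validate an LDAP user before "racli add admin_user".
# Minimum uid/gid is the 1003 limit stated in the documentation.
MIN_ID=1003

# Constructed sample data standing in for `getent passwd` / `getent group`
# output on a compute server node (not real appliance data).
SAMPLE_PASSWD='jdoe:x:2001:3001:Jane Doe:/home/jdoe:/bin/bash
svc_low:x:999:999:Low UID svc:/home/svc:/bin/bash
orphan:x:2002:4444:No such group:/home/orphan:/bin/bash'
SAMPLE_GROUP='raadmin:x:3001:jdoe
dbmadmin:x:3002:
oinstall:x:1001:'

# check_admin_candidate USER PASSWD_DATA GROUP_DATA
# Prints the racli command on success; otherwise prints the reason and
# returns a distinct non-zero code (1 unresolved, 2 uid, 3 gid, 4 no group).
check_admin_candidate() {
    user=$1; passwd_data=$2; group_data=$3
    entry=$(printf '%s\n' "$passwd_data" | grep "^${user}:") || {
        echo "ERROR: $user not resolvable (check LDAP client / name service)"; return 1; }
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    [ "$uid" -ge "$MIN_ID" ] || { echo "ERROR: uid $uid is below $MIN_ID"; return 2; }
    [ "$gid" -ge "$MIN_ID" ] || { echo "ERROR: gid $gid is below $MIN_ID"; return 3; }
    # The login group must already exist: look the gid up in the group data.
    gname=$(printf '%s\n' "$group_data" | awk -F: -v g="$gid" '$3 == g { print $1 }')
    [ -n "$gname" ] || { echo "ERROR: gid $gid does not match an existing group"; return 4; }
    echo "racli add admin_user --user_name=$user --user_uid=$uid --user_gid=$gid"
}

# Hypothetical live wrapper: same check against the node's real name service.
# Run it on every compute server node in the cluster before adding the user.
check_admin_candidate_live() {
    check_admin_candidate "$1" "$(getent passwd "$1")" "$(getent group)"
}
```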
Additional non-standard packages
If you require additional packages which are non-standard, please review the two paths forward and pick the one which most aligns with your environment.
- If you have an existing LDAP client authentication setup procedure that is used on your Exadata systems and includes the nonstandard packages: continue using the same process to configure LDAP client authentication which you have been successfully using on your other Engineered systems. Because these packages are nonstandard, there is a chance you would need to uninstall them during OS updates and RACLI updates.
- If you have never configured LDAP on an Engineered system and require non-standard Linux packages: contact Support to confirm any risks with installing nonstandard Linux packages on the Database/Compute Server nodes.