LDAP Authentication and the Recovery Appliance

The Recovery Appliance offers support for LDAP authentication, which grants named users reduced privileges to manage the Recovery Appliance through the RACLI. These user names, whether LDAP users or native OS users, appear in audit logs for the Recovery Appliance. Direct SSH access for root and oracle users can be removed from Recovery Appliance nodes.

An existing company LDAP infrastructure can be leveraged to provide OS-level LDAP configuration for the compute server nodes. This requires shadow/POSIX user accounts on the LDAP server, and the LDAP users must belong to the raadmin group.

The LDAP user can belong to the following groups:

  • raadmin - required
  • dbmadmin - used for monitoring Exadata.
  • dbmusers - used for monitoring Exadata.
  • oinstall

It is important that the group identifier (GID) is standardized for these groups.

  • During install you can use ra_preinstall.pl to define a specific group identifier.
  • During patch/upgrade, you can also specify raadmin GID with ra_preinstall.pl.

Note:

If you have an existing ZDLRA 21.1 system with a conflicting GID for the raadmin group, please open a support case so we can review and help update the group identifier.

  1. Follow your data center processes for configuring a Recovery Appliance compute server node to authenticate an OS user with LDAP.

  2. Confirm your LDAP-authenticated user is accessible on all of the Recovery Appliance compute server nodes in the cluster.

    getent passwd <USER_NAME>

    This confirms that the client configuration is correct for the name services and that the users are present.

  3. From the Recovery Appliance, issue the command to add that LDAP user as an admin_user.

    racli add admin_user --user_name=USER_NAME [--user_uid=USER_ID --user_gid=GROUP_ID]

    --user_name
    System user name to add to the RACLI admin group.

    --user_uid
    Set the user identifier for the newly created admin user. Value must be >= 1003.
    During the installation of RA 19.x or later, you can define the raadmin uid with ra_preinstall.pl.

    --user_gid
    Set the initial login group identifier for the newly created admin user. The group number must refer to an already existing group. Value must be >= 1003.
    During the installation of RA 21.1 or later, you can define the gid with ra_preinstall.pl.
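The pre-checks behind steps 2 and 3, as an added example rather than anything shipped with the Recovery Appliance or RACLI: a POSIX shell helper that validates getent passwd/group output collected from each compute node (the sample lines, the user jdoe and the node names are constructed) against the rules above, flags a raadmin GID that differs between nodes, and builds the racli command line from the verified entry.

```shell
#!/bin/sh
# Hypothetical helper, not part of the RACLI. Checks constructed "getent"
# output from two compute nodes before adding an LDAP user as admin_user.

# Constructed sample: "getent passwd jdoe" and "getent group raadmin" per node.
NODE1_PASSWD="jdoe:x:2001:2001:Jane Doe:/home/jdoe:/bin/bash"
NODE1_GROUP="raadmin:x:1003:jdoe"
NODE2_PASSWD="jdoe:x:2001:2001:Jane Doe:/home/jdoe:/bin/bash"
NODE2_GROUP="raadmin:x:1004:jdoe"   # GID not standardized across nodes

# field LINE N -> prints colon-separated field N of a passwd/group line
field() { printf '%s' "$1" | cut -d: -f"$2"; }

# check_user PASSWDLINE RAADMIN_GROUPLINE USER
# 0 = ok; 1 = user not present; 2 = uid < 1003; 3 = gid < 1003;
# 4 = user is not in raadmin (neither listed as member nor primary group)
check_user() {
  user=$3
  [ "$(field "$1" 1)" = "$user" ] || return 1
  uid=$(field "$1" 3); gid=$(field "$1" 4)
  [ "$uid" -ge 1003 ] || return 2
  [ "$gid" -ge 1003 ] || return 3
  members=$(field "$2" 4); ragid=$(field "$2" 3)
  case ",$members," in *",$user,"*) return 0 ;; esac
  [ "$gid" = "$ragid" ] || return 4
  return 0
}

# raadmin_gid_consistent GROUPLINE... -> 0 only if every raadmin GID matches
raadmin_gid_consistent() {
  first=$(field "$1" 3); shift
  for g in "$@"; do [ "$(field "$g" 3)" = "$first" ] || return 1; done
  return 0
}

# racli_command USER PASSWDLINE -> the command to run on the Recovery Appliance,
# passing the uid/gid seen by the OS so RACLI does not pick different values
racli_command() {
  printf 'racli add admin_user --user_name=%s --user_uid=%s --user_gid=%s\n' \
    "$1" "$(field "$2" 3)" "$(field "$2" 4)"
}

# Usage: validate both nodes, then print the command or the failure reason.
for n in 1; do
  check_user "$NODE1_PASSWD" "$NODE1_GROUP" jdoe && echo "node1: ok" || echo "node1: rc=$?"
  check_user "$NODE2_PASSWD" "$NODE2_GROUP" jdoe && echo "node2: ok" || echo "node2: rc=$?"
  raadmin_gid_consistent "$NODE1_GROUP" "$NODE2_GROUP" && racli_command jdoe "$NODE1_PASSWD" \
    || echo "raadmin GID differs between nodes; fix with ra_preinstall.pl before adding the user"
done
```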

Additional non-standard packages

If you require additional non-standard packages, review the two paths forward and pick the one that best fits your environment.

  1. You have an existing LDAP client authentication setup procedure for your Exadata systems that includes the non-standard packages.

    Continue using the same process to configure LDAP client authentication that you have been using successfully on your other Engineered Systems.

    Because these packages are non-standard, you may need to uninstall them during OS updates and RACLI updates.

  2. You have never configured LDAP on an Engineered System and require non-standard Linux packages.

    Contact Support to confirm any risks with installing non-standard Linux packages on the Database/Compute Server nodes.