18 Active Directory Modifications

When using the Oracle Enterprise Communications Broker LDAP configuration to access authentication and routing information from Active Directory (AD), you must prepare AD to serve those functions. For authentication, you can add an Oracle-supplied DLL to the system to capture password hashes during password changes and store them for authentication.

The Oracle-supplied DLL, oecbpwdcn.dll, is an OSD DLL that provides the Windows-specific password hash capture function. When a user changes their password, the DLL intercepts the hash of the password and stores it for SIP authentication. The user's password is never visible in clear-text.

Related AD changes consist of the following, which can be done manually or by way of Oracle-provided scripts:

  1. Create the orclDigestRealmAttribute attribute (to store the digest realm name) and associate it with users.
  2. Create the orclDigestPwdAttribute attribute (to store the hashed password) and associate it with users.
  3. Create the orclAgentNameAttribute attribute and associate it with users.

You can refer to http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/adschema.mspx for instructions on managing AD. You can manually add the following entries into AD:

dn: cn=orcldigestrealmattribute,cn=schema,cn=configuration,dc=example,dc=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: orclDigestRealmAttribute
instanceType: 4
attributeID: 1.2.840.113556.1.8000.2554.54362.52699.4250.17878.46369.10622351.7266019.1
attributeSyntax: 2.5.5.4
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: orclDigestRealmAttribute
adminDescription: Oracle ECB Digest Realm
oMSyntax: 20
lDAPDisplayName: orclDigestRealmAttribute
name: orclDigestRealmAttribute

The following entry creates the attribute in which oecbpwdcn.dll stores password hashes:

dn: cn=orcldigestpwdattribute,cn=schema,cn=configuration,dc=example,dc=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: orclDigestPwdAttribute
instanceType: 4
attributeID: 1.2.840.113556.1.8000.2554.54362.52699.4250.17878.46369.10622351.7266019.2
attributeSyntax: 2.5.5.4
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: orclDigestPwdAttribute
adminDescription: Oracle ECB Digest Password
oMSyntax: 20
lDAPDisplayName: orclDigestPwdAttribute
name: orclDigestPwdAttribute

The following entry creates an attribute that can be used for routing, specifically by providing a field for storing each user's Agent:

dn: cn=orclagentnameattribute,cn=schema,cn=configuration,dc=example,dc=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: orclAgentNameAttribute
instanceType: 4
attributeID: 1.2.840.113556.1.8000.2554.54362.52699.4250.17878.46369.10622351.7266019.3
attributeSyntax: 2.5.5.4
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: orclAgentNameAttribute
adminDescription: Oracle ECB Agent Name
oMSyntax: 20
lDAPDisplayName: orclAgentNameAttribute
name: orclAgentNameAttribute

Note:

You must replace %AD_DOMAN_NAME% with your AD domain name, such as dc=acme,dc=com.

For convenience, two LDIF files are provided to facilitate adding these two attributes. They are "addOrclECBAttribute.ldif" and "addUserObjClass.ldif". To add the two attributes automatically:

  1. Make sure the Active Directory Schema Snap-In is installed by following the directions from:
    • http://social.technet.microsoft.com/wiki/contents/articles/20319.how-to-create-a-custom-attribute-in-active-directory.aspx or
    • http://technet.microsoft.com/en-us/library/cc759633(v=ws.10).aspx
  2. Open the two files and replace %AD_DOMAN_NAME% with your actual AD domain name, such as dc=acme,dc=com.
  3. Run the command "ldifde -i -f addOrclECBAttribute.ldif -v" to create the three attributes.
  4. Then run the command "ldifde -i -f addUserObjClass.ldif -v" to associate the attributes with AD users.
  5. Reload the AD schema or reboot AD.
  6. Verify that the two attributes are present by checking users to see that attributes are available to them.
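As an added illustration of the LDIF entries above and of the placeholder substitution in step 2 (this is example code, not one of the Oracle-provided LDIF files; the domain dc=acme,dc=com, the validation rules and the function names are this example's own assumptions), the script below rebuilds the three attributeSchema records from a small table, fills in the domain DN, and checks the result for the mistakes that make ldifde reject a schema import (placeholder left in place, reused attributeID, RDN not matching lDAPDisplayName):

```python
"""Render and sanity-check the three OECB attributeSchema entries.
Added example, not an Oracle-provided file: it reproduces the page's three
entries from a table and validates the LDIF before ldifde is run."""
import re

# OID prefix shared by the three attributes on the page; the final arc
# (1, 2, 3) tells them apart.
OID_PREFIX = ("1.2.840.113556.1.8000.2554.54362.52699.4250.17878.46369"
              ".10622351.7266019")
PLACEHOLDER = "%AD_DOMAN_NAME%"  # placeholder spelling used by the page

# (lDAPDisplayName, adminDescription, final OID arc), exactly as on the page.
OECB_ATTRIBUTES = [
    ("orclDigestRealmAttribute", "Oracle ECB Digest Realm", 1),
    ("orclDigestPwdAttribute", "Oracle ECB Digest Password", 2),
    ("orclAgentNameAttribute", "Oracle ECB Agent Name", 3),
]

_DOMAIN_DN = re.compile(r"^dc=[^,=]+(,dc=[^,=]+)*$", re.IGNORECASE)


def render_entry(name, description, arc, domain_dn=PLACEHOLDER):
    """One attributeSchema record with the values the page uses."""
    return "\n".join([
        f"dn: cn={name.lower()},cn=schema,cn=configuration,{domain_dn}",
        "changetype: add",
        "objectClass: top",
        "objectClass: attributeSchema",
        f"cn: {name}",
        "instanceType: 4",
        f"attributeID: {OID_PREFIX}.{arc}",
        "attributeSyntax: 2.5.5.4",  # syntax / oMSyntax pair copied from the page
        "isSingleValued: TRUE",
        "showInAdvancedViewOnly: TRUE",
        f"adminDisplayName: {name}",
        f"adminDescription: {description}",
        "oMSyntax: 20",
        f"lDAPDisplayName: {name}",
        f"name: {name}",
    ]) + "\n"


def render_ldif(domain_dn=PLACEHOLDER):
    """All three records, blank-line separated, as an LDIF file body."""
    return "\n".join(render_entry(n, d, a, domain_dn) for n, d, a in OECB_ATTRIBUTES)


def fill_domain(ldif_text, domain_dn):
    """Step 2 of the procedure: swap the placeholder for the real domain DN."""
    if not _DOMAIN_DN.match(domain_dn):
        raise ValueError(f"expected a DN such as dc=acme,dc=com, got {domain_dn!r}")
    return ldif_text.replace(PLACEHOLDER, domain_dn)


def parse_ldif(ldif_text):
    """Minimal LDIF reader: blank-line separated records of 'key: value' lines;
    repeated keys (objectClass) collect into one list."""
    records, current = [], {}
    for line in ldif_text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def check_ldif(ldif_text):
    """Return the problems found (an empty list means the file is ready for ldifde)."""
    problems = []
    if PLACEHOLDER in ldif_text:
        problems.append(f"{PLACEHOLDER} still present; fill in the domain DN first")
    seen_oids, seen_names = set(), set()
    for rec in parse_ldif(ldif_text):
        dn = rec.get("dn", ["?"])[0]
        if "attributeSchema" not in rec.get("objectClass", []):
            problems.append(f"{dn}: not an attributeSchema entry")
            continue
        missing = [k for k in ("attributeID", "attributeSyntax", "oMSyntax",
                               "lDAPDisplayName") if k not in rec]
        if missing:
            problems.append(f"{dn}: missing {', '.join(missing)}")
            continue
        oid, name = rec["attributeID"][0], rec["lDAPDisplayName"][0].lower()
        if oid in seen_oids:  # attributeID must be unique across the schema
            problems.append(f"{dn}: duplicate attributeID {oid}")
        if name in seen_names:
            problems.append(f"{dn}: duplicate lDAPDisplayName {name}")
        if f"cn={name}," not in dn.lower():
            problems.append(f"{dn}: RDN does not match lDAPDisplayName {name}")
        seen_oids.add(oid)
        seen_names.add(name)
    return problems


if __name__ == "__main__":
    ldif = fill_domain(render_ldif(), "dc=acme,dc=com")  # constructed domain
    print(ldif)
    print("problems:", check_ldif(ldif) or "none")
```

Running the script prints the filled-in LDIF followed by "problems: none"; running check_ldif on the unfilled template reports the placeholder, which is the failure you see in practice when step 2 is skipped and ldifde is handed a DN that contains %AD_DOMAN_NAME%.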

In addition to AD schema modification, follow the steps below to install oecbpwdcn.dll.

  1. Install the OID Password Change Notification (oecbpwdcn) DLL by copying oecbpwdcn.dll into WINDOWS\system32 on your AD server.
  2. Use regedt32 to change the registry and enable the DLL: open the registry setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages and add "oecbpwdcn" to the end of this list. Example registry entries, including oecbpwdcn, could now include:
    • RASSFM
    • KDCSVC
    • WDIGEST
    • scecli
    • oecbpwdcn
  3. Reboot AD.
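Because every DLL named in Notification Packages is loaded by LSASS and sees each password change, the value deserves the same baseline check as any other sensitive registry setting. The script below is an added example (not part of the Oracle procedure): it applies step 2 as a function, then compares the list against the expected set shown above and reports anything extra or missing. The expected list is the page's example; the function names, the constructed offline sample and the assumption that the script runs on the domain controller itself are this example's own.

```python
"""Audit the LSA Notification Packages list on a domain controller.
Added example, not part of the Oracle procedure. Expected contents are the
example entries listed on the page after oecbpwdcn has been added."""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"

# Baseline from the page: the stock packages plus oecbpwdcn.
EXPECTED_PACKAGES = ["RASSFM", "KDCSVC", "WDIGEST", "scecli", "oecbpwdcn"]


def add_package(packages, name):
    """Step 2 of the install: append the DLL base name once, keeping order.
    Names are compared case-insensitively, as the loader treats them."""
    if any(p.lower() == name.lower() for p in packages):
        return list(packages)
    return list(packages) + [name]


def audit_packages(packages, expected=EXPECTED_PACKAGES):
    """Compare a REG_MULTI_SZ list against the baseline.
    Returns (unexpected, missing); both empty means the DC matches."""
    have = {p.lower() for p in packages}
    want = {p.lower() for p in expected}
    unexpected = [p for p in packages if p.lower() not in want]
    missing = [p for p in expected if p.lower() not in have]
    return unexpected, missing


def read_live_packages():
    """Read the value from the local registry (Windows only; assumes the
    script runs on the DC with rights to read HKLM\\SYSTEM)."""
    import winreg  # standard library on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    if kind != winreg.REG_MULTI_SZ:
        raise TypeError(f"{VALUE_NAME} has unexpected registry type {kind}")
    return list(value)


if __name__ == "__main__":
    if sys.platform == "win32":
        packages = read_live_packages()
    else:
        # Constructed sample for offline runs: a DC where the oecbpwdcn entry
        # was mistyped, so the intended package is missing and a stray one is present.
        packages = ["RASSFM", "KDCSVC", "WDIGEST", "scecli", "oecbowdcn"]
    unexpected, missing = audit_packages(packages)
    print("Notification Packages:", packages)
    print("unexpected:", unexpected or "none")
    print("missing:", missing or "none")
    sys.exit(1 if unexpected or missing else 0)
```

A mistyped entry such as "oecbowdcn" names a DLL that does not exist, so LSASS never loads the Oracle package and the hash capture silently does not happen; the audit surfaces that as one unexpected and one missing entry. Run the same check after the reboot in step 3 and again on a schedule, since any later addition to this list is a change that needs an owner.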

Test your deployment as follows:

  1. Assign a digest realm name to the user's orclDigestRealmAttribute in AD. You can use the script modifyUsersDigestRealmName.vbs to modify this attribute for all users: right-click modifyUsersDigestRealmName.vbs and select "Run with Command Prompt".
  2. Modify the password of any AD user (or reset the password).
  3. Search against AD, look up that AD user, and confirm that orclDigestPwdAttribute contains the generated hash value.

You can use a script named displayUsersDigestRealmPassword.vbs to display the values for all users. To do this, right-click displayUsersDigestRealmPassword.vbs and select "Run with Command Prompt".