22 Deploying the Oracle Password Filter for Microsoft Active Directory
This chapter explains how to install and configure the Oracle Password Filter for Microsoft Active Directory.
Topics:
- Overview of the Oracle Password Filter for Microsoft Active Directory
- Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller
- Testing SSL/TLS Communication Between Oracle Back-end directory and Microsoft Active Directory
- Installing and Reconfiguring the Oracle Password Filter for Microsoft Active Directory
- Removing the Oracle Password Filter for Microsoft Active Directory
For help troubleshooting an issue with the Oracle Password Filter for Microsoft Active Directory, see Troubleshooting the Oracle Directory Integration Platform.
Note:
The installation file for the Oracle Password Filter for Microsoft Active Directory is located in ORACLE_HOME/dip/utils/adpwdfilter (UNIX) or ORACLE_HOME\dip\utils\adpwdfilter (Windows).
A 32-bit version and a 64-bit version of the password filter application are provided. The 32-bit version should only be installed on a 32-bit OS, and the 64-bit version should only be installed on a 64-bit OS. For more information, see "Installing the Oracle Password Filter for Microsoft Active Directory".
22.1 Overview of the Oracle Password Filter for Microsoft Active Directory
This section describes the purpose of the Oracle Password Filter for Microsoft Active Directory and how it works.
22.1.1 What is the Oracle Password Filter for Microsoft Active Directory?
Oracle Directory Integration Platform synchronizes entries between the Oracle back-end directory and Microsoft Active Directory, and can retrieve every Microsoft Active Directory attribute except the user password. Applications that do not use Oracle Application Server Single Sign-On, such as Oracle Database Enterprise User Security, can use the Oracle Password Filter for Microsoft Active Directory to capture passwords from Microsoft Active Directory and store them in the Oracle back-end directory.
Note:
Your Oracle back-end directory must support Enterprise User Security.
When users change their passwords from their desktops, the updated password is automatically synchronized with the Oracle back-end directory. More specifically, the Oracle Password Filter for Microsoft Active Directory monitors Microsoft Active Directory for password changes, which it then stores in the Oracle back-end directory. This allows users to be authenticated with their Microsoft Active Directory credentials and authorized to access resources by using information stored in the Oracle back-end directory. Storing Microsoft Active Directory user credentials in the Oracle back-end directory also provides a high availability solution in the event that the Microsoft Active Directory server is down. The Oracle Password Filter is installed on each Microsoft Active Directory server and automatically forwards password changes to the Oracle back-end directory.
Note:
Enterprise User Security can only verify user credentials that are stored in an Oracle Internet Directory or Oracle Unified Directory back-end directory. For this reason, to authenticate Microsoft Active Directory users with Enterprise User Security, you must use the Oracle Password Filter to capture passwords from Microsoft Active Directory into the Oracle Internet Directory or Oracle Unified Directory back-end directory.
The Oracle Directory Server Enterprise Edition back-end directory does not support integration with Enterprise User Security.
The Oracle Password Filter for Microsoft Active Directory does not require the Oracle Directory Integration Platform to synchronize passwords from Microsoft Active Directory to the Oracle back-end directory. The only requirement is that user entries synchronized from Microsoft Active Directory to the Oracle back-end directory must carry the orclObjectGUID attribute value, which identifies the user in both directories. The Oracle Password Filter for Microsoft Active Directory does not enforce password policies, or differences in password policies, between Microsoft Active Directory and the Oracle back-end directory. Instead, the system administrator must ensure that the password policies are consistent in both directories.
Password change requests occur when an account is created, an administrator resets a user's password, or when a user changes his or her own password. In order for the Oracle Password Filter for Microsoft Active Directory to capture Microsoft Active Directory passwords, one of these events must occur. Passwords that were set prior to installing the Oracle Password Filter for Microsoft Active Directory cannot be captured unless a system administrator forces a global password change request to all users.
Note:
- The Oracle Password Filter for Microsoft Active Directory only captures password changes for 32-bit or higher Windows systems that have been integrated with Microsoft Active Directory.
- Ensure that Microsoft Active Directory is enabled to use TLS v1.2 or TLS v1.1. Oracle Internet Directory and Oracle Unified Directory 12c support TLS v1.2 and TLS v1.1 for communication. You can also configure TLS v1.0 or SSLv3 with Oracle Internet Directory and Oracle Unified Directory 12c, but Oracle does not recommend this.
22.1.2 How the Oracle Password Filter for Microsoft Active Directory Works
This section describes how the Oracle Password Filter for Microsoft Active Directory works.
22.1.2.1 Understanding How Clear Text Password Changes are Captured
When a password change request is made, the Local Security Authority (LSA) of the Windows operating system calls the Oracle Password Filter for Microsoft Active Directory package that is registered on the system. When the LSA calls the Oracle Password Filter for Microsoft Active Directory package, it passes to it the user name and the changed password. The Oracle Password Filter for Microsoft Active Directory then performs the synchronization. Because the filter is a password notification DLL loaded by the LSA, it receives the new password in clear text inside the LSA process on the domain controller; only the DLLs the deployment requires should be registered with the LSA.
22.1.2.2 Understanding How Password Changes are Stored when the Oracle Back-end Directory is Unavailable
When the Oracle back-end directory is unavailable, the password change events are archived securely and the encrypted passwords are stored in the Microsoft Active Directory. The Oracle Password Filter for Microsoft Active Directory attempts to synchronize these entries until it reaches the specified maximum number of retries.
Note:
The Password Filter uses Microsoft's proprietary encryption (the Data Protection API). Oracle Directory Integration Platform uses the CryptProtectData function for data encryption and passes CRYPTPROTECT_UI_FORBIDDEN as the flag value. Data protected with CryptProtectData is bound to the user account that called it, and only that account can decrypt it. For the Oracle Password Filter for Microsoft Active Directory, that account is the system account, which has the same identity as the LSA; any process running as the system account on that domain controller is therefore also able to decrypt the queued passwords.
22.1.2.3 About Delay in Password Synchronization Until Microsoft Active Directory Users are Synchronized with Oracle Back-end Directory
The Oracle Password Filter for Microsoft Active Directory is notified immediately when a new user is created in Microsoft Active Directory. However, Oracle Directory Integration Platform will not synchronize entries until the next scheduled synchronization interval. For this reason, passwords for new user entries are stored in encrypted format in Microsoft Active Directory until the next synchronization. The Oracle Password Filter for Microsoft Active Directory then attempts to synchronize these entries until it reaches the specified maximum number of retries.
22.1.2.4 Understanding Password Bootstrapping
Because the original clear text form of a password is not retrievable by the Oracle Password Filter for Microsoft Active Directory, you cannot perform initial bootstrapping to synchronize passwords from Microsoft Active Directory to the Oracle back-end directory. However, you can instruct users to change their passwords or force a password change for all users in Microsoft Active Directory by changing the password expiration policy.
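The forced password change described above can be staged per OU rather than by changing the domain expiration policy. The following PowerShell is an added example and is not part of the Oracle documentation or the product; it assumes the ActiveDirectory module is available on the machine, that the OU and the excluded account names are placeholders for your environment, and that you run it with -WhatIf first. It flags each enabled, expiring account as "must change password at next logon", so the Oracle Password Filter captures the password the next time each user sets it.

```powershell
# Added example (not from the Oracle documentation): force an Active Directory
# password change at next logon for every enabled user under an OU, so that the
# Oracle Password Filter can capture each user's password the next time it is set.
# ASSUMPTIONS: the ActiveDirectory module is available (RSAT or a DC), the OU and
# the exclusion list below are placeholders, and you run this with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',   # placeholder, adjust
    [string[]]$Exclude  = @('krbtgt', 'Administrator')     # never force these
)

Import-Module ActiveDirectory

# Only enabled accounts whose password is allowed to expire; service accounts
# with PasswordNeverExpires are usually handled individually, not in bulk.
$users = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
                    -Properties PasswordNeverExpires, pwdLastSet |
         Where-Object { -not $_.PasswordNeverExpires -and $Exclude -notcontains $_.SamAccountName }

$forced = 0
foreach ($u in $users) {
    # pwdLastSet of 0 already means "must change at next logon"; skip those.
    if ($u.pwdLastSet -eq 0) { continue }
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set ChangePasswordAtLogon')) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        $forced++
    }
}
Write-Output "Forced password change at next logon for $forced of $($users.Count) users under $SearchBase"
```

Install the filter on every writable domain controller before running this: a password set through a domain controller that does not have the filter is not captured, and the user will not be asked again.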
22.1.3 Deploying the Oracle Password Filter for Microsoft Active Directory
The general procedure for installing and configuring the Oracle Password Filter for Microsoft Active Directory is as follows:
- Enable synchronization between the Oracle back-end directory and Microsoft Active Directory by following the instructions described in Integrating with Microsoft Active Directory.
- Configure and test the Oracle back-end directory in SSL server authentication mode by following the instructions in "Understanding How to Configure and Test Oracle Back-end Directory with SSL Server-Side Authentication".
- Import the Oracle back-end directory trusted server certificate into the Microsoft Active Directory domain controller by following the instructions in "Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller".
- Verify that the Oracle back-end directory and Microsoft Active Directory can communicate with SSL server authentication by following the instructions in "Testing SSL/TLS Communication Between Oracle Back-end directory and Microsoft Active Directory".
- Install the Oracle Password Filter for Microsoft Active Directory by following the instructions in "Installing the Oracle Password Filter for Microsoft Active Directory".
- Configure the Oracle Password Filter for Microsoft Active Directory by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory".
22.2 Understanding How to Configure and Test Oracle Back-end Directory with SSL Server-Side Authentication
Use SSL server authentication mode to synchronize password changes between the back-end directory and Microsoft Active Directory.
The Oracle Password Filter sends password changes from Microsoft Active Directory to the back-end directory over the Secure Sockets Layer (SSL) protocol, which provides data encryption and message integrity for a TCP/IP connection. More specifically, to synchronize password changes between the back-end directory and Microsoft Active Directory, you must use SSL server authentication mode, which allows a client to confirm a server's identity.
When combined with digital certificates, SSL also provides both server authentication and client authentication. Server authentication with SSL requires that you install a digital certificate on the server side of the communications link. When an SSL transaction is initiated by a client, the server sends its digital certificate to the client. The client examines the certificate to validate that the server has properly identified itself, including verifying that the certificate was issued by a trusted Certificate Authority (CA).
The subject attribute of the back-end directory server certificate must match the back-end directory server hostname. For example, if the Oracle Internet Directory server hostname is oid.example.com, then the subject attribute of the Oracle Internet Directory server certificate must also be oid.example.com. If the subject attribute of the Oracle Internet Directory server certificate does not match the Oracle Internet Directory server hostname, the Microsoft Active Directory password filter API will not accept the Oracle Internet Directory server certificate as valid, even though the ldapbind -U 2 command succeeds. Oracle Internet Directory configured for server authentication is also referred to as SSL type 2.
In the case of back-end directory and Microsoft Active Directory integration, back-end directory is the server and Microsoft Active Directory is the client. The Oracle Password Filter for Microsoft Active Directory uses SSL to protect the password during transmission between the Microsoft Active Directory domain controller and the back-end directory server.
Note:
The certificate you use with the Oracle Password Filter for Microsoft Active Directory can be generated by any X.509-compliant certificate authority capable of accepting PKCS#10 standard certificate requests and producing certificates compliant with the X.509, Version 3, ISO standard and with RFC 2459.
22.3 Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller
You must use the Microsoft Management Console to import the certificate authority's trusted certificate into the domain controller.
Server-authenticated SSL communication between a Microsoft Active Directory domain controller and the back-end directory will fail if the domain controller does not recognize the back-end directory SSL certificate as valid. In order for a domain controller to accept a back-end directory SSL certificate, you must use the Microsoft Management Console to import the certificate authority's trusted certificate into the domain controller.
To use the Microsoft Management Console to import the certificate authority's trusted certificate into the domain controller:
- Select Run from the Windows Start menu. The Run dialog box displays. In the Run dialog box, type mmc, and then click OK. The Microsoft Management Console window displays.
- Select Add/Remove Snap-in from the File menu. The Add/Remove Snap-in dialog box displays.
- In the Add/Remove Snap-in dialog box, click Add. The Add Standalone Snap-in dialog box displays.
- In the Add Standalone Snap-in dialog box, select Certificates, and then click Add. The Certificates snap-in dialog box displays, prompting you to select an option for which the snap-in will manage certificates.
- In the Certificates snap-in dialog box, select Computer Account, and then click Next. The Select Computer dialog box displays.
- In the Select Computer dialog box, select Local Computer, and then click Finish.
- Click Close in the Add Standalone Snap-in dialog box, and then click OK in the Add/Remove Snap-in dialog box. The new console displays Certificates (Local Computer) in the console tree.
- In the console tree, expand Certificates (Local Computer), and then click Trusted Root Certification Authorities.
- Point to All Tasks on the Action menu, and then select Import. The Welcome page of the Certificate Import Wizard displays. Click Next to display the File to Import page.
- On the File to Import page, enter the path and file name of the certificate authority's trusted root certificate, or click Browse to search for a file, and then click Next. The Certificate Store page displays.
- On the Certificate Store page, select Place all certificates in the following store. If Trusted Root Certification Authorities is not already selected as the certificate store, click Browse and select it. Click Next. The Completing the Certificate Import page displays.
- On the Completing the Certificate Import page, click Finish. A dialog box displays indicating that the import was successful. Click OK.
- Click Save from the File menu. The Save As dialog box displays. Enter a name for the new console, and then click Save.
- Close Microsoft Management Console.
Note:
For help on importing a trusted certificate with Microsoft Management Console, refer to your Windows product documentation or visit Microsoft Help and Support at http://support.microsoft.com.
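When the filter is rolled out to many domain controllers, the MMC procedure above is usually scripted. The following PowerShell is an added example, not part of the Oracle documentation; it assumes the PKI module (Windows Server 2012 or later), that the path is a placeholder for the root CA certificate that issued the back-end directory's server certificate, and that intermediate CA certificates, if any, belong in the CA store rather than Root. It refuses anything that is not a self-signed CA certificate, because everything placed in Trusted Root Certification Authorities is trusted for every purpose on the domain controller, not only for the password filter.

```powershell
# Added example (not from the Oracle documentation): scripted equivalent of the
# MMC import above, for running on each domain controller.
# ASSUMPTIONS: $CaCertPath is a placeholder for the DER or Base64 root CA
# certificate that issued the back-end directory's server certificate; the PKI
# module is present (Windows Server 2012 or later).
param([string]$CaCertPath = 'C:\certs\oid-root-ca.cer')   # placeholder path

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertPath)

# Refuse to put anything that is not a self-signed CA certificate into the
# Trusted Root store: everything in that store is trusted for every purpose
# on this domain controller, not only for the password filter.
$isCa = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        ForEach-Object { $_.CertificateAuthority }
if (-not $isCa -or $cert.Subject -ne $cert.Issuer) {
    throw "$CaCertPath is not a self-signed CA certificate; import intermediates into Cert:\LocalMachine\CA instead"
}

$existing = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
if ($existing) {
    Write-Output "Already trusted: $($cert.Subject) ($($cert.Thumbprint))"
} else {
    Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Output "Imported into LocalMachine\Root: $($cert.Subject) ($($cert.Thumbprint))"
}

# Report expiry so a root that is about to lapse is noticed before the filter
# silently stops synchronizing passwords.
Write-Output ("Valid until {0:u}; {1} days remaining" -f $cert.NotAfter, [int]($cert.NotAfter - (Get-Date)).TotalDays)
```

Run it in an elevated session; writes to the LocalMachine store require administrator rights.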
22.4 Testing SSL/TLS Communication Between Oracle Back-end directory and Microsoft Active Directory
The Oracle Password Filter for Microsoft Active Directory installs a command named ldapbindssl on the domain controller that you can use to test SSL or TLS communication between the back-end directory and Microsoft Active Directory.
Note:
The ldapbindssl binary is included in the Oracle Password Filter for Microsoft Active Directory installation. You cannot execute the ldapbindssl command without first installing the Oracle Password Filter for Microsoft Active Directory.
The syntax for ldapbindssl is as follows:
ldapbindssl -h oid_hostname -p ssl_port -D binddn -w password
To test SSL connectivity from Microsoft Active Directory to back-end directory:
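Because ldapbindssl is only available after the filter is installed, and because a successful bind does not by itself prove that the certificate name matches the host name (see the note on the subject attribute above), a check of the TLS handshake itself is useful. The following PowerShell is an added example, not part of the Oracle documentation or of ldapbindssl; it assumes .NET Framework 4.5 or later on the domain controller and uses placeholder host name and port. It completes a TLS 1.2 handshake to the back-end directory's SSL port, validates the chain against the domain controller's own trusted roots, and reports whether the certificate name matches the host name, which is exactly what the password filter will require.

```powershell
# Added example (not from the Oracle documentation): an independent TLS check
# from the domain controller to the back-end directory's SSL port, run before
# or alongside ldapbindssl. It verifies what the password filter will care
# about: the handshake completes with TLS 1.2, the chain validates against the
# machine's trusted roots, and the certificate name matches the host name.
# ASSUMPTIONS: host name and port are placeholders; .NET Framework 4.5+.
param(
    [string]$DirectoryHost = 'oid.example.com',   # must be the name in the cert, not an IP
    [int]$SslPort          = 3131                  # placeholder OID/OUD SSL port
)

$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
# Capture the validation verdict instead of aborting, so the report below can
# say exactly why the filter would reject the server.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($DirectoryHost, $SslPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($DirectoryHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $true)   # $true = check revocation

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    Write-Output "Protocol      : $($ssl.SslProtocol) / $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
    Write-Output "Subject       : $($cert.Subject)"
    Write-Output "Issuer        : $($cert.Issuer)"
    Write-Output "Name in cert  : $dnsName"
    Write-Output "Valid         : $($cert.NotBefore) to $($cert.NotAfter)"

    # SslPolicyErrors is a flags enum: RemoteCertificateNameMismatch is the
    # subject/hostname problem described above; RemoteCertificateChainErrors
    # means the CA certificate was not imported into LocalMachine\Root.
    if ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
        Write-Output "Validation    : OK - trusted chain and name matches $DirectoryHost"
    } else {
        Write-Output "Validation    : FAILED - $script:policyErrors"
        exit 1
    }
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

Run it as the same account the filter will use, that is, an elevated session on the domain controller, so that the trusted root store it consults is the machine store that the MMC procedure populated. A handshake that only succeeds at TLS 1.0 or SSLv3 points at the back-end directory's protocol configuration, which the note earlier in this chapter advises against.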
22.5 Installing and Reconfiguring the Oracle Password Filter for Microsoft Active Directory
This section describes how to install and reconfigure the Oracle Password Filter for Microsoft Active Directory.
Topics:
22.5.1 Prerequisites to Install or Reconfigure the Oracle Password Filter for Microsoft Active Directory
Before you install or reconfigure the Oracle Password Filter for Microsoft Active Directory, be sure to collect the necessary configuration parameters for Microsoft Active Directory and for back-end directories. Table 22-1 lists the configuration parameters you will need for Microsoft Active Directory and Table 22-2 lists the configuration parameters you will need for back-end directories.
Table 22-1 Oracle Password Filter Configuration Parameters for Microsoft Active Directory
Parameter | Description
---|---
Domain | The Microsoft Active Directory domain for this domain controller. This value is typically the DNS domain name, in the form mycompany.com.
Base DN | The container in the Microsoft Active Directory DIT where the Oracle Password Filter searches for entries with changed passwords. If password propagation fails, the DN of the entry whose password failed is stored in an organizationalUnit entry within this container, so the container must be able to hold organizationalUnit objects. This value is typically in the form dc=mycompany,dc=com.
Port | The Microsoft Active Directory LDAP port (usually 389).
Host | The IP address (NOT the host name) of the Microsoft Active Directory domain controller.
Microsoft Active Directory User | A user name with read privileges on the entire Microsoft Active Directory DIT and privileges to create an organizational unit and subtree entries under the Microsoft Active Directory base DN. Enter a user name, not the DN of an administrative user. This value is usually in the form administrator@ad_domain.name.
Microsoft Active Directory User Password | The specified Microsoft Active Directory user's password.
Log File Path | A directory where log files will be written, such as E:\ADPasswordFilter\Log.
Table 22-2 Oracle Password Filter Configuration Parameters for Oracle Back-end Directory
Parameter | Description
---|---
Base DN | The container in the back-end directory DIT where the Oracle Password Filter searches for entries synchronized from Microsoft Active Directory. For example: o=Microsoft Active Directory,c=us.
Host | The host name where the back-end directory LDAP processes are running. For Oracle Unified Directory and Oracle Internet Directory installations running in a high availability configuration, use the virtual host name of the load balancer. For more information, see the section "Oracle Directory Integration Platform High Availability" in the Oracle Fusion Middleware High Availability Guide.
SSL Port | The back-end directory port that is configured for SSL server authentication.
Non-SSL Port | The back-end directory port for unencrypted communication.
User | The distinguished name of a back-end directory user with permissions to update user passwords in the base DN. For example: cn=orcladmin (Oracle Internet Directory) or cn=Directory Manager (Oracle Unified Directory or Oracle Directory Server Enterprise Edition).
User Password | The specified back-end directory user's password.
22.5.2 Installing the Oracle Password Filter for Microsoft Active Directory
This section describes how to install the Oracle Password Filter for Microsoft Active Directory on a domain controller.
Note:
The Microsoft Active Directory and back-end directory configuration parameters listed in the following procedure are described in Table 22-1 and Table 22-2.
To install the Oracle Password Filter for Microsoft Active Directory on a domain controller:
1. Do the following:
   For 32-bit systems:
   - Locate the setup.exe file in the ORACLE_HOME\dip\utils\adpwdfilter directory in the distribution package.
   - Navigate to the directory where you extracted the installation files and double-click setup.exe. The Welcome page of the Oracle Password Filter for Microsoft Active Directory installation program displays, informing you that the program will install the Oracle Password Filter for Microsoft Active Directory.
   For 64-bit systems:
   - Locate the setup.exe file in the ORACLE_HOME\dip\utils\adpwdfilter\64bit directory in the distribution package.
   - Navigate to the directory where you extracted the installation files and double-click setup.exe. The Welcome page of the Oracle Password Filter for Microsoft Active Directory installation program displays, informing you that the program will install the Oracle Password Filter for Microsoft Active Directory.
   Note:
   setup.exe is a 32-bit Windows binary, even in the 64-bit package.
2. On the Welcome page, click Next. The Installation Requirements page is displayed, notifying you that SSL must be enabled between the back-end directory and Microsoft Active Directory and that installing the Oracle Password Filter for Microsoft Active Directory requires restarting your computer at the end of the installation process.
3. On the Installation Requirements screen, click Next. The Installation Options screen is displayed.
4. Select Typical (Recommended) or Advanced. If you select the Advanced option, you can specify attributes for the back-end directory and Microsoft Active Directory later in the installation process (Step 10). Click Next. The Installation Location screen is displayed, prompting you for the folder where you want to install the Oracle Password Filter for Microsoft Active Directory.
5. Accept the default installation directory or enter a different directory. You can also select Browse to locate a different directory. Click Next after selecting an installation directory. The Active Directory Configuration Parameters screen is displayed.
6. Enter values for the following parameters:
   - Domain: The Microsoft Active Directory domain for this domain controller. This value is typically the DNS domain name, in the form mycompany.com.
   - Base DN: The container in the Microsoft Active Directory DIT where the Oracle Password Filter searches for entries with changed passwords. If password propagation fails, the DN of the entry whose password failed is stored in an organizationalUnit entry within the specified container. For this reason, the specified container must be able to hold organizationalUnit objects. This value is typically in the form dc=mycompany,dc=com.
   - Port: The Microsoft Active Directory LDAP port (usually 389).
   - Host: The IP address (NOT the host name) of the Microsoft Active Directory domain controller.
   Click Next. The Microsoft Active Directory Domain Controller Information screen is displayed.
7. Enter values for the following parameters:
   - User: A user name with read privileges on the entire Microsoft Active Directory DIT and privileges to create an organizational unit and subtree entries under the Microsoft Active Directory base DN. Enter a user name, not the DN of an administrative user. This value is usually in the form administrator@ad_domain.name.
   - User Password: The Microsoft Active Directory user's password.
   - Log File Path: Accept the default location where the log files will be written or select Browse to locate a different directory.
   Click Next to continue. The Oracle Backend Directory Configuration Parameters page is displayed.
8. Enter values for the following parameters:
   - Base DN: The container in the back-end directory DIT where the Oracle Password Filter searches for entries synchronized from Microsoft Active Directory. For example: o=Microsoft Active Directory,c=us.
   - Host: The host name where the back-end directory LDAP processes are running. For back-end directory installations running in a high availability configuration, use the virtual host name of the load balancer.
   - SSL Port: The SSL port number for the back-end directory.
   - Non-SSL Port: The back-end directory port number for unencrypted communication.
   - User: The distinguished name of a back-end directory user with permissions to update user passwords in the base DN. For example: cn=orcladmin (Oracle Internet Directory) or cn=Directory Manager (Oracle Unified Directory or Oracle Directory Server Enterprise Edition).
   - User Password: The back-end directory user's password.
   Note:
   If you have configured both import and export synchronization between the back-end directory and Microsoft Active Directory, enter for the User and User Password parameters the same bind DN and password that are specified in the synchronization profile that imports values from Microsoft Active Directory into the back-end directory. This is necessary to prevent password updates from looping between the back-end directory and Microsoft Active Directory.
   Click Next. The Configuration Parameter Information screen is displayed.
9. Enter values for the following parameters:
   - SleepTime: The number of minutes between attempts to synchronize password changes between the back-end directory and Microsoft Active Directory.
   - ConfigSleepTime: The number of minutes between attempts to synchronize configuration changes between the back-end directory and Microsoft Active Directory.
   - ExcludeListDN: A fully qualified DN under which the list of users whose passwords should not be synchronized is kept. The DLL can leave certain entries out of password synchronization. To do so, you add the users in the remote LDAP server under a given subtree. ExcludeListDN must be configured with the same value on all Microsoft Active Directory servers where the Oracle Password Filter is installed. Once the DLL starts, the cn=ExcludeList entry is created under the entry configured in ExcludeListDN. Add an entry for each excluded user as follows:
     dn: cn=user2@fr.example.com,cn=ExcludeList,<ExcludeListDN>
     cn: user2@fr.example.com
     objectClass: orclcontainer
     objectClass: top
     In the above example, user2 is the value of samAccountName and fr.example.com is the ADDomain attribute in the Windows registry. Once the above entry is added, the password for user2 will not be synchronized.
   - Maximum Retries: The maximum number of attempts to synchronize a password.
10. Click Next to continue. If you chose Advanced on the Installation Options page, the Specify Attributes page is displayed. Perform the following steps for advanced installations:
   - On the Specify Attributes page, enter values in the Source Attribute (Microsoft Active Directory) and Target Attribute (Oracle back-end directory) boxes for any attributes that you want to synchronize between the two directories. Also, select true or false from the Binary Attribute Type box to specify whether the source attribute type is binary.
   - Click Next to continue.
   The Summary page is displayed and lists the path where the Oracle Password Filter for Microsoft Active Directory will be installed.
11. Click Next to install the Oracle Password Filter.
12. When prompted whether or not to upload schema extensions to the Oracle back-end directory, select Yes if the back-end directory is Oracle Internet Directory. For Oracle Unified Directory and Oracle Directory Server Enterprise Edition, select No. The Restart page is displayed.
13. Click Next to restart the computer.
14. Do the following:
   For 32-bit systems:
   - After the computer restarts, log in as an administrator. The remaining configuration tasks for the Oracle Password Filter execute automatically after you log in.
   For 64-bit systems:
   - After the computer restarts, log in as an administrator.
   - Locate the following two DLL files in C:\WINDOWS\syswow64 and copy them to C:\WINDOWS\system32: oraidmpwf10.dll and orclmessages.dll.
   - Restart the Active Directory server.
The Oracle Password Filter for Microsoft Active Directory is now installed.
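The ExcludeList entries described under ExcludeListDN in the installation procedure are usually added in bulk rather than one LDIF at a time. The following PowerShell is an added example, not part of the Oracle documentation or the product; it assumes the back-end directory is Oracle Internet Directory (the entries use the orclcontainer object class, as in the documented LDIF), that host, port, bind DN, ExcludeListDN and the user names are placeholders, and that the ADDomain value you pass equals the one the filter reads from the registry on every domain controller. It binds over LDAPS so the directory password never crosses the network in clear, and treats an already-existing entry as success so the script can be re-run.

```powershell
# Added example (not from the Oracle documentation): add ExcludeList entries for
# several users over LDAPS, using the entry layout shown in step 9 above.
# ASSUMPTIONS: the back-end directory is Oracle Internet Directory (entries use
# the orclcontainer object class, as in the documented LDIF); host, port, bind DN,
# ExcludeListDN and the sample account names are placeholders; $ADDomain must
# equal the ADDomain value the filter reads from the registry on every DC.
param(
    [string]$DirectoryHost = 'oid.example.com',
    [int]$SslPort          = 3131,
    [string]$BindDn        = 'cn=orcladmin',
    [string]$ExcludeListDn = 'cn=pwdfilter,o=Microsoft Active Directory,c=us',  # placeholder
    [string]$ADDomain      = 'fr.example.com',
    [string[]]$SamAccountNames = @('svc-backup', 'user2')                       # constructed sample
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Escape the characters RFC 4514 reserves in a DN attribute value. '@' needs no
# escaping, but a sAMAccountName may legitimately contain ',' or '+'.
function ConvertTo-DnValue([string]$v) {
    $v = $v -replace '([\\,+"<>;=])', '\$1'
    if ($v -match '^[ #]') { $v = '\' + $v }
    if ($v -match ' $')    { $v = $v.Substring(0, $v.Length - 1) + '\ ' }
    return $v
}

$cred = Get-Credential -UserName $BindDn -Message 'Back-end directory bind password'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DirectoryHost, $SslPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
            $id, $cred.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true    # simple bind, so never without TLS
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()

foreach ($sam in $SamAccountNames) {
    $cn = "$sam@$ADDomain"
    $dn = "cn=$(ConvertTo-DnValue $cn),cn=ExcludeList,$ExcludeListDn"
    $req = New-Object System.DirectoryServices.Protocols.AddRequest($dn, @(
        (New-Object System.DirectoryServices.Protocols.DirectoryAttribute('cn', $cn)),
        (New-Object System.DirectoryServices.Protocols.DirectoryAttribute('objectClass', @('top', 'orclcontainer')))
    ))
    try {
        $null = $conn.SendRequest($req)
        Write-Output "Excluded from password sync: $dn"
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # EntryAlreadyExists is harmless on a re-run; anything else is a real failure.
        if ($_.Exception.Response.ResultCode -eq [System.DirectoryServices.Protocols.ResultCode]::EntryAlreadyExists) {
            Write-Output "Already excluded: $dn"
        } else { throw }
    }
}
$conn.Dispose()
```

The cn=ExcludeList container is created by the filter DLL itself once it starts, so run this only after the filter has been installed and the domain controller restarted; adding the child entries before the container exists fails with a no-such-object result.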
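After the final restart, the DLL copy step for 64-bit systems and the LSA registration described in "Understanding How Clear Text Password Changes are Captured" can both be checked from the domain controller. The following PowerShell is an added example, not part of the Oracle documentation or the product. It assumes the filter registers itself under its module name oraidmpwf10 (the DLL named in the procedure above, without extension, which is how Windows lists LSA notification packages), and that the baseline of expected packages is specific to your environment. Because every DLL in the LSA "Notification Packages" value is loaded into lsass.exe and handed each new clear-text password, the same list is also what an attacker would add to, so the check reports anything outside the baseline.

```powershell
# Added example (not from the Oracle documentation): post-install check on a
# domain controller. Windows loads every DLL listed in the LSA "Notification
# Packages" value into lsass.exe and hands it each new clear-text password, so
# this list is both where the filter must appear and a list worth auditing.
# ASSUMPTIONS: the filter registers under its module name (oraidmpwf10, the DLL
# named in the procedure above, without extension, which is how Windows lists
# notification packages); the baseline of known packages is an assumption for
# this environment and must be adjusted before use.
param(
    [string[]]$ExpectedDlls  = @('oraidmpwf10.dll', 'orclmessages.dll'),
    [string[]]$KnownPackages = @('scecli', 'rassfm', 'oraidmpwf10')   # assumed baseline
)

$system32 = Join-Path $env:SystemRoot 'System32'
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ok = $true

# 1. The DLLs must be in System32 (the 64-bit procedure copies them from SysWOW64).
foreach ($dll in $ExpectedDlls) {
    $path = Join-Path $system32 $dll
    if (-not (Test-Path $path)) { Write-Warning "Missing: $path"; $ok = $false; continue }
    $sig  = Get-AuthenticodeSignature $path
    $hash = (Get-FileHash $path -Algorithm SHA256).Hash
    Write-Output ("{0,-20} signature={1,-12} sha256={2}" -f $dll, $sig.Status, $hash)
}

# 2. The filter must be registered, and nothing unexpected may be.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
foreach ($p in $packages) {
    if ($KnownPackages -notcontains $p) {
        Write-Warning "Unexpected LSA notification package '$p' receives clear-text passwords; investigate"
        $ok = $false
    }
}
if ($packages -notcontains 'oraidmpwf10') { Write-Warning 'oraidmpwf10 is not registered with the LSA'; $ok = $false }

# 3. A change to the package list only takes effect when lsass restarts, i.e. after reboot.
if ($ok) { Write-Output 'Password filter present and LSA package list matches baseline' } else { exit 1 }
```

Record the SHA-256 values it prints on a known-good domain controller and compare them on the others; a differing hash for oraidmpwf10.dll on one domain controller is worth investigating before that controller is allowed to keep receiving password changes.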
22.5.3 Reconfiguring the Oracle Password Filter for Microsoft Active Directory
In most cases, you should not need to reconfigure the Oracle Password Filter following the installation process. However, you can reconfigure the Oracle Password Filter for Microsoft Active Directory by running the Oracle Password Filter for Microsoft Active Directory installation program.
Note:
The Microsoft Active Directory and back-end directory configuration parameters listed in the following procedure are described in Table 22-1 and Table 22-2.
To reconfigure the Oracle Password Filter for Microsoft Active Directory: