Before You Begin
This tutorial provides a step-by-step example of how to configure Microsoft Active Directory for OUD 12c and Oracle Enterprise User Security (EUS) integration. This tutorial takes approximately 15 minutes to complete.
This is the fourth tutorial in the series Integrating Oracle Unified Directory Proxy Server 12c with Microsoft Active Directory and Oracle Enterprise User Security. Read them sequentially.
- Installing Oracle Unified Directory 12c for Active Directory and EUS Integration
- Configuring OUDSM 12c for EUS
- Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration
- Configuring Active Directory for OUD 12c and EUS Integration
- Configuring Network and Database Connectivity for OUD 12c and EUS
- Configuring Schemas, Roles and Mapping for EUS and OUD 12c
- Testing the EUS, OUD 12c and Active Directory Integration
Background
Oracle EUS enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service such as OUD or Active Directory. In this tutorial you configure Microsoft Active Directory.
What Do You Need?
- To have completed OBE III: Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration
Extend Microsoft Active Directory with EUS Schema
In this section you extend Microsoft Active Directory with the EUS schema ExtendAd.
- Launch a terminal window on the OUD server as oracle and enter the following command:

cd /u01/app/oracle/product/oud/oud/config/EUS/ActiveDirectory
java ExtendAD -h ad.example.com -p 389 -D cn=administrator,cn=users,dc=example,dc=com -w Welcome1 -AD dc=example,dc=com -commonattr

If successful you should see the following:

Processing adOrclAttribute.ldif........
--- Adding cn=orclcommonattribute,cn=schema,cn=configuration,dc=example,dc=com
Finished processing adOrclAttribute.ldif........
AD Schema is refreshed.
Processing adUserObjClass.ldif........
... Modifying cn=user,cn=schema,cn=configuration,dc=example,dc=com
Finished processing adUserObjClass.ldif........
AD Schema is refreshed.
Configure the OUD Password Change Notification Plugin in Microsoft Active Directory
In this section you copy the oidpwdcn.dll file to the Microsoft Active Directory's system32 directory and update the registry to point at this file. This file is the OUD Password Change Notification plug-in which is used to acquire password changes for Active Directory users, and to generate and store password verifiers.
- Using a secure ftp client or similar, transfer the /u01/app/oracle/product/middleware/oud/oud/config/EUS/ActiveDirectory/win64/oidpwdcn.dll file to the C:\Windows\System32 directory on the Microsoft Active Directory server.
- On the Microsoft Active Directory machine load the registry editor (regedt32). Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and double click Notification Packages. Add oidpwdcn to the bottom of the list and click OK.
- Restart the Windows 2012 R2 Server for the changes to take effect.
Create Sample Users and Groups in Microsoft Active Directory
In this section you create a number of sample users and groups under cn=users,dc=example,dc=com and ou=groups,dc=example,dc=com. First you create an OUD administration user cn=eusadmin,cn=Users,dc=example,dc=com. Then you create a number of users and groups, and assign the users to the groups as follows. These users will be used to log in to the database with EUS in a later tutorial:
| UserID | Groups | Password |
|---|---|---|
| user.0 | [no group] | Welcome1 |
| user.1 | ora_connect, ora_resource | Welcome1 |
| user.2 | ora_connect, ora_dba | Welcome1 |
- On the Microsoft Active Directory server, load Server Manager and select Tools > Active Directory Users and Computers.
- In Active Directory Users and Computers, in the left hand navigation menu, expand example.com and right click on Users. Select New > User.
- In the New Object - User window enter eusadmin in the First name and User logon name fields. Click Next.
- In the Password and Confirm Password fields enter Welcome1. Deselect User must change password at next logon. Click Next and then Finish.
- Repeat steps 2-5 and create the users user.0, user.1 and user.2.
- In the left hand navigation menu, right click on Groups. Select New > Group.
- In the New Object - Group window enter ora_connect in the Group Name field. Ensure Group Scope: Global and Group Type: Security are selected. Click OK.
- Repeat steps 6-7 and create the groups ora_resource and ora_dba.
- Under Group, double click ora_connect. In the Members tab, click Add. In the Enter the object names to select field, enter user.1 and click Check Names. Select user.1 (user1@example.com) and click OK. Repeat and add user.2 to the group. Click OK.
- Under Group, double click ora_resource. In the Members tab, click Add. In the Enter the object names to select field, enter user.1 and click Check Names. Select user.1 (user1@example.com) and click OK twice.
- Under Group, double click ora_dba. In the Members tab, click Add. In the Enter the object names to select field, enter user.2 and click Check Names. Select user.2 (user2@example.com) and click OK twice.
Check the OUD Password Change Notification Plugin Works
In this section you check that the OUD Password Change Notification plug-in (oidpwdcn.dll) configured earlier is working correctly.
- Launch a terminal window as oracle on the OUD server and run the following command to verify that the orclCommonAttribute attribute for user.0 contains the generated password hash value:

cd /u01/app/oracle/product/oud/oud/bin
./ldapsearch -h ad.example.com -p 389 -D "cn=Administrator,cn=users,dc=example,dc=com" -w Welcome1 -b "cn=user.0,cn=users,dc=example,dc=com" objectclass=* orclCommonAttribute

If successful you should see the following:

dn: CN=user.0,CN=Users,DC=example,DC=com
orclCommonAttribute: {SSHA}Am7cD0T0P1Sg6J0om3XtpZJ3BIrUHpRejojTofFZ

- Repeat the above command replacing user.0 with user.1, user.2 and eusadmin. Notice that the hash value returned differs for each user.
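The manual check above can be scripted so that the same verification runs for every EUS user at once. The script below is an added example and not part of the Oracle tutorial; it assumes the same host, port, bind DN and ldapsearch path used in the command above, and the sample LDIF in the comments and test is constructed to mirror the output shown. It checks that each user has an orclCommonAttribute value, that the value carries the {SSHA} prefix, and that no two users share the same verifier (which would indicate the plug-in is not generating a fresh salted hash per password change).

```shell
#!/bin/sh
# Added example (not from the Oracle tutorial): verify that the OUD Password
# Change Notification plug-in has populated a distinct {SSHA} verifier in
# orclCommonAttribute for each EUS user in Active Directory.

OUD_BIN=/u01/app/oracle/product/oud/oud/bin      # ldapsearch location from the tutorial
AD_HOST=ad.example.com
AD_PORT=389
BIND_DN="cn=Administrator,cn=users,dc=example,dc=com"
BIND_PW="Welcome1"                                # tutorial password; read from a protected file in real use

# extract_verifier: read LDIF on stdin and print the first orclCommonAttribute
# value, e.g. "{SSHA}Am7cD0T0P1Sg6J0om3XtpZJ3BIrUHpRejojTofFZ" (empty if absent)
extract_verifier() {
    sed -n 's/^orclCommonAttribute: //p' | head -n 1
}

# fetch_verifier USER: query AD for cn=USER and print its verifier
fetch_verifier() {
    "$OUD_BIN/ldapsearch" -h "$AD_HOST" -p "$AD_PORT" -D "$BIND_DN" -w "$BIND_PW" \
        -b "cn=$1,cn=users,dc=example,dc=com" 'objectclass=*' orclCommonAttribute \
        | extract_verifier
}

# check_verifiers: read "user verifier" lines on stdin; return 0 only when every
# user has an {SSHA} verifier and all verifiers are distinct, otherwise report
# each problem and return 1
check_verifiers() {
    status=0
    seen=""
    while read -r user verifier; do
        case "$verifier" in
            "{SSHA}"*) ;;
            "")
                echo "FAIL: $user has no orclCommonAttribute (plug-in inactive, or no password change since it was installed)"
                status=1
                continue ;;
            *)
                echo "FAIL: $user verifier does not use the {SSHA} scheme: $verifier"
                status=1
                continue ;;
        esac
        case "$seen" in
            *"|$verifier|"*)
                echo "FAIL: $user shares its verifier with another user"
                status=1 ;;
            *)
                echo "OK:   $user $verifier"
                seen="$seen|$verifier|" ;;
        esac
    done
    return $status
}

# main: gather the verifiers of the tutorial's users and validate them
main() {
    for u in user.0 user.1 user.2 eusadmin; do
        printf '%s %s\n' "$u" "$(fetch_verifier "$u")"
    done | check_verifiers
}

# Run the live check only when invoked as: sh check_verifiers.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

A non-zero exit from the script is the signal to revisit the earlier section: either oidpwdcn was not added to Notification Packages, the server was not restarted, or the user's password has not been set since the plug-in was installed (the verifier is only generated when LSA notifies the plug-in of a password change).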
Configure OUD Truststore for Active Directory Certificates
In this section you export the Trusted Root CA Certificate for the Active Directory certificate and import it into the OUD Proxy server truststore. This is required so OUD Proxy Server can establish an SSL connection to Active Directory successfully.
- On the Active Directory server, launch a command prompt as Administrator, and run the following command to export the Root CA certificate to the file msadca.crt:

certutil -ca.cert msadca.crt

- Using a secure ftp client or similar, copy the msadca.crt file over to the /stage directory of the OUD server.
- On the OUD server, launch a terminal window as oracle and run the following command to import the root CA certificate from the Active Directory Server. Enter yes when asked "Trust this certificate".

cd /u01/app/oracle/config/oud_instances/oud_proxy/config
keytool -import -alias msad-rootca -trustcacerts -file /stage/msadca.crt -keystore keystore -storepass `cat keystore.pin` -v
Next Tutorial
Configuring Network and Database Connectivity for OUD 12c and EUS