Oracle by Example: Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration

Before You Begin

This tutorial provides a step-by-step example of how to create an Oracle Unified Directory (OUD) 12c PS3 Proxy Server for use with Microsoft Active Directory and Oracle Enterprise User Security (EUS) integration. This tutorial takes approximately 15 minutes to complete.

This is the third tutorial in the series Integrating Oracle Unified Directory Proxy Server 12c with Microsoft Active Directory and Oracle Enterprise User Security. Read them sequentially.

Background

Oracle EUS enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service such as OUD or Active Directory. In this tutorial you configure OUD as a Proxy Server for use with Microsoft Active Directory and Enterprise User Security.

What Do You Need?


Section 1: Create an OUD Proxy Server for EUS

  1. Launch a terminal window as oracle and enter the following commands:
    cd /u01/app/oracle/product/oud/oud
    echo Welcome1 >pwd.txt
    ./oud-proxy-setup --cli \
    --instancePath /u01/app/oracle/config/oud_instances/oud_proxy \
    --adminConnectorPort 5444 --httpAdminConnectorPort disabled \
    --rootUserDN 'cn=Directory Manager' \
    --rootUserPasswordFile pwd.txt --ldapPort 2389 --enableStartTLS \
    --ldapsPort 2636 --generateSelfSignedCertificate \
    --eusContext dc=example,dc=com
    If successful, you should see output ending with the following:
    ......
    [07/Nov/2017:16:41:16 +0000] category=CORE severity=NOTICE msgID=458887 msg=The Directory Server has started successfully
    [07/Nov/2017:16:41:16 +0000] category=CORE severity=NOTICE msgID=458891 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID 458887):
    The Directory Server has started successfully

Section 2: Create LDAP Server Extensions

In this section you create LDAP Server Extensions, Workflow Elements, Workflows, and Network Groups in the Proxy Server.

  1. Launch a terminal window as oracle and enter the following commands to create the LDAP server extension proxy1:
    cd /u01/app/oracle/config/oud_instances/oud_proxy/bin
    echo Welcome1 >pwd.txt
    ./dsconfig create-extension --type ldap-server --extension-name proxy1 \
    --set enabled:true --set remote-ldap-server-address:ad.example.com \
    --set remote-ldap-server-port:389 --set remote-ldap-server-ssl-port:636 \
    --set remote-ldap-server-ssl-policy:always --set ssl-trust-all:true \
    --hostname oud.example.com --port 5444 --bindDN 'cn=Directory Manager' \
    --bindPasswordFile pwd.txt --trustAll --no-prompt
  2. Enter the following commands to create the workflow elements proxy-we1 and eus-we1:
    ./dsconfig create-workflow-element --set enabled:true \
    --set client-cred-mode:use-specific-identity \
    --set remote-ldap-server-bind-dn:cn=eusadmin,cn=Users,dc=example,dc=com \
    --set remote-ldap-server-bind-password:Welcome1 \
    --set remote-root-dn:cn=eusadmin,cn=Users,dc=example,dc=com \
    --set remote-root-password:Welcome1 \
    --set ldap-server-extension:proxy1 --type proxy-ldap \
    --element-name proxy-we1 --hostname oud.example.com --port 5444 \
    --bindDN 'cn=Directory Manager' --bindPasswordFile pwd.txt \
    --trustAll --no-prompt

    Note: The user cn=eusadmin,cn=Users,dc=example,dc=com will be created in Active Directory in the next tutorial. No administrator privileges are required for this account.

    ./dsconfig create-workflow-element --type eus --element-name eus-we1 \
    --set eus-realm:dc=example,dc=com --set server-type:ad --set enabled:true \
    --set next-workflow-element:proxy-we1 --hostname oud.example.com --port 5444 \
    --portProtocol LDAP --bindDN 'cn=Directory Manager' \
    --bindPasswordFile pwd.txt --trustAll --no-prompt

  3. Enter the following command to create the workflow workflow1:
    ./dsconfig create-workflow --set base-dn:dc=example,dc=com --set enabled:true \
    --set workflow-element:eus-we1 --type generic --workflow-name workflow1 \
    --hostname oud.example.com --port 5444 --bindDN 'cn=Directory Manager' \
    --bindPasswordFile pwd.txt --trustAll --no-prompt
  4. Enter the following command to add both workflows to the network group:
    ./dsconfig set-network-group-prop --group-name network-group \
    --add workflow:workflow1 --add workflow:oraclecontextworkflow1 \
    --hostname oud.example.com --port 5444 --bindDN 'cn=Directory Manager' \
    --bindPasswordFile pwd.txt --trustAll --no-prompt
  5. Enter the following command to create the network group QoS policy (referrals returned by Active Directory are discarded):
    ./dsconfig create-network-group-qos-policy --group-name network-group \
    --type referral --set referral-policy:discard --hostname oud.example.com \
    --port 5444 --bindDN 'cn=Directory Manager' \
    --bindPasswordFile pwd.txt --trustAll --no-prompt
  6. Enter the following command to create the necessary access control. The global ACI grants anonymous read, search and compare access to the cn=OracleContext subtree while excluding the userpassword, authpassword and aci attributes. The ACI value must be passed as one unbroken single-quoted argument:
    ./dsconfig set-access-control-handler-prop \
    --add 'global-aci:(target="ldap:///cn=oraclecontext,dc=example,dc=com")(targetattr!="userpassword||authpassword||aci")(version 3.0; acl "Anonymous read access to subtree";allow (read,search,compare) userdn="ldap:///anyone";)' \
    --hostname oud.example.com --port 5444 \
    --bindDN 'cn=Directory Manager' --bindPasswordFile pwd.txt \
    --trustAll --no-prompt
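As an added check that is not part of the tutorial, the following Python parses a single-rule global ACI such as the one in step 6 and reports whether an anonymous grant is wider than the tutorial's: a target outside cn=OracleContext, password or aci attributes left readable, or rights beyond read/search/compare. It assumes the single-rule (target)(targetattr)(version 3.0; acl ...; allow (...) userdn=...;) shape shown above and does not evaluate other bind-rule keywords.

```python
import re

# The global ACI from step 6 of this tutorial, joined onto one line.
ORACLE_CONTEXT_ACI = (
    '(target="ldap:///cn=oraclecontext,dc=example,dc=com")'
    '(targetattr!="userpassword||authpassword||aci")'
    '(version 3.0; acl "Anonymous read access to subtree";'
    'allow (read,search,compare) userdn="ldap:///anyone";)'
)

# Attributes that must never be readable by anonymous binds.
SENSITIVE_ATTRS = {"userpassword", "authpassword", "aci"}
READ_ONLY_RIGHTS = {"read", "search", "compare"}


def parse_aci(aci):
    """Extract target, targetattr filter, rights and bind rule from a single-rule OUD ACI."""
    target = re.search(r'\(target="ldap:///([^"]*)"\)', aci)
    targetattr = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', aci)
    rule = re.search(r'(allow|deny)\s*\(([^)]*)\)\s*userdn="ldap:///([^"]*)"', aci)
    if not (target and targetattr and rule):
        raise ValueError("unrecognised ACI syntax")
    return {
        "target": target.group(1).lower(),
        "excluding": targetattr.group(1) == "!=",  # '!=' lists attrs the rule does NOT cover
        "attrs": {a.strip().lower() for a in targetattr.group(2).split("||")},
        "effect": rule.group(1),
        "rights": {r.strip().lower() for r in rule.group(2).split(",")},
        "bind": rule.group(3).lower(),
    }


def anonymous_grant_problems(aci):
    """Findings for an ACI granting rights to userdn=anyone; empty means as narrow as the tutorial's."""
    p = parse_aci(aci)
    if p["effect"] != "allow" or p["bind"] != "anyone":
        return []  # not an anonymous grant, nothing to check here
    problems = []
    if not p["target"].startswith("cn=oraclecontext,"):
        problems.append("anonymous grant is not scoped to the cn=OracleContext subtree")
    if p["excluding"]:
        missing = SENSITIVE_ATTRS - p["attrs"]
        if missing:
            problems.append("exclusion list does not cover: " + ", ".join(sorted(missing)))
    else:
        leaked = SENSITIVE_ATTRS if "*" in p["attrs"] else SENSITIVE_ATTRS & p["attrs"]
        if leaked:
            problems.append("sensitive attributes granted: " + ", ".join(sorted(leaked)))
    extra = p["rights"] - READ_ONLY_RIGHTS
    if extra:
        problems.append("rights beyond read/search/compare: " + ", ".join(sorted(extra)))
    return problems
```

Run it against the global-aci values you intend to add before step 6, or against those already present in the access control handler's configuration.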


Section 3: Configure a Password Policy for the EUS Administrator

In this section you create a new password policy for EUS Administrators.

  1. Launch a terminal window as oracle on the OUD server and run the following commands to create the EUSAdmins password policy:
    cd /u01/app/oracle/config/oud_instances/oud_proxy/bin
    ./dsconfig create-password-policy --policy-name EUSAdmins \
    --set password-attribute:userpassword \
    --set default-password-storage-scheme:AES \
    --set default-password-storage-scheme:Salted\ SHA-512 \
    --type generic \
    --hostName oud.example.com \
    --port 5444 \
    --bindDN "cn=Directory Manager" \
    --bindPasswordFile pwd.txt \
    --trustAll \
    --no-prompt

Section 4: Customize the Oracle Context for EUS

In this section you customize the Oracle Context for EUS within the OUD Proxy Server and create an EUS Administration user cn=eusadmin,cn=oraclecontext.

  1. Download the eusrealm.ldif file and copy it to /stage. The eusrealm.ldif file customizes the Oracle Context for EUS. It also creates the EUS Administration user cn=eusadmin,cn=oraclecontext and assigns the EUSAdmins password policy created above to it.
  2. Launch a terminal window as oracle on the OUD server and run the following commands to load the eusrealm.ldif file:
    cd /u01/app/oracle/config/oud_instances/oud_proxy/bin
    ./ldapmodify -h oud.example.com -p 2389 -D "cn=Directory Manager" \
    -w password -c -f /stage/eusrealm.ldif
    where password is the password you used previously.

    If successful you should see the following:

    Processing ADD request for cn=eusadmin,cn=OracleContext
    ADD operation successful for DN cn=eusadmin,cn=OracleContext
    Processing MODIFY request for cn=Common,cn=Products,cn=OracleContext
    MODIFY operation successful for DN cn=Common,cn=Products,cn=OracleContext
    ... etc. ...
    MODIFY operation successful for DN cn=OracleNetAdmins,cn=OracleContext,dc=example,dc=com
    Processing MODIFY request for cn=OracleDBCreators,cn=OracleContext,dc=example,dc=com
    MODIFY operation successful for DN cn=OracleDBCreators,cn=OracleContext,dc=example,dc=com



Next Tutorial

Configuring Active Directory for OUD 12c and EUS Integration