Before You Begin
This tutorial provides a step-by-step example of how to create an Oracle Unified Directory (OUD) 12c PS3 Proxy Server for use with Microsoft Active Directory and Oracle Enterprise User Security (EUS) integration. This tutorial takes approximately 15 minutes to complete.
This is the third tutorial in the series Integrating Oracle Unified Directory Proxy Server 12c with Microsoft Active Directory and Oracle Enterprise User Security. Read them sequentially.
- Installing Oracle Unified Directory 12c for Active Directory and EUS Integration
- Configuring OUDSM 12c for EUS
- Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration
- Configuring Active Directory for OUD 12c and EUS Integration
- Configuring Network and Database Connectivity for OUD 12c and EUS
- Configuring Schemas, Roles and Mapping for EUS and OUD 12c
- Testing the EUS, OUD 12c and Active Directory Integration
Background
Oracle EUS enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service such as OUD or Active Directory. In this tutorial you configure OUD as a Proxy Server for use with Microsoft Active Directory and Enterprise User Security.
What Do You Need?
- To have completed OBE II: Configuring OUDSM 12c for EUS
Create an OUD Proxy Server for EUS
- Launch a terminal window as oracle and enter the following commands:

cd /u01/app/oracle/product/oud/oud
echo Welcome1 >pwd.txt
./oud-proxy-setup --cli \
--instancePath /u01/app/oracle/config/oud_instances/oud_proxy \
--adminConnectorPort 5444 --httpAdminConnectorPort disabled \
--rootUserDN 'cn=Directory Manager' \
--rootUserPasswordFile pwd.txt --ldapPort 2389 --enableStartTLS \
--ldapsPort 2636 --generateSelfSignedCertificate \
--eusContext dc=example,dc=com

If successful you should see the following output:

......
[07/Nov/2017:16:41:16 +0000] category=CORE severity=NOTICE msgID=458887 msg=The Directory Server has started successfully
[07/Nov/2017:16:41:16 +0000] category=CORE severity=NOTICE msgID=458891 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID 458887):
The Directory Server has started successfully
Create LDAP Server Extensions
In this section you create LDAP Server Extensions, Workflow Elements, Workflows, and Network Groups in the Proxy Server.
- Launch a terminal window as oracle and enter the following commands to create the LDAP extension proxy1:

cd /u01/app/oracle/config/oud_instances/oud_proxy/bin
echo Welcome1 >pwd.txt
./dsconfig create-extension --type ldap-server --extension-name proxy1 \
--set enabled:true --set remote-ldap-server-address:ad.example.com \
--set remote-ldap-server-port:389 --set remote-ldap-server-ssl-port:636 \
--set remote-ldap-server-ssl-policy:always --set ssl-trust-all:true \
--hostname oud.example.com --port 5444 --bindDN 'cn=Directory Manager' \
--bindPasswordFile pwd.txt --trustAll --no-prompt

- Enter the following commands to create the workflow elements proxy-we1 and eus-we1:

./dsconfig create-workflow-element --set enabled:true \
--set client-cred-mode:use-specific-identity \
--set remote-ldap-server-bind-dn:cn=eusadmin,cn=Users,dc=example,dc=com \
--set remote-ldap-server-bind-password:Welcome1 \
--set remote-root-dn:cn=eusadmin,cn=Users,dc=example,dc=com \
--set remote-root-password:Welcome1 \
--set ldap-server-extension:proxy1 --type proxy-ldap \
--element-name proxy-we1 --hostname oud.example.com --port 5444 \
--bindDN 'cn=Directory Manager' --bindPasswordFile pwd.txt \
--trustAll --no-prompt

Note: the user cn=eusadmin,cn=Users,dc=example,dc=com will be created in Active Directory in the next tutorial. No administrator privileges are required for this account.

./dsconfig create-workflow-element --type eus --element-name eus-we1 \
--set eus-realm:dc=example,dc=com --set server-type:ad --set enabled:true \
--set next-workflow-element:proxy-we1 --hostname oud.example.com --port 5444 \
--portProtocol LDAP --bindDN 'cn=Directory Manager' \
--bindPasswordFile pwd.txt --trustAll --no-prompt
- Enter the following command to create the workflow workflow1:

./dsconfig create-workflow --set base-dn:dc=example,dc=com --set enabled:true \
--set workflow-element:eus-we1 --type generic --workflow-name workflow1 \
--hostname oud.example.com --port 5444 --bindDN 'cn=Directory Manager' \
--bindPasswordFile pwd.txt --trustAll --no-prompt
- Enter the following command to add both workflows to the network group:

./dsconfig set-network-group-prop --group-name network-group \
--add workflow:workflow1 --add workflow:oraclecontextworkflow1 \
--hostname oud.example.com --port 5444 --bindDN 'cn=Directory Manager' \
--bindPasswordFile pwd.txt --trustAll --no-prompt
- Enter the following command to create the network group QoS policy, which discards referrals returned by the remote server:

./dsconfig create-network-group-qos-policy --group-name network-group \
--type referral --set referral-policy:discard --hostname oud.example.com \
--port 5444 --bindDN 'cn=Directory Manager' \
--bindPasswordFile pwd.txt --trustAll --no-prompt
- Enter the following command to create the necessary access control. The global ACI grants anonymous read, search and compare access to the cn=oraclecontext subtree while withholding the userpassword, authpassword and aci attributes; the ACI value must stay on one line inside the single quotes:

./dsconfig set-access-control-handler-prop \
--add 'global-aci:(target="ldap:///cn=oraclecontext,dc=example,dc=com")(targetattr!="userpassword||authpassword||aci")(version 3.0; acl "Anonymous read access to subtree";allow (read,search,compare) userdn="ldap:///anyone";)' \
--hostname oud.example.com --port 5444 \
--bindDN 'cn=Directory Manager' --bindPasswordFile pwd.txt \
--trustAll --no-prompt
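The proxy setup, extension, workflow element, workflow and network group steps above all share the same connection arguments and the same pwd.txt, so they can be driven from one script. The following is an added example, not code from the Oracle tutorial: it keeps the tutorial's paths, hosts, ports, DNs and property values, but writes the Directory Manager password to a 0600 temporary file that is removed on exit instead of a pwd.txt created under the login umask, and it prints the commands rather than running them unless DRY_RUN=0. The OUD_PASSWORD and AD_BIND_PASSWORD environment variables and the RUN_OUD_PROXY_SETUP guard are this script's own assumptions, not part of the tutorial.

```shell
#!/bin/sh
# Added example (not part of the Oracle tutorial): runs the proxy setup and
# dsconfig steps above with the Directory Manager password held in a 0600
# temporary file that is removed on exit, instead of a pwd.txt created under the
# login umask. Paths, hosts, ports, DNs and property values are the tutorial's.
# Assumed, not from the tutorial: OUD_PASSWORD and AD_BIND_PASSWORD environment
# variables, and DRY_RUN=1 (default), which prints commands instead of running them.

OUD_HOME=${OUD_HOME:-/u01/app/oracle/product/oud/oud}
INSTANCE=${INSTANCE:-/u01/app/oracle/config/oud_instances/oud_proxy}
OUD_HOST=${OUD_HOST:-oud.example.com}
ADMIN_PORT=${ADMIN_PORT:-5444}
PWD_FILE=${PWD_FILE:-pwd.txt}
DRY_RUN=${DRY_RUN:-1}

# Write the password file with mode 0600. "echo Welcome1 >pwd.txt" inherits the
# login umask (commonly 022) and leaves the root DN password readable by every
# local account on the OUD server.
write_pwd_file() {
    ( umask 077 && printf '%s\n' "$2" > "$1" ) || return 1
    chmod 600 "$1"
}

# Print the command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Connection arguments shared by every dsconfig call. --trustAll is kept
# because the tutorial generates a self-signed certificate; once a CA-signed
# certificate is installed, replace it with --trustStorePath.
oud_dsconfig() {
    run "$INSTANCE/bin/dsconfig" "$@" \
        --hostname "$OUD_HOST" --port "$ADMIN_PORT" \
        --bindDN 'cn=Directory Manager' --bindPasswordFile "$PWD_FILE" \
        --trustAll --no-prompt
}

create_proxy_instance() {
    run "$OUD_HOME/oud-proxy-setup" --cli --instancePath "$INSTANCE" \
        --adminConnectorPort "$ADMIN_PORT" --httpAdminConnectorPort disabled \
        --rootUserDN 'cn=Directory Manager' --rootUserPasswordFile "$PWD_FILE" \
        --ldapPort 2389 --enableStartTLS --ldapsPort 2636 \
        --generateSelfSignedCertificate --eusContext dc=example,dc=com
}

# ssl-trust-all:true makes the proxy accept any certificate from ad.example.com
# (as in the tutorial); set it to false once the AD CA certificate is trusted
# by this extension.
create_ldap_extension() {
    oud_dsconfig create-extension --type ldap-server --extension-name proxy1 \
        --set enabled:true --set remote-ldap-server-address:ad.example.com \
        --set remote-ldap-server-port:389 --set remote-ldap-server-ssl-port:636 \
        --set remote-ldap-server-ssl-policy:always --set ssl-trust-all:true
}

# The AD bind password is a dsconfig property, so it has to go on the command
# line; taking it from AD_BIND_PASSWORD at least keeps it out of the script.
create_workflow_elements() {
    : "${AD_BIND_PASSWORD:?AD_BIND_PASSWORD must be set}"
    oud_dsconfig create-workflow-element --type proxy-ldap --element-name proxy-we1 \
        --set enabled:true --set client-cred-mode:use-specific-identity \
        --set remote-ldap-server-bind-dn:cn=eusadmin,cn=Users,dc=example,dc=com \
        --set "remote-ldap-server-bind-password:$AD_BIND_PASSWORD" \
        --set remote-root-dn:cn=eusadmin,cn=Users,dc=example,dc=com \
        --set "remote-root-password:$AD_BIND_PASSWORD" \
        --set ldap-server-extension:proxy1
    oud_dsconfig create-workflow-element --type eus --element-name eus-we1 \
        --set eus-realm:dc=example,dc=com --set server-type:ad --set enabled:true \
        --set next-workflow-element:proxy-we1
}

create_workflow() {
    oud_dsconfig create-workflow --type generic --workflow-name workflow1 \
        --set base-dn:dc=example,dc=com --set enabled:true \
        --set workflow-element:eus-we1
    oud_dsconfig set-network-group-prop --group-name network-group \
        --add workflow:workflow1 --add workflow:oraclecontextworkflow1
}

main() {
    : "${OUD_PASSWORD:?OUD_PASSWORD must be set}"
    PWD_FILE=$(mktemp "${TMPDIR:-/tmp}/oudpw.XXXXXX") || return 1
    trap 'rm -f "$PWD_FILE"' EXIT INT TERM
    write_pwd_file "$PWD_FILE" "$OUD_PASSWORD" || return 1
    create_proxy_instance && create_ldap_extension &&
        create_workflow_elements && create_workflow
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${RUN_OUD_PROXY_SETUP:-0}" = 1 ]; then main; fi
```

Run it as `OUD_PASSWORD=... AD_BIND_PASSWORD=... DRY_RUN=0 RUN_OUD_PROXY_SETUP=1 sh oud-proxy-eus.sh` on the OUD server as oracle; with the default DRY_RUN=1 it only prints the dsconfig invocations for review. The QoS policy and global ACI steps follow the same oud_dsconfig pattern and were left out to keep the script short.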
Configure a Password Policy For EUS Administrator
In this section you create a new password policy for EUS Administrators.
- Launch a terminal window as oracle on the OUD server and run the following command to create the EUSAdmins password policy:

cd /u01/app/oracle/config/oud_instances/oud_proxy/bin
./dsconfig create-password-policy --policy-name EUSAdmins \
--set password-attribute:userpassword \
--set default-password-storage-scheme:AES \
--set default-password-storage-scheme:Salted\ SHA-512 \
--type generic \
--hostname oud.example.com \
--port 5444 \
--bindDN "cn=Directory Manager" \
--bindPasswordFile pwd.txt \
--trustAll \
--no-prompt
Customize the Oracle Context for EUS
In this section you customize the Oracle Context for EUS within the OUD Proxy Server and create an EUS Administration user cn=eusadmin,cn=oraclecontext.
- Download the eusrealm.ldif file and copy it to /stage. The eusrealm.ldif file customizes the Oracle Context for EUS. It also creates the EUS Administration user cn=eusadmin,cn=oraclecontext and assigns the EUSAdmins password policy created above to it.
- Launch a terminal window as oracle on the OUD server and run the following command to load the eusrealm.ldif file, where password is the password you used previously:

cd /u01/app/oracle/config/oud_instances/oud_proxy/bin
./ldapmodify -h oud.example.com -p 2389 -D "cn=Directory Manager" \
-w password -c -f /stage/eusrealm.ldif

If successful you should see the following:

Processing ADD request for cn=eusadmin,cn=OracleContext
ADD operation successful for DN cn=eusadmin,cn=OracleContext
Processing MODIFY request for cn=Common,cn=Products,cn=OracleContext
MODIFY operation successful for DN cn=Common,cn=Products,cn=OracleContext
... etc. ...
MODIFY operation successful for DN cn=OracleNetAdmins,cn=OracleContext,dc=example,dc=com
Processing MODIFY request for cn=OracleDBCreators,cn=OracleContext,dc=example,dc=com
MODIFY operation successful for DN cn=OracleDBCreators,cn=OracleContext,dc=example,dc=com
Next Tutorial
Configuring Active Directory for OUD 12c and EUS Integration