Before You Begin
This tutorial provides a step-by-step example of how to create a shared schema, global roles and appropriate mappings for EUS, OUD 12c PS3 and Active Directory.
This tutorial takes approximately 15 minutes to complete.
This is the sixth tutorial in the series Integrating Oracle Unified Directory Proxy Server 12c with Microsoft Active Directory and Oracle Enterprise User Security. Read them sequentially.
- Installing Oracle Unified Directory 12c for Active Directory and EUS Integration
- Configuring OUDSM 12c for EUS
- Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration
- Configuring Active Directory for OUD 12c and EUS Integration
- Configuring Network and Database Connectivity for OUD 12c and EUS
- Configuring Schemas, Roles and Mapping for EUS and OUD 12c
- Testing the EUS, OUD 12c and Active Directory Integration
Background
Oracle EUS enables Oracle Database users to authenticate against identities stored in an LDAP-compliant directory service such as OUD or Active Directory. In this tutorial you complete the schema and role mapping configuration.
What Do You Need?
- To have completed OBE V: Configuring Network and Database Connectivity for OUD 12c and EUS.
Create a Shared Schema
In this section you create a global schema user (a shared schema) in the Oracle Database with permission to connect to and create sessions in the database. This shared schema is what allows LDAP users to authenticate against the Oracle Database.
- Launch a terminal window as oracle on the database server and run the following commands to create a shared schema:
cd $ORACLE_HOME/bin
./sqlplus /nolog
SQL> connect / as sysdba
SQL> CREATE USER global_user IDENTIFIED GLOBALLY;
SQL> exit
Create Database Roles
In this section you create the global database roles global_connect, global_resource, and global_dba, and grant them their associated privileges.
- Launch a terminal window as oracle on the database server and run the following commands to create the global roles global_connect, global_dba, and global_resource:
cd $ORACLE_HOME/bin
./sqlplus /nolog
SQL> connect / as sysdba
SQL> CREATE ROLE global_connect IDENTIFIED GLOBALLY;
SQL> GRANT CONNECT TO global_connect;
SQL> CREATE ROLE global_resource IDENTIFIED GLOBALLY;
SQL> GRANT RESOURCE TO global_resource;
SQL> CREATE ROLE global_dba IDENTIFIED GLOBALLY;
SQL> GRANT DBA TO global_dba;
SQL> exit;
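As an added check that is not part of the original tutorial, the following queries, run as SYSDBA, confirm that the shared schema and the three roles were created with GLOBAL authentication and carry the intended grants. They assume the names used above (global_user, global_connect, global_resource, global_dba) and use only the standard DBA_USERS, DBA_ROLES, DBA_ROLE_PRIVS and DBA_SYS_PRIVS views.

```sql
-- Added verification queries (not part of the tutorial). Run as SYSDBA after
-- creating the shared schema and the global roles; names match the steps above.

-- 1. The shared schema must use GLOBAL authentication: it has no local password
--    and can only be entered through an identity asserted by the directory.
SELECT username, authentication_type, account_status
  FROM dba_users
 WHERE username = 'GLOBAL_USER';

-- 2. Each role must also be GLOBAL, so it can only be activated through an
--    enterprise role mapping, never by a direct GRANT to a database user.
SELECT role, authentication_type
  FROM dba_roles
 WHERE role IN ('GLOBAL_CONNECT', 'GLOBAL_RESOURCE', 'GLOBAL_DBA')
 ORDER BY role;

-- 3. The privileges each global role carries into an enterprise user's session
--    (CONNECT, RESOURCE and DBA respectively, per the GRANT statements above).
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee IN ('GLOBAL_CONNECT', 'GLOBAL_RESOURCE', 'GLOBAL_DBA')
 ORDER BY grantee, granted_role;

-- 4. Least-privilege check on the shared schema itself. The steps above grant it
--    nothing directly; any direct grant here is inherited by every directory
--    user mapped to the schema, regardless of group membership.
SELECT 'ROLE' AS kind, granted_role AS name
  FROM dba_role_privs
 WHERE grantee = 'GLOBAL_USER'
UNION ALL
SELECT 'SYSPRIV' AS kind, privilege AS name
  FROM dba_sys_privs
 WHERE grantee = 'GLOBAL_USER'
 ORDER BY kind, name;
```

Query 1 should return AUTHENTICATION_TYPE GLOBAL, query 2 three GLOBAL roles, and query 4 no rows if only the steps above were run. Because GLOBAL_DBA carries the full DBA role, it is worth keeping the ora_dba directory group it will be mapped to as small as the ou=groups administrators can tolerate.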
Define User and Role Mappings for EUS via Cloud Control
Note: There are two ways to configure user schema and role mappings: via Enterprise Manager Cloud Control, or via the eusm command line tool. This section shows how to configure them via Cloud Control. If you prefer to use the eusm command line tool, skip this section and follow Section 4 instead.
In this section you use Enterprise Manager Cloud Control to map the schema user global_user to users under cn=users,dc=example,dc=com in Active Directory. You also create the Enterprise Roles EUS_CONNECT, EUS_RESOURCE, and EUS_DBA and map them to the groups ora_connect, ora_resource, and ora_dba under ou=groups,dc=example,dc=com in OUD.
- On the database server launch a browser and access Enterprise Manager Cloud Control via http://db.example.com:7802. Login with sysman/Welcome1.
- From the top menu select Targets > Databases. In the Databases screen select the View Search List radio button.
- In the Search results, click the relevant database from the list, e.g. orcl.example.com.
- From the drop down menus select Security > Enterprise User Security.
- In the Oracle Internet Directory Login: Enterprise User Security screen accept the defaults for Host, Port and Realm, which should be picked up from the ldap.ora. Enter the following and click Login:
  - User: cn=eusadmin,cn=OracleContext
  - Password: Welcome1
  Note: If you receive the error "unable to locate the ldap.ora file", or Host, Port and Realm are not displayed, copy the database $ORACLE_HOME/network/admin/ldap.ora to the $CLOUD12c_HOME/oracle_common/network/admin directory (you may need to create the admin directory).
- In the Enterprise User Security page, click Manage Enterprise Domains, and select the domain to configure, e.g. OracleDefaultDomain. Click Configure.
- In the Configure Domain : OracleDefaultDomain screen, click the User-Schema Mappings tab, and click Create.
- On the Create Mapping : New Mapping page, in From click Subtree and the flashlight icon to search. Select users and click Select. This should populate the field with cn=users,dc=example,dc=com. This will associate a global schema to all the users in the given subtree.
- In the To field, enter the name of the global schema global_user. Click Continue.
- In the Configure Domain: OracleDefaultDomain page, click the Enterprise Roles tab, and click Create.
- In the Create Enterprise Role page, enter the Name as EUS_CONNECT.
- In the DB Global Roles tab, click Add.
- In the Database Global Roles page, select the database from the drop down menu, e.g. orcl. Enter User Name: SYS AS SYSDBA and Password: Welcome1. Click Go. The Global Roles will appear in the results.
- Select the GLOBAL_CONNECT role and click Select.
- In the Create Enterprise Role: EUS_CONNECT page, click the Grantees tab and click Add.
- In the Select: Users or Groups page, select GROUP from the View menu, and ou=groups,dc=example,dc=com from the Search Base. Click Go. Choose ora_connect and click Select. Click Continue.
- In the Configure Domain: OracleDefaultDomain page, click the Enterprise Roles tab, and click Create.
- In the Create Enterprise Role page, enter the Name as EUS_RESOURCE.
- In the DB Global Roles tab, click Add.
- In the Database Global Roles page, select the database from the drop down menu, e.g. orcl. Enter User Name: SYS AS SYSDBA and Password: Welcome1. Click Go. The Global Roles will appear in the results.
- Select the GLOBAL_RESOURCE role and click Select.
- In the Create Enterprise Role: EUS_RESOURCE page, click the Grantees tab and click Add.
- In the Select: Users or Groups page, select GROUP from the View menu, and ou=groups,dc=example,dc=com from the Search Base. Click Go. Choose ora_resource and click Select. Click Continue.
- In the Configure Domain: OracleDefaultDomain page, click the Enterprise Roles tab, and click Create.
- In the Create Enterprise Role page, enter the Name as EUS_DBA.
- In the DB Global Roles tab, click Add.
- In the Database Global Roles page, select the database from the drop down menu, e.g. orcl. Enter User Name: SYS AS SYSDBA and Password: Welcome1. Click Go. The Global Roles will appear in the results.
- Select the GLOBAL_DBA role and click Select.
- In the Create Enterprise Role: EUS_DBA page, click the Grantees tab and click Add.
- In the Select: Users or Groups page, select GROUP from the View menu, and ou=groups,dc=example,dc=com from the Search Base. Click Go. Choose ora_dba and click Select. Click Continue.
- Click OK. You should receive the message Configure Domain : OracleDefaultDomain - Successful.
Define User and Role Mappings for EUS via EUSM
Note: Only follow this section if you want to configure user schema and role mappings via the EUSM command line. If you have already followed Section 3, skip this section and move to the next tutorial.
In this section you use the eusm command line tool to map the schema user global_user to users under cn=users,dc=example,dc=com in OUD. You also create the Enterprise Roles EUS_CONNECT, EUS_RESOURCE, and EUS_DBA and map them to the groups ora_connect, ora_resource, and ora_dba under ou=groups,dc=example,dc=com in OUD.
- Launch a terminal window as oracle on the database server and run the following command to map the schema user global_user to users under the subtree cn=users,dc=example,dc=com:
cd $ORACLE_HOME/bin
./eusm createMapping domain_name="OracleDefaultDomain" realm_dn="dc=example,dc=com" \
map_type="SUBTREE" map_dn="cn=users,dc=example,dc=com" schema="global_user" \
ldap_host="oud.example.com" ldap_port=2389 \
ldap_user_dn="cn=eusadmin,cn=oraclecontext" \
ldap_user_password="Welcome1"
- Run the following commands to create the Enterprise Roles EUS_CONNECT, EUS_RESOURCE and EUS_DBA:
./eusm createRole enterprise_role="EUS_CONNECT" domain_name=OracleDefaultDomain \
realm_dn="dc=example,dc=com" ldap_host="oud.example.com" \
ldap_port=2389 ldap_user_dn="cn=eusadmin,cn=oraclecontext" \
ldap_user_password="Welcome1"
./eusm createRole enterprise_role="EUS_RESOURCE" domain_name=OracleDefaultDomain \
realm_dn="dc=example,dc=com" ldap_host="oud.example.com" ldap_port=2389 \
ldap_user_dn="cn=eusadmin,cn=oraclecontext" ldap_user_password="Welcome1"
./eusm createRole enterprise_role="EUS_DBA" domain_name=OracleDefaultDomain \
realm_dn="dc=example,dc=com" ldap_host="oud.example.com" ldap_port=2389 \
ldap_user_dn="cn=eusadmin,cn=oraclecontext" ldap_user_password="Welcome1"
- Run the following commands to create the Enterprise Role Mappings:
./eusm addGlobalRole enterprise_role="EUS_CONNECT" domain_name=OracleDefaultDomain \
realm_dn="dc=example,dc=com" database_name="orcl" global_role="global_connect" \
dbuser="sys as sysdba" dbuser_password="Welcome1" \
dbconnect_string="db.example.com:1521:orcl" ldap_host="oud.example.com" \
ldap_port=2389 ldap_user_dn="cn=eusadmin,cn=oraclecontext" \
ldap_user_password="Welcome1"
./eusm grantRole enterprise_role="EUS_CONNECT" domain_name=OracleDefaultDomain \
realm_dn="dc=example,dc=com" group_dn="cn=ora_connect,ou=groups,dc=example,dc=com" \
ldap_host="oud.example.com" ldap_port=2389 \
ldap_user_dn="cn=eusadmin,cn=oraclecontext" ldap_user_password="Welcome1"
./eusm addGlobalRole enterprise_role="EUS_RESOURCE" domain_name=OracleDefaultDomain \
realm_dn="dc=example,dc=com" database_name="orcl" global_role="global_resource" \
dbuser="sys as sysdba" dbuser_password="Welcome1" \
dbconnect_string="db.example.com:1521:orcl" ldap_host="oud.example.com" \
ldap_port=2389 ldap_user_dn="cn=eusadmin,cn=oraclecontext" ldap_user_password="Welcome1"
./eusm grantRole enterprise_role="EUS_RESOURCE" domain_name=OracleDefaultDomain \
realm_dn="dc=example,dc=com" group_dn="cn=ora_resource,ou=groups,dc=example,dc=com" \
ldap_host="oud.example.com" ldap_port=2389 \
ldap_user_dn="cn=eusadmin,cn=oraclecontext" ldap_user_password="Welcome1"
./eusm addGlobalRole enterprise_role="EUS_DBA" domain_name=OracleDefaultDomain \
realm_dn="dc=example,dc=com" database_name="orcl" global_role="global_dba" \
dbuser="sys as sysdba" dbuser_password="Welcome1" \
dbconnect_string="db.example.com:1521:orcl" \
ldap_host="oud.example.com" ldap_port=2389 \
ldap_user_dn="cn=eusadmin,cn=oraclecontext" \
ldap_user_password="Welcome1"
./eusm grantRole enterprise_role="EUS_DBA" domain_name=OracleDefaultDomain \
realm_dn="dc=example,dc=com" group_dn="cn=ora_dba,ou=groups,dc=example,dc=com" \
ldap_host="oud.example.com" ldap_port=2389 \
ldap_user_dn="cn=eusadmin,cn=oraclecontext" ldap_user_password="Welcome1"
Note: In the addGlobalRole command, the dbuser parameter can be any user that has the CREATE SESSION privilege and the SELECT_CATALOG_ROLE role.
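Whichever route you took, Cloud Control (Section 3) or eusm (Section 4), the mappings can be verified from the database side. The queries below are an added example, not part of the original tutorial; they assume the names used on this page (global_user, the GLOBAL_* roles, the ora_* groups, a directory user under cn=users,dc=example,dc=com) and, for part C, that unified auditing is enabled with a policy that audits LOGON, which this tutorial series does not configure.

```sql
-- Added verification example (not from the tutorial). Parts A and B are run
-- from a session opened by a directory user mapped to the shared schema;
-- part C is run as SYSDBA.

-- A. Identity of the current session. With a working mapping the session user
--    is the shared schema GLOBAL_USER, the identification type is
--    'GLOBAL SHARED', and EXTERNAL_NAME / ENTERPRISE_IDENTITY carry the
--    directory DN of the person who logged in rather than a local account.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS db_schema,
       SYS_CONTEXT('USERENV', 'IDENTIFICATION_TYPE')   AS identification_type,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS authentication_method,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')         AS external_name,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')   AS enterprise_identity
  FROM dual;

-- B. Roles active in this session. These are the global roles reached through
--    the enterprise roles granted to the user's directory groups: a member of
--    ora_connect alone gets GLOBAL_CONNECT (and CONNECT, which it carries) and
--    must not see GLOBAL_DBA. Compare this list with the user's group
--    memberships in OUD when a mapping looks too generous or too narrow.
SELECT role
  FROM session_roles
 ORDER BY role;

-- C. Accountability behind the shared schema (run as SYSDBA). Every mapped
--    directory user appears as GLOBAL_USER in V$SESSION, so the database
--    username alone does not say who acted. The unified audit trail records the
--    directory identity in GLOBAL_USERID for enterprise users; this lists recent
--    logons to the shared schema with that identity so events can be traced to
--    a directory account. Assumes a unified audit policy auditing LOGON is active.
SELECT event_timestamp,
       dbusername,
       global_userid,
       userhost,
       action_name,
       return_code
  FROM unified_audit_trail
 WHERE dbusername  = 'GLOBAL_USER'
   AND action_name = 'LOGON'
 ORDER BY event_timestamp DESC;
```

Part A is the quickest way to tell a shared-schema login from a misconfigured local one: a local login shows IDENTIFICATION_TYPE LOCAL and an empty EXTERNAL_NAME. Part B is what the next tutorial exercises end to end when it tests the integration; part C is the query a DBA or incident responder needs once several people share GLOBAL_USER.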