Testing the EUS and OUD 12c Integration

Before You Begin

This tutorial provides a step-by-step example of how to test the integration of Oracle Unified Directory (OUD) 12c PS3 with Oracle Enterprise User Security (EUS). This tutorial takes approximately 15 minutes to complete.

This is the sixth and final tutorial in the series Integrating Oracle Unified Directory 12c with Oracle Enterprise User Security. Read them sequentially.

Background

This tutorial demonstrates the different access levels granted to users based on their OUD group membership. It also shows that no per-user accounts need to be created in the database: OUD users are mapped to a single shared schema when they connect, and their privileges come from the enterprise roles tied to their OUD groups. The users defined in OUD and their group memberships are as follows:

UserID    Groups                      Password
user.0    [no group]                  Welcome1
user.1    ora_connect, ora_resource   Welcome1
user.2    ora_connect, ora_dba        Welcome1

What Do You Need?


Testing the TNS Alias

In this section you test that the TNS alias myorcl is resolved successfully through OUD. The line to look for in the output is "Used LDAP adapter to resolve the alias". A successful ping proves only that the alias resolved and the listener answered; it says nothing about EUS authentication, which the remaining sections test.

  1. Launch a terminal window as oracle on the database server and run the following commands:
    cd $ORACLE_HOME/bin
    ./tnsping myorcl
    If successful, you should see output like the following:
    TNS Ping Utility for Linux: Version 12.1.0.2.0 - Production on 27-OCT-2017 05:53:48 
    Copyright (c) 1997, 2014, Oracle.  All rights reserved.
    
    Used parameter files: 
    /u01/app/oracle/product/12.1.0/db_1/network/admin/sqlnet.ora 
    
    Used LDAP adapter to resolve the alias 
    Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.com)
    (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.example.com))) 
    OK (0 msec)


Testing Database Access with No Privileges

In this section user.0 will try to connect to the database.

  1. Launch a terminal window as oracle on the database server and run the following commands:
    cd $ORACLE_HOME/bin
    ./sqlplus user.0/Welcome1@myorcl
    Although user.0 is a valid OUD user and the password is correct, user.0 belongs to none of the mapped groups. No enterprise role, and therefore no CREATE SESSION privilege, reaches the session, so the logon is denied. Note that the error names GLOBAL_USER, the shared schema that OUD users are mapped to, rather than user.0:
    ERROR:
    ORA-01045: user GLOBAL_USER lacks CREATE SESSION privilege; logon denied

Testing Database Access With DBA Privileges

In this section user.2 will try to connect to the database.

  1. Launch a terminal window as oracle on the database server and run the following commands:
    cd $ORACLE_HOME/bin
    ./sqlplus user.2/Welcome1@myorcl
    As user.2 belongs to the ora_connect group in OUD, the user can connect to the database. This is possible because the enterprise role EUS_CONNECT was granted to this group and linked to the global role GLOBAL_CONNECT, which gives users the privilege to create a session with the database.
  2. Run the following SQL statements:
    SQL> select * from session_roles;

    ROLE
    --------------------------------------------------------------------------------
    ..
    JAVA_ADMIN
    JAVA_DEPLOY
    OLAP_XS_ADMIN
    XS_RESOURCE
    OLAP_DBA

    27 rows selected.

    SQL> create view role_view AS select * from session_roles;

    View created.
    user.2 can run all the commands successfully because the user also belongs to the ora_dba group in OUD. This group has been granted the enterprise role EUS_DBA, which is linked to the global role GLOBAL_DBA and so gives users DBA privileges. Note that the view role_view is created in the shared schema, so it is visible to every OUD user mapped to that schema; drop it before repeating this section.
  3. Run the following SQL statements:
    SQL> select sys_context('USERENV','AUTHENTICATED_IDENTITY') from dual;
    SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY')
    --------------------------------------------------------------------------------
    USER.2
    SQL> select sys_context('USERENV','ENTERPRISE_IDENTITY') from dual;
    SYS_CONTEXT('USERENV','ENTERPRISE_IDENTITY')
    --------------------------------------------------------------------------------
    uid=user.2,ou=People,dc=example,dc=com
    AUTHENTICATED_IDENTITY is the name the user logged in with; ENTERPRISE_IDENTITY is the user's DN in OUD. Because all of these users share one database schema, the enterprise identity is the value that identifies the individual person, for example in audit records.


Testing Database Access With Controlled Privileges

In this section user.1 will try to connect to the database.

  1. Launch a terminal window as oracle on the database server and run the following commands:
    cd $ORACLE_HOME/bin
    ./sqlplus user.1/Welcome1@myorcl
    As user.1 belongs to the ora_connect group in OUD, the user can connect to the database.
  2. Run the following SQL statements:
    SQL> select * from session_roles;

    ROLE
    --------------------------------------------------------------------------------
    GLOBAL_CONNECT
    CONNECT
    GLOBAL_RESOURCE
    RESOURCE

    SQL> create view role_view AS select * from session_roles;
    create view role_view AS select * from session_roles
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    The query succeeds, but the CREATE VIEW fails. user.1 also belongs to the ora_resource group in OUD. This group has been granted the enterprise role EUS_RESOURCE, which is linked to the global role GLOBAL_RESOURCE and, as the output shows, carries the RESOURCE role. That is enough to connect and query, but CREATE VIEW is not among the system privileges the RESOURCE role grants, so creating the view is refused with ORA-01031. Do not read RESOURCE as a read-only role, though: it does include privileges such as CREATE TABLE, so the restriction shown here is specific to views.
  3. Run the following SQL statements:
    SQL> select sys_context('USERENV','AUTHENTICATED_IDENTITY') from dual;
    SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY')
    --------------------------------------------------------------------------------
    USER.1
    SQL> select sys_context('USERENV','ENTERPRISE_IDENTITY') from dual;
    SYS_CONTEXT('USERENV','ENTERPRISE_IDENTITY')
    --------------------------------------------------------------------------------
    uid=user.1,ou=People,dc=example,dc=com
    As with user.2, the authenticated identity is the login name and the enterprise identity is the OUD DN; only the latter distinguishes user.1 from user.2 inside the shared schema.
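The checks in the four sections above are worth re-running whenever the OUD group mappings or the enterprise roles change. The script below is an added example and is not part of Oracle's tutorial: it drives sqlplus for each of the three users, classifies the result as denied, limited or full, and compares that with what the Background table predicts. It assumes sqlplus under $ORACLE_HOME/bin, the alias myorcl, the three OUD users and their Welcome1 password. The embedded transcripts are constructed, abridged from the output shown above, and their SESSION_USER lines are an assumption about what the probe prints (the shared schema name GLOBAL_USER, which the ORA-01045 message also reports). The function names and the view name eus_probe_view are the example's own.

```shell
#!/usr/bin/env bash
# Added regression harness for the EUS/OUD access tests in this tutorial (not Oracle's code).
# Assumes sqlplus under $ORACLE_HOME/bin, a TNS alias (default myorcl) that resolves through
# OUD, and user.0/user.1/user.2 in OUD with the groups and password from the Background table.
set -u

SQLPLUS="${ORACLE_HOME:-/u01/app/oracle/product/12.1.0/db_1}/bin/sqlplus"
TNS_ALIAS="${TNS_ALIAS:-myorcl}"

# SQL run in every session. Identity lines are prefixed so they can be parsed; the
# create/drop pair probes for an object-creation privilege without leaving a view
# behind in the shared schema.
PROBE_SQL=$(cat <<'EOSQL'
set heading off feedback on pagesize 0 linesize 200
select 'SESSION_USER='||sys_context('USERENV','SESSION_USER') from dual;
select 'ENTERPRISE_IDENTITY='||sys_context('USERENV','ENTERPRISE_IDENTITY') from dual;
select 'ROLE='||role from session_roles order by role;
create view eus_probe_view as select * from session_roles;
drop view eus_probe_view;
exit
EOSQL
)

# run_eus_probe USER PASSWORD: print the sqlplus transcript for one OUD user.
# CONNECT is sent on stdin so the password never appears in ps output; -S drops the
# banner and -L stops sqlplus re-prompting after a failed logon.
run_eus_probe() {
  local user=$1 pass=$2
  {
    printf 'connect %s/%s@%s\n' "$user" "$pass" "$TNS_ALIAS"
    printf '%s\n' "$PROBE_SQL"
  } | "$SQLPLUS" -S -L /nolog 2>&1
}

# classify_eus_output: read a transcript on stdin and print one of
# denied (logon refused), limited (connected, CREATE VIEW got ORA-01031),
# full (connected, no errors) or unknown (anything else: a failed test, never a pass).
classify_eus_output() {
  local out
  out=$(cat)
  if printf '%s\n' "$out" | grep -Eq 'ORA-01045|ORA-01017'; then
    echo denied
  elif printf '%s\n' "$out" | grep -q 'ORA-01031'; then
    echo limited
  elif printf '%s\n' "$out" | grep -q '^ROLE=' && ! printf '%s\n' "$out" | grep -q 'ORA-'; then
    echo full
  else
    echo unknown
  fi
}

# eus_identity: extract the OUD DN from a transcript on stdin. Every OUD user lands in
# the same shared schema, so this value, not USER or SESSION_USER, tells users apart.
eus_identity() {
  sed -n 's/^ENTERPRISE_IDENTITY=//p'
}

# expected_outcome USER: what the Background table predicts for each tutorial user.
expected_outcome() {
  case $1 in
    user.0) echo denied ;;   # no group, so no enterprise role and no CREATE SESSION
    user.1) echo limited ;;  # ora_connect + ora_resource: RESOURCE has no CREATE VIEW
    user.2) echo full ;;     # ora_connect + ora_dba: DBA through GLOBAL_DBA
    *)      echo unknown ;;
  esac
}

# run_all: probe the three users against the live database; non-zero exit on any mismatch.
run_all() {
  local rc=0 u want got
  for u in user.0 user.1 user.2; do
    want=$(expected_outcome "$u")
    got=$(run_eus_probe "$u" Welcome1 | classify_eus_output)
    printf '%-7s expected=%-8s got=%s\n' "$u" "$want" "$got"
    [ "$got" = "$want" ] || rc=1
  done
  return $rc
}

# Constructed transcripts, abridged from the tutorial's own output, so the classifier can
# be exercised offline. The SESSION_USER lines are an assumption about the probe's output.
SAMPLE_USER0='ERROR:
ORA-01045: user GLOBAL_USER lacks CREATE SESSION privilege; logon denied'
SAMPLE_USER1='SESSION_USER=GLOBAL_USER
ENTERPRISE_IDENTITY=uid=user.1,ou=People,dc=example,dc=com
ROLE=CONNECT
ROLE=GLOBAL_CONNECT
ROLE=GLOBAL_RESOURCE
ROLE=RESOURCE
ERROR at line 1:
ORA-01031: insufficient privileges'
SAMPLE_USER2='SESSION_USER=GLOBAL_USER
ENTERPRISE_IDENTITY=uid=user.2,ou=People,dc=example,dc=com
ROLE=DBA
ROLE=GLOBAL_DBA
View created.
View dropped.'

if [ "${1:-}" = "--live" ]; then run_all; exit $?; fi
```

Run it with --live as oracle on the database server; a non-zero exit means at least one user got more or less access than the group table says it should. Anything the classifier cannot recognise (for example a TNS resolution error) is reported as unknown and counts as a failure, never as a pass.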


Want to Learn More?