Before You Begin

This tutorial provides a step-by-step example of how to test the integration of Oracle Unified Directory (OUD) 12c PS3, Microsoft Active Directory, Oracle Enterprise User Security (EUS) and Kerberos Authentication. This tutorial takes approximately 15 minutes to complete.

This is the seventh and final tutorial in the series Integrating Oracle Unified Directory 12c with Microsoft Active Directory, Oracle Enterprise User Security and Kerberos. Read them sequentially.

• Installing Oracle Unified Directory 12c for Active Directory and EUS Integration
• Configuring OUDSM 12c for EUS
• Configuring an OUD 12c Proxy Server for Active Directory and EUS Integration
• Configuring Active Directory and Database with Kerberos for OUD 12c and EUS Integration
• Configuring Network and Database Connectivity for OUD 12c and EUS
• Configuring Schemas, Roles and Mapping for EUS and OUD 12c
• Testing the EUS, OUD 12c, Active Directory and Kerberos Integration

Background

This tutorial will demonstrate the different access levels or permissions granted to users based on their Microsoft Active Directory group membership. It will show that no users need to be created in the database because Active Directory users are mapped to a shared schema while accessing the database. A summary of the users and their group memberships defined in Active Directory are as follows:

What Do You Need?

• To have completed OBE VI: Configuring Schemas, Roles and Mapping for EUS and OUD 12c

Testing the TNS Alias

In this section you test that the TNS Alias myorcl is resolved successfully via OUD.

1. Launch a terminal window as oracle on the database server and run the following commands:
   

   cd $ORACLE_HOME/bin
   ./tnsping myorcl

   If successful you should see the following:
   

   TNS Ping Utility for Linux: Version 12.1.0.2.0 - Production on 10-NOV-2017 11:50:38 
   Copyright (c) 1997, 2014, Oracle.  All rights reserved. 
   
   Used parameter files: 
   /u01/app/oracle/product/12.1.0/db_1/network/admin/sqlnet.ora 
   
   Used LDAP adapter to resolve the alias 
   Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.example.com)))
   OK (0 msec) 

Testing Database Access with No Privileges

In this section user.0 will try to connect to the database.

1. Launch a terminal window as oracle on the database server and run the following commands to request a Kerberos ticket for user.0. When prompted enter Welcome1 as the password:
   

   cd $ORACLE_HOME/bin
   okinit user.0

2. Run the following commands to test a database connection:
   

   ./sqlplus /@myorcl

   Although user.0 is a valid user within Active Directory, user.0 does not have a valid group membership and as a result, is prevented from accessing the database:
   

   ERROR:
   ORA-01045: user GLOBAL_USER lacks CREATE SESSION privilege; logon denied

3. Exit sqlplus and run the following command to destroy the Kerberos ticket:
   

   okdstry

Testing Database Access With DBA Privileges

In this section user.2 will try to connect to the database.

1. Launch a terminal window as oracle on the database server and run the following commands to request a Kerberos ticket for user.2. When prompted enter Welcome1 as the password:
   

   cd $ORACLE_HOME/bin
   okinit user.2

2. Run the following commands to test a database connection:
   

   ./sqlplus /@myorcl

   As user.2 belongs to the ora_connect group in Active Directory, the user can connect to the database. This is possible because the enterprise role EUS_CONNECT was granted to this group and linked to the global role GLOBAL_CONNECT which gives users privileges to create a session with the database.
3. Run the following SQL statements:
   

   SQL> select * from session_roles;
   ..
   ROLE
   -------------------------------------------------------------------------------- 
   JAVA_ADMIN 
   JAVA_DEPLOY 
   OLAP_XS_ADMIN 
   XS_RESOURCE 
   OLAP_DBA 
   27 rows selected.                           
   
   SQL> create view role_view AS select * from session_roles;
   View created.
   

   User.2 can run all the commands successfully as the user also belongs to the ora_dba group in Active Directory. This group has been granted the enterprise role EUS_DBA that is linked to the global role GLOBAL_DBA, which gives users DBA privileges.
4. Run the following SQL statements:
   

   SQL> select sys_context('USERENV','AUTHENTICATED_IDENTITY') from dual;
   SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY')
   --------------------------------------------------------------------------------
   user2@EXAMPLE.COM

   SQL> select sys_context('USERENV','ENTERPRISE_IDENTITY') from dual;
   SYS_CONTEXT('USERENV','ENTERPRISE_IDENTITY')
   --------------------------------------------------------------------------------
   cn=user.2,cn=Users,dc=example,dc=com

   These commands show the authenticated identity and enterprise identity.
5. Exit sqlplus and run the following command to destroy the Kerberos ticket:
   

   okdstry

Testing Database Access With Controlled Privileges

In this section user.1 will try to connect to the database.

1. Launch a terminal window as oracle on the database server and run the following commands to request a Kerberos ticket for user.1. When prompted enter Welcome1 as the password:
   

   cd $ORACLE_HOME/bin
   okinit user.1

2. Run the following commands to test a database connection:
   

   ./sqlplus /@myorcl

   As user.1 belongs to the ora_connect group in Active Directory, then the user can connect to the database.
3. Run the following SQL statements:
   

   SQL> select * from session_roles;                              
   ROLE
   --------------------------------------------------------------------------------
   GLOBAL_CONNECT
   CONNECT
   GLOBAL_RESOURCE
   RESOURCE
   
   SQL> create view role_view AS select * from session_roles;
   create view role_view AS select * from session_roles
               *
   ERROR at line 1:
   ORA-01031: insufficient privileges 
   

   The first command runs successfully, but the second command fails. User.1 belongs to the ora_resource group in Active Directory. This group has been granted the enterprise role EUS_RESOURCE that is linked to the global role GLOBAL_RESOURCE. This grants users privileges to query data but not to create or delete objects in the database.
4. Run the following SQL statements:
   

   SQL> select sys_context('USERENV','AUTHENTICATED_IDENTITY') from dual;
   SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY')
   --------------------------------------------------------------------------------
   user.1@EXAMPLE.COM

   SQL> select sys_context('USERENV','ENTERPRISE_IDENTITY') from dual;
   SYS_CONTEXT('USERENV','ENTERPRISE_IDENTITY')
   --------------------------------------------------------------------------------
   cn=user.1,cn=Users,dc=example,dc=com

   These commands show the authenticated identity and enterprise identity.
5. Exit sqlplus and run the following command to destroy the Kerberos ticket:
   

   okdstry

Want to Learn More?

• Integrating Oracle Unified Directory with Oracle Enterprise User Security