31 Integrating Oracle Unified Directory with Oracle Enterprise User Security
Topics:
-
Understanding How Oracle Enterprise User Security Works with Oracle Unified Directory
-
Enabling Oracle Unified Directory and Oracle Enterprise User Security to Work Together
-
Using Additional Enterprise User Security Configuration Options
-
Troubleshooting Issues after Integrating OUD and Enterprise User Security
-
Disabling the Existing Anonymous ACIs in Upgraded Environments
31.1 Understanding How Oracle Enterprise User Security Works with Oracle Unified Directory
Oracle Enterprise User Security enables you to centrally manage database users across the enterprise. You can create enterprise users in an LDAP-compliant directory service, and then assign roles and privileges across various enterprise databases registered with the directory.
Users connect to Oracle Database by providing credentials stored in Oracle Unified Directory or other external LDAP-compliant directory front-ended by Oracle Unified Directory proxy server. The database executes LDAP search operations to query user specific authentication and authorization information. For more information, see Configuration 6: Enterprise User Security.
Integrating Oracle Unified Directory and Enterprise User Security enhances and simplifies your authentication and authorization capabilities by allowing you to leverage user identities stored in LDAP-compliant directory service without any additional synchronization.
For more information about Oracle Enterprise User Security, see the Oracle Database Enterprise User Security Administrator's Guide.
31.2 Understanding the Options Before Integrating Oracle Unified Directory with Oracle Enterprise User Security
Before you integrate Oracle Unified Directory with Oracle Enterprise User Security, you should consider what role Oracle Unified Directory will play in your topology. Also consider other business requirements for your enterprise.
Before you begin integration, review all tasks and steps required for the various integration options.
-
Is OUD used as a directory server or as a directory proxy in the topology?
When you use OUD as a directory server, installation is straightforward, and configuration is contained in OUD. For more information, see Configuring Oracle Directory Server as a Directory for Enterprise User Security.
When you use OUD as a directory proxy, you must take additional steps to configure the external LDAP-compliant directory that stores user entries. For more information, see Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security.
-
Are you configuring an existing directory or proxy instance, or installing a new instance?
If you are configuring an existing directory or proxy instance to work with Enterprise User Security, you will need to complete some configuration steps manually. See the following for more information:
If you are installing a new directory or proxy instance, you can choose the Enterprise User Security option during setup. The new instance is automatically configured to EUS integration. See the following for more information:
-
Additional business requirements for you to consider.
See the following for more information:
31.3 About the Prerequisites Before Integrating Oracle Unified Directory with Oracle Enterprise User Security
Make sure you review the prerequisites before integrating Oracle Unified Directory with multiple Oracle products, as well as any external LDAP-compliant directory you may have in your topology.
Before you begin, ensure that you can access the following components as well as the current documentation that goes with them:
-
Oracle Unified Directory, OUDSM,
oud-setup
andoud-proxy-setup
commands -
Oracle Enterprise User Security Net Configuration Assistant
-
Database Configuration Assistant for Oracle Database
-
Enterprise Manager for Oracle Database
-
Supported LDAP directories (Microsoft Active Directory, Novell eDirectory, Oracle Unified Directory, or Oracle Directory Server Enterprise Edition) you have in your topology
31.4 Enabling Oracle Unified Directory and Oracle Enterprise User Security to Work Together
Follow these step-by-step instructions for integrating Oracle Unified Directory with Oracle Enterprise User Security.
31.4.1 Configuring Oracle Directory Server as a Directory for Enterprise User Security
Follow these tasks to configure Oracle Unified Directory Server as a directory for Enterprise User Security.
To configure Oracle Directory Server as a directory for Enterprise User Security, complete the tasks described in the following table:
Table 31-1 List of Tasks to configure Oracle Directory Server as a directory for Enterprise User Security
Task # | Link |
---|---|
Task 1 |
Configuring Oracle Unified Directory to Work with Enterprise User Security |
Task 2 |
|
Task 3 |
Selecting the Oracle Context to be Used by Enterprise User Security |
Task 4 |
|
Task 5 |
|
Task 6 |
31.4.1.1 Configuring Oracle Unified Directory to Work with Enterprise User Security
-
If you already have an existing Oracle Unified Directory instance installed and provisioned, then complete the steps in one of these sections:
-
If you do not already have an Oracle Unified Directory installed and provisioned, then complete the steps in the following section Installing and Configuring a New Oracle Unified Directory Instance to Work with Enterprise User Security
31.4.1.1.1 Installing and Configuring a New Oracle Unified Directory Instance to Work with Enterprise User Security
You can run the oud-setup
program using either the command line or the graphical user interface.
-
To run
oud-setup
with following--cli
option. For example:$ oud-setup --cli --integration eus --no-prompt --ldapPort 1389\ --adminConnectorPort 4444 -D "cn=directory manager"\ --rootUserPasswordFile pwd.txt --ldapsPort 1636\ --generateSelfSignedCertificate --baseDN "dc=example,dc=com"
For detailed information about using
oud-setup
and all its options, see "Setting Up the Directory Server" in the Oracle Fusion Middleware Installation Guide for Oracle Unified DirectoryDuring setup, the
baseDN
specified in the--baseDN
option is prepared for EUS. If you specify multiple base DNs, they will all be prepared for EUS.Using the above command, you can configure OUD instance to use Salted SHA-1 password storage scheme. However, you can configure OUD to use the more secure EUS PBKDF2 SHA512 password storage scheme, which encodes password using SHA-512 based algorithm.
In order to do so, run the
oud-setup
command usingeusPasswordScheme
argument with value "sha2
". For example:oud-setup --cli --integration eus --no-prompt --ldapPort 1389\ --adminConnectorPort 4444 -D "cn=directory manager"\ --rootUserPasswordFile pwd.txt --ldapsPort 1636\ --generateSelfSignedCertificate --baseDN "dc=example,dc=com" --eusPasswordScheme sha2
Note:
-
You can configure Oracle Unified Directory to use
EUS PBKDF2 SHA512
password storage scheme only if your Oracle RDBMS version supports it. Oracle recommends that you contact your Database Administrator to validate if the RDBMS supportsMulti-Round SHA-512
based password verifier. -
You can configure OUD to use
EUS PBKDF2 SHA512
password storage scheme only using CLI option. The same is not supported in GUI mode.
-
-
To use the graphical user interface:
-
Run the
oud-setup
command -
In the Welcome page, click Next.
-
In the Server Settings page, provide the following information:
-
Host Name
This is the server that hosts the Oracle Unified Directory instance that stores users and groups.
-
Administration Connector Port
This is the administration port used by OUD tools such as dsconfig.
-
LDAP Listener Port
Specify the port used by OUD.
-
LDAP Secure Access
Click Configure to enable secure access.
In the Configure Secure Access window, click to mark the Enable SSL on Port check box. Then enter a port number for LDAPS, and click OK to continue.
-
Root User DN
This is the identity of the server administrator
-
Password
Enter a password to be used by the server administrator.
-
Password (confirm)
Enter the password a second time to confirm.
Click Next to continue.
-
-
In the Topology Options page, be sure the option "This will be a stand alone server" is selected, and click Next.
-
In the Directory Data page, provide the following information:
-
Directory Base DN
Enter the base DN where you will store user entries.
-
Directory Data
Do not choose the option "Leave Database Empty." Choose one of the following options:
-
"Only Create Base Entry" creates an entry with the base DN specified previously.
-
"Import Data from LDIF File" imports LDIF data from the file specified in the Path field.
-
"Import Automatically-Generated Sample Data" generates the number of sample entries specified in the Number of User Entries field.
Click Next.
-
-
-
In the Oracle Components Integration page, choose the option "Enable for EUS (Enterprise User Security), EBS, Database Net Services and DIP." This option also enables the server for Database Net Services.
Click Next to continue.
-
In the Server Tuning page, you can configure your tunings or click Next.
See the Installation Guide for information about tuning configurations.
-
In the Review page, review your settings, and click Finish.
A new instance of Oracle Unified Directory is installed, configured, and then started.
-
31.4.1.1.2 Configuring an Existing Oracle Unified Directory Server to Work with Enterprise User Security Using the Command Line
You can configure an existing naming context for EUS, or you can create and configure a new naming context for EUS.
-
To use an existing naming context for EUS, run the
manage-suffix update
command. For example:$ manage-suffix update -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus
This command-line will configure the naming context specified as
baseDN
for EUS.Using the above command, you can configure OUD to use Salted SHA-1 password storage scheme. However, you can configure OUD to use the more secure EUS PBKDF2 SHA512 password storage scheme, which encodes password using SHA-512 based algorithm. In order to do so, run the
manage-suffix update
command using eusPasswordScheme argument with value "sha2". For example:$ manage-suffix update -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus --eusPasswordScheme sha2
-
To create a new naming context for EUS, run the
manage-suffix create
command. For example:$ manage-suffix create -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus
Using the above command, you can configure OUD to use Salted SHA-1 password storage scheme. However, you can configure OUD to use the more secure EUS PBKDF2 SHA512 password storage scheme, which encodes password using SHA-512 based algorithm. In order to do so, run the
manage-suffix create
command using eusPasswordScheme argument with value "sha2". For example:$ manage-suffix create -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus --eusPasswordScheme sha2
Note:
You can configure Oracle Unified Directory to use EUS PBKDF2 SHA512
password storage scheme only if your Oracle RDBMS version supports it. Oracle recommends that you contact your Database Administrator to validate if the RDBMS supports Multi-Round SHA-512
based password verifier.
For more information about the manage-suffix
command, see Managing Suffixes Using manage-suffix.
31.4.1.1.3 Configuring an Existing Oracle Unified Directory Server to Work with Enterpriser User Security Using OUDSM
Before you begin, ensure that the server instance has an LDAP connection handler that is enabled for SSL. If SSL is not enabled, add an LDAPS connection handler. For information about adding an LDAPS connection handler, see Managing the Server Configuration Using dsconfig, and Displaying the Properties of LDAP Connection Handler.
You can configure an existing naming context for EUS, or you can create and configure a new naming context for EUS.
-
To configure an existing naming context for EUS using OUDSM:
-
Connect to the directory server from OUDSM.
-
Click the Configuration tab.
-
In the navigation pane on the left, below Naming Contexts, choose the naming context you want to use.
-
In the right pane, in the Oracle Components Integration section, choose Enable for Enterprise User Security (EUS) and click Apply.
-
-
To create and configure a new naming context for EUS using OUDSM:
-
Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
-
Click the Home tab.
-
Under the Configuration menu, choose Create Local Naming Context.
-
In the New Local Naming Context window, provide the following information:
-
Base DN
Type a name for the suffix that you want to create. You cannot enable EUS on an existing suffix that has already been populated with user data.
-
Directory Data Options
Choose one of the following:
Only Create Base Entry creates the database along with the base entry of the suffix. Any additional entries must be added after suffix creation.
Leave Database Empty creates an empty database. Do not select this option.
When you use this option, the base entry and any additional entries must be added after suffix creation. But for this configuration, the suffix must contain at least one entry.
Import Generated Sample Data populates the suffix with sample entries.
Specify the number of entries that should be generated in the Number of User Entries field. You can import a maximum of 30,000 sample entries through OUDSM. If you want to add more than 30,000 entries, you must use the
import-ldif
command. -
Oracle Components Integration
To enable the new suffix, for Enterprise User Security (EUS), select Enable.
-
Network Group
Attach the suffix to at least one network group:
To attach the suffix to an existing network group: Choose Use Existing, and then choose the required network group from the list.
To attach the suffix to a new network group: Select Create New, and then in the Name field, type a name for the network group you want to create.
You can attach the same suffix to several network groups.
-
Workflow Element
Attach the suffix to the workflow element.
To attach the suffix to an existing workflow element: Choose Use Existing, and then choose the required workflow element from the list.
The suffix is stored inside the same database Local Backend workflow element, and will have the same properties such as an instance path to Berkeley DB files.
To attach the suffix to a new workflow element: Choose Create New, and then in the Name field, type a name for the workflow element you want to create.
You can configure this new workflow element with additional other values such as Berkeley DB files, database cache size, and so on.
-
-
Click Create.
The following confirmation message is displayed:
Naming Context created successfully.
-
Note:
After creating and configuring a naming context for EUS, the Oracle Unified Directory 12c configuration can be updated to enable the TNS Aliasing capability.
You must manually run the dsconfig
command to set up the TNS Aliasing feature by adding the eus-alias-resolution
workflow element into the global cn=OracleContext
and also the cn=OracleContext,<EUS Realm>
workflow chains. See Enabling TNS Alias Support for EUS-enabled Configurations in Installing Oracle Unified Directory.
31.4.1.2 Configuring the User and Groups Location
After Oracle Unified Directory has been configured for EUS or Oracle E-Business Suite, you must configure the naming context used to store the users and the groups by performing the following steps:
31.4.1.3 Selecting the Oracle Context to be Used by Enterprise User Security
Enterprise User Security stores its configuration, also called EUS metadata, in an Oracle Context which corresponds to a part of the Directory Information Tree. If your user entries are stored below dc=example,dc=com
, then EUS is usually configured to use cn=OracleContext,dc=example,dc=com
as Oracle Context.
Use Oracle Net Configuration Assistant to indicate where EUS should read its configuration.
31.4.1.4 Registering the Database in the LDAP Server
Use the Database Configuration Assistant for Oracle Database to complete this task.
31.4.1.5 Configuring Roles and Permissions
The following topics provide the steps to configure roles and permissions using Oracle Enterprise Manager:
31.4.1.5.1 Creating a Shared Schema in the Database
Run the following SQL commands:
SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY; User created. SQL> GRANT CONNECT TO global_ident_schema_user; Grant succeeded.
31.4.1.5.2 Creating a New User-Schema Mapping
Note:
Before performing the steps mentioned in this procedure, see Configuring Password Policy for Oracle Unified Directory Administrator.To create a new user schema mapping:
-
In a web browser, connect to Enterprise Manager. For example:
https://localhost:1158/em
Provide the following, then click Login.
-
User Name
Enter the name of a user who is authorized to administer the database.
-
Password
Enter the administrator password.
-
Connect As
Choose SYSDBA.
Click Login.
-
-
Click the Server tab.
On the Server tab, in the Security section, click Enterprise User Security.
-
In the "Oracle Internet Directory Login: Enterprise User Security" page, provide the following information:
-
User
Enter the username of a user, for example
cn=directory manager
, who has write access to Oracle Context. -
Password
Enter the password for the same user.
Click Login.
-
-
On the Enterprise User Security page, click Manage Enterprise Domains.
An Enterprise Domain can contain one or more databases. The settings for an Enterprise Domain apply to all databases it contains.
-
On the Manage Enterprise Domains page, select the domain you want to configure, then click Configure.
-
On the Configure Domain page, click "User - Schema Mappings."
-
On the User - Schema Mappings page, click Create.
-
To create a domain-schema mapping, on New Mapping page provide the following information:
-
From
You can associate a global schema to all the users in a given subtree, or to a given user.
To associate a global schema to all users in a given subtree:
1. Choose Subtree, then click the flashlight icon to search for available subtrees.
2. In the Select User page, select a subtree.
3. Enterprise users below the DN you select will be mapped to the same global schema. Click Select.
To associate a global schema to a given user:
1. Choose User Name, then click the flashlight icon to search for available users.
2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema. Click Select.
-
To
1. In the Schema field, enter the name of the global schema.
2. For example,
global_ident_schema_user
.
Click Continue.
-
-
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.
31.4.1.5.3 Creating a Role in the Database
For this example, a role named hr_access,
is created. The role grants read access to the table hr.employees
.
To create a role in the database:
SQL> CREATE ROLE hr_access IDENTIFIED GLOBALLY; Role created. SQL> GRANT SELECT ON hr.employees TO hr_access; Grant succeeded.
For more information, see the Oracle Database documentation.
31.4.1.5.4 Creating a New Role in the Domain
To create a new role in the domain:
-
On the Manage Enterprise Domains page, select the domain in which you want to create the role, then click Configure.
-
On the Configure Domain page, click Enterprise Roles. Click Create.
-
On the Create Enterprise Role page, provide the following information:
-
In the Name field, provide a name for your enterprise role.
-
In the DB Global Roles tab, click Add.
-
-
In the Search And Select: Database Global Roles page, provide the following information:
-
Database
Choose the database from the drop-down list.
-
User Name
Enterprise Manager will retrieve the available roles from the database. Enter a username of an administrator, for example
SYS AS SYSDBA
, who is authorized to access the roles. -
Password
Enter the administrator password.
Click Go.
-
-
In the "Search and Select: Database Global Roles" page, choose the global role you want to grant to Enterprise Users.
Click Select.
-
In the Create Enterprise Role page, select the Enterprise user or groups to which you will grant the Enterprise Role, then click the Grantees tab.
-
On the Grantees tab, to select Enterprise users or groups click Add.
-
In the "Select: Users and Groups" page, click Go. Enterprise Manager retrieves available Users and Groups.
-
View
You can search for users or groups.
-
Search Base
Enterprise Manager begins the search at this DN.
-
Name
Enter a string here to narrow down the search. For example, if you want to find a user whose name starts with jo, enter jo and Click Go.
A table displays relevant entries. From the list, select the users and groups to which you want to grant the Enterprise Role, then click Select.
Click Continue.
-
-
In the Configure Domain page, click OK to continue.
-
In the Edit Enterprise Role page, click Continue.
-
In the Configure Domain page, click OK.
After the role has been successfully created, click Configure.
31.4.1.5.5 Defining a Proxy Permission in the Database
To define a proxy permission on user SH, run the following command:
SQL> ALTER USER SH GRANT CONNECT THROUGH ENTERPRISE USERS; User altered.
This command defines a proxy permission on user SH.
31.4.1.5.7 Configuring Mappings for a Specific Database
To configure mappings for a specific database:
-
On the Enterprise User Security page, click Manage Databases.
-
On the Manage Databases page, select the database you want to configure, and click Configure.
-
On the Configure Database page, click "User - Schema Mappings" tab.
-
On the "User - Schema Mappings" page, click Create.
-
To create a domain-schema mapping, on New Mapping page provide the following information:
-
From
You can associate a global schema to all the users in a given subtree, or to a given user.
To associate a global schema to all users in a given subtree:
1. Choose Subtree, then click the flashlight icon to search for available subtrees.
2. In the Select User page, select a subtree.
3. Enterprise users below the DN you select will be mapped to the same global schema. Click Select.
To associate a global schema to a given user:
1. Choose User Name, then click the flashlight icon to search for available users.
2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema. Click Select.
-
To
1. In the Schema field, enter the name of the global schema.
2. For example,
global_ident_schema_user
.
Click Continue.
-
-
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.
31.4.1.6 Testing the Database Configurations
At this point Enterprise User Security contains the following configurations:
-
A users-schema mapping granting a global schema to all users below
dc=example,dc=com
-
An Enterprise Role granting
HR_ACCESS
touid=user.0,ou=people,dc=example,dc=com
-
A Proxy Permission allowing
uid=user.1,our=people,dc=example,dc=com
to proxy userSH
.
To test the database configurations:
31.4.2 Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security
Follow these tasks to configure Oracle Unified Directory Proxy to work with an External LDAP Directory and Enterprise User Security.
Table 31-2 List of tasks to configure Oracle Unified Directory Proxy
Task # | Link |
---|---|
Task 1 |
|
Task 2 |
Configuring Oracle Unified Directory Proxy to Work with Enterprise User Security |
Task 3 |
|
Task 4 |
Selecting the Oracle Context to be Used By Enterprise User Security |
Task 5 |
|
Task 6 |
|
Task 7 |
31.4.2.1 Configuring User Identities in the External LDAP Directory
Configure the existing user and group identities so they can be recognized by Enterprise User Security. Choose from the following based on your external LDAP directory:
31.4.2.1.1 Configuring User Identities in Microsoft Active Directory
Starting with Oracle Unified Directory 12c (12.2.1.4.0), the Password Notification Change plug-in (oidpwdcn.dll
) is deprecated. Oracle recommends that you use the CMU feature provided by Oracle Database. CMU supports all the newer and stronger hashing algorithms and other updated security enhancements.
If you are currently using the Password Notification Change plug-in and planning to transition to CMU, you must perform the following steps:
31.4.2.1.2 Configuring User Identities in Microsoft Active Directory Using Centrally Managed Users
Starting with Oracle Unified Directory 12c (12.2.1.4.0), the Password Notification Change plug-in (oidpwdcn.dll
) is deprecated. Oracle recommends that you use the CMU feature provided by Oracle Database. CMU supports all the newer and stronger hashing algorithms and other updated security enhancements.
If you are currently using the Password Notification Change plug-in and planning to transition to CMU, you must perform the following steps:
31.4.2.1.3 Configuring User Identities in Oracle Directory Server Enterprise Edition
Run ldapmodify
command from Oracle Directory Server Enterprise Edition to enable extended operation for the account lock, as follows:
ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password> dn: oid=1.3.6.1.4.1.42.2.27.9.6.25,cn=features,cn=config changetype: add objectclass: directoryServerFeature oid: 1.3.6.1.4.1.42.2.27.9.6.25 cn: Password Policy Account Management
31.4.2.1.4 Configuring User Identities in Novell eDirectory
Enable the Universal Password in eDirectory, and allow the administrator to retrieve the user password.
See the Novell eDirectory documentation about Password Management for more information.
31.4.2.1.5 Configuring User Identities in Oracle Unified Directory
Modify the default password policy to use Salted SHA-1 as password storage scheme by running dsconfig
command as follows:
./dsconfig -h <OUD host> -p <OUD admin port> -D <OUD dirmgr> -j <pwdfile> -X -n set-password-policy-prop\ --policy-name "Default Password Policy"\ --set default-password-storage-scheme:"Salted SHA-1"
You can configure the default password policy to use a more secure and a robust password storage scheme, namely EUS PBKDF2 SHA-512 if your Oracle RDBMS version supports it. Oracle recommends that you contact your Database Administrator to validate if the RDBMS version deployed at your end supports Multi-Round SHA-512 based password verifier.
Note:
Ensure that you modify the default password policy of Oracle Unified Directory containing the Enterprise Users and the Enterprise Groups details. Do not modify the default password policy of the Oracle Unified Directory instance acting as the proxy server.
31.4.2.2 Configuring Oracle Unified Directory Proxy to Work with Enterprise User Security
If you do not already have an Oracle Unified Directory Proxy installed, complete the steps in one of these sections:
If you already have an Oracle Unified Directory Proxy instance installed, complete the steps in Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using OUDSM.
31.4.2.2.1 Installing and Configuring a New Oracle Unified Directory Proxy Using the Command Line
To install and configure the new Oracle Unified Directory Proxy:
31.4.2.2.2 Installing and Configuring a New Oracle Unified Directory Proxy to Work with Enterprise User Security Using the Graphical User Interface
Note:
The OUD instance creation GUI wizard is deprecated in Oracle Unified Directory 12c (12.2.1.4.0). Oracle recommends use of the command-line (CLI) to create an instance. For more information, see Setting Up the Proxy Using the CLI.To install and configure a new Oracle Unified Directory Proxy to work with Enterprise User Security using the graphical user interface:
-
Run the
oud-proxy-setup
program.-
In the Welcome page, click Next.
-
In the Server Settings page, provide the following information:
Host Name. Enter the name of the OUD proxy host.
Administration Connector Port. This is the administration port used by OUD tools such as
dsconfig
.LDAP Listener Port. Specify the port used by the OUD proxy.
LDAP Secure Access. Click Configure to enable secure access.
In the Configure Secure Access window, click to mark the "Enable SSL on Port" check box. Then enter a port number for LDAPS, and click OK to continue.
Root User DN. This is the identity of the server administrator.
Password. Enter a password to be used by the server administrator.
Password (confirm). Enter the password a second time to confirm.
Click Next to continue.
-
In the Deployment Options page, in the Configuration Option field, choose "Configure EUS (Enterprise User Security)" and click Next.
Oracle Unified Directory will be used as a proxy, and deployed in front of the LDAP server containing EUS users and groups.
-
On the Back-End Server Type page, choose one of the supported server types. This is the LDAP-compliant server that contains the Enterprise User Security users and groups.
Click Next to continue.
-
On the next page, click Add Server.
On the Add Server page, provide the following information:
Host Name. Enter the host name of the LDAP server that contains Enterprise User Security users and groups.
Protocol. If you are using Novell eDirectory, you must choose LDAPS.
For all other external directories, you can choose one of the following: LDAP, LDAPS, or [LDAP & LDAPS]. This determines how OUD proxy will connect to the remote LDAP server.
Port Number. Enter the port number of the LDAP server that contains Enterprise User Security users and groups.
You can click Add to add another LDAP server. After you are done adding LDAP servers, click Close to continue.
-
Review the list on the Servers Page.
The Servers Page now lists the server or servers that contain Enterprise User Security users and groups. Click Next to continue.
-
On the Naming Contexts page, click to mark the check box beside a Base DN to choose the Base DN for a naming context.
If the table does not display a Naming Context, enter the Base DN of your remote LDAP server in the "Additional Naming Context DN" field, select Add.
Click Next to continue.
-
Configure the runtime options for the server.
You can click Change to configure any specific JVM settings, or click Next to run the server with the default JVM settings.
Click Next.
-
In the Review page, review your settings, and click Finish.
A new instance of Oracle Unified Directory Proxy is installed, configured, and started.
Click Close.
-
-
Set the remote root DN and remote root user accounts by running the
dsconfig
command on the OUD Proxy as follows:dsconfig set-workflow-element-prop \ --element-name proxy-we1 \ --set remote-root-dn:cn=directory manager \ --set remote-root-password:******** \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN "cn=directory manager" \ --bindPasswordFile pwd.txt \ --no-prompt
Note:
In the preceding command,
--element-name
property corresponds to the name of the proxy workflow element, which is used to connect to the external LDAP directory server.If you configure proxy through OUD proxy setup wizard, then the default name of the proxy workflow element is
proxy-we1
. Alternatively, if you configure the proxy through CLI by usingdsconfig
command, then the name of the workflow element would be as per the value you provide as an input in the command.You can find the workflow element by running thedsconfig
command as follows:dsconfig -h localhost -p administration port number -D "cn=Directory Manager" -X -n list-workflow-elements --bindPasswordFile password.txt
You observe output similar to the following:Workflow Element : Type : enabled ----------------- :--------------------:-------- adminRoot : ldif-local-backend : true load-bal-we1 : load-balancing : true proxy-we1 : proxy-ldap : true
In the above example, if you look at the
proxy-ldap
type, you will locate the workflow element name (proxy-we1
) corresponding to that. -
Set the mode for the proxy workflow element for the external LDAP-compliant directory.
By default, the configuration is set to
use-client-identity
mode.-
Use
use-specific-identity
mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.If you want to change the mode setting to
use-specific-identity
, then you must configure the external LDAP server credentials.To use
use-specific-identity
mode, run thedsconfig
command as follows:dsconfig set-workflow-element-prop \ --element-name proxy-we1 \ --set client-cred-mode:use-specific-identity \ --set remote-ldap-server-bind-dn: \ cn=administrator,cn=users,dc=example,dc=com\ --set remote-ldap-server-bind-password:******** \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN "cn=directory manager" \ --bindPasswordFile pwd.txt \ --no-prompt
In this example,
remote-root-dn
andremote-ldap-server-bind-dn
are the credentials used by the remote LDAP administrator. -
Use
use-client-identity
mode if your external LDAP server allows anonymous access.If you want to use the
use-client-identity
mode, then you must configure the external LDAP server credentials and an exclude-list.The database usually connects with its own credentials to Oracle Unified Directory proxy server, and performs searches on the external LDAP server. When EUS is enabled, the database must use an alternate ID to bind to the external LDAP server because the database entry does not exist on the external LDAP server. The database entry is stored locally on the Oracle Unified Directory proxy server.
To use the
use-client-identity
mode, run thedsconfig
command as follows:dsconfig set-workflow-element-prop \ --element-name proxy-we1 \ --set client-cred-mode:use-client-identity \ --add exclude-list:cn=directory manager \ --add exclude-list:cn=oraclecontext,dc=example,dc=com \ --set remote-ldap-server-bind-dn: \ cn=administrator,cn=users,dc=example,dc=com \ --set remote-ldap-server-bind-password:******** \ --hostname localhost \ --port 4444 \ --trustAll \ --bindDN "cn=directory manager" \ --bindPasswordFile pwd.txt \ --no-prompt
In this example,
remote-root-dn
andremote-ldap-server-bind-dn
are the credentials used by the remote LDAP administrator.Important. When in
use-client-identity
mode, if you are integrating with Active Directory, then you must run the following command to allow anonymous login, wheredc=example,dc=com
is the base DN of your Active Directory server.ldapmodify -h <ADhost> -p <AD port> -D <AD dirmgr> -w <pwd> dn: cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=example,dc=com changetype: modify replace: dsHeuristics dsHeuristics: 0000002
-
31.4.2.2.3 Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using OUDSM
To configure an existing Oracle Unified Directory Proxy to work with Enterprise User Security using OUDSM:
-
Connect to Oracle Unified Directory Proxy from OUDSM.
-
Select the Home tab.
-
Under the Configuration section, choose "Set Up Remote EUS Naming Context."
-
In the "Create Remote EUS Naming Context" page, provide the following information:
Base DN. This is the suffix provided by the remote LDAP server.
Network Group. Attach the suffix to at least one network group. Select the required network group from the list.
Server Type. Select the type of LDAP server containing your users and groups from the list.
Host Name. Enter the name of the machine where the remote LDAP server is running.
Ports available. Indicate whether you want the OUD Proxy to connect to the remote LDAP server using LDAP, or LDAPS, or both LDAP and LDAPS.
Depending upon the option you chose, enter a port number for the LDAP port, LDAPS port, or for both LDAP and LDAP ports. This must be the port used by the remote LDAP server.
If you checked LDAPS, configure SSL to either Trust All or configure a Trust Manager.
Click Create.
-
Select the Configuration tab.
-
In the Naming Contexts list, choose the Proxy below the Naming context you just created.
-
In the Proxy LDAP workflow element window:
-
Enter a Bind DN and a Bind Password.
These must match the credentials of the remote LDAP server administrator.
-
Expand the Remote Root Properties, and enter a Remote Root DN and password.
These must match the credentials of the remote LDAP server administrator.
-
In the Credentials Mode field, set the mode for the proxy workflow element for the external LDAP-compliant directory.
-
Use
use-specific-identity
mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.To use
use-specific-identity
mode:In the Credentials Mode field, choose Use Specific Identity. Then enter the values for the Bind DN and the Bind Password. Enter the Bind Password a second time to confirm it.
-
Use
use-client-identity
mode if your external LDAP server allows anonymous access.To
use-client-identity
mode:In the Credentials Mode field, first select Use Client Identity, and expand the Client Identity Mode Properties. Then add
"cn=directory manager"
and"cn=OracleContext,dc=example,dc=com"
to the Exclude Bind DNs table.
-
-
Click Apply.
-
31.4.2.3 Configuring the Users and Groups Location
After Oracle Unified Directory has been configured for EUS or Oracle E-Business Suite, you must configure the naming context used to store the users and the groups by performing the following steps:
31.4.2.4 Selecting the Oracle Context to be Used By Enterprise User Security
Enterprise User Security stores its configuration (also called EUS metadata) in an Oracle Context, which corresponds to a part of the Directory Information Tree. If your user entries are stored below dc=example,dc=com
, then EUS is usually configured to use cn=OracleContext,dc=example,dc=com
as Oracle Context.
In this task, Oracle Net Configuration Assistant tells EUS where it should read its configuration.
-
To start the Oracle Net Configuration Assistant, run the
netca
command on the host where the database is installed.The Oracle Net Configuration Assistant is displayed.
-
On the Welcome page, select "Directory Usage Configuration," and click Next.
Enter the following information in subsequent pages:
-
Directory Type
Select "Oracle Internet Directory" even if the LDAP server is an Oracle Virtual Directory or an Oracle Unified Directory.
Click Next.
-
Hostname
Enter the host name or IP address of the server hosting your LDAP server.
-
Port
Enter the LDAP port number.
-
SSL Port
Enter the LDAPS port number.
-
Oracle Context
Do not select
cn=OracleContext
. Instead, click the arrow to display and choose the location of your OracleContext.Oracle Net Configuration Assistant connects to the LDAP server to retrieve the available Oracle Contexts. Enterprise User Security configuration will be stored within your
OracleContext
.Click Next.
-
Directory usage configuration complete!
Click Next.
When the Welcome page is displayed, click Finish.
-
-
To verify that the Net Configuration Assistant has successfully created the configuration file containing the LDAP server information, run the following command:
# cat $ORACLE_HOME/network/admin/ldap.ora # ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora # Generated by Oracle configuration tools. DIRECTORY_SERVERS= (oudhost:1389:1636) DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com" DIRECTORY_SERVER_TYPE = OID
The configuration file used by the database contains the host name and port of the LDAP server. In this example, the information is represented as:
(oudhost:1389:1636)
. You can specify multiple servers, separated by commas, for high availability deployments.In this example,
dc=example,dc=com
represents the Oracle Context used to store the EUS configuration, also known as the EUS metadata.
31.4.2.5 Registering the Database in the LDAP Server
To register the database in the LDAP server:
-
Run the
dbca
command on the host where the database is installed.The Database Configuration Assistant for Oracle database is displayed. Click Next, then provide the following information in the subsequent pages:
-
Select the operation you want to perform.
Choose "Configure Database Option," then click Next.
-
Database
In the list box, select the database you want to register. Then click Next.
Database Configuration Assistant determines if the database is already registered in the LDAP server.
-
Would you like to register this database with the directory service?
Choose "Yes, register the database." Database Configuration Assistant will create an entry for the database in the Oracle Context.
-
User DN
The user DN will be used to authenticate to the LDAP server.
The user DN is usually
cn=directory manager
, the directory manager of OUD proxy. The user DN is also used in the add operation, which creates the database entry in the Oracle Context. The user must have write access to the LDAP server. -
Password
Database Configuration Assistant creates a wallet for the database. The database entry DN and password will be stored in the wallet. When the database connects to the LDAP server, it will authenticated using credentials stored in this wallet.
-
Database Components
Make no changes to this page, and click Next.
-
Connection Mode
Choose "Dedicated Server Mode," then click Finish.
-
Confirmation
Click OK to register the database.
-
Do you want to perform another operation?
Click No to exit the Database Configuration Assistant application.
-
-
To verify that Database Configuration Assistant successfully created a new entry for the database, run the following command, replacing
orcl11g
with the name of your database:$ ldapsearch -h oudhost -p 1389 -D "cn=directory manager" -j pwd.txt -b cn=oraclecontext,dc=example,dc=com "(cn=orcl11g)" dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com orclVersion: 112000 orclcommonrpwdattribute: {SASL -MD5}eW5+2LTPRKzFmHxmMZQmnw== objectClass: orclApplicationEntity objectClass: orclService objectClass: orclDBServer_92 objectClass; orclDBServer objectClass: top orclServiceType: DB orclSid: orcl11g oracleHome: /app/oracle/product/db/product/11.2.0/dbhome_1 cn: orcl11g orclSystemName: oudhost userPassord: {SSHA}oNeBEqkUMtDusjXNXJPpa7qa+Yd0b9RHvA== orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST)=oudhost) (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl11g))) orclDBGLOBALNAME: orcl11g orclNetDescName: 000:cn= DESCRIPTION_0
31.4.2.6 Configuring Roles and Permissions
The following topics provide the steps to configure roles and permissions using Oracle Enterprise Manager:
31.4.2.6.1 Creating a Shared Schema in the Database
Run the following SQL commands:
SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY; User created. SQL> GRANT CONNECT TO global_ident_schema_user; Grant succeeded.
31.4.2.6.2 Creating a New User-Schema Mapping
Note:
Before performing the steps mentioned in this procedure, see Configuring Password Policy for Oracle Unified Directory Administrator.To create a new user schema mapping:
-
In a web browser, connect to Enterprise Manager. For example:
https://localhost:1158/em
Provide the following information:
User Name. Enter the name of a user who is authorized to administer the database.
Password. Enter the administrator password.
Connect As.Choose SYSDBA.
Click Login.
-
Click the Server tab.
On the Server tab, in the Security section, click Enterprise User Security.
-
In the "Oracle Internet Directory Login: Enterprise User Security" page, provide the following information:
User. Enter the username of a user, for example
cn=directory manager
, who has write access to Oracle Context.Password. Enter the password for the same user.
Click Login.
-
On the Enterprise User Security page, click Manage Enterprise Domains.
An Enterprise Domain can contain one or more databases. The settings for an Enterprise Domain apply to all databases it contains.
-
On the Manage Enterprise Domains page, select the domain you want to configure, then click Configure.
-
On the Configure Domain page, click "User - Schema Mappings."
-
On the User - Schema Mappings page, click Create.
-
To create a domain-schema mapping, on the New Mapping page provide the following information:
From
You can associate a global schema to all the users in a given subtree, or to a given user.
To associate a global schema to all users in a given subtree:
-
Choose Subtree, then click the flashlight icon to search for available subtrees.
-
In the Select User page, select a subtree. Enterprise users below the DN you select will be mapped to the same global schema.
-
Click Select.
To associate a global schema to a given user:
-
Choose User Name, then click the flashlight icon to search for available users.
-
In the select User page, select a user DN. Only this specific user will be mapped to the global schema.
-
Click Select.
To
In the Schema field, enter the name of the global schema. For example:
global_ident_schema_user
.Click Continue.
-
-
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.
31.4.2.6.3 Creating a Role in the Database
For this example, a role named hr_access,
is created. The role grants read access to the table hr.employees
.
To create a role in the database:
SQL> CREATE ROLE hr_access IDENTIFIED GLOBALLY; Role created. SQL> GRANT SELECT ON hr.employees TO hr_access; Grant succeeded.
For more information, see the Oracle Database documentation.
31.4.2.6.4 Creating a New Role in the Domain
To create a new role in the domain:
-
To create a new role in a domain, On the Manage Enterprise Domains page, select the domain in which you want to create the role, then click Configure.
-
On the Configure Domain page, click Enterprise Roles. Click Create.
-
On the Create Enterprise Role page, provide the following information:
-
In the Name field, provide a name for your enterprise role.
-
In the DB Global Roles tab, click Add.
-
-
On the "Search And Select: Database Global Roles' page, provide the following information:
Database. Choose a database from the drop-down list.
User Name. Enterprise Manager will retrieve the available roles from the database. Enter a username of an administrator, such as
SYS AS SYSDBA
, who is authorized to access the roles.Password. Enter the administrator password.
Click Go.
-
In the "Search and Select: Database Global Roles" page, choose the global role you want to grant to Enterprise Users.
Click Select.
-
In the Create Enterprise Role page, select the Enterprise user or groups to which you will grant the Enterprise Role, then click the Grantees tab.
-
On the Grantees tab, to select Enterprise users or groups click Add.
-
In the "Select: Users and Groups" page, click Go. Enterprise Manager retrieves available Users and Groups.
View. You can search for users or groups.
Search Base. Enterprise Manager begins the search at this DN.
Name.Enter a string here to narrow down the search. For example, if you want to find a user whose name starts with jo, enter jo and Click Go.
A table displays relevant entries. From the list, select the users and groups to which you want to grant the Enterprise Role, then click Select.
Click Continue.
-
In the Configure Domain page, click OK to continue.
-
In the Edit Enterprise Role page, click Continue.
-
In the Configure Domain page, click OK.
After the role has been successfully created, click Configure.
31.4.2.6.5 Defining a Proxy Permission in the Database
To define a proxy permission on user SH, run the following command:
SQL> ALTER USER SH GRANT CONNECT THROUGH ENTERPRISE USERS; User altered. This command defines a proxy permission on user SH.
31.4.2.6.7 Configuring Mappings for a Specific Database
To configure mappings for a specific database:
-
On the Enterprise User Security page, click Manage Databases.
-
On the Manage Databases page, select the database you want to configure, and click Configure.
-
On the Configure Database page, click "User - Schema Mappings" tab.
-
On the "User - Schema Mappings" page, click Create.
-
To create a domain-schema mapping, on the New Mapping page provide the following information:
From
You can associate a global schema to all the users in a given subtree, or to a given user.
To associate a global schema to all users in a given subtree:
-
Choose Subtree, then click the flashlight icon to search for available subtrees.
-
In the Select User page, select a subtree. Enterprise users below the DN you select will be mapped to the same global schema.
-
Click Select.
To associate a global schema to a given user:
-
Choose User Name, then click the flashlight icon to search for available users.
-
In the select User page, select a user DN. Only this specific user will be mapped to the global schema.
-
Click Select.
To
In the Schema field, enter the name of the global schema. For example:
global_ident_schema_user
.Click Continue.
-
-
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.
31.4.2.7 Testing the Database Configurations
At this point Enterprise User Security contains the following configurations:
-
A users-schema mapping granting a global schema to all users below
dc=example,dc=com
-
An Enterprise Role granting
HR_ACCESS
touid=user.0,ou=people,dc=example,dc=com
-
A Proxy Permission allowing
uid=user.1,our=people,dc=example,dc=com
to proxy user SH.
To test the database configurations:
31.4.3 Configuring Password Policy for Oracle Unified Directory Administrator
When you create the user-schema mapping you are required to provide the user name of the Oracle Unified Directory administrator, such as cn=directory manager
, which is used to log in to Oracle Unified Directory server.
31.5 Using Additional Enterprise User Security Configuration Options
After the basic integration of Oracle Unified Directory and Enterprise User Security, you can configure OUD to support multiple EUS domains and configure replication to support high availability.
31.5.1 Configuring OUD to Support Multiple Enterprise User Security Domains
If your users and groups are stored in multiple domains, you must configure OUD to support multiple EUS domains. For example, a single OUD instance contains two EUS domains. One EUS domain stores users entries in Active Directory below cn=users,dc=ad1,dc=com
. A second EUS domain stores user entries in a different Active Directory instance below cn=users,dc=ad2,dc=com
. You must configure OUD to support each EUS domain.
To configure OUD to support multiple EUS domains:
-
Configure OUD as if the primary domain is the single domain containing all your users and groups.
In this example, the primary domain is
dc=ad1,dc=com
.Complete the tasks in Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security.
-
Configure the secondary domain.
In this example, the secondary domain is
dc=ad2,dc=com
.For this secondary domain, complete the steps in Configuring User Identities in the External LDAP Directory.
-
Create a new naming context for the EUS domain, which is
dc=ad2,dc=com
in this example.Complete the steps in Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using OUDSM.
-
Update the Oracle context with the new naming context.
-
Create an LDIF file.
In the following
myconfig.ldif
example, make the following substitutions:-
Replace
dc=ad1,dc=com
with the DN of your first domain. -
Replace
orclcommonusersearchbase
with the users location in the secondary domain.dn: cn=Common,cn=Products,cn=OracleContext,dc=ad1,dc=com changetype: modify add: orclcommonusersearchbase orclcommonusersearchbase: cn=users,dc=ad2,dc=com
-
Replace
orclcommongroupsearchbase
with the groups location in the secondary domain.dn: cn=Common,cn=Products,cn=OracleContext,dc=ad1,dc=com changetype: modify add: orclcommongroupsearchbase orclcommongroupsearchbase: cn=groups,dc=ad2,dc=com
-
-
Update OUD configuration using the LDIF file you created in step 4a.
ldapmodify -h oudhost -p 1389 -D "cn=directory manager" -w password -f myconfig.ldif
-
31.5.2 Using Oracle Unified Directory and Enterprise User Security in High Availability Topologies
You can achieve high availability among two or more OUD instances that have been integrated with Enterprise User Security. First, integrate OUD with Enterprise User Security. Then configure replication among the integrated OUD instances. Once configured, replication takes place among Enterprise User Security metadata (in either directory server or directory proxy) and the OUD server users and groups.
Configuring an integrated OUD LDAP server for replication is the same as configuring an integrated OUD Proxy server with one exception: the list of suffixes to be replicated is different.
When an integrated OUD instance is configured as an LDAP server, the following suffixes are replicated:
cn=oraclecontext
cn=oraclecontext,dc=example,dc=com
dc=example,dc=com
When an integrated OUD instance is configured as a Proxy server, the following suffixes are replicated:
cn=oraclecontext
cn=oraclecontext,dc=example,dc=com
Note:
If you are using Oracle Data Guard or Oracle Real Application Clusters or high availability, each database instance must be configured using NetCA and DBCA.
To configure OUD-EUS integrated instances for high availability:
31.6 Best Practices for Employing EUS Admin User
Enterprise User Security (EUS) requires a privileged user who can make changes to database information within the directory and reset users’ passwords. Although the root DN user (cn=Directory Manager
for OUD/ODSEE or cn=orcladmin
for OID/OVD) of a directory could do this, the best practice should be to use a least privileged user to administer EUS. This user is referred as the EUS Admin User (cn=eusadmin
).
See:
31.6.1 Overview of EUS Admin User
Enterprise User Security (EUS) requires a privileged user who can make changes to database information within the directory and reset users’ passwords. Although the root DN user (cn=Directory Manager
for OUD/ODSEE or cn=orcladmin
for OID/OVD) of a directory could do this, the best practice is to use a least privileged user to administer EUS. This user is referred as the EUS Admin User (cn=eusadmin
).
The location of this user in the DIT structure is also important. If you place the EUS Admin User in any branch beyond the "cn=OracleContext, <Suffix>"
branch in OUD, then the EUS Admin User will not be able to change their password because of constraints in the EUScontext workflow element. You should place the EUS Admin User in a local backend, so that it can be granted the password-reset privilege. If the implementation stores users and groups within a local backend, you can store the EUS Admin User in that backend. However, if the implementation proxies the users and groups through to a separate backend directory service, you should not store the user there. There is one other local backend suffix in the OUD instance that will exist for all OUD EUS deployments. That is the cn=OracleContext
local backend. Although not required, it might be the best to place the EUS Admin users under cn=OracleContext
for consistency.
Here is a sample EUS admin user:
dn: cn=eusadmin,ou=EUSAdmins,cn=OracleContext objectClass: top objectClass: organizationalperson objectClass: inetorgperson uid: cn=eusadmin,ou=EUSAdmins,cn=OracleContext cn: eusadmin sn: EUS givenName: Admin userPassword: password ds-privilege-name: password-reset ds-privilege-name: unindexed-search
31.6.2 Updating EUS Realm to Grant Administrative Privileges to EUS Admin Users
You must update the EUS Realm to grant administrative privileges to the EUS Admin Users. You can do this by making them a member of the respective EUS Administrative Groups.
The following example shows how to add the new EUS admin user cn=eusadmin,ou=EUSAdmins,cn=OracleContext
to OracleContextAdmins
groups. You can use this example as a reference to create the LDIF file to add the new user to all the required groups as per the Enterprise User Security Administrator's Guide.
See Administrative Groups in the Enterprise User Security Administrator's Guide to know about the respective EUS Administrative Groups.
dn: cn=OracleContextAdmins,cn=Groups,cn=OracleContext changetype: modify add: uniqueMember uniqueMember: cn=eusadmin,ou=EUSAdmins,cn=OracleContext dn: cn=OracleContextAdmins,cn=groups,cn=OracleContext,dc=example,dc=com changetype: modify add: uniqueMember uniqueMember: cn=eusadmin,ou=EUSAdmins,cn=OracleContext
31.6.3 Creating and Applying Password Policy for EUS Admin Users
If you run Oracle Database 12c with EUS, you would need the EUS Admin User to support the SASL DIGEST-MD5 authentication scheme. This requires that the uid value of the user be set to the full DN of that user and that the password policy for the EUS Admin Users include a reversible encryption storage scheme for the users’ password such as AES, Base64, Blowfish, Clear, RC4 or TripleDES. So, you must create a password policy for the EUS Admin Users and apply that policy to the EUS Admin Users.
31.7 Understanding Enterprise User Security Password Warnings
Password policies are a set of rules that apply to all user passwords in an identity management realm. Password policies include settings for password complexity, minimum password length, and so forth. They also include account lockout and password expiration settings.
The database communicates with Oracle Unified Directory and requests the Oracle Unified Directory to report any password policy violations. If the database gets a policy violation response from Oracle Unified Directory, then it displays the appropriate warning or error message to the user. The following table summarizes password warnings and their meanings.
Table 31-3 Password Warnings
Warning Condition | Message Example |
---|---|
The user password is about to expire. Message indicates the number of days left for the user to change his or her password. |
SQL> connect joe/Admin123 ERROR: ORA-28055: the password will expire within 1 days Connected. |
The password has expired and informs the user about the number of grace logins that remain. |
SQL> connect joe/Admin123 ERROR: ORA-28054: the password has expired. 1 Grace logins are left Connected. |
The user password has expired and the user does not have any grace logins left. |
SQL> connect joe/Admin123 ERROR: ORA-28049: the password has expired |
The user account has been locked due to repeated failed attempts at login. |
SQL> connect joe/Admin123 ERROR: ORA-28051: the account is locked |
The user account has been disabled by the administrator. |
SQL> connect joe/Admin123 ERROR: ORA-28052: the account is disabled |
The user account is inactive. |
SQL> connect joe/Admin123 ERROR: ORA-28053: the account is inactive |
Enterprise user login attempts to the database update the user account status in Oracle Unified Directory or any supported external LDAP-compliant directory. For example, consecutive failed login attempts to the database results in the account getting locked in the directory, as per the directory's password policy.
31.8 Troubleshooting Issues after Integrating OUD and Enterprise User Security
You may encounter problems after integrating OUD and Enterprise User Security and need information on how to troubleshoot those problems.
These topics suggest solutions to issues you may encounter after integrating OUD and Enterprise User Security:
31.8.1 Resolving Net Configuration Assistant Tool Error Messages
Find out how to resolve error messages reported by the Net Configuration Assistant (NetCA) Tool while integrating OUD and Enterprise User Security.
The following topics describe the Net Configuration Assistant (NetCA) Tool error messages and solutions:
31.8.1.1 Resolving LDAP Server Connection Error
If the NetCA fails to connect to the directory then the Oracle Net Configuration Assistant screen displays the following error message:
To resolve this error, verify that the host name and port number are correct by running the following command on the command line:
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b "" -s base "(objectclass=*)" dn: objectClass: top objectClass: ds-root-dse $ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X -b "" -s base "(objectclass=*)" dn: objectClass: top objectClass: ds-root-dse
31.8.1.2 Resolving Schema Error
If the required schema is not available or the version number is incorrect then the Oracle Net Configuration Assistant screen displays the following error message:
To resolve this error, ensure that you can access Oracle Unified Directory anonymously and that it contains the cn=subschemasubentry
entry:
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X -b cn=subschemasubentry -s base "(objectclass=*)" dn: cn=subschemasubentry objectClass: top objectClass: ldapSubentry objectClass: subschema
If the Oracle Unified Directory is not enabled for Enterprise User Security then the cn=subschemasubentry
entry will not be available. To enable Enterprise User Security, see "Setting up the Directory Server by Using the GUI" in the Installing Oracle Unified Directory.
If the cn=subschemasubentry
is not accessible anonymously then ensure that the following ACI is defined in the Oracle Unified Directory as a global ACIs:
(target="ldap:///cn=subschemasubentry")(targetscope="base") \ (targetattr="objectClass||attributeTypes||dITContentRules||dITStructureRules| \ |ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses") \ (version 3.0; acl "User-Visible SubSchemaSubentry Operational Attributes"; \ allow (read,search,compare) userdn="ldap:///anyone";)
For more information, see Managing Global ACIs Using dsconfig.
31.8.2 Resolving Database Configuration Assistant Error Messages
Find out how to resolve error messages reported by the Database Configuration Assistant (DBCA) while integrating OUD and Enterprise User Security.
The following topics describe the Database Configuration Assistant (DBCA) error messages and solutions:
31.8.2.1 Resolving TNS-04409 error / TNS-04427: SSL access to the Directory Server
This error message appears if SSL is not enabled for Oracle Unified Directory.
To resolve this error, check if SSL is enabled for Oracle Unified Directory by running the following command on the command line:
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X -b "" -s base "(objectclass=*)" dn: objectClass: top objectClass: ds-root-dse
For more information, see Configuring Security Between Clients and Servers
31.8.2.2 Resolving TNS-04409 error / TNS-04431: Required suffixes
This error message appears if the suffixes are not available.
To resolve this error, ensure that the suffixes are created, as described in "Setting up the Directory Server by Using the GUI" in the Installing Oracle Unified Directory.
31.8.2.3 Resolving TNS-04411 error when registering the DB with a user different from cn=directory manager
This error message appears if you specify a different user name other then cn=directory manager
during database registration.
To resolve this error, ensure that the user has password reset privilege, and the user entry contains one of the following uniqueMember
attributes:
-
cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
-
cn=oraclenetadmins,dc=oraclecontext,dc=eusovd,dc=com
Run the following command on the command line:
$ OracleUnifiedDirectory/bin/ldapmodify -h $LDAPSERVER -p $LDAPPORT -D $DN -w $PWD dn: cn=newadmin,ou=people,dc=eusovd,dc=com changetype: modify add: ds-privilege-name ds-privilege-name: password-reset Processing MODIFY request for cn=newadmin,ou=people,dc=eusovd,dc=com MODIFY operation successful for DN cn=newadmin,ou=people,dc=eusovd,dc=com dn: cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com changetype: modify add: uniquemember uniquemember: cn=newadmin,ou=people,dc=eusovd,dc=com Processing MODIFY request for cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com MODIFY operation successful for DN cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com dn: cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com changetype: modify add: uniquemember uniquemember: cn=newadmin,ou=people,dc=eusovd,dc=com Processing MODIFY request for cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com MODIFY operation successful for DN cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
31.8.3 Resolving Oracle SQL Error Messages
Find out how to resolve error messages reported by Oracle SQL while integrating OUD and Enterprise User Security.
The following topics describe the Oracle SQL error messages and solutions:
31.8.3.1 Resolving ORA-28030: Server encountered problems accessing LDAP directory service
This error message appears, if there is a problem with the connection between the database and the directory.
To resolve this issue:
-
Check that the database wallet has auto-login enabled. Either use Oracle Wallet Manager or check that there is a
cwallet.sso
file in$ORACLE_HOME/admin/<ORACLE_SID>/wallet/
. -
Check the DN and password of the user entry by running the following commands:
$ mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -viewEntry ORACLE.SECURITY.DN Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: ******** ORACLE.SECURITY.DN = cn=orcl11gr2,cn=OracleContext,dc=eusovd,dc=com $ mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -viewEntry ORACLE.SECURITY.PASSWORD Oracle Secret Store Tool : Version 11.2.0.2.0 - Production Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Enter wallet password: ******** ORACLE.SECURITY.PASSWORD = zQ7v4ek3
-
Check that the database can connect to the directory server using the following command:
$ oracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b cn=common,cn=products,cn=oraclecontext,$BASEDN "(objectclass=*)" orclcommonusersearchbase orclcommongroupsearchbase orclcommonnicknameattribute orclcommonnamingattribute dn: cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com orclcommonusersearchbase: ou=people,dc=eusovd,dc=com orclcommongroupsearchbase: ou=groups,dc=eusovd,dc=com orclcommonnicknameattribute: uid orclcommonnamingattribute: cn
If the connection to the directory server fails, then you must do the following:
-
Ensure that the database entry exists in the Directory Server.
-
Ensure that the database entry contains a password in the
orclcommonrpwdattribute
, by running the following command:$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b cn=oraclecontext,$BASEDN -s one "(objectclass=orcldbserver)" orclcommonrpwdattribute dn: cn=orcl11gr2,cn=OracleContext,dc=eusovd,dc=com orclcommonrpwdattribute: {SASL-MD5}KvIVAyYahxnHWdlfN649Kw==
If the entry is missing or does not contain a password then you must use DBCA, as described in Registering the Database in the LDAP Server.
-
31.8.3.2 Resolving ORA-01017: invalid username/password; logon denied
This error message appears, if an invalid username or password is provided.
To resolve this error, specify the correct username and password.
31.8.3.3 Resolving ORA-28274: No ORACLE password attribute corresponding to user nickname exists
This error message appears, when the database finds a corresponding user but cannot compare its password with the password supplied to SQL.
To resolve this issue:
31.9 Disabling the Existing Anonymous ACIs in Upgraded Environments
When Oracle Unified Directory is used as the directory for Enterprise User Security, before 12.2.1.3.0, anonymous ACI was granted for EUS integration. In such upgraded environments, the existing anonymous global-aci in Oracle Unified Directory can be modified as follows to restrict anonymous search requests to Oracle Unified Directory.
"dc=oracle,dc=com"
in the example should be replaced with the actual deployment specific DN.
(target="ldap:///dc=oracle,dc=com")(targetattr!="userpassword||authpassword||aci")(targetfilter="(objectclass=orclContext)")(version 3.0; acl "Anonymous read access to subtree";allow (read,search,compare) userdn="ldap:///anyone";) (target="ldap:///dc=oracle,dc=com")(targetattr="*")(version 3.0; acl "EUS reads authpassword"; allow (read,search,compare) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)
When Oracle Unified Directory Proxy is used to work with an External LDAP Directory and Enterprise User Security, the following virtual-acis can be added to restrict anonymous search requests to Oracle Unified Directory Proxy. "dc=oracle,dc=com"
in the example should be replaced with the actual deployment specific DN.
(target="ldap:///dc=oracle,dc=com")(targetattr="*")(version 3.0; acl "EUS reads users"; allow (read,search,compare) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";) (target="ldap:///dc=oracle,dc=com")(targetattr="orclaccountstatusevent")(version 3.0; acl "EUS write orclaccountstatusenabled"; allow (write) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";) (target="ldap:///dc=oracle,dc=com")(targetattr="*")(version 3.0; acl "Proxy self entry access"; allow (read,search,compare,write) userdn="ldap:///self";)