Integrating Oracle Unified Directory with Oracle Enterprise User Security

31.1 Understanding How Oracle Enterprise User Security Works with Oracle Unified Directory

Oracle Enterprise User Security enables you to centrally manage database users across the enterprise. You can create enterprise users in an LDAP-compliant directory service, and then assign roles and privileges across various enterprise databases registered with the directory.

Users connect to Oracle Database by providing credentials stored in Oracle Unified Directory or other external LDAP-compliant directory front-ended by Oracle Unified Directory proxy server. The database executes LDAP search operations to query user specific authentication and authorization information. For more information, see Configuration 6: Enterprise User Security.

Integrating Oracle Unified Directory and Enterprise User Security enhances and simplifies your authentication and authorization capabilities by allowing you to leverage user identities stored in LDAP-compliant directory service without any additional synchronization.

For more information about Oracle Enterprise User Security, see the Oracle Database Enterprise User Security Administrator's Guide.

31.2 Understanding the Options Before Integrating Oracle Unified Directory with Oracle Enterprise User Security

Before you integrate Oracle Unified Directory with Oracle Enterprise User Security, you should consider what role Oracle Unified Directory will play in your topology. Also consider other business requirements for your enterprise.

Before you begin integration, review all tasks and steps required for the various integration options.

Is OUD used as a directory server or as a directory proxy in the topology?

When you use OUD as a directory server, installation is straightforward, and configuration is contained in OUD. For more information, see Configuring Oracle Directory Server as a Directory for Enterprise User Security.

When you use OUD as a directory proxy, you must take additional steps to configure the external LDAP-compliant directory that stores user entries. For more information, see Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security.
Are you configuring an existing directory or proxy instance, or installing a new instance?

If you are configuring an existing directory or proxy instance to work with Enterprise User Security, you will need to complete some configuration steps manually. See the following for more information:
- Configuring Oracle Unified Directory to Work with Enterprise User Security
- Configuring User Identities in the External LDAP Directory
If you are installing a new directory or proxy instance, you can choose the Enterprise User Security option during setup. The new instance is automatically configured to EUS integration. See the following for more information:
- Installing and Configuring a New Oracle Unified Directory Instance to Work with Enterprise User Security
- Configuring Oracle Unified Directory Proxy to Work with Enterprise User Security
Additional business requirements for you to consider.

See the following for more information:
- Configuring OUD to Support Multiple Enterprise User Security Domains
- Using Oracle Unified Directory and Enterprise User Security in High Availability Topologies

31.3 About the Prerequisites Before Integrating Oracle Unified Directory with Oracle Enterprise User Security

Make sure you review the prerequisites before integrating Oracle Unified Directory with multiple Oracle products, as well as any external LDAP-compliant directory you may have in your topology.

Before you begin, ensure that you can access the following components as well as the current documentation that goes with them:

Oracle Unified Directory, OUDSM, oud-setup and oud-proxy-setup commands
Oracle Enterprise User Security Net Configuration Assistant
Database Configuration Assistant for Oracle Database
Enterprise Manager for Oracle Database
Supported LDAP directories (Microsoft Active Directory, Novell eDirectory, Oracle Unified Directory, or Oracle Directory Server Enterprise Edition) you have in your topology

31.4 Enabling Oracle Unified Directory and Oracle Enterprise User Security to Work Together

Follow these step-by-step instructions for integrating Oracle Unified Directory with Oracle Enterprise User Security.

31.4.1 Configuring Oracle Directory Server as a Directory for Enterprise User Security

Follow these tasks to configure Oracle Unified Directory Server as a directory for Enterprise User Security.

To configure Oracle Directory Server as a directory for Enterprise User Security, complete the tasks described in the following table:

Table 31-1 List of Tasks to configure Oracle Directory Server as a directory for Enterprise User Security

Task #	Link
Task 1	Configuring Oracle Unified Directory to Work with Enterprise User Security
Task 2	Configuring the User and Groups Location
Task 3	Selecting the Oracle Context to be Used by Enterprise User Security
Task 4	Registering the Database in the LDAP Server
Task 5	Configuring Roles and Permissions
Task 6	Testing the Database Configurations

31.4.1.1 Configuring Oracle Unified Directory to Work with Enterprise User Security

If you already have an existing Oracle Unified Directory instance installed and provisioned, then complete the steps in one of these sections:
- Configuring an Existing Oracle Unified Directory Server to Work with Enterprise User Security Using the Command Line
- Configuring an Existing Oracle Unified Directory Server to Work with Enterpriser User Security Using OUDSM
If you do not already have an Oracle Unified Directory installed and provisioned, then complete the steps in the following section Installing and Configuring a New Oracle Unified Directory Instance to Work with Enterprise User Security

31.4.1.1.1 Installing and Configuring a New Oracle Unified Directory Instance to Work with Enterprise User Security

You can run the oud-setup program using either the command line or the graphical user interface.

To run oud-setup with following --cli option. For example:
```
$ oud-setup --cli --integration eus --no-prompt --ldapPort 1389\
 --adminConnectorPort 4444 -D "cn=directory manager"\
 --rootUserPasswordFile pwd.txt --ldapsPort 1636\
 --generateSelfSignedCertificate --baseDN "dc=example,dc=com" 
```
For detailed information about using oud-setup and all its options, see "Setting Up the Directory Server" in the Oracle Fusion Middleware Installation Guide for Oracle Unified Directory

During setup, the baseDN specified in the --baseDN option is prepared for EUS. If you specify multiple base DNs, they will all be prepared for EUS.

Using the above command, you can configure OUD instance to use Salted SHA-1 password storage scheme. However, you can configure OUD to use the more secure EUS PBKDF2 SHA512 password storage scheme, which encodes password using SHA-512 based algorithm.

In order to do so, run the oud-setup command using eusPasswordScheme argument with value "sha2". For example:
```
oud-setup --cli --integration eus --no-prompt --ldapPort 1389\
 --adminConnectorPort 4444 -D "cn=directory manager"\
 --rootUserPasswordFile pwd.txt --ldapsPort 1636\
 --generateSelfSignedCertificate --baseDN "dc=example,dc=com" --eusPasswordScheme sha2
```
Note:
- You can configure Oracle Unified Directory to use EUS PBKDF2 SHA512 password storage scheme only if your Oracle RDBMS version supports it. Oracle recommends that you contact your Database Administrator to validate if the RDBMS supports Multi-Round SHA-512 based password verifier.
- You can configure OUD to use EUS PBKDF2 SHA512 password storage scheme only using CLI option. The same is not supported in GUI mode.
To use the graphical user interface:
1. Run the oud-setup command
2. In the Welcome page, click Next.
3. In the Server Settings page, provide the following information:
  1. Host Name
    
    This is the server that hosts the Oracle Unified Directory instance that stores users and groups.
  2. Administration Connector Port
    
    This is the administration port used by OUD tools such as dsconfig.
  3. LDAP Listener Port
    
    Specify the port used by OUD.
  4. LDAP Secure Access
    
    Click Configure to enable secure access.
    
    In the Configure Secure Access window, click to mark the Enable SSL on Port check box. Then enter a port number for LDAPS, and click OK to continue.
  5. Root User DN
    
    This is the identity of the server administrator
  6. Password
    
    Enter a password to be used by the server administrator.
  7. Password (confirm)
    
    Enter the password a second time to confirm.
  Click Next to continue.
4. In the Topology Options page, be sure the option "This will be a stand alone server" is selected, and click Next.
5. In the Directory Data page, provide the following information:
  1. Directory Base DN
    
    Enter the base DN where you will store user entries.
  2. Directory Data
    
    Do not choose the option "Leave Database Empty." Choose one of the following options:
    - "Only Create Base Entry" creates an entry with the base DN specified previously.
    - "Import Data from LDIF File" imports LDIF data from the file specified in the Path field.
    - "Import Automatically-Generated Sample Data" generates the number of sample entries specified in the Number of User Entries field.
    Click Next.
6. In the Oracle Components Integration page, choose the option "Enable for EUS (Enterprise User Security), EBS, Database Net Services and DIP." This option also enables the server for Database Net Services.
  
  Click Next to continue.
7. In the Server Tuning page, you can configure your tunings or click Next.
  
  See the Installation Guide for information about tuning configurations.
8. In the Review page, review your settings, and click Finish.
  
  A new instance of Oracle Unified Directory is installed, configured, and then started.

31.4.1.1.2 Configuring an Existing Oracle Unified Directory Server to Work with Enterprise User Security Using the Command Line

You can configure an existing naming context for EUS, or you can create and configure a new naming context for EUS.

To use an existing naming context for EUS, run the manage-suffix update command. For example:
```
$ manage-suffix update -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus 
```
This command-line will configure the naming context specified as baseDN for EUS.

Using the above command, you can configure OUD to use Salted SHA-1 password storage scheme. However, you can configure OUD to use the more secure EUS PBKDF2 SHA512 password storage scheme, which encodes password using SHA-512 based algorithm. In order to do so, run the manage-suffix update command using eusPasswordScheme argument with value "sha2". For example:
```
$ manage-suffix update -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus
--eusPasswordScheme sha2
```
To create a new naming context for EUS, run the manage-suffix create command. For example:
```
$ manage-suffix create -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus
```
Using the above command, you can configure OUD to use Salted SHA-1 password storage scheme. However, you can configure OUD to use the more secure EUS PBKDF2 SHA512 password storage scheme, which encodes password using SHA-512 based algorithm. In order to do so, run the manage-suffix create command using eusPasswordScheme argument with value "sha2". For example:
```
$ manage-suffix create -h host -p adminPort -D "cn=directory manager" -j pwd.txt -X -n -b baseDN --integration eus 
--eusPasswordScheme sha2
```

Note:

You can configure Oracle Unified Directory to use EUS PBKDF2 SHA512 password storage scheme only if your Oracle RDBMS version supports it. Oracle recommends that you contact your Database Administrator to validate if the RDBMS supports Multi-Round SHA-512 based password verifier.

For more information about the manage-suffix command, see Managing Suffixes Using manage-suffix.

31.4.1.1.3 Configuring an Existing Oracle Unified Directory Server to Work with Enterpriser User Security Using OUDSM

Before you begin, ensure that the server instance has an LDAP connection handler that is enabled for SSL. If SSL is not enabled, add an LDAPS connection handler. For information about adding an LDAPS connection handler, see Managing the Server Configuration Using dsconfig, and Displaying the Properties of LDAP Connection Handler.

You can configure an existing naming context for EUS, or you can create and configure a new naming context for EUS.

To configure an existing naming context for EUS using OUDSM:
1. Connect to the directory server from OUDSM.
2. Click the Configuration tab.
3. In the navigation pane on the left, below Naming Contexts, choose the naming context you want to use.
4. In the right pane, in the Oracle Components Integration section, choose Enable for Enterprise User Security (EUS) and click Apply.
To create and configure a new naming context for EUS using OUDSM:
1. Connect to the directory server from OUDSM, as described in Connecting to the Server Using OUDSM.
2. Click the Home tab.
3. Under the Configuration menu, choose Create Local Naming Context.
4. In the New Local Naming Context window, provide the following information:
  1. Base DN
    
    Type a name for the suffix that you want to create. You cannot enable EUS on an existing suffix that has already been populated with user data.
  2. Directory Data Options
    
    Choose one of the following:
    
    Only Create Base Entry creates the database along with the base entry of the suffix. Any additional entries must be added after suffix creation.
    
    Leave Database Empty creates an empty database. Do not select this option.
    
    When you use this option, the base entry and any additional entries must be added after suffix creation. But for this configuration, the suffix must contain at least one entry.
    
    Import Generated Sample Data populates the suffix with sample entries.
    
    Specify the number of entries that should be generated in the Number of User Entries field. You can import a maximum of 30,000 sample entries through OUDSM. If you want to add more than 30,000 entries, you must use the import-ldif command.
  3. Oracle Components Integration
    
    To enable the new suffix, for Enterprise User Security (EUS), select Enable.
  4. Network Group
    
    Attach the suffix to at least one network group:
    
    To attach the suffix to an existing network group: Choose Use Existing, and then choose the required network group from the list.
    
    To attach the suffix to a new network group: Select Create New, and then in the Name field, type a name for the network group you want to create.
    
    You can attach the same suffix to several network groups.
  5. Workflow Element
    
    Attach the suffix to the workflow element.
    
    To attach the suffix to an existing workflow element: Choose Use Existing, and then choose the required workflow element from the list.
    
    The suffix is stored inside the same database Local Backend workflow element, and will have the same properties such as an instance path to Berkeley DB files.
    
    To attach the suffix to a new workflow element: Choose Create New, and then in the Name field, type a name for the workflow element you want to create.
    
    You can configure this new workflow element with additional other values such as Berkeley DB files, database cache size, and so on.
5. Click Create.
  
  The following confirmation message is displayed:
  
  Naming Context created successfully.

Note:

After creating and configuring a naming context for EUS, the Oracle Unified Directory 12c configuration can be updated to enable the TNS Aliasing capability.

You must manually run the dsconfig command to set up the TNS Aliasing feature by adding the eus-alias-resolution workflow element into the global cn=OracleContext and also the cn=OracleContext,<EUS Realm> workflow chains. See Enabling TNS Alias Support for EUS-enabled Configurations in Installing Oracle Unified Directory.

31.4.1.2 Configuring the User and Groups Location

After Oracle Unified Directory has been configured for EUS or Oracle E-Business Suite, you must configure the naming context used to store the users and the groups by performing the following steps:

Locate the LDIF template file at install_directory/config/EUS/modifyRealm.ldif.
Edit the modifyRealm.ldif file as follows:
- Replace dc=example,dc=com with the correct naming context for your server instance.
- Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.
Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:
```
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -f modifyRealm.ldif
```
Note:
Ensure that you specify the port number on which the LDAP Connection Handler will listen for connections from clients (For example, 1389) and not the administration port number which is 4444.

31.4.1.3 Selecting the Oracle Context to be Used by Enterprise User Security

Enterprise User Security stores its configuration, also called EUS metadata, in an Oracle Context which corresponds to a part of the Directory Information Tree. If your user entries are stored below dc=example,dc=com, then EUS is usually configured to use cn=OracleContext,dc=example,dc=com as Oracle Context.

Use Oracle Net Configuration Assistant to indicate where EUS should read its configuration.

To start the Oracle Net Configuration Assistant, run the netca command on the host where the database is installed.
On the Welcome page, select "Directory Usage Configuration," and click Next.
On the subsequent pages, provide the following information:
- Directory Type
  
  Select "Oracle Internet Directory" even if the LDAP server is an Oracle Virtual Directory or an Oracle Unified Directory.
  
  Click Next.
- Hostname
  
  Enter the hostname or IP address of the server hosting your LDAP server.
- Port
  
  Enter the LDAP port number.
- SSL Port
  
  Enter the LDAPS port number.
- Oracle Context
  
  Do not select cn=OracleContext. Instead, click the arrow to display and choose the location of your OracleContext.
  
  Click Next.
When the following message is displayed, click Next: "Directory usage configuration complete!"
When the Welcome page is displayed, click Finish.
To verify that the Net Configuration Assistant has successfully created the configuration file containing the LDAP server information, run the following command:
```
# cat $ORACLE_HOME/network/admin/ldap.ora
# ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
# Generated by Oracle configuration tools.
DIRECTORY_SERVERS= (oudhost:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
```
The configuration file used by the database contains the hostname and port of the LDAP server. In this example, the information is represented as: (oudhost:1389:1636). You can specify multiple servers, separated by commas, for high availability deployments. See Using Oracle Unified Directory and Enterprise User Security in High Availability Topologies.

In this example, dc=example,dc=com represents the Oracle Context used to store the EUS configuration, also known as the EUS metadata.

31.4.1.4 Registering the Database in the LDAP Server

Use the Database Configuration Assistant for Oracle Database to complete this task.

Run the dbca command on the host where the database is installed.
The Database Configuration Assistant for Oracle Database is displayed. Click Next, then provide the following information in the subsequent pages:
- Select the operation you want to perform
  
  Choose "Configure Database Option," then click Next.
- Database
  
  In the list box, select the database you want to register. Then click Next.
  
  Database Configuration Assistant determines if the database is already registered in the LDAP server.
- Would you like to register this database with the directory service?
  
  Choose "Yes, register the database." Database Configuration Assistant will create an entry for the database in the Oracle Context.
- User DN
  
  The user DN will be used to authenticate to the LDAP server. The user DN is also used in the add operation, which creates the database entry in the Oracle Context. The user must have write access to the LDAP server.
- Password
  
  Database Configuration Assistant creates a wallet for the database. The database entry DN and password will be stored in the wallet. When the database connects to the LDAP server, it will authenticated using credentials stored in this wallet.
- Database Components
  
  Make no changes to this page, and click Next.
- Connection Mode
  
  Choose "Dedicated Server Mode," then click Finish.
- Confirmation
  
  Click OK to register the database.
- Do you want to perform another operation?
  
  Click No to exit the Database Configuration Assistant application.

To verify that Database Configuration Assistant successfully created a new entry for the database, run the following command, where cn=orcl11g is the name of the database specified in the previous step:

$ ldapsearch -h oudhost -p 1389 -D "cn=directory manager" -j pwd.txt -b cn=oraclecontext,dc=example,dc=com "(cn=orcl11g)"
dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
orclVersion: 112000
orclcommonrpwdattribute: {SASL -MD5}eW5+2LTPRKzFmHxmMZQmnw==
objectClass: orclApplicationEntity
objectClass: orclService
objectClass: orclDBServer_92
objectClass; orclDBServer
objectClass: top
orclServiceType: DB
orclSid: orcl11g
oracleHome: /app/oracle/product/db/product/11.2.0/dbhome_1
cn: orcl11g
orclSystemName: oudhost 
userPassord: {SSHA}oNeBEqkUMtDusjXNXJPpa7qa+Yd0b9RHvA==
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST)=oudhost)
(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl11g)))
orclDBGLOBALNAME: orcl11g
orclNetDescName: 000:cn=	DESCRIPTION_0

31.4.1.5 Configuring Roles and Permissions

The following topics provide the steps to configure roles and permissions using Oracle Enterprise Manager:

31.4.1.5.1 Creating a Shared Schema in the Database

Run the following SQL commands:

SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
User created.
SQL> GRANT CONNECT TO global_ident_schema_user;
Grant succeeded.

31.4.1.5.2 Creating a New User-Schema Mapping

Note:

Before performing the steps mentioned in this procedure, see Configuring Password Policy for Oracle Unified Directory Administrator.

To create a new user schema mapping:

In a web browser, connect to Enterprise Manager. For example:

https://localhost:1158/em

Provide the following, then click Login.
- User Name
  
  Enter the name of a user who is authorized to administer the database.
- Password
  
  Enter the administrator password.
- Connect As
  
  Choose SYSDBA.
  
  Click Login.
Click the Server tab.

On the Server tab, in the Security section, click Enterprise User Security.
In the "Oracle Internet Directory Login: Enterprise User Security" page, provide the following information:
- User
  
  Enter the username of a user, for example cn=directory manager, who has write access to Oracle Context.
- Password
  
  Enter the password for the same user.
Click Login.
On the Enterprise User Security page, click Manage Enterprise Domains.

An Enterprise Domain can contain one or more databases. The settings for an Enterprise Domain apply to all databases it contains.
On the Manage Enterprise Domains page, select the domain you want to configure, then click Configure.
On the Configure Domain page, click "User - Schema Mappings."
On the User - Schema Mappings page, click Create.
To create a domain-schema mapping, on New Mapping page provide the following information:
1. From
  
  You can associate a global schema to all the users in a given subtree, or to a given user.
  
  To associate a global schema to all users in a given subtree:
  
  1. Choose Subtree, then click the flashlight icon to search for available subtrees.
  
  2. In the Select User page, select a subtree.
  
  3. Enterprise users below the DN you select will be mapped to the same global schema. Click Select.
  
  To associate a global schema to a given user:
  
  1. Choose User Name, then click the flashlight icon to search for available users.
  
  2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema. Click Select.
2. To
  
  1. In the Schema field, enter the name of the global schema.
  
  2. For example, global_ident_schema_user.
Click Continue.
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.

31.4.1.5.3 Creating a Role in the Database

For this example, a role named hr_access, is created. The role grants read access to the table hr.employees.

To create a role in the database:

SQL> CREATE ROLE hr_access IDENTIFIED GLOBALLY;
Role created.
SQL> GRANT SELECT ON hr.employees TO hr_access;
Grant succeeded.

For more information, see the Oracle Database documentation.

31.4.1.5.4 Creating a New Role in the Domain

To create a new role in the domain:

On the Manage Enterprise Domains page, select the domain in which you want to create the role, then click Configure.
On the Configure Domain page, click Enterprise Roles. Click Create.
On the Create Enterprise Role page, provide the following information:
1. In the Name field, provide a name for your enterprise role.
2. In the DB Global Roles tab, click Add.
In the Search And Select: Database Global Roles page, provide the following information:
- Database
  
  Choose the database from the drop-down list.
- User Name
  
  Enterprise Manager will retrieve the available roles from the database. Enter a username of an administrator, for example SYS AS SYSDBA, who is authorized to access the roles.
- Password
  
  Enter the administrator password.
Click Go.
In the "Search and Select: Database Global Roles" page, choose the global role you want to grant to Enterprise Users.

Click Select.
In the Create Enterprise Role page, select the Enterprise user or groups to which you will grant the Enterprise Role, then click the Grantees tab.
On the Grantees tab, to select Enterprise users or groups click Add.
In the "Select: Users and Groups" page, click Go. Enterprise Manager retrieves available Users and Groups.
- View
  
  You can search for users or groups.
- Search Base
  
  Enterprise Manager begins the search at this DN.
- Name
  
  Enter a string here to narrow down the search. For example, if you want to find a user whose name starts with jo, enter jo and Click Go.
  
  A table displays relevant entries. From the list, select the users and groups to which you want to grant the Enterprise Role, then click Select.
  
  Click Continue.
In the Configure Domain page, click OK to continue.
In the Edit Enterprise Role page, click Continue.
In the Configure Domain page, click OK.

After the role has been successfully created, click Configure.

31.4.1.5.5 Defining a Proxy Permission in the Database

To define a proxy permission on user SH, run the following command:

SQL> ALTER USER SH GRANT CONNECT THROUGH ENTERPRISE USERS;
User altered.

This command defines a proxy permission on user SH.

31.4.1.5.6 Creating a New Proxy Permission

To create a new proxy permission:

On the Configure Domain Information page, select the domain you want to configure, then click Configure.
On the Configure Domain page, click Proxy Permissions.
To create a new Proxy Permission, on the Proxy Permissions tab click Create.
On the Create Proxy Permission page, in the Name field, provide a name for your Proxy Permission.
On the Target DB Users tab, click Add.
On the "Search And Select: Database Target Users" page, provide the following information:
- Database
  
  Choose the database from the drop-down list.
- User Name
  
  Enter the username of an administrator, for example SYS AS SYSDBA, who is authorized to access the users.
- Password
  
  Enter the administrator password.
Click Go.

Enterprise Manager retrieves the available target users from the database.
In the Search and Select page, select the target user for the proxy permission, then click Select.
In the Create Proxy Permission page, click the Grantees tab.
On the Grantees tab, click Add.
On the Select Users and Groups page, click Go. Enterprise Manager retrieves available Enterprise Users.

In the Select: Users and Groups page, select the users to be granted Proxy Permission. Then click Select to continue.
On the Create Proxy Permission page, click Continue.
On the Configure Domain page, click OK to continue.

31.4.1.5.7 Configuring Mappings for a Specific Database

To configure mappings for a specific database:

On the Enterprise User Security page, click Manage Databases.
On the Manage Databases page, select the database you want to configure, and click Configure.
On the Configure Database page, click "User - Schema Mappings" tab.
On the "User - Schema Mappings" page, click Create.
To create a domain-schema mapping, on New Mapping page provide the following information:
1. From
  
  You can associate a global schema to all the users in a given subtree, or to a given user.
  
  To associate a global schema to all users in a given subtree:
  
  1. Choose Subtree, then click the flashlight icon to search for available subtrees.
  
  2. In the Select User page, select a subtree.
  
  3. Enterprise users below the DN you select will be mapped to the same global schema. Click Select.
  
  To associate a global schema to a given user:
  
  1. Choose User Name, then click the flashlight icon to search for available users.
  
  2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema. Click Select.
2. To
  
  1. In the Schema field, enter the name of the global schema.
  
  2. For example, global_ident_schema_user.
Click Continue.
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.

31.4.1.6 Testing the Database Configurations

At this point Enterprise User Security contains the following configurations:

A users-schema mapping granting a global schema to all users below dc=example,dc=com
An Enterprise Role granting HR_ACCESS to uid=user.0,ou=people,dc=example,dc=com
A Proxy Permission allowing uid=user.1,our=people,dc=example,dc=com to proxy user SH.

To test the database configurations:

Run sqlplus to connect to the database with user.0.
In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.0,ou=people,dc=example,dc=com in the LDAP server.
```
# sqlplus user.0
 
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
 
Copyright  (c) 1982, 2010, Oracle. All rights reserved.
 
Enter password:
 
Connected to: 
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
 
SQL> select * from session_roles;
 
 
Role
-------------------------------
CONNECT
HR_ACCESS
 
SQL>
```
In this example, the following are indications that the database is configured properly for users such as user.0.
- The line that starts with Connected to: indicates that authentication succeeded.
- The line that begins with SQL> select * from session_roles; enables the user to check the roles granted to himself.
- The database role HR_ACCESS is granted through the Enterprise Role.
Run sqlplus to connect to the database with user.1 credentials.
In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.
```
# sqlplus user.1
 
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
 
Copyright  (c) 1982, 2010, Oracle. All rights reserved.
 
Enter password:
 
Connected to: 
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
 
SQL> select * from session_roles;
 
 
Role
-------------------------------
CONNECT
 
 
SQL>
```
In this example, the following are indications that the database is configured properly for users such as user.1.
- The line that starts with Connected to: indicates that authentication succeeded.
- The line that begins with SQL> select * from session_roles; enables the user to check the roles granted to himself.
- The only database role is CONNECT, and it is granted through the Global Schema.
Run sqlplus to connect to the database a with user.1 credentials using a proxy permission as user SH.
In the following example, SQLPlus prompts for the user password.The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.
```
# sqlplus user.1[sh]
 
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
 
Copyright  (c) 1982, 2010, Oracle. All rights reserved.
 
Enter password:
 
Connected to: 
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
 
SQL> select * from session_roles;
 
 
Role
-------------------------------
RESOURCE
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
CWM_USER
 
 
SQL>
```
In this example, the following are indications that the database is configured properly for users such as user.1.
- The line that starts with Connected to: indicates that authentication succeeded.
- The line that begins with SQL> select * from session_roles; enables the user to check the roles granted to himself.
- The user user.1 inherits the roles of user SH through the proxy authentication.

31.4.2 Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security

Follow these tasks to configure Oracle Unified Directory Proxy to work with an External LDAP Directory and Enterprise User Security.

Table 31-2 List of tasks to configure Oracle Unified Directory Proxy

Task #	Link
Task 1	Configuring User Identities in the External LDAP Directory
Task 2	Configuring Oracle Unified Directory Proxy to Work with Enterprise User Security
Task 3	Configuring the Users and Groups Location
Task 4	Selecting the Oracle Context to be Used By Enterprise User Security
Task 5	Registering the Database in the LDAP Server
Task 6	Configuring Roles and Permissions
Task 7	Testing the Database Configurations

31.4.2.1 Configuring User Identities in the External LDAP Directory

Configure the existing user and group identities so they can be recognized by Enterprise User Security. Choose from the following based on your external LDAP directory:

31.4.2.1.1 Configuring User Identities in Microsoft Active Directory

To configure user identities in Microsoft Active Directory:

Make a back-up copy of your Active Directory image. The schema extensions inside of Active Directory are permanent and cannot be canceled. The back-up image enables you to restore all your changes if required.
Execute the following command to load the Enterprise User Security required schema, ExtendAD, into Active Directory using the Java classes included in Oracle Unified Directory.

The ExtendAD file is located in the $ORACLE_HOME/config/EUS/ActiveDirectory/ directory (UNIX) or ORACLE_HOME\config\EUS\ActiveDirectory\ directory (Windows). You can use the java executable in the ORACLE_HOME/jdk/bin directory.
```
java ExtendAD -h Active_Directory_Host_Name -p Active_Directory_Port 
-D Active_Directory_Admin_DN -w Active_Directory_Admin_Password
–AD Active_Directory_Domain_DN -commonattr
```
Example:
```
java ExtendAD -h myhost -p 389 -D cn=administrator,cn=users,dc=example,dc=com -w <pwd> -AD dc=example,dc=com -commonattr
```
Install the Oracle Unified Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:
1. Complete the following depending on your Windows:
  
  Windows 32-bit
  
  Copy OUD_HOME\config\EUS\ActiveDirectory\win\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.
  
  Windows 64-bit
  
  Copy OUD_HOME\config\EUS\ActiveDirectory\win64\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.
2. Use regedt32 or regedt64 to edit the registry and enable the oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.
3. Add oidpwdcn to the end of the Notification Packages entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry, for example:
```
RASSFM
KDCSVC
WDIGEST
scecli
oidpwdcn
```
  This step enables the password DLL and populates orclCommonAttribute attribute with the password verifier required by EUS.
4. Restart the Active Directory system after making these changes.
Reset the password for all the Active Directory users, allowing the plug-in to acquire the password changes and generate and store password verifiers.
Verify the Active Directory setup by performing the following steps:
1. Change the password of an Active Directory user.
2. Search Active Directory for the user you changed the password for. Verify the orclCommonAttribute attribute contains the generated hash password value.
  
  This value adds the orclCommonAttribute attribute definition in Active Directory.

Note:

Ensure that you modify the default password policy of the Oracle Unified Directory containing the Enterprise Users and the Enterprise Groups details. Do not modify the default password policy of the Oracle Unified Directory instance acting as the proxy server.

31.4.2.1.2 Configuring User Identities in Oracle Directory Server Enterprise Edition

Run ldapmodify command from Oracle Directory Server Enterprise Edition to enable extended operation for the account lock, as follows:

ldapmodify -h <ODSEE Server> -p <ODSEE port> -D <ODSEE Admin ID> -w <ODSEE Admin password>
dn: oid=1.3.6.1.4.1.42.2.27.9.6.25,cn=features,cn=config
changetype: add
objectclass: directoryServerFeature
oid: 1.3.6.1.4.1.42.2.27.9.6.25
cn: Password Policy Account Management

31.4.2.1.3 Configuring User Identities in Novell eDirectory

Enable the Universal Password in eDirectory, and allow the administrator to retrieve the user password.

See the Novell eDirectory documentation about Password Management for more information.

31.4.2.1.4 Configuring User Identities in Oracle Unified Directory

Modify the default password policy to use Salted SHA-1 as password storage scheme by running dsconfig command as follows:

./dsconfig -h <OUD host> -p <OUD admin port> -D <OUD dirmgr> -j <pwdfile>
-X -n set-password-policy-prop\
--policy-name "Default Password Policy"\ 
--set default-password-storage-scheme:"Salted SHA-1"

You can configure the default password policy to use a more secure and a robust password storage scheme, namely EUS PBKDF2 SHA-512 if your Oracle RDBMS version supports it. Oracle recommends that you contact your Database Administrator to validate if the RDBMS version deployed at your end supports Multi-Round SHA-512 based password verifier.

Note:

Ensure that you modify the default password policy of Oracle Unified Directory containing the Enterprise Users and the Enterprise Groups details. Do not modify the default password policy of the Oracle Unified Directory instance acting as the proxy server.

31.4.2.2 Configuring Oracle Unified Directory Proxy to Work with Enterprise User Security

If you do not already have an Oracle Unified Directory Proxy installed, complete the steps in one of these sections:

If you already have an Oracle Unified Directory Proxy instance installed, complete the steps in Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using OUDSM.

31.4.2.2.1 Installing and Configuring a New Oracle Unified Directory Proxy Using the Command Line

To install and configure the new Oracle Unified Directory Proxy:

Run the oud-proxy-setup command. For example:

oud-proxy-setup -i -p 1389 --adminConnectorPort 4444
-D "cn=directory manager" -j pwd.txt -Z 1636 --generateSelfSignedCertificate 
--eusContext dc=example,dc=com

Create an LDAP server extension for the remote LDAP server containing the Enterprise users and groups. For example:

dsconfig create-extension \
          --set enabled:true \
          --set remote-ldap-server-address:serverip \
          --set remote-ldap-server-port:389 \
          --type ldap-server \
          --extension-name proxy1 \
          --hostname localhost \
          --port 4444 \
          --trustAll \
          --bindDN "cn=directory manager" \
          --bindPasswordFile pwd.txt \
          --no-prompt

Create a Proxy workflow element for the remote LDAP server using the LDAP server extension you created in the previous step.
You can configure this Proxy workflow element to use either the use-specific-identity or the use-client-identity mode.
- Use use-specific-identity mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.
  
  To create the proxy workflow element using the use-specific-identity mode, run the dsconfig command as follows:
```
dsconfig create-workflow-element \
          --set client-cred-mode:use-specific-identity \
          --set enabled:true \
          --set ldap-server-extension:proxy1 \
          --set remote-ldap-server-bind-dn: \
            cn=administrator,cn=users,dc=example,dc=com \
          --set remote-ldap-server-bind-password:******** \
          --set remote-root-dn:cn=administrator,cn=users,dc=example,dc=com\
          --set remote-root-password:******** \
          --type proxy-ldap \
          --element-name proxy-we1 \
          --hostname localhost \
          --port 4444 \
          --trustAll \
          --bindDN "cn=directory manager" \
          --bindPasswordFile pwd.txt \
          --no-prompt
```
  In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by OUD proxy to connect to the remote server.
- Use use-client-identity mode if your external LDAP server allows anonymous access.
  
  If you want to use the use-client-identity mode, then you must configure the external LDAP server credentials and configure an exclude-list.
  
  The database usually connects with its own credentials to Oracle Unified Directory proxy server, and then performs searches on the external LDAP server. When EUS is enabled, the database must use an alternate ID to bind to the external LDAP server because the database entry does not exist on the external LDAP server. The database entry is stored locally on the Oracle Unified Directory proxy server.
  
  To create the proxy workflow element using use-client-identity mode, run the dsconfig command as follows:
```
dsconfig create-workflow-element \
          --set client-cred-mode:use-client-identity \
          --set enabled:true \
          --set ldap-server-extension:proxy1 \
          --set exclude-list:"cn=directory manager" \
          --set exclude-list:cn=oraclecontext,dc=example,dc=com \
          --set remote-ldap-server-bind-dn: \
            cn=administrator,cn=users,dc=example,dc=com \
          --set remote-ldap-server-bind-password:******** \
          --set remote-root-dn:cn=administrator,cn=users,dc=example,dc=com\
          --set remote-root-password:******** \
          --type proxy-ldap \
          --element-name proxy-we1 \
          --hostname localhost \
          --port 4444 \
          --trustAll \
          --bindDN "cn=directory manager" \
          --bindPasswordFile pwd.txt \
          --no-prompt
```
  In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by the remote LDAP administrator.
  
  Important. When in use-client-identity mode, if you are integrating with Active Directory, then you must also run the following command to allow anonymous login, where dc=example,dc=com is the base DN of your Active Directory server.
```
ldapmodify -h ADhost -p ADport -D ADdirmgr -w pwd
dn: cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=example,dc=com
changetype: modify
replace: dsHeuristics
dsHeuristics: 0000002
```

Create a EUS workflow element using the proxy workflow element created in the previous step:

dsconfig create-workflow-element \
          --set enabled:true \
          --set eus-realm:dc=example,dc=com \
          --set next-workflow-element:proxy-we1 \
          --set server-type:ad \
          --type eus \
          --element-name eus-we1 \
          --hostname localhost \
          --port 4444 \
          --trustAll \
          --bindDN "cn=directory manager" \
          --bindPasswordFile pwd.txt \
          --no-prompt

Note: The server-type defines the remote LDAP server containing your enterprise users and groups. Use one of the following values: ad for Active Directory, edir for Novell eDirectory, oud for Oracle Unified Directory, or odsee Oracle Directory Server Enterprise Edition.

Create a workflow for your naming context using the EUS workflow element created in the previous step:

dsconfig create-workflow \
          --set base-dn:dc=example,dc=com \
          --set enabled:true \
          --set workflow-element:eus-we1 \
          --type generic \
          --workflow-name workflow1 \
          --hostname localhost \
          --port 4444 \
          --trustAll \
          --bindDN "cn=directory manager" \
          --bindPasswordFile pwd.txt \
          --no-prompt

Add the workflow created in the previous step to your network group:

dsconfig set-network-group-prop \
          --group-name network-group \
          --add workflow:workflow1 \
          --hostname localhost \
          --port 4444 \
          --trustAll \
          --bindDN "cn=directory manager" \
          --bindPasswordFile pwd.txt \
          --no-prompt

31.4.2.2.2 Installing and Configuring a New Oracle Unified Directory Proxy to Work with Enterprise User Security Using the Graphical User Interface

To install and configure a new Oracle Unified Directory Proxy to work with Enterprise User Security using the graphical user interface:

Run the oud-proxy-setup program.
1. In the Welcome page, click Next.
2. In the Server Settings page, provide the following information:
  
  Host Name. Enter the name of the OUD proxy host.
  
  Administration Connector Port. This is the administration port used by OUD tools such as dsconfig.
  
  LDAP Listener Port. Specify the port used by the OUD proxy.
  
  LDAP Secure Access. Click Configure to enable secure access.
  
  In the Configure Secure Access window, click to mark the "Enable SSL on Port" check box. Then enter a port number for LDAPS, and click OK to continue.
  
  Root User DN. This is the identity of the server administrator.
  
  Password. Enter a password to be used by the server administrator.
  
  Password (confirm). Enter the password a second time to confirm.
  
  Click Next to continue.
3. In the Deployment Options page, in the Configuration Option field, choose "Configure EUS (Enterprise User Security)" and click Next.
  
  Oracle Unified Directory will be used as a proxy, and deployed in front of the LDAP server containing EUS users and groups.
4. On the Back-End Server Type page, choose one of the supported server types. This is the LDAP-compliant server that contains the Enterprise User Security users and groups.
  
  Click Next to continue.
5. On the next page, click Add Server.
  
  On the Add Server page, provide the following information:
  
  Host Name. Enter the host name of the LDAP server that contains Enterprise User Security users and groups.
  
  Protocol. If you are using Novell eDirectory, you must choose LDAPS.
  
  For all other external directories, you can choose one of the following: LDAP, LDAPS, or [LDAP & LDAPS]. This determines how OUD proxy will connect to the remote LDAP server.
  
  Port Number. Enter the port number of the LDAP server that contains Enterprise User Security users and groups.
  
  You can click Add to add another LDAP server. After you are done adding LDAP servers, click Close to continue.
6. Review the list on the Servers Page.
  
  The Servers Page now lists the server or servers that contain Enterprise User Security users and groups. Click Next to continue.
7. On the Naming Contexts page, click to mark the check box beside a Base DN to choose the Base DN for a naming context.
  
  If the table does not display a Naming Context, enter the Base DN of your remote LDAP server in the "Additional Naming Context DN" field, select Add.
  
  Click Next to continue.
8. Configure the runtime options for the server.
  
  You can click Change to configure any specific JVM settings, or click Next to run the server with the default JVM settings.
  
  Click Next.
9. In the Review page, review your settings, and click Finish.
  
  A new instance of Oracle Unified Directory Proxy is installed, configured, and started.
  
  Click Close.
Set the remote root DN and remote root user accounts by running the dsconfig command on the OUD Proxy as follows:
```
dsconfig set-workflow-element-prop \
          --element-name proxy-we1 \
          --set remote-root-dn:cn=directory manager \
          --set remote-root-password:******** \
          --hostname localhost \
          --port 4444 \
          --trustAll \
          --bindDN "cn=directory manager" \
          --bindPasswordFile pwd.txt \
          --no-prompt
```
Note:

In the preceding command, --element-name property corresponds to the name of the proxy workflow element, which is used to connect to the external LDAP directory server.

If you configure proxy through OUD proxy setup wizard, then the default name of the proxy workflow element is proxy-we1. Alternatively, if you configure the proxy through CLI by using dsconfig command, then the name of the workflow element would be as per the value you provide as an input in the command.
You can find the workflow element by running the dsconfig command as follows:
```
			dsconfig -h localhost -p administration port number -D "cn=Directory Manager" -X -n list-workflow-elements --bindPasswordFile password.txt
```
You observe output similar to the following:
```
			Workflow Element  : Type               : enabled
			----------------- :--------------------:--------
			adminRoot         : ldif-local-backend : true
			load-bal-we1      : load-balancing     : true
			proxy-we1         : proxy-ldap         : true
```
In the above example, if you look at the proxy-ldap type, you will locate the workflow element name (proxy-we1) corresponding to that.
Set the mode for the proxy workflow element for the external LDAP-compliant directory.

By default, the configuration is set to use-client-identity mode.
- Use use-specific-identity mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.
  
  If you want to change the mode setting to use-specific-identity, then you must configure the external LDAP server credentials.
  
  To use use-specific-identity mode, run the dsconfig command as follows:
```
dsconfig set-workflow-element-prop \
          --element-name proxy-we1 \
          --set client-cred-mode:use-specific-identity \
          --set remote-ldap-server-bind-dn: \
            cn=administrator,cn=users,dc=example,dc=com\
          --set remote-ldap-server-bind-password:******** \
          --hostname localhost \
          --port 4444 \
          --trustAll \
          --bindDN "cn=directory manager" \
          --bindPasswordFile pwd.txt \
          --no-prompt
```
  In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by the remote LDAP administrator.
- Use use-client-identity mode if your external LDAP server allows anonymous access.
  
  If you want to use the use-client-identity mode, then you must configure the external LDAP server credentials and an exclude-list.
  
  The database usually connects with its own credentials to Oracle Unified Directory proxy server, and performs searches on the external LDAP server. When EUS is enabled, the database must use an alternate ID to bind to the external LDAP server because the database entry does not exist on the external LDAP server. The database entry is stored locally on the Oracle Unified Directory proxy server.
  
  To use the use-client-identity mode, run the dsconfig command as follows:
```
dsconfig set-workflow-element-prop \
          --element-name proxy-we1 \
          --set client-cred-mode:use-client-identity \
          --add exclude-list:cn=directory manager \
          --add exclude-list:cn=oraclecontext,dc=example,dc=com \
          --set remote-ldap-server-bind-dn: \
            cn=administrator,cn=users,dc=example,dc=com \
          --set remote-ldap-server-bind-password:******** \
          --hostname localhost \
          --port 4444 \
          --trustAll \
          --bindDN "cn=directory manager" \
          --bindPasswordFile pwd.txt \
          --no-prompt
```
  In this example, remote-root-dn and remote-ldap-server-bind-dn are the credentials used by the remote LDAP administrator.
  
  Important. When in use-client-identity mode, if you are integrating with Active Directory, then you must run the following command to allow anonymous login, where dc=example,dc=com is the base DN of your Active Directory server.
```
ldapmodify -h <ADhost> -p <AD port> -D <AD dirmgr> -w <pwd>
dn: cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=example,dc=com
changetype: modify
replace: dsHeuristics
dsHeuristics: 0000002
```

31.4.2.2.3 Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using OUDSM

To configure an existing Oracle Unified Directory Proxy to work with Enterprise User Security using OUDSM:

Connect to Oracle Unified Directory Proxy from OUDSM.
Select the Home tab.
Under the Configuration section, choose "Set Up Remote EUS Naming Context."
In the "Create Remote EUS Naming Context" page, provide the following information:

Base DN. This is the suffix provided by the remote LDAP server.

Network Group. Attach the suffix to at least one network group. Select the required network group from the list.

Server Type. Select the type of LDAP server containing your users and groups from the list.

Host Name. Enter the name of the machine where the remote LDAP server is running.

Ports available. Indicate whether you want the OUD Proxy to connect to the remote LDAP server using LDAP, or LDAPS, or both LDAP and LDAPS.

Depending upon the option you chose, enter a port number for the LDAP port, LDAPS port, or for both LDAP and LDAP ports. This must be the port used by the remote LDAP server.

If you checked LDAPS, configure SSL to either Trust All or configure a Trust Manager.

Click Create.
Select the Configuration tab.
In the Naming Contexts list, choose the Proxy below the Naming context you just created.
In the Proxy LDAP workflow element window:
1. Enter a Bind DN and a Bind Password.
  
  These must match the credentials of the remote LDAP server administrator.
2. Expand the Remote Root Properties, and enter a Remote Root DN and password.
  
  These must match the credentials of the remote LDAP server administrator.
3. In the Credentials Mode field, set the mode for the proxy workflow element for the external LDAP-compliant directory.
  - Use use-specific-identity mode if your external LDAP server does not allow anonymous access. This is the most common Enterprise User Security configuration, especially when Active Directory is used as the external LDAP server.
    
    To use use-specific-identity mode:
    
    In the Credentials Mode field, choose Use Specific Identity. Then enter the values for the Bind DN and the Bind Password. Enter the Bind Password a second time to confirm it.
  - Use use-client-identity mode if your external LDAP server allows anonymous access.
    
    To use-client-identity mode:
    
    In the Credentials Mode field, first select Use Client Identity, and expand the Client Identity Mode Properties. Then add "cn=directory manager" and "cn=OracleContext,dc=example,dc=com" to the Exclude Bind DNs table.
4. Click Apply.

31.4.2.3 Configuring the Users and Groups Location

After Oracle Unified Directory has been configured for EUS or Oracle E-Business Suite, you must configure the naming context used to store the users and the groups by performing the following steps:

Locate the LDIF template file at install_dir/config/EUS/modifyRealm.ldif.
Edit the modifyRealm.ldif file as follows:
- Replace dc=example,dc=com with the correct naming context for your server instance.
- Replace ou=people and ou=groups with the correct location of the user and group entries in your DIT.
Use the ldapmodify command to update the configuration with the edited LDIF template file, for example:
```
$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -f modifyRealm.ldif
```
Note:
Ensure that you specify the port number on which the LDAP Connection Handler will listen for connections from clients (For example, 1389) and not the administration port number which is 4444.

If you are integrating Active Directory, run the following command, replacing dc=example,dc=com with the appropriate base DN for your configuration:

$ ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j pwd-file
dn:cn=Common,cn=Products,cn=OracleContext,dc=example,dc=com
changetype: modify
replace: orclCommonNickNameAttribute
orclCommonNickNameAttribute: samaccountname

31.4.2.4 Selecting the Oracle Context to be Used By Enterprise User Security

Enterprise User Security stores its configuration (also called EUS metadata) in an Oracle Context, which corresponds to a part of the Directory Information Tree. If your user entries are stored below dc=example,dc=com, then EUS is usually configured to use cn=OracleContext,dc=example,dc=com as Oracle Context.

In this task, Oracle Net Configuration Assistant tells EUS where it should read its configuration.

To start the Oracle Net Configuration Assistant, run the netca command on the host where the database is installed.

The Oracle Net Configuration Assistant is displayed.
On the Welcome page, select "Directory Usage Configuration," and click Next.

Enter the following information in subsequent pages:
1. Directory Type
  
  Select "Oracle Internet Directory" even if the LDAP server is an Oracle Virtual Directory or an Oracle Unified Directory.
  
  Click Next.
2. Hostname
  
  Enter the host name or IP address of the server hosting your LDAP server.
3. Port
  
  Enter the LDAP port number.
4. SSL Port
  
  Enter the LDAPS port number.
5. Oracle Context
  
  Do not select cn=OracleContext. Instead, click the arrow to display and choose the location of your OracleContext.
  
  Oracle Net Configuration Assistant connects to the LDAP server to retrieve the available Oracle Contexts. Enterprise User Security configuration will be stored within your OracleContext.
  
  Click Next.
6. Directory usage configuration complete!
  
  Click Next.
When the Welcome page is displayed, click Finish.
To verify that the Net Configuration Assistant has successfully created the configuration file containing the LDAP server information, run the following command:
```
# cat $ORACLE_HOME/network/admin/ldap.ora
# ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
# Generated by Oracle configuration tools.
DIRECTORY_SERVERS= (oudhost:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
```
The configuration file used by the database contains the host name and port of the LDAP server. In this example, the information is represented as: (oudhost:1389:1636). You can specify multiple servers, separated by commas, for high availability deployments.

In this example, dc=example,dc=com represents the Oracle Context used to store the EUS configuration, also known as the EUS metadata.

31.4.2.5 Registering the Database in the LDAP Server

To register the database in the LDAP server:

Run the dbca command on the host where the database is installed.

The Database Configuration Assistant for Oracle database is displayed. Click Next, then provide the following information in the subsequent pages:
1. Select the operation you want to perform.
  
  Choose "Configure Database Option," then click Next.
2. Database
  
  In the list box, select the database you want to register. Then click Next.
  
  Database Configuration Assistant determines if the database is already registered in the LDAP server.
3. Would you like to register this database with the directory service?
  
  Choose "Yes, register the database." Database Configuration Assistant will create an entry for the database in the Oracle Context.
4. User DN
  
  The user DN will be used to authenticate to the LDAP server.
  
  The user DN is usually cn=directory manager, the directory manager of OUD proxy. The user DN is also used in the add operation, which creates the database entry in the Oracle Context. The user must have write access to the LDAP server.
5. Password
  
  Database Configuration Assistant creates a wallet for the database. The database entry DN and password will be stored in the wallet. When the database connects to the LDAP server, it will authenticated using credentials stored in this wallet.
6. Database Components
  
  Make no changes to this page, and click Next.
7. Connection Mode
  
  Choose "Dedicated Server Mode," then click Finish.
8. Confirmation
  
  Click OK to register the database.
9. Do you want to perform another operation?
  
  Click No to exit the Database Configuration Assistant application.

To verify that Database Configuration Assistant successfully created a new entry for the database, run the following command, replacing orcl11g with the name of your database:

$ ldapsearch -h oudhost -p 1389 -D "cn=directory manager" -j pwd.txt -b cn=oraclecontext,dc=example,dc=com "(cn=orcl11g)"
dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
orclVersion: 112000
orclcommonrpwdattribute: {SASL -MD5}eW5+2LTPRKzFmHxmMZQmnw==
objectClass: orclApplicationEntity
objectClass: orclService
objectClass: orclDBServer_92
objectClass; orclDBServer
objectClass: top
orclServiceType: DB
orclSid: orcl11g
oracleHome: /app/oracle/product/db/product/11.2.0/dbhome_1
cn: orcl11g
orclSystemName: oudhost
userPassord: {SSHA}oNeBEqkUMtDusjXNXJPpa7qa+Yd0b9RHvA==
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST)=oudhost)
(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl11g)))
orclDBGLOBALNAME: orcl11g
orclNetDescName: 000:cn=	DESCRIPTION_0

31.4.2.6 Configuring Roles and Permissions

The following topics provide the steps to configure roles and permissions using Oracle Enterprise Manager:

31.4.2.6.1 Creating a Shared Schema in the Database

Run the following SQL commands:

SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
User created.
SQL> GRANT CONNECT TO global_ident_schema_user;
Grant succeeded.

31.4.2.6.2 Creating a New User-Schema Mapping

Note:

Before performing the steps mentioned in this procedure, see Configuring Password Policy for Oracle Unified Directory Administrator.

To create a new user schema mapping:

In a web browser, connect to Enterprise Manager. For example:

https://localhost:1158/em

Provide the following information:

User Name. Enter the name of a user who is authorized to administer the database.

Password. Enter the administrator password.

Connect As.Choose SYSDBA.

Click Login.
Click the Server tab.

On the Server tab, in the Security section, click Enterprise User Security.
In the "Oracle Internet Directory Login: Enterprise User Security" page, provide the following information:

User. Enter the username of a user, for example cn=directory manager, who has write access to Oracle Context.

Password. Enter the password for the same user.

Click Login.
On the Enterprise User Security page, click Manage Enterprise Domains.

An Enterprise Domain can contain one or more databases. The settings for an Enterprise Domain apply to all databases it contains.
On the Manage Enterprise Domains page, select the domain you want to configure, then click Configure.
On the Configure Domain page, click "User - Schema Mappings."
On the User - Schema Mappings page, click Create.
To create a domain-schema mapping, on the New Mapping page provide the following information:

From

You can associate a global schema to all the users in a given subtree, or to a given user.

To associate a global schema to all users in a given subtree:
1. Choose Subtree, then click the flashlight icon to search for available subtrees.
2. In the Select User page, select a subtree. Enterprise users below the DN you select will be mapped to the same global schema.
3. Click Select.
To associate a global schema to a given user:
1. Choose User Name, then click the flashlight icon to search for available users.
2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema.
3. Click Select.
To

In the Schema field, enter the name of the global schema. For example:global_ident_schema_user.

Click Continue.
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.

31.4.2.6.3 Creating a Role in the Database

For this example, a role named hr_access, is created. The role grants read access to the table hr.employees.

To create a role in the database:

SQL> CREATE ROLE hr_access IDENTIFIED GLOBALLY;
Role created.
SQL> GRANT SELECT ON hr.employees TO hr_access;
Grant succeeded.

For more information, see the Oracle Database documentation.

31.4.2.6.4 Creating a New Role in the Domain

To create a new role in the domain:

To create a new role in a domain, On the Manage Enterprise Domains page, select the domain in which you want to create the role, then click Configure.
On the Configure Domain page, click Enterprise Roles. Click Create.
On the Create Enterprise Role page, provide the following information:
1. In the Name field, provide a name for your enterprise role.
2. In the DB Global Roles tab, click Add.
On the "Search And Select: Database Global Roles' page, provide the following information:

Database. Choose a database from the drop-down list.

User Name. Enterprise Manager will retrieve the available roles from the database. Enter a username of an administrator, such as SYS AS SYSDBA, who is authorized to access the roles.

Password. Enter the administrator password.

Click Go.
In the "Search and Select: Database Global Roles" page, choose the global role you want to grant to Enterprise Users.

Click Select.
In the Create Enterprise Role page, select the Enterprise user or groups to which you will grant the Enterprise Role, then click the Grantees tab.
On the Grantees tab, to select Enterprise users or groups click Add.
In the "Select: Users and Groups" page, click Go. Enterprise Manager retrieves available Users and Groups.

View. You can search for users or groups.

Search Base. Enterprise Manager begins the search at this DN.

Name.Enter a string here to narrow down the search. For example, if you want to find a user whose name starts with jo, enter jo and Click Go.

A table displays relevant entries. From the list, select the users and groups to which you want to grant the Enterprise Role, then click Select.

Click Continue.
In the Configure Domain page, click OK to continue.
In the Edit Enterprise Role page, click Continue.
In the Configure Domain page, click OK.

After the role has been successfully created, click Configure.

31.4.2.6.5 Defining a Proxy Permission in the Database

To define a proxy permission on user SH, run the following command:

SQL> ALTER USER SH GRANT CONNECT THROUGH ENTERPRISE USERS;
User altered.
 
This command defines a proxy permission on user SH.

31.4.2.6.6 Creating a New Proxy Permission

To create a new proxy permission:

On the Configure Domain Information page, select the domain you want to configure, then click Configure.
On the Configure Domain page, click Proxy Permissions.
To create a new Proxy Permission, on the Proxy Permissions tab click Create.
On the Create Proxy Permission page, in the Name field, provide a name for your Proxy Permission.
On the Target DB Users tab, click Add.
On the "Search And Select: Database Target Users" page, provide the following information:

Database. Choose the database from the drop-down list.

User Name. Enter the username of an administrator, for example SYS AS SYSDBA, who is authorized to access the users.

Password. Enter the administrator password.

Click Go.

Enterprise Manager retrieves the available target users from the database.

In the Search and Select page, select the target user for the proxy permission, then click Select.
In the Create Proxy Permission page, click the Grantees tab.
On the Grantees tab, click Add.
On the Select Users and Groups page, click Go. Enterprise Manager retrieves available Enterprise Users.

In the Select: Users and Groups page, select the users to be granted Proxy Permission. Then click Select to continue.
On the Create Proxy Permission page, click Continue.
On the Configure Domain page, click OK to continue.

31.4.2.6.7 Configuring Mappings for a Specific Database

To configure mappings for a specific database:

On the Enterprise User Security page, click Manage Databases.
On the Manage Databases page, select the database you want to configure, and click Configure.
On the Configure Database page, click "User - Schema Mappings" tab.
On the "User - Schema Mappings" page, click Create.
To create a domain-schema mapping, on the New Mapping page provide the following information:

From

You can associate a global schema to all the users in a given subtree, or to a given user.

To associate a global schema to all users in a given subtree:
1. Choose Subtree, then click the flashlight icon to search for available subtrees.
2. In the Select User page, select a subtree. Enterprise users below the DN you select will be mapped to the same global schema.
3. Click Select.
To associate a global schema to a given user:
1. Choose User Name, then click the flashlight icon to search for available users.
2. In the select User page, select a user DN. Only this specific user will be mapped to the global schema.
3. Click Select.
To

In the Schema field, enter the name of the global schema. For example:global_ident_schema_user.

Click Continue.
On the "User - Schema Mappings" tab, when you are satisfied that the mapping is correct, click OK.

31.4.2.7 Testing the Database Configurations

At this point Enterprise User Security contains the following configurations:

A users-schema mapping granting a global schema to all users below dc=example,dc=com
An Enterprise Role granting HR_ACCESS to uid=user.0,ou=people,dc=example,dc=com
A Proxy Permission allowing uid=user.1,our=people,dc=example,dc=com to proxy user SH.

To test the database configurations:

Run sqlplus to connect to the database with user.1 credentials using a proxy permission as user SH.
In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.0,ou=people,dc=example,dc=com in the LDAP server.
```
# sqlplus user.0
 
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
 
Copyright  (c) 1982, 2010, Oracle. All rights reserved.
 
Enter password:
 
Connected to: 
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
 
SQL> select * from session_roles;
 
 
Role
-------------------------------
CONNECT
HR_ACCESS
 
SQL>
```
In this example, the following are indications that the database is configured properly for users such as user.0.
- The line that starts with Connect to: indicates that authentication succeeded.
- The line that begins with SQL> select * from session_roles; enables the administrator to check the roles granted to the Enterprise User.
- The database role HR_ACCESS is granted through the Enterprise Role.
Run sqlplus to connect to the database as with user.1 credentials using a proxy permission as user SH.
In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.
```
# sqlplus user.1
 
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
 
Copyright  (c) 1982, 2010, Oracle. All rights reserved.
 
Enter password:
 
Connected to: 
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
 
SQL> select * from session_roles;
 
 
Role
-------------------------------
CONNECT
 
 
SQL>
```
In this example, the following are indications that the database is configured properly for users such as user.1.
- The line that starts with Connect to: indicates that authentication succeeded.
- The line that begins with SQL> select * from session_roles; enables the administrator to check the roles granted to the Enterprise User.
- The only database role is CONNECT, and it is granted through the Global Schema.
Run sqlplus to connect to the database a with user.1 credentials using a proxy permission as user SH.
In the following example, SQLPlus prompts for the user password. The administrator provides the password configured for uid=user.1,ou=people,dc=example,dc=com in the LDAP server.
```
# sqlplus user.1[sh]
 
SQL*Plus: Release 11.2.0.2.0 Production on Fri Feb 7 16:16:04 2014
 
Copyright  (c) 1982, 2010, Oracle. All rights reserved.
 
Enter password:
 
Connected to: 
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
 
SQL> select * from session_roles;
 
 
Role
-------------------------------
RESOURCE
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
CWM_USER
 
 
SQL>
```
In this example, the following are indications that the database is configured properly for users such as user.1.
- The line that starts with Connect to: indicates that authentication succeeded.
- The line that begins with SQL> select * from session_roles; enables the user currently logged in to check the roles granted to himself.
- The user user.0 inherits user SH's roles through the proxy authentication.

31.4.3 Configuring Password Policy for Oracle Unified Directory Administrator

When you create the user-schema mapping you are required to provide the user name of the Oracle Unified Directory administrator, such as cn=directory manager, which is used to log in to Oracle Unified Directory server.

You must perform the following steps before creating the user-schema mapping:

Modify the password policy associated with the Oracle Unified Directory administrator to add AES as the default password storage scheme and to allow for multiple password values. For instance, if the administrator is cn=directory manager then modify the password policy as follows:

./dsconfig -h localhost -p port -D "cn=directory manager" -j pwdfile -X -n set-password-policy-prop \ 
--policy-name "Root Password Policy" \ 
--add default-password-storage-scheme:AES

./dsconfig -h localhost -p port -D "cn=directory manager" -j pwdfile -X -n set-password-policy-prop \
--policy-name "Root Password Policy" \
--set allow-multiple-password-values:true

Modify the LDAP password of the Oracle Unified Directory administrator as follows:

./ldappasswordmodify -X -Z -h localhost -p port -D "cn=directory manager" -j pwdfile \
--currentPassword password --newPassword mynewpassword

31.5 Using Additional Enterprise User Security Configuration Options

After the basic integration of Oracle Unified Directory and Enterprise User Security, you can configure OUD to support multiple EUS domains and configure replication to support high availability.

31.5.1 Configuring OUD to Support Multiple Enterprise User Security Domains

If your users and groups are stored in multiple domains, you must configure OUD to support multiple EUS domains. For example, a single OUD instance contains two EUS domains. One EUS domain stores users entries in Active Directory below cn=users,dc=ad1,dc=com. A second EUS domain stores user entries in a different Active Directory instance below cn=users,dc=ad2,dc=com. You must configure OUD to support each EUS domain.

To configure OUD to support multiple EUS domains:

Configure OUD as if the primary domain is the single domain containing all your users and groups.

In this example, the primary domain is dc=ad1,dc=com.

Complete the tasks in Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security.
Configure the secondary domain.

In this example, the secondary domain is dc=ad2,dc=com.

For this secondary domain, complete the steps in Configuring User Identities in the External LDAP Directory.
Create a new naming context for the EUS domain, which is dc=ad2,dc=com in this example.

Complete the steps in Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using OUDSM.
Update the Oracle context with the new naming context.
1. Create an LDIF file.
  
  In the following myconfig.ldif example, make the following substitutions:
  - Replace dc=ad1,dc=com with the DN of your first domain.
  - Replace orclcommonusersearchbase with the users location in the secondary domain.
```
dn: cn=Common,cn=Products,cn=OracleContext,dc=ad1,dc=com
changetype: modify
add: orclcommonusersearchbase
orclcommonusersearchbase: cn=users,dc=ad2,dc=com
```
  - Replace orclcommongroupsearchbase with the groups location in the secondary domain.
```
dn: cn=Common,cn=Products,cn=OracleContext,dc=ad1,dc=com
changetype: modify
add: orclcommongroupsearchbase
orclcommongroupsearchbase: cn=groups,dc=ad2,dc=com
```
2. Update OUD configuration using the LDIF file you created in step 4a.
```
ldapmodify -h oudhost -p 1389 -D "cn=directory manager" -w password -f myconfig.ldif
```

31.5.2 Using Oracle Unified Directory and Enterprise User Security in High Availability Topologies

You can achieve high availability among two or more OUD instances that have been integrated with Enterprise User Security. First, integrate OUD with Enterprise User Security. Then configure replication among the integrated OUD instances. Once configured, replication takes place among Enterprise User Security metadata (in either directory server or directory proxy) and the OUD server users and groups.

Configuring an integrated OUD LDAP server for replication is the same as configuring an integrated OUD Proxy server with one exception: the list of suffixes to be replicated is different.

When an integrated OUD instance is configured as an LDAP server, the following suffixes are replicated:

cn=oraclecontext
cn=oraclecontext,dc=example,dc=com
dc=example,dc=com

When an integrated OUD instance is configured as a Proxy server, the following suffixes are replicated:

cn=oraclecontext
cn=oraclecontext,dc=example,dc=com

Note:

If you are using Oracle Data Guard or Oracle Real Application Clusters or high availability, each database instance must be configured using NetCA and DBCA.

To configure OUD-EUS integrated instances for high availability:

Enable the first Oracle Unified Directory and Oracle Enterprise User Security to work together.
- If the first OUD instance is a directory server, then complete the tasks in Configuring Oracle Directory Server as a Directory for Enterprise User Security.
- If the first OUD instance is a directory proxy, then complete the tasks in Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security.
Enable the second Oracle Unified Directory instance and Oracle Enterprise User Security to work together.
- If the second OUD instance is configured as an LDAP server, then complete the tasks in Configuring Oracle Directory Server as a Directory for Enterprise User Security.
- If the second OUD instance is configured as a proxy, then complete the tasks in Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security.

Enable replication between the first OUD instance and the second OUD instance.

If the OUD instance is an LDAP server, then run this command:

# dsreplication enable --host1 oud-proxy-source --port1 4444 --bindDN1
 "cn=Directory Manager"  --bindPasswordFile1 /tmp/pwd1.txt
 --replicationPort1 repl1 --host2 oud-proxy-dest --port2 4444 --bindDN2
 "cn=Directory Manager"  --bindPasswordFile2 /tmp/pwd2.txt
 --replicationPort2 repl2 --adminUID admin --adminPasswordFile
 /tmp/pwd3.txt --baseDN "cn=OracleContext,dc=example,dc=com" --baseDN
 "cn=OracleContext" --baseDN "dc=example,dc=com" -X -n

If the OUD instance is a directory proxy, then run this command:

# dsreplication enable --host1 oud-proxy-source --port1 4444 --bindDN1
 "cn=Directory Manager"  --bindPasswordFile1 /
tmp/pwd1.txt --replicationPort1 repl1 --host2 oud-proxy-dest --port2 4444
 --bindDN2 "cn=Directory Manager"  --bindPasswordFile2 /tmp/pwd2.txt
 --replicationPort2 repl2 --adminUID admin --adminPasswordFile
 /tmp/pwd3.txt --baseDN "cn=OracleContext,dc=example,dc=com" --baseDN
 "cn=OracleContext" -X -n

Note:

In the directory proxy example, the --baseDN "dc=example,dc=com" option is not included.

Replication is now enabled in the first OUD instance (from step 1), and in the second OUD instance (from step 2).

Initialize replication. For example:

If the OUD instance is a directory server, then run this command:

dsreplication initialize  --baseDN "cn=OracleContext,dc=example,dc=com"
  --baseDN "cn=OracleContext" --baseDN "dc=example,dc=com" \
  --adminUID admin --adminPasswordFile /tmp/pwd3.txt \
  --hostSource <oud-proxy-source> --portSource 4444 \
  --hostDestination <oud-proxy-dest>  --portDestination 4444 -X -n

If the OUD instance is a directory proxy, then run this command:

dsreplication initialize  --baseDN "cn=OracleContext,dc=example,dc=com" \
  --baseDN "cn=OracleContext" \ 
  --adminUID admin --adminPasswordFile /tmp/pwd3.txt \
  --hostSource <oud-proxy-source> --portSource 4444 \
  --hostDestination <oud-proxy-dest>  --portDestination 4444 -X -n

Note:

In the directory proxy example, the --baseDN "dc=example,dc=com" option is not included.

Both OUD instances now contain the same data. For more information, see Initializing a Replicated Server With Data.

Declare both OUD instances in the Database ldap.ora configuration file.

# ldap.ora Network Configuration File: /app/oracle/product/db/product/11.2.0/dbhome_1/network/admin/ldap.ora
# Generated by Oracle configuration tools.
DIRECTORY_SERVERS= (oudhost1:1389:1636,oudhost2:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID

31.7 Understanding Enterprise User Security Password Warnings

Password policies are a set of rules that apply to all user passwords in an identity management realm. Password policies include settings for password complexity, minimum password length, and so forth. They also include account lockout and password expiration settings.

The database communicates with Oracle Unified Directory and requests the Oracle Unified Directory to report any password policy violations. If the database gets a policy violation response from Oracle Unified Directory, then it displays the appropriate warning or error message to the user. The following table summarizes password warnings and their meanings.

Table 31-3 Password Warnings

Warning Condition	Message Example
The user password is about to expire. Message indicates the number of days left for the user to change his or her password.	SQL> connect joe/Admin123 ERROR: ORA-28055: the password will expire within 1 days Connected.
The password has expired and informs the user about the number of grace logins that remain.	SQL> connect joe/Admin123 ERROR: ORA-28054: the password has expired. 1 Grace logins are left Connected.
The user password has expired and the user does not have any grace logins left.	SQL> connect joe/Admin123 ERROR: ORA-28049: the password has expired
The user account has been locked due to repeated failed attempts at login.	SQL> connect joe/Admin123 ERROR: ORA-28051: the account is locked
The user account has been disabled by the administrator.	SQL> connect joe/Admin123 ERROR: ORA-28052: the account is disabled
The user account is inactive.	SQL> connect joe/Admin123 ERROR: ORA-28053: the account is inactive

Enterprise user login attempts to the database update the user account status in Oracle Unified Directory or any supported external LDAP-compliant directory. For example, consecutive failed login attempts to the database results in the account getting locked in the directory, as per the directory's password policy.

31.8 Troubleshooting Issues after Integrating OUD and Enterprise User Security

You may encounter problems after integrating OUD and Enterprise User Security and need information on how to troubleshoot those problems.

These topics suggest solutions to issues you may encounter after integrating OUD and Enterprise User Security:

31.8.1 Resolving Net Configuration Assistant Tool Error Messages

Find out how to resolve error messages reported by the Net Configuration Assistant (NetCA) Tool while integrating OUD and Enterprise User Security.

The following topics describe the Net Configuration Assistant (NetCA) Tool error messages and solutions:

31.8.1.1 Resolving LDAP Server Connection Error

If the NetCA fails to connect to the directory then the Oracle Net Configuration Assistant screen displays the following error message:

Figure 31-1 Connection Error

Description of "Figure 31-1 Connection Error"

To resolve this error, verify that the host name and port number are correct by running the following command on the command line:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT  -b "" -s base "(objectclass=*)"
dn: 
objectClass: top
objectClass: ds-root-dse
 
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X  -b "" -s base "(objectclass=*)"
dn: 
objectClass: top
objectClass: ds-root-dse

31.8.1.2 Resolving Schema Error

If the required schema is not available or the version number is incorrect then the Oracle Net Configuration Assistant screen displays the following error message:

Figure 31-2 Oracle Schema

Description of "Figure 31-2 Oracle Schema"

To resolve this error, ensure that you can access Oracle Unified Directory anonymously and that it contains the cn=subschemasubentry entry:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X  -b cn=subschemasubentry -s base "(objectclass=*)"
dn: cn=subschemasubentry
objectClass: top
objectClass: ldapSubentry
objectClass: subschema

If the Oracle Unified Directory is not enabled for Enterprise User Security then the cn=subschemasubentry entry will not be available. To enable Enterprise User Security, see "Setting up the Directory Server by Using the GUI" in the Installing Oracle Unified Directory.

If the cn=subschemasubentry is not accessible anonymously then ensure that the following ACI is defined in the Oracle Unified Directory as a global ACIs:

(target="ldap:///cn=subschemasubentry")(targetscope="base") \
(targetattr="objectClass||attributeTypes||dITContentRules||dITStructureRules| \
|ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses") \ 
(version 3.0; acl "User-Visible SubSchemaSubentry Operational Attributes"; \
allow (read,search,compare) userdn="ldap:///anyone";)

For more information, see Managing Global ACIs Using dsconfig.

31.8.1.3 Resolving Naming Context Error

If the cn=OracleContext and cn=OracleContext,<your baseDN> naming contexts are not available, then the Oracle Net Configuration Assistant screen displays an error message.

To resolve this error:

Verify if the baseDN is available, by running the following command on the command line:
```
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X  -b "" -s base "(objectclass=*)" namingContexts
dn: 
namingContexts: cn=OracleContext
namingContexts: cn=OracleSchemaVersion
namingContexts: dc=eusovd,dc=com
```
As shown above, ensure that there are three available naming contexts. If the base DN is missing then you must enable Enterprise User Security, as described in "Setting up the Directory Server by Using the GUI" in the Installing Oracle Unified Directory.

Verify if the baseDN contains the Oracle context by running the following command on the command line:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X  -b ""  "(objectclass=orclcontext)"
dn: cn=OracleContext
orclVersion: 90600
cn: OracleContext
objectClass: orclContext
objectClass: orclContextAux82
objectClass: top
objectClass: orclRootContext
 
dn: cn=OracleContext,dc=eusovd,dc=com
orclVersion: 90600
cn: OracleContext
objectClass: orclContext
objectClass: orclContextAux82
objectClass: top

Note:

The NetCA performs the search anonymously. If the Oracle Unified Directory is configured to refuse anonymous searches or the ACIs restricts access to cn=OracleContext,<baseDN> then the NetCA will not be able to find the Oracle Context.

After the NetCA configuration is complete, it creates an ldap.ora file in the $ORACLE_HOME/network/admin directory (UNIX) or ORACLE_HOME\network\admin directory (Windows). Ensure that it includes the following parameters:
```
DIRECTORY_SERVERS= (oudhost:1389:1636) 
DEFAULT_ADMIN_CONTEXT = "dc=eusovd,dc=com"
DIRECTORY_SERVER_TYPE = OID
```

31.8.2 Resolving Database Configuration Assistant Error Messages

Find out how to resolve error messages reported by the Database Configuration Assistant (DBCA) while integrating OUD and Enterprise User Security.

The following topics describe the Database Configuration Assistant (DBCA) error messages and solutions:

31.8.2.1 Resolving TNS-04409 error / TNS-04427: SSL access to the Directory Server

This error message appears if SSL is not enabled for Oracle Unified Directory.

To resolve this error, check if SSL is enabled for Oracle Unified Directory by running the following command on the command line:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $LDAPSPORT -Z -X  -b "" -s base "(objectclass=*)"
dn: 
objectClass: top
objectClass: ds-root-dse

For more information, see Configuring Security Between Clients and Servers

31.8.2.2 Resolving TNS-04409 error / TNS-04431: Required suffixes

This error message appears if the suffixes are not available.

To resolve this error, ensure that the suffixes are created, as described in "Setting up the Directory Server by Using the GUI" in the Installing Oracle Unified Directory.

31.8.2.3 Resolving TNS-04411 error when registering the DB with a user different from cn=directory manager

This error message appears if you specify a different user name other then cn=directory manager during database registration.

To resolve this error, ensure that the user has password reset privilege, and the user entry contains one of the following uniqueMember attributes:

cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com

cn=oraclenetadmins,dc=oraclecontext,dc=eusovd,dc=com

Run the following command on the command line:

$ OracleUnifiedDirectory/bin/ldapmodify -h $LDAPSERVER -p $LDAPPORT -D $DN -w $PWD
dn: cn=newadmin,ou=people,dc=eusovd,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset
 
Processing MODIFY request for cn=newadmin,ou=people,dc=eusovd,dc=com
MODIFY operation successful for DN cn=newadmin,ou=people,dc=eusovd,dc=com
dn: cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com
changetype: modify
add: uniquemember
uniquemember:  cn=newadmin,ou=people,dc=eusovd,dc=com
 
Processing MODIFY request for cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com
MODIFY operation successful for DN cn=oraclenetadmins,cn=oraclecontext,dc=eusovd,dc=com
dn: cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
changetype: modify
add: uniquemember
uniquemember:  cn=newadmin,ou=people,dc=eusovd,dc=com
 
Processing MODIFY request for cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com
MODIFY operation successful for DN cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=eusovd,dc=com

31.8.2.4 Resolving TNS-04409 error / TNS-04405

This error message appears if the Oracle Unified Directory password validator does not accept the password that DBCA creates for the database entry (For example, if it requires a password minimum length of 10 characters).

To resolve this error:

Disable the password validator by running the following command on the command line:

$ OracleUnifiedDirectory/bin/dsconfig -h $LDAPSERVER -p $ADMINPORT \
-D $DN -j pwd.txt set-password-policy-prop \
--policy-name Default\ Password\ Policy --reset password-validator \
--trustAll --no-prompt

Run the dbca command.

Enable the password validator by running the following command on the command line:

$ OracleUnifiedDirectory/bin/dsconfig -h $LDAPSERVER -p $ADMINPORT -D
 $DN -j pwd.txt set-password-policy-prop --policy-name Default\ 
Password\ Policy --set password-validator:Length-Based\ Password\ Validator --trustAll --no-prompt

31.8.3 Resolving Oracle SQL Error Messages

Find out how to resolve error messages reported by Oracle SQL while integrating OUD and Enterprise User Security.

The following topics describe the Oracle SQL error messages and solutions:

31.8.3.1 Resolving ORA-28030: Server encountered problems accessing LDAP directory service

This error message appears, if there is a problem with the connection between the database and the directory.

To resolve this issue:

Check that the database wallet has auto-login enabled. Either use Oracle Wallet Manager or check that there is a cwallet.sso file in $ORACLE_HOME/admin/<ORACLE_SID>/wallet/.

Check the DN and password of the user entry by running the following commands:

$ mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -viewEntry ORACLE.SECURITY.DN
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:   ********   
ORACLE.SECURITY.DN = cn=orcl11gr2,cn=OracleContext,dc=eusovd,dc=com
 
$ mkstore -wrl $ORACLE_BASE/admin/$ORACLE_SID/wallet -viewEntry ORACLE.SECURITY.PASSWORD
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:   ********       
ORACLE.SECURITY.PASSWORD = zQ7v4ek3

Check that the database can connect to the directory server using the following command:

$ oracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT 
-b cn=common,cn=products,cn=oraclecontext,$BASEDN  "(objectclass=*)"
orclcommonusersearchbase orclcommongroupsearchbase orclcommonnicknameattribute
orclcommonnamingattribute
dn: cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
orclcommonusersearchbase: ou=people,dc=eusovd,dc=com
orclcommongroupsearchbase: ou=groups,dc=eusovd,dc=com
orclcommonnicknameattribute: uid
orclcommonnamingattribute: cn

If the connection to the directory server fails, then you must do the following:

Ensure that the database entry exists in the Directory Server.

Ensure that the database entry contains a password in the orclcommonrpwdattribute, by running the following command:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT 
-b  cn=oraclecontext,$BASEDN -s one "(objectclass=orcldbserver)" 
 orclcommonrpwdattribute
dn: cn=orcl11gr2,cn=OracleContext,dc=eusovd,dc=com
orclcommonrpwdattribute: {SASL-MD5}KvIVAyYahxnHWdlfN649Kw==

If the entry is missing or does not contain a password then you must use DBCA, as described in Registering the Database in the LDAP Server.

31.8.3.2 Resolving ORA-01017: invalid username/password; logon denied

This error message appears, if an invalid username or password is provided.

To resolve this error, specify the correct username and password.

Check the Enterprise User Security configuration by running the following command:
```
$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b \
cn=common,cn=products,cn=oraclecontext,$BASEDN \
"(objectclass=*)" orclcommonusersearchbase \
orclcommongroupsearchbase orclcommonnicknameattribute orclcommonnamingattribute
dn: cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
orclcommonusersearchbase: ou=people,dc=eusovd,dc=com
orclcommongroupsearchbase: ou=groups,dc=eusovd,dc=com
orclcommonnicknameattribute: uid
orclcommonnamingattribute: cn
```
After Oracle Unified Directory has been configured for EUS, the users and groups configurations are stored in the attributes orclcommonusersearchbase and orclusercommongroupsearchbase.

The username provided to sqlplus must correspond to the value of orclcommonnicknameattribute in the user entry. For example, if you connect sqlplus using the values joe/password and orclcommonnicknameattribute=uid, then the database will look for an entry containing the attribute uid=joe.

The user entry DN must start with orclcommonnamingattribute. For example, if orclcommonnamingattribute=cn, the user entry must be cn=joe,<orclcommonusersearchbase>.

Ensure that there is a user entry in the user container that matches the username provided in sqlplus. The inetorgperson objectclass, containing the attribute defined in orclcommonnicknameattribute.

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT \
-D $DN -w $PWD -b ou=people,$BASEDN  "(ui \d=joe)"                         
dn: cn=joe,ou=people,dc=eusovd,dc=com
userPassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: top
uid: joe
cn: joe
sn: joe

Ensure that you have created the user-schema mapping, as described in "Mapping Enterprise Users to the Shared Schema" in the Oracle Database Enterprise User Security Administrator's Guide.

31.8.3.3 Resolving ORA-28274: No ORACLE password attribute corresponding to user nickname exists

This error message appears, when the database finds a corresponding user but cannot compare its password with the password supplied to SQL.

To resolve this issue:

Ensure that the database entry has the required ACI to read the entry authpassword and orclguid:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN 
-w $PWD -b ou=people,$BASEDN  "(uid=joe)" authpassword orclguid
dn: cn=joe,ou=people,dc=eusovd,dc=com
authpassword;orclcommonpwd: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
orclguid: 6458c6945c0a48be92ab35cf71859210

If the database cannot read the entry, check that the following ACIs are defined in your OUD server as global-acis (they are added automatically by oud-setup when EUS is selected):

(target="ldap:///dc=eusovd,dc=com")(targetattr!="userpassword||authpassword
||aci")(version 3.0; acl "Anonymous read access to subtree";allow
 (read,search,compare) userdn="ldap:///anyone";)
(target="ldap:///dc=eusovd,dc=com")(targetattr="authpassword||userpassword")
(version 3.0; acl "EUS reads authpassword"; allow (read,search,compare)
userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)

If the user entry does not contain authpassword, ensure that there is a user password:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN  "(uid=joe)" userpassword         
dn: cn=joe,ou=people,dc=eusovd,dc=com
userpassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==

Ensure that the userpassword attribute is stored using a compatible scheme (SSHA-512 is not supported):

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN  "(uid=joe)" userpassword         
dn: cn=joe,ou=people,dc=eusovd,dc=com
userpassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==

31.8.3.4 Resolving ORA-28051: the account is locked

This error message appears, if you fail to authenticate properly after multiple attempts.

To resolve this issue:

Verify if Oracle Unified Directory is configured for account lockout, by running the following command on the command line:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -X -Z -D $DN 
-w $PWD -b "cn=Default Password Policy,cn=Password Policies,cn=config" 
"(objectclass=*)" ds-cfg-lockout-failure-count ds-cfg-lockout-duration  ds-cfg-lockout-failure-expiration-interval
dn: cn=Default Password Policy,cn=Password Policies,cn=config
ds-cfg-lockout-failure-expiration-interval: 180 s
ds-cfg-lockout-failure-count: 3
ds-cfg-lockout-duration: 180 s

If the failure-count value is 0, then the account lockout is not enabled. For more information, see Managing Password Policies.

Ensure that the following ACI is defined, when the Enterprise User Security is configured:

(target="ldap:///dc=eusovd,dc=com")(targetattr="orclaccountstatusevent")
(version 3.0; acl "EUS write orclaccountstatusenabled"; allow (write) 
userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)
(targetcontrol="2.16.840.1.113894.1.8.16")(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
(targetcontrol="2.16.840.1.113894.1.8.2")(version 3.0; acl "Anonymous control
 access"; allow(read) userdn="ldap:///anyone";)

31.9 Disabling the Existing Anonymous ACIs in Upgraded Environments

When Oracle Unified Directory is used as the directory for Enterprise User Security, before 12.2.1.3.0, anonymous ACI was granted for EUS integration. In such upgraded environments, the existing anonymous global-aci in Oracle Unified Directory can be modified as follows to restrict anonymous search requests to Oracle Unified Directory.

"dc=oracle,dc=com" in the example should be replaced with the actual deployment specific DN.

(target="ldap:///dc=oracle,dc=com")(targetattr!="userpassword||authpassword||aci")(targetfilter="(objectclass=orclContext)")(version 3.0; acl "Anonymous read access to subtree";allow (read,search,compare) userdn="ldap:///anyone";)
(target="ldap:///dc=oracle,dc=com")(targetattr="*")(version 3.0; acl "EUS reads authpassword"; allow (read,search,compare) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)

When Oracle Unified Directory Proxy is used to work with an External LDAP Directory and Enterprise User Security, the following virtual-acis can be added to restrict anonymous search requests to Oracle Unified Directory Proxy. "dc=oracle,dc=com" in the example should be replaced with the actual deployment specific DN.

(target="ldap:///dc=oracle,dc=com")(targetattr="*")(version 3.0; acl "EUS reads users"; allow (read,search,compare) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)
(target="ldap:///dc=oracle,dc=com")(targetattr="orclaccountstatusevent")(version 3.0; acl "EUS write orclaccountstatusenabled"; allow (write) userdn="ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))";)
(target="ldap:///dc=oracle,dc=com")(targetattr="*")(version 3.0; acl "Proxy self entry access"; allow (read,search,compare,write) userdn="ldap:///self";)

31.1 Understanding How Oracle Enterprise User Security Works with Oracle Unified Directory

31.2 Understanding the Options Before Integrating Oracle Unified Directory with Oracle Enterprise User Security

31.3 About the Prerequisites Before Integrating Oracle Unified Directory with Oracle Enterprise User Security

31.4 Enabling Oracle Unified Directory and Oracle Enterprise User Security to Work Together

31.4.1 Configuring Oracle Directory Server as a Directory for Enterprise User Security

31.4.1.1 Configuring Oracle Unified Directory to Work with Enterprise User Security

31.4.1.1.1 Installing and Configuring a New Oracle Unified Directory Instance to Work with Enterprise User Security

31.4.1.1.2 Configuring an Existing Oracle Unified Directory Server to Work with Enterprise User Security Using the Command Line

31.4.1.1.3 Configuring an Existing Oracle Unified Directory Server to Work with Enterpriser User Security Using OUDSM

31.4.1.2 Configuring the User and Groups Location

31.4.1.3 Selecting the Oracle Context to be Used by Enterprise User Security

31.4.1.4 Registering the Database in the LDAP Server

31.4.1.5 Configuring Roles and Permissions

31.4.1.5.1 Creating a Shared Schema in the Database

31.4.1.5.2 Creating a New User-Schema Mapping

31.4.1.5.3 Creating a Role in the Database

31.4.1.5.4 Creating a New Role in the Domain

31.4.1.5.5 Defining a Proxy Permission in the Database

31.4.1.5.6 Creating a New Proxy Permission

31.4.1.5.7 Configuring Mappings for a Specific Database

31.4.1.6 Testing the Database Configurations

31.4.2 Configuring Oracle Unified Directory Proxy to Work with an External LDAP Directory and Enterprise User Security

31.4.2.1 Configuring User Identities in the External LDAP Directory

31.4.2.1.1 Configuring User Identities in Microsoft Active Directory

31.4.2.1.2 Configuring User Identities in Oracle Directory Server Enterprise Edition

31.4.2.1.3 Configuring User Identities in Novell eDirectory

31.4.2.1.4 Configuring User Identities in Oracle Unified Directory

31.4.2.2 Configuring Oracle Unified Directory Proxy to Work with Enterprise User Security

31.4.2.2.1 Installing and Configuring a New Oracle Unified Directory Proxy Using the Command Line

31.4.2.2.2 Installing and Configuring a New Oracle Unified Directory Proxy to Work with Enterprise User Security Using the Graphical User Interface

31.4.2.2.3 Configuring an Existing Oracle Unified Directory Proxy to Work with Enterprise User Security Using OUDSM

31.4.2.3 Configuring the Users and Groups Location

31.4.2.4 Selecting the Oracle Context to be Used By Enterprise User Security

31.4.2.5 Registering the Database in the LDAP Server

31.4.2.6 Configuring Roles and Permissions

31.4.2.6.1 Creating a Shared Schema in the Database

31.4.2.6.2 Creating a New User-Schema Mapping

31.4.2.6.3 Creating a Role in the Database

31.4.2.6.4 Creating a New Role in the Domain

31.4.2.6.5 Defining a Proxy Permission in the Database

31.4.2.6.6 Creating a New Proxy Permission

31.4.2.6.7 Configuring Mappings for a Specific Database

31.4.2.7 Testing the Database Configurations

31.4.3 Configuring Password Policy for Oracle Unified Directory Administrator

31.5 Using Additional Enterprise User Security Configuration Options

31.5.1 Configuring OUD to Support Multiple Enterprise User Security Domains

31.5.2 Using Oracle Unified Directory and Enterprise User Security in High Availability Topologies

31.6 Best Practices for Employing EUS Admin User

31.6.1 Overview of EUS Admin User

31.6.2 Updating EUS Realm to Grant Administrative Privileges to EUS Admin Users

31.6.3 Creating and Applying Password Policy for EUS Admin Users

31.7 Understanding Enterprise User Security Password Warnings

31.8 Troubleshooting Issues after Integrating OUD and Enterprise User Security

31.8.1 Resolving Net Configuration Assistant Tool Error Messages

31.8.1.1 Resolving LDAP Server Connection Error

31.8.1.2 Resolving Schema Error

31.8.1.3 Resolving Naming Context Error

31.8.2 Resolving Database Configuration Assistant Error Messages

31.8.2.1 Resolving TNS-04409 error / TNS-04427: SSL access to the Directory Server

31.8.2.2 Resolving TNS-04409 error / TNS-04431: Required suffixes

31.8.2.3 Resolving TNS-04411 error when registering the DB with a user different from cn=directory manager

31.8.2.4 Resolving TNS-04409 error / TNS-04405

31.8.3 Resolving Oracle SQL Error Messages

31.8.3.1 Resolving ORA-28030: Server encountered problems accessing LDAP directory service

31.8.3.2 Resolving ORA-01017: invalid username/password; logon denied

31.8.3.3 Resolving ORA-28274: No ORACLE password attribute corresponding to user nickname exists

31.8.3.4 Resolving ORA-28051: the account is locked

31.9 Disabling the Existing Anonymous ACIs in Upgraded Environments