Migration from OID to OUD: Adapting EUS metadata

Enterprise User Security is an important component of Oracle Database Enterprise Edition. It enables you to address administrative and security challenges for a large number of enterprise database users by centralizing users and roles in a LDAP directory.

It is possible to use either Oracle Internet Directory (OID) or Oracle Unified Directory (OUD) as LDAP repository for EUS.

To migrate from OID to OUD,
– enable EUS support in OUD
– copy your user and groups in <your_context)
– copy across EUS metadata (in cn=oracleContext,<your suffix)

EUS metadata as stored in OID must be slighly adapted before being impoorted to OUD otherwise the DB won’t be able to authenticate against OUD and will raise the following error:

ORA-28043: invalid bind credentials for DB-OID connection

Migrating the DB entry from OID to OUD requires some specific steps for SASL/DIGEST-MD5 authentication. In OID, the password hash used for SASL/DIGEST-MD5 authentication is stored in authpassword;oid, with the {SASL/MD5} prefix.
In OUD, this must be stored in orclcommonrpwdattribute with the {SASL-MD5} prefix.

For instance:

In OID:
ldapsearch [conn details] -b cn=oraclecontext,dc=example,dc=com -s one “(cn=orcl11g)” authpassword
dn: cn=orcl11g,cn=oraclecontext,dc=example,dc=com
authpassword;oid: {SASL/MD5}ola+G+GFsSeiu6QcRiAh9g==
authpassword;oid: {SASL/MD5-DN}3UeqmU5Axd+XVAM9Lxf28g==
authpassword;oid: {SASL/MD5-U}BD6uyBcSiFbGtlPzq6TtUA==

In OUD:
ldapsearch [conn details] -b cn=oraclecontext,dc=example,dc=com -s one “(objectclass=orcldbserver)” orclcommonrpwdattribute
dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
orclcommonrpwdattribute: {SASL-MD5}ola+G+GFsSeiu6QcRiAh9g==

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s