Configuring OUD to Support Multiple Enterprise User Security Domains

Configuring OUD to Support Multiple Enterprise User Security Domains

If your users and groups are stored in multiple domains, you must configure OUD to support multiple EUS domains. For example, a single OUD instance contains two EUS domains. One EUS domain stores users entries in Active Directory below cn=users,dc=ad1,dc=com. A second EUS domain stores user entries in a different Active Directory instance below cn=users,dc=ad2,dc=com. You must configure OUD to support each EUS domain.

To configure OUD to support multiple EUS domains:

  1. Configure OUD as if the primary domain is the single domain containing all your users and groups.

    In this example, the primary domain is dc=ad1,dc=com.

    Complete the tasks in 28.4 Oracle Unified Directory Used as a Proxy Server for an External LDAP Directory with Enterprise User Security

  2. Configure the secondary domain.

    In this example, the secondary domain is dc=ad2,dc=com.

    For this secondary domain, complete the steps in 28.4.1.1 User Identities in Microsoft Active Directory

  3. Create a new naming context for the EUS domain, which is dc=ad2,dc=com in this example.

    Complete the steps in 28.4.2.1.2 to configure Enterprise User Security for an existing Oracle Unified Directory Proxy Server instance.

  4. Update the Oracle context with the new naming context.
    1. Create an LDIF file.

      In the following myconfig.ldif example, make the following substitutions:

      • Replace dc=ad1,dc=com with the DN of your first domain.
      • Replace orclcommonusersearchbase with the users location in the secondary domain.
      • orclcommongroupsearchbase with the groups location in the secondary domain.
      dn: cn=Common,cn=Products,cn=OracleContext,dc=ad1,dc=com
      changetype: modify
      add: orclcommonusersearchbase
      orclcommonusersearchbase: cn=users,dc=ad2,dc=com
      orclcommongroupsearchbase: cn=groups,dc=ad2,dc=com
      
    2. Update OUD configuration using the LDIF file you created in step 4a.
      ldapmodify -h oudhost -p 1389 -D "cn=directory manager" 
      
      -w password -f myconfig.ldif

OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories

By Sylvain Duloutre on Aug 27, 2013

This post is the second one of a serie focusing on Enterprise User Security (EUS) and Oracle Unified DIrectory (OUD).

Enterprise User Security (EUS), an Oracle Database Enterprise Edition feature, leverages the Oracle Directory Services and gives you the ability to centrally manage database users and role memberships in an LDAP directory. EUS reduces administration costs and increases security.

DB Accounts Proxy-ed by OUD into existing Directories

Most enterprises already have existing corporate directories in place, and prefer the EUS implementation. An EUS implementation leverages the existing directory infrastructure and user information base without putting in place synchronization between directories. In this way, OUD acts as a real-time interpreter for Oracle database information requests to user data.

Using OUD enables the database to interact with third-party directories. OUD leverages existing user and group information in the existing third-party directory infrastructure by forwarding LDAP requests and responses back and forth to the third-party directory holding user data. User data, database meta-data such as DB registration information, user/role Mappings, and other EUS specific meta-data are stored locally in OUD, without requiring any schema changes to store EUS configuration in the existing third-party directory.

As of release 11gR2PS1, OUD is certified with EUS to support Active Directory, Oracle Directory Server Enterprise Edition, and Novell eDirectory. Working with these products, OUD eliminates user data duplication and synchronization and consequently lowers total cost of ownership (TCO).

  1. Centralizing Accounts into Microsoft Active Directory

You can integrate Active Directory for password-based authentication or integrate Active Directory with Kerberos authentication.

Active Directory Integration for Password-based authentication

Such a scenario requires deployment of an additional component: the OUD Password Change Notification plug-in (oidpwdcn.dll). Microsoft uses a proprietary implementation to hash passwords in Active Directory that is incompatible with the Oracle DB requirements. The OUD Password Change Notification plug-in isnotified when a password change occurs, and stores hashes in Active Directory. The oidpwdcn dll must be installed on every Active Directory domain controller.

Active Directory Schema extension is required to store the hashed passwords.

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. User passwords are retrieved from the hashed password stored by the OUD Password Change Notification plug-in. EUS metadata are stored and retrieved from OUD.

The database version must be 10.1 or later as earlier versions use a different and incompatible password format.

eus_ad[1]

Figure 2: EUS Account management with Active Directory

Active Directory Integration with Kerberos Authentication

In this scenario, Kerberos is used for DB authentication. EUS with DB Kerberos authentication does not require any changes to the database beyond standard EUS configuration. The database establishes a connection to OUD. OUD looks up the requested DB information in Active Directory. All database clients must be Kerberos-enabled to use this option. This capability is only supported with DB version 10.1 or higher.

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. EUS metadata are stored and retrieved from OUD. Access to the hashed user password is not required, so no schema extensions and no Password Change Notification dll have to be deployed on Active Directory.

eus_kerberos[1]

Figure 3: EUS Account management with Kerberos and Active Directory

  1. Centralizing Accounts into ODSEE

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Oracle Directory Server Enterprise Edition (ODSEE) . EUS metadata are stored and retrieved from OUD.

This integration does not require any changes in the database (beyond what is usually required for EUS, nor for database clients that use username/password authentication.

eus_dsee[1]

Figure 4: EUS Account management with DSEE

  1. Centralizing Accounts into Novell eDirectory

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Novell eDirectory. EUS metadata are retrieved from OUD.

This integration does not require any changes in the database beyond what is usually required for EUS, nor for database clients that use username/password authentication.

Using Novell eDirectory doesn’t require an Oracle password filter. You have to enable Universal Password in eDirectory, and allow the administrator to retrieve the user password. Refer to Novell’s eDirectory documentation on Password Management for more information.

This configuration can only be used with DB versions 10.1 or higher due to incompatible password formats in earlier DB versions.

eus_edir[1]

Figure 5: EUS Account management with DSEE

OUD&EUS Take 1: DB Accounts Stored in OUD

By Sylvain Duloutre on Jul 09, 2013

This post is the first one of a serie focusing on Enterprise User Security (EUS) and Oracle Unified DIrectory (OUD).

Enterprise User Security (EUS), an Oracle Database Enterprise Edition feature, leverages the Oracle Directory Services and gives you the ability to centrally manage database users and role memberships in an LDAP directory. EUS reduces administration costs and increases security

Storing DB Accounts in OUD

OUD is specifically tailored to work seamlessly with EUS. Database user information, passwords and privileges information for a database or for a database domain can be stored in OUD.

EUS can leverage existing user and group information stored in OUD to provide single password authentication and consistent password policy across enterprise applications. User data, database meta-data, such as DB registration information, user/role Mappings, and other EUS specific meta-data are stored in OUD using a specific, supported, read-to-use LDAP schema. These meta-data are stored in a separate OUD suffix, called Oracle Context, making a clean logical separation between EUS data and user information that can be shared across applications.

In addition to providing centralized database user management, Enterprise EUS provides three different methods of user authentication: X.509 certificate authentication (introduced in DB 8i); Password-based authentication (since DB 9i); and authentication via Kerberos (since DB 10g). OUD support for Password-based authentication for EUS was introduced in OUD 11gR2. The other authentication methods were introduced in OUD 11gR2PS1.

In the password authentication scenario, the database does not perform user authentication via LDAP bind to OUD. Instead the database collects user credentials, hashes the password, and compares the password hash value retrieved from OUD. More detailed information about EUS can be found in the Enterprise User Administrator’s Guide in the Database documentation section on OTN.

eus_general[1]