New blog about Oracle Unified Directory

A new & interesting technical blog covering Directory Services and Oracle Unified Directory is available at https://floblanc.wordpress.com/.

Today’s blog covers Enterprise Manager Cloud Control and EUSM support. To be bookmarked as the EUSM documentation is quite scarce !

 

Advertisements

Migration from OID to OUD: Adapting EUS metadata

Enterprise User Security is an important component of Oracle Database Enterprise Edition. It enables you to address administrative and security challenges for a large number of enterprise database users by centralizing users and roles in a LDAP directory.

It is possible to use either Oracle Internet Directory (OID) or Oracle Unified Directory (OUD) as LDAP repository for EUS.

To migrate from OID to OUD,
– enable EUS support in OUD
– copy your user and groups in <your_context)
– copy across EUS metadata (in cn=oracleContext,<your suffix)

EUS metadata as stored in OID must be slighly adapted before being impoorted to OUD otherwise the DB won’t be able to authenticate against OUD and will raise the following error:

ORA-28043: invalid bind credentials for DB-OID connection

Migrating the DB entry from OID to OUD requires some specific steps for SASL/DIGEST-MD5 authentication. In OID, the password hash used for SASL/DIGEST-MD5 authentication is stored in authpassword;oid, with the {SASL/MD5} prefix.
In OUD, this must be stored in orclcommonrpwdattribute with the {SASL-MD5} prefix.

For instance:

In OID:
ldapsearch [conn details] -b cn=oraclecontext,dc=example,dc=com -s one “(cn=orcl11g)” authpassword
dn: cn=orcl11g,cn=oraclecontext,dc=example,dc=com
authpassword;oid: {SASL/MD5}ola+G+GFsSeiu6QcRiAh9g==
authpassword;oid: {SASL/MD5-DN}3UeqmU5Axd+XVAM9Lxf28g==
authpassword;oid: {SASL/MD5-U}BD6uyBcSiFbGtlPzq6TtUA==

In OUD:
ldapsearch [conn details] -b cn=oraclecontext,dc=example,dc=com -s one “(objectclass=orcldbserver)” orclcommonrpwdattribute
dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
orclcommonrpwdattribute: {SASL-MD5}ola+G+GFsSeiu6QcRiAh9g==

Configuring OUD to Support Multiple Enterprise User Security Domains

Configuring OUD to Support Multiple Enterprise User Security Domains

If your users and groups are stored in multiple domains, you must configure OUD to support multiple EUS domains. For example, a single OUD instance contains two EUS domains. One EUS domain stores users entries in Active Directory below cn=users,dc=ad1,dc=com. A second EUS domain stores user entries in a different Active Directory instance below cn=users,dc=ad2,dc=com. You must configure OUD to support each EUS domain.

To configure OUD to support multiple EUS domains:

  1. Configure OUD as if the primary domain is the single domain containing all your users and groups.

    In this example, the primary domain is dc=ad1,dc=com.

    Complete the tasks in 28.4 Oracle Unified Directory Used as a Proxy Server for an External LDAP Directory with Enterprise User Security

  2. Configure the secondary domain.

    In this example, the secondary domain is dc=ad2,dc=com.

    For this secondary domain, complete the steps in 28.4.1.1 User Identities in Microsoft Active Directory

  3. Create a new naming context for the EUS domain, which is dc=ad2,dc=com in this example.

    Complete the steps in 28.4.2.1.2 to configure Enterprise User Security for an existing Oracle Unified Directory Proxy Server instance.

  4. Update the Oracle context with the new naming context.
    1. Create an LDIF file.

      In the following myconfig.ldif example, make the following substitutions:

      • Replace dc=ad1,dc=com with the DN of your first domain.
      • Replace orclcommonusersearchbase with the users location in the secondary domain.
      • orclcommongroupsearchbase with the groups location in the secondary domain.
      dn: cn=Common,cn=Products,cn=OracleContext,dc=ad1,dc=com
      changetype: modify
      add: orclcommonusersearchbase
      orclcommonusersearchbase: cn=users,dc=ad2,dc=com
      orclcommongroupsearchbase: cn=groups,dc=ad2,dc=com
      
    2. Update OUD configuration using the LDIF file you created in step 4a.
      ldapmodify -h oudhost -p 1389 -D "cn=directory manager" 
      
      -w password -f myconfig.ldif

Troubleshooting OUD/EUS integration: Invalid username/password; logon denied

Oracle’s Enterprise User Security (EUS) enables you to store user identities in LDAP-compliant directory service for Oracle Database authentication.

Enterprise User Security enables you to centrally manage database users across the enterprise. Enterprise users are created in LDAP-compliant directory service, and can be assigned roles and privileges across various enterprise databases registered with the directory.

Users connect to Oracle Database by providing credentials that are stored in Oracle Unified Directory. The database executes LDAP search operations to query user specific authentication and authorization information.

Here are steps to troubleshoot EUS when the “Invalid username/password; login denied” is reported to DB users by EUS:

First, this error is reported in 2 cases:

  • the DB is not able to find a LDAP user that corresponds to the provided name on the DB side,
  • the user password is invalid.

Assuming the password is correct, follow the procedure below to identify the root cause:

#1 Check EUS configuration

The database reads its configuration from the entry cn=common,cn=products,cn=oraclecontext,$BASEDN:

  • The location of users and groups is configured in the attributes orclcommonusersearchbase and orclusercommongroupsearchbase. They are referred to as users and groups containers.
  • The username supplied to sqlplus must correspond to the value of orclcommonnicknameattribute in the user entry. For instance, if I connect to sqlplus using sqlplus joe/password, and orclcommonnicknameattribute=uid, then the database will look for an entry containing the attribute uid=joe.
  • The user entry DN must start with orclcommonnamingattribute. For instance, if orclcommonnamingattribute=cn, the user entry must be cn=joeuser,<orclcommonusersearchbase>.

You can read the configuration using the following command:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -b cn=common,cn=products,cn=oraclecontext,$BASEDN  "(objectclass=*)" orclcommonusersearchbase orclcommongroupsearchbase orclcommonnicknameattribute orclcommonnamingattribute
dn: cn=Common,cn=Products,cn=OracleContext,dc=eusovd,dc=com
orclcommonusersearchbase: ou=people,dc=eusovd,dc=com
orclcommongroupsearchbase: ou=groups,dc=eusovd,dc=com
orclcommonnicknameattribute: uid
orclcommonnamingattribute: cn

#2 Check the User Entry

You  must ensure that there is an LDAP entry in the user container that matches the username supplied by SQL+. Target LDAP entry must be an instance of inetorgperson and contain the attribute defined inorclcommonnicknameattribute:

$ OracleUnifiedDirectory/bin/ldapsearch -h $LDAPSERVER -p $PORT -D $DN -w $PWD -b ou=people,$BASEDN  "(uid=joe)"                         
dn: cn=joe,ou=people,dc=eusovd,dc=com
userPassword: {SSHA}DdW5je5GCUnT2jVTeMdfPR9NWwkBt40FwWImpA==
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: top
uid: joe
cn: joe
sn: joe

#3 Check the User-schema mappings

If the user entry exists and can be read by the database entry, the problem can be that there is no user-schema mapping. EUS maps the LDAP user entry to a database schema following a mapping rule that is defined in Enterprise Manager console. The mapping associates either a user DN to a schema or all users of a subtree to a schema. It can be defined at the domain level or at the database level.

#4 Check the global schema associated with the user

If there is a user-schema mapping, ensure that the schema has the CONNECT privilege.

The global schema was defined using the following commands:

SQL> CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
User created.
SQL> GRANT CONNECT TO global_ident_schema_user;

ZionTech blogging about integration of OUD and EUS

Here are good posts about OUD and EUS integration :

EUS OUD related posts as of now are here:

Using EUSM to manage EUS mappings in OUD

By Sylvain Duloutre on Oct 17, 2013

EUSM is a command line tool that can be used to manage the EUS settings starting with the 11.1 release of Oracle. In the 11.1 release the tool is not yet documented in the Oracle EUS documentation, but this is planned for a coming release.

The same commands used by EUSM can be performed from the Database Console GUI or from Grid Control*.

For more details, search for the document ID 1085065.1on https://support.oracle.com/epmos/faces/DocumentDisplay?id=1085065.1.

The examples below don’t include all the EUSM options, only the options that are used by EUS.

EUSM is user friendly and intuitive. Typing eusm help <option> lists the parameters to be used for any of the available options. Here are the options related to connectivity with OUD :

ldap_host=”gnb.fr.oracle.com” – name of the OUD server.

ldap_port=1389 – nonSSL (SASL) port used for OUD connections.

ldap_user_dn=”cn=directory manager” – OUD administrator name
ldap_user_password=”welcome1″ – OUD administrator password

Find below common commands:

To List Enterprise roles in OUD

eusm listEnterpriseRoles domain_name=<Domain> realm_dn=<realm> ldap_host=<hostname> ldap_port=<port> ldap_user_dn=<oud administrator> ldap_user_password=<oud admin password>

To List Mappings

eusm listMappings domain_name=<Domain> realm_dn=<realm> ldap_host=<hostname> ldap_port=<port> ldap_user_dn=<oud admin> ldap_user_password=<oud admin password>

To List Enterprise Role Info

eusm listEnterpriseRoleInfo enterprise_role=<rdn of enterprise role> domain_name=<Domain> realm_dn=<realm> ldap_host=<hostname> ldap_port=<port> ldap_user_dn=”<oud admin>” ldap_user_password=<oud admin password>

To Create Enterprise Role

eusm createRole enterprise_role=<rdn of the enterprise role> domain_name=<Domain> realm_dn=<realm> ldap_host=<hostname> ldap_port=<port> ldap_user_dn=”<oud admin>” ldap_user_password=<oud admin password>

To Create User-Schema Mapping

eusm createMapping database_name=<SID of target database> realm_dn=”<realm>” map_type=<ENTRY/SUBTREE> map_dn=”<dn of enterprise user>” schema=”<name of the shared schema>” ldap_host=<oud hostname> ldap_port=<port> ldap_user_dn=”<oud admin>” ldap_user_password=”<oud admin password>”

To Create Proxy Permission

eusm createProxyPerm proxy_permission=<Name of the proxypermission> domain_name=<Domain> realm_dn=”<realm>” ldap_host=<hostname> ldap_port=<port> ldap_user_dn=”<oud admin>” ldap_user_password=<oud admin password>

To Grant Proxy permission to Proxy group

eusm grantProxyPerm proxy_permission=<Name of the proxy permission> domain_name=<Domain> realm_dn=”<realm>” ldap_host=<hostname> ldap_port=<port> ldap_user_dn=”<oud admin>” ldap_user_password=<password> group_dn=”<dn of the enterprise group>”

To Map proxy permission to proxy user in DB

eusm addTargetUser proxy_permission=<Name of the proxy permission> domain_name=<Domain> realm_dn=”<realm>” ldap_host=<hostname> ldap_port=<port> ldap_user_dn=”<oud admin>” ldap_user_password=<oud admin password> database_name=<SID of the target database> target_user=<target database user> dbuser=<Database user with DBA privileges> dbuser_password=<database user password> dbconnect_string=<database_host>:<port>:<DBSID>

Enterprise role to Global role mapping

eusm addGlobalRole enterprise_role=<rdn of the enterprise role> domain_name=<Domain> realm_dn=”<realm>” database_name=<SID of the target database> global_role=<name of the global role defined in the target database> dbuser=<database user> dbuser_password=<database user password> dbconnect_string=<database_host>:<port>:<DBSID> ldap_host=<oid_hostname> ldap_port=<port> ldap_user_dn=”<oud admin>” ldap_user_password=<oud admin password>

New Oracle White Paper about Directory Services Integration with Database Enterprise User Security

I’ve written a new Oracle White Paper about Directory Services Integration with
Database Enterprise User Security based on 2 recent posts,https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db and https://blogs.oracle.com/sduloutr/entry/oud_eus_take_1_db

The official document is available at http://www.oracle.com/technetwork/database/security/dirsrv-eus-integration-133371.pdf

OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories

By Sylvain Duloutre on Aug 27, 2013

This post is the second one of a serie focusing on Enterprise User Security (EUS) and Oracle Unified DIrectory (OUD).

Enterprise User Security (EUS), an Oracle Database Enterprise Edition feature, leverages the Oracle Directory Services and gives you the ability to centrally manage database users and role memberships in an LDAP directory. EUS reduces administration costs and increases security.

DB Accounts Proxy-ed by OUD into existing Directories

Most enterprises already have existing corporate directories in place, and prefer the EUS implementation. An EUS implementation leverages the existing directory infrastructure and user information base without putting in place synchronization between directories. In this way, OUD acts as a real-time interpreter for Oracle database information requests to user data.

Using OUD enables the database to interact with third-party directories. OUD leverages existing user and group information in the existing third-party directory infrastructure by forwarding LDAP requests and responses back and forth to the third-party directory holding user data. User data, database meta-data such as DB registration information, user/role Mappings, and other EUS specific meta-data are stored locally in OUD, without requiring any schema changes to store EUS configuration in the existing third-party directory.

As of release 11gR2PS1, OUD is certified with EUS to support Active Directory, Oracle Directory Server Enterprise Edition, and Novell eDirectory. Working with these products, OUD eliminates user data duplication and synchronization and consequently lowers total cost of ownership (TCO).

  1. Centralizing Accounts into Microsoft Active Directory

You can integrate Active Directory for password-based authentication or integrate Active Directory with Kerberos authentication.

Active Directory Integration for Password-based authentication

Such a scenario requires deployment of an additional component: the OUD Password Change Notification plug-in (oidpwdcn.dll). Microsoft uses a proprietary implementation to hash passwords in Active Directory that is incompatible with the Oracle DB requirements. The OUD Password Change Notification plug-in isnotified when a password change occurs, and stores hashes in Active Directory. The oidpwdcn dll must be installed on every Active Directory domain controller.

Active Directory Schema extension is required to store the hashed passwords.

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. User passwords are retrieved from the hashed password stored by the OUD Password Change Notification plug-in. EUS metadata are stored and retrieved from OUD.

The database version must be 10.1 or later as earlier versions use a different and incompatible password format.

eus_ad[1]

Figure 2: EUS Account management with Active Directory

Active Directory Integration with Kerberos Authentication

In this scenario, Kerberos is used for DB authentication. EUS with DB Kerberos authentication does not require any changes to the database beyond standard EUS configuration. The database establishes a connection to OUD. OUD looks up the requested DB information in Active Directory. All database clients must be Kerberos-enabled to use this option. This capability is only supported with DB version 10.1 or higher.

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. EUS metadata are stored and retrieved from OUD. Access to the hashed user password is not required, so no schema extensions and no Password Change Notification dll have to be deployed on Active Directory.

eus_kerberos[1]

Figure 3: EUS Account management with Kerberos and Active Directory

  1. Centralizing Accounts into ODSEE

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Oracle Directory Server Enterprise Edition (ODSEE) . EUS metadata are stored and retrieved from OUD.

This integration does not require any changes in the database (beyond what is usually required for EUS, nor for database clients that use username/password authentication.

eus_dsee[1]

Figure 4: EUS Account management with DSEE

  1. Centralizing Accounts into Novell eDirectory

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Novell eDirectory. EUS metadata are retrieved from OUD.

This integration does not require any changes in the database beyond what is usually required for EUS, nor for database clients that use username/password authentication.

Using Novell eDirectory doesn’t require an Oracle password filter. You have to enable Universal Password in eDirectory, and allow the administrator to retrieve the user password. Refer to Novell’s eDirectory documentation on Password Management for more information.

This configuration can only be used with DB versions 10.1 or higher due to incompatible password formats in earlier DB versions.

eus_edir[1]

Figure 5: EUS Account management with DSEE

Enabling EUS support in OUD 11gR2 using command line interface

Enterprise User Security (EUS) allows Oracle Database to use users & roles stored in LDAP for authentication and authorization.
Since the 11gR2 release, OUD natively supports EUS. EUS can be easily configured during OUD setup. ODSM (the graphical admin console) can also be used to enable EUS for a new suffix.

However, enabling EUS for a new suffix using command line interface is currently not documented, so here is the procedure:

Let’s assume that EUS support was enabled during initial setup.
Let’s o=example be the new suffix I want to use to store Enterprise users. The following sequence of command must be applied for each new suffix:

// Create a local database holding EUS context info
dsconfig create-workflow-element –set base-dn:cn=OracleContext,o=example –set enabled:true –type db-local-backend –element-name exampleContext -n
// Add a workflow element in the call path to generate on the fly attributes required by EUS
dsconfig create-workflow-element –set enabled:true –type eus-context –element-name eusContext –set next-workflow-element:exampleContext -n
// Add the context to a workflow for routing
dsconfig create-workflow –set base-dn:cn=OracleContext,o=example –set enabled:true –set workflow-element:eusContext –workflow-name exampleContext_workflow -n
//Add the new workflow to the appropriate network group
dsconfig set-network-group-prop –group-name network-group –add workflow:exampleContext_workflow -n

// Create the local database for o=example
dsconfig create-workflow-element –set base-dn:o=example –set enabled:true –type db-local-backend –element-name example -n

// Create a workflow element in the call path to the user data to generate on the fly attributes expected by EUS
dsconfig create-workflow-element –set enabled:true –set eus-realm:o=example –set next-workflow-element:example –type eus –element-name eusWfe
// Add the db to a workflow for routing
dsconfig create-workflow –set base-dn:o=example –set enabled:true –set workflow-element:eusWfe –workflow-name example_workflow -n
//Add the new workflow to the appropriate network group
dsconfig set-network-group-prop –group-name network-group –add workflow:example_workflow -n 

// Add the appropriate acis for EUS
dsconfig set-access-control-handler-prop \
–add global-aci:'(target=“ldap:///o=example”)(targetattr=”authpassword”)(version 3.0; acl “EUS reads authpassword”; allow (read,search,compare) userdn=“ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))”;)’
dsconfig set-access-control-handler-prop \
–add global-aci:'(target=“ldap:///o=example”)(targetattr=”orclaccountstatusevent”)(version 3.0; acl “EUS writes orclaccountstatusenabled”; allow (write) userdn=“ldap:///??sub?(&(objectclass=orclservice)(objectclass=orcldbserver))”;)’

Last but not least you must adapt the content of the ${OUD}/config/EUS/eusData.ldif  file with your suffix value then inport it into OUD.

Enabling support of EUS and Fusion Apps in OUD

Since the 11gR2 release, OUD supports Enterprise User Security (EUS) for database authentication and also Fusion Apps. I’ll plan to blog on that soon. Meanwhile, the R2 OUD graphical setup does not let you configure both EUS and FusionApps support at the same time.

INBOX)67103[1]

However, it can be done manually using the dsconfig command line. The simplest way to proceed is to select EUS from the setup tool, then manually add support for Fusion Apps using dsconfig using the commands below:

– create a FA workflow element with eusWfe as next element:
dsconfig create-workflow-element \
–set enabled:true \
–set next-workflow-element:Eus0 \
–type fa \
–element-name faWfe

– modify the workflow so that it starts from your FA workflow element instead of Eus:
dsconfig set-workflow-prop \
–workflow-name userRoot0 \
–set workflow-element:faWfe

Note: the configuration changes may slightly differ in case multiple databases/suffixes are configured on OUD.