Migration from OID to OUD: Adapting EUS metadata

Enterprise User Security is an important component of Oracle Database Enterprise Edition. It enables you to address administrative and security challenges for a large number of enterprise database users by centralizing users and roles in a LDAP directory.

It is possible to use either Oracle Internet Directory (OID) or Oracle Unified Directory (OUD) as LDAP repository for EUS.

To migrate from OID to OUD,
– enable EUS support in OUD
– copy your user and groups in <your_context)
– copy across EUS metadata (in cn=oracleContext,<your suffix)

EUS metadata as stored in OID must be slighly adapted before being impoorted to OUD otherwise the DB won’t be able to authenticate against OUD and will raise the following error:

ORA-28043: invalid bind credentials for DB-OID connection

Migrating the DB entry from OID to OUD requires some specific steps for SASL/DIGEST-MD5 authentication. In OID, the password hash used for SASL/DIGEST-MD5 authentication is stored in authpassword;oid, with the {SASL/MD5} prefix.
In OUD, this must be stored in orclcommonrpwdattribute with the {SASL-MD5} prefix.

For instance:

In OID:
ldapsearch [conn details] -b cn=oraclecontext,dc=example,dc=com -s one “(cn=orcl11g)” authpassword
dn: cn=orcl11g,cn=oraclecontext,dc=example,dc=com
authpassword;oid: {SASL/MD5}ola+G+GFsSeiu6QcRiAh9g==
authpassword;oid: {SASL/MD5-DN}3UeqmU5Axd+XVAM9Lxf28g==
authpassword;oid: {SASL/MD5-U}BD6uyBcSiFbGtlPzq6TtUA==

In OUD:
ldapsearch [conn details] -b cn=oraclecontext,dc=example,dc=com -s one “(objectclass=orcldbserver)” orclcommonrpwdattribute
dn: cn=orcl11g,cn=OracleContext,dc=example,dc=com
orclcommonrpwdattribute: {SASL-MD5}ola+G+GFsSeiu6QcRiAh9g==

Advertisements

OUD as a OAM Identity Store

Since 11gR2, OUD can be used natively as a OAM Identity Store. Select  “OUD: Oracle Unified Directory” as Store Type as described here.

As an alternate solution, you can also configure OVD as Identity Store with OAM and then configure LDAP adapter for OVD with OUD details.Configuring Identity store for OAM is documented here. Choose “OVD: Oracle Virtual Directory” as store type and provide store details as per the document. Configuring LDAP adapter for OVD is documented here. Provide your OUD details required as per the document.