
Integrating Microsoft Active Directory and Oracle Internet Directory with Database Logins: Enterprise User Security
Dan Norris
Piocon Technologies, Inc.
www.dannorris.com
dannorris@dannorris.com

About This Session

Terminology
Concepts
Components
Building Solutions

About Dan

Terminology & Concepts

Enterprise Users
Enterprise Roles
Shared Schemas
Proxy Users

Terminology & Concepts (2)

Global Roles
Kerberos Principal
LDAP
Certificates

Components
Oracle Database Enterprise Edition
Identity Management 10.1.4 (OID + DIP)
Windows 2003 Server (KDC)
Certificate Authority (openssl)

Components (2)
Oracle Wallets (DB > OID password, also for OID server authentication)
ldapbindssl.exe - from OID sample code page - http://is.gd/2pT6
Oracle password filter for MSAD (on CD #1 in utils/adpwdfilter/setup.exe)

Connecting The Dots (Password)

(Diagram labels: Client, MSAD, OID, DB, Wallet, Passwd Filter, DIP Sync, LDAP, LDAPS, SQL*Net, Passwd Change)

1. Client > AD
2. Passwd > OID
3. OID <-> AD Sync
4. Client > DB
5. DB > OID
6. DB > Client

Connecting The Dots (Kerberos)

(Diagram labels: Client, MSAD (KDC), OID, DB, Wallet, DIP Sync, LDAP, Kerberos, Kerberos via ASO, SQL*Net via ASO)

1. OID <-> AD Sync
2. Client > KDC
3. Client > DB
4. DB > OID
5. DB > Client

Building The Solution

1) Install Oracle Identity Management 10.1.4 (http://is.gd/2pT0) including OID and DIP components
2) Install Oracle Database 11g EE (http://is.gd/2pWp), nothing special
3) Install MS Windows 2003 Server + enable Active Directory

Building The Solution

4) Register Database with OID (enables EUS), create a wallet for the DB password (dbca does both things)
5) Ensure the wallet is set for autologin using Wallet Manager (owm)
6) Create an enterprise domain (using OEM is easiest). At this point, EUS is fully functional (you should test it).


Building The Solution

7) Establish OID sync with AD using the dipassistant GUI. Verify accounts are synced using oidadmin. At this point, Kerberos auth can be used.

Building The Solution

8) Configure new wallet for OID to enable server authentication over LDAPS (use owm, possibly openssl)

Building The Solution

9) Configure new LDAPS port on OID using the wallet (recommend a new port). Create configset2, then run:
oidctl server=oidldapd instance=2 configset=2 start

Building The Solution

10) Install Oracle's AD Password Filter on the MSAD server
11) Create users in AD, require them to change their password

Building The Solution

12) Configure client with Kerberos parameters in sqlnet.ora (if necessary)
SQLNET.KERBEROS5_CONF=c:\krb5\krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.KERBEROS5_CC_NAME=OSMSFT://

then login:
C:\> sqlplus /@db11gr1


Implementation Tips (1)

Use the correct ktpass command (+DesOnly); 368321.1, 577738.1 and Ch 7 of the ASO guide are wrong (check output carefully!)
Note that ktpass behaves differently in different versions. See 368321.1 for details (-mapuser)
Review all sqlnet.ora parameters (SQLNET.KERBEROS5_CC_NAME=OSMSFT://)

Implementation Tips (2)

ML 398524.1 shows how to debug (get all LDAP calls from DB to OID):
alter system set events '28033 trace name context forever, level 9';

Using openssl self-signed certificates requires extendedKeyUsage=serverAuth in the openssl.cnf file
EUS doesn't support OID's external auth plugin for MSAD (ML 454414.1)

Implementation Tips (3)

Watch out for the OID passwd expiration policy for the DB DN. The wallet must be regenerated for passwd changes (ML 558119.1)
Careful on the CN used in the LDAPS wallet: it must match the LDAP server hostname (FQDN)
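The two certificate tips (self-signed certs need extendedKeyUsage=serverAuth, and the CN in the LDAPS wallet must equal the OID server's FQDN) can be checked mechanically before a certificate is imported into the wallet. The script below is an added example, not code from the slides or from Oracle: it writes a minimal openssl.cnf with the required extension section, generates a certificate with openssl, and verifies both properties on any PEM certificate; the host name oid.example.com and the section names v3_ldaps/v3_noeku are constructed for the example.

```shell
# Added example, not from the slides: build a self-signed LDAPS server
# certificate the way the tips require (extendedKeyUsage=serverAuth, subject
# CN equal to the OID host FQDN) and verify both properties on any PEM cert
# before it goes into the OID wallet. oid.example.com is a constructed host.
set -e
WORK=$(mktemp -d)
# openssl.cnf fragment: v3_ldaps carries the EKU the Oracle client expects
# for server authentication; v3_noeku reproduces the failing case.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ldaps ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_noeku ]
basicConstraints = CA:FALSE
EOF

# make_cert FQDN SECTION -> writes key+cert under $WORK, prints the cert path
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -config "$WORK/openssl.cnf" -extensions "$2" \
    -keyout "$WORK/$1.$2.key" -out "$WORK/$1.$2.crt" 2>/dev/null
  printf '%s\n' "$WORK/$1.$2.crt"
}

# cert_cn FILE -> prints the subject CN (handles old "/CN=x" and new "CN = x")
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_has_server_auth FILE -> 0 when extendedKeyUsage contains serverAuth
cert_has_server_auth() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# check_ldaps_cert FILE FQDN -> 0 only if the cert is usable for OID LDAPS
check_ldaps_cert() {
  cert_has_server_auth "$1" || { echo "$1: missing extendedKeyUsage=serverAuth" >&2; return 1; }
  [ "$(cert_cn "$1")" = "$2" ] || { echo "$1: CN '$(cert_cn "$1")' != '$2'" >&2; return 1; }
}
# Demo: a conforming certificate passes the check.
check_ldaps_cert "$(make_cert oid.example.com v3_ldaps)" oid.example.com && echo "OK"
```

To check a certificate you already have, source the script and run check_ldaps_cert on the PEM file and the OID host's FQDN; a non-zero exit names which of the two properties is missing.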


References (1)

158599.1 Oracle Advanced Security: Interoperability with Microsoft KDC on Windows 2000
261178.1 Enterprise User Security Configuration: Resolving ORA-28030 Errors
294136.1 Kerberos: High Level Introduction and Flow
331252.1 Configuration Oracle ASO with MS Win 2k3 AD Kerberos KDC
333405.1 ORA-28047: Database is not a Member of any Enterprise Domain in OID
368321.1 MS Env: Configuring Oracle ASO Kerberos Adapter with W2k3 AD
398524.1 How to Debug Problems with Enterprise User Security
437185.1 ORA-1017 or ORA-28274 while connecting as EUS user who is the AD user synchronized with OID

References (2)

452385.1 OID Server Chaining & EUS: AD Passwd Change Notification Plug-in
453853.1 Step by Step Guide to Troubleshooting 10g EUS Password Authentication
454414.1 Can EUS Users Authenticate With Passwords Stored in AD?
458095.1 ORA-28030 in 11g database while configuring EUS
558119.1 ORA-28030 After Regenerating Wallet Password Using dbca
577738.1 Step by Step Guide for 10g EUS Kerberos Authentication
Openssl-users mailing list thread at http://is.gd/2rpw

References (3)

Oracle Identity Management Integration Guide
Chapter 18: Configuring Synchronization with a Third-Party Directory
Chapter 19: Integrating with MSAD
Chapter 20: Deploying the Oracle Password Filter for MSAD

Oracle Database Advanced Security Administrator's Guide, Chapter 7: Configuring Kerberos Authentication

Oracle Database Enterprise User Security Administrator's Guide
Chapter 2: Getting Started with Enterprise User Security
Chapter 4: Enterprise User Security Configuration Tasks and Troubleshooting
Appendix C: Integrating Enterprise User Security with MS AD

RAC SIG Events

See www.oracleracsig.org for details
Webcasts: Average 2x per month, live
Conference Events:
Scalability Customer Panel, Sunday @ 8:30a
Birds of a Feather, Sunday @ 4p
Experts Panel, Monday @ 2:30p
Extreme OLTP session (Telecom), Wednesday @ 1p
Forums (via OTN): Lots of participation from RAC SIG as well as Oracle gurus
Join the RAC SIG at www.oracleracsig.org!

Save the Date!

09
May 3-7, 2009
Orange County Convention Center West
Orlando, Florida


Wrap-up

Visit Booth 2738

Questions & Answers

Evaluations: Please Complete
Presenter: Dan Norris

Contact Info:
Email: dnorris@piocon.com
Phone: 630-607-7422
Web: www.piocon.com

Stop by and ask more questions of our experts in BI, FMW, DBA, and more


Legal
The information contained herein should be deemed reliable
but not guaranteed. The author has made every attempt to
provide current and accurate information. If you have any
comments or suggestions, please contact the author at:
dnorris@piocon.com
You may request redistribution permission from
dnorris@piocon.com.
Copyright 2008, Piocon Technologies

