Post on 12-Sep-2021


Integrating Microsoft Active Directory and Oracle Internet Directory with Database Logins: Enterprise User Security

Dan Norris
Piocon Technologies, Inc.
www.dannorris.com
dannorris@dannorris.com

About This Session

• Terminology

• Concepts

• Components

• Building Solutions

About Dan


Terminology & Concepts

• Enterprise Users

• Enterprise Roles

• Shared Schemas

• Proxy Users

Terminology & Concepts (2)

• Global Roles

• Kerberos Principal

• LDAP

• Certificates

Components

• Oracle Database Enterprise Edition

• Identity Management 10.1.4 (OID + DIP)

• Windows 2003 Server (KDC)

• Certificate Authority (openssl)

Components (2)

• Oracle Wallets (DB > OID password, also for OID server authentication)

• ldapbindssl.exe - from OID sample code page - http://is.gd/2pT6

• Oracle password filter for MSAD (on CD #1 in utils/adpwdfilter/setup.exe)

Connecting The Dots (Password)

Diagram (reconstructed from the slide): components are OID, DB, MSAD, DIP Sync, Passwd Filter and Client; the links are labelled LDAP, SQL*Net, LDAPS, Wallet (twice) and Passwd Change.

1. Client > AD
2. Passwd > OID
3. OID <-> AD Sync
4. Client > DB
5. DB > OID
6. DB > Client

Connecting The Dots (Kerberos)

Diagram (reconstructed from the slide): components are OID, DB, MSAD (KDC), DIP Sync and Client; the links are labelled Kerberos (twice), LDAP, SQL*Net, Wallet and "via ASO" (twice).

1. OID <-> AD Sync
2. Client > KDC
3. Client > DB
4. DB > OID
5. DB > Client

Building The Solution

1) Install Oracle Identity Management 10.1.4 (http://is.gd/2pT0) including OID and DIP components

2) Install Oracle Database 11g EE (http://is.gd/2pWp), nothing special

3) Install MS Windows 2003 Server + enable Active Directory


Building The Solution

4) Register the database with OID (this enables EUS) and create a wallet for the DB password (dbca does both)

5) Ensure the wallet is set for autologin using Wallet Manager (owm)

6) Create an enterprise domain (using OEM is easiest). At this point, EUS is fully functional (you should test it).


Building The Solution

7) Establish OID sync with AD using dipassistant -gui. Verify accounts are sync'd using oidadmin. At this point, Kerberos auth can be used.

Building The Solution

8) Configure new wallet for OID to enable server authentication over LDAPS (use owm, possibly openssl)

Building The Solution

9) Configure new LDAPS port on OID using wallet (recommend new port). Created configset2, then run "oidctl server=oidldapd instance=2 configset=2 start"

Building The Solution

10) Install Oracle's AD Password Filter on MSAD server

11) Create users in AD, require them to change their password

Building The Solution

12) Configure client with Kerberos parameters in sqlnet.ora (if necessary)

SQLNET.KERBEROS5_CONF=c:\krb5\krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.KERBEROS5_CC_NAME=OSMSFT://

then login:

C:\> sqlplus /@db11gr1


Implementation Tips (1)

Use the correct ktpass command (+DesOnly); 368321.1, 577738.1 and Ch 7 of ASO guide are wrong (check output carefully!)

Note that ktpass behaves differently in different versions. See 368321.1 for details (-mapuser)

Review all sqlnet.ora parameters (SQLNET.KERBEROS5_CC_NAME=OSMSFT://)
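Step 12 lists the sqlnet.ora parameters a Kerberos-enabled client needs, and the tip above says to review them all. The following checker is an added example (not the presenter's code): it parses a sqlnet.ora fragment and reports which of the five parameters from step 12 are missing or wrong. The two embedded fragments are constructed samples; the checker only covers the client-side sqlnet.ora, not krb5.conf or the ktpass side.

```python
# Constructed sample: the working sqlnet.ora fragment from step 12 of the slides.
GOOD_SQLNET_ORA = """\
SQLNET.KERBEROS5_CONF=c:\\krb5\\krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.KERBEROS5_CC_NAME=OSMSFT://
"""

# Constructed sample of a client that was never fully switched over:
# KERBEROS5 is not an allowed service and three parameters are missing.
BAD_SQLNET_ORA = """\
# left over from a password-only install
SQLNET.AUTHENTICATION_SERVICES=(NTS)
SQLNET.KERBEROS5_CONF=c:\\krb5\\krb5.conf
"""

REQUIRED_VALUES = (
    "SQLNET.KERBEROS5_CONF",
    "SQLNET.AUTHENTICATION_KERBEROS5_SERVICE",
    "SQLNET.KERBEROS5_CC_NAME",
)

def parse_sqlnet(text):
    """Return {PARAM: value} for simple KEY=VALUE lines; '#' starts a comment.
    A parenthesised list such as (KERBEROS5, NTS) becomes a Python list."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        params[key.upper()] = value
    return params

def check_kerberos(params):
    """Return the list of problems to fix before 'sqlplus /@db' can use a
    Kerberos ticket; an empty list means the step-12 checklist passed."""
    problems = []
    services = params.get("SQLNET.AUTHENTICATION_SERVICES", [])
    if "KERBEROS5" not in services:
        problems.append("SQLNET.AUTHENTICATION_SERVICES does not include KERBEROS5")
    for key in REQUIRED_VALUES:
        if not params.get(key):
            problems.append(f"{key} is not set")
    if str(params.get("SQLNET.KERBEROS5_CONF_MIT", "")).upper() != "TRUE":
        problems.append("SQLNET.KERBEROS5_CONF_MIT should be TRUE for an MIT-format krb5.conf")
    return problems
```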


Implementation Tips (2)

ML 398524.1 shows how to debug (get all LDAP calls from DB to OID): alter system set events '28033 trace name context forever, level 9';

Using openssl self-signed certificates requires extendedKeyUsage=serverAuth in the openssl.cnf file

EUS doesn't support OID's external auth plugin for MSAD (ML 454414.1)

Implementation Tips (3)

Watch out for OID passwd expiration policy for the DB DN. The wallet must be regenerated for passwd changes (ML 558119.1)

Careful on the CN used in the LDAPS wallet: it must match the LDAP server hostname (FQDN)

References (1)

• 158599.1 – Oracle Advanced Security: Interoperability with Microsoft KDC on Windows 2000

• 261178.1 – Enterprise User Security Configuration: Resolving ORA-28030 Errors

• 294136.1 – Kerberos: High Level Introduction and Flow

• 331252.1 – Configuration Oracle ASO with MS Win 2k3 AD Kerberos KDC

• 333405.1 – ORA-28047: Database is not a Member of any Enterprise Domain in OID

• 368321.1 – MS Env: Configuring Oracle ASO Kerberos Adapter with W2k3 AD

• 398524.1 – How to Debug Problems with Enterprise User Security

• 437185.1 – ORA-1017 or ORA-28274 while connecting as EUS user who is the AD user synchronized with OID

References (2)

• 452385.1 – OID Server Chaining & EUS: AD Passwd Change Notification Plug-in

• 453853.1 – Step by Step Guide to Troubleshooting 10g EUS – Password Authentication

• 454414.1 – Can EUS Users Authenticate With Passwords Stored in AD?

• 458095.1 – ORA-28030 in 11g database while configuring EUS

• 558119.1 – ORA-28030 After Regenerating Wallet Password Using dbca

• 577738.1 – Step by Step Guide for 10g EUS – Kerberos Authentication

• Openssl-users mailing list thread at http://is.gd/2rpw


References (3)

• Oracle Identity Management Integration Guide

• Chapter 18: Configuring Synchronization with a Third-Party Directory

• Chapter 19: Integrating with MSAD

• Chapter 20: Deploying the Oracle Password Filter for MSAD

• Oracle Database Advanced Security Administrator's Guide, Chapter 7: Configuring Kerberos Authentication

• Oracle Database Enterprise User Security Administrator's Guide

• Chapter 2: Getting Started with Enterprise User Security

• Chapter 4: Enterprise User Security Configuration Tasks and Troubleshooting

• Appendix C: Integrating Enterprise User Security with MS AD

RAC SIG Events

• See www.oracleracsig.org for details

– Webcasts: Average 2x per month, live

– Conference Events:

• Scalability Customer Panel, Sunday @ 8:30a

• Birds of a Feather, Sunday @ 4p

• Experts Panel, Monday @ 2:30p

• Extreme OLTP session (Telecom), Wednesday @ 1p

– Forums (via OTN): Lots of participation from RAC SIG as well as Oracle gurus

• Join the RAC SIG at www.oracleracsig.org!

Save the Date!

May 3-7, 2009

Orange County Convention Center West, Orlando, Florida

Wrap-up

• Questions & Answers

• Evaluations – Please Complete

Presenter: Dan Norris

• Contact Info: Email: dnorris@piocon.com, Phone: 630-607-7422, Web: www.piocon.com

• Stop by and ask more questions of our experts in BI, FMW, DBA, and more…

Visit Booth 2738

Legal

The information contained herein should be deemed reliable but not guaranteed. The author has made every attempt to provide current and accurate information. If you have any comments or suggestions, please contact the author at: dnorris@piocon.com

You may request redistribution permission from dnorris@piocon.com.

Copyright © 2008, Piocon Technologies