Integrating Microsoft Active Directory and Oracle Internet Directory with Database Logins: Enterprise User Security
Dan Norris, Piocon Technologies, [email protected]
About This Session
•Terminology
•Concepts
•Components
•Building Solutions
About Dan
Terminology & Concepts
•Enterprise Users
•Enterprise Roles
•Shared Schemas
•Proxy Users
Terminology & Concepts (2)
•Global Roles
•Kerberos Principal
•LDAP
•Certificates
Components
•Oracle Database Enterprise Edition
•Identity Management 10.1.4 (OID + DIP)
•Windows 2003 Server (KDC)
•Certificate Authority (openssl)
Components (2)
•Oracle Wallets (DB > OID password, also for OID server authentication)
•ldapbindssl.exe - from OID sample code page - http://is.gd/2pT6
•Oracle password filter for MSAD (on CD #1 in utils/adpwdfilter/setup.exe)
Connecting The Dots (Password)
Diagram: components OID, DB, MSAD (with DIP Sync and the Oracle password filter) and Client; links labelled LDAP, LDAPS, SQL*Net, Wallet (on both the DB and OID ends) and "Passwd Change".
1. Client > AD (password change)
2. Passwd filter > OID
3. OID <-> AD sync (LDAP, via DIP)
4. Client > DB (SQL*Net)
5. DB > OID (LDAPS, authenticated with the wallet)
6. DB > Client
Connecting The Dots (Kerberos)
Diagram: components OID, DB, MSAD (KDC) with DIP Sync, and Client; links labelled Kerberos (client to KDC, and client to DB "via ASO"), LDAP (sync), SQL*Net (client to DB) and Wallet (DB to OID).
1. OID <-> AD sync
2. Client > KDC
3. Client > DB
4. DB > OID
5. DB > Client
Building The Solution
1) Install Oracle Identity Management 10.1.4 (http://is.gd/2pT0) including OID and DIP components
2) Install Oracle Database 11g EE (http://is.gd/2pWp), nothing special
3) Install MS Windows 2003 Server + enable Active Directory
Building The Solution
4) Register the database with OID (this enables EUS) and create a wallet holding the database's OID password (dbca does both)
5) Ensure the wallet is set for autologin using Wallet Manager (owm)
6) Create an enterprise domain (using OEM is easiest). At this point, EUS is fully functional (you should test it).
Building The Solution
7) Establish OID sync with AD using dipassistant -gui. Verify accounts are sync'd using oidadmin. At this point, Kerberos auth can be used.
Building The Solution
8) Configure a new wallet for OID to enable server authentication over LDAPS (use owm, possibly openssl)
Building The Solution
9) Configure a new LDAPS port on OID using the wallet (recommend a new port). Created configset2, then run:
oidctl server=oidldapd instance=2 configset=2 start
Building The Solution
10) Install Oracle's AD Password Filter on the MSAD server
11) Create users in AD, require them to change their password
Building The Solution
12) Configure the client with Kerberos parameters in sqlnet.ora (if necessary):
SQLNET.KERBEROS5_CONF=c:\krb5\krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.KERBEROS5_CC_NAME=OSMSFT://
then login:
C:\> sqlplus /@db11gr1
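A quick check for the step 12 parameters, added here as an example and not part of the presentation: a POSIX shell script that reads a client sqlnet.ora (copied off the Windows client, or read in place on a Unix client) and reports which of the Kerberos settings above are missing or off. The sample sqlnet.ora it writes is constructed from the values on this slide; the parameter names are the ones shown above, and the OSMSFT:// expectation reflects the Windows client used in this walkthrough.

```shell
#!/bin/sh
# Added example (not from the presentation): sanity-check the Kerberos
# parameters in a client sqlnet.ora before trying "sqlplus /@db11gr1".
set -eu

# sqlnet_get <sqlnet.ora> <PARAMETER>: print the parameter's value, or an
# empty line if it is absent. Keys are matched case-insensitively, whitespace
# around "=" is ignored, comment lines are skipped; if the parameter appears
# more than once the last line is reported.
sqlnet_get() {
  key=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  awk -v key="$key" '
    /^[ \t]*#/ { next }                      # comment line
    index($0, "=") == 0 { next }             # not a key=value line
    {
      k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
      if (toupper(k) != key) next
      v = $0; sub(/^[^=]*=/, "", v)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      val = v
    }
    END { print val }' "$1"
}

# check_sqlnet_kerberos <sqlnet.ora>: print one line per finding; return 0
# only when every parameter from step 12 is present and sane.
check_sqlnet_kerberos() {
  f="$1"; rc=0
  services=$(sqlnet_get "$f" SQLNET.AUTHENTICATION_SERVICES | tr '[:lower:]' '[:upper:]')
  case "$services" in
    *KERBEROS5*) ;;
    *) echo "SQLNET.AUTHENTICATION_SERVICES does not include KERBEROS5 (found: '${services:-unset}')"; rc=1 ;;
  esac
  for p in SQLNET.KERBEROS5_CONF SQLNET.AUTHENTICATION_KERBEROS5_SERVICE SQLNET.KERBEROS5_CC_NAME; do
    [ -n "$(sqlnet_get "$f" "$p")" ] || { echo "$p is not set"; rc=1; }
  done
  mit=$(sqlnet_get "$f" SQLNET.KERBEROS5_CONF_MIT | tr '[:lower:]' '[:upper:]')
  [ "$mit" = "TRUE" ] || { echo "SQLNET.KERBEROS5_CONF_MIT is not TRUE (found: '${mit:-unset}')"; rc=1; }
  cc=$(sqlnet_get "$f" SQLNET.KERBEROS5_CC_NAME)
  case "$cc" in
    OSMSFT://) ;;   # Windows client using the LSA ticket cache, as on the slide
    "") ;;          # already reported above
    *) echo "note: SQLNET.KERBEROS5_CC_NAME is '$cc', not OSMSFT:// (expected for a Windows client)" ;;
  esac
  return $rc
}

# write_sample_sqlnet_ora <path>: constructed sample using the slide's values.
write_sample_sqlnet_ora() {
  cat > "$1" <<'EOF'
# client sqlnet.ora (constructed sample, values from step 12)
SQLNET.KERBEROS5_CONF = c:\krb5\krb5.conf
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
SQLNET.KERBEROS5_CC_NAME = OSMSFT://
EOF
}

# Stand-alone use: check the file given as $1, or the constructed sample if none.
if [ $# -ge 1 ]; then
  check_sqlnet_kerberos "$1"
else
  tmp=$(mktemp)
  write_sample_sqlnet_ora "$tmp"
  check_sqlnet_kerberos "$tmp" && echo "sample sqlnet.ora: all Kerberos parameters present"
  rm -f "$tmp"
fi
```

Run it as `sh check_sqlnet.sh /path/to/sqlnet.ora`; a silent run with exit status 0 means the five parameters are there, which is worth confirming before chasing ORA-1017 errors on the Kerberos path (see 437185.1).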
Implementation Tips (1)
Use the correct ktpass command (+DesOnly); 368321.1, 577738.1 and Ch 7 of ASO guide are wrong (check output carefully!)
Note that ktpass behaves differently in different versions. See 368321.1 for details (-mapuser)
Review all sqlnet.ora parameters (SQLNET.KERBEROS5_CC_NAME=OSMSFT://)
Implementation Tips (2)
ML 398524.1 shows how to debug (get all LDAP calls from DB to OID): alter system set events '28033 trace name context forever, level 9';
Using openssl self-signed certificates requires extendedKeyUsage= serverAuth in openssl.cnf file
EUS doesn’t support OID’s external auth plugin for MSAD (ML 454414.1)
Implementation Tips (3)
Watch out for OID passwd expiration policy for DB DN. Wallet must be regenerated for passwd changes (ML 558119.1)
Careful on the CN used in the LDAPS wallet—must match LDAP server hostname (FQDN)
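The two certificate requirements from the tips (extendedKeyUsage=serverAuth in openssl.cnf, and a CN equal to the LDAP server's FQDN) as an added example, not the presenter's code: a shell script that mints a self-signed certificate for the OID LDAPS listener with those properties and then verifies both on the resulting file. The hostname oid01.example.com and the output directory are hypothetical; the subjectAltName entry goes beyond what the slides mention and is included because current TLS clients check it as well as the CN.

```shell
#!/bin/sh
# Added example (not from the presentation): self-signed certificate for the
# OID LDAPS listener (step 8) carrying extendedKeyUsage=serverAuth and a CN
# equal to the server's FQDN, plus checks for both properties.
# Hypothetical values: host oid01.example.com, output directory ./oidcert.
set -eu

# write_openssl_cnf <cnf path> <OID FQDN>: config that puts
# extendedKeyUsage=serverAuth into the certificate (tip from slide 24).
write_openssl_cnf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_server
[ dn ]
CN = $2
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

# gen_oid_cert <OID FQDN> <output dir>: writes oid-ldaps.key and oid-ldaps.pem.
gen_oid_cert() {
  mkdir -p "$2"
  write_openssl_cnf "$2/openssl.cnf" "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$2/openssl.cnf" -keyout "$2/oid-ldaps.key" -out "$2/oid-ldaps.pem" 2>/dev/null
}

# cert_has_serverauth <cert>: 0 if the EKU extension includes serverAuth.
cert_has_serverauth() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# cert_cn_matches <cert> <hostname>: 0 if the subject CN equals the hostname
# clients use for the LDAP server (tip from slide 25: must be the FQDN).
cert_cn_matches() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ]
}

# Stand-alone use: sh oid-ldaps-cert.sh oid01.example.com ./oidcert
if [ $# -ge 1 ]; then
  fqdn="$1"; out="${2:-./oidcert}"
  gen_oid_cert "$fqdn" "$out"
  cert_has_serverauth "$out/oid-ldaps.pem" && echo "EKU serverAuth: ok"
  cert_cn_matches "$out/oid-ldaps.pem" "$fqdn" && echo "CN matches $fqdn: ok"
  echo "Import $out/oid-ldaps.pem and its key into the OID wallet from step 8."
fi
```

The same two checks can be run against a certificate that was issued elsewhere: point `cert_cn_matches` at the exact hostname in the DB's LDAP configuration, since a short name or an alias in the CN is what produces the LDAPS failures the tip warns about.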
References (1)
• 158599.1 – Oracle Advanced Security: Interoperability with Microsoft KDC on Windows 2000
• 261178.1 – Enterprise User Security Configuration: Resolving ORA-28030 Errors
• 294136.1 – Kerberos: High Level Introduction and Flow
• 331252.1 – Configuration Oracle ASO with MS Win 2k3 AD Kerberos KDC
• 333405.1 – ORA-28047: Database is not a Member of any Enterprise Domain in OID
• 368321.1 – MS Env: Configuring Oracle ASO Kerberos Adapter with W2k3 AD
• 398524.1 – How to Debug Problems with Enterprise User Security
• 437185.1 – ORA-1017 or ORA-28274 while connecting as EUS user who is the AD user synchronized with OID
References (2)
• 452385.1 – OID Server Chaining & EUS: AD Passwd Change Notification Plug-in
• 453853.1 – Step by Step Guide to Troubleshooting 10g EUS – Password Authentication
• 454414.1 – Can EUS Users Authenticate With Passwords Stored in AD?
• 458095.1 – ORA-28030 in 11g database while configuring EUS
• 558119.1 – ORA-28030 After Regenerating Wallet Password Using dbca
• 577738.1 – Step by Step Guide for 10g EUS – Kerberos Authentication
• Openssl-users mailing list thread at http://is.gd/2rpw
References (3)
• Oracle Identity Management Integration Guide
–Chapter 18: Configuring Synchronization with a Third-Party Directory
–Chapter 19: Integrating with MSAD
–Chapter 20: Deploying the Oracle Password Filter for MSAD
• Oracle Database Advanced Security Administrator's Guide, Chapter 7: Configuring Kerberos Authentication
• Oracle Database Enterprise User Security Administrator's Guide
–Chapter 2: Getting Started with Enterprise User Security
–Chapter 4: Enterprise User Security Configuration Tasks and Troubleshooting
–Appendix C: Integrating Enterprise User Security with MS AD
RAC SIG Events
• See www.oracleracsig.org for details
–Webcasts: Average 2x per month, live
–Conference Events:
• Scalability Customer Panel, Sunday @ 8:30a
• Birds of a Feather, Sunday @ 4p
• Experts Panel, Monday @ 2:30p
• Extreme OLTP session (Telecom), Wednesday @ 1p
–Forums (via OTN): Lots of participation from RAC SIG as well as Oracle gurus
• Join the RAC SIG at www.oracleracsig.org!
Save the Date!
May 3-7, 2009, Orange County Convention Center West, Orlando, Florida
Wrap-up
• Questions & Answers
• Evaluations – Please Complete
Presenter: Dan Norris
•Contact Info: Email: [email protected], 630-607-7422, Web: www.piocon.com
•Stop by and ask more questions of our experts in BI, FMW, DBA, and more…
Visit Booth 2738
Legal
The information contained herein should be deemed reliable but not guaranteed. The author has made every attempt to provide current and accurate information. If you have any comments or suggestions, please contact the author at:
You may request redistribution permission from [email protected].
Copyright © 2008, Piocon Technologies