Clarifying EUS and Kerberos
By Mark Wilcox - CTO - Oracle Consulting Security-Oracle on Sep 02, 2008
One of our sales consultants had some questions on OVD, Enterprise User Security (EUS) and Kerberos. Remember, EUS is the Oracle Database feature that lets you centralize the management of users & roles in your enterprise directory.
The database supports multiple models of authentication:
- username and password
- digital certificates (aka X.509)
- Kerberos
- RADIUS
The first three are supported by EUS. The last, RADIUS, is not.
Username and password is the easiest but does mean that in EUS we have to have an MD5 or SHA1 password hash stored in the enterprise directory. For Active Directory we have a DLL that uses Microsoft's Password Notifier API to do this for us, since AD doesn't do this automatically. For Sun (and Fedora, though we haven't officially certified it) the standard userpassword attribute is already hashed properly.
If you are using Kerberos, the upside is that you don't need to exchange passwords. Instead the client gets a ticket from the KDC (these days that's likely to be Microsoft AD, though I have run into MIT recently) and then the ticket can be used to validate their credentials against the database (this is a simplification of Kerberos; if you really want to know more you can read the details). In Kerberos the database verifies the credentials. It only uses EUS to map the user to a database schema and database role.
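To make the split between the two models concrete, here is an added example (not Oracle's code and not part of the original post) that models what the directory holds in each case and what EUS itself contributes. The directory entries, the mapping tables, the schema names and the role names are all constructed, hypothetical values. In the password model the directory's {SHA}/{MD5} userPassword hash is what gets verified; in the Kerberos model the ticket check is the database's job (simulated here by handing in an already-verified principal), and EUS is only consulted for the principal-to-entry lookup, the entry-level or subtree-level schema mapping, and the enterprise-role-to-global-role resolution.

```python
import base64
import hashlib
import hmac

# Constructed, in-memory stand-in for the enterprise directory (not real OID/OVD data).
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "uid": "alice",
        "userPassword": "{SHA}" + base64.b64encode(hashlib.sha1(b"alice-pw").digest()).decode(),
        "krbPrincipalName": "alice@EXAMPLE.COM",
    },
    "cn=bob,ou=contractors,dc=example,dc=com": {
        "uid": "bob",
        "userPassword": "{MD5}" + base64.b64encode(hashlib.md5(b"bob-pw").digest()).decode(),
        "krbPrincipalName": "bob@EXAMPLE.COM",
    },
}

# EUS-style user/schema mappings (hypothetical values). An entry-level mapping binds one
# DN to its own schema; a subtree-level mapping binds every entry under a container to a
# shared schema.
ENTRY_MAPPINGS = {"cn=alice,ou=people,dc=example,dc=com": "ALICE"}
SUBTREE_MAPPINGS = {
    "ou=people,dc=example,dc=com": "STAFF_SHARED",
    "ou=contractors,dc=example,dc=com": "CONTRACTOR_SHARED",
}

# Enterprise role -> (member DNs, database global roles it grants); hypothetical values.
ENTERPRISE_ROLES = {
    "hr_clerk": (["cn=alice,ou=people,dc=example,dc=com"], ["HR_READ"]),
    "contractor": (["cn=bob,ou=contractors,dc=example,dc=com"], ["PUBLIC_READ"]),
}


def verify_directory_password(stored: str, candidate: str) -> bool:
    """Compare a candidate password against an LDAP-style {SHA}/{MD5} userPassword value."""
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(candidate.encode()).digest()
        expected = base64.b64decode(stored[len("{SHA}"):])
    elif stored.startswith("{MD5}"):
        digest = hashlib.md5(candidate.encode()).digest()
        expected = base64.b64decode(stored[len("{MD5}"):])
    else:
        return False  # cleartext or an unknown scheme: nothing EUS can use
    return hmac.compare_digest(digest, expected)


def find_by_attribute(attr: str, value: str):
    """Return the DN of the first entry whose attribute equals value, else None."""
    for dn, entry in DIRECTORY.items():
        if entry.get(attr) == value:
            return dn
    return None


def authenticate_password(uid: str, password: str):
    """Password model: the stored hash in the directory is what gets verified."""
    dn = find_by_attribute("uid", uid)
    if dn is None or not verify_directory_password(DIRECTORY[dn]["userPassword"], password):
        return None
    return dn


def authenticate_kerberos(verified_principal: str):
    """Kerberos model: the database has already validated the ticket with the KDC
    (simulated by trusting the principal string); the directory is only used for mapping."""
    return find_by_attribute("krbPrincipalName", verified_principal)


def map_schema(dn: str):
    """Entry-level mapping wins; otherwise the most specific matching subtree mapping."""
    if dn in ENTRY_MAPPINGS:
        return ENTRY_MAPPINGS[dn]
    matches = [base for base in SUBTREE_MAPPINGS if dn.endswith("," + base)]
    if not matches:
        return None
    return SUBTREE_MAPPINGS[max(matches, key=len)]


def resolve_roles(dn: str):
    """Collect the global roles granted through every enterprise role the DN belongs to."""
    roles = []
    for members, global_roles in ENTERPRISE_ROLES.values():
        if dn in members:
            roles.extend(global_roles)
    return sorted(roles)


def session_for(dn):
    """What the database session ends up with once EUS has done its mapping work."""
    if dn is None:
        return None
    return {"dn": dn, "schema": map_schema(dn), "roles": resolve_roles(dn)}


if __name__ == "__main__":
    print(session_for(authenticate_password("alice", "alice-pw")))
    print(session_for(authenticate_password("alice", "wrong")))
    print(session_for(authenticate_kerberos("bob@EXAMPLE.COM")))
```

Note that `map_schema` and `resolve_roles` are identical for both models: that is the point of the post. Swapping the authentication model changes who verifies the credential (the directory hash versus the KDC-issued ticket), not how EUS turns the resulting identity into a schema and a set of roles.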
Now to answer some specific questions - which I can update later:
Q1 - the LDAP listener is not Kerberos (authentication) enabled?
A1 - Correct, OVD currently does not support Kerberos authentication. This is not generally a limitation since no common LDAP client application that I'm aware of requires Kerberos authentication. Also, the Kerberos protocol does not easily open itself up to virtualization. Perhaps this will change when the world starts to adopt STS technologies.
Q2 - does the LDAP adapter act as a client, and is it Kerberos enabled?
A2 - Yes, OVD can take a simple bind (e.g. username and password) from an LDAP client application and verify that password against Active Directory using Kerberos. This is useful if a company doesn't have SSL enabled on AD (but has SSL on OVD) and wants to securely validate passwords against AD.
Q3 - I can't use my Kerberos ticket (obtained while logging in to a Windows domain) to authenticate to OVD and do a query?
A3 - This depends, because LDAP is like a database: most of the time end-users are not connecting directly to the system, they use client applications. If the client application is web-based and configured to do Windows SSO, then yes. If it's a 3rd party application that cannot, then you will need to re-type your credentials. Even if we could accept Kerberos tokens, OVD (just as ANY other Kerberos enabled application) is dependent upon the client application to support it as well. This is why Kerberos never took off in great numbers prior to the release of Active Directory (which gave everyone who ran Windows a KDC whether they wanted it or not) and the Web.