Clarifying EUS and Kerberos

One of our sales consultants had some questions on OVD, Enterprise User Security (EUS) and Kerberos. Remember that EUS is the Oracle Database feature that lets you centralize the management of users and roles in your enterprise directory.

The database supports multiple models of authentication.

They are:

  • username and password
  • digital certificates (aka x.509)
  • Kerberos
  • RADIUS

The first three are supported by EUS. The last, RADIUS, is not.

Username and password is the easiest, but it does mean that with EUS we have to have an MD5 or SHA-1 hashed password stored in the enterprise directory. For Active Directory we have a DLL that uses Microsoft's Password Notifier API to do this for us, since AD doesn't do this automatically. For Sun (and Fedora, though we haven't officially certified it) the standard userpassword attribute is already hashed properly.
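As an added illustration of that requirement (example code written for this post, not part of OVD or EUS), here is a small audit that checks whether the userPassword values in a directory export are stored as the unsalted MD5 or SHA-1 digests the post describes, and verifies a candidate password against one. It assumes the RFC 2307-style `{SCHEME}` prefix followed by the base64 of the raw digest, which is how the Sun/Fedora servers store them; the sample entries are constructed.

```python
import base64
import hashlib
import hmac

# Digest schemes the post says EUS can consume from the directory.
# Assumption: values are "{SCHEME}" + base64(raw digest), RFC 2307 style.
EUS_SCHEMES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def parse_userpassword(value: str):
    """Split a userPassword value into (scheme, payload).
    Returns (None, value) when there is no {SCHEME} prefix (clear text)."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return None, value


def eus_consumable(value: str) -> bool:
    """True only for an unsalted {MD5} or {SHA} digest."""
    return parse_userpassword(value)[0] in EUS_SCHEMES


def make_userpassword(password: str, scheme: str = "SHA") -> str:
    """Build a directory value in the expected form (used for test data)."""
    digest = EUS_SCHEMES[scheme](password.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def verify_password(value: str, candidate: str) -> bool:
    """Check a candidate password against a stored {MD5}/{SHA} value."""
    scheme, encoded = parse_userpassword(value)
    if scheme not in EUS_SCHEMES:
        return False  # clear text, salted ({SSHA}) or unknown: refuse
    try:
        stored = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    computed = EUS_SCHEMES[scheme](candidate.encode("utf-8")).digest()
    return hmac.compare_digest(stored, computed)  # constant-time compare


# Constructed sample entries, as an audit of an LDIF export might see them.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=",
    "uid=bob,ou=people,dc=example,dc=com": "{SSHA}Zm9vYmFyc2FsdA==",
    "uid=carol,ou=people,dc=example,dc=com": "secret",
}


def audit(entries) -> list:
    """Return the DNs whose userPassword EUS could not consume."""
    return sorted(dn for dn, v in entries.items() if not eus_consumable(v))
```

Running `audit(SAMPLE_ENTRIES)` flags bob (salted SSHA) and carol (clear text), which is the list you would take to the directory team before enabling password authentication through EUS.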

If you are using Kerberos, the upside is that you don't need to exchange passwords. Instead the client gets a ticket from the KDC (these days that's likely to be Microsoft AD, though I have run into MIT recently) and then the ticket can be used to validate their credentials against the database (this is a simplification of Kerberos, but the full protocol details are available if you really want to know more). In Kerberos the database verifies the credentials. It only uses EUS to map the user to a database schema and database role.

Now to answer some specific questions, which I can update later:

Q1 - The LDAP listener is not Kerberos (authentication) enabled?

A1 - Correct, OVD currently does not support Kerberos authentication. This is not generally a limitation, since no common LDAP client application that I'm aware of requires Kerberos authentication. Also, the Kerberos protocol does not easily open itself up to virtualization. Perhaps this will change when the world starts to adopt STS technologies.

Q2 - The LDAP adapter acts as a client and is Kerberos enabled?

A2 - Yes, OVD can take a simple bind (i.e. username and password) from an LDAP client application and verify that password against Active Directory using Kerberos. This is useful if a company doesn't have SSL enabled on AD (but has SSL on OVD) and wants to securely validate passwords against AD.

Q3 - I can't use my Kerberos ticket (obtained while logging in to a Windows domain) to authenticate to OVD and do a query?

A3 - This depends, because LDAP is like a database: most of the time end users are not connecting directly to the system, they use client applications. If the client application is web-based and configured to do Windows SSO, then yes. If it's a third-party application that cannot, then you will need to re-type your credentials. Even if we could accept Kerberos tokens, OVD (just like ANY other Kerberos-enabled application) is dependent upon the client application to support it as well. This is why Kerberos never took off in great numbers prior to the release of Active Directory (which gave everyone who ran Windows a KDC whether they wanted it or not) and the Web.

Comments:

I'm glad to hear you're getting questions about this from the wild. I'm doing a session on integrating OID, AD, and EUS for database logins at OOW in a few weeks. Maybe I'll see you there? I think it's scheduled for mid-day on Thursday. Officially, the content builder says that it is full and there's a short waiting list when I last looked. Hopefully, they'll move me to a larger room!

Posted by Dan Norris on September 02, 2008 at 10:35 AM PDT #
