OUD&EUS Take 2: DB Accounts Proxied by OUD into Existing Directories

This post is the second in a series focusing on Enterprise User Security (EUS) and Oracle Unified Directory (OUD).

Enterprise User Security (EUS), an Oracle Database Enterprise Edition feature, leverages the Oracle Directory Services and gives you the ability to centrally manage database users and role memberships in an LDAP directory. EUS reduces administration costs and increases security.

DB Accounts Proxied by OUD into Existing Directories

Most enterprises already have corporate directories in place and prefer an EUS implementation that reuses them. Such an implementation leverages the existing directory infrastructure and user information base without setting up synchronization between directories. In this way, OUD acts as a real-time interpreter, translating the Oracle database's information requests into lookups against the existing user data.

Using OUD enables the database to interact with third-party directories. OUD leverages the user and group information already in the third-party directory infrastructure by forwarding LDAP requests to the third-party directory holding the user data and relaying the responses back. Database metadata such as DB registration information, user/role mappings, and other EUS-specific metadata are stored locally in OUD, so no schema changes are required in the existing third-party directory to hold the EUS configuration.

As of release 11gR2PS1, OUD is certified with EUS to support Active Directory, Oracle Directory Server Enterprise Edition, and Novell eDirectory. Working with these products, OUD eliminates user data duplication and synchronization and consequently lowers total cost of ownership (TCO).

1. Centralizing Accounts into Microsoft Active Directory

You can integrate Active Directory for password-based authentication or integrate Active Directory with Kerberos authentication.

Active Directory Integration for Password-based authentication

Such a scenario requires deployment of an additional component: the OUD Password Change Notification plug-in (oidpwdcn.dll). Microsoft uses a proprietary implementation to hash passwords in Active Directory that is incompatible with the Oracle DB requirements. The OUD Password Change Notification plug-in is notified whenever a password change occurs and stores a DB-compatible hash in Active Directory. The oidpwdcn.dll must be installed on every Active Directory domain controller.

Active Directory Schema extension is required to store the hashed passwords.

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. User password hashes are retrieved from the attribute populated by the OUD Password Change Notification plug-in. EUS metadata are stored in and retrieved from OUD.

The database version must be 10.1 or later as earlier versions use a different and incompatible password format.

Figure 2: EUS Account management with Active Directory

Active Directory Integration with Kerberos Authentication

In this scenario, Kerberos is used for DB authentication. EUS with DB Kerberos authentication does not require any changes to the database beyond standard EUS configuration. The database establishes a connection to OUD. OUD looks up the requested DB information in Active Directory. All database clients must be Kerberos-enabled to use this option. This capability is only supported with DB version 10.1 or higher.

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. EUS metadata are stored and retrieved from OUD. Access to the hashed user password is not required, so no schema extensions and no Password Change Notification dll have to be deployed on Active Directory.


Figure 3: EUS Account management with Kerberos and Active Directory

2. Centralizing Accounts into ODSEE

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Oracle Directory Server Enterprise Edition (ODSEE). EUS metadata are stored in and retrieved from OUD.

This integration does not require any changes in the database (beyond what is usually required for EUS), nor for database clients that use username/password authentication.


Figure 4: EUS Account management with DSEE

3. Centralizing Accounts into Novell eDirectory

The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Novell eDirectory. EUS metadata are retrieved from OUD.

This integration does not require any changes in the database beyond what is usually required for EUS, nor for database clients that use username/password authentication.

Using Novell eDirectory doesn’t require an Oracle password filter. You have to enable Universal Password in eDirectory, and allow the administrator to retrieve the user password. Refer to Novell's eDirectory documentation on Password Management for more information.

This configuration can only be used with DB versions 10.1 or higher due to incompatible password formats in earlier DB versions.


Figure 5: EUS Account management with DSEE

Comments:

Bonjour Sylvain,

I'm very interested in the new 11.1.2.1 "Active Directory Integration with Kerberos Authentication" option. I've discovered it in your white paper and on your blog, and the fact that it doesn't require extending the AD schema just shines (plus Kerberos doesn't require ASO on the DB side anymore).

Unfortunately, I did not find any place where this option is documented as I would need. What I've found in the 11.1.2.1 documentation still looks to be only about Password-based EUS/OUD/AD Integration.

Can you help me by pointing to the documentation or a support note? If it works, it would be our preferred production platform compared to OVD/OID.

Best Regards,

Gregory

Posted by Gregory on October 19, 2013 at 09:46 AM CEST #

Salut Gregory,

The current OUD documentation is rather scarce on that specific subject.
Basically you just need to deploy an OUD proxy with EUS enabled as described at http://docs.oracle.com/cd/E37116_01/admin.111210/e22648/eus.htm#CJAGIBFF

The proxy points to AD via an LDAP Proxy workflow element.

You also have to modify the attribute orclkrbprincipalattribute in the EUS config (cn=OracleContext) to the attribute name storing the kerberos principal on AD.

That's basically it.

I'll write a post on that specific subject with the detailed procedure when I have a chance.

-Sylvain

Posted by guest on October 25, 2013 at 01:56 PM CEST #

Hi Sylvain

Is it possible to configure the OUD proxy to pass through authentications that match a specific dn (i.e. using a network group) to AD without configuring EUS and without modifying the AD schema? We would prefer to not have to use OVD to do this.

Thanks
Richard

Posted by guest on October 29, 2013 at 07:33 AM CET #

Hi,
Yes, it is possible to pass through authentication using the PTA (Pass-through authentication) workflow element in OUD. Only binds are forwarded to the third-party directory, including AD.

Posted by sylvain duloutre on November 18, 2013 at 01:08 PM CET #
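The routing the post describes (EUS metadata kept in OUD under cn=OracleContext, user and group lookups proxied to Active Directory, a configurable Kerberos principal attribute) together with the bind-only pass-through that Sylvain mentions in the reply above, as an added Python model. This is not Oracle's code and not part of the original post or comments; every DN, entry and attribute value is constructed sample data, and the use of userPrincipalName as the principal attribute is an assumption.

```python
"""Toy model of an OUD proxy fronting Active Directory for EUS.

Added example, not Oracle code: EUS metadata under cn=OracleContext is served from
OUD's own store, user/group lookups go to AD, the Kerberos principal is resolved via
a configurable attribute, and a pass-through workflow element forwards only binds.
Every DN, entry and value below is constructed; userPrincipalName is an assumption.
"""
from __future__ import annotations

from typing import Dict, List, Optional

Entry = Dict[str, List[str]]


def dn_under(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or lies below it (case-insensitive, RDN spaces ignored)."""
    n, s = dn.lower().replace(", ", ","), suffix.lower().replace(", ", ",")
    return n == s or n.endswith("," + s)


class ActiveDirectory:
    """Stand-in for the third-party directory: owns users, groups and password checks."""

    def __init__(self, entries: Dict[str, Entry], passwords: Dict[str, str]) -> None:
        self.entries = entries
        self.passwords = passwords  # AD verifies binds itself; nothing is exported
        self.binds_seen: List[str] = []

    def search(self, base: str, attr: str, value: str) -> List[str]:
        return [dn for dn, a in self.entries.items() if dn_under(dn, base) and value in a.get(attr, [])]

    def bind(self, dn: str, password: str) -> bool:
        self.binds_seen.append(dn)
        return self.passwords.get(dn) == password


class OUDProxy:
    """Routes by DN: cn=OracleContext is answered locally, everything else is proxied to AD."""

    def __init__(self, ad: ActiveDirectory, realm_suffix: str,
                 krb_principal_attr: str = "userPrincipalName", pass_through: bool = True) -> None:
        self.ad, self.ad_suffix = ad, realm_suffix
        self.oracle_context = "cn=OracleContext," + realm_suffix
        self.krb_principal_attr = krb_principal_attr  # plays the role of orclkrbprincipalattribute
        self.pass_through = pass_through              # PTA workflow element configured?
        self.local: Dict[str, Entry] = {}             # EUS metadata, never written to AD
        self.mappings: Dict[str, str] = {}            # AD subtree -> shared DB schema (constructed)

    def route(self, dn: str) -> str:
        return "local" if dn_under(dn, self.oracle_context) else "ad"

    def add_metadata(self, dn: str, attrs: Entry) -> None:
        if self.route(dn) != "local":
            raise ValueError(f"{dn} is outside cn=OracleContext; EUS metadata stays in OUD")
        self.local[dn] = attrs

    def search(self, base: str, attr: str, value: str) -> List[str]:
        if self.route(base) == "local":
            return [dn for dn, a in self.local.items() if dn_under(dn, base) and value in a.get(attr, [])]
        return self.ad.search(base, attr, value)

    def resolve_principal(self, principal: str) -> Optional[str]:
        """Kerberos scenario: principal -> AD entry, with no password material involved."""
        hits = self.search(self.ad_suffix, self.krb_principal_attr, principal)
        return hits[0] if len(hits) == 1 else None

    def schema_for(self, user_dn: str) -> Optional[str]:
        """The user/schema mapping is EUS metadata, so OUD answers it without asking AD."""
        return next((s for sub, s in self.mappings.items() if dn_under(user_dn, sub)), None)

    def bind(self, dn: str, password: str) -> bool:
        if self.route(dn) == "local":
            return False  # this model keeps no password-bearing entries in OUD
        if not self.pass_through:
            # Without pass-through OUD would need a locally verifiable hash, which plain AD
            # never exposes; that gap is what the oidpwdcn.dll plug-in fills in the post.
            raise PermissionError("no pass-through workflow element configured")
        return self.ad.bind(dn, password)


def build_demo() -> OUDProxy:
    """Constructed content: one AD user, one AD group, one DB registration, one mapping."""
    alice = "cn=alice,ou=Users,dc=corp,dc=example"
    ad = ActiveDirectory(
        entries={alice: {"sAMAccountName": ["alice"], "userPrincipalName": ["alice@CORP.EXAMPLE"]},
                 "cn=DBAs,ou=Groups,dc=corp,dc=example": {"member": [alice]}},
        passwords={alice: "correct horse"},
    )
    proxy = OUDProxy(ad, realm_suffix="dc=corp,dc=example")
    proxy.add_metadata("cn=orcl,cn=OracleContext,dc=corp,dc=example",
                       {"objectClass": ["orclDBServer"], "cn": ["orcl"]})
    proxy.mappings["ou=Users,dc=corp,dc=example"] = "GLOBAL_USERS"
    return proxy
```

Calling `build_demo()` and then `search`, `resolve_principal`, `schema_for` and `bind` on the result shows the three properties worth checking in a real deployment: nothing under cn=OracleContext ever reaches the AD backend, the Kerberos lookup succeeds without any password material, and with `pass_through` disabled a bind against an AD user cannot be served from OUD at all, which is exactly the gap the password-based scenario closes with the oidpwdcn.dll.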

Can EUS pass-through authentication work with AD without using oidpwdcn.dll?

If it is a pass-through, why are you still syncing the passwords from AD?

Posted by guest on March 11, 2014 at 06:21 PM CET #

Mr. Sylvain,
I am trying to deploy the scenario "Active Directory Integration with Kerberos Authentication".
I have successfully installed OUD as a proxy to my Active Directory. When I connect to OUD, it is showing my AD directory. I have installed OUD proxy with EUS enabled (I’ve chosen this option during oud-proxy-setup GUI).
However, when I try DBCA, it finishes with a TNS-04409 and TNS-04405 error. The OUD access log shows an “Attribute not allowed” message (orclAci attribute is not defined by any objectclass).

Is there a way to have the orclAci on OUD? (I cannot extend my AD schema)
Am I missing something during OUD installation/configuration?

Best regards
Everton

Posted by Everton on March 12, 2014 at 01:48 PM CET #

EUS requires access to the (hashed) user password.
It is not possible to retrieve the user password from AD; that's the reason why the DLL captures user passwords and stores them in another attribute in AD so that they can be made accessible to EUS.

Posted by Sylvain Duloutre on March 17, 2014 at 04:06 PM CET #

Mr. Everton,

Indeed, the orclAci may be present in LDAP entries generated by dbca.
However, this attribute should be filtered out by OUD when EUS support is enabled, so I would suspect a configuration problem on the OUD side.

Using blog comments is not the most convenient way to discuss, so I would encourage you to go to the OUD forum and post the problem description and the OUD configuration file again.
Best Regards,
Sylvain

Posted by guest on March 17, 2014 at 04:38 PM CET #

About


I am Sylvain Duloutre, I work as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.
