Password-based Oracle Database-Microsoft Active Directory integration using Oracle Unified Directory and Microsoft Active Directory
This integration enables organizations to use Active Directory to centrally manage users and roles in multiple Oracle databases with a single directory along with other Information Technology services.
Active Directory users authenticate to the Oracle database with the credentials stored in Active Directory; the database does not keep its own copy of their passwords.
Each Active Directory user is mapped either to an exclusive Oracle Database user (schema) of their own or, through membership in an Active Directory group, to a shared schema, and is granted database roles through group membership in the same way.
Active Directory account policies such as password expiration time and lockout after a specified number of failed login attempts are honored by the Oracle Database when users log in.
This integration is called centrally managed users (CMU) with Active Directory. It is designed for organizations that prefer to use Active Directory as their centralized identity management solution. Oracle Net Naming Services continues to work with directory services as it did before.
CMU maps Microsoft Active Directory users and groups directly to Oracle database users and roles, so the CMU architecture lets Oracle Database users and roles be managed in Active Directory instead of separately in every database.
How authentication happens when Active Directory users and groups are mapped to Oracle database users and roles
Prerequisite: the Oracle database must be able to log in to Active Directory with a service account created for the database in MS-AD.
Step 1: When a user logs in to the database, the database connects to Active Directory with the service account, looks the user up, retrieves the Oracle password verifier stored for the user in Active Directory, checks the supplied password against it and then queries the user's group membership.
Step 2: The Active Directory service account has the privileges required to read the user and group information, and should have no more than that (no write or password-reset rights).
Step 3: A user mapped to an exclusive schema authenticates with their Active Directory password and is logged in as that schema.
Step 4: A user mapped to a shared schema is matched through membership in an Active Directory group that is mapped to the shared schema; global roles are granted in the same way, through groups mapped to the roles.
Configuring the Oracle Database-Microsoft Active Directory Integration
Prerequisites: Microsoft Active Directory is installed and configured, and the Active Directory users and groups have been created.
Step 1: Configure the Oracle Database connection to Active Directory.
Step 2: Configure the database and Active Directory for password authentication.
Step 3: Map database users and global roles to Active Directory users and groups with the CREATE USER, CREATE ROLE, ALTER USER and ALTER ROLE SQL statements using the IDENTIFIED GLOBALLY AS clause.
Step 4: Set up new Active Directory groups with Active Directory users as needed for the mappings.
Connecting to Microsoft Active Directory
Create the Oracle service directory user account in MS AD
Create the AD user and check its permissions: it needs read access to the user and group objects the database will query, and nothing more (write access is not required for the lookups).
Install the password filter and extend the AD schema
Use the Oracle opwdintg.exe executable on the Active Directory domain controller to install the password filter and extend the Active Directory schema. Run it with an account that is a member of Schema Admins, since it changes the forest schema. The opwdintg.exe executable installs the Oracle password filter, extends the Active Directory schema, and creates the Active Directory groups ORA_VFR_MD5, ORA_VFR_11G and ORA_VFR_12C, which control which password verifiers are generated and so allow Oracle Database password authentication with Active Directory. The schema extension adds the orclCommonAttribute attribute to user accounts; the password filter stores an Oracle password verifier there whenever a user's password is set or changed.
That is why three things follow from executing the opwdintg.exe utility: the filter must be installed on every domain controller that can process a password change, the domain controller is restarted after installation so the filter loads, and each user who will log in to the database must be added to the appropriate ORA_VFR_* group and then change (or have reset) their password once. Until that happens the user has no verifier in orclCommonAttribute and their database login fails.
Create the dsi.ora file
You must manually create the dsi.ora file to identify the Active Directory servers: DIRECTORY_SERVERS with the host and the LDAP and LDAPS ports, and DIRECTORY_SERVER_TYPE=AD.
Request the AD certificate for the secure connection
Obtain the certificate of the CA that issued the domain controller's LDAPS certificate; it is added to the wallet as a trusted certificate so the database verifies the domain controller it talks to.
Create a wallet for the secure connection
Create an auto-login wallet in $ORACLE_BASE/admin/db_unique_name/wallet using the orapki utility, add the AD certificate as a trusted certificate, and store the service account's user name, DN and password in the wallet with mkstore. Because the wallet holds the service account password, make the wallet directory and files readable only by the Oracle software owner.
Configure the AD connection
Configure the Active Directory services connection manually by using the LDAP-specific Oracle Database system parameters. Ensure dsi.ora is in the wallet location (dsi.ora is preferred over ldap.ora for this connection so that the Active Directory settings do not collide with an ldap.ora used by Oracle Net naming), then connect to the database as an administrator with sqlplus user@TNS_service_name and set the parameters:
Set the LDAP_DIRECTORY_ACCESS parameter, which determines the type of LDAP directory access, to PASSWORD: the database binds to Active Directory with the service account credentials stored in the wallet.
Set the LDAP_DIRECTORY_SYSAUTH parameter to YES, so that administrative users from Active Directory can log in to Oracle Database with the SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM, or SYSRAC administrative privilege. This parameter is not dynamic; the change takes effect after the instance is restarted.
Verify the Oracle wallet
Log in to the database server and check that the wallet location contains cwallet.sso, ewallet.p12 and dsi.ora, and that they are readable only by the Oracle software owner.
Test the integration
Set ORACLE_HOME, ORACLE_SID, PATH, and ORACLE_BASE, then connect to the database as an Active Directory user with sqlplus user@TNS_servicename, supplying the user's Active Directory password.
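The database-side steps above (dsi.ora, wallet, service-account credentials, LDAP parameters and the file check) as one script. This is an added example, not part of the original post and not an Oracle-supplied tool. It assumes the values shown at the top (db_unique_name orclcdb, domain controller dc1.example.com, service account oracle_svc, CA certificate /tmp/ad_ca.cer) and, for the optional lookup check, the OpenLDAP ldapsearch client on the database host. Nothing executes until the script is run with the apply argument; each function can also be used on its own.

```shell
#!/bin/sh
# Added example (not from the original post, not an Oracle-supplied script):
# database-side setup of CMU password authentication with Active Directory.
# Assumed values, replace for your site: db_unique_name orclcdb, domain
# controller dc1.example.com, service account oracle_svc, AD CA cert /tmp/ad_ca.cer.
ORACLE_BASE=${ORACLE_BASE:-/u01/app/oracle}
DB_UNIQUE_NAME=${DB_UNIQUE_NAME:-orclcdb}
WALLET=${WALLET:-$ORACLE_BASE/admin/$DB_UNIQUE_NAME/wallet}
AD_HOST=${AD_HOST:-dc1.example.com}
AD_BASE_DN=${AD_BASE_DN:-DC=example,DC=com}
AD_CA_CERT=${AD_CA_CERT:-/tmp/ad_ca.cer}
SVC_USER=${SVC_USER:-oracle_svc}
SVC_DN=${SVC_DN:-"CN=oracle_svc,OU=Service Accounts,$AD_BASE_DN"}

# dsi.ora names the domain controller as host:ldap_port:ldaps_port. The
# lookups go over LDAPS (636), so neither the service-account password nor
# the users' password verifiers cross the network in clear.
render_dsi_ora() {  # $1 = domain controller, $2 = LDAP port, $3 = LDAPS port
  printf 'DIRECTORY_SERVERS=(%s:%s:%s)\n' "$1" "${2:-389}" "${3:-636}"
  printf 'DIRECTORY_SERVER_TYPE=AD\n'
}
write_dsi_ora() {  # $1 = wallet dir, $2 = domain controller
  mkdir -p "$1" && chmod 700 "$1"
  render_dsi_ora "$2" > "$1/dsi.ora" && chmod 600 "$1/dsi.ora"
}

# Auto-login wallet (cwallet.sso) so the instance opens it without a password;
# the AD CA certificate goes in as a trusted cert so the LDAPS handshake to the
# domain controller is actually verified. orapki prompts for the wallet
# password when -pwd is omitted, which keeps it out of `ps` and shell history.
create_wallet() {  # $1 = wallet dir, $2 = CA certificate file
  orapki wallet create -wallet "$1" -auto_login
  orapki wallet add -wallet "$1" -trusted_cert -cert "$2"
  chmod 600 "$1/cwallet.sso" "$1/ewallet.p12"
}
# The database binds to AD with these three entries. The secret is left off the
# command line on purpose; mkstore prompts for a missing secret value.
store_ad_credentials() {  # $1 = wallet dir
  mkstore -wrl "$1" -createEntry ORACLE.SECURITY.USERNAME "$SVC_USER"
  mkstore -wrl "$1" -createEntry ORACLE.SECURITY.DN "$SVC_DN"
  mkstore -wrl "$1" -createEntry ORACLE.SECURITY.PASSWORD
}

# LDAP_DIRECTORY_ACCESS=PASSWORD makes the instance bind to AD with the wallet
# credentials. LDAP_DIRECTORY_SYSAUTH is not dynamic, so it goes to the spfile
# and takes effect after the next restart.
render_cmu_params_sql() {
  cat <<'EOF'
ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS='PASSWORD' SCOPE=BOTH;
ALTER SYSTEM SET LDAP_DIRECTORY_SYSAUTH='YES' SCOPE=SPFILE;
SELECT name, value FROM v$parameter WHERE name LIKE 'ldap_directory%';
EOF
}
apply_cmu_params() { render_cmu_params_sql | sqlplus -s / as sysdba; }

# The post's "verify wallet" step: all three files present in the wallet dir.
check_cmu_files() {  # $1 = wallet dir; returns 1 and lists what is missing
  rc=0
  for f in cwallet.sso ewallet.p12 dsi.ora; do
    [ -f "$1/$f" ] || { echo "missing: $1/$f" >&2; rc=1; }
  done
  return $rc
}

# Optional end-to-end check with the OpenLDAP client (assumed installed): bind
# as the service account over LDAPS and read one user's orclCommonAttribute and
# memberOf. An empty orclCommonAttribute means the password filter has not yet
# produced a verifier for that user (password not changed since the install).
check_ad_lookup() {  # $1 = sAMAccountName to look up; prompts for the AD password
  LDAPTLS_CACERT="$AD_CA_CERT" ldapsearch -LLL -H "ldaps://$AD_HOST:636" \
    -D "$SVC_DN" -W -b "$AD_BASE_DN" "(sAMAccountName=$1)" \
    orclCommonAttribute memberOf
}

main() {
  write_dsi_ora "$WALLET" "$AD_HOST"
  create_wallet "$WALLET" "$AD_CA_CERT"
  store_ad_credentials "$WALLET"
  check_cmu_files "$WALLET" && apply_cmu_params
}
# Nothing runs until explicitly asked: sh cmu_setup.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as the Oracle software owner with ORACLE_HOME, ORACLE_SID and PATH set so that orapki, mkstore and sqlplus resolve. After apply_cmu_params, restart the instance for LDAP_DIRECTORY_SYSAUTH to take effect, then run check_ad_lookup on a test user: a result with memberOf but an empty orclCommonAttribute confirms the service account can read what it needs but the user still has to change their password before they can log in to the database.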
Configuration of CMU and AD users
Mapping a directory group to a shared database global user
Most users of the database will be mapped to a shared global database user (schema) through membership in a directory group.
eg:
AD group (Country + Application + RO/RW) | Mapped Oracle role | Privileges | Shared global database user |
ADM-VUT_PRD_UBS_DB | FCUBS_RW | select, update, delete | READONLYUSR |
ADM-VUT_PRD_UBS_RO_DB | FCUBS_RO | select | FCUBS, OBDX, AB, IEXTN |
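The mapping statements for the groups in the table, together with the queries used to check them afterwards, as an added example script that is not part of the original post and not Oracle code. The group DNs (under OU=Groups,DC=example,DC=com), the APPUSR_RW shared schema for the read/write group, the fcubs.accounts table used in the grants and the JSMITH exclusive user are assumptions; the example maps the read-only group to the READONLYUSR shared schema. Nothing is applied until the script is run with the apply argument.

```shell
#!/bin/sh
# Added example (not from the original post, not Oracle code): generate and
# apply the CMU mapping SQL for the groups in the table above. Group DNs, the
# APPUSR_RW schema, the fcubs.accounts table and the JSMITH user are assumed.
AD_GROUP_BASE=${AD_GROUP_BASE:-OU=Groups,DC=example,DC=com}
RW_GROUP_DN="CN=ADM-VUT_PRD_UBS_DB,$AD_GROUP_BASE"
RO_GROUP_DN="CN=ADM-VUT_PRD_UBS_RO_DB,$AD_GROUP_BASE"

# The DN lands inside a SQL string literal, so a quote in it (CN=O'Brien) must
# be doubled or the statement breaks.
sql_escape() { printf '%s' "$1" | sed "s/'/''/g"; }

# Same statement for both kinds of mapping: an AD user's DN gives an exclusive
# schema for that one user, an AD group's DN gives a shared schema for members.
global_user_sql() {  # $1 = database user, $2 = AD user or group DN
  printf "CREATE USER %s IDENTIFIED GLOBALLY AS '%s';\n" "$1" "$(sql_escape "$2")"
}
global_role_sql() {  # $1 = global role, $2 = AD group DN
  printf "CREATE ROLE %s IDENTIFIED GLOBALLY AS '%s';\n" "$1" "$(sql_escape "$2")"
}

render_mapping_sql() {
  cat <<EOF
-- shared schemas: every member of the group logs in as this database user
$(global_user_sql READONLYUSR "$RO_GROUP_DN")
$(global_user_sql APPUSR_RW "$RW_GROUP_DN")
GRANT CREATE SESSION TO READONLYUSR, APPUSR_RW;
-- global roles: granted at login from group membership; they cannot be
-- granted to a user with GRANT, so the privileges are granted to the role
$(global_role_sql FCUBS_RO "$RO_GROUP_DN")
$(global_role_sql FCUBS_RW "$RW_GROUP_DN")
GRANT SELECT ON fcubs.accounts TO FCUBS_RO;
GRANT SELECT, UPDATE, DELETE ON fcubs.accounts TO FCUBS_RW;
-- exclusive schema: one AD user, mapped by that user's own DN
$(global_user_sql JSMITH "CN=John Smith,OU=Users,DC=example,DC=com")
GRANT CREATE SESSION TO JSMITH;
EOF
}

# What to check after applying: the mappings as the database sees them, and
# (from a session opened as an AD user) who Oracle thinks that session is.
render_verify_sql() {
  cat <<'EOF'
SELECT username, external_name FROM dba_users WHERE authentication_type = 'GLOBAL';
SELECT role, external_name FROM dba_roles WHERE external_name IS NOT NULL;
-- run as the AD user: the schema is the shared/exclusive user, ad_dn the
-- AD user's DN, ad_login the AD account name
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS db_schema,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')    AS ad_dn,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS ad_login,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS method
  FROM dual;
EOF
}

apply_mappings() { render_mapping_sql | sqlplus -s / as sysdba; }
# Nothing runs until asked: sh cmu_mappings.sh apply
if [ "${1:-}" = "apply" ]; then apply_mappings; fi
```

Keep each AD user in only one group that is mapped to a shared schema, so the schema they land in is unambiguous; role groups can overlap freely, since a user simply receives every global role whose group they belong to. Both the shared schema and the exclusive user need CREATE SESSION, but no password, which is the point: there is nothing in the database for an attacker to crack or for an administrator to rotate.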