18 May

Integrating OUD and EUS


This blog post introduces Oracle Unified Directory (OUD), Enterprise User Security (EUS), and their integration. An index of all future posts on OUD and EUS integration will be available here.

What is EUS?

  • Oracle’s EUS lets you manage database users across the enterprise from a central location.
  • Users connect to the Oracle Database with credentials stored in the OUD; the database performs LDAP search operations to look up the user's authentication and authorization information.

Benefits of EUS:

  • Improved Productivity
    • Frees users from having to remember multiple database login names and passwords, and saves the time spent on password reset requests.
    • Saves database administrators’ time: DBAs no longer need to manage the same user many times (i.e., once per database).
  • Audit & Compliance
    • Eliminates the need to examine each database individually to find out who holds which privileges.
  • Security
    • Makes it easy to verify that a user's access to all databases has been disabled, and to ensure compliance with password policy requirements.
    • With EUS, a user's access can be disabled or removed with a single click or action.

High-level steps for EUS & OUD integration:

We can categorize this process into three steps:

  1. Preparing the OUD
  2. Preparing the database
  3. Associating enterprise identities with the database

Preparing the OUD:

Scenarios:

  1. User identities stored in the OUD
  2. User identities stored in an external, LDAP-compliant directory service with the OUD used as a proxy server

In a series of posts, I will cover detailed steps of both the above-mentioned integration scenarios. Please click the links below for respective blog posts:

Scenario 1: User identities stored in the OUD
Scenario 2: Using the OUD as a proxy server

Preparing the database:

Database preparation involves configuring and registering the OUD with the database. This can be done either through a GUI or with a command-line tool.

For the GUI method, click here.

Associating OUD identities with the database:

After preparing the OUD and the database for EUS, users from the directory can authenticate to the database. However, they must first be associated with a schema in the database. This can be done with Database Control or with the command-line tool EUSM.

For Database Control or the EUSM tool and various scenarios, refer to this link.

Troubleshooting

Commonly seen errors during EUS integration are discussed here.

Need help?

Do you have an EUS OUD integration project? Or, are you migrating from OID to OUD?

If you need consulting help, please reach us at [email protected]

15 May

Using LdapSearch and LDAPModify with OID

Oracle Internet Directory (OID) LdapSearch and LdapModify examples:

To use the ldap utilities that come with OID, set ORACLE_HOME to the OID installation directory. For example,

export ORACLE_HOME=/opt/app/middleware/Oracle_IDM1

Various options commonly used:

-h hostname of the OID server
-p OID LDAP port
-D Bind DN. You can use the default admin account, cn=orcladmin, or any other account with the required privileges
-w Password for the Bind DN. Alternatively, use -q to be prompted for the password instead of placing it on the command line.

#Eg 1:

All entries on host ldap.ziontech.net using port 3060, and return all attributes and values

$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" "objectClass=*"

#Eg 2:
Same as Eg 1 (all entries on host ldap.ziontech.net using port 3060), but with -A to return only attribute names, not values

$ORACLE_HOME/bin/ldapsearch -A -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" "objectClass=*"

#Eg 3:
All entries on host ldap.ziontech.net using port 3060, return all attributes, and de-reference any aliases found

$ORACLE_HOME/bin/ldapsearch -a always -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" "objectClass=*"

#Eg 4:
All entries on host ldap.ziontech.net using port 3060 under base dc=ziontech,dc=net, and return all attributes and values. Same as Eg 1, but under specified base using -b

$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "dc=ziontech,dc=net" "objectClass=*"

#Eg 5:

Same as Eg 4, except return only the specified attributes mail, cn, sn, givenname

$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "dc=ziontech,dc=net" "objectClass=*" mail cn sn givenname

#Eg 6:
Same as Eg 4, but using option -s to limit the scope to base or one. The default scope is sub.

$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" "objectClass=*" -b "dc=ziontech,dc=net"
$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "dc=ziontech,dc=net" -s sub "objectClass=*"
$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "dc=ziontech,dc=net" -s base "objectClass=*"
$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "dc=ziontech,dc=net" -s one "objectClass=*"

#Eg 7:
Same as Eg 5, but limit the base to "cn=users,dc=ziontech,dc=net"

$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "cn=users,dc=ziontech,dc=net" "objectClass=*" mail cn sn givenname

#Eg 8:
Add a user using ldapmodify

$ORACLE_HOME/bin/ldapmodify -c -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -f user.ldif

#Contents of user.ldif
dn: cn=testuser,cn=Users, dc=ziontech,dc=net
changetype: add
uid: testuser
mail: testuser
givenName: testuser
cn: testuser
sn: testuser
userPassword: Password1
description: Test User
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: orcluser
objectClass: orcluserV2

#Eg 9:
Add several users at once using ldapmodify (one LDIF file, entries separated by a blank line)

$ORACLE_HOME/bin/ldapmodify -c -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -f users.ldif

#Contents of users.ldif
dn: cn=testuser1,cn=Users, dc=ziontech,dc=net
changetype: add
uid: testuser1
mail: testuser1
givenName: testuser1
cn: testuser1
sn: testuser1
userPassword: Welcome123
description: testuser1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: orcluser
objectClass: orcluserV2

dn: cn=testuser2,cn=Users, dc=ziontech,dc=net
changetype: add
uid: testuser2
mail: testuser2
givenName: testuser2
cn: testuser2
sn: testuser2
userPassword: Welcome123
description: testuser2
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: orcluser
objectClass: orcluserV2

dn: cn=testuser3,cn=Users, dc=ziontech,dc=net
changetype: add
uid: testuser3
mail: testuser3
givenName: testuser3
cn: testuser3
sn: testuser3
userPassword: Welcome123
description: testuser3
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: orcluser
objectClass: orcluserV2
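The users.ldif above is hand-written for three accounts. The following script, an added example that is not part of the original post, generates the same kind of multi-entry LDIF for any number of users from a simple colon-separated list, using the attribute and objectClass layout of the entries above. The user list, the mail addresses and the BASE_DN default are constructed for this example; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate a multi-entry LDIF for
# bulk user creation in OID from a colon-separated user list, using the same
# attribute and objectClass layout as users.ldif above. The user list, mail
# addresses and BASE_DN default are constructed for this example.

BASE_DN="${BASE_DN:-dc=ziontech,dc=net}"
USERS_CONTAINER="cn=Users,${BASE_DN}"

# Emit one "changetype: add" entry.
# Arguments: uid, given name, surname, mail address, initial password.
gen_user_entry() {
    uid=$1 given=$2 sn=$3 mail=$4 pw=$5
    printf 'dn: cn=%s,%s\n' "$uid" "$USERS_CONTAINER"
    printf 'changetype: add\n'
    printf 'uid: %s\n' "$uid"
    printf 'mail: %s\n' "$mail"
    printf 'givenName: %s\n' "$given"
    printf 'cn: %s\n' "$uid"
    printf 'sn: %s\n' "$sn"
    printf 'userPassword: %s\n' "$pw"
    printf 'description: %s %s\n' "$given" "$sn"
    printf 'objectClass: top\n'
    printf 'objectClass: person\n'
    printf 'objectClass: organizationalPerson\n'
    printf 'objectClass: inetorgperson\n'
    printf 'objectClass: orcluser\n'
    printf 'objectClass: orcluserV2\n'
    printf '\n'    # a blank line separates entries in a multi-entry LDIF
}

# Read "uid:givenName:sn:mail:password" records from stdin and write a complete
# LDIF to stdout. Blank lines and lines starting with # are skipped.
gen_users_ldif() {
    while IFS=: read -r uid given sn mail pw; do
        case $uid in
            '' | \#*) continue ;;
        esac
        gen_user_entry "$uid" "$given" "$sn" "$mail" "$pw"
    done
}

# Count the entries in an LDIF file (one "dn:" line per entry). Useful as a
# sanity check before running ldapmodify -c, which continues past errors.
count_ldif_entries() {
    grep -c '^dn: ' "$1"
}

# Constructed sample input; these are not real accounts.
SAMPLE_USERS='testuser1:Test:UserOne:testuser1@ziontech.net:Welcome123
testuser2:Test:UserTwo:testuser2@ziontech.net:Welcome123
# testuser3:Test:UserThree:testuser3@ziontech.net:Welcome123  (commented out, so skipped)
'

# Usage (writes users.ldif in the current directory, then loads it):
#   printf '%s' "$SAMPLE_USERS" | gen_users_ldif > users.ldif
#   count_ldif_entries users.ldif
#   $ORACLE_HOME/bin/ldapmodify -c -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -q -f users.ldif
```

Because ldapmodify -c keeps going after a failed entry, comparing count_ldif_entries against the number of entries actually created (for example with the search of Eg 10) tells you whether any entry in the batch was rejected.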

#Eg 10
Search for users added above.

$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "cn=users,dc=ziontech,dc=net" "objectClass=*" cn

#Eg 11
Remove a user

$ORACLE_HOME/bin/ldapmodify -c -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -f removeUser.ldif

# Contents of removeUser.ldif
dn: cn=testuser,cn=Users, dc=ziontech,dc=net
changetype: delete

#Eg 12
Disable a user in OID

$ORACLE_HOME/bin/ldapmodify -c -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -f disableUser.ldif

# Contents of disableUser.ldif
dn: cn=testuser3,cn=Users,dc=ziontech,dc=net
changetype: modify
replace: orclisenabled
orclisenabled: DISABLED

Enable the user again

$ORACLE_HOME/bin/ldapmodify -c -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -f enableUser.ldif

# Contents of enableUser.ldif
dn: cn=testuser3,cn=Users,dc=ziontech,dc=net
changetype: modify
replace: orclisenabled
orclisenabled: ENABLED

#Eg 13
Add a group

$ORACLE_HOME/bin/ldapmodify -c -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -f addGroup.ldif

# Contents of addGroup.ldif
dn: cn=testGroup,cn=groups,dc=ziontech,dc=net
changetype: add
cn: testGroup
objectclass: top
objectclass: orclGroup
objectclass: groupOfUniqueNames
owner: cn=orcladmin
displayname: testGroup
description: Group for testing
orclisvisible: true

#Eg 14
Add a member to a group

$ORACLE_HOME/bin/ldapmodify -c -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -f addmemGroup.ldif

# Contents of addmemGroup.ldif
dn: cn=testGroup,cn=groups,dc=ziontech,dc=net
changetype: modify
add: uniquemember
uniquemember: cn=testuser1,cn=Users, dc=ziontech,dc=net
uniquemember: cn=testuser2,cn=Users, dc=ziontech,dc=net

#Eg 15
Search for all groups and their members in OID

$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "cn=groups,dc=ziontech,dc=net" "objectClass=*"

#Eg 16
Search under the base and return cn and mail for all entries whose cn matches the pattern testuser*

$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "cn=users,dc=ziontech,dc=net" "(cn=testuser*)" cn mail

#Eg 17
Do a subtree search under the base DN for any entry of object class Person that also has at least one of the attributes in the OR filter matching testuser*. Only the DN (always returned) and cn are returned.

$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "dc=ziontech,dc=net" "(&(objectclass=Person)(|(cn=testuser*)(givenname=testuser*)(sn=testuser*)(mail=testuser*)))" cn
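Filters like the one in Eg 17 are usually assembled from a search term supplied by someone else (a help-desk form, a script argument). The script below, an added example that is not part of the original post, builds the same compound filter from variables and escapes the term as RFC 4515 requires, so that a term containing "(", ")", "*" or "\" is matched literally rather than changing the structure of the filter. The function names and the sample terms are this example's own; it assumes the -q prompt option described in the options list above.

```shell
#!/bin/sh
# Added example (not from the original post): build the compound filter of
# Eg 17 from variables, escaping the search term per RFC 4515 so that "(", ")",
# "*" and "\" in the term are matched literally. Function names and sample
# terms are this example's own.

# Escape one assertion value for use inside an LDAP search filter
# (RFC 4515, section 3). Backslash is handled first so that the escapes
# produced for the other characters are not escaped a second time.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# "(attr=term*)": the wildcard is appended after escaping, so it is the only
# wildcard the clause can contain.
prefix_clause() {
    printf '(%s=%s*)' "$1" "$(ldap_filter_escape "$2")"
}

# Person entries whose cn, givenname, sn or mail starts with the term.
# For the term "testuser" this reproduces the filter of Eg 17 exactly.
build_person_filter() {
    term=$1
    printf '(&(objectclass=Person)(|%s%s%s%s))' \
        "$(prefix_clause cn "$term")" \
        "$(prefix_clause givenname "$term")" \
        "$(prefix_clause sn "$term")" \
        "$(prefix_clause mail "$term")"
}

# Run the search against OID with the built filter. Uses -q so the bind
# password is prompted for instead of being placed on the command line.
# Arguments: host, port, bind DN, base DN, search term.
search_persons() {
    "$ORACLE_HOME/bin/ldapsearch" -h "$1" -p "$2" -D "$3" -q \
        -b "$4" -s sub "$(build_person_filter "$5")" cn
}

# Usage:
#   search_persons ldap.ziontech.net 3060 "cn=orcladmin" "dc=ziontech,dc=net" testuser
```

With escaping in place, a term such as `a*)(uid=*` is sent as `a\2a\29\28uid=\2a` and can only match an entry whose attribute literally starts with those characters; the only wildcard in each clause is the one prefix_clause appends.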

#Eg 18
Search the group testGroup to find all its members

$ORACLE_HOME/bin/ldapsearch -h ldap.ziontech.net -p 3060 -D "cn=orcladmin" -w "password" -b "cn=testGroup,cn=Groups,dc=ziontech,dc=net" -s sub "(objectclass=*)" uniquemember