Here are some of the issues commonly seen when integrating a database with Directory Services:
Create an ldap.ora in $ORACLE_HOME/network/admin that points to your directory services instance. The file may be created using the Network Configuration Assistant (netca) or any text editor. Below is an example of the content of the file.
DIRECTORY_SERVERS= (oud.ziontech.net:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=ziontech,dc=net"
DIRECTORY_SERVER_TYPE = OID
I will keep updating this post with any new issues that I encounter.
EUS can be enabled for an OUD proxy server during installation, or it can be configured later if a proxy instance already exists. In this post, I will cover the steps to create a new OUD proxy instance for EUS using the GUI, with Active Directory as the backend.
Change to the OUD_install_dir directory. For example:
cd /opt/app/mw/Oracle_OUD/
Ensure the JAVA_HOME environment variable is set to a supported JVM.
export JAVA_HOME=/opt/app/jdk
Set the INSTANCE_NAME environment variable.
export INSTANCE_NAME=oud-proxy
Run the oud-proxy-setup command to configure the proxy server installation.
./oud-proxy-setup
The utility launches the graphical installer.
Screenshots for reference:
Then, import the content of the files by running the following command:
$OUD_INSTANCE_ROOT/OUD/bin/import-ldif -n oraclecontext -l eusData.ldif -F --hostname localhost --port 4444 --bindDN "cn=directory manager" --bindPasswordFile /tmp/password.txt
This completes preparing the OUD proxy for EUS. The next steps are to prepare the database and create user mappings.
After preparing the OUD and the database for EUS, users from the directory can be authenticated to the database. However, they have to be associated with a schema in the database.
Directory identities are mapped to database schemas. The database schema can be dedicated or a shared schema. Directory groups are mapped to database roles.
CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
GRANT CONNECT TO global_ident_schema_user;
To map a directory user directly to a database schema, the first step is to get the complete DN of this particular user from the OUD.
A complete DN looks like this:
uid=nasir,ou=people,dc=ziontech,dc=net
Now, on the database, run the following statement to create a user called ldap_nasir locally in the database. This user will be authenticated using OID credentials.
create user ldap_nasir identified globally as 'uid=nasir,ou=people,dc=ziontech,dc=net';
We can also alter an existing user in the database so that the user will now use OUD credentials to log in.
alter user existing_user identified globally as 'uid=nasir,ou=people,dc=ziontech,dc=net';
Mapping roles
CREATE ROLE hr_access IDENTIFIED GLOBALLY;
GRANT SELECT ON hr.employees TO hr_access;
To create the enterprise role, hr_access:
Note: You will be required to log in to the database before you can select the global role.
The enterprise user, Nasir, can now access the hr.employees table in the database.
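As an added example (not part of the original post), the SQL below collects the three mapping forms described above in one script and adds the dictionary queries a DBA can use to confirm them. The schema, role and DN values are the post's own examples; the PASSWORD_REQUIRED column on DBA_ROLES is the 11g form used on this page.

```sql
-- Added example, not from the original post. Run as a DBA on a database that
-- has already been registered with OUD for EUS (see the database-preparation
-- steps). Object names and the DN are the post's own sample values.

-- 1. Exclusive mapping: one directory user -> one private schema. The DN must
--    match the user's entry in OUD. No password is stored in the database.
CREATE USER ldap_nasir IDENTIFIED GLOBALLY AS 'uid=nasir,ou=people,dc=ziontech,dc=net';
GRANT CONNECT TO ldap_nasir;

-- 2. Shared schema: no DN in the clause. Which directory users or subtree map
--    here is defined on the directory side (Database Control or EUSM), not in SQL.
CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
GRANT CONNECT TO global_ident_schema_user;

-- 3. Global role: privileges live in the database, membership is decided by the
--    enterprise role in the directory. A global role cannot be granted to a user
--    directly with GRANT; only the directory mapping can enable it.
CREATE ROLE hr_access IDENTIFIED GLOBALLY;
GRANT SELECT ON hr.employees TO hr_access;

-- Check 1: global accounts. EXTERNAL_NAME holds the DN for exclusive mappings
-- and is NULL for shared schemas.
SELECT username, authentication_type, external_name
  FROM dba_users
 WHERE authentication_type = 'GLOBAL';

-- Check 2: global roles. 11g shows PASSWORD_REQUIRED = 'GLOBAL'; 12c and later
-- also expose AUTHENTICATION_TYPE on DBA_ROLES.
SELECT role, password_required
  FROM dba_roles
 WHERE password_required = 'GLOBAL';

-- Check 3: run as the enterprise user after logging in. A session mapped through
-- EUS with a directory password reports AUTHENTICATION_METHOD = 'PASSWORD_GLOBAL',
-- ENTERPRISE_IDENTITY = the directory DN, and SESSION_USER = the mapped schema.
SELECT sys_context('USERENV', 'SESSION_USER')          AS schema_name,
       sys_context('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       sys_context('USERENV', 'ENTERPRISE_IDENTITY')   AS directory_dn
  FROM dual;

-- Check 4: HR_ACCESS should appear here only if the directory granted the
-- enterprise role to this user; an empty result means the role mapping is missing.
SELECT role FROM session_roles;
```

Checks 3 and 4 are the quickest way to tell a local-password login from an EUS login when troubleshooting a mapping that appears not to work.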
After preparing Oracle Unified Directory (OUD), the database itself must be prepared for Enterprise User Security (EUS). Preparing a database involves configuring the database, registering the database, and mapping the user(s) or group(s) to a schema.
Similar to OUD, there is more than one way to achieve this. We will use the GUI.
Set the required environment variables for the database. For example:
export ORACLE_BASE=/opt/app/db/
export ORACLE_SID=dbdev
export ORACLE_HOME=/opt/app/db/11.2.0
Run the Net Configuration Assistant (netca) tool to configure OUD for the database.
On the database machine, run:
$ORACLE_HOME/bin/netca
Screenshots for reference:
NetCA creates an ldap.ora file in the $ORACLE_HOME/network/admin directory, which stores the connection details for the directory.
The Database Configuration Assistant (DBCA) tool enables you to register the database with OUD.
To register the database with the directory: Start DBCA using the dbca command.
$ORACLE_HOME/bin/dbca
Screenshots for reference:
Once the database is prepared, we need to associate enterprise users with the database. Please refer to this post to learn about the various user/group mappings available.
To integrate the Oracle Unified Directory (OUD) with Enterprise User Security (EUS), the following has to be performed:
EUS can be configured for an OUD server using one of the following options:
This post outlines steps for enabling EUS during instance creation.
cd OUD-base-location
Ensure that your JAVA_HOME environment variable is set.
Screenshots for reference:
After the OUD has been enabled for EUS, the realm information must be updated in the OUD configuration by performing the following steps:
Locate the LDIF template file at install_dir/config/EUS/modifyRealm.ldif
ldapmodify -h oud.ziontech.net -p 1636 -D "cn=Directory Manager" -Z -v -f /opt/app/middleware/Oracle_OUD1/config/EUS/modifyRealm.ldif
With this, we have an OUD instance ready for EUS. The next steps are to prepare the database and create user mappings.
This blog post provides an introduction to Oracle Unified Directory (OUD), Enterprise User Security (EUS), and their integration. An index of all future posts on OUD and EUS integration will be available here.
We can categorize this process into three steps:
Scenarios:
In a series of posts, I will cover detailed steps of both the above-mentioned integration scenarios. Please click the links below for respective blog posts:
Scenario 1: User identities stored in the OUD
Scenario 2: Using the OUD as a proxy server
Database preparation involves configuring and registering the OUD with the database. It can be achieved by using a GUI method or a command line tool.
For the GUI method, click here.
After preparing the OUD and the database for EUS, users from the directory can be authenticated to the database. However, they have to be associated with a schema in the database. This can be achieved by using Database Control or a command line tool called EUSM.
For Database Control or the EUSM tool and various scenarios, refer to this link.
Commonly seen errors during EUS integration are discussed here.
Do you have an EUS OUD integration project? Or, are you migrating from OID to OUD?
If you need consulting help, please reach us at support@ziontech.com.