How-To Document

How to set up Enterprise User Security with Oracle Virtual Directory and Oracle Directory Server Enterprise Edition

Update: 10-May-2011

Introduction

Enterprise User Security simplifies user management by enabling database user accounts to be centrally managed in an LDAP directory. From a user's standpoint, managing passwords in multiple databases is confusing and from an administrator's perspective, managing user authorizations in multiple databases is an error prone and costly management task.

Enterprises which have already deployed Oracle Directory Server Enterprise Edition (ODSSE), formerly known as SUN Directory Server Enterprise Edition, can leverage their existing directory infrastruction by introducing Oracle Virtual Directory to solve the database management burden.

Pre-Requisites:

Install Oracle Virtual Directory (OVD) 11.1.1.2.0 OVD is part of the Identity management Software included in Oracle FMW 11g R1 (11.1.1.2.0)
Install Oracle Database 11g
Oracle Directory Server EE 6, or later is already installed

Tasks overview:

General steps to prepare Oracle Virtual Directory for the Enterprise User Security Integration
Prepare Oracle Directory Server EE
Configure Oracle Virtual Directory for the Integration
Prepare the Database
1. Configure the Database to use an LDAP directory
2. Register the Database with Oracle Directory Server
Example Enterprise User Security Use Cases
1. Configure Enterprise Users: Map all users to a global database schema
Troubleshooting Tips

Note: To watch the viewlets your browser needs to be configure with the Adobe Flash Player.

Feel free to send comments.

1. General steps to prepare Oracle Virtual Directory for the Enterprise User Security Integration

1.1 Create a backup copy of the ORACLE_HOME/ovd/eus/ directory. All the configuration files required for the Enterprise User Security integration are in the eus directory. Making a backup copy of the eus directory allows you to edit the template-like files in the original eus directory based on your environment, and still keep copies of the original files.

1.2 At this point you've already installed OVD and a listener creation has been part of the installation. If for any reason no listener exist, create an LDAP listener that is secured with SSL No Authentication Mode by referring to "Creating and Managing Oracle Virtual Directory Listeners."

1.3 Create and add the subschemasubentry and Dynamic Groups plug-ins as global server plug-ins. Refer to "Managing Global Server Plug-ins" for steps on creating server plug-ins.

Step 1.2. and 1.3 require access to Oracle Directory Services Manager (ODSM). You can access ODSM via e.g.

http://ostullic-rh4.us.oracle.com:7005/odsm

Note: Watch the viewlet how to create the two global server plug-ins.

2. Prepare Oracle Directory Server EE

Assumption: NamingContext dc=us,dc=oracle,dc=com has already been created in Oracle Directory Server EE.

Note: Steps 2.1 - 2.3 will be executed on the system where OVD is installed.

2.1 Install required schema extensions in Oracle Directory Server EE

Navigate to ORACLE_HOME/ovd/eus

Extend the iPlanet LDAP attribute and objectclass using the following command:

ORACLE_HOME/bin/ldapmodify -h odsee_Host_Name -p odsee_Port \
-D cn="directory manager" -c -q -v -a -f ./iPlanetSchema.ldif

Note: during the schema load you'll see some error messages related to schema objects already exist. You can ignore them hence using ldapmodify with the "-c" option.

2.2 Create a realm in ODSEE by performing the following steps:

In the OVD Open the realmiPlanet.ldif file and replace all instances of the dc=us,dc=oracle,dc=com string with the name of your domain.

Run the following command to create a realm in ODSEE using the realmiPlanet.ldif file:

ORACLE_HOME/bin/ldapmodify -h odsee_Host_Name -p odsee_Port \
-D cn="directory manager" -q -v -a -f ./realmiPlanet.ldif

This will create the following OracleContext container:

2.3 Configure the user and group containers by creating new user and group containers.

If you want to use an existing user and group container see the OVD Administrator's Guide for details.

The default location for user and groups:

Note: Watch the viewlet how to prepare the Oracle Directory Server EE.

3. Configure Oracle Virtual Directory for the Integration

3.1 Start the Oracle Virtual Directory server

3.1.1. Login to FMW control the default URL: http://yourserver.domain:7001/em. You can find the URL at the end of the installation log file in the directory oraInventory/logs directory.

3.1.2 Start OVD (if not already started)

3.2 Create three new Local Store Adapters

3.2.1 Create three new Local Store Adapters using the following settings. Refer to "Creating Local Store Adapters" for information on creating Local Store Adapters.

Use the Local_Storage_Adapter template for each adapter

The Adapter Suffix for one of the Local Store Adapters must be cn=OracleContext; the Adapter Suffix for another of the Local Store Adapters must be cn=OracleSchemaVersion; and the Adapter Suffix for the other the Local Store Adapters must be dc=com, unless your ODSEE domain is something like dc=example,dc=net, in which case the Adapter Suffix must be dc=net.

The Database File and Backup File fields for each of the adapters must be unique.

Note: Watch the viewlet how to configure the Local Store adapters.

3.3 Update and load the entries into the Local Store Adapters

Note: For the changes in step 3.3.1 and 3.3.3 navigate to the following directory on the OVD host: ORACLE_HOME/ovd/eus/

3.3.1. Extend the Oracle Virtual Directory schema with the loadOVD.ldif file using the following command. The loadOVD.ldif file contains entries for Oracle Context and schemaversion that Enterprise User Security queries.

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -OVD_Port -D bindDN -q -v -a -f loadOVD.ldif

3.3.2. Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname, and memberurl attributes in the file. If you have a DN mapping between Oracle Directory Server EE and Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory.

3.3.3. Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -OVD_Port -D bindDN -q -v -a -f realmRoot.ldif

3.4 Create a LDAP Adapter for Enterprise User Security

Create an LDAP Adapter for Enterprise User Security using the following settings and by entering the ODSEE host information, including the appropriate Remote Base and Mapped Namespace. Refer to "Creating LDAP Adapters" for information on creating LDAP Adapters.

Use the EUS_Sun template for the adapter.
The proxy DN user must be able to read the userPassword attribute in the Oracle Directory Server EE.

Note: Watch the viewlet how to configure the OVD LDAP Adapter for EUS.

3.5 Configure the Enterprise User Security plug-ins

3.5.1 Click the Advanced tab, click the EUS_Sun entry under Mapping Templates, and then click the Apply to deploy the mapping

3.5.2 Click the Adapter tab and access the LDAP Adapter for Enterprise User Security and click the Plug-ins tab.

3.5.3 Select the ObjectclassMapper plug-in, click the Create Namespace button, enter cn=OracleContext,

<YOUR
DOMAIN>

in the Namespace field, and then click the OK button.

3.5.4 Click the Create Mapping button, then select EUS_Sun.py, then enter a unique mapping name, then click the Create Namespace button, then enter the name of your domain in the Namespace field, and then click the OK button.

3.5.5 Click the Apply button

Note: Watch the viewlet how to configure the EUS OVD plug-ins.

3.6 Configure the Access Control Lists (ACLs) for the integration

To protect EUS related information you'll have to create ACL's to prevent unauthorized access to directory data. Refer to "Configuring Access Control Lists for the Enterprise User Security Integration" for details about each ACL (10 in total).

Note: Watch the viewlet how to configure an example OVD ACL's.

3.7 Update the realm information with Root Oracle Context

Edit the modifyRealm.ldif file to use your Oracle Directory Server EE domain name.

replace the string dc=subarashii,dc=com with your domain name (e.g. dc=us,dc=oracle,dc=com)

If you use DN mappings between OVD and ODSEE, use the mapped DN in Oracle Virtual Directory.
Update the realm information using the following command:

ORACLE_HOME/bin/ldapmodify -h Oracle_Virtual_Directory_Host -p port \ -D bindDN -q -v -f modifyRealm.ldif

4. Prepare the database

4.1 Configure the database to use a directory

Follow the steps outlined in the DB 10.1.2 EUS tutorial at step "Tell the Database to use an LDAP directory". These steps will configure NetServices to use a directory server for database service resolution.

Even though these screens refer to the configuration of a DB 10.1.2, the screens for netca are still the same when you apply the configuration steps for a 11.2 netca.

4.2 Register the database with Oracle Directory Server

Next is to "Register the Database with the directory". Follwo step 4.1 the screens shown are the same for a 11.2 database.

5. Example Enterprise User Security Use Cases

In this example we'll pick a simple Enterprise User Security use case (mapping users to a shared DB schema). For more details see

Oracle Database Enterprise User Security Administrator's Guide 11g Release 2 (11.2)

The following steps assume access to dbconsole. To start dbconsole set your ORACLE_HOME and execute the command:

$ORACLE_HOME/bin/emctl start dbconsole

From your browser you can access dbconsole e.g.:

http://ostullic-rh4.us.oracle.com:1158/em

Navigate to Enterprise User Security:

Note: The link to Enterprise User Security is only visible if you've properly configured the directory access via netca. Make sure your $ORACLE_HOME/network/admin/ldap.ora looks similar to the one listed in troubleshooting section 6.3.

Login to the Enterprise Security Manager:

5.1 Configure Enterprise Users: Map all users to a global database schema

Open a terminal window and connect to the database with "as sysdba"

Create a shared schema:

create user dsee_schema_user identified globally

Grant connect to this schema user:
grant connect to dsee_schema_user

This schema is created so that later users who are defined in ODSEE can connect through it (it's like a role).
The users in ODSEE need to be matched to this schema.

Note: Watch the viewlet how to configure EUS users to access a global database schema using the 11.2 DB console..

Connect to your database with olaf/welcome1; Olaf is an enterprise user defined in ODSEE; global_ident_schema_user
is identified as the session_user connecting to the database; but Olaf's identity is preserved by the external_name,
which reveals his identity stored in ODSEE under the user subtree:

[oracle@ostullic-rh4 admin]$ sqlplus olaf/welcome1

SQL*Plus: Release 11.2.0.1.0 Production on Sun Mar 4 11:50:53 2010

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options
SQL> select sys_context('userenv','external_name') from dual;

SYS_CONTEXT('USERENV','EXTERNAL_NAME')
--------------------------------------------------------------------------------
cn=olaf,ou=Users,dc=us,dc=oracle,dc=com

SQL> select sys_context('userenv','session_user') from dual;

SYS_CONTEXT('USERENV','SESSION_USER')
--------------------------------------------------------------------------------
DSEE_SCHEMA_USER

SQL> select * from session_roles;

ROLE
------------------------------
CONNECT

Olaf, Jenny and all other users in the cn=Users,dc=us,dc=oracle,dc=com subtree can now connect to your database;
they are limited in what they can do only by the privileges granted to the global_ident_schema_user schema, in this example "connect".

For our sample configurationt All users have the same privileges, since they connect through the same global schema which is not recommended and should be changed.

For other examples see:

How to set up Enterprise User Security with OID 10g and DB 10g

or

Oracle Database Enterprise User Security Administrator's Guide 11g Release 2 (11.2)

6. Troubleshooting Tips

6.1 Errors that may occur while managing EUS from DBconsole will be logged in:

- ORACLE_HOME/YOUR-HOST-NAME-FQN_INSTANCENAME/sysman/log/emoms.trc
- ORACLE_HOME/YOUR-HOST-NAME-FQN_INSTANCENAME/sysman/log/emoms.log

6.2 Enable the dump transaction plug-in for OVD

To trace failures on the OVD side enable the dump transaction plug-in:

Trace messages will be listed in the ORACLE_INSTANCE/diagnostics/logs/OVD/ovd1

1. Search for the failed transaction in access.log
2. Notice the ECID (Execution Context Identifier) for the transaction
3. Open diagnostics.log
4. Search for the ECID from step 2

When your finished disable dump transaction plug-in in OVD

6.3 Example EUS user entry LDIF file.

These users must contain the objectclasses: orcluser and orcluserV2

[oracle@ostullic-oel4 ~]$ ldapsearch -L -h odseeserver -p 389 -D "cn=directory manager" -w pwd -b "cn=olaf,ou=users,dc=us,dc=oracle,dc=com" -s base "objectclass=*"
dn: cn=olaf,ou=Users,dc=us,dc=oracle,dc=com
uid: olaf
givenName: olaf
sn: stullich
cn: olaf
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: orclUser
objectClass: orclUserV2

6.4 Example $ORACLE_HOME/network/admin/ldap.ora content

[oracle@ostullic-oel4 admin]$ cat ldap.ora
# ldap.ora Network Configuration File: /u01/app/oracle/product/db112/dbhome1/network/admin/ldap.ora
# Generated by Oracle configuration tools.

#OID DIRECTORY_SERVERS= (stakb16.us.oracle.com:3060:3131)
DIRECTORY_SERVERS= (stakb16.us.oracle.com:6501:7501)

DEFAULT_ADMIN_CONTEXT = "dc=us,dc=oracle,dc=com"

DIRECTORY_SERVER_TYPE = OID

Send comments to Olaf.Stullich@oracle.com