Use External Password Authentication if you want some or all of your Oracle 10g Application Server users to authenticate with the credentials stored in Active Directory, or if you do not want your Active Directory user passwords to be stored in OID. External Password Authentication lets you set up OID so that when a user authenticates against OID, OID checks the user's credentials against the Active Directory server rather than against its own store.
Another reason to set up external authentication is that the Active Directory import connector cannot migrate hashed passwords from Active Directory to OID. This is because Microsoft uses a proprietary hashing algorithm called Unicode password encryption that is not supported in OID. Therefore, if you want to authenticate by using your Microsoft password, you must set up the External Password Plug-in.
1. Run the script called oidspadi.sh from the $ORACLE_HOME/ldap/admin directory.
2. During the execution of this command, provide the following basic information about OID and AD:
   - Enter your AD server FQDN or IP address.
   - Enter n for no to the SSL question.
   - Enter the port number that the AD server is running on.
   - Enter the database connect string for the OID database.
   - Enter the ODS database schema user password.
   - Enter the OID host name.
   - Enter the port number that the OID server is running on.
   - Enter the password for the orcladmin user.
   - Enter the subscriber search base. This is the DN of the users container in OID whose users you want to authenticate against AD.
   - Leave Plug-in Request Group DN blank. Press [Enter] without a value.
   - The Exception Entry Property value acts as a filter and determines which users will authenticate against OID and which users will authenticate against AD. If you leave this value null, all users in your realm will authenticate by using their credentials stored in AD. For example, the value (&(objectclass=inetorgperson)(cn=orcladmin)) tells OID that every user except the user "cn=orcladmin" will authenticate by using the credentials stored in AD.
   - Do not set up the backup Active Directory failover here. Select n for no.
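The Exception Entry Property is an LDAP filter, and it is easy to get its sense backwards: entries that match the filter stay with OID, everything else is sent to AD. The following added example (not part of the original text or of Oracle's tooling) evaluates such a filter over a handful of constructed directory entries so you can check which users a given filter would keep local before committing it. The parser covers the equality, presence, AND, OR and NOT forms; substring and extensible matches are not supported.

```python
"""Route users to OID or AD according to an Exception Entry Property filter.

Added illustration, not Oracle code. Entry data below is constructed.
Semantics, as stated in the procedure: a user whose entry matches the
exception filter authenticates against OID; all others authenticate
against AD; an empty filter sends everybody to AD.
"""

# Constructed sample entries: attribute names are lowercased, values are lists.
SAMPLE_ENTRIES = [
    {"dn": "cn=orcladmin,cn=users,dc=example,dc=com",
     "objectclass": ["inetOrgPerson", "orclUser"], "cn": ["orcladmin"]},
    {"dn": "cn=jsmith,cn=users,dc=example,dc=com",
     "objectclass": ["inetOrgPerson"], "cn": ["jsmith"]},
    {"dn": "cn=svc-dip,cn=users,dc=example,dc=com",
     "objectclass": ["orclService"], "cn": ["svc-dip"]},
]


def parse_filter(text):
    """Parse an RFC 4515 style filter into a tree of tuples.

    Supported: (attr=value), (attr=*), (&...), (|...), (!...).
    """
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = parse()
            expect(")")
            return ("!", [child])
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(entry, c) for c in node[1])
    if kind == "|":
        return any(matches(entry, c) for c in node[1])
    if kind == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":          # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def route_authentication(entries, exception_filter):
    """Map each entry's DN to "OID" (matches the exception) or "AD" (everyone else)."""
    tree = parse_filter(exception_filter) if exception_filter else None
    routes = {}
    for entry in entries:
        keep_local = tree is not None and matches(entry, tree)
        routes[entry["dn"]] = "OID" if keep_local else "AD"
    return routes


if __name__ == "__main__":
    for dn, target in route_authentication(
            SAMPLE_ENTRIES, "(&(objectclass=inetorgperson)(cn=orcladmin))").items():
        print(f"{target:3}  {dn}")
```

Run it with the filter from the text and only cn=orcladmin is reported as OID; the service account that is not an inetorgperson is also sent to AD, which is usually not what you want for accounts that exist only in OID, so widen the filter with an OR before you deploy it.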
To synchronize passwords from OID to AD, you must set up OID to communicate with the AD server over SSL. Configsets in OID allow you to configure custom startup settings for the OID server. By calling a specific configset when you start OID, you invoke whatever parameters are associated with that configset. To create a new configset with the SSL parameters needed for running OID in SSL mode, perform the following steps:
1. Start the Oracle Directory Manager. In the login dialog box, enter the username orcladmin and the Oracle Application Server administrator password.
2. Navigate to the Server Management > Directory Server entry.
3. Select the green box from the menu to create a new configset.
4. Configure your new configset in the Configuration Set2 form. Enter the following values:
   - In the SASL Mechanism field, enter: DIGEST-MD5
   - In the SASL Cypher Choice field, enter: DIGEST-MD5, DES, 3DES
   - In the Non SSL Port field, enter a port number such as 3060.
   Click OK. You should now see a new configset in your list under Directory Server.
5. Select your new configset. Select the SSL Settings tab.
6. Make the following changes:
   - Set SSL Authentication to SSL Server Authentication.
   - Set SSL Enable to Both SSL and Non-SSL.
   - Set the SSL Wallet URL to the location where your wallet exists. For now, you can set it to the location where you will eventually create the new wallet. Enter file:/u01.
   - Set the SSL port number.
7. Restart the OID Server by using your new server configset.
You must configure a wallet, which is required for SSL connectivity between OID and AD. This lets you move sensitive data such as passwords between OID and AD safely.
1. Start the Oracle Wallet Manager.
   # owm
2. From the Wallet menu in Oracle Wallet Manager, select New. If you get a message indicating that your default wallet directory does not exist and asking whether you want to create it, select No.
3. Enter a password for the new wallet. Remember this password because you will need it later. Click OK.
4. When prompted to create a certificate request, select Yes.
5. In the Certificate Request Form, enter the following details:
   - Common Name: OID to AD cert req
   - Organizational Unit: OID server
   - Organization: Oracle Corp
   - Locality/City: Colorado Springs
   - State/Province: Colorado
   - Select United States from the Country list.
   - Change the Key Size to 1024 bits.
   Click OK.
6. Your request for the certificate is now complete.
7. Move the certificate request file from the server to your PC by using FTP. Copy the contents of the file.
8. Open a new browser and navigate to the Oracle Certificate Authority user page. Click the Server / SubCA Certificates tab.
9. Click Request a Certificate.
10. Paste the certificate request in the PKCS#10 Request field.
11. Enter the contact information:
    - Name:
    - E-Mail ID:
    Click Submit.
12. Note the request ID. Click OK.
13. Open a new browser and navigate to the Oracle Certificate Authority administration page. Click the Certificate Management tab.
14. Select your certificate and click OK.
15. Select your certificate request and click View Details.
16. Verify the certificate details and click Approve.
17. View the certificate request approval information and note the serial number of the issued certificate. Click OK.
18. Navigate back to the Oracle Certificate Authority user page. Click the Server / SubCA Certificates tab.
19. Verify that Certificate and ID / Serial No. are selected in the Search fields. Enter your serial number in the text field and click Go.
20. Select the serial number and click View Details.
21. Select the certificate. Right-click and select Copy.
22. Save the contents of the certificate to your local machine.
23. Navigate to the Oracle Certificate Authority user page. Click the Server / SubCA Certificates tab.
24. Click Download CA Certificate.
25. Click Advanced.
26. Select the contents of the Base64-Encoded Certificate.
27. Save the contents of the certificate to your local machine.
28. Transfer the two files to your OID server.
29. Locate and open your AD root certificate file. Click the Details tab. Select Copy to File.
30. Click Next in the Certificate Export Wizard screen.
Next, complete the wallet and test it to make sure it is working. To import the root certificate issued by the Oracle Certificate Authority, perform the following steps:
1. Open Oracle Wallet Manager. Select Import Trusted Certificate from the Operations menu.
2. In the Import Trusted Certificate dialog box, choose Select a file that contains the certificate. Click OK.
3. Navigate to the directory where your OCA root certificate file is located. Select the OCA root certificate file. Click OK. You should now see the new trusted certificate in the Trusted Certificate tree.
4. Click the Operations menu in Oracle Wallet Manager. Select Import User Certificate.
5. In the Import Certificate dialog box, choose Select a file that contains the certificate. Click OK.
6. Navigate to the directory where your new user certificate is located. Select the user certificate file. Click OK.
7. After this, you should see the certificate status change from Requested to Ready.
8. The root certificate from the AD server must also be imported into the wallet. From the Operations menu, select Import Trusted Certificate. Navigate to the directory where your AD root certificate is located. Select the AD root certificate file. Click OK.
9. After this, you should see another new trusted certificate in the Trusted Certificate tree.
10. From the Wallet menu, select Auto Login. Click Save As to save the wallet to a file.
11. Save the wallet to a file. Save the file to the /u01 directory.
12. Enter the following test command to verify whether you are able to bind to the AD server's SSL port from the OID server side:
    Do not include the name of the wallet file in this line.
The last line in the file looks like this by default:
certWalletPwdF: <Absolute Path of the WalletPasswordFile>/certWalletPwd
This is the location of the encrypted wallet password file that the DIP server will use to access the wallet. This file has not been generated yet but will be generated in the next step. However, you must set the location of the file before it exists.
For instance, if you plan to put the encrypted wallet password file in a directory called /u01/app/oracle/product/904/ldap/odi/conf and you want to name the encrypted wallet password file certWalletPwd, then this last line will look like this:
certWalletPwdF: /u01/app/oracle/product/904/ldap/odi/conf/certWalletPwd
Copy the ewallet.p12 file you created on the previous page to the $ORACLE_HOME/ldap/odi/conf directory.
Example:
# cp /u01/ewallet.p12 $ORACLE_HOME/ldap/odi/conf
4. Create the certWalletPwd file.
Example:
# dipassistant wpasswd
This command reads your odi.properties file for the location where it will create this file. When prompted, enter the password for the wallet you created previously.
To synchronize passwords from OID to AD, you must set up a reversibly encrypted password for users. This password is in addition to the userpassword attribute, which already exists for all users. Whenever a user changes his password on the OID side, the password is typically stored by using a one-way hash algorithm, such as SSHA.
This form of the password is not compatible with the proprietary Unicodepassword attribute in AD, so you must have a clear text password to send to the AD server. This Unicode hashing algorithm is proprietary to Microsoft. When synchronizing with other LDAP servers, such as iPlanet from Sun, this step is not necessary because those servers support the more open and commonly used hashing algorithms such as SHA, SSHA, MD5, MD4, and Crypt, to name a few, which are also supported in OID.
If you enable the password policy in OID for User Password Reversible Encryption, OID stores the password in a new attribute holding an encrypted version of the password that the DIP server can also decrypt.
The attribute that stores this reversible password is called orclreversiblepassword.
1. Start the Oracle Directory Manager. Enter the username and password. Click Login.
2. Navigate to the Password Policy for subscriber folder, which is under the Password Policy Management folder.
3. On the General tabbed page, you see an option called User Password Reversible Encryption. Change the value of this option to Enable. Apply the change.
This new password attribute will not be populated until the user changes his password.