In this module, you see how to create enterprise users in
OID by using a feature called "Enterprise Security Manager" that enables
your users to authenticate to your databases by using their credentials and
roles stored in OID.
If your infrastructure is like most, you have an LDAP server
that stores your user identities, roles, and privileges for the purpose of authenticating
your users against their application. The LDAP server also gives you a place
to centrally manage your users and the ability to apply a consistent security
policy to all your applications. The LDAP server also enables you to easily
delegate administration tasks to others.
Traditionally, database authentication is performed by creating
database schema users in the database itself. These schema users have their
user identities, passwords, roles, and privileges stored in the database. When
the user logs in to the database either directly by using SQL*Plus or through
some application, the user's credentials and privileges are checked inside the
database. This model creates fragmented administrative control of users that
access their applications. Every database you have creates a new administrative
management point and a potential for fragmented administration and security
policies in your corporate infrastructure.
A better model would be to have these users created as "Enterprise
Users" in the OID LDAP server. With this model, you can have your users
authenticate against the LDAP server and apply a consistent security policy
for all your users accessing your databases and database applications. It is
also an easier way of managing users and their access to applications. This
model also limits the number of database schema user accounts in the database to
only those that are actually administering the database.
In this section, you will see how to configure your database
to connect with the OID LDAP server.
1.
From your database instance, start Oracle Net Configuration Assistant.
Type netca at the command prompt.
Example:
# netca
Select Directory Usage Configuration and then click Next.
2.
Select the Directory Type as Oracle Internet Directory. Click
Next.
3.
Enter the Fully Qualified Domain Name (FQDN) of the OID server and the
port number on which OID is running. Click Next.
Note: It is important to remember that the Network Configuration
Assistant will attempt to make an anonymous connection with the OID server
to discover the default Oracle Context in OID. By default, OID allows
anonymous connections. But if you have turned off anonymous user connectivity
for OID, you will need to temporarily enable it to allow for this discovery.
4.
Select the user context in OID for the realm of users you want to connect
to the database. Click Next.
5.
Directory usage configuration is complete. Click Next.
6.
Click Finish to quit Oracle Net Configuration Assistant.
Database network connectivity to the LDAP server is now complete.
Configuring your database for LDAP authentication with OID
In this section, you will enable the database
to authenticate users in OID.
1.
Start Database Configuration Assistant. From the command prompt type
dbca.
Example:
# dbca
Click Next on the welcome screen.
2.
Select Configure Database Options and then click Next.
3.
Select the database you want to configure for Enterprise Users and specify
a user with DBA role. Click Next.
4.
Select Yes, register the database. Enter the user DN of the user
in OID that has authority to register the database with OID. Typically,
this is the cn=orcladmin
user. Enter the password for the wallet that will be generated as a result
of registering the database with OID. After entering all the details,
click Next.
5.
Click Finish.
6.
You will be prompted to restart the database. Click No.
7.
Click OK to complete the database registration with OID.
8.
The database configuration has completed successfully. Click No
to exit from the Database Configuration Assistant.
In this section you will create a schema user in the database that acts as a
shared (proxy-like) schema through which your LDAP users authenticate against
the database. You will then map this schema user to your LDAP users in OID so
that they can authenticate against the database.
1.
Log in to the database using SQL*Plus as sysdba. Create a schema
user which has permission to create sessions against the database. In
this example the user name will be "guest".
2.
Now you need to configure the schema mappings for the "guest"
user we just created with the users in the OID server.
Start Oracle Enterprise Security Manager using the following command.
# oemapp esm
Enter cn=orcladmin,
the password for this OID user, the FQDN of the OID server and the port
number that OID is running on. Click OK.
3.
While OracleDefaultDomain is highlighted, select the Database Schema
Mapping tab. Then click the Add button.
4.
Navigate to the user repository where your OID users are located. The
directory entry field should contain the DN of where your "Users"
container in OID is located. By selecting the cn=Users container,
you are enabling all users in this container to connect to the database.
Select the Subtree Level radio button. In the Schema field
enter the name of the database schema user we created earlier in this
section. In our example this user name was "guest". Then click the
OK button.
5.
Back on the Oracle Enterprise Security Manager screen, click the Apply
button.
To create enterprise roles perform the following steps:
1.
Drop the user guest from
the database by using the following commands:
# sqlplus / as sysdba
SQL> drop user guest cascade;
Recreate the user guest
by using the following command:
SQL> create user guest
identified globally;
Create a new database role mydbaccess
by using the following command:
SQL> create role mydbaccess
identified globally;
Assign create session permissions to the role mydbaccess:
SQL> grant create session
to mydbaccess;
This is the only time you create an Enterprise Role and map this role
to a particular user in OID.
2.
Map the role mydbaccess
to a particular user in the OID user realm.
Start the Enterprise Security Manager.
# oemapp esm
In the login dialog box enter the OID super user name (cn=orcladmin),
password, FQDN and port number for the OID server. Click OK.
3.
On the ESM navigation pane, navigate through Realms
> domain name > Enterprise Domain > OracleDefaultDomain. From
the Operations menu, select Create Enterprise Role.
4.
In the "Role Name" field enter a name for your new Enterprise
Role. In our example we will give this role the name
"dbaccessentrole". Click OK to continue.
In the ESM navigation pane, navigate as follows: OracleDefaultDomain
> Enterprise Roles
Highlight the new enterprise role dbaccessentrole. Select the Database
Global Role tab and then click the Add button.
5.
In the next dialog box, double-click the database name db10g.
This will make a database login screen appear.
Log in to the database as the system
user and then click OK.
6.
You will now see a list of database roles
including the name of the new role mydbaccess
that you created earlier.
Highlight this role and click OK.
7.
After selecting the role, in the main ESM
navigation pane click the Apply button.
Click the Users tab, then click on the Add button.
In the Add Enterprise Users dialog box, navigate to the Users
node. Upon selection of the Users
node the Selection field gets automatically filled with the complete DN
of the Users node.
In the Search Criteria section, select the check box Include Subtrees.
In the Show Names Containing field, enter the name of a user you want
to grant access to this new Enterprise Role and then click the Search
Now button.
In our example we will search for the name Paul Needham. If the user
exists in this realm then the search result should show up in the bottom
of this form. Highlight the user and click the OK button.
This user Paul Needham will be the only user who can access this new
Enterprise Role.
To configure the enterprise roles for group authentication
perform the following steps:
1.
Create a new group in OID using the DAS web application
and assign two users to this group. The process of creating the users
and the group is shown in the tutorial's screenshots.
2.
Map the Enterprise Role to the new user group MYDBAPP
in OID. To map the enterprise role perform the following:
Start the Enterprise Security Manager.
Example:
# oemapp esm
At the login screen enter the super user name (cn=orcladmin),
password, FQDN and port number for the OID server and then click OK.
3.
On the ESM navigation pane, navigate through Realms
> domain name > Enterprise Domain > OracleDefaultDomain.
Highlight the new Enterprise Role name dbaccessentrole.
Then select the Users tab and click the Add button.
4.
In the Add Enterprise Users dialog box, navigate
to the Groups node. Upon
selection of the Groups
node the Selection field gets automatically filled with the complete DN
of the Groups node.
In the Search Criteria section, select the check box
Include Subtrees.
In the Show Names Containing field, enter the name of
the group myDBApp that
you want to map to this Enterprise Role and then click the Search Now
button.
From the result highlight the group and click the OK
button.
5.
On the main ESM navigation pane click Apply.
6.
To test the user connections with the database, perform
the steps shown in the tutorial's screenshots:
Since nlewis and pneedham are both part of the MyDBApp
group, and this group has been mapped to the dbaccessentrole
Enterprise Role, both users can connect to the database.
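The connection test described above, written out as an added SQL*Plus script that is not part of the original tutorial. It assumes the shared schema guest, the global role mydbaccess, the enterprise role dbaccessentrole mapped to the group MyDBApp, and the users pneedham and nlewis from the steps above; <oid_password> and <other_oid_user> are placeholders, not values from the tutorial.

```sql
-- Added verification script, not part of the original tutorial.
-- Assumes the shared schema GUEST, the global role MYDBACCESS and the
-- enterprise role dbaccessentrole mapped to group MyDBApp, as set up above.
-- <oid_password> and <other_oid_user> are placeholders.

-- 1. Log in with the credentials stored in OID. The name pneedham does
--    not exist in the database: OID authenticates it, and the subtree
--    mapping of cn=Users opens the session in the shared schema.
CONNECT pneedham/<oid_password>@db10g

-- 2. Show which schema the session runs in (the shared schema) and which
--    directory entry actually authenticated (the user's DN in OID).
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')        AS schema_user,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') AS directory_dn
  FROM dual;

-- 3. List the roles enabled for this session. CREATE SESSION was granted
--    only to MYDBACCESS, so that role must be present for the login to
--    have succeeded; it arrives through the enterprise role dbaccessentrole.
SELECT role FROM session_roles;

-- 4. The second member of MyDBApp shares the same schema but carries a
--    different directory identity.
CONNECT nlewis/<oid_password>@db10g
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')        AS schema_user,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') AS directory_dn
  FROM dual;

-- 5. Negative check (placeholder user): an entry under cn=Users that is
--    neither mapped individually nor a member of MyDBApp still maps to
--    GUEST, but receives no enterprise role and therefore no CREATE SESSION,
--    so the logon is denied (ORA-01045). This confirms that access is
--    controlled by role membership in OID, not by the schema mapping alone.
CONNECT <other_oid_user>/<oid_password>@db10g
```

Run the script from SQL*Plus on a client whose ldap.ora points at the OID server configured with netca; the ENTERPRISE_IDENTITY value returned is the user's DN as stored in OID.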