Integration: Configuring External Authentication

Configuring the External Authentication Plug-in Policy

You may want some or all of your Oracle 10g Application Server users to authenticate with the credentials stored in Active Directory, or you may not want Active Directory user passwords stored in OID at all. For this authentication model OID provides a feature called "External Password Authentication". With it, when a user binds to OID, OID checks the user's credentials against the Active Directory server instead of against its own password store.

Another reason you may need external authentication is that the AD import connector set up on the previous pages cannot migrate password hashes from AD to OID. Microsoft stores the password in the unicodePwd attribute in its own format, which cannot be read through LDAP and is not one of the password schemes OID supports. OID supports the commonly used password hashing schemes such as MD5, MD4, SHA, SSHA and Crypt, to name a few; Active Directory exposes none of these. So if you want users to authenticate with their Active Directory passwords, you need to set up the External Password plug-in.

In this section you will learn how to configure Oracle Internet Directory to authenticate users using credentials stored in AD.

PREREQUISITES

- OID 10g AS infrastructure must be installed
- The OID server must be running
- OID must be configured to import AD users

The procedure for configuring External Authentication is quite simple. A single script, oidspadi.sh, is run from the $ORACLE_HOME/ldap/admin directory. During execution it prompts for some basic information about OID and AD:

1. The AD server FQDN or IP address.
2. Whether to use SSL. In our example we do not use SSL, so answer "n" for no. Note that without SSL the credentials OID forwards to AD cross the network in clear text, so use SSL for anything other than a lab.
3. The port number the AD server is listening on.
4. The database connect string for the OID database.
5. The password of the "ods" database schema user. This is probably the same password you use for the cn=orcladmin user.
6. The FQDN or IP address of the server that OID is running on.
7. The port number the OID server is listening on.
8. The password for the orcladmin user.
9. The subscriber search base. This is the DN of the users container in OID whose users you want authenticated against AD.
10. The "Plug-in Request Group DN". Leave this blank: just press Enter without a value.
11. The "Exception Entry Property", discussed next.

The "Exception Entry Property" is worth pointing out. It is an LDAP filter that decides where each user authenticates: entries under the subscriber search base that match the filter are exceptions and authenticate locally against the password stored in OID, while everyone else is authenticated against AD. If you leave the value empty, every user in your realm authenticates with credentials stored in AD. Here is an example value for the "Exception Entry Property":

(&(objectclass=inetorgperson)(cn=orcladmin))

This value tells OID that every user except the user "cn=orcladmin" authenticates with credentials stored in AD. You almost always want orcladmin in the exception list: the directory superuser has no Active Directory counterpart, so sending its binds to AD would fail and lock you out of OID administration.

Let's assume you want to exclude both the "orcladmin" and the "portal" user from external authentication. The "portal" user is "cn=portal, ....", so the value you specify would be:

(|(cn=orcladmin)(cn=portal))

The objectclass clause is not required in the filter. Now suppose you want every user whose OID entry carries the objectclass orclADUser (the objectclass the AD import connector gives to synchronized users) to authenticate against the AD server, and everyone else to authenticate locally against OID. In this case, you would put:

(!(objectclass=orclADUser))

If you want to combine both conditions, use the value:

(|(|(cn=orcladmin)(cn=portal))(!(objectclass=orclADUser)))

This value tells the OID server that the "orcladmin" and "portal" users, and anyone who does not have the "orclADUser" objectclass in their user entry, authenticate locally with their OID credentials. Since an LDAP OR accepts any number of operands, the nested OR is not needed; (|(cn=orcladmin)(cn=portal)(!(objectclass=orclADUser))) is equivalent.
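The exception-entry filters above, turned into a small script (an added example, not code from the original page or from Oracle's oidspadi.sh). It builds the filter for a list of excluded cn values, checks that its parentheses balance before the value is pasted into the oidspadi.sh prompt, and optionally previews which entries under the subscriber search base match it, using OID's own ldapsearch in $ORACLE_HOME/bin. The environment variables OID_HOST, OID_PORT, ORCLADMIN_PW and SEARCH_BASE, and the function names, are assumptions of this example.

```shell
#!/bin/sh
# Added example for this page (not part of the original tutorial or of
# Oracle's oidspadi.sh): build the "Exception Entry Property" filter from
# a list of cn values, check that it is well formed, and preview which
# entries it exempts before the value is committed by the script.
# Assumptions (not from the page): OID's own ldapsearch lives in
# $ORACLE_HOME/bin, and the preview only runs when OID_HOST, OID_PORT,
# ORCLADMIN_PW and SEARCH_BASE are exported by the caller.

# (|(cn=a)(cn=b)) for two or more names, (cn=a) for one, empty for none.
exception_filter_for_users() {
    f=""
    for u in "$@"; do
        f="${f}(cn=${u})"
    done
    case "$#" in
        0) printf '' ;;
        1) printf '%s' "$f" ;;
        *) printf '(|%s)' "$f" ;;
    esac
}

# Full exception filter: the named users plus everyone whose entry lacks
# objectclass=orclADUser authenticate locally; everyone else goes to AD.
# With no names this is just (!(objectclass=orclADUser)).
exception_filter() {
    users=$(exception_filter_for_users "$@")
    if [ -z "$users" ]; then
        printf '(!(objectclass=orclADUser))'
    else
        printf '(|%s(!(objectclass=orclADUser)))' "$users"
    fi
}

# A filter with unbalanced parentheses is not a valid LDAP filter, so
# check it before pasting it into the oidspadi.sh prompt.
filter_balanced() {
    opens=$(printf '%s' "$1" | tr -cd '(' | wc -c | tr -d ' ')
    closes=$(printf '%s' "$1" | tr -cd ')' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Dry run: list the DNs the filter matches under the subscriber search base.
# Those entries keep authenticating against OID; every other user under the
# base will be sent to AD once the plug-in is active.
preview_exceptions() {
    filter=$1
    "${ORACLE_HOME:?}/bin/ldapsearch" -h "$OID_HOST" -p "$OID_PORT" \
        -D cn=orcladmin -w "$ORCLADMIN_PW" \
        -b "$SEARCH_BASE" -s sub "$filter" dn
}

filter=$(exception_filter orcladmin portal)
filter_balanced "$filter" || { echo "unbalanced filter: $filter" >&2; exit 1; }
echo "Exception Entry Property: $filter"

if [ -n "${OID_HOST:-}" ]; then
    preview_exceptions "$filter"
fi
```

Run the preview with the same subscriber search base you will give oidspadi.sh; the DNs it prints are the accounts that keep authenticating against OID, so check that cn=orcladmin appears and that no AD-synchronized user does.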
For our example we do not set up the backup Active Directory failover server, so answer "n" for no at that prompt. The graphic below shows an example of how to set up External Authentication.

After running this script, your 10g Application Server users can authenticate externally against AD. To confirm, bind to OID as an AD-synchronized user (for example with ldapbind from $ORACLE_HOME/bin) using that user's Active Directory password; the bind should succeed, while cn=orcladmin should still bind with its OID password.