Starting with 18c, you can integrate the Oracle Database directly with Microsoft Active Directory for user authentication and authorization (Oracle calls this Centrally Managed Users). This is a great and long-awaited feature: until now many of us used OpenLDAP or a third-party LDAP directory for the same purpose, which left sysadmins managing two different directory services for user management and authentication of Oracle databases.
The setup looks much like configuring LDAP services: the directory server, domain and bind user go into the ldap.ora file. If ldap.ora is already in use for another directory, you can instead create a file called dsi.ora and prefix each parameter with DSI_. That way the existing LDAP directory and Active Directory can be used side by side, with AD serving as the authentication mechanism for the database.
The high-level steps involved are:
Sysadmin:
- Create an Active Directory service account for the database and grant it read privileges on the domain (or the containers) the database needs to look up users and groups.
- Extend the Active Directory schema with the Oracle-specific attributes. The schema extension, together with the Oracle password filter on the domain controllers, is needed only for password-based authentication; Kerberos or PKI authentication of AD users does not require either.
DBA:
On the database host, edit ldap.ora (or dsi.ora) under $ORACLE_HOME/network/admin and set:
DSI_DIRECTORY_SERVERS = (ad-server.test.com:389:636)
DSI_DEFAULT_ADMIN_CONTEXT = "o=test,c=US"
DSI_DIRECTORY_SERVER_TYPE = ad
The server type parameter (DIRECTORY_SERVER_TYPE in ldap.ora, DSI_DIRECTORY_SERVER_TYPE in dsi.ora) must be set to ad for Active Directory. The DIRECTORY_SERVERS value is host:ldap_port:ldaps_port; keep the LDAPS port, because the bind to AD and any password authentication should not travel in clear text. For an AD domain the admin context is normally the domain's distinguished name (for the dbca example further down that would be dc=adintg,dc=examplecorp,dc=com).
Create certificates for secure connections
For Oracle Database, use the orapki utility to create the database wallet (orapki wallet create -wallet ./ -pwd pwd) and then the Oracle Database server certificate:
orapki wallet add -wallet ./ -pwd pwd -dn "CN=`hostname`, OU=Department, O=Company, L=City, ST=State, C=Country" -keysize 1024 -self_signed -validity 365
On a real system use -keysize 2048 rather than 1024; 1024-bit RSA keys are no longer considered adequate.
For Active Directory, obtain the root certificate of the CA that issued the domain controllers' LDAPS certificates (for an AD Certificate Services CA, certutil -ca.cert on the CA exports it) and add it to the database wallet as a trusted certificate with orapki wallet add -wallet ./ -trusted_cert -cert <root.pem> -pwd pwd. Without the AD root in the wallet the database cannot validate the LDAPS connection to AD; the database's own self-signed certificate does not help with that.
Configure the database with AD authentication
Register the database with the directory service using dbca from $ORACLE_HOME/bin (-sourceDB is the database being configured; the directory user is the AD service account created by the sysadmin):
./dbca -silent -configureDatabase -sourceDB ad -registerWithDirService true -dirServiceUserName cn=example,cn=users,dc=adintg,dc=examplecorp,dc=com -dirServiceUser oracle -dirServicePassword password -ldapDirectoryAccessType PASSWORD -walletPassword password
Passwords given on the command line end up in the shell history and the process list, so prefer a dbca response file or clear them afterwards. Then enable directory authentication in the database:
ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS = 'PASSWORD';
ALTER SYSTEM SET LDAP_DIRECTORY_SYSAUTH = 'yes' SCOPE=SPFILE;
LDAP_DIRECTORY_ACCESS takes effect immediately. LDAP_DIRECTORY_SYSAUTH is a static parameter, so it needs SCOPE=SPFILE and an instance restart; it controls whether directory users can hold administrative privileges such as SYSDBA.
-Thanks
Suresh
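The procedure above only works when the directory parameters, the AD root certificate and the AD bind account are all right before dbca is run; when they are not, the first symptom is usually a failed login with the database reporting that it could not access the directory. The following preflight script is an added example for this post, not code from the original or from Oracle. It parses a dsi.ora or ldap.ora file (accepting both the DSI_-prefixed and the plain parameter names), refuses a configuration whose server type is not ad or that has no LDAPS port, and, when invoked with the run argument, checks that the domain controller's LDAPS certificate chains to the AD root exported from the CA, adds that root to the database wallet as a trusted certificate, and performs a test bind as the AD service account. Host names, ports, DNs, the wallet path and the file names are illustrative assumptions; the network steps need openssl, ldapsearch and orapki on the database host.

```shell
#!/bin/sh
# Preflight for the 18c Active Directory (CMU) setup described above.
# Added example, not from the original post or from Oracle. Host names,
# ports, DNs, wallet path and file names are illustrative assumptions.

# Turn a DIRECTORY_SERVERS value, e.g. "(ad-server.test.com:389:636)",
# into one line: "host ldap_port ldaps_port".
parse_directory_servers() {
    printf '%s\n' "$1" | sed -e 's/^[^(]*(//' -e 's/).*$//' | tr -d '\r' | tr ':' ' '
}

# Read dsi.ora (or ldap.ora) and print "type host ldap_port ldaps_port".
# Both the DSI_-prefixed names and the plain ldap.ora names are accepted.
read_directory_config() {
    dstype=$(sed -n 's/^ *\(DSI_\)\{0,1\}DIRECTORY_SERVER_TYPE *= *//p' "$1" | tr -d ' \r')
    servers=$(sed -n 's/^ *\(DSI_\)\{0,1\}DIRECTORY_SERVERS *= *//p' "$1")
    [ -n "$dstype" ] && [ -n "$servers" ] || return 1
    printf '%s %s\n' "$dstype" "$(parse_directory_servers "$servers")"
}

# Fail unless the file names an AD server with an LDAPS port: the bind from
# the database (and password authentication) must not cross the network on
# the plain LDAP port. Prints "host ldap_port ldaps_port" on success.
check_directory_config() {
    set -- $(read_directory_config "$1")
    [ "$1" = "ad" ] || { echo "DIRECTORY_SERVER_TYPE is '$1', expected 'ad'" >&2; return 1; }
    [ -n "$4" ] || { echo "no LDAPS port in DIRECTORY_SERVERS" >&2; return 1; }
    echo "$2 $3 $4"
}

# certutil -ca.cert exports DER; openssl -CAfile and orapki want PEM.
# Prints the path of a PEM copy of the AD root certificate.
ad_root_pem() {
    if openssl x509 -in "$1" -noout 2>/dev/null; then printf '%s\n' "$1"; return; fi
    openssl x509 -inform der -in "$1" -out "${1%.*}.pem" && printf '%s\n' "${1%.*}.pem"
}

# Confirm the domain controller's LDAPS certificate chains to the AD root.
# The database's own self-signed certificate does not help here: the wallet
# has to trust the AD root, not itself.
verify_ldaps_chain() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Add the AD root to the database wallet as a trusted certificate and show
# the wallet so the entry can be eyeballed.
add_ad_root_to_wallet() {
    orapki wallet add -wallet "$2" -trusted_cert -cert "$1" -pwd "$3" &&
        orapki wallet display -wallet "$2" -pwd "$3"
}

# Bind over LDAPS as the AD service account, the way the database will.
# ORA-28030 at login means the database could not access the directory,
# so this has to succeed before dbca is worth running.
test_ad_bind() {
    LDAPTLS_CACERT="$3" ldapsearch -H "ldaps://$1:$2" -D "$4" -W \
        -b "$5" -s base '(objectClass=*)' dn
}

# Usage:
#   sh preflight.sh check [dsi.ora]
#   sh preflight.sh run host ldaps_port ad_root.cer wallet_dir wallet_pw bind_dn base_dn
case "${1:-}" in
    check) check_directory_config "${2:-$ORACLE_HOME/network/admin/dsi.ora}" ;;
    run)   root=$(ad_root_pem "$4") &&
           verify_ldaps_chain "$2" "$3" "$root" &&
           add_ad_root_to_wallet "$root" "$5" "$6" &&
           test_ad_bind "$2" "$3" "$root" "$7" "$8" ;;
    *)     ;;  # no argument: only define the functions (file can be sourced)
esac
```

Run the check step first on the database host; it fails fast on the two configuration mistakes that are easiest to make (a server type other than ad, or a DIRECTORY_SERVERS entry without the LDAPS port). The run step is ordered so that the certificate chain is verified against the exported AD root before anything is written to the wallet, and the bind test uses the same root, so a failure points at either the certificate or the service account rather than at the database.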
Hi Suresh,
For Oracle Database, use the orapki utility to get the Oracle Database server certificate.
orapki wallet add -wallet ./ -pwd pwd -dn "CN=`hostname`, OU=Department, O=Company, L=City, ST=Street, C=Country" -keysize 1024 -self_signed -validity 365
For Active Directory, use the Active Directory certificate generation process to obtain the certificate.
Question:
Instead of a self-signed certificate, do I need to add the AD root certificate for AD?
Thanks
Siddesh
You forgot to mention that this integration requires the password filter DLL to be installed on the AD domain controllers, plus a schema extension of AD. While the schema extension might get accepted by AD admins, large enterprises will never install a third-party DLL like this Oracle password filter on their AD servers. I had this discussion with large customers and none of them accepted this.
ORA-28030: ORA-28030: Server encountered problems accessing LDAP directory service
ORA-01017: invalid username/password; logon denied
I have done my configuration, but when I test it I get the following error:
ORA-01017: invalid username/password; logon denied. I started tailing the alert file before trying to log in and saw this in the alert file as well:
ORA-28030: ORA-28030: Server encountered problems accessing LDAP directory service
My environment is set up with Oracle Linux 7.5 and Windows Server 2012 R2.
Is there anything I am not doing? If yes, then how do I get this to work?