Friday, June 14, 2013

Oracle Unified Directory 11.1.2.1.0: TNS and EUS - Part 2: Enterprise User Security

Enterprise User Security: Step by Step

I want to set OUD up in the way I've done it with OID 10.1.4.3:
  • Use a Shared Schema in every database
  • map this shared schema within the security domain in OUD
  • create enterprise users in OUD
  • Use a group in OUD to assign the enterprise roles to
  • Assign Enterprise Users (defined in OUD) to these groups

Planning

Implementing Enterprise User Security involves the following steps:
  1. Make the database known to your Directory Service and allow it to communicate with the Directory Server.
  2. Create a general account (the shared schema) in the database, which will serve as catch-all for the Enterprise Users.
  3. Create global roles (roles "identified globally") in each database instance, and grant database roles to these global roles.
  4. On the Directory Server, create (a) group(s), and possibly users (you may want to consider using your main login source, which will be MS Active Directory [MSAD] in many cases; OVD and DIP come into play here).
  5. Create a user search mapping in the Directory Server to indicate where to find valid accounts, and which shared schema they map to.
  6. On the Directory Server, create the Enterprise Roles.
  7. Map each database's global roles onto the Enterprise Roles.
  8. Grant the Enterprise Roles to the group(s).
Steps 1, 2, 3 and 7 have to be done for each database instance, since every database contributes its own global role to an Enterprise Role.
Steps 4, 6 and 8 are executed only once. Step 5, as created below, is a domain-level mapping (eusm reports "Mapping Level: DOMAIN"), so it too is done once, provided every database in the domain has a shared schema of the same name. If you have DIP in place, all you have to do is add an account to the group to allow that account to use ALL database instances!

Step 1: database and directory server.

Actually, by registering the database the way I did, I completed step 1.
You may verify this entry using the command line version of the Enterprise User Security Manager, EUSM, like this (note that 1389 is OUD's plain LDAP port, so the Directory Manager password crosses the wire in clear; passed as a command-line argument it also ends up in the shell history and in ps output, which is acceptable for this lab and for nothing else):
[oracle@idm1 ~]$ eusm listdomaininfo domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
DOMAIN INFOMATION FOR DOMAIN: OracleDefaultDomain
-------------------------------------------------
Current user DB links status: DISABLED
Allowed user authentication methods: ALL
LIST OF DATABASES
-----------------
idm1

Steps 2 and 3: The general account and Enterprise Roles

-- the shared (catch-all) schema: users mapped to it have no database password,
-- the directory authenticates them
create user global_schema identified globally as '';
-- global roles: no password, they can only be acquired through the directory
create role er_connect identified globally;
grant connect to er_connect;
create role er_resource identified globally;
grant resource to er_resource;
create role er_dba identified globally;
grant dba to er_dba;
Note that membership of whatever directory group ends up holding the DBA Enterprise Role (step 8) is now equivalent to DBA on every database in the domain, so write access to that group has to be protected like SYSDBA credentials.

Step 4: Create User and Group on Directory Server

First of all, start WebLogic to access Oracle Directory Services Manager (ODSM):
[oracle@oud ~]$ /oracle/user_projects/domains/OUD_domain/bin/startWebLogic.sh
Log in to ODSM and create user "frank", group "EnterpriseDBA" and make frank a member of this group.
Create user

Basic info; last name (sn) is obligatory!

Oracle EUS needs the orclUser and orclUserV2 object classes. Add them!

Add group.
Not sure about the difference between Static, Dynamic or Virtual; static it is.

Name it

Add "frank" as member - press the plus sign

Browse through, and select "frank"

Done!

Step 5: Directory Server: create account search path

I will use the EUSM command line:
[oracle@idm1 ~]$ eusm createmapping domain_name="OracleDefaultDomain" map_type="SUBTREE" \
> map_dn="cn=Users,dc=home,dc=local" schema="global_schema" realm_dn="dc=home,dc=local" \
> ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
A SUBTREE mapping means every entry below map_dn that has a password can log in to every database in the domain as global_schema (with whatever it is granted through its groups), so keep the mapped subtree no wider than the population that is actually allowed to connect.
And verify:
[oracle@idm1 ~]$ eusm listmappings domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
LIST OF DATABASE SCHEMA MAPPINGS::
------------------------------------
Mapping Name: MAPPING0
Mapping Type: SUBTREE
Mapping DN: cn=Users,dc=home,dc=local
Mapping schema:global_schema
Mapping Level :DOMAIN
It is also visible in ODSM:
Step 6: Directory Server: create Enterprise Roles

Now, create the Enterprise Roles in the Directory Server, again using the command line interface (CLI):
[oracle@idm1 ~]$ eusm createRole enterprise_role="OUD_DBA" domain_name="OracleDefaultDomain" \
> realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm createRole enterprise_role="OUD_Connect" domain_name="OracleDefaultDomain" \
> realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm createRole enterprise_role="OUD_Resource" domain_name="OracleDefaultDomain" \
> realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
Again, you can use eusm to verify the action (as there's no feedback...):
[oracle@idm1 ~]$ eusm listenterpriseroles domain_name="OracleDefaultDomain" \
> realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
LIST OF ENTERPRISE ROLES IN DOMAIN: OracleDefaultDomain
-------------------------------------------------
OUD_Connect
OUD_DBA
OUD_Resource
This, too, can be seen in ODSM.
Step 7: Map Enterprise roles (database to directory)

Make sure you use "sys as sysdba" for dbuser, and the SID, not the service name, in the connect string (host:port:SID). The SYS password goes on the command line here as well, with the same caveat as for the Directory Manager password above:
[oracle@idm1 ~]$ eusm addglobalrole enterprise_role="OUD_Resource" \
> domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> Database_name="idm1" global_role="er_resource" dbuser="sys as sysdba" \
> dbuser_password="manager" dbconnect_string="idm1.home.local:1521:idm1" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm addglobalrole enterprise_role="OUD_DBA" \
> domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> Database_name="idm1" global_role="er_dba" dbuser="sys as sysdba" \
> dbuser_password="manager" dbconnect_string="idm1.home.local:1521:idm1" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm addglobalrole enterprise_role="OUD_Connect" \
> domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> Database_name="idm1" global_role="er_connect" dbuser="sys as sysdba" \
> dbuser_password="manager" dbconnect_string="idm1.home.local:1521:idm1" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"

Step 8: Grant the Directory Enterprise Roles to the group

[oracle@idm1 ~]$ eusm grantrole enterprise_role="OUD_DBA" domain_name="OracleDefaultDomain" \
> realm_dn="dc=home,dc=local" group_dn="cn=EnterpriseDBA,cn=Groups,dc=home,dc=local" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"

Eating the pudding

One snag I did not document earlier: you need to fill in the optional(!) attribute userPassword for your user. If you don't, you will run into this:
[oracle@idm1 ~]$ sqlplus frank/DemoOud1@idm1

SQL*Plus: Release 11.2.0.3.0 Production on Fri Jun 14 13:10:56 2013

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

ERROR:
ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
After rectifying this issue, I got enterprise security:
[oracle@idm1 ~]$ sqlplus frank/DemoOud1@idm1

SQL*Plus: Release 11.2.0.3.0 Production on Fri Jun 14 13:11:13 2013

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning option

SQL> select * from session_roles;

ROLE
------------------------------
ER_DBA
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
EXECUTE_CATALOG_ROLE
HS_ADMIN_EXECUTE_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
SCHEDULER_ADMIN
WM_ADMIN_ROLE
JAVA_ADMIN
JAVA_DEPLOY
XDBADMIN
XDB_SET_INVOKER

18 rows selected.

SQL>
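The ORA-28274 snag is easy to hit again whenever a user is created in ODSM (or pushed in by DIP) without a password or without the two object classes, and it only shows up at that user's first login. The script below is an added example, not code from the original post: it reads an LDIF dump of the mapped subtree on stdin and reports every entry that lacks userPassword, orclUser or orclUserV2, so the check can be run right after step 4 instead of waiting for the help desk call. The embedded sample LDIF is constructed (not an export from the author's directory), the ldapsearch invocation in the comment is a hypothetical way to obtain such a dump, and the entry layout is assumed; the attribute and object class names are the ones the post itself requires.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of EUS user entries.
# Feed it an LDIF dump of the mapped subtree, for instance (hypothetical invocation):
#   ldapsearch -h oud.home.local -p 1389 -D "cn=Directory Manager" -W \
#              -b "cn=Users,dc=home,dc=local" "(objectClass=person)"

# Constructed sample: "frank" as the post describes him after the fix,
# "alice" as a user created in ODSM with the defaults and no password.
SAMPLE_LDIF='dn: cn=frank,cn=Users,dc=home,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: orclUser
objectClass: orclUserV2
cn: frank
sn: Frank
uid: frank
userPassword: {SSHA}c29tZS1oYXNoLXZhbHVlLWdvZXMtaGVyZQ==

dn: cn=alice,cn=Users,dc=home,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: alice
sn: Alice
uid: alice'

# eus_preflight: read LDIF on stdin, print one line per entry:
#   OK      <dn>                     entry has everything the post says EUS needs
#   MISSING <dn> (attr1,attr2,...)   entry would fail at login with ORA-28274
eus_preflight() {
    awk '
    function flush(    miss) {
        if (dn == "") return
        miss = ""
        if (!has_pw) miss = miss (miss == "" ? "" : ",") "userPassword"
        if (!has_ou) miss = miss (miss == "" ? "" : ",") "orclUser"
        if (!has_v2) miss = miss (miss == "" ? "" : ",") "orclUserV2"
        if (miss == "") { print "OK      " dn } else { print "MISSING " dn " (" miss ")" }
        dn = ""; has_pw = 0; has_ou = 0; has_v2 = 0
    }
    /^dn: /                                   { flush(); dn = substr($0, 5); next }
    tolower($0) ~ /^userpassword:/            { has_pw = 1; next }
    tolower($0) ~ /^objectclass: orcluser$/   { has_ou = 1; next }
    tolower($0) ~ /^objectclass: orcluserv2$/ { has_v2 = 1; next }
    /^$/                                      { flush() }
    END                                       { flush() }
    '
}

# eus_preflight_count: number of entries in the dump that would fail at login
eus_preflight_count() {
    eus_preflight | grep -c '^MISSING' || true
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LDIF" | eus_preflight
```

The attribute-name matching is case-insensitive because LDIF exports are, and the `userpassword:` test also catches the base64 `userPassword::` form. Run it against a fresh export after every bulk import from DIP; a non-zero count from eus_preflight_count is the list of accounts that will get ORA-28274 on every database in the domain.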
