Showing posts with label Active Directory.

Wednesday, October 12, 2011

Oracle DIP filtering

In the course of a major redesign of the AD domains at the site I work for, the question arose how to select only those users that had completely migrated to the consolidated domain.
It was impossible to just wait with moving these accounts into the groups defined as the source for synchronization, as it was equally impossible to delete these accounts from the "old" domains.
All in all, there was to be a fortnight overlap, during which accounts would be 'active' in both domains.

Now, it just proves there's yet another meaning to the word "Single" in Single Sign On server: the scenario described above will cause SSO/WNA to fail.
Which is understandable: upon inspection of the user credentials, two entries are found, and there's no way of telling which should be used (well, actually there is by inspecting the Kerberos ticket, but it is not implemented for good reason).

The Problem

After identifying the SSO/WNA problem, synchronization from the new domain was halted, and the users were removed from OID. However, there were several parties involved that simply could not wait for the consolidation to be completed. Those parties had consolidated into the new environment, and needed SSO/WNA back. Other parties, yet to be migrated, were not eager to lose their SSO/WNA for at least two weeks.

So: catch-22, rock-and-hard-place, etc...

Working towards the solution


First of all, I implemented separate synchronization profiles for users and groups. There are two blog entries: one on user synchronization, and another one on group synchronization.

Then, the filtering needed to be adapted to allow a simple alteration of the contents of a field to signal completion. Now, I knew about filtering on the basis of the existence of object classes, but not really on the contents of an attribute. Given some examples in the documentation, it should be possible.
After some testing, I came up with:

(|(&(objectclass=user)(description=*oracle*))(isDeleted=TRUE))

This allows for Descriptions in Active Directory like "User has been granted access to Oracle", or just simply "oracle" - as long as there's the word "oracle" somewhere in the description.

Of course, you may want to use another attribute.
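To see what that filter actually selects, here is an added Python example (mine, not the post's or Oracle DIP's code): a minimal evaluator for the filter's &, | and substring components, run over a handful of constructed AD-style entries. Attribute names are lower-cased because LDAP attribute matching is case-insensitive; the entries and DNs are made up for the example.

```python
import re
# The DIP filter from the post: users marked "oracle" in their description, plus tombstones
SYNC_FILTER = "(|(&(objectclass=user)(description=*oracle*))(isDeleted=TRUE))"

def parse_filter(s, i=0):
    """Parse a minimal RFC 4515 filter (&, |, equality, substring) into a tree."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr name -> list of values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, pattern = node
    values = entry.get(attr, [])
    # '*' is the wildcard; AD compares description/objectClass case-insensitively
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

# Constructed sample entries (attribute names lower-cased, as the parser does)
ENTRIES = {
    "cn=jdoe,ou=Users,dc=home,dc=local":
        {"objectclass": ["top", "person", "user"],
         "description": ["User has been granted access to Oracle"]},
    "cn=asmith,ou=Users,dc=home,dc=local":
        {"objectclass": ["top", "person", "user"], "description": ["Helpdesk"]},
    "cn=bjones,ou=Users,dc=home,dc=local":
        {"objectclass": ["top", "person", "user"]},          # not yet marked
    "cn=admins,ou=Groups,dc=home,dc=local":
        {"objectclass": ["top", "group"], "description": ["oracle admins"]},
    "cn=obsolete,cn=Deleted Objects,dc=home,dc=local":
        {"objectclass": ["top", "person", "user"], "isdeleted": ["TRUE"]},
}

def select_for_sync(entries, filter_str=SYNC_FILTER):
    """Return the DNs the synchronization profile would pick up, sorted."""
    tree, _ = parse_filter(filter_str)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))
```

Only jdoe (a user with "oracle" in the description) and the tombstone are selected; the group with "oracle" in its description is not, because it is not of object class user.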

Wednesday, September 15, 2010

Wall-to-wall SSO and EUS

After introducing Kerberos, and getting SSO to the database working, it's time for some excitement: combine Single Sign On (SSO) with Enterprise User Security (EUS).
Sure, I blogged about Enterprise Security a long time ago (See the "Enterprise Security" entries of 2005), but there I used certificates; in fact another identity.
In this entry, some of the 2005 stuff returns, but parts will differ.

The latest and the greatest.

For those of you who wonder why I bother to blog about this "ancient" version, read the statement of direction on SSO server (note 979951.1 on MOS). Basically, when you use Portal, Forms or Discoverer, you need OSSO 10GR3 (even with Forms 11G).
It's not that ancient when it will be around for some time...

Goal.

What I want is the same as in the previous entry on SSO, but I do not wish to create users: I want to use EUS instead.

Preparations.

In addition to what's already in place, I need a complete SSO infrastructure.
The brave may want to do the Enterprise-sized setup; for now I'll just go with the "all-in-one" Identity Management install. I even patched it to 10.1.4.3.

Steps

In order to achieve all this, I would need to:
  1. Set up synchronization between Active Directory and OID
  2. Set up Enterprise Security in the database(s)
  3. Set up a trusted relation between OSSO Application Server and AD
  4. As a bonus: try to persuade Forms menu security to use EUS
I will blog about these - stay tuned...

Thursday, December 06, 2007

How to setup WNA with Oracle

Just a short note on how to set up Windows Native Authentication (WNA) with Oracle Internet Directory (OID), V10.1.2.2 (patched 10G Rel 2).
Of course, it requires that your setup is done, that is, OID is in place, it synchronises with Active Directory (from AD to OID at a minimum, or two-way), and the external authentication plugin works. Maybe I will publish on those steps and update this entry with the links. (I did, I did! See this entry on OID AD sync in 10.1.4)
  1. Create an account in Active Directory for your Single Sign On server. The account is the short name, i.e. login.home.local should be created in AD as login.
  2. Generate a keytab file for this account on the AD machine; take care, the process is highly case-sensitive!

    ktpass -princ HTTP/login.home.local@BORTEL.AD.LOCAL -pass <ad_passwd> -ptype KRB5_NT_PRINCIPAL +desonly -crypto des-cbc-md5 -mapuser login -out login.keytab


    The entry, following the "-princ" flag is uppercase "HTTP/", followed by the fully qualified domain name (FQDN) of your Single Sign On server in lower case, followed by "@YOUR_AD_DOMAIN", where your Active Directory entry should be in uppercase.
  3. Transfer the generated keytab file (in this example, login.keytab) in binary(!) mode to your Single Sign On server. The location is
    $ORACLE_HOME/j2ee/OC4J_SECURITY/config
  4. Create the Kerberos configuration file, krb5.conf. Many Unixes locate the file in /etc. The contents of the file:

    [libdefaults]
    default_realm = BORTEL.AD.LOCAL

    [realms]
    BORTEL.AD.LOCAL = {
    kdc = pdc01.bortel.ad.local:88
    }

    [domain_realm]
    .home.local = BORTEL.AD.LOCAL

    Don't be fooled with the "LOCAL" stuff; default_realm is the Active Directory realm (domain, in Windows terminology), the realms entry tells how your AD server is called, and on what port it listens - port 88 is the default for Kerberos.
    The last line is very important: it explains the mapping between your default OID context and AD - mind the leading dot. The login account, created in step 1 is login@BORTEL.AD.LOCAL, so users can be found 'under' BORTEL.AD.LOCAL. Similar for OID: the corresponding entries for other users can be found in OID under dc=home, dc=local.
    Your setup will differ: your AD domain probably has an internal domain name, whereas your OID probably uses "company_name.com".
  5. Check time on AD and SSO servers; time should be (almost) the same!
  6. Test your Kerberos config:

    kinit -k -t $ORACLE_HOME/j2ee/OC4J_SECURITY/config/login.keytab HTTP/login.home.local

    It should not respond with anything, just give back the cursor.

    I did get the following error, though:

    kinit: KRB5 error code 52 while getting initial credentials
    The solution is listed in Microsoft KB832572, and is simply setting the 'Do not require Kerberos preauthentication' option with AD for the 'login' account. It's located under Account options on the Account details tab - last entry (you will need to scroll down in the option).
  7. Make a copy of the configuration files for safekeeping:
    cp $ORACLE_HOME/sso/conf/policy.properties $ORACLE_HOME/sso/conf/policy.properties.org
    cp $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml.org
    cp $ORACLE_HOME/opmn/conf/opmn.xml $ORACLE_HOME/opmn/conf/opmn.xml.org
    cp $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml.org
    cp $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml.org
    cp $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml.org
  8. Run the ssoca shell:
    cd $ORACLE_HOME/sso/bin
    ./ssoca
    [snip]
    Usage5: To configure the Single Sign-On server to enable Windows Native Authentication, do:
    java -jar ossoca.jar wna -mode sso -oh -ad_realm -kdc_host_port -keytab -ssohost -oid -verbose
    where:
    oh = Oracle Home Path, AD_realm = Active Directory Realm Name, kdc = Kerberos KDC in the format "hostname:port", keytab = path of the keytab file that you created for the SSO server, sso_host = SSO server hostname with domain, oid_server = OID server in the format "ldap://oid.acme.com:389"

    The actual command will become:
    ./ssoca wna -mode sso -oh $ORACLE_HOME \
    -ad_realm BORTEL.AD.LOCAL -kdc_host_port pdc01.bortel.ad.local:88 \
    -keytab $ORACLE_HOME/j2ee/OC4J_SECURITY/config/login.keytab \
    -verbose

  9. Test your WNA - you should now be able to go to the OIDDAS pages without being asked to login.
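Two of the pitfalls above (the case-sensitive principal in step 2 and the domain_realm mapping in step 4) are easy to check before touching the server. The following is an added Python example of mine, not from the post or from Oracle's tooling: a small one-level krb5.conf parser plus a consistency check of a keytab principal against it, using the krb5.conf from the post as embedded sample input.

```python
import re
KRB5_CONF = """\
[libdefaults]
default_realm = BORTEL.AD.LOCAL
[realms]
BORTEL.AD.LOCAL = {
kdc = pdc01.bortel.ad.local:88
}
[domain_realm]
.home.local = BORTEL.AD.LOCAL
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value, one level of REALM = { } blocks."""
    conf, section, block = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("["):                       # [section]
            section = conf.setdefault(line.strip("[]"), {})
        elif line == "}":                              # end of a realm block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                           # REALM = {
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

PRINCIPAL_RE = re.compile(r"^(?P<svc>[^/]+)/(?P<host>[^@]+)@(?P<realm>.+)$")

def check_wna_principal(principal, conf):
    """Return the problems found; an empty list means principal and krb5.conf agree."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return ["principal must look like HTTP/sso.host.fqdn@AD.REALM"]
    svc, host, realm = m.group("svc", "host", "realm")
    problems = []
    if svc != "HTTP":
        problems.append("service part must be upper-case 'HTTP'")
    if host != host.lower() or "." not in host:
        problems.append("host part must be the lower-case FQDN of the SSO server")
    if realm != realm.upper():
        problems.append("realm must be upper-case")
    if realm not in conf.get("realms", {}):
        problems.append("no [realms] entry (KDC) for %s" % realm)
    # The SSO host's DNS domain, with its leading dot, must map onto the AD realm.
    domain = "." + host.partition(".")[2]
    if conf.get("domain_realm", {}).get(domain) != realm:
        problems.append("[domain_realm] does not map %s to %s" % (domain, realm))
    return problems
```

The check only models the leading-dot domain mapping the post describes; a real MIT Kerberos library also tries parent domains and exact host matches. Time skew (step 5) still has to be checked on the hosts themselves.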

Wednesday, December 05, 2007

How to log on as orcladmin with WNA?

Finally I have WNA working, but now there is another "problem": how can I log in as orcladmin (or any other user, for that matter)? Because every time I switch to anything administrative on my oiddas page, Windows Native Authentication kicks in, and presents me with less privileged pages.

The only workaround I have found so far, is to disable WNA for the time being.
In IE, it is located in the Advanced Options (Enable Integrated Windows Authentication, under Security); under Firefox, you would have to remove the Single Sign On server from network.negotiate-auth.trusted-uris in about:config.

If anyone has another solution, please comment!

Wednesday, September 12, 2007

ldapbindssl

Trying to get password synchronisation from Active Directory to Oracle Internet Directory (OID) to work. The password filter is a bit hard to find ("CD 1 of the Application Server"); actually it is in the utils directory of this download.
Looks great, up to the part where I try ldapbindssl.
The first attempt resulted in

D:\>ldapbindssl -h idmhost -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Ldap bindERROR
System Error Code: 997
LDAP Error Code: 52
Error Message: Server Unavailable

I realized, idmhost was not enough, and changed that to the fully qualified name. This changed the error codes returned:

D:\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Ldap bindERROR
System Error Code: 1396
LDAP Error Code: 52
Error Message: Server Unavailable

Not very helpful at all. Searching the internet resulted in just one reference.

However, the System Error Codes are actually Microsoft error codes. So, the 1396 error actually means
ERROR_WRONG_TARGET_NAME (Logon Failure: The target account name is incorrect.)

And - there is a note on that one (and a bug...): Metalink note 430907.1.

Unfortunately, the note just explains that you made a mistake in the Subject of your certificate; there is no example of how it should look. Created a new certificate (self-signed) with the subject cn=idmhost.home.local. Imported that, but now the error is:

D:\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Ldap bindERROR
System Error Code: 1790
LDAP Error Code: 52

And error 1790 means ERROR_TRUST_FAILURE (Network logon failed)

Still have to figure that one out...
Edit: Apparently, someone picked this up - just read the note again, and it now says:
For Example, if the OID server hostname is "oid.oracle.com" then the SUBJECT attribute of the server certificate must also be "oid.oracle.com".
Edit: Managed to get things working, this is the condensed how-to:
On the OID server:
- Create the wallet:

orapki wallet create -wallet ./ -auto_login

- Add the request:

orapki wallet add -wallet ./ -dn "cn=idmhost.home.local" -keysize 1024

- you can now export the request, and have it sent to a CA:

orapki wallet export -wallet ./ -dn "cn=idmhost.home.local" -request ./idmhost.req

- or, simply sign the request:

orapki wallet add -wallet ./ -dn "cn=idmhost.home.local" -keysize 1024 -self_signed -validity 3650

- Now, export the self-signed certificate:

orapki wallet export -wallet ./ -dn "cn=idmhost.home.local" -cert ./idmhost.cert


Get this certificate over to the MS Windows machine (I used cut-n-paste, and saved in a cer-file), and use the certificate wizard (click on the .cer file).
After that, the test went OK:

D:\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Bind Successful