Enterprise User Security: Step by Step
I want to set OUD up in the way I've done it with OID 10.1.4.3:
- Use a shared schema in every database
- Map this shared schema within the security domain in OUD
- Create enterprise users in OUD
- Use a group in OUD to assign the enterprise roles to
- Assign Enterprise Users (defined in OUD) to these groups
Planning
Implementing Enterprise User Security involves the following steps:
1. Make the database known to your Directory Service and allow it to communicate with the Directory Server.
2. Create a general account in the database that will serve as a catch-all for the Enterprise Users.
3. Create Enterprise Roles in each database instance, and grant database roles to these Enterprise Roles.
4. On the Directory Server, create (a) group(s), and possibly users (you may want to consider using your main login, which will be MS Active Directory [MSAD] in many cases; OVD and DIP come into play here).
5. Create a search path in the Directory Server to indicate where to find valid accounts.
6. On the Directory Server, create the Enterprise Roles.
7. Map the database-specific Enterprise Roles onto the Directory Roles.
8. Map the group(s) to the database-specific general account.
Steps 4 and 6 are executed only once. If you have DIP in place, all you have to do is add an account to the group to allow that account to use ALL database instances!
Step 1: database and directory server.
Actually, by registering the database the way I did, I completed step 1. You may verify this entry using the command line version of the Enterprise User Security Manager, EUSM, like this:
[oracle@idm1 ~]$ eusm listdomaininfo domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
DOMAIN INFOMATION FOR DOMAIN: OracleDefaultDomain
-------------------------------------------------
Current user DB links status: DISABLED
Allowed user authentication methods: ALL
LIST OF DATABASES
-----------------
idm1
Steps 2 and 3: The general account and Enterprise Roles
-- catch-all schema: enterprise users mapped to it in the directory share this one account
create user global_schema identified globally as '';
-- enterprise (global) roles: the database grants them only through the directory mapping, never locally
create role er_connect identified globally;
grant connect to er_connect;
create role er_resource identified globally;
grant resource to er_resource;
create role er_dba identified globally;
grant dba to er_dba;
Step 4: Create User and Group on Directory Server
First of all, start weblogic to access the Oracle Directory Server Manager (ODSM):
[oracle@oud ~]$ /oracle/user_projects/domains/OUD_domain/bin/startWebLogic.sh
Log in to ODSM and create user "frank" and group "EnterpriseDBA", and make frank a member of this group. The steps in ODSM:
- Create user
- Basic info; last name is obligatory!
- Oracle EUS needs the orcluser and orclUserV2 object classes. Add them!
- Add group. Not sure about the difference between Static, Dynamic or Virtual; static it is.
- Name it
- Add "frank" as member (press the plus sign)
- Browse through, and select "frank"
- Done!
Step 5: Directory Server: create account search path
I will use the EUSM command line:
[oracle@idm1 ~]$ eusm createmapping domain_name="OracleDefaultDomain" map_type="SUBTREE" map_dn="cn=Users,dc=home,dc=local" schema="global_schema" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
And verify:
[oracle@idm1 ~]$ eusm listmappings domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
LIST OF DATABASE SCHEMA MAPPINGS::
------------------------------------
Mapping Name: MAPPING0
Mapping Type: SUBTREE
Mapping DN: cn=Users,dc=home,dc=local
Mapping schema:global_schema
Mapping Level :DOMAIN
It is also visible in ODSM.
Step 6: Directory Server: create Enterprise Roles
Now, create the Enterprise Roles in the Directory Server, again using the command line interface (CLI):
[oracle@idm1 ~]$ eusm createRole enterprise_role="OUD_DBA" domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm createRole enterprise_role="OUD_Connect" domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm createRole enterprise_role="OUD_Resource" domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
Again, you can use eusm to verify the action (as the command itself gives no feedback...):
[oracle@idm1 ~]$ eusm listenterpriseroles domain_name="OracleDefaultDomain" \
> realm_dn="dc=home,dc=local" ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
LIST OF ENTERPRISE ROLES IN DOMAIN: OracleDefaultDomain
-------------------------------------------------
OUD_Connect
OUD_DBA
OUD_Resource
This, too, can be seen in ODSM.
Step 7: Map Enterprise Roles (database to directory)
Make sure you use "sys as sysdba" for dbuser, and the SID (not the service name) in dbconnect_string:
[oracle@idm1 ~]$ eusm addglobalrole enterprise_role="OUD_Resource" \
> domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> Database_name="idm1" global_role="er_resource" dbuser="sys as sysdba" \
> dbuser_password="manager" dbconnect_string="idm1.home.local:1521:idm1" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm addglobalrole enterprise_role="OUD_DBA" \
> domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> Database_name="idm1" global_role="er_dba" dbuser="sys as sysdba" \
> dbuser_password="manager" dbconnect_string="idm1.home.local:1521:idm1" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
[oracle@idm1 ~]$ eusm addglobalrole enterprise_role="OUD_connect" \
> domain_name="OracleDefaultDomain" realm_dn="dc=home,dc=local" \
> Database_name="idm1" global_role="er_connect" dbuser="sys as sysdba" \
> dbuser_password="manager" dbconnect_string="idm1.home.local:1521:idm1" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
Step 8: Grant the Directory Enterprise Roles to the group
[oracle@idm1 ~]$ eusm grantrole enterprise_role="OUD_DBA" domain_name="OracleDefaultDomain" \
> realm_dn="dc=home,dc=local" group_dn="cn=EnterpriseDBA,cn=Groups,dc=home,dc=local" \
> ldap_host=oud.home.local ldap_port=1389 \
> ldap_user_dn="cn=Directory Manager" ldap_user_password="Welcome1"
Eating the pudding
One snag I did not document earlier: you need to fill in the optional(!) attribute userpassword for your user. If you don't, you will run into this:
[oracle@idm1 ~]$ sqlplus frank/DemoOud1@idm1
SQL*Plus: Release 11.2.0.3.0 Production on Fri Jun 14 13:10:56 2013
Copyright (c) 1982, 2011, Oracle. All rights reserved.
ERROR:
ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
After rectifying this issue, I got enterprise security:
[oracle@idm1 ~]$ sqlplus frank/DemoOud1@idm1
SQL*Plus: Release 11.2.0.3.0 Production on Fri Jun 14 13:11:13 2013
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning option
SQL> select * from session_roles;
ROLE
------------------------------
ER_DBA
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
EXECUTE_CATALOG_ROLE
HS_ADMIN_EXECUTE_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
SCHEDULER_ADMIN
WM_ADMIN_ROLE
JAVA_ADMIN
JAVA_DEPLOY
XDBADMIN
XDB_SET_INVOKER
18 rows selected.
SQL>
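As an added example (not from the original post), a small Python check that reads an ldapsearch-style LDIF export and flags the prerequisites from step 4 and from the snag above before anyone tries sqlplus: the orcluser and orclUserV2 object classes, a userPassword value, and membership of the EnterpriseDBA group. The user DN shape, the group's object class (groupOfUniqueNames) and the sample entries are assumptions.

```python
# EUS prerequisite check over an LDIF export (added example, not from the original post).
# Constructed sample: DN shapes, the group's object class and all values are assumptions.
SAMPLE_LDIF = """\
dn: cn=frank,cn=Users,dc=home,dc=local
objectClass: inetOrgPerson
objectClass: orcluser
objectClass: orclUserV2
cn: frank
sn: Example

dn: cn=EnterpriseDBA,cn=Groups,dc=home,dc=local
objectClass: groupOfUniqueNames
cn: EnterpriseDBA
uniqueMember: cn=frank,cn=Users,dc=home,dc=local
"""

REQUIRED_CLASSES = {"orcluser", "orcluserv2"}   # object classes EUS needs (compared lower-cased)
MEMBER_ATTRS = ("member", "uniquemember")       # static-group membership attributes
def parse_ldif(text):
    """Parse LDIF into {dn: {attr_lower: [values]}}."""
    entries, current = {}, None
    for line in text.replace("\n ", "").splitlines():   # unfold continuation lines first
        if not line.strip():
            current = None                  # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        value = value.lstrip(": ").rstrip()  # also covers '::' (base64) values; kept undecoded
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def eus_prereq_findings(entries, user_dn, group_dn):
    """Return findings for one user; an empty list means the entry is ready for an EUS login."""
    user = entries.get(user_dn)
    if user is None:
        return ["user entry %s not found" % user_dn]
    findings = []
    classes = {c.lower() for c in user.get("objectclass", [])}
    for missing in sorted(REQUIRED_CLASSES - classes):
        findings.append("missing object class " + missing)
    if not user.get("userpassword"):    # the snag from the post: ORA-28274 at login
        findings.append("no userPassword: login would fail with ORA-28274")
    members = {m.lower() for a in MEMBER_ATTRS for m in entries.get(group_dn, {}).get(a, [])}
    if user_dn.lower() not in members:
        findings.append("not a member of %s: no enterprise role will be granted" % group_dn)
    return findings
```

Run it over the output of an ldapsearch for the user and group entries; an empty findings list means the user should get past ORA-28274 and pick up the group's enterprise role.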