Enterprise User Security -

Enterprise User Security (EUS) uses directory services to let you centrally manage database users and role memberships in an LDAP directory. EUS reduces administration cost, increases security, and improves compliance through centralized database user account management, centralized provisioning and de-provisioning of database users, centralized password management with self-service password reset, and centralized management of authorizations using global database roles.
EUS Setup -

1. Log in to ODSM and click on the Adapters tab. Click the "Configure adapters for Enterprise User Security (EUS)" icon. Provide the connection details of AD and the mapping base, and the adapter is created.

2. Open a command prompt, navigate to $Middleware_Home/Oracle_IDM1/ovd/eus and run the command below to extend the AD schema:

   java extendAD -h <AD_Host_Name> -p 389 -D <AD_Administrator_DN> -w <AD_Administrator_Password> -AD <root_context> -commonattr

   This adds the orclCommonAttribute attribute, which holds the hashed password used to authenticate the AD user to the database.

3. Log in to the AD machine and copy oidpwdcn.dll from $ORACLE_HOME/ovd/eus/win/oidpwdcn.dll (for 64-bit, use $ORACLE_HOME/ovd/eus/win64/oidpwdcn.dll) to C:\Windows\system32 on all AD machines.

4. Run regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Double-click Notification Packages in the right pane and add oidpwdcn to the list. Click OK, close regedit and restart the servers. Because the DLL is a password-change notification package, the hash is only populated for passwords set or changed after it is active.

5. Log in to the DB machine (the one to be configured for EUS) and run netca. From the options select "Directory usage configuration". On the next window provide the OVD hostname and port. This creates an ldap.ora file in $ORACLE_HOME/network/admin with the OVD connection details.

6. Run DBCA and select "Configure database options". Select the "Register the database" option and provide the OVD admin credentials. Leave it on "Dedicated server mode" and click Finish.

7. Shut down the database and, before starting it again, make sure ORACLE_BASE is set. The cwallet.sso file should be present in the {ORACLE_BASE}/admin/{Oracle_SID}/wallet folder.

8. Create a role and a user identified globally, then grant connect to both:

   CREATE ROLE AD_SESSION IDENTIFIED GLOBALLY;
   CREATE USER global_schema IDENTIFIED GLOBALLY;
   GRANT CONNECT TO AD_SESSION;
   GRANT CONNECT TO global_schema;

9. Start the EM console by running 'emctl start dbconsole'. Log in as a DBA and click on Server. Click on Enterprise User Security and log in with the OVD admin credentials.

10. Click on Manage Enterprise Domains > Configure > User-Schema Mappings > Create.

11. Select Subtree and search for the root context from OVD under which all the users are present.

12. Enter global_schema (created above) as the schema and click Continue.

The steps are done. Now create a user in AD and try to log in to the DB with the created user's credentials.
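As an added verification aid (not part of the original post), the Python helpers below check the artifacts the steps above should leave behind: they parse the ldap.ora that netca writes in step 5, confirm the cwallet.sso location required in step 7, and check that oidpwdcn appears in the Notification Packages value edited in step 4. The sample ldap.ora content, hostname and base DN are constructed placeholders; the parameter names (DIRECTORY_SERVERS, DEFAULT_ADMIN_CONTEXT, DIRECTORY_SERVER_TYPE) are the standard ldap.ora layout, and the check functions return findings rather than reading a live system so they can run anywhere.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of what netca writes to $ORACLE_HOME/network/admin/ldap.ora;
# the hostname and base DN are placeholders, not from a real deployment.
SAMPLE_LDAP_ORA = """
# ldap.ora generated by netca
DIRECTORY_SERVERS= (ovd.example.com:389:636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""

# Name of the password filter registered in step 4 (oidpwdcn.dll).
REQUIRED_PACKAGE = "oidpwdcn"


@dataclass
class LdapOra:
    servers: List[Tuple[str, int, Optional[int]]]  # (host, port, ssl_port)
    admin_context: str
    server_type: str


def parse_ldap_ora(text: str) -> LdapOra:
    """Parse the three parameters netca writes; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key.upper()] = value.strip('"')
    servers = []
    # DIRECTORY_SERVERS looks like (host:port:ssl_port); the SSL port is optional.
    for m in re.finditer(r"([\w.-]+):(\d+)(?::(\d+))?", params.get("DIRECTORY_SERVERS", "")):
        host, port, ssl_port = m.groups()
        servers.append((host, int(port), int(ssl_port) if ssl_port else None))
    return LdapOra(servers,
                   params.get("DEFAULT_ADMIN_CONTEXT", ""),
                   params.get("DIRECTORY_SERVER_TYPE", ""))


def check_ldap_ora(cfg: LdapOra) -> List[str]:
    """Return findings; an empty list means the file looks usable for EUS."""
    findings = []
    if not cfg.servers:
        findings.append("no DIRECTORY_SERVERS: netca 'Directory usage configuration' did not complete")
    if cfg.server_type.upper() != "OID":
        findings.append(f"DIRECTORY_SERVER_TYPE is {cfg.server_type!r}; EUS via OVD registers the directory as type OID")
    if not cfg.admin_context:
        findings.append("DEFAULT_ADMIN_CONTEXT is empty; DBCA registration needs the realm base DN")
    for host, port, ssl_port in cfg.servers:
        if ssl_port is None:
            findings.append(f"{host}:{port} lists no SSL port; database-to-directory LDAP traffic would be unencrypted")
    return findings


def wallet_path(oracle_base: str, oracle_sid: str) -> str:
    """Where step 7 expects the auto-login wallet the database uses to bind to OVD."""
    return os.path.join(oracle_base, "admin", oracle_sid, "wallet", "cwallet.sso")


def check_wallet(oracle_base: str, oracle_sid: str, exists=os.path.isfile) -> List[str]:
    """'exists' is injectable so the check can be exercised without a real ORACLE_BASE."""
    path = wallet_path(oracle_base, oracle_sid)
    if exists(path):
        return []
    return [f"{path} not found; set ORACLE_BASE before restarting the database"]


def check_notification_packages(value: str) -> List[str]:
    """value: the entries of the Lsa\\Notification Packages REG_MULTI_SZ value,
    separated by NUL (as read from the registry) or newlines (as pasted from regedit)."""
    packages = {p.strip().lower() for p in re.split(r"[\x00\r\n]+", value) if p.strip()}
    if REQUIRED_PACKAGE in packages:
        return []
    return [f"{REQUIRED_PACKAGE} is not in Notification Packages; AD password hashes will not be synchronized"]


if __name__ == "__main__":
    cfg = parse_ldap_ora(SAMPLE_LDAP_ORA)
    report = check_ldap_ora(cfg)
    # Constructed registry value: the two default packages plus the EUS filter.
    report += check_notification_packages("rassfm\x00scecli\x00oidpwdcn")
    # Placeholder ORACLE_BASE/SID; reports missing unless run on the configured DB host.
    report += check_wallet("/u01/app/oracle", "ORCL")
    print("\n".join(report) or "all EUS post-setup checks passed")
```

Run it on the database host with the real ORACLE_BASE and SID, and feed the registry value exported from the domain controller; any finding points at the step above that needs revisiting.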
Comments -

Comment (quoting step 1): "1. Login to ODSM and click on the Adapters tab. Click the Configure adapters for Enterprise User Security (EUS) icon. Provide the connection details of OVD and the mapping base and adapter is created."
Maybe here we need to provide AD details?

Reply from the author: Sorry Philipp. It was my mistake; the connection details have to be those of AD at that point. I have corrected the mistake. Thanks for pointing it out.

Comment (quoting step 5): "5. Login to DB machine (which has to be configured for EUS) and run netca. From the options select "Directory usage configuration". On the next window provide OVD hostname and port."
This step doesn't work unless you have extended the AD schema.

Comment: For an unknown reason netca can't connect to OVD, and OVD reports a bad certificate in its log. I wonder where I can find more detailed info about that topic?