Re: Anyone configured Active Directory Auth to Oracle 11g?
Date: Fri, 28 Oct 2011 17:53:35 +0300
Message-ID: <CADFytLiL0yCq4n8zgZm8Ssw63S6w6WTiiegP2o_RC8VS-MtAOA_at_mail.gmail.com>
Hi,
To enable Oracle Internet Directory (OID) server to authorize SYSDBA and SYSOPER connections:
- Configure the administrative user by using the same procedures you would use to configure a typical user.
- In OID, grant the SYSDBA or SYSOPER enterprise role to the user for the database the user will administer.
- Set the LDAP_DIRECTORY_SYSAUTH initialization parameter to YES. When set to YES, the LDAP_DIRECTORY_SYSAUTH parameter enables SYSDBA and SYSOPER users to authenticate to the database by a strong authentication method.
- Ensure that the LDAP_DIRECTORY_ACCESS initialization parameter is not set to NONE. The possible values are PASSWORD or SSL.
- Later, the administrative user can log in by including the net service name in the CONNECT statement.
Regards.
Guenadi Jilevski
On Fri, Oct 28, 2011 at 5:39 PM, Taylor, Chris David <ChrisDavid.Taylor_at_ingrambarge.com> wrote:
> David,
>
> Thank you, that is very helpful.
>
> Chris Taylor
> Sr. Oracle DBA
> Ingram Barge Company
> Nashville, TN 37205
>
> "Quality is never an accident; it is always the result of intelligent
> effort."
> -- John Ruskin (English Writer 1819-1900)
>
> -----Original Message-----
> From: David Robillard [mailto:david.robillard_at_gmail.com]
> Sent: Friday, October 28, 2011 9:35 AM
> To: Taylor, Chris David
> Cc: oracle-l mailing list
> Subject: Re: Anyone configured Active Directory Auth to Oracle 11g?
>
> Hello Chris,
>
> > According to 11g docs, you can do the below but I'm obviously missing something since I don't know much about AD:
>
> I'm not 100 % sure, but I think you need Oracle Internet Directory
> (OID) for this to work. I don't think you can use any LDAP server for this,
> but you should double check with Oracle Support. BTW, there is a very
> detailed how to on enterprise user authentication in David C.
> Knox's book < Effective Oracle Database 10g Security by Design > [1].
> The book is on 10g, but I think the theory and setup are very similar in
> 11g.
>
> I do know that you can use any Kerberos infrastructure for user
> authentication to the database. So you can use your Active Directory
> Kerberos to authenticate users to your 11g database. But to do this, you
> need the Oracle Advanced Security Option (OASO). See [2] for more info on
> Kerberos authentication and [3] to help manage the AD Kerberos from a Linux
> machine.
>
> > What is O=oracle, and C=US? The CN and OU I understand I think it's fairly easy to find the AD toolkit...
> >
> > Anyone mind helping me out?
>
> Those are LDAP attributes. O stands for Organization and C stands for
> Country. But you might not have them in your company's LDAP tree. If you
> plan on working with LDAP systems, do yourself a favor and grab a copy of
> Gerald Carter's book < LDAP System Administration > [4].
> Granted that it's a little old and it focuses on OpenLDAP, but the LDAP
> theory is explained very clearly. It did help me understand LDAP a lot more
> and then configure various LDAP servers (i.e. AD, OpenLDAP and Oracle
> Internet Directory).
>
> HTH,
>
> David
>
> [1]
> http://www.amazon.com/exec/obidos/tg/detail/-/0072231300/qid=1106156504/sr=8-1/ref=pd_csp_1/103-7294785-2887052?v=glance&s=books&n=507846
> [2]
> http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asokerb.htm#ASOAG060
> [3] http://fuhm.net/software/msktutil/
> [4] http://shop.oreilly.com/product/9781565924918.do
> --
> David Robillard
> http://www.linkedin.com/in/davidrobillard
> http://itdavid.blogspot.com/
>
> > Thanks,
> >
> >
> > Chris Taylor
> > Sr. Oracle DBA
> > Ingram Barge Company
> > Nashville, TN 37205
> > Office: 615-517-3355
> > Cell: 615-663-1673
> > Email: chris.taylor_at_ingrambarge.com
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>
--
http://www.freelists.org/webpage/oracle-l
Received on Fri Oct 28 2011 - 09:53:35 CDT
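The parameter steps listed in the reply at the top of this thread, as an added SQL*Plus example that is not part of any message in the thread or of Oracle's documentation. The user name `dba_user` and net service name `orcl_svc` are placeholders, and treating LDAP_DIRECTORY_SYSAUTH as a static parameter (spfile change plus restart) is an assumption to confirm in the Reference for your release.

```sql
-- Added example. Run in SQL*Plus as a user who can read V$PARAMETER
-- and issue ALTER SYSTEM.

-- 1. Audit the current state of the two parameters named in the steps.
--    SYSAUTH = YES only works when the database can reach the directory,
--    i.e. LDAP_DIRECTORY_ACCESS is PASSWORD or SSL rather than NONE.
WITH p AS (
  SELECT MAX(CASE WHEN name = 'ldap_directory_sysauth'
                  THEN UPPER(value) END) AS sysauth,
         MAX(CASE WHEN name = 'ldap_directory_access'
                  THEN UPPER(value) END) AS dir_access
  FROM   v$parameter
  WHERE  name IN ('ldap_directory_sysauth', 'ldap_directory_access')
)
SELECT sysauth,
       dir_access,
       CASE
         WHEN sysauth = 'YES' AND dir_access IN ('PASSWORD', 'SSL')
           THEN 'ENABLED: directory roles can authorize SYSDBA/SYSOPER'
         WHEN sysauth = 'YES'
           THEN 'INCONSISTENT: SYSAUTH=YES but directory access is NONE'
         ELSE 'DISABLED: SYSDBA/SYSOPER are not authorized by the directory'
       END AS finding
FROM   p;

-- 2. Directory access must not be NONE; PASSWORD and SSL are the two
--    values the message lists.
ALTER SYSTEM SET ldap_directory_access = 'PASSWORD' SCOPE = BOTH;

-- 3. Turn on directory authorization for administrative connections.
--    Assumption: static parameter, so write it to the spfile and restart.
ALTER SYSTEM SET ldap_directory_sysauth = 'YES' SCOPE = SPFILE;
SHUTDOWN IMMEDIATE
STARTUP

-- 4. Re-run the audit query from step 1; the finding should read ENABLED.

-- 5. The administrative user then connects through the listener by
--    naming the net service (placeholder names), and is prompted for
--    the directory password.
CONNECT dba_user@orcl_svc AS SYSDBA
```

Running the step 1 query on its own is also a quick way to inventory which databases let directory role grants confer SYSDBA or SYSOPER.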