Re: Anyone configured Active Directory Auth to Oracle 11g?

From: Guenadi Jilevski <gjilevski_at_gmail.com>
Date: Fri, 28 Oct 2011 17:53:35 +0300
Message-ID: <CADFytLiL0yCq4n8zgZm8Ssw63S6w6WTiiegP2o_RC8VS-MtAOA_at_mail.gmail.com>
Hi,
To enable Oracle Internet Directory (OID) server to authorize SYSDBA and SYSOPER connections:
  1. Configure the administrative user by using the same procedures you would use to configure a typical user.
  2. In OID, grant the SYSDBA or SYSOPER enterprise role to the user for the database the user will administer.
  3. Set the LDAP_DIRECTORY_SYSAUTH initialization parameter to YES. When set to YES, the LDAP_DIRECTORY_SYSAUTH parameter enables SYSDBA and SYSOPER users to authenticate to the database by a strong authentication method.
  4. Ensure that the LDAP_DIRECTORY_ACCESS initialization parameter is not set to NONE. The possible values are PASSWORD or SSL.
  5. Later, the administrative user can log in by including the net service name in the CONNECT statement.

Regards.

Guenadi Jilevski
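
A check for steps 3 and 4 above, added here as an example and not part of any of the posts in this thread: it reads the two initialization parameters from V$PARAMETER and flags the combinations that leave directory-based SYSDBA/SYSOPER authentication disabled. It assumes SQL*Plus, a privileged session, and that the instance runs from an SPFILE (the remediation statements at the end use SCOPE=SPFILE, so a restart is needed before they take effect).

```sql
-- Added example, not from the original posts.
-- Report LDAP_DIRECTORY_SYSAUTH and LDAP_DIRECTORY_ACCESS and explain
-- which step of the procedure is still missing for each value.
SET LINESIZE 120
COLUMN name   FORMAT A25
COLUMN value  FORMAT A10
COLUMN status FORMAT A70

SELECT p.name,
       NVL(p.value, '(null)') AS value,
       CASE
         -- Step 3: SYSDBA/SYSOPER lookups in the directory are off unless YES
         WHEN p.name = 'ldap_directory_sysauth'
              AND NVL(UPPER(p.value), 'NO') <> 'YES'
           THEN 'step 3 missing: directory auth for SYSDBA/SYSOPER is disabled'
         -- Step 4: NONE (or unset) means the database never contacts OID at all
         WHEN p.name = 'ldap_directory_access'
              AND NVL(UPPER(p.value), 'NONE') = 'NONE'
           THEN 'step 4 missing: set to PASSWORD or SSL, otherwise SYSAUTH=YES has no effect'
         ELSE 'ok'
       END AS status
  FROM v$parameter p
 WHERE p.name IN ('ldap_directory_sysauth', 'ldap_directory_access')
 ORDER BY p.name;

-- Remediation for an instance that reports either "missing" line above.
-- LDAP_DIRECTORY_SYSAUTH is static, so both are written to the SPFILE only
-- (assumes an SPFILE is in use) and a restart applies them.
-- ALTER SYSTEM SET ldap_directory_sysauth = YES      SCOPE = SPFILE;
-- ALTER SYSTEM SET ldap_directory_access  = PASSWORD SCOPE = SPFILE;
```

Steps 1 and 2 (the user entry and the enterprise role grant) live in OID, not in the database, so they cannot be verified from V$PARAMETER and must be checked on the directory side.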

On Fri, Oct 28, 2011 at 5:39 PM, Taylor, Chris David <ChrisDavid.Taylor_at_ingrambarge.com> wrote:

> David,
>
> Thank you, that is very helpful.
>
> Chris Taylor
> Sr. Oracle DBA
> Ingram Barge Company
> Nashville, TN 37205
>
> "Quality is never an accident; it is always the result of intelligent
> effort."
> -- John Ruskin (English Writer 1819-1900)
>
> -----Original Message-----
> From: David Robillard [mailto:david.robillard_at_gmail.com]
> Sent: Friday, October 28, 2011 9:35 AM
> To: Taylor, Chris David
> Cc: oracle-l mailing list
> Subject: Re: Anyone configured Active Directory Auth to Oracle 11g?
>
> Hello Chris,
>
> > According to 11g docs, you can do the below but I'm obviously missing
> something since I don't know much about AD:
>
> I'm not 100% sure, but I think you need Oracle Internet Directory
> (OID) for this to work. I don't think you can use any LDAP server for this,
> but you should double check with Oracle Support. BTW, there is a very
> detailed how-to on enterprise user authentication in David C.
> Knox's book "Effective Oracle Database 10g Security by Design" [1].
> The book is on 10g, but I think the theory and setup is very similar in
> 11g.
>
> I do know that you can use any Kerberos infrastructure for user
> authentication to the database. So you can use your Active Directory
> Kerberos to authenticate users to your 11g database. But to do this, you
> need the Oracle Advanced Security Option (OASO). See [2] for more info on
> Kerberos authentication and [3] to help manage the AD Kerberos from a Linux
> machine.
>
> > What is O=oracle, and C=US? The CN and OU I understand I think it's
> fairly easy to find the AD toolkit...
> >
> > Anyone mind helping me out?
>
> Those are LDAP attributes. O stands for Organization and C stands for
> Country. But you might not have them in your company's LDAP tree. If you
> plan on working with LDAP systems, do yourself a favor and grab a copy of
> Gerald Carter's book "LDAP System Administration" [4].
> Granted that it's a little old and it focuses on OpenLDAP, but the LDAP
> theory is explained very clearly. It did help me understand LDAP a lot more
> and then configure various LDAP servers (i.e. AD, OpenLDAP and Oracle
> Internet Directory).
>
> HTH,
>
> David
>
> [1]
> http://www.amazon.com/exec/obidos/tg/detail/-/0072231300/qid=1106156504/sr=8-1/ref=pd_csp_1/103-7294785-2887052?v=glance&s=books&n=507846
> [2]
> http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asokerb.htm#ASOAG060
> [3] http://fuhm.net/software/msktutil/
> [4] http://shop.oreilly.com/product/9781565924918.do
> --
> David Robillard
> http://www.linkedin.com/in/davidrobillard
> http://itdavid.blogspot.com/
>
> > Thanks,
> >
> >
> > Chris Taylor
> > Sr. Oracle DBA
> > Ingram Barge Company
> > Nashville, TN 37205
> > Office: 615-517-3355
> > Cell: 615-663-1673
> > Email:
> > chris.taylor_at_ingrambarge.com<mailto:chris.taylor_at_ingrambarge.com>
>
>
> --
> http://www.freelists.org/webpage/oracle-l

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Oct 28 2011 - 09:53:35 CDT