Oracle® Authentication Services for Operating Systems Administrator's Guide
10g (10.1.4.0.1-OAS4OS)
E12023-01
5 Configuring Active Directory Integration

If you have users in Active Directory, and you want to use the credentials stored in Active Directory for Linux or UNIX authentication, you can configure integration with Active Directory. Setting up integration with Active Directory requires several steps.

This chapter contains the following sections:

  • Section 5.1, "Setting up a Plug-in to Augment Active Directory Entries for Linux Authentication"

  • Section 5.2, "Configuring Oracle Directory Integration Platform"

  • Section 5.3, "Configuring SSL Between Oracle Directory Integration Platform and Active Directory"

  • Section 5.4, "Configuring SSL Between Oracle Directory Integration Platform and Oracle Internet Directory"

  • Section 5.5, "Setting Up the External Authentication Plug-in"

5.1 Setting up a Plug-in to Augment Active Directory Entries for Linux Authentication

User entries in Active Directory do not include key information required for Linux authentication. Therefore, when you synchronize users from Active Directory into Oracle Internet Directory by using the Active Directory connector of Oracle Directory Integration Platform, you must augment those user entries with the required information. To facilitate this, the product includes a PL/SQL plug-in that can be enabled on Oracle Internet Directory.

Enable the plug-in as follows:

  1. Use a text editor to make the following changes to $ORACLE_HOME/ldap/admin/posixattr_when_add.pls:

    • In line 71, replace the value of v_homeDirectory with the desired home directory.

    • In line 72, replace the value of v_loginShell with the desired login shell.

    • In line 73, replace the value of v_gidNumber with the GID number of the users.

  2. Load the plug-in package into the database by typing:

    sqlplus ods/odspwd @$ORACLE_HOME/ldap/admin/posixattr_when_add.pls
    

    where odspwd is the password of the ODS user. Note that a password given on the command line is visible to other users in the process list and is recorded in your shell history; to avoid this, start sqlplus as ods, enter the password at the prompt, and then run the script with @$ORACLE_HOME/ldap/admin/posixattr_when_add.pls from the SQL prompt.

  3. Use a text editor to make the following change in $ORACLE_HOME/ldap/admin/posixattr_when_add.ldif: Replace the value of orclpluginsubscriberdnlist with your realm's DN.

  4. Add the plug-in to Oracle Internet Directory by running the following command:

     ldapadd -h host -p port -D cn=orcladmin -w password \
             -f $ORACLE_HOME/ldap/admin/posixattr_when_add.ldif
    

5.2 Configuring Oracle Directory Integration Platform

Oracle Directory Integration Platform is documented in the Oracle Identity Management Integration Guide. The following procedure refers to that document in several places.

To enable Oracle Directory Integration Platform for Active Directory integration with Oracle Authentication Services for Operating Systems, perform these steps:

  1. Verify the synchronization requirements, as described in "Verifying Synchronization Requirements," under "Configuring Synchronization with a Third-Party Directory," in Chapter 18 of the Oracle Identity Management Integration Guide.

  2. Create a synchronization profile by running dipassistant expressconfig, as described in Step 1 of "Creating Synchronization Profiles with Express Configuration," under "Configuring Synchronization with a Third-Party Directory," in Chapter 18 of the Oracle Identity Management Integration Guide.

  3. Edit the profiles resulting from the express configuration. To understand mapping rules, see: "Configuring Mapping Rules," in Chapter 6 of the Oracle Identity Management Integration Guide.

    Make the following changes:

    1. Change the domain rules to point to the following domain in Oracle Internet Directory: ou=People,dc=us,dc=oracle,dc=com.

    2. Comment out this line:

      userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
      
    3. Uncomment this line

      #sAMAccountName: : :user:uid: :inetorgperson
      
    4. Add this line:

      cn: : :person:gecos: :person:
      

    See the sample synchronization profile in Appendix D. The customizations are shown in boldface.

  4. Continue with Steps 2-5 of "Creating Synchronization Profiles with Express Configuration," under "Configuring Synchronization with a Third-Party Directory," in Chapter 18 of the Oracle Identity Management Integration Guide.
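The following shell script is an added example and is not part of the Oracle guide or of the Oracle Directory Integration Platform tools. It applies the three mapping-rule edits from Step 3 (comment out the userPrincipalName rule, uncomment the sAMAccountName rule, add the cn to gecos rule) to a profile file with sed, and then checks that the result carries exactly one active rule mapping to uid, which is the mistake most easily made when both lines are left active. The sample profile content and the temporary file name are constructed for the demonstration; the real profile produced by dipassistant expressconfig contains many more rules.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): apply the Section 5.2, Step 3
# mapping-rule customizations to a synchronization profile and verify them.

# Apply the edits in place to the profile file given as $1. Idempotent:
# running it twice leaves the file unchanged.
apply_mapping_edits() {
    profile="$1"
    # Step 3.2: comment out the userPrincipalName -> uid rule.
    sed -i.bak 's/^userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName$/#&/' "$profile"
    # Step 3.3: uncomment the sAMAccountName -> uid rule.
    sed -i.bak 's/^#\(sAMAccountName: : :user:uid: :inetorgperson\)$/\1/' "$profile"
    # Step 3.4: add the cn -> gecos rule unless it is already there.
    grep -q '^cn: : :person:gecos: :person:$' "$profile" \
        || printf '%s\n' 'cn: : :person:gecos: :person:' >> "$profile"
    rm -f "$profile.bak"
}

# Return 0 when the profile carries the expected customizations and exactly
# one active (uncommented) rule populates uid.
check_mapping_edits() {
    profile="$1"
    grep -q '^#userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName$' "$profile" || return 1
    grep -q '^sAMAccountName: : :user:uid: :inetorgperson$' "$profile" || return 1
    grep -q '^cn: : :person:gecos: :person:$' "$profile" || return 1
    [ "$(grep -c '^[^#].*:uid:' "$profile")" -eq 1 ] || return 1
    return 0
}

# Write a constructed sample profile (a few rules in the express-config
# layout) to a temporary file and print its path.
make_sample_profile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
userPrincipalName: : :user:uid: :inetorgperson:userPrincipalName
#sAMAccountName: : :user:uid: :inetorgperson
givenName: : :user:givenname: :inetorgperson:
sn: : :person:sn: :person:
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample (temporary file, removed afterwards).
sample=$(make_sample_profile)
apply_mapping_edits "$sample"
if check_mapping_edits "$sample"; then
    echo "profile customizations applied:"
    cat "$sample"
else
    echo "profile customizations incomplete" >&2
fi
rm -f "$sample"
```

To use it on a real profile, call apply_mapping_edits with the path of the profile file written by dipassistant expressconfig and then run check_mapping_edits on the same path before continuing with Step 4; the domain-rule change in Step 3.1 is site specific and is not automated here.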

5.3 Configuring SSL Between Oracle Directory Integration Platform and Active Directory

To secure communications between Oracle Directory Integration Platform and Active Directory using SSL, perform the following steps:

  1. Shut down the Oracle Directory Integration Platform server by executing the following command as the user who installed Oracle Internet Directory:

    oidctl configset=1 connect=db_connect_string instance=1 server=odisrv stop 
    

    where db_connect_string is the backend database connect string that was set during installation of Oracle Internet Directory.

  2. Configure Oracle Directory Integration Platform to use SSL server authentication by executing the following command:

    dipassistant modifyprofile -h oid_host -profile profile_name -p oid_port \
              -D oid_dn odip.profile.condirurl=host:port:2
    

    The value 2 in the URL specifies SSL server authentication.

  3. Export the Active Directory SSL server certificate to a file and import the result into an Oracle Wallet by executing the following commands:

    orapki wallet create -wallet /usr/lib/oracle/oid/wallet/ad -pwd wallet_pwd
    orapki wallet add -wallet /usr/lib/oracle/oid/wallet/ad -cert Exported_AD_Cert_File \
                      -trusted_cert -pwd wallet_pwd
    
  4. Edit the file $ORACLE_HOME/ldap/odi/conf/odi.properties to set values for the wallet location (certWalletFile) and the file to store the wallet password (certWalletPwdF), as follows:

    certWalletFile: /usr/lib/oracle/oid/wallet/adcert
    certWalletPwdF: /usr/lib/oracle/oid/wallet/ad/certWalletPwd
    

    Ensure that there are no trailing spaces at the ends of the lines.

  5. Create the certWalletPwdF file by executing the following command:

    dipassistant wpasswd 
    

    Enter your wallet password when prompted.

  6. To start the Oracle Directory Integration Platform server, execute the following command as root:

    oidctl configset=1 connect=xe instance=1 server=odisrv flags='port=OID_port grpid=defaultgroup' start
    

    where OID_port is the Oracle Internet Directory port number.

5.4 Configuring SSL Between Oracle Directory Integration Platform and Oracle Internet Directory

To secure communications between Oracle Directory Integration Platform and Oracle Internet Directory using SSL, perform the following steps:

  1. To shut down the Oracle Directory Integration Platform server, execute the following command as root:

    oidctl configset=1 connect=xe instance=1 server=odisrv stop 
    
  2. Edit the file $ORACLE_HOME/ldap/odi/conf/odi.properties to set values for the wallet location (certWalletFile) and the file to store the wallet password (certWalletPwdF), as follows:

    certWalletFile: /usr/lib/oracle/oid/wallet/server
    certWalletPwdF: /usr/lib/oracle/oid/wallet/server/certWalletPwd
    

    Ensure that there are no trailing spaces at the ends of the lines.

  3. Create the certWalletPwdF file by executing the following command:

    dipassistant wpasswd 
    

    Enter your wallet password when prompted.

  4. Start the Oracle Directory Integration Platform server by executing the following command as root:

    oidctl configset=1 connect=xe instance=1 server=odisrv flags='port=OID_port grpid=defaultgroup' start
    

    where OID_port is the Oracle Internet Directory port number.
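The following shell script is an added example and is not part of the Oracle guide or of the dipassistant utility. It performs the checks a practitioner would want before restarting odisrv after Section 5.3 or Section 5.4: that odi.properties has no trailing whitespace on any line (the condition both sections warn about), that certWalletFile and certWalletPwdF are both set, and that the wallet password file written by dipassistant wpasswd exists and is not readable by group or other users. The property file contents, directory names and password value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): sanity-check the odi.properties
# wallet settings from Sections 5.3 and 5.4 before starting odisrv.

# Print the value of property $2 from file $1 (empty if the key is absent).
prop_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when $1 exists, has no trailing whitespace on any line, and sets
# both certWalletFile and certWalletPwdF.
check_odi_properties() {
    f="$1"
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    # A trailing space or tab becomes part of the value and the wallet
    # path or password file path then no longer matches a real file.
    if grep -n '[[:space:]]$' "$f"; then
        echo "trailing whitespace found in $f (line numbers above)"
        return 1
    fi
    wallet=$(prop_value "$f" certWalletFile)
    pwdfile=$(prop_value "$f" certWalletPwdF)
    [ -n "$wallet" ]  || { echo "certWalletFile not set in $f"; return 1; }
    [ -n "$pwdfile" ] || { echo "certWalletPwdF not set in $f"; return 1; }
    return 0
}

# Return 0 when the wallet password file $1 exists and carries no group or
# other permission bits (mode 600 or 400).
check_pwd_file_perms() {
    pwdfile="$1"
    [ -f "$pwdfile" ] || { echo "$pwdfile missing (run dipassistant wpasswd)"; return 1; }
    # GNU stat first, BSD stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$pwdfile" 2>/dev/null || stat -f '%Lp' "$pwdfile")
    case "$mode" in
        ?00) return 0 ;;
        *)   echo "$pwdfile has mode $mode; expected 600 or 400"; return 1 ;;
    esac
}

# Demo on constructed sample files in a temporary directory (removed afterwards).
demo=$(mktemp -d)
printf 'certWalletFile: %s/ad\ncertWalletPwdF: %s/ad/certWalletPwd\n' \
    "$demo" "$demo" > "$demo/odi.properties"
mkdir -p "$demo/ad"
printf 'constructed-wallet-password\n' > "$demo/ad/certWalletPwd"
chmod 600 "$demo/ad/certWalletPwd"
check_odi_properties "$demo/odi.properties" && echo "odi.properties OK"
check_pwd_file_perms "$(prop_value "$demo/odi.properties" certWalletPwdF)" \
    && echo "wallet password file OK"
rm -rf "$demo"
```

On a real system, run check_odi_properties against $ORACLE_HOME/ldap/odi/conf/odi.properties and pass the certWalletPwdF value it contains to check_pwd_file_perms; run both as the user that owns the Oracle Internet Directory installation so that the ownership and mode reflect what odisrv will see.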

5.5 Setting Up the External Authentication Plug-in

Enable the External Authentication plug-in shipped with Oracle Internet Directory so that Linux authentication uses the credentials stored in Active Directory.

To configure and enable this plug-in, use the extauth operation of the Directory Integration Assistant (dipassistant) utility. The command syntax is:

dipassistant extauth [-h hostName] [-p port] -D bindDN -w bindPassword \
                     -t extDirType

See the dipassistant section of the chapter entitled "Oracle Directory Integration Platform Tools" in the Oracle Identity Management User Reference for more information on how to use the extauth operation.

If you want to set up an external authentication plug-in to work with multiple external authentication domains, you must perform some manual steps after you run the external configuration tool. See "Configuring External Authentication Against Multiple Domains," under "Configuring External Authentication Plug-ins," in Chapter 18 of the Oracle Identity Management Integration Guide.