RE: Anyone configured Active Directory Auth to Oracle 11g?

Thanks, but this wasn't for SYSDBA or SYSOPER.
This is for basic users/applications that need OS authentication in 11g.

Thanks,

Chris Taylor
Sr. Oracle DBA
Ingram Barge Company
Nashville, TN 37205

"Quality is never an accident; it is always the result of intelligent effort."
-- John Ruskin (English Writer 1819-1900)

CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential and 
may also be privileged. If you are not the named recipient, please notify the 
sender immediately and delete the contents of this message without disclosing 
the contents to anyone, using them for any purpose, or storing or copying the 
information on any medium.

From: Guenadi Jilevski [mailto:gjilevski@xxxxxxxxx]
Sent: Friday, October 28, 2011 9:54 AM
To: Taylor, Chris David
Cc: David Robillard; oracle-l mailing list
Subject: Re: Anyone configured Active Directory Auth to Oracle 11g?

Hi,

To enable Oracle Internet Directory (OID) server to authorize SYSDBA and
SYSOPER connections:

1. Configure the administrative user by using the same procedures you would
   use to configure a typical user.

2. In OID, grant the SYSDBA or SYSOPER enterprise role to the user for the
   database the user will administer.

3. Set the LDAP_DIRECTORY_SYSAUTH initialization parameter to YES. When set
   to YES, the LDAP_DIRECTORY_SYSAUTH parameter enables SYSDBA and SYSOPER
   users to authenticate to the database by a strong authentication method.

4. Ensure that the LDAP_DIRECTORY_ACCESS initialization parameter is not set
   to NONE. The possible values are PASSWORD or SSL.

5. Later, the administrative user can log in by including the net service
   name in the CONNECT statement.


Regards.

Guenadi Jilevski
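
Steps 3 to 5 above as a SQL*Plus session, added here as an example and not part of the original message. It first checks that the two parameters are consistent with each other; the user "diradmin" and the net service name "orcl" are hypothetical.

```sql
-- Added example, not from the original thread. Run in SQL*Plus as a
-- privileged user. "diradmin" and "orcl" are hypothetical names.

-- Before changing anything: show both parameters and whether steps 3
-- and 4 are satisfied together.
SELECT s.value AS sysauth,
       a.value AS dir_access,
       CASE
         WHEN UPPER(NVL(s.value, 'NO')) <> 'YES'
           THEN 'directory SYSDBA/SYSOPER authorization is off'
         WHEN UPPER(NVL(a.value, 'NONE')) = 'NONE'
           THEN 'inconsistent: SYSAUTH=YES but LDAP_DIRECTORY_ACCESS=NONE'
         ELSE 'enabled, directory access mode ' || UPPER(a.value)
       END AS assessment
  FROM v$parameter s
 CROSS JOIN v$parameter a
 WHERE s.name = 'ldap_directory_sysauth'
   AND a.name = 'ldap_directory_access';

-- Step 4: the value must be PASSWORD or SSL, not NONE.
ALTER SYSTEM SET ldap_directory_access = 'PASSWORD' SCOPE = SPFILE;

-- Step 3: allow directory-authorized SYSDBA/SYSOPER logins.
ALTER SYSTEM SET ldap_directory_sysauth = YES SCOPE = SPFILE;

-- SCOPE = SPFILE takes effect at the next instance restart. After the
-- restart, rerun the SELECT above, then test step 5 with the net
-- service name in the CONNECT statement:
CONNECT diradmin@orcl AS SYSDBA
```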


On Fri, Oct 28, 2011 at 5:39 PM, Taylor, Chris David
<ChrisDavid.Taylor@xxxxxxxxxxxxxxx> wrote:
David,

Thank you, that is very helpful.

Chris Taylor
Sr. Oracle DBA
Ingram Barge Company
Nashville, TN 37205
"Quality is never an accident; it is always the result of intelligent effort."
-- John Ruskin (English Writer 1819-1900)


-----Original Message-----
From: David Robillard [mailto:david.robillard@xxxxxxxxx]
Sent: Friday, October 28, 2011 9:35 AM
To: Taylor, Chris David
Cc: oracle-l mailing list
Subject: Re: Anyone configured Active Directory Auth to Oracle 11g?

Hello Chris,

> According to 11g docs, you can do the below but I'm obviously missing 
> something since I don't know much about AD:

I'm not 100% sure, but I think you need Oracle Internet Directory (OID) for
this to work. I don't think you can use any LDAP server for this, but you
should double check with Oracle Support. BTW, there is a very detailed
how-to on enterprise user authentication in David C. Knox's book
< Effective Oracle Database 10g Security by Design > [1]. The book is on 10g,
but I think the theory and setup are very similar in 11g.

I do know that you can use any Kerberos infrastructure for user authentication 
to the database. So you can use your Active Directory Kerberos to authenticate 
users to your 11g database. But to do this, you need the Oracle Advanced 
Security Option (OASO). See [2] for more info on Kerberos authentication and 
[3] to help manage the AD Kerberos from a Linux machine.

> What is O=oracle, and C=US?  The CN and OU I understand I think it's fairly 
> easy to find the AD toolkit...
>
> Anyone mind helping me out?

Those are LDAP attributes. O stands for Organization and C stands for Country.
But you might not have them in your company's LDAP tree. If you plan on working
with LDAP systems, do yourself a favor and grab a copy of Gerald Carter's book
< LDAP System Administration > [4]. Granted that it's a little old and it
focuses on OpenLDAP, but the LDAP theory is explained very clearly. It did help
me understand LDAP a lot more and then configure various LDAP servers (i.e. AD,
OpenLDAP and Oracle Internet Directory).

HTH,

David

[1] http://www.amazon.com/exec/obidos/tg/detail/-/0072231300/qid06156504/sr=8-1/ref=pd_csp_1/103-7294785-2887052?v=glance&s=books&nP7846
[2] http://download.oracle.com/docs/cd/E11882_01/network.112/e10746/asokerb.htm#ASOAG060
[3] http://fuhm.net/software/msktutil/
[4] http://shop.oreilly.com/product/9781565924918.do
--
David Robillard
http://www.linkedin.com/in/davidrobillard
http://itdavid.blogspot.com/

> Thanks,
>
>
> Chris Taylor
> Sr. Oracle DBA
> Ingram Barge Company
> Nashville, TN 37205
> Office: 615-517-3355
> Cell: 615-663-1673
> Email: chris.taylor@xxxxxxxxxxxxxxx


--
http://www.freelists.org/webpage/oracle-l


