RE: Someone using LDAP to authenticate users to NDS?

  • From: DENNIS WILLIAMS <DWILLIAMS@xxxxxxxxxxxxx>
  • To: "'oracle-l@xxxxxxxxxxxxx'" <oracle-l@xxxxxxxxxxxxx>
  • Date: Sat, 14 Feb 2004 08:00:21 -0600

Ana
   <Caveat> I haven't implemented LDAP using something other than OID, nor
have I heard from anyone who has </Caveat>
   That said, I have followed this issue. In theory, here is how I
understand it would work.
1. Oracle client can use NDS or "any" LDAP to authenticate Oracle users.
2. NDS cannot populate the LDAP information for your users itself.
3. You must run OID so Oracle security can populate the LDAP information.
4. Once OID has the security information, it can produce an LDIF to populate
NDS. Or the dbms_ldap that Michael mentions.
5. The transfer process would have to be run periodically to keep NDS
populated with updated user information, like new users.

Another way just occurred to me. If you understand the format of information
that Oracle Client expects (probably by reading the LDIF file), you could
write your own security program. Just a simple screen program that would
allow your security administrator to enter the LDAP information for a new
user, produce a small LDIF file, and load that file into NDS. You would
still have to install OID once on a test box in order to play with it enough
to have it kick out a sample LDIF, but you wouldn't need to run OID in your
production environment. Damn I'm so smart on a Saturday morning. Think I'll
take off the rest of the weekend.

Dennis Williams
DBA
Lifetouch, Inc.
dwilliams@xxxxxxxxxxxxx 
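The "small LDIF file" idea above rests on getting the LDIF format right. The following is an added example, not code from this thread, Oracle or Novell: a minimal RFC 2849 LDIF writer and reader showing the two rules a hand-rolled generator has to honour, base64 encoding of values that are not safe strings and folding of long lines. The base64 rule is also what stops a value containing a newline from being loaded as an extra attribute. Attribute names are assumed generic inetOrgPerson ones; the Oracle-specific attributes would have to be copied from the LDIF that OID emits, as the post suggests, and the sample user is constructed.

```python
import base64
import re

# RFC 2849 SAFE-STRING: no NUL/CR/LF/non-ASCII anywhere; no leading space, ':' or '<'.
_SAFE_INIT = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]")
_SAFE_REST = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x7f]*\Z")

def is_safe_string(value: str) -> bool:
    # True if the value may be written verbatim after 'attr: '.
    return bool(_SAFE_INIT.match(value)) and bool(_SAFE_REST.match(value, 1))

def format_attr(name: str, value: str) -> str:
    """One logical line: 'attr: value', or 'attr:: <base64>' when unsafe.
    Base64 is what keeps a value containing CR/LF from being read back by
    the loader as extra attribute lines."""
    if is_safe_string(value):
        return f"{name}: {value}"
    return f"{name}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")

def fold(line: str, width: int = 76) -> list:
    """Wrap a logical line; continuation lines start with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return parts

def ldif_entry(dn: str, attrs: dict) -> str:
    """Render one entry: the dn line first, then every attribute/value pair."""
    lines = fold(format_attr("dn", dn))
    for name, values in attrs.items():
        lines.extend(ln for v in values for ln in fold(format_attr(name, v)))
    return "\n".join(lines) + "\n"

def parse_entry(text: str) -> dict:
    """Unfold and decode an entry into {attr: [values]} to verify round trips."""
    out = {}
    for line in text.replace("\n ", "").rstrip("\n").split("\n"):
        name, _, raw = line.partition(":")
        b64 = raw.startswith(":")
        value = base64.b64decode(raw[1:].strip()).decode() if b64 else raw[1:]
        out.setdefault(name, []).append(value)
    return out

# Constructed sample user (not from the thread): the non-ASCII display name and
# the newline inside description are the cases that must come out base64-encoded.
SAMPLE_DN = "cn=jdoe,ou=People,o=example"
SAMPLE_ATTRS = {"objectClass": ["top", "person", "inetOrgPerson"],
                "cn": ["jdoe"], "sn": ["Doe"], "displayName": ["Jos\u00e9 Doe"],
                "description": ["note\nuserPassword: injected"]}
```

Running `print(ldif_entry(SAMPLE_DN, SAMPLE_ATTRS))` shows the description and displayName lines emitted as `attr:: <base64>` while the rest stay readable.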

-----Original Message-----
From: Ana Choto [mailto:achoto@xxxxxxxxxxxx]
Sent: Friday, February 13, 2004 3:24 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: Someone using LDAP to authenticate users to NDS?






Thanks for the info.  Unfortunately the way management wants to do it is
through Novell.  They want to authenticate Oracle users to Novell's NDS
instead of the other way around.  Don't want to use OID either, so I'm at a
loss here.  I'm still researching the issue.  But, so far I haven't found
anything useful.

Thanks

Ana E. Choto
American University
e-Operations - Information Technology
Phone (202) 885-2275
Fax      (202) 885-2224


"Michael Fontana" <mfontana@xxxxxxxet>
Sent by: oracle-l-bounce@freelists.org
02/13/2004 03:00 PM
Please respond to oracle-l@freelists.org
To: <oracle-l@xxxxxxxxxxxxx>
cc:
Subject: RE: Someone using LDAP to authenticate users to NDS?




Oracle has a package, dbms_ldap, which will read and load foreign LDAPs.

Don't have much detail about how the developers are using it here, but
it seems to basically load the foreign ldap data into a relational
table.  Probably not too efficient, but they're happy with it.

Script to implement can be found in $ORACLE_HOME/rdbms/admin/catldap.sql

Michael Fontana
Sr. DBA
NTT/Verio



-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of DENNIS WILLIAMS
Sent: Friday, January 30, 2004 2:35 PM
To: 'oracle-l@xxxxxxxxxxxxx'
Subject: RE: Someone using LDAP to authenticate users to NDS?


Ana
   Correction: . . . can you switch to OID? The latter (OID) is
obviously simpler to implement with Oracle, compared to the issues of
using two LDAPs.


Dennis Williams
DBA, 80%OCP, 100% DBA
Lifetouch, Inc.
dwilliams@xxxxxxxxxxxxx


-----Original Message-----
From: DENNIS WILLIAMS
Sent: Friday, January 30, 2004 2:08 PM
To: 'oracle-l@xxxxxxxxxxxxx'
Subject: RE: Someone using LDAP to authenticate users to NDS?


Ana
   Thanks for clarifying what NDS is.
   You can get some of our previous discussion threads by going to
Google and searching on oracle-l ldap.
   Your approach will depend somewhat on your purpose for LDAP. Also,
does your organization have a strong commitment to NDS, or can you
switch to OID. The latter is obviously simpler.
   You may want to study LDAP in some detail, particularly the LDIF
format, since that is probably how OID and NDS will exchange
information.
   LDIF is simply a format, like XML (from a simple DBA's crude
understanding). Each application, like Oracle, must specify what
information it expects and the format it expects it in. So somehow this
information must be populated. The formats can be rather complex.

Dennis Williams
DBA
Lifetouch, Inc.
dwilliams@xxxxxxxxxxxxx


-----Original Message-----
From: Ana Choto [mailto:achoto@xxxxxxxxxxxx]
Sent: Friday, January 30, 2004 1:49 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: Someone using LDAP to authenticate users to NDS?






Thanks Dennis,

NDS is the Novell Directory Server.  I don't know much about LDAP, just
what I've been reading since asked to look into authenticating our users
via LDAP.  I've also been reading information on OID.

We have several Oracle instances in versions from 8.1.6 to 9i R2.
Operating systems: NT, Windows 2000 and Sun Sparc Solaris 5.8.

We have users that log on to the network, oracle, unix, and/or Datatel
(The db is Unidata.  Yes, not a relational database, but it's our main
application for registration, finances, etc).  We have our datawarehouse
and other web applications on Oracle.

What we want to do is to have one place where to authenticate users and
where to keep their information.  The intent is not only ease of
management, but to enforce password management in all of our
applications the same way it's done in Novell.  We're planning on using
profiles in the Oracle Databases.  We have  already created a test
profile that enforces the same password rules as NDS'.

I've opened a TAR with Oracle support and I'm waiting to hear from them.
I've searched Metalink, and what I've read suggests OID is the way to go.
I just have to figure out, as you say, how to synchronize the LDAPs.

Thanks

Ana E. Choto
American University
e-Operations - Information Technology
Phone (202) 885-2275
Fax      (202) 885-2224




DENNIS WILLIAMS <DWILLIAMS@LIFETOUCH.COM>
Sent by: oracle-l-bounce@freelists.org
01/30/2004 02:14 PM
Please respond to oracle-l@freelists.org
To: "'oracle-l@xxxxxxxxxxxxx'" <oracle-l@xxxxxxxxxxxxx>
cc:
Subject: RE: Someone using LDAP to authenticate users to NDS?

Ana
   I have been studying some of these issues, but haven't implemented
anything yet, so I sincerely hope you get some good responses. I hadn't
heard of NDS before, so if you can explain that a little, you may get
more assistance.
   LDAP as you know is an industry standard.
   OID supports LDAP, as do other vendor offerings, like Microsoft
ActiveDirectory.
   I think a number of people have implemented LDAP using OID.
   Today, if you choose to use another LDAP, you probably have to also
implement OID and figure out how to keep the two LDAPs synchronized. In
theory this is possible, but I haven't heard from anyone who has
implemented this.
   My guess is that as LDAP systems mature, standardization and
interaction will mature as well. Eventually Oracle will have to satisfy
customers who have chosen an LDAP other than OID because they support
more applications than Oracle.

Dennis Williams
DBA
Lifetouch, Inc.
dwilliams@xxxxxxxxxxxxx

-----Original Message-----
From: Ana Choto [mailto:achoto@xxxxxxxxxxxx]
Sent: Friday, January 30, 2004 1:03 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: Someone using LDAP to authenticate users to NDS?






We're looking into authenticating our users via LDAP to NDS.  We are on
8.1.7.2 and Solaris 5.8.  We're also using 9iAS release 1.

I understand that LDAP is not supported in 9i and above and that OID may
be the way to go.  We don't have OID installed in 8i; we'll probably go
that way when upgrading to 9i, but that is not going to happen in the
near future.

Is someone out there doing this type of authentication?  If so, what are
your thoughts?  And how did you go about setting this up without OID?

Thanks

Ana E. Choto
American University
e-Operations - Information Technology
Phone (202) 885-2275
Fax      (202) 885-2224

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to:  oracle-l-request@xxxxxxxxxxxxx put
'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------