Hi Lyall,
I tried to implement Centrally Managed Users with Microsoft Active
Directory (not Kerberos SSO), but still not in production... but yes, AD
account login + password is working fine, AD groups login is working fine
and also AD groups to Oracle roles mapping is working fine
But the route was not quite straightforward...Here are key documents to
help with this topic
Oracle Support Document 2462012.1 (How to Configure Centrally Managed Users
For Database Release 18c or Later Releases ) can be found at:
https://support.oracle.com/epmos/faces/DocumentDisplay?id=2462012.1
In this doc is attached current version of the opwdintg.exe
Oracle Support Document 2716598.1 (Mandatory Patches for Centrally Managed
Users A.K.A CMU 18C / 19C.) can be found at:
https://support.oracle.com/epmos/faces/DocumentDisplay?id=2716598.1
Oracle Support Document 2470608.1 (Tracing CMU connection issues) can be
found at:
https://support.oracle.com/epmos/faces/DocumentDisplay?id=2470608.1
nice blog from Simon Pane
https://blog.pythian.com/part-3-implementing-oracle-database-active-directory-password-synchronization-using-oracle-cmu/
My notes:
- I choose CMU (not Kerberos SSO) because is it working with any client and
is not necessary doing any work on client side
- Oracle design is not very comfortable for AD admins, I have to
persuade them to extend AD schema and install password filter on all domain
controllers
- 3 months I have to wait for Oracle to solve my crazy problem - during
changing AD account password domain controller crashed!!! - bug was in
oracle dll opwdintg.exe
- for me is not very good the oracle global name is joined with AD through
distinguished name - our AD DN names are automatically generated and
included organizational chart, after changing organizational chart DN is
changed and I have to alter oracle username global name
Marian
pi 4. 6. 2021 o 22:02 Lyall Barbour <lyallbarbour@xxxxxxxxxxxxxxx>
napísal(a):
Hello,
The Insurance company I work for was purchased by AllState, for our IT
department and applications. My job is safe! ....for now.
But the mandates are flowing down. Encryption is being implemented
everywhere. We've purchased Advanced Security and are creating Wallets all
over the place and encrypting tablespaces left and right.
The latest Project is being pushed unto the app teams. Application
authentication into databases must be tighter.
I've setup Oracle internet directory 10g in 2010, 11. Now with Oracle 18c
seems like I can skip the Identity Manager stuff and straight use
- an AD manager account
- Oracle wallet, ldap.ora, dsi.ora on db server
- configure those files to see AD with the manager account
- create AD account, groups wanting access to Oracle db
- create Oracle db accounts, roles GLOBALLY
And Bob's my Uncle...?
Anyone do this in the 18/19c Security Guide yet? Can confirm?
TIA
Lyall Barbour
--
Sent from my Android phone with mail.com Mail. Please excuse my brevity.
-- //www.freelists.org/webpage/oracle-l
