Active Directory to Oracle Internet Directory (OID) Integration

To integrate Oracle Application Server with Active Directory follow these steps.

Active Directory Synchronization

1.   The ability to connect to Active Directory from Oracle may be verified using the following commands on appserver.oraclegiants.com:

export ORACLE_HOME=/home/oracle/OracleHomes/OraHome_1_infra

cd $ORACLE_HOME/bin

./ldapbind -p 389 -h oraclegiantsAD.oraclegiants.com -D "carrb@oraclegiants.com" -w "password"

You should see the message "bind successful".

2.   The next step in the configuration process is to create a synchronization profile.  For more detailed information see the Oracle Identity Management Guide.  Begin by starting the Oracle Directory Integration and Provisioning Server Administration (aka Oracle DIP Console) tool.  Do this by executing the following command: 

dipassistant -gui

Login as orcladmin when the login box appears.

Select Active Directory Configuration on the left hand side of the screen.  Fill in the fields as follows.

Active Directory Host:  oraclegiantsAD.oraclegiants.com

Port:  389

Account Name:  carrb@oraclegiants.com

Account Password:  password

Connector Name:  AD_OID

Configuration Set:  1

Click Apply    

Next, click on Configuration Set1 on the left-hand side of the screen.  Then click Refresh

Select AD_OIDImport and click Edit

Change the profile status to Enable

The default Scheduling Interval is every 60 seconds.

Click OK

3.   The first time you migrate data from AD to OID is known as the bootstrap.  To run the bootstrap, execute the following:

./dipassistant bootstrap -port 389 -profile AD_OIDImport -D "cn=orcladmin" -w password

-----------------------------------------------

Bootstrapping in progress.....

Bootstrapping completed.

 #entries read ..................... 404

 #entries filtered ................. 0

 #entries ignored .................. 0

 #successfully processed entries ... 403

 #failures ......................... 1

Please see the log file for more information.

-----------------------------------------------

 To see the status of the bootstrap return to the Oracle DIP Console and click Refresh, then Edit the AD_OIDImport profile and then click on the Status tab.
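The bootstrap summary printed above is the only immediate signal of a partial import, so it is worth checking mechanically rather than by eye. The following script is an added example (not part of the original post or of Oracle's tooling); it parses the summary lines in the format shown above and flags a non-zero failure count or counts that do not add up. The sample text is a constructed copy of the counts on this page.

```python
import re

# Constructed copy of the summary that "dipassistant bootstrap" printed in the post.
# In practice this text comes from the command's stdout or the DIP log file.
SAMPLE_SUMMARY = """
Bootstrapping in progress.....
Bootstrapping completed.
 #entries read ..................... 404
 #entries filtered ................. 0
 #entries ignored .................. 0
 #successfully processed entries ... 403
 #failures ......................... 1
Please see the log file for more information.
"""

# Summary lines look like " #<label> ....... <count>": capture label and integer count.
COUNT_RE = re.compile(r"^\s*#(?P<label>[^.]+?)\s*\.+\s*(?P<count>\d+)\s*$")


def parse_bootstrap_summary(text: str) -> dict:
    """Return {label: count} for every counter line in the bootstrap output."""
    counts = {}
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("label").strip()] = int(m.group("count"))
    return counts


def check_bootstrap(counts: dict) -> list:
    """Return a list of findings; an empty list means the bootstrap looks clean."""
    findings = []
    read = counts.get("entries read", 0)
    processed = counts.get("successfully processed entries", 0)
    filtered = counts.get("entries filtered", 0)
    ignored = counts.get("entries ignored", 0)
    failures = counts.get("failures", 0)
    if failures:
        findings.append(f"{failures} entry(ies) failed to import; check the DIP log")
    if read != processed + filtered + ignored + failures:
        findings.append("counters do not add up to entries read; summary may be truncated")
    if read == 0:
        findings.append("no entries read; check the import profile and the AD account")
    return findings


if __name__ == "__main__":
    for finding in check_bootstrap(parse_bootstrap_summary(SAMPLE_SUMMARY)):
        print("WARNING:", finding)
```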

Finally run this command to start the Directory Integration and Provisioning Server:

./oidctl connect=infra server=odisrv instance=2 configset=1 flags="port=389" start

4.   Configure External Password Authentication

"It is possible that you may want some or all of your Oracle 10g Application Server users to authenticate using their user credentials stored in Active Directory, or that you don't want your Active Directory user passwords stored in OID at all. If this is your desired authentication model, OID has a feature called "External Password Authentication". External Password Authentication allows you to set up OID so that when a user authenticates against OID, OID will actually check the user's credentials against the Active Directory server rather than OID.

Another reason you may need to set up external authentication has to do with the fact that the AD import connector we set up on the previous pages cannot migrate hashed passwords from AD to OID. This is because Microsoft uses a proprietary hashing algorithm called Unicode password encryption that is not supported in OID. OID supports the most commonly used password encryptions such as MD5, MD4, SHA, SSHA, and Crypt to name a few. Microsoft does not support any of these. So if you want to authenticate using your Microsoft passwords you will need to set up the External Password Plug-in." (source: oracle.com)

A prerequisite for External Password Authentication is that OID must be configured to import AD users.  We accomplished this in steps #1 and 2 above.

To configure External Authentication, run the $ORACLE_HOME/ldap/admin/oidspadi.sh script.  This script will prompt for several parameters about your AD and OID systems.

Enter the AD server (fully qualified domain name) or IP address: oraclegiantsAD.oraclegiants.com

SSL: n

Enter the port number that the AD server is running on:  389

OID database:  infra

Enter the "ods" database schema user password: password

Enter the FQDN of the server that OID is running on:  appserver.oraclegiants.com

Enter the port number that OID server is running on:  389

Enter the password for the orcladmin user:  password

Enter the subscriber search base. This is the DN of the users container in OID that you want to authenticate to AD:  cn=users,dc=oraclegiants,dc=edu

Leave the "Plug-in Request Group DN" blank. Just hit enter without a value.

An important value is the "Exception Entry Property". This value acts as a filter and determines where users will authenticate. If you leave this value null, all users will authenticate using their credentials stored in AD. The value you enter here will determine which users will authenticate against OID and which users will authenticate against AD.

Here is the "Exception entry property" currently configured: (|(cn=orcladmin)(cn=portal) (cn=portal_admin) (cn=ias_admin))

This value tells OID that every user except those matched by the filter, such as "cn=orcladmin" and "cn=portal", will authenticate using credentials stored in AD.
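Because the Exception Entry Property decides which accounts keep an OID-held password and which are handed to AD, it pays to check the routing for each administrative account before relying on it. The following is an added example (not part of the original post or of OID's plug-in code): a small evaluator for the subset of LDAP filter syntax used in the property above (equality, `|`, `&`, `!`), tolerant of the spaces between components in the page's value, that reports which backend a given entry would authenticate against. It assumes entries are given as dicts with lowercase attribute names, and treats an empty filter as "everyone goes to AD", as the post describes.

```python
# Exception Entry Property from the post. Entries matching it keep authenticating
# against OID; everyone else is passed to AD by the external authentication plug-in.
EXCEPTION_FILTER = "(|(cn=orcladmin)(cn=portal) (cn=portal_admin) (cn=ias_admin))"


def _parse(s: str, i: int):
    """Parse one parenthesised filter node at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                      # compound node: operator followed by children
        op, i, kids = s[i], i + 1, []
        while True:
            while s[i].isspace():          # tolerate spaces between components
                i += 1
            if s[i] == ")":
                return (op, kids), i + 1
            kid, i = _parse(s, i)
            kids.append(kid)
    j = s.index(")", i)                    # leaf node: attr=value
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.strip().lower(), value.strip().lower()), j + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter node against an entry {attr: value or [values]}."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        vals = entry.get(attr, [])
        if isinstance(vals, str):
            vals = [vals]
        return value in (v.lower() for v in vals)
    kids = node[1]
    if op == "|":
        return any(matches(k, entry) for k in kids)
    if op == "&":
        return all(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)     # "!"


def auth_backend(entry: dict, filter_str: str = EXCEPTION_FILTER) -> str:
    """Where OID will verify this entry's password: 'OID' for exceptions, else 'AD'."""
    if not filter_str.strip():             # null property: all users go to AD
        return "AD"
    node, _ = _parse(filter_str.strip(), 0)
    return "OID" if matches(node, entry) else "AD"


if __name__ == "__main__":
    for cn in ("orcladmin", "portal", "carrb"):
        print(cn, "->", auth_backend({"cn": cn}))
```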

Currently oraclegiants is not setup for the backup Active Directory failover.

OID is now populated with users and groups via bootstrap migration from Active Directory.  The Oracle Directory Integration and Provisioning tool has been set up so that it will utilize the Active Directory Connector to keep this account information synchronized.  Oracle has been instructed to authenticate users migrated from AD using the Active Directory External Authentication Plug-in.

Long story short:  It’s now possible to login to Portal via SSO using one of the migrated AD users with its corresponding AD password.

As an example the AD user carrb@oraclegiants.com is able to authenticate using his AD password of “password”.  Also the OID user “portal” is able to authenticate using the OID password of “carrb1”.

Note:  the username format must be user@oraclegiants.com

5.   Configure Zero Sign-on (Windows Native Authentication)

The Oracle SSO server has a feature which enables Microsoft Internet Explorer users to automatically authenticate to their web applications using their desktop credentials.  This is known as Windows Native Authentication (a.k.a. Auto Sign-on or Zero Sign-on).  To accomplish this we need to configure "Active Directory External Authentication Plug-in" in order to validate user-supplied passwords "behind the scenes" during a user login.   This will be covered in a later post....

2010 OracleGiants.com