16
12
19
 Leave a comment

Inegrating Oracle Database 18 with MS Active Directory

Posted by | Oracle |

I configured DNS on my Windows Server 2016 (takes some time, probably 15 minutes):

ipconfig /registerdns

So I was able to do

nslookup virtual.domain1

from another Windows machine.

And followed the steps described in this guide:

dsquery user -name administrator

"CN=Administrator,CN=Users,DC=virtual,DC=domain1"

dsadd user "CN=oracle02,CN=Users,DC=virtual,DC=domain1" -pwd ***
dsacls "CN=Users,DC=virtual,DC=domain1" /I:S /G "oracle02:RP;;user" "oracle02:WP;LockoutTime;user"
dsacls "CN=Users,DC=virtual,DC=domain1"

Owner: VIRTUALDOMAIN\Domain Admins
Group: VIRTUALDOMAIN\Domain Admins
...
Inherited to user
Allow VIRTUALDOMAIN\oracle02          SPECIAL ACCESS
                                      READ PROPERTY
Allow VIRTUALDOMAIN\oracle02          SPECIAL ACCESS for lockoutTime
                                      WRITE PROPERTY
The command completed successfully

dsquery group -name ora*

"CN=ORA_VFR_11G,CN=Users,DC=virtual,DC=domain1"
"CN=ORA_VFR_12C,CN=Users,DC=virtual,DC=domain1"
"CN=ORA_VFR_MD5,CN=Users,DC=virtual,DC=domain1"

get-ADUser oracle02 -Properties orclCommonAttribute

DistinguishedName   : CN=oracle02,CN=Users,DC=virtual,DC=domain1
Enabled             : True
GivenName           :
Name                : oracle02
ObjectClass         : user
ObjectGUID          : c95aa763-cc62-4c05-b38e-82444dc82105
orclCommonAttribute :
SamAccountName      : oracle02
SID                 : S-1-5-21-518566821-4215415469-1285754680-2606
Surname             :
UserPrincipalName   :

On Linux machine where Oracle Database is run in a Docker container:

sudo docker exec -u 0 -it --workdir / oracle18se /bin/bash

and then in the container:

echo "172.28.46.146 server1" >> /etc/hosts

or alternatively on Linux host:

sudo docker exec -it oracle18se /bin/bash

and then in the container:

su -

and enter root user password.

dsi.ora file:

DSI_DIRECTORY_SERVERS = (server1.virtual.domain1:389:636)
DSI_DEFAULT_ADMIN_CONTEXT = "DC=virtual,DC=domain1"
DSI_DIRECTORY_SERVER_TYPE = AD

using command line:

cd $ORACLE_BASE/admin/ORCLCDB
mkdir wallet
cd wallet
echo "DSI_DIRECTORY_SERVERS = (server1.virtual.domain1:389:636)" >> dsi.ora
echo "DSI_DEFAULT_ADMIN_CONTEXT = \"DC=virtual,DC=domain1\"" >> dsi.ora
echo "DSI_DIRECTORY_SERVER_TYPE = AD" >> dsi.ora

Generating the certificate:

To determine the host address from Docker container I used

/sbin/ip route|awk '/default/ { print $3 }'

Uploading from a Windows machine to Ubuntu host:

pscp AD_CA_Root_cert.txt guber@tor:/home/guber/temp

Uploading from Ubuntu host to Oracle Linux container:

scp guber@172.17.0.1:/home/guber/temp/AD_CA_Root_cert.txt .

After I copied the certificate to the container and I created Oracle Wallet:

orapki wallet create -wallet /opt/oracle/admin/ORCLCDB/wallet -auto_login

The following files were created:

cwallet.sso  cwallet.sso.lck  ewallet.p12  ewallet.p12.lck

Did Step 7 from the guide:

ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS = 'PASSWORD' SCOPE=SPFILE;
ALTER SYSTEM SET LDAP_DIRECTORY_SYSAUTH = YES SCOPE=SPFILE;
SHUTDOWN IMMEDIATE
STARTUP
SHOW PARAMETER LDAP

Configured container’s DNS:

echo "nameserver 172.28.46.146" > /etc/resolv.conf
echo "nameserver 172.28.0.1" >> /etc/resolv.conf
echo "nameserver 10.0.0.15" >> /etc/resolv.conf
nslookup virtual.domain1

Server:         172.28.46.146
Address:        172.28.46.146#53

Name:   virtual.domain1
Address: 172.28.46.146
Name:   virtual.domain1
Address: 192.168.137.192
Name:   virtual.domain1
Address: fdae:1665:8a78::6dc

Did Step 8 from the guide:

In Windows Command Prompt:

dsadd user "cn=test3,cn=Users,dc=virtual,dc=domain1" -pwd Password333 -memberof "cn=ORA_VFR_12C,cn=Users,dc=virtual,dc=domain1"
dsmod user "cn=test3,cn=Users,dc=virtual,dc=domain1" -pwd Password3
powershell get-ADUser test4 -Properties orclCommonAttribute

The user becomes a member of ORA_VFR_12C:

while ORA_VER_11G and ORA_VER_MD5 groups remain empty. Also dsmod command sets orclCommonAttribute attribute:

DistinguishedName   : CN=test4,CN=Users,DC=virtual,DC=domain1
Enabled             : True
GivenName           :
Name                : test4
ObjectClass         : user
ObjectGUID          : cb89cf79-12e9-471a-ae68-39a5f42092c5
orclCommonAttribute : {MR-SHA512}cGRwIT/MiI6VhTAPxzcJ4gLF7eac2qKzYOEAeFrAZUZ7nQTPYd5yDU801F6/fhzZ9GDibWtEMmrds4VcvsGRXL
                      P7ZLtYutPF1zE6wXWyR9Q=
SamAccountName      : test4
SID                 : S-1-5-21-518566821-4215415469-1285754680-2618
Surname             :
UserPrincipalName   :

Then in the docker container:

export ORACLE_SID=ORCLCDB
cd $ORACLE_HOME/bin
./sqlplus sys as sysdba

alter session set "_ORACLE_SCRIPT"=true;
create user test3 identified globally as 'cn=test3,cn=Users,dc=virtual,dc=domain1';
grant create session to test3;

Now I am able to connect with SQL Developer with SID, but not Service Name:

To query ‘test3’ user from DBA_USERS table we should connect as SYSDBA with SID:

select * from dba_users where username like '%TEST%';

‘test3′ user has fields AUTHENTICATION_TYPE=’GLOBAL’ and EXTERNAL_NAME=’cn=test3,cn=Users,dc=virtual,dc=domain1′ while regular users have AUTHENTICATION_TYPE=’PASSWORD’ .

Leave a Reply

Your email address will not be published. Required fields are marked *