I configured DNS on my Windows Server 2016 (takes some time, probably 15 minutes):
ipconfig /registerdns
So I was able to do
nslookup virtual.domain1
from another Windows machine.
And followed the steps described in this guide:
dsquery user -name administrator
"CN=Administrator,CN=Users,DC=virtual,DC=domain1"
dsadd user "CN=oracle02,CN=Users,DC=virtual,DC=domain1" -pwd ***
dsacls "CN=Users,DC=virtual,DC=domain1" /I:S /G "oracle02:RP;;user" "oracle02:WP;LockoutTime;user"
dsacls "CN=Users,DC=virtual,DC=domain1"
Owner: VIRTUALDOMAIN\Domain Admins
Group: VIRTUALDOMAIN\Domain Admins
...
Inherited to user
Allow VIRTUALDOMAIN\oracle02 SPECIAL ACCESS
READ PROPERTY
Allow VIRTUALDOMAIN\oracle02 SPECIAL ACCESS for lockoutTime
WRITE PROPERTY
The command completed successfully
dsquery group -name ora*
"CN=ORA_VFR_11G,CN=Users,DC=virtual,DC=domain1"
"CN=ORA_VFR_12C,CN=Users,DC=virtual,DC=domain1"
"CN=ORA_VFR_MD5,CN=Users,DC=virtual,DC=domain1"
get-ADUser oracle02 -Properties orclCommonAttribute
DistinguishedName : CN=oracle02,CN=Users,DC=virtual,DC=domain1
Enabled : True
GivenName :
Name : oracle02
ObjectClass : user
ObjectGUID : c95aa763-cc62-4c05-b38e-82444dc82105
orclCommonAttribute :
SamAccountName : oracle02
SID : S-1-5-21-518566821-4215415469-1285754680-2606
Surname :
UserPrincipalName :
On Linux machine where Oracle Database is run in a Docker container:
sudo docker exec -u 0 -it --workdir / oracle18se /bin/bash
and then in the container:
echo "172.28.46.146 server1" >> /etc/hosts
or alternatively on Linux host:
sudo docker exec -it oracle18se /bin/bash
and then in the container:
su -
and enter root user password.
dsi.ora file:
DSI_DIRECTORY_SERVERS = (server1.virtual.domain1:389:636)
DSI_DEFAULT_ADMIN_CONTEXT = "DC=virtual,DC=domain1"
DSI_DIRECTORY_SERVER_TYPE = AD
using command line:
cd $ORACLE_BASE/admin/ORCLCDB
mkdir wallet
cd wallet
echo "DSI_DIRECTORY_SERVERS = (server1.virtual.domain1:389:636)" >> dsi.ora
echo "DSI_DEFAULT_ADMIN_CONTEXT = \"DC=virtual,DC=domain1\"" >> dsi.ora
echo "DSI_DIRECTORY_SERVER_TYPE = AD" >> dsi.ora
Generating the certificate:
To determine the host address from Docker container I used
/sbin/ip route|awk '/default/ { print $3 }'
Uploading from a Windows machine to Ubuntu host:
pscp AD_CA_Root_cert.txt guber@tor:/home/guber/temp
Uploading from Ubuntu host to Oracle Linux container:
scp guber@172.17.0.1:/home/guber/temp/AD_CA_Root_cert.txt .
After I copied the certificate to the container and I created Oracle Wallet:
orapki wallet create -wallet /opt/oracle/admin/ORCLCDB/wallet -auto_login
The following files were created:
cwallet.sso cwallet.sso.lck ewallet.p12 ewallet.p12.lck
Did Step 7 from the guide:
ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS = 'PASSWORD' SCOPE=SPFILE;
ALTER SYSTEM SET LDAP_DIRECTORY_SYSAUTH = YES SCOPE=SPFILE;
SHUTDOWN IMMEDIATE
STARTUP
SHOW PARAMETER LDAP
Configured container’s DNS:
echo "nameserver 172.28.46.146" > /etc/resolv.conf
echo "nameserver 172.28.0.1" >> /etc/resolv.conf
echo "nameserver 10.0.0.15" >> /etc/resolv.conf
nslookup virtual.domain1
Server: 172.28.46.146
Address: 172.28.46.146#53
Name: virtual.domain1
Address: 172.28.46.146
Name: virtual.domain1
Address: 192.168.137.192
Name: virtual.domain1
Address: fdae:1665:8a78::6dc
Did Step 8 from the guide:
In Windows Command Prompt:
dsadd user "cn=test3,cn=Users,dc=virtual,dc=domain1" -pwd Password333 -memberof "cn=ORA_VFR_12C,cn=Users,dc=virtual,dc=domain1"
dsmod user "cn=test3,cn=Users,dc=virtual,dc=domain1" -pwd Password3
powershell get-ADUser test4 -Properties orclCommonAttribute
The user becomes a member of ORA_VFR_12C:
while ORA_VER_11G and ORA_VER_MD5 groups remain empty. Also dsmod command sets orclCommonAttribute attribute:
DistinguishedName : CN=test4,CN=Users,DC=virtual,DC=domain1
Enabled : True
GivenName :
Name : test4
ObjectClass : user
ObjectGUID : cb89cf79-12e9-471a-ae68-39a5f42092c5
orclCommonAttribute : {MR-SHA512}cGRwIT/MiI6VhTAPxzcJ4gLF7eac2qKzYOEAeFrAZUZ7nQTPYd5yDU801F6/fhzZ9GDibWtEMmrds4VcvsGRXL
P7ZLtYutPF1zE6wXWyR9Q=
SamAccountName : test4
SID : S-1-5-21-518566821-4215415469-1285754680-2618
Surname :
UserPrincipalName :
Then in the docker container:
export ORACLE_SID=ORCLCDB
cd $ORACLE_HOME/bin
./sqlplus sys as sysdba
alter session set "_ORACLE_SCRIPT"=true;
create user test3 identified globally as 'cn=test3,cn=Users,dc=virtual,dc=domain1';
grant create session to test3;
Now I am able to connect with SQL Developer with SID, but not Service Name:
To query ‘test3’ user from DBA_USERS table we should connect as SYSDBA with SID:
select * from dba_users where username like '%TEST%';
‘test3′ user has fields AUTHENTICATION_TYPE=’GLOBAL’ and EXTERNAL_NAME=’cn=test3,cn=Users,dc=virtual,dc=domain1′ while regular users have AUTHENTICATION_TYPE=’PASSWORD’ .
