Integrating Oracle Portal and Microsoft Active Directory … · Integrating Oracle Portal and...

Integrating Oracle Portal andIntegrating Oracle Portal andMicrosoft Active DirectoryMicrosoft Active DirectoryLarry Meets Bill

Presented By:Craig Warman - Computer Resource Team, Inc. (USA)

Paper Section: 1

Overview of What’s Ahead• Oracle Portal 10g utilizes Oracle Internet

Directory (OID) as its repository for user identity management

• Many organizations, however, have standardized with Microsoft Active Directory (AD) to manage user credentials

Paper Section: 1

Overview of What’s Ahead• This presentation describes how Oracle

Directory Integration and Provisioning can be utilized to enable synchronization between OID and AD, including:

• Establishment of Synchronization Profiles• When to modify mapping files• Synchronization startup and "bootstrapping"• Deployment of the Oracle-supplied Active

Directory External Authentication Plug-in• Windows Native Authentication for “zero

sign-on” capability (brief discussion)

Paper Section: 2

Three-Tier Deployment

Oracle AS10gInfrastructure& Application

ServerComponents

Client Tier ApplicationServer Tier Database TierApplicationServer Tier

Paper Section: 2

Three-Tier Deployment

App Server Installation(s)

Containing Oracle 9iAS Components

ApplicationServer Tier Database TierClient Tier

Infrastructure Providing

Centralized Services

Customer Database

Instance(s)

This collection of application server installations, infrastructures, and customer databases is called an Application Server Enterprise

Infrastructure Providing

Centralized Services

Paper Section: 2

• A type of 9iAS installation that provides centralized:

• Security and management services• Configuration information• Data repositories

• It must be installed into its own Oracle Home

• In many production installations it resides on its own physical server

The Infrastructure Server

Paper Section: 2


Oracle Internet

DirectoryMetadata

Repository

Oracle 9iAS Single

Sign-On

Enables users to access multiple accounts and

applications with a single username and password

Paper Section: 2


Oracle Internet

DirectoryMetadata

Repository

Oracle 9iAS Single

Sign-On

Single Sign-On stores and manages its information

using calls to OID

Paper Section: 2

Oracle Internet

DirectoryMetadata

Repository

Oracle 9iAS Single

Sign-On

The Infrastructure ServerUses browser-based

cookies to help manage user sessions

Applications that directly delegate authentication to the SSO server are known as Partner Applications:

• Oracle Portal• Forms• Reports• Discoverer

Paper Section: 2

Oracle Internet

DirectoryMetadata

Repository

Oracle 9iAS Single

Sign-On


A Lightweight Directory Access Protocol (LDAP)

compliant directory service

Provides centralized storage of information about:

• Users• Groups

• Applications• Resources

Paper Section: 2


Oracle Internet

DirectoryMetadata

Repository

Oracle 9iAS Single

Sign-OnProvides OID’s

Information Storage

Paper Section: 2


Oracle Internet

DirectoryMetadata

Repository

Oracle 9iAS Single

Sign-On ActiveDirectoryOracle Directory Integration Platform

Enables synchronization between OID and various third-party directories such asNetegrity, iPlanet, Microsoft Active

Directory, and others

• Enables synchronization between OID and other LDAP repositories

• Includes a connector specifically for one-way or two-way synchronization with Microsoft Active Directory

The Directory Integrationand Provisioning (DIP) Tool

Important Note:This connector cannot extract

passwords from the AD repository

So the Oracle-supplied Active Directory External Authentication Plug-in must be utilized in order to validate user-supplied passwords “behind the scenes” during a user

login sequence

Paper Section: 3

• Additionally, the account must have List Contentand Read Properties permission on the cn=Deleted Objects container so that it can synchronize user deletions back to OID.

• An Active Directory account capable of reading user and group profiles must be established for use by OID DIP during the synchronization process.

Active Directory AccountFor Synchronization

Paper Section: 4

This may be accomplished by granting the account Domain Administrativeprivileges, by making it a member of

the Domain Administrators group, or by granting it Replicate Directory Changes

permission

We’ll create and use an account called

[email protected] Welcome1 as the

password for this purpose

• Invoke the Oracle Directory Integration and Provisioning Server Administrator console

• On Windows: Accessed through the Windows Start menu, under Programs : Oracle Infrastructure (home) : Integrated Management Tools : Oracle Directory Integration and Provisioning Server Administration.

• On Unix: dipassistant -gui• Login using the orcladmin account. The Oracle

Directory Integration and Provisioning Server Administrator console window will appear.

Synchronization Profile CreationPaper Section: 5

Detailed information about this tool appears in Chapter 3 of the Oracle Identity

Management Integration Guide, which is available online at http://download-

east.oracle.com/docs/cd/B14099_04/manage.1012/b14085/diptools.htm

• Select Active Directory Configuration in the System Objects list on the left-hand side of the window.

• An Express Configuration form will appear on the right-hand side of the window.

• Here’s how to fill in the fields…• Click the Apply button once entries are complete. • A confirmation dialogue should then appear…


Note that any Connector Name may be supplied (the value New is shown

in this example) – the Import Profile Name and Export Profile Name values are then generated

based on that name.

• Select Configuration Set 1 in the System Objectslist on the left-hand side of the window.

• Next, select the Import version of the newly-created profile on the right-hand side of the window, and click the Edit button.




• A tabbed window will appear for the currently-selected profile. The following changes should be made…


Be sure to change the Profile Status to ENABLE

The Scheduling Interval and Maximum Number of Retries

values may be adjusted to determine the synchronization

frequency and maximum number of retry errors before failure,

respectively





The Active Directory account and password may be modified using the Connected Directory

Account and Connected Directory Account Password









Check this field periodically to ensure that synchronizations

are succeeding

The Bootstrap Status will be set to BOOTSTRAP SUCCESSFUL

after completing the instructions in this presentation

Click the OK button to save any changes

• If the Active Directory structure used by the organization is non-standard or complex (such as one that spans multiple domains or employsan unusual group hierarchy) then the mappingmay need modification.

• The Domain Rules in the .map file define the mapping characteristics between AD and OID.

• Each rule defines one mapping.• A basic configuration will need only one rule - but

if the mapping is complex then multiple rules may defined.

Profile Mapping (optional)Paper Section: 6

Detailed information about mapping files can be obtained from Metalink note #261342.1,

available online at http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument

?p_database_id=NOT&p_id=261342.1

• The Oracle Directory Integration and Provisioning Server Administrator generates these files.

• They are located in the ldap\odi\conf directory of the current Oracle Home, and are named such that they match the profile to which they correspond…


• If the mapping files change then dipassistantmust be invoked from the command line, makingcertain to have first set the ORACLE_HOMEenvironmental variable:

dipassistant modifyprofile-port 13061-profile NewImport-D "cn=orcladmin" -w admin01odip.profile.mapfile=NewImport.map


Substitute as highlighted

• The following message should be displayed:Profile successfully modified.

• An initial migration of data from AD to OID (called a "bootstrap") is made by invoking dipassistant from the command line, makingcertain to have first set the ORACLE_HOMEenvironmental variable:

dipassistant bootstrap-port 13061-profile NewImport-D "cn=orcladmin"-w admin01

Bootstrap ExecutionPaper Section: 7


• Messages similar to the following should be displayed:

-----------------------------------------------Bootstrapping in progress.....Bootstrapping completed.#entries read ..................... 125#entries filtered ................. 0#entries ignored .................. 0#successfully processed entries ... 125#failures ......................... 0Please see the log file for more information.-----------------------------------------------Updating the profile's last change number ..... Done.


• Upon completion of the bootstrap process,return to the Oracle Directory Integration and Provisioning Server Administrator console and click the Refresh button.

• Select and Edit the current profile, then check the Status tab to see that the bootstrap success was recorded…


Refresh button

Check here for bootstrap success


• Invoke the Oracle Directory Manager console toexamine the migrated user and group entries

• On Windows: Accessed through the Windows Start menu, under Programs : Oracle Infrastructure (home) : Integrated Management Tools : Oracle Directory Manager.

• On Unix: oidadmin• Login using the orcladmin account.• Migrated user and group entries appear under

the Entry Management fork, typically starting withdc=com and working backwards throughthe domain name string…

• The directory integration and provisioning server is started by executing the following from the command line, making certain to have first set the ORACLE_HOME environmental variable:

oidctl connect=iasdb server=odisrv instance=2 configset=1 flags="port=13061" start

Synchronization StartupPaper Section: 8




Substitute the SQL*net connect string to the infrastructure's metadata repository

(Oracle database) here




Note that these values may need substitution

depending on your particular configuration



• This process will be maintained by the Oracle Process Monitor (OPMN) from this point forward, so it should not require manual startup/shutdown beyond this initial deployment.


Refresh button

Check here for synchronization

success

• Profile configuration changes may be needed whenever a long period of time elapses after the last most recent successful synchronization.

• The Oracle Directory Integration and Provisioning Server Administrator console generates the configuration file.

• This file is located in the ldap\odi\conf directory of the current Oracle Home, and named such that it matches the profile to which it corresponds…

Profile Configuration Changes (optional)Paper Section: 9

Detailed information about how and when to modify this file can be obtained from Metalink

note #312691.1, available online at http://metalink.oracle.com/

metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=261342.1

• If the configuration file changes then dipassistant must be invoked from the command line, making certain to have first set the ORACLE_HOME environmental variable:

dipassistant modifyprofile-port 13061-profile NewImport-D "cn=orcladmin" -w admin01odip.profile.configfile=NewImport.cfg

Profile Configuration Changes (optional)Paper Section: 9


• The following message should be displayed:Profile successfully modified.

• This plug-in validates user-supplied passwords with AD "behind the scenes" during a user login sequence.

• Important: These steps involve execution of Unix shell scripts. When installation takes place on a Windows platform, it will be necessary to obtain an emulation utility such as Cygwin.

Active Directory External Authentication Plug-In

Paper Section: 10

• Execute the oidspadi.sh script from within the Unix emulation utility, making certain to have first set the ORACLE_HOME environmental variable…

Detailed information about this process appears in Chapter 16 of the Oracle Identity

Management Integration Guide, which is available online at http://download-

east.oracle.com/docs/cd/B14099_04/manage.1012/b14085/odip_actdir.htm#CHDIEJEF

• This plug-in validates user-supplied passwords with AD "behind the scenes" during a user login sequence.

• Important: These steps involve execution of Unix shell scripts. When installation takes place on a Windows platform, it will be necessary to obtain an emulation utility such as Cygwin.


Paper Section: 10

export ORACLE_HOME="d:\oracle\infsrv"

cd $ORACLE_HOME/ldap/adminsh oidspadi.sh------------------------------------------OID Active Directory Plug-in Configuration------------------------------------------

Please make sure Database and OID are up and running.

Please enter Active Directory host name: shuttle.crtinc.com

Do you want to use SSL to connect to Active Directory? (y/n) n

Please enter Active Directory port number [389]: 389


Please enter DB connect string: iasdbPlease enter ODS password: admin01Please enter confirmed ODS password: admin01

Please enter orcladmin password: admin01Please enter confirmed orcladmin password: admin01

Please enter the subscriber common user search base: cn=Users,dc=crtinc,dc=com

Please enter the Plug-in Request Group DN:Please enter the exception entry property[(!(objectclass=orcladuser))]:

Do you want to setup the backup Active Directory for failover? (y/n) n

This tells the connector to avoid authenticating users

defined by Oracle (eg. if they didn’t get migrated from

Active Directory then don’t try to authenticate them

there). Without this it won’t be possible for users such as portal or orcladmin to log in!

Procedure created.No errors.Procedure created.No errors.No errors.No errors.

Registering Plug-ins ...adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry

adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry

------------------------------------------------------Done.

------------------------------------------------------

• Upon completion of the plug-in deployment process, return to the Oracle Directory Managerconsole and navigate to the click the Plug-In Management fork.

• Make sure that the Plug-in Enable property is set for both adwhencompare and adwhenbind…


Paper Section: 10

Be sure the Plug-In Enableproperty is set

here…

…and here.

• At this point:• OID has been populated with an initial set of users

and groups via bootstrap migration from Active directory

• The Oracle Directory Integration and Provisioning tool has been configured such that it will use the Active Directory Connector to keep this information synchronized.

• The Oracle Directory Server has been directed to authenticate users migrated from Active Directory using the Oracle-supplied Active Directory External Authentication Plug-in.

TestingPaper Section: 11

• It should now be possible to log in to Oracle Portal using one of the migrated Active Directory users.

• Do this by entering the following URL into a browser:

http://{machine name}:{port}/pls/portal


• It should now be possible to log in to Oracle Portal using one of the migrated Active Directory users.

• Do this by entering the following URL into a browser:

http://{machine name}:{port}/pls/portal


• Log in with one of the migrated Active Directory user accounts, using its current AD password.

• Note that the username should be of the form:name@ad_domain.com


• This feature allows users to authenticate with their desktop credentials when using Internet Explorer (only)

• Passes a Kerberos session ticket through the browser to the Oracle SSO server as a background operation.

• The login process is automatic - thus sometimes called "Zero Authentication"

Windows Native Authentication (WNA)Paper Section: 12

• The Active Directory / OID synchronization and External Authentication configuration steps outlined in this presentation satisfy the prerequisites for setting up WNA.

Step-by-step setup instructions are provided in the Windows Native Authentication OBE

document, which is available online at http://www.oracle.com/technology/obe/

obe_as_10g/im/wna/wna.htm

Paper Section: 12

Summary• This presentation described how Oracle

Directory Integration and Provisioning can be utilized to enable synchronization between OID and AD, including:

• Establishment of Synchronization Profiles• When to modify mapping files• Synchronization startup and "bootstrapping"• Deployment of the Oracle-supplied Active

Directory External Authentication Plug-in• Windows Native Authentication for “zero

sign-on” capability (brief discussion)

Integrating Oracle Portal andIntegrating Oracle Portal andMicrosoft Active DirectoryMicrosoft Active Directory

Presented By:Craig Warman - Computer Resource Team, Inc. (USA)

Date post:	27-Apr-2018
Category:	Documents
Upload:	vuliem
View:	220 times
Download:	3 times

Integrating Oracle Portal and Microsoft Active Directory … · Integrating Oracle Portal and...

Documents