The demonstration is tested on following environment,
Windows Domain controller: DC01.lab.dbaplus.ca - Windows 2022 Workstation 1: wkstn01 – Windows 11 + Oracle Client 19.3+ RU 19.22 Workstation 2: wkstn02 – Oracle Linux 9.3 + Oracle Client 19.3
1. Enable Anonymous Bind Operations to Active Directory (AD)
Tenically, this step does not expose any AD objects to anonymous access until the permission on the AD objects is explicitly granted to ANONYMOUS LOGON. Explicit permission granting is described in step 3.
To enable anonymous LDAP operations, the 7th bit of AD attribute dSHeuristics has to be set to 2.
The dSHeuristics is a Unicode string attribute. Each character in the string represents a heuristic that is used to determine the behavior of Active Directory.
* Before enabling, ldapsearch command should return errors like folloiwng,
C:\>ldapsearch -h DC01.lab.dbaplus.ca -p 389 -D cn=Users -b "dc=lab,dc=dbaplus,dc=ca" "(objectclass=user)" ldap_search: Operations error ldap_search: additional info: 000004DC: LdapErr: DSID-0C090A5A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7cssss
* Start ADSI Edit on domain controller to update dSHeuristics
Connect to "Configuration" Context by,
Click menu "Action", then click "Connect to".
In the popup window, select a well known Naming context (Configuration), then click "Ok". On the left pane of ADSI Edit window, you will see top level item "Configuration [DC01.lab.dbaplus.ca]", DC01.lab.dbaplus.ca is my Windows domain controller server name, you would see your own name.
Double-click Configuration [DC01.lab.dbaplus.ca] to expand the tree,
Configuration [DC01.lab.dbaplus.ca]
-> CN=Configuration,DC=lab,DC=dbaplus,DC=ca
-> CN=Services
-> CN=Windows NT
-> CN=Directory Service
Right click "CN=Directory Service", then click "Properties", in "CN=Directory Service Properties" window, select 'dSHeuristics', then click "Edit".
If the dSHeuristics string was already in existence before this operation(Value is not '<not set>'), no characters in the dSHeuristics string other than the seventh character should be modified. If the dSHeuristics string did not yet exist before this operation, the first through sixth characters would be set to their default values, resulting in a dSHeuristics string of "0000002" in this case.
After the value is changed, Click Ok to exit "String Attribute Editor" window and back to "CN=Directory Service Properties" window, click "Apply" , then click "ok".
* After enabling, ldapsearch succeeds because anonymous bind operations are allowed now. However, the command does not return any objects because no permission are granted on AD objects yet,
C:\>ldapsearch -h DC01.lab.dbaplus.ca -p 389 -D cn=Users -b "dc=lab,dc=dbaplus,dc=ca" "(objectclass=user)" C:\>
2. Extending the Active Directory Schema for Oracle Net Naming to include Oracle Schema and Oracle Context
This step cannot be rollback. Therefore, it is strongly recommended to back up the AD. This step will create a group of AD objects (containers, schemas, etc.), such as
* Default naming context [DC01.lab.dbaplus.ca]
->DC=lab,DC=dbaplus,DC=ca
->CN=OracleContext
* Configuration [DC01.lab.dbaplus.ca]
->CN=Configuration,DC=lab,DC=dbaplus,DC=ca
->CN=OracleSchemaVersion
* Schema [DC01.lab.dbaplus.ca]
->CN=Schema,CN=Configuration,DC=lab,DC=dbaplus,DC=ca
CN=orclContainer
CN=orclContext
CN=orclDBDistinguishedName
CN=orclDBEnterpriseDomain
CN=orclDBEnterpriseRole
CN=orclDBEntRoleAssigned
CN=orclDBEntryLevelMapping
CN=orclDBEntUser
CN=orclDBGlobalName
CN=orclDBNativeUser
CN=orclDBRoleOccupant
CN=orclDBServer
CN=orclDBServerMember
CN=orclDBServerRole
CN=orclDBSubtreeLevelMapping
CN=orclDBTrustedDomain
CN=orclDBtrustedUser
CN=orclNetAddress
CN=orclNetAddressList
CN=orclNetAddressString
CN=orclNetAddrList
CN=orclNetAuthenticationService
CN=orclNetAuthenticationType
CN=orclNetAuthParams
CN=orclNetConnParamList
CN=orclNetDescList
CN=orclNetDescName
CN=orclNetDescription
CN=orclNetDescriptionList
CN=orclNetDescString
CN=orclNetFailover
CN=orclNetHandlerName
CN=orclNetInstanceName
CN=orclNetLoadBalance
CN=orclNetParamList
CN=orclNetProtocol
CN=orclNetProtocolStack
CN=orclNetSdu
CN=orclNetServer
CN=orclNetService
CN=orclNetServiceName
CN=orclNetShared
CN=orclNetSourceRoute
CN=orclOracleHome
CN=orclProductVersion
CN=orclSchemaVersion
CN=orclService
CN=orclServiceType
CN=orclSid
CN=orclSystemName
CN=orclVersion
Log as a domain user onto a client computer where Oracle 19c software (client or server) is installed. My demonstration was done on Windows 11 with Oracle 19.22 Client installed, computer name is wkstn01.
The domain user has to be a member of Schema Administrator group or as a member who has rights to update the schema into schema master domain. Schema master domain administrators are schema administrators by default.
The client computer must be a part of the schema master domain, you may work on domain controller if Oracle Client is installed on it.
* Start Oracle Net Configuration Assistant (NETCA)
* In "Welcome" window
Select the "Directory Usage Configuration" option, then click Next.
* In "Directory Usage Configuration, Directory Type" window, select "Microsoft Active Directory" from the dropdown list, then click Next.
* In "Directory Usage Configuration" window, click "Select the directory server you want to use, and configure the directory server for Oracle usage.(Create or upgrade the Oracle Schema and Context as necessary), then click Next.
* In "Directory Usage Configuration, Directory Location" window, enter following information,
Hostname: the computer name of AD domain controler, DC01.lab.dbaplus.ca in my test.
User Distinguished Name (DN): AD user whose has schema administrator privilege
Password: password of the user which is entered for DN.
Note: User DN must be format username@<domain name>, for my test, it is administrator@lab.dbaplus.ca
Then click Next.
* In "Directory Usage Configuration, No Oracle Schema" window, click "Yes, I want to add the required Oracle Schema. I have the authorization necessary to do so.", then click Next.
If did not enter correct User DN and /or password, you get following errors,
The Assistant is unable to create or upgrade the Oracle Schema for the following reason: An error occurred while trying to create the Oracle Schema for the following reason: oracle.net.config.ConfigException: TNS-04424: Operation not allowed with anonymous LDAP user credentials
You may need to upgrade directory schema from a specific computer which directly supports your directory type.
If this is the case, click OK, then click Back until back to "Directory Usage Configuration, Directory Location" window to re-enter correct User DN and password.
If you did not get previous errors, you should get following errors
The Assistant is unable to create or upgrade the Oracle Schema for the following reason: ConfigException: Oracle Schema creation was successful, but Active Directory Display Specifier creation failed. oracle.net.config.ConfigException: TNS-04420: Problem running LDAPMODIFY
You may need to upgrade directory schema from a specific computer which directly supports your directory type.
This error can be ignored, just click OK. The NETCA application will return to "Welcome" window.
* In "Welcome" window
Select "Directory Usage Configuration", then click Next.
* In "Directory Usage Configuration, Directory Type" window, select "Microsoft Active Directory" from the dropdown list, then click Next.
* In "Directory Usage Configuration" window, click "Select the directory server you want to use, and configure the directory server for Oracle usage.(Create or upgrade the Oracle Schema and Context as necessary), then click Next.
* In "Directory Usage Configuration, Directory Location" window, enter same Hostname, User DN and Password as before. Then click Next.
* In "Directory Usage Configuration, No Oracle Context" window, click "Yes, I want to add a new Oracle Context", then click Next.
* In "Directory Usage Configuration, Choose Oracle Context Location" window, select your domain DN which is the fist item in the dropdown list. It is "DC=lab,DC=dbaplus,DC=ca" in my test. Then click Next.
It will show successful messages
Directory usage configuration complete!
The distinguished name of your default Oracle Context is:
cn=OracleContext,DC=lab,DC=dbaplus,DC=ca
Depends on luck, you may get following error message,
An error occurred while trying to create or upgrade an Oracle Context for the following reason:
It does not show what "the following reason" is. Based on my test, this error can be ignored, the Oracle Context was created.
3. Configure permission on OracleContext in Active Directory
This step includes two permission grantings,
a. Grant "List contents" & "Read all properties" permissions on AD object "OracleContext" and its all descendant objects to "ANONYMOUS LOGON". It allows anonymous LDAP query on the child objects of OracleContext so that Oracle clients can access OracleContext without authentication.
b. Grant "full control" permission on OracleContext and its all descendant objects to an AD group whose member usually maintenance the database service names in AD, it is ORA_DBA in my test.
Note: the permission should be over-granted, you may want to implement finer access control. For example, use "Read permissions", "Modify permission" and "Delete" instead of "Full control".
* Start ADSI Edit on domain controller
* In left panel of the window
Expand double click "Default naming context [DC01.lab.dbapus.ca]" and expand the tree to show following items
->DC=lab,DC=dbaplus,DC=ca <= In your environment, it should represent your domain
->CN=OracleContext
* Right click "CN=OracleContext", then click "Properties" on the popup menu.
* In "CN=OracleContext Properties" window,
Select "Security" tab, then click "Advanced" button.
* In "Advanced Security Settings for OracleContext" window,
Select "Permissions" tab, click "Add" button.
* In "Permission Entry for OracleContext" window,
Click "Select a principal"
* In "Select User, Computer, Service Account, or Group" window,
Make sure following items:
"Select this object type:" - "User, Group, or Built-in security principal"
"From this location: " - "<your domain name>" (lab.dbaplus.ca in my test)
"Enter the object name to select (examples):" - "ANONYMOUS LOGON"
Optionally, you can click "Check Names" button to make sure "ANONYMOUS LOGON" is valid in your domain.
Then click OK and back to "Permission Entry for OracleContext" window.
* In "Permission Entry for OracleContext" window,
Confirm following items:
"Principal:" - "ANONYMOUS LOGON"
"Type:" - "Allow"
"Applies to:" - "This object and all descendant objects"
"Permissions:" - "List contents" and "Read all properties" selected
Then click Ok, and back to "Advanced Security Settings for OracleContext" window.
* In "Advanced Security Settings for OracleContext" window,
Following same step as "ANONYMOUS LOGON" to add "Full Control" permission to one of your AD group (ORA_DBA in my test).
4. Create Oracle net service name in Active Directory
As a member AD account of the AD group which you granted "Full control" on OracleContext, log onto a Windows domain computer where Oracle Client (19c or higher is recommended) is installed.
* Add LDAP option to NAMES.DIRECTORY_PATH in file sqlnet.ora
NAMES.DIRECTORY_PATH=(LDAP,TNSNAMES,EZCONNECT)
* Add following lines to file ldap.ora, if ldap.ora does not exist, create it instead
DEFAULT_ADMIN_CONTEXT="dc=lab,dc=dbaplus,dc=ca"
DIRECTORY_SERVERS=(DC01.lab.dbaplus.ca:389:636,DC02.lab.dbaplus.ca:389:636)
DIRECTORY_SERVER_TYPE=AD
Note:
a. The context "dc=lab,dc=dbaplus,dc=ca" is for my testing domain. Please change it to your owns.
b. DC01 & DC02 are my domain controllers, it is for HA purpose. It can be only one configured.
c. Port 389 & 636 are default port numbers for LDAP &LDAPS respectively. You have to change them if you are using custom port number in your network.
* Start Oracle Net Manager
* In left panel of the window
Expand "Directory", then select "Service Naming"
Note: If "Directory" does not show up, it could be one of following reasons,
a. The sqlnet.ora and / or ldap.ora are not configured properly.
b. "ANONYMOUS LOGON" are not granted proper permission
c. The directory servers (domain controller) are not reachable to the current computer
Then click the plus icon "+" on the top left corner of the windows
* In "Net service Name Wizard" windows
Follow the wizard, step by step to create a service name.
5. Configure sqlnet.ora and ldap.ora on all Oracle Clients
Copy the files sqlnet.ora and ldap.ora created in step 4 to all Oracle client computers.
No comments:
Post a Comment