Wallet encryption

Material from wiki.spbal.ru

Oracle Database can authenticate and authorize Microsoft Active Directory users directly, without intermediate directories or Oracle Enterprise User Security.

This chapter covers the following topics:
- Introduction to centrally managed users with Microsoft Active Directory: centrally managed users (CMU) provide simpler integration with Microsoft Active Directory for centralized authentication and authorization of Oracle database users against Active Directory.
- Configuring authentication for centrally managed users: you can configure password authentication, Kerberos authentication, or public key infrastructure (PKI) authentication.
- Configuring authorization for centrally managed users: with centrally managed users, you manage in Active Directory which users are authorized to access the Oracle database.
- Integration of the Oracle database with Microsoft Active Directory account policies.
- Configuring centrally managed users on an Oracle Autonomous Database: you can deploy centrally managed users (CMU) on Oracle Autonomous Database.
- Errors that may occur when a Microsoft Active Directory user tries to log in to the Oracle database.

6.1 Introduction to centrally managed users with Microsoft Active Directory
Centrally managed users (CMU) provide simpler integration with Microsoft Active Directory for centralized authentication and authorization of users.
This section contains the following topics:
- About Oracle Database-Microsoft Active Directory integration: centrally managed users provide simpler integration with Microsoft Active Directory for centralized authentication and authorization of users.
- How centrally managed users with Microsoft Active Directory works: Microsoft Active Directory users and groups are mapped directly to Oracle database users.
- Supported authentication methods: the Oracle Database-Microsoft Active Directory integration supports three general authentication methods.
- Users supported by centrally managed users with Microsoft Active Directory: shared schemas and administrative users.
- How the Oracle Multitenant option affects centrally managed users: users of a multitenant database in pluggable databases can connect to a different Microsoft Active Directory.

6.1.1 About Oracle Database-Microsoft Active Directory integration
Centrally managed users provide simpler integration with Microsoft Active Directory for centralized authentication and authorization of users.
The minimum version requirement for the Active Directory server operating system is Microsoft Windows Server 2008 R2.
This integration lets organizations use Active Directory to centrally manage users and roles across multiple Oracle databases with a single directory, alongside their other information technology services. Active Directory users can authenticate to the Oracle database using the credentials stored in Active Directory. Active Directory users can be mapped to database users (schemas) and roles through Active Directory groups. Microsoft Active Directory users can be mapped to exclusive or shared users of the Oracle database, and they are associated with database roles through group membership. Active Directory account policies, such as password expiration time and lockout after a specified number of failed login attempts, are enforced by the Oracle database when users log in.
Before Oracle Database 18c release 1 (18.1), database user authentication and authorization were integrated with Active Directory by configuring Oracle Enterprise User Security and by installing and configuring Oracle Internet Directory (or Oracle Unified Directory). That architecture is still supported and can continue to be used by customers who require Oracle enterprise domains, shared user access across trusted databases, complex enterprise roles, and a single place to audit database privileges and roles.
Most organizations do not have these complex requirements. Instead, they can use centrally managed users (CMU) with Active Directory. This integration is designed for organizations that prefer to use Active Directory as their centralized identity solution. Oracle Net naming services continue to work with directories as before. Using CMU with Active Directory is backward compatible with currently supported Oracle clients. This means that LDAP bind operations are not used for password authentication; instead, you must install the Oracle password filter in Active Directory and extend the Active Directory schema so that it can store Oracle password verifiers. Centrally managed users with Active Directory is intended for the following customers:
- Organizations that currently use strong authentication such as Kerberos or public key infrastructure (PKI). These users already have a centralized identity system in place.
- Users who use Oracle Enterprise User Security with Oracle Internet Directory, Oracle Unified Directory or Oracle Directory and who need to integrate with Active Directory.

6.1.2 How centrally managed users with Microsoft Active Directory works
The integration works by mapping Microsoft Active Directory users and groups directly to Oracle database users and roles.
For the CMU with Active Directory integration to work, the Oracle database must be able to log in to a service account created specifically for the database in Active Directory. The database uses this service account to query Active Directory for user and group information when a user logs in to the database. This Active Directory account must have all the privileges needed to read user and group information, as well as to write the updates related to account policies in Active Directory (for example, recording failed login attempts and clearing failed login attempts). Users can be authenticated with passwords, Kerberos or PKI, and can be assigned an exclusive schema or a shared schema. Mapping an Active Directory user to a shared schema is determined by the user's membership in the Active Directory group that is mapped to the shared schema. Active Directory groups are also mapped to global roles. The Active Directory security administrator can assign a user to groups that are mapped to shared database global users (schemas) and/or global roles, and thereby update the privileges and roles that the Active Directory user holds in the database.

6.1.3 Centrally managed user-Microsoft Active Directory architecture
The CMU with Active Directory architecture allows Oracle database users and roles to be managed through Active Directory. The following figure illustrates how CMU with Oracle Database works. In the figure, users, through applications, connect to the Oracle database either as non-administrative users or as administrative users, authenticated by password, Kerberos, or public key infrastructure (PKI). The database's connection to Active Directory allows these users and roles to be mapped to Active Directory users and groups. If you plan to use password authentication, you must install the Oracle password filter in Active Directory. You can use the Oracle utility that installs the Oracle filter, which generates Oracle password verifiers for individual users when needed. The same utility can also extend the Active Directory schema to store the Oracle password verifiers. With centrally managed users, the Active Directory administrator can manage authentication, user administration, account policies, and group assignments for the Active Directory users and groups that are mapped to Oracle database users.
6.1.4 Supported authentication methods
The Oracle Database-Microsoft Active Directory integration supports three general authentication methods.
These authentication methods are as follows:
- Password authentication
- Kerberos authentication
- Public key infrastructure (PKI) authentication (certificate-based authentication)

Related topic: Configuring authentication for centrally managed users
6.1.5 Users supported by centrally managed users with Microsoft Active Directory
CMU with Active Directory supports exclusively mapped users, users mapped to shared schemas, and administrative users:
- Directory users who need quick and easy access to the Oracle database through a shared schema. Such a user is a member of a directory group that is mapped to a shared schema (database user). Using shared schemas allows centralized management of directory users' database access in Active Directory and is the recommended approach, compared with using exclusive schemas (described later). Even when only one user is mapped to a schema (for example, the administrator responsible for database backups), it is easier to add another backup administrator or remove the existing one by making the change only in Active Directory, rather than making the change in every affected database. Likewise, when a user changes roles in the organization, they receive their new database privileges through the new group in Active Directory.
Active Directory users can accidentally (or intentionally) be members of several Active Directory groups that are mapped to different shared schemas in the same database. A user can also have an exclusive mapping to a database schema. When a user has several possible schema mappings at login, the following precedence rules apply:
- If the user has an exclusive mapping, that mapping takes precedence over all shared mappings.
- If the user has several shared schema mappings, the shared user with the lowest schema identifier (USER_ID) takes precedence.
Oracle recommends that a user have only one possible schema mapping in a database, so that unexpected schema mappings do not occur.
Oracle recommends that these users be granted privileges through global roles. Granting privileges this way keeps authorization centralized: privileges and roles for the user are managed in one place rather than by going into each database to add privileges and roles for the user.
- Administrative users, who hold one of the following administrative privileges: SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM and SYSRAC.
You cannot grant these administrative privileges through global roles. To authorize an Active Directory user with one of these administrative privileges, you must map the directory user to a database user (either exclusively or through a shared schema) that already has the administrative privilege granted to its database user account.
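As an added example (not code from the page or from Oracle's documentation), the following SQL shows how the mappings described above are expressed with the IDENTIFIED GLOBALLY clause; the DNs, schema and role names and the HR table are constructed placeholders, and the statements are assumed to run inside a PDB (in the CDB root the user and role names would need the C## prefix).

```sql
-- Added example, not from the original page. All DNs, user names, role
-- names and the table hr.employees are constructed placeholders.

-- Shared schema: every member of the AD group "Sales" maps to this one
-- database user. Who gets access is decided by group membership in AD.
CREATE USER sales_users IDENTIFIED GLOBALLY AS
  'CN=Sales,OU=Groups,DC=production,DC=examplecorp,DC=com';
GRANT CREATE SESSION TO sales_users;

-- Exclusive schema: one AD user maps to one database user. At login an
-- exclusive mapping takes precedence over any shared-schema mapping.
CREATE USER pfitch IDENTIFIED GLOBALLY AS
  'CN=Peter Fitch,OU=Users,DC=production,DC=examplecorp,DC=com';
GRANT CREATE SESSION TO pfitch;

-- Global role: privileges are granted to the role in the database, while
-- the AD group decides who holds the role. Prefer this over granting
-- object privileges to shared or exclusive schemas directly.
CREATE ROLE hr_read_role IDENTIFIED GLOBALLY AS
  'CN=HR Readers,OU=Groups,DC=production,DC=examplecorp,DC=com';
GRANT SELECT ON hr.employees TO hr_read_role;   -- hr.employees is assumed

-- Administrative privileges cannot be carried by a global role, so the
-- mapped database user itself must hold them.
CREATE USER ad_backup_admins IDENTIFIED GLOBALLY AS
  'CN=DB Backup Admins,OU=Groups,DC=production,DC=examplecorp,DC=com';
GRANT SYSBACKUP TO ad_backup_admins;

-- Review the mappings. If an AD user belongs to several groups that map
-- to shared schemas, the shared user with the lowest USER_ID wins, so
-- ordering by USER_ID shows which schema such a user would land in.
SELECT username, user_id, external_name
  FROM dba_users
 WHERE external_name IS NOT NULL
 ORDER BY user_id;

-- Global roles are listed separately.
SELECT role, common
  FROM dba_roles
 WHERE authentication_type = 'GLOBAL';
```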
Related topic: Configuring authorization for centrally managed users
6.1.6 How the Oracle Multitenant option affects centrally managed users
Users of a multitenant database in pluggable databases (PDBs) can connect to a common Microsoft Active Directory and, if needed, users in an individual PDB can connect to a different Microsoft Active Directory. In the common configuration, the entire CDB authenticates and authorizes users against one Active Directory server, or against multiple Active Directory servers in the same Active Directory domain or in trusted Windows domains. Alternatively, individual PDBs can authenticate and authorize users against different Active Directory servers in the same domain or in different (trusted or untrusted) Windows domains, based on their individual configurations.
6.1.7 Centrally managed users with database links
CMU supports both fixed user database links and connected user database links, but not current user database links.
There are no special requirements for CMU-Active Directory users to use fixed user database links. CMU-Active Directory users authenticated by password, Kerberos or PKI can use fixed user database links just as regular database users do. Kerberos authentication also works with Oracle Database strong authentication over database links. For more information, see My Oracle Support note 1370327.1.
For CMU-Active Directory users to use connected user database links, only password authentication is supported, and both the source and the target database must be configured with CMU-Active Directory so that the same Active Directory user can log in to both databases with password authentication.
Parent topic: Introduction to centrally managed users with Microsoft Active Directory
6.2 Configuring Oracle Database-Microsoft Active Directory integration
Before you can use Microsoft Active Directory for user authentication and authorization, you must configure the Oracle database for Active Directory.
This section contains the following topics:
- About the Oracle Database-Microsoft Active Directory connection: before configuring this connection, you must have Microsoft Active Directory installed and configured.
- Configuring the Oracle Database-Microsoft Active Directory connection: you can configure the connection during database creation or for an existing Oracle database.
6.2.1 About the Oracle Database-Microsoft Active Directory connection
Before configuring this connection, you must have Microsoft Active Directory installed and configured for password, Kerberos, or public key infrastructure (PKI) authentication. Before you map database users and global roles to Active Directory users and groups, make sure that the Active Directory users and groups have been created. You map database users and global roles to Active Directory users and groups with the CREATE USER, CREATE ROLE, ALTER USER and ALTER ROLE SQL statements using the IDENTIFIED GLOBALLY clause. The Active Directory system administrator should also create the Active Directory groups, with their Active Directory users, that your mappings require.
The Active Directory system administrator determines whether Active Directory connections are made with or without SASL. The Oracle database automatically tries the Active Directory connection with SASL bind; if that is not possible, it tries the connection without SASL bind, but still secured with TLS. This means that, regardless of the SASL settings the Microsoft Active Directory administrator may have configured on Active Directory, the Oracle database will still connect even if the SASL bind fails.

6.2.2 Configuring the Oracle Database-Microsoft Active Directory connection
You can configure the Microsoft Active Directory connection during database creation or for an existing Oracle database. The configuration consists of the following steps:
- Step 1: create an Oracle service directory user account for Microsoft Active Directory and grant permissions. The Oracle service directory user account is designed for cooperation between the Oracle database and LDAP directory services.
- Step 2: for password authentication, install the password filter and extend the Microsoft Active Directory schema. The directory administrator can run the opwdintg.exe executable on the Active Directory server to install the password filter and extend the Active Directory schema.
- Step 3: if you have not done so yet, use Oracle Universal Installer (OUI) to install the Oracle software.
- Step 4: create the dsi.ora or ldap.ora file for centrally managed users with Active Directory.
- Step 5: request the Active Directory certificate for a secure connection. After configuring the dsi.ora or ldap.ora file, prepare the Microsoft Active Directory and Oracle database certificates for a secure connection.
- Step 6: create a wallet for a secure connection. After copying the Active Directory certificate, add it to the Oracle wallet.
- Step 7: configure the Microsoft Active Directory connection. You are then ready to connect the database to Active Directory using the settings you have prepared.
- Step 8: verify that the wallet was created successfully.
Parent topic: Configuring Oracle Database-Microsoft Active Directory integration
6.2.2.1 Step 1: create an Oracle service directory user account for Microsoft Active Directory and grant permissions

The Oracle service directory user account is designed for cooperation between the Oracle database and the LDAP directory service. You need Active Directory administrative privileges to create the user and to grant permissions to the user account. Create the Oracle service directory user account as an Active Directory user. Depending on which Windows domains your Active Directory users are in, choose where the service user account is created. Follow these guidelines:
- If the Active Directory users are in a single domain, create this account in that domain.
- If the users are in several domains, the chosen domain must be trusted by all the other domains, and the account must be granted access to the properties of the Active Directory users in those Windows domains.

- All other domains must support simple TLS/SSL binds so that the service user from the trusted domain can access them.
- All other domain administrators must grant the minimum necessary permissions to the service user of the trusted domain. Grant the service user account in Active Directory the following permissions on the properties of the Active Directory users who need to access Oracle databases: read access (to the properties of directory users who will log in to the Oracle database); write access (for directory users who will use password authentication to log in to the Oracle database); control access (to the orclCommonAttribute property of Active Directory users who will use password authentication to log in to the Oracle database).
6.2.2.2 Step 2: for password authentication, install the password filter and extend the Microsoft Active Directory schema
You can run the opwdintg.exe executable on the Active Directory server to install the password filter and extend the Active Directory schema.
Note that orclCommonAttribute stores the Oracle password verifier for the Active Directory user. This attribute is also used for password authentication with other Oracle products or features, such as Enterprise User Security. For security, you can deny everyone except the Oracle service directory user access to the orclCommonAttribute property. To obtain the utility: if you have a My Oracle Support account, log in to My Oracle Support and search for Doc ID 2462012.1, then download opwdintg.exe; this is the latest version. If you do not have a My Oracle Support account, register for one so that you can obtain the latest version of opwdintg.exe from Doc ID 2462012.1.


Using a secure copy method (for example, SFTP), copy opwdintg.exe to a temporary directory (for example, C:\temp) on each Windows domain controller. Log in to each Windows domain controller as the Active Directory administrator. The opwdintg.exe utility currently requires the English version of Windows. If you are reinstalling an updated password filter with a new opwdintg.exe, you must restart the domain controller afterwards. Go to the directory that contains opwdintg.exe, for example: cd C:\temp
- Run the utility from the command line by typing: .\opwdintg.exe
- At the prompt "Do you want to extend the AD schema? [Yes/No]:", enter Yes. At the prompt "Extending the Active Directory schema requires the Windows language setting to be configured. Continue? [Yes/No]:", enter Yes. Note the following:
- You can extend the Active Directory schema only once. If you try to extend the schema again, errors appear, but you can ignore them.
- This step creates the following three verifier groups. If these groups already exist, errors appear, but you can ignore them. These verifier groups can be moved out of the default Users folder of Active Directory, or outside of the folder structure used for user objects.
- ORA_VFR_MD5 is required when you use the Oracle Database WebDAV client.
- ORA_VFR_11G enables the use of the Oracle Database 11g verifier.
- ORA_VFR_12C enables the use of the Oracle Database 12c verifier.
- If you have not extended the Active Directory schema before, be aware that once extended, the Active Directory schema extension cannot be reverted.
- If a password filter is already installed, run opwdintg.exe again to reinstall the password filter, following its prompts. Otherwise, after the computer restarts, password verifiers will no longer be generated when Active Directory users change their passwords.

6.2.2.3 Step 3: install the Oracle Database software if you have not already done so
If you have not done so yet, use Oracle Universal Installer (OUI) to install the Oracle software.
Follow the instructions in the installation guide for your platform to install the Oracle software.
6.2.2.4 Step 4: create a dsi.ora or ldap.ora file
The dsi.ora and ldap.ora files configure centrally managed users for Active Directory.
This section contains the following topics:
- Comparison of the dsi.ora and ldap.ora files: whether you use dsi.ora or ldap.ora depends on how ldap.ora is used with other services.
- About using the dsi.ora file: the dsi.ora configuration file specifies the information needed to locate the Active Directory servers for centrally managed users.

6.2.2.4.1 Comparison of the dsi.ora and ldap.ora files
Whether you use dsi.ora or ldap.ora depends on how ldap.ora is used with other services.
The dsi.ora file specifies the Active Directory connection for centrally managed users. The ldap.ora file can also specify the connection to the Active Directory server. However, because individual PDBs cannot have their own ldap.ora, and because ldap.ora may already be used (or may be used in the future) for other services such as net naming, Oracle recommends using dsi.ora for centrally managed users.
6.2.2.4.2 About using the dsi.ora file
You use the dsi.ora file to specify the Active Directory servers for centrally managed users.
You must create the dsi.ora file manually to identify the Active Directory servers. The dsi.ora file provides Active Directory connection information for all PDBs if it is placed in one of the locations where the ldap.ora file may also be placed. A dsi.ora file in a PDB-specific wallet location takes precedence over the main dsi.ora file, for that PDB only. Oracle recommends using directories under $ORACLE_BASE, not $ORACLE_HOME, for configuration files. Starting with Oracle Database 18c, the $ORACLE_HOME directory can be set to read-only. Therefore, place the dsi.ora file in a directory outside $ORACLE_HOME so that the dsi.ora configuration is preserved across future releases. When you create dsi.ora, the Oracle database searches for the file in the following order:
1. If WALLET_LOCATION is configured in the sqlnet.ora file, then for a non-multitenant database, or for the root container of a multitenant database, Oracle looks for the file in the location specified in sqlnet.ora. For a PDB, the multitenant database looks for the PDB's file in the PDB wallet location, which is the WALLET_LOCATION_specified_in_sqlnet.ora/PDB_GUID directory.
2. If WALLET_LOCATION is not set in the sqlnet.ora file, the database looks for the file in the default wallet location.
3. If the database cannot find dsi.ora in the wallet location, it looks for the file in the following locations, in this order. These are the same locations in which the database looks for an ldap.ora file:
   - the directory set in the $LDAP_ADMIN environment variable
   - the $ORACLE_HOME/ldap/admin directory
   - the directory set in the $TNS_ADMIN environment variable
   - the $ORACLE_HOME/network/admin directory
Oracle recommends using only dsi.ora to locate the Active Directory servers for centrally managed users. If both dsi.ora and ldap.ora are configured in the same database for centrally managed users with Active Directory and both are in the same directory, dsi.ora takes precedence over ldap.ora. If they are in different directories, Oracle uses whichever file is found first in the priority list above to choose the Active Directory server. If the directory server specified in the first dsi.ora or ldap.ora found is not an Active Directory server, centrally managed users will not work. You can specify dsi.ora files for individual PDBs in a multitenant database. A PDB-specific dsi.ora overrides the common settings from any other dsi.ora or ldap.ora, for that one PDB. Different PDBs can therefore connect to different Active Directory servers for CMU.
The dsi.ora file for an individual PDB resides in the same directory as the wallet for that PDB. The file for the individual PDB is stored in the PDB wallet, in the WALLET_LOCATION_specified_in_sqlnet.ora/PDB_GUID/ directory.
When the WALLET_LOCATION parameter in sqlnet.ora is not set, the default wallet location is used. The wallet location for an individual container in a multitenant database is the $ORACLE_BASE/admin/DB_UNIQUE_NAME/PDB_GUID/wallet/ directory. For the PDB to use the default wallet location, WALLET_LOCATION must not be set in sqlnet.ora. To find the PDB_GUID from the CDB root, run the following query:
How the WALLET_LOCATION parameter in sqlnet.ora affects dsi.ora
Setting or not setting the WALLET_LOCATION parameter in sqlnet.ora has the following effects:
- If WALLET_LOCATION is not set in sqlnet.ora, you can also place dsi.ora in the wallet directory of the CDB root container, located in $ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet. However, this connects only the CDB root container to Active Directory, not the entire CDB. If you change the contents of dsi.ora after the database has started, you must either restart the database instance or re-run the following DDL to make the updated contents of dsi.ora effective:
In a multitenant environment, you must set the LDAP_DIRECTORY_ACCESS parameter in each PDB, not for the entire CDB.
6.2.2.4.3 Creating dsi.ora
The dsi.ora configuration file specifies the information needed to locate the Active Directory servers for centrally managed users.
Log in to the host where the Oracle database is located. Go to the directory for the dsi.ora file, as determined by the search order for the dsi.ora file (see related topics). If this directory does not exist, create it. Then go to this directory and create the dsi.ora file with the following parameters. DSI_DIRECTORY_SERVERS: the directory server name must be a fully qualified name. You can also specify several Active Directory servers if you intend to use several Windows domains. For example: DSI_DIRECTORY_SERVERS = (ad-server.production.examplecorp.com:389:636, sparky.examplecorp.com:389:636). For CMU, you can configure the Active Directory domain controllers for high availability with one of the following methods:
- Using a load balancer in front of the Active Directory domain controllers.
- Listing each Active Directory domain controller by host name or IP address in the list.
- Using a domain name that resolves to different Active Directory domain controllers.
Using a load balancer is the preferred choice, especially if you already use one for the Active Directory domain controllers. The load balancer lets you manage, add, or remove the Active Directory domain controllers behind it without changing the dsi.ora file. Listing the Active Directory domain controllers is simpler and cheaper, but it ties you to those specific servers, so changes (new or retired servers) must usually be reflected in dsi.ora. Using a domain name offers some high availability and fault tolerance, but it is not a perfect solution: DNS must return different servers rather than the same server every time, and CMU tries only the first server returned by the domain name lookup; if that server fails, authentication fails. However, using a domain name lets you use any of the domain's controllers without listing the hosts in dsi.ora. DSI_DEFAULT_ADMIN_CONTEXT: the search base under which users and groups are located. This parameter is optional. By default, Oracle finds Active Directory users and groups in the Active Directory default context. Oracle recommends not setting this parameter. Set it only if you want to limit the search scope for Active Directory users and groups. For example: DSI_DEFAULT_ADMIN_CONTEXT = "ou=sales,dc=production,dc=examplecorp,dc=com"
DSI_DIRECTORY_SERVER_TYPE: specifies the type of directory server. Set it to AD for Active Directory. Enter this value in upper case. For example: DSI_DIRECTORY_SERVER_TYPE = AD

6.2.2.4.4 About using the ldap.ora file
You can use the ldap.ora file to specify the Active Directory servers for centrally managed users.
If you have been using the ldap.ora file for some time, for example for net naming services, you should use dsi.ora for the centrally managed users settings that connect to Active Directory for user authentication and authorization. Even if Active Directory is already used for net naming services, you can create and use the dsi.ora file to specify the Active Directory servers for centrally managed users. Even if the database does not currently use ldap.ora for another service, Oracle recommends using dsi.ora in case ldap.ora is used in the future for net naming.
If ldap.ora is used for naming services, do not add any changes to ldap.ora; use dsi.ora for the CMU-Active Directory settings instead. You can use the DBCA graphical interface or DBCA silent mode to complete the configuration of the connection to the Active Directory servers. When using dsi.ora, the steps that configure the connection to Active Directory can be performed separately. The ldap.ora file is stored in the $ORACLE_HOME/network/admin directory. Note that the ldap.ora file cannot be in the wallet directory specified by WALLET_LOCATION in sqlnet.ora unless WALLET_LOCATION is set to $ORACLE_HOME/network/admin.
Search order for ldap.ora
After you create the ldap.ora file, the Oracle database searches for it in the following order:
1. The directory set in the $LDAP_ADMIN environment variable
2. The $ORACLE_HOME/ldap/admin directory
3. The directory set in the $TNS_ADMIN environment variable
4. The $ORACLE_HOME/network/admin directory
Changing the contents of ldap.Ora 
If you change the contents of ldap.ora after the database has started, you must either restart the database instance or re-run the following DDL to make the updated contents of ldap.ora effective:
In a multitenant environment, run this in the CDB root.
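Added example, not from the page or from Oracle's documentation: the DDL that the dsi.ora and ldap.ora sections above refer to for re-reading the directory configuration on a running database, together with the PDB GUID lookup used to find a PDB's wallet directory; the PDB name sales_pdb is a constructed placeholder.

```sql
-- Added example, not from the original page. sales_pdb is a constructed
-- placeholder for one of your pluggable databases.

-- After editing dsi.ora or ldap.ora on a running database, re-issue the
-- LDAP_DIRECTORY_ACCESS setting so the new directory server list is read
-- without restarting the instance. For ldap.ora run this in the CDB root.
ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS = 'PASSWORD' SCOPE = BOTH;

-- Confirm the value now in effect for the current container.
SELECT name, value
  FROM v$parameter
 WHERE name = 'ldap_directory_access';

-- A PDB-specific dsi.ora lives in that PDB's wallet directory, which is
-- $ORACLE_BASE/admin/<DB_UNIQUE_NAME>/<GUID>/wallet/ when WALLET_LOCATION
-- is not set in sqlnet.ora (or <WALLET_LOCATION>/<GUID> when it is).
-- Run this from the CDB root to obtain each PDB's GUID.
SELECT pdb_name, guid
  FROM dba_pdbs
 ORDER BY pdb_name;

-- For a dsi.ora change, the setting must be re-applied in each PDB that
-- uses it, not once for the whole CDB.
ALTER SESSION SET CONTAINER = sales_pdb;
ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS = 'PASSWORD' SCOPE = BOTH;
```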
6.2.2.4.5 Creating ldap.ora
The ldap.ora file is used for net naming services and can also be used to configure the connection to Active Directory for centrally managed users. Go to the directory for the ldap.ora file, as determined by the search order for the ldap.ora file (see related topics). If this directory does not exist, create it. Then go to this directory, create the ldap.ora file, and open it to add the following parameters. DIRECTORY_SERVERS: the directory server name must be a fully qualified name. You can also specify several Active Directory servers if you intend to use several Windows domains. For example: DIRECTORY_SERVERS = (ad-server.production.examplecorp.com:389:636, sparky.production.examplecorp.com:389:636). DEFAULT_ADMIN_CONTEXT: the search base under which users and groups are located in Active Directory. This parameter is optional. By default, Oracle finds Active Directory users and groups in the Active Directory default context. Oracle recommends not setting this parameter. Set it only if you want to limit the search scope for Active Directory users and groups. For example: DEFAULT_ADMIN_CONTEXT = "ou=sales,dc=production,dc=examplecorp,dc=com"
Diefory_server_type, which determines access to the ldap server. You will need to implant it in ad for active directory. Enter this value in the upper case. Directory_server_type = ad 
Parent topic: Step 4: Create the dsi.ora or ldap.ora file
6.2.2.5 Step 5: Request the Active Directory certificate for a secure connection
After you have configured the dsi.ora or ldap.ora file, you must prepare the Microsoft Active Directory and Oracle Database certificates for a secure connection.
Request the Active Directory certificate from the Active Directory administrator.
Related topics: Managing certificate revocation lists (CRLs) with the orapki utility
6.2.2.6 Step 6: Create the wallet for a secure connection
After you have copied the Active Directory certificate, you are ready to add it to the Oracle wallet.
1. Copy the Active Directory certificate text file (for example, ad_ca_root_cert.txt) from the Active Directory server to a temporary directory (for example, /tmp) on the database host.
2. Determine the wallet location. If the wallet location is not specified in the sqlnet.ora file, then the database looks for the wallet in the following locations, in this order. The directory may have to be created.
- For a non-multitenant database, or the CDB root of a multitenant database: $ORACLE_BASE/admin/db_unique_name/wallet/
- For a PDB in a multitenant database: $ORACLE_BASE/admin/db_unique_name/pdb_guid/wallet/
To find pdb_guid, connect to the CDB root and query the GUID column of the DBA_PDBS data dictionary view.
If you configure sqlnet.ora to specify the wallet location, then the wallet location you specify applies to a non-multitenant database or to the root container of a multitenant database. For a specific PDB of a multitenant database, its wallet is located in wallet_location_specified_in_sqlnet.ora/pdb_guid. You can also place a separate PDB dsi.ora file in wallet_location_specified_in_sqlnet.ora/pdb_guid.
3. Add the Active Directory certificate to the wallet as a trusted certificate, and store in the wallet the credentials of the Oracle service directory user that the database uses to connect to Active Directory. In the distinguished names used on this page, dc=production,dc=examplecorp,dc=com indicates that the DNS domain is production.examplecorp.com; the Windows domain name is just production.
If WALLET_LOCATION is specified in sqlnet.ora, then you must add the Active Directory certificate to the PDB wallet location (that is, wallet_location_specified_in_sqlnet.ora/pdb_guid, for each individual PDB). You can also add the Active Directory certificate to the wallet at wallet_location_specified_in_sqlnet.ora itself; however, it will then be effective only for the root container, not for the whole CDB.
Changes to the wallet take effect immediately and do not require a database restart.
6.2.2.7 Step 7: Configure the Microsoft Active Directory connection
Next, you are ready to connect the database to Active Directory using the settings you have made so far.

6.2.2.7.1 About configuring the Microsoft Active Directory connection
To configure the Microsoft Active Directory connection, you can either set parameters in the database or use DBCA.
You can configure the Active Directory service connection manually using the Oracle Database system parameters that are specific to LDAP, after creating the wallet and storing the Active Directory certificate in it yourself. Alternatively, DBCA completes the LDAP connection configuration, creates the wallet, and stores the Active Directory certificate for you. DBCA works only when ldap.ora is configured for CMU-Active Directory. DBCA silent mode can create a new database, or modify an existing database, to integrate it with Microsoft Active Directory.

DBCA recognizes only an ldap.ora that is configured for centrally managed users, and it creates the wallet in the recommended default location. To have the default wallet location used automatically, do not set WALLET_LOCATION in sqlnet.ora.
6.2.2.7.2 Configuring access manually using database system parameters
You can configure the Active Directory service connection using the Oracle Database system parameters that are specific to LDAP.
1. Log in to the database instance as a user who has the ALTER SYSTEM system privilege. For example, in a non-multitenant database:
sqlplus sec_admin
Enter password: password
In a multitenant environment, log in to the appropriate PDB:
sqlplus sec_admin@pdb_name
Enter password: password
To find the available PDBs in a CDB, log in to the CDB root and query the PDB_NAME column of the DBA_PDBS data dictionary view. To check the current container, run the SHOW CON_NAME command.
2. Set the LDAP_DIRECTORY_ACCESS parameter, which defines the type of access to the LDAP directory. In a multitenant environment, set LDAP_DIRECTORY_ACCESS in each PDB, not in the CDB root. Setting this parameter in the CDB root applies it only to the root, not to the PDBs.
The value to use for this configuration is PASSWORD. PASSWORD requires (to protect the connection) the Active Directory server certificate in the wallet, and when you create the wallet you must include the Active Directory credentials of the Oracle service directory user.
For example:
ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS = 'PASSWORD';
You can also set this parameter in the spfile or in the init.ora file (if an init.ora file is used), and then restart the database.
3. Set the LDAP_DIRECTORY_SYSAUTH parameter so that administrative users from Active Directory can log in to the Oracle database with the SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM, or SYSRAC administrative privilege. Set LDAP_DIRECTORY_SYSAUTH in each PDB, not in the CDB root. Setting this parameter in the CDB root applies it only to the root, not to the PDBs.
ALTER SYSTEM SET LDAP_DIRECTORY_SYSAUTH = YES SCOPE = SPFILE;
You can also set this parameter in the spfile or in the init.ora file (if an init.ora file is used). Then restart the database instance.
- In a non-multitenant environment, restart the database:
SHUTDOWN IMMEDIATE
STARTUP
- In a multitenant environment, close and re-open the PDB:
ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE pdb_name OPEN;
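The container caveat above is the part that is most often got wrong in a CDB, so here is an added SQL*Plus script (not from the original page and not Oracle's own code) that sets both LDAP parameters in one PDB, bounces only that PDB, and then confirms the values from inside the container. The PDB name sales_pdb is an assumption; the user running it is assumed to hold ALTER SYSTEM and to be connected to the CDB root.

```sql
-- Added example: CMU LDAP parameters are container-scoped, so set them in the
-- PDB, not in CDB$ROOT. Assumes a PDB named sales_pdb (hypothetical) and a
-- session connected to the CDB root with the ALTER SYSTEM privilege.

-- Switch into the PDB; a value set in CDB$ROOT would only apply to the root.
ALTER SESSION SET CONTAINER = sales_pdb;

-- Dynamic parameter: takes effect immediately and is persisted for the PDB.
ALTER SYSTEM SET ldap_directory_access = 'PASSWORD' SCOPE = BOTH;

-- Static parameter: persisted now, effective after the PDB is reopened.
ALTER SYSTEM SET ldap_directory_sysauth = 'YES' SCOPE = SPFILE;

-- Bounce only this PDB, from the root, so the session is not inside the
-- container being closed.
ALTER SESSION SET CONTAINER = CDB$ROOT;
ALTER PLUGGABLE DATABASE sales_pdb CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE sales_pdb OPEN;

-- Verify from inside the PDB. ISPDB_MODIFIABLE = TRUE is the reason a
-- root-level setting does not reach the PDB: each container keeps its own value.
ALTER SESSION SET CONTAINER = sales_pdb;
SELECT SYS_CONTEXT('USERENV', 'CON_NAME') AS container,
       name,
       value,
       ispdb_modifiable
  FROM v$parameter
 WHERE name IN ('ldap_directory_access', 'ldap_directory_sysauth')
 ORDER BY name;
```

Repeat the block for every PDB that should accept centrally managed users; a PDB that was skipped will still show the default values in the final query.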
6.2.2.7.3 Configuring access using Database Configuration Assistant
Oracle Database Configuration Assistant (DBCA) completes the LDAP connection configuration, automatically creates the wallet, and stores the Active Directory certificate in it. DBCA works only when ldap.ora is configured for CMU-Active Directory.
1. Start DBCA. By default, the dbca utility is located in the $ORACLE_HOME/bin directory.
2. Select the network configuration option (when creating a database). The "Specify Network Configuration Details" window appears. If the Directory Service Integration field is not visible, then the ldap.ora file is not set up correctly. Check the ldap.ora configuration that you created earlier, and after you have corrected the file, run DBCA again.
3. Enter the distinguished name (DN) of the Oracle service directory user account. The DN can be obtained directly from the Active Directory server or from the Active Directory system administrator. (This setting sets the LDAP_DIRECTORY_ACCESS parameter.)
4. If necessary, select the Allow Admin Privileges Authentication check box, which enables Active Directory users to authenticate and log in to the database with administrative privileges (for example, SYSDBA, SYSOPER, SYSBACKUP, and so on). Otherwise, centrally managed users from Active Directory cannot log in to the database with administrative privileges. (This option corresponds to the LDAP_DIRECTORY_SYSAUTH parameter.) In a multitenant environment, DBCA recognizes and sets the Active Directory connection for the database instance. You will have to configure the PDB connection manually if you want to connect a PDB to a different Active Directory server.
5. Enter the password of the Oracle service directory user account. DBCA then automatically validates the directory service user account, creates the wallet, stores the credentials, and imports the certificate.
Related topics: Step 4: Create the dsi.ora or ldap.ora file; Configuring access using Database Configuration Assistant silent mode
6.2.2.7.4 Configuring access using Database Configuration Assistant silent mode
Assuming that ldap.ora (not dsi.ora) has been created in the correct location and is configured correctly, DBCA silent mode can create a new database, or modify an existing database, to integrate it with Microsoft Active Directory. Make sure that ldap.ora is created with the right settings in the required location. For example, to create a new non-multitenant, single-instance database:
cd $ORACLE_HOME/bin
./dbca -silent -createDatabase -gdbName inst1.production.examplecorp.com -templateName General_Purpose.dbc -registerWithDirService true -dirServiceUserName "cn=oracle,cn=users,dc=production,dc=examplecorp,dc=com" -dirServicePassword service_password -dirServiceCertificatePath /tmp/ad_ca_root_cert.txt -walletPassword wallet_password -sysPassword sys_password -systemPassword system_password
To configure the CDB root of a multitenant database or an existing non-multitenant database:
cd $ORACLE_HOME/bin
./dbca -silent -configureDatabase -sourceDB db_name -registerWithDirService true -dirServiceUserName "cn=oracle,cn=users,dc=production,dc=examplecorp,dc=com" -dirServicePassword service_password -dirServiceCertificatePath /tmp/ad_ca_root_cert.txt -walletPassword wallet_password
To configure a pluggable database in a CDB:
cd $ORACLE_HOME/bin
./dbca -silent -configurePluggableDatabase -pdbName pdb_name -sourceDB db_name -registerWithDirService true -dirServiceUserName "cn=oracle,cn=users,dc=production,dc=examplecorp,dc=com" -dirServicePassword service_password -dirServiceCertificatePath /tmp/ad_ca_root_cert.txt -walletPassword wallet_password
Related topics: About using the ldap.ora file
Parent topic: Step 7: Configure the Microsoft Active Directory connection
6.2.2.8 Step 8: Verify the Oracle wallet
The orapki utility can be used to verify that the wallet for the database was created successfully.
1. Locate the wallet. If WALLET_LOCATION is not set in sqlnet.ora, then the default wallet locations are as follows:
- In a non-multitenant environment, the wallet directory is $ORACLE_BASE/admin/db_unique_name/wallet.
- In a multitenant environment, it is in one of the following locations:
  - For the CDB root, the wallet is in the $ORACLE_BASE/admin/db_unique_name/wallet directory.
  - For a PDB, the wallet is in the $ORACLE_BASE/admin/db_unique_name/pdb_guid/wallet directory.
2. On the command line, enter the following commands:
ls -ltr wallet_location (to check that the wallet directory contains the wallet files)
For example:
$ ls -ltr $ORACLE_BASE/admin/db_unique_name/pdb_guid/wallet
-rw------- 1 creator_user creator_group 1597 Nov 27 22:47 cwallet.sso
-rw------- 1 creator_user creator_group 1552 Nov 27 22:47 ewallet.p12
-rw-rw-r-- 1 creator_user creator_group   86 Nov 27 22:48 dsi.ora
orapki wallet display -wallet wallet_location (to check that the wallet contains the Active Directory certificate and the ORACLE.SECURITY.USERNAME and ORACLE.SECURITY.PASSWORD entries)
6.2.2.9 Step 9: Test the integration
1. To test the integration, set the ORACLE_HOME, ORACLE_BASE, and ORACLE_SID environment variables, and then check the values of the LDAP parameters. Log in to the host where the database used for the integration resides, and set ORACLE_HOME to the Oracle home directory. For example:
export ORACLE_BASE=/app
export ORACLE_SID=sales_db
2. Log in to the database instance as a user who has the SYSDBA administrative privilege. For example:
sqlplus sec_admin AS SYSDBA
Enter password: password
In a multitenant environment, log in to the appropriate PDB. For example:
sqlplus sec_admin@pdb_name AS SYSDBA
Enter password: password
To find the available PDBs in a CDB, log in to the CDB root and query the PDB_NAME column of the DBA_PDBS data dictionary view. To check the current container, run the SHOW CON_NAME command.
3. Check the LDAP parameters:
SHOW PARAMETER LDAP
NAME                     TYPE    VALUE
------------------------ ------- --------
ldap_directory_access    string  PASSWORD
ldap_directory_sysauth   string  YES
Parent topic: Connecting to Microsoft Active Directory
6.3 Configuring authentication for centrally managed users
You can configure password authentication, Kerberos authentication, or public key infrastructure (PKI) authentication.
- Configuring password authentication for centrally managed users: Password authentication for centrally managed users entails using a password filter with Active Directory to generate and store Oracle Database password verifiers in Active Directory.
- Configuring Kerberos authentication for centrally managed users: If you plan to use Kerberos authentication, then you must configure Kerberos in the Oracle database that will be integrated with Microsoft Active Directory.
- Configuring authentication using PKI certificates for centrally managed users: If you plan to use PKI certificates to authenticate centrally managed users, then you must configure Transport Layer Security in the Oracle database that will be integrated with Microsoft Active Directory.
6.3.1 Configuring password authentication for centrally managed users
Password authentication for centrally managed users entails using a password filter with Active Directory to generate and store Oracle Database password verifiers in Active Directory.
- About configuring password authentication for centrally managed users: To configure password authentication, you must deploy the password filter, extend the Active Directory schema by adding one user attribute, and create groups for generating the different password verifier versions in Active Directory.
- Configuring password authentication for a centrally managed user: You must configure password authentication on the Active Directory servers and, in addition, on the Oracle database if Active Directory users will log in to the Oracle database with administrative privileges.
- Logging in to an Oracle database using password authentication: With password authentication, centrally managed users have a choice of how to log in to the database.
6.3.1.1 About configuring password authentication for centrally managed users
To configure password authentication, you must deploy the password filter, extend the Active Directory schema by adding one user attribute, and create groups for generating the different password verifier versions in Active Directory.
For Active Directory users to log in to the Oracle database with administrative privileges, you must also set up a password file for the Oracle database.
With password authentication, because the Oracle database does not authenticate Active Directory users by passing their password to Active Directory in an LDAP bind, you must install the Oracle password filter and extend the Active Directory schema. The Oracle filter that you install in Active Directory generates an Oracle-specific password verifier whenever an Active Directory user updates their password. The Oracle filter does not generate all the Oracle password verifiers at the time it is first installed; it generates an Oracle password verifier for a user only when that user changes their Active Directory password.
The password verifiers are compatible with Oracle Database releases 11g, 12c, and 18c. The Oracle password filter uses the Active Directory groups named ORA_VFR_MD5 (for WebDAV), ORA_VFR_11G (for 11g verifiers), and ORA_VFR_12C (for 12c and 18c verifiers) to determine which Oracle Database verifiers to generate. These groups must be created in Active Directory to enable generation of Oracle password verifiers for the members of the groups. They are separate groups that list which specific verifiers are to be generated for the Active Directory users. For example, if ten Active Directory users need to log in to a newly created Oracle Database release 18c database that is configured for Oracle Database release 12c verifiers, then the Active Directory group ORA_VFR_12C will have those ten Active Directory users as members. The Oracle filter will generate only 12c verifiers for those ten users when they change their Active Directory passwords (18c verifiers are the same as 12c verifiers). If a user no longer needs to access Oracle databases, remove the user from the ORA_VFR groups; Oracle password verifiers will no longer be generated for that user after the removal. In addition, you can manually clear the orclCommonAttribute attribute for that user.
6.3.1.2 Configuring password authentication for a centrally managed user
You must configure password authentication on the Active Directory servers and, if Active Directory users will log in with administrative privileges, on the Oracle database. Configuring the Active Directory side involves extending the Active Directory schema.
Configuring the Active Directory servers
The utility that performs this task, opwdintg.exe, is in $ORACLE_HOME/bin. This utility installs the password filter in Active Directory, extends the Active Directory schema to hold the Oracle password verifiers, and creates the Active Directory password verifier groups. The password filter enables Microsoft Active Directory user accounts to authenticate to the Oracle database when connecting with clients that use the WebDAV, 11g, and 12c verifiers.
1. Copy opwdintg.exe to the Active Directory server, and then ask the Active Directory administrator to run the opwdintg.exe utility.
2. Check that the groups ORA_VFR_MD5, ORA_VFR_11G, and ORA_VFR_12C exist. If these groups do not exist, then run the opwdintg.exe utility again.
3. Add each Active Directory user to the groups for the verifiers that user needs:
- If the client and server use Oracle Database release 12c authentication, then add the user to the ORA_VFR_12C group. (Oracle Database release 18c uses the same verifier as Oracle Database release 12c.)
- If the client and server allow only authentication older than Oracle Database release 12c (for example, Oracle Database release 11g or 12.1.0.1 clients), then add the user to the ORA_VFR_11G group.
- If the user needs WebDAV access, then add the user to the ORA_VFR_MD5 group.
This scheme enables fine-grained control over the generation of Oracle Database password verifiers: only the necessary verifiers are generated, and only for the users that require them. For example, if Microsoft Active Directory users are added to both the ORA_VFR_12C and ORA_VFR_11G groups, then both 12c and 11g verifiers will be generated for them. This ensures that the strongest verifier is selected where it applies, while the 11g verifier is selected for Oracle Database 11g clients.
Configuring the Oracle database (required for administrative privileges)
1. As a user with administrative privileges, log in to the host of the database that will be used to connect to Microsoft Active Directory, and create the password file in 12.2 format:
orapwd file='/app/oracle/product/18.1/db_1/dbs/orapwdb181' format=12.2
This setting ensures that you can grant different administrative privileges, such as SYSOPER and SYSBACKUP, to a global user.
2. Log in to the database instance as a user who has the ALTER SYSTEM privilege, and set the REMOTE_LOGIN_PASSWORDFILE parameter to EXCLUSIVE in the spfile or in the init.ora file. Then restart the database:
SHUTDOWN IMMEDIATE
STARTUP
Related topics: Step 2: For password authentication, install the password filter and extend the Microsoft Active Directory schema
6.3.1.3 Logging in to an Oracle database using password authentication
With password authentication, centrally managed users have a choice of how to log in to the database.
To connect to the database, an Active Directory user can use the following forms of user name when password authentication is used. The connections below assume that the Windows domain is production.
- If the Active Directory user is in the same Active Directory domain as the Oracle service directory user account configured in the database, then the Active Directory user can use just the user name (sAMAccountName) to log in to the database.
- Alternatively, the user can log in with the Windows domain name and user name (for example, "production\pfitch", as used in the verification step later on this page), or with the user name together with the DNS domain name.
Parent topic: Configuring password authentication for centrally managed users
6.3.2 Configuring Kerberos authentication for centrally managed users
If you plan to use Kerberos authentication, then you must configure Kerberos in the Oracle database that will be integrated with Microsoft Active Directory.
Related topics: Mapping a directory group to a shared database global user; Exclusively mapping a directory user to a database global user; Configuring Kerberos authentication
6.3.3 Configuring authentication using PKI certificates for centrally managed users
If you plan to use PKI certificates to authenticate centrally managed users, then you must configure Transport Layer Security in the Oracle database that will be integrated with Microsoft Active Directory.
Whereas Kerberos authentication with CMU requires the use of the Microsoft Active Directory Kerberos server, PKI authentication can use a third-party CA service, not just the one that comes with Microsoft Active Directory.
Related topics: Mapping a directory group to a shared database global user; Exclusively mapping a directory user to a database global user; Configuring Transport Layer Security encryption
Parent topic: Configuring authentication for centrally managed users
6.4 Configuring authorization for centrally managed users
With centrally managed users, you can control authorization for Active Directory users to access Oracle databases centrally, without having to add or remove the user in each database in your organization.
- About configuring authorization for centrally managed users: You can manage a user's authorization for a database in Active Directory.
- Mapping a directory group to a shared database global user: Many users can be mapped to a single database global user (schema) through directory group membership.
- Mapping a directory group to a global role: Database global roles mapped to directory groups give the group members additional privileges and roles beyond those granted through the login schema.
- Exclusively mapping a directory user to a database global user: A Microsoft Active Directory user can be mapped exclusively to an Oracle Database global user.
- Altering or migrating a user mapping: An existing mapping can be changed with the ALTER USER statement.
- Configuring administrative users: Administrative users can work as before, but with CMU they can be managed with centralized authentication and authorization if they use shared schemas.
- Verifying the centrally managed user logon information: You can verify a user's logon information by running a set of SQL queries on the Oracle database side.
6.4.1 About configuring authorization for centrally managed users
You can manage a user's authorization for a database in Active Directory. This minimizes the work that has to be done in every Oracle database when directory users are hired, change roles, or leave the company. The directory user is assigned to an Active Directory group that is mapped to an Oracle Database global user (schema). When the user logs in to the database, the database queries Active Directory to retrieve the groups of which the user is a member. If your deployment uses shared schemas, then one of those groups is mapped to a shared database schema, and the user is assigned to that schema. The user receives the roles and privileges that are granted to the database schema. Because many users will be assigned to the same shared database schema, only a minimal set of roles and privileges should be granted to a shared schema. In some cases, no privileges or roles at all should be granted to the shared schema; the users are then given the appropriate set of roles and privileges through database global roles.
Global roles are mapped to Active Directory groups. Thus, different users can have different roles and privileges even when they are mapped to the same shared database schema. A newly hired user is assigned to the Active Directory group mapped to a shared schema, and then to one or more additional groups mapped to global roles, in order to obtain the additional roles and privileges needed to do their job. The combination of shared schemas and global roles allows centralized authorization management with minimal changes to the database. The database initially has to be provisioned with a set of shared schemas and global roles mapped to the corresponding Active Directory groups, but after that, user authorization can be managed in Active Directory.
An Active Directory user can also be mapped exclusively to a database global user. This requires a new user in the database that is mapped directly to the Active Directory user. New users and departing users then require updates in every database of which they are members. Administrative privileges are granted only to a schema, not to a role; but even in these cases, shared schemas can be used with administrative privileges to make user authorization easier to manage. Using a shared schema with the SYSOPER privilege makes it easy to add new users to the Active Directory group mapped to the SYSOPER schema, without creating a new user schema in the database. Even if only one user is assigned to a shared schema, you can still manage that user centrally.
When using global roles to grant privileges and roles to a user, remember that the maximum number of roles enabled in a session is 150.
The following options for mapping global users are supported for access:
- Mapping a shared global user: directory users are mapped to a shared database schema (user) by mapping a directory group to a shared database global user. Directory users who are members of the group can connect to the database through this shared schema. Using shared schemas allows centralized management of user authorization in Active Directory. This kind of user is typically either a shared database schema created for logging in to the database directly with SQL*Plus, or a schema user for two-tier or three-tier applications. Oracle recommends granting database privileges to these users through global roles, which makes authorization easier to manage. Nevertheless, these users can also have direct grants of privileges in the Oracle database, although this is not required. This is because two-tier and three-tier applications use a global user as the database schema, so that global user has full privileges on the objects in that schema as their owner.
- Mapping an exclusive global user: a single directory user is mapped to its own database global user (schema).
A directory user can be a member of several groups. Still, only one of those groups should be mapped to a shared schema.
6.4.2 Mapping a directory group to a shared database global user
Many users can be mapped to a single database global user (schema) through directory group membership.
1. Log in to the database instance as a user who has the CREATE USER or ALTER USER system privilege.
2. Run the CREATE USER statement with the IDENTIFIED GLOBALLY AS clause. For example, to map the Active Directory group widget_sales_group in the sales organizational unit of the production.examplecorp.com domain to a shared database global user named widget_sales:
CREATE USER widget_sales IDENTIFIED GLOBALLY AS 'cn=widget_sales_group,ou=sales,dc=production,dc=examplecorp,dc=com';
All members of widget_sales_group are assigned to the shared schema widget_sales when they log in to the database.
6.4.3 Mapping a directory group to a global role
Database global roles mapped to directory groups give the group members additional privileges and roles beyond those granted through the login schema.
1. Log in to the database instance as a user who has the CREATE ROLE or ALTER ROLE system privilege.
2. Run the CREATE ROLE statement with the IDENTIFIED GLOBALLY AS clause. For example, to map the widget_sales_group group in the sales organizational unit of the production.examplecorp.com domain to the database global role widget_sales_role:
CREATE ROLE widget_sales_role IDENTIFIED GLOBALLY AS 'cn=widget_sales_group,ou=sales,dc=production,dc=examplecorp,dc=com';
In a multitenant environment, to create a common role named c##widget_sales_role:
CREATE ROLE c##widget_sales_role IDENTIFIED GLOBALLY AS 'cn=widget_sales_group,ou=sales,dc=production,dc=examplecorp,dc=com' CONTAINER = ALL;
All members of widget_sales_group are authorized with the database role widget_sales_role when they log in to the database.
6.4.4 Exclusively mapping a directory user to a database global user
You can map a Microsoft Active Directory user exclusively to an Oracle Database global user.
1. Log in to the database instance as a user who has the CREATE USER or ALTER USER system privilege.
2. Run the CREATE USER statement with the IDENTIFIED GLOBALLY AS clause. For example, to map an existing Active Directory user named Peter Fitch (whose sAMAccountName is pfitch) in the sales organizational unit to a database global user named peter_fitch:
CREATE USER peter_fitch IDENTIFIED GLOBALLY AS 'cn=Peter Fitch,ou=sales,dc=production,dc=examplecorp,dc=com';
6.4.5 Altering or migrating a user mapping
You can change the mapping of an Active Directory user to a database global user by using the ALTER USER statement.
1. Log in to the database instance as a user who has the ALTER USER system privilege.
2. Run the ALTER USER statement with the IDENTIFIED GLOBALLY AS clause. For example:
ALTER USER peter_fitch IDENTIFIED GLOBALLY AS 'cn=Peter Fitch,ou=sales,dc=production,dc=examplecorp,dc=com';
6.4.6 Configuring administrative users
Administrative users can work as before, but with CMU they can be managed using centralized authentication and authorization if they use shared schemas.
- Configuring database administrative users with shared access accounts: Mapping administrators to a shared schema simplifies managing their accounts across many databases as people join, move within, and leave the organization.
- Configuring database administrative users using exclusive mapping: Database administrators can also be mapped to exclusive schemas in databases.
Parent topic: Configuring authorization for centrally managed users
6.4.6.2 Configuring database administrative users using exclusive mapping
Database administrators can also be mapped to exclusive schemas in databases.
1. Ensure that the password file for the current database instance is in 12.2 format:
orapwd file=pwd_file format=12.2
Enter password for SYS: password
2. Log in to the database instance as a user who can create users and grant administrative privileges to other users.
3. Create the exclusively mapped global user. For example:
CREATE USER peter_fitch IDENTIFIED GLOBALLY AS 'cn=Peter Fitch,ou=sales,dc=production,dc=examplecorp,dc=com';
4. Grant this user an administrative privilege. For example, to grant the SYSKM administrative privilege:
GRANT SYSKM TO peter_fitch;
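The mapping statements in this chapter appear one at a time; the script below is an added example (not from the original page and not Oracle's own code) that provisions the complete least-privilege pattern the chapter describes in one pass: a shared schema that can do nothing but log in, a global role that carries the real object privileges, an exclusively mapped administrator with SYSKM, and two dictionary queries for reviewing what is mapped where. The table sales.orders is a hypothetical object; the user, role, and group names are the ones used on this page.

```sql
-- Added example: CMU authorization with least privilege.
-- Assumes the AD group widget_sales_group and the AD user Peter Fitch from
-- this page, and a hypothetical table sales.orders that the group must read.
-- Run as a user holding CREATE USER, CREATE ROLE, and the grants used below.

-- 1. Shared schema. Every member of widget_sales_group lands in this schema,
--    so it receives only CREATE SESSION; nothing granted here can be taken
--    away per user.
CREATE USER widget_sales IDENTIFIED GLOBALLY AS
  'cn=widget_sales_group,ou=sales,dc=production,dc=examplecorp,dc=com';
GRANT CREATE SESSION TO widget_sales;

-- 2. Global role mapped to the group. Members get it at login, and it goes
--    away centrally when they are removed from the AD group. The object
--    privileges live here, not on the schema.
CREATE ROLE widget_sales_role IDENTIFIED GLOBALLY AS
  'cn=widget_sales_group,ou=sales,dc=production,dc=examplecorp,dc=com';
GRANT SELECT ON sales.orders TO widget_sales_role;

-- 3. Exclusive mapping for an administrator. Administrative privileges can be
--    granted to a schema only, never to a role, so this user has a schema of
--    its own. CREATE SESSION is for ordinary (non AS SYSKM) connections.
CREATE USER peter_fitch IDENTIFIED GLOBALLY AS
  'cn=Peter Fitch,ou=sales,dc=production,dc=examplecorp,dc=com';
GRANT CREATE SESSION TO peter_fitch;
GRANT SYSKM TO peter_fitch;

-- 4. Review. Global users carry the mapped DN in EXTERNAL_NAME: a group DN
--    means a shared schema, a user DN means an exclusive mapping.
SELECT username, external_name
  FROM dba_users
 WHERE authentication_type = 'GLOBAL'
 ORDER BY username;

-- Global roles are the ones whose AUTHENTICATION_TYPE is GLOBAL.
SELECT role
  FROM dba_roles
 WHERE authentication_type = 'GLOBAL'
 ORDER BY role;
```

Keep the role count per user below the 150-roles-per-session limit mentioned above; when a user is a member of many AD groups, it is the number of mapped global roles that counts, not the number of groups.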
6.4.7 Verifying the centrally managed user logon information
After you have configured and authorized a centrally managed user, you can verify the user's logon information by running a set of SQL queries on the Oracle database side.
1. Log in to the database as the centrally managed user from Active Directory whom you have just configured and authorized. For example, to log in to the database instance inst1 as the enterprise user pfitch in the Windows domain production:
sqlplus /nolog
CONNECT "production\pfitch"@inst1
Enter password: password
2. Check the mapped global user. The mapped global user is the database user account that carries the centralized user authorization. The user peter_fitch is a global user with an exclusive mapping for the Active Directory user pfitch, whereas the user widget_sales is a global user with a shared mapping for the Active Directory group widget_sales_group, of which pfitch is a member. The global user account has its own schema.
SHOW USER
USER is "PETER_FITCH"
or
USER is "WIDGET_SALES"
3. Find the roles that have been granted to the centrally managed user:
SELECT ROLE FROM SESSION_ROLES ORDER BY ROLE;
Output similar to the following appears:
ROLE
------------------------------
WIDGET_SALES_ROLE
...
4. Run the following queries to check the SYS_CONTEXT USERENV namespace values for the current schema used in this database session, the current user, the session user, the authentication method, the authenticated identity, the enterprise identity, the identification type, and the LDAP server type.
- Check the current schema used in this database session. A database schema is an object container that identifies the objects it contains. The current schema is the default container used to resolve object names in the current database session.
SELECT SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') FROM DUAL;
Output similar to the following appears, depending on whether this is an exclusive mapping or a shared mapping:
SYS_CONTEXT('USERENV','CURRENT_SCHEMA')
----------------------------------------
PETER_FITCH
or
SYS_CONTEXT('USERENV','CURRENT_SCHEMA')
----------------------------------------
WIDGET_SALES
- Check the current user. In this case, the current user is the same as the current schema.
SELECT SYS_CONTEXT('USERENV', 'CURRENT_USER') FROM DUAL;
Output similar to the following appears, depending on whether this is an exclusive mapping or a shared mapping:
SYS_CONTEXT('USERENV','CURRENT_USER')
----------------------------------------
PETER_FITCH
or
SYS_CONTEXT('USERENV','CURRENT_USER')
----------------------------------------
WIDGET_SALES
- Check the session user.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') FROM DUAL;
Output similar to the following appears, depending on whether this is an exclusive mapping or a shared mapping:
SYS_CONTEXT('USERENV','SESSION_USER')
----------------------------------------
PETER_FITCH
or
SYS_CONTEXT('USERENV','SESSION_USER')
----------------------------------------
WIDGET_SALES
- Check the authentication method.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') FROM DUAL;
Output similar to the following appears:
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
----------------------------------------------
PASSWORD_GLOBAL
- Check the authenticated identity of the enterprise user. The authenticated identity of the Active Directory user is captured and audited when this user logs in to the database.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') FROM DUAL;
Output similar to the following appears:
SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY')
-----------------------------------------------
production\pfitch
- Check the enterprise identity of the centrally managed user.
SELECT SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') FROM DUAL;
Output similar to the following appears:
SYS_CONTEXT('USERENV','ENTERPRISE_IDENTITY')
------------------------------------------------------------
cn=Peter Fitch,ou=sales,dc=production,dc=examplecorp,dc=com
-Check the type of identification. Select sys_context ('userenv', 'educification_type') from dual the conclusion similar to the appearance of the following, depending on whether this will be an exceptional comparison or general comparison: 
Sys_context (  userenvv ',' identification_type ') ----------------------------------------------------------------------------- ----------------------------------------------------------------- Or 
Sys_context ('userenv', 'identification_type') ------------------------------------------------------ ------------------------------ global general 
-Check the type of server ldap.Select sys_context ('userenv', 'ldap_server_type') from double; the conclusion similar to the following appears. In this situation, the ldap server type is active directory. 
Sys_context ('userenv', 'ldap_server_type') ----------------------------------------------------------------- -----------------------------------------ad 
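The checks above are easy to run but tedious to interpret by hand. The following is an added example, not code from the page or from Oracle: it takes the SYS_CONTEXT('USERENV', ...) values gathered by those queries and decides whether the session is a properly mapped centrally managed user. The sample sessions are constructed to mirror the outputs above; the GLOBAL EXCLUSIVE value for an exclusive mapping is an assumption, since the page preserves only the shared-mapping value GLOBAL SHARED.

```python
# Added example, not Oracle's code. 'GLOBAL EXCLUSIVE' for an exclusive
# mapping is an assumption; the page preserves only 'GLOBAL SHARED'.
MAPPING_TYPES = {"GLOBAL EXCLUSIVE": "exclusive", "GLOBAL SHARED": "shared"}


def ad_domain_from_dn(dn):
    """Rebuild the AD DNS domain from the dc= parts of an LDAP DN such as
    ENTERPRISE_IDENTITY (escaped commas are not handled)."""
    rdns = [p.split("=", 1) for p in dn.split(",") if "=" in p]
    return ".".join(v.strip() for k, v in rdns if k.strip().lower() == "dc")


def check_cmu_session(ctx):
    """ctx maps USERENV parameter names to the values SYS_CONTEXT returned.
    Returns the mapping kind, the AD domain from the DN and any findings."""
    issues = []
    mapping = MAPPING_TYPES.get(ctx.get("IDENTIFICATION_TYPE"))
    if mapping is None:
        issues.append("not a global user: %r" % ctx.get("IDENTIFICATION_TYPE"))
    if ctx.get("AUTHENTICATION_METHOD") != "PASSWORD_GLOBAL":
        issues.append("not authenticated against the directory password")
    if ctx.get("LDAP_SERVER_TYPE") != "AD":
        issues.append("directory is not Active Directory")
    # The page shows one name for all three; they would legitimately differ
    # only after ALTER SESSION SET CURRENT_SCHEMA.
    names = {ctx.get(k) for k in ("CURRENT_SCHEMA", "CURRENT_USER", "SESSION_USER")}
    if len(names) != 1:
        issues.append("schema/current user/session user disagree")
    domain, _, sam = ctx.get("AUTHENTICATED_IDENTITY", "").rpartition("\\")
    if not (domain and sam):
        issues.append("AUTHENTICATED_IDENTITY is not in DOMAIN\\user form")
    ad_domain = ad_domain_from_dn(ctx.get("ENTERPRISE_IDENTITY", ""))
    if mapping and not ad_domain:
        issues.append("ENTERPRISE_IDENTITY has no dc= components")
    return {"mapping": mapping, "ad_domain": ad_domain, "issues": issues}


# Constructed samples mirroring the outputs shown above.
EXCLUSIVE_SESSION = {
    "CURRENT_SCHEMA": "PETER_FITCH", "CURRENT_USER": "PETER_FITCH",
    "SESSION_USER": "PETER_FITCH", "AUTHENTICATION_METHOD": "PASSWORD_GLOBAL",
    "AUTHENTICATED_IDENTITY": "PRODUCTION\\PFITCH",
    "ENTERPRISE_IDENTITY": "cn=Peter Fitch,ou=sales,dc=production,dc=examplecorp,dc=com",
    "IDENTIFICATION_TYPE": "GLOBAL EXCLUSIVE", "LDAP_SERVER_TYPE": "AD",
}
SHARED_SESSION = dict(EXCLUSIVE_SESSION, CURRENT_SCHEMA="WIDGET_SALES",
                      CURRENT_USER="WIDGET_SALES", SESSION_USER="WIDGET_SALES",
                      IDENTIFICATION_TYPE="GLOBAL SHARED")
LOCAL_SESSION = {"CURRENT_SCHEMA": "SCOTT", "CURRENT_USER": "SCOTT",
                 "SESSION_USER": "SCOTT", "AUTHENTICATION_METHOD": "PASSWORD",
                 "IDENTIFICATION_TYPE": "LOCAL"}  # local account, for contrast
```

A locally authenticated account (LOCAL_SESSION) fails several checks at once, which is the signal that a login you expected to come through Active Directory did not.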
Logging in to the Oracle database using password authentication
Parent topic: Configuring authorization for centrally managed users
6.5.4 ORA-28300 connection errors
The ORA-28300: No permission to read user entry in LDAP directory service error can be traced using the CMU trace. To correct this problem:
1. Grant the Oracle service directory user account the Read Properties and Remember Lockout Time permissions, which allow it to access the Active Directory user properties of the user who is trying to log in to the database.
2. Set the Control Access permission for the orclCommonAttribute attribute of the Active Directory users.
Related topics
- Step 1: Create an Oracle service directory user account on Microsoft Active Directory and grant permissions
- Using trace files to diagnose CMU connection errors
6.5.5 Using trace files to diagnose centrally managed users (CMU) connection errors. When an Active Directory user tries to log in to the database and the login fails, go to the directory that contains the trace files, locate the trace file, and view it; it contains detailed information.
6.6 Oracle database integration with Microsoft Active Directory account policies
As part of the Oracle-Microsoft Active Directory integration, the Oracle database enforces the Active Directory account policies for Active Directory users who log in to the Oracle database.
The Active Directory account policy settings cover the password policy, the account lockout policy, and the Kerberos policy. The Oracle database enforces all of these account policies for centrally managed users from Active Directory. For example, Oracle prevents Active Directory users with an account status such as password expired, password must change, account locked, or account disabled from logging in to the database. If you use Kerberos authentication, Oracle prevents Active Directory users with expired Kerberos tickets from logging in to the database. If you use password authentication, the Active Directory user account is locked for a certain period in Active Directory after the user makes a certain number of consecutive unsuccessful attempts to log in to the Oracle database with incorrect passwords. Because of this account lockout policy, Oracle effectively prevents password guessing attacks against Active Directory user accounts.
6.7 Configuring centrally managed users with Oracle Autonomous Database
You can deploy centrally managed users (CMU) on Oracle Autonomous Database infrastructure.
6.8 Troubleshooting centrally managed users
Oracle provides error messages that help you correct the common errors that occur when a Microsoft Active Directory user tries to log in to the Oracle database.
- ORA-28276 connection errors: the ORA-28276: Invalid ORACLE password attribute error is caused by an incorrectly set orclCommonAttribute attribute.
- ORA-01017 errors: the ORA-01017: invalid username/password; logon denied error can be caused by differences in how special characters are allowed in the Oracle database and in Microsoft Active Directory.
- ORA-28274 connection errors: the ORA-28274: No ORACLE password attribute corresponding to user nickname exists error is caused by problems with the Active Directory schema or the Oracle service directory user.
- ORA-28300 connection errors: the ORA-28300: No permission to read user entry in LDAP directory service error is caused by permission problems with the Oracle service directory user.
- Using trace files to diagnose CMU connection errors: the GDSI trace setting is used to diagnose centrally managed users (CMU) connection errors.
Parent topic: Configuring centrally managed users with Microsoft Active Directory
6.8.1 ORA-28276 connection errors
The ORA-28276: Invalid ORACLE password attribute error is caused by an incorrectly set orclCommonAttribute attribute.
This error occurs when the orclCommonAttribute attribute was not correctly populated with the user's password. To fix this problem:
1. Run opwdintg.exe to install the password filter on every Windows domain controller in the Active Directory domain.
2. Restart each Windows domain controller. Each Windows domain controller must be restarted after the password filter is installed; otherwise, the password filter will not work on that domain controller.
3. Add the Active Directory users to the appropriate ORA_VFR group.
4. Reset the user's password in Active Directory.
5. Run ldapsearch to check that the password verifier was generated.
6.8.2 ORA-01017 errors
ORA-01017 errors can be caused by differences in how special characters are allowed in the Oracle database and in Microsoft Active Directory.
The user names and logins that centrally managed users (CMU) create follow the rules for Oracle database users. To fix ORA-01017 errors, enclose the user's login name and password in double quotes. For example, for an Active Directory user whose login is peter fitch, whose password is ilovemysalads@_home!, and who is in the same domain as the Oracle service user, the login name and the password are both entered in double quotes.
If the Active Directory user is in a different domain than the Oracle service user, then the Windows domain (example in this case) must be included in the login name.
Note that the password you type at the Enter password prompt has 22 characters: 20 characters for the ilovemysalads@_home! password, plus two characters for the two double quotes.
6.8.3 ORA-28274 connection errors
The ORA-28274: No ORACLE password attribute corresponding to user nickname exists error is caused by problems with the Active Directory schema or the Oracle service directory user. The Active Directory schema was probably not extended or was not populated correctly. Alternatively, the Oracle service directory user does not have permission to access the orclCommonAttribute attribute of the user who tried to log in to the Oracle database.
Solution 1:
1. Run opwdintg.exe to install the password filter on every Windows domain controller in the Active Directory domain.
2. Restart each Windows domain controller after the password filter is installed; otherwise, the password filter will not work on that domain controller.
3. Check that the password verifier was generated.