Thursday, May 17, 2007

How to setup more than one AD Domains for OID External Authentication (10.1.2 vs 10.1.4)

You might be wondering why I am comparing 2 versions, when we started our integration, 10.1.4 was released and I read technet documentation but could not find any information on metalink (all the info is for 10.1.2 and 9.0.4) and at my earlier project I worked on integrating SiteMinder against 10.1.2, thats how I got some insight into differences which I am sharing with you.

The above combinations are integrated with 11.5.10.2 instances, To login to 11i Users are externally authenticated by AD or Siteminder and 10gAS is used as a intermediary to accomplish it.

We have multiple domains, so I worked on seting up multiple plug-in for external authentication. But at the end we ended up using AD Global Catalog.

10.1.2 - Source:

1) Go to $ORACLE_HOME/ldap/admin
2) Make a copy of oidspada.pls file, and save it as oidspada2.pls
3) Modify oidspada2.pls
* Replace OIDADPSWD with OIDADPSWD2 (Global replace)
4) Make a copy of oidspadi.sh file and save it as oidspadi2.sh (Global Replace)
* replace "oidspada.pls" with "oidspada2.pls"
* replace "adwhencompare" with "adwhencompare2"
* replace "adwhenbind" with "adwhenbind2"
* replace "OIDADPSWD" with "OIDADPSW2"
5) Run oidspad2.sh
It will register new profiles for new domain.

10.1.4 - Source:

1) Configure external authentication for one domain
2) Dump the configuration information into LDIF file
ldapsearch -p 3060 -D cn=orcladmin -w welcome -s sub -L -b "cn=plugin,cn=subconfigsubentry" cn="oidexplg_*_ad" >> output.ldif
3) Modify the output.ldif
cn=oidexplg_compare_ad with cn=oidexplg_compare_ad2
cn=oidexplg_bind_ad with cn=oidexplg_bind_ad2
Change the values for orclpluginflexfield;host and orclpluginflexfield;port for the external directory host name and port number
Modify orclpluginsubscriberdnlist for the plug-in invocation naming context.
4) Upload the new plug-in information
$ORACLE_HOME/ldap/bin/ldapadd -h host -p port -D cn=orcladmin -w orcladminPwd -v -f input.ldif

Test using ldapbind and ldapcompare against both the domains
a) ldapbind -h oidHost -p port -D "cn=ADUser,cn=Users,dc=uk,dc=acme,dc=com" -w adpassword
b) ldapcompare -h oidHost -p port -D "cn=orcladmin" -w iasadminpswd -b "cn=ADUser,cn=Users,dc=uk,dc=acme,dc=com" -a userPassword -v adpassword

a) ldapbind -h oidHost -p port -D "cn=ADUser,cn=Users,dc=us,dc=acme,dc=com" -w adpassword
b) ldapcompare -h oidHost -p port -D "cn=orcladmin" -w iasadminpswd -b "cn=ADUser,cn=Users,dc=us,dc=acme,dc=com" -a userPassword -v adpassword



Good Luck

Configure OID External Authentication Plug-In (10.1.2 vs 10.1.4) against Microsoft AD

We recently integrated our 11.5.10.2 instance with 10gAS (10.1.4 Identity management) using external Authentication from Microsoft Active Directory. Automatic USER provisioning from AD to OID to 11i.

The way external authentication happens in 10.1.2 and 10.1.4 is quite different.In 10.1.2 it uses pl/sql plug-in and 10.1.4 it uses java plug-in.

In 10.1.2 you have to run "$ORACLE_HOME/ldap/admin/oidspadi.sh" to register adwhencompare & adwhenbind profiles.

In 10.1.4 you need to run "$ORACLE_HOME/ldap/jlib/oidexcfg.jar oidexcfg -h oidhost -p port -D cn=orcladmin -w password -t AD" to modify the oidexcfg_compare_ad and oidexcfg_bind_ad plug-in's, the same can also be modified by login to ODM and going to Plug-in Management.

After registering run the following commands to check if AD can authenticate you
1) ldapbind -h oidHost -p port -D "cn=ADUser,cn=Users,dc=acme,dc=com" -w adpassword
2) ldapcompare -h oidHost -p port -D "cn=orcladmin" -w iasadminpswd -b "cn=ADUser,cn=Users,dc=acme,dc=com" -a userPassword -v adpassword

In 10.1.4 you can still use pl/sql plug-in for external authentication but make sure you are not hitting bug#5912665

Another important thing is - In 10.1.2 "orclUserPrincipalName" objectclass contains the external identity used for validating to Active Directory and in 10.1.4 "orclSourceObjectDN" is used instead.

Good Luck