Active directory vs OID

Hi,
Can anyone please give me the pros and cons of using Active Directory vs OID?
We are in the process of centralizing tnsnames.ora.
Thanks in advance!

Not sure about Windows, but on the Solaris end, there is a command line app called 'schemasynch' that will do what you want. It is located in $ORACLE_HOME/bin.
It's a one-shot program, i.e. it doesn't keep directories in sync.
Instructions for it can be found in the OID Admin Guide.
http://otn.oracle.com/docs/products/oracle9i/doc_library/release2/network.920/a96574/syntax.htm#639824
For a continuous sync approach there is
http://otn.oracle.com/docs/products/oracle9i/doc_library/release2/network.920/a96574/odip_age.htm#115461
Cheers
Kevin

Similar Messages

  • Active directory to oid sync

    Hi all,
    Recently I've been given the assignment of syncing one Active Directory to one OID.
    Put that way it seems easy...
    ...so I installed a fresh copy of Win2000 Adv Server with Active Directory, plus another Win2000 Adv Server with Oracle AS infra.
    Then I got a copy of this document:
    http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm?_template=/ocom/technology/content/print
    Unfortunately the "dipassistant" command at the end of the document comes out with an error:
    dipassistant ERROR: DIP_GEN_UNKNOWN_FAILURE
    I also looked on Metalink for some help, and I found note 267153.1.
    At the beginning of the document it is explained how to verify whether it is possible to read the "container": cn=users,dc=domain,dc=com
    Running an ldapsearch on the Active Directory is useful for verifying any access issues...
    The command does not come out with errors, but it also does not come out with any output (I put a few users on the Active Directory).
    Thank you in advance for your time

    Thanks Andres,
    I tried to query the Active Directory in the way you said... but nothing!
    ldapsearch \
    -p 389 \
    -h adhost \
    -D "cn=Administrator,cn=users,dc=domain,dc=com" \
    -w "mypassword" \
    -b "cn=users.oracle.com" \
    -s base "objectclass=*"
    and in these formats too:
    (-b "dc=users.paan.com"
    -b "cn=users,dc=paan,dc=com")
    I'm really lost, what else could be wrong?
    I'm wondering if there is anything missing from the document I'm following for the sync.
    http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm?_template=/ocom/technology/content/print
    Conceptually the synchronization seems to be a straightforward process, but in reality I find it quite complicated... maybe I'm missing some key information...
    Any ideas to suggest?
    Thanks

  • Db10g external password authentication with Active Directory via OID

    Hi all
    - I have the synchronization AD-to-OID
    - I have the external authorization of AD users via SSO (external authorization plug-in)
    - I have the DB10g enterprise authorization of OID native users who have their password in OID (global schema)
    - but I can't configure the DB10g authorization of AD-to-OID synchronized users who don't have their password in OID
    error:
    ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
    i.e. those users are not recognized as users with external passwords.
    Any ideas, please ...

    Funny thing - LDAP (OID and Active Directory) defines a generic hierarchical database. Like any other generic database, you need to define the schema to define what data is to be captured.
    Each LDAP application expects a certain schema. That includes Enterprise User Security (part of the Advanced Security Option).
    To accomplish what you want to do
    1) get familiar with the Enterprise User Security capability (see the EUS documentation at tahiti)
    2) learn to configure SQLNet / Oracle Networking to use LDAP ('cause it's Oracle Networking that is responsible for the login)
    3) Reverse the schema from OID and transport it to AD
    Aside from that, it's a no-brainer.

  • Oracle forms authentication with active directory without OID

    Hi Gurus,
    I need to implement Active Directory authentication in Oracle Forms.
    My scenario is this:
    1. The user is created in Active Directory
    2. The user is imported into our application, and then I assign the roles in Oracle, and create the user in my application.
    When the user logs in, the system has to validate the password with MS-AD. If the password is right, then the system starts a session in Oracle.
    My questions are:
    1. How can I validate the password in AD? Is it in clear text, unix crypt, AES?
    2. In case the user has changed the password in AD, how can he log in to Oracle with the new password?
    We use oracle enterprise edition, but we don't have oracle applications, so i can't use identity management.
    Thanks in advance for your help

    You will need Oracle SSO and OID to implement Active Directory authentication for Oracle Forms. It comes with Oracle Application Server. You will need to read up on how to use AD instead of OID as the user store for Oracle Single Sign-on (SSO). Forms will use SSO to login not really knowing which user store is used so there is no config needed on the Forms side (except enabling SSO).

  • Db10g external password authentication from Active Directory via OID

    Hi all
    - I have a synchronization AD-to-OID (OAS 10.1.2 (Infra) cold failover cluster, 2 nodes)
    - I have external authorization of AD users via SSO (external authorization plug-in)
    - I have RAC DB (10.1.0.3, 2 nodes) enterprise authorization of OID native users who have their passwords in OID (global schema)
    - but I can't configure DB authorization of AD-to-OID synchronized users who don't have their passwords in OID
    error:
    ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
    i.e. those users are not recognized as users with external passwords.
    Any ideas, please ...

    I've gone through that thread a few times already, but it only covers infrastructure based on Sun JDS, which seems to pose less problems than Active Directory. Many others refer only to hand-compiled OpenLDAP installations which are quite different to configure... sigh
    I have, however, managed to get the base system running - meaning I can see Solaris ask LDAP for locally unknown user and group names - but all I get back is Unknown Object.
    Here's a snoop dump of one of the failed requests, in hope someone here can shed some light on the problem:
    request from my server to the LDAP box:
    LDAP: [Base Object]
    LDAP: ou=people,OU=Austria,DC=AT,DC=OurADdomain,DC=com
    LDAP: [Scope]
    LDAP: wholeSubtree
    LDAP: Equality Match *[3]
    LDAP: [Attr Descr]
    LDAP: objectClass
    LDAP: [Value]
    LDAP: posixAccount
    LDAP: *[3]
    LDAP: [OctetString]
    LDAP: uid
    LDAP: [OctetString]
    LDAP: myusername
    reply from the LDAP server:
    LDAP: [Error Message]
    LDAP: 0000208D: NameErr: DSID-031001CD
    LDAP: , problem 2001 (NO_OBJECT), data
    a) our Active Directory 2003 R2 with the default Unix schema does not seem to implement the objectClass=posixAccount attribute, although the documentation on MSDN suggests that attribute should be there. I'm atm about to get some MS guy to solve this..
    b) The base object DN seems to always get prefixed with ou=people - why? I didn't enter that field with ldapclient, and that orgunit does not exist in AD per default. How can I prevent Solaris from modifying my search path in that way? I think this is one of the reasons why I keep getting no-object-errors.
    c) Our AD doesn't seem to offer a way to create/modify the unix object classes shadowExpire, shadowFlag and others for password management. Are those strictly necessary - i.e. will I run into new problems with those if I managed to solve a) and b)?

  • Oracle 9i/10G DB authentication using Active Directory (with out OID)

    Hello All,
    We want to use a Single-Password authentication scheme using the Active
    Directory as the primary source for userId/Password.
    We don't want to use the Active Directory and OID bridge.
    As we have many databases and would like to configure all Databases to use Active
    Directory for Authentication. Our goal is to have single id/password across all
    the databases and any user should be able to login from any computer using their
    windows id/password, note that we don't want to use the OSAuthentication.
    We have read the documents provided by oracle for authentication using Active
    Directory, we were able to create Oracle Schema in Active Directory and were
    also able to register a DB with Active Directory and then created user as global
    user in Oracle Database and provided the DN of the user. When we tried
    authenticate with all this setup it comes back and says invalid ID/Password !!!
    And with 10G database we get the Oracle Error ORA-03113: end-of-file on communication channel !!
    Has anyone tried, or does anyone have information on, integrating Oracle to authenticate against Active Directory?
    Environment:
    Oracle DB Version: 9.2.0 and also tried on 10.0.1 with same results
    Operating System: Windows 2000 / Windows 2000 Server
    Constraint: We don't want to use OID (as we don't have a license for this
    product!)

    I have a thread started similar to your request.
    OS Authentication on Windows
    Somewhere I read this. It works on Oracle 9i on Linux, but I have not tried it with Oracle 9i on Windows.
    SHOW PARAMETER OS_AUTHENT_PREFIX;
    SHOW PARAMETER REMOTE_OS_AUTHENT;
    CREATE USER OPS$SOMEUSER IDENTIFIED EXTERNALLY;
    GRANT CREATE SESSION TO OPS$SOMEUSER;
    For the username, I wonder if we are supposed to put the Windows Domain name as part of the username? Such as, for a Windows domain user MyDomain\SomeUser
    CREATE USER OPS$MYDOMAIN\SOMEUSER IDENTIFIED EXTERNALLY;
    I really wish Oracle or somebody created a guide or book on how to do this.

  • Active Directory exports to OID (concerning password storage)

    I don't know if this is answered somewhere else but I am hoping to get an answer from people who have synchronized OID to Active Directory already.
    My question is do the AD passwords get stored in OID along with all the other user information during the sync? I know you must use an external plugin to authorize users against their passwords that come from AD.
    I am just curious about this since it will probably be an issue for me down the line. Thanks!

    Hi Seth
    It's your choice. If you are using the External Authentication feature in OID it is not necessary to store AD passwords in OID.
    Keep this in mind about password synchronization between OID and AD. Currently all attributes are capable of two-way synchronization between OID and AD except one. That is the user's password. It is possible to synchronize a password from OID to AD but not from AD to OID.
    This is primarily because Microsoft uses proprietary password hashing called "Unicode Password Hash" which, as I said, is proprietary to Microsoft. OID, like most other LDAP servers, supports open source password hashing such as MD5, MD4, SHA, SSHA and Crypt to name a few. Microsoft does not support any of these to my knowledge. So even if you could pass a user password from Active Directory to OID, OID does not support MS password hashing.
    We are however able to synchronize passwords from OID to AD over SSL. This is done with a feature called "Reversible Encrypted Password". By default this feature is turned off. When you enable this feature OID will store the user's password in two different attributes. One is the traditional "userpassword" attribute which uses the hashing schemes I mentioned earlier. The other is a password attribute that stores the user's password in an encrypted format that can be reversed to clear text. This clear text password can then be sent over SSL using a wallet to the AD server.
    In version 10.1.3 (mid 2005) of OID we plan to release a feature that will allow passwords from AD to be synched with OID. Until then passwords can only be synched from OID to AD.
    Jay
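
The one-way, scheme-tagged userPassword values described in the reply above, as an added example that is not part of the original post or Oracle's code. It assumes the common RFC 2307-style `{SHA}` and `{SSHA}` encodings (two of the schemes the reply lists); the `{X-OTHER}` label in the note below is a constructed stand-in for any scheme the verifier does not implement.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password):
    """Build an unsalted {SHA} value: base64(SHA1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify(stored, candidate):
    """Check a candidate password against a stored scheme-tagged hash.

    The stored value can only confirm a guess. It cannot be turned back
    into the password or re-encoded under another scheme, which is why a
    directory that must forward the password keeps a separate reversible copy.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value carries no {SCHEME} prefix")
    scheme, encoded = stored[1:].split("}", 1)
    raw = base64.b64decode(encoded)
    pw = candidate.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SSHA":
        if len(raw) <= 20:
            raise ValueError("SSHA value is too short to contain a salt")
        digest, salt = raw[:20], raw[20:]   # SHA-1 output is 20 bytes
        computed = hashlib.sha1(pw + salt).digest()
    elif scheme == "SHA":
        digest = raw
        computed = hashlib.sha1(pw).digest()
    else:
        # A hash produced under a scheme this verifier does not implement
        # is opaque to it: there is nothing to compare against.
        raise ValueError("unsupported scheme: " + scheme)
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    stored = make_ssha("Winter2005", salt=b"\x01\x02\x03\x04")  # constructed sample
    print(stored, verify(stored, "Winter2005"), verify(stored, "winter2005"))
```

Passing a value such as `{X-OTHER}AAAA` to `verify` raises `ValueError`, which is the situation the reply describes for a hash copied between directories that do not share a scheme.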

  • Integrating Oracle Portal & Microsoft Active Directory

    Dear friends
    I Integrated Oracle Portal & Microsoft Active Directory without any error or problems but it just integrate the users under Users Container in active directory, I have some OU,Groups and policies and I categorized my users under them, so when I run "sh oidspadi.sh" and set "cn=...." with other values except "Users" it can not add all of the users under specific groups or policies.
    Please let me know how can I add all of my users in active directory to OID?
    Thanks
    Babak Saraie

    I'm not familiar with iPlanet, but if it can allow basic
    authentication and connect to AD, it should be possible to do what
    you want.
    Personally, I would rather that the browser did not
    automatically log me in. For example, if someone was having
    problems with their "view" on the intranet web site, if they
    visited your office, you would have to log off, let them log on
    (and wait while their profile was created) just to let them open a
    browser.
    Is it really asking too much for them to enter their
    username/password into a browser prompt once each day? Heck, most
    browsers will remember usernames and passwords so you don't have to
    type it. You just click OK.
    That's just my perspective.
    M!ke

  • Apply OID search filter for Active Directory Export Sync Profile

    - currently we have the Active Directory export profile working successfully
    - the filter we apply at the OID side is SynchronizeToAD!=OID
    that means synchronize all LDAP data that has an attribute value other than "OID"
    - This works very well
    Problem:
    - We now need to make the export sync work based on a different condition. The condition being....
    SynchronizeToAD=AD3 ( Note the equality condition here, the previous one was not equal to )
    - The moment we set it to the above conditions it seems to invalidate the filter. Now it behaves as if there is no filter. All changes are synchronized regardless of the attribute value
    Question:
    1) Need a way to control synchronization based on attribute value.
    2) So far we have tried the filter values below without success
    2a) (&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))
    2b) SynchronizeToAD=AD3
    - In the directory we have 3 values for this attribute(SynchronizeToAD) - AD , AD3 and OID
    Please provide us with valid search filter to accomplish the above.
    The OID profile attribute that we are trying to set is odip.profile.oidfilter
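
What the filters in the post above select under standard RFC 4515 search-filter semantics, as an added example that is not part of the original post. The entries are constructed, and this models ordinary LDAP filter evaluation only; how Oracle DIP itself interprets odip.profile.oidfilter is not something the page states.

```python
import re

# Constructed entries: the three values named in the post, plus one entry
# that has no SynchronizeToAD attribute at all.
ENTRIES = {
    "cn=alice": {"synchronizetoad": ["AD"]},
    "cn=bob": {"synchronizetoad": ["AD3"]},
    "cn=carol": {"synchronizetoad": ["OID"]},
    "cn=dave": {},
}

ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)=([^()*\\]*)")


def parse(text):
    """Parse a filter limited to &, |, ! and equality items."""
    s = text.strip()
    if not s.startswith("("):
        s = "(" + s + ")"   # convenience; the RFC 4515 grammar requires parentheses
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif i < len(s) and s[i] == "!":
        kid, i = _parse(s, i + 1)
        node = ("!", kid)
    else:
        end = s.find(")", i)
        m = ITEM.fullmatch(s[i:end]) if end != -1 else None
        if not m:
            raise ValueError("not a valid equality item: %r" % s[i:])
        node, i = ("=", m.group(1).lower(), m.group(2)), end
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def matches(node, entry):
    op = node[0]
    if op == "=":
        # An attribute the entry lacks makes the item false, so its
        # negation is true (case-insensitive matching is assumed here).
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if op == "!":
        return not matches(node[1], entry)
    results = [matches(k, entry) for k in node[1]]
    return all(results) if op == "&" else any(results)


def select(filter_text, entries=ENTRIES):
    tree = parse(filter_text)
    return sorted(dn for dn, e in entries.items() if matches(tree, e))


if __name__ == "__main__":
    print(select("(SynchronizeToAD=AD3)"))
    print(select("(&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))"))
```

Under these semantics filter 2a also selects the entry with no SynchronizeToAD value, while the equality filter selects only AD3, and `SynchronizeToAD!=OID` is rejected because `!=` is not an RFC 4515 operator; negation is written `(!(SynchronizeToAD=OID))`.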

  • Oracle Discoverer 10G and mapping Active Directory to use SSO/OID

    Could anybody point me please to the right direction?
    1. I've setup Oracle 10gIAS but turned off SSO and my users running discoverer /portals with no SSO.
    2. My goal is to turn on SSO and synchronize it with Active directory on the windows box.
    Thank you in advance

    Hi Randy;
    As you mention, all notes refer to SSO & OID for Active Directory integration. AFAIK there is no way to do it; please log an SR and confirm this with Oracle Support.
    Regards
    Helios

  • OID and MS Active Directory Synchronization

    Hi,
    I've read that these 2 LDAP services can be synchronized with the "Active Directory Connector". So does this mean that if users and groups are stored in the MS Active Directory, it is possible to have the users and groups synchronized with the OID so that these are available directly in Oracle Portal, or do they still need to be added manually somehow into Portal?
    Thanks in advance,
    Brandon

    You can find documentation at :
    - http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics01.htm
    - http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm
    - Note 267153.1 (How To Setup OID Synchronization with Microsoft Active Directory Quick Start Guide) with related docs
    Best regards,
    Nicolas Stiévenard

  • OID and MS Active Directory LDAP information Synchronization

    Do you know how to do the integration between OID and MS Active Directory? How to synchronize the LDAP information between the two?

    Hi, I have the same question.
    Thanks,
    Malin

  • OID and MS Active directory integration in 9ias

    How to integrate OID with MS Active directory ?
    We have 9ias and Portal . How to use the username/password in MS AD for Portal authentication ? As far as I know 9ias is using OID , so the question comes down to how to replicate MS AD information to OID ?

    Hi, I have the same question.
    Thanks,
    Malin

  • OID and Active Directory

    1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
    2 Marshall data from Active Directory on demand (live link)?
    3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
    4 Can Oracle Single Sign-On work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication)?

    This is what I have to share with you....For further details refer link http://otn.oracle.com/products/oid/index.html and Oracle Internet Directory Administrator's Guide.
    1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
    For synchronizing from Microsoft Active Directory to Oracle Internet Directory, you need to track changes in Microsoft Active Directory and configure your Active directory connector giving its URL, user account and password to be used by the Active Directory connector, its DIT info on domain which contain the users/groups. And in the Active Directory synchronization profile you'll have to set the mapping rule.
    2 Marshall data from Active Directory on demand (live link)?
    Yes, it's possible to migrate data between directories. Configure your Active Directory connector and External auth Plug-in. And use the Directory Integration and Provisioning Assistant.
    3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
    Yes, it's possible. When a user tries to log in, the OracleAS Single Sign-On server tries to verify the credentials the user enters against those stored in Oracle Internet Directory. If the user credentials are not there, then the Oracle directory server invokes the Active Directory external authentication plug-in. This plug-in verifies the user credentials in Microsoft Windows. If the verification is successful, then the Oracle directory server notifies the OracleAS Single Sign-On accordingly.
    4 Can Oracle Single Sign-On work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication).
    Oracle Application Server Single Sign-On enables native authentication, also called autologin, in a Microsoft Windows environment. Once logged into the Windows desktop, the user automatically has access to Oracle components. OracleAS Single Sign-On automatically logs the user into the Oracle environment using user's Kerberos credentials.

  • Active Directory special symbols into OID

    We are having difficulties importing special symbols in user accounts into OID from Active Directory.
    Any suggestions?
    TIA

    Have a look at Metalink note 102940.1
    The setting of the charset might be applicable when importing the data in your scenario.
    cu
    Andreas
