Internet Directory / SSL X509v3 / Wallet Solution

I'm looking for success stories of LDAP and SSL solutions utilizing Oracle's tools. I am basically looking for industry successes as well as troubles.

Lance,
You've got the wrong forum. This one is for users of Oracle's Project applications (Project Costing, Project Billing, etc.). Try one of the technical forums on TechNet at http://technet.oracle.com/

Similar Messages

  • OWM says "The directory OH /owm/wallets/oracle" does not exist

    Hello, RHEL 6, x86-64
    Oracle 11.2.0.4 Ent Edition
    I just upgraded the database from 11.2.0.3 to 11.2.0.4.  User reports "ORA-28365: wallet is not open" while trying to access tables in a certain schema.
    I have little experience with Wallet so I find out that I can "open" the wallet using OWM.  I start OWM and follow the instructions in section 9.4.3 of http://docs.oracle.com/cd/B28359_01/network.111/b28530/asowalet.htm#i1006711, and after step 2, which is to select a directory for the wallet, it tells me "The directory <OH>/owm/wallets/oracle does not exist".  Ahh!  (By the way, this was when I was pointed to the ORIGINAL oracle home (11.2.0.3) because I wanted to see if the wallet existed there.)
    Now I am moderately panicked.  What do I try next?  I gotta get the wallet open!
    Thank you in advance for taking the time.
    Humbly,

    Hi,
    If you have TDE encrypted objects, one must open the wallet from SQL*Plus.
    1) make sure the sqlnet.ora in your $ORACLE_HOME/network/admin has the ENCRYPTION_WALLET_LOCATION parameter set, for example:
    ENCRYPTION_WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /home/oracle/wallet)))
    2) connect as sysdba and run:
       alter system set encryption wallet open identified by "wallet_password";
    3) check wallet status and path with: select * from v$encryption_wallet;
    4) select again from the encrypted objects

  • Active Directory SSL Problem

    Hi everyone,
    I installed the SSL certificate according to the Active Directory Connector Guide (part 2.2.3.4).
    But I have an error :
    ConnectorServer.exe Error: 0 : Error processing request
    System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.
    Do you have any idea?
    Thanks.
    Best regards.

    Hi,
    I did all requirements but I have an error.
    In Connector Server log :
    ConnectorServer.exe Error: 0 : Error processing request
    System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.
    In OIM diagnostic log :
    org.identityconnectors.framework.common.exceptions.ConnectorException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    Do you have any idea ?
    Thanks.

  • Multiple sites; sites bypassed when SSL is activated: solution:restart SSL

    This is a tip.
    I had a problem where Leopard bypasses a site when it is SSL activated and one makes changes in any other site (for example adding another site, etc.). In my case, the SSL site worked well, but when another site was added and I pressed the SSL site, the result page was the new site.
    (but in the listing the order of the sites was: SSL, new site, *); I also checked the DNS and restarted the web services without any solution.
    The way I corrected it was:
    1)Disable SSL in the SSL site (deactivate SSL),
    2)restart the web services
    3)Restart the SSL site (activate SSL)
    then you can access the SSL site without being redirected to another site.
    some Leopard things...

    Two different sites, one with .info and one with .net.  One works perfectly without issue and they each have similar settings in Server, however one only seems to want to work using the https prefix.  The sites are both different and therefore need to be accessed with http at this point.  The problem is when I go to http://example.info it takes me to http://example.net which is not what needs to be occurring.  This occurs internally and externally.  Before the move I did, my server was doing DNS as well and those settings have not changed or been modified except when I had to change their outside static IPs.

  • SSL Portal Wallet configuration

    I'm trying to set up my application server using SSL; it is all configured and works fine. The problem comes when I try to change the SSL wallet file path: if I change this path in ssl.conf the Forms service works fine, it detects the certificate without problems, but if I try to access Portal I get a "No response from Application Web Server" after the SSO page. If I go back to the original path for the SSL wallet everything works fine except I get no certificate. I believe I'm missing something in the configuration in order for this to work. Could somebody point me in the right direction?

    I worked this out by replacing all the wallet files in the Oracle home with the wallet containing the certificate,
    but now I come to another issue. When I set up SSO for Forms, after the login page I get redirected to the SSO URL (e.g. http:\\myinfrasite:4443) and the problem is that this URL doesn't have the S in httpS; if I log in through Portal I get no such problem. I guess that I have a misconfiguration for the URL that Forms uses in SSO, but I can't find that URL anywhere.

  • SSL with Network Solutions @ POP Setting

    Hi,
    I am having difficulty setting up my mail, where the instructions by Network Solutions are to use Password as authentication and NOT to check the SSL setting in the outgoing mail. The system automatically checks the SSL no matter how many times I uncheck it.
    The only solution is to set the authentication to MD5 Challenge-Response in order for the SSL not to be auto-checked by the computer itself.
    I have mails going OUT, but some mails do not arrive as they are bounced back to the sender.
    Does anyone else have a similar problem or solution for this?
    Much appreciate the help,
    Richard
    PS using OS X Mountain Lion

    First result in google for "Network Solutions Email setup"   is this page:
    Below are the most common settings needed to set up most POP3/IMAP Email Clients or Devices:
    http://www.networksolutions.com/support/pop-imap-settings/

  • Solution Directory -- Create System for Solution Monitoring

    Hi Experts,
    I created an ERP solution in SolMan but I don't know how to create systems DEV, QAS and PRD as graphics for process monitoring.
    I already configured in SMSY the systems, RFCs and logical component.
    Regards.

    Hi,
    I would suggest to go through http://service.sap.com/rkt-solman for your Solution Manager release.
    It provides complete details regarding benefits and configuring Solution Manager services, including Solution Monitoring as well.
    Hope it helps.
    Regards,
    Srikishan

  • TS3694 what is error 3014. It is listed in the Apple error directory but with no **** solution provided by Apple!!

    what is this **** error and how do we overcome it? Apple does not provide a solution!

    Create a new profile as a test to check if your current profile is causing the problems.
    See [[Basic Troubleshooting#Make_a_new_profile|Basic Troubleshooting: Make a new profile]]
    If that new profile works then you can transfer some files from the old profile to that new profile (be careful not to copy corrupted files)
    See http://kb.mozillazine.org/Transferring_data_to_a_new_profile_-_Firefox

  • Keep getting security warnings about ssl certificate, forum solutions are not helping so far

    I cannot log onto common websites like mozilla.org, google.com, facebook.com etc. I get an error message saying the "certificate is not trusted because the user is unknown". I corrected the date and time on my PC and tried the "delete cert8.db file" method; can someone suggest anything else to solve the problem? I have run full PC virus checks and network checks with Avast; the only way I can access these sites is with the use of a Linux USB boot drive, but with Windows it won't let me.

    Also check the date and time and time zone in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
    See https://support.mozilla.org/kb/Secure+Connection+Failed
    (I've updated the tags because you posted with Iceweasel on Linux)

  • ORA-28759 when trying to open wallet

    Hello,
    I have a problem when I try to do a https request via utl_http.
    Database version is
    SYS@tcp_iig9_test> select * from v$version;
    BANNER
    Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
    PL/SQL Release 11.2.0.1.0 - Production
    CORE    11.2.0.1.0      Production
    TNS for 32-bit Windows: Version 11.2.0.1.0 - Production
    NLSRTL Version 11.2.0.1.0 - Production
    The database is running on a Windows Server 2008 32 bit Standard SP2.
    I create a simple wallet using orapki on the database server the following way
    c:\> orapki wallet create -wallet wallet-client -auto_login
    The wallet is created successfully, I have the ewallet.p12 file and a cwallet.sso file in the wallet-client directory:
    C:\wallet-client>dir
    Volume in drive C is System
    Volume Serial Number is 5C03-B54D
    Directory of C:\wallet-client
    10/11/2010  01:58 AM    <DIR>          .
    10/11/2010  01:58 AM    <DIR>          ..
    10/11/2010  01:58 AM             3,589 cwallet.sso
    10/11/2010  01:58 AM             3,512 ewallet.p12
                   2 File(s)          7,101 bytes
                   2 Dir(s)     475,807,744 bytes free
    Just to be sure I opened the wallet with the wallet manager successfully.
    after that I want to do a request with the following code:
    SYS@tcp_iig9_test> r
      1  declare
      2  vReq varchar2(2000);
      3  begin
      4  utl_http.set_wallet('file:c:\wallet-client', '<pwd>');
      5  vReq := utl_http.request('https://supporthtml.oracle.com');
      6* end;
    declare
    ERROR at line 1:
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1722
    ORA-28759: failure to open file
    ORA-06512: at line 5
    Note that I do not care if the certificate chain is OK at this time (the root certificate of the oracle support portal would be from verisign which is in the wallet btw.).
    same thing happens if I pass the path to the wallet directly to utl_http.request :
    SYS@tcp_iig9_test> r
      1  declare
      2    vReq varchar2(2000);
      3  begin
      4    vReq := utl_http.request('https://supporthtml.oracle.com', null, 'file:c:/wallet-client', '<pwd>');
      5* end;
    declare
    ERROR at line 1:
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1722
    ORA-28759: failure to open file
    ORA-06512: at line 4
    To add: I created ACL's like here:
    http://www.morganslibrary.org/reference/dbms_network_acl_admin.html
    and after the ACL's where created correctly I ended up with the above error.
    To exclude this has anything to do with Network ACL's I tested the whole stuff with the sys user (as seen above) - the error persists.
    When searching the documentation for ORA-28759 I get here: http://download.oracle.com/docs/cd/B28359_01/network.111/b28530/asossl.htm#ASOAG9698
    Which begs the question: what has this to do with SQL*Net SSL authentication? Anyway; I added the WALLET_PATH to my sqlnet.ora on the server just to be sure:
    WALLET_LOCATION =
    (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=c:\wallet-info)))
    which resulted in exactly the same behaviour (yes I did bounce the listener and the oracle service just to be sure)...
    A google search came back with the same advice: add the correct WALLET_LOCATION to your sqlnet.ora for version 10.2.x. Just to add: I tested the same thing on 10.2.0.4 WITHOUT adding WALLET_LOCATION to the sqlnet.ora successfully, so I am really wondering what I am missing here.
    Yes, I do have read / write privileges to the directory (to test I wrote a file using utl_file), yes I am darn sure I passed the correct password for the wallet, and yes I am darn sure the wallet is correct (as said I opened it successfully using Wallet Manager).
    Did anyone encounter a similar issue?
    cheers

    Found the solution: as noted in the 11gR2 documentation for set_wallet (http://download.oracle.com/docs/cd/E11882_01/appdev.112/e16760/u_http.htm#i998681): If the wallet is auto-login enabled, the password may be omitted and should be set to NULL. The password passed to utl_http.request should (well, moreover a must) be set to null when auto-login is enabled; after that it works... This is different from 10gR2... Yeah well, if you can read, you'll be in the lead...
    It gets funny though if you open the wallet with Wallet Manager (this fancy GUI bloatware I used to check if I entered the password correctly in the first place). Once the wallet is opened and saved with Wallet Manager the error is back whether I pass a password or not.
    cheers
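The ORA-28365 thread earlier on this page and this ORA-28759 thread both come down to the same two questions: does the wallet directory the database will actually look in hold a wallet at all, and is that wallet auto-login (cwallet.sso) or password-protected (ewallet.p12)? The following is an added example written for this page, not code from either post or from Oracle. It pulls a FILE-method wallet entry out of sqlnet.ora text, inspects the directory, and derives the next step for the TDE case and the correct SET_WALLET argument pair for the UTL_HTTP case (NULL password for an auto-login wallet, as the documentation quoted above says). The sqlnet.ora text, the temporary wallet directory and the empty files created in it are constructed for the demo; all function and code names are the example's own.

```python
"""Added example for the ORA-28365 (TDE) and ORA-28759 (UTL_HTTP) threads:
check what is really at the configured wallet location before opening it.
Editor-written illustration, not code from the posts; everything it touches
(sqlnet.ora text, wallet directory, wallet files) is constructed here."""
import os
import re
import tempfile

ENCRYPTED_WALLET = "ewallet.p12"  # PKCS#12 wallet, needs the wallet password
AUTOLOGIN_WALLET = "cwallet.sso"  # auto-login (SSO) wallet, opened without one


def wallet_location(sqlnet_text, param="ENCRYPTION_WALLET_LOCATION"):
    """Return the DIRECTORY of a FILE-method wallet entry, or None.

    Works for ENCRYPTION_WALLET_LOCATION (TDE) and WALLET_LOCATION
    (SQL*Net SSL); both use the same nested-parenthesis syntax.
    """
    pattern = re.compile(
        r"^[ \t]*" + re.escape(param) + r"\s*=\s*\(\s*SOURCE\s*=\s*"
        r"\(\s*METHOD\s*=\s*FILE\s*\)\s*\(\s*METHOD_DATA\s*=\s*"
        r"\(\s*DIRECTORY\s*=\s*([^)]+)\)",
        re.IGNORECASE | re.MULTILINE,
    )
    match = pattern.search(sqlnet_text)
    return match.group(1).strip() if match else None


def inspect_wallet_dir(directory):
    """What is on disk at the configured location."""
    if not directory or not os.path.isdir(directory):
        return {"exists": False, "encrypted": False, "auto_login": False}
    return {
        "exists": True,
        "encrypted": os.path.isfile(os.path.join(directory, ENCRYPTED_WALLET)),
        "auto_login": os.path.isfile(os.path.join(directory, AUTOLOGIN_WALLET)),
    }


def tde_next_step(sqlnet_text):
    """ORA-28365 triage: a short code naming the next action.

    Pass the sqlnet.ora from $ORACLE_HOME/network/admin (or $TNS_ADMIN) of
    the home the instance is actually running from; after an out-of-place
    upgrade that is the new home's copy, not the old one's.
    """
    directory = wallet_location(sqlnet_text)
    if directory is None:
        return "no_location"        # add ENCRYPTION_WALLET_LOCATION first
    state = inspect_wallet_dir(directory)
    if not state["exists"]:
        return "missing_dir"        # path wrong, or wallet never copied over
    if not (state["encrypted"] or state["auto_login"]):
        return "empty_dir"          # directory exists but holds no wallet
    if state["auto_login"]:
        return "auto_login"         # opens at startup; confirm in V$ENCRYPTION_WALLET
    return "open_with_password"     # ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY ...


def utl_http_wallet_args(directory, password=None):
    """(path, password) for UTL_HTTP.SET_WALLET or UTL_HTTP.REQUEST.

    Encodes the rule found in the thread: with an auto-login wallet the
    password must be NULL.  Mis-pairings are rejected up front instead of
    surfacing later as a failure inside UTL_HTTP.
    """
    state = inspect_wallet_dir(directory)
    if not (state["encrypted"] or state["auto_login"]):
        raise FileNotFoundError(f"{directory}: no wallet files to open")
    path = "file:" + directory
    if state["auto_login"]:
        if password is not None:
            raise ValueError("auto-login wallet: pass NULL as the password")
        return path, None
    if not password:
        raise ValueError("password-protected wallet: password required")
    return path, password


def demo():
    """Exercise the checks against a constructed wallet layout."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        wallet = os.path.join(tmp, "wallet")
        os.mkdir(wallet)
        sqlnet = (
            "ENCRYPTION_WALLET_LOCATION =\n  (SOURCE =\n    (METHOD = FILE)\n"
            f"    (METHOD_DATA =\n      (DIRECTORY = {wallet})))\n"
        )
        results["empty"] = tde_next_step(sqlnet)
        open(os.path.join(wallet, ENCRYPTED_WALLET), "wb").close()
        results["password"] = tde_next_step(sqlnet)
        results["args_pw"] = utl_http_wallet_args(wallet, "wallet_password")
        open(os.path.join(wallet, AUTOLOGIN_WALLET), "wb").close()
        results["sso"] = tde_next_step(sqlnet)
        results["args_sso"] = utl_http_wallet_args(wallet)
        try:
            utl_http_wallet_args(wallet, "wallet_password")
        except ValueError:
            results["sso_with_pw"] = "rejected"
        # Same sqlnet.ora pointing at a directory that is not there: the
        # old-home situation from the ORA-28365 thread.
        results["old_home"] = tde_next_step(sqlnet.replace(wallet, wallet + "-old"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as a script to see the codes for each constructed layout; in practice you would feed `tde_next_step` the real sqlnet.ora of the running home and call `utl_http_wallet_args` with the directory you intend to pass to SET_WALLET. The presence of cwallet.sso is what decides the NULL-password rule, which is also why re-saving a wallet from a GUI tool can change which call form is right.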

  • Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)

    hi ,
    I have used note 294791.1 from Metalink to try to link to Active Directory. I have 2: one is staff and another is student.
    I first ran oidspadi.sh to create the plugin for staff and it works; then I edited the 2 scripts to oidspad2.pls and oidspad2.sh with the required changes inside the files, then I ran it and it works, but now the problem is the first AD can't work. These are my changes below:
    FOR oidspad2.pls
    Rem
    Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
    Rem
    Rem oidspads.pls
    Rem
    Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
    Rem
    Rem NAME
    Rem oidspada.pls - 9.0.4 OID Password Active Directory
    Rem External Authentication Plug-in
    Rem
    Rem
    Rem NOTES
    Rem <other useful comments, qualifications, etc.>
    Rem
    Rem MODIFIED (MM/DD/YY)
    Rem saroy 08/02/04 - Fix for bug 3807482
    Rem qdinh 01/27/04 - bug 3374115
    Rem dlin 01/08/04 - pingan perf
    Rem dlin 08/22/03 - 3111770 bug fix
    Rem dlin 08/27/03 - change the way to get name
    Rem dlin 08/13/03 - bug 2962082 fix
    Rem dlin 02/21/03 - plug-in install changes
    Rem dlin 02/13/03 - dlin_bug-2625027
    Rem dlin 02/05/03 - fix ssl & failover
    Rem dlin 01/31/03 - dlin_adextauth1
    Rem dlin 01/30/03 - Created
    Rem
    SET echo off;
    SET serveroutput off;
    SET feedback off;
    SET verify off;
    CREATE OR REPLACE PACKAGE OIDADPSW2 AS
    PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
    result OUT INTEGER,
    dn IN VARCHAR2,
    passwd IN VARCHAR2,
    rc OUT INTEGER,
    errormsg OUT VARCHAR2);
    PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
    result OUT INTEGER,
    dn IN VARCHAR2,
    attrname IN VARCHAR2,
    attrval IN VARCHAR2,
    rc OUT INTEGER,
    errormsg OUT VARCHAR2);
    AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
    END OIDADPSW2;
    /
    SHOW ERROR
    CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
    SUBTYPE LDAP_SESSION IS RAW(32);
    SUBTYPE LDAP_MESSAGE IS RAW(32);
    SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
    SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
    SUBTYPE MOD_ARRAY IS RAW(32);
    SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
    PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
    result OUT INTEGER,
    dn IN VARCHAR2,
    passwd IN VARCHAR2,
    rc OUT INTEGER,
    errormsg OUT VARCHAR2)
    IS
    retval pls_integer;
    lresult BOOLEAN;
    my_session DBMS_LDAP.session;
    my_session1 DBMS_LDAP.session;
    tmp_session DBMS_LDAP.session;
    adupname VARCHAR2(1024) DEFAULT NULL;
    BEGIN
    plg_debug( '=== Begin when_bind_replace()');
    DBMS_LDAP.USE_EXCEPTION := FALSE;
    result := 49;
    adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
    IF (adupname IS NULL) THEN
    result := 1;
    plg_debug('Can not get ADUserPrincipalName');
    rc := DBMS_LDAP.SUCCESS;
    errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
    plg_debug( '=== End when_bind_replace() ===');
    RETURN;
    END IF;
    plg_debug( 'Go to AD for authentication');
    -- externally authenticate user
    IF ('&1' = 'n') THEN
         IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
         my_session := DBMS_LDAP.init('&2', &3);
         OIDADPSW2.AD_HANDLE := my_session;
         ELSE
         my_session := OIDADPSW2.AD_HANDLE;
         END IF;
    plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
    retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
    plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
    -- Retry logic should be invoked only
    -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
    -- Should free the old session if retry logic kept failing
    -- to cause the number of outstanding sessions exceeding the
    -- limit session number
         IF (retval = 52 OR retval = 53 OR retval = 81) THEN
         retval := DBMS_LDAP.unbind_s(my_session);
         plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
         my_session1 := DBMS_LDAP.init('&4', &5);
         plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
         tmp_session := my_session1;
         retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
         plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
         IF (retval != 52 AND retval != 53 AND retval != 81) THEN
         OIDADPSW2.AD_HANDLE := tmp_session;
         ELSE
         retval := DBMS_LDAP.unbind_s(tmp_session);
         plg_debug( 'unbind_res result ' || TO_CHAR(retval));
         END IF;
         END IF;
    ELSE
    -- SSL bind
         IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
         my_session := DBMS_LDAP.init('&6', &7);
         plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
         retval := DBMS_LDAP.open_ssl(my_session,
                             'file:' || '&8', '&9', 2);
         IF (retval != 0) THEN
         plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
         retval := DBMS_LDAP.unbind_s(my_session);
         plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
         result := 82;
         RETURN;
         END IF;
         plg_debug( 'open_ssl: ' || TO_CHAR(retval));
         OIDADPSW2.AD_HANDLE := my_session;
         ELSE
         my_session := OIDADPSW2.AD_HANDLE;
         END IF;
    retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
    plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
    -- Retry logic should be invoked only
    -- when retval = LDAP_UNWILLING_TO_PERFORM
    -- or LDAP_UNAVAILABLE
         IF (retval = 52 OR retval = 53 OR retval = 81) THEN
         retval := DBMS_LDAP.unbind_s(my_session);
         plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
         my_session1 := DBMS_LDAP.init('&10', &11);
         plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
         tmp_session := my_session1;
         retval := DBMS_LDAP.open_ssl(my_session1,
                             'file:' || '&12', '&13', 2);
         IF (retval != 0) THEN
         plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
         retval := DBMS_LDAP.unbind_s(my_session1);
         plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
         result := 82;
         RETURN;
         END IF;
         plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
         retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
         plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
         IF (retval != 52 AND retval != 53 AND retval != 81) THEN
         OIDADPSW2.AD_HANDLE := tmp_session;
         ELSE
         retval := DBMS_LDAP.unbind_s(tmp_session);
         plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
         END IF;
         END IF;
    END IF;
    -- for failover to connect to the secondary server
    IF ('&14' = 'y' AND retval != 0) THEN
    IF ('&15' = 'n') THEN
         IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
         my_session := DBMS_LDAP.init('&16', &17);
         OIDADPSW2.AD_HANDLE := my_session;
         ELSE
         my_session := OIDADPSW2.AD_HANDLE;
         END IF;
    plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
    retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
    plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
         IF (retval = 52 OR retval = 53 OR retval = 81) THEN
         retval := DBMS_LDAP.unbind_s(my_session);
         plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
         my_session1 := DBMS_LDAP.init('&18', &19);
         plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
         tmp_session := my_session1;
         retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
         plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
         IF (retval != 52 AND retval != 53 AND retval != 81) THEN
              OIDADPSW2.AD_HANDLE := tmp_session;
         ELSE
         retval := DBMS_LDAP.unbind_s(tmp_session);
              plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
         END IF;
         END IF;
    ELSE
         IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
         my_session := DBMS_LDAP.init('&20', &21);
         plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
         retval := DBMS_LDAP.open_ssl(my_session,
                             'file:' || '&22', '&23', 2);
         IF (retval != 0) THEN
         plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
         retval := DBMS_LDAP.unbind_s(my_session);
         plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
         result := 82;
         RETURN;
         END IF;
         plg_debug( 'open_ssl: ' || TO_CHAR(retval));
         OIDADPSW2.AD_HANDLE := my_session;
         ELSE
         my_session := OIDADPSW2.AD_HANDLE;
         END IF;
    retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
    plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
    -- Retry logic should be invoked only
    -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
         IF (retval = 52 OR retval = 53 OR retval = 81) THEN
         retval := DBMS_LDAP.unbind_s(my_session);
         plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
         my_session1 := DBMS_LDAP.init('&24', &25);
         plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
         tmp_session := my_session1;
         retval := DBMS_LDAP.open_ssl(my_session1,
                             'file:' || '&26', '&27', 2);
         IF (retval != 0) THEN
         plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
          retval := DBMS_LDAP.unbind_s(my_session1);  -- the retry session, my_session was already unbound
         plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
         result := 82;
         RETURN;
         END IF;
         plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
         retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
         plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
         IF (retval != 52 AND retval != 53 AND retval != 81) THEN
              OIDADPSW2.AD_HANDLE := tmp_session;
         ELSE
         retval := DBMS_LDAP.unbind_s(tmp_session);
         plg_debug( 'unbind_res result ' || TO_CHAR(retval));
         END IF;
         END IF;
         END IF;
    END IF;
    IF (retval = 0) THEN
    result := 0;
    plg_debug('AD auth return TRUE');
    ELSE
         result := retval;
    plg_debug('AD auth return FALSE or ERROR');
    END IF;
    -- retval := DBMS_LDAP.unbind_s(my_session);
    -- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
    rc := DBMS_LDAP.SUCCESS;
    errormsg := 'No error msg.';
    plg_debug( '=== End when_bind_replace() ===');
    EXCEPTION
    WHEN OTHERS THEN
    rc := DBMS_LDAP.OPERATIONS_ERROR;
         retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
         OIDADPSW2.AD_HANDLE := NULL;
         plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
    errormsg := 'Exception: when_bind_replace plugin';
    plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
              TO_CHAR(sqlcode));
    plg_debug( ' ' || Sqlerrm);
    END;
    PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
    result OUT INTEGER,
    dn IN VARCHAR2,
    attrname IN VARCHAR2,
    attrval IN VARCHAR2,
    rc OUT INTEGER,
    errormsg OUT VARCHAR2)
    IS
    retval pls_integer;
    lresult BOOLEAN;
    my_session DBMS_LDAP.session;
    my_session1 DBMS_LDAP.session;
    tmp_session DBMS_LDAP.session;
    adupname VARCHAR2(1024) DEFAULT NULL;
    BEGIN
    plg_debug( '=== Begin when_compare_replace()');
    result := DBMS_LDAP.COMPARE_FALSE;
    DBMS_LDAP.USE_EXCEPTION := FALSE;
    adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
    IF (adupname IS NULL) THEN
    result := DBMS_LDAP.COMPARE_FALSE;
    plg_debug('Can not get ADuserPrincipalName');
    rc := DBMS_LDAP.SUCCESS;
    errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
    plg_debug( '=== End when_compare_replace() ===');
    RETURN;
    END IF;
    -- externally authenticate user
    IF ('&28' = 'n') THEN
         IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
         my_session := DBMS_LDAP.init('&29', &30);
         OIDADPSW2.AD_HANDLE := my_session;
         ELSE
         my_session := OIDADPSW2.AD_HANDLE;
         END IF;
    plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
    retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
    plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
    -- Retry logic should be invoked only
    -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
    IF (retval = 52 OR retval = 53 OR retval = 81) THEN
         retval := DBMS_LDAP.unbind_s(my_session);
    plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
         my_session1 := DBMS_LDAP.init('&31', &32);
         plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
         tmp_session := my_session1;
         retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
         plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
         IF (retval != 52 AND retval != 53 AND retval != 81) THEN
         OIDADPSW2.AD_HANDLE := tmp_session;
    ELSE
         retval := DBMS_LDAP.unbind_s(tmp_session);
         plg_debug( 'unbind_res result ' || TO_CHAR(retval));
         END IF;
         END IF;
    ELSE
         IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
         my_session := DBMS_LDAP.init('&33', &34);
         plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
         retval := DBMS_LDAP.open_ssl(my_session,
                             'file:' || '&35', '&36', 2);
         IF (retval != 0) THEN
         plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
         retval := DBMS_LDAP.unbind_s(my_session);
         plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
         result := 82;
         RETURN;
         END IF;
         plg_debug( 'open_ssl: ' || TO_CHAR(retval));
         OIDADPSW2.AD_HANDLE := my_session;
         ELSE
         my_session := OIDADPSW2.AD_HANDLE;
         END IF;
    retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
    plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
    -- Retry logic should be invoked only
    -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
    IF (retval = 52 OR retval = 53 OR retval = 81) THEN
         retval := DBMS_LDAP.unbind_s(my_session);
    plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
         my_session1 := DBMS_LDAP.init('&37', &38);
         plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
         tmp_session := my_session1;
         retval := DBMS_LDAP.open_ssl(my_session1,
                             'file:' || '&39', '&40', 2);
    IF (retval != 0) THEN
         plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
          retval := DBMS_LDAP.unbind_s(my_session1);  -- the retry session, my_session was already unbound
         plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
         result := 82;
         RETURN;
         END IF;
         plg_debug( 'open_ssl: ' || TO_CHAR(retval));
         retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
         plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
         IF (retval != 52 AND retval != 53 AND retval != 81) THEN
         OIDADPSW2.AD_HANDLE := tmp_session;
    ELSE
         retval := DBMS_LDAP.unbind_s(tmp_session);
         plg_debug( 'unbind_res result ' || TO_CHAR(retval));
         END IF;
         END IF;
    END IF;
    -- for failover to connect to the secondary AD
    IF ('&41' = 'y' AND retval != 0) THEN
    IF ('&42' = 'n') THEN
         IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
         my_session := DBMS_LDAP.init('&43', &44);
         OIDADPSW2.AD_HANDLE := my_session;
         ELSE
         my_session := OIDADPSW2.AD_HANDLE;
         END IF;
    plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
    retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
    plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
    -- Retry logic should be invoked only
    -- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
         IF (retval = 52 OR retval = 53 OR retval = 81) THEN
         retval := DBMS_LDAP.unbind_s(my_session);
    plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
         my_session1 := DBMS_LDAP.init('&45', &46);
         plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
         tmp_session := my_session1;
         retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
         plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
         IF (retval != 52 AND retval != 53 AND retval != 81) THEN
              OIDADPSW2.AD_HANDLE := tmp_session;
    ELSE
         retval := DBMS_LDAP.unbind_s(tmp_session);
                plg_debug( 'unbind_res result ' || TO_CHAR(retval));
              END IF;
            END IF;
          ELSE
            IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
              my_session := DBMS_LDAP.init('&47', &48);
              plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
              retval := DBMS_LDAP.open_ssl(my_session,
                                           'file:' || '&49', '&50', 2);
              IF (retval != 0) THEN
                plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
                retval := DBMS_LDAP.unbind_s(my_session);
                plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
                result := 82;
                RETURN;
              END IF;
              plg_debug( 'open_ssl: ' || TO_CHAR(retval));
              OIDADPSW2.AD_HANDLE := my_session;
            ELSE
              my_session := OIDADPSW2.AD_HANDLE;
            END IF;
            retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
            plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
            -- Retry on the failover host only when the bind failed with
            -- LDAP_UNAVAILABLE (52), LDAP_UNWILLING_TO_PERFORM (53) or LDAP_SERVER_DOWN (81)
            IF (retval = 52 OR retval = 53 OR retval = 81) THEN
              retval := DBMS_LDAP.unbind_s(my_session);
              plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
              my_session1 := DBMS_LDAP.init('&51', &52);
              plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
              tmp_session := my_session1;
              retval := DBMS_LDAP.open_ssl(my_session1,
                                           'file:' || '&53', '&54', 2);
              IF (retval != 0) THEN
                plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
                retval := DBMS_LDAP.unbind_s(my_session1);
                plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
                result := 82;
                RETURN;
              END IF;
              plg_debug( 'open_ssl: ' || TO_CHAR(retval));
              retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
              plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
              IF (retval != 52 AND retval != 53 AND retval != 81) THEN
                OIDADPSW2.AD_HANDLE := tmp_session;
              ELSE
                retval := DBMS_LDAP.unbind_s(tmp_session);
                plg_debug( 'unbind_res result ' || TO_CHAR(retval));
              END IF;
            END IF;
          END IF;
        END IF;
        IF (retval = 0) THEN
          result := DBMS_LDAP.COMPARE_TRUE;
          plg_debug('AD auth return TRUE');
        ELSE
          result := DBMS_LDAP.COMPARE_FALSE;
          plg_debug('AD auth return FALSE or ERROR');
        END IF;
        -- retval := DBMS_LDAP.unbind_s(my_session);
        -- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
        rc := DBMS_LDAP.SUCCESS;
        errormsg := 'No error msg.';
        plg_debug( '=== End when_compare_replace() ===');
      EXCEPTION
        WHEN OTHERS THEN
          rc := DBMS_LDAP.OPERATIONS_ERROR;
          errormsg := 'Exception: when_compare_replace plugin';
          plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
                     TO_CHAR(sqlcode));
          plg_debug( ' ' || Sqlerrm);
          retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
          OIDADPSW2.AD_HANDLE := NULL;
      END;
    END OIDADPSW2;
    SHOW ERRORS
    EXIT;
    -- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
    -- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
    -- secwalletloc, secwalletpwd
    -- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
    -- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
    -- secwalletloc, secwalletpwd
    FOR oidspadi.sh
    #!/bin/sh
    # $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
    # oidspadi.sh
    # Copyright (c) 2002, 2005, Oracle. All rights reserved.
    # NAME
    # oidspadi.sh - AD external authentication plug-in install
    # DESCRIPTION
    # <short description of component this file declares/defines>
    # NOTES
    # <other useful comments, qualifications, etc.>
    # MODIFIED (MM/DD/YY)
    # saroy 05/13/05 - Fix for bug 4233817
    # saroy 02/18/05 - Fix for bug 4054414
    # saroy 11/02/04 - Fix for bug 3980370
    # qdinh 01/19/04 - bug 3374115
    # dlin 07/10/03 - turn off debug
    # dlin 02/21/03 - plug-in install changes
    # dlin 02/13/03 - dlin_bug-2625027
    # dlin 07/22/02 - Creation
    ADHOST="A"
    ADPORT="1"
    ADSSLPORT="1"
    WALLETLOC="A"
    WALLETPWD="A"
    WALLETPWD2="A"
    CONNECT="A"
    ODSPWD="A"
    ODSPWD2="A"
    OIDHOST="A"
    OIDPORT="1"
    ORCLADMINPWD="A"
    ORCLADMINPWD2="A"
    PRGDN="A"
    SCUSB="A"
    EP="A"
    ISSSL="n"
    ISFAILOVER="n"
    ISFAILOVERSSL="n"
    SECADHOST="A"
    SECADPORT="1"
    SECADSSLPORT="1"
    SECWALLETLOC="A"
    SECWALLETPWD="A"
    SECWALLETPWD2="A"
    clear
    echo "---------------------------------------------"
    echo " OID Active Directory Plug-in Configuration"
    echo "---------------------------------------------"
    echo " "
    echo "Please make sure Database and OID are up and running."
    echo " "
    LDAP_DIR=${ORACLE_HOME}/ldap
    LDAP_LOG=${LDAP_DIR}/log
    ## ORACLE_HOME
    # quote the variable so the test still works when it is empty, and fail non-zero
    if [ -z "$ORACLE_HOME" ] ; then
    echo " ORACLE_HOME must be set for this installation script"
    exit 1
    fi
    # gather required information
    if [ ${ADHOST} = "A" ] ; then
    printf "Please enter Active Directory host name: "
    read ADHOST
    fi
    ## active directory host name is required
    if [ "${ADHOST}" = "" ]
    then
    echo "Active Directory host name is required";
    exit 1;
    fi
    printf "Do you want to use SSL to connect to Active Directory? (y/n) "
    read ISSSL
    if [ "${ISSSL}" = "n" ]
    then
    if [ ${ADPORT} = "1" ] ; then
    printf "Please enter Active Directory port number [389]: "
    read ADPORT
    if [ "${ADPORT}" = "" ]
    then
    ADPORT="389"
    fi
    fi
    fi
    if [ "${ISSSL}" = "y" ]
    then
    if [ ${ADSSLPORT} = "1" ] ; then
    printf "Please enter Active Directory SSL port number [636]: "
    read ADSSLPORT
    if [ "${ADSSLPORT}" = "" ]
    then
    ADSSLPORT="636"
    fi
    fi
    if [ ${WALLETLOC} = "A" ] ; then
    echo " "
    printf "Please enter Oracle wallet location: "
    read WALLETLOC
    fi
    ## wallet location is required
    if [ "${WALLETLOC}" = "" ]
    then
    echo "Oracle wallet location is required";
    exit 1;
    fi
    if [ ${WALLETPWD} = "A" ] ; then
    printf "Please enter Oracle wallet password: "
    stty -echo ; read WALLETPWD ; stty echo ; echo
    fi
    if [ "${WALLETPWD}" = "" ]
    then
    echo "Oracle wallet password is required";
    exit 1;
    fi
    if [ ${WALLETPWD2} = "A" ] ; then
    printf "Please enter confirmed Oracle wallet password: "
    stty -echo ; read WALLETPWD2 ; stty echo ; echo
    fi
    if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
    then
    echo "The input passwords are not matched";
    exit 1;
    fi
    fi
    if [ ${CONNECT} = "A" ] ; then
    echo " "
    printf "Please enter DB connect string: "
    read CONNECT
    fi
    if [ ${ODSPWD} = "A" ] ; then
    printf "Please enter ODS password: "
    stty -echo ; read ODSPWD ; stty echo ; echo
    fi
    ## password is required
    if [ "${ODSPWD}" = "" ]
    then
    echo "ODS password is required";
    exit 1;
    fi
    if [ ${ODSPWD2} = "A" ] ; then
    printf "Please enter confirmed ODS password: "
    stty -echo ; read ODSPWD2 ; stty echo ; echo
    fi
    if [ "${ODSPWD}" != "${ODSPWD2}" ]
    then
    echo "The input passwords are not matched";
    exit 1;
    fi
    if [ "${CONNECT}" = "" ]
    then
    CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
    else
    CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
    fi
    # Check if ODS password and connect string are correct
    # (the password is part of the sqlplus command line, so it is visible in the process list while this runs)
    ${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
    exit;
    END
    if [ $? -ne 0 ]; then
    echo "Incorrect connect string or ODS password specified"
    exit 1;
    fi
    if [ ${OIDHOST} = "A" ] ; then
    echo " "
    printf "Please enter OID host name: "
    read OIDHOST
    fi
    ## oid host is required
    if [ "${OIDHOST}" = "" ]
    then
    echo "OID host name is required";
    exit 1;
    fi
    if [ ${OIDPORT} = "1" ] ; then
    printf "Please enter OID port number [389]: "
    read OIDPORT
    if [ "${OIDPORT}" = "" ]
    then
    OIDPORT="389"
    fi
    fi
    # Check if OID host and port are correct
    ${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
    if [ $? -ne 0 ]; then
    echo "Incorrect OID host or port specified"
    exit 1;
    fi
    if [ ${ORCLADMINPWD} = "A" ] ; then
    printf "Please enter orcladmin password: "
    stty -echo ; read ORCLADMINPWD ; stty echo ; echo
    fi
    if [ "${ORCLADMINPWD}" = "" ]
    then
    echo "orcladmin password is required";
    exit 1;
    fi
    if [ ${ORCLADMINPWD2} = "A" ] ; then
    printf "Please enter confirmed orcladmin password: "
    stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
    fi
    if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
    then
    echo "The input passwords are not matched";
    exit 1;
    fi
    # Check if orcladmin password is correct
    # (-w passes the password on the command line, so it is visible in the process list while ldapbind runs)
    ${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
    if [ $? -ne 0 ]; then
    echo "Incorrect orcladmin password specified"
    exit 1;
    fi
    echo " "
    if [ ${SCUSB} = "A" ] ; then
    printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
    read SCUSB
    if [ "${SCUSB}" = "" ]
    then
    SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
    fi
    fi
    if [ ${PRGDN} = "A" ] ; then
    printf "Please enter the Plug-in Request Group DN: "
    read PRGDN
    fi
    if [ ${EP} = "A" ] ; then
    printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
    read EP
    if [ "${EP}" = "" ]
    then
    EP='(!(objectclass=orcladuser))'
    fi
    fi
    echo " "
    printf "Do you want to setup the backup Active Directory for failover? (y/n) "
    read ISFAILOVER
    if [ "${ISFAILOVER}" = "y" ]
    then
    if [ ${SECADHOST} = "A" ] ; then
    printf "Please enter the backup Active Directory host name: "
    read SECADHOST
    if [ "${SECADHOST}" = "" ]
    then
    echo "Backup Active Directory host name is required";
    exit 1;
    fi
    fi
    printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
    read ISFAILOVERSSL
    if [ "${ISFAILOVERSSL}" = "n" ]
    then
    if [ ${SECADPORT} = "1" ] ; then
    printf "Please enter the backup Active Directory port number [389]: "
    read SECADPORT
    if [ "${SECADPORT}" = "" ]
    then
    SECADPORT="389"
    fi
    fi
    fi
    if [ "${ISFAILOVERSSL}" = "y" ]
    then
    if [ ${SECADSSLPORT} = "1" ] ; then
    printf "Please enter the backup Active Directory SSL port number [636]: "
    read SECADSSLPORT
    if [ "${SECADSSLPORT}" = "" ]
    then
    SECADSSLPORT="636"
    fi
    fi
    if [ ${SECWALLETLOC} = "A" ] ; then
    echo " "
    printf "Please enter Oracle wallet location: "
    read SECWALLETLOC
    fi
    ## wallet location is required
    if [ "${SECWALLETLOC}" = "" ]
    then
    echo "Oracle wallet location is required";
    exit 1;
    fi
    if [ ${SECWALLETPWD} = "A" ] ; then
    printf "Please enter Oracle wallet password: "
    stty -echo ; read SECWALLETPWD ; stty echo ; echo
    fi
    if [ "${SECWALLETPWD}" = "" ]
    then
    echo "Oracle wallet password is required";
    exit 1;
    fi
    if [ ${SECWALLETPWD2} = "A" ] ; then
    printf "Please enter confirmed Oracle wallet password: "
    stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
    fi
         if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
         then
         echo "The input passwords are not matched";
         exit 1;
         fi
    fi
    fi
    # install the plug-in PL/SQL packages
    echo " "
    echo "Installing Plug-in Packages ..."
    echo " "
    # install plug-in debug tool
    cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
    chmod +w $LDAP_LOG/oidspdsu.pls
    echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
    ${CMDNAME} @$LDAP_LOG/oidspdsu.pls
    rm $LDAP_LOG/oidspdsu.pls
    ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
    # install plug-in packages
    ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
    #stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
    # usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
    # isfailover, isfailoverssl, sechost, secport, sechost, secsslport
    # secwalletloc, secwalletpwd
    # usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
    # isfailover, isfailoverssl, sechost, secport, sechost, secsslport
    # secwalletloc, secwalletpwd
    # register the plug-ins
    echo " "
    echo "Registering Plug-ins ..."
    echo " "
    $ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
    dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
    objectclass:orclPluginConfig
    objectclass:top
    orclpluginname:OIDADPSW2
    orclplugintype:operational
    orclplugintiming:when
    orclpluginldapoperation:ldapcompare
    orclpluginenable:1
    orclpluginversion:1.0.1
    orclPluginIsReplace:1
    cn:adwhencompare2
    orclpluginsubscriberdnlist:${SCUSB}
    orclpluginattributelist:userpassword
    orclpluginrequestgroup:${PRGDN}
    orclpluginentryproperties:${EP}
    dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
    objectclass:orclPluginConfig
    objectclass:top
    orclpluginname:OIDADPSW2
    orclplugintype:operational
    orclplugintiming:when
    orclpluginldapoperation:ldapbind
    orclpluginenable:1
    orclpluginversion:1.0.1
    orclPluginIsReplace:1
    cn:adwhenbind2
    orclpluginsubscriberdnlist:${SCUSB}
    orclpluginrequestgroup:${PRGDN}
    orclpluginentryproperties:${EP}
    EOF
    cat <<DONE
    Done.
    DONE

    Hi,
    This is a problem that is not made clear in the note. What is probably happening here is that both plug-ins are being fired when a user logs in. OID will only read the value returned from the final plug-in to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate, as the note tells you to configure it this way, but OID only observes the final result. The note doesn't tell us this.
    Here's an example:
    We have two OID users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
    We have two plug-ins: pluginA and pluginB, installed in that order.
    When Al logs in, the two plug-ins fire. pluginA finds Al and returns true, but then pluginB fires and returns false, undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logs in, both plug-ins fire again, but it's the second plug-in that returns the answer again. This is true and Bob gets in.
    There are a couple of ways around this, and one of the more effective ways is to associate the plug-in with the DN. So in our example, we associate pluginA to fire only for the DN cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of multiple plug-ins firing and giving conflicting answers, as the appropriate plug-in only fires once.
    I've used this solution in a realtime environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
    Another solution is to associate the plugins with groups.
    Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
    HTH!
    Phil.
    If
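    The last-result-wins behaviour Phil describes, modelled as an added example (not OID's own code): plug-ins fire in install order for every bind DN inside their scope, and only the final answer counts. The scope list stands in for the orclpluginsubscriberdnlist attribute seen in the registration LDIF earlier on this page; the users, passwords and plug-in names are constructed.

```python
"""Model of the OID 'when' plug-in chain described in the post above: every
registered plug-in whose scope covers the bind DN fires, in install order, and
the directory keeps only the last result. Added example, not OID's code."""

def dn_parts(dn):
    """Split a DN into lower-cased RDNs, ignoring blanks around the commas."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def dn_under(entry_dn, base_dn):
    """True when entry_dn equals base_dn or lies somewhere below it."""
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

class AdPlugin:
    """One registered plug-in. `subscriber_dns` plays the role of the
    orclpluginsubscriberdnlist attribute: an empty list means the plug-in
    fires for every bind. `backend` stands in for the AD it authenticates
    against, as a constructed DN -> password map."""
    def __init__(self, name, backend, subscriber_dns=()):
        self.name = name
        self.backend = {",".join(dn_parts(dn)): pw for dn, pw in backend.items()}
        self.subscriber_dns = list(subscriber_dns)

    def in_scope(self, bind_dn):
        return not self.subscriber_dns or any(
            dn_under(bind_dn, base) for base in self.subscriber_dns)

    def authenticate(self, bind_dn, password):
        # A user unknown to this plug-in's AD fails here, whatever the password.
        return self.backend.get(",".join(dn_parts(bind_dn))) == password

def bind(plugins, bind_dn, password):
    """Run the chain. Returns (final_result, trace); final_result is None when
    no plug-in fired, and otherwise whatever the last firing plug-in said."""
    result, trace = None, []
    for plugin in plugins:
        if plugin.in_scope(bind_dn):
            result = plugin.authenticate(bind_dn, password)   # last result wins
            trace.append((plugin.name, result))
    return result, trace

# Constructed directory data matching the example in the post.
AL = "cn=Al,cn=usersA,dc=oracle,dc=com"
BOB = "cn=BOB,cn=usersB,dc=oracle,dc=com"
AD_A = {AL: "al-secret"}      # users the AD behind pluginA knows
AD_B = {BOB: "bob-secret"}    # users the AD behind pluginB knows

def unscoped_chain():
    """Both plug-ins fire for every bind: the configuration the note leads to."""
    return [AdPlugin("pluginA", AD_A), AdPlugin("pluginB", AD_B)]

def scoped_chain():
    """Each plug-in fires only for its own container: the fix described above."""
    return [AdPlugin("pluginA", AD_A, ["cn=usersA,dc=oracle,dc=com"]),
            AdPlugin("pluginB", AD_B, ["cn=usersB,dc=oracle,dc=com"])]

if __name__ == "__main__":
    for label, chain in (("unscoped", unscoped_chain()), ("scoped", scoped_chain())):
        for dn, pw in ((AL, "al-secret"), (BOB, "bob-secret")):
            print(label, dn, bind(chain, dn, pw))
```

    With the unscoped chain Al is rejected although pluginA verified him, because pluginB answers last; with the scoped chain each user is judged by one plug-in only.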

  • Oracle Wallet Manager question..

    Hello,
    I have a question on Oracle Wallet Manager and would appreciate it if you could help me with this:
    In our environment, there are distributed databases and background processes running on different systems (Windows NT and SGI IRIX). The application uses Oracle background processes which have database account names and log in to processes running on different machines.
    In an environment which has 250+ systems, changing passwords every 60 days or so becomes very cumbersome and problematic: if one network link is down, the password change is not done on one system, and the next time the application tries to access a remote process it does not work.
    Currently, the password changes are restricted to once a year.
    In the long run, it would be a better solution to replace this set-up with an industry-standard secure architecture (i.e. one using PKI tokens, a Certificate Authority, etc.).
    Currently, I am looking at Oracle Wallet Manager as a possible solution. I would appreciate any feedback on whether this would be feasible.
    Thank you ..
    --osman

    I would like to share my idea.
    Use Oracle Internet Directory (LDAP), single sign-on, SSL (Oracle Wallet), Kerberos and Windows Native Authentication.
    Check the OracleAS 10g (10.1.2) documentation.
    We did all of the above as part of the integration of OracleAS 9.0.4 with Oracle Applications 11.5.10.

  • Need some help in SSL Configuration in R12

    Hi All,
    I am facing challenges in configuring SSL in R12. I am not able to get the bigger picture of the SSL configuration. If anybody has done this before, please share your knowledge.
    Thanks in Advance.
    Reddy

    Hi Hussein
    The below are the steps I am trying to implement.
    Section 3 : Middle Tier Setup
    The default location for the wallet in Release 12 is $INST_TOP/certs/Apache. This directory contains a wallet with demo certificates. If you wish to use these certificates for testing, start with Step 8 below to configure SSL.
    Decided to test the application with demo certificates.
    Step 8: Update the Context File.
    Updated the context file as per the recommendations.
    Step 9 - Run Autoconfig
    Finished
    Section 4: Database Tier Setup
    Here I got confused. Whether to proceed or not ?
    Thanks
    Reddy

  • Oracle Application Server 10.1.3.5 and SSL

    Hi,
    We want to use SSL in combination with Oracle Application Server 10.1.3.5. I installed Oracle Application Server 10.1.3.5 on Windows 2008R2 64 bit. After that I installed 64 bit Java (jdk-6-26-windows-x64.exe) to run the JVM in 64 bit. I'm facing the following problem. The wallet manager won't run on Windows 2008R2 64bit because we're using a 64bit jdk. There is also a command-line version, mkwallet. When I start this up it says "Oracle Wallet Commandline tool for 32bit Windows". I also can't create a certificate or certificate request. When I install a 32bit Java version I also get a different JAVA_HOME, which I don't want.
    What if I install Oracle Application Server 10.1.3.5 on a 32bit OS, use a 32bit jdk there as well, and then use wallet manager to generate a certificate? Can I then use this wallet on the 64bit Windows with the 64bit jdk?
    What other options are available in this situation to use SSL? Is, for example, keytool from Java an option?
    Kind regards,
    Herman
    Edited by: user1950921 on 21-nov-2011 3:59

    Hi,
    Here is an update on this situation. I installed Oracle SOA Suite 10.1.3.5 on Windows 2008r2 64bit in a separate environment. After that I installed the 32bit version of the jdk we used in the test and production environment. In the separate environment I can start up Oracle Wallet Manager. There I created a certificate request and then imported the reply certificates from the CA. Then the wallet says "Certificate ready". In the directory where the wallet is, I put the certificate request and the reply certificates. After that I copied the wallet directory to the test environment (with a 64bit jdk) and in the ssl.conf file I pointed to the copied wallet directory. After a restart of the app server I got SSL.
    Edited by: user1950921 on 2-dec-2011 0:11

  • Listener TCPS Oracle Database SSL

    Hello,
    I would like to switch my listener from tcp to tcps.
    But we don't know how to do this. My configuration:
    SERVER:
    From server "listener.ora":
    SID_LIST_LISTENER =
      (SID_LIST =
        (SID_DESC =
          (SID_NAME = PLSExtProc)
          (ORACLE_HOME = /opt/u01/app/oracle/product/10.2.0)
          (PROGRAM = extproc)
        )
      )
    SSL_CLIENT_AUTHENTICATION = FALSE
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
        )
      )
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = tibcoone)(PORT = 1521))
        )
      )
    TRACE_LEVEL_LISTENER = ADMIN
    From server "sqlnet.ora":
    SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
    SSL_VERSION = 0
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    SSL_CLIENT_AUTHENTICATION = FALSE
    TRACE_LEVEL_SERVER = ADMIN
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
        )
      )
    SQLNET.WALLET_OVERRIDE = TRUE
    From server "tnsnames.ora":
    TIB =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = tibcoone)(PORT = 1521))
        )
        (CONNECT_DATA =
          (SERVICE_NAME = TIB)
        )
      )
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
        )
      )
    EXTPROC_CONNECTION_DATA =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
        )
        (CONNECT_DATA =
          (SID = PLSExtProc)
          (PRESENTATION = RO)
        )
      )
    Version database server is:
    Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit
    Two files in the path from Wallet:
    /etc/ORACLE/WALLETS/oracle/ewallet.p12
    /etc/ORACLE/WALLETS/oracle/cwallet.sso
    Server SQL> select parameter, value from v$option where upper(parameter) like '%SECURITY%';
    Enterprise User Security TRUE
    Oracle Label Security FALSE
    CLIENT:
    From client "sqlnet.ora":
    SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    SSL_CLIENT_AUTHENTICATION = FALSE
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = File)
        (METHOD_DATA =
          (DIRECTORY = "C:\Documents and Settings\user\ORACLE\WALLETS"))
      )
    SSL_SERVER_DN_MATCH = OFF
    From client "tnsnames.ora":
    TIB_CLIENT =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))
        )
        (CONNECT_DATA =
          (SERVICE_NAME = TIB)
        )
        (SECURITY =
          (SSL_SERVER_CERT_DN = "cn=US,cn=CertForOracle,c=US,o=Company"))
      )
    My problem:
    server$ lsnrctl start
    Instance "TIB", status READY, has 1 handler(s) for this service...
    client@ sqlplus system/pass@TIB_CLIENT
    ERROR:
    ora-28864 ssl connection closed gracefully
    server$ less /opt/u01/app/oracle/product/10.2.0/network/log/listener.log
    TNS-12502: TNS:listener received no CONNECT_DATA from client
    I cannot connect my client to the server database. I get the error "ora-28864 ssl connection closed gracefully" on the client and the error "TNS-12502: TNS:listener received no CONNECT_DATA from client" on the server.
    Thanks in advance..
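    A small parser for the Oracle Net descriptor syntax used in the files above, added here as an example and not Oracle tooling, which compares the protocol each client address asks for with what the listener actually offers on that host and port. Run against constructed samples shaped like the posted listener.ora and client tnsnames.ora (not full copies), it flags that the client alias wants TCPS where the listener only has a TCP endpoint.

```python
"""Parse Oracle Net descriptors (listener.ora, tnsnames.ora) and flag a client
alias asking for TCPS where the listener only serves TCP. Added example, not Oracle code."""
import re

# Quoted strings (paths with spaces), the structural characters, other non-blank runs.
TOKEN = re.compile(r'"[^"]*"|[()=]|[^\s()=]+')

def parse_net(text):
    """Return [(KEY, value)]; a value is a string or a nested list of
    (KEY, value) pairs, one per parenthesised group. '#' starts a comment."""
    toks = TOKEN.findall("\n".join(l.split("#", 1)[0] for l in text.splitlines()))
    pos = 0

    def expect(sym):
        nonlocal pos
        if pos >= len(toks) or toks[pos] != sym:
            raise ValueError("expected %r at token %d" % (sym, pos))
        pos += 1

    def parse_value():
        nonlocal pos
        if toks[pos] != "(":                       # plain atom
            pos += 1
            return toks[pos - 1].strip('"')
        items = []
        while pos < len(toks) and toks[pos] == "(":
            pos += 1
            key = toks[pos].upper()
            pos += 1
            expect("=")
            items.append((key, parse_value()))
            expect(")")
        return items

    entries = []
    while pos < len(toks):
        key = toks[pos].upper()
        pos += 1
        expect("=")
        entries.append((key, parse_value()))
    return entries

def find_addresses(node):
    """Collect every ADDRESS group as a dict such as {'PROTOCOL': 'TCP', ...}."""
    found = []
    for key, val in (node if isinstance(node, list) else []):
        if isinstance(val, list):
            if key == "ADDRESS":
                found.append({k: v for k, v in val if isinstance(v, str)})
            found.extend(find_addresses(val))
    return found

def endpoint_mismatches(listener_text, tnsnames_text):
    """[(alias, host, port, wanted_protocol, offered_protocols)] per client address
    whose protocol the listener does not serve on that host:port (IPC is skipped)."""
    offered = {}
    for a in find_addresses(parse_net(listener_text)):
        ep = (a.get("HOST", "").lower(), a.get("PORT", ""))
        offered.setdefault(ep, set()).add(a.get("PROTOCOL", "").upper())
    out = []
    for alias, desc in parse_net(tnsnames_text):
        for a in find_addresses(desc):
            proto = a.get("PROTOCOL", "").upper()
            ep = (a.get("HOST", "").lower(), a.get("PORT", ""))
            if proto != "IPC" and proto not in offered.get(ep, set()):
                out.append((alias, ep[0], ep[1], proto, sorted(offered.get(ep, ()))))
    return out

# Constructed samples with the same shape as the files in the post above.
LISTENER_ORA = """LISTENER =
  (DESCRIPTION_LIST = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = tibcoone)(PORT = 1521))))"""
CLIENT_TNSNAMES = """TIB_CLIENT =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = TIB))
    (SECURITY = (SSL_SERVER_CERT_DN = "cn=US,cn=CertForOracle,c=US,o=Company")))"""

if __name__ == "__main__":
    for alias, host, port, want, have in endpoint_mismatches(LISTENER_ORA, CLIENT_TNSNAMES):
        print("%s wants %s on %s:%s but the listener offers %s" % (alias, want, host, port, have))
```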

    Hello, Kirill
    Thanks for your reply
    I checked my server:
    The directory exists and a file called cwallet.sso is available
    - It is ok :)
    The user the oracle software is running under has the correct privileges to access the directory and wallet
    - It is ok :)
    Can you give an example about "Implementing TCPS authentication"?
    I currently have:
    From server my default port is 1521,
    I changed protocol on my server from TCP to TCPS in "tnsnames.ora" and "listener.ora":
    LISTENER_TIB =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))
    TIB =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = tibcoone)(PORT = 1521))
        (CONNECT_DATA =
          (SERVICE_NAME = TIB)
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /etc/ORACLE/WALLETS/oracle)
    EXTPROC_CONNECTION_DATA =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
        (CONNECT_DATA =
          (SID = PLSExtProc)
          (PRESENTATION = RO)
    SQL> show parameter local_listener
    NAME                                 TYPE        VALUE
    local_listener                       string      LISTENER_TIB
    $cat .bash_profile
    TNS_ADMIN=$ORACLE_HOME/network/admin; export TNS_ADMIN
    $tnsping LISTENER_TIB 9
    OK (10 msec)
    OK (0 msec)
    OK (0 msec)
    OK (10 msec)
    From client:
    I changed port on my client from TCP to TCPS in 'tnsnames.ora' and I receive error:
    ERROR:
    ora-28864 ssl connection closed gracefully
    What am I doing wrong?
    Thanks and Best regards,
    Edited by: user6048424 on 2012-08-06 05:21
    Edited by: user6048424 on 2012-08-06 05:22
