OID External Authentication Plugin - Conceptual question

Hi-
Does anyone know the answer to this: If I enable the External Authentication Plugin for OID (to AD) does that mean that if I have any accounts in OID which do not exist in AD, they won't be able to authenticate?
Also, if anyone knows of some conceptual documentation on this, please let me know. All I could find was how to install it, but not how it works. (do I need to match users on CN or uid or what?)
Thanks

Hi,
Once you are done with user accounts synchorinzation successfully using dipassistant tool from edirectory to OID. Inorder to update/flush the user accounts password that which are synchronized to OID, in such case OID eDirectory External Authenctiation plugin will be used (oidspediri.sh file) located under <ORACLE_HOME>ldap/admin. Provide th neccessary eDirectory Details.
Regards,
ABP

Similar Messages

OID external authentication plugin for edirectory

How do I get more info on, or has anyone managed to, add a plugin to OID to enable external authetication to eDirectory?
Please add insight to this, if you have this experience.
Thanks

Hi,
Once you are done with user accounts synchorinzation successfully using dipassistant tool from edirectory to OID. Inorder to update/flush the user accounts password that which are synchronized to OID, in such case OID eDirectory External Authenctiation plugin will be used (oidspediri.sh file) located under <ORACLE_HOME>ldap/admin. Provide th neccessary eDirectory Details.
Regards,
ABP

OID External Authentication issue

Hi..
I have configured synchronization profile to import users from TDS to OID using DIP but it does not work as change log is not enabled on TDS side.
Now i have configured External Authentication Plugin and i craeted same users in in TDS and also in OID but external authenctication does not work.
Can you please point out if i missing some point or is synchronization profile is must for External Authentication.
Find the product version details -
OID 11.1.1.6
Tivoli Directory Server 6.1
Regards
Santosh
Edited by: user601746 on Jan 8, 2013 1:02 AM

Got the solution.
I used bootstrap loading to create users from TDS to OID then configure external authentication..works fine... :)

OID external authentication - having trouble excuting oidspadi.sh

Hi all,
I am setting up External Authentication for OID, and have trouble with it. My version is Oracle application server infrastructure 10.1.2 (OID 10.1.2) on windows.
hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
$ export ORACLE_HOME="E:\oracle\OraInfra"
hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
$ sh oidspadi.sh
oidspadi.sh: line 28: $'\r': command not found
oidspadi.sh: line 38: $'\r': command not found
oidspadi.sh: line 43: $'\r': command not found
oidspadi.sh: line 47: $'\r': command not found
oidspadi.sh: line 51: $'\r': command not found
oidspadi.sh: line 58: $'\r': command not found
oidspadi.sh: line 59: $'\r': command not found
oidspadi.sh: line 60: $'clear\r': command not found
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
oidspadi.sh: line 67: $'\r': command not found
oidspadi.sh: line 70: $'\r': command not found
oidspadi.sh: line 103: syntax error near unexpected token `fi'
'idspadi.sh: line 103: ` fi
Edited by: Hailie on Jan 16, 2009 8:05 AM
Edited by: Hailie on Jan 16, 2009 8:45 AM
Edited by: Hailie on Jan 16, 2009 11:32 AM

After I removed all the blank lines in oidspadi.sh:
hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
$ sh oidspadi.sh
oidspadi.sh: line 53: $'clear\r': command not found
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
oidspadi.sh: line 91: syntax error near unexpected token `fi'
'idspadi.sh: line 91: `fi
Thank you for your help.
Hailie
Edited by: Hailie on Jan 16, 2009 8:43 AM
Edited by: Hailie on Jan 16, 2009 8:46 AM
Edited by: Hailie on Jan 16, 2009 11:36 AM

External Authentication general-type questions

Greetings all,
I was recently shown how to get Oracle to allow Windows NT Authentication the way SQL 2005 etc. can. I was able to get it working. It's actually simple, you just have to have this line in your SQLNET.ORA file:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
and make sure a couple initialization parameters are set (OS_AUTHENT_PREFIX to NULL and REMOTE_OS_AUTHENT to TRUE - the first can't be changed once the database is built!).
My first question is does Oracle support external authentications to operating systems other than NT, i.e. SUN, UNIX, LDAP etc? And is it a similar architecture?
Secondly, the only ways I've ever connected to Oracle are 1) through SQL*Plus, 2) Using OLE DB from Windows and 3) Using ODBC.
Is external authentication supported when logging in any way other than through OLE DB? If so, how?
Appreciating any general information!
Thanks
Joe

1. The name of the product is SQL Server not SQL. SQL is a language.
2. Oracle supports all major forms of internal and external authentication. The ones you listed and many more. The docs are at http://tahiti.oracle.com
3. External authentication is support across the board. But you've got to be working with a database holding nothing more important than your mother's cookie recipes to think that operating system authentication in a Windows environment is secure: It is not.
Your first responsibility, unless you are just playing games at home or in school, is to secure the data and that means an environment more secure than the one you've chosen.

OID External Authentication Plug-in and OVD

Hello, ppl.
I have success installed AD, OVD(11g), OID(10g), and BI Publisher with SSO (10g).
When i synchronize AD -> OID, and use External Auth Plug-in, synchronized users can success login to BI Publisher.
When i synchronize AD -> OID through OVD, and use External Auth Plug-in which look in the AD, synchronized users can success login to BI Publisher.
But when i synchronize AD -> OID through OVD, and switch External Auth Plug-in from AD to OVD, synchronize users can not login to BI Publisher.
How can i use External Auth Plug-in with OVD, did any one have solution?
In the future, OVD can contains multiple forests from AD's, now AD have one forest(dc).
Help :)
Thanks.
Jeff.

I write custom plug-in for OVD.
When user bind, then log write...
OVD bind command's
1) ldapbind -h <OVD_HOST> -p 6501 -D "[email protected]" -w Oracle10g
ldap_bind: Invalid credentials
2) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
bind successful
3) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g2
ldap_bind: Invalid credentials
AD bind command's
1) ldapbind -h <AD_HOST> -p 389 -D "[email protected]" -w Oracle10g
bind successful
2) ldapbind -h <AD_HOST> -p 389 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
bind successful
In my log file for OVD bind command's, just second and third command written.
Did any one know, why first command not binded and why not logged?
public void bind(Chain chain, Credentials creds, DirectoryString dn, BinarySyntax password, Bool result) throws DirectoryException, ChainException {
//pre bind
try {
chain.nextBind(creds, dn, password, result);
} catch (DirectoryException e) {
try {
FileWriter out = new FileWriter("c://mylogs//bind_error.txt");
out.write("bind: " + dn.toString());
out.close();
} catch (IOException ioe) {
ioe.printStackTrace();
//post bind
try {
FileWriter out = new FileWriter("c://mylogs//bind.txt");
out.write("bind: " + dn.toString());
out.close();
} catch (IOException ioe) {
ioe.printStackTrace();
...

External authentication with OID

I know that OID 10g is capable of performing external authentication against AD, Sun OneDirectory, Novell eDirectory and openLDAP, but what about something else like Oracle Virtual Directory?
As I understand, there is an out of the box script that will create and external authentication plugin that calls a few procedures from the auth_external package. The auth_external package also an out-of-the-box package with a few procedures (authenticate_user and change_passwd) I've seen so far. I haven't looked in the ODS schema, but I'm assuming this auth_external package is wrapped and not generally viewable.
Anyone out there have any ideas, how this auth_external package works, or better yet... does anyone know if the out-of-the-box solution for external authentication will work with any LDAP directory (in this case a virtual one)?
Thanks.

Can someone from Oracle please comment on this? is "AUTH_EXTERNAL" package "out of box" or do we have to write it?
I am following instructions from
http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14082/plugin_cust_ext_auth.htm
LINE/COL ERROR
143/9 PL/SQL: Statement ignored
143/19 PLS-00201: identifier 'AUTH_EXTERNAL.AUTHENTICATE_USER' must be
declared
241/11 PL/SQL: Statement ignored
241/11 PLS-00201: identifier 'AUTH_EXTERNAL.CHANGE_PASSWD' must be
declared
251/11 PL/SQL: Statement ignored
251/11 PLS-00201: identifier 'AUTH_EXTERNAL.RESET_PASSWD' must be
declared
LINE/COL ERROR
-------- -----------------------------------------------------------------

Shared Services External Authentication using LDAP in 9.3.1

Hi,
I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
Questions:
1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
If not possible, can we manage the Groups of the User directory using shared services? How is the groups work with external authentication?
Any feedback would be much appreciated.
Thanks,
Lian

Hi,
Yes you can use both Native and external authentication. When you add the external provider the native is left by defaut anyway.
Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
Gee

OID 10.1.4 and external authentication (AD)

Has anyone gotten this to work with MS Active Directory? We were able to sync the AD users with OID, but have not be able to authenticate them. As long as they have their passwords stored in OID, it works, but we do not want to maintain the password sync'ing between AD and OID. We want to do external authentication.
Anyone who has gotten this to work in 10.1.4 (using the java plugins), please respond with any secrets or methods you have used to get this to work.
Thank you.
Shirley

I got the java plugins working here. The configuration is not a big deal. I still not implemented SSL though, so I didnt had to issue certificates.
Configuration is easier than on version 10.1.2, as all the plugin parameters are available on oidadmin.
I have two problems that remain unfixed.
One is on AD. Since we have several domain controllers, when the user changes his password in Windows the change is done on whatever domain controller that the user connected to when logging on windows, and it sometimes takes a long time for this to be replicated to the domain controller that configured on the plugin. So the user cannot use SSO for a few hours. Sometimes he can logon with the old password, sometimes even with both passwords (the old and the new one). I want to make clear that this is a Microsoft AD problem, that reproduces even with simple tools like ldapbind.
The other is the plugin failover, it is still broken like it was on 10.1.2. Authentication attemps always try it the primary domain controller, and wait for a operating system timeout before trying the secondary. So if the PDC is down, it takes several minutes for the authentication process to complete, which is very annoying, as no user waits on a browser screen for several minutes, and usually keeps trying until all oidldapd backend processes hang. It is a little better than 10.1.2. That version was so dumb that it tried two connections before giving up and going to the secondary, even if you did not setup SSL.
For this last one the recommendation on metalink is to put a loadbalancer in front of the domain controllers and configure the plugin to connect to it.
Regards,
Luis

External authentication question

Hello,
I am running an apex app in a secured environment. The authentication is handled by the environment, and a username passed to apex pages in a server variable, which I am able to use to set apex_application.g_user. Now, the user is only able to access apex pages via the security proxies, which make sure that the user is authenticated, etc. All page requests go through these security proxy servers.
Now, my question is this: I've set the g_user in a custom page sentry function. I don't know a whole lot about this stuff, and so just deleted all of the session-verification stuff from the function that I copied, and return true always. Because, I'm thinking, the security proxies take care of all that. Is that okay? Or should I set that value somewhere else, and leave things that I don't understand alone? If so, where?
Here's my page_sentry function:
create or replace FUNCTION custom_Page_Sentry_Func (p_htmldb_user VARCHAR2 DEFAULT 'APEX_PUBLIC_USER' )RETURN BOOLEAN AS
l_authenticated_username VARCHAR2(256) := nvl(UPPER(OWA_UTIL.GET_CGI_ENV('HTTP_IV_USER')),'NOT_AF_AUTH');
IS_USER NUMBER := 0;
L_CURRENT_SID NUMBER;
BEGIN
--The server is behind the login system, so if the ApEx pages are shown, the login has succeeded (and we will find the cookie)
-- If logged in user is not a user (doesn't exists in USERS table)
-- THEN create a record in the table
SELECT COUNT(*)
INTO IS_USER
FROM USERS
WHERE USERNAME = l_authenticated_username ;
IF IS_USER = 0 THEN
INSERT INTO USERS (USERNAME,SSN) VALUES (l_authenticated_username,'111111111');
END IF;
apex_application.g_user := l_authenticated_username;
RETURN TRUE;
END custom_Page_Sentry_Func;
Thanks, -warren

I am setting g_user so that I can see auditing info in the DB, etc.
The database won't be aware of that value unless you set it into a context, e.g., by using dbms_session.set_identifier or some such device. You would pass v('APP_USER') into such a call that you could run as the VPD block of your application (edit application securiyt attributes to find that field).
But my apex "user" is APEX_PUBLIC_USER, same user for everyone. I'm not going to inadvertantly change that by calling the things that get called in the nmlt (or whatever it's called) page sentry function with my externally authenticated username, am I?
Correct.
Scott

OID external plugin to delete a user in OID

Hi,
My requirement is that when the value of a attribute (e.g. employeeType) in OID 11g is set to a particular value for a user, then that user in OID should be deleted / disabled automatically.
Can this be achieved using e.g. OID external plugin ?
Thanks

Hi
There is a standard report available for deleting the BP's, "BUPA_TEST_DELETE"..tcode for the same is "BUPA_DEL".
Please provide the System version details in next reply ->
Other approaches ->
1) You can unassign or block this vendor contact person by using transaction code BP. Find out the business partner number of the vendor contact person and go to the status tab in T-code BP for the role vendor in business partner maintanance and click on block business partner. This will ensure that you are unable to select this business partner in the search criteria.
2) There is a Standard SAP report to delete the Business partner.
Use Transaction SE38 and execute the report BUPA_TEST_DELETE.
You can select Business partner or partners and delete.
3) Either using BBPMAININT (Manage Business Partner - Web Transaction)- Try either - Edit / Delete / Block; this Contact person.
4) You can do it from transaction USERS_GEN. You can delete and/or assign user from there.
Related links ->
Re: Central Person already exists
regarding business partner, central person and organizational unit relation
Hope this will help. Do let me know.
Regards
- Atul

Question on External Authentication Plug-in

I have 2 windows domains with no global catalog server. The documentation shows how to setup external authentication plug-in when you have just one domain. Can anyone provide a link on how to setup the plug-in when you have more than one domain? Thanks for your help.

Yes it is possible,
>i want to know if its possible or not in a very easy and efficiant way<
……well I think so, but one could argue about the „easy & efficient” part of it……..
Anyway here are a few possibilities:
https://help.apple.com/logicpro/mac/10/#lgcp215834c2
……don’t know of any trial possibilities………
Cheers!

OracleAS SSO - Microsoft Active Directory External Authentication Plug-in

hi ,
I recently inherited support of a Oracle SSO/OID environment where we use AD and a external Authentication Plug-
in to talk to it as user credentials are managed in AD,
We have a lot of domain controllers for AD in our env , so my questions is
1) How do I find out which AD server is the plugin currently referring to ,
I need to know this info ASAP as lot of AD servers are getting decomissioned and I want to make sure the SSO env
is not talking to a AD server that would get decomissioned soon

hi,
Look in the integration part in oidadmin. ActiveChgImp
$ORACLE_HOME/bin/oidadmin
or look for ad2oid.properties
or look at this URL http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm
is what I used to configure ours
Regards

Error while Configuring AD external authentication plug in

Hi
While configuring Active directory external authentication plug I am getting following error
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
Please enter Active Directory host name: clmad101.ad.company.com
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string:SQLPLUS sys/manager1 @infradb.ad.company-.com @md61nthiims1.ad.company.com:1521
Please enter ODS password:
Please enter confirmed ODS password:
Please enter OID host name: md61nthiims1.ad.company.com
Please enter OID port number [389]: 389
Please enter orcladmin password:
Please enter confirmed orcladmin password:
Please enter the subscriber common user search base [orclcommonusersearchbase]:
CN=Users,dc=ad,dc=company,dc=com
Please enter the Plug-in Request Group DN:
Please enter the exception entry property [(!(objectclass=orcladuser))]: (|(!obj
ectclass=orcladuser))(cn=orcladmin))
Do you want to setup the backup Active Directory for failover? (y/n) n
Installing Plug-in Packages ...
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Registering Plug-ins ...
adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
Done.
Is there anythign wrong in the DB connect string??
Thanks

Did you check the debug information from the external auth plugin.?
This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
here an excerpt:
D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
...enable the plug-in debugging. To do this, enter:
> sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log, enter:
> sqlplus system/manager
SQL> select * from ods.plg_debug_log order by id;
(To delete the plug-in debugging log:
> sqlplus system/manager
SQL> truncate table ods.plg_debug_log
To disable the plug-in debugging:
> sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
E) Dump the plug-in profile to make sure it is enabled and configured correctly:
> ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
please take also a look into the DIPTESTER tool available in
http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
regards
--Olaf

Oracle Security - External Authentication

The requirement is to enable the user to allow access to DB by making the user enter the user name and password only once while accessing the Cognos reports. (Cognos is a BI tool). So the user will enter the username and password at the time he accesses the Cognos application, after this there should not be any logons to access DB.
Cognos stores the user name and password in a LDAP store (in NDS residing on Windows 2000 Advanced Server). So, the question is, can Oracle leverage on the user information stored in the LDAP for Cognos? The external authentication provided by Oracle suggests that if the user info store can be in LDAP provided it is in OID.
Please let me know if this can be achieved and if so, where can I get details about the same.

According to the 8.1.7 documentation:
"Enterprise user security provides single sign-on to Oracle8i using interoperable X.509 v3 certificates over Secure Sockets Layer (SSL) v3, and supports the following LDAP-compliant directory services:
Oracle Internet Directory Release 2.0.5 or later
Microsoft Active Directory "
So it sounds like they do not support Novell's LDAP implementation.
Here's a page on managing Enterprise Users http://technet.oracle.com/docs/products/oracle8i/doc_library/817_doc/network.817/a85430/asomeus.htm
Here's a page on managing OS Authentication -http://technet.oracle.com/doc/windows/server.815/a68694/output/ch10.htm
I just finished writing a chapter on OS Authentication in my Oracle security book. I would stay away from OS Authentication unless you have a small number of users. I have not yet researched Enterprise Users, but the concensus seems to be that they provide a much more robust solution.

OID External Authentication Plugin - Conceptual question

Similar Messages

Maybe you are looking for