Question on External Authentication Plug-in

I have 2 windows domains with no global catalog server. The documentation shows how to setup external authentication plug-in when you have just one domain. Can anyone provide a link on how to setup the plug-in when you have more than one domain? Thanks for your help.

Yes it is possible,
>i want to know if its possible or not in a very easy and efficiant way<
……well I think so, but one could argue about the „easy & efficient” part of it……..
Anyway here are a few possibilities:
https://help.apple.com/logicpro/mac/10/#lgcp215834c2
……don’t know of any trial possibilities………
Cheers!

Similar Messages

OracleAS SSO - Microsoft Active Directory External Authentication Plug-in

hi ,
I recently inherited support of a Oracle SSO/OID environment where we use AD and a external Authentication Plug-
in to talk to it as user credentials are managed in AD,
We have a lot of domain controllers for AD in our env , so my questions is
1) How do I find out which AD server is the plugin currently referring to ,
I need to know this info ASAP as lot of AD servers are getting decomissioned and I want to make sure the SSO env
is not talking to a AD server that would get decomissioned soon

hi,
Look in the integration part in oidadmin. ActiveChgImp
$ORACLE_HOME/bin/oidadmin
or look for ad2oid.properties
or look at this URL http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm
is what I used to configure ours
Regards

Error while Configuring AD external authentication plug in

Hi
While configuring Active directory external authentication plug I am getting following error
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
Please enter Active Directory host name: clmad101.ad.company.com
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string:SQLPLUS sys/manager1 @infradb.ad.company-.com @md61nthiims1.ad.company.com:1521
Please enter ODS password:
Please enter confirmed ODS password:
Please enter OID host name: md61nthiims1.ad.company.com
Please enter OID port number [389]: 389
Please enter orcladmin password:
Please enter confirmed orcladmin password:
Please enter the subscriber common user search base [orclcommonusersearchbase]:
CN=Users,dc=ad,dc=company,dc=com
Please enter the Plug-in Request Group DN:
Please enter the exception entry property [(!(objectclass=orcladuser))]: (|(!obj
ectclass=orcladuser))(cn=orcladmin))
Do you want to setup the backup Active Directory for failover? (y/n) n
Installing Plug-in Packages ...
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Registering Plug-ins ...
adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
Done.
Is there anythign wrong in the DB connect string??
Thanks

Did you check the debug information from the external auth plugin.?
This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
here an excerpt:
D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
...enable the plug-in debugging. To do this, enter:
> sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log, enter:
> sqlplus system/manager
SQL> select * from ods.plg_debug_log order by id;
(To delete the plug-in debugging log:
> sqlplus system/manager
SQL> truncate table ods.plg_debug_log
To disable the plug-in debugging:
> sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
E) Dump the plug-in profile to make sure it is enabled and configured correctly:
> ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
please take also a look into the DIPTESTER tool available in
http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
regards
--Olaf

Plug-in Request Group field into the external authentication plug-in

Hi all,
I'd like to know if anyone has already tried to filter who can have the permission to call the external authentication plug-in setting it into Plug-in Request Group field.
I've made some tests adding some users into groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunatly, I've had no success.
Is possible to do this?
Thank you.
Message was edited by:
user571491

Hi all,
I'd like to know if anyone has already tried to filter who can have the permission to call the external authentication plug-in setting it into Plug-in Request Group field.
I've made some tests adding some users into groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunatly, I've had no success.
Is possible to do this?
Thank you.
Message was edited by:
user571491

AD External Authentication Plug-In verification issue

We are working on a Proof of Concept instance to integrate MS AD with OID for the first time for E-Biz 11i.
1) I completed the bulk load of all the existing users from AD to OID successfully
2) completed enabling the syncrhonization profile
3) Ran the txkrun.pl successfully
4) However i wanted to check the External authentication plug-in and i get the below issue.
How to debug ldapcompare ? Where is the logfile for ldapcompare ?
ldapcompare -h OID_Host -p 389 -D "cn=orcladmin" -w ******* -b "cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us" -a userPassword -v abcdefgh
The value abcedefgh is not contained in the attribute userPassword in DN cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us.
An ldapbind on the same AD server is successful, but ldapcompare is failing.

I get invalid credentials. Though the network password is correct. I feel its somewhere i messed up the 3rd party plug-in configuration. Is there a method to get debug information for ldapcompare command ?
From metalink NOTE : 277382.1
"When using the above command, ldapcompare binds to OID using the OID admin user (typically "cn=orclAdmin") and password. Then it provides the AD username and requests that the value supplied as AD-USER-PASSWORD be compared to whatever is stored in AD username's userPassword attribute. Because OID does not store a value in its own user entries/userPassword attributes for AD-synchronized entries, this ldapcompare call will cause OID to invoke the plug-in and verify the userPassword value in AD instead.
If the plug-in works, the ldapcompare should return a message saying that the given password is contained in the userpassword attribute, e.g.
"

Oracle Virtual Directory vs. Oracle External Authentication Plug-in

I am working in Windows 2003 Server platform and I have Oracle Portal 10g R2 with Oracle Single Sign On 10g R2 setup. I also have Microsoft Active Directory setup. I want to use Microsoft Active Directory users from Oracle Portal and as per my understanding I could use Oracle External Authentication Plug-in or Oracle Virtual Directory for this purpose. I would like to use Oracle Virtual Directory if possible. Could someone please tell me if I could use Oracle Virtual Directory or not?
Thanks.

Yeah, I could use Oracle External Authentication Plug-in, but I am having issues with running the oidspadi.sh script on my Windows 2003 server environment. I am running this script using Cygwin's latest software, but for some reason I get the following error message.
: command not found8:
: command not found8:
: command not found3:
: command not found7:
: command not found1:
: command not found8:
: command not found9:
: command not found0: clear
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
: command not found7:
: command not found0:
oidspadi.sh: line 103: syntax error near unexpected token 'fi'
'idspadi.sh: line 103:' fi
Therefore, I was trying to find an alternative solution, which will be using Virtual Directory. Right now, I have installed Oracle Virtual Directory on my testing system and I have both Active Directory server and OID server part of LDAP Browser. My goal is to using Oracle Portal to log-in and first look for the user in OID if not found then look in Active Directory. Can this be accomplished using Oracle Virtual Directory?
Please let me know.

Invoking 'active directory external authentication plug-in' from login.jsp

Hi
I am using the Oracle AS 10g on Unix. We have a web application in JAVA based on OC4J Framework.
Currently user use application url for accessing the login page, enters credentials and then the authentication is done through LDAP.
Now we have to remove the login page from application. i.e. once user is successfully logged in Windows on his pc, and tries to access our application through it's url, he must be automatically authenticated using the credentials entered in windows and display the welcome page of application. Same as any intranet application.
For this requirement, we have 'active directory external authentication plug-in' installed on server.
What we need to know is how this process will work and changes required in our jsp page to invoke this plug-in and authenticate user by accessing windows-credentials automatically.
kindly let me know

Hi
I am currently using NTLM to fetch the windows username and then creating an anonymous connection with the LDAP Server.
Then i serach using the user name in ldap directory.
NTLM is no longer required , instead we have 'active directory external authentication plug-in' installed on LDAP.
as far as i know the plug-in will process the kerberos ticket generated by windows to automatically authenticate.

AD external authentication plug-in

Is it possible to authenticate the users stored in AD just by configuring the external authentication plug-in, or it is necessary to populate OID with users and groups stored in AD?
All the user information is in AD, and we don't want, if possible, to replicate the users in both places.

I am planning to do the same. We'd like to use the passwords stored in the AD to authenticate our users. We do not want to store and maintain the passwords ourselves.
Celso -- Could you tell me more about your experience on installation of the AD external authentication plug-in? Do you use the PL/Sql program in book "OID ADMIN Guide" chapter 47? How much work is involved with populate OID with users and groups stored in AD? Is the whole installation hard or easy?
Partrick -- Could I not populate OID from AD, instead, create user via OID itself (oiddas)? I am trying to avoid any "non plug-in related" work.
Thanks,
Xiaoyun

OID External Authentication Plug-in and OVD

Hello, ppl.
I have success installed AD, OVD(11g), OID(10g), and BI Publisher with SSO (10g).
When i synchronize AD -> OID, and use External Auth Plug-in, synchronized users can success login to BI Publisher.
When i synchronize AD -> OID through OVD, and use External Auth Plug-in which look in the AD, synchronized users can success login to BI Publisher.
But when i synchronize AD -> OID through OVD, and switch External Auth Plug-in from AD to OVD, synchronize users can not login to BI Publisher.
How can i use External Auth Plug-in with OVD, did any one have solution?
In the future, OVD can contains multiple forests from AD's, now AD have one forest(dc).
Help :)
Thanks.
Jeff.

I write custom plug-in for OVD.
When user bind, then log write...
OVD bind command's
1) ldapbind -h <OVD_HOST> -p 6501 -D "[email protected]" -w Oracle10g
ldap_bind: Invalid credentials
2) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
bind successful
3) ldapbind -h <OVD_HOST> -p 6501 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g2
ldap_bind: Invalid credentials
AD bind command's
1) ldapbind -h <AD_HOST> -p 389 -D "[email protected]" -w Oracle10g
bind successful
2) ldapbind -h <AD_HOST> -p 389 -D "cn=smith,cn=users,dc=domain,dc=local" -w Oracle10g
bind successful
In my log file for OVD bind command's, just second and third command written.
Did any one know, why first command not binded and why not logged?
public void bind(Chain chain, Credentials creds, DirectoryString dn, BinarySyntax password, Bool result) throws DirectoryException, ChainException {
//pre bind
try {
chain.nextBind(creds, dn, password, result);
} catch (DirectoryException e) {
try {
FileWriter out = new FileWriter("c://mylogs//bind_error.txt");
out.write("bind: " + dn.toString());
out.close();
} catch (IOException ioe) {
ioe.printStackTrace();
//post bind
try {
FileWriter out = new FileWriter("c://mylogs//bind.txt");
out.write("bind: " + dn.toString());
out.close();
} catch (IOException ioe) {
ioe.printStackTrace();
...

Reconfigure Active Directory External Authentication plug in to use ssl

Assuming this is the proper place to post this question:
I've quickly gone through the IM integration documentation trying to find out how to reconfigure the ad external auth plugin to use ssl and have come up empty handed. Does anyone know how to do this? Should I just rerun oidspadi.sh?
Also, where can i view the configuration information that was entered the last time this was configured?
thanks for any help!
chris

Rerun oidspadi.sh and select SSL option. You can get adwhencompare and adwhenbind plug-ins detail under plug-in management in Oracle directory manager.

Bug with Active Directory external authentication plug-in??

I'm configuring the plugin on Windows. I installed the cygwin unix emulation software already. It kept saying incorrect connect string or ODS password specified when I tried to enter values for the following 2 questions
1) Please enter DB connect string: hostname.domain:1521:orcl.domain
2) Please enter ODS password: ODS (I viewed the ODS schema password in OID and it's ODS)
I'm using
OID 10.1.2.1.0
Portal 10.1.4
Thanks

Hi,
I've got the same error.
The user is not found.
Tue Aug 24 17:20:36 CEST 2004 [ERROR] AJPRequestHandler-ApplicationServerThread-6 Could not get attributes for user, [email protected]
oracle.ldap.util.NoSuchUserException: User does not exist - SIMPLE NAME = [email protected]
at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1041)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:820)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:767)
at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:483)
at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:561)
at oracle.security.sso.server.auth.SSOKerbeAuth.authenticate(SSOKerbeAuth.java:111)
at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:833)
at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:318)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:604)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:317)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:790)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:208)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:125)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)

Active Directory External Authentication Plug-in

Right now, this script is a UNIX shell script and I'm using windows so I have to install a UNIX emulation software. I have 2 questions
1) Is there a windows version of this script? I searched everywhere but I couldn't find any.
2) If there's no windows version, after I executed the script, can I uninstall the UNIX emulation software from my windows server?
Thanks

Hi,
I've got the same error.
The user is not found.
Tue Aug 24 17:20:36 CEST 2004 [ERROR] AJPRequestHandler-ApplicationServerThread-6 Could not get attributes for user, [email protected]
oracle.ldap.util.NoSuchUserException: User does not exist - SIMPLE NAME = [email protected]
at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1041)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:820)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:767)
at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:483)
at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:561)
at oracle.security.sso.server.auth.SSOKerbeAuth.authenticate(SSOKerbeAuth.java:111)
at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:833)
at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:318)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:604)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:317)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:790)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:208)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:125)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)

OID Configure external authentication plug-in in OID

Hi,
How to authenticate Apps 11i/R12/12i Users against AD password?
How to know if your E-Business Suite is integrated with SSO/OID?
Thanks

Hi,
I believe all your questions are answered in these documents.
Note: 437822.1 - How to integrate Active Directory with Applicactions 11i , with SSO/OID enable?
Note: 233436.1 - Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i to configure 11i with Oracle Internet Directory.
Note: 376811.1 - Integrating Oracle E-Business Suite Release 12 with 10g AS Oracle Internet Directory and Oracle Single Sign-On
Note: 444573.1 - Basic checks for user integration when using Oracle E-Business Suite 11i with Oracle AS 10g
Regards,
Hussein

Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)

hi ,
i have use note 294791.1 from metalink to try link to active directory i have 2 one is staff and another is student
i first ran oidspadi.sh to create plugin for staff it works then i edit the 2 script to oidspad2.pls and oidspad2.sh with the require changes inside the files then i ran it it work but now the problem is the first ad now cant work this is my changes below
FOR oidspad2.pls
Rem
Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
Rem
Rem oidspads.pls
Rem
Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
Rem
Rem NAME
Rem oidspada.pls - 9.0.4 OID Password Active Directory
Rem External Authentication Plug-in
Rem
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem MODIFIED (MM/DD/YY)
Rem saroy 08/02/04 - Fix for bug 3807482
Rem qdinh 01/27/04 - bug 3374115
Rem dlin 01/08/04 - pingan perf
Rem dlin 08/22/03 - 3111770 bug fix
Rem dlin 08/27/03 - change the way to get name
Rem dlin 08/13/03 - bug 2962082 fix
Rem dlin 02/21/03 - plug-in install changes
Rem dlin 02/13/03 - dlin_bug-2625027
Rem dlin 02/05/03 - fix ssl & failover
Rem dlin 01/31/03 - dlin_adextauth1
Rem dlin 01/30/03 - Created
Rem
SET echo off;
SET serveroutput off;
SET feedback off;
SET verify off;
CREATE OR REPLACE PACKAGE OIDADPSW2 AS
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
END OIDADPSW2;
SHOW ERROR
CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
SUBTYPE LDAP_SESSION IS RAW(32);
SUBTYPE LDAP_MESSAGE IS RAW(32);
SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
SUBTYPE MOD_ARRAY IS RAW(32);
SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_bind_replace()');
DBMS_LDAP.USE_EXCEPTION := FALSE;
result := 49;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := 1;
plg_debug('Can not get ADUserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_bind_replace() ===');
RETURN;
END IF;
plg_debug( 'Go to AD for authentication');
-- externally authenticate user
IF ('&1' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&2', &3);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
-- Should free the old session if retry logic kept failing
-- to cause the number of outstanding sessions exceeding the
-- limit session number
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&4', &5);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
-- SSL bind
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&6', &7);
     plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&8', '&9', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM
-- or LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&10', &11);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&12', '&13', 2);
     IF (retval != 0) THEN
     plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session1);
     plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
     END IF;
     END IF;
END IF;
-- for failover to connect to the secondary server
IF ('&14' = 'y' AND retval != 0) THEN
IF ('&15' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&16', &17);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&18', &19);
     plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
          plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&20', &21);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&22', '&23', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&24', &25);
     plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&26', '&27', 2);
     IF (retval != 0) THEN
     plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     END IF;
END IF;
IF (retval = 0) THEN
result := 0;
plg_debug('AD auth return TRUE');
ELSE
     result := retval;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_bind_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
     retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
     OIDADPSW2.AD_HANDLE := NULL;
     plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
errormsg := 'Exception: when_bind_replace plugin';
plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
          TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
END;
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_compare_replace()');
result := DBMS_LDAP.COMPARE_FALSE;
DBMS_LDAP.USE_EXCEPTION := FALSE;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('Can not get ADuserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_compare_replace() ===');
RETURN;
END IF;
-- externally authenticate user
IF ('&28' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&29', &30);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&31', &32);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&33', &34);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&35', '&36', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&37', &38);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&39', '&40', 2);
IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
END IF;
-- for failover to connect to the secondary AD
IF ('&41' = 'y' AND retval != 0) THEN
IF ('&42' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&43', &44);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&45', &46);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&47', &48);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&49', '&50', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&51', &52);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&53', '&54', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session1);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     END IF;
END IF;
IF (retval = 0) THEN
result := DBMS_LDAP.COMPARE_TRUE;
plg_debug('AD auth return TRUE');
ELSE
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_compare_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
errormsg := 'Exception: when_compare_replace plugin';
plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
          TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
     retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
     OIDADPSW2.AD_HANDLE := NULL;
END;
END OIDADPSW2;
SHOW ERRORS
EXIT;
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
FOR oidspadi.sh
#!/bin/sh
# $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
# oidspadi.sh
# Copyright (c) 2002, 2005, Oracle. All rights reserved.
# NAME
# oidspadi.sh - AD external authentication plug-in install
# DESCRIPTION
# <short description of component this file declares/defines>
# NOTES
# <other useful comments, qualifications, etc.>
# MODIFIED (MM/DD/YY)
# saroy 05/13/05 - Fix for bug 4233817
# saroy 02/18/05 - Fix for bug 4054414
# saroy 11/02/04 - Fix for bug 3980370
# qdinh 01/19/04 - bug 3374115
# dlin 07/10/03 - turn off debug
# dlin 02/21/03 - plug-in install changes
# dlin 02/13/03 - dlin_bug-2625027
# dlin 07/22/02 - Creation
ADHOST="A"
ADPORT="1"
ADSSLPORT="1"
WALLETLOC="A"
WALLETPWD="A"
WALLETPWD2="A"
CONNECT="A"
ODSPWD="A"
ODSPWD2="A"
OIDHOST="A"
OIDPORT="1"
ORCLADMINPWD="A"
ORCLADMINPWD2="A"
PRGDN="A"
SCUSB="A"
EP="A"
ISSSL="n"
ISFAILOVER="n"
ISFAILOVERSSL="n"
SECADHOST="A"
SECADPORT="1"
SECADSSLPORT="1"
SECWALLETLOC="A"
SECWALLETPWD="A"
SECWALLETPWD2="A"
clear
echo "---------------------------------------------"
echo " OID Active Directory Plug-in Configuration"
echo "---------------------------------------------"
echo " "
echo "Please make sure Database and OID are up and running."
echo " "
LDAP_DIR=${ORACLE_HOME}/ldap
LDAP_LOG=${LDAP_DIR}/log
## ORACLE_HOME
if [ -z $ORACLE_HOME ] ; then
echo " ORACLE_HOME must be set for this installation script"
exit 0
fi
# gather required information
if [ ${ADHOST} = "A" ] ; then
printf "Please enter Active Directory host name: "
read ADHOST
fi
## active directory host name is required
if [ "${ADHOST}" = "" ]
then
echo "Active Directory host name is required";
exit 1;
fi
printf "Do you want to use SSL to connect to Active Directory? (y/n) "
read ISSSL
if [ "${ISSSL}" = "n" ]
then
if [ ${ADPORT} = "1" ] ; then
printf "Please enter Active Directory port number [389]: "
read ADPORT
if [ "${ADPORT}" = "" ]
then
ADPORT="389"
fi
fi
fi
if [ "${ISSSL}" = "y" ]
then
if [ ${ADSSLPORT} = "1" ] ; then
printf "Please enter Active Directory SSL port number [636]: "
read ADSSLPORT
if [ "${ADSSLPORT}" = "" ]
then
ADSSLPORT="636"
fi
fi
if [ ${WALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read WALLETLOC
fi
## wallet location is required
if [ "${WALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${WALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read WALLETPWD ; stty echo ; echo
fi
if [ "${WALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${WALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read WALLETPWD2 ; stty echo ; echo
fi
if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
if [ ${CONNECT} = "A" ] ; then
echo " "
printf "Please enter DB connect string: "
read CONNECT
fi
if [ ${ODSPWD} = "A" ] ; then
printf "Please enter ODS password: "
stty -echo ; read ODSPWD ; stty echo ; echo
fi
## password is required
if [ "${ODSPWD}" = "" ]
then
echo "ODS password is required";
exit 1;
fi
if [ ${ODSPWD2} = "A" ] ; then
printf "Please enter confirmed ODS password: "
stty -echo ; read ODSPWD2 ; stty echo ; echo
fi
if [ "${ODSPWD}" != "${ODSPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
if [ "${CONNECT}" = "" ]
then
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
else
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
fi
# Check if ODS password and connect string is correct
${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
exit;
END
if [ $? -ne 0 ]; then
echo "Incorrect connect string or ODS password specified"
exit 1;
fi
if [ ${OIDHOST} = "A" ] ; then
echo " "
printf "Please enter OID host name: "
read OIDHOST
fi
## oid host is required
if [ "${OIDHOST}" = "" ]
then
echo "OID host name is required";
exit 1;
fi
if [ ${OIDPORT} = "1" ] ; then
printf "Please enter OID port number [389]: "
read OIDPORT
if [ "${OIDPORT}" = "" ]
then
OIDPORT="389"
fi
fi
# Check if OID host and port is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect OID host or port specified"
exit 1;
fi
if [ ${ORCLADMINPWD} = "A" ] ; then
printf "Please enter orcladmin password: "
stty -echo ; read ORCLADMINPWD ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" = "" ]
then
echo "orcladmin password is required";
exit 1;
fi
if [ ${ORCLADMINPWD2} = "A" ] ; then
printf "Please enter confirmed orcladmin password: "
stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
# Check if orcladmin password is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect orcladmin password specified"
exit 1;
fi
echo " "
if [ ${SCUSB} = "A" ] ; then
printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
read SCUSB
if [ "${SCUSB}" = "" ]
then
SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
fi
fi
if [ ${PRGDN} = "A" ] ; then
printf "Please enter the Plug-in Request Group DN: "
read PRGDN
fi
if [ ${EP} = "A" ] ; then
printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
read EP
if [ "${EP}" = "" ]
then
EP='(!(objectclass=orcladuser))'
fi
fi
echo " "
printf "Do you want to setup the backup Active Directory for failover? (y/n) "
read ISFAILOVER
if [ "${ISFAILOVER}" = "y" ]
then
if [ ${SECADHOST} = "A" ] ; then
printf "Please enter the backup Active Directory host name: "
read SECADHOST
if [ "${SECADHOST}" = "" ]
then
echo "Backup Active Directory host name is required";
exit 1;
fi
fi
printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
read ISFAILOVERSSL
if [ "${ISFAILOVERSSL}" = "n" ]
then
if [ ${SECADPORT} = "1" ] ; then
printf "Please enter the backup Active Directory port number [389]: "
read SECADPORT
if [ "${SECADPORT}" = "" ]
then
SECADPORT="389"
fi
fi
fi
if [ "${ISFAILOVERSSL}" = "y" ]
then
if [ ${SECADSSLPORT} = "1" ] ; then
printf "Please enter the backup Active Directory SSL port number [636]: "
read SECADSSLPORT
if [ "${SECADSSLPORT}" = "" ]
then
SECADSSLPORT="636"
fi
fi
if [ ${SECWALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read SECWALLETLOC
fi
## wallet location is required
if [ "${SECWALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${SECWALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read SECWALLETPWD ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${SECWALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
fi
     if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
     then
     echo "The input passwords are not matched";
     exit 1;
     fi
fi
fi
# install the plug-in PL/SQL packages
echo " "
echo "Installing Plug-in Packages ..."
echo " "
# install plug-in debug tool
cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
chmod +w $LDAP_LOG/oidspdsu.pls
echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$LDAP_LOG/oidspdsu.pls
rm $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
# install plug-in packages
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
#stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# register the plug-ins
echo " "
echo "Registering Plug-ins ..."
echo " "
$ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapcompare
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhencompare2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginattributelist:userpassword
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapbind
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhenbind2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
EOF
cat <<DONE
Done.
DONE

Hi,
This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate as this note tells you to configure this way but the OID only observes the final result. The note doesn't tell us this.
Here's an example:
We've two OID User users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
We have two plugins: pluginA and PluginB. Installed in that order.
When Al logs in the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logins in both plugins fire again but it's the second plugin that returns the answer again. This is true and bob gets in.
There's a couple of ways around this and one of the more effective ways is to associate the plugin with the dn. So in our example, we associate the pluginA to fire only for the dn cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of mulitple plugins firing and giving conflicting answers as the appropriate plugin only fires once.
I've used this solution in a realtime environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
Another solution is to associate the plugins with groups.
Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
HTH!
Phil.
If

Extenal authentication plug-in debugging - how to interpret results?

Hi all
I've managed to get OID to synchronize with MS AD (partly thanks to this forum)
Also, I've installed the External Authentication Plug-In
But I still can't log in to SSO as an AD user...
So I've run the plug-in debugger and it gives results such as:
Begin post-search plug-in
filter string = (&(objectclass=person)(uid=howard_d))
= appears in position 15
length of my_filter string = 35
SAMAccountName = person)(uid=howard_d)
not a valid SAMAccountName
I get a similar result if I try logging in with the full account name of '[email protected]'
(I can bind against AD with these credentials, but not against OID)
Do I need to change my mappings?
Or what other tests can I do to check the external-authentication plug-in?
Thanks again
Howard

If (&(objectclass=person)(uid=howard_d)) is the filter used in AD,
I guess the filter to be used in OID should be "(&(objectclass=person)(SAMAccountName=howard_d))"
or "(SAMAccountName=howard_d)"
I think its the syntax error you are getting.

Question on External Authentication Plug-in

Similar Messages

Maybe you are looking for