31 comments
This can be a pretty daunting task at first (especially if you don’t have a good grasp of basic LDAP syntax) but it is extremely beneficial in certain environments. For instance, we use our institution’s AD for authentication but have our authorization rules set up on the OID and Oracle accounts for the end-users, giving them a “single sign-on” experience. Very much worth the effort.
Thanks for sharing your experience with readers. It’s true that it’s worth knowing LDAP syntax and basics.
Hi, I feel integrating OID with AD is not an easy task. It is mentioned that EAP (External Authentication Plugin) can be used for AD-OID sync, but I have a few issues with this. In my environment I want to establish a single password concept for both thin client and thick client. EAP works well for thin client but does not support thick client. Hence it looks like password filter and server chaining are the few options to resolve the thick client issue. Could you please give me an idea whether EAP can be used for both thick and thin client? In my environment the password is in AD and nowhere else. If EAP can be used, then how can it be done?
Sisir,
EAP can be used in OID so that OID, on the user’s behalf, will do an ldapbind and ldapcompare for the password in AD or a third-party directory server.
Do let me know what kind of thick clients (give me an example) you are trying to use with EAP.
Server chaining for directory servers is available from OID 10.1.4 and not 10.1.2.
I’ll cover EAP in a coming post on this site.
Bilal,
Check the OID-AD Integration Guide here:
http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir.htm#sthref612
Hi,
I have a portal with a numeric login.
For example: user (010999)/pass
I would like to make the username alphanumeric
(amolchawathe/password).
Can you guide me on how this can be done, either through a change in OID or some kind of portal API?
Your inputs would be appreciated.
Thanks
Amol
Hi Atul,
I want to understand what the use of integrating AD with OID could be without the use of SSO?
thanks
Pravin
Hi,
Does the installation of Oracle Password Filter (which syncs passwords between OID and AD) modify the AD schema or anything else in AD?
Thanks,
I don’t like to modify anything in AD.
@ Cristiano,
Password Filter for AD should be installed on the AD server.
Check the link below for steps:
http://download.oracle.com/docs/cd/E14571_01/oid.1111/e10031/odip_adpasswordsync.htm#CHDEDIIA
Just to note: I have seen that the password filter is a way to synchronize the Active Directory password into OID, but if you don’t want to store it in OID you can use the External Authentication Plugin (OID).
Hi Atul,
We are trying to integrate eDirectory (EDIR) and OID 11g.
Will you please let me know if there is any other way to do it without DIP? Also, the requirement is that it should run once daily.
Thanks & look forward to your valuable reply.
Authenticate Portal users using AD
The question is:
Would it be possible to authenticate with AD and, if the user does not exist in AD, then authenticate using OID?
We have more users in OID. Not all users have an AD userid/password, but they do have an account in OID.
Is it possible to do?
@ Sanjay,
Which application are you using to authenticate against AD?
Check in Active Directory if there is an option to authenticate against OID if the user is not available in AD.
Hi,
We are using Oracle 10g Forms, Oracle 10g Forms and Reports Services and MS AD. How do I configure single password authentication for the operating system and the Forms application?
Can you please list down the steps.
Regards
Ameet
@ Ameet,
I am not sure if direct Kerberos authentication is possible in Forms/Reports 10g; however, to achieve 10g Forms/Reports with MS AD for Windows native authentication (zero sign-on):
1. Integrate Forms with 10g SSO (Oracle AS SSO) using http://download.oracle.com/docs/cd/B14099_19/web.1012/b14032/sso.htm
2. Then integrate 10g SSO (Oracle AS SSO) with Active Directory for Kerberos using http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir003.htm#sthref827
Thanks Atul for your reply.
What is better for our environment? Please give us a suggestion.
We already have 4 Forms applications deployed; should I install the complete apps server (Infra & Apps), then deploy these four applications, and then proceed with AD sync?
Is the DBMS_LDAP package helpful in sync? Can I perform this task with this package without SSO and OID?
@ Ameet, as far as I know dbms_ldap is used for accessing LDAP (OID/AD) data using PL/SQL or from the database.
I don’t think you can achieve SSO with dbms_ldap; you would eventually need Single Sign-On software.
Please consult Oracle Support (Forms & Reports Team)
OK, thanks. Can you send me all the parts of the bi-directional integration between OID and MS AD?
I need the sequence of steps to configure sync …
@ Ameet
For OID 11g integration with AD check
and
and
http://download.oracle.com/docs/cd/E14571_01/oid.1111/e10031/odip_actdir.htm
For OID 10g integration with AD check
http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir.htm#sthref612
For OID
Hello Amet,
You wrote:
– Users can be created in AD and propagated to OID => OK via import profile
– or vice versa => OK via export profile
– or can be created in both and then synched => that is what I want to do, but DIP returns LDAP error 65 and can’t synchronize users
How can I do it?
Thanks in advance
Fontin
@ Fontin,
Paste exact error from DIP.
Did you configure the DIP synchronisation profile using EM (assuming this is OID 11g)?
check this
http://docs.oracle.com/cd/E21764_01/oid.1111/e10031/odip_actdir.htm#CHDBBAII
Hi! First of all, congratulations on your blog!
I need some help with syncing passwords from AD to OID.
I don’t know what software I will need…
Can you help me by sending a list of the necessary software?
I’m using 11g Middleware.
Thank you a lot!
@Mario, do you really need to keep the password in two places? If I were you I would use the password plug-in feature of OID, where OID can contact AD for password validation.
If you still want to sync the password then use DIP (Directory Integration Platform). Do let me know if you need more information or a documentation link.
@Atul Kumar
Scenario:
1 server with AD 2008 R2 (isval.lab)
1 server with OID 11g (oidval.is)
Actually I can sync users from isval.lab to oidval.is, but the password is empty, so I need to sync the password from AD.
I know that I need an SSL connection between Windows Server and OID, and the password filter on 2008.
I have configured the SSL connection, and in Windows I trusted the connection by using ldapbindssl.exe and got Bind Successful.
But the passwords are not synchronized, and I don’t know what I’m doing wrong…
@ Mario,
Password sync should work using DIP. If this is not working then check the synchronization mapping and verify that the password attribute is also part of this AD-OID sync. Enable debug in the synchronization profile or raise a Service Request with Oracle Support.
Check
http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_actdir.htm#CHDIGDEH
and
http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_config_integration.htm#BABBFAAJ
and
http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_adpasswordsync.htm#CHDBIIJC
@Atul Kumar
Hi Atul!
I’ve reinstalled everything; at this moment we have:
All software up and running.
And the SSL configuration was:
1. Create wallet with self-signed cert
2. Configure OID in SSL mode 2
3. Check SSL config with ODSM (created connection with SSL and it works fine)
4. Change password policies
5. Export certificate (oid.cer)
6. Import oid.cer into a new keystore
7. Configure DIP to work in SSL mode 2 (works fine)
8. Import oid.cer on Windows 2008 server
9. Create Windows 2008 server cert (self-signed too)
10. Import Windows cert into keystore
11. Test connectivity between DIP and W2K8 by port number 636 of AD (works fine)
12. Create sync profile with SSL (test connection successful and syncs users too)
13. Install password filter on W2K8
14. Change password on users already synced (password is not synced)
15. Edit sync map (user->userpassword – interorgperson -> userpassword)
16. Reset password on AD user
17. DIP shows a new successful change (but password is not synced)
What am I doing wrong?
Hi Atul,
I have configured EAP in OID to authenticate from AD. I do not want to sync from AD. I checked that the ldap_bind_ad and ldap_compare_ad plugins are configured properly, but still the EAP is not working; it says invalid credential.
Can you please help me with where I can check if anything is wrong, or do I need to configure OID-AD sync (import/export) before EAP?
Regards
Santosh