DB Security/Enterprise User Security (EUS) : Logon Trigger for auditing LDAP user logged on to Oracle DB

Use Case: 

Find a way to identify the AD domain user logged into a database configured with EUS

Pre-requisite: DB Users/Groups have already been centralized in an LDAP like Active Directory(AD) using Enterprise User Security (EUS)

Details:After logging in using sqlplus if we issue the following SQL we still see the shared schema user(which was used to map the Oracle DB Default Domain to the LDAP Container)

SQL> show user
GLOBAL_IDENT_SCHEMA_USER

Now the question is if we see a runaway query or a transaction causing blocking, how do we tie that back to the exact  external user instead of a Global Schema? How would we identify this information from within Oracle Enterprise Manager (OEM)session info?

A workaround could be to issue the following SQL query
SQL>  SELECT SYS_CONTEXT('USERENV','EXTERNAL_NAME') FROM DUAL;
SYS_CONTEXT('USERENV','EXTERNAL_NAME')

--------------------------------------------------------------------------------

cn=Sudipto Desmukh,cn=Users, dc=corp, dc=kdemo,dc=com

But wouldn't it be great if this is available in v$session for anyone to see real-time without specifically issuing a SQL query ?

We are able to create a logon trigger (attached) which populates enterprise user session information to client_info of V$SESSION.

create or replace trigger sys.on_logon after logon on database 

declare 

v_externalname varchar2(64) := ''; 

begin 

SELECT substr(sys_context('userenv','external_name'),1,63) into v_externalname FROM dual; 

if v_externalname is not null 

then 

DBMS_APPLICATION_INFO.SET_CLIENT_INFO (v_externalname ); 

end if; 

end; 

/ 

We should be able to pull up the blocking session information, if any from OEM tied to this enterprise user. An illustration of the result :

References:

1) How To Know The DN Of The Users Authenticated Via Enterprise User Security (EUS) Using Audit Records (Doc ID 465674.1)

2) How to Identify users using a shared global schema in Enterprise User Security

Database Security - Enterprise User Security (EUS)

About Enterprise User Security (EUS)

• Enterprise User Security (EUS) is a way of integrating Oracle Database with LDAP compliant directory server like Oracle Internet Directory (OID) or Microsoft AD
  so that database Users , Passwords & Roles can be centrally managed in a LDAP Directory Server.
• Belongs to Database Security category of the IdM stack.

Advantages 

• Offers low costs & centralized authentication.
• Increases security & compliance.
• No data migration needed , clients continue to use existing directories.

Architecture

• Oracle Virtual Directory (OVD) has a EUS Adapter and EUS Plugins OOTB.
• The LDAP Directory (OID or AD or Novell or Sun eDirectory) needs to be setup for EUS.
• The Oracle Database/s need to be EUS enabled using NETCA & DBCA utility.
• The Database/s can be logged into using a centralized EUS User/s later.
• Kerberos authentication can be enabled to do native authentication for SQL clients like sql plus & SQL Developer.

Useful Resources 

1. EUS DataSheet with Architecture
2. Enterprise User Security Guide
3. Integrating Enterprise Security with AD
4. Oracle Whitepaper
5. Atul Kumar’s Blog
6. How To Configure EUS with OVD 11.1.1.6 and Active Directory - AD (Doc ID 1449132.1)
7. Expected Issues - How To Avoid Extending The Active Directory Schema With extendAD For OVD-OID-AD-EUS 11g Integration? (Doc ID 1159337.1)