DB Security/Enterprise User Security (EUS) : Logon Trigger for auditing LDAP user logged on to Oracle DB

Use Case: 

Find a way to identify the AD domain user logged into a database configured with EUS

Pre-requisite: DB Users/Groups have already been centralized in an LDAP like Active Directory(AD) using Enterprise User Security (EUS)

Details:After logging in using sqlplus if we issue the following SQL we still see the shared schema user(which was used to map the Oracle DB Default Domain to the LDAP Container)

SQL> show user
GLOBAL_IDENT_SCHEMA_USER

Now the question is if we see a runaway query or a transaction causing blocking, how do we tie that back to the exact  external user instead of a Global Schema? How would we identify this information from within Oracle Enterprise Manager (OEM)session info?

A workaround could be to issue the following SQL query
SQL>  SELECT SYS_CONTEXT('USERENV','EXTERNAL_NAME') FROM DUAL;
SYS_CONTEXT('USERENV','EXTERNAL_NAME')

--------------------------------------------------------------------------------

cn=Sudipto Desmukh,cn=Users, dc=corp, dc=kdemo,dc=com

But wouldn't it be great if this is available in v$session for anyone to see real-time without specifically issuing a SQL query ?

We are able to create a logon trigger (attached) which populates enterprise user session information to client_info of V$SESSION.

create or replace trigger sys.on_logon after logon on database 

declare 

v_externalname varchar2(64) := ''; 

begin 

SELECT substr(sys_context('userenv','external_name'),1,63) into v_externalname FROM dual; 

if v_externalname is not null 

then 

DBMS_APPLICATION_INFO.SET_CLIENT_INFO (v_externalname ); 

end if; 

end; 

/ 

We should be able to pull up the blocking session information, if any from OEM tied to this enterprise user. An illustration of the result :

References:

1) How To Know The DN Of The Users Authenticated Via Enterprise User Security (EUS) Using Audit Records (Doc ID 465674.1)

2) How to Identify users using a shared global schema in Enterprise User Security

EUS with OUD: ORA-28030 Network Issues -- Hosts and DNS

Use Case : Centralize Database Users/Roles using Enterprise User Security to enable Password-based authentication via Oracle Unified Directory(OUD) connecting to Active Directory 

Issue : After following all the pre-requistes and steps needed to setup EUS, we get the below error while trying to connect to the DB using AD user/password.

SQL> CONNECT username@service_name;
ORA-28030: Server encountered problems accessing LDAP directory service

DB Trace Logs show the following -
*** ACTION NAME:() 2016-08-15 13:16:50.270
*** MODULE NAME:(sqlplus@recoverdwp (TNS V1-V3)) 2016-08-15 13:16:50.270
*** SERVICE NAME:(desanew) 2016-08-15 13:16:50.270
*** SESSION ID:(159.13) 2016-08-15 13:16:50.270
kzld_discover received ldaptype: OID
kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=-1
KZLD_ERR: -1
KZLD is doing LDAP unbind
KZLD_ERR: found err from kzldini.

Cause inference 
The OUD server, as defined in ldap.ora, is not reachable from the RDBMS Server's machine. Also looks like the SASL bind requires that both forward and reverse lookup are defined in DNS for the target OUD hostname.

A database can bind to OUD by using password/SASL-based authentication. SASL (Simple Authentication and Security Layer) is a standard defined in the Internet Engineering Task Force RFC 2222. It is a method for adding authentication support to connection-based protocols such as LDAP.   

Solution
The following are the two options to fix/workaround this issue -
 
1) Edit  file /etc/hosts and add the IP address to the DB Server, FQDN and alias, eg:xxx.xxx.xxx.xxx   hostname.domain_name   hostname
This step would need to be repeated for all DB Servers which need to be configured for EUS.

2) Ensure that the forward and reverse lookup are properly defined in the DNS  for OUD Hosts. (nslookup should succeed for both IP and HostName)
This is a one-time activity and will be available for all DB Servers in the network

References
Note 331538.1   (Ora-7445 [Gslcoish_saslhostconnectedto()+78] Connecting as Enterprise User)
Note 1270342.1 (EUS User Can Not Login To The Database)

How to create new Admin users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.

Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having more privileges than are needed certain admin functions having access to multiple realms on OID. 

While there is no documented way to create a second superuser for OID, like cn=orcladmin. But, a user with the same privileges as the realm Admin (cn=orcladmin,dc=<companyName,dc=com) can be created and used for the following use cases : 

• Use in OAM Console for Identity Store credentials
• Providing ODSM login capability to admin users to view/modify the LDAP Tree for their realm
• Any kind of CRUD based LDAP APIs used in Java Code
• Separate password policies can be created for these users which are different from the cn=orcladmin superuser etc.

This user can be created as follows : 

1. Create an LDIF file with the following content
   dn: cn=myadmin,cn=Users,dc=oracle,dc=com
   givenname: myadmin
   sn: myadmin
   cn: myadmin
   uid: myadmin
   mail: myadmin@oracle.com
   objectclass: top
   objectclass: person
   objectclass: inetOrgPerson
   objectclass: orclUser
   objectclass: orclUserV2
   objectclass: organizationalPerson
   
   
   
2. Run ldapadd
   ldapadd -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <password> -f <LDIF_filename>

        Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .

3.  Confirm that you are able to bind successfully as the newly created user

  ldapbind -h <OID_host> -p <OID_port> -D      "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>

4. Get the existing group memberships for the orcladmin user

  ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w    <password> "<DN_of_orcladmin>" "dn"

Alternatively use 'Import' feature in Data Browser tab of ODSM to import the SuperUser.ldif file attached (essentially contains the all groups to be added for a Realm Admin in LDIF format)

Reference : Doc ID 454796.1

Good reads : 

1) Creating read-only users in OID
2) How to unlock superuser cn=orcladmin account in OID

Creating Read-Only Users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.

Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having way more privileges than are needed for non-admin functions. We should create read-only LDAP users for the following use cases :

• LDAP Monitoring at the F5/Load Balancer level (LDAP health check using ldapbind) 
• Use for username/password for Authenticators in Weblogic Console (which are for only authentication purposes)
• Providing ODSM login capability to non-admin users to view the LDAP Tree (based on allowed ACLs)
• Any kind of query only LDAP APIs used in Java Code
• Separate password policies can be created for read-only users which are different from superusers/realm-admins

Only three tabs are visible in ODSM for read-only users : Home, Data Browser, Schema.

Security and Advanced tabs are not visible.

One of the ways in which the read-only users can be created is : 

1. Create a text file (e.g., readonly.ldif) with the following:
   dn: cn=readonly, cn=Users,< subscriber domain >
   userpassword: < password >
   objectclass: top
   objectclass: person
   objectclass: organizationalPerson
   objectclass: inetorgperson
   objectclass: orcluser
   objectclass: orcluserV2
   mail: readonly
   givenname: readonly
   uid: readonly
   description: account to have readonly access
   sn: readonly
   cn: readonly

 2. Load the above file with ldapadd command :
ldapadd -h <OID_host> -p <OID_port> -D cn=orcladmin -w <password> -v -f readonly.ldif

Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .

The key is to make sure the user is not a member of any groups.

3. Check Group Memberships:

To verify the user is NOT a member of any group, issue the following search:

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "" "(uniquemember=<full_user_DN>)" "dn"

4.Confirm that you are able to bind successfully as the newly created user
ldapbind -h <OID_host> -p <OID_port> -D "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>

Reference : Doc ID 746612.1

Good read : How to unlock superuser cn=orcladmin account in OID

OID 11.1.1.7 - Unlocking superuser orcladmin account

We weren't able to login to WebCenter Portal which uses OID as the Authentication store today.
On investigation we found out that the superuser orcladmin account was itself locked.

Note -
1.There are 2 orcladmin accounts: the superuser account, cn=orcladmin, and the REALM administrator cn=orcladmin, for example: cn=orcladmin,cn=users,dc=oracle,dc-com.

2. The superuser account is hard coded and is not seen in the Oracle Directory Manager (ODM), nor the Oracle Directory Services Manager (ODSM) in 11g.

Following commands* executed from a command line tool helped to fix this issue -

export ORACLE_HOME=/u01/app/oracle/middleware/Oracle_IDM1/

export ORACLE_INSTANCE=/u01/app/oracle/admin/OID_Domain/oid_inst_2/

cd /u01/app/oracle/middleware/Oracle_IDM1/ldap/bin

>./oidpasswd connect=OIDDB unlock_su_acct=true      #find connect string from #/u01/app/oracle/admin/OID_Domain/oid_inst1/config/tnsnames.ora

OID DB user password:<ODS Schema pwd>

*This is just a representation of what i had to do in my environment to fix this.

Post this, you would need to login to ODSM, go to Data Browser tab and change the password for cn=orcladmin,cn=Users,dc=<companyName>,dc=com and change the password which in all probability might have expired as well.

Reference : https://support.oracle.com/epmos/faces/DocumentDisplay?id=251354.1

Atul Kumar's post here also helps with similar issues.

To change password policies have a look at this Oracle Doc