Agenda
Database Registration and Name Resolution
Single Sign-On
Windows Native Authentication
Kerberos
Security Integration for .NET Applications
Enterprise User Security and Virtual Directory
Supported combinations (Directory = which directory can hold the registration):

Client OS    Server OS   AD    OID   Comments
Windows      Windows     Yes   Yes
Windows      Any         Yes   Yes
Linux/Unix   Any         No    Yes   AD integration solutions can help
Windows Environment
Active Directory acts as the repository of database names and connect descriptors.
1. The user signs on to the desktop (client system).
2. The user issues a connect request.
3. The client retrieves the connect descriptor from Active Directory.
4. The client connects to the Oracle Database (any platform) using that connect descriptor.
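The following is an added example, not code from the original slides or from Oracle: it simulates steps 3 and 4 offline. Oracle Net registers each database as an orclNetService object under cn=OracleContext in the directory, with the connect descriptor in the orclNetDescString attribute; the in-memory dictionary below is a constructed stand-in for that LDAP lookup (the host names, the "rac" entry and the tampered "payroll" entry are all made up). The domain check in connect_target is an added hardening step, not something Oracle Net does on its own.

```python
# Constructed stand-in for the AD lookup: net service name -> orclNetDescString.
FAKE_AD_ORACLE_CONTEXT = {
    "orcl": "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=w2k3s.adnet.dev)(PORT=1521))"
            "(CONNECT_DATA=(SERVICE_NAME=orcl.adnet.dev)))",
    "rac": "(DESCRIPTION=(ADDRESS_LIST="
           "(ADDRESS=(PROTOCOL=TCP)(HOST=node1.adnet.dev)(PORT=1521))"
           "(ADDRESS=(PROTOCOL=TCP)(HOST=node2.adnet.dev)(PORT=1521)))"
           "(CONNECT_DATA=(SERVICE_NAME=rac.adnet.dev)))",
    # Constructed tampered entry: whoever can write orclNetDescString in the
    # directory decides where clients send their credentials.
    "payroll": "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.evil.example)(PORT=1521))"
               "(CONNECT_DATA=(SERVICE_NAME=payroll)))",
}


def parse_descriptor(text):
    """Parse Oracle Net's parenthesised KEY=VALUE syntax into nested dicts.
    Whitespace outside values is insignificant, so it is dropped first.
    Repeated keys at one level (several ADDRESS nodes) become a list."""
    text = "".join(text.split())
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq].upper()
        pos = eq + 1
        if pos < len(text) and text[pos] == "(":
            value = {}
            while pos < len(text) and text[pos] == "(":
                k, v = node()
                if k in value:
                    if not isinstance(value[k], list):
                        value[k] = [value[k]]
                    value[k].append(v)
                else:
                    value[k] = v
        else:
            close = text.index(")", pos)
            value = text[pos:close]
            pos = close
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return key, value

    key, value = node()
    if pos != len(text):
        raise ValueError("trailing data after descriptor")
    return {key: value}


def addresses(node):
    """Collect every ADDRESS node, directly under DESCRIPTION or inside ADDRESS_LIST."""
    found = []
    if isinstance(node, dict):
        for k, v in node.items():
            if k == "ADDRESS":
                found.extend(v if isinstance(v, list) else [v])
            else:
                found.extend(addresses(v))
    elif isinstance(node, list):
        for v in node:
            found.extend(addresses(v))
    return found


def resolve(net_service_name, directory=FAKE_AD_ORACLE_CONTEXT):
    """Step 3: fetch and parse the connect descriptor registered for a name."""
    desc = directory.get(net_service_name.lower())
    if desc is None:
        raise LookupError(f"no orclNetService entry for {net_service_name}")
    return parse_descriptor(desc)


def connect_target(net_service_name, allowed_domain="adnet.dev"):
    """Step 4 plus an added check (assumption, not Oracle Net behaviour): refuse a
    descriptor whose HOST lies outside the domain the client trusts, so a
    rewritten directory entry cannot silently redirect the session elsewhere."""
    descriptor = resolve(net_service_name)
    endpoints = []
    for addr in addresses(descriptor):
        host = addr["HOST"].lower()
        if host != allowed_domain and not host.endswith("." + allowed_domain):
            raise ValueError(f"{net_service_name}: HOST {host} is outside {allowed_domain}")
        endpoints.append((host, int(addr["PORT"])))
    service = descriptor["DESCRIPTION"]["CONNECT_DATA"]["SERVICE_NAME"]
    return endpoints, service


if __name__ == "__main__":
    print(connect_target("orcl"))
    print(connect_target("rac"))
```

The practical point behind the check: with directory naming, the ACL on the OracleContext container (who may write orclNetDescString) is part of the database's attack surface, because an altered descriptor sends every client, and its credentials, to a host of the writer's choosing.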
Demo environment
Machine name: w2k3s.adnet.dev
Domain: adnet.dev
Tools installed (both available on the Windows 2003 media):
- Support Tools (under the Support directory on the CD); ADSI Edit is part of it
- Admin Tools (under the i386 directory on the CD): AD Users & Computers, etc.
DEMONSTRATION: Database Registration and Name Resolution
Single Sign-On
Authentication
Client
OS
Server
OS
Comments
Included and configured in all db editions
MS KDC is used implicitly
Windows Native
Authentication
Windows
Windows
Kerberos
Any
Any
default)
Enterprise User Security supported
EUS and AD integration solutions needed
to support authorization through Windows
group membership
Windows Native Authentication flow:
2. The user attempts to sign on to Oracle.
3. Client and database negotiate the security protocol and exchange security tokens with Active Directory/KDC.
4. The database identifies the user as a specific external user.
5. The database finds the user's Windows group memberships (if os_roles is true).
6. Roles are assigned based on database roles or on group memberships (depending on os_roles).
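The following is an added example, not code from the original slides or from Oracle: it simulates the decision in steps 5 and 6 with constructed inputs. The assumptions are taken from Oracle's Windows platform documentation of OS_ROLES rather than from this deck: with OS_ROLES=TRUE a Windows group named ORA_<ROLE> (all instances) or ORA_<SID>_<ROLE> (one instance) grants <ROLE>, a trailing _D makes it a default role, a trailing _A grants it WITH ADMIN OPTION, and ORA_DBA, ORA_<SID>_DBA, ORA_OPER and ORA_<SID>_OPER are the SYSDBA/SYSOPER OS-authentication groups rather than role grants; with OS_ROLES=FALSE the groups are ignored and only database GRANTs apply. The SID "ORCL", the group names and the DB grants below are made up.

```python
OS_AUTH_GROUPS = ("DBA", "OPER")  # ORA_DBA / ORA_<SID>_DBA etc.: SYSDBA/SYSOPER, not roles


def parse_role_group(group, sid, other_sids=()):
    """Map one Windows group name to a role grant, or None if it is not one.
    other_sids lists further instances on the same server, so that their
    ORA_<OTHERSID>_... groups are not misread as all-instance role names."""
    name = group.upper()
    sid = sid.upper()
    if not name.startswith("ORA_"):
        return None                         # ordinary group such as "Domain Users"
    rest = name[len("ORA_"):]
    if any(rest.startswith(o.upper() + "_") for o in other_sids):
        return None                         # belongs to a different instance
    scope = "all instances"
    if rest.startswith(sid + "_"):
        rest = rest[len(sid) + 1:]
        scope = sid
    if rest in OS_AUTH_GROUPS:
        return None                         # OS-auth group, handled elsewhere
    default = admin = False
    for suffix in ("_DA", "_AD", "_D", "_A"):
        if rest.endswith(suffix):
            rest = rest[: -len(suffix)]
            default = "D" in suffix
            admin = "A" in suffix
            break
    if not rest:
        return None
    return {"role": rest, "default": default, "admin": admin, "scope": scope}


def assign_roles(windows_groups, db_grants, sid, os_roles, other_sids=()):
    """Step 6. Returns {role: {"default": bool, "admin": bool}}.
    With OS_ROLES=TRUE the database's own GRANT entries are ignored entirely,
    so whoever administers local groups on the server controls every role grant,
    DBA included; with OS_ROLES=FALSE only the database grants count."""
    if not os_roles:
        return {role: dict(flags) for role, flags in db_grants.items()}
    granted = {}
    for group in windows_groups:
        parsed = parse_role_group(group, sid, other_sids)
        if parsed is None:
            continue
        granted[parsed["role"]] = {"default": parsed["default"], "admin": parsed["admin"]}
    return granted


# Constructed sample: what step 5 might return for one Windows user, plus the
# grants the DBA made inside the database.
SAMPLE_GROUPS = ["Domain Users", "ORA_ORCL_CONNECT_D", "ORA_APP_READ",
                 "ORA_ORCL_REPORTS_DA", "ORA_ORCL_DBA", "ORA_TEST_DBA_D",
                 "Remote Desktop Users"]
SAMPLE_DB_GRANTS = {"CONNECT": {"default": True, "admin": False}}

if __name__ == "__main__":
    print(assign_roles(SAMPLE_GROUPS, SAMPLE_DB_GRANTS, "ORCL", os_roles=True, other_sids=("TEST",)))
    print(assign_roles(SAMPLE_GROUPS, SAMPLE_DB_GRANTS, "ORCL", os_roles=False))
```

Run with os_roles=True the sample user gets CONNECT (default), APP_READ and REPORTS (default, with admin option) purely from group membership, while ORA_ORCL_DBA is left to the SYSDBA path and ORA_TEST_DBA_D is skipped as another instance's group; with os_roles=False only the database's own CONNECT grant survives. The thing to audit before enabling OS_ROLES is therefore who can create or populate ORA_* groups on the database server.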
DEMONSTRATION: Windows Native Authentication
Kerberos Authentication
- name by default
- cross-domain setup
- Removal of the 30-character limit on the Kerberos user name
Kerberos Authentication Configuration
Kerberos Authentication flow (MS KDC as the Kerberos server):
1. The user signs on to the desktop.
2. The user attempts to sign on to the Oracle Database.
3. The database identifies the user as a specific external user and assigns database roles accordingly.
The external name given at CREATE USER must match the authenticated Kerberos principal exactly, realm included; in a cross-domain setup that is the user's home realm, not the database server's.
Example:
SQL> CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@SOMEORGANIZATION.COM';
SQL> GRANT CONNECT, RESOURCE TO KRBUSER;
Security Integration for .NET Applications
Oracle Virtual Directory: Centralize DB User Account Management
Audience Questions
- How many have databases on an OS besides Windows?
- platforms
- How many organizations have implemented enterprise directory services?
- Oracle Enterprise User Security is all about centralizing database account management.
- Oracle Enterprise User Security lets you externalize database accounts and roles to an LDAP server.
- Oracle Virtual Directory allows EUS to work with 3rd-party directories, not just OID.
Business Challenges
- Built a database warehouse for reporting
- Wanted to leverage Active Directory and the existing provisioning process to manage credentials and role membership
- Did not want to synchronize to yet another directory
Oracle Solution
- Enterprise User Security and OVD
- OVD connects to AD
- EUS lets employees use their Windows password, and the existing provisioning system, to manage access
Return On Investment
- Allowed rapid deployment of secure access to the database warehouse
- Did not need to bring up yet another directory service just to manage database accounts
- Eliminated help desk calls
Summary
- EUS centralizes database account management into a directory
- EUS works across heterogeneous operating systems
- OVD enables EUS to work with 3rd-party directories without synchronization
Q&A
search.oracle.com or oracle.com