
Oracle RDBMS authentication against LDAP

fweisser1, Jan 17 2024 — edited Jan 19 2024

Currently, our Oracle DBMS authenticates all database users against accounts solely stored within the database itself. In the future, we want to add users which are authenticated against LDAP, e.g. Microsoft Active Directory.

To my understanding, those new users still have to be entered into the Oracle database, but as "IDENTIFIED GLOBALLY." So far, so good.

If I correctly recap the documentation, authentication still works similarly to the case of users which exist only locally, i.e. Oracle generates a hash of the password entered by the user, looks this user up in LDAP, fetches his or her password hash from LDAP and compares this hash with the hash of his or her alleged password. If the comparison evaluates to true, then the user has been successfully authenticated. This is why Microsoft Active Directory needs to be modified by running opwdintg.exe—otherwise, Oracle could not fetch hashes of the passwords of users stored within Microsoft Active Directory.

The question I do have: Why has Oracle chosen this route? Why does Oracle not simply call “ldap_bind()” against the directory server? This would have required no change to its schema and its libraries. Other clients do so as well, and even if the distinguished name were not known to the client, this route can work if the client looks up the user first based on e.g. his or her “sAMAccountName” using a generic read-only user, if anonymous access is prohibited, to infer his or her distinguished name. Does Oracle ever intend to add an authentication scheme based on “ldap_bind()”?

In my opinion, the documented way to modify Microsoft Active Directory is cumbersome and will raise tough and lengthy negotiations with the department operating the directory server, especially if the number of future Oracle users is much smaller than the total number of other users stored in the directory service.
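The search-then-bind route the post proposes (look the account up by sAMAccountName with a read-only service account, then ldap_bind() as the resulting DN), written out as an added example. This is not code from the original post or from Oracle; the Directory interface, the FakeDirectory with its DNs and passwords, and the authenticate() function are assumptions made for illustration so that the flow runs offline. With a real client the two calls map onto simple bind and search (for example ldap3's Connection.bind() and Connection.search()). The example also covers two failure modes a practitioner has to handle on this route: an empty password, which LDAP treats as an unauthenticated bind that many servers accept as anonymous, and unescaped login names in the search filter (LDAP injection).

```python
"""Search-then-bind LDAP authentication, the ldap_bind() route the post proposes.

Flow:
  1. bind with a read-only service account,
  2. search for the user's entry by sAMAccountName to learn its DN,
  3. bind again as that DN with the password the user typed.
Directory is a minimal client interface; FakeDirectory is constructed sample
data so the flow runs offline (hypothetical DNs and passwords).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Protocol


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter.

    Without it a login name such as 'alice)(objectClass=*' rewrites the
    filter (LDAP injection). Special characters become \\XX hex escapes.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


class Directory(Protocol):
    def bind(self, dn: str, password: str) -> bool: ...
    def search(self, base_dn: str, ldap_filter: str) -> List[str]: ...


@dataclass
class FakeEntry:
    dn: str
    sam_account_name: str
    password: str


@dataclass
class FakeDirectory:
    """In-memory stand-in for an LDAP server (constructed test data)."""
    entries: List[FakeEntry]
    allow_anonymous: bool = False

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
        # bind, which many servers accept as anonymous. Modelled here so the
        # caller's empty-password guard can be shown to matter.
        if password == "":
            return self.allow_anonymous
        return any(e.dn == dn and e.password == password for e in self.entries)

    def search(self, base_dn: str, ldap_filter: str) -> List[str]:
        # Only the exact filter shape authenticate() emits is understood;
        # equality is checked on the escaped value, wildcards are not modelled.
        m = re.fullmatch(r"\(&\(objectClass=user\)\(sAMAccountName=(.*)\)\)", ldap_filter)
        if m is None:
            raise ValueError("unsupported filter: " + ldap_filter)
        wanted = m.group(1)
        return [
            e.dn for e in self.entries
            if e.dn.lower().endswith(base_dn.lower())
            and escape_filter_value(e.sam_account_name) == wanted
        ]


def authenticate(directory: Directory, service_dn: str, service_password: str,
                 base_dn: str, username: str, password: str) -> Optional[str]:
    """Return the authenticated user's DN, or None if login must be refused."""
    if not username or not password:
        return None  # never let an empty password reach bind(); see FakeDirectory.bind
    if not directory.bind(service_dn, service_password):
        raise RuntimeError("read-only service account bind failed")
    ldap_filter = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)
    candidates = directory.search(base_dn, ldap_filter)
    if len(candidates) != 1:
        return None  # unknown account, or ambiguous match: refuse rather than guess
    user_dn = candidates[0]
    # Real clients do this on a fresh connection (or re-bind) so the service
    # credentials are not reused for the user's session.
    return user_dn if directory.bind(user_dn, password) else None


# Constructed sample directory (hypothetical names and secrets).
SERVICE_DN = "CN=svc-oracle,OU=Service,DC=example,DC=com"
SERVICE_PW = "S3rvice-Pa55"
BASE_DN = "DC=example,DC=com"
SAMPLE_DIRECTORY = FakeDirectory(entries=[
    FakeEntry(SERVICE_DN, "svc-oracle", SERVICE_PW),
    FakeEntry("CN=Alice,OU=Users,DC=example,DC=com", "alice", "correct horse"),
])


def demo() -> dict:
    d = SAMPLE_DIRECTORY
    return {
        "good": authenticate(d, SERVICE_DN, SERVICE_PW, BASE_DN, "alice", "correct horse"),
        "bad_pw": authenticate(d, SERVICE_DN, SERVICE_PW, BASE_DN, "alice", "wrong"),
        "empty_pw": authenticate(d, SERVICE_DN, SERVICE_PW, BASE_DN, "alice", ""),
        "unknown": authenticate(d, SERVICE_DN, SERVICE_PW, BASE_DN, "bob", "x"),
        "injection": authenticate(d, SERVICE_DN, SERVICE_PW, BASE_DN,
                                  "alice)(objectClass=*", "correct horse"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

Only the "good" case yields a DN; every other case, including the empty password that the fake server would happily accept as an anonymous bind, is refused before or at the second bind. Against a real directory the service account needs read access to the users' sAMAccountName and DN only, and the connection should be LDAPS or StartTLS, since the user's password travels in the clear inside a simple bind.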
