{"id":7444,"date":"2020-09-07T20:53:38","date_gmt":"2020-09-07T18:53:38","guid":{"rendered":"http:\/\/www.oradba.ch\/?p=7444"},"modified":"2020-09-07T21:30:15","modified_gmt":"2020-09-07T19:30:15","slug":"oracle-password-filter-for-ad-a-few-exciting-insights","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2020\/09\/oracle-password-filter-for-ad-a-few-exciting-insights\/","title":{"rendered":"Oracle Password Filter for AD, a few exciting insights"},"content":{"rendered":"\n<p>When it comes to designing and implementing central user administration for Oracle databases, authentication is one of the central topics. Often there is a need for integration with an existing directory service or IAM solution, which usually involves MS Active Directory. But Oracle Database and MS Active Directory are not yet best friends. In this blog post we will explain why this is so, with a focus on authentication.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A few Basics<\/h2>\n\n\n\n<p>Oracle Database provides a couple of authentication methods. These include, among others, the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Password authentication<\/li><li>OS authentication<\/li><li>Kerberos authentication<\/li><li>SSL authentication<\/li><\/ul>\n\n\n\n<p>All methods have their advantages and disadvantages and thus their justification. But now let&#8217;s talk about password authentication. It basically always works the same way, whether it is database or directory based. The picture below shows the schematic diagram of the password authentication process. 
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"625\" height=\"129\" src=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/DB_logon.png?resize=625%2C129&#038;ssl=1\" alt=\"\" class=\"wp-image-7445\" srcset=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/DB_logon.png?w=783&amp;ssl=1 783w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/DB_logon.png?resize=300%2C62&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/DB_logon.png?resize=768%2C159&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/DB_logon.png?resize=624%2C129&amp;ssl=1 624w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><figcaption>Schematic flow of password authentication<\/figcaption><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li>The user sends the logon request with their username to the database.<\/li><li>The database generates a session key to encrypt communication.<\/li><li>The client generates the password hash and sends it encrypted to the DB server.<\/li><li>The database now compares the password hashes.<ul><li>either the hash from USER$<\/li><li>or the hash from the directory server<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>The key aspect is that the database always verifies the password hash, either against the hash in the database or, in the case of directory-based authentication, against the hash from the directory. This process is used with Oracle Centrally Managed Users (CMU) as well as with Oracle Enterprise User Security in combination with an Oracle Directory e.g. Oracle Unified Directory EUS AD Proxy. In the case of a regular LDAP directory, the hash is read from <em>userPassword<\/em> or another attribute. 
However, this is not possible in MS Active Directory, where passwords are stored internally in the Security Account Manager (SAM) and cannot be read directly. This is one of the reasons why Active Directory is not fully LDAP v3 compliant. But that is another story \ud83d\ude09 <\/p>\n\n\n\n<p>This is the moment where the Oracle password filter comes into play. Microsoft provides a Windows feature called <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secmgmt\/password-filters\" target=\"_blank\">password filter<\/a>. These filters provide a way to implement password policies and change notification. When a password change request is made, the&nbsp;<em>Local Security Authority<\/em>&nbsp;(LSA) calls the password filters registered on the system. Each password filter is called twice: first to validate the new password and then, after all filters have validated the new password, to notify the filters that the change has been made. 
The following illustration shows this process.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"625\" height=\"202\" src=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/password_filter.png?resize=625%2C202&#038;ssl=1\" alt=\"\" class=\"wp-image-7448\" srcset=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/password_filter.png?w=643&amp;ssl=1 643w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/password_filter.png?resize=300%2C97&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/password_filter.png?resize=624%2C202&amp;ssl=1 624w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><figcaption>Password filter and change notification<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Oracle Password Filter<\/h2>\n\n\n\n<p>The Oracle password filter solves the problem that the hash cannot be read in a relatively simple way. The filter uses the password change notification and stores the corresponding password hash in an additional LDAP attribute. The database or directory server, in turn, is then able to read the user password hash. Oracle Database and Active Directory start to like each other \ud83e\udd13. But usually Windows or security admins are not so happy anymore. The fact that a foreign DLL has to be installed on the domain controller sometimes causes headaches or just endless discussions&#8230;<\/p>\n\n\n\n<p>The latest version of the password filter is delivered as the EXE file <em>opwdintg.exe<\/em>. It is part of the Oracle Database binaries as of release 18c. Older versions of Oracle Database, Oracle Internet Directory and Oracle Unified Directory also include the password filter in another form, e.g. setup.exe or a jar file. Nevertheless, it is crucial that you get the latest version, which is right now part of Oracle Database 19.8.0.0. 
This is also the valid version when you use OUD or OID, see MOS Note <a rel=\"noreferrer noopener\" href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=2640135.1\" target=\"_blank\">2640135.1<\/a> <em>How to Get the Latest oidpwdcn.dll (New Name orapwdfltr.dll)<\/em>. Alternatively you can also download the generic patch <a href=\"https:\/\/updates.oracle.com\/Orion\/Services\/download\/p23191994_111231_Generic.zip?aru=20208836&amp;patch_file=p23191994_111231_Generic.zip\" target=\"_blank\" rel=\"noreferrer noopener\">23191994<\/a> for fusion middleware.<\/p>\n\n\n\n<p>But what exactly happens when you install the Oracle password filter? Oracle performs the following steps during installation:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Add an Active Directory schema extension for an additional user attribute <em>orcleCommonAttribute<\/em>. Once installed, a schema extension cannot be removed anymore.<\/li><li>Create some generic groups to control the password filter plugin. The filter will only update the <em>orcleCommonAttribute<\/em> attribute for users who are direct or indirect members of one of these groups.<ul><li><em>ORA_VFR_MD5<\/em> is required when the Oracle Database WebDAV client is used<\/li><li><em>ORA_VFR_11G<\/em> enables the use of the Oracle Database 11G password verifier<\/li><li><em>ORA_VFR_12C<\/em> enables the use of the Oracle Database 12C password verifier<\/li><\/ul><\/li><li>Install the Oracle password filter DLL <em>orapwdfltr.dll<\/em>. 
This requires a reboot of the domain controller.<\/li><\/ul>\n\n\n\n<p>The following screenshots show the installation of the Oracle password filer.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"625\" height=\"326\" src=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_schema.png?resize=625%2C326&#038;ssl=1\" alt=\"\" class=\"wp-image-7450\" srcset=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_schema.png?w=1800&amp;ssl=1 1800w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_schema.png?resize=300%2C157&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_schema.png?resize=1024%2C535&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_schema.png?resize=768%2C401&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_schema.png?resize=1536%2C802&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_schema.png?resize=624%2C326&amp;ssl=1 624w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_schema.png?w=1250&amp;ssl=1 1250w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><figcaption>Schema Extension done by the Oracle Password Filter<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"625\" height=\"326\" src=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_filter.png?resize=625%2C326&#038;ssl=1\" alt=\"\" class=\"wp-image-7451\" srcset=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_filter.png?w=1803&amp;ssl=1 1803w, 
https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_filter.png?resize=300%2C157&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_filter.png?resize=1024%2C534&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_filter.png?resize=768%2C401&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_filter.png?resize=1536%2C802&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_filter.png?resize=624%2C326&amp;ssl=1 624w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/install_filter.png?w=1250&amp;ssl=1 1250w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><figcaption>DLL Installation by the Oracle Password Filter<\/figcaption><\/figure><\/div>\n\n\n\n<p>After a reboot the installation of the Oracle password filter is finished. Now let&#8217;s see what&#8217;s new there. First we review the AD schema change. This can be done by starting the Microsoft Management Console (MMC) and open the Active Directory Schema Snap-In. See the old documentation <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2008-R2-and-2008\/cc794773(v=ws.10)?redirectedfrom=MSDN\" target=\"_blank\">install the Schema Snap-In <\/a>if the snap-in is not available. 
The following screenshot does show the details about the new attribute.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/schema_extension.png?resize=446%2C502&#038;ssl=1\" alt=\"\" class=\"wp-image-7454\" width=\"446\" height=\"502\" srcset=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/schema_extension.png?w=798&amp;ssl=1 798w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/schema_extension.png?resize=267%2C300&amp;ssl=1 267w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/schema_extension.png?resize=768%2C864&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/schema_extension.png?resize=624%2C702&amp;ssl=1 624w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><figcaption>New orcleCommonAttribute<\/figcaption><\/figure><\/div>\n\n\n\n<p>In the registry we see under LSA an additional entry for the notification packages. 
<em>orapwdfltr<\/em> is the name of the DLL installed on the domain server.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"625\" height=\"388\" src=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/lsa_registry_entries.png?resize=625%2C388&#038;ssl=1\" alt=\"\" class=\"wp-image-7456\" srcset=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/lsa_registry_entries.png?resize=1024%2C636&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/lsa_registry_entries.png?resize=300%2C186&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/lsa_registry_entries.png?resize=768%2C477&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/lsa_registry_entries.png?resize=1536%2C954&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/lsa_registry_entries.png?resize=624%2C387&amp;ssl=1 624w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/lsa_registry_entries.png?w=1981&amp;ssl=1 1981w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/lsa_registry_entries.png?w=1250&amp;ssl=1 1250w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/lsa_registry_entries.png?w=1875&amp;ssl=1 1875w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><figcaption>New LSA notification packages<\/figcaption><\/figure><\/div>\n\n\n\n<p>And finally the new groups and the new attribute <em>orcleCommonAttribute<\/em>. 
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"625\" height=\"367\" src=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ad_groups.png?resize=625%2C367&#038;ssl=1\" alt=\"\" class=\"wp-image-7457\" srcset=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ad_groups.png?resize=1024%2C602&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ad_groups.png?resize=300%2C176&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ad_groups.png?resize=768%2C451&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ad_groups.png?resize=1536%2C902&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ad_groups.png?resize=624%2C367&amp;ssl=1 624w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ad_groups.png?w=1799&amp;ssl=1 1799w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ad_groups.png?w=1250&amp;ssl=1 1250w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><figcaption>New generic Oracle groups<\/figcaption><\/figure><\/div>\n\n\n\n<p>Note that the attribute <em>orcleCommonAttribute<\/em> in the picture below is only populated after a password reset. The user KING is part of the group <em>Trivadis LAB Users<\/em>. 
This group is itself a member of <em>ORA_VFR_11G<\/em>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/user_preference_king.png?resize=434%2C585&#038;ssl=1\" alt=\"\" class=\"wp-image-7458\" width=\"434\" height=\"585\" srcset=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/user_preference_king.png?resize=758%2C1024&amp;ssl=1 758w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/user_preference_king.png?resize=222%2C300&amp;ssl=1 222w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/user_preference_king.png?resize=624%2C843&amp;ssl=1 624w\" sizes=\"auto, (max-width: 434px) 100vw, 434px\" \/><figcaption>Attributes of user KING<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Yeah, but it&#8217;s an Oracle tool&#8230;<\/h2>\n\n\n\n<p>In one of my many conversations with customers about these password filters I was asked if they could examine the source code. Mmm, no! It is quite common that neither Oracle nor Microsoft publish their source code. In this case Oracle uses an API or functionality defined and documented by Microsoft. But this does not convince everyone. That&#8217;s why I have tried to investigate this in detail. One of my first attempts was to test whether I could decompile the DLL. This would be possible if it were written in .NET or something similar, but not with C or C++. You can use an online <a rel=\"noreferrer noopener\" href=\"https:\/\/onlinedisassembler.com\/odaweb\/\" target=\"_blank\">disassembler<\/a>, but the result will not help you. 
<\/p>\n\n\n\n<p>Analysis of the executable installation file <em>opwdintg.exe<\/em> with <a href=\"https:\/\/exiftool.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">exiftool<\/a>, reveal that it is only a self extracting cabinet.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">exiftool opwdintg.exe \nExifTool Version Number         : 12.00\nFile Name                       : opwdintg.exe\nDirectory                       : .\nFile Size                       : 193 kB\nFile Modification Date\/Time     : 2020:09:04 06:17:15+02:00\nFile Access Date\/Time           : 2020:09:04 06:18:43+02:00\nFile Inode Change Date\/Time     : 2020:09:04 06:17:15+02:00\nFile Permissions                : rw-r--r--\nFile Type                       : Win64 EXE\nFile Type Extension             : exe\nMIME Type                       : application\/octet-stream\nMachine Type                    : AMD AMD64\nTime Stamp                      : 2013:10:14 08:48:22+02:00\nImage File Characteristics      : Executable, Large address aware\nPE Type                         : PE32+\nLinker Version                  : 11.0\nCode Size                       : 32768\nInitialized Data Size           : 163840\nUninitialized Data Size         : 0\nEntry Point                     : 0x7f1c\nOS Version                      : 6.3\nImage Version                   : 6.3\nSubsystem Version               : 5.2\nSubsystem                       : Windows GUI\nFile Version Number             : 11.0.9600.16428\nProduct Version Number          : 11.0.9600.16428\nFile Flags Mask                 : 0x003f\nFile Flags                      : (none)\nFile OS                         : Windows NT 32-bit\nObject File Type                : Executable application\nFile Subtype                    : 0\nLanguage Code                   : English (U.S.)\nCharacter Set                   : Unicode\nCompany Name                    : Microsoft Corporation\nFile Description                : Win32 Cabinet Self-Extractor\nFile 
Version                    : 11.00.9600.16428 (winblue_gdr.131013-1700)\nInternal Name                   : Wextract\nLegal Copyright                 : \u00a9 Microsoft Corporation. All rights reserved.\nOriginal File Name              : WEXTRACT.EXE            .MUI\nProduct Name                    : Internet Explorer\nProduct Version                 : 11.00.9600.16428<\/code><\/pre>\n\n\n\n<p>You can invoke the executable with two additional parameters C and T to extract the content into the directory specified with T.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">c:\\vagrant>opwdintg.exe \/C \/T:c:\\vagrant\\opwdintg<\/code><\/pre>\n\n\n\n<p>In the directory you will find three files:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><em><strong>instpflt.bat<\/strong><\/em> Batch file used to install the password filter.<\/li><li><em><strong>etadschm.bat<\/strong><\/em> Batch file used to do the schema extension for <em><\/em><em>orcleCommonAttribute<\/em> and create the 3 AD groups.<\/li><li><em><strong>orapwdfltr.dll<\/strong><\/em> the Oracle password filter dll itself.<\/li><\/ul>\n\n\n\n<p>Even if you cannot decompile <em>orapwdfltr.dll<\/em>, you can still examine the batch files. As expected, the batch files do exactly what we have already verified graphically above. Schema extension, create groups and register Oracle password filter.<\/p>\n\n\n\n<p>With <a rel=\"noreferrer noopener\" href=\"http:\/\/pev.sourceforge.net\/\" target=\"_blank\">pev<\/a>, a PE file analysis toolkit, we can check other stuff like the functions exported by the DLL. As you can see in the output below, the functions correspond to Microsoft&#8217;s specifications for <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secmgmt\/management-functions#password-filter-functions\" target=\"_blank\">password filters<\/a>. An indication that the DLL does what it should. 
In addition, <em>pev<\/em> provides other tools to analyse the DLL, e.g. hashes, imported functions etc., but we will skip that at this point.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">readpe --exports orapwdfltr.dll \nExported functions\n    Library\n        Name:                            orapwdfltr.dll\n        Functions\n            Function\n                Ordinal:                         1\n                Address:                         0x1080\n                Name:                            InitializeChangeNotify\n            Function\n                Ordinal:                         2\n                Address:                         0x2ea0\n                Name:                            PasswordChangeNotify\n            Function\n                Ordinal:                         3\n                Address:                         0x1080\n                Name:                            PasswordFilter<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">A few words about Security<\/h2>\n\n\n\n<p>But what about security? There are basically two aspects. First, the DLL is a rather critical component. There is known malware that exploits exactly this method to obtain passwords. It is therefore a best practice to configure LSA security to allow only signed DLLs for LSA. Besides that, you should also know which DLLs you have installed and why. But here we are at the point where it gets a bit difficult. In the past, Oracle forgot to sign <em>orapwdfltr.dll<\/em>. Therefore, if LSA security is enabled, the password filter will not work. 
See also MOS note <a rel=\"noreferrer noopener\" href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=2612535.1\" data-type=\"URL\" data-id=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=2612535.1\" target=\"_blank\">2612535.1<\/a> or <a rel=\"noreferrer noopener\" href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=2616566.1\" target=\"_blank\">2616566.1<\/a>. Among other things, Oracle has proposed to turn off the LSA security. Certainly not the way to go. But luckily there is already a bug <a rel=\"noreferrer noopener\" href=\"https:\/\/support.oracle.com\/epmos\/faces\/BugDisplay?id=31134430\" target=\"_blank\">31134430<\/a> and patch <a rel=\"noreferrer noopener\" href=\"https:\/\/updates.oracle.com\/Orion\/Services\/download\/p23191994_111231_Generic.zip?aru=20208836&amp;patch_file=p23191994_111231_Generic.zip\" target=\"_blank\">23191994<\/a> available for this issue. The fix does include a signed version of the <em>orapwdfltr.dll<\/em>, as you can see in the following code block. 
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">signtool.exe verify \/pa \/v orapwdfltr.dll\n\nVerifying: orapwdfltr.dll\n\nSignature Index: 0 (Primary Signature)\nHash of file (sha256): 2A14712107D424FF5577EF5C3D111CF66DB40F6226047ADC4F31389D69F437EB\n\nSigning Certificate Chain:\n Issued to: VeriSign Class 3 Public Primary Certification Authority - G5\n Issued by: VeriSign Class 3 Public Primary Certification Authority - G5\n    Expires:   Wed Jul 16 16:59:59 2036\n    SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\n\n Issued to: Symantec Class 3 Extended Validation Code Signing CA - G2\n Issued by: VeriSign Class 3 Public Primary Certification Authority - G5\n        Expires:   Sun Mar 03 16:59:59 2024\n        SHA1 hash: 5B8F88C80A73D35F76CD412A9E74E916594DFA67\n\n    Issued to: Oracle America Inc.\n    Issued by: Symantec Class 3 Extended Validation Code Signing CA - G2\n            Expires:   Wed Jan 27 16:59:59 2021\n            SHA1 hash: 1CB08E9B70B917E64407A4F2665799D58B171F89\n\nThe signature is timestamped: Wed Apr 22 18:33:05 2020\nTimestamp Verified by:\n    Issued to: DigiCert Assured ID Root CA\n    Issued by: DigiCert Assured ID Root CA\n    Expires:   Sun Nov 09 17:00:00 2031\n    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\n\n        Issued to: DigiCert SHA2 Assured ID Timestamping CA\n        Issued by: DigiCert Assured ID Root CA\n        Expires:   Tue Jan 07 05:00:00 2031\n        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\n\n            Issued to: TIMESTAMP-SHA256-2019-10-15\n            Issued by: DigiCert SHA2 Assured ID Timestamping CA\n            Expires:   Wed Oct 16 17:00:00 2030\n            SHA1 hash: 0325BD505EDA96302DC22F4FA01E4C28BE2834C5\n\nSuccessfully verified: orapwdfltr.dll\n\nNumber of files successfully Verified: 1\nNumber of warnings: 0\nNumber of errors: 0<\/code><\/pre>\n\n\n\n<p>Alternatively you can also check the windows property of <em>orapwdfltr.dll<\/em>.<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/orapwdfltr.dll_.png?resize=303%2C380&#038;ssl=1\" alt=\"\" class=\"wp-image-7462\" width=\"303\" height=\"380\" srcset=\"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/orapwdfltr.dll_.png?w=810&amp;ssl=1 810w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/orapwdfltr.dll_.png?resize=239%2C300&amp;ssl=1 239w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/orapwdfltr.dll_.png?resize=768%2C964&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/orapwdfltr.dll_.png?resize=624%2C783&amp;ssl=1 624w\" sizes=\"auto, (max-width: 303px) 100vw, 303px\" \/><figcaption>Properties of <em>orapwdfltr.dll<\/em><\/figcaption><\/figure>\n\n\n\n<p>The other security challenge is the password hash itself. In a regular LDAP directory, ACIs are usually defined to restrict access to password attributes. However, no ACIs are defined when installing the Oracle password filter. It is therefore strongly recommended to restrict access to this attribute. Generally, only the Oracle service accounts that are used to set up the Oracle AD integration have to read it. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>When my workmate Martin Berger published his blog post about the issue with <a rel=\"noreferrer noopener\" href=\"https:\/\/berxblog.blogspot.com\/2020\/05\/EUS-authentication-with-LSA.html\" data-type=\"URL\" data-id=\"https:\/\/berxblog.blogspot.com\/2020\/05\/EUS-authentication-with-LSA.html\" target=\"_blank\">LSA and the password filter<\/a>, there was no official solution besides disabling LSA security. Fortunately, the situation is a bit better in the meantime. 
The bug fix found its way into the latest release of Oracle Database 19c (19.8.0.0) and into the generic fusion middleware patch <a rel=\"noreferrer noopener\" href=\"https:\/\/updates.oracle.com\/Orion\/Services\/download\/p23191994_111231_Generic.zip?aru=20208836&amp;patch_file=p23191994_111231_Generic.zip\" target=\"_blank\">23191994<\/a>. This official signed version of the password filter can be used for either Oracle Centrally Managed Users (CMU), Oracle Enterprise User Security (EUS) or Oracle Unified Directory DIP. It is a fact that this password filter means a change on the domain server. Every change represents a potential risk. Nevertheless, this change is comprehensible and is, according to Microsoft, a documented procedure. By carefully assigning the Oracle groups (ORA_VFR_11G, ORA_VFR_12C, etc.), you can ensure that only those users who need the hash in <em>orcleCommonAttribute<\/em> have it set. It is also recommended to define ACIs to limit access to <em>orcleCommonAttribute<\/em> restrictively.<\/p>\n\n\n\n<p>SSL and Kerberos authentication are basically secure methods. Additionally, these authentication methods allow Single Sign On. Unfortunately, practice shows that many tools cannot handle this. Password authentication, on the other hand, offers greater flexibility. The Oracle password filter is neither bad nor dangerous. 
In my humble opinion it is worth considering this solution.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<p>A few links related to this blog post:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Blog post by my workmate Martin Berger about <a rel=\"noreferrer noopener\" href=\"https:\/\/berxblog.blogspot.com\/2020\/05\/EUS-authentication-with-LSA.html\" target=\"_blank\">Oracle EUS authentication with LSA activated on AD<\/a> Thanks for bringing up this topic at Trivadis as well with Oracle Support<\/li><li>Oracle Enterprise User Security <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.oracle.com\/en\/database\/oracle\/oracle-database\/19\/dbseg\/integrating_mads_with_oracle_database.html#GUID-4B702116-EF10-47AC-9267-163553C15FF5\" target=\"_blank\">AD Integration<\/a><\/li><li><strong>Oracle Support Note <a rel=\"noreferrer noopener\" href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=2640135.1\" target=\"_blank\"><strong>2640135.1<\/strong><\/a><\/strong> <em>OUD 12c &#8211; How to Get the Latest oidpwdcn.dll (New Name orapwdfltr.dll)<\/em><\/li><li><strong>Oracle Support Note <a rel=\"noreferrer noopener\" href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=2612535.1\" target=\"_blank\">2612535.1<\/a><\/strong> <em>EUS Login Failure of AD Users Proxied by OUD: LdapErr: DSID-0C090CE0, comment: Error in attribute conversion operation<\/em><\/li><li><strong>Oracle Support Note <a rel=\"noreferrer noopener\" href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=2616566.1\" target=\"_blank\">2616566.1<\/a><\/strong> <em>OUD 11g &#8211; OIDPWDCN.DLL Plug-in Fails On AD 2012 R2 With Error &#8220;The password notification DLL oidpwdcn failed to load with error 577&#8221;<\/em><\/li><li><strong>Oracle Bug <a rel=\"noreferrer noopener\" href=\"https:\/\/support.oracle.com\/epmos\/faces\/BugDisplay?id=31134430\" target=\"_blank\">31134430<\/a><\/strong> need to have <em>orapwdfltr.dll<\/em> signed 
by Microsoft.<\/li><li><strong>Oracle Patch <a rel=\"noreferrer noopener\" href=\"https:\/\/updates.oracle.com\/Orion\/Services\/download\/p23191994_111231_Generic.zip?aru=20208836&amp;patch_file=p23191994_111231_Generic.zip\" target=\"_blank\">23191994<\/a><\/strong> &#8220;signed&#8221; version of the <em>oidpwdcn.dll<\/em> for Oracle Unified Directory.<\/li><li>Microsoft Windows Dev Center <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secmgmt\/password-filter-programming-considerations\" target=\"_blank\">Password Filter Programming Considerations<\/a> &nbsp;<\/li><li>Microsoft Windows Dev Center <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secmgmt\/installing-and-registering-a-password-filter-dll\" target=\"_blank\">Installing and Registering a Password Filter DLL<\/a> &nbsp;<\/li><li>Microsoft Windows Dev Center <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secmgmt\/password-filters\" target=\"_blank\">Password Filter<\/a>&nbsp;<\/li><li>Microsoft Windows Dev Center <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secmgmt\/management-functions#password-filter-functions\" target=\"_blank\">Password Filter Functions<\/a>&nbsp;<\/li><li><a rel=\"noreferrer noopener\" href=\"http:\/\/pev.sourceforge.net\/\" target=\"_blank\">pev<\/a> the PE file analysis toolkit<\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/exiftool.org\/\" target=\"_blank\">ExifTool<\/a> by Phil Harvey<\/li><li><em>stackoverflow<\/em> discussion about the <a rel=\"noreferrer noopener\" href=\"https:\/\/stackoverflow.com\/questions\/31869552\/how-to-install-signtool-exe-for-windows-10\/52963704#52963704\" target=\"_blank\">signtool<\/a><\/li><\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When it comes to the conception and implementation of a central user administration of Oracle 
databases, authentication is one of the central topics. Often there is a need for integration with an existing directory service or IAM solution. Whereby usually MS Active Directory is involved. But Oracle Databases and MS Active Directories are not yet [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":7486,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[180,181,154,5,142,11,1],"tags":[],"class_list":["post-7444","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-18c","category-19c","category-enterprise-user-security","category-oracle-database","category-oud","category-security","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/DB_logon_hash.png?fit=914%2C337&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p1aErb-1W4","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/7444","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/comments?post=7444"}],"version-history":[{"count":25,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/7444\/revisions"}],"predecessor-version":[{"id":7485,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/7444\/revisions\/7485"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/media\/7486"}],"wp:attachment":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/media?parent=7444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/categories?post=7444"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/tags?post=7444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}