AD Creation using DBMS_LDAP - Password creation solutions [message #512543]
Tue, 21 June 2011 00:07
meim
Messages: 35 Registered: July 2009
Hello,
I am not sure if this is the right place to post my question.
I have an idea for an implementation and am not sure if it is doable, so I need your opinion if possible.
I am using the DBMS_LDAP package to create a user in an AD server from the DB. The process completes successfully and the user is created.
However, I am facing a problem with the user password. It seems the password is created in the "userPassword" attribute, but the account is disabled after creation and I couldn't reset the password or enable the user at the DB level and reconnect with the created password. I had to do this from the AD server side.
I found that I can do this by setting up an SSL connection and an Oracle Wallet. However, this may be more complicated to do.
Therefore, I am wondering about another possible solution: executing a script located on the AD server from the Oracle DB to create the password and enable the user?
Your help/opinion/guidance is highly appreciated.
Thanks
Re: AD Creation using DBMS_LDAP - Password creation solutions [message #512556 is a reply to message #512547]
Tue, 21 June 2011 00:48
meim
Here is the code I tried:
DECLARE
  -- connection settings (values removed from the post)
  GC$ldap_host   VARCHAR2(256) := '';
  GC$ldap_port   VARCHAR2(256) := '';
  GC$ldap_user   VARCHAR2(256) := '';
  GC$ldap_passwd VARCHAR2(256) := '';
  GC$ldap_base   VARCHAR2(256) := '';
  retval      PLS_INTEGER;
  my_session  DBMS_LDAP.SESSION;
  user_dn     VARCHAR2(256);
  user_array  DBMS_LDAP.MOD_ARRAY;
  user_vals   DBMS_LDAP.STRING_COLLECTION;
  v_pass      DBMS_LDAP.BERVAL_COLLECTION;
  userID      VARCHAR2(10) := '';
  passwd      VARCHAR2(9)  := '12345678';
BEGIN
  retval := -1;
  -- Insert into LDAP --
  DBMS_LDAP.USE_EXCEPTION := TRUE;
  my_session := DBMS_LDAP.init(GC$ldap_host, GC$ldap_port);
  retval := DBMS_LDAP.simple_bind_s(my_session, GC$ldap_user, GC$ldap_passwd);
  user_array := DBMS_LDAP.create_mod_array(20);
  -- Properties --
  user_vals(1) := userID;
  DBMS_LDAP.populate_mod_array(user_array, DBMS_LDAP.MOD_ADD, 'sAMAccountName', user_vals);
  user_vals(1) := userID;
  DBMS_LDAP.populate_mod_array(user_array, DBMS_LDAP.MOD_ADD, 'userPrincipalName', user_vals);
  user_vals(1) := userID;
  DBMS_LDAP.populate_mod_array(user_array, DBMS_LDAP.MOD_ADD, 'uid', user_vals);
  DBMS_LDAP.populate_mod_array(user_array, DBMS_LDAP.MOD_ADD, 'cn', user_vals);
  user_vals(1) := 'test name';
  DBMS_LDAP.populate_mod_array(user_array, DBMS_LDAP.MOD_ADD, 'sn', user_vals);
  user_vals(1) := 'test name';
  DBMS_LDAP.populate_mod_array(user_array, DBMS_LDAP.MOD_ADD, 'givenname', user_vals);
  user_vals(1) := passwd;
  DBMS_LDAP.populate_mod_array(user_array, DBMS_LDAP.MOD_ADD, 'userPassword', user_vals);
  user_vals(1) := 'user';
  DBMS_LDAP.populate_mod_array(user_array, DBMS_LDAP.MOD_ADD, 'objectclass', user_vals);
  --- set up user DN
  user_dn := 'cn=' || userID || ', ' || GC$ldap_base;
  retval := DBMS_LDAP.add_s(my_session, user_dn, user_array);
  DBMS_OUTPUT.PUT_LINE(RPAD('add_s Returns ', 25, ' ') || ': ' || TO_CHAR(retval));
  DBMS_LDAP.free_mod_array(user_array);
  retval := DBMS_LDAP.unbind_s(my_session);
  DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ', 25, ' ') || ': ' || TO_CHAR(retval));
  DBMS_OUTPUT.PUT_LINE('Resultt -> OK');
  -- Handle Exceptions
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE(' Error Message : ' || SQLERRM);
    DBMS_OUTPUT.PUT_LINE(' Exception encountered .. exiting');
END;  -- an anonymous block (DECLARE ... ) cannot carry a name such as Insert_User after END
Re: AD Creation using DBMS_LDAP - Password creation solutions [message #512564 is a reply to message #512556]
Tue, 21 June 2011 01:00
meim
At some point I also tried to convert the password to Unicode and modified the create entry using the following. The password changed, but I couldn't authenticate with this password and the created user.
v_pass(1) := UTL_RAW.cast_to_raw(convert('"98765432"','AL16UTF16LE'));
DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_REPLACE ,'userPassword',v_pass);
Also, I tried using the attribute "unicodePwd", but had no luck as I got an error saying "No Such attribute":
DBMS_LDAP.populate_mod_array(emp_array,DBMS_LDAP.MOD_ADD,'unicodePwd',new_pwd_berval);
Re: AD Creation using DBMS_LDAP - Password creation solutions [message #512619 is a reply to message #512573]
Tue, 21 June 2011 03:51
meim
My apologies for the unclear post. I believe I raised two questions when I should have focused on one. Let me summarize them again and then go into detail on the first question:
Q1- How to create/reset a password for an AD account using the DBMS_LDAP package
Q2- How to execute a script located on another server (the AD server) from the Oracle DB (located on a different server)
------------------------------------------------------------------
For user creation using the DBMS_LDAP package I did the following:
1- I executed the code I mentioned in my reply (message #512556). This code should generate an AD entry with the following attributes (sAMAccountName, userPrincipalName, uid, cn, sn, givenname, userPassword, objectclass).
2- I made a test to check whether the user was created in step 1 by authenticating with the created user & password, using the following code:
DECLARE
  -- connection settings (values removed from the post); the bind is made as the newly created user
  GC$ldap_host    VARCHAR2(256) := '';
  GC$ldap_port    VARCHAR2(256) := '';
  GC$ldap_user    VARCHAR2(256) := '';
  GC$ldap_passwd  VARCHAR2(256) := '';
  retval          PLS_INTEGER;
  my_session      DBMS_LDAP.SESSION;
  v_authenticated BOOLEAN := FALSE;
BEGIN
  retval := -1;
  DBMS_LDAP.USE_EXCEPTION := TRUE;
  my_session := DBMS_LDAP.init(GC$ldap_host, GC$ldap_port);
  -- with USE_EXCEPTION set, a failed bind raises ORA-31202 and the lines below are skipped
  retval := DBMS_LDAP.simple_bind_s(my_session, GC$ldap_user, GC$ldap_passwd);
  DBMS_OUTPUT.PUT_LINE(RPAD('simple_bind_s Returns ', 25, ' ') || ': ' || TO_CHAR(retval));
  v_authenticated := TRUE;
  IF v_authenticated THEN
    DBMS_OUTPUT.PUT_LINE('Resultt -> Connect OK');
  ELSE
    DBMS_OUTPUT.PUT_LINE('false');
  END IF;
  retval := DBMS_LDAP.unbind_s(my_session);
  DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ', 25, ' ') || ': ' || TO_CHAR(retval));
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE(' Error Message : ' || SQLERRM);
END;
However, I got the following message:
Error Message : ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials. 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
3- To double check that the account was really created, we checked the user creation from the AD server side (done by the responsible team), and it appears that the account was created and locked, so they reset the password and enabled the user.
4- I repeated step 2 after the account was activated from the AD server side (step 3), and I got the connection and authentication.
5- I did another test (created another user) by repeating steps 1 and 2. Step 2 failed again and I couldn't authenticate. Therefore, I tried to modify the password from the DB side using the following code:
DECLARE
  -- connection settings (values removed from the post); the bind is made as the administrative account
  GC$ldap_host   VARCHAR2(256) := '';
  GC$ldap_port   VARCHAR2(256) := '';
  GC$ldap_user   VARCHAR2(256) := '';
  GC$ldap_passwd VARCHAR2(256) := '';
  GC$ldap_base   VARCHAR2(256) := '';
  userID         VARCHAR2(10)  := '';
  retval         PLS_INTEGER;
  my_session     DBMS_LDAP.SESSION;
  user_array     DBMS_LDAP.MOD_ARRAY;
  v_pass         DBMS_LDAP.BERVAL_COLLECTION;
  user_dn        VARCHAR2(256);
BEGIN
  retval := -1;
  -- Modify the LDAP entry --
  DBMS_LDAP.USE_EXCEPTION := TRUE;
  my_session := DBMS_LDAP.init(GC$ldap_host, GC$ldap_port);
  retval := DBMS_LDAP.simple_bind_s(my_session, GC$ldap_user, GC$ldap_passwd);
  DBMS_OUTPUT.PUT_LINE(RPAD('simple_bind_s Returns ', 25, ' ') || ': ' || TO_CHAR(retval));
  user_array := DBMS_LDAP.create_mod_array(2);
  -- quoted password, UTF-16LE encoded, passed as a binary (BERVAL) value
  v_pass(1) := UTL_RAW.cast_to_raw(CONVERT('"uaeu12345"', 'AL16UTF16LE'));
  DBMS_LDAP.populate_mod_array(user_array, DBMS_LDAP.MOD_REPLACE, 'userPassword', v_pass);
  user_dn := 'cn=' || userID || ', ' || GC$ldap_base;
  retval := DBMS_LDAP.modify_s(my_session, user_dn, user_array);
  DBMS_LDAP.free_mod_array(user_array);
  retval := DBMS_LDAP.unbind_s(my_session);
  DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ', 25, ' ') || ': ' || TO_CHAR(retval));
  DBMS_OUTPUT.PUT_LINE('Resultt -> OK');
END;
The code ran successfully and printed all messages as follows:
simple_bind_s Returns : 0
unbind_res Returns : 0
Resultt -> OK
I am using the Active Directory Explorer software to monitor those changes, and I could see the userPassword attribute change.
Therefore, after much searching I found that password creation/resetting is governed by the password policies on the AD server, and that this will require setting up SSL and an Oracle Wallet if we want to achieve this from the DB side.
We have a script to activate the AD user on the AD server; that's why I jumped to Q2 (mentioned above).
I hope this makes it clear.
Thanks,
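As an added example (not the poster's code), this is the route the thread arrives at for Q1: bind over LDAPS using an Oracle Wallet, write the password to unicodePwd as a quoted UTF-16LE binary value, and then clear the disabled bit in userAccountControl. The host, port, wallet path, DNs and passwords are placeholders assumed for illustration.

```plsql
DECLARE
  -- Placeholders (assumed): replace with your LDAPS host, wallet and provisioning account.
  c_host       CONSTANT VARCHAR2(256) := 'dc01.example.com';
  c_port       CONSTANT PLS_INTEGER   := 636;   -- LDAPS; AD refuses unicodePwd writes over plain LDAP
  c_wallet     CONSTANT VARCHAR2(256) := 'file:/u01/app/oracle/wallet';
  c_wallet_pw  CONSTANT VARCHAR2(256) := 'wallet-password';
  c_bind_dn    CONSTANT VARCHAR2(256) := 'CN=svc-provision,OU=Service,DC=example,DC=com';
  c_bind_pw    CONSTANT VARCHAR2(256) := 'service-account-password';
  c_user_dn    CONSTANT VARCHAR2(256) := 'CN=jdoe,OU=Users,DC=example,DC=com';
  c_new_pw     CONSTANT VARCHAR2(256) := 'Corr3ct-Horse-Battery';
  -- userAccountControl NORMAL_ACCOUNT (512); a user added without a password starts at 546,
  -- i.e. 512 + ACCOUNTDISABLE (2) + PASSWD_NOTREQD (32), which is the "created and locked" state seen above.
  c_uac_normal CONSTANT VARCHAR2(10)  := '512';
  l_session  DBMS_LDAP.SESSION;
  l_mods     DBMS_LDAP.MOD_ARRAY;
  l_pwd      DBMS_LDAP.BERVAL_COLLECTION;
  l_uac      DBMS_LDAP.STRING_COLLECTION;
  l_rc       PLS_INTEGER;
BEGIN
  DBMS_LDAP.USE_EXCEPTION := TRUE;
  l_session := DBMS_LDAP.init(c_host, c_port);
  -- sslauth 2 = one-way (server) authentication; the wallet must contain the CA that issued the DC certificate.
  l_rc := DBMS_LDAP.open_ssl(l_session, c_wallet, c_wallet_pw, 2);
  l_rc := DBMS_LDAP.simple_bind_s(l_session, c_bind_dn, c_bind_pw);

  -- Step 1: set the logon password. AD takes unicodePwd only as the UTF-16LE bytes of the
  -- password wrapped in double quotes; writing userPassword does not set the logon password by default.
  l_pwd(1) := UTL_RAW.cast_to_raw(CONVERT('"' || c_new_pw || '"', 'AL16UTF16LE'));
  l_mods := DBMS_LDAP.create_mod_array(1);
  DBMS_LDAP.populate_mod_array(l_mods, DBMS_LDAP.MOD_REPLACE, 'unicodePwd', l_pwd);
  l_rc := DBMS_LDAP.modify_s(l_session, c_user_dn, l_mods);
  DBMS_LDAP.free_mod_array(l_mods);

  -- Step 2: enable the account. Done after the password so the domain password policy is
  -- already satisfied when the PASSWD_NOTREQD and ACCOUNTDISABLE bits are cleared.
  l_uac(1) := c_uac_normal;
  l_mods := DBMS_LDAP.create_mod_array(1);
  DBMS_LDAP.populate_mod_array(l_mods, DBMS_LDAP.MOD_REPLACE, 'userAccountControl', l_uac);
  l_rc := DBMS_LDAP.modify_s(l_session, c_user_dn, l_mods);
  DBMS_LDAP.free_mod_array(l_mods);

  l_rc := DBMS_LDAP.unbind_s(l_session);
  DBMS_OUTPUT.PUT_LINE('Password set and account enabled for ' || c_user_dn);
EXCEPTION
  WHEN OTHERS THEN
    -- Typical causes: "unwilling to perform" (plain LDAP, or password policy not met) and
    -- "insufficient access" (bind account lacks the Reset Password right on the OU).
    DBMS_OUTPUT.PUT_LINE('LDAP error: ' || SQLERRM);
    RAISE;
END;
```

The bind account needs only the Reset Password and Write userAccountControl permissions on the target OU, so it should not be a domain administrator.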