RE: Oracle / AD Questions

From: dimensional.dba <"dimensional.dba">
Date: Wed, 2 Oct 2024 15:04:42 -0700
Message-ID: <1d1101db1517$162fbce0$428f36a0$_at_comcast.net>



The setup instructions for Kerberos and sssd authentication are not long at all. If you are on OEL8/RHEL8, the packages/RPMs you need already come with the OS. It is really just configuration of the /etc/krb5.conf file and the /etc/sssd/sssd.conf file, along with an admin account to join the realm.

From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> On Behalf Of Ilmar Kerm
Sent: Wednesday, October 2, 2024 12:08 PM
To: Scott Canaan <srcdco_at_rit.edu>
Cc: ORACLE-L <oracle-l_at_freelists.org>
Subject: Re: Oracle / AD Questions

Kerberos will give you nice passwordless single sign-on, but it indeed requires Linux configuration, and the setup instructions are quite long.

What I like about Radius is that it is so easy: the Windows server people start a Radius server on their side, you add just a few lines to the database sqlnet.ora, and you are done. But it will not give SSO; users still need to type in their Windows password to authenticate.

There is also an option to install an Oracle password filter on the Active Directory side; then Oracle (since 18c) can authenticate directly against AD. I doubt many AD admins would agree to this, since it is quite invasive.

On Wed, 2 Oct 2024 at 20:47, Scott Canaan <srcdco_at_rit.edu> wrote:

We aren’t running Oracle on Azure. Our sys admin is saying we can only use Kerberos on Linux.  

Scott Canaan ‘88
Sr Database Administrator
Information & Technology Services
Finance & Administration

Rochester Institute of Technology
o: (585) 475-7886 | f: (585) 475-7520

srcdco_at_rit.edu | c: (585) 339-8659

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.  

From: Ilmar Kerm <ilmar.kerm_at_gmail.com>
Sent: Wednesday, October 2, 2024 2:44 PM
To: Scott Canaan <srcdco_at_rit.edu>
Cc: ORACLE-L <oracle-l_at_freelists.org>
Subject: Re: Oracle / AD Questions

We use Radius to authenticate human database users. It is very easy to deploy and has worked well for over a decade.

https://ilmarkerm.eu/blog/2023/05/authenticating-oracle-database-users-with-radius/  

But we will soon move to Azure AD OAuth authentication, to remove the need for creating users and managing their privileges.

https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/authenticating-and-authorizing-microsoft-entra-id-azure-ad-users-oracle-databases.html

Ilmar Kerm    

On Wed, 2 Oct 2024 at 20:27, Scott Canaan <dmarc-noreply_at_freelists.org> wrote:

We are looking at connecting our Oracle databases to AD so we can centralize user creation and administration. All of our Oracle databases run on Linux. Our Linux sys admins say that they don’t support AD on Linux. Is it still possible to connect to AD without having AD installed in the Linux environment?  

Oracle 19c

Red Hat 8  


--

Ilmar Kerm
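The configuration the replies above refer to, written out as an added example (not taken from the thread, from Ilmar's blog, or from Oracle's documentation): the /etc/krb5.conf and /etc/sssd/sssd.conf that a realm join leaves behind, the sqlnet.ora lines for Kerberos on the database server and on a client, and the alternative sqlnet.ora lines for RADIUS. The realm AD.EXAMPLE.COM, the host names, the file paths and the RADIUS server name are assumptions; substitute your own.

```ini
# --- /etc/krb5.conf (assumed realm AD.EXAMPLE.COM; KDCs found via DNS SRV records) ---
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true
    rdns = false

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM

# --- /etc/sssd/sssd.conf (assumed; roughly what `realm join -U <admin> ad.example.com` writes) ---
# sssd refuses to start unless this file is owned by root and mode 0600.
[sssd]
domains = ad.example.com
config_file_version = 2
services = nss, pam

[domain/ad.example.com]
id_provider = ad
access_provider = ad
krb5_realm = AD.EXAMPLE.COM
cache_credentials = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash

# --- $ORACLE_HOME/network/admin/sqlnet.ora on the database server (Kerberos) ---
# The keytab holds the service principal oracle/dbhost.ad.example.com@AD.EXAMPLE.COM
# (exported from the AD service account with ktpass). Keep it mode 0600, owned by oracle:
# it is a long-term key equivalent to the service account's password.
SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.KERBEROS5_KEYTAB = /u01/app/oracle/etc/oracle.keytab

# --- sqlnet.ora on a client workstation (Kerberos) ---
# The user runs kinit (or okinit) first; the cache path must match where the ticket landed.
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc_1000

# --- sqlnet.ora on the database server, RADIUS alternative (no SSO, password is typed) ---
# SQLNET.RADIUS_SECRET points at a file containing the shared secret; mode 0600, owned by oracle.
SQLNET.AUTHENTICATION_SERVICES = (BEQ, RADIUS)
SQLNET.RADIUS_AUTHENTICATION = radius.ad.example.com
SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
SQLNET.RADIUS_SECRET = /u01/app/oracle/etc/radius.key
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT = 10
SQLNET.RADIUS_CHALLENGE_RESPONSE = OFF
```

In both variants the database account is created without a local password: for Kerberos `CREATE USER scanaan IDENTIFIED EXTERNALLY AS 'scanaan@AD.EXAMPLE.COM';`, for RADIUS `CREATE USER scanaan IDENTIFIED EXTERNALLY;` with the Oracle user name matching the name the RADIUS server authenticates. A Kerberos user then does `kinit scanaan@AD.EXAMPLE.COM` followed by `sqlplus /@<tns_alias>`; a RADIUS user connects as `sqlplus scanaan@<tns_alias>` and is prompted for the Windows password, which is the difference Ilmar points out above.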

--

http://www.freelists.org/webpage/oracle-l
Received on Thu Oct 03 2024 - 00:04:42 CEST
