
Authenticate Oracle user passwords against Active Directory using RADIUS

I developed this topic last year while taking the OCP course. The instructor told us about Oracle authentication and, because I was a little bored, I played around with it. My goal was to use Oracle external authentication to authenticate against a RADIUS server, which in turn authenticates against an Active Directory (or any other LDAP server).

With this setup you can implement centralized password and account management quite easily, although users still have to be created in the database, and roles and privileges still have to be granted to them there. Active Directory (I will use this term throughout the article; as said, any other LDAP server can be used instead) is used solely to:

  • verify the user's password
  • check the account state and grant access only if the account is not locked

To use this authentication mechanism, the “Oracle Advanced Security Option” is required.

Environment used in this article

In this article we assume the following IP addresses:

  • Radius Server: 192.168.0.1
  • DB Server: 192.168.0.10
  • Active Directory Domain: “ronnyegner-consulting.de”

As Radius Server we use freeRADIUS.

Database Modifications

On Client side

Put the following line in the client's SQLNET.ORA to enable RADIUS authentication:

SQLNET.AUTHENTICATION_SERVICES=(RADIUS)

On Database Instance

On the database instance, put the following lines in the SQLNET.ORA:

SQLNET.AUTHENTICATION_SERVICES= (radius)
SQLNET.RADIUS_PORT= (1812)
SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
SQLNET.RADIUS_SECRET = <path_to_any_directory>/radius.key
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT = 10
#SQLNET.RADIUS_AUTHENTICATION = <hostname or ip of radius server, comma separated for more than one>
SQLNET.RADIUS_AUTHENTICATION = 192.168.0.1     #our radius server is 192.168.0.1 in this example
SQLNET.RADIUS_CHALLENGE_RESPONSE=OFF

The file specified in “SQLNET.RADIUS_SECRET” contains the shared secret for accessing the RADIUS server. It is defined on the RADIUS side in the file “client.conf”; an example entry is shown further below.

Finally add the following lines to your database parameter file and restart the instance:

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Enable external authentication for users

The following example shows how to create a user with external authentication enabled:

create user <username> identified externally;
grant create session to <username>;

To switch an existing user's authentication method to external authentication:

alter user <username> identified externally;

User names in the database must match the user names in Active Directory (without the domain string). If the user name in the directory server and in the database differ, you can instruct RADIUS to rewrite user names.

Radius Configuration

radiusd.conf

# module configuration section
ldap {
    server = "ads01.ronnyegner-consulting.de"
    identity = "cn=radiusadmin,cn=users,dc=ronnyegner-consulting,dc=de"
    password = test
    basedn = "ou=users,DC=ronnyegner-consulting,DC=de"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    # the filter must be written on ONE line (wrapped here only if your viewer is narrow)
    filter = (&(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))))
    password_attribute = "userPassword"
    timeout = 10
    timelimit = 10
    net_timeout = 1
    ldap_connections_number = 5
    compare_check_items = no
}

I will describe the important switches briefly:

  • SERVER: name or IP address of the Active Directory server
  • IDENTITY: a user name used to connect to the Active Directory
  • PASSWORD: password for the user specified in IDENTITY
  • BASEDN: look for user accounts under this base DN
  • DICTIONARY_MAPPING: this file ships with freeRADIUS
  • FILTER: a custom filter written by me; it looks up the account by its user name and checks that the account is not locked. The string must be written on ONE line!
  • PASSWORD_ATTRIBUTE: which LDAP attribute contains the actual password; you can leave it as it is
  • COMPARE_CHECK_ITEMS: specifies whether the module compares the check items extracted from LDAP with the corresponding items present in the incoming request
  • All others should be self-explanatory
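To make the filter's behaviour concrete, here is an added Python example (it is not part of the original article and not freeRADIUS code) that expands the filter for a given user name with RFC 4515 escaping and applies the filter's conditions to a few constructed directory entries: an enabled user, a disabled user and a machine account. The sample entries, the short-form objectCategory value and the %s placeholder standing in for the freeRADIUS expansion %{Stripped-User-Name:-%{User-Name}} are assumptions made for this example; how freeRADIUS itself escapes the expansion is not modelled.

```python
# Evaluating the ldap filter from radiusd.conf against constructed directory entries.
UF_ACCOUNTDISABLE = 0x0002             # the userAccountControl bit the filter tests
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

# The filter from the article on one line; %s is a stand-in (assumption) for the
# freeRADIUS expansion %{Stripped-User-Name:-%{User-Name}}.
FILTER_TEMPLATE = (
    "(&(&(sAMAccountName=%s)(&(objectCategory=person)(objectClass=user)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))))"
)

# RFC 4515 escapes: a user name containing these characters must not be able to
# change the structure of the filter it is substituted into.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(username):
    """The filter string that would be sent to the directory for this user name."""
    return FILTER_TEMPLATE % escape_filter_value(username)


def entry_matches(entry, username):
    """Apply the filter's conditions to one entry (dict of attribute -> value, objectClass
    multi-valued). sAMAccountName compares case-insensitively in AD, and the OID
    1.2.840.113556.1.4.803 is the bitwise-AND matching rule, i.e. (uac & 2) != 0."""
    return (
        entry.get("sAMAccountName", "").lower() == username.lower()
        and entry.get("objectCategory") == "person"
        and "user" in entry.get("objectClass", [])
        and not (int(entry.get("userAccountControl", 0)) & UF_ACCOUNTDISABLE)
    )


def select_accounts(directory, username):
    """DNs of the entries under basedn that the filter would return for this user name."""
    return [e["dn"] for e in directory if entry_matches(e, username)]


# Constructed sample of what the module could see under the article's basedn. Real AD
# stores objectCategory as a schema DN (CN=Person,CN=Schema,...) and resolves the short
# name "person" in filters; the short form is used here for brevity.
PERSON_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_DIRECTORY = [
    {"dn": "CN=scott,OU=users,DC=ronnyegner-consulting,DC=de", "sAMAccountName": "scott",
     "objectCategory": "person", "objectClass": PERSON_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT},                        # enabled user
    {"dn": "CN=oldhire,OU=users,DC=ronnyegner-consulting,DC=de", "sAMAccountName": "oldhire",
     "objectCategory": "person", "objectClass": PERSON_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},    # disabled user
    {"dn": "CN=DBSERVER,OU=users,DC=ronnyegner-consulting,DC=de", "sAMAccountName": "DBSERVER$",
     "objectCategory": "computer", "objectClass": PERSON_CLASSES + ["computer"],
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},             # machine account
]


if __name__ == "__main__":
    for name in ("scott", "SCOTT", "oldhire", "DBSERVER$", "sc*tt"):
        print(f"{name!r:12} filter  = {expand_filter(name)}")
        print(f"{'':12} matches = {select_accounts(SAMPLE_DIRECTORY, name)}")
```

Two points the run makes visible: the bit the filter tests (2) is the ACCOUNTDISABLE flag of userAccountControl, and the OID matching rule performs a bitwise AND, which is why a plain equality test on userAccountControl would not work; and a name such as sc*tt is searched for literally once escaped instead of turning into a wildcard, which is the property you want whenever the user name originates from the database client.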

To enable LDAP authentication, add or uncomment the following in the authentication section of “radiusd.conf”:

# authentication section
Auth-Type LDAP {
    ldap
}

client.conf

The file “client.conf” contains settings for the clients that access the RADIUS server. For the environment used in this article we assumed the database server's IP is “192.168.0.10”.

client 192.168.0.10 {
    secret = testing123
    shortname = dbserver     # for identification only, does not matter at all
}

As you can see, the shared secret between the RADIUS and database server is “testing123”. This string has to be placed in the file specified by “SQLNET.RADIUS_SECRET”.
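To show what the shared secret from “client.conf” and “SQLNET.RADIUS_SECRET” actually protects, here is an added Python example (not code from this article, from Oracle or from freeRADIUS) that walks through the Access-Request / Access-Accept exchange between the database server and the RADIUS server as specified in RFC 2865, using the secret “testing123” and the database server address from this article. Because SQLNET.RADIUS_CHALLENGE_RESPONSE is OFF, the password travels as a User-Password attribute, which the example hides and recovers exactly as the RFC describes; the tiny in-memory user table standing in for the Active Directory lookup, the packet identifier and the test credentials are assumptions.

```python
import hashlib
import hmac
import os
import socket
import struct

# Shared secret from the client.conf entry in the article; the database server reads the
# same string from the file named in SQLNET.RADIUS_SECRET.
SHARED_SECRET = b"testing123"
DB_SERVER_IP = "192.168.0.10"        # the RADIUS "client" (NAS) in this setup

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed stand-in for the Active Directory lookup done by the ldap module.
TOY_DIRECTORY = {"scott": "tiger"}


def encode_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def decode_password(encoded, secret, request_auth):
    """Inverse of encode_password, as done by the RADIUS server before the LDAP check."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], keystream))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """RADIUS attribute TLV: Type (1 byte), Length including the 2-byte header, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            break                          # malformed attribute, stop parsing
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """What the database server sends: Code 1, a random Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encode_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Server reply; the Response Authenticator is MD5(header + Request Authenticator +
    attributes + secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def handle_access_request(packet, secret, directory=TOY_DIRECTORY):
    """Toy RADIUS server: recover the PAP password and compare it with the directory."""
    _code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = directory.get(username)
    ok = expected is not None and hmac.compare_digest(password, expected.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, secret)


def verify_response(response, request_auth, secret):
    """Client-side check that the reply came from a server holding the same secret."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def run_exchange(username, password, client_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Full round trip in memory; returns the outcome the database instance would act on."""
    request = build_access_request(7, username, password, client_secret, DB_SERVER_IP)
    response = handle_access_request(request, server_secret)
    if not verify_response(response, request[4:20], client_secret):
        return "Response-Authenticator-mismatch"   # e.g. the two sides hold different secrets
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[response[0]]


if __name__ == "__main__":
    print(run_exchange("scott", "tiger"))                              # Access-Accept
    print(run_exchange("scott", "wrong"))                              # Access-Reject
    print(run_exchange("scott", "tiger", client_secret=b"mistyped"))   # Response-Authenticator-mismatch
```

Running it gives an accept for the right password, a reject for a wrong password or unknown user, and a Response Authenticator mismatch when the two sides hold different secrets, which is exactly what a mis-copied SQLNET.RADIUS_SECRET file produces. The User-Password hiding is an MD5 keystream derived from the shared secret and nothing more, so the secret file on the database server and the entry in “client.conf” deserve the same protection as any other credential, and the link between database server and RADIUS server should not cross untrusted networks.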
