OID-LDAP trigger
The following sections show you how to set up transparent password synchronization for an Oracle Internet Directory LDAP (OID-LDAP) trigger system.
Before you begin, ensure that you have researched and carried out the steps outlined in Implementing Transparent Password Synchronization.
Bravura Pass can intercept password changes on OID-LDAP trigger systems using a pre-change and post-change password strength filter, psldap*, for:
Unix-based OID-LDAP servers
Windows-based OID-LDAP servers
Before you start, you should have the encrypted communication key (COMMKEY), or a copy of the idmsetup.inf configuration file. The idmsetup.inf configuration file is located on the Bravura Security Fabric server in the psconfig directory.
To install the OID-LDAP password filter plugin (psldap.so) on a Unix-based OID-LDAP server:
If you did not select Unix Installation Packages when you installed the Connector Pack, run setup on the Bravura Security Fabric server to modify your Connector Pack installation.
Ensure that the appropriate Unix package is selected on the component selection page. Click Next, then complete the installation procedure.
Copy the psunix-<os>.<cpu>.tar.gz file from the unix directory to a scratch directory (such as /tmp) on the OID-LDAP server. Log into the LDAP server with administrative privileges, and extract the files from the psunix archive. For example, type:
cd /tmp
tar -zxvf psunix-solaris9.sparc64.tar.gz
Run install.sh and select the LDAP Transparent Synch option:
sh install.sh -c 4 [ -inf <path>/idmsetup.inf ]
Follow the instructions displayed by the installer script.
In the configuration process, verify that the script correctly identifies your operating system type. If not, override it.
In the installation process, follow the instructions and input the information prompted by each input field. To skip a field, press Enter to use the default value.
Verify that the psldap-oidldap.so shared object file is copied to /usr/local/psunix/default/. Ensure that the /etc/psunix.cfg and /etc/psunix.d/ configuration files are readable by the Oracle account:
chmod a+rx /etc/psunix.cfg
chmod -R a+rx /etc/psunix.d
Stop the OID-LDAP Application Server.
Copy the psldap-oidldap.so file from the /usr/local/psunix/default/ directory to $ORACLE_HOME/lib on the database server as psldap.so. You can place this binary somewhere else, but you must edit the files in the next steps accordingly. ORACLE_HOME is the destination directory specified during the Oracle Application Server Infrastructure installation.
For example:
cp /usr/local/psunix/default/psldap-oidldap.so /u01/app/oracle/lib/psldap.so
Edit the listener.ora file in $ORACLE_HOME/network/admin to permit access to the shared object. Add the path to the library to the Oracle environment variable EXTPROC_DLLS. This must match the path to the psldap.so binary.
For example:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle)
      (PROGRAM = extproc)
      (ENVS="EXTPROC_DLLS=/u01/app/oracle/lib/psldap.so")
    )
  )
Edit psldap-oidldap-plugin.sql, in the psunix-<os>.<cpu>/addon/transparent-synch/ldap directory, to set the path to the library in the plugin. This must match the path to the psldap.so binary. For example:
CREATE OR REPLACE LIBRARY psldap_lib AS '/u01/app/oracle/lib/psldap.so';
/
SHOW ERRORS
Install psldap-oidldap-plugin.sql. This file contains the stored procedures needed by the plugin. You can install it, for example, by executing the following command on the database server, where ods is the OID database schema owner:
sqlplus ods/<odspassword> @<path to psldap-oidldap-plugin.sql>
For example:
$ORACLE_HOME/bin/sqlplus ods/mypass @psldap-oidldap-plugin.sql
Set up the plugin in the LDAP server. This can be done either from the GUI by hand, or using the supplied pluginreg.dat. Using pluginreg.dat from the LDAP server, run the command:
ldapadd -p <portnum> -h <hostname> -D cn=orcladmin -w <orcladminpassword> -v -f <path to psldap-oidldap-pluginreg.dat>
where:
portnum is the port that the OID-LDAP server listens on; the default is 389.
hostname is the host name of the OID-LDAP server; localhost can be used.
For example:
$ORACLE_HOME/bin/ldapadd -p 389 -h myhost -D cn=orcladmin -w mypass -v -f psldap-oidldap-pluginreg.dat
Restart the Oracle listener:
lsnrctl stop
lsnrctl start
dbstart
To install the OID-LDAP password filter plugin (psldap.dll) on a Windows Server 2003-based LDAP server:
Log into the server hosting the OID-LDAP Application Server with administrative privileges.
Stop the OID-LDAP Application Server.
Copy psldap-oidldap.dll from addon\transparent-synch\ldap\ on the Bravura Security Fabric server to %ORACLE_HOME%\lib on the OID-LDAP server as psldap.dll. You can place this binary somewhere else, but you must edit the files in the next steps accordingly.
ORACLE_HOME is the destination directory specified during the Oracle Application Server Infrastructure installation.
Copy psldap.cfg from the addon\transparent-synch\ldap\ directory on the Bravura Security Fabric server to %ORACLE_HOME%\lib on the OID-LDAP server.
Copy the libidapi.dll file from the <instance>\lib\ directory on your Bravura Pass server to <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\lib\.
Copy the idapitool.exe file from the <instance>\lib\ directory on your Bravura Pass server to <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\.
Edit psldap.cfg as follows:
comm-key
Defines the private key used for encryption. This key must match the one set during installation on the Bravura Security Fabric server.
comm-key = "<encrypted commkey value>";
targetid
Specifies the ID of the target system associated with this interceptor.
targetid = "ldap";
libcurl
The full path to the libcurl shared object required when using SSL. An empty value uses the system default location; otherwise the full path can be specified. A value of "0" disables libcurl, which in turn disables the SSL and web proxy facilities.
libcurl = "0";
url
The service endpoint of the API SOAP Service.
url = "http://host.domain.com/default/idapi";
user
The user ID the API SOAP Service is configured to use.
user = "_API_USER";
psw
The password the API SOAP Service is configured to use. Use the idapitool program to acquire this value from the known plain text value. See api.pdf for idapitool usage information.
psw = "the_encrypted_password_created_by_idapitool";
You can generate the encrypted password with the following command:
idapitool.exe -url http://host.domain.com/default/idapi -user _API_USER -psw Letmein1 -q
Optionally, edit these keys:
proxy
The address and port of the proxy.
proxy = "http://idapi_proxy.mydomain.com:3128";
proxyuser
The username to authenticate against the proxy (optional).
proxyuser = "proxyuser";
proxypass
The password to authenticate against the proxy (optional).
proxypass = "proxypass";
capath
The CA directory or file holding the root certificates to trust. This value is required if using SSL.
capath = "";
cert
The certificate for client authentication. This value is optional when using SSL and may be used if client verification is required by the server.
cert = "ldap.crt";
ignore
Whether or not to enforce strict name checking of the server certificate.
ignore = "0";
timeout
The timeout, in seconds, when communicating with the IDAPI SOAP service. The default is 300 seconds.
timeout = "300";
retry-attempts
The number of retry attempts for failed IDAPI calls. The default is 2.
retry-attempts = "2";
retry-delay
The delay, in seconds, between retried IDAPI calls. The default is 5 seconds.
retry-delay = "5";
fail-if-unavailable
Whether password changes should fail if the IDAPI SOAP service cannot be contacted. The default behavior is to always fail if the IDAPI SOAP service is unavailable.
fail-if-unavailable = "true";
strength-check-only
If this option is set to true, the password reset operation will not occur. The default value is true.
strength-check-only = "true";
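The settings above interact in ways that are easy to get wrong: libcurl = "0" disables SSL even when url is https://, an empty capath leaves the IDAPI server certificate unverifiable, ignore turns off name checking, and fail-if-unavailable = "false" lets a password change complete locally while the synchronization is lost. The following Python script is an added example, not part of Bravura Pass or its documentation, that parses a psldap.cfg and reports those conditions along with template placeholders that were never replaced. It assumes the file consists only of key = "value"; lines as in the template above; both sample configurations are constructed for the example.

```python
"""Lint a psldap.cfg for the risky combinations described above.

Added example; not part of Bravura Pass. Assumes the file holds only
key = "value"; lines (blank lines allowed), as in the template above.
"""
import re
from typing import Dict, List

# Values copied unchanged from the template above; they must be replaced
# before the interceptor can authenticate to the IDAPI SOAP service.
TEMPLATE_PLACEHOLDERS = {
    "<encrypted commkey value>",
    "the_encrypted_password_created_by_idapitool",
}

SETTING_RE = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*;$')


def parse_psldap_cfg(text: str) -> Dict[str, str]:
    """Parse key = "value"; lines into a dict; reject anything else."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = SETTING_RE.match(line)
        if match is None:
            raise ValueError(f'line {lineno}: expected key = "value"; but got {raw!r}')
        key, value = match.groups()
        if key in settings:
            raise ValueError(f"line {lineno}: duplicate setting {key}")
        settings[key] = value
    return settings


def lint_psldap_cfg(settings: Dict[str, str]) -> List[str]:
    """Return one finding per risky or incomplete setting (empty list = clean)."""
    findings: List[str] = []
    url = settings.get("url", "")
    uses_tls = url.lower().startswith("https://")

    if not uses_tls:
        findings.append("url: endpoint is plain http, so SOAP traffic to the IDAPI service is unencrypted")
    if uses_tls and settings.get("libcurl", "") == "0":
        findings.append('libcurl = "0" disables SSL and proxy support although url is https://')
    if uses_tls and settings.get("capath", "") == "":
        findings.append("capath is empty: no root certificates to verify the IDAPI server")
    if settings.get("ignore", "0") != "0":
        findings.append('ignore != "0": strict server certificate name checking is off')
    if settings.get("fail-if-unavailable", "true").lower() != "true":
        findings.append("fail-if-unavailable is not true: a password change completes locally "
                        "when the IDAPI SOAP service is unreachable, so it is never synchronized")
    if settings.get("strength-check-only", "true").lower() == "true":
        findings.append("strength-check-only is true: passwords are only strength-checked, "
                        "the reset is not propagated")
    for key in ("comm-key", "psw"):
        value = settings.get(key, "")
        if value == "" or value in TEMPLATE_PLACEHOLDERS:
            findings.append(f"{key}: empty or still the template placeholder")
    for key, default in (("timeout", "300"), ("retry-attempts", "2"), ("retry-delay", "5")):
        value = settings.get(key, default)
        if not value.isdigit():
            findings.append(f"{key}: {value!r} is not a non-negative integer")
    return findings


# Constructed sample: the template filled in with insecure choices.
WEAK_CFG = """\
comm-key = "<encrypted commkey value>";
targetid = "ldap";
libcurl = "0";
url = "https://host.domain.com/default/idapi";
user = "_API_USER";
psw = "the_encrypted_password_created_by_idapitool";
capath = "";
ignore = "1";
fail-if-unavailable = "false";
strength-check-only = "true";
"""

# Constructed sample: the same endpoint with the settings corrected
# (the key, password and CA file names are made up for the example).
HARDENED_CFG = """\
comm-key = "EXAMPLE_ENCRYPTED_COMMKEY";
targetid = "ldap";
libcurl = "";
url = "https://host.domain.com/default/idapi";
user = "_API_USER";
psw = "EXAMPLE_ENCRYPTED_PSW";
capath = "C:\\oracle\\lib\\bravura-ca.pem";
ignore = "0";
timeout = "300";
retry-attempts = "2";
retry-delay = "5";
fail-if-unavailable = "true";
strength-check-only = "false";
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(f"{name}: {lint_psldap_cfg(parse_psldap_cfg(text)) or ['no findings']}")
```

Run it against the psldap.cfg you copied into %ORACLE_HOME%\lib before restarting the listener; the weak sample produces seven findings, the hardened one none. The strength-check-only finding is informational: with the default of true the interceptor only checks password strength, so clear it once you intend the reset to be propagated.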
On the OID-LDAP server create the following registry keys:
HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\
Entry name: PsldapCfg
Value: Path to psldap.cfg file
Data type: REG_DWORD
HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\
Entry name: PsInstallDir
Value: The full directory path of the psldap.cfg file
Data type: REG_SZ
Edit the listener.ora file in $ORACLE_HOME/network/admin to permit access to the shared object. Add the path to the library to the Oracle environment variable EXTPROC_DLLS. This must match the path to the psldap.dll binary.
For example:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = C:\oracle)
      (PROGRAM = extproc)
      (ENVS="EXTPROC_DLLS=C:\oracle\lib\psldap.dll")
    )
  )
Edit psldap-oidldap-plugin.sql to set the path to the library in the plugin. This must match the path to the psldap.dll binary. For example:
CREATE OR REPLACE LIBRARY psldap_lib AS 'C:\oracle\lib\psldap.dll';
/
SHOW ERRORS
Install psldap-oidldap-plugin.sql. This file contains the stored procedures needed by the plugin. You can install it, for example, by executing the following command on the database server, where ods is the OID database schema owner:
sqlplus ods/<odspassword> @<path to psldap-oidldap-plugin.sql>
For example:
$ORACLE_HOME/bin/sqlplus ods/mypass @psldap-oidldap-plugin.sql
Set up the plugin in the LDAP server. This can be done either from the GUI by hand, or using the supplied pluginreg.dat. Using pluginreg.dat from the LDAP server, run the command:
ldapadd -p <portnum> -h <hostname> -D cn=orcladmin -w <orcladminpassword> -v -f <path to psldap-oidldap-pluginreg.dat>
where:
portnum is the port that the OID-LDAP server listens on; the default is 389.
hostname is the host name of the OID-LDAP server; localhost can be used.
For example:
$ORACLE_HOME/bin/ldapadd -p 389 -h myhost -D cn=orcladmin -w mypass -v -f psldap-oidldap-pluginreg.dat
Restart the Oracle listener using the Windows Service Control Manager.
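Both the Unix and the Windows procedures above require one path to agree in three places: the file copied into $ORACLE_HOME/lib, the EXTPROC_DLLS entry in listener.ora, and the CREATE OR REPLACE LIBRARY statement in psldap-oidldap-plugin.sql. If they disagree, the plugin is registered in OID but extproc cannot load it, and every intercepted password change then hits a failing plugin. The following Python script is an added example, not part of Bravura Pass, that extracts the path from both files and compares it with the installed binary. The listener.ora and SQL fragments are the ones shown above; the mismatched case is constructed. Beyond the single-path form the page uses, it also handles the ONLY:<path>:<path> list and the bare ANY value that Oracle accepts for EXTPROC_DLLS (Windows lists are separated by ';').

```python
"""Check that the plugin library path agrees across listener.ora, the
plugin SQL and the installed binary. Added example; not part of Bravura Pass."""
import re
from typing import List

# (ENVS="EXTPROC_DLLS=...") inside the SID_DESC entry of listener.ora.
EXTPROC_DLLS_RE = re.compile(r'ENVS\s*=\s*"EXTPROC_DLLS=([^"]*)"')
# CREATE OR REPLACE LIBRARY <name> AS '<path>'; in psldap-oidldap-plugin.sql.
LIBRARY_RE = re.compile(
    r"CREATE\s+OR\s+REPLACE\s+LIBRARY\s+\w+\s+AS\s+'([^']+)'", re.IGNORECASE)


def is_windows_path(path: str) -> bool:
    return re.match(r"^[A-Za-z]:[\\/]", path) is not None


def normalize(path: str) -> str:
    """Windows paths compare case- and slash-insensitively; Unix paths exactly."""
    if is_windows_path(path):
        return path.replace("/", "\\").lower()
    return path


def extproc_dll_paths(listener_ora: str) -> List[str]:
    """Paths extproc is allowed to load, or ["ANY"] when unrestricted."""
    match = EXTPROC_DLLS_RE.search(listener_ora)
    if match is None:
        raise ValueError("listener.ora has no EXTPROC_DLLS entry")
    value = match.group(1)
    if value.upper() == "ANY":
        return ["ANY"]
    if value.upper().startswith("ONLY:"):
        value = value[len("ONLY:"):]
    separator = ";" if is_windows_path(value) else ":"
    return [p for p in value.split(separator) if p]


def library_path(plugin_sql: str) -> str:
    match = LIBRARY_RE.search(plugin_sql)
    if match is None:
        raise ValueError("plugin SQL has no CREATE OR REPLACE LIBRARY statement")
    return match.group(1)


def check_plugin_paths(listener_ora: str, plugin_sql: str, installed: str) -> List[str]:
    """Return the mismatches between listener.ora, the plugin SQL and the installed file."""
    problems: List[str] = []
    inst = normalize(installed)
    lib = normalize(library_path(plugin_sql))
    allowed = [normalize(p) for p in extproc_dll_paths(listener_ora)]
    if lib != inst:
        problems.append(f"CREATE LIBRARY points at {lib} but the binary was installed as {inst}")
    if "ANY" in allowed:
        problems.append("EXTPROC_DLLS=ANY lets extproc load any library; restrict it to psldap")
    elif inst not in allowed:
        problems.append(f"EXTPROC_DLLS does not list {inst}; extproc will refuse to load it")
    return problems


# Fragments as shown in the procedure above.
UNIX_LISTENER = """
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle)
      (PROGRAM = extproc)
      (ENVS="EXTPROC_DLLS=/u01/app/oracle/lib/psldap.so")
    )
  )
"""
UNIX_PLUGIN_SQL = (
    "CREATE OR REPLACE LIBRARY psldap_lib AS '/u01/app/oracle/lib/psldap.so';\n/\nSHOW ERRORS\n")
WINDOWS_LISTENER = '(ENVS="EXTPROC_DLLS=C:\\oracle\\lib\\psldap.dll")'
WINDOWS_PLUGIN_SQL = "CREATE OR REPLACE LIBRARY psldap_lib AS 'C:\\oracle\\lib\\psldap.dll';"

if __name__ == "__main__":
    print(check_plugin_paths(UNIX_LISTENER, UNIX_PLUGIN_SQL, "/u01/app/oracle/lib/psldap.so"))
    print(check_plugin_paths(WINDOWS_LISTENER, WINDOWS_PLUGIN_SQL, r"C:\Oracle\lib\psldap.dll"))
    # Constructed mistake: the file was copied but never renamed to psldap.so.
    print(check_plugin_paths(UNIX_LISTENER, UNIX_PLUGIN_SQL,
                             "/u01/app/oracle/lib/psldap-oidldap.so"))
```

Feed it the real listener.ora and plugin SQL (read from disk) together with the path you used in the copy step; an empty list means the three agree. The ANY finding is deliberate: an unrestricted EXTPROC_DLLS lets the listener's extproc load any library on the host, which is wider than this plugin needs.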