Home » RDBMS Server » Security » AD Creation using DBMS_LDAP - Password creation solutions
AD Creation using DBMS_LDAP - Password creation solutions [message #512543] Tue, 21 June 2011 00:07 Go to next message
meim
Messages: 35
Registered: July 2009
Member
Hello,

I am not sure if this the right place to post my question.

I have an idea of implementation and not sure if it is doable, so need your opinion if possible.

I am using DBMS_LDAP package to create user through DB to AD Server. The process is completed successfully with user creation.

However, am facing problem with user password. It seems the password is created in "userPassword" attribute, but the account get to be disabled after creation and i couldn't reset password or enable the user through DB level, and reconnect with the created password. I got to have to do this from AD server side.

I found solution that i can do this through setting-up SSL connection and Oracle Wallet. However, this may got to be more complicated to be done.

Therefore, I am wondering about another solution if it is possible to do which is executing a script located in AD Server from Oracle DB to create password and enable the user?

Your help/opinion/guide is highly appreciated.


Thanks
Re: AD Creation using DBMS_LDAP - Password creation solutions [message #512547 is a reply to message #512543] Tue, 21 June 2011 00:17 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
It seems the password is created in "userPassword" attribute, but the account get to be disabled after creation and i couldn't reset password or enable the user through DB level, and reconnect with the created password.

Copy and paste what you did and got (in text mode inside the post, no image).

Before, Please read OraFAQ Forum Guide and How to use [code] tags and make your code easier to read.
Make sure that lines of code do not exceed 80 characters when you format.
Indent the code, use code tags and align the columns in result.
Use the "Preview Message" button to verify.
Also always post your Oracle version, with 4 decimals.

Regards
Michel
Re: AD Creation using DBMS_LDAP - Password creation solutions [message #512556 is a reply to message #512547] Tue, 21 June 2011 00:48 Go to previous messageGo to next message
meim
Messages: 35
Registered: July 2009
Member
Here the code i tried

declare

    GC$ldap_host   VARCHAR2(256)   := ''; 
    GC$ldap_port   VARCHAR2(256)   := ''; 
    GC$ldap_user   VARCHAR2(256)   := '';
    GC$ldap_passwd VARCHAR2(256)   := '';
    GC$ldap_base   VARCHAR2(256)   := '';
 
    retval PLS_INTEGER;

    my_session DBMS_LDAP.SESSION;
    user_dn     VARCHAR2(256);
    user_array  DBMS_LDAP.MOD_ARRAY;
    user_vals   DBMS_LDAP.STRING_COLLECTION;
    v_pass    DBMS_LDAP.BERVAL_COLLECTION; 
    
    userID varchar2(10) := '';
    passwd varchar2(9) := '12345678';
  


BEGIN
     retval := -1;
     
     -- Insert into LDAP --
     DBMS_LDAP.USE_EXCEPTION := TRUE;
     
     my_session := DBMS_LDAP.init(GC$ldap_host,GC$ldap_port);
     retval := DBMS_LDAP.simple_bind_s(my_session, GC$ldap_user,GC$ldap_passwd);
     
     user_array := DBMS_LDAP.create_mod_array(20);
     
     -- Properties --
     user_vals(1) := userID; 
     DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD, 'sAMAccountName',user_vals);--
     
     user_vals(1) := userID;
     DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD, 'userPrincipalName',user_vals);
     
     user_vals(1) := userID;
     DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD, 'uid',user_vals);--
     DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD, 'cn',user_vals);
     
     user_vals(1) := 'test name';
     DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD, 'sn',user_vals);
     
     user_vals(1) := 'test name';
     DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD, 'givenname',user_vals);
     
     user_vals(1) := passwd;
     DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD, 'userPassword',user_vals);
     
     user_vals(1) := 'user';
     DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_ADD, 'objectclass',user_vals);
          
     --- set up user DN
     user_dn := 'cn='||userID||', '|| GC$ldap_base;
 
     retval := DBMS_LDAP.add_s(my_session,user_dn,user_array);
     DBMS_OUTPUT.PUT_LINE(RPAD('add_s Returns ',25,' ') || ': '|| TO_CHAR(retval));
     
     DBMS_LDAP.free_mod_array(user_array);
     
     retval := DBMS_LDAP.unbind_s(my_session);
     
     DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ',25,' ') || ': ' ||
     TO_CHAR(retval));  
     DBMS_OUTPUT.PUT_LINE('Resultt -> OK');


-- Handle Exceptions
EXCEPTION

  WHEN OTHERS THEN

  DBMS_OUTPUT.PUT_LINE(' Error Message : '||SQLERRM );
  DBMS_OUTPUT.PUT_LINE(' Exception encountered .. exiting');

END Insert_User;
Re: AD Creation using DBMS_LDAP - Password creation solutions [message #512560 is a reply to message #512556] Tue, 21 June 2011 00:51 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
1/ Remove the exception block
2/ Copy and paste what you did and got.

Regards
Michel
Re: AD Creation using DBMS_LDAP - Password creation solutions [message #512564 is a reply to message #512556] Tue, 21 June 2011 01:00 Go to previous messageGo to next message
meim
Messages: 35
Registered: July 2009
Member
in some point also i tried to convert the password to unicode and modified the create entry using, the password changed but i counld authenticate with this password and created user.


 v_pass(1) := UTL_RAW.cast_to_raw(convert('"98765432"','AL16UTF16LE'));
     DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_REPLACE ,'userPassword',v_pass);



also, I tried using the attribute "unicodePwd" but no luck as i got error saying "No Such attribute"

DBMS_LDAP.populate_mod_array(emp_array,DBMS_LDAP.MOD_ADD,'unicodePwd',new_pwd_berval);


Re: AD Creation using DBMS_LDAP - Password creation solutions [message #512565 is a reply to message #512560] Tue, 21 June 2011 01:02 Go to previous messageGo to next message
meim
Messages: 35
Registered: July 2009
Member
That was what i did and i got user created! what else is required to provide?
Re: AD Creation using DBMS_LDAP - Password creation solutions [message #512573 is a reply to message #512565] Tue, 21 June 2011 01:14 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
However, am facing problem with user password. It seems the password is created in "userPassword" attribute

How do you know that: show.

Quote:
and i couldn't reset password

How? What do you get: show.

Quote:
or enable the user through DB level,

How? What do you get: show.

Quote:
and reconnect with the created password.

How? What do you get: show.

How the user has been created in DB? Show its creation statement, show its parameters from Oracle dictionary...
In short, show all what is useful to diagniose.

Regards
Michel
Re: AD Creation using DBMS_LDAP - Password creation solutions [message #512619 is a reply to message #512573] Tue, 21 June 2011 03:51 Go to previous message
meim
Messages: 35
Registered: July 2009
Member
My apology for this unclear post.I believe i had raised two questions while i should focus in one. Let me summarize them again and will go for detail for first question:

Q1- How to create/reset password for AD account using DBMS_LDAP package
Q2- How to execute script located in another server (AD Server) through Oracle DB (located in another Server)

------------------------------------------------------------------

For user creation using DBMS_LDAP package I did following:

1- I execute the code i mentioned in my reply (message #512556). This Code should generate me an AD entry with following (sAMAccountName, userPrincipalName, uid, cn, sn, givenname, userPassword, objectclass ).

2- I made a test to check if the user is created in step1 by authenticate using the created user & password, using following code:

BEGIN

     retval := -1;
     
   
     DBMS_LDAP.USE_EXCEPTION := TRUE;
     my_session := DBMS_LDAP.init(GC$ldap_host,GC$ldap_port);
     retval := DBMS_LDAP.simple_bind_s(my_session, GC$ldap_user, GC$ldap_passwd);
     
     DBMS_OUTPUT.PUT_LINE(RPAD('simple_bind_s Returns ',25,' ') || ': ' || TO_CHAR(retval));
     v_authenticated := true ;
     
     
     if v_authenticated then 
         
         DBMS_OUTPUT.PUT_LINE('Resultt -> Connect OK');
      
     else
     
         DBMS_OUTPUT.PUT_LINE('false');
        
     end if;
     
      retval := DBMS_LDAP.unbind_s(my_session);
     DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ',25,' ') || ': ' ||TO_CHAR(retval));  


However, I got the following message:

Quote:
Error Message : ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials. 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece



3- To double check that account is really created, We checked this user creation from AD Server side (this done by the responsible team), and it appears that the account is created and locked, so they reset the password and enable the user.


4- I repeat step 2 after activating the account from AD Server Side (in step 3), and i got the connection and authnication.


5- I did another test (create another user) by repeating step 1 and 2. step 2 failed again and i couldn't authenticate. Therefore, i tried to modify the password from DB side using following code:

BEGIN

     retval := -1;
     
     -- Insert into LDAP --
     DBMS_LDAP.USE_EXCEPTION := TRUE;
     
     my_session := DBMS_LDAP.init(GC$ldap_host,GC$ldap_port);
     retval := DBMS_LDAP.simple_bind_s(my_session, GC$ldap_user, GC$ldap_passwd);
    
     user_array := DBMS_LDAP.create_mod_array(2);
      
     v_pass(1) := UTL_RAW.cast_to_raw(convert('"uaeu12345"','AL16UTF16LE'));
     DBMS_LDAP.populate_mod_array(user_array,DBMS_LDAP.MOD_REPLACE ,'userPassword',v_pass);
     

     user_dn := 'cn='||userID||', '|| GC$ldap_base;
     retval := DBMS_LDAP.modify_s(my_session,user_dn,user_array);
     
     retval := DBMS_LDAP.unbind_s(my_session);
     
     DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ',25,' ') || ': ' ||TO_CHAR(retval));  
     DBMS_OUTPUT.PUT_LINE('Resultt -> OK');


end; 


The code run successfully and print out all messages as following:
Quote:
simple_bind_s Returns : 0
unbind_res Returns : 0
Resultt -> OK


I am using Active Directory Explorer Software to monitor those changes, and i could see the userpassword attribute changes.

Therefore, after many search i found that password creation/resetting is done through password policies in AD Server, and that's will required to set-up SSL and Oracle wallet if we want to achieve this from DB side.

We have the script to activate AD user in AD Server, that's why i jumped to Q2 (mentioned above).


I hope this made it clear.


Thanks,

Previous Topic: how can i configure one user open one session
Next Topic: Limit Sessions per User in RAC
Goto Forum:
  


Current Time: Thu Mar 28 12:49:47 CDT 2024