Infrastructure at your Service

Oracle Team

OUD 11.1.2.3 – What are the minimum privileges for administering connect strings in OUD?

Security in OUD plays a very important role. Keeping your patch level up to date is just one of those topics, like explained in my recent blog.

https://blog.dbi-services.com/oud-11-1-2-3-patch-25840309-oud-bundle-patch-11-1-2-3-170718/

Another one are privileges. You don’t need to do all of your work with the cn=Directory Manager. The cn=Directory Manager is the most powerful user in an Oracle Unified Directory. You can see it as the root user. However, for just managing Connect strings via the netmgr it is kinda oversized.
OK. You could create another root user in cn=Root DNs,cn=config with less privileges, but this would have the disadvantage that it is not replicated.

I would just like to have an user, e.g. cn=oud,ou=people,dc=dbi,dc=com which I can use only for creating/deleting TNS Connect strings. But what are the minimum privileges for doing this job?

First of all, we need to create the user. Specifying the Common Name, the Lastname and the password is enough.

If we try now to add a new connect string via the netmgr, we will get immediately the famous “TNS-04411: Directory service: permission denied” error.

...
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
oracle.net.common.dataStore.DataStoreException: error writing ServiceAlias to: LDAPDataStore [svr: dbidg01:1389, type: OID, ctxt: cn=OracleContext,dc=dbi,dc=com, home: /u01/app/oracle/product/12.2.0/dbhome_1]
original exception message: TNS-04411: Directory service: permission denied
  caused by: oracle.net.config.DirectoryServiceException: TNS-04411: Directory service: permission denied
  caused by: oracle.net.ldap.NNFLException
original stack trace: oracle.net.config.ServiceAliasException: TNS-04411: Directory service: permission denied
  caused by: oracle.net.config.DirectoryServiceException: TNS-04411: Directory service: permission denied
  caused by: oracle.net.ldap.NNFLException
oracle.net.config.DirectoryServiceException: TNS-04411: Directory service: permission denied
  caused by: oracle.net.ldap.NNFLException
oracle.net.ldap.NNFLException

To resolve this error, we need to make sure, that the user has the password reset privilege and any of the following the uniqueMember attribute:

  • cn=oraclenetadmins,dc=oraclecontext,dc=dbi,dc=com
  • cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=dbi,dc=com

To create net service names or net service aliases with the netmgr, you need to assign the OracleNetAdmins group (cn=OracleNetAdmins,cn=OracleContext…) to that user.

The OracleContextAdmins group is a super-user group for the Oracle Context and members of the OracleContextAdmins group can add all supported types of entries to the Oracle Context. The directory user (in most cases the cn=Directory Manager) that created Oracle Context is automatically added to these groups. Other users can be added to these groups by the directory administrator.

To add the cn=oud,ou=people,dc=dbi,dc=com user to the particular groups, run the following ldapmodify command:

[dbafmw@dbidg01 bin]$ ldapmodify --hostname dbidg01 --port 1389 --bindDN cn="Directory Manager" --bindPasswordFile ~/.oudpwd
dn: cn=oud,ou=people,dc=dbi,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset
Processing MODIFY request for cn=oud,ou=people,dc=dbi,dc=com
MODIFY operation successful for DN cn=oud,ou=people,dc=dbi,dc=com

dn: cn=oraclenetadmins,cn=oraclecontext,dc=dbi,dc=com
changetype: modify
add: uniquemember
uniquemember:  cn=oud,ou=people,dc=dbi,dc=com
Processing MODIFY request for cn=oraclenetadmins,cn=oraclecontext,dc=dbi,dc=com
MODIFY operation successful for DN cn=oraclenetadmins,cn=oraclecontext,dc=dbi,dc=com

dn: cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=dbi,dc=com
changetype: modify
add: uniquemember
uniquemember:  cn=oud,ou=people,dc=dbi,dc=com
Processing MODIFY request for cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=dbi,dc=com
MODIFY operation successful for DN cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=dbi,dc=com

[dbafmw@dbidg01 bin]$

Now, let’s connect again via netmgr and add a new entry.

That’s it. :-)

Conclusion

Not only patching, but also a minimum set of privileges makes your OUD more secure.

 

Leave a Reply

Oracle Team
Oracle Team