By William Sescu
[vc_row][vc_column width=”1/1″][vc_column_text]Security in OUD plays a very important role. Keeping your patch level up to date is just one of those topics, like explained in my recent blog.
https://www.dbi-services.com/blog/oud-11-1-2-3-patch-25840309-oud-bundle-patch-11-1-2-3-170718/
Another one are privileges. You don’t need to do all of your work with the cn=Directory Manager. The cn=Directory Manager is the most powerful user in an Oracle Unified Directory. You can see it as the root user. However, for just managing Connect strings via the netmgr it is kinda oversized.
OK. You could create another root user in cn=Root DNs,cn=config with less privileges, but this would have the disadvantage that it is not replicated.
I would just like to have an user, e.g. cn=oud,ou=people,dc=dbi,dc=com which I can use only for creating/deleting TNS Connect strings. But what are the minimum privileges for doing this job?
First of all, we need to create the user. Specifying the Common Name, the Lastname and the password is enough.
[/vc_column_text][image_with_animation image_url=”17712″ animation=”Fade In” img_link_target=”_self”][vc_column_text]If we try now to add a new connect string via the netmgr, we will get immediately the famous “TNS-04411: Directory service: permission denied” error.
... at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93) at java.awt.EventDispatchThread.run(EventDispatchThread.java:82) oracle.net.common.dataStore.DataStoreException: error writing ServiceAlias to: LDAPDataStore [svr: dbidg01:1389, type: OID, ctxt: cn=OracleContext,dc=dbi,dc=com, home: /u01/app/oracle/product/12.2.0/dbhome_1] original exception message: TNS-04411: Directory service: permission denied caused by: oracle.net.config.DirectoryServiceException: TNS-04411: Directory service: permission denied caused by: oracle.net.ldap.NNFLException original stack trace: oracle.net.config.ServiceAliasException: TNS-04411: Directory service: permission denied caused by: oracle.net.config.DirectoryServiceException: TNS-04411: Directory service: permission denied caused by: oracle.net.ldap.NNFLException oracle.net.config.DirectoryServiceException: TNS-04411: Directory service: permission denied caused by: oracle.net.ldap.NNFLException oracle.net.ldap.NNFLException
To resolve this error, we need to make sure, that the user has the password reset privilege and any of the following the uniqueMember attribute:
- cn=oraclenetadmins,dc=oraclecontext,dc=dbi,dc=com
- cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=dbi,dc=com
To create net service names or net service aliases with the netmgr, you need to assign the OracleNetAdmins group (cn=OracleNetAdmins,cn=OracleContext…) to that user.
The OracleContextAdmins group is a super-user group for the Oracle Context and members of the OracleContextAdmins group can add all supported types of entries to the Oracle Context. The directory user (in most cases the cn=Directory Manager) that created Oracle Context is automatically added to these groups. Other users can be added to these groups by the directory administrator.
To add the cn=oud,ou=people,dc=dbi,dc=com user to the particular groups, run the following ldapmodify command:
[dbafmw@dbidg01 bin]$ ldapmodify --hostname dbidg01 --port 1389 --bindDN cn="Directory Manager" --bindPasswordFile ~/.oudpwd dn: cn=oud,ou=people,dc=dbi,dc=com changetype: modify add: ds-privilege-name ds-privilege-name: password-reset Processing MODIFY request for cn=oud,ou=people,dc=dbi,dc=com MODIFY operation successful for DN cn=oud,ou=people,dc=dbi,dc=com dn: cn=oraclenetadmins,cn=oraclecontext,dc=dbi,dc=com changetype: modify add: uniquemember uniquemember: cn=oud,ou=people,dc=dbi,dc=com Processing MODIFY request for cn=oraclenetadmins,cn=oraclecontext,dc=dbi,dc=com MODIFY operation successful for DN cn=oraclenetadmins,cn=oraclecontext,dc=dbi,dc=com dn: cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=dbi,dc=com changetype: modify add: uniquemember uniquemember: cn=oud,ou=people,dc=dbi,dc=com Processing MODIFY request for cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=dbi,dc=com MODIFY operation successful for DN cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=dbi,dc=com [dbafmw@dbidg01 bin]$
Now, let’s connect again via netmgr and add a new entry.[/vc_column_text][image_with_animation image_url=”17713″ animation=”Fade In” img_link_target=”_self”][image_with_animation image_url=”17714″ animation=”Fade In” img_link_target=”_self”][image_with_animation image_url=”17715″ animation=”Fade In” img_link_target=”_self”][vc_column_text]That’s it. 🙂
Conclusion
Not only patching, but also a minimum set of privileges makes your OUD more secure.[/vc_column_text][/vc_column][/vc_row]
![Thumbnail [60x60]](https://www.dbi-services.com/blog/wp-content/uploads/2022/12/oracle-square.png)
![Thumbnail [90x90]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/DWE_web-min-scaled.jpg)