OUD - How to Prevent a Non-Admin from Returning the "orclcommonattribute" Used for EUS and OUD Proxy
(Doc ID 2450495.1)
Last updated on MAY 15, 2023
Applies to:
Oracle Unified Directory - Version 11.1.2.3.0 and later
Information in this document applies to any platform.
Goal
When Active Directory (AD) users log into a database through EUS and OUD Proxy, the orclcommonattribute in the user's AD entry is used to store the password verifier that EUS checks. The value of orclcommonattribute is a hashed password, not cleartext, but it is still credential material that only administrators should be able to read.
This article shows how to prevent non-admin (and anonymous) users from retrieving orclcommonattribute through OUD Proxy by configuring Virtual ACIs on the proxy.
- Example of Issue
- Non-admin user can return the orclcommonattribute when ldapsearch runs against OUD Proxy -
./ldapsearch -p <PROXY_LDAP_PORT> -D "cn=<CN1>,ou=EUS_USERS,<SUFFIX_DN>" -w <PASSWORD> -b "ou=EUS_USERS,<SUFFIX_DN>" "cn=*" orclcommonattribute
dn: CN=<CN1>,OU=EUS_USERS,<SUFFIX_DN>
orclcommonattribute: <HASHED_PASSWORD>
dn: CN=<CN2>,OU=EUS_USERS,<SUFFIX_DN>
orclcommonattribute: <HASHED_PASSWORD>
...
Here a non-admin user means a user with no administrative privileges in the directory who can nonetheless log into the database successfully through sqlplus using EUS.
- Anonymous users can return the orclcommonattribute when ldapsearch runs against OUD Proxy -
./ldapsearch -p <PROXY_LDAP_PORT> -b "ou=EUS_USERS,<SUFFIX_DN>" "cn=*" orclcommonattribute
dn: CN=<CN1>,OU=EUS_USERS,<SUFFIX_DN>
orclcommonattribute: <HASHED_PASSWORD>
dn: CN=<CN2>,OU=EUS_USERS,<SUFFIX_DN>
orclcommonattribute: <HASHED_PASSWORD>
...
- Going directly against AD as a non-admin user will return orclcommonattribute -
./ldapsearch -h <AD_HOST> -D "CN=<CN1>,OU=EUS_USERS,<SUFFIX_DN>" -w <PASSWORD> -b "ou=EUS_USERS,<SUFFIX_DN>" "cn=*" orclcommonattribute
dn: CN=<CN1>,OU=EUS_USERS,<SUFFIX_DN>
orclCommonAttribute: <HASHED_PASSWORD>
dn: CN=<CN2>,OU=EUS_USERS,<SUFFIX_DN>
orclCommonAttribute: <HASHED_PASSWORD>
...
- Going directly against AD anonymously causes an error -
SEARCH operation failed
Result Code: 1 (Operations Error)
Additional Information: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
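The following script is an added example and is not part of the Oracle note or of OUD itself. It wraps the same ldapsearch probes shown above (non-admin bind and anonymous, both against the proxy) and reduces the output to a one-line verdict, so the check can be re-run after the Virtual ACIs are configured to confirm that orclcommonattribute no longer comes back. The environment variable names (LDAPSEARCH, PROXY_HOST, PROXY_LDAP_PORT, SUFFIX_DN, NONADMIN_DN, NONADMIN_PW) are assumptions chosen for this example; the sample outputs embedded in the script are constructed from the note's examples with placeholder hashes.

```shell
#!/bin/sh
# Added example, not part of the Oracle note. It probes an OUD Proxy for
# orclcommonattribute exposure the way the ldapsearch commands in the note do,
# and turns the output into a one-line verdict so the check can be repeated
# after the Virtual ACIs are in place.
#
# Assumptions (hypothetical names, supplied by the caller): the OUD ldapsearch
# tool is on PATH or named by LDAPSEARCH; PROXY_HOST, PROXY_LDAP_PORT and
# SUFFIX_DN describe the proxy; NONADMIN_DN / NONADMIN_PW are the credentials
# of an EUS user without directory administration rights.
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"
PROXY_HOST="${PROXY_HOST:-localhost}"
PROXY_LDAP_PORT="${PROXY_LDAP_PORT:-1389}"
SUFFIX_DN="${SUFFIX_DN:-dc=example,dc=com}"

# probe_summary: read ldapsearch output (LDIF on success, the error text on
# failure) from stdin and print "entries=N hashes=M VERDICT".
#   LEAK          at least one orclcommonattribute value was returned
#   BIND_REQUIRED the server refused the search because no bind was done
#                 (AD's behaviour for anonymous searches, as in the note)
#   NO_ENTRIES    nothing came back at all
#   CLEAN         entries came back but none carried orclcommonattribute
# Attribute names are matched case-insensitively because AD returns
# orclCommonAttribute while the proxy returns orclcommonattribute; the "::"
# base64 form of LDIF is covered by the same pattern.
probe_summary() {
    out=$(cat)
    entries=$(printf '%s\n' "$out" | grep -c '^dn:' || true)
    hashes=$(printf '%s\n' "$out" | grep -ic '^orclcommonattribute:' || true)
    if [ "$hashes" -gt 0 ]; then
        verdict=LEAK
    elif printf '%s\n' "$out" | grep -q 'successful bind must be completed'; then
        verdict=BIND_REQUIRED
    elif [ "$entries" -eq 0 ]; then
        verdict=NO_ENTRIES
    else
        verdict=CLEAN
    fi
    printf 'entries=%s hashes=%s %s\n' "$entries" "$hashes" "$verdict"
}

# probe_proxy: run the note's search against the proxy with whatever bind
# options are passed (none = anonymous) and summarise the result.
probe_proxy() {
    "$LDAPSEARCH" -h "$PROXY_HOST" -p "$PROXY_LDAP_PORT" "$@" \
        -b "ou=EUS_USERS,$SUFFIX_DN" "cn=*" orclcommonattribute 2>&1 | probe_summary
}

# Constructed sample outputs, modelled on the note's examples (placeholder
# hashes, not real data), so probe_summary can be exercised without a server.
SAMPLE_LEAK='dn: CN=user1,OU=EUS_USERS,dc=example,dc=com
orclcommonattribute: {SSHA}cGxhY2Vob2xkZXI=
dn: CN=user2,OU=EUS_USERS,dc=example,dc=com
orclCommonAttribute:: e1NTSEF9cGxhY2Vob2xkZXI='
SAMPLE_CLEAN='dn: CN=user1,OU=EUS_USERS,dc=example,dc=com
dn: CN=user2,OU=EUS_USERS,dc=example,dc=com'
SAMPLE_AD_ANON='SEARCH operation failed
Result Code: 1 (Operations Error)
Additional Information: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580'

# Live run only when credentials are supplied; otherwise the functions are
# just defined for use from another script.
if [ -n "${NONADMIN_DN:-}" ]; then
    printf 'non-admin bind via proxy: '; probe_proxy -D "$NONADMIN_DN" -w "$NONADMIN_PW"
    printf 'anonymous via proxy:      '; probe_proxy
fi
```

Before the Virtual ACIs are configured both probes should report LEAK; afterwards the expected outcome is CLEAN (entries still returned, attribute withheld) or NO_ENTRIES, depending on how the ACI is scoped. Note that ACIs on the proxy are only evaluated for requests that pass through the proxy: as the last example in the note shows, a user who binds to AD directly still receives orclCommonAttribute, so that path has to be controlled on the AD side or by network reachability, not by the proxy.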
Solution
To view full details, sign in with your My Oracle Support account.
In this Document
Goal
- Example of Issue
Solution
- Create Virtual ACIs on OUD Proxy
- Configuring Virtual ACIs by Using Wildcards in the LDAP URL
References