
OUD - How To Prevent a Non-Admin From Returning orclcommonattribute Used For EUS and OUD Proxy With Active Directory (Doc ID 2450495.1)

Last updated on APRIL 20, 2021

Applies to:

Oracle Unified Directory - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Goal

When Active Directory (AD) users log in to a database using EUS and OUD Proxy, the orclcommonattribute attribute in the user's AD entry is used to store the password. The value of orclcommonattribute is a hashed password.

This article goes over how to prevent non-admin users from retrieving the orclcommonattribute by configuring Virtual ACIs on OUD Proxy.

 

- Example of Issue

- A non-admin user can return orclcommonattribute when ldapsearch is run against OUD Proxy -

./ldapsearch -p <PROXY_LDAP_PORT> -D "cn=<CN1>,ou=eususers,<SUFFIX_DN>" -w <PASSWORD> -b "ou=eususers,<SUFFIX_DN>" "cn=*" orclcommonattribute
dn: CN=<CN1>,OU=EUSUsers,<SUFFIX_DN>
orclcommonattribute: <HASHED_PASSWORD>

dn: CN=<CN2>,OU=EUSUsers,<SUFFIX_DN>
orclcommonattribute: <HASHED_PASSWORD>

...

The non-admin user here is a user with no administrative privileges who can nevertheless log in to the database successfully through sqlplus using EUS.

- An anonymous user can return orclcommonattribute when ldapsearch is run against OUD Proxy -

./ldapsearch -p <PROXY_LDAP_PORT> -b "ou=eususers,<SUFFIX_DN>" "cn=*" orclcommonattribute
dn: CN=<CN1>,OU=EUSUsers,<SUFFIX_DN>
orclcommonattribute: <HASHED_PASSWORD>

dn: CN=<CN2>,OU=EUSUsers,<SUFFIX_DN>
orclcommonattribute: <HASHED_PASSWORD>

...

- Going directly against AD as a non-admin user also returns orclcommonattribute -

./ldapsearch -h <AD_HOST> -D "CN=<CN1>,OU=EUSUsers,<SUFFIX_DN>" -w <PASSWORD> -b "ou=eususers,<SUFFIX_DN>" "cn=*" orclcommonattribute
dn: CN=<CN1>,OU=EUSUsers,<SUFFIX_DN>
orclCommonAttribute: <HASHED_PASSWORD>

dn: CN=<CN2>,OU=EUSUsers,<SUFFIX_DN>
orclCommonAttribute: <HASHED_PASSWORD>
...

 

- Going directly against AD anonymously causes an error -

./ldapsearch -h <AD_HOST> -b "ou=eususers,<SUFFIX_DN>" "cn=*" orclcommonattribute
SEARCH operation failed
Result Code: 1 (Operations Error)
Additional Information: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
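Once Virtual ACIs are in place on OUD Proxy, the natural check is to rerun the searches above as the non-admin user and anonymously and confirm that no orclcommonattribute value comes back. The following shell snippet is an added example and is not part of this Oracle note: it wraps the same ldapsearch invocation shown above and inspects the LDIF it returns. The ldapsearch path, host, port and DN values are placeholders (assumptions), and the sample LDIF in the test is constructed. The match is case-insensitive on purpose, since AD returns the attribute as orclCommonAttribute while OUD Proxy returns it as orclcommonattribute.

```shell
#!/bin/sh
# Added example (not part of the Oracle note): verify that orclcommonattribute
# is no longer returned to non-admin or anonymous binds through OUD Proxy.
# LDAPSEARCH, hosts, ports and DNs below are placeholder assumptions.

LDAPSEARCH="${LDAPSEARCH:-./ldapsearch}"   # assumed path to the OUD ldapsearch tool

# Count result lines that carry the attribute. Reads LDIF on stdin.
# Case-insensitive because AD shows orclCommonAttribute and OUD Proxy shows
# orclcommonattribute. grep -c exits 1 on zero matches, hence the "|| true".
count_exposed_attr() {
    grep -i -c '^orclcommonattribute:' || true
}

# Succeeds (exit 0) only when no orclcommonattribute value is present on stdin.
check_no_exposure() {
    n=$(count_exposed_attr)
    [ "$n" -eq 0 ]
}

# Run the note's search against OUD Proxy, bound as BIND_DN or anonymously when
# BIND_DN is empty, and report whether the attribute is still exposed.
#   usage: probe_proxy HOST PORT "ou=eususers,<SUFFIX_DN>" [BIND_DN PASSWORD]
probe_proxy() {
    host=$1; port=$2; base=$3; bind_dn=$4; bind_pw=$5
    if [ -n "$bind_dn" ]; then
        out=$("$LDAPSEARCH" -h "$host" -p "$port" -D "$bind_dn" -w "$bind_pw" \
              -b "$base" "cn=*" orclcommonattribute)
    else
        out=$("$LDAPSEARCH" -h "$host" -p "$port" -b "$base" "cn=*" orclcommonattribute)
    fi
    if printf '%s\n' "$out" | check_no_exposure; then
        echo "OK: ${bind_dn:-anonymous} cannot read orclcommonattribute"
    else
        echo "EXPOSED: ${bind_dn:-anonymous} still receives orclcommonattribute"
        return 1
    fi
}
```

Run probe_proxy once with the non-admin bind DN and once with no bind DN; both should print OK after the ACIs are applied, while an administrative bind is expected to keep returning the attribute.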

 

Solution



In this Document
Goal
 - Example of Issue
Solution
 - Create Virtual ACIs on OUD Proxy
 - Configuring Virtual ACIs by Using Wildcards in the LDAP URL
References
