
OUD - How To Prevent a Non-Admin From Returning orclcommonattribute Used For EUS and OUD Proxy With Active Directory (Doc ID 2450495.1)

Last updated on FEBRUARY 03, 2019

Applies to:

Oracle Unified Directory - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Goal

 When Active Directory (AD) users log into a database using EUS and OUD Proxy, the orclcommonattribute is used to store the password in the user's AD entry. The value of the orclcommonattribute is a hashed password.

This article goes over how to prevent non-admin users from retrieving the orclcommonattribute by configuring Virtual ACIs on OUD Proxy.

 

= Issue Reproduced =

- Non-admin user can return orclcommonattribute when ldapsearch is run against OUD Proxy -

[oudhost]/refresh/home/Oracle/Middleware/7424ProxyEUS/OUD/bin> ./ldapsearch -p 7424 -D "cn=test1 user,ou=eususers,dc=example,dc=com" -w <PASSWORD> -b "ou=eususers,dc=example,dc=com" "cn=*" orclcommonattribute
dn: CN=test1 user,OU=EUSUsers,DC=example,DC=com
orclcommonattribute: <HASHED_PASSWORD>

dn: CN=test2 user,OU=EUSUsers,DC=example,DC=com
orclcommonattribute: <HASHED_PASSWORD>

...

 The non-admin user is a user that has no administrative privileges but can log into the database successfully through sqlplus using EUS.

- Anonymous user can return orclcommonattribute when ldapsearch is run against OUD Proxy -

./ldapsearch -p 7424 -b "ou=eususers,dc=example,dc=com" "cn=*" orclcommonattribute
dn: CN=test1 user,OU=EUSUsers,DC=example,DC=com
orclcommonattribute: <HASHED_PASSWORD>

dn: CN=test2 user,OU=EUSUsers,DC=example,DC=com
orclcommonattribute: <HASHED_PASSWORD>

...

- Going directly against AD as a non-admin user also returns orclcommonattribute -

./ldapsearch -h win2012r2std -D "CN=test1 user,OU=EUSUsers,DC=example,DC=com" -w <PASSWORD> -b "ou=eususers,dc=example,dc=com" "cn=*" orclcommonattribute
dn: CN=test1 user,OU=EUSUsers,DC=example,DC=com
orclCommonAttribute: <HASHED_PASSWORD>

dn: CN=test2 user,OU=EUSUsers,DC=example,DC=com
orclCommonAttribute: <HASHED_PASSWORD>
...

 

- Going directly against AD anonymously causes an error -

./ldapsearch -h win2012r2std -b "ou=eususers,dc=example,dc=com" "cn=*" orclcommonattribute
SEARCH operation failed
Result Code: 1 (Operations Error)
Additional Information: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
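The following is an added example, not part of this note or of OUD itself: a small audit script that repeats the note's anonymous and non-admin searches against OUD Proxy and reports which entries still return orclcommonattribute, so the exposure can be confirmed before the Virtual ACIs are created and verified as closed afterwards. The host, port, base DN and bind credentials are placeholders, and the path to OUD's ldapsearch binary is an assumption; the attribute match is case-insensitive because AD returns orclCommonAttribute while OUD Proxy returns orclcommonattribute.

```python
"""Audit whether orclcommonattribute is returned to non-admin or anonymous binds.

Added example; not from the Oracle note. Assumes OUD's ldapsearch is on PATH
(or pass its full path) and that host/port/base/bind values are replaced.
"""
import re
import subprocess

ATTR = "orclcommonattribute"

# Constructed sample output, mirroring the note's ldapsearch result (mixed case
# on purpose: AD and OUD Proxy spell the attribute name differently).
SAMPLE_LDIF = """dn: CN=test1 user,OU=EUSUsers,DC=example,DC=com
orclCommonAttribute: <HASHED_PASSWORD>

dn: CN=test2 user,OU=EUSUsers,DC=example,DC=com
orclcommonattribute: <HASHED_PASSWORD>
"""


def exposed_entries(ldif: str, attr: str = ATTR) -> list:
    """Return the DNs in LDIF output whose entry carries `attr`.

    The comparison is case-insensitive, so both orclcommonattribute (OUD Proxy)
    and orclCommonAttribute (AD) are counted. Error output such as
    'SEARCH operation failed' contains no dn: lines and yields an empty list.
    """
    exposed, dn = [], None
    for line in ldif.splitlines():
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif dn and re.match(rf"^{re.escape(attr)}\s*:", line, re.IGNORECASE):
            if dn not in exposed:
                exposed.append(dn)
    return exposed


def audit(host, port, base, bind_dn=None, password=None, ldapsearch="ldapsearch"):
    """Run the same search as the note (anonymous when bind_dn is None) and
    report the bind used, the ldapsearch exit code and any exposed DNs."""
    cmd = [ldapsearch, "-h", host, "-p", str(port), "-b", base]
    if bind_dn:
        cmd += ["-D", bind_dn, "-w", password or ""]
    cmd += ["cn=*", ATTR]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    hits = exposed_entries(proc.stdout + proc.stderr)
    return {"bind": bind_dn or "anonymous", "rc": proc.returncode, "exposed": hits}


if __name__ == "__main__":
    # Offline demo on the constructed sample; replace with audit(...) calls
    # against the proxy, once anonymous and once as a non-admin user.
    print(exposed_entries(SAMPLE_LDIF))
```

An empty `exposed` list for both the anonymous and the non-admin bind is the expected result once the Virtual ACIs are in place; any DN listed means the hashed password is still readable.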

 

Solution
