Use Microsoft Active Directory with Autonomous Database
This configuration allows Active Directory users to access Autonomous Database using their Active Directory credentials including passwords and Kerberos.
- Prerequisites to Configure CMU with Microsoft Active Directory on Autonomous Database
You can configure Autonomous Database to authenticate and authorize Microsoft Active Directory users. - Configure CMU with Microsoft Active Directory on Autonomous Database
You can configure Autonomous Database to authenticate and authorize Microsoft Active Directory users. - Kerberos Authentication for CMU with Microsoft Active Directory
You can configure Autonomous Database to use Kerberos authentication for CMU with Microsoft Active Directory users. This configuration allows CMU Active Directory (CMU-AD) users to access an Autonomous Database instance using Kerberos credentials. - Add Microsoft Active Directory Roles on Autonomous Database
To add Active Directory roles, map the database global roles to Active Directory groups withCREATE ROLE
orALTER ROLE
statements (and include theIDENTIFIED GLOBALLY AS
clause). - Add Microsoft Active Directory Users on Autonomous Database
To add Active Directory users to access a database, map database global users to Active Directory groups or users withCREATE USER
orALTER USER
statements (withIDENTIFIED GLOBALLY AS
clause). - Tools Restrictions with Active Directory on Autonomous Database
- Connect to Autonomous Database with Active Directory User Credentials
After the ADMIN user completes the CMU Active Directory configuration steps and creates global roles and global users, users log in to the database using their Active Directory username and password. - Verify Active Directory User Connection Information with Autonomous Database
When users log in to the database using their Active Directory username and password, you can verify and audit the user activity. - Remove Active Directory Users and Roles on Autonomous Database
To remove Active Directory users and roles from Autonomous Databases, use standard database commands. This does not remove the related Active Directory users or groups that were mapped from the dropped database users or roles. - Disable Active Directory Access on Autonomous Database
Describes the steps to remove the CMU configuration from your Autonomous Database (and disable the LDAP access from your Autonomous Database to Active Directory).
Parent topic: Manage Users
Prerequisites to Configure CMU with Microsoft Active Directory on Autonomous Database
Depending on where the Active Directory servers reside, there are two options for configuring Autonomous Database with Centrally Managed Users (CMU) with Microsoft Active Directory:
-
Active Directory (AD) servers publicly accessible: the Active Directory servers are accessible from Autonomous Database through the public internet.
-
Active Directory (AD) servers reside on a private endpoint: the Active Directory servers reside on a private endpoint and are not accessible from Autonomous Database through the public internet. For this case, an extra configuration step is required as shown in last step in Configure CMU with Microsoft Active Directory on Autonomous Database where you set the database property
ROUTE_OUTBOUND_CONNECTIONS
.
See Use Azure Active Directory (Azure AD) with Autonomous Database for information on using Azure Active Directory with Autonomous Database. The CMU option supports Microsoft Active Directory servers but does not support the Azure Active Directory service.
The integration of Autonomous Database with Centrally Managed Users (CMU) provides integration with Microsoft Active Directory. CMU with Active Directory works by mapping Oracle database global users and global roles to Microsoft Active Directory users and groups.
The following are required prerequisites to configure the connection from Autonomous Database to Active Directory:
-
You must have Microsoft Active Directory installed and configured. See AD DS Getting Started for more information.
-
You must create an Oracle service directory user in Active Directory. See Connecting to Microsoft Active Directory for information on the Oracle service directory user account.
-
An Active Directory system administrator must have installed Oracle password filter on the Active Directory servers, and set up Active Directory groups with Active Directory users to meet your requirements.
Note
This is not required if you are using Kerberos authentication for CMU Active Directory. See Kerberos Authentication for CMU with Microsoft Active Directory for more information.If you use password authentication with CMU Active Directory for Autonomous Database, you must use the included utility
opwdintg.exe
to install the Oracle password filter on Active Directory, extend the schema, and create three newORA_VFR
groups for three types of password verifier generation. See Connecting to Microsoft Active Directory for information on installing the Oracle password filter. -
You need the CMU configuration database wallet,
cwallet.sso
and the CMU configuration filedsi.ora
to configure CMU for your Autonomous Database:-
If you have configured CMU for an on-premise database, you can obtain these configuration files from your on-premise database server.
-
If you have not configured CMU for an on-premise database, you need to create these files. Then you upload the configuration files to the cloud to configure CMU on your Autonomous Database instance. You can validate the wallet and the
dsi.ora
by configuring CMU for an on-premise database and verifying that an Active Directory user can successfully log on to the on-premise database with these configuration files.
For details on the wallet file for CMU, see Create the Wallet for a Secure Connection and Verify the Oracle Wallet.
For details on the
dsi.ora
file for CMU, see Creating the dsi.ora File.For details on configuring Active Directory for CMU and troubleshooting CMU for on-premise databases, see How To Configure Centrally Managed Users For Database Release 18c or Later Releases (Doc ID 2462012.1).
-
-
Port 636 of the Active Directory servers must be open to Autonomous Database in Oracle Cloud Infrastructure. This allows Autonomous Database to access the Active Directory servers.
-
When the Active Directory servers are on a public endpoint:
-
The Active Directory servers must be accessible from Autonomous Database through the public internet.
-
You can also extend your on-premise Active Directory to Oracle Cloud Infrastructure where you can set up Read Only Domain Controllers (RODCs) for the on-premise Active Directory. This allows you to use the RODCs in Oracle Cloud Infrastructure to authenticate and authorize on-premise Active Directory users for access to Autonomous Databases.
See Extend Active Directory integration in Hybrid Cloud for more information.
-
Parent topic: Use Microsoft Active Directory with Autonomous Database
Configure CMU with Microsoft Active Directory on Autonomous Database
To configure Autonomous Database for CMU to connect to Active Directory:
When you perform the configuration steps, connect to the database as the ADMIN user.
Note for CMU with Active Directory on Autonomous Database:
-
Only "password authentication" and Kerberos are supported for CMU with Autonomous Database. When you are using CMU authentication with Autonomous Database, other CMU authentication methods such as PKI are not supported.
See Disable Active Directory Access on Autonomous Database for instructions to disable the access from Autonomous Database to Active Directory.
See ENABLE_EXTERNAL_AUTHENTICATION Procedure for information on DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION
.
See Configuring Centrally Managed Users with Microsoft Active Directory for more information on configuring CMU with Microsoft Active Directory.
Parent topic: Use Microsoft Active Directory with Autonomous Database
Kerberos Authentication for CMU with Microsoft Active Directory
Kerberos can be configured with or without CMU-AD. Just configuring Kerberos requires you to create and maintain a database user for every Kerberos user. Configuring Kerberos with CMU allows you to map an Active Directory group of Kerberos users to a single database user, shared schema, so database access can be controlled by Active Directory group membership. See Configure Kerberos Authentication with Autonomous Database for details on configuring Kerberos without CMU-AD.
When implementing both the Kerberos authentication and CMU-AD for authorization, Oracle recommends implementing Kerberos authentication first, and then adding CMU-AD authorization.
Notes for using Kerberos authentication with CMU-AD:
-
You do not need to add the password filter when using Kerberos authentication with CMU-AD. See Prerequisites to Configure CMU with Microsoft Active Directory on Autonomous Database for more information.
-
Adding or removing Active Directory users is supported, in the same manner as with CMU with Active Directory when you are using password authentication. See Add Microsoft Active Directory Users on Autonomous Database for more information.
-
The existing restrictions about authenticating against the Autonomous Database Built-in Tools with CMU with Active Directory password also apply to CMU with Active Directory with Kerberos authentication. See Tools Restrictions with Active Directory on Autonomous Database for more information.
-
Use
DBMS_CLOUD_ADMIN.DISABLE_EXTERNAL_AUTHENTICATION
to disable CMU-AD with Kerberos authentication. See DISABLE_EXTERNAL_AUTHENTICATION Procedure for more information. -
When the CMU-AD servers are on a private endpoint, to use CMU-AD with Kerberos authentication the server host name used for generating the key tab must be set to the value of attribute
PUBLIC_DOMAIN_NAME
in theCLOUD_IDENTITY
column ofV$PDBS
. This value is different from the FQDN for a private endpoint database.
Parent topic: Use Microsoft Active Directory with Autonomous Database
Add Microsoft Active Directory Roles on Autonomous Database
To add Active Directory roles, map the
database global roles to Active Directory groups with CREATE ROLE
or
ALTER ROLE
statements (and include the IDENTIFIED GLOBALLY
AS
clause).
To add global roles for Active Directory groups on Autonomous Database:
See Configuring Authorization for Centrally Managed Users for more information on configuring roles with Microsoft Active Directory.
Parent topic: Use Microsoft Active Directory with Autonomous Database
Add Microsoft Active Directory Users on Autonomous Database
To add Active Directory users to access a database, map database global
users to Active Directory groups or users with CREATE USER
or ALTER
USER
statements (with IDENTIFIED GLOBALLY AS
clause).
The integration of Autonomous Database with Active Directory works by mapping Microsoft Active Directory users and groups directly to Oracle database global users and global roles.
To add global users for Active Directory groups or users on Autonomous Database:
See Configuring Authorization for Centrally Managed Users for more information on configuring users with Microsoft Active Directory.
Parent topic: Use Microsoft Active Directory with Autonomous Database
Tools Restrictions with Active Directory on Autonomous Database
Notes for using Autonomous Database tools with Active Directory:
- Oracle APEX is not supported for Active Directory users with Autonomous Database. See Create Oracle APEX Workspaces in Autonomous Database for information on using regular database users with Autonomous Database.
-
Database Actions is not supported for Active Directory users with Autonomous Database. See Provide Database Actions Access to Database Users for information on using regular database users with Autonomous Database.
-
Oracle Machine Learning Notebooks are not supported for Active Directory users with Autonomous Database. See Add Existing Database User Account to Oracle Machine Learning Components for information on using regular database users with Autonomous Database.
Parent topic: Use Microsoft Active Directory with Autonomous Database
Connect to Autonomous Database with Active Directory User Credentials
After the ADMIN user completes the CMU Active Directory configuration steps and creates global roles and global users, users log in to the database using their Active Directory username and password.
Do not log in using a Global User name. Global User names do not have a password and connecting with a Global User name will not be successful. You must have a global user mapping in your Autonomous Database in order to log in to the database. You cannot log in to the database with only global role mappings.
After configuring CMU with Active Directory on Autonomous Database and setting up Active Directory authorization, with global roles and global users, you can connect to your database using any of the connection methods described in Connect to Autonomous Database. When you connect, if you want to use an Active Directory user then use Active Directory user credentials. For example, provide a username in this form, "AD_DOMAIN\AD_USERNAME" (double quotes must be included), and use your AD_USER_PASSWORD for the password.
If your Autonomous Database instance is in Restricted
Mode, this mode only allows users with the RESTRICTED SESSION
privilege
to connect to the database. The ADMIN user has this privilege. You can use restricted
access mode to perform administrative tasks such as indexing, data loads, or other
planned activities. See Change Autonomous Database Operation Mode to Read/Write Read-Only or Restricted for more information.
Parent topic: Use Microsoft Active Directory with Autonomous Database
Verify Active Directory User Connection Information with Autonomous Database
When users log in to the database using their Active Directory username and password, you can verify and audit the user activity.
For example, when the user pfitch
logs in:
CONNECT "production\pfitch"/password@exampleadb_medium;
The Active Directory user's log on username (samAccountName) is
pfitch
and widget_sales_group
is the Active
Directory Group name, and widget_sales
is the database global user.
After pfitch
logs in to the database, the command SHOW
USER
shows the global user name:
SHOW USER;
USER is "WIDGET_SALES"
The following command shows the DN (Distinguished Name) of the Active Directory user:
SELECT SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') FROM DUAL;
For example you can verify this centrally managed user's enterprise identity:
SQL> SELECT SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') FROM DUAL;
SYS_CONTEXT('USERENV','ENTERPRISE_IDENTITY')
----------------------------------------------------------------------
cn=Peter Fitch,ou=sales,dc=production,dc=examplecorp,dc=com
The following command shows the
"AD_DOMAIN\AD_USERNAME
":
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') FROM DUAL;
For example, the Active Directory authenticated user identity is captured and audited when the user logs on to the database:
SQL> SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') FROM DUAL;
SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY')
----------------------------------------------------------------------
production\pfitch
See Verifying the Centrally Managed User Logon Information for more information.
Parent topic: Use Microsoft Active Directory with Autonomous Database
Remove Active Directory Users and Roles on Autonomous Database
To remove Active Directory users and roles from Autonomous Databases, use standard database commands. This does not remove the related Active Directory users or groups that were mapped from the dropped database users or roles.
To remove users or roles from Autonomous Database:
Parent topic: Use Microsoft Active Directory with Autonomous Database
Disable Active Directory Access on Autonomous Database
Describes the steps to remove the CMU configuration from your Autonomous Database (and disable the LDAP access from your Autonomous Database to Active Directory).
After you configure your Autonomous Database instance to access CMU Active Directory, you can disable the access as follows:
See DISABLE_EXTERNAL_AUTHENTICATION Procedure for more information.
Parent topic: Use Microsoft Active Directory with Autonomous Database