
How to integrate Oracle9iAS Portal with Active Directory


Takeaway: The Oracle Internet Directory provided with Oracle9iAS Portal v9.0.2 has no native integration with Microsoft Active Directory. You can still integrate the two systems for enterprisewide single sign-on with a Java servlet.


By Sanjeev Malik

One tough challenge architects face is implementing enterprisewide single sign-on systems. As enterprise portals become more important than ever, companies are facing the challenge of minimizing user hassle without decreasing security.

Oracle9iAS Portal (9iAS Release 2) provides Oracle Internet Directory (OID) based authentication, which helps companies implement enterprisewide single sign-on. OID supports the industry-standard LDAP v3 protocol, and Oracle Portal provides a hook for a custom login procedure. With these two capabilities, companies can integrate Oracle9iAS Portal authentication with third-party directory servers and implement single sign-on with existing user IDs and passwords.

Many organizations use Microsoft Active Directory for their network authentication. So, it becomes an obvious choice for companies to use existing Microsoft Active Directory-based user IDs and passwords for Oracle9iAS Portal authentication.

Oracle9iAS v9.0.2 or higher allows companies to integrate Oracle9iAS with third-party directory servers such as iPlanet. However, it doesn't provide out-of-the-box integration with Microsoft Active Directory. Oracle9iAS 9.0.4 will have such out-of-the-box integration with Microsoft Active Directory, but, until then, companies can still integrate Microsoft Active Directory authentication with Oracle 9iAS Portal 9.0.2 or 9.0.3. Let's discuss how this can be done.

Batch user creation
To use the Portal security framework, you need to have Portal users and groups created in OID. There are various ways you can accomplish this. You can use the OID Administrator tool, Portal user and group administration under the Administer tab, or the LDAP batch upload. If your company has a large user base in Microsoft Active Directory, I recommend the LDAP batch load, which I will explain here.

For batch upload, you can use standard LDAP Data Interchange Format (LDIF) utilities. Microsoft provides an LDIFDE utility to export Microsoft Active Directory data; it generates an ASCII text file in LDIF format that can be used to import users into OID.

Depending on the complexity of the directory tree and the differences between Microsoft Active Directory and OID, you may want to generate the LDIF file with a scripting language, such as Perl or VBScript. You can find a sample script for exporting the data from Microsoft Active Directory in the Microsoft Knowledge Base.

You can also use standard OID utilities, such as ldapadd, ldapmodify, or bulkload to import data. See Chapter 7 "Managing Directory Entries" in the Oracle Internet Directory Administrator's Guide Release 9.0.2 (you'll need an Oracle.com user ID and password to access this guide), for an explanation of these utilities.

Password synchronization
Password synchronization is also a major challenge because Active Directory and OID use different mechanisms to protect stored passwords. I tried various methods for password synchronization but was unable to build a robust, scalable, and secure solution until I decided to change the OID password after each successful authentication with Microsoft Active Directory.

The custom login application I created asks Portal users to enter their Microsoft Active Directory username and password as shown in Figure A. Then, it authenticates with Active Directory using the given user ID and password. If the Microsoft Active Directory authentication is successful, it changes the OID password to match. That way, the Oracle 9iAS Portal password in OID will always synchronize with Microsoft Active Directory.

Figure A: Authentication Demo


Active Directory authentication
Using JNDI for portability, I built the Java servlet shown in Listing A (login.java), which takes a username and password as input. The servlet uses a JNDI call to authenticate those credentials against Active Directory. Once Active Directory authentication succeeds, it searches for the user in OID and, if the user exists, changes the OID password for that user to the given password. The JNDI calls are surprisingly fast and each call finishes in a few seconds.
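The flow just described (bind to Active Directory with the submitted credentials, then replace the matching OID entry's userPassword with an administrative bind), as an added example that is not the article's Listing A. It assumes ldaps:// URLs on port 636, the user base DN cn=Users,dc=example,dc=com, and that the OID administrator binds as cn=orcladmin; the other values mirror login.properties.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
public class DirectoryServices {
    // Assumed settings; the article loads these from login.properties.
    static final String AD_URL = "ldaps://primarydomainservername:636";
    static final String AD_DOMAIN = "ActiveDirectoryDomainName";
    static final String OID_URL = "ldaps://youroidservername:636";
    static final String OID_ADMIN_DN = "cn=orcladmin";
    static final String OID_ADMIN_PW = "PasswordForOrcladmin";
    static final String OID_USER_BASE = "cn=Users,dc=example,dc=com"; // assumed base DN
    private static Hashtable<String, String> ldapEnv(String url, String principal, String secret) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, secret);
        return env;
    }
    /** True only if AD accepts a simple bind as DOMAIN\user with this password. */
    static boolean authenticateWithAD(String userId, String password) {
        // An empty password turns the simple bind into an anonymous one that "succeeds"; reject it first.
        if (password == null || password.isEmpty()) return false;
        try {
            new InitialDirContext(ldapEnv(AD_URL, AD_DOMAIN + "\\" + userId, password)).close();
            return true;
        } catch (NamingException e) {
            return false; // invalid credentials or directory unreachable
        }
    }
    /** Replaces userPassword on the matching OID entry; false if the user has no OID account. */
    static boolean syncOIDPassword(String userId, String password) throws NamingException {
        DirContext ctx = new InitialDirContext(ldapEnv(OID_URL, OID_ADMIN_DN, OID_ADMIN_PW));
        try {
            SearchControls sc = new SearchControls(); sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Escape the user ID (RFC 4515) so it cannot rewrite the search filter.
            String safeId = userId.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
            NamingEnumeration<SearchResult> hits = ctx.search(OID_USER_BASE, "(cn=" + safeId + ")", sc);
            if (!hits.hasMore()) return false; // no OID account: deny; the batch load creates accounts
            String dn = hits.next().getNameInNamespace();
            ctx.modifyAttributes(dn, new ModificationItem[] { new ModificationItem(
                DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userPassword", password)) });
            return true;
        } finally {
            ctx.close();
        }
    }
}
```

The servlet should call syncOIDPassword only after authenticateWithAD returns true, and login.properties holds the orcladmin password, so keep that file outside the web root with permissions limited to the OC4J account.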

Development and deployment
To use the code, you need to make sure that supporting Java classes for the servlet and JNDI are in your Java CLASSPATH. Once the code is compiled, put the class files (login.class, DirectoryServices.class) in the $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes directory.

Then, create a property file (login.properties) with the following entries:
OracleInternetDirectoryServer = ldap://youroidservername:port
ActiveDirectoryLDAPServer = ldap://primarydomainservername:port
PortalSSO = http://PortalSSOServer.domain.com
ActiveDirectoryDomain = ActiveDirectoryDomainName
OracleInternetDirectoryAdmin = orcladmin
OracleInternetDirectoryAdminPassword = PasswordForOrcladmin


Next, update the Portal SSO configuration table to register your Java servlet as the login URL:
SQL> connect orasso/orasso@iasdb
SQL> update WWSSO_LS_CONFIGURATION_INFO_T
set LOGIN_URL='http://<host.domain>:<port>/j2ee/servlet/login UNUSED UNUSED';
SQL> commit;


You should then be able to use Active Directory authentication with the Oracle9iAS Portal.