Database authorization with AD authenticatin

888 867-5309

Is there a supported configuration to allow database users to authenticate with MS Active Directory but authorization and all other security is maintained within the database.  

The database is 12.2 on AIX 7.1  

Brian.B

Unfortunately, I can give you a firm answer, but here are my thoughts anyway. You would be better off upgrading to 19c  if you want to do database authentication. There is better compatibility between Oracle and AD with 18c, something that doesn't exist as well in 12cR2. You can grant privileges and assign roles to user, probably including external users. Hence I don't see why you can't provide relevant grants through the database. I am planning on doing some AD authentication of users once I get further along with 19c upgrades.

SandiM

I have recently setup and tested AD authentication with and without AD authorization in an Oracle 18c database. The setup requires special attention and needs to be done in a specific order.

Working with the AD folks, we created one AD security group that maps to a Shared Schema on the database side, and additional AD security groups that map to database roles.

The shared schema is used for application access so on the database side I granted roles the application needs.

The AD groups that map to database roles are used for database access via Toad or SQLPlus.

Those few simple tests went well, but we're just getting started.

I found the Oracle Database Security Guide 18c E83683-09 March 2019 chapters 3&5 quite useful.

Brian.B

I am hoping to do the same in 19c. I will look through that guide. Thanks.

WorkCoverQLD DBA

Hi SandiM. I'm interested in how you convinced the AD team to "expand" the AD schema using an Oracle supplied utility.. They were ok with that ?