Database authorization with AD authentication

888 867-5309 Member Posts: 15 Blue Ribbon
edited Dec 15, 2019 8:52PM in Database Security - General

Is there a supported configuration to allow database users to authenticate with MS Active Directory but authorization and all other security is maintained within the database?

The database is 12.2 on AIX 7.1.


Answers

  • Brian.B Member Posts: 56 Red Ribbon
    edited Aug 29, 2019 10:58AM

    Unfortunately, I can give you a firm answer, but here are my thoughts anyway. You would be better off upgrading to 19c if you want to do database authentication. There is better compatibility between Oracle and AD with 18c, something that doesn't exist as well in 12cR2. You can grant privileges and assign roles to users, probably including external users. Hence I don't see why you can't provide relevant grants through the database. I am planning on doing some AD authentication of users once I get further along with 19c upgrades.

  • SandiM Member Posts: 108 Blue Ribbon
    edited Aug 30, 2019 12:01PM

    I have recently set up and tested AD authentication with and without AD authorization in an Oracle 18c database. The setup requires special attention and needs to be done in a specific order.

    Working with the AD folks, we created one AD security group that maps to a Shared Schema on the database side, and additional AD security groups that map to database roles.

    The shared schema is used for application access, so on the database side I granted roles the application needs.

    The AD groups that map to database roles are used for database access via Toad or SQLPlus.

    Those few simple tests went well, but we're just getting started.

    I found the Oracle Database Security Guide 18c (E83683-09, March 2019), chapters 3 & 5, quite useful.

    Brian.B
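The following is an added illustration, not SandiM's configuration and not Oracle's sample code, of the kind of mapping described in the answer above, written with the centrally managed users (CMU) syntax that the 18c Security Guide covers. Every user, role, table and distinguished name is a hypothetical placeholder, and step 3 goes beyond the answer to show the case the original question asks about: authentication in AD with all privileges granted inside the database.

```sql
-- Added example. All names and DNs below are hypothetical placeholders;
-- the AD groups would be created by the AD team, and the database must
-- already be configured for AD connectivity.

-- 1. Shared schema: every member of one AD security group connects as
--    this single database user (used here for application access).
CREATE USER app_shared IDENTIFIED GLOBALLY AS
  'CN=ora_app_users,OU=groups,DC=example,DC=com';
GRANT CREATE SESSION TO app_shared;

--    Authorization stays in the database: a local role, defined and
--    granted by the DBA (assumes an existing table app_owner.orders).
CREATE ROLE app_read_role;
GRANT SELECT ON app_owner.orders TO app_read_role;
GRANT app_read_role TO app_shared;

-- 2. Global role: membership in a second AD group enables this role
--    at login (authorization driven by AD, e.g. for Toad or SQL*Plus users).
CREATE ROLE dba_support_role IDENTIFIED GLOBALLY AS
  'CN=ora_dba_support,OU=groups,DC=example,DC=com';
GRANT SELECT ANY DICTIONARY TO dba_support_role;

-- 3. Exclusive mapping: one AD user maps to one database user.
--    AD only authenticates; every privilege is a local grant.
CREATE USER jsmith IDENTIFIED GLOBALLY AS
  'CN=John Smith,OU=staff,DC=example,DC=com';
GRANT CREATE SESSION TO jsmith;
GRANT app_read_role TO jsmith;

-- 4. Check after connecting with AD credentials: which directory
--    identity logged in, which schema it landed in, and which roles
--    are active in the session.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS ad_login,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')    AS ad_dn,
       SYS_CONTEXT('USERENV', 'SESSION_USER')           AS db_user,
       SYS_CONTEXT('USERENV', 'IDENTIFICATION_TYPE')    AS id_type
FROM   dual;

SELECT role FROM session_roles ORDER BY role;
```

Reviewing the output of step 4 for a test account in each AD group confirms that group membership grants only the intended schema and roles before the mapping is used by real users.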
  • Brian.B Member Posts: 56 Red Ribbon
    edited Aug 30, 2019 2:03PM

    I am hoping to do the same in 19c. I will look through that guide. Thanks.

  • WorkCoverQLD DBA Member Posts: 13 Blue Ribbon
    edited Dec 15, 2019 8:52PM

    Hi SandiM. I'm interested in how you convinced the AD team to "expand" the AD schema using an Oracle-supplied utility. They were OK with that?