Configuration, LDAP, OEM, OEM 13c, Oracle

OEM 13c and LDAP Authentication

Using LDAP to provide Oracle Enterprise Manager authentication was quite an interesting task. The biggest challenge was finding resources that did a decent job of mapping the elements of an LDAP tree to where Enterprise Manager needed them. I could find stuff about LDAP and then stuff about OEM, but never together in a way that worked for me. Granted I may have not searched hard enough, but in the end, I was able to pull together what I needed and decided to share with you just in case you are in the same boat. Our ultimate goal is to allow us to manage Oracle Enterprise Manager users through an LDAP server.

In this first part, we will get OEM 13c talking to my Microsoft 2008 R2 Server. Let’s take a look at the environment.

Let’s assume that your enterprise is already using LDAP for authentication and OEM 13c is installed and monitoring targets in your environment.  In this example, we will look at the Weblogic configuration and then Windows 2008 server setup to explore where the LDAP elements come from for OEM integration.

Weblogic Configuration

  1. Log into Weblogic and select Security Realms
  2. Click on myrealm
  3. Select the Providers tab
  4. Lock & Edit then select New
  5. Give the Provider a Name and select LDAPAuthenticator from the Type dropdown then click OK
  6. You should see the new Authentication Provider in the provider list. Click this new link.
  7. Select the Provider Specific tab and enter the required information.

Now that we are here, let’s figure out how to get information to populate those required fields. In order to do this, we need to take a look at a Windows Active Directory configuration.

Windows 2k8 Server Active Directory

Below is the Active Directory tree that we will traverse to configure OEM Authentication.

There is a tool, the Active Directory Administrative Center (ADAC), that you can use to get the correct LDAP syntax necessary to populate the Weblogic setup page.

Traverse the tree to the Organizational Unit where the “users” live: beta -> OEM Users -> LDAP Accounts -> Demo Accounts.

Then click in the address bar at the top. You will subsequently be presented with the LDAP syntax required for the Principal, which is the user account that has the necessary privileges to browse the Active Directory tree. What we should understand here is that LDAP syntax, read left to right, works its way from the bottom of the tree up.

Principal: CN=my_demo_oem,OU=Demo Accounts,OU=LDAP Accounts,OU=OEM Users,DC=beta,dc=dbaontap,DC=com

One thing you will notice here is that we cannot get down to the user name (CN=my_demo_oem) from this screen, which is what we really want. That said, double click on the Name and a window with the Account Details will open.

Credential: <password of the Principal login>
Confirm Credential: <password of the Principal login>

Continue to use this process for each element of the setup.

User Base DN: OU=OEM Users,DC=beta,dc=dbaontap,DC=com

This is the highest level in the tree that can contain users with authentication privileges into OEM. Basically, any user created within/under the OEM Users Organizational Unit will have a user account in OEM.

Group Base DN: OU=Security,OU=Groups,DC=beta,dc=dbaontap,DC=com

This is the highest level in AD where GROUPS will be resolved to OEM ROLES. Quite similar to the User Base DN.
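To make the "bottom up" reading of a DN and the scoping of the User Base DN and Group Base DN concrete, here is an added example (not code from the original post or from Oracle) that parses the DNs above and reports which entries WebLogic would resolve as users, which as groups, and which fall outside both bases. The sample group and service-account DNs are constructed; the parser assumes no escaped commas inside RDN values.

```python
# Added example (not from the original post): a small DN parser and scope check
# for the User Base DN / Group Base DN values in the WebLogic LDAPAuthenticator
# setup. Assumes no escaped commas inside RDN values.
from typing import Dict, List, Tuple

# DNs taken from the post; the sample entries further down are constructed.
PRINCIPAL_DN = "CN=my_demo_oem,OU=Demo Accounts,OU=LDAP Accounts,OU=OEM Users,DC=beta,dc=dbaontap,DC=com"
USER_BASE_DN = "OU=OEM Users,DC=beta,dc=dbaontap,DC=com"
GROUP_BASE_DN = "OU=Security,OU=Groups,DC=beta,dc=dbaontap,DC=com"

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=x,OU=y,DC=z' into [(type, value), ...], leaf first, root last.
    Attribute types ('dc=' vs 'DC=') and AD values are case-insensitive, so both are normalised."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN in DN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns

def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is at or below base_dn. A DN reads leaf-to-root, so the
    base's RDNs must be the trailing RDNs of the entry (the 'bottom up' rule)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

def scope_report(entry_dns: List[str], user_base: str, group_base: str) -> Dict[str, str]:
    """Classify each DN as 'user' (under User Base DN), 'group' (under Group Base DN)
    or 'out-of-scope' (the provider will never resolve it for OEM)."""
    report = {}
    for dn in entry_dns:
        if is_under_base(dn, user_base):
            report[dn] = "user"
        elif is_under_base(dn, group_base):
            report[dn] = "group"
        else:
            report[dn] = "out-of-scope"
    return report

if __name__ == "__main__":
    # Constructed samples: one group, and one account living outside the User Base DN.
    sample = [
        PRINCIPAL_DN,
        "CN=OEM Admins,OU=Security,OU=Groups,DC=beta,dc=dbaontap,DC=com",
        "CN=svc_backup,OU=Service Accounts,DC=beta,DC=dbaontap,DC=com",
    ]
    for dn, verdict in scope_report(sample, USER_BASE_DN, GROUP_BASE_DN).items():
        print(f"{verdict:13} {dn}")
```

Running it shows why an account placed outside OU=OEM Users will never be able to log into OEM even though the bind Principal can see it.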

Before going any further: as with most things, we can also get this information from the command line with ldifde. You can find plenty of examples on Google. Now that you have all the LDAP setup information, return to the Weblogic Provider Specific tab and enter the information as appropriate.

If you don’t like entering stuff via the Weblogic GUI, or don’t have access to Weblogic but do have access to the OMS, you can use the emctl command line tool. This entire setup can be configured with the following command (emctl is located in “Fusion Middleware Home/bin”):

./emctl config auth ad -ldap_host "beta.dbaontap.com" -ldap_port "389" -ldap_principal "CN=my_demo_oem,OU=Demo Accounts,OU=LDAP Accounts,OU=OEM Users,DC=beta,dc=dbaontap,DC=com" -ldap_credential "0Racle#1234" -user_base_dn "OU=OEM Users,DC=beta,dc=dbaontap,DC=com" -group_base_dn "OU=Security,OU=Groups,DC=beta,dc=dbaontap,DC=com" -sysman_pwd "password"

If all works, you should get the following message:

Oracle Enterprise Manager Cloud Control 13c Release 1
Copyright (c) 1996, 2015 Oracle Corporation.  All rights reserved.
Configuring LDAP Authentication … Started
Successfully validated connection to LDAP server
Configuring LDAP Authentication … Successful
If this is a multi-OMS environment, restart all OMS(s) using: 'emctl stop oms -all' and 'emctl start oms'
If use_ssl has been specified and the LDAP server certificate is self-signed, as part of the validation process, we have imported it into the keystore configured for Weblogic Server.

At this point you will need to stop and start the OMS:

./emctl stop oms -all
Oracle Enterprise Manager Cloud Control 13c Release 1
Copyright (c) 1996, 2015 Oracle Corporation. All rights reserved.
Stopping Oracle Management Server…
WebTier Successfully Stopped
Oracle Management Server Successfully Stopped
Oracle Management Server is Down
JVMD Engine is Down
Stopping BI Publisher Server…
BI Publisher Server Successfully Stopped
AdminServer Successfully Stopped
BI Publisher Server is Down

./emctl start oms
Oracle Enterprise Manager Cloud Control 13c Release 1
Copyright (c) 1996, 2015 Oracle Corporation. All rights reserved.
Starting Oracle Management Server…
WebTier Successfully Started
Oracle Management Server Successfully Started
Oracle Management Server is Up
JVMD Engine is Up
Starting BI Publisher Server …
BI Publisher Server Already Started
BI Publisher Server is Up

By default, you are still required to create the corresponding user in OEM even after you configure the authentication. Fortunately, you can enable auto-provisioning which will do this for you upon the first successful login to OEM by the user.

./emctl set property -name "oracle.sysman.core.security.auth.autoprovisioning" -value "true"

Oracle Enterprise Manager Cloud Control 13c Release 1
Copyright (c) 1996, 2015 Oracle Corporation. All rights reserved.
SYSMAN password: <enter the sysman password here>
Property oracle.sysman.core.security.auth.autoprovisioning for oms kappa.localdomain:4889_Management_Service has been set to value true
OMS restart is not required to reflect the new property value

This can be verified or modified within OEM. After logging in with the SYSMAN user: Setup -> Manage Cloud Control -> Management Servers

Under the Management Servers dropdown, select Configuration Properties.

Here you can see the Current Settings of a number of properties.

Once this is complete, all user accounts under the User Base DN in Active Directory will show up in the Users tab in Weblogic, and the users will be able to log in to OEM with their Active Directory credentials. Take a look at the images below:

Log back into Weblogic and take a look at the users: Security Realms -> myrealm -> Users and Groups

We can confirm that this account was created by querying LDAP on the Win2k8 server, because the Provider associated with the account is the one created when we configured the new Provider earlier.

Log into OEM with your Active Directory user credentials.

There we have it. Next time we will look at the role Groups and Roles play in this configuration.

Enjoy!

dbaOnTap


Also published on Medium.
