Overview Oracle Fusion Middleware Online Documentation Library

Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

Figure 6–1 Oracle Virtual Directory Multi-Layered Access Control and Authentication

6.2 Understanding Oracle Virtual Directory Authentication

This topic describes Oracle Virtual Directory authentication and contains the following sections:
■ Pass-Through Authentication
■ CRAM-MD5 and SASL Binding
■ Proxy Account Authentication
■ Client Certificate Authentication

6.2.1 Pass-Through Authentication

Figure 6–1 shows an LDAP client binding through the LDAP Listener to Oracle Virtual Directory, where Virtual Directory Access Control is applied, and Oracle Virtual Directory binding on to the back-end sources (Standard LDAP, DB), where Source Access Control is applied. The client binds to Oracle Virtual Directory; Oracle Virtual Directory binds to the remote directory with either the client ID or the server ID, and the client identity is passed only when passcredentials is in use.

When an adapter has pass-through mode enabled and a user is to be authenticated to Oracle Virtual Directory, Oracle Virtual Directory uses the user-id and password credentials it receives to log in to the remote directory on the user's behalf, for password authentication only. If the authentication bind to the remote directory fails, Oracle Virtual Directory fails the attempted bind by the user. In this mode, the remote directory is responsible for confirming a user's credentials.

When passcredentials is set to never or is not supported by the selected adapter, Oracle Virtual Directory must perform the authentication of clients itself. For this to work, passwords in external directories must be stored in clear text or must use the CRYPT, SHA, or SSHA one-way hash. For Oracle Virtual Directory to determine which hash is being used, a prefix of the form {crypt} must be applied to the hashed text. If the proxied source does not use this format, you must set up a mapping rule to define it; the mapping rule adds the prefix that tells Oracle Virtual Directory how to handle a particular hash format. If no prefix is present, a normal text comparison is made.

In passcredentials never mode, Oracle Virtual Directory completes authentication by applying the hash algorithm named in the value returned from the adapter to the password provided by the user, and comparing the result with the value returned from the adapter.

6.2.2 CRAM-MD5 and SASL Binding

CRAM-MD5 is a challenge-response authentication mechanism (CRAM) based on the HMAC-MD5 MAC algorithm, which is built on MD5, a widely used cryptographic hash function with a 128-bit hash value. CRAM-MD5 is a Simple Authentication and Security Layer (SASL) bind mechanism used to authenticate to Oracle Virtual Directory. If the client supports CRAM-MD5, you can use it to keep passwords secret over the wire without using SSL. However, the CRAM-MD5 SASL mechanism requires that the server has a plain text version of the password: the server uses that password to exchange information other than the password itself, and from that exchange determines whether the password provided by an LDAP client is valid. If this mode is used, passwords must be stored in clear text in all local standard and proxied sources.
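The exchange described above, as an added example that is not Oracle Virtual Directory code: both sides of an RFC 2195 CRAM-MD5 bind, with the challenge and response carried base64-encoded as they would be on the wire. The host name, user name and password store are constructed for the example; the server-side check only succeeds when the store holds the clear-text password, which is why a source that stores {SHA}-style hashes cannot serve CRAM-MD5 binds.

```python
import base64
import hashlib
import hmac
import secrets
import time


def server_challenge(hostname):
    """Server side: a fresh, unique challenge in the '<random.timestamp@host>' form of RFC 2195."""
    return "<%d.%d@%s>" % (secrets.randbelow(10**9), int(time.time()), hostname)


def client_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed with the clear-text password over the challenge, as lower-case hex.
    The password itself never appears in the response."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (username, digest)


def server_verify(response, challenge, lookup_password):
    """Server side: recompute the HMAC from the stored password and compare in constant time.
    This only works if lookup_password returns the clear-text password; a {SHA}-style hash
    keys a different HMAC, so the comparison fails and the bind is rejected."""
    username, _, digest = response.partition(" ")
    stored = lookup_password(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def cram_md5_exchange(username, password, password_db, hostname="ovd.example.com"):
    """Both halves of the SASL exchange; each message crosses the wire base64-encoded."""
    challenge = server_challenge(hostname)
    wire_challenge = base64.b64encode(challenge.encode()).decode()      # S: + <b64 challenge>
    response = client_response(username, password, base64.b64decode(wire_challenge).decode())
    wire_response = base64.b64encode(response.encode()).decode()        # C: <b64 response>
    return server_verify(base64.b64decode(wire_response).decode(), challenge, password_db.get)


def sha_hashed(password):
    """Constructed {SHA} value, used only to show that a hashed store cannot serve CRAM-MD5."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


if __name__ == "__main__":
    # Constructed sample store; the user and password are the RFC 2195 example values.
    db = {"tim": "tanstaaftanstaaf"}
    print("clear-text store, good password:", cram_md5_exchange("tim", "tanstaaftanstaaf", db))
    print("clear-text store, bad password: ", cram_md5_exchange("tim", "wrong", db))
    print("hashed store, good password:    ",
          cram_md5_exchange("tim", "tanstaaftanstaaf", {"tim": sha_hashed("tanstaaftanstaaf")}))
```

With the RFC 2195 challenge `<1896.697170952@postoffice.reston.mci.net>`, user `tim` and password `tanstaaftanstaaf`, `client_response` yields `tim b913a602c7eda7a495b4e6e7334d3890`, the value given in the RFC; the last run above returns False because the server side has only a hash to key the HMAC with.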

6.2.3 Proxy Account Authentication

Oracle Virtual Directory uses a proxy or default account when authenticating users for which no password is available, when proxying users whose bind DN is outside of the adapter's namespace, or when passcredentials is set to never. Oracle Virtual Directory also uses the adapter's proxy user-id and password to authenticate both the Oracle Virtual Directory Root Manager Account and Anonymous to the connected LDAP Adapter directory. The default account is also used for users who authenticate using certificates. Therefore, when passcredentials mode is enabled, it is important to understand that the default account should be set to a non-privileged account (for example, anonymous in the remote directory), because there are many conditions under which the proxy account may be required to handle accounts that cannot be mapped to the current adapter.

Note: When a client binds without the use of a clear text password (for example, with a certificate), the server cannot pass the user's credentials to the proxied directory. Oracle Virtual Directory uses the configured adapter account to perform the bind verification and to perform the LDAP service requested. This is equivalent to what happens when passcredentials is set to never.
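The two behaviours described in sections 6.2.1 and 6.2.3 in one added example (not Oracle Virtual Directory code): `bind_identity` applies the rules for when the user's own credentials are passed through and when the adapter's proxy account is used instead, and `verify_password` performs the local check used in passcredentials never mode, honouring the {SHA}, {SSHA} and {CRYPT} prefixes and falling back to a plain text comparison when no prefix is present. `add_scheme_prefix` stands in for the mapping rule that adds a missing prefix. The adapter dictionary keys (`namespace`, `passcredentials`, `proxy_dn`), the DNs and the stored values are constructed for the example and are not Oracle Virtual Directory configuration attributes.

```python
import base64
import hashlib
import hmac
import os


def make_sha(password):
    """Produce an LDAP-style {SHA} value: base64 of SHA-1 over the password."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password, salt=None):
    """Produce an LDAP-style {SSHA} value: base64(SHA-1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def add_scheme_prefix(value, scheme):
    """Stand-in for the mapping rule the text describes: a source that returns bare hash
    values gets a {SCHEME} prefix so the verifier knows which algorithm to apply."""
    return value if value.startswith("{") else "{" + scheme.upper() + "}" + value


def verify_password(stored, supplied):
    """passcredentials=never: hash the supplied password with the algorithm named by the
    stored value's prefix and compare; a value with no prefix is compared as plain text."""
    if not stored.startswith("{") or "}" not in stored:
        return hmac.compare_digest(stored.encode(), supplied.encode())
    scheme, _, data = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(supplied.encode()).digest(), base64.b64decode(data))
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the remainder is the salt
        return hmac.compare_digest(hashlib.sha1(supplied.encode() + salt).digest(), digest)
    if scheme == "CRYPT":
        try:
            import crypt  # Unix crypt(3); absent on Windows and removed in Python 3.13
        except ImportError as exc:
            raise RuntimeError("{CRYPT} values need the crypt module") from exc
        return hmac.compare_digest(crypt.crypt(supplied, data), data)
    raise ValueError("unsupported password scheme {%s}" % scheme)


# Constructed adapter configuration and back-end contents for the example.
ADAPTER = {
    "namespace": "ou=people,dc=example,dc=com",
    "passcredentials": "always",                   # "never" switches to local verification
    "proxy_dn": "cn=ovd-proxy,dc=example,dc=com",  # keep this a non-privileged account
}
REMOTE_DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": make_ssha("correct horse", b"saltsalt"),
    "cn=bob,ou=people,dc=example,dc=com": make_sha("secret"),
}


def bind_identity(adapter, bind_dn, password):
    """Which credentials are presented to the back end: the user's own only in pass-through
    mode with a password and a DN inside the adapter namespace; otherwise the proxy account."""
    if password is None:  # certificate bind: no clear-text password to pass through
        return "proxy", adapter["proxy_dn"]
    if not bind_dn.lower().endswith(adapter["namespace"].lower()):
        return "proxy", adapter["proxy_dn"]  # bind DN outside the adapter's namespace
    if adapter["passcredentials"] == "never":
        return "proxy", adapter["proxy_dn"]
    return "client", bind_dn


def authenticate(adapter, bind_dn, password=None, cert_verified=False, remote=REMOTE_DIRECTORY):
    """Simulated bind returning (success, identity used for the back-end bind). In pass-through
    mode the remote directory checks the password (modelled here by the same verify); in never
    mode the value is fetched through the proxy account and verified locally; a certificate
    bind has no password to check and relies on the listener's certificate verification."""
    _, dn = bind_identity(adapter, bind_dn, password)
    stored = remote.get(bind_dn)
    if stored is None:
        return False, dn
    if password is None:
        return cert_verified, dn
    return verify_password(stored, password), dn


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=example,dc=com"
    print("pass-through:", authenticate(ADAPTER, alice, "correct horse"))
    print("never mode:  ", authenticate(dict(ADAPTER, passcredentials="never"), alice, "correct horse"))
    print("certificate: ", authenticate(ADAPTER, alice, None, cert_verified=True))
    bare = "5en6G6MezRroT3XKqkdPOmY/BfQ="  # SHA-1 of "secret" as a source without a prefix would return it
    print("bare value:  ", verify_password(bare, "secret"), "mapped:", verify_password(add_scheme_prefix(bare, "SHA"), "secret"))
```

The last line of the demo is the mapping-rule point from section 6.2.1: the bare value fails because it is compared as plain text, and the same value with a {SHA} prefix added verifies. The {CRYPT} branch uses the standard library's crypt(3) binding where that is available and is otherwise reported as unsupported rather than silently compared as text.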