Oracle Internet Directory Administrator's Guide
Release 9.0.2

Part Number A95192-01

17 Directory Storage of User Authentication Credentials

This chapter explains how Oracle Internet Directory centrally stores security credentials for easy administration by end users and administrators.

This chapter contains these topics:

    • About Centralized Storage of User Authentication Credentials

    • Storing Password Verifiers for Authenticating to Oracle Internet Directory

    • Storing Passwords for Authenticating to Oracle Components

About Centralized Storage of User Authentication Credentials

Oracle Internet Directory centrally stores security credentials as directory data to make their administration easy for both end users and administrators. When a user leaves a company or changes jobs, that user's privileges should change the same day to guard against misuse of old or unused accounts and privileges. In large enterprises, with user accounts and passwords distributed over multiple databases, an administrator may not be able to make all the changes as quickly as good security requires without centralized password administration.

Oracle Internet Directory stores:

Users can store non-Oracle authentication credentials if the non-Oracle applications are directory enabled. These applications must create their own container under the Products entry.

Storing Password Verifiers for Authenticating to Oracle Internet Directory

Oracle Internet Directory stores a user's directory password in the userPassword attribute. You can protect this password by storing it as a base 64 encoded string of a one-way hashed value using one of Oracle Internet Directory's supported hashing algorithms. Storing passwords as one-way hashed values--rather than as encrypted values--more fully secures them because a malicious user can neither read nor decrypt them.

During authentication to a directory server, clients supply a password to the directory server in clear text. The directory server hashes this password by using the hashing algorithm specified in the root directory-specific entry (DSE) attribute orclCryptoScheme. It then compares the result with the hashed password stored in the binding entry's userPassword attribute. If the hashed password values match, then the server authenticates the user. If they do not match, then the server sends the user an "Invalid Credentials" error message.

During installation, Oracle Universal Installer prompts you to set the one-way hashing scheme for protecting users' passwords to the directory. It presents you with these options:

The hashing algorithm value you specify at installation is stored in the orclCryptoScheme attribute in the root DSE. You can change that value by using either Oracle Directory Manager or ldapmodify.

Managing Password Protection by Using Oracle Directory Manager

You must be a super user to do the following.

To change the type of password protection by using Oracle Directory Manager:

  1. In the navigator pane, expand Oracle Internet Directory Servers and select the directory server instance for which you want to reset password hashing. The corresponding tab pages for that directory server appear in the right pane.

  2. In the System Operational Attributes tab page, in the Password Encryption field, select the type of password hashing you want to use. Options are:

    • MD4

    • MD5

    • SHA

    • UNIX Crypt

    • None. This option specifies that user passwords are stored in clear text.

  3. Click Apply.

Managing Password Protection by Using ldapmodify

The following example changes the password hashing algorithm to SHA by using an LDIF file named my_ldif_file:

ldapmodify -D cn=orcladmin -w welcome -h myhost -p 389 -v -f my_ldif_file

The LDIF file, my_ldif_file, contains:

# An empty DN addresses the root DSE, which holds orclcryptoscheme
dn:
changetype: modify
replace: orclcryptoscheme
orclcryptoscheme: SHA

See Also:

"Protection of User Passwords for Directory Authentication"

Storing Passwords for Authenticating to Oracle Components

Oracle components store both passwords and password verifiers in Oracle Internet Directory. This section contains these topics:

    • About Password Verifiers

    • Attributes for Storing Password Verifiers

    • Example: How Password Verification Works

    • Managing Password Verifier Profiles by Using Oracle Directory Manager

    • Managing Password Verifier Profiles by Using Command-Line Tools

About Password Verifiers

Oracle components can store their password values in Oracle Internet Directory as password verifiers. A password verifier is a hashed version of a clear text password. This hashed version is then encoded as a BASE64 encoded string.

You can choose one of these hashing algorithms to derive a password verifier:

During Oracle application installation, the Oracle Universal Installer creates for that application a password verifier profile entry containing all the necessary password verification information. It places this entry as shown in Figure 17-1: immediately below the application entry, which resides under the products entry, which, in turn, resides under the subscriber-specific or default Oracle context.

This verifier profile entry applies only to users under the given subscriber. It does not apply to users under a different subscriber. Before verifier generation can succeed, the orclcommonusersearchbase attribute in the common entry of the subscriber Oracle context must be set to the appropriate value.

Figure 17-1 Location of the Password Verifier Profile Entry (illustration oidag045.gif)

Attributes for Storing Password Verifiers

Unlike the directory, which stores user passwords in the userPassword attribute, Oracle components store user password verifiers in one of two password attribute types--authPassword and orclPasswordVerifier--within the user entry. Each attribute type has appID as an attribute subtype. The appID attribute is a unique identifier representing an Oracle application server or authenticating identity. It is generated during application installation. For example, the appID can be the ORCLGUID of the application entry. This uniquely identifies a particular application.

Table 17-1 Attributes for Storing Password Verifiers in User Entries
Attribute Description

authPassword;appID

A password for authenticating a user to an application. The password value is the same as that used for authenticating the user to the directory, and is synchronized with it. For example, userpassword.

Several different applications can require the user to enter the same clear text password used for the directory, but each application may hash it with a different algorithm. In this case, the same clear text password can become the source of several different password verifiers.

This attribute is multivalued and can contain all the other verifiers that different applications use for this user's clear text password. If the userpassword is modified, the authpasswords for all applications are regenerated.

orclPasswordVerifier;appID

A password for authenticating a user to an application. However, unlike passwords stored in the authPassword attribute, it is different from that for authenticating to the directory, and is not synchronized with it.

Like authPassword, this attribute is multivalued and can contain all the other verifiers that different applications use for this user's clear text password.

In Figure 17-2, various Oracle components store their password verifiers in Oracle Internet Directory. Oracle9iAS Single Sign-On uses the same password as that for the directory, and hence stores it in the userPassword attribute. The other applications use different passwords and hence store their verifiers in the orclPasswordVerifier attribute.

The following is an example of an Application-Verifier Profile:

dn: cn=IFSVerifierProfileEntry,cn=IFS,cn=Products,cn=OracleContext,o=Oracle,dc=com
objectclass: top
objectclass: orclpwdverifierprofile
cn: IFSVerifierProfileEntry
orclappid: 8FF2DFD8203519C0E034080020C34C50
orclpwdverifierparams;authpassword: crypto:SASL/MD5 $ realm:dc=com
orclpwdverifierparams;orclpasswordverifier: crypto:ORCLLM

Figure 17-2 Authentication Model (illustration oidag046.gif)

Example: How Password Verification Works

Figure 17-3 shows an example of password verification. In this example, the Oracle component stores its password verifiers in the directory.

Figure 17-3 How Password Verification Works (illustration oidag047.gif)

  1. The user tries to log in to an application by entering a user name and a clear text password.

  2. The application sends the clear text password to the directory server. If the application stores password verifiers in the directory, then the application requests the directory server to compare this password value with the corresponding one in the directory.

  3. The directory server generates a password verifier by using the hashing algorithm specified for the particular application. It compares this password verifier with the corresponding password verifier in the directory. It then notifies the application of the result of the compare operation. For the compare operation to succeed, the application must provide its appID as the subtype of the verifier attribute. For example:

    ldapcompare -p 389 -D "<dn of the app entity>" -w "<password>" -b "<dn of the user>" -a "orclpasswordverifier;<appID>" -v "<password of the user>"

  4. Depending on the message from the directory server, the application either authenticates the user or not.

If an application does not use the compare operation, then it simply retrieves from the directory the stored hash of the user's password. The application then hashes the clear text password the user entered and compares the two values. If they match, then the application authenticates the user.
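The following is a constructed Python model of the verifier layout and compare flow described in this section and in "Attributes for Storing Password Verifiers"; it is an added example, not Oracle code. The appIDs are placeholders, and the SASL/MD5 verifier is modelled as the DIGEST-MD5 H(username:realm:password) hash, which is an assumption about the scheme.

```python
import base64
import hashlib
import hmac
# Constructed model, not Oracle code: userPassword holds the directory hash chosen by
# orclCryptoScheme; authPassword;appID verifiers derive from the same clear-text password,
# while orclPasswordVerifier;appID verifiers come from a separate application password.
ORCL_CRYPTO_SCHEME = "SHA"
# Placeholder appIDs; "crypto" values use the orclPwdVerifierParams syntax from the page.
VERIFIER_PROFILES = {
    "APPID-A-PLACEHOLDER": {"attr": "authPassword", "crypto": "SASL/MD5 $ realm:dc=com"},
    "APPID-B-PLACEHOLDER": {"attr": "orclPasswordVerifier", "crypto": "MD5"},
}

def make_verifier(crypto, username, password):
    """Hash a clear-text password according to a 'crypto:...' parameter; base64-encode it."""
    parts = [p.strip() for p in crypto.split("$")]
    scheme = parts[0]
    if scheme == "SASL/MD5":
        # Assumption: modelled as the DIGEST-MD5 H(username:realm:password) of RFC 2831.
        realm = dict(p.split(":", 1) for p in parts[1:])["realm"]
        digest = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    elif scheme in ("SHA", "MD5"):
        digest = hashlib.new({"SHA": "sha1", "MD5": "md5"}[scheme], password.encode()).digest()
    else:
        raise ValueError(f"unsupported crypto scheme: {scheme}")
    return "{" + scheme + "}" + base64.b64encode(digest).decode()

def set_directory_password(entry, password):
    """Set userPassword and regenerate every synchronized authPassword;appID verifier."""
    entry["userPassword"] = make_verifier(ORCL_CRYPTO_SCHEME, entry["uid"], password)
    for app_id, prof in VERIFIER_PROFILES.items():
        if prof["attr"] == "authPassword":
            entry[f"authPassword;{app_id}"] = make_verifier(prof["crypto"], entry["uid"], password)

def set_application_password(entry, app_id, password):
    """Set an orclPasswordVerifier;appID value; it is not synchronized with userPassword."""
    prof = VERIFIER_PROFILES[app_id]
    entry[f"{prof['attr']};{app_id}"] = make_verifier(prof["crypto"], entry["uid"], password)

def ldap_compare(entry, attribute, password):
    """Server-side compare: the appID subtype selects the profile used to hash the value."""
    attr, _, app_id = attribute.partition(";")
    if attr == "userPassword":
        crypto = ORCL_CRYPTO_SCHEME
    elif app_id in VERIFIER_PROFILES and VERIFIER_PROFILES[app_id]["attr"] == attr:
        crypto = VERIFIER_PROFILES[app_id]["crypto"]
    else:
        return False  # no (or unknown) appID subtype: the compare cannot succeed
    return attribute in entry and hmac.compare_digest(entry[attribute], make_verifier(crypto, entry["uid"], password))
```

Changing the directory password regenerates the authPassword;appID values but leaves orclPasswordVerifier;appID untouched, and a compare without the appID subtype fails, matching the behaviour the text describes.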

Managing Password Verifier Profiles by Using Oracle Directory Manager

You can use Oracle Directory Manager to view and modify password verifier profile entries.

Viewing and Modifying a Password Verifier Profile by Using Oracle Directory Manager

To view an application's password verifiers:

  1. In the navigator pane, expand Oracle Internet Directory Servers > directory_server_instance, then select Password Verifier Management. The right pane displays two columns:

    • Path to Password Verifier Entry column lists the full DN of each password verifier profile entry

    • Password Verifier Entry column lists the corresponding RDNs of each password verifier profile entry

  2. Choose the password verifier you want to view. This displays the Password Verifier Profile dialog box for that password verifier. Table 17-2 lists and describes the fields in this dialog box.

  3. To modify the hashing algorithm used to generate a password verifier, enter the new value in the OrclPwdVerifierParams field as described in Table 17-2.

    Table 17-2 Password Verifier Profile Dialog Box
    Field Description

    Path to Password Verifier Entry

    The full DN of this password verifier entry. Use this to locate a particular password verifier entry. You cannot modify this field.

    Password Verifier Entry

    RDN of this password verifier. You cannot modify this field.

    Application ID

    The unique identifier of the Oracle application. It is generated during application installation. You cannot modify this field.

    Oracle Password Parameters

    Parameters containing information for generating this password verifier. Use this field to specify the hashing algorithm for this password verifier. The syntax is:

    crypto:hashing_algorithm
    

    For example, if you are using the ORCLLM hashing algorithm, then you would enter:

    crypto:ORCLLM
    

    If you are using SASL/MD5, for example, you can enter the following:

    crypto:SASL/MD5 $ realm:dc=com
    

Managing Password Verifier Profiles by Using Command-Line Tools

Viewing a Password Verifier Profile by Using Command-Line Tools

To view an application's password verifier, perform a search specifying the DN of the password verifier profile.

Modifying a Password Verifier Profile by Using Command-Line Tools

The following example changes the hashing algorithm in an application password verifier profile entry. This password verifier synchronizes with the user's directory password.

ldapmodify -p 389 -h my_host -v <<EOF
dn: cn=MyAppVerifierProfileEntry,cn=MyApp,cn=Products,cn=OracleContext,o=my_company,dc=com
changetype: modify
replace: orclPwdVerifierParams
orclPwdVerifierParams;authPassword: crypto:SASL/MD5 $ realm:dc=com
EOF

Copyright © 1999, 2002 Oracle Corporation.

All Rights Reserved.