LDAP Authentication and the Recovery Appliance

The Recovery Appliance offers support for LDAP authentication, which grants named users reduced privileges to manage the Recovery Appliance through the RACLI. These user names, whether LDAP users or native OS users, appear in audit logs for the Recovery Appliance. Direct SSH access for root and oracle users can be removed from Recovery Appliance nodes.

An existing company LDAP infrastructure can be leveraged to allow OS-level LDAP configuration for compute server nodes. This requires shadow/posix user accounts on the LDAP server. The LDAP users need to belong to the raadmin group.

The LDAP user can belong to the following groups:

  • raadmin - required
  • dbmusers - used for monitoring Exadata.
  • oinstall

The group identifier (GID) is standardized for these groups.

  • During RA 23.1 (or later) install, you can use ra_preinstall.pl to define a specific GID.
  • During patch/upgrade from RA 19.x to RA 23.x, you can specify raadmin GID with ra_preinstall.pl.

Note:

If you have an existing RA 23.1 system with a conflicting GID for raadmin group, please open a support case so Oracle can review.

  1. Configure a Recovery Appliance compute server (RA DB node) to authenticate an OS user with LDAP following your data center (DC) standard.

    • Standard Linux packages in Exadata 22.x+ should generally be sufficient.
    • If additional packages are required, select the most relevant path.
      • You have an existing LDAP client authentication setup procedure used on Exadata systems
        1. Continue using the same process to configure LDAP client authentication on Recovery Appliance.
        2. Because these are non-standard, there is a chance you may need to uninstall them during OS and RA patching.
        3. Refer to MOS Note 2014361.1
      • You have never configured LDAP on an Engineered system and require non-standard Linux packages.
        1. Contact Oracle Support to confirm any risks with installing non-standard Linux packages on the compute server (RA DB) nodes.
  2. Confirm your LDAP-authenticated user is accessible on all of the Recovery Appliance compute server (RA DB) nodes in the cluster.

    getent passwd <USER_NAME>

    This confirms that the client configuration is correct for the name services and that the users are present.

  3. Add the authenticated user as a Recovery Appliance named OS admin user. With RACLI on a compute server node, issue the command to add that LDAP user as an admin_user.

    racli add admin_user --user_name=USER_NAME [--user_uid=USER_ID --user_gid=GROUP_ID]

    --user_name

    System user name to add to RACLI admin group.

    --user_uid

    Set the user identifier for the newly created admin user. Value must be >= 1003.

    During the installation of RA 19.x or later, you can define the raadmin uid with ra_preinstall.pl.

    --user_gid

    Set the initial login group identifier for the newly created admin user. A group number must refer to an already existing group. Value must be >= 1003.

    During the installation of RA 21.1 or later, you can define the gid with ra_preinstall.pl.
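The following script is an added example, not part of the Oracle documentation, of the pre-flight checks a practitioner would run on each compute server node between step 2 and step 3: it takes getent(1)-style passwd and group lines, verifies that the entry really belongs to the requested user, that the UID meets the documented minimum of 1003, and that the user is in raadmin (either as primary group or as a listed member), and then prints the matching racli add admin_user command. The function names, the sample passwd/group lines and the node names in live_precheck are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: pre-flight checks to run
# before "racli add admin_user" for an LDAP user. The function names and the
# sample getent output below are constructed for illustration.

# Constructed getent(1)-style lines standing in for a real LDAP lookup.
SAMPLE_PASSWD='ldapadmin:x:5001:1003:LDAP RA admin:/home/ldapadmin:/bin/bash'
SAMPLE_GROUP='raadmin:x:1003:ldapadmin,opsuser'
MIN_ID=1003   # documented minimum for --user_uid / --user_gid

# field <line> <n>: print colon-separated field n of a passwd/group line.
field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# uid_ok <passwd line>: succeed if the UID is numeric and >= MIN_ID.
uid_ok() {
    uid=$(field "$1" 3)
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$uid" -ge "$MIN_ID" ]
}

# in_raadmin <passwd line> <group line>: succeed if raadmin is the user's
# primary group or the user is listed among raadmin's members.
in_raadmin() {
    user=$(field "$1" 1)
    primary_gid=$(field "$1" 4)
    raadmin_gid=$(field "$2" 3)
    [ "$primary_gid" = "$raadmin_gid" ] && return 0
    field "$2" 4 | tr ',' '\n' | grep -qx "$user"
}

# precheck <user> <passwd line> <group line>: run all checks, report the
# first failure, succeed only when the user is ready for racli add admin_user.
precheck() {
    name=$(field "$2" 1)
    if [ "$name" != "$1" ]; then
        echo "FAIL: no passwd entry for '$1' (got '$name')"
        return 1
    fi
    if ! uid_ok "$2"; then
        echo "FAIL: UID $(field "$2" 3) of $1 is not >= $MIN_ID"
        return 1
    fi
    if ! in_raadmin "$2" "$3"; then
        echo "FAIL: $1 is not a member of raadmin"
        return 1
    fi
    echo "OK: $1 uid=$(field "$2" 3) gid=$(field "$2" 4) is in raadmin"
}

# racli_cmd <passwd line>: print the racli command for this user, using the
# UID and primary GID resolved from the name service.
racli_cmd() {
    printf 'racli add admin_user --user_name=%s --user_uid=%s --user_gid=%s\n' \
        "$(field "$1" 1)" "$(field "$1" 3)" "$(field "$1" 4)"
}

# live_precheck <user> [node ...]: the same checks against the real name
# service, locally or over ssh on each listed RA DB node (hypothetical names).
live_precheck() {
    user=$1; shift
    [ $# -eq 0 ] && set -- localhost
    rc=0
    for node in "$@"; do
        if [ "$node" = localhost ]; then
            pw=$(getent passwd "$user" 2>/dev/null || true)
            gr=$(getent group raadmin 2>/dev/null || true)
        else
            pw=$(ssh "$node" getent passwd "$user" 2>/dev/null || true)
            gr=$(ssh "$node" getent group raadmin 2>/dev/null || true)
        fi
        echo "== $node"
        precheck "$user" "$pw" "$gr" || rc=1
    done
    return $rc
}

# Demonstration with the constructed sample data (real use: live_precheck
# ldapadmin radb01 radb02, with the node names of your own cluster).
precheck ldapadmin "$SAMPLE_PASSWD" "$SAMPLE_GROUP" && racli_cmd "$SAMPLE_PASSWD"
```

Run live_precheck with every compute server node of the cluster listed; a FAIL on any single node means the LDAP client configuration is not consistent across the cluster and should be fixed before the racli command is issued.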

Additional non-standard packages

If you require additional packages which are non-standard, please review the two paths forward and pick the one which most aligns to your environment.

  1. You have an existing LDAP client authentication setup procedure, used on your Exadata systems, that includes the nonstandard packages.

    Continue using the same process to configure LDAP client authentication which you have been successfully using on your other Engineered systems.

    Because these are nonstandard, there is a chance you would need to uninstall them during OS Updates and RACLI Updates.

  2. You have never configured LDAP on an Engineered system and require non-standard Linux packages.

    Contact Support to confirm any risks with installing nonstandard Linux packages on the Database/Compute Server nodes.