LDAP Authentication and the Recovery Appliance
The Recovery Appliance supports LDAP authentication, which grants named users reduced privileges to manage the Recovery Appliance through the RACLI. These user names, whether LDAP users or native OS users, appear in the Recovery Appliance audit logs, so administrative actions are attributable to an individual rather than to a shared account. Direct SSH access for the root and oracle users can then be removed from the Recovery Appliance nodes.
An existing company LDAP infrastructure can be leveraged for OS-level LDAP configuration of the compute server nodes. This requires shadow/POSIX user accounts on the LDAP server. The LDAP users must belong to the raadmin group.
The LDAP user can belong to the following groups:
- raadmin: required.
- dbmusers: used for monitoring Exadata.
- oinstall
The group identifier (GID) is standardized for these groups.
- During an RA 23.1 (or later) install, you can use ra_preinstall.pl to define a specific GID.
- During a patch/upgrade from RA 19.x to RA 23.x, you can specify the raadmin GID with ra_preinstall.pl.
Note:
If you have an existing RA 23.1 system with a conflicting GID for the raadmin group, open a support case so Oracle can review it.
- Configure a Recovery Appliance compute server (RA DB node) to authenticate an OS user with LDAP following your data center (DC) standard.
  - Standard Linux packages in Exadata 22.x+ should generally be sufficient.
  - If additional packages are required, select the path that best matches your environment:
    - You have an existing LDAP client authentication setup procedure used on Exadata systems: continue using the same process to configure LDAP client authentication on the Recovery Appliance. Because these packages are non-standard, you may need to uninstall them during OS and RA patching. Refer to MOS Note 2014361.1.
    - You have never configured LDAP on an Engineered System and require non-standard Linux packages: contact Oracle Support to confirm any risks with installing non-standard Linux packages on the compute server (RA DB) nodes.
- Confirm that your LDAP-authenticated user is resolvable on all of the Recovery Appliance compute server (RA DB) nodes in the cluster:
  getent passwd <USER_NAME>
  This confirms that the client configuration for the name services is correct and that the user is present on every node. The user should resolve to the same UID and GID on each node.
- Add the authenticated user as a Recovery Appliance named OS admin user. With RACLI on a compute server node, issue the command to add that LDAP user as an admin_user:
  racli add admin_user --user_name=USER_NAME [--user_uid=USER_ID --user_gid=GROUP_ID]
  - --user_name: System user name to add to the RACLI admin group.
  - --user_uid: Set the user identifier for the newly created admin user. Value must be >= 1003. During the installation of RA 19.x or later, you can define the raadmin uid with ra_preinstall.pl.
  - --user_gid: Set the initial login group identifier for the newly created admin user. The group number must refer to an already existing group. Value must be >= 1003. During the installation of RA 21.1 or later, you can define the gid with ra_preinstall.pl.
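The procedure above, carried through as an added pre-flight script. This is example code written for this page, not part of Oracle's documentation or of the RACLI. It parses the output of getent passwd and getent group, verifies that the user resolves to the same uid and gid on every node, that both values meet the >= 1003 requirement documented for --user_uid and --user_gid, and that the user is in raadmin, then prints the racli add admin_user command to run. The node names, the ldapadmin user, the sample passwd and group entries, and the RA_NODES/RA_USER variables are constructed for the example; applying the >= 1003 bound to the LDAP-supplied ids is an assumption, as is the use of ssh to reach each node.

```shell
#!/bin/sh
# Pre-flight checks before "racli add admin_user" for an LDAP user (example
# script, not Oracle's code). Verifies name-service resolution on every node,
# uid/gid >= 1003, and raadmin membership, then prints the racli command.

MIN_ID=1003          # minimum documented for --user_uid / --user_gid (assumed to apply to LDAP ids)
ADMIN_GROUP=raadmin  # group every RACLI admin user must belong to

# check_passwd_entry "<getent passwd line>" -> prints "uid gid";
# returns 1 if the line is malformed, 2 if either id is below MIN_ID
check_passwd_entry() {
  entry=$1
  name=${entry%%:*}; rest=${entry#*:}   # passwd fields: name:passwd:uid:gid:gecos:home:shell
  rest=${rest#*:}                       # drop the password field
  uid=${rest%%:*}; rest=${rest#*:}
  gid=${rest%%:*}
  [ -n "$name" ] && [ -n "$uid" ] && [ -n "$gid" ] || return 1
  case "$uid$gid" in *[!0-9]*) return 1 ;; esac   # ids must be numeric
  [ "$uid" -ge "$MIN_ID" ] && [ "$gid" -ge "$MIN_ID" ] || return 2
  printf '%s %s\n' "$uid" "$gid"
}

# in_group "<getent group line>" USER UGID -> 0 if USER is a member either
# through the primary gid or through the supplementary member list
in_group() {
  gentry=$1; user=$2; ugid=$3
  rest=${gentry#*:}; rest=${rest#*:}    # group fields: name:passwd:gid:member,member,...
  ggid=${rest%%:*}; members=${rest#*:}
  [ "$ggid" = "$ugid" ] && return 0
  case ",$members," in *",$user,"*) return 0 ;; esac
  return 1
}

# entries_consistent "<passwd line from node1>" "<... node2>" ... -> 0 if every
# node resolves the user to the same valid uid and gid (a mismatch means file
# ownership and audit attribution differ between nodes)
entries_consistent() {
  ref=
  for e in "$@"; do
    ids=$(check_passwd_entry "$e") || return 1
    if [ -z "$ref" ]; then ref=$ids
    elif [ "$ids" != "$ref" ]; then return 1
    fi
  done
  [ -n "$ref" ]
}

# racli_add_cmd USER UID GID -> the documented command with the optional ids filled in
racli_add_cmd() {
  printf 'racli add admin_user --user_name=%s --user_uid=%s --user_gid=%s\n' "$1" "$2" "$3"
}

# collect_entries USER NODE... -> one "getent passwd" line per node over ssh (live mode only)
collect_entries() {
  user=$1; shift
  for node in "$@"; do
    ssh -o BatchMode=yes "$node" getent passwd "$user" || return 1
  done
}

# preflight USER GROUP_LINE PASSWD_LINE... -> prints the racli command if every check passes
preflight() {
  user=$1; group_line=$2; shift 2
  entries_consistent "$@" || { echo "$user: uid/gid missing, below $MIN_ID, or inconsistent across nodes" >&2; return 1; }
  ids=$(check_passwd_entry "$1"); uid=${ids% *}; gid=${ids#* }
  in_group "$group_line" "$user" "$gid" || { echo "$user is not in $ADMIN_GROUP" >&2; return 1; }
  racli_add_cmd "$user" "$uid" "$gid"
}

# Constructed sample output, as "getent passwd ldapadmin" might return it on two nodes
NODE1_ENTRY='ldapadmin:*:2001:2001:LDAP Admin:/home/ldapadmin:/bin/bash'
NODE2_ENTRY='ldapadmin:*:2001:2001:LDAP Admin:/home/ldapadmin:/bin/bash'
RAADMIN_ENTRY='raadmin:*:2001:'   # constructed "getent group raadmin" (ldapadmin's primary group)

if [ -n "${RA_NODES:-}" ]; then
  # Live mode, e.g.: RA_NODES="ranode1 ranode2" RA_USER=ldapadmin sh ra_ldap_preflight.sh
  group_line=$(getent group "$ADMIN_GROUP")
  entries=$(collect_entries "$RA_USER" $RA_NODES) || exit 1
  IFS='
'                                 # split the collected lines on newline only (gecos may contain spaces)
  preflight "$RA_USER" "$group_line" $entries
  exit
else
  # Demo on the constructed entries above
  preflight ldapadmin "$RAADMIN_ENTRY" "$NODE1_ENTRY" "$NODE2_ENTRY"
fi
```

The script prints the racli command rather than executing it, so the operator can review the uid and gid that will be recorded before the admin user is created; in the demo it prints racli add admin_user --user_name=ldapadmin --user_uid=2001 --user_gid=2001. A user that resolves on only some nodes, or to different ids, fails the consistency check, which is exactly the condition the getent passwd step in the procedure is meant to catch.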
Additional non-standard packages
If you require additional packages that are non-standard, review the two paths forward and pick the one that most closely aligns with your environment.
- You have an existing LDAP client authentication setup procedure used on your Exadata systems that includes the non-standard packages: continue using the same process to configure LDAP client authentication that you have been using successfully on your other Engineered Systems. Because these packages are non-standard, you may need to uninstall them during OS updates and RACLI updates.
- You have never configured LDAP on an Engineered System and require non-standard Linux packages: contact Oracle Support to confirm any risks with installing non-standard Linux packages on the Database/Compute Server nodes.