
Oracle DBMS_LDAP and LDAPS (SSL/TLS encrypted LDAP)

We needed to connect from Oracle to Microsoft AD's SSL/TLS encrypted LDAP port, tcp/636, so that bind passwords are not exposed on the network. There weren't many good instructions, so I had to gather the information from multiple sources. I just wanted to show the process here in one place for simplicity.

The process

  • Check which certificate the AD server is using. If it is a commercial certificate, install the commercial vendor's root-CA and intermediate-CA certificates into the Oracle wallet on the database server as trusted certificates. If it is self-signed, install the public part of the self-signed CA and intermediate CA certificates into the Oracle wallet as trusted certificates. Oracle has no other way of knowing or checking whether the certificates it sees are trustworthy. I don't believe it checks CRLs either. I used Oracle Wallet Manager; orapki will do the same from the command line. If you can browse to a site that uses the certificate you need, you can save the certificate from the browser in .cer format for the wallet.
  • If you want to do mutual authentication, you also have to import a user certificate with which the database server authenticates itself. A single server certificate works just fine and it can be self-signed, as long as the AD server trusts the issuing Certificate Authority. According to DigiCert, Oracle doesn't accept wildcard certificates, so you have to request a duplicate without that property for the server name. In that case, generate a CSR from Wallet Manager or orapki and install the certificate you receive as the User certificate for that CSR.
  • Grant access to the LDAP server via a network ACL. Use a resolvable name and the LDAPS port, tcp/636. The regular LDAP port is tcp/389, but that is the plaintext version.
BEGIN
  -- this requires that you already have an ACL created
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (acl => 'my_net_perms.xml',
    host => 'myldapserver.domain.com', lower_port => 636,
    upper_port => 636);
END;
/
-- ACL changes are transactional; commit so the assignment takes effect
COMMIT;
SET SERVEROUTPUT ON
DECLARE
  -- Adjust as necessary.
  l_ldap_host   VARCHAR2(256) := 'myldapserver.domain.com';
  -- SSL (portnum of DBMS_LDAP.init is a PLS_INTEGER)
  l_ldap_port   PLS_INTEGER   := 636;
  -- no SSL
  -- l_ldap_port   PLS_INTEGER   := 389;
  l_ldap_user   VARCHAR2(256) := 'domain\username';
  l_ldap_passwd VARCHAR2(256) := 'password';

  l_retval      PLS_INTEGER;
  l_session     DBMS_LDAP.session;
BEGIN
  -- raise exceptions instead of returning error codes
  DBMS_LDAP.use_exception := TRUE;
  -- connect to host
  l_session := DBMS_LDAP.init(hostname => l_ldap_host, portnum => l_ldap_port);
  -- change the connection to SSL/TLS
  -- sslauth needs to be 2 for one-way verification (server cert checked
  -- against the wallet's trusted certs), 3 for two-way (mutual) authentication
  l_retval := DBMS_LDAP.open_ssl (ld => l_session, sslwrl =>
    'file:drive:\path\wallet\', sslwalletpasswd => 'walletpwd',
    sslauth => 2);
  DBMS_OUTPUT.PUT_LINE('open_ssl returned ' || l_retval);
  -- bind to session; the password now travels inside the TLS tunnel
  l_retval := DBMS_LDAP.simple_bind_s(ld => l_session, dn => l_ldap_user,
    passwd => l_ldap_passwd);
  DBMS_OUTPUT.PUT_LINE('simple_bind_s returned ' || l_retval);
  -- release the session
  l_retval := DBMS_LDAP.unbind_s(ld => l_session);
END;
/

Originally it looked in Wireshark as if Oracle supported only a handful of ciphers in DBMS_LDAP, but in the end the connection negotiated a modern cipher nicely, at least with a 12.2 database.
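To turn the anonymous block above into something an application can call, here is an added example (not from the original post) that wraps the LDAPS bind in a function, always unbinds, and treats every failure, including an untrusted server certificate, as "not authenticated". The host, wallet path and wallet password are placeholders; the empty-password check is there because an LDAP bind with a DN and no password is an unauthenticated bind that AD accepts as anonymous.

```sql
-- Added example, not the original post's code. Placeholder values are assumed.
CREATE OR REPLACE FUNCTION ldaps_authenticate (
  p_user   IN VARCHAR2,   -- e.g. 'domain\username' or 'user@domain.com'
  p_passwd IN VARCHAR2
) RETURN BOOLEAN
IS
  c_host   CONSTANT VARCHAR2(256) := 'myldapserver.domain.com';    -- assumed
  c_port   CONSTANT PLS_INTEGER   := 636;                          -- LDAPS only
  c_wallet CONSTANT VARCHAR2(256) := 'file:/u01/app/oracle/wallet'; -- assumed
  c_wpwd   CONSTANT VARCHAR2(256) := 'walletpwd';                  -- assumed
  l_session DBMS_LDAP.session;
  l_retval  PLS_INTEGER;
  l_open    BOOLEAN := FALSE;
BEGIN
  DBMS_LDAP.use_exception := TRUE;
  -- An empty password would be sent as an unauthenticated (anonymous) bind,
  -- which AD accepts; that must not count as a successful login.
  IF p_passwd IS NULL THEN
    RETURN FALSE;
  END IF;

  l_session := DBMS_LDAP.init(hostname => c_host, portnum => c_port);
  l_open := TRUE;
  -- sslauth => 2: the server certificate must chain to a trusted
  -- certificate in the wallet, otherwise open_ssl raises an exception
  l_retval := DBMS_LDAP.open_ssl(ld => l_session, sslwrl => c_wallet,
                                 sslwalletpasswd => c_wpwd, sslauth => 2);
  -- Credentials only cross the network inside the TLS tunnel.
  l_retval := DBMS_LDAP.simple_bind_s(ld => l_session, dn => p_user,
                                      passwd => p_passwd);
  l_retval := DBMS_LDAP.unbind_s(ld => l_session);
  RETURN TRUE;
EXCEPTION
  WHEN OTHERS THEN
    -- Untrusted certificate, wrong credentials or network trouble all end
    -- here. Log the user and the error, never the password.
    DBMS_OUTPUT.PUT_LINE('LDAPS bind failed for ' || p_user || ': ' || SQLERRM);
    IF l_open THEN
      BEGIN
        l_retval := DBMS_LDAP.unbind_s(ld => l_session);
      EXCEPTION WHEN OTHERS THEN NULL;  -- session already gone
      END;
    END IF;
    RETURN FALSE;
END ldaps_authenticate;
/
```

The database user creating this function needs EXECUTE on DBMS_LDAP and the network ACL from the previous step; with sslauth => 2 a certificate that does not chain to a trusted cert in the wallet fails at open_ssl, before any password is sent.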

Sources and help
