Oracle OID & Active Directory integration

Become Oracle Apps DBA: Integrate OID with AD Part I

This is one of the things that I've done on our system at work that's been the most satisfying. For years I've felt terrible for making our users remember one more username and password when they already had a perfectly good set supplied by the Active Directory (AD) people at our institution. Why should they be forced to keep two?

Oracle OID has made it possible for us to pass the buck on authentication over to the AD people. We simply set up the provisioning so that our OID instance grabs only our department's users (this AD authenticates many other depts as well). We don't have to grab their password (one less sensitive thing to store on our system); since I set up the external authentication plug-in, it just makes a call to the AD server each time someone logs in from that user group. Plus, and this is the big one, we can use the Resource Application Descriptors for each user on the OID to store database accounts for them to use with things like Forms, Reports, OAS 10.1.3.2 apps, and Discoverer (in a very hacky way).

The one big problem that we ran into was grabbing users from two different AD Domains. This meant connecting to two separate DCs to get all our users, which made the setup a little more complicated. We stored the users in separate containers on our side, which caused some problems since the OID wanted to make both of them the subscriber base (of which you should really only have one). It caused some problems with registering new components and eventually made an OAS upgrade post-installation assistant fail (which resulted in about 3 hours of back and forth with Oracle Support in Australia). However, once that was resolved, it's run smooth as silk ever since.

I believe the natural extension of this is looking into using Kerberos authentication with the database itself, not just the middle tier. Unfortunately, our edition of the database is missing certain features that would allow us to do such a thing. But maybe you folks at home could give it a try and let me know how it works for you.
