Delphix Toolkit (dxToolkit)

Expand all | Collapse all

LDAP user for delphix_source and delphix_target OS users

Jump to Best Answer
  • 1.  LDAP user for delphix_source and delphix_target OS users

    Posted 11-28-2017 11:54:00 AM

    Hello everyone,


    Currently I am working with a client that insist on delphix OS accounts to be LDAP accounts. They are using Centrify as their main Identity Management.  

    Here at the customer, I am trying to understand how Centrify works, so that we can gather what we are required to do to use Delphix with LDAP account in Source and Target Systems.

    There will be 1 LDAP user (user_name=delphix)

    In Centrify, LDAP users cannot be part of local groups.

    LDAP user can use, local commands, programs etc. with "dzdo" command added as a prefix.

    Also, for local commands to be run, they need to be specified in the tools configuration. 

    for example, 

                        /oracle/product/11.4.0.2/bin/* 

    means that LDAP user can run everything under the specified directory.


    So it comes to the point that I need to supply the list of commands delphix agent (LDAP delphix user in this case) needs to run.

    As I understand there will also be a need to configure Privileged Profiles in Delphix Engine?


    Is that correct? Is there any other clients that used LDAP user in both source and target servers?
























    #dxToolkit
    #Virtualization


  • 2.  RE: LDAP user for delphix_source and delphix_target OS users
    Best Answer

    Posted 11-28-2017 02:42:00 PM
    Rahim,

    At present, the "delphix" OS account that you describe (a.k.a. usually referred to as "delphix_os" in the Delphix documentation) needs to belong to the same OS group(s) to which the Oracle software owner OS account belongs.

    The Oracle software owner account is usually called "oracle", and this OS account is generally designated primarily as a member of an OS group called "oinstall" as well as another secondary OS group called "dba", which is usually referred to in Oracle documentation as OSDBA.  There are often additional Oracle-related OS groups such as "oper", "asmadmin", etc.  Because Oracle is not specific on this, each Oracle installation tends to vary on names and memberships, which is "primary", which is "secondary", etc.

    So, if the Oracle-related OS groups and OS accounts are also managed by LDAP (Centrify), then you probably can create the "delphix" OS account similarly, with the same OS group memberships if possible?

    By default, Delphix employs the open-source "sudo" package for privilege escalation to "root", as described in the documentation HERE.  Delphix supports other privilege packages, including "dzdo", as documented HERE, but there is an expectation that the Delphix OS account has the ability to execute certain Oracle commands without privilege escalation, so hopefully Centrify permits this?

    Please let us know what you think?

    Thanks!

    -Tim



  • 3.  RE: LDAP user for delphix_source and delphix_target OS users

    Posted 12-01-2017 06:09:00 AM
    Hello Tim,

    Thanks for your prompt and detailed answer.

    I have checked the documentation about privildged profiles and will implement it at the client with Centrify + dzdo.

    The root problem was, I was being informed by unix teams at the client that they cannot add LDAP user into local groups in target server. I have checked it myself and found out that we can actually add LDAP users into local groups. After this clarification things got easier.

    I am sure we gonna implement the priviledged profiles here with no problems.

    Thanks a lot,
    BR,
    -Rahim