LDAP user for delphix_source and delphix_target OS users

  • Problem
  • Updated 8 months ago
  • Solved

Hello everyone,

Currently I am working with a client that insists that the Delphix OS accounts be LDAP accounts. They are using Centrify as their main identity management.

Here at the customer, I am trying to understand how Centrify works, so that we can gather what we are required to do to use Delphix with LDAP accounts on source and target systems.

There will be 1 LDAP user (user_name=delphix)

In Centrify, LDAP users cannot be part of local groups.

An LDAP user can run local commands, programs, etc. with the "dzdo" command added as a prefix.

Also, for local commands to be run, they need to be specified in the tool's configuration.

For example,

    /oracle/product/11.4.0.2/bin/*

means that the LDAP user can run everything under the specified directory.


So it comes to the point that I need to supply the list of commands the Delphix agent (the LDAP delphix user in this case) needs to run.

As I understand it, there will also be a need to configure Privileged Profiles in the Delphix Engine?

Is that correct? Are there any other clients who used an LDAP user on both source and target servers?

Posted 8 months ago


Tim Gorman, Field Services

Official Response
Rahim,

At present, the "delphix" OS account that you describe (usually referred to as "delphix_os" in the Delphix documentation) needs to belong to the same OS group(s) to which the Oracle software owner OS account belongs.

The Oracle software owner account is usually called "oracle", and this OS account is generally designated primarily as a member of an OS group called "oinstall" as well as another secondary OS group called "dba", which is usually referred to in Oracle documentation as OSDBA. There are often additional Oracle-related OS groups such as "oper", "asmadmin", etc. Because Oracle is not specific on this, each Oracle installation tends to vary on names and memberships, which is "primary", which is "secondary", etc.

So, if the Oracle-related OS groups and OS accounts are also managed by LDAP (Centrify), then you probably can create the "delphix" OS account similarly, with the same OS group memberships if possible?

By default, Delphix employs the open-source "sudo" package for privilege escalation to "root", as described in the documentation HERE. Delphix supports other privilege packages, including "dzdo", as documented HERE, but there is an expectation that the Delphix OS account has the ability to execute certain Oracle commands without privilege escalation, so hopefully Centrify permits this?

Please let us know what you think?

Thanks!

-Tim
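As an added example (not Delphix's code and not from either poster), a POSIX sh pre-flight check for the two requirements the reply states: the Delphix OS account shares the Oracle owner's OS groups, and it can execute the Oracle binaries without privilege escalation. The account names "delphix" and "oracle", the ORACLE_HOME path taken from the question's dzdo example, and GNU `id`/`stat` are assumptions.

```shell
#!/bin/sh
# Added example: verify a Delphix OS account against the Oracle software owner.
# Assumes GNU coreutils (id -Gn, stat -c) and a Linux host.

# Print the groups of the Oracle owner that the Delphix account lacks.
# Both arguments are space-separated group lists, so the logic also runs
# on constructed data without real users on the box.
missing_groups() {
  needed=$1; have=$2; out=""
  for g in $needed; do
    case " $have " in
      *" $g "*) ;;                 # already a member
      *) out="$out $g" ;;          # membership missing
    esac
  done
  echo "${out# }"
}

# Decide whether USER (member of GROUPS) may execute a file with octal MODE
# owned by OWNER:GROUP, using the usual owner > group > other precedence.
# Prints "yes" or "no". Root is not special-cased: the point is to check
# what the account can run WITHOUT escalating.
can_exec() {
  mode=$1; owner=$2; group=$3; user=$4; groups=$5
  perm=${mode#"${mode%???}"}       # last three octal digits (setuid bits dropped)
  u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}
  if [ "$user" = "$owner" ]; then
    bit=$u
  else
    case " $groups " in
      *" $group "*) bit=$g ;;
      *) bit=$o ;;
    esac
  fi
  [ $((bit & 1)) -eq 1 ] && echo yes || echo no
}

# Live check against the host: report missing groups, then list binaries under
# ORACLE_HOME/bin that the Delphix account could not run without dzdo/sudo.
check_host() {
  dlpx=${1:-delphix}; ora=${2:-oracle}; ohome=${3:-/oracle/product/11.4.0.2}
  dg=$(id -Gn "$dlpx")
  echo "groups missing on $dlpx: $(missing_groups "$(id -Gn "$ora")" "$dg")"
  find "$ohome/bin" -maxdepth 1 -type f | while read -r f; do
    set -- $(stat -c '%a %U %G' "$f")    # mode owner group
    [ "$(can_exec "$1" "$2" "$3" "$dlpx" "$dg")" = no ] && echo "needs escalation: $f"
  done
}
```

Run `check_host delphix oracle /path/to/ORACLE_HOME` on each source and target; anything it lists is a command that would have to go into the dzdo configuration or be fixed by adding the group membership.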