Using Pluggable Databases

You can use Enterprise User Security with Pluggable Databases (PDBs), introduced in Oracle Database 12c Release 1 (12.1). Each PDB has its own Enterprise User Security metadata, such as global users, global roles, and so on. Each PDB should have its own identity in the directory. A PDB is like any regular database registered with the directory, except for the following restrictions:

  • You must use the default wallet location. This holds true whether the database-to-directory connection is SSL or password-based. If the wallet_location parameter is present in the sqlnet.ora file, then enterprise user logins will fail.

  • Client-side SSL authentication uses the Container Database (CDB)-wide wallet configured for the listener. The PDB-specific wallet is used for database-to-directory authentication.

  • If the client-to-database authentication uses SSL, and the database-to-directory authentication also uses SSL, then two wallets need to be configured for the database with certificates. The first wallet is the CDB-wide wallet and the second wallet is the PDB-specific wallet.

  • Current user database links are not supported in the CDB environment.
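
The first restriction can be checked before enterprise users are enabled for a PDB. The following is an added example, not Oracle-supplied code: it scans sqlnet.ora text for an active wallet_location entry and prints the whole stanza so it can be removed. It assumes the usual Oracle Net file syntax (a parameter starts in column 1, indented lines continue it, # starts a comment); the function names, the sample file, and the /example/wallet path are constructed for illustration.

```shell
#!/bin/sh
# Print every active WALLET_LOCATION stanza in sqlnet.ora text read on stdin,
# as "<first line number>: <stanza joined onto one line>". No output = none.
find_wallet_location() {
    awk '
        function emit() { if (hit) print start ": " stanza; hit = 0 }
        { sub(/\r$/, "") }                       # tolerate CRLF files
        /^[ \t]*(#|$)/ { next }                  # comment or blank line
        /^[ \t]/ {                               # indented: continuation line
            if (hit) { t = $0; gsub(/^[ \t]+|[ \t]+$/, "", t); stanza = stanza " " t }
            next
        }
        {                                        # column 1: a new parameter
            emit()
            if (toupper($0) ~ /^WALLET_LOCATION[ \t]*=/) { hit = 1; start = NR; stanza = $0 }
        }
        END { emit() }
    '
}

# Returns 0 when the text on stdin has no active WALLET_LOCATION, 1 otherwise.
check_sqlnet_ora() {
    hits=$(find_wallet_location)
    if [ -n "$hits" ]; then
        printf 'FAIL: WALLET_LOCATION is set; enterprise user logins will fail\n%s\n' "$hits"
        return 1
    fi
    echo 'OK: no active WALLET_LOCATION entry'
}

# Constructed sample: one commented-out entry (ignored), one active entry.
sample_sqlnet_ora() {
cat <<'EOF'
# constructed sample sqlnet.ora
NAMES.DIRECTORY_PATH = (TNSNAMES, LDAP)
#WALLET_LOCATION = (SOURCE = (METHOD = FILE))
wallet_location =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /example/wallet)))
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
EOF
}

sample_sqlnet_ora | check_sqlnet_ora || true
```

Against a real host, feed the function the file the database actually reads, for example check_sqlnet_ora < "$TNS_ADMIN/sqlnet.ora".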

Note:

The LDAP_DIRECTORY_ACCESS parameter is the same for all PDBs. Even if only a subset of PDBs register with the directory, each PDB sees the LDAP_DIRECTORY_ACCESS value as if that PDB were registered.