One such feature enhancement introduced a new password storage scheme that is used by the Enterprise User Security (EUS) and Centrally Managed Users (CMU) architectures for password-based user authentication to the Oracle database.
This new password scheme is a proprietary blend of multiple rounds of PBKDF2 SHA-512, which is much stronger than the storage scheme used by earlier Oracle database versions (e.g. 10g and 11g). The full list of password storage schemes offered by OUD 12cPS4 is available here.
In the EUS architecture where OUD is the identity store for authentication, identity management solutions such as Oracle Identity Manager, SailPoint and others can simply perform a normal password update, and the OUD password policy will automatically generate this password hash for database authentication.
In the EUS or CMU architectures where Active Directory (AD) is the identity store, the individual user's orclCommonAttribute value needs to be updated with this new hash in order for password-based authentication to work properly.
The standard method of updating the user's orclCommonAttribute attribute value is to deploy the password filter to all AD domain controllers. When a user updates their password with the Ctrl-Alt-Delete feature of Windows, Oracle's password filter (orapwdfltr.dll) captures the cleartext password that the user entered, hashes it, and stores the hashed value in the orclCommonAttribute attribute of the user's AD object. See Doc ID 2640135.1 for more information on how to obtain and deploy the latest version of this password filter.
There is an alternative approach to populating the user's orclCommonAttribute in AD that has the same end result but does not require the password filter. You can use the OUD encode-password command to generate the hashed value of the password and then update orclCommonAttribute in the user's AD entry. This approach can be dovetailed into your provisioning solution as well. Here is a sample workflow:
1. Install OUD.
Note: If integrating with an Identity Management solution, OUD would most likely need to be installed on the host(s) where the Identity Management solution is running in order to handle the cleartext password securely.
2. Use the OUD encode-password command to generate the hash of the user's password.
3. Use ldapmodify or equivalent API to update the orclCommonAttribute of the user's entry in AD.
4. Test that the authentication works with the updated password.
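As an added, constructed example (not from the original post or from Oracle), this shell wrapper chains steps 2 and 3: it parses the hash out of the `Encoded Password:` line that the OpenDS-derived OUD encode-password tool prints (output format and the `-s`/`-f` flags assumed from that CLI; check `encode-password --help`), builds the ldapmodify LDIF that replaces orclCommonAttribute, and sends it to AD over LDAPS with OpenLDAP's ldapmodify. OUD_HOME, the storage-scheme name, the AD host, bind DN and user DN are placeholders.

```shell
#!/bin/sh
# Constructed example: generate the EUS/CMU password hash with OUD and push it
# into the user's AD entry without the orapwdfltr.dll password filter.
# Placeholders: OUD_HOME, SCHEME (take the real name from
# `encode-password --listSchemes`), AD_HOST, BIND_DN, BIND_PW_FILE.
OUD_HOME="${OUD_HOME:-/opt/oud/asinst_1/OUD}"
SCHEME="${SCHEME:-<EUS-PBKDF2-SHA512-scheme-name>}"
AD_HOST="${AD_HOST:-dc01.example.com}"
BIND_DN="${BIND_DN:-CN=eusprov,OU=Service,DC=example,DC=com}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/eus/bind.pw}"

# Extract the hash from encode-password output, which looks like:
#   Encoded Password:  "{SCHEME}base64..."
# (assumed format of the OpenDS-derived tool). Prints nothing if absent.
extract_hash() {
    sed -n 's/^Encoded Password:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# Build the LDIF modify record that replaces orclCommonAttribute for a DN.
build_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: orclCommonAttribute\norclCommonAttribute: %s\n-\n' "$1" "$2"
}

# End to end: read the password from a file (not argv, which is visible in
# `ps`), hash it with OUD, and write the hash to the user's AD entry over LDAPS.
update_user() {
    user_dn="$1"; pw_file="$2"
    pwhash=$("$OUD_HOME/bin/encode-password" -s "$SCHEME" -f "$pw_file" | extract_hash)
    [ -n "$pwhash" ] || { echo "encode-password produced no hash" >&2; return 1; }
    build_ldif "$user_dn" "$pwhash" |
        ldapmodify -H "ldaps://$AD_HOST" -D "$BIND_DN" -y "$BIND_PW_FILE"
}
```

Step 4 of the workflow still applies: after the modify succeeds, verify with a database logon as that user, since a wrong scheme name produces a well-formed hash that the database will simply reject.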
I hope that you found this helpful!