
Configuring Oracle Net8 with LDAP

by Jeff Hunter, Sr. Database Administrator


Contents

  1. Overview of Net8 and LDAP
  2. Configuring Net8 Clients for LDAP
  3. Defining Net Server Names in an LDAP Directory
  4. Create an LDAP User to Manage Net Server Names
  5. Creating a Net Server Name


Overview of Net8 and LDAP

Beginning with Release 8.1.6, Oracle has built support into Net8 for the use of LDAP as a name resolution method. LDAP is now preferred over Oracle Names in cases where you need a centralized repository for net server names.

One of the great things about LDAP is that you can create your own object classes and attributes. This allows you to use LDAP directories for a wide variety of creative purposes. Oracle currently supports LDAP for the following uses:

Global users and global roles are defined in an LDAP directory service and can be managed centrally. A user can change his password once, for example, and have that change apply to all databases across the board. Similarly, net server names may also be defined and managed separately. Oracle's clear goal is to take all bits and pieces of information that DBAs usually need to replicate for each database, and allow those to be centrally managed. LDAP is the core technology supporting this effort, and it will play an increasingly important role in our Oracle environment.

Configuring Net8 Clients for LDAP

Specify the LDAP Naming Method - (sqlnet.ora)

You specify naming methods through the NAMES.DIRECTORY_PATH parameter in your sqlnet.ora file. The keyword for directory naming is LDAP. The following parameter setting will configure a client to attempt name resolution through the local tnsnames.ora file first, and then through the LDAP directory.

NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)

Addressing an LDAP Server - (ldap.ora)

Once you've specified LDAP as a naming method, you need to identify an LDAP directory server for the client to contact. You do this in the ldap.ora file using the two parameters DIRECTORY_SERVERS and DIRECTORY_SERVER_TYPE.

DIRECTORY_SERVERS

The DIRECTORY_SERVERS parameter specifies the network address of one or more LDAP directory servers. A directory server address consists of a hostname and two port numbers. The first port number is used for unsecured connections. The second port number is optional and is used for SSL (Secure Sockets Layer) connections. The following example illustrates the default port numbers that OID uses for the two connection types:

DIRECTORY_SERVERS= (ldap.idevelopment.info:389:636)

DIRECTORY_SERVER_TYPE

The DIRECTORY_SERVER_TYPE parameter identifies the brand of LDAP server that you are using. The following three values represent valid types:

  • OID - Oracle Internet Directory
  • AD - Microsoft Active Directory
  • NDS - Novell Directory Services

The following is an example setting that uses Oracle Internet Directory as the LDAP server:

DIRECTORY_SERVER_TYPE = OID

NOTE: Net8 does not support mixing LDAP directory products. The DIRECTORY_SERVER_TYPE setting applies to all the directory server addresses listed for the DIRECTORY_SERVERS parameter.

Specify a Default Administrative Context - (ldap.ora)

The default administrative context is the LDAP equivalent of the default Net8 domain. LDAP directory structures do not necessarily need to correspond to any sort of domain name structure, so a new mechanism is needed to specify the context in which unqualified net server names are resolved. This mechanism is the default administrative context, which you specify using the DEFAULT_ADMIN_CONTEXT parameter in your ldap.ora file. For example:

DEFAULT_ADMIN_CONTEXT = "dc=idevelopment,dc=info"

Net8 always adds these parts   From DEFAULT_ADMIN_CONTEXT in ldap.ora
           |                                    |
    _______|___________                         |
 __|___         _______|_________  _____________|_________
|      |       |                 ||                       |
(dn:cn= TESTDB ,cn=OracleContext, dc=idevelopment,dc=info)
       |______|
          |
     The unqualified net service
      name that you supplied
Net8 creates a full distinguished name from a simple unqualified net server name

Once Net8 has translated an unqualified net server name into a distinguished name, it passes that name to the LDAP directory to be used. The LDAP directory then returns the definition of the name, giving Net8 information it needs to make the connection to the appropriate database service.

NOTE: The NAMES.DEFAULT_DOMAIN parameter in sqlnet.ora is ignored when directory naming is used. Instead, equivalent functionality (implemented in a manner suitable to LDAP) is provided through the DEFAULT_ADMIN_CONTEXT parameter in ldap.ora.
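To show how NAMES.DIRECTORY_PATH and the three ldap.ora parameters fit together, here is an added Python example (not from the original article) that parses constructed copies of the two client files, rebuilds the distinguished name Net8 derives for an unqualified net service name as in the figure above, and flags a DIRECTORY_SERVERS address that lists no SSL port, since name lookups against that server would then travel in cleartext. The file contents and the check function are constructed for this example.

```python
# Constructed samples of the two client files discussed above (not a real deployment).
SQLNET_ORA = "NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)\n"
LDAP_ORA = """DIRECTORY_SERVERS= (ldap.idevelopment.info:389:636)
DIRECTORY_SERVER_TYPE = OID
DEFAULT_ADMIN_CONTEXT = "dc=idevelopment,dc=info"
"""
VALID_SERVER_TYPES = {"OID", "AD", "NDS"}


def parse_ora(text):
    """Read KEY = VALUE lines; drop the quotes and parentheses around the value."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip().upper()] = value.strip().strip('"').strip("()").strip()
    return params


def naming_methods(sqlnet_text):
    """Order in which the client tries its name resolution methods."""
    path = parse_ora(sqlnet_text)["NAMES.DIRECTORY_PATH"]
    return [method.strip().upper() for method in path.split(",")]


def directory_servers(ldap_text):
    """(host, port, ssl_port or None) for every address in DIRECTORY_SERVERS."""
    servers = []
    for address in parse_ora(ldap_text)["DIRECTORY_SERVERS"].split(","):
        parts = address.strip().split(":")
        ssl_port = int(parts[2]) if len(parts) > 2 and parts[2] else None
        servers.append((parts[0], int(parts[1]), ssl_port))
    return servers


def net_service_dn(name, ldap_text):
    """The DN Net8 builds for an unqualified net service name (see the figure above)."""
    context = parse_ora(ldap_text)["DEFAULT_ADMIN_CONTEXT"]
    return f"cn={name},cn=OracleContext,{context}"


def check_ldap_ora(ldap_text):
    """Findings a reviewer would raise: an unknown server type, or a server with no SSL port."""
    params = parse_ora(ldap_text)
    findings = []
    if params.get("DIRECTORY_SERVER_TYPE") not in VALID_SERVER_TYPES:
        findings.append("DIRECTORY_SERVER_TYPE must be OID, AD or NDS")
    for host, port, ssl_port in directory_servers(ldap_text):
        if ssl_port is None:
            findings.append(f"{host}: no SSL port, lookups use cleartext port {port}")
    return findings
```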

Defining Net Server Names in an LDAP Directory

As a prerequisite to using LDAP for net server name resolution, you need to have the Oracle Internet Directory installed. You also need to have the LDAP schema for Net8 in place. This schema comprises the LDAP object classes on which the entries defining net service names are based. The LDAP schema for Net8 is installed by default when you install OID.

Create the Administrative Context

All the examples in this section use an administrative context based on DNS. The domain used is idevelopment.info, which requires the following LDAP entry:

(dn: dc=idevelopment, dc=info)

Underneath that entry, Net8 expects to find the cn=OracleContext entry. Using Oracle Directory Manager, locate the folder named "Entry Management" and add the following entries:

dn: dc=info
objectclass: domain
objectclass: top
dc: info

dn: dc=idevelopment,dc=info
objectclass: domain
objectclass: top
dc: idevelopment

Create the OracleContext entry

dn: cn=OracleContext,dc=idevelopment,dc=info
objectclass: orclContext
objectclass: top
cn: OracleContext

Create an LDAP User to Manage Net Server Names

Creating LDAP User

If you have only one admin context, you can create the directory user underneath that context. You may want to create an additional entry named OracleNetAdmins, and collect all the Net8 directory users underneath that. I typically use the entry OracleNetAdmins to store this user information.

A user is simply another entry in an LDAP directory, but it is based in part on the object class named person.

dn: cn=OracleNetAdmins,cn=OracleContext,dc=idevelopment,dc=info
objectclass: orclContext
objectclass: top
cn: OracleNetAdmins

dn: cn=jhunter,cn=OracleNetAdmins,cn=OracleContext,dc=idevelopment,dc=info
userpassword: {MD4}4AC9DBA1A08FC124DD57C915D540BD3F
objectclass: orclContext
objectclass: top
objectclass: person
cn: jhunter
sn: Jeffrey Hunter

NOTE: The person object class comes with two mandatory attributes, cn and sn, that you should fill in with the user's login name and full name, respectively. The password attribute is not mandatory and is consequently found under the Optional Properties tab. Because of its placement, it's easy to overlook the password. When creating a user, be sure that you go to the Optional Properties tab and specify a password.
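As an added check (not part of the original article), the following Python reads LDIF in the shape of the entries above and reports the mistakes Net8 will not tolerate: an entry whose parent (for instance dc=idevelopment,dc=info) was not created first, an RDN that no attribute in the entry backs, a person without its mandatory cn and sn, and a user entry whose password was never set. The sample LDIF and its deliberate mistakes are constructed for this example.

```python
# Mandatory attributes of the object classes the entries above use.
MANDATORY = {"domain": {"dc"}, "orclContext": {"cn"}, "person": {"cn", "sn"}}

# Constructed LDIF in the shape of the entries above, with two deliberate mistakes:
# the dc=idevelopment entry is missing, and the user has neither sn nor userpassword.
LDIF = """dn: dc=info
objectclass: domain
objectclass: top
dc: info

dn: cn=OracleContext,dc=idevelopment,dc=info
objectclass: orclContext
cn: OracleContext

dn: cn=jhunter,cn=OracleContext,dc=idevelopment,dc=info
objectclass: person
cn: jhunter
"""


def parse_ldif(text):
    """Return (dn, {attribute: [values]}) pairs in file order; attribute names lower-cased."""
    entries, attrs = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # a blank line ends the current entry
            if attrs:
                entries.append((attrs["dn"][0], attrs))
                attrs = {}
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def check_ldif(text):
    """Flag a missing parent, an RDN not backed by an attribute, and missing mandatory attributes."""
    findings, seen = [], set()
    for dn, attrs in parse_ldif(text):
        rdn, _, parent = dn.partition(",")
        if parent and parent not in seen:
            findings.append(f"{dn}: parent {parent} is not defined earlier in the file")
        rdn_attr, rdn_value = rdn.split("=", 1)
        if rdn_value not in attrs.get(rdn_attr.lower(), []):
            findings.append(f"{dn}: RDN value {rdn_value} is missing from attribute {rdn_attr}")
        for oc in attrs.get("objectclass", []):
            for must in sorted(MANDATORY.get(oc, set()) - set(attrs)):
                findings.append(f"{dn}: object class {oc} requires attribute {must}")
            if oc == "person" and "userpassword" not in attrs:
                findings.append(f"{dn}: no userpassword set (it lives on the Optional Properties tab)")
        seen.add(dn)
    return findings
```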

Granting Access to LDAP User

After creating a directory user, you must give that user some access rights. If you want the user to be able to manage net server names that fall under dc=idevelopment,dc=info, then you must grant the user access to that part of the LDAP directory tree. To do that, highlight the entry for dc=idevelopment in the ODM's left pane, and click the tab in the right pane titled Subtree Access. You can then grant a user access to that entry, and to all those entries that fall beneath it.

In the dialog box on the right under Subtree Access, make sure to choose the "Structural Access Items" (the top box). Click the "Create" button under "Structural Access Items".

Use the "By Whom" tab and enter the name of the user to grant access to:

cn=jhunter,cn=OracleNetAdmins,cn=OracleContext,dc=idevelopment,dc=info

After identifying the user, you need to specify the rights that you are granting to that user. You do that from the "Access Rights" tab. Here you would select to grant:

Browse, Add and Delete

After creating a user and granting access rights, you can use the Java application "Net Manager" to log in to the LDAP directory and create net service name definitions.

Creating a Net Server Name

The easiest way to define net service names in an LDAP directory is to use the Oracle application "Net Manager".


Copyright (c) 1998-2010 Jeffrey M. Hunter. All rights reserved.

All articles, scripts and material located at the Internet address of http://www.idevelopment.info is the copyright of Jeffrey M. Hunter and is protected under copyright laws of the United States. This document may not be hosted on any other site without my express, prior, written permission. Application to host any of the material elsewhere can be made by contacting me at jhunter@idevelopment.info.

I have made every effort and taken great care in making sure that the material included on my web site is technically accurate, but I disclaim any and all responsibility for any loss, damage or destruction of data or any other property which may arise from relying on it. I will in no case be liable for any monetary damages arising from such loss, damage or destruction.

Last modified on
Sunday, 07-Sep-2003 00:00:00 EDT