Unfortunately, Oracle doesn't provide specific instructions for using any LDAP server other than their Oracle Internet Directory, which is too large and complex for our simple needs. Further, Oracle has also stated that Oracle Names Server is being deprecated in favor of LDAP. These instructions will help you configure OpenLDAP for Oracle Names resolution.
Requirements:
- RedHat Linux 9 installed and operational, including network
- RPMs installed from the RedHat CDs:
  openldap-2.0.27-8
  openldap-servers-2.0.27-8
  openldap-clients-2.0.27-8
slapd.conf
Configure slapd.conf similar to the following:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
include /etc/openldap/schema/oidbase.schema
include /etc/openldap/schema/oidnet.schema
include /etc/openldap/schema/oidrdbms.schema
database ldbm
suffix "dc=example, dc=com"
rootdn "dc=example, dc=com"
rootpw {SSHA}fZyQ6cZiBwXU9bmU2u+pSqvNt/ok5UfW
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
This configuration includes oidbase.schema, oidnet.schema and oidrdbms.schema, which contain the attribute and object class definitions our directory needs. These files can be taken from the $ORACLE_HOME/ldap/admin directory, but they have to be converted to OpenLDAP format first. The converted files are provided at the end under Schemas; copy them to the /etc/openldap/schema directory. The {SSHA} value for rootpw is generated with the slappasswd command; the one shown above is only a sample, so generate your own. Note that no access directives are given, so slapd's default policy applies: anyone can read all entries, and only the rootdn can update them. That default is what allows clients to look up net service entries without binding as a user.
Start OpenLDAP Server:
Change directory to /etc/openldap

# slapd -f slapd.conf   --- You cannot stop after starting
# chown ldap.ldap slapd.conf
# /etc/rc.d/init.d/ldap start
Creating the Directory layout
Notice that we already defined the base DN using the suffix keyword in slapd.conf:

suffix "dc=example, dc=com"

We need to create an actual entry for this in the LDAP directory itself, using an LDIF-formatted file and ldapadd. Create a file named directory.ldif containing:

dn: dc=example, dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example, Inc.

Be sure not to leave any trailing spaces, as they may confuse ldapadd. Import the LDIF entries into the directory using:

# ldapadd -x -h localhost -D 'dc=example,dc=com' -f directory.ldif -W

This will prompt for the LDAP password. Type your rootdn password.
Next, create OracleContext in the directory under dc=example,dc=com to serve as a container for net service entries. Create a file named orclcontext.ldif containing the following and import it with the ldapadd command above:

dn: cn=OracleContext,dc=example,dc=com
objectclass: orclContext
cn: OracleContext

Now add net service entries. Create a file named netservice.ldif containing the following entries and import them using the ldapadd command. A typical LDIF entry will look something like this for each database:

dn: cn=orcl,cn=OracleContext,dc=example,dc=com
objectclass: top
objectclass: orclNetService
cn: orcl
orclNetDescString: (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=1521)))(CONNECT_DATA=(SID=ORCL)))

To delete an entry from LDAP:

# ldapdelete -x -h localhost -D 'dc=example,dc=com' 'cn=orcl,cn=OracleContext,dc=example,dc=com' -W
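Writing netservice.ldif by hand for many databases invites exactly the trailing-space and unbalanced-parenthesis mistakes that make ldapadd or the client fail. The following Python is an added example, not part of the original how-to: it generates orclNetService entries in the form shown above for a list of databases and lints the result before it goes to ldapadd. The base DN dc=example,dc=com is assumed from slapd.conf; the function names are ours.

```python
from typing import Iterable, List, Tuple

BASE_DN = "dc=example,dc=com"                 # assumed: the suffix from slapd.conf
CONTEXT_DN = "cn=OracleContext," + BASE_DN    # container created by orclcontext.ldif


def net_desc_string(host: str, port: int, sid: str) -> str:
    """Connect descriptor in the form used by the netservice.ldif entry above."""
    return ("(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)"
            f"(HOST={host})(PORT={port})))(CONNECT_DATA=(SID={sid})))")


def net_service_entry(name: str, host: str, port: int, sid: str) -> str:
    """One orclNetService LDIF entry for a database, as ldapadd expects it."""
    lines = [
        f"dn: cn={name},{CONTEXT_DN}",
        "objectclass: top",
        "objectclass: orclNetService",
        f"cn: {name}",
        f"orclNetDescString: {net_desc_string(host, port, sid)}",
    ]
    return "\n".join(lines) + "\n"


def netservice_ldif(services: Iterable[Tuple[str, str, int, str]]) -> str:
    """Whole netservice.ldif: one entry per (name, host, port, sid),
    separated by blank lines as LDIF requires."""
    return "\n".join(net_service_entry(*s) for s in services)


def lint_ldif(text: str) -> List[str]:
    """Report what would trip ldapadd or the Oracle client: trailing
    whitespace (the how-to's warning above) and a connect descriptor whose
    parentheses do not balance."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if line != line.rstrip():
            problems.append(f"line {n}: trailing whitespace")
        if line.startswith("orclNetDescString:"):
            desc = line.split(":", 1)[1].strip()
            if desc.count("(") != desc.count(")"):
                problems.append(f"line {n}: unbalanced parentheses in descriptor")
    return problems


if __name__ == "__main__":
    # constructed sample: two databases on two hosts
    ldif = netservice_ldif([("orcl", "dbhost", 1521, "ORCL"),
                            ("test", "dbhost2", 1522, "TEST")])
    print(ldif)
    print("problems:", lint_ldif(ldif) or "none")
```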
Client Configuration:
You will also need to configure the client to use LDAP in its resolution order. Oracle client version 8.1.6 and above can use LDAP directly for lookups. If you have any clients older than 8.1.6, you'll have to use the Oracle Names LDAP Proxy.

sqlnet.ora
NAMES.DEFAULT_DOMAIN=example.com
NAMES.DIRECTORY_PATH=(LDAP, TNSNAMES)

ldap.ora
DEFAULT_ADMIN_CONTEXT="dc=example,dc=com"
DIRECTORY_SERVERS=ldap-server:port
DIRECTORY_SERVER_TYPE=ad
Schemas:

$ cat oidbase.schema
attributetype ( 2.16.840.1.113894.7.1.1 NAME 'orclVersion'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.7.1.2 NAME 'orclOracleHome'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.7.1.3 NAME 'orclSystemName'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.7.1.4 NAME 'orclServiceType'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.7.1.5 NAME 'orclSid'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.7.1.6 NAME 'orclProductVersion'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
objectClass ( 2.16.840.1.113894.7.2.2 NAME 'orclContainer' SUP 'top'
    STRUCTURAL
    MUST ( cn ) )
objectClass ( 2.16.840.1.113894.7.2.3 NAME 'orclContext' SUP 'top'
    STRUCTURAL
    MUST ( cn ) )
objectClass ( 2.16.840.1.113894.7.2.6 NAME 'orclSchemaVersion' SUP 'top'
    STRUCTURAL
    MUST ( cn $ orclProductVersion ) )
attributetype ( 2.16.840.1.113894.3.1.12 NAME 'orclNetDescName'
    EQUALITY distinguishedNameMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.13 NAME 'orclNetDescString'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
objectClass ( 2.16.840.1.113894.7.2.1001 NAME 'orclService' SUP 'top'
    STRUCTURAL
    MUST ( cn )
    MAY ( orclServiceType $ orclOracleHome $ orclSystemName $ orclSid $
          orclNetDescName $ orclNetDescString $ orclVersion $ Description ) )
$ cat oidnet.schema
attributetype ( 2.16.840.1.113894.3.1.1 NAME 'orclNetSourceRoute'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.5'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.2 NAME 'orclNetLoadBalance'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.5'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.3 NAME 'orclNetFailover'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.5'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.4 NAME 'orclNetSdu'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.5 NAME 'orclNetServer'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.6 NAME 'orclNetServiceName'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.7 NAME 'orclNetInstanceName'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.8 NAME 'orclNetHandlerName'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.9 NAME 'orclNetParamList'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetype ( 2.16.840.1.113894.3.1.10 NAME 'orclNetAuthenticationType'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.11 NAME 'orclNetAuthParams'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.14 NAME 'orclNetAddressString'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.15 NAME 'orclNetProtocol'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.16 NAME 'orclNetShared'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.17 NAME 'orclNetAddrList'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetype ( 2.16.840.1.113894.3.1.18 NAME 'orclNetProtocolStack'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.3.1.19 NAME 'orclNetDescList'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetype ( 2.16.840.1.113894.3.1.20 NAME 'orclNetConnParamList'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetype ( 2.16.840.1.113894.3.1.21 NAME 'orclNetAuthenticationService'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
objectClass ( 2.16.840.1.113894.3.2.5 NAME 'orclNetService' SUP 'top'
    STRUCTURAL
    MUST ( cn )
    MAY ( orclNetDescName $ orclNetDescString $ orclVersion $ Description ) )
objectClass ( 2.16.840.1.113894.3.2.4 NAME 'orclNetDescriptionList' SUP 'top'
    STRUCTURAL
    MUST ( cn )
    MAY ( orclNetDescList $ orclNetSourceRoute $ orclNetLoadBalance $
          orclNetFailover $ orclNetShared $ orclVersion $ Description ) )
objectClass ( 2.16.840.1.113894.3.2.3 NAME 'orclNetDescription' SUP 'top'
    STRUCTURAL
    MUST ( cn )
    MAY ( orclNetAddrList $ orclNetProtocolStack $ orclNetSdu $ orclSid $
          orclNetServer $ orclNetServiceName $ orclNetInstanceName $
          orclNetHandlerName $ orclOracleHome $ orclNetAuthenticationType $
          orclNetAuthenticationService $ orclNetAuthParams $ orclNetParamList $
          orclNetConnParamList $ orclNetSourceRoute $ orclNetLoadBalance $
          orclNetFailover $ orclNetShared $ orclVersion $ Description ) )
objectClass ( 2.16.840.1.113894.3.2.2 NAME 'orclNetAddressList' SUP 'top'
    STRUCTURAL
    MUST ( cn )
    MAY ( orclNetAddrList $ orclNetSourceRoute $ orclNetLoadBalance $
          orclNetFailover $ orclNetShared $ orclVersion $ Description ) )
objectClass ( 2.16.840.1.113894.3.2.1 NAME 'orclNetAddress' SUP 'top'
    STRUCTURAL
    MUST ( cn )
    MAY ( orclNetAddressString $ orclNetProtocol $ orclNetShared $
          orclVersion $ Description ) )
$ cat oidrdbms.schema
attributetype ( 2.16.840.1.113894.2.1.1 NAME 'orclDBtrustedUser'
    EQUALITY distinguishedNameMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
attributetype ( 2.16.840.1.113894.2.1.2 NAME 'orclDBServerMember'
    EQUALITY distinguishedNameMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
attributetype ( 2.16.840.1.113894.2.1.3 NAME 'orclDBEntUser'
    EQUALITY distinguishedNameMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
attributetype ( 2.16.840.1.113894.2.1.4 NAME 'orclDBEntRoleAssigned'
    EQUALITY distinguishedNameMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
attributetype ( 2.16.840.1.113894.2.1.5 NAME 'orclDBServerRole'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetype ( 2.16.840.1.113894.2.1.6 NAME 'orclDBTrustedDomain'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.2.1.7 NAME 'orclDBRoleOccupant'
    EQUALITY distinguishedNameMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
attributetype ( 2.16.840.1.113894.2.1.8 NAME 'orclDBDistinguishedName'
    EQUALITY distinguishedNameMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.2.1.9 NAME 'orclDBNativeUser'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
attributetype ( 2.16.840.1.113894.2.1.10 NAME 'orclDBGlobalName'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )
objectClass ( 2.16.840.1.113894.2.2.1 NAME 'orclDBServer' SUP 'orclService'
    STRUCTURAL
    MAY ( userCertificate $ orclDBtrustedUser $ orclDBGlobalName ) )
objectClass ( 2.16.840.1.113894.2.2.2 NAME 'orclDBEnterpriseDomain' SUP top
    STRUCTURAL
    MUST cn
    MAY ( orclDBServerMember $ orclDBEntUser $ orclDBTrustedDomain ) )
objectClass ( 2.16.840.1.113894.2.2.3 NAME 'orclDBEnterpriseRole' SUP top
    STRUCTURAL
    MUST cn
    MAY ( orclDBServerRole $ orclDBEntRoleAssigned $ description $ seeAlso $
          o $ ou $ orclDBRoleOccupant ) )
objectClass ( 2.16.840.1.113894.2.2.4 NAME 'orclDBEntryLevelMapping' SUP top
    STRUCTURAL
    MUST cn
    MAY ( orclDBDistinguishedName $ orclDBNativeUser ) )
objectClass ( 2.16.840.1.113894.2.2.5 NAME 'orclDBSubtreeLevelMapping' SUP top
    STRUCTURAL
    MUST cn
    MAY ( orclDBDistinguishedName $ orclDBNativeUser ) )