Oracle Database Name Resolution with OpenLDAP.doc

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

1/18

DBA Tips Archive for Oracle

Oracle Database Name Resolution with OpenLDAP

by Jeff Hunter, Sr. Database Aministrator

Contents

!ntrouction "onfi#ure LDAP Directory

"onfi#ure Oracle "lients for LDAP

$ana#e Net Ser%ice Names

&ser !nterfaces

'roubleshootin#

About the Author

Introduction

Anyone who has e%er wor(e with the Oracle Database is most li(ely familiar with thetnsnames.orafile. 'he tnsnames.ora file is a te)t file that contains client sie efinitions for net

ser%ice names, sometimes call aliases, neee to lo# in to an Oracle instance. 'his pro%ies localname resolution by mappin# net ser%ice names to connect escription information for Oracleinstances* similar to how the local hostsfile for an operatin# system maps machine names to !P

aresses. 'he tnsnames.ora file is commonly foun in its efault location uner theORACLE_HOME/network/adminirectory.

One of the a%anta#es of usin# a local tnsnames.ora file is that it is easy to create an eitentries. 'his is especially true when there are only a few entries to maintain an the file onlynees to be istribute to a small number of Oracle client machines. 'he primary isa%anta#e oflocal namin# is when there are a lar#e number of client machines on the networ(, say + ore%en a + clients, each re-uire to ha%e their own tnsnames.ora file. 'his problem #etscompoune when fre-uent chan#es to the tnsnames.ora are re-uire as a result of ain# ormo%in# atabase an the file has to be reistribute to those clients.

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

2/18

A more efficient solution is to centrali/e the list of atabase names in a repository that e%eryOracle client can access. !n this article, ! will emonstrate how to confi#ure Oracle atabasenamin# in an LDAP irectory. LDAP is for tnsnames.ora what DNS is for a local hosts file li(e/etc/hosts. Similar to how the local tnsnames.ora file wor(s, when a client performs a loo(up

for a net ser%er name in LDAP, it is #i%en the appropriate connect escriptor information for the

Oracle instance or ser%ice name.

Support for net ser%ice name resolution throu#h LDAP starte in Net0 with Oracle atabaserelease 0.+.1. Note that the name Net0 was chan#e to Oracle Net in Oracle2i. Oracle Net runson both the client machine an the atabase ser%er an allows transparent atabasecommunication o%er a networ(. 3efore LDAP, Oracle Nameswas the ser%ice use to support acentrali/e namin# ser%ice an a way to eliminate the local tnsnames.ora file on client machines.Althou#h this technolo#y wor(e well, it was a proprietary solution that in4t offer theinte#rate solution with other stanars base namin# ser%ices li(e irectory namin# foun inLDAP. Oracle2iwas the terminal release of Oracle Names an Oracle stron#ly recommensusers to mi#rate to irectory namin# usin# LDAP.

'he LDAP implementation use in this #uie is OpenLDAP Software runnin# on the "entOS 5platform. 'his #uie assumes the LDAP irectory is alreay confi#ure an runnin# on amachine name ldapsrv.idevelopment.info. 'he LDAP irectory use in this #uie has been

initiali/e with a base DN of dc=idevelopment,dc=info. Ob%iously, the name of your LDAP

ser%er an the base DN will iffer an the e)amples presente in this #uie will nee to bemoifie accorin#ly for you en%ironment. Refer to the followin# two tutorials on how to installOpenLDAP Software an initiali/e the LDAP irectory on the ser%er.

"entOS 5

!nstall an "onfi#ure OpenLDAP!nitiali/e a New LDAP Directory

"entOS 1

!nstall an "onfi#ure OpenLDAP!nitiali/e a New LDAP Directory

Althou#h Oracle pro%ies an officially supporte LDAP implementation name Oracle !nternetDirectory 6O!D7, it is part of a much lar#er an comple) !entity $ana#ement software prouctthat is inte#rate into their Oracle 8usion $ileware an Oracle Applications. Since ! am usin#

the LDAP irectory for nothin# more than atabase name loo(ups, this option woul be e)tremeo%er(ill. Not to mention that OpenLDAP is open source an comes at a total cost of 9. whileO!D will set you bac( a #oo chun( of chan#e.

'he solution escribe in this article is not supporte by Oracle Support.

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

3/18

Configure LDAP Directory

'he process starts with confi#urin# the OpenLDAP irectory with similar capabilities of Oracle!nternet Directory 6O!D7. 'his in%ol%es importin# four Oracle specific schema specification files

that implement the structure of a net ser%ice name entry an the connect escriptor informationthat shoul be returne to the client that as(s for the name to be resol%e.

8irst, create the followin# irectory on the LDAP ser%er:

root!ldapsrv #$%mkdir -p /etc/openldap/oid/schema

Ne)t, ownloa the four schema specification files to the newly create irectory. 'hese fileswere ta(en from the O!D schema ob;ects an sli#htly moifie to wor( with OpenLDAP.

oibase.schema

oinet.schema

oirbms.schema

alias.schema

Open the main confi#uration file for the OpenLDAP ser%er 6/etc/openldap/slapd.conf7 an

a lin(s to the O!D schema files.

incl&de /etc/openldap/oid/schema/oid'ase.schemaincl&de /etc/openldap/oid/schema/oidnet.schemaincl&de /etc/openldap/oid/schema/oidrd'ms.schemaincl&de /etc/openldap/oid/schema/alias.schema

After ma(in# moifications to the confi#uration file, restart the LDAP ser%er aemon.

root!ldapsrv #$% service ldap restart(toppin) slapd* O+ $(tartin) slapd* O+ $

8inally, create the followin# LDAP recor that efines the orclContextob;ect class. 'o o this,

create a new LD!8 file with the followin# contents. $oify the e)ample entry below to matchyour base DN.

root!ldapsrv #$% vi oracleContext.ldif

dn* cn=OracleContet,dc=idevelopment,dc=infoo'-ectclass* orclContetcn* OracleContet

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

4/18

'his #uie assumes the irectory has been initiali/e with a base DN ofdc=idevelopment,dc=infoas escribe in the followin# tutorial:

!nitiali/e a New LDAP Directory

&se the ldapaddcomman to loa the new ob;ect class to the irectory.

root!ldapsrv #$% ldapadd -x -W -D "cn=Manager,dc=idevelopment,dc=info" -foracleContext.ldifEnter LA assword* *********addin) new entr0 1cn=OracleContet,dc=idevelopment,dc=info1

Configure Oracle Clients for LDAP

'he ne)t step is to setup the Oracle Net confi#uration files on the client for net ser%ice name

resolution throu#h LDAP. 'he client in this case is the machine bein# use to connect to theOracle instance. 'he client machine will nee to ha%e the Oracle "lient or Oracle Databasesoftware installe which inclues the Oracle Net software.

LDAP Naming ethod ! "s#lnet$ora%

Start by specifyin# the namin# methos throu#h the 2AME(.3REC4OR5_A4Hparameter in the

ORACLE_HOME/network/admin/s6lnet.ora file on the client machine. 'he (eywor for

irectory namin# is LDAP. 'he followin# parameter settin# will confi#ure a client to attemptname resolution throu#h the local tnsnames.ora file first, an then throu#h the LDAP irectory.

2AME(.3REC4OR5_A4H= 742(2AME(, LA8

!f your client confi#uration will not inclue a tnsnames.ora file for local name resolution, remo%ethe 42(2AME((eywor an only inclue LA.

2AME(.3REC4OR5_A4H= 7LA8

LDAP &erver Information ! "ldap$ora%

Ne)t, create a new file in the same irectory name ORACLE_HOME/network/admin/ldap.ora.

'his file will contain information necessary to connect to the LDAP ser%er an inclues threeentries similar to the followin#. $oify the contents escribe below to the name of your LDAPser%er, LDAP listenin# port, an the efault aministrati%e conte)t within your LDAP irectory.

3REC4OR5_(ER9ER(= 7ldapsrv.idevelopment.info*:;A?L4_AM32_CO24E@4 = 1dc=idevelopment,dc=info1

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

5/18

3REC4OR5_(ER9ER_45E = O3

A?L4_OMA32parameter is specifie in the s6lnet.orafile, it is i#nore

when irectory namin# is use. !nstea, the e-ui%alent functionality escribe abo%e willbe pro%ie throu#h the E>A?L4_AM32_CO24E@4parameter in ldap.ora.

!n the abo%e e)ample, Oracle Net will translate the un-ualifie net ser%er name 6testd'B7 to a

fully -ualifie istin#uishe name 6dn*

cn=testd'B,cn=OracleContet,dc=idevelopment,dc=info 7 which is then passe to the

LDAP irectory. !f a match is foun, the LDAP ser%er then returns the connect escriptorinformation to the client which will be use to initiate a connection to the specifie Oracleinstance or ser%ice name.

anage Net &ervice Names

At this point, the LDAP irectory (nows what the structure of an Oracle net ser%ice name recorshoul loo( li(e an the Oracle client (nows how to access the LDAP ser%er. 'he ne)t step is toa a new Oracle net ser%ice name recor to the LDAP irectory. 'he metho use in thissection is to create a template recor in the LDAP Data !nterchan#e 8ormat, or LD!8, file formatan loa it usin# the LDAP client tool ldapadd.

Add Net &ervice Name

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

6/18

"reate an LD!8 file name newnetservicename.ldifwith information similar to the

followin# e)ample:

root!ldapsrv #$% vi ne-netservicename.ldif

dn* cn=testd'B,cn=OracleContet,dc=idevelopment,dc=infoo'-ectclass* topo'-ectclass* orcl2et(ervicecn* testd'Borcl2etesc(trin)* 7E(CR343O2=7ARE((=7RO4OCOL=4C87HO(4=testnodeB87OR4=BDB887CO22EC4_A4A=7(ER93CE_2AME=testd'B.idevelopment.info888

'he last line of the e)ample abo%e shoul loo( familiar if you ha%e e%er mana#e entries in thetnsnames.orafile. 'he new recor will be store within the OracleContetschema that was

create earlier in this #uie.

After moifyin# the e)ample recor for your en%ironment, a it to the irectory usin# ldapadd.

root!ldapsrv #$% ldapadd -x -W -D "cn=Manager,dc=idevelopment,dc=info" -fne-netservicename.ldif

Enter LA assword* *********addin) new entr0 1cn=testd'B,cn=OracleContet,dc=idevelopment,dc=info1

'est that the Oracle client is able to resol%e the net ser%ice name throu#h LDAP usin# anun-ualifie an fully -ualifie net ser%ice name.

oracle!testnode: #$F tnsping testd!

42( in) ?tilit0 for Lin&* 9ersion BB..G.:.G rod&ction on GA?GBB

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

7/18

?sed LA adapter to resolve the aliasAttemptin) to contact 7E(CR343O2=7ARE((=7RO4OCOL=4C87HO(4=testnodeB87OR4=BDB887CO22EC4_A4A=7(ER93CE_2AME=testd'B.idevelopment.info888O+ 7G msec8

odify Net &ervice Name

!n aition to ain# new entries, any e)istin# LDAP recor can be moifie by creatin# theappropriate LD!8 file an usin# the ldapmodif0comman. 8or e)ample, if the testd'B

atabase mo%e to another host, say newtestnodeB, create an LD!8 recor similar to the

followin#:

root!ldapsrv #$% vi modif#-netservicename.ldif

dn* cn=testd'B,cn=OracleContet,dc=idevelopment,dc=info

chan)et0pe* modif0replace* orcl2etesc(trin)orcl2etesc(trin)* 7E(CR343O2=7ARE((=7RO4OCOL=4C87HO(4=newtestnodeB87OR4=BDB887CO22EC4_A4A=7(ER93CE_2AME=testd'B.idevelopment.info888

&pate the irectory recor usin# ldapmodif0.

root!ldapsrv #$% ldapmodif# -x -W -D "cn=Manager,dc=idevelopment,dc=info" -fmodif#-netservicename.ldif -vldap_initialiJe7 ldap*//ldapsrv 8Enter LA assword* *********replace orcl2etesc(trin)*

7E(CR343O2=7ARE((=7RO4OCOL=4C87HO(4=newtestnodeB87OR4=BDB887CO22EC4_A4A=7(ER93CE_2AME=testd'B.idevelopment.info888modif0in) entr0 1cn=testd'B,cn=OracleContet,dc=idevelopment,dc=info1modif0 complete

'est the new recor from the Oracle client.

oracle!testnode: #$F tnsping testd!

42( in) ?tilit0 for Lin&* 9ersion BB..G.:.G rod&ction on GA?GBB

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

8/18

Delete Net &ervice Name

&se the ldapdeletecomman to elete a recor 6an Oracle net ser%ice name entry7 from the

LDAP irectory.

root!ldapsrv #$% ldapdelete -x -W -D "cn=Manager,dc=idevelopment,dc=info""cn=testd!,cn=$racleContext,dc=idevelopment,dc=info" -v

ldap_initialiJe7 ldap*//ldapsrv 8Enter LA assword* *********deletin) entr0 1cn=testd'B,cn=OracleContet,dc=idevelopment,dc=info1

'ser Interfaces

After ain# or moifyin# a few of these net ser%ice name recors usin# LD!8, it shouln4t belon# before you start as(in# yourself whether or not there is a more efficient metho for

mana#in# irectory entries. >our first thou#ht may be to fire up the Oracle client toolNetManager. &nfortunately, Net $ana#er an many other Oracle client tools only wor( with Oracle!nternet Directory* not OpenLDAP or any other #eneric LDAP ser%er. Althou#h ! was able tosuccessfully authenticate to the OpenLDAP irectory usin# Net $ana#er, ! was not able to a,%iew, or moify any of the irectory entries in the OracleContetschema.

'here are se%eral free LDAP amin proucts that you mi#ht fin useful* some of which are listebelow.

webmin 6mana#e user account, DNS, LDAP, an much more usin# a web interface7

J?plorer 6stanalone client7

Apache Directory Stuio

phpLDAPamin

$y personal fa%orite is phpLDAPamin 6also (nown as PLA7. phpLDAPamin is a free anpopular webbase LDAP client that is easy to install an customi/e. !ts hierarchical tree%ieweran a%ance search functionality ma(e it intuiti%e to browse an aminister an LDAP irectory.Since it is webbase, the LDAP browser wor(s on many platforms, ma(in# your LDAP ser%ereasy to mana#e from any location.

&se the followin# instructions to install the phpLDAPamin software alon# with PHP an theApache H''P Ser%er. 8or the purpose of this e)ample, ! installe the phpLDAPamin webapplication on the same ser%er hostin# the OpenLDAP irectory6ldapsrv.idevelopment.info7.

Install Apache (TTP &erver

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

9/18

!f the application ser%er alreay has the Apache H''P Ser%er installe, this section may bes(ippe. $a(e certain that the Apache H''P ser%er is starte an confi#ure to launch on boot.

'he Apache H''P Ser%er can be installe on "entOS, ReHat

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

10/18

% 'ase K with scope 'aseO'-ect% filter* 7o'-ectclass=8% re6&estin)* s&'schema(&'entr0%

%dn*s&'schema(&'entr0* cn=(&'schema

% search res&ltsearch* res&lt* G (&ccess

% n&mResponses* % n&mEntries* B

@. Cerify any aitional prere-uisites.

http:phplapamin.sourcefor#e.netwi(iine).phpPreRe-uisites

3. Downloa the current %ersion of phpLDAPamin 6phpldapadminB...Jipat the timeof this writin#7 to the application ser%er.

http:phplapamin.sourcefor#e.netwi(iine).phpDownloa

E. &npac( the phpLDAPamin archi%e.

% %n+ip phpldapadmin-.&.&.+ip

5. Put the resultin# NphpldapadminNirectory anywhere in your DocumentRoot 6i.e.

/var/www/html7.

%mv phpldapadmin-.&.& /var//html/phpldapadmin

6. !n the NphpldapadminNconfi# irectory 6i.e. oc&mentRoot/phpldapadmin/confi)7

copy Nconfi).php.eampleNto Nconfi).phpNan moify any settin#s in confi).php

to customi/e the phpLDAPamin en%ironment.

% cd /var//html/phpldapadmin/config% cp config.php.example config.php

7. 'he only moification ! mae to the confi).phpfile was to Fserversset9al&e:

/ A convenient name that will appear in the tree viewer and thro&)ho&t phpLAadmin to identif0 this LA server to &sers. /Fserversset9al&e7NserverN,NnameN,Nievelopment.infoN8

0. Restart the Apache H''P ser%ice.

% apachectl restart

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

11/18

anage Net &ervice Names using phpLDAPadmin

$ana#in# LDAP recors usin# the phpLDAPamin web interface is fairly selfe)planatory. !nthis final section, !4ll pro%ie the methos ! use to mana#e net ser%ice names in OpenLDAP usin#phpLDAPamin. ! will pro%ie two custom templates that ! wrote which ma(es creatin# an

moifyin# net ser%ice names in phpLDAPamin simple an strai#htforwar.

Cisit the phpLDAPamin website to learn more about templates.

http:phplapamin.sourcefor#e.netwi(iine).php'emplates

+. Downloa the followin# Create Templatethat will pro%ie a custom interface use tocreate new Oracle net ser%ice names in phpLDAPamin.

o orclNetSer%ice.)ml

"opy the orcl2et(ervice.mlfile to the

oc&mentRoot/phpldapadmin/templates/creation irectory on the application

ser%er.

% cp orcletervice.xml /var//html/phpldapadmin/templates/creation/

@. Downloa the followin#Modification Templatethat will pro%ie a custom interface useto moify e)istin# Oracle net ser%ice names in phpLDAPamin.

o orclNetSer%ice.)ml

"opy the orcl2et(ervice.mlfile to the

oc&mentRoot/phpldapadmin/templates/modification irectory on the application

ser%er.

% cp orcletervice.xml/var//html/phpldapadmin/templates/modification/

. Open your web browser an na%i#ate to the phpLDAPamin web application.

http:FhostnameGphplapamin

!f you are repeatin# the steps in this section an recei%e any errors tryin# to brin#up the web site 6for e)ample 4'he connection to the ser%er was reset while thepa#e was loain#.47 clear your coo(ies an cache from the browser an restart the

Apache H''P ser%ice.E. Lo# in to your LDAP irectory from the phpLDAPamin home pa#e.

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

12/18

5. 8rom the base DN 6left pane7, e)pan your irectory tree an na%i#ate to theOracleContetschema. !f you ha%e any atabases re#istere, clic( on the net ser%ice

name 6cn=Ktns_alias7 to %iew or moify that entry.

!f you installe the two templates escribe in the pre%ious steps, this will brin# up a

pa#e 6ri#ht pane7 that allows you to choose which template to eit the entry with. !n thee)ample below, the choices are:

Oracle: Net Ser%ice Name (our custom Modification Template)

Default(phpLDAPadmin default modification

screen)

Select the 4Oracle* Net &ervice Name4 template.

1. &se this template to moify the Connect Descriptorattribute for the selecte net ser%icename. Notice in this form that the Net &ervice Namefiel is reaonly.

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

13/18

. !t shoul be note that it is not re-uire to use the custom moification template 6Oracle:Net Ser%ice Name7 to upate the net ser%ice name entry. !f you selecte the Defaulttemplate, the entry form pro%ies all upatable fiels an the actual name of the attributes6as oppose to the titles ! use in place of the attribute names7.

0. 'o create a new net ser%ice name, clic( the Create ne+ entry hereoption uner theOracleContextschema.

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

14/18

2. Just as we saw when moifyin# an entry, a list of a%ailable templates will be liste whichcan be use to create a new entry. Since we will be creatin# a net ser%ice name entry,select the custom template Oracle* Net &ervice Name. Remember, you can always selectthe Defaulttemplate which pro%ies a form with attributes that are a caniate for bein#upate.

+. 'he Oracle: Net Ser%ice Name template ma(es it easy to enter a Net &ervice Nameanthe Connect Descriptor.

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

15/18

++. After ain# the new net ser%ice name, ;ump on to the Oracle client machine an try to

lo# on to the atabase throu#h LDAP.

oracle!testnode: #$F slpl%s scott/tigerracd!(PLl&s* Release BB..G.:.G rod&ction on 4&e A&) B G*QQ*D GB

Cop0ri)ht 7c8 B

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

16/18

(tat&s * >ail&re LA* error code : 2o (&ch O'-ect$

8or e)ample:

Loo(in# at the lo# file for the LDAP ser%er shows that SIL De%eloper sent an LDAP re-uest

that in4t match the O!D LDAP structure that we impro%ise in OpenLDAP. 'he re-uest sentby SIL De%eloper was e)pectin# a stanar O!D LDAP structure that in4t match ourimplementation.

'he wor(aroun is to create an Advanced"onnection 'ype with a "ustom JD3" &RL similarto the followin#:

-d'c*oracle*thin*!ldap*//ldapsrv*:;

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

17/18

A,out the Author

Jeffrey Hunter is an Oracle "ertifie Professional, Ja%a De%elopment "ertifie Professional,Author, an an Oracle A"

8/14/2019 Oracle Database Name Resolution with OpenLDAP.doc

18/18

! ha%e mae e%ery effort an ta(en #reat care in ma(in# sure that the material inclue on my web site is technicallyaccurate, but ! isclaim any an all responsibility for any loss, ama#e or estruction of ata or any other property

which may arise from relyin# on it. ! will in no case be liable for any monetary ama#es arisin# from such loss,ama#e or estruction.

Last moifie on

Benesay, Jul@+ +:E2:+@