Oracle Database Name Resolution with OpenLDAP by Jeff Hunter, Sr. Database Administrator
Contents

Introduction
Configure LDAP Directory
Configure Oracle Clients for LDAP
Manage Net Service Names
User Interfaces
Troubleshooting
About the Author
Introduction
Anyone who has ever worked with the Oracle Database is most likely familiar with the tnsnames.ora file. The tnsnames.ora file is a text file that contains client-side definitions for net service names, sometimes called aliases, needed to log in to an Oracle instance. This provides local name resolution by mapping net service names to connect descriptor information for Oracle instances, similar to how the local hosts file of an operating system maps machine names to IP addresses. The tnsnames.ora file is commonly found in its default location under the ORACLE_HOME/network/admin directory. One of the advantages of using a local tnsnames.ora file is that it is easy to create and edit entries. This is especially true when there are only a few entries to maintain and the file only needs to be distributed to a small number of Oracle client machines. The primary disadvantage of local naming shows up when there are a large number of client machines on the network, say 100 or even 1,000 clients, each required to have its own tnsnames.ora file. This problem gets compounded when frequent changes to tnsnames.ora are required as a result of adding or moving databases, and the file has to be re-distributed to all of those clients.
A more efficient solution is to centralize the list of database names in a repository that every Oracle client can access. In this article, I will demonstrate how to configure Oracle database naming in an LDAP directory. LDAP is for tnsnames.ora what DNS is for a local hosts file like /etc/hosts. Similar to how the local tnsnames.ora file works, when a client performs a lookup for a net service name in LDAP, it is given the appropriate connect descriptor information for the Oracle instance or service name. Support for net service name resolution through LDAP started in Net8 with Oracle database release 8.1.6. Note that the name Net8 was changed to Oracle Net in Oracle9i. Oracle Net runs on both the client machine and the database server and allows transparent database communication over a network. Before LDAP, Oracle Names was the service used to provide a centralized naming service and a way to eliminate the local tnsnames.ora file on client machines. Although this technology worked well, it was a proprietary solution that did not integrate with other standards-based naming services like the directory naming found in LDAP. Oracle9i was the terminal release of Oracle Names, and Oracle strongly recommends that users migrate to directory naming using LDAP. The LDAP implementation used in this guide is OpenLDAP Software running on the CentOS 5 platform. This guide assumes the LDAP directory is already configured and running on a machine named ldapsrv.idevelopment.info. The LDAP directory used in this guide has been initialized with a base DN of dc=idevelopment,dc=info. Obviously, the name of your LDAP server and the base DN will differ, and the examples presented in this guide will need to be modified accordingly for your environment. Refer to the following two tutorials on how to install OpenLDAP Software and initialize the LDAP directory on the server.
Although Oracle provides an officially supported LDAP implementation named Oracle Internet Directory (OID), it is part of a much larger and more complex Identity Management software product that is integrated into Oracle Fusion Middleware and Oracle Applications. Since I am using the LDAP directory for nothing more than database name lookups, this option would be extreme overkill. Not to mention that OpenLDAP is open source and comes at a total cost of $0.00, while OID will set you back a good chunk of change. The solution described in this article is not supported by Oracle Support.
Next, download the four schema specification files to the newly created directory. These files were taken from the OID schema objects and slightly modified to work with OpenLDAP.

Open the main configuration file for the OpenLDAP server (/etc/openldap/slapd.conf) and add include directives for the OID schema files.

include /etc/openldap/oid/schema/oidbase.schema
include /etc/openldap/oid/schema/oidnet.schema
include /etc/openldap/oid/schema/oidrdbms.schema
include /etc/openldap/oid/schema/alias.schema

After making modifications to the configuration file, restart the LDAP server daemon. Note that slapd will refuse to start if one of the included schema files fails to parse, so it is worth validating the configuration with slaptest before restarting a directory that other services depend on.

[root@ldapsrv ~]# service ldap restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ]
Finally, create the OracleContext entry, an object of class orclContext, under which the net service name records will be stored. To do this, create a new LDIF file with the following contents. Modify the example entry below to match your base DN.

[root@ldapsrv ~]# vi oracleContext.ldif
dn: cn=OracleContext,dc=idevelopment,dc=info
objectclass: orclContext
cn: OracleContext

This guide assumes the directory has been initialized with a base DN of dc=idevelopment,dc=info as described in the following tutorial: Initialize a New LDAP Directory. Use the ldapadd command to load the new entry into the directory.

[root@ldapsrv ~]# ldapadd -x -W -D "cn=Manager,dc=idevelopment,dc=info" -f oracleContext.ldif
Enter LDAP Password: *********
adding new entry "cn=OracleContext,dc=idevelopment,dc=info"
LDAP Naming

Method 1 (sqlnet.ora)
Start by specifying the naming methods through the NAMES.DIRECTORY_PATH parameter in the ORACLE_HOME/network/admin/sqlnet.ora file on the client machine. The keyword for directory naming is LDAP. The following parameter setting configures a client to attempt name resolution through the local tnsnames.ora file first, and then through the LDAP directory.

NAMES.DIRECTORY_PATH = (TNSNAMES, LDAP)

If your client configuration will not include a tnsnames.ora file for local name resolution, remove the TNSNAMES keyword and only include LDAP.

NAMES.DIRECTORY_PATH = (LDAP)

The directory server type is specified in the ldap.ora file in the same directory:

DIRECTORY_SERVER_TYPE = OID
Even though the LDAP implementation used in this guide is OpenLDAP, we still need to set the DIRECTORY_SERVER_TYPE parameter to OID, the value for Oracle Internet Directory. The default administrative context specified in the ldap.ora file (DEFAULT_ADMIN_CONTEXT) is the LDAP equivalent of the default Oracle Net domain name (NAMES.DEFAULT_DOMAIN) specified in the sqlnet.ora file. Since there is no strict format for the naming structure in the target LDAP domain, DEFAULT_ADMIN_CONTEXT provides a mechanism to specify the context in which unqualified net service names are resolved. For example, consider the default administrative context used in this guide, "dc=idevelopment,dc=info". Oracle Net will build a full distinguished name (dn) from an unqualified net service name, which is then passed to the LDAP directory as shown in the following example:

    Oracle Net will always      From DEFAULT_ADMIN_CONTEXT
       add these parts                in ldap.ora
             |                              |
    _________|__________                    |
 __|___         ________|_______  __________|___________
|      |       |                ||                      |
(dn: cn=testdb1,cn=OracleContext,dc=idevelopment,dc=info)
        |_____|
           |
The unqualified net service
  name that was supplied

If the NAMES.DEFAULT_DOMAIN parameter is specified in the sqlnet.ora file, it is ignored when directory naming is used. Instead, the equivalent functionality described above is provided through the DEFAULT_ADMIN_CONTEXT parameter in ldap.ora. In the above example, Oracle Net translates the unqualified net service name (testdb1) to a full distinguished name (dn: cn=testdb1,cn=OracleContext,dc=idevelopment,dc=info), which is then passed to the LDAP directory. If a match is found, the LDAP server returns the connect descriptor information to the client, which uses it to initiate a connection to the specified Oracle instance or service name.

Create an LDIF file named new-netservicename.ldif with information similar to the following example:

[root@ldapsrv ~]# vi new-netservicename.ldif
dn: cn=testdb1,cn=OracleContext,dc=idevelopment,dc=info
objectclass: top
objectclass: orclNetService
cn: testdb1
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=testnode1)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=testdb1.idevelopment.info)))

The last line of the example above should look familiar if you have ever managed entries in the tnsnames.ora file. The new record is stored under the OracleContext entry (cn=OracleContext,dc=idevelopment,dc=info) created earlier in this guide. After modifying the example record for your environment, add it to the directory using ldapadd. Keep in mind that in this configuration clients read orclNetDescString with an anonymous bind over plain LDAP, so anyone who can write to the OracleContext subtree, or tamper with that traffic on the network, can redirect every client to a database host of their choosing. Restrict write access to the subtree in the slapd access directives and treat the LDAP server as part of the authentication path.
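The DN construction and the record format above are easy to get subtly wrong by hand: a missing PORT, a stray line break in orclNetDescString, or a name placed under the wrong context. The following Python script is an added example, not part of the original article and not Oracle's or OpenLDAP's code. It parses the Oracle Net connect descriptor syntax, checks that the pieces a client needs are present, builds the DN the way Oracle Net does for an unqualified name (placed under DEFAULT_ADMIN_CONTEXT, as described above) and also for a fully qualified name (whose domain components become dc= components, the rule Oracle Net applies for dc-style directory naming), and emits an LDIF record equivalent to new-netservicename.ldif. The sample descriptor, host names and context are constructed to mirror the testdb1 entry above.

```python
"""Added example (not from the original article): build and check Oracle
directory-naming entries for OpenLDAP, mirroring the DN rule Oracle Net applies
when it resolves a net service name and the orclNetDescString syntax."""

ORACLE_CONTEXT = "cn=OracleContext"


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def parse_connect_descriptor(text):
    """Parse Oracle Net '(KEY=VALUE)' syntax into nested dicts; repeated keys become lists."""
    pos = 0

    def skip_ws(i):
        while i < len(text) and text[i].isspace():
            i += 1
        return i

    def group():
        nonlocal pos
        pos = skip_ws(pos)
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        eq = text.index("=", pos)
        key = text[pos + 1:eq].strip().upper()
        pos = skip_ws(eq + 1)
        if text[pos] == "(":                       # value is a list of sub-groups
            value = {}
            while True:
                pos = skip_ws(pos)
                if text[pos] == ")":
                    break
                k, v = group()
                value[k] = _as_list(value[k]) + [v] if k in value else v
        else:                                      # bare value up to ')'
            end = text.index(")", pos)
            value = text[pos:end].strip()
            pos = end
        pos += 1                                   # consume the closing ')'
        return key, value

    key, value = group()
    if skip_ws(pos) != len(text):
        raise ValueError("trailing data after the descriptor")
    return {key: value}


def check_descriptor(parsed):
    """Return the problems a client would hit at connect time; empty means usable."""
    desc = parsed.get("DESCRIPTION")
    if not isinstance(desc, dict):
        return ["missing DESCRIPTION"]
    addresses = _as_list(desc.get("ADDRESS"))
    for addr_list in _as_list(desc.get("ADDRESS_LIST")):
        addresses += _as_list(addr_list.get("ADDRESS"))
    problems = [] if addresses else ["no ADDRESS"]
    for n, addr in enumerate(addresses, 1):
        problems += [f"ADDRESS {n} missing {f}" for f in ("PROTOCOL", "HOST", "PORT") if f not in addr]
    connect_data = desc.get("CONNECT_DATA") or {}
    if "SERVICE_NAME" not in connect_data and "SID" not in connect_data:
        problems.append("CONNECT_DATA needs SERVICE_NAME or SID")
    return problems


def net_service_dn(net_service_name, default_admin_context):
    """DN Oracle Net looks up: unqualified names go under DEFAULT_ADMIN_CONTEXT,
    a qualified name's domain parts become dc= components instead."""
    cn, _, domain = net_service_name.partition(".")
    context = ",".join(f"dc={p}" for p in domain.split(".")) if domain else default_admin_context
    return f"cn={cn},{ORACLE_CONTEXT},{context}"


def net_service_ldif(net_service_name, descriptor, default_admin_context):
    """LDIF for one orclNetService entry; refuses a descriptor a client could not use."""
    descriptor = "".join(descriptor.split())       # keep the attribute value on one line
    problems = check_descriptor(parse_connect_descriptor(descriptor))
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        f"dn: {net_service_dn(net_service_name, default_admin_context)}",
        "objectclass: top",
        "objectclass: orclNetService",
        f"cn: {net_service_name.partition('.')[0]}",
        f"orclNetDescString: {descriptor}",
        "",
    ])


# Constructed sample mirroring the article's testdb1 record.
SAMPLE_DESCRIPTOR = (
    "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=testnode1)(PORT=1521))"
    "(CONNECT_DATA=(SERVICE_NAME=testdb1.idevelopment.info)))"
)

if __name__ == "__main__":
    print(net_service_ldif("testdb1", SAMPLE_DESCRIPTOR, "dc=idevelopment,dc=info"))
```

Run as-is, the script prints a record that can be piped straight into ldapadd as above. The check deliberately rejects descriptors that the directory would accept without complaint but that would fail at connect time, and because whoever writes orclNetDescString decides where every client connects, generating and reviewing these records from a script is preferable to editing them ad hoc.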
Test that the Oracle client is able to resolve the net service name through LDAP using both an unqualified and a fully qualified net service name.

[oracle@testnode3 ~]$ tnsping testdb1

TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 20-AUG-2012 19:07:22

Copyright (c) 1997, 2011, Oracle.  All rights reserved.

Used parameter files:
/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora

Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=testnode1)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=testdb1.idevelopment.info)))
OK (10 msec)

[oracle@testnode3 ~]$ tnsping testdb1.idevelopment.info

TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 20-AUG-2012 19:08:18

Copyright (c) 1997, 2011, Oracle.  All rights reserved.

Used parameter files:
/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora
User Interfaces

After adding or modifying a few of these net service name records using LDIF, it shouldn't be long before you start asking yourself whether there is a more efficient method for managing directory entries. Your first thought may be to fire up the Oracle client tool Net Manager. Unfortunately, Net Manager and many other Oracle client tools only work with Oracle Internet Directory, not OpenLDAP or any other generic LDAP server. Although I was able to successfully authenticate to the OpenLDAP directory using Net Manager, I was not able to add, view, or modify any of the directory entries under OracleContext. There are several free LDAP admin products that you might find useful; some of them are listed below.

webmin - (manage user accounts, DNS, LDAP, and much more using a web interface)
JXplorer - (standalone client)
Apache Directory Studio
phpLDAPadmin

My personal favorite is phpLDAPadmin (also known as PLA). phpLDAPadmin is a free and popular web-based LDAP client that is easy to install and customize. Its hierarchical tree viewer and advanced search functionality make it intuitive to browse and administer an LDAP directory. Since it is web-based, the LDAP browser works on many platforms, making your LDAP server easy to manage from any location. Use the following instructions to install the phpLDAPadmin software along with PHP and the Apache HTTP Server. For the purpose of this example, I installed the phpLDAPadmin web application on the same server hosting the OpenLDAP directory (ldapsrv.idevelopment.info). Since a phpLDAPadmin session can rewrite every connect descriptor the clients trust, restrict who can reach it and serve it over HTTPS rather than plain HTTP.
If the application server already has the Apache HTTP Server installed, this section may be skipped. Make certain that the Apache HTTP server is started and configured to launch on boot. The Apache HTTP Server can be installed on CentOS, Red Hat Enterprise Linux, or Oracle Linux using the following:

1. Install Apache HTTP Server.

# yum -y install httpd

2. The php-ldap package is a dynamic shared object (DSO) for the Apache web server that adds Lightweight Directory Access Protocol (LDAP) support to PHP and is required by phpLDAPadmin.
Install phpLDAPadmin
After verifying that the Apache HTTP Server is running and accessible, download and install phpLDAPadmin.
1. Verify that your LDAP server (ldapsrv in this example) provides access to the schema using an anonymous bind. Ensure that you can see your schema without having to bind to the LDAP server. For example:

# ldapsearch -x -h ldapsrv -b "" -s base subschemaSubentry
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: subschemaSubentry
#

#
dn:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
2. Download phpLDAPadmin (version 1.2.2 as of this writing) to the application server.

http://phpldapadmin.sourceforge.net/wiki/index.php/Download

3. Unpack the phpLDAPadmin archive.

# unzip phpldapadmin-1.2.2.zip

4. Put the resulting "phpldapadmin" directory under the Apache DocumentRoot (/var/www/html).

# mv phpldapadmin-1.2.2 /var/www/html/phpldapadmin

5. In the "phpldapadmin" config directory (i.e. DocumentRoot/phpldapadmin/config) copy "config.php.example" to "config.php" and modify the settings in config.php for your environment.

6. Download the following Creation Template, which provides a custom interface for creating new Oracle net service names in phpLDAPadmin, and copy the orclNetService.xml file to the DocumentRoot/phpldapadmin/templates/creation directory on the application server.

# cp orclNetService.xml /var/www/html/phpldapadmin/templates/creation/

7. Download the following Modification Template, which provides a custom interface for modifying existing Oracle net service names in phpLDAPadmin.

o orclNetService.xml

Copy the orclNetService.xml file to the DocumentRoot/phpldapadmin/templates/modification directory on the application server.

# cp orclNetService.xml /var/www/html/phpldapadmin/templates/modification/
1. Open your web browser and navigate to the phpLDAPadmin web application.

http://<hostname>/phpldapadmin/

If you are repeating the steps in this section and receive any errors trying to bring up the web site (for example "The connection to the server was reset while the page was loading."), clear your cookies and cache from the browser and restart the Apache HTTP service.

2. Log in to your LDAP directory from the phpLDAPadmin home page.

3. From the base DN (left pane), expand your directory tree and navigate to the OracleContext entry. If you have any databases registered, click the net service name (cn=<tns_alias>) to view or modify that entry.

If you installed the two templates described in the previous steps, this brings up a page (right pane) that allows you to choose which template to edit the entry with. In the example below, the choices are:

Oracle: Net Service Name (our custom Modification Template)
Default (phpLDAPadmin default modification screen)

Select the "Oracle: Net Service Name" template.

4. Use this template to modify the Connect Descriptor attribute for the selected net service name. Notice in this form that the Net Service Name field is read-only.

5. It should be noted that it is not required to use the custom modification template (Oracle: Net Service Name) to update the net service name entry. If you select the Default template, the entry form provides all updatable fields and the actual names of the attributes (as opposed to the titles I used in place of the attribute names).

6. To create a new net service name, click the Create new entry here option under the OracleContext entry.

7. Just as we saw when modifying an entry, the available templates are listed and can be used to create a new entry. Since we will be creating a net service name entry, select the custom template Oracle: Net Service Name. Remember, you can always select the Default template, which provides a form with every attribute that is a candidate for being set.

8. The Oracle: Net Service Name template makes it easy to enter a Net Service Name and the Connect Descriptor.

9. After adding the new net service name, jump on to the Oracle client machine and try to log on to the database through LDAP.
[oracle@testnode3 ~]$ sqlplus scott/tiger@racdb

SQL*Plus: Release 11.2.0.3.0 Production on Tue Aug 21 20:44:52 2012

Copyright (c) 1982, 2011, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security,
OLAP, Data Mining and Real Application Testing options

SQL>
Troubleshooting

SQL Developer
One of the first Oracle client tools I attempted to configure to use LDAP for name resolution was SQL Developer. Unfortunately, just like the Oracle Net Manager client, SQL Developer only works with Oracle Internet Directory (OID). After selecting the LDAP Connection Type in the New / Select Database Connection wizard and choosing the LDAP Server from the pull-down selection, SQL Developer returns the following error:

Status : Failure - LDAP: error code 32 - No Such Object]

Looking at the log file for the LDAP server shows that SQL Developer sent an LDAP request built for the standard OID directory structure, which does not match the structure we improvised in OpenLDAP. The workaround is to create an Advanced Connection Type with a Custom JDBC URL similar to the following:

jdbc:oracle:thin:@ldap://ldapsrv:389/testdb1,cn=OracleContext,dc=idevelopment,dc=info

where ldapsrv:389 is the LDAP server name and port, testdb1 is the net service name stored in LDAP, and cn=OracleContext,dc=idevelopment,dc=info is the location of the entry in the directory.
All articles, scripts and material located at the Internet address of http://www.idevelopment.info is the copyright of Jeffrey M. Hunter and is protected under copyright laws of the United States. This document may not be hosted on any other site without my express, prior, written permission. Application to host any of the material elsewhere can be made by contacting me at jhunter@idevelopment.info.

I have made every effort and taken great care in making sure that the material included on my web site is technically accurate, but I disclaim any and all responsibility for any loss, damage or destruction of data or any other property which may arise from relying on it. I will in no case be liable for any monetary damages arising from such loss, damage or destruction.

Last modified on 02-Jul-2012 10:49:12 EDT