In this post I showed how easy it is to use OID (Oracle Internet Directory) to resolve your network service names.
Apart from OID, Microsoft Active Directory (AD) is also supported.
However, I do not want to use such products, as my customer already has a Sun Java System Directory Server running.
It is quite easy. Here are the steps with the SunOne Console.
1) Extend the schema
Log in to the Directory Server as cn=directory manager.
Click Schema in the Configuration tab.
In the Attributes subtab, click Create, type orclnetdescstring as the attribute name, select OctetString as the syntax, uncheck Multi-valued, and click OK.
In the Object Classes subtab, create a class named OrclService, add cn as a required attribute and orclnetdescstring as an allowed attribute. Click OK.
2) Start adding services
Either with your preferred LDAP GUI (like Siemens DirX Manager) or with the command line. Here is lsc01.ldif:
dn: ou=intranet, dc=lcsys, dc=ch
ou: intranet
objectClass: top
objectClass: organizationalunit

dn: ou=applications, ou=intranet, dc=lcsys, dc=ch
ou: applications
objectClass: top
objectClass: organizationalunit

dn: ou=TNSnames, ou=applications, ou=intranet, dc=lcsys,dc=ch
ou: TNSnames
objectClass: top
objectClass: organizationalunit

dn: cn=OracleContext, ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch
cn: OracleContext
objectClass: top
objectClass: orclservice

dn: cn=lsc01, cn=OracleContext, ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch
cn: lsc01
objectClass: top
objectClass: orclservice
orclnetdescstring: (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST=blade01.lcsys.ch)(PORT = 1521))(CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = lsc01.lcsys.ch)))
which I can add with:
ldapadd -h blade01 -p 34001 -D "cn=Directory Manager" -w *** -f lsc01.ldif
adding new entry ou=intranet, dc=lcsys, dc=ch
adding new entry ou=applications, ou=intranet, dc=lcsys, dc=ch
adding new entry ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch
adding new entry cn=OracleContext,ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch
adding new entry cn=lsc01, cn=OracleContext, ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch
Configuring sqlnet.ora and ldap.ora is the last step:
sqlnet.ora
TNSPING.TRACE_LEVEL = SUPPORT
TNSPING.TRACE_DIRECTORY = /tmp
NAMES.DIRECTORY_PATH= (LDAP)
ldap.ora
DIRECTORY_SERVERS= (blade01:34001)
DEFAULT_ADMIN_CONTEXT = "ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch"
Now tnsping the alias; it should resolve. If it does not, check /tmp/tnsping.trc, the trace file produced by the TNSPING.TRACE_* settings above.
$ tnsping LSC01
TNS Ping Utility for Solaris: Version 9.2.0.8.0 - Production on 09-OCT-2006 15:50:42
Copyright (c) 1997, 2006, Oracle Corporation. All rights reserved.
Used parameter files:
/export/home/schnela1/tmp/sqlnet.ora
Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = blade01)(PORT = 1521))(CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = lsc01.lcsys.ch)))
OK (0 msec)
Note that using anything other than OID or AD is not supported by Oracle.
Instead of using the GUI to extend the schema, you could take the LDIF files in $ORACLE_HOME/ldap/admin of an OID installation and replace the subschemacomponent with "schema" (SunOne).
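Step 2 above comes down to writing LDIF entries whose DN is exactly what the LDAP adapter will look up, cn=<alias>,cn=OracleContext,<DEFAULT_ADMIN_CONTEXT>. The Python script below is an added example, not code from the original post: it generates those entries for a dictionary of aliases using the object class and attribute names from this post, rejects a malformed connect descriptor before it reaches the directory, and can optionally stamp an ACI (Sun DS / 389 DS syntax, my assumption) on cn=OracleContext so that the anonymous bind the Oracle client performs is granted on the naming subtree alone rather than on the whole suffix.

```python
import re

# Constructed example values: the admin context and service from the post above.
ADMIN_CONTEXT = "ou=TNSnames,ou=applications,ou=intranet,dc=lcsys,dc=ch"
LSC01_DESC = ("(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST=blade01.lcsys.ch)"
              "(PORT = 1521))(CONNECT_DATA = (SERVER = DEDICATED)"
              "(SERVICE_NAME = lsc01.lcsys.ch)))")
# Sun DS / 389 DS style ACI (assumption): anonymous read on this subtree only,
# because the Oracle client binds anonymously (ldap.ora carries no credential).
ANON_READ_ACI = ('(targetattr="*")(version 3.0; acl "anonymous TNS lookup"; '
                 'allow (read,search,compare) userdn="ldap:///anyone";)')


def check_net_desc(desc):
    """Reject a connect descriptor with unbalanced parentheses or a missing
    HOST, PORT or SERVICE_NAME; a bad string here means a bad tnsping later."""
    depth = 0
    for ch in desc:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced ')' in descriptor")
    if depth:
        raise ValueError("unbalanced '(' in descriptor")
    for key in ("HOST", "PORT", "SERVICE_NAME"):
        if not re.search(r"\(\s*%s\s*=" % key, desc):
            raise ValueError("descriptor lacks %s" % key)
    return True


def service_dn(alias, admin_context=ADMIN_CONTEXT):
    """The DN the LDAP adapter reads for an alias: the cn=OracleContext
    level is mandatory, which is what the JDBC URL in the comments omitted."""
    return "cn=%s,cn=OracleContext,%s" % (alias, admin_context)


def tns_ldif(services, admin_context=ADMIN_CONTEXT, restrict_anonymous=False):
    """Build LDIF for cn=OracleContext plus one orclservice entry per alias,
    with the blank line LDIF requires between entries."""
    context = ["dn: cn=OracleContext,%s" % admin_context, "cn: OracleContext",
               "objectClass: top", "objectClass: orclservice"]
    if restrict_anonymous:
        context.append("aci: " + ANON_READ_ACI)
    entries = [context]
    for alias, desc in sorted(services.items()):
        check_net_desc(desc)
        entries.append(["dn: " + service_dn(alias, admin_context),
                        "cn: " + alias, "objectClass: top",
                        "objectClass: orclservice",
                        "orclnetdescstring: " + desc])
    return "\n\n".join("\n".join(e) for e in entries) + "\n"
```

The parent organizational units still have to exist; feed the output to ldapadd after the ou entries, as in the command above.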
thanx a lot for the info.
Laurent:
I don't want to use OID for TNS resolution, we have Microsoft's ADAM LDAP directory in production. How would I go about setting this directory up to do the TNS resolution?
I have a bunch of DBAs beating at my door for this.
Thank you in advance for your response.
Ken Marvin
Alticor, Inc.
(616)787-1087
Ken,
AD is supported, but by reading Limitations of Directory Naming Support with Microsoft Active Directory it seems the limitations are hardly acceptable, so you may wish to use something like Oracle Virtual Directory if you have more than one network service domain per NT domain.
Is setting up an OID an option for you?
Did you ever try with AD? I did not, and I am not sure what they mean by "Microsoft Active Directory can support only one Oracle Context".
For ovid, you can have a look at Set up ovid to use tns with your ldap server
Laurent:
OID is not an option as we already have Microsoft's ADAM as our LDAP directory. We would like to keep the number of directories to a minimum and our expertise is with ADAM and not OID. ADAM is not Active Directory, it is Microsoft's LDAP directory. It is Windows Server 2003 Active Directory Application Mode (ADAM for short); here is a link to it.
http://www.microsoft.com/windowsserver2003/adam/default.mspx
It is an LDAP directory that can even be run on XP if you like. It is a free product from Microsoft. Download it and give it a try. We are a global company and it performs very well for our clients around the world.
I just need to know how to apply the needed schema mods to ADAM for the TNSNAMES.ORA to be set up in LDAP. If this can be set up in OpenLDAP then it should be able to be set up in ADAM.
I would like to get this set up and working in ADAM and then publish the setup procedures so anyone else can set it up with ADAM.
Thank You,
Ken Marvin
Laurent:
When you say to start adding services, I am having an issue with the following. I get an error "The object cannot be added because the parent is not on the list of possible superiors." Got any ideas on this one? I think if I can get past this it just might work with ADAM.
dn: cn=lsc01, cn=OracleContext, ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch
cn: lsc01
objectClass: top
objectClass: orclservice
orclnetdescstring: (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST=blade01.lcsys.ch)(PORT = 1521))(CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = lsc01.lcsys.ch)))
Thank You,
Ken Marvin
Laurent:
Sorry to keep bugging you.
In the Object Classes subtab, Create a class named OrclService, add cn as required attribute and orclnetdescstring as allowed attribute. Click OK
When creating the class named OrclService, what should I set for the following:
ClassType: i.e. Structural?
Category: i.e. container?
Under Relationship:
Parent Class: i.e. top?
Auxiliary Classes: ?
Possible Superior: ?
Thanks again,
Ken Marvin
Hi Kevin,
Thanks for coming back to me.
I do not know the ClassType and Category. These seem to be MS specific.
For the parent class, I use top. I would try to leave auxiliary and superior empty.
Good luck, please update this thread if you need more input or if you have a working solution 🙂
Laurent:
Does the LDAP directory need to have Anonymous access or is there a way to use a Bind ID with ORACLE?
Thank You,
Ken Marvin
Yes, you need anonymous access. There is no way to specify a bind credential in the ldap.ora.
Maybe you could do some SSL client authentication to identify the client (if you have client + server certificates + ldaps (ssl)).
Anonymous access is also a reason why I used a proxy LDAP server (ovid), so I could grant anonymous access only to one branch of the LDAP tree but not to the tree itself.
Hi Laurent
Thanks for your interesting and really good info.
We were using Oracle Names Server for a long time (since 1999) for TNS resolution.
Since in 10g Oracle Names isn't supported anymore I tried migrating to LDAP, using AD/AM, which all works mostly perfectly if it is manually configured.
When I try to use the function "Export Net Service Names" out of the Directory menu in the Net Manager GUI, I get these messages:
1. "No Oracle Contexts found in the current directory server" (freely translated from the German message)
2. "unable to connect to directory"
Do you have an idea what could be missing in the directory, so that this message occurs?
Or, on the other hand: do you know about a document which describes what exactly must be in the schema so that it is accepted by Oracle?
Thanks in advance
Jimmy
No, I do not know such a document, except of course the one you are currently reading 😉
If you have cn=LSC01,cn=OracleContext,
it should work.
Hi Laurent
Thanks for that quick response!
I have only cn=OracleContext, dc=ch,dc=CompanyDomain,dc=com.
What does cn=LSC01 mean? (Is it specific for your site, or is it an undocumented must?)
Thanks
Jimmy
LSC01 is a database of mine.
cn: lsc01
objectClass: top
objectClass: orclservice
orclnetdescstring: (…)
Hello Laurent
Ok, now it’s clear for me.
The name resolution itself works with no problems.
I just have the task to configure some TAF connection strings within the directory, which (according to Oracle document 461030.1) could be done with the Oracle Net Manager using the function "Export Net Service Names".
I assumed it to be the best way, using a GUI (we are a WinTel based IT), because my colleagues should also be able to modify / create connection strings within the directory....
However, something seems to be missing when one uses AD/AM as the LDAP service...
Thanks for assistance and all the best for the future.
Jimmy
thanks
Hi Laurent,
Do you know of a way to have Oracle database users authenticate directly against Sun Java System Directory Server?
Best regards,
Brian
OViD?
http://www.oracle.com/technology/products/id_mgmt/ovds/pdf/oeus_and_ovd_data_sheet.pdf
Laurent – that is it – you’re awesome!!
Brian,
Good luck !!!
Will this work with the JDBC thin driver? If so, would you post the configuration?
It is related to the access to sqlnet.ora, not to the client. When you connect directly with host:port:sid, you bypass TNS resolution, don't you?
Yes, the thin driver also bypasses tnsnames, but I have been unable to get the thin driver to work. I can connect using sqlplus and other interfaces, but not with the jdbc thin driver. Below is the jdbc connection string and the error message.
url=jdbc:oracle:thin:@ldap://ajax.hq.cellmania.com:389/cmora02d,ou=TNSnames,ou=applications,ou=intranet,dc=hq,dc=cellmania,dc=com
Error:
JNDI Package failure javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=cmora02d,ou=TNSnames,ou=applications,ou=intranet,dc=hq,dc=cellmania,dc=com'
Hey Ed, I did not know about this LDAP connection with JDBC thin.
http://download.oracle.com/docs/cd/B28359_01/java.111/b31224/urls.htm#CHDBICFA
Maybe you can try
url=jdbc:oracle:thin:@ldap://ajax.hq.cellmania.com:389/ou=TNSnames,ou=applications,ou=intranet,dc=hq,dc=cellmania,dc=com/cmora02d
I will try, and if it works I will let you know, or if I find another solution.
Thank you
To get the JDBC thin driver to work, I found that an open source virtual directory like myvd does the trick.