Migration of tnsnames.ora to LDAP (Sun Java System Directory Server)

In a previous post, I showed how easy it is to use OID to resolve network service names.

Apart from OID, Microsoft Active Directory (AD) is also supported.

However, I do not want to use either product, as my customer already has a Sun Java System Directory Server running.

It is quite easy. Here are the steps with the SunOne Console.

1) extend the schema
log in to the Directory Server as cn=directory manager
click Schema in the Configuration tab
in the Attributes subtab, click Create, enter orclnetdescstring as the attribute name, select OctetString as the syntax, uncheck Multi-valued and click OK
in the Object Classes subtab, create a class named OrclService, add cn as a required attribute and orclnetdescstring as an allowed attribute, and click OK

2) start adding services
either with your preferred LDAP GUI (like Siemens DirX Manager) or from the command line
lsc01.ldif
dn: ou=intranet, dc=lcsys, dc=ch
ou: intranet
objectClass: top
objectClass: organizationalunit

dn: ou=applications, ou=intranet, dc=lcsys, dc=ch
ou: applications
objectClass: top
objectClass: organizationalunit

dn: ou=TNSnames, ou=applications, ou=intranet, dc=lcsys,dc=ch
ou: TNSnames
objectClass: top
objectClass: organizationalunit

dn: cn=OracleContext, ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch
cn: OracleContext
objectClass: top
objectClass: orclservice

dn: cn=lsc01, cn=OracleContext, ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch
cn: lsc01
objectClass: top
objectClass: orclservice
orclnetdescstring: (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST=blade01.lcsys.ch)(PORT = 1521))(CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = lsc01.lcsys.ch)))

which I can add with

ldapadd -h blade01 -p 34001 -D "cn=Directory Manager" -w *** -f lsc01.ldif

adding new entry ou=intranet, dc=lcsys, dc=ch

adding new entry ou=applications, ou=intranet, dc=lcsys, dc=ch

adding new entry ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch

adding new entry cn=OracleContext,ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch

adding new entry cn=lsc01, cn=OracleContext, ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch
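As an added example (not from the original post), here is a small Python script that does the tnsnames.ora-to-LDIF conversion for the step above: it parses a tnsnames.ora file by matching parentheses, emits one orclservice entry per alias below cn=OracleContext, and refuses alias names that would not be safe inside a DN. The sample tnsnames.ora text and the admin context DN are constructed for the example; the objectClass and attribute names are the ones created in step 1.

```python
import re

# Constructed sample tnsnames.ora for this example (not a real configuration).
# The second entry shows two aliases sharing one descriptor, plus a comment line.
SAMPLE_TNSNAMES = """\
# constructed sample
LSC01 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = blade01.lcsys.ch)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = lsc01.lcsys.ch))
  )

LSC02.LCSYS.CH, LSC02 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = blade02.lcsys.ch)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = lsc02.lcsys.ch))
  )
"""

# Only plain alias names go into a DN. Commas, quotes, '=' and the like would
# alter the DN structure, so they are rejected rather than escaped.
ALIAS_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def parse_tnsnames(text):
    """Return [(aliases, descriptor), ...] from tnsnames.ora text.

    Comment lines ('#') are dropped, each descriptor is delimited by balanced
    parentheses, and whitespace around '(', ')' and '=' is removed so the
    value fits on one LDIF line.
    """
    body = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("#")
    )
    entries = []
    pos = 0
    while True:
        eq = body.find("=", pos)
        if eq == -1:
            break
        aliases = [a.strip() for a in body[pos:eq].split(",") if a.strip()]
        if not aliases:
            raise ValueError("descriptor without alias at offset %d" % eq)
        for alias in aliases:
            if not ALIAS_RE.match(alias):
                raise ValueError("unsafe alias name %r" % alias)
        start = body.find("(", eq)
        if start == -1:
            raise ValueError("missing descriptor for %r" % aliases)
        depth = 0
        end = start
        while end < len(body):
            if body[end] == "(":
                depth += 1
            elif body[end] == ")":
                depth -= 1
                if depth == 0:
                    break
            end += 1
        if depth != 0:
            raise ValueError("unbalanced parentheses in descriptor for %r" % aliases)
        descriptor = re.sub(r"\s*([()=])\s*", r"\1", body[start:end + 1])
        entries.append((aliases, descriptor))
        pos = end + 1
    return entries


def service_dn(alias, admin_context):
    """DN of the alias entry: cn=<alias>,cn=OracleContext,<admin context>."""
    if not ALIAS_RE.match(alias):
        raise ValueError("unsafe alias name %r" % alias)
    return "cn=%s,cn=OracleContext,%s" % (alias, admin_context)


def to_ldif(entries, admin_context):
    """One orclservice entry per alias, in a form ldapadd -f accepts."""
    blocks = []
    for aliases, descriptor in entries:
        for alias in aliases:
            blocks.append("\n".join([
                "dn: " + service_dn(alias, admin_context),
                "cn: " + alias,
                "objectClass: top",
                "objectClass: orclservice",
                "orclnetdescstring: " + descriptor,
            ]))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Assumed admin context, matching the DEFAULT_ADMIN_CONTEXT used in this post.
    ctx = "ou=TNSnames,ou=applications,ou=intranet,dc=lcsys,dc=ch"
    print(to_ldif(parse_tnsnames(SAMPLE_TNSNAMES), ctx), end="")
```

Redirect the output to a file and load it with ldapadd as above; the ou entries and cn=OracleContext must already exist, as they do in lsc01.ldif. The alias entries are placed directly below cn=OracleContext, which is where the entries in this post live and where tnsping found them.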

Configuring sqlnet.ora and ldap.ora is the last step:

sqlnet.ora
TNSPING.TRACE_LEVEL = SUPPORT
TNSPING.TRACE_DIRECTORY = /tmp
NAMES.DIRECTORY_PATH= (LDAP)

ldap.ora
DIRECTORY_SERVERS= (blade01:34001)
DEFAULT_ADMIN_CONTEXT = "ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch"

Try tnsping; it should work. If it does not, check /tmp/tnsping.trc (the TNSPING.TRACE_* settings in the sqlnet.ora above write a SUPPORT-level trace there).

$ tnsping LSC01

TNS Ping Utility for Solaris: Version 9.2.0.8.0 - Production on 09-OCT-2006 15:50:42

Copyright (c) 1997, 2006, Oracle Corporation.  All rights reserved.

Used parameter files:
/export/home/schnela1/tmp/sqlnet.ora

Used LDAP adapter to resolve the alias

Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = blade01)(PORT = 1521))(CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = lsc01.lcsys.ch)))
OK (0 msec)

Note that using anything other than OID or AD as the directory is not supported by Oracle. Keep in mind as well that the client looks the entries up without binding, so the OracleContext subtree has to be readable anonymously.

29 thoughts on "Migration of tnsnames.ora to LDAP (Sun Java System Directory Server)"

  1. instead of using the GUI to extend the schema, you could modify the ldif files in $ORACLE_HOME/ldap/admin of an OID installation and replace the subschemacomponent by “schema” (SunOne)

  2. Laurent:

    I don't want to use OID for TNS resolution; we have Microsoft's ADAM LDAP directory in production. How would I go about setting this directory up to do the TNS resolution?

    I have a bunch of DBA’s beating at my door for this.

    ken.marvin@alticor.com

    Thank You in advance for you response.

    Ken Marvin
    Alticor, Inc.

    (616)787-1087

  3. Ken,
    AD is supported, but by reading Limitations of Directory Naming Support with Microsoft Active Directory it seems the limitations are hardly acceptable, so you may wish to use something like oracle virtual directory if you have more than one network service domain per NT domain.

    Is setting up an OID an option for you?

    did you ever try with AD, because I did not, and I am not sure with what they mean with Microsoft Active Directory can support only one Oracle Context.

  4. Laurent:

    OID is not an option as we already have Microsoft's ADAM as our LDAP directory. We would like to keep the number of directories to a minimum, and our expertise is with ADAM and not OID. ADAM is not Active Directory; it's Microsoft's LDAP directory. It is Windows Server 2003 Active Directory Application Mode (ADAM for short); here is a link to it.

    http://www.microsoft.com/windowsserver2003/adam/default.mspx

    It is an LDAP directory that can even be run on XP if you like. It is a free product from Microsoft. Download it and give it a try. We are a global company and it performs very well for our clients around the world.

    I just need to know how to apply the needed schema mods to ADAM for the TNSNAMES.ORA to be set up in LDAP. If this can be set up in OpenLDAP then it should be possible to set it up in ADAM.

    I would like to get this set up and working in ADAM and then publish the setup procedures so anyone else can set it up with ADAM.

    Thank You,

    Ken Marvin
    ken.marvin@alticor.com

  5. Laurent:

    When you say to start adding services, I am having an issue with the following. I get an error "The object cannot be added because the parent is not on the list of possible superiors." Got any ideas on this one? I think if I can get past this it just might work with ADAM.

    dn: cn=lsc01, cn=OracleContext, ou=TNSnames, ou=applications, ou=intranet, dc=lcsys, dc=ch
    cn: lsc01
    objectClass: top
    objectClass: orclservice
    orclnetdescstring: (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST=blade01.lcsys.ch)(PORT = 1521))(CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = lsc01.lcsys.ch)))

    Thank You,

    Ken Marvin

  6. Laurent:

    Sorry to keep bugging you.

    In the Object Classes subtab, Create a class named OrclService , add cn as required attribute and orclnetdescstring as allowed attribute. Click OK

    When creating the class named OrclService what should I set for the following:

    ClassType: ie. Structural?
    Category: ie. container?

    Under Relationship:

    Parent Class: ie. top?
    Auxiliary Classes: ?
    Possible Superior: ?

    Thanks again,

    Ken Marvin

  7. Hi Kevin,
    Thanks for coming back to me.

    I do not know the ClassType and Category. This seems to be MS specific.

    For parent class, I use top. I would try to leave auxiliary and superior empty.

    Good luck, please update this thread if you need more input or if you have a working solution :)

  8. Laurent:

    Does the LDAP directory need to have Anonymous access or is there a way to use a Bind ID with ORACLE?

    Thank You,

    Ken Marvin

  9. Yes, you need anonymous access. There is no way to specify a bind credential in the ldap.ora.

    Maybe you could do some SSL client authentication to identify the client (if you have client + server certificates + ldaps (ssl)).

  10. Anonymous access is also a reason why I used a proxy LDAP server (ovid). So I could grant anonymous access only to one branch of the LDAP tree but not to the tree itself.

  11. Hi Laurent
    Thanks for your interesting and really good info.

    We were using Oracle Names Server for a long time (since 1999) for TNS resolution.
    Since in 10g Oracle Names isn't supported anymore, I tried migrating to LDAP using AD/AM, which all works mostly perfectly if it is configured manually.

    When I try to use the function "Export Net Service Names" from the Directory menu in the Net Manager GUI, I get these messages:
    1. "No Oracle Contexts found in the current directory server" (freely translated from the German message)
    2. "unable to connect to directory"

    Do you have an idea what could be missing in the directory, so that this message occurs?
    Or, on the other hand: do you know of a document which describes what exactly must be in the schema so that it is accepted by Oracle?

    Thanks in advance
    Jimmy

  12. Hi Laurent
    Thanks for that quick response!
    I have only cn=OracleContext, dc=ch,dc=CompanyDomain,dc=com.
    What does cn=LSC01 mean? (Is it specific for your site, or is it an undocumented must?)

    Thanks
    Jimmy

  13. Hello Laurent

    Ok, now it’s clear for me.
    The name resolution itself works with no problems.
    I just have the task to configure some TAF connection strings within the directory, which (according to Oracle Document 461030.1) could be done with the Oracle Net Manager using the function "Export Net Service Names".

    I assumed it to be the best way, using a GUI (we are a WinTel based IT), because my colleagues should also be able to modify / create connection strings within the directory....

    However, something seems to be missing when one uses AD/AM as the LDAP service...

    Thanks for assistance and all the best for the future.
    Jimmy

  14. Hi Laurent,

    Do you know of a way to have Oracle database users authenticate directly against Sun Java System Directory Server?

    Best regards,
    Brian

  15. Yes, the thin driver also bypasses tnsnames, but I have been unable to get the thin driver to work. I can connect using sqlplus and other interfaces, but not with the jdbc thin driver. Below is the jdbc connection string and the error message.

    url=jdbc:oracle:thin:@ldap://ajax.hq.cellmania.com:389/cmora02d,ou=TNSnames,ou=applications,ou=intranet,dc=hq,dc=cellmania,dc=com

    Error:
    JNDI Package failure javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=cmora02d,ou=TNSnames,ou=applications,ou=intranet,dc=hq,dc=cellmania,dc=com'

  16. To get the jdbc thin driver to work, I found open source virtual directory like myvd does the trick.
