A long time ago, ldapsearch without a password and without SSL was the way to go. But clear-text authentication (the so-called simple bind) is a security hole. More and more, directory server vendors and administrators are closing the default non-SSL port and enforcing authentication.
And if you use ldap for TNS naming, things will break.
Back in 2003, Microsoft Active Directory deactivated anonymous bind. So using AD was no longer an option… well, with the Oracle 11g client for Microsoft Windows, one was able to set the new sqlnet.ora parameter NAMES.LDAP_AUTHENTICATE_BIND=1. But only on Windows. And of course only if you have a Kerberos ticket, but that is always the case if you are in an AD domain.
Later, in 2019, Microsoft published advisory ADV190023 to disable non-SSL bind. This broke TNS resolution over LDAP again. I filed ER 19529903 but cannot tell when it’s going to be fixed.
If you use another directory service, e.g. OpenLDAP, it is the same game: your directory server admin doesn’t like unencrypted network traffic.
How to deal with this?
First, patience (if you are reading this article, you have probably been googling for a long time). It never works on the first try.
Then, let’s do it.
The first thing to ask your admin is how to connect with the OpenLDAP command-line tools.
/usr/bin/ldapsearch -H ldaps://ldap.example.com:636 -b "dc=example,dc=com" cn=db01 -D "" -LLL
dn: cn=db01,cn=OracleContext,dc=example,dc=com
objectclass: top
objectclass: orclservice
objectclass: orcldbserver
objectclass: orclnetservice
objectclass: orcldbserver_92
objectclass: orclapplicationentity
orclnetdescstring: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=srv01.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=db01.example.com)))
orclservicetype: db
cn: db01
This is the first step. It must work.
In OpenLDAP, your root CA certificates are defined either in /etc/openldap or in your .ldaprc:
cat ~/.ldaprc
TLS_CACERTDIR /etc/pki/tls/certs
Ok, now let’s try to get the Oracle ldapsearch to work.
First, let’s create a wallet and add the root CA certificate as a trusted certificate:
orapki wallet add -wallet . -pwd *** -cert allca.pem -trusted_cert
orapki wallet display -wallet .
Trusted Certificates: Subject: CN=Root CA,O=My Unit,C=CH
ldapbind -h ldap.example.com -p 636 -D "" -W file://home/oracle/walletdir -U 3 -P ""
bind successful
Bind successful. What an amazing moment in your DBA life!
Now that we have a wallet, let’s configure sqlnet.ora:
NAMES.DEFAULT_DOMAIN=example.com
NAMES.DIRECTORY_PATH=(ldap)
#TNSPING.TRACE_LEVEL=support
#TNSPING.TRACE_DIRECTORY=/tmp
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/oracle/walletdir)))
NAMES.LDAP_AUTHENTICATE_BIND=1
and ldap.ora; notice the double colon: DIRECTORY_SERVERS takes host:port:sslport, so the clear-text port is left empty and 636 is the SSL port:
DIRECTORY_SERVERS = (ldap.example.com::636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
This works like a charm:
tnsping db01
Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=srv01.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=db01.example.com)))
OK (0 msec)
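As an added pre-flight check (not part of the original post and not an Oracle tool), the script below validates the two configuration files the procedure above ends with: ldap.ora must list directory servers in the host::sslport form with no clear-text port, and sqlnet.ora must resolve names via LDAP, authenticate the bind and point at a wallet directory. The file contents are constructed inline to mirror the post so the script runs offline; on a real client you would feed it $TNS_ADMIN/ldap.ora and sqlnet.ora instead.

```shell
#!/bin/sh
# Constructed ldap.ora as in the post: host::sslport, no clear-text port.
LDAP_ORA_OK='DIRECTORY_SERVERS = (ldap.example.com::636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID'

# Constructed ldap.ora with the classic clear-text port 389 and no SSL port.
LDAP_ORA_CLEAR='DIRECTORY_SERVERS = (ldap.example.com:389)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID'

# Constructed sqlnet.ora as in the post.
SQLNET_ORA_OK='NAMES.DEFAULT_DOMAIN=example.com
NAMES.DIRECTORY_PATH=(ldap)
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/oracle/walletdir)))
NAMES.LDAP_AUTHENTICATE_BIND=1'

# Print one "host port sslport" line per entry of DIRECTORY_SERVERS.
# An empty field (the clear-text port in host::636) is printed as "-".
ldap_servers() {
    printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*DIRECTORY_SERVERS[[:space:]]*=[[:space:]]*(\(.*\)).*/\1/p' \
    | tr ',' '\n' \
    | awk -F: '{ h=$1; gsub(/^[ \t]+/, "", h)
                 p=($2=="" ? "-" : $2); s=($3=="" ? "-" : $3)
                 print h, p, s }'
}

# Succeed only when every directory server has an SSL port and no clear-text port.
ldap_ora_ssl_only() {
    n=0
    while read -r host port sslport; do
        [ -n "$host" ] || continue
        n=$((n + 1))
        [ "$sslport" != "-" ] || { echo "no SSL port for $host" >&2; return 1; }
        [ "$port" = "-" ] || { echo "clear-text port $port still set for $host" >&2; return 1; }
    done <<EOF
$(ldap_servers "$1")
EOF
    [ "$n" -gt 0 ]
}

# Read a sqlnet.ora parameter value (text after '='); empty if absent.
# $2 is a basic-regex parameter name, so dots must be escaped by the caller.
sqlnet_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Extract the DIRECTORY from WALLET_LOCATION (where the trusted root CA lives).
wallet_dir() {
    sqlnet_param "$1" 'WALLET_LOCATION' | sed -n 's/.*DIRECTORY=\([^)]*\)).*/\1/p'
}

# Succeed when sqlnet.ora resolves names over LDAP, authenticates the bind
# and names a wallet directory.
sqlnet_ora_ready() {
    case "$(sqlnet_param "$1" 'NAMES\.DIRECTORY_PATH')" in
        *ldap*) ;;
        *) echo "NAMES.DIRECTORY_PATH does not include ldap" >&2; return 1 ;;
    esac
    [ "$(sqlnet_param "$1" 'NAMES\.LDAP_AUTHENTICATE_BIND')" = "1" ] \
        || { echo "NAMES.LDAP_AUTHENTICATE_BIND is not 1" >&2; return 1; }
    [ -n "$(wallet_dir "$1")" ] \
        || { echo "WALLET_LOCATION has no DIRECTORY" >&2; return 1; }
}

main() {
    if ldap_ora_ssl_only "$LDAP_ORA_OK"; then echo "ldap.ora (SSL-only): ok"; fi
    if ! ldap_ora_ssl_only "$LDAP_ORA_CLEAR" 2>/dev/null; then
        echo "ldap.ora (clear-text port 389): rejected"
    fi
    if sqlnet_ora_ready "$SQLNET_ORA_OK"; then
        echo "sqlnet.ora: ok, wallet directory $(wallet_dir "$SQLNET_ORA_OK")"
    fi
}
main
```

The script only checks the text of the files; it does not open the wallet or contact the server, so after it passes, ldapbind with the wallet and then tnsping remain the real test, as shown above.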
The steps which you shared are working and I appreciate your efforts. Thanks for sharing with us.