Oracle Net8 Configuration and Troubleshooting
By Jonathan  Gennick , Hugo Toledo
Chapter 6.  Net8 and LDAP


6.2 Client Configuration for LDAP

Configuring a Net8 client to use LDAP for net service name resolution is a relatively simple and painless process. You need to do the following:

  • Specify LDAP as a name resolution method.

  • Identify an LDAP directory server on the network for the client to contact with name resolution requests.

  • Specify a default administrative context to use for unqualified net service names.

The first item in the list, the name resolution method, is configured in your sqlnet.ora file. The other two items are configured by editing a file named ldap.ora. The ldap.ora file resides in the same directory as sqlnet.ora and all your other Net8 configuration files.

LDAP, Oracle, and the Future

It's clear to us that LDAP can be used for net service name resolution. It's equally clear that Oracle intends for OID/LDAP to supplant Oracle Names as a centralized net service name repository. If you're an Oracle Names user, you should already be planning your switch to an OID/LDAP solution. To help ease the pain of transition, Oracle is developing the Oracle Names LDAP Proxy. You should see it soon, in a future Oracle release. The Oracle Names LDAP Proxy will make an LDAP repository look like Oracle Names so that you can transition your repository independently of your clients.

LDAP has applications well beyond net service name resolution, however. Database users can now be managed via LDAP, as can roles and the granting of roles. LDAP even transcends Oracle and can be used for email directories and other such applications. We see LDAP as a key technology, one that Oracle DBAs must learn about. In fact, it wouldn't surprise us if someday a new position, that of LDAP directory administrator, emerges as a technical career path.

6.2.1 Specifying the LDAP Naming Method

You specify naming methods through the NAMES.DIRECTORY_PATH parameter in your sqlnet.ora file. The keyword for directory naming is LDAP. The following parameter setting will configure a client to attempt name resolution through an LDAP directory first, and then through the local tnsnames.ora file:

 NAMES.DIRECTORY_PATH=(LDAP,TNSNAMES) 

As with any other name resolution method, you can choose to use LDAP alone, or you can use LDAP in conjunction with a list of other methods.

6.2.2 Addressing an LDAP Server

Once you've specified LDAP as a naming method, you need to identify an LDAP directory server for the client to contact. You do this in the ldap.ora file using the two parameters DIRECTORY_SERVERS and DIRECTORY_SERVER_TYPE.

6.2.2.1 DIRECTORY_SERVERS

The DIRECTORY_SERVERS parameter specifies the network address of one or more LDAP directory servers. A directory server address consists of a hostname and two port numbers. The first port number is used for unsecured connections. The second port number is optional and is used for SSL (Secure Sockets Layer) connections. The following example illustrates the default port numbers that OID uses for the two connection types:

 DIRECTORY_SERVERS = (fire.gennick.org:389:636) 

If you have more than one directory server on the network, you can specify a comma-separated list of directory server addresses. The first address then refers to the primary LDAP server. The second and subsequent addresses refer to alternate LDAP servers. Alternates are used when the primary LDAP server cannot be contacted.

6.2.2.2 DIRECTORY_SERVER_TYPE

The DIRECTORY_SERVER_TYPE parameter identifies the brand of LDAP server that you are using. The following three values represent valid types:

OID

Oracle Internet Directory

AD

Microsoft Active Directory

NDS

Novell Directory Services

In the following example, OID is used to indicate that the Oracle Internet Directory is the LDAP server in use:

 DIRECTORY_SERVER_TYPE = OID 

Net8 does not support mixing LDAP directory products. The DIRECTORY_SERVER_TYPE setting applies to all the directory server addresses listed for the DIRECTORY_SERVERS parameter. There appears to be no way to specify that one LDAP server is OID, another AD, and so forth.

6.2.3 Specifying a Default Administrative Context

The default administrative context is the LDAP equivalent of the default Net8 domain. LDAP directory structures do not necessarily need to correspond to any sort of domain name structure, so a new mechanism is needed to specify the context in which unqualified net service names are resolved. This mechanism is the default administrative context, which you specify using the DEFAULT_ADMIN_CONTEXT parameter. For example, the following setting would be appropriate given the net service names shown earlier in Figure 6.2:

 DEFAULT_ADMIN_CONTEXT = "dc=gennick,dc=org" 

The default administrative context shown in this example represents part of the distinguished name for the net service names nick and luke (shown in Figure 6.2). Another part of the distinguished name is cn=OracleContext, which is always added automatically by Net8, so it shouldn't be specified as part of the default administrative context. Figure 6.3 illustrates how Net8 would take the net service name nick and expand it to a fully qualified distinguished name when LDAP naming is used.

Figure 6.3. Net8 creates a full distinguished name from a simple unqualified net service name (figure not reproduced)

Once Net8 has translated an unqualified net service name into a distinguished name, it passes that name to the LDAP directory being used. The LDAP directory then returns the definition of the name, giving Net8 the information it needs to make the connection to the appropriate database service.

The NAMES.DEFAULT_DOMAIN parameter in sqlnet.ora is ignored when directory naming is used. Instead, equivalent functionality, implemented in a manner suitable to LDAP, is provided through the DEFAULT_ADMIN_CONTEXT parameter in ldap.ora.
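The following Python script is an added example, not code from the book or from Oracle. It parses the sqlnet.ora and ldap.ora parameters covered in 6.2.1 through 6.2.3 from constructed file contents (the hostnames are the chapter's; the second server and the checks are this example's own assumptions) and reports the things a reviewer would want flagged: LDAP not enabled in NAMES.DIRECTORY_PATH, an unrecognized DIRECTORY_SERVER_TYPE, a directory server address with no SSL port (so lookups to it would be unsecured), and a NAMES.DEFAULT_DOMAIN with no DEFAULT_ADMIN_CONTEXT to replace it.

```python
"""Review the Net8 LDAP naming parameters in sqlnet.ora and ldap.ora.

Added example; not Net8 code.  The sample file contents are constructed and
the review checks are this example's own, not Net8 behaviour.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

VALID_SERVER_TYPES = {"OID", "AD", "NDS"}  # the three types the text lists

# Constructed sample files.  fire.gennick.org is the chapter's example host;
# water.gennick.org is an assumed alternate with no SSL port.
SQLNET_ORA = """
# constructed sqlnet.ora
NAMES.DIRECTORY_PATH=(LDAP,TNSNAMES)
NAMES.DEFAULT_DOMAIN = gennick.org
"""

LDAP_ORA = """
# constructed ldap.ora
DIRECTORY_SERVERS = (fire.gennick.org:389:636, water.gennick.org:389)
DIRECTORY_SERVER_TYPE = OID
DEFAULT_ADMIN_CONTEXT = "dc=gennick,dc=org"
"""


@dataclass
class DirectoryServer:
    host: str
    port: int                 # port for unsecured connections
    ssl_port: Optional[int]   # None when the address carries no SSL port


def parse_params(text: str) -> Dict[str, str]:
    """Return NAME -> raw value for NAME = VALUE lines; '#' starts a comment."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip().strip('"')
    return params


def split_list(value: str) -> List[str]:
    """Turn '(a, b)' or 'a' into ['a', 'b'] or ['a']."""
    inner = value.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    return [item.strip() for item in inner.split(",") if item.strip()]


def parse_directory_servers(value: str) -> List[DirectoryServer]:
    """Parse host:port[:sslport] addresses; the first is the primary server."""
    servers: List[DirectoryServer] = []
    for addr in split_list(value):
        parts = addr.split(":")
        if len(parts) not in (2, 3):
            raise ValueError(f"bad directory server address: {addr!r}")
        ssl_port = int(parts[2]) if len(parts) == 3 else None
        servers.append(DirectoryServer(parts[0], int(parts[1]), ssl_port))
    return servers


def review_naming_config(sqlnet_text: str, ldap_text: str) -> List[str]:
    """Return findings about the two files, in the order they are detected."""
    findings: List[str] = []
    sqlnet = parse_params(sqlnet_text)
    ldap = parse_params(ldap_text)
    methods = split_list(sqlnet.get("NAMES.DIRECTORY_PATH", ""))
    if "LDAP" not in methods:
        findings.append("LDAP is not in NAMES.DIRECTORY_PATH; ldap.ora is not consulted")
        return findings
    server_type = ldap.get("DIRECTORY_SERVER_TYPE")
    if server_type not in VALID_SERVER_TYPES:
        findings.append(f"DIRECTORY_SERVER_TYPE {server_type!r} is not one of "
                        f"{sorted(VALID_SERVER_TYPES)}")
    servers = parse_directory_servers(ldap.get("DIRECTORY_SERVERS", ""))
    if not servers:
        findings.append("DIRECTORY_SERVERS is missing or empty")
    for i, server in enumerate(servers):
        role = "primary" if i == 0 else f"alternate {i}"
        if server.ssl_port is None:
            findings.append(f"{role} server {server.host} has no SSL port; "
                            "lookups to it would be unsecured")
    if "NAMES.DEFAULT_DOMAIN" in sqlnet and "DEFAULT_ADMIN_CONTEXT" not in ldap:
        findings.append("NAMES.DEFAULT_DOMAIN is ignored for LDAP naming; "
                        "set DEFAULT_ADMIN_CONTEXT in ldap.ora")
    return findings


if __name__ == "__main__":
    for finding in review_naming_config(SQLNET_ORA, LDAP_ORA):
        print(finding)
```

Run against the constructed files, the only finding is that the alternate server water.gennick.org lists no SSL port. The parser is deliberately minimal (one parameter per line, no continuation lines), which is enough for the ldap.ora layout shown in this section.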

6.2.4 Specifying Net Service Names

When you use LDAP, net service names may be specified differently in client applications such as Oracle-supplied utilities (SQL*Plus), third-party applications, or homegrown applications. The differences come into play only when you use fully qualified net service names.

Unqualified net service names are specified in the same manner whether or not LDAP is being used. The following example shows how you would make a SQL*Plus connection to a net service named nick:

 sqlplus system/manager@nick 

Things get different when you want to specify a fully qualified net service name. Traditionally, net service names have been organized along the lines of the Domain Name Service (DNS) used for naming Internet hosts. The fully qualified version of nick, for example, might be nick.gennick.org. LDAP, however, is more flexible than that, and the directory tree for a net service name may not fit neatly into a domain name structure. To specify a fully qualified net service name when LDAP is being used, you use the distinguished name. For example:

 sqlplus system/manager@"cn=nick,cn=OracleContext,dc=gennick,dc=org" 

The quotes are only necessary when you enter a distinguished name on the command line. If you're entering the distinguished name into a text box of a GUI application, as shown in Figure 6.4, you don't need the quotes. You also do not need the quotes, though they may be a good idea, when issuing a CONNECT command from within SQL*Plus.

Figure 6.4. A distinguished name used as the SQL*Plus hostname (figure not reproduced)

Notice that cn=OracleContext was explicitly specified in this example; it's necessary to do that. When you specify a complete distinguished name, Net8 won't add that component automatically as it does when you specify a simple unqualified name.
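As an added example (not Net8 code and not from the book), the Python below applies the naming rules of 6.2.3 and 6.2.4: an unqualified name such as nick is expanded to cn=nick,cn=OracleContext,<DEFAULT_ADMIN_CONTEXT> as in Figure 6.3, while a name that is already a distinguished name is used as given, with command-line quotes removed and no cn=OracleContext added. The RFC 4514 escaping of the cn value is this example's own defensive choice, so that a service name taken from an application's input cannot smuggle extra RDNs into the lookup; the check function that flags a full DN lacking cn=OracleContext is likewise an assumption about what a practitioner would want reported.

```python
"""Expand Net8 net service names into LDAP distinguished names.

Added example following the rules in 6.2.3 and 6.2.4; not Net8 code.  The
RFC 4514 value escaping and the DN check are this example's own additions.
"""
import re
from typing import List

ORACLE_CONTEXT_RDN = "cn=OracleContext"   # added automatically for unqualified names

# RFC 4514 section 2.4: characters that must be escaped anywhere in a value,
# plus '#' at the start and a space at the start or end of the value.
_ESCAPE_ANYWHERE = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape VALUE so it cannot add or alter RDNs when embedded in a DN."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE_ANYWHERE or (ch == "#" and i == 0) \
                or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def is_distinguished_name(name: str) -> bool:
    """A fully qualified name is written as a DN, i.e. it contains attr=value RDNs."""
    return "=" in name


def qualify_net_service_name(name: str, default_admin_context: str) -> str:
    """Return the DN Net8 would look up for NAME.

    Unqualified names become cn=<name>,cn=OracleContext,<default admin context>.
    A name given as a DN is used as is (surrounding command-line quotes are
    removed), and cn=OracleContext is not added, as the text states.
    """
    name = name.strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1]
    if is_distinguished_name(name):
        return name
    return f"cn={escape_rdn_value(name)},{ORACLE_CONTEXT_RDN},{default_admin_context}"


def check_distinguished_name(dn: str) -> List[str]:
    """Findings about a user-supplied full DN (assumed checks, not Net8 rules)."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]  # split on unescaped commas
    findings: List[str] = []
    if ORACLE_CONTEXT_RDN.lower() not in (r.lower() for r in rdns):
        findings.append("cn=OracleContext is missing; Net8 does not add it to a full DN")
    if not rdns[0].lower().startswith("cn="):
        findings.append("a net service name DN should start with a cn= RDN")
    return findings


if __name__ == "__main__":
    ctx = "dc=gennick,dc=org"
    for target in ("nick", '"cn=nick,cn=OracleContext,dc=gennick,dc=org"',
                   "cn=nick,dc=gennick,dc=org"):
        dn = qualify_net_service_name(target, ctx)
        print(dn, check_distinguished_name(dn))
```

The third sample name in the usage block is a full DN without cn=OracleContext, the mistake the paragraph above warns about; the check reports it rather than silently sending a lookup that the directory will not answer.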




ISBN: 1565927532
Year: 2000
Pages: 120