OracleLdap - rbogusze/oracleinfrastructure GitHub Wiki
Implementing LDAP for Oracle
At the beginning there was tnsnames.ora. It was sufficient for a few static databases. LDAP is for Oracle Database what DNS is for /etc/hosts: you ask for a name and it gives you the connection description.
An additional, but very important, feature is that you can store extra attributes related to the database alongside the connection description. I use this feature extensively: many of the projects I work with have their own database-related attributes.
For unique LDAP numbering I applied to IANA for a Private Enterprise Number and received one: 35297.
Nice links:
- http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-ldap-quickstart.html
```
# yum install openldap openldap-servers openldap-clients
```
Configure LDAP to be used as the Oracle repository for service names.
```
# cd /home
# svn checkout https://github.com/rbogusze/oracleinfrastructure/trunk/oi_ldap
```
Include the main LDAP configuration:
```
# cd /etc/openldap/
# mv slapd.conf slapd.conf_org
# ln -s /home/oi_ldap/slapd.conf .
```
Change the LDAP password by editing the `rootpw` line in slapd.conf (the walkthrough uses `secret`):
```
# vi /home/oi_ldap/slapd.conf
rootpw secret
```
Then restart the server, enable it at boot and load the base entries:
```
# /etc/init.d/ldap restart
# chkconfig ldap on
# cd /home/oi_ldap/
# ldapadd -x -D "cn=Manager,dc=orainf,dc=com" -W -f orainf.ldif
```
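The `rootpw` directive above holds the Manager password in cleartext. OpenLDAP also accepts a hashed value, which is what `slappasswd` prints; the following is an added example (not code from the oi_ldap project) that produces and verifies the same `{SSHA}` format in Python, so the resulting line can be pasted into slapd.conf in place of `rootpw secret`. The 4-byte salt size mirrors slappasswd's default and the sample password is constructed for the demo.

```python
# Added example (not part of the oi_ldap project): produce the same {SSHA}
# string that `slappasswd -h {SSHA}` prints, so that slapd.conf can carry
# `rootpw {SSHA}...` instead of the cleartext `rootpw secret` used above.
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes; the salt is whatever follows the digest


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return PREFIX + base64(sha1(password || salt) || salt).

    A 4-byte random salt is used when none is given, matching slappasswd's
    default; any salt length works because verification reads the tail.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored {SSHA} value in constant time."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("truncated {SSHA} value")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_line(password: str, salt: Optional[bytes] = None) -> str:
    """The slapd.conf directive to paste in place of the cleartext rootpw."""
    return "rootpw " + ssha_hash(password, salt)


if __name__ == "__main__":
    # Constructed sample password, the same "secret" the walkthrough uses.
    line = rootpw_line("secret")
    print(line)
    print("verifies:", ssha_verify("secret", line.split(" ", 1)[1]))
```

Whatever `rootpw` holds, slapd.conf should stay readable only by root and the ldap user; hashing just limits what a disclosed copy reveals.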
See if it works
```
# ldapsearch -x -b 'dc=orainf,dc=com' '(objectclass=*)'
```
Add example entries
```
# ldapadd -x -D "cn=Manager,dc=orainf,dc=com" -W -f example.ldif
```
Download ldapvi to edit entries in LDAP.
For RHEL4:
```
# cd
# wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
# rpm -i rpmforge-release-0.3.6-1.el4.rf.i386.rpm
```
For RHEL5:
```
# cd
# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
# rpm -i rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
# yum install ldapvi
# ldapvi -D "cn=Manager,dc=orainf,dc=com" --host logwatch --discover
```
Alternatively (or additionally), use a GUI browser, e.g. jxplorer.
Install Java from http://www.java.com/en/download/linux_manual.jsp:
```
# mkdir /usr/java/
# cd /usr/java/
# chmod 755 jre-6u18-linux-i586-rpm.bin
# ./jre-6u18-linux-i586-rpm.bin
```
Create orainf user
```
# adduser orainf
# passwd orainf
```
Log in as orainf and install jxplorer if you want (http://jxplorer.org/):
```
$ ./JXv3.2_install_linux.bin
```
Install into the home directory. Connection settings:
- Host: logwatch
- Port: 389
- Protocol: LDAP v3
- Base DN: (leave empty)
- Level: User + Password
- User DN: cn=Manager,dc=orainf,dc=com
- Password: secret
Now you can use a GUI to edit LDAP attributes.
Log in as orainf and install the Oracle 10g or 11g client.
Install 10g client:
```
$ ./runInstaller
```
- Select Installation Type -> Administrator
- Path: /home/orainf/oracle/product/10.2.0
- Mark: Perform typical configuration on Net Conf Assistant

Set the environment:
```
$ vi .bash_profile
export ORACLE_BASE=/home/orainf/oracle
export ORACLE_HOME=$ORACLE_BASE/product/10.2.0
export TNS_ADMIN=$ORACLE_HOME/network/admin
export PATH=$PATH:$ORACLE_HOME/bin
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
```
or
Install 11g client
Prepare the OS for the 11g client installation.
Yum repositories: http://public-yum.oracle.com/
```
# cd /etc/yum.repos.d
# wget http://public-yum.oracle.com/public-yum-el5.repo
# vim public-yum-el5.repo
```
Change `enabled=0` to `enabled=1` in `ol5_u8_base`.
```
# wget http://public-yum.oracle.com/RPM-GPG-KEY-oracle-el5 -O /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
# yum install oracle-validated pdksh unixODBC
# service iptables stop
```
Download linux_11gR2_client.zip from Oracle:
```
$ cksum linux_11gR2_client.zip
1997033971 642016988 linux_11gR2_client.zip
$ unzip linux_11gR2_client.zip
```
Or, for 64-bit, download linux.x64_11gR2_client.zip from Oracle:
```
$ cksum linux.x64_11gR2_client.zip
3654981652 706187979 linux.x64_11gR2_client.zip
$ unzip linux.x64_11gR2_client.zip
```
Run the installer:
```
$ cd client
$ ./runInstaller
```
- Select Installation Type -> Administrator
- Oracle Base: /home/orainf/oracle
- Software Location: /home/orainf/oracle/product/11.2.0/client_1
- Mark: Perform typical configuration on Net Conf Assistant

Set the environment:
```
$ vi .bash_profile
export ORACLE_BASE=/home/orainf/oracle
export ORACLE_HOME=$ORACLE_BASE/product/11.2.0/client_1
export TNS_ADMIN=$ORACLE_HOME/network/admin
export PATH=$PATH:$ORACLE_HOME/bin
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
```
To avoid the error when running tnsping: `libclntsh.so.11.1: cannot restore segment prot after reloc: Permission denied`
```
$ tnsping
tnsping: error while loading shared libraries: /home/orainf/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1: cannot restore segment prot after reloc: Permission denied
```
Disable SELinux (http://www.crypt.gen.nz/selinux/disable_selinux.html):
```
# vi /etc/selinux/config
SELINUX=disabled
```
Disable the firewall and reboot:
```
# service iptables stop
# chkconfig iptables off
# reboot
```
Perform a standard tnsnames configuration first to make sure that networking is fine. Pick a database that you know is running and accepts connections, and adjust the connection description accordingly.
```
$ cd $TNS_ADMIN
$ echo "TEST2=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=host2)(PORT=1521))(CONNECT_DATA=(SID=TEST2)))" >> tnsnames.ora
```
Try to connect to the listener on host2:
```
$ tnsping TEST2
```
should be OK. Now that we are sure we can connect, let's switch to LDAP as the provider for the network description:
```
$ cd $TNS_ADMIN
$ mv tnsnames.ora tnsnames.ora_before_ldap
$ vi sqlnet.ora
NAMES.DIRECTORY_PATH= (LDAP,TNSNAMES)
$ vi ldap.ora
DEFAULT_ADMIN_CONTEXT = "dc=orainf, dc=com"
DIRECTORY_SERVERS = (logwatch:389:636)
DIRECTORY_SERVER_TYPE = OID
```
Try to connect to the listener on host2 again:
```
$ tnsping TEST2
```
should be OK.
If restarting slapd fails with
```
# /etc/init.d/ldap restart
Checking configuration files for slapd: slaptest: bad configuration file!  [FAILED]
```
but testing the schema file directly succeeds:
```
# slaptest -f orainf.schema
config file testing succeeded
```
Solution: make sure that the whole path to the configuration file is accessible to the ldap user.
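The difference between the two results is the user: `slaptest` was run as root, while slapd drops to the `ldap` user and must be able to search every directory above slapd.conf (the page keeps it under /home/oi_ldap, behind a symlink) and read the file itself. The following is an added example, not code from the oi_ldap project, that walks the resolved path with the permission bits a given uid/gid would get and reports the first component that blocks; the ids in the demo (12345) and the temporary directory it builds are constructed, and for a real check you would pass `pwd.getpwnam("ldap").pw_uid` and the matching gid.

```python
# Added example (not part of the oi_ldap project): report the first path
# component that a given uid/gid pair cannot traverse or read. slaptest run as
# root proves the file parses; this check mimics what the unprivileged ldap
# daemon will see when slapd.conf lives under a 0700 home directory such as
# /home/oi_ldap. The demo uses constructed ids (12345); for the real check pass
# pwd.getpwnam("ldap").pw_uid and the matching gid.
import os
import stat
import tempfile
from typing import Dict, FrozenSet, Optional


def _perm_bits(st: os.stat_result, uid: int, gids: FrozenSet[int]) -> int:
    """Return the rwx triplet (0-7) that applies to uid/gids for this inode."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def first_blocking_path(path: str, uid: int, gids: FrozenSet[int]) -> Optional[str]:
    """Walk from / down to `path` (symlinks resolved, as the kernel would) and
    return the first directory without search (x) permission or the final file
    without read permission for uid/gids; None if everything is reachable.
    uid 0 is deliberately not special-cased: the point is a non-root view."""
    chain = []
    cur = os.path.realpath(path)
    while True:
        chain.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    for node in reversed(chain):          # "/", "/home", "/home/oi_ldap", ...
        st = os.stat(node)
        bits = _perm_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 0o1:
                return node
        elif not bits & 0o4:
            return node
    return None


def demo(uid: int = 12345, gids: FrozenSet[int] = frozenset({12345})) -> Dict[str, Optional[str]]:
    """Constructed scenario: a 0700 directory holding a world-readable
    slapd.conf, then the directory opened to 0755, then the file closed to 0600."""
    base = tempfile.mkdtemp(prefix="oi_ldap_demo_")
    conf = os.path.join(base, "slapd.conf")
    with open(conf, "w") as fh:
        fh.write("rootpw secret\n")          # constructed content
    os.chmod(conf, 0o644)
    os.chmod(base, 0o700)
    result: Dict[str, Optional[str]] = {
        "dir": os.path.realpath(base),
        "conf": os.path.realpath(conf),
    }
    result["blocked_with_0700_dir"] = first_blocking_path(conf, uid, gids)
    os.chmod(base, 0o755)
    result["blocked_with_0755_dir"] = first_blocking_path(conf, uid, gids)
    os.chmod(conf, 0o600)
    result["blocked_with_0600_file"] = first_blocking_path(conf, uid, gids)
    os.remove(conf)
    os.rmdir(base)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix the page describes amounts to making the first blocked component pass: open the directory's search bit (or move the file out of a 0700 home), and give the file itself a group-readable mode owned by the ldap group rather than making it world-readable, since it carries `rootpw`.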
If name resolution fails:
```
$ tnsping TEST2
TNS-03505: Failed to resolve name
```
you can try to enable network tracing using `netmgr`:
```
# netmgr
```
In my case it turned out that the client was querying the directory for dn: `cn=TEST2,cn=OracleContext,dc=orainf, dc=com` while I had prepared `cn=TEST2,dc=orainf, dc=com`; this was caused by an error in the LDAP configuration.
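The trace above shows the rule an Oracle client follows: it looks for `cn=<alias>,cn=OracleContext,<DEFAULT_ADMIN_CONTEXT>`, so an entry placed directly under the admin context is never found. The following is an added example (not code from the oi_ldap project, and not its example.ldif) that turns tnsnames.ora entries such as the TEST2 line used earlier on this page into LDIF under the correct DN and checks a candidate DN against what the client will ask for. Assumptions: the DN layout is the one observed in the trace; the object class `orclNetService` and attribute `orclNetDescString` are taken from Oracle's published Net Services LDAP schema rather than from this page; the `cn=OracleContext` container entry already exists (the page loads its base entries from orainf.ldif); the sample tnsnames text is constructed.

```python
# Added example (not part of the oi_ldap project): convert tnsnames.ora
# entries into the LDIF an Oracle client expects to find under
# cn=OracleContext, and compute the DN the client will query so a mismatch
# like the one traced above (cn=TEST2,dc=orainf,dc=com instead of
# cn=TEST2,cn=OracleContext,dc=orainf,dc=com) is caught before loading.
# Assumptions: the DN layout is the one observed on this page; the object
# class orclNetService and attribute orclNetDescString are from Oracle's
# published Net Services LDAP schema, not from the page; the OracleContext
# container entry itself already exists (the page loads it via orainf.ldif).
from typing import Dict

# Constructed sample, mirroring the page's TEST2 descriptor.
SAMPLE_TNSNAMES = """
# comment lines and blank lines are ignored
TEST2=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=host2)(PORT=1521))(CONNECT_DATA=(SID=TEST2)))
"""


def normalize_dn(dn: str) -> str:
    """Drop optional whitespace after commas: 'dc=orainf, dc=com' -> 'dc=orainf,dc=com'."""
    return ",".join(part.strip() for part in dn.split(","))


def expected_dn(alias: str, admin_context: str) -> str:
    """DN an Oracle client resolves `alias` against, given DEFAULT_ADMIN_CONTEXT."""
    return f"cn={alias},cn=OracleContext,{normalize_dn(admin_context)}"


def dn_matches(entry_dn: str, alias: str, admin_context: str) -> bool:
    """True if an entry's DN is the one the client will ask for (DNs compare case-insensitively)."""
    return normalize_dn(entry_dn).lower() == expected_dn(alias, admin_context).lower()


def parse_tnsnames(text: str) -> Dict[str, str]:
    """Parse ALIAS=(DESCRIPTION=...) entries, joining multi-line entries by
    tracking parenthesis depth. Returns {ALIAS: descriptor}."""
    entries: Dict[str, str] = {}
    buf, depth = "", 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        buf += line
        depth += line.count("(") - line.count(")")
        if depth == 0 and "(" in buf:      # a complete entry has been collected
            alias, _, desc = buf.partition("=")
            entries[alias.strip().upper()] = desc.strip()
            buf = ""
    return entries


def to_ldif(alias: str, descriptor: str, admin_context: str) -> str:
    """LDIF for one orclNetService entry, ready for ldapadd."""
    return "\n".join([
        f"dn: {expected_dn(alias, admin_context)}",
        "objectClass: top",
        "objectClass: orclNetService",
        f"cn: {alias}",
        f"orclNetDescString: {descriptor}",
        "",
    ])


if __name__ == "__main__":
    ctx = "dc=orainf, dc=com"             # as in the page's ldap.ora
    for alias, desc in parse_tnsnames(SAMPLE_TNSNAMES).items():
        print(to_ldif(alias, desc, ctx))
        # the DN prepared by mistake on this page, checked against the expected one
        print("cn=TEST2,dc=orainf, dc=com matches:",
              dn_matches("cn=TEST2,dc=orainf, dc=com", alias, ctx))
```

Running `dn_matches` over the DNs in an LDIF before `ldapadd` catches the exact mismatch the tracing step found, without needing the client's network trace. The parser also handles the usual multi-line tnsnames.ora layout, which goes beyond the one-line echo used on this page.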