Wednesday, May 29, 2013

Oracle Unified Directory 11.1.2.1.0: TNS and EUS - Part 1: TNS Resolving

Part two of the OUD series.

Start it up

# su - oracle
$ /oracle/Middleware/asinst-1/OUD/bin/start-ds
Just to make things happen, I shut down the firewall (a lab shortcut: on anything but a throwaway box, leave iptables running and open only the OUD ports, 1389 for LDAP and 1636 for LDAPS):
# service iptables stop
With that out of the way I can query the directory, for example:
frank@ubuntu64:~$ ldapsearch -D "cn=Directory Manager" -w Welcome1 -h oud -p 1389 -b dc=home,dc=local cn=groups -LLL
dn: cn=Groups,cn=OracleContext,dc=home,dc=local
cn: Groups
objectClass: orclContainer
objectClass: top
Note that -w puts the Directory Manager password on the command line, where ps and the shell history can see it; -W prompts for it instead.

TNS Name resolution

Resolving net service names through the directory pays off if you have many database instances, and it comes almost for free if you want Enterprise User Security (EUS) as well, because EUS needs the database registered in the directory anyway.
The first step is to register the database. Registration is required for EUS; if you only want TNS name resolving, you can instead export your existing net service names from Net Manager ($ORACLE_HOME/bin/netmgr, Command -> Directory -> Export Net Service Names). Registration can be done with the Database Configuration Assistant, but the timing is usually wrong: dbca runs at creation time, when the network configuration (ldap.ora) is not in place yet, so in practice you register afterwards.
So, let's do the ldap part of network configuration:
[oracle@idm1 ~]$ cd $ORACLE_HOME/network/admin
[oracle@idm1 admin]$ cat ldap.ora
DIRECTORY_SERVERS= (oud.home.local:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=home,dc=local"
DIRECTORY_SERVER_TYPE = OID
DIRECTORY_SERVER_TYPE stays OID even though the server is OUD: the Oracle Net client has no separate OUD type, and OUD serves the same Oracle Context schema that OID does.
I want to use the command line version of dbca:
dbca -silent -configureDatabase -sourceDB $ORACLE_SID \
     -registerWithDirService true -dirServiceUserName "cn=Directory Manager" \
     -dirServicePassword Welcome1 -walletPassword Welkom123
However, it comes back with
Manager is an invalid command line argument.
So I used the GUI. DBCA should be patched so that arguments containing spaces get through (it looks like an unquoted $* where "$@" was needed?!?).
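A small demonstration of the word-splitting the paragraph above guesses at, added here as an example; it is not DBCA's real launcher, and the argument parser is a hypothetical stand-in that only mimics the error message seen above:

```shell
#!/bin/sh
# Added example (not DBCA's real launcher): why "cn=Directory Manager" fails
# when a wrapper script forwards its arguments with an unquoted $*.

# Hypothetical stand-in for the program the wrapper launches. It takes
# "-flag value" pairs and rejects any stray word with the message on the page.
parse_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -sourceDB|-registerWithDirService|-dirServiceUserName|-dirServicePassword|-walletPassword)
                [ $# -ge 2 ] || { echo "missing value for $1"; return 1; }
                shift 2 ;;
            -silent|-configureDatabase)
                shift ;;
            *)
                echo "$1 is an invalid command line argument"
                return 1 ;;
        esac
    done
    echo "ok"
}

# Buggy launcher: unquoted $* re-splits every argument on whitespace, so
# "cn=Directory Manager" arrives as two words, "cn=Directory" and "Manager".
launch_star() { parse_args $*; }

# Correct launcher: "$@" hands each original argument through as one word.
launch_at() { parse_args "$@"; }

# Stand-alone run: the failing call, the fixed launcher, and the \20 workaround.
demo() {
    launch_star -silent -dirServiceUserName "cn=Directory Manager" -dirServicePassword Welcome1
    launch_at   -silent -dirServiceUserName "cn=Directory Manager" -dirServicePassword Welcome1
    # \20 is the LDAP DN hex escape for a space (RFC 4514): the shell sees no
    # whitespace, and the directory decodes the DN back to "cn=Directory Manager".
    launch_star -silent -dirServiceUserName "cn=Directory\20Manager" -dirServicePassword Welcome1
}
demo
```

The first call reproduces the exact message ("Manager is an invalid command line argument"): the value of -dirServiceUserName became "cn=Directory" and the leftover "Manager" hit the catch-all. The same input through the "$@" launcher parses cleanly, and so does a DN that carries no literal space at all.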
The result is that the instance is registered:
frank@ubuntu64:~$ ldapsearch -D "cn=Directory Manager" -w Welcome1 -h oud -p 1389 -b dc=home,dc=local cn=idm1 -LLL
dn: cn=idm1,cn=OracleContext,dc=home,dc=local
orclVersion: 112000
orclcommonrpwdattribute: {SASL-MD5}XjChkyAf9xCbtif/veeBqg==
objectClass: orclApplicationEntity
objectClass: orclService
objectClass: orclDBServer_92
objectClass: orclDBServer
objectClass: top
orclServiceType: DB
orclSid: idm1
orclOracleHome: /oracle/db/product/11.2.0
cn: idm1
orclSystemName: idm1.home.local
userPassword:: e1NTSEF9ZDdHb1BJeHZ4cktQdVduWE1vYzRlVklFaUprT1NpRGtsWFhEcWc9PQ==
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=idm1.home.local)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=idm1.home.local)))
orclDBGlobalName: idm1
orclNetDescName: 000:cn=DESCRIPTION_0
Two things to notice. The entry carries the database's own credential for binding to the directory, in hashed form (userPassword as a salted SHA hash, orclcommonrpwdattribute as a SASL/MD5 digest), so read access to cn=OracleContext should be limited to what clients need for name resolution, which is essentially orclNetDescString. And orclNetDescString is the connect descriptor that every client using LDAP naming will follow, so write access to this subtree needs to be just as tight.
Until now, tnsping resolved the alias through tnsnames.ora. With the entry in place, the LDAP server can resolve it too; for that, the client has to be told to look in LDAP, via NAMES.DIRECTORY_PATH in sqlnet.ora:
[oracle@idm1 admin]$ tnsping idm1

TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 22-MAY-2013 14:33:08

Copyright (c) 1997, 2011, Oracle.  All rights reserved.

Used parameter files:

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = idm1.home.local)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = idm1.home.local)))
OK (10 msec)

[oracle@idm1 admin]$ vi sqlnet.ora
[oracle@idm1 admin]$ cat sqlnet.ora
NAMES.DIRECTORY_PATH= (LDAP, TNSNAMES)

[oracle@idm1 admin]$ tnsping idm1

TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 22-MAY-2013 14:33:52

Copyright (c) 1997, 2011, Oracle.  All rights reserved.

Used parameter files:
/oracle/db/product/11.2.0/network/admin/sqlnet.ora

Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=idm1.home.local)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=idm1.home.local)))
OK (10 msec)
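What the LDAP naming adapter just did, replayed offline as an added example (not Oracle's client code; the sample entry is constructed from the ldapsearch output above): unfold the LDIF, find cn=idm1 under cn=OracleContext, pull out orclNetDescString and take the descriptor apart. It goes one step beyond the client by checking the resolved host against an allow-list, which is the control you would want if you cannot fully trust the directory or the lookup channel.

```shell
#!/bin/sh
# Added example (not Oracle's client code): the lookup the LDAP naming adapter
# performs once sqlnet.ora says NAMES.DIRECTORY_PATH=(LDAP, ...), replayed
# offline against a constructed entry, plus an allow-list check the client
# itself does not do.

# Constructed sample, modelled on the ldapsearch output above. A live client
# would fetch the same attribute with something like:
#   ldapsearch -h oud -p 1389 -b cn=OracleContext,dc=home,dc=local cn=idm1 orclNetDescString
# The descriptor is folded onto two lines the way ldapsearch wraps long values.
SAMPLE_LDIF='dn: cn=idm1,cn=OracleContext,dc=home,dc=local
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=idm1.home.local)(
 PORT=1521))(CONNECT_DATA=(SERVICE_NAME=idm1.home.local)))
orclNetDescName: 000:cn=DESCRIPTION_0'

# Join LDIF continuation lines (a leading space) back onto the line they belong to.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# resolve_alias LDIF ALIAS: print the connect descriptor stored under
# cn=ALIAS,cn=OracleContext,<admin context>; exit 1 if the alias is not there.
resolve_alias() {
    printf '%s\n' "$1" | unfold_ldif | awk -v alias="$2" '
        /^dn: / { in_entry = (tolower($0) ~ ("^dn: cn=" tolower(alias) ",cn=oraclecontext,")) }
        in_entry && /^orclNetDescString: / { sub(/^orclNetDescString: /, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# nv_get DESC NAME: pull one (NAME=value) out of an Oracle Net descriptor,
# tolerating the spaces tnsping prints around "=".
nv_get() {
    printf '%s\n' "$1" | sed -n "s/.*(${2} *= *\([^)]*\)).*/\1/p"
}

# check_connect_target DESC "host1 host2 ...": 0 if the descriptor points at an
# allowed host over TCP or TCPS, 1 otherwise. The client follows whatever the
# directory returns; this is where a tampered entry would be caught.
check_connect_target() {
    proto=$(nv_get "$1" PROTOCOL)
    host=$(nv_get "$1" HOST)
    case "$proto" in
        TCP|TCPS) ;;
        *) echo "refusing descriptor with protocol '$proto'" >&2; return 1 ;;
    esac
    for allowed in $2; do
        [ "$host" = "$allowed" ] && return 0
    done
    echo "refusing descriptor: host '$host' is not in the allow-list" >&2
    return 1
}

# Stand-alone run: resolve idm1 and print what the client would connect to.
if desc=$(resolve_alias "$SAMPLE_LDIF" idm1); then
    echo "idm1 -> $(nv_get "$desc" HOST):$(nv_get "$desc" PORT)/$(nv_get "$desc" SERVICE_NAME)"
    check_connect_target "$desc" "idm1.home.local idm2.home.local" && echo "allowed"
fi
```

The allow-list is deliberately outside the descriptor: anything inside orclNetDescString is exactly what an attacker with write access to cn=OracleContext (or sitting on an unencrypted lookup to port 1389) would control, so the check has to come from local configuration.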
So, there you have it: Oracle Unified Directory as the mechanism for resolving TNS names. One caveat to keep in mind: the client takes the connect descriptor from the directory as-is, so whoever can modify orclNetDescString under cn=OracleContext, or tamper with an unencrypted lookup on port 1389, decides where your clients connect. Keep write access to that subtree tight and prefer an SSL-protected LDAP connection for the lookup.

8 comments:

Dik Pater said...

Frank,

works like a charm also for RDBMS 12c.

Regards,

Dik

Gopal Bellamkonda said...

Good stuff...

Just to add to the above... as we have the OUD admin account name as cn=Directory Manager (with a space between the 2 words),

we can achieve the dbca silent setup in the way below.

dbca -silent -configureDatabase -sourceDB $ORACLE_SID \
-registerWithDirService true -dirServiceUserName "cn=Directory\20Manager" \
-dirServicePassword Welcome1 -walletPassword Welkom123

Note: a username with spaces cannot be registered using DBCA, so we need to use \20 in place of the spaces.

- Gopal

Frank said...

Gopal, thanks for the addition. In fact, in later posts, and in reality, I avoid the use of spaces in accounts, as it is often unclear what action to take to get a space accepted.
Your addition is one I did not realize to be an option. Thanks again.

Gopal Bellamkonda said...


Hi Frank,

When I am trying to register or unregister using the dbca silent/GUI options, I am getting the error below. Please note that the very first time it worked, and I loaded one TNS entry into my OUD.

dbca -silent -configureDatabase -sourceDB myDBprod -unregisterWithDirService true -dirServiceUserName "cn=Directory\20Manager" -dirServicePassword welcome1 -walletPassword Welcome1

Can you please have a look and give some direction about this error if you can....


<<
cat /u01/app/oracle/cfgtoollogs/dbca/emprod/emprod.log

Preparing to Configure Database DBCA_PROGRESS : 6%

Error updating provisioning profile -ERROR: [LDAP: error code 32 - The entry orclODIPProfileName=c54c25c9d32638b6b9c12314f90fdd02_cde49d9126a447ee843cb408fd3efec1,cn=Provisioning Profiles,cn=Changelog Subscriber,cn=Oracle Internet Directory specified as the search base does not exist in the Directory Server]

Could not delete Provisioning Profile. DBCA_PROGRESS : DBCA Operation failed.

>>

I do not understand why this refers to the cn entry below. As far as I am aware this will not be available on the OUD side, as this seems like an OID-related entry. Please note that my environment is not linked to any OID stack, and nowhere in my design does OID exist.

cn=Provisioning Profiles,cn=Changelog Subscriber,cn=Oracle Internet Directory

Thanks in advance.

With regards,
Gopal

Gopal Bellamkonda said...


Hi Frank,

Thanks for your update. As you mentioned, the DIR user name should not have any spaces; it is a good idea, to eliminate the errors.

I got an error while running DBCA at silent or GUI level. Can you have a look and let me know if you can crack this?

Below are the command syntax and error info. I have noticed that it was looking for an OID cn entry, and nowhere in my configuration does OID exist.



dbca -silent -configureDatabase -sourceDB myAppDB -unregisterWithDirService true -dirServiceUserName "cn=Directory\20Manager" -dirServicePassword welcome1 -walletPassword Welcome1

<<<<<
cat /u01/app/oracle/cfgtoollogs/dbca/emprod/emprod.log

Preparing to Configure Database DBCA_PROGRESS : 6%

Error updating provisioning profile -ERROR:

[LDAP: error code 32 - The entry orclODIPProfileName=c54c25c9d32638b6b9c12314f90fdd02_cde49d9126a447ee843cb408fd3efec1,cn=Provisioning Profiles,cn=Changelog Subscriber,cn=Oracle Internet Directory
specified as the search base does not exist in the Directory Server]

Could not delete Provisioning Profile. DBCA_PROGRESS : DBCA Operation failed.
>>>>>

Thanks in advance.

With regards,
Gopal

Frank said...

Gopal, I do not quite understand why the registration is OK but the de-registration fails. The "orclODIPProfileName" mentioned above is part of the Oracle Directory Integration Platform, an option within OID that would allow you to integrate OID with AD, for example.
You can manually delete the entry from your LDAP server. You will have to convince the database instance it is no longer registered:
- delete the wallet (if not used for other purposes!)
- update the instance: LDAP_DIRECTORY_ACCESS should become NONE: alter system set ldap_directory_access=NONE scope=spfile;

I think that covers it, but ymmv.

Tod Flood said...

Thank you for this clarity, but I have a technical/platform barrier: is the OUD functionality exposed, or can it be exposed, to a C# web application via a web service?

I have an application that currently parses the tnsnames file to provide the user a list of available databases.

I would rather source that list from the OUD repository.

Many thanks.

Frank said...

Tod,

OUD can certainly be exposed, the simplest form being standard LDAP calls. If you want to take a look at it, download the open source OpenDJ, which originates from the same Sun software as OUD does. The functionality is the same.
OpenDJ (http://forgerock.com/products/open-identity-stack/opendj) does have REST capabilities you might also want to explore.