
Wednesday, May 29, 2013

Oracle Unified Directory 11.1.2.1.0: TNS and EUS - Part 1: TNS Resolving

Part two of OUD.

Start it up

# su - oracle
$ /oracle/Middleware/asinst-1/OUD/bin/start-ds

Just to make things happen, I shut down the firewall:

# service iptables stop

But at least, I can do things like:

frank@ubuntu64:~$ ldapsearch -D "cn=Directory Manager" -w Welcome1 -h oud -p 1389 -b dc=home,dc=local cn=groups -LLL
dn: cn=Groups,cn=OracleContext,dc=home,dc=local
cn: Groups
objectClass: orclContainer
objectClass: top

TNS Name resolution

Resolving TNS names through LDAP is easy, pays off if you have many database instances, and comes automatically if you want Enterprise User Security (EUS) as well.
The first step is to register the database (needed for EUS; if you just want TNS name resolution, use Net Manager ($ORACLE_HOME/bin/netmgr) and navigate to Command -> Directory -> Export Net Service Names). You can register the database with the Database Creation Assistant, but the timing is wrong: dbca usually runs when the networking is not yet configured.
So, let's do the ldap part of network configuration:
[oracle@idm1 ~]$ cd $ORACLE_HOME/network/admin
[oracle@idm1 admin]$ cat ldap.ora
DIRECTORY_SERVERS= (oud.home.local:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=home,dc=local"
DIRECTORY_SERVER_TYPE = OID
I want to use the command line version of dbca:
dbca -silent -configureDatabase -sourceDB $ORACLE_SID \
  -registerWithDirService true -dirServiceUserName "cn=Directory Manager" \
  -dirServicePassword Welcome1 -walletPassword Welkom123
However, it comes back with
Manager is an invalid command line argument.
So I used the GUI. DBCA should be patched to be able to pass parameters with spaces (something with replacing $* with "$@"?!?)
The result is that the instance is registered:
frank@ubuntu64:~$ ldapsearch -D "cn=Directory Manager" -w Welcome1 -h oud -p 1389 -b dc=home,dc=local cn=idm1 -LLL
dn: cn=idm1,cn=OracleContext,dc=home,dc=local
orclVersion: 112000
orclcommonrpwdattribute: {SASL-MD5}XjChkyAf9xCbtif/veeBqg==
objectClass: orclApplicationEntity
objectClass: orclService
objectClass: orclDBServer_92
objectClass: orclDBServer
objectClass: top
orclServiceType: DB
orclSid: idm1
orclOracleHome: /oracle/db/product/11.2.0
cn: idm1
orclSystemName: idm1.home.local
userPassword:: e1NTSEF9ZDdHb1BJeHZ4cktQdVduWE1vYzRlVklFaUprT1NpRGtsWFhEcWc9PQ==
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=idm1.home.local)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=idm1.home.local)))
orclDBGlobalName: idm1
orclNetDescName: 000:cn=DESCRIPTION_0
Until now, tnsping resolved the alias through tnsnames.ora. Now I can also use the LDAP server; to do that, I have to tell the client environment to use LDAP:
[oracle@idm1 admin]$ tnsping idm1

TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 22-MAY-2013 14:33:08

Copyright (c) 1997, 2011, Oracle. All rights reserved.

Used parameter files:

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = idm1.home.local)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = idm1.home.local)))
OK (10 msec)
[oracle@idm1 admin]$ vi sqlnet.ora
[oracle@idm1 admin]$ cat sqlnet.ora
NAMES.DIRECTORY_PATH= (LDAP, TNSNAMES)
[oracle@idm1 admin]$ tnsping idm1

TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 22-MAY-2013 14:33:52

Copyright (c) 1997, 2011, Oracle. All rights reserved.

Used parameter files:
/oracle/db/product/11.2.0/network/admin/sqlnet.ora

Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=idm1.home.local)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=idm1.home.local)))
OK (10 msec)
So there you have it: using Oracle Unified Directory as the mechanism to resolve TNS names.

Tuesday, September 18, 2007

WNA and Firefox

Where IE supports Windows Native Authentication more or less 'out of the box', Firefox does not. Here's how to enable Windows Native Authentication (WNA) in Firefox:
- type 'about:config' in the address bar
- navigate to the entry 'network.negotiate-auth.trusted-uris' (tip: set the search filter to "network.negotiate")
- enter the domains you want WNA to act upon, e.g. "home.local".
Multiple domains are separated by commas, e.g. "home.local,home.networked". Earlier releases indicate that a leading dot is required (e.g. ".home.local" instead of "home.local").

Friday, August 17, 2007

Enterprise network issues

Just had a situation where I set up an enterprise user on a registered database. Logging on to the instance works on the machine itself:

SQL> create user global_id_schema_user identified globally;
User created.

SQL> grant connect to global_id_schema_user;
Grant succeeded.

SQL> connect bortel
Enter password:
Connected.
SQL> select sys_context('userenv','external_name') from dual;

SYS_CONTEXT('USERENV','EXTERNAL_NAME')
--------------------------------------------------------------------------------
cn=bortel,cn=users,dc=***,dc=nl

SQL> select * from session_roles;

ROLE
------------------------------
CONNECT

However, trying to connect from a remote station, I got the following error:
SQL> conn bortel@oinfra
Enter password:
ERROR:
ORA-12514: TNS:listener does not currently know of service requested in connect descriptor

This strikes me as odd, as the database registered successfully.
The TNSPING utility shows

M:\>tnsping oinfra

TNS Ping Utility for 32-bit Windows: Version 10.2.0.3.0 - Production on 17-AUG-2007 11:14:15

Copyright (c) 1997, 2006, Oracle. All rights reserved.

Used parameter files:
C:\oracle\DB92\network\admin\sqlnet.ora

Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=machine.at.certain.domain)(PORT=1521))
(CONNECT_DATA=(SERVICE_NAME=oinfra.machine.at.certain.domain)))
OK (10 msec)

It looks like the service name is not known to the listener. I know this setup uses hardcoded aliases in listener.ora (which is going to change: this client will switch to instances registering themselves, using local_listener). Sure enough, on the database server:

me@machine> lsnrctl services listener_machine

LSNRCTL for HPUX: Version 10.2.0.2.0 - Production on 17-AUG-2007 11:29:21

Copyright (c) 1991, 2005, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=oinfra)))
Services Summary...
Service "oinfra" has 1 instance(s).
Instance "oinfra", status UNKNOWN, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:136 refused:0
LOCAL SERVER
The command completed successfully

Not a trace of the fully qualified service name "oinfra.machine.at.certain.domain".
The solution to this is to add GLOBAL_DBNAME to the listener.ora file:

SID_LIST_LISTENER_MACHINE =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = oinfra)
      (global_dbname=oinfra.machine.at.certain.domain)
      (ORACLE_HOME = /oracle/....)
      (connection_data =
        (sid = oinfra)
      )
    )
  )

Then, do a reload of the listener configuration, and check the results:
me@machine>lsnrctl reload listener_machine

LSNRCTL for HPUX: Version 10.2.0.2.0 - Production on 17-AUG-2007 11:55:55
Copyright (c) 1991, 2005, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=oinfra)))
The command completed successfully
me@machine>lsnrctl services listener_machine

LSNRCTL for HPUX: Version 10.2.0.2.0 - Production on 17-AUG-2007 11:56:04
Copyright (c) 1991, 2005, Oracle. All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=oinfra)))
Services Summary...
Service "oinfra.machine.at.certain.domain" has 1 instance(s).
Instance "oinfra", status UNKNOWN, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0
LOCAL SERVER
The command completed successfully

After that, the remote login succeeds:

SQL> conn bortel@oinfra
Enter password:
Connected.
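The two failure points in these posts are the same check seen from both ends: what the LDAP entry (or tnsping) says the client will ask for, and what the listener actually advertises. The script below, an added example and not code from the posts, unfolds the ldapsearch LDIF from the OUD post, parses the orclNetDescString connect descriptor, and compares its SERVICE_NAME against the service names in 'lsnrctl services' output from the ORA-12514 post; the sample LDIF, descriptor and listener output are constructed from the values shown above.

```python
import re

# Constructed samples using the posts' values: the LDIF entry DBCA registered for idm1 (with an
# LDIF continuation line), tnsping's descriptor for oinfra, and lsnrctl output before the GLOBAL_DBNAME fix.
IDM1_LDIF = (
    "dn: cn=idm1,cn=OracleContext,dc=home,dc=local\n"
    "orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=idm1.home.local)(\n"
    " PORT=1521))(CONNECT_DATA=(SERVICE_NAME=idm1.home.local)))\n")
OINFRA_DESC = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=machine.at.certain.domain)(PORT=1521))"
               "(CONNECT_DATA=(SERVICE_NAME=oinfra.machine.at.certain.domain)))")
LSNRCTL_BEFORE = 'Services Summary...\nService "oinfra" has 1 instance(s).\n'

def search_dn(alias, admin_context):
    """DN the LDAP adapter reads for an alias: cn=<alias>,cn=OracleContext,<DEFAULT_ADMIN_CONTEXT>."""
    return f"cn={alias},cn=OracleContext,{admin_context}"

def ldif_attribute(ldif, name):
    """One attribute value from LDIF text, after unfolding wrapped lines (leading space)."""
    unfolded = ldif.replace("\n ", "")
    m = re.search(rf"^{re.escape(name)}:\s*(.+)$", unfolded, re.M | re.I)
    return m.group(1).strip() if m else None

def parse_descriptor(text):
    """Parse a TNS descriptor (KEY=(KEY=value)...) into nested dicts; a repeated key keeps its last value."""
    def parse(i):  # text[i] == '('; returns (key, value, index just past the matching ')')
        eq = text.index("=", i)
        key, i = text[i + 1:eq].strip().upper(), eq + 1
        while text[i].isspace():
            i += 1
        if text[i] != "(":  # leaf: scalar value up to the closing parenthesis
            close = text.index(")", i)
            return key, text[i:close].strip(), close + 1
        value = {}
        while text[i] == "(":  # nested (KEY=...) entries
            k, v, i = parse(i)
            value[k] = v
            while text[i].isspace():
                i += 1
        return key, value, i + 1  # text[i] == ')'
    key, value, _ = parse(text.index("("))
    return {key: value}

def listener_services(lsnrctl_output):
    """Service names the listener advertises in 'lsnrctl services' output."""
    return set(re.findall(r'^Service "([^"]+)" has', lsnrctl_output, re.M))

def check_service(descriptor, lsnrctl_output):
    """(requested service, advertised by listener); False is the ORA-12514 case from the post."""
    connect_data = parse_descriptor(descriptor)["DESCRIPTION"]["CONNECT_DATA"]
    requested = connect_data.get("SERVICE_NAME") or connect_data.get("SID")
    return requested, requested in listener_services(lsnrctl_output)
```

Running check_service against the listener output from before the GLOBAL_DBNAME change returns False for "oinfra.machine.at.certain.domain", and True once the fully qualified service appears in the services summary.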