This is part 3 of a multi-part blog post on using OpenLDAP for Net Service Name Resolution. Part 1 can be found here.
Configuration for Net Service Name Resolution
Ok, now that you have an OpenLDAP server installed and configured (optionally with master/slave replication configured), it’s time to “teach” it how to handle Oracle Net Service Names. The first thing you’ll want to do is create a directory under /etc/openldap, thus:
Now, you need to populate that directory with the schema definitions for OID objects. There are four files, and they can be downloaded here: alias.schema, oidbase.schema, oidnet.schema, and oidrdbms.schema. Once you’ve downloaded them, copy them to the directory you just created:
cp /root/*.schema /etc/openldap/oidschema
Now, you’ll need to edit the slapd.conf file, to point to the newly added files. If you look in slapd.conf, you’ll see that the files are already referenced in slapd.conf, but are simply commented out. So, open slapd.conf in your favorite editor, and look for lines that look like this:
Just remove the leading ‘#’ from each of those lines and save the file. Finally, restart the LDAP server, thus:
service slapd restart
Ok, now, if you’re doing replication, you should do all the steps up to here, on both the master and slave servers. From this point forward, you should only execute on the master, and replication will propagate the change to the slave.
Now, we need to set up the object which will serve as the base for the OID information. You'll need to download oidbase.ldif, and make some (now familiar) edits. The file as downloaded will look like this:
o: Oracle Internet Directory
Again, edit the domain-specific values above as appropriate for your domain, etc. Once you've edited it, you'll need to load it into the LDAP server. That can be done with this command:
ldapadd -c -x -D "cn=admin,dc=proquest,dc=com" -W -f oidbase.ldif
So, at this point, the LDAP server knows about Oracle Net Service Names, and is ready for you to start loading them. Let’s start with a single Net Service Name, and see if we can get things working. So, you’ll find a sample, dummy Net Service Name definition in this file: service_name_test.ldif
If you open that file in your favorite editor, you’ll see this:
As always, at a minimum, you should modify the file for your domain specification. If you wish, you can substitute the values for 'cn' and 'orclNetDescString' with a real-world example from your environment, but it's not strictly necessary. The host, port, service name, etc. specified above don't actually need to exist in order to test whether your Oracle client can resolve a Net Service Name and return the correct connect descriptor. Of course, the subsequent connection would fail, but that's irrelevant to testing whether you've correctly configured your LDAP server. So, now that you have your first Net Service Name in an LDIF file, you can load it into the LDAP server by executing this command:
ldapadd -c -x -D "cn=admin,dc=proquest,dc=com" -W -f service_name_test.ldif
So, this is a major milestone. At this point, you've installed OpenLDAP, done the basic configuration, added the information for managing Oracle Net Service Names, and finally, added your very first Net Service Name definition. And, if you've elected to set up replication, that should also be fully functional.
Configuring the Oracle Client
So, now that you've done all that, how do you get the Oracle client to utilize your shiny new LDAP server? Well, that's actually pretty easy and straightforward. You'll need to create or modify two different files in your $ORACLE_HOME/network/admin (or in $TNS_ADMIN, if you have that variable configured). First, you'll need to tell your Oracle client to use LDAP for Net Service Name resolution. That can be done by creating or modifying $ORACLE_HOME/network/admin/sqlnet.ora and setting the NAMES.DIRECTORY_PATH parameter. A barebones, minimal sqlnet.ora would simply contain one line, that looks like this:
That's it. There can be many other lines in a typical sqlnet.ora file, but the above line is all that's needed if you wish to configure your client for Net Service Name resolution via LDAP. (Note that if you're running a recent version of RAC, it's likely that your remote_listener parameter is in EZCONNECT format, so you'll need to have that in the list of available naming methods, in addition to LDAP.) Once that's done, you've told the Oracle client to use LDAP. Now, you need to tell it where to find the LDAP server. That can be done via the ldap.ora file. At a minimum, your ldap.ora file should look something like this:
DEFAULT_ADMIN_CONTEXT = "dc=proquest,dc=com"
DIRECTORY_SERVER_TYPE = OID
Once again, you’ll need to modify the above file, in this case for your domain specification as well as your LDAP server hostname. At this point, you’re ready to try a tnsping, to confirm everything is configured correctly.
So, try this:
If you see something like:
TNS Ping Utility for Linux: Version 220.127.116.11.0 - Production on 09-OCT-2013 05:33:59
Copyright (c) 1997, 2013, Oracle. All rights reserved.
Used parameter files: /oracle/database/product/12.1.0/db/network/admin/sqlnet.ora
Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=mydb)))
then congratulations! You have a working LDAP server that’s been configured to resolve Oracle Net Service Names!
What about Aliases?
So, what if you have a tnsnames.ora file with lots of Net Service Names that have aliases. For example, suppose you have a line in your tnsnames.ora that looks like this:
mydb,myalias = (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=mydb)))
This is very similar to the example above, but note that in addition to the Net Service Name, mydb, there is a Net Service Alias, myalias. How can you deal with a Net Service Alias in LDAP? Well, fortunately, the OID schema is able to handle a Net Service Alias. First, download the service_alias_test.ldif file. If you open this file in your favorite editor, you'll see a file that looks like this:
alias cn: myalias
As always, update the domain for your specific details. Once that’s done, you can add that alias to the LDAP server, via ldapadd:
ldapadd -c -x -D "cn=admin,dc=proquest,dc=com" -W -f service_alias_test.ldif
Note that aliases directly reference an existing Net Service Name, so the Net Service Name must already be loaded into the LDAP server, or any attempt to create the alias will fail. So, be sure to always load the Net Service Name first, then add any alias(es) afterwards.
So, that's it. You now have a fully configured OpenLDAP server that is set up to serve Oracle Net Service Names.
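As an added example (not the author's code, and not the tns2ldif.c filter mentioned later in this series), here is a small Python converter that turns tnsnames.ora entries such as the one above into LDIF, emitting every Net Service Name before the aliases that point at it so ldapadd never meets a dangling alias. The page itself shows only the cn and orclNetDescString attributes; the orclNetService and orclNetServiceAlias object classes, the aliasedObjectName attribute and the cn=OracleContext container are assumed from the OID schema files loaded above.

```python
"""Added example: tnsnames.ora -> LDIF for OpenLDAP with the OID schema. Assumed from that
schema (not shown on the page): orclNetService, orclNetServiceAlias, aliasedObjectName,
and the cn=OracleContext container."""
import re

# Constructed sample tnsnames.ora: one entry with an alias, one multi-line entry.
SAMPLE_TNSNAMES = """
mydb,myalias = (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=mydb)))
otherdb =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCP)(HOST=otherhost)(PORT=1521))
    (CONNECT_DATA=(SERVICE_NAME=otherdb)))
"""

# Names are limited to [A-Za-z0-9_.-], so they need no escaping in a DN or on an LDIF line.
_HEAD = re.compile(r"\s*([\w.-]+(?:\s*,\s*[\w.-]+)*)\s*=\s*\(")


def parse_tnsnames(text):
    """Yield (names, descriptor) per entry; names[0] is the Net Service Name, the rest aliases."""
    body = " ".join(line.split("#", 1)[0].strip() for line in text.splitlines())
    pos = 0
    while (match := _HEAD.match(body, pos)):
        start = match.end() - 1                  # index of the descriptor's opening "("
        depth, pos = 0, start
        while pos < len(body):                   # walk to the matching ")"
            depth += {"(": 1, ")": -1}.get(body[pos], 0)
            pos += 1
            if depth == 0:
                break
        else:
            raise ValueError("unbalanced parentheses in tnsnames.ora")
        names = [n.strip() for n in match.group(1).split(",")]
        yield names, re.sub(r"\s+", "", body[start:pos])   # one LDIF line, no newline injection
    if body[pos:].strip():
        raise ValueError("unparsable text in tnsnames.ora near: %r" % body[pos:pos + 40])


def to_ldif(text, admin_context):
    """Emit LDIF with every Net Service Name before the aliases that point at it."""
    base = "cn=OracleContext," + admin_context
    services, aliases = [], []
    for names, desc in parse_tnsnames(text):
        primary = names[0]
        services.append(f"dn: cn={primary},{base}\nobjectclass: top\nobjectclass: orclNetService\n"
                        f"cn: {primary}\norclNetDescString: {desc}\n")
        for alias in names[1:]:
            aliases.append(f"dn: cn={alias},{base}\nobjectclass: top\nobjectclass: alias\n"
                           f"objectclass: orclNetServiceAlias\naliasedObjectName: cn={primary},{base}\n"
                           f"cn: {alias}\n")
    return "\n".join(services + aliases)   # feed to: ldapadd -c -x -D <admin dn> -W -f <file>
```

Entries with unbalanced parentheses or names outside the allowed character set stop the conversion with an error instead of producing LDIF that ldapadd would partially load.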
So, now what? What happens if you have a tnsnames.ora file with hundreds, or even thousands, of entries? Converting a large file to LDIF for loading into your LDAP server could be a very laborious and time-consuming task, indeed. What about modifying specific Net Service Names? Is there a GUI available to do that? In the next installment, I'll introduce a simple C program filter, called tns2ldif.c, which I think you'll find very convenient for converting large numbers of entries in your tnsnames.ora to LDIF. Also, I'll look at a GUI-based tool for editing individual Net Service Names. Stay tuned for my next blog, OpenLDAP – Care and feeding of your LDAP server.
Mark J. Bobak