Oracle Names Resolution with OpenLDAP

Installation and basic configuration of OpenLDAP

We first need to install the basic OpenLDAP package and its associated management tools. Do that by issuing this command:

yum -y install openldap-servers openldap-clients

Amongst other things, this causes a sample LDAP database to be installed. We copy that sample and make it our actual, functional database. The location of the sample database is different on RHEL5.x as compared to RHEL6.x.

For Red Hat 5.x and its clones, issue this command:

cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

On Red Hat 6.x and its clones, this command will work:

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Next, we create a new password with which to authenticate the eventual administrator of  the LDAP server:

slappasswd

Supply your desired password twice, then copy the response you receive, which will be an encrypted string, like this: {SSHA}eEqXaBpCEyxh3mNbuHfrFLW82h2DKexT. Paste that into a text editor so that you can re-use it in just a moment.

Now download a file called slapd.conf.

Save that in root’s home directory (i.e., /root). If you are running RHEL 5.x, issue these commands:

mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.orig
mv /root/slapd.conf /etc/openldap

That simply renames the existing, default slapd.conf and then copies the downloaded version in its place.

If you are running RHEL 6.x, no slapd.conf is provided by default, but a completely new slapd.d directory exists (which we don’t actually want to exist!) so you issue these commands instead:

mv /root/slapd.conf /etc/openldap
mv /etc/openldap/slapd.d /etc/openldap/slapd.d.el6

In either case, you end up with my version of a slapd.conf configuration file sitting where it can be functional. You should open it in a text editor and knock it into a shape that suits your environment’s specifics. In particular, look to the end of the file where you will see these sorts of lines:

database        bdb
suffix          "dc=dizwell,dc=home"
rootdn          "cn=admin,dc=dizwell,dc=home"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg
rootpw {SSHA}eEqXaBpCEyxh3mNbuHfrFLW82h2DKexT

You alter the suffix so that it names your own domain, each component of the domain name being handled by a separate “dc=” (i.e., “domain component”) designator. If you are running on, for example, mydomain.home.tv, you’d set the suffix to be “dc=mydomain,dc=home,dc=tv”. Here, I’m configuring ‘dizwell.home’: note that there are no spaces between the component parts of your domain name. Commas, yes; but spaces, no.

You also alter the rootdn. This sets up who may edit entries in your LDAP database. The line you see above is saying that a user called “admin” is allowed to edit directory entries for the dizwell.home domain. You can specify any name you like, but all subsequent code examples in this article will assume the name ‘admin’ applies.

Finally, you specify the password which that admin user will provide when editing entries -and at this point, you paste in the encrypted password you obtained earlier.

With those edits saved, we can now start the server daemon. On RHEL 5.x that’s done with this command:

 service ldap start

On RHEL 6.x, you issue this instead:

service slapd start

While you’re there, you might as well arrange for the service to re-start automatically at every server boot, too. Again, the commands are slightly different, depending on your choice of distro version. If you’re using RHEL 5.x, you’d type this:

chkconfig ldap on

And if you’re a RHEL 6.x user, you’d type this:

chkconfig slapd on

Now create (or download) a file, called /root/initldap.ldif, which contains this:

dn: dc=dizwell,dc=home
objectclass: dcObject
objectclass: organization
o: Dizwell LDAP Server
dc: dizwell

dn: cn=admin,dc=dizwell,dc=home
objectclass: organizationalRole
cn: admin

Don’t mess with the formatting here! The blank line after the “dc: dizwell” line is essential (without it, you’d get “undefined attribute type” errors in the next step). The file simply sets up an initial, basic hierarchy for the dizwell.home domain. It first says the domain exists, then it says there’s a user within the domain called ‘admin’. Change the words ‘dizwell’, ‘home’ and ‘admin’ to match your own circumstances (and ensure they match the contents of the slapd.conf file you edited earlier).

We insert the contents of this “ldif” file (that is, the LDAP Data Interchange Format) into the LDAP database using the following command:

ldapadd -a -x -D 'cn=admin,dc=dizwell,dc=home' -W -f initldap.ldif

You’ll be prompted to supply the same password as you used before (and whose encrypted form was pasted into the slapd.conf file). You should then see this response:

Enter LDAP Password:
adding new entry "dc=dizwell,dc=home"

adding new entry "cn=admin,dc=dizwell,dc=home"

You can then query the directory to check its contents:

ldapsearch -h 127.0.0.1 -x -b "dc=dizwell,dc=home"

If you get a response showing two components that look very much like the contents of your initldap file, so far so good: your basic LDAP configuration is working. Now we have to make it capable of handling Oracle names resolution requests!

Pages: 1 2 3 4

8 thoughts on “Oracle Names Resolution with OpenLDAP

    1. dizwell Post author

      Thanks for the suggestion Georger. (In case anyone else is wondering what he’s encouraging me to try, Apache Directory Studio is another GUI LDAP browser that integrates nicely into the Eclipse IDE). I did look at it before writing the article and if you were a full-on developer, it’s pretty obviously the way you’d choose to go. But if you just want to browse the LDAP hierarchy and add a new key here and there, I think Georger’s assessment is right: ADS is complete overkill. For basic browsing and the occasional ‘new’, a lot of these tools look and feel much the same, but Jxplorer had the advantages (for me) of being nicely cross-platform and just a 4MB download.

      Always good that alternatives get a mention, though, that’s for sure. I’ll edit the article to make a mention of it directly, how’s that?

      Reply
      1. Georger

        Hi,
        That would be great. Anyone who’s using some LDAP other than Active Directory would benefit from knowing about Apache Directory Studio.

        Reply
  2. Shyamal Thatte

    Hi,

    After configuration, windows clients are able to connect. However Linux oracle clients do not resolve. This is probably due to OID specific LDAP components.

    e.g. ldapsearch -h -x -b “dc=xxxx,dc=xxxx,dc=com”
    returns error as the syntax is incorrect.

    Following error in the trace file

    nnflilc: Opening sync conn to serv1.xxxx.xxxx.com:389
    nnflalc: entry
    nnflalc: bind call returns 0
    nnflalc: exit
    nnflilc: exit
    nnflrlc: exit
    nnflobc: exit
    nnflcgc: exit
    nnflboot: exit
    nnflrne: entry
    nnflcgc: entry
    nnflcgc: exit
    nnfln2x: entry
    nnflgcp: entry
    nnflgcp: exit
    nnfln2x: exit
    nnflrne: Quering the directory for dn: cn=rpqr,cn=OracleContext
    nnflqbf: entry
    nnflqbf: Search: Base: cn=rpqr,cn=OracleContext, Scope: 0, filter: (objectclass=*)
    nnflqbf: Search: Attrs[0]: objectclass
    nnflqbf: exit
    nnflrne: exit

    Reply
      1. Shyamal Thatte

        Update – Oracle instant client on linux works. However connecting from a full database installation doe not work.

        Reply
  3. Kevin

    Diz,

    trying to ldapadd the oidbase.ldf..it loads but don’t see an entry for the Oracle Internel (typo?) Directory. get successful add with the comment that OracleContext:

    heregoes:
    ldapadd -c -x -D “cn=Manager,dc=ipacc,dc=com” -W -f oidbase.ldif

    adding new entry “dc=ipacc,dc=com”
    ldap_add: Already exists (68) (like u said)
    adding new entry “cn=OracleContext,dc=ipacc,dc=com”

    Da seach:

    ldapsearch -x -b “dc=ipacc,dc=com” ‘(objectclass=*)’

    # LDAPv3
    # base with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # ipacc.com
    dn: dc=ipacc,dc=com
    objectClass: dcObject
    objectClass: organization
    o: yumrepos LDAP Server
    dc: ipacc

    # Manager, ipacc.com
    dn: cn=Manager,dc=ipacc,dc=com
    objectClass: organizationalRole
    cn: Manager

    # OracleContext, ipacc.com
    dn: cn=OracleContext,dc=ipacc,dc=com
    objectClass: orclContext
    cn: OracleContext

    << I would have expected to see the contents of the oidbase.ldif loaded.

    Da ldif file:

    dn: dc=ipacc,dc=com |
    objectClass: top |
    objectClass: dcObject | < what I would expect to see in the ldapsearch
    objectClass: organization |
    o: Oracle Internet Directory |
    dc: ipacc |

    dn: cn=OracleContext,dc=ipacc,dc=com
    objectclass: orclContext
    cn: OracleContext

    slapd.conf has the includes so I know it sees 'em. Looks like a collision on the dn
    to me…any ideas??

    Reply
  4. Kevin

    Hey Diz,

    Really think it is the ldif for oidbase. I can get a ‘thin’ connection to the db using
    ldap e.g. sqlplus blah/blah@”cn=d_db,cn=OracleContext,dc=ipacc,dc=com”

    this connects but will not tnsping (b/t/w I am on OEL 6).

    Thnks!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>