Oracle9i Net Services Administrator's Guide Release 2 (9.2) Part Number A96580-02
This chapter explains how to configure access to an LDAP-compliant directory server.
This chapter contains these topics:
See Also: "Directory Server Support" for an overview of directory server support in Oracle Net Services
Many Oracle products have features that use an LDAP-compliant directory server to centrally store entries. Examples of features that use a directory are Oracle Net directory naming and Oracle Advanced Security enterprise user security. If you want to use these features, you must establish a directory server for them, and you must also enable your computers to use that directory server.
Directory server usage can be configured during or after installation, as described in the following sections:
Oracle Universal Installer launches Oracle Net Configuration Assistant during software installation. Oracle Net Configuration Assistant enables you to configure usage of a directory server. Directory server usage configuration varies depending upon the installation mode you selected during installation, as described in these topics:
After a Custom installation on the database server, Oracle Net Configuration Assistant prompts you to configure usage of a directory server. Directory server usage configuration enables:
Note: Directory usage configuration is not performed during an Enterprise Edition or Standard Edition installation on the database server. For these installation types, Oracle Net Configuration Assistant can be run in standalone mode. See "Configuring Directory Usage After Installation" for details.
During directory server usage configuration, Oracle Net Configuration Assistant prompts you to:
If an Oracle Context does not exist, then Oracle Net Configuration Assistant prompts you to create one. During Oracle Context creation, you are prompted for directory administrator authentication credentials. If the Oracle Context is created successfully, then the authenticated user is added to the following groups:

OracleContextAdmins (cn=OracleContextAdmins,cn=Groups,cn=OracleContext,...)
As a member of OracleContextAdmins, a user has full privileges for the entire Oracle Context.

OracleDBCreators (cn=OracleDBCreators,cn=OracleContext,...)
As a member of OracleDBCreators, a user can use Database Configuration Assistant to register a database service entry.

OracleNetAdmins (cn=OracleNetAdmins,cn=OracleContext,...)
As a member of OracleNetAdmins, a user can use Oracle Net Manager to create, modify, and delete net service names and net service aliases, as well as modify Oracle Net attributes of database services.

A directory administrator can add other users to these groups.
Note: Additional groups are created during Oracle Context creation, as described in the Oracle9i Directory Service Integration and Deployment Guide.
During directory usage configuration, Oracle Net Configuration Assistant verifies that the Oracle schema was created. The Oracle schema defines the Oracle entries and their attributes. If the schema does not exist or is an older release, then you are prompted to create or upgrade it. During Oracle schema creation, you are prompted for authentication credentials.
When directory usage configuration completes, directory usage configuration information is stored in an ldap.ora file. You are then prompted to select naming methods. You can select directory naming.
After Oracle Net Configuration Assistant completes configuration, Database Configuration Assistant creates the database. The service name of the database is automatically created under the Oracle Context.
During client installation, Oracle Net Configuration Assistant prompts you to configure the use of a directory server for enabling directory naming. If directory server usage is not configured, then the client cannot use directory naming to look up connect identifier entries in the directory.
During directory server usage configuration, Oracle Net Configuration Assistant prompts you to:
During directory usage configuration, Oracle Net Configuration Assistant verifies that the Oracle schema was installed. If the Oracle schema or Oracle Context was not configured by the database server, then you cannot complete directory server usage configuration on the client.
When directory usage configuration completes, Oracle Net Configuration Assistant stores the directory usage configuration information in the ldap.ora file.
For Standard Edition and Enterprise Edition installations, Oracle Net Configuration Assistant automatically configures directory naming as a naming method. For a Custom installation, you are prompted to select naming methods after directory usage configuration completes. You can select directory naming.
You can configure directory usage with Oracle Net Configuration Assistant at any time.
To configure directory server usage:
The Welcome page appears.
The Directory Usage Configuration page appears.
[Figure: Directory Usage Configuration page (dircongi.gif)]
The Directory Usage Configuration page options are described in Table 8-1.

Table 8-1 Directory Usage Configuration Page Options

Option: Select the directory server you want to use

Select this option to enable this computer's Oracle home to use a directory server that is already configured for Oracle directory usage. This option is intended for clients that use directory naming. Once configuration is complete, the software in the Oracle home can look up entries in the directory server. This option prompts you to:

Note: If no Oracle schema or Oracle Context exists, then you cannot complete usage configuration using this option. You must first use the Select the directory server you want to use, and configure the directory server for Oracle usage option to create the Oracle schema or Oracle Context.

Option: Select the directory server you want to use, and configure the directory server for Oracle usage

Select this option to configure a directory server for Oracle directory-enabled features and enable the Oracle home to use that directory. This option is intended for administrators who must first configure the directory for Oracle features. Once configuration is complete, the software in the Oracle home can look up entries in the directory server. This option prompts you to:

If an Oracle Context does not exist under the selected location, then Oracle Net Configuration Assistant prompts you to create one. Likewise, if the Oracle schema does not exist or is an older release, you are prompted to create or upgrade it. During the creation or upgrade of an Oracle schema or Oracle Context, you are prompted for directory administrator authentication credentials. To create an Oracle Context, the following must exist in the directory server:

If the Oracle Context is created successfully, then the authenticated user is added to the OracleContextAdmins, OracleDBCreators, and OracleNetAdmins groups described earlier in this chapter.

Option: Create additional or upgrade existing Oracle Context

Select this option to create an additional Oracle Context in the directory, or to upgrade an existing Oracle Context to the current release. To create an Oracle Context, the following must exist in the directory server:

During the creation or upgrade of an Oracle Context, you are prompted for directory administrator authentication credentials. If the Oracle Context is created successfully, then the authenticated user is added to the OracleContextAdmins, OracleDBCreators, and OracleNetAdmins groups described earlier in this chapter.

Option: Create or upgrade the Oracle Schema

Select this option to create the Oracle schema in the directory, or to upgrade the Oracle schema to the current release. During Oracle schema creation or upgrade, you are prompted for authentication credentials.
Members of OracleNetAdmins (cn=OracleNetAdmins,cn=OracleContext,...) have create, modify, and read access to Oracle Net objects and attributes. Oracle Net Configuration Assistant establishes these access rights for this group during Oracle Context creation. Because clients that use directory naming resolve connect identifiers from these entries, a member of this group can change where clients connect; keep membership limited to administrators who need it.
This section contains the following topics:
Note: Members of the OracleContextAdmins group can also add and delete members of the OracleNetAdmins group. See the Oracle9i Directory Service Integration and Deployment Guide.
The owner of the OracleNetAdmins group can perform the following functions:
By default, the owner of the OracleNetAdmins group is the OracleNetAdmins group itself. This means that any member of the OracleNetAdmins group can add or delete other members of the OracleNetAdmins group. If you prefer that a group other than OracleNetAdmins add or delete OracleNetAdmins members, change the owner attribute of the OracleNetAdmins group to that group.
The owner cannot be an individual user entry, such as cn=scott, but must be a group entry, that is, an entry composed of the LDAP schema object classes groupOfUniqueNames and orclPrivilegeGroup.
To add a group as an owner of an OracleNetAdmins group:
You can use the following sample LDIF file. Enter the appropriate distinguished name (DN) for cn=OracleNetAdmins and the DN of the group that you want to add.

dn: cn=OracleNetAdmins,cn=OracleContext,...
changetype: modify
add: owner
owner: <DN of group to add>

For example, the following LDIF syntax changes the ownership from the OracleNetAdmins group to another group named cn=AcmeSecurityAdmins. The group can be either inside or outside the Oracle Context; in this case, it is outside the Oracle Context.

dn: cn=OracleNetAdmins,cn=OracleContext,...
changetype: modify
add: owner
owner: cn=AcmeSecurityAdmins

dn: cn=OracleNetAdmins,cn=OracleContext,...
changetype: modify
delete: owner
owner: cn=OracleNetAdmins,cn=OracleContext,...

Use the following ldapmodify syntax to apply the change of owner:

ldapmodify -h directory_host -p port -D binddn -w password -f ldif_file
To add a user to the OracleNetAdmins group with ldapmodify:

You can use the following sample LDIF file. Use the appropriate DN for cn=OracleNetAdmins and the user that you want to add.

dn: cn=OracleNetAdmins,cn=OracleContext,...
changetype: modify
add: uniquemember
uniquemember: <DN of user being added to group>

Use the following ldapmodify syntax to add the user:

ldapmodify -h directory_host -p port -D binddn -w password -f ldif_file
To remove a user from the OracleNetAdmins group with ldapmodify:

You can use the following sample LDIF file. Enter the appropriate DN for cn=OracleNetAdmins and the user that you want to delete.

dn: cn=OracleNetAdmins,cn=OracleContext,...
changetype: modify
delete: uniquemember
uniquemember: <DN of user being deleted from group>

Use the following ldapmodify syntax to delete the user:

ldapmodify -h directory_host -p port -D binddn -w password -f ldif_file
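The three procedures above (changing the owner of OracleNetAdmins, adding a member, removing a member) all come down to writing LDIF change records against the group entry, and the owner rule stated earlier (a group entry carrying groupOfUniqueNames and orclPrivilegeGroup, never a user) is something an administrator should check before applying such a change. The following script is an added example, not code from the Oracle guide: it parses a constructed LDIF export of an Oracle Context (the suffix dc=example,dc=com, the group cn=AcmeSecurityAdmins, and the user cn=scott are placeholders), reports who is in OracleNetAdmins and who owns it, flags the self-owned default, and generates the LDIF for each of the three changes, refusing an owner that is not a group entry in the export. It goes slightly beyond the guide's text in that it audits the existing state rather than only producing the modify records.

```python
"""Audit and change OracleNetAdmins membership/ownership via LDIF.

Added example, not from the Oracle guide. Runs against a constructed LDIF
export (an ldapsearch-style dump); every DN below is a placeholder.
"""

# Constructed sample export: OracleNetAdmins (self-owned, the default),
# a candidate owner group, and an individual user entry.
SAMPLE_EXPORT = """\
dn: cn=OracleNetAdmins,cn=OracleContext,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclPrivilegeGroup
cn: OracleNetAdmins
owner: cn=OracleNetAdmins,cn=OracleContext,dc=example,dc=com
uniquemember: cn=orcladmin
uniquemember: cn=scott,cn=Users,dc=example,dc=com

dn: cn=AcmeSecurityAdmins,cn=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclPrivilegeGroup
cn: AcmeSecurityAdmins
uniquemember: cn=alice,cn=Users,dc=example,dc=com

dn: cn=scott,cn=Users,dc=example,dc=com
objectclass: top
objectclass: person
cn: scott
sn: Tiger
"""

# Object classes the guide requires of an owner entry.
GROUP_CLASSES = {"groupofuniquenames", "orclprivilegegroup"}


def parse_ldif(text):
    """Parse LDIF entries into {dn.lower(): {attr.lower(): [values]}}.

    Unfolds continuation lines (leading space), skips comments, and treats
    a blank line as the end of an entry. Attribute values keep their case.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {}
            entries[value.lower()] = current
        elif current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        else:
            current.setdefault(attr, []).append(value)
    return entries


def is_owner_capable(entries, dn):
    """True if dn exists in the export and carries both required group classes."""
    entry = entries.get(dn.lower())
    if entry is None:
        return False
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return GROUP_CLASSES <= classes


def audit_netadmins(entries, netadmins_dn):
    """Members and owners of OracleNetAdmins, plus findings on the owner.

    Members can rewrite the connect descriptors clients resolve through
    directory naming, so the member list is what to review.
    """
    group = entries[netadmins_dn.lower()]
    findings = []
    for owner in group.get("owner", []):
        if owner.lower() == netadmins_dn.lower():
            findings.append("self-owned: any member can add or remove members")
        elif not is_owner_capable(entries, owner):
            findings.append("owner %s is not a groupOfUniqueNames/orclPrivilegeGroup entry" % owner)
    return {"members": group.get("uniquemember", []),
            "owners": group.get("owner", []), "findings": findings}


def member_change(netadmins_dn, user_dn, add=True):
    """One LDIF change record adding (add=True) or deleting a uniquemember."""
    op = "add" if add else "delete"
    return "dn: %s\nchangetype: modify\n%s: uniquemember\nuniquemember: %s\n" % (
        netadmins_dn, op, user_dn)


def owner_change(entries, netadmins_dn, new_owner_dn):
    """LDIF that adds the new owner group, then deletes each old owner.

    Refuses a new owner that is missing from the export or is not a group
    entry, so a typo cannot leave the group owned by a user or a dead DN.
    """
    if not is_owner_capable(entries, new_owner_dn):
        raise ValueError("new owner must be an existing group entry: %s" % new_owner_dn)
    records = ["dn: %s\nchangetype: modify\nadd: owner\nowner: %s\n" % (netadmins_dn, new_owner_dn)]
    for old in entries[netadmins_dn.lower()].get("owner", []):
        if old.lower() != new_owner_dn.lower():
            records.append("dn: %s\nchangetype: modify\ndelete: owner\nowner: %s\n" % (netadmins_dn, old))
    return "\n".join(records)


if __name__ == "__main__":
    dn = "cn=OracleNetAdmins,cn=OracleContext,dc=example,dc=com"
    ents = parse_ldif(SAMPLE_EXPORT)
    print(audit_netadmins(ents, dn))
    print(owner_change(ents, dn, "cn=AcmeSecurityAdmins,cn=Groups,dc=example,dc=com"))
```

Feed the generated text to ldapmodify with -f as the guide shows; in a real deployment replace SAMPLE_EXPORT with an ldapsearch dump of cn=OracleContext taken just before the change, so the owner check runs against current directory state.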