Oracle9i Net Services Administrator's Guide
Release 2 (9.2)

Part Number A96580-02

8 Setting Up Directory Server Usage

This chapter explains how to configure access to an LDAP-compliant directory server.

This chapter contains these topics:

Directory Configuration Overview

Many Oracle products have features that use an LDAP-compliant directory server to centrally store entries. Examples of features that use a directory are Oracle Net directory naming and Oracle Advanced Security enterprise users. If you want to use these features, you must establish a directory server for them and enable your computers to use that directory server.

Directory server usage can be configured during or after installation, as described in the following sections:

Configuring Directory Usage During Installation

Oracle Universal Installer launches Oracle Net Configuration Assistant during software installation. Oracle Net Configuration Assistant enables you to configure usage of a directory server. Directory server usage configuration varies depending upon the installation mode you selected during installation, as described in these topics:

Directory Usage Configuration During a Custom Installation on the Database Server

After a Custom installation on the database server, Oracle Net Configuration Assistant prompts you to configure usage of a directory server. Directory server usage configuration enables:

During directory server usage configuration, Oracle Net Configuration Assistant prompts you to:

If an Oracle Context does not exist, then Oracle Net Configuration Assistant prompts you to create one. During Oracle Context creation, you are prompted for directory administrator authentication credentials. If the Oracle Context is created successfully, then the authenticated user is added to the following groups:

A directory administrator can add other users to these groups.


Note:

Additional groups are created during Oracle Context creation, as described in the Oracle9i Directory Service Integration and Deployment Guide.


During directory usage configuration, Oracle Net Configuration Assistant verifies that the Oracle schema was created. The Oracle schema defines the Oracle entries and their attributes. If the schema does not exist or is an older release, then you are prompted to create or upgrade it. During Oracle schema creation, you are prompted for authentication credentials.

When directory usage configuration completes, directory usage configuration information is stored in an ldap.ora file. You are then prompted to select naming methods. You can select directory naming.

After Oracle Net Configuration Assistant completes configuration, Database Configuration Assistant creates the database. The service name of the database is automatically created under the Oracle Context.

See Also:

Directory Usage Configuration During a Client Installation

During client installation, Oracle Net Configuration Assistant prompts you to configure the use of a directory server for enabling directory naming. If directory server usage is not configured, then the client cannot use directory naming to look up connect identifier entries in the directory.

During directory server usage configuration, Oracle Net Configuration Assistant prompts you to:

During directory usage configuration, Oracle Net Configuration Assistant verifies that the Oracle schema was installed. If the Oracle schema or Oracle Context was not configured by the database server, then you cannot complete directory server usage configuration on the client.

When directory usage configuration completes, Oracle Net Configuration Assistant stores the directory usage configuration information in the ldap.ora file.

For Standard Edition and Enterprise Edition installations, Oracle Net Configuration Assistant automatically configures directory naming as a naming method. For a Custom installation, you are prompted to select naming methods after directory usage configuration completes. You can select directory naming.

See Also:

"Directory Naming Method Configuration Steps"

Configuring Directory Usage After Installation

You can configure directory usage with Oracle Net Configuration Assistant at any time.

To configure directory server usage:

  1. Start Oracle Net Configuration Assistant.

    See Also:

    "Oracle Net Configuration Assistant"

    The Welcome page appears.

  2. Select Directory Service Usage Configuration, and then click Next.

    The Directory Usage Configuration page appears.

    [Figure: the Directory Usage Configuration page (dircongi.gif)]

    The Directory Usage Configuration page options are described in Table 8-1.

    Table 8-1  Directory Usage Configuration Page in Oracle Net Configuration Assistant
    Option Description

    Select the directory server you want to use

    Select this option to enable this computer's Oracle home to use a directory server that is already configured for Oracle directory usage. This option is intended for clients to use directory naming.

    Once configuration is complete, the software in the Oracle home can then look up entries in the directory server. This option prompts you to:

    • Select the type of directory server
    • Identify the location of the directory server
    • Select a default Oracle Context from which this client can look up directory naming entries

    Note: If no Oracle schema or Oracle Context exists, then you cannot complete usage configuration using this option. You must first use the "Select the directory server you want to use, and configure the directory server for Oracle usage" option to create the Oracle schema or Oracle Context.

    Select the directory server you want to use, and configure the directory server for Oracle usage.

    Select this option to configure a directory server for Oracle directory-enabled features and enable the Oracle home to use that directory. This option is intended for administrators to first configure the directory for Oracle features.

    Once configuration is complete, the software in the Oracle home can then look up entries in the directory server. This option prompts you to:

    • Select the type of directory server
    • Identify the location of the directory server
    • Select or enter a location in the directory server that contains an Oracle Context from which this computer can look up, create, or modify directory naming entries

    If an Oracle Context does not exist under the selected location, then Oracle Net Configuration Assistant prompts you to create one. Likewise, if the Oracle schema does not exist or is an older release, you are prompted to create or upgrade it. During the creation or upgrade of an Oracle schema or Oracle Context, you are prompted for directory administrator authentication credentials. To create an Oracle Context, the following must exist in the directory server:

    • Current release of the Oracle schema
    • A directory entry under which you want the Oracle Context to be created

    If the Oracle Context is created successfully, then the authenticated user is added to the following groups:

    • OracleContextAdmins (cn=OracleContextAdmins,cn=Groups,cn=OracleContext,...)
    • OracleDBCreators (cn=OracleDBCreators,cn=OracleContext,...)
    • OracleNetAdmins (cn=OracleNetAdmins,cn=OracleContext,...)

    See Also:

    Create additional or upgrade existing Oracle Context

    Select this option to create an additional Oracle Context in the directory, or upgrade the Oracle Context to the current release.

    To create an Oracle Context, the following must exist in the directory server:

    • Current release of the Oracle schema
    • A directory entry under which you want the Oracle Context to be created

    During the creation or upgrade of an Oracle Context, you are prompted for directory administrator authentication credentials.

    If the Oracle Context is created successfully, then the authenticated user is added to the following groups:

    • OracleContextAdmins (cn=OracleContextAdmins,cn=Groups,cn=OracleContext,...)
    • OracleDBCreators (cn=OracleDBCreators,cn=OracleContext,...)
    • OracleNetAdmins (cn=OracleNetAdmins,cn=OracleContext,...)

    Create or upgrade the Oracle Schema

    Select this option to create the Oracle schema in the directory, or upgrade the Oracle schema to the current release. During Oracle schema creation or upgrade, you are prompted for authentication credentials.

  3. Select the appropriate option, and then follow the prompts in the wizard and online help to complete directory server usage configuration.

Administering the OracleNetAdmins Group

Members of OracleNetAdmins (cn=OracleNetAdmins,cn=OracleContext,...) have create, modify, and read access to Oracle Net objects and attributes. Oracle Net Configuration Assistant establishes these access rights for this group during Oracle Context creation.

This section contains the following topics:

Establishing Access For the OracleNetAdmins Group

The owner of the OracleNetAdmins group can perform the following functions:

By default, the owner of the OracleNetAdmins group is the OracleNetAdmins group itself. This means that any member of the OracleNetAdmins group can add or delete other members of the OracleNetAdmins group. If you prefer that a group other than OracleNetAdmins add or delete OracleNetAdmins members, you can change the owner attribute of the OracleNetAdmins group to that other group.

The owner cannot be an individual user entry, such as cn=scott; it must be a group entry, that is, an entry composed of the LDAP schema object classes GroupOfUniqueNames and orclPrivilegeGroup.

To add a group as an owner of an OracleNetAdmins group:

  1. Create an LDAP Data Interchange Format (LDIF) file:
    1. Specify the group you want to add as an owner.

      You can use the following sample LDIF file. Enter the appropriate distinguished name (DN) for cn=OracleNetAdmins and the DN of the group that you want to add. Do not indent the lines that follow dn: in the file; in LDIF, a line that begins with a space is treated as a continuation of the previous line.

      dn: cn=OracleNetAdmins,cn=OracleContext,...
      changetype: modify
      add: owner
      owner: <DN of group to add>

    2. Optionally, specify the group to delete as an owner.

      dn: cn=OracleNetAdmins,cn=OracleContext,...
      changetype: modify
      delete: owner
      owner: <DN of group to delete>

      For example, the following LDIF syntax changes the ownership from the OracleNetAdmins group to another group named cn=AcmeSecurityAdmins. The group can be either inside or outside the Oracle Context; in this case, it is outside the Oracle Context.

      dn: cn=OracleNetAdmins,cn=OracleContext,...
      changetype: modify
      add: owner
      owner: cn=AcmeSecurityAdmins

      dn: cn=OracleNetAdmins,cn=OracleContext,...
      changetype: modify
      delete: owner
      owner: cn=OracleNetAdmins,cn=OracleContext,...

  2. Use the following ldapmodify syntax to apply the LDIF file:
    ldapmodify -h directory_host -p port -D binddn -w password -f ldif_file

    
    Table 8-2  ldapmodify Arguments

    Argument             Description
    -h directory_host    Specify the directory server host.
    -p port              Specify the listening TCP/IP port for the directory server. If you do not specify this option, the default port (389) is used.
    -D binddn            Specify the directory administrator or user DN.
    -w password          Specify the password for the directory administrator or directory user.
    -f ldif_file         Specify the input file name.
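As an added example (not code from the Oracle guide), the following Python script checks that a candidate owner entry in a saved ldapsearch export carries both object classes the guide requires before it generates the add-then-delete LDIF for the ownership change. The export text and all DNs under dc=example,dc=com are constructed sample values; the parser also unfolds continuation lines, which is why the LDIF files above must not be indented.

```python
REQUIRED_OWNER_CLASSES = {"groupofuniquenames", "orclprivilegegroup"}
# Constructed sample export, shaped like the output of ldapsearch -L.
SAMPLE_EXPORT = """\
dn: cn=OracleNetAdmins,cn=OracleContext,dc=example,dc=com
objectclass: groupOfUniqueNames
objectclass: orclPrivilegeGroup
owner: cn=OracleNetAdmins,cn=OracleContext,dc=example,dc=com

dn: cn=AcmeSecurityAdmins,dc=example,dc=com
objectclass: groupOfUniqueNames
objectclass: orclPrivilegeGroup
uniquemember: cn=alice,cn=Users,dc=example,
 dc=com

dn: cn=scott,cn=Users,dc=example,dc=com
objectclass: person
"""

def parse_ldif(text):
    """Return {dn.lower(): {attr.lower(): [values]}}; a leading space folds a line."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, record = {}, {}
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if "dn" in record:
                entries[record["dn"][0].lower()] = record
            record = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            record.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def owner_is_group(entries, owner_dn):
    """True only if owner_dn exists and has both object classes the guide requires."""
    entry = entries.get(owner_dn.lower())
    classes = {c.lower() for c in entry.get("objectclass", [])} if entry else set()
    return REQUIRED_OWNER_CLASSES <= classes

def plan_owner_change(export_text, group_dn, new_owner_dn):
    """Validate the candidate owner, then emit add-then-delete modify records."""
    entries = parse_ldif(export_text)
    if not owner_is_group(entries, new_owner_dn):
        raise ValueError(f"{new_owner_dn} is not a groupOfUniqueNames/orclPrivilegeGroup entry")
    old_owner_dn = entries[group_dn.lower()]["owner"][0]   # add first, so the group is never ownerless
    return (f"dn: {group_dn}\nchangetype: modify\nadd: owner\nowner: {new_owner_dn}\n\n"
            f"dn: {group_dn}\nchangetype: modify\ndelete: owner\nowner: {old_owner_dn}\n")
```

Write the returned text to a file and pass it to ldapmodify with -f as shown in Table 8-2.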

Adding Users To the OracleNetAdmins Group

To add a user to the OracleNetAdmins group with ldapmodify:

  1. Create an LDIF file that specifies that you want to add a user to the OracleNetAdmins group.

    You can use the following sample LDIF file. Use the appropriate DN for cn=OracleNetAdmins and the user that you want to add.

    dn: cn=OracleNetAdmins,cn=OracleContext,...
    changetype: modify
    add: uniquemember
    uniquemember: <DN of user being added to group>
    
    
  2. Enter the following ldapmodify syntax to add a user:
    ldapmodify -h directory_host -p port -D binddn -w password -f ldif_file
    
    

Removing Users From the OracleNetAdmins Group

To remove a user from the OracleNetAdmins group with ldapmodify:

  1. Create an LDIF file that specifies that you want to remove a user from the OracleNetAdmins group.

    You can use the following sample LDIF file. Enter the appropriate DN for cn=OracleNetAdmins and the user that you want to delete.

    dn: cn=OracleNetAdmins,cn=OracleContext,...
    changetype: modify
    delete: uniquemember
    uniquemember: <DN of user being deleted from group>
    
    
  2. Use the following ldapmodify syntax to delete the user:
    ldapmodify -h directory_host -p port -D binddn -w password -f ldif_file
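As an added example (not code from the Oracle guide), the following Python script reconciles the group's current uniquemember values against an approved roster and emits the add and delete records in the form shown in the two procedures above, so that members outside the roster are removed rather than accumulating. All DNs are constructed sample values, and DNs are compared case- and whitespace-insensitively.

```python
def normalize_dn(dn):
    """Comparison key for a DN: lowercase, with whitespace around each RDN removed."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def member_change_ldif(group_dn, user_dn, op):
    """One modify record (op is 'add' or 'delete') in the shape the chapter uses."""
    return f"dn: {group_dn}\nchangetype: modify\n{op}: uniquemember\nuniquemember: {user_dn}\n"

def reconcile_members(group_dn, current_members, approved_members):
    """Return (to_add, to_delete, ldif) bringing the group to exactly the approved roster."""
    current = {normalize_dn(m): m for m in current_members}
    approved = {normalize_dn(m): m for m in approved_members}
    to_add = [approved[k] for k in approved if k not in current]
    to_delete = [current[k] for k in current if k not in approved]
    records = [member_change_ldif(group_dn, u, "add") for u in to_add]
    records += [member_change_ldif(group_dn, u, "delete") for u in to_delete]
    return to_add, to_delete, "\n".join(records)

# Constructed sample: the current group membership as exported from the directory,
# and the roster approved by the directory administrator.
GROUP_DN = "cn=OracleNetAdmins,cn=OracleContext,dc=example,dc=com"
CURRENT = ["cn=scott,cn=Users,dc=example,dc=com",
           "CN=Mallory, CN=Users, DC=example, DC=com"]
APPROVED = ["CN=Scott,CN=Users,DC=example,DC=com",
            "cn=alice,cn=Users,dc=example,dc=com"]

if __name__ == "__main__":
    add, delete, ldif = reconcile_members(GROUP_DN, CURRENT, APPROVED)
    print(ldif)
```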