8
Setting Up Directory Server Usage

This chapter explains how to configure access to an LDAP-compliant directory server.

This chapter contains these topics:

Directory Configuration Overview
Configuring Directory Usage During Installation
Configuring Directory Usage After Installation
Administering the OracleNetAdmins Group

See Also:
"Directory Server Support" for an overview of directory server support of Oracle Net Services

Directory Configuration Overview

Many Oracle products have features that use an LDAP-compliant directory server to centrally store entries. Examples of features that use a directory are Oracle Net directory naming and Oracle Advanced Security enterprise user. If you want to use these features, you must establish a directory server for them, as well as enable your computers to use the directory server.

Directory server usage can be configured during or after installation, as described in the following sections:

Configuring Directory Usage During Installation

Oracle Universal Installer launches Oracle Net Configuration Assistant during software installation. Oracle Net Configuration Assistant enables you to configure usage of a directory server. Directory server usage configuration varies depending upon the installation mode you selected during installation, as described in these topics:

Directory Usage Configuration During a Custom Installation on the Database Server

After a Custom installation on the database server, Oracle Net Configuration Assistant prompts you to configure usage to a directory server. Directory server usage configuration enables:

Database Configuration Assistant, which runs after Oracle Net Configuration Assistant during installation, to register a database service entry in the directory server
You to use Oracle Net Manager to create net service names and net service aliases in the directory server, as well as to modify Oracle Net attributes of the database service entry

The database server to look up database service, net service name, and net service alias entries in the directory server

Note:

Directory usage configuration is not performed during a Enterprise Edition or Standard Edition installation on the database server. For these installation types, Oracle Net Configuration Assistant can be run in standalone mode. See "Configuring Directory Usage After Installation" for details.

During directory server usage configuration, Oracle Net Configuration Assistant prompts you to:

Select the type of directory server, that is, Oracle Internet Directory or Microsoft Active Directory
Identify the location of the directory server
Select the default Oracle Context from which the database server can look up, create, and modify directory naming entries

If an Oracle Context does not exist, then Oracle Net Configuration Assistant prompts you to create one. During Oracle Context creation, you are prompted for directory administrator authentication credentials. If the Oracle Context is created successfully, then the authenticated user is added to the following groups:

OracleContextAdmins (cn=OracleContextAdmins,cn=Groups,cn=OracleContext,...)

As a member of OracleContextAdmins, a user has full privileges for the entire Oracle Context.
OracleDBCreators (cn=OracleDBCreators,cn=OracleContext,...)

As a member of OracleDBCreators, a user can use Database Configuration Assistant to register a database service entry.
OracleNetAdmins (cn=OracleNetAdmins,cn=OracleContext,...)

As a member of OracleNetAdmins, a user can use Oracle Net Manager to create, modify, and delete net service names and net service aliases, as well as modify Oracle Net attributes of database services.

A directory administrator can add other users to these groups.

Note:

Additional groups are created during Oracle Context creation, as described in the Oracle9i Directory Service Integration and Deployment Guide.

During directory usage configuration, Oracle Net Configuration Assistant verifies that the Oracle schema was created. The Oracle schema defines the Oracle entries and their attributes. If the schema does not exist or is an older release, then you are prompted to create or upgrade it. During Oracle schema creation, you are prompted for authentication credentials.

When directory usage configuration completes, directory usage configuration information is stored in an ldap.ora file. You are then prompted to select naming methods. You can select directory naming.

After Oracle Net Configuration Assistant completes configuration, Database Configuration Assistant creates the database. The service name of the database is automatically created under the Oracle Context.

See Also:

"Adding Users To the OracleNetAdmins Group" to add users to the NetAdmins group
Oracle9i Directory Service Integration and Deployment Guide for further information about how to register a database service with Database Configuration Assistant
Oracle Advanced Security Administrator's Guide for further information about adding users to the OracleDBCreators group
Oracle operating system-specific installation guide

Directory Usage Configuration During a Client Installation

During client installation, Oracle Net Configuration Assistant prompts you to configure the use of a directory server for enabling directory naming. If directory server usage is not configured, then the client cannot use directory naming to look up connect identifier entries in the directory.

During directory server usage configuration, Oracle Net Configuration Assistant prompts you to:

Specify the type of directory server
Identify the location of the directory server
Select a default Oracle Context from which the client can look up directory naming entries

During directory usage configuration, Oracle Net Configuration Assistant verifies that the Oracle schema was installed. If the Oracle schema or Oracle Context was not configured by the database server, then you cannot complete directory server usage configuration on the client.

When directory usage configuration completes, Oracle Net Configuration Assistant stores the directory usage configuration information in the ldap.ora file.

For Standard Edition and Enterprise Edition installations, Oracle Net Configuration Assistant automatically configures directory naming as a naming method. For a Custom installation, you are prompted to select naming methods after directory usage configuration completes. You can select directory naming.

Configuring Directory Usage After Installation

You can configure directory usage with Oracle Net Configuration Assistant at any time.

To configure directory server usage:

Start Oracle Net Configuration Assistant.

See Also:
"Oracle Net Configuration Assistant"

The Welcome page appears.

Select Directory Service Usage Configuration, and then click Next.

The Directory Usage Configuration page appears.

Text description of dircongi.gif follows.

Text description of the illustration dircongi.gif

The Directory Usage Configuration page options are described in Table 8-1.

Table 8-1 Directory Usage Configuration Page in Oracle Net Configuration Assistant

Option	Description
Select the directory server you want to use	Select this option to enable this computer's Oracle home to use a directory server that is already configured for Oracle directory usage. This option is intended for clients to use directory naming. Once configuration is complete, the software in the Oracle home can then look up entries in the directory server. This option prompts you to: Select the type of directory server Identify the location of the directory server Select a default Oracle Context from which this client can look up directory naming entries Note: If no Oracle schema or Oracle Context exists, then you cannot complete usage configuration using this option. You must first use the Select the directory server you want to use, and then configure the directory server for Oracle usage option to create the Oracle schema or Oracle Context.
Select the directory server you want to use, and configure the directory server for Oracle usage.	Select this option to configure a directory server for Oracle directory-enabled features and enable the Oracle home to use that directory. This option is intended for administrators to first configure the directory for Oracle features. Once configuration is complete, the software in the Oracle home can then look up entries in the directory server. This option prompts you to: Select the type of directory server Identify the location of the directory server Select or enter a location in the directory server that contains an Oracle Context from which this computer can look up, create, or modify directory naming entries If an Oracle Context does not exist under the selected location, then Oracle Net Configuration Assistant prompts you to create one. Likewise, if the Oracle schema does not exist or is an older release, you are prompted to create or upgrade it. During the creation or upgrade of an Oracle schema or Oracle Context, you are prompted for directory administrator authentication credentials. To create an Oracle Context, the following must exist in the directory server: Current release of the Oracle schema A directory entry under which you want the Oracle Context to be created If the Oracle Context is created successfully, then the authenticated user is added to the following groups: OracleContextAdmins (`cn=OracleContextAdmins,cn=Groups,cn=OracleContext,...`) OracleDBCreators (`cn=OracleDBCreators,cn=OracleContext,...`) OracleNetAdmins (`cn=OracleNetAdmins,cn=OracleContext,...`) See Also: Directory server vendor documentation for directory entry configuration instructions Oracle9i Directory Service Integration and Deployment Guide for further information about all the additional groups created during Oracle Context creation "Adding Users To the OracleNetAdmins Group" to add users to the OracleNetAdmins group Oracle Advanced Security Administrator's Guide for further information about adding users to the OracleDBCreators group
Create additional or upgrade existing Oracle Context	Select this option to create an additional Oracle Context in the directory, or upgrade the Oracle Context to the current release. To create an Oracle Context, the following must exist in the directory server: Current release of the Oracle schema A directory entry under which you want the Oracle Context to be created During the creation or upgrade of an Oracle Context, you are prompted for directory administrator authentication credentials. If the Oracle Context is created successfully, then the authenticated user is added to the following groups: OracleContextAdmins (`cn=OracleContextAdmins,cn=Groups,cn=OracleContext,...`) OracleDBCreators (`cn=OracleDBCreators,cn=OracleContext,...`) OracleNetAdmins (`cn=OracleNetAdmins,cn=OracleContext,...`)
Create or upgrade the Oracle Schema	Select this option to create the Oracle schema in the directory, or upgrade the Oracle schema to the current release. During Oracle schema creation or upgrade, you are prompted for authentication credentials.

Select the appropriate option, and then follow the prompts in the wizard and online help to complete directory server usage configuration.

Administering the OracleNetAdmins Group

Members of OracleNetAdmins (cn=OracleOracleNetAdmins,cn=OracleContext,...) have create, modify, and read access to Oracle Net objects and attributes. Oracle Net Configuration Assistant establishes these access rights for this group during Oracle Context creation.

This section contains the following topics:

Establishing Access For the OracleNetAdmins Group
Adding Users To the OracleNetAdmins Group
Removing Users From the OracleNetAdmins Group

Note:
Members of the OracleContextAdmins groups can also add and delete members of the OracleNetAdmins group. See the Oracle9i Directory Service Integration and Deployment Guide.

Establishing Access For the OracleNetAdmins Group

The owner of the OracleNetAdmins group can perform the following functions:

Add or delete members from the OracleNetAdmins group
Add or delete groups which are owners of the OracleNetAdmins group

By default, the owner of the OracleNetAdmins group is the OracleNetAdmins group itself. This means that any member of the OracleNetAdmins group can add or delete other members from the OracleNetAdmins group. If you prefer that another group other than OracleNetAdmins add or delete other OracleNetAdmins members, you can change the owner attribute of the OracleNetAdmins group to another group.

The owner cannot be an individual user entry, such as cn=scott, but must be a group entry, where the group entry is one comprised of the LDAP schema object classes GroupOfUniqueNames and orclPriviledgeGroup.

To add a group as an owner of an OracleNetAdmins group:

Create an LDAP Data Interchange Format (LDIF) file:

Specify the group you want to add as an owner.

You can use the following sample LDIF file. Enter the appropriate distinguished name (DN) for cn=OracleNetAdmins and the DN of the group that you want to add.
```
dn: cn=OracleNetAdmins,cn=OracleContext,... 
    changetype: modify 
    add: owner 
    owner: <DN of group to add> 
```

Optionally, specify the group to delete as an owner.

dn: cn=OracleNetAdmins,cn=OracleContext,... 
    changetype: modify 
    add: owner 
    owner: <DN of group to add>

For example, the following LDIF syntax changes the ownership from the OracleNetAdmins group to another group named cn=AcmeSecurityAdmins. The group can be either be inside or outside the Oracle Context; in this case, it is outside the Oracle Context.

dn: cn=OracleNetAdmins,cn=OracleContext,... 
     changetype: modify 
     add: owner 
     owner: cn=AcmeSecurityAdmins 

dn: cn=OracleNetAdmins,cn=OracleContext,... 
     changetype: modify 
     delete: owner 
     owner: cn=OracleNetAdmins,cn=OracleContext,...

Use the following ldapmodify syntax to delete the user:

ldapmodify -h directory_host -p port -D binddn -w password -f ldif_file

Table 8-2 ldapmodify Arguments

Argument	Description
`-h` `directory_host`	Specify the directory server host.
`-p` `port`	Specify the listening TCP/IP port for the directory server. If you do not specify this option, the default port (389) is used.
`-D` `binddn`	Specify the directory administrator or user DN.
`-w` `password`	Specify the password for the directory administrator or directory user.
`-f` `ldif_file`	Specify the input file name.

Adding Users To the OracleNetAdmins Group

To add a user to the OracleNetAdmins group with ldapmodify:

Create an LDIF file that specifies that you want to add a user to the OracleNetAdmins group.

You can use the following sample LDIF file. Use the appropriate DN for cn=OracleNetAdmins and the user that you want to add.
```
dn: cn=OracleNetAdmins,cn=OracleContext,...
changetype: modify
add: uniquemember
uniquemember: <DN of user being added to group>
```

Enter the following ldapmodify syntax to add a user:

ldapmodify -h directory_host -p port -D binddn -w password -f ldif_file

Removing Users From the OracleNetAdmins Group

To remove a user from the OracleNetAdmins group with ldapmodify:

Create an LDIF file that specifies that you want to add a user to the OracleNetAdmins group.

You can use the following sample LDIF file. Enter the appropriate DN for cn=OracleNetAdmins and the user that you want to delete.
```
dn: cn=OracleNetAdmins,cn=OracleContext,...
changetype: modify
delete: uniquemember
uniquemember: <DN of user being deleted from group>
```