Oracle9i Net Services Administrator's Guide Release 1 (9.0.1) Part Number A90154-01 |
|
This chapter explains how to export data stored in a tnsnames.ora
file or an Oracle Names server to an LDAP-compliant directory server.
This chapter contains these topics:
"Directory Server Support" for an overview of directory server support of Oracle Net Services
See Also:
If a tnsnames.ora
file already exists, its net service names can be exported to a directory server. The export is performed for one domain at a time.
The tasks to export data from a tnsnames.ora
file are as follows:
Task 1: Create Structure in Directory Server
Task 2: Create Oracle Contexts
Task 3: Configure Directory Server Usage
Task 4: Export Objects To a Directory Server
In the directory server, create the directory information tree (DIT) with the structure in which you want to import net service names. Create the structure leading up to the top of the Oracle Context.
For example, if the tnsnames.ora
file supports a domain structure acme.com
and you want to replicate this domain in the directory, create domain component entries of dc=com
and dc=acme
in the directory, as depicted in Figure 10-1.
You can replicate the domain structure you currently use with tnsnames.ora
, or you can develop an entirely different structure. Introducing an entirely different structure can change the way in which clients enter the net service name in the connect string. Therefore, Oracle Corporation recommends considering relative and absolute naming issues prior to changing the structure.
See Also:
|
Create an Oracle Context under each DIT location that you created in Task 1. The Oracle Context has a relative distinguished name (RDN) of (cn=OracleContext
). The Oracle Context stores network object entries, as well as other entries for other Oracle components. In Figure 10-2, cn=OracleContext
is created under dc=acme,dc=com
.
To create the Oracle Context, you must use Oracle Net Configuration Assistant.
See Also:
|
If not already done as a part of creating the Oracle Contexts, configure the Oracle home for directory server usage. The Oracle home you configure should be the one that will perform the export.
See Also:
Chapter 8, "Setting Up Directory Server Usage" for further information about configuring directory server usage |
To export net service names contained in a tnsnames.ora
file to a directory:
tnsnames.ora
file you want to export is not the one loaded into Oracle Net Manager, then use File > Open Network Configuration to select the tnsnames.ora
file to export.
The Directory Server Migration Wizard starts.
If net service names with multiple domain were detected in the tnsnames.ora
file, then the Select Domain page appears. Continue to Step 5.
If the net service names are not domain qualified, the Select Net Service Names page appears. Skip to Step 6.
The Select Net Service Names page appears.
The Select Destination Context page appears.
The Directory Server Update page appears with the status of the export operation.
Note: Directory naming does not currently support the following Oracle Names object types: Therefore, you cannot export these entries. If you are using aliases, create duplicate net service names in the directory, as described in "Configuring the Directory Naming Method". If you are using global database links and link qualifiers and require their use, continue to use Oracle Names for this release. |
Database services and net service names stored in an Oracle Names server can be exported directly to a directory server or indirectly to an LDAP Data Interchange Format (LDIF) file, which can then be used to the load the directory server. Data is exported from a specified domain. If the domain has authority for delegated domains, then the data from the delegated domains can also be exported.
New client installations that have been configured for directory server usage can take advantage of directory naming once data is exported to a directory server and directory naming is selected as a naming method. To export data for new client configurations, follow the procedure in "Exporting Data to a Directory Server".
In configurations with clients prior to release 8.1.6 which have not been configured for directory server usage, or clients that do not support directory naming, you have two choices. You can:
If you continue to use Oracle Names servers, data stored in Oracle Names servers and directory server must be maintained and synchronized separately.
Oracle Names LDAP Proxy servers are Oracle Names servers that have been configured to proxy for directory servers. Upon startup, Oracle Names LDAP Proxy servers obtain network object information from the directory server. This provides a single point of definition for all data in the directory server and does not require that data in both Oracle Names server and directory server be maintained separately and simultaneously.
To export data for older client configurations, follow the procedures in both "Exporting Data to a Directory Server" and "Configuring Oracle Names LDAP Proxy Servers".
The tasks to export data from an Oracle Names server are as follows:
Task 1: Create Structure in Directory Server
Task 2: Create Oracle Contexts
Task 3: Configure Directory Server Usage
Task 4: Obtain List of Objects to Export
Task 5: Export Objects To a Directory Server
In the directory server, create the DIT with the structure in which you want to import Oracle Names objects. Create the structure leading up to the top of the Oracle Context.
For example, if Oracle Names has a domain structure acme.com
and you want to replicate this domain in the directory, create domain component entries dc=com
and dc=acme
in the directory, as depicted in Figure 10-3.
You can replicate the domain structure you currently use with Oracle Names, or you can develop an entirely different structure. Introducing an entirely different structure will change the way in which clients enter the connect identifier in the connect string. Therefore, Oracle Corporation recommends that you consider the relative and absolute naming issues prior to changing the structure.
See Also:
|
Create an Oracle Context under each DIT location that you created in Task 1. The Oracle Context has a RDN of (cn=OracleContext
). Oracle Contexts may be required for the root domain and each of its delegated domains. In Figure 10-4, cn=OracleContext
is created under dc=acme,dc=com
.
To create the Oracle Context, you must use Oracle Net Configuration Assistant.
See Also:
|
If not already done as a part of creating the Oracle Contexts, configure the Oracle home for directory server usage. The Oracle home you configure should be the one that will perform the export.
See Also:
Chapter 8, "Setting Up Directory Server Usage" for further information about configuring directory server usage |
Determine the Oracle Names domain structure and the objects within that structure. The Oracle Names Control utility offers commands described in Table 10-1 to help you with this task.
Table 10-1 Oracle Names Control Utility Structural Commands
Command | Description |
---|---|
|
Lists all of the authoritative domains
See Also: |
|
Lists all of the delegated domains
See Also: |
|
Lists all of the authoritative network objects
See Also: |
The Oracle Names Control utility enables you to export network objects from a domain into the directory server using the DUMP_LDAP
command. You can use the DUMP_LDAP
command to export objects directly to a directory server or indirectly to an LDIF file, which can then be used to the load the exported objects to the directory server.
Run DUMP_LDAP
from an authoritative Oracle Name server for the domain. The syntax to export data directly to a directory server is as follows:
namesctlNAMESCTL> DUMP_LDAP [
source
] [
destination
] [
options]
{-h host} {-p port} {-D user_dn} {-w password}
See Also:
|
The syntax to export data to a LDIF file is as follows:
namesctl NAMESCTL> DUMP_LDAP [source] [destination] [options] {-f filename}
If the directory server's DIT structure has been designed to match the current Oracle Names structure, review the following examples to understand how to export data:
"Configuring Oracle Names LDAP Proxy Servers" for examples of exporting data to a dissimilar DIT structure
See Also:
Figure 10-5 shows an Oracle Names domain structure of acme.com
. It contains a database service called db
. The DIT has been designed with domain entries that match the Oracle Names domain structure. With this DIT structure, db.acme.com
can be exported to cn=OracleContext,dc=acme,dc=com
.
Either of the following syntaxes can be used to export data from Oracle Names to the configured DIT structure:
NAMESCTL> DUMP_LDAP acme.com (dn:dc=acme,dc=com) -f sample.ldif NAMESCTL> DUMP_LDAP acme.com -f sample.ldif
In the first line of syntax, the destination distinguished name (DN), excluding cn=OracleContext
, is explicitly specified. It is not necessary to specify the destination DN, as shown in the second line of syntax, because the destination DIT structure is domain based and matches the domain model used in Oracle Names. Note that cn=OracleContext
is automatically inserted.
The database service db
is exported to cn=OracleContext,dc=acme,dc=com
and has a DN location of (dn:cn=db,cn=OracleContext,dc=acme,dc=com)
.
Data can be exported from a root domain and its delegated domains in Oracle Names to a directory server that uses a similar DIT in one step rather than one domain at a time.
Figure 10-6 shows an Oracle Names structure that contains a root domain of acme.com
and delegated domains of sales.acme.com
and dev.acme.com
. Database services db
, orders
, and widgets
reside in acme.com
, sales.acme.com
and dev.acme.com
, respectively. The directory server's DIT is similar to the Oracle Names domain structure.
The following syntax is used to export data from the acme.com
root domain and its delegated domains to the configured DIT structure:
NAMESCTL> DUMP_LDAP acme.com -R -f sample.ldif
The following table shows how database objects in acme.com
, sales.acme.com
, and dev.acme.com
are mapped to DNs in the directory server.
If you are not ready to upgrade clients to a version that supports directory naming, you must use Oracle Names LDAP Proxy servers. Generally, client configurations do not require modification. However, if the directory server's DIT structure does not match the Oracle Names domain structure, you must also reconfigure the NAMES.DEFAULT_DOMAIN
parameter in the sqlnet.ora
file to point to the new domain structure.
The tasks to create Oracle Names LDAP Proxy servers are as follows:
Task 1: Upgrade Oracle Names Servers to Release 9.0
Task 2: Start Oracle Names Servers
Task 3: Populate the Directory Server
Task 4: Configure Oracle Names Servers as Proxies
Upgrade all Oracle Names servers within a region to Oracle Names release 9.0. Releases prior to 9.0 do not support Oracle Names LDAP Proxy servers.
Start each of the Oracle Names servers to generate the cktop.ora
file. Use either Oracle Net Manager or the Oracle Names Control utility.
Use Oracle Net Manager... | Use Oracle Names Control utility... |
---|---|
From the command line, enter:
|
Starting release 9.0 Oracle Names servers creates a ckptop.ora
file in $ORACLE_HOME/network/names
on UNIX and ORACLE_HOME
\network\names
on Windows NT, or in the file specified by the names.ora
file parameter NAMES.TOPOLOGY_CHECKPOINT_FILE
. This file contains topology data that defines the domains in the administrative region and the Oracle Names servers that have authority for them. Specifically, topology data consists of definitions for all parent domains and Oracle Names servers in the region. The Oracle Names servers use this information to understand the structure of the domain tree.
Oracle Names LDAP Proxy servers require the generated ckptop.ora
file. If the Oracle Names structure has multiple administrative regions, Oracle Corporation recommends mirroring the current Oracle Names domain structure in the directory DIT structure. Using a different structure may require modifying the topology defined for the Oracle Names LDAP Proxy servers. Support for topology modification is not currently supported. The following constitutes a topology change:
If you have not already done so, populate the directory:
"Configuring Directory Usage After Installation" for instructions on creating an Oracle Context
See Also:
ldap.ora
file.
To do this, select the "Select the directory server you want to use" option in Oracle Net Configuration Assistant.
Configure each Oracle Names server within a region to load directory server information from a specific DN.
To configure Oracle Names Servers as proxy servers:
Use Oracle Net Manager... | Use Oracle Names Control utility... |
---|---|
From the command line, enter:
|
NAMES.ADMIN_REGION
parameter in the names.ora
file to the directory server's DN or read the directory server's DN from an LDIF input file.
The syntax for an Oracle Names LDAP Proxy server to load the data from a directory server is as follows:
NAMES.ADMIN_REGION=
(REGION=
(TYPE=ldap) [(USERID=user_dn)] [(PASSWORD=password)] [(HOST=host)] [(PORT=port)] [(SUBTREE_LIST=] [(SUBTREE=(BASE=base_DN)[(SCOPE=sub|one))] [(SUBTREE=(BASE=base_DN)[(SCOPE=sub|one))] [)])
Values from equivalent ldap.ora
file parameters are used as defaults for the USER
, HOST
, and SUBTREE
parameters.
Set the NAMES.ADMIN_REGION
sub-parameter as follows:
Sub-Parameter | Description |
---|---|
|
Specify that the Oracle Names LDAP Proxy server is to load data directly from a directory server. |
|
(Optional) This entry is necessary if data is restricted.
Specify a directory user with read privileges in the form of a DN. For example,
Note: Do not prefix the DN with |
|
(Optional) This entry is required if data is restricted. Specify the password for the directory user. |
|
(Optional) Specify the directory server host name. |
|
(Optional) Specify the listening TCP/IP port for the directory server. |
|
(Optional) Specify the time limit in seconds that the Oracle Names LDAP Proxy server can spend performing a search of directory objects. This time limit cannot be greater than the time limit set for searches in the directory server. By default, the time limit is set to 10 seconds, which is sufficient for most searches.
See Also: "Increasing Search Size Limit" for instructions for increasing the time limit of |
|
(Optional) Use the
Note: Do not prefix the DN with "
|
The following example shows an Oracle Names LDAP Proxy server configured to load the data from an Oracle Context that is directly under the DN (dn:dc=acme,dc=com)
and all Oracle Contexts under the DN subtree (dn:dc=us,dc=acme,dc=com)
.
NAMES.ADMIN_REGION= (REGION= (TYPE=LDAP) (HOST=ldap_server) (PORT= 1389) (SUBTREE_LIST= (SUBTREE=(BASE=dc=acme,dc=com)) (SUBTREE=(BASE=dc=us,dc=acme,dc=com)(scope=sub)) ) ) )
The syntax for an Oracle Names LDAP Proxy server to load the data from an LDIF file is as follows:
NAMES.ADMIN_REGION=
(REGION=
(TYPE=ldif) [(FILE=ldif_file)]))
Table 10-3 Sub-Parameters of the NAMES.ADMIN_REGION Parameter for LDIF
The following example shows an Oracle Names LDAP Proxy server configured to load data from LDIF file onames.ldif
.
NAMES.ADMIN_REGION= (REGION= (TYPE=LDIF) (FILE=/private/eminer/nn/90/proxy/onames.ldif))
The following LDIF file excerpt shows a DN of (dn:cn=sales,cn=OracleContext,dc=acme,dc=com)
that contains net service names sales
and hr
.
dn: cn=sales,cn=OracleContext,dc=us,dc=acme,dc=com objectclass: top objectclass: orclNetService cn: sales orclNetDescString: (DESCRIPTION=(ADDRESS_ LIST=(ADDRESS=(PROTOCOL=tcp)(Host=sales-pc)(Port=1521)))(CONNECT_DATA=(SERVICE_ NAME=sales.us.acme.com))) dn: cn=hr,cn=OracleContext,dc=us,dc=acme,dc=com objectclass: top objectclass: orclNetService cn: hr orclNetDescString: (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(COMMUNITY=TCP_ COMMUNITY)(PROTOCOL=tcp)(Host=hr-pc)(Port=1521)))(CONNECT_DATA=(SERVICE_ NAME=hr.us.acme.com)))
Run each of the Oracle Names servers with the new configuration. Use either Oracle Net Manager or the Oracle Names Control utility.
Use Oracle Net Manager... | Use Oracle Names Control utility... |
---|---|
From the command line, enter:
|
See Also:
"Oracle Names LDAP Proxy Server Error Reporting" region load operation troubleshooting advice |
If your directory server's structure has been designed with a DIT that is dissimilar to the current Oracle Names domain structure, review the following examples to understand how to export data:
Figure 10-7 shows an Oracle Names domain structure of acme.com
. It contains a database service called db
. The directory server has been designed with a DIT of cn=OracleContext,o=acme,c=us
.
The following syntax can be used to export data from the acme.com
domain to the configured DIT structure:
NAMESCTL> DUMP_LDAP acme.com (dn:c=us,o=acme) -f sample.ldif
Because the DIT is different from the Oracle Names structure, the destination DN must be explicitly specified. cn=OracleContext
is automatically pre-appended to the left of the destination DN. In other words, you do not need to explicitly specify cn=OracleContext
in the DN.
Data can be exported from an Oracle Names administrative region to a directory server that uses a dissimilar DIT. RDNs in the destination DN must be specified without a value for the delegated domains.
Figure 10-8 shows an Oracle Names structure that contains a root domain of acme.com
and delegated domains of sales.acme.com
and dev.acme.com
. Database services of db
, orders
, and widgets
reside in acme.com
, sales.acme.com
and dev.acme.com
, respectively. The directory server's DIT has a top-level structure of o=acme,c=us
that correlates to the acme.com
in Oracle Names. The subtrees, ou=sales
and ou=dev
, correlate to the sales.acme.com
and dev.acme.com
delegated domains in Oracle Names.
The following syntax is used to export data from the acme.com
root domain and its delegated domains to the configured DIT structure:
NAMESCTL> DUMP_LDAP acme.com (dn:ou,o=acme,c=us) -R -f sample.ldif
Note that organizationalUnitName (ou
) contains no value, so that the sales
and dev
subdomain of acme.com
in the source region can be mapped to an ou
.
The following table shows how database objects in acme.com
, sales.acme.com
, and dev.acme.com
are mapped to DNs in the directory server. All objects are created under cn=OracleContext
RDNs in the directory server.
If acme.com
contained a subdomain of mktg.dept.acme.com
, network objects in that subdomain would not be exported. This is because the destination DN (dn:ou,o=acme,c=us) permits only one level of delegated domains. In order to export objects from mktg.dept.acme.com
, the following syntax would be required:
NAMESCTL> DUMP_LDAP acme.com (dn:ou,ou,o=acme,c=us) -f sample.ldif
This syntax enables up to two levels of delegated domains to be exported. By adding additional wildcards, you can specify any level of depth.
Data can be exported from multiple domains to one node in the destination DIT.
Figure 10-9 shows an Oracle Names structure that contains a root domain of acme.com
and delegated domains of sales.acme.com
and dev.acme.com
. Database services of db
, orders
, and widgets
reside in acme.com
, sales.acme.com
and dev.acme.com
, respectively. The directory server's DIT has a structure of o=IS,c=uk
that contains no subtrees that correlate to the Oracle Names delegated domains.
All data can be exported from the root domain and the delegated domains to cn=OracleContext,o=IS,c=uk
in the DIT with the following syntax:
NAMESCTL> DUMP_LDAP acme.com (dn:o=IS,c=uk) -R -f sample.ldif
The following table shows how database objects in acme.com
, sales.acme.com
, and dev.acme.com
are mapped to DNs in the directory server. All objects are created under cn=OracleContext
RDNs in the directory server.
If one of the delegated domains contained a database object named db
, it would not be exported. This is because the db
database object's name would conflict with the db
object exported from db.acme.com
.
In the previous examples, you saw how data can be exported to a non-DC DIT and how data can be exported from multiple domains to a one node in the DIT. This example combines these two types of exports to demonstrate how to export data to a DIT with a very different structure.
Figure 10-10 shows an Oracle Names structure that contains a root domain of acme.com
and four delegated domains, each of which contains at least one database service object. The directory server's DIT has a top-level structure of dc=acme,dc=com
that correlates to the acme.com
domain in Oracle Names. The two subtrees, dc=intranet
and dc=storefront
, are unrelated to the delegated domains in Oracle Names.
In order to export data from the Oracle Names domain structure to the DIT, each domain must be exported separately:
DUMP_LDAP IS.acme.com (dn:dc=intranet,dc=com,dc=acme) -f sample.ldif DUMP_LDAP hr.acme.com (dn:dc=intranet,dc=com,dc=acme) -f sample.ldif DUMP_LDAP warehouse.acme.com (dn:dc=storefront,dc=com,dc=acme) -f sample.ldif DUMP_LDAP sales.acme.com (dn:dc=storefront,dc=com,dc=acme) -R -f sample.ldif
The first two DUMP_LDAP
commands export database objects to cn=Oraclecontext,dc=intranet,dc=acme,dc=com
. The last two DUMP_LDAP
commands export database objects to cn=Oraclecontext,dc=storefront,dc=acme,dc=com
. The -R
option in the DUMP_LDAP sales.acme.com
command enables the database service objects to be exported from sales.acme.com
, europe.sales.acme.com
, and pacific.sales.acme.com
.
The following table shows how database objects in the Oracle Names domains are mapped to DNs in the directory server. All objects are created under cn=OracleContext
RDNs in the directory server.
|
Copyright © 1996-2001, Oracle Corporation. All Rights Reserved. |
|