Oracle9i Net Services Administrator's Guide
Release 1 (9.0.1)

Part Number A90154-01

8 Setting Up Directory Server Usage

This chapter explains how to configure access to an LDAP-compliant directory server.

This chapter contains these topics:

Directory Configuration Overview

Many Oracle products have features that use an LDAP-compliant directory server to centrally store entries. Examples of features that use a directory are Oracle Net directory naming and Oracle Advanced Security enterprise user. If you want to use these features, you must establish a directory server for them, as well as enable your computers to use the directory server.

Directory server usage can be configured during or after installation, as described in the following sections:

Configuring Directory Usage During Installation

Oracle Universal Installer launches Oracle Net Configuration Assistant during software installation. Oracle Net Configuration Assistant enables you to configure usage of a directory server. Directory server usage configuration varies depending upon the installation mode you selected during installation, as described in these topics:

Directory Usage Configuration During a Custom Installation on the Server

After a Custom installation on the server, Oracle Net Configuration Assistant prompts you to configure usage to a directory server. Directory server usage configuration enables:

During directory server usage configuration, Oracle Net Configuration Assistant prompts you to:

The configuration information is stored in an ldap.ora file that the server reads to locate the directory server and access Oracle entries.

If an Oracle Context does not exist in the directory under the selected administrative context, then Oracle Net Configuration Assistant prompts you to create it. During Oracle Context creation, you are prompted for directory administrator authentication credentials. If the Oracle Context is created successfully, then the authenticated user is added to the following groups:

A directory administrator can add other users to these groups.


Note:

Additional groups are created during Oracle Context creation, as described in the Oracle Directory Service Integration and Deployment Guide.


In addition, Oracle Net Configuration Assistant verifies that the Oracle schema was created. The Oracle schema defines the Oracle entries and their attributes. If the schema does not exist or is an older version, you are prompted to create or upgrade it. During Oracle schema creation, you are prompted for authentication credentials.

After Oracle Net Configuration Assistant completes configuration, Oracle Database Configuration Assistant creates the database. The service name for the database is automatically created under the Oracle Context.


Directory Usage Configuration During a Client Installation

During client installation, Oracle Net Configuration Assistant prompts you to configure the use of a directory server. Directory server usage configuration enables the client to look up connect identifier entries in the directory. If directory server access is not configured, the client cannot use directory naming.

Oracle Net Configuration Assistant typically performs the necessary directory server usage configuration during client installation and stores the following in a read-only ldap.ora file.

During directory server access configuration, Oracle Net Configuration Assistant prompts you to:

This configuration information is stored in an ldap.ora file that the client reads to locate the directory server and to access Oracle entries.

In addition, Oracle Net Configuration Assistant verifies that the Oracle schema was installed. If an Oracle Context or the Oracle schema was not configured by the server, you cannot complete directory server usage configuration on the client.

See Also:

"Directory Usage Configuration During a Custom Installation on the Server" 

Configuring Directory Usage After Installation

Directory usage can be configured with Oracle Net Configuration Assistant at any time.

To configure directory server usage:

  1. Start Oracle Net Configuration Assistant.

    See Also:

    "Oracle Net Configuration Assistant" 

    The Welcome page appears.

  2. Select Directory Service Usage Configuration, and then choose Next.

    The Directory Usage Configuration page appears.



    The Directory Usage Configuration page options are described in Table 8-1.

    Table 8-1 Directory Usage Configuration Page in Oracle Net Configuration Assistant

    Option  Description 

    Select the directory server you want to use 

    Select this option to enable this computer to use a directory server that is already configured to use directory-enabled features. This option is ideal for clients that use a directory server that has already been configured for these features.

    Once configuration is complete, this option enables this computer to look up entries in the directory. This option prompts you to:

    • Select the type of directory server

    • Identify the location of the directory server

    • Select a location in the directory server that contains an Oracle Context from which this client can look up connect identifiers

    Note: If no Oracle Context or Oracle schema exists, then you cannot complete usage configuration using this option. You must first use the "Select the directory server you want to use, and configure the directory server for Oracle usage" option to create the Oracle Context and Oracle schema. 

    Select the directory server you want to use, and configure the directory server for Oracle usage. 

    Select this option to configure a directory server for directory-enabled features and enable this computer to use that directory. This option is designed for administrators when first configuring these features.

    Once configuration is complete, this computer can then look up entries in the directory server. This option prompts you to:

    • Select the type of directory server

    • Identify the location of the directory server

    • Select or enter a location in the directory server that contains an Oracle Context from which this server can access and create Oracle entries

    If an Oracle Context does not exist under the selected location, then Oracle Net Configuration Assistant prompts you to create one. Likewise, if the Oracle schema does not exist or is an older version, you are prompted to create or upgrade it. During Oracle Context or Oracle schema creation or upgrade, you are prompted for directory administrator authentication credentials. To create an Oracle Context, the following must exist in the directory server:

    • A directory entry under which you want the Oracle Context to be created

    • Oracle schema

    If the Oracle Context is created successfully, then the authenticated user is added to the following groups:

    • OracleDBCreators (cn=OracleDBCreators,cn=OracleContext)

    • OracleNetAdmins (cn=OracleNetAdmins,cn=OracleContext)


    Create additional or upgrade existing Oracle Context 

    Select this option to create an additional Oracle Context in the directory, or upgrade the Oracle Context to the current release.

    To create an Oracle Context, the following must exist in the directory server:

    • A directory entry under which you want the Oracle Context to be created

    • Oracle schema

    During Oracle Context creation or upgrade, you are prompted for directory administrator authentication credentials.

    If the Oracle Context is created successfully, then the authenticated user is added to the following groups:

    • OracleDBCreators (cn=OracleDBCreators,cn=OracleContext)

    • OracleNetAdmins (cn=OracleNetAdmins,cn=OracleContext)

     

    Create or upgrade the Oracle Schema 

    Select this option to create the Oracle schema in the directory, or upgrade the Oracle schema to the current release. During Oracle schema creation or upgrade, you are prompted for authentication credentials. 

  3. Select the appropriate option, and then follow the prompts in the wizard and online help to complete directory server access configuration.

Adding Users to and Removing Users from the OracleNetAdmins Group

The directory user who creates the Oracle Context is a member of the OracleNetAdmins (cn=OracleNetAdmins,cn=OracleContext) group. Using directory tools, such as ldapmodify, a directory administrator or the directory user who created the Oracle Context can add users to this group.

To add a user to the OracleNetAdmins group with ldapmodify:

  1. Create an LDAP Data Interchange Format (LDIF) file that specifies that you want to add a user to the OracleNetAdmins group. You can use the following sample LDIF file. Use the appropriate distinguished name (DN) for cn=OracleNetAdmins and the user that you want to add.

    dn: cn=OracleNetAdmins,cn=OracleContext,...
    changetype: modify
    add: uniquemember
    uniquemember: <DN of user being added to group>
    
    
  2. Enter the following ldapmodify syntax to add a user:

    ldapmodify -h directory_host -p port -D binddn -w password -f ldif_file
    

Table 8-2 ldapmodify Arguments

Argument             Description
-h directory_host    Specify the directory server host.
-p port              Specify the listening TCP/IP port for the directory server. If you do not specify this option, the default port (389) is used.
-D binddn            Specify the directory administrator or user DN.
-w password          Specify the password for the directory administrator or directory user.
-f ldif_file         Specify the input file name.

To remove a user from the OracleNetAdmins group with ldapmodify:

  1. Create an LDIF file that specifies that you want to remove a user from the OracleNetAdmins group. You can use the following sample LDIF file. Enter the appropriate DN for cn=OracleNetAdmins and the user that you want to remove.

    dn: cn=OracleNetAdmins,cn=OracleContext,...
    changetype: modify
    delete: uniquemember
    uniquemember: <DN of user being deleted from group>
    
    
  2. Use the following ldapmodify syntax to delete the user:

    ldapmodify -h directory_host -p port -D binddn -w password -f ldif_file
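
Because OracleNetAdmins is a privileged group, its membership is worth reviewing before changes are applied. The following added example (not part of the Oracle guide) parses an LDIF export of the group entry, compares its uniquemember values with an approved list, and builds delete records in the sample format shown above. All DNs, the approved list, the sample export and the function names are constructed assumptions, and the DN comparison is a simplified normalisation.

```python
import base64
import re

# All DNs and the approved list are constructed sample values (assumptions).
GROUP_DN = "cn=OracleNetAdmins,cn=OracleContext,dc=example,dc=com"
APPROVED = ["cn=orcladmin,dc=example,dc=com",
            "cn=Net Admin,ou=DBA,dc=example,dc=com"]
SAMPLE_EXPORT = (
    f"dn: {GROUP_DN}\n"
    "uniquemember: cn=orcladmin,dc=example,dc=com\n"
    "uniquemember: CN=Net Admin, OU=DBA,\n"
    " DC=example,DC=com\n"  # folded continuation line
    "uniquemember:: "       # base64-encoded value
    + base64.b64encode(b"cn=temp-contractor,dc=example,dc=com").decode() + "\n"
)

def norm_dn(dn):
    """Simplified comparison key: lower-case, no spaces around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def group_members(ldif_text):
    """Return uniquemember values, undoing LDIF line folding and base64."""
    found = []
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():
        m = re.match(r"uniquemember(::?) *(.*)$", line, re.IGNORECASE)
        if m:
            raw = m.group(2)
            found.append(base64.b64decode(raw).decode("utf-8")
                         if m.group(1) == "::" else raw)
    return found

def ldif_line(attr, value):
    """Base64-encode unsafe values so an embedded newline cannot add directives."""
    safe = (value.isascii() and not re.search(r"[\x00\r\n]", value)
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode()}"

def removal_records(group_dn, ldif_text, approved):
    """Build 'delete: uniquemember' records for members not on the list."""
    allowed = {norm_dn(dn) for dn in approved}
    return ["\n".join([ldif_line("dn", group_dn), "changetype: modify",
                       "delete: uniquemember",
                       ldif_line("uniquemember", dn)]) + "\n"
            for dn in group_members(ldif_text) if norm_dn(dn) not in allowed]

if __name__ == "__main__":
    print("\n".join(removal_records(GROUP_DN, SAMPLE_EXPORT, APPROVED)))
```

The printed records can be saved as the ldif_file passed to ldapmodify -f after review. Note that the -w argument places the bind password on the command line, where it can be recorded in shell history and seen in process listings.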
    


Copyright © 1996-2001, Oracle Corporation.

All Rights Reserved.