11 LDAP Parameters in the Connect Identifier

This chapter describes the LDAP parameters that you can directly specify in the database client connect identifier, when using the Directory Naming method.

11.1 About Using LDAP Parameters in the Connect Identifier

The Directory Naming method provides an alternative method to specify LDAP name lookup, by using LDAP parameters in the connect identifier.

This eliminates the need for external configuration files (ldap.ora and sqlnet.ora) to connect to the database. The values that are specified as part of ldap.ora and sqlnet.ora for LDAP name lookup are directly passed in the connect identifier.

If ldap.ora or sqlnet.ora is present and you use LDAP parameters in the connect identifier, then the connect identifier values take precedence.

11.2 Allowed Parameters in the Connect Identifier

These are the LDAP parameters that you can use in the connect identifier.

11.2.1 Protocol-Specific Parameters

These connect identifier parameters (PROTOCOL, HOST, PORT, NAME, and CONTEXT) are name-value pairs that define the LDAP connection.

Purpose

To configure name-value pairs that define the LDAP connection.

Usage Notes

Parameter: PROTOCOL
Required: Yes
Description: Protocol, either LDAP or LDAPS. The LDAPS protocol uses a Transport Layer Security (TLS) connection.

Parameter: HOST
Required: Yes
Description: Host name where your LDAP directory server is running.

Parameter: PORT
Required: No
Description: Port number for the LDAP connection. The default port for the LDAP protocol is 389 and for the LDAPS protocol is 636.

Parameter: NAME
Required: Yes
Description: LDAP entry to resolve the connect descriptor. This entry must be contained in the OracleContext container of a given context.

Parameter: CONTEXT
Required: No
Description: Directory naming context containing OracleContext. The default value for this parameter is cn=OracleContext. For example, a context can be:

cn=OracleContext,dc=example,dc=com

Example

Here is a sample connect identifier, specified with all the LDAP connection parameters:

scott/password@ldaps://ldapserver:636/cn=orcl,cn=OracleContext,dc=example,dc=com
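As an added example (not Oracle's own code), the following Python parser splits the URL-style connect identifier shown above into its PROTOCOL, HOST, PORT, NAME and CONTEXT parts and applies the documented defaults (port 389 or 636, context cn=OracleContext). The dataclass, the function names and the check that the context begins with cn=OracleContext are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Added example, not Oracle code. Defaults come from the parameter table above.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
DEFAULT_CONTEXT = "cn=OracleContext"

# protocol://host[:port]/NAME[,CONTEXT]
_ID_RE = re.compile(
    r"^(?P<proto>ldaps?)://(?P<host>[^:/]+)(?::(?P<port>\d+))?/(?P<path>.+)$",
    re.IGNORECASE,
)


@dataclass
class LdapConnectId:
    protocol: str   # "ldap" or "ldaps"; ldaps means a TLS connection
    host: str
    port: int
    name: str       # the entry RDN, for example "cn=orcl"
    context: str    # naming context that contains OracleContext


def parse_connect_identifier(connect_string: str) -> LdapConnectId:
    """Parse 'user/password@ldaps://host:port/cn=name,context' into its parts."""
    # The user/password prefix (if any) ends at the last '@'; the host part
    # of this identifier form cannot contain '@', so rpartition is safe.
    _, _, ident = connect_string.rpartition("@")
    m = _ID_RE.match(ident)
    if not m:
        raise ValueError(f"not an LDAP or LDAPS connect identifier: {ident!r}")
    proto = m.group("proto").lower()
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[proto]
    # NAME is the first RDN; everything after the first comma is CONTEXT.
    name, _, context = m.group("path").partition(",")
    context = context or DEFAULT_CONTEXT
    # Assumption of this example: because NAME must live in the OracleContext
    # container, the context is expected to begin with cn=OracleContext.
    if not context.lower().startswith("cn=oraclecontext"):
        raise ValueError(f"context does not start with cn=OracleContext: {context!r}")
    return LdapConnectId(proto, m.group("host"), port, name, context)
```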

11.2.2 AUTHENTICATE_BIND

The AUTHENTICATE_BIND parameter specifies whether the LDAP naming adapter should use a wallet for authentication.

Purpose

To specify whether the LDAP naming adapter should attempt to authenticate using a specified wallet, when it connects to the LDAP directory to resolve the service name in the connect string.

Usage Notes

When set to FALSE, the LDAP connection is established using an anonymous bind.

When set to TRUE, the LDAP connection is authenticated using an Oracle wallet. You must specify the wallet location using the WALLET_LOCATION parameter.

Values

TRUE | FALSE

Default

FALSE

Example

AUTHENTICATE_BIND=TRUE

11.2.3 AUTHENTICATE_BIND_METHOD

The AUTHENTICATE_BIND_METHOD parameter specifies the authentication method for the client LDAP naming adapter.

Purpose

To specify the authentication method that the client LDAP naming adapter should use while connecting to the LDAP directory to resolve connect string names.

Usage Notes

The simple authentication method over LDAPS (LDAP over TLS connection) is supported.

You store the directory entry DN and password in an Oracle wallet. When the client connects to the LDAP server, it is authenticated using the credentials stored in this wallet. The wallet trust store must contain root certificates issued by the certificate authority of the LDAP server.

The LDAP naming adapter uses the oracle.ldap.client.dn and oracle.ldap.client.password entries from the wallet for authenticating to the LDAP server. If these entries are not present, then the client attempts an anonymous authentication using LDAPS.

Values

  • LDAPS_SIMPLE_AUTH

  • NONE

Default

NONE

Example

AUTHENTICATE_BIND_METHOD=LDAPS_SIMPLE_AUTH

11.2.4 DIRECTORY_SERVER_TYPE

The DIRECTORY_SERVER_TYPE parameter specifies the directory server to be used for LDAP-based name lookup.

Purpose

With the Directory Naming method, connect identifiers are mapped to connect descriptors contained in an LDAP-compliant directory server. You can specify a directory server to be used, such as Oracle Internet Directory, Oracle Unified Directory, or Microsoft Active Directory.

Values

  • OID for Oracle Internet Directory or Oracle Unified Directory

  • AD for Microsoft Active Directory

Default

OID

Example

DIRECTORY_SERVER_TYPE=AD

11.2.5 WALLET_LOCATION

The WALLET_LOCATION parameter specifies the directory where an Oracle wallet is stored.

Purpose

To specify the directory where the client wallet is stored. This wallet is used for making Transport Layer Security (TLS) connections to the LDAP directory.

Note:

This is a client-side parameter, and is not applicable to the database connection.

Usage Notes

The database client searches for the client wallet in this order:

  1. The client first looks for the WALLET_LOCATION parameter value in the connect identifier.

  2. If no wallet is present, then the client searches for the WALLET_LOCATION parameter value in the sqlnet.ora file.

  3. If no wallet is present, then the client uses the wallet from the operating system's default certificate store.

Default

None

Example

WALLET_LOCATION=/home/oracle/wallet
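The wallet search order above, together with the AUTHENTICATE_BIND and AUTHENTICATE_BIND_METHOD rules from the earlier sections, as an added Python example that is not Oracle's own code. The parameter dictionaries, the pluggable `exists` check and the operating-system default store path are constructed inputs for illustration.

```python
import os

# Added example, not Oracle code. Models the documented wallet search order
# (connect identifier, then sqlnet.ora, then the OS default certificate store)
# and the consistency rules for the bind parameters.


def wallet_exists(path: str) -> bool:
    """Assumption of this example: a wallet 'is present' when its directory exists."""
    return bool(path) and os.path.isdir(path)


def resolve_wallet_location(connect_params, sqlnet_params, os_default_store,
                            exists=wallet_exists):
    """Return (source, path) for the first wallet found in the documented order.

    connect_params and sqlnet_params are dicts of name-value pairs from the
    connect identifier and sqlnet.ora; os_default_store is a constructed path
    standing in for the operating system's default certificate store.
    """
    candidates = [
        ("connect identifier", connect_params.get("WALLET_LOCATION")),
        ("sqlnet.ora", sqlnet_params.get("WALLET_LOCATION")),
        ("os default store", os_default_store),
    ]
    for source, path in candidates:
        if path and exists(path):
            return source, path
    return None, None


def check_bind_settings(protocol: str, params) -> list:
    """Return the problems found in a set of bind parameters (empty when consistent)."""
    problems = []
    bind = params.get("AUTHENTICATE_BIND", "FALSE").upper()      # default FALSE
    method = params.get("AUTHENTICATE_BIND_METHOD", "NONE").upper()  # default NONE
    # AUTHENTICATE_BIND=TRUE authenticates with a wallet, so its location is needed.
    if bind == "TRUE" and not params.get("WALLET_LOCATION"):
        problems.append("AUTHENTICATE_BIND=TRUE requires WALLET_LOCATION")
    # Simple authentication is supported over LDAPS (TLS) only.
    if method == "LDAPS_SIMPLE_AUTH" and protocol.lower() != "ldaps":
        problems.append("LDAPS_SIMPLE_AUTH is only supported over the LDAPS protocol")
    return problems
```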