8.2.4 Configure the LDAP Naming Adapter to Use Wallets
The client LDAP naming adapter authenticates the LDAP bind while connecting to the LDAP directory to resolve connect string names. You can configure the adapter to use an Oracle wallet during the authentication.
- Obtain an LDAP server certificate, create an Oracle wallet, and store the certificate and LDAP user credentials in the wallet truststore:
  - Obtain an LDAP server certificate from the LDAP directory server using openssl s_client:

        openssl s_client -connect LDAP_server_host:port -showcerts -outform PEM

    The -connect LDAP_server_host:port option specifies the LDAP directory server host name and port for the connection. The -showcerts option displays the LDAP server certificate list sent by the server. The -outform PEM option extracts the server certificate to your file system directory (for example, /tmp/ldapservercert.txt) in PEM format.
  - Create an empty Oracle wallet:

        orapki wallet create -wallet wallet_directory

    The -wallet wallet_directory option specifies the location of the file system directory where you want to create the wallet.
  - Add the LDAP server certificate to the wallet:

        orapki wallet add -wallet wallet_directory -trusted_cert -cert

    The -cert option specifies the location of the file system directory (for example, /tmp/ldapservercert.txt) where you have stored the LDAP server certificate.
  - Create an entry in the wallet with the DN of the LDAP user name:

        mkstore -wrl wallet_directory -createEntry oracle.ldap.client.dn dn_of_ldap_username

    For example:

        mkstore -wrl /app/wallet -createEntry oracle.ldap.client.dn cn=userinldap,dc=example,dc=com

    For Microsoft Active Directory, you can also specify the userPrincipalName or down-level logon name (sAMAccountName) attribute.
  - Create an entry in the wallet with the LDAP password:

        mkstore -wrl wallet_directory -createEntry oracle.ldap.client.password ldap_password

  - Enable auto-login for the wallet:

        orapki wallet create -wallet wallet_directory -auto_login

  Note:
  - The mkstore wallet management command line tool is deprecated with Oracle AI Database 26ai, and can be removed in a future release. To manage wallets, Oracle recommends that you use the orapki command line tool.
  - Auto-login wallets are protected by file system permissions. Use operating system utilities to protect the wallet directory by granting read and write permissions only to the client.
  - Oracle has introduced a new auto-login wallet version (7) with Oracle AI Database 26ai. Version 6 of the Oracle local auto-login wallet is deprecated. You can update your local auto-login wallet by modifying it with orapki.
- Use the WALLET_LOCATION parameter to specify your wallet directory in the sqlnet.ora file:

      WALLET_LOCATION= (SOURCE= (METHOD=file) (METHOD_DATA= (DIRECTORY=wallet_directory)))

  For example:

      WALLET_LOCATION= (SOURCE= (METHOD=FILE) (METHOD_DATA= (DIRECTORY=/app/wallet/)))

  For detailed information on configuring this parameter, see WALLET_LOCATION.
  Note:
  The parameter WALLET_LOCATION is deprecated for use with Oracle AI Database 26ai for the Oracle Database server. It is not deprecated for use with the Oracle Database client or listener. For Oracle Database server, Oracle recommends that you use the WALLET_ROOT system parameter instead of using WALLET_LOCATION.
- Configure authentication settings for your LDAP connection in the sqlnet.ora file:
  - Set NAMES.LDAP_AUTHENTICATE_BIND=TRUE to specify that the LDAP connection is authenticated using the wallet directory (defined by WALLET_LOCATION).
  - Set NAMES.LDAP_AUTHENTICATE_BIND_METHOD=LDAPS_SIMPLE_AUTH to use the simple authentication method over LDAPS (LDAP over a TLS connection).
  For detailed information on configuring these settings, see NAMES.LDAP_AUTHENTICATE_BIND and NAMES.LDAP_AUTHENTICATE_BIND_METHOD.
- Using Oracle Net Manager, add one or more directory entries to the LDAP server.
- Using SQL*Plus or any other database client, verify names resolution.
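Added check, not Oracle's code and not part of the original page: a POSIX shell script that audits a client sqlnet.ora against the settings in this procedure. It reads the DIRECTORY from WALLET_LOCATION, verifies that the wallet directory is readable and writable by its owner only (the note above explains that auto-login wallets rely on file system permissions alone), and verifies that NAMES.LDAP_AUTHENTICATE_BIND is TRUE and NAMES.LDAP_AUTHENTICATE_BIND_METHOD is LDAPS_SIMPLE_AUTH. The function names, the constructed sample sqlnet.ora, and the temporary paths are assumptions made for the example; it also assumes the DIRECTORY= clause sits on a single line.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit a client's sqlnet.ora and wallet
# directory against the LDAP-naming wallet settings described above.
# Assumptions: the DIRECTORY=... clause of WALLET_LOCATION is on one line,
# and parameter lines have the form NAME=VALUE (whitespace tolerated).

# Print the value of a sqlnet.ora parameter (name matched case-insensitively,
# first occurrence wins); prints nothing if the parameter is absent.
sqlnet_param() {
  grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
    | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Print the wallet directory named in WALLET_LOCATION's DIRECTORY clause.
wallet_dir_from_sqlnet() {
  sed -n 's/.*DIRECTORY[[:space:]]*=[[:space:]]*\([^)[:space:]]*\).*/\1/p' "$1" \
    | head -n 1
}

# Succeed only if the directory exists and group/other have no permissions,
# which is the protection an auto-login wallet relies on.
wallet_perms_ok() {
  [ -d "$1" ] || return 1
  # Columns 5-10 of `ls -ld` output are the group and other permission bits.
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the LDAP bind is authenticated and uses simple auth over LDAPS.
ldap_bind_config_ok() {
  bind=$(sqlnet_param "$1" NAMES.LDAP_AUTHENTICATE_BIND | tr '[:lower:]' '[:upper:]')
  method=$(sqlnet_param "$1" NAMES.LDAP_AUTHENTICATE_BIND_METHOD | tr '[:lower:]' '[:upper:]')
  [ "$bind" = "TRUE" ] && [ "$method" = "LDAPS_SIMPLE_AUTH" ]
}

# Run all checks on one sqlnet.ora, report each finding, return 0 if all pass.
audit_sqlnet() {
  file="$1"; rc=0
  dir=$(wallet_dir_from_sqlnet "$file")
  if [ -z "$dir" ]; then
    echo "FAIL: no WALLET_LOCATION DIRECTORY found in $file"; rc=1
  elif wallet_perms_ok "$dir"; then
    echo "ok:   wallet directory $dir is accessible by its owner only"
  else
    echo "FAIL: wallet directory $dir is missing or accessible by group/other"; rc=1
  fi
  if ldap_bind_config_ok "$file"; then
    echo "ok:   authenticated bind over LDAPS (LDAPS_SIMPLE_AUTH) is configured"
  else
    echo "FAIL: NAMES.LDAP_AUTHENTICATE_BIND=TRUE and" \
         "NAMES.LDAP_AUTHENTICATE_BIND_METHOD=LDAPS_SIMPLE_AUTH are not both set"; rc=1
  fi
  return $rc
}

# Stand-alone demonstration on a constructed wallet directory and sqlnet.ora
# (sample files are created here; in practice pass your real sqlnet.ora path).
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/wallet" && chmod 700 "$tmp/wallet"
  cat > "$tmp/sqlnet.ora" <<EOF
# constructed sqlnet.ora fragment mirroring this section's settings
WALLET_LOCATION= (SOURCE= (METHOD=FILE) (METHOD_DATA= (DIRECTORY=$tmp/wallet)))
NAMES.LDAP_AUTHENTICATE_BIND=TRUE
NAMES.LDAP_AUTHENTICATE_BIND_METHOD=LDAPS_SIMPLE_AUTH
EOF
  audit_sqlnet "$tmp/sqlnet.ora"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

demo
```

Run it as `audit_sqlnet "$ORACLE_HOME/network/admin/sqlnet.ora"` (or wherever TNS_ADMIN points) after the procedure above; a non-zero exit means at least one of the two settings or the wallet directory permission does not match what this section configures. The permission check deliberately looks only at group and other bits, because ownership by the client user is the one thing the auto-login wallet cannot enforce by itself.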