Re: How to setup LDAP

From: Dan Norris <>
Date: Thu, 24 Jan 2008 11:08:53 -0800 (PST)
Message-ID: <>


I'm not sure I understand your question to the list then. OID is required if you want to perform LDAP authentication for database users and remain supported AFAIK. I'm also interested in hearing of any other solutions, but I don't know that any other solutions exist--if they do, I doubt very much that they're supported.


----- Original Message ----
From: "" <>
To: Dan Norris <>
Cc: Oracle L <>
Sent: Thursday, January 24, 2008 12:32:34 PM
Subject: Re: How to setup LDAP

Hi Dan,

Thank you for the information. Unfortunately

OID is not an option here.

I want to know any one on this list

ever has setup user authentication via LDAP and how did they implement




"Dan Norris" <>

Jan 23 2008 12:10 PM


Mayen Shah/ITS/Lazard@Lazard NYC, "Oracle

L" <>



Re: How to setup LDAP


You need to configure your database for EUS and configure OID to handle

those incoming users. If you're like most sites, I expect that Appendix

C will also be of keen interest. The doc is

You will need OID and using OID for this purpose does require a separate

license. Until you mentioned it, I forgot about this "catch"

in the refactored license scheme in 10g. However, I recall the Oracle sales

people telling me that while OID does require licensing, since you typically

only need 2-4 CPUs of OID to support a medium-sized database enterprise,

the pricing is much lower than the old way of having to buy ASO for all

your DBs. So, it isn't completely free, but it's a lot cheaper than what

you had to license in 9i. 

Sorry I forgot to mention that--it is important for sure!


----- Original Message ----

From: "" <>


Sent: Wednesday, January 23, 2008 10:38:58 AM

Subject: Re: How to setup LDAP

Hello Everyone, 

My apologies for not giving any feed back soon. (Got distracted with other

production issues). My problem is still unresolved.

Here is what I want to achieve. 

Database version and

Local tnsnames.ora 

Currently I am using database authentication for user login to the database.

I want to continue using local tnsnames. Only requirement is to change

user authentication from database to LDAP authentication. I am sure some

on our list must have done similar setup.

Simply creating user as below does not work.

Create user LDAPTEST identified globally as 'CN=LDAPTEST,ou=Service Accounts,ou=Users,ou=Administrative,ou=.Lazard,dc=lazard,dc=com';

User gets created without error but connection fails with invalid username/password

error. I verified with our sa and DN is correct. I am sure I am missing

something but could not find more information. Search on metalink/google

mostly points me to OID and I was told by oracle sales rep that OID is

licensed product. 

Any help/pointer is greatly appreciated.

Thank you. 


"Dan Norris" <> 

Jan 14 2008 01:10 PM


Mayen Shah/ITS/Lazard@Lazard NYC 

cc, "Jared

Still" <> 


Re: How to setup LDAP

>>> The user

administration and global authentication portion WAS NOT FREE.

That's almost correct. When 10g was introduced, the ASO license was refactored

such that EE now includes password-based Enterprise User Security. If you

want certificate-based security, that still requires the ASO option to

be licensed. I'm not sure that the price list shows that very well, but

it is verifiable--I think it's in the docs where they show the features

and options list and what editions they're available in. 


----- Original Message ----

From: "" <>


Cc:; Jared Still <>

Sent: Monday, January 14, 2008 11:41:09 AM

Subject: RE: How to setup LDAP

Oracle OID has the identity management framework and that had two parts

the database naming (tnsnames/onames functionality) and the external/global

user administration and authentication functionality. When I converted/complemented

ONAMES with OID I found from Oracle Sales and Metalink that the database

naming partition of OID was free since Oracle 10g treats ONAMES as “He

who shall not be named”, pun not intended. The user administration and

global authentication portion WAS NOT FREE. 


The database naming (tnsnames

functionality) can be done with sqlnet.ora directory path including LDAP

and an ldap.ora or using DNS entries that advertise a well known ldap host.


You should clarify with your

account representative on the use of the OID identity management framework

for external/global user administration since that part is a separately

licensed ($$) component. I believe this is mentioned in Rich’s and Jared’s



I haven’t been following

the entire thread, but I also found out that in 10g the distribution of

OID coming through the RBDMS install is not production and one through

IAS app distribution is. I discovered that when I was looking for the onamesproxy

which we tested in 9.2 OID and not available in 10g OID.


Please feel free to correct

if your experience and information is current and different.




Krish Hariharan 

President/Executive Architect, Quasar Database Technologies, LLC

(303) 808-5172

Received on Thu Jan 24 2008 - 13:08:53 CST

Original text of this message