RE: Configuration of Oracle LDAP for network resolution
Date: Wed, 16 Sep 2009 13:12:22 -0400
While we're on the question of LDAP, does anyone know the keywords to extract security certificate information from LDAP? Particularly Common_Name, Email Address, and expiration date.
Senior Oracle DBA/NA Team Lead
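The attribute that holds a certificate in a standard LDAP directory is userCertificate (usually requested and returned as userCertificate;binary), and ldapsearch prints it base64-encoded after a double colon. The common name, e-mail address and expiry date are not separate LDAP attributes; they are fields inside the DER-encoded X.509 certificate, so they have to be decoded from that value. The following Python is an added example, not code from anyone on this thread: it walks the DER structure with the standard library only and pulls out CN (OID 2.5.4.3), emailAddress (OID 1.2.840.113549.1.9.1) and notAfter. The sample certificate it builds is a constructed, unsigned structure for demonstration, not a real certificate, and nothing here verifies a signature.

```python
import base64
from datetime import datetime, timezone

# DER tags used below (X.690)
TAG_SEQUENCE, TAG_SET = 0x30, 0x31
TAG_UTCTIME = 0x17
TAG_VERSION_CTX0 = 0xA0                                    # [0] EXPLICIT version in TBSCertificate

# Object identifiers in DER content form
OID_COMMON_NAME = b"\x55\x04\x03"                          # 2.5.4.3 (X.520 commonName)
OID_EMAIL_ADDRESS = b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01"  # 1.2.840.113549.1.9.1 (PKCS#9 emailAddress)


def der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed value into its (tag, content) parts."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out


def _name_attributes(name_content):
    """Flatten an X.501 Name (SEQUENCE OF SET OF {OID, value}) into {oid_bytes: text}."""
    attrs = {}
    for _, rdn in der_children(name_content):
        for _, atv in der_children(rdn):
            (_, oid_bytes), (_, value) = der_children(atv)
            attrs[oid_bytes] = value.decode("utf-8")       # Printable/IA5/UTF8String all decode here
    return attrs


def _time(tag, value):
    """UTCTime is YYMMDDHHMMSSZ, GeneralizedTime is YYYYMMDDHHMMSSZ."""
    fmt = "%y%m%d%H%M%SZ" if tag == TAG_UTCTIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def certificate_summary(der_cert):
    """Return CN, e-mail and expiry from a DER X.509 certificate (structure walk only, no signature check)."""
    _, cert, _ = der_read(der_cert)
    tbs = der_children(cert)[0][1]                         # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == TAG_VERSION_CTX0:                   # version is absent in v1 certificates
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    validity = der_children(fields[3][1])
    subject = _name_attributes(fields[4][1])
    return {
        "common_name": subject.get(OID_COMMON_NAME),
        "email": subject.get(OID_EMAIL_ADDRESS),
        "not_after": _time(*validity[1]),
    }


def summary_from_ldif_value(b64_value):
    """Decode the base64 text that follows 'userCertificate;binary:: ' in ldapsearch output."""
    return certificate_summary(base64.b64decode(b64_value))


# --- constructed sample: a syntactically valid but unsigned X.509 structure, not a real certificate ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _seq(*parts):
    return _der(TAG_SEQUENCE, b"".join(parts))


def build_sample_certificate():
    def atv(oid_bytes, tag, text):                         # one RDN: SET { SEQUENCE { OID, value } }
        return _der(TAG_SET, _seq(_der(0x06, oid_bytes), _der(tag, text.encode())))
    name = _seq(atv(OID_COMMON_NAME, 0x13, "dbhost01.example.org"),   # PrintableString
                atv(OID_EMAIL_ADDRESS, 0x16, "dba@example.org"))      # IA5String
    validity = _seq(_der(TAG_UTCTIME, b"090101000000Z"), _der(TAG_UTCTIME, b"120101000000Z"))
    sig_alg = _seq(_der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), _der(0x05, b""))  # sha256WithRSA
    spki = _seq(_seq(_der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), _der(0x05, b"")),
                _der(0x03, b"\x00" * 9))                   # placeholder key bits
    tbs = _seq(_der(TAG_VERSION_CTX0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               sig_alg, name, validity, name, spki)
    return _seq(tbs, sig_alg, _der(0x03, b"\x00" * 9))     # placeholder signature bits


def sample_ldif_value():
    """The sample certificate as ldapsearch would print it after 'userCertificate;binary:: '."""
    return base64.b64encode(build_sample_certificate()).decode("ascii")


if __name__ == "__main__":
    print(summary_from_ldif_value(sample_ldif_value()))
```

If a full decoder is available, the same fields come out of `openssl x509 -noout -subject -email -enddate` once the base64 value has been wrapped in PEM headers; the walk above is for the case where only Python is at hand and shows which parts of the certificate the three values actually live in.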
From: [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Mark Anderson
Sent: Wednesday, September 16, 2009 12:52 PM
To: gil.cota_at_netcabo.pt
Subject: Re: Configuration of Oracle LDAP for network resolution
If I understand you correctly, you will want both iAS 10.1.2.3 and Identity Management 10.1.4.3. They will work together; the Application Server will serve out Identity Management to your LDAP clients. You will also, as you are no doubt aware, need a database instance nearby for Identity Management to store the identity information in (service names, IP addresses, port numbers).
N.B. You can't get CPU patches for iAS 10.1.2.0.2 or 10.1.2.2.0 anymore, and I believe July was the last CPU patch for Identity Management 10.1.4.2 -- that's why I mention the specific versions above.
According to my notes, this is what I did when we set up Oracle Internet Directory for network resolution. The versions of software referenced in my notes are outdated now, and you may not be using HP-UX as we are, but this may get you started if you consult the corresponding current-version documents for your OS.
1. I created a 10.2.0.3.0 database in its own $ORACLE_HOME. The default OID installation creates a database instance (I think 10.1.0.5.0) in the Application Server + Identity Management $ORACLE_HOME but we chose to use the optional separate database so that we could upgrade and patch that database on the same schedule as our other databases, rather than on a schedule dictated by the availability of Application Server + Identity Management upgrades and patches.
2. I created a new instance of the Metadata Repository Creation Assistant and used it to create a metadata repository in the target database (ref: "Oracle Application Server Metadata Repository Creation Assistant User's Guide, 10g (10.1.4.0.1) for Microsoft Windows", Sections 1.6.1 "Run the Prerequisite Check Tool", 2.1 "Installing in a Database that Uses the File System" and 4.7 "Removing OracleAS Metadata Repository Using the cleanMR Script"). The metadata repository is the set of schemas where the identity information will be stored. The Metadata Repository Creation Assistant will only be used to create the schemas; then you will throw it away because it has no other function than to help with the OID installation. I used the Windows MRCA only because the HP-UX 10.1.4.0.1 MRCA was documented to be broken by Oracle.
Your MRCA connects to the database over the network and does not care if the database is running on a different OS.
3. I installed a new instance of OID 10.1.4.0.1 + iAS 10.1.2 iAS in its own new $ORACLE_HOME, separate from the database $ORACLE_HOME. I told OID to use the metadata repository I had just created in the previous step. (ref: "Oracle Application Server Installation Guide, 10g Release 2 (10.1.2) for HP-UX Itanium", Sections 3.8 "Environment Variables", 5.3 "Order of Installation for the Infrastructure", 5.25 "Installing Oracle Internet Directory Only", 5.27 "Install Fragment: The First Few Screens of the Installation" and 5.28 "Install Fragment: The Last Few Screens of
4. This step is probably not directly applicable to you. We exported the identity information for our various databases from a preexisting OID at
$ORACLE_HOME/bin/ldapsearch -h localhost -p 389 -b dc=alaska,dc=edu "objectclass=orclNetService" > OIDP_names_load.ldif
... and imported the connect information into the freshly created target OID at localhost:10010:
$ORACLE_HOME/bin/ldapadd -c -v -D cn=orcladmin -w "<orclAdmin password>" -h localhost -p 10010 -f OIDP_names_load.ldif > ldapadd.out
(Ref: Metalink Doc ID 436998.1 "Considerations For Migrating Entries From One OID To Another", section "TO MIGRATE CUSTOM DATABASE ENTRIES"). The original source for our identity information was Oracle Names, but I was not involved in the extraction of identity information from Names and have no notes for it. The step above was the extraction of the identity information from a flawed OID installation into which the Names information had been loaded, and the import of that OID data into a correctly constructed OID instance.
Gil Cota wrote:
> Hi all,
> I'm trying to configure an Oracle LDAP for network resolution. What
> software should I use? (Oracle iAS 188.8.131.52 or Identity Management?)
> Does anyone have a document that can guide me step by step?
> Thanks and Regards,
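Step 4 in Mark's notes moves the orclNetService entries from one OID to another with ldapsearch and ldapadd -c, and -c means ldapadd carries on past a bad entry rather than stopping, so a malformed connect descriptor can land in the new directory silently. The Python below is an added example, not code from this thread or from Oracle: it parses the exported LDIF (folded continuation lines and base64 "::" values included), keeps only entries whose objectclass is orclNetService, checks that each orclNetDescString is present, has balanced parentheses and names a HOST, a PORT and a SERVICE_NAME or SID, rewrites the base DN in case the target OID uses a different suffix, and writes the surviving entries back out as LDIF for ldapadd. The attribute names orclNetService and orclNetDescString are the ones Oracle Net's LDAP naming uses; the sample LDIF and the target suffix dc=example,dc=org are constructed for the example.

```python
import base64


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attribute: [values]}); attribute names are lowercased
    because LDAP attribute names are case-insensitive."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                      # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            current = (value, {})
        elif current is not None:                  # ignores e.g. a leading "version: 1" line
            current[1].setdefault(attr.lower(), []).append(value)
    return entries


def check_net_service(attrs):
    """Return a list of problems for one orclNetService entry (empty means it looks importable)."""
    problems = []
    descs = attrs.get("orclnetdescstring", [])
    if not descs:
        problems.append("missing orclNetDescString")
    for desc in descs:
        if desc.count("(") != desc.count(")"):
            problems.append("unbalanced parentheses in connect descriptor")
        upper = desc.upper()
        for key in ("HOST", "PORT"):
            if key + "=" not in upper:
                problems.append(f"no {key}= in connect descriptor")
        if "SERVICE_NAME=" not in upper and "SID=" not in upper:
            problems.append("neither SERVICE_NAME= nor SID= in connect descriptor")
    return problems


def rewrite_suffix(dn, old_base, new_base):
    """Replace the directory suffix of a DN when the target OID uses a different base."""
    if dn.lower().endswith(old_base.lower()):
        return dn[:len(dn) - len(old_base)] + new_base
    return dn


def prepare_migration(ldif_text, old_base, new_base):
    """Filter, validate and re-base the net service entries; return (good entries, rejected (dn, problems))."""
    good, rejected = [], []
    for dn, attrs in parse_ldif(ldif_text):
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "orclnetservice" not in classes:
            continue
        problems = check_net_service(attrs)
        if problems:
            rejected.append((dn, problems))
        else:
            good.append((rewrite_suffix(dn, old_base, new_base), attrs))
    return good, rejected


def to_ldif(entries):
    """Serialise entries back to LDIF for ldapadd (values here are plain text, so no base64 needed)."""
    out = []
    for dn, attrs in entries:
        out.append(f"dn: {dn}")
        for attr, values in attrs.items():
            out.extend(f"{attr}: {v}" for v in values)
        out.append("")
    return "\n".join(out)


# Constructed sample export: one good alias, one with a truncated descriptor, one non-service entry.
SAMPLE_LDIF = """\
dn: cn=prod1,cn=OracleContext,dc=alaska,dc=edu
objectclass: top
objectclass: orclNetService
cn: prod1
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.edu)(PORT=1521))
 (CONNECT_DATA=(SERVICE_NAME=prod1.example.edu)))

dn: cn=broken,cn=OracleContext,dc=alaska,dc=edu
objectclass: top
objectclass: orclNetService
cn: broken
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db2.example.edu)(PORT=1521)

dn: ou=people,dc=alaska,dc=edu
objectclass: top
objectclass: organizationalUnit
ou: people
"""

if __name__ == "__main__":
    ok, bad = prepare_migration(SAMPLE_LDIF, "dc=alaska,dc=edu", "dc=example,dc=org")
    print(to_ldif(ok))
    for dn, problems in bad:
        print(f"REJECTED {dn}: {'; '.join(problems)}")
```

Run it over the file ldapsearch produced, feed the printed LDIF to ldapadd, and review the REJECTED lines by hand; that way ldapadd -c only ever skips entries the directory itself refuses, not ones that load fine but can never resolve.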