RE: Configuration of Oracle LDAP for network resolution

From: Goulet, Richard <>
Date: Wed, 16 Sep 2009 13:12:22 -0400

While we're on the question of LDAP, does anyone know the keywords to extract security certificate information from LDAP? Particularly Common_Name, Email Address, and expiration date.

Dick Goulet
Senior Oracle DBA/NA Team Lead
PAREXEL International

-----Original Message-----
From: [] On Behalf Of Mark Anderson
Sent: Wednesday, September 16, 2009 12:52 PM
To:
Cc: 'oracle-l'
Subject: Re: Configuration of Oracle LDAP for network resolution


If I understand you correctly, you will want both iAS and Identity Management. They will work together; the Application Server will serve out Identity Management to your LDAP clients. You will also, as you are no doubt aware, need a database instance nearby for Identity Management to store the identity information in (service names, IP addresses, port numbers).

N.B. You can't get CPU patches for iAS or anymore, and I believe July was the last CPU patch for Identity Management -- that's why I mention the specific versions above.

According to my notes, this is what I did when we set up Oracle Internet Directory for network resolution. The versions of software referenced in my notes are outdated now, and you may not be using HP-UX as we are, but this may get you started if you consult the corresponding current-version documents for your OS.

1. I created a database in its own $ORACLE_HOME. The default OID installation creates a database instance (I think in the Application Server + Identity Management $ORACLE_HOME), but we chose to use the optional separate database so that we could upgrade and patch that database on the same schedule as our other databases, rather than on a schedule dictated by the availability of Application Server + Identity Management upgrades and patches.

2. I created a new instance of the Metadata Repository Creation Assistant and used it to create a metadata repository in the target database (ref: "Oracle Application Server Metadata Repository Creation Assistant User's Guide, 10g ( for Microsoft Windows", Sections 1.6.1 "Run the Prerequisite Check Tool", 2.1 "Installing in a Database that Uses the File System" and 4.7 "Removing OracleAS Metadata Repository Using the cleanMR Script"). The metadata repository is the set of schemas where the identity information will be stored. The Metadata Repository Creation Assistant will only be used to create the schemas; then you will throw it away because it has no other function than to help with the OID installation. I used the Windows MRCA only because the HP-UX MRCA was documented to be broken by Oracle.

Your MRCA connects to the database over the network and does not care if the database is running on a different OS.

3. I installed a new instance of OID + iAS 10.1.2 in its own new $ORACLE_HOME, separate from the database $ORACLE_HOME. I told OID to use the metadata repository I had just created in the previous step. (ref: "Oracle Application Server Installation Guide, 10g Release 2 (10.1.2) for HP-UX Itanium", Sections 3.8 "Environment Variables", 5.3 "Order of Installation for the Infrastructure", 5.25 "Installing Oracle Internet Directory Only", 5.27 "Install Fragment: The First Few Screens of the Installation" and 5.28 "Install Fragment: The Last Few Screens of the Installation".)

4. This step is probably not directly applicable to you. We exported the identity information for our various databases from a preexisting OID at localhost:389 ...

$ORACLE_HOME/bin/ldapsearch -h localhost -p 389 -b dc=alaska,dc=edu "objectclass=orclNetService" > OIDP_names_load.ldif

... and imported the connect information into the freshly created target OID at localhost:10010:

$ORACLE_HOME/bin/ldapadd -c -v -D cn=orcladmin -w "<orclAdmin password>" -h localhost -p 10010 -f OIDP_names_load.ldif > ldapadd.out

(Ref: Metalink Doc ID 436998.1 "Considerations For Migrating Entries From One OID To Another", section "TO MIGRATE CUSTOM DATABASE ENTRIES"). The original source for our identity information was Oracle Names, but I was not involved in the extraction of identity information from Names and have no notes for it. The step above was the extraction of the identity information from a flawed OID installation into which the Names information had been loaded, and the import of that OID data into a correctly constructed OID instance.

Good luck,


Gil Cota wrote:
> Hi all,
> I'm trying to configure an Oracle LDAP for network resolution, What
> software should I use ? (Oracle iAS or Identity Management ? )
> Does anyone have a document that can guide me step by step ?
> Thanks and Regards,
> Gil
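
Editor's addition, not part of either message above: a Python pre-flight check for the ldapsearch-to-ldapadd migration in step 4 of Mark's post. ldapadd -c keeps going past entries that fail to load, so a malformed or duplicated entry in the exported LDIF is easy to miss in a long ldapadd.out. This script parses what ldapsearch wrote (LDIF line folding and base64 "::" values included), flags entries that sit outside the source base DN, lack the orclNetService objectclass, have a missing or unbalanced orclNetDescString, or share a DN with another entry, and writes clean LDIF for ldapadd -f. The sample export, the hostnames in it and the assumption that orclNetService entries carry cn and orclNetDescString are mine, not taken from the post.

```python
# Added example, not code from the post: a pre-flight check for the ldapsearch -> ldapadd
# migration in step 4. Sample data is constructed; cn/orclNetDescString assumed from OID's schema.
import base64
import re

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$")

# Constructed stand-in for "ldapsearch ... objectclass=orclNetService" output (made-up hosts).
DESC_TEST1 = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db2.example.edu)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=test1)))"
SAMPLE_LDIF = f"""version: 1
dn: cn=prod1,cn=OracleContext,dc=alaska,dc=edu
objectclass: orclNetService
cn: prod1
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.edu)(PORT=1521))
 (CONNECT_DATA=(SERVICE_NAME=prod1.example.edu)))

dn: cn=test1,cn=OracleContext,dc=alaska,dc=edu
objectclass: orclNetService
cn: test1
orclNetDescString:: {base64.b64encode(DESC_TEST1.encode()).decode()}

dn: cn=broken,cn=OracleContext,dc=alaska,dc=edu
objectclass: orclNetService
cn: broken

dn: cn=stray,cn=OracleContext,dc=other,dc=edu
objectclass: orclNetService
cn: stray
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db9.example.edu)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=stray)))
"""

def parse_ldif(text):
    """Return [{'dn': ..., 'attrs': {lowercased name: [values]}}] from LDIF text."""
    lines = []
    for raw in text.splitlines():  # unfold: a leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:
        if not line.strip():  # a blank line ends the current entry
            if cur is not None:
                entries.append(cur)
            cur = None
        elif not line.startswith("#") and not line.lower().startswith("version:"):
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError(f"malformed LDIF line: {line!r}")
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":  # '::' marks a base64-encoded value
                value = base64.b64decode(value).decode("utf-8")
            if name == "dn":
                cur = {"dn": value, "attrs": {}}
            elif cur is None:
                raise ValueError(f"attribute before dn: {line!r}")
            else:
                cur["attrs"].setdefault(name, []).append(value)
    return entries

def check_entries(entries, base_dn):
    """Return (dn, reason) pairs for entries that should not be handed to ldapadd."""
    problems, seen = [], set()
    for e in entries:
        dn, attrs = e["dn"], e["attrs"]
        if not dn.lower().endswith(base_dn.lower()):
            problems.append((dn, f"outside base {base_dn}"))
        if "orclnetservice" not in {c.lower() for c in attrs.get("objectclass", [])}:
            problems.append((dn, "not an orclNetService entry"))
        for d in attrs.get("orclnetdescstring") or [""]:  # missing -> one empty descriptor
            # a lost continuation line shows up as unbalanced parentheses
            if d.count("(") != d.count(")") or "(CONNECT_DATA=" not in d.upper():
                problems.append((dn, "missing or malformed orclNetDescString"))
        if dn.lower() in seen:  # ldapadd -c would report and skip the second copy
            problems.append((dn, "duplicate dn"))
        seen.add(dn.lower())
    return problems

def to_ldif(entries):
    """Serialise entries; values LDIF cannot carry literally are base64-encoded."""
    blocks = []
    for e in entries:
        lines = [f"dn: {e['dn']}"]
        for name, values in e["attrs"].items():
            for v in values:
                safe = v.isascii() and v == v.strip() and v[:1] not in (":", "<") and "\n" not in v
                lines.append(f"{name}: {v}" if safe else f"{name}:: {base64.b64encode(v.encode()).decode()}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

def prepare(ldif_text, base_dn):
    """Parse an export; return (clean LDIF for ldapadd -f, list of skipped (dn, reason))."""
    entries = parse_ldif(ldif_text)
    problems = check_entries(entries, base_dn)
    return to_ldif([e for e in entries if e["dn"] not in {dn for dn, _ in problems}]), problems

if __name__ == "__main__":
    ldif, skipped = prepare(SAMPLE_LDIF, "dc=alaska,dc=edu")
    print("\n".join(f"SKIPPED {dn}: {why}" for dn, why in skipped) + "\n\n" + ldif, end="")
```

Run it with python3, fix whatever it reports as SKIPPED by hand, and point ldapadd -f at the clean output rather than the raw export. One thing the script cannot fix is in the import command itself: -w "<orclAdmin password>" on the command line puts the orcladmin password into ps output and the shell history on the import host, so at minimum remove it from the history afterwards.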


Received on Wed Sep 16 2009 - 12:12:22 CDT
