22. November 2004
Normally I have nothing to do with Microsoft products. But I saw an interesting talk at an Oracle conference, and I am curious by nature. Therefore I chose to install a copy of Microsoft's Windows 2003 Server (you can download an evaluation version free of charge from Microsoft) and test the integration of Oracle Net Services with Active Directory.
The W2k3 server was configured to function as a PDC; a DNS server was also configured to ensure proper DNS resolution on the test system.
I set dsHeuristics, as described in Microsoft KB326690 (Anonymous LDAP operations to Active Directory are disabled on Windows Server 2003 domain controllers), to 0000002. The leading zeros are important! If you already have dsHeuristics set, make sure that you only change the 7th character.
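The "change only the 7th character" rule is easy to get wrong by hand when the attribute already holds a value. The following POSIX shell helper is an added example, not part of the original post: it pads the current value with zeros to at least seven positions, puts a '2' at position 7, and leaves every other position untouched. The function name is my own; the value 0000002 for a previously unset attribute is the one given above.

```shell
#!/bin/sh
# Added example, not from the original post: derive the dsHeuristics value that
# enables anonymous LDAP operations by setting only position 7 to '2'.
# Argument: the current dsHeuristics value, or "" when the attribute is not set.
# The result is printed so it can be pasted into ADSI Edit.
ds_heuristics_enable_anon() {
    cur="$1"
    # dsHeuristics is a string of one-character switches; pad with '0' so that
    # position 7 exists. For an unset attribute this yields the documented 0000002.
    while [ "${#cur}" -lt 7 ]; do
        cur="${cur}0"
    done
    # Keep positions 1-6 and everything from position 8 onwards unchanged.
    head=$(printf '%s' "$cur" | cut -c1-6)
    rest=$(printf '%s' "$cur" | cut -c8-)
    printf '%s2%s' "$head" "$rest"
}

# ds_heuristics_enable_anon ""         -> 0000002
# ds_heuristics_enable_anon "0000001"  -> 0000002
# ds_heuristics_enable_anon "00000011" -> 00000021   (8th switch is preserved)
```

Run it with the value you read from the attribute in ADSI Edit and compare the output with what you are about to write back; if more than the 7th character differs, you have read the wrong attribute or the wrong object.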
OK, our next job is to extend the AD schema with Oracle-specific classes. I tried to perform that with Oracle's Net Configuration Assistant (netca) without luck (tried netca in 9iR2 as well as in 10g). So I used command-line tools to get the work done.
I made changes to the LDIF files supplied by Oracle, so copy the following files to a private work directory:
I prepared the changes to these files as a patch [ ora-ad-sbs.patch ]:
diff -ur ad-orig/adContextCreateCommon.sbs ad-mypatch/adContextCreateCommon.sbs --- ad-orig/adContextCreateCommon.sbs Mon Nov 22 19:10:22 2004 +++ ad-mypatch/adContextCreateCommon.sbs Mon Nov 22 19:25:22 2004 @@ -24,6 +24,7 @@ dn: %s_OracleContextDN% changetype: add cn: OracleContext +orclVersion: 90000 objectclass: top objectclass: orclContext diff -ur ad-orig/adSchemaCreateBase.sbs ad-mypatch/adSchemaCreateBase.sbs --- ad-orig/adSchemaCreateBase.sbs Mon Nov 22 19:10:03 2004 +++ ad-mypatch/adSchemaCreateBase.sbs Mon Nov 22 19:25:34 2004 @@ -93,9 +93,12 @@ subClassOf: 2.5.6.0 mustContain: 2.5.4.3 mayContain: 2.16.840.1.113894.7.1.1 +possSuperiors: 2.16.840.1.113894.7.2.3 possSuperiors: 2.5.6.4 possSuperiors: 2.5.6.5 possSuperiors: 1.2.840.113556.1.5.67 +possSuperiors: 1.2.840.113556.1.3.23 +possSuperiors: 1.2.840.113556.1.5.12 showinadvancedviewonly: FALSE adminDescription: Oracle Context Description: Oracle Context @@ -190,3 +193,9 @@ objectclass: orclContainer cn: OracleSchemaVersion +dn: cn=BASE,cn=OracleSchemaVersion,cn=configuration,%s_AdDomainDN% +changetype: add +objectclass: orclSchemaVersion +cn: BASE +orclProductVersion: 90000 + diff -ur ad-orig/adSchemaCreateNet.sbs ad-mypatch/adSchemaCreateNet.sbs --- ad-orig/adSchemaCreateNet.sbs Mon Nov 22 19:10:09 2004 +++ ad-mypatch/adSchemaCreateNet.sbs Mon Nov 22 19:22:52 2004 @@ -371,5 +371,5 @@ changetype: add objectclass: orclSchemaVersion cn: NET -orclProductVersion: 81600 +orclProductVersion: 90000 diff -ur ad-orig/adSchemaCreateRDBMS.sbs ad-mypatch/adSchemaCreateRDBMS.sbs --- ad-orig/adSchemaCreateRDBMS.sbs Mon Nov 22 19:10:14 2004 +++ ad-mypatch/adSchemaCreateRDBMS.sbs Mon Nov 22 19:22:32 2004 @@ -235,5 +235,5 @@ changetype: add objectclass: orclSchemaVersion cn: RDBMS -orclProductVersion: 81600 +orclProductVersion: 90000
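Review bot: `+orclVersion: 90000` in the adContextCreateCommon.sbs hunk uses an attribute that this hunk does not define, so the entry can only be added after the schema files have been loaded; add an LDIF `#` comment above the dn stating that adSchemaCreateBase.sbs must already be applied, otherwise ldapadd rejects the whole OracleContext entry for an undefined attribute and the later files have nothing to hang off.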
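Review bot: the three `+possSuperiors:` lines in the adSchemaCreateBase.sbs hunk at @@ -93,9 are bare OIDs, so a reviewer cannot see which classes an orclContext may now be created under without an OID lookup; an LDIF `#` comment naming each class would fix that. The two 1.2.840.113556.* values sit in the Microsoft arc alongside the existing 1.2.840.113556.1.5.67 line, which means the patch widens the allowed parents to AD-defined container classes; the post should say that this is what the cn=configuration placement in the tag table relies on.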
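Review bot: the new record `+dn: cn=BASE,cn=OracleSchemaVersion,cn=configuration,%s_AdDomainDN%` in adSchemaCreateBase.sbs at @@ -190,3 spells out its parent path with a literal cn=configuration while the other entries are placed via %s_OracleContextDN%; a site that renders %s_OracleContextDN% to a different container would end up with this BASE version record somewhere other than the NET and RDBMS records it is meant to match. Either build the DN from the same tag or document the coupling. The trailing blank `+` line is harmless but unnecessary.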
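Review bot: `-orclProductVersion: 81600` / `+orclProductVersion: 90000` in adSchemaCreateNet.sbs changes only the recorded version number; no class or attribute definition moves with it. State in a comment, or in the post, which Oracle client release compares against this value, because a later reader cannot otherwise tell whether the bump is cosmetic or a compatibility requirement, and whether the same value has to be kept in step with the BASE record added in adSchemaCreateBase.sbs.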
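Review bot: the adSchemaCreateRDBMS.sbs hunk bumps `orclProductVersion` from 81600 to 90000 with no schema change behind it, so the three version records (BASE, NET, RDBMS) now all read 90000 by convention rather than by any shared definition; a one-line comment in the file saying that the three must be changed together would prevent a partial bump in a future edit.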
To apply this patch you use the patch command as follows:
[frank@s0002 patch-test]$ patch -p1 < ora-ad-sbs.patch
patching file adContextCreateCommon.sbs
patching file adSchemaCreateBase.sbs
patching file adSchemaCreateNet.sbs
patching file adSchemaCreateRDBMS.sbs
[frank@s0002 patch-test]$
When you look into the files, you notice that they include a lot of tags which have to get replaced by proper values for your setup. I used the following mapping for the replacement:
| Tag-Name | my value |
|---|---|
| %s_OracleContextDN% | cn=OracleContext,cn=configuration,dc=fm-berger,dc=de |
| %s_AdUsersDomainDN% | dc=fm-berger,dc=de |
| %s_CurrentUserDN% | cn=Administrator,cn=users,dc=fm-berger,dc=de |
| %s_AdDomainDN% | dc=fm-berger,dc=de |
Table 1.
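Doing the tag replacement by hand in four files invites a typo that leaves a literal `%s_...%` in a DN. The script below is an added example, not part of the original post: it renders a .sbs template with sed using the values from Table 1 and refuses the result if any tag survived. The function names and the small demo template are my own; the DNs are the ones from the table and have to be changed for your own domain.

```shell
#!/bin/sh
# Added example, not from the original post: render Oracle's %s_...% tags in an
# .sbs LDIF template and fail loudly if a tag was left unreplaced.
set -u

# Values from Table 1; adjust for your own domain.
ORACLE_CONTEXT_DN="cn=OracleContext,cn=configuration,dc=fm-berger,dc=de"
AD_USERS_DOMAIN_DN="dc=fm-berger,dc=de"
CURRENT_USER_DN="cn=Administrator,cn=users,dc=fm-berger,dc=de"
AD_DOMAIN_DN="dc=fm-berger,dc=de"

# render_sbs <template.sbs>
# Writes <template.sbs>.ldif. Returns 1 (and lists the offending lines) when a
# %s_...% tag is still present, e.g. because of a misspelled tag in the template.
render_sbs() {
    sed -e "s|%s_OracleContextDN%|$ORACLE_CONTEXT_DN|g" \
        -e "s|%s_AdUsersDomainDN%|$AD_USERS_DOMAIN_DN|g" \
        -e "s|%s_CurrentUserDN%|$CURRENT_USER_DN|g" \
        -e "s|%s_AdDomainDN%|$AD_DOMAIN_DN|g" "$1" > "$1.ldif"
    if grep -q '%s_[A-Za-z]*%' "$1.ldif"; then
        echo "unreplaced tag in $1.ldif:" >&2
        grep -n '%s_[A-Za-z]*%' "$1.ldif" >&2
        return 1
    fi
    return 0
}

# make_demo_template <path>
# Constructed demo input in the style of the patched adContextCreateCommon.sbs
# and adSchemaCreateBase.sbs entries; real runs use the patched files instead.
make_demo_template() {
    cat > "$1" <<'EOF'
dn: %s_OracleContextDN%
changetype: add
cn: OracleContext
orclVersion: 90000
objectclass: top
objectclass: orclContext

dn: cn=BASE,cn=OracleSchemaVersion,cn=configuration,%s_AdDomainDN%
changetype: add
objectclass: orclSchemaVersion
cn: BASE
orclProductVersion: 90000
EOF
}
```

Run `render_sbs adSchemaCreateBase.sbs` and so on for each patched file, then feed the resulting `.ldif` files to ldapadd; a non-zero exit means the template still contains a tag and must not be loaded.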
After replacing the tags, it is time to load the schema into AD. I used Oracle's ldapadd command for that job:
[frank@s0002 patch-test]$ $ORACLE_HOME/bin/ldapadd -h 192.168.1.90 -p 389 -D cn=Administrator,cn=users,dc=fm-berger,dc=de -w foobar -f adSchemaCreateBase.sbs
You have to replace the host, bind DN and password in that command with your own values. Run that command to load the LDIF files in the following order:
I always get an error loading the last file. It fails to create the OracleDefaultDomain node. That seems to be some AD-specific problem. If you try to create that node again after waiting a few seconds, it works just fine...
After doing the schema extension and creating an initial OracleContext in AD, it is time to load your Oracle service name descriptions into AD. I used the following LDIF to perform that task:
dn: cn=B04,cn=OracleContext,cn=configuration,dc=fm-berger,dc=de
changetype: add
objectclass: top
objectclass: orclNetService
cn: B04
orclNetDescString: (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.80)(PORT = 1521)) ) (CONNECT_DATA = (SERVICE_NAME = B04) ) )
You have to adjust the content of that file for your setup. Please write the orclNetDescString value as one line! Afterwards you can load it with ldapadd as shown in the previous section.
Your Oracle Client will use an anonymous LDAP bind to retrieve that information, so you have to give the user role Anonymous Logon read permissions for that entry (I used ADSI Edit for that).
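The two things that go wrong with the orclNetService entry are a connect descriptor that an editor has wrapped onto several lines, and a read permission that does not actually cover the entry. The script below is an added example, not part of the original post: it generates the LDIF for a service with the descriptor on one line, and it checks an LDIF file by folding RFC 2849 continuation lines (lines starting with a space) and verifying that the descriptor's parentheses balance, which is exactly what fails when the value was wrapped without the continuation space. The function names are my own; B04, 192.168.1.80 and the context DN are the values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build an orclNetService LDIF record
# and check that orclNetDescString is a single logical line.

# net_service_ldif <cn> <host> <port> <service_name> <oracle_context_dn>
# Prints an LDIF add record. The descriptor is assembled with printf, so it
# cannot be split by an editor's line wrapping.
net_service_ldif() {
    desc="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=$2)(PORT=$3)))(CONNECT_DATA=(SERVICE_NAME=$4)))"
    printf 'dn: cn=%s,%s\n' "$1" "$5"
    printf 'changetype: add\n'
    printf 'objectclass: top\n'
    printf 'objectclass: orclNetService\n'
    printf 'cn: %s\n' "$1"
    printf 'orclNetDescString: %s\n' "$desc"
}

# descstring_ok <ldif-file>
# Returns 0 when every orclNetDescString value, after folding LDIF continuation
# lines, has balanced parentheses. A value wrapped onto a second line without the
# leading space is seen as an unbalanced first line and fails the check.
descstring_ok() {
    awk '
        function flush() {
            if (!seen) return
            found = 1
            v = val
            o = gsub(/[(]/, "(", v)
            c = gsub(/[)]/, ")", v)
            if (o == 0 || o != c) bad = 1
            seen = 0
        }
        /^orclNetDescString:/ { flush(); val = substr($0, 19); seen = 1; next }
        /^ / {
            if (seen) val = val substr($0, 2)
            next
        }
        { flush() }
        END { flush(); exit ((found && !bad) ? 0 : 1) }
    ' "$1"
}
```

Typical use: `net_service_ldif B04 192.168.1.80 1521 B04 "cn=OracleContext,cn=configuration,dc=fm-berger,dc=de" > b04.ldif`, then `descstring_ok b04.ldif && ldapadd ...`. After loading, an `ldapsearch -h 192.168.1.90 -p 389 -b "cn=OracleContext,cn=configuration,dc=fm-berger,dc=de" "(cn=B04)"` without `-D`/`-w` tells you whether the Anonymous Logon read permission really covers the entry; keep that permission on the orclNetService entries rather than on the whole context.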
To let the Oracle Client perform its service lookups using AD, you have to adjust $ORACLE_HOME/network/admin/sqlnet.ora and $ORACLE_HOME/network/admin/ldap.ora. During my tests I used the following files.
sqlnet.ora:
NAMES.DIRECTORY_PATH=(ldap)
ldap.ora:
DIRECTORY_SERVERS=(192.168.1.90:389)
DIRECTORY_SERVER_TYPE=ad
DEFAULT_ADMIN_CONTEXT="cn=Configuration,dc=fm-berger,dc=de"