{"id":3444,"date":"2019-11-28T22:44:46","date_gmt":"2019-11-28T21:44:46","guid":{"rendered":"http:\/\/www.oradba.ch\/?p=3444"},"modified":"2019-11-28T22:44:52","modified_gmt":"2019-11-28T21:44:52","slug":"oracle-enterprise-user-security-with-multiple-ldap-ora","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2019\/11\/oracle-enterprise-user-security-with-multiple-ldap-ora\/","title":{"rendered":"Oracle Enterprise User Security with multiple ldap.ora"},"content":{"rendered":"\n

Recently I came across the situation where I have to configure Enterpriser User Security for a database server with multiple databases for different directories. This is quite tricky when using a shared Oracle Home and a central TNS_ADMIN directory for SQLNet configuration. A common TNS_ADMIN also implies the use of only one ldap.ora<\/em> file. Several ldap servers can be registered in one ldap.ora<\/em>, but this is primarily used for failover configuration in a high-availability LDAP server architecture. The use of multiple EUS contexts in different LDAP servers is not supported. At least not in one single file. But there are some workarounds.<\/p>\n\n\n\n

Oracle does look for the ldap.ora file in a few different places. The following sequence is maintained:<\/p>\n\n\n\n

  1. $LDAP_ADMIN<\/em> environment variable setting<\/li>
  2. $ORACLE_HOME\/ldap\/admin<\/em> directory<\/li>
  3. $TNS_ADMIN<\/em> environment variable setting<\/li>
  4. $ORACLE_HOME\/network\/admin<\/em> directory<\/li><\/ol>\n\n\n\n

    Notes on this order can be found at different places in the Oracle documentation e.g Oracle Database Database Net Services Reference 19c Overview of Directory Server Usage File<\/a>, Oracle Database Security Guide 19c About Using a dsi.ora File<\/a> or in the Oracle Support Note 363283.1<\/a> What Is The Search Order For The LDAP.ORA File?<\/p>\n\n\n\n

    If you don’t trust the documentation, you can also verify the search order with strace<\/em>. First define a few values for TNS_ADMIN<\/em> and LDAP_ADMIN<\/em> to be sure we do not use the default values.<\/p>\n\n\n\n

    export LDAP_ADMIN=\"\/u01\/config\"\nexport TNS_ADMIN=\"\/u00\/app\/oracle\/network\/admin\"<\/pre>\n\n\n\n
    If we make sure, that LDAP is the first names resolution in sqlnet.ora<\/em> we could use strace<\/em> with tsnping<\/em>.<\/p>\n\n\n\n
    oracle@eusdb:~\/ [TEUS01] grep -i NAMES.DIRECTORY_PATH $TNS_ADMIN\/sqlnet.ora\nNAMES.DIRECTORY_PATH=(LDAP, TNSNAMES, EZCONNECT )\n\noracle@eusdb:~\/ [TEUS01] strace -o \/u01\/config\/tnsping.txt tnsping TEUS01\n\nTNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 28-NOV-2019 20:47:33\n\nCopyright (c) 1997, 2019, Oracle.  All rights reserved.\n\nUsed parameter files:\n\/u00\/app\/oracle\/network\/admin\/sqlnet.ora\n\nUsed TNSNAMES adapter to resolve the alias\nAttempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = eusdb)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = TEUS01)))\nOK (30 msec)<\/pre>\n\n\n\n
    Checking the output does show the different directories<\/p>\n\n\n\n
    oracle@eusdb:~\/ [TEUS01] grep -i ldap.ora \/u01\/config\/tnsping.txt\nstat(\"\/u01\/config\/ldap.ora\", 0x7ffd149f6af0) = -1 ENOENT (No such file or directory)\nstat(\"\/u00\/app\/oracle\/product\/19.0.0.0\/ldap\/admin\/ldap.ora\", 0x7ffd149f6af0) = -1 ENOENT (No such file or directory)\nstat(\"\/u00\/app\/oracle\/network\/admin\/ldap.ora\", 0x7ffd149f6af0) = -1 ENOENT (No such file or directory)\nstat(\"\/u00\/app\/oracle\/product\/19.0.0.0\/network\/admin\/ldap.ora\", 0x7ffd149f6af0) = -1 ENOENT (No such file or directory)\nstat(\"\/u00\/app\/oracle\/product\/19.0.0.0\/network\/admin\/ldap.ora\", 0x7ffd149f6be0) = -1 ENOENT (No such file or directory)<\/pre>\n\n\n\n
    As you can see the search order does match the documented search order. But how does that help us? It’s actually relatively simple. To use different LDAP server configuration per database, we do have to make sure, that each database has an individual ldap.ora file. This can be ensured by one the following points:<\/p>\n\n\n\n