7 Replies Latest reply on Apr 28, 2020 3:23 PM by User51642 Yong Huang

    Cannot use 18c Net Manager to connect to OUD

    User51642 Yong Huang

We just set up Oracle Unified Directory 12.2.1.4 and added database connect identifiers (commonly called TNS entries). We can successfully use them in tnsping or sqlplus. Net Manager from Oracle 12c or older client can also log into it to add or delete or update the connect identifiers. But when we launch Net Manager from 18c or 19c client trying to connect to OUD, even before we're prompted to enter username and password, the Net Manager GUI does not show "Directory" under the top line "Oracle Net Configuration", which only has "Local" under it. What could be wrong? Our client side %oracle_home%\network\admin\ldap.ora has these lines:

      DIRECTORY_SERVERS= (<the new oud server hostname>:1389)

      DEFAULT_ADMIN_CONTEXT = "dc=..."

      DIRECTORY_SERVER_TYPE = OID

      Again, these settings are correct because 12c or 11g Net Manager can use it with no problem.


      I remember 18c has some new features or restrictions related to Net Services. Here's a problem we solved last year. We actually have two OID directory servers (we currently use OID, thinking of migrating to OUD), say oid1 and oid2. An F5 load balancer sits in front of them called oid. For thousands of clients in our company, we give them ldap.ora that uses oid.ourcompany.com as the directory server name. But if we DBAs use oid as the OID hostname in ldap.ora, 18c+ Net Manager has the same problem: "Directory" is not shown. The solution for us DBAs is to directly use oid1 or oid2, bypassing the load balancer. But in the new installation this time, we *are* specifying the OUD server hostname directly; there's no load balancer. It's just that the symptom is exactly the same as our last year's problem and the fact that a 12c/11g client is a good workaround makes us think the root cause is the same. But checking 18c New Features documentation doesn't reveal anything relevant.


      So, my question is: How do we configure OUD and/or 18c or 19c Oracle client so we can use Net Manager to manage connect identifiers stored in OUD?

        • 1. Re: Cannot use 18c Net Manager to connect to OUD
          Etienne Remillon-Oracle

          Hi Yong,


          Given the specifics on versions and components, I would suggest opening a Service Request with the DB product, as it seems to be a client component that is part of the DB.


          Best regards

          Etienne Remillon

          • 2. Re: Cannot use 18c Net Manager to connect to OUD
            Bhanuchandar Bobbili

            Here are a few thoughts:


            1) For the OUD connection, use the format below in ldap.ora.


            DIRECTORY_SERVERS= (172.16.30.174:1389:1636)

            DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"

            DIRECTORY_SERVER_TYPE = OID


            2) Netca requires Anonymous binding to OUD.


            Note: Please mark my post as helpful / answered if it helped you.

            • 3. Re: Cannot use 18c Net Manager to connect to OUD
              User51642 Yong Huang

              Yes I tried specifying both 1389 and 1389:1636. I even tried OUD instead of OID on the server type line. It made no difference. Are you saying the 18c+ netca or netmgr requires anonymous binding but older versions don't? Or connecting to OUD requires it but OID does not? What's the practical implication?

              • 4. Re: Cannot use 18c Net Manager to connect to OUD
                Bhanuchandar Bobbili

                Let's have a WebEx call to look into your issue.

                • The DIRECTORY_SERVER_TYPE value is always OID; it doesn't accept the OUD value.
                • Is your OUD a Proxy Server or Directory Server?
                • In which DN your TNS Entries exist in OUD?
                • Can you upload screenshot of Netmgr
                • OID has a flag called orclanonymousbindsflag
                • 5. Re: Cannot use 18c Net Manager to connect to OUD
                  User51642 Yong Huang

                  That's OK, Bhanu. Thank you though. We opened an SR (3-22888459841) in case you can review it. Our OUD is a directory server, not proxy. As I said, we *can* use 11g or 12c Oracle client Net Manager to connect and manipulate the connect identifiers in this new OUD, and with 18c Oracle client, we *can* run "tnsping <abcd>" or "sqlplus <user>/<password>@<abcd>", where <abcd> is a connect identifier inside OUD, although Net Manager doesn't show "Directory" and so cannot connect. You don't have problems using 18c or 19c Net Manager to connect to OUD? Anything special you did in installation?


                  Attached are the images showing 18c Net Manager connecting to our current production OID (left) and to the newly installed OUD (right)

                  Attachment: 18cNetManagerConnToOIDAndOUD.jpg

                  • 6. Re: Cannot use 18c Net Manager to connect to OUD
                    Bhanuchandar Bobbili
                    • Do you see any errors in NetMgr logs?
                    • Also can you run netca & see if it picks up ldap.ora. Attaching 2 pics. Your netca should show host, port from ldap.ora

                    Attachments: Netca_1_ldap_ora.jpg, Netca_2_OracleContext.jpg

                    • 7. Re: Cannot use 18c Net Manager to connect to OUD
                      User51642 Yong Huang

                      Hi Bhanu,


                      Net Manager has no logs as far as I know. Let me know where you find the logs.

                      Using NetCA, in the step "Directory Usage Configuration", there are two options, OID and Microsoft AD. No OUD. I pick OID and specify our OUD server hostname, ports (1389 and 1636), User DN "cn=Directory Manager" (no quotes). On the next screen I got this error:


                      The directory has not been configured for this usage. It does not contain the required Oracle Schema, or the Oracle Schema version is not correct. Select how you want to proceed.

                      (*) I want to continue without using a directory service.

                      ( ) I want to verify service information and try again.


                      In C:\oracle\cfgtoollogs\netca\trace_OraClient18Home1-2004212PM2828.log, I see


                      [AWT-EventQueue-0] [ 2020-04-21 14:32:07.922 CDT ] [ConfigureLDAP.testConnection:485] Trying SSL No auth with credls.

                      [AWT-EventQueue-0] [ 2020-04-21 14:32:08.312 CDT ] [ConfigureLDAP.testConnection:491] ConfigException during SSL no auth: TNS-04410: Directory service authentication failed

                        caused by: oracle.net.config.DirectoryServiceException: TNS-04410: Directory service authentication failed

                        caused by: oracle.net.ldap.NNFLException


                      On the other hand, I *can* use NetCA to create ldap.ora by specifying the details of our OID. The ldap.ora thus created is exactly the same as we've been using all the time. NetCA is just not ready to deal with OUD. But that's not the root cause. The ldap.ora correctly created for OID can simply be edited with info for OUD, but this ldap.ora can only be used by 11g, 12c but not 18c, 19c Net Manager.


                      I did some strace running netmgr from 11g and 18c Linux clients and compared the output. So far there's nothing like a breakthrough.


                      We set up another OUD on a different server. The problem is exactly reproduced there. Also, the records in our OUD can be added/deleted/modified by running corresponding ldif* commands passing .ldif files, but obviously we prefer to use a GUI tool such as Net Manager.
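Reply 2 gives the ldap.ora shape and states that NetCA needs anonymous binding to OUD; reply 7's NetCA trace shows the client first trying "SSL No auth" and failing with TNS-04410 before anything else happens. The script below is an added example written for this page, not code from the thread or from Oracle. It parses a constructed ldap.ora in the shapes shown above, derives the DN an Oracle Net client reads for a connect identifier (cn=<alias>,cn=OracleContext,<DEFAULT_ADMIN_CONTEXT>, the standard Oracle Net directory layout), and builds anonymous ldapsearch probes, one over ldap:// on the non-SSL port and one over ldaps:// on the SSL port when one is listed, so the same two reads NetCA attempts can be tried from the command line. The ldapsearch syntax is OpenLDAP's (assumed tool; Oracle's own ldapsearch uses -h/-p instead), the host names and the LDIF reply are constructed, and the exact schema check NetCA performs is not shown on this page, so the LDIF helper only checks that orclNetDescString comes back anonymously.

```python
"""Probe what an Oracle Net client needs from OUD/OID, driven by ldap.ora.
Added example for this thread; assumes OpenLDAP ldapsearch and the standard
cn=OracleContext layout.  All sample data below is constructed."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed ldap.ora: host:port:sslport and host:port forms, quoted admin
# context, and server type OID (reply 4: OUD is not an accepted value).
SAMPLE_LDAP_ORA = """\
# client-side ldap.ora (constructed sample)
DIRECTORY_SERVERS= (oud1.example.com:1389:1636, oud2.example.com:1389)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""

# Constructed LDIF: what an anonymous base search of one alias returns when
# the directory lets anonymous users read the Oracle Net entries.
SAMPLE_ALIAS_LDIF = """\
dn: cn=abcd,cn=OracleContext,dc=example,dc=com
objectClass: top
objectClass: orclNetService
cn: abcd
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=abcd.example.com)))
"""

@dataclass
class DirectoryServer:
    host: str
    port: int                       # non-SSL port, where anonymous bind goes
    ssl_port: Optional[int] = None  # optional third field

@dataclass
class LdapOra:
    servers: List[DirectoryServer]
    admin_context: str              # DEFAULT_ADMIN_CONTEXT without quotes
    server_type: str                # must be OID, even for OUD

def parse_ldap_ora(text: str) -> LdapOra:
    """Parse the three ldap.ora parameters an Oracle Net client reads."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip()
    servers: List[DirectoryServer] = []
    raw_list = params.get("DIRECTORY_SERVERS", "").strip("() ")
    for item in re.split(r"[,\s]+", raw_list):
        if not item:
            continue
        parts = item.split(":")
        port = int(parts[1]) if len(parts) > 1 else 389
        ssl_port = int(parts[2]) if len(parts) > 2 else None
        servers.append(DirectoryServer(parts[0], port, ssl_port))
    admin_context = params.get("DEFAULT_ADMIN_CONTEXT", "").strip('"')
    server_type = params.get("DIRECTORY_SERVER_TYPE", "").upper()
    if not servers or not admin_context:
        raise ValueError("ldap.ora needs DIRECTORY_SERVERS and DEFAULT_ADMIN_CONTEXT")
    if server_type != "OID":
        raise ValueError(f"DIRECTORY_SERVER_TYPE must be OID, got {server_type!r}")
    return LdapOra(servers, admin_context, server_type)

def oracle_context_dn(cfg: LdapOra) -> str:
    return f"cn=OracleContext,{cfg.admin_context}"

def net_service_dn(cfg: LdapOra, alias: str) -> str:
    """DN under which a connect identifier (TNS alias) is stored."""
    return f"cn={alias},{oracle_context_dn(cfg)}"

def anonymous_probe_commands(cfg: LdapOra, alias: str) -> List[str]:
    """Anonymous (-x, no -D/-w) base searches for one alias, mirroring the
    client: plain LDAP on the port, and LDAPS on the SSL port when listed.
    'No such object' or an authentication error here is what to fix on OUD."""
    cmds: List[str] = []
    for s in cfg.servers:
        urls = [f"ldap://{s.host}:{s.port}"]
        if s.ssl_port is not None:
            urls.append(f"ldaps://{s.host}:{s.ssl_port}")
        for url in urls:
            cmds.append(shlex.join([
                "ldapsearch", "-x", "-H", url,
                "-b", net_service_dn(cfg, alias), "-s", "base",
                "(objectClass=*)", "orclNetDescString",
            ]))
    return cmds

def connect_descriptor_from_ldif(ldif: str) -> Optional[str]:
    """Return orclNetDescString from LDIF output, or None if it was not readable."""
    for line in ldif.splitlines():
        if line.lower().startswith("orclnetdescstring:"):
            return line.split(":", 1)[1].strip()
    return None

if __name__ == "__main__":
    cfg = parse_ldap_ora(SAMPLE_LDAP_ORA)
    for cmd in anonymous_probe_commands(cfg, "abcd"):
        print(cmd)
    print(connect_descriptor_from_ldif(SAMPLE_ALIAS_LDIF))
```

If the plain ldap:// probe returns the descriptor but the ldaps:// one fails, the SSL listener rather than the data is the problem, which matches the "SSL No auth" step in the NetCA trace. On OUD, read access is governed by ACIs; whatever is granted to anonymous should be limited to the cn=OracleContext subtree rather than the whole suffix, since the connect descriptors are the only thing the client needs without credentials.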