
Cannot use 18c Net Manager to connect to OUD

User51642 Yong Huang, Apr 16 2020 — edited Apr 28 2020

We just set up Oracle Unified Directory 12.2.1.4 and added database connect identifiers (commonly called TNS entries). We can successfully use them in tnsping or sqlplus. Net Manager from Oracle 12c or older client can also log into it to add or delete or update the connect identifiers. But when we launch Net Manager from 18c or 19c client trying to connect to OUD, even before we're prompted to enter username and password, the Net Manager GUI does not show "Directory" under the top line "Oracle Net Configuration", which only has "Local" under it. What could be wrong? Our client side %oracle_home%\network\admin\ldap.ora has these lines:

DIRECTORY_SERVERS= (<the new oud server hostname>:1389)

DEFAULT_ADMIN_CONTEXT = "dc=..."

DIRECTORY_SERVER_TYPE = OID

Again, these settings are correct because 12c or 11g Net Manager can use it with no problem.

I remember 18c has some new features or restrictions related to Net Services. Here's a problem we solved last year. We actually have two OID directory servers (we currently use OID, thinking of migrating to OUD), say oid1 and oid2. An F5 load balancer sits in front of them called oid. For thousands of clients in our company, we give them ldap.ora that uses oid.ourcompany.com as the directory server name. But if we DBAs use oid as the OID hostname in ldap.ora, 18c+ Net Manager has the same problem: "Directory" is not shown. The solution for us DBAs is to directly use oid1 or oid2, bypassing the load balancer. But in the new installation this time, we *are* specifying the OUD server hostname directly; there's no load balancer. It's just that the symptom is exactly the same as our last year's problem and the fact that a 12c/11g client is a good workaround makes us think the root cause is the same. But checking 18c New Features documentation doesn't reveal anything relevant.

So, my question is: How do we configure OUD and/or 18c or 19c Oracle client so we can use Net Manager to manage connect identifiers stored in OUD?

Comments

Hi Yong,

Given the specifics on versions and components, I would suggest opening a Service Request with the DB product, as it seems to be a client component that is part of DB.

Best regards

Etienne Remillon

Bhanuchandar Bobbili

Here are a few thoughts:

1) For an OUD connection, use the format below in ldap.ora.

DIRECTORY_SERVERS= (172.16.30.174:1389:1636)

DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"

DIRECTORY_SERVER_TYPE = OID

2) Netca requires Anonymous binding to OUD.

Note: Please mark my post as helpful / answered if it helped you.
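
A small checker for the three ldap.ora settings discussed in this thread, added here as an example (it is not part of the thread and not an Oracle tool). It assumes simple one-line `NAME = value` entries; the function names are hypothetical and the sample file is constructed from the format shown in the reply above.

```python
import re

# Constructed sample in the format given in the reply above.
SAMPLE = '''DIRECTORY_SERVERS= (172.16.30.174:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
'''

def parse_ldap_ora(text):
    """Return {NAME: value} for 'NAME = value' lines; lines starting with '#' are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # split once: the DN value itself contains '='
        params[name.strip().upper()] = value.strip()
    return params

def parse_servers(value):
    """Split '(host:port[:sslport], ...)' into (host, port, sslport or None) tuples."""
    servers = []
    for item in value.strip().strip("()").split(","):
        parts = item.strip().split(":")
        if len(parts) not in (2, 3) or not parts[0] or not all(p.isdigit() for p in parts[1:]):
            raise ValueError(f"bad DIRECTORY_SERVERS entry: {item.strip()!r}")
        servers.append((parts[0], int(parts[1]), int(parts[2]) if len(parts) == 3 else None))
    return servers

def check_ldap_ora(text):
    """Return a list of findings; an empty list means the three settings are well formed."""
    p, findings = parse_ldap_ora(text), []
    for name in ("DIRECTORY_SERVERS", "DEFAULT_ADMIN_CONTEXT", "DIRECTORY_SERVER_TYPE"):
        if name not in p:
            findings.append(f"{name} is missing")
    if "DIRECTORY_SERVERS" in p:
        try:
            for host, port, ssl_port in parse_servers(p["DIRECTORY_SERVERS"]):
                if ssl_port is None:
                    findings.append(f"{host}:{port} has no SSL port (host:port:sslport)")
        except ValueError as exc:
            findings.append(str(exc))
    server_type = p.get("DIRECTORY_SERVER_TYPE")
    if server_type is not None and server_type.upper() != "OID":
        findings.append(f"DIRECTORY_SERVER_TYPE = {server_type}: the thread says to keep OID for OUD")
    ctx = p.get("DEFAULT_ADMIN_CONTEXT")
    if ctx is not None and not re.fullmatch(r'"[^"=,]+=[^",]+(,[^"=,]+=[^",]+)*"', ctx):
        findings.append("DEFAULT_ADMIN_CONTEXT is not a quoted DN as in the thread's example")
    return findings
```

Calling `check_ldap_ora(open(path).read())` on a client's ldap.ora rules out a syntax problem before looking at the directory side.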

User51642 Yong Huang

Yes I tried specifying both 1389 and 1389:1636. I even tried OUD instead of OID on the server type line. It made no difference. Are you saying the 18c+ netca or netmgr requires anonymous binding but older versions don't? Or connecting to OUD requires it but OID does not? What's the practical implication?

Bhanuchandar Bobbili

Let's have a WebEx call to look into your issue.

  • The DIRECTORY_SERVER_TYPE value is always OID; it doesn't accept the OUD value.
  • Is your OUD a Proxy Server or Directory Server?
  • In which DN do your TNS entries exist in OUD?
  • Can you upload a screenshot of Netmgr?
  • OID has a flag called orclanonymousbindsflag.

User51642 Yong Huang

That's OK, Bhanu. Thank you though. We opened an SR (3-22888459841) in case you can review it. Our OUD is a directory server, not proxy. As I said, we *can* use 11g or 12c Oracle client Net Manager to connect and manipulate the connect identifiers in this new OUD, and with 18c Oracle client, we *can* run "tnsping <abcd>" or "sqlplus <user>/<password>@<abcd>", where <abcd> is a connect identifier inside OUD, although Net Manager doesn't show "Directory" and so cannot connect. You don't have problems using 18c or 19c Net Manager to connect to OUD? Anything special you did in installation?

Attached are the images showing 18c Net Manager connecting to our current production OID (left) and to the newly installed OUD (right).

18cNetManagerConnToOIDAndOUD.jpg

Bhanuchandar Bobbili

  • Do you see any errors in NetMgr logs?
  • Also, can you run netca and see if it picks up ldap.ora? Attaching 2 pics. Your netca should show the host and port from ldap.ora.

Netca_1_ldap_ora.jpg Netca_2_OracleContext.jpg

User51642 Yong Huang

Hi Bhanu,

Net Manager has no logs as far as I know. Let me know where you find the logs.

Using NetCA, in the step "Directory Usage Configuration", there're two options, OID and Microsoft AD. No OUD. I pick OID and specify our OUD server hostname, ports (1389 and 1636), User DN "cn=Directory Manager" (no quotes). On the next screen I got this error:

The directory has not been configured for this usage. It does not contain the required Oracle Schema, or the Oracle Schema version is not correct. Select how you want to proceed.

(*) I want to continue without using a directory service.

( ) I want to verify service information and try again.

In C:\oracle\cfgtoollogs\netca\trace_OraClient18Home1-2004212PM2828.log, I see:

[AWT-EventQueue-0] [ 2020-04-21 14:32:07.922 CDT ] [ConfigureLDAP.testConnection:485] Trying SSL No auth with credls.

[AWT-EventQueue-0] [ 2020-04-21 14:32:08.312 CDT ] [ConfigureLDAP.testConnection:491] ConfigException during SSL no auth: TNS-04410: Directory service authentication failed

  caused by: oracle.net.config.DirectoryServiceException: TNS-04410: Directory service authentication failed

  caused by: oracle.net.ldap.NNFLException

On the other hand, I *can* use NetCA to create ldap.ora by specifying the details of our OID. The ldap.ora thus created is exactly the same as we've been using all the time. NetCA is just not ready to deal with OUD. But that's not the root cause. The ldap.ora correctly created for OID can simply be edited with info for OUD, but this ldap.ora can only be used by 11g, 12c but not 18c, 19c Net Manager.

I did some strace running netmgr from 11g and 18c Linux clients and compared the output. So far there's nothing like a breakthrough.

We set up another OUD on a different server. The problem is exactly reproduced there. Also, the records in our OUD can be added/deleted/modified by running corresponding ldif* commands passing .ldif files, but obviously we prefer to use a GUI tool such as Net Manager.

Xiaogang Zheng

Is the problem resolved? I have the same issue. Need to know the solution.
Thanks

User51642 Yong Huang

Hi Xiaogang, we have abandoned this product and installed OID instead. OID may be an overkill for this job but it's more mature and stable. We love it.
As far as I know, Oracle has created Bug 31217992 for this problem. The bug seems to be unpublished. So I don't know the details.

Xiaogang Zheng

Thank you very much for your answer.
