Oracle® Database
Using Oracle Database with Microsoft Active Directory
10g Release 1 (10.1.0.2.0) for Windows
Part No. B13798-01

Copyright © 2004, Oracle. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

March 2004

This document describes how to configure and use Microsoft Active Directory as the LDAP directory.


1 Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at

http://www.oracle.com/accessibility/
Accessibility of Code Examples in Documentation

JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

2 Microsoft Active Directory Support

This document describes how Microsoft Active Directory is used as an LDAP directory server by the Oracle database.

2.1 About Microsoft Active Directory

Active Directory is the LDAP-compliant directory server included with Windows 2000. Active Directory stores all Windows 2000 information, including users, groups, and policies. Active Directory also stores information about network resources (such as databases) and makes this information available to application users and network administrators. Active Directory enables users to access network resources with a single login. The scope of Active Directory can range from storing all the resources of a small computer network to storing all the resources of several wide area networks (WANs).

2.2 Accessing Active Directory

When using Oracle features that support Active Directory, ensure that the domain controller can be reached using every possible TCP/IP hostname form. For example, if the hostname of the domain controller is server1 in the domain acme.com, then ensure that you can ping that computer using all of the following:

  • server1.acme.com

  • acme.com

  • server1

Active Directory often issues referrals back to itself in one or more of these forms, depending upon the operation being performed. If any of the forms cannot reach the Active Directory computer, then some LDAP operations may fail.

3 Oracle Components that Integrate with Active Directory

The following Oracle database features support or have been specifically designed to integrate with Active Directory:

3.1 Directory Naming

Oracle Database provides the Directory Naming feature which makes use of a directory server. This feature has been enabled to work with Microsoft Active Directory.

Directory Naming enables clients to connect to the database making use of information stored centrally in an LDAP-compliant directory server such as Active Directory. For example, any net service name previously stored in the tnsnames.ora file can now be stored in Active Directory.

3.2 Automatic Discovery of Directory Servers

Oracle Net Configuration Assistant provides automatic discovery of directory servers. When you select Active Directory as the directory server type, Oracle Net Configuration Assistant automatically discovers the directory server location and performs related tasks.


See Also:

"Configuring Oracle Database To Use Active Directory" for further information on Active Directory configuration

3.3 Integration with Microsoft Tools

Oracle database services, net service names, and enterprise role entries in Active Directory can be displayed and tested in two Windows 2000 tools:

  • Windows Explorer

  • Active Directory Users and Computers

Windows Explorer displays the hierarchical structure of files, directories, and local and network drives on your computer. It can display and test Oracle database service and net service name objects.

Active Directory Users and Computers is an administrative tool installed on Windows servers configured as domain controllers. This tool enables you to add, modify, delete, and organize Windows 2000 accounts and groups, and publish resources in the directory of your organization. Like Windows Explorer, it can display and test Oracle database service and net service name objects. Additionally, it can manage access control.

3.4 User Interface Extensions for Oracle Net Directory Naming

The property menus of Oracle database service and net service name objects in Windows Explorer and Active Directory Users and Computers have been enhanced. When you right-click these Oracle directory objects, you now see two new options for testing connectivity:

  • Test

  • Connect with SQL*Plus

The Test option tests whether the username, password, and net service name you initially entered can actually connect to the Oracle database. The Connect with SQL*Plus option starts SQL*Plus, which enables you to perform database administration, run scripts, and so on.

3.5 Enhancement of Directory Object Type Descriptions

Oracle directory object type descriptions in Active Directory have been enhanced to make them easier to understand. In the right pane of Figure 1, for example, the Type column reveals that sales is an Oracle Net Service name.

Figure 1 Directory Object Type Descriptions in Active Directory


3.6 Integration with Windows Login Credentials

The Oracle database and configuration tools can use the login credentials of the currently logged-on Windows user to connect to Active Directory automatically (that is, without re-entering the login credentials). This feature has two benefits:

  • Oracle clients and databases can securely connect to Active Directory and retrieve the net service name.

  • Oracle configuration tools can connect automatically to Active Directory and configure the Oracle database and net service name objects. The enabled tools include Oracle Net Configuration Assistant and Database Configuration Assistant.

3.7 Oracle Directory Objects in Active Directory

If the Oracle database and Oracle Net Services are installed and configured to access Active Directory, then Active Directory Users and Computers displays Oracle directory objects, as illustrated in Figure 2:

Figure 2 Oracle Directory Objects in Active Directory Users and Computers


Table 1 describes the Oracle directory objects appearing in Figure 2.

Table 1 Oracle Directory Objects

  • oranet.dev: The domain in which you created your Oracle Context. This domain (also known as the administrative context) contains various Oracle entries to support directory naming. Oracle Net Configuration Assistant automatically discovers this information during Oracle database integration with Active Directory.

  • OracleContext: The top-level Oracle entry in the Active Directory tree. It contains Oracle database service and net service name object information. All Oracle software information is placed in this folder.

  • orcl: The Oracle database service name used in this example.

  • Products: A folder for Oracle product information.

  • sales: The net service name object used in this example.

  • Users: The folder for the Oracle security groups. See section "Access Control List Management for Oracle Directory Objects" for more information. Enterprise users and roles created with Oracle Enterprise Security Manager also appear in this folder.

4 Requirements for Using Oracle Database with Active Directory

To use Net Directory Naming with Active Directory, you must have certain Microsoft and Oracle software releases, and you must create an Oracle Schema and an Oracle Context. These requirements are discussed in the following sections:


Note:

  • The Oracle schema and Oracle Context can both be created by running Oracle Net Configuration Assistant.

  • Regardless of the Oracle client and Oracle database releases you are using, you must be running in a Windows 2000 domain to integrate Net Directory Naming with Active Directory.


If you are using Active Directory with Oracle Database, ping the DNS domain name of your Windows 2000 domain. If this does not work, then perform either of the following tasks:

  • Set your Windows 2000 primary domain controller IP address as your DNS.

    For example, if your Windows 2000 domain is sales, the DNS domain name for this domain is sales.acme.com. The IP address is of the form 001.002.003.0.

  • Add the DNS domain name of your Windows 2000 domain and your domain controller IP address to your hosts or lmhosts file.

    On the Windows 2000 computer, either 001.002.003.0 can be set as the DNS, or 001.002.003.0 acme.com can be added to the hosts or lmhosts file.

If this step is not performed, then errors such as the following are returned when using Active Directory:

Cannot Chase Referrals
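As an added example (not part of the Oracle document), the following Python script automates the reachability check described in "Accessing Active Directory" and the domain-name check above: it derives the three name forms from the domain controller's fully qualified name and probes each one. The probe resolves the name and opens a TCP connection to port 389 (LDAP) rather than using ICMP ping; the name server1.acme.com and the port are assumptions you would replace with your own values.

```python
import socket

LDAP_PORT = 389          # assumption: plain LDAP; use 636 if the DC only answers LDAPS
TIMEOUT_SECONDS = 3.0


def name_forms(fqdn):
    """Return the three forms the text says must all reach the domain controller:
    the full name, the bare domain name, and the bare host name."""
    host, _, domain = fqdn.partition(".")
    if not host or not domain:
        raise ValueError("expected a fully qualified name such as server1.acme.com")
    return [fqdn, domain, host]


def tcp_probe(name, port=LDAP_PORT, timeout=TIMEOUT_SECONDS):
    """Resolve a name and open a TCP connection to the LDAP port.
    Returns (ok, detail): detail is the address on success, the error otherwise."""
    try:
        addr = socket.gethostbyname(name)
    except socket.gaierror as exc:
        return False, "name resolution failed: %s" % exc
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True, addr
    except OSError as exc:
        return False, "%s:%d connect failed: %s" % (addr, port, exc)


def check_reachability(fqdn, probe=tcp_probe):
    """Probe every name form and return (results, failed_forms).
    The probe is injectable so the logic can be exercised without a network."""
    results = {name: probe(name) for name in name_forms(fqdn)}
    failed = [name for name, (ok, _) in results.items() if not ok]
    return results, failed


if __name__ == "__main__":
    # Constructed example value; replace with your own domain controller name.
    results, failed = check_reachability("server1.acme.com")
    for name, (ok, detail) in results.items():
        print("%-20s %s %s" % (name, "OK  " if ok else "FAIL", detail))
    if failed:
        # Any unreachable form means referrals Active Directory issues in that
        # form cannot be chased, and some LDAP operations will fail.
        print("unreachable forms: %s" % ", ".join(failed))
```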

4.1 Directory Naming Software Requirements

For client computers from which you want to manage Oracle Database enterprise users, roles and domains, you must have Oracle8i Client release 8.1.6 or later and one of the following Microsoft products:

  • Windows XP, Windows 2000, or Windows Server 2003

  • Windows NT 4.0 with Active Directory Service Interfaces (ADSI)

For the database, you must have Oracle8i Database release 8.1.6 or later. This is required for registering the database service as an object in Active Directory. The database can use either of the following Microsoft products:

  • Windows 2000 or Windows Server 2003

  • Windows NT 4.0 with ADSI

Both the client computers and the database must be members of a Windows 2000 domain.

4.2 Oracle Schema Creation

You must create an Oracle schema to use net directory naming features with Active Directory. A schema is a set of rules for Oracle Net Services and Oracle database entries and their attributes stored in Active Directory. The following restrictions apply to creating an Oracle schema to use with Active Directory:

  • Only one Oracle schema can be created for each forest.

  • Schema creation is performed on a Windows 2000 domain controller.

  • The Windows 2000 domain controller must be the operations master that allows schema updates. See your Windows operating system documentation for instructions.

To create an Oracle schema:

  1. Log in as a member of the Schema Administrator group. Domain administrators are in the Schema Administrator group by default.

  2. Use Oracle Net Configuration Assistant to create the Oracle schema. You can create your schema during or after database installation.

Oracle schema creation can fail while Oracle Net Configuration Assistant is configuring Active Directory as the directory server if the Active Directory display is not configured to accept all 24 default languages. Before running Oracle Net Configuration Assistant to complete directory access configuration, verify that the display specifiers for all 24 languages are populated by entering the following at the command prompt:

ldifde -p OneLevel -d cn=DisplaySpecifiers,cn=Configuration,<domain context> -f <temp file>

where:

  • <domain context> is the domain context for this Active Directory server, for example dc=acme,dc=com.

  • <temp file> is the file where you want to put the output.

If the command reports that fewer than 24 entries were found, you can still use Oracle Net Configuration Assistant. However, the report will indicate that Oracle schema creation failed, rather than simply reporting that display specifiers for some languages were not created.
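As an added example (not code from the Oracle document), the following Python script parses the LDIF file that the ldifde command above writes and reports how many language containers were exported under cn=DisplaySpecifiers, so the 24-entry check can be scripted instead of counted by hand. The parser is generic for ldifde output (folded lines and base64 values included); the sample LDIF embedded in the script is constructed and deliberately contains only two containers.

```python
import base64

EXPECTED_LANGUAGES = 24   # default display specifier containers the text expects


def parse_ldif(text):
    """Parse LDIF as written by ldifde into a list of (dn, attributes) pairs.
    Folded lines (a leading space continues the previous line) and base64
    values ('attr:: dmFsdWU=') are handled; comment lines are skipped."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, None
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue                        # not an attribute line; ignore it
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if key.lower() == "dn":
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(key.lower(), []).append(value)
    return entries


def display_specifier_report(ldif_text):
    """Count the language containers exported from cn=DisplaySpecifiers and
    say whether all 24 are present, as the text asks you to verify."""
    languages = sorted(attrs.get("cn", ["?"])[0] for _, attrs in parse_ldif(ldif_text))
    return {"found": len(languages), "expected": EXPECTED_LANGUAGES,
            "complete": len(languages) >= EXPECTED_LANGUAGES, "languages": languages}


# Constructed sample standing in for the temp file ldifde writes: only two
# language containers (409 = English US, 407 = German) are present.
SAMPLE_LDIF = """\
dn: CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=acme,DC=com
changetype: add
objectClass: top
objectClass: container
cn: 409
distinguishedName: CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=acme,
 DC=com

dn: CN=407,CN=DisplaySpecifiers,CN=Configuration,DC=acme,DC=com
changetype: add
objectClass: container
cn: 407
"""

if __name__ == "__main__":
    print(display_specifier_report(SAMPLE_LDIF))
```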

4.3 Oracle Context Creation

You must create an Oracle Context to use net directory naming features with Active Directory. Oracle Context is the top-level Oracle entry in the Active Directory tree. It contains Oracle database service and Oracle Net service name object information.

  • You can create only one Oracle Context for each Windows 2000 domain (administrative context).

  • You must have the right to create domain and enterprise objects in order to create the Oracle Context in Active Directory with Oracle Net Configuration Assistant.

  • Use Oracle Net Configuration Assistant to create your Oracle Context. You can create the Oracle Context during or after Oracle Database Custom installation.


See Also:

  • Oracle Database Installation Guide for Windows for installation procedures

  • Oracle Net Services Administrator’s Guide for configuration procedures


5 Configuring Oracle Database To Use Active Directory

Oracle Net Configuration Assistant enables you to configure a client computer and an Oracle database to access a directory server. When you choose directory access configuration in Oracle Net Configuration Assistant, it prompts you to specify the directory server type to use. When you select Active Directory as the directory server type, the Automatic Discovery of Directory Servers feature of Oracle Net Configuration Assistant automatically:

  • Discovers the Active Directory server location

  • Configures access to the Active Directory server

  • Creates the Oracle context (also known as your domain)

If the Active Directory server is shut down while client connections are accessing an Oracle database, another Active Directory server is automatically discovered and begins providing connection information. This minimizes client connection downtime.


Note:

Regardless of the Oracle client and database releases you are using, you must be running in a Windows 2000 domain to take advantage of the automatic directory server discovery features of Oracle Net Configuration Assistant. If you are not running in a Windows 2000 domain, Oracle Net Configuration Assistant does not automatically discover your directory server, and instead prompts you for additional information, such as the Active Directory location.



6 Testing Connectivity

This section describes how to connect to an Oracle database through Active Directory.

6.1 Testing Connectivity from Client Computers

When using Oracle Net directory naming, client computers connect to a database by specifying the database or net service name entry that appears in the Oracle Context. For example, if the database entry under the Oracle Context in Active Directory is orcl, and the client and Oracle database are in the same domain, then a user connects to the database through SQL*Plus by entering the following connect string:

SQL> CONNECT scott/tiger@orcl

If the client and Oracle database are in different domains, a user connects to the database through SQL*Plus by entering:

SQL> CONNECT scott/tiger@orcl.domain

where domain is the domain in which the Oracle database is located.

These connect strings follow DNS-style conventions. While Active Directory also supports connections using X.500 naming conventions, Oracle recommends DNS-style conventions because they are easier to use.

DNS-style conventions enable client users to access an Oracle database through a directory server by entering minimal connection information, even when the client computer and Oracle database are in separate domains. Names following the X.500 convention are longer, especially when the client and Oracle database are located in different domains (also known as administrative contexts).


See Also:

  • "Configuration Management Concepts" in the Oracle Net Services Administrator’s Guide for more information about X.500 naming conventions

  • "Unlocking and Changing Passwords" in Oracle Database Installation Guide for Windows


6.2 Testing Connectivity from Microsoft Tools

Oracle directory objects in Active Directory are integrated with two Microsoft tools:

  • Windows Explorer

  • Active Directory Users and Computers

You can perform the following tasks from within these Microsoft tools:

  • Connect with SQL*Plus to an Oracle database

  • Test Oracle database connectivity

To test connectivity:

  1. Start Windows Explorer or Active Directory Users and Computers.

    To start Windows Explorer:

    1. Choose Start > Programs > Accessories > Windows Explorer.

    2. Expand My Network Places.

    3. Expand Entire Network.

    4. Expand Directory.

    To start Active Directory Users and Computers:

    Choose Start > Programs > Administrative Tools > Active Directory Users and Computers.


    Note:

    All clients accessing an Oracle database through Active Directory require read access on all net service name objects in the Oracle Context and must be able to authenticate anonymously with Active Directory. Oracle Net Configuration Assistant automatically sets this up.

  2. Expand the domain in which your Oracle Context is located.

  3. Expand your Oracle Context.

  4. Right-click a database service or Oracle Net Service name object.

    A menu appears with several options. This section covers the Test and Connect with SQL*Plus options.

    (Illustration: adtest.gif)

  5. If you want to test the database connection without actually connecting to it, choose Test.

    A status message appears describing the status of your connection attempt.

    (Illustration: adtstcon.gif)

  6. If you want to test the database connection by connecting to it, choose Connect with SQL*Plus.

    The Oracle SQL*Plus Login dialog appears.

    (Illustration: adsqlpls.gif)

  7. Enter your username and password, then click OK.

    A status message appears describing the status of your connection attempt.

7 Access Control List Management for Oracle Directory Objects

Access Control Lists provide Active Directory security by specifying:

  • A user that can access the object attributes in the object.

  • An authentication method to access the entry.

  • Access rights, or what the user can do, based on the read/write attributes of the object.

7.1 Security Groups

Security groups are automatically created when the Oracle Context is created in Active Directory. The user configuring access (and thus creating the Oracle Context) is automatically added to each group. The relevant groups are:

7.1.1 OracleDBCreators

The OracleDBCreators group is for the person registering the Oracle database. The domain administrator is automatically a member of this group. Users in this group can:

  • Create new Oracle database objects in the Oracle Context.

  • Modify the Oracle database objects that they create.

  • Read, but not modify, the membership for this group.

7.1.2 OracleNetAdmins

Users in the OracleNetAdmins group can:

  • Create, modify, and read Oracle Net Services objects and attributes.

  • Read the group membership of this group.

7.2 Accessing the Security Groups

You can add or remove users in the security groups with Active Directory Users and Computers.


Note:

Use Active Directory Users and Computers to perform the procedures described in this section. Windows Explorer does not provide the necessary functionality.

To add or remove users:

  1. Choose Start > Programs > Administrative Tools > Active Directory Users and Computers.

  2. Choose Advanced Features from the View main menu.

    This enables you to view and edit information that is normally hidden.

  3. Expand the domain (administrative context) in which your Oracle Context is located.

  4. Expand Users.

    The security groups appear in the right window pane.

    (Illustration: adsecgrp.gif)

  5. Right-click the Oracle security group that you want to view or modify.

    A menu appears with several options.

  6. Choose Properties.

  7. Choose the Members tab.

    The Properties dialog for the group you selected appears (in this example, OracleDBCreators).

    (Illustration: admembrs.gif)

  8. To add users, click Add.

    The Select Users, Contacts, Computers, or Groups dialog appears.

  9. Select the users or groups you want to add and click Add.

    Your selections appear in the Select Users, Contacts, Computers, or Groups dialog.

  10. To remove a user, select the user name from the Members list and click Remove.

  11. When you are finished adding and removing users, click OK.
