Monday, September 29, 2025

Creating Entra ID Enabled Net Service TNS Entries

Oracle Net Services provides name service resolution for Oracle database clients when looking up the connect string for a target database.  Cloud native Entra ID integration for Oracle database users is a new capability that provides centralized multi-factor authentication to end users and service accounts.

As customers explore transitioning their LDAP-based name service database entries to Entra ID integration (a.k.a. MSIE), one method is to duplicate all database entries with new entries that are tagged with _MSIE and incorporate the requisite TLS encrypted connectivity and Entra ID properties such as authentication method (e.g. interactive, passthrough, or service account), Entra ID tenant ID, Entra ID web app client ID and Entra ID web app database server URI.

A new manage_tns tool has been introduced to simplify creating and loading the Entra ID entries into the existing LDAP-based directory naming service.  Here is how to use manage_tns to duplicate all existing entries with new entries that carry the _MSIE tag and the Entra ID properties.

Step 1: Install python3-ldap and the manage_tns tool onto a Linux host

$ sudo dnf install python3-ldap
$ cd /u01
$ curl -so manage_tns.sh https://raw.githubusercontent.com/oudlabs/manage_tns/refs/heads/main/manage_tns.sh
$ chmod 0700 manage_tns.sh


Step 2: Back up the primary naming context

$ /u01/manage_tns.sh export -h <dshost> -p <ldaps_port> -f tnsnames.ora --suffix "DC=example,DC=com"

Sample output:

Directory Server: ldaps://tns1.example.com:1636
User: Loging into directory service anonymously
Exporting pdb3...done
Export to tnsnames.ora complete
$ cat tnsnames.ora
pdb3=
   (DESCRIPTION=
         (ADDRESS=(PROTOCOL=TCPS)(HOST=pdb3.example.com)(PORT=2484))
      (CONNECT_DATA=
         (SERVER=DEDICATED)
         (SERVICE_NAME=pdb3.example.com)))


Step 3: Export the database entries from the naming context with MSIE data

$ /u01/manage_tns.sh exportmsie -h <dshost> -p <ldaps_port> -f tnsnames-msie.ora --suffix "DC=example,DC=com" --dbport 2484 --method interactive --tenantid 7f4c6e3e-a1e0-43fe-14c5-c2f051a0a3a1 --clientid e5124a85-ac3e-14a4-f2ca-1ad635cf781a --serveruri "https://dbauthdemo.com/16736175-ca41-8f33-af0d-4616ade17621"

Sample output:

Directory Server: ldaps://tns1.example.com:1636
User: Loging into directory service anonymously
Exporting pdb3...done
Export to tnsnames-msie.ora complete
$ cat tnsnames-msie.ora
PDB3_MSIE=
   (DESCRIPTION=
         (ADDRESS=(PROTOCOL=TCPS)(HOST=pdb3.example.com)(PORT=2484))
         (SECURITY=
            (SSL_SERVER_DN_MATCH=TRUE)
            (WALLET_LOCATION=SYSTEM)
            (TOKEN_AUTH=AZURE_INTERACTIVE)
            (TENANT_ID=7f4c6e3e-a1e0-43fe-14c5-c2f051a0a3a1)
            (CLIENT_ID=e5124a85-ac3e-14a4-f2ca-1ad635cf781a)
            (AZURE_DB_APP_ID_URI=https://dbauthdemo.com/16736175-ca41-8f33-af0d-4616ade17621))
      (CONNECT_DATA=
         (SERVER=DEDICATED)
         (SERVICE_NAME=pdb3.example.com)))


Step 4: Update the database server URI (AZURE_DB_APP_ID_URI) for every database in tnsnames-msie.ora. The exportmsie command writes the single --serveruri value into every entry, so each entry must be edited to its own database's URI, as in this example:

PDB3_MSIE=
   (DESCRIPTION=
         (ADDRESS=(PROTOCOL=TCPS)(HOST=pdb3.example.com)(PORT=2484))
         (SECURITY=
            (SSL_SERVER_DN_MATCH=TRUE)
            (WALLET_LOCATION=SYSTEM)
            (TOKEN_AUTH=AZURE_INTERACTIVE)
            (TENANT_ID=7f4c6e3e-a1e0-43fe-14c5-c2f051a0a3a1)
            (CLIENT_ID=e5124a85-ac3e-14a4-f2ca-1ad635cf781a)
            (AZURE_DB_APP_ID_URI=https://dbauthdemo.com/16781793-df98-94e1-2c51-8a91e8878171))
      (CONNECT_DATA=
         (SERVER=DEDICATED)
         (SERVICE_NAME=pdb3.example.com)))
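As an added illustration (my own code, not part of this post or of the manage_tns tool), the following Python reproduces what Steps 2 to 4 do to an entry: it parses the exported tnsnames.ora, emits the _MSIE-tagged entry with the SECURITY block from Step 3, and takes each database's AZURE_DB_APP_ID_URI from Step 4 as an explicit input so that no entry is left carrying another database's URI. The sample tnsnames.ora text, the entry regex and the function names are assumptions of mine; only interactive authentication is handled, because AZURE_INTERACTIVE is the only TOKEN_AUTH value shown above.

```python
import re
# Constructed sample input: the tnsnames.ora exported in Step 2.
TNSNAMES = """pdb3=
   (DESCRIPTION=
         (ADDRESS=(PROTOCOL=TCPS)(HOST=pdb3.example.com)(PORT=2484))
      (CONNECT_DATA=
         (SERVER=DEDICATED)
         (SERVICE_NAME=pdb3.example.com)))
"""
# An entry is "alias=" at line start followed by indented descriptor text (assumed layout).
ENTRY_RE = re.compile(r"^([\w.-]+)\s*=\s*(\(.*?\)\s*)(?=^[\w.-]+\s*=|\Z)", re.M | re.S)

def parse_tnsnames(text):
    """Return {alias: {"host": ..., "service": ...}} for every entry in text."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        alias, body = m.group(1), m.group(2)
        host = re.search(r"\(HOST=([^)]+)\)", body)
        svc = re.search(r"\(SERVICE_NAME=([^)]+)\)", body)
        if not (host and svc):
            raise ValueError(f"{alias}: HOST or SERVICE_NAME missing")
        entries[alias] = {"host": host.group(1), "service": svc.group(1)}
    return entries

def msie_entry(alias, host, service, dbport, tenant_id, client_id, server_uri):
    """Render the _MSIE entry as in Step 3; only --method interactive is handled."""
    return (
        f"{alias.upper()}_MSIE=\n"
        "   (DESCRIPTION=\n"
        f"         (ADDRESS=(PROTOCOL=TCPS)(HOST={host})(PORT={dbport}))\n"
        "         (SECURITY=\n"
        "            (SSL_SERVER_DN_MATCH=TRUE)\n"
        "            (WALLET_LOCATION=SYSTEM)\n"
        "            (TOKEN_AUTH=AZURE_INTERACTIVE)\n"
        f"            (TENANT_ID={tenant_id})\n"
        f"            (CLIENT_ID={client_id})\n"
        f"            (AZURE_DB_APP_ID_URI={server_uri}))\n"
        "      (CONNECT_DATA=\n"
        "         (SERVER=DEDICATED)\n"
        f"         (SERVICE_NAME={service})))\n"
    )

def build_msie(text, dbport, tenant_id, client_id, server_uris):
    """server_uris maps alias -> that database's app ID URI (the Step 4 edit)."""
    out = []
    for alias, e in parse_tnsnames(text).items():
        if alias not in server_uris:  # fail rather than silently reuse a URI
            raise KeyError(f"no AZURE_DB_APP_ID_URI for {alias}")
        out.append(msie_entry(alias, e["host"], e["service"], dbport, tenant_id, client_id, server_uris[alias]))
    return "\n".join(out)
```

Call build_msie with the tenant ID and client ID from Step 3 and a dict of per-database URIs; the result can be written out as tnsnames-msie.ora and loaded as in Step 5.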


Step 5: Load the MSIE tagged entries

$ /u01/manage_tns.sh load -h <dshost> -p <ldaps_port> --suffix "DC=example,DC=com" -f tnsnames-msie.ora


Step 6: Confirm that Oracle database clients can authenticate with Entra ID integration into each of the databases

See the following blog posts on how to set up the respective Oracle database clients:

I hope you found this information helpful and insightful.

Blessings!
