Oracle Internet Directory Administrator's Guide
Release 2.1.1

Part Number A86101-01


11
Synchronizing with Multiple Directories

Oracle Internet Directory release 2.1.1 enables synchronization with supported third-party metadirectory solutions. Synchronization with these metadirectory solutions occurs through the use of change logs. This chapter describes how that change log information is generated and used by supporting solutions. It also provides instructions for enabling other directories to synchronize with Oracle Internet Directory.


The Synchronization Process

Changes in an Oracle Internet Directory are recorded as entries in the change log object store. Other directories must have access to that store if they are to synchronize with Oracle Internet Directory. You grant them this access by registering them with Oracle Internet Directory.

Each entry in the change log store has a change number. Another directory retrieves from Oracle Internet Directory only those entries with change numbers equal to or greater than the last change it retrieved. For example, suppose that the entry that a directory last retrieved had a change number of 250. Entries that this directory subsequently retrieves must have change numbers of 250 or greater.


Note:

If the search results do not include the entry whose change number matches the last change retrieved, then some of the entries in the Oracle Internet Directory change log have been purged. The directory must then read the entire Oracle Internet Directory change log to synchronize its copy with that of Oracle Internet Directory.


Once you have registered another directory with Oracle Internet Directory, that directory can authenticate to Oracle Internet Directory and retrieve updates from it. It does this by following the processes described in this section.

See Also:

Enabling Other Directories to Synchronize with Oracle Internet Directory for instructions on registering directories with Oracle Internet Directory 


How a Directory Retrieves Changes the First Time from Oracle Internet Directory

In this example, my_other_directory acquires changes from Oracle Internet Directory by issuing the following command through ldapsearch:

ldapsearch -h host -p port -b "cn=changeLog" -s one \
"(&(objectclass=changeLogEntry)(changeNumber>=orclLastAppliedChangeNumber)(!(modifiersname=cn=my_other_directory,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory)))"

When the directory is retrieving changes for the first time, the value for orclLastAppliedChangeNumber is the number you set in "Task 2: Register a Directory as a Change Subscription Object in Oracle Internet Directory".

The argument (!(modifiersname=client_bind_dn)) in the filter ensures that Oracle Internet Directory does not return changes made by the other directory itself.

How a Connected Directory Updates the orclLastAppliedChangeNumber Attribute in Oracle Internet Directory

After retrieving changes from Oracle Internet Directory, the connected directory updates the orclLastAppliedChangeNumber attribute in its change subscription object. This allows Oracle Internet Directory to purge changes that connected directories have already applied. It also enables the connected directory to retrieve only the most recent changes, ignoring those it has already applied.

This example uses an input file named mod.ldif in which the last applied change number is 121. The connected directory updates orclLastAppliedChangeNumber in its change subscription object as follows:

  1. Edit mod.ldif:

    dn: cn=my_other_directory,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory
    changetype: modify
    replace: orclLastAppliedChangeNumber
    orclLastAppliedChangeNumber: 121

  2. Use ldapmodify to load the edited mod.ldif file:

    ldapmodify -h host -p port -f mod.ldif
    

    See Also:

    "Change Log Purging" for information about purging changes according to change numbers. 

How a Directory Retrieves Changes After the First Time from Oracle Internet Directory

To retrieve changes after the first time, the other directory issues a command by using ldapsearch. The following example returns all the changes with changeNumber equal to or greater than 121, except those related to operations performed by the other directory itself.

ldapsearch -h my_host -p my_port_number -b "cn=changeLog" -s one \
"(&(objectclass=changeLogEntry)(changeNumber>=121)(!(modifiersname=cn=my_other_directory,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory)))"
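
The following is an added example, not part of Oracle's guide or tooling: shell helpers for one polling cycle as described in this section. They build the search filter, apply the purge rule from the note above, and generate the mod.ldif content. The function names and the "changenumber: N" output line format are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle code. Helpers for one change log polling cycle.
# Assumption: search output is LDIF with one "changenumber: N" line per entry.

SUBSCRIBER_DN='cn=my_other_directory,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory'

# Accept only a plain decimal number, so a stored or received value can never
# add clauses to the search filter or extra lines to the LDIF.
is_change_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Filter from the page: changes at or after $1, excluding our own writes.
changelog_filter() {
    is_change_number "$1" || return 1
    printf '(&(objectclass=changeLogEntry)(changeNumber>=%s)(!(modifiersname=%s)))\n' \
        "$1" "$SUBSCRIBER_DN"
}

# Read search output on stdin, print the change numbers in ascending order.
change_numbers() {
    sed -n 's/^[Cc]hange[Nn]umber:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' | sort -n
}

# Succeeds if the entry matching the last applied number $1 came back.
# Failure means entries were purged and the whole change log must be re-read.
anchor_present() {
    is_change_number "$1" || return 1
    change_numbers | grep -x "$1" >/dev/null
}

# Highest change number in the search output on stdin.
highest_change() {
    change_numbers | tail -n 1
}

# Contents of mod.ldif that record $1 as the last applied change number.
mod_ldif() {
    is_change_number "$1" || return 1
    printf 'dn: %s\nchangetype: modify\nreplace: orclLastAppliedChangeNumber\n' "$SUBSCRIBER_DN"
    printf 'orclLastAppliedChangeNumber: %s\n' "$1"
}
```

Write the mod_ldif output to mod.ldif and load it with ldapmodify only after the retrieved changes have been applied locally, so that a failed run is retried from the same change number.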

Enabling Other Directories to Synchronize with Oracle Internet Directory

To enable other directories to retrieve the changes stored in Oracle Internet Directory, you perform the tasks described in this section.

Task 1: Perform Initial Bootstrapping

To bootstrap a directory to synchronize data between a local directory and Oracle Internet Directory, execute these steps:

  1. Retrieve the current change number from Oracle Internet Directory by executing the following command:

    oidcurrentchange.sh -connect net_service_name
    
    

    This displays the current change number. Later, you will use this number to fill the orclLastAppliedChangeNumber field when you register the directory.

  2. Use ldifwrite to export data from Oracle Internet Directory into an LDIF file.

  3. Convert the LDIF file to a format suitable to the client directory, then load it into the client directory.


    Note:

    Initial bootstrapping is not required with a newly installed Oracle Internet Directory. In this case, the current change number of the newly installed Oracle Internet Directory is 0 (zero). 


    See Also:

    "ldifwrite Syntax" for instructions on using ldifwrite 

Task 2: Register a Directory as a Change Subscription Object in Oracle Internet Directory

To enable other directories to synchronize with an Oracle Internet Directory, you must register them with Oracle Internet Directory. This gives the directories access to change log objects stored in Oracle Internet Directory.

About Directory Registration

To register a directory, you make an entry for it in Oracle Internet Directory. This entry is called a change subscription object, and it is placed under the following container in the Oracle Internet Directory schema:

cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory

This change subscription object provides a unique credential for a directory to bind with Oracle Internet Directory and to retrieve changes from it.

Associate the change subscription object with the auxiliary object class orclChangeSubscriber, which has several attributes, two of them mandatory. The two mandatory attributes are:

userPassword 

Password to be used by the directory when accessing the change log object in Oracle Internet Directory 

orclLastAppliedChangeNumber 

Number of the change applied during the last synchronization. This attribute allows the directory to retrieve only the changes in Oracle Internet Directory it has not already applied. 

Registering a Directory

To register a directory, use ldapadd. The following example uses an input file, named add.ldif, to create a change subscription object, my_other_directory, under the container
cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory.

Deregistering a Directory

To deregister a directory, use ldapdelete. Enter the following command:

ldapdelete -h host -p port "cn=directory_name,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory"

Task 3: Grant Directories Access to the Oracle Internet Directory Change Log Object Store

Once you have registered a directory with Oracle Internet Directory, you must grant it read access to the cn=changeLog entry in Oracle Internet Directory.

See Also:

Chapter 9, "Managing Directory Access Control" for instructions on setting access control policies 


Copyright © 1996-2000, Oracle Corporation.

All Rights Reserved.
