
Oracle Internet Directory Administrator's Guide
Release 9.2

Part Number A96574-01

30
Oracle Directory Integration Server Administration

This chapter discusses the Oracle directory integration server and tells you how to configure and manage it. It contains these topics:

About the Oracle Directory Integration Server

The Oracle directory integration server is the central component of the Oracle Directory Integration Platform. It is a server process that does the following:

You can run multiple directory integration server instances on any host.

Registering the Oracle Directory Integration Server

To authenticate the node to run the Oracle Directory Integration Platform, install the directory integration server, then register it with Oracle Internet Directory. You register it by using the Oracle directory integration server registration tool (odisrvreg). You must separately register each directory integration server installed on a different host by running odisrvreg on that host. To run this tool, you need the privileges of an Oracle Internet Directory administrator.

As part of registration, the tool creates an entry in the directory and sets the password for the directory integration server. If the registration entry already exists, then you can use the tool to reset the existing password. The odisrvreg tool also creates a local file called odisrvwallet, at $ORACLE_HOME/ldap/odi/conf. This file acts as a private wallet for the directory integration server, which uses it on startup to bind to the directory.

Table 30-1 describes the parameters odisrvreg uses. You can also run odisrvreg in SSL mode to make communication between the tool and the directory fully secure, using the -U, -W, and -P parameters that are also in Table 30-1.

To register the directory integration server in non-SSL mode, enter this command:

odisrvreg -h hostname -p port -D binddn  -w bindpasswd

Table 30-1  Descriptions of ODISRVREG Arguments
Argument Description

-h hostname

Oracle directory server host name

-p port_number

Port number on which the directory server is running

-D binddn

Bind DN. The bind DN must have authorization to create the registration entry for the directory integration server.

-w bindpasswd

Bind password

-U ssl mode

SSL mode. For no authorization, specify 0. For one-way authorization, specify 1.

-W wallet

SSL wallet. Enter the full path name of the SSL wallet file. This wallet is a text wallet created by using the ExportWallet option of the Oracle Wallet Manager.

On UNIX, the path name could be:

/home/my_dir/my_wallet.dat

On Windows NT, the path name could be:

C:\my_dir\my_wallet.dat

See Also: Oracle Advanced Security Administrator's Guide for instructions on using the Oracle Wallet Manager

-P wallet_password

Password for opening the SSL wallet

To register the Oracle directory integration server in SSL mode--that is, to run the registration tool in SSL mode--enter the following:

odisrvreg -h hostname -p port -D binddn  -w bindpasswd
-U ssl_mode -W wallet -P wallet_password

The -U, -W, and -P parameters, shown here on a separate line for clarity, are actually used on the same command line as the others.
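An added check, not part of the Oracle guide: the commands on this page (odisrvreg, odisrv, oidctl, stopodis.sh) take passwords as command-line arguments, which on most UNIX systems other local users can read from a process listing while the command runs, and odisrvwallet holds the credential the server binds with. The script below flags password-bearing arguments in `ps -ef` output without printing their values and verifies that a wallet file is accessible to its owner only. The sample listing, PIDs, paths under /u01 and EXAMPLE_PW values are constructed.

```shell
#!/bin/sh
# Added audit sketch for the tools on this page; not Oracle-supplied code.

# Return 0 only if FILE is a regular file with no group/other permission bits.
wallet_mode_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c1-10)
    case "$perms" in
        -???------) return 0 ;;   # e.g. -rw------- or -r--------
        *)          return 1 ;;   # symlink, or accessible beyond the owner
    esac
}

# Read `ps -ef` style lines on stdin. For each invocation of odisrvreg,
# odisrv, oidctl or stopodis.sh that carries a password parameter, print
# "pid=<PID> <tool> <parameter>". The password value itself is never printed.
flag_password_args() {
    awk '
    {
        tool = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, parts, "/")
            base = parts[n]
            if (base == "odisrvreg" || base == "odisrv" ||
                base == "oidctl" || base == "stopodis.sh") {
                tool = base; first = i + 1; break
            }
        }
        if (tool == "") next
        for (j = first; j <= NF; j++) {
            if (tool == "odisrvreg" && ($j == "-w" || $j == "-P"))
                print "pid=" $2, tool, $j
            else if (tool == "stopodis.sh" && $j == "-bindpass")
                print "pid=" $2, tool, $j
            else if ($j ~ /(^|=)wpass=/)
                print "pid=" $2, tool, "wpass="
        }
    }'
}

# Constructed sample of `ps -ef` output (not captured from a real host).
sample_ps() {
    cat <<'EOF'
oracle  4121     1  0 10:02 ?     00:00:00 /u01/app/oracle/bin/odisrvreg -h dirhost -p 636 -D cn=orcladmin -w EXAMPLE_PW -U 1 -W /home/my_dir/my_wallet.dat -P EXAMPLE_PW
oracle  4200     1  0 10:05 ?     00:00:03 odisrv host=dirhost port=636 config=1 instance=1 sslauth=1 wloc=/home/my_dir/my_wallet.dat wpass=EXAMPLE_PW
oracle  4310  4001  0 10:06 pts/0 00:00:00 oidctl server=odisrv instance=2 config=2 flags=host=dirhost port=389 debug=1 start
oracle  4400  4001  0 10:07 pts/0 00:00:00 grep oidmon
EOF
}

# Live use: audit the running host and the wallet that odisrvreg creates.
if [ "${1:-}" = "--live" ]; then
    ps -ef | flag_password_args
    w="${ORACLE_HOME:-}/ldap/odi/conf/odisrvwallet"
    wallet_mode_ok "$w" || echo "check permissions: $w"
fi
```

Run it with `--live` on the directory integration server host; `sample_ps | flag_password_args` shows the output format on the constructed listing.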

Operational Information about the Oracle Directory Integration Server

This section introduces structural and operational information about the directory integration server and contains these topics:

The Oracle Directory Integration Server and Configuration Set Entries

Each directory integration server can execute a set of connections supporting synchronization between Oracle Internet Directory and connected directories. A set of connectors enables the directory integration server to support these connections. The configuration set entry lists this set of connectors, and passes it as one of the command-line arguments to the server.

Whenever a connector is scheduled to do synchronization, the directory integration server starts up a separate thread. This thread opens an LDAP connection to the directory server, then closes the connection before exiting.

The server has three types of threads of execution in the process:

Table 30-2  Oracle Directory Integration Server Threads
Thread Description

Main thread

Daemon thread of the Oracle directory integration server. It starts up the scheduler and periodically sends refresh signals to it, to look for changed profiles and to refresh its cache. This thread also looks for the shutdown signal from the OID Monitor (oidmon). This signal causes the thread to shut itself down after it sends a signal to the scheduler to shut down.

Scheduler thread

Schedules the connectors for synchronization based on their scheduling interval. On receipt of a refresh signal from the main thread, this scheduler thread refreshes the synchronization profiles to the latest values.

Connector thread

Spawned by the scheduler at their individual scheduling intervals. Upon invocation, a connector thread invokes the connector executable named in the profile and performs the mapping and filtering of the attributes. A connector thread terminates when its synchronization cycle is over.

If no integration profiles are listed for the configuration set, the Oracle directory integration server waits indefinitely until integration profiles are added to that configuration set. This wait also occurs if integration profiles are configured for the configuration set, but they are all disabled.

If the configuration set specified in the command line does not exist in the directory, then the Oracle directory integration server logs this information in the log file and exits.

If the configuration set is not specified, then configuration set 0 is assumed, and all the provisioning profiles are considered for scheduling.

See Also:

Standard Sequences of Directory Integration Server Events

Any specific instance of the Oracle directory integration server supports either provisioning or synchronization. The directory integration server runs as a shared server process while handling the synchronization and provisioning event propagations.

The three threads described in Table 30-2 work together to create these typical process flow sequences:

Main Thread Process Sequence

On startup, the main thread comes up. This daemon thread of the server starts up the scheduler. It verifies the registration of the instance in the directory. If the instance is not registered--that is, if the instance is not started up by OID Monitor--then it performs self-registration in Oracle Internet Directory with the config set number and the instance number details.

The main thread periodically checks for the refresh time and signals the scheduler to refresh. It also periodically checks for the shutdown signal. On receipt of the shutdown signal, it signals the scheduler thread to shut down.

Once the scheduler thread dies, the main thread unregisters and dies.

Scheduler Thread Process Sequence

When it is started by the main thread, the scheduler thread reads the configuration set to find the integration profiles to be scheduled. It creates a list of profiles to be scheduled and schedules them based on their scheduling interval. While creating the list of profiles, it validates the attributes. If any of the profile attributes have invalid values, the profile is not considered for synchronization or provisioning.

When it receives the refresh signal, the scheduler thread refreshes the integration profiles.

When it receives the shutdown signal, the scheduler thread waits until all the connectors complete the synchronization or provisioning event propagation. It then returns control to the main thread.

Connector Thread Process Sequence

As part of initialization, the connector thread establishes a connection with Oracle Internet Directory and the connected directory. If the data interface type is LDIF or tagged, then the appropriate files are opened. The connector thread:

After applying all the changes, the connector thread returns to the scheduler.

Managing Configuration Set Entries

You can create, modify, and view configuration set entries by using either Oracle Directory Manager or the appropriate command line tools.

In addition to listing all the integration profiles that the directory integration server is to execute, a configuration set also associates the host with the integration profile for synchronization. When a connector is registered, an integration profile is created and added to the configuration set. This configuration set entry determines the behavior of the directory integration server.

You can control the runtime behavior of the directory integration server by using a different configuration set entry when you start it. For example, you can start instance 1 of the directory integration server on host H1 with configset1, and instance 2 of the directory integration server on host H1 with configset2. The behavior of instance 1 of the directory integration server depends on configset 1, and that of instance 2 depends on configset2. By dividing different agents on host H1 between the two configuration set entries, you are distributing the load of running the agents on host H1 between the two directory integration server instances. Similarly, running different configuration sets and different instances on different hosts helps balance the load between the servers.

Managing the Oracle Directory Integration Server

This section contains these topics:

Starting the Oracle Directory Integration Server

The Oracle directory integration server executable, odisrv, resides in the $ORACLE_HOME/bin directory.

The way you start the directory integration server depends on whether your installation includes the OID Monitor and the OID Control Utility. These tools--along with other server and client components--are parts of a typical server installation. In such installations, you start the directory integration server by using these tools.


Note:

Although you can start the directory integration server without using the OID Monitor and the OID Control Utility, Oracle Corporation recommends that you use them. This way, if the directory integration server unexpectedly terminates, the OID Monitor automatically restarts it.


Client-only installations do not include the OID Monitor and the OID Control Utility. In such installations, you start the directory integration server from the command line.

The directory server can be started in non-SSL mode, or in SSL mode for tighter security. Table 30-3 describes the parameters for each type of invocation.


Note:

When the Oracle directory integration server is invoked in the default mode, it supports only the Oracle Directory Provisioning Integration Service, and not the Oracle Directory Synchronization Service.


Using the OID Monitor and Control Utilities to Start the Oracle Directory Integration Server

To start the directory integration server in non-SSL mode:

  1. Be sure that OID Monitor is running. To verify this, enter the following at the command line:
    ps -ef | grep oidmon
    
    

    If OID Monitor is not running, then start it by following the instructions in "Task 1: Start the OID Monitor".

  2. Start the directory integration server by using the OID Control utility by entering:
    oidctl [connect=net_service_name] server=odisrv [instance=instance_number]  
    [config=configuration_set_number] [flags="[host=hostname] [port=port_number] 
    [debug=debug_level] [refresh=interval_between_refresh]
    [maxprofiles=number_of_profiles] "] start

    Table 30-3 describes the arguments in this command.

    Table 30-3  Description of Arguments for Starting the Oracle Directory Integration Server
    Argument Description

    connect=net_service_name

    If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, located in $ORACLE_HOME/network/admin

    server=odisrv

    Type of server to start. In this case, the server you are starting is odisrv. This is not case-sensitive. This argument is mandatory.

    instance=instance_number

    Specifies the instance number to assign to the directory integration server. This instance number must be unique. OID Monitor verifies that the instance number is not already associated with a currently running instance of this server. If it is associated with a currently running instance, then OID Monitor returns an error message.

    config=configuration_set_number

    Specifies the number of the configuration set that the directory integration server is to execute. This argument is mandatory.

    host=hostname

    Oracle directory server host name

    port=port_number

    Oracle directory server port number

    debug=debug_level

    The required debugging level of the directory integration server

    See Also: Table 30-4 for a description of the various debug levels

    refresh=interval_between_refresh

    Specifies the interval, in minutes, between server refresh for any changes in the integration profiles.
    Default is 2 minutes (Refresh=2).

    maxprofiles=number_of_profiles

    Specifies the maximum number of profiles that can be executed concurrently for this server instance

    sslauth=ssl_mode

    SSL modes (0: NO Auth, 1: One Way)

    wloc=wallet

    SSL wallet. Enter the full path name of the SSL wallet file. This wallet is a text wallet created by using the ExportWallet option of the Oracle Wallet Manager.

    On UNIX, the path name could be:

    /home/my_dir/my_wallet.dat

    On Windows NT, the path name could be:

    C:\my_dir\my_wallet.dat
    

    See Also: Oracle Advanced Security Administrator's Guide for instructions on using the Oracle Wallet Manager

    wpass=wallet_password

    Password used for opening the SSL wallet

To start the directory server in SSL mode, use the following command:

oidctl [connect=net_service_name] server=odisrv [instance=instance_number]
[config=configuration_set_number] [flags="[host=hostname] [port=port_number]
[debug=debug_level] [refresh=interval_between_refresh] [maxprofiles=number_of_profiles]
[sslauth=ssl_mode] [wloc=wallet] [wpass=wallet_password] "] start

As you can see, the only difference is the use of the SSL-related flags:

sslauth=ssl_mode, wloc=wallet, and wpass=wallet_password

Starting the Oracle Directory Integration Server Without Using OID Monitor and the OID Control Utility

The directory server can also be started without OID Monitor or OID Control Utility, either in non-SSL mode or, for tighter security, in SSL mode. The parameters described in Table 30-3 remain the parameters for each type of invocation.

To start the directory integration server in non-SSL mode, enter the following at the command line:

odisrv [host=host_name] [port=port_number]
config=configuration_set_number [instance=instance_number] [debug=debug_level] [refresh=interval_between_refresh] [maxprofiles=number_of_profiles]

To start the directory integration server in SSL mode, enter the following at the command line:

odisrv [host=host_name] [port=port_number] config=configuration_set_number
[instance=instance_number] [debug=debug_level] [refresh=interval_between_refresh]
[maxprofiles=number_of_profiles] [sslauth=ssl_mode] [wloc=wallet] [wpass=wallet_password]

Again you can see that the only difference is the use of the SSL-related flags:

[sslauth=ssl_mode] [wloc=wallet] [wpass=wallet_password]

Stopping the Oracle Directory Integration Server

You stop the directory integration server by using the same tool that you used to start it: by using OID Monitor and the OID Control Utility, or by using odisrv.

Using OID Monitor and the OID Control Utility to Stop the Oracle Directory Integration Server

If you started the directory integration server by using OID Monitor and the OID Control utility, then you use them to stop it, as follows:

  1. Before you stop the directory integration server, be sure that the OID Monitor is running. To verify this, enter the following at the command line:
    ps -ef | grep oidmon
    
    

    If OID Monitor is not running, then start it by following the instructions in "Task 1: Start the OID Monitor".

  2. You then can stop the directory integration server by entering:
    oidctl [connect=net_service_name] server=odisrv instance=instance stop
    

Stopping the Directory Integration Server Without Using OID Monitor and the OID Control Utility

In a client-only installation where the OID Monitor and OID Control tools are not available, the Oracle directory integration server can be started without OID Control. To stop the server without these tools, use the stopodis.sh tool, which is located in the $ORACLE_HOME/ldap/admin directory.


Note:

To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:


See Also:

"The stopodis.sh Tool" for instructions about using the stopodis.sh tool


Note:

If the Oracle directory integration server is stopped by any means other than the methods mentioned in this section, then the server cannot be started from the same host. In that case, the footprint of the previous execution in the directory needs to be removed by using the following command:

$ORACLE_HOME/ldap/admin/stopodis.sh [-host directory_server_host] [-port directory_server_port] [-binddn super_user_dN (default is cn=orcladmin)] [-bindpass super_user_password (default is welcome)] -instance number_of_the_instance_to_stop -clean


Using the Restart Command

If you use OID Monitor and the OID Control utility, then you can both stop and restart the directory integration server in one command, namely, restart. This is useful when you want to refresh the server cache immediately, rather than at the next scheduled time. When the directory integration server restarts, it maintains the same parameters it had before it stopped.

To restart the directory integration server:

  1. Make sure that OID Monitor is running. To verify this, enter the following at the command line:
    ps -ef | grep oidmon
    
    

    If OID Monitor is not running, then start it by following the instructions in "Task 1: Start the OID Monitor".

  2. At the command line, enter:
    oidctl [connect=net_service_name] server=odisrv instance=instance_number 
    restart
    

Setting the Debug Level

You can specify the kinds of server and profile events to be listed in a log file by using the debug flag.

To specify multiple types of debugging:

  1. Add the numeric values of the individual types as indicated in Table 30-4.
  2. At the command line, specify the total value. For example, the following command sets the debug level to 484:
    oidctl server=odisrv flags="debug=7" start
    
    

The various types of debug events are listed in Table 30-4 and Table 30-5.

Table 30-4  Debug Types for Server Debugging
Debug Event Type (Server Debugging) Numeric Value

Starting and stopping of different threads.

1

Detail level - shows the refresh details

2

When a nonzero debug level is specified, each trace statement in the server log file includes:

The various trace-statement types are:

If you do not set a value for the debug flag, then the default level is 0 (zero), and none of the debug events in the previous tables are logged. However, errors and exceptions are always logged.

Finding the Log Files

The log file is located in the $ORACLE_HOME/ldap/log/odisrv_instance_number.log directory.

For example, if the server was started as server instance number 3, then the log file would have this path name: $ORACLE_HOME/ldap/log/odisrv03.log.

All the profile-specific debug events are stored in the profile-specific trace file in $ORACLE_HOME\ldap\odi\log\profile_name.trc.

Changing the Synchronization Status Attribute

While synchronization is in progress for an export operation, the server constantly updates the synchronization status attribute, orcllastappliedchangenumber. In Oracle Directory Manager, this field is called OID last applied change number.

To change this attribute manually from Oracle Directory Manager:

  1. Disable the agent by using Oracle Directory Manager.
  2. Make the attribute changes.
  3. Re-enable the agent after the change.

Viewing Oracle Directory Integration Server Information

When the directory integration server starts, it generates specific runtime information and stores it in the directory. This information includes:

You can view this information for the directory integration server by using either Oracle Directory Manager or ldapsearch.

Viewing Oracle Directory Integration Server Runtime Information by Using Oracle Directory Manager

To view runtime information for the directory integration server instance by using Oracle Directory Manager:

  1. In the navigator pane, expand Oracle Internet Directory Servers > directory_server_instance > Server Management, then select Directory Integration Server. The Active Processes box appears in the right pane.
  2. Click View Properties. The Server Process dialog box displays the information.

Viewing Oracle Directory Integration Server Runtime Information by Using ldapsearch

To view registration information for the directory integration server instance by using ldapsearch, perform a base search on its entry. For example:

ldapsearch -p 389 -h my_host -b "cn=instance1,cn=odisrv,cn=subregistrysubentry" -s base -v "objectclass=*"

This example search returns the following:

dn: cn=instance1,cn=odisrv,cn=subregistrysubentry
cn: instance1
orcldiaconfigdns: "orclDIAName=HR,cn=subscriber profile,cn=changelog subscriber, 
cn=oracle internet directory"
orcldiaconfigrefreshflag: 0
orclhostname: my_host
orclconfigsetnumber: 1
objectclass: top
objectclass: orclDIA

Managing the Oracle Directory Integration Platform in a Replicated Environment

If you use the Oracle Directory Integration Platform in a replicated environment with more than one node, then set the orcldiprepository attribute in DSE root to 1. This makes the directory server generate change log entries for changes from the other Oracle Internet Directory nodes. By default, the directory server does not generate these change log entries. The change log entries are required for directory data to be synchronized with third-party directories and metadirectories.


Copyright © 1999, 2002 Oracle Corporation.

All Rights Reserved.