Oracle Internet Directory Administrator's Guide
10g (10.1.4.0.1)

Part Number B15991-01

12 Referential Integrity

Referential Integrity is a new feature of Oracle Internet Directory. If Referential Integrity is enabled, whenever you update an entry in the directory, the server also updates other entries that refer to that entry. For example, if you remove a user's entry from the directory, and the user is a member of a group, the server also removes the user from the group. If Referential Integrity is not enabled, the user remains a member of the group until manually removed.

Referential Integrity takes effect in two situations:

This chapter contains the following topics:

12.1 Configuring and Enabling Referential Integrity

To configure and enable Referential Integrity, perform the following steps:

  1. Edit the file $ORACLE_HOME/ldap/server/plugin/rimoddn.java, as follows:

    1. Go to line 107 in the file. It looks like this:

      conn = DriverManager.getConnection(
             "jdbc:oracle:thin:ods/ODSPWD@OHOST:OPORT:OSID");
      
      
    2. Replace ODSPWD with your Oracle Internet Directory ODS password.

    3. Replace OHOST with your Oracle Internet Directory back end database host name.

    4. Replace OPORT with your Oracle Internet Directory back end database port number.

    5. Replace OSID with your Oracle Internet Directory back end database ORACLE_SID.

  2. Compile $ORACLE_HOME/ldap/server/plugin/rimoddn.java, as follows:

    % $ORACLE_HOME/jdk/bin/javac -classpath \
        $ORACLE_HOME/jdbc/lib/classes12.zip:$ORACLE_HOME/ldap/jlib/ospf.jar \
        rimoddn.java 
    
    
  3. The file rimoddn.java now contains the ODS password in clear text. Either remove the password from the file or modify the permissions on the file to prevent unauthorized access.

  4. Register the plug-ins:

    % ldapadd -h hostname -p port -D cn=orcladmin -w orcladmin_pwd -v -f \
       $ORACLE_HOME/ldap/admin/oidriplg.dat
    
    

    From this point on, all the ldapmoddn and ldapdelete operations on DN reference attributes are recorded.

  5. Edit $ORACLE_HOME/ldap/admin/oidrimdx.pls, as follows:

    1. Go to line 42 in the file. It looks like this:

      v_attrlist := ODS.MODDELREF.t_attrlist('uniquemember', 'owner');
      
      

      This line specifies the default values uniquemember and owner.

    2. If you have more DN attribute references to be modified, add the additional attributes to the line. For example, to specify that the DN attribute manager also be modified, change the line to:

      v_attrlist := ODS.MODDELREF.t_attrlist('uniquemember', 'owner', 'manager');
      
      

      Note:

      • Use all lowercase letters when specifying the attributes.

      • Each attribute you add must be searchable. If necessary, run the catalog command to index the attribute.


  6. Run $ORACLE_HOME/ldap/admin/oidrimdx.pls at frequent intervals. The exact frequency depends upon site-specific needs, but every 15 minutes to 24 hours is a reasonable range.

    The script $ORACLE_HOME/ldap/admin/oidrimdx.pls consumes the records from the Referential Integrity storage table and deletes or modifies the DN references in all associated tables.

    The command to run it is:

    % sqlplus ods/odspassword@connect_string @$ORACLE_HOME/ldap/admin/oidrimdx.pls
    
    

    To run this command, you must be either the dba or Oracle Internet Directory administrator. On a UNIX or Linux system, you can set up a cron job to run the program as one of those users. If you incorporate the command line into a script or crontab file, ensure that file permissions prevent unauthorized users from viewing the ODS password.

  7. If the entry cache is enabled, invalidate it every time you run $ORACLE_HOME/ldap/admin/oidrimdx.pls. The oidrimdx.pls program modifies tables in the database directly, which makes entries in the cache incorrect. Each time you run oidrimdx.pls, quickly disable and then enable the entry cache, as follows:

    % ldapmodify -h host -p port -D cn=orcladmin -w orcladmin_pwd <<EOF
    dn:
    changetype: modify
    replace: orclecacheenabled
    orclecacheenabled: 0
    EOF
    
    % ldapmodify -h host -p port -D cn=orcladmin -w orcladmin_pwd <<EOF
    dn:
    changetype: modify
    replace: orclecacheenabled
    orclecacheenabled: 1
    EOF
    
    

    If you are running oidrimdx.pls from a cron job, and the entry cache is enabled, you should include the commands to invalidate the cache.
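Steps 6 and 7 combined into one cron wrapper, as an added example that is not part of Oracle's documentation or shipped scripts. The secrets file path, the variable names (RI_SECRETS, ODS_PWD, ODS_CONNECT, OID_HOST, OID_PORT, ORCLADMIN_PWD) and the function names are assumptions. The wrapper refuses to run unless the secrets file is closed to group and other.

```shell
#!/bin/sh
# Added example: cron wrapper for steps 6 and 7 (not Oracle-supplied code).
# Assumed: RI_SECRETS is a file of shell assignments that sets ODS_PWD,
# ODS_CONNECT, OID_HOST, OID_PORT and ORCLADMIN_PWD. All names are hypothetical.
RI_SECRETS="${RI_SECRETS:-$HOME/.oid_ri.env}"

# Succeed only if $1 is a regular file that grants nothing to group or other.
secrets_file_ok() {
    [ -f "$1" ] || return 1
    # ls -l mode string: chars 5-7 are group bits, 8-10 are other bits
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Emit the step 7 LDIF that sets orclecacheenabled to $1 (0 or 1 only).
cache_ldif() {
    case "$1" in 0|1) ;; *) return 1 ;; esac
    printf 'dn:\nchangetype: modify\nreplace: orclecacheenabled\norclecacheenabled: %s\n' "$1"
}

# -w is used as on the page; the password is visible in the process list
# for as long as ldapmodify runs.
set_cache() {
    cache_ldif "$1" | ldapmodify -h "$OID_HOST" -p "$OID_PORT" \
        -D cn=orcladmin -w "$ORCLADMIN_PWD"
}

run_ri() {
    secrets_file_ok "$RI_SECRETS" || {
        echo "refusing: $RI_SECRETS missing or accessible to group/other" >&2
        return 1
    }
    . "$RI_SECRETS"
    # /nolog plus CONNECT on stdin keeps the ODS password out of the
    # sqlplus argument list and out of the crontab.
    sqlplus -S /nolog <<EOF || return 1
WHENEVER SQLERROR EXIT FAILURE
CONNECT ods/${ODS_PWD}@${ODS_CONNECT}
@${ORACLE_HOME}/ldap/admin/oidrimdx.pls
EXIT
EOF
    # Step 7: disable, then re-enable, the entry cache to invalidate it.
    set_cache 0 && set_cache 1
}

# Runs only when invoked as "<script> run", so the file can be sourced safely.
if [ "${1:-}" = "run" ]; then run_ri; fi
```

Create the secrets file with mode 600 under the account that owns the cron job, and call the wrapper with the single argument run; the crontab entry then contains no password.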

12.2 Disabling Referential Integrity

To disable Referential Integrity, perform the following steps:

  1. Delete the plug-ins, as follows:

    % ldapdelete -h hostname -p port -D cn=orcladmin -w orcladmin_pwd \
    "cn=ri_postdelete,cn=plugin,cn=subconfigsubentry"
    % ldapdelete -h hostname -p port -D cn=orcladmin -w orcladmin_pwd \
    "cn=ri_postmoddn,cn=plugin,cn=subconfigsubentry"
    
    
  2. Stop running $ORACLE_HOME/ldap/admin/oidrimdx.pls. If you have been using a cron job, delete or disable it.