Oracle® Identity Management User Reference
10g (10.1.4.2)

Part Number E10531-01

6 Oracle Directory Integration Platform Tools

This chapter describes the following command-line tools used to administer Oracle Directory Integration Platform:

Note:

For improved security, do not enter a password with the Oracle Directory Integration Platform tools unless prompted for one.

6.1 dipassistant

The Directory Integration Platform Assistant (dipassistant) is a command-line tool for administering the Oracle Directory Integration Platform server.

6.1.1 Syntax for dipassistant

dipassistant {operation | -gui} [-help]

6.1.2 Arguments for dipassistant

operation

The name of the operation to perform using dipassistant. See the appropriate operation documentation for operation specific syntax, arguments, and usage. The following operations are available:

Note:

Several of the dipassistant operations include the grpID parameter. This is the same grpID parameter that can be supplied when starting Oracle Directory Integration Platform with the oidctl command.

-gui

Launches the Oracle Directory Integration Platform Server Administration Tool, which is a graphical user interface that enables you to perform the same operations as dipassistant. See the Oracle Identity Management Integration Guide for more information about the Oracle Directory Integration Platform Server Administration Tool.

-help

Displays the command-line help for the dipassistant tool. To see a list of all operations, type:

dipassistant -help

To see the arguments and syntax for a particular operation, type:

dipassistant operation_name -help

6.1.3 The dipassistant bootstrap Operation

The bootstrap (bs) operation performs the initial migration of data between a connected directory and Oracle Internet Directory.

6.1.3.1 Syntax for dipassistant bootstrap

dipassistant bootstrap {-profile profile_name [-h oid_hostname] [-p port] [-U ssl_mode] [-D "bindDN"] [-w password] [-log log_file] [-logseverity 1-15] [-trace trace_file] [-tracelevel level] [-loadparallelism number_threads] [-loadretry retry_count]} | {-f config_file}

6.1.3.2 Arguments for dipassistant bootstrap

-profile profile_name

Either -f or -profile is required. The name of the synchronization profile to use when performing the bootstrap operation. If you do not provide a synchronization profile, you can provide the name of a configuration file instead. If a profile is provided, then the following optional arguments may be supplied on the command-line.

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-D "bindDN"

Optional. The DN of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Optional. The password used to bind to the directory.

-log log_file

Optional. The path and file name of the log file. The default is ORACLE_HOME/ldap/odi/bootstrap.log.

-logseverity

Optional. A number between 1 and 15 that corresponds to the level of events that should be logged. The levels are as follows.

  • 1 – INFO

  • 2 – WARNING

  • 4 – DEBUG

  • 8 – ERROR

To specify multiple levels, add the numbers together. For example, the default log severity is 9, INFO and ERROR (1+8=9).

-trace trace_file

Optional. The full path and file name of the trace logging file. The default location is ORACLE_HOME/ldap/odi/log/bootstrap.trc. If the file exists it will be overwritten.

-tracelevel level

Optional. The number that corresponds to the level of information to write to the trace logging file. To specify multiple levels, add the numbers together. The default trace level is 3 (1+2=3).

  • 1 - Starting and stopping of threads

  • 2 - Refreshing of profiles

  • 4 - Initialization, execution, and end details of connectors

  • 8 - Details during connector execution

  • 16 - Change record of the connector

  • 32 - Mapping details of the connector

  • 64 - Execution time details of the connector

-loadparallelism number_threads

Optional. The number of concurrent threads for loading data into Oracle Internet Directory. The default is 5.

-loadretry retry_count

Optional. If the loading of an entry fails, the number of times to retry to load the entry before the entry is marked as a bad entry. The default is 5.

-f config_file

Either -f or -profile is required. The full path and file name of a configuration file containing the properties described in "Configuration File Properties for dipassistant bootstrap". If you do not provide a configuration file, you can provide the name of a synchronization profile instead.

6.1.3.3 Configuration File Properties for dipassistant bootstrap

odip.bootstrap.srctype

Required. The source of the bootstrap data. Valid values are LDAP or LDIF.

odip.bootstrap.desttype

Required. The destination for the bootstrap data. Valid values are LDAP or LDIF.

odip.bootstrap.srcurl

Required. For LDAP, the host_name:port of the directory server that is the source of the bootstrap data. For LDIF, the absolute path of the file that contains the bootstrap source data.

odip.bootstrap.desturl

Required. For LDAP, the host_name:port of the directory server that is the destination for the bootstrap data. For LDIF, the absolute path of the destination LDIF file.

odip.bootstrap.srcsslmode

Optional. Set to TRUE to require SSL-based authentication when connecting to the source of the bootstrapping data. The default is FALSE (SSL not used).

odip.bootstrap.destsslmode

Optional. Set to TRUE to require SSL-based authentication when connecting to the destination for the bootstrapping data. The default is FALSE (SSL not used).

odip.bootstrap.srcdn

Required for LDAP only. The source DN used to bind to the source directory. The default is the DN of the Oracle Directory Integration Platform administrator, for example "cn=dipadmin".

odip.bootstrap.destdn

Required for LDAP only. The destination DN used to bind to the destination directory. The default is the DN of the Oracle Directory Integration Platform administrator, for example "cn=dipadmin".

Note:

If the source DN or the destination DN contains multibyte character-set characters, then these need to be supplied in the UTF-16 format. For example:
odip.bootstrap.srcdn = CN=nlstest1,ou=\u7F8E\u56FD\u5730\u533A,dc=idm2003,dc=net

odip.bootstrap.srcpasswd

Optional. The password used to bind to the source directory. In the case of LDAP binding, this is used as a security credential. Oracle Corporation recommends that you not specify the password in this file.

odip.bootstrap.destpasswd

Optional. The password used to bind to the destination directory. In the case of LDAP binding, this is used as a security credential. Oracle Corporation recommends that you not specify the password in this file.

odip.bootstrap.mapfile

Optional. Location of the map file that contains the attribute and domain mappings.

odip.bootstrap.logfile

Optional. The path and file name of the log file. The default is ORACLE_HOME/ldap/odi/bootstrap.log.

odip.bootstrap.logseverity

Optional. A number between 1 and 15 that corresponds to the level of events that should be logged. The levels are as follows.

  • 1 – INFO

  • 2 – WARNING

  • 4 – DEBUG

  • 8 – ERROR

To specify multiple levels, add the numbers together. For example, the default log severity is 9, INFO and ERROR (1+8=9).

odip.bootstrap.loadparallelism

Optional. The number of concurrent threads for loading data into Oracle Internet Directory. The default is 5.

odip.bootstrap.loadretry

Optional. If the loading of an entry fails, the number of times to retry to load the entry before the entry is marked as a bad entry. The default is 5.

odip.bootstrap.trcfile

Optional. The full path and file name of the trace logging file. The default location is ORACLE_HOME/ldap/odi/log/bootstrap.trc. If the file exists it will be overwritten.

odip.bootstrap.trclevel

Optional. The number that corresponds to the level of information to write to the trace logging file. To specify multiple levels, add the numbers together. The default trace level is 3 (1+2=3).

  • 1 - Starting and stopping of threads

  • 2 - Refreshing of profiles

  • 4 - Initialization, execution, and end details of connectors

  • 8 - Details during connector execution

  • 16 - Change record of the connector

  • 32 - Mapping details of the connector

  • 64 - Execution time details of the connector

odip.bootstrap.srcencode

Optional. The native character set encoding of the LDIF file. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8. You should specify a character set if the LDIF file:

  • Was generated by a third-party directory utility.

  • Contains Globalization Support data.

  • Was processed on a different platform.
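As an added example (not Oracle's code), the following Python script validates a bootstrap configuration file against the property rules above: it checks the keys each srctype/desttype requires, decodes the additive logseverity and trclevel numbers into level names, and flags bind passwords stored in the file, which Oracle recommends against. The file contents and host names are constructed for illustration.

```python
import os
import re

# Additive level tables, as documented for logseverity and trclevel.
LOG_LEVELS = {1: "INFO", 2: "WARNING", 4: "DEBUG", 8: "ERROR"}
TRACE_LEVELS = {
    1: "starting and stopping of threads",
    2: "refreshing of profiles",
    4: "initialization, execution, and end details of connectors",
    8: "details during connector execution",
    16: "change record of the connector",
    32: "mapping details of the connector",
    64: "execution time details of the connector",
}

# Constructed sample configuration (not a real deployment).
SAMPLE_CONFIG = """\
odip.bootstrap.srctype = LDAP
odip.bootstrap.desttype = LDAP
odip.bootstrap.srcurl = sunone.example.com:389
odip.bootstrap.desturl = oid.example.com:3060
odip.bootstrap.srcdn = cn=Directory Manager
odip.bootstrap.destdn = cn=dipadmin
odip.bootstrap.srcpasswd = secret
odip.bootstrap.logseverity = 9
odip.bootstrap.trclevel = 3
"""


def decode_bits(value, table):
    """Expand an additive level number (for example 9 = 1 + 8) into level names."""
    allowed = sum(table)  # every documented bit set
    if value < 0 or value & ~allowed:
        raise ValueError(f"level {value} uses bits outside {sorted(table)}")
    return [name for bit, name in table.items() if value & bit]


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def check_bootstrap_config(props):
    """Return a list of findings; an empty list means the file looks sound."""
    findings = []
    for side in ("src", "dest"):
        prefix = f"odip.bootstrap.{side}"
        kind = props.get(prefix + "type")
        url = props.get(prefix + "url")
        if kind not in ("LDAP", "LDIF"):
            findings.append(f"{side}type must be LDAP or LDIF, got {kind!r}")
            continue
        if not url:
            findings.append(f"{side}url is required")
        elif kind == "LDAP":
            if not re.fullmatch(r"[^:\s]+:\d{1,5}", url):
                findings.append(f"{side}url must be host_name:port, got {url!r}")
            if not props.get(prefix + "dn"):
                findings.append(f"{side}dn is required when {side}type is LDAP")
            if props.get(prefix + "sslmode", "FALSE").upper() != "TRUE":
                findings.append(f"{side}sslmode is not TRUE: the bind is not SSL-protected")
        elif not os.path.isabs(url):
            findings.append(f"{side}url must be an absolute path for LDIF, got {url!r}")
        # Oracle recommends not storing the bind password in this file.
        if props.get(prefix + "passwd"):
            findings.append(f"{side}passwd is set: remove it and let the tool prompt")
    for name, table in (("logseverity", LOG_LEVELS), ("trclevel", TRACE_LEVELS)):
        raw = props.get(f"odip.bootstrap.{name}")
        if raw is not None:
            try:
                decode_bits(int(raw), table)
            except ValueError as exc:
                findings.append(f"{name}: {exc}")
    return findings


if __name__ == "__main__":
    for finding in check_bootstrap_config(parse_properties(SAMPLE_CONFIG)):
        print("finding:", finding)
```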

6.1.3.4 Tasks and Examples for dipassistant bootstrap

Using the bootstrap operation you can perform the following tasks:

6.1.3.4.1 Bootstrapping a Directory Using a Synchronization Profile

The following example uses a synchronization profile named iPlanetProfile to perform bootstrapping.

Example:

dipassistant bootstrap -profile iPlanetProfile -h myhost -p 3060 -D cn=dipadmin

6.1.3.4.2 Bootstrapping a Directory Using a Configuration File

The following example uses a configuration file named bootstrap.cfg to perform bootstrapping. The configuration file contains the properties described in "Configuration File Properties for dipassistant bootstrap".

Example:

dipassistant bootstrap -f bootstrap.cfg

6.1.4 The dipassistant bulkprov Operation

The bulkprov (bp) operation allows administrators to create user entries and provision them in bulk to various applications, or to delete user entries and de-provision them in bulk from various applications. You can also use this operation to modify the attributes of user entries. This operation takes an LDIF file as input. See Appendix A, "LDIF File Format" for more information about the proper formatting of the input LDIF file.

For example, here is a sample user entry in LDIF format:

dn: cn=John Smith,cn=users,dc=us,dc=mycompany,dc=com
changetype: add
cn: John Smith
cn: John
sn: Smith
mail: jsmith@mycompany.com
uid: jsmith_us
orclisenabled: True

The bulkprov operation invoked with this input file would add the user entry and provision it to the applications configured in the directory. If the configured applications all have a default provisioning policy of PROVISIONING_REQUIRED, then users will be created with this provisioning status by default for each of the applications.

The bulkprov operation also invokes any plug-ins configured for the application. These plug-ins can override the default provisioning policy: they determine the provisioning policy, perform data validations, and assign defaults. If an application's specific attributes are maintained elsewhere, then you can provide a plug-in to manage that application's data.

You must ensure that the distinguished name (DN) for each user specified in the LDIF file is a valid DN within the realm. DN validation is not performed automatically. If the LDIF file specifies a DN outside the realm that does not fall under one of the user search bases, then the new users will not be visible when you search for users in the Oracle Internet Directory Provisioning Console or the Oracle Internet Directory Self-Service Console.

To delete user entries and de-provision them from applications, you would supply an LDIF file with user entries such as this:

dn: cn=John Smith,cn=users,dc=us,dc=mycompany,dc=com
changetype: delete
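As an added example (not Oracle's code), the following Python pre-check parses a bulkprov input LDIF and reports every entry whose DN lies outside the realm's user search bases, which is the validation the text above says dipassistant does not perform for you. The LDIF content and the user search base are constructed for illustration.

```python
# Constructed sample input (not a real directory); the second entry sits
# under ou=contractors rather than under a user search base.
SAMPLE_LDIF = """\
dn: cn=John Smith,cn=users,dc=us,dc=mycompany,dc=com
changetype: add
cn: John Smith
cn: John
sn: Smith
mail: jsmith@mycompany.com
uid: jsmith_us
orclisenabled: True

dn: cn=Jane Doe, ou=contractors, dc=us, dc=mycompany, dc=com
changetype: add
cn: Jane Doe
sn: Doe

dn: cn=Old User,cn=users,dc=us,dc=mycompany,dc=com
changetype: delete
"""

# Assumed user search bases for the realm; take yours from the realm
# configuration rather than hard-coding them.
USER_SEARCH_BASES = ["cn=users,dc=us,dc=mycompany,dc=com"]


def normalize_dn(dn):
    """Lower-case the DN and drop optional whitespace around RDN separators
    so 'cn=A, dc=b' and 'cn=a,dc=b' compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return a list of (dn, changetype, attrs) tuples, one per blank-line
    separated entry. Folded continuation lines are joined; base64 ('::')
    values are not decoded in this example."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], []
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(_build_entry(current))
                current = []
        elif not line.startswith("#"):
            current.append(line)
    return entries


def _build_entry(lines):
    """Turn the lines of one entry into (dn, changetype, attrs)."""
    attrs = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    if "dn" not in attrs:
        raise ValueError("entry without a dn line")
    dn = attrs.pop("dn")[0]
    changetype = attrs.pop("changetype", ["add"])[0].lower()
    return dn, changetype, attrs


def check_bulkprov_ldif(text, user_search_bases):
    """Return one problem string per entry whose DN is outside every user
    search base, whose changetype bulkprov does not handle, or whose add
    carries no attributes."""
    bases = [normalize_dn(base) for base in user_search_bases]
    problems = []
    for dn, changetype, attrs in parse_ldif(text):
        ndn = normalize_dn(dn)
        if not any(ndn.endswith("," + base) for base in bases):
            problems.append(f"{dn}: not under any user search base")
        if changetype not in ("add", "delete", "modify"):
            problems.append(f"{dn}: unsupported changetype {changetype!r}")
        elif changetype == "add" and not attrs:
            problems.append(f"{dn}: add entry has no attributes")
    return problems


if __name__ == "__main__":
    for problem in check_bulkprov_ldif(SAMPLE_LDIF, USER_SEARCH_BASES):
        print("problem:", problem)
```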

6.1.4.1 Syntax for dipassistant bulkprov

dipassistant bulkprov -f ldif_file [-h oid_hostname] [-p port] [-U ssl_mode] [-D bindDN] [-w password] [-realm realm_name] [-E character_set]

6.1.4.2 Arguments for dipassistant bulkprov

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-D "bindDN"

Optional. The DN of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Optional. The password used to bind to the directory.

-realm realm_name

The realm in which the users are to be provisioned. If not specified, then the default identity management realm specified in the Root Oracle Context will be used.

-E "character_set"

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, ISO-8859-1, JA16SJIS, or AL32UTF8.

6.1.4.3 Tasks and Examples for dipassistant bulkprov

Using the dipassistant bulkprov operation you can perform the following tasks:

6.1.4.3.1 Provisioning Users in Bulk

Example:

dipassistant bulkprov -f users.ldif -h myhost.company.com -p 3040 -D "cn=orcladmin" -E ISO-8859-1

6.1.5 The dipassistant chgpasswd Operation

The chgpasswd (cpw) operation resets the password of the Oracle Directory Integration Platform administrator (dipadmin) account. The default password for the dipadmin account is the same as the ias_admin password chosen during installation. To reset the password, you must provide the security credentials of the Oracle Internet Directory administrator (orcladmin) account.

6.1.5.1 Syntax for dipassistant chgpasswd

dipassistant chgpasswd [-h oid_hostname] [-p port] [-U ssl_mode] [-D bindDn] [-w password]

6.1.5.2 Arguments for dipassistant chgpasswd

In addition to the arguments provided on the command line, the tool will prompt you for the new Oracle Directory Integration Platform administrator (dipadmin) account password.

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-D "bindDN"

Optional. The DN of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Optional. The password used to bind to the directory.

6.1.5.3 Tasks and Examples for dipassistant chgpasswd

Using the dipassistant chgpasswd operation you can perform the following tasks:

6.1.5.3.1 Changing the Password for the Oracle Directory Integration Platform Administrator

Example:

dipassistant chgpasswd -h myhost -p 3060 -D cn=orcladmin

The Directory Integration Platform Assistant then prompts for the new password as follows:

New Password: 
Confirm Password: 

6.1.6 The dipassistant createprofile Operation

The createprofile (cp) operation creates a new synchronization profile for Oracle Internet Directory and an external directory.

6.1.6.1 Syntax for dipassistant createprofile

dipassistant createprofile [-h oid_hostname] [-p port] [-U ssl_mode] [-D bindDN] [-w password] -f prop_file -grpID connector_group_identifier

6.1.6.2 Arguments for dipassistant createprofile

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-D "bindDN"

Optional. The DN of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Optional. The password used to bind to the directory.

-f prop_file

Required. The full path and file name of the profile properties file containing the properties described in "Configuration File Properties for dipassistant createprofile".

-grpID connector_group_identifier

Required. A unique identifier that represents the connector group with which to associate the profile.

6.1.6.3 Configuration File Properties for dipassistant createprofile

WARNING:

Because the configuration file can contain sensitive information, Oracle recommends that you delete this file after creating the profile.

odip.profile.agentexecommand

In the case of a NON-LDAP interface, the command to produce the information in LDIF format. This is stored in the orclODIPAgentExeCommand attribute of the profile entry.

odip.profile.condiraccount

DN or user name used to connect to the third party directory. This is stored in the orclODIPConDirAccessAccount attribute of the profile entry.

odip.profile.condirpassword

The password used to connect to the third party directory. This is stored in the orclODIPConDirAccessPassword attribute of the profile entry.

odip.profile.condirfilter

Filter that needs to be applied to the changes read from the connected directory before importing to Oracle Internet Directory. This is stored in the orclODIPConDirMatchingFilter attribute of the profile entry.

odip.profile.condirurl

The hostname:port of the third party directory. This is stored in the orclODIPConDirURL attribute of the profile entry.

odip.profile.configfile

Name of the file that contains the additional profile-specific information to be used for execution.

odip.profile.configinfo

Contains additional profile-specific information to be used for execution. This is stored in the orclODIPAgentConfigInfo attribute of the profile entry.

odip.profile.debuglevel

Specifies the debugging level. This is stored in the orclODIPProfileDebugLevel attribute of the profile entry.

odip.profile.directorytype

Required parameter for all property files that were created with versions of Oracle Directory Integration Platform earlier than 10g (10.1.4.2). Identifies the connected directory type. This is stored in the orclODIPConDirURL attribute of the profile entry.

odip.profile.interface

The format used for data exchange: LDAP, LDIF, DB, or TAGGED. LDAP is the default. This is stored in the orclODIPProfileInterfaceType attribute of the profile entry.

odip.profile.lastchgnum

Last applied change number. In the case of an export profile this number refers to Oracle Internet Directory's last applied change number. However, in the case of the import profile, this number refers to the last applied change number in the connected directory. This is stored in the orclODIPConDirLastAppliedChgNum attribute of the profile entry. You can use the ldapsearch command to determine the last change number in Oracle Internet Directory. For example:

ldapsearch -D cn=orcladmin -b "" -s base objectclass=* lastchangenumber

odip.profile.mapfile

Name of the file that contains the mapping rules. This is stored in the orclODIPAttributeMappingRules attribute of the profile entry.

odip.profile.name

Name of the synchronization profile. This is stored in the orclODIPAgentName attribute of the profile entry.

odip.profile.oidfilter

Filter that needs to be applied to the changes that are read from the Oracle Internet Directory before exporting to the connected directory. This is stored in the orclODIPOIDMatchingFilter attribute of the profile entry.

odip.profile.password

The password to access this profile. This is stored in the orclODIPAgentPassword attribute of the profile entry.

odip.profile.retry

Maximum number of times the Oracle Directory Integration Platform server should attempt to execute an entry. This is stored in the orclODIPSyncRetryCount attribute of the profile entry. Default is 4.

odip.profile.schedinterval

Interval between successive executions of this profile by the integration server. If the previous execution has not completed then the next execution will not resume until it completes. This is stored in the orclODIPSchedulingInterval attribute of the profile entry. Default is 1 minute.

odip.profile.status

Whether to ENABLE or DISABLE this profile. This is stored in the orclODIPAgentControl attribute of the profile entry. The default is DISABLE.

odip.profile.syncmode

Direction of synchronization. When the changes are propagated from the third-party directory to Oracle Internet Directory, the synchronization mode is IMPORT. When the changes are propagated to the third-party directory, the synchronization mode is EXPORT. This is stored in the orclODIPSchedulingInterval attribute of the profile entry. Default is IMPORT.

6.1.6.4 Tasks and Examples for dipassistant createprofile

Using the createprofile operation you can perform the following tasks:

6.1.6.4.1 Creating a New Synchronization Profile

The following example uses a configuration file named import.profile to create a new profile and associate the new profile with configuration set 1.

Example:

dipassistant createprofile -h myhost -p 3060 -D cn=dipadmin -f import.profile -grpID myImportGroup

6.1.7 The dipassistant createprofilelike Operation

The createprofilelike (cpl) operation creates a new synchronization profile by using an existing profile as a template.

6.1.7.1 Syntax for dipassistant createprofilelike

dipassistant createprofilelike [-h oid_hostname] [-p port] [-U ssl_mode] [-D bindDN] [-w password] -profile orig_profile_name -newprofile new_profile_name -grpID connector_group_identifier

6.1.7.2 Arguments for dipassistant createprofilelike

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-D "bindDN"

Optional. The DN of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Optional. The password used to bind to the directory.

-profile orig_profile_name

Required. The name of the existing profile to be used as a template.

-newprofile new_profile_name

Required. The name of the new profile to be created.

-grpID connector_group_identifier

Required. A unique identifier that represents the connector group with which to associate the profile.

6.1.7.3 Tasks and Examples for dipassistant createprofilelike

Using the createprofilelike operation you can perform the following tasks:

6.1.7.3.1 Creating a New Synchronization Profile Using an Existing Profile as a Template

The following example creates a new profile named iPlImport with values copied from a profile named iPlImportTemplate.

Example:

dipassistant createprofilelike -h myhost -p 3060 -D cn=dipadmin -profile iPlImportTemplate -newprofile iPlImport -grpID myImportProfile

6.1.8 The dipassistant deleteprofile Operation

The deleteprofile (dp) operation deletes a synchronization profile from Oracle Internet Directory.

6.1.8.1 Syntax for dipassistant deleteprofile

dipassistant deleteprofile -profile profile_name [-h oid_hostname] [-p port] [-U ssl_mode] [-D bindDN] [-w password] -grpID connector_group_identifier

6.1.8.2 Arguments for dipassistant deleteprofile

-profile profile_name

Required. The name of the profile to be deleted.

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-D "bindDN"

Optional. The DN of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Optional. The password used to bind to the directory.

-grpID connector_group_identifier

Required. A unique identifier that represents the connector group with which the profile is associated.

6.1.8.3 Tasks and Examples for dipassistant deleteprofile

Using the deleteprofile operation you can perform the following tasks:

6.1.8.3.1 Deleting a Synchronization Profile

The following example deletes the myprofile profile.

Example:

dipassistant deleteprofile -profile myprofile -h myhost -p 3060 -D cn=dipadmin -grpID myImportGroup

6.1.9 The dipassistant expressconfig Operation

The expressconfig (ec) operation performs an express configuration of the third-party directory connector. It performs all required configurations and also creates two profiles, an import profile and an export profile. For more information about configuring third-party directory connectors, see the Oracle Identity Management Integration Guide.

6.1.9.1 Syntax for dipassistant expressconfig

dipassistant expressconfig [-h oid_hostname] [-p port] [-U ssl_mode] [-3rdpartyds third_party_ds ] [-grpID connector_group_identifier]

6.1.9.2 Arguments for dipassistant expressconfig

In addition to the arguments supplied on the command-line, the tool will prompt you for the following information:

  • Oracle Internet Directory credentials. You must specify the DN and password of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

  • Third-party directory connection details and credentials of a privileged user. You need to specify whether the connection uses SSL mode. You are also prompted for the DN of the subtree to be synchronized, except when the third-party directory is Microsoft Active Directory.

    If the third-party directory is Microsoft Active Directory, then the DN of the subtree to be synchronized is automatically set to "cn=users, default_naming_context". To synchronize deletions, you must have the necessary administrative privileges in Microsoft Active Directory, for example administrator@mycompany.com if the host on which Microsoft Active Directory is installed is myhost@mycompany.com.

  • Name to identify the synchronization profiles to be created. For example, if you specify the name abc, then the tool creates two profiles: abcImport and abcExport.

  • Appropriate ACLs on the cn=users container (Optional). You can choose to enable users and groups to be managed by Oracle components under the cn=users container. If you customize ACLs in this way, then the original ACLs are saved in ORACLE_HOME/ldap/odi/archive/profile_name_prefix_useracl.ldif.

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-3rdpartyds third_party_ds

Optional. The third-party directory service to which you are connecting. If not provided on the command-line, the tool will prompt you for this information. The following values are supported:

  • ActiveDirectory or AD

  • SunJava or iPlanet

  • eDirectory or edir

  • OpenLDAP

Note:

The preceding values are not case-sensitive.

-grpID connector_group_identifier

Optional. A unique identifier that represents the connector group with which to associate the profile.

6.1.9.3 Tasks and Examples for dipassistant expressconfig

Using the dipassistant expressconfig operation you can perform the following tasks:

6.1.9.3.1 Performing an Express Configuration for Microsoft Active Directory

Example:

dipassistant expressconfig -h myoidhost.company.com -p 3040 -3rdpartyds ActiveDirectory -grpID myImportProfile

6.1.10 The dipassistant extauth Operation

The extauth (ea) operation configures an external authentication plug-in for the connected directory.

6.1.10.1 Syntax for dipassistant extauth

dipassistant extauth [-h hostName] [-p port] -D bindDN -w bindPassword -t extDirType

6.1.10.2 Arguments for dipassistant extauth

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p oid_port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-D bindDN

Optional. The DN of the super user (cn=orcladmin), or any other user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w bindPassword

Optional. The password used to bind to the directory.

-t extDirType

The external directory type. The values allowed are:

  • AD (Active Directory)

  • iPlanet

  • eDirectory

  • OpenLDAP

6.1.10.3 Tasks and Examples for dipassistant extauth

Using the extauth operation, you can perform the following tasks:

6.1.10.3.1 Configuring External Authentication plug-in for the Connected Directory

The following example configures an external authentication plug-in for Microsoft Active Directory.

Example:

dipassistant ea -h localhost -p 389 -D cn=orcladmin -w welcome -t AD

6.1.11 The dipassistant listprofiles Operation

The listprofiles (lp) operation prints a list of all the synchronization profiles in Oracle Internet Directory.

6.1.11.1 Syntax for dipassistant listprofiles

dipassistant listprofiles [-h oid_hostname] [-p port] [-U ssl_mode] [-D bindDN] [-w password] [-grpID connector_group_identifier]

6.1.11.2 Arguments for dipassistant listprofiles

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-D "bindDN"

Optional. The DN of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Optional. The password used to bind to the directory.

-grpID connector_group_identifier

Optional. A unique identifier that represents the connector group with which to associate the profile.

6.1.11.3 Tasks and Examples for dipassistant listprofiles

Using the listprofiles operation you can perform the following tasks:

6.1.11.3.1 Showing a List of All Synchronization Profiles in Oracle Internet Directory

The following example prints a list of all the synchronization profiles in Oracle Internet Directory.

Example:

dipassistant listprofiles -h myhost -p 3060 -D cn=dipadmin 

By default, the preceding command prints the following list of sample profiles created during installation. However, your deployment of Oracle Internet Directory may contain additional synchronization profiles.

IplanetExport 
IplanetImport 
ActiveImport 
ActiveExport 
LdifExport 
LdifImport 
TaggedExport 
TaggedImport 
OracleHRAgent 
ActiveChgImp 

6.1.12 The dipassistant loaddata Operation

The loaddata operation loads data from a CSV file into Oracle Internet Directory.

6.1.12.1 Syntax for dipassistant loaddata

dipassistant loaddata -f properties_file | [-h oid_hostname] [-p port] [-U ssl_mode] [-D bindDn] [-w password] [-c control_file]  [-a application] [-g groupDN]  -data data_file [-map map_file] [-log log_file] [-logseverity 1-15] [-trace trace_file] [-tracelevel level]

6.1.12.2 Arguments for dipassistant loaddata

-f properties_file

Required for loading data with a properties file. The full path and file name of a properties file containing the properties described in "Configuration File Properties for dipassistant loaddata".

See the following sample properties file, which demonstrates how to load data from a CSV file into Oracle Internet Directory:

$ORACLE_HOME/ldap/odi/samples/csv2ldp.properties 

See the following sample properties file, which demonstrates how to load data from a CSV file into Oracle Internet Directory and make the data available to Oracle Instant Portal. In addition to creating new users in Oracle Internet Directory, the properties file also adds each user to the group required by Oracle Instant Portal. If you need the new users to be available in Oracle Instant Portal and you do not use the following properties file, then you must manually add each user to the required Oracle Instant Portal group.

$ORACLE_HOME/ldap/odi/samples/load2oip.properties

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-D "bindDN"

Optional. The DN of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Optional. The password used to bind to the directory.

-c control_file

Required for loading data from a data file. The full path and file name of a control file. See "odip.bootstrap.srcctl" for more information.

-a application

Optional. The name of an application that will use the loaded data. In Oracle Identity Management 10g (10.1.4.2), the only valid value for this argument is portal, for Oracle Instant Portal.

-g groupDN

Optional. The group DN of the application specified with the -a argument. In Oracle Identity Management 10g (10.1.4.2), the only valid value for this argument is the group DN for Oracle Instant Portal.

-data data_file

Required for loading data from a data file. The full path and file name of a CSV file containing the data to load. See "odip.bootstrap.srcurl" for more information.

-map map_file

Required for loading data from a data file. The full path and file name of a mapping file. See "odip.bootstrap.mapfile" for more information.

-log log_file

Optional. The full path and file name of a log file. The default is $ORACLE_HOME/ldap/odi/log/loaddata.trc.

-logseverity 1-15

Optional. A number between 1 and 15 that corresponds to the level of events that should be logged. The levels are as follows.

  • 1—INFO

  • 2—WARNING

  • 4—DEBUG

  • 8—ERROR

To specify multiple levels, add the numbers together. For example, the default log severity is 9, INFO and ERROR (1+8=9).

-trace trace_file

Optional. The full path and file name of the trace logging file.

-tracelevel level

Optional. The number that corresponds to the level of information to write to the trace logging file. To specify multiple levels, add the numbers together. The default trace level is 3 (1+2=3).

6.1.12.3 Configuration File Properties for dipassistant loaddata

odip.bootstrap.srctype

Required. The source type of the data to be loaded. The only valid value for this property is CSV.

odip.bootstrap.dsttype

Required. The destination type of the data to be loaded. The only valid value for this property is LDAP.

odip.bootstrap.srcurl

Required. The absolute path of the CSV file that contains the data to load into Oracle Internet Directory. See the following sample data file:

$ORACLE_HOME/ldap/odi/samples/csvsample.data 

odip.bootstrap.srcctl

Required. The absolute path of the file containing source control information about how the data is stored. See the following sample source control file:

$ORACLE_HOME/ldap/odi/samples/csvsample.ctl 

odip.bootstrap.desturl

Required. The LDAP host_name:port of the directory server that is the destination for the data.

odip.bootstrap.destdn

Required. The DN used to bind to the destination directory. The default is the DN of the Oracle Directory Integration Platform administrator, for example "cn=dipadmin".

odip.bootstrap.destpasswd

Required. The password used to bind to the destination directory. In the case of LDAP binding, this is used as a security credential. Oracle Corporation recommends that you remove the value assigned to this property from the properties file immediately after loading data.

odip.bootstrap.mapfile

Required. The absolute path of the map file that contains the attribute and domain mappings. See the following sample map file:

$ORACLE_HOME/ldap/odi/samples/csvload.map.sample

odip.bootstrap.logfile

Optional. The path and file name of the log file. The default is ORACLE_HOME/ldap/odi/loaddata.log.

odip.bootstrap.trcfile

Optional. The full path and file name of the trace logging file. The default location is $ORACLE_HOME/ldap/odi/log/loaddata.trc. If the file exists it will be overwritten.
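The properties above can be checked before a load and the bind password cleared afterwards, as the odip.bootstrap.destpasswd description recommends. The following is an added example, not Oracle's code; it assumes the properties file is plain key=value lines (as the sample files under $ORACLE_HOME/ldap/odi/samples suggest), and the paths and credential values in it are constructed.

```python
"""Build, validate and scrub a properties file for dipassistant loaddata.

Added example, not Oracle's code. It assumes the file is plain key=value
lines; the paths and credential values below are constructed.
"""
import os
import re
import stat
import tempfile

# Property names documented for dipassistant loaddata.
REQUIRED = {
    "odip.bootstrap.srctype", "odip.bootstrap.dsttype", "odip.bootstrap.srcurl",
    "odip.bootstrap.srcctl", "odip.bootstrap.desturl", "odip.bootstrap.destdn",
    "odip.bootstrap.destpasswd", "odip.bootstrap.mapfile",
}
OPTIONAL = {"odip.bootstrap.logfile", "odip.bootstrap.trcfile"}
PASSWORD_KEY = "odip.bootstrap.destpasswd"

# Constructed sample values; only srctype, dsttype and desturl have a fixed format.
SAMPLE = {
    "odip.bootstrap.srctype": "CSV",
    "odip.bootstrap.dsttype": "LDAP",
    "odip.bootstrap.srcurl": "/home/oracle/load/loadcsv.data",
    "odip.bootstrap.srcctl": "/home/oracle/load/loadcsv.ctl",
    "odip.bootstrap.desturl": "myhost:3060",
    "odip.bootstrap.destdn": "cn=dipadmin",
    "odip.bootstrap.destpasswd": "example-only-password",
    "odip.bootstrap.mapfile": "/home/oracle/load/loadcsv.map",
}


def validate(props):
    """Return a list of problems against the documented property set; empty means OK."""
    problems = [f"missing required property {k}" for k in sorted(REQUIRED - set(props))]
    problems += [f"unknown property {k}" for k in sorted(set(props) - REQUIRED - OPTIONAL)]
    if props.get("odip.bootstrap.srctype", "CSV") != "CSV":
        problems.append("odip.bootstrap.srctype must be CSV")
    if props.get("odip.bootstrap.dsttype", "LDAP") != "LDAP":
        problems.append("odip.bootstrap.dsttype must be LDAP")
    desturl = props.get("odip.bootstrap.desturl", "localhost:389")
    if not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", desturl):
        problems.append("odip.bootstrap.desturl must be host_name:port")
    return problems


def write_properties(path, props):
    """Write key=value lines with mode 0600, because the file carries a bind password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.writelines(f"{k}={v}\n" for k, v in props.items())


def read_properties(path):
    """Minimal key=value reader (comments starting with '#' are skipped)."""
    props = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props


def scrub_password(path):
    """Blank the destpasswd value in place, as the docs say to do right after
    loading. Returns True if a non-empty value was removed."""
    with open(path) as fh:
        lines = fh.readlines()
    removed, out = False, []
    for line in lines:
        key, _, value = line.rstrip("\n").partition("=")
        if key.strip() == PASSWORD_KEY and value != "":
            out.append(f"{PASSWORD_KEY}=\n")
            removed = True
        else:
            out.append(line)
    with open(path, "w") as fh:
        fh.writelines(out)
    return removed


def round_trip(props=SAMPLE, directory=None):
    """Validate, write, (stand in for) the load, then scrub; returns what to check."""
    problems = validate(props)
    if problems:
        raise ValueError(problems)
    path = os.path.join(directory or tempfile.mkdtemp(), "loadcsv.properties")
    write_properties(path, props)
    # At this point one would run: dipassistant loaddata -f <path>
    before = read_properties(path)[PASSWORD_KEY]
    removed = scrub_password(path)
    after = read_properties(path)[PASSWORD_KEY]
    return {"mode": stat.S_IMODE(os.stat(path).st_mode),
            "before": before, "removed": removed, "after": after}
```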

6.1.12.4 Tasks and Examples for dipassistant loaddata

Using the loaddata operation you can perform the following task:

6.1.12.4.1 Loading Data with a Properties File into Oracle Internet Directory

The following example uses a properties file named loadcsv.properties to load a CSV file into Oracle Internet Directory.

Example:

dipassistant loaddata -f loadcsv.properties

6.1.12.4.2 Loading Data from a Data File into Oracle Internet Directory

The following example uses a data file named loadcsv.data to load a CSV file into Oracle Internet Directory.

Example:

dipassistant loaddata -h myhost -p 3060 -D cn=dipadmin \
-data loadcsv.data -c loadcsv.ctl -map loadcsv.map

6.1.13 The dipassistant modifyprofile Operation

The modifyprofile (mp) operation enables you to change certain properties of a synchronization profile. You can specify a profile property to change on the command-line, or you can supply a configuration file that lists the properties you want to change and their new values. See "Configuration File Properties for dipassistant createprofile" for a description of the properties of a synchronization profile.

6.1.13.1 Syntax for dipassistant modifyprofile

dipassistant modifyprofile [-h oid_hostname] [-p port] [-U ssl_mode] [-D bindDN] [-w password] {-f prop_file | -profile profile_name [-updlcn] [propName1=value] [propName2=value]...}

6.1.13.2 Arguments for dipassistant modifyprofile

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-D "bindDN"

Optional. The DN of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Optional. The password used to bind to the directory.

-f prop_file

The full path and file name of the profile properties file containing the properties you want to change and their new values. The properties are described in "Configuration File Properties for dipassistant createprofile".

-profile profile_name

The name of the synchronization profile you want to modify.

-updlcn

Optional. Used to update the last change number of the synchronization profile with the last change number of the source directory.

propName=value

The name of the property whose value you want to change and the new value for that property. The properties are described in "Configuration File Properties for dipassistant createprofile".

6.1.13.3 Tasks and Examples for dipassistant modifyprofile

Using the modifyprofile operation you can perform the following tasks:

6.1.13.3.1 Modifying a Synchronization Profile

The following example uses a properties file named changes.profile to modify a profile named myprofile.

Example:

dipassistant modifyprofile -profile myprofile -h myhost -p 3060 -D cn=dipadmin -f changes.profile

The following example uses the -U option to connect to Oracle Internet Directory in SSL mode.

dipassistant modifyprofile -profile myprofile -h myhost -p 636 -U 2 -D cn=dipadmin -f changes.profile

6.1.14 The dipassistant reassociate Operation

The reassociate (rs) operation moves synchronization profiles to another node and reassociates the profiles with the new node. For example, if the middle-tier components are associated with a particular Oracle Identity Management infrastructure, then all the profiles existing in that infrastructure node can be moved to a new infrastructure node and the profiles will be reassociated accordingly.

If a profile does not exist on the new node, it is copied to the new Oracle Internet Directory node and disabled after copying. It must be enabled by the application. The lastchangenumber attribute in the integration profile is modified to the current last change number on the second Oracle Internet Directory node.

If a profile is moved to a node that already has a corresponding profile, both integration profiles are reconciled in the following manner:

  • Any new attribute in the profile on node 1 is added to the profile on node 2.

  • For existing same attributes, the values in profile on node 1 override the attributes in the profile on node 2.

  • The profile is disabled after copying. It needs to be enabled by the application.

  • The lastchangenumber attribute in the integration profile is modified to the current last change number on the second Oracle Internet Directory node.

6.1.14.1 Syntax for dipassistant reassociate

dipassistant reassociate [-src_ldap_host oid1_hostname] [-src_ldap_port port] [-src_sslmode ssl_mode] [-src_ldap_dn bindDN] [-src_ldap_passwd password] -dst_ldap_host oid2_hostname [-dst_ldap_port port] [-dst_sslmode ssl_mode][-dst_ldap_dn bindDN] [-dst_ldap_passwd password] [-log logfile]

6.1.14.2 Arguments for dipassistant reassociate

-src_ldap_host oid1_hostname

Optional. The host name of the source Oracle Internet Directory server. If not provided then the name of the local host is used.

-src_ldap_port port

Optional. The LDAP listening port of the source Oracle Internet Directory server. The default is 389.

-src_sslmode ssl_mode

Optional. The SSL authentication mode of the source Oracle Internet Directory server. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-src_ldap_dn bindDN

The DN of the super user on the source Oracle Internet Directory server (cn=orcladmin).

-src_ldap_passwd password

The password used to bind to the source directory.

-dst_ldap_host oid2_hostname

Required. The host name of the destination Oracle Internet Directory server.

-dst_ldap_port port

Optional. The LDAP listening port of the destination Oracle Internet Directory server. The default is 389.

-dst_sslmode ssl_mode

Optional. The SSL authentication mode of the destination Oracle Internet Directory server. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-dst_ldap_dn bindDN

The DN of the super user on the destination Oracle Internet Directory server (cn=orcladmin).

-dst_ldap_passwd password

The password used to bind to the destination directory.

-log logfile

The file name of the log for the operation.

6.1.14.3 Tasks and Examples for dipassistant reassociate

Using the reassociate operation you can perform the following tasks:

6.1.14.3.1 Moving an Integration Profile to a Different Identity Management Node

Example:

dipassistant reassociate -src_ldap_host oid1.mycorp.com -dst_ldap_host oid2.mycorp.com -src_ldap_passwd srcpassword -dst_ldap_passwd dstpassword

6.1.15 The dipassistant showprofile Operation

The showprofile (sp) operation prints the details of a specific synchronization profile.

6.1.15.1 Syntax for dipassistant showprofile

dipassistant showprofile -profile profile_name [-h oid_hostname] [-p port] [-U ssl_mode] [-D bindDN] [-w password]

6.1.15.2 Arguments for dipassistant showprofile

-profile profile_name

Required. The name of the synchronization profile you want to view.

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-U ssl_mode

Optional. A number between 1 and 3 that represents the SSL mode of Oracle Internet Directory. The SSL modes are as follows:

  • 1 – SSL mode with no authentication

  • 2 – SSL mode with server-only authentication

  • 3 – SSL mode with both client and server authentication

-D "bindDN"

Optional. The DN of the super user, that is, cn=orcladmin, or any user that is a member of the Directory Integration Platform Administrators group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Optional. The password used to bind to the directory.

6.1.15.3 Tasks and Examples for dipassistant showprofile

Using the showprofile operation you can perform the following tasks:

6.1.15.3.1 Viewing the Details of a Specific Synchronization Profile

The following example command prints the details for the ActiveImport sample profile that is created during installation.

Example:

dipassistant showprofile -profile ActiveImport -h myhost -p 3060 -D cn=dipadmin  

The preceding command prints the following details of the ActiveImport sample profile:

odip.profile.version = 2.0
odip.profile.lastchgnum = 0
odip.profile.interface = LDAP
odip.profile.oidfilter = orclObjectGUID
odip.profile.schedinterval = 60
odip.profile.name = ActiveImport
odip.profile.syncmode = IMPORT
odip.profile.condirfilter = searchfilter=(|(objectclass=group)(objectclass=organizationalunit)
(&(objectclass=user)(!(objectclass=computer))))
odip.profile.retry = 5
odip.profile.debuglevel = 0
odip.profile.status = DISABLE

6.1.16 The dipassistant validatemapfile Operation

The validatemapfile (vmf) operation validates the attribute mapping file from a specified profile or attribute mapping file name.

6.1.16.1 Syntax for dipassistant validatemapfile

dipassistant validatemapfile {-profile profile_name | -f file_name} [-h oid_hostname] [-p port] [-D "bindDN"] [-w password] [-t directory_type]

6.1.16.2 Arguments for dipassistant validatemapfile

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-D "binddn"

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin) or any user who is a member of the Directory Integration Platform administrator's group (cn=dipadmingrp,cn=odi,cn=oracle internet directory).

-w password

Required. The password used to bind to the directory.

-t | -type directory_type

Required if not specified in the profile. The connected directory type.

-profile profile_name

Required. The name of the profile that contains the attribute mapping file to validate.

-f | -file file_name

Optional. A file containing the following parameters for validating the attribute mapping file:

srcHost=source directory host name
srcPort=source directory port
srcDn=source directory bind DN
srcPasswd=source directory password for binding
srcDirType=source directory type
dstHost=destination directory host name
dstPort=destination directory port
dstDn=destination directory bind DN
dstPasswd=destination directory password for binding
dstDirType=destination directory type
mapFile=map file path

6.1.16.3 Tasks and Examples for dipassistant validatemapfile

Using the validatemapfile operation you can perform the following tasks:

6.1.16.3.1 Validating an Attribute Mapping File by Specifying the File Name

The following example validates an attribute mapping file named mapfile.properties:

Example:

dipassistant validatemapfile -f mapfile.properties

6.1.16.3.2 Validating an Attribute Mapping File by Specifying a Profile Name

The following example validates the attribute mapping file associated with a profile named myprofile:

Example:

dipassistant vmf -h ps1234 -p 389 -D cn=user -w password -profile myprofile

6.1.17 The dipassistant wpasswd Operation

The wpasswd (wp) operation sets the wallet password that the Oracle Directory Integration Platform server uses to connect to Oracle Internet Directory.

6.1.17.1 Syntax for dipassistant wpasswd

dipassistant wpasswd

6.1.17.2 Arguments for dipassistant wpasswd

The Directory Integration Platform Assistant prompts you to enter, and then confirm, the password.

6.1.17.3 Tasks and Examples for dipassistant wpasswd

Using the wpasswd operation you can perform the following tasks:

6.1.17.3.1 Setting the Wallet Password for the Oracle Directory Integration Platform Server

Example:

dipassistant wp

6.1.18 Running dipassistant in SSL Mode

dipassistant can connect to Oracle Internet Directory or a third-party directory in SSL mode. The following topics discuss the tasks you need to perform to connect to the directory using SSL mode:

6.1.18.1 Connecting to Oracle Internet Directory

You need to perform the following tasks before running dipassistant in SSL mode:

  1. Specify the wallet location in the odi.properties file. This file can be found under the $ORACLE_HOME/ldap/odi/conf directory.

  2. Set the wallet password using the dipassistant wpasswd command. See "The dipassistant wpasswd Operation" for more information.

Note:

The preceding steps are required only when connecting to Oracle Internet Directory using the -U 2 (server-only authentication) or -U 3 (server and client authentication) option. These steps are not required when connecting to Oracle Internet Directory using the -U 1 (SSL mode with no authentication) option.

6.1.18.2 Connecting to a Third-Party Directory

dipassistant can connect to a third-party directory in the following scenarios:

  • dipassistant bootstrap is used to perform an initial migration of data between the third-party directory and Oracle Internet Directory.

  • dipassistant modifyprofile -updlcn is used to get the last change number from the third-party (connected) directory for an import profile.

Perform the following tasks before using dipassistant to connect to a third-party directory in SSL mode:

  1. Specify the wallet location in the odi.properties file. This file can be found under the $ORACLE_HOME/ldap/odi/conf directory.

  2. Set the wallet password using the dipassistant wpasswd command. See "The dipassistant wpasswd Operation" for more information.

  3. Generate a certificate from the connected directory. An external certificate authority is not required for this.

  4. Export the certificate to Base64 encoded format.

  5. Import the certificate as a trust point into the Oracle wallet using Oracle Wallet Manager.

6.1.19 Related Command-Line Tools for dipassistant

6.2 odisrvreg

The odisrvreg command-line tool registers an Oracle Directory Integration Platform server with Oracle Internet Directory. This tool creates an entry in the directory and sets the password for the Directory Integration Platform server. If the registration entry already exists, then you can use the tool to reset the existing password. The odisrvreg tool also creates a local file called odisrvwallet_hostname in ORACLE_HOME/ldap/odi/conf. This file acts as a private wallet for the Directory Integration Platform server, which uses it on startup to bind to the directory.

6.2.1 Syntax for odisrvreg

odisrvreg -h oid_hostname -p port -D bindDN -w "password" [-U SSL_auth_mode -W wallet_location -P wallet_password]

6.2.2 Arguments for odisrvreg

-h oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

-p port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

-D "bindDN"

Required. The DN of the directory super user (cn=orcladmin).

-w password

Required. The password used to bind to the directory.

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-P wallet_password

Required if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument.

6.2.3 Tasks and Examples for odisrvreg

Using the odisrvreg command-line tool, you can perform the following tasks:

6.2.3.1 Registering the Oracle Directory Integration Platform Server With Oracle Internet Directory

The following example shows how to register the Oracle Directory Integration Platform server with Oracle Internet Directory using SSL for secure communications.

Example:

odisrvreg -h myhost.company.com -p 3040 -D "cn=orcladmin" -U 2 -W "file:/home/my_dir/my_wallet" -P walpasswd123

6.2.4 Related Command-Line Tools for odisrvreg

6.3 oidprovtool

Provisioning enables you to ensure that an application is notified of directory changes, such as changes to user or group information. Such changes can affect whether the application allows a user access to its processes and resources.

When you install an application that you want to provision, you must create a provisioning integration profile for it by using the Provisioning Registration Tool (oidprovtool). Use this tool to:

The Provisioning Registration Tool shields the location and schema details of the provisioning profile entries from the callers of the tool. From the callers' perspective, the combination of an application and a realm uniquely identify a provisioning profile. The constraint in the system is that there can be only one provisioning profile for each application for each realm.

Once a profile is created, its mode—that is, INBOUND, OUTBOUND, or BOTH—cannot be changed by using the modify operation. To change the mode, you must delete, then re-create, the profile.

The Oracle directory integration platform server automatically monitors provisioning profile configuration changes in Oracle Internet Directory, including the creation, modification, and deletion of provisioning profiles. For this reason, you do not need to manually enable or disable a provisioning profile.

Note:

For improved security, do not enter a password with the oidprovtool command unless prompted for one.

6.3.1 Syntax for oidprovtool

oidprovtool operation=[create|modify] ldap_host=oid_hostname ldap_port=port \
ldap_user_dn="bindDN" ldap_user_password=password \
[profile_mode=INBOUND|OUTBOUND|BOTH] \
application_dn="DN" application_type=type [application_name=name] \
[application_display_name=display name] organization_dn=DN \
[application_isdasvisible=TRUE|FALSE] [manage_application_defaults=TRUE|FALSE] \
[enable_bootstrap=TRUE|FALSE] [user_data_location=DN] \
[default_provisioning_policy=PROVISIONING_REQUIRED|PROVISIONING_NOT_REQUIRED] \
interface_name=SCHEMA.PACKAGE [interface_type=PLSQL|JAVA] \
[interface_version=1.1|2.0|3.0] interface_connect_info=connection_string \
schedule=number_seconds lastchangenumber=number \
max_prov_failure_limit=number \
max_events_per_schedule=number max_events_per_invocation=number \
event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN" \
event_permitted_operations="OBJECT:DOMAIN:OPERATION(attributes,...)" \
event_subscription="USER|GROUP:DOMAIN:OPERATION(attributes,...)" \
max_retries=number profile_group=number \
profile_status=ENABLED | DISABLED profile_debug=debug_level

oidprovtool {operation=enable|disable|delete|status|reset} \
application_dn=DN [organization_dn=DN] [ldap_host=oid_hostname] [ldap_port=port] \
[ldap_user_dn=bindDN] [ldap_user_password=password] [profile_debug=debug_level]

6.3.2 Arguments for oidprovtool

operation=create | modify | enable | disable | delete | status | reset

Required. The operation to perform using oidprovtool. You can only perform one operation at a time. The operations are:

  • create - Creates a new provisioning profile.

  • modify - Modifies the given properties of an existing provisioning profile.

  • enable - Enables a provisioning profile.

  • disable - Disables a provisioning profile.

  • delete - Deletes a provisioning profile.

  • status - Shows the current status of a given provisioning profile.

  • reset - Clears all errors for a provisioning profile.

ldap_host=oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

ldap_port=port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 389.

ldap_user_dn=bindDN

Required. The DN of the super user or a user that has sufficient permissions to perform provisioning subscription operations. The default is cn=orcladmin.

ldap_user_password=password

Required. The user password used to bind to the directory.

profile_mode=OUTBOUND | INBOUND | BOTH

Optional for the create operation only. The direction of the provisioning events. The default is OUTBOUND (data is provisioned from Oracle Internet Directory to the application).

application_dn=DN

Required. The distinguished name of the application to which the provisioning subscription belongs. The combination of the application DN and organization DN uniquely identifies a provisioning profile. For example, here is the application DN for Portal:

"orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext"

application_type=type

Required. The type of application being provisioned.

application_name=name

Optional. The name of the application being provisioned. If not provided, defaults to the distinguished name assigned to application_dn.

application_display_name=name

Optional. The display name of the application being provisioned. If not provided, defaults to the value assigned to application_name.

organization_dn=DN

Optional. If not provided, defaults to the default identity management realm. The distinguished name of the organization to which the provisioning subscription belongs, for example "dc=company,dc=com". The combination of the application DN and organization DN uniquely identifies a provisioning profile.

application_isdasvisible=TRUE | FALSE

Optional. Determines whether the application is visible as a provisioning-integrated application in the Oracle Internet Directory Provisioning Console. The default value is TRUE.

manage_application_defaults=TRUE | FALSE

Optional. Determines whether the Oracle Internet Directory Provisioning Console manages the application's default values. The default value is TRUE.

enable_bootstrap=TRUE | FALSE

Optional. Indicates whether the application should receive provisioning events for users that existed in Oracle Internet Directory before creating the application's provisioning integration profile. The default value is FALSE.

user_data_location=DN

Optional. Identifies the DN of the container in which to store application-specific user information.

default_provisioning_policy=PROVISIONING_REQUIRED | PROVISIONING_NOT_REQUIRED

Optional. Specifies the application's default provisioning policy. The default value is PROVISIONING_REQUIRED.

interface_name=SCHEMA.PACKAGE

Required for create or modify operations. The database schema name for the PLSQL package. The format of the value is schema.package_name, for example here is the schema and PLSQL package information for Portal:

interface_name=PORTAL.WWSEC_OID_SYNC

interface_version=1.1 | 2.0 | 3.0

The version of the interface protocol. Allowed values are 1.1, 2.0, or 3.0. The default value is 2.0.

interface_type=PLSQL | JAVA

Optional. The type of interface to which events will be propagated. The default is PLSQL.

interface_connect_info=connection_string

Required for create or modify operations. To connect to an Oracle database and propagate events, use one of the following formats for the connection string:

  • DBURL=ldap://ldaphost:ldapport/service:username:password (recommended)

  • host:port:sid:username:password

  • DBSVC=service:username:password

schedule=number_seconds

Optional for create and modify operations only. The number of seconds between executions of this profile. The default is 3600, which means the profile is scheduled to be executed every hour.

lastchangenumber=number

Optional for create and modify operations on OUTBOUND events only. The last change number in Oracle Internet Directory after which all qualifying events should be provisioned to the application. Defaults to the latest current change number.

max_prov_failure_limit=number

Optional. Determines the number of times the Oracle Provisioning System attempts to provision a user. The default is 1.

max_events_per_schedule=number

Optional for create and modify operations only. The maximum number of events that the Oracle directory integration platform server sends to an application during one execution of a provisioning profile. The default is 100.

max_events_per_invocation=number

Optional for create and modify operations only. The maximum number of events that can be packaged and sent to a target in one invocation of the interface.

event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN"

Required for create and modify operations on INBOUND events only. This rule maps the object type received from the application (using an optional filter condition) to a domain in Oracle Internet Directory. A provisioning profile can have multiple mapping rules defined.

The following example shows two mapping rules. The first rule shows that an employee object (EMP) whose locality attribute equals America (l=AMERICA) should be mapped to the domain l=AMER,cn=users,dc=company,dc=com. The second rule shows that an employee object (EMP) should be mapped to the domain cn=users,dc=company,dc=com (no filter conditions).

event_mapping_rules="EMP:l=AMERICA:l=AMER,cn=users,dc=company,dc=com"
event_mapping_rules="EMP::cn=users,dc=company,dc=com"

event_permitted_operations="OBJECT:DOMAIN:OPERATION(attributes,...)"

Required for create and modify operations on INBOUND events only. This property is used to define the types of events that the application is allowed to send to the Oracle Directory Integration Platform service. A provisioning profile can have multiple permitted operations defined.

For example, if you wanted to permit the application to send events whenever a user object was added or deleted, or when certain attributes were modified, you would have three permitted operations such as this:

event_permitted_operations="USER:dc=mycompany,dc=com:ADD(*)"
event_permitted_operations="USER:dc=mycompany,dc=com:MODIFY(cn,sn,mail,password)"
event_permitted_operations="USER:dc=mycompany,dc=com:DELETE(*)"

event_subscription="USER | GROUP:DOMAIN:OPERATION(attributes,...)"

Required for create and modify operations on OUTBOUND events only. This property is used to define the types of events that the Oracle Directory Integration Platform service should send to the application. A provisioning profile can have multiple event subscriptions defined.

For example, if you wanted the directory integration server to send events to the application whenever a user or group object was added or deleted, you would have four event subscriptions such as this:

event_subscription="GROUP:dc=mycompany,dc=com:ADD(*)"
event_subscription="GROUP:dc=mycompany,dc=com:DELETE(*)"
event_subscription="USER:dc=mycompany,dc=com:ADD(*)"
event_subscription="USER:dc=mycompany,dc=com:DELETE(*)"
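The three rule formats above (event_mapping_rules, event_permitted_operations and event_subscription) share one OBJECT:X:Y shape in which the DN field itself contains commas, which is what defeats a naive split. The parser below is an added example, not Oracle's code; it assumes DNs and filters contain no ':' and that operation names are uppercase, and adds an audit helper that lists which rules would propagate a given attribute such as userpassword.

```python
"""Parser for the oidprovtool event-rule strings documented above (added
example, not Oracle's code). Assumption: DNs and filters contain no ':', so
the first and last ':' delimit the three fields."""
import re
from typing import NamedTuple

# OPERATION or OPERATION(attr,attr,...); no list or (*) means every attribute
_OP_RE = re.compile(r"^(?P<op>[A-Z]+)(?:\((?P<attrs>[^()]*)\))?$")

class MappingRule(NamedTuple):      # event_mapping_rules "OBJECT:FILTER:DOMAIN"
    object_type: str
    filter: str                     # "" when the rule has no filter condition
    domain: str

class OperationRule(NamedTuple):    # event_permitted_operations / event_subscription
    object_type: str
    domain: str
    operation: str
    attributes: tuple               # () means every attribute

def _split3(rule):
    """Split OBJECT:X:Y at the first and last ':' (the middle may be empty)."""
    head, _, rest = rule.partition(":")
    mid, sep, tail = rest.rpartition(":")
    if not head or not sep or not tail:
        raise ValueError(f"expected three ':'-separated fields: {rule!r}")
    return head, mid, tail

def parse_mapping_rule(rule):
    return MappingRule(*_split3(rule))

def parse_operation_rule(rule):
    obj, domain, spec = _split3(rule)
    m = _OP_RE.match(spec)
    if not m:
        raise ValueError(f"bad operation spec: {spec!r}")
    raw = m.group("attrs")
    if raw is None or raw.strip() == "*":
        attrs = ()
    else:
        attrs = tuple(a.strip() for a in raw.split(",") if a.strip())
        if not attrs:
            raise ValueError(f"empty attribute list: {spec!r}")
    return OperationRule(obj, domain, m.group("op"), attrs)

def rules_touching(rules, attribute):
    """Rules propagating `attribute` (e.g. userpassword), incl. all-attribute rules."""
    want = attribute.lower()
    return [r for r in rules
            if not r.attributes or want in (a.lower() for a in r.attributes)]
```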

max_events_per_schedule=number

Optional for create and modify operations only. The maximum number of events to be provisioned in one schedule. The default is 100.

max_retries=number

Optional for create and modify operations only. The number of times a failed event should be retried. The default is 5.

profile_group=number

Required for create and modify operations only. The group number of the profile. Default is "DEFAULT". This is required to address scalability issues when different Oracle Directory Integration Platform server instances will be used to execute different selected groups.

profile_status=ENABLED | DISABLED

Required for the create operation only. Determines whether the profile is enabled or disabled. The default is ENABLED.

profile_debug=debug_level

Required. The debug level for the profile.

6.3.3 Tasks and Examples for oidprovtool

Using the Provisioning Registration Tool (oidprovtool) you can perform the following tasks:

6.3.3.1 Creating a Provisioning Profile

The following example creates a new provisioning profile that makes Portal aware of updates to the user and group information that is maintained in Oracle Internet Directory.

Example:

oidprovtool operation=create ldap_host=myhost.mycompany.com ldap_port=389 \
ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \
organization_dn="dc=us,dc=mycompany,dc=com" interface_name=PORTAL.WWSEC_OID_SYNC \
interface_type=PLSQL interface_connect_info=myhost:1521:iasdb:PORTAL:password \
schedule=360 event_subscription="USER:dc=us,dc=mycompany,dc=com:DELETE" \
event_subscription="GROUP:dc=us,dc=mycompany,dc=com:DELETE" \
event_subscription="USER:dc=us,dc=mycompany,dc=com:MODIFY(orclDefaultProfileGroup,userpassword)" \
event_subscription="GROUP:dc=us,dc=mycompany,dc=com:MODIFY(uniqueMember)" \
profile_mode=OUTBOUND

6.3.3.2 Modifying a Provisioning Profile

The following example modifies an existing provisioning profile for the Portal application. It changes the event subscription for the attributes that are provisioned when a user entry is modified.

Example:

oidprovtool operation=modify ldap_host=myhost.mycompany.com ldap_port=389 \
ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \
organization_dn="dc=us,dc=mycompany,dc=com" \
event_subscription="USER:dc=us,dc=mycompany,dc=com:MODIFY(orclDefaultProfileGroup,userpassword,mail,cn,sn)"

6.3.3.3 Deleting a Provisioning Profile

The following example deletes a provisioning profile for the Portal application.

Example:

oidprovtool operation=delete ldap_host=myhost.mycompany.com ldap_port=389 \
ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \
organization_dn="dc=us,dc=mycompany,dc=com"

6.3.3.4 Disabling a Provisioning Profile

The following example disables a provisioning profile for the Portal application.

Example:

oidprovtool operation=disable ldap_host=myhost.mycompany.com ldap_port=389 \
ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \
organization_dn="dc=us,dc=mycompany,dc=com"

6.3.4 Related Command-Line Tools for oidprovtool

6.4 schemasync

The schemasync command-line tool enables you to synchronize schema elements—namely attributes and object classes—between an Oracle Internet Directory server and a third-party LDAP directory.

The errors that occur during schema synchronization are logged in the following files:

6.4.1 Syntax for schemasync

schemasync -srchost hostname -srcport port -srcdn bindDN -srcpwd password -dsthost hostname -dstport port -dstdn bindDN -dstpwd password [-ldap]

6.4.2 Arguments for schemasync

-srchost hostname

Required. The host name of the source directory server.

-srcport port

Required. The LDAP listening port of the source directory server, for example 389.

-srcdn bindDN

Required. The DN of the user used to bind to the source directory. This user must have permissions to modify the directory schema, for example the super user (cn=orcladmin).

-srcpwd password

Required. The user password used to bind to the source directory.

-dsthost hostname

Required. The host name of the destination directory server.

-dstport port

Required. The LDAP listening port of the destination directory server, for example 389.

-dstdn bindDN

Required. The DN of the user used to bind to the destination directory. This user must have permissions to modify the directory schema, for example the super user.

-dstpwd password

Required. The user password used to bind to the destination directory.

-ldap

Optional. If specified, then the schema changes are applied directly from the source LDAP directory to the destination LDAP directory. If it is not specified, then the schema changes are placed in the following LDIF files:

  • $ORACLE_HOME/ldap/odi/data/attributetypes.ldif: This file has the new attribute definitions.

  • $ORACLE_HOME/ldap/odi/data/objectclasses.ldif: This file has the new object class definitions.

If you do not specify -ldap, then you must use "ldapmodify" to upload the definitions from these two files, first attribute types and then object classes.

6.4.3 Tasks and Examples for schemasync

Using the schemasync command-line tool, you can perform the following tasks:

6.4.3.1 Synchronizing the Schema between Oracle Internet Directory and a Third-Party Directory

The following example shows how to synchronize the schema between Oracle Internet Directory and a third-party directory server.

Example:

schemasync -srchost myhost1.mycompany.com -srcport 389 -srcdn "cn=orcladmin" -dsthost myhost2.mycompany.com -dstport 389 -dstdn "uid=superuser,ou=people,dc=mycompany,dc=com" -dstpwd admin123 -ldap

6.4.4 Related Command-Line Tools for schemasync