Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0) |
Managing Entries Using ldapmodify and ldapdelete
Adding Entries Using ldapmodify
Modifying Entries Using ldapmodify
Deleting Entries Using ldapdelete
Deleting Entries Using ldapmodify
Searching Entries Using ldapsearch
To Move or Rename an Entry Using ldapmodify
Guidelines and Limitations for Using the Modify DN Operation
General Guidelines for Using the Modify DN Operation
Guidelines for Using the Modify DN Operation With Replication
Grouping Entries for Simplified Management
To Compress the Size of Entries in Database
To Create and Modify a Smart Referral
Checking Valid Attribute Syntax
To Turn On Automatic Syntax Checking
Tracking Modifications to Directory Entries
To Turn Off Entry Modification Tracking
Attribute Encryption and Performance
Attribute Encryption Usage Considerations
To Configure Attribute Encryption
The best way to manage entries depends on the context:
If you mostly use DSCC for administration and you want to search or modify just a few entries, use DSCC. For more information about DSCC, see Directory Service Control Center Interface.
If you want to search or modify a large number of entries, use the command-line utilities ldapmodify and ldapdelete.
DSCC enables you to view all readable unencrypted attributes of an entry and to edit its writable attributes. It also enables you to add and remove attributes, set multi-valued attributes, and manage the object classes of the entry. For more information about how to use DSCC to manage entries, see the DSCC online help. For more information about DSCC in general, see Directory Service Control Center Interface.
You can add or edit a directory entry directly through DSCC on the Entry Management tab page for a Directory Server instance. There are buttons that launch wizards for adding and editing entries.
The following procedure explains how to extend entries, adding additional user-defined attributes to existing entries. For example, a new application accessing the directory requires that you store additional information on each entry, and you need to create a few entries for testing purposes.
Click the link to the Directory instance; click the Schema tab; scroll to User-Defined Object Classes, and click the Add button to open the wizard.
Alternatively, you can update the directory schema over LDAP or by editing configuration files. For more information, see Chapter 11, Directory Server Schema.
You must create the object class, because adding an object class attribute value to an entry is the LDAP way of extending the list of attributes the entry can have.
The form-based editor shows you all the attributes you can edit, but not object classes you can add to extend the entry.
For example, if you extend the schema with an object class example-objectclass that allows the attribute example-attribute, you add the object class and the attribute to the entry's LDIF as follows:
dn: uid=bjensen,ou=People,dc=example,dc=com
cn: Babs Jensen
mail: bjensen@example.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: example-objectclass
sn: Jensen
uid: bjensen
example-attribute: Extended entry
The Text View editor has a check routine built in, so you can check that your edits are valid with a single click. When everything is the way you want it, apply your changes.
The ldapmodify and ldapdelete command-line utilities provide full functionality for adding, editing, and deleting your directory contents. You can use these utilities to manage both the configuration entries of the server and the data in the user entries. The utilities can also be used to write scripts to perform bulk management of one or more directories.
The ldapmodify and ldapdelete commands are used in procedures throughout this book. The following sections describe the basic operations that you will need to perform procedures. For more information about the ldapmodify and ldapdelete commands, see Oracle Directory Server Enterprise Edition Reference.
Input to the command-line utilities is always in LDIF, and it can be provided either directly from the command-line or through an input file. The following section provides information about LDIF input, and subsequent sections describe the LDIF input for each type of modification.
For information about formatting LDIF input correctly, see the Guidelines for Providing LDIF Input in Oracle Directory Server Enterprise Edition Reference.
The following sections describe these basic operations:
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Note - Ensure that you use the ldapmodify utility provided with the Directory Server Enterprise Edition software.
You can add one or more entries to the directory by using the -a option of ldapmodify. The following example creates a structural entry to contain users and then creates a user entry:
$ ldapmodify -a -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: ou=People,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: People
description: Container for user entries

dn: uid=bjensen,ou=People,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgPerson
uid: bjensen
givenName: Barbara
sn: Jensen
cn: Babs Jensen
telephoneNumber: (408) 555-3922
facsimileTelephoneNumber: (408) 555-4000
mail: bjensen@example.com
userPassword: secret
The -D and -w options give the bind DN and password, respectively, of a user with permissions to create these entries. The -a option indicates that all entries in the LDIF will be added. Then each entry is listed by its DN and its attribute values, with a blank line between each entry. The ldapmodify utility creates each entry after it is entered, and the utility reports any errors.
By convention, the LDIF of an entry lists the following attributes:
The DN of the entry.
The list of object classes.
The naming attribute (or attributes). This is the attribute used in the DN, and it is not necessarily one of the required attributes.
The list of required attributes for all object classes.
Any allowed attributes that you want to include.
When typing a value for the userPassword attribute, provide the clear text version of the password. The server will encrypt this value and store only the encrypted value. Be sure to limit read permissions to protect clear passwords that appear in LDIF files.
You can also use an alternate form of the LDIF that does not require the -a option on the command line. The advantage of this form is that you can combine entry addition statements and entry modification statements, as shown in the following example.
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: ou=People,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: People
description: Container for user entries

dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgPerson
uid: bjensen
givenName: Barbara
sn: Jensen
cn: Barbara Jensen
telephoneNumber: (408) 555-3922
facsimileTelephoneNumber: (408) 555-4000
mail: bjensen@example.com
userPassword: secret
The changetype: add keyword indicates that the entry with the given DN should be created with all of the subsequent attributes. All other options and LDIF conventions are the same as explained earlier in this section.
In both examples, you can use the -f filename option to read the LDIF from a file instead of from the terminal input. The LDIF file must contain the same format as used for the terminal input, depending upon your use of the -a option.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Note - Ensure that you use the ldapmodify utility that is provided as a part of the Directory Server Enterprise Edition software.
Use the changetype: modify keyword to add, replace, or remove attributes and their values in an existing entry. When you specify changetype: modify, you must also provide one or more change operations to indicate how the entry is to be modified. The three possible LDIF change operations are shown in the following example:
dn: entryDN
changetype: modify
add: attribute
attribute: value...
-
replace: attribute
attribute: newValue...
-
delete: attribute
[attribute: value]
...
Use a hyphen (-) on a line to separate operations on the same entry, and use a blank line to separate groups of operations on different entries. You can also give several attribute: value pairs for each operation.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
The following example shows how you can use the same add LDIF syntax to add values to existing multi-valued attribute and to attributes that do not yet exist:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: cn
cn: Babs Jensen
-
add: mobile
mobile: (408) 555-7844
This operation might fail and the server will return an error if any of the following are true:
The given value already exists for an attribute.
The value does not follow the syntax defined for the attribute.
The attribute type is not required or allowed by the entry’s object classes.
The attribute type is not multi-valued and a value already exists for it.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
The attribute;binary subtype indicates that attribute values must be transported over LDAP as binary data, regardless of their actual syntax. This subtype is designed for complex syntax that does not have LDAP string representations, such as userCertificate. The binary subtype should not be used outside of this purpose.
When used with the ldapmodify command, appropriate subtypes can be added to attribute names in any of the LDIF statements.
To enter a binary value, you may type it directly in the LDIF text or read it from another file. The LDIF syntax for reading it from a file is shown in the following example:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
version: 1
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///local/cert-file
To use the :< syntax to specify a file name, you must begin the LDIF statement with the line version: 1. When ldapmodify processes this statement, it will set the attribute to the value that is read from the entire contents of the given file.
By default, a search returns binary attributes when they are requested with the ;binary option. Set the compat-flag server property to norfc4522 to disable RFC 4522 compliance.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Language and pronunciation subtypes of attributes designate localized values. When you specify a language subtype for an attribute, the subtype is added to the attribute name as follows:
attribute;lang-CC
where attribute is an existing attribute type, and CC is the two-letter country code that designates the language. You may optionally add a pronunciation subtype to a language subtype to designate a phonetic equivalent for the localized value. In this case the attribute name is as follows:
attribute;lang-CC;phonetic
To perform an operation on an attribute with a subtype, you must explicitly match its subtype. For example, if you want to modify an attribute value that has the lang-fr language subtype, you must include lang-fr in the modify operation as follows:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: homePostalAddress;lang-fr
homePostalAddress;lang-fr: 34, rue de la Paix
Note - If the attribute value contains non-ASCII characters, they must be UTF-8 encoded.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
The following example shows how to change the value of an attribute by using the replace syntax in LDIF:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: sn
sn: Morris
-
replace: cn
cn: Barbara Morris
cn: Babs Morris
All current values of the specified attributes are removed, and all given values are added.
After changing an attribute value, you can use the ldapsearch command to verify the change.
When you modify an attribute value, take care not to include trailing spaces at the end of the value. Trailing spaces are stored in the server as part of the attribute's value, which leads to unexpected values being stored.
When you verify the change using DSCC or the ldapsearch command, the value you see might be plain text or some other unexpected value. This depends on which Directory Server client you use.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
The following example shows how to delete an attribute entirely and how to delete only one value of a multi-valued attribute:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
delete: facsimileTelephoneNumber
-
delete: cn
cn: Babs Morris
When using the delete syntax without specifying an attribute: value pair, all values of the attribute are removed. If you specify an attribute: value pair, only that value is removed.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
To modify one value of a multi-valued attribute with the ldapmodify command, you must perform two operations, as shown in the following example:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
delete: mobile
mobile: (408) 555-7845
-
add: mobile
mobile: (408) 555-5487
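The LDIF examples in this section (changetype: add records, the add/replace/delete change operations separated by a hyphen, attribute subtypes such as ;lang-fr and ;binary, the :< file syntax, and the trailing-space and UTF-8 caveats) all follow RFC 2849 encoding rules that are easy to get wrong when a script generates ldapmodify input. The following Python is an added example, not code from Oracle or from Directory Server Enterprise Edition, that builds such records and applies those rules: a value that starts with a space, colon or <, ends with a space, or contains non-ASCII or control characters is emitted base64-encoded (attr:: ...) so the server stores exactly what was intended; a FileRef value is emitted with attr:< url and forces the version: 1 header. The FileRef class and all function names are this example's own.

```python
"""Added example: build ldapmodify input (LDIF change records) from Python.

Applies the RFC 2849 rules the hand-written examples rely on: "attr:: <base64>"
for values that cannot be written as plain text, "attr:< url" for values read
from a file (requires the "version: 1" header), "-" between change operations
on one entry, and a blank line between records.  Not DSEE code.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple, Union


@dataclass(frozen=True)
class FileRef:
    """A value ldapmodify should read from a file, e.g. file:///local/cert-file."""
    url: str


Value = Union[str, bytes, FileRef]


def needs_base64(value: str) -> bool:
    """True when a string cannot be written as a plain "attr: value" line:
    leading space/':'/'<', trailing space, or any NUL/CR/LF/non-ASCII character."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ch in "\0\r\n" or ord(ch) > 0x7F for ch in value)


def format_value(attr: str, value: Value) -> str:
    """One attribute line; attr may carry subtypes such as ';binary' or ';lang-fr'."""
    if isinstance(value, FileRef):
        return f"{attr}:< {value.url}"
    if isinstance(value, bytes):
        raw = value                              # binary syntax: always base64
    elif needs_base64(value):
        raw = value.encode("utf-8")              # non-ASCII must be UTF-8 first
    else:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def add_record(dn: str, attrs: Dict[str, List[Value]]) -> str:
    """A 'changetype: add' record (the form that needs no -a on the command line)."""
    lines = [format_value("dn", dn), "changetype: add"]
    for attr, values in attrs.items():
        lines.extend(format_value(attr, v) for v in values)
    return "\n".join(lines) + "\n"


def modify_record(dn: str, ops: Iterable[Tuple[str, str, List[Value]]]) -> str:
    """A 'changetype: modify' record; each op is (add|replace|delete, attr, values).
    Operations are separated by a '-' line, as in the examples above."""
    blocks = []
    for op, attr, values in ops:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown change operation: {op}")
        if op == "add" and not values:            # delete/replace may be empty
            raise ValueError(f"add: {attr} needs at least one value")
        blocks.append("\n".join([f"{op}: {attr}",
                                 *(format_value(attr, v) for v in values)]))
    if not blocks:
        raise ValueError("a modify record needs at least one operation")
    header = "\n".join([format_value("dn", dn), "changetype: modify"])
    return header + "\n" + "\n-\n".join(blocks) + "\n"


def ldif_document(records: List[str]) -> str:
    """Join records with blank lines; prepend 'version: 1' if any uses ':<'."""
    body = "\n".join(records)
    uses_file_url = re.search(r"^[^\n:]+:< ", body, re.MULTILINE) is not None
    return ("version: 1\n" if uses_file_url else "") + body


if __name__ == "__main__":
    # Constructed sample data mirroring the entries used in this chapter.
    doc = ldif_document([
        add_record("ou=People,dc=example,dc=com", {
            "objectclass": ["top", "organizationalUnit"],
            "ou": ["People"],
            "description": ["Container for user entries"],
        }),
        modify_record("uid=bjensen,ou=People,dc=example,dc=com", [
            ("delete", "mobile", ["(408) 555-7845"]),
            ("add", "mobile", ["(408) 555-5487"]),
            ("add", "homePostalAddress;lang-fr", ["34, rue de la Paix"]),
            ("add", "userCertificate;binary", [FileRef("file:///local/cert-file")]),
        ]),
    ])
    print(doc)   # feed to: ldapmodify -h host1 -p 1389 -D ... -w - -f generated.ldif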
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Note - Ensure that you use the ldapdelete utility that is provided as a part of the Directory Server Enterprise Edition software.
Use the ldapdelete command-line utility to delete entries from the directory. This utility binds to the directory server and deletes one or more entries based on their DN. You must provide a bind DN that has permission to delete the specified entries.
You cannot delete an entry that has children. The LDAP protocol forbids the situation where child entries would no longer have a parent. For example, you cannot delete an organizational unit entry unless you have first deleted all entries that belong to the organizational unit.
In the following example, the organizational unit contains only one entry, so that entry and then its parent entry can be deleted.
$ ldapdelete -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
uid=bjensen,ou=People,dc=example,dc=com
ou=People,dc=example,dc=com
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Note - Ensure that you use the ldapmodify utility that is provided as a part of the Directory Server Enterprise Edition software.
When using the ldapmodify utility, you can also use the changetype: delete keywords to delete entries. All of the same limitations apply as when using ldapdelete, as described in the previous section. The advantage of using LDIF syntax for deleting entries is that you can perform a mix of operations in a single LDIF file.
The following example performs the same delete operations as the previous example:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: delete

dn: ou=People,dc=example,dc=com
changetype: delete
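Because the protocol refuses to delete an entry that still has children, a bulk deletion (with ldapdelete or with changetype: delete records) must list the deepest entries first. The following Python is an added example, not Oracle's code, that orders a list of DNs leaf-first by counting RDN components and writes the corresponding changetype: delete records; it splits DNs on commas while honouring backslash-escaped commas inside an RDN value, which a naive split would break. The function names are this example's own.

```python
"""Added example: order DNs so that no parent is deleted before its children."""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN components; a comma escaped with '\\' does not split."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                       # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def leaf_first(dns: List[str]) -> List[str]:
    """Deepest entries first.  Sorting is stable, so entries at the same depth
    keep the order in which they were listed."""
    return sorted(dns, key=lambda d: -len(split_dn(d)))


def delete_ldif(dns: List[str]) -> str:
    """'changetype: delete' records in leaf-first order, blank-line separated."""
    records = [f"dn: {dn}\nchangetype: delete\n" for dn in leaf_first(dns)]
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed DN list, as it might come from "ldapsearch -b ou=People,... dn".
    subtree = [
        "ou=People,dc=example,dc=com",
        "cn=Jensen\\, Babs,ou=People,dc=example,dc=com",   # escaped comma in RDN
        "uid=bjensen,ou=People,dc=example,dc=com",
    ]
    print(delete_ldif(subtree))
```

The ordering relies only on depth, so it needs no directory lookups; the entries themselves still have to be a complete subtree, since an entry omitted from the list would leave its parent undeletable.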
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Note - Ensure that you use the ldapsearch utility that is provided as a part of the Directory Server Enterprise Edition software.
You can use the ldapsearch command-line utility to locate and retrieve directory entries.
For more information about using ldapsearch, common ldapsearch options, accepted formats, and examples, refer to Oracle Directory Server Enterprise Edition Reference.
This procedure uses the modify DN operation. Before starting this operation, ensure that you are familiar with the section Guidelines and Limitations for Using the Modify DN Operation.
For parts of this procedure, you can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help. Other parts of the procedure can only be done using the command line.
Note - When modifying the DNs of entries that are a uniquemember of a group, you must have the referential integrity plug-in enabled. Referential integrity ensures that the group members get adjusted when the entry is moved. For information about how to enable and configure the referential integrity plug-in, see To Configure the Referential Integrity Plug-In.
On the current parent entry of the entry to be moved, ensure that the ACI allows the export operation, using the syntax allow (export ...).
On the future parent entry of the entry to be moved, ensure that the ACI allows the import operation, using the syntax allow (import ...).
For information about using ACIs, see Chapter 6, Directory Server Access Control.
To ensure compatibility with previous releases of Directory Server, the modify DN operation is not enabled by default.
If you have already enabled the modify DN operation previously, go to the next step.
To enable the modify DN operation globally for a server, use this command:
$ dsconf set-server-prop -h host -p port moddn-enabled:on
This step uses the modify DN operation. Do one of the following:
Move the entry.
For example, the following command moves the entry uid=bjensen from the subtree for contractors, ou=Contractors,dc=example,dc=com to the subtree for employees, ou=People,dc=example,dc=com:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: uid=bjensen,ou=Contractors,dc=example,dc=com
changetype: modrdn
newrdn: uid=bjensen
deleteoldrdn: 0
newsuperior: ou=People,dc=example,dc=com
Rename the entry.
For example, the following command renames the entry uid=bbjensen to uid=bjensen:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: uid=bbjensen,ou=People,dc=example,dc=com
changetype: modrdn
newrdn: uid=bjensen
deleteoldrdn: 1
Pay attention to the following attributes when writing the LDIF statement:
dn - Specifies the entry to rename or move.
changetype: modrdn - Specifies that a modify DN operation is to be used.
newrdn - Gives the new naming attribute.
deleteoldrdn - Indicates whether the previous naming attribute should be removed from the entry (1 is yes, 0 is no).
Note that you cannot remove a naming attribute from the entry if that attribute is obligatory in the entry definition.
newsuperior - Specifies the new superior (parent) entry of the entry.
For information about the ldapmodify command and its options, see the ldapmodify(1) man page.
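To make the effect of newrdn, deleteoldrdn and newsuperior concrete, the following Python is an added example, not Oracle's code, that models what the move and rename records above do to an entry's DN and attribute values: the new naming value is added to the entry, deleteoldrdn: 1 removes the old naming value (and only that value) from its attribute, newsuperior replaces the parent, and the removal is refused when it would empty an attribute the entry's object classes require. The server consults its schema for that last rule; this example has no schema, so the caller passes the set of required attributes, and attribute names are lower-cased to mimic case-insensitive matching. The function names are this example's own.

```python
"""Added example: simulate a modify DN (modrdn) change record on an entry."""
import re
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]   # attribute (lower-cased) -> list of values


def split_first_rdn(dn: str) -> Tuple[str, str]:
    """Return (rdn, parent_dn); a comma escaped with a backslash does not split."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[0].strip(), (parts[1].strip() if len(parts) == 2 else "")


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Split a single-valued RDN such as 'uid=bjensen' into (attr, value)."""
    attr, sep, value = rdn.partition("=")
    if not sep or not value.strip():
        raise ValueError(f"not a single-valued RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def apply_modrdn(dn: str, entry: Entry, newrdn: str, deleteoldrdn: int,
                 newsuperior: Optional[str] = None,
                 required: Set[str] = frozenset()) -> Tuple[str, Entry]:
    """Return (new_dn, new_entry) for the given modrdn record.
    'required' is the caller's stand-in for the schema's MUST attributes."""
    if deleteoldrdn not in (0, 1):
        raise ValueError("deleteoldrdn must be 0 or 1")
    old_rdn, old_parent = split_first_rdn(dn)
    old_attr, old_value = parse_rdn(old_rdn)
    new_attr, new_value = parse_rdn(newrdn)
    result: Entry = {k.lower(): list(v) for k, v in entry.items()}

    # The new naming value is always present on the renamed entry.
    if new_value not in result.setdefault(new_attr, []):
        result[new_attr].append(new_value)

    if deleteoldrdn == 1 and old_value in result.get(old_attr, []):
        remaining = [v for v in result[old_attr] if v != old_value]
        if not remaining and old_attr in required:
            raise ValueError(
                f"deleteoldrdn: 1 would remove obligatory attribute {old_attr}")
        if remaining:
            result[old_attr] = remaining
        else:
            del result[old_attr]

    new_dn = f"{newrdn.strip()},{(newsuperior or old_parent).strip()}"
    return new_dn, result


if __name__ == "__main__":
    # Constructed entry; mirrors the move example from this procedure.
    entry = {"uid": ["bjensen"], "sn": ["Jensen"], "cn": ["Babs Jensen"]}
    print(apply_modrdn("uid=bjensen,ou=Contractors,dc=example,dc=com", entry,
                       "uid=bjensen", 0, newsuperior="ou=People,dc=example,dc=com"))
    print(apply_modrdn("uid=bbjensen,ou=People,dc=example,dc=com",
                       {"uid": ["bbjensen"]}, "uid=bjensen", 1))
```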
$ dsconf set-server-prop -h host -p port db-lock-count:value
If you modify this property, you must restart the server for the change to take effect.
When you use the modify DN operation, as described in the previous section, use the guidelines described in the following sections.
Do not use the modify DN operation to move an entry from one suffix to another suffix, or to rename or move the root suffix.
Do not use the entryid operational attribute in your application because it is reserved for internal use only. The entryid attribute of an entry can change when an entry is moved.
Enable the modify DN operation globally for all suffixes on a server, or individually on each suffix where you wish to run the operation. By default the modify DN operation is disabled.
Extend the ACI rights on each suffix where you wish to run the modify DN operation. The Import access right allows an entry to be imported to the specified DN. The Export access right allows an entry to be exported from the specified DN.
Before performing a modify DN operation, ensure that the operation would not break client authentication. If you move an entry that refers to a client certificate, client authentication will break. After moving an entry, validate your certificates.
Before performing a modify DN operation, ensure that the operation would not break your application. The rename or move of an entry can affect several suffixes, or can change the following characteristics of the entry:
The scope of a filtered role of an entry.
The nested role of an entry, where the nested role contains a filtered role.
The dynamic group membership of an entry.
Caution - Using the modify DN operation without complying with the following requirements can break replication and bring down your directory service.
Enable the modify DN operation on all servers in your replication topology. If the modify DN operation is supported on the master server but not on the consumer server, replication will fail. A message similar to the following will be written to the error log on the supplier server:
Unable to start a replication session with MODDN enabled
To restart replication, reconfigure the replication topology to enable the modify DN operation on all servers, and then start a replication session in one of the following ways:
By following the instructions in To Force Replication Updates.
By changing an entry on the supplier server. The change is replicated to the consumer servers.
Enable and configure the referential integrity plug-in on all master replicas in the topology. This action ensures that the server maintains referential integrity for groups and roles. For information about how to enable and configure the referential integrity plug-in, see To Configure the Referential Integrity Plug-In.
After performing a modify DN operation, allow time for the referential integrity plug-in to replicate its changes.