Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1)
A referral is a pointer that is used to redirect a client's request to another server. Typically, referrals indicate to the client application that the requested entry or branch of the directory tree is not present on the server but is located on another remote server or at another branch of the directory tree. The client must then perform the operation again on the remote server named in the referral.
Referrals can be used in the following cases:
When a client application requests an entry that does not exist on the local server, and the server has been configured to return the default referral.
When an entire suffix has been disabled for maintenance, backup, or security reasons. The server will return the referrals defined by that suffix.
When an object should be identified by different names. Referrals are useful to accommodate namespace changes.
When "search paths" are needed for collecting results from multiple servers.
In all cases, a referral is an LDAP URL that contains the host name, port number, and optionally a DN on the local host or on another server.
Note - Unless an LDAP client provides authentication, any search request initiated by means of an LDAP URL is anonymous (unauthenticated).
The format of an LDAP URL is described in RFC 4516 and is summarized as follows:
ldap[s]://hostname:port/base_dn?attributes?scope?filter
An LDAP URL includes the following components:
ldap[s]
    Indicates whether to connect to the server without SSL (ldap:) or over SSL (ldaps:).
hostname
    Specifies the host name or IP address of the LDAP server.
port
    Specifies the port number of the LDAP server. If no port is specified, the default LDAP port (389) or LDAPS port (636) is used, depending on the scheme.
base_dn
    Specifies the distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search. If no base DN is specified, the search starts at the root of the directory tree.
attributes
    Returns the specified attributes. Use commas to separate more than one attribute. If no attributes are specified, the search returns all attributes.
scope
    Specifies the scope of the search:
    base. Search only the base entry specified by base_dn.
    one. Search one level below the base entry specified by base_dn.
    sub. Search the base entry and all entries below the specified base_dn.
    If no scope is specified, the server performs a base search.
filter
    Specifies the search filter to apply to entries within the specified scope of the search. If no filter is specified, the server uses the default filter (objectclass=*).
Note - Any spaces must be escaped using a character appropriate to your shell.
The following LDAP URL specifies a search for all entries that have the surname Jensen at any level under dc=example,dc=com. No port is specified, so the default (389) is used. No attributes are specified, so all attributes will be returned.
ldap://example.com/dc=example,dc=com??sub?(sn=Jensen)
The following LDAP URL specifies a search for the cn and telephoneNumber attributes at any level under dc=example,dc=com. The server contacts the remote server at port 2389. Because no search filter is specified, the server uses the default filter (objectclass=*).
ldap://example.com:2389/dc=example,dc=com?cn,telephoneNumber?sub
You can create a referral by adding a new entry that contains a referral object class and a ref attribute. The ref attribute must contain an LDAP URL.
This example creates a referral on server B for a user entry that exists on server A.
$ ldapsearch -h serverA -p 1389 -b dc=example,dc=com "uid=user.199" cn
dn: uid=user.199,ou=People,dc=example,dc=com
cn: Alfred Altay

$ ldapmodify -h serverB -p 2389 -D "cn=directory manager" -w password
dn: uid=aaltay,ou=People,dc=example,dc=com
changetype: add
objectclass: top
objectclass: extensibleObject
objectclass: referral
uid: aaltay
ref: ldap://serverA:1389/dc=example,dc=com??sub?(uid=user.199)

Processing ADD request for uid=aaltay,ou=People,dc=example,dc=com
ADD operation successful for DN uid=aaltay,ou=People,dc=example,dc=com

$ ldapsearch -h serverB -p 2389 -D "cn=directory manager" -w password \
  -b dc=example,dc=com "uid=aaltay"
SearchReference(referralURLs={ldap://localhost:1389/dc=example,dc=com??sub?})
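The following added example (not from the Oracle documentation and not part of OUD) ties together the LDAP URL format described above and the SearchReference that the search on server B returns. It parses an RFC 4516 URL with the defaults the text lists (port 389/636, base scope, filter (objectclass=*)), pulls the URLs out of an ldapsearch SearchReference line, applies a trust check before the client would re-send its credentials to the referred host, and builds the ldapsearch command that re-issues the request there. The trust policy (host allowlist, no ldaps-to-ldap downgrade) is this example's own, not an OUD rule; the -Z, -s and -j flags are assumed from the OUD ldapsearch tool and are not shown on this page; the SearchReference line in the main block is constructed, not a captured transcript.

```python
"""Parse an LDAP referral URL and decide whether, and how, to follow it.

Added example; not part of the Oracle documentation or of OUD.
Standard library only. Assumptions are marked in comments.
"""
import re
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = {"base", "one", "sub"}
DEFAULT_FILTER = "(objectclass=*)"


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into its parts and fill in the defaults:
    port 389/636, base scope, filter (objectclass=*), empty attribute
    list meaning "return all attributes"."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # A referral must name a host; a host-less ldap:///... URL is rejected here.
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an LDAP URL with a host: %r" % (url,))
    port = parts.port  # raises ValueError unless it is a number in 0..65535
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # A literal '?' inside the DN or filter must be %-encoded in an LDAP URL,
    # so splitting the query on '?' yields attributes?scope?filter?extensions.
    fields = (parts.query.split("?") + [""] * 4)[:4]
    scope = fields[1].lower() or "base"
    if scope not in VALID_SCOPES:
        raise ValueError("invalid scope %r in %r" % (fields[1], url))
    return {
        "scheme": scheme,
        "host": parts.hostname,              # urlsplit lowercases the host
        "port": port,
        "base_dn": unquote(parts.path[1:]),  # drop the leading '/'
        "attributes": [unquote(a) for a in fields[0].split(",") if a],
        "scope": scope,
        "filter": unquote(fields[2]) or DEFAULT_FILTER,
        "extensions": unquote(fields[3]),
    }


def referral_urls_from_output(line):
    """Extract the URLs from an OUD ldapsearch 'SearchReference(...)' line.
    Assumption: URLs are RFC 4516 encoded (no raw spaces) and several URLs
    are separated by ', ' inside the braces."""
    m = re.search(r"referralURLs=\{(.*)\}", line)
    if m is None:
        return []
    return [u.rstrip(",") for u in re.findall(r"ldaps?://[^\s}]+", m.group(1))]


def check_referral(ref, trusted_hosts, bound_with_tls):
    """Return None if the client may follow the referral with its credentials,
    otherwise the reason to refuse. Policy is this example's own: follow only
    hosts on an explicit allowlist, and never let an ldaps session be redirected
    to clear-text ldap, where the re-bind would expose the credentials."""
    if ref["host"] not in {h.lower() for h in trusted_hosts}:
        return "untrusted referral host %s" % ref["host"]
    if bound_with_tls and ref["scheme"] != "ldaps":
        return "referral would downgrade the session from ldaps to ldap"
    return None


def ldapsearch_argv(ref, bind_dn=None, password_file=None):
    """Build the ldapsearch command that re-issues the search on the referred
    server. -h, -p and -b are used on this page; -Z (SSL), -s (scope) and
    -j (password file) are assumed from the OUD ldapsearch tool."""
    argv = ["ldapsearch", "-h", ref["host"], "-p", str(ref["port"])]
    if ref["scheme"] == "ldaps":
        argv.append("-Z")
    if bind_dn:
        if not password_file:
            raise ValueError("a bind DN needs a password file")
        argv += ["-D", bind_dn, "-j", password_file]  # keeps the password off argv
    argv += ["-b", ref["base_dn"], "-s", ref["scope"], ref["filter"]]
    return argv + ref["attributes"]


if __name__ == "__main__":
    # Constructed sample line, shaped like the SearchReference the search on
    # server B prints once the referral entry above exists.
    sample = ("SearchReference(referralURLs="
              "{ldap://serverA:1389/dc=example,dc=com??sub?(uid=user.199)})")
    for url in referral_urls_from_output(sample):
        ref = parse_ldap_url(url)
        problem = check_referral(ref, {"serverA", "serverC"}, bound_with_tls=False)
        if problem:
            print("not following %s: %s" % (url, problem))
        else:
            print(" ".join(ldapsearch_argv(ref)))
```

Run stand-alone, the script prints the ldapsearch command for server A; change bound_with_tls to True and the same ldap:// referral is refused, which is the check a client library should make before re-sending a bind to whatever host a referral names.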
You can view or modify a referral by using ldapsearch or ldapmodify with the manageDsaIT control. This control informs the server that you intend to manage the referral object as a regular entry and prevents the server from sending a referral result for requests that read or update referral objects.
$ ldapsearch -h serverB -p 2389 -D "cn=Directory Manager" -w password \
  -b dc=example,dc=com --control managedsait "(uid=aaltay)" ref
dn: uid=aaltay,ou=People,dc=example,dc=com
ref: ldap://serverA:1389/dc=example,dc=com??sub?(uid=user.199)
This example changes the server to which the referral points and the base DN under which the entry is located.
$ ldapmodify -h serverB -p 2389 -D "cn=Directory Manager" -w password \
  --control managedsait
dn: uid=aaltay,ou=People,dc=example,dc=com
changetype: modify
replace: ref
ref: ldap://serverC:1389/ou=People,dc=example,dc=com??sub?(uid=user.199)

Processing MODIFY request for uid=aaltay,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=aaltay,ou=People,dc=example,dc=com
You can delete a referral by using ldapdelete with the manageDsaIT control, which, as when viewing or modifying a referral, makes the server treat the referral object as a regular entry instead of returning a referral result. First confirm which referral entry you are about to remove:

$ ldapsearch -h serverB -p 2389 -D "cn=Directory Manager" -w password \
  -b dc=example,dc=com --control managedsait "(uid=aaltay)" ref
dn: uid=aaltay,ou=People,dc=example,dc=com
ref: ldap://serverA:1389/dc=example,dc=com??sub?(uid=user.199)

$ ldapdelete -h serverB -p 2389 -D "cn=Directory Manager" -w password \
  --control managedsait "uid=aaltay,ou=People,dc=example,dc=com"
Processing DELETE request for uid=aaltay,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=aaltay,ou=People,dc=example,dc=com