Skip Navigation Links | |
Exit Print View | |
Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
1. Starting and Stopping the Server
2. Configuring the Server Instance
3. Configuring the Proxy Components
4. Configuring Security Between Clients and Servers
5. Configuring Security Between the Proxy and the Data Source
6. Managing Oracle Unified Directory With Oracle Directory Services Manager
10. Managing Users and Groups With dsconfig
Managing Root User, Global Administrator, and Administrator Accounts
Working With Multiple Root Users
Root Users and the Privilege Subsystem
Managing Root Users With dsconfig
To View the Default Root User Privileges
To Edit the Default Root User Privileges
To Change a Root User's Password
To Change a Root User's Privileges
Setting Root User Resource Limits
Managing Global Administrators
To Create an Administrator with Root User Privileges
To Change the Directory Manager's Password
To Reset and Generate a New Password for a User
Managing a User's Account Information
To View a User's Account Information
To View Account Status Information
Setting Resource Limits on a User Account
To Set Resource Limits on an Account
To Create a Static Group With groupOfNames
To Create a Static Group With groupOfUniqueNames
To Create a Static Group With groupOfEntries
To List All Members of a Static Group
To List All Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Group
To List All Members of a Dynamic Group
To List All Dynamic Groups of Which a User Is a Member
To Determine Whether a User Is a Member of a Dynamic Group
Defining Virtual Static Groups
To Create a Virtual Static Group
To List All Members of a Virtual Static Group
To List All Virtual-Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Virtual Static Group
Simulating ODSEE Roles in an Oracle Unified Directory Server
To Determine Whether a User is a Member of a Role
To Alter Membership by Using the nsRoleDN Attribute
11. Managing Password Policies
Referential integrity is a database mechanism for ensuring that all references are properly maintained after delete, rename, or move operations. For example, if an entry is removed from the directory, the directory server also removes the entry from any groups of which the entry is listed as a member.
The referential integrity mechanism is configured as a plug-in in the directory server and can be enabled using the dsconfig command. For more information, see Managing the Server Configuration With dsconfig.
By default, the referential integrity plug-in is disabled. When you enable the plug-in by using dsconfig, it performs integrity updates on the member and uniquemember attributes immediately after a delete, rename, or move operation. Whenever you delete, rename, or move a user or group entry in the directory, the operation is logged to the referential integrity log file, instance-dir/OUD/logs/referint.
After a specified time, known as the update interval, the server performs a search on the specified attributes and matches the results with the DNs of the deleted or modified entries recorded in the log. If the log file shows that an entry was deleted, the corresponding attribute is deleted. If the log file shows that an entry was changed, the corresponding attribute value is modified accordingly.
You can configure the properties of the referential integrity plug-in to suit your requirements. The following properties can be configured:
Enabled. Turn on the referential integrity plug-in.
plugin type. By default, the delete, rename, and move operations are set. You can change a plug-in type to only delete, for example.
Attribute type. By default, the attribute types are set to member,uniquemember but can be changed to some other attribute. If you use or define attributes containing DN values, you can use the referential integrity plug-in to monitor these attributes.
Base-DN. By default, the scope is to use all public naming contexts but this can be changed to a specific context.
Log file. By default, logs/referint is the log file. You can record the referential integrity updates in a different file. For example, if you want to record changes in a replicated environment, you can write to the changelog file on a replication server, so that it can be replicated to a consumer server.
Update interval. By default, the update interval is set to 0 seconds, which will run referential integrity immediately after a delete, rename, or move operation. To minimize the impact of the updates on system performance, increase the amount of time between updates. Typical update intervals are as follows:
0 seconds, update immediately
90 seconds (updates every 90 seconds)
3600 seconds (updates every hour)
10,800 seconds (updates every 3 hours)
28,800 seconds (updates every 8 hours)
86,400 seconds (updates once a day)
604,800 seconds (updates once a week)
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \ set-plugin-prop \ --plugin-name "Referential Integrity" --set enabled:true