Oracle Internet Directory Administrator's Guide
Release 2.0.6

A77230-01


7
Managing Directory Entries

This chapter covers topics in the following sections.

Managing Entries by Using Oracle Directory Manager

This section discusses the following tasks:

Searching for Entries

You can display all entries by using the navigator pane, or search for one or more specific entries by using Oracle Directory Manager's search feature.

To display an entry by using the navigator pane, expand Entry Management to display its subtree:


The root of the tree is listed first, then the second level, and so forth, moving from left to right. The subtree lists the RDN of each entry in hierarchical order. To see the lower level entries within any subtree, click the plus sign (+) to the left of the parent entry.

To search for a directory entry:

  1. In the navigator pane, select Entry Management. The Search fields appear in the right pane:


  2. In the Root of the Search text box, enter the DN of the root of your search.

    For example, suppose you want to search for an employee who works in the Manufacturing division in the IMC organization in the Americas. The DN of the root of your search would be:

    ou=Manufacturing,ou=Americas,o=IMC,c=US

    You would therefore type that DN in the Root of the Search text box.

    You can also select the root of your search by browsing the directory tree. To do this:

    1. Click the Browse button to the right of the Root of the Search text box. The Select Distinguished Name (DN) Path: Tree View dialog box appears:


    2. Click the + next to Tree View to display its entries.

    3. Continue navigating to the entry that represents the level you want for the root of your search.

    4. Select that entry and click OK. The DN for the root of your search appears in the Root of the Search text box in the right pane.

  3. In the Max Results (entries) text box in the search window of Oracle Directory Manager, type the maximum number of entries you want your search to retrieve. The default is 100.

  4. In the Max Search Time (seconds) box, type the maximum number of seconds for the duration of your search. The value you enter here must be at least that of the default, namely, 25.

  5. In the Search Depth list, select the level to which you want to search. The options are:

    • Base: To retrieve a particular directory entry. Along with this search depth, you use the Search criteria bar to select the attribute objectClass and the filter Present.

    • One Level: To limit your search to all entries beginning one level down from the root of your search

    • Subtree: To search entries within the entire subtree, including the root of your search

  6. In the Search Criteria field, use the lists and text boxes on the search criteria bar to focus your search.


    1. In the menu at the left end of the search criteria bar, select an attribute of the entry for which you want to search.

    2. In the text box at the right end of the search criteria bar, type the value for the attribute you just selected. For example, if the attribute you selected was cn, you could type the particular common name you want to find.

    3. In the menu in the middle of the search criteria bar, select a filter. Options are:

      • Begins With: To search by using only the first few characters of the attribute's value. For example, cn Begins With Fr retrieves all entries in which the first few letters of the cn attribute are Fr. These would include Frank, Fran, Frances, Franklin, etc.

      • Ends With: To search for an entry by using only the last few characters of the specified attribute's value.

      • Contains: To search for an entry in which the attribute you specified includes, but is not necessarily limited to, the value you enter. For example, cn Contains Wins retrieves all entries in which the cn attribute contains the letters wins. These would include Winslow, Czerwinski, Winship, etc.

      • Exact Match: To search for an entry whose specified attribute is the same as the value you enter. For example, cn Exactly Matches Franklin Baldwins retrieves all entries in which the cn attribute has the value Franklin Baldwins.

      • Greater or Equal: To search for an entry in which the specified attribute is numerically or alphabetically greater than or equal to the value you enter. For example, cn Greater or Equal Frank retrieves all entries with cn attributes that range from the first Frank to the end of the alphabet.

      • Less or Equal: To search for entries in which the specified attribute is numerically or alphabetically less than or equal to the value you enter. For example, cn Less or Equal Frank retrieves all cn attributes from the first Frank to the beginning of the alphabet.

      • Present: To determine if an entry with the specified attribute is present at that level of the tree. You do not need to enter a value to use this relationship. The phrase cn Present retrieves all entries with the cn attribute at that level of the tree.

  7. Beneath the Search Criteria field are five buttons described in Table 7-1. Use these buttons to further refine your search by enhancing the search criteria bar.

    Table 7-1 Search Criteria Buttons

    • New: Creates a new search criteria bar in the Search Criteria field. This button is enabled only when the Search Criteria field is empty.

    • And: Creates another search criteria bar in the Search Criteria field. Matches all entries with one specified attribute with those that also have another specified attribute. For example, cn=Baldwins And title=Laborer retrieves all Baldwins who are also laborers.

    • Or: Creates another search criteria bar in the Search Criteria field. Matches all entries with either one specified attribute or another. For example, title=Laborer Or title=Foreman retrieves all employees who are either laborers or foremen.

    • Not: Negates the criterion in the selected search criteria bar and retrieves all entries that do not have the specified criterion. For example, cn=Frank And Not title=Laborer retrieves all persons named Frank who are not laborers.

    • Delete: Deletes a selected search criteria bar.

  8. Click Search. The results of your search appear in the Distinguished Name window of the right pane.
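
The filter options and the And, Or, and Not buttons described above correspond to standard LDAP search filter strings (RFC 4515), the same form that ldapsearch accepts on the command line. The following Python code is an added example, not part of Oracle's guide: the function names are illustrative, the ldapsearch flags (-b, -s, -z, -l) are the conventional ones and are assumed to apply to this release, and values are escaped so that characters such as * and ( typed into the value box are matched literally instead of being read as filter syntax.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Filter options from the search criteria bar -> standard LDAP filter syntax.
_TEMPLATES = {
    "Begins With": "({a}={v}*)",
    "Ends With": "({a}=*{v})",
    "Contains": "({a}=*{v}*)",
    "Exact Match": "({a}={v})",
    "Greater or Equal": "({a}>={v})",
    "Less or Equal": "({a}<={v})",
    "Present": "({a}=*)",
}
_SCOPES = {"Base": "base", "One Level": "one", "Subtree": "sub"}
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_value(value):
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def criterion(attr, option, value=""):
    """One search criteria bar: attribute, filter option, value."""
    if not _ATTR_RE.match(attr):
        raise ValueError("invalid attribute name: %r" % attr)
    if option not in _TEMPLATES:
        raise ValueError("unknown filter option: %r" % option)
    if option != "Present" and not value:
        raise ValueError("%s requires a value" % option)
    return _TEMPLATES[option].format(a=attr, v=escape_value(value))


def all_of(*filters):   # the And button
    return "(&" + "".join(filters) + ")"


def any_of(*filters):   # the Or button
    return "(|" + "".join(filters) + ")"


def negate(flt):        # the Not button
    return "(!" + flt + ")"


def ldapsearch_argv(base_dn, depth, flt, max_results=100, max_seconds=25):
    """Argument list (no shell involved) mirroring steps 2 to 5 above."""
    return ["ldapsearch", "-b", base_dn, "-s", _SCOPES[depth],
            "-z", str(max_results), "-l", str(max_seconds), flt]


if __name__ == "__main__":
    flt = all_of(criterion("cn", "Exact Match", "Frank"),
                 negate(criterion("title", "Exact Match", "Laborer")))
    print(ldapsearch_argv("ou=Manufacturing,ou=Americas,o=IMC,c=US", "Subtree", flt))
    print(criterion("cn", "Begins With", "A*(B)"))
```
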

Searching for Audit Log Entries

You can search for audit log entries by using either Oracle Directory Manager or the ldapsearch command line tool.

To use Oracle Directory Manager to view audit log entries, in the navigator pane, select Audit Log Management. The corresponding right pane appears.


Use this pane to search for particular types of entries in the audit log.

The results of the search appear in the lower box. You can scroll both horizontally and vertically to see all the information.

To view the properties of a particular audit log entry, select it in the lower box and click View Properties. The Audit Log Entry dialog box displays the properties for the audit log entry you selected:


See Also:

"Searching for Entries" 

Viewing Directory Entry Attributes

Once you have displayed the results of your search, click the entry whose attributes you want to view. An Entry dialog box displays the attributes for that entry:


Some attributes may also be DNs. For example, one attribute for a given employee might be that employee's manager who, in turn, has a DN. In this case, when you display the Entry dialog box for the employee, you would see a Browse button next to the Manager text box. To find information about that manager, click Browse. The Directory: Entry Management dialog box appears. Follow the steps mentioned in "Searching for Entries".

Adding Entries

You can use Oracle Directory Manager to add entries as described in the following sections:

Adding a New Entry

To add or delete entries with Oracle Directory Manager, you must have write access to the parent entry and you must know the DN for the new entry.


See Also:

Access Control and Authorization and Chapter 9 for information on access privileges 

To add a new entry:

  1. Either click the Create button on the tool bar, or select Create Entry from the Operation menu. The New Entry dialog box appears:


  2. In the Distinguished Name field, type the full DN. You may also click Browse to locate the DN of the parent for the entry you want to add, then type the RDN for your new entry to the left of that parent DN.

  3. To specify the object classes you want to use for the new entry, click the Add button to the right of the Object Classes window. The Super Class Selector dialog box appears:


  4. In the Super Class Selector dialog box, select an object class, then click Select. As you select from the object class list, mandatory and optional attributes populate the windows in the tab pages in the lower half of the New Entry dialog box. You must enter values into the mandatory attributes fields. You are not required to enter values into the optional attributes fields.

  5. When you have selected the object classes and provided values for the appropriate attributes, click OK.

Adding an Entry by Copying an Existing Entry

You can use Oracle Directory Manager to create a new entry by copying from an existing entry and changing its DN. You should also change the attributes, such as name and address, so that they correspond to the new DN. To add an entry, you must have write access to its parent.

Tip:

You can find a template for the new DN by looking up other similar entries in the search pane. 

To add an entry by copying an existing entry:

  1. When you click Entry Management in the navigator pane, the Search pane appears. Use it to search for an entry that you want to use as a template.


  2. Double-click an entry from those retrieved. The Entry dialog box for that entry appears:


    This entry will serve as your template in the Create Like pane.

  3. Click the Create Like button in the Entry dialog box.

    A New Entry: Create Like window appears:


  4. Change critical fields to tailor this particular entry to the one that you want to create. You must always change the DN and the common name in this operation, or the pane will not save your new entry data. For example, if you create an entry for Henri Latrobe using the entry for Henri Latour as the template, then you have to change cn=Henri Latour in the DN to cn=Henri Latrobe. You also have to change the Henri Latour value in the common name attribute to Henri Latrobe, and any other attributes that must be unique, such as employee number and telephone number.

  5. Click OK to save your changes.

    See Also:

    The online help for this dialog box for details about adding information into fields 

Example: Adding a User Entry by Using Oracle Directory Manager

In this example, we create a user named Anne Smith and assign her a password.

  1. Log in as the administrator.

  2. Expand Oracle Internet Directory Services > server instance, and select Entry Management.

  3. On the toolbar, click the Create button. The New Entry dialog box appears.

  4. In the Distinguished Name field, type the full DN. You may also click the Browse button to locate the DN of the parent for this entry, then type the RDN, namely, cn=Anne Smith, to the left of that parent DN.

  5. Click the Add button to the right of the Object Classes window. The Super Class Selector dialog box appears.

  6. In the Super Class Selector dialog box, select the person object class, then click Select. This returns you to the New Entry dialog box.

  7. In the New Entry dialog box, click the Optional Properties tab, and scroll to the userPassword window.

  8. Type the password for Anne Smith. The Optional Properties tab in the New Entry dialog box now looks something like the following:


Adding Group Entries

A group entry is one that contains a list of entries, for example, an e-mail list. You associate it with either the groupOfNames or groupOfUniqueNames object class, which has the object class orclPrivilegeGroup as a subclass.

You determine membership in the group by adding DNs to the multi-valued attribute member if the entry belongs to the groupOfNames object class, or uniqueMember if the entry belongs to the groupOfUniqueNames object class.

To add a group entry:

  1. Either click the Create button on the tool bar, or select Create Entry from the Operation menu. The New Entry dialog box appears.

  2. In the Distinguished Name field, type the full DN. You may also use the Browse button to locate the DN of the parent for the entry you want to add, then type the RDN for your new entry to the left of that parent DN.

  3. To specify the object classes you want to use for the new entry, click the Add button to the right of the Object Classes window. The Super Class Selector dialog box appears.

  4. In the Super Class Selector dialog box, select the top object class, then click the Select button. The top object class appears in the Object Classes window of the New Entry dialog box.

  5. In the same way, click the Add button to the right of the Object Classes window and, from the Super Class Selector dialog box, select the groupOfNames or groupOfUniqueNames object class. Click the Select button. The object class you selected appears in the Object Classes window of the New Entry dialog box.


  6. Enter the mandatory and optional attributes for your group entry.

    Note the Browse button next to the member window. Clicking Browse displays the Directory: Entry Management dialog box. Use this dialog box to search for a particular entry you want to add to the list. In the Distinguished Name window of the Directory: Entry Management dialog box, select the entry, then click the OK button. This returns you to the New Entry dialog box. The entry you just selected is added to the list in the members window.

  7. After you have completed the attribute fields, click OK.

    See Also:

    "Privilege Groups" for instructions on setting access control policies for group entries 

Modifying Entries

Oracle Directory Manager is governed by standard LDAP conventions, including the following:

To modify an entry:

  1. Perform a search for the entry you want to modify.

  2. In the Distinguished Name window of the Search pane, select the entry you want to modify.

  3. Click Edit. The Entry dialog box appears.


  4. In the Entry dialog box, modify the values of any editable attributes, then click OK.

Example: Modifying a User Entry by Using Oracle Directory Manager

In this example, we modify the password for the entry we created for Anne Smith in the section "Example: Adding a User Entry by Using Oracle Directory Manager".

  1. Perform a search for the Anne Smith entry.

  2. In the Distinguished Name window of the Search pane, select the entry for Anne Smith.

  3. Click Edit.

  4. In the Entry dialog box, scroll to the userPassword window and modify the value.

  5. Click OK.

Managing Entries by Using Command Line Tools

The following table summarizes some of the more common entry management tasks and the corresponding tool(s) for each one.

Task                                                                  Tool
Add a single entry                                                    ldapadd
Add multiple entries concurrently                                     ldapaddmt
Add new configuration set entries                                     ldapadd
Compare attribute values you specify with those in a directory entry  ldapcompare
Configure a server with an input file                                 ldapadd
Delete an entry                                                       ldapmodify, ldapdelete
Modify attribute values                                               ldapmodify
Modify configuration set entries                                      ldapmodify
Modify DN or RDN of an entry                                          ldapmodify, ldapmoddn
Modify several entries concurrently                                   ldapmodifymt
Move an entry or subtree under a new parent                           ldapmoddn
Rename a subtree                                                      ldapmoddn
Rename an entry                                                       ldapmoddn
Search for an entry                                                   ldapsearch
Verify that you can connect a client to a server                      ldapbind

The following table lists each of the command line tools, and tells you where to find syntax and usage notes for each one.

Tool          Information
ldapsearch    "ldapsearch"
ldapbind      "ldapbind"
ldapadd       "ldapadd"
ldapaddmt     "ldapaddmt"
ldapmodify    "ldapmodify"
ldapmodifymt  "ldapmodifymt"
ldapdelete    "ldapdelete"
ldapcompare   "ldapcompare"
ldapmoddn     "ldapmoddn"

Example: Adding a User Entry by Using ldapadd

In this example, we add the user entry for Audrey found in the file entry.ldif:

ldapadd -p 389 -b -f entry.ldif

This LDIF file contains the cn, sn, jpegPhoto, and userpassword attributes. For the jpegPhoto attribute, it specifies the path and file name of the corresponding JPEG image.

dn: cn=audrey, c=us
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: audrey
sn: hepburn
jpegPhoto: /photo/audrey.jpg
userpassword: welcome

Note that, in this user entry, the jpegPhoto attribute specifies the path and file name of the JPEG image you want to include as an entry attribute.

Example: Modifying a User Entry by Using ldapmodify

In this example, we change the password for a user named Audrey from welcome to audreyspassword. As in the example above, the data for this user entry is in the file entry.ldif.

ldapmodify -p 389 -b -f entry.ldif

The LDIF file in this example contains the following:

dn: cn=audrey, c=us
changetype: modify
replace: userpassword
userpassword: audreyspassword

Managing Entries by Using Bulk Tools

This section lists and describes some of the more common tasks you perform with bulk tools. For an overview of these tools, see "Using Bulk Tools".

This section discusses administrative tasks in the following sections:

Importing an LDIF File by Using bulkload

To import an LDIF file, you use the bulkload utility. The steps to process an LDIF file through bulkload are briefly summarized immediately below and are explained in detail later in this section.

Step 1: Back up the Oracle server

Before you import the file, back up the Oracle server as a safety precaution.

See Also:

Oracle8i Backup and Recovery Guide 

Step 2: Find out the Oracle Internet Directory password

To use bulkload and the other shell script tools that have commands ending in .sh, you must provide the Oracle Internet Directory password. The default password is ods, although the system administrator can change it by using the OID Database Password Utility.

See Also:

"Using the OID Database Password Utility" 

Step 3: Check input for schema and data consistency violations

On a Solaris computer, the file bulkload.sh usually resides in $ORACLE_HOME/ldap/bin. On a Windows NT computer, this file usually resides in ORACLE_HOME\ldap\bin.

Check the input file by typing:

bulkload.sh -connect net_service_name -check path_to_ldif-filename


All schema violations are reported in $ORACLE_HOME/ldap/log/schemacheck.log.

If any violations are detected in the input file, use an ASCII text editor to fix or remove them. If there are any duplicate entries, their DNs are logged in $ORACLE_HOME/ldap/log/duplicate.log.

Step 4: Generate the input files for SQL*Loader

After you have fixed any errors in the input file, re-run bulkload with the -generate option. During this step, LDIF data is converted to SQL*Loader-specific format.

bulkload.sh -connect net_service_name -generate ldif-filename


All loading errors are reported in $ORACLE_HOME/ldap/log.

When this command completes successfully, it generates *.dat files in the $ORACLE_HOME/ldap/load directory to be used by SQL*Loader in -load mode. Do not modify these files.

Step 5: Load the input files

After you have generated the input files, re-run bulkload with the -load option. During this step, the *.dat files, which are in Oracle SQL*Loader-specific format, are loaded into the database and the attribute indexes are created. The syntax is:

bulkload.sh -connect net_service_name -load

If Bulk Loading Fails

All loading errors are reported in $ORACLE_HOME/ldap/log/*.bad.

If bulk loading fails, the database could be left in an inconsistent state. It may be necessary to restore the database to its state prior to the bulk loading operation.
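
Both the ldapadd example earlier and the -check step in Step 3 deal with LDIF input that can contain duplicate DNs and clear-text userpassword values such as the one shown for Audrey. The following Python code is an added example, not part of Oracle's guide or of bulkload itself: it parses LDIF (comments, folded lines, base64 values) and lists duplicate DNs and the entries that carry a userpassword value, so you know which input files hold credentials and need restricted permissions. The DN comparison is a simplification (case and spacing only), and the sample data and function names are constructed for illustration.

```python
import base64

# Constructed sample: this page's Audrey entry, a copy with different DN case and spacing, a folded DN.
SAMPLE_LDIF = """\
dn: cn=audrey, c=us
objectclass: person
cn: audrey
sn: hepburn
userpassword: welcome

dn: CN=Audrey,C=US
objectclass: person
cn: audrey
sn: hepburn

dn: cn=Anne Smith,ou=Manufacturing,ou=Americas,
 o=IMC,c=US
objectclass: person
cn: Anne Smith
sn: Smith
userpassword:: ZXhhbXBsZQ==
"""

def parse_ldif(text):
    """Return a list of records, each a list of (attribute, value) pairs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], []
    for line in [l for l in lines if not l.startswith("#")] + [""]:
        if not line.strip():                # blank line ends a record
            if current:
                records.append(current)
            current = []
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: value" is base64
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.append((attr.strip().lower(), value.strip()))
    return records

def normalize_dn(dn):
    """Simplified comparison key: ignores case and spaces around , and =."""
    pairs = (rdn.partition("=") for rdn in dn.split(","))
    return ",".join(a.strip().lower() + "=" + " ".join(v.split()).lower() for a, _, v in pairs)

def precheck(text):
    """List duplicate DNs and the DNs of records carrying userpassword."""
    seen, duplicates, with_password = set(), [], []
    for record in parse_ldif(text):
        dn = next((v for a, v in record if a == "dn"), None)
        if dn is None:
            continue
        key = normalize_dn(dn)
        if key in seen:
            duplicates.append(dn)
        seen.add(key)
        if any(a == "userpassword" and v for a, v in record):
            with_password.append(dn)
    return {"duplicates": duplicates, "with_password": with_password}
```
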

Converting Directory Data to LDIF

Converting directory data to LDIF by using LDIF Writer makes the data available for loading into a new node in a replicated directory or into another node for backup storage.

See:

"ldifwrite" 

Modifying a Large Number of Entries

The bulkmodify utility enables you to modify a large number of existing entries in an efficient way.

See:

"bulkmodify" 

Deleting a Large Number of Entries

The bulkdelete utility enables you to delete an entire subtree efficiently.

See:

"bulkdelete" 


Copyright © 1999 Oracle Corporation.

All Rights Reserved.
