A
Syntax for LDIF and Command Line Tools

This appendix provides syntax, usage notes, and examples for LDAP Data Interchange Format and LDAP command line tools in the following sections:

• Using LDAP Data Interchange Format (LDIF)

• Using Command Line Tools

• Using Bulk Tools

• Using the Catalog Management Tool

• Using the OID Database Password Utility

Using LDAP Data Interchange Format (LDIF)

The standardized file format for directory entries is as follows:

Property	Value	Description
dn:	RDN,RDN,RDN, ...	Separate RDNs with commas.
attribute:	attribute_value	This line repeats for every attribute in the entry, and for every attribute value in multi-valued attributes.
objectClass:	object_class_ value	This line repeats for every object class.

Example 14-1 LDIF File Entry for an Employee

dn: cn=Suzie Smith,ou=Server Technology,o=Acme, c=US

cn: Suzie Smith

cn: SuzieS

sn: Smith

email: ssmith@us.Acme.com

telephoneNumber: 69332

photo:/ORACLE_HOME/empdir/photog/ssmith.jpg

objectClass: organizational person

objectClass: person 
objectClass: top

In Example 14-1, the first line contains the DN. The lines that follow the DN begin with the mnemonic for an attribute, followed by the value to be associated with that attribute. Note that each entry ends with lines defining the object classes for the entry.

Example 14-2 LDIF File Entry for an Organization

dn: o=Acme,c=US

o: Oracle

ou: Financial Applications

objectClass: organization 
objectClass: top

LDIF Formatting Notes

The following list of LDIF formatting rules is not exhaustive.

• All mandatory attributes belonging to an entry being added must be included with non-null values in the LDIF file.

  Tip: To see the mandatory and optional attribute types for an object class, you can use Oracle Directory Manager. See "Viewing Properties of Object Classes".

• Non-printing characters and tabs are represented in attribute values by base-64 encoding.

• The entries in your data file must be separated from each other by a blank line.

• A file must contain at least one entry.

• Lines can be continued to the next line by beginning the continuation line with a space or a tab.

• Add a blank line between separate entries.

• Reference binary files, such as photographs, with the absolute address of the file, preceded by a forward slash ("/").

• The DN contains the full, unique directory address for the object.

• The lines listed after the DN contain both the attributes and their values. DNs and attributes used in the input file must match the existing structure of the DIT. Do not use attributes in the input file that you have not implemented in your DIT.

• Sequence the entries in an LDIF file so that the DIT is created from the top down. If an entry relies on an earlier entry for its DN, make sure that the earlier entry is added before its child entry.

• When you define schema within an LDIF file, insert a white space between the opening parenthesis and the beginning of the text, and between the end of the text and the ending parenthesis.

  See Also: The various resources listed in "Further Reading" for a complete list of LDIF formatting rules "Using NLS with LDIF Files".

Using Command Line Tools

This section tells you how to use the following tools:

• ldapsearch

• ldapbind

• ldapadd

• ldapaddmt

• ldapmodify

• ldapmodifymt

• ldapdelete

• ldapcompare

• ldapmoddn

ldapsearch

The ldapsearch command line tool searches for and retrieves specific entries in the directory.

To run ldapsearch at the command line, use this syntax:

ldapsearch [options] filter [attributes]

The filter format should be compliant with RFC-2254. For further information about this standard, search for the standard at: http://www.ietf.org/rfc/rfc2254.txt

Separate attributes with a space.

If you do not list any attributes, all attributes are retrieved.

Mandatory Arguments	Descriptions
-b basedn	Specifies base dn for search
-s scope	Specifies search scope: base, one, or sub.

Optional Arguments	Descriptions
-A	Retrieves attribute names only (no values)
-a deref	Specifies alias dereferencing: never, always, search, or find
-B	Allows printing of non-ASCII values
-D binddn	When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option.
-d debug level	Sets debugging level to the level specified (see Table 5-5)
-E "character_set"	Specifies native character set encoding. See Chapter 11.
-f file	Performs sequence of searches listed in file
-F sep	Prints `sep' instead of `=' between attribute names and values
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local machine. ldaphost can be a machine name or an IP address.
-L	Prints entries in LDIF format (-B is implied)
-l timelimit	Specifies maximum time (in seconds) to wait for ldapsearch command to complete
-n	Shows what would be done without actually searching
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-S attr	Sorts the results by attribute attr
-t	Writes to files in /tmp
-u	Includes user friendly entry names in the output
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w passwd	Specifies bind passwd (for simple authentication)
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)
-z sizelimit	Specifies maximum number of entries to retrieve

Examples of ldapsearch Filters

Study the following examples to see how to build your own search commands. Each of these examples searches on port 389 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us".

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"

This search will find all entries with any value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"objectclass=orcle*"

This search will find all entries that have orcle at the beginning of the value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"(&(objectclass=orcle*)(cn=foo*))"

This search returns entries where the objectclass attribute begins with orcle and cn begins with foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(!(cn=foo))"

This search returns entries where the common name (cn) is not foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"(|(cn=foo*)(sn=bar*))"

This search returns entries where cn begins with foo or sn begins with bar.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"employeenumber<=10000"

This search returns entries where employeenumber is less than or equal to 10000.

ldapbind

Use the ldapbind command line tool to see whether you can authenticate a client to a server.

To run ldapbind, type at the command line:

ldapbind [options]

Optional Arguments	Descriptions
-D binddn	When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w bindpassword option.
-E ".character_set"	Specifies native character set encoding. See Chapter 11.
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local machine. ldaphost can be a machine name or an IP address.
-n	Shows what would occur without actually performing the operation
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-U SSLAuth	Specifies SSL authentication mode (1 for no authentication required, 2 for one way authentication required, 3 for two way authentication required)
-w password	Provides the password required to connect
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)

ldapadd

Use the ldapadd command line tool to add entries, their object classes, attributes, and values to the directory. To add attributes to an existing entry, use the ldapmodify command, explained in "ldapmodify".

See Also: "Adding Configuration Set Entries by Using ldapadd" for an explanation of using ldapadd to configure a server with an input file

To run the ldapadd command, type at the command line:

ldapadd options -f filename

where filename is the name of an LDIF file written with the specifications explained in detail later in this section.

Optional Arguments	Descriptions
-b	Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced.
-c	Tells ldapadd to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapadd stops when it encounters an error.)
-D binddn	When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w bindpassword option.
-E "character_set"	Specifies native character set encoding. See Chapter 11.
-f filename	Specifies the input name of the LDIF format import data file. For a detailed explanation of how to format an LDIF file, see "Using LDAP Data Interchange Format (LDIF)".
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local machine. ldaphost can be a machine name or an IP address.
-K	Same as -k, but performs only the first step of the Kerberos bind
-k	Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket.
-n	Shows what would occur without actually performing the operation
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w password	Provides the password required to connect
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)

ldapaddmt

ldapaddmt is like ldapadd: it adds entries, their object classes, attributes, and values to the directory. It is unlike ldapadd in that it supports multiple threads for adding entries concurrently.

While it is processing LDIF entries, ldapaddmt logs errors in the add.log file in the current directory.

To run ldapaddmt, use this command syntax:

ldapaddmt -T number_of_threads -h host -p port -f filename

where filename is the name of an LDIF file written with the specifications explained in detail later in this section.

The following example uses five concurrent threads to process the entries in the file myentries.ldif.

ldapaddmt -T 5 -h node1 -p 3000 -f myentries.ldif

Increasing the number of concurrent threads improves the rate at which LDIF entries are created, but consumes more system resources.

Optional Arguments	Descriptions
-b	Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced.
-c	Tells the tool to proceed in spite of errors. The errors will be reported. (If you do not use this option, the tool stops when it encounters an error.)
-D binddn	When authenticating to the directory, specifies doing so as the entry is specified in binddn. Use this with the -w password option.
-E "character_set"	Specifies native character set encoding. See Chapter 11
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local machine. ldaphost can be a machine name or an IP address.
-K	Same as -k, but performs only the first step of the kerberos bind
-k	Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket.
-n	Shows what would occur without actually performing the operation.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-T	Sets the number of threads for concurrently processing entries
-U SSLAuth	Specifies SSL Authentication Mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w password	Provides the password required to connect
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)

ldapmodify

The ldapmodify tool acts on attributes.

To run the ldapmodify command, use this command syntax:

ldapmodify [options] -f filename

where filename is the name of an LDIF file written with the specifications explained in detail later in this section.

The list of arguments in the following table is not exhaustive.

Optional Arguments	Description
-a	Denotes that entries are to be added, and that the input file is in LDIF format.
-b	Specifies that you have included binary file names in the data file, which are preceded by a forward slash character.
-c	Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.)
-D binddn	When authenticating to the directory, specifies doing so as the entry is specified in binddn. Use this with the -w bindpassword option.
-E "character_set"	Specifies native character set encoding. See Chapter 11.
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local machine. ldaphost can be a machine name or an IP address.
-n	Shows what would occur without actually performing the operation.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w bindpassword	Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option.
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)

To run modify, delete, and modifyrdn operations using the -f flag, use LDIF for the input file format (see "Using LDAP Data Interchange Format (LDIF)") with the specifications noted below:

Always separate entries with a blank line.

Unnecessary space characters in the LDIF input file, such as a space at the end of an attribute value, will cause the LDAP operations to fail.

Line 1: Every change record has, as its first line, the literal dn: followed by the DN value for the entry, for example:

dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US

Line 2: Every change record has, as its second line, the literal "changetype:" followed by the type of change (add, delete, modify, modrdn), for example:

changetype:modify

or

changetype:modrdn

Format the remainder of each record according to the following requirements for each type of change:

• changetype:add

  Uses LDIF format (see "Using LDAP Data Interchange Format (LDIF)").

• changetype:modify

  The lines that follow this changetype consist of changes to attributes belonging to the entry that you identified in Line 1 above. You can specify three different types of attribute modifications--add, delete, and replace--which are explained immediately below:

  • Add attribute values. This option to changetype modify adds more values to an existing multi-valued attribute. If the attribute does not exist, it will add the new attribute with the specified values:

    add: attribute name
    attribute name: value1
    attribute name: value2...
    

    For example:

    dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
    changetype:modify
    add: work-phone
    work-phone:510/506-7000
    work-phone:510/506-7001
    

  • Delete values. If you supply only the "delete" line, all the values for the specified attribute are deleted. Otherwise, if you specify an attribute line, you can delete specific values from the attribute:

    delete: attribute name
    [attribute name: value1]
    

    For example:

    dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
    changetype:delete
    delete: home-fax
    

  • Replace values. Use this option to replace all the values belonging to an attribute with the new, specified set:

    replace:attribute name
    [attribute name:value1 ...]
    

    If you do not provide any attributes with "replace," the directory adds an empty set. It then interprets the empty set as a delete request, and complies by deleting the attribute from the entry. This is useful if you want to delete attributes that may or may not exist.

    For example:

    dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US 
    changetype:modify
    replace: work-phone
    work-phone:510/506-7002
    
    
    

  • changetype:delete

    This change type deletes entries. It requires no further input, since you identified the entry in Line 1 and specified a changetype of delete in Line 2.

    For example:

    dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
    changetype:delete
    
    
    

  • changetype:modrdn

    The line following the change type provides the new RDN (relative distinguished name) using this format:

    newrdn: RDN
    
    

    For example:

    dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
    changetype:modrdn
    newrdn: cn=Barbara Fritchy-Blomberg
    

ldapmodifymt

Use the ldapmodifymt command line tool to modify several entries concurrently.

To run ldapmodifymt, use this command syntax:

ldapmodifymt -T number_of_threads [options] -f filename

where filename is the name of an LDIF file written with the specifications explained in detail later in this section.

For example:

ldapmodifymt -T 5 -h node1 -p 3000 -f myentries.ldif

Optional Arguments	Descriptions
-a	Denotes that entries are to be added, and that the input file is in LDIF format. (If you are running ldapadd, this flag is not required.)
-b	Specifies that you have included binary file names in the data file, which are preceded by a forward slash character.
-c	Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.)
-D binddn	When authenticating to the directory, specifies doing so as the entry is specified in binddn. Use this with the -w bindpassword option.
-E "character_set"	Specifies native character set encoding. See Chapter 11.
-h ldaphost	Tells ldapmodify to connect to ldaphost, rather than to the default directory. ldaphost can be an IP address.
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local machine. ldaphost can be a machine name or an IP address.
-n	Shows what would occur without actually performing the operation.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-T	Sets the number of threads for concurrently processing entries
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w bindpassword	Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option.
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)

See Also: "ldapmodify" for additional formatting specifications used by ldapmodifymt

ldapdelete

The ldapdelete command line tool removes entire entries from the directory that you specify in the command line.

To delete an entry by using ldapdelete, use this command syntax:

ldapdelete [options] "entry_DN"

The following example uses port 389 on a host named myhost.

ldapdelete -p 389 -h myhost ou=EuroSInet Suite, o=IMC, c=US"

Optional Arguments	Descriptions
-D binddn	When authenticating to the directory, uses a full DN for the binddn parameter; typically used with the -w password option.
-d debug-level	Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility".
-E "character_set"	Specifies native character set encoding. See Chapter 11.
-f filename	Specifies the input filename
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local machine. ldaphost can be a machine name or an IP address.
-k	Authenticates using authentication instead of simple authentication. To enable this option, you must compile with Kerberos defined. You must already have a valid ticket granting ticket.
-n	Shows what would be done, but doesn't actually delete
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w password	Provides the password required to connect.
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)

ldapcompare

The ldapcompare command line tool matches attribute values you specify in the command line with the attribute values in the directory entry.

To run ldapcompare, use this command syntax:

ldapcompare [options] 

The following example tells you whether Person Nine's title is associate.

ldapcompare -p 389 -h myhost -b "cn=Person Nine, ou=EuroSInet Suite, o=IMC, 
c=US" -a title -v associate

Mandatory Arguments	Descriptions
-a attribute name	Specifies the attribute on which to perform the compare
-b basedn	Specifies the distinguished name of the entry on which to perform the compare
-v attribute value	Specifies the attribute value to compare

Optional Arguments	Descriptions
-D binddn	When authenticating to the directory, specifies doing so as the entry is specified in binddn. Use this with the -w password option.
-d debug-level	Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility".
-E "character_set"	Specifies native character set encoding. See Chapter 11.
-f filename	Specifies the input filename
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local machine. ldaphost can be a machine name or an IP address.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-w password	Provides the password required to connect
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)

ldapmoddn

The ldapmoddn command line tool modifies the DN or RDN of an entry.

To run ldapmoddn, use the following syntax:

ldapmoddn [options]

The following example uses ldapmoddn to modify the RDN component of a DN from "cn=dcpl" to " cn=thanh mai". It uses port 389, and a host named myhost.

ldapmoddn -p 389 -h myhost -b "cn=dcpl,dc=Americas,dc=imc,dc=com" -R "cn=thanh 
mai"

Mandatory Argument	Description
-b basedn	Specifies DN of the entry to be moved

Optional Arguments	Descriptions
-D binddn	When authenticating to the directory, do so as the entry is specified in binddn. Use this with the -w password option.
-E "character_set"	Specifies native character set encoding. See Chapter 11.
-f filename	Specifies the input filename
-h ldaphost	Specifies name of the host node of the directory server
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local machine. ldaphost can be a machine name or an IP address.
-N newparent	Specifies new parent of the RDN
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password (required for one-way or two-way SSL connections)
-r	Specifies that the old RDN is not retained as a value in the modified entry. If this argument is not included, the old RDN is retained as an attribute in the modified entry.
-R newrdn	Specifies new RDN
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-w password	Provides the password required to connect.
-W wallet_location	Specifies wallet location (required for one-way or two-way SSL connections)

Using Bulk Tools

This section tells you how to use the following bulk tools:

• bulkload

• ldifwrite

• bulkmodify

• bulkdelete

bulkload

The bulkload command line tool uses Oracle SQL*Loader to create directory entries from data residing in or created by other applications. When using bulkload, you specify any options and the input filename. The bulkload tool expects the input file to be in the LDAP Data Interchange Format (LDIF).

o

See Also: "Using LDAP Data Interchange Format (LDIF)".

The bulkload tool syntax is:

bulkload.sh -connect net_service_name [-check] [-generate] [-load]

   [-restore] absolute_path_to_ldif.file

Mandatory Argument	Description
connect net_service_name	Connects to the database using the net service name defined in the tnsnames.ora file

Optional Arguments	Descriptions
check	Checks LDAP schema for inconsistencies and for existence of duplicate DNs in the data file
-encode "character_set"	Specifies native character set encoding. See Chapter 11.
generate	Creates files suitable for loading into Oracle Internet Directory
load	Loads files resulting from generate phase into specified database
restore	Takes the operational attributes, such as orclguid, creatorsname, and createtimestamp, from the LDIF file rather than generating new ones. Use this argument only when the LDIF file contains operational attributes. Use this in conjunction with the generate and check arguments.

Bulk loading must be performed when Oracle Internet Directory processes are not running.

See Also: Chapter 5 for instructions on stopping directory server instances

The LDIF data file path must be fully specified for check or generate operations.

Bulk Loading Multiple Nodes in a Replicated Environment

After generating a file with the generate option, you can use the load option to load multiple machines with the identical SQL*Loader file. Do this only when creating a new replica node.

See Also: "Step 7: Start the Replication Servers on All the Nodes".

The current version of bulkload does not allow you to specify the connection information for all of the nodes in one command.

When you load the same data into multiple nodes in a replicated network, ensure that the orclGUID parameter (global IDs) is consistent across all the nodes. You can accomplish this by generating the bulkload data file once only (using the -generate option), and then using the same data file to load the other nodes (using the -load option).

ldifwrite

The ldifwrite command line tool enables you to convert all or part of the information residing in an Oracle Internet Directory to LDIF. This makes that information available for loading into a new node in a replicated directory or into another node for backup storage. The ldifwrite tool performs a subtree search, including all entries below the specified DN, including the DN itself.

The ldifwrite tool syntax is as follows:

ldifwrite -c net_service_name -b base_DN -f filename 

Mandatory Arguments	Descriptions
-c net_service_name	Specifies the net service name of the directory that is the source of the data, as defined in the tnsnames.ora file.
-b base_DN	Specifies the base of the subtree to be written out in LDIF format
-f filename	Specifies the name of the LDIF file to be created

Optional Argument	Description
-E "character_set"	Specifies native character set encoding. See Chapter 11.

The following example writes all the entries under ou=Europe, o=imc, c=us into the output1.ldi file.

ldifwrite -c nldap -b "ou=Europe, o=imc, c=us" -f output1.ldi

All the arguments are mandatory.

The LDIF file and the intermediate file are always written to the current directory.

The ldifwrite tool includes the operational attributes of each entry in the directory, including createtimestamp, creatorsname, and orclguid.

See Also: "ldifwrite" for information on specifying the -E option and using National Language Support with ldifwrite

bulkmodify

Use the bulkmodify tool to modify a large number of existing entries in an efficient way. The bulkmodify tool supports the following:

• Subtree based modification

• A single attribute filter. For example, the filter could be objectclass=*, objectclass=oneclass, or telephonenumber=*.

• Attribute value addition and replacement. It modifies all matched entries in bulk.

The bulkmodify tool performs schema checking on the specified attribute name and value pair during initialization. All entries that meet the following criteria are modified:

• They are under the specified subtree.

• They meet the single filter condition.

• They contain the attribute to be modified as either mandatory or optional.

The LDAP server and replication server may be running concurrently while bulk modification is in progress, but the bulk modification does not affect the replication server. You must perform bulk modification against all replicas.

Note: LDIF file based modification is not supported by the bulkmodify. This type of modification requires per entry based schema checking, and therefore the performance gain over the existing ldapmodify tool is insignificant.

You must restrict user access to the subtree during bulk modification. If necessary, ACI restriction can be applied to the subtree being updated by bulkmodify.

You cannot use bulkmodify to add a value to single-valued attributes that already contain one value. If a second value is added, you must alter the directory schema to make that attribute multi-valued.

The bulkmodify tool syntax is as follows:

bulkmodify -c net_service_name -b base_dn {-a|-r} attr_name -v att_value [-f 
filter] [-s size]

Mandatory Arguments	Descriptions
-c net_service_name	Specifies the net service name of the directory database to connect to
-b base_dn	Specifies the base DN of the subtree to be modified
-a attr_name	Specifies the attribute name for addition
-r attr_name	Specifies the attribute name for replacement
-v att_value	Specifies the attribute value for either addition or replacement

Optional Arguments	Descriptions
-f filter	Specifies the filter to be used
-s number_of_entries	Specifies the number of entries to be committed as a part of one transaction. If not specified, default is 100.
-E "character_set"	Native character set encoding. See Chapter 11.

The filter specified with the -f option must contain a single attribute.

If a filter is not specified, the default filter objectclass=* is assumed.

There can be only one attribute name specified in the -a or -r option in each execution.

There can be only one value specified in the -v option in each execution. For example, the following bulkmodify command adds the telephone number 408-123-4567 to the entries of all employees who have Anne Smith as their manager:

-c my_database -b "c=US" -a telephoneNumber -v "408-123-4567 -f "manager=Anne 
Smith"

To assure that the modified entries are read, after completing the bulkmodify procedure, restart the Oracle Internet Directory server.

bulkdelete

Use the bulkdelete command line tool for deleting a subtree efficiently. It can be used when both an LDAP server and Replication servers are in operation. It uses a SQL interface to benefit performance. For this release, the bulkdelete tool runs on only one node at a time.

This tool does not support filter-based deletion. That is, it deletes an entire subtree below the root of the subtree. If the base DN is a user-added DN, rather than a DN created as part of the installation of the directory, it is included in the delete. The administrator must restrict LDAP activity against the subtree during deletion.

The bulkdelete tool syntax is as follows:

bulkdelete.sh -connect net_service_name -base "base_dn" -size number_of_entries

The script includes the following arguments:

Mandatory Arguments	Descriptions
- connect net_service_name	Specifies the net service name to connect to the directory database
- base "base_dn"	Specifies the base DN of the subtree to be deleted

Optional Arguments	Descriptions
-size number_of_entries	Specifies the number of entries to be committed as a part of one transaction.
-encode "character_set"	Native character set encoding

Using the Catalog Management Tool

Before running the Catalog Management tool, unset the LANG variable. After you finish running Catalog Management tool, set the LANG variable back to its original value.

To unset LANG:

• Using Korn shell:

  UNSET LANG
  
  
  

• Using C shell:

  UNSETENV LANG
  

The Catalog Management tool syntax is:

catalog.sh -connect net_service_name {add|delete} {-attr attr_name|-file 
filename}

Mandatory Argument	Description
- connect net_service_name	Specifies the net service name to connect to the directory database

Optional Arguments	Descriptions
- add -attr attr_name	Indexes the specified attribute
- delete -attr attr_name	Drops the index from the specified attribute
- add -file filename	Indexes attributes (one per line) in the specified file
-delete -file filename	Drops the indexes from the attributes in the specified file

When you enter the CATALOG.SH command, the following message appears:

This tool can only be executed if you know the OiD user password.
Enter OiD password:

If you enter the correct password, the command is executed. If you give an incorrect password, the following message is displayed:

Cannot execute this tool

After you finish running the Catalog Management tool, set the LANG variable back to its original value.

To set LANG:

• Using Korn shell:

  SET LANG=appropriate_language, EXPORT LANG
  
  

• Using C shell:

  SETENV LANG appropriate_language
  
  
  

To effect the changes after running the Catalog Management tool, stop, then restart, Oracle Directory Server.

See Also: Chapter 5 for instructions on starting and restarting directory servers

Using the OID Database Password Utility

The OID Database Password Utility syntax is as follows:

oidpasswd [connect=net_service_name]

 

The OID Database Password Utility prompts you for the current password. Type the current password, then the new password, then a confirmation of the new password. Note that none of the passwords is echoed to the screen.

The OID Database Password Utility assumes by default that the local database (as defined by ORACLE_HOME and ORACLE_SID) is the database password being changed. If you are changing the password on a remote database, you must use the connect=net_service_name option.

For example:

$ oidpasswd 
current password: ods
new password: newsupersecret
confirm password: newsupersecret
password set.$

Note: User responses are not echoed to the screen.