|Oracle Internet Directory Administrator's Guide
Part Number A86101-01
Oracle Internet Directory release 2.1.1 enables synchronization with supported third party metadirectory solutions. Synchronization with these metadirectory solutions occurs through the use of change logs. This chapter describes how that change log information is generated and used by supporting solutions. It also provides instructions for enabling other directories to synchronize with Oracle Internet Directory.
Changes in an Oracle Internet Directory are recorded as entries in the change log object store. Other directories must have access to that store if they are to synchronize with Oracle Internet Directory. You grant them this access by registering them with Oracle Internet Directory.
Each entry in the change log store has a change number. Another directory retrieves from Oracle Internet Directory only those entries with change numbers equal to or greater than the last change it retrieved. For example, suppose that the entry that a directory last retrieved had a change number of 250. Entries that this directory subsequently retrieves must have change numbers of 250 or greater.
If the entry with the change number matching the last change retrieved is not returned in the search results, then it means that some of the entries in the Oracle Internet Directory change log have been purged. The directory must then read the entire Oracle Internet Directory change log to synchronize its copy with that of Oracle Internet Directory.
Once you have registered another directory with Oracle Internet Directory, that directory can authenticate to Oracle Internet Directory and retrieve updates from it. It does this by following the processes described in this section.
See Also: "Enabling Other Directories to Synchronize with Oracle Internet Directory" for instructions on registering directories with Oracle Internet Directory
In this example, my_other_directory acquires changes from Oracle Internet Directory by issuing the following command through ldapsearch:
ldapsearch -h host -p port -b "cn=changeLog" -s one "(&(changeNumber>=orclLastAppliedChangeNumber)(!(modifiersname=cn=my_other_directory,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory)))"
When the directory is retrieving changes for the first time, the value for orclLastAppliedChangeNumber is the number you set in "Task 2: Register a Directory as a Change Subscription Object in Oracle Internet Directory".
The clause (!(modifiersname=cn=my_other_directory,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory)) in the filter ensures that Oracle Internet Directory does not return changes made by the other directory itself.
After retrieving changes from Oracle Internet Directory, the connected directory updates the orclLastAppliedChangeNumber attribute in its change subscription object. This allows Oracle Internet Directory to purge changes that connected directories have already applied. It also enables the connected directory to retrieve only the most recent changes, ignoring those it has already applied.
This example uses an input file named mod.ldif in which the last applied change number is 121. The connected directory updates orclLastAppliedChangeNumber in its change subscription object as follows:
See Also: "Change Log Purging" for information about purging changes according to change numbers.
To retrieve changes after the first time, the other directory issues a command by using ldapsearch. The following example returns all the changes with changeNumber equal to or greater than 121, except those related to operations performed by the other directory itself.
ldapsearch -h my_host -p my_port_number -b "cn=changeLog" -s one "(&(objectclass=changeLogEntry)(changeNumber>=122)(!(modifiersname=cn=my_other_directory,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory)))"
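The retrieval cycle this section describes, including the purge check of "If the entry with the change number matching the last change retrieved is not returned", written out as an added example that is not code from the Oracle guide. The LDAP server is replaced by a constructed in-memory change log so the script runs offline; the entry values, the helper names (escape_filter_value, changelog_filter, search_changelog, retrieve_changes) and the simulated purge scenario are assumptions, while the subscriber DN and the filter shape come from the text above.

```python
"""Change-subscriber poll cycle modelled on the chapter's ldapsearch calls.

Added example, not code from the Oracle guide. The directory server is
replaced by an in-memory list (CHANGE_LOG) so the script runs offline; the
entries, numbers and helper names are constructed for illustration.
"""

# The subscriber's own change subscription object DN (from the guide's example).
SUBSCRIBER_DN = ("cn=my_other_directory,cn=Subscriber Profile,"
                 "cn=ChangeLog Subscriber,cn=Oracle Internet Directory")

# Constructed stand-in for what a one-level search under cn=changeLog returns.
# Change 122 was made by the subscriber itself and must be filtered out.
CHANGE_LOG = [
    {"changeNumber": 120, "modifiersName": "cn=orcladmin",
     "targetDN": "cn=alice,o=example", "changeType": "modify"},
    {"changeNumber": 121, "modifiersName": "cn=orcladmin",
     "targetDN": "cn=bob,o=example", "changeType": "add"},
    {"changeNumber": 122, "modifiersName": SUBSCRIBER_DN,
     "targetDN": "cn=carol,o=example", "changeType": "add"},
    {"changeNumber": 123, "modifiersName": "cn=orcladmin",
     "targetDN": "cn=dave,o=example", "changeType": "delete"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def changelog_filter(last_applied: int, subscriber_dn: str) -> str:
    """Filter string equivalent to the guide's ldapsearch: entries numbered
    last_applied or higher, minus those the subscriber made itself."""
    return ("(&(objectclass=changeLogEntry)"
            f"(changeNumber>={last_applied})"
            f"(!(modifiersname={escape_filter_value(subscriber_dn)})))")


def search_changelog(store, last_applied: int, subscriber_dn: str):
    """Evaluate the same conditions as changelog_filter() against the store."""
    return sorted((e for e in store
                   if e["changeNumber"] >= last_applied
                   and e["modifiersName"] != subscriber_dn),
                  key=lambda e: e["changeNumber"])


def retrieve_changes(store, last_applied: int, subscriber_dn: str):
    """One synchronization cycle.

    Returns (entries_to_apply, new_last_applied, full_resync).
    The entry numbered last_applied is requested again as a sentinel: if it is
    not in the result, older entries have been purged and the whole change log
    is re-read, as the chapter requires.
    """
    results = search_changelog(store, last_applied, subscriber_dn)
    if any(e["changeNumber"] == last_applied for e in results):
        to_apply = [e for e in results if e["changeNumber"] > last_applied]
        full_resync = False
    else:
        to_apply = search_changelog(store, 0, subscriber_dn)
        full_resync = True
    # Value to write back into orclLastAppliedChangeNumber once applied.
    new_last = max((e["changeNumber"] for e in to_apply), default=last_applied)
    return to_apply, new_last, full_resync


if __name__ == "__main__":
    print(changelog_filter(121, SUBSCRIBER_DN))
    for last in (121, 100):   # 100 simulates a change log that has been purged
        applied, new_last, resync = retrieve_changes(CHANGE_LOG, last, SUBSCRIBER_DN)
        print(f"last={last} resync={resync} "
              f"apply={[e['changeNumber'] for e in applied]} new_last={new_last}")
```

With a real server, changelog_filter() produces the string passed to ldapsearch and search_changelog() is replaced by that call; the sentinel check in retrieve_changes() is what turns a silent gap after purging into a deliberate full re-read.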
To enable other directories to retrieve the changes stored in Oracle Internet Directory, perform the tasks described in this section.
To bootstrap a directory to synchronize data between a local directory and Oracle Internet Directory, execute these steps:
This displays the current change number. Later, you will use this number to fill the orclLastAppliedChangeNumber field when you register the directory.
To enable other directories to synchronize with an Oracle Internet Directory, you must register them with Oracle Internet Directory. This gives the directories access to change log objects stored in Oracle Internet Directory.
To register a directory, you make an entry for it in Oracle Internet Directory. This entry is called a change subscription object, and it is placed under the container cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory in the Oracle Internet Directory schema.
This change subscription object provides a unique credential for a directory to bind with Oracle Internet Directory and to retrieve changes from it.
Associate the change subscription object with the auxiliary object class orclChangeSubscriber, which has several attributes, two of them mandatory. The two mandatory attributes are:
- A password, used by the directory when it accesses the change log object in Oracle Internet Directory
- orclLastAppliedChangeNumber, the number of the change applied during the last synchronization. This attribute allows the directory to retrieve only the changes in Oracle Internet Directory that it has not already applied.
To register a directory, use ldapadd. The following example uses an input file, named add.ldif, to create a change subscription object, my_other_directory, under the container cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory.
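An added example, not code from the Oracle guide, that generates the two LDIF files this chapter refers to: the add.ldif that registers a change subscription object with its two mandatory attributes, and the mod.ldif that writes a new orclLastAppliedChangeNumber back after a synchronization cycle. The container DN and the orclChangeSubscriber class come from the text; the password attribute name userPassword, the extra objectclass top, the helper names and the sample values are assumptions.

```python
"""LDIF for registering a change subscription object and for updating its
orclLastAppliedChangeNumber after a synchronization cycle.

Added example, not code from the Oracle guide. Assumptions: the password
attribute is userPassword and the entry carries objectclass top alongside
orclChangeSubscriber (the guide names only orclChangeSubscriber); the
helper names and sample values are constructed.
"""
import base64

# Container DN given in the guide for change subscription objects.
CONTAINER_DN = ("cn=Subscriber Profile,cn=ChangeLog Subscriber,"
                "cn=Oracle Internet Directory")


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514)."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def subscriber_dn(name: str) -> str:
    """DN of the change subscription object for a directory called name."""
    return f"cn={escape_dn_value(name)},{CONTAINER_DN}"


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; base64-encode values RFC 2849 cannot carry in clear."""
    clear = (value.isascii() and "\n" not in value and "\r" not in value
             and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if clear:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def registration_ldif(name: str, password: str, last_applied: int) -> str:
    """add.ldif contents: the subscription object with its two mandatory attributes."""
    lines = [
        ldif_attr("dn", subscriber_dn(name)),
        "changetype: add",
        "objectclass: top",                   # assumption, see module docstring
        "objectclass: orclChangeSubscriber",
        ldif_attr("cn", name),
        ldif_attr("userPassword", password),  # assumption: password attribute name
        f"orclLastAppliedChangeNumber: {last_applied}",
    ]
    return "\n".join(lines) + "\n"


def update_ldif(name: str, last_applied: int) -> str:
    """mod.ldif contents: replace orclLastAppliedChangeNumber after applying changes."""
    lines = [
        ldif_attr("dn", subscriber_dn(name)),
        "changetype: modify",
        "replace: orclLastAppliedChangeNumber",
        f"orclLastAppliedChangeNumber: {last_applied}",
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(registration_ldif("my_other_directory", "change-me", 100))
    print(update_ldif("my_other_directory", 121))
```

Write the output of registration_ldif() to add.ldif and feed it to ldapadd as the text describes; the output of update_ldif() corresponds to the mod.ldif mentioned earlier (applied with ldapmodify, an assumption, since the guide names only the file). The DN and LDIF escaping matters because the directory name ends up inside both a DN and a search filter.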
To deregister a directory, use ldapdelete. Enter the following command:
ldapdelete -h host -p port "cn=directory_name,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory"
Once you have registered a directory with Oracle Internet Directory, you must grant it read access to the cn=changeLog entry in Oracle Internet Directory.
See Also: Chapter 9, "Managing Directory Access Control" for instructions on setting access control policies