Oracle Internet Directory Administrator's Guide
Release 2.1.1

Part Number A86101-01


Contents

Title and Copyright Information

Send Us Your Comments

Preface

What's New in Oracle Internet Directory?

Part I Getting Started

1 Introduction

What Is a Directory?
Online Directories
The Difference Between Online Directories and Relational Databases
The Problem: Multiple Special Purpose Directories
The Solution: The LDAP-Compliant General Purpose Directory
What Is LDAP?
LDAP and Simplified Directory Management
LDAP Version 3
What Is Oracle Internet Directory?
Oracle Internet Directory and Oracle8i
Oracle Internet Directory Components
The Advantages of Oracle Internet Directory
Scalability
High Availability
Security

2 Concepts and Architecture

Entries
Attributes
Kinds of Attribute Information
Single-Valued and Multi-Valued Attributes
Common LDAP Attributes
Attribute Syntax
Attribute Matching Rules
Attribute Options
Object Classes
Subclasses, Superclasses, and Inheritance
Object Class Types
Abstract Object Classes
Structural Object Classes
Auxiliary Object Classes
Naming Contexts
The Directory Schema
Security
Authentication
Anonymous Authentication
Simple Authentication
Authentication Using Secure Sockets Layer (SSL)
Access Control and Authorization
Data Integrity
Data Privacy
Password Encryption
National Language Support
Oracle Internet Directory Architecture
An Oracle Internet Directory Node
An Oracle Directory (LDAP) Server Instance
Configuration Set Entries
Example: How Oracle Internet Directory Works
Distributed Directories: An Overview
Distributed Directories: Replication
Directory Replication Groups and Replication Agreements
Oracle Advanced Symmetric Replication (ASR)
Replication Architecture
Change Log Purging
Conflict Resolution in Replication
Levels at Which Replication Conflicts Occur
Typical Causes of Conflicts
Automated Resolution of Conflicts
How Replication Works: An Overview
How Replication Works: A Closer Look
How the Replication Process Adds a New Entry to a Consumer
How the Replication Process Deletes an Entry
How the Replication Process Modifies an Entry
How the Replication Process Modifies a Relative Distinguished Name
How the Replication Process Modifies a Distinguished Name
Distributed Directories: Partitioning
About Knowledge References (Referrals)
Kinds of Knowledge Reference
Synchronizing with Other Directories in a Metadirectory Environment
About Metadirectories
How Oracle Internet Directory Works with a Metadirectory Solution

3 Preliminary Tasks

Task 1: Start the OID Monitor Daemon
Starting the OID Monitor
Stopping the OID Monitor
Task 2: Start a Server Instance
Starting an Oracle Directory Server Instance
Stopping an Oracle Directory Server Instance
Starting an Oracle Directory Replication Server Instance
Stopping an Oracle Directory Replication Server Instance
Restarting Directory Server Instances
Troubleshooting Directory Server Instance Startup
Task 3: Reset the Default Security Configuration
Upgrading from an Earlier Release of Oracle Internet Directory
Upgrading in a Single Node Environment
Upgrading in a Multi-Node Environment
Upgrading One Node at a Time
Upgrading All the Nodes at the Same Time
LDIF-Based Upgrading
Host Upgrade Procedure for Password Encryption

4 Using the Administration Tools

Using Oracle Directory Manager
Starting Oracle Directory Manager
Connecting to a Directory Server
Navigating Oracle Directory Manager
Overview of Oracle Directory Manager
The Oracle Directory Manager Menu Bar
The Oracle Directory Manager Toolbar
Connecting to Additional Directory Servers
Disconnecting from a Directory Server
Performing Administration Tasks by Using Oracle Directory Manager
Using Command Line Tools
Using Bulk Tools
Using OID Control Utility
Using the Catalog Management Tool
Using the OID Database Password Utility
Using the Replication Tools
Using the OID Database Statistics Collection Tool
Administration Tasks at a Glance

Part II Managing Oracle Internet Directory

5 Managing an Oracle Directory Server

Managing Server Configuration Set Entries
Preliminary Considerations
Managing Server Configuration Set Entries by Using Oracle Directory Manager
Viewing Configuration Set Entries by Using Oracle Directory Manager
Adding Configuration Set Entries by Using Oracle Directory Manager
Modifying Configuration Set Entries by Using Oracle Directory Manager
Deleting Configuration Set Entries by Using Oracle Directory Manager
Managing Server Configuration Set Entries by Using Command Line Tools
Adding Configuration Set Entries by Using ldapadd
Modifying and Deleting Configuration Set Entries by Using ldapmodify
Setting System Operational Attributes
Setting System Operational Attributes by Using Oracle Directory Manager
Setting System Operational Attributes by Using ldapmodify
Managing Naming Contexts
Publishing Naming Contexts by Using Oracle Directory Manager
Publishing Naming Contexts by Using ldapmodify
Managing Password Encryption
Managing Password Encryption by Using Oracle Directory Manager
Managing Password Encryption by Using ldapmodify
Configuring Searches
Configuring Searches by Using Oracle Directory Manager
Setting the Maximum Number of Entries Returned in Searches by Using Oracle Directory Manager
Setting the Maximum Amount of Time For Searches by Using Oracle Directory Manager
Configuring Searches by Using ldapmodify
Managing Super, Guest, and Proxy Users
Managing User Names and Passwords by Using Oracle Directory Manager
Managing User Names and Passwords by Using ldapmodify
Setting Debug Logging Levels
Setting Debug Logging Levels by Using Oracle Directory Manager
Setting Debug Logging Levels by Using the OID Control Utility
Using Audit Log
Structure of Audit Log Entries
Position of Audit Log Entries in the DIT
Auditable Events
Setting the Audit Level
Setting the Audit Level by Using Oracle Directory Manager
Setting the Audit Level by Using ldapmodify
Searching for Audit Log Entries
Searching for Audit Log Entries by Using Oracle Directory Manager
Searching for Audit Log Entries by Using ldapsearch
Purging the Audit Log
Viewing Active Server Instance Information
Changing the Password to an Oracle Data Server

6 Managing the Directory Schema

About the Directory Schema
About Object Class Management
Guidelines for Adding Object Classes
Guidelines for Modifying Object Classes
Guidelines for Deleting Object Classes
Managing Object Classes by Using Oracle Directory Manager
Searching for Object Classes by Using Oracle Directory Manager
Viewing Properties of Object Classes by Using Oracle Directory Manager
Adding Object Classes by Using Oracle Directory Manager
Modifying Object Classes by Using Oracle Directory Manager
Deleting Object Classes by Using Oracle Directory Manager
Managing Object Classes by Using Command Line Tools
Example: Adding a New Object Class
Example: Adding a New Attribute to an Auxiliary or User-Defined Object Class
About Attribute Management
Rules for Adding Attributes
Rules for Modifying Attributes
Rules for Deleting Attributes
Managing Attributes by Using Oracle Directory Manager
Searching for Attributes by Using Oracle Directory Manager
Adding an Attribute by Using Oracle Directory Manager
Adding a New Attribute by Using Oracle Directory Manager
Creating a New Attribute from an Existing One by Using Oracle Directory Manager
Modifying an Attribute by Using Oracle Directory Manager
Indexing an Attribute When You Create It
Viewing Indexed Attributes by Using Oracle Directory Manager
Indexing an Attribute When You Create It by Using Oracle Directory Manager
Dropping an Index from an Attribute by Using Oracle Directory Manager
Managing Attributes by Using Command Line Tools
Adding and Modifying Attributes by Using ldapmodify
Indexing an Attribute by Using Command Line Tools
About Indexing
Indexing an Attribute for Which No Directory Data Exists by Using ldapmodify
Indexing an Attribute for Which Directory Data Exists by Using the Catalog Management Tool

7 Managing Directory Entries

Managing Entries by Using Oracle Directory Manager
Searching for Entries by Using Oracle Directory Manager
Searching for Audit Log Entries by Using Oracle Directory Manager
Viewing Attributes by Using Oracle Directory Manager
Adding Entries by Using Oracle Directory Manager
Adding a New Entry by Using Oracle Directory Manager
Adding an Entry by Copying an Existing Entry in Oracle Directory Manager
Example: Adding a User Entry by Using Oracle Directory Manager
Adding Group Entries by Using Oracle Directory Manager
Modifying Entries by Using Oracle Directory Manager
Example: Modifying a User Entry by Using Oracle Directory Manager
Managing Entries by Using Command Line Tools
Command Line Tools for Managing Entries
Example: Adding a User Entry by Using ldapadd
Example: Modifying a User Entry by Using ldapmodify
Managing Entries by Using Bulk Tools
Importing an LDIF File by Using bulkload
Task 1: Back Up the Oracle Server
Task 2: Find Out the Oracle Internet Directory Password
Task 3: Check Input for Schema and Data Consistency Violations
Task 4: Generate the Input Files for SQL*Loader
Task 5: Load the Input Files
If Bulk Loading Fails
Converting Directory Data to LDIF
Modifying a Large Number of Entries
Deleting a Large Number of Entries
Managing Entries with Attribute Options
Example: Adding an Attribute Option
Example: Deleting an Attribute Option
Example: Searching for Entries with Attribute Options
Managing Knowledge References (Referrals)
Configuring Smart Knowledge References
Configuring Default Knowledge References

8 Managing Secure Sockets Layer (SSL)

Supported Cipher Suites
SSL Client Scenarios
Configuring SSL Parameters
Configuring SSL Parameters by Using Oracle Directory Manager
Configuring SSL Parameters by Using Command Line Tools
Issues Specific to This Release of Oracle Internet Directory

9 Managing Directory Access Control

Overview of Access Control Policy Administration
Access Control Management Constructs
orclACI
Access Control Policy Points (ACPs)
orclEntryLevelACI
Privilege Groups
Access Control Information Components
Object: To What Are You Granting Access?
Subject: To Whom Are You Granting Access?
Operations: What Access Are You Granting?
How ACL Evaluation Works
About ACL Evaluation
ACL Evaluation Precedence Rules
Assigning More Than One ACI to the Same Object
Granting Exclusionary Access to Objects
ACL Evaluation For Groups
Access Level Requirements for LDAP Operations
Managing Access Control by Using Oracle Directory Manager
Configuring the Display of ACPs in Oracle Directory Manager
Configuring Searches for ACPs When Using Oracle Directory Manager
Viewing an ACP by Using Oracle Directory Manager
Modifying Existing ACPs and Their ACI Directives by Using Oracle Directory Manager
Adding Structural Access Items to an Existing ACP by Using Oracle Directory Manager
Adding Content Access Items to an Existing ACP by Using Oracle Directory Manager
Modifying Structural Access Items of an Existing ACP by Using Oracle Directory Manager
Modifying Content Access Items of an Existing ACP by Using Oracle Directory Manager
Adding an ACP and Creating Access Items by Using Oracle Directory Manager
Example: Managing ACPs by Using Oracle Directory Manager
Create a New ACP
Create Another ACI
Create a Third ACI
Create a Fourth ACI
Granting Entry-Level Access by Using Oracle Directory Manager
Managing Access Control by Using Command Line Tools
Examples: Managing Access Control
Example: Setting Up an Inheritable ACP by Using ldapmodify
Example: Setting Up Entry-Level ACIs by Using ldapmodify
Typical Access Control Policies

10 Managing Directory Replication

Installing and Configuring Replication
Task 1: Install Oracle Internet Directory on All Nodes in the DRG
Task 2: Decide Which Node Will Serve as the ASR Master Definition Site (MDS)
Task 3: At the MDS, Set Up ASR for a Directory Replication Group
Prepare the Net8 Environment for Replication
Configure Oracle ASR For Directory Replication
Task 4: Start Oracle Directory Server Instances on All the Nodes
Task 5: Configure Replication
Location of Oracle Directory Replication Server Configuration Parameters
Oracle Directory Replication Server Parameters
Viewing and Modifying Replication Configuration Parameters by Using Oracle Directory Manager
Modifying Replication Configuration Parameters by Using Command Line Tools
Replication Agreement Parameters
Location of Replication Agreement Parameters
Viewing and Modifying Replication Agreement Parameters by Using Oracle Directory Manager
Modifying Replication Agreement Parameters by Using ldapmodify
Task 6: Start the Replication Servers on All the Nodes
Using the Change Log Flag
Using the Multimaster Flag
Adding a Replication Node
Task 1: Stop the Oracle Directory Replication Server on All Nodes
Task 2: Configure the New Node into the LDAP Replication Group on All the Existing Nodes
Task 3: Identify a Sponsor Node and Switch the Sponsor Node to Read-Only Mode
Task 4: Back Up the Sponsor Node by Using ldifwrite
Task 5: Perform ASR Add Node Setup
Task 6: Switch the Sponsor Node to Updatable Mode
Task 7: Start the Oracle Directory Replication Server on All Nodes Except the New Node
Task 8: Load Data into the New Node by Using bulkload
Task 9: Start LDAP Server on the New Node
Task 10: Configure the LDAP Replication Agreement on the New Node
Task 11: Start the Oracle Directory Replication Server on the New Node
Deleting a Replication Node
Task 1: Stop the Oracle Directory Replication Server on All Nodes
Task 2: Stop All Processes in the Node to be Deleted
Task 3: Delete the Node from the Master Definition Site
Task 4: Start the Oracle Directory Replication Server on All Nodes
Task 5: Delete the Node from the Replication Group
Task 6: Restart the Oracle Directory Replication Server on the Remaining Nodes
Resolving Conflicts Manually
Monitoring Replication Change Conflicts
Examples of Conflict Resolution Messages
Example 1: An Attempt to Modify a Non-Existent Entry
Example 2: An Attempt to Add an Existing Entry
Example 3: An Attempt to Delete a Non-Existent Entry
Using the Human Intervention Queue Manipulation Tool
Moving a Change from the Human Intervention Queue into the Retry Queue
Moving a Change from the Human Intervention Queue into the Purge Queue
Examples: Using the Human Intervention Queue Manipulation Tool
Using the OID Reconciliation Tool
Reconciling Inconsistent Data by Using the OID Reconciliation Tool
How the OID Reconciliation Tool Works

11 Synchronizing with Multiple Directories

The Synchronization Process
How a Directory Retrieves Changes the First Time from Oracle Internet Directory
How a Connected Directory Updates the orclLastAppliedChangeNumber Attribute in Oracle Internet Directory
How a Directory Retrieves Changes After the First Time from Oracle Internet Directory
Enabling Other Directories to Synchronize with Oracle Internet Directory
Task 1: Perform Initial Bootstrapping
Task 2: Register a Directory as a Change Subscription Object in Oracle Internet Directory
About Directory Registration
Registering a Directory
Deregistering a Directory
Task 3: Grant Directories Access to the Oracle Internet Directory Change Log Object Store

12 Managing National Language Support (NLS)

The NLS_LANG Environment Variable
Using NLS with LDIF Files
An LDIF File Containing Only ASCII Strings
An LDIF File Containing UTF-8 Encoded Strings
CASE 1: Native Strings (Non-UTF-8)
CASE 2: UTF-8 Strings
CASE 3: BASE64 Encoded UTF-8 Strings
CASE 4: BASE64 Encoded Native Strings
Using NLS with Command Line Tools
Specifying the -E Argument When Using Each Tool
Examples: Using the -E Argument with Command Line Tools
Setting NLS_LANG in the Client Environment
Using NLS with Bulk Tools
Using NLS with bulkload
Using NLS with ldifwrite
Using NLS with bulkdelete
Using NLS with bulkmodify

Part III Deploying Oracle Internet Directory

13 Deployment Considerations

The Expanding Role of Directories
Logical Organization Of Directory Information
Directory Entry Naming
DIT Hierarchy and Structure
Physical Distribution: Partitions and Replicas
An Ideal Deployment
Partitioning Considerations
Replication Considerations
Failover Considerations
About Capacity Planning, Sizing, and Tuning
Capacity Planning
Sizing Considerations
Tuning Considerations

14 Capacity Planning

About Capacity Planning
Getting to Know Directory Usage Patterns: A Case Study
I/O Subsystem Requirements
About the I/O Subsystem
Rough Estimates of Disk Space Requirements
Detailed Calculations of Disk Space Requirements
Memory Requirements
Network Requirements
CPU Requirements
CPU Configuration
Rough Estimates of CPU Requirements
Detailed Calculations of CPU Requirements
Summary of Capacity Plan for Acme Corporation

15 Tuning

About Tuning
Tools for Performance Tuning
CPU Usage Tuning
Tuning CPU for Oracle Internet Directory Processes
Tuning Oracle Internet Directory Processes When CPU Is 100 Percent Utilized
Tuning Oracle Internet Directory Processes When CPU Is Under-Utilized
Tuning CPU for Oracle Foreground Processes
Taking Advantage of Processor Affinity on SMP Systems
Other Alternatives for a CPU Constrained System
Memory Tuning
Tuning the System Global Area (SGA) for Oracle8i
Other Alternatives for a Memory-Constrained System
Disk Tuning
Balancing Tablespaces
RAID
Database Tuning
Required Parameter
Parameters Dependent on Oracle Internet Directory Server Configuration
Using Multi-Threaded Server (MTS)
SGA Parameters Dependent on Hardware Resources
Performance Troubleshooting

16 High Availability And Failover

About High Availability and Failover for Oracle Internet Directory
Oracle Internet Directory and Oracle8i Technology Stack
Failover Options on Clients
Alternate Server List from User Input
Alternate Server List from the Oracle Internet Directory Server
Failover Options in the Public Network Infrastructure
Hardware-Based Connection Redirection
Software-Based Connection Redirection
Availability and Failover Capabilities in Oracle Internet Directory
Failover Options in the Private Network Infrastructure
IP Address Takeover (IPAT)
Redundant Links
High Availability Deployment Examples

Part IV Appendixes

A Syntax for LDIF and Command Line Tools

LDAP Data Interchange Format (LDIF) Syntax
Command Line Tools Syntax
ldapadd Syntax
ldapaddmt Syntax
ldapbind Syntax
ldapcompare Syntax
ldapdelete Syntax
ldapmoddn Syntax
ldapmodify Syntax
ldapmodifymt Syntax
ldapsearch Syntax
Examples of ldapsearch Filters
Bulk Tools Syntax
bulkdelete Syntax
bulkload Syntax
bulkmodify Syntax
ldifwrite Syntax
Catalog Management Tool Syntax
OID Monitor Syntax
Starting the OID Monitor
Stopping the OID Monitor
OID Control Utility Syntax
Starting and Stopping an Oracle Directory Server Instance
Starting an Oracle Directory Server Instance
Stopping an Oracle Directory Server Instance
Starting and Stopping an Oracle Directory Replication Server Instance
Starting an Oracle Directory Replication Server Instance
Stopping an Oracle Directory Replication Server Instance
Restarting Directory Server Instances
Troubleshooting Directory Server Instance Startup
OID Database Password Utility Syntax
OID Database Statistics Collection Tool Syntax
Syntax
Parameters
Examples: Using the OID Database Statistics Collection Tool

B Adding a DSA Using the Database Copy Procedure

Assumptions
Sponsor Directory Site Environment
New Directory Site Environment
Tasks To Be Performed on the Sponsor Node
Tasks To Be Performed on the New Node
Verification Process

C Using Oracle Wallet Manager

Overview
Managing Wallets
Starting Oracle Wallet Manager
Creating a New Wallet
Opening an Existing Wallet
Closing a Wallet
Saving Changes
Saving the Open Wallet to a New Location
Saving in System Default
Deleting the Wallet
Changing the Password
Using Auto Login
Enabling Auto Login
Disabling Auto Login
Using Oracle Wallet Manager with Oracle Application Server
Managing Certificates
Managing User Certificates
Creating a Certificate Request
Exporting a User Certificate Request
Importing the User Certificate into the Wallet
Removing a User Certificate from a Wallet
Managing Trusted Certificates
Importing a Trusted Certificate
Removing a Trusted Certificate
Exporting a Trusted Certificate
Exporting All Trusted Certificates
Exporting a Wallet

D Using Access Control Directive Format

Schema for orclACI
Schema for orclEntryLevelACI

E Schema Elements

IETF Requests for Comments (RFCs) Enforced by Oracle Internet Directory
IETF Drafts Enforced by Oracle Internet Directory
Proprietary Oracle Internet Directory Schema Elements
LDAP Syntax
LDAP Syntax Enforced by Oracle Internet Directory
Commonly Used LDAP Syntax Recognized by Oracle Internet Directory
Additional LDAP Syntax Recognized by Oracle Internet Directory
Size of Attribute Values
Matching Rules

F Migrating Data from Other LDAP-Compliant Directories

About the Data Migration Process
Migrating Data
Task 1: Export Data from the Non-Oracle Internet Directory Server into LDIF File Format
Task 2: Analyze the LDIF User Data for Any Required Schema Additions Referenced in the LDIF Data
Task 3: Extend the Schema in Oracle Internet Directory
Task 4: Remove Any Proprietary Directory Data from the LDIF File
Task 5: Remove Operational Attributes from the LDIF File
Task 6: Remove Incompatible userPassword Attribute Values from the LDIF File
Task 7: Run the bulkload.sh -check Mode and Determine Any Remaining Schema Violations or Duplication Errors

G Troubleshooting

Installation Errors
Administration Error Messages and Causes
Oracle Database Server Error Due to Schema Modifications
Standard Error Messages Returned from Oracle Directory Server
Additional Error Messages

Glossary

Index

Copyright © 1996-2000, Oracle Corporation.

All Rights Reserved.