Oracle® Internet Directory Application Developer's Guide 10g (9.0.4) Part Number B10461-01
This appendix provides syntax, usage notes, and examples for LDAP Data Interchange Format (LDIF) and LDAP command-line tools. It contains these topics:
The standardized file format for directory entries is as follows:
dn: distinguished_name
attribute_type: attribute_value
.
.
.
objectClass: object_class_value
.
.
.
The following example shows a file entry for an employee. The first line contains the DN. The lines that follow the DN begin with the mnemonic for an attribute, followed by the value to be associated with that attribute. Note that each entry ends with lines defining the object classes for the entry.
dn: cn=Suzie Smith,ou=Server Technology,o=Acme, c=US
cn: Suzie Smith
cn: SuzieS
sn: Smith
mail: ssmith@us.Acme.com
telephoneNumber: 69332
photo: /ORACLE_HOME/empdir/photog/ssmith.jpg
objectClass: organizationalPerson
objectClass: person
objectClass: top
The next example shows a file entry for an organization:
dn: o=Acme,c=US
o: Acme
ou: Financial Applications
objectClass: organization
objectClass: top
A list of formatting rules follows. This list is not exhaustive.
To see the mandatory and optional attribute types for an object class, use Oracle Directory Manager. See Oracle Internet Directory Administrator's Guide.
This section tells how to use command-line tools for starting, stopping, restarting, and monitoring Oracle Internet Directory servers. It contains these topics:
Use the OID Monitor to initiate, monitor, and terminate directory server processes. If you elect to install a replication server, OID Monitor controls it. When you issue commands through OID Control Utility (OIDCTL) to start or stop directory server instances, your commands are interpreted by this process.
Starting OID Monitor restarts any Oracle Internet Directory processes that were previously stopped.
To start the OID Monitor:
oidmon [connect=connect_string] [host=virtual/host_name] [sleep=seconds] start
Table A-1 Arguments for Starting OID Monitor
For example:
oidmon connect=dbs1 sleep=15 start
To start OID Monitor on a virtual host:
oidmon connect=dbs1 host=virtual_host start
Stopping the OID Monitor also stops all other Oracle Internet Directory processes.
To stop the OID Monitor daemon, at the system prompt, type:
oidmon [connect=connect_string] [host=virtual/host_name] stop
For example:
oidmon connect=dbs1 stop
While starting and stopping OID Monitor, use the host parameter to specify the virtual host name. The syntax is:
oidmon [connect=connect_string] host=virtual_host start|stop
OID Control Utility is a command-line tool for starting and stopping the directory server. The commands are interpreted and executed by the OID Monitor process.
This section contains these topics:
Use the OID Control Utility to start and stop Oracle directory server instances.
The syntax for starting an Oracle directory server instance is:
oidctl connect=connect_string server=oidldapd instance=server_instance_number [configset=configset_number] [host=virtual/host_name] [flags='-p port_number -work maximum_number_of_worker_threads_per_server -debug debug_level -l change_logging -server number_of_server_processes'] start
Argument | Description |
---|---|
-debug debug_level | Specifies a debug level during Oracle directory server instance startup |
-l change_logging | Turns replication change logging on and off. To turn it off, enter Turning off change logging for a given node by specifying |
-p port_number | Specifies a port number during server instance startup. The default port number is 389. |
-server number_of_server_processes | Specifies the number of server processes to start on this port |
-sport ssl_port_number | Specifies the SSL port number during server instance startup. Default port if not set is 636. |
-work maximum_number_of_worker_threads_per_server | Specifies the maximum number of worker threads for this server |
configset=configset_number | Configset number used to start the server. This defaults to |
connect=connect_string | If you already have a |
host=virtual/host_name | Specifies the virtual host or rack nodes on which to start the directory server |
instance=server_instance_number | Instance number of the server to start. Should be a number between 1 and 1000. |
server=oidldapd | Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive. |
start | Starts the server specified in the |
For example, to start a directory server instance whose net service name is dbs1, using configset5, at port 12000, with a debug level of 1024, an instance number of 3, and in which change logging is turned off, type at the system prompt:
oidctl connect=dbs1 server=oidldapd instance=3 configset=5 flags='-p 12000 -debug 1024 -l' start
When starting and stopping an Oracle directory server instance, the server name and instance number are mandatory, as are the commands start or stop. All other arguments are optional.
All keyword value pairs within the flags arguments must be separated by a single space.
Single quotes are mandatory around the flags.
The configset identifier defaults to zero (configset0) if not set.
At the system prompt, type:
oidctl connect=connect_string server=oidldapd instance=server_instance_number stop
For example:
oidctl connect=dbs1 server=oidldapd instance=3 stop
If the directory server fails to start, you can override all user-specified configuration parameters to start the directory server and then return the configuration sets to a workable state by using the ldapmodify operation.
To start the directory server by using its hard-coded default parameters instead of the configuration parameters stored in the directory, type at the system prompt:
oidctl connect=connect_string flags='-p port_number -f'
The -f option in the flags starts the server with hard-coded configuration values, overriding any defined configuration sets except for the values in configset0.
To see debug log files generated by the OID Control Utility, navigate to $ORACLE_HOME/ldap/log.
Use the OID Control Utility to start and stop Oracle directory replication server instances.
The syntax for starting the Oracle directory replication server is:
oidctl connect=connect_string server=oidrepld instance=server_instance_number [configset=configset_number] flags='-p directory_server_port_number -d debug_level -h directory_server_host_name -m [true | false] -z transaction_size' start
For example, to start the replication server with an instance=1, at port 12000, with debugging set to 1024, type at the system prompt:
oidctl connect=dbs1 server=oidrepld instance=1 flags='-p 12000 -h eastsun11 -d 1024' start
When starting and stopping an Oracle directory replication server, the -h flag, which specifies the host name, is mandatory. All other flags are optional.
All keyword value pairs within the flags arguments must be separated by a single space.
Single quotes are mandatory around the flags.
The configset identifier defaults to zero (configset0) if not set.
At the system prompt, type:
oidctl connect=connect_string server=OIDREPLD instance=server_instance_number stop
For example:
oidctl connect=dbs1 server=oidrepld instance=1 stop
The Oracle directory integration and provisioning server executable, odisrv, resides in the $ORACLE_HOME/bin directory.
The way you start the directory integration and provisioning server depends on whether your installation is:
In this case, your installation includes, among other server and client components, the OID Monitor and the OID Control Utility. In such installations, you start and stop the directory integration and provisioning server by using these tools.
In this case, the way you start the directory integration and provisioning server depends on whether you are using the Oracle Directory Integration and Provisioning platform for high availability.
tnsnames.ora file with the right host and SID to which the OID Monitor must connect.
You can start the directory integration and provisioning server in either SSL mode for tighter security, or non-SSL mode. You need to use a connect string to connect to the database.
To start the directory integration and provisioning server in non-SSL mode:
ps -ef | grep oidmon
If OID Monitor is not running, then start it by following the instructions in "The OID Monitor (oidmon) Syntax".
oidctl [connect=connect_string] server=odisrv [instance=instance_number] [config=configuration_set_number] [flags="[host=hostname] [port=port_number] [debug=debug_level] [refresh=interval_between_refresh] [grpID=group_identifier_of_provisioning_profile] [maxprofiles=number_of_profiles] [sslauth=ssl_mode]"] start
Table A-5 describes the arguments in this command.
Argument | Description |
---|---|
connect=connect_string | If you already have a |
server=odisrv | Type of server to start. In this case, the server you are starting is |
instance=instance_number | Specifies the instance number to assign to the directory integration and provisioning server. This instance number must be unique. OID Monitor verifies that the instance number is not already associated with a currently running instance of this server. If it is associated with a currently running instance, then OID Monitor returns an error message. |
config=configuration_set_number | Specifies the number of the configuration set that the directory integration and provisioning server is to execute. This argument is mandatory. |
host=hostname | Oracle directory server host name |
port=port_number | Oracle directory server port number |
debug=debug_level | The required debugging level of the directory integration and provisioning server |
refresh=interval_between_refresh | Specifies the interval, in minutes, between server refreshes for any changes in the integration profiles. |
maxprofiles=number_of_profiles | Specifies the maximum number of profiles that can be executed concurrently for this server instance |
sslauth=ssl_mode | SSL modes: |
In a client-only installation, where the OID Monitor and OID Control tools are not available, the Oracle directory integration and provisioning server can be started without OID Monitor or OID Control Utility, either in non-SSL mode or, for tighter security, in SSL mode. The parameters described in Table A-5 remain the parameters for each type of invocation.
To start the directory integration and provisioning server, enter the following at the command line:
odisrv [host=host_name] [port=port_number] config=configuration_set_number [instance=instance_number] [debug=debug_level] [refresh=interval_between_refresh] [maxprofiles=number_of_profiles] [sslauth=ssl_mode]
The way you stop the directory integration and provisioning server depends on the tool that you used to start it.
If you started the directory integration and provisioning server by using OID Monitor and the OID Control utility, then you use them to stop it, as follows:
ps -ef | grep oidmon
If OID Monitor is not running, then start it by following the instructions in "The OID Monitor (oidmon) Syntax".
oidctl [connect=connect_string] server=odisrv instance=instance stop
In a client-only installation, where the OID Monitor and OID Control tools are not available, the Oracle directory integration and provisioning server can be started without OID Control. To stop the server without these tools, use the stopodiserver.sh tool, which is located in the $ORACLE_HOME/ldap/admin directory.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
See Also: "The StopOdiServer.sh Tool Syntax" for instructions about using the stopodiserver.sh tool
When you want to refresh the server cache immediately, rather than at the next scheduled time, use the RESTART command. When the Oracle Internet Directory server restarts, it maintains the same parameters it had before it stopped.
To restart an Oracle Internet Directory server instance, at the system prompt, type:
oidctl connect=connect_string server={oidldapd|oidrepld|odisrv} instance=server_instance_number restart
OID Monitor must be running whenever you restart directory server instances.
If you try to contact a server that is not running, you receive from the SDK the error message 81--LDAP_SERVER_DOWN.
If you change a configuration set entry that is referenced by an active server instance, you must stop that instance and restart it to effect the changed value in the configuration set entry on that server instance. You can either issue the STOP command followed by the START command, or you can use the RESTART command. RESTART both stops and restarts the server instance.
For example, suppose that Oracle directory server instance1 is started, using configset3, and with the net service name dbs1. Further, suppose that, while instance1 is running, you change one of the attributes in configset3. To enable the change in configset3 to take effect on instance1, you enter the following command:
oidctl connect=dbs1 server=oidldapd instance=1 restart
If more than one instance of the Oracle directory server is running on that node using configset3, then you can restart all the instances at once by using the following command syntax:
oidctl connect=dbs1 server=oidldapd restart
Note that this command restarts all the instances running on the node, whether they are using configset3 or not.
When starting a directory server, a directory replication server, or a directory integration and provisioning server, use the host parameter to specify the virtual host name.
To start a directory server on a virtual host:
oidctl [connect=connect_string] host=virtual_host_name server=oidldapd instance=instance_number configset=configset_number flags= "..." start
To stop a directory server on a virtual host:
oidctl host=virtual_host_name server=oidldapd instance=instance_number stop
To start a directory replication server on a virtual host:
oidctl [connect=connect_string] host=virtual_host_name server=oidrepld instance=instance_number flags= "..." start
To stop a directory replication server on a virtual host:
oidctl host=virtual_host_name server=oidrepld instance=instance_number stop
To start a directory integration and provisioning server on a virtual host:
oidctl [connect=connect_string] host=virtual_host_name server=odisrv instance=instance_number configset=configset_number flags= "..." start
To stop a directory integration and provisioning server on a virtual host:
oidctl host=virtual/host_name server=odisrv instance=instance_number stop
When the directory server is started to run on the virtual host, it binds and listens to requests on the specified LDAP port on the IP address or IP addresses that correspond to the virtual host only.
When communicating with the directory server, the directory replication server uses the virtual host name. Further, the replicaID attribute that represents the unique replication identification for the Oracle Internet Directory node is generated once. It is independent of the host name and hence requires no special treatment in cold failover configuration.
When communicating with the directory server, the directory integration and provisioning server uses the virtual host name.
This section tells you how to use the following tools:
Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, the cn=catalogs entry lists available attributes that can be used in a search. You can index only those attributes that have:
If you want to use additional attributes in search filters, then you must add them to the catalog entry. You can do this at the time you create the attribute by using Oracle Directory Manager. However, if the attribute already exists, then you can index it only by using the Catalog Management tool.
Before running catalog.sh, be sure that the directory server is either stopped or in read-only mode. Otherwise, data will be inconsistent.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
The Catalog Management tool uses this syntax:
catalog.sh -connect connect_string {-add|-delete} {-attr attr_name|-file file_ name}
When you enter the catalog.sh command, the following message appears:
This tool can only be executed if you know the OiD user password. Enter OiD password:
If you enter the correct password, the command is executed. If you give an incorrect password, the following message is displayed:
Cannot execute this tool
To effect the changes after running the Catalog Management tool, stop, then restart, the Oracle directory server.
The ldapadd command-line tool enables you to add entries, their object classes, attributes, and values to the directory. To add attributes to an existing entry, use the ldapmodify command, explained in "ldapmodify Syntax".
See Also: "Adding Configuration Set Entries by Using ldapadd" in Oracle Internet Directory Administrator's Guide for an explanation of using ldapadd to configure a server with an input file
ldapadd uses this syntax:
ldapadd [arguments] -f file_name
where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".
The following example adds the entry specified in the LDIF file my_ldif_file.ldi:
ldapadd -p 389 -h myhost -f my_ldif_file.ldi
Optional Arguments | Description |
---|---|
-b | Specifies that you have included binary file names in the file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced. |
-c | Tells ldapadd to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapadd stops when it encounters an error.) |
-D "binddn" | When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-E "character_set" | Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory" in Oracle Internet Directory Administrator's Guide. |
-f file_name | Specifies the input name of the LDIF format import data file. For a detailed explanation of how to format an LDIF file, see "LDAP Data Interchange Format (LDIF) Syntax". |
-h ldaphost | Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-K | Same as -k, but performs only the first step of the Kerberos bind |
-k | Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket. |
-M | Instructs the tool to send the |
-n | Shows what would occur without actually performing the operation |
-O ref_hop_limit | Specifies the number of referral hops that a client should process. The default value is 5. |
-p directory_server_port_number | Connects to the directory on TCP port directory_server_port_number. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password | Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth | Specifies SSL authentication mode: 1 for no authentication required, 2 for one-way authentication required, 3 for two-way authentication required |
-v | Specifies verbose mode |
-V ldap_version | Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password | Provides the password required to connect |
-W wallet_location | Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
-X dsml_file_name | Specifies the input name of the DSML format import data file. |
ldapaddmt is like ldapadd: It enables you to add entries, their object classes, attributes, and values to the directory. It is unlike ldapadd in that it supports multiple threads for adding entries concurrently.
While it is processing LDIF entries, ldapaddmt logs errors in the add.log file in the current directory.
ldapaddmt uses this syntax:
ldapaddmt -T number_of_threads -h host -p port -f file_name
where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".
The following example uses five concurrent threads to process the entries in the file myentries.ldif.
ldapaddmt -T 5 -h node1 -p 3000 -f myentries.ldif
Note: Increasing the number of concurrent threads improves the rate at which LDIF entries are created, but consumes more system resources.
Optional Arguments | Description |
---|---|
-b | Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced. |
-c | Tells the tool to proceed in spite of errors. The errors will be reported. (If you do not use this option, the tool stops when it encounters an error.) |
-D "binddn" | When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-E "character_set" | Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory" in Oracle Internet Directory Administrator's Guide. |
-h ldaphost | Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-K | Same as -k, but performs only the first step of the Kerberos bind |
-k | Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket. |
-M | Instructs the tool to send the |
-n | Shows what would occur without actually performing the operation. |
-O ref_hop_limit | Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport | Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password | Specifies wallet password required for one-way or two-way SSL connections |
-T number_of_threads | Sets the number of threads for concurrently processing entries |
-U SSLAuth | Specifies SSL authentication mode: 1 for no authentication required, 2 for one-way authentication required, 3 for two-way authentication required |
-v | Specifies verbose mode |
-V ldap_version | Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password | Provides the password required to connect |
-W wallet_location | Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
-X dsml_file_name | Specifies the input name of the DSML format import data file. |
The ldapbind command-line tool enables you to see whether you can authenticate a client to a server.
ldapbind uses this syntax:
ldapbind [arguments]
Optional Arguments | Description |
---|---|
-D "binddn" | When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-E "character_set" | Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory" in Oracle Internet Directory Administrator's Guide. |
-h ldaphost | Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-n | Shows what would occur without actually performing the operation |
-p ldapport | Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password | Specifies the wallet password required for one-way or two-way SSL connections |
-U SSLAuth | Specifies SSL authentication mode: 1 for no authentication required, 2 for one-way authentication required, 3 for two-way authentication required |
-V ldap_version | Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password | Provides the password required to connect |
-W wallet_location | Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
-O sasl_security_properties | Specifies SASL security properties. The security property supported is -O "auth". This security property is for the DIGEST-MD5 SASL mechanism. It enables authentication with no data integrity or data privacy. |
-Y sasl_mechanism | Specifies a SASL mechanism. These mechanisms are supported: |
-R sasl_realm | Specifies a SASL realm |
The ldapcompare command-line tool enables you to match attribute values you specify in the command line with the attribute values in the directory entry.
ldapcompare uses this syntax:
ldapcompare [arguments]
The following example tells you whether Person Nine's title is associate.
ldapcompare -p 389 -h myhost -b "cn=Person Nine,ou=EuroSInet Suite,o=IMC,c=US" -a title -v associate
Optional Arguments | Description |
---|---|
-a attribute_name | Specifies the attribute on which to perform the compare. This argument is mandatory. |
-b "basedn" | Specifies the distinguished name of the entry on which to perform the compare. This argument is mandatory. |
-v attribute_value | Specifies the attribute value to compare. This argument is mandatory. |
-D binddn | When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-d debug-level | Sets the debugging level. See the chapter on "Logging, Auditing, and Monitoring the Directory" in Oracle Internet Directory Administrator's Guide. |
-E "character_set" | Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory" in Oracle Internet Directory Administrator's Guide. |
-f file_name | Specifies the input file name |
-h ldaphost | Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-M | Instructs the tool to send the |
-O ref_hop_limit | Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport | Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password | Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth | Specifies SSL authentication mode: 1 for no authentication required, 2 for one-way authentication required, 3 for two-way authentication required |
-V ldap_version | Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password | Provides the password required to connect |
-W wallet_location | Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
The ldapdelete command-line tool enables you to remove entire entries from the directory that you specify in the command line.
ldapdelete uses this syntax:
ldapdelete [arguments] ["entry_DN" | -f input_file_name]
The following example uses port 389 on a host named myhost.
ldapdelete -p 389 -h myhost "ou=EuroSInet Suite, o=IMC, c=US"
Optional Argument | Description |
---|---|
-D "binddn" | When authenticating to the directory, uses a full DN for the binddn parameter--that is, the DN of the user seeking authentication; typically used with the |
-d debug-level | Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility" in Oracle Internet Directory Administrator's Guide. |
-E "character_set" | Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory" in Oracle Internet Directory Administrator's Guide. |
-f input_file_name | Specifies the input file name |
-h ldaphost | Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-k | Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket. |
-M | Instructs the tool to send the |
-n | Shows what would be done, but doesn't actually delete |
-O ref_hop_limit | Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport | Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password | Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth | Specifies SSL authentication mode: 1 for no authentication required, 2 for one-way authentication required, 3 for two-way authentication required |
-v | Specifies verbose mode |
-V ldap_version | Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password | Provides the password required to connect. |
-W wallet_location | Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
The ldapmoddn command-line tool enables you to modify the DN or RDN of an entry.
ldapmoddn uses this syntax:
ldapmoddn [arguments]
The following example uses ldapmoddn to modify the RDN component of a DN from "cn=mary smith" to "cn=mary jones". It uses port 389, and a host named myhost.
ldapmoddn -p 389 -h myhost -b "cn=mary smith,dc=Americas,dc=imc,dc=com" -R "cn=mary jones"
Argument | Description |
---|---|
-b "basedn" | Specifies DN of the entry to be moved. This argument is mandatory. |
-D "binddn" | When authenticating to the directory, do so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-E "character_set" | Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory" in Oracle Internet Directory Administrator's Guide. |
-f file_name | Specifies the input file name |
-h ldaphost | Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-M | Instructs the tool to send the |
-N newparent | Specifies new parent of the RDN. Either this argument or the -R argument must be specified. |
-O ref_hop_limit | Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport | Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password | Specifies wallet password required for one-way or two-way SSL connections |
-r | Specifies that the old RDN is not retained as a value in the modified entry. If this argument is not included, the old RDN is retained as an attribute in the modified entry. |
-R newrdn | Specifies new RDN. Either this argument or the -N argument must be specified. |
-U SSLAuth | Specifies SSL authentication mode: 1 for no authentication required, 2 for one-way authentication required, 3 for two-way authentication required |
-V ldap_version | Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password | Provides the password required to connect. |
-W wallet_location | Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
The ldapmodify tool enables you to act on attributes.
ldapmodify uses this syntax:
ldapmodify [arguments] -f file_name
where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".
The list of arguments in the following table is not exhaustive. These arguments are all optional.
Argument | Description |
---|---|
-a | Denotes that entries are to be added, and that the input file is in LDIF format. |
-b | Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. |
-c | Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.) |
-D "binddn" | When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the |
-E "character_set" | Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory" in Oracle Internet Directory Administrator's Guide. |
-h ldaphost | Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-M | Instructs the tool to send the |
-n | Shows what would occur without actually performing the operation. |
 | Can be used with the |
-O ref_hop_limit | Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport | Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password | Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth | Specifies SSL authentication mode: 1 for no authentication required, 2 for one-way authentication required, 3 for two-way authentication required |
-v | Specifies verbose mode |
-V ldap_version | Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password | Overrides the default, unauthenticated, null bind. To force authentication, use this option with the |
-W wallet_location | Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
To run modify, delete, and modifyrdn operations using the -f flag, use LDIF for the input file format (see "LDAP Data Interchange Format (LDIF) Syntax") with the specifications noted in this section:
If you are making several modifications, then, between each modification you enter, add a line that contains a hyphen (-) only. For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
add: work-phone
work-phone: 510/506-7000
work-phone: 510/506-7001
-
delete: home-fax
Unnecessary space characters in the LDIF input file, such as a space at the end of an attribute value, will cause the LDAP operations to fail.
Line 1: Every change record has, as its first line, the literal dn: followed by the DN value for the entry, for example:
dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
Line 2: Every change record has, as its second line, the literal changetype: followed by the type of change (add, delete, modify, modrdn), for example:
changetype: modify
or
changetype: modrdn
Format the remainder of each record according to the following requirements for each type of change:
changetype: add
Uses LDIF format (see "LDAP Data Interchange Format (LDIF) Syntax").
changetype: modify
The lines that follow this changetype consist of changes to attributes belonging to the entry that you identified previously in Line 1. You can specify three different types of attribute modifications--add, delete, and replace--which are explained next:
add: attribute_name
attribute_name: value1
attribute_name: value2
...
For example:
dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
add: work-phone
work-phone: 510/506-7000
work-phone: 510/506-7001
delete: attribute_name
[attribute_name: value1]
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
delete: home-fax
replace: attribute_name
[attribute_name: value1 ...]
If you do not provide any attributes with replace, then the directory adds an empty set. It then interprets the empty set as a delete request, and complies by deleting the attribute from the entry. This is useful if you want to delete attributes that may or may not exist.
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
replace: work-phone
work-phone: 510/506-7002
changetype:delete
This change type deletes entries. It requires no further input, since you identified the entry in Line 1 and specified a changetype of delete in Line 2.
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: delete
changetype:modrdn
The line following the change type provides the new relative distinguished name using this format:
newrdn: RDN
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modrdn
newrdn: cn=Barbara Fritchy-Blomberg
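As an added example that is not part of the Oracle documentation, the following Python parser checks change records against the rules just described: dn: on line 1, changetype: on line 2, modifications separated by a line holding only a hyphen, no further input after changetype: delete, one newrdn: line after changetype: modrdn, and a replace: with no values acting as a delete. The function names (parse_change_record, check_record) and the trailing-whitespace check are this example's own.

```python
"""Parser for the LDIF change records that ldapmodify -f reads.

Added example, not Oracle's code. It enforces the rules stated above and
rejects a value with trailing whitespace, since the text notes that such
spaces make the LDAP operation fail.
"""
import re

CHANGETYPES = ("add", "delete", "modify", "modrdn")
MOD_OPS = ("add", "delete", "replace")
# 'name:' followed by the value; LDIF allows the space after the colon to be omitted.
_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):(.*)$")


def _split_attr(line):
    """Return (lower-case name, value) for a 'name: value' line."""
    m = _ATTR_LINE.match(line)
    if not m:
        raise ValueError("not an attribute line: %r" % line)
    name, value = m.group(1).lower(), m.group(2)
    if value != value.rstrip():
        raise ValueError("trailing whitespace in value of %s" % name)
    return name, value.lstrip(" ")


def parse_change_record(text):
    """Parse one change record (blank lines ignored) into a dict."""
    lines = [l for l in text.splitlines() if l != ""]
    if len(lines) < 2:
        raise ValueError("a change record needs at least a dn: and a changetype: line")
    name, dn = _split_attr(lines[0])
    if name != "dn":
        raise ValueError("line 1 must be 'dn:' followed by the entry DN")
    name, changetype = _split_attr(lines[1])
    changetype = changetype.lower()
    if name != "changetype" or changetype not in CHANGETYPES:
        raise ValueError("line 2 must be 'changetype:' followed by add, delete, modify or modrdn")
    record = {"dn": dn, "changetype": changetype}
    body = lines[2:]
    if changetype == "delete":
        if body:
            raise ValueError("changetype delete takes no further input")
    elif changetype == "modrdn":
        if len(body) != 1 or _split_attr(body[0])[0] != "newrdn":
            raise ValueError("modrdn needs exactly one 'newrdn:' line")
        record["newrdn"] = _split_attr(body[0])[1]
    elif changetype == "add":
        attrs = {}
        for line in body:
            n, v = _split_attr(line)
            attrs.setdefault(n, []).append(v)
        record["attributes"] = attrs
    else:
        record["modifications"] = _parse_modifications(body)
    return record


def _parse_modifications(body):
    """Split the body of a modify record at lines containing only '-'."""
    mods, chunk = [], []
    for line in body + ["-"]:          # sentinel closes the last modification
        if line == "-":
            if chunk:
                mods.append(_parse_one_modification(chunk))
                chunk = []
        else:
            chunk.append(line)
    if not mods:
        raise ValueError("modify record without modifications")
    return mods


def _parse_one_modification(chunk):
    op, attr = _split_attr(chunk[0])
    attr = attr.lower()
    if op not in MOD_OPS:
        raise ValueError("a modification must start with add:, delete: or replace:")
    values = []
    for line in chunk[1:]:
        n, v = _split_attr(line)
        if n != attr:
            raise ValueError("value line for %s inside a %s of %s" % (n, op, attr))
        values.append(v)
    if op == "replace" and not values:
        op = "delete"                  # empty set: the directory deletes the attribute
    return {"op": op, "attr": attr, "values": values}


def check_record(text):
    """Return None when the record is well formed, otherwise the error message."""
    try:
        parse_change_record(text)
    except ValueError as exc:
        return str(exc)
    return None
```

Feeding it the "-delete: home-fax" line shown earlier, where the hyphen and the next modification were run together, reports a malformed line rather than silently dropping the delete.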
To specify an attribute as single-valued, include in the attribute definition entry in the LDIF file the keyword SINGLE-VALUE with surrounding white space.
This example adds a new attribute called myAttr. The LDIF file for this operation is:
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 1.2.3.4.5.6.7 NAME 'myAttr' DESC 'New attribute definition' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
On the first line, enter the DN specifying where this new attribute is to be located. All attributes and object classes are stored in cn=subschemasubentry.
The second and third lines show the proper format for adding a new attribute.
The last line is the attribute definition itself. The first part of this is the object identifier number: 1.2.3.4.5.6.7. It must be unique among all other object classes and attributes. Next is the NAME of the attribute. In this case the attribute NAME is myAttr. It must be surrounded by single quotes. Next is a description of the attribute. Enter whatever description you want between single quotes. At the end of this attribute definition in this example are optional formatting rules for the attribute. In this case we are adding a matching rule of EQUALITY caseIgnoreMatch and a SYNTAX of Directory String. This example uses the object ID number 1.3.6.1.4.1.1466.115.121.1.15 instead of the SYNTAXES name, which is "Directory String".
Put your attribute information in a file formatted like this example. Then run the following command to add the attribute to the schema of your Oracle directory server.
ldapmodify -h yourhostname -p 389 -D "orcladmin" -w "welcome" -v -f /tmp/newattr.ldif
This ldapmodify command assumes that your Oracle directory server is running on port 389, that your super user account name is orcladmin, that your super user password is welcome, and that the name of your LDIF file is newattr.ldif. Substitute the host name of your computer where you see yourhostname.
If you are not in the directory where the LDIF file is located, then you must enter the full directory path to the file at the end of your command. This example assumes that your LDIF file is located in the /tmp directory.
The ldapmodifymt command-line tool enables you to modify several entries concurrently.
ldapmodifymt uses this syntax:
ldapmodifymt -T number_of_threads [arguments] -f file_name
where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".
See Also:
"ldapmodify Syntax" for additional formatting specifications used by ldapmodifymt |
The following example uses five concurrent threads to modify the entries in the file myentries.ldif.
ldapmodifymt -T 5 -h node1 -p 3000 -f myentries.ldif
The arguments in the following table are all optional.
Argument | Description |
---|---|
-a | Denotes that entries are to be added, and that the input file is in LDIF format. (If you are running ldapadd, this flag is not required.) |
-b | Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. |
-c | Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.) |
-D "binddn" | When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the -w option. |
-E "character_set" | Specifies the native character set encoding. See Appendix G, "Globalization Support in the Directory" in Oracle Internet Directory Administrator's Guide. |
-h ldaphost | Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
 | Instructs the tool to send the |
-n | Shows what would occur without actually performing the operation. |
-O ref_hop_limit | Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport | Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password | Specifies the wallet password required for one-way or two-way SSL connections. |
-T number_of_threads | Sets the number of threads for concurrently processing entries. |
-U SSLAuth | Specifies the SSL authentication mode: 1 for no authentication required; 2 for one-way authentication required; 3 for two-way authentication required. |
-v | Specifies verbose mode. |
-V ldap_version | Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password | Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option. |
-W wallet_location | Specifies the wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet". On Windows NT, you could set this parameter as follows: |
The ldapsearch command-line tool enables you to search for and retrieve specific entries in the directory.
The ldapsearch tool uses this syntax:
ldapsearch [arguments] filter [attributes]
The filter format must be compliant with RFC-2254.
See Also:
RFC-2254 available at |
Separate attributes with a space. If you do not list any attributes, all attributes are retrieved.
Argument | Description |
---|---|
-b "basedn" | Specifies the base DN for the search. This argument is mandatory. |
-s scope | Specifies the search scope: base, one, or sub. This argument is mandatory. base retrieves a particular directory entry; along with this search depth, you use the search criteria bar to select the attribute |
-A | Retrieves attribute names only (no values). |
-a deref | Specifies alias dereferencing: never, always, search, or find. |
-B | Allows printing of non-ASCII values. |
-D "binddn" | When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the -w option. |
-d debug_level | Sets the debugging level to the level specified (see the chapter on "Logging, Auditing, and Monitoring the Directory" in Oracle Internet Directory Administrator's Guide). |
-E "character_set" | Specifies the native character set encoding. See Appendix G, "Globalization Support in the Directory" in Oracle Internet Directory Administrator's Guide. |
-f file | Performs the sequence of searches listed in file. |
-F sep | Prints |
-h ldaphost | Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-L | Prints entries in LDIF format ( |
-l timelimit | Specifies the maximum time (in seconds) to wait for the ldapsearch command to complete. |
 | Instructs the tool to send the |
-n | Shows what would be done without actually searching. |
-O ref_hop_limit | Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport | Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password | Specifies the wallet password required for one-way or two-way SSL connections. |
-S attr | Sorts the results by attribute attr. |
-t | Writes to files in |
-u | Includes user friendly entry names in the output. |
-U SSLAuth | Specifies the SSL authentication mode: 1 for no authentication required; 2 for one-way authentication required; 3 for two-way authentication required. |
-v | Specifies verbose mode. |
-w passwd | Specifies the bind passwd for simple authentication. |
-W wallet_location | Specifies the wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet". On Windows NT, you could set this parameter as follows: |
-z sizelimit | Specifies the maximum number of entries to retrieve. |
-X | Prints the entries in DSML v1 format. |
Study the following examples to see how to build your own search commands.
The following example performs a base-level search on the directory from the root.
ldapsearch -p 389 -h myhost -b "" -s base -v "objectclass=*"
-b specifies the base DN for the search, root in this case.
-s specifies whether the search is a base search (base), one level search (one) or subtree search (sub).
"objectclass=*" specifies the filter for the search.
The following example performs a one level search starting at "ou=HR, ou=Americas, o=IMC, c=US".
ldapsearch -p 389 -h myhost -b "ou=HR, ou=Americas, o=IMC, c=US" -s one -v "objectclass=*"
The following example performs a subtree search and returns all entries having a DN starting with "cn=us".
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*"
The following example actually retrieves only two entries, even if there are more than two matches.
ldapsearch -h myhost -p 389 -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s one "objectclass=*"
The following example returns only the DN attribute values of the matching entries:
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "objectclass=*" dn
The following example retrieves only the distinguished name along with the surname (sn) and description (description) attribute values:
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description
The following example retrieves entries with common name (cn) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.
ldapsearch -p 389 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"
Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following example does not return John's entry:
ldapsearch -p 389 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"
The following example retrieves all user attributes and the createtimestamp and orclguid operational attributes:
ldapsearch -p 389 -h myhost -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s sub "cn=Person*" * createtimestamp orclguid
The following example retrieves entries modified by Anne Smith:
ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifiersname=cn=Anne Smith))"
The following example retrieves entries modified between 01 April 2001 and 06 April 2001:
ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifytimestamp >= 20000401000000) (modifytimestamp <= 20000406235959))"
Each of the following examples searches on port 389 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us".
The following example searches for all entries with any value for the objectclass attribute.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"
The following example searches for all entries that have orcl at the beginning of the value for the objectclass attribute.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=orcl*"
The following example searches for entries where the objectclass attribute begins with orcl and cn begins with foo.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(&(objectclass=orcl*)(cn=foo*))"
The following example searches for entries in which the common name (cn) is not foo.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(!(cn=foo))"
The following example searches for entries in which cn begins with foo or sn begins with bar.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(|(cn=foo*)(sn=bar*))"
The following example searches for entries in which employeenumber is less than or equal to 10000.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "employeenumber<=10000"
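To see what the filters in the examples above actually select, the following Python evaluator, added here and not part of the Oracle documentation, parses the RFC 2254 filter forms used above (and, or, not, presence, prefix with *, equality, >= and <=, and attribute options such as cn;lang-fr) and runs them over a few constructed in-memory entries. The entries, the function names (parse_filter, search) and the numeric ordering used for >= and <= are this example's own assumptions, not the server's matching rules.

```python
"""Evaluator for the RFC 2254 search filters used in the ldapsearch examples.

Added example, not Oracle's code: parses the filter forms shown above and
applies them to constructed entries so each filter's effect can be checked offline.
"""
import re

_ATTR_NAME = re.compile(r"[A-Za-z0-9.;_-]+")   # attribute description, options included


def parse_filter(text):
    """Parse a filter string into a nested tuple tree."""
    s = text.strip()
    if not s.startswith("("):             # ldapsearch also accepts a bare item
        s = "(" + s + ")"
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("unexpected text after filter: %r" % s[pos:])
    return node

def _skip_ws(s, i):
    while s[i:i + 1] == " ":
        i += 1
    return i

def _close(s, i):
    if s[i:i + 1] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1

def _parse(s, i):
    """Parse the parenthesised component at s[i]; return (node, index after it)."""
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    head = s[i + 1:i + 2]
    if head in ("&", "|"):
        kids, i = [], _skip_ws(s, i + 2)
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
            i = _skip_ws(s, i)            # tolerate blanks between components
        return ("and" if head == "&" else "or", kids), _close(s, i)
    if head == "!":
        kid, i = _parse(s, i + 2)
        return ("not", kid), _close(s, i)
    m = _ATTR_NAME.match(s, i + 1)
    if not m:
        raise ValueError("missing attribute name at offset %d" % (i + 1))
    attr, j = m.group(0).lower(), m.end()
    # RFC 2254 puts no blanks around the operator; they are skipped here only
    # because the modifytimestamp example above is written that way.
    j = _skip_ws(s, j)
    if s[j:j + 2] in (">=", "<="):
        op, j = s[j:j + 2], j + 2
    elif s[j:j + 1] == "=":
        op, j = "=", j + 1
    else:
        raise ValueError("expected =, >= or <= at offset %d" % j)
    j = _skip_ws(s, j)
    k = s.find(")", j)
    if k < 0:
        raise ValueError("unterminated filter item")
    return ("item", attr, op, s[j:k]), k + 1

def _compare(value, pattern):
    """Ordering for >= and <=: numeric when both sides are integers, else text."""
    try:
        a, b = int(value), int(pattern)
    except ValueError:
        a, b = value.lower(), pattern.lower()
    return (a > b) - (a < b)

def _match_item(entry, attr, op, pattern):
    # The whole attribute description is matched, options included, so a filter
    # on cn;lang-it sees only cn;lang-it values, never plain cn values.
    values = entry.get(attr, [])
    if op == "=" and pattern == "*":                  # presence
        return bool(values)
    if op == "=" and "*" in pattern:                  # prefix / substring
        rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return any(re.match(rx, v, re.IGNORECASE) for v in values)
    for v in values:
        if op == "=" and v.lower() == pattern.lower():
            return True
        if op == ">=" and _compare(v, pattern) >= 0:
            return True
        if op == "<=" and _compare(v, pattern) <= 0:
            return True
    return False

def matches(entry, node):
    kind = node[0]
    if kind == "and":
        return all(matches(entry, k) for k in node[1])
    if kind == "or":
        return any(matches(entry, k) for k in node[1])
    if kind == "not":
        return not matches(entry, node[1])
    return _match_item(entry, node[1], node[2], node[3])

def search(entries, filter_text):
    """Return the DNs of the entries matching the filter, in input order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(e, node)]

# Constructed entries for this example; keys are lower-case attribute descriptions.
SAMPLE_ENTRIES = [
    {"dn": "cn=John,ou=hr,o=acme,c=us", "objectclass": ["top", "person"],
     "cn": ["John"], "cn;lang-fr": ["Jean"], "sn": ["Carter"],
     "employeenumber": ["9000"], "modifytimestamp": ["20000403120000"]},
    {"dn": "cn=Renee,ou=hr,o=acme,c=us", "objectclass": ["top", "person", "orclUserV2"],
     "cn": ["Renee"], "cn;lang-fr": ["Renée"], "sn": ["Dupont"],
     "employeenumber": ["12000"], "modifytimestamp": ["20000501000000"],
     "modifiersname": ["cn=Anne Smith"]},
    {"dn": "cn=foo,ou=hr,o=acme,c=us", "objectclass": ["top", "orclGroup"],
     "cn": ["foo"], "sn": ["bar"], "employeenumber": ["10000"]},
]
```

Running the "cn;lang-it=Giovanni" filter over these entries returns nothing, which is the behaviour the John example above describes, while "cn;lang-fr=R*" returns only the entry whose French common name starts with R.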
This section contains these topics:
Table A-16 lists the tasks you can perform by using the Directory Integration and Provisioning Assistant and the corresponding commands. It also points you to instructions for performing each task.
Tasks | Commands | More Information |
---|---|---|
Create, modify, or delete a synchronization profile | createprofile, modifyprofile, deleteprofile | "Creating, Modifying, and Deleting Synchronization Profiles" |
See all the profile names in Oracle Internet Directory | listprofiles | "Listing All Synchronization Profiles in Oracle Internet Directory" |
See the details of a specific profile | showprofile | |
Make Oracle Internet Directory and the connected directory identical before beginning synchronization | bootstrap | "Bootstrapping a Directory by Using the Directory Integration and Provisioning Assistant" |
Set the wallet password that the Oracle directory integration and provisioning server later uses to connect to Oracle Internet Directory | wpasswd | "Setting the Wallet Password for the Oracle Directory Integration and Provisioning Server" |
Reset the password of the administrator of the Oracle Directory Integration Platform | chgpasswd | "Changing the Password of the Administrator of the Oracle Directory Integration and Provisioning Platform" |
Move integration profiles from one identity management node to another | reassociate | "Moving an Integration Profile to a Different Identity Management Node" |
The command-line interface for the Directory Integration and Provisioning Assistant is:
dipassistant command [-help]
command := Directory Integration and Provisioning Assistant command
Directory Integration and Provisioning Assistant command := createprofile [cp] | modifyprofile [mp] | deleteprofile [dp] | listprofiles [lsprof] | showprofile [sp] | bootstrap [bs] | wpasswd [wp] | chgpasswd [cpw] | reassociate [rs]
For help on a particular command, enter:
dipassistant command -help
The syntax for creating, modifying, or deleting synchronization profiles by using the Directory Integration and Provisioning Assistant is:
dipassistant createprofile | modifyprofile | deleteprofile [-host host name] [-port port number] [-dn bind_DN] [-passwd password]
{-file file name | -profile profile name } [propName1=value] [propName2=value]... [-configset configset_number]
For example:
dipassistant createprofile -host myhost -port 3060 -passwd xxxx -file import.profile -configset 1
dipassistant modifyprofile -host myhost -port 3060 -passwd xxxx -file import.profile -dn xxxx -passwd xxxx -profile myprofile [propName1=value] [propName2=value]...
dipassistant deleteprofile -profile myprofile [-host myhost] [-port 3060] [-dn xxxx] [-passwd xxxx] [-configset 1]
Table A-17 describes the parameters for creating, modifying, and deleting synchronization profiles by using the Directory Integration and Provisioning Assistant.
Parameter | Description |
---|---|
-host | Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-port | Port at which Oracle Internet Directory was started. The default is 389. |
-dn | The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning platform administrator. |
-passwd | The password of the bind DN to be used while binding to the directory. |
-file | The file containing all the profile parameters. See Also: Table A-18 for a list of parameters and their description. |
-configset | Number of the configuration set entry with which the profile needs to be associated. |
-profile | Profile that needs to be modified. |
The properties expected by the createprofile and modifyprofile commands are described in Table A-18. When modifying an already existing profile, no defaults are assumed. Only those attributes specified in the file are changed.
The command-line interface to the bootstrap command is:
dipassistant bootstrap { -profile profile_name [-host host_name] [-port port_number] -dn bind_DN
  [-passwd password] [-log log_file] [-logseverity severity]
  [-trace trace_file] [-tracelevel trace_level] [-loadparallelism <#nThrs>]
  [-loadretry <retryCnt>] | -cfg file_name }
For example, either:
dipassistant bs -cfg bootstrap cfg
or
dipassistant bs -host myhost -port 3060 -dn cn=orcladmin -passwd xxxx -profile iPlanetProfile
Parameter | Description |
---|---|
-cfg | A configuration file containing all the parameters required for performing the bootstrapping. See Also: Table A-20 for a list of parameters and their description. |
-host | Host where Oracle Internet Directory is running. |
-port | Port at which Oracle Internet Directory was started. |
-dn | The bind DN to be used in identifying to the directory. |
-passwd | The password of the bind DN to be used while binding to the directory. |
-profile | The profile name. |
-log | Log file. If this parameter is not specified, then, by default, the log information is written to |
-logseverity | Log severity 1 - 15. 1 - INFO, 2 - WARNING, 3 - DEBUG, 4 - ERROR, or any combination of these. If not specified, then INFO and ERROR messages alone will be logged. |
-trace | Trace file for debugging purposes. |
-tracelevel | Trace level. |
-loadretry | When the loading to the destination fails, the number of times the retry should be made before marking the entry as a bad entry. |
-loadparallelism | Indicator that loading to Oracle Internet Directory is to take place in parallel by using multiple threads. For example, |
The default password for the dipadmin account is the same as the ias_admin password chosen during installation. This command lets you reset the password of the dipadmin account. To reset that password, you must provide the security credentials of the orcladmin account.
For example:
$ dipassistant chgpasswd -passwd orcladmin_password -host oid.heman.com -port 3060
The Assistant then prompts for the new password as follows:
New Password:
Confirm Password:
The listprofiles command prints a list of all the synchronization profiles in Oracle Internet Directory. For example:
$ dipassistant listprofiles -passwd dipadmin_password -host oid.heman.com -port 3060
This command prints the following sample list:
IplanetExport
IplanetImport
ActiveImport
ActiveExport
LdifExport
LdifImport
TaggedExport
TaggedImport
OracleHRAgent
ActiveChgImp
The showprofile command prints the details of a specific synchronization profile. For example:
$ dipassistant showprofile -passwd dipadmin_password -host oid.heman.com -port 3060 -profile ActiveImport
This command prints the following sample output:
odip.profile.version = 1.0
odip.profile.lastchgnum = 0
odip.profile.interface = LDAP
odip.profile.oidfilter = orclObjectGUID
odip.profile.schedinterval = 60
odip.profile.name = ActiveImport
odip.profile.syncmode = IMPORT
odip.profile.retry = 5
odip.profile.debuglevel = 0
odip.profile.status = DISABLE
The WPasswd command enables you to set the wallet password that the Oracle directory integration and provisioning server later uses to connect to Oracle Internet Directory. To use this command, enter:
dipassistant wp
The Directory Integration and Provisioning Assistant prompts you to enter, and then confirm, the password.
You can use the Directory Integration and Provisioning Assistant to move directory integration profiles to another node and to reassociate them with it. For example, if the middle-tier components are associated with a particular Oracle Identity Management infrastructure, then all the integration profiles existing in that infrastructure node can be moved to a new infrastructure node.
Table A-21 describes the reassociation rules.
The usage is as follows:
dipassistant reassociate [-src_ldap_host <hostName>] [-src_ldap_port <portNo>]
  [-src_ldap_dn <bindDn>] [-src_ldap_passwd <password>]
  -dst_ldap_host <hostName> [-dst_ldap_port <portNo>]
  [-dst_ldap_dn <bindDn>] [-dst_ldap_passwd <password>] [-log <logfile>]
Options:
-src_ldap_host <hostName> : Host where OID-1 runs
-src_ldap_port <portNo> : Port at which OID-1 runs
-src_ldap_dn <bindDn> : Bind Dn to connect to OID-1
-src_ldap_passwd <password> : Bind Dn password to connect to OID-1
-dst_ldap_host <hostName> : Host where OID-2 runs
-dst_ldap_port <portNo> : Port at which OID-2 runs
-dst_ldap_dn <bindDn> : Bind Dn to connect to OID-2
-dst_ldap_passwd <password> : Bind Dn password to connect to OID-2
-log <logFile> : Log file
Defaults:
src_ldap_host - localhost
src_ldap_port & dst_ldap_port - 389
src_ldap_dn & dst_ldap_dn - cn=orcladmin account
Examples:
dipassistant reassociate -src_ldap_host oid1.mycorp.com \
  -dst_ldap_host oid2.mycorp.com -src_ldap_passwd xxxx \
  -dst_ldap_passwd xxxx
dipassistant rs -help
Note: if the location of the log file is not specified, then by default it will be created as $ORACLE_HOME/ldap/odi/log/reassociate.log.
In this release, the Directory Integration and Provisioning Assistant does not support the following:
The following elements of the Directory Integration and Provisioning Assistant are untested:
The bootstrapping command of the Directory Integration and Provisioning Assistant has the limitations described in Table A-22.
Use LdapUploadAgentFile.sh
to load mapping and configuration information when you are synchronizing directories.
ldapUploadAgentFile.sh -name profile_name -config configset_the_profile_is_associated_with \
  -LDAPhost directory_server_host -LDAPport directory_server_port \
  -binddn DN_that_can_modify_the_profile -bindpass password_for_the_bind_DN \
  -attrtype "MAP" | "ATTR" -filename complete_path_of_file_to_be_uploaded
See Also:
Chapter 33, "Oracle Directory Synchronization Service" in Oracle Internet Directory Administrator's Guide for a description of when to use |
You can create an integration profile by using the command-line tool ldapcreateConn.sh. This tool is in the following directory: $ORACLE_HOME/ldap/admin/.
The following example creates an integration profile named "HRMS" in configuration set 2:
ldapcreateConn.sh -name agent_name [ -type <IMPORT | EXPORT> ] \
  [ -agentpwd agent_password ] \
  [ -config configset_to_associate_with ] \
  [ -LDAPhost directory_server_host ] \
  [ -LDAPport directory_server_port ] \
  [ -binddn DN_of_super_user ] \
  [ -bindpass Bind_password ] \
  [ -retry maximum_retry_count_on_synchronization_errors ] \
  [ -poll polling_interval_for_synchronization ] \
  [ -host host_on_which_to_run_agent ] \
  [ -conndirurl connected_directory_URL ] \
  [ -conndiracct connected_directory_account_information ] \
  [ -conndirpwd connected_directory_account_password ] \
  [ -execmd command_line_for_the_agent ] \
  [ -iftype interface_type ] \
  [ -condirfilter connected_directory_matching_filter ] \
  [ -oidfilter OID_matching_filter ] \
  [ -U SSL_authentication_mode ] \
  [ -W wallet_location ] \
  [ -P wallet_password ]
You can deregister a synchronization profile by using the command-line tool ldapDeleteConn.sh. This tool is in the directory $ORACLE_HOME/ldap/admin/.
The syntax is:
ldapdeleteConn.sh [ -name Profile_Name ] \
  [ -LDAPhost LDAP_server_host (default is local host) ] \
  [ -LDAPport directory_server_port (default 389) ] \
  [ -binddn SuperUserDN (default cn=orcladmin) ] \
  [ -bindpass password (default=welcome) ] \
  [ -config configset_associated_with_agent ] \
  [ -U SSL_authentication_mode ] [ -W Wallet_location ] [ -P Wallet_password ] \
  [ -help | -usage ]
The following example deregisters a profile entry and dissociates it from the configuration set 2 (config 2) entry:
ldapDeleteConn.sh -name HRMS -config 2
In a client-only installation where OID Monitor and OIDCTL tools are not available, you can start the directory integration and provisioning server without OIDCTL. To stop the server, use the stopOdiServer.sh tool.
The path name for this tool is: $ORACLE_HOME/ldap/admin/stopodiserver.sh
The usage is:
$ORACLE_HOME/ldap/admin/stopodiserver.sh [ -LDAPhost LDAP_server_host ] [ -LDAPport LDAP_server_port ] \
  [ -binddn super_user_dn (default cn=orcladmin) ] [ -bindpass bind_password (default=welcome) ] \
  -instance instance_number_to_stop
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
The schemasync tool enables you to synchronize schema elements--namely attributes and object classes--between an Oracle directory server and third-party LDAP directories.
The usage for schemasync is as follows:
$ORACLE_HOME/bin/schemasync -srchost source_LDAP_directory -srcport source_LDAP_port_number \
  -srcdn privileged_DN_in_source_directory_to_access_schema -srcpwd password \
  -dsthost destination_LDAP_directory -dstport destination_LDAP_port \
  -dstdn privileged_dn_in_destination_directory_to_access_schema -dstpwd password [-ldap]
The errors that occur during schema synchronization are logged in the following log files:
To register an Oracle directory integration and provisioning server with the directory, this tool creates an entry in the directory and sets the password for the directory integration and provisioning server. If the registration entry already exists, then you can use the tool to reset the existing password. The odisrvreg tool also creates a local file called odisrvwallet_hostname, at $ORACLE_HOME/ldap/odi/conf. This file acts as a private wallet for the directory integration and provisioning server, which uses it on startup to bind to the directory.
Table A-26 describes the parameters that you use with the Oracle Directory Integration and Provisioning Server Registration Tool. You can also run odisrvreg in SSL mode to make communication between the tool and the directory fully secure, using the -U, -W, and -P parameters that are also described in Table A-26.
To register the directory integration and provisioning server, enter this command:
odisrvreg -h host_name -p port -D binddn -w bindpasswd -I passwd [-U ssl_mode -W wallet -P wallet_password]
Use the Provisioning Subscription Tool to administer provisioning profile entries in the directory. More specifically, use it to perform these activities:
The Provisioning Subscription Tool shields the location and schema details of the provisioning profile entries from the callers of the tool. From the callers' perspective, the combination of an application and a subscriber uniquely identify a provisioning profile. The constraint in the system is that there can be only one provisioning profile for each application for each subscriber.
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
The name of the executable is oidProvTool, located in $ORACLE_HOME/bin.
To invoke this tool, use this command:
oidprovtool param1=param1_value param2=param2_value param3=param3_value ...
The Provisioning Subscription Tool accepts the following parameters:
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.