A
Syntax for LDIF and Command-Line Tools

This appendix provides syntax, usage notes, and examples for LDAP Data Interchange Format (LDIF) and LDAP command-line tools. It contains these topics:

LDAP Data Interchange Format (LDIF) Syntax

The standardized file format for directory entries is as follows:

dn: distinguished_name
attribute_type: attribute_value
.

.

.
objectClass: object_class_value
.

.

.

Property Value Description

dn:

RDN,RDN,RDN,...

Separate RDNs with commas.

attribute_type:

attribute_value

This line repeats for every attribute in the entry, and for every attribute value in multi-valued attributes.

objectClass:

object_class_ value

This line repeats for every object class.

Property	Value	Description
dn:	RDN,RDN,RDN,...	Separate RDNs with commas.
attribute_type:	attribute_value	This line repeats for every attribute in the entry, and for every attribute value in multi-valued attributes.
objectClass:	object_class_ value	This line repeats for every object class.

The following example shows a file entry for an employee. The first line contains the DN. The lines that follow the DN begin with the mnemonic for an attribute, followed by the value to be associated with that attribute. Note that each entry ends with lines defining the object classes for the entry.

dn: cn=Suzie Smith,ou=Server Technology,o=Acme, c=US

cn: Suzie Smith

cn: SuzieS

sn: Smith

mail: ssmith@us.Acme.com

telephoneNumber: 69332

photo: /ORACLE_HOME/empdir/photog/ssmith.jpg

objectClass: organizationalPerson

objectClass: person
objectClass: top

The next example shows a file entry for an organization:

dn: o=Acme,c=US

o: Acme

ou: Financial Applications

objectClass: organization 
objectClass: top

LDIF Formatting Notes

A list of formatting rules follows. This list is not exhaustive.

All mandatory attributes belonging to an entry being added must be included with non-null values in the LDIF file.

Tip:
To see the mandatory and optional attribute types for an object class, use Oracle Directory Manager. See Oracle Internet Directory Administrator's Guide.

Non-printing characters and tabs are represented in attribute values by base-64 encoding.
The entries in your file must be separated from each other by a blank line.
A file must contain at least one entry.
Lines can be continued to the next line by beginning the continuation line with a space or a tab.
Add a blank line between separate entries.
Reference binary files, such as photographs, with the absolute address of the file, preceded by a forward slash ("/").
The DN contains the full, unique directory address for the object.
The lines listed after the DN contain both the attributes and their values. DNs and attributes used in the input file must match the existing structure of the DIT. Do not use attributes in the input file that you have not implemented in your DIT.
Sequence the entries in an LDIF file so that the DIT is created from the top down. If an entry relies on an earlier entry for its DN, make sure that the earlier entry is added before its child entry.

When you define schema within an LDIF file, insert a white space between the opening parenthesis and the beginning of the text, and between the end of the text and the ending parenthesis.

See Also:

The various resources listed in "Related Documentation" for a complete list of LDIF formatting rules

The section "Using Globalization Support with LDIF Files" in Oracle Internet Directory Administrator's Guide

Starting, Stopping, Restarting, and Monitoring Oracle Internet Directory Servers

This section tells how to use command-line tools for starting, stopping, restarting, and monitoring Oracle Internet Directory servers. It contains these topics:

The OID Monitor (oidmon) Syntax

Use the OID Monitor to initiate, monitor, and terminate directory server processes. If you elect to install a replication server, OID Monitor controls it. When you issue commands through OID Control Utility (OIDCTL) to start or stop directory server instances, your commands are interpreted by this process.

Starting the OID Monitor

Starting OID Monitor restarts any Oracle Internet Directory processes that were previously stopped.

To start the OID Monitor:

Set the following environment variables:
- ORACLE_HOME
- ORACLE_SID or a proper TNS CONNECT string
- NLS_LANG (APPROPRIATE_LANGUAGE.AL32UTF8). The default language set at installation is AMERICAN_AMERICA.
- PATH. In the PATH environment variable, specify the Oracle LDAP binary--that is, ORACLE_HOME/bin--before the UNIX binary directory.

At the system prompt, type:

oidmon [connect=connect_string] [host=virtual/host_name][sleep=seconds] 
start



Table A-1   Arguments for Starting OID Monitor
 





Argument


Description





connect=connect_string



Specifies the connect string for the database to which you want to connect. This is the network service name set in the tnsnames.ora file. This argument is optional.




host=virtual/host_name



Specifies the virtual host or rack nodes on which to start OID Monitor




sleep=seconds



Specifies number of seconds after which the OID Monitor should check for new requests from OID Control and for requests to restart any servers that may have stopped. The default sleep time is 10 seconds. This argument is optional.




start



Starts the OID Monitor process

Argument	Description
connect=connect_string	Specifies the connect string for the database to which you want to connect. This is the network service name set in the `tnsnames.ora` file. This argument is optional.
host=virtual/host_name	Specifies the virtual host or rack nodes on which to start OID Monitor
sleep=seconds	Specifies number of seconds after which the OID Monitor should check for new requests from OID Control and for requests to restart any servers that may have stopped. The default sleep time is 10 seconds. This argument is optional.
start	Starts the OID Monitor process

For example:

oidmon connect=dbs1 sleep=15 start

To start OID Monitor on a virtual host:

oidmon connect=dbsl host=virtual_host start

Stopping the OID Monitor

Stopping the OID Monitor also stops all other Oracle Internet Directory processes.

To stop the OID Monitor daemon, at the system prompt, type:

oidmon [connect=connect_string] [host=virtual/host_name] stop

Table A-2 Arguments for Stopping OID Monitor

Argument	Description
`connect=``connect_string`	Specifies the connect string for the database to which you want to connect. This is the connect string set in the `tnsnames.ora` file.
`host=``virtual/host name`	Specifies the virtual host or rack nodes on which to start OID Monitor
`stop`	Stops the OID Monitor process

For example:

oidmon connect=dbs1 stop

Starting and Stopping OID Monitor in a Cold Failover Cluster Configuration

While starting and stopping OID Monitor, use the host parameter to specify the virtual host name. The syntax is:

oidmon [connect=connect_string] host=virtual_host start|stop

Note:
If you are going to start Oracle Internet Directory servers on a virtual host, then, when using both OIDMON and OIDCTL, be sure to specify the host argument as the virtual host.
If the OID Monitor is started with the host=host name argument, and the host name does not match the name of the physical host, then the OID Monitor assumes that the intended host is the logical host. You must use the same host name when using OIDCTL to stop or start any servers, otherwise the OID Monitor does not start or stop the servers.
To determine the physical host name, execute the uname command.

The OID Control Utility (oidctl) Syntax

OID Control Utility is a command-line tool for starting and stopping the directory server. The commands are interpreted and executed by the OID Monitor process.

Note:
Although you can start the directory server without using OID Monitor and the OID Control Utility, Oracle Corporation recommends that you use them. This way, if the directory server unexpectedly terminates, then OID Monitor automatically restarts it.

This section contains these topics:

Starting and Stopping an Oracle Directory Server Instance

Use the OID Control Utility to start and stop Oracle directory server instances.

Starting an Oracle Directory Server Instance

The syntax for starting an Oracle directory server instance is:

oidctl connect=connect_string server=oidldapd instance=server_instance_number 
[configset=configset_number] [host=virtual/host_name][flags=' -p port_number 
-work maximum_number_of_worker_threads_per_server -debug debug_level -l change_
logging' -server number_of_server_processes] start

Table A-3 Arguments for Starting a Directory Server by Using OIDCTL

Argument	Description
`-debug` debug_level	Specifies a debug level during Oracle directory server instance startup
`-l` change_logging	Turns replication change logging on and off. To turn it off, enter `-l false`. To turn it on, do any one of the following: omit the `-l` flag enter simply `-l` enter `-l true` Turning off change logging for a given node by specifying `-l` false has two drawbacks: it prevents replication of updates on that node to other nodes in the DRG, and it prevents application provisioning and synchronization of connected directories, because those two services require an active change log. The default, TRUE, permits replication, provisioning, and synchronization.
`-p` port_number	Specifies a port number during server instance startup. The default port number is 389.
`-server` number_of_server_processes	Specifies the number of server processes to start on this port
`-sport`	Specifies the SSL port number during server instance startup. Default port if not set is 636. See Also: The information about `orclsslenable` attribute in the section "Configuration Set Entry Schema Elements" in Oracle Internet Directory Administrator's Guide "Configuring SSL Parameters"in Oracle Internet Directory Administrator's Guide
`-work` maximum_number_of_worker_threads_per_server	Specifies the maximum number of worker threads for this server
`configset`=configset_number	Configset number used to start the server. This defaults to `configset0` if not set. This should be a number between 0 and 1000.
`connect`=connect_string	If you already have a `tnsnames.ora` file configured, then this is the net service name specified in that file, located in `ORACLE_HOME``/network/admin`.
`host=``virtual/host_name`	Specifies the virtual host or rack nodes on which to start the directory server
`instance`=server_instance_number	Instance number of the server to start. Should be a number between 1 and 1000.
`server`=oidldapd	Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive.
`start`	Starts the server specified in the `server` argument.

For example, to start a directory server instance whose net service name is dbs1, using configset5,at port 12000, with a debug level of 1024, an instance number 3, and in which change logging is turned off, type at the system prompt:

oidctl connect=dbs1 server=oidldapd instance=3 configset=5 flags='-p 12000 

-debug 1024 -l ' start

When starting and stopping an Oracle directory server instance, the server name and instance number are mandatory, as are the commands start or stop. All other arguments are optional.

All keyword value pairs within the flags arguments must be separated by a single space.

Single quotes are mandatory around the flags.

The configset identifier defaults to zero (configset0) if not set.

Note:
If you choose to use a port other than the default port (389 for non-secure usage or 636 for secure usage), you must tell the clients which port to use to locate the Oracle Internet Directory. If you use the default ports, clients can connect to the Oracle Internet Directory without referencing a port in their connect requests.

Stopping an Oracle Directory Server Instance

At the system prompt, type:

oidctl connect=connect_string server=oidldapd instance=server_instance_number 
stop

For example:

oidctl connect=dbs1 server=oidldapd instance=3 stop

Troubleshooting Directory Server Instance Startup

If the directory server fails to start, you can override all user-specified configuration parameters to start the directory server and then return the configuration sets to a workable state by using the ldapmodify operation.

To start the directory server by using its hard-coded default parameters instead of the configuration parameters stored in the directory, type at the system prompt:

oidctl connect=connect_string flags='-p port_number -f'

The -f option in the flags starts the server with hard-coded configuration values, overriding any defined configuration sets except for the values in configset0.

To see debug log files generated by the OID Control Utility, navigate to $ORACLE_HOME/ldap/log.

Starting and Stopping an Oracle Directory Replication Server Instance

Use the OID Control Utility to start and stop Oracle directory replication server instances.

Starting an Oracle Directory Replication Server Instance

The syntax for starting the Oracle directory replication server is:

oidctl connect=connect_string server=oidrepld instance=server_instance_number 
[configset=configset_number] flags=' -p directory_server_port_number -d debug_
level -h directory_server_host_name -m [true | false]-z transaction_size ' start

Table A-4 Arguments for Starting a Directory Replication Server by Using OIDCTL

Argument	Description
`connect`=connect_string	If you already have a `tnsnames.ora` file configured, then this is the name specified in that file, which is located in ORACLE_HOME/network/admin
`server`=oidrepld	Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive.
`instance`=server_instance_number	Instance number of the server to start. Should be a number between 1 and 1000.
`configset`=configset_number	Configset number used to start the server. The default is `configset0`. This should be a number between 0 and 1000.
`-p` directory_server_port_number	Port number that the replication server uses to connect to the directory on TCP port directory_server_port_number. If you do not specify this option, the tool connects to the default port (389).
`-d` debug_level	Specifies a debug level during replication server instance startup
`-h` directory_server_host_name	Specifies the directory_server_host_name to which the replication server connects, rather than to the default host, that is, your local computer. Directory_server_host_name can be a computer name or an IP address. (Replication server only)
`-m [`true`\|`false`]`	Turns conflict resolution on and off. Valid values are `true` and `false`. The default is true. (Replication server only)
`-z` transaction_size	Specifies the number of changes applied in each replication update cycle. If you do not specify this, the number is determined by the Oracle directory server sizelimit parameter, which has a default setting of 1024. You can configure this latter setting.
start	Starts the server specified in the server argument.

For example, to start the replication server with an instance=1, at port 12000, with debugging set to 1024, type at the system prompt:

oidctl connect=dbs1 server=oidrepld instance=1 flags='-p 12000 -h eastsun11 -d 
1024' start

When starting and stopping an Oracle directory replication server, the -h flag, which specifies the host name, is mandatory. All other flags are optional.

All keyword value pairs within the flags arguments must be separated by a single space.

Single quotes are mandatory around the flags.

The configset identifier defaults to zero (configset0) if not set.

Stopping an Oracle Directory Replication Server Instance

At the system prompt, type:

oidctl connect=connect_string server=OIDREPLD instance=server_instance_number 
stop

For example:

oidctl connect=dbs1 server=oidrepld instance=1 stop

Starting the Oracle Directory Integration and Provisioning Server

The Oracle directory integration and provisioning server executable, odisrv, resides in the $ORACLE_HOME/bin directory.

The way you start the directory integration and provisioning server depends on whether your installation is:

A typical Oracle Internet Directory installation

In this case, your installation includes, among other server and client components, the OID Monitor and the OID Control Utility. In such installations, you start and stop the directory integration and provisioning server by using these tools.

Note:
Although you can start the directory integration and provisioning server without using the OID Monitor and the OID Control Utility, Oracle Corporation recommends that you use them. This way, if the directory integration and provisioning server unexpectedly terminates, the OID Monitor automatically restarts it.

An Oracle Directory Integration and Provisioning platform-only installation

In this case, the way you start the directory integration and provisioning server depends on whether you are using the Oracle Directory Integration and Provisioning platform for high availability.
- If you are using Oracle Directory Integration and Provisioning platform for high availability, then Oracle Corporation recommends that you start the directory integration and provisioning server by using the OID Monitor and the OID Control Utility. This requires configuring the tnsnames.ora file with the right host and SID to which the OID Monitor must connect.
- If you are not using Oracle Directory Integration and Provisioning platform for high availability, then Oracle Corporation recommends that you start the directory integration and provisioning server without using the OID Monitor.

You can start the directory integration and provisioning server in either SSL mode for tighter security, or non-SSL mode. You need to use a connect string to connect to the database.

Note:
When the Oracle directory integration and provisioning server is invoked in the default mode, it supports only the Oracle Directory Provisioning Integration Service, and not the Oracle Directory Synchronization Service.

Starting the Oracle Directory Integration and Provisioning Server by Using the OID Monitor and Control Utilities

To start the directory integration and provisioning server in non-SSL mode:

Be sure that OID Monitor is running. To verify this on UNIX, enter the following at the command line:
```
ps -ef | grep oidmon
```
If OID Monitor is not running, then start it by following the instructions in "The OID Monitor (oidmon) Syntax".

Start the directory integration and provisioning server by using the OID Control Utility. Do this by entering:

oidctl [connect=connect_string] server=odisrv [instance=instance_number]  
[config=configuration_set_number] [flags="[host=hostname] [port=port_number] 
[debug=debug_level] [refresh=interval_between_refresh] 

[grpID=group_identifier_of_provisioning_profile] 

[maxprofiles=number_of_profiles] 

[ sslauth=ssl_mode ]"] start

Table A-5 describes the arguments in this command.

Table A-5 Description of Arguments for Starting the Oracle Directory Integration and Provisioning Server

Argument	Description
`connect`=connect_string	If you already have a `tnsnames.ora` file configured, then this is the net service name specified in that file, located in $`ORACLE_HOME``/network/admin`
`server`=odisrv	Type of server to start. In this case, the server you are starting is `odisrv`. This is not case-sensitive. This argument is mandatory.
`instance`=`instance_number`	Specifies the instance number to assign to the directory integration and provisioning server. This instance number must be unique. OID Monitor verifies that the instance number is not already associated with a currently running instance of this server. If it is associated with a currently running instance, then OID Monitor returns an error message.
`config`=`configuration_set_number`	Specifies the number of the configuration set that the directory integration and provisioning server is to execute. This argument is mandatory.
`host`=`hostname`	Oracle directory server host name
`port`=`port_number`	Oracle directory server port number
`debug`=`debug_level`	The required debugging level of the directory integration and provisioning server See Also: The chapter on "Logging, Auditing, and Monitoring the Directory" in in Oracle Internet Directory Administrator's Guide for a description of the various debug levels
`refresh=``interval_between_refreshes`	Specifies the interval, in minutes, between server refreshes for any changes in the integration profiles. Default is 2 minutes (Refresh=2).
`maxprofiles=``number_of_profiles`	Specifies the maximum number of profiles that can be executed concurrently for this server instance
`sslauth=s``sl_mode`	SSL modes: 0: SSL is not used--that is, non-SSL mode 1: SSL used for encryption only--that is, with no PKI authentication. A wallet is not used in this case. 2: SSL is used with one-way authentication. This mode requires you to specify a complete path name of an Oracle Wallet, including the file name itself, unlike other Oracle Internet Directory tools that expect only the wallet location. For example, in a server-only installation, or in a complete installation, you would enter something like this: oidctl server=odisrv [instance=instance_number] [configset=configset_number] [grpID=group_identifier_of_provisioning_ profile] flags="host=myhost port=myport sslauth=2 In a client-only installation, you would enter something like this: odisrv [host=host_name] [port=port_number] config=configuration_set_number [instance=instance_number] [debug=debug_level] [refresh=interval_between_refresh] [maxprofiles=number_of_profiles] [refresh=interval_between_refresh] [maxprofiles=number_of_profiles] [sslauth=ssl_mode]

Starting the Oracle Directory Integration and Provisioning Server Without Using the OID Monitor and the OID Control Utility

In a client-only installation, where the OID Monitor and OID Control tools are not available, the Oracle directory integration and provisioning server can be started without OID Monitor or OID Control Utility, either in non-SSL mode or, for tighter security, in SSL mode. The parameters described in Table A-5 remain the parameters for each type of invocation.

To start the directory integration and provisioning server, enter the following at the command line:

odisrv [host=host_name] [port=port_number] 

config=configuration_set_number [instance=instance_number] [debug=debug_level] 
[refresh=interval_between_refresh] [maxprofiles=number_of_profiles] 
[sslauth=ssl_mode]

Stopping the Oracle Directory Integration and Provisioning Server

The way you stop the directory integration and provisioning server depends on the tool that you used to start it.

Stopping the Oracle Directory Integration and Provisioning Server by Using OID Monitor and the OID Control Utility

If you started the directory integration and provisioning server by using OID Monitor and the OID Control utility, then you use them to stop it, as follows:

Before you stop the directory integration and provisioning server, be sure that the OID Monitor is running. To verify this, enter the following at the command line:
```
ps -ef | grep oidmon
```
If OID Monitor is not running, then start it by following the instructions in "The OID Monitor (oidmon) Syntax".

Stop the directory integration and provisioning server by entering:

oidctl [connect=connect_string] server=odisrv instance=instance stop

Stopping the Oracle Directory Integration and Provisioning Server Without Using OID Monitor and the OID Control Utility

In a client-only installation, where the OID Monitor and OID Control tools are not available, the Oracle directory integration and provisioning server can be started without OID Control. To stop the server without these tools, use the stopodiserver.sh tool, which is located in the $ORACLE_HOME/ldap/admin directory.

Note:
To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:

Cygwin 1.3.2.2-1 or later. Visit: http://sources.redhat.com

MKS Toolkit 6.1. Visit:
http://www.datafocus.com/

See Also:
"The StopOdiServer.sh Tool Syntax" for instructions about using the stopodiserver.sh tool

Note:
If the Oracle directory integration and provisioning server is stopped by any means other than the methods mentioned in this section, then the server cannot be started from the same host. In that case, the footprint of the previous execution in the directory needs to be removed by using the following command:
$ORACLE_HOME/ldap/admin/stopodiserver.sh [-host directory_server_host] [-port directory_server_port] [-binddn super_user_dN (default is cn=orcladmin)] [-bindpass super_user_password (default is welcome)] -instance number_of_the_instance_to_stop -clean

Restarting Oracle Internet Directory Server Instances

When you want to refresh the server cache immediately, rather than at the next scheduled time, use the RESTART command. When the Oracle Internet Directory server restarts, it maintains the same parameters it had before it stopped.

To restart an Oracle Internet Directory server instance, at the system prompt, type:

oidctl connect=connect_string server={oidldapd|oidrepld|odisrv} 

instance=server_instance_number  restart

OID Monitor must be running whenever you restart directory server instances.

If you try to contact a server that is not running, you receive from the SDK the error message 81--LDAP_SERVER_DOWN.

If you change a configuration set entry that is referenced by an active server instance, you must stop that instance and restart it to effect the changed value in the configuration set entry on that server instance. You can either issue the STOP command followed by the START command, or you can use the RESTART command. RESTART both stops and restarts the server instance.

For example, suppose that Oracle directory server instance1 is started, using configset3, and with the net service name dbs1. Further, suppose that, while instance1 is running, you change one of the attributes in configset3. To enable the change in configset3 to take effect on instance1, you enter the following command:

oidctl connect=dbs1 server=oidldapd instance=1 restart

If there are more than one instance of the Oracle directory server running on that node using configset3, then you can restart all the instances at once by using the following command syntax:

oidctl connect=dbs1 server=oidldapd restart

Note that this command restarts all the instances running on the node, whether they are using configset3 or not.

Important Note:
During the restart process, clients cannot access the Oracle directory server instance. However, the process takes only a few seconds to execute.

Starting and Stopping Oracle Internet Directory Servers on Either a Virtual Host or a Rack Node

When starting a directory server, a directory replication server, or a directory integration and provisioning server, use the host parameter to specify the virtual host name.

Starting and Stopping a Directory Server on Either a Virtual Host or a Rack Node

To start a directory server on a virtual host:

oidctl [connect=connect_string] host=virtual_host_name server=oidldapd 
instance=instance_number configset=configset_number flags= "..." start

To stop a directory server on a virtual host:

oidctl host=virtual_host_name server=oidldapd instance=instance_number stop

Starting and Stopping a Directory Replication Server on Either a Virtual Host or a Rack Node

To start a directory replication server on a virtual host:

oidctl [connect=connect_string] host=virtual_host_name server=oidrepld 
instance=instance_number flags= "..." start

To stop a directory replication server on a virtual host:

oidctl host=virtual_host_name server=oidrepld instance=instance_number stop

Starting and Stopping a Oracle Directory Integration and Provisioning Server on Either a Virtual Host or a Rack Node

To start a directory integration and provisioning server on a virtual host:

oidctl [connect=connect_string] host=virtual_host_name server=odisrv 
instance=instance_number configset=configset_number flags= "..." start

To stop a directory integration and provisioning server on a virtual host:

oidctl host=virtual/host_name server=odisrv instance=instance_number stop

When the directory server is started to run on the virtual host, it binds and listens to requests on the specified LDAP port on the IP address or IP addresses that correspond to the virtual host only.

When communicating with the directory server, the directory replication server uses the virtual host name. Further, the replicaID attribute that represents the unique replication identification for the Oracle Internet Directory node is generated once. It is independent of the host name and hence requires no special treatment in cold failover configuration.

When communicating with the directory server, the directory integration and provisioning server uses the virtual host name.

Entry and Attribute Management Command-Line Tools Syntax

This section tells you how to use the following tools:

The Catalog Management Tool (catalog.sh) Syntax

Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, the cn=catalogs entry lists available attributes that can be used in a search. You can index only those attributes that have:

An equality matching rule
Matching rules supported by Oracle Internet Directory

If you want to use additional attributes in search filters, then you must add them to the catalog entry. You can do this at the time you create the attribute by using Oracle Directory Manager. However, if the attribute already exists, then you can index it only by using the Catalog Management tool.

Before running catalog.sh, be sure that the directory server is either stopped or in read-only mode. Otherwise, data will be inconsistent.

Caution:
Do not use the catalog.sh -delete option on indexes created by the Oracle Internet Directory base schema. Removing indexes from base schema attributes can adversely impact the operation of Oracle Internet Directory.

The Catalog Management tool uses this syntax:

catalog.sh -connect connect_string {-add|-delete} {-attr attr_name|-file file_
name}

Argument	Description
`-connect` connect_string	Specifies the connect string to connect to the directory database. This argument is mandatory. See Also: Oracle9i Net Services Administrator's Guide in the Oracle Database Documentation Library
`-add -attr` `attr_name`	Indexes the specified attribute
`-delete -attr` `attr_name`	Drops the index from the specified attribute
`-add -file` `file_name`	Indexes attributes (one for each line) in the specified file
`-delete -file` `file_name`	Drops the indexes from the attributes in the specified file

Table A-6 Arguments for the Catalog Management Tool (catalog.sh)

Argument Description

-connect connect_string

Specifies the connect string to connect to the directory database. This argument is mandatory.
See Also: Oracle9i Net Services Administrator's Guide in the Oracle Database Documentation Library

-add -attr attr_name

Indexes the specified attribute

-delete -attr attr_name

Drops the index from the specified attribute

-add -file file_name

Indexes attributes (one for each line) in the specified file

-delete -file file_name

Drops the indexes from the attributes in the specified file

When you enter the catalog.sh command, the following message appears:

This tool can only be executed if you know the OiD user password.
Enter OiD password:

If you enter the correct password, the command is executed. If you give an incorrect password, the following message is displayed:

Cannot execute this tool

To effect the changes after running the Catalog Management tool, stop, then restart, the Oracle directory server.

See Also:

"The OID Control Utility (oidctl) Syntax" and for instructions on starting and restarting directory servers. Note that OID Monitor must be running before you start a directory server.

"The OID Monitor (oidmon) Syntax" for information about starting OID Monitor

The section "Matching Rules"in Oracle Internet Directory Administrator's Guide for the matching rules supported by Oracle Internet Directory

ldapadd Syntax

The ldapadd command-line tool enables you to add entries, their object classes, attributes, and values to the directory. To add attributes to an existing entry, use the ldapmodify command, explained in "ldapmodify Syntax".

See Also:
"Adding Configuration Set Entries by Using ldapadd" in Oracle Internet Directory Administrator's Guide for an explanation of using ldapadd to configure a server with an input file

ldapadd uses this syntax:

ldapadd [arguments] -f file_name

where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

The following example adds the entry specified in the LDIF file
my_ldif_file.ldi:

ldapadd -p 389 -h myhost -f my_ldif_file.ldi

Table A-7 Arguments for ldapadd

Optional Arguments	Description
`-b`	Specifies that you have included binary file names in the file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced.
`-c`	Tells ldapadd to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapadd stops when it encounters an error.)
`-D "``binddn``"`	When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the `-w` password option.
`-E "``character_set``"`	Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory"in Oracle Internet Directory Administrator's Guide.
`-f` `file_name`	Specifies the input name of the LDIF format import data file. For a detailed explanation of how to format an LDIF file, see "LDAP Data Interchange Format (LDIF) Syntax".
`-h` `ldaphost`	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
`-K`	Same as `-k`, but performs only the first step of the Kerberos bind
`-k`	Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined.You must already have a valid ticket granting ticket.
`-M`	Instructs the tool to send the `ManageDSAIT` control to the server. The `ManageDSAIT` control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
`-n`	Shows what would occur without actually performing the operation
`-O` `ref_hop_limit`	Specifies the number of referral hops that a client should process. The default value is 5.
`-p` `directory_server_port_number`	Connects to the directory on TCP port directory_server_port_number. If you do not specify this option, the tool connects to the default port (389).
`-P` `wallet_password`	Specifies wallet password required for one-way or two-way SSL connections
`-U` `SSLAuth`	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
`-v`	Specifies verbose mode
`-V` `ldap_version`	Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.
`-w` `password`	Provides the password required to connect
`-W` `wallet_location`	Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: `-W "file:/home/my_dir/my_wallet"` On Windows NT, you could set this parameter as follows: `-W "file:C:\my_dir\my_wallet"`
`-X` `dsml_file`	Specifies the input name of the DSML format import data file.

ldapaddmt Syntax

ldapaddmt is like ldapadd: It enables you to add entries, their object classes, attributes, and values to the directory. It is unlike ldapadd in that it supports multiple threads for adding entries concurrently.

While it is processing LDIF entries, ldapaddmt logs errors in the add.log file in the current directory.

ldapaddmt uses this syntax:

ldapaddmt -T number_of_threads -h host -p port -f file_name

where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

The following example uses five concurrent threads to process the entries in the file myentries.ldif.

ldapaddmt -T 5 -h node1 -p 3000 -f myentries.ldif

Note:
Increasing the number of concurrent threads improves the rate at which LDIF entries are created, but consumes more system resources.

Table A-8 Arguments for ldapaddmt

Optional Arguments	Description
`-b`	Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced.
`-c`	Tells the tool to proceed in spite of errors. The errors will be reported. (If you do not use this option, the tool stops when it encounters an error.)
`-D "``binddn``"`	When authenticating to the directory, specifies doing so as the entry is specified in binddn--that is, the DN of the user seeking authentication. Use this with the `-w` password option.
`-E "``character_set``"`	Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory"in Oracle Internet Directory Administrator's Guide.
`-h` `ldap_host`	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
`-K`	Same as -k, but performs only the first step of the kerberos bind
`-k`	Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket.
`-M`	Instructs the tool to send the `ManageDSAIT` control to the server. The `ManageDSAIT` control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
`-n`	Shows what would occur without actually performing the operation.
`-O` `ref_hop_limit`	Specifies the number of referral hops that a client should process. The default value is 5.
`-p` `ldapport`	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
`-P` `wallet_password`	Specifies wallet password required for one-way or two-way SSL connections
`-T`	Sets the number of threads for concurrently processing entries
`-U` `SSLAuth`	Specifies SSL Authentication Mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
`-v`	Specifies verbose mode
`-V` `ldap_version`	Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.
`-w` `password`	Provides the password required to connect
`-W` `wallet_location`	Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"
`-X` `dsml_file`	Specifies the input name of the DSML format import data file.

ldapbind Syntax

The ldapbind command-line tool enables you to see whether you can authenticate a client to a server.

ldapbind uses this syntax:

ldapbind [arguments]

Table A-9 Arguments for ldapbind

Optional Arguments	Description
-D "binddn"	When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the `-w` password option.
-E ".character_set"	Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory"in Oracle Internet Directory Administrator's Guide.
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-n	Shows what would occur without actually performing the operation
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies the wallet password required for one-way or two-way SSL connections
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-V ldap_version	Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.
-w password	Provides the password required to connect
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"
-O sasl_security_properties	Specifies SASL security properties. The security property supported is -O "auth". This security property is for DIGEST-MD5 SASL mechanism. It enables authentication with no data integrity or data privacy.
-Y sasl_mechanism	Specifies a SASL mechanism. These mechanisms are supported: Y "DIGEST-MD5" Y "EXTERNAL": The SASL authentication in this mechanism is done on top of two-way SSL authentication. In this case the identity of the user stored in the SSL wallet is used for SASL authentication.
-R sasl_realm	Specifies a SASL realm

ldapcompare Syntax

The ldapcompare command-line tool enables you to match attribute values you specify in the command line with the attribute values in the directory entry.

ldapcompare uses this syntax:

ldapcompare [arguments]

The following example tells you whether Person Nine's title is associate.

ldapcompare -p 389 -h myhost -b "cn=Person Nine,ou=EuroSInet Suite,o=IMC,c=US" 
-a title -v associate

Table A-10 Arguments for ldapcompare

Optional Arguments	Description
-a attribute name	Specifies the attribute on which to perform the compare. This argument is mandatory.
-b "basedn"	Specifies the distinguished name of the entry on which to perform the compare. This argument is mandatory.
-v attribute value	Specifies the attribute value to compare. This argument is mandatory.
-D binddn	When authenticating to the directory, specifies doing so as the entry is specified in binddn--that is, the DN of the user seeking authentication. Use this with the `-w` password option.
-d debug-level	Sets the debugging level. See the chapter on "Logging, Auditing, and Monitoring the Directory" in Oracle Internet Directory Administrator's Guide.
-E "character_set"	Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory"in Oracle Internet Directory Administrator's Guide.
-f file_name	Specifies the input file name
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
`-M`	Instructs the tool to send the `ManageDSAIT` control to the server. The `ManageDSAIT` control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
-O ref_hop_limit	Specifies the number of referral hops that a client should process. The default value is 5.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-V ldap_version	Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.
-w password	Provides the password required to connect
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: `-W "file:/home/my_dir/``my_wallet``"` On Windows NT, you could set this parameter as follows: `-W "file:C:\my_dir\``my_wallet``"`

ldapdelete Syntax

The ldapdelete command-line tool enables you to remove entire entries from the directory that you specify in the command line.

ldapdelete uses this syntax:

ldapdelete [arguments] ["entry_DN" | -f input_file_name]

Note:
If you specify the entry DN, then do not use the -f option.

The following example uses port 389 on a host named myhost.

ldapdelete -p 389 -h myhost "ou=EuroSInet Suite, o=IMC, c=US"

Table A-11 Arguments for ldapdelete

Optional Argument	Description
-D "binddn"	When authenticating to the directory, uses a full DN for the binddn parameter--that is, the DN of the user seeking authentication; typically used with the `-w` password option.
-d debug-level	Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility"in Oracle Internet Directory Administrator's Guide.
-E "character_set"	Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory"in Oracle Internet Directory Administrator's Guide.
-f input_file_name	Specifies the input file name
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-k	Authenticates using authentication instead of simple authentication. To enable this option, you must compile with Kerberos defined. You must already have a valid ticket granting ticket.
`-M`	Instructs the tool to send the `ManageDSAIT` control to the server. The `ManageDSAIT` control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
-n	Shows what would be done, but doesn't actually delete
-O ref_hop_limit	Specifies the number of referral hops that a client should process. The default value is 5.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-V ldap_version	Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.
-w password	Provides the password required to connect.
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet"

ldapmoddn Syntax

The ldapmoddn command-line tool enables you to modify the DN or RDN of an entry.

ldapmoddn uses this syntax:

ldapmoddn [arguments]

The following example uses ldapmoddn to modify the RDN component of a DN from "cn=mary smith" to "cn=mary jones". It uses port 389, and a host named myhost.

ldapmoddn -p 389 -h myhost -b "cn=mary smith,dc=Americas,dc=imc,dc=com" -R 
"cn=mary jones"

Table A-12 Arguments for ldapmoddn

Argument	Description
-b "basedn"	Specifies DN of the entry to be moved. This argument is mandatory.
-D "binddn"	When authenticating to the directory, do so as the entry is specified in binddn--that is, the DN of the user seeking authentication. Use this with the `-w` password option.
-E "character_set"	Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory"in Oracle Internet Directory Administrator's Guide.
-f file_name	Specifies the input file name
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
`-M`	Instructs the tool to send the `ManageDSAIT` control to the server. The `ManageDSAIT` control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
-N newparent	Specifies new parent of the RDN. Either this argument or the -R argument must be specified.
-O ref_hop_limit	Specifies the number of referral hops that a client should process. The default value is 5.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-r	Specifies that the old RDN is not retained as a value in the modified entry. If this argument is not included, the old RDN is retained as an attribute in the modified entry.
-R newrdn	Specifies new RDN. Either this argument or the -N argument must be specified.
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-V ldap_version	Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.
-w password	Provides the password required to connect.
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: `-W "file:/home/my_dir/``my_wallet``"` On Windows NT, you could set this parameter as follows: `-W "file:C:\my_dir\``my_wallet``"`

ldapmodify Syntax

The ldapmodify tool enables you to act on attributes.

ldapmodify uses this syntax:

ldapmodify [arguments] -f file_name

where file_name is the name of an LDIF file written with the specifications explained the section "LDAP Data Interchange Format (LDIF) Syntax".

The list of arguments in the following table is not exhaustive. These arguments are all optional.

Table A-13 Arguments for ldapmodify

Argument	Description
-a	Denotes that entries are to be added, and that the input file is in LDIF format.
-b	Specifies that you have included binary file names in the data file, which are preceded by a forward slash character.
-c	Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.)
-D "binddn"	When authenticating to the directory, specifies doing so as the entry is specified in binddn--that is, the DN of the user seeking authentication. Use this with the `-w` password option.
-E "character_set"	Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory"in Oracle Internet Directory Administrator's Guide.
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
`-M`	Instructs the tool to send the `ManageDSAIT` control to the server. The `ManageDSAIT` control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
-n	Shows what would occur without actually performing the operation.
`-o` log_file_name	Can be used with the `-c` option to write the erroneous LDIF entries in the logfile. You must specify the absolute path for the log file name.
-O ref_hop_limit	Specifies the number of referral hops that a client should process. The default value is 5.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-U SSLAuth	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-V ldap_version	Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.
-w password	Overrides the default, unauthenticated, null bind. To force authentication, use this option with the `-D` option.
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: `-W "file:/home/my_dir/``my_wallet``"` On Windows NT, you could set this parameter as follows: `-W "file:C:\my_dir\``my_wallet``"`

To run modify, delete, and modifyrdn operations using the -f flag, use LDIF for the input file format (see "LDAP Data Interchange Format (LDIF) Syntax") with the specifications noted in this section:

If you are making several modifications, then, between each modification you enter, add a line that contains a hyphen (-) only. For example:

dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
add: work-phone
work-phone: 510/506-7000
work-phone: 510/506-7001
-
delete: home-fax

Unnecessary space characters in the LDIF input file, such as a space at the end of an attribute value, will cause the LDAP operations to fail.

Line 1: Every change record has, as its first line, the literal dn: followed by the DN value for the entry, for example:

dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US

Line 2: Every change record has, as its second line, the literal changetype: followed by the type of change (add, delete, modify, modrdn), for example:

changetype: modify

changetype: modrdn

Format the remainder of each record according to the following requirements for each type of change:

changetype: add

Uses LDIF format (see "LDAP Data Interchange Format (LDIF) Syntax").
changetype: modify

The lines that follow this changetype consist of changes to attributes belonging to the entry that you identified previously in Line 1. You can specify three different types of attribute modifications--add, delete, and replace--which are explained next:
- Add attribute values. This option to changetype modify adds more values to an existing multi-valued attribute. If the attribute does not exist, it adds the new attribute with the specified values:
```
add: attribute name
attribute name: value1
attribute name: value2...
```
  For example:
```
dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
add: work-phone
work-phone: 510/506-7000
work-phone: 510/506-7001
```
- Delete values. If you supply only the delete line, all the values for the specified attribute are deleted. Otherwise, if you specify an attribute line, you can delete specific values from the attribute:
```
delete: attribute name
[attribute name: value1]
```
  For example:
```
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modify
delete: home-fax
```
- Replace values. Use this option to replace all the values belonging to an attribute with the new, specified set:
```
replace: attribute name
[attribute name: value1 ...]
```
  If you do not provide any attributes with replace, then the directory adds an empty set. It then interprets the empty set as a delete request, and complies by deleting the attribute from the entry. This is useful if you want to delete attributes that may or may not exist.
  
  For example:
```
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US 
changetype: modify
replace: work-phone
work-phone: 510/506-7002
```
  - changetype:delete
    
    This change type deletes entries. It requires no further input, since you identified the entry in Line 1 and specified a changetype of delete in Line 2.
    
    For example:
```
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US 
changetype: delete
```
  - changetype:modrdn
    
    The line following the change type provides the new relative distinguished name using this format:
```
newrdn: RDN
```
    For example:
```
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype: modrdn
newrdn: cn=Barbara Fritchy-Blomberg
```

To specify an attribute as single-valued, include in the attribute definition entry in the LDIF file the keyword SINGLE-VALUE with surrounding white space.

Example: Using ldapmodify to Add an Attribute

This example adds a new attribute called myAttr. The LDIF file for this operation is:

dn: cn=subschemasubentry 
changetype: modify 
add: attributetypes 
attributetypes: (1.2.3.4.5.6.7 NAME `myAttr' DESC `New attribute definition' 
EQUALITY caseIgnoreMatch SYNTAX
`1.3.6.1.4.1.1466.115.121.1.15' )

On the first line, enter the DN specifying where this new attribute is to be located. All attributes and object classes they are stored in cn=subschemasubentry.

The second and third lines show the proper format for adding a new attribute.

The last line is the attribute definition itself. The first part of this is the object identifier number: 1.2.3.4.5.6.7. It must be unique among all other object classes and attributes. Next is the NAME of the attribute. In this case the attribute NAME is myAttr. It must be surrounded by single quotes. Next is a description of the attribute. Enter whatever description you want between single quotes. At the end of this attribute definition in this example are optional formatting rules to the attribute. In this case we are adding a matching rule of EQUALITY caseIgnoreMatch and a SYNTAX of Directory String. This example uses the object ID number of 1.3.6.1.4.1.1466.115.121.1.15 instead of the SYNTAXES name which is "Directory String".

Put your attribute information in a file formatted like this example. Then run the following command to add the attribute to the schema of your Oracle directory server.

ldapmodify -h yourhostname -p 389 -D "orcladmin" -w "welcome" -v -f 
/tmp/newattr.ldif

This ldapmodify command assumes that your Oracle directory server is running on port 389, that your super user account name is orcladmin, that your super user password is welcome and that the name of your LDIF file is newattr.ldif. Substitute the host name of your computer where you see yourhostname.

If you are not in the directory where the LDIF file is located, then you must enter the full directory path to the file at the end of your command. This example assumes that your LDIF file is located in the /tmp directory.

ldapmodifymt Syntax

The ldapmodifymt command-line tool enables you to modify several entries concurrently.

ldapmodifymt uses this syntax:

ldapmodifymt -T number_of_threads [arguments] -f file_name

where file_name is the name of an LDIF file written with the specifications explained the section "LDAP Data Interchange Format (LDIF) Syntax".

See Also:
"ldapmodify Syntax" for additional formatting specifications used by ldapmodifymt

The following example uses five concurrent threads to modify the entries in the file myentries.ldif.

ldapmodifymt -T 5 -h node1 -p 3000 -f myentries.ldif

Note:
The ldapmodifymt tool logs error messages in the file add.log, which is located in the directory where you are running the command.

The arguments in the following table are all optional.

Table A-14 Arguments for ldapmodifymt

Argument	Description
`-a`	Denotes that entries are to be added, and that the input file is in LDIF format. (If you are running ldapadd, this flag is not required.)
`-b`	Specifies that you have included binary file names in the data file, which are preceded by a forward slash character.
`-c`	Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.)
`-D "``binddn``"`	When authenticating to the directory, specifies doing so as the entry is specified in `binddn`--that is, the DN of the user seeking authentication. Use this with the `-w` password option.
`-E "``character_set``"`	Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory"in Oracle Internet Directory Administrator's Guide.
`-h` `ldaphost`	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
`-M`	Instructs the tool to send the `ManageDSAIT` control to the server. The `ManageDSAIT` control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
`-n`	Shows what would occur without actually performing the operation.
`-O` `ref_hop_limit`	Specifies the number of referral hops that a client should process. The default value is 5.
`-p` `ldapport`	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
`-P` `wallet_password`	Specifies wallet password required for one-way or two-way SSL connections
`-T`	Sets the number of threads for concurrently processing entries
`-U` `SSLAuth`	Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
`-v`	Specifies verbose mode
`-V` `ldap_version`	Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol.
`-w` `password`	Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option.
`-W` `wallet_location`	Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: `-W "file:C:\my_dir\my_wallet"`

ldapsearch Syntax

The ldapsearch command-line tool enables you to search for and retrieve specific entries in the directory.

The ldapsearch tool uses this syntax:

ldapsearch [arguments] filter [attributes]

The filter format must be compliant with RFC-2254.

See Also:
RFC-2254 available at http://www.ietf.org for further information about the standard for the filter format

Separate attributes with a space. If you do not list any attributes, all attributes are retrieved.

Note:

The ldapsearch tool does not generate LDIF output by default. To generate LDIF output from the ldapsearch command-line tool, use the -L flag.

Various UNIX shells interpret some characters--for example, asterisks (*)--as special characters. Depending on the shell you are using, you may need to escape these characters.

Table A-15 Arguments for ldapsearch

Argument	Description
-b "basedn"	Specifies the base DN for the search. This argument is mandatory.
-s scope	This argument is mandatory. Specifies search scope: base, one, or sub Base: Retrieves a particular directory entry. Along with this search depth, you use the search criteria bar to select the attribute `objectClass` and the filter `Present`. One Level: Limits your search to all entries beginning one level down from the root of your search Subtree: Searches entries within the entire subtree, including the root of your search
-A	Retrieves attribute names only (no values)
-a deref	Specifies alias dereferencing: never, always, search, or find
-B	Allows printing of non-ASCII values
-D "binddn"	When authenticating to the directory, specifies doing so as the entry specified in binddn--that is, the DN of the user seeking authentication. Use this with the `-w` password option.
-d debug level	Sets debugging level to the level specified (see the chapter on "Logging, Auditing, and Monitoring the Directory" in Oracle Internet Directory Administrator's Guide)
-E "character_set"	Specifies native character set encoding. See Appendix G, "Globalization Support in the Directory"in Oracle Internet Directory Administrator's Guide.
-f file	Performs sequence of searches listed in file
-F sep	Prints ``sep'` instead of ``=`' between attribute names and values
-h ldaphost	Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
-L	Prints entries in LDIF format (`-B` is implied)
-l timelimit	Specifies maximum time (in seconds) to wait for ldapsearch command to complete
`-M`	Instructs the tool to send the `ManageDSAIT` control to the server. The `ManageDSAIT` control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
-n	Shows what would be done without actually searching
-O ref_hop_limit	Specifies the number of referral hops that a client should process. The default value is 5.
-p ldapport	Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
-P wallet_password	Specifies wallet password required for one-way or two-way SSL connections
-S attr	Sorts the results by attribute attr
-t	Writes to files in `/tmp`
-u	Includes user friendly entry names in the output
-U SSLAuth	Specifies the SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required
-v	Specifies verbose mode
-w passwd	Specifies bind passwd for simple authentication
-W wallet_location	Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: `-W "file:/home/my_dir/``my_wallet``"` On Windows NT, you could set this parameter as follows: `-W "file:C:\my_dir\``my_wallet``"`
-z sizelimit	Specifies maximum number of entries to retrieve
-X	Prints the entries in DSML v1 format.

Examples of ldapsearch Filters

Study the following examples to see how to build your own search commands.

Example 1: Base Object Search

The following example performs a base-level search on the directory from the root.

ldapsearch -p 389 -h myhost -b "" -s base -v "objectclass=*"

-b specifies base DN for the search, root in this case.
-s specifies whether the search is a base search (base), one level search (one) or subtree search (sub).
"objectclass=*" specifies the filter for search.

Example 2: One-Level Search

The following example performs a one level search starting at "ou=HR, ou=Americas, o=IMC, c=US".

ldapsearch -p 389 -h myhost -b "ou=HR, ou=Americas, o=IMC, c=US" -s one -v 
"objectclass=*"

Example 3: Subtree Search

The following example performs a subtree search and returns all entries having a DN starting with "cn=us".

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*"

Example 4: Search Using Size Limit

The following example actually retrieves only two entries, even if there are more than two matches.

ldapsearch -h myhost -p 389 -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" 
-s one "objectclass=*"

Example 5: Search with Required Attributes

The following example returns only the DN attribute values of the matching entries:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "objectclass=*" dn

The following example retrieves only the distinguished name along with the surname (sn) and description (description) attribute values:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description

Example 6: Search for Entries with Attribute Options

The following example retrieves entries with common name (cn) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.

ldapsearch -p 389 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"

Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following example does not return John's entry:

ldapsearch -p 389 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"

Example 7: Searching for All User Attributes and Specified Operational Attributes

The following example retrieves all user attributes and the createtimestamp and orclguid operational attributes:

ldapsearch -p 389 -h myhost -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s sub 
"cn=Person*" * createtimestamp orclguid

The following example retrieves entries modified by Anne Smith:

ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifiersname=cn=Anne
Smith))"

The following example retrieves entries modified between 01 April 2001 and 06 April 2001:

ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifytimestamp >= 20000401000000)

(modifytimestamp <= 20000406235959))"

Note:
Because modifiersname and modifytimestamp are not indexed attributes, use catalog.sh to index these two attributes. Then, restart the Oracle directory server before issuing the two previous ldapsearch commands.

Other Examples:

Each of the following examples searches on port 389 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us".

The following example searches for all entries with any value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"

The following example searches for all entries that have orcl at the beginning of the value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"objectclass=orcl*"

The following example searches for entries where the objectclass attribute begins with orcl and cn begins with foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"(&(objectclass=orcl*)(cn=foo*))"

The following example searches for entries in which the common name (cn) is not foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(!(cn=foo))"

The following example searches for entries in which cn begins with foo or sn begins with bar.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"(|(cn=foo*)(sn=bar*))"

The following example searches for entries in which employeenumber is less than or equal to 10000.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"employeenumber<=10000"

Oracle Directory Integration and Provisioning Platform Command-Line Tools Syntax

This section contains these topics:

The Directory Integration and Provisioning Assistant

Table A-16 lists the tasks you can perform by using the Directory Integration and Provisioning Assistant and the corresponding commands. It also points you to instructions for performing each task.

Table A-16 Summary of Functionality of the Directory Integration and Provisioning Assistant

Tasks	Commands	More Information
Create, modify, or delete a synchronization profile	`createprofile` `modifyprofile` `deleteprofile`	"Creating, Modifying, and Deleting Synchronization Profiles"
See all the profile names in Oracle Internet Directory	`listprofiles`	"Listing All Synchronization Profiles in Oracle Internet Directory"
See the details of a specific profile	`showprofile`	"Viewing the Details of a Specific Synchronization Profile"
Make Oracle Internet Directory and the connected directory identical before beginning synchronization	`bootstrap`	"Bootstrapping a Directory by Using the Directory Integration and Provisioning Assistant"
Set the wallet password that the Oracle directory integration and provisioning server later uses to connect to Oracle Internet Directory	`wpasswd`	"Setting the Wallet Password for the Oracle Directory Integration and Provisioning Server"
Reset the password of the administrator of the Oracle Directory Integration Platform	`chgpasswd`	"Changing the Password of the Administrator of the Oracle Directory Integration and Provisioning Platform"
Move integration profiles from one identity management node to another	`reassociate`	"Moving an Integration Profile to a Different Identity Management Node"

The command-line interface for the Directory Integration and Provisioning Assistant is:

dipassistant command [-help]

command := Directory Integration and Provisioning Assistant command

Directory Integration and Provisioning Assistant command := 

createprofile [cp] 
| modifyprofile [mp] 
| deleteprofile [dp] 
| listprofiles[lsprof]
| showprofile[sp]
| bootstrap [bs]
| wpasswd [wp]
| chgpasswd [cpw]
| reassociate [rs]

For help on a particular command, enter:

dipassistant command -help

Creating, Modifying, and Deleting Synchronization Profiles

The syntax for creating, modifying, or deleting synchronization profiles by using the Directory Integration and Provisioning Assistant is:

dipassistant createprofile | modifyprofile | deleteprofile 
[-host host name] [-port port number] [-dn bind_DN] [-passwd password] 

{-file file name | -profile profile name } [propName1=value]
[propName2=value]... [-configset configset_number]

For example:

dipassistant createprofile -host myhost -port 3060 -passwd xxxx 

-file import.profile -configset 1 

dipassistant modifyprofile -host myhost -port 3060 -passwd xxxx 

-file import.profile -dn xxxx -passwd xxxx -profile myprofile

[propName1=value]
[propName2=value]... 

dipassistant deleteprofile -profile myprofile [-host myhost] [-port 3060] [-dn 
xxxx] [-passwd xxxx] [-configset 1]

Table A-17 describes the parameters for creating, modifying, and deleting synchronization profiles by using the Directory Integration and Provisioning Assistant.

Table A-17 Parameters for Creating, Modifying, and Deleting Synchronization Profiles by Using the Directory Integration and Provisioning Assistant

Parameter	Description
`-host`	Host where Oracle Internet Directory is running. The default value is the name of the local host.
`-port`	Port at which Oracle Internet Directory was started. The default is 389.
`-dn`	The Bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning platform administrator.
`-passwd`	The password of the bind DN to be used while binding to the directory.
`-file`	The file containing all the profile parameters. See Also: Table A-18 for a list of parameters and their description
`-configset`	Number of the configuration set entry with which the profile needs to be associated
`-profile`	Profile that needs to modified

The properties expected by createprofile and modifyprofile commands are described in Table A-18. When modifying an already existing profile, no defaults are assumed. Only those attributes specified in the file are changed.

Table A-18 Properties Expected by createprofile and modifyprofile Commands

Parameter	Description	Default
`odip.profile.name`	Name of the profile	-
`odip.profile.password`	Password for accessing this profile	-
`odip.profile.status`	Either `DISABLE` or `ENABLE`	DISABLE
`odip.profile.syncmode`	Direction of synchronization. When the changes are propagated from the third party to Oracle Internet Directory, the synchronization mode is IMPORT. When the changes are propagated to the third party directory, the synchronization mode is EXPORT.	IMPORT
`odip.profile.retry`	Maximum number of times this profile should be executed in the case of an error before the integration server gives up	4
`odip.profile.schedinterval`	Interval between successive executions of this profile by the integration server. If the previous execution has not completed then the next execution will not resume until it completes.	1 Minute
`odip.profile.agentexecommand`	In the case of a NON-LDAP interface, the command to produce the information in LDIF format	-
`odip.profile.condirurl`	Location of third-party directory [`hostname:port`]	-
`odip.profile.condiraccount`	DN or user name used to connect to the third party directory.	-
`odip.profile.condirpassword`	Password used for identification to the third-party directory.	-
`odip.profile.interface`	Indicator as to whether the LDAP or LDIF or DB or TAGGED format is to be used for data exchange	LDAP
`odip.profile.configfile`	Name of the file that contains the additional profile-specific information to be used for execution	-
`odip.profile.mapfile`	Name of the file that contains the mapping rules	-
`odip.profile.condirfilter`	Filter that needs to be applied to the changes read from the connected directory before importing to Oracle Internet Directory	-
`odip.profile.oidfilter`	Filter that needs to be applied to the changes that are read from the Oracle Internet Directory before exporting to the connected directory	-
`odip.profile.lastchgnum`	Last applied change number. In the case of an export profile this number refers to Oracle Internet Directory's last applied change number However, n the case of the import profile, this number refers to the last applied change number in the connected directory	-

Bootstrapping a Directory by Using the Directory Integration and Provisioning Assistant

The command-line interface to the bootstrap command is:

dipassistant bootstrap { -profile profile_name [-host host_name] [-port port_
number] -dn bind_DN [-passwd password] [-log log_file] [-logseverity severity] 
[-trace trace_file] [-tracelevel trace_level] [-loadparallelism <#nThrs>] 
[-loadretry <retryCnt>] | -cfg file_name }

For example, either:

dipassistant bs -cfg bootstrap cfg


dipassistant bs -host myhost -port 3060 -dn cn=orcladmin -password xxxx -profile  
iPlanetProfile

Table A-19 Parameters of a deleteprofile Command

Parameter	Description
`-cfg`	A configuration file containing all the parameters required for performing the bootstrapping. See Also: Table A-20 for a list of parameters and their description
`-host`	Host where Oracle Internet Directory is running
`-port`	Port at which Oracle Internet Directory was started
`-dn`	The Bind Dn to be used in identifying to the directory
`-password`	The password of the Bind DN to be used while binding to the directory
`-profile`	The profile name.
`-log`	Log file. If this parameter is not specified, then, by default, the log information is written to `OH/ldap/odi/bootstrap.log`
`-logseverity`	Log severity 1 - 15. 1 - INFO, 2 - WARNING, 3 - DEBUG, 4 - ERROR. Or any combination of these. If not specified, then INFO and ERROR messages alone will be logged.
`-trace`	Trace file for debugging purpose
`-trace level`	Trace level
`-loadRetry`	When the loading to the destination fails, the number of times the retry should be made before marking the entry as bad entry
`-loadparallelism`	Indicator that loading to Oracle Internet Directory is to take place in parallel by using multiple threads. For example, `-loadparallelism 5` means that 5 threads are to be created, each of which tries to load the entries in parallel to Oracle Internet Directory.

Properties Expected by the Bootstrapping Command

Table A-20 Bootstrapping Properties

Property	Description	Mandatory	Default
`odip.bootstrap.srctype`	Indicator of whether source of the bootstrapping is LDAP or LDIF. Valid values are either `LDAP` or `LDIF`.	Yes	-
`odip.bootstrap.desttype`	Indicator of whether destination of the bootstrapping is LDAP or LDIF. Valid values are either `LDAP` or `LDIF`.	Yes	-
`odip.bootstrap.srcurl`	In the case of LDAP source type, location of the source directory. In the case of LDIF, the location of the LDIF file. Note: For LDAP, the expected format is `host[:port]`. For LDIF, the expected format is the absolute path of the file.	Yes	-
`odip.bootstrap.desturl`	In the case of LDAP, location of the destination directory. In the case of LDIF, the location of the LDIF file. Note: For LDAP, the expected format is `host[:port]`. For LDIF, the expected format is the absolute path of the file.	Yes	-
`odip.bootstrap.srcsslmode`	Indicator of whether SSL-based authentication must be used to connect to the source of the bootstrapping. A value of `TRUE` indicates that SSL-based authentication must be used.	No	`FALSE`
`odip.bootstrap.destsslmode`	Indicator of whether SSL-based authentication must be used to connect to the destination of the bootstrapping. `TRUE` indicates that SSL-based authentication must be used. Note: In the case of LDIF, this parameter is meaningless.	No	`FALSE`
`odip.bootstrap.srcdn`	Supplement to the source URL. In the case of LDIF binding, this parameter is meaningless. However in the case of LDAP, this parameter specifies the Bind DN.	Only in the case of LDAP	-
`odip.bootstrap.destdn`	Supplement to the destination URL. In the case of LDIF binding, this parameter is meaningless. However in the case of LDAP, this parameter specifies the Bind DN.	Only in the case of LDAP	-
`odip.bootstrap.srcpasswd`	Bind password to the source. In the case of LDAP binding, this is used as security. Oracle Corporation recommends that you not specify the password in this file.	No	-
`odip.bootstrap.destpasswd`	Bind password. In the case of LDAP binding, this is used as security credential. Oracle Corporation recommends that you not specify the password in this file.	No	-
`odip.bootstrap.mapfile`	Location of the map file that contains the attribute and domain mappings.	No	-
`odip.bootstrap.logfile`	Location of the log file. If this file already exists then it will be appended. The default log file is `bootstrap.log` created under `$``ORACLE_HOME``/ldap/odi/log directory.`	No	The file `bootstrap.log` created under the directory `$``ORACLE_HOME``/ldap/odi/`
`odip.bootstrap.logseverity`	Type of log messages that needs to be logged. INFO - 1 WARNING - 2 DEBUG - 4 ERROR - 8 Note: A combination of these types can also be given. For example, if you are interested only in WARNING and ERROR message, then specify a value of 8+2--that is, 10. Similarly, for all types of message, use 1 + 2 + 4 + 8 = 15	No	1 + 8 = 9
`odip.bootstrap.loadparallelism`	Numeric value indicating the number of writer threads used to load the processed data to the destination	No	1-
`odip.bootstrap.loadretry`	In the event of a failure to load an entry, indicator of how many times to retry	No	5
`odip.bootstrap.trcfile`	Location of the trace file. If this file already exists, then it is overwritten.	No	`$``ORACLE_HOME``/ldap/odi/log/bootstrap.trc`
`odip.bootstrap.trclevel`	The tracing level	No	3

Changing the Password of the Administrator of the Oracle Directory Integration and Provisioning Platform

The default password for the dipadmin account is same as ias_admin password chosen during installation. This command lets you reset the password of dipadmin account. To reset that password, you must provide the security credentials of the orcladmin account.

For example:

$ dipassistant chgpasswd -passwd orcladmin password -host oid.heman.com 

-port 3060

The Assistant then prompts for the new password as follows:

New Password: 
Confirm Password:

Listing All Synchronization Profiles in Oracle Internet Directory

The listprofiles command prints a list of all the synchronization profiles in Oracle Internet Directory. For example:

$ dipassistant listprofiles -passwd dipadmin password -host oid.heman.com 

-port 3060

This command prints the following sample list:

IplanetExport 
IplanetImport 
ActiveImport 
ActiveExport 
LdifExport 
LdifImport 
TaggedExport 
TaggedImport 
OracleHRAgent 
ActiveChgImp

Note:
The list shown here is the default set of profiles created during installation.

Viewing the Details of a Specific Synchronization Profile

The showprofile command prints the details of a specific synchronization profile For example:

$ dipassistant showprofile -passwd dipadmin password -host oid.heman.com 

-port 3060 -profile ActiveImport

This command prints the following sample output:

odip.profile.version = 1.0 
odip.profile.lastchgnum = 0 
odip.profile.interface = LDAP 
odip.profile.oidfilter = orclObjectGUID 
odip.profile.schedinterval = 60 
odip.profile.name = ActiveImport 
odip.profile.syncmode = IMPORT 
odip.profile.retry = 5 
odip.profile.debuglevel = 0 
odip.profile.status = DISABLE

Setting the Wallet Password for the Oracle Directory Integration and Provisioning Server

The WPasswd command enables you to set the wallet password that the Oracle directory integration and provisioning server later uses to connect to Oracle Internet Directory. To use this command, enter:

dipassistant wp

The Directory Integration and Provisioning Assistant prompts you to enter, and then confirm, the password.

Moving an Integration Profile to a Different Identity Management Node

You can use the Directory Integration and Provisioning Assistant to move directory integration profiles to another node and to reassociate them with it. For example, if the middle-tier components are associated with a particular Oracle Identity Management infrastructure, then all the integration profiles existing in that infrastructure node can be moved to a new infrastructure node.

Table A-21 describes the reassociation rules.

Table A-21 Scenarios for Reassociating Directory Integration Profiles

Scenario Actions Taken

Scenario	Actions Taken
Integration profile does not exist on the second Oracle Internet Directory node	The integration profile is copied to the second Oracle Internet Directory node and is disabled after copying. It must be enabled by the application. The `lastchangenumber` attribute in the integration profile is modified to the current last change number on the second Oracle Internet Directory node.
Integration profile exists on the second Oracle Internet Directorynode	Both integration profiles are reconciled in the following manner: Any new attribute in the profile on node 1 is added to the profile on node 2 For existing same attributes, the values in profile on node 1 override the attributes in the profile on node 2 The Profile is disabled after copying. It needs to be enabled by the application. The `lastchangenumber` attribute in the integration profile is modified to the current last change number on the second Oracle Internet Directory node

Integration profile does not exist on the second Oracle Internet Directory node

The integration profile is copied to the second Oracle Internet Directory node and is disabled after copying. It must be enabled by the application. The lastchangenumber attribute in the integration profile is modified to the current last change number on the second Oracle Internet Directory node.

Integration profile exists on the second Oracle Internet Directorynode

Both integration profiles are reconciled in the following manner:

Any new attribute in the profile on node 1 is added to the profile on node 2
For existing same attributes, the values in profile on node 1 override the attributes in the profile on node 2
The Profile is disabled after copying. It needs to be enabled by the application.
The lastchangenumber attribute in the integration profile is modified to the current last change number on the second Oracle Internet Directory node

The usage is as follows

dipassistant reassociate [-src_ldap_host <hostName>]
[-src_ldap_port <portNo>] [-src_ldap_dn <bindDn>] [-src_ldap_passwd
<password>] -dst_ldap_host <hostName> [-dst_ldap_port <portNo>]
[-dst_ldap_dn <bindDn>] [-dst_ldap_passwd <password>] [-log <logfile>]
Options:
-src_ldap_host <hostName> : Host where OID-1 runs
-src_ldap_port <portNo> : Port at which OID-1 runs
-src_ldap_dn <bindDn> : Bind Dn to connect to OID-1
-src_ldap_passwd <password> : Bind Dn password to connect to OID-1
-dst_ldap_host <hostName> : Host where OID-2 runs
-dst_ldap_port <portNo> : Port at which OID-2 runs
-dst_ldap_dn <bindDn> : Bind Dn to connect to OID-2
-dst_ldap_passwd <password> : Bind Dn password to connect to OID-2
-log <logFile> : Log file

Defaults:

src_ldap_host - localhost, src_ldap_port & dst_ldap_port - 389
src_ldap_dn & dst_ldap_dn - cn=orcladmin account

Examples:

dipassistant reassociate -src_ldap_host oid1.mycorp.com \
-dst_ldap_host oid2.mycorp.com -src_ldap_passwd xxxx \
-dst_ldap_passwd xxxx

dipassistant rs -help

Note if the location of the log file is not specified then by default it will be created as $ORACLE_HOME/ldap/odi/log/reassociate.log.

Limitations of the Directory Integration and Provisioning Assistant in Oracle Internet Directory 10g (9.0.4)

In this release, the Directory Integration and Provisioning Assistant does not support the following:

SSL-based authentications to Oracle Internet Directory
Schema synchronization
Automatic profile creation at the end of the bootstrapping process when used with the -cfg option
Mapping file validation
Creation of a failed entries file

The following elements of the Directory Integration and Provisioning Assistant are untested:

Bootstrapping of the connected directory over the SSL connection
The use of the modifyprofile command while synchronization is happening for that profile

The bootstrapping command of the Directory Integration and Provisioning Assistant has the limitations described in Table A-22.

Table A-22 Limitations of Bootstrapping in the Directory Integration and Provisioning Assistant

Type of Bootstrapping	Limitation
LDIF-to-LDIF	None
LDAP-to-LDIF	For a large number of entries, bootstrapping can fail with an error of size limit exceeded. To resolve this, the server from which you are bootstrapping should: Support paged results control (OID 1.2.840.113556.1.4.319). Currently, Microsoft Active Directory is the only LDAP directory that supports this control. Have an adequate value for the server side search size limit parameter Use the proprietary Import/Export tool, take the dump of the data, and bootstrap by using either the LDIF-to-LDIF or the LDIF-to-LDAP approach
LDIF -to-LDAP	None
LDAP-to-LDAP	Same as LDAP-to-LDIF

The ldapUploadAgentFile.sh Tool Syntax

Use LdapUploadAgentFile.sh to load mapping and configuration information when you are synchronizing directories.

ldapUploadAgentFile.sh -name  profile_name 
-config configset_the_profile_is_associated_with 
-LDAPhost  directory_server_host
-LDAPport  directory_server_port
-binddn  DN_that_can_modify_the_profile   >
-bindpass password_for_the_bind_DN
-attrtype  "MAP" | "ATTR"
-filename complete_path_of_file_to_be_uploaded

Table A-23 Arguments for ldapUploadAgentFile.sh

Argument	Description
`Name`	The name of the integration profile to which the information needs to be loaded.
`Config`	The configset to which the profile belongs to.
`LDAPhost`	Directory server host
`LDAPport`	Directory server port
`Binddn`	Bind DN of the directory user who has access rights to modify the profile entry. The default is `cn=orcladmin`
`Bindpass`	Password corresponding to the bind DN. The default is `welcome`.
`AttrType`	Type of file to be loaded. "MAP' is specified for loading the mapping file. And "ATTR" is specified for loading the config info file.
`Filename`	Complete path name of the file to be uploaded.

Note:
Alternatively, you can use the Directory Integration and Provisioning Assistant to perform this operation. Enter either of the following:

dipassistant mp [options] odip.profile.mapfile=your map file

dipassistant mp [options] odip.profile.configfile= your configuration file

See Also:
Chapter 33, "Oracle Directory Synchronization Service" in Oracle Internet Directory Administrator's Guide for a description of when to use ldapUploadAgentFile.sh

The ldapCreateConn.sh Tool Syntax

You can create an integration profile by using the command-line tool ldapcreateConn.sh. This tool is in the following directory:

$ORACLE_HOME/ldap/admin/.

The following example creates an integration profile named "HRMS" in configuration set 2:

ldapcreateConn.sh 

-name agent_name> 
[ -type  <IMPORT | EXPORT > ] \   

[ -agentpwd agent_password ] \ 

[ -config configset_to_associate_with ] \

[ -LDAPhost directory_server_host ] 

[ -LDAPport directory_server_port ] \  

[ -binddn DN_of_super_user] \

[ -bindpass   Bind_password ] \                                    [ 
[-retry   maximum_retry_count_on_synchronization_errors ] \

[ -poll polling_interval_for_synchronization ] \                                    
[ -host host_on_which_to_run_agent ] \

[ -conndirurl  connected_directory_URL ] \                                    
[ -conndiracct connected_directory_account_information ] \

[ -conndirpwd connected_directory_account_password ] \                                    
[ -execmd command_line_for_the_agent ]  \

[ -iftype interface_type ]      \                                    [ 
-condirfilter connected_directory_matching_filter ]\ 

[ -oidfilter OID_matching_filter ] \                                    
[ -U SSL_authentication_mode ] 

[ -W wallet_location ]\

[ -P wallet_password ]

Table A-24 Arguments for Registering a Partner Agent by Using ldapcreateConn.sh

Argument	Description
`Name`	The name of the Integration Profile.This must be unique.
`Type`	IMPORT/EXPORT. The default is IMPORT/
`Agentpwd`	The password to protect the profile. The default is `welcome'.
`Config`	The configuration set number. The default is 1.
`LDAPhost`	Directory server host. The default is the current host.
`LDAPport`	Directory server port The default is port 389.
`Binddn`	The bind DN of the Directory user which has the privileges to create Integration profile. The default is `cn=orcladmin'
`Bindpass`	The bind password. The default is `welcome'
`Retry`	Maximum number of retries to be done by the server when encountering a synchronization error. The default is `5'.
`Poll`	The scheduling interval of the profile. The default is `60' seconds.
`Host`	This is currently used. For the time being, it should be set to the machine name on which the DIP server is executing.
`Conndirurl`	The connected directory access Information.
`Conndiracct`	The connected directory account.
`Conndirpwd`	The connected directory account password
`Execmd`	The OS command line to execute the partner agent.
`Iftype`	The interface type. The default is TAGGED.
`Condirfilter`	The connected directory matching filter
`Oidfilter`	The OID matching filter.

Note:
Alternatively, you can use the createprofile option of the Directory Integration and Provisioning Assistant to perform this operation.

The ldapDeleteConn.sh Tool Syntax

You can deregister a synchronization profile by using the command-line tool ldapDeleteConn.sh. This tool is in the directory $ORACLE_HOME/ldap/admin/.

The syntax is:

ldapdeleteConn.sh [ -name Profile_Name ]
 -LDAPhost <LDAP server host> (default is local host)]
            [ -LDAPport directory_server_port> (default 389)]
            [ -binddn SuperUserDN (default cn=orcladmin ) ]
            [ -bindpass   password (default=welcome) ]
            [ -config configset_associated_with_agent ]
            [ -U <SSL_authentication_mode> ]
            [ -W Wallet_location ]
            [ -P Wallet_password ]
            [ -help | -usage ]

The following example deregisters a profile entry and dissociates it from the configuration set 2 (config 2) entry:

ldapDeleteConn.sh name HRMS config 2

Note:
Alternatively, you can use the deleteprofile option of the Directory Integration and Provisioning Assistant to perform this operation.

The StopOdiServer.sh Tool Syntax

In a client-only installation where OID Monitor and OIDCTL tools are not available, you can start the directory integration and provisioning server without OIDCTL. To stop the server, use the stopOdiServer.sh tool.

The path name for this tool is:
$ORACLE_HOME/ldap/admin/stopodiserver.sh

The usage is:

$ORACLE_HOME/ldap/admin/stopodiserver.sh  

[ -LDAPhost LDAP_server_host ]  
[ -LDAPport LDAP_server_port ]  
[ -binddn super_user_dn (default cn=orcladmin ) ]   
[ -bindpass   bind_password (default=welcome) ] 
-instance instance_number_to_stop

Table A-25 Arguments for Stopping the Oracle Directory Integration and Provisioning Server

Argument	Description
`LDAPhost`	Directory server host. The default is the current host.
`LDAPport`	Directory server port. The default is port 389.
`Binddn`	The bind DN of the Directory user which has the privileges to create Integration profile. The default is `cn=orcladmin'
`Bindpass`	The bind password. The default is `welcome'
`Instance`	The instance number of the Oracle directory integration and provisioning server to stop.

The schemasync Tool Syntax

The schemasync tool enables you to synchronize schema elements--namely attributes and object classes--between an Oracle directory server and third-party LDAP directories.

The usage for schemasync is as follows:

$ORACLE_HOME/bin/schemasync 

-srchost source_LDAP_directory  
-srcport source_LDAP_port_numbert 
-srcdn privileged_DN_in_source_directory_to_access_schema 
-srcpwd password
-dsthost destination_LDAP_directory 
-dstport destination_LDAP_port
-dstdn privileged_dn_in_destination_directory_to_access_schema
-dstpwd password 
[-ldap]

Note:
the -ldap parameter is optional. If it is specified, then the schema changes are applied directly from the source LDAP directory to the destination LDAP directory. If it is not specified, then the schema changes are placed in the following LDIF files:

$ORACLE_HOME/ldap/odi/data/attributetypes.ldif
This file has the new attribute definitions.

$ORACLE_HOME/ldap/odi/data/objectclasses.ldifThis file has the new object class definitions.

if you do not specify -ldap, then you must use ldapmodify to upload the definitions from these two files, first attribute types and then object classes.

The errors that occur during schema synchronization are logged in the
following log files:

$ORACLE_HOME/ldap/odi/log/attributetypes.log
$ORACLE_HOME/ldap/odi/log/objectclasses.log

The Oracle Directory Integration and Provisioning Server Registration Tool (odisrvreg)

To register an Oracle directory integration and provisioning server with the directory, this tool creates an entry in the directory and sets the password for the directory integration and provisioning server. If the registration entry already exists, then you can use the tool to reset the existing password. The odisrvreg tool also creates a local file called odisrvwallet_hostname, at $ORACLE_HOME/ldap/odi/conf. This file acts as a private wallet for the directory integration and provisioning server, which uses it on startup to bind to the directory.

Table A-26 describes the parameters that you use with the Oracle Directory Integration and Provisioning Server Registration Tool. You can also run odisrvreg in SSL mode to make communication between the tool and the directory fully secure, using the -U, -W, and -P parameters that are also described in Table A-26.

To register the directory integration and provisioning server, enter this command:

odisrvreg -h host_name -p port -D binddn -w bindpasswd -I passwd [-U ssl_mode -W 
wallet -P wallet_password]

Table A-26 Descriptions of ODISRVREG Arguments

Argument	Description
`-h` `host_name`	Oracle directory server host name
`-p` `port_number`	Port number on which the directory server is running
`-D` `binddn`	Bind DN. The bind DN must have authorization to create the registration entry for the directory integration and provisioning server
`-lhost`	In a cold failover cluster configuration, the virtual hostname
`-w` `bindpasswd`	Bind password
`-U` `SSL mode`	For no authorization, specify 0. For one-way authorization, specify 1.
`-W` `Wallet location`	Location of the Oracle Wallet containing the SSL certificate
`-P` `Wallet password`	Wallet password to open the Oracle wallet

The Provisioning Subscription Tool (oidprovtool) Syntax

Use the Provisioning Subscription Tool to administer provisioning profile entries in the directory. More specifically, use it to perform these activities:

Create a new provisioning profile. A new provisioning profile is created and set to the enabled state so that the Oracle Directory Integration and Provisioning platform can process it
Disable an existing provisioning profile
Enabled a disabled provisioning profile
Delete an existing provisioning profile
Get the current status of a given provisioning profile
Clear all of the errors in an existing provisioning profile

The Provisioning Subscription Tool shields the location and schema details of the provisioning profile entries from the callers of the tool. From the callers' perspective, the combination of an application and a subscriber uniquely identify a provisioning profile. The constraint in the system is that there can be only one provisioning profile for each application for each subscriber.

The name of the executable is oidProvTool, located in $ORACLE_HOME/bin.

To invoke this tool, use this command:

oidprovtool param1=param1_value  param2=param2_value param3=param3_value ...

The Provisioning Subscription Tool accepts the following parameters:

Table A-27 Provisioning Subscription Tool Parameters

Name	Description	Operations	Mandatory/Optional
`operation`	The subscription operation to be performed. The legal values for this parameter are: create, enable, disable, delete, status and reset. Only one operation can be performed for each invocation of the tool.	all	M
`ldap_host`	Host-name of the directory server on which the subscription operations are to be performed. If not specified, the default value of `localhost' is assumed.	all	O
profile_status	The status of the profile (`ENABLED`/ `DISABLED`). Default is `ENABLED`.	Create	O
profile_mode	`IBOUND`/`OUTBOUND`/`BOTH`. Default is `OUTBOUND`.	Create	O
profile_debug	The debugging level with which the profile is executed by the Oracle directory integration and provisioning server.	All	O
sslmode	Indicator of whether to execute the Provisioning Subscription Tool in SSL mode. A value of `0` indicates non-ssl and `1` indicates SSL mode.	All	O
`ldap_port`	The TCP/IP port on which the LDAP server is listening for requests. If not specified, the default value of `389' is assumed.	all	O
`ldap_user_dn`	The LDAP distinguished name of the user on whose behalf the operation is to be performed. Not all users have the necessary permissions to perform Provisioning Subscription operations. Please see the administrative guide to grant or deny LDAP users the permission to perform Provisioning Subscription operations.	all	M
`ldap_user_password`	The password of the user on whose behalf the operation is to be performed.	all	M
`application_dn`	The LDAP distinguished name of the application for which the Provisioning Subscription Operation is being performed. The combination of the application_dn and the organization_dn parameters help the subscription tool to uniquely identify a provisioning profile.	all	M
`organization_dn`	The LDAP distinguished name of the organization for which the Provisioning Subscription Operation is being performed. The combination of the application_dn and the organization_dn parameters help the subscription tool to uniquely identify a provisioning profile.	all	M
`interface_name`	Database schema name for the PLSQL package. Format of the value should be: [Schema].[PACKAGE_NAME]	create only	M
`interface_type`	The type of the interface to which events have to be propagated.Valid Values: PLSQL (if not specified this is assumed as the default)	create only	O
`interface_connect_info`	Database connect string Format of this string:[HOST]:[PORT]:[SID]: [USER_ID]:[PASSWORD]	create only	M
`interface_version`	The version of the interface protocol. Valid Values: 1.0 or 1.11.0 will be the old interface. If not specified, this is used as the default.	create only	O
`interface_additional_info`	Additional information for the interface. This is not currently used.	create only	O
`schedule`	The scheduling information for this profile. The value is the length of the time interval in seconds after which DIP will process this profile. If not specified, a default of 3600 is assumed.	create only	O
`max_retries`	The number of times the Provisioning Service should retry a failed event delivery. If not specified, a default value of 5 is assumed.	create only	O
`event_subscription`	Events for which DIP should send notification to this application. Format of this string:"[USER]GROUP]:[Domain of interest>]:[DELETE]ADD]MODIFY(<list of attributes separated by comma>)]"Multiple values may be specified by listing the parameter multiple times each with different values. If not specified the following defaults are assumed:USER:<org. DN>:DELETEGROUP:<org. DN>:DELETEqQthat is, send user and group delete notifications under the organization DN.	create only	O

A Syntax for LDIF and Command-Line Tools

LDAP Data Interchange Format (LDIF) Syntax

LDIF Formatting Notes

Starting, Stopping, Restarting, and Monitoring Oracle Internet Directory Servers

The OID Monitor (oidmon) Syntax

Starting the OID Monitor

Table A-1 Arguments for Starting OID Monitor

Stopping the OID Monitor

Table A-2 Arguments for Stopping OID Monitor

Starting and Stopping OID Monitor in a Cold Failover Cluster Configuration

The OID Control Utility (oidctl) Syntax

Starting and Stopping an Oracle Directory Server Instance

Starting an Oracle Directory Server Instance

Table A-3 Arguments for Starting a Directory Server by Using OIDCTL

Stopping an Oracle Directory Server Instance

Troubleshooting Directory Server Instance Startup

Starting and Stopping an Oracle Directory Replication Server Instance

Starting an Oracle Directory Replication Server Instance

Table A-4 Arguments for Starting a Directory Replication Server by Using OIDCTL

Stopping an Oracle Directory Replication Server Instance

Starting the Oracle Directory Integration and Provisioning Server

Starting the Oracle Directory Integration and Provisioning Server by Using the OID Monitor and Control Utilities

Table A-5 Description of Arguments for Starting the Oracle Directory Integration and Provisioning Server

Starting the Oracle Directory Integration and Provisioning Server Without Using the OID Monitor and the OID Control Utility

Stopping the Oracle Directory Integration and Provisioning Server

Stopping the Oracle Directory Integration and Provisioning Server by Using OID Monitor and the OID Control Utility

Stopping the Oracle Directory Integration and Provisioning Server Without Using OID Monitor and the OID Control Utility

Restarting Oracle Internet Directory Server Instances

Starting and Stopping Oracle Internet Directory Servers on Either a Virtual Host or a Rack Node

Starting and Stopping a Directory Server on Either a Virtual Host or a Rack Node

Starting and Stopping a Directory Replication Server on Either a Virtual Host or a Rack Node

Starting and Stopping a Oracle Directory Integration and Provisioning Server on Either a Virtual Host or a Rack Node

Entry and Attribute Management Command-Line Tools Syntax

The Catalog Management Tool (catalog.sh) Syntax

Table A-6 Arguments for the Catalog Management Tool (catalog.sh)

ldapadd Syntax

Table A-7 Arguments for ldapadd

ldapaddmt Syntax

Table A-8 Arguments for ldapaddmt

ldapbind Syntax

Table A-9 Arguments for ldapbind

ldapcompare Syntax

Table A-10 Arguments for ldapcompare

ldapdelete Syntax

Table A-11 Arguments for ldapdelete

ldapmoddn Syntax

Table A-12 Arguments for ldapmoddn

ldapmodify Syntax

Table A-13 Arguments for ldapmodify

Example: Using ldapmodify to Add an Attribute

ldapmodifymt Syntax

Table A-14 Arguments for ldapmodifymt

ldapsearch Syntax

Table A-15 Arguments for ldapsearch

Examples of ldapsearch Filters

Example 1: Base Object Search

Example 2: One-Level Search

Example 3: Subtree Search

Example 4: Search Using Size Limit

Example 5: Search with Required Attributes

Example 6: Search for Entries with Attribute Options

Example 7: Searching for All User Attributes and Specified Operational Attributes

Other Examples:

Oracle Directory Integration and Provisioning Platform Command-Line Tools Syntax

The Directory Integration and Provisioning Assistant

Table A-16 Summary of Functionality of the Directory Integration and Provisioning Assistant

Creating, Modifying, and Deleting Synchronization Profiles

Table A-17 Parameters for Creating, Modifying, and Deleting Synchronization Profiles by Using the Directory Integration and Provisioning Assistant

Table A-18 Properties Expected by createprofile and modifyprofile Commands

Bootstrapping a Directory by Using the Directory Integration and Provisioning Assistant

Table A-19 Parameters of a deleteprofile Command

Properties Expected by the Bootstrapping Command

Table A-20 Bootstrapping Properties

Changing the Password of the Administrator of the Oracle Directory Integration and Provisioning Platform

Listing All Synchronization Profiles in Oracle Internet Directory

Viewing the Details of a Specific Synchronization Profile

Setting the Wallet Password for the Oracle Directory Integration and Provisioning Server

Moving an Integration Profile to a Different Identity Management Node

Table A-21 Scenarios for Reassociating Directory Integration Profiles

Limitations of the Directory Integration and Provisioning Assistant in Oracle Internet Directory 10g (9.0.4)

A
Syntax for LDIF and Command-Line Tools