Syntax for LDIF and Command-Line Tools, 10 of 10

The OID Migration Tool (ldifmigrator) Syntax

Use the OID Migration Tool when you are migrating data from application-specific repositories into Oracle Internet Directory. The OID Migration Tool produces an LDIF file, which is suitable for loading into a directory server by using the standard command-line tools. The input to this tool is a pseudo-LDIF file containing substitution variables. The tool is called ldifmigrator and it exists in ORACLE_HOME/bin.

The syntax of the ldifmigrator tool is as follows:

ldifmigrator [options] {parameter_name=value ...}
{s_SubVar=value ... }

Table A-38 describes the command-line parameters used by this tool in further detail:

Table A-38 ldifmigrator Parameters

Parameter	Mandatory?	Description
`Input_file`	Yes	The file containing the substitution variables
`Output_file`	Yes	The name of the file to be generated by this tool
`-lookup`	No	If this flag is specified, then values of certain substitution variables will be obtained from the directory server. Please see the following table for the names of the variables that are specified using host parameters. The host is mandatory when -`lookup` flag is specified.
`Host`	Yes (only in lookup mode)	The directory server name. This parameter is mandatory when `-lookup` flag is specified.
`Port`	No	The port on which the directory server is listening. If not specified the port `389` will be used
`DN`	Yes (only in lookup mode)	Bind DN. This is a mandatory parameter when `-lookup` flag is specified.
`Password`	No	Bind password
`Subscriber`	No	The subscriber whose attributes will be used as substitution variable. If not specified, then the default identity management realm specified in the Root Oracle Context will be used.
`s_SubsVar1.N`	No	Custom substitution variables specified by the user

The following table describes a set of pre-defined substitution variables. If it is running in the lookup mode, the OID Migration Tool can automatically determine the values of these variables by looking them up in the Oracle Internet Directory.

Table A-39 Predefined Substitution Variables

Variable Name	Meaning	How OID Migration Tool Determines the Value for This Variable
%s_UserContainerDN%	Distinguished name of the entry under which all users are supposed to be added.	This is assigned the value of the attribute: `orclCommonUserSearchBase` from the entry `cn=Common,cn=Products` under the realm- specific Oracle context.
%s_GroupContainerDN%	Distinguished name of the entry under which all public groups are supposed to be added.	This is assigned the value of the attribute: `orclCommonGroupSearchBase` from the entry `cn=Common,cn=Products` under the realm- specific Oracle context.
%s_UserNicknameAttribute%	The nickname attribute to be used for user entries in the identity management realm.	This is assigned the value of the attribute: `orclCommonNicknameAttribute` from the entry `cn=Common,cn=Products` under the realm- specific Oracle context.
%s_SubscriberDN%	Distinguished name of the LDAP entry corresponding to the identity management realm.	If a simple subscriber name is given, the migration tool will resolve it to a DN using the attribute `orclSubscriberSearchBase` and the `orclSubscriberNickNameAttr` from the entry `cn=Common,cn=Products` under the root Oracle context.
%s_SubscriberOracleContextDN%	Distinguished name of the realm-specific Oracle Context.	First the realm DN is computed as described earlier and then the string `cn=OracleContext` is pre-pended to it.
%s_RootOracleContextDN%	Distinguished name of the Root Oracle Context.	This is currently hard-coded to `cn=OracleContext`.
%s_CurrentUserDN%	Distinguished name of the User who is loading the LDIF file. This is sometimes required to bootstrap the creation of groups which require at least one member in them.	The migration tool expects this DN to be specified on the command line as part of the authentication information.

The OID Migration Tool obtains the values of the pre-defined substitution variables only in the lookup mode. Users can override the value of any of the previous variables in the lookup mode by specifying the variable and a different value in the command line. The user can also specify substitution variables other than the ones listed in the following table and their values in the command line.

Examples: Using the OID Migration Tool

Consider the input file sample.dat whose contents are as follows:

dn: cn=jdoe, %s_UserContainerDN%
sn: Doe
%s_UserNicknameAttribute%: jdoe
objectClass: inetOrgPerson
objectClass: orclUserV2
title: Member of Technical Staff
homePhone: 415-584-5670
homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402
ou: %s_UserOrganization%

The following sections describe how the OID Migration Tool can be used to transform the previous template into a valid LDIF ready to be loaded into Oracle Internet Directory.

Using the Migration Tool in the Lookup Mode

In this example, the Oracle directory server is present in the environment, and the deployment wants the migration tool to lookup the directory server to figure out certain substitution variables. It will issue the following command:

$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" -lookup 
"host=ldap.acme.com" "subscriber=acme" "s_UserOrganization=Development"

On executing this command, the directory server running on ldap.acme.com will be contacted and the following values of the substitution variables for the subscriber acme will be obtained:

Variable Name Value Obtained from ldap.acme.com

% s_UserContainerDN%

cn=Users,o=acme,dc=com

%s_UserNicknameAttribute%

uid

Variable Name	Value Obtained from ldap.acme.com
% s_UserContainerDN%	`cn=Users,o=acme,dc=com`
%s_UserNicknameAttribute%	`uid`

In addition to these variables, the OID Migration Tool also honors the command-line variable called s_UserOrganization and substitutes all occurrences of it with the value Development. In this case the output of the tool stored in sample.ldif is as follows (the substituted values are shown in italics):

dn: cn=jdoe,cn=Users,o=Acme,dc=com
sn: Doe
uid: jdoe
objectClass: inetOrgPerson
objectClass: orclUserV2
title: Member of Technical Staff
homePhone: 415-584-5670
homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402
ou: Development

Using the OID Migration Tool Without the Lookup Option

The same output as shown in the previous example could have been obtained by specifying all of the values in the command line (without using the -lookup option). The following command-line example describes how one would use the Migration tool without the lookup mode:

$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif"  "s_
UserContainerDN=cn=Users,o=Acme,dc=com" "s_UserNicknameAttribute=uid" "s_
UserOrganization=Development"

Overriding Substitution Values Obtained from the Lookup Mode

In some cases, a deployment would like to use the OID Migration Tool in the lookup mode but would also like to override the values of one or more of the pre-defined substitution variables. This can be done by specifying the override value in the command line. The following command line shows how one can set the UserNickNameAttribute to cn overriding the default of uid:

$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" -lookup 
"host=ldap.acme.com" "subscriber=acme" "s_UserOrganization=Development" 

"s_UserNicknameAttribute=cn"

On executing this command, the directory server running on ldap.acme.com will be contacted and the following values of the substitution variables for the subscriber acme will be obtained:

Table A-40 Substitution Variables for the subscriber "acme"

Variable Name	Value Obtained from ldap.acme.com
% s_UserContainerDN%	cn=Users,o=acme,dc=com
%s_UserNicknameAttribute%	uid (this is over-ridden by command-line specification)

Since s_UserNicknameAttribute is specified on the command line, the OID Migration Tool will ignore the value obtained from the directory and use the value specified in the command line. In addition to these variables, the migration tool will also honor the command-line variable called s_UserOrganization and substitute all occurrences of it with the value Development. In this case the output of the tool stored in sample.ldif will be as follows (the substituted values are shown in italics):

dn: cn=jdoe,cn=Users,o=Acme,dc=com
sn: Doe
cn: jdoe
objectClass: inetOrgPerson
objectClass: orclUserV2
title: Member of Technical Staff
homePhone: 415-584-5670
homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402
ou: Development

Load Capability

Using the load capability the users of this tool could directly load the data into Oracle Internet Directory. If an entry is already present in the directory then that directory entry will be logged to the file. The addition of the directory entries could fail for other reasons as well, for instance not enough permission to add or parent entry not being present. The command line tool will now take a new option -load, which will load the user information to the directory.

Reconcile Capability

The user migration tool capabilities available in Oracle Application Server 10g (9.0.4) are only useful when an older version of the iAS component is the only source of truth for all users being migrated to Oracle Internet Directory. However, in a practical deployment, the following scenarios arise:

The users to be migrated have already been defined in Oracle Internet Directory.
More than one distinct application needs to be migrated to Oracle Internet Directory.

To address these requirements, a new option -reconcile, has been added to the user migration tool. This option requires an argument: -reconcile SAFE | SAFE_EXTENDED | NORMAL.

Table A-41 Different Modes for Use of -reconcile

Optional Arguments	Description
-reconcile SAFE	checks for the existence of the user entry in the directory
-reconcile NORMAL	checks that all the new attributes will be added and those attributes that are already present in the Oracle Internet Directory will have their values replaced with the new ones
-reconcile SAFE_EXTENED	all the new attributes will be added, but for the existing attributes if you try to add a new value then it will add this new value to the existing set of values.

Example 47-1 -reconcile SAFE option.

This option should be used when the user would like to append the only those attributes that are not already present in the directory. In the case of the above user entry, the user migration tool will parse this LDIF entry and substitute the values for s_subscriber_user_base and s_nickname_attr. After this, the tool will retrieve the jsmith entry from the directory. If the directory does not contain an entry for jsmith then it would simply add this entry for the first time. On the other hand if the entry already exists with attributes as defined above then it will add only those attributes that are not present in directory. In the above case it will add only homePhone and homePostalAddress.

Now the Jsmith entry in the directory will be:

dn: cn=jsmith, dc=oracle, dc=com
cn: jsmith
sn: Smith
orclGlobalID: 86A8485163303EBEE034080020AB67AA
uid: jsmith
objectClass: inetOrgPerson
objectClass: orclUser2
title: Member of Technical Staff 

homePhone: 650-584-5670
homePostalAddress: 232 Gonzalez Drive$ San Francisco$ CA$ 94404

Example 47-2 -reconcile NORMAL option.

This option can be used when the user would like to overwrite attributes that are present in the directory. In the case of the above user entry, the user migration tool will parse this LDIF entry and substitute the values for s_subscriber_user_base and s_nickname_attr. After this, the tool will retrieve the jsmith entry from the directory. If the directory does not contain an entry for jsmith then it would simply add this entry for the first time. On the other hand if the entry already exists with attributes as defined above then it will add only those attributes that are not present in directory. In addition to this the attribute that is already present will be deleted and freshly added with new value. In the above case it will add homePhone and homePostalAddress and replace the attribute value for the attribute title with the new value.

Now the Jsmith entry in the directory will be:

dn: cn=jsmith, dc=oracle, dc=com
cn: jsmith
sn: Smith
orclGlobalID: 86A8485163303EBEE034080020AB67AA
uid: jsmith
objectClass: inetOrgPerson
objectClass: orclUser2
title: Principle Member of Technical Staff 

homePhone: 650-584-5670
homePostalAddress: 232 Gonzalez Drive$ San Francisco$ CA$ 94404

Example 47-3 -reconcile SAFE_EXTENDED option.

This option can be used when the user would like to add the values to existing attributes. In the case of the above user entry, the user migration tool will parse this LDIF entry and substitute the values for s_subscriber_user_base and s_nickname_attr. After this, the tool will retrieve the jsmith entry from the directory. If the directory does not contain an entry for jsmith then it would simply add this entry for the first time. On the other hand if the entry already exists with attributes as defined above then it will add the attributes homePhone and homePostalAddress and the new value will be added to the existing title attribute.

Now the Jsmith entry in the directory will be:

dn: cn=jsmith, dc=oracle, dc=com
cn: jsmith
sn: Smith
orclGlobalID: 86A8485163303EBEE034080020AB67AA
uid: jsmith
objectClass: inetOrgPerson
objectClass: orclUser2
title: Member of Technical Staff 

title: Principle Member of Technical Staff 

homePhone: 650-584-5670
homePostalAddress: 232 Gonzalez Drive$ San Francisco$ CA$ 94404

Table A-42 -reconcile SAFE type LDIF records

Sno	Entry Changetype	Attribute Changetype	Action
1	Add/No Change type	-	Add only new attributes.
2	Modrdn/Moddn	-	The ldifmigrator tool will not support this change type.
3	Delete	-	Do not delete the entry from the directory.
4	Modify	add	Add this attribute. If the entry doesn't exist in the directory then ignore the record as invalid. If the attribute does not exist then add this attribute, otherwise ignore.
5	-do-	replace	If the entry does not contain the attribute then it will be added. Otherwise Ignore change to the attribute, that is, do not apply the change. When the entry is not present in the directory then ignore it as the invalid entry.
6	-do-	delete	Ignore the change to the attribute, that is, do not apply the change.

Sno	Entry Changetype	Attribute Changetype	Description
1	Add/No Change type	-	Adds the attributes that are not populated in the directory and replaces the attributes that are already populated
2	Modrdn/Moddn	-	The ldifmigrator tool will not support this change type.
3	Delete	-	Delete the entry from the directory
4	Modify	add	If entry doesn't contain the attribute then it will be added. When it contains the attribute then replace it with the specified attribute. If the entry doesn't exist in the directory then ignore the record as invalid.
5	-do-	replace	If entry doesn't contain the attribute then it will be added. When it contains the attribute then replace it with the specified attribute. If the entry itself does not exist in the directory then ignore the record as invalid
6	-do-	delete	Remove the specified attribute from the directory.

Table A-43 -reconcile NORMAL type LDIF records

Sno Entry Changetype Attribute Changetype Description

1

Add/No Change type

-

Adds the attributes that are not populated in the directory and replaces the attributes that are already populated

2

Modrdn/Moddn

-

The ldifmigrator tool will not support this change type.

3

Delete

-

Delete the entry from the directory

4

Modify

add

If entry doesn't contain the attribute then it will be added. When it contains the attribute then replace it with the specified attribute. If the entry doesn't exist in the directory then ignore the record as invalid.

5

-do-

replace

If entry doesn't contain the attribute then it will be added. When it contains the attribute then replace it with the specified attribute. If the entry itself does not exist in the directory then ignore the record as invalid

6

-do-

delete

Remove the specified attribute from the directory.

Table A-44 -reconcile SAFE_EXTENDED type LDIF records

Sno	Entry Changetype	Attribute Changetype	Description
1	Add/No Change type	-	Add only new attributes. If the entry does not exist then create a new entry.
2	Modrdn/Moddn	-	The ldifmigrator tool will not support this change type.
3	Delete	-	Do not delete the entry from the directory.
4	Modify	add	Add this attribute. If the entry doesn't exist in the directory then ignore the record as invalid. If the attribute does not exist then add this attribute, otherwise add the new values to the directory.
5	-do-	replace	If the entry does not contain the attribute then it will be added. Otherwise Ignore change to the attribute, that is, do not apply the change. When the entry is not present in the directory then ignore it as the invalid entry.
6	-do-	delete	Ignore the change to the attribute, that is, do not apply the change.

OID Migration Tool Error Messages

The OID Migration Tool can display these error messages:

Table A-45 Error Messages of OID Migration Tool

Message	Reason	Remedial Action
Environment variable ORACLE_HOME not defined	ORACLE_HOME is not defined.	Set the environment variable ORACLE_HOME
Error while parsing the input parameters. Please verify	Not all the required parameters are provided. The required parameters are Input_File, Output_File and at least one substitution variable	Specify the input parameters properly. Use the `-help` option to print the usage.
Input_File parameter not specified. Please specify	Input_File parameter is a mandatory parameter.	Specify the input parameters properly. Use the `-help` option to print the usage.
Output_File parameter not specified. Please specify	Output_File parameter is a mandatory parameter.	Specify the input parameters properly. Use the `-help` option to print the usage.
The specified input file does not exist	The specified file location is invalid.	Check the input file path
Check the input file. Zero byte input file	The input file does not contain any entries.	Provide a valid file with pseudo LDIF entries
Cannot create the output file. Output file already exists	The output file already exists	Check the Output_File flag
Access denied, cannot read from the input file	The specified input file does not have read permission	Check the read permission of the input file.
Access denied, cannot create the output file	You do not have permission to create the output file.	Check the permission of the directory under which the output file needs to be created.
Directory server name not specified. When -lookup option is used the host parameter should be specified	When the `-lookup` option is specified, the host parameter is mandatory.	Specify the host parameter.
Bind Dn parameter name not specified. When -lookup option is used the dn parameter should be specified	When the `-lookup` option is specified, the DN parameter is mandatory.	Specify the DN parameter.
The port number specified is invalid	The port number should be a numeric value.	Check the port number parameter
Unable to establish connection to directory. Please verify the input parameters: host, port, dn & password	The directory server may not be running on the specified host and port, or credentials may be invalid.	Check the host, port, DN and password parameters. Check `$``ORACLE_HOME``/ldap/install/LDIFMig_YYYY_MM_DD_HH_SS.log file`.
Naming exception occurred while retrieving the subscriber information from the directory. Please verify the input parameters	The specified identity management realm does not exist in the directory	Check the realm parameter
Not all the substitution variables are defined in the directory server specified	If the identity management realm entry does not contain the required attributes, then this error occurs.	Check the realm entry in the directory
Error occurred while migrating LDIF data to Oracle Internet Directory	This might occur if something goes wrong in the middle of a process--for example, a failure of the directory server or disk.	Report the error message to the administrator

When an error condition occurs, the log messages are logged to this file:
ORACLE_HOME/ldap/install/LDIFMig_YYYY_MM_DD_HH_SS.log.