|
Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) Part No. B14085-01 |
|
 Previous |
 Next |
|
Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) Part No. B14085-01 |
|
|
Previous |
Next |
This appendix provides syntax, usage notes, and examples for LDIF and LDAP command-line tools. It contains these topics:
Starting, Stopping, Restarting, and Monitoring Oracle Internet Directory Servers
The Oracle Directory Integration and Provisioning Server Registration Tool (odisrvreg)
The Directory Integration and Provisioning Assistant (dipassistant) Syntax
OID Database Statistics Collection Tool (oidstats.sh) Syntax
The standardized file format for directory entries is as follows:
dn: distinguished_name attribute_type: attribute_value ... objectClass: object_class_value ...
Table A-1 Properties in an LDIF File
| Property | Value | Description |
|---|---|---|
dn:
|
RDN,RDN,RDN,...
|
Separate RDNs with commas. |
attribute_type:
|
attribute_value
|
This line repeats for every attribute in the entry, and for every attribute value in multi-valued attributes. |
objectClass:
|
object_class_ value
|
This line repeats for every object class. |
The following example shows a file entry for an employee. The first line contains the DN. The lines that follow the DN begin with the mnemonic for an attribute, followed by the value to be associated with that attribute. Note that each entry ends with lines defining the object classes for the entry.
dn: cn=Suzie Smith,ou=Server Technology,o=Acme, c=US
cn: Suzie Smith
cn: SuzieS
sn: Smith
mail: ssmith@us.Acme.com
telephoneNumber: 69332
photo: $ORACLE_HOME/empdir/photog/ssmith.jpg
objectClass: organizationalPerson objectClass: person
objectClass: top
The next example shows a file entry for an organization:
dn: o=Acme,c=US o: Acme ou: Financial Applications objectClass: organization objectClass: top
A list of formatting rules follows. This list is not exhaustive.
All mandatory attributes belonging to an entry being added must be included with non-null values in the LDIF file.
|
Tip: To see the mandatory and optional attribute types for an object class, use Oracle Directory Manager. See the section about viewing properties of object classes by using Oracle Directory Manager in Oracle Internet Directory Administrator's Guide. |
Non-printing characters and tabs are represented in attribute values by base-64 encoding.
The entries in your file must be separated from each other by a blank line.
A file must contain at least one entry.
Lines can be continued to the next line by beginning the continuation line with a space or a tab.
Add a blank line between separate entries.
Reference binary files, such as photographs, with the absolute address of the file, preceded by a forward slash ("/").
The DN contains the full, unique directory address for the object.
The lines listed after the DN contain both the attributes and their values. DNs and attributes used in the input file must match the existing structure of the DIT. Do not use attributes in the input file that you have not implemented in your DIT.
Sequence the entries in an LDIF file so that the DIT is created from the top down. If an entry relies on an earlier entry for its DN, make sure that the earlier entry is added before its child entry.
When you define schema within an LDIF file, insert a white space between the opening parenthesis and the beginning of the text, and between the end of the text and the ending parenthesis.
|
See Also:
|
This section tells how to use command-line tools for starting, stopping, restarting, and monitoring Oracle Internet Directory servers. It contains these topics:
Use the OID Monitor (oidmon) to initiate, monitor, and terminate directory server processes. If you elect to install a replication server, OID Monitor controls it. When you issue commands through OID Control Utility (oidctl) to start or stop directory server instances, your commands are interpreted by this process.
Starting OID Monitor restarts any Oracle Internet Directory processes that were previously stopped.
Set the following environment variables:
ORACLE_HOME
ORACLE_SID or a proper TNS CONNECT string
NLS_LANG (APPROPRIATE_LANGUAGE.AL32UTF8). The default language set at installation is AMERICAN_AMERICA.
PATH. In the PATH environment variable, specify the Oracle LDAP binary—that is, ORACLE_HOME/bin—before the UNIX binary directory.
oidmon [connect=connect_string] [host=virtual/host_name][sleep=seconds] start
Table A-2 Arguments for Starting OID Monitor
For example:
oidmon connect=dbs1sleep=15 start
To start OID Monitor on a virtual host:
oidmon connect=dbsl host=virtual_host start
Stopping the OID Monitor also stops all other Oracle Internet Directory processes.
To stop the OID Monitor daemon, at the system prompt, type:
oidmon [connect=connect_string][host=virtual/host_name] stop
Table A-3 Arguments for Stopping OID Monitor
For example:
oidmon connect=dbs1 stop
While starting and stopping OID Monitor, use the host parameter to specify the virtual host name. The syntax is:
oidmon [connect=connect_string] host=virtual_host start|stop
|
Note: If you are going to start Oracle Internet Directory servers on a virtual host, then, when using bothoidmon and oidctl, be sure to specify the host argument as the virtual host.
If the OID Monitor is started with the To determine the physical host name, execute the |
OID Control Utility is a command-line tool for starting and stopping the directory server. The commands are interpreted and executed by the OID Monitor process.
|
Note: Although you can start the directory server without using OID Monitor and the OID Control Utility, Oracle Corporation recommends that you use them. This way, if the directory server unexpectedly terminates, then OID Monitor automatically restarts it. |
This section contains these topics:
Starting and Stopping an Oracle Directory Server Instance by Using the OID Control Utility
Troubleshooting Directory Server Instance Startup when Using the OID Control Utility
Starting the Oracle Directory Integration and Provisioning Server by Using the OID Control Utility
Stopping the Oracle Directory Integration and Provisioning Server
Restarting Oracle Internet Directory Server Instances by Using the OID Control Utility
Use the OID Control Utility to start and stop Oracle directory server instances.
The syntax for starting an Oracle directory server instance is:
oidctl connect=connect_string server=oidldapd instance=server_instance_number [configset=configset_number] [host=virtual/host_name][flags=' -p port_number -work maximum_number_of_worker_threads_per_server -debug debug_level -l change_logging' -server number_of_server_processes] start
Table A-4 Arguments for Starting a Directory Server by Using OIDCTL
| Argument | Description |
|---|---|
-debug debug_level
|
Specifies a debug level during Oracle directory server instance startup |
-l change_logging
|
Turns replication change logging on and off. To turn it off, enter -l false. To turn it on, do any one of the following:
Turning off change logging for a given node by specifying |
-p port_number
|
Specifies a port number during server instance startup. The default port number is 389. |
-server number_of_server_processes
|
Specifies the number of server processes to start on this port |
-sport
|
Specifies the SSL port number during server instance startup. Default port if not set is 636.
See Also:
|
-work maximum_number_of_worker_threads_per_server
|
Specifies the maximum number of worker threads for this server |
configset=configset_number
|
Configset number used to start the server. This defaults to configset0 if not set. This should be a number between 0 and 1000.
|
connect=connect_string
|
If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, located in $ORACLE_HOME/ldap/odi/archive/profile_name_prefix_useracl.ldif.
|
host=virtual/host_name
|
Specifies the virtual host or Oracle Application Server Cluster (Identity Management) nodes on which to start the directory server |
instance=server_instance_number
|
Instance number of the server to start. Should be a number between 1 and 1000. |
server=oidldapd
|
Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive. |
start
|
Starts the server specified in the server argument. |
For example, to start a directory server instance whose net service name is dbs1, using configset5,at port 12000, with a debug level of 1024, an instance number 3, and in which change logging is turned off, type at the system prompt:
oidctl connect=dbs1 server=oidldapd instance=3 configset=5 flags='-p 12000 -debug 1024 -l ' start
When starting and stopping an Oracle directory server instance, the server name and instance number are mandatory, as are the commands start or stop. All other arguments are optional.
All keyword value pairs within the flags arguments must be separated by a single space.
Single quotes are mandatory around the flags.
The configset identifier defaults to zero (configset0) if not set.
If the directory server fails to start, you can override all user-specified configuration parameters to start the directory server and then return the configuration sets to a workable state by using the ldapmodify operation.
To start the directory server by using its hard-coded default parameters instead of the configuration parameters stored in the directory, type at the system prompt:
oidctl connect=connect_string flags='-p port_number -f'
The -f option in the flags starts the server with hard-coded configuration values, overriding any defined configuration sets except for the values in configset0.
To see debug log files generated by the OID Control Utility, navigate to $ORACLE_HOME/ldap/log.
Use the OID Control Utility to start and stop Oracle directory replication server instances.
The syntax for starting the Oracle directory replication server is:
oidctl connect=connect_string server=oidrepld instance=server_instance_number [configset=configset_number] flags=' -p directory_server_port_number -d debug_level -h directory_server_host_name -m [true | false] -z transaction_size ' start
Table A-5 Arguments for Starting a Directory Replication Server by Using OIDCTL
| Argument | Description |
|---|---|
connect=connect_string
|
If you already have a tnsnames.ora file configured, then this is the name specified in that file, which is located in $ORACLE_HOME/network/admin
|
server=oidrepld
|
Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive.
|
instance=server_instance_number
|
Instance number of the server to start. Should be a number between 1 and 1000. |
configset=configset_number
|
Configset number used to start the server. The default is configset0. This should be a number between 0 and 1000.
|
-p directory_server_port_number
|
Port number that the replication server uses to connect to the directory on TCP port directory_server_port_number. If you do not specify this option, the tool connects to the default port (389).
|
-d debug_level
|
Specifies a debug level during replication server instance startup |
-h directory_server_host_name
|
Specifies the directory_server_host_name to which the replication server connects, rather than to the default host, that is, your local computer. Directory_server_host_name can be a computer name or an IP address. (Replication server only)
|
-m [true|false]
|
Turns conflict resolution on and off. Valid values are true and false. The default is true. (Replication server only)
|
-z transaction_size
|
Specifies the number of changes applied in each replication update cycle. If you do not specify this, the number is determined by the Oracle directory server size limit parameter, which has a default setting of 1024. You can configure this latter setting. |
start
|
Starts the server specified in the server argument.
|
For example, to start the replication server with an instance=1, at port 12000, with debugging set to 1024, type at the system prompt:
oidctl connect=dbs1 server=oidrepld instance=1 flags='-p 12000 -h eastsun11 -d 1024' start
When starting and stopping an Oracle directory replication server, the -h flag, which specifies the host name, is mandatory. All other flags are optional.
All keyword value pairs within the flags arguments must be separated by a single space.
Single quotes are mandatory around the flags.
The configset identifier defaults to zero (configset0) if not set.
The Oracle directory integration and provisioning server executable, odisrv, resides in the $ORACLE_HOME/bin directory.
The way you start the directory integration and provisioning server depends on whether your installation is:
A typical Oracle Internet Directory installation
In this case, your installation includes, among other server and client components, the OID Monitor and the OID Control Utility. In such installations, you start and stop the directory integration and provisioning server by using these tools.
|
Note: Although you can start the directory integration and provisioning server without using the OID Monitor and the OID Control Utility, Oracle Corporation recommends that you use them. This way, if the directory integration and provisioning server unexpectedly terminates, the OID Monitor automatically restarts it. |
An Oracle Directory Integration and Provisioning-only installation
In this case, the way you start the directory integration and provisioning server depends on whether you are using Oracle Directory Integration and Provisioning for high availability.
If you are using Oracle Directory Integration and Provisioning for high availability, then Oracle Corporation recommends that you start the directory integration and provisioning server by using the OID Monitor and the OID Control Utility. This requires configuring the tnsnames.ora file with the right host and SID to which the OID Monitor must connect.
If you are not using Oracle Directory Integration and Provisioning for high availability, then Oracle Corporation recommends that you start the directory integration and provisioning server without using the OID Monitor.
You can start the directory integration and provisioning server in either SSL mode for tighter security, or non-SSL mode. You need to use a connect string to connect to the database.
|
Note: When the Oracle directory integration and provisioning server is invoked in the default mode, it supports only the Oracle Provisioning Service, and not the Oracle Directory Synchronization Service. |
To start the directory integration and provisioning server in non-SSL mode:
Be sure that OID Monitor is running. To verify this on UNIX, enter the following at the command line:
ps -ef | grep oidmon
If OID Monitor is not running, then start it by following the instructions in "The OID Monitor (oidmon) Syntax".
Start the directory integration and provisioning server by using the OID Control Utility. Do this by entering:
oidctl [connect=connect_string] server=odisrv [instance=instance_number]
[config=configuration_set_number] [flags="[host=hostname] [port=port_number]
[debug=debug_level] [refresh=interval_between_refreshes]
[grpID=group_identifier_of_provisioning_profile]
[maxprofiles=number_of_profiles]
[sslauth=ssl_mode ]"] start
Table A-6 describes the arguments in this command.
Table A-6 Description of Arguments for Starting the Oracle Directory Integration and Provisioning Server
| Argument | Description |
|---|---|
connect=connect_string
|
If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, located in $ORACLE_HOME/network/admin
|
server=odisrv
|
Type of server to start. In this case, the server you are starting is odisrv. This is not case-sensitive. This argument is mandatory.
|
instance=instance_number
|
Specifies the instance number to assign to the directory integration and provisioning server. This instance number must be unique. OID Monitor verifies that the instance number is not already associated with a currently running instance of this server. If it is associated with a currently running instance, then OID Monitor returns an error message. |
config=configuration_set_number
|
Specifies the number of the configuration set that the directory integration and provisioning server is to execute. This argument is mandatory. |
host=hostname
|
Oracle directory server host name |
port=port_number
|
Oracle directory server port number |
debug=debug_level
|
The required debugging level of the directory integration and provisioning server
See Also: The section about setting debug logging levels in Oracle Internet Directory Administrator's Guide for a description of the various debug levels |
refresh=interval_between_refreshes
|
Specifies the interval, in minutes, between server refreshes for any changes in the integration profiles.
Default is 2 minutes (Refresh=2). |
grpID=group_identifier_of_provisioning_profile
|
Specifies the group of profiles to be scheduled |
maxprofiles=number_of_profiles
|
Specifies the maximum number of profiles that can be executed concurrently for this server instance |
sslauth=ssl_mode
|
SSL modes:
|
In a standalone installation of Oracle Directory Integration and Provisioning, the Oracle directory integration and provisioning server can be started without OID Monitor or OID Control Utility, either in non-SSL mode or, for tighter security, in SSL mode. The parameters described in Table A-6 remain the parameters for each type of invocation.
To start the directory integration and provisioning server, enter the following at the command line:
odisrv [host=host_name] [port=port_number] config=configuration_set_number [instance=instance_number] [debug=debug_level] [refresh=interval_between_refresh] [maxprofiles=number_of_profiles] [sslauth=ssl_mode]
The way you stop the directory integration and provisioning server depends on the tool that you used to start it.
If you started the directory integration and provisioning server by using OID Monitor and the OID Control utility, then you use them to stop it, as follows:
Before you stop the directory integration and provisioning server, be sure that the OID Monitor is running. To verify this, enter the following at the command line:
ps -ef | grep oidmon
If OID Monitor is not running, then start it by following the instructions in "The OID Monitor (oidmon) Syntax".
Stop the directory integration and provisioning server by entering:
oidctl [connect=connect_string] server=odisrv instance=instance stop
In a client-only installation, where the OID Monitor and OID Control tools are not available, the Oracle directory integration and provisioning server can be started without OID Control. To stop the server without these tools, use the Directory Integration and Provisioning Assistant.
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
If the Oracle directory integration and provisioning server is stopped by any means other than the methods mentioned in this section, then the server cannot be started from the same host. In that case, the footprint of the previous execution in the directory needs to be removed by using the following command:
|
|
See Also: "The Directory Integration and Provisioning Assistant (dipassistant) Syntax" for instructions about using the Directory Integration and Provisioning Assistant |
When you want to refresh the server cache immediately, rather than at the next scheduled time, use the RESTART command. When the Oracle Internet Directory server restarts, it maintains the same parameters it had before it stopped.
To restart an Oracle Internet Directory server instance, at the system prompt, type:
oidctl connect=connect_string server={oidldapd|oidrepld|odisrv} instance=server_instance_number restart
OID Monitor must be running whenever you restart directory server instances.
If you try to contact a server that is not running, you receive from the SDK the error message 81—LDAP_SERVER_DOWN.
If you change a configuration set entry that is referenced by an active server instance, you must stop that instance and restart it to effect the changed value in the configuration set entry on that server instance. You can either issue the STOP command followed by the START command, or you can use the RESTART command. RESTART both stops and restarts the server instance.
For example, suppose that Oracle directory server instance1 is started, using configset3, and with the net service name dbs1. Further, suppose that, while instance1 is running, you change one of the attributes in configset3. To enable the change in configset3 to take effect on instance1, you enter the following command:
oidctl connect=dbs1 server=oidldapd instance=1 restart
If there are more than one instance of the Oracle directory server running on that node using configset3, then you can restart all the instances at once by using the following command syntax:
oidctl connect=dbs1 server=oidldapd restart
Note that this command restarts all the instances running on the node, whether they are using configset3 or not.
|
Important Note: The restart process takes only a few seconds to execute, but during that time clients cannot access the Oracle directory server instance. |
When starting a directory server, a directory replication server, or a directory integration and provisioning server, use the host parameter to specify the virtual host name.
Starting and Stopping a Directory Server on Either a Virtual Host or an Oracle Application Server Cluster (Identity Management) Node
To start a directory server on a virtual host:
oidctl [connect=connect_string] host=virtual_host_name server=oidldapd instance=instance_number configset=configset_number flags= "..." start
To stop a directory server on a virtual host:
oidctl host=virtual_host_name server=oidldapd instance=instance_number stop
Starting and Stopping a Directory Replication Server on Either a Virtual Host or an Oracle Application Server Cluster (Identity Management) Node
To start a directory replication server on a virtual host:
oidctl [connect=connect_string] host=virtual_host_name server=oidrepld instance=instance_number flags= "..." start
To stop a directory replication server on a virtual host:
oidctl host=virtual_host_name server=oidrepld instance=instance_number stop
Starting and Stopping a Oracle Directory Integration and Provisioning Server on Either a Virtual Host or an Oracle Application Server Cluster (Identity Management) Node
To start a directory integration and provisioning server on a virtual host:
oidctl [connect=connect_string] host=virtual_host_name server=odisrv instance=instance_number configset=configset_number flags= "..." start
To stop a directory integration and provisioning server on a virtual host:
oidctl host=virtual/host_name server=odisrv instance=instance_number stop
When the directory server is started to run on the virtual host, it binds and listens to requests on the specified LDAP port on the IP address or IP addresses that correspond to the virtual host only.
When communicating with the directory server, the directory replication server uses the virtual host name. Further, the replicaID attribute that represents the unique replication identification for the Oracle Internet Directory node is generated once. It is independent of the host name and hence requires no special treatment in an Oracle Application Server Cold Failover Cluster (Infrastructure).
When communicating with the directory server, the directory integration and provisioning server uses the virtual host name.
The OPMN Control utility (opmnctl) enables you to manage Oracle Application Server components in an integrated way. If you use it to start an Oracle Internet Directory server, then you do not need to separately start OID Monitor or the directory-designated database. Instead, opmnctl starts those components for you.
|
Note: This section only discusses how to use the OPMN Control utility to start and stop Oracle Internet Directory servers. For detailed information on how to use the OPMN Control utility, see Oracle Process Manager and Notification Server Administrator's Guide. |
You can use opmnctl to do the following:
Start and stop a default, that is, out-of-the-box, directory server instance
On a given node, stop, then restart, all running Oracle Internet Directory servers—that is, directory servers, directory replication server, and directory integration and provisioning server
Once you have used opmnctl to start the default directory server, you cannot then use it to start or stop a particular instance of an Oracle Internet Directory server. To start or stop particular instances, do either of the following:
Use opmnctl to stop all running Oracle Internet Directory servers on a node, then use it to restart those same servers
Use opmnctl to start or stop the particular directory servers as described in "Starting and Stopping an Oracle Directory Server Instance by Using the OID Control Utility"
For example, to start a particular instance of a directory server:
Add a new configuration set entry for the new instance:
ldapadd -p port number -D cn-orcladmin -w password for orcladmin -f configset1
Start the new directory server instance with the new configuration set entry:
oidctl connect=connect string server=oidldapd instance=new instance number configset=1 start
To start the OID Monitor and a default instance of the directory server, enter:
opmnctl startproc ias-component=OID
To stop the OID Monitor and a default instance of the directory server, enter:
opmnctl stopproc ias-component=OID
To stop all running Oracle Internet Directory server instances, including the directory server, the directory replication server, and the directory integration and provisioning server, enter:
opmnctl stopproc ias-component=OID
To restart all of the Oracle Internet Directory servers that were previously stopped by using opmnctl, enter:
opmnctl startproc ias-component=OID
|
See Also: Oracle MetaLink Note276332.1—"How to Edit OPMN.XML to Start Additional OID Processes" available on Oracle MetaLink athttp://metalink.oracle.com/
|
The OID Diagnostic tool (oiddiag) collects diagnostic information that helps triage issues reported on OID. The tool connects to the database used as the Directory Store (also called Metadata Repository) of OID and reads the information. The tool makes no recommendations on potential fixes to issues. Rather, it collects information to help OID Support and Development understand a problem and determine its solution. The tool can collect four types of diagnostic information:
DIT
Data consistency
Server manageability statistics
System and process information
This section contains these topics:
|
Note: To collect server manageability information, you must configure server manageability. |
|
See Also: Oracle Internet Directory Administrator's Guide for information on configuring Oracle Internet Directory server manageability |
To invoke the OID server diagnostic tool, type:
oiddiag arguments
Table A-7 lists arguments to oiddag.
Table A-7 Arguments to oiddiag
| Argument | Description |
|---|---|
listdiags=true[targetfile=file_name]
|
Writes to an output file a list of the diagnostics that oiddiag can collect. The default file is $ORACLE_HOME/ldap/log/oiddiag.txt. You can specify a different output target file by using the targetfile argument.
|
collect_all = true[outfile=file_name]
|
Collects all the diagnostic information that oiddiag can collect and writes it to an output file. The default output file is $ORACLE_HOME/ldap/log/oiddiagtimestamp.log. The timestamp format is YYYYMMDDHHmmss. You can specify a different output file by using the outfile argument.
|
collect_sub = true[infile= input_file_name] [outfile= output_file_name]
|
Collects a sub-set of the diagnostic information and writes it to an output file. You must provide the specific list of diagnostics in an input file. The default input file is $ORACLE_HOME/ldap/log/oiddiag.txt . The default output file is $ORACLE_HOME/ldap/log/oiddiagtimestamp.log. The timestamp format is YYYYMMDDHHmmss. You can specify a different input or output file by using the infile or outfile argument, respectively.
|
If you use either the option collect_all=true or the option collect_sub=true, oiddiag prompts for the following parameters:
The fully domain-qualified database host name
The database listener port number
The database service name
The ODS database user password
You can find the hostname, port number and service name in the file tnsnames.ora. For example, in the following tnsnames.ora file, the hostname, port number and service names are, respectively, sun16.us.oracle.com, 1521, and orcl.us.oracle.com:
ORCL =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = sun16.us.oracle.com)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl.us.oracle.com)
)
)
The following are examples of oiddiag usage:
Write to the output file list.txt a list of the diagnostics that oiddiag can collect:
oiddiag listdiags=true targetfile=list.txt
Collect all the diagnostics and write them to the default output file:
oiddiag collect_all=true
Collect the specific diagnostics listed in the file diagin.txt and write them to the default output file:
oiddiag collect_sub=true infile=diagin.txt
This section tells you how to use the following tools:
|
Note: Various UNIX shells interpret some characters—for example, asterisks (*)—as special characters. Depending on the shell you are using, you may need to escape these characters. |
Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, the cn=catalogs entry lists available attributes that can be used in a search. You can index only those attributes that have:
An equality matching rule
Matching rules supported by Oracle Internet Directory
If you want to use additional attributes in search filters, then you must add them to the catalog entry. You can do this at the time you create the attribute by using Oracle Directory Manager. However, if the attribute already exists, then you can index it only by using the Catalog Management tool (catalog.sh).
Before running catalog.sh, be sure that the directory server is either stopped or in read-only mode. Otherwise, data will be inconsistent.
|
Caution: Do not use the catalog.sh-delete option on indexes created by the Oracle Internet Directory base schema. Removing indexes from base schema attributes can adversely impact the operation of Oracle Internet Directory.
|
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
The Catalog Management tool uses this syntax:
catalog.sh -connect connect_string {-add|-delete} {-attr attr_name|-file file_name}
Table A-8 Arguments for the Catalog Management Tool (catalog.sh)
| Argument | Description |
|---|---|
-connect connect_string
|
Specifies the connect string to connect to the directory database. This argument is mandatory.
See Also: Oracle9i Net Services Administrator's Guide in the Oracle Database Documentation Library |
-add -attr attr_name
|
Indexes the specified attribute |
-delete -attr attr_name
|
Drops the index from the specified attribute |
-add -file file_name
|
Indexes attributes (one for each line) in the specified file |
-delete -file file_name
|
Drops the indexes from the attributes in the specified file |
When you enter the catalog.sh command, the following message appears:
This tool can only be executed if you know the OiD user password. Enter OiD password:
If you enter the correct password, the command is executed. If you give an incorrect password, the following message is displayed:
Cannot execute this tool
To effect the changes after running the Catalog Management tool, stop, then restart, the Oracle directory server.
|
See Also:
|
The ldapadd command-line tool enables you to add entries, their object classes, attributes, and values to the directory. To add attributes to an existing entry, use the ldapmodify command, explained in "ldapmodify Syntax".
|
See Also: The chapter on directory server administration in Oracle Internet Directory Administrator's Guide for an explanation of using ldapadd to configure a server with an input file |
ldapadd uses this syntax:
ldapadd[arguments] -f file_name
where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".
The following example adds the entry specified in the LDIF file my_ldif_file.ldi:
ldapadd -p 389 -h myhost -f my_ldif_file.ldi
Table A-9 Arguments for ldapadd
| Optional Arguments | Description |
|---|---|
-b
|
Specifies that you have included binary file names in the file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced. |
-c
|
Tells ldapadd to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapadd stops when it encounters an error.) |
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E "character_set"
|
Specifies native character set encoding. See the appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
-f file_name
|
Specifies the input name of the LDIF format import data file. For a detailed explanation of how to format an LDIF file, see "LDAP Data Interchange Format (LDIF) Syntax". |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-K
|
Same as -k, but performs only the first step of the Kerberos bind
|
-k
|
Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined.You must already have a valid ticket granting ticket. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-n
|
Shows what would occur without actually performing the operation |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p directory_server_port_number
|
Connects to the directory on TCP port directory_server_port_number. If you do not specify this option, then the tool connects to the default port (389).
|
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-v
|
Specifies verbose mode |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections.
For example, on UNIX, you could set this parameter as follows: On Windows NT, you could set this parameter as follows: |
-X dsml_file
|
Specifies the input name of the DSML format import data file. |
ldapaddmt is like ldapadd: It enables you to add entries, their object classes, attributes, and values to the directory. It is unlike ldapadd in that it supports multiple threads for adding entries concurrently.
While it is processing LDIF entries, ldapaddmt logs errors in the add.log file in the current directory.
ldapaddmt -T number_of_threads -h host -p port -f file_name
where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".
The following example uses five concurrent threads to process the entries in the file myentries.ldif.
ldapaddmt -T 5 -h node1 -p 3000 -f myentries.ldif
Table A-10 Arguments for ldapaddmt
| Optional Arguments | Description |
|---|---|
-b
|
Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced. |
-c
|
Tells the tool to proceed in spite of errors. The errors will be reported. (If you do not use this option, the tool stops when it encounters an error.) |
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry is specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E "character_set"
|
Specifies native character set encoding. See the appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
-h ldap_host
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-K
|
Same as -k, but performs only the first step of the kerberos bind |
-k
|
Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-n
|
Shows what would occur without actually performing the operation. |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-T
|
Sets the number of threads for concurrently processing entries |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-v
|
Specifies verbose mode |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
-X dsml_file
|
Specifies the input name of the DSML format import data file. |
The ldapbind command-line tool enables you to see whether you can authenticate a client to a server.
ldapbind uses this syntax:
ldapbind [arguments]
Table A-11 Arguments for ldapbind
| Arguments | Description |
|---|---|
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E ".character_set"
|
Specifies native character set encoding. See the appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
| -n | Shows what would occur without actually performing the operation |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password
|
Specifies the wallet password required for one-way or two-way SSL connections |
-U SSLAuth
|
Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
-O sasl_security_properties
|
Specifies SASL security properties. The security property supported is -O "auth". This security property is for DIGEST-MD5 SASL mechanism. It enables authentication with no data integrity or data privacy. |
-Y sasl_mechanism
|
Specifies a SASL mechanism. These mechanisms are supported:
|
-R sasl_realm
|
Specifies a SASL realm |
The ldapcompare command-line tool enables you to match attribute values you specify in the command line with the attribute values in the directory entry.
ldapcompare [arguments]
The following example tells you whether Person Nine's title is associate.
ldapcompare -p 389 -h myhost -b "cn=Person Nine,ou=EuroSInet Suite,o=IMC,c=US" -a title -v associate
Table A-12 Arguments for ldapcompare
| Optional Arguments | Description |
|---|---|
-a attribute name
|
Specifies the attribute on which to perform the compare. This argument is mandatory. |
-b "basedn"
|
Specifies the distinguished name of the entry on which to perform the compare. This argument is mandatory. |
-v attribute_value
|
Specifies the attribute value to compare. This argument is mandatory. |
-D binddn
|
When authenticating to the directory, specifies doing so as the entry is specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-d debug_level
|
Sets the debugging level. See the section on setting the debug logging level by using OIDCTL in Oracle Internet Directory Administrator's Guide. |
| -E "character_set" | Specifies native character set encoding. See the appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
-f file_name
|
Specifies the input file name |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
|
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Windows NT, you could set this parameter as follows: |
The ldapdelete command-line tool enables you to remove entire entries from the directory that you specify in the command line.
ldapdelete [arguments] ["entry_DN" | -f input_file_name]
|
Note: If you specify the entry DN, then do not use the-f option.
|
The following example uses port 389 on a host named myhost.
ldapdelete -p 389 -h myhost "ou=EuroSInet Suite, o=IMC, c=US"
Table A-13 Arguments for ldapdelete
| Optional Argument | Description |
|---|---|
-D "binddn"
|
When authenticating to the directory, uses a full DN for the binddn parameter—that is, the DN of the user seeking authentication; typically used with the -w password option.
|
-d debug_level
|
Sets the debugging level. See the section on setting the debug logging level by using OIDCTL in Oracle Internet Directory Administrator's Guide. |
| -c | Tells ldapdelete to proceed in spite of errors. The errors will be reported. (If you do not use this option, then ldapdelete stops when it encounters an error.) |
-E "character_set"
|
Specifies native character set encoding. See the appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
-f input_file_name
|
Specifies the input file name |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
|
| -k | Authenticates using authentication instead of simple authentication. To enable this option, you must compile with Kerberos defined. You must already have a valid ticket granting ticket. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
| -n | Shows what would be done, but doesn't actually delete |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth
|
Specifies SSL authentication mode:
|
| -v | Specifies verbose mode |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect. |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Windows NT, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet".
|
The ldapmoddn command-line tool enables you to modify the DN or RDN of an entry.
The ldapmoddn command-line tool uses this syntax:
ldapmoddn [arguments]
The following example uses ldapmoddn to modify the RDN component of a DN from "cn=mary smith" to "cn=mary jones". It uses port 389, and a host named myhost.
ldapmoddn -p 389 -h myhost -b "cn=mary smith,dc=Americas,dc=imc,dc=com" -R "cn=mary jones"
Table A-14 Arguments for ldapmoddn
| Argument | Description |
|---|---|
-b "basedn"
|
Specifies DN of the entry to be moved. This argument is mandatory. |
-D "binddn"
|
When authenticating to the directory, do so as the entry is specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E "character_set"
|
Specifies native character set encoding. See the appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
-f file_name
|
Specifies the input file name |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-N newparent
|
Specifies new parent of the RDN. Either this argument or the -R argument must be specified. |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-r
|
Specifies that the old RDN is not retained as a value in the modified entry. If this argument is not included, the old RDN is retained as an attribute in the modified entry. |
-R newrdn
|
Specifies new RDN. Either this argument or the -N argument must be specified. |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect. |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Windows NT, you could set this parameter as follows: |
The ldapmodify tool enables you to act on attributes.
ldapmodify [arguments] -f file_name
where file_name is the name of an LDIF file written with the specifications explained the section "LDAP Data Interchange Format (LDIF) Syntax".
The list of arguments in the following table is not exhaustive. These arguments are all optional.
Table A-15 Arguments for ldapmodify
| Argument | Description |
|---|---|
-a
|
Denotes that entries are to be added, and that the input file is in LDIF format. |
-b
|
Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. |
-c
|
Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.) |
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry is specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E "character_set"
|
Specifies native character set encoding. See the appendix on globalization support in Oracle Internet Directory Administrator's Guide... |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
|
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-n
|
Shows what would occur without actually performing the operation. |
-o log_file_name
|
Can be used with the -c option to write the erroneous LDIF entries in the logfile. You must specify the absolute path for the log file name.
|
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
|
| -P wallet_password | Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-v
|
Specifies verbose mode |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option.
|
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Windows NT, you could set this parameter as follows: |
To run modify, delete, and modifyrdn operations using the -f flag, use LDIF for the input file format (see "LDAP Data Interchange Format (LDIF) Syntax") with the specifications noted in this section:
If you are making several modifications, then, between each modification you enter, add a line that contains a hyphen (-) only. For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: modify add: work-phone work-phone: 510/506-7000 work-phone: 510/506-7001 - delete: home-fax
Unnecessary space characters in the LDIF input file, such as a space at the end of an attribute value, will cause the LDAP operations to fail.
Line 1: Every change record has, as its first line, the literal dn: followed by the DN value for the entry, for example:
dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
Line 2: Every change record has, as its second line, the literal changetype: followed by the type of change (add, delete, modify, modrdn), for example:
changetype: modify
or
changetype: modrdn
Format the remainder of each record according to the following requirements for each type of change:
Uses LDIF format (see "LDAP Data Interchange Format (LDIF) Syntax").
The lines that follow this changetype consist of changes to attributes belonging to the entry that you identified previously in Line 1. You can specify three different types of attribute modifications—add, delete, and replace—which are explained next:
Add attribute values. This option to changetype modify adds more values to an existing multi-valued attribute. If the attribute does not exist, it adds the new attribute with the specified values:
add: attribute name attribute name: value1 attribute name: value2...
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: modify add: work-phone work-phone: 510/506-7000 work-phone: 510/506-7001
Delete values. If you supply only the delete line, all the values for the specified attribute are deleted. Otherwise, if you specify an attribute line, you can delete specific values from the attribute:
delete: attribute name [attribute name: value1]
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: modify delete: home-fax
Replace values. Use this option to replace all the values belonging to an attribute with the new, specified set:
replace: attribute name [attribute name: value1 ...]
If you do not provide any attributes with replace, then the directory adds an empty set. It then interprets the empty set as a delete request, and complies by deleting the attribute from the entry. This is useful if you want to delete attributes that may or may not exist.
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: modify replace: work-phone work-phone: 510/506-7002
This change type deletes entries. It requires no further input, since you identified the entry in Line 1 and specified a changetype of delete in Line 2.
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: delete
The line following the change type provides the new relative distinguished name using this format:
newrdn: RDN
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: modrdn newrdn: cn=Barbara Fritchy-Blomberg
To specify an attribute as single-valued, include in the attribute definition entry in the LDIF file the keyword SINGLE-VALUE with surrounding white space.
Example: Using ldapmodify to Add an Attribute
This example adds a new attribute called myAttr. The LDIF file for this operation is:
dn: cn=subschemasubentry changetype: modify add: attributetypes attributetypes: (1.2.3.4.5.6.7 NAME 'myAttr' DESC 'New attribute definition' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
On the first line, enter the DN specifying where this new attribute is to be located. All attributes and object classes they are stored in cn=subschemasubentry.
The second and third lines show the proper format for adding a new attribute.
The last line is the attribute definition itself. The first part of this is the object identifier number: 1.2.3.4.5.6.7. It must be unique among all other object classes and attributes. Next is the NAME of the attribute. In this case the attribute NAME is myAttr. It must be surrounded by single quotes. Next is a description of the attribute. Enter whatever description you want between single quotes. At the end of this attribute definition in this example are optional formatting rules to the attribute. In this case we are adding a matching rule of EQUALITY caseIgnoreMatch and a SYNTAX of Directory String. This example uses the object ID number of 1.3.6.1.4.1.1466.115.121.1.15 instead of the SYNTAXES name which is "Directory String".
Put your attribute information in a file formatted like this example. Then run the following command to add the attribute to the schema of your Oracle directory server.
ldapmodify -h yourhostname -p 389 -D "orcladmin" -w "welcome" -v -f /tmp/newattr.ldif
This ldapmodify command assumes that your Oracle directory server is running on port 389, that your super user account name is orcladmin, that your super user password is welcome and that the name of your LDIF file is newattr.ldif. Substitute the host name of your computer where you see yourhostname.
If you are not in the directory where the LDIF file is located, then you must enter the full directory path to the file at the end of your command. This example assumes that your LDIF file is located in the /tmp directory.
The ldapmodifymt command-line tool enables you to modify several entries concurrently.
ldapmodifymt uses this syntax:
ldapmodifymt -T number_of_threads [arguments] -f file_name
where file_name is the name of an LDIF file written with the specifications explained the section "LDAP Data Interchange Format (LDIF) Syntax".
The following example uses five concurrent threads to modify the entries in the file myentries.ldif.
ldapmodifymt -T 5 -h node1 -p 3000 -f myentries.ldif
|
Note: The ldapmodifymt tool logs error messages in the fileadd.log, which is located in the directory where you are running the command.
|
The arguments in the following table are all optional.
Table A-16 Arguments for ldapmodifymt
| Argument | Description |
|---|---|
-a
|
Denotes that entries are to be added, and that the input file is in LDIF format. (If you are running ldapadd, this flag is not required.) |
-b
|
Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. |
-c
|
Tells ldapmodifymt to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.) |
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry is specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E "character_set"
|
Specifies native character set encoding. See the appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-n
|
Shows what would occur without actually performing the operation. |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-T
|
Sets the number of threads for concurrently processing entries |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-v
|
Specifies verbose mode |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option. |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Windows NT, you could set this parameter as follows: |
The ldapsearch command-line tool enables you to search for and retrieve specific entries in the directory.
The ldapsearch tool uses this syntax:
ldapsearch [arguments]filter[attributes]
The filter format must be compliant with RFC-2254.
|
See Also: RFC-2254 available athttp://www.ietf.org for further information about the standard for the filter format
|
Separate attributes with a space. If you do not list any attributes, all attributes are retrieved.
|
Note:
|
Table A-17 Arguments for ldapsearch
| Argument | Description |
|---|---|
-b "basedn"
|
Specifies the base DN for the search. This argument is mandatory. |
-s scope
|
This argument is mandatory. Specifies search scope: base, one, or sub Base: Retrieves a particular directory entry. Along with this search depth, you use the search criteria bar to select the attribute objectClass and the filter Present. One Level: Limits your search to all entries beginning one level down from the root of your search Subtree: Searches entries within the entire subtree, including the root of your search
|
-A
|
Retrieves attribute names only (no values) |
-a deref
|
Specifies alias dereferencing: never, always, search, or find |
-B
|
Allows printing of non-ASCII values |
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-d debug level
|
Sets debugging level to the level specified (see the section on setting the debug logging level in Oracle Internet Directory Administrator's Guide) |
-E "character_set"
|
Specifies native character set encoding. See the appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
-f file
|
Performs sequence of searches listed in file |
-F sep
|
Prints sep instead of = between attribute names and values
|
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
|
-L
|
Prints entries in LDIF format (-B is implied)
|
-l timelimit
|
Specifies maximum time (in seconds) to wait for ldapsearch command to complete |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-n
|
Shows what would be done without actually searching |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
|
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-S attr
|
Sorts the results by attribute attr |
-t
|
Writes to files in /tmp
|
-u
|
Includes user-friendly entry names in the output |
-U SSLAuth
|
Specifies the SSL authentication mode:
|
-v
|
Specifies verbose mode |
-w passwd
|
Specifies bind passwd for simple authentication |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Windows NT, you could set this parameter as follows: |
-z sizelimit
|
Specifies maximum number of entries to retrieve |
-X
|
Prints the entries in DSML v1 format. |
Study the following examples to see how to build your own search commands.
The following example performs a base-level search on the directory from the root.
ldapsearch -p 389 -h myhost -b "" -s base -v "objectclass=*"
-b specifies base DN for the search, root in this case.
-s specifies whether the search is a base search (base), one level search (one) or subtree search (sub).
"objectclass=*" specifies the filter for search.
The following example performs a one level search starting at "ou=HR, ou=Americas, o=IMC, c=US".
ldapsearch -p 389 -h myhost -b "ou=HR, ou=Americas, o=IMC, c=US" -s one -v "objectclass=*"
The following example performs a subtree search and returns all entries having a DN starting with "cn=us".
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*"
The following example actually retrieves only two entries, even if there are more than two matches.
ldapsearch -h myhost -p 389 -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s one "objectclass=*"
The following example returns only the DN attribute values of the matching entries:
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "objectclass=*" dn
The following example retrieves only the distinguished name along with the surname (sn) and description (description) attribute values:
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description
The following example retrieves entries with common name (cn) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.
ldapsearch -p 389 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"
Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following example does not return John's entry:
ldapsearch -p 389 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"
The following example retrieves all user attributes and the createtimestamp and orclguid operational attributes:
ldapsearch -p 389 -h myhost -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s sub "cn=Person*" * createtimestamp orclguid
The following example retrieves entries modified by Anne Smith:
ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifiersname=cn=Anne Smith))"
The following example retrieves entries modified between 01 April 2001 and 06 April 2001:
ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifytimestamp >= 20000401000000) (modifytimestamp <= 20000406235959))"
|
Note: Becausemodifiersname and modifytimestamp are not indexed attributes, use catalog.sh to index these two attributes. Then, restart the Oracle directory server before issuing the two previous ldapsearch commands.
|
Each of the following examples searches on port 389 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us".
The following example searches for all entries with any value for the objectclass attribute.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"
The following example searches for all entries that have orcl at the beginning of the value for the objectclass attribute.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=orcl*"
The following example searches for entries where the objectclass attribute begins with orcl and cn begins with foo.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(&(objectclass=orcl*)(cn=foo*))"
The following example searches for entries in which the common name (cn) is not foo.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(!(cn=foo))"
The following example searches for entries in which cn begins with foo or sn begins with bar.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(|(cn=foo*)(sn=bar*))"
The following example searches for entries in which employeenumber is less than or equal to 10000.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "employeenumber<=10000"
This section contains these topics:
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
|
Note: All bulk tools require you to enter the correct password to access the ODS database. |
The bulkdelete command-line tool enables you to delete a subtree efficiently. It can be used when both an Oracle directory server and Oracle directory replication servers are in operation. It uses a SQL interface to benefit performance. For this release, the bulkdelete tool runs on only one node at a time.
|
Note: Make sure that when bulkmodify is invoked, server-side entry cache is disabled. |
This tool does not support filter-based deletion. That is, it deletes an entire subtree below the root of the subtree. If the base DN is a user-added DN, rather than a DN created as part of the installation of the directory, it is included in the delete. You must restrict LDAP activity against the subtree during deletion.
The bulkdelete tool uses this syntax:
bulkdelete.sh -connect connect_string -base "base_dn" -size number_of_entries -encode "character_set"
Table A-18 Arguments for bulkdelete
| Mandatory Argument | Description |
|---|---|
-connect connect_string
|
Specifies the connect string to connect to the directory database. This argument is mandatory.
See Also: Oracle9i Net Services Administrator's Guide in the Oracle Database Documentation Library |
-base "base_dn"
|
Specifies the base DN of the subtree to be deleted. This argument is mandatory. |
-size number_of_entries
|
Specifies the number of entries to be committed as a part of one transaction. |
-encode "character_set"
|
Specifies native character set encoding.
See Also: The appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
This section contains these topics:
The bulkload command-line tool is useful for loading large number of entries to a directory server. It uses Oracle SQL*Loader to load directory entries. The bulkload tool expects the input file to be in LDIF.
|
See Also:
|
The bulkload tool performs its operation in following phases:
Check
In the check phase, all entries of LDIF files are verified for valid LDAP schema and duplicate entries. If there are any errors reported by bulkloader, then the user needs to rectify the error and retry bulkload.
Generate
In the generate phase, the LDIF input is converted into intermediate files that can be used by SQL*Loader to load the data into the Oracle Internet Directory directory store.
Load
The Intermediate files generated in generate phase are loaded into the Oracle Database which is the Oracle Internet Directory directory store. Bulkloader supports two types of loading of data:
Incremental Mode Loading
Incremental mode enables you to append data to existing directory data. Loading in this mode is faster than other "add" methods, but slower than bulk mode loading.
Use this mode when you want to append a small amount of data. Here, "small amount" is a relative number. It depends upon existing data in directory, the amount of data to be loaded, and the hardware capabilities to handle the load.
In this mode, bulkload does not drop and rebuild catalog indexes. Instead, it uses SQL*Loader in insert mode to add data to the database and update indexes through inserts.
To invoke incremental mode, you must specify -append along with other options.
When using bulkload in incremental mode, you must put the directory server in the read-modify mode. During read-modify mode, search and modify operations are allowed but add, delete, and modifyDN operations are restricted.
|
See Also: Oracle Internet Directory Administrator's Guide for instructions on using Oracle Directory Manager to set access rights |
Bulk Mode Loading
In bulk mode, you must be able to add or append large number of entries to a directory. By default, bulkload runs in bulk mode. Bulk mode is faster than incremental mode.
In bulk mode, all Oracle Internet Directory server instances should be stopped. In this mode, Bulkloader drops existing indexes and re-creates them after loading of data. For data loading, it uses SQL*Loader direct-path mode.
Index Creation
After the load is complete, the indexes are re-created if the load was done in "bulk" mode. Also, the bulkload tool provides an option just to re-create all indexes. This is useful in case if previous index creation was unsuccessful for some reason.
Directory Data Recovery
A failure in the 'load' phase of bulkload operation can leave directory data in inconsistent state. The bulkload tool can revert back to original state that existed prior to the invocation of bulkload. Use the -recover option to recover directory data in case of Bulkload failure.
The bulkload tool can be used in single node as well as multiple node environments.
Single Node Environment
Loading in 'bulk' mode
The typical usage scenario is to load directory data after Oracle Internet Directory installation. You would want to 'check' the LDIF file for schema errors, 'generate' the intermediate files and 'load' the data into the Oracle Internet Directory store. The 'parallel' option is normally faster since the load and index creation happens in parallel. The invocation of bulkload will be something like:
bulkload.sh -connect coonect_string -check -generate -load -parallel LDIF_file
You can break this operation into separate 'check, 'generate' and 'load' invocations. The 'check' can also be avoided if the LDIF data is from another Oracle Internet Directory directory node.
Loading in 'incremental' or 'append' Mode
If you need to add directory entries to an Oracle Internet Directory store already containing some user LDIF data, then use the 'incremental' or 'append' mode. This mode is normally faster than other methods of adding entries to the directory. However, be sure that the directory server instances are in read-modify mode before bulkload begins to append data. The typical invocation of bulkload will be something like:
bulkload.sh -connect coonect_string -check -generate -load -append LDIF_file
Index recreation
The bulkload operation either updates or creates the indexes. However, due to issues like improper sizing, the indexes may not be updated or created properly. For this reason, the bulkload tool enables you to re-create all the indexes. The invocation of bulkload is:
bulkload.sh -connect coonect_string -index
Data recovery on errors
Due to issues like improper disk sizing, the 'load' phase of bulkload may fail. If this happens, then directory data can be inconsistent. For this reason, bulkloader enables you to recover the directory data to the state that existed prior to the invocation of bulkload. The invocation is:
bulkload.sh -connect coonect_string -recover
Multi-Node Environment
Bulk Mode Loading
Specify the connect strings of all the Oracle Internet Directory nodes involved. The invocation of the bulkload tool is something like:
bulkload.sh -connect "coonect_string1 coonect_string2 coonect_string2" -check -generate -load -parallel LDIF_file
The bulkload tool does the following:
It prompts the user to put all Oracle Internet Directory LDAP servers on all the nodes in 'read-modify' mode.
It prompts the user to bring down the Oracle Internet Directory servers on the node corresponding to connect_string1
The 'check' and 'generate' are performed on the node corresponding to connect_string1
The 'load' is performed on the node corresponding to connect_string1
The bulkload tool prompts the user to bring up the Oracle Internet Directory servers on the node corresponding to connect_string1
Steps 2, 4 and 5 are repeated for all the nodes.
Now, all the Oracle Internet Directory servers can be changed to read/write mode.
Incremental Mode Loading
Here, the approach is the same as in bulk mode loading except that the Oracle Internet Directory servers need not be shut down. All of them must be in 'read-only' mode.
After generating a file with the generate option, you can use the load option to load multiple computers with the identical SQL*Loader file. Do this only when creating a new replica node.
|
See Also: The chapter on Oracle directory replication administration in Oracle Internet Directory Administrator's Guide |
When you load the same data into multiple nodes in a replicated network, ensure that the orclGUID parameter (global IDs) is consistent across all the nodes. You can accomplish this by generating the bulkload data file once only (using the -generate option), and then using the same data file to load the other nodes (using the -load option).
In multi-node environments, be sure that all nodes have same schema before running the bulkload tool.
If you see bad entries logged in badentry.ldif but do not rectify them, then data can be inconsistent.
The 'check' mode of the bulkload tool does not check and report the lack of parent-child relationships between entries.
The 'incremental' or 'append' mode is only for adding new entries—and not new attribute values—to existing entries.
In multi-node environments, the first connect string specified must refer to the local node.
The bulkload tool uses this syntax:
bulkload.sh -connect connect_string <[-check] [-generate] [-restore]
[-numThread] [-parallel] [-encode] [-append]
[-load] | [-index] | [-recover] absolute_path_to_LDIF_data_file
Table A-19 lists and describes the arguments.
Table A-19 Arguments for bulkload.sh
| Argument | Description | Mandatory? |
|---|---|---|
-connect
|
Specifies the net service name defined in the tnsnames.ora file. For loading data in single node, specify its connect-string—for example orcl. For loading data in multiple nodes, specify connect-strings of all nodes—for example, orcl1 orcl2 orcl3
See Also: Oracle9i Net Services Administrator's Guide in the Oracle Database Documentation Library |
Yes |
-check
|
Checks LDAP schema for inconsistencies and for existence of duplicate DNs in the file | No |
-generate
|
Creates intermediate files suitable for loading into Oracle Internet Directory using SQL*Loader | No |
-restore
|
Assumes operational attributes, such as orclguid, creatorsname, and createtimestamp, are already present in the specified LDIF file. When used with -generate, bulkload.sh avoids creating duplicate operational attribute values in the output SQL*Loader files. When used with -check, bulkload.sh suppresses errors associated with finding pre-existing operational attribute values in LDIF files.
|
No |
-numThread n
|
Specifies the number of threads to be created. - numThread is useful only in -generate mode. The default value is number of CPUs on machine + 1 | No |
-parallel
|
Specifies that the loading should be done in parallel. Useful with -load option | No |
-encode
|
Specifies native character set encoding
See Also: The appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
No |
-append
|
Specifies append incremental mode (Default is bulkmode append) | No |
-load
|
Loads files resulting from generate phase into specified database | No |
-index
|
Re-creates indexes on all catalog tables | No |
-recover
|
In case of bulkload.sh failure, recovers directory with original data | No |
-file_name
|
Absolute path of ldif file | No |
The LDIF data file path must be fully specified for check or generate operations.
While calling bulkload at least one of -check, -generate, -load, -recover or -index actions must be specified.
There are certain combinations of options that should be called together for effective bulkloading.
The -restore flag should only be used when ldif file contains operational attributes such as orclguid, creatorsname, and so forth.
The path name to the LDIF data file should be fully specified, and the data file must be specified for the -check or -generate actions.
-numThread is useful only if given with -generate option.
-parallel should be called with -load only.
-recover or -index should not be specified with any other option.
|
See Also: The chapter on Oracle directory replication administration in Oracle Internet Directory Administrator's Guide for further information and resources for bulkloading multiple nodes in a replicated environment |
The bulkmodify command-line tool enables you to modify a large number of existing entries in an efficient way. The bulkmodify tool supports the following:
Subtree based modification
A single attribute filter. For example, the filter could be objectclass=*, objectclass=oneclass, or telephonenumber=*.
Attribute value addition and replacement. It modifies all matched entries in bulk.
The bulkmodify tool performs schema checking on the specified attribute name and value pair during initialization. All entries that meet the following criteria are modified:
They are under the specified subtree.
They meet the single filter condition.
They contain the attribute to be modified as either mandatory or optional.
The directory server and directory replication server may be running concurrently while bulk modification is in progress, but the bulk modification does not affect the replication server. You must perform bulk modification against all replicas.
You must restrict user access to the subtree during bulk modification. If necessary, ACI restriction can be applied to the subtree being updated by bulkmodify.
You cannot use bulkmodify to add a value to single-valued attributes that already contain one value. If a second value is added, you must alter the directory schema to make that attribute multi-valued.
The bulkmodify tool uses this syntax:
bulkmodify -c connect_string -b "base_dn" {-a|-r} attr_name -v att_value [-f filter] [-s size]
Table A-20 Arguments for bulkmodify
| Argument | Description |
|---|---|
-c connect_string
|
Specifies the connect string for the directory database. This argument is mandatory.
See Also: Oracle9i Net Services Administrator's Guide in the Oracle Database Documentation Library |
-b "base_dn"
|
Specifies the base DN of the subtree to be modified. This argument is mandatory. |
-a attr_name
|
Specifies the attribute name for addition. This argument is mandatory. |
-r attr_name
|
Specifies the attribute name for replacement. This argument is mandatory. |
-v attr_value
|
Specifies the attribute value for either addition or replacement. This argument is mandatory. |
-f filter
|
Specifies the filter to be used |
-s number_of_entries
|
Specifies the number of entries to be committed as a part of one transaction. If not specified, default is 100. |
-E "character_set"
|
Specifies native character set encoding. See the appendix on globalization support in Oracle Internet Directory Administrator's Guide. |
The filter specified with the -f option must contain a single attribute.
If a filter is not specified, the default filter objectclass=* is assumed.
There can be only one attribute name specified in the -a or -r option in each execution.
There can be only one value specified in the -v option in each execution. For example, the following bulkmodify command adds the telephone number 408-123-4567 to the entries of all employees who have Anne Smith as their manager:
bulkmodify -c my_database -b "c=US" -a telephoneNumber -v "408-123-4567" -f "manager=Anne Smith"
To assure that the modified entries are read, after completing the bulkmodify procedure, restart the Oracle Internet Directory server.
The ldifwrite command-line tool enables you to convert to LDIF all or part of the information residing in an Oracle Internet Directory. Once you have converted the information, you can load it into a new node in a replicated directory or another node for backup storage.
|
Note: The ldifwrite tool output does not include operational data of the directory itself—for example,cn=subschemasubentry, cn=catalogs, and cn=changelog entries. To export these entries into LDIF format, use ldapsearch with the -L flag.
|
The ldifwrite tool performs a subtree search, including all entries below the specified DN, including the DN itself.
The ldifwrite tool uses this syntax:
ldifwrite [ -c connect_string ] -b "base_DN" -f file_name [ -E encoding ] [ -t num_threads ]
Table A-21 Arguments for ldifwrite
| Mandatory Argument | Description |
|---|---|
-c connect_string
|
Specifies the net service name for the directory that is the source of the data, as defined in the tnsnames.ora file. This argument is mandatory.
See Also: Oracle9i Net Services Administrator's Guide in the Oracle Database Documentation Library |
-b "base_dn"
|
Specifies the base of the subtree to be written out in LDIF format. This argument is mandatory.
If the base DN is the replication agreement entry, then you can back up part of the naming context based on the LDAP naming context configuration. In this case, the syntax is:
See Also: The section on rules for partial replication filtering in Oracle Internet Directory Administrator's Guide |
-f file_name
|
Specifies the name of the LDIF file to be created. This argument is mandatory. |
-E "character_set"
|
Specifies native character set encoding.
See Also: See the appendix on globalization support in Oracle Internet Directory Administrator's Guide, specifically the section on using globalization support with ldifwrite |
-t num_threads
|
Specifies the number of threads used to read data from the directory store and write LDIF output to a file. The default is the number of CPUs + 1. |
This example writes all the entries under ou=Europe,o=imc,c=us into the output1.ldi file.
ldifwrite -c nldap -b "ou=Europe, o=imc, c=us" -f output1.ldif
All the arguments are mandatory.
The LDIF file and the intermediate file are always written to the current directory.
The ldifwrite tool includes the operational attributes of each entry in the directory, including createtimestamp, creatorsname, and orclguid.
When prompted for the Oracle Internet Directory password, enter the password of the ODS database user account. The default password is ods.
This example uses the following naming context objects defined in partial replication:
dn: cn=includednamingcontext000001,
cn=replication namecontext,
orclagreementid=000001,
orclreplicaid=node replica identifier,
cn=replication configuration
orclincludednamingcontexts: c=us
orclexcludednamingcontexts: ou=Americas, c=us
orclexcludedattributes: userpassword
objectclass: top
objectclass: orclreplnamectxconfig
In this example, all entries under c=us are backed up except ou=Americas,c=us. The userpassword attribute is also excluded. The command is
ldifwrite -c connect_string -b "cn=includednamingcontext000001,cn=replication namecontext,orclagreementid=000001,orclreplicaid=node replica identifier,cn=replication configuration" -f file_name
The schemasync tool enables you to synchronize schema elements—namely attributes and object classes—between an Oracle directory server and third-party LDAP directories.
The usage for schemasync is as follows:
$ORACLE_HOME/bin/schemasync
-srchost source_LDAP_directory -srcport source_LDAP_port_numbert -srcdn privileged_DN_in_source_directory_to_access_schema -srcpwd password -dsthost destination_LDAP_directory -dstport destination_LDAP_port -dstdn privileged_dn_in_destination_directory_to_access_schema -dstpwd password [-ldap]
|
Note: the -ldap parameter is optional. If it is specified, then the schema changes are applied directly from the source LDAP directory to the destination LDAP directory. If it is not specified, then the schema changes are placed in the following LDIF files:
if you do not specify - |
The errors that occur during schema synchronization are logged in the following log files:
$ORACLE_HOME/ldap/odi/log/attributetypes.log
$ORACLE_HOME/ldap/odi/log/objectclasses.log
To register an Oracle directory integration and provisioning server with the directory, this tool creates an entry in the directory and sets the password for the directory integration and provisioning server. If the registration entry already exists, then you can use the tool to reset the existing password. The odisrvreg tool also creates a local file called odisrvwallet_hostname, at $ORACLE_HOME/ldap/odi/conf. This file acts as a private wallet for the directory integration and provisioning server, which uses it on startup to bind to the directory.
Table A-22 describes the parameters that you use with the Oracle Directory Integration and Provisioning Server Registration Tool. You can also run odisrvreg in SSL mode to make communication between the tool and the directory fully secure, using the -U, -W, and -P parameters that are also described in Table A-22.
To register the directory integration and provisioning server, enter this command:
odisrvreg -h host_name -p port -D binddn -w bindpasswd [-U ssl_mode -W wallet –P wallet_password]
Table A-22 Arguments for the ODISRVREG Tool
| Argument | Description |
|---|---|
-h host_name
|
Oracle directory server host name |
-p port_number
|
Port number on which the directory server is running |
-D binddn
|
Bind DN. The bind DN must have authorization to create the registration entry for the directory integration and provisioning server |
-lhost
|
In an Oracle Application Server Cold Failover Cluster (Infrastructure), the virtual hostname |
-w bindpasswd
|
Bind password |
-U SSL mode
|
For no authorization, specify 0. For one-way authorization, specify 1.
|
-W Wallet location
|
Location of the Oracle Wallet containing the SSL certificate |
-P Wallet password
|
Wallet password to open the Oracle wallet |
The Directory Integration and Provisioning Assistant (dipassistant) is a command-line tool for administering the Oracle directory integration and provisioning server. The syntax for the Directory Integration and Provisioning Assistant is:
dipassistant [-gui | command] [-help] command := createprofile [cp] | createprofilelike [cpl] | modifyprofile [mp] | deleteprofile [dp] | listprofiles[lp | lsprof] | showprofile[sp] | expressconfig[ec] | bootstrap [bs] | wpasswd [wp] | chgpasswd [cpw] | reassociate [rs]
For help on a particular command, enter:
dipassistant command -help
Table A-23 lists the tasks you can perform with the Directory Integration and Provisioning Assistant. It also points you to instructions for performing each task.
Table A-23 Summary of Functionality of the Directory Integration and Provisioning Assistant
| Tasks | Commands | More Information |
|---|---|---|
| Use the Oracle Directory Integration and Provisioning Server Administration tool, which is the graphical version of the Directory Integration and Provisioning Assistant | -gui
|
"The Oracle Directory Integration and Provisioning Server Administration Tool"
|
| Create, modify, or delete a synchronization profile | createprofile
|
"Creating, Modifying, and Deleting Synchronization Profiles"
|
| See all the profile names in Oracle Internet Directory | listprofiles
|
"Listing All Synchronization Profiles in Oracle Internet Directory"
|
| See the details of a specific profile | showprofile
|
"Viewing the Details of a Specific Synchronization Profile"
|
| Creates and configures import and export profiles for synchronization with Microsoft Active Directory | expressconfig
|
"Performing an Express Configuration of the Active Directory Connector Profiles"
|
| Make Oracle Internet Directory and the connected directory identical before beginning synchronization | bootstrap
|
"Bootstrapping a Directory by Using the Directory Integration and Provisioning Assistant"
|
| Set the wallet password that the Oracle directory integration and provisioning server later uses to connect to Oracle Internet Directory | wpasswd
|
"Setting the Wallet Password for the Oracle Directory Integration and Provisioning Server"
|
| Reset the password of the administrator of the Oracle Directory Integration Platform | chgpasswd
|
"Changing the Password of the Administrator of Oracle Directory Integration and Provisioning"
|
| Move integration profiles from one identity management node to another | reassociate
|
"Moving an Integration Profile to a Different Identity Management Node"
|
The syntax for creating, modifying, or deleting synchronization profiles by using the Directory Integration and Provisioning Assistant is:
dipassistant createprofile [-h hostName] [-p port] [-D bindDn] [-w password] -f fileName -configset Configset Number dipassistant createprofilelike [-h hostName] [-p port] [-D bindDn] [-w password] -profile origProfName -newprofile newProfName dipassistant modifyprofile [-h hostName] [-p port] [-D bindDn] [-w password] {-f fileName | -profile profName [-updlcn] } [propName1=value] [propName2=value]... dipassistant deleteprofile -profile profName [-h hostName] [-p port] [-D bindDn] [-w password] [-configset Configset Number]
Table A-24 describes the parameters for creating, modifying, and deleting synchronization profiles by using the Directory Integration and Provisioning Assistant.
Table A-24 Parameters for Creating, Modifying, and Deleting Synchronization Profiles by Using the Directory Integration and Provisioning Assistant
| Parameter | Description |
|---|---|
-h | -host
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p | -port
|
Port at which Oracle Internet Directory was started. The default is 389. |
-D | -dn
|
The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning administrator. |
-w | -passwd
|
The password of the bind DN to be used while binding to the directory. |
-f | -file
|
The configuration file containing the profile parameters.
See Also: Table A-25 for a list of parameters and their description |
-configset
|
An integer greater than 0 that represents the configuration set with which to associate the profile. |
-profile
|
A text string representing the name of profile to be modified, deleted, or used as a template for creating a new profile. |
-newProfile | -name
|
A text string representing the name of profile to be created in Oracle Internet Directory. |
-updlcn
|
Updates the last applied changed number in the specified profile |
The following example uses a configuration file named import.profile to create a new profile and associate the new profile with configuration set 1:
dipassistant createprofile -h myhost -p 3060 -D cn=dipadmin -w welcome1 -f import.profile -configset 1
The following example creates a new profile named iPlImport with values copied from a profile named iPllmportTemplate.
dipassistant createprofilelike -h myhost -p 3060 -D cn=dipadmin -w welcome1 -profile iPlImportTemplate -newProfile iPlImport
The following example uses a configuration file named changes.profile to modify a profile named myprofile.
dipassistant modifyprofile -profile myprofile -h myhost -p 3060 -D cn=dipadmin -w welcome1 -f changes.profile
The following example deletes the myprofile profile.
dipassistant deleteprofile -profile myprofile -h myhost -p 3060 -D cn=dipadmin -w welcome1 -configset 1
For the createprofile, createprofilelike, and modifyprofile commands, you specify a configuration file containing the properties listed in Table A-25. When modifying an already existing profile, no defaults are assumed. Only those attributes specified in the file are changed. When using Directory Integration and Provisioning Assistant, you reference a property name in the format odip.profile.property_name. However, in Oracle Internet Directory, the property name is stored in the format orclodipproperty_name. Both property name formats are listed in Table A-25.
Table A-25 Properties Expected by createprofile and modifyprofile Commands
| Property | Description | Default |
|---|---|---|
odip.profile.agentexecommand / orclodipagentexecommand
|
In the case of a NON-LDAP interface, the command to produce the information in LDIF format | - |
odip.profile.condiraccount / orclodipcondiraccessaccount
|
DN or user name used to connect to the third party directory. | - |
odip.profile.condirfilter / orclodipcondirmatchingfilter
|
Filter that needs to be applied to the changes read from the connected directory before importing to Oracle Internet Directory | - |
odip.profile.condirpassword / orclodipcondiraccesspassword
|
Password used for identification to the third-party directory. | - |
odip.profile.condirurl / orclodipcondirurl
|
Location of third-party directory [hostname:port]
|
- |
odip.profile.configfile
|
Name of the file that contains the additional profile-specific information to be used for execution | - |
odip.profile.configinfo / orclodipadditionalconfiginfo
|
Contains additional profile-specific information to be used for execution | - |
odip.profile.debuglevel / orclodipprofiledebuglevel
|
Specifies the profile debug level | - |
odip.profile.interface / orclodipinterfacetype
|
Indicator as to whether the LDAP or LDIF or DB or TAGGED format is to be used for data exchange | LDAP |
odip.profile.lastchgnum / orclodipcondirlastappliedchangenumber
|
Last applied change number. In the case of an export profile this number refers to Oracle Internet Directory's last applied change number However, n the case of the import profile, this number refers to the last applied change number in the connected directory | - |
odip.profile.mapfile / orclodipattributemappingrules
|
Name of the file that contains the mapping rules | - |
odip.profile.name / orclodipagentname
|
Name of the profile | - |
odip.profile.oidfilter / orclodipoidmatchingfilter
|
Filter that needs to be applied to the changes that are read from the Oracle Internet Directory before exporting to the connected directory | - |
odip.profile.password / orclODIPAgentPassword
|
Password for accessing this profile | - |
odip.profile.retry / orclodipsyncretrycount
|
Maximum number of times the Oracle directory integration and provisioning server should attempt to execute an entry | 4 |
odip.profile.schedinterval/orclodipschedulinginterval
|
Interval between successive executions of this profile by the integration server. If the previous execution has not completed then the next execution will not resume until it completes. | 1 Minute |
odip.profile.status / orclodipagentcontrol
|
Either DISABLE or ENABLE
|
DISABLE |
odip.profile.syncmode / orclodipasynchronizationmode
|
Direction of synchronization. When the changes are propagated from the third party to Oracle Internet Directory, the synchronization mode is IMPORT. When the changes are propagated to the third party directory, the synchronization mode is EXPORT. | IMPORT |
The listprofiles command prints a list of all the synchronization profiles in Oracle Internet Directory. The syntax for this command is:
dipassistant listprofiles [-h hostName] [-p port] [-D bindDn] [-w password] [-configset Configset Number]
Table A-26 describes the parameters of the listprofiles command.
Table A-26 Parameters of the listprofiles Command
| Parameter | Description |
|---|---|
-h | -host
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p | -port
|
Port at which Oracle Internet Directory was started. The default is 389. |
-D | -dn
|
The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning administrator. |
-w | -passwd
|
The password of the bind DN to be used while binding to the directory. |
-configset
|
An integer greater than 0 that represents the configuration set with which to associate the profile. |
The following example prints a list of all the synchronization profiles in Oracle Internet Directory:
dipassistant listprofiles -h myhost -p 3060 -D cn=dipadmin -w welcome1
By default, the preceding command prints the following list of sample profiles created during installation. However, your deployment of Oracle Internet Directory may contain additional synchronization profiles.
IplanetExport IplanetImport ActiveImport ActiveExport LdifExport LdifImport TaggedExport TaggedImport OracleHRAgent ActiveChgImp
The showprofile command prints the details of a specific synchronization profile. The syntax for this command is:
dipassistant showprofile -profile profName [-h hostName] [-p port] [-D bindDn] [-w password]
Table A-27 describes the parameters of the showprofile command.
Table A-27 Parameters of the showprofile Command
| Parameter | Description |
|---|---|
-h | -host
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p | -port
|
Port at which Oracle Internet Directory was started. The default is 389. |
-D | -dn
|
The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning administrator. |
-w | -passwd
|
The password of the bind DN to be used while binding to the directory. |
-profile
|
A text string representing the name of profile to show. |
For example, the following showprofile command prints the details for the ActiveImport sample profile that is created during installation:
dipassistant showprofile -h myhost -p 3060 -D cn=dipadmin -w welcome1 -profile ActiveImport
The preceding command prints the following details of the ActiveImport sample profile:
odip.profile.version = 2.0 odip.profile.lastchgnum = 0 odip.profile.interface = LDAP odip.profile.oidfilter = orclObjectGUID odip.profile.schedinterval = 60 odip.profile.name = ActiveImport odip.profile.syncmode = IMPORT odip.profile.condirfilter = "searchfilter=(|(objectclass=group)(objectclass=organizationalunit) (&(objectclass=user)(!(objectclass=computer))))" odip.profile.retry = 5 odip.profile.debuglevel = 0 odip.profile.status = DISABLE
The expressconfig command performs an express configuration of the Active Directory connector. When you run this command, it performs all required configurations outlined in Table A-23, "Summary of Functionality of the Directory Integration and Provisioning Assistant". This command also creates two profiles, an import profile and an export profile. The syntax for performing an express configuration is as follows:
dipassistant expressconfig [-h hostName] [-p port] [-3rdpartyds 3rd party ds] [-configset Configset Number]
Table A-28 describes the parameters of the expressconfig command.
Table A-28 Parameters of the expressconfig Command
| Parameter | Description |
|---|---|
-h | -host| -oidhost
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p |-port | -oidport
|
Port at which Oracle Internet Directory was started. The default is 389. |
-3rdpartyds
|
The third-party directory service to configure. |
-configset
|
An integer greater than 0 that represents the configuration set with which to associate the profile. |
The bootstrap command performs the initial migration of data between a connected directory and Oracle Internet Directory. The syntax for this command is as follows:
dipassistant bootstrap { -profile profName [-h hostName] [-p port] [-D bindDn]
[-w password] [-log logFile] [-logseverity severity] [-trace traceFile]
[-tracelevel level] [-loadparallelism #nThrs] [-loadretry retryCnt] |
-f filename }
Table A-29 describes the parameters of the bootstrap command.
Table A-29 Parameters of the bootstrap Command
| Parameter | Description |
|---|---|
-f | cfg
|
A configuration file containing all the parameters required for performing the bootstrapping.
See Also: Table A-30 for a list of parameters and their description |
-h | -host
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p | -port
|
Port at which Oracle Internet Directory was started. The default is 389. |
-D | -dn
|
The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning administrator. |
-w | -passwd
|
The password of the bind DN to be used while binding to the directory. |
-profile
|
A text string representing the name of profile to use when performing the bootstrapping. |
-log
|
Log file. If this parameter is not specified, then, by default, the log information is written to OH/ldap/odi/bootstrap.log
|
-logseverity
|
Log severity 1 - 15. 1 – INFO, 2 – WARNING, 3 – DEBUG, 4 – ERROR. Or any combination of these. If not specified, then INFO and ERROR messages alone will be logged. |
-trace
|
Trace file for debugging purpose |
-tracelevel
|
Trace level |
-loadparallelism
|
Indicator that loading to Oracle Internet Directory is to take place in parallel by using multiple threads. For example, -loadparallelism 5 means that 5 threads are to be created, each of which tries to load the entries in parallel to Oracle Internet Directory.
|
-loadretry
|
When the loading to the destination fails, the number of times the retry should be made before marking the entry as bad entry |
When you use the bootstrap command, you can use either the -profile parameter to specify a synchronization profile or the -f parameter to a configuration file. The following example uses a synchronization profile named iPlanetProfile to perform bootstrapping:
dipassistant bootstrap –profile iPlanetProfile -h myhost –port 3060 -D cn=dipadmin -w welcome1
The following example uses a configuration file named bootstrap.cfg to perform bootstrapping:
dipassistant bootstrap –f bootstrap.cfg
When you use the -f parameter with the bootstrap command, you must specify a configuration file containing the properties listed in Table A-30.
Table A-30 Bootstrapping Configuration File Properties
| Property | Description | Mandatory | Default |
|---|---|---|---|
odip.bootstrap.srctype
|
Indicator of whether source of the bootstrapping is LDAP or LDIF. Valid values are either LDAP or LDIF.
|
Yes | - |
odip.bootstrap.desttype
|
Indicator of whether destination of the bootstrapping is LDAP or LDIF. Valid values are either LDAP or LDIF.
|
Yes | - |
odip.bootstrap.srcurl
|
In the case of LDAP source type, location of the source directory. In the case of LDIF, the location of the LDIF file.
Note: For LDAP, the expected format is |
Yes | - |
odip.bootstrap.desturl
|
In the case of LDAP, location of the destination directory. In the case of LDIF, the location of the LDIF file.
Note: For LDAP, the expected format is |
Yes | - |
odip.bootstrap.srcsslmode
|
Indicator of whether SSL-based authentication must be used to connect to the source of the bootstrapping. A value of TRUE indicates that SSL-based authentication must be used.
|
No | FALSE
|
odip.bootstrap.destsslmode
|
Indicator of whether SSL-based authentication must be used to connect to the destination of the bootstrapping. TRUE indicates that SSL-based authentication must be used.
Note: In the case of LDIF, this parameter is meaningless. |
No | FALSE
|
odip.bootstrap.srcdn
|
Supplement to the source URL. In the case of LDIF binding, this parameter is meaningless. However in the case of LDAP, this parameter specifies the Bind DN. | Only in the case of LDAP | - |
odip.bootstrap.destdn
|
Supplement to the destination URL. In the case of LDIF binding, this parameter is meaningless. However in the case of LDAP, this parameter specifies the Bind DN. | Only in the case of LDAP | - |
odip.bootstrap.srcpasswd
|
Bind password to the source. In the case of LDAP binding, this is used as security. Oracle Corporation recommends that you not specify the password in this file. | No | - |
odip.bootstrap.destpasswd
|
Bind password. In the case of LDAP binding, this is used as security credential.
Oracle Corporation recommends that you not specify the password in this file. |
No | - |
odip.bootstrap.mapfile
|
Location of the map file that contains the attribute and domain mappings. | No | - |
odip.bootstrap.logfile
|
Location of the log file. If this file already exists then it will be appended. The default log file is bootstrap.log created under $ORACLE_HOME/ldap/odi/log directory.
|
No | The file bootstrap.log created under the directory $ORACLE_HOME/ldap/odi/
|
odip.bootstrap.logseverity
|
Type of log messages that needs to be logged.
INFO – 1 WARNING - 2 DEBUG – 4 ERROR - 8 Note: A combination of these types can also be given. For example, if you are interested only in WARNING and ERROR message, then specify a value of 8+2—that is, 10. Similarly, for all types of message, use 1 + 2 + 4 + 8 = 15 |
No | 1 + 8 = 9 |
odip.bootstrap.loadparallelism
|
Numeric value indicating the number of writer threads used to load the processed data to the destination | No | 1- |
odip.bootstrap.loadretry
|
In the event of a failure to load an entry, indicator of how many times to retry | No | 5 |
odip.bootstrap.trcfile
|
Location of the trace file. If this file already exists, then it is overwritten. | No | $ORACLE_HOME/ldap/odi/log/bootstrap.trc |
odip.bootstrap.trclevel
|
The tracing level | No | 3 |
odip.bootstrap.srcencode
|
The encoding used by the LDIF file if the file: Is generated by using a utility of a third-party directory Contains NLS data Is processed on a different platform By default, the Directory Integration and Provisioning Assistant assumes that the file is processed on the system on which it was generated. | Yes |
|
The wp command enables you to set the wallet password that the Oracle directory integration and provisioning server later uses to connect to Oracle Internet Directory. To use this command, enter:
dipassistant wp
The Directory Integration and Provisioning Assistant prompts you to enter, and then confirm, the password.
This chgpasswd command resets the password of dipadmin account. The default password for the dipadmin account is same as ias_admin password chosen during installation. To reset the password, you must provide the security credentials of the orcladmin account. The syntax for resetting the password is as follows:
dipassistant chgpasswd [-h hostName] [-p port] [-D bindDn] [-w password]
Table A-31 describes the parameters of the chgpasswd command.
Table A-31 Parameters of the chgpasswd Command
| Parameter | Description |
|---|---|
-h | -host
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p | -port
|
Port at which Oracle Internet Directory was started. The default is 389. |
-D | -dn
|
The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning administrator. |
-w | -passwd
|
The password of the bind DN to be used while binding to the directory. |
The following is an example of the chgpasswd command:
dipassistant chgpasswd -h myhost -p 3060 -D cn=dipadmin -w welcome1
The Directory Integration and Provisioning Assistant then prompts for the new password as follows:
New Password: Confirm Password:
You can use the reassociate command of the Directory Integration and Provisioning Assistant to move directory integration profiles to another node and to reassociate them with it. For example, if the middle-tier components are associated with a particular Oracle Identity Management infrastructure, then all the integration profiles existing in that infrastructure node can be moved to a new infrastructure node and reassociated with it.
Table A-32 describes the reassociation rules.
Table A-32 Scenarios for Reassociating Directory Integration Profiles
| Scenario | Actions Taken |
|---|---|
| Integration profile does not exist on the second Oracle Internet Directory node | The integration profile is copied to the second Oracle Internet Directory node and is disabled after copying. It must be enabled by the application. The lastchangenumber attribute in the integration profile is modified to the current last change number on the second Oracle Internet Directory node.
|
| Integration profile exists on the second Oracle Internet Directorynode | Both integration profiles are reconciled in the following manner:
|
The syntax for the reassociate command is as follows:
dipassistant reassociate [-src_ldap_host hostName] [-src_ldap_port port] [-src_ldap_dn bindDn] [-src_ldap_passwd password] -dst_ldap_host hostName [-dst_ldap_port port] [-dst_ldap_dn bindDn] [-dst_ldap_passwd password] [-log logfile]
Table A-33 describes the parameters of the reassociate command.
Table A-33 Parameters of the reassociate Command
| Parameter | Description |
|---|---|
-src_ldap_host host_name
|
Host where Oracle Internet Directory-1 runs |
-src_ldap_port port_number
|
Port where Oracle Internet Directory-1 runs |
-src_ldap_dn bind_DN
|
Bind DN for connecting to Oracle Internet Directory-1 |
-src_ldap_passwd password
|
Bind DN password for connecting to Oracle Internet Directory-1 |
-dst_ldap_host host_name
|
Host where Oracle Internet Directory-2 runs |
-dst_ldap_portport_number
|
Port where Oracle Internet Directory-2 runs |
-dst_ldap_dn bind_DN
|
Bind DN for connecting to Oracle Internet Directory-2 |
-dst_ldap_passwd password
|
Bind DN password for connecting to Oracle Internet Directory-2 |
-log log_file
|
Log file |
The reassociate command defaults are as follows:
src_ldap_host - localhost, src_ldap_port & dst_ldap_port - 389 src_ldap_dn & dst_ldap_dn - cn=orcladmin account
The following is an example of the reassociate command:
dipassistant reassociate -src_ldap_host oid1.mycorp.com \ -dst_ldap_host oid2.mycorp.com -src_ldap_passwd srcpassword \ -dst_ldap_passwd dstpassword
Note if the location of the log file is not specified then by default it will be created as $ORACLE_HOME/ldap/odi/log/reassociate.log.
In this release, the Directory Integration and Provisioning Assistant does not support the following:
SSL-based authentications to Oracle Internet Directory
Schema synchronization
Automatic profile creation at the end of the bootstrapping process when used with the -cfg option
Mapping file validation
Creation of a failed entries file
The following elements of the Directory Integration and Provisioning Assistant are untested:
Bootstrapping of the connected directory over the SSL connection
The use of the modifyprofile command while synchronization is happening for that profile
The bootstrapping command of the Directory Integration and Provisioning Assistant has the limitations described in Table A-34.
Table A-34 Limitations of Bootstrapping in the Directory Integration and Provisioning Assistant
| Type of Bootstrapping | Limitation |
|---|---|
| LDIF-to-LDIF | None |
| LDAP-to-LDIF | For a large number of entries, bootstrapping can fail with an error of size limit exceeded. To resolve this, the connected directory server from which you are bootstrapping should:
|
| LDIF -to-LDAP | None |
| LDAP-to-LDAP | Same as LDAP-to-LDIF |
For initial bootstrapping, you should perform the following steps:
Generate a dump of the entries in the connected directory to an LDIF file using a proprietary tool on the connected directory server.
Configure the properties file so that entries are created in Oracle Internet Directory using the LDIF-to-LDAP approach.
Use the Provisioning Subscription Tool (oidprovtool) to administer provisioning profile entries in the directory. More specifically, use it to:
Create a new provisioning profile. A new provisioning profile is created and set to the enabled state so that Oracle Directory Integration and Provisioning can process it
Disable an existing provisioning profile
Enabled a disabled provisioning profile
Modify an existing provisioning profile
Delete an existing provisioning profile
Get the current status of a given provisioning profile
Clear all of the errors in an existing provisioning profile
The Provisioning Subscription Tool shields the location and schema details of the provisioning profile entries from the callers of the tool. From the callers' perspective, the combination of an application and a subscriber uniquely identify a provisioning profile. The constraint in the system is that there can be only one provisioning profile for each application for each subscriber.
Once a profile is created, its mode—that is, INBOUND, OUTBOUND, or BOTH—cannot be changed by using the operation=modify operation. To change the mode, you must delete, then re-create, the profile.
When you create, change, or delete a profile, you do not need to first disable it, then re-enable it. Instead, you can use the operation=modify option. The changes are detected at runtime by the directory integration and provisioning server.
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
The name of the executable is oidprovtool, located in $ORACLE_HOME/bin.
To invoke this tool, use this command:
oidprovtool param1=param1_value param2=param2_value param3=param3_value ...
The Provisioning Subscription Tool accepts the parameters listed and described in Table A-35:
Table A-35 Provisioning Subscription Tool Parameters
| Name | Description | Operations | Mandatory/Optional |
|---|---|---|---|
application_dn
|
The distinguished name of the application for which the provisioning subscription operation is being performed. The combination of the application_dn and the organization_dn parameters help the subscription tool to uniquely identify a provisioning profile.
|
all | M |
event_mapping_rules
|
Inbound events only. Multivalued.Used to map the type of object received from an application and a qualifying filter condition to determine the domain of interest for this event.Format : OBJECT_TYPE: filter condition: domain of interestMultiple rules are allowed.Example 1: EMP::cn=users,dc=acme,dc=com
This means that if the object type received is Example 2: This means that if the object type received is |
create/modify | Mandatory for inbound events only |
event_permitted_operations
|
This is a multi valued attribute. It is used to define the types of EVENT an application is privileged to send to the Oracle Provisioning Integration Service. Format :
Example 1: This means that the Example 2: This means that the |
create/modify | Mandatory for inbound events only |
event_subscription
|
Events for which Directory Integration and Provisioning should send notification to this application. Format of this string:"
Multiple values may be specified by listing the parameter multiple times each with different values. No defaults. |
create/modify | Mandatory for outbound events only |
interface_additional_info
|
Additional information for the interface. This is not currently used. | create/modify | O |
interface_connect_info
|
Database connect string Format of this string: [HOST]:[PORT]:[SID]: [PASSWORD]USER_ID]:[
|
create/modify | M |
interface_name
|
Database schema name for the PLSQL package. Format of the value should be: [Schema].[PACKAGE_NAME]
|
create/modify | M |
interface_type
|
The type of interface to which events are to be propagated.Valid value: PLSQL. If not specified, then this is assumed to be the default. | create/modify | O |
interface_version
|
The version of the interface protocol. Valid values: 1.0 or 1.1 or 2.0 1.0 and 1.1 will be the old interface. If not specified, 2.0 is used as the default. | create | O |
lastchangenumber
|
The last change number in OID subsequent to which the events should be propagated to the application. Used only in OUBOUNT mode. Default in create is the current last change number in OID. | create/modify | O |
ldap_host
|
Host-name of the directory server on which the subscription operations are to be performed. If not specified, the default value of 'localhost' is assumed. | all | O |
ldap_port
|
The TCP/IP port on which the directory server is listening for requests. If not specified, the default value of '389' is assumed. | all | O |
ldap_user_dn
|
The LDAP distinguished name of the user on whose behalf the operation is to be performed. Not all users have the necessary permissions to perform Provisioning Subscription operations. The default is cn=orcladmin.
See Also: The chapter on access control in Oracle Internet Directory Administrator's Guide for instructions on granting or denying directory users the permission to perform provisioning subscription operations |
all | O |
ldap_user_password
|
The password of the user on whose behalf the operation is to be performed. | all | O |
max_events_per_schedule
|
The maximum number of events that should be propagated in one schedule. Default is 100. Can be used to control load situations. | create/modify | O |
max_retries
|
The number of times the Oracle directory integration and provisioning server should retry a failed event delivery. If not specified, a default value of 5 is assumed. | createmodify | O |
operation
|
The subscription operation to be performed. The legal values for this parameter are: create, modify, enable, disable, delete, status and reset. Only one operation can be performed for each invocation of the tool. | all | M |
organization_dn
|
The distinguished name of the organization for which the provisioning subscription operation is being performed. The combination of the application_dn and the organization_dn parameters help the subscription tool to uniquely identify a provisioning profile. The default is the default identity management realm.
|
all | O |
profile_debug
|
The debugging level with which the profile is executed by the Oracle directory integration and provisioning server. | All | O |
profile_group
|
The group of the profile. Default is 0. This is required to address scalability issues when different DIP server instances will be used to execute different selected groups. | create/modify | O |
profile_mode
|
IBOUND/OUTBOUND/BOTH. Default is OUTBOUND.
|
Create | O |
profile_status
|
The status of the profile (ENABLED/ DISABLED). Default is ENABLED.
|
Create | O |
schedule
|
The scheduling information for this profile. The value is the length of the time interval in seconds after which Directory Integration and Provisioning will process this profile. If not specified, a default of 3600 is assumed. | create/modify | O |
Example A-1 Creating a Profile by Using the Provisioning Subscription Tool
This example illustrates how to create a provisioning profile by using the Provisioning Subscription Tool.
oidprovtool operation=create ldap_host=host ldap_port=port ldap_user_dn=bind_DN ldap_user_password=password application_dn=DN_of_application organization_dn=realm_DN schedule=60 interface_type=PLSQL interface_name=PLSQL_package_name interface_version=2.0 interface_connect_info=DB_host:DB_listener_port:SID:User:Password" event_subscription="USER:realm_DN:ADD(cn,sn,..)" event_subscription="USER:realm_DN:MODIFY(mail,telephonenumber,...)"
The OID Database Password Utility is used to:
Change the password to the Oracle Internet Directory database.
Oracle Internet Directory uses a password when connecting to an Oracle database. The default for this password matches the value you specified during installation for the Oracle Application Server administrator's password. You can change this password by using the OID Database Password Utility.
Create a wallet, named oidpwdlldap1, for the Oracle Internet Directory database password, and a wallet, named oidpwdrsid, for the Oracle directory replication server password.
The sid is obtained not from the environment variable SID but from the connected database.
With the create_wallet=true option, you need to provide the ODS password to authenticate yourself to the ODS database before the ODS wallet can be generated. Note that the default ODS password is the same as that for the Oracle Application Server administrator.
Unlock a locked directory superuser account, namely, cn=orcladmin.
The OID Database Password Utility syntax is:
oidpasswd [connect=connect_string ] [change_oiddb_pwd=true |
create_wallet=true current_password=password_for_the_ODS_database_user | unlock_su_acct=true]
This section contains these topics
Changing the Password to the Oracle Internet Directory Database
Changing the Password to the Oracle Internet Directory Database
To change the Oracle Internet Directory database password, enter
oidpasswd [connect=connect string ][change_oiddb_pwd=true]
If no options are provided, the tool still changes the Oracle Internet Directory database password.
The OID Database Password Utility prompts you for the current password. Type the current password, then the new password, then a confirmation of the new password.
The OID Database Password Utility assumes by default that the password being changed is that of the local database (as defined by ORACLE_HOME and ORACLE_SID). If you are changing the password on a remote database, you must use the connect=connect_string option.
For example:
$ oidpasswd current password: ods new password: newsupersecret confirm password: newsupersecret password set.
|
Note:
|
To create wallets for the Oracle Internet Directory database password and the directory replication server password, enter:
oidpasswd [connect=connect string] create_wallet=true
The argument create_wallet is mandatory in this case. Except for connect string, no other option can be specified.
To unlock a locked account for the directory super user, cn=orcladmin, enter:
oidpasswd [connect=connect string] unlock_su_acct=true
The argument unlock_su_acct is mandatory. Except for connect string, no other option can be specified.
If you forget the Oracle Internet Directory super user password, you can use the oidpasswd tool to reset it. You must provide the Oracle Internet Directory database password. When you first install Oracle Internet Directory, the super user password and Oracle Internet Directory database password are the same. After installation, however, you can change the OID super user password using ldapmodify. You can change the Oracle Internet Directory database password using the oidpasswd tool separately. The syntax for changing the Oracle Internet Directory database password is:
oidpasswd conn=connect_string reset_su_password=true
The oidpasswd tool prompts you for the OID database password. For example:
oidpasswd conn=inst1 reset_su_password=true
OID DB user password:
password:
confirm password:
OID super user password reset successfully
When an ACP is set with an ACI that has the keyword DenyGroupOverride, neither the OID super user nor members of DirectoryAdminGroup can access the subtree under that ACP. If necessary, you can use the oidpasswd tool to reset that ACP so that the subtree is accessible by the OID super user. You must provide the Oracle Internet Directory database password. The syntax is:
oidpasswd conn=connect_string manage_su_password=true
The oidpasswd utility prompts you to enter the OID database password and to choose which super user restricted ACPs to reset, as shown in the following examples:
oidpasswd conn=inst1 manage_su_acl=true OID DB user password: The super user restricted ACP list [1] o=oracle,c=us [2] ou=personnel,o=oracle,c=us Enter 'resetall' or the number(s) of the ACP to be reset separated by [,] 2 OID super user restriction reset successfully oidpasswd conn=inst1 manage_su_acl=true OID DB user password: The super user restricted ACP list [1] o=oracle,c=us [2] ou=personnel,o=oracle,c=us Enter 'resetall' or the number(s) of the ACP to be reset separated by [,] resetall OID super user restriction reset successfully oidpasswd conn=inst1 manage_su_acl=true OID DB user password: The super user restricted ACP list [1] o=oracle,c=us [2] ou=personnel,o=oracle,c=us Enter 'resetall' or the number(s) of the ACP to be reset separated by [,] 1,3,5 ACP [3] not found in the list ACP [5] not found in the list OID super user restriction reset successfully oidpasswd conn=inst1 manage_su_acl=true OID DB user password: The super user restricted ACP list [1] ou=personnel,o=oracle,c=us Enter 'resetall' or the number(s) of the ACP to be reset separated by [,] 1,resetall OID super user restriction reset successfully
Once you have reset some ACPs so that the super user can access them, you can use ldapmodify to make the subtrees inaccessible to the super user again. A sample LDIF file is shown in the following example:
dn: o=oracle, c=us changetype: modify delete: orclaci orclaci: access to entry AppendToAll by SuperUser (browse,add,delete,proxy) orclaci: access to attr=(*) AppendToAll by SuperUser (search,read,write,compare)
The ldapmodify syntax, with an LDIF file named acl.dat, is:
ldapmodify -p port_number -D cn=orcladmin -w admin_password -f acl.dat
Use the oidstats.sh tool to analyze the various database ods schema objects to estimate the statistics. It is located in the following directory: $ORACLE_HOME/ldap/admin/. The tool will prompt for 'ods' database user password. You must run this utility whenever there are significant changes in directory data—including the initial load of data into the directory.
If you load data into the directory by any means other than the bulkload tool (bulkload.sh), then you must run the OID Database Statistics Collection tool after loading. Statistics collection is essential for the Oracle Optimizer to choose an optimal plan in executing the queries corresponding to the LDAP operations. You can run OID Database Statistics Collection tool at any time, without shutting down any of the Oracle Internet Directory daemons.
|
Note: If you do not use the bulkload utility to populate the directory, then you must run the oidstats.sh tool to avoid significant search performance degradation. |
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
The OID Database Statistics Collection Tool uses this syntax:
oidstats.sh [ -connect connect_string ] [ -all ] [ -cat catalog_name ] [ -pct percent ] [ -help | -usage ]
Table A-36 lists and describes the parameters.
Table A-36 Parameters for the OID Database Statistics Collection Tool
| Parameter | Description | Default |
|---|---|---|
connect connect_string
|
Database connect string | ORACLE_SID
|
all
|
Estimate statistics on all catalog tables plus DN catalogue | All catalogs |
cat catalog_name
|
Estimate statistics either on all catalogs (all) or on a particular one, for example, ct_cn | None |
pct percent
|
Percent of data to sample | 100 |
Examples: Using the OID Database Statistics Collection Tool
Each of the following examples assume that the ORACLE_SID and the default user name and password are in effect.
The following example estimates statistics based on 100 percent sample data of all tables:
oidstats.sh -all -pct 100
The following example estimates statistics based on 50 percent sample data of all tables:
oidstats.sh -all -pct 50
The following example estimates statistics based on 50 percent sample data of CT_CN table:
oidstats.sh -cat ct_cn -pct 50
The following example estimates statistics based on 40 percent sample data of all catalog tables:
oidstats.sh -cat all -pct 40
Use the OID Migration Tool when you are migrating data from application-specific repositories into Oracle Internet Directory. The OID Migration Tool produces an LDIF file, which is suitable for loading into a directory server by using the standard command-line tools. The input to this tool is a pseudo-LDIF file containing substitution variables. The tool is called ldifmigrator and it exists in $ORACLE_HOME/bin.
The syntax of the ldifmigrator tool is as follows:
ldifmigrator [options] {parameter_name=value ...}
{s_SubVar=value ... }
Table A-37 describes the command-line parameters used by this tool in further detail:
Table A-37 ldifmigrator Parameters
| Parameter | Mandatory? | Description |
|---|---|---|
Input_file
|
Yes | The file containing the substitution variables |
Output_file
|
Yes | The name of the file to be generated by this tool |
-lookup
|
No | If this flag is specified, then values of certain substitution variables will be obtained from the directory server. Please see the following table for the names of the variables that are specified using host parameters. The host is mandatory when -lookup flag is specified.
|
Host
|
Yes (only in lookup mode) | The directory server name. This parameter is mandatory when -lookup flag is specified.
|
Port
|
No | The port on which the directory server is listening. If not specified the port 389 will be used
|
DN
|
Yes (only in lookup mode) | Bind DN. This is a mandatory parameter when -lookup flag is specified.
|
Password
|
No | Bind password |
Subscriber
|
No | The subscriber whose attributes will be used as substitution variable. If not specified, then the default identity management realm specified in the Root Oracle Context will be used. |
s_SubsVar1.N
|
No | Custom substitution variables specified by the user |
Table A-38 describes a set of pre-defined substitution variables. If it is running in the lookup mode, the OID Migration Tool can automatically determine the values of these variables by looking them up in the Oracle Internet Directory.
Table A-38 Predefined Substitution Variables
| Variable Name | Meaning | How OID Migration Tool Determines the Value for This Variable |
|---|---|---|
| %s_UserContainerDN% | Distinguished name of the entry under which all users are supposed to be added. | This is assigned the value of the attribute: orclCommonUserSearchBase from the entry cn=Common,cn=Products under the realm- specific Oracle context.
|
| %s_GroupContainerDN% | Distinguished name of the entry under which all public groups are supposed to be added. | This is assigned the value of the attribute: orclCommonGroupSearchBase from the entry cn=Common,cn=Products under the realm- specific Oracle context.
|
| %s_UserNicknameAttribute% | The nickname attribute to be used for user entries in the identity management realm. | This is assigned the value of the attribute: orclCommonNicknameAttribute from the entry cn=Common,cn=Products under the realm- specific Oracle context.
|
| %s_SubscriberDN% | Distinguished name of the LDAP entry corresponding to the identity management realm. | If a simple subscriber name is given, the migration tool will resolve it to a DN using the attribute orclSubscriberSearchBase and the orclSubscriberNickNameAttr from the entry cn=Common,cn=Products under the root Oracle context.
|
| %s_SubscriberOracleContextDN% | Distinguished name of the realm-specific Oracle Context. | First the realm DN is computed as described earlier and then the string cn=OracleContext is pre-pended to it.
|
| %s_RootOracleContextDN% | Distinguished name of the Root Oracle Context. | This is currently hard-coded to cn=OracleContext.
|
| %s_CurrentUserDN% | Distinguished name of the User who is loading the LDIF file. This is sometimes required to bootstrap the creation of groups which require at least one member in them. | The migration tool expects this DN to be specified on the command line as part of the authentication information. |
The OID Migration Tool obtains the values of the pre-defined substitution variables only in the lookup mode. Users can override the value of any of the previous variables in the lookup mode by specifying the variable and a different value in the command line. The user can also specify substitution variables other than the ones listed in the following table and their values in the command line.
Consider the input file sample.dat whose contents are as follows:
dn: cn=jdoe, %s_UserContainerDN% sn: Doe %s_UserNicknameAttribute%: jdoe objectClass: inetOrgPerson objectClass: orclUserV2 title: Member of Technical Staff homePhone: 415-584-5670 homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402 ou: %s_UserOrganization%
The following sections describe how the OID Migration Tool can be used to transform the previous template into a valid LDIF ready to be loaded into Oracle Internet Directory.
In this example, the Oracle directory server is present in the environment, and the deployment wants the migration tool to lookup the directory server to figure out certain substitution variables. It will issue the following command:
ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" -lookup "host=ldap.acme.com" "subscriber=acme" "s_UserOrganization=Development"
On executing this command, the directory server running on ldap.acme.com will be contacted and the following values of the substitution variables for the subscriber acme will be obtained:
| Variable Name | Value Obtained from ldap.acme.com |
|---|---|
| % s_UserContainerDN% | cn=Users,o=acme,dc=com
|
| %s_UserNicknameAttribute% | uid
|
In addition to these variables, the OID Migration Tool also honors the command-line variable called s_UserOrganization and substitutes all occurrences of it with the value Development. In this case the output of the tool stored in sample.ldif is as follows (the substituted values are shown in italics):
dn: cn=jdoe,cn=Users,o=Acme,dc=com sn: Doe uid: jdoe objectClass: inetOrgPerson objectClass: orclUserV2 title: Member of Technical Staff homePhone: 415-584-5670 homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402 ou: Development
The same output as shown in the previous example could have been obtained by specifying all of the values in the command line (without using the -lookup option). The following command-line example describes how one would use the Migration tool without the lookup mode:
$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" "s_UserContainerDN=cn=Users,o=Acme,dc=com" "s_UserNicknameAttribute=uid" "s_UserOrganization=Development"
In some cases, a deployment would like to use the OID Migration Tool in the lookup mode but would also like to override the values of one or more of the pre-defined substitution variables. This can be done by specifying the override value in the command line. The following command line shows how one can set the UserNickNameAttribute to cn overriding the default of uid:
$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" -lookup "host=ldap.acme.com" "subscriber=acme" "s_UserOrganization=Development" "s_UserNicknameAttribute=cn"
On executing this command, the directory server running on ldap.acme.com will be contacted and the following values of the substitution variables for the subscriber acme will be obtained:
Table A-39 Substitution Variables for the subscriber "acme"
| Variable Name | Value Obtained from ldap.acme.com |
|---|---|
| % s_UserContainerDN% | cn=Users,o=acme,dc=com |
| %s_UserNicknameAttribute% | uid (this is over-ridden by command-line specification) |
Since s_UserNicknameAttribute is specified on the command line, the OID Migration Tool will ignore the value obtained from the directory and use the value specified in the command line. In addition to these variables, the migration tool will also honor the command-line variable called s_UserOrganization and substitute all occurrences of it with the value Development. In this case the output of the tool stored in sample.ldif will be as follows (the substituted values are shown in italics):
dn: cn=jdoe,cn=Users,o=Acme,dc=com sn: Doe cn: jdoe objectClass: inetOrgPerson objectClass: orclUserV2 title: Member of Technical Staff homePhone: 415-584-5670 homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402 ou: Development
Using the load capability the users of this tool could directly load the data into Oracle Internet Directory. If an entry is already present in the directory then that directory entry will be logged to the file. The addition of the directory entries could fail for other reasons as well, for instance not enough permission to add or parent entry not being present. The command line tool will now take a new option -load, which will load the user information to the directory.
The user migration tool capabilities available in Oracle Application Server 10g Release 2 (10.1.2) are useful only when an older version of the Oracle Application Server component is the only source of truth for all users being migrated to Oracle Internet Directory. However, in a practical deployment, the following scenarios arise:
The users to be migrated have already been defined in Oracle Internet Directory.
More than one distinct application needs to be migrated to Oracle Internet Directory.
To address these requirements, a new option –reconcile, has been added to the user migration tool. This option requires an argument: –reconcile SAFE | SAFE_EXTENDED | NORMAL.
Table A-40 Different Modes for Use of -reconcile
| Optional Arguments | Description |
|---|---|
-reconcile SAFE
|
Verifies the existence of the user entry in the directory |
–reconcile NORMAL
|
Verifies that all the new attributes will be added and those attributes already in the directory will have their values replaced with the new ones |
–reconcile SAFE_EXTENED
|
All the new attributes will be added. However, if you try to add a new value for existing attributes, then it will add it to the existing set of values. |
Example A-2 -reconcile SAFE option.
This option should be used to append only those attributes not already in the directory. In the case of the preceding user entry, the OID Migration Tool parses this LDIF entry and substitutes the values for s_subscriber_user_base and s_nickname_attr. After this, it retrieves the jsmith entry from the directory. If the directory does not contain an entry for jsmith, then it simply adds this entry for the first time. On the other hand, if the entry already exists with attributes as defined earlier, then it adds only those attributes not present in directory. In the preceding case, it adds only homePhone and homePostalAddress.
Now the Jsmith entry in the directory becomes:
dn: cn=jsmith, dc=oracle, dc=com cn: jsmith sn: Smith orclGlobalID: 86A8485163303EBEE034080020AB67AA uid: jsmith objectClass: inetOrgPerson objectClass: orclUser2 title: Member of Technical Staff homePhone: 650-584-5670 homePostalAddress: 232 Gonzalez Drive$ San Francisco$ CA$ 94404
Example A-3 -reconcile NORMAL option.
This option can be used to overwrite attributes present in the directory. In the case of the preceding user entry, the user migration tool parses this LDIF entry and substitutes the values for s_subscriber_user_base and s_nickname_attr. It then retrieves the jsmith entry from the directory. If the directory does not contain an entry for jsmith, then it simply adds this entry for the first time. On the other hand, if the entry already exists with attributes as defined earlier, then it adds only those attributes not present in directory. In addition, the attribute already present is deleted and freshly added with a new value. In the preceding case it will add homePhone and homePostalAddress and replace the attribute value for the attribute title with the new value.
Now the Jsmith entry in the directory becomes:
dn: cn=jsmith, dc=oracle, dc=com cn: jsmith sn: Smith orclGlobalID: 86A8485163303EBEE034080020AB67AA uid: jsmith objectClass: inetOrgPerson objectClass: orclUser2 title: Principle Member of Technical Staff homePhone: 650-584-5670 homePostalAddress: 232 Gonzalez Drive$ San Francisco$ CA$ 94404
Example A-4 -reconcile SAFE_EXTENDED option.
This option can be used when the user would like to add the values to existing attributes. In the case of the preceding user entry, the user migration tool will parse this LDIF entry and substitute the values for s_subscriber_user_base and s_nickname_attr. After this, the tool will retrieve the jsmith entry from the directory. If the directory does not contain an entry for jsmith then it would simply add this entry for the first time. On the other hand if the entry already exists with attributes as defined earlier then it will add the attributes homePhone and homePostalAddress and the new value will be added to the existing title attribute.
Now the Jsmith entry in the directory becomes:
dn: cn=jsmith, dc=oracle, dc=com cn: jsmith sn: Smith orclGlobalID: 86A8485163303EBEE034080020AB67AA uid: jsmith objectClass: inetOrgPerson objectClass: orclUser2 title: Member of Technical Staff title: Principle Member of Technical Staff homePhone: 650-584-5670 homePostalAddress: 232 Gonzalez Drive$ San Francisco$ CA$ 94404
Table A-41 -reconcile SAFE Type LDIF Records
| Sno | Entry Changetype | Attribute Changetype | Action |
|---|---|---|---|
| 1 | Add/No Change type | - | Add only new attributes. |
| 2 | Modrdn/Moddn | - | The OID Migration Tool does not support this change type. |
| 3 | Delete | - | Do not delete the entry from the directory. |
| 4 | Modify | add | Add this attribute. If the entry doesn't exist in the directory then ignore the record as invalid. If the attribute does not exist then add this attribute, otherwise ignore. |
| 5 | -do- | replace | If the entry does not contain the attribute then it will be added. Otherwise Ignore change to the attribute, that is, do not apply the change. When the entry is not present in the directory then ignore it as the invalid entry. |
| 6 | -do- | delete | Ignore the change to the attribute, that is, do not apply the change. |
Table A-42 -reconcile NORMAL Type LDIF Records
| Sno | Entry Changetype | Attribute Changetype | Description |
|---|---|---|---|
| 1 | Add/No Change type | - | Adds the attributes that are not populated in the directory and replaces the attributes that are already populated |
| 2 | Modrdn/Moddn | - | The ldifmigrator tool will not support this change type. |
| 3 | Delete | - | Delete the entry from the directory |
| 4 | Modify | add | If entry doesn't contain the attribute then it will be added. When it contains the attribute then replace it with the specified attribute. If the entry doesn't exist in the directory then ignore the record as invalid. |
| 5 | -do- | replace | If entry doesn't contain the attribute then it will be added. When it contains the attribute then replace it with the specified attribute. If the entry itself does not exist in the directory then ignore the record as invalid |
| 6 | -do- | delete | Remove the specified attribute from the directory. |
Table A-43 -reconcile SAFE_EXTENDED type LDIF records
| Sno | Entry Changetype | Attribute Changetype | Description |
|---|---|---|---|
| 1 | Add/No Change type | - | Add only new attributes. If the entry does not exist then create a new entry. |
| 2 | Modrdn/Moddn | - | The ldifmigrator tool will not support this change type. |
| 3 | Delete | - | Do not delete the entry from the directory. |
| 4 | Modify | add | Add this attribute. If the entry doesn't exist in the directory then ignore the record as invalid. If the attribute does not exist then add this attribute, otherwise add the new values to the directory. |
| 5 | -do- | replace | If the entry does not contain the attribute then it will be added. Otherwise Ignore change to the attribute, that is, do not apply the change. When the entry is not present in the directory then ignore it as the invalid entry. |
| 6 | -do- | delete | Ignore the change to the attribute, that is, do not apply the change. |
The OID Migration Tool can display these error messages:
Table A-44 Error Messages of OID Migration Tool
| Message | Reason | Remedial Action |
|---|---|---|
| Environment variable ORACLE_HOME not defined | ORACLE_HOME is not defined. | Set the environment variable ORACLE_HOME |
| Error while parsing the input parameters. Please verify | Not all the required parameters are provided. The required parameters are Input_File, Output_File and at least one substitution variable | Specify the input parameters properly. Use the -help option to print the usage.
|
| Input_File parameter not specified. Please specify | Input_File parameter is a mandatory parameter. | Specify the input parameters properly. Use the -help option to print the usage.
|
| Output_File parameter not specified. Please specify | Output_File parameter is a mandatory parameter. | Specify the input parameters properly. Use the -help option to print the usage.
|
| The specified input file does not exist | The specified file location is invalid. | Check the input file path |
| Check the input file. Zero byte input file | The input file does not contain any entries. | Provide a valid file with pseudo LDIF entries |
| Cannot create the output file. Output file already exists | The output file already exists | Check the Output_File flag |
| Access denied, cannot read from the input file | The specified input file does not have read permission | Check the read permission of the input file. |
| Access denied, cannot create the output file | You do not have permission to create the output file. | Check the permission of the directory under which the output file needs to be created. |
| Directory server name not specified. When -lookup option is used the host parameter should be specified | When the -lookup option is specified, the host parameter is mandatory.
|
Specify the host parameter. |
| Bind Dn parameter name not specified. When -lookup option is used the dn parameter should be specified | When the -lookup option is specified, the DN parameter is mandatory.
|
Specify the DN parameter. |
| The port number specified is invalid | The port number should be a numeric value. | Check the port number parameter |
| Unable to establish connection to directory. Please verify the input parameters: host, port, dn & password | The directory server may not be running on the specified host and port, or credentials may be invalid. | Check the host, port, DN and password parameters. Check $ORACLE_HOME/ldap/install/LDIFMig_YYYY_MM_DD_HH_SS.log file. |
| Naming exception occurred while retrieving the subscriber information from the directory. Please verify the input parameters | The specified identity management realm does not exist in the directory | Check the realm parameter |
| Not all the substitution variables are defined in the directory server specified | If the identity management realm entry does not contain the required attributes, then this error occurs. | Check the realm entry in the directory |
| Error occurred while migrating LDIF data to Oracle Internet Directory | This might occur if something goes wrong in the middle of a process—for example, a failure of the directory server or disk. | Report the error message to the administrator |
When an error condition occurs, the log messages are logged to this file: $ORACLE_HOME/ldap/install/LDIFMig_YYYY_MM_DD_HH_SS.log.
