Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1) Part Number B15991-01
Referential Integrity is a new feature of Oracle Internet Directory. If Referential Integrity is enabled, whenever you update an entry in the directory, the server also updates other entries that refer to that entry. For example, if you remove a user's entry from the directory, and the user is a member of a group, the server also removes the user from the group. If Referential Integrity is not enabled, the user remains a member of the group until manually removed.
Referential Integrity takes effect in two situations:
- Delete: When an entry is deleted, all the DN attributes that refer to this entry DN are removed.
- Modify: When an entry's DN is modified (renamed), all the attributes that refer to this entry DN are modified.
This chapter contains the following topics:
To configure and enable Referential Integrity, perform the following steps:

1. Edit the file $ORACLE_HOME/ldap/server/plugin/rimoddn.java, as follows. Go to line 107 in the file. It looks like this:

   conn = DriverManager.getConnection( "jdbc:oracle:thin:ods/ODSPWD@OHOST:OPORT:OSID");

   Replace ODSPWD with your Oracle Internet Directory ODS password.
   Replace OHOST with your Oracle Internet Directory back end database host name.
   Replace OPORT with your Oracle Internet Directory back end database port number.
   Replace OSID with your Oracle Internet Directory back end database ORACLE_SID.

2. Compile $ORACLE_HOME/ldap/server/plugin/rimoddn.java, as follows:

   % $ORACLE_HOME/jdk/bin/javac -classpath \
     $ORACLE_HOME/jdbc/lib/classes12.zip:$ORACLE_HOME/ldap/jlib/ospf.jar \
     rimoddn.java

   The file rimoddn.java now contains the ODS password in clear text. Either remove the password from the file or modify the permissions on the file to prevent unauthorized access.

3. Register the plug-ins:

   % ldapadd -h hostname -p port -D cn=orcladmin -w orcladmin_pwd -v -f \
     $ORACLE_HOME/ldap/admin/oidriplg.dat

   From this point on, all the ldapmoddn and ldapdelete operations on DN reference attributes are recorded.

4. Edit $ORACLE_HOME/ldap/admin/oidrimdx.pls, as follows. Go to line 42 in the file. It looks like this:

   v_attrlist := ODS.MODDELREF.t_attrlist('uniquemember', 'owner');

   This line specifies the default values uniquemember and owner. If you have more DN attribute references to be modified, add the additional attributes to the line. For example, to specify that the DN attribute manager be modified, change the line to:

   v_attrlist := ODS.MODDELREF.t_attrlist('uniquemember', 'owner', 'manager');

   Note: Run $ORACLE_HOME/ldap/admin/oidrimdx.pls at frequent intervals. The exact frequency depends upon site-specific needs, but every 15 minutes to 24 hours is a reasonable range.

The script $ORACLE_HOME/ldap/admin/oidrimdx.pls consumes the records from the Referential Integrity storage table and deletes or modifies the DN references in all associated tables. The command to run it is:

% sqlplus ods/odspassword@connect_string @$ORACLE_HOME/ldap/admin/oidrimdx.pls

To run this command, you must be either the dba or Oracle Internet Directory administrator. On a UNIX or Linux system, you can set up a cron job to run the program as one of those users. If you incorporate the command line into a script or crontab file, ensure that file permissions prevent unauthorized users from viewing the ODS password.
If the entry cache is enabled, invalidate it every time you run $ORACLE_HOME/ldap/admin/oidrimdx.pls. The oidrimdx.pls program modifies tables in the database directly, which makes entries in the cache incorrect. Each time you run oidrimdx.pls, quickly disable and then enable the entry cache, as follows:

% ldapmodify -h host -p port -D cn=orcladmin -w orcladmin_pwd <<EOF
dn:
changetype: modify
replace: orclecacheenabled
orclecacheenabled: 0
EOF
% ldapmodify -h host -p port -D cn=orcladmin -w orcladmin_pwd <<EOF
dn:
changetype: modify
replace: orclecacheenabled
orclecacheenabled: 1
EOF

If you are running oidrimdx.pls from a cron job, and the entry cache is enabled, you should include the commands to invalidate the cache.
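The cron job described above, written out as a wrapper that refuses to run unless the ODS password file is owner-readable only, runs oidrimdx.pls, and then disables and re-enables the entry cache. This is an added example, not a script shipped with Oracle Internet Directory; it assumes the OID tools live under $ORACLE_HOME/bin, that CONNECT_STRING, OID_HOST, OID_PORT and ORCLADMIN_PW come from the environment, and it uses CACHE_CONFIG_DN as a placeholder for the configuration entry that holds orclecacheenabled.

```shell
#!/bin/sh
# Cron wrapper for the oidrimdx.pls cycle (added example, not Oracle's code).
# Assumptions, not from the guide: ORACLE_HOME, CONNECT_STRING, OID_HOST,
# OID_PORT and ORCLADMIN_PW come from the environment; the ODS password is read
# from a file only its owner can read, so it is never on a command line or in
# the crontab; CACHE_CONFIG_DN is a placeholder for the orclecacheenabled entry.
ORACLE_HOME="${ORACLE_HOME:-/path/to/oracle_home}"   # placeholder default
CONNECT_STRING="${CONNECT_STRING:-oiddb}"
OID_HOST="${OID_HOST:-localhost}"
OID_PORT="${OID_PORT:-389}"
ODS_PASS_FILE="${ODS_PASS_FILE:-$HOME/.ods_pw}"
CACHE_CONFIG_DN="${CACHE_CONFIG_DN:-<ENTRY-CACHE-CONFIG-DN-PLACEHOLDER>}"
# Returns 0 only if the secret file exists and is mode 0600 or 0400.
check_secret_perms() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}
# LDIF that sets orclecacheenabled to $1 (0 = disable, 1 = enable).
cache_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: orclecacheenabled\norclecacheenabled: %s\n' \
    "$CACHE_CONFIG_DN" "$1"
}
# One cycle: consume the RI storage table, then bounce the entry cache.
run_ri_cycle() {
  check_secret_perms "$ODS_PASS_FILE" || {
    echo "refusing to run: $ODS_PASS_FILE must be mode 0600 or 0400" >&2; return 2; }
  ods_pw=$(cat "$ODS_PASS_FILE")
  # CONNECT is fed on stdin, so the ODS password does not show up in the
  # process list the way "sqlplus ods/password@db" does.
  "$ORACLE_HOME/bin/sqlplus" -S /nolog <<EOF || return 3
CONNECT ods/$ods_pw@$CONNECT_STRING
@$ORACLE_HOME/ldap/admin/oidrimdx.pls
EXIT
EOF
  # oidrimdx.pls edited tables directly, so the entry cache is stale:
  # disable then re-enable it, as the guide requires after every run.
  for state in 0 1; do
    cache_ldif "$state" | "$ORACLE_HOME/bin/ldapmodify" -h "$OID_HOST" -p "$OID_PORT" \
      -D cn=orcladmin -w "$ORCLADMIN_PW" || return 4
  done
}
case "${1:-}" in run) run_ri_cycle ;; esac   # from cron: oid_ri_cycle.sh run
```

Keep the crontab entry and the wrapper itself unreadable to other users, since ORCLADMIN_PW still reaches ldapmodify through -w as in the guide's own command line.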
To disable Referential Integrity, perform the following steps:

1. Delete the plug-ins, as follows:

   % ldapdelete -h hostname -p port -D cn=orcladmin -w orcladmin_pwd \
     "cn=ri_postdelete,cn=plugin,cn=subconfigsubentry"
   % ldapdelete -h hostname -p port -D cn=orcladmin -w orcladmin_pwd \
     "cn=ri_postmoddn,cn=plugin,cn=subconfigsubentry"

2. Stop running $ORACLE_HOME/ldap/admin/oidrimdx.pls. If you have been using a cron job, delete or disable it.