5 Oracle Directory Integration Platform Tools

This chapter describes the following command-line tools used to administer Oracle Directory Integration Platform:

• manageDIPServerConfig

• manageSyncProfiles

• syncProfileBootstrap

• expressSyncSetup

• provProfileBulkProv

• oidprovtool (Provisioning Registration Tool)

• dipStatus

• schemasync

Notes: Best security practice is to provide a password only in response to a prompt from the command. You must set the environment variables WLS_HOME and ORACLE_HOME before executing any of the Oracle Directory Integration Platform commands. The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute the Oracle Directory Integration Platform commands in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

5.1 manageDIPServerConfig

The Manage DIP Server Configuration utility, manageDIPServerConfig, allows you to manage the Oracle Directory Integration Platform server configuration.

5.1.1 Syntax for manageDIPServerConfig

manageDIPServerConfig

manageDIPServerConfig {get | set} -h HOST -p PORT -D wlsuser -attribute {sslmode |
refreshinterval | quartzthreadcount | quartzdbretryinterval | oidhostport |
keystorelocation} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] 
[-value ATTRIBUTE_VALUE] [-help]

5.1.2 Arguments for manageDIPServerConfig

get | set

Operation to perform.

• get: Displays the current value of the config parameter in DIP configuration file

• set: Updates the value of the config parameter in DIP configuration file.

-h | -host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | -wlsuser

WebLogic Server login ID.

Note: You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute manageDIPServerConfig from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.

-attr | -attribute

Identifies the attribute that manageDIPServerConfig performs the operation on. The following is a list and description of the attributes manageDIPServerConfig can perform operations on:

• sslmode: The SSL mode Oracle Directory Integration Platform uses to connect to Oracle Internet Directory. Supported values are 1 and 2. Use 1 to connect to Oracle Internet Directory using SSL Mode 1 (No Authentication). Use 2 to connect to Oracle Internet Directory using SSl Mode 2 (Server Only Authentication).

• refreshinterval: The time interval (amount of time in seconds) that controls how often the Oracle Directory Integration Platform server refreshes profile configuration details.

• quartzthreadcount: Controls how many profiles can be scheduled in parallel. The default value is 15. If you have more than 15 profiles, increase the quartzthreadcount attribute accordingly.

• quartzdbretryinterval: Controls how often Oracle Directory Integration Platform's Quartz scheduler attempts to reconnect to the Oracle Internet Directory database.

• oidhostport: Identifies the host and port of the Oracle Internet Directory associated with Oracle Directory Integration Platform. Specify values for the oidhostport attribute in the form of host:port.

• keystorelocation: Specifies the absolute path to the Java Keystore (JKS) based on the host where Oracle Directory Integration Platform is deployed. When you specify the value for the keystorelocation attribute, be sure you use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).

-ssl

Executes the command in SSL mode.

Note: The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystorePath jks or -keystorePath PKCS12

-val | -value

The value to set for the attribute This parameter is required with the set operation.

-help

Provides usage help for the command.

5.1.3 Tasks and Examples for manageDIPServerConfig

manageDIPServerConfig get -h myhost.mycompany.com -p 7005 -D weblogic \
   -attr sslmode

manageDIPServerConfig set -h myhost.mycompany.com -p 7005 -D weblogic \
   -attr sslmode -val 2

5.2 manageSyncProfiles

The Manage Synchronization Profiles utility, manageSyncProfiles, allows you to manage synchronization profiles.

5.2.1 Syntax for manageSyncProfiles

managSyncProfiles

manageSyncProfiles {activate | deactivate | copy | deregister | get | isexists |
update | testProfile | validateProfile | validateMapRules | register | 
updatechgnum | associateProfile | dissociateProfile | getAllAssociatedProfiles |
getAssociatedProfile | list } -h HOST -p PORT -D wlsuser [-ssl -keystorePath 
PATH_TO_KEYSTORE -keystoreType TYPE] [-profile] [-newProfile]
[-associateProfile][-file] [-params 'prop1 val1 prop2 val2 ...']
[-conDirHost] [-conDirPort] [-conDirBindDn] [-mode] [-conDirType] [-conDirSSL] 
[-profileStatus] [-help]

5.2.2 Arguments for manageSyncProfiles

Operations

activate

Changes a profile state to ENABLE

deactivate

Changes a profile state to DISABLE

copy

Copies an existing profile profile to profile newProfile

deregister

Deletes an existing profile from OID.

get

Gets the profile details from OID.

isexists

Checks if the profile profile exists in OID.

update

Modifies an existing profile profile in OID.

testProfile

Changes the state of a disabled profile profile to TEST and schedules the profile for testing to ensure the profile successfully performs synchronization. After executing the manageSyncProfiles command with the testProfile operation, the results of the test are available in the following log file, where DOMAIN_HOME represents the Oracle WebLogic Server Domain home and ORACLE_WEBLOGIC_MANAGED_SERVER_NAME represents the name of the managed server where Oracle Directory Integration Platform is deployed:

DOMAIN_HOME/servers/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME/logs/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME.log

Note: The testProfile operation cannot schedule profiles that are in ENABLE state for testing.

validateProfile

Validates the syntax of the values in the specified profile for correctness.

validateMapRules

Validates the map rules provided.

register

Creates a new profile in OID.

updatechgnum

Updates the last applied change number in the profile to latest.

associateProfile

Associates associateProfileName with profileName to prevent information back flow.

dissociateProfile

Dissociates an associated profile to profileName

getAllAssociatedProfiles

Lists all the profiles to which profile profileName is associated.

getAssociatedProfile

Displays the profile name associated with profile profileName.

list

Displays all profiles registered in OID.

Options

-h | host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | wlsuser

Oracle WebLogic Server login ID

Note: You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute a command from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.

-ssl

Executes the command in SSL mode.

Note: The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystorePath jks or -keystorePath PKCS12

-pf | -profile

The name of the synchronization profile to use when performing the operation.

-newpf | -newProfile

The name of the new profile which will be a copy of profile.

-assopf

The name of the profile that will be associated with profile

-f | -file

The full path and file name of the profile properties file containing the properties. See the "Example Properties File for Synchronization Profiles" appendix in Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform for an example of such a file.

-params

A value is of the form prop1 val1 prop2 val2 ... where prop is the name of a profile property and val is the new value for that property. This keyword is used only for modification of a profile. You can specify as many key values as required

-conDirHost

Host where connected directory server is running.

-conDirPort

Port at which connected directory server listens.

-conDirBindDn

Connected directory server bind DN.

Examples:

• Active Directory

  administrator@idm2003.net
  

• Sun ONE or iPlanet

  cn=Directory Manager
  

• Oracle Internet Directory

  cn=orcladmin
  

Note: You are prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute manageSyncProfiles from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order:connected directory bind DN password, then Oracle WebLogic Server login password.

-mode

Synchronization mode map rules to be used: import or export

-conDirType

Connected directory type. Supported values are ActiveDirectory, EDirectory, iPlanet, OpenLDAP, ADAM, Tivoli, ExchangeServer2003, and OID.

-conDirSSL

SSL mode value used to connect connected directory server

-prfSt | -profileStatus

Displays status for the profile. Used only with the list operation.

-help

Provides command usage help.

5.2.3 Tasks and Examples for manageSyncProfiles

manageSyncProfiles register -h myhost.mycompany.com -p 7005 -D weblogic \
  -f /opt/ldap/odip/iPlImport.profile 

manageSyncProfiles deregister -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile 

manageSyncProfiles updatechgnum -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile 

manageSyncProfiles activate -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile 

manageSyncProfiles deactivate -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile 

manageSyncProfiles get -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile 

manageSyncProfiles testProfile -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile 

manageSyncProfiles associateprofile -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile -assopf myProfile1 

 manageSyncProfiles dissociateprofile -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile 

 manageSyncProfiles getAllAssociatedProfiles -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile 

 manageSyncProfiles getAssociatedProfile -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile 

 manageSyncProfiles update -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile -f /opt/ldap/odip/iPlImport.profile 

 manageSyncProfiles validateMapRules -h myhost.mycompany.com -p 7005 \
   -D weblogic -f /opt/ldap/odip/iPlImport.map -conDirHost server.example.com \  
   -conDirPort 8000 -conDirBindDn administrator@idm2003.net -mode IMPORT \
   -conDirType IPLANET 

 manageSyncProfiles isexists -h myhost.mycompany.com -p 7005 -D weblogic \
   -pf myProfile 

 manageSyncProfiles copy -h myhost.mycompany.com -p 7005 -D weblogic \
   -pf myProfile -newpf yourProfile 

manageSyncProfiles list -h myhost.mycompany.com -p 7005 -D weblogic -profileStatus
 

5.3 syncProfileBootstrap

The Synchronization Profile Bootstrap utility, syncProfileBootstrap, performs the initial migration of data between a connected directory and Oracle Internet Directory for a synchronization profile.

5.3.1 Syntax for syncProfileBootstrap

syncProfileBootstrap

syncProfileBootstrap -h HOST -p PORT -D wlsuser {-file FILENAME |-profile
-PROFILE_NAME} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE]
[-loadParallelism INTEGER] [-loadRetry INTEGER][-help]

5.3.2 Arguments for syncProfileBootstrap

-h | -host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | wlsuser

Oracle WebLogic Server login ID

Note: You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute syncProfileBootstrap from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.

-f | -file

Bootstrap properties file.

-pf | -profile

The name of the synchronization profile to use when performing the operation.

-ssl

Executes the command in SSL mode.

Note: The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystorePath jks or -keystorePath PKCS12

-lp | -loadParallelism

Indicator that loading to Oracle Internet Directory is to take place in parallel by using multiple threads. For example, -loadparallelism 5 means that 5 threads are to be created, each of which tries to load the entries in parallel to Oracle Internet Directory.

-lr | -loadRetry

The number of times the retry should be made (when the load to the destination fails) before marking the entry as bad entry.

-help

Provides command usage help.

5.3.3 Tasks and Examples for syncProfileBootstrap

manageSyncProfileBootstrap -h myhost.mycompany.com -p 7005 -D weblogic \
  -pf myProfile -lp 5

manageSyncProfileBootstrap -h myhost.mycompany.com -p 7005 -D weblogic \
  -f /opt/ldap/odip/bootstrap.properties -lr 3  

5.4 expressSyncSetup

The Express Synchronization Setup utility, expressSyncSetup, creates import and export synchronizations profiles.

5.4.1 Syntax for expressSyncSetup

expressSyncSetup

expressSyncSetup -h HOST -p PORT -D wlsuser -pf PROFILE 
-conDirType CONNECTED_DIRECTORY_TYPE -conDirURL CONNECTED_DIRECTORY_URL
-conDirBindDN CONNECTED_DIRECTORY_BIND_DN -conDircontainer SYNC_CONTAINER 
[-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-enableProfiles {true |
false}] [-help]

5.4.2 Arguments for expressSyncSetup

-h | -host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | wlsusser

Oracle WebLogic Server login ID

Note: You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute expressSyncSetup from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to expressSyncSetup, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.

-pf | -profile

Profile name.

-conDirType

Connected directory type. Supported values are ActiveDirectory, EDirectory, iPlanet, OpenLDAP, ADAM, Tivoli, ExchangeServer2003, and OID.

-conDirUrl

URL where the connected directory is running. The format is host:port.

-conDirBindDN

Connected directory server bind DN. For example:

administrator@idm2003.net

cn=orcladmin, cn=Directory Manager

Note: You are prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute expressSyncSetup from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to expressSyncSetup, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.

-conDirContainer

The synchronization container. For example:

ou=sales,dc=us,dc=com

OU=Groups,DC=imtest,DC=com

CN=Users,DC=imtest,DC=com

-ssl

Executes the command in SSL mode.

Note: The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystorePath jks or -keystorePath PKCS12

-enableProfiles

Specify true to enable created profiles, false if not.

-help

Provides command usage help.

5.4.3 Tasks and Examples for expressSyncSetup

expressSyncSetup -h myhost.mycompany.com -p 7005 -D weblogic -pf myProfile \ 
  -conDirType ACTIVEDIRECTORY -conDirUrl server.mycompany.com:5432 \
  -conDirBindDN administrator@idm2003.net -conDirContainer ou=sales,dc=us,dc=com \
  -enableProfiles false \

expressSyncSetup -help 

5.5 provProfileBulkProv

The Provisioning Profile Bulk utility, provProfileBulkProv, performs initial migration of data from an LDIF file to Oracle Internet Directory for a provisioning profile.

5.5.1 Syntax for provProfileBulkProv

provProfileBulkProv

provProfileBulkProv -h HOST -p PORT -D wlsuser -file LDIF_FILE -realm REALM_DN
[-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE]
[-encoding INPUT_ENCODING] [-help]

5.5.2 Arguments for provProfileBulkProv

-h | -host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | -wlsuser

Oracle WebLogic Server login ID

Note: You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute provProfileBulkProv from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.

-f | -file

LDIF file containing the data to be migrated.

-realm

The realm in which the users are to be provisioned.

-ssl

Executes the command in SSL mode.

Note: The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystorePath jks or -keystorePath PKCS12

-encoding

Input file encoding.

-help

Provides command usage help.

5.5.3 Tasks and Examples for provProfileBulkProv

provProfileBulkprov -h myhost.mycompany.com -p 7005 -D weblogic \
  -f /opt/ldap/odip/users.ldif -realm cn=aaaa,ou=bbbb,dc=cccc

5.6 oidprovtool

Provisioning enables you to ensure that an application is notified of directory changes, such as changes to user or group information. Such changes can affect whether the application allows a user access to its processes and resources.

When you install an application that you want to provision, you must create a provisioning integration profile by using the Provisioning Registration Tool (oidprovtool).

You can use the Provisioning Registration Tool to:

• Create a new provisioning profile. A new provisioning profile is created and set to the enabled state so that Oracle Directory Integration Platform can process it.

• Disable an existing provisioning profile.

• Enable a disabled provisioning profile.

• Modify an existing provisioning profile.

• Delete an existing provisioning profile.

• Get the current status of a given provisioning profile.

• Clear all of the errors in an existing provisioning profile.

The Provisioning Registration Tool shields the location and schema details of the provisioning profile entries from the callers of the tool. From the callers' perspective, the combination of an application and a realm uniquely identify a provisioning profile. The constraint in the system is that there can be only one provisioning profile for each application for each realm.

Once a profile is created, its mode—that is, INBOUND, OUTBOUND, or BOTH—cannot be changed by using the modify operation. To change the mode, you must delete, then re-create, the profile.

The Oracle directory integration platform server automatically monitors provisioning profile configuration changes in Oracle Internet Directory, including the creation, modification, and deletion of provisioning profiles. For this reason, you do not need to manually enable or disable a provisioning profile.

Note: For improved security, do not supply a password on the command line. The oidprovtool command prompts you for a password if you do not supply one on the command line.

5.6.1 Syntax for oidprovtool

oidprovtool

oidprovtool operation=[create|modify] ldap_host=oid_hostname ldap_port=port 
ldap_user_dn="bindDN" ldap_user_password=password 
[profile_mode=INBOUND|OUTBOUND|BOTH]
application_dn="DN" application_type=type [application_name=name] 
[application_display_name=display name] organization_dn=DN 
[application_isdasvisible=TRUE|FALSE] [manage_application_defaults=TRUE|FALSE] 
[enable_bootstrap=TRUE|FALSE]  [user_data_location=DN] 
[default_provisioning_policy=PROVISIONING_REQUIRED|PROVISIONING_NOT_REQUIRED] 
interface_name=SCHEMA.PACKAGE [interface_type=PLSQL|JAVA] 
interface_version=1.1|2.0|3.0] interface_connect_info=connection_string 
schedule=number_seconds lastchangenumber=number 
max_prov_failure_limit=number  
max_events_per_schedule=number max_events_per_invocation=number 
event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN" 
event_permitted_operations="OBJECT:DOMAIN:OPERATION(attributes,...)" 
event_subscription="USER|GROUP:DOMAIN:OPERATION(attributes,...)" 
max_events_per_schedule=number max_retries=number profile_group=number
profile_status=ENABLED | DISABLED profile_debug=debug_level 

oidprovtool {operation=enable|disable|delete|status|reset} 
application_dn=DN [organization_dn=DN] [ldap_host=oid_hostname] [ldap_port=port]
[ldap_user_dn=bindDN] [ldap_user_password=password] [profile_debug=debug_level]

5.6.2 Arguments for oidprovtool

operation=create | modify | enable | disable | delete | status | reset

Required. The operation to perform using oidprovtool. You can only perform one operation at a time. The operations are:

• create—Creates a new provisioning profile.

• modify—Modifies the given properties of an existing provisioning profile.

• enable—Enables a provisioning profile.

• disable—Disables a provisioning profile.

• delete—Deletes a provisioning profile.

• status—Shows the current status of a given provisioning profile.

• reset—Clears all errors for a provisioning profile.

ldap_host=oid_hostname

Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.

ldap_port=port

Optional. The LDAP listening port of Oracle Internet Directory. The default is 3060.

ldap_user_dn=bindDN

Required. The DN of the superuser or a user that has sufficient permissions to perform provisioning subscription operations. The default is cn=orcladmin.

ldap_user_password=password

Optional.The user password used to bind to the directory. If you do not specify the password on the command line, you are prompted for it. Best security practice is to provide the password in response to a prompt.

profile_mode=OUTBOUND | INBOUND | BOTH

Optional for the create operation only. The direction of the provisioning events. The default is OUTBOUND (data is provisioned from Oracle Internet Directory to the application).

application_dn=DN

Required. The distinguished name of the application to which the provisioning subscription belongs. The combination of the application DN and organization DN uniquely identifies a provisioning profile. For example, here is the application DN for Portal:

"orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext"

application_type=type

Required. The type of application being provisioned.

application_name=name

Optional. The name of the application being provisioned. If not provided, defaults to the distinguished name assigned to application_dn.

application_display_name=name

Optional. The display name of the application being provisioned. If not provided, defaults to the value assigned to application_name.

organization_dn=DN

Optional. If not provided, defaults to the default identity management realm. The distinguished name of the organization to which the provisioning subscription belongs, for example "dc=company,dc=com". The combination of the application DN and organization DN uniquely identifies a provisioning profile.

application_isdasvisible=TRUE | FALSE

Optional. Determines whether the application is visible as a provisioning-integrated application in the Oracle Internet Directory Provisioning Console. The default value is TRUE.

manage_application_default=TRUE | FALSE

Optional. Determines whether the Oracle Internet Directory Provisioning Console manages the application's default values. The default value is TRUE.

enable_bootstrap=TRUE | FALSE

Optional. Indicates whether the application should receive provisioning events for users that existed in Oracle Internet Directory before creating the application's provisioning integration profile. The default value is FALSE.

user_data_location=DN

Optional. Identifies the DN of the container in which to store application-specific user information.

default_provisioning_policy=PROVISIONING_REQUIRED | PROVISIONING_NOT_REQUIRED

Optional. Specifies the application's default provisioning policy. The default value is PROVISIONING_REQUIRED.

interface_name=SCHEMA.PACKAGE

Required for create or modify operations. The database schema name for the PLSQL package. The format of the value is schema.package_name, for example here is the schema and PLSQL package information for Portal:

interface_name=PORTAL.WWSEC_OID_SYNC

interface_version=1.1 | 2.0 | 3.0

The version of the interface protocol. Allowed values are 1.1, 2.0, or 3.0. The default value is 2.0.

interface_type=PLSQL | JAVA

Optional. The type of interface to which events will be propagated. The default is PLSQL.

interface_connect_info=connection_string

Required for create or modify operations. To connect to an Oracle database and propagate events, use one of the following formats for the connection string:

• DBURL=ldap://ldaphost:ldapport/service:username:password (recommended)

• host:port:sid:username:password

• DBSVC=service:username:password

schedule=number_seconds

Optional for create and modify operations only. The number of seconds between executions of this profile. The default is 3600, which means the profile is scheduled to be executed every hour.

lastchangenumber=number

Optional for create and modify operations on OUTBOUND events only. The last change number in Oracle Internet Directory after which all qualifying events should be provisioned to the application. Defaults to the latest current change number.

max_prov_failure_limit=number

Optional. Determines the number of times the Oracle Provisioning System attempts to provision a user. The default is 1.

max_events_per_schedule=number

Optional for create and modify operations only. The maximum number of events that the Oracle directory integration platform server sends to an application during one execution of a provisioning profile. The default is 100.

max_events_per_invocation=number

Optional for create and modify operations only. The maximum number of events that can be packaged and sent to a target in one invocation of the interface.

event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN"

Required for create and modify operations on INBOUND events only. This rule maps the object type received from the application (using an optional filter condition) to a domain in Oracle Internet Directory A provisioning profile can have multiple mapping rules defined.

The following example shows two mapping rules. The first rule shows that an employee object (EMP) whose locality attribute equals America (l=AMERICA) should be mapped to the domain l=AMER,cn=users,dc=company,dc=com. The second rule shows that an employee object (EMP) should be mapped to the domain cn=users,dc=company,dc=com (no filter conditions).

event_mapping_rules="EMP:l=AMERICA:l=AMER,cn=users,dc=company,dc=com"
event_mapping_rules="EMP::cn=users,dc=company,dc=com"

event_permitted_operations="OBJECT:DOMAIN:OPERATION(attributes,...)

Required for create and modify operations on INBOUND events only. This property is used to define the types of events that the application is allowed to send to the Oracle Directory Integration Platform service. A provisioning profile can have multiple permitted operations defined.

For example, if you wanted to permit the application to send events whenever a user object was added or deleted, or when certain attributes were modified, you would have three permitted operations such as this:

event_permitted_operations="USER:dc=mycompany,dc=com:ADD(*)"
event_permitted_operations="USER:dc=mycompany,dc=com:MODIFY(cn,sn,mail,password)"
event_permitted_operations="USER:dc=mycompany,dc=com:DELETE(*)"

event_subscription="USER | GROUP:DOMAIN:OPERATION(attributes,...)"

Required for create and modify operations on OUTBOUND events only. This property is used to define the types of events that the Oracle Directory Integration Platform service should send to the application. A provisioning profile can have multiple event subscriptions defined.

For example, if you wanted the directory integration server to send events to the application whenever a user or group object was added or deleted, you would have four event subscriptions such as this:

event_subscription="GROUP:dc=mycompany,dc=com:ADD(*)"
event_subscription="GROUP:dc=mycompany,dc=com:DELETE(*)"
event_subscription="USER:dc=mycompany,dc=com:ADD(*)"
event_subscription="USER:dc=mycompany,dc=com:DELETE(*)" 

max_events_per_schedule=number

Optional for create and modify operations only. The maximum number of events to be provisioned in one schedule. The default is 100.

max_retries=number

Optional for create and modify operations only. The number of times a failed event should be retried. The default is 5.

profile_group=number

Required for create and modify operations only. The group number of the profile. Default is "DEFAULT". This is required to address scalability issues when different Oracle Directory Integration Platform server instances will be used to execute different selected groups.

profile_status=ENABLED | DISABLED

Required for the create operation only. Determines whether the profile is enabled or disabled. The default is ENABLED.

profile_debug=debug_level

Required. The debug level for the profile.

5.6.3 Tasks and Examples for oidprovtool

Using the Provisioning Registration Tool (oidprovtool) you can perform the following tasks:

• Creating a Provisioning Profile

• Modifying a Provisioning Profile

• Deleting a Provisioning Profile

• Disabling a Provisioning Profile

5.6.3.1 Creating a Provisioning Profile

The following example creates a new provisioning profile that makes Portal aware of updates to the user and group information that is maintained in Oracle Internet Directory.

Example:

oidprovtool operation=create ldap_host=myhost.mycompany.com ldap_port=3060 \
ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \
organization_dn="dc=us,dc=mycompany,dc=com" interface_name=PORTAL.WWSEC_OID_SYNC \
interface_type=PLSQL interface_connect_info=myhost:1521:iasdb:PORTAL:password \
schedule=360 event_subscription="USER:dc=us,dc=mycompany,dc=com:DELETE" \
event_subscription="GROUP:dc=us,dc=mycompany,dc=com:DELETE" \
event_subscription="USER:dc=us,dc=mycompany,dc=com:MODIFY(orclDefaultProfileGroup,userpassword)" \
event_subscription="GROUP:dc=us,dc=mycompany,dc=com:MODIFY(uniqueMember)" \
profile_mode=OUTBOUND 

5.6.3.2 Modifying a Provisioning Profile

The following example modifies an existing provisioning profile for the Portal application. It changes the event subscription for the attributes that are provisioned when a user entry is modified.

Example:

oidprovtool operation=modify ldap_host=myhost.mycompany.com ldap_port=3060 \
ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \
organization_dn="dc=us,dc=mycompany,dc=com" \
subscription="USER:dc=us,dc=mycompany,dc=com:MODIFY(orclDefaultProfileGroup,userpassword,mail,cn,sn)"

5.6.3.3 Deleting a Provisioning Profile

The following example disables a provisioning profile for the Portal application.

Example:

oidprovtool operation=delete ldap_host=myhost.mycompany.com ldap_port=3060 \
ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \
organization_dn="dc=us,dc=mycompany,dc=com"

5.6.3.4 Disabling a Provisioning Profile

The following example disables a provisioning profile for the Portal application.

Example:

oidprovtool operation=disable ldap_host=myhost.mycompany.com ldap_port=3060 \
ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \
organization_dn="dc=us,dc=mycompany,dc=com"

5.7 dipStatus

The dipStatus utility allows you to check the status of Oracle Directory Integration Platform and whether it is registered.

5.7.1 Syntax for dipStatus

dipStatus

dipStatus -h HOST -p PORT -D wlsuser [-ssl -keystorePath PATH_TO_KEYSTORE
-keystoreType TYPE] [-help]

5.7.2 Arguments for dipStatus

-h | -host

Host name of the WebLogic server running the Managed Server where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | -wlsuser

WebLogic Server login ID.

Note: You are prompted for the WebLogic server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus from a script, you can redirect input from a file containing the WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.

-ssl

Executes the command in SSL mode.

Note: The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystorePath jks or -keystorePath PKCS12

-help

Provides usage help for the command.

5.7.3 Examples for dipStatus

dipStatus -h myhost.mycompany.com -p 7005 -D weblogic

dipStatus -help

5.8 schemasync

The schemasync utility enables you to synchronize schema elements—namely attributes and object classes—between an Oracle Internet Directory server and a third-party LDAP directory.

The errors that occur during schema synchronization are logged in the following files:

• ORACLE_HOME/ldap/odi/log/attributetypes.log

• ORACLE_HOME/ldap/odi/log/objectclasses.log

5.8.1 Syntax for schemasync

schemasync

schemasync -srchost hostname -srcport port -srcdn bindDN -srcpwd password  -dsthost hostname -dstport port -dstdn bindDN -dstpwd password [-ldap]

5.8.2 Arguments for schemasync

-srchost hostname

Required. The host name of the source directory server.

-srcport port

Required. The LDAP listening port of the source directory server, for example 3060.

-srcdn bindDN

Required. The DN of the user used to bind to the source directory. This user must have permissions to modify the directory schema, for example the superuser (cn=orcladmin).

-srcpwd password

Optional. The user password used to bind to the source directory. If you do not specify the password on the command line, you are prompted for it. Best security practice is to provide the password in response to a prompt.

-dsthost hostname

Required. The host name of the destination directory server.

-dstport port

Required. The LDAP listening port of the destination directory server, for example 3060.

-dstdn bindDN

Optional. The DN of the user used to bind to the destination directory. This user must have permissions to modify the directory schema, for example the superuser.

-dstpwd password

Required. The user password used to bind to the destination directory. If you do not specify the password on the command line, you are prompted for it. Best security practice is to provide the password in response to a prompt.

-ldap

Optional. If specified, then the schema changes are applied directly from the source LDAP directory to the destination LDAP directory. If it is not specified, then the schema changes are placed in the following LDIF files:

• ORACLE_HOME/ldap/odi/data/attributetypes.ldif: This file has the new attribute definitions.

• ORACLE_HOME/ldap/odi/data/objectclasses.ldif: This file has the new object class definitions.

If you do not specify -ldap, then you must use "ldapmodify" to upload the definitions from these two files, first attribute types and then object classes.

5.8.3 Tasks and Examples for schemasync

Using the schemasync command-line tool, you can perform the following tasks:

• Synchronizing the Schema between Oracle Internet Directory and a Third-Party Directory

5.8.3.1 Synchronizing the Schema between Oracle Internet Directory and a Third-Party Directory

The following example shows how to synchronize the schema between Oracle Internet Directory and a third-party directory server.

Example:

schemasync -srchost myhost1.mycompany.com -srcport 3060 -srcdn "cn=orcladmin" \
   -dsthost myhost2.mycompany.com -dstport 3060 \
   -dstdn "uid=superuser,ou=people,dc=mycompany,dc=com" -ldap

5.8.4 Related Command-Line Tools for schemasync

• See "ldapmodify"