Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
The directory server provides a full set of LDAPv2- and LDAPv3-compliant client tools to manage directory entries. You can add, update, or remove entries by using the ldapmodify and ldapdelete utilities. The LDAP command-line utilities require LDAP Data Interchange Format (LDIF)-formatted input, entered through the command line or read from a file.
Before you make modifications to directory data, make sure that you understand the following concepts:
The privilege and access control mechanisms.
For information about setting privileges, see Chapter 9, Controlling Access To Data.
The structure of your directory server.
The schema of your directory server.
You can add one or more entries to a directory server by using the ldapmodify command. ldapmodify opens a connection to the directory server, binds to it, and performs the modification to the database (in this case, an "add") as specified by the command-line options.
ldapmodify enables you to add entries in one of two ways:
Using the --defaultAdd option. Use the --defaultAdd option to add new entries to the directory when data is entered on the command line. Press Ctrl-D (UNIX, Linux) or Ctrl-Z (Windows) when finished, or use an input file with your changes.
Using LDIF update statements. LDIF update statements define how ldapmodify changes the directory entry. An LDIF update statement contains the DN of the entry to be modified, a changetype that defines how that entry is to be modified (add, delete, modify, modrdn), and a series of attributes and their changed values.
Note - Any newly added entry must conform to the directory's schema. If you add any entry that does not conform to the schema, the server responds with an Object Class Violation error. You can view the details of the error in the errors log.
The root entry is the topmost entry in the directory and must contain the naming context, or root suffix. You can set up the root entry when you first install the directory server using the graphical user interface (GUI) or the command-line. If you install the directory without any data, create a root entry using the ldapmodify command with the --defaultAdd option.
$ ldapmodify --hostname localhost --port 1389 --defaultAdd \
  --bindDN "cn=Directory Manager" --bindPassword password
dn: dc=example,dc=com
objectclass: domain
objectclass: top
dc: example
(Press Ctrl-D on Unix, Linux) (Press Ctrl-Z on Windows), then press ENTER.
Processing ADD request for dc=example,dc=com
ADD operation successful for DN dc=example,dc=com
Note - The --bindDN and --bindPassword options specify the bind DN and password, respectively, of the user with permissions to add new entries. You can provide the clear-text version of the password. The server encrypts this value and stores only the encrypted one. Be sure to limit read permissions to protect clear passwords that appear in LDIF files. To avoid exposing the bind password on the network, use SSL or StartTLS.
To verify the new root entry, search for it with base scope:
$ ldapsearch --hostname localhost --port 1389 --baseDN "dc=example,dc=com" \
  --searchScope base --bindDN "cn=Directory Manager" --bindPassword password \
  "(objectclass=*)"
dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
Before you add an entry, ensure that the suffix to which you want to add the entry exists in your database (for example, ou=People,dc=example,dc=com).
For this example, create an input file called new.ldif with the following contents:
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
cn: Marcia Garza
sn: Garza
givenName: Marcia
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: mgarza
mail: mgarza@example.com
roomnumber: 5484
userpassword: donuts
$ ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
  --bindPassword password --defaultAdd --filename /tmp/new.ldif
Make sure that there are no trailing spaces after add in the changetype: add line. If a space exists after add, the server base64-encodes the value to represent the space, which can cause problems.
For this example, create an input LDIF file named new.ldif.
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: add
cn: Marcia Garza
sn: Garza
givenName: Marcia
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: mgarza
mail: mgarza@example.com
roomnumber: 5484
userpassword: donuts
Do not include the -a (--defaultAdd) option, because the changetype attribute specifies the action.
$ ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
  --bindPassword password --filename /tmp/new.ldif
Processing ADD request for uid=Marcia Garza,ou=People,dc=example,dc=com
ADD operation successful for DN uid=Marcia Garza,ou=People,dc=example,dc=com
The LDIF changetype:add statement adds an entry to the directory. To add attributes to an existing entry, use the changetype:modify statement, as shown in the following examples. You can combine multiple modifications to one entry within a single changetype:modify record by separating each modification with a dash ("-") on a line of its own.
Use the modify change type, because you are modifying an existing entry with the addition of a new attribute. Make sure that there are no trailing spaces after modify. After the changetype, specify add: newAttributeName and, on the following line, the value of the new attribute.
For this example, create an input LDIF file called add_attribute.ldif, as follows:
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: +1 408 555 8283
Note - To add multiple attributes, separate the attributes with a dash (-), for example:
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: +1 408 555 8283
-
add: building
building: sc09
$ ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
  --bindPassword password --filename /tmp/add_attribute.ldif
Processing MODIFY request for uid=Marcia Garza,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=Marcia Garza,ou=People,dc=example,dc=com
You can use ldapmodify to add access control instructions (ACIs) to manage access rights for a user's account. For more information, see Chapter 9, Controlling Access To Data and ACI Syntax in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
The following example, placed in an input LDIF file called add_aci.ldif, allows a user to modify her own directory attributes.
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///uid=Marcia Garza,ou=People,dc=example,dc=com")
 (targetattr="*")(version 3.0; acl "mgarza rights"; allow (write) userdn="ldap:///self";)
$ ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
  --bindPassword password --filename /tmp/add_aci.ldif
Processing MODIFY request for uid=Marcia Garza,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=Marcia Garza,ou=People,dc=example,dc=com
The directory server represents international locales using a language tag in the form attribute;language-subtype. For example, homePostalAddress;lang-jp:address specifies the postal address with the locale in Japan (subtype=jp).
Affix the language subtype, lang-cc, where cc is the country code.
$ ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
  --bindPassword password
dn: uid=jarrow,ou=People,dc=example,dc=com
changetype: modify
add: homePostalAddress;lang-jp
homePostalAddress;lang-jp: 1-8-15 Azuchimachi, Chuo-ku
(Press Ctrl-D on Unix, Linux) (Press Ctrl-Z on Windows), then press ENTER.
Note - If the attribute value contains non-ASCII characters, they must be UTF-8 encoded.
Use the LDIF update statement changetype:modify to make changes to existing directory data. The following procedures provide examples of modifying directory entries.
For more information, see ldapmodify in Oracle Fusion Middleware Command-Line Usage Guide for Oracle Unified Directory.
Ensure that there are no trailing spaces after modify.
This example modifies a user's existing telephone number.
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: modify
replace: telephonenumber
telephonenumber: +1 408 555 8288
Processing MODIFY request for uid=Marcia Garza,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=Marcia Garza,ou=People,dc=example,dc=com
Note - To modify multiple attributes, separate the attributes with a dash (-), for example:
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: modify
replace: telephonenumber
telephonenumber: +1 408 555 6465
-
add: facsimiletelephonenumber
facsimiletelephonenumber: +1 408 222 4444
-
replace: l
l: Sunnyvale
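The LDIF encoding rule behind the warnings above (no trailing space after add or modify, dash-separated modifications in one record, and non-ASCII attribute values must be UTF-8 encoded), as an added Python example that is not part of the Oracle guide. It writes changetype: add and changetype: modify records in the form ldapmodify reads, and base64-encodes any value that LDIF (RFC 2849) does not allow in clear form; this is the same encoding the server falls back to when a changetype value carries a trailing space. The entry data is the guide's Marcia Garza entry; the Japanese postal address is a constructed value.

```python
from __future__ import annotations

import base64

# Added example: not code from the Oracle Unified Directory guide. It writes
# LDIF change records of the kind the guide feeds to ldapmodify and applies the
# LDIF (RFC 2849) encoding rule behind the guide's warnings: a value that starts
# with a space, ':' or '<', ends with a space, or contains non-ASCII or control
# characters is not a SAFE-STRING, so it is written as "attr:: <base64>".


def needs_base64(value: str) -> bool:
    """True when LDIF requires (or recommends) base64 for this value."""
    if value == "":
        return False
    if value[0] in " :<":          # not allowed as a first character
        return True
    if value[-1] == " ":           # RFC 2849: encode values ending in SPACE
        return True
    return any(ord(ch) > 0x7F or ch in "\r\n\x00" for ch in value)


def attr_line(attr: str, value: str) -> str:
    """Render one LDIF attribute line, base64-encoding the value when needed."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def decode_attr_line(line: str) -> tuple[str, str]:
    """Inverse of attr_line: split one LDIF line into (attr, decoded value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):       # "attr:: base64"
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.lstrip(" ")


def add_record(dn: str, attrs: dict[str, list[str]]) -> str:
    """A 'changetype: add' record (the form used without --defaultAdd)."""
    lines = [attr_line("dn", dn), "changetype: add"]
    for attr, values in attrs.items():
        lines.extend(attr_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"


def modify_record(dn: str, changes: list[tuple[str, str, list[str]]]) -> str:
    """A 'changetype: modify' record. Each (op, attr, values) tuple is one
    modification; successive modifications are separated by a '-' line, and
    a delete with no values removes the whole attribute."""
    if not changes:
        raise ValueError("a modify record needs at least one modification")
    header = [attr_line("dn", dn), "changetype: modify"]
    blocks = []
    for op, attr, values in changes:
        if op not in ("add", "delete", "replace"):
            raise ValueError(f"unknown modification type: {op}")
        block = [f"{op}: {attr}"] + [attr_line(attr, v) for v in values]
        blocks.append("\n".join(block))
    return "\n".join(header) + "\n" + "\n-\n".join(blocks) + "\n"


def lines_with_trailing_space(ldif_text: str) -> list[int]:
    """1-based numbers of lines ending in whitespace. A trailing space after
    'changetype: add' makes the value 'add ' (base64 'YWRkIA==' on the wire),
    which the guide warns can cause problems."""
    return [n for n, line in enumerate(ldif_text.splitlines(), 1)
            if line != line.rstrip()]


if __name__ == "__main__":
    # Constructed sample: the guide's Marcia Garza entry plus a constructed
    # non-ASCII postal address, which comes out base64-encoded.
    print(modify_record("uid=Marcia Garza,ou=People,dc=example,dc=com", [
        ("add", "telephonenumber", ["+1 408 555 8283"]),
        ("add", "building", ["sc09"]),
        ("add", "homePostalAddress;lang-jp", ["東京都中央区安土町1-8-15"]),
    ]))
    print(lines_with_trailing_space("dn: dc=example,dc=com\nchangetype: add \n"))
```

Run lines_with_trailing_space over a hand-written LDIF file before passing it to --filename; any line it reports is one that the server will not read as the plain text you intended.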
The ldapmodify command provides the options --preReadAttributes and --postReadAttributes, which return the modified attribute value with a before and after snapshot, respectively.
This example modifies a user's existing telephone number.
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  --preReadAttributes telephoneNumber --postReadAttributes telephoneNumber
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: modify
replace: telephonenumber
telephonenumber: +1 408 555 8288
Processing MODIFY request for uid=Marcia Garza,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=Marcia Garza,ou=People,dc=example,dc=com
Target entry before the operation:
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
telephonenumber: +1 408 555 4283
Target entry after the operation:
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
telephonenumber: +1 408 555 8288
This example deletes the location (l) attribute from an entry.
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: modify
delete: l
(Press CTRL-D for Unix, Linux) (Press CTRL-Z for Windows), then press ENTER.
Processing MODIFY request for uid=Marcia Garza,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=Marcia Garza,ou=People,dc=example,dc=com
Note - Type control-D (UNIX, Linux) or control-Z (Windows) to complete the input.
The distinguished name (DN) of an entry uniquely identifies and describes that entry. A distinguished name consists of the name of the entry itself as well as the names, in order from bottom to top, of the objects above it in the directory.
The relative distinguished name (RDN) is the leftmost element in an entry DN. For example, the RDN for uid=Marcia Garza,ou=People,dc=example,dc=com is uid=Marcia Garza. To change an RDN, use the changetype:moddn LDIF update statement.
You can specify if the old RDN should be retained in the directory by using the deleteoldrdn attribute. A deleteoldrdn value of 0 indicates that the existing RDN should be retained in the directory. A value of 1 indicates that the existing RDN should be replaced by the new RDN value.
Note - You cannot rename an RDN if it has any children, due to the possible orphaning of the subtree elements. This is a violation of the LDAP protocol.
In this example, an employee Marcia Garza wants to change to her married name, Marcia Peters.
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: moddn
newrdn: uid=Marcia Peters
deleteoldrdn: 1
Processing MODIFY DN request for uid=Marcia Garza,ou=People,dc=example,dc=com
MODIFY DN operation successful for DN uid=Marcia Garza,ou=People,dc=example,dc=com
After the rename, certain attributes might still list the user's previous name. This example updates them.
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password
dn: uid=Marcia Peters,ou=People,dc=example,dc=com
changetype: modify
replace: sn
sn: Peters
-
replace: cn
cn: Marcia Peters
-
replace: uid
uid: mpeters
uid: Marcia Peters
-
replace: mail
mail: mpeters@example.com
(Press Ctrl-D on Unix, Linux) (Press Ctrl-Z on Windows), then press ENTER.
Processing MODIFY request for uid=Marcia Peters,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=Marcia Peters,ou=People,dc=example,dc=com
If you are moving an entry from one parent to another, extend the access control instruction (ACI) rights on the parent entries. On the current parent entry of the entry to be moved, ensure that the ACI allows the export operations by using the syntax allow(export ...). On the future parent entry of the entry to be moved, ensure that the ACI allows the import operations by using the syntax allow(import...).
In this example, move uid=sgarza from the ou=Contractors,dc=example,dc=com suffix to the ou=People,dc=example,dc=com subtree.
Create an input LDIF file called move_entry.ldif with the following contents:
dn: uid=sgarza,ou=Contractors,dc=example,dc=com
changetype: moddn
newrdn: uid=sgarza
deleteoldrdn: 0
newsuperior: ou=People,dc=example,dc=com
Then run ldapmodify with the --filename option:
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  --filename move_entry.ldif
Processing MODIFY DN request for uid=sgarza,ou=Contractors,dc=example,dc=com
MODIFY DN operation successful for DN uid=sgarza,ou=Contractors,dc=example,dc=com
The following example provides before and after snapshot changes for the ou attribute.
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  --preReadAttributes ou --postReadAttributes ou
dn: uid=sgarza,ou=People,dc=example,dc=com
changetype: modify
replace: ou
ou: People
ou: Product Testing
(Press Ctrl-D on Unix, Linux) (Press Ctrl-Z on Windows), then press ENTER.
Processing MODIFY request for uid=sgarza,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=sgarza,ou=People,dc=example,dc=com
Target entry before the operation:
dn: uid=sgarza,ou=People,dc=example,dc=com
ou: Contractors
ou: Product Testing
Target entry after the operation:
dn: uid=sgarza,ou=People,dc=example,dc=com
ou: People
ou: Product Testing
You can use ldapmodify and ldapdelete to remove entries from the directory. The ldapmodify command removes entries and attributes by using the LDIF update statements changetype:delete and changetype:modify with the delete attribute, respectively. The ldapdelete tool removes only entries.
Note - You cannot delete an entry that has child entries. If you want to delete an entry that has children, first delete all the child entries below the targeted entry, then delete the entry itself.
For more information, see ldapdelete in Oracle Fusion Middleware Command-Line Usage Guide for Oracle Unified Directory.
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password
dn: uid=Marcia Garza,ou=People,dc=example,dc=com
changetype: delete
(Press CTRL-D for Unix) (Press CTRL-Z for Windows), then press ENTER.
Processing DELETE request for uid=Marcia Garza,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=Marcia Garza,ou=People,dc=example,dc=com
The number of entries deleted was 1
$ ldapdelete -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  "uid=mgarza,ou=People,dc=example,dc=com"
Processing DELETE request for uid=mgarza,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=mgarza,ou=People,dc=example,dc=com
To delete several entries at once, list their DNs in a file and pass it to ldapdelete with the --filename option. In this example, the file is named delete.ldif. The file must list each DN on a separate line, for example:
uid=mgarza,ou=People,dc=example,dc=com
uid=wsmith,ou=People,dc=example,dc=com
uid=jarrow,ou=People,dc=example,dc=com
uid=mbean,ou=People,dc=example,dc=com
$ ldapdelete -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  --continueOnError --filename delete.ldif
Processing DELETE request for uid=mgarza,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=mgarza,ou=People,dc=example,dc=com
Processing DELETE request for uid=wsmith,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=wsmith,ou=People,dc=example,dc=com
Processing DELETE request for uid=jarrow,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=jarrow,ou=People,dc=example,dc=com
Processing DELETE request for uid=mbean,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=mbean,ou=People,dc=example,dc=com
Note - The --continueOnError option specifies that if an error occurs for one DN, the command continues with the next DN in the file instead of stopping.
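The moddn semantics described earlier (newrdn, deleteoldrdn, newsuperior) and the rule that child entries must be deleted before their parent, as an added Python example that is not part of the Oracle guide. It applies a moddn change to a plain dictionary model of an entry, refuses to rename an entry that still has children, and orders a list of DNs deepest-first for deletion. The DN handling assumes single-valued RDNs with backslash escaping only (quoted values and multi-valued RDNs are out of scope), and the sample entries are constructed from the guide's Marcia Garza and sgarza examples.

```python
from __future__ import annotations

# Added example: not code from the Oracle Unified Directory guide. It models
# what the guide describes for 'changetype: moddn' (newrdn, deleteoldrdn,
# newsuperior) and for deletions (children go before their parent) on a plain
# dict representation of an entry: {"dn": ..., "attrs": {name: [values]}}.
# Assumptions: single-valued RDNs and backslash escaping only (RFC 4514 quoted
# values and '+' multi-valued RDNs are not handled).


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN strings on unescaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def parse_rdn(rdn: str) -> tuple[str, str]:
    """'uid=Marcia Garza' -> ('uid', 'Marcia Garza'); attribute names are
    case-insensitive in LDAP, so they are lower-cased here."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"not an RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def norm_dn(dn: str) -> str:
    """Case-folded form used for comparisons."""
    return ",".join(f"{a}={v.lower()}" for a, v in map(parse_rdn, split_dn(dn)))


def parent_dn(dn: str) -> str:
    """Everything to the right of the leftmost RDN ('' for a top-level DN)."""
    return ",".join(split_dn(dn)[1:])


def has_children(dn: str, all_dns) -> bool:
    """True if any DN in all_dns sits directly below dn."""
    target = norm_dn(dn)
    return any(norm_dn(parent_dn(d)) == target
               for d in all_dns if parent_dn(d) and norm_dn(d) != target)


def apply_moddn(entry: dict, newrdn: str, deleteoldrdn: int,
                newsuperior: str | None = None, all_dns=()) -> dict:
    """Return the entry as it looks after a moddn change (the input entry is
    left untouched). deleteoldrdn=1 removes the old RDN value from the
    attribute, 0 keeps it; newsuperior places the entry under a new parent.
    Following the guide, an entry that has children cannot be renamed."""
    old_dn = entry["dn"]
    if has_children(old_dn, all_dns):
        raise ValueError(f"{old_dn} has children and cannot be renamed")
    attrs = {k.lower(): list(v) for k, v in entry["attrs"].items()}
    old_attr, old_val = parse_rdn(split_dn(old_dn)[0])
    new_attr, new_val = parse_rdn(newrdn)
    # The new RDN value must be present as an attribute value of the entry.
    if new_val.lower() not in (v.lower() for v in attrs.get(new_attr, [])):
        attrs.setdefault(new_attr, []).append(new_val)
    same_rdn = old_attr == new_attr and old_val.lower() == new_val.lower()
    if deleteoldrdn == 1 and not same_rdn:
        attrs[old_attr] = [v for v in attrs.get(old_attr, [])
                           if v.lower() != old_val.lower()]
        if not attrs[old_attr]:
            del attrs[old_attr]
    parent = parent_dn(old_dn) if newsuperior is None else newsuperior
    return {"dn": f"{newrdn},{parent}", "attrs": attrs}


def delete_order(dns) -> list[str]:
    """Order DNs deepest-first so every entry is deleted before its parent,
    as the guide requires when removing an entry together with its subtree."""
    return sorted(dns, key=lambda d: -len(split_dn(d)))


if __name__ == "__main__":
    # Constructed sample entry modelled on the guide's Marcia Garza example.
    marcia = {"dn": "uid=Marcia Garza,ou=People,dc=example,dc=com",
              "attrs": {"uid": ["mgarza", "Marcia Garza"], "sn": ["Garza"]}}
    print(apply_moddn(marcia, "uid=Marcia Peters", 1))
    print(apply_moddn(marcia, "uid=Marcia Peters", 0))
    print(delete_order(["ou=People,dc=example,dc=com",
                        "uid=mgarza,ou=People,dc=example,dc=com",
                        "dc=example,dc=com"]))
```

The deleteoldrdn difference is visible in the uid attribute: with 1 the old value Marcia Garza is gone after the rename, with 0 it stays next to the new value. Feeding delete_order's output to ldapdelete --filename gives a file in which no DN appears before one of its descendants.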