Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
This section describes how to index attributes using the dsconfig command-line tool. Indexes are configured per server and index configuration is not replicated.
You can use dsconfig to create local database indexes and Virtual List View (VLV) indexes. A local database index is used to find entries that match search criteria. A VLV index is used to process searches efficiently with VLV controls.
Unindexed searches are denied by default, unless the user has the unindexed-search privilege. For more information, see To Change a Root User's Privileges.
You can determine whether a search is indexed in two ways:
Try to perform the search anonymously. (The server rejects unindexed anonymous searches by default.)
Use the debugsearchindex operational attribute. This attribute provides the indexes used in the search, the number of candidate entries from each index, and the final indexed status. Include the debugsearchindex attribute in your ldapsearch command, as follows:
$ ldapsearch -h localhost -p 1389 -b "dc=example,dc=com" "(objectClass=*)" debugsearchindex
The Local DB back end supports the following index types:
approximate - Improves the efficiency of searches using approximate search filters.
equality - Improves the efficiency of searches using equality search filters.
ordering - Improves the efficiency of searches using "greater than or equal to" or "less than or equal to" search filters. In the future, this index type might also be used for server-side sorting.
presence - Improves the efficiency of searches using presence search filters.
substring - Improves the efficiency of searches using substring search filters.
The directory server supports indexing for only a subset of extensible matching operations, including indexes based on collation matching rules and the relative time and partial date and time matching rules. For more information, see Searching Internationalized Entries and Relative Time Matching Rules and Partial Date Or Time Matching Rules in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
When you create a new local DB back end with dsconfig, the following default indexes are created automatically:
aci (presence index)
ds-sync-hist (ordering index)
entryuuid (equality index)
objectclass (equality index)
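As an added example (not part of the Oracle guide), the following Python code maps each component of an LDAP search filter to the index type listed above and reports the components that have no matching index, which helps decide which indexes to create. PAGE_INDEXES, index_type_needed and uncovered_leaves are hypothetical names, and the employeeNumber entry assumes the state left by Examples 7-7 and 7-8. The check looks only at individual filter components and does not model how the server combines them or applies index-entry-limit, so debugsearchindex remains the authoritative answer.

```python
import re

# Indexes the page names: the four defaults created with a new local DB back
# end, plus employeeNumber as left by Examples 7-7 and 7-8 (names lowercased).
PAGE_INDEXES = {
    "aci": {"presence"},
    "ds-sync-hist": {"ordering"},
    "entryuuid": {"equality"},
    "objectclass": {"equality"},
    "employeenumber": {"equality", "substring"},
}

# One filter leaf: "(" attr [":rule:" for extensible match] op value ")".
# RFC 4515 requires literal parentheses in values to be escaped (\28, \29),
# so a leaf never contains "(" or ")" and nesting needs no special handling.
LEAF = re.compile(r"\(\s*([^()&|!=<>~:\s]+)(:[^()=]*)?(~=|>=|<=|=)([^()]*)\)")


def index_type_needed(ext, op, value):
    """Map one filter leaf to the index type the page associates with it."""
    if ext:
        return "extensible"      # only a subset is indexable; review by hand
    if op == "~=":
        return "approximate"
    if op in (">=", "<="):
        return "ordering"
    if value == "*":
        return "presence"
    return "substring" if "*" in value else "equality"


def uncovered_leaves(ldap_filter, indexes=PAGE_INDEXES):
    """Return (attribute, needed_type) for each leaf with no matching index."""
    text = ldap_filter.strip()
    if not text.startswith("("):
        text = "(" + text + ")"   # bare form such as sn=*
    leaves = LEAF.findall(text)
    if not leaves or text.count("(") != text.count(")"):
        raise ValueError("not a well-formed LDAP filter: %r" % ldap_filter)
    missing = []
    for attr, ext, op, value in leaves:
        name = attr.split(";")[0].lower()   # drop options such as ;lang-fr
        needed = index_type_needed(ext, op, value)
        if needed not in indexes.get(name, set()):
            missing.append((name, needed))
    return missing
```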
This procedure demonstrates the steps for creating a new local DB index.
Note - After you have created a new index, you must rebuild the indexes using the rebuild-index utility. The directory server cannot use the new index until the indexes have been rebuilt. For more information, see rebuild-index in Oracle Fusion Middleware Command-Line Usage Guide for Oracle Unified Directory.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  create-local-db-index \
  --backend-name backend --index-name attribute \
  --set index-type:index-type

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  list-local-db-indexes \
  --backend-name backend

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  set-local-db-index-prop \
  --backend-name backend --index-name attribute \
  --set property:value

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  get-local-db-index-prop \
  --backend-name backend --index-name attribute

$ stop-ds
$ rebuild-index --baseDN baseDN --index attribute
$ start-ds

$ rebuild-index -h localhost -p 4444 -D "cn=Directory manager" -w password -X \
  --baseDN dc=example,dc=com --index aci
Rebuild Index task 20110201162742312 scheduled to start immediately
...
Rebuild Index task 20110201162742312 has been successfully completed
Example 7-7 Creating a New Equality Index
This example creates a new equality index for the employeeNumber attribute, verifies the index properties, and sets the index entry limit to 5000.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  create-local-db-index \
  --backend-name userRoot --index-name employeeNumber \
  --set index-type:equality

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  list-local-db-indexes \
  --backend-name userRoot

Local DB Index : Type    : index-type
---------------:---------:-----------
...
employeeNumber : generic : equality
...

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  get-local-db-index-prop \
  --backend-name userRoot --index-name employeeNumber

Property                       : Value(s)
-------------------------------:---------------
attribute                      : employeenumber
index-entry-limit              : 4000
index-extensible-matching-rule : -
index-type                     : equality

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  set-local-db-index-prop \
  --backend-name userRoot --index-name employeeNumber --set index-entry-limit:5000

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  get-local-db-index-prop \
  --backend-name userRoot --index-name employeeNumber

Property                       : Value(s)
-------------------------------:---------------
attribute                      : employeenumber
index-entry-limit              : 5000
index-extensible-matching-rule : -
index-type                     : equality

$ rebuild-index -h localhost -p 4444 -D "cn=Directory manager" -w password -X \
  --baseDN dc=example,dc=com --index employeeNumber
Example 7-8 Adding a Substring Index
This example adds a substring index to the index created in the previous example.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  set-local-db-index-prop \
  --backend-name userRoot --index-name employeeNumber \
  --add index-type:substring

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  get-local-db-index-prop \
  --backend-name userRoot --index-name employeeNumber

Property                       : Value(s)
-------------------------------:---------------
attribute                      : employeenumber
index-entry-limit              : 5000
index-extensible-matching-rule : -
index-type                     : equality, substring

$ rebuild-index -h localhost -p 4444 -D "cn=Directory manager" -w password -X \
  --baseDN dc=example,dc=com --index employeeNumber
A VLV index applies to a particular search on a given base entry and its subtree. The sort order, scope of the index, base DN, and filter must be defined when you create the index.
Note - After you have created a new VLV index, you must rebuild the indexes using the rebuild-index command, prefixing the index name with vlv. (for example, vlv.name). The directory server cannot use the new index until the indexes have been rebuilt. For more information, see rebuild-index in Oracle Fusion Middleware Command-Line Usage Guide for Oracle Unified Directory.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  create-local-db-vlv-index \
  --backend-name backend --index-name name --set sort-order:attributes \
  --set scope:scope --set base-dn:baseDN --set filter:filter
where:
index-name specifies a unique index name, which cannot be altered after the VLV index is created.
sort-order specifies the names of the attributes by which the entries are sorted and their order of precedence, from highest to lowest.
scope specifies the LDAP scope of the query being indexed and can be one of base-object, single-level, subordinate-subtree, or whole-subtree.
base-dn specifies the base DN used in the search query being indexed.
filter specifies the LDAP filter used in the query being indexed and can be any valid LDAP filter.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  list-local-db-vlv-indexes \
  --backend-name backend

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  get-local-db-vlv-index-prop \
  --backend-name backend --index-name name

$ stop-ds
$ rebuild-index --baseDN baseDN --index vlv.name
$ start-ds

$ rebuild-index -h localhost -p 4444 -D "cn=Directory manager" -w password -X \
  --baseDN baseDN --index vlv.name
Example 7-9 Creating a New VLV Index
The following example creates a new VLV index to sort entries first by surname and then by common name for queries sn=*. The example then rebuilds the index online.
$ dsconfig -D "cn=directory manager" -w password -n create-local-db-vlv-index \
  --backend-name userRoot --index-name myVLVIndex --set sort-order:"sn cn" \
  --set scope:base-object --set base-dn:dc=example,dc=com --set filter:sn=*

$ rebuild-index -h localhost -p 4444 -D "cn=Directory manager" -w password -X \
  -b "dc=example,dc=com" --index vlv.myVLVIndex