This chapter describes the following command-line tools used to administer Oracle Directory Integration Platform:
oidprovtool (Provisioning Registration Tool)
Notes:
Best security practice is to provide a password only in response to a prompt from the command.
You must set the environment variables WLS_HOME
and ORACLE_HOME
before executing any of the Oracle Directory Integration Platform commands.
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute the Oracle Directory Integration Platform commands in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
The Manage DIP Server Configuration utility, manageDIPServerConfig
, allows you to manage the Oracle Directory Integration Platform server configuration.
manageDIPServerConfig {get | set} -h HOST -p PORT -D wlsuser -attribute {sslmode | refreshinterval | quartzthreadcount | quartzdbretryinterval | oidhostport | keystorelocation} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-value ATTRIBUTE_VALUE] [-help]
Operation to perform.
get: Displays the current value of the config parameter in DIP configuration file
set: Updates the value of the config parameter in DIP configuration file.
Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
WebLogic Server login ID.
Note:
You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute manageDIPServerConfig
from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.
Identifies the attribute that manageDIPServerConfig
performs the operation on. The following is a list and description of the attributes manageDIPServerConfig
can perform operations on:
sslmode
: The SSL mode Oracle Directory Integration Platform uses to connect to Oracle Internet Directory. Supported values are 1 and 2. Use 1 to connect to Oracle Internet Directory using SSL Mode 1 (No Authentication). Use 2 to connect to Oracle Internet Directory using SSl Mode 2 (Server Only Authentication).
refreshinterval
: The time interval (amount of time in seconds) that controls how often the Oracle Directory Integration Platform server refreshes profile configuration details.
quartzthreadcount
: Controls how many profiles can be scheduled in parallel. The default value is 15. If you have more than 15 profiles, increase the quartzthreadcount
attribute accordingly.
quartzdbretryinterval
: Controls how often Oracle Directory Integration Platform's Quartz scheduler attempts to reconnect to the Oracle Internet Directory database.
oidhostport
: Identifies the host and port of the Oracle Internet Directory associated with Oracle Directory Integration Platform. Specify values for the oidhostport attribute in the form of host:port
.
keystorelocation
: Specifies the absolute path to the Java Keystore (JKS) based on the host where Oracle Directory Integration Platform is deployed. When you specify the value for the keystorelocation
attribute, be sure you use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
The full path to the keystore.
The type of the keystore identified by -keystorePath
. For example: -keystorePath jks
or -keystorePath PKCS12
The value to set for the attribute This parameter is required with the set operation.
Provides usage help for the command.
The Manage Synchronization Profiles utility, manageSyncProfiles
, allows you to manage synchronization profiles.
manageSyncProfiles {activate | deactivate | copy | deregister | get | isexists | update | testProfile | validateProfile | validateMapRules | register | updatechgnum | associateProfile | dissociateProfile | getAllAssociatedProfiles | getAssociatedProfile | list } -h HOST -p PORT -D wlsuser [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-profile] [-newProfile] [-associateProfile][-file] [-params 'prop1 val1 prop2 val2 ...'] [-conDirHost] [-conDirPort] [-conDirBindDn] [-mode] [-conDirType] [-conDirSSL] [-profileStatus] [-help]
Changes a profile state to ENABLE
Changes a profile state to DISABLE
Copies an existing profile profile to profile newProfile
Deletes an existing profile from OID.
Gets the profile details from OID.
Checks if the profile profile exists in OID.
Modifies an existing profile profile in OID.
Changes the state of a disabled profile profile to TEST and schedules the profile for testing to ensure the profile successfully performs synchronization. After executing the manageSyncProfiles command with the testProfile operation, the results of the test are available in the following log file, where DOMAIN_HOME represents the Oracle WebLogic Server Domain home and ORACLE_WEBLOGIC_MANAGED_SERVER_NAME represents the name of the managed server where Oracle Directory Integration Platform is deployed:
DOMAIN_HOME/servers/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME/logs/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME.log
Note:
The testProfile operation cannot schedule profiles that are in ENABLE state for testing.
Validates the syntax of the values in the specified profile for correctness.
Validates the map rules provided.
Creates a new profile in OID.
Updates the last applied change number in the profile to latest.
Associates associateProfileName with profileName to prevent information back flow.
Dissociates an associated profile to profileName
Lists all the profiles to which profile profileName is associated.
Displays the profile name associated with profile profileName.
Displays all profiles registered in OID.
Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
Oracle WebLogic Server login ID
Note:
You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute a command from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles
, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
The full path to the keystore.
The type of the keystore identified by -keystorePath
. For example: -keystorePath jks
or -keystorePath PKCS12
The name of the synchronization profile to use when performing the operation.
The name of the new profile which will be a copy of profile.
The name of the profile that will be associated with profile
The full path and file name of the profile properties file containing the properties. See the "Example Properties File for Synchronization Profiles" appendix in Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform for an example of such a file.
A value is of the form prop1 val1 prop2 val2 ...
where prop
is the name of a profile property and val
is the new value for that property. This keyword is used only for modification of a profile. You can specify as many key values as required
Host where connected directory server is running.
Port at which connected directory server listens.
Connected directory server bind DN.
Examples:
Active Directory
administrator@idm2003.net
Sun ONE or iPlanet
cn=Directory Manager
Oracle Internet Directory
cn=orcladmin
Note:
You are prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute manageSyncProfiles
from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles
, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.
Synchronization mode map rules to be used: import
or export
Connected directory type. Supported values are ActiveDirectory
, EDirectory
, iPlanet
, OpenLDAP
, ADAM
, Tivoli
, ExchangeServer2003
, and OID
.
SSL mode value used to connect connected directory server
Displays status for the profile. Used only with the list
operation.
Provides command usage help.
manageSyncProfiles register -h myhost.mycompany.com -p 7005 -D weblogic \ -f /opt/ldap/odip/iPlImport.profile
manageSyncProfiles deregister -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile
manageSyncProfiles updatechgnum -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile
manageSyncProfiles activate -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile
manageSyncProfiles deactivate -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile
manageSyncProfiles get -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile
manageSyncProfiles testProfile -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile
manageSyncProfiles associateprofile -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile -assopf myProfile1
manageSyncProfiles dissociateprofile -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile
manageSyncProfiles getAllAssociatedProfiles -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile
manageSyncProfiles getAssociatedProfile -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile
manageSyncProfiles update -h myhost.mycompany.com -p 7005 \ -D weblogic -pf myProfile -f /opt/ldap/odip/iPlImport.profile
manageSyncProfiles validateMapRules -h myhost.mycompany.com -p 7005 \ -D weblogic -f /opt/ldap/odip/iPlImport.map -conDirHost server.example.com \ -conDirPort 8000 -conDirBindDn administrator@idm2003.net -mode IMPORT \ -conDirType IPLANET
manageSyncProfiles isexists -h myhost.mycompany.com -p 7005 -D weblogic \ -pf myProfile
manageSyncProfiles copy -h myhost.mycompany.com -p 7005 -D weblogic \ -pf myProfile -newpf yourProfile
manageSyncProfiles list -h myhost.mycompany.com -p 7005 -D weblogic -profileStatus
The Synchronization Profile Bootstrap utility, syncProfileBootstrap
, performs the initial migration of data between a connected directory and Oracle Internet Directory for a synchronization profile.
syncProfileBootstrap -h HOST -p PORT -D wlsuser {-file FILENAME |-profile -PROFILE_NAME} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-loadParallelism INTEGER] [-loadRetry INTEGER][-help]
Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
Oracle WebLogic Server login ID
Note:
You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute syncProfileBootstrap
from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.
Bootstrap properties file.
The name of the synchronization profile to use when performing the operation.
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
The full path to the keystore.
The type of the keystore identified by -keystorePath
. For example: -keystorePath jks
or -keystorePath PKCS12
Indicator that loading to Oracle Internet Directory is to take place in parallel by using multiple threads. For example, -loadparallelism 5 means that 5 threads are to be created, each of which tries to load the entries in parallel to Oracle Internet Directory.
The number of times the retry should be made (when the load to the destination fails) before marking the entry as bad entry.
Provides command usage help.
The Express Synchronization Setup utility, expressSyncSetup
, creates import and export synchronizations profiles.
expressSyncSetup -h HOST -p PORT -D wlsuser -pf PROFILE -conDirType CONNECTED_DIRECTORY_TYPE -conDirURL CONNECTED_DIRECTORY_URL -conDirBindDN CONNECTED_DIRECTORY_BIND_DN -conDircontainer SYNC_CONTAINER [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-enableProfiles {true | false}] [-help]
Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
Oracle WebLogic Server login ID
Note:
You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute expressSyncSetup
from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to expressSyncSetup
, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.
Profile name.
Connected directory type. Supported values are ActiveDirectory
, EDirectory
, iPlanet
, OpenLDAP
, ADAM
, Tivoli
, ExchangeServer2003
, and OID
.
URL where the connected directory is running. The format is host:port.
Connected directory server bind DN. For example:
administrator@idm2003.net
cn=orcladmin
, cn=Directory Manager
Note:
You are prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute expressSyncSetup
from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to expressSyncSetup
, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.
The synchronization container. For example:
ou=sales,dc=us,dc=com
OU=Groups,DC=imtest,DC=com
CN=Users,DC=imtest,DC=com
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
The full path to the keystore.
The type of the keystore identified by -keystorePath
. For example: -keystorePath jks
or -keystorePath PKCS12
Specify true
to enable created profiles, false
if not.
Provides command usage help.
expressSyncSetup -h myhost.mycompany.com -p 7005 -D weblogic -pf myProfile \ -conDirType ACTIVEDIRECTORY -conDirUrl server.mycompany.com:5432 \ -conDirBindDN administrator@idm2003.net -conDirContainer ou=sales,dc=us,dc=com \ -enableProfiles false \
expressSyncSetup -help
The Provisioning Profile Bulk utility, provProfileBulkProv
, performs initial migration of data from an LDIF file to Oracle Internet Directory for a provisioning profile.
provProfileBulkProv -h HOST -p PORT -D wlsuser -file LDIF_FILE -realm REALM_DN [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-encoding INPUT_ENCODING] [-help]
Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
Oracle WebLogic Server login ID
Note:
You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute provProfileBulkProv
from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.
LDIF file containing the data to be migrated.
The realm in which the users are to be provisioned.
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
The full path to the keystore.
The type of the keystore identified by -keystorePath
. For example: -keystorePath jks
or -keystorePath PKCS12
Input file encoding.
Provides command usage help.
Provisioning enables you to ensure that an application is notified of directory changes, such as changes to user or group information. Such changes can affect whether the application allows a user access to its processes and resources.
When you install an application that you want to provision, you must create a provisioning integration profile by using the Provisioning Registration Tool (oidprovtool
).
You can use the Provisioning Registration Tool to:
Create a new provisioning profile. A new provisioning profile is created and set to the enabled state so that Oracle Directory Integration Platform can process it.
Disable an existing provisioning profile.
Enable a disabled provisioning profile.
Modify an existing provisioning profile.
Delete an existing provisioning profile.
Get the current status of a given provisioning profile.
Clear all of the errors in an existing provisioning profile.
The Provisioning Registration Tool shields the location and schema details of the provisioning profile entries from the callers of the tool. From the callers' perspective, the combination of an application and a realm uniquely identify a provisioning profile. The constraint in the system is that there can be only one provisioning profile for each application for each realm.
Once a profile is created, its mode—that is, INBOUND, OUTBOUND, or BOTH—cannot be changed by using the modify
operation. To change the mode, you must delete, then re-create, the profile.
The Oracle directory integration platform server automatically monitors provisioning profile configuration changes in Oracle Internet Directory, including the creation, modification, and deletion of provisioning profiles. For this reason, you do not need to manually enable or disable a provisioning profile.
Note:
For improved security, do not supply a password on the command line. The oidprovtool
command prompts you for a password if you do not supply one on the command line.
oidprovtool operation=[create|modify] ldap_host=oid_hostname ldap_port=port ldap_user_dn="bindDN" ldap_user_password=password [profile_mode=INBOUND|OUTBOUND|BOTH] application_dn="DN" application_type=type [application_name=name] [application_display_name=display name] organization_dn=DN [application_isdasvisible=TRUE|FALSE] [manage_application_defaults=TRUE|FALSE] [enable_bootstrap=TRUE|FALSE] [user_data_location=DN] [default_provisioning_policy=PROVISIONING_REQUIRED|PROVISIONING_NOT_REQUIRED] interface_name=SCHEMA.PACKAGE [interface_type=PLSQL|JAVA] interface_version=1.1|2.0|3.0] interface_connect_info=connection_string schedule=number_seconds lastchangenumber=number max_prov_failure_limit=number max_events_per_schedule=number max_events_per_invocation=number event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN" event_permitted_operations="OBJECT:DOMAIN:OPERATION(attributes,...)" event_subscription="USER|GROUP:DOMAIN:OPERATION(attributes,...)" max_events_per_schedule=number max_retries=number profile_group=number profile_status=ENABLED | DISABLED profile_debug=debug_level oidprovtool {operation=enable|disable|delete|status|reset} application_dn=DN [organization_dn=DN] [ldap_host=oid_hostname] [ldap_port=port] [ldap_user_dn=bindDN] [ldap_user_password=password] [profile_debug=debug_level]
operation=create | modify | enable | disable | delete | status | reset
Required. The operation to perform using oidprovtool
. You can only perform one operation at a time. The operations are:
create—Creates a new provisioning profile.
modify—Modifies the given properties of an existing provisioning profile.
enable—Enables a provisioning profile.
disable—Disables a provisioning profile.
delete—Deletes a provisioning profile.
status—Shows the current status of a given provisioning profile.
reset—Clears all errors for a provisioning profile.
Optional. The host name of the Oracle Internet Directory server. If not provided then the name of the local host is used.
Optional. The LDAP listening port of Oracle Internet Directory. The default is 3060.
Required. The DN of the superuser or a user that has sufficient permissions to perform provisioning subscription operations. The default is cn=orcladmin
.
Optional.The user password used to bind to the directory. If you do not specify the password on the command line, you are prompted for it. Best security practice is to provide the password in response to a prompt.
profile_mode=OUTBOUND | INBOUND | BOTH
Optional for the create
operation only. The direction of the provisioning events. The default is OUTBOUND (data is provisioned from Oracle Internet Directory to the application).
Required. The distinguished name of the application to which the provisioning subscription belongs. The combination of the application DN and organization DN uniquely identifies a provisioning profile. For example, here is the application DN for Portal:
"orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext"
Required. The type of application being provisioned.
Optional. The name of the application being provisioned. If not provided, defaults to the distinguished name assigned to application_dn
.
Optional. The display name of the application being provisioned. If not provided, defaults to the value assigned to application_name
.
Optional. If not provided, defaults to the default identity management realm. The distinguished name of the organization to which the provisioning subscription belongs, for example "dc=company,dc=com
". The combination of the application DN and organization DN uniquely identifies a provisioning profile.
application_isdasvisible=TRUE | FALSE
Optional. Determines whether the application is visible as a provisioning-integrated application in the Oracle Internet Directory Provisioning Console. The default value is TRUE.
manage_application_default=TRUE | FALSE
Optional. Determines whether the Oracle Internet Directory Provisioning Console manages the application's default values. The default value is TRUE.
Optional. Indicates whether the application should receive provisioning events for users that existed in Oracle Internet Directory before creating the application's provisioning integration profile. The default value is FALSE.
Optional. Identifies the DN of the container in which to store application-specific user information.
default_provisioning_policy=PROVISIONING_REQUIRED | PROVISIONING_NOT_REQUIRED
Optional. Specifies the application's default provisioning policy. The default value is PROVISIONING_REQUIRED.
Required for create
or modify
operations. The database schema name for the PLSQL package. The format of the value is schema.package_name
, for example here is the schema and PLSQL package information for Portal:
interface_name=PORTAL.WWSEC_OID_SYNC
interface_version=1.1 | 2.0 | 3.0
The version of the interface protocol. Allowed values are 1.1, 2.0, or 3.0. The default value is 2.0.
Optional. The type of interface to which events will be propagated. The default is PLSQL.
interface_connect_info=connection_string
Required for create
or modify
operations. To connect to an Oracle database and propagate events, use one of the following formats for the connection string:
DBURL=ldap://ldaphost:ldapport/service:username:password (recommended)
host:port:sid:username:password
DBSVC=service:username:password
Optional for create
and modify
operations only. The number of seconds between executions of this profile. The default is 3600, which means the profile is scheduled to be executed every hour.
Optional for create
and modify
operations on OUTBOUND
events only. The last change number in Oracle Internet Directory after which all qualifying events should be provisioned to the application. Defaults to the latest current change number.
Optional. Determines the number of times the Oracle Provisioning System attempts to provision a user. The default is 1.
max_events_per_schedule=number
Optional for create
and modify
operations only. The maximum number of events that the Oracle directory integration platform server sends to an application during one execution of a provisioning profile. The default is 100.
max_events_per_invocation=number
Optional for create
and modify
operations only. The maximum number of events that can be packaged and sent to a target in one invocation of the interface.
event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN"
Required for create
and modify
operations on INBOUND
events only. This rule maps the object type received from the application (using an optional filter condition) to a domain in Oracle Internet Directory A provisioning profile can have multiple mapping rules defined.
The following example shows two mapping rules. The first rule shows that an employee object (EMP
) whose locality attribute equals America (l=AMERICA
) should be mapped to the domain l=AMER,cn=users,dc=company,dc=com
. The second rule shows that an employee object (EMP
) should be mapped to the domain cn=users,dc=company,dc=com
(no filter conditions).
event_mapping_rules="EMP:l=AMERICA:l=AMER,cn=users,dc=company,dc=com" event_mapping_rules="EMP::cn=users,dc=company,dc=com"
event_permitted_operations="OBJECT:DOMAIN:OPERATION(attributes,...)
Required for create
and modify
operations on INBOUND
events only. This property is used to define the types of events that the application is allowed to send to the Oracle Directory Integration Platform service. A provisioning profile can have multiple permitted operations defined.
For example, if you wanted to permit the application to send events whenever a user object was added or deleted, or when certain attributes were modified, you would have three permitted operations such as this:
event_permitted_operations="USER:dc=mycompany,dc=com:ADD(*)" event_permitted_operations="USER:dc=mycompany,dc=com:MODIFY(cn,sn,mail,password)" event_permitted_operations="USER:dc=mycompany,dc=com:DELETE(*)"
event_subscription="USER | GROUP:DOMAIN:OPERATION(attributes,...)"
Required for create
and modify
operations on OUTBOUND
events only. This property is used to define the types of events that the Oracle Directory Integration Platform service should send to the application. A provisioning profile can have multiple event subscriptions defined.
For example, if you wanted the directory integration server to send events to the application whenever a user or group object was added or deleted, you would have four event subscriptions such as this:
event_subscription="GROUP:dc=mycompany,dc=com:ADD(*)" event_subscription="GROUP:dc=mycompany,dc=com:DELETE(*)" event_subscription="USER:dc=mycompany,dc=com:ADD(*)" event_subscription="USER:dc=mycompany,dc=com:DELETE(*)"
max_events_per_schedule=number
Optional for create
and modify
operations only. The maximum number of events to be provisioned in one schedule. The default is 100.
Optional for create
and modify
operations only. The number of times a failed event should be retried. The default is 5.
Required for create
and modify
operations only. The group number of the profile. Default is "DEFAULT". This is required to address scalability issues when different Oracle Directory Integration Platform server instances will be used to execute different selected groups.
profile_status=ENABLED | DISABLED
Required for the create operation only. Determines whether the profile is enabled or disabled. The default is ENABLED.
Required. The debug level for the profile.
Using the Provisioning Registration Tool (oidprovtool
) you can perform the following tasks:
The following example creates a new provisioning profile that makes Portal aware of updates to the user and group information that is maintained in Oracle Internet Directory.
oidprovtool operation=create ldap_host=myhost.mycompany.com ldap_port=3060 \ ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \ organization_dn="dc=us,dc=mycompany,dc=com" interface_name=PORTAL.WWSEC_OID_SYNC \ interface_type=PLSQL interface_connect_info=myhost:1521:iasdb:PORTAL:password \ schedule=360 event_subscription="USER:dc=us,dc=mycompany,dc=com:DELETE" \ event_subscription="GROUP:dc=us,dc=mycompany,dc=com:DELETE" \ event_subscription="USER:dc=us,dc=mycompany,dc=com:MODIFY(orclDefaultProfileGroup,userpassword)" \ event_subscription="GROUP:dc=us,dc=mycompany,dc=com:MODIFY(uniqueMember)" \ profile_mode=OUTBOUND
The following example modifies an existing provisioning profile for the Portal application. It changes the event subscription for the attributes that are provisioned when a user entry is modified.
oidprovtool operation=modify ldap_host=myhost.mycompany.com ldap_port=3060 \ ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \ organization_dn="dc=us,dc=mycompany,dc=com" \ subscription="USER:dc=us,dc=mycompany,dc=com:MODIFY(orclDefaultProfileGroup,userpassword,mail,cn,sn)"
The following example disables a provisioning profile for the Portal application.
oidprovtool operation=delete ldap_host=myhost.mycompany.com ldap_port=3060 \ ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \ organization_dn="dc=us,dc=mycompany,dc=com"
The following example disables a provisioning profile for the Portal application.
oidprovtool operation=disable ldap_host=myhost.mycompany.com ldap_port=3060 \ ldap_user_dn="cn=orcladmin" application_dn="orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext" \ organization_dn="dc=us,dc=mycompany,dc=com"
The dipStatus
utility allows you to check the status of Oracle Directory Integration Platform and whether it is registered.
dipStatus -h HOST -p PORT -D wlsuser [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-help]
Host name of the WebLogic server running the Managed Server where Oracle Directory Integration Platform is deployed.
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
WebLogic Server login ID.
Note:
You are prompted for the WebLogic server login password. You cannot provide the password as a command-line argument.
Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus
from a script, you can redirect input from a file containing the WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
The full path to the keystore.
The type of the keystore identified by -keystorePath
. For example: -keystorePath jks
or -keystorePath PKCS12
Provides usage help for the command.
The schemasync
utility enables you to synchronize schema elements—namely attributes and object classes—between an Oracle Internet Directory server and a third-party LDAP directory.
The errors that occur during schema synchronization are logged in the following files:
ORACLE_HOME
/ldap/odi/log/attributetypes.log
ORACLE_HOME
/ldap/odi/log/objectclasses.log
schemasync -srchost hostname -srcport port -srcdn bindDN -srcpwd password -dsthost hostname -dstport port -dstdn bindDN -dstpwd password [-ldap]
Required. The host name of the source directory server.
Required. The LDAP listening port of the source directory server, for example 3060.
Required. The DN of the user used to bind to the source directory. This user must have permissions to modify the directory schema, for example the superuser (cn=orcladmin
).
Optional. The user password used to bind to the source directory. If you do not specify the password on the command line, you are prompted for it. Best security practice is to provide the password in response to a prompt.
Required. The host name of the destination directory server.
Required. The LDAP listening port of the destination directory server, for example 3060.
Optional. The DN of the user used to bind to the destination directory. This user must have permissions to modify the directory schema, for example the superuser.
Required. The user password used to bind to the destination directory. If you do not specify the password on the command line, you are prompted for it. Best security practice is to provide the password in response to a prompt.
Optional. If specified, then the schema changes are applied directly from the source LDAP directory to the destination LDAP directory. If it is not specified, then the schema changes are placed in the following LDIF files:
ORACLE_HOME/ldap/odi/data/attributetypes.ldif: This file has the new attribute definitions.
ORACLE_HOME/ldap/odi/data/objectclasses.ldif: This file has the new object class definitions.
If you do not specify -ldap
, then you must use "ldapmodify" to upload the definitions from these two files, first attribute types and then object classes.
Using the schemasync
command-line tool, you can perform the following tasks:
The following example shows how to synchronize the schema between Oracle Internet Directory and a third-party directory server.
schemasync -srchost myhost1.mycompany.com -srcport 3060 -srcdn "cn=orcladmin" \ -dsthost myhost2.mycompany.com -dstport 3060 \ -dstdn "uid=superuser,ou=people,dc=mycompany,dc=com" -ldap