12 Synchronizing with Tables in Oracle Database
Know more about the DBReader
configuration and dbexport
configuration files to synchronize data stored in Oracle Database tables with the Oracle back-end directory and an Oracle back-end directory with an Oracle Database.
Note:
Note:
-
Multi-valued attribute synchronization from the database to the Oracle back-end directory is not supported.
The Oracle Directory Integration Platform application does not support database delete operations. You can, however, create an outside trigger that will directly delete entries in the Oracle back-end directory whenever a row is deleted in the database. Information about how to create such a trigger is outside of the scope of this documentation.
You can use either the Oracle Enterprise Manager user interface or the WLST command-line utility to configure Oracle Database import and export profiles.
See Managing Synchronization Profiles Using Fusion Middleware Control, for help creating and managing profiles using the user interface Managing Synchronization Profiles Using manageSyncProfiles, for help creating and managing profiles using the WLST
manageSyncProfiles
command utility.
Topics:
Note:
Before reading this chapter, be sure to familiarize yourself with the introductory chapters about Oracle Directory Integration Platform—specifically:
12.1 Overview of the Additional Configuration Information File
Using DBReader
configuration files, you can modify from the command line to synchronize data stored in Oracle Database tables with the Oracle back-end directory.
The synchronization can be either incremental—for example, one database table row at a time—or all the database tables at once.
Modify the dbexport
configuration files, if you want to create from the command line an export profile that will synchronize an Oracle back-end directory with an Oracle Database.
12.1.1 Preparing the Additional Configuration Information File
To create an import profile that synchronizes data from Oracle Database into the Oracle back-end directory, open the sample file DBReader.cfg.master
in the $ORACLE_HOME/ldap/odi/conf
directory, and edit it to your specifications.
To create an export profile that synchronizes data from the Oracle back-end directory into the Oracle Database, open the sample file dbexport.cfg.master
in the $ORACLE_HOME/ldap/odi/conf
directory, and edit it to your specifications.
12.1.2 Understanding the Format of the Additional Configuration Information File
It is very important to follow the correct format of this file. The various sections are divided using TAG names. Every TAG section has a list of parameters and their respective values. The general layout is as follows:
[TAG] PARAMETER1: value PARAMETER2: value [TAG] PARAMETER1: value PARAMETER2: value\ VALUE continuation\ value continuation\ end of value continuation [TAG] PARAMETER1: value PARAMETER2: value\ end of value continuation
12.1.3 Understanding the DBReader.cfg.master Configuration File
During synchronization from Oracle database to the Oracle back-end directory, the DBReader.cfg.master
file governs the retrieval of data from the database. It provides the Oracle Directory Integration Platform with the following information:
-
The
SELECT
statement to execute -
Either the attributes or the database columns to be used in incremental synchronization. Generally, this is either an attribute that contains a timestamp or a change sequence number that the next SQL statement should use to retrieve incremental data.
The DBReader.cfg.master
file looks like this:
[DBQUERY] SELECT: SELECT\ EMPNO EmpNum,\ ENAME,\ REPLACE(EMAIL,'@example.com','') UID,\ EMAIL,\ TELEPHONE,\ TO_CHAR(LAST_UPDATE_DATE,'YYYYMMDDHH24MISS') Modified_Date\ FROM\ EMPLOYEE\ WHERE\ LAST_UPDATE_DATE>TO_DATE, (:Modified_Date,'YYYYMMDDHH24MISS')\ ORDER BY\ LAST_UPDATE_DATE [SYNC-PARAMS] CHANGEKEYATTRS: Modified_Date
Note that the entire SELECT
statement is put as a value in the SELECT
parameter in the section represented by the tag DBQUERY
. Because it is a lengthy value, the value continuation character is put as the last character in every line until the SELECT
statement ends.
Also note the WHERE
condition that is present in the SELECT
statement. The WHERE condition picks up changes based on the Modified_Date
. To copy modified user records to the Oracle back-end directory, update the WHERE clause to pick up the records. In this example, the Modified_Date
is the key for incremental synchronization. Because it is a date, it must be presented in string format.
The CHANGEKEYATTRS
parameter value is the name of the columns to be used while performing incremental synchronization. The values of these columns are always stored in the orclodipcondirlastappliedchgnum
attribute of the profile. Every time the SELECT
statement is executed, the current values of this attribute are put into the SQL statement accordingly. This ensures that the data is always retrieved incrementally.
If there are multiple column names in the CHANGEKEYATTRS
—for example, column1:column2
—then the value in the orclodipcondirlastappliedchgnum
attribute of the profile is stored as value1~value2
and so on, with value1
corresponding to column1
and value2
to column2
.
Column names are retrieved into Oracle Directory Integration Platform as attribute
value pairs and subsequently mapped into LDAP attribute values according to set mapping
rules. For this reason, all columns names retrieved in the SELECT
statement must be simple names rather than expressions. For example, you can have the
expression REPLACE(EMAIL,'@example.com','')
, but it retrieves the
expression value as UID
.
When the profile is created, the orclodipcondirlastappliedchgnum
attribute must be set to some value. All changes after this date—that is, rows in the table with LAST_UPDATE_DATE
greater than this value—are retrieved. For example, if the orclodipcondirlastappliedchgnum
attribute is set to 20000101000000
, then all employee changes since January 1, 2000 are retrieved.
Because of the ORDER BY
clause, all the database rows returned are in the order of LAST_UPDATE_DATE
—that is, the changes retrieved and applied to the directory are in chronological order. Once the last change is retrieved and applied:
-
The
orclodipcondirlastappliedchgnum
attribute value is set to theModified_Date
from the last row retrieved. -
The profile is updated.
Whenever the Oracle Directory Integration Platform executes the profile again, it uses the previously stored value.
12.1.4 Understanding the dbexport.cfg.master Configuration File
The dbexport.cfg.master
file describes the structure of the Oracle database. It provides the Oracle Directory Integration Platform with the following information:
-
Primary Table. The database table that all of the other tables in the profile are connected to. Every
dbexport.cfg.master
file should have one primary table. -
Primary Keys. Specifies the primary key(s) for the table(s) to which you are syncing. Primary keys should be defined for all table names that are involved in this configuration.
If a primary key consists of multiple columns, list each column name separated by a comma. For example:
id,name,dob
. -
Table Relations. Defines the relationships between the primary table and all of the other tables involved in the profile by specifying the connecting attribute(s). In the sample file,
id
is the connecting attribute.If needed, use a comma separated list to specify multiple attributes, for example:
id,name
.
The dbexport.cfg.master
file looks like this:
[INTERFACEDETAILS] Writer: oracle.ldap.odip.gsi.DatabaseWriter CheckAllEntries: null SkipErrorToSyncNextChange: false UpdateSearchCount: 100 SearchDeltaSize: 500 [SYNC-PARAMS] PRIMARY_TABLE: table1 [PRIMARY-KEYS] table1:id table2:id [TABLE-RELATIONS] table1^table2:id
Note:
The SkipErrorToSyncNextChange
parameter determines how the Oracle
directory integration and provisioning server handles an error when processing a
change during synchronization. By default, the
SkipErrorToSyncNextChange
parameter is assigned a value of
false, which means that the Oracle directory integration and provisioning server
will continue processing a change until the error is resolved. If you assign a value
of true to the SkipErrorToSyncNextChange
parameter, the Oracle
directory integration and provisioning server will skip any changes that cause an
error.
12.2 Updating the Configuration File
You must configure the DBReader.map.master
and dbexport.map.master
configuration files.
Topics:
12.2.1 The DBReader.map.master Configuration File
You can update the DBReader.map.master configuration file to configure mapping rules.
In a directory synchronization environment, a typical set of entries from one domain can be moved to another domain. Similarly, a set of attributes can be mapped to another set of attributes.
Mapping rules govern the conversion of attributes between a connected directory and the Oracle back-end directory. Each connector stores a set of these rules in the orclodipAttributeMappingRules attribute of its synchronization profile. The Oracle Directory Integration Platform uses these rules to map attributes as needed when exporting from the directory and interpreting data imported from a connected directory or file. When the Oracle Directory Integration Platform imports changes into the Oracle back-end directory, it converts the connected directory's change record into an LDAP change record following the mapping rules. Similarly, during export, the connector translates the Oracle back-end directory changes to the format understood by the connected directory.
12.2.2 The dbexport.map.master Configuration File
You can configure the dbexport.map.master
configuration File to configure mapping rules.
In a directory synchronization environment, a typical set of entries from one domain can be moved to another domain. Similarly, a set of attributes can be mapped to another set of attributes.
Mapping rules govern the conversion of attributes between a connected directory and the Oracle back-end directory. Each connector stores a set of these rules in the orclodipAttributeMappingRules
attribute of its synchronization profile. The Oracle Directory Integration Platform uses these rules to map attributes as needed when exporting from the directory and interpreting data imported from a connected directory or file. When the Oracle Directory Integration Platform imports changes into the Oracle back-end directory, it converts the connected directory's change record into an LDAP change record following the mapping rules. Similarly, during export, the connector translates the Oracle back-end directory changes to the format understood by the connected directory.
Open the sample file dbexport.map.master
in the $ORACLE_HOME/ldap/odi/conf
directory, and edit it to your specifications.
The mapping rule format for the dbexport.map.master
configuration file specifies a destination table name and a destination column name instead of a destination objectclass and destination attribute.
For example, here is a sample map rule:
uid:1::inetorgperson:id::table2:
In this example, uid
is the source attribute and inetorgperson
is the source objectclass. Next, id
is the destination column and table2
is the destination table name. You must include in the map file whichever column is designated as the primary key, and you must also specify that it is a required attribute. In the example mapping rule, the :1
following the uid
source attribute indicates that uid
is a required attribute.
12.3 Preparing the Directory Integration Profile
You can create a directory integration profile by using the Oracle Enterprise Manager Fusion Middleware Control user interface.
See Managing Synchronization Profiles Using Fusion Middleware Control.
When you use Oracle Enterprise Manager Fusion Middleware Control, you must upload the additional configuration information file and the mapping file by using the update
operation of the manageSyncProfiles
command. For help using the manageSyncProfiles
command, see Managing Synchronization Profiles Using manageSyncProfiles.
To configure the directory integration profile, follow the general instructions in "Registering Connectors in Oracle Directory Integration Platform", but with these specific instructions in mind:
-
Do not set a value for the agent execution command (
orclodipAgentExeCommand
) attribute. -
Set the interface type (
orclodipDataInterfaceType
) attribute toDB
.
12.4 Example: Synchronizing a Relational Database Table to the Back-end Directory
This section demonstrates how to synchronize a relational database table with the Oracle back-end directory.
Note:
Directory Integration Platform database profiles do not support delete operations. You can, however, create a separate trigger outside of DIP that will directly delete entries in the Oracle back-end directory whenever a row is deleted in the database. Information about how to create such a trigger is outside of the scope of this documentation.
This section contains these topics:
12.4.1 About the Example Scenario
This example shows how the following relational database table containing employee data is synchronized with the Oracle back-end directory.
EMPNO | ENAME | LAST_UPDATE_DATE | TELEPHONE | |
---|---|---|---|---|
98357 |
JOHN DOE |
2-JAN-2000 |
JOHN.DOE@EXAMPLE.COM |
435-324-3455 |
98360 |
ROGER BECK |
3-JUL-2001 |
ROGER.BECK@EXAMPLE.COM |
435-324-3600 |
98365 |
JIMMY WONG |
4-MAR-2001 |
JIMMY.WONG@EXAMPLE.COM |
435-324-2390 |
98370 |
GEORGE TWINSLEY |
6-FEB-2002 |
GEORGE.TWINSLEY@EXAMPLE.COM |
435-324-9232 |
You can find a sample profile (DBReader.properties
), configuration, and mapping files for this example in the $ORACLE_HOME/ldap/odi/conf
directory.
In this example:
-
The name of the table is
Employee
. -
The Profile Name is
TESTDBIMPORT
. -
The employee number (
EMPNO
) is used to join a database record with a directory entry. It is specified in the OID Matching Filter (orclOdipOIDMatchingFilter
) attribute described in the attributes reference chapter of the Oracle Identity Management User Reference. -
This table is present in the
testsync
/testsyncpwd
schema in a database. The database is located on the hostmachine.example.com
, the database listener port is1526
, and the serviceName isias.example.com
. The database URL ismachine.example.com:1526:ias.example.com
. -
Appropriate read/write permissions were given explicitly to this profile, namely:
orclodipagentname=testdbimport, cn=subscriber profile, cn=changelog subscriber, cn=oracle internet directory
-
The profile is created in configuration set 1.
12.4.2 Configure the Additional Configuration Information File
This example uses the same Additional Configuration Information file described earlier in "Overview of the Additional Configuration Information File".
12.4.3 Configure the Mapping File
The mapping file for this example contains the following:
DomainRules NONLDAP:dc=testdbsync,dc=com:uid=%,dc=testdbsync,dc=com AttributeRules ename: : : :cn: :person ename : : : :sn: :person uid : : : :uid: :inetOrgperson: EMail: : : :mail: :inetOrgperson Telephone: : : :telephonenumber: :inetOrgperson empnum: : : :employeenumber: :inetOrgperson
This mapping file specifies the following:
-
Directory entries are created as
uid=%,dc=testdbsync,dc=com
. The percent sign (%
) is a placeholder for the actual value ofuid
. Theuid
must be present in the mapping rules so that it has a value after the mapping. Otherwise, the DN construction fails. -
Both the
cn
andsn
attributes need to have the same value asename
. -
The
uid
element must have the value of theEMail
prefix, which is the element of the e-mail address prior to the at sign (@) character. -
The
empnum
attribute becomesemployeenumber
in the directory entry. -
The
telephone
attributes becomestelephone number
in the directory entry.
12.4.4 Configure the Directory Integration Profile
The directory integration profile for this example contains the attribute values as described in Table 12-1. A sample integration profile with these values populated and the corresponding mapping and configuration files are available in $ORACLE_HOME/ldap/odi/conf directory. You can create the profile by using Oracle Enterprise Manager Fusion Middleware Control or following the instructions described in “Creating Synchronization Profiles”.
Table 12-1 Directory Integration Profile for TESTDBIMPORT
Attribute | Value |
---|---|
Profile Name ( |
|
Synchronization Mode ( |
|
Profile Status ( |
|
Agent Execution Command ( |
null |
Advanced Configuration Information ( |
Maintains configuration details which are not individually maintained in LDAP attributes. |
Connected Directory Account ( |
|
Connected Directory Account Password ( |
|
Connected Directory URL ( |
Where |
Interface Type ( |
|
Mapping File ( |
Attribute for storing mapping rules. |
OID Matching Filter ( |
This means that Once a database row is retrieved, the Oracle Directory Integration Platform searches the directory for that |
Last Applied Change Number ( |
This means that the first time the profile executes, it retrieves and synchronizes all four rows. Subsequently, it retrieves rows only when the |
12.4.5 Uploading the Additional Configuration Information and Mapping Files
Use the update
operation of the manageSyncProfiles
command to update the additional configuration information and mapping files.
Run the manageSyncProfiles
command, as follows:
manageSyncProfiles update -h HOST -p PORT -D WLS_USER -pf PROFILE_NAME -file FILE_NAME
12.4.6 Understanding Synchronization Process for Relational Database Table with the Oracle Back-End Directory
This section explains the synchronization process for relational database table with the Oracle back-end directory.
In this example, the sequence of steps in the synchronization process is:
-
The Oracle Directory Integration Platform starts a new profile thread for the TESTDBIMPORT profile every time the value specified in the scheduling interval (
odip.profile.schedinterval
) attribute expires. -
The profile thread reads the additional configuration information to get the SQL to execute, and then runs the SQL.
-
For every row retrieved from the database, the mapping rules are applied to the record, and LDAP attributes are created.
-
Depending on the OID Matching Filter (
odip.profile.oidfilter
) attribute, the Oracle Directory Integration Platform determines whether a matching entry exists in the Oracle back-end directory. If it exists, then it is updated. If not, then a new entry is created. After the directory operation, the last applied change number (odip.profile.lastchgnum
) attribute is updated.
Note:
The OID Matching Filter (odip.profile.oidfilter
) attribute supports Oracle Unified Directory and Oracle Directory Server Enterprise Edition, as well as Oracle Internet Directory.
12.4.7 Observations About the Synchronizing a Relational Database Table to the Back-End Directory Example
This topic describes the form of the row after it is retrieved from the database.
EmpNum: 98357 EName: JOHN DOE UID: JOHN.DOE EMAIL: JOHN.DOE@EXAMPLE.COM TELEPHONE: 435-324-3455 Modified_Date: 20000102000000
After the mapping is performed on this record, the output is in the following form:
dn: uid=john.doe,dc=testdbsync,dc=com uid: JOHN.DOE cn: JOHN DOE sn: JOHN DOE mail: JOHN.DOE@EXAMPLE.COM employeenumber: 98357 telephonenumber: 435-324-3455 objectclass: person objectclass: inetorgperson
A subtree search is made in the directory with the filter employeenumber=98357
under the domain dc=testdbsync,dc=com
. If the search yields an existing entry, then that entry is updated. Otherwise, a new entry is created. Because the OID Matching Filter (odip.profile.oidfilter
) attribute is set to employeenumber
, every database record retrieved must have that column. In this case, it is EmpNum
as it maps to employeenumber
.
Any other attributes in the mapping file that are not in the data retrieved by SQL are ignored—for example, the birthday
attribute.
After the profile thread processes all the change records from SQL, it updates the directory with correct values for these attributes:
-
Last Applied Change Number (
odip.profile.lastchgnum
) -
Last Execution Time
(orclOdipLastExecutionTime
) -
Last Successful Execution Time (
orclOdipLastSuccessfulExecutionTime
)