5 Oracle Directory Integration Platform Tools
Note:
- Best security practice is to provide a password only in response to a prompt from the command.
- You must set the environment variables WLS_HOME and ORACLE_HOME before executing any of the Oracle Directory Integration Platform commands.
- The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute the Oracle Directory Integration Platform commands in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
5.1 Working With Oracle Directory Integration Platform Utilities
Understand how to work with Oracle Directory Integration Platform utilities.
This section contains the following topics:
5.1.1 Executing the Manage DIP Server Configuration Utility
Follow the example to understand how to manage the DIP server configuration using the manageDIPServerConfig utility.
The following example illustrates how to execute the manageDIPServerConfig utility command:
manageDIPServerConfig get -h myhost.mycompany.com -p 7005 -D weblogic \
  -attr sslmode
manageDIPServerConfig set -h myhost.mycompany.com -p 7005 -D weblogic \
  -attr sslmode -val 2
For more information about the command, see Manage DIP Server Configuration Utility.
5.1.2 Executing the Manage Synchronization Profiles Utility
Follow the examples to understand the usage of the manageSyncProfiles utility.
Perform various actions using manageSyncProfiles by following the examples given below:
manageSyncProfiles register -h myhost.mycompany.com -p 7005 -D weblogic \
  -f /opt/ldap/odip/iPlImport.profile
manageSyncProfiles deregister -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile
manageSyncProfiles updatechgnum -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile
manageSyncProfiles activate -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile
manageSyncProfiles deactivate -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile
manageSyncProfiles get -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile
manageSyncProfiles testProfile -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile
manageSyncProfiles associateprofile -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile -assopf myProfile1
manageSyncProfiles dissociateprofile -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile
manageSyncProfiles getAllAssociatedProfiles -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile
manageSyncProfiles getAssociatedProfile -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile
manageSyncProfiles update -h myhost.mycompany.com -p 7005 \
  -D weblogic -pf myProfile -f /opt/ldap/odip/iPlImport.profile
manageSyncProfiles validateMapRules -h myhost.mycompany.com -p 7005 \
  -D weblogic -f /opt/ldap/odip/iPlImport.map -conDirHost server.example.com \
  -conDirPort 8000 -conDirBindDn administrator@idm2003.net -mode IMPORT \
  -conDirType IPLANET
manageSyncProfiles isexists -h myhost.mycompany.com -p 7005 -D weblogic \
  -pf myProfile
manageSyncProfiles copy -h myhost.mycompany.com -p 7005 -D weblogic \
  -pf myProfile -newpf yourProfile
manageSyncProfiles list -h myhost.mycompany.com -p 7005 -D weblogic -profileStatus
For more information about the command, see Manage Synchronization Profiles Utility.
5.1.3 Executing Synchronization Profile Bootstrap Utility
Follow the example to understand how to bootstrap a synchronization profile using the syncProfileBootstrap utility.
The following example illustrates how to use the syncProfileBootstrap utility:
syncProfileBootstrap -h myhost.mycompany.com -p 7005 -D weblogic \
  -pf myProfile -lp 5
syncProfileBootstrap -h myhost.mycompany.com -p 7005 -D weblogic \
  -f /opt/ldap/odip/bootstrap.properties -lr 3
For more information about the command, see Synchronization Profile Bootstrap Utility.
5.1.4 Executing Express Synchronization Setup Utility
Follow the example to understand how to use the expressSyncSetup utility.
Use the example below to run the expressSyncSetup utility with its arguments to set up synchronization:
expressSyncSetup -h myhost.mycompany.com -p 7005 -D weblogic -pf myProfile \
  -conDirType ACTIVEDIRECTORY -conDirUrl server.mycompany.com:5432 \
  -conDirBindDN administrator@idm2003.net -conDirContainer ou=sales,dc=us,dc=com \
  -enableProfiles false
expressSyncSetup -help
For more information about the command, see Express Synchronization Setup Utility.
5.1.5 Executing Provisioning Profile Bulk Utility
Follow the example to use the provProfileBulkProv utility and its arguments to bulk-provision a profile.
The following example illustrates how to use the provProfileBulkProv utility:
provProfileBulkProv -h myhost.mycompany.com -p 7005 -D weblogic \
  -f /opt/ldap/odip/users.ldif -realm cn=aaaa,ou=bbbb,dc=cccc
For more information about the command, see Provisioning Profile Bulk Utility.
5.1.6 Executing DIP Status Utility
Follow the example to learn how to check the DIP status using the dipStatus utility.
The following example illustrates how to use the dipStatus utility:
dipStatus -h myhost.mycompany.com -p 7005 -D weblogic
dipStatus -help
For more information about the command, see Oracle Directory Integration Platform Status Utility.
5.1.7 Executing the Schema Synchronization utility for OID and third-party Directory Server
Use the following example to synchronize the schema between Oracle Internet Directory and a third-party directory server:
schemasync -srchost myhost1.mycompany.com -srcport 3060 -srcdn "cn=orcladmin" \
  -dsthost myhost2.mycompany.com -dstport 3060 \
  -dstdn "uid=superuser,ou=people,dc=mycompany,dc=com" -ldap
For more information about the command, see Schema Elements Synchronization Utility.
5.1.8 Comparing the Schema between two Oracle Internet Directory Servers
Use the schemasync command-line tool to compare the schema between two Oracle Internet Directory servers:
schemasync -srchost myhost1.mycompany.com -srcport 3060 -srcdn "cn=orcladmin" \
  -dsthost myhost2.mycompany.com -dstport 3060 -dstdn "cn=orcladmin"
5.1.9 Synchronizing the Schema between two Oracle Internet Directory Servers
Use the schemasync command-line tool to actually synchronize the schema of one OID server to another OID server:
schemasync -srchost myhost1.mycompany.com -srcport 3060 -srcdn "cn=orcladmin" \
  -dsthost myhost2.mycompany.com -dstport 3060 -dstdn "cn=orcladmin" -ldap
5.1.10 Executing the Manage Provisioning Profiles Utility
Use the manageProvProfiles utility to:
- Create a new provisioning profile. A new provisioning profile is created and set to the enabled state so that Oracle Directory Integration and Provisioning can process it.
- Modify an existing provisioning profile.
- Delete an existing provisioning profile.
- Disable an existing provisioning profile.
- Enable a disabled provisioning profile.
To understand how to manage provisioning profiles using the manageProvProfiles utility, see Tasks and Examples for manageProvProfiles in Administering Oracle Directory Integration Platform.
5.2 Manage DIP Server Configuration Utility
The Manage DIP Server Configuration utility, manageDIPServerConfig, allows you to manage the Oracle Directory Integration Platform server configuration.
5.2.1 manageDIPServerConfig
Learn about the syntax of manageDIPServerConfig utility and the accepted arguments.
Syntax
The syntax for manageDIPServerConfig utility is as follows:
manageDIPServerConfig {get | set} -h HOST -p PORT -D wlsuser -attribute {sslmode | refreshinterval | quartzthreadcount | quartzdbretryinterval | oidhostport | keystorelocation} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-value ATTRIBUTE_VALUE] [-help]
Arguments
The manageDIPServerConfig utility accepts the following arguments:
get | set
Operation to perform.
- get: Displays the current value of the config parameter in the DIP configuration file.
- set: Updates the value of the config parameter in the DIP configuration file.
-h | -host
Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed
-p | -port
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
-D | -wlsuser
WebLogic Server login ID.
Note:
You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute manageDIPServerConfig from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.
-attr | -attribute
Identifies the attribute that manageDIPServerConfig performs the operation on. The following is a list and description of the attributes manageDIPServerConfig can perform operations on:
- sslmode: The SSL mode Oracle Directory Integration Platform uses to connect to Oracle Internet Directory. Supported values are 1 and 2. Use 1 to connect to Oracle Internet Directory using SSL Mode 1 (No Authentication). Use 2 to connect to Oracle Internet Directory using SSL Mode 2 (Server Only Authentication).
- refreshinterval: The time interval, in seconds, that controls how often the Oracle Directory Integration Platform server refreshes profile configuration details.
- quartzthreadcount: Controls how many profiles can be scheduled in parallel. The default value is 15. If you have more than 15 profiles, increase the quartzthreadcount attribute accordingly.
- quartzdbretryinterval: Controls how often Oracle Directory Integration Platform's Quartz scheduler attempts to reconnect to the Oracle Internet Directory database.
- oidhostport: Identifies the host and port of the Oracle Internet Directory associated with Oracle Directory Integration Platform. Specify values for the oidhostport attribute in the form host:port.
- keystorelocation: Specifies the absolute path to the Java Keystore (JKS) on the host where Oracle Directory Integration Platform is deployed. When you specify the value for the keystorelocation attribute, be sure you use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).
-ssl
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
-keystorePath
The full path to the keystore.
-keystoreType
The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12
-val | -value
The value to set for the attribute. This parameter is required with the set operation.
-help
Provides usage help for the command.
5.3 Manage Synchronization Profiles Utility
You can use the Manage Synchronization Profiles utility, manageSyncProfiles, to manage synchronization profiles.
5.3.1 manageSyncProfiles
Learn about the syntax and the arguments accepted by manageSyncProfiles.
Syntax
The syntax followed for using manageSyncProfiles is as follows:
manageSyncProfiles {activate | deactivate | copy | deregister | get | isexists | update | testProfile | validateProfile | validateMapRules | register | updatechgnum | associateProfile | dissociateProfile | getAllAssociatedProfiles | getAssociatedProfile | list } -h HOST -p PORT -D wlsuser [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-profile] [-newProfile] [-associateProfile][-file] [-params 'prop1 val1 prop2 val2 ...'] [-conDirHost] [-conDirPort] [-conDirBindDn] [-mode] [-conDirType] [-conDirSSL] [-profileStatus] [-help]
Arguments
The manageSyncProfiles utility accepts the following arguments:
Operations
activate
Changes a profile state to ENABLE
deactivate
Changes a profile state to DISABLE
copy
Copies an existing profile (-profile) to a new profile (-newProfile).
deregister
Deletes an existing profile from OID.
get
Gets the profile details from OID.
isexists
Checks whether the profile given by -profile exists in OID.
update
Modifies an existing profile, given by -profile, in OID.
testProfile
Changes the state of a disabled profile profile to TEST and schedules the profile for testing to ensure the profile successfully performs synchronization. After executing the manageSyncProfiles command with the testProfile operation, the results of the test are available in the following log file, where DOMAIN_HOME represents the Oracle WebLogic Server Domain home and ORACLE_WEBLOGIC_MANAGED_SERVER_NAME represents the name of the managed server where Oracle Directory Integration and Provisioning is deployed:
$DOMAIN_HOME/servers/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME/logs/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME.log
Note:
The testProfile operation cannot schedule profiles that are in ENABLE state for testing.
validateProfile
Validates the syntax of the values in the specified profile for correctness.
validateMapRules
Validates the map rules provided.
register
Creates a new profile in OID.
updatechgnum
Updates the last applied change number in the profile to latest.
associateProfile
Associates the profile given by -assopf with the profile given by -profile, to prevent information back flow.
dissociateProfile
Dissociates the associated profile from the profile given by -profile.
getAllAssociatedProfiles
Lists all the profiles with which the profile given by -profile is associated.
getAssociatedProfile
Displays the name of the profile associated with the profile given by -profile.
list
Displays all profiles registered in OID.
Options
-h | -host
Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.
-p | -port
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration and Provisioning application is deployed.
-D | -wlsuser
Oracle WebLogic Server login ID.
Note:
You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute a command from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.
-ssl
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
-keystorePath
The full path to the keystore.
-keystoreType
The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12
-pf | -profile
The name of the synchronization profile to use when performing the operation.
-newpf | -newProfile
The name of the new profile, which will be a copy of the profile given by -profile.
-assopf
The name of the profile that will be associated with the profile given by -profile.
-f | -file
The full path and file name of the profile properties file containing the properties. See the appendix in Example Properties File for Synchronization Profiles in Administering Oracle Directory Integration Platform for an example of such a file.
-params
A value is of the form prop1 val1 prop2 val2 ..., where prop is the name of a profile property and val is the new value for that property. This keyword is used only for modification of a profile. You can specify as many key-value pairs as required.
-conDirHost
Host where connected directory server is running.
-conDirPort
Port at which connected directory server listens.
-conDirBindDn
Connected directory server bind DN.
Examples:
- Active Directory: administrator@idm2003.net
- Sun ONE or iPlanet: cn=Directory Manager
- Oracle Internet Directory: cn=orcladmin
Note:
You are prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute manageSyncProfiles from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.
-mode
Synchronization mode map rules to be used: import or export.
-conDirType
Connected directory type. Supported values are ActiveDirectory, EDirectory, iPlanet, OpenLDAP, ADAM, Tivoli, ExchangeServer2003, and OID.
-conDirSSL
SSL mode value used to connect connected directory server
-prfSt | -profileStatus
Displays status for the profile. Used only with the list operation.
-help
Provides command usage help.
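The following shell wrapper is an added example for this page, not part of Oracle's tools or documentation. It implements the practice that the -D and -conDirBindDn notes above describe for scripted use of manageSyncProfiles (the same note applies to the other utilities in this chapter): the password file is created readable only by its owner, holds the connected directory bind DN password on the first line and the Oracle WebLogic Server password on the second, is fed to the command on standard input, and is deleted as soon as the command finishes, also when it is interrupted. The environment variable names DIP_WLS_PASSWORD and DIP_CONDIR_PASSWORD and the function name are this example's own assumptions, not settings of the utilities.

```shell
#!/bin/sh
# Added example (not Oracle's code): run a DIP command-line utility with its
# password(s) redirected from a short-lived file, as the notes above allow
# when a command must run from a script.
#   - the file is created with mode 0600 (umask 077) and deleted afterwards,
#     also when the command is interrupted;
#   - the connected directory bind DN password goes on the first line and the
#     WebLogic Server password on the second, the order documented for
#     manageSyncProfiles and expressSyncSetup; utilities that take only the
#     WebLogic password get a one-line file;
#   - passwords never appear on the command line, so they are not visible in
#     process listings or shell history.
# Passwords are read from the environment variables DIP_WLS_PASSWORD and
# DIP_CONDIR_PASSWORD (names chosen for this example; they are not DIP settings).

# dip_with_passwords COMMAND [ARGS...]
# The body runs in a subshell, so the restrictive umask and the cleanup trap
# do not leak into the calling shell. Exit status is that of COMMAND.
dip_with_passwords() (
  if [ -z "${DIP_WLS_PASSWORD:-}" ]; then
    echo "dip_with_passwords: DIP_WLS_PASSWORD is not set" >&2
    exit 2
  fi
  umask 077                                   # anything we create is owner-only
  pwfile=$(mktemp "${TMPDIR:-/tmp}/dip-pw.XXXXXX") || exit 1
  trap 'rm -f "$pwfile"' EXIT HUP INT TERM    # remove the file on any exit path
  if [ -n "${DIP_CONDIR_PASSWORD:-}" ]; then
    # two passwords: bind DN password first, WebLogic password second
    printf '%s\n%s\n' "$DIP_CONDIR_PASSWORD" "$DIP_WLS_PASSWORD" > "$pwfile"
  else
    printf '%s\n' "$DIP_WLS_PASSWORD" > "$pwfile"
  fi
  "$@" < "$pwfile"                            # the utility reads its prompts from the file
  rc=$?
  rm -f "$pwfile"
  exit "$rc"
)

# Usage with the page's own manageSyncProfiles example. The variables would
# normally be injected by the job scheduler or a secrets store, not written
# into the script:
#   DIP_CONDIR_PASSWORD='...' DIP_WLS_PASSWORD='...' \
#   dip_with_passwords manageSyncProfiles validateMapRules -h myhost.mycompany.com -p 7005 \
#     -D weblogic -f /opt/ldap/odip/iPlImport.map -conDirHost server.example.com \
#     -conDirPort 8000 -conDirBindDn administrator@idm2003.net -mode IMPORT -conDirType IPLANET

if [ "${1:-}" = "--demo" ]; then
  # Offline demonstration with constructed values: cat stands in for the
  # utility and simply prints the two lines it was fed, in order.
  DIP_CONDIR_PASSWORD='bind-secret' DIP_WLS_PASSWORD='wls-secret' dip_with_passwords cat
fi
```

Running the script with --demo shows the line order the utilities expect (bind DN password, then WebLogic password) without contacting any server; with a real utility the same wrapper satisfies each prompt in turn. Because the file is both created under umask 077 and removed by the trap, a failed or interrupted run leaves no readable copy of the passwords behind.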
5.4 Synchronization Profile Bootstrap Utility
The Synchronization Profile Bootstrap utility, syncProfileBootstrap, performs the initial migration of data between a connected directory and Oracle Internet Directory for a synchronization profile.
5.4.1 syncProfileBootstrap
Learn about the syntax and the various arguments of the syncProfileBootstrap utility. Each argument provides you with an option to perform the initial migration between the connected directory and Oracle Internet Directory.
Syntax
The syntax followed for using syncProfileBootstrap is as follows:
syncProfileBootstrap -h HOST -p PORT -D wlsuser {-file FILENAME | -profile PROFILE_NAME} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-loadParallelism INTEGER] [-loadRetry INTEGER] [-help]
Arguments
The syncProfileBootstrap utility accepts the following arguments:
-h | -host
Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.
-p | -port
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
-D | -wlsuser
Oracle WebLogic Server login ID.
Note:
You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute syncProfileBootstrap from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.
-f | -file
Bootstrap properties file.
-pf | -profile
The name of the synchronization profile to use when performing the operation.
-ssl
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
-keystorePath
The full path to the keystore.
-keystoreType
The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12
-lp | -loadParallelism
Indicator that loading to Oracle Internet Directory is to take place in parallel by using multiple threads. For example, -loadParallelism 5 means that 5 threads are created, each of which loads entries to Oracle Internet Directory in parallel.
-lr | -loadRetry
The number of times the retry should be made (when the load to the destination fails) before marking the entry as bad entry.
-help
Provides command usage help.
5.5 Express Synchronization Setup Utility
Understand how to use the Express Synchronization Setup utility, expressSyncSetup, to create import and export synchronization profiles.
5.5.1 expressSyncSetup
Learn about the syntax and the various arguments of the expressSyncSetup utility.
Syntax
The syntax followed for using expressSyncSetup is as follows:
expressSyncSetup -h HOST -p PORT -D wlsuser -pf PROFILE -conDirType CONNECTED_DIRECTORY_TYPE -conDirUrl CONNECTED_DIRECTORY_URL -conDirBindDN CONNECTED_DIRECTORY_BIND_DN -conDirContainer SYNC_CONTAINER [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-enableProfiles {true | false}] [-help]
Arguments
The expressSyncSetup utility accepts the following arguments:
-h | -host
Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.
-p | -port
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
-D | -wlsuser
Oracle WebLogic Server login ID.
Note:
You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute expressSyncSetup from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to expressSyncSetup, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.
-pf | -profile
Profile name.
-conDirType
Connected directory type. Supported values are ActiveDirectory, EDirectory, iPlanet, OpenLDAP, ADAM, Tivoli, ExchangeServer2003, and OID.
-conDirUrl
URL where the connected directory is running. The format is host:port.
-conDirBindDN
Connected directory server bind DN. For example:
- administrator@idm2003.net
- cn=orcladmin
- cn=Directory Manager
Note:
You are prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute expressSyncSetup from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to expressSyncSetup, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.
-conDirContainer
The synchronization container. For example:
- ou=sales,dc=us,dc=com
- OU=Groups,DC=imtest,DC=com
- CN=Users,DC=imtest,DC=com
-ssl
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
-keystorePath
The full path to the keystore.
-keystoreType
The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12
-enableProfiles
Specify true to enable the created profiles, false if not.
-help
Provides command usage help.
5.6 Provisioning Profile Bulk Utility
The Provisioning Profile Bulk utility, provProfileBulkProv, performs the initial migration of data from an LDIF file to Oracle Internet Directory for a provisioning profile.
5.6.1 provProfileBulkProv
Learn about the syntax and the various arguments of the provProfileBulkProv utility.
Syntax
The syntax followed for using provProfileBulkProv is as follows:
provProfileBulkProv -h HOST -p PORT -D wlsuser -file LDIF_FILE -realm REALM_DN [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-encoding INPUT_ENCODING] [-help]
Arguments
The provProfileBulkProv utility accepts the following arguments:
-h | -host
Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.
-p | -port
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
-D | -wlsuser
Oracle WebLogic Server login ID
Note:
You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute provProfileBulkProv from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.
-f | -file
LDIF file containing the data to be migrated.
-realm
The realm in which the users are to be provisioned.
-ssl
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
-keystorePath
The full path to the keystore.
-keystoreType
The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12
-encoding
Input file encoding.
-help
Provides command usage help.
5.7 Oracle Directory Integration Platform Status Utility
The dipStatus utility allows you to check the status of Oracle Directory Integration Platform and whether it is registered.
5.7.1 dipStatus
Learn about the syntax and the various arguments of the dipStatus utility.
Syntax
The syntax followed for using dipStatus is as follows:
dipStatus -h HOST -p PORT -D wlsuser [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-help]
Arguments
The dipStatus utility accepts the following arguments:
-h | -host
Host name of the WebLogic server running the Managed Server where Oracle Directory Integration Platform is deployed.
-p | -port
Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.
-D | -wlsuser
WebLogic Server login ID.
Note:
You are prompted for the WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus from a script, you can redirect input from a file containing the WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.
-ssl
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
-keystorePath
The full path to the keystore.
-keystoreType
The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12
-help
Provides usage help for the command.
5.8 Schema Elements Synchronization Utility
The schemasync utility enables you to synchronize schema elements—namely attributes and object classes—between an Oracle Internet Directory server and a third-party LDAP directory.
5.8.1 schemasync
Learn about the syntax, the arguments, and the related command-line tools of the schemasync utility.
Syntax
The syntax followed for using schemasync is as follows:
schemasync -srchost hostname -srcport port -srcdn bindDN -srcpwd password -dsthost hostname -dstport port -dstdn bindDN -dstpwd password [-ldap]
Arguments
The schemasync utility accepts the following arguments:
-srchost hostname
Required. The host name of the source directory server.
-srcport port
Required. The LDAP listening port of the source directory server, for example 3060.
-srcdn bindDN
Required. The DN of the user used to bind to the source directory. This user must have permissions to modify the directory schema, for example the superuser (cn=orcladmin).
-srcpwd password
Optional. The user password used to bind to the source directory. If you do not specify the password on the command line, you are prompted for it. Best security practice is to provide the password in response to a prompt.
-dsthost hostname
Required. The host name of the destination directory server.
-dstport port
Required. The LDAP listening port of the destination directory server, for example 3060.
-dstdn bindDN
Optional. The DN of the user used to bind to the destination directory. This user must have permissions to modify the directory schema, for example the superuser.
-dstpwd password
Required. The user password used to bind to the destination directory. If you do not specify the password on the command line, you are prompted for it. Best security practice is to provide the password in response to a prompt.
-ldap
Optional. If specified, then the schema changes are applied directly from the source LDAP directory to the destination LDAP directory. If it is not specified, then the schema changes are placed in the following LDIF files:
- ORACLE_HOME/ldap/odi/data/attributetypes.ldif: This file has the new attribute definitions.
- ORACLE_HOME/ldap/odi/data/objectclasses.ldif: This file has the new object class definitions.
If you do not specify -ldap, then you must use ldapmodify to upload the definitions from these two files, first attribute types and then object classes.
Related Command-Line Tools
For the ldapmodify command-line tool used to upload the schemasync output, see ldapmodify.
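The following shell script is an added example, not Oracle's code, for the case just described in which schemasync is run without -ldap and the two LDIF files it writes must then be uploaded with ldapmodify, attribute types before object classes. It assumes the destination is Oracle Internet Directory and that ldapmodify is OID's own ORACLE_HOME/bin/ldapmodify, taking -h, -p, -D and -f, with -q prompting for the bind password; the LDAPMODIFY variable, the function names and the sample LDIF content are constructed for this example.

```shell
#!/bin/sh
# Added example (not Oracle's code): apply the two LDIF files that schemasync
# writes when -ldap is NOT given, in the order the reference requires.
# Attribute types go first because the object classes in the second file
# refer to them; the upload stops at the first ldapmodify failure so nothing
# is applied on top of a half-loaded schema.
# Assumptions: destination is Oracle Internet Directory; ldapmodify is OID's
# ORACLE_HOME/bin/ldapmodify taking -h/-p/-D/-f and -q (prompt for the bind
# password, so it is never on the command line). LDAPMODIFY only exists so a
# stand-in command can be substituted when testing offline.

# count_schema_definitions FILE KIND
# Prints how many "KIND: ( ... )" definition lines FILE contains, KIND being
# attributetypes or objectclasses; prints 0 for a missing or empty file.
count_schema_definitions() {
  n=$(grep -c "^$2: " "$1" 2>/dev/null) || n=${n:-0}   # grep -c exits 1 on zero matches
  echo "${n:-0}"
}

# apply_schemasync_ldif HOST PORT BINDDN DATADIR
# DATADIR is normally ORACLE_HOME/ldap/odi/data. Progress goes to stderr;
# stdout is left to the ldapmodify invocations.
apply_schemasync_ldif() {
  host=$1; port=$2; binddn=$3; datadir=$4
  for f in attributetypes.ldif objectclasses.ldif; do      # order matters
    path="$datadir/$f"
    if [ ! -f "$path" ]; then
      echo "apply_schemasync_ldif: $path not found (run schemasync without -ldap first)" >&2
      return 1
    fi
    echo "applying $(count_schema_definitions "$path" "${f%.ldif}") definition(s) from $f" >&2
    "${LDAPMODIFY:-ldapmodify}" -h "$host" -p "$port" -D "$binddn" -q -f "$path" || {
      echo "apply_schemasync_ldif: ldapmodify failed on $f; stopping here" >&2
      return 1
    }
  done
}

# write_sample_schema_ldif DIR
# Constructed sample of the two files (placeholder OIDs under a private arc),
# so the functions above can be exercised without running schemasync.
write_sample_schema_ldif() {
  cat > "$1/attributetypes.ldif" <<'EOF'
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleBadgeId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleCostCenter' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
EOF
  cat > "$1/objectclasses.ldif" <<'EOF'
dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'examplePerson' SUP top AUXILIARY MAY ( exampleBadgeId $ exampleCostCenter ) )
EOF
}

# Offline dry run on the constructed sample: summarise what would be uploaded.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/schemasync-demo.XXXXXX")
write_sample_schema_ldif "$demo_dir"
for kind in attributetypes objectclasses; do
  echo "$kind: $(count_schema_definitions "$demo_dir/$kind.ldif" "$kind") definition(s)"
done
rm -rf "$demo_dir"

# Real upload, after a schemasync run without -ldap on this host:
#   apply_schemasync_ldif myhost2.mycompany.com 3060 "cn=orcladmin" "$ORACLE_HOME/ldap/odi/data"
```

The dry-run summary lets an administrator review how many new attribute and object class definitions schemasync produced before any of them reach the destination server; the upload itself keeps the documented order and refuses to continue to objectclasses.ldif if attributetypes.ldif was rejected.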
5.9 Manage Provisioning Profiles Utility
Provisioning enables you to ensure that an application is notified of directory changes, such as changes to user or group information. Such changes can affect whether the application allows a user access to its processes and resources.
5.9.1 manageProvProfiles
Use the manageProvProfiles command to manage provisioning profiles.
When you install an application that you want to provision, you must create a provisioning integration profile using the manageProvProfiles command located in the ORACLE_HOME/bin directory.
The manageProvProfiles utility shields the location and schema details of the provisioning profile entries from the callers of the tool. From the callers' perspective, the combination of an application and a realm uniquely identifies a provisioning profile. The constraint in the system is that there can be only one provisioning profile for each application for each realm.
Once a profile is created, its mode—that is, INBOUND, OUTBOUND, or BOTH—cannot be changed by using the modify operation. To change the mode, you must delete, then re-create, the profile.
The Oracle Directory Integration Platform server automatically monitors provisioning profile configuration changes in Oracle Unified Directory or Oracle Internet Directory, including the creation, modification, and deletion of provisioning profiles. For this reason, you do not need to manually enable or disable a provisioning profile.
Note:
For improved security, do not enter a password with the manageProvProfiles command unless prompted for one.
Syntax
The syntax followed for using manageProvProfiles is as follows:
manageProvProfiles operation=[create|modify] ldap_host=backend_hostname ldap_port=port ldap_user_dn="bindDN" [profile_mode=INBOUND|OUTBOUND|BOTH] application_dn="DN" application_type=type [application_name=name] [application_display_name=display name] organization_dn=DN [application_isdasvisible=TRUE|FALSE] [manage_application_defaults=TRUE|FALSE] [enable_bootstrap=TRUE|FALSE] [user_data_location=DN] [default_provisioning_policy=PROVISIONING_REQUIRED|PROVISIONING_NOT_REQUIRED] interface_name=SCHEMA.PACKAGE [interface_type=PLSQL|JAVA] [interface_version=1.1|2.0|3.0] schedule=number_seconds lastchangenumber=number max_prov_failure_limit=number max_events_per_schedule=number max_events_per_invocation=number event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN" event_permitted_operations="OBJECT:DOMAIN:OPERATION(attributes,...)" event_subscription="USER|GROUP:DOMAIN:OPERATION(attributes,...)" max_events_per_schedule=number max_retries=number profile_group=number profile_status=ENABLED|DISABLED profile_debug=debug_level

manageProvProfiles {operation=enable|disable|delete|status|reset} application_dn=DN [organization_dn=DN] [ldap_host=backend_hostname] [ldap_port=port] [ldap_user_dn=bindDN] [profile_debug=debug_level]
Arguments
The manageProvProfiles utility accepts the following arguments:
operation=create | modify | enable | disable | delete | status | reset
Required. The operation to perform using manageProvProfiles. You can perform only one operation at a time. The operations are:
- create—Creates a new provisioning profile.
- modify—Modifies the given properties of an existing provisioning profile.
- enable—Enables a provisioning profile.
- disable—Disables a provisioning profile.
- delete—Deletes a provisioning profile.
- status—Shows the current status of a given provisioning profile.
- reset—Clears all errors for a provisioning profile.
ldap_host=backend_hostname
Optional. The host name of the Oracle Unified Directory or Oracle Internet Directory server. If not provided, the name of the local host is used.
ldap_port=port
Optional. The LDAP listening port of the back-end directory. The default port for Oracle Unified Directory or Oracle Internet Directory is 389.
ldap_user_dn=bindDN
Required. The DN of the superuser or of a user that has sufficient permissions to perform provisioning subscription operations. The default is cn=orcladmin for Oracle Internet Directory and "cn=directory manager" for Oracle Unified Directory.
profile_mode=OUTBOUND | INBOUND | BOTH
Optional, for the create operation only. The direction of the provisioning events. The default is OUTBOUND (data is provisioned from Oracle Unified Directory or Oracle Internet Directory to the application).
application_dn=DN
Required. The distinguished name of the application to which the provisioning subscription belongs. The combination of the application DN and organization DN uniquely identifies a provisioning profile. For example, here is the application DN for Portal:
"orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext"
application_type=type
Required. The type of application being provisioned.
application_name=name
Optional. The name of the application being provisioned. If not provided, defaults to the distinguished name assigned to application_dn.
application_display_name=name
Optional. The display name of the application being provisioned. If not provided, defaults to the value assigned to application_name.
organization_dn=DN
Optional. The distinguished name of the organization to which the provisioning subscription belongs, for example "dc=company,dc=com". If not provided, defaults to the default identity management realm. The combination of the application DN and organization DN uniquely identifies a provisioning profile.
application_isdasvisible=TRUE | FALSE
Optional. Determines whether the application is visible as a provisioning-integrated application in the Oracle Internet Directory. The default value is TRUE.
Note:
This argument is for Oracle Delegated Administration Services 10g Releases (10.1.4.x).
manage_application_defaults=TRUE | FALSE
Optional. Determines whether the Oracle Internet Directory manages the application's default values. The default value is TRUE.
Note:
This argument is for Oracle Delegated Administration Services 10g Releases (10.1.4.x).
enable_bootstrap=TRUE | FALSE
Optional. Indicates whether the application should receive provisioning events for users that existed in Oracle Internet Directory before creating the application's provisioning integration profile. The default value is FALSE.
user_data_location=DN
Optional. Identifies the DN of the container in which to store application-specific user information.
default_provisioning_policy=PROVISIONING_REQUIRED | PROVISIONING_NOT_REQUIRED
Optional. Specifies the application's default provisioning policy. The default value is PROVISIONING_REQUIRED.
interface_name=SCHEMA.PACKAGE
Required for create or modify operations. The database schema name for the PLSQL package. The format of the value is schema.package_name; for example, here is the schema and PLSQL package information for Portal:
interface_name=PORTAL.WWSEC_OID_SYNC
interface_version=1.1 | 2.0 | 3.0
The version of the interface protocol. Allowed values are 1.1, 2.0, or 3.0. The default value is 2.0.
Oracle Internet Directory supports versions 1.1, 2.0, and 3.0. Oracle Unified Directory supports versions 2.0 and 3.0.
interface_type=PLSQL | JAVA
Optional. The type of interface to which events will be propagated. The default is PLSQL.
Note:
For the JAVA type, only interface protocol version 3.0 is supported.
schedule=number_seconds
Optional, for create and modify operations only. The number of seconds between executions of this profile. The default is 3600, which means the profile is scheduled to be executed every hour.
lastchangenumber=number
Optional, for create and modify operations on OUTBOUND events only. The last change number in Oracle Internet Directory after which all qualifying events should be provisioned to the application. Defaults to the latest current change number.
max_prov_failure_limit=number
Optional. Determines the number of times the Oracle Provisioning System attempts to provision a user. The default is 1.
max_events_per_schedule=number
Optional, for create and modify operations only. The maximum number of events that the Oracle Directory Integration Platform server sends to an application during one execution of a provisioning profile. The default is 100.
max_events_per_invocation=number
Optional, for create and modify operations only. The maximum number of events that can be packaged and sent to a target in one invocation of the interface.
event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN"
Required for create and modify operations on INBOUND events only. This rule maps the object type received from the application (using an optional filter condition) to a domain in Oracle Internet Directory. A provisioning profile can have multiple mapping rules defined.
The following example shows two mapping rules. The first rule states that an employee object (EMP) whose locality attribute equals America (l=AMERICA) should be mapped to the domain l=AMER,cn=users,dc=company,dc=com. The second rule states that an employee object (EMP) should be mapped to the domain cn=users,dc=company,dc=com (no filter conditions).
event_mapping_rules="EMP:l=AMERICA:l=AMER,cn=users,dc=company,dc=com"
event_mapping_rules="EMP::cn=users,dc=company,dc=com"
event_permitted_operations="OBJECT:DOMAIN:OPERATION(attributes,...)"
Required for create and modify operations on INBOUND events only. This property defines the types of events that the application is allowed to send to the Oracle Directory Integration and Provisioning service. A provisioning profile can have multiple permitted operations defined.
For example, if you wanted to permit the application to send events whenever a user object was added or deleted, or when certain attributes were modified, you would have three permitted operations such as these:
event_permitted_operations="USER:dc=mycompany,dc=com:ADD(*)"
event_permitted_operations="USER:dc=mycompany,dc=com:MODIFY(cn,sn,mail,password)"
event_permitted_operations="USER:dc=mycompany,dc=com:DELETE(*)"
event_subscription="USER | GROUP:DOMAIN:OPERATION(attributes,...)"
Required for create and modify operations on OUTBOUND events only. This property defines the types of events that the Oracle Directory Integration and Provisioning service should send to the application. A provisioning profile can have multiple event subscriptions defined.
For example, if you wanted the directory integration server to send events to the application whenever a user or group object was added or deleted, you would have four event subscriptions such as these:
event_subscription="GROUP:dc=mycompany,dc=com:ADD(*)"
event_subscription="GROUP:dc=mycompany,dc=com:DELETE(*)"
event_subscription="USER:dc=mycompany,dc=com:ADD(*)"
event_subscription="USER:dc=mycompany,dc=com:DELETE(*)"
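The event_mapping_rules, event_permitted_operations and event_subscription values above share a colon-separated layout in which the DOMAIN part is itself a comma-separated DN, so naive splitting gets them wrong. The following added example, which is not part of the Oracle documentation or the manageProvProfiles tool, parses and validates such rule strings before they are put on the command line; the operation names (ADD, MODIFY, DELETE) and the USER/GROUP object types for event_subscription come from the argument descriptions, while the DN syntax check is a simplifying assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not Oracle's code): validate rule strings before passing them to
# manageProvProfiles. Operation names and USER/GROUP come from the argument
# descriptions; the DN regex is an assumption (plain attr=value,... form).
_DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")
_OP_RE = re.compile(r"^(ADD|MODIFY|DELETE)\(([^()]+)\)$")

@dataclass
class EventRule:
    object_type: str
    domain: str
    operation: str
    attributes: tuple  # ('*',) means every attribute of the object

def parse_event_rule(rule: str, subscription: bool = False) -> EventRule:
    """Parse OBJECT:DOMAIN:OPERATION(attributes,...) (event_permitted_operations,
    or event_subscription when subscription=True, which restricts OBJECT)."""
    # The DN holds commas, so split on the first and the last colon only.
    head, _, op_part = rule.rpartition(":")
    obj, _, domain = head.partition(":")
    if not (obj and domain and op_part):
        raise ValueError(f"expected OBJECT:DOMAIN:OPERATION(...): {rule!r}")
    if subscription and obj not in ("USER", "GROUP"):
        raise ValueError(f"event_subscription object must be USER or GROUP: {obj!r}")
    if not _DN_RE.match(domain):
        raise ValueError(f"domain is not a DN: {domain!r}")
    m = _OP_RE.match(op_part)
    if not m:
        raise ValueError(f"operation must be ADD|MODIFY|DELETE(attrs): {op_part!r}")
    attrs = tuple(a.strip() for a in m.group(2).split(",") if a.strip())
    return EventRule(obj, domain, m.group(1), attrs)

@dataclass
class MappingRule:
    object_type: str
    filter_cond: Optional[str]  # None when no filter condition is given
    domain: str

def parse_mapping_rule(rule: str) -> MappingRule:
    """Parse OBJECT_TYPE:FILTER:DOMAIN (event_mapping_rules); FILTER may be empty."""
    parts = rule.split(":", 2)
    if len(parts) != 3 or not parts[0] or not parts[2]:
        raise ValueError(f"expected OBJECT_TYPE:FILTER:DOMAIN: {rule!r}")
    if not _DN_RE.match(parts[2]):
        raise ValueError(f"domain is not a DN: {parts[2]!r}")
    return MappingRule(parts[0], parts[1] or None, parts[2])
```

Running the documented examples through the parser shows where each field ends; a rule that does not parse would otherwise only be rejected by the server after the profile entry had been written.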
max_retries=number
Optional, for create and modify operations only. The number of times a failed event should be retried. The default is 5.
profile_group=number
Required for create and modify operations only. The group number of the profile. The default is "DEFAULT". Profile groups address scalability: different Oracle Directory Integration Platform server instances can be assigned to execute different selected groups.
profile_status=ENABLED | DISABLED
Required for the create operation only. Determines whether the profile is enabled or disabled. The default is ENABLED.
profile_debug=debug_level
Required. The debug level for the profile.
Note:
For security reasons, the ldap_user_password and interface_connect_info arguments are no longer accepted on the command line.