5 Oracle Directory Integration Platform Tools

Learn about the various command-line tools that are used to administer Oracle Directory Integration Platform.

Note:

  • Best security practice is to provide a password only in response to a prompt from the command. A password passed as a command-line argument is visible to other users in process listings and is recorded in shell history.

  • You must set the environment variables WLS_HOME and ORACLE_HOME before executing any of the Oracle Directory Integration Platform commands.

  • The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute the Oracle Directory Integration Platform commands in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

5.1 Working With Oracle Directory Integration Platform Utilities

Understand how to work with Oracle Directory Integration Platform utilities.

5.1.1 Executing the Manage DIP Server Configuration Utility

The following commands read the current value of the sslmode attribute with manageDIPServerConfig and then set it to 2 (server-only authentication):

manageDIPServerConfig get -h myhost.mycompany.com -p 7005 -D weblogic \
   -attr sslmode
manageDIPServerConfig set -h myhost.mycompany.com -p 7005 -D weblogic \
   -attr sslmode -val 2

For more information about the command, see Manage DIP Server Configuration Utility.

5.1.2 Executing the Manage Synchronization Profiles Utility

The following examples show each manageSyncProfiles operation. Host names, ports, profile names, file paths and bind DNs are placeholders, and each command prompts for the passwords it needs rather than accepting them as arguments:

manageSyncProfiles register -h myhost.mycompany.com -p 7005 -D weblogic \
   -f /opt/ldap/odip/iPlImport.profile
manageSyncProfiles deregister -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile
manageSyncProfiles updatechgnum -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile
manageSyncProfiles activate -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile
manageSyncProfiles deactivate -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile
manageSyncProfiles get -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile
manageSyncProfiles testProfile -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile
manageSyncProfiles associateprofile -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile -assopf myProfile1
manageSyncProfiles dissociateprofile -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile
manageSyncProfiles getAllAssociatedProfiles -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile
manageSyncProfiles getAssociatedProfile -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile
manageSyncProfiles update -h myhost.mycompany.com -p 7005 \
   -D weblogic -pf myProfile -f /opt/ldap/odip/iPlImport.profile
manageSyncProfiles validateMapRules -h myhost.mycompany.com -p 7005 \
   -D weblogic -f /opt/ldap/odip/iPlImport.map -conDirHost server.example.com \
   -conDirPort 8000 -conDirBindDn administrator@idm2003.net -mode IMPORT \
   -conDirType IPLANET
manageSyncProfiles isexists -h myhost.mycompany.com -p 7005 -D weblogic \
   -pf myProfile
manageSyncProfiles copy -h myhost.mycompany.com -p 7005 -D weblogic \
   -pf myProfile -newpf yourProfile
manageSyncProfiles list -h myhost.mycompany.com -p 7005 -D weblogic -profileStatus

For more information about the command, see Manage Synchronization Profiles Utility.

5.1.3 Executing Synchronization Profile Bootstrap Utility

The following examples run syncProfileBootstrap for a registered profile. The first bootstraps profile myProfile, loading entries into Oracle Internet Directory with five parallel threads; the second takes its settings from a bootstrap properties file and retries a failed load three times before marking the entry as bad:

syncProfileBootstrap -h myhost.mycompany.com -p 7005 -D weblogic \
  -pf myProfile -lp 5
syncProfileBootstrap -h myhost.mycompany.com -p 7005 -D weblogic \
  -f /opt/ldap/odip/bootstrap.properties -lr 3

For more information about the command, see Synchronization Profile Bootstrap Utility.

5.1.4 Executing Express Synchronization Setup Utility

The following example uses expressSyncSetup to create import and export synchronization profiles for an Active Directory connected directory, leaving them disabled (-enableProfiles false) so they can be reviewed before activation; the second command prints usage help:

expressSyncSetup -h myhost.mycompany.com -p 7005 -D weblogic -pf myProfile \
  -conDirType ACTIVEDIRECTORY -conDirUrl server.mycompany.com:5432 \
  -conDirBindDN administrator@idm2003.net -conDirContainer ou=sales,dc=us,dc=com \
  -enableProfiles false
expressSyncSetup -help

For more information about the command, see Express Synchronization Setup Utility.

5.1.5 Executing Provisioning Profile Bulk Utility

The following example loads the entries in users.ldif into the realm cn=aaaa,ou=bbbb,dc=cccc with provProfileBulkProv:

provProfileBulkProv -h myhost.mycompany.com -p 7005 -D weblogic \
  -f /opt/ldap/odip/users.ldif -realm cn=aaaa,ou=bbbb,dc=cccc

For more information about the command, see Provisioning Profile Bulk Utility.

5.1.6 Executing DIP Status Utility

The following example reports whether Oracle Directory Integration Platform is running and registered; the second command prints usage help:

dipStatus -h myhost.mycompany.com -p 7005 -D weblogic
dipStatus -help

For more information about the command, see Oracle Directory Integration Platform Status Utility.

5.1.7 Executing the Schema Synchronization utility for OID and third-party Directory Server

Use the following example to synchronize the schema from an Oracle Internet Directory server to a third-party directory server. Because -ldap is specified, the changes are applied directly to the destination directory; because neither -srcpwd nor -dstpwd is given, the command prompts for both bind passwords:

schemasync -srchost myhost1.mycompany.com -srcport 3060 -srcdn "cn=orcladmin" \
   -dsthost myhost2.mycompany.com -dstport 3060 \
   -dstdn "uid=superuser,ou=people,dc=mycompany,dc=com" -ldap

For more information about the command, see Schema Elements Synchronization Utility.

5.1.8 Comparing the Schema between two Oracle Internet Directory Servers

Use the schemasync command-line tool without -ldap to compare the schema between two Oracle Internet Directory servers. Nothing is changed on the destination: the attribute types and object classes missing there are written to the LDIF files under ORACLE_HOME/ldap/odi/data, where they can be reviewed before being applied:

schemasync -srchost myhost1.mycompany.com -srcport 3060 -srcdn "cn=orcladmin" \
   -dsthost myhost2.mycompany.com -dstport 3060 -dstdn "cn=orcladmin"

5.1.9 Synchronizing the Schema between two Oracle Internet Directory Servers

Use the schemasync command-line tool with -ldap to apply the schema of one Oracle Internet Directory server directly to another:

schemasync -srchost myhost1.mycompany.com -srcport 3060 -srcdn "cn=orcladmin" \
   -dsthost myhost2.mycompany.com -dstport 3060 -dstdn "cn=orcladmin" -ldap

5.1.10 Executing the Manage Provisioning Profiles Utility

When you install an application that you want to provision, you must create a provisioning integration profile by using the Manage Provisioning Profiles Utility. For more information about the command, see Manage Provisioning Profiles Utility.
You can use the Manage Provisioning Profiles Utility to:
  • Create a new provisioning profile. A new provisioning profile is created and set to the enabled state so that Oracle Directory Integration Platform can process it.

  • Modify an existing provisioning profile.

  • Delete an existing provisioning profile.

  • Disable an existing provisioning profile.

  • Enable a disabled provisioning profile.

To understand how to manage provisioning profiles using the manageProvProfiles utility, see Tasks and Examples for manageProvProfiles in Administering Oracle Directory Integration Platform.

5.2 Manage DIP Server Configuration Utility

The Manage DIP Server Configuration utility, manageDIPServerConfig, allows you to manage the Oracle Directory Integration Platform server configuration.

5.2.1 manageDIPServerConfig

Learn about the syntax of manageDIPServerConfig utility and the accepted arguments.

Syntax

The syntax for manageDIPServerConfig utility is as follows:

manageDIPServerConfig {get | set} -h HOST -p PORT -D wlsuser -attribute {sslmode |
refreshinterval | quartzthreadcount | quartzdbretryinterval | oidhostport |
keystorelocation} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] 
[-value ATTRIBUTE_VALUE] [-help]

Arguments

The manageDIPServerConfig Utility accepts the following arguments:

get | set

Operation to perform.

  • get: Displays the current value of the configuration parameter in the DIP configuration file.

  • set: Updates the value of the configuration parameter in the DIP configuration file.

-h | -host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | -wlsuser

WebLogic Server login ID.

Note:

You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute manageDIPServerConfig from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.

-attr | -attribute

Identifies the attribute that manageDIPServerConfig performs the operation on. The following is a list and description of the attributes manageDIPServerConfig can perform operations on:

  • sslmode: The SSL mode Oracle Directory Integration Platform uses to connect to Oracle Internet Directory. Supported values are 1 and 2. Use 1 to connect to Oracle Internet Directory using SSL Mode 1 (No Authentication), which encrypts the connection but does not verify the Oracle Internet Directory server certificate, so it does not protect against a host impersonating Oracle Internet Directory. Use 2 to connect using SSL Mode 2 (Server Only Authentication), which verifies the server certificate and is the mode to prefer.

  • refreshinterval: The time interval (amount of time in seconds) that controls how often the Oracle Directory Integration Platform server refreshes profile configuration details.

  • quartzthreadcount: Controls how many profiles can be scheduled in parallel. The default value is 15. If you have more than 15 profiles, increase the quartzthreadcount attribute accordingly.

  • quartzdbretryinterval: Controls how often Oracle Directory Integration Platform's Quartz scheduler attempts to reconnect to the Oracle Internet Directory database.

  • oidhostport: Identifies the host and port of the Oracle Internet Directory associated with Oracle Directory Integration Platform. Specify values for the oidhostport attribute in the form of host:port.

  • keystorelocation: Specifies the absolute path to the Java Keystore (JKS) based on the host where Oracle Directory Integration Platform is deployed. When you specify the value for the keystorelocation attribute, be sure you use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).

-ssl

Executes the command in SSL mode.

Note:

The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12.

-val | -value

The value to set for the attribute. This parameter is required with the set operation.

-help

Provides usage help for the command.

5.3 Manage Synchronization Profiles Utility

You can use the Manage Synchronization Profiles utility, manageSyncProfiles, to manage synchronization profiles.

5.3.1 manageSyncProfiles

Learn about the syntax and the arguments accepted by manageSyncProfiles.

Syntax

The syntax followed for using manageSyncProfiles is as follows:

manageSyncProfiles {activate | deactivate | copy | deregister | get | isexists |
update | testProfile | validateProfile | validateMapRules | register | 
updatechgnum | associateProfile | dissociateProfile | getAllAssociatedProfiles |
getAssociatedProfile | list } -h HOST -p PORT -D wlsuser [-ssl -keystorePath 
PATH_TO_KEYSTORE -keystoreType TYPE] [-profile] [-newProfile]
[-associateProfile][-file] [-params 'prop1 val1 prop2 val2 ...']
[-conDirHost] [-conDirPort] [-conDirBindDn] [-mode] [-conDirType] [-conDirSSL] 
[-profileStatus] [-help]

Arguments

The manageSyncProfiles utility accepts the following arguments:

Operations

activate

Changes a profile state to ENABLE

deactivate

Changes a profile state to DISABLE

copy

Copies an existing profile to profile newProfile

deregister

Deletes an existing profile from OID.

get

Gets the profile details from OID.

isexists

Checks if the profile profile exists in OID.

update

Modifies an existing profile profile in OID.

testProfile

Changes the state of a disabled profile profile to TEST and schedules it for a test run to confirm that it synchronizes successfully. After executing the manageSyncProfiles command with the testProfile operation, the results of the test are available in the following log file, where DOMAIN_HOME is the Oracle WebLogic Server domain home and ORACLE_WEBLOGIC_MANAGED_SERVER_NAME is the name of the managed server where Oracle Directory Integration Platform is deployed:

$DOMAIN_HOME/servers/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME/logs/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME.log

Note:

The testProfile operation cannot schedule profiles that are in ENABLE state for testing.

validateProfile

Validates the syntax of the values in the specified profile for correctness.

validateMapRules

Validates the map rules provided.

register

Creates a new profile in OID.

updatechgnum

Updates the last applied change number in the profile to latest.

associateProfile

Associates associateProfileName with profileName so that changes synchronized by one profile are not synchronized back by the other (information back flow).

dissociateProfile

Dissociates the associated profile from profileName.

getAllAssociatedProfiles

Lists all the profiles to which profile profileName is associated.

getAssociatedProfile

Displays the profile name associated with profile profileName.

list

Displays all profiles registered in OID.

Options

-h | -host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | -wlsuser

Oracle WebLogic Server login ID.

Note:

You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute a command from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.
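The scripted invocation this note permits, written out as an added example (it is not part of the Oracle documentation and not one of the DIP tools): the passwords go into a file only the current user can read, are fed to the tool on standard input in prompt order, and the file is removed afterwards. The same note applies to the other tools in this chapter, so the function covers both the single-password and the two-password case. run_with_passwords and fake_dip_tool are names chosen here; the host, port and profile values in the commented invocation are the placeholders used throughout this chapter, and CONDIR_PW and WLS_PW are assumed to be environment variables filled by your secrets store rather than hard-coded.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: run a DIP tool from a
# script without putting a password on the command line (where ps and shell
# history would expose it). Assumes a POSIX sh with mktemp(1).

# run_with_passwords PASSWORD... -- COMMAND [ARGS...]
# Passwords are listed in the order the tool prompts for them. For
# manageSyncProfiles and expressSyncSetup that is the connected directory bind
# DN password followed by the Oracle WebLogic Server login password; the other
# DIP tools prompt only for the WebLogic Server password.
run_with_passwords() {
    # umask 077 makes mktemp create the file with mode 0600 before anything is
    # written to it, so there is no window in which another user can read it.
    old_umask=$(umask)
    umask 077
    if ! pw_file=$(mktemp "${TMPDIR:-/tmp}/dip-pw.XXXXXX"); then
        umask "$old_umask"
        return 1
    fi
    umask "$old_umask"

    # Everything before -- is a password; write one per line, in prompt order.
    while [ $# -gt 0 ] && [ "$1" != -- ]; do
        printf '%s\n' "$1" >> "$pw_file"
        shift
    done
    if [ $# -eq 0 ]; then
        rm -f "$pw_file"
        echo "run_with_passwords: expected -- COMMAND after the passwords" >&2
        return 2
    fi
    shift

    # Run the tool with the password file as its standard input. The file is
    # overwritten and deleted whether or not the tool succeeds.
    rc=0
    "$@" < "$pw_file" || rc=$?
    : > "$pw_file"
    rm -f "$pw_file"
    return $rc
}

# Stand-in for a DIP tool so the pattern can be exercised without a WebLogic
# server: it "prompts" twice by reading two lines from standard input.
fake_dip_tool() {
    read -r condir_pw
    read -r wls_pw
    printf 'condir=%s wls=%s\n' "$condir_pw" "$wls_pw"
}

# Real invocation (not run here; CONDIR_PW and WLS_PW come from the environment):
#   run_with_passwords "$CONDIR_PW" "$WLS_PW" -- manageSyncProfiles register \
#       -h myhost.mycompany.com -p 7005 -D weblogic -f /opt/ldap/odip/iPlImport.profile
```

Because the file is created under umask 077 and deleted in the same function, its lifetime is one tool invocation; do not reuse the pattern with a long-lived password file, which is exactly what the note warns against.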

-ssl

Executes the command in SSL mode.

Note:

The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12.

-pf | -profile

The name of the synchronization profile to use when performing the operation.

-newpf | -newProfile

The name of the new profile that the copy operation creates as a copy of profile.

-assopf

The name of the profile to associate with profile.

-f | -file

The full path and file name of the profile properties file containing the properties. See the appendix in Example Properties File for Synchronization Profiles in Administering Oracle Directory Integration Platform for an example of such a file.

-params

A value of the form prop1 val1 prop2 val2 ..., where prop is the name of a profile property and val is its new value. This keyword is used only when modifying a profile. You can specify as many property-value pairs as required.

-conDirHost

Host where connected directory server is running.

-conDirPort

Port at which connected directory server listens.

-conDirBindDn

Connected directory server bind DN.

Examples:

  • Active Directory

    administrator@idm2003.net
    
  • Sun ONE or iPlanet

    cn=Directory Manager
    
  • Oracle Internet Directory

    cn=orcladmin
    

Note:

You are prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute manageSyncProfiles from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.

-mode

Synchronization direction of the map rules being validated: IMPORT or EXPORT.

-conDirType

Connected directory type. Supported values are ActiveDirectory, EDirectory, iPlanet, OpenLDAP, ADAM, Tivoli, ExchangeServer2003, and OID.

-conDirSSL

SSL mode used to connect to the connected directory server.

-prfSt | -profileStatus

Displays status for the profile. Used only with the list operation.

-help

Provides command usage help.

5.4 Synchronization Profile Bootstrap Utility

The Synchronization Profile Bootstrap utility, syncProfileBootstrap, performs the initial migration of data between a connected directory and Oracle Internet Directory for a synchronization profile.

5.4.1 syncProfileBootstrap

Learn about the syntax and the arguments of the syncProfileBootstrap utility, which performs the initial migration of data between a connected directory and Oracle Internet Directory.

Syntax

The syntax followed for using syncProfileBootstrap is as follows:

syncProfileBootstrap -h HOST -p PORT -D wlsuser {-file FILENAME | -profile
PROFILE_NAME} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE]
[-loadParallelism INTEGER] [-loadRetry INTEGER] [-help]

Arguments

The syncProfileBootstrap utility accepts the following arguments:

-h | -host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | -wlsuser

Oracle WebLogic Server login ID.

Note:

You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute syncProfileBootstrap from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.

-f | -file

Bootstrap properties file.

-pf | -profile

The name of the synchronization profile to use when performing the operation.

-ssl

Executes the command in SSL mode.

Note:

The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12.

-lp | -loadParallelism

Loads entries into Oracle Internet Directory in parallel using the given number of threads. For example, -loadParallelism 5 creates five threads, each loading entries into Oracle Internet Directory at the same time.

-lr | -loadRetry

The number of times a failed load of an entry to the destination is retried before the entry is marked as a bad entry.

-help

Provides command usage help.

5.5 Express Synchronization Setup Utility

Understand how to use the Express Synchronization Setup utility, expressSyncSetup, to create import and export synchronization profiles.

5.5.1 expressSyncSetup

Learn about the syntax and the arguments of the expressSyncSetup utility.

Syntax

The syntax followed for using expressSyncSetup is as follows:

expressSyncSetup -h HOST -p PORT -D wlsuser -pf PROFILE
-conDirType CONNECTED_DIRECTORY_TYPE -conDirUrl CONNECTED_DIRECTORY_URL
-conDirBindDN CONNECTED_DIRECTORY_BIND_DN -conDirContainer SYNC_CONTAINER
[-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-enableProfiles {true |
false}] [-help]

Arguments

The expressSyncSetup utility accepts the following arguments:

-h | -host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | -wlsuser

Oracle WebLogic Server login ID.

Note:

You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute expressSyncSetup from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to expressSyncSetup, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.

-pf | -profile

Profile name.

-conDirType

Connected directory type. Supported values are ActiveDirectory, EDirectory, iPlanet, OpenLDAP, ADAM, Tivoli, ExchangeServer2003, and OID.

-conDirUrl

URL where the connected directory is running. The format is host:port.

-conDirBindDN

Connected directory server bind DN. For example:

  • Active Directory: administrator@idm2003.net

  • Sun ONE or iPlanet: cn=Directory Manager

  • Oracle Internet Directory: cn=orcladmin

Note:

You are prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute expressSyncSetup from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to expressSyncSetup, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.

-conDirContainer

The synchronization container. For example:

ou=sales,dc=us,dc=com

OU=Groups,DC=imtest,DC=com

CN=Users,DC=imtest,DC=com

-ssl

Executes the command in SSL mode.

Note:

The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12.

-enableProfiles

Specify true to enable the created profiles immediately, or false to leave them disabled until you activate them.

-help

Provides command usage help.

5.6 Provisioning Profile Bulk Utility

The Provisioning Profile Bulk utility, provProfileBulkProv, performs initial migration of data from an LDIF file to Oracle Internet Directory for a provisioning profile.

5.6.1 provProfileBulkProv

Learn about the syntax and the arguments of the provProfileBulkProv utility.

Syntax

The syntax followed for using provProfileBulkProv is as follows:

provProfileBulkProv -h HOST -p PORT -D wlsuser -file LDIF_FILE -realm REALM_DN
[-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE]
[-encoding INPUT_ENCODING] [-help]

Arguments

The provProfileBulkProv utility accepts the following arguments:

-h | -host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | -wlsuser

Oracle WebLogic Server login ID.

Note:

You are prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute provProfileBulkProv from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.

-f | -file

LDIF file containing the data to be migrated.

-realm

The realm in which the users are to be provisioned.

-ssl

Executes the command in SSL mode.

Note:

The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12.

-encoding

Input file encoding.

-help

Provides command usage help.

5.7 Oracle Directory Integration Platform Status Utility

The dipStatus utility allows you to check the status of Oracle Directory Integration Platform and whether it is registered.

5.7.1 dipStatus

Learn about the syntax and the arguments of the dipStatus utility.

Syntax

The syntax followed for using dipStatus is as follows:

dipStatus -h HOST -p PORT -D wlsuser [-ssl -keystorePath PATH_TO_KEYSTORE
-keystoreType TYPE] [-help]

Arguments

The dipStatus utility accepts the following arguments:

-h | -host

Host name of the WebLogic server running the Managed Server where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | -wlsuser

WebLogic Server login ID.

Note:

You are prompted for the WebLogic server login password. You cannot provide the password as a command-line argument.

Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus from a script, you can redirect input from a file containing the WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.

-ssl

Executes the command in SSL mode.

Note:

The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12.

-help

Provides usage help for the command.

5.8 Schema Elements Synchronization Utility

The schemasync utility enables you to synchronize schema elements—namely attributes and object classes—between an Oracle Internet Directory server and a third-party LDAP directory.

5.8.1 schemasync

Learn about the syntax and the arguments of the schemasync utility, and about the related command-line tool.

Syntax

The syntax followed for using schemasync is as follows:

schemasync -srchost hostname -srcport port -srcdn bindDN [-srcpwd password] \
   -dsthost hostname -dstport port -dstdn bindDN [-dstpwd password] [-ldap]

Arguments

The schemasync utility accepts the following arguments:

-srchost hostname

Required. The host name of the source directory server.

-srcport port

Required. The LDAP listening port of the source directory server, for example 3060.

-srcdn bindDN

Required. The DN of the user used to bind to the source directory. This user must have permissions to modify the directory schema, for example the superuser (cn=orcladmin).

-srcpwd password

Optional. The password used to bind to the source directory. If you do not specify it on the command line, you are prompted for it. Best security practice is to provide the password in response to the prompt: a password given on the command line is visible to other users in process listings and is recorded in shell history.

-dsthost hostname

Required. The host name of the destination directory server.

-dstport port

Required. The LDAP listening port of the destination directory server, for example 3060.

-dstdn bindDN

Required. The DN of the user used to bind to the destination directory. This user must have permissions to modify the directory schema, for example the superuser (cn=orcladmin).

-dstpwd password

Optional. The password used to bind to the destination directory. If you do not specify it on the command line, you are prompted for it. As with -srcpwd, provide the password in response to the prompt rather than on the command line.

-ldap

Optional. If specified, then the schema changes are applied directly from the source LDAP directory to the destination LDAP directory. If it is not specified, then the schema changes are placed in the following LDIF files:

  • ORACLE_HOME/ldap/odi/data/attributetypes.ldif: This file has the new attribute definitions.

  • ORACLE_HOME/ldap/odi/data/objectclasses.ldif: This file has the new object class definitions.

If you do not specify -ldap, then you must use ldapmodify to upload the definitions from these two files, first attribute types and then object classes.
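As an added example (not from the Oracle documentation), the following shell functions carry out the two-step use of schemasync described in Comparing the Schema between two Oracle Internet Directory Servers and under -ldap above: stage the differences without -ldap, review them, then load them with ldapmodify, attribute types first. count_definitions, apply_schema_ldifs, write_sample_schema and record_ldapmodify are names chosen here. The sample LDIF is constructed and assumes schemasync writes standard attributetypes:/objectclasses: LDIF lines; the commented real invocation assumes ldapmodify accepts -f FILE plus whatever bind options your ldapmodify requires.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: stage schema changes with
# schemasync (no -ldap), review them, then apply them with ldapmodify in the
# documented order, attribute types before object classes, because object class
# definitions refer to attribute types that must already exist.

# count_definitions FILE
# Prints the number of schema definitions in an LDIF file (0 if the file is
# missing or empty), so a reviewer can see how much is about to change.
# Assumes the standard LDIF attribute names attributetypes/objectclasses.
count_definitions() {
    if [ ! -s "$1" ]; then
        echo 0
        return 0
    fi
    grep -i -c -E '^(attributetypes|objectclasses):' "$1" || :
}

# apply_schema_ldifs DATA_DIR LDAPMODIFY_COMMAND [OPTIONS...]
# Loads DATA_DIR/attributetypes.ldif and then DATA_DIR/objectclasses.ldif by
# running LDAPMODIFY_COMMAND with -f FILE appended. Stops at the first failure
# so object classes are never loaded without their attribute types.
apply_schema_ldifs() {
    data_dir=$1
    shift
    for name in attributetypes objectclasses; do
        file="$data_dir/$name.ldif"
        n=$(count_definitions "$file")
        if [ "$n" -eq 0 ]; then
            echo "apply_schema_ldifs: $file has no definitions, skipping" >&2
            continue
        fi
        echo "apply_schema_ldifs: loading $n definition(s) from $file" >&2
        if ! "$@" -f "$file"; then
            echo "apply_schema_ldifs: ldapmodify failed on $file, stopping" >&2
            return 1
        fi
    done
    return 0
}

# write_sample_schema DIR
# Writes a constructed pair of LDIF files in the shape schemasync stages (one
# attribute type and one object class that uses it) so the functions above can
# be exercised without a directory server. The OIDs are made up.
write_sample_schema() {
    cat > "$1/attributetypes.ldif" <<'EOF'
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
EOF
    cat > "$1/objectclasses.ldif" <<'EOF'
dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleClass' SUP top AUXILIARY MAY ( exampleAttr ) )
EOF
}

# record_ldapmodify: stand-in for ldapmodify that appends the name of each -f
# file it is given to $APPLY_LOG, so the load order can be checked offline.
record_ldapmodify() {
    while [ $# -gt 0 ]; do
        if [ "$1" = -f ]; then basename "$2" >> "$APPLY_LOG"; fi
        shift
    done
}

# Real workflow (not run here):
#   schemasync -srchost myhost1.mycompany.com -srcport 3060 -srcdn "cn=orcladmin" \
#       -dsthost myhost2.mycompany.com -dstport 3060 -dstdn "cn=orcladmin"
#   less "$ORACLE_HOME/ldap/odi/data/attributetypes.ldif"    # review before applying
#   less "$ORACLE_HOME/ldap/odi/data/objectclasses.ldif"
#   apply_schema_ldifs "$ORACLE_HOME/ldap/odi/data" \
#       ldapmodify -h myhost2.mycompany.com -p 3060 -D "cn=orcladmin"
```

apply_schema_ldifs stops at the first failed load on purpose: if the attribute types do not apply, the object classes that reference them would be rejected, and applying them regardless would leave the destination schema half updated.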

Related Command-Line Tools

For the command-line tool used to load the generated LDIF files, see ldapmodify.

5.9 Manage Provisioning Profiles Utility

Provisioning enables you to ensure that an application is notified of directory changes, such as changes to user or group information. Such changes can affect whether the application allows a user access to its processes and resources.

5.9.1 manageProvProfiles

Use the manageProvProfiles command to manage provisioning profiles.

When you install an application that you want to provision, you must create a provisioning integration profile using the manageProvProfiles command located in the ORACLE_HOME/bin directory.

The manageProvProfiles utility shields the location and schema details of the provisioning profile entries from the callers of the tool. From the callers' perspective, the combination of an application and a realm uniquely identify a provisioning profile. The constraint in the system is that there can be only one provisioning profile for each application for each realm.

Once a profile is created, its mode—that is, INBOUND, OUTBOUND, or BOTH—cannot be changed by using the modify operation. To change the mode, you must delete, then re-create, the profile.

The Oracle Directory Integration Platform server automatically monitors provisioning profile configuration changes in Oracle Unified Directory or Oracle Internet Directory, including the creation, modification, and deletion of provisioning profiles. For this reason, you do not need to manually enable or disable a provisioning profile.

Note:

For improved security, do not enter a password with the manageProvProfiles command unless prompted for one.

Syntax

The syntax for manageProvProfiles is as follows:

manageProvProfiles operation=[create|modify] ldap_host=backend_hostname ldap_port=port 
ldap_user_dn="bindDN"
[profile_mode=INBOUND|OUTBOUND|BOTH]
application_dn="DN" application_type=type [application_name=name] 
[application_display_name=display name] organization_dn=DN 
[application_isdasvisible=TRUE|FALSE] [manage_application_defaults=TRUE|FALSE] 
[enable_bootstrap=TRUE|FALSE] [user_data_location=DN] 
[default_provisioning_policy=PROVISIONING_REQUIRED|PROVISIONING_NOT_REQUIRED] 
interface_name=SCHEMA.PACKAGE [interface_type=PLSQL|JAVA] 
[interface_version=1.1|2.0|3.0] 
schedule=number_seconds lastchangenumber=number 
max_prov_failure_limit=number  
max_events_per_schedule=number max_events_per_invocation=number 
event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN" 
event_permitted_operations="OBJECT:DOMAIN:OPERATION(attributes,...)" 
event_subscription="USER|GROUP:DOMAIN:OPERATION(attributes,...)" 
max_retries=number profile_group=number
profile_status=ENABLED | DISABLED profile_debug=debug_level 

manageProvProfiles {operation=enable|disable|delete|status|reset} 
application_dn=DN [organization_dn=DN] [ldap_host=backend_hostname] [ldap_port=port]
[ldap_user_dn=bindDN] [profile_debug=debug_level]

Arguments

The manageProvProfiles utility accepts the following arguments:

operation=create | modify | enable | disable | delete | status | reset

Required. The operation that manageProvProfiles performs. You can perform only one operation at a time. The operations are:

  • create—Creates a new provisioning profile.

  • modify—Modifies the given properties of an existing provisioning profile.

  • enable—Enables a provisioning profile.

  • disable—Disables a provisioning profile.

  • delete—Deletes a provisioning profile.

  • status—Shows the current status of a given provisioning profile.

  • reset—Clears all errors for a provisioning profile.

ldap_host=backend_hostname

Optional. The host name of the Oracle Unified Directory or Oracle Internet Directory server. If not provided then the name of the local host is used.

ldap_port=port

Optional. The LDAP listening port of the back-end directory. The default port for Oracle Unified Directory or Oracle Internet Directory is 389.

ldap_user_dn=bindDN

Required. The DN of the superuser, or of a user that has sufficient permissions to perform provisioning subscription operations. The default value for Oracle Unified Directory is "cn=directory manager" and for Oracle Internet Directory is "cn=orcladmin".

profile_mode=OUTBOUND | INBOUND | BOTH

Optional for the create operation only. The direction of the provisioning events. The default is OUTBOUND (data is provisioned from Oracle Unified Directory or Oracle Internet Directory to the application).

application_dn=DN

Required. The distinguished name of the application to which the provisioning subscription belongs. The combination of the application DN and organization DN uniquely identifies a provisioning profile. For example, here is the application DN for Portal:

"orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext"

application_type=type

Required. The type of application being provisioned.

application_name=name

Optional. The name of the application being provisioned. If not provided, defaults to the distinguished name assigned to application_dn.

application_display_name=name

Optional. The display name of the application being provisioned. If not provided, defaults to the value assigned to application_name.

organization_dn=DN

Optional. If not provided, defaults to the default identity management realm. The distinguished name of the organization to which the provisioning subscription belongs, for example "dc=company,dc=com". The combination of the application DN and organization DN uniquely identifies a provisioning profile.

application_isdasvisible=TRUE | FALSE

Optional. Determines whether the application is visible as a provisioning-integrated application in the Oracle Internet Directory. The default value is TRUE.

Note:

This argument is for Oracle Delegated Administration Services 10g Releases (10.1.4.x).

manage_application_defaults=TRUE | FALSE

Optional. Determines whether the Oracle Internet Directory manages the application's default values. The default value is TRUE.

Note:

This argument is for Oracle Delegated Administration Services 10g Releases (10.1.4.x).

enable_bootstrap=TRUE | FALSE

Optional. Indicates whether the application should receive provisioning events for users that existed in Oracle Internet Directory before creating the application's provisioning integration profile. The default value is FALSE.

user_data_location=DN

Optional. Identifies the DN of the container in which to store application-specific user information.

default_provisioning_policy=PROVISIONING_REQUIRED | PROVISIONING_NOT_REQUIRED

Optional. Specifies the application's default provisioning policy. The default value is PROVISIONING_REQUIRED.

interface_name=SCHEMA.PACKAGE

Required for create or modify operations. The database schema name for the PLSQL package. The format of the value is schema.package_name, for example here is the schema and PLSQL package information for Portal:

interface_name=PORTAL.WWSEC_OID_SYNC

interface_version=1.1 | 2.0 | 3.0

The version of the interface protocol. Allowed values are 1.1, 2.0, or 3.0. The default value is 2.0.

Oracle Internet Directory supports versions 1.1, 2.0, and 3.0.

Oracle Unified Directory supports versions 2.0 and 3.0.

interface_type=PLSQL | JAVA

Optional. The type of interface to which events will be propagated. The default is PLSQL.

Note:

For JAVA type, only interface protocol version 3.0 is supported.

schedule=number_seconds

Optional for create and modify operations only. The number of seconds between executions of this profile. The default is 3600, which means the profile is scheduled to be executed every hour.

lastchangenumber=number

Optional for create and modify operations on OUTBOUND events only. The last change number in Oracle Internet Directory after which all qualifying events should be provisioned to the application. Defaults to the latest current change number.

max_prov_failure_limit=number

Optional. Determines the number of times the Oracle Provisioning System attempts to provision a user. The default is 1.

max_events_per_schedule=number

Optional for create and modify operations only. The maximum number of events that the Oracle Directory Integration Platform server sends to an application during one execution of a provisioning profile. The default is 100.

max_events_per_invocation=number

Optional for create and modify operations only. The maximum number of events that can be packaged and sent to a target in one invocation of the interface.

event_mapping_rules="OBJECT_TYPE:FILTER:DOMAIN"

Required for create and modify operations on INBOUND events only. This rule maps the object type received from the application (using an optional filter condition) to a domain in Oracle Internet Directory. A provisioning profile can have multiple mapping rules defined.

The following example shows two mapping rules. The first rule shows that an employee object (EMP) whose locality attribute equals America (l=AMERICA) should be mapped to the domain l=AMER,cn=users,dc=company,dc=com. The second rule shows that an employee object (EMP) should be mapped to the domain cn=users,dc=company,dc=com (no filter conditions).

event_mapping_rules="EMP:l=AMERICA:l=AMER,cn=users,dc=company,dc=com"
event_mapping_rules="EMP::cn=users,dc=company,dc=com"

event_permitted_operations="OBJECT:DOMAIN:OPERATION(attributes,...)"

Required for create and modify operations on INBOUND events only. This property is used to define the types of events that the application is allowed to send to the Oracle Directory Integration and Provisioning service. A provisioning profile can have multiple permitted operations defined.

For example, if you wanted to permit the application to send events whenever a user object was added or deleted, or when certain attributes were modified, you would have three permitted operations such as this:

event_permitted_operations="USER:dc=mycompany,dc=com:ADD(*)"
event_permitted_operations="USER:dc=mycompany,dc=com:MODIFY(cn,sn,mail,password)"
event_permitted_operations="USER:dc=mycompany,dc=com:DELETE(*)"

event_subscription="USER | GROUP:DOMAIN:OPERATION(attributes,...)"

Required for create and modify operations on OUTBOUND events only. This property is used to define the types of events that the Oracle Directory Integration and Provisioning service should send to the application. A provisioning profile can have multiple event subscriptions defined.

For example, if you wanted the directory integration server to send events to the application whenever a user or group object was added or deleted, you would have four event subscriptions such as this:

event_subscription="GROUP:dc=mycompany,dc=com:ADD(*)"
event_subscription="GROUP:dc=mycompany,dc=com:DELETE(*)"
event_subscription="USER:dc=mycompany,dc=com:ADD(*)"
event_subscription="USER:dc=mycompany,dc=com:DELETE(*)"
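The following is an added example, not Oracle's code, that serves both the event_permitted_operations and event_subscription arguments above: a small Python parser for the "OBJECT:DOMAIN:OPERATION(attributes,...)" rule format, plus a check that tells whether an inbound event for a given entry falls within a set of parsed rules. The DN comparison and the is_permitted helper are assumptions of this example, not behaviour documented for the utility.

```python
# Added example, not Oracle code: parse and evaluate manageProvProfiles rule
# strings "OBJECT:DOMAIN:OPERATION(attributes,...)" (event_permitted_operations,
# event_subscription). Domains are DNs containing commas, so ':' is the only
# safe separator and at most three fields are split off. DN matching below is
# a simplified case- and space-insensitive comparison (an assumption).
import re
from typing import NamedTuple

_OP_SPEC = re.compile(r"^([A-Z]+)\(([^()]*)\)$")

class EventRule(NamedTuple):
    object_type: str       # USER, GROUP, ...
    domain: str            # normalised DN
    operation: str         # ADD, MODIFY, DELETE, ...
    attributes: frozenset  # {"*"} means any attribute

def _norm_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_event_rule(rule: str) -> EventRule:
    """Parse one rule string; raise ValueError on a malformed rule."""
    parts = rule.strip().split(":", 2)
    if len(parts) != 3 or not all(p.strip() for p in parts):
        raise ValueError(f"expected OBJECT:DOMAIN:OPERATION(...), got {rule!r}")
    obj, domain, op_spec = parts
    m = _OP_SPEC.match(op_spec.strip())
    if not m:
        raise ValueError(f"malformed operation spec {op_spec!r} in {rule!r}")
    attrs = frozenset(a.strip().lower() for a in m.group(2).split(",") if a.strip())
    return EventRule(obj.strip().upper(), _norm_dn(domain), m.group(1), attrs)

def is_permitted(rules, object_type, entry_dn, operation, attributes=()):
    """True if a rule covers this object type and operation, for an entry at or
    under the rule's domain, with every named attribute covered (or '*')."""
    dn = _norm_dn(entry_dn)
    wanted = {a.lower() for a in attributes}
    for r in rules:
        if (r.object_type, r.operation) != (object_type.upper(), operation.upper()):
            continue
        if dn != r.domain and not dn.endswith("," + r.domain):
            continue
        if "*" in r.attributes or wanted <= r.attributes:
            return True
    return False

# Constructed sample: the three permitted operations shown on this page.
PERMITTED = [parse_event_rule(s) for s in (
    "USER:dc=mycompany,dc=com:ADD(*)",
    "USER:dc=mycompany,dc=com:MODIFY(cn,sn,mail,password)",
    "USER:dc=mycompany,dc=com:DELETE(*)",
)]
```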

max_retries=number

Optional for create and modify operations only. The number of times a failed event should be retried. The default is 5.

profile_group=number

Required for create and modify operations only. The group number of the profile. Default is "DEFAULT". This is required to address scalability issues when different Oracle Directory Integration Platform server instances will be used to execute different selected groups.

profile_status=ENABLED | DISABLED

Required for the create operation only. Determines whether the profile is enabled or disabled. The default is ENABLED.

profile_debug=debug_level

Required. The debug level for the profile.

Note:

For security reasons, the ldap_user_password and interface_connect_info arguments are no longer accepted on the command line.