13 Managing Directory Entries in Oracle Internet Directory

You can manage Oracle Internet Directory entries by using Oracle Directory Services Manager or the LDAP command-line utilities.


13.1 Introduction to Managing Directory Entries

The primary function of most directories is to store information about users and return that information in response to requests. Applications that request information from the directory server are called clients of the server.

As administrator, you manage users, groups, and other types of entries by using Oracle Directory Services Manager or the command-line tools.

See Also:

Understanding the Concepts and Architecture of Oracle Internet Directory, for introductory information about entries, object classes, and attributes.

13.2 Managing Entries by Using Oracle Directory Services Manager

You display entries, including users and groups, by using the Data Browser in Oracle Directory Services Manager.

The current chapter focuses on users and other types of entries. Managing Dynamic and Static Groups in Oracle Internet Directory discusses groups and group entries in more detail.


13.2.1 Displaying Entries by Using Oracle Directory Services Manager

Entries of some object class types have generic icons in the data tree.

Other object entries are shown with a specific icon. For example:

Object Class          Icon

User                  User icon
Group                 Group icon
OrganizationalUnit    OrganizationalUnit icon
Organization          Organization icon
Domain                Domain icon
Country               Country icon
Generic               Generic icon

When an access control list (ACL) has been set on an entry, the icon changes; a small key appears to the right of the icon. For example:

Object Class          Icon with ACL

User                  User icon with a key
Group                 Group icon with a key

To display entries by using the Data Browser in Oracle Directory Services Manager:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.

  2. From the task selection bar, select Data Browser.

  3. If desired, expand items in the data tree in the left panel to view the entries in each subtree.

  4. If desired, mouse over each icon in the tool bar to read the icon's action.

  5. Select the Refresh the entry icon to refresh only the entry in the right pane. Select the Refresh subtree entries icon to refresh child entries of the selected entry.

  6. To limit the number of entries displayed in a subtree, select the entry at the root of the subtree, then click the Filter child entries icon and specify a filter, as follows:

    1. In the Max Results field, specify a number from 1 to 1000, indicating the maximum number of entries to return.

    2. From the list at the left end of the search criteria bar, select an attribute of the entries you want to view.

    3. From the list in the middle of the search criteria bar, select a filter.

    4. In the text box at the right end of the search criteria bar, type the value for the attribute you just selected. For example, if the attribute you selected was cn, you could type the particular common name you want to find.

    5. Click + to add this search criterion to the LDAP Query field.

    6. To view the LDAP filter you have selected, select Show LDAP filter.

    7. To further refine your search, use the list of conjunctions (AND, OR, NOT AND, and NOT OR) and the lists and text fields on the search criteria bar to add additional search criteria. Click + to add a search criterion to the LDAP Query field. Click X to delete a search criterion from the LDAP Query field.

  7. When you have finished configuring the search criteria, click OK. The child entries that match the filter are shown under the selected entry. The filter is applied for first level children only, not for the entire subtree. Click the Refresh icon to remove the filter.

13.2.2 Searching for Entries by Using Oracle Directory Services Manager

You can invoke simple and advanced search for entries using Oracle Directory Services Manager.

To search for a directory entry:

  1. Invoke Oracle Directory Services Manager as described in Invoking Oracle Directory Services Manager.

  2. From the task selection bar, choose Data Browser.

  3. To perform a simple keyword search, enter text in the field next to the Search icon to specify keywords to search for in the attributes cn, uid, sn, givenname, mail and initials.

  4. Click the Simple Search arrow to the right of the text field or press the Enter key. Search results, if any, are displayed below the data tree. Click the information icon to view information about this search. Click the Refresh the search results entries icon to refresh the results. Click the Close search result icon to dismiss the search.

  5. To perform a more complex search, click Advanced. The Search Dialog appears.

  6. In the Root of the Search field, enter the DN of the root of your search.

    For example, suppose you want to search for an employee who works in the Manufacturing division in the IMC organization in the Americas. The DN of the root of your search would be:

    ou=Manufacturing,ou=Americas,o=IMC,c=US
    

    You would therefore type that DN in the Root of the Search text box.

    You can also select the root of your search by browsing the data tree. To do this:

    1. Click Browse to the right of the Root of the Search field. The Select Distinguished Name (DN) Path: Tree View dialog box appears.

    2. Expand an item in the tree view to display its entries.

    3. Continue navigating to the entry that represents the level you want for the root of your search.

    4. Select that entry, then click OK. The DN for the root of your search appears in the Root of the Search text box in the right pane.

  7. In the Max Results (entries) box, type the maximum number of entries you want your search to retrieve. The default is 200. The directory server returns up to the number you set, to a maximum of 1000.

  8. In the Max Search Time (seconds) box, type the maximum number of seconds for the duration of your search. The value you enter here must be at least the default, 25. The directory server searches for the amount of time you specify, up to one hour.

  9. In the Search Depth list, select the level in the DIT to which you want to search.

    The options are:

    • Base: Retrieves a particular directory entry. Along with this search depth, you use the search criteria bar to select the attribute objectClass and the filter Present.

    • One Level: Limits your search to all entries beginning one level down from the root of your search.

    • Subtree: Searches entries within the entire subtree, including the root of your search. This is the default.

  10. Set search criteria.

    Optionally, select Show LDAP filter, then type a query string directly into the LDAP Query text field.

    Alternatively, use the lists and text fields on the search criteria bar to focus your search.

    1. From the list at the left end of the search criteria bar, select an attribute of the entry for which you want to search. Because not all attributes are used in every entry, be sure that the attribute you specify actually corresponds to one in the entry for which you are looking. Otherwise, the search fails.

    2. From the list in the middle of the search criteria bar, select a filter.

    3. In the text box at the right end of the search criteria bar, type the value for the attribute you just selected. For example, if the attribute you selected was cn, you could type the particular common name you want to find.

    4. Click + to add this search criterion to the LDAP Query field.

    5. To view the LDAP filter you have selected, select Show LDAP filter.

    6. To further refine your search, use the list of conjunctions (AND, OR, NOT AND, and NOT OR) and the lists and text fields on the search criteria bar to add additional search criteria. Click + to add a search criterion to the LDAP Query field. Click X to delete a search criterion from the LDAP Query field.

  11. Click Search. Search results, if any, are displayed below the data tree. If an LDAP error icon appears, mouse over it to see the error. Search again with different criteria, if necessary, to correct the error. Click the Search Filter icon to see information about the search. Click the Refresh the search result entries icon to refresh the results. You can delete the search results by clicking the Close search result icon.
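The criteria bar composes an LDAP filter from each attribute / filter / value row and the conjunction you choose; the same composition, written out so it can be checked or pasted into the LDAP Query field, is shown below. This is an added example, not ODSM's own code: the operator keys in OPERATORS are assumptions (the chapter names only Present and the four conjunctions), and the value escaping follows RFC 4515 so that text typed into the value box cannot change the structure of the filter.

```python
# Added example (not Oracle code): build the LDAP filter that the ODSM search
# criteria bar composes from attribute / filter / value rows, with the RFC 4515
# escaping a hand-written query in the LDAP Query field needs.
import re

# ASSUMPTION: these operator keys stand in for the bar's filter list; the
# chapter names only Present (used with objectClass for a Base search).
OPERATORS = {
    "equals": "({a}={v})",
    "begins with": "({a}={v}*)",
    "ends with": "({a}=*{v})",
    "contains": "({a}=*{v}*)",
    "present": "({a}=*)",
    ">=": "({a}>={v})",
    "<=": "({a}<={v})",
}
# Wrappers for the bar's conjunction list.
CONJUNCTIONS = {"AND": "(&{f})", "OR": "(|{f})",
                "NOT AND": "(!(&{f}))", "NOT OR": "(!(|{f}))"}
# AttributeDescription = type [;option]*, e.g. cn or cn;lang-fr (RFC 4512).
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")

def escape_value(value):
    """Escape an assertion value per RFC 4515: '*', '(', ')', '\\' and NUL
    become \\XX, so a typed value cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def criterion(attr, op, value=""):
    """Render one row of the criteria bar as a single filter item."""
    if not ATTR_RE.match(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    if op not in OPERATORS:
        raise ValueError(f"unknown filter: {op!r}")
    if op != "present" and value == "":
        raise ValueError("a value is required for this filter")
    return OPERATORS[op].format(a=attr, v=escape_value(value))

def combine(conjunction, items):
    """Join rendered criteria with AND, OR, NOT AND or NOT OR.
    A single item joined with AND or OR needs no wrapper."""
    if not items:
        raise ValueError("no search criteria")
    if len(items) == 1 and conjunction in ("AND", "OR"):
        return items[0]
    return CONJUNCTIONS[conjunction].format(f="".join(items))

if __name__ == "__main__":
    # French common names beginning with R (as in the ldapsearch example
    # later in the chapter), restricted to person entries.
    print(combine("AND", [criterion("cn;lang-fr", "begins with", "R"),
                          criterion("objectclass", "equals", "person")]))
    # A Base search: objectClass with the Present filter.
    print(criterion("objectclass", "present"))
    # A literal '*' in the value is matched as a character, not a wildcard.
    print(criterion("cn", "equals", "a*b"))
```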

See Also:

Viewing Active Server Instance Information by Using WLST Command oid_instanceStatus(), for instructions on setting the number of entries to display in searches and the time limit for searches.

13.2.3 Importing Entries from an LDIF File by Using Oracle Directory Services Manager

You can import entries from an LDIF file using Oracle Directory Services Manager.

To import entries from an LDIF file:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. Click the Data Browser tab.
  3. Click the Import LDIF icon. The Import File dialog appears.
  4. Enter the path to the LDIF file you want to import, or click Browse and navigate to the file, then click Open in the browser window.
  5. Click OK in the Import File dialog. The LDIF Import Progress window shows the progress of the operation. Expand View Import Progress Table to see detailed progress.

    Click Cancel to stop importing entries. Entries already imported remain in the directory.

    The Data Browser tree refreshes to show the new entries.

13.2.4 Exporting Entries to an LDIF File by Using Oracle Directory Services Manager

You can export entries to an LDIF file by using Oracle Directory Services Manager.

To export entries to an LDIF file:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. Click the Data Browser tab.
  3. Navigate to the top level DN of the subtree you want to export.
  4. Click the Export LDIF icon. The Export File dialog appears. Select Export Operational Attributes if you want to export them.
  5. Click OK. The Download LDIF File dialog appears. By default, the entries are exported to a temporary file on the machine where Oracle Directory Services Manager is deployed. If you want to save a copy of the LDIF file to your computer, click Click here to open the LDIF file and save the file.

    Click OK.

13.2.5 Viewing Attributes for a Specific Entry by Using Oracle Directory Services Manager

You can view attributes for a specific entry by using Oracle Directory Services Manager.

To view the attributes for a specific entry:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. Locate the entry by navigating to it in the data tree or by searching for it, as described in Searching for Entries by Using Oracle Directory Services Manager.
  3. Click the entry. Attributes for that entry are displayed in the right pane. The display for the entry has at least three tabs: Attributes, Subtree Access, and Local Access. If the entry is a person, the display in the right pane also has a Person tab, which displays basic user information. If the entry is a group, the display screen has a Group tab, which displays basic group information.
  4. To view the attributes of an entry, click the Attributes tab.
  5. You can switch between Managed Attributes and Show All by using the Views list.
  6. To change the list of attributes shown as managed attributes, click the icon under Optional Attributes. Select attributes you want to move from the All Attributes list to the Shown Attributes list and use the Move and Move All arrows to move them. Select attributes you want to move from the Shown Attributes list to the All Attributes list and use the Remove and Remove All arrows to move them. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.

For information on using the Subtree Access and Local Access tabs to view access control settings, see Adding or Modifying an ACP by Using the Data Browser in ODSM.

13.2.6 Adding a New Entry by Using Oracle Directory Services Manager

To add or delete entries with Oracle Directory Services Manager, you must have write access to the parent entry and you must know the DN to use for the new entry.

Note:

When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.

To add a group entry, follow the procedure described in Managing Group Entries by Using Oracle Directory Services Manager.

To add an entry other than a group entry type:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. From the task selection bar, select Data Browser.
  3. On the toolbar, select the Create a new entry icon. Alternatively, right click any entry and choose Create.

    The Create New Entry wizard appears.

  4. Specify the object classes for the new entry. Click the Add icon and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, select it and then click OK. (All the superclasses from this object class through top are also added.)
  5. In the Parent of the entry field, you can specify the full DN of the parent entry of the entry you are creating. You can also click Browse to locate and select the DN of the parent for the entry you want to add. If you leave the Parent of the entry field blank, the entry is created under the root entry.
  6. Click Next.
  7. Choose the attribute whose value will be the Relative Distinguished Name (RDN) for this entry and enter a value for that attribute. You must also enter values for all attributes that are required by the object class you are using, even if none of them is the RDN value. For example, for object class inetorgperson, the attributes cn (common name) and sn (surname or last name) are required, even if neither of them is the RDN value.
  8. Click Next. The next page of the wizard appears. (Alternatively, you can click Back to return to the previous page.)
  9. Click Finish.

13.2.7 Deleting an Entry or Subtree by Using Oracle Directory Services Manager

You can delete an entry or subtree by using Oracle Directory Services Manager.

To delete an entry, including an entire subtree:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. From the task selection bar, select Data Browser.
  3. Navigate to the entry you want to delete.
  4. To delete only the entry, click the Delete icon. When the Delete dialog appears, click Yes. If the entry has no subentries, deletion succeeds. If the entry has subentries, the deletion fails and ODSM displays an error message. Click OK to dismiss the error message.

    To delete an entire subtree, click the icon labelled Delete the selected entry and its subtree. When the Delete Subtree dialog appears, read the contents of the dialog. Click Yes to proceed with the deletion or No to abort.

    Note:

    Before you delete an entire subtree with a large number of entries, configure the undo tablespace size so that it has sufficient space for the delete operation.

    For more information, see Managing Undo in Oracle Database Administrator's Guide.

13.2.8 Adding an Entry by Copying an Existing Entry in Oracle Directory Services Manager

You can use Oracle Directory Services Manager to create a new entry by copying from an existing entry and changing its DN. When you do this, you should also change the attributes, such as name and address, so that they correspond with the new DN.

To add an entry, you must have write access to its parent.

Tip:

You can find a template for the new DN by looking up other similar entries in the search pane.

To add a group entry, follow the procedure described in Managing Group Entries by Using Oracle Directory Services Manager.

To add an entry (other than a group entry type) by copying an existing entry:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.

  2. From the task selection bar, select Data Browser.

  3. In the data tree, navigate to the entry you want to use as a template. Alternatively, click Advanced Search, and use it to search for an entry that you want to use as a template.

  4. In the left panel, click the Create a new entry like this one icon. Alternatively, click the entry you want to use as a template, right click, and choose Create Like. A New Entry: Create Like wizard appears. The object classes and the DN of the parent entry are already filled in.

  5. To add an object class:

    1. Click the Attributes tab.

    2. Click the Add icon next to objectclass and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, click it and then click OK.

  6. To delete an object class:

    1. Click the Attributes tab.

    2. Select the object class you want to delete.

    3. Click the Delete icon next to objectclass. The Delete Object Class dialog lists the attributes that will be deleted with that class.

    4. Click Delete to proceed.

  7. Specify the DN of the parent entry, either by changing the content in the text box or by using the Browse button to locate a different DN.

  8. Click Next. The next page of the wizard appears.

  9. Choose the attribute whose value will be the Relative Distinguished Name (RDN) for this entry and enter a value for that attribute. You must also enter values for all attributes that are required by the object class you are using, even if none of them is the RDN value. For example, for object class inetorgperson, the attributes cn (common name) and sn (surname or last name) are required, even if neither of them is the RDN value.

  10. Click Next.

  11. Click Finish.

13.2.9 Modifying an Entry by Using Oracle Directory Services Manager

You can add auxiliary object classes to an existing entry.

Note:

When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.

To modify a group entry, follow the procedure described in Managing Group Entries by Using Oracle Directory Services Manager. For other entry types, proceed as follows:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.

  2. From the task selection bar, select Data Browser.

  3. Navigate to an entry in the data tree. Alternatively, perform a search for the entry you want to modify as described in Searching for Entries by Using Oracle Directory Services Manager. In the search result in the left pane, select the entry you want to modify.

  4. To edit the RDN, select the Edit RDN icon above the Data Tree. Alternatively, you can select the entry in the Data Tree, right click, and select Edit RDN.

    Specify the new RDN value. For a multivalued RDN you can use the Delete Old RDN checkbox to specify whether the old RDN should be deleted. Select OK to save the change or Cancel to abandon the change.

  5. To add an object class:

    1. Click the Attributes tab.

    2. Click the Add icon next to objectclass and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, click it and then click OK.

  6. To delete an object class:

    1. Click the Attributes tab.

    2. Select the object class you want to delete.

    3. Click the Delete icon next to objectclass. The Delete Object Class dialog lists the attributes that will be deleted with that class.

    4. Click Delete to proceed or Cancel to cancel the deletion.

  7. If the entry is a person, click the Person tab and use it to manage basic user attributes. Click Apply to save your changes or Revert to discard them.

    If the entry is a group, see Managing Group Entries by Using Oracle Directory Services Manager.

  8. If this is a person entry, you can upload a photograph. Click Browse, navigate to the photograph, then click Open. To update the photograph, click Update and follow the same procedure. Click the Delete icon to delete the photograph.

  9. To modify the values of attributes that are not specific to a person or group, click the Attributes tab in the right pane and make the desired changes.

    By default, only non-empty attributes are shown. You can switch between Managed Attributes and Show All by using the Views list.

  10. To change the list of attributes shown as managed attributes, click the icon under Optional Attributes. Select attributes you want to move from the All Attributes list to the Shown Attributes list and use the Move and Move All arrows to move them. Select attributes you want to move from the Shown Attributes list to the All Attributes list and use the Remove and Remove All arrows to move them. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.

  11. Specify values for the optional properties. You can also modify the values of the mandatory properties. For multivalued attributes, you can use the Add and Delete icons to add and delete multiple values.

  12. When you have completed all your changes, click Apply to make them take effect. Alternatively, click Revert to abandon your changes.

  13. You can set an access control point (ACP) on this entry by using the Subtree Access and Local Access tabs. The procedures are described in Adding or Modifying an ACP by Using the Data Browser in ODSM and Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM.

13.3 Managing Entries by Using LDAP Command-Line Tools

You can manage entries by using the LDAP command-line tools.


13.3.1 Listing All the Attributes in the Directory by Using ldapsearch

The ldapsearch command lists the attributes in the directory.

Use the following command line to list all the attributes, including those that do not have values:

ldapsearch -p port -h host -D "cn=orcladmin" -q -b "cn=subschemasubentry" \
           -s base "objectclass=*" 

13.3.2 Listing Operational Attributes by Using ldapsearch

By default, ldapsearch does not return operational attributes. If you add the character "+" to the list of attributes in the search request, however, ldapsearch returns all operational attributes.

Searching for an entry with "+" returns only operational attributes. For example:

$ ldapsearch -h example.com -p 3060 -D cn=orcladmin -w password -b "c=uk" -L -s base "(objectclass=*)" +
dn: c=UK
orclguid: 8EB5730F5852DECBE040E80A7452694E
creatorsname: cn=orcladmin
createtimestamp: 20100826065339z
modifytimestamp: 20100826065339z
modifiersname: cn=orcladmin
orclnormdn: c=uk

By comparison, a search with "*" but not "+" returns all user attributes:

$ ldapsearch -h example.com -p 3060 -D cn=orcladmin -w password -b "c=uk" -L -s base "(objectclass=*)"
dn: c=UK
c: uk
objectclass: top
objectclass: country

13.3.3 Changing the Attribute Case in ldapsearch Output

In the output from the ldapsearch command, the attribute names are shown in lower case if the attribute orclReqattrCase in the instance-specific configuration entry is 0. If orclReqattrCase is set to 1, the attribute names in the output are shown in the same case in which they were entered on the command line.

Example:

ldapsearch -h localhost -p 3060 -b "dc=oracle,dc=com" -s base -L "objectclass=*" DC

If orclReqattrCase is 0 the output looks like this:

dn: dc=oracle,dc=com
dc: oracle

If orclReqattrCase is 1, the output looks like this:

dn: dc=oracle,dc=com
DC: oracle

If an attribute is specified more than once on the same command line, the attribute names in the output will match the case of the first attribute specification.

13.3.4 Adding a User Entry by Using ldapadd

The ldapadd command adds a user entry.

The following example shows how to add an entry for an employee named John.

Use ldapadd as follows:

ldapadd -p port_number -h host -D cn=orcladmin -b -q -f entry.ldif

where entry.ldif looks like this:

dn: cn=john, c=us
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: john
cn;lang-fr: Jean
cn;lang-en-us: John
sn: Doe
jpegPhoto: /photo/john.jpg
userpassword: password

This file contains the cn, sn, jpegPhoto, and userpassword attributes.

For the cn attribute, it specifies two options: cn;lang-fr, and cn;lang-en-us. These options return the common name in either French or American English.

For the jpegPhoto attribute, it specifies the path and file name of the corresponding JPEG image you want to include as an entry attribute.

Note:

  • When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.

  • Do not insert a tilde (~) in a user name.

13.3.5 Modifying a User Entry by Using ldapmodify

The ldapmodify command modifies a user entry.

The following example changes the password for a user to a new value. As in the previous example, the data for this user entry is in the entry.ldif file. This file contains the following:

dn: cn=audrey,c=us
changetype: modify
replace: userpassword
userpassword: password

Substitute the new password for password in the file.

Issue this command to apply the change in the file to the entry:

ldapmodify -p 3060 -D "cn=orcladmin" -q -v -f entry.ldif

where -v specifies verbose mode.

Note:

When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.

13.3.6 Adding an Attribute Option by Using ldapmodify

The ldapmodify command is also used to add an attribute option to an entry.

The following example adds the Spanish form of the common name to the entry for John. The data for this modification is in the entry.ldif file. This file contains the following:

dn: cn=john,c=us
changetype: modify
add: cn;lang-sp
cn;lang-sp: Juan

Issue this command to apply the change in the file to the entry:

ldapmodify -D "cn=orcladmin" -q -p 3060 -v -f entry.ldif

13.3.7 Deleting an Attribute Option by Using ldapmodify

You can delete an attribute option by using the ldapmodify command.

The following example deletes the cn;lang-fr attribute option from the entry for John. As in the previous example, assume that the data for this modification is in the entry.ldif file. This file contains the following:

dn: cn=john, c=us
changetype: modify
delete: cn;lang-fr
cn;lang-fr: Jean

Issue this command to apply the change in the file to the entry:

ldapmodify -D "cn=orcladmin" -q -p 3060 -v -f entry.ldif

13.3.8 Searching for Entries with Attribute Options by Using ldapsearch

You can use ldapsearch to search for entries with attribute options.

The following example retrieves entries whose common name (cn) attribute carries a language code option. This particular example retrieves entries in which the French common name begins with the letter R.

ldapsearch -D "cn=orcladmin" -q -p 3060 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"

Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following example fails:

ldapsearch -D "cn=orcladmin" -q -p 3060 -h myhost -b "c=us" \
           -s sub "cn;lang-it=Giovanni"
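Because the server does not verify attribute syntax on add or modify (see the notes in the preceding sections), it is worth checking an LDIF file on the client before handing it to ldapadd. The following Python is an added example, not Oracle's code: it parses add records such as the entry for John, splits attribute options such as cn;lang-fr from the base attribute, applies the rules this chapter states (cn and sn required for inetOrgPerson, no tilde in a user name), flags a cleartext userpassword in the file, and emulates the attribute-option search above against the parsed entries. The SAMPLE_LDIF entries and the REQUIRED table are constructed here, and the emulated search matches only values carrying exactly the requested options.

```python
# Added example (not Oracle code): client-side checks on an LDIF add file,
# since the directory server does not verify attribute syntax on add.
import re
# MUST attributes the chapter names for inetOrgPerson; extend as needed.
REQUIRED = {"inetorgperson": {"cn", "sn"}}

def parse_ldif(text):
    """Parse LDIF add records into [{"dn": str, "attrs": [(base, opts, value)]}];
    'cn;lang-fr: Jean' becomes ('cn', ['lang-fr'], 'Jean'). Attribute names are
    lower-cased, values are not. ASSUMPTION: no '::' base64-encoded values."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # RFC 2849 line folding
            else:
                lines.append(raw)
        entry = {"dn": "", "attrs": []}
        for line in lines:
            desc, _, value = line.partition(":")
            base, *opts = desc.strip().lower().split(";")
            if base == "dn":
                entry["dn"] = value.strip()
            else:
                entry["attrs"].append((base, opts, value.strip()))
        entries.append(entry)
    return entries

def check_entry(entry):
    """Return findings for one parsed add record (empty list means clean)."""
    findings = []
    attrs = entry["attrs"]
    classes = {v.lower() for b, _, v in attrs if b == "objectclass"}
    # ASSUMPTION (conservative): only an option-less value such as 'cn: john',
    # not 'cn;lang-fr: Jean', satisfies a required attribute.
    plain = {b for b, opts, _ in attrs if not opts}
    for oc in sorted(classes):
        for must in sorted(REQUIRED.get(oc, ())):
            if must not in plain:
                findings.append(f"{entry['dn']}: {oc} requires {must}")
    # The chapter's rule: do not insert a tilde in a user name (cn or uid).
    for b, _, v in attrs:
        if b in ("cn", "uid") and "~" in v:
            findings.append(f"{entry['dn']}: tilde in user name {v!r}")
    # A userpassword in an LDIF file sits in cleartext on disk: flag it.
    if any(b == "userpassword" for b, _, _ in attrs):
        findings.append(f"{entry['dn']}: cleartext userpassword in file")
    return findings

def search_option(entries, attr_desc, pattern):
    """Emulate 'ldapsearch ... "cn;lang-fr=R*"': only values carrying exactly
    the requested options match; '*' is the sole wildcard and case is ignored
    (cn uses a caseIgnore matching rule)."""
    want_base, *want_opts = attr_desc.lower().split(";")
    regex = re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$",
                       re.IGNORECASE)
    return [e["dn"] for e in entries
            if any(b == want_base and opts == want_opts and regex.match(v)
                   for b, opts, v in e["attrs"])]

# Constructed sample: the chapter's entry for John plus a deliberately bad one.
SAMPLE_LDIF = """\
dn: cn=john, c=us
objectclass: top
objectclass: inetOrgPerson
cn: john
cn;lang-fr: Jean
cn;lang-en-us: John
sn: Doe
userpassword: password

dn: cn=ann~lee,c=us
objectclass: top
objectclass: inetOrgPerson
cn: ann~lee
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for entry in entries:
        print(entry["dn"], check_entry(entry) or "OK")
    print(search_option(entries, "cn;lang-fr", "J*"))  # ['cn=john, c=us']
```

A search for cn;lang-it against the same entries returns nothing, which is the failing case described above.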

See Also:

Attribute Options.

You can use the -X or -B options to ldapsearch to print binary values.

See Also:

The ldapsearch command reference in Reference for Oracle Identity Management.