This chapter describes how to manage Oracle Internet Directory directory entries using Oracle Directory Services Manager and LDAP command-line utilities.
This chapter includes the following sections:
Section 13.2, "Managing Entries by Using Oracle Directory Services Manager"
Section 13.3, "Managing Entries by Using LDAP Command-Line Tools"
The primary function of most directories is to store information about users and return that information in response to requests. Applications that request information from the directory server are called clients of the server.
As administrator, you manage users, groups, and other types of entries by using Oracle Directory Services manager or the command-line tools.
See Also:
Chapter 3, "Understanding Oracle Internet Directory Concepts and Architecture," for introductory information about entries, object classes, and attributes.
You display entries, including users and groups, by using the Data Browser in Oracle Directory Services Manager.
The current chapter focuses on users and other types of entries. Chapter 14, "Managing Dynamic and Static Groups" discusses groups and group entries in more detail.
This section contains these topics:
Section 13.2.1, "Displaying Entries by Using Oracle Directory Services Manager"
Section 13.2.2, "Searching for Entries by Using Oracle Directory Services Manager"
Section 13.2.3, "Importing Entries from an LDIF File by Using Oracle Directory Services Manager"
Section 13.2.4, "Exporting Entries to an LDIF File by Using Oracle Directory Services Manager"
Section 13.2.5, "Viewing Attributes for a Specific Entry by Using Oracle Directory Services Manager"
Section 13.2.6, "Adding a New Entry by Using Oracle Directory Services Manager"
Section 13.2.7, "Deleting an Entry or Subtree by Using Oracle Directory Services Manager"
Section 13.2.8, "Adding an Entry by Copying an Existing Entry in Oracle Directory Services Manager"
Section 13.2.9, "Modifying an Entry by Using Oracle Directory Services Manager"
See Also:
Section 30.2.4, "Adding or Modifying an ACP by Using the Data Browser in ODSM"
Section 30.2.5, "Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM"
for information on setting or modifying access control on an entry.
To display entries by using the Data Browser in Oracle Directory Services Manager proceed as follows:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
From the task selection bar, select Data Browser.
If desired, expand items in the data tree in the left panel to view the entries in each subtree.
Entries of some object class types have generic icons in the data tree. Others are shown with a specific icon: User, Group, OrganizationalUnit, Organization, Domain, and Country entries each have an icon of their own, and entries of any other object class use the Generic icon. (The icon images themselves are not reproduced here.)
When an access control list (ACL) has been set on an entry, the icon changes: a small key appears to the right of the icon. The User and Group icons, for example, each gain the key when an ACL is set on the entry.
If desired, mouse over each icon in the tool bar to read the icon's action.
Select the Refresh the entry icon to refresh only the entry in the right pane. Select the Refresh subtree entries icon to refresh child entries of the selected entry.
To limit the number of entries displayed in a subtree, select the entry at the root of the subtree, then click the Filter child entries icon and specify a filter, as follows:
In the Max Results field, specify a number from 1 to 1000, indicating the maximum number of entries to return.
From the list at the left end of the search criteria bar, select an attribute of the entries you want to view.
From the list in the middle of the search criteria bar, select a filter.
In the text box at the right end of the search criteria bar, type the value for the attribute you just selected. For example, if the attribute you selected was cn, you could type the particular common name you want to find.
Click + to add this search criterion to the LDAP Query field.
To view the LDAP filter you have selected, select Show LDAP filter.
To further refine your search, use the list of conjunctions (AND, OR, NOT AND, and NOT OR) and the lists and text fields on the search criteria bar to add additional search criteria. Click + to add a search criterion to the LDAP Query field. Click X to delete a search criterion from the LDAP Query field.
When you have finished configuring the search criteria, click OK. The child entries that match the filter are shown under the selected entry. The filter is applied for first level children only, not for the entire subtree. Click the Refresh icon to remove the filter.
To search for a directory entry:
Invoke Oracle Directory Services Manager as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
From the task selection bar, choose Data Browser.
To perform a simple keyword search, enter text in the field next to the Search icon to specify keywords to search for in the attributes cn, uid, sn, givenname, mail and initials.
Click the Simple Search arrow to the right of the text field or press the Enter key. Search results, if any, are displayed below the data tree. Click the information icon to view information about this search. Click the Refresh the search results entries icon to refresh the results. Click the Close search result icon to dismiss the search.
To perform a more complex search, click Advanced. The Search Dialog appears.
In the Root of the Search field, enter the DN of the root of your search.
For example, suppose you want to search for an employee who works in the Manufacturing division in the IMC organization in the Americas. The DN of the root of your search would be:
ou=Manufacturing,ou=Americas,o=IMC,c=US
You would therefore type that DN in the Root of the Search text box.
You can also select the root of your search by browsing the data tree. To do this:
Click Browse to the right of the Root of the Search field. The Select Distinguished Name (DN) Path: Tree View dialog box appears.
Expand an item in the tree view to display its entries.
Continue navigating to the entry that represents the level you want for the root of your search.
Select that entry, then click OK. The DN for the root of your search appears in the Root of the Search text box in the right pane.
In the Max Results (entries) box, type the maximum number of entries you want your search to retrieve. The default is 200. The directory server honors the value you set, up to a limit of 1000.
In the Max Search Time (seconds) box, type the maximum number of seconds the search may run. The value must be at least the default, 25. The directory server searches for the time you specify, up to one hour.
In the Search Depth list, select the level in the DIT to which you want to search.
The options are:
Base: Retrieves a particular directory entry. Along with this search depth, you use the search criteria bar to select the attribute objectClass and the filter Present.
One Level: Limits your search to all entries beginning one level down from the root of your search.
Subtree: Searches entries within the entire subtree, including the root of your search. This is the default.
Set search criteria.
Optionally, select Show LDAP filter, then type a query string directly into the LDAP Query text field.
Alternatively, use the lists and text fields on the search criteria bar to focus your search.
From the list at the left end of the search criteria bar, select an attribute of the entry for which you want to search. Because not all attributes are used in every entry, be sure that the attribute you specify actually corresponds to one in the entry for which you are looking. Otherwise, the search fails.
From the list in the middle of the search criteria bar, select a filter.
In the text box at the right end of the search criteria bar, type the value for the attribute you just selected. For example, if the attribute you selected was cn, you could type the particular common name you want to find.
Click + to add this search criterion to the LDAP Query field.
To view the LDAP filter you have selected, select Show LDAP filter.
To further refine your search, use the list of conjunctions (AND, OR, NOT AND, and NOT OR) and the lists and text fields on the search criteria bar to add additional search criteria. Click + to add a search criterion to the LDAP Query field. Click X to delete a search criterion from the LDAP Query field.
Click Search. Search results, if any, are displayed below the data tree. If an LDAP error icon appears, mouse over it to see the error. Search again with different criteria, if necessary, to correct the error. Click the Search Filter icon to see information about the search. Click the Refresh the search result entries icon to refresh the results. You can delete the search results by clicking the Close search result icon.
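The search criteria bar assembles an LDAP filter from the attribute, operator, value and conjunction you pick. The following added example, which is not part of Oracle Directory Services Manager, performs the same assembly in Python for use with ldapsearch or any LDAP client, escaping the value as RFC 4515 requires so that characters such as * or ( typed into the value box are matched literally instead of altering the filter. The operator names, the conjunction names, and the reading of NOT AND and NOT OR as negation of the whole group are assumptions made for this example, not ODSM identifiers.

```python
"""Assemble LDAP search filters the way the ODSM criteria bar does.

Added example, not ODSM code. Operator names, conjunction names and the
reading of "NOT AND"/"NOT OR" as negation of the whole group are assumptions.
"""


def escape_filter_value(value):
    """Escape a raw value for use inside an LDAP filter (RFC 4515 section 3).

    '*', '(', ')', '\\' and NUL become a backslash plus two hex digits, so a
    value typed by a user can never add a wildcard or close a parenthesis.
    """
    return ''.join(
        '\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value
    )


def criterion(attribute, operator, value=''):
    """Build one (attribute op value) item from a row of the criteria bar.

    attribute may carry an option, e.g. 'cn;lang-fr'. Only the operator and
    the attribute description are trusted; the value is always escaped.
    """
    v = escape_filter_value(value)
    templates = {
        'equals': '({a}={v})',
        'begins_with': '({a}={v}*)',
        'ends_with': '({a}=*{v})',
        'contains': '({a}=*{v}*)',
        'present': '({a}=*)',
    }
    if operator not in templates:
        raise ValueError('unknown operator: %s' % operator)
    return templates[operator].format(a=attribute, v=v)


def combine(conjunction, items):
    """Join criteria with one of the conjunctions the dialog offers.

    AND and OR map to the LDAP '&' and '|' filter lists. NOT AND and NOT OR are
    assumed to negate the whole list with '!' (assumption for this example).
    A single item under AND/OR is returned as is.
    """
    if not items:
        raise ValueError('no criteria')
    body = ''.join(items)
    if conjunction == 'AND':
        return items[0] if len(items) == 1 else '(&%s)' % body
    if conjunction == 'OR':
        return items[0] if len(items) == 1 else '(|%s)' % body
    if conjunction == 'NOT AND':
        return '(!(&%s))' % body
    if conjunction == 'NOT OR':
        return '(!(|%s))' % body
    raise ValueError('unknown conjunction: %s' % conjunction)


if __name__ == '__main__':
    # Base search for a single entry: objectClass Present, as the text says.
    print(criterion('objectClass', 'present'))           # (objectClass=*)
    # French common names starting with R (the search in section 13.3.8).
    print(criterion('cn;lang-fr', 'begins_with', 'R'))   # (cn;lang-fr=R*)
    # inetOrgPerson entries whose cn begins with R, outside Manufacturing.
    print(combine('AND', [
        criterion('objectclass', 'equals', 'inetOrgPerson'),
        criterion('cn', 'begins_with', 'R'),
        combine('NOT OR', [criterion('ou', 'equals', 'Manufacturing')]),
    ]))
    # A hostile value typed into the value box is neutralised by escaping.
    print(criterion('cn', 'equals', '*)(uid=*'))  # (cn=\2a\29\28uid=\2a)
```

The last call shows why escaping matters: without it the value *)(uid=* would turn a search for one common name into (cn=*)(uid=*), matching every entry that has a uid, which is the LDAP filter injection pattern a client built by string concatenation is exposed to.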
See Also:
Section 8.3.6, "Viewing Active Server Instance Information by Using opmnctl," for instructions on setting the number of entries to display in searches and the time limit for searches.
You can import entries from an LDIF file, as follows:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
Click the Data Browser tab.
Click the Import LDIF icon. The Import File dialog appears.
Enter the path to the LDIF file you want to import, or click Browse and navigate to the file, then click Open in the browser window.
Click OK in the Import File dialog. The LDIF Import Progress window shows the progress of the operation. Expand View Import Progress Table to see detailed progress.
Click Cancel to stop importing entries. Entries already imported are not rolled back.
The Data Browser tree refreshes to show the new entries. Because the directory server does not verify the syntax of attribute values, check the LDIF file before you import it; whatever it contains is stored as is.
You can export entries to an LDIF file, as follows:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
Click the Data Browser tab.
Navigate to the top level DN of the subtree you want to export.
Click the Export LDIF icon. The Export File dialog appears. Select Export Operational Attributes if you want to export them.
Click OK. The Download LDIF File dialog appears. By default, the entries are exported to a temporary file on the machine where Oracle Directory Services Manager is deployed. If you want to save a copy of the LDIF file to your computer, click the Click here to open the LDIF file link and save the file. Treat the exported file as sensitive: it contains every attribute of the subtree that the bound user is allowed to read, including operational attributes if you selected them.
Click OK.
You can view the attributes for a specific entry as follows:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
Locate the entry by navigating to it in the data tree or by searching for it, as described in Section 13.2.2, "Searching for Entries by Using Oracle Directory Services Manager."
Click the entry. Attributes for that entry are displayed in the right pane. The display for the entry has at least three tabs: Attributes, Subtree Access, and Local Access. If the entry is a person, the display in the right pane also has a Person tab, which displays basic user information. If the entry is a group, the display screen has a Group tab, which displays basic group information.
To view the attributes of an entry, click the Attributes tab.
You can switch between Managed Attributes and Show All by using the Views list.
To change the list of attributes shown as managed attributes, click the icon under Optional Attributes. Select attributes you want to move from the All Attributes list to the Shown Attributes list and use the Move and Move All arrows to move them. Select attributes you want to move from the Shown Attributes list back to the All Attributes list and use the Remove and Remove All arrows to move them. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.
For information on using the Subtree Access and Local Access tabs to view access control settings, see Section 30.2.4, "Adding or Modifying an ACP by Using the Data Browser in ODSM."
To add or delete entries with Oracle Directory Services Manager, you must have write access to the parent entry and you must know the DN to use for the new entry.
Note:
When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry. Malformed values are stored as entered, so validate them before you submit them.
To add a group entry, follow the procedure described in Section 14.2, "Managing Group Entries by Using Oracle Directory Services Manager." For other entry types, proceed as follows:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
From the task selection bar, select Data Browser.
On the toolbar, select the Create a new entry icon. Alternatively, right click any entry and choose Create.
The Create New Entry wizard appears.
Specify the object classes for the new entry. Click the Add icon and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, select it and then click OK. (All the superclasses from this object class through top are also added.)
Note:
You must assign user entries to the inetOrgPerson object class in order for the entries to appear in the Oracle Internet Directory Self-Service Console in Oracle Delegated Administration Services.
In the Parent of the entry field, you can specify the full DN of the parent entry of the entry you are creating. You can also click Browse to locate and select the DN of the parent for the entry you want to add. If you leave the Parent of the entry field blank, the entry is created under the root entry.
Click Next.
Choose an attribute which will be the Relative Distinguished Name value for this entry and enter a value for that attribute. You must enter values for attributes that are required for the object class you are using, even if none of them is the RDN value. For example, for object class inetorgperson, attributes cn (common name) and sn (surname or last name) are required, even if neither of them is the Relative Distinguished Name value.
Click Next. The next page of the wizard appears. (Alternatively, you can click Back to return to the previous page.)
Click Finish.
To manage optional attributes, navigate to the entry you have just created in the Data Tree.
If the entry is a person, click the Person tab and use it to manage basic user attributes. Click Apply to save your changes or Revert to discard them.
If the entry is a group, see Section 14.2, "Managing Group Entries by Using Oracle Directory Services Manager."
If this is a person entry, you can upload a photograph. Click Browse, navigate to the photograph, then click Open. To update the photograph, click Update and follow the same procedure. Click the Delete icon to delete the photograph.
To manage object classes, as well as attributes that are not specific to a person or group entry, click the Attributes tab.
To add an object class:
Click the Attributes tab.
Click the Add icon next to objectclass and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, click it and then click OK.
To delete an object class,
Click the Attributes tab.
Select the object class you want to delete.
Click the Delete icon next to objectclass. The Delete Object Class dialog lists the attributes that will be deleted with that class.
Click Delete to proceed.
By default, only non-empty attributes are shown. You can switch between Managed Attributes and Show All by using the Views list.
To change the list of attributes shown as managed attributes, click the icon under Optional Attributes. Select attributes you want to move from the All Attributes list to the Shown Attributes list and use the Move and Move All arrows to move them. Select attributes you want to move from the Shown Attributes list back to the All Attributes list and use the Remove and Remove All arrows to move them. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.
Specify values for the optional properties. You can also modify the values of the mandatory properties. For multivalued attributes, you can use the Add and Delete icons to add and delete multiple values.
Click Apply to save your changes or Revert to discard them.
For information on using the Subtree Access and Local Access tabs to set access control, see Section 30.2.4, "Adding or Modifying an ACP by Using the Data Browser in ODSM."
You can delete an entry, including an entire subtree, as follows:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
From the task selection bar, select Data Browser.
Navigate to the entry you want to delete.
To delete only the entry, click the Delete icon. When the Delete dialog appears, click Yes. If the entry has no subentries, deletion succeeds. If the entry has subentries, the deletion fails and ODSM displays an error message. Click OK to dismiss the error message.
To delete an entire subtree, click the icon labelled Delete the selected entry and its subtree. When the Delete Subtree dialog appears, read the contents of the dialog. Click Yes to proceed with the deletion or No to abort.
Note:
Before you delete an entire subtree with a large number of entries, configure the undo tablespace size so that it has sufficient space for the delete operation. For more information, see the "Managing Undo" chapter in the Oracle Database Administrator's Guide.
You can use Oracle Directory Services Manager to create a new entry by copying from an existing entry and changing its DN. When you do this, you should also change the attributes, such as name and address, so that they correspond with the new DN. To add an entry, you must have write access to its parent.
Tip:
You can find a template for the new DN by looking up other similar entries in the search pane.
To add a group entry, follow the procedure described in Section 14.2, "Managing Group Entries by Using Oracle Directory Services Manager." For other entry types, proceed as follows:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
From the task selection bar, select Data Browser.
In the data tree, navigate to the entry you want to use as a template. Alternatively, click Advanced Search, and use it to search for an entry that you want to use as a template.
In the left panel, click the Create a new entry like this one icon. Alternatively, click the entry you want to use as a template, right click, and choose Create Like. A New Entry: Create Like wizard appears. The object classes and the DN of the parent entry are already filled in.
To add an object class:
Click the Attributes tab.
Click the Add icon next to objectclass and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, click it and then click OK.
To delete an object class,
Click the Attributes tab.
Select the object class you want to delete.
Click the Delete icon next to objectclass. The Delete Object Class dialog lists the attributes that will be deleted with that class.
Click Delete to proceed.
Specify the DN of the parent entry, either by changing the content in the text box or by using the Browse button to locate a different DN.
Click Next. The next page of the wizard appears.
Choose an attribute which will be the Relative Distinguished Name value for this entry and enter a value for that attribute. You must enter values for attributes that are required for the object class you are using, even if none of them is the RDN value. For example, for object class inetorgperson, attributes cn (common name) and sn (surname or last name) are required, even if neither of them is the Relative Distinguished Name value.
Click Next.
Click Finish.
To manage optional attributes, navigate to the entry you have just created in the Data Tree, then proceed to Step 11 in Section 13.2.6, "Adding a New Entry by Using Oracle Directory Services Manager."
You can add auxiliary object classes to an existing entry.
Note:
When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.
To modify a group entry, follow the procedure described in Section 14.2, "Managing Group Entries by Using Oracle Directory Services Manager." For other entry types, proceed as follows:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Section 7.4.5, "Invoking Oracle Directory Services Manager."
From the task selection bar, select Data Browser.
Navigate to an entry in the data tree. Alternatively, perform a search for the entry you want to modify as described in Section 13.2.2, "Searching for Entries by Using Oracle Directory Services Manager." In the search result in the left pane, select the entry you want to modify.
To edit the RDN, select the Edit RDN icon above the Data Tree. Alternatively, you can select the entry in the Data Tree, right click, and select Edit RDN.
Specify the new RDN value. For a multivalued RDN you can use the Delete Old RDN checkbox to specify whether the old RDN should be deleted. Select OK to save the change or Cancel to abandon the change.
To add an object class:
Click the Attributes tab.
Click the Add icon next to objectclass and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, click it and then click OK.
To delete an object class,
Click the Attributes tab.
Select the object class you want to delete.
Click the Delete icon next to objectclass. The Delete Object Class dialog lists the attributes that will be deleted with that class.
Click Delete to proceed or Cancel to cancel the deletion.
If the entry is a person, click the Person tab and use it to manage basic user attributes. Click Apply to save your changes or Revert to discard them.
If the entry is a group, see Section 14.2, "Managing Group Entries by Using Oracle Directory Services Manager."
If this is a person entry, you can upload a photograph. Click Browse, navigate to the photograph, then click Open. To update the photograph, click Update and follow the same procedure. Click the Delete icon to delete the photograph.
To modify the values of attributes that are not specific to a person or group, click the Attributes tab in the right pane and make the desired changes.
By default, only non-empty attributes are shown. You can switch between Managed Attributes and Show All by using the Views list.
To change the list of attributes shown as managed attributes, click the icon under Optional Attributes. Select attributes you want to move from the All Attributes list to the Shown Attributes list and use the Move and Move All arrows to move them. Select attributes you want to move from the Shown Attributes list back to the All Attributes list and use the Remove and Remove All arrows to move them. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.
Specify values for the optional properties. You can also modify the values of the mandatory properties. For multivalued attributes, you can use the Add and Delete icons to add and delete multiple values.
When you have completed all your changes, click Apply to make them take effect. Alternatively, click Revert to abandon your changes.
You can set an access control point (ACP) on this entry by using the Subtree Access and Local Access tabs. The procedures are described in Section 30.2.4, "Adding or Modifying an ACP by Using the Data Browser in ODSM" and Section 30.2.5, "Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM."
This section contains the following topics:
Section 13.3.1, "Listing All the Attributes in the Directory by Using ldapsearch"
Section 13.3.2, "Listing Operational Attributes by Using ldapsearch"
Section 13.3.5, "Modifying a User Entry by Using ldapmodify"
Section 13.3.6, "Adding an Attribute Option by Using ldapmodify"
Section 13.3.7, "Deleting an Attribute Option by Using ldapmodify"
Section 13.3.8, "Searching for Entries with Attribute Options by Using ldapsearch"
Use the following command line to list all the attributes defined in the directory schema, including those for which no entry holds a value:
ldapsearch -p port -h host -D "cn=orcladmin" -q -b "cn=subschemasubentry" -s base "objectclass=*"
The -q option prompts for the bind password rather than taking it on the command line. Reading the schema subentry does not normally need superuser rights; bind as cn=orcladmin only for tasks that require it.
By default, ldapsearch does not return operational attributes. If you add the character "+" to the list of requested attributes, ldapsearch also returns the operational attributes. Requesting "+" on its own returns only the operational attributes; request both "*" and "+" to get user and operational attributes together. For example:
$ ldapsearch -h adc2190517 -p 3060 -D cn=orcladmin -q -b "c=uk" -L -s base "(objectclass=*)" +
dn: c=UK
orclguid: 8EB5730F5852DECBE040E80A7452694E
creatorsname: cn=orcladmin
createtimestamp: 20100826065339z
modifytimestamp: 20100826065339z
modifiersname: cn=orcladmin
orclnormdn: c=uk
By comparison, a search with "*" but not "+" returns all user attributes:
$ ldapsearch -h adc2190517 -p 3060 -D cn=orcladmin -q -b "c=uk" -L -s base "(objectclass=*)"
dn: c=UK
c: uk
objectclass: top
objectclass: country
These commands use -q to prompt for the bind password. Passing it on the command line with -w instead, as in -w welcome, leaves it in the shell history and makes it visible in the process list to every user on the host.
In the output from the ldapsearch command, the attribute names are shown in lower case if the attribute orclReqattrCase in the instance-specific configuration entry is 0. If orclReqattrCase is set to 1, the attribute names in the output are shown in the same case in which they were entered on the command line.
Example:
ldapsearch -h localhost -p 389 -b "dc=oracle,dc=com" -s base -L "objectclass=*" DC
If orclReqattrCase is 0, the output looks like this:
dn: dc=oracle,dc=com
dc: oracle
If orclReqattrCase is 1, the output looks like this:
dn: dc=oracle,dc=com
DC: oracle
If an attribute is specified more than once on the same command line, the attribute names in the output match the case of the first specification. Scripts that parse ldapsearch output should therefore compare attribute names case-insensitively rather than depend on this setting.
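The output format above (LDIF as printed by ldapsearch -L, with attribute-name case depending on orclReqattrCase and operational attributes mixed in when "+" is requested) is what any script built on these tools has to consume. The following added example, which is not Oracle code, parses that output into dictionaries with lower-cased attribute descriptions, decodes base64 values, joins continuation lines, and separates user attributes from operational ones. The sample records are constructed from the c=uk and dc=oracle,dc=com output shown in this section, and OPERATIONAL is an assumed subset of the server's operational attributes, sufficient for the demonstration.

```python
"""Parse ldapsearch -L (LDIF) output into dictionaries, folding attribute
names to lower case so a script behaves the same under either orclReqattrCase.

Added example, not Oracle code. The sample records below are constructed from
the c=uk and dc=oracle,dc=com output shown in this section; OPERATIONAL is an
assumed subset of the server's operational attributes, enough for the demo.
"""
import base64

# Operational attributes that appear in the "+" example above. A real script
# would take the list from the schema instead of hard-coding it.
OPERATIONAL = {'creatorsname', 'createtimestamp', 'modifiersname',
               'modifytimestamp', 'orclguid', 'orclnormdn'}


def unfold(text):
    """Join continuation lines (a line starting with a single space continues
    the previous one, RFC 2849) and drop comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith('#'):
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one dict per record: {'dn': [...], 'cn;lang-fr': [...], ...}.

    Attribute descriptions (including ;options) are lower-cased. 'name:: x'
    values are base64-decoded, 'name:< url' values keep the URL string.
    """
    records, current = [], {}
    for line in unfold(text) + ['']:       # trailing '' flushes the last record
        if line == '':
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(':')
        if not sep:
            raise ValueError('not an LDIF line: %r' % line)
        if rest.startswith(':'):
            value = base64.b64decode(rest[1:].strip()).decode('utf-8')
        elif rest.startswith('<'):
            value = rest[1:].strip()
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return records


def split_attributes(record):
    """Separate user attributes from operational ones (dn is left out).
    The option part of a description (cn;lang-fr) does not change the class."""
    user, operational = {}, {}
    for name, values in record.items():
        if name == 'dn':
            continue
        base = name.split(';', 1)[0]
        (operational if base in OPERATIONAL else user)[name] = values
    return user, operational


# Constructed sample: c=uk as returned when only "+" is requested, with one
# value folded across two lines as LDIF allows.
SAMPLE_PLUS = """\
dn: c=UK
orclguid: 8EB5730F5852DECBE040E80A7452694E
creatorsname: cn=orcladmin
createtimestamp: 2010082606
 5339z
modifytimestamp: 20100826065339z
modifiersname: cn=orcladmin
orclnormdn: c=uk
"""

# Constructed samples: the DC query under orclReqattrCase 0 and 1.
SAMPLE_CASE0 = "dn: dc=oracle,dc=com\ndc: oracle\n"
SAMPLE_CASE1 = "dn: dc=oracle,dc=com\nDC: oracle\n"

# Constructed sample with a non-ASCII value, which LDIF carries as base64.
SAMPLE_B64 = "dn: cn=john,c=us\ncn: john\ncn;lang-fr:: SmVhbi1SZW7DqQ==\n"


if __name__ == '__main__':
    # Same parse result whichever case the server printed the names in.
    assert parse_ldif(SAMPLE_CASE0) == parse_ldif(SAMPLE_CASE1)
    user, operational = split_attributes(parse_ldif(SAMPLE_PLUS)[0])
    print(sorted(operational))                       # six operational names
    print(parse_ldif(SAMPLE_B64)[0]['cn;lang-fr'])   # ['Jean-René']
```

Folding the names is the whole point: a comparison such as record['dc'] works for both orclReqattrCase settings, where a script written against one setting would silently get no value under the other.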
The following example shows how to add an entry for an employee named John.
Use ldapadd as follows:
ldapadd -p port_number -h host -D cn=orcladmin -b -q -f entry.ldif
The -b option tells ldapadd that an attribute value beginning with a forward slash, such as the jpegPhoto value below, is the path of a file whose contents are to be loaded as the value; -q prompts for the bind password.
where entry.ldif looks like this:
dn: cn=john, c=us
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: john
cn;lang-fr: Jean
cn;lang-en-us: John
sn: Doe
jpegPhoto: /photo/john.jpg
userpassword: password
This file contains the cn, sn, jpegPhoto, and userpassword attributes.
For the cn attribute, it specifies two options: cn;lang-fr and cn;lang-en-us. These options return the common name in either French or American English.
For the jpegPhoto attribute, it specifies the path and file name of the corresponding JPEG image you want to include as an entry attribute.
Notes:
When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.
Do not insert a tilde (~) in a user name.
The LDIF file holds the user's initial password in clear text. Create it with permissions that only you can read and delete it once the entry has been added, and connect to an SSL-enabled port so the password does not cross the network in clear.
The following example changes the password for a user to a new value. As in the previous example, the data for this user entry is in the entry.ldif file. This file contains the following:
dn: cn=audrey,c=us
changetype: modify
replace: userpassword
userpassword: password
Substitute the new password for password in the file.
Issue this command to apply the change in the file to the directory:
ldapmodify -p 3060 -D "cn=orcladmin" -q -v -f entry.ldif
where -v specifies verbose mode. The same precautions as for ldapadd apply: the file contains the new password in clear text, so restrict access to it and remove it after the change.
Note:
When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.
The following entry adds the Spanish equivalent of an entry for John. The data for this user entry is in the entry.ldif file. This file contains the following:
dn: cn=john,c=us
changetype: modify
add: cn;lang-sp
cn;lang-sp: Juan
Issue this command to apply the change in the file to the directory:
ldapmodify -D "cn=orcladmin" -q -p 3060 -v -f entry.ldif
Note that the registered language tag for Spanish is es, not sp; if clients select values by language tag, use cn;lang-es.
The following example deletes the cn;lang-fr attribute option from the entry for John. As in the previous example, assume that the data for this user entry is in the entry.ldif file. This file contains the following:
dn: cn=john, c=us
changetype: modify
delete: cn;lang-fr
cn;lang-fr: Jean
Issue this command to apply the change in the file to the directory:
ldapmodify -D "cn=orcladmin" -q -p 3060 -v -f entry.ldif
The following example retrieves entries with common name (cn) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.
ldapsearch -D "cn=orcladmin" -q -p 3060 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"
Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following search returns no matching entry:
ldapsearch -D "cn=orcladmin" -q -p 3060 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"
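Sections 13.3.3 through 13.3.7 all hand the tools an LDIF file, and the server stores whatever the file says. The following added example, which is not Oracle code, does on the client what the server does not: it checks an entry for the required attributes of its object classes, the syntax of lang- attribute options and the no-tilde rule, then serialises it as an LDIF add record (the John entry) or a changetype: modify record (the password replacement and the attribute-option add and delete). Values that LDIF cannot carry in clear are base64-encoded with the :: form, as RFC 2849 requires. REQUIRED is an assumption limited to the object classes used in this section (sn and cn are the MUST attributes of person in RFC 4519, inherited by organizationalPerson and inetOrgPerson); a real tool would read the schema from cn=subschemasubentry. LANG_OPTION checks only the syntax of a language tag, so lang-sp passes it even though the registered tag for Spanish is es.

```python
"""Validate an entry on the client and serialise it as LDIF for ldapadd or
ldapmodify, the way the examples in sections 13.3.3 to 13.3.7 use the tools.

Added example, not Oracle code. REQUIRED is an assumption limited to the
object classes used here (sn and cn are the MUST attributes of person in
RFC 4519, inherited by organizationalPerson and inetOrgPerson); a real tool
would read the schema from cn=subschemasubentry. LANG_OPTION checks only the
syntax of a language tag (RFC 3066), not that the tag is registered.
"""
import base64
import re

REQUIRED = {
    'top': {'objectclass'},
    'person': {'sn', 'cn'},
    'organizationalperson': set(),
    'inetorgperson': set(),
}

# lang-<primary 1..8 letters>(-<subtag 1..8 alphanumerics>)*  (assumed regexp)
LANG_OPTION = re.compile(r'^lang-[a-z]{1,8}(-[a-z0-9]{1,8})*$')


def split_description(desc):
    """'cn;lang-fr' -> ('cn', ['lang-fr']); descriptions are case-insensitive."""
    base, *options = desc.lower().split(';')
    return base, options


def validate_entry(entry):
    """Return a list of problems; an empty list means the entry is acceptable.

    The directory server stores values without checking their syntax, so this
    is the last point at which malformed input can be rejected.
    """
    problems = []
    present = {split_description(k)[0] for k in entry}
    for cls in {c.lower() for c in entry.get('objectclass', [])}:
        for req in sorted(REQUIRED.get(cls, set()) - present):
            problems.append('%s requires attribute %s' % (cls, req))
    for desc, values in entry.items():
        base, options = split_description(desc)
        for opt in options:
            if not LANG_OPTION.match(opt):
                problems.append('%s: option %r is not a lang- tag' % (desc, opt))
        if not values:
            problems.append('%s: no value' % desc)
        if base in ('cn', 'uid') and any('~' in v for v in values):
            problems.append('%s: tilde (~) is not allowed in a user name' % desc)
    return problems


def ldif_value(name, value):
    """Render 'name: value', or 'name:: base64' when the value is not a
    SAFE-STRING (RFC 2849): non-ASCII, CR/LF, or a leading space, ':' or '<'."""
    safe = (value.isascii() and '\n' not in value and '\r' not in value
            and not value.startswith((' ', ':', '<')))
    if safe:
        return '%s: %s' % (name, value)
    return '%s:: %s' % (name, base64.b64encode(value.encode('utf-8')).decode())


def add_record(dn, entry):
    """LDIF record for ldapadd; raises if validation fails."""
    problems = validate_entry(entry)
    if problems:
        raise ValueError('; '.join(problems))
    lines = [ldif_value('dn', dn)]
    for name, values in entry.items():
        lines.extend(ldif_value(name, v) for v in values)
    return '\n'.join(lines) + '\n'


def modify_record(dn, changes):
    """LDIF 'changetype: modify' record. changes is a list of
    (op, description, values) with op in add/replace/delete; an empty value
    list under delete removes the whole attribute (or attribute option)."""
    lines = [ldif_value('dn', dn), 'changetype: modify']
    for op, name, values in changes:
        if op not in ('add', 'replace', 'delete'):
            raise ValueError('bad modify op: %s' % op)
        lines.append('%s: %s' % (op, name))
        lines.extend(ldif_value(name, v) for v in values)
        lines.append('-')
    return '\n'.join(lines) + '\n'


# John's entry from section 13.3.3; userpassword is a placeholder, as there.
JOHN = {
    'objectclass': ['top', 'person', 'organizationalPerson', 'inetOrgPerson'],
    'cn': ['john'], 'cn;lang-fr': ['Jean'], 'cn;lang-en-us': ['John'],
    'sn': ['Doe'], 'userpassword': ['password'],
}

if __name__ == '__main__':
    print(add_record('cn=john,c=us', JOHN))
    print(modify_record('cn=audrey,c=us',
                        [('replace', 'userpassword', ['N3wPass'])]))
    print(modify_record('cn=john,c=us', [('add', 'cn;lang-es', ['Juan']),
                                          ('delete', 'cn;lang-fr', ['Jean'])]))
```

Write the returned text to the file you pass with -f, with permissions restricted to your own account, since it carries the password in clear; the '-' separators between modifications are the RFC 2849 form and let several changes travel in one record.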
See Also:
Section 3.4.6, "Attribute Options."
You can use the -X or -B options to ldapsearch to print binary values.
See Also:
The ldapsearch command reference in Oracle Fusion Middleware Reference for Oracle Identity Management.