This chapter describes how to enable, disable, and configure referential integrity in Oracle Internet Directory using Oracle Enterprise Manager Fusion Middleware Control and LDAP command-line utilities. It also describes how to detect and correct referential integrity violations.
This chapter includes the following sections:
Section 22.1, "Introduction to Configuring Referential Integrity"
Section 22.2, "Enabling Referential Integrity by Using Fusion Middleware Control"
Section 22.3, "Disabling Referential Integrity by Using Fusion Middleware Control"
Section 22.4, "Enabling Referential Integrity by Using the Command Line"
Section 22.5, "Configuring Specific Attributes for Referential Integrity by Using the Command Line"
Section 22.6, "Disabling Referential Integrity by Using the Command Line"
Section 22.7, "Detecting and Correcting Referential Integrity Violations"
Referential integrity is the process of maintaining consistent relationships among sets of data. If referential integrity is enabled in Oracle Internet Directory, whenever you update an entry in the directory, the server also updates other entries that refer to that entry. For example, if you remove a user's entry from the directory, and the user is a member of a group, the server also removes the user from the group. If referential integrity is not enabled, the user remains a member of the group until manually removed. Referential integrity is not enabled by default.
Note:
Disable referential integrity during the replication bootstrapping process. If referential integrity is enabled, bootstrapping fails.
Referential integrity takes effect in two situations:
Delete–When an entry is deleted, all the DN attributes that refer to this entry DN are removed.
Modify–When an entry's DN is modified (renamed), all the attributes that refer to this entry DN are modified.
Beginning with 11g Release 1 (11.1.1), the Oracle Internet Directory server can enforce referential integrity. For every LDAP add, modify, delete, and rename operation, the server monitors the request and updates the necessary DN references.
Two configuration parameters control referential integrity: orclRIenabled and orclRIattr.
The parameter orclRIenabled controls the referential integrity level. Values for orclRIenabled are:
0–Referential integrity is disabled.
1–Referential integrity is enabled for the member and uniquemember attributes only.
2–Referential integrity is enabled for the member and uniquemember attributes and for the list of DN syntax attributes specified in orclRIattr.
When orclRIenabled is set to 2, the value of the parameter orclRIattr takes effect. The value of orclRIattr is the list of attributes for which referential integrity is enabled.
If referential integrity is enabled, it is strictly enforced. For example, you cannot add a group entry whose member or uniquemember values refer to DNs that are not currently part of the DIT.
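As an added illustration (not code from the Oracle Internet Directory documentation or server), the following Python models the three orclRIenabled levels on a small constructed DIT. The Directory class is a stand-in for the DSA, reduced to the behaviour this section describes; the entry names, the assumption that manager is the attribute listed in orclRIattr, and the RIViolation exception are the example's own.

```python
"""In-memory model of what orclRIenabled makes the server do on delete,
rename and add. Added example, not Oracle Internet Directory code; the
Directory class stands in for the DSA and the entries are constructed.

  level 0: nothing is propagated, dangling references remain
  level 1: member and uniquemember are kept consistent
  level 2: also the DN-syntax attributes listed in orclRIattr (here: manager,
           an assumption of this example)
"""


class RIViolation(Exception):
    """A watched attribute would reference a DN that is not in the DIT."""


def norm_dn(dn):
    """Comparison form of a DN: lowercase, no blanks around the commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


class Directory:
    def __init__(self, orclRIenabled=0, orclRIattr=()):
        self.level = orclRIenabled
        self.ri_attr = tuple(a.lower() for a in orclRIattr)
        self.entries = {}  # normalized DN -> {attribute: [values]}

    def watched(self):
        """Attributes the current level keeps referentially consistent."""
        if self.level == 0:
            return set()
        attrs = {"member", "uniquemember"}
        if self.level == 2:
            attrs |= set(self.ri_attr)
        return attrs

    def add(self, dn, attrs):
        """Strict enforcement: every watched value must already exist."""
        attrs = {k.lower(): list(v) for k, v in attrs.items()}
        for attr in self.watched():
            for target in attrs.get(attr, []):
                if norm_dn(target) not in self.entries:
                    raise RIViolation(f"{attr}: {target} is not in the DIT")
        self.entries[norm_dn(dn)] = attrs

    def get(self, dn):
        return self.entries[norm_dn(dn)]

    def delete(self, dn):
        """Remove the entry and, at level 1 or 2, every watched reference to it.
        (The model leaves an emptied attribute as [], the server drops it.)"""
        key = norm_dn(dn)
        del self.entries[key]
        for attrs in self.entries.values():
            for attr in self.watched().intersection(attrs):
                attrs[attr] = [v for v in attrs[attr] if norm_dn(v) != key]

    def rename(self, old_dn, new_dn):
        """modrdn of a leaf entry: at level 1 or 2 every watched reference
        is rewritten to the new DN instead of being left dangling."""
        old = norm_dn(old_dn)
        self.entries[norm_dn(new_dn)] = self.entries.pop(old)
        for attrs in self.entries.values():
            for attr in self.watched().intersection(attrs):
                attrs[attr] = [new_dn if norm_dn(v) == old else v
                               for v in attrs[attr]]


USERS = "cn=users,dc=example,dc=com"
ADMINS = "cn=admins,cn=groups,dc=example,dc=com"


def demo(level, orclRIattr=("manager",)):
    """Delete bob and rename alice, then return (uniquemember of the admins
    group, manager of alice) so the effect of the level is visible."""
    d = Directory(level, orclRIattr)
    d.add(f"cn=bob,{USERS}", {"objectclass": ["person"]})
    d.add(f"cn=alice,{USERS}", {"objectclass": ["person"],
                                "manager": [f"cn=bob,{USERS}"]})
    d.add(ADMINS, {"objectclass": ["groupOfUniqueNames"],
                   "uniquemember": [f"cn=alice,{USERS}", f"cn=bob,{USERS}"]})
    d.delete(f"cn=bob,{USERS}")
    d.rename(f"cn=alice,{USERS}", f"cn=alice.smith,{USERS}")
    return d.get(ADMINS)["uniquemember"], d.get(f"cn=alice.smith,{USERS}")["manager"]


def add_rejected(level):
    """True if adding a group whose member is not in the DIT is refused."""
    try:
        Directory(level).add("cn=ghosts,cn=groups,dc=example,dc=com",
                             {"objectclass": ["groupOfNames"],
                              "member": ["cn=nobody,dc=example,dc=com"]})
    except RIViolation:
        return True
    return False


if __name__ == "__main__":
    for level in (0, 1, 2):
        group, manager = demo(level)
        print(f"orclRIenabled={level}: uniquemember={group} manager={manager} "
              f"unknown-member add rejected={add_rejected(level)}")
```

Running it shows that at level 0 the deleted user lingers both in the group and in the manager attribute, at level 1 only the group is cleaned up, and at level 2 both are; the add of a group pointing at a non-existent member is refused at levels 1 and 2 and silently accepted at level 0.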
To configure and enable referential integrity by using Oracle Enterprise Manager Fusion Middleware Control, perform the following steps:
Select Administration, then Shared Properties from the Oracle Internet Directory menu, then select General.
Select a value from the Referential Integrity list:
Enabled for GroupofNames and GroupofUniqueNames
Enabled for GroupofNames, GroupofUniqueNames, and configured DN attributes
Choose Apply.
To disable referential integrity by using Oracle Enterprise Manager Fusion Middleware Control, perform the following steps:
Select Administration, then Shared Properties from the Oracle Internet Directory menu, then select General.
Select Disabled from the Enable Referential Integrity list.
You enable referential integrity in the directory by using ldapmodify to change the value of the parameter orclRIenabled in the DSA Configuration entry:
cn=dsaconfig,cn=configsets,cn=oracle internet directory
You can set the value to either 1 or 2.
Setting a value of 1 enables referential integrity for GroupofNames and GroupofUniqueNames.
Setting a value of 2 for orclRIenabled enables referential integrity for GroupofNames and GroupofUniqueNames and for specific configured attributes. The next section describes configuring specific attributes.
For example, you would use a command line such as:
ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile
with an LDIF file such as:
dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
changetype: modify
replace: orclRIenabled
orclRIenabled: 2
Changes to orclRIenabled take effect immediately.
When orclRIenabled is set to 2, referential integrity is enabled for GroupofNames, GroupofUniqueNames, and for specific configured attributes.
You configure specific attributes for referential integrity by using catalog with the arguments rienable=TRUE, add=true, and attribute=name_of_attribute. This adds the attribute to orclRIattr, which contains the list of DN syntax attributes to which referential integrity applies. You remove an attribute from referential integrity by using catalog with the arguments rienable=TRUE, delete=true, and attribute=name_of_attribute. This removes the attribute from orclRIattr.
Notes:
You cannot change the value of orclRIattr by using ldapmodify. You must use the catalog command.
Remember that the ORACLE_INSTANCE environment variable must be set when you use catalog.
This example enables referential integrity for the attribute manager.
catalog connect="connect_str" add=true rienable="TRUE" attribute="manager"
This example disables referential integrity for the attribute manager.
catalog connect="connect_str" delete=true rienable="TRUE" attribute="manager"
To disable referential integrity in the directory, set the value of orclRIenabled to 0 in the DSA Configuration entry:
cn=dsaconfig,cn=configsets,cn=oracle internet directory
If there are existing violations in the DIT when you try to enable referential integrity, the operation fails with an error. You must run the oiddiag tool to find the violations, rectify them, and then enable referential integrity. The oiddiag tool has an option, OidDiagDC10, that reports all the referential integrity violations in LDIF format. That LDIF file can be used with the ldapmodify tool to fix all reported entries. The steps are as follows:
Run oiddiag with the option listdiags=true. The default output file is ORACLE_INSTANCE/diagnostics/logs/OID/tools/oiddiag.txt.
Edit the output file, oiddiag.txt, so that it contains only the line:
oracle.ldap.oiddiag.dc.OidDiagDC10
Run oiddiag with the option collect_sub=true.
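The following Python is an added example, not the oiddiag tool or its OidDiagDC10 report: it performs the same kind of check offline against a constructed LDIF export, listing every member, uniquemember or configured DN-syntax attribute value whose target entry is missing, and writes an ldapmodify-style modify LDIF that deletes just those values. The sample entries, the assumption that manager is the attribute listed in orclRIattr, and the layout of the fix file are the example's own.

```python
"""Offline check for referential integrity violations in an LDIF export.
Added example, not the oiddiag tool; OidDiagDC10 is what produces the real
report. The export below is constructed and 'manager' is assumed to be in
orclRIattr."""
from collections import defaultdict

LEVEL1_ATTRS = ("member", "uniquemember")
ORCLRIATTR = ("manager",)  # assumption: added with catalog ... add=true

# Constructed export: cn=bob was deleted while RI was off, so a group and a
# manager attribute still point at him. The third uniquemember differs from
# alice's DN only in case and spacing and must not be reported.
SAMPLE_LDIF = """\
dn: cn=alice,cn=users,dc=example,dc=com
objectclass: person
cn: alice
manager: cn=bob,cn=users,dc=example,dc=com

dn: cn=carol,cn=users,dc=example,dc=com
objectclass: person
cn: carol
manager: cn=alice,cn=users,dc=example,dc=com

dn: cn=admins,cn=groups,dc=example,dc=com
objectclass: groupOfUniqueNames
cn: admins
uniquemember: cn=alice,cn=users,dc=example,dc=com
uniquemember: cn=bob,cn=users,dc=example,dc=com
uniquemember: cn=Alice, cn=Users, dc=example, dc=com
"""


def norm_dn(dn):
    """Comparison form of a DN: lowercase, no blanks around the commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, {attr: [values]})]. Folded lines
    (leading space) are joined and '#' comments skipped; base64 '::' values
    are out of scope for this example."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def find_violations(entries, orclRIenabled, orclRIattr=ORCLRIATTR):
    """[(entry dn, attr, dangling value)] for the attributes the level covers."""
    if orclRIenabled == 0:
        return []
    watched = set(LEVEL1_ATTRS)
    if orclRIenabled == 2:
        watched |= {a.lower() for a in orclRIattr}
    existing = {norm_dn(dn) for dn, _ in entries}
    return [(dn, attr, value)
            for dn, attrs in entries
            for attr, values in attrs.items() if attr in watched
            for value in values if norm_dn(value) not in existing]


def fix_ldif(violations):
    """ldapmodify input that deletes only the dangling values, one modify
    record per entry, so intact values of the same attribute survive."""
    per_entry = defaultdict(list)
    for dn, attr, value in violations:
        per_entry[dn].append((attr, value))
    records = []
    for dn, pairs in per_entry.items():
        rec = [f"dn: {dn}", "changetype: modify"]
        for attr, value in pairs:
            rec += [f"delete: {attr}", f"{attr}: {value}", "-"]
        records.append("\n".join(rec))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for level in (0, 1, 2):
        print(f"orclRIenabled={level}: {len(find_violations(entries, level))} violation(s)")
    print(fix_ldif(find_violations(entries, 2)))
```

Run against the sample, level 1 reports only the stale uniquemember value, level 2 additionally reports alice's manager, and the generated file removes exactly those values. Review the output before feeding it to ldapmodify: a reported DN that is merely spelled differently from its target (the DN comparison here is only case and whitespace folding) should be corrected rather than deleted.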
See Also:
The oiddiag command reference in Oracle Fusion Middleware Reference for Oracle Identity Management.
The oiddiag usage message. Type:
oiddiag -help
Note:
On Windows, the filename of the oiddiag command is oiddiag.bat.