Managing System Configuration Attributes

9 Managing System Configuration Attributes

This chapter describes the configuration attributes that control the Oracle Internet Directory LDAP server and how to manage these attributes using Oracle Enterprise Manager Fusion Middleware Control, the WebLogic Scripting Tool (wlst), LDAP tools, and Oracle Directory Services Manager (ODSM).

For information about the attributes that control the Oracle Internet Directory replication server, see Managing Replication Configuration Attributes.

This chapter includes the following sections:

9.1 Managing System Configuration Attributes

Understand about managing various system configuration attributes.

This section contains the following topics:

9.1.1 About Configuration Attributes

Most Oracle Internet Directory configuration information is stored in the directory itself. The information is stored as attributes of specific configuration entries. You must have superuser privileges to set system configuration attributes.

Some configuration attributes are specific to an individual instance of the Oracle Internet Directory server. Instance-specific attributes are located in the instance-specific configuration entry, a specific subentry of the Oracle Internet Directory instance entry. Figure 8-1 shows the location of these entries in the DIT.

Some configuration attributes are shared by all Oracle Internet Directory server instances in a WebLogic Server domain that are connected to the same database. Shared attributes reside in the DSA Configuration entry. Replication-specific attributes reside in the Replica Subentry, Replication Configuration, and Replication Agreement Entry.

Some attributes reside in the DSE Root. Most of those are non-configurable.

See Understanding Process Control of Oracle Internet Directory Components

Note:

Oracle Internet Directory configuration attributes, either instance-specific or shared attributes, are not replicated. For example, computed attribute definitions from OrclComputedAttribute are stored in the DSA Configuration entry and are not replicated. If your deployment requires configuration attributes to be replicated, you must replicate them manually.

You can manage all the configuration attributes from the command-line. In addition, many of the configuration attributes have specific, task-oriented management interfaces in Oracle Enterprise Manager Fusion Middleware Control or Oracle Directory Services Manager. You can also use the Data Browser feature of Oracle Directory Services Manager to manage the entries directly.

See Also:

9.1.2 About Operational Attributes

Do not confuse configuration attributes with operational attributes. Operational attributes have special meaning to the directory server and they are used for storing information needed for processing by the server itself or for holding other data maintained by the server that is not explicitly provided by clients. These are attributes that are maintained by the server and either reflect information the server manages about an entry or affect server operation.

Operational attributes are not returned by a search operation unless you specifically request them by name or with the "+" option in the search request. See Listing Operational Attributes by Using ldapsearch for more information.

Examples of operational attributes include the time stamp for an entry and the state values needed for enforcing password policies, described in Operational Attributes of User Entry. You cannot modify operational attributes.

From 11g Release 1 (11.1.1.9.0) onward, Oracle Internet Directory server returns numsubordinate operational attribute. It specifies the count of number of child entries under the given base DN.

Note:

By default the numsubordinate operational attribute is not returned when you specify the + option in the search request. You must explicitly set the orcldseecompatible flag to 1 in the cn=dsaconfig,cn=configsets,cn=oracle internet directory entry.

9.1.3 Attributes of the Instance-Specific Configuration Entry

During installation, Oracle Identity Management 11g Installer creates an instance-specific configuration entry for the first Oracle Internet Directory instance.

It copies default values from a read-only entry under cn=configset0. (You can specify different values for the SSL port and non-SSL during the install.)

The DN of an instance-specific configuration entry has the form:

cn=componentname,cn=osdldapd,cn=subconfigsubentry

For example, if the component name for a server instance is oid1,then the DIT of the instance-specific configuration entry would be:

cn=oid1,cn=osdldapd,cn=subconfigsubentry

Table 9-1 lists the attributes of the instance-specific configuration entry. The Update Mechanism column contains the following abbreviations:

EM – Oracle Enterprise Manager Fusion Middleware Control. See Managing System Configuration Attributes by Using Fusion Middleware Control.
WLST–WebLogic Scripting tool. See Managing System Configuration Attributes by Using WLST.
LDAP–LDAP command-line tools, such as ldapmodify and ldapadd. See Managing System Configuration Attributes by Using LDAP Tools.

Table 9-1 Attributes of the Instance-Specific Configuration Entry

Attribute	Description	Update Mechanism	Default	Possible Values
`orclmaxpsearchconns`	Maximum number of connections allowed for an LDAP persistent search operation. See Persistent LDAP Search Operations.	EM, LDAP, WLST	0	Integer, up to 1024.
`orclserverprocs`	Number of Server Processes. Restart the server after changing. See Understanding Process Control of Oracle Internet Directory Components.	EM, LDAP, WLST	1	Integer, up to 1024.
`orclreqattrcase`	Preserve the case of required attribute names specified in an `ldapsearch` request. See Getting Started With Oracle Internet Directory.	EM, LDAP	0	0: Do not preserve attribute case 1: Preserve attribute case
`orclhostname`	Hostname or IP address. See Managing IP Addresses in Oracle Internet Directory. See Managing Oracle Internet Directory Instances	LDAP	Set during install	Host or IP address
`orclnonsslport`	Non-SSL port See Configuring Server Properties. If you change the port number, restart the server. See Managing Oracle Internet Directory Instances.	EM, LDAP, WLST	3060	Port number
`orclsslport`	SSL port See Configuring Server Properties. If you change the port number, restart the server. See Managing Oracle Internet Directory Instances.	EM, LDAP, WLST	3131	Port number
`orcltraceconndn`	Distinguished name (DN) of a connection that causes Oracle Internet Directory server to log messages for operations performed by the specified connection DN, if `orclDebugFlag` is set to a value other than zero (0).	EM, LDAP, WLST	None	Multi-valued attribute that can specify one or more connection DNs.
`orcltraceconnip`	Connection IP address that causes Oracle Internet Directory server to log messages for operations performed by the specified connection IP address, if `orclDebugFlag` is set to a value other than zero (0).	EM, LDAP, WLST	None	Multi-valued attribute that can specify one or more connection IP addresses.
`orcltxntimelimit`	Maximum time allowed in a transaction (seconds). See Using LDAP Transactions in Application Developer's Guide for Oracle Identity Management and Configuring Server Properties.	EM, LDAP, WLST	0	Positive integer (seconds)
`orcltxnmaxoperations`	Maximum number of operations allowed in a transaction. See Using LDAP Transactions in Application Developer's Guide for Oracle Identity Management and Configuring Server Properties.	EM, LDAP, WLST	0	Positive integer
`orclservermode`	Server Mode See Performing Bulk Operations.	EM, LDAP, WLST	rw	R: read-only rw: read/write rm: read-modify
`orclaudcustevents`	A comma-separated list of events and category names to be audited. Custom events are only applicable when `orclAudFilterPreset` is `Custom`. See Managing Auditing.	EM, LDAP, WLST	Empty	Examples include: Authentication.SUCCESSESONLY, Authorization(Permission -eq 'CSFPermission')
`orclaudfilterpreset`	Replaces the audit levels used in 10g (10.1.4.0.1) and earlier releases. See Managing Auditing.	EM, LDAP, WLST	None	`None`, `Low`, `Medium`, `All`, and `Custom`.
`orclaudsplusers`	A comma separated list of users for whom auditing is always enabled, even if `orclAudFilterPreset` is `None`. See Managing Auditing.	EM, LDAP, WLST	Empty	Valid users. For example: cn=orcladmin
`orclcachenotifyip`	Associates a port number with an IP address in order to allow Oracle Internet Directory servers to communicate with each other in a cluster environment when cached data is changed.	LDAP	None	Port number and IP address See Configuring IP Addresses for Notifications in a Cluster.
`orcldebugflag`	Debug Flag See Managing Logging.	EM, LDAP, WLST	0	0 ~ 117440511 See Table 24-3.
`orcldebugforceflush`	Force flush debug messages See Managing Logging.	LDAP	0	0: Disable 1: Enable
`orcldebugop`	Operations Enabled for Debug See Managing Logging.	EM, LDAP, WLST	511	See Table 24-4.
`orclmaxlogfiles`	Maximum Number of Log Files to Keep in Rotation See Managing Logging.	EM, LDAP, WLST	100	Integer
`orclmaxlogfilesize`	Maximum Log File Size (MB) See Managing Logging.	EM, LDAP, WLST	1 MB	Size, in MB
`orcleventlevel`	Statistics collection event level See Monitoring Oracle Internet Directory.	EM, LDAP, WLST	0	See Table 25-5.
`orcloptracklevel`	Security event tracking level See Monitoring Oracle Internet Directory.	EM, LDAP, WLST	0	Table 25-3
`orclstatsflag`	Flag to turn on or off OID statistics data See Monitoring Oracle Internet Directory.	EM, LDAP, WLST	1	0: disable 1: enable
`orclstatslevel`	Enable user statistics collection See Monitoring Oracle Internet Directory.	EM, LDAP, WLST	0	0: disable 1: enable
`orclstatsperiodicity`	Frequency of flushing statistics to data bases See Monitoring Oracle Internet Directory.	EM, LDAP, WLST	30	60
`orclsslauthentication`	SSL Authentication Restart the server after changing. See Configuring Secure Sockets Layer (SSL).	EM, LDAP, WLST	1	1: No SSL authentication 32: One-way authentication 64: Two-way authentication
`orclsslciphersuite`	SSL Cipher Suite Restart the server after changing. See Configuring Secure Sockets Layer (SSL).	EM, LDAP, WLST	Empty	See Table 27-1, left column.
`orclsslenable`	SSL Enable Restart the server after changing. Set `orclsslenable` to `1` or `2` if you use WLST or EM to configure the server. See Configuring Secure Sockets Layer (SSL).	EM, LDAP, WLST	2	0: Non-SSL only 1: SSL only, 2: Non-SSL & SSL mode
`orclsslinteropmode`	SSL Interoperability Mode Restart the server after changing. See Configuring Secure Sockets Layer (SSL).	LDAP	0	0: disabled 1: enabled
`orclsslversion`	SSL Version Restart the server after changing. See Configuring Secure Sockets Layer (SSL).	EM, LDAP, WLST	3	3
`orclsslwalleturl`	SSL Wallet URL Restart the server after changing. See Configuring Secure Sockets Layer (SSL).	EM, LDAP, WLST	File	SSL wallet file location.
`orclanonymousbindsflag`	Allow Anonymous binds See Managing Authentication,	EM, LDAP, WLST	2	See Table 33-5.
`orclsaslauthenticationmode`	SASL Authentication Restart the server after changing Mode. See Managing Authentication.	EM, LDAP, WLST	1	auth, auth-int, auth-conf. Specify all three or a subset of these 3 as a comma separated string.
`orclsaslcipherchoice`	SASL Cipher Choice Restart the server after changing. See Managing Authentication.	EM, LDAP, WLST	Rc4-56,rc4-40,rc4,des,3des	Any combination of Rc4-56, des, 3des, rc4, rc4-40
`orclsaslmechanism`	SASL Mechanism Restart the server after changing. See Managing Authentication.	EM, LDAP, WLST	DIGEST-MD5, EXTERNAL	DIGEST-MD5, EXTERNAL
`orclmaskrealm`	DIT Masking See Managing DIT Masking.	LDAP	No value	List of DIT subtrees.
`orclmaskfilter`	DIT Masking See Managing DIT Masking.	LDAP	No value	LDAP attribute filter.
`orclmaskattribute`	DIT Masking See Managing DIT Masking.	LDAP	No value	List of attributes, possibly preceded by `!`.
`orcldispthreads`	Maximum number of dispatcher threads per server process. See Oracle Internet Directory in Tuning Performance Restart server after changing.	EM, LDAP, WLST	1	Integer (Max 16)
`orclldapconntimeout`	LDAP Connection Timeout, in minutes See Oracle Internet Directory in Tuning Performance.	EM, LDAP, WLST	0	Integer Note: Users configured for statistics tracking do not time out as per this setting.
`orclmaxcc`	Maximum Number of DB Connections Restart the server after changing. See Oracle Internet Directory in Tuning Performance.	EM, LDAP, WLST	2	Integer, maximum128
`orclmaxconnincache`	Maximum number of cached user group connections See Oracle Internet Directory in Tuning Performance.	EM, LDAP, WLST	100000	Integer
`orclmaxldapconns`	Maximum number of concurrent connections per server process See Oracle Internet Directory in Tuning Performance.	EM, LDAP, WLST	1024	Int (Max system max file descriptors per process)
`orclmaxserverresptime`	Maximum Time in seconds for Server process to respond back to Dispatcher process See Oracle Internet Directory in Tuning Performance.	EM, LDAP, WLST	300 seconds	Number of Seconds 0: Dispatcher does not detect the server hang.
`orclnwrwtimeout`	Maximum time in seconds for OID Server to wait for LDAP client respond to a Read/Write operation. See Oracle Internet Directory in Tuning Performance.	EM, LDAP, WLST	30 seconds	Integer
`orcloptrackmaxtotalsize`	Maximum number of bytes of RAM that security events tracking can use for each type of operation. See Oracle Internet Directory in Tuning Performance.	LDAP	100000000 Bytes	Available RAM, in bytes
orcloptracknumelemcontainers;1stlevel	Number of in-memory cache containers for storing information about users performing operations. See Oracle Internet Directory in Tuning Performance.	LDAP	256	Integer
orcloptracknumelemcontainers;2ndlevel	Number of in-memory cache containers for storing information about users whose user password is compared and tracked when detailed compare operation statistics is programmed. See Oracle Internet Directory in Tuning Performance.	LDAP	256	Integer
`orclpluginworkers`	Maximum number of plug-in worker threads per server process Restart the server after changing. See Oracle Internet Directory in Tuning Performance.	EM, LDAP, WLST	2	Int (Max 64)
`orclsizelimit`	Number of entries that can be returned in an `ldapsearch` result See Oracle Internet Directory in Tuning Performance.	LDAP	10000	Integer
`orcltimelimit`	Maximum time that server can spend for a given `ldapsearch` operation	EM, LDAP, WLST	3600	Integer (seconds)
`orclsdumpflag`	Generate stack dump. See Troubleshooting Oracle Internet Directory.	LDAP	0	0: Generate stack trace file. 1: Do not generate stack. trace file, but generate a core file.
`orclskipspecialinfilter`	Evaluates whether Oracle Internet Directory should skip the processing of special characters specified in filter values during a search operation.	LDAP	0	0: Process the special characters specified in the filter value. 1: Do not process the special characters specified in the filter value.
`orclcryptoversion`	Allows you to specify the SSL/TLS version to be used.	LDAP	24	0: All Supported Protocols 2: For SSL v3.0 4: For TLS 1.0 8: For TLS 1.1 16: For TLS 1.2 24: For TLS 1.1 or TLS 1.2 Note: The attribute is additive in nature. This implies that it allows you to add more than one protocol by specifying the corresponding value. For more information, see Supported Protocol Versions.

9.1.4 Attributes of the DSA Configuration Entry

Understand about the attributes in the DSA configuration entry.

The DSA configuration entry has the DN:

cn=dsaconfig,cn=configsets,cn=oracle internet directory

Table 9-2 shows shared attributes in the DSA configuration entry. The Update Mechanism column contains the following abbreviations:

EM – Oracle Enterprise Manager Fusion Middleware Control. See Managing System Configuration Attributes by Using Fusion Middleware Control.
LDAP–LDAP command-line tools, such as ldapmodify and ldapadd. See Managing System Configuration Attributes by Using LDAP Tools.

Note:

DSA is an X.500 term for the directory server.

Table 9-2 Attributes in the DSA Configuration Entry

Attribute	Description	Update Mechanism	Default	Possible Values
`orclblockdnip`	IP address that causes Oracle Internet Directory server to reject any new connections and close any existing connections from that IP address.	EM,LDAP	None	IP address
`orclcomputedattribute`	Mechanism to dynamically compute a configurable attribute and its value based on specific rules. See Managing Computed Attributes.	LDAP	None	Multi-valued attribute
`orclmaxlatencylog`	Time in microseconds after which any Oracle Internet Directory server operations that exceed this time are logged to the alert log.	EM,LDAP	10000000 microseconds. Minimum is 10 microseconds.	Microseconds
`orclmaxtcpidleconntime`	Frequency in minutes at which Oracle Internet Directory server calls `OCIPing()` to send keep alive messages to its Oracle Database. Setting this attribute to a value less than the timeout value of the firewall between Oracle Internet Directory server and the Oracle Database (typically 30 minutes) prevents the Database connection from being dropped.	LDAP	20 minutes	Integer 0: No `OCIPing()`
`orclmaxtcpidleconntime`	For zero downtime patching, `orclmaxtcpidleconntime`; ttl is set to 5 and admin is expected to wait for couple of cycles before turning off the database. After being done with number of cycles, it should be turned off with out of the box value 0. The value of this attribute is in minutes.	LDAP	0	Integer 0: Disabled
`orclmaxfiltsize`	Maximum Filter Size See Configuring Shared Properties.	EM, LDAP	24576	Integer
`orclrefreshdgrmems`	Refresh Dynamic Group Memberships. See Managing Dynamic and Static Groups in Oracle Internet Directory.	LDAP	0	1: Cause a refresh. Server will reset it to 0.
`orclautocatalog`	Index attributes on first search. See Index option in Oracle Internet Directory to Search Attributes.	EM, LDAP	1	0: Disabled 1: Enabled
`orclrienabled`	Referential Integrity. See Configuring Referential Integrity.	EM, LDAP	0	0: Disabled 1: Enabled
`orclstatsdn`	User DNs for statistics collection. See Monitoring Oracle Internet Directory.	EM, LDAP	Empty	DNs of entries
`orcldataprivacymode`	Sensitive attributes encrypted when returned See Configuring Data Privacy.	LDAP	0	0: Disabled 1: Enabled
`orclencryptedattributes`	Sensitive attributes stored in encrypted format. See Configuring Data Privacy.	LDAP	See Table 28-1.	Attributes
`orclhashedattributes`	Attributes stored in hashed format. See Configuring Data Privacy.	EM, LDAP	Empty	Attributes
`orclpkimatchingrule`	PKI Matching Rule for mapping user's PKI certificate DN to the user's entry DN. See Managing Authentication.	EM, LDAP	2	0: Exact match. 1: Certificate search. 2: Combination of 0 and 1. 3: Mapping rule only. 4: Try in order: 3, 2
`orclgeneratechangelog`	Whether to generate change logs for user operations. See Managing and Monitoring Replication and the Oracle Internet Directory chapter of Tuning Performance	LDAP	1	1: enable 0: disable
`orcljvmoptions`	Options passed to the JVM when a server plug-in is invoked. See Developing Plug-ins for the Oracle Internet Directory Server.	EM, LDAP	-Xmx64M	Valid JVM options
`orclinmemfiltprocess`	Search Filters to be processed in memory See the Oracle Internet Directory chapter in Tuning Performance.	EM, LDAP	See list in Tuning Performance	Valid search filters
`orclmatchdnenabled`	Whether to provide detailed MatchDN information when base DN of a search is not present. See the Oracle Internet Directory chapter of Tuning Performance	EM, LDAP	1	0: Do not match, but validates if baseDN exists in the database 1: Match 2: Perform no DB check for existence of base DN
`orclskewedattribute`	Skewed attributes. Server restart recommended after changing. See the Oracle Internet Directory chapter in Tuning Performance.	EM, LDAP	objectclass	List of attributes
`orclskiprefinsql`	Skip referral for search. Server restart recommended after changing. See the Oracle Internet Directory chapter in Tuning Performance.	EM, LDAP	0	0: Disabled 1: Enabled
`orcltlimitmode`	Specify search time limit mode to be either accurate or approximate. See the Oracle Internet Directory chapter in Tuning Performance.	LDAP	0	0: Accurate 1: Approximate
`orclcachemaxsize`	Size in bytes of the Result Set cache or Metadata cache, as indicated by the subtype (rs or md). Requires a server restart to take effect.	LDAP	Result Set cache: 64 MB (64 MB is also the minimum cache size) Metadata cache: 128 MB (128 MB is also the minimum cache size).	Subtype: rs (Result Set cache) or md (Metadata cache) Size: M (megabytes) or G (gigabytes).
`orclecacheenabled`	Enable or disable the Entry Cache or Result Set Cache. See the Oracle Internet Directory chapter in Tuning Performance.	EM, LDAP, WLST	2	0: Disable both caches 1: Enable Entry Cache only 2: Enable both caches 4: Pre-load cache data during server start up time or when cache is destroyed. Oracle Internet Directory servers rebuild the cache when `orclecacheenabled` is set to `4`. Note: Entry cache pre-load is based on `orclrscacheattr` settings.
`orclecachemaxentries`	Maximum Entries in Entry Cache. See the Oracle Internet Directory chapter in Tuning Performance.	EM, LDAP, WLST	100000	Integer
`orclecachemaxsize`	Entry Cache Size in bytes. See the Oracle Internet Directory chapter in Tuning Performance.	EM, LDAP, WLST	200000000 Bytes	Size: M (megabytes) or G (gigabytes). For example: 200M
`orclrscacheattr`	Result Set Cache Attributes See the Oracle Internet Directory chapter in Tuning Performance.	EM, LDAP, WLST	cn uid mail orclguid	Multi-valued attribute that specifies the Result Set Cache attributes. Typically these attributes are not modified for the life of the entry. If an attribute has referential integrity enabled, that attribute should not be used.
`orclenablegroupcache`	Enable/Disable Group cache See the Oracle Internet Directory chapter in Tuning Performance.	LDAP	1	1: Enable, 0: Disable
`orcldseecompatible`	If orcldseecompatible is set to `1`, then the attribute `numsubordinates` is returned if the search request has "+" required attribute.		None

9.1.5 Attributes of the DSE

The DSA-specific entry (DSE) is the root of the DIT. This is where Oracle Internet Directory publishes information about itself, such as naming contexts, supported controls, and matching rules. Most attributes of the DSE should not be modified directly.

Note:

Beginning with Oracle Internet Directory 11g Release 1 (11.1.1.6.0), the orclcompatibleversion DSE attribute contains the Oracle Internet Directory version. This attribute is multi-valued. The values can be:

orclcompatibleversion: 11.1.1.6.0
orclcompatibleversion: 11.1.1.7.0
orclcompatibleversion: 11.1.1.9.0
orclcompatibleversion: 12.2.1.3.0

Do not modify orclcompatibleversion. It must be present for Oracle Internet Directory to work with its respective schema.

Some DSE attributes that you might need to modify are listed in Table 9-3.

Table 9-3 Attributes of the DSE

Attribute	Description	Update Mechanism	Default	Possible Values
`namingcontexts`	Naming contexts. See Managing Naming Contexts in Oracle Internet Directory.	LDAP	c=us dc=com	Any valid naming context.
`ref`	Referral specification. See Managing Knowledge References and Referrals.	LDAP
`orclaci`	Access control at the root DSE level. See Managing Directory Access Control.	LDAP
`orclcryptoscheme`	Hashing algorithm for protecting passwords. See Managing Password Verifiers.	LDAP	SSHA	MD4, MD5, SHA, SSHA, SHA256, SHA384, SHA512, SSHA256, SSHA384, SSHA512, SMD5, UNIX Crypt
`subentry`	Contains DN of password policy governing the DSE root. See Managing Password Policies.	LDAP	cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext
`orclsimplemodchglogattributes`	List of multivalued attributes for which change logs contain only changes, not lists of all values. See Change Logs in Directory Replication.	LDAP	`member`, `uniqueMember`	Multivalued attributes

9.2 Managing System Configuration Attributes by Using Fusion Middleware Control

You can view and set most of the configuration attributes for an Oracle directory server by using Oracle Enterprise Manager Fusion Middleware Control.

This section contains the following topics:

9.2.1 Configuring Server Properties

You can configure attributes using the Oracle Internet Directory Server Properties pages of Fusion Middleware Control. The various options in the Server Properties pages, such as, General and Performance are listed in the following sections.

This section includes the following topics:

9.2.1.1 Configuring Server Properties

You can configure most of the attributes in the instance-specific configuration entry by using the Oracle Internet Directory Server Properties pages of Fusion Middleware Control as follows:

Select Administration, then Server Properties from the Oracle Internet Directory menu.
Select General, Performance, SASL, Statistics, or Logging, depending on which parameters you want to configure.
After changing the configuration, choose Apply.

9.2.1.2 General Options in Configuring Server Properties

The correspondence between server properties and configuration attributes on the General tab of the Server Properties page is shown in Table 9-4.

Table 9-4 Configuration Attributes on Server Properties Page, General Tab.

Field or Heading	Configuration Attribute
Server Mode	`orclservermode`
Maximum number of entries to be returned by a search	`orclsizelimit`
Maximum time allowed for a search to complete (sec)	`orcltimelimit`
Preserve Case of Required Attribute Name specified in Search Request	`orclreqattrcase`
Anonymous Bind	`orclanonymousbindsflag`
Maximum time allowed in a Transaction (sec)	`orcltxntimelimit`
Maximum Number of Operations allowed in a Transaction	`orcltxnmaxoperations`
Non-SSL Port	`orclnonsslport`
SSL Port	`orclsslport`

9.2.1.3 Performance Options in Configuring Server Properties

The correspondence between server properties and configuration attributes on the Performance tab of the Server Properties page is shown in Table 9-5

Table 9-5 Configuration Attributes on Server Properties Page, Performance Tab

Field or Heading	Configuration Attribute
Number of OID LDAP Server Processes	`orclserverprocs`
Number of DB Connections per Server Process	`orclmaxcc`
Number of users in privilege Group membership Cache	`orclmaxconnincache`
LDAP Idle Connection Timeout (minutes)	`orclldapconntimeout`
OID server Network Read/Write Retry Timeout (sec)	`orclnwrwtimeout`
Maximum Number of LDAP connections per Server Process	`orclmaxldapconns`
Maximum Time in seconds for Server process to respond back to Dispatcher process	`orclMaxServerRespTime`
Number of Dispatcher Threads per Server Process	`orcldispthreads`
Number of Plug-in Threads per Server Process	`orclpluginworkers`
Enable Change Log Generation	`orclgeneratechangelog`

Restart the server after changing orclserverprocs, orclmaxcc, orcldispthreads, or orclpluginworkers.

9.2.1.4 SASL Tab of Server Properties

The correspondence between server properties and configuration attributes on the SASL tab of the Server Properties page is shown in Table 33-2.

9.2.1.5 Statistics Tab of Server Properties

The correspondence between server properties and configuration attributes on the Statistics tab of the Server Properties page is shown in Table 25-2.

9.2.1.6 Logging Tab of Server Properties

The correspondence between server properties and configuration attributes on the Logging tab of the Server Properties page is shown in Table 24-2.

9.2.2 Configuring Shared Properties

You can configure some of the shared system configuration attributes in the DSA configuration entry by using the Oracle Internet Directory Shared Properties page of Fusion Middleware Control.

This section contains the following topics:

9.2.2.1 Configuring Shared Properties

To configure some of the shared system configuration attributes in the DSA configuration entry, select Administration, then Shared Properties, then select General, Change Superuser Password, or Replication from the Oracle Internet Directory menu. After changing the configuration, choose Apply.

9.2.2.2 Configuration Attributes in General Properties

Table 9-6 lists the configuration attributes available in the General Tab on the Shared Properties Tab.

Table 9-6 Configuration Attributes on Shared Properties Page, General Tab

Field or Heading	Configuration Attribute
User DN	`orclstatsdn`
Skip referral for search	`orclskiprefinsql`
Skewed attributes	`orclskewedattribute`
Search Filters to be processed in memory	`orclinmemfiltprocess`
Hashed attributes	`orclhashedattributes`
Match DN	`orclMatchDnEnabled`
PKI Matching Rule	`orclPKIMatchingRule`
Referential Integrity	`orclrienabled`
Maximum Filter Size	`orclmaxfiltsize`
Enable Entry Cache	`orclecacheenabled`
Maximum Entries in Entry Cache	`orclecachemaxentries`
Maximum Entry Cache Size (MB)	`orclecachemaxsize`
Number of users in privilege group membership cache NOT on EM page	`orclmaxconnincache`
Result Set Cache Attributes	`orclrscacheattr`
Java Plug-in VM Options	`orcljvmoptions`

A server restart is recommended after changing orclskiprefinsql or orclskewedattribute.

9.2.2.3 Change Superuser Password

See Changing the Superuser Password by Using Fusion Middleware Control.

9.2.2.4 Replication

Replication-related attributes are described in Managing Replication Configuration Attributes. See unresolvable-reference.html.

9.2.3 SSL and Audit Parameters Configuration

You can configure SSL parameters by using the Oracle Internet Directory SSL Configuration Page.

See Overview of Configuring SSL by Using Fusion Middleware Control. You must restart the server for SSL configuration changes to take effect.

You can configure Audit attributes by using the Oracle Internet Directory Audit Policy Settings page. See Managing Auditing Using Fusion Middleware Control.

9.3 Managing System Configuration Attributes by Using WLST

You can manage system configuration attributes using WLST.

Table 9-7 lists the Related MBeans.

This section includes the following topics:

9.3.1 Managing System Configuration Attributes Using WLST

You can use the WebLogic Scripting Tool (wlst) in the Oracle Common home to manage the attributes of the Oracle Internet Directory instance-specific configuration entry that have Oracle Enterprise Manager Fusion Middleware Control interfaces.

A managed bean (MBean) is a Java object that represents a JMX manageable resource in a distributed environment, such as an application, a service, a component or a device. The WebLogic server uses custom MBeans as its interface to system components, such as Oracle Internet Directory.

Note:

WLST manages Oracle Internet Directory through its SSL port. The Oracle Internet Directory SSL port must be configured for no authentication or server authentication. If the Oracle Internet Directory SSL port is configured for mutual authentication, you will not be able to change Oracle Internet Directory attributes by using WLST. See About SSL Authentication Modes.

See Also:

Oracle Fusion Middleware Components in Administering Oracle Fusion Middleware
Using the WebLogic Scripting Tool in Understanding the WebLogic Scripting Tool
Managing Auditing Using WLST

To use WLST, follow the steps below:

Invoke WLST

$ORACLE_HOME/oracle_common/common/bin/wlst.sh

Connect to the WebLogic server

connect('username', 'password', 't3://localhost:7001')

To navigate to the custom mbean tree, type:
```
custom()
```
at the wlst prompt.
To get a one-level list of the MBean in the custom MBean tree, type:
```
ls()
```
In the ls() output, you see two domains that contain MBeans that are related to Oracle Internet Directory configuration. The domains are oracle.as.management.mbeans.register and oracle.as.oid.
To get to a domain, use the cd() command. For example:
```
cd('oracle.as.management.mbeans.register')
```
or
```
cd('oracle.as.oid')
```
If you type ls(), you see a list of MBeans in that domain. There are three MBeans related to Oracle Internet Directory configuration under oracle.as.management.mbeans.register and two under oracle.as.oid. Table 9-7 lists them.

INSTANCE and COMPONENT_NAME refer to the Oracle instance where your Oracle Internet Directory component is located and the name of the component, respectively.

Note:

The Audit MBean is shown here for completeness, but you use different commands for managing auditing by using wlst. See Managing Auditing Using WLST.
To get to a specific MBean, type:
```
cd('MBEAN_NAME') 
```
For example, if you are in the domain oracle.as.management.mbeans.register, and you want to manage the Root Proxy MBean for Oracle Internet Directory component oid1 in Oracle instance instance1, type:
```
cd('oracle.as.management.mbeans.register:type=OID,name=oid1,instance=instance1')
```
Once you have navigated to the desired MBean, you can get the current value for an attribute by typing:
```
get('ATTRIBUTE_NAME') 
```
For example, to get the value for orclserverprocs, type:
```
get('orclserverprocs') 
```
Before you make any changes to attributes, you must ensure that the MBean has the current server configuration. To do that, load the configuration from Oracle Internet Directory server to the mbean. Type:
```
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String)) 
```
Then you can use the set command to set a specific attribute. Type:
```
set('ATTRIBUTE_NAME', ATTRIBUTE_VALUE)
```
For example, to set orclserverprocs = 12, type:
```
set('orclserverprocs', 12) 
```
After making changes, you must save the MBean configuration to the Oracle Internet Directory server. Type:
```
invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
```

9.3.2 Related MBeans Of Oracle Internet Directory

There are three MBeans related to Oracle Internet Directory configuration under oracle.as.management.mbeans.register and two under oracle.as.oid.

Table 9-7 lists all the MBeans.

Table 9-7 Oracle Internet Directory-Related MBeans

MBean Name	MBean Domain	MBean Format in ls() Output
Root Proxy MBean	oracle.as.management.mbeans.register	oracle.as.management.mbeans.register:type=component,name=COMPONENT_NAME,instance=INSTANCE
Non-SSL Port MBean	oracle.as.management.mbeans.register	oracle.as.management.mbeans.register:type=component.nonsslport,name=nonsslport1,instance=INSTANCE,component=COMPONENT_NAME
Audit MBean	oracle.as.management.mbeans.register	oracle.as.management.mbeans.register:type=component.auditconfig,name=auditconfig1,instance=INSTANCE,component=COMPONENT_NAME
SSL Port MBean	oracle.as.oid	oracle.as.oid:type=component.sslconfig,name=sslport1,instance=INSTANCE,component=COMPONENT_NAME
Key Store MBean	oracle.as.oid	oracle.as.oid:type=component.keystore,name=keystore,instance=INSTANCE,component=COMPONENT_NAME

9.4 Managing System Configuration Attributes by Using LDAP Tools

From the command line, you can modify most system configuration attributes by using ldapmodify and list most system configuration by using ldapsearch.

This section describes:

9.4.1 Setting System Configuration Attributes by Using ldapmodify

You can modify system configuration attributes using ldapmodify.

You can modify most attributes in Table 9-1, Table 9-2, and Table 9-3 by using the command-line:

ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile

The contents of the LDIF file depends on the DN and the operation being performed.

The LDIF file for changing the value of the orclgeneratechangelog attribute in the instance-specific entry to 1 would be:

dn: cn=componentname,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclgeneratechangelog
orclgeneratechangelog: 1

The LDIF file for adding the orclinmemfiltprocess attribute to the DSA configuration entry would be:

dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
changetype: modify
add: orclinmemfiltprocess
orclinmemfiltprocess: (objectclass=inetorgperson)(orclisenabled=TRUE)

Note:

Since 11g Release 1 (11.1.1.0.0), consecutive settings of orcldebugflag and of orcloptracklevel are additive.
Restart the server after changing orclskiprefinsql, orclskewedattribute, orclserverprocs, orcldispthreads, orclmaxcc, orclpluginworkers, or any attribute with a name that begins with "orclssl" or "orclsasl."
After changing orclnonsslport or orclsslport, restart the server.

See Also:

The Oracle Internet Directory chapter of Tuning Performance for more examples of LDIF files
The command-line tool reference, ldapmodify in Reference for Oracle Identity Management for a more detailed discussion of ldapmodify, and a list of its options
.
The "Oracle Identity Management " LDAP Attribute Reference in Reference for Oracle Identity Management for descriptions of the modifiable system configuration attributes.

9.4.2 Listing Configuration Attributes with ldapsearch

You can use ldapsearch to list most attributes.

For example:

Instance-Specific Configuration Entry

If the component name for a server instance is oid1,then you can list the attributes in the instance-specific configuration entry with a command line such as:
```
ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \
   -b "cn=oid1,cn=osdldapd,cn=subconfigsubentry" -s base "objectclass=*"
```

DSA Configuration Entry

You can list the attributes with the command line:

ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \
   -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" \
   -s base "objectclass=*"

DSE

You can list the attributes with the command line:

ldapsearch -p 3060 -h myhost.example.com  -D cn=orcladmin -q \
    -b "" -s base "objectclass=*"

9.5 Managing System Configuration Attributes by Using ODSM Data Browser

Oracle Enterprise Manager Fusion Middleware Control is the recommended graphical user interface for managing system configuration attributes. You can also use ODSM to manage system configuration attributes, which can be useful if Fusion Middleware Control is not available or if you must modify an attribute that has no Fusion Middleware Control interface.

See Managing Entries by Using Oracle Directory Services Manager for detailed instructions for changing the attributes of a directory entry. The following sections explain how to get to the entries that contain system configuration attributes in ODSM.

This section includes the following topics:

9.5.1 Navigating to the Instance-Specific Configuration Entry

You can navigate to the Instance-specific configuration entry from the ODSM Data Browser tab.

On the Data Browser tab, in the navigation tree, expand subconfigsubentry, then osdldapd. Then select the name of the Oracle Internet Directory component you want to manage.

9.5.2 Navigating to the DSA Configuration Entry

You can navigate to the DSA configuration entry from the ODSM Data Browser tab.

On the Data Browser tab, in the navigation tree, expand oracle internet directory, then configsets, then select the entry dsaconfig.

9.5.3 Navigating to the DSE Root

You can navigate to the DSE root from the ODSM Data Browser tab.

On the Data Browser tab, click Root in the navigation tree to select the DSE.