Release 2.1.1
Part Number A86101-01
 Library |
 Product |
 Contents |
 Index |
| Oracle Internet Directory Administrator's Guide Release 2.1.1 Part Number A86101-01 |
|
This chapter explains how to manage an Oracle directory server by using Oracle Directory Manager and command line tools.
This chapter contains these topics:
Chapter 3, "Preliminary Tasks" for instructions on starting and stopping directory server instances
See Also:
When you start an Oracle directory server by using the OID Control Utility, that start message refers to a configuration set entry containing server parameters. You can add, modify, and delete configuration set entries by using either Oracle Directory Manager or the appropriate command line tool.
|
See Also:
|
This section contains these topics:
Although you can change values in the default configuration set, namely, configset0, all of your changes will be carried over to every new configuration set entry that you create. This is because configset0 values are used as the template for all new configuration set entries.
When you want to change values that should not always be in effect for every instance of the server that you run, it is better to create new configuration set entries. Note that, in release 2.1.1, this applies to the Oracle directory server instances only. The Oracle replication directory server supports only one configuration set in this release.
You may want to establish a separate instance of a directory server with different values. If you do not want those values to be exercised by all users, set up a new configuration set entry and run a separate server instance pointing to that configuration set entry for groups with special needs.
Figure 5-1 shows three separate directory server instances, each with a different value.
Figure 5-1 shows:
cn=osdldap) with:
cn=osdrepld) using configset0
See Also:
You can use Oracle Directory Manager to view, add, modify, and delete configuration set entries.
|
Important Note: You cannot change the parameters for an active instance directly; you must change the parameters in a configuration set entry and save it. After the configuration set entry is saved, use the OID Control Utility restart command to stop current Oracle directory server instances and restart them. You can change a configuration set entry and start fresh instances that use the new parameters. The changes will not affect the older instances that are still running, however, unless they have been restarted. For information on restarting directory server instances, see "Task 3: Reset the Default Security Configuration". |
To view configuration set entries:
You can see all the parameters for the instance by selecting the tabs across the top of the dialog box. However, you cannot change them in this dialog box. To change them, you must change the configuration set entry on which they are based.
The first time you add a configuration set entry, you can:
To add configuration set entries by copying the default configuration set entry:
|
See Also:
Appendix C for information about setting the location of the Oracle Wallet and the Oracle Wallet password. |
Remember: The changes will not affect the active directory server instance until you restart it. See "Restarting Directory Server Instances".
Note:
To create a new configuration set entry without copying from a previous configuration set entry:
Click Ok.
To modify configuration set entries:
Modify the values in the fields for the General tab as described in this table:
You can change any of the values. Press Apply to save the changes.
Remember: The changes will not affect the active directory server instance until you restart it. See "Restarting Directory Server Instances".
Appendix C for information on setting the location of the Oracle Wallet and the Oracle Wallet password.
Note:
See Also:
To delete configuration set entries:
Remember: The changes will not affect the active directory server instance until you restart it. See "Restarting Directory Server Instances".
Note:
Although changing configuration set entries by using Oracle Directory Manager is desirable, it can sometimes be more convenient to use the available command line tools--for example, when you want to make the same set of changes across multiple Oracle directory servers.
When you add or modify configuration set entries by using the command line tools, the input file for adding a new configuration set entry should be written in LDAP Data Interchange Format (LDIF). It should contain only the attributes and values that differ from the installed defaults. The directory server uses the attribute values that you establish in the new configuration set entry to override its own existing values for these attributes.
If you are adding a new Oracle directory server instance, you can either use an existing configuration set entry, or add a new one for the new instance.
To add a new configuration set entry, create an input file, and then load the input file with ldapadd. Follow these steps:
Input files must use LDIF format. When you create the input file, you need to define or include only those attributes that differ from the current values in that configuration set entry.
In this example, the parameter configset2 is the RDN, or local name, of the new entry, the wallet location is: /HOME/test/wallet, and the password is welcome.
dn:cn=configset2, cn=oidldapd, cn=subconfigsubentry
cn:configset2
objectclass:orclConfigSet
objectclass:orclLDAPSubConfig
objectclass:top
orclsslauthentication:1
orclsslenable:1
orclsslport:5000
orclsslversion:3
orclsslwalletpasswd:welcome
orclsslwalleturl:file:/HOME/test/wallet
At the system prompt, type the command to add the input file. If the example shown above were given the file name newconfigs, the ldapadd command would look something like this:
ldapadd [options] -f newconfigs
|
See Also:
|
To modify or delete an existing configuration set entry, create an input file containing only the attributes that you want to change, and then load the input file with the ldapmodify command. Follow these steps:
When you create the input file, define or include only those attributes that differ from the installed defaults.
Input files must have LDIF format.
In the example shown below, the parameter cn=configset2,cn=osdldapd,cn=subconfigsubentry is the DN, or local name, of an existing configuration set entry. This example shows how to modify the ORCLSSLPORT parameter to 7000.
dn:cn=configset2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclsslport
orclsslport: 7000
Type the command to reference the input file at the system prompt. For example, if the input file were named configfile, your ldapmodify command would look something like the command shown that follows:
ldapmodify[options] -f configfile
|
See Also:
|
Operational attributes--as opposed to application attributes--pertain to the operation of the directory itself. Some operational information is specified by the directory to control the server--for example, the time stamp for an entry. Other operational information, such as access information, is defined by administrators and is used by the directory program in its processing. You must have superuser privileges to set system operational attributes.
This section contains these topics:
You can view and set some of the operational attributes for each Oracle directory server to which you are connected by using Oracle Directory Manager. To do this, in the navigator pane, expand Oracle Internet Directory Servers, then select a server. System operational attributes appear in the right pane.
The next table describes the fields displayed in Oracle Directory Manager for each system operational attribute.
The modifiable system operational attributes are:
|
See Also:
"ldapmodify Syntax" for a more detailed discussion of ldapmodify, and a list of its options |
To enable users to search for specific naming contexts, you can publish those naming contexts. To do this, you specify the topmost entry of each naming context as a value of the namingContexts attribute in the root DSE.
For example, suppose you have a DIT with three major naming contexts, the topmost entries of which are c=uk, c=us, and c=de. If these entries are specified as values in the namingContexts attribute, then a user, by specifying the appropriate filter, can find information about them by searching the root DSE. The user can then focus the search--for example, by concentrating on the c=de naming context in particular.
To publish a naming context, you can use either Oracle Directory Manager or ldapmodify. The namingContexts attribute is multi-valued, so you can specify multiple naming contexts.
To search for published naming contexts, perform a base search on the root DSE with objectClass =* specified as a search filter. The retrieved information includes those entries specified in the namingContexts attribute.
Before you publish a naming context, be sure that:
This section contains these topics:
The following example input file specifies the entry c=uk as a naming context.
dn: changetype: modify add: namingcontexts namingcontexts: c=uk
During installation, you were prompted to set the encryption scheme for passwords. You can change that initial configuration by using either Oracle Directory Manager or ldapmodify. You must be a superuser to change the type of password encryption. This section contains these topics:
To change the type of password encryption by using Oracle Directory Manager:
The following example changes the password encryption algorithm to SHA:
ldapmodify -h myhost -p 389 -v <<EOF dn: changetype: modify replace: orclcryptoscheme orclcryptoscheme: SHA EOF
You can set the maximum number of entries returned in searches, as well as the maximum amount of time, in seconds, for searches to be completed. You can do both of these by using either Oracle Directory Manager or ldapmodify.
This section contains these topics:
You can use Oracle Directory Manager to set the maximum number of retries returned in searches and the maximum amount of time to allow for searches.
You can use ldamodify to set the maximum number of retries returned in searches and the maximum amount of time to allow for searches.
Setting the Maximum Number of Entries Returned in Searches by Using ldapmodify
The following example changes the maximum number of entries to be returned in searches to 500.
ldapmodify -h myhost -p 389 -v <<EOF dn: changetype: modify replace: orclsizelimit orclsizelimit: 500 EOF
Setting the Maximum Amount of Time For Searches by Using ldapmodify
The following example changes the maximum amount of time for a search to 2400.
ldapmodify -h myhost -p 389 -v <<EOF dn: changetype: modify replace: orcltimelimit orcltimelimit: 2400
EOF
A superuser is a special directory administrator who typically has full access to directory information.
A guest user is one who is not an anonymous user, and, at the same time, does not have a specific user entry.
A proxy user is typically used in an environment with a middle tier such as a firewall. In such an environment, the end user authenticates to the middle tier. The middle tier then logs into the directory on the end user's behalf, but does so as a proxy user. A proxy user has the privilege to switch identities and, once it has logged into the directory, switches to the end user's identity. It then performs operations on the end user's behalf, using the authorization appropriate to that particular end user.
You can administer user names and passwords for the super, guest, and proxy users by using either Oracle Directory Manager or ldapmodify.
|
See Also:
Chapter 9, "Managing Directory Access Control" for information on how to set access rights |
This section contains these topics:
To change a user name or password for a superuser, guest user, or a proxy user by using Oracle Directory Manager:
The next table lists and describes the fields in the Passwords tab page.
To change a user name or password for a superuser, a guest user, or a proxy user, use ldapmodify to modify these attributes:
For example, to change the password of the super user to superuserpassword, use ldapmodify to modify the DSE by using an LDIF file containing the following:
dn: changetype:modify replace:orclsupassword orclsupassword:superuserpassword
You can set debug logging levels by using either Oracle Directory Manager or the OID Control Utility.
This section contains these topics:
Ordinarily, you can leave the check boxes on this tab page unselected. However, to generate a log for a specific problem, use this tab page to specify the debug logging level.
To set debug logging levels by using the OID Control Utility, restart the Oracle directory server using the -debug option for an LDAP server, and the -d flag for the replication server. Use the debug level number based on Table 5-1.
Because debug levels are additive, you need to sum together the numbers representing the functions that you want to activate, and use that sum in the command line option.
By default, debug logging is turned off. To turn it on, modify the DSE attribute orcldebugflag to the level you want. You can configure debug levels to one of the following levels.
To see debug log files generated by the OID Control Utility, navigate to $ORACLE_HOME/ldap/log.
Table 5-1 provides the complete list of debug logging levels.
For example, to trace function calls (1) and active connection management (8), enter 9 as the debug level (8 + 1 = 9) as follows:
oidctl server=oidldapd instance=1 flags='-debug 9' restart oidctl server=oidrepld instance=1 flags='-h my_host -p 389 -d 9' restart
This example restarts both the Oracle directory server as well as the Oracle directory replication server with the debugging flags.
The audit log records critical events on the Oracle directory server that are important from both a security and an operational point of view. An administrator can query the audit log using ldapsearch commands. Because the log generation is contingent upon events occurring on the server, only the Oracle directory server itself can create the log entries. You cannot add audit log entries with either the Oracle Directory Manager or the command line tools. Only the server can add entries.
The audit log is made up of regular directory entries, one entry for each event. You can specify search criteria using ldapsearch, and you can view the audit log entries by using Oracle Directory Manager.
By default audit logging is turned off. To turn it on, modify the DSE attribute orclauditlevel to the level you want. You can configure audit levels to audit selected events only.
This section contains these topics:
Each audit log entry contains the orclAuditoc object class. Like all other structural object classes, orclAuditoc inherits from top. Its attributes include:
Note that the audit log entries do not become part of a regular search result set even though the search filter can satisfy the query criteria. For example, a search with the condition objectclass=top does not yield results from the auditlog entries. Only a search with cn=auditlog as the base of the search can find audit log entries.
|
Note:
By default, the attributes |
|
See Also:
|
The audit log container is part of the DSE. It holds its entries as children, organized according to the orclsequence attribute. See Figure 5-2.
The next table shows the auditable events and their audit levels. The third column, Audit Levels, contains hexidecimal values. You can audit more than one event by adding their corresponding values found in this column.
Events described in the previous section can be turned on or off. The DSE attribute orclauditlevel indicates the current audit level set on the server. A value of 0 for the attribute means no auditing, which is the default.
You can set the audit level by using either Oracle Directory Manager or ldapmodify. Both methods are described in this section.
To set the audit level by using Oracle Directory Manager:
Remember: The changes will not affect the active directory server instance until you restart it. See "Restarting Directory Server Instances".
Note:
To audit more than one event, add the values of their the audit masks. For example, suppose you want to audit the following three events:
| Event | Audit Level | Value |
|---|---|---|
|
Schema element delete |
0x0004 |
4 |
|
DSE modification |
0x0020 |
32 |
|
Add |
0x0200 |
512 |
|
548 |
||
The total value of the audit levels is 548. The ldapmodify command would therefore look something like this:
ldapmodify -p port -h host << EOF dn: changetype:modify replace: orclauditlevel orclauditlevel: 548 EOF
Restart the directory server instance after any changes are made to orclauditlevel for the changes to take effect.
You can search for audit log entries by using either Oracle Directory Manager or ldapsearch.
The DN for the audit log container is cn=auditlog. To search for audit log entries, perform a subtree or one-level search, with the container object cn=auditlog as the base of the search.
You can use bulkdelete to purge audit log objects under the container cn=auditlog. Run the following command:
bulkdelete.sh -connect net_service_name -base "cn=auditlog"
You can use Oracle Directory Manager to view information about any active server instance. To do this:
"Managing Server Configuration Set Entries by Using Oracle Directory Manager" for instructions on changing configuration set entries
See Also:
The Oracle Internet Directory uses a password when connecting to an Oracle database. The default for this password when you install Oracle Internet Directory is ODS. You can change this password by using the OID Database Password Utility.
|
 Copyright © 1996-2000, Oracle Corporation. All Rights Reserved. |
|