Oracle Internet Directory Administrator's Guide Release 2.1.1 Part Number A86101-01
Oracle Internet Directory release 2.1.1 enables synchronization with supported third party metadirectory solutions. Synchronization with these metadirectory solutions occurs through the use of change logs. This chapter describes how that change log information is generated and used by supporting solutions. It also provides instructions for enabling other directories to synchronize with Oracle Internet Directory.
This chapter contains these topics:
Changes in an Oracle Internet Directory are recorded as entries in the change log object store. Other directories must have access to that store if they are to synchronize with Oracle Internet Directory. You grant them this access by registering them with Oracle Internet Directory.
Each entry in the change log store has a change number. Another directory retrieves from Oracle Internet Directory only those entries with change numbers equal to or greater than the last change it retrieved. For example, suppose that the entry that a directory last retrieved had a change number of 250. Entries that this directory subsequently retrieves must have change numbers of 250 or greater.
Once you have registered another directory with Oracle Internet Directory, that directory can authenticate to Oracle Internet Directory and retrieve updates from it. It does this by following the processes described in this section.
See Also:
Enabling Other Directories to Synchronize with Oracle Internet Directory for instructions on registering directories with Oracle Internet Directory
This section contains these topics:
In this example, my_other_directory acquires changes from Oracle Internet Directory by issuing the following command through ldapsearch. The filter is shown on several lines for readability, but it is passed to ldapsearch as a single quoted argument:

ldapsearch -h host -p port -b "cn=changeLog" -s one
"(&(objectclass=changeLogEntry)
(changeNumber>=orclLastAppliedChangeNumber)
(!(modifiersname=cn=my_other_directory,cn=Subscriber Profile,
cn=ChangeLog Subscriber,cn=Oracle Internet Directory)))"
When the directory is retrieving changes for the first time, the value for orclLastAppliedChangeNumber is the number you set in "Task 2: Register a Directory as a Change Subscription Object in Oracle Internet Directory".
The argument (!(modifiersname=client_bind_dn)) in the filter ensures that Oracle Internet Directory does not return changes made by the other directory itself.
After retrieving changes from Oracle Internet Directory, the connected directory updates the orclLastAppliedChangeNumber attribute in its change subscription object. This allows Oracle Internet Directory to purge changes that connected directories have already applied. It also enables the connected directory to retrieve only the most recent changes, ignoring those it has already applied.
This example uses an input file named mod.ldif in which the last applied change number is 121. The connected directory updates orclLastAppliedChangeNumber in its change subscription object as follows:

mod.ldif:

dn: cn=my_other_directory,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory
changetype: modify
replace: orclLastAppliedChangeNumber
orclLastAppliedChangeNumber: 121

The connected directory then applies the mod.ldif file by using ldapmodify:

ldapmodify -h host -p port -f mod.ldif
To retrieve changes after the first time, the other directory issues a command by using ldapsearch. The following example returns all the changes with changeNumber equal to or greater than 121, except those related to operations performed by the other directory itself.

ldapsearch -h my_host -p my_port_number -b "cn=changeLog" -s one
"(&(objectclass=changeLogEntry)(changeNumber>=122)
(!(modifiersname=cn=my_other_directory,cn=Subscriber Profile,
cn=ChangeLog Subscriber,cn=Oracle Internet Directory)))"
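The retrieve-apply-advance cycle described above, as an added example that is not part of the Oracle guide. It runs against a constructed in-memory change log rather than a live directory; the target DNs and the cn=orcladmin modifier are assumptions. It builds the same filter the ldapsearch commands use (with RFC 4515 escaping, so the DN value cannot change the filter's structure), selects the matching entries, advances orclLastAppliedChangeNumber only after the retrieved changes have been handled, and produces the mod.ldif text the subscriber would apply:

```python
"""Change-subscriber cycle against a constructed change log (added example)."""

# The subscriber's own change subscription object, as used in this chapter.
SUBSCRIBER_DN = ("cn=my_other_directory,cn=Subscriber Profile,"
                 "cn=ChangeLog Subscriber,cn=Oracle Internet Directory")

# Constructed sample entries standing in for cn=changeLog. The target DNs and
# the cn=orcladmin modifier are assumptions, not values from the guide.
SAMPLE_CHANGELOG = [
    {"changeNumber": 120, "targetDN": "cn=alice,dc=example,dc=com",
     "changeType": "modify", "modifiersName": "cn=orcladmin"},
    {"changeNumber": 121, "targetDN": "cn=bob,dc=example,dc=com",
     "changeType": "add", "modifiersName": "cn=orcladmin"},
    {"changeNumber": 122, "targetDN": "cn=carol,dc=example,dc=com",
     "changeType": "modify", "modifiersName": SUBSCRIBER_DN},  # our own write
    {"changeNumber": 123, "targetDN": "cn=dave,dc=example,dc=com",
     "changeType": "delete", "modifiersName": "cn=orcladmin"},
]

# RFC 4515 escapes: these characters would otherwise be read as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_changelog_filter(last_applied, subscriber_dn):
    """The guide's filter: entries at or after the watermark, minus our own writes.

    int() rejects a non-numeric watermark outright instead of splicing it
    into the filter string, which is where LDAP filter injection happens.
    """
    return ("(&(objectclass=changeLogEntry)"
            f"(changeNumber>={int(last_applied)})"
            f"(!(modifiersName={escape_filter_value(subscriber_dn)})))")


def select_changes(changelog, last_applied, subscriber_dn):
    """Client-side stand-in for the server evaluating the filter above."""
    return [e for e in changelog
            if e["changeNumber"] >= int(last_applied)
            and e["modifiersName"].lower() != subscriber_dn.lower()]


def watermark_ldif(subscriber_dn, change_number):
    """The mod.ldif the subscriber applies after a successful retrieval."""
    return (f"dn: {subscriber_dn}\n"
            "changetype: modify\n"
            "replace: orclLastAppliedChangeNumber\n"
            f"orclLastAppliedChangeNumber: {change_number}\n")


def sync_cycle(changelog, last_applied, subscriber_dn):
    """One retrieval: returns (changes, new watermark, LDIF to apply or None)."""
    changes = select_changes(changelog, last_applied, subscriber_dn)
    if not changes:
        return changes, last_applied, None
    # Advance only after every retrieved change has been applied locally:
    # a crash before this write means re-reading changes, never skipping them.
    new_watermark = max(e["changeNumber"] for e in changes)
    return changes, new_watermark, watermark_ldif(subscriber_dn, new_watermark)


if __name__ == "__main__":
    print(build_changelog_filter(121, SUBSCRIBER_DN))
    changes, wm, ldif = sync_cycle(SAMPLE_CHANGELOG, 121, SUBSCRIBER_DN)
    print([c["changeNumber"] for c in changes], wm)
    print(ldif)
```

Because the filter uses >=, a search that starts from the stored orclLastAppliedChangeNumber returns the boundary entry again; the subscriber must either apply changes idempotently or, as the guide's second ldapsearch does with 122 after 121, search from the watermark plus one.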
To enable other directories to retrieve the changes stored in Oracle Internet Directory, you perform the tasks described in this section. This section contains these topics:
To bootstrap a directory to synchronize data between a local directory and Oracle Internet Directory, execute these steps:

oidcurrentchange.sh -connect net_service_name

This displays the current change number. Later, you will use this number to fill the orclLastAppliedChangeNumber field when you register the directory.
To enable other directories to synchronize with an Oracle Internet Directory, you must register them with Oracle Internet Directory. This gives the directories access to change log objects stored in Oracle Internet Directory.
To register a directory, you make an entry for it in Oracle Internet Directory. This entry is called a change subscription object, and it is placed under the following container in the Oracle Internet Directory schema:
cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory
This change subscription object provides a unique credential for a directory to bind with Oracle Internet Directory and to retrieve changes from it.
Associate the change subscription object with the auxiliary object class orclChangeSubscriber, which has several attributes, two of them mandatory. The two mandatory attributes are userpassword and orclLastAppliedChangeNumber, both of which appear in the add.ldif example that follows.
To register a directory, use ldapadd. The following example uses an input file, named add.ldif, to create a change subscription object, my_other_directory, under the container cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory.

add.ldif:

dn: cn=my_other_directory,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory
userpassword: my_secret_code
orclLastAppliedChangeNumber: current_change_number_in_directory_before_initial_boot_strapping
objectclass: orclChangeSubscriber
objectclass: top

ldapadd -h host -p port -f add.ldif
To deregister a directory, use ldapdelete. Enter the following command:

ldapdelete -h host -p port "cn=directory_name,cn=Subscriber Profile,cn=ChangeLog Subscriber,cn=Oracle Internet Directory"
Once you have registered a directory with Oracle Internet Directory, you must grant it read access to the cn=changeLog entry in Oracle Internet Directory.
See Also:
Chapter 9, "Managing Directory Access Control" for instructions on setting access control policies

Copyright © 1996-2000, Oracle Corporation. All Rights Reserved.