Oracle Internet Directory Administrator's Guide
Release 2.1.1

Part Number A86101-01


A  Syntax for LDIF and Command Line Tools

This appendix provides syntax, usage notes, and examples for LDAP Data Interchange Format (LDIF) and LDAP command line tools. It contains these topics:

LDAP Data Interchange Format (LDIF) Syntax

The standardized file format for directory entries is as follows:

dn: distinguished_name
attribute_type: attribute_value
.
.
.
objectClass: object_class_value
.
.
.

Property      Value               Description
dn:           RDN,RDN,RDN, ...    Separate RDNs with commas.
attribute:    attribute_value     This line repeats for every attribute in the entry, and for every attribute value in multi-valued attributes.
objectClass:  object_class_value  This line repeats for every object class.

The following example shows a file entry for an employee. The first line contains the DN. The lines that follow the DN begin with the mnemonic for an attribute, followed by the value to be associated with that attribute. Note that each entry ends with lines defining the object classes for the entry.

dn: cn=Suzie Smith,ou=Server Technology,o=Acme, c=US
cn: Suzie Smith
cn: SuzieS
sn: Smith
email: ssmith@us.Acme.com
telephoneNumber: 69332
photo:/ORACLE_HOME/empdir/photog/ssmith.jpg
objectClass: organizationalPerson
objectClass: person
objectClass: top

The next example shows a file entry for an organization.

dn: o=Acme,c=US
o: Acme
ou: Financial Applications
objectClass: organization
objectClass: top

LDIF Formatting Notes

A list of formatting rules follows. This list is not exhaustive.

Command Line Tools Syntax

This section tells you how to use the following tools:

ldapadd Syntax

The ldapadd command line tool enables you to add entries, their object classes, attributes, and values to the directory. To add attributes to an existing entry, use the ldapmodify command, explained in "ldapmodify Syntax".

See Also:

"Adding Configuration Set Entries by Using ldapadd" for an explanation of using ldapadd to configure a server with an input file 

ldapadd uses this syntax:

ldapadd [arguments] -f filename

where filename is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

The following example adds the entry specified in the LDIF file my_ldif_file.ldi:

ldapadd -p 389 -h myhost -f my_ldif_file.ldi

Optional Arguments  Descriptions 

-b 

Specifies that you have included binary file names in the file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced. 

-c 

Tells ldapadd to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapadd stops when it encounters an error.) 

-D binddn 

When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option. 

-E "character_set"

Specifies native character set encoding. See Chapter 12, "Managing National Language Support (NLS)"

-f filename 

Specifies the input name of the LDIF format import data file. For a detailed explanation of how to format an LDIF file, see "LDAP Data Interchange Format (LDIF) Syntax"

-h ldaphost 

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. 

-K 

Same as -k, but performs only the first step of the Kerberos bind 

-k  

Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined.

You must already have a valid ticket granting ticket.  

-n  

Shows what would occur without actually performing the operation 

-p ldapport 

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). 

-P wallet_password  

Specifies wallet password required for one-way or two-way SSL connections 

-U SSLAuth 

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

 

-v 

Specifies verbose mode 

-w password 

Provides the password required to connect 

-W wallet_location 

Specifies wallet location required for one-way or two-way SSL connections 

ldapaddmt Syntax

ldapaddmt is like ldapadd: it enables you to add entries, their object classes, attributes, and values to the directory. It is unlike ldapadd in that it supports multiple threads for adding entries concurrently.

While it is processing LDIF entries, ldapaddmt logs errors in the add.log file in the current directory.

ldapaddmt uses this syntax:

ldapaddmt -T number_of_threads -h host -p port -f filename

where filename is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

The following example uses five concurrent threads to process the entries in the file myentries.ldif.

ldapaddmt -T 5 -h node1 -p 3000 -f myentries.ldif


Note:

Increasing the number of concurrent threads improves the rate at which LDIF entries are created, but consumes more system resources. 


Optional Arguments  Descriptions 

-b 

Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced. 

-c 

Tells the tool to proceed in spite of errors. The errors will be reported. (If you do not use this option, the tool stops when it encounters an error.) 

-D binddn 

When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option.

-E "character_set"

Specifies native character set encoding. See Chapter 12, "Managing National Language Support (NLS)" 

-h ldaphost 

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. 

-K 

Same as -k, but performs only the first step of the Kerberos bind

-k  

Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined.

You must already have a valid ticket granting ticket. 

-n  

Shows what would occur without actually performing the operation. 

-p ldapport 

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). 

-P wallet_password  

Specifies wallet password required for one-way or two-way SSL connections 

-T 

Sets the number of threads for concurrently processing entries 

-U SSLAuth 

Specifies SSL Authentication Mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

 

-v 

Specifies verbose mode 

-w password 

Provides the password required to connect 

-W wallet_location 

Specifies wallet location required for one-way or two-way SSL connections 

ldapbind Syntax

The ldapbind command line tool enables you to see whether you can authenticate a client to a server.

ldapbind uses this syntax:

ldapbind [arguments]

Optional Arguments  Descriptions 

-D binddn 

When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option. 

-E "character_set"

Specifies native character set encoding. See Chapter 12, "Managing National Language Support (NLS)"

-h ldaphost 

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. 

-n  

Shows what would occur without actually performing the operation 

-p ldapport 

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). 

-P wallet_password  

Specifies the wallet password required for one-way or two-way SSL connections 

-U SSLAuth 

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

 

-w password 

Provides the password required to connect 

-W wallet_location 

Specifies wallet location (required for one-way or two-way SSL connections) 

ldapcompare Syntax

The ldapcompare command line tool enables you to match attribute values you specify in the command line with the attribute values in the directory entry.

ldapcompare uses this syntax:

ldapcompare [arguments] 

The following example tells you whether Person Nine's title is associate.

ldapcompare -p 389 -h myhost -b "cn=Person Nine, ou=EuroSInet Suite, o=IMC, 
c=US" -a title -v associate

Mandatory Arguments  Descriptions 

-a attribute name 

Specifies the attribute on which to perform the compare 

-b basedn 

Specifies the distinguished name of the entry on which to perform the compare 

-v attribute value 

Specifies the attribute value to compare 

Optional Arguments  Descriptions 

-D binddn 

When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option.

-d debug-level 

Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility"

-E "character_set"

Specifies native character set encoding. See Chapter 12, "Managing National Language Support (NLS)"

-f filename 

Specifies the input filename 

-h ldaphost 

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. 

-p ldapport 

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). 

-P wallet_password  

Specifies wallet password (required for one-way or two-way SSL connections) 

-U SSLAuth 

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

 

-w password 

Provides the password required to connect 

-W wallet_location 

Specifies wallet location required for one-way or two-way SSL connections 

ldapdelete Syntax

The ldapdelete command line tool enables you to remove entire entries from the directory that you specify in the command line.

ldapdelete uses this syntax:

ldapdelete [arguments] "entry_DN"

The following example uses port 389 on a host named myhost.

ldapdelete -p 389 -h myhost "ou=EuroSInet Suite, o=IMC, c=US"

Optional Arguments  Descriptions 

-D binddn 

When authenticating to the directory, uses a full DN for the binddn parameter; typically used with the -w password option. 

-d debug-level 

Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility"

-E "character_set"

Specifies native character set encoding. See Chapter 12, "Managing National Language Support (NLS)"

-f filename 

Specifies the input filename 

-h ldaphost 

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. 

-k 

Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined.

You must already have a valid ticket granting ticket.  

-n 

Shows what would be done, but doesn't actually delete 

-p ldapport 

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). 

-P wallet_password  

Specifies wallet password required for one-way or two-way SSL connections 

-U SSLAuth 

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

 

-v 

Specifies verbose mode 

-w password 

Provides the password required to connect. 

-W wallet_location 

Specifies wallet location required for one-way or two-way SSL connections 

ldapmoddn Syntax

The ldapmoddn command line tool enables you to modify the DN or RDN of an entry.

ldapmoddn uses this syntax:

ldapmoddn [arguments]

The following example uses ldapmoddn to modify the RDN component of a DN from "cn=dcpl" to "cn=thanh mai". It uses port 389, and a host named myhost.

ldapmoddn -p 389 -h myhost -b "cn=dcpl,dc=Americas,dc=imc,dc=com" -R "cn=thanh 
mai"

Mandatory Argument  Description 

-b basedn 

Specifies DN of the entry to be moved 

Optional Arguments  Descriptions 

-D binddn 

When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option.

-E "character_set"

Specifies native character set encoding. See Chapter 12, "Managing National Language Support (NLS)"

-f filename 

Specifies the input filename 

-h ldaphost 

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. 

-N newparent 

Specifies new parent of the RDN 

-p ldapport 

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). 

-P wallet_password  

Specifies wallet password required for one-way or two-way SSL connections 

-r 

Specifies that the old RDN is not retained as a value in the modified entry. If this argument is not included, the old RDN is retained as an attribute in the modified entry. 

-R newrdn 

Specifies new RDN 

-U SSLAuth 

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

 

-w password 

Provides the password required to connect. 

-W wallet_location 

Specifies wallet location required for one-way or two-way SSL connections 

ldapmodify Syntax

The ldapmodify tool enables you to act on attributes.

ldapmodify uses this syntax:

ldapmodify [arguments] -f filename

where filename is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

The list of arguments in the following table is not exhaustive.

Optional Arguments  Description 

-a 

Denotes that entries are to be added, and that the input file is in LDIF format. 

-b 

Specifies that you have included binary file names in the data file, which are preceded by a forward slash character.  

-c 

Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.) 

-D binddn 

When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option.

-E "character_set"

Specifies native character set encoding. See Chapter 12, "Managing National Language Support (NLS)"

-h ldaphost 

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. 

-n 

Shows what would occur without actually performing the operation. 

-p ldapport 

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). 

-P wallet_password  

Specifies wallet password required for one-way or two-way SSL connections 

-U SSLAuth 

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

 

-v 

Specifies verbose mode 

-w password 

Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option. 

-W wallet_location 

Specifies wallet location (required for one-way or two-way SSL connections) 

To run modify, delete, and modifyrdn operations using the -f flag, use LDIF for the input file format (see "LDAP Data Interchange Format (LDIF) Syntax") with the specifications noted below:

Always separate entries with a blank line.

Unnecessary space characters in the LDIF input file, such as a space at the end of an attribute value, will cause the LDAP operations to fail.

Line 1: Every change record has, as its first line, the literal dn: followed by the DN value for the entry, for example:

dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US

Line 2: Every change record has, as its second line, the literal "changetype:" followed by the type of change (add, delete, modify, modrdn), for example:

changetype:modify

or

changetype:modrdn

Format the remainder of each record according to the following requirements for each type of change:
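The LDIF entry layout described in "LDAP Data Interchange Format (LDIF) Syntax" and the change-record rules above (records separated by a blank line, line 1 is dn:, line 2 is changetype: with one of add, delete, modify or modrdn, and no stray whitespace at the end of a value) are easy to get wrong when LDIF is generated by scripts, and a server-side failure halfway through a batch is awkward to recover from. The following Python module is an added example, not code from the Oracle documentation or from the product: it splits LDIF text into records, collects multi-valued attributes, and reports every violation of those rules before anything is sent to ldapmodify. The sample input is constructed for the example and modelled on the page's Suzie Smith and Barbara Fritchy entries; the replace: line in the modify record follows standard LDIF (RFC 2849), which this appendix's per-changetype layout does not spell out, so treat it as an assumption.

```python
import re
from typing import Dict, List, Tuple

# Change types the page lists for line 2 of every ldapmodify change record.
CHANGETYPES = {"add", "delete", "modify", "modrdn"}

# One "attribute: value" line; the page's examples use both "dn: x" and "dn:x".
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):[ ]?(.*)$")

# Constructed sample input (not from the page): two well-formed records, then two
# records that each break a rule stated above. "\x20" plants the trailing space
# that the third record is meant to contain.
SAMPLE_LDIF = """\
dn: cn=Suzie Smith,ou=Server Technology,o=Acme,c=US
changetype: add
cn: Suzie Smith
cn: SuzieS
sn: Smith
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
changetype:modify
replace: title
title: Manager

dn: cn=Bad Record,o=Acme,c=US
changetype: modify
replace: sn
sn: Smith\x20

dn: cn=Worse Record,o=Acme,c=US
sn: Jones
changetype: rename
"""


def split_records(text: str) -> List[List[str]]:
    """Split LDIF text into records; a blank line separates records."""
    records: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        if raw.strip() == "":
            if current:
                records.append(current)
                current = []
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def parse_record(lines: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Parse one change record into {attribute: [values]} and list rule violations."""
    attrs: Dict[str, List[str]] = {}
    errors: List[str] = []
    for n, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {n}: not 'attribute: value' syntax: {line!r}")
            continue
        name, value = m.group(1), m.group(2)
        # A space at the end of a value makes the server reject the operation.
        if value != value.rstrip():
            errors.append(f"line {n}: trailing whitespace in value of {name}")
        if n == 1 and name.lower() != "dn":
            errors.append("line 1: must be 'dn:' followed by the entry DN")
        if n == 2 and name.lower() != "changetype":
            errors.append("line 2: must be 'changetype:' (add, delete, modify, modrdn)")
        if name.lower() == "changetype" and value.strip() not in CHANGETYPES:
            errors.append(f"line {n}: unknown changetype {value!r}")
        attrs.setdefault(name.lower(), []).append(value)   # repeats build multi-valued attrs
    if len(lines) < 2:
        errors.append("record needs at least a dn: line and a changetype: line")
    return attrs, errors


def validate_ldif(text: str) -> List[Tuple[str, List[str]]]:
    """Return (dn, errors) per record; an empty error list means the record is well formed."""
    results = []
    for rec in split_records(text):
        attrs, errors = parse_record(rec)
        results.append((attrs.get("dn", ["<missing dn>"])[0], errors))
    return results


if __name__ == "__main__":
    for dn, errors in validate_ldif(SAMPLE_LDIF):
        print(dn, "OK" if not errors else errors)
```

Run it before ldapmodify -f and reject the whole file if any record reports an error; with -c the tool would otherwise skip the bad records and apply the rest, which leaves the directory in a partially updated state that is hard to audit.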

ldapmodifymt Syntax

The ldapmodifymt command line tool enables you to modify several entries concurrently.

ldapmodifymt uses this syntax:

ldapmodifymt -T number_of_threads [arguments] -f filename

where filename is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".

See Also:

"ldapmodify Syntax" for additional formatting specifications used by ldapmodifymt  

The following example uses five concurrent threads to modify the entries in the file myentries.ldif.

ldapmodifymt -T 5 -h node1 -p 3000 -f myentries.ldif

Optional Arguments  Descriptions 

-a 

Denotes that entries are to be added, and that the input file is in LDIF format. (If you are running ldapadd, this flag is not required.) 

-b 

Specifies that you have included binary file names in the data file, which are preceded by a forward slash character.  

-c 

Tells ldapmodifymt to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodifymt stops when it encounters an error.)

-D binddn 

When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option.

-E "character_set"

Specifies native character set encoding. See Chapter 12, "Managing National Language Support (NLS)"

-h ldaphost 

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. 

-n 

Shows what would occur without actually performing the operation. 

-p ldapport 

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). 

-P wallet_password  

Specifies wallet password required for one-way or two-way SSL connections 

-T 

Sets the number of threads for concurrently processing entries 

-U SSLAuth 

Specifies SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

 

-v 

Specifies verbose mode 

-w password 

Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option. 

-W wallet_location 

Specifies wallet location required for one-way or two-way SSL connections 

ldapsearch Syntax

The ldapsearch command line tool enables you to search for and retrieve specific entries in the directory.

ldapsearch uses this syntax:

ldapsearch [arguments] filter [attributes]

The filter format must be compliant with RFC 2254. For further information about this standard, see http://www.ietf.org/rfc/rfc2254.txt

Separate attributes with a space. If you do not list any attributes, all attributes are retrieved.

Mandatory Arguments  Descriptions 

-b basedn 

Specifies base dn for search 

-s scope 

Specifies search scope: base, one, or sub. 

Optional Arguments  Descriptions 

-A 

Retrieves attribute names only (no values) 

-a deref 

Specifies alias dereferencing: never, always, search, or find 

-B 

Allows printing of non-ASCII values 

-D binddn 

When authenticating to the directory, specifies doing so as the entry specified in binddn. Use this with the -w password option. 

-d debug level 

Sets debugging level to the level specified (see Table 5-1)

-E "character_set"

Specifies native character set encoding. See Chapter 12, "Managing National Language Support (NLS)"

-f file  

Performs sequence of searches listed in file 

-F sep 

Prints `sep' instead of `=' between attribute names and values 

-h ldaphost 

Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. 

-L 

Prints entries in LDIF format (-B is implied) 

-l timelimit 

Specifies maximum time (in seconds) to wait for ldapsearch command to complete 

-n 

Shows what would be done without actually searching 

-p ldapport 

Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). 

-P wallet_password 

Specifies wallet password (required for one-way or two-way SSL connections) 

-S attr  

Sorts the results by attribute attr 

-t 

Writes to files in /tmp 

-u 

Includes user friendly entry names in the output 

-U SSLAuth 

Specifies the SSL authentication mode:

  • 1 for no authentication required

  • 2 for one way authentication required

  • 3 for two way authentication required

 

-v 

Specifies verbose mode 

-w passwd 

Specifies bind passwd for simple authentication 

-W wallet_location 

Specifies wallet location required for one-way or two-way SSL connections 

-z sizelimit 

Specifies maximum number of entries to retrieve 

Examples of ldapsearch Filters

Study the following examples to see how to build your own search commands.

Example 1: Base Object Search

The following example performs a base-level search on the directory from the root.

ldapsearch -p 389 -h myhost -b "" -s base -v "objectclass=*"

Example 2: One-Level Search

The following example performs a one level search starting at "ou=HR, ou=Americas, o=IMC, c=US".

ldapsearch -p 389 -h myhost -b "ou=HR, ou=Americas, o=IMC, c=US" -s one -v "objectclass=*"

Example 3: Sub-Tree Search

The following example performs a sub-tree search and returns all entries having a DN starting with "cn=Person".

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*"

Example 4: Search Using Size Limit

The following example actually retrieves only two entries, even if there are more than two matches.

ldapsearch -h myhost -p 389 -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s one "objectclass=*"

Example 5: Search with Required Attributes and Attribute Options

The following example returns only the DN attribute values of the matching entries:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "objectclass=*" dn

The following example retrieves only the distinguished name (dn) along with the surname (sn) and description (description) attribute values:

ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description

The following example retrieves entries with common name (cn) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.

ldapsearch -p 389 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"

Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following example fails:

ldapsearch -p 389 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"

Example 6: Searching for All User Attributes and Specified Operational Attributes

The following example retrieves all user attributes and the createtimestamp and orclguid operational attributes:

ldapsearch -p 389 -h myhost -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s sub 
"cn=Person*" * createtimestamp orclguid

The following example retrieves entries modified by Anne Smith:

ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifiersname=cn=Anne
Smith))"

The following example retrieves entries modified between 01 April 2000 and 06 April 2000:

ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifytimestamp>=20000401000000)
(modifytimestamp<= 20000406235959))"


Note:

Because modifiersname and modifytimestamp are not indexed attributes, use catalog.sh to index these two attributes. Then, restart the Oracle directory server before issuing the two previous ldapsearch commands. 


Other Examples:

Each of the following examples searches on port 389 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us".

The following example searches for all entries with any value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"

The following example searches for all entries that have orcle at the beginning of the value for the objectclass attribute.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"objectclass=orcle*"

The following example searches for entries where the objectclass attribute begins with orcle and cn begins with foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"(&(objectclass=orcle*)(cn=foo*))"

The following example searches for entries in which the common name (cn) is not foo.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(!(cn=foo))"

The following example searches for entries in which cn begins with foo or sn begins with bar.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"(|(cn=foo*)(sn=bar*))"

The following example searches for entries in which employeenumber is less than or equal to 10000.

ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree 
"employeenumber<=10000"
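The filters in the ldapsearch examples above are RFC 2254 search filters: a presence test (objectclass=*), substring tests with a trailing asterisk (cn=Person*, objectclass=orcle*), ordering tests (employeenumber<=10000, the modifytimestamp range) and the &, | and ! combinators. The following Python module is an added example, not code from the Oracle documentation or from the product: it parses that grammar, evaluates each filter against a few constructed in-memory entries so the semantics of every example on this page can be checked offline, and shows the escaping RFC 2254 requires when a filter value is built from untrusted input, which is the classic LDAP injection mistake. The entries, DNs and attribute values are constructed for the example; matching is simplified (case-insensitive strings, numeric comparison when both sides are digits) and does not reproduce the directory server's per-attribute matching rules.

```python
import re
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]          # lower-cased attribute name -> values
Predicate = Callable[[Entry], bool]

_SIMPLE_RE = re.compile(r"([A-Za-z0-9.;-]+)(>=|<=|~=|=)([^()]*)")
_ESCAPED_RE = re.compile(r"\\([0-9A-Fa-f]{2})")


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 2254 reserves inside a filter value, so untrusted
    input is matched literally instead of being parsed as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return _ESCAPED_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def _ordered(a: str, b: str) -> Tuple:
    """Compare as integers when both sides are all digits, otherwise as strings."""
    return (int(a), int(b)) if a.isdigit() and b.isdigit() else (a, b)


def _simple(attr: str, op: str, raw: str) -> Predicate:
    """Predicate for one item such as cn=Person* or employeenumber<=10000."""
    if op == "=" and raw == "*":                         # presence test, e.g. objectclass=*
        return lambda e: attr in e
    if op == "=" and "*" in raw:                         # substring test; '*' is the wildcard
        parts = [re.escape(_unescape(p)) for p in raw.split("*")]
        rx = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
        return lambda e: any(rx.match(v) for v in e.get(attr, []))
    target = _unescape(raw)
    if op in ("=", "~="):                                # ~= treated as equality here
        return lambda e: any(v.lower() == target.lower() for v in e.get(attr, []))

    def ordered(v: str) -> bool:
        a, b = _ordered(v, target)
        return a >= b if op == ">=" else a <= b
    return lambda e: any(ordered(v) for v in e.get(attr, []))


def _parse(s: str, i: int) -> Tuple[Predicate, int]:
    """Parse the parenthesised filter at s[i]; return (predicate, index after its ')')."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i:i + 1]
    if op in ("&", "|"):                                 # and / or over the enclosed filters
        i += 1
        preds: List[Predicate] = []
        while i < len(s) and s[i] == "(":
            p, i = _parse(s, i)
            preds.append(p)
        combine = all if op == "&" else any
        pred: Predicate = lambda e, ps=preds, c=combine: c(p(e) for p in ps)
    elif op == "!":                                      # negation of the enclosed filter
        inner, i = _parse(s, i + 1)
        pred = lambda e, p=inner: not p(e)
    else:                                                # simple item: attr op value
        m = _SIMPLE_RE.match(s, i)
        if not m:
            raise ValueError(f"malformed filter item at offset {i}")
        pred, i = _simple(m.group(1).lower(), m.group(2), m.group(3)), m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return pred, i + 1


def parse_filter(text: str) -> Predicate:
    text = text.strip()
    if not text.startswith("("):                         # the tool accepts a bare item such as objectclass=*
        text = "(" + text + ")"
    pred, end = _parse(text, 0)
    if end != len(text):                                 # e.g. an injected ")(" that opened a second filter
        raise ValueError(f"unexpected trailing text at offset {end}: {text[end:]!r}")
    return pred


def search(filter_text: str, entries: List[Entry]) -> List[str]:
    """Return the DNs of the entries that match filter_text."""
    pred = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if pred(e)]


# Constructed in-memory entries (not from the page), shaped like the examples above.
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": ["cn=foo,ou=hr,o=acme,c=us"], "objectclass": ["orcleperson", "person", "top"],
     "cn": ["foo"], "sn": ["bar"], "employeenumber": ["9000"],
     "modifiersname": ["cn=Anne Smith"], "modifytimestamp": ["20000403120000"]},
    {"dn": ["cn=Person Nine,ou=hr,o=acme,c=us"], "objectclass": ["person", "top"],
     "cn": ["Person Nine"], "cn;lang-fr": ["Robert"], "sn": ["Barton"],
     "employeenumber": ["12000"], "modifiersname": ["cn=Directory Manager"],
     "modifytimestamp": ["20000501000000"]},
    {"dn": ["ou=benefits,ou=hr,o=acme,c=us"], "objectclass": ["organizationalunit", "top"],
     "ou": ["benefits"]},
]

if __name__ == "__main__":
    for f in ("objectclass=*", "(&(objectclass=orcle*)(cn=foo*))", "employeenumber<=10000"):
        print(f, "->", search(f, SAMPLE_ENTRIES))
    # A value taken from untrusted input is escaped before it is spliced into a filter:
    print(search("(cn=" + escape_filter_value("*)(objectclass=*") + ")", SAMPLE_ENTRIES))
```

The parser deliberately refuses a filter with text left over after the first complete item, which is what an unescaped ")(" in a user-supplied value produces; the same input passed through escape_filter_value becomes a literal that matches nothing. Any application that assembles ldapsearch filters from request parameters should escape the values the same way.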

Bulk Tools Syntax

This section contains these topics:

bulkdelete Syntax

The bulkdelete command line tool enables you to delete a subtree efficiently. It can be used when both an Oracle directory server and Oracle directory replication servers are in operation. It uses a SQL interface to benefit performance. For this release, the bulkdelete tool runs on only one node at a time.

This tool does not support filter-based deletion. That is, it deletes an entire subtree below the root of the subtree. If the base DN is a user-added DN, rather than a DN created as part of the installation of the directory, it is included in the delete. You must restrict LDAP activity against the subtree during deletion.

The bulkdelete tool uses this syntax:

bulkdelete.sh -connect net_service_name -base "base_dn" -size number_of_entries 
-encode "character_set"

Mandatory Arguments  Descriptions 

-connect net_service_name

Specifies the net service name to connect to the directory database

See Also: Net8 Administrator's Guide 

-base "base_dn"

Specifies the base DN of the subtree to be deleted 

Optional Arguments  Descriptions 

-size number_of_entries 

Specifies the number of entries to be committed as a part of one transaction. 

-encode "character_set"

Native character set encoding 

bulkload Syntax

The bulkload command line tool uses Oracle SQL*Loader to create directory entries from data residing in or created by other applications. When using bulkload, you specify any options and the input filename. The bulkload tool expects the input file to be in LDIF.

See Also:

"LDAP Data Interchange Format (LDIF) Syntax"

The bulkload tool uses this syntax:

bulkload.sh -connect net_service_name [-check] [-generate] [-load]
[-restore] absolute_path_to_ldif.file

Mandatory Argument  Description 

-connect net_service_name

Specifies the net service name defined in the tnsnames.ora file.

See Also: Net8 Administrator's Guide 

Optional Arguments  Descriptions 

-check

Checks LDAP schema for inconsistencies and for existence of duplicate DNs in the file 

-encode "character_set"

Specifies native character set encoding. See Chapter 12, "Managing National Language Support (NLS)"

-generate

Creates files suitable for loading into Oracle Internet Directory 

-load

Loads files resulting from generate phase into specified database 

-restore

Takes the operational attributes, such as orclguid, creatorsname, and createtimestamp, from the LDIF file rather than generating new ones. Use this argument only when the LDIF file contains operational attributes. Use this in conjunction with the generate and check arguments. 

Bulk loading must be performed when Oracle Internet Directory instances are not running.

See Also:

Chapter 5, "Managing an Oracle Directory Server" for instructions on stopping directory server instances 

The LDIF data file path must be fully specified for check or generate operations.

Bulk Loading Multiple Nodes in a Replicated Environment

After generating a file with the generate option, you can use the load option to load multiple computers with the identical SQL*Loader file. Do this only when creating a new replica node.

See Also:

"Task 6: Start the Replication Servers on All the Nodes" 

The current version of bulkload does not allow you to specify the connection information for all of the nodes in one command.

When you load the same data into multiple nodes in a replicated network, ensure that the orclGUID parameter (global IDs) is consistent across all the nodes. You can accomplish this by generating the bulkload data file once only (using the -generate option), and then using the same data file to load the other nodes (using the -load option).

bulkmodify Syntax

The bulkmodify command line tool enables you to modify a large number of existing entries in an efficient way. The bulkmodify tool supports the following:

The bulkmodify tool performs schema checking on the specified attribute name and value pair during initialization. All entries that meet the following criteria are modified:

The Oracle directory server and Oracle directory replication server may be running concurrently while bulk modification is in progress, but the bulk modification does not affect the replication server. You must perform bulk modification against all replicas.


Note:

LDIF file based modification is not supported by bulkmodify. This type of modification requires per entry based schema checking, and therefore the performance gain over the existing ldapmodify tool is insignificant. 


You must restrict user access to the subtree during bulk modification. If necessary, ACI restriction can be applied to the subtree being updated by bulkmodify.

You cannot use bulkmodify to add a value to single-valued attributes that already contain one value. If a second value is added, you must alter the directory schema to make that attribute multi-valued.

The bulkmodify tool uses this syntax:

bulkmodify -c net_service_name -b base_dn {-a|-r} attr_name -v att_value [-f 
filter] [-s size]

Mandatory Arguments  Descriptions 

-c net_service_name 

Specifies the net service name of the directory database

See Also: Net8 Administrator's Guide 

-b base_dn 

Specifies the base DN of the subtree to be modified 

-a attr_name  

Specifies the attribute name for addition 

-r attr_name 

Specifies the attribute name for replacement 

-v att_value  

Specifies the attribute value for either addition or replacement 

Optional Arguments  Descriptions 

-f filter 

Specifies the filter to be used 

-s number_of_entries 

Specifies the number of entries to be committed as a part of one transaction. If not specified, default is 100. 

-E "character_set"

Native character set encoding. See Chapter 12, "Managing National Language Support (NLS)"

The filter specified with the -f option must contain a single attribute.

If a filter is not specified, the default filter objectclass=* is assumed.

There can be only one attribute name specified in the -a or -r option in each execution.

There can be only one value specified in the -v option in each execution. For example, the following bulkmodify command adds the telephone number 408-123-4567 to the entries of all employees who have Anne Smith as their manager:

bulkmodify -c my_database -b "c=US" -a telephoneNumber -v "408-123-4567" -f "manager=Anne Smith"

To assure that the modified entries are read, after completing the bulkmodify procedure, restart the Oracle Internet Directory server.

ldifwrite Syntax

The ldifwrite command line tool enables you to convert all or part of the information residing in an Oracle Internet Directory to LDIF. This makes that information available for loading into a new node in a replicated directory or into another node for backup storage. The ldifwrite tool performs a subtree search that includes the entry at the specified DN and all entries below it.

The ldifwrite tool uses this syntax:

ldifwrite -c net_service_name -b base_DN -f filename 

Mandatory Arguments  Descriptions 

-c net_service_name 

Specifies the net service name of the directory that is the source of the data, as defined in the tnsnames.ora file.

See Also: Net8 Administrator's Guide 

-b base_DN 

Specifies the base of the subtree to be written out in LDIF format 

-f filename 

Specifies the name of the LDIF file to be created 

Optional Argument  Description 

-E "character_set"

Specifies native character set encoding.

See Also: "Using NLS with ldifwrite" 

The following example writes all the entries under ou=Europe, o=imc, c=us into the output1.ldi file.

ldifwrite -c nldap -b "ou=Europe, o=imc, c=us" -f output1.ldi

The -c, -b, and -f arguments are mandatory; only -E is optional.

The LDIF file and the intermediate file are always written to the current directory.

The ldifwrite tool includes the operational attributes of each entry, including createtimestamp, creatorsname, and orclguid. Because the output file is a complete copy of every attribute in the subtree, protect it as you would any directory backup.
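The following shell functions are an added example, not part of the Oracle guide or of ldifwrite itself. They post-process an ldifwrite dump before it is loaded into another node: the server-assigned operational attributes named above are removed (with their LDIF continuation lines), and a second function reports how many entries carry a given attribute, so you know, for instance, whether a dump holds userPassword values before copying it anywhere. Assumptions not on the page: POSIX sh and awk are available, continuation lines begin with a single space, and attribute names compare case-insensitively; the attribute list in OPERATIONAL_ATTRS can be overridden from the environment.

```shell
#!/bin/sh
# Added example; not from the Oracle guide or from ldifwrite.
# Cleans an ldifwrite dump for reloading: drops operational attributes the
# target server should generate itself, and counts entries holding an attribute.
# Assumptions: POSIX sh/awk; LDIF continuation lines start with one space and
# belong to the attribute on the preceding line; names compare case-insensitively.

: "${OPERATIONAL_ATTRS:=createtimestamp creatorsname orclguid}"

strip_operational_attrs() {
    # $1 = input LDIF, $2 = output LDIF. Copies every line except the listed
    # attributes and their continuation lines.
    awk -v attrs="$OPERATIONAL_ATTRS" '
    BEGIN {
        n = split(attrs, a, " ")
        for (i = 1; i <= n; i++) drop[tolower(a[i])] = 1
        skipping = 0
    }
    /^ / {                           # continuation of the previous attribute
        if (!skipping) print
        next
    }
    {
        skipping = 0
        if (match($0, /^[A-Za-z][A-Za-z0-9.;-]*:/)) {
            name = tolower(substr($0, RSTART, RLENGTH - 1))
            if (name in drop) { skipping = 1; next }
        }
        print
    }' "$1" > "$2"
}

count_entries_with_attr() {
    # $1 = LDIF file, $2 = attribute name. Prints the number of entries in
    # which the attribute appears at least once (entries are separated by
    # blank lines and start with a dn: line).
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^dn:/ { in_entry = 1; hit = 0 }
    /^$/   { if (in_entry && hit) c++; in_entry = 0 }
    {
        if (in_entry && match($0, /^[A-Za-z][A-Za-z0-9.;-]*:/) &&
            tolower(substr($0, RSTART, RLENGTH - 1)) == want) hit = 1
    }
    END { if (in_entry && hit) c++; print c + 0 }' "$1"
}

# Typical use after ldifwrite (not executed here):
#   ldifwrite -c nldap -b "ou=Europe, o=imc, c=us" -f output1.ldi
#   count_entries_with_attr output1.ldi userPassword
#   strip_operational_attrs output1.ldi output1.clean.ldi
```

The first awk rule handles continuation lines: a line beginning with a space is kept or dropped according to whether the attribute it continues was kept or dropped, so a base64 orclguid value wrapped over two lines disappears completely rather than leaving an orphaned fragment that would corrupt the next attribute on import.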

Catalog Management Tool Syntax

Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, the entry cn=catalogs lists available attributes that can be used in a search. Only those attributes that have an equality matching rule can be indexed.

If you want to use additional attributes in search filters, you must add them to the catalog entry. You can do this at the time you create the attribute by using Oracle Directory Manager. However, if the attribute already exists, then you can index it only by using the Catalog Management tool.

Before running the Catalog Management tool, unset the LANG variable. After you finish running Catalog Management tool, set the LANG variable back to its original value.

To unset LANG:

The Catalog Management tool uses this syntax:

catalog.sh -connect net_service_name {add|delete} {-attr attr_name|-file filename}

Mandatory Argument  Description 

-connect net_service_name 

Specifies the net service name to connect to the directory database

See Also: Net8 Administrator's Guide 

Operation Arguments (specify exactly one)  Descriptions 

add -attr attr_name 

Indexes the specified attribute 

delete -attr attr_name 

Drops the index from the specified attribute 

add -file filename 

Indexes the attributes (one per line) listed in the specified file 

delete -file filename 

Drops the indexes from the attributes in the specified file 

When you enter the catalog.sh command, the following message appears:

This tool can only be executed if you know the OiD user password.
Enter OiD password:

If you enter the correct password, the command is executed. If you give an incorrect password, the following message is displayed:

Cannot execute this tool

After you finish running the Catalog Management tool, set the LANG variable back to its original value.

To set LANG:

To effect the changes after running the Catalog Management tool, stop, then restart, the Oracle directory server.

See Also:

Chapter 5, "Managing an Oracle Directory Server" for instructions on starting and restarting directory servers 
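The following shell function is an added example, not part of the Oracle guide or of the Catalog Management tool. It performs the procedure described above as a single step: it checks the attribute list file, unsets LANG only for the duration of catalog.sh, restores LANG afterwards regardless of how catalog.sh exited, and reminds the operator that the directory server must be restarted. Assumptions not on the page: a Bourne-compatible shell; a CATALOG_SH variable naming the catalog.sh command so that another command can be substituted for a dry run; and that every line of the attribute file is a bare attribute name, which is what the tool expects.

```shell
#!/bin/sh
# Added example; not from the Oracle guide.
# Runs catalog.sh with LANG unset, then restores LANG to its previous state.
# Assumptions: Bourne-compatible shell; CATALOG_SH can be overridden.

: "${CATALOG_SH:=catalog.sh}"

validate_attr_file() {
    # Every line must look like an LDAP attribute name; reject empty files,
    # blank lines and anything else that is not a plain name.
    [ -s "$1" ] || return 1
    ! grep -Evq '^[A-Za-z][A-Za-z0-9-]*$' "$1"
}

catalog_attrs() {
    # $1 = net service name, $2 = add | delete, $3 = attribute list file
    case $2 in
        add|delete) ;;
        *) echo "operation must be add or delete" >&2; return 1 ;;
    esac
    validate_attr_file "$3" || { echo "bad attribute list: $3" >&2; return 1; }

    saved_lang="${LANG-__unset__}"    # remember whether LANG was set at all
    unset LANG
    "$CATALOG_SH" -connect "$1" "$2" -file "$3" && rc=0 || rc=$?

    # Restore LANG exactly as it was, even if catalog.sh failed.
    if [ "$saved_lang" = "__unset__" ]; then
        unset LANG
    else
        LANG="$saved_lang"; export LANG
    fi
    [ "$rc" -eq 0 ] && echo "Indexes changed; restart the directory server (oidctl ... restart) to use them." >&2
    return "$rc"
}

# Typical use (not executed here):
#   printf 'mail\ntelephoneNumber\n' > attrs.txt
#   catalog_attrs nldap add attrs.txt
#   oidctl connect=nldap server=oidldapd restart
```

The password prompt shown above is still issued by catalog.sh itself; the wrapper does not read or store it.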

OID Monitor Syntax

This section contains these topics:

Starting the OID Monitor

To start the OID Monitor:

  1. Set the following environment variable to the appropriate language setting. The default language set at installation is AMERICAN_AMERICA.

    NLS_LANG=APPROPRIATE_LANGUAGE.UTF8
  2. At the system prompt, type:

    oidmon [connect=net_service_name] [sleep=seconds] start
    

    Argument  Description 

    connect=net_service_name 

    Specifies the net service name of the database to which you want to connect. This is the network service name set in the tnsnames.ora file. This argument is optional. 

    sleep=seconds 

Specifies the number of seconds after which the OID Monitor checks for new requests from OID Control and for requests to restart any servers that may have stopped. The default sleep time is 10 seconds. This argument is optional. 

    start 

    Starts the OID Monitor process 

    For example:

    oidmon connect=dbs1 sleep=10 start
    

Stopping the OID Monitor

To stop the OID Monitor daemon, at the system prompt, type:

oidmon [connect=net_service_name] stop

Argument  Description 

connect=net_service_name 

Specifies net service name of the database to which you want to connect. This is the net service name set in the tnsnames.ora file. 

stop 

Stops the OID Monitor process 

For example:

oidmon connect=dbs1 stop

OID Control Utility Syntax


Note:

OID Monitor must be running whenever you start, stop, or restart directory server instances. 


This section contains these topics:

Starting and Stopping an Oracle Directory Server Instance

Use the OID Control Utility to start and stop Oracle directory server instances.

Starting an Oracle Directory Server Instance

The syntax for starting an Oracle directory server instance is:

oidctl connect=net_service_name server=oidldapd instance=server_instance_number [configset=configset_number] [flags='-p port_number -work maximum_number_of_worker_threads_per_server -debug debug_level -l -server n'] start

Argument  Description 

connect 

If you already have a tnsnames.ora file configured, this is the net service name specified in that file, located in ORACLE_HOME/network/admin 

server 

Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive. 

instance 

Instance number of the server to start. Should be a number between 0 and 1000. 

configset 

Configset number used to start the server. This defaults to configset0 if not set. This should be a number between 0 and 1000. 

-p 

Specifies a port number during server instance startup. Default port if not set is 389. 

-work 

Specifies the maximum number of worker threads for this server 

-debug 

Specifies a debug level during Oracle directory server instance startup 

-l 

Turns replication change-logging off. Change-logging is on by default; include -l (with no value) in the flags to turn it off, or omit it to leave it on. (directory server only) 

-server 

Specifies the number of server processes to start on this port 

start 

Starts the server specified in the server argument. 

For example, to start an Oracle directory server instance whose net service name is dbs1, using configset5, at port 12000, with a debug level of 1024, an instance number of 3, and with change-logging turned off, type at the system prompt:

oidctl connect=dbs1 server=oidldapd instance=3 configset=5 flags='-p 12000 -debug 1024 -l' start

When starting and stopping an Oracle directory server instance, the server name and instance number are mandatory. All other arguments are optional.

All keyword value pairs within the flags arguments must be separated by a single space.

Single quotes are mandatory around the flags.

The configset identifier defaults to zero (configset0) if not set.


Note:

If you choose to use a port other than the default port (389 for non-secure usage or 636 for secure usage), you must tell the clients which port to use to locate the Oracle Internet Directory. If you use the default ports, clients can connect to the Oracle Internet Directory without referencing a port in their connect requests. 
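The following shell functions are an added example, not part of the Oracle guide or of the OID Control Utility. They assemble an oidctl start command for a directory server instance and apply the rules stated above before anything is run: server and instance are mandatory, instance and configset must lie between 0 and 1000, the flags go inside single quotes separated by single spaces, and -l takes no value and switches change-logging off. Assumptions not on the page: the command is printed for review rather than executed, and a port is accepted if it is in the range 1 to 65535.

```shell
#!/bin/sh
# Added example; not from the Oracle guide.
# Builds and sanity-checks an "oidctl ... start" command line.
# Assumption: the result is printed for review; pipe it to sh to run it.

is_int_in_range() {           # $1 value, $2 minimum, $3 maximum
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

oidctl_start_cmd() {
    # $1 net service name, $2 instance number, $3 configset ("" = default 0),
    # $4 port ("" = default 389), $5 debug level ("" = none),
    # $6 "off" to disable change-logging, anything else leaves it on
    [ -n "$1" ] || { echo "net service name is required" >&2; return 1; }
    is_int_in_range "$2" 0 1000 || { echo "instance must be 0-1000" >&2; return 1; }
    cmd="oidctl connect=$1 server=oidldapd instance=$2"
    flags=""
    if [ -n "$3" ]; then
        is_int_in_range "$3" 0 1000 || { echo "configset must be 0-1000" >&2; return 1; }
        cmd="$cmd configset=$3"
    fi
    if [ -n "$4" ]; then
        is_int_in_range "$4" 1 65535 || { echo "port must be 1-65535" >&2; return 1; }
        flags="$flags -p $4"
    fi
    if [ -n "$5" ]; then
        is_int_in_range "$5" 0 999999999 || { echo "debug level must be a non-negative integer" >&2; return 1; }
        flags="$flags -debug $5"
    fi
    [ "$6" = off ] && flags="$flags -l"
    # Flags are emitted inside the mandatory single quotes, one space apart.
    [ -n "$flags" ] && cmd="$cmd flags='${flags# }'"
    printf '%s start\n' "$cmd"
}

# Typical use (not executed here):
#   oidctl_start_cmd dbs1 3 5 12000 1024 off
#   oidctl_start_cmd dbs1 3 5 12000 1024 off | sh
```

Validating the numbers before invoking oidctl matters because a rejected instance or configset number surfaces only as a failed start, which then has to be diagnosed with OID Monitor running and the server down.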


Stopping an Oracle Directory Server Instance

At the system prompt, type:

oidctl connect=net_service_name server=OIDLDAPD instance=server_instance_number 
stop

For example:

oidctl connect=dbs1 server=oidldapd instance=3 stop

Starting and Stopping an Oracle Directory Replication Server Instance

Use the OID Control Utility to start and stop Oracle directory replication server instances.

Starting an Oracle Directory Replication Server Instance

The syntax for starting the Oracle directory replication server is:

oidctl connect=net_service_name server=oidrepld instance=server_instance_number [configset=configset_number] flags='-h hostname -p port_number -d debug_level -m true|false -z transaction_size' start

Argument  Description 

connect 

If you already have a tnsnames.ora file configured, then this is the name specified in that file, which is located in ORACLE_HOME/network/admin 

server 

Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive. 

instance 

Instance number of the server to start. Should be a number between 0 and 1000. 

configset 

Configset number used to start the server. This defaults to configset0 if not set. This should be a number between 0 and 1000. 

-p 

Specifies a port number during server instance startup. Default port if not set is 389. 

-d 

Specifies a debug level during replication server instance startup 

-h 

Specifies the host name on which the server runs. (Replication server only) 

-m [true|false] 

Turns conflict resolution on and off. The default is true (values = true and false). (Replication server only) 

-z 

Specifies the number of changes applied in each replication update cycle. If you do not specify this, the number is determined by the Oracle directory server sizelimit parameter, which has a default setting of 1024. You can configure this latter setting. 

start 

Starts the server specified in the server argument. 

For example, to start the replication server with instance=1, at port 12000, on host eastsun11, with debugging set to 1024, type at the system prompt:

oidctl connect=dbs1 server=oidrepld instance=1 flags='-p 12000 -h eastsun11 -d 1024' start

When starting and stopping an Oracle directory replication server, the -h flag, which specifies the host name, is mandatory. All other flags are optional.

All keyword value pairs within the flags arguments must be separated by a single space.

Single quotes are mandatory around the flags.

The configset identifier defaults to zero (configset0) if not set.


Note:

If you choose to use a port other than the default port (389 for non-secure usage or 636 for secure usage), you must tell the clients which port to use to locate the Oracle Internet Directory. If you use the default ports, clients can connect to the Oracle Internet Directory without referencing a port in their connect requests. 


Stopping an Oracle Directory Replication Server Instance

At the system prompt, type:

oidctl connect=net_service_name server=OIDREPLD instance=server_instance_number 
stop

For example:

oidctl connect=dbs1 server=oidrepld instance=1 stop

Restarting Directory Server Instances

To restart a directory server instance, at the system prompt, type:

oidctl connect=net_service_name server={oidldapd|oidrepld} instance=server_instance_number restart

OID Monitor must be running whenever you start, stop, or restart directory server instances.

If you try to contact a server that is down, you receive from the SDK the error message 81--LDAP_SERVER_DOWN.

If you change a configuration set entry that is referenced by an active server instance, you must stop that instance and restart it to effect the changed value in the configuration set entry on that server instance. You can either issue the STOP command followed by the START command, or you can use the RESTART command. RESTART both stops and restarts the server instance.

For example, suppose that Oracle directory server instance1 is started, using configset3, and with the net service name dbs1. Further, suppose that, while instance1 is running, you change one of the attributes in configset3. To enable the change in configset3 to take effect on instance1, you enter the following command:

oidctl connect=dbs1 server=oidldapd instance=1 restart

If more than one instance of the Oracle directory server is running on that node using configset3, then you can restart all the instances at once by using the following command syntax:

oidctl connect=dbs1 server=oidldapd restart

Note that this command restarts all the instances running on the node, whether they are using configset3 or not.


Important Note:

During the restart process, clients cannot access the Oracle directory server instance. However, the process takes only a few seconds to execute. 


Troubleshooting Directory Server Instance Startup

If the directory server fails to start, you can override all user-specified configuration parameters to get the directory server running, and then repair the configuration set entries with ldapmodify.

To start the directory server using its hard-coded default parameters instead of the configuration parameters stored in the directory, type at the system prompt:

oidctl connect=net_service_name server=oidldapd instance=server_instance_number flags='-p port_number -f' start


The -f option in the flags starts the server with hard-coded configuration values, overriding any defined configuration sets except for the values in configset0.

OID Database Password Utility Syntax

The OID Database Password Utility syntax is:

oidpasswd [connect=net_service_name]

The OID Database Password Utility prompts you for the current password. Type the current password, then the new password, then a confirmation of the new password.

The OID Database Password Utility assumes by default that the password being changed is that of the local database (as defined by ORACLE_HOME and ORACLE_SID). If you are changing the password on a remote database, you must use the connect=net_service_name option. The ODS database account is installed with the default password ods, which is also the default that oidstats.sh assumes; change it when the directory is installed, because that account owns the directory's database schema.

For example:

$ oidpasswd
current password: ods
new password: newsupersecret
confirm password: newsupersecret
password set.
$


Note:

User responses are not echoed to the screen; the passwords appear in the example above only for illustration. 


OID Database Statistics Collection Tool Syntax

The $ORACLE_HOME/ldap/admin/oidstats.sh tool analyzes the objects in the ODS database schema and estimates optimizer statistics for them.

Syntax

oidstats.sh [ -connect database_connect_string ]
            [ -login database_account_login ]
            [ -pass database_account_password ]
            [ -all ]
            [ -cat catalog_name ]
            [ -pct percent ]
            [ -help | -usage ]

Parameters

Parameter  Description                                                              Default

-connect   Database connect string                                                  ORACLE_SID

-login     Database user name                                                       ods

-pass      Database account password                                                ods

-all       Estimate statistics on all catalog tables plus the DN catalog            All catalogs

-cat       Estimate statistics on all catalogs (all) or on one only, e.g., ct_cn    None

-pct       Percent of data to sample                                                100

Examples: Using the OID Database Statistics Collection Tool

Each of the following examples assumes that ORACLE_SID and the default user name and password are in effect.

This example estimates statistics based on 100 percent sample data of all tables.

oidstats.sh -all -pct 100

This example estimates statistics based on 50 percent sample data of all tables.

oidstats.sh -all -pct 50

This example estimates statistics based on 50 percent sample data of CT_CN table.

oidstats.sh -cat ct_cn -pct 50

This example estimates statistics based on 40 percent sample data of all catalog tables.

oidstats.sh -cat all -pct 40

Copyright © 1996-2000, Oracle Corporation.

All Rights Reserved.
