1. Administering Oracle Directory Integration Platform
  2. Synchronization Using Oracle Directory Integration Platform
  3. Managing Directory Synchronization Profiles

10 Managing Directory Synchronization Profiles

You can manage directory synchronization profiles using Fusion Middleware Control or the manageSyncProfiles utility.

Topics:

10.1 Managing Synchronization Profiles Using Fusion Middleware Control

You can create, modify, and delete synchronization profiles using Oracle Enterprise Manager Fusion Middleware Control.

Topics:

Note:

Users with non-administrator privileges can use Oracle Enterprise Manager Fusion Middleware Control to view information about existing synchronization profiles, but cannot create or edit profiles.

10.1.1 Creating Synchronization Profiles

This topic explains how to create synchronization profiles using Oracle Enterprise Manager Fusion Middleware Control.

When you create the profile, Oracle recommends using the Test Connection function to test the connection to the source host and using the Validate All Mapping Rules function to test your mapping rules. If you encounter error messages, you must fix the profile configuration or you will not be able to enable the profile and perform synchronization using the profile.

If you create a Synchronization Profile using any of the sample map files included with Oracle Directory Integration Platform, you may encounter various warning messages. The Synchronization Profile will function correctly despite the warnings and you can ignore the warning messages. To avoid the warning messages, edit the default settings of the map file included with Oracle Directory Integration Platform according to your specific environment, then create the profile.

Perform the following steps to create a synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:

  1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
  2. Log in to Oracle Enterprise Manager Fusion Middleware Control.
  3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component where you want to create the synchronization profile.
  4. Click the DIP Server menu, select Administration, and then click Synchronization Profiles.

    The Manage Synchronization Profiles page appears.

  5. Click Create.

    The Create Synchronization Profile page appears with tabs for the various types of profile settings. The following sections describe the parameters on each tab in the Create Synchronization Profile page.

    After you set values for the parameters, click OK on the Create Synchronization Profile page to create the profile. The profile will appear on the Manage Synchronization Profiles page.

Example 10-1 General

The General tab contains the following parameters that configure the general settings for the profile:

  • Profile Name: Specify the name of the connector in ASCII characters only—non-ASCII characters are not supported in the Profile Name. The name you enter is used as the RDN component of the DN for this connector profile. For example, specifying a profile name MSAccess creates a connector profile named orclodipagentname=MSAccess,cn=subscriber profile, cn=changelog subscriber, cn=oracle internet directory.

  • Profile Status: Select whether or not to enable or disable the profile.

  • Use DIP-OID as? / Use DIP-OUD as? / Use DIP-ODSEE as?: This label refers to your installed Oracle directory (either Oracle Internet Directory, Oracle Universal Directory, or Oracle Directory Server Enterprise Edition) that is one end-point for synchronization and provisioning. Select whether your Oracle directory will be used as the source or destination directory. Selecting Source pushes the changes from the Oracle back-end directory into the connected directory. Selecting Destination pushes changes from the connected directory into the Oracle back-end directory.

  • Type: Select the type of connected directory from the list.

    Note:

    If you select non-standard LDAP type of profile, such as Database or Custom, the subsequent configuration parameters will vary. For example, if you select Custom from the Type list, you must identify the Java classname and the package, for example: com.comp.dip.integration.MyListener

  • Host: The host where the connected directory is running.

  • Port: The port where the connected directory is running.

  • SSL Settings: Specify whether to enable or disable SSL settings. If you enable SSL Settings, the root certificates of the target directory must be in the Oracle Directory Integration Platform keystore to successfully connect or test the connection to the target directory.

    Note:

    Ensure that the connected directories cipher suites are supported in Oracle Directory Integration Platform and available out-of-box. See Supported Out-of-Box Cipher Suites.

  • Database Service Name: This option appears, If you have selected "Database (JDBC)" from the Type menu. Enter the database service name.

    Note:

    Enter the service name, not the SID.

  • User Name: Specify the account to be used by the connector agent for accessing the connected directory. For example, if the connected directory is a database, then the account might be Scott. If the connected directory is another LDAP-compliant directory, then the account might be cn=Directory Manager.

  • Password: Specify the password the connector/agent is to use when accessing the connected directory.

  • Test Connection: Use the Test Connection function to test the connection to the source host.

Example 10-2 Mapping

The Mapping tab allows you to configure Domain and Attribute Mapping Rules, and Domain and Attribute Exclusion Lists for the profile.

Domain Mapping Rules are for the domain or container from which objects are synchronized into the Oracle back-end directory. The Domain Exclusion List identifies domains to be excluded during bootstrap and synchronization.

Attribute Mapping Rules are for attributes of the objects that are being managed. The Attribute Exclusion List identifies attributes to be excluded during bootstrap and synchronization.

To create a mapping rule or exclusion list, click Create for the type of mapping rule or exclusion list you want to create, enter values for the parameters, and then click OK at the top of the Create Synchronization Profile page.

Note:

Use the Validate All Mapping Rules button at the top of the Create Synchronization Profile page to test your mapping rules after you create them. If you have errors in the mapping rules that you have defined, then the profile will not work. However, warnings do not prevent the profile from being used.

The following is a list and description of the Domain Mapping Rules parameters:

  • DIP-OID Container / DIP-OUD Container / DIP-ODSEE Container: This label refers to your installed Oracle directory (either Oracle Internet Directory, Oracle Universal Directory, or Oracle Directory Server Enterprise Edition) that is one end-point for synchronization and provisioning. This is the name of the destination container into which the objects are synchronized. Enter a value of NONLDAP if you a synchronizing with a non-LDAP source.

  • Source Container or Destination Container: If you are configuring an import profile, this parameter will be labeled Source Container. If you are configuring an export profile, this parameter will be labeled Destination Container. The parameter identifies the name of the source/destination container from/to which the objects are synchronized. Enter a value of NONLDAP if you a synchronizing with a non-LDAP source.

  • DN Mapping Rule: The specific mapping rule that determines how entries from the source container are mapped to the destination container.

The following is a list and description of the Domain Exclusion List parameters:

  • Source Container to Exclude: This parameter appears if you are configuring an import profile. Identify the domains to be excluded during bootstrap and synchronization by entering a value, for example, OU=myou,OU=test,DC=mycompany,DC=com, or by clicking Lookup and browsing to the domain, and then clicking OK in the Create Domain Exclusion Container dialog box.

  • DIP-OID Container to Exclude / DIP-OUD Container to Exclude / DIP-ODSEE Container to Exclude: This parameter appears if you are configuring an export profile. Identify the domains to be excluded during bootstrap and synchronization by entering a value, for example, OU=myou,OU=test,DC=mycompany,DC=com, or by clicking Lookup and browsing to the domain, and then clicking OK in the Create Domain Exclusion Container dialog box.

The following is a list and description of the Attribute Mapping Rules parameters:

  • Source Object Class: Select the object class in the source directory. This parameter does not apply when synchronizing with a non-LDAP source.

  • Source Attributes: The source directory attributes to which you want to apply the mapping rule. When synchronizing with LDAP sources, select the Single Attributes option and enter the appropriate attributes in the Attributes field. When synchronizing with non-LDAP sources, select the Multiple Attributes option and enter the appropriate attributes in the Multivalue Attributes field.

  • Source Attribute Required: Enable or disable the source attribute requirement.

    Note:

    After registering the profile, the Source Attribute Required option is enabled by default. Ensure that you disable the source attribute requirement to start synchronization.

  • DIP-OID Object Class / DIP-OUD Object Class / DIP-ODSEE Object Class: Select the destination object type or class. Use the destination object class for LDAP targets.

    Destination Table: If your destination directory type is Database (JDBC), select the destination table.

  • DIP-OID Attribute / DIP-OUD Attribute / DIP-ODSEE Attribute: Select the destination attribute name to which you want to apply the mapping rule.

    Destination Column: If your destination directory type is Database (JDBC), select the destination column.

  • DIP-OID Attribute Type / DIP-OUD Attribute Type / DIP-ODSEE Attribute Type: Enter the type of the attribute in the destination directory.

  • Mapping Expression: Enter the transformation rule that derives the destination attribute value from the source attribute value.

The following is a list and description of the Attribute Exclusion List parameters:

  • ObjectClass: Select the objectclass that contains the attributes you want to add to the Attribute Exclusion List. After you select an objectclass, its attributes appear in the Multiple Address field.

  • Attributes: Select the attributes you want to add to the Attribute Exclusion List.

Example 10-3 Filtering

The Filtering tab contains the following parameters that configure the filter settings for the profile:

  • Source Matching Filter: Specify the attribute that uniquely identifies an entry in the connected directory or specify an LDAP search filter for the connected directory in the format searchfilter=ldap_search_filter.

  • Destination Matching Rule: Specify the attribute that uniquely identifies records in the Oracle back-end directory. This attribute is used as a key to synchronize the Oracle back-end directory with the connected directory.

  • Associated Profile: The Associated Profile filtering setting is used to avoid loop back changes in bi-directional synchronization where changes initiated from one directory return to the same directory. For import profiles, specify the export profile it is associated with in the Associated Profile field. For export profiles, specify the import profile used for synchronizing the data from that directory.

    Note:

    To disassociate a profile, set the Associated Profile setting to Select One.

Example 10-4 Advanced

The Advanced tab contains the following parameters that configure the advanced settings for the profile:

  • Scheduling Interval (HH:MM:SS): Specify the number of hours, minutes, and seconds between synchronization attempts between a connected directory and the Oracle back-end directory.

  • Maximum Number of Retries: The maximum number of times the synchronization is to be retried during each synchronization cycle iteration. The interval of each synchronization cycle iteration is every 60 seconds, if the Scheduling Interval parameter is set to 60 seconds.

  • Log Level: Specify the logging level for debugging. Selecting the All level logs all information, including entries that are synchronized.

  • Primary Table: Choose from the list the primary table for this profile.

  • Last Change Number: Identifies the number of changes that synchronization has been performed for. When you create a synchronization profile, the Last Change Number parameter is locked—you cannot enter a value for it.

    After you create a synchronization profile and attempt to edit it, an additional option named Edit and Persist is available for the Last Change Number parameter. You can edit the value for the Last Change Number parameter if you select (enable) the Edit and Persist option. Enabling the Edit and Persist option causes the Last Change Number to be persisted in the profile. Changes to the Last Change Number will not be persisted if the Edit and Persist option is not enabled.

    WARNING:

    Be aware that if you edit the value for the Last Change Number, setting an incorrect value can cause the profile to stop working or cause erroneous synchronization operations.

  • Primary Keys: Specify the primary key(s) for the tables to which you are syncing by selecting the database table name, then entering the primary key column(s). If a primary key consists of multiple columns, then list each column name separated by a comma. For example: id,name,dob. To delete a row, click the red "x" in the row that you want to delete. To add additional primary key entries, click Add Primary Key.

  • Table Relations: Click Add Table Relation to define the relationships between the primary table and all of the other tables involved in the profile. In the Relation Column(s) box, type the column name that defines the relationship between the Secondary Table and the Primary Table. If you need to specify multiple column names, use a comma separated list, for example: id,name.

  • Additional Configuration Parameters: This section allows you to manage optional, advanced configuration parameters. To create an advanced configuration parameter, click Add and identify the parameter and its value. The following is a list and description of each advanced configuration parameter:

    • Check All Entries: Applicable only for eDirectory and OpenLDAP, it determines how deleted entries in Novell eDirectory or OpenLDAP are synchronized with the Oracle back-end directory. If you assign a value of true to this parameter, the Oracle Directory Integration Platform identifies deleted entries by performing a linear comparison between the entries in the Oracle back-end directory and Novell eDirectory or OpenLDAP. If an entry does not exist in Novell eDirectory or OpenLDAP, the entry is deleted from the Oracle back-end directory. If you assign a value of false to this parameter, deleted entries are synchronized according to the difference between the number of entries in the connected directory and the number of entries in the Oracle back-end directory. If the number of deleted entries is 0 or less than 0, then there are no deleted entries to synchronize. However, if the number of deleted entries is greater than 0, then the Oracle Directory Integration Platform compares each entry in the Oracle back-end directory with Novell eDirectory or OpenLDAP to identify the deleted entries to synchronize. The Oracle Directory Integration Platform continues to compare entries until it locates the same number of deleted entries as the difference between the number of entries in the connected directory and the number of entries in the Oracle back-end directory. For better performance, you should assign a value of false to this parameter.

    • Unique Attribute: Applicable only for eDirectory and OpenLDAP, it identifies the unique attribute in Novell eDirectory or OpenLDAP that can be used to search for an entry. You assign to this parameter a value of GUID for Novell eDirectory or entryuuid for OpenLDAP.

    • Attribute Type: Applicable only for eDirectory and OpenLDAP, it indicates the type of the UniqueAttribute parameter. You assign to this parameter a value of Binary for Novell eDirectory or nonBinary for OpenLDAP. This parameter is used to obtain the corresponding Oracle back-end directory attribute for the attribute that is defined in the mapping file.

    • Search Time Delta Size in seconds: This parameter is applicable only for eDirectory and OpenLDAP, which handle synchronization based on timestamps and do not support changelog. Search Time Delta Size in seconds determines the time interval for processing changes during each synchronization cycle iteration. The default value is 3600. The number of iterations performed during each synchronization cycle depend on the number of pending changes. For example, if the Search Time Delta In Seconds parameter is set to 60 and there are changes pending for about one minute, synchronization will require a single iteration. If changes are pending for three minutes, synchronization will require three iterations.

      Note:

      • When the number of changes per minute is small, you will experience better synchronization efficiency by setting Search Time Delta Size in seconds to a higher value.

      • Be sure the value you set for the Search Time Delta In Seconds parameter does not exceed the LDAP search limit of the connected directory server. Otherwise, you may receive an error during synchronization and some changes may not be processed.

    • Search Delta Size: This parameter is applicable when importing changes from directories that support changelog. Search Delta Size determines how many incremental changes are processed during each iteration in a synchronization cycle. The default value is a value of 500. The number of iterations performed during each synchronization cycle depends on the number of pending changes. For example, if the Search Delta Size parameter is assigned a value of 500 and there are 498 pending changes, synchronization will require a single iteration. However, if there are 501 pending changes, synchronization will require two iterations. In some cases, you will experience better synchronization efficiency if you assign a higher value to this parameter. However, be sure that the value you specify does not exceed the LDAP search limit of the connected directory server. Otherwise, you may receive an error during synchronization and some changes may not be processed.

      Note:

      Be sure to thoroughly analyze and test your deployment when modifying the Search Delta Size parameter, especially if you assign a value higher than 2000.

    • Skip Error To Sync Next Change: Determines how Oracle Directory Integration Platform handles an error when processing a change during synchronization. By default, Skip Error To Sync Next Change is assigned a value of false, which means that Oracle Directory Integration Platform will continue processing a change until the error is resolved. If you assign a value of true to Skip Error To Sync Next Change, Oracle Directory Integration Platform will skip any changes that cause an error.

    • Update Search Count: Specifies the maximum number of iterations to perform on the connected directory during the synchronization process. The synchronization process stops after the specified number of search has been performed and resumes at the next scheduled interval.

    • Reduce Filter Time In Seconds: Applicable only for eDirectory and OpenLDAP, it specifies the time difference between a computer that is running the Oracle back-end directory and a computer that is running Novell eDirectory. This parameter is necessary because synchronization between the Oracle back-end directory and Novell eDirectory will not function properly if the time on the Novell eDirectory computer is earlier than the time on the Oracle back-end directory computer. Assign to this parameter a value in seconds that is equal to the time difference between the two computers. The default value is 0.

    • Writer: Identifies the Writer used by the profile for synchronization. This is a read only value and is used only for information purposes.

    • Reader: Identifies the Reader used by the profile for synchronization. This is a read only value used only for information purposes.

    • Reconciler: Do not modify this parameter. It identifies the class used by the profile for reconciliation purposes. The parameter is applicable only for eDirectory and OpenLDAP. This is a read only value used only for information purposes.

10.1.2 Editing Synchronization Profiles

You can edit an existing synchronization profile using Oracle Enterprise Manager Fusion Middleware Control.

To do so, perform the following steps:

  1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
  2. Log in to Oracle Enterprise Manager Fusion Middleware Control.
  3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the profile you want to edit.
  4. Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears displaying a list of the existing profiles.
  5. Select the profile you want to edit from the list and click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
  6. Edit the profile settings by referring to the General, Mapping, Filtering, and Advanced sections in "Creating Synchronization Profiles" that describe each profile parameter.

    Note:

    You must edit the settings on the General tab before editing the settings on any other tab.

  7. Click OK on the Edit Synchronization Profile page to save the updated profile.

10.1.3 Enabling and Disabling Synchronization Profiles

You can enable or disable an existing synchronization profile using Oracle Enterprise Manager Fusion Middleware Control.

To do so, complete the following:

  1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
  2. Log in to Oracle Enterprise Manager Fusion Middleware Control.
  3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the profile you want to enable or disable.
  4. Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears displaying a list of the existing profiles.
  5. Select the profile you want to enable or disable from the list of existing profiles.

    Click the Enable Profile button to enable the profile.

    Click the Disable Profile button to disable the profile.

10.1.4 Deleting Synchronization Profiles

Never delete a synchronization profile directly from the Oracle back-end directory! Instead, use Oracle Enterprise Manager Fusion Middleware Control to delete a synchronization profile. If you use the Oracle back-end directory to delete a synchronization profile, you will receive a PROFILE_ALREADY_REGISTERED message if you attempt to recreate the profile.

Perform the following steps to delete a synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:

  1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
  2. Log in to Oracle Enterprise Manager Fusion Middleware Control.
  3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the profile you want to delete.
  4. Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears.
  5. On the Manage Synchronization Server page, select profile you want to delete and click Delete. A window that prompts you to confirm deletion of the connector profile.
  6. Click Yes to confirm that you want to delete the profile.

10.1.5 Troubleshooting Synchronization Profiles Using DIP Tester

DIP Synchronization Profile Tester (DIP Tester) is a utility that can perform synchronization operations and return detailed log messages generated during the test. Use DIP Tester to test synchronization profiles and verify that the profile configuration and mapping rules are working as expected with your directory data.

DIP Tester only works with LDAP-to-LDAP directory-based sync profiles. It does not work with DB/Custom and other non-directory-based profiles.

You can run DIP Tester either from the Enterprise Manager user interface or from a command-line using WLST.

10.1.5.1 Running DIP Tester From the Enterprise Manager User Interface

DIP Tester can only be used with synchronization profiles that are set to the disabled state.

Note:

When disabling a profile there is a delay before the disabled status takes effect. Only after the configured refresh interval has elapsed (an interval of two minutes or more) will the profile become disabled.

To disable a profile click the Disable Profile button on the toolbar.

To Open DIP Tester in Enterprise Manager

  1. From the DIP Server menu, choose Administration > Synchronization Profiles.

    The Manage Synchronization Profiles page opens.

  2. Click the row of the profile to be tested to select it.
  3. Click the arrow to the right of the DIP Tester button and choose from the following menu:

    • Dump Profile - Opens a pop-up window and displays detailed information about the selected synchronization profile so that a copy of the profile can be added to a support ticket.

    • Launch Tester - Opens DIP Tester.

Example 10-5 Test Mode

This section describes the Test Mode screen, which is the first screen of the three screen DIP Tester wizard.

DIP Tester Operation Mode - DIP Tester can run in two modes: Basic and Advanced.

  • Choose Basic mode to quickly run the synchronization task using DIP Tester's preconfigured settings. The synchronization task runs and sync status and log messages from the test are returned in Enterprise Manager.

    Basic mode is useful if you need to quickly retry a failed synchronization. To retry the last failed change, edit the profile and set Skip Error To Sync Next Change to false, set Update Search Count to 1, and searchDeltaSize to 1.

    Note:

    In the default configuration, Skip Error To Sync Next Change is set to false. Consequently DIP Tester will not move past any failed operations. To have DIP Tester continue on to the next operation upon encountering a failed operation, open the Manage Synchronization Profiles page, click Edit, and on the Advanced tab set Skip Error To Sync Next Change to true.

  • Choose Advanced mode to specify and configure the source of the test data. There are three ways to specify the test data:

    • Enter a change number to test sync a specific change. Change numbers are supported on Active Directory, Oracle Internet Directory, Oracle Unified Directory, Oracle Directory Server Enterprise Edition, iPlanet, and Tivoli directories.

    • Enter the SourceDN to test sync a specific change. SourceDN is supported on eDirectory and OpenLDAP directories.

    • Enter LDIF data. LDIF data is compatible with all directory sources.

    Note:

    DIP Tester cannot process delete operations for the OpenLDAP or eDirectory LDAP servers.

    When processing user or group delete operations on other LDAP servers, LDIF delete files need to include the dn and changetype attributes.

    For example:

    dn: cn=userToDelete,cn=users,dc=comain 
changetype: delete

Selected Profile Information - Contains read-only information about the synchronization profile to be tested. Review this information and click Next in the top right corner of the screen to go to step two of the wizard, Test Params.

Table 10-1 Synchronization Profile Properties, Basic Properties

Property Description

Profile Name

The name of the profile to be tested.

Synchronization Mode

Indicates the direction of synchronization.

Import propagates changes from a connected directory to the Oracle back-end directory. Export propagates changes from the Oracle back-end directory to a connected directory.

Profile Status

Indicates that the profile is disabled if the check box is empty.

Table 10-2 Synchronization Profile Properties, Source Details or Destination Details

Property Description

Type

The directory type supplying records for the import test (for example, OpenLDAP, Microsoft Active Directory, Tivoli Directory Server, and so on).

Host

Name of the computer hosting the source container for the synchronization test.

Port

Configured port number for the synchronization job connection.

SSL Settings

Indicates that SSL is disabled if the check box is empty.

User Name

User account that the profile uses to authenticate to the source directory.

Table 10-3 Synchronization Profile Properties, Advanced

Property Description

Last Change Number

Identifies the most recent change number in the change log that synchronization has been performed for.

Skip Error To Sync Next Change

If true, specifies that the profile should continue the synchronization job if an error occurs. If false, the sync job is aborted.

To change this value, edit the synchronization profile, select the Advanced tab, and edit the parameter in the Additional Configuration Parameters section.

Update Search Count

Specifies the maximum number of iterations to be performed on the connected directory during the synchronization process. The synchronization process stops after the specified number of searches has been performed.

To change this value, edit the synchronization profile, select the Advanced tab, and edit the parameter in the Additional Configuration Parameters section.

Example 10-6 Test Params

This section describes the Test Params screen, which is the second screen of the three screen DIP Tester wizard.

If running DIP Tester in Advanced mode, select and configure the source of the test data. To test sync a specific change, either enter a change number or enter the SourceDN. Otherwise, enter synchronization instructions using LDIF (Lightweight Directory Interchange Format) statements.

If running DIP Tester in Basic mode, the options are preconfigured. Click Next in the top right corner of the screen to go to step three of the wizard, Review Options and Test Output.

Example 10-7 View Test Data

Optional. This lookup feature is provided so that you can view change log data, source directory data, and destination directory data without leaving DIP Tester. Select one of the following options form the drop-down menu to view the test data inside of DIP Tester.

  • View Change Log Entry - For directories that support change logs specify the change log and enter a number in the Change Number box. The change number is retrieved from the source.

  • View Source Directory Entry - Select to view an existing source directory entry that you can use as a template. This option should be used to view Active Directory source data, including the uSNChanged attribute.

    The Source Container values in the drop-down menu are retrieved using the domain mapping rules set in the profile.

    Enter a value for the Source RDN box.

  • View Destination Directory Entry - Select to view an existing destination directory entry that you can use as a template.

    The Destination Container values in the drop-down menu are retrieved using the domain mapping rules set in the profile.

    Enter a value for the Destination RDN box.

Example 10-8 Test Options

From the Test data source menu, select Change Number, SourceDN, or LDIF Data, then type the change number, SourceDN, or the LDIF commands that you want to test. Click Next to go to step three of the wizard, Review Options and Test Output.

Example 10-9 Review Options and Test Output

This section describes the Review Options and Test Output screen, which is the third screen of the three screen DIP Tester wizard.

Caution:

A synchronization test is not a simulation. Initiating the test will cause an actual sync operation to take place. Proceed with caution when using DIP Tester in Advance mode.

If running DIP Tester in Advanced mode, use the Review Test Options section to review the change number or LDIF data that you entered on the previous screen. If running DIP Tester in Basic mode, this section uses preconfigured settings.

  • Click Test to initiate the synchronization test.

  • Click Dump Profile to write detailed information about the selected synchronization profile to a pop-up window.

Note:

If a source directory entry and a destination directory entry are already in sync, DIP Tester will not report that the sync operation did not occur. Instead, DIP Tester simply reports "Test Passed" because the entry and attribute data in both directories match.

The Test Output section displays the following information:

  • Result - Either Test Passed or Test Failed.

    Note:

    When using DIP Tester in Basic mode, the Test Output section will occasionally report a result of "Test Passed," when, in fact, errors were reported. For this reason you should always check the Log Messages for DIP Tester section to verify that no errors are reported there.

  • Source Entry Details / Destination Entry Details - If the test passed, displays actual directory data test results for both the source and destination directories.

  • Error Message - If the test failed, displays a message reporting the reason for the test failure.

  • Log Messages for DIP Tester - Detailed messages generated during the course of the synchronization test.

10.1.5.2 Running DIP Tester From the WLST Command-Line Interface

To run DIP Tester from a command-line, use the manageSyncProfiles command and specify the testProfile option.

Operation Mode

DIP Tester (testProfile) can run in Basic mode or Advanced mode.

  • Use Basic mode to quickly run the synchronization task using DIP Tester's preconfigured settings. The synchronization task runs and sync status and log messages from the test are returned to standard out.

    Basic mode is useful if you need to quickly retry a failed synchronization. To retry the last failed change, set Skip Error To Sync Next Change to false and set Update Search Count to 1.

    To run DIP Tester in Basic mode, do not include the -changenumber, -sourcedn, or -ldiffile options.

    Note:

    In the default configuration, Skip Error To Sync Next Change is set to false. Consequently DIP Tester will not move past any failed operations. To have DIP Tester continue on to the next operation upon encountering a failed operation, set Skip Error To Sync Next Change to true.

  • Use Advanced mode if you need to specify and configure the source of the test data. You can either enter a change number to run a specific change in a change log, enter a SourceDN to test sync a specific change on either an eDirectory or an Open LDAP directory, or enter LDIF data.

    To run DIP Tester in Advanced mode, include either the -changenumber, the -sourcedn, or the -ldiffile options when running DIP Tester.

    Note:

    DIP Tester cannot process delete operations for the OpenLDAP or eDirectory LDAP servers.

    When processing user or group delete operations on other LDAP servers, LDIF delete files need to include the dn and changetype attributes.

    For example:

    dn: cn=userToDelete,cn=users,dc=comain 
changetype: delete

Refer to the following DIP Tester Command-Line Examples section for more information.

Note:

If a source directory entry and a destination directory entry are already in sync, DIP Tester will not report that the sync operation did not occur. Instead, DIP Tester simply reports "Test Passed" because the entry and attribute data in both directories match.

Syntax and Arguments for testProfile

manageSyncProfiles testProfile -h hostName -p port -D wlsuser -pf profileName [-changenumber number | -ldiffile file | -sourcedn sourcedn] [-ssl -keyStorePath path -keyStoreType type] [-help]

-h | -host

Oracle WebLogic Server where Oracle Directory Integration Platform is deployed.

-p | -port

Listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.

- D | -wlsuser

Login ID to connect to the server.

-pf | -profile

The profile name.

-changenumber

The change log number representing the change that needs to be synchronized from directories like Oracle Internet Directory, iPlanet, Tivoli and Active Directory to the destination.

-sourcedn

Distinguished name of the source entry that needs to be synchronized from directories like eDirectory and OpenLDAP to the destination.

-ldiffile

A file containing LDIF data that will be applied to the source and then synchronized to the destination.

- ssl

Executes the command using SSL.

- keyStorePath

Location of the trust keystore.

- keyStoreType

Keystore type. If unspecified, defaults to jks.

- help

Provides help for the testProfile command.

Note:

Passwords cannot be passed as command parameters. Instead, the system will prompt you for passwords as needed.

DIP Tester Command-Line Examples

DIP Tester Basic Mode

manageSyncProfiles testProfile -h <hostName> -p <port> -D <wlsuser> -pf <profileName>

DIP Tester Advanced Mode, Change Number Specified

manageSyncProfiles testProfile -h <hostName> -p <port> -D <wlsuser> -pf <profileName> [-changenumber <number>]

DIP Tester Advanced Mode, SourceDN Specified

manageSyncProfiles testProfile -h <hostName> -p <port> -D <wlsuser> -pf <profileName> [-sourcedn <sourcedn>]

DIP Tester Advanced Mode, LDIF File Specified

manageSyncProfiles testProfile -h <hostName> -p <port> -D <wlsuser> -pf <profileName> [-ldiffile <file>]

10.2 Managing Synchronization Profiles Using manageSyncProfiles

You can use the manageSyncProfiles utility to create and manage synchronization profiles from a command line.

For more information, see manageSyncProfiles Utility.

10.3 Modifying the Synchronization Status Attributes

You can change the orcllastappliedchangenumber attribute using Oracle Enterprise Manager Fusion Middleware Control or the manageSyncProfiles command and the updatechgnum argument.

During the synchronization process, the server constantly updates the orcllastappliedchangenumber synchronization status attribute. Oracle recommends that you do not change the synchronization status attributes. However, there may be cases when you need to update the orcllastappliedchangenumber attribute. For example, you may need to reapply some changes or skip synchronization of certain entries.

To change the orcllastappliedchangenumber attribute using Oracle Enterprise Manager Fusion Middleware Control, perform the steps in "Editing Synchronization Profiles", and set the Last Change Number setting on the Advanced tab.

To change the orcllastappliedchangenumber attribute using the manageSyncProfiles command and the updatechgnum argument, refer to "Managing Synchronization Profiles Using manageSyncProfiles".

10.4 Setting Null Values in Synchronization Profiles

To set a profile property value to null (that is, blank or empty) when manually editing a profile, use a null string.

For example: ''. Using a comment (or hash character, #) on the property's line indicates only that the line will not be read, it does not set the property's value to null.

10.5 manageSyncProfiles Utility

Use the manageSyncProfiles utility to create and manage synchronization profiles from a command line.

The manageSyncProfiles utility is located in the ORACLE_HOME/bin directory.

Note:

  • Best security practice is to provide a password only in response to a prompt from the command.

  • You must set the WLS_HOME and ORACLE_HOME environment variables before executing any of the Oracle Directory Integration Platform commands

  • The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

Syntax for manageSyncProfiles

manageSyncProfiles

manageSyncProfiles {activate | deactivate | copy | deregister | get | isexists |
update | testProfile | validateProfile | validateMapRules | register | 
updatechgnum | associateProfile | dissociateProfile | getAllAssociatedProfiles |
getAssociatedProfile | list } -h HOST -p PORT -D wlsuser [-ssl -keystorePath 
PATH_TO_KEYSTORE -keystoreType TYPE] [-profile] [-newProfile]
[-associateProfile][-file] [-params 'prop1 val1 prop2 val2 ...']
[-conDirHost] [-conDirPort] [-conDirBindDn] [-mode] [-conDirType] [-conDirSSL] 
[-profileStatus] [-help]

Arguments for manageSyncProfiles

Operations

activate

Changes the state of the profile identified by -profile to ENABLE.

deactivate

Changes the state of the profile identified by -profile to DISABLE.

copy

Copies an existing profile profile to profile newProfile.

deregister

Deletes an existing profile from the Oracle back-end directory.

get

Gets the profile details from the Oracle back-end directory.

isexists

Checks if the profile profile exists in the Oracle back-end directory.

update

Modifies the profile properties that are identified by command arguments.

testProfile

Changes the state of a disabled profile profile to TEST and schedules the profile for testing to ensure the profile will successfully perform synchronization. After executing the manageSyncProfiles command with the testProfile operation, the results of the test are available in the following log file, where WL_DOMAIN_HOME represents the Oracle WebLogic Server Domain home and ORACLE_WEBLOGIC_MANAGEDSERVER_NAME represents the name of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed: 

WL_DOMAIN_HOME/servers/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME/logs/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME.log

Note:

The testProfile operation cannot schedule profiles that are in ENABLE state for testing.

validateProfile

Validates the syntax of the values in the specified profile for correctness.

validateMapRules

Validates the map rules provided.

register

Creates a new profile in the Oracle back-end directory.

updatechgnum

Updates the last applied change number in the profile to latest.

associateProfile

Associates associateProfileName with profileName. This is helpful during bidirectional synchronization between directories. You can specify a profile as an associated profile of different profile to help prevent information backflow.

dissociateProfile

Dissociates an associated profile to profileName.

getAllAssociatedProfiles

Returns a list of all profiles whose orclodipassociatedprofile attribute is set to the profile you identify using -pf. For example, if you use getAllAssociatedProfiles with -pf test, getAllAssociatedProfiles returns a list of all profiles that have their orclodipassociatedprofile attribute set to test.

This is useful when you want to delete a profile. You can use it to get a list of all associations you must disassociate before you can delete the profile.

getAssociatedProfile

Returns the value of the orclodipassociatedprofile attribute for the profile you identify using -pf.

list

Displays all profiles registered in the Oracle back-end directory.

Options

-h | host

Oracle WebLogic Managed Server host where Oracle Directory Integration Platform is deployed.

-p | -port

Listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.

-D | wlsuser

Oracle WebLogic Server login ID

Note:

You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute manageSyncProfiles from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.

-ssl

Executes the command in SSL mode.

Note:

The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystorePath jks or -keystorePath PKCS12

-pf | -profile

The name of the synchronization profile to use when performing the operation.

-newpf | -newProfile

The name of the new profile which will be a copy of profile.

-assopf

The name of the profile that will be associated with profile.

-f | -file

The full path and file name of the profile properties file containing the properties.

See:

Example Properties File for Synchronization Profiles for an example of a profile properties file.

-params

A value is of the form prop1 val1 prop2 val2 ... where prop is the name of a profile property and val is the new value for that property. This keyword is used only for modification of a profile. You can specify as many key values as required. Refer to Example Properties File for Synchronization Profiles to see the names of the profile properties that can be identified using prop1, prop2, and so on.

-conDirHost

Host where connected directory server is running.

-conDirPort

Port at which connected directory server listens.

-conDirBindDn

Connected directory server bind DN.

Note:

You will be prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute manageSyncProfiles from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.

-mode

Synchronization mode to be used: import or export

-conDirType

Connected directory type. If using Oracle Internet Directory as your Oracle back-end directory, supported values are ActiveDirectory, EDirectory, iPlanet, OpenLDAP, ADAM, Tivoli, OID, and ExchangeServer2003. If using Oracle Unified Directory or Oracle Directory Server Enterprise Edition as your back-end directory, IPLANET is the only supported value.

-conDirSSL

SSL mode value used to connect connected directory server.

Note:

Ensure that the connected directories cipher suites are supported in Oracle Directory Integration Platform and available out-of-box. See Supported Out-of-Box Cipher Suites.

-prfSt | -profileStatus

Displays status for the profile. Used only with the list operation.

-help

Provides command usage help.

Tasks and Examples for manageSyncProfiles

manageSyncProfiles register -h myhost.mycompany.com -p 7005 -D login_ID \
  -f /opt/ldap/odip/iPlImport.profile 

manageSyncProfiles deregister -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 

manageSyncProfiles updatechgnum -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 

manageSyncProfiles activate -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 

manageSyncProfiles deactivate -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 

manageSyncProfiles get -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 

manageSyncProfiles testProfile -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 

manageSyncProfiles associateprofile -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile -assopf myProfile1 

 manageSyncProfiles dissociateprofile -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 

 manageSyncProfiles getAllAssociatedProfiles -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 

 manageSyncProfiles getAssociatedProfile -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 

 manageSyncProfiles update -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile -f /opt/ldap/odip/iPlImport.profile 

 manageSyncProfiles validateMapRules -h myhost.mycompany.com -p 7005 \
   -D login_ID -f /opt/ldap/odip/iPlImport.map -conDirHost server.example.com \  
   -conDirPort 8000 -conDirBindDn administrator@idm2003.net -mode IMPORT \
   -conDirType IPLANET 

 manageSyncProfiles isexists -h myhost.mycompany.com -p 7005 -D login_ID \
   -pf myProfile 

 manageSyncProfiles copy -h myhost.mycompany.com -p 7005 -D login_ID \
   -pf myProfile -newpf yourProfile 

manageSyncProfiles list -h myhost.mycompany.com -p 7005 -D login_ID -profileStatus