|
Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) Part No. B14082-01 |
|
 Previous |
 Next |
|
Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) Part No. B14082-01 |
|
|
Previous |
Next |
This appendix provides syntax, usage notes, and examples for LDIF and LDAP command-line tools. It contains these topics:
Starting, Stopping, Restarting, and Monitoring Oracle Internet Directory Servers
The Directory Integration and Provisioning Assistant (dipassistant) Syntax
OID Database Statistics Collection Tool (oidstats.sql) Syntax
Syntax for Oracle Internet Directory Configuration Assistant in Standalone Mode
The standardized file format for directory entries is as follows:
dn: distinguished_name attribute_type: attribute_value ... objectClass: object_class_value ...
Table A-1 Properties in an LDIF File
| Property | Value | Description |
|---|---|---|
dn:
|
RDN,RDN,RDN,...
|
Separate RDNs with commas. |
attribute_type:
|
attribute_value
|
This line repeats for every attribute in the entry, and for every attribute value in multi-valued attributes. |
objectClass:
|
object_class_ value
|
This line repeats for every object class. |
The following example shows a file entry for an employee. The first line contains the DN. The lines that follow the DN begin with the mnemonic for an attribute, followed by the value to be associated with that attribute. Note that each entry ends with lines defining the object classes for the entry.
dn: cn=Suzie Smith,ou=Server Technology,o=Acme, c=US
cn: Suzie Smith
cn: SuzieS
sn: Smith
mail: ssmith@us.Acme.com
telephoneNumber: 69332
photo: /ORACLE_HOME/empdir/photog/ssmith.jpg
objectClass: organizationalPerson
objectClass: person
objectClass: top
The next example shows a file entry for an organization:
dn: o=Acme,c=US o: Acme ou: Financial Applications objectClass: organization objectClass: top
A list of formatting rules follows. This list is not exhaustive.
All mandatory attributes belonging to an entry being added must be included with non-null values in the LDIF file.
|
Tip: To see the mandatory and optional attribute types for an object class, use Oracle Directory Manager. See "Viewing Properties of Object Classes by Using Oracle Directory Manager". |
Non-printing characters and tabs are represented in attribute values by base-64 encoding.
The entries in your file must be separated from each other by a blank line.
A file must contain at least one entry.
Lines can be continued to the next line by beginning the continuation line with a space or a tab.
Add a blank line between separate entries.
Reference binary files, such as photographs, with the absolute address of the file, preceded by a forward slash ("/").
The DN contains the full, unique directory address for the object.
The lines listed after the DN contain both the attributes and their values. DNs and attributes used in the input file must match the existing structure of the DIT. Do not use attributes in the input file that you have not implemented in your DIT.
Sequence the entries in an LDIF file so that the DIT is created from the top down. If an entry relies on an earlier entry for its DN, make sure that the earlier entry is added before its child entry.
When you define schema within an LDIF file, insert a white space between the opening parenthesis and the beginning of the text, and between the end of the text and the ending parenthesis.
|
See Also:
|
This section provides syntax information about the command-line tools used for starting, stopping, restarting, and monitoring Oracle Internet Directory servers. Please refer to "Process Control of Oracle Internet Directory Components" for information about Oracle Internet Directory process control semantics and best practices.
This section contains these topics:
Use the OID Monitor to initiate, monitor, and terminate directory server processes. If you elect to install a replication server, OID Monitor controls it. When you issue commands through OID Control Utility (OIDCTL) to start or stop directory server instances, your commands are interpreted by this process.
Starting OID Monitor restarts any Oracle Internet Directory processes that were previously stopped.
Set the following environment variables:
ORACLE_HOME
ORACLE_SID or a proper TNS CONNECT string
NLS_LANG (APPROPRIATE_LANGUAGE.AL32UTF8). The default language set at installation is AMERICAN_AMERICA.
PATH. In the PATH environment variable, specify the Oracle LDAP binary—that is, ORACLE_HOME/bin—before the UNIX binary directory.
oidmon [connect=connect_string] [host=virtual/host_name][sleep=seconds] start
Table A-2 Arguments for Starting OID Monitor
For example:
oidmon connect=dbs1sleep=15 start
To start OID Monitor on a virtual host:
oidmon connect=dbsl host=virtual_host start
Stopping the OID Monitor also stops all other Oracle Internet Directory processes.
To stop the OID Monitor daemon, at the system prompt, type:
oidmon [connect=connect_string][host=virtual/host_name] stop
Table A-3 Arguments for Stopping OID Monitor
For example:
oidmon connect=dbs1 stop
While starting and stopping OID Monitor, use the host parameter to specify the virtual host name. The syntax is:
oidmon [connect=connect_string] host=virtual_host start|stop
|
Note: If you are going to start Oracle Internet Directory servers on a virtual host, then, when using both OIDMON and OIDCTL, be sure to specify thehost argument as the virtual host.
If the OID Monitor is started with the To determine the physical host name, execute the |
OID Control Utility is a command-line tool for starting and stopping the directory server. The commands are interpreted and executed by the OID Monitor process.
|
Note: Although you can start the directory server without using OID Monitor and the OID Control Utility, Oracle Corporation recommends that you use them. This way, if the directory server unexpectedly terminates, then OID Monitor automatically restarts it. |
This section contains these topics:
Starting and Stopping an Oracle Directory Server Instance by Using the OID Control Utility
Starting the Oracle Directory Integration and Provisioning Server by Using the OID Control Utility
Stopping the Oracle Directory Integration and Provisioning Server
Restarting Oracle Internet Directory Server Instances by Using the OID Control Utility
Use the OID Control Utility to start and stop Oracle directory server instances.
The syntax for starting an Oracle directory server instance is:
oidctl connect=connect_string server=oidldapd instance=server_instance_number \ [configset=configset_number] [host=virtual/host_name] \ [flags=' -p port_number -work maximum_number_of_worker_threads_per_server \ -debug debug_level -l change_logging' -server number_of_server_processes] \ start
Table A-4 Arguments for Starting a Directory Server by Using OIDCTL
| Argument | Description |
|---|---|
-debug debug_level
|
Specifies a debug level during Oracle directory server instance startup |
-l change_logging
|
Turns replication change logging on and off. To turn it off, enter -l false. To turn it on, do any one of the following:
Turning off change logging for a given node by specifying |
-p port_number
|
Specifies a port number during server instance startup. The default port number is 389. |
-server number_of_server_processes
|
Specifies the number of server processes to start on this port |
-sport
|
Specifies the SSL port number during server instance startup. Default port if not set is 636.
See Also:
|
-work maximum_number_of_worker_threads_per_server
|
Specifies the maximum number of worker threads for this server |
configset=configset_number
|
Configset number used to start the server. This defaults to configset0 if not set. This should be a number between 0 and 1000.
|
connect=connect_string
|
If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, located in ORACLE_HOME/network/admin.
|
host=virtual/host_name
|
Specifies the virtual host or Oracle Application Server Identity Management Cluster nodes on which to start the directory server |
instance=server_instance_number
|
Instance number of the server to start. Should be a number between 1 and 1000. |
server=oidldapd
|
Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive. |
start
|
Starts the server specified in the server argument. |
For example, to start a directory server instance whose net service name is dbs1, using configset5,at port 12000, with a debug level of 1024, an instance number 3, and in which change logging is turned off, type at the system prompt:
oidctl connect=dbs1 server=oidldapd instance=3 configset=5 \
flags='-p 12000 -debug 1024 -l ' start
When starting and stopping an Oracle directory server instance, the server name and instance number are mandatory, as are the commands start or stop. All other arguments are optional.
All keyword value pairs within the flags arguments must be separated by a single space.
Single quotes are mandatory around the flags.
The configset identifier defaults to zero (configset0) if not set.
Use the OID Control Utility to start and stop Oracle directory replication server instances.
The syntax for starting the Oracle directory replication server is:
oidctl connect=connect_string server=oidrepld instance=server_instance_number \ [configset=configset_number] flags=' -p directory_server_port_number \ -d debug_level -h directory_server_host_name -m [true | false] \ -z transaction_size ' start
Table A-5 Arguments for Starting a Directory Replication Server by Using OIDCTL
| Argument | Description |
|---|---|
connect=connect_string
|
If you already have a tnsnames.ora file configured, then this is the name specified in that file, which is located in ORACLE_HOME/network/admin
|
server=oidrepld
|
Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive.
|
instance=server_instance_number
|
Instance number of the server to start. Should be a number between 1 and 1000. |
configset=configset_number
|
Configset number used to start the server. The default is configset0. This should be a number between 0 and 1000.
|
-p directory_server_port_number
|
Port number that the replication server uses to connect to the directory on TCP port directory_server_port_number. If you do not specify this option, the tool connects to the default port (389).
|
-d debug_level
|
Specifies a debug level during replication server instance startup |
-h directory_server_host_name
|
Specifies the directory_server_host_name to which the replication server connects, rather than to the default host, that is, your local computer. Directory_server_host_name can be a computer name or an IP address. (Replication server only)
|
-m [true|false]
|
Turns conflict resolution on and off. Valid values are true and false. The default is true. (Replication server only)
|
-z transaction_size
|
Specifies the number of changes applied in each replication update cycle. If you do not specify this, the number is determined by the Oracle directory server size limit parameter, which has a default setting of 1024. You can configure this latter setting. |
start
|
Starts the server specified in the server argument.
|
For example, to start the replication server with an instance=1, at port 12000, with debugging set to 1024, type at the system prompt:
oidctl connect=dbs1 server=oidrepld instance=1 flags='-p 12000 -h eastsun11 \
-d 1024' start
When starting an Oracle directory replication server, the -p flag, which specifies the port number, is mandatory. All other flags are optional. When stopping an Oracle directory replication server, all flags are optional
All keyword value pairs within the flags arguments must be separated by a single space.
Quotes are mandatory around the flags. Either single or double quotes work on UNIX. Only double quotes work on Windows.
The configset identifier defaults to zero (configset0) if not set.
The Oracle directory integration and provisioning server executable, odisrv, resides in the $ORACLE_HOME/bin directory.
The way you start the directory integration and provisioning server depends on whether your installation is:
A typical Oracle Internet Directory installation
In this case, your installation includes, among other server and client components, the OID Monitor and the OID Control Utility. In such installations, you start and stop the directory integration and provisioning server by using these tools.
|
Note: Although you can start the directory integration and provisioning server without using the OID Monitor and the OID Control Utility, Oracle Corporation recommends that you use them. This way, if the directory integration and provisioning server unexpectedly terminates, the OID Monitor automatically restarts it. |
An Oracle Directory Integration and Provisioning-only installation
In this case, the way you start the directory integration and provisioning server depends on whether you are using Oracle Directory Integration and Provisioning for high availability.
If you are using Oracle Directory Integration and Provisioning for high availability, then Oracle Corporation recommends that you start the directory integration and provisioning server by using the OID Monitor and the OID Control Utility. This requires configuring the tnsnames.ora file with the right host and SID to which the OID Monitor must connect.
If you are not using Oracle Directory Integration and Provisioning for high availability, then Oracle Corporation recommends that you start the directory integration and provisioning server without using the OID Monitor.
You can start the directory integration and provisioning server in either SSL mode for tighter security, or non-SSL mode. You need to use a connect string to connect to the database.
|
Note: When the Oracle directory integration and provisioning server is invoked in the default mode, it supports only the Oracle Directory Provisioning Integration Service, and not the Oracle Directory Synchronization Service. |
To start the directory integration and provisioning server in non-SSL mode:
Be sure that OID Monitor is running. To verify this on UNIX, enter the following at the command line:
ps -ef | grep oidmon
If OID Monitor is not running, then start it by following the instructions in "The OID Monitor (oidmon) Syntax".
Start the directory integration and provisioning server by using the OID Control Utility. Do this by entering:
oidctl [connect=connect_string] server=odisrv [instance=instance_number] \
[config=configuration_set_number] [flags="[host=hostname] \
[port=port_number] [debug=debug_level] \
[refresh=interval_between_refreshes] \
[grpID=group_identifier_of_provisioning_profile] \
[maxprofiles=number_of_profiles] \
[ sslauth=ssl_mode ]"] start
Table A-6 describes the arguments in this command.
Table A-6 Description of Arguments for Starting the Oracle Directory Integration and Provisioning Server
| Argument | Description |
|---|---|
connect=connect_string
|
If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, located in $ORACLE_HOME/network/admin
|
server=odisrv
|
Type of server to start. In this case, the server you are starting is odisrv. This is not case-sensitive. This argument is mandatory.
|
instance=instance_number
|
Specifies the instance number to assign to the directory integration and provisioning server. This instance number must be unique. OID Monitor verifies that the instance number is not already associated with a currently running instance of this server. If it is associated with a currently running instance, then OID Monitor returns an error message. |
config=configuration_set_number
|
Specifies the number of the configuration set that the directory integration and provisioning server is to execute. This argument is mandatory. |
host=hostname
|
Oracle directory server host name |
port=port_number
|
Oracle directory server port number |
debug=debug_level
|
The required debugging level of the directory integration and provisioning server
See Also: Table 10-2 for a description of the various debug levels |
refresh=interval_between_refreshes
|
Specifies the interval, in minutes, between server refreshes for any changes in the integration profiles. Default is 2 minutes (Refresh=2). |
grpID=group_identifier_of_provisioning_profile
|
Specifies the group of profiles to be scheduled |
maxprofiles=number_of_profiles
|
Specifies the maximum number of profiles that can be executed concurrently for this server instance |
sslauth=ssl_mode
|
SSL modes:
|
In a client-only installation, where the OID Monitor and OID Control tools are not available, the Oracle directory integration and provisioning server can be started without OID Monitor or OID Control Utility, either in non-SSL mode or, for tighter security, in SSL mode. The parameters described in Table A-6 remain the parameters for each type of invocation.
To start the directory integration and provisioning server, enter the following at the command line:
odisrv [host=host_name] [port=port_number] \ config=configuration_set_number [instance=instance_number] \ [debug=debug_level] [refresh=interval_between_refresh] \ [maxprofiles=number_of_profiles] [sslauth=ssl_mode]
The way you stop the directory integration and provisioning server depends on the tool that you used to start it.
If you started the directory integration and provisioning server by using OID Monitor and the OID Control utility, then you use them to stop it, as follows:
Before you stop the directory integration and provisioning server, be sure that the OID Monitor is running. To verify this, enter the following at the command line:
ps -ef | grep oidmon
If OID Monitor is not running, then start it by following the instructions in "The OID Monitor (oidmon) Syntax".
Stop the directory integration and provisioning server by entering:
oidctl [connect=connect_string] server=odisrv instance=instance stop
In a client-only installation, where the OID Monitor and OID Control tools are not available, the Oracle directory integration and provisioning server can be started without OID Control. To stop the server without these tools, use the stopodiserver.sh tool, which is located in the $ORACLE_HOME/ldap/admin directory.
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
If the Oracle directory integration and provisioning server is stopped by any means other than the methods mentioned in this section, then the server cannot be started from the same host. In that case, the footprint of the previous execution in the directory needs to be removed by using the following command:
|
|
See Also: The material on Oracle Identity Management Command-Line Tools in Oracle Identity Management Integration Guide for instructions about stopping the Oracle directory integration and provisioning server |
When you want to refresh the server cache immediately, rather than at the next scheduled time, use the RESTART command. When the Oracle Internet Directory server restarts, it maintains the same parameters it had before it stopped.
To restart an Oracle Internet Directory server instance, at the system prompt, type:
oidctl connect=connect_string server={oidldapd|oidrepld|odisrv} \ instance=server_instance_number restart
OID Monitor must be running whenever you restart directory server instances.
If you try to contact a server that is not running, you receive from the SDK the error message 81—LDAP_SERVER_DOWN.
If you change a configuration set entry that is referenced by an active server instance, you must stop that instance and restart it to effect the changed value in the configuration set entry on that server instance. You can either issue the STOP command followed by the START command, or you can use the RESTART command. RESTART both stops and restarts the server instance.
For example, suppose that Oracle directory server instance1 is started, using configset3, and with the net service name dbs1. Further, suppose that, while instance1 is running, you change one of the attributes in configset3. To enable the change in configset3 to take effect on instance1, you enter the following command:
oidctl connect=dbs1 server=oidldapd instance=1 restart
If there are more than one instance of the Oracle directory server running on that node using configset3, then you can restart all the instances at once by using the following command syntax:
oidctl connect=dbs1 server=oidldapd restart
Note that this command restarts all the instances running on the node, whether they are using configset3 or not.
|
Important Note: The restart process takes only a few seconds to execute, but during that time clients cannot access the Oracle directory server instance. |
When starting a directory server, a directory replication server, or a directory integration and provisioning server, use the host parameter to specify the virtual host name.
Starting and Stopping a Directory Server on Either a Virtual Host or a Oracle Application Server Identity Management Cluster Node
To start a directory server on a virtual host:
oidctl [connect=connect_string] host=virtual_host_name server=oidldapd \ instance=instance_number configset=configset_number flags= "..." start
To stop a directory server on a virtual host:
oidctl host=virtual_host_name server=oidldapd instance=instance_number stop
Starting and Stopping a Directory Replication Server on Either a Virtual Host or a Oracle Application Server Identity Management Cluster Node
To start a directory replication server on a virtual host:
oidctl [connect=connect_string] host=virtual_host_name server=oidrepld instance=instance_number flags= "..." start
To stop a directory replication server on a virtual host:
oidctl host=virtual_host_name server=oidrepld instance=instance_number stop
Starting and Stopping a Oracle Directory Integration and Provisioning Server on Either a Virtual Host or a Oracle Application Server Identity Management Cluster Node
To start a directory integration and provisioning server on a virtual host:
oidctl [connect=connect_string] host=virtual_host_name server=odisrv \ instance=instance_number configset=configset_number flags= "..." start
To stop a directory integration and provisioning server on a virtual host:
oidctl host=virtual/host_name server=odisrv instance=instance_number stop
When the directory server is started to run on the virtual host, it binds and listens to requests on the specified LDAP port on the IP address or IP addresses that correspond to the virtual host only.
When communicating with the directory server, the directory replication server uses the virtual host name. Further, the replicaID attribute that represents the unique replication identification for the Oracle Internet Directory node is generated once. It is independent of the host name and hence requires no special treatment in Oracle Application Server Cold Failover Cluster (Identity Management).
When communicating with the directory server, the directory integration and provisioning server uses the virtual host name.
The OPMN Control Utility (OPMNCTL) enables you to manage Oracle Application Server components in an integrated way. If you use it to start an Oracle Internet Directory server, then you do not need to separately start OID Monitor or the directory-designated database. Instead, OPMNCTL starts those components for you.
|
Note: This section only discusses how to use the OPMN Control utility to start and stop Oracle Internet Directory servers. For detailed information on how to use the OPMN Control utility, see Oracle Process Manager and Notification Server Administrator's Guide. |
You can use OPMNCTL to do the following:
Start and stop a default, that is, out-of-the-box, directory server instance
On a given node, stop, then restart, all running Oracle Internet Directory servers—that is, directory servers, directory replication server, and directory integration and provisioning server
Once you have used OPMNCTL to start the default directory server, you cannot then use it to start or stop a particular instance of an Oracle Internet Directory server. To start or stop particular instances, do either of the following:
Use OPMNCTL to stop all running Oracle Internet Directory servers on a node, then use it to restart those same servers
Use OIDCTL to start or stop the particular directory servers as described in "Starting and Stopping an Oracle Directory Server Instance by Using the OID Control Utility"
For example, to start a particular instance of a directory server:
Add a new configuration set entry for the new instance:
ldapadd -p port number -D cn-orcladmin -w password for orcladmin \ -f configset1
Start the new directory server instance with the new configuration set entry:
oidctl connect=connect string server=oidldapd \ instance=new_instance_number configset=1 start
To stop all running Oracle Internet Directory server instances, including the directory server, the directory replication server, and the directory integration and provisioning server, enter:
opmnctl stopproc ias-component=OID
The OID Diagnostic tool collects diagnostic information that helps triage issues reported on OID. The tool connects to the database used as the Directory Store (also called Metadata Repository) of Oracle Internet Directory and reads the information. The tool makes no recommendations on potential fixes to issues. Rather, it collects information to help OID Support and Development understand a problem and determine its solution. The tool can collect four types of diagnostic information:
DIT
Data consistency
Server manageability statistics
System and process information
|
Note: To collect server manageability information, you must configure server manageability. |
This section contains these topics:
To invoke the OID server diagnostic tool, type:
oiddiag arguments
Table A-7lists arguments to oiddag.
Table A-7 Arguments to oiddiag
| Argument | Description |
|---|---|
listdiags=true[targetfile=file_name]
|
Writes to an output file a list of the diagnostics that oiddiag can collect. The default file is $ORACLE_HOME/ldap/log/oiddiag.txt. You can specify a different output target file by using the targetfile argument.
|
collect_all = true[outfile=file_name]
|
Collects all the diagnostic information that oiddiag can collect and writes it to an output file. The default output file is $ORACLE_HOME/ldap/log/oiddiagtimestamp.log. The timestamp format is YYYYMMDDHHmmss. You can specify a different output file by using the outfile argument.
|
collect_sub = true[infile= input_file_name] [outfile= output_file_name]
|
Collects a sub-set of the diagnostic information and writes it to an output file. You must provide the specific list of diagnostics in an input file. The default input file is $ORACLE_HOME/ldap/log/oiddiag.txt. The default output file is $ORACLE_HOME/ldap/log/oiddiagtimestamp.log. The timestamp format is YYYYMMDDHHmmss. You can specify a different input or output file by using the infile or outfile argument, respectively.
|
If you use either the option collect_all=true or the option collect_sub=true, oiddiag prompts for the following parameters:
The fully domain-qualified database host name
The database listener port number
The database service name
The ODS database user password
You can find the hostname, port number and service name in the file tnsnames.ora. For example, in the following tnsnames.ora file, the hostname, port number and service names are, respectively, sun16.us.oracle.com, 1521, and orcl.us.oracle.com:
ORCL =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = sun16.us.oracle.com)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl.us.oracle.com)
)
)
The following are examples of oiddiag usage:
Write to the output file list.txt a list of the diagnostics that oiddiag can collect:
oiddiag listdiags=true targetfile=list.txt
Collect all the diagnostics and write them to the default output file:
oiddiag collect_all=true
Collect the specific diagnostics listed in the file diagin.txt and write them to the default output file:
oiddiag collect_sub=true infile=diagin.txt
This section tells you how to use the following tools:
|
Note: Various UNIX shells interpret some characters—for example, asterisks (*)—as special characters. Depending on the shell you are using, you may need to escape these characters. |
Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, the cn=catalogs entry lists available attributes that can be used in a search. You can index only those attributes that have:
An equality matching rule
Matching rules supported by Oracle Internet Directory
If you want to use additional attributes in search filters, then you must add them to the catalog entry. You can do this at the time you create the attribute by using Oracle Directory Manager. However, if the attribute already exists, then you can index it only by using the Catalog Management tool.
Before running catalog.sh, be sure that the directory server is either stopped or in read-only mode. Otherwise, data will be inconsistent.
|
Caution: Do not use the catalog.sh-delete option on indexes created by the Oracle Internet Directory base schema. Removing indexes from base schema attributes can adversely impact the operation of Oracle Internet Directory.
|
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
The Catalog Management tool uses this syntax:
catalog.sh -connect connect_string {-add|-delete} \ {-attr attr_name|-file file_name}
Table A-8 Arguments for the Catalog Management Tool (catalog.sh)
| Argument | Description |
|---|---|
-connect connect_string
|
Specifies the connect string to connect to the directory database. This argument is mandatory.
See Also: Oracle Database Net Services Administrator's Guide in the Oracle Database Documentation Library |
-add -attr attr_name
|
Indexes the specified attribute |
-delete -attr attr_name
|
Drops the index from the specified attribute |
-add -file file_name
|
Indexes attributes (one for each line) in the specified file |
-delete -file file_name
|
Drops the indexes from the attributes in the specified file |
When you enter the catalog.sh command, the following message appears:
This tool can only be executed if you know the OiD user password. Enter OiD password:
If you enter the correct password, the command is executed. If you give an incorrect password, the following message is displayed:
Cannot execute this tool
To effect the changes after running the Catalog Management tool, stop, then restart, the Oracle directory server.
|
See Also:
|
The ldapadd command-line tool enables you to add entries, their object classes, attributes, and values to the directory. To add attributes to an existing entry, use the ldapmodify command, explained in "ldapmodify Syntax".
|
See Also: "Adding Configuration Set Entries by Using ldapadd" for an explanation of using ldapadd to configure a server with an input file |
ldapadd uses this syntax:
ldapadd[arguments] -f file_name
where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".
The following example adds the entry specified in the LDIF file my_ldif_file.ldi:
ldapadd -p 389 -h myhost -f my_ldif_file.ldi
Table A-9 Arguments for ldapadd
| Optional Arguments | Description |
|---|---|
-b
|
Specifies that you have included binary file names in the file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced. |
-c
|
Tells ldapadd to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapadd stops when it encounters an error.) |
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E "character_set"
|
Specifies native character set encoding. See Appendix F, " Globalization Support in the Directory". |
-f file_name
|
Specifies the input name of the LDIF format import data file. For a detailed explanation of how to format an LDIF file, see "LDAP Data Interchange Format (LDIF) Syntax". |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-K
|
Same as -k, but performs only the first step of the Kerberos bind
|
-k
|
Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined.You must already have a valid ticket granting ticket. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-n
|
Shows what would occur without actually performing the operation |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p directory_server_port_number
|
Connects to the directory on TCP port directory_server_port_number. If you do not specify this option, then the tool connects to the default port (389).
|
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-v
|
Specifies verbose mode |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections.
For example, on UNIX, you could set this parameter as follows: On Microsoft Windows, you could set this parameter as follows: |
-X dsml_file
|
Specifies the input name of the DSML format import data file. |
ldapaddmt is like ldapadd: It enables you to add entries, their object classes, attributes, and values to the directory. It is unlike ldapadd in that it supports multiple threads for adding entries concurrently.
While it is processing LDIF entries, ldapaddmt logs errors in the add.log file in the current directory.
ldapaddmt -T number_of_threads -h host -p port -f file_name
where file_name is the name of an LDIF file written with the specifications explained in the section "LDAP Data Interchange Format (LDIF) Syntax".
The following example uses five concurrent threads to process the entries in the file myentries.ldif.
ldapaddmt -T 5 -h node1 -p 3000 -f myentries.ldif
Table A-10 Arguments for ldapaddmt
| Optional Arguments | Description |
|---|---|
-b
|
Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. The tool retrieves the actual values from the file referenced. |
-c
|
Tells the tool to proceed in spite of errors. The errors will be reported. (If you do not use this option, the tool stops when it encounters an error.) |
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry is specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E "character_set"
|
Specifies native character set encoding. See Appendix F, " Globalization Support in the Directory" |
-h ldap_host
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-K
|
Same as -k, but performs only the first step of the kerberos bind |
-k
|
Authenticates using Kerberos authentication instead of simple authentication. To enable this option, you must compile with KERBEROS defined. You must already have a valid ticket granting ticket. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-n
|
Shows what would occur without actually performing the operation. |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-T
|
Sets the number of threads for concurrently processing entries |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-v
|
Specifies verbose mode |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Microsoft Windows, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
-X dsml_file
|
Specifies the input name of the DSML format import data file. |
The ldapbind command-line tool enables you to see whether you can authenticate a client to a server.
ldapbind uses this syntax:
ldapbind [arguments]
Table A-11 Arguments for ldapbind
| Arguments | Description |
|---|---|
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E ".character_set"
|
Specifies native character set encoding. See Appendix F, " Globalization Support in the Directory". |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
| -n | Shows what would occur without actually performing the operation |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password
|
Specifies the wallet password required for one-way or two-way SSL connections |
-U SSLAuth
|
Specifies SSL authentication mode: 1 for no authentication required 2 for one way authentication required 3 for two way authentication required |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Microsoft Windows, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet" |
-O sasl_security_properties
|
Specifies SASL security properties. The security property supported is -O "auth". This security property is for DIGEST-MD5 SASL mechanism. It enables authentication with no data integrity or data privacy. |
-Y sasl_mechanism
|
Specifies a SASL mechanism. These mechanisms are supported:
|
-R sasl_realm
|
Specifies a SASL realm |
The ldapcompare command-line tool enables you to match attribute values you specify in the command line with the attribute values in the directory entry.
ldapcompare [arguments]
The following example tells you whether Person Nine's title is associate.
ldapcompare -p 389 -h myhost -b "cn=Person Nine,ou=EuroSInet Suite,o=IMC,c=US" \
-a title -v associate
Table A-12 Arguments for ldapcompare
| Optional Arguments | Description |
|---|---|
-a attribute name
|
Specifies the attribute on which to perform the compare. This argument is mandatory. |
-b "basedn"
|
Specifies the distinguished name of the entry on which to perform the compare. This argument is mandatory. |
-v attribute_value
|
Specifies the attribute value to compare. This argument is mandatory. |
-D binddn
|
When authenticating to the directory, specifies doing so as the entry is specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-d debug_level
|
Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility". |
| -E "character_set" | Specifies native character set encoding. See Appendix F, " Globalization Support in the Directory". |
-f file_name
|
Specifies the input file name |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
|
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Microsoft Windows, you could set this parameter as follows: |
The ldapdelete command-line tool enables you to remove entire entries from the directory that you specify in the command line.
ldapdelete [arguments] ["entry_DN" | -f input_file_name]
|
Note: If you specify the entry DN, then do not use the-f option.
|
The following example uses port 389 on a host named myhost.
ldapdelete -p 389 -h myhost "ou=EuroSInet Suite, o=IMC, c=US"
Table A-13 Arguments for ldapdelete
| Optional Argument | Description |
|---|---|
-D "binddn"
|
When authenticating to the directory, uses a full DN for the binddn parameter—that is, the DN of the user seeking authentication; typically used with the -w password option.
|
-d debug_level
|
Sets the debugging level. See "Setting Debug Logging Levels by Using the OID Control Utility". |
| -c | Tells ldapdelete to proceed in spite of errors. The errors will be reported. (If you do not use this option, then ldapdelete stops when it encounters an error.) |
-E "character_set"
|
Specifies native character set encoding. See Appendix F, " Globalization Support in the Directory". |
-f input_file_name
|
Specifies the input file name |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
|
| -k | Authenticates using authentication instead of simple authentication. To enable this option, you must compile with Kerberos defined. You must already have a valid ticket granting ticket. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
| -n | Shows what would be done, but doesn't actually delete |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth
|
Specifies SSL authentication mode:
|
| -v | Specifies verbose mode |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect. |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet" On Microsoft Windows, you could set this parameter as follows: -W "file:C:\my_dir\my_wallet".
|
The ldapmoddn command-line tool enables you to modify the DN or RDN of an entry.
The ldapmoddn command-line tool uses this syntax:
ldapmoddn [arguments]
The following example uses ldapmoddn to modify the RDN component of a DN from "cn=mary smith" to "cn=mary jones". It uses port 389, and a host named myhost.
ldapmoddn -p 389 -h myhost -b "cn=mary smith,dc=Americas,dc=imc,dc=com" \
-R "cn=mary jones"
Table A-14 Arguments for ldapmoddn
| Argument | Description |
|---|---|
-b "basedn"
|
Specifies DN of the entry to be moved. This argument is mandatory. |
-D "binddn"
|
When authenticating to the directory, do so as the entry is specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E "character_set"
|
Specifies native character set encoding. See Appendix F, " Globalization Support in the Directory". |
-f file_name
|
Specifies the input file name |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-N newparent
|
Specifies new parent of the RDN. Either this argument or the -R argument must be specified. |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-r
|
Specifies that the old RDN is not retained as a value in the modified entry. If this argument is not included, the old RDN is retained as an attribute in the modified entry. |
-R newrdn
|
Specifies new RDN. Either this argument or the -N argument must be specified. |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Provides the password required to connect. |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Microsoft Windows, you could set this parameter as follows: |
The ldapmodify tool enables you to act on attributes.
ldapmodify [arguments] -f file_name
where file_name is the name of an LDIF file written with the specifications explained the section "LDAP Data Interchange Format (LDIF) Syntax".
The list of arguments in the following table is not exhaustive. These arguments are all optional.
Table A-15 Arguments for ldapmodify
| Argument | Description |
|---|---|
-a
|
Denotes that entries are to be added, and that the input file is in LDIF format. |
-b
|
Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. |
-c
|
Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.) |
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry is specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E "character_set"
|
Specifies native character set encoding. See Appendix F, " Globalization Support in the Directory". |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
|
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-n
|
Shows what would occur without actually performing the operation. |
-o log_file_name
|
Can be used with the -c option to write the erroneous LDIF entries in the logfile. You must specify the absolute path for the log file name.
|
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
|
| -P wallet_password | Specifies wallet password required for one-way or two-way SSL connections |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-v
|
Specifies verbose mode |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option.
|
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Microsoft Windows, you could set this parameter as follows: |
To run modify, delete, and modifyrdn operations using the -f flag, use LDIF for the input file format (see "LDAP Data Interchange Format (LDIF) Syntax") with the specifications noted in this section:
If you are making several modifications, then, between each modification you enter, add a line that contains a hyphen (-) only. For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: modify add: work-phone work-phone: 510/506-7000 work-phone: 510/506-7001 - delete: home-fax
Unnecessary space characters in the LDIF input file, such as a space at the end of an attribute value, will cause the LDAP operations to fail.
Line 1: Every change record has, as its first line, the literal dn: followed by the DN value for the entry, for example:
dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US
Line 2: Every change record has, as its second line, the literal changetype: followed by the type of change (add, delete, modify, modrdn), for example:
changetype: modify
or
changetype: modrdn
Format the remainder of each record according to the following requirements for each type of change:
Uses LDIF format (see "LDAP Data Interchange Format (LDIF) Syntax").
The lines that follow this changetype consist of changes to attributes belonging to the entry that you identified previously in Line 1. You can specify three different types of attribute modifications—add, delete, and replace—which are explained next:
Add attribute values. This option to changetype modify adds more values to an existing multi-valued attribute. If the attribute does not exist, it adds the new attribute with the specified values:
add: attribute name attribute name: value1 attribute name: value2...
For example:
dn:cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: modify add: work-phone work-phone: 510/506-7000 work-phone: 510/506-7001
Delete values. If you supply only the delete line, all the values for the specified attribute are deleted. Otherwise, if you specify an attribute line, you can delete specific values from the attribute:
delete: attribute name [attribute name: value1]
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: modify delete: home-fax
Replace values. Use this option to replace all the values belonging to an attribute with the new, specified set:
replace: attribute name [attribute name: value1 ...]
If you do not provide any attributes with replace, then the directory adds an empty set. It then interprets the empty set as a delete request, and complies by deleting the attribute from the entry. This is useful if you want to delete attributes that may or may not exist.
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: modify replace: work-phone work-phone: 510/506-7002
This change type deletes entries. It requires no further input, since you identified the entry in Line 1 and specified a changetype of delete in Line 2.
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: delete
The line following the change type provides the new relative distinguished name using this format:
newrdn: RDN
For example:
dn: cn=Barbara Fritchy,ou=Sales,o=Oracle,c=US changetype: modrdn newrdn: cn=Barbara Fritchy-Blomberg
To specify an attribute as single-valued, include in the attribute definition entry in the LDIF file the keyword SINGLE-VALUE with surrounding white space.
Example: Using ldapmodify to Add an Attribute
This example adds a new attribute called myAttr. The LDIF file for this operation is:
dn: cn=subschemasubentry changetype: modify add: attributetypes attributetypes: (1.2.3.4.5.6.7 NAME 'myAttr' DESC 'New attribute definition' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
On the first line, enter the DN specifying where this new attribute is to be located. All attributes and object classes they are stored in cn=subschemasubentry.
The second and third lines show the proper format for adding a new attribute.
The last line is the attribute definition itself. The first part of this is the object identifier number: 1.2.3.4.5.6.7. It must be unique among all other object classes and attributes. Next is the NAME of the attribute. In this case the attribute NAME is myAttr. It must be surrounded by single quotes. Next is a description of the attribute. Enter whatever description you want between single quotes. At the end of this attribute definition in this example are optional formatting rules to the attribute. In this case we are adding a matching rule of EQUALITY caseIgnoreMatch and a SYNTAX of Directory String. This example uses the object ID number of 1.3.6.1.4.1.1466.115.121.1.15 instead of the SYNTAXES name which is "Directory String".
Put your attribute information in a file formatted like this example. Then run the following command to add the attribute to the schema of your Oracle directory server.
ldapmodify -h yourhostname -p 389 -D "orcladmin" -w "welcome" -v \
-f /tmp/newattr.ldif
This ldapmodify command assumes that your Oracle directory server is running on port 389, that your super user account name is orcladmin, that your super user password is welcome and that the name of your LDIF file is newattr.ldif. Substitute the host name of your computer where you see yourhostname.
If you are not in the directory where the LDIF file is located, then you must enter the full directory path to the file at the end of your command. This example assumes that your LDIF file is located in the /tmp directory.
The ldapmodifymt command-line tool enables you to modify several entries concurrently.
ldapmodifymt uses this syntax:
ldapmodifymt -T number_of_threads [arguments] -f file_name
where file_name is the name of an LDIF file written with the specifications explained the section "LDAP Data Interchange Format (LDIF) Syntax".
The following example uses five concurrent threads to modify the entries in the file myentries.ldif.
ldapmodifymt -T 5 -h node1 -p 3000 -f myentries.ldif
|
Note: The ldapmodifymt tool logs error messages in the fileadd.log, which is located in the directory where you are running the command.
|
The arguments in the following table are all optional.
Table A-16 Arguments for ldapmodifymt
| Argument | Description |
|---|---|
-a
|
Denotes that entries are to be added, and that the input file is in LDIF format. (If you are running ldapadd, this flag is not required.) |
-b
|
Specifies that you have included binary file names in the data file, which are preceded by a forward slash character. |
-c
|
Tells ldapmodify to proceed in spite of errors. The errors will be reported. (If you do not use this option, ldapmodify stops when it encounters an error.) |
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry is specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-E "character_set"
|
Specifies native character set encoding. See Appendix F, " Globalization Support in the Directory". |
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address. |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-n
|
Shows what would occur without actually performing the operation. |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389). |
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-T
|
Sets the number of threads for concurrently processing entries |
-U SSLAuth
|
Specifies SSL authentication mode:
|
-v
|
Specifies verbose mode |
-V ldap_version
|
Specifies the version of the LDAP protocol to use. The default value is 3, which causes the tool to use the LDAP v3 protocol. A value of 2 causes the tool to use the LDAP v2 protocol. |
-w password
|
Overrides the default, unauthenticated, null bind. To force authentication, use this option with the -D option. |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Microsoft Windows, you could set this parameter as follows: |
The ldapsearch command-line tool enables you to search for and retrieve specific entries in the directory.
The ldapsearch tool uses this syntax:
ldapsearch [arguments]filter[attributes]
The filter format must be compliant with RFC-2254.
|
See Also: RFC-2254 available athttp://www.ietf.org for further information about the standard for the filter format
|
Separate attributes with a space. If you do not list any attributes, all attributes are retrieved.
|
Note:
|
Table A-17 Arguments for ldapsearch
| Argument | Description |
|---|---|
-b "basedn"
|
Specifies the base DN for the search. This argument is mandatory. |
-s scope
|
This argument is mandatory. Specifies search scope: base, one, or sub Base: Retrieves a particular directory entry. Along with this search depth, you use the search criteria bar to select the attribute objectClass and the filter Present. One Level: Limits your search to all entries beginning one level down from the root of your search Subtree: Searches entries within the entire subtree, including the root of your search
|
-A
|
Retrieves attribute names only (no values) |
-a deref
|
Specifies alias dereferencing: never, always, search, or find |
-B
|
Allows printing of non-ASCII values |
-D "binddn"
|
When authenticating to the directory, specifies doing so as the entry specified in binddn—that is, the DN of the user seeking authentication. Use this with the -w password option.
|
-d debug level
|
Sets debugging level to the level specified (see Table 10-2) |
-E "character_set"
|
Specifies native character set encoding. See Appendix F, " Globalization Support in the Directory". |
-f file
|
Performs sequence of searches listed in file |
-F sep
|
Prints sep instead of = between attribute names and values
|
-h ldaphost
|
Connects to ldaphost, rather than to the default host, that is, your local computer. ldaphost can be a computer name or an IP address.
|
-L
|
Prints entries in LDIF format (-B is implied)
|
-l timelimit
|
Specifies maximum time (in seconds) to wait for ldapsearch command to complete |
-M
|
Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.
|
-n
|
Shows what would be done without actually searching |
-O ref_hop_limit
|
Specifies the number of referral hops that a client should process. The default value is 5. |
-p ldapport
|
Connects to the directory on TCP port ldapport. If you do not specify this option, the tool connects to the default port (389).
|
-P wallet_password
|
Specifies wallet password required for one-way or two-way SSL connections |
-S attr
|
Sorts the results by attribute attr |
-t
|
Writes to files in /tmp
|
-u
|
Includes user-friendly entry names in the output |
-U SSLAuth
|
Specifies the SSL authentication mode:
|
-v
|
Specifies verbose mode |
-w passwd
|
Specifies bind passwd for simple authentication |
-W wallet_location
|
Specifies wallet location required for one-way or two-way SSL connections. For example, on UNIX, you could set this parameter as follows: -W "file:/home/my_dir/my_wallet"
On Microsoft Windows, you could set this parameter as follows: |
-z sizelimit
|
Specifies maximum number of entries to retrieve |
-X
|
Prints the entries in DSML v1 format. |
Study the following examples to see how to build your own search commands.
The following example performs a base-level search on the directory from the root.
ldapsearch -p 389 -h myhost -b "" -s base -v "objectclass=*"
-b specifies base DN for the search, root in this case.
-s specifies whether the search is a base search (base), one level search (one) or subtree search (sub).
"objectclass=*" specifies the filter for search.
The following example performs a one level search starting at "ou=HR, ou=Americas, o=IMC, c=US".
ldapsearch -p 389 -h myhost -b "ou=HR, ou=Americas, o=IMC, c=US" -s one \
-v "objectclass=*"
The following example performs a subtree search and returns all entries having a DN starting with "cn=us".
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*"
The following example actually retrieves only two entries, even if there are more than two matches.
ldapsearch -h myhost -p 389 -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" \
-s one "objectclass=*"
The following example returns only the DN attribute values of the matching entries:
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "objectclass=*" dn
The following example retrieves only the distinguished name along with the surname (sn) and description (description) attribute values:
ldapsearch -p 389 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description
The following example retrieves entries with common name (cn) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.
ldapsearch -p 389 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"
Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following example does not return John's entry:
ldapsearch -p 389 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"
The following example retrieves all user attributes and the createtimestamp and orclguid operational attributes:
ldapsearch -p 389 -h myhost -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" \
-s sub "cn=Person*" * createtimestamp orclguid
The following example retrieves entries modified by Anne Smith:
ldapsearch -h sun1 -b "" "(&(objectclass=*)(modifiersname=cn=Anne Smith))"
The following example retrieves entries modified between 01 April 2001 and 06 April 2001:
ldapsearch -h sun1 -b "" \
"(&(objectclass=*)(modifytimestamp >= 20000401000000) \
(modifytimestamp <= 20000406235959))"
|
Note: Becausemodifiersname and modifytimestamp are not indexed attributes, use catalog.sh to index these two attributes. Then, restart the Oracle directory server before issuing the two previous ldapsearch commands.
|
Each of the following examples searches on port 389 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us".
The following example searches for all entries with any value for the objectclass attribute.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"
The following example searches for all entries that have orcl at the beginning of the value for the objectclass attribute.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=orcl*"
The following example searches for entries where the objectclass attribute begins with orcl and cn begins with foo.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" \
-s subtree "(&(objectclass=orcl*)(cn=foo*))"
The following example searches for entries in which the common name (cn) is not foo.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "(!(cn=foo))"
The following example searches for entries in which cn begins with foo or sn begins with bar.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" \
-s subtree "(|(cn=foo*)(sn=bar*))"
The following example searches for entries in which employeenumber is less than or equal to 10000.
ldapsearch -p 389 -h sun1 -b "ou=hr, o=acme, c=us" \
-s subtree "employeenumber<=10000"
This section contains these topics:
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
|
Note: All bulk tools require you to enter the correct password to access the ODS database. |
The bulkdelete command-line tool enables you to delete a subtree efficiently. It can be used when both an Oracle directory server and Oracle directory replication servers are in operation. It uses a SQL interface to benefit performance. For this release, the bulkdelete tool runs on only one node at a time.
|
Note: Make sure that when bulkmodify is invoked, server-side entry cache is disabled. |
This tool does not support filter-based deletion. That is, it deletes an entire subtree below the root of the subtree. If the base DN is a user-added DN, rather than a DN created as part of the installation of the directory, it is included in the delete. You must restrict LDAP activity against the subtree during deletion.
The bulkdelete tool uses this syntax:
bulkdelete.sh -connect connect_string -base "base_dn" -size number_of_entries \ -encode "character_set"
Table A-18 Arguments for bulkdelete
| Mandatory Argument | Description |
|---|---|
-connect connect_string
|
Specifies the connect string to connect to the directory database. This argument is mandatory.
See Also: Oracle Database Net Services Administrator's Guide in the Oracle Database Documentation Library |
-base "base_dn"
|
Specifies the base DN of the subtree to be deleted. This argument is mandatory. |
-size number_of_entries
|
Specifies the number of entries to be committed as a part of one transaction. |
-encode "character_set"
|
Specifies native character set encoding.
See Also: Appendix F, " Globalization Support in the Directory". |
This section contains these topics:
The bulkload command-line tool is useful for loading large number of entries to a directory server. It uses Oracle SQL*Loader to load directory entries. The bulkload tool expects the input file to be in LDIF.
|
See Also:
|
The bulkload tool performs its operation in following phases:
Check
In the check phase, all entries of LDIF files are verified for valid LDAP schema and duplicate entries. If there are any errors reported by bulkloader, then the user needs to rectify the error and retry bulkload.
Generate
In the generate phase, the LDIF input is converted into intermediate files that can be used by SQL*Loader to load the data into the Oracle Internet Directory directory store.
Load
The Intermediate files generated in generate phase are loaded into the Oracle Database which is the Oracle Internet Directory directory store. Bulkloader supports two types of loading of data:
Incremental Mode Loading
Incremental mode enables you to append data to existing directory data. Loading in this mode is faster than other "add" methods, but slower than bulk mode loading.
Use this mode when you want to append a small amount of data. Here, "small amount" is a relative number. It depends upon existing data in directory, the amount of data to be loaded, and the hardware capabilities to handle the load.
In this mode, bulkload does not drop and rebuild catalog indexes. Instead, it uses SQL*Loader in insert mode to add data to the database and update indexes through inserts.
To invoke incremental mode, you must specify -append along with other options.
When using bulkload in incremental mode, you must put the directory server in the read-modify mode. During read-modify mode, search and modify operations are allowed but add, delete, and modifyDN operations are restricted.
|
See Also: "Task 2: Configure Structural Access Items" for instructions on using Oracle Directory Manager to set access rights |
Bulk Mode Loading
In bulk mode, you must be able to add or append large number of entries to a directory. By default, Bulkloader runs in bulk mode. Bulk mode is faster than incremental mode.
In bulk mode, all Oracle Internet Directory server instances should be stopped. In this mode, Bulkloader drops existing indexes and re-creates them after loading of data. For data loading, it uses SQL*Loader direct-path mode.
Index Creation
After the load is complete, the indexes are re-created if the load was done in "bulk" mode. Also, the Bulkloader tool provides an option just to re-create all indexes. This is useful in case if previous index creation was unsuccessful for some reason.
Directory Data Recovery
A failure in the 'load' phase of bulkload operation can leave directory data in inconsistent state. Bulkloader can revert back to original state that existed prior to the invocation of bulkload. Use the -recover option to recover directory data in case of Bulkload failure.
The bulkload tool can be used in single node as well as multiple node environments.
Single Node Environment
Loading in 'bulk' mode
The typical usage scenario is to load directory data after Oracle Internet Directory installation. You would want to 'check' the LDIF file for schema errors, 'generate' the intermediate files and 'load' the data into the Oracle Internet Directory store. The 'parallel' option is normally faster since the load and index creation happens in parallel. The invocation of bulkload will be something like:
bulkload.sh -connect coonect_string -check -generate -load -parallel LDIF_file
You can break this operation into separate 'check, 'generate' and 'load' invocations. The 'check' can also be avoided if the LDIF data is from another Oracle Internet Directory directory node.
Loading in 'incremental' or 'append' Mode
If you need to add directory entries to an Oracle Internet Directory store already containing some user LDIF data, then use the 'incremental' or 'append' mode. This mode is normally faster than other methods of adding entries to the directory. However, be sure that the directory server instances are in read-modify mode before bulkload begins to append data. The typical invocation of bulkload will be something like:
bulkload.sh -connect coonect_string -check -generate -load -append LDIF_file
Index recreation
The bulkload operation either updates or creates the indexes. However, due to issues like improper sizing, the indexes may not be updated or created properly. For this reason, the bulkload tool enables you to re-create all the indexes. The invocation of bulkload is:
bulkload.sh -connect coonect_string -index
Data recovery on errors
Due to issues like improper disk sizing, the 'load' phase of bulkload may fail. If this happens, then directory data can be inconsistent. For this reason, bulkloader enables you to recover the directory data to the state that existed prior to the invocation of bulkload. The invocation is:
bulkload.sh -connect coonect_string -recover
Multi-Node Environment
Bulk Mode Loading
Specify the connect strings of all the Oracle Internet Directory nodes involved. The invocation of the bulkload tool is something like:
bulkload.sh -connect "coonect_string1 coonect_string2 coonect_string2" -check \
-generate -load -parallel LDIF_file
The bulkload tool does the following:
It prompts the user to put all Oracle Internet Directory LDAP servers on all the nodes in 'read-modify' mode.
It prompts the user to bring down the Oracle Internet Directory servers on the node corresponding to connect_string1
The 'check' and 'generate' are performed on the node corresponding to connect_string1
The 'load' is performed on the node corresponding to connect_string1
Bulkloader prompts the user to bring up the Oracle Internet Directory servers on the node corresponding to connect_string1
Steps 2, 4 and 5 are repeated for all the nodes.
Now, all the Oracle Internet Directory servers can be changed to read/write mode.
Incremental Mode Loading
Here, the approach is the same as in bulk mode loading except that the Oracle Internet Directory servers need not be shut down. All of them must be in 'read-only' mode.
After generating a file with the generate option, you can use the load option to load multiple computers with the identical SQL*Loader file. Do this only when creating a new replica node.
When you load the same data into multiple nodes in a replicated network, ensure that the orclGUID parameter (global IDs) is consistent across all the nodes. You can accomplish this by generating the bulkload data file once only (using the -generate option), and then using the same data file to load the other nodes (using the -load option).
In multi-node environments, be sure that all nodes have same schema before running the bulkload tool.
If you see bad entries logged in badentry.ldif but do not rectify them, then data can be inconsistent.
The 'check' mode of the bulkload tool does not check and report the lack of parent-child relationships between entries.
The 'incremental' or 'append' mode is only for adding new entries—and not new attribute values—to existing entries.
In multi-node environments, the first connect string specified must refer to the local node.
The bulkload tool uses this syntax:
bulkload.sh -connect connect_string <[-check] [-generate] [-restore] [-numThread]
[-parallel] [-encode] [-append] [-load] | [-index] | [-recover]
absolute_path_to_LDIF_data_file
Table A-19 lists and describes the arguments.
Table A-19 Arguments for bulkload.sh
| Argument | Description | Mandatory? |
|---|---|---|
-connect
|
Specifies the net service name defined in the tnsnames.ora file. For loading data in single node, specify its connect-string—for example orcl. For loading data in multiple nodes, specify connect-strings of all nodes—for example, orcl1 orcl2 orcl3
See Also: Oracle Database Net Services Administrator's Guide in the Oracle Database Documentation Library |
Yes |
-check
|
Checks LDAP schema for inconsistencies and for existence of duplicate DNs in the file | No |
-generate
|
Creates intermediate files suitable for loading into Oracle Internet Directory using SQL*Loader | No |
-restore
|
Assumes operational attributes, such as orclguid, creatorsname, and createtimestamp, are already present in the specified LDIF file. When used with -generate, bulkload.sh avoids creating duplicate operational attribute values in the output SQL*Loader files. When used with -check, bulkload.sh suppresses errors associated with finding pre-existing operational attribute values in LDIF files.
|
No |
-numThread n
|
Specifies the number of threads to be created. - numThread is useful only in -generate mode. The default value is number of CPUs on machine + 1 | No |
-parallel
|
Specifies that the loading should be done in parallel. Useful with -load option | No |
-encode
|
Specifies native character set encoding
See Also: Appendix F, " Globalization Support in the Directory" |
No |
-append
|
Specifies append incremental mode (Default is bulkmode append) | No |
-load
|
Loads files resulting from generate phase into specified database | No |
-index
|
re-creates indexes on all catalog tables | No |
-recover
|
In case of bulkload.sh failure, recovers directory with original data | No |
-file_name
|
Absolute path of ldif file | No |
The LDIF data file path must be fully specified for check or generate operations.
While calling bulkload at least one of -check, -generate, -load, -recover or -index actions must be specified.
There are certain combinations of options that should be called together for effective bulkloading.
The -restore flag should only be used when ldif file contains operational attributes such as orclguid, creatorsname, and so forth.
The path name to the LDIF data file should be fully specified, and the data file must be specified for the -check or -generate actions.
-numThread is useful only if given with -generate option.
-parallel should be called with -load only.
-recover or -index should not be specified with any other option.
|
See Also: Chapter 25, "Oracle Internet Directory Replication Administration" for further information and resources for bulkloading multiple nodes in a replicated environment |
The bulkmodify command-line tool enables you to modify a large number of existing entries in an efficient way. The bulkmodify tool supports the following:
Subtree based modification
A single attribute filter. For example, the filter could be objectclass=*, objectclass=oneclass, or telephonenumber=*.
Attribute value addition and replacement. It modifies all matched entries in bulk.
The bulkmodify tool performs schema checking on the specified attribute name and value pair during initialization. All entries that meet the following criteria are modified:
They are under the specified subtree.
They meet the single filter condition.
They contain the attribute to be modified as either mandatory or optional.
The directory server and directory replication server may be running concurrently while bulk modification is in progress, but the bulk modification does not affect the replication server. You must perform bulk modification against all replicas.
You must restrict user access to the subtree during bulk modification. If necessary, ACI restriction can be applied to the subtree being updated by bulkmodify.
You cannot use bulkmodify to add a value to single-valued attributes that already contain one value. If a second value is added, you must alter the directory schema to make that attribute multi-valued.
The bulkmodify tool uses this syntax:
bulkmodify -c connect_string -b "base_dn" {-a|-r} attr_name \ -v att_value [-f filter] [-s size]
Table A-20 Arguments for bulkmodify
| Argument | Description |
|---|---|
-c connect_string
|
Specifies the connect string for the directory database. This argument is mandatory.
See Also: Oracle Database Net Services Administrator's Guide in the Oracle Database Documentation Library |
-b "base_dn"
|
Specifies the base DN of the subtree to be modified. This argument is mandatory. |
-a attr_name
|
Specifies the attribute name for addition. This argument is mandatory. |
-r attr_name
|
Specifies the attribute name for replacement. This argument is mandatory. |
-v attr_value
|
Specifies the attribute value for either addition or replacement. This argument is mandatory. |
-f filter
|
Specifies the filter to be used |
-s number_of_entries
|
Specifies the number of entries to be committed as a part of one transaction. If not specified, default is 100. |
-E "character_set"
|
Specifies native character set encoding. See Appendix F, " Globalization Support in the Directory". |
The filter specified with the -f option must contain a single attribute.
If a filter is not specified, the default filter objectclass=* is assumed.
There can be only one attribute name specified in the -a or -r option in each execution.
There can be only one value specified in the -v option in each execution. For example, the following bulkmodify command adds the telephone number 408-123-4567 to the entries of all employees who have Anne Smith as their manager:
bulkmodify -c my_database -b "c=US" -a telephoneNumber -v "408-123-4567" \
-f "manager=Anne Smith"
To assure that the modified entries are read, after completing the bulkmodify procedure, restart the Oracle Internet Directory server.
The ldifwrite command-line tool enables you to convert to LDIF all or part of the information residing in an Oracle Internet Directory. Once you have converted the information, you can load it into a new node in a replicated directory or another node for backup storage.
|
Note: The ldifwrite tool output does not include operational data of the directory itself—for example,cn=subschemasubentry, cn=catalogs, and cn=changelog entries. To export these entries into LDIF format, use ldapsearch with the -L flag.
|
The ldifwrite tool performs a subtree search, including all entries below the specified DN, including the DN itself.
The ldifwrite tool uses this syntax:
ldifwrite [ -c connect_string ] -b "base_DN" -f file_name [ -E encoding ] [ -t num_threads ]
Table A-21 Arguments for ldifwrite
| Argument | Description |
|---|---|
-c connect_string
|
Specifies the net service name for the directory that is the source of the data, as defined in the tnsnames.ora file. This argument is mandatory.
See Also: Oracle Database Net Services Administrator's Guide in the Oracle Database Documentation Library |
-b "base_dn"
|
Specifies the base of the subtree to be written out in LDIF format. This argument is mandatory.
If the base DN is the replication agreement entry, then you can back up part of the naming context based on the LDAP naming context configuration. In this case, the syntax is:
|
-f file_name
|
Specifies the name of the LDIF file to be created. This argument is mandatory. |
-E "character_set"
|
Specifies native character set encoding. |
-t num_threads
|
Specifies the number of threads used to read data from the directory store and write LDIF output to a file. The default is the number of CPUs + 1. |
This example writes all the entries under ou=Europe,o=imc,c=us into the output1.ldi file.
ldifwrite -c nldap -b "ou=Europe, o=imc, c=us" -f output1.ldif
All the arguments are mandatory.
The LDIF file and the intermediate file are always written to the current directory.
The ldifwrite tool includes the operational attributes of each entry in the directory, including createtimestamp, creatorsname, and orclguid.
When prompted for the Oracle Internet Directory password, enter the password of the ODS database user account. The default password is ods.
This example uses the following naming context objects defined in partial replication:
dn: cn=includednamingcontext000001, cn=replication namecontext, orclagreementid=000001, orclreplicaid=node replica identifier, cn=replication configuration
orclincludednamingcontexts: c=us
orclexcludednamingcontexts: ou=Americas, c=us
orclexcludedattributes: userpassword
objectclass: top
objectclass: orclreplnamectxconfig
In this example, all entries under c=us are backed up except ou=Americas,c=us. The userpassword attribute is also excluded. The command is
ldifwrite -c connect_string -b "cn=includednamingcontext000001, \ cn=replication namecontext,orclagreementid=000001, \ orclreplicaid=node replica identifier,cn=replication configuration" \ -f file_name
Starting with 10g Release 2 (10.1.2), a certificate hash value can be used to bind to Oracle Internet Directory. The introduction of this hash value requires that user certificates issued before 10g Release 2 (10.1.2) be updated in the directory. This is a post-upgrade step and it is required only if user certificates are provisioned in the directory. The upgradecert.pl tool is used for this purpose.
To run upgradecert.pl:
Make sure that the Oracle Internet Directory server instance is up and running.
Check that you are running Perl 5.6 or later. Run this command:
perl -version
Make sure that the environment variable PERL5LIB is set to the proper PERL library location.
Check that you can run ldapmodify and ldapsearch from your command prompt.
Determine whether you have enough disk space to run the tool. The amount of disk space required depends upon the number of certificates stored.
Run the tool, using this syntax:
perl $ORACLE_HOME/ldap/bin/upgradecert.pl -h host_name -p port \ -D "cn=orcladmin_dn" -w orcladmin_password -t temp_dir
Table A-21 defines the tool parameters.
Table A-22 Parameters for upgradecert.pl
| Parameter | Description |
|---|---|
-h host_name
|
The host name of the directory that contains the certificates to be upgraded. The value here can be either a computer name or an IP address. The default is localhost.
|
-p port
|
The port number of the directory that contains the certificates to be upgraded. If you omit this parameter, the tool connects to port 389, the default. |
-D orcladmin_dn
|
The DN of the directory super user. This parameter is mandatory. |
-w orcladmin_password
|
The password of the directory super user. This parameter is mandatory. |
-t temp_dir
|
The temporary working directory. This is where the log file is found. The default is $ORACLE_HOME/ldap/log if the ORACLE_HOME environment variable is set. If this variable is not set, the default is the current directory.
|
If the tool runs successfully, the message Done appears. If an error occurs instead, details about it can be found in the log file at $ORACLE_HOME/ldap/log/userCertUpgrade_timestamp.log. Note that this file is in the current directory if ORACLE_HOME is not set. Correct the error and run upgradecert.pl again.
This section contains these topics:
When a replication conflict arises, the Oracle directory replication server places the change in the retry queue and tries to apply it from there for a specified number of times. If it fails after that specified number, then the replication server puts the change in the human intervention queue. From there, the replication server repeats the change application process at less frequent intervals while awaiting your action.
At this point, you need to:
Examine the change in the human intervention queue
Reconcile the conflicting changes
Place the change either back into the retry queue or into the purge queue.
Two tools assist in this process. Use the OID Reconciliation tool to synchronize conflicting changes, and the Human Intervention Queue Manipulation tool to move changes from the human intervention queue to either the retry queue or the purge queue.
The Human Intervention Queue Manipulation Tool enables you to move the changes from the human intervention queue to either the retry queue or the purge queue. Moving the change to the purge queue means that there are no further attempts to re-apply the change log entry. Perform the following general steps to address changes in the human intervention queue:
Shut down the Oracle directory replication server.
Analyze the replication log.
Use the Human Intervention Queue Manipulation Tool to move the changes to either the retry queue or the purge queue as described in the following sections.
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
To place a change back into the retry queue, use this syntax:
hiqretry.sh -connect connect_string [-start change_number] \ [-end change_number] [-equal change_number] -supplier supplier_node
Table A-23 lists and describes the arguments.
Table A-23 Arguments for Moving a Change from the Human Intervention Queue into the Retry Queue
| Argument | Description |
|---|---|
-connect connect_string
|
Connects to the database using the net service name defined in the tnsnames.ora file
|
-start change_number
|
Specifies the start change number for the retry operation. If you skip this option, then the command moves all the changes with change numbers less than or equal to the specified end change number back to the retry queue. |
-end change_number
|
Specifies the end change number for the retry operation. If you skip this option, then the command moves all the changes with change numbers greater than or equal to the specified start change number back to the retry queue. |
-equal change_number
|
Specifies the change number. The command moves the exact change conflict back to the retry queue. This option should not be present when -start or -end is used.
|
-supplier supplier_node
|
Specifies the supplier node where the changes originate |
To place a change into the purge queue, use this syntax:
hiqpurge.sh -connect connect_string [-start change_number] [-end change_number] \ [-equal change_number] -supplier supplier_node
Arguments are:
Table A-24 Arguments for Moving a Change from the Human Intervention Queue into the Purge Queue
| Argument | Description |
|---|---|
-connect connect_string
|
Connects to the database using the net service name defined in the tnsnames.ora file |
-start change_number
|
Specifies the start change number for the purge operation. If you skip this option, then the command moves all the changes with change numbers less or equal to the specified end change number back to the purge queue. |
-end change_number
|
Specifies the end change number for the purge operation. If you skip this option, then the command moves all the changes with change numbers greater or equal to the specified start change number back to the purge queue. |
-equal change_number
|
Specifies the change number of the change. The command moves the exact change conflict back to the purge queue. This option should not be present when -start or -end is used.
|
-supplier supplier_node
|
Specifies the supplier node where the changes originate |
|
Note: When using hiqretry.sh or hiqpurge.sh, if you do not want all changes to be moved, then you must supply either the-equal flag, or a combination of the -start and -end flags.
|
The following examples illustrate how to use the Human Intervention Queue Manipulation Tool.
Example: Retrying and Discarding Changes
Suppose that, after analyzing the replication log, you decide to do the following:
Retry changes coming from the supplier node, ldap_rep1, with change numbers between 10324 to 10579
Discard changes with change numbers between 10581 to 10623.
To do this, you issue these two commands:
hiqretry.sh -connect oiddb1 -start 10324 -end 10579 -supplier ldap_rep1 hiqpurge.sh -connect oiddb1 -start 10581 -end 10623 -supplier ldap_repl
The first command moves changes originating in ldap_rep1 with change numbers from 10324 to 10579 back to the retry queue. The second command deletes changes that originate in the supplier ldap_repl and that have change numbers from 10581 to 10623.
Example: Moving a Single Change from the Human Intervention Queue to the Retry Queue
The following command moves the change with change number equal to 10519 back to the retry queue.
hiqretry.sh -connect oiddb1 -equal 10519 -supplier ldap_repl
Example: Moving a Group of Changes from the Human Intervention Queue to the Retry Queue
The following command moves all the changes with change number greater or equal to 10324 back to the retry queue.
hiqretry.sh -connect oiddb1 -start 10324 -supplier ldap_repl
The following command moves all the changes with change numbers less than or equal to 10579 back to the retry queue.
hiqretry.sh -connect oiddb1 -end 10579 -supplier ldap_repl
Example: Moving All Changes from the Human Intervention Queue to the Retry Queue
The following command includes no options. It moves all changes that originate in the supplier ldap_repl from the human intervention queue to the retry queue.
hiqretry.sh -connect oiddb1 -supplier ldap_repl
When the Oracle directory replication server encounters inconsistent data, you can use the OID Reconciliation Tool to synchronize the entries on the consumer with those on the supplier. When you do this, perform the following general steps:
Set the supplier and the consumer to read-only mode.
Ensure that the supplier and the consumer are in tranquil state. If they are not in a tranquil state, then wait until they have finished updating.
Identify the inconsistent entries or subtree on the consumer.
Use the OID Reconciliation Tool to fix the inconsistent entries or subtree on the consumer.
Set the participating supplier and consumer back to read/write mode.
|
Note: To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:
|
The OID Reconciliation Tool uses this syntax:
oidreconcile -h supplier_host -c consumer_host [-P supplier_port] \ [-p consumer_port] [-s scope] -b "basedn" -W supplier_password \ -w consumer_password [-T thread]
Table A-25 Arguments for Reconciling Inconsistent Data by Using the OID Reconciliation Tool
| Argument | Description |
|---|---|
-h supplier_host
|
Supplier host. This can be a computer name or IP address. |
-c consumer_host
|
Consumer host. This can be a computer name or IP address. |
-P supplier_port
|
Supplier TCP port. If you do not specify this option, then the tool connects to the default port (389). |
-p consumer_port
|
Consumer TCP port. If you do not specify this option, then the tool connects to the default port (389). |
-s scope
|
Reconcile scope: subtree. Note: You cannot specify base or one-level for this argument.
|
-b "basedn"
|
Specifies the distinguished name of the entry on which to perform reconciliation. |
-W supplier_password
|
The password of the replication DN of the supplier node |
-w consumer_password
|
The password of the replication DN of the consumer node |
-T thread
|
Number of worker threads |
When the OID Reconciliation Tool receives the specified DN, it compares the orclGuid of the parent DN on both the supplier and the consumer.
If the global identification (orclGuid) of both parents match, and the option -s subtree is set, then the OID Reconciliation Tool does the following:
Deletes all the entries in the subtree on the consumer node
Replaces them with entries from the supplier node
For example, the following command replaces the whole subtree starting from "ou=hr,o=acme,c=us" on the consumer with the equivalent subtree on the supplier:
oidreconcile -h supplier_host -P 389 -c consumer_host -p 389 \ -b "ou=hr,o=acme,c=us" -s subtree -W supplier_password \ -w consumer_password
If the global identification (orclGuid) of both parents ("o=acme,c=us") match, and -s subtree is not set, then the OID Reconciliation Tool replaces only the entry itself on the consumer node with the specified entry from the supplier node.
For example, the following command, in which the option "-s subtree" is not set, replaces only the specified entry, "ou=hr,o=acme,c=us".
oidreconcile -h supplier -P 389 -c consumer -p 389 -b "ou=hr, o=acme, c=us" \ -W supplier_password -w consumer_password
The next figure helps to explain how this process works.
This figure shows two DITs, one on a supplier node and one on a consumer node. In the DIT on the supplier node, the orclGuid for c=us is 1 (one), the orclGuid for o=acme is 10, and the orclGuid for ou=st is 15. On the consumer node, the orclGuid for o=acme is 5, and the orclGuid for ou=st is 7.
The orclGuids for the parent of o=acme,c=us—namely, c=us—on both the supplier and the consumer match. Therefore, the following command replaces all entries under o=acme,c=us on the consumer with the corresponding ones on supplier:
oidreconcile -h supplier -c consumer -b "o=acme, c=us" -s subtree \
-W supplier_password -w consumer_password
If the orclGuid of both parents does not match, then the OID Reconciliation Tool does not perform the reconciliation. Instead, it tells the user the first ancestor on the consumer in which the orclGuid matches that of the same ancestor on the supplier.
For example, in the previous example, suppose that you were to run the following command:
oidreconcile -h supplier -c consumer -b "ou=st, o=acme, c=us" -s subtree \ -W supplier_password -w consumer_password
This command would result in a message providing the first ancestor of ou=st in which the match of the orclGuid is o=acme,c=us. This message means that you should use o=acme,c=us as the basedn argument for oidreconcile.
The Replication Environment Management Tool is used to manage Oracle Internet Directory replication configuration activities.
More specifically, the replication environment management tool:
Configures Oracle Database Advanced Replication-based multimaster replication
Scans the replication environment and verify the correctness of replication setup of the Advanced Replication-based DRG
Rectifies any problem in the Advanced Replication-based DRG. If the tool cannot rectify a problem, it reports the point or points of failure to you for manual intervention
Reports queue statistics, deferred transactions errors, and administrative request errors of an Advanced Replication-based DRG
Reconfigures the Advanced Replication-based DRG
Configures LDAP-based replication
Reconfigures the LDAP-based DRG
The syntax for the Replication Environment Management Tool is:
remtool [ -asrsetup | -addnode | -delnode |-asrverify |-asrrectify | -chgpwd | -asrcleanup | -suspendasr | -resumeasr | -dispqstat | -dispasrerr | -paddnode | -pdelnode | -pchgpwd | -presetpwd | -pchgwalpwd | -pcleanup ] [ -v ] [ -connect repadmin_name/password@net_service_name | -bind host:port/replication_dn_password ]
remtool -pilotreplica [ begin | end ] -bind host:port/replication_dn_password [ -bkup fname ]
remtool -backupmetadata -replica phost:pport/prdnpwd [ -master mhost:mport/mrdnpwd | -bkup fname ]
Table A-26 Arguments for the Replication Environment Management Tool (remtool)
| Argument | Description |
|---|---|
-connect
|
For Oracle Database Advanced Replication only.
Connect string of the master definition site (MDS) or Remote Master Site (RMS) only. If This argument requires three elements:
|
-bind
|
For LDAP based replication only.
Bind details of the directory server This argument requires three elements
|
-v
|
Verbose mode
Specifying |
Table A-27 Options for Configuring and Managing an Oracle Database Advanced Replication-Based DRG (remtool)
| Argument | Description |
|---|---|
| -asrsetup
|
Create a Directory Replication Group (DRG) by configuring Advanced Replication |
| -addnode
|
Add a new node to an existing DRG. |
| -delnode
|
Reconfigure Advanced Replication to delete a node from an existing DRG |
| -asrverify
|
Verify correctness of Advanced Replication configuration of a DRG. This option reports problems but does not rectify them. |
| -asrrectify
|
Verify correctness of Advanced Replication setup for a DRG and rectify the problems, if any |
| -chgpwd
|
Change replication administrator database account password on all nodes of a DRG |
| -asrcleanup
|
Clean up Advanced Replication setup of a DRG |
| -suspendasr
|
Quiesce / Suspend replication activity of a DRG |
| -resumeasr
|
Resume replication activity of a DRG |
| -dispqstat
|
Display queue statistics of all nodes |
| -dispasrerr
|
Display all deferred transaction errors and administrative request errors of a DRG |
Table A-28 Options for Configuring and Managing an LDAP-Based Replication DRG (remtool)
| Argument | Description |
|---|---|
| -paddnode
|
Add a partial replica to a DRG. |
| -pdelnode
|
Delete a partial replica from a DRG |
| -pchgpwd
|
Change password of replication DN of a replica |
| -presetpwd
|
Reset password of replication DN of a replica |
| -pchgwalpwd
|
Change password of replication DN of a replica only in wallet |
| -pcleanup
|
Cleanup partial replication setup of a DRG |
Table A-29 Options for Supporting Application Server Reassociation (remtool)
| Argument | Description |
|---|---|
| -pilotreplica
|
Begin or end pilot mode in a replica.
This argument requires either the |
| -backupmetadata | To add metadata of a pilot replica to master replica or to back up metadata of a pilot replica in a file. This option must be executed at the pilot replica.
This argument must be followed by the |
Example 1: Verifying Oracle Database Advanced Replication Configuration (Verbose Mode)
In the following example, the Replication Environment Management Tool:
Verifies the correctness of Advanced Replication configuration of a DRG
Reports on the verification as it progresses
Does not rectify the problems
The command is:
remtool -asrverify -v
Example 2: Verifying Oracle Database Advanced Replication Configuration (Non-Verbose Mode)
In the following example, the Replication Environment Management Tool:
Verifies the correctness of Advanced Replication configuration of a DRG
Does not report on the verification as it progresses
Does not rectify the problems
The command is:
remtool -asrverify
Example 3: Verifying Oracle Database Advanced Replication Configuration and Rectifying the Problems
In this example, the Replication Environment Management Tool:
Verifies the correctness of Advanced Replication configuration of a DRG
Reports on the verification as it progresses
Rectifies the problems
The command is:
remtool -asrrectify -v -connect repadmin/repadmin@node_1.my_company.com
The syntax is:
remtool -addnode [-v] [-conn[ect] rep_admin_name/rep_admin_password@connectid_of_mds_or_rms]
Usage Notes for the -ADDNODE Option
The addnode option is used to add a new node to an existing DRG created by the ASRSETUP option.
The node to be added must be empty.
Oracle Internet Directory processes on the master definition site (MDS) and other remote master sites (RMSs) must be down.
After the addnode procedure is complete, Oracle Internet Directory processes can be started.
The SYSTEM user password of the new node is required for this option.
Example: -ADDNODE Option
In this example, MY_HOST3.MY_COMPANY.COM is added to a DRG consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM for which the following command is issued:
remtool -addnode -v -conn repadmin/repadmin@MY_HOST1.MY_COMPANY.COM
The results are:
MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS. MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS. Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid2 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS -------- ------------- ----------------------- ------------- ------------- ---- Do you want to continue? [y/n] : y ------------------------------------------------------------------------------ WARNING: Make sure that the replication administrator database account does not exist already in the new node to be added to the DRG. If the account exists, that account will be dropped and will be created newly. ------------------------------------------------------------------------------ Enter global name of new node to be added : MY_HOST3.MY_COMPANY.COM Enter SYSTEM user password of new node to be added : ------------------------------------------------------------------------------ Adding a new node... MY_HOST3.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST3.MY_COMPANY.COM : Dropping replication administrator repadmin... MY_HOST3.MY_COMPANY.COM : Creating replication administrator repadmin... MY_HOST3.MY_COMPANY.COM : Granting privileges or roles required for replication administrator to repadmin... MY_HOST3.MY_COMPANY.COM : Granting privileges or roles required for replication administrator to repadmin... MY_HOST3.MY_COMPANY.COM : Granting privileges or roles required for replication administrator to repadmin... MY_HOST3.MY_COMPANY.COM : Dropping replication group LDAP_REP... MY_HOST3.MY_COMPANY.COM : Creating purge job... MY_HOST3.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Creating database link to MY_HOST1.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Scheduling push job to MY_HOST1.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Creating database link to MY_HOST2.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Scheduling push job to MY_HOST2.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST3.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST3.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Creating database link to MY_HOST3.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Scheduling push job to MY_HOST3.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST3.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST3.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Creating database link to MY_HOST3.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Scheduling push job to MY_HOST3.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Quiescing replication activity... MY_HOST1.MY_COMPANY.COM : Adding replication site MY_HOST3.MY_COMPANY.COM to replication group LDAP_REP... MY_HOST1.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST3.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST1.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST1.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST3.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST1.MY_COMPANY.COM : Resuming replication activity... MY_HOST1.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST2.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST3.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST1.MY_COMPANY.COM : Verifying replication agreement entry... MY_HOST1.MY_COMPANY.COM : Inserting replication agreement entry my_host_rid3... CORRECTED: MY_HOST1.MY_COMPANY.COM : "my_host_rid3" hostname has been added to replication agreement entry. MY_HOST2.MY_COMPANY.COM : Verifying replication agreement entry... MY_HOST2.MY_COMPANY.COM : Inserting replication agreement entry my_host_rid3... CORRECTED: MY_HOST2.MY_COMPANY.COM : "my_host_rid3" hostname has been added to replication agreement entry. MY_HOST3.MY_COMPANY.COM : Verifying replication agreement entry... MY_HOST3.MY_COMPANY.COM : Inserting replication agreement entry my_host_rid... CORRECTED: MY_HOST3.MY_COMPANY.COM : "my_host_rid" hostname has been added to replication agreement entry. MY_HOST3.MY_COMPANY.COM : Inserting replication agreement entry my_host_rid2... CORRECTED: MY_HOST3.MY_COMPANY.COM : "my_host_rid2" hostname has been added to replication agreement entry. MY_HOST3.MY_COMPANY.COM : Inserting replication agreement entry my_host_rid3... CORRECTED: MY_HOST3.MY_COMPANY.COM : "my_host_rid3" hostname has been added to replication agreement entry. MY_HOST1.MY_COMPANY.COM : Verifying initialization parameter... MY_HOST2.MY_COMPANY.COM : Verifying initialization parameter... MY_HOST3.MY_COMPANY.COM : Verifying initialization parameter... ------------------------------------------------------------------------------ Node MY_HOST3.MY_COMPANY.COM has been added to this DRG. ------------------------------------------------------------------------------ Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS rid3 my_host MY_HOST3.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid3 RMS -------- ------------- ----------------------- ------------- ------------- ----
The syntax is:
remtool -asrsetup [-v]
Usage Notes for the -ASRSETUP Option
For the -asrsetup option, the -conn[ect] option is ignored.
The user is prompted for following details:
MDS Globalname
MDS Password
globalname of all RMSs
password of all RMSs
where Globalname is the database global name. This same name must be the same as the alias defined in the tnsnames.ora file.
All Oracle Internet Directory processes must be down in MDS and all RMSs. After the ASRSETUP option is completed, the user can bring up all Oracle Internet Directory processes and replication server processes.
Example: -ASRSETUP Option
In this example, a DRG is created consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM for which the following command is issued:
remtool -asrsetup -v
The results are as follows:
------------------------------------------------------------------------------ ASR Setup for OID Replication WARNING: Make sure that the replication administrator that you enter below does not exist already in any of the nodes that will be part of the DRG to be created now. If the user exists, that user will be dropped and will be created newly. ------------------------------------------------------------------------------ Enter replication administrator's name : repadmin Enter replication administrator's password : Reenter replication administrator's password : Enter Master Definition Site (MDS) details : Enter global name of MDS : MY_HOST1.MY_COMPANY.COM Enter SYSTEM user password of MDS : Enter Remote Master Site (RMS) details : Enter global name of RMS # 1 : MY_HOST2.MY_COMPANY.COM Enter SYSTEM user password of MDS : Are there more Remote Master Sites in the group? [y/n/q] : n Verify the details you had entered. ------------------------------------------------------------------------------ Replication administrator's name : repadmin Master Definition Site : MY_HOST1.MY_COMPANY.COM Remote Master Site # 1 : MY_HOST2.MY_COMPANY.COM Are these details correct? [y/n/q] : y ------------------------------------------------------------------------------ ASR setup in progress... MY_HOST1.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST1.MY_COMPANY.COM : Dropping replication administrator repadmin... MY_HOST1.MY_COMPANY.COM : Creating replication administrator repadmin... MY_HOST1.MY_COMPANY.COM : Granting privileges or roles required for replication administrator to repadmin... MY_HOST1.MY_COMPANY.COM : Granting privileges or roles required for replication administrator to repadmin... MY_HOST1.MY_COMPANY.COM : Granting privileges or roles required for replication administrator to repadmin... MY_HOST1.MY_COMPANY.COM : Creating purge job... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Creating database link to MY_HOST2.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Scheduling push job to MY_HOST2.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST2.MY_COMPANY.COM : Dropping replication administrator repadmin... MY_HOST2.MY_COMPANY.COM : Creating replication administrator repadmin... MY_HOST2.MY_COMPANY.COM : Granting privileges or roles required for replication administrator to repadmin... MY_HOST2.MY_COMPANY.COM : Granting privileges or roles required for replication administrator to repadmin... MY_HOST2.MY_COMPANY.COM : Granting privileges or roles required for replication administrator to repadmin... MY_HOST2.MY_COMPANY.COM : Creating purge job... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Creating database link to MY_HOST1.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Scheduling push job to MY_HOST1.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping replication group LDAP_REP... MY_HOST1.MY_COMPANY.COM : Creating replication group LDAP_REP... MY_HOST1.MY_COMPANY.COM : Adding object TABLE ODS.ASR_CHG_LOG to replication group LDAP_REP... MY_HOST1.MY_COMPANY.COM : Generating replication support for TABLE ODS.ASR_CHG_LOG... MY_HOST1.MY_COMPANY.COM : Adding object TABLE ODS.ODS_CHG_STAT to replication group LDAP_REP... MY_HOST1.MY_COMPANY.COM : Generating replication support for TABLE ODS.ODS_CHG_STAT... MY_HOST2.MY_COMPANY.COM : Dropping replication group LDAP_REP... MY_HOST1.MY_COMPANY.COM : Adding replication site MY_HOST2.MY_COMPANY.COM to replication group LDAP_REP... MY_HOST1.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST2.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST1.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST1.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST2.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST1.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST2.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST1.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST2.MY_COMPANY.COM : Executing deferred administrative requests... MY_HOST1.MY_COMPANY.COM : Verifying initialization parameter... MY_HOST2.MY_COMPANY.COM : Verifying initialization parameter... MY_HOST1.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST2.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST1.MY_COMPANY.COM : Verifying replication agreement entry... MY_HOST1.MY_COMPANY.COM : Inserting replication agreement entry my_host_... CORRECTED: MY_HOST1.MY_COMPANY.COM : "my_host_rid" hostname has been added to replication agreement entry. MY_HOST1.MY_COMPANY.COM : Inserting replication agreement entry my_host_rid2... CORRECTED: MY_HOST1.MY_COMPANY.COM : "my_host_rid2" hostname has been added to replication agreement entry. MY_HOST2.MY_COMPANY.COM : Verifying replication agreement entry... MY_HOST2.MY_COMPANY.COM : Inserting replication agreement entry my_host_rid... CORRECTED: MY_HOST2.MY_COMPANY.COM : "my_host_rid1" hostname has been added to replication agreement entry. MY_HOST2.MY_COMPANY.COM : Inserting replication agreement entry my_host_rid2... CORRECTED: MY_HOST2.MY_COMPANY.COM : "my_host_rid2" hostname has been added to replication agreement entry. MY_HOST1.MY_COMPANY.COM : Resuming replication activity... ------------------------------------------------------------------------------ ASR setup has been configured successfully. ------------------------------------------------------------------------------ Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS -------- ------------- ----------------------- ------------- ------------- ----
The syntax is:
remtool -chgpwd [-v] [-conn[ect] rep_admin_name/rep_admin_password@connectid_of_mds_or_rms]
Used for changing password of replication administrator of DRG created by ASRSETUP procedure.
created by ASRSETUP procedure.
In ASR based replication repadmin password is same in all nodes. This option will change the password of replication administrator database account at all nodes.
Example: -CHGPWD Option
In this example, the password of the replication administrator of a DRG consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM is changed for which, the following command is issued:
remtool -chgpwd -v -conn repadmin/repadmin@MY_HOST1.MY_COMPANY.COM
The results are:
MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS. MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS. Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS -------- ------------- ----------------------- ------------- ------------- ---- Enter new password of the replication administrator : Reenter new password of the replication administrator : ------------------------------------------------------------------------------ Changing the password of all nodes... MY_HOST1.MY_COMPANY.COM : Changing password of replication administrator repadmin... MY_HOST2.MY_COMPANY.COM : Changing password of replication administrator repadmin... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Creating database link to MY_HOST2.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Creating database link to MY_HOST1.MY_COMPANY.COM... ------------------------------------------------------------------------------ Password has been changed. ------------------------------------------------------------------------------
The syntax is:
remtool -delnode [-v] [-conn[ect] rep_admin_name/rep_admin_password@connectid_ of_mds_or_rms]
Usage Notes for the -DELNODE Option
The -DELNODE option is used for deleting a node from a DRG that is created by ASRSETUP option.
The global name of the node to be deleted must be specified.
Oracle Internet Directory processes must be down in all nodes of the DRG.
The -DELNODE option can be used to remove only RMS from a DRG.
The -DELNODE option cannot be used to remove MDS from a DRG.
The -DELNODE option can be also used to remove a RMS from a DRG that has only two nodes: one MDS and one RMS. This leaves the DRG with only an MDS. The user can add multimaster nodes later on to this DRG.
If remtool detects that one of the nodes in a DRG is not up and running when invoked with the -DELNODE option, remtool selects that node for deletion.
Example 1: -DELNODE Option
In this example, MY_HOST3.MY_COMPANY.COM is removed from a DRG consisting of MY_HOST1.MY_COMPANY.COM, MY_HOST2.MY_COMPANY.COM and MY_HOST3.MY_COMPANY.COM for which the following command is issued:
remtool -delnode -v -conn repadmin/repadmin@MY_HOST1.MY_COMPANY.COM
The results are:
MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS. MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS. MY_HOST3.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS. Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS rid3 my_host MY_HOST3.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid3 RMS -------- ------------- ----------------------- ------------- ------------- ---- Do you want to continue? [y/n] : y Enter globalname of node to be deleted : MY_HOST3.MY_COMPANY.COM ------------------------------------------------------------------------------ Deleting an existing node... MY_HOST1.MY_COMPANY.COM : Dropping replication site MY_HOST3.MY_COMPANY.COM from replication group LDAP_REP... MY_HOST3.MY_COMPANY.COM : Dropping replication group LDAP_REP... MY_HOST3.MY_COMPANY.COM : Unscheduling push job to MY_HOST1.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Unscheduling push job to MY_HOST2.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... MY_HOST3.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... Enter "SYSTEM" user password for "MY_HOST3.MY_COMPANY.COM" database at "my_host" host : MY_HOST3.MY_COMPANY.COM : Dropping replication administrator repadmin... MY_HOST1.MY_COMPANY.COM : Unscheduling push job to MY_HOST3.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST3.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST3.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Unscheduling push job to MY_HOST3.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST3.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST3.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST2.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST1.MY_COMPANY.COM : Verifying replication agreement entry... MY_HOST1.MY_COMPANY.COM : Deleting replication agreement entry my_host_rid3... CORRECTED: MY_HOST1.MY_COMPANY.COM : "my_host_rid3" hostname has been removed from replication agreement entry as it is not part of DRG or was repeated. MY_HOST2.MY_COMPANY.COM : Verifying replication agreement entry... MY_HOST2.MY_COMPANY.COM : Deleting replication agreement entry my_host_rid3... CORRECTED: MY_HOST2.MY_COMPANY.COM : "my_host_rid3" hostname has been removed from replication agreement entry as it is not part of DRG or was repeated. ------------------------------------------------------------------------------ Node MY_HOST3.MY_COMPANY.COM has been deleted from this DRG. ------------------------------------------------------------------------------ Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS -------- ------------- ----------------------- ------------- ------------- ---- ================================================================================
Example 2: -delnode
In this example, MY_HOST2.MY_COMPANY.COM is removed from a DRG consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM for which the following command is issued:
remtool -delnode -v -conn repadmin/repadmin@MY_HOST1.MY_COMPANY.COM
The results are:
MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS. MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS. Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS -------- ------------- ----------------------- ------------- ----------------- Do you want to continue? [y/n] : y Enter globalname of node to be deleted : MY_HOST2.MY_COMPANY.COM ------------------------------------------------------------------------------ Deleting an existing node... MY_HOST1.MY_COMPANY.COM : Dropping replication site MY_HOST2.MY_COMPANY.COM from replication group LDAP_REP... MY_HOST2.MY_COMPANY.COM : Dropping replication group LDAP_REP... MY_HOST2.MY_COMPANY.COM : Unscheduling push job to MY_HOST1.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... Enter "SYSTEM" user password for "MY_HOST2.MY_COMPANY.COM" database at "my_host" host : MY_HOST2.MY_COMPANY.COM : Dropping replication administrator repadmin... MY_HOST1.MY_COMPANY.COM : Unscheduling push job to MY_HOST2.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry... MY_HOST1.MY_COMPANY.COM : Verifying replication agreement entry... MY_HOST1.MY_COMPANY.COM : Deleting replication agreement entry my_host_rid2... CORRECTED: MY_HOST1.MY_COMPANY.COM : "my_host_rid2" hostname has been removed from replication agreement entry as it is not part of DRG or was repeated. ------------------------------------------------------------------------------ Node MY_HOST2.MY_COMPANY.COM has been deleted from this DRG. ------------------------------------------------------------------------------ Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS -------- ------------- ----------------------- ------------- ------------- ---- Warning : This replication group has only one node.
The syntax is:
remtool -asrcleanup [-v] [-conn[ect] rep_admin_name/rep_admin_password@connectid_of_mds_or_rms]
Usage Notes for the -ASRCLEANUP Option
The -ASRCLEANUP option is used to clean up an existing ASR setup.
The -ASRCLEANUP option can be used to clean up flawed ASR setup as well.
The -ASRCLEANUP option prompts the user for SYSTEM password of all sites taking part in replication.
Example 1: -ASRCLEANUP Option
In this example, ASR setup is cleaned up from a DRG consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM for which the following command is issued:
remtool -asrcleanup -v
The results are:
Enter replication administrator's name : repadmin Enter replication administrator's password : Enter global name of MDS : my_host1.my_company.com MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS. MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS. Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS -------- ------------- ----------------------- ------------- ------------- ---- Do you want to continue? [y/n] : y ------------------------------------------------------------------------------ Cleaning up... MY_HOST1.MY_COMPANY.COM : Dropping replication site MY_HOST2.MY_COMPANY.COM from replication group LDAP_REP... MY_HOST2.MY_COMPANY.COM : Dropping replication group LDAP_REP... MY_HOST2.MY_COMPANY.COM : Unscheduling push job to MY_HOST1.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... MY_HOST2.MY_COMPANY.COM : Dropping database link made to MY_HOST1.MY_COMPANY.COM... Enter "SYSTEM" user password for "MY_HOST2.MY_COMPANY.COM" database at "my_host" host : MY_HOST2.MY_COMPANY.COM : Dropping replication administrator repadmin... MY_HOST1.MY_COMPANY.COM : Dropping replication group LDAP_REP... MY_HOST1.MY_COMPANY.COM : Unscheduling push job to MY_HOST2.MY_COMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MYCOMPANY.COM... MY_HOST1.MY_COMPANY.COM : Dropping database link made to MY_HOST2.MY_COMPANY.COM... Enter "SYSTEM" user password for "MY_HOST1.MY_COMPANY.COM" database at "my_host" host : MY_HOST1.MY_COMPANY.COM : Dropping replication administrator repadmin... ------------------------------------------------------------------------------ ASR setup has been cleaned up. ------------------------------------------------------------------------------
The syntax is:
remtool -asrrectify [-v] [-conn[ect] rep_admin_name/rep_admin_password@connectid_of_mds_or_rms]
Usage Notes for the -ASRRECTIFY Option
The -ASRRECTIFY option is used for detecting and rectifying problems in Advanced Replication setup.
The -ASRRECTIFY option reports errors and rectifies them.
Oracle Corporation recommends that, before executing this option, you stop Oracle Internet Directory servers.
To use the -ASRRECTIFY option, all the nodes must be up and running. The -ASRRECTIFY option fails, if any of the nodes are not running.
If necessary, the -ASRRECTIFY option prompts for the SYSTEM user password.
Example 1: -ASRRECTIFY Option
In this example, ASR setup errors are deducted and rectified in a DRG consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM for which the following command is issued:
remtool -asrrectify -v -conn repadmin/repadmin@my_host1.my_company.com
MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS.
MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS.
Directory Replication Group (DRG) details :
-------- ------------- ----------------------- ------------- ------------- ----
Instance Host Name Global Name Version Replicaid Site
Name Type
-------- ------------- ----------------------- ------------- ------------- ----
rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS
rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS
-------- ------------- ----------------------- ------------- ------------- ----
Do you want to continue? [y/n] : y
------------------------------------------------------------------------------
Rectifying ASR setup...
MY_HOST1.MY_COMPANY.COM : Verifying initialization parameter...
MY_HOST2.MY_COMPANY.COM : Verifying initialization parameter...
MY_HOST1.MY_COMPANY.COM : Verifying replication administrator roles...
MY_HOST2.MY_COMPANY.COM : Verifying replication administrator roles...
MY_HOST1.MY_COMPANY.COM : Verifying database links...
MY_HOST2.MY_COMPANY.COM : Verifying database links...
MY_HOST1.MY_COMPANY.COM : Verifying purge job...
MY_HOST2.MY_COMPANY.COM : Verifying purge job...
MY_HOST1.MY_COMPANY.COM : Verifying scheduled links...
MY_HOST2.MY_COMPANY.COM : Verifying scheduled links...
MY_HOST1.MY_COMPANY.COM : Verifying availability of replication objects...
MY_HOST2.MY_COMPANY.COM : Verifying availability of replication objects...
MY_HOST1.MY_COMPANY.COM : Verifying replication group...
MY_HOST1.MY_COMPANY.COM : Quiescing replication activity...
MY_HOST1.MY_COMPANY.COM : Adding object TABLE ODS.ASR_CHG_LOG to replication group LDAP_REP...
MY_HOST1.MY_COMPANY.COM : Generating replication support for TABLE ODS.ASR_CHG_LOG...
CORRECTED:
MY_HOST1.MY_COMPANY.COM : Replication support has been generated for TABLE ODS.ASR_CHG_LOG.
MY_HOST1.MY_COMPANY.COM : Quiescing replication activity...
MY_HOST1.MY_COMPANY.COM : Adding object TABLE ODS.ODS_CHG_STAT to replication group LDAP_REP...
MY_HOST1.MY_COMPANY.COM : Generating replication support for TABLE ODS.ODS_CHG_STAT...
CORRECTED:
MY_HOST1.MY_COMPANY.COM : Replication support has been generated for TABLE ODS.ODS_CHG_STAT.
MY_HOST1.MY_COMPANY.COM : Resuming replication activity...
MY_HOST2.MY_COMPANY.COM : Verifying replication group...
MY_HOST1.MY_COMPANY.COM : Resuming replication activity...
MY_HOST1.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry...
MY_HOST2.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry...
MY_HOST1.MY_COMPANY.COM : Verifying replication agreement entry...
MY_HOST2.MY_COMPANY.COM : Verifying replication agreement entry...
-------------------- ----- ----- ----- ----- ----- ----- -----
DB Name Init Repl DB Purge Sch. Repl Repl
Param Admin Links Job Links Group Agrmt
Role Entry
-------------------- ----- ----- ----- ----- ----- ----- -----
MY_HOST1.MY_COMPANY. Chkd Chkd Chkd Chkd Chkd Crtd Chkd
MY_HOST2.MY_COMPANY. Chkd Chkd Chkd Chkd Chkd Chkd Chkd
-------------------- ----- ----- ----- ----- ----- ----- -----
Legends :
Chkd - Checked. No errors.
Crtd - ASR setup errors were found and corrected.
Err - Error occurred while doing ASR setup verification.
NCrtd - ASR setup has errors, but not corrected.
------------------------------------------------------------------------------
Summary of findings:
CORRECTED:
MY_HOST1.MY_COMPANY.COM : Replication support has been generated for TABLE ODS.ASR_CHG_LOG.
CORRECTED:
MY_HOST1.MY_COMPANY.COM : Replication support has been generated for TABLE ODS.ODS_CHG_STAT.
------------------------------------------------------------------------------
Example 2: -ASRRECTIFY Option
In this example, ASR setup errors are deducted and rectified in a DRG consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM. Here remtool detects that user has changed global name of MY_HOST2.MY_COMPANY.COM to NEWNAME.MY_COMPANY.COM after setting up ASR. Remtool rectifies this error first before continuing with other checks. The following command is issued:
remtool -asrrectify -v -conn repadmin/repadmin@my_host1.my_company.com
The results are:
MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS.
Enter "SYSTEM" user password for "MY_HOST2.MY_COMPANY.COM" database at "my_host" host :
NEWNAME.MY_COMPANY.COM : Renaming global name to MY_HOST2.MY_COMPANY.COM (instance name : rid2, hostname : my_host)
CORRECTED:
MY_HOST2.MY_COMPANY.COM : Global name of database "rid2" at host "my_host" has been changed to MY_HOST2.MY_COMPANY.COM.
MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS.
CORRECTED:
MY_HOST2.MY_COMPANY.COM : Global name of database "rid2" at host "my_host" has been changed to MY_HOST2.MY_COMPANY.COM.
Directory Replication Group (DRG) details :
-------- ------------- ----------------------- ------------- ------------- ----
Instance Host Name Global Name Version Replicaid Site
Name Type
-------- ------------- ----------------------- ------------- ------------- ----
rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS
rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS
-------- ------------- ----------------------- ------------- ------------- ----
Do you want to continue? [y/n] : y
------------------------------------------------------------------------------
Rectifying ASR setup...
MY_HOST1.MY_COMPANY.COM : Verifying initialization parameter...
MY_HOST2.MY_COMPANY.COM : Verifying initialization parameter...
MY_HOST1.MY_COMPANY.COM : Verifying replication administrator roles...
MY_HOST2.MY_COMPANY.COM : Verifying replication administrator roles...
MY_HOST1.MY_COMPANY.COM : Verifying database links...
MY_HOST2.MY_COMPANY.COM : Verifying database links...
MY_HOST1.MY_COMPANY.COM : Verifying purge job...
MY_HOST2.MY_COMPANY.COM : Verifying purge job...
MY_HOST1.MY_COMPANY.COM : Verifying scheduled links...
MY_HOST2.MY_COMPANY.COM : Verifying scheduled links...
MY_HOST1.MY_COMPANY.COM : Verifying availability of replication objects...
MY_HOST2.MY_COMPANY.COM : Verifying availability of replication objects...
MY_HOST1.MY_COMPANY.COM : Verifying replication group...
MY_HOST1.MY_COMPANY.COM : Resuming replication activity...
MY_HOST2.MY_COMPANY.COM : Verifying replication group...
MY_HOST1.MY_COMPANY.COM : Resuming replication activity...
MY_HOST1.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry...
MY_HOST2.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry...
MY_HOST1.MY_COMPANY.COM : Verifying replication agreement entry...
MY_HOST2.MY_COMPANY.COM : Verifying replication agreement entry...
-------------------- ----- ----- ----- ----- ----- ----- -----
DB Name Init Repl DB Purge Sch. Repl Repl
Param Admin Links Job Links Group Agrmt
Role Entry
-------------------- ----- ----- ----- ----- ----- ----- -----
MY_HOST1.MY_COMPANY. Chkd Chkd Chkd Chkd Chkd Chkd Chkd
MY_HOST2.MY_COMPANY. Chkd Chkd Chkd Chkd Chkd Chkd Chkd
-------------------- ----- ----- ----- ----- ----- ----- -----
Legends :
Chkd - Checked. No errors.
Crtd - ASR setup errors were found and corrected.
Err - Error occurred while doing ASR setup verification.
NCrtd - ASR setup has errors, but not corrected.
------------------------------------------------------------------------------
The syntax is:
remtool -asrverify [-v] [-conn[ect] rep_admin_name/rep_admin_password@connectid_of_mds_or_rms]
Usage Notes for the -ASRVERIFY Option
This option is used for just detecting problems in ASR setup. It will just report errors and won't rectify them.
While executing this option, Oracle Internet Directory servers can be up.
If, by mistake, the replication administrator account is dropped in any of the nodes, then the -asrverify" option fails. In this case, the -asrrectify option can be used to re-create the replication administrator account and add it back to the DRG.
If, by mistake, the password of replication administrator account of one node of the DRG to be checked is changed, then the -asrverify option fails. In this case, the -asrrectify option can be used to change the replication administrator account and add it back to the DRG.
If the global name of any node is changed after Advanced Replication setup, then the -asrverify reports an error and does not proceed further. The -asrrectify option can be used to revert back to the previous global name and rectify other issues.
To exercise this option, all the nodes must be up and running.
Example 1: -ASRVERIFY Option
In this example, errors in ASR setup are found in a DRG consisting of two nodes for which the following command is issued:
remtool -asrverify -v -conn repadmin/repadmin@my_host1.my_company.com
The results are:
MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS.
MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS.
Directory Replication Group (DRG) details :
--------------------- ----------------------- ------------- ------------- ----
Instance Host Name Global Name Version Replicaid Site
Name Type
--------------------- ----------------------- ------------- ------------- ----
rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS
rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS
-------------------------------------------- ------------- -----------------
----------------------------------------------------------------------------
Verifying ASR setup...
MY_HOST1.MY_COMPANY.COM : Verifying initialization parameter...
MY_HOST2.MY_COMPANY.COM : Verifying initialization parameter...
MY_HOST1.MY_COMPANY.COM : Verifying replication administrator roles...
MY_HOST2.MY_COMPANY.COM : Verifying replication administrator roles...
MY_HOST1.MY_COMPANY.COM : Verifying database links...
MY_HOST2.MY_COMPANY.COM : Verifying database links...
MY_HOST1.MY_COMPANY.COM : Verifying purge job...
MY_HOST2.MY_COMPANY.COM : Verifying purge job...
MY_HOST1.MY_COMPANY.COM : Verifying scheduled links...
MY_HOST2.MY_COMPANY.COM : Verifying scheduled links...
MY_HOST1.MY_COMPANY.COM : Verifying availability of replication objects...
MY_HOST2.MY_COMPANY.COM : Verifying availability of replication objects...
MY_HOST1.MY_COMPANY.COM : Verifying replication group...
ASR SETUP ERROR/WARNING:
MY_HOST1.MY_COMPANY.COM : Replication support is not available for TABLE ODS.ASR_CHG_LOG.
ASR SETUP ERROR/WARNING:
MY_HOST1.MY_COMPANY.COM : Replication support is not available for TABLE ODS.ODS_CHG_STAT.
MY_HOST2.MY_COMPANY.COM : Verifying replication group...
ASR SETUP ERROR/WARNING:
MY_HOST2.MY_COMPANY.COM : Replication support is not available for TABLE ODS.ASR_CHG_LOG.
ASR SETUP ERROR/WARNING:
MY_HOST2.MY_COMPANY.COM : Replication support is not available for TABLE ODS.ODS_CHG_STAT.
MY_HOST1.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry...
MY_HOST2.MY_COMPANY.COM : Verifying uniqueness of replication agreement entry...
MY_HOST1.MY_COMPANY.COM : Verifying replication agreement entry...
MY_HOST2.MY_COMPANY.COM : Verifying replication agreement entry...
-------------------- ----- ----- ----- ----- ----- ----- -----
DB Name Init Repl DB Purge Sch. Repl Repl
Param Admin Links Job Links Group Agrmt
Role Entry
-------------------- ----- ----- ----- ----- ----- ----- -----
MY_HOST1.MY_COMPANY. Chkd Chkd Chkd Chkd Chkd NCrtd Chkd
MY_HOST2.MY_COMPANY. Chkd Chkd Chkd Chkd Chkd NCrtd Chkd
-------------------- ----- ----- ----- ----- ----- ----- -----
Legends :
Chkd - Checked. No errors.
Crtd - ASR setup errors were found and corrected.
Err - Error occurred while doing ASR setup verification.
NCrtd - ASR setup has errors, but not corrected.
------------------------------------------------------------------------------
Summary of findings:
ASR SETUP ERROR/WARNING:
MY_HOST1.MY_COMPANY.COM : Replication support is not available for TABLE ODS.ASR_CHG_LOG.
ASR SETUP ERROR/WARNING:
MY_HOST1.MY_COMPANY.COM : Replication support is not available for TABLE ODS.ODS_CHG_STAT.
ASR SETUP ERROR/WARNING:
MY_HOST2.MY_COMPANY.COM : Replication support is not available for TABLE ODS.ASR_CHG_LOG.
ASR SETUP ERROR/WARNING:
MY_HOST2.MY_COMPANY.COM : Replication support is not available for TABLE ODS.ODS_CHG_STAT.
------------------------------------------------------------------------------
The syntax is:
remtool -dispasrerr [-v] [-conn[ect] rep_admin_name/rep_admin_password@connectid_of_mds_or_rms]
Usage Notes for the -DISPASRERR Option
This option is used for displaying ASR errors in a DRG.
It displays both ASR administrative request errors and deferred transaction errors.
Example: -DISPASRERR Option
In this example, ASR errors of DRG consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM are reported for which the following command is issued:
remtool -dispasrerr -v -conn repadmin/repadmin@my_host1.my_company.com MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS. MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS. Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS -------- ------------- ----------------------- ------------- ------------- ---- ------------------------------------------------------------------------------ Following administrative request errors were found at MY_HOST1.MY_COMPANY.COM -------------------- -------------------- ------------------------------- Admin request Request raised at Error raised by -------------------- -------------------- ------------------------------- REPADMIN MY_HOST1.MY_COMPANY. ORA-23309: object ODS.ASR_CHG_L REPADMIN MY_HOST1.MY_COMPANY. ORA-23309: object ODS.ODS_CHG_S REPADMIN MY_HOST1.MY_COMPANY. ORA-23416: table "ODS"."ODS_CHG REPADMIN MY_HOST1.MY_COMPANY. ORA-23308: object ODS.ODS_CHG_S REPADMIN MY_HOST1.MY_COMPANY. ORA-23416: table "ODS"."ASR_CHG REPADMIN MY_HOST1.MY_COMPANY. ORA-23308: object ODS.ASR_CHG_L -------------------- -------------------- ------------------------------- ------------------------------------------------------------------------------ Following deferred transaction errors were found at MY_HOST1.MY_COMPANY.COM --------------- --------------- --------------- ---------------------------- Deferred Deferred Trans Destination Error Transaction ID Origin DB --------------- --------------- --------------- ---------------------------- 1.2.3733 MY_HOST1.MY_COM MY_HOST1.MY_COM ORA-01403: no data found --------------- --------------- --------------- ---------------------------- No deferred transaction errors were found at MY_HOST2.MY_COMPANY.COM ------------------------------------------------------------------------------ ------------------------------------------------------------------------------
The syntax is:
remtool -dispqstat [-v] [-conn[ect] rep_admin_name/rep_admin_password@connectid_of_mds_or_rms]
This option is used for displaying queue statistics of DRG that uses ASR based replication. This option cannot be used for the DRG that uses LDAP based replication.
For DRG that uses ASR and LDAP based replication, this option displays queue statistics for nodes that uses ASR based replication only.
Example: -DISPQSTAT Option
In this example, queue statistics of DRG consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM are reported for which the following command is issued:
remtool -dispqstat -v -conn repadmin/repadmin@my_host1.my_company.com
The results are:
MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS.
MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS.
Directory Replication Group (DRG) details :
-------- ------------- ----------------------- ------------- ------------- ----
Instance Host Name Global Name Version Replicaid Site
Name Type
-------- ------------- ----------------------- ------------- ------------- ----
rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS
rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS
-------- ------------- ----------------------- ------------- ------------- ----
Queue Statistics :
-------------- -------------- --------- --------- --------- --------- ---------
Supplier Consumer New Retry Purge HIQ Change #
-------------- -------------- --------- --------- --------- --------- ---------
MY_HOST1.MY CO MY_HOST1.MY CO 3 9 10 6 2003
MY_HOST1.MY CO MY HOST2.MY CO 2 7 8 5 2001
MY_HOST2.MY CO MY_HOST1.MY CO 2 8 5 8 2002
MY_HOST2.MY CO MY_HOST2.MY CO 2 10 7 8 2000
-------------- -------------- --------- --------- --------- --------- ---------
Legends
New: No. of new change logs
Retry: No. of change logs in retry queue
Purge: No. of change logs in purge queue
HIQ: No. of change logs in Human Intervention Queue (HIQ)
Change # : Last applied change log no.
The syntax is:
remtool -suspendasr [-v] [-conn[ect] rep_admin_name/rep_admin_password@connectid_of_mds_or_rms]
Usage Notes for the -SUSPENDASR Option
This option is used to suspend Advanced Replication activity of a DRG that uses it for replication.
While Advanced Replication activity is suspended, replication cannot take place.
Example: -SUSPENDASR Option
In this example, replication activity of DRG consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM is suspended for which the following command is issued:
remtool -suspendasr -v -conn repadmin/repadmin@my_host1.my_company.com
The results are:
MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS. MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS. Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS -------- ------------- ----------------------- ------------- ------------- ---- ------------------------------------------------------------------------------ Altering replication status... MY_HOST1.MY_COMPANY.COM : Quiescing replication activity... ------------------------------------------------------------------------------ Replication status has been altered successfully. ------------------------------------------------------------------------------
The syntax is:
remtool -resumeasr [-v] [-conn[ect] rep_admin_name/rep_admin_password@connectid_of_mds_or_rms]
Usage Notes for the -RESUMEASR Option
This option is used to resume ASR activity of a DRG that uses ASR for replication.
Example: -RESUMEASR Option
In this example, replication activity of DRG consisting of MY_HOST1.MY_COMPANY.COM and MY_HOST2.MY_COMPANY.COM is resumed for which the following command is issued:
remtool -resumeasr -v -conn repadmin/repadmin@MY_HOST1.MY_COMPANY.COM
The results are:
MY_HOST1.MY_COMPANY.COM is Master Definition Site (MDS). Connected to MDS. MY_HOST2.MY_COMPANY.COM is Remote Master Site (RMS). Connected to RMS. Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- rid1 my_host MY_HOST1.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid1 MDS rid2 my_host MY_HOST2.MY_COMPANY.COM OID 9.0.4.0.0 my_host_rid2 RMS -------- ------------- ----------------------- ------------- ------------- ---- ------------------------------------------------------------------------------ Altering replication status... MY_HOST1.MY_COMPANY.COM : Resuming replication activity... ------------------------------------------------------------------------------ Replication status has been altered successfully. ------------------------------------------------------------------------------
The syntax is:
remtool -paddnode [-v] [-bind hostname:port/replication_dn_password]
Usage Notes for the -PADDNODE Option
Using this option a read-only replica or a read-only partial replica can be added to a node, known as supplier node.
Supplier node can be part of a DRG that uses ASR for replication or LDAP for replication or both.
New replica to be added should not be part of any DRG.
If the user does not specify supplier directory details using -bind option, user is prompted to specify supplier details:
If the supplier details are valid, remtool identifies all nodes in the DRG, if any, and displays the details before asking for consumer details.
After getting consumer directory details, if the DRG has multiple nodes, it prompts the user to specify the supplier's replicaid. Here user can specify the replicaid of any node of the DRG that uses LDAP based replication.
In case user wants to specify a ASR based replica as supplier, user must specify the ASR based replica as supplier in -bind option or when remtool prompts the user to specify it.
Remtool, after adding a replica, displays a list of naming contexts available in supplier replica along with "*". "*" indicates that whole directory will be included for replication barring DSE. User can select to replicate a portion of directory by selecting required naming contexts or whole directory by selecting "*". If user does not select any naming context, none of the naming contexts will take part in replication.
Remtool includes cn=oraclecontext naming context for replication whether or not user specifies naming context(s) to be included for replication.
Remtool sets the OID server at the consumer replica to read-only mode.
Example 1:-PADDNODE Option
In this example, the directory server ldap://my_host:3060 is added as partial read-only replica by specifying naming contexts to be replicated to directory server ldap://my_host:3040 for which the following command is issued:
remtool -paddnode -v -bind my_host:3040/ods
The results are:
Directory Replication Group (DRG) details :
--- ------------------ ----------------------- ----------------------- -----
Sl Replicaid Directory Information Supplier Information Repl.
No. Type
--- ------------------ ----------------------- ----------------------- -----
001 my_host_rid my_host:3040 -- RW
--- ------------------ ----------------------- ----------------------- -----
Enter consumer directory details:
Enter hostname of host running OID server : my_host
Enter port on which OID server is listening : 3060
Enter replication dn password :
------------------------------------------------------------------------------
ldap://my_host:3060 [my_host_rid2] : Modifying entry orclreplicaid=my_host_rid2,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Modifying entry ...
ldap://my_host:3040 [my_host_rid1] : Modifying entry orclreplicaid=my_host_rid1,cn=replication configuration...
ldap://my_host:3040 [my_host_rid1] : Modifying entry ...
ldap://my_host:3040 [my_host_rid1] : Modifying entry ...
ldap://my_host:3040 [my_host_rid1] : Adding entry orclagreementid=000002,orclreplicaid=my_host_rid1,cn=replication configuration...
ldap://my_host:3040 [my_host_rid1] : Adding entry orclreplicaid=my_host_rid2,cn=replication configuration...
ldap://my_host:3040 [my_host_rid1] : Adding entry cn=replication dn,orclreplicaid=my_host_rid2,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry orclreplicaid=my_host_rid1,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry orclagreementid=000002,orclreplicaid=my_host_rid1,cn=replication configuration...
ldap://my_host:3040 [my_host_rid] : Adding entry cn=includednamingcontext000001,orclagreementid=000002,orclreplicaid=usunnae07_prep,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry cn=includednamingcontext000001,orclagreementid=000002,orclreplicaid=usunnae07_prep,cn=replication configuration...
------------------------------------------------------------------------------
Replica ldap://my_host:3060(my_host_rid2) has been added to this DRG.
------------------------------------------------------------------------------
Directory Replication Group (DRG) details :
--- ------------------ ----------------------- ----------------------- -----
Sl Replicaid Directory Information Supplier Information Repl.
No. Type
--- ------------------ ----------------------- ----------------------- -----
001 my_host_rid1 my_host:3040 -- RW
002 my_host_rid2 my_host:3060 my_host_rid1 RO
--- ------------------ ----------------------- ----------------------- -----
Replica ldap://my_host:3060 (my_host_rem2) can be made partial replica by specifying naming contexts to be replicated.
------------------------------------------------------------------------------
List of available naming contexts in supplier replica ldap://my_host:3040 (my_host_rid1) :
1. * [replicate whole directory]
2. dc=com
3. dc=org
4. dc=net
5. dc=edu
Enter naming context (e-end, q-quit) : dc=org
Enter naming context (e-end, q-quit) : dc=edu
Enter naming context (e-end, q-quit) : e
Following naming contexts will be included for replication:
------------------------------------------------------------------------------
1. dc=org
2. dc=edu
Do you want to continue? [y/n] : y
ldap://my_host:3040 [my_host_rid1] : Adding entry cn=includednamingcontext000002,orclagreementid=000002,orclreplicaid=my_host_rid,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry cn=includednamingcontext000002,orclagreementid=000002,orclreplicaid=my_host_rid,cn=replication configuration...
ldap://my_host:3040 [my_host_rid1] : Adding entry cn=includednamingcontext000003,orclagreementid=000002,orclreplicaid=my_host_rid,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry cn=includednamingcontext000003,orclagreementid=000002,orclreplicaid=my_host_rid,cn=replication configuration...
------------------------------------------------------------------------------
Selected naming contexts have been included for replication.
------------------------------------------------------------------------------
Example #2: -PADDNODE Option
In this example, directory server ldap://my_host:3060 is added as partial replica to directory server ldap://my_host:3040, which is part of the DRG consisting of ldap://my_host:3040 and ldap://my_host:3080 that uses LDAP based replication. The user can connect to either my_host:3040 or my_host:3080 and add a consumer replica to my_host:3040.
In this example, the following command is issued:
remtool -paddnode -v -bind my_host:3040/ods
The results are:
Directory Replication Group (DRG) details :
--- ------------------ ----------------------- ----------------------- -----
Sl Replicaid Directory Information Supplier Information Repl.
No. Type
--- ------------------ ----------------------- ----------------------- -----
001 my_host_rid1 my_host:3040 -- RW
002 my_host_rid3 my_host:3080 my_host_rid1 RO
--- ------------------ ----------------------- ----------------------- -----
Enter consumer directory details:
Enter hostname of host running OID server : my_host
Enter port on which OID server is listening : 3060
Enter replication dn password :
Enter replicaid of the supplier : my_host_rid1
------------------------------------------------------------------------------
ldap://my_host:3060 [my_host_r[my_host_rid1]id2] : Modifying entry orclreplicaid=my_host_rid2,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Modifying entry ...
ldap://my_host:3040 [my_host_rid1] : Modifying entry orclreplicaid=my_host_rem,cn=replication configuration...
ldap://my_host:3040 [my_host_rid1] : Modifying entry ...
ldap://my_host:3040 [my_host_rid1] : Modifying entry ...
ldap://my_host:3040 [my_host_rid1] : Adding entry orclagreementid=000003,orclreplicaid=my_host_rid,cn=replication configuration...
ldap://my_host:3040 [my_host_rid1] : Adding entry orclreplicaid=my_host_rem2,cn=replication configuration...
ldap://my_host:3040 [my_host_rid1] : Adding entry cn=replication dn,orclreplicaid=my_host_rem2,cn=replication configuration...
ldap://my_host:3080 [my_host_rid3] : Adding entry orclreplicaid=my_host_rem2,cn=replication configuration...
ldap://my_host:3080 [my_host_rid3] : Adding entry cn=replication dn,orclreplicaid=my_host_rem2,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry orclreplicaid=my_host_rem,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry orclagreementid=000002,orclreplicaid=my_host_rem,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry orclagreementid=000003,orclreplicaid=my_host_rid,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry cn=replication dn,orclreplicaid=my_host_rid,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry orclreplicaid=my_host_rem3,cn=replication configuration...
ldap://my_host:3060 [my_host_rid2] : Adding entry cn=replication dn,orclreplicaid=my_host_rid3,cn=replication configuration...
ldap://my_host:3080 [my_host_rid3] : Adding entry orclagreementid=000003,orclreplicaid=my_host_rid,cn=replication configuration...
------------------------------------------------------------------------------
Replica ldap://my_host:3060(my_host_rem2) has been added to this DRG.
------------------------------------------------------------------------------
Directory Replication Group (DRG) details :
--- ------------------ ----------------------- ----------------------- -----
Sl Replicaid Directory Information Supplier Information Repl.
No. Type
--- ------------------ ----------------------- ----------------------- -----
001 my_host_rid1 my_host:3040 -- RW
002 my_host_rid2 my_host:3060 my_host_rid1 RO
003 my_host_rid3 my_host:3080 my_host_rid1 RO
--- ------------------ ----------------------- ----------------------- -----
Replica ldap://my_host:3060 (my_host_rid2) can be made partial replica by specifying naming contexts to be replicated.
------------------------------------------------------------------------------
List of available naming contexts in supplier replica ldap://my_host:3040 (my_host_rid1) :
1. * [replicate whole directory]
Enter naming context (e-end, q-quit) : e
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Example #3:-PADDNODE Option
In this example, OID server ldap://my_host:3080 is added as partial replica to OID server ldap://my_host:3040 that is part of the DRG consisting of ldap://my_host:3040 and ldap://my_host:3060 that uses ASR based replication. The user must connect to my_host:3040 to add a consumer replica to my_host:3040 in this case. In this example, the following command is issued:
remtool -paddnode -v -bind my_host:3040/ods
The results are:
Directory Replication Group (DRG) details :
--- ------------------ ----------------------- ----------------------- -----
Sl Replicaid Directory Information Supplier Information Repl.
No. Type
--- ------------------ ----------------------- ----------------------- -----
001 my_host_rid1 my_host:3040 my_host_rid2 RW
002 my_host_rid2 -- my_host_rid1 RW
--- ------------------ ----------------------- ----------------------- -----
Enter consumer directory details:
Enter hostname of host running OID server : my_host
Enter port on which OID server is listening : 3080
Enter replication dn password :
Enter replicaid of the supplier : my_host_rid1
------------------------------------------------------------------------------
ldap://my_host:3080 [my_host_rid3] : Modifying entry orclreplicaid=my_host_rem3,cn=replication configuration...
ldap://my_host:3080 [my_host_rid3] : Modifying entry ...
ldap://my_host:3040 [my_host_rid1] : Modifying entry orclreplicaid=my_host_rem,cn=replication configuration...
ldap://my_host:3040 [my_host_rid1] : Modifying entry ...
ldap://my_host:3040 [my_host_rid1] : Modifying entry ...
ldap://my_host:3040 [my_host_rid1] : Adding entry orclagreementid=000002,orclreplicaid=my_host_rem,cn=replication configuration...
ldap://my_host:3040 [my_host_rid1] : Adding entry orclreplicaid=my_host_rem3,cn=replication configuration...
ldap://my_host:3040 [my_host_rid1] : Adding entry cn=replication dn,orclreplicaid=my_host_rem3,cn=replication configuration...
ldap://my_host:3080 [my_host_rid3] : Adding entry orclreplicaid=my_host_rem,cn=replication configuration...
ldap://my_host:3080 [my_host_rid3] : Adding entry orclagreementid=000002,orclreplicaid=my_host_rem,cn=replication configuration...
ldap://my_host:3080 [my_host_rid3] : Adding entry cn=replication dn,orclreplicaid=my_host_rem,cn=replication configuration...
------------------------------------------------------------------------------
Replica ldap://my_host:3080(my_host_rem3) has been added to this DRG.
------------------------------------------------------------------------------
Directory Replication Group (DRG) details :
--- ------------------ ----------------------- ----------------------- -----
Sl Replicaid Directory Information Supplier Information Repl.
No. Type
--- ------------------ ----------------------- ----------------------- -----
001 my_host_rid1 my_host:3040 my_host_rid2 RW
002 my_host_rid2 -- my_host_rid1 RW
003 my_host_rid3 my_host:3080 my_host_rid1 RO
--- ------------------ ----------------------- ----------------------- -----
Replica ldap://my_host:3080 (my_host_rid3) can be made partial replica by specifying naming contexts to be replicated.
Do you want to continue? [y/n] : y
------------------------------------------------------------------------------
List of available naming contexts in supplier replica ldap://my_host:3040 (my_host_rid1) :
1. * [replicate whole directory]
2. dc=com
3. dc=org
4. dc=net
5. dc=edu
Enter naming context (e-end, q-quit) : *
Enter naming context (e-end, q-quit) : e
Following naming contexts will be included for replication:
------------------------------------------------------------------------------
1. *
Do you want to continue? [y/n] : y
ldap://my_host:3040 [my_host_rid] : Adding entry cn=includednamingcontext000002,orclagreementid=000002,orclreplicaid=my_host_rid,cn=replication configuration...
ldap://my_host:3080 [my_host_rid3] : Adding entry cn=includednamingcontext000002,orclagreementid=000002,orclreplicaid=my_host_rid,cn=replication configuration...
------------------------------------------------------------------------------
Selected naming contexts have been included for replication.
------------------------------------------------------------------------------
The syntax is:
remtool -pdelnode [-v] [-bind <hostname>:<port#>/<repl_dn_password>]
Usage Notes for the -PDELNODE Option
This option can be used to delete a read-only or read-only partial replica from a DRG.
This option cannot be used to delete a ASR based replica. -delnode option has to be used.
Example 1: -PDELNODE Option
In this example, replica ldap://my_host:3080 is removed from the DRG created as shown in Example 3 of -PADDNODE option. This DRG consists of 3 replicas - ldap://my_host:3040, ldap://my_host:3060, ldap://my_host:3080 - of which ldap://my_host:3040 and ldap://my_host:3060 uses ASR based replication and ldap:my_host:3040 and ldap://my_host:3080 uses LDAP based replication. To delete replica ldap://my_host:3080, user has to give bind details of either ldap://my_host:3040 or ldap://my_host:3080.
|
Note: A user cannot delete the replicaldap://my_host:3080 by giving bind details of ldap://my_host:3060, although binding to it gives details of all replicas.
|
In this example, the following command is issued:
remtool -pdelnode -v -bind my_host:3040/ods ------------------------------------------------------------------------------ Directory Replication Group (DRG) details : --- ------------------ ----------------------- ----------------------- ----- Sl Replicaid Directory Information Supplier Information Repl. No. Type --- ------------------ ----------------------- ----------------------- ----- 001 my_host_rid1 my_host:3040 my_host_rid2 RW 002 my_host_rid2 -- my_host_rid1 RW 003 my_host_rid3 my_host:3080 my_host_rid1 RO --- ------------------ ----------------------- ----------------------- ----- Enter replicaid of the replica to be deleted : my_host_rid3 ------------------------------------------------------------------------------ ldap://my_host:3040 [my_host_rid1] : Modifying entry ... ldap://my_host:3040 [my_host_rid1] : Deleting entry orclagreementid=000002,orclreplicaid=my_host_rid1,cn=replication configuration... ldap://my_host:3040 [my_host_rid1] : Deleting entry orclreplicaid=my_host_rem3,cn=replication configuration... ldap://my_host:3080 [my_host_rid3] : Modifying entry orclreplicaid=my_host_rem3,cn=replication configuration... ldap://my_host:3080 [my_host_rid3] : Modifying entry ... ldap://my_host:3080 [my_host_rid3] : Deleting entry orclreplicaid=my_host_rem,cn=replication configuration... ------------------------------------------------------------------------------ Replica ldap://my_host:3080(my_host_rid3) has been deleted from this DRG. ------------------------------------------------------------------------------ Directory Replication Group (DRG) details : --- ------------------ ----------------------- ----------------------- ----- Sl Replicaid Directory Information Supplier Information Repl. No. Type --- ------------------ ----------------------- ----------------------- ----- 001 my_host_rid1 my_host:3040 my_host_rid2 RW 002 my_host_rid2 -- my_host_rid1 RW --- ------------------ ----------------------- ----------------------- -----
Example #2: -PDELNODE Option
In this example, a replica is deleted from a DRG consisting of three replicas. All three replicas use LDAP-based replication. Required replica can be deleted by binding to any of these three replicas.
In this example, the following command is issued:
remtool -pdelnode -v -bind my_host:3040/ods ------------------------------------------------------------------------------ Directory Replication Group (DRG) details : --- ------------------ ----------------------- ----------------------- ----- Sl Replicaid Directory Information Supplier Information Repl. No. Type --- ------------------ ----------------------- ----------------------- ----- 001 my_host_rid1 my_host:3040 -- RW 002 my_host_rid3 my_host:3080 my_host_rid1 RO 003 my_host_rid2 my_host:3060 my_host_rid1 RO --- ------------------ ----------------------- ----------------------- ----- Enter replicaid of the replica to be deleted : my_host_rid3 ------------------------------------------------------------------------------ ldap://my_host:3040 [my_host_rid1] : Modifying entry ... ldap://my_host:3040 [my_host_rid1] : Deleting entry orclagreementid=000003,orclreplicaid=my_host_rem,cn=replication configuration... ldap://my_host:3040 [my_host_rid1] : Deleting entry orclreplicaid=my_host_rem3,cn=replication configuration... ldap://my_host:3060 [my_host_rid2] : Deleting entry orclagreementid=000003,orclreplicaid=my_host_rem,cn=replication configuration... ldap://my_host:3060 [my_host_rid2] : Deleting entry orclreplicaid=my_host_rem3,cn=replication configuration... ldap://my_host:3080 [my_host_rid3] : Modifying entry orclreplicaid=my_host_rem3,cn=replication configuration... ldap://my_host:3080 [my_host_rid3] : Modifying entry ... ldap://my_host:3080 [my_host_rid3] : Deleting entry orclreplicaid=my_host_rem,cn=replication configuration... ldap://my_host:3080 [my_host_rid3] : Deleting entry orclreplicaid=my_host_rem2,cn=replication configuration... ------------------------------------------------------------------------------ Replica ldap://my_host:3080(my_host_rid3) has been deleted from this DRG. ------------------------------------------------------------------------------ Directory Replication Group (DRG) details : --- ------------------ ----------------------- ----------------------- ----- Sl Replicaid Directory Information Supplier Information Repl. No. Type --- ------------------ ----------------------- ----------------------- ----- 001 my_host_rid1 my_host:3040 -- RW 002 my_host_rid2 my_host:3060 my_host_rid RO --- ------------------ ----------------------- ----------------------- -----
The syntax is:
remtool -pchgpwd [-v] [-bind <hostname>:<port>/<replication_dn_password>]
Usage Notes for the -PCHGPWD Option
This option is used to change password of replication DN.
The replication DN of Oracle Internet Directory server identified by "-bind" option will be changed.
Password of replication DN of the identified replica will be changed both in Oracle Internet Directory repository and in wallet.
If the replica is taking part in replication, then password will be changed in other replicas for the local replica's replication DN. Note that, unlike ASR based replication, the replication DN password of each replica can be different from others.
This option has to be executed in the host, where Oracle Internet Directory server whose replication DN password has to be changed is running. This is mandatory as password in wallet must also to be changed. Otherwise remtool will report an error as shown in example #2.
Example 1: -PCHGPWD Option
In this example, the password of replica ldap://my_host:3040/ods is changed for which the following command is issued:
remtool -pchgpwd -v -bind my_host:3040/ods
The results are:
Directory Replication Group (DRG) details : --- ------------------ ----------------------- ----------------------- ----- Sl Replicaid Directory Information Supplier Information Repl. No. Type --- ------------------ ----------------------- ----------------------- ----- 001 my_host_rid1 my_host:3040 -- RW 002 my_host_rid3 my_host:3080 my_host_rid1 RO --- ------------------ ----------------------- ----------------------- ----- ------------------------------------------------------------------------------ Replication DN password of ldap://my_host:3040 (my_host_rem) associated with database 'rid' will be changed. Do you want to continue? [y/n] : y Enter new password of replication DN : Reenter new password of replication DN : ------------------------------------------------------------------------------ ldap://my_host:3040 [my_host_rid1] : Modifying entry cn=replication dn,orclreplicaid=my_host_rem,cn=replication configuration... ldap://my_host:3080 [my_host_rid3] : Modifying entry cn=replication dn,orclreplicaid=my_host_rem,cn=replication configuration... ------------------------------------------------------------------------------ Password has been changed. ------------------------------------------------------------------------------
Example 2: -PCHGPWD Option
In this example, user tries to change the password of replica my_host:3040 from a different host for which the following command is issued:
remtool -pchgpwd -v -bind my_host:3040/ods
The results are:
Directory Replication Group (DRG) details : --- ------------------ ----------------------- ----------------------- ----- Sl Replicaid Directory Information Supplier Information Repl. No. Type --- ------------------ ----------------------- ----------------------- ----- 001 my_host_rid1 my_host:3040 -- RW 002 my_host_rid3 my_host:3080 my_host_rid1 RO --- ------------------ ----------------------- ----------------------- ----- ----------------------------------------------------------------------------- Replication DN password of ldap://my_host:3040 (my_host_rid1) associated with database 'rid1' will be changed. Do you want to continue? [y/n] : y Enter new password of replication DN : Reenter new password of replication DN : ------------------------------------------------------------------------------ ldap://my_host:3040 : Invoke the remtool at host my_host to change the password of ldap://my_host:3040 replica. ------------------------------------------------------------------------------ Error occurred while changing password of replica ldap://my_host:3040(my_host_rid1). ldap://my_host:3040 : Invoke the remtool at host my_host to change the password of ldap://my_host:3040 replica.
The syntax is:
remtool -pcleanup -v -bind my_host:3040/ods
Usage Notes for the -PCLEANUP Option
This option can be used to clean up LDAP based replication setup.
This option can be used to clean up a replica which has incomplete or flawed LDAP based replication setup. In case of incomplete or flawed LDAP-based replication setup, the Replication Environment Management Tool cleans up only the replica identified by the -bind option. If replication configuration information is corrupted, or the replication DN entry is not available, then it prompts for the super user DN and password.
This option can be used only to clean up LDAP based replication setup and not ASR based replication setup.
Example 1: -PCLEANUP Option
In this example, the replication setup of a DRG that has 3 replicas taking part in LDAP based replication.
In this example, the following command is issued:
remtool -pcleanup -v -bind my_host:3040/ods
The results are:
Directory Replication Group (DRG) details : --- ------------------ ----------------------- ----------------------- ----- Sl Replicaid Directory Information Supplier Information Repl. No. Type --- ------------------ ----------------------- ----------------------- ----- 001 my_host_rid1 my_host:3040 -- RW 002 my_host_rid3 my_host:3080 my_host_rid1 RO 003 my_host_rid2 my_host:3060 my_host_rid1 RO --- ------------------ ----------------------- ----------------------- ----- DRG identified by replica ldap://my_host:3040 (my_host_rid1) will be cleaned up. Do you want to continue? [y/n] : y ------------------------------------------------------------------------------ ldap://my_host:3040 [my_host_rid1] : Modifying entry orclreplicaid=my_host_rem,cn=replication configuration... ldap://my_host:3040 [my_host_rid1] : Modifying entry ... ldap://my_host:3040 [my_host_rid1] : Modifying entry ... ldap://my_host:3040 [my_host_rid1] : Deleting entry orclagreementid=000002,orclreplicaid=my_host_rem,cn=replication configuration... ldap://my_host:3040 [my_host_rid1] : Deleting entry orclagreementid=000003,orclreplicaid=my_host_rem,cn=replication configuration... ldap://my_host:3040 [my_host_rid1] : Deleting entry orclreplicaid=my_host_rem3,cn=replication configuration... ldap://my_host:3040 [my_host_rid1] : Deleting entry orclreplicaid=my_host_rem2,cn=replication configuration... ldap://my_host:3080 [my_host_rid3] : Modifying entry orclreplicaid=my_host_rem3,cn=replication configuration... ldap://my_host:3080 [my_host_rid3] : Modifying entry ... ldap://my_host:3080 [my_host_rid3] : Modifying entry ... ldap://my_host:3080 [my_host_rid3] : Deleting entry orclreplicaid=my_host_rem,cn=replication configuration... ldap://my_host:3080 [my_host_rid3] : Deleting entry orclreplicaid=my_host_rem2,cn=replication configuration... ldap://my_host:3060 [my_host_rid2] : Modifying entry orclreplicaid=my_host_rem2,cn=replication configuration... ldap://my_host:3060 [my_host_rid2] : Modifying entry ... ldap://my_host:3060 [my_host_rid2] : Modifying entry ... ldap://my_host:3060 [my_host_rid2] : Deleting entry orclreplicaid=my_host_rem3,cn=replication configuration... ldap://my_host:3060 [my_host_rid2] : Deleting entry cn=replication dn,orclreplicaid=my_host_rem3,cn=replication configuration... ------------------------------------------------------------------------------ Replica ldap://my_host:3040(my_host_rid1) has been cleaned up. ------------------------------------------------------------------------------
Example 2: -pcleanup
This example shows how -pcleanup option can be used to clean up flawed LDAP based replication setup.
Step 1: First replica ldap://my_host:3040 is added to ldap://my_host:3060.While replication setup is in progress, error occurs which results in flawed setup.
remtool -paddnode -v -bind my_host:3040/ods Directory Replication Group (DRG) details : --- ------------------ ----------------------- ----------------------- ----- Sl Replicaid Directory Information Supplier Information Repl. No. Type --- ------------------ ----------------------- ----------------------- ----- 001 my_host_rid1 my_host:3040 -- RW --- ------------------ ----------------------- ----------------------- ----- Enter consumer directory details: Enter hostname of host running OID server : my_host Enter port on which OID server is listening : 3060 Enter replication dn password : ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ Error occurred while adding partial replica ldap://my_host:3060. ldap://my_host:3060 : Failed to add entry orclreplicaid=my_host_rid1,cn=replication configuration. DSA is unwilling to perform ldap://my_host:3060 : Failed to read replication configuration information.
Step 2: Again add ldap://my_host:3060 to ldap://my_host:3040, which results in error.
remtool -paddnode -v -bind my_host:3040/ods ldap://my_host:3060 : Failed to read replication configuration information.
Step 3: As there was error in above paddnode procedure, no new node can be added. Hence call -pcleanup to clean the setup. After cleanup is complete, -paddnode can be invoked again to add a new replica.
remtool -pcleanup -v -bind my_host:3040/ods ldap://my_host:3060 : Failed to read replication configuration information. Error occurred while getting replication configuration information. This tool will try to rectify the problem if super user DN and password are provided. Do you want to continue? [y/n] : y Enter superuser DN : cn=orcladmin Enter superuser password : Enter new password of replication DN : Reenter new password of replication DN : ------------------------------------------------------------------------------ Directory Replication Group (DRG) details : --- ------------------ ----------------------- ----------------------- ----- Sl Replicaid Directory Information Supplier Information Repl. No. Type --- ------------------ ----------------------- ----------------------- ----- 001 my_host_rid1 my_host:3040 -- RW 002 my_host_rid2 my_host:3060 my_host_rid1 RO --- ------------------ ----------------------- ----------------------- ----- DRG identified by replica ldap://my_host:3040 (my_host_rem) will be cleaned up. Do you want to continue? [y/n] : y ------------------------------------------------------------------------------ ldap://my_host:3040 [my_host_rid1] : Modifying entry orclreplicaid=my_host_rem,cn=replication configuration... ldap://my_host:3040 [my_host_rid1] : Modifying entry ... ldap://my_host:3040 [my_host_rid1] : Modifying entry ... ldap://my_host:3040 [my_host_rid1] : Deleting entry orclagreementid=000002,orclreplicaid=my_host_rem,cn=replication configuration... ldap://my_host:3040 [my_host_rid1] : Deleting entry orclreplicaid=my_host_rem2,cn=replication configuration... ------------------------------------------------------------------------------ Replica ldap://my_host:3040(my_host_rem) has been cleaned up. ------------------------------------------------------------------------------
The syntax is:
remtool -presetpwd -v -bind my_host:3040/ods
Usage Notes for the -PRESETPWD Option
This option is used for resetting replication DN password.
To reset the replication DN password, Superuser DN and password are required.
This will just reset the replication DN password in wallet and in the directory.
This will not reset the password in any other directories of the DRG of which this directory is part.
Example: -PRESETPWD Option
In this example, the following command is issued to reset the password of replica my_host:3040:
remtool -presetpwd -v -bind my_host:3040/ods
The results are:
Enter superuser DN : cn=orcladmin Enter superuser password : ------------------------------------------------------------------------------ Replication DN password of ldap://my_host:3040 (my_host_rem) associated with database 'rid1' will be reset. Do you want to continue? [y/n] : y Enter new password of replication DN : Reenter new password of replication DN : ------------------------------------------------------------------------------ ldap://my_host:3040 [my_host_rid1] : Modifying entry cn=replication dn,orclreplicaid=my_host_rid1,cn=replication configuration... ------------------------------------------------------------------------------ Password has been changed. ------------------------------------------------------------------------------
The syntax is:
remtool -pchgwalpwd -v -bind my_host:3040/ods
Usage Notes for the -PCHGWALPWD Option
This option is used to change only the wallet password.
This will set the wallet password to replication DN password stored in Oracle Internet Directory repository.
Bind details must be that of the directory whose wallet password is to be changed.
This option is useful in RAC environment.
Example: -PCHGWALPWD Option
In this example, password of replication DN of replica ldap://my_host:3040 is set to that of in Oracle Internet Directory repository in the wallet for which the following command is issued:
remtool -pchgwalpwd -v -bind my_host:3040/ods
The results are:
Directory Replication Group (DRG) details : --- ------------------ ----------------------- ----------------------- ----- Sl Replicaid Directory Information Supplier Information Repl. No. Type --- ------------------ ----------------------- ----------------------- ----- 001 my_host_rid1 my_host:3040 -- RW 002 my_host_rid3 my_host:3080 my_host_rid1 RO --- ------------------ ----------------------- ----------------------- ----- ------------------------------------------------------------------------------ Replication DN password of ldap://my_host:3040 (my_host_rid1) associated with database 'rid' will be set in wallet. Do you want to continue? [y/n] : y
Password has been changed.
The syntax to begin pilot mode in a replica is:
remtool -pilotreplica begin -bind host:port/replication_dn_password
The syntax to end pilot mode in a replica is:
remtool -pilotreplica end -bind host:port/replication_dn_password [ -bkup fname ]
Arguments used with the -PILOTREPLICA option are shown in Table A-30.
Table A-30 Arguments Used With the -PILOTREPLICA Option
| Argument | Meaning |
|---|---|
host
|
Hostname where pilot replica's LDAP server is running |
port
|
Port where pilot replica's LDAP server is listening |
replication_dn_password
|
Password of replication DN of pilot replica |
fname
|
Name of backup file in which entries modified after pilot mode is started are to be stored in LDIF format |
|
Note: The-pilotreplica option will not work if anonymous bind is disabled at the pilot replica.
|
The syntax to add metadata of a pilot replica to a master replica or to back up metadata of a pilot replica in a file is:
remtool -backupmetadata -replica phost:pport/prdnpwd [ -master mhost:mport/mrdnpwd | -bkup fname ]
Arguments used with the -BACKUPMETADATA option are shown in Table A-31.
Table A-31 Arguments Used With the -BACKUPMETADATA Option
| Argument | Meaning |
|---|---|
phost
|
Hostname where pilot replica's LDAP server is running |
pport
|
Port where pilot replica's LDAP server is listening |
prdnpwd
|
Password of replication DN of pilot replica |
mhost
|
Hostname where master replica's LDAP server is running |
mport
|
Port where master replica's LDAP server is listening |
mrdnpwd
|
Password of replication DN of master replica |
fname
|
Name of backup file in which metadata entries are to be stored in LDIF format |
|
Note: The-backupmetadata option will not work if anonymous bind is disabled at the pilot replica or master replica.
|
The Directory Integration and Provisioning Assistant (dipassistant) is a command-line tool for administering the Oracle directory integration and provisioning server. The syntax for the Directory Integration and Provisioning Assistant is:
dipassistant [-gui | command] [-help] command := createprofile [cp] | createprofilelike [cpl] | modifyprofile [mp] | deleteprofile [dp] | listprofiles[lp | lsprof] | showprofile[sp] | expressconfig[ec] | bootstrap [bs] | wpasswd [wp] | chgpasswd [cpw] | reassociate [rs]
For help on a particular command, enter:
dipassistant command -help
Table A-32 lists the tasks you can perform with the Directory Integration and Provisioning Assistant. It also points you to instructions for performing each task.
Table A-32 Summary of Functionality of the Directory Integration and Provisioning Assistant
| Tasks | Commands | More Information |
|---|---|---|
| Use the Oracle Directory Integration and Provisioning Server Administration tool, which is the graphical version of the Directory Integration and Provisioning Assistant | -gui
|
The chapter on Oracle Internet Directory integration and provisioning tools in Oracle Identity Management Integration Guide. |
| Create, modify, or delete a synchronization profile | createprofile
|
"Creating, Modifying, and Deleting Synchronization Profiles"
|
| See all the profile names in Oracle Internet Directory | listprofiles
|
"Listing All Synchronization Profiles in Oracle Internet Directory"
|
| See the details of a specific profile | showprofile
|
"Viewing the Details of a Specific Synchronization Profile"
|
| Creates and configures import and export profiles for synchronization with Microsoft Active Directory | expressconfig
|
"Performing an Express Configuration of the Active Directory Connector Profiles"
|
| Make Oracle Internet Directory and the connected directory identical before beginning synchronization | bootstrap
|
"Bootstrapping a Directory by Using the Directory Integration and Provisioning Assistant"
|
| Set the wallet password that the Oracle directory integration and provisioning server later uses to connect to Oracle Internet Directory | wpasswd
|
"Bootstrapping a Directory by Using the Directory Integration and Provisioning Assistant"
|
| Reset the password of the administrator of the Oracle Directory Integration Platform | chgpasswd
|
"Changing the Password of the Administrator of Oracle Directory Integration and Provisioning"
|
| Move integration profiles from one identity management node to another | reassociate
|
"Moving an Integration Profile to a Different Identity Management Node"
|
The syntax for creating, modifying, or deleting synchronization profiles by using the Directory Integration and Provisioning Assistant is:
dipassistant createprofile [-h hostName] [-p port] [-D bindDn] [-w password] -f fileName -configset Configset Number dipassistant createprofilelike [-h hostName] [-p port] [-D bindDn] [-w password] -profile origProfName -newprofile newProfName dipassistant modifyprofile [-h hostName] [-p port] [-D bindDn] [-w password] {-f fileName | -profile profName [-updlcn] } [propName1=value] [propName2=value]... dipassistant deleteprofile -profile profName [-h hostName] [-p port] [-D bindDn] [-w password] [-configset Configset Number]
Table A-33 describes the parameters for creating, modifying, and deleting synchronization profiles by using the Directory Integration and Provisioning Assistant.
Table A-33 Parameters for Creating, Modifying, and Deleting Synchronization Profiles by Using the Directory Integration and Provisioning Assistant
| Parameter | Description |
|---|---|
-h | -host
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p | -port
|
Port at which Oracle Internet Directory was started. The default is 389. |
-D | -dn
|
The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning administrator. |
-w | -passwd
|
The password of the bind DN to be used while binding to the directory. |
-f | -file
|
The configuration file containing the profile parameters.
See Also: Table A-34 for a list of parameters and their description |
-configset
|
An integer greater than 0 that represents the configuration set with which to associate the profile. |
-profile
|
A text string representing the name of profile to be modified, deleted, or used as a template for creating a new profile. |
-newProfile | -name
|
A text string representing the name of profile to be created in Oracle Internet Directory. |
-updlcn
|
Updates the last applied changed number in the specified profile |
The following example uses a configuration file named import.profile to create a new profile and associate the new profile with configuration set 1:
dipassistant createprofile -h myhost -p 3060 -D cn=dipadmin -w welcome1 -f import.profile -configset 1
The following example creates a new profile named iPlImport with values copied from a profile named iPllmportTemplate.
dipassistant createprofilelike -h myhost -p 3060 -D cn=dipadmin -w welcome1 -profile iPlImportTemplate -newProfile iPlImport
The following example uses a configuration file named changes.profile to modify a profile named myprofile.
dipassistant modifyprofile -profile myprofile -h myhost -p 3060 -D cn=dipadmin -w welcome1 -f changes.profile
The following example deletes the myprofile profile.
dipassistant deleteprofile -profile myprofile -h myhost -p 3060 -D cn=dipadmin -w welcome1 -configset 1
For the createprofile, createprofilelike, and modifyprofile commands, you specify a configuration file containing the properties listed in Table A-34. When modifying an already existing profile, no defaults are assumed. Only those attributes specified in the file are changed. When using Directory Integration and Provisioning Assistant, you reference a property name in the format odip.profile.property_name. However, in Oracle Internet Directory, the property name is stored in the format orclodipproperty_name. Both property name formats are listed in Table A-34.
Table A-34 Properties Expected by createprofile and modifyprofile Commands
| Property | Description | Default |
|---|---|---|
odip.profile.agentexecommand / orclodipagentexecommand
|
In the case of a NON-LDAP interface, the command to produce the information in LDIF format | - |
odip.profile.condiraccount / orclodipcondiraccessaccount
|
DN or user name used to connect to the third party directory. | - |
odip.profile.condirfilter / orclodipcondirmatchingfilter
|
Filter that needs to be applied to the changes read from the connected directory before importing to Oracle Internet Directory | - |
odip.profile.condirpassword / orclodipcondiraccesspassword
|
Password used for identification to the third-party directory. | - |
odip.profile.condirurl / orclodipcondirurl
|
Location of third-party directory [hostname:port]
|
- |
odip.profile.configfile
|
Name of the file that contains the additional profile-specific information to be used for execution | - |
odip.profile.configinfo / orclodipadditionalconfiginfo
|
Contains additional profile-specific information to be used for execution | - |
odip.profile.debuglevel / orclodipprofiledebuglevel
|
Specifies the profile debug level | - |
odip.profile.interface / orclodipinterfacetype
|
Indicator as to whether the LDAP or LDIF or DB or TAGGED format is to be used for data exchange | LDAP |
odip.profile.lastchgnum / orclodipcondirlastappliedchangenumber
|
Last applied change number. In the case of an export profile this number refers to Oracle Internet Directory's last applied change number However, n the case of the import profile, this number refers to the last applied change number in the connected directory | - |
odip.profile.mapfile / orclodipattributemappingrules
|
Name of the file that contains the mapping rules | - |
odip.profile.name / orclodipagentname
|
Name of the profile | - |
odip.profile.oidfilter / orclodipoidmatchingfilter
|
Filter that needs to be applied to the changes that are read from the Oracle Internet Directory before exporting to the connected directory | - |
odip.profile.password / orclODIPAgentPassword
|
Password for accessing this profile | - |
odip.profile.retry / orclodipsyncretrycount
|
Maximum number of times the Oracle directory integration and provisioning server should attempt to execute an entry | 4 |
odip.profile.schedinterval/orclodipschedulinginterval
|
Interval between successive executions of this profile by the integration server. If the previous execution has not completed then the next execution will not resume until it completes. | 1 Minute |
odip.profile.status / orclodipagentcontrol
|
Either DISABLE or ENABLE
|
DISABLE |
odip.profile.syncmode / orclodipasynchronizationmode
|
Direction of synchronization. When the changes are propagated from the third party to Oracle Internet Directory, the synchronization mode is IMPORT. When the changes are propagated to the third party directory, the synchronization mode is EXPORT. | IMPORT |
The listprofiles command prints a list of all the synchronization profiles in Oracle Internet Directory. The syntax for this command is:
dipassistant listprofiles [-h hostName] [-p port] [-D bindDn] [-w password] [-configset Configset Number]
Table A-35 describes the parameters of the listprofiles command.
Table A-35 Parameters of the listprofiles Command
| Parameter | Description |
|---|---|
-h | -host
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p | -port
|
Port at which Oracle Internet Directory was started. The default is 389. |
-D | -dn
|
The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning administrator. |
-w | -passwd
|
The password of the bind DN to be used while binding to the directory. |
-configset
|
An integer greater than 0 that represents the configuration set with which to associate the profile. |
The following example prints a list of all the synchronization profiles in Oracle Internet Directory:
dipassistant listprofiles -h myhost -p 3060 -D cn=dipadmin -w welcome1
By default, the preceding command prints the following list of sample profiles created during installation. However, your deployment of Oracle Internet Directory may contain additional synchronization profiles.
IplanetExport IplanetImport ActiveImport ActiveExport LdifExport LdifImport TaggedExport TaggedImport OracleHRAgent ActiveChgImp
The showprofile command prints the details of a specific synchronization profile. The syntax for this command is:
dipassistant showprofile -profile profName [-h hostName] [-p port] [-D bindDn] [-w password]
Table A-36 describes the parameters of the showprofile command.
Table A-36 Parameters of the showprofile Command
| Parameter | Description |
|---|---|
-h | -host
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p | -port
|
Port at which Oracle Internet Directory was started. The default is 389. |
-D | -dn
|
The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning administrator. |
-w | -passwd
|
The password of the bind DN to be used while binding to the directory. |
-profile
|
A text string representing the name of profile to show. |
For example, the following showprofile command prints the details for the ActiveImport sample profile that is created during installation:
dipassistant showprofile -h myhost -p 3060 -D cn=dipadmin -w welcome1 -profile ActiveImport
The preceding command prints the following details of the ActiveImport sample profile:
odip.profile.version = 2.0 odip.profile.lastchgnum = 0 odip.profile.interface = LDAP odip.profile.oidfilter = orclObjectGUID odip.profile.schedinterval = 60 odip.profile.name = ActiveImport odip.profile.syncmode = IMPORT odip.profile.condirfilter = "searchfilter=(|(objectclass=group)(objectclass=organizationalunit) (&(objectclass=user)(!(objectclass=computer))))" odip.profile.retry = 5 odip.profile.debuglevel = 0 odip.profile.status = DISABLE
The expressconfig command performs an express configuration of the Active Directory connector. When you run this command, it performs all required configurations outlined in Table A-32, "Summary of Functionality of the Directory Integration and Provisioning Assistant". This command also creates two profiles, an import profile and an export profile. The syntax for performing an express configuration is as follows:
dipassistant expressconfig [-h hostName] [-p port] [-3rdpartyds 3rd party ds] [-configset Configset Number]
Table A-37 describes the parameters of the expressconfig command.
Table A-37 Parameters of the expressconfig Command
| Parameter | Description |
|---|---|
-h | -host| -oidhost
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p |-port | -oidport
|
Port at which Oracle Internet Directory was started. The default is 389. |
-3rdpartyds
|
The third-party directory service to configure. |
-configset
|
An integer greater than 0 that represents the configuration set with which to associate the profile. |
|
See Also: The section on using the express configuration option of the Directory Integration and Provisioning Assistant in Oracle Identity Management Integration Guide |
The bootstrap command performs the initial migration of data between a connected directory and Oracle Internet Directory. The syntax for this command is as follows:
dipassistant bootstrap { -profile profName [-h hostName] [-p port] [-D bindDn] [-w password] [-log logFile] [-logseverity severity] [-trace traceFile] [-tracelevel level] [-loadparallelism #nThrs] [-loadretry retryCnt] | -f filename }
Table A-38 describes the parameters of the bootstrap command.
Table A-38 Parameters of the bootstrap Command
| Parameter | Description |
|---|---|
-f | cfg
|
A configuration file containing all the parameters required for performing the bootstrapping.
See Also: Table A-39 for a list of parameters and their description |
-h | -host
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p | -port
|
Port at which Oracle Internet Directory was started. The default is 389. |
-D | -dn
|
The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning administrator. |
-w | -passwd
|
The password of the bind DN to be used while binding to the directory. |
-profile
|
A text string representing the name of profile to use when performing the bootstrapping. |
-log
|
Log file. If this parameter is not specified, then, by default, the log information is written to OH/ldap/odi/bootstrap.log
|
-logseverity
|
Log severity 1 - 15. 1 – INFO, 2 – WARNING, 3 – DEBUG, 4 – ERROR. Or any combination of these. If not specified, then INFO and ERROR messages alone will be logged. |
-trace
|
Trace file for debugging purpose |
-tracelevel
|
Trace level |
-loadparallelism
|
Indicator that loading to Oracle Internet Directory is to take place in parallel by using multiple threads. For example, -loadparallelism 5 means that 5 threads are to be created, each of which tries to load the entries in parallel to Oracle Internet Directory.
|
-loadretry
|
When the loading to the destination fails, the number of times the retry should be made before marking the entry as bad entry |
When you use the bootstrap command, you can use either the -profile parameter to specify a synchronization profile or the -f parameter to a configuration file. The following example uses a synchronization profile named iPlanetProfile to perform bootstrapping:
dipassistant bootstrap –profile iPlanetProfile -h myhost –port 3060 -D cn=dipadmin -w welcome1
The following example uses a configuration file named bootstrap.cfg to perform bootstrapping:
dipassistant bootstrap –f bootstrap.cfg
When you use the -f parameter with the bootstrap command, you must specify a configuration file containing the properties listed in Table A-39.
Table A-39 Bootstrapping Configuration File Properties
| Property | Description | Mandatory | Default |
|---|---|---|---|
odip.bootstrap.srctype
|
Indicator of whether source of the bootstrapping is LDAP or LDIF. Valid values are either LDAP or LDIF.
|
Yes | - |
odip.bootstrap.desttype
|
Indicator of whether destination of the bootstrapping is LDAP or LDIF. Valid values are either LDAP or LDIF.
|
Yes | - |
odip.bootstrap.srcurl
|
In the case of LDAP source type, location of the source directory. In the case of LDIF, the location of the LDIF file.
Note: For LDAP, the expected format is |
Yes | - |
odip.bootstrap.desturl
|
In the case of LDAP, location of the destination directory. In the case of LDIF, the location of the LDIF file.
Note: For LDAP, the expected format is |
Yes | - |
odip.bootstrap.srcsslmode
|
Indicator of whether SSL-based authentication must be used to connect to the source of the bootstrapping. A value of TRUE indicates that SSL-based authentication must be used.
|
No | FALSE
|
odip.bootstrap.destsslmode
|
Indicator of whether SSL-based authentication must be used to connect to the destination of the bootstrapping. TRUE indicates that SSL-based authentication must be used.
Note: In the case of LDIF, this parameter is meaningless. |
No | FALSE
|
odip.bootstrap.srcdn
|
Supplement to the source URL. In the case of LDIF binding, this parameter is meaningless. However in the case of LDAP, this parameter specifies the Bind DN. | Only in the case of LDAP | - |
odip.bootstrap.destdn
|
Supplement to the destination URL. In the case of LDIF binding, this parameter is meaningless. However in the case of LDAP, this parameter specifies the Bind DN. | Only in the case of LDAP | - |
odip.bootstrap.srcpasswd
|
Bind password to the source. In the case of LDAP binding, this is used as security. Oracle Corporation recommends that you not specify the password in this file. | No | - |
odip.bootstrap.destpasswd
|
Bind password. In the case of LDAP binding, this is used as security credential.
Oracle Corporation recommends that you not specify the password in this file. |
No | - |
odip.bootstrap.mapfile
|
Location of the map file that contains the attribute and domain mappings. | No | - |
odip.bootstrap.logfile
|
Location of the log file. If this file already exists then it will be appended. The default log file is bootstrap.log created under $ORACLE_HOME/ldap/odi/log directory.
|
No | The file bootstrap.log created under the directory $ORACLE_HOME/ldap/odi/
|
odip.bootstrap.logseverity
|
Type of log messages that needs to be logged.
INFO – 1 WARNING - 2 DEBUG – 4 ERROR - 8 Note: A combination of these types can also be given. For example, if you are interested only in WARNING and ERROR message, then specify a value of 8+2—that is, 10. Similarly, for all types of message, use 1 + 2 + 4 + 8 = 15 |
No | 1 + 8 = 9 |
odip.bootstrap.loadparallelism
|
Numeric value indicating the number of writer threads used to load the processed data to the destination | No | 1- |
odip.bootstrap.loadretry
|
In the event of a failure to load an entry, indicator of how many times to retry | No | 5 |
odip.bootstrap.trcfile
|
Location of the trace file. If this file already exists, then it is overwritten. | No | $ORACLE_HOME/ldap/odi/log/bootstrap.trc
|
odip.bootstrap.trclevel
|
The tracing level | No | 3 |
odip.bootstrap.srcencode
|
The encoding used by the LDIF file if the file: Is generated by using a utility of a third-party directory Contains NLS data Is processed on a different platform By default, the Directory Integration and Provisioning Assistant assumes that the file is processed on the system on which it was generated. | Yes |
|
The WPasswd command enables you to set the wallet password that the Oracle directory integration and provisioning server later uses to connect to Oracle Internet Directory. To use this command, enter:
dipassistant wp
The Directory Integration and Provisioning Assistant prompts you to enter, and then confirm, the password.
This chgpasswd command resets the password of dipadmin account. The default password for the dipadmin account is same as ias_admin password chosen during installation. To reset the password, you must provide the security credentials of the orcladmin account. The syntax for resetting the password is as follows:
dipassistant chgpasswd [-h hostName] [-p port] [-D bindDn] [-w password]
Table A-40 describes the parameters of the chgpasswd command.
Table A-40 Parameters of the chgpasswd Command
| Parameter | Description |
|---|---|
-h | -host
|
Host where Oracle Internet Directory is running. The default value is the name of the local host. |
-p | -port
|
Port at which Oracle Internet Directory was started. The default is 389. |
-D | -dn
|
The bind DN to be used in identifying to the directory. The default value is the DN of the Oracle Directory Integration and Provisioning administrator. |
-w | -passwd
|
The password of the bind DN to be used while binding to the directory. |
The following is an example of the chgpasswd command:
dipassistant chgpasswd -h myhost -p 3060 -D cn=dipadmin -w welcome1
The Directory Integration and Provisioning Assistant then prompts for the new password as follows:
New Password: Confirm Password:
You can use the reassociate command of the Directory Integration and Provisioning Assistant to move directory integration profiles to another node and to reassociate them with it. For example, if the middle-tier components are associated with a particular Oracle Identity Management infrastructure, then all the integration profiles existing in that infrastructure node can be moved to a new infrastructure node and reassociated with it.
Table A-41 describes the reassociation rules.
Table A-41 Scenarios for Reassociating Directory Integration Profiles
| Scenario | Actions Taken |
|---|---|
| Integration profile does not exist on the second Oracle Internet Directory node | The integration profile is copied to the second Oracle Internet Directory node and is disabled after copying. It must be enabled by the application. The lastchangenumber attribute in the integration profile is modified to the current last change number on the second Oracle Internet Directory node.
|
| Integration profile exists on the second Oracle Internet Directorynode | Both integration profiles are reconciled in the following manner:
|
The syntax for the reassociate command is as follows:
dipassistant reassociate [-src_ldap_host hostName] [-src_ldap_port port] [-src_ldap_dn bindDn] [-src_ldap_passwd password] -dst_ldap_host hostName [-dst_ldap_port port] [-dst_ldap_dn bindDn] [-dst_ldap_passwd password] [-log logfile]
Table A-42 describes the parameters of the reassociate command.
Table A-42 Parameters of the reassociate Command
| Parameter | Description |
|---|---|
-src_ldap_host host_name
|
Host where Oracle Internet Directory-1 runs |
-src_ldap_port port_number
|
Port where Oracle Internet Directory-1 runs |
-src_ldap_dn bind_DN
|
Bind DN for connecting to Oracle Internet Directory-1 |
-src_ldap_passwd password
|
Bind DN password for connecting to Oracle Internet Directory-1 |
-dst_ldap_host host_name
|
Host where Oracle Internet Directory-2 runs |
-dst_ldap_portport_number
|
Port where Oracle Internet Directory-2 runs |
-dst_ldap_dn bind_DN
|
Bind DN for connecting to Oracle Internet Directory-2 |
-dst_ldap_passwd password
|
Bind DN password for connecting to Oracle Internet Directory-2 |
-log log_file
|
Log file |
The reassociate command defaults are as follows:
src_ldap_host - localhost, src_ldap_port & dst_ldap_port - 389 src_ldap_dn & dst_ldap_dn - cn=orcladmin account
The following is an example of the reassociate command:
dipassistant reassociate -src_ldap_host oid1.mycorp.com \ -dst_ldap_host oid2.mycorp.com -src_ldap_passwd srcpassword \ -dst_ldap_passwd dstpassword
Note if the location of the log file is not specified then by default it will be created as $ORACLE_HOME/ldap/odi/log/reassociate.log.
In this release, the Directory Integration and Provisioning Assistant does not support the following:
SSL-based authentications to Oracle Internet Directory
Schema synchronization
Automatic profile creation at the end of the bootstrapping process when used with the -cfg option
Mapping file validation
Creation of a failed entries file
The following elements of the Directory Integration and Provisioning Assistant are untested:
Bootstrapping of the connected directory over the SSL connection
The use of the modifyprofile command while synchronization is happening for that profile
The bootstrapping command of the Directory Integration and Provisioning Assistant has the limitations described in Table A-43.
Table A-43 Limitations of Bootstrapping in the Directory Integration and Provisioning Assistant
| Type of Bootstrapping | Limitation |
|---|---|
| LDIF-to-LDIF | None |
| LDAP-to-LDIF | For a large number of entries, bootstrapping can fail with an error of size limit exceeded. To resolve this, the connected directory server from which you are bootstrapping should:
|
| LDIF -to-LDAP | None |
| LDAP-to-LDAP | Same as LDAP-to-LDIF |
For initial bootstrapping, you should perform the following steps:
Generate a dump of the entries in the connected directory to an LDIF file using a proprietary tool on the connected directory server.
Configure the properties file so that entries are created in Oracle Internet Directory using the LDIF-to-LDAP approach.
The OID Database Password Utility is used to:
Change the password to the Oracle Internet Directory database.
Oracle Internet Directory uses a password when connecting to an Oracle database. The default for this password matches the value you specified during installation for the Oracle Application Server administrator's password. You can change this password by using the OID Database Password Utility.
Create a wallet named oidpwdlldap1 for the Oracle Internet Directory database password, and a wallet, named oidpwdrsid, for the Oracle directory replication server password.
The sid is obtained not from the environment variable SID but from the connected database.
With the create_wallet=true option, you need to provide the ODS password to authenticate yourself to the ODS database before the ODS wallet can be generated. Note that the default ODS password is the same as that for the Oracle Application Server administrator.
Unlock a locked directory superuser account, namely, cn=orcladmin.
The OID Database Password Utility syntax is:
oidpasswd [connect=connect_string ] [change_oiddb_pwd=true |
create_wallet=true current_password=password_for_the_ODS_database_user |
unlock_su_acct=true]
|
Note: To change the ODS database user password, you must use the oidpasswd tool. If you change the ODS database user password by any other means, then Oracle Internet Directory instances fail to start. |
This section contains these topics:
To change the Oracle Internet Directory database password, enter
oidpasswd [connect=connect string ][change_oiddb_pwd=true]
If no options are provided, the tool still changes the Oracle Internet Directory database password.
The OID Database Password Utility prompts you for the current password. Type the current password, then the new password, then a confirmation of the new password.
The OID Database Password Utility assumes by default that the password being changed is that of the local database (as defined by ORACLE_HOME and ORACLE_SID). If you are changing the password on a remote database, you must use the connect=connect_string option.
For example:
$ oidpasswd current password: ods new password: newsupersecret confirm password: newsupersecret password set.
|
Note:
|
To create wallets for the Oracle Internet Directory database password and the directory replication server password, enter:
oidpasswd [connect=connect string] create_wallet=true
The argument create_wallet is mandatory in this case. Except for connect string, no other option can be specified.
To unlock a locked account for the directory super user, cn=orcladmin, enter:
oidpasswd [connect=connect string] unlock_su_acct=true
The argument unlock_su_acct is mandatory. Except for connect string, no other option can be specified.
If you forget the Oracle Internet Directory super user password, you can use the oidpasswd tool to reset it. You must provide the Oracle Internet Directory database password. When you first install Oracle Internet Directory, the super user password and Oracle Internet Directory database password are the same. After installation, however, you can change the Oracle Internet Directory super user password using ldapmodify. You can change the Oracle Internet Directory database password using the oidpasswd tool separately. The syntax for changing the Oracle Internet Directory database password is:
oidpasswd conn=connect_string reset_su_password=true
The oidpasswd tool prompts you for the Oracle Internet Directory database password. For example:
oidpasswd conn=inst1 reset_su_password=true
OID DB user password:
password:
confirm password:
OID super user password reset successfully
|
Note: After you reset the super user password, you must restart the LDAP server to effect the change. |
When an ACP is set with an ACI that has the keyword DenyGroupOverride, neither the Oracle Internet Directory super user nor members of DirectoryAdminGroup can access the subtree under that ACP. If necessary, you can use the oidpasswd tool to reset that ACP so that the subtree is accessible by the Oracle Internet Directory super user. You must provide the Oracle Internet Directory database password. The syntax is:
oidpasswd conn=connect_string manage_su_password=true
The oidpasswd utility prompts you to enter the Oracle Internet Directory database password and to choose which super user restricted ACPs to reset, as shown in the following examples:
oidpasswd conn=inst1 manage_su_acl=true OID DB user password: The super user restricted ACP list [1] o=oracle,c=us [2] ou=personnel,o=oracle,c=us Enter 'resetall' or the number(s) of the ACP to be reset separated by [,] 2 OID super user restriction reset successfully oidpasswd conn=inst1 manage_su_acl=true OID DB user password: The super user restricted ACP list [1] o=oracle,c=us [2] ou=personnel,o=oracle,c=us Enter 'resetall' or the number(s) of the ACP to be reset separated by [,] resetall OID super user restriction reset successfully oidpasswd conn=inst1 manage_su_acl=true OID DB user password: The super user restricted ACP list [1] o=oracle,c=us [2] ou=personnel,o=oracle,c=us Enter 'resetall' or the number(s) of the ACP to be reset separated by [,] 1,3,5 ACP [3] not found in the list ACP [5] not found in the list OID super user restriction reset successfully oidpasswd conn=inst1 manage_su_acl=trueOID DB user password: The super user restricted ACP list[1] ou=personnel,o=oracle,c=usEnter 'resetall' or the number(s) of the ACP to be reset separated by [,]1,resetallOID super user restriction reset successfully
Once you have reset some ACPs so that the super user can access them, you can use ldapmodify to make the subtrees inaccessible to the super user again. A sample LDIF file is shown in the following example:
dn: o=oracle, c=us changetype: modify delete: orclaci orclaci: access to entry AppendToAll by SuperUser (browse,add,delete,proxy) orclaci: access to attr=(*) AppendToAll by SuperUser (search,read,write,compare)
The ldapmodify syntax, with an LDIF file named acl.dat, is:
ldapmodify -p port_number -D cn=orcladmin -w admin_password -f acl.dat
|
Note: After you change the super user's access rights, you must restart the LDAP server to effect the change. |
Use the oidstats.sql tool to analyze the various database ods schema objects to estimate the statistics. It is located in the following directory: $ORACLE_HOME/ldap/admin/. You must run this utility whenever there are significant changes in directory data—including the initial load of data into the directory.
If you load data into the directory by any means other than the bulkload tool (bulkload.sh), then you must run the OID Database Statistics Collection tool after loading. Statistics collection is essential for the Oracle Optimizer to choose an optimal plan in executing the queries corresponding to the LDAP operations. You can run OID Database Statistics Collection tool at any time, without shutting down any of the Oracle Internet Directory daemons.
|
Note: If you do not use the bulkload utility to populate the directory, then you must run the oidstats.sql tool to avoid significant search performance degradation. |
The OID Database Statistics Collection Tool uses this syntax:
sqlplus ods/ods_password@connect_string @oidstats.sql
Use the OID Migration Tool when you are migrating data from application-specific repositories into Oracle Internet Directory. The OID Migration Tool produces an LDIF file, which is suitable for loading into a directory server by using the standard command-line tools. The input to this tool is a pseudo-LDIF file containing substitution variables. The tool is called ldifmigrator and it exists in ORACLE_HOME/bin.
The syntax of the ldifmigrator tool is as follows:
ldifmigrator [options] {parameter_name=value ...}
{s_SubVar=value ... }
Table A-44 describes the command-line parameters used by this tool in further detail:
Table A-44 ldifmigrator Parameters
| Parameter | Mandatory? | Description |
|---|---|---|
Input_file
|
Yes | The file containing the substitution variables |
Output_file
|
Yes | The name of the file to be generated by this tool |
-lookup
|
No | If this flag is specified, then values of certain substitution variables will be obtained from the directory server. Please see the following table for the names of the variables that are specified using host parameters. The host is mandatory when -lookup flag is specified.
|
Host
|
Yes (only in lookup mode) | The directory server name. This parameter is mandatory when -lookup flag is specified.
|
Port
|
No | The port on which the directory server is listening. If not specified the port 389 will be used
|
DN
|
Yes (only in lookup mode) | Bind DN. This is a mandatory parameter when -lookup flag is specified.
|
Password
|
No | Bind password |
Subscriber
|
No | The subscriber whose attributes will be used as substitution variable. If not specified, then the default identity management realm specified in the Root Oracle Context will be used. |
s_SubsVar1.N
|
No | Custom substitution variables specified by the user |
Table A-45 describes a set of pre-defined substitution variables. If it is running in the lookup mode, the OID Migration Tool can automatically determine the values of these variables by looking them up in the Oracle Internet Directory.
Table A-45 Predefined Substitution Variables
| Variable Name | Meaning | How OID Migration Tool Determines the Value for This Variable |
|---|---|---|
| %s_UserContainerDN% | Distinguished name of the entry under which all users are supposed to be added. | This is assigned the value of the attribute: orclCommonUserSearchBase from the entry cn=Common,cn=Products under the realm- specific Oracle context.
|
| %s_GroupContainerDN% | Distinguished name of the entry under which all public groups are supposed to be added. | This is assigned the value of the attribute: orclCommonGroupSearchBase from the entry cn=Common,cn=Products under the realm- specific Oracle context.
|
| %s_UserNicknameAttribute% | The nickname attribute to be used for user entries in the identity management realm. | This is assigned the value of the attribute: orclCommonNicknameAttribute from the entry cn=Common,cn=Products under the realm- specific Oracle context.
|
| %s_SubscriberDN% | Distinguished name of the LDAP entry corresponding to the identity management realm. | If a simple subscriber name is given, the migration tool will resolve it to a DN using the attribute orclSubscriberSearchBase and the orclSubscriberNickNameAttr from the entry cn=Common,cn=Products under the root Oracle context.
|
| %s_SubscriberOracleContextDN% | Distinguished name of the realm-specific Oracle Context. | First the realm DN is computed as described earlier and then the string cn=OracleContext is pre-pended to it.
|
| %s_RootOracleContextDN% | Distinguished name of the Root Oracle Context. | This is currently hard-coded to cn=OracleContext.
|
| %s_CurrentUserDN% | Distinguished name of the User who is loading the LDIF file. This is sometimes required to bootstrap the creation of groups which require at least one member in them. | The migration tool expects this DN to be specified on the command line as part of the authentication information. |
The OID Migration Tool obtains the values of the pre-defined substitution variables only in the lookup mode. Users can override the value of any of the previous variables in the lookup mode by specifying the variable and a different value in the command line. The user can also specify substitution variables other than the ones listed in the following table and their values in the command line.
This section contains these topics:
Consider the input file sample.dat whose contents are as follows:
dn: cn=jdoe, %s_UserContainerDN% sn: Doe %s_UserNicknameAttribute%: jdoe objectClass: inetOrgPerson objectClass: orclUserV2 title: Member of Technical Staff homePhone: 415-584-5670 homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402 ou: %s_UserOrganization%
The following sections describe how the OID Migration Tool can be used to transform the previous template into a valid LDIF ready to be loaded into Oracle Internet Directory.
In this example, the Oracle directory server is present in the environment, and the deployment wants the migration tool to lookup the directory server to figure out certain substitution variables. It will issue the following command:
$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" \
-lookup "host=ldap.acme.com" "subscriber=acme" \
"s_UserOrganization=Development"
On executing this command, the directory server running on ldap.acme.com will be contacted and the following values of the substitution variables for the subscriber acme will be obtained:
| Variable Name | Value Obtained from ldap.acme.com |
|---|---|
| % s_UserContainerDN% | cn=Users,o=acme,dc=com
|
| %s_UserNicknameAttribute% | uid
|
In addition to these variables, the OID Migration Tool also honors the command-line variable called s_UserOrganization and substitutes all occurrences of it with the value Development. In this case the output of the tool stored in sample.ldif is as follows (the substituted values are shown in italics):
dn: cn=jdoe,cn=Users,o=Acme,dc=com sn: Doe uid: jdoe objectClass: inetOrgPerson objectClass: orclUserV2 title: Member of Technical Staff homePhone: 415-584-5670 homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402 ou: Development
The same output as shown in the previous example could have been obtained by specifying all of the values in the command line (without using the -lookup option). The following command-line example describes how one would use the Migration tool without the lookup mode:
$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" \
"s_UserContainerDN=cn=Users,o=Acme,dc=com" \
"s_UserNicknameAttribute=uid" "s_UserOrganization=Development"
In some cases, a deployment would like to use the OID Migration Tool in the lookup mode but would also like to override the values of one or more of the pre-defined substitution variables. This can be done by specifying the override value in the command line. The following command line shows how one can set the UserNickNameAttribute to cn overriding the default of uid:
$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" \
-lookup "host=ldap.acme.com" "subscriber=acme" \
"s_UserOrganization=Development" "s_UserNicknameAttribute=cn"
On executing this command, the directory server running on ldap.acme.com will be contacted and the following values of the substitution variables for the subscriber acme will be obtained.
Table A-46 Substitution Variables for the subscriber "acme"
| Variable Name | Value Obtained from ldap.acme.com |
|---|---|
| % s_UserContainerDN% | cn=Users,o=acme,dc=com |
| %s_UserNicknameAttribute% | uid (this is over-ridden by command-line specification) |
Since s_UserNicknameAttribute is specified on the command line, the OID Migration Tool will ignore the value obtained from the directory and use the value specified in the command line. In addition to these variables, the migration tool will also honor the command-line variable called s_UserOrganization and substitute all occurrences of it with the value Development. In this case the output of the tool stored in sample.ldif will be as follows (the substituted values are shown in italics):
dn: cn=jdoe,cn=Users,o=Acme,dc=com sn: Doe cn: jdoe objectClass: inetOrgPerson objectClass: orclUserV2 title: Member of Technical Staff homePhone: 415-584-5670 homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402 ou: Development
Using the load capability the users of this tool could directly load the data into Oracle Internet Directory. If an entry is already present in the directory then that directory entry will be logged to the file. The addition of the directory entries could fail for other reasons as well, for instance not enough permission to add or parent entry not being present. The command line tool will now take a new option -load, which will load the user information to the directory.
The user migration tool capabilities available in Oracle Application Server 10g Release 2 (10.1.2) are useful only when an older version of the Oracle Application Server component is the only source of truth for all users being migrated to Oracle Internet Directory. However, in a practical deployment, the following scenarios arise:
The users to be migrated have already been defined in Oracle Internet Directory.
More than one distinct application needs to be migrated to Oracle Internet Directory.
To address these requirements, a new option –reconcile, has been added to the user migration tool. This option requires an argument: –reconcile SAFE | SAFE_EXTENDED | NORMAL.
Table A-47 Different Modes for Use of -reconcile
| Optional Arguments | Description |
|---|---|
-reconcile SAFE
|
Verifies the existence of the user entry in the directory |
–reconcile NORMAL
|
Verifies that all the new attributes will be added and those attributes already in the directory will have their values replaced with the new ones |
–reconcile SAFE_EXTENED
|
All the new attributes will be added. However, if you try to add a new value for existing attributes, then it will add it to the existing set of values. |
Example A-1 -reconcile SAFE option.
This option should be used to append only those attributes not already in the directory. In the case of the above user entry, the OID Migration Tool parses this LDIF entry and substitutes the values for s_subscriber_user_base and s_nickname_attr. After this, it retrieves the jsmith entry from the directory. If the directory does not contain an entry for jsmith, then it simply adds this entry for the first time. On the other hand, if the entry already exists with attributes as defined above, then it adds only those attributes not present in directory. In the above case, it adds only homePhone and homePostalAddress.
Now the Jsmith entry in the directory becomes:
dn: cn=jsmith, dc=oracle, dc=com cn: jsmith sn: Smith orclGlobalID: 86A8485163303EBEE034080020AB67AA uid: jsmith objectClass: inetOrgPerson objectClass: orclUser2 title: Member of Technical Staff homePhone: 650-584-5670 homePostalAddress: 232 Gonzalez Drive$ San Francisco$ CA$ 94404
Example A-2 -reconcile NORMAL option.
This option can be used to overwrite attributes present in the directory. In the case of the above user entry, the user migration tool parses this LDIF entry and substitutes the values for s_subscriber_user_base and s_nickname_attr. It then retrieves the jsmith entry from the directory. If the directory does not contain an entry for jsmith, then it simply adds this entry for the first time. On the other hand, if the entry already exists with attributes as defined above, then it adds only those attributes not present in directory. In addition, the attribute already present is deleted and freshly added with a new value. In the above case it will add homePhone and homePostalAddress and replace the attribute value for the attribute title with the new value.
Now the Jsmith entry in the directory becomes:
dn: cn=jsmith, dc=oracle, dc=com cn: jsmith sn: Smith orclGlobalID: 86A8485163303EBEE034080020AB67AA uid: jsmith objectClass: inetOrgPerson objectClass: orclUser2 title: Principle Member of Technical Staff homePhone: 650-584-5670 homePostalAddress: 232 Gonzalez Drive$ San Francisco$ CA$ 94404
Example A-3 -reconcile SAFE_EXTENDED option.
This option can be used when the user would like to add the values to existing attributes. In the case of the above user entry, the user migration tool will parse this LDIF entry and substitute the values for s_subscriber_user_base and s_nickname_attr. After this, the tool will retrieve the jsmith entry from the directory. If the directory does not contain an entry for jsmith then it would simply add this entry for the first time. On the other hand if the entry already exists with attributes as defined above then it will add the attributes homePhone and homePostalAddress and the new value will be added to the existing title attribute.
Now the Jsmith entry in the directory becomes:
dn: cn=jsmith, dc=oracle, dc=com cn: jsmith sn: Smith orclGlobalID: 86A8485163303EBEE034080020AB67AA uid: jsmith objectClass: inetOrgPerson objectClass: orclUser2 title: Member of Technical Staff title: Principle Member of Technical Staff homePhone: 650-584-5670 homePostalAddress: 232 Gonzalez Drive$ San Francisco$ CA$ 94404
Table A-48 -reconcile SAFE Type LDIF Records
| Sno | Entry Changetype | Attribute Changetype | Action |
|---|---|---|---|
| 1 | Add/No Change type | - | Add only new attributes. |
| 2 | Modrdn/Moddn | - | The OID Migration Tool does not support this change type. |
| 3 | Delete | - | Do not delete the entry from the directory. |
| 4 | Modify | add | Add this attribute. If the entry doesn't exist in the directory then ignore the record as invalid. If the attribute does not exist then add this attribute, otherwise ignore. |
| 5 | -do- | replace | If the entry does not contain the attribute then it will be added. Otherwise Ignore change to the attribute, that is, do not apply the change. When the entry is not present in the directory then ignore it as the invalid entry. |
| 6 | -do- | delete | Ignore the change to the attribute, that is, do not apply the change. |
Table A-49 -reconcile NORMAL Type LDIF Records
| Sno | Entry Changetype | Attribute Changetype | Description |
|---|---|---|---|
| 1 | Add/No Change type | - | Adds the attributes that are not populated in the directory and replaces the attributes that are already populated |
| 2 | Modrdn/Moddn | - | The ldifmigrator tool will not support this change type. |
| 3 | Delete | - | Delete the entry from the directory |
| 4 | Modify | add | If entry doesn't contain the attribute then it will be added. When it contains the attribute then replace it with the specified attribute. If the entry doesn't exist in the directory then ignore the record as invalid. |
| 5 | -do- | replace | If entry doesn't contain the attribute then it will be added. When it contains the attribute then replace it with the specified attribute. If the entry itself does not exist in the directory then ignore the record as invalid |
| 6 | -do- | delete | Remove the specified attribute from the directory. |
Table A-50 -reconcile SAFE_EXTENDED type LDIF records
| Sno | Entry Changetype | Attribute Changetype | Description |
|---|---|---|---|
| 1 | Add/No Change type | - | Add only new attributes. If the entry does not exist then create a new entry. |
| 2 | Modrdn/Moddn | - | The ldifmigrator tool will not support this change type. |
| 3 | Delete | - | Do not delete the entry from the directory. |
| 4 | Modify | add | Add this attribute. If the entry doesn't exist in the directory then ignore the record as invalid. If the attribute does not exist then add this attribute, otherwise add the new values to the directory. |
| 5 | -do- | replace | If the entry does not contain the attribute then it will be added. Otherwise Ignore change to the attribute, that is, do not apply the change. When the entry is not present in the directory then ignore it as the invalid entry. |
| 6 | -do- | delete | Ignore the change to the attribute, that is, do not apply the change. |
The OID Migration Tool can display these error messages:
Table A-51 Error Messages of OID Migration Tool
| Message | Reason | Remedial Action |
|---|---|---|
| Environment variable ORACLE_HOME not defined | ORACLE_HOME is not defined. | Set the environment variable ORACLE_HOME |
| Error while parsing the input parameters. Please verify | Not all the required parameters are provided. The required parameters are Input_File, Output_File and at least one substitution variable | Specify the input parameters properly. Use the -help option to print the usage.
|
| Input_File parameter not specified. Please specify | Input_File parameter is a mandatory parameter. | Specify the input parameters properly. Use the -help option to print the usage.
|
| Output_File parameter not specified. Please specify | Output_File parameter is a mandatory parameter. | Specify the input parameters properly. Use the -help option to print the usage.
|
| The specified input file does not exist | The specified file location is invalid. | Check the input file path |
| Check the input file. Zero byte input file | The input file does not contain any entries. | Provide a valid file with pseudo LDIF entries |
| Cannot create the output file. Output file already exists | The output file already exists | Check the Output_File flag |
| Access denied, cannot read from the input file | The specified input file does not have read permission | Check the read permission of the input file. |
| Access denied, cannot create the output file | You do not have permission to create the output file. | Check the permission of the directory under which the output file needs to be created. |
| Directory server name not specified. When -lookup option is used the host parameter should be specified | When the -lookup option is specified, the host parameter is mandatory.
|
Specify the host parameter. |
| Bind Dn parameter name not specified. When -lookup option is used the dn parameter should be specified | When the -lookup option is specified, the DN parameter is mandatory.
|
Specify the DN parameter. |
| The port number specified is invalid | The port number should be a numeric value. | Check the port number parameter |
| Unable to establish connection to directory. Please verify the input parameters: host, port, dn & password | The directory server may not be running on the specified host and port, or credentials may be invalid. | Check the host, port, DN and password parameters. Check $ORACLE_HOME/ldap/install/LDIFMig_YYYY_MM_DD_HH_SS.log file.
|
| Naming exception occurred while retrieving the subscriber information from the directory. Please verify the input parameters | The specified identity management realm does not exist in the directory | Check the realm parameter |
| Not all the substitution variables are defined in the directory server specified | If the identity management realm entry does not contain the required attributes, then this error occurs. | Check the realm entry in the directory |
| Error occurred while migrating LDIF data to Oracle Internet Directory | This might occur if something goes wrong in the middle of a process—for example, a failure of the directory server or disk. | Report the error message to the administrator |
When an error condition occurs, the log messages are logged to this file: ORACLE_HOME/ldap/install/LDIFMig_YYYY_MM_DD_HH_SS.log.
During installation, the Oracle Internet Directory Configuration Assistant configures Oracle Internet Directory. Once an installation has been completed, you can use it to:
Create, upgrade, and delete an Oracle Context
Configure the file ldap.ora that is used to discover the Oracle Internet Directory server in the environment
Convert an Oracle Context to an identity management realm
Use the Oracle Internet Directory Configuration Assistant with Enterprise User Security and Oracle Net Services features under these conditions:
Table A-52 Conditions for Using Oracle Internet Directory Configuration Assistant for Specific Database Components
| Component | Conditions |
|---|---|
| Enterprise User Security | Enterprise User Security works only with identity management realms created in this release. If you have Oracle Contexts used in prior releases, then you must use the Oracle Internet Directory Configuration Assistant to convert them to identity management realms.
Use Oracle Internet Directory Configuration Assistant when creating or updating the |
| Oracle Net Services | Use Oracle Internet Directory Configuration Assistant when:
|
This section contains these topics:
The Oracle Internet Directory Configuration Assistant syntax is:
oidca oidhost=host
nonsslport=port |
sslport=SSL Port
dn=binddn
pwd=bindpwd
propfile=properties file
Table A-53 lists and describes the parameters for Oracle Internet Directory Configuration Assistant.
Table A-53 Parameters of Oracle Internet Directory Configuration Assistant
| Parameter | Description |
|---|---|
oidhost
|
Oracle directory server. The default is localhost.
|
nonsslport
|
Oracle directory server port. The default is 389.
|
sslport
|
Oracle directory server SSL port; default is 636
|
dn
|
Oracle Internet Directory user—for example, cn=orcladmin
|
pwd
|
Oracle Internet Directory user password |
| propfile | File containing a list of properties to determine the mode of operation and the required operation-specific parameters |
To create an Oracle Context, use the following syntax:
oidca oidhost=host nonsslport=port dn=binddn pwd=bindpwd mode=CREATECTX contextdn=Oracle_Context_DN
Table A-54 lists and describes the parameters for creating an Oracle Context.
Table A-54 Parameters for Creating an Oracle Context
| Parameter | Description |
|---|---|
oidhost
|
Oracle directory server. The default is localhost.
|
nonsslport
|
Oracle directory server port. The default is 389.
|
sslport
|
Oracle directory server SSL port; default is 636
|
dn
|
Oracle Internet Directory user—for example, cn=orcladmin
|
pwd
|
Oracle Internet Directory user password |
mode
|
Mode of the Oracle Internet Directory Configuration Assistant. Always set to CREATECTX.
|
contextdn
|
DN under which OracleContext must be created—for example, dc=acme,dc=com
|
Note the following:
The contextdn must exist for this operation to be successful.
The following valid DN should not exist in Oracle Internet Directory: cn=oraclecontext,dc=acme,dc=com.
The following valid DN must exist in Oracle Internet Directory: dc=acme,dc=com.
The parameters mode and contextdn can also be passed as a properties file.
To perform the operation by using the non-SSL mode, specify the parameter nonsslport=port.
To perform the operation by using SSL mode, specify the parameter sslport=sslport.
Specify either the nonsslport parameter or the sslport parameter but not both.
When creating an Oracle Context, Oracle Internet Directory Configuration Assistant does the following:
It verifies that the contextdn has valid DN syntax and that OracleContext exists in Oracle Internet Directory. Oracle Internet Directory Configuration Assistant cannot upgrade a root Oracle Context explicitly. If there is no root Oracle Context, then Oracle Internet Directory Configuration Assistant sends an error message.
If OracleContext exists under contextdn, then Oracle Internet Directory Configuration Assistant verifies the following:
The OracleContext belongs to a realm. If OracleContext does belong to a realm, then Oracle Internet Directory Configuration Assistant exits with the appropriate message.
|
Note: You cannot upgradeOracleContext instances that belong to a realm.
|
The OracleContext is up-to-date.
If the OracleContext exists but is an older version, then Oracle Internet Directory Configuration Assistant exits with the following message: "Oracle Context already exists and is of an older version".
If the OracleContext does not exist, then Oracle Internet Directory Configuration Assistant creates the OracleContext under this DN.
To upgrade an OracleContext instance, use the following syntax:
oidca oidhost=host nonsslport=port sslport=SSL Port dn=binddn pwd=bindpwd mode=UPGRADECTX contextdn=OracleContext_DN
Table A-55 Parameters for Upgrading an Oracle Context
| Parameter | Description |
|---|---|
oidhost
|
Oracle directory server. The default is localhost.
|
nonsslport
|
Oracle directory server port. The default is 389.
|
sslport
|
Oracle directory server SSL port; default is 636
|
dn
|
Oracle Internet Directory user—for example, cn=orcladmin
|
pwd
|
Oracle Internet Directory user password |
mode
|
Mode of the Oracle Internet Directory Configuration Assistant. Always set to UPGRADECTX. |
contextdn
|
DN under which OracleContext must be created—for example, dc=acme,dc=com
|
Note the following:
The contextdn must contain an OracleContext for this operation to be successful.
The DNs cn=oraclecontext, dc=acme,dc=com and dc=acme,dc=com are both valid.
The parameters mode and contextdn can also be passed as a properties file.
To perform the operation using a non-SSL mode, specify the parameter nonsslport=port.
To perform the operation using SSL mode, specify the parameter sslport=sslport.
Specify either the nonsslport parameter or the sslport parameter, but not both.
When upgrading an Oracle Context, Oracle Internet Directory Configuration Assistant does the following:
It verifies that the contextdn has a valid DN syntax and that OracleContext exists in Oracle Internet Directory. The Assistant cannot upgrade a root OracleContext explicitly. If there is no root OracleContext, then the Assistant sends an error message.
If OracleContext exists under contextdn, then Oracle Internet Directory Configuration Assistant verifies that OracleContext belongs to a realm.
If OracleContext belongs to a realm, then Oracle Internet Directory Configuration Assistant exits with the appropriate message.
|
Note: You cannot upgradeOracleContext instances that belong to a realm.
|
The Assistant verifies that the OracleContext is up-to-date.
If the OracleContext is up-to-date, then the Assistant exits with the message "Oracle Context already exists and is up to date."
If the OracleContext is not up-to-date, then the Assistant upgrades the OracleContext under this DN.
To delete an Oracle Context, use the following syntax:
oidca oidhost=host nonsslport=port sslport=SSL Port dn=binddn pwd=bindpwd mode=DELETECTX contextdn=OracleContext_DN
Table A-56 Parameters for Deleting an Oracle Context
| Parameter | Description |
|---|---|
oidhost
|
Oracle directory server. The default is localhost.
|
nonsslport
|
Oracle directory server port. The default is 389.
|
sslport
|
Oracle directory server SSL port; default is 636
|
dn
|
Oracle Internet Directory user—for example, cn=orcladmin
|
pwd
|
Oracle Internet Directory user password |
mode
|
Mode of the Oracle Internet Directory Configuration Assistant. Always set to DELETECTX. |
contextdn
|
DN under which OracleContext must be created—for example, dc=acme,dc=com
|
Note the following:
The contextdn must contain an OracleContext for this operation to be successful.
The DNs cn=oraclecontext, dc=acme,dc=com and dc=acme,dc=com are both valid.
The parameters mode and contextdn can also be passed as a properties file.
To perform the operation using a non-SSL mode, specify the parameter nonsslport=port.
To perform the operation by using the SSL mode, specify the parameter sslport=sslport.
Specify either the nonsslport parameter or the sslport parameter, but not both.
When deleting an Oracle Context, Oracle Internet Directory Configuration Assistant does the following:
It verifies that the contextdn has a valid DN syntax and that OracleContext exists in Oracle Internet Directory.
If OracleContext exists under contextdn, then Oracle Internet Directory Configuration Assistant verifies that OracleContext belongs to a realm.
If OracleContext belongs to a realm, then Oracle Internet Directory Configuration Assistant exits with the appropriate message.
|
Note: You cannot deleteOracleContext instances that belong to a realm.
|
If OracleContext does not belong to a realm, then Oracle Internet Directory Configuration Assistant deletes it.
To configure the ldap.ora file, use the following syntax:
oidca oidhost=host nonsslport=port sslport=ssl_port adminctx=administrative_context mode=LDAPORA dirtype=OID | AD -update
Table A-57 Parameters for Configuring the ldap.ora File
| Parameter | Description |
|---|---|
oidhost
|
Oracle directory server. The default is localhost.
|
nonsslport
|
Oracle directory server port. The default is 389.
|
sslport
|
Oracle directory server SSL port; default is 636
|
mode
|
Mode of the Oracle Internet Directory Configuration Assistant. Always set to LDAPORA. |
| dirtype | Directory type. Possible values are OID and AD. This attribute is mandatory.
|
| adminctx | Default administrative context—for example, dc=acme,dc=com.
|
| -update | To overwrite an existing ldap.ora file, specify this flag. To create an ldap.ora file, leave this flag unspecified.
|
Note the following:
Either the non-SSL port or the SSL port must be specified. The other port is discovered.
The parameters mode, dirtype, and adminctx can also be passed in within a properties file.
When configuring the ldap.ora file, the Oracle Internet Directory Configuration Assistant does the following:
Using the discovery API, the Assistant determines all the parameters not specified on the command line.
The Assistant checks for the ldap.ora location by using the discovery APIs.
If ldap.ora exists and the -update parameter is specified, then the Assistant exits with the message "ldap.ora exists".
If ldap.ora exists and the -update parameter is not specified, then the Assistant updates the existing ldap.ora file by using the discovery API.
If ldap.ora does not exist, then the Assistant creates a new ldap.ora file in a location in the following order:
LDAP_ADMIN
$ORACLE_HOME/ldap/admin
Oracle Database 10g entries must be stored in Oracle Internet Directory Release 9.0.4. Moreover, Enterprise User Security, a feature of Oracle Database 10g, requires Release 9.0.4 version of an identity management realm.
To convert an existing OracleContext to an identity management realm, use the following syntax:
oidca oidhost=host nonsslport=port sslport=SSL Port dn=binddn pwd=bindpwd mode=CTXTOIMR contextdn=OracleContext_DN
Table A-58 lists and describes the parameters.
Table A-58 Parameters for Converting an Oracle Context to an Identity Management Realm
| Parameter | Description |
|---|---|
oidhost
|
Oracle directory server. The default is localhost.
|
nonsslport
|
Oracle directory server port. The default is 389.
|
sslport
|
Oracle directory server SSL port; default is 636
|
dn
|
Oracle Internet Directory user—for example, cn=orcladmin
|
pwd
|
Oracle Internet Directory user password |
mode
|
Mode of the Oracle Internet Directory Configuration Assistant. Always set to CTXTOIMR.
|
contextdn
|
DN under which OracleContext must be created—for example, dc=acme,dc=com
|
The contextdn must contain an OracleContext for this operation to be successful.
The DNs cn=oraclecontext, dc=acme,dc=com and dc=acme,dc=com are both valid.
The parameters mode and contextdn can also be passed as a properties file.
To perform the operation using a non-SSL mode, specify the parameter nonsslport=port.
To perform the operation using SSL mode, specify the parameter sslport=sslport.
Specify either the nonsslport parameter or the sslport parameter, but not both.
When Oracle Internet Directory Configuration Assistant converts an Oracle Context to an identity management realm, it verifies that:
The contextdn has a valid DN syntax
The contextdn contains a valid OracleContext.
|
Note:
|
