Basic Examples
From My System
Synchronization
Ods_process
ldapbinds
ldapmodify examples
  Sample change to configset
  Sample remove all objectclasses, and create mailgroup
  Sample with multiple types of things to add
ldapadd examples
ldapdelete examples
ldifwrite examples
oidpasswd
ldapsearch examples
  To get a list of object classes and attributes
  To get root DSE / DSA Config
  To dump the indexed attributes
  To dump the ACIs
  To get a list of DNs in some container
  To get the number of members of a group
  To get a list of groups a user is a member of
  To dump a configset
  To dump running instances
  To dump the Integration Server configset
  To dump a profile
  To get the profile details from the db
  To verify that AD admin can read the 'container' of directory entries to be synched
  To dump the changelog entries
  To dump a provisioning profile
  To dump all Integration profiles, including Provisioning (but not OCS)
  To dump replication configset info
  To dump replication configuration info
  To dump the replication agreement
  To dump plug-in info
  To dump one user
  To dump all AD users
  To dump a subtree
  To get a list of users with recently changed password
  To dump tnsnames info
  To get the OID version
  HOW TO GET FIVE-DIGIT VERSION NUMBER, INCLUDING PATCH SETS ON A RUNNING OID
  HOW TO GET THE VERSION WHEN THE OIDLDAPD WILL NOT START
You can omit parameters that have defaults, such as -p (and therefore flags), if the server is on port 389.
In the oidmon command, you can omit the 'connect' parameter if there is just one $ORACLE_HOME on that box.
There is also a -h <hostname> option for oidmon if you want to start on another box.
Basic Examples
oidldapd: serverid=2
odisrv: serverid=7
oidrelpd: serverid=4
9.0.4: If you start OID from the command line then OPMN will not be able to manage the process.
opmnctl startall
- starts all components that are managed by opmn (OID, http server, OC4J containers)
opmnctl status
opmnctl startproc ias-component=OID
opmnctl status
opmnctl stopproc ias-component=OID
opmnctl startproc process-type=OC4J_SECURITY (must be upper case)
NOTE: With 10.1.2.0.2 the default maximum size for the aud/trc files is 10MB. When this size limit is reached, a backup of the files is created and a new empty .trc/.aud file is used. The size parameter is configurable.
RAC:
oidctl connect=iasdb host=<virtual_host> server=odisrv instance=1 config=1 flags="host=<virtual_host>" start
10.1.2 IM 2-node replicating cluster with shared db:
oidctl connect=iasdb server=odisrv instance=1 config=1 flags="host=<physical_host>" start
9.2:
oidctl connect=oid92i2 server=oidldapd instance=3 configset=1 flags="-p 389 -d 65535" start
9.0.2:
oidctl connect=oid92i2 server=oidldapd instance=3 configset=1 flags="-p 389 -debug 65535" start
non-9.2:
oidctl connect=oid92i2 server=oidldapd instance=3 configset=1 flags="port=389 debug=65535" start
Synchronization
9.2:
oidctl ... server=odisrv config= ... port= debug=
--> NOT configset, NOT oidsrv
oidctl connect=iasdb server=odisrv instance=1 config=1 flags="debug=65535" start
Oracle Internet Directory Administrator's Guide, Release 9.0.1 > 24 Managing the Oracle Directory Integration Server > Starting the Oracle Directory Integration Server, on p.24-8
Portal: If you are running Portal, which requires the DIP server, it uses configset0 by default. This is a hidden configset that you do not see when you look at Integration Servers in ODM. Therefore, the command line to start the DIP for provisioning is:
oidctl connect=<SID> server=odisrv instance=1 start
LDAP: If you then want to set up synchronization, which by default uses configset1 (the one you see under Integration Servers in ODM):
oidctl connect=<SID> server=odisrv instance=2 configset=1 start
Ods_process
sqlplus ods/ods@oid92i2
truncate table ods_process;
ldapbinds
ldapbind -D "cn=orcladmin" -w <orcladmin_pwd> -h <OID_host> -p <OID_port>
ldapbind -D "cn=guest" -w guest -p 4032
ldapbind -D "cn=proxy" -w proxy -p 4032
SASL
ldapbind -D cn=orcladmin -w <passwd> -O "auth" -Y "DIGEST-MD5"
ldapmodify examples
ldapmodify -h irina-laptop -p 389 -D "cn=orcladmin" -w welcome -f newobjectclass.ldif
ldapmodify -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -f newobjectclass.ldif
ldapadd examples
ldapadd -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <orcladmin_pwd> -f objattr.ldif
ldapadd -h irina-laptop -p 389 -D "cn=orcladmin" -w welcome -f newuser.ldif
ldapdelete examples
ldapdelete -h irina-pc2 -p 4032 -D "cn=orcladmin" -w welcome -f createaliases.ldif
ldapdelete -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> "cn=ftarica,cn=users,dc=farmalink,dc=com,dc=ar"
ldifwrite examples
ldifwrite -c oid92 -b "cn=Users,dc=kenn-pc2,dc=com" -f ldifwrite.txt
--> prompts for the ODS password. Ensure Home Selector is set to the OID o_h
ldifwrite -c iasdb -b "cn=infotrac8,ou=gale,ou=Groups,o=thomsonlearning.com" -f infotrac8_`date +%Y%m%d.%H%M`.ldif
This creates a timestamped file, for example: infotrac8_20040401.1204.ldif
oidpasswd
10.1.2:
oidpasswd connect=<OID_db> change_oiddb_pwd=true
oidpasswd connect=<OID_db> create_wallet=true
oidpasswd connect=<OID_db> unlock_su_acct=true
oidpasswd connect=<OID_db> reset_su_password=true
oidpasswd connect=<OID_db> manage_su_acl=true
ldapsearch examples
See Note 237919.1 for other ldapsearches
For a DIT:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -s base -b "cn=users,dc=evan,dc=ocunet" objectclass=* orclaci > aci.txt
To get a list of DNs in some container
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "<container_where_records_are_located>" -s sub "objectclass=*" dn
The resulting list of DNs could then be fed to ldapdelete (-f) to remove all the DNs in this file.
10.1.2.0.2: the undocumented -C option returns a (flat) list of groups an entry belongs to. This option might be pretty slow with 10.1.2.0.2. We made significant performance changes to this option in 10.1.3.
Here's the text from the (not yet accessible) 10.1.3 doc:
___________________________________
-C
Optional. The ldapsearch -C option causes ldapsearch to traverse a hierarchy and report direct memberships. The ldapsearch -C option essentially includes the CONNECT_BY control (2.16.840.1.113894.1.8.3) in the request sent to the client. ldapsearch doesn't have any means to pass values with a control, so it sends the CONNECT_BY control without values. In this case the default values are assumed, that is, the hierarchy-establishing attribute name is obtained from the filter, and the number of levels is 0. Thus, the -C option can only be used for "fetch all containers of a containee" queries, for example, fetch all groups of a user, fetch all employees of a manager and so forth. Also, all levels of the hierarchy are traversed.
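As an added illustration (not from these notes, and not Oracle's code), the following Python resolves what the -C option reports for a "groups of a user" query: every group the entry belongs to at any nesting level, as opposed to the single level a plain (uniquemember=<dn>) search returns. The membership data is constructed, and the function names are my own; a real run would take the uniquemember values from an ldapsearch on the groups container.

```python
"""Added example: resolve direct and nested group membership for an entry,
the same result the ldapsearch -C (CONNECT_BY) option returns when the
hierarchy attribute is taken from a (uniquemember=<dn>) filter."""
from collections import deque

# Constructed sample data: each group DN maps to the DNs listed in its
# uniquemember attribute. Real data would come from an ldapsearch on the
# groups container requesting the uniquemember attribute.
SAMPLE_GROUPS = {
    "cn=dba,cn=groups,dc=example,dc=com": [
        "cn=jdoe,cn=users,dc=example,dc=com",
        "cn=operators,cn=groups,dc=example,dc=com",
    ],
    "cn=operators,cn=groups,dc=example,dc=com": [
        "cn=asmith,cn=users,dc=example,dc=com",
    ],
    "cn=admins,cn=groups,dc=example,dc=com": [
        "cn=dba,cn=groups,dc=example,dc=com",
        "cn=admins,cn=groups,dc=example,dc=com",   # lists itself: a cycle
    ],
    "cn=auditors,cn=groups,dc=example,dc=com": [
        "cn=asmith,cn=users,dc=example,dc=com",
    ],
}


def normalize_dn(dn):
    """DNs compare case-insensitively and spaces after commas are insignificant."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def direct_groups(groups, member_dn):
    """Groups whose uniquemember lists member_dn: one level only, which is what
    a (uniquemember=<dn>) search without -C returns."""
    target = normalize_dn(member_dn)
    return sorted(g for g, members in groups.items()
                  if any(normalize_dn(m) == target for m in members))


def all_groups(groups, member_dn):
    """Groups at every level, i.e. what -C reports: walk from the entry up
    through each containing group until no new group appears. The visited set
    stops cycles (a group that lists itself or one of its ancestors)."""
    seen = set()
    queue = deque([member_dn])
    while queue:
        current = queue.popleft()
        for g in direct_groups(groups, current):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return sorted(seen)


if __name__ == "__main__":
    user = "cn=asmith,cn=users,dc=example,dc=com"
    print("direct:", direct_groups(SAMPLE_GROUPS, user))
    print("all levels:", all_groups(SAMPLE_GROUPS, user))
```

The difference between the two functions is the point of the -C option: asmith is a direct member of only two groups, but through the nesting of operators inside dba and dba inside admins the effective membership is four groups, and it is the effective set that matters when reviewing what an account can actually do.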
To dump a configset
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "cn=configset1,cn=osdldapd,cn=subconfigsubentry" -s sub "objectclass=*" > config1.txt
or all of them:
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=odisrv,cn=subregistrysubentry" -s sub objectclass=* > config.txt
To dump a profile:
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog Subscriber,cn=oracle internet directory" -s sub objectclass=*
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "orclODIPAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog Subscriber,cn=oracle internet directory" -s sub objectclass=* > profile.txt
or all of them:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" objectclass=*
SELECT *
  FROM ct_dn dn, ds_attrstore store
 WHERE dn.entryid = store.entryid
   AND dn.parentdn LIKE 'cn=oracle internet directory,cn=changelog subscriber,%'
   AND store.attrname = 'orcllastappliedchangenumber'
   AND store.entryid IN (SELECT entryid
                           FROM ds_attrstore store1
                          WHERE store1.entryid = store.entryid
                            AND store1.attrname = 'orclsubscriberdisable');
Check the results for the entryid of 'orclodipagentname=ActiveChgImp' and use it in the following query:
SELECT * FROM ds_attrstore WHERE entryid = <value_from_previous_query>;
Run the ldapsearch to obtain the last change number on Active Directory:
For example:
Verify that you can read the 'container' of directory entries you wish to synch:
Verify that you can read an entry within the 'container' of directory entries you wish to synch:
Note: The output of this search shows that you can read the USNCreated and USNChanged attributes.
Verify that you can read the 'container' of directory entries you wish to synch:
For example:
Verify that when you retrieve entries from AD you see the USNCreated and USNChanged attributes:
IF YOU DO NOT SEE THE USNCreated AND USNChanged ATTRIBUTES, STOP. AD SYNC WILL NOT WORK. YOU MUST HAVE YOUR AD ADMINISTRATOR FIX YOUR SYNC ACCOUNT SO THAT IT CAN READ THESE VALUES.
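The two checks above, listing the DNs under a container (the "To get a list of DNs in some container" search) and confirming that every entry read from AD carries uSNCreated and uSNChanged, both start from the LDIF that ldapsearch writes. The following Python is an added example, not part of these notes or of any Oracle tool: it parses that output (folded lines and base64 "dn::" values included), lists the DNs, and reports any entry on which the USN attributes are missing, which is the symptom that the sync account lacks read permission. The LDIF sample is constructed, and the function names are my own.

```python
"""Added example: parse ldapsearch LDIF output and run the two checks from the
notes: extract the DN list, and verify that each AD entry shows uSNCreated and
uSNChanged (if any entry lacks them, AD sync will not work for that account)."""
import base64

# Constructed sample output, as if from
#   ldapsearch ... -b "cn=users,dc=example,dc=com" -s sub "objectclass=*" dn uSNCreated uSNChanged
# The second entry folds a long DN onto a continuation line; the third DN is
# base64-encoded (dn::) because it contains a non-ASCII character; the last
# entry came back without the USN attributes.
SAMPLE_LDIF = """\
dn: cn=jdoe,cn=users,dc=example,dc=com
uSNCreated: 12345
uSNChanged: 12399

dn: cn=a very long common name that wraps,cn=users,dc=example,
 dc=com
uSNCreated: 12350
uSNChanged: 12350

dn:: Y249bcO8bGxlcixjbj11c2VycyxkYz1leGFtcGxlLGRjPWNvbQ==
uSNCreated: 12360
uSNChanged: 12410

dn: cn=svc-sync,cn=users,dc=example,dc=com
cn: svc-sync
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercase attribute name ->
    list of values. Handles folded lines (leading space), base64 values
    ("attr:: ...") and comment lines."""
    entries, current, logical = [], {}, []

    def flush_line(line):
        if not line or line.startswith("#"):
            return
        name, sep, value = line.partition(":")
        if not sep:
            return
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)

    for raw in text.splitlines():
        if raw.startswith(" "):            # continuation of the previous line
            logical.append(raw[1:])
            continue
        flush_line("".join(logical))
        logical = [raw]
        if raw == "" and current:          # blank line ends an entry
            entries.append(current)
            current = {}
    flush_line("".join(logical))
    if current:
        entries.append(current)
    return entries


def list_dns(text):
    """DNs of every entry in the output, in order: the list the notes feed to
    ldapdelete -f, and worth counting before doing so."""
    return [e["dn"][0] for e in parse_ldif(text) if "dn" in e]


def entries_missing_usn(text, required=("usncreated", "usnchanged")):
    """DNs of entries that came back without the USN attributes."""
    return [e["dn"][0] for e in parse_ldif(text)
            if "dn" in e and any(attr not in e for attr in required)]


def check_ad_visibility(text):
    """The go/no-go the notes ask for: True only when every entry shows both
    uSNCreated and uSNChanged."""
    return len(entries_missing_usn(text)) == 0


if __name__ == "__main__":
    for dn in list_dns(SAMPLE_LDIF):
        print(dn)
    missing = entries_missing_usn(SAMPLE_LDIF)
    print("sync account can read USN attributes on all entries:", not missing)
    for dn in missing:
        print("  missing uSNCreated/uSNChanged:", dn)
```

Run it against a saved ldapsearch output (read the file into the argument instead of SAMPLE_LDIF); an empty result from entries_missing_usn on the entries the profile will import is the condition to meet before enabling the synchronization profile.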
HOW TO GET FIVE-DIGIT VERSION NUMBER, INCLUDING PATCH SETS ON A RUNNING OID
ldapsearch -h <OID_host> -p <port> -D "cn=orcladmin" -w <pwd> -b "" -s base objectclass="*" orcldirectoryversion
HOW TO GET THE VERSION WHEN THE OIDLDAPD WILL NOT START...
Default realm:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s base -b "cn=Common,cn=Products,cn=OracleContext,<your_realm>" "(objectclass=orclContainer)"
ldapsearch -p 3060 -D "cn=orcladmin" -w <pwd> -L -s base -b "cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com" "(objectclass=orclContainer)"
For the value of <your_realm> in the 2nd command, use the value returned by the 1st command for the attribute orcldefaultsubscriber.
Root Context:
ldapsearch -h <OID_host> -p <port> -D cn=orcladmin -w <password> -s sub -b "cn=categories,cn=User Configuration,cn=Attribute Configuration,cn=DAS,cn=Products,cn=OracleContext" objectclass=* > dasprofileroot.txt
To get a Portal group:
list the users in the portal dba group:
ldapsearch -h <OID_host> -p 4032 -D cn=orcladmin -w passwd1 -b "cn=DBA,cn=portal_groups,cn=groups,dc=us,dc=oracle,dc=com" -s sub -v objectclass=* uniquemember
NOTE: the policy that is applied is the policy in the default Oracle Context under the subscriber DN if one exists; otherwise the root policy is applied.
Bulkload
Bulkload will by default append the data, but there is also a "-append" option to bulkload which, when specified, behaves like ldapadd with the only difference that it does not generate change logs and does not go through the LDAP server.
- With the default bulkload you have to bring down the LDAP Server, and with the -append option you need to set the OID LDAP Server to a special read/modify mode ('orclservermode' attribute in the root DSE). Hence, if it is only a few entries there is no point in going through all these steps; ldapadd is the better option.
To export/import OID schemas:
EXPORT:
1. create oidexp.dat file containing:
FILE=oid.data
OWNER=ods, odscommon
GRANTS=y
ROWS=y
2. Run command from o_h/bin:
exp system/manager PARFILE=oidexp.dat
IMPORT:
1. Run the following sql scripts:
cd $ORACLE_HOME/ldap/admin/
sqlplus system/manager @ldapxact.sql (drop/create ods, odscommon and role ods_server)
sqlplus system/manager @ldapxsec.sql (create new table/view odsinstance(s))
2. Create oidimp1.dat containing:
FILE=oid.data
FROMUSER=ods
TOUSER=ods
3. Create oidimp2.dat containing:
FILE=oid.data
FROMUSER=odscommon
TOUSER=odscommon
4. Run the following commands:
imp system/manager PARFILE=oidimp1.dat
imp system/manager PARFILE=oidimp2.dat
bulkdelete
You cannot use bulkdelete with -base "". You must delete -base "cn=oraclecontext", then -base "cn=oracleschemaversion", then -base "dc=com" to remove the root level entries one by one.
EXAMPLE:
./bulkdelete.sh -connect oid920 -base "cn=oraclecontext" -size 10
./bulkdelete.sh -connect oid920 -base "cn=oracleschemaversion" -size 10
./bulkdelete.sh -connect oid920 -base "dc=com" -size 10
10.1.2:
bulkdelete.sh -connect <OID_db> -base "<base_dn>" -size <number_of_entries>
From 10.1.4 onwards the debug parameter can be used with all bulk tools.
With 10.1.2 or earlier the debug option is available only with bulkdelete and bulkmodify.
OID/AD Checkpoints
Goal: Enable Active Directory synchronization with OID, including pass-through authentication
Task 1: Verify the Microsoft Active Directory Information to be Configured into the Active Directory Synchronization Profiles
For export, check OID:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "" -s base "objectclass=*" lastchangenumber
For the DirSync approach, the Active Directory user account that the Oracle directory integration and provisioning server uses to access Active Directory must have Domain Administrative permissions, belong to the Domain Administrators group, or be explicitly granted the Replicating Directory Changes permission. In addition to the List Property and List Child Object rights (read access), you will also need to grant the user account that accesses AD the "Replication Change" privilege in order to synchronize the deleted entries. See How to Grant the "Replicating Directory Changes" Permission for the Microsoft Metadirectory Services ADMA Service Account, at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;303972
For the USN-Changed approach, the Active Directory user account that the Oracle directory integration and provisioning server uses to access Active Directory must have "List Content" and "Read Properties" permission on the cn=Deleted Objects container of the given domain. See Deleting Items from Active Directory, at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;230113
In order to set these permissions, you must use the dsacls.exe command that is available with recent versions of Active Directory Application Mode (ADAM). You can download the most recent version of ADAM at http://www.microsoft.com/downloads/.
See also How to let non-administrators view the Active Directory deleted objects container in Windows Server 2003 and in Windows 2000 Server, at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;892806
Task 2: Create the OID structure to support synchronization. For example, you might create:
ou=departments,dc=company,dc=com
ou=users,ou=departments,dc=company,dc=com
dipassistant mp -profile ActiveChgImp -host <OID SERVER HOST NAME> -port 389 -dn cn=orcladmin -passwd <OID USER'S PASSWORD> odip.profile.mapfile=activechange.map
Please enter Active Directory host name: <AD SERVER HOST NAME>
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string: asdb
Please enter ODS password:
Please enter the subscriber common user search base: <USER CONTAINER DN>
Please enter the Plug-in Request Group DN:
Please enter the exception entry property: (&(objectclass=orcluser))
Do you want to setup the backup Active Directory for failover? (y/n) n
Table dropped.
Table created.
Sequence dropped.
Sequence created.
Procedure created.
No errors.
Procedure created.
No errors.
No errors.
No errors.
-------------------------------------------------------------
Done.
-------------------------------------------------------------
[oracle@<OID SERVER HOST NAME> bin]$
Task 8: Bootstrap (bring the initial group of users from AD into OID)
dipassistant bootstrap -port 389 -profile ActiveChgImp -dn cn=orcladmin -passwd <OID USER'S PASSWORD>
Task 9: Start the Synchronization from Microsoft Active Directory to Oracle Internet Directory
dipassistant mp -profile ActiveChgImp odip.profile.status = ENABLE
Password: <OID USER'S PASSWORD>
Task 10: Start the Oracle Directory Integration and Provisioning Server as You Would for Synchronization
oidctl connect=asdb server=odisrv instance=2 configset=1 flags="port=389 debug=63" start
Task 12: Modify the user search base to include the new user containers (modify cn=Common,cn=Products,cn=OracleContext,dc=aci,dc=corp,dc=net)
Optional Task 14: Reregister the ODI server (only necessary if you must reset the password)
odisrvreg -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <orcladmin password>
Optional Task 15: Modify the password policies so that the orcladmin password doesn't expire too quickly
2. Please upload the ldapsearch output for the target entry synchronized from the source.
Ex) ldapsearch -h <oid host> -p <oid port> -D cn=orcladmin -w <password> -b "<target entry dn>" -s base "objectclass=*"
~> ldapsearch -h oiddev1.itcs.northwestern.edu -D "cn=orcladmin" -w "xxxx" -b "ou=people,dc=northwestern,dc=edu" -s base -x "objectclass=*" > OID-people-branch.ldif-09-10
It is not yet clear if you have done the suggested change in the mapping file (changing the objectclass from person to nuperson for the uid attribute) and tested the behaviour.
If you have seen the same problem after the above modification, then please provide the latest profile trace and the mapping file along with the output of the following ldapsearch (assuming that the uid being tested is jlh482):
2) For the LDAP-65 error, give the output of the following ldapsearches (assuming the uid for this test is mji240):
1. If you have never used plug-in debug before, issue this command to set up the table:
sqlplus ods/@oid_db
SQL> @$ORACLE_HOME/ldap/admin/oidspdsu.pls
sqlplus ods/@
truncate table ods.plg_debug_log
exit
SQL> @$ORACLE_HOME/ldap/admin/oidspdon.pls
SQL> @$ORACLE_HOME/ldap/admin/oidspdof.pls