Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) B14082-02
This chapter explains how to view, add, modify, and delete entries. It contains these topics:
See Also: Chapter 2, "Directory Concepts and Architecture" for an overview of directory entries, directory information trees, distinguished names, and relative distinguished names
This section contains these topics:
Viewing Attributes for a Specific Entry by Using Oracle Directory Manager
Managing Entries with Attribute Options by Using Oracle Directory Manager
You can display all entries by using the navigator pane, or search for one or more specific entries by using the Oracle Directory Manager search feature.
To display an entry, in the navigator pane, expand Oracle Internet Directory Servers, then directory server instance, then Entry Management.
The root of the tree is listed first, then the second level, and so forth, moving from left to right. The subtree lists the RDN of each entry in hierarchical order. To see the lower level entries within any subtree, click the plus sign (+) to the left of the parent entry.
To search for a directory entry:
In the navigator pane, expand Oracle Internet Directory Servers, then directory server instance, then Entry Management. The Search fields appear in the right pane.
In the Root of the Search field, enter the DN of the root of your search.
For example, suppose you want to search for an employee who works in the Manufacturing division in the IMC organization in the Americas. The DN of the root of your search would be:
ou=Manufacturing,ou=Americas,o=IMC,c=US
You would therefore type that DN in the Root of the Search text box.
You can also select the root of your search by browsing the directory information tree (DIT). To do this:
Click Browse to the right of the Root of the Search field. The Select Distinguished Name (DN) Path: Tree View dialog box appears.
Click the plus sign (+) next to tree view to display its entries.
Continue navigating to the entry that represents the level you want for the root of your search.
Select that entry, then click OK. The DN for the root of your search appears in the Root of the Search text box in the right pane.
In the Max Results (entries) box, type the maximum number of entries you want your search to retrieve. The default is 200. The directory server retrieves up to the number you set, to a maximum of 1000.
In the Max Search Time (seconds) box, type the maximum number of seconds for the duration of your search. The value you enter here must be at least that of the default, namely, 25. The directory server searches for the amount of time you specify, up to one hour.
In the Search Depth list, select the level in the DIT to which you want to search.
The options are:
Base: Retrieves a particular directory entry. Along with this search depth, you use the search criteria bar to select the attribute objectClass and the filter Present.
One Level: Limits your search to all entries beginning one level down from the root of your search
Subtree: Searches entries within the entire subtree, including the root of your search
In the Search Criteria box, use the lists and text fields on the search criteria bar to focus your search.
From the list at the left end of the search criteria bar, select an attribute of the entry for which you want to search. Because not all attributes are used in every entry, be sure that the attribute you specify actually corresponds to one in the entry for which you are looking. Otherwise, the search will fail.
From the list in the middle of the search criteria bar, select a filter. The options are described in Table A-39.
In the text box at the right end of the search criteria bar, type the value for the attribute you just selected. For example, if the attribute you selected was cn, you could type the particular common name you want to find.
To further refine your search, use the buttons in the Search Criteria box to enhance the search criteria bar. These are described in Table A-40.
Click Search. The results of your search appear in the Distinguished Name box.
See Also: "Viewing Active Server Instance Information" for instructions on setting the number of entries to display in searches, and to set the time limit for searches
Once you have displayed the results of your search, click the entry whose attributes you want to view. An Entry dialog box displays the attributes for that entry.
Some attributes can also be DNs. For example, one attribute for a given employee might be that employee's manager who, in turn, has a DN. In this case, when you display the Entry dialog box for the employee, you would see a Browse button next to the Manager text box. To find information about that manager, click Browse to display the Directory: Entry Management dialog box, then follow the steps mentioned in "Searching for Entries by Using Oracle Directory Manager".
See Also: "Viewing All Directory Attributes by Using Oracle Directory Manager" for instructions about how to view all attributes in the directory
This section tells you how to add entries for users and groups.
Note: When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.
To add or delete entries with Oracle Directory Manager, you must have write access to the parent entry and you must know the DN for the new entry.
To add a new entry:
In the navigator pane, expand each of the following objects in succession: Oracle Internet Directory Servers, directory server instance.
Select Entry Management.
On the toolbar, click Create. The New Entry dialog box appears.
In the Distinguished Name field, type the full DN. You can also click Browse to locate and select the DN of the parent for the entry you want to add. The entry you select appears in the Distinguished Name field. To the left of that parent DN, type the RDN for your new entry, followed by a comma.
To specify an object class for the new entry, next to the Object Classes box, click Add. The Super Class Selector dialog box appears.
Note: You must assign user entries to the inetOrgPerson object class in order for the entries to appear in the Oracle Internet Directory Self-Service Console.
In the Super Class Selector dialog box, select an object class, then click Select. As you select from the object class list, mandatory and optional attributes populate the windows in the tab pages in the lower half of the New Entry dialog box. You must enter values into the mandatory attributes fields. You are not required to enter values into the optional attributes fields.
When you have selected the object classes and provided values for the appropriate attributes, click OK.
You can use Oracle Directory Manager to create a new entry by copying from an existing entry and changing its DN. When you do this, you should also change the attributes, such as name and address, so that they correspond to the new DN. To add an entry, you must have write access to its parent.
Tip: You can find a template for the new DN by looking up other similar entries in the search pane.
To add an entry by copying an existing entry:
In the navigator pane, expand each of the following objects in succession: Oracle Internet Directory Servers, directory server instance.
Select Entry Management.
In the right pane, the search interface appears. Use it to search for an entry that you want to use as a template.
From the entries retrieved, double-click one that you want to use as your template. The Entry dialog box for that entry appears.
In the Entry dialog box, click Create Like. A New Entry: Create Like dialog box appears.
Change critical fields to tailor this entry to the one that you want to create. You must always change the DN and the common name in this operation, or the pane will not save your new entry data. For example, if you create an entry for Henri Latrobe by using the entry for Henri Latour as the template, then you have to change cn=Henri Latour in the DN to cn=Henri Latrobe. You also must change any other attributes that must be unique, such as employee number and telephone number.
Click OK to save your changes.
See Also: The online help for this dialog box for details about adding information into fields
In this example, we create a user named Anne Smith and assign her a password.
Login as the administrator.
In the navigator pane, expand each of the following objects in succession: Oracle Internet Directory Servers, directory server instance.
Select Entry Management.
On the toolbar, click Create. The New Entry dialog box appears.
In the Distinguished Name field, type the full DN. You can also click the Browse button to locate the DN of the parent for this entry, then type the RDN, namely cn=Anne Smith, followed by a comma, to the left of that parent DN.
Note: You cannot use a tilde (~) in a user name.
To the right of the Object Classes box, click Add. The Super Class Selector dialog box appears.
In the Super Class Selector dialog box, select the person object class, then click Select. This returns you to the New Entry dialog box.
In the New Entry dialog box, click the Optional Properties tab, and scroll to the User Password window.
Type the password for Anne Smith.
You can add auxiliary object classes to an existing entry.
You can add optional, but not mandatory, attributes to an object class already in use by entries. If you add optional attributes to an object class already in use, then no special rules apply, and they are added as empty attributes to those entries.
Note: When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.
To modify an entry:
Perform a search for the entry you want to modify as described in "Searching for Entries by Using Oracle Directory Manager".
In the Distinguished Name box of the right pane, select the entry you want to modify.
Click Edit. The Entry dialog box appears.
Modify the appropriate fields, then select the Properties tab page. If you do not see the attributes you want to add or modify, then, at the top of the tab page, select View Properties: All.
In the Properties tab page, modify the values of any editable attributes.
Choose OK.
In this example, we modify the password for the entry we created for Anne Smith in the section "Example: Adding a User Entry by Using Oracle Directory Manager".
Perform a search for the Anne Smith entry.
In the right pane, in the Distinguished Name box, select the entry for Anne Smith.
Click Edit.
In the Entry dialog box, scroll to the User Password window and modify the value.
Click OK.
This section tells you how to add, modify, and delete attribute options.
See Also: "Searching for Entries by Using Oracle Directory Manager" for instructions on searching for entries with attribute options
Note: In Oracle Internet Directory 10g Release 2 (10.1.2), Oracle Directory Manager does not allow you to add an attribute option to an entry when you create the entry. You can use Oracle Directory Manager to add attribute options only to already existing entries.
To add an attribute option to an existing entry:
In the navigator pane, expand each of the following objects in succession: Oracle Internet Directory Servers, directory server instance, and Entry Management.
Select the entry to which you want to add an attribute option. The corresponding tab pages appear in the right pane.
In the right pane, in the Properties tab page, in the View Properties field, select Advanced. The Properties tab page changes accordingly.
In the Attribute field, select the attribute to which you want to add the option, for example, ou.
In the Attribute Options field, enter the attribute option, for example, lang-en.
In the Attribute Value field, enter the value of the attribute option you just specified, for example, Server Technologies. To add more than one attribute value for the specified attribute option, separate the values by using a semicolon.
Click Apply.
To modify an attribute option:
In the navigator pane, expand each of the following objects in succession: Oracle Internet Directory Servers, directory server instance, and Entry Management.
Select the entry whose attribute option you want to modify. The corresponding tab pages appear in the right pane.
In the Properties tab page, in the View Properties field, select either Only Non-null Values or All.
Scroll to the field containing the attribute option you want to modify.
Modify the value in the field.
Click Apply.
To delete an attribute option:
In the navigator pane, expand each of the following objects in succession: Oracle Internet Directory Servers, directory server instance, and Entry Management.
Select the entry from which you want to delete an attribute option. The corresponding tab pages appear in the right pane.
In the Properties tab page, in the View Properties field, select either Only Non-null Values or All.
Scroll to the field containing the attribute option you want to delete.
Delete the value in the field.
Click Apply.
This section points you to the command-line tools you can use in managing entries. It also provides several examples of entry management by using command-line tools. It contains these topics:
Table 6-1 lists each of the command-line tools for managing entries, and tells you where to find syntax and usage notes for each one.
Table 6-1 Command-Line Tools for Managing Entries

Tool | Task(s) | Syntax and Usage Notes |
---|---|---|
ldapadd | Add entries one at a time. | The "ldapadd" command-line tool reference in Oracle Identity Management User Reference |
ldapaddmt | Add several entries concurrently by using this shared server tool. | The "ldapaddmt" command-line tool reference in Oracle Identity Management User Reference |
ldapbind | Authenticate a user or client to a directory server. Verify that you can connect a client to a server. | The "ldapbind" command-line tool reference in Oracle Identity Management User Reference |
ldapcompare | Compare attribute values you specify with those in a directory entry. | The "ldapcompare" command-line tool reference in Oracle Identity Management User Reference |
ldapdelete | Delete entries. | The "ldapdelete" command-line tool reference in Oracle Identity Management User Reference |
ldapmoddn | Modify the DN or RDN of an entry. Rename an entry or a subtree. Move an entry or a subtree under a new parent. | The "ldapmoddn" command-line tool reference in Oracle Identity Management User Reference |
ldapmodify | Create, update, and delete attribute data for an entry. | The "ldapmodify" command-line tool reference in Oracle Identity Management User Reference |
ldapmodifymt | Modify several entries concurrently by using this shared server tool. | The "ldapmodifymt" command-line tool reference in Oracle Identity Management User Reference |
ldapsearch | Search for directory entries. | The "ldapsearch" command-line tool reference in Oracle Identity Management User Reference |
The following example shows an LDIF file, named entry.ldif, for the entry for an employee named John:

```ldif
dn: cn=john, c=us
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: john
cn;lang-fr: Jean
cn;lang-en-us: John
sn: Doe
jpegPhoto: /photo/john.jpg
userpassword: welcome
```

This file contains the cn, sn, jpegPhoto, and userpassword attributes.
For the cn attribute, it specifies two options: cn;lang-fr and cn;lang-en-us. These options return the common name in either French or American English.
For the jpegPhoto attribute, it specifies the path and file name of the corresponding JPEG image you want to include as an entry attribute.
The following example changes the password for a user named Audrey from welcome to audreyspassword. As in the previous example, the data for this user entry is in the entry.ldif file. This file contains the following:

```ldif
dn: cn=audrey,c=us
changetype: modify
replace: userpassword
userpassword: audreyspassword
```

Issue this command to apply the modification described in the file:

```
ldapmodify -p 389 -v -f entry.ldif
```

where -v specifies verbose mode.
Note: When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.
This section provides examples of how to add and delete attribute options, and how to search for entries with attribute options.
Suppose that you were adding the Spanish equivalent of an entry for John, and that the data for this user entry is in the entry.ldif file. This file contains the following:

```ldif
dn: cn=john,c=us
changeType: modify
add: cn;lang-sp
cn;lang-sp: Juan
```

Issue this command to apply the modification described in the file:

```
ldapmodify -p 389 -v -f entry.ldif
```

The following example deletes the cn;lang-fr attribute option from the entry for John. As in the previous example, assume that the data for this user entry is in the entry.ldif file. This file contains the following:

```ldif
dn: cn=john, c=us
changetype: modify
delete: cn;lang-fr
cn;lang-fr: Jean
```

Issue this command to apply the modification described in the file:

```
ldapmodify -p 389 -v -f entry.ldif
```

The following example retrieves entries with common name (cn) attributes that have an option specifying a language code. This particular example retrieves entries in which the common names are in French and begin with the letter R.

```
ldapsearch -p 389 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"
```

Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following search returns no entries:

```
ldapsearch -p 389 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"
```
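The following Python is an added example, not Oracle's code or tooling: it models what the LDIF records in this section do to John's entry. It parses LDIF whose attribute descriptions carry options (cn;lang-fr), applies the add and delete modify records, and runs both searches, showing why a filter on the unset cn;lang-it option matches nothing. The in-memory directory, the filter syntax subset and the literal matching of descriptions are simplifications made here.

```python
from fnmatch import fnmatchcase

# Constructed sample data: the entry.ldif records shown in the text.
ENTRY_LDIF = """\
dn: cn=john, c=us
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: john
cn;lang-fr: Jean
cn;lang-en-us: John
sn: Doe
userpassword: welcome
"""
ADD_SPANISH = "dn: cn=john,c=us\nchangeType: modify\nadd: cn;lang-sp\ncn;lang-sp: Juan\n"
DELETE_FRENCH = "dn: cn=john, c=us\nchangetype: modify\ndelete: cn;lang-fr\ncn;lang-fr: Jean\n"

def norm_dn(dn):
    """Normalise a DN for comparison: strip spaces around RDN separators, fold case."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Parse LDIF records; descriptions such as cn;lang-fr are kept whole as the key.
    Records carry 'attrs' {description: [values]} (add) or 'ops' [(op, description, values)] (modify)."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":     # blank line: record boundary; "-": end of a modify op
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            rec = {"dn": norm_dn(value), "changetype": "add", "attrs": {}, "ops": []}
            records.append(rec)
        elif key == "changetype":
            rec["changetype"] = value.lower()
        elif rec["changetype"] == "modify" and key in ("add", "delete", "replace"):
            rec["ops"].append((key, value.lower(), []))
        elif rec["changetype"] == "modify":
            if not rec["ops"] or key != rec["ops"][-1][1]:
                raise ValueError("value line does not match the current modify op: %r" % line)
            rec["ops"][-1][2].append(value)
        else:
            rec["attrs"].setdefault(key, []).append(value)
    return records

def load_directory(text):
    """Build an in-memory directory {dn: {description: [values]}} from add records."""
    return {r["dn"]: r["attrs"] for r in parse_ldif(text) if r["changetype"] == "add"}

def apply_modify(directory, rec):
    """Apply one changetype: modify record (add / replace / delete ops) in place."""
    entry = directory[rec["dn"]]
    for op, attr, values in rec["ops"]:
        if op == "add":
            entry.setdefault(attr, []).extend(values)
        elif op == "replace":
            entry[attr] = list(values)
        elif op == "delete":
            # With values, delete just those; without values, delete the whole description.
            remaining = [v for v in entry.get(attr, []) if values and v not in values]
            if remaining:
                entry[attr] = remaining
            else:
                entry.pop(attr, None)   # removing the last value removes cn;lang-fr itself
    return entry

def search(directory, base_dn, filt):
    """Subtree search with one equality/substring filter, e.g. 'cn;lang-fr=R*'.
    Simplification: the description is matched literally, so 'cn;lang-it=Giovanni'
    finds nothing when the entry has no cn;lang-it value, as the text describes."""
    attr, _, pattern = filt.strip("()").partition("=")
    attr, base = attr.strip().lower(), norm_dn(base_dn)
    return sorted(dn for dn, entry in directory.items()
                  if (dn == base or dn.endswith("," + base))
                  and any(fnmatchcase(v.lower(), pattern.lower()) for v in entry.get(attr, [])))
```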
This section lists and describes some of the more common tasks you perform with bulk tools.
This section contains these topics:
Deleting a Large Number of Entries
Note: If you do not use the bulkload utility to populate the directory, then you must run the oidstats.sql tool to avoid significant search performance degradation.
To import an LDIF file, you use the bulkload utility. This section discusses the tasks to process an LDIF file through bulkload.
This section contains these topics:
Before you import the file, back up the Oracle database server as a safety precaution.
See Also: Oracle Database Backup and Recovery Basics in the Oracle Database Documentation Library
To use bulkload and the other shell script tools whose commands end with .sh, you must provide the Oracle Internet Directory password. The default password is ods, although the system administrator can change it by using the OID Database Password Utility.
On UNIX, the bulkload.sh file usually resides in $ORACLE_HOME/ldap/bin. On Microsoft Windows, this file usually resides in ORACLE_HOME\ldap\bin.
Check the input file by typing:

```
bulkload.sh -connect connect_string -check path_to_ldif-file_name
```

All schema violations are reported in $ORACLE_HOME/ldap/log/schemacheck.log.
If any violations are detected in the input file, use an ASCII text file editor to fix or remove them. If there are any duplicate entries, their DNs are logged in $ORACLE_HOME/ldap/log/duplicate.log.
After you have fixed any errors in the input file, rerun bulkload with the -generate option as shown in the following example. During this step, LDIF data is converted to SQL*Loader specific format.

```
bulkload.sh -connect connect_string -generate ldif-file_name
```

All loading errors are reported in $ORACLE_HOME/ldap/log.
When this command completes successfully, it generates *.dat files in the $ORACLE_HOME/ldap/load directory to be used by SQL*Loader in -load mode. Do not modify these files.
After you have generated the input files, rerun bulkload with the -load option. During this step, the *.dat files, which are in Oracle SQL*Loader specific format, are loaded into the database and the attribute indexes are created. The syntax is:

```
bulkload.sh -connect connect_string -load
```
Converting directory data to LDIF by using LDIF Writer makes the data available for loading into a new node in a replicated directory or into another node for backup storage.
The bulkmodify utility enables you to modify a large number of existing entries efficiently.
A knowledge reference, also called a referral, is represented in the directory as a particular type of entry. When you create a knowledge reference entry, you associate it with the referral object class and the extensibleObject object class. Typically, you create knowledge reference entries at the place in the DIT where you want to establish the partition.
A knowledge reference provides users with a referral containing an LDAP URL. You enter these URLs as values for the ref attribute. There can be multiple ref attributes specified for any knowledge reference entry. Similarly, there can be multiple knowledge reference entries in the DIT.
See Also: "Directory Partitioning" for an overview of knowledge references and a description of a smart knowledge reference and a default knowledge reference
This section contains these topics:
A search result can contain regular entries along with knowledge references. When a user performs a search operation, Oracle Internet Directory looks for the knowledge reference entry within the specified scope of the search. If it finds the knowledge reference, then Oracle Internet Directory returns a referral to the client.
If a user performs an add, delete, or modify operation on an entry located below the knowledge reference entry, then Oracle Internet Directory returns the referral.
For example, suppose you want to partition the DIT based on the geographical location of the directory servers. In this example, assume that:
The c=us naming context is held locally on Server A and Server B in the United States.
The c=uk naming context is held locally on Server C and Server D in the United Kingdom.
In this case, you would configure knowledge references between these two naming contexts as follows:
On Server A in the United States, configure a knowledge reference for the c=uk object on Server C and Server D:

```ldif
dn: c=uk
c: uk
ref: ldap://host C:389/c=uk
ref: ldap://host D:686/c=uk
objectclass: top
objectclass: referral
objectClass: extensibleObject
```

Configure a similar knowledge reference on Server C in the United Kingdom for the c=us object on Server A and Server B:

```ldif
dn: c=us
c: us
ref: ldap://host A:4000/c=us
ref: ldap://host B:5000/c=us
objectclass: top
objectclass: referral
objectClass: extensibleObject
```
Results:
A client querying Server A with base o=foo,c=uk receives a referral.
A client querying Server C with base o=foo,c=us receives a referral.
An add operation of o=foo,c=uk on either Server A or Server B fails. Instead, Oracle Internet Directory returns a referral.
Oracle Internet Directory uses the namingcontext attribute in the DSE to determine every directory naming context held locally by the server. Be sure that the namingContext attribute correctly reflects the naming context information.
You specify default referrals by entering a value for the ref attribute in the DSE entry. If the ref attribute is not in the DSE entry, then no default referral is returned.
When configuring a default referral, do not specify the DN in the LDAP URL.
For example, suppose that the DSE entry on Server A contains the following namingContext value:

```
namingcontext: c=us
```

Further, suppose that the default referral is:

```
Ref: ldap://host PQR:389
```

Now, suppose that a user enters an operation on Server A that has a base DN in the naming context c=canada, for example:

```
ou=marketing,o=foo,c=canada
```

This user would receive a referral to the host PQR. This is because Server A does not hold the c=canada base DN, and the namingcontext attribute in its DSE does not hold the value c=canada.
Referral caching is the process of storing referral information so that it can be easily accessed again and again. Suppose that a client queries Server A, which returns a referral to Server B. The client chases this referral and contacts Server B which performs the operation and returns the results to the client. Without referral caching, the next time the client makes the same query to Server A, the entire procedure is repeated, an unnecessary consumption of time and system resources.
However, if the referral information can be cached, then, in each subsequent query, the referral information can be obtained from cache and Server B can be contacted directly. This speeds up the operation.
Client-side referral caching enables each client to cache this referral information and use it to speed up referral processing.
Referral entries are stored in a configuration file on the client. When a client establishes a session, it reads the referral information from this configuration file and stores them in a cache. This cache remains static, with no further updates being added during the session. From this point on, for every operation, the client looks up referral information in the cache.
The directory administrator prepares this configuration file for clients to use.
Note: The configuration file is optional for clients. If a file is not present, then client operations involving referrals still behave correctly. Thus it is not mandatory for the administrator to prepare this file. The advantage of using the configuration file is that it speeds up the client/server operations involving referrals.
The configuration file consists of one or more referral sets. Each referral set consists of:
The host name where a particular directory server is running
One or more referral entries residing on that server
Each referral entry consists of a sequence of lines, each of which corresponds to one referral URL. The line separator is CR LF or LF.
```
ref_file         = ref_file_content
ref_file_content = 1*(referral_set)
referral_set     = hostname SEP ref_entry_set SEP
ref_entry_set    = ref_entry *(SEP ref_entry)
ref_entry        = 1*(referralurl SEP)
SEP              = CR LF / LF
CR               = 0x0D
LF               = 0x0A
```
For example, consider two referral entries in a directory server running on host serverX:

```ldif
dn: dc=acme, dc=com
ref: ldap://serverA:389/dc=acme, dc=com
ref: ldap://serverB:389/dc=acme, dc=com

dn: dc=oracle, dc=com
ref: ldap://serverC:389/dc=oracle, dc=com
ref: ldap://serverD:389/dc=oracle, dc=com
```

Consider the following referral entry in a directory server running on host serverY:

```ldif
dn: dc=fiction, dc=com
ref: ldap://serverE:389/dc=fiction, dc=com
```

The corresponding referral.ora file looks like this (a blank line, the grammar's second SEP, ends each referral entry):

```
ServerX
ldap://serverA:389/dc=acme, dc=com
ldap://serverB:389/dc=acme, dc=com

ldap://serverC:389/dc=oracle, dc=com
ldap://serverD:389/dc=oracle, dc=com

ServerY
ldap://serverE:389/dc=fiction, dc=com
```
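The following Python is an added example, not Oracle's client library: it reads a referral.ora file according to the grammar above, with a blank line (the grammar's second SEP) closing each referral entry and either CR LF or LF line endings, and builds the static cache a client would consult to find which referral URLs apply to a base DN. The sample file content is constructed from the example in the text; the function names and the {host: [[url, ...], ...]} cache shape are this example's own.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample: the referral.ora shown in the text, CR LF terminated,
# with a blank line ending each referral entry.
REFERRAL_ORA = (
    "ServerX\r\n"
    "ldap://serverA:389/dc=acme, dc=com\r\n"
    "ldap://serverB:389/dc=acme, dc=com\r\n"
    "\r\n"
    "ldap://serverC:389/dc=oracle, dc=com\r\n"
    "ldap://serverD:389/dc=oracle, dc=com\r\n"
    "\r\n"
    "ServerY\r\n"
    "ldap://serverE:389/dc=fiction, dc=com\r\n"
    "\r\n"
)

def norm_dn(dn):
    """Normalise a DN for comparison: strip spaces around RDN separators, fold case."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_referral_ora(text):
    """Return {hostname: [[url, ...], ...]}: one URL list per referral entry on that host."""
    cache, host, entry = {}, None, []
    for line in text.replace("\r\n", "\n").split("\n"):   # SEP is CR LF or LF
        line = line.strip()
        if not line:                       # second SEP in a row: the referral entry is complete
            if host is not None and entry:
                cache[host].append(entry)
            entry = []
        elif line.lower().startswith(("ldap://", "ldaps://")):
            if host is None:
                raise ValueError("referral URL before any host name: %r" % line)
            entry.append(line)
        else:                              # any other non-blank line names the next host
            if entry:                      # tolerate a missing blank line before the host name
                cache[host].append(entry)
            host, entry = line, []
            cache.setdefault(host, [])
    if host is not None and entry:
        cache[host].append(entry)
    return cache

def url_dn(url):
    """Extract the base DN carried in an LDAP URL path (ldap://host:port/dn)."""
    return norm_dn(unquote(urlsplit(url).path.lstrip("/")))

def build_index(cache):
    """Map each referred DN to the host its entry was read from and that entry's URLs."""
    index = {}
    for host, entries in cache.items():
        for urls in entries:
            for url in urls:
                slot = index.setdefault(url_dn(url), {"host": host, "urls": []})
                slot["urls"].append(url)
    return index

def lookup(index, base_dn):
    """Return the cached referral for the deepest referred DN at or above base_dn, or None."""
    base = norm_dn(base_dn)
    hits = [dn for dn in index if base == dn or base.endswith("," + dn)]
    return index[max(hits, key=len)] if hits else None
```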