kenn commands


Upload: krishna-ghanta

Post on 28-Nov-2014


Page 1: KENN Commands

Generic commands and Rules
Basic Examples
From My System
Synchronization
Ods_process
ldapbinds
ldapmodify examples
  Sample change to configset
  Sample remove all objectclasses, and create mailgroup
  Sample with multiple types of things to add
ldapadd examples
ldapdelete examples
ldifwrite examples
oidpasswd
ldapsearch examples
  To get a list of object classes and attributes
  To get root DSE / DSA Config
  To dump the indexed attributes
  To dump the ACIs
  To get a list of DNs in some container
  To get the number of members of a group
  To get a list of groups a user is a member of
  To dump a configset
  To dump running instances
  To dump the Integration Server configset
  To dump a profile
  To get the profile details from the db
  To verify that AD admin can read the 'container' of directory entries to be synched
  To dump the changelog entries
  To dump a provisioning profile
  To dump all Integration profiles, including Provisioning (but not OCS)
  To dump replication configset info
  To dump replication configuration info
  To dump the replication agreement
  To dump plug-in info
  To dump one user
  To dump all AD users
  To dump a subtree
  To get a list of users with recently changed password
  To dump tnsnames info
  To get the OID version
    HOW TO GET FIVE-DIGIT VERSION NUMBER, INCLUDING PATCH SETS ON A RUNNING OID
    HOW TO GET THE VERSION WHEN THE OIDLDAPD WILL NOT START
    HOW TO GET THE BINARIES VERSION
  To get the default subscriber
  To dump settings pertaining to realm/default subscriber
  To get the lastchangenumber
  To get the My Profile details in OIDDAS
  To get a Portal group
  To get the guid for Portal users
  To get the password policy settings
  To get the ODS password
  To find any dupe DNs
  Server Chaining setup
Bulkload
  To export/import OID schemas
    EXPORT
    IMPORT
OIDCA to Create a Default Subscriber
bulkdelete
OID/AD Checkpoints
plugin debug

Generic commands and Rules

Not advisable to start from Windows Services. Best to use the command line, as follows:

oidmon [connect=<net_service_name>] start
oidctl connect=<net_service_name> server=oidldapd instance=<unique_instance_number> flags="-p <OID_port>" start

You can omit parameters that have defaults, such as -p (and therefore flags) if on port 389.
In the oidmon command, you can omit the 'connect' parameter if you have just one $ORACLE_HOME on that box.
There's also a -h <hostname> you can use in oidmon if you want to start on another box.

Basic Examples

oidldapd: serverid=2
odisrv: serverid=7
oidrepld: serverid=4

9.0.4: If you start OID from the command line then OPMN will not be able to manage the process.

opmnctl startall - start all components that are managed by OPMN (OID, HTTP server, OC4J containers)

opmnctl status
opmnctl startproc ias-component=OID
opmnctl status
opmnctl stopproc ias-component=OID
opmnctl startproc process-type=OC4J_SECURITY (must be upper case)

oidmon connect=iasdb start    (in 9.2 you can start multiple oidmons this way on the same box)
oidmon connect=iasdb stop

oidctl connect=iasdb server=oidldapd instance=1 configset=1 start


oidctl connect=iasdb server=oidldapd instance=1 configset=1 flags="-debug 65535" start

See the OPMN admin guide for starting 9.0.4 instances on different configsets.
oidctl connect=iasdb server=oidldapd instance=1 configset=1 flags="-debug 67108863" start
oidctl connect=iasdb server=oidldapd instance=1 stop

oidctl connect=iasdb server=odisrv instance=1 config=1 start
oidctl connect=iasdb server=odisrv instance=1 config=1 flags="debug=63" start
9.0.4: oidctl connect=od02asdb01 server=odisrv instance=2 config=1 flags="host=<host> debug=63 port=22650" start
oidctl connect=iasdb server=odisrv instance=1 stop

Check both $ORACLE_HOME/ldap/log AND $ORACLE_HOME/ldap/odi/log.
10.1.2: oidctl connect=<OID_db> host=<virtual_hostname> server=ODISRV instance=<inst> configset=<config> flags="host=<host> port=<port> debug=<debug>" start

NOTE: With 10.1.2.0.2 the default maximum size for the .aud/.trc files is 10MB. When this size limit is reached, a backup of the files is created and a new empty .trc/.aud file is used. The size parameter is configurable.

RAC:
oidctl connect=iasdb host=<virtual_host> server=odisrv instance=1 config=1 flags="host=<virtual_host>" start

10.1.2 IM 2-node replicating cluster with shared db:
oidctl connect=iasdb server=odisrv instance=1 config=1 flags="host=<physical_host>" start

oidctl connect=oidt04 server=oidrepld instance=<instance_number> flags='-h sitf03 -p 392 -d 65535' start

10.1.2: oidctl connect=oiddrp server=oidrepld instance=1 flags='-h sdrl001 -p <OID_port> -d 117440511' start

9.0.4: oidctl connect=oidt04 server=oidrepld instance=<instance_number> flags='-h sitf03 -p 392 -d 67108863' start

oidctl connect=oidt04 server=oidrepld instance=<instance_number> stop

RAC:
oidctl connect=onam host=<virtual_host> server=oidrepld instance=1 flags="-h <virtual_host> -p <OID_port>" start

From My System

oidctl connect=ora92 server=oidldapd instance=1 start
oidctl connect=ora92 server=oidldapd instance=1 flags="-p 4032" start
Flags should be in double quotes. If ORACLE_SID is set, you don't need to specify connect=.

oidctl connect=ora92 server=oidldapd instance=1 stop

9.2: oidctl connect=oid92i2 server=oidldapd instance=3 configset=1 flags="-p 389 -d 65535" start


9.0.2: oidctl connect=oid92i2 server=oidldapd instance=3 configset=1 flags="-p 389 -debug 65535" start
non-9.2: oidctl connect=oid92i2 server=oidldapd instance=3 configset=1 flags="port=389 debug=65535" start

Synchronization

9.2: oidctl ... server=odisrv config=... port=... debug=...
--> NOT configset, NOT oidsrv
oidctl connect=iasdb server=odisrv instance=1 config=1 flags="debug=65535" start

Oracle Internet Directory Administrator's Guide, Release 9.0.1 > 24 Managing the Oracle Directory Integration Server > Starting the Oracle Directory Integration Server, on p.24-8

Portal: If you are running Portal which requires the DIP server, it by default uses configset0. This is a hidden configset that you do not see when you look in ODM at Integration Servers. Therefore, the command line to start the DIP for provisioning is:

oidctl connect=<SID> server=odisrv instance=1 start

LDAP: If you then want to set up synchronization, which by default uses the configset1 that you see under Integration Servers in ODM:

oidctl connect=<SID> server=odisrv instance=2 configset=1 start

Ods_process

sqlplus ods/ods@oid92i2
truncate table ods_process;

ldapbinds

ldapbind -D "cn=orcladmin" -w <orcladmin_pwd> -h <OID_host> -p <OID_port>
ldapbind -D "cn=guest" -w guest -p 4032
ldapbind -D "cn=proxy" -w proxy -p 4032

Try these from your client:

- anonymous bind with no SSL authentication:
ldapbind -h <OID_host> -p <OID_SSL_port> -U 1

- superuser bind with no SSL authentication:
ldapbind -h <OID_host> -p <OID_SSL_port> -D cn=orcladmin -w <password> -U 1

- anonymous bind with server authentication:
ldapbind -h <OID_host> -p <OID_SSL_port> -U 2 -W "file:<path_to_client_wallet>" -P <wallet_password>

- superuser bind with server authentication:
ldapbind -h <OID_host> -p <OID_SSL_port> -D cn=orcladmin -w <password> -U 2 -W "file:<path_to_client_wallet>" -P <wallet_password>

SASL:
ldapbind -D cn=orcladmin -w <passwd> -O "auth" -Y "DIGEST-MD5"


ldapmodify examples

ldapmodify -h irina-laptop -p 389 -D "cn=orcladmin" -w welcome -f newobjectclass.ldif
ldapmodify -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -f newobjectclass.ldif

Sample change to configset:
dn: cn=configset0, cn=osdldapd, cn=subconfigsubentry
changetype: modify
replace: orclmaxcc
orclmaxcc: <new_value>
-
replace: orclserverprocs
orclserverprocs: <new_value>

Sample remove all objectclasses, and create mailgroup:
dn: cn=subschemasubentry
changetype: modify
replace: objectclasses
objectclasses: ( 2.16.840.1.113894.5.2.5000 NAME 'mailgroup' SUP groupofuniquenames AUXILIARY MAY ( mail ) )

Sample with multiple types of things to add:
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 9.9.9.11 NAME 'IPGchangepassword' DESC 'Section for intranet security' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.44' USAGE userApplications )
attributetypes: ( 9.9.9.13 NAME 'IPGpasschangeperiod' DESC 'Section for intranet security' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.44' USAGE userApplications )
-
add: objectclasses
objectclasses: ( 8.8.8.1 NAME 'Intranet' SUP top STRUCTURAL MAY ( IPGchangepassword $ IPGpasschangeperiod ) )

ldapadd examples

ldapadd -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <orcladmin_pwd> -f objattr.ldif
ldapadd -h irina-laptop -p 389 -D "cn=orcladmin" -w welcome -f newuser.ldif

NOTE: To add attributes or objectclasses, use ldapmodify.
NOTE: System operational attributes can't be ldapadded, but they can be bulkloaded with a -restore during the load.
NOTE: The only operational attribute allowed to be ldapadded is orclguid, supported since 902x.


ldapdelete examples

ldapdelete -h irina-pc2 -p 4032 -D "cn=orcladmin" -w welcome -f createaliases.ldif
ldapdelete -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> "cn=ftarica,cn=users,dc=farmalink,dc=com,dc=ar"

ldifwrite examples

ldifwrite -c oid92 -b "cn=Users,dc=kenn-pc2,dc=com" -f ldifwrite.txt
--> prompts for the ODS password. Ensure Home Selector is set to the OID ORACLE_HOME.

ldifwrite -c iasdb -b "cn=infotrac8,ou=gale,ou=Groups,o=thomsonlearning.com" -f infotrac8_`date +%Y%m%d.%H%M`.ldif

creates the following file: cat infotrac8_20040401.1204.ldif

oidpasswd

10.1.2:
oidpasswd connect=<OID_db> change_oiddb_pwd=true
oidpasswd connect=<OID_db> create_wallet=true
oidpasswd connect=<OID_db> unlock_su_acct=true
oidpasswd connect=<OID_db> reset_su_password=true
oidpasswd connect=<OID_db> manage_su_acl=true

ldapsearch examples

See Note 237919.1 for other ldapsearches.

To get a list of object classes and attributes:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<orcladmin_pwd>" -L -b "cn=subschemasubentry" -s base "objectclass=*" objectclasses attributetypes > objattr.ldif

ldapsearch -h <OID_host> -p 4032 -D "" -w "welcome" -b "cn=subschemasubentry" -s base "objectclass=*" objectclasses attributetypes > attributes.txt

To get root DSE / DSA Config:
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "" -s base -v "objectclass=*" > rootdse.txt

ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" -s base -v "objectclass=*" > dsaconfig.txt

To dump the indexed attributes:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "cn=catalogs" -s base "objectclass=*"


To dump the ACIs:
Default ACP:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -s one -b "" "orclaci=*" orclaci > aci.txt

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -s sub -b "" "orclaci=*" orclaci > aci.txt

For a DIT:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -s base -b "cn=users,dc=evan,dc=ocunet" objectclass=* orclaci > aci.txt

To get a list of DNs in some container:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "<container_where_records_are_located>" -s sub "objectclass=*" dn

This output could then be used with an ldapdelete -f to remove all the DNs in the file.

To get the number of members of a group:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -L -b "<your group dn>" -s base "objectclass=*" member | wc -l

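The two searches above print LDIF, and "member | wc -l" counts every line of it (the dn: line, blank lines and folded continuation lines included), so the number is usually too high. The shell helpers below are added here and are not part of the KENN document: they unfold the LDIF first, count only member/uniquemember values, and turn the dn-only output into the one-DN-per-line file that ldapdelete -f reads; the sample LDIF is constructed.

```shell
# Added example (not from the KENN document): post-process ldapsearch LDIF output.
# An LDIF value longer than 76 characters is folded onto a following line that
# starts with one space; a DN with non-ASCII characters is written as "dn:: <base64>".

# Join LDIF continuation lines (leading space) back onto their attribute line.
ldif_unfold() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (have) print buf; buf = $0; have = 1 }
    END { if (have) print buf }
  '
}

# Count member values only. OID groups carry uniquemember (groupOfUniqueNames)
# or member (groupOfNames); both are counted, case-insensitively.
count_members() {
  ldif_unfold | awk 'tolower($0) ~ /^(member|uniquemember):/ { n++ } END { print n + 0 }'
}

# Turn the dn-only search output into one DN per line for "ldapdelete -f <file>".
# Base64 DNs ("dn:: ...") are decoded; folded DNs are unfolded first.
dns_for_delete() {
  ldif_unfold | while IFS= read -r line; do
    case "$line" in
      'dn:: '*) printf '%s\n' "${line#dn:: }" | base64 -d; echo ;;
      'dn: '*)  printf '%s\n' "${line#dn: }" ;;
    esac
  done
}

# Constructed sample output of the group search (not captured from a real server).
# The second uniquemember is folded the way the server folds long values.
SAMPLE_GROUP_LDIF='dn: cn=infotrac8,ou=gale,ou=Groups,o=thomsonlearning.com
objectclass: groupOfUniqueNames
uniquemember: cn=alice,cn=users,dc=example,dc=com
uniquemember: cn=a user with a very long common name that the server wraps,cn=u
 sers,dc=example,dc=com
uniquemember: cn=bob,cn=users,dc=example,dc=com
'

# Constructed sample output of the dn-only container search; the second DN has a
# non-ASCII character, which the server emits base64-encoded.
SAMPLE_DN_LDIF="dn: cn=ftarica,cn=users,dc=farmalink,dc=com,dc=ar

dn:: $(printf '%s' 'cn=José López,cn=users,dc=example,dc=com' | base64)

"

printf 'lines in output (wc -l):   %s\n' "$(printf '%s' "$SAMPLE_GROUP_LDIF" | wc -l | tr -d ' ')"
printf 'members (count_members):   %s\n' "$(printf '%s' "$SAMPLE_GROUP_LDIF" | count_members)"
printf 'DNs ready for ldapdelete -f:\n'
printf '%s' "$SAMPLE_DN_LDIF" | dns_for_delete
```

Redirect the dns_for_delete output to a file and pass that file to ldapdelete -f as in the ldapdelete examples section.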
To get a list of groups a user is a member of:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "" "(uniquemember=cn=orcladmin, cn=Users, dc=owner-abcab1nsf,dc=com)" "dn"

10.1.2.0.2: undocumented -C option returns a (flat) list of groups an entry belongs to. This option might be pretty slow with 10.1.2.0.2. We made significant performance changes to this option in 10.1.3.

An example command looks like:

ldapsearch -C -b "<yourBranch>" -s sub "uniquemember=<YourUserDN>"

Here's the text from the (not yet accessible) 10.1.3 doc:

-C    Optional. The ldapsearch -C option causes ldapsearch to traverse a hierarchy and report direct memberships. The ldapsearch -C option essentially includes the CONNECT_BY control (2.16.840.1.113894.1.8.3) in the request sent to the client. ldapsearch doesn't have any means to pass values with a control, so it sends the CONNECT_BY control without values. In this case the default values are assumed, that is, the hierarchy-establishing attribute name is obtained from the filter, and the number of levels is 0. Thus, the -C option can only be used to fetch all containers of a containee, for example, fetch all groups of a user, fetch all employees of a manager and so forth. Also, all levels of the hierarchy are traversed.


To dump a configset:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "cn=configset1,cn=osdldapd,cn=subconfigsubentry" -s sub "objectclass=*" > config1.txt

When OID is down:
SQL> set pagesize 2000
SQL> select * from ods.ds_attrstore where entryid in (select entryid from ods.ds_attrstore where attrval like '%osdldapd%' and attrval like '%configset%');

To dump running instances (includes odisrv instances):
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "cn=subregistrysubentry" -s sub "objectclass=*" > instances.txt

To dump the Integration Server configset:
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=instance1,cn=odisrv,cn=subregistrysubentry" -s sub objectclass=* > config.txt

or all of them:
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=odisrv,cn=subregistrysubentry" -s sub objectclass=* > config.txt

To dump a profile:
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog Subscriber,cn=oracle internet directory" -s sub objectclass=*

ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "orclODIPAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog Subscriber,cn=oracle internet directory" -s sub objectclass=* > profile.txt

or all of them:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "cn=subscriber profile,cn=changelog subscriber, cn=oracle internet directory" objectclass=*

To get the profile details from the db:
set pages 1000

SELECT * FROM ct_dn dn, ds_attrstore store
 WHERE dn.entryid = store.entryid
   AND dn.parentdn LIKE 'cn=oracle internet directory,cn=changelog subscriber,%'
   AND store.attrname = 'orcllastappliedchangenumber'
   AND store.entryid IN (SELECT entryid FROM ds_attrstore store1
                          WHERE store1.entryid = store.entryid
                            AND store1.attrname = 'orclsubscriberdisable');


Check the results for the entryid for 'orclodipagentname=ActiveChgImp' and use it in the following query:

select * from ds_attrstore where entryid=<value_from_previous_query>

To verify that AD admin can read the 'container' of directory entries to be synched:
ldapsearch -p 389 -h adhost -D "cn=Administrator,cn=users,dc=msad,dc=us,dc=oracle,dc=com" -w "welcome1" -b "cn=users,dc=msad-orl,dc=us,dc=oracle,dc=com" -s base "objectclass=*"

To dump the changelog entries:
ldapsearch -p $LDAPPORT -h $LDAPHOST -D "$LDAPADMIN" -w $LDAPPW -b "cn=changelog" -s one "(&(objectclass=changelogentry)(changenumber=$LACN))"

The changelog entries are one level down and are treated as a special case, so they will not display if you are using a scope of "sub", e.g.
ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <OID superuser password> -s one -b "cn=changelog" "(objectclass=changelogentry)" "*"

Note that I am searching as "cn=orcladmin". To check that the subscriber user entry has access you need to check the ACI on "cn=changelog", e.g.
ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <OID superuser password> -s base -b "cn=changelog" "(objectclass=*)" "orclaci"

By default full access is only granted to the "cn=odisgroup,cn=odi,cn=oracle internet directory" group, so check that your subscribers are members of that group.

Run the ldapsearch to obtain the last change number on Active Directory. For example:

ldapsearch -p 389 -h adhost -D [email protected] -w "<password>" -b "" -s base "objectclass=*" highestCommittedUSN

Verify that you can read the 'container' of directory entries you wish to synch:

ldapsearch -p 389 -h adhost -D [email protected] -w "<password>" -b "OU=USERS,OU=kenn,OU=OFFICES,DC=spe,DC=org" -s base "objectclass=*"

When running this search using the ADMINISTRATOR account, the two required attributes are present in the output of the search.

Verify that you can read an entry within the 'container' of directory entries you wish to synch, and that when you retrieve entries from AD you see the USNCreated and USNChanged attributes. Run an ldapsearch against AD for an existing user:

ldapsearch -p 389 -h adhost -D [email protected] -w "<password>" -b "<SOME USER>,OU=USERS,OU=kenn,OU=OFFICES,DC=spe,DC=org" -s base "objectclass=*"

Note: The output of this search shows that you can read the USNCreated and USNChanged attributes.

IF YOU DO NOT SEE THE USNCreated and USNChanged attributes STOP. AD SYNC WILL NOT WORK. YOU MUST HAVE YOUR AD ADMINISTRATOR FIX YOUR SYNC ACCOUNT SO THAT IT CAN READ THESE VALUES.
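The checks above can be scripted. The helpers below are added here and are not part of the KENN document: they parse the AD ldapsearch output for highestCommittedUSN and for the uSNCreated/uSNChanged attributes, and return a non-zero status when the sync account cannot read them. The check_ad_sync_account function and the AD_SYNC_PW variable are assumptions of this example (the password is read from the environment instead of being typed on the command line), and the sample LDIF is constructed.

```shell
# Added example (not from the KENN document): verify that an AD sync account can
# see the attributes DIP needs, using the same ldapsearch shape as the document.

# Return 0 when the LDIF on stdin carries both uSNCreated and uSNChanged.
# AD writes the attribute names in mixed case, so the match is case-insensitive.
usn_attrs_present() {
  ldif=$(cat)
  if printf '%s\n' "$ldif" | grep -qi '^usncreated:' &&
     printf '%s\n' "$ldif" | grep -qi '^usnchanged:'; then
    return 0
  fi
  return 1
}

# Print the highestCommittedUSN value from a rootDSE search (nothing if absent).
highest_committed_usn() {
  awk -F': ' 'tolower($1) == "highestcommittedusn" { print $2; exit }'
}

# Live check (hypothetical wrapper). Runs the rootDSE search and the entry
# search from the document; host, bind DN and entry DN are arguments, the
# password comes from the AD_SYNC_PW environment variable.
check_ad_sync_account() {
  host=$1; binddn=$2; entrydn=$3
  usn=$(ldapsearch -p 389 -h "$host" -D "$binddn" -w "$AD_SYNC_PW" \
          -b "" -s base "objectclass=*" highestCommittedUSN | highest_committed_usn)
  echo "highestCommittedUSN on $host: ${usn:-<not returned>}"
  if ldapsearch -p 389 -h "$host" -D "$binddn" -w "$AD_SYNC_PW" \
       -b "$entrydn" -s base "objectclass=*" uSNCreated uSNChanged | usn_attrs_present; then
    echo "OK: $binddn can read uSNCreated/uSNChanged on $entrydn"
    return 0
  fi
  echo "STOP: $binddn cannot read uSNCreated/uSNChanged on $entrydn; AD sync will not work" >&2
  return 1
}

# Constructed sample outputs (not captured from a real domain controller).
SAMPLE_AD_ROOTDSE='dn:
currentTime: 20040401120400.0Z
highestCommittedUSN: 5213990
'
SAMPLE_AD_ENTRY_OK='dn: CN=Jane Doe,OU=USERS,OU=kenn,OU=OFFICES,DC=spe,DC=org
objectClass: user
sAMAccountName: jdoe
uSNCreated: 4401233
uSNChanged: 5213987
'
# What an under-privileged sync account sees: the entry, but no USN attributes.
SAMPLE_AD_ENTRY_BAD='dn: CN=Jane Doe,OU=USERS,OU=kenn,OU=OFFICES,DC=spe,DC=org
objectClass: user
sAMAccountName: jdoe
'

printf 'sample highestCommittedUSN: %s\n' "$(printf '%s' "$SAMPLE_AD_ROOTDSE" | highest_committed_usn)"
printf '%s' "$SAMPLE_AD_ENTRY_OK"  | usn_attrs_present && echo "sample OK entry: USN attributes readable"
printf '%s' "$SAMPLE_AD_ENTRY_BAD" | usn_attrs_present || echo "sample BAD entry: STOP, AD sync will not work"
```

To run it against a real domain controller: AD_SYNC_PW='...' check_ad_sync_account adhost "<sync account DN or UPN>" "<SOME USER>,OU=USERS,OU=kenn,OU=OFFICES,DC=spe,DC=org".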

To dump a provisioning profile (2 locations):
For Syndication, Wireless, Portal, eBiz profiles:
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=provisioning profiles,cn=changelog subscriber,cn=oracle internet directory" -s sub objectclass=* > provprofiles1.txt

For OCS (email, Content, RTC, Calendar profiles):
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=Profiles, cn=Provisioning, cn=Directory Integration Platform, cn=Products, cn=OracleContext" -s sub objectclass=* > provprofiles2.txt

To dump all Integration profiles, including Provisioning (but not OCS):
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=changelog subscriber,cn=oracle internet directory" -s sub objectclass=* > allprofiles.txt

To dump replication configset info:
ldapsearch -h <host> -p <port> -D cn=orcladmin -w <password> -b "cn=osdrepld,cn=subconfigsubentry" -s sub "objectclass=*"

9.2: ldapsearch -h <host> -p <port> -D cn=orcladmin -w <password> -s base -b "" objectclass=*

Or dump both repl and ldap:
ldapsearch -h <host> -p <port> -D cn=orcladmin -w <password> -b cn=subregistrysubentry -s sub -v "objectclass=*"


To dump replication configuration info:
9.0.4 (new): ldapsearch -h <host> -p <port> -L -D cn=orcladmin -w <password> -s base -b "orclReplicaID=<replicaid>, cn=replication configuration" "objectclass=*"

To dump the replication agreement:
Pre-904: ldapsearch -h <host> -p <port> -D cn=orcladmin -w <password> -s base -b "orclagreementid=000001, cn=orclreplagreements" "objectclass=*"

904/LDAP: ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <password> -s sub -b "orclReplicaID=<replicaid>, cn=replication configuration" "objectclass=*"

To dump plug-in info:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "cn=plugin,cn=subconfigsubentry" -s sub "cn=*" > plugins.ldif

Hostname and port:
sqlplus ods/<pwd>@<OID_db>
> set pagesize 9999
> spool code.sql
> select text from user_source where name='OIDADPSWD' and type='PACKAGE BODY' order by line;
> spool off;
NOTE: For the "name", use the plugin attribute orclpluginname.
Search the output for lines such as:
my_session := DBMS_LDAP.init('<AD_host>', <AD_port>);

To dump one user:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -L -b "<full_user_DN>" -s sub "objectclass=*"
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -L -b "cn=test1, cn=Users,dc=kenn-pc1,dc=com" -s sub "cn=*"

To dump all AD users:
ldapsearch -p 389 -h <ADhost> -D "[email protected]" -w <pwd> -b "dc=bde-ad1,dc=us,dc=oracle,dc=com" -s sub "objectclass=user" SamAccountName

where "bde-ad1" is your domain name.

ldapsearch -h <AD Host> -p 389 -D "[email protected]" -w <pwd> -s sub -b "cn=<ADUser>,dc=xxx,dc=xxx,xxxx" objectclass=* > user.txt

To dump a subtree:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -b "dc=com" -s sub "cn=*" > entries.txt
ldapsearch -h owner-abcab1nsf -p 4032 -D "cn=orcladmin" -w "welcome" -b "o=webjunction.org" -s sub "uid=*" > user.txt


To get a list of users with recently changed password:
First, index the attribute pwdchangedtime (catalog.sh).
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -b "cn=users,dc=acme,dc=com" -s sub "(pwdchangedtime>=20040106000000Z)"

To dump the groups a user is a member of:
ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w "<pwd>" -s sub -b "" "(uniquemember=cn=orcladmin,cn=users,<realm or subscriber DN>)" "dn"

To dump the members of a group (root level):
ldapsearch -D "cn=orcladmin" -w welcome -L -b "cn=Groups,cn=OracleContext" -s sub "objectclass=*" uniquemember

To dump tnsnames info:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "dc=irina-pc1,dc=com" -s sub "cn=*" cn orclnetdescstring > tnsnames.txt

To get the OID version:

HOW TO GET FIVE-DIGIT VERSION NUMBER, INCLUDING PATCH SETS ON A RUNNING OID

ldapsearch -h <OID_host> -p <port> -D "cn=orcladmin" -w <pwd> -b "" -s base "objectclass=*" orcldirectoryversion

HOW TO GET THE VERSION WHEN THE OIDLDAPD WILL NOT START...

Log in to the DB as ODS/ODS and run the following query:

select attrval from ds_attrstore where entryid = 1 and attrname = 'orcldirectoryversion';

Sample output is as follows:

ATTRVAL
------------------------------------------------------------------
OID 9.0.2.3.0

HOW TO GET THE BINARIES VERSION

Go to $ORACLE_HOME/bin and type:

oidldapd -version

The output will be something like:

oidldapd: Release 9.0.2.3.0 - Production on Wed Feb 11 08:35:41 2004
(c) Copyright 2001 Oracle Corporation. All rights reserved.

To get the default subscriber:

ldapsearch -h <OID_host> -p <port> -D "cn=orcladmin" -w <password> -L -s base -b "cn=Common,cn=Products,cn=OracleContext" "(objectclass=orclContainer)" "orcldefaultsubscriber"

To dump settings pertaining to realm/default subscriber:

Root Context:


ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s base -b "cn=Common,cn=Products,cn=OracleContext" "(objectclass=orclContainer)"

ldapsearch -p 3060 -D "cn=orcladmin" -w welcome1 -L -s base -b "cn=Common,cn=Products,cn=OracleContext" "(objectclass=orclContainer)"

Default realm:

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s base -b "cn=Common,cn=Products,cn=OracleContext,<your_realm>" "(objectclass=orclContainer)"

ldapsearch -p 3060 -D "cn=orcladmin" -w <pwd> -L -s base -b "cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com" "(objectclass=orclContainer)"

For the value of <your_realm> in the 2nd command, please use the value returned from the 1st command for the attribute orcldefaultsubscriber.

To get the lastchangenumber:

ldapsearch -h <OID_host> -p <port> -D cn=orcladmin -w <password> -b "" -s base "objectclass=*" lastchangenumber

To get the My Profile details in OIDDAS:

Realm Context:

ldapsearch -h <OID_host> -p <port> -D cn=orcladmin -w <password> -s sub -b "cn=categories,cn=User Configuration,cn=Attribute Configuration,cn=DAS,cn=Products,cn=OracleContext,dc=oracle,dc=com" objectclass=* > dasprofilerealm.txt

Root Context:

ldapsearch -h <OID_host> -p <port> -D cn=orcladmin -w <password> -s sub -b "cn=categories,cn=User Configuration,cn=Attribute Configuration,cn=DAS,cn=Products,cn=OracleContext" objectclass=* > dasprofileroot.txt

To get a Portal group (list the users in the portal dba group):

ldapsearch -h <OID_host> -p 4032 -D cn=orcladmin -w passwd1 -b "cn=DBA,cn=portal_groups,cn=groups,dc=us,dc=oracle,dc=com" -s sub -v objectclass=* uniquemember

To get the guid for Portal users:

ldapsearch -h <OID_host> -p <OID_port> -b "<base_dn>" -s sub "uid=<username>" orclguid

To get the password policy settings

For the root and default subscriber:

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "" -s sub "(objectclass=pwdpolicy)" "*"


NOTE: the policy that is applied will be the policy in the default Oracle Context under the subscriber DN if one exists, otherwise the root policy is applied.
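The precedence rule in the note can be checked mechanically against the output of the pwdpolicy search. The following is an added example, not part of these notes: it parses the LDIF that ldapsearch -L prints and picks the policy OID will apply for a given subscriber DN by exactly that rule. The two sample entries, their attribute values and the cn=PwdPolicyEntry DN layout under cn=OracleContext are constructed assumptions.

```python
# Added example (not from the KENN notes): applies the note's rule to the LDIF
# printed by ldapsearch -L ... -b "" -s sub "(objectclass=pwdpolicy)" "*".
# Sample DNs/values are constructed; the cn=PwdPolicyEntry layout is assumed.
SAMPLE_LDIF = """\
dn: cn=PwdPolicyEntry,cn=common,cn=products,cn=OracleContext
objectclass: pwdpolicy
pwdmaxage: 5184000
pwdminlength: 5

dn: cn=PwdPolicyEntry,cn=common,cn=products,cn=OracleContext,dc=acme,
 dc=com
objectclass: pwdpolicy
pwdmaxage: 7776000
pwdminlength: 8
"""


def parse_ldif(text):
    """Parse ldapsearch -L output into a list of {attr: [values]} dicts."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:  # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def _norm_dn(dn):
    """Lower-case a DN and drop whitespace around the RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def applicable_policy(entries, subscriber_dn):
    """Policy OID applies for subscriber_dn: the one under the subscriber's
    cn=OracleContext if present, else the root one (DN ends at OracleContext)."""
    realm_suffix = ",cn=oraclecontext," + _norm_dn(subscriber_dn)
    root = None
    for entry in entries:
        if "pwdpolicy" not in [c.lower() for c in entry.get("objectclass", [])]:
            continue
        dn = _norm_dn(entry.get("dn", [""])[0])
        if dn.endswith(realm_suffix):
            return entry
        if dn.endswith(",cn=oraclecontext"):
            root = entry
    return root
```

Feed it the real search output (saved with -L) and the orcldefaultsubscriber value from the search above to see which pwdmaxage is actually in force before touching Optional Task 15.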

To get the ODS password:

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "OrclResourceName=ODS,orclReferenceName=asdb.us.oracle.com,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext" -s base "objectclass=*" orclpasswordattribute

To find any dupe DNs:

select attrvalue from ct_orclnormdn group by attrvalue having count(*)>1;

Server Chaining setup

ldapsearch -p 13060 -D "cn=orcladmin" -w welcome1 -s base -b "cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry" objectclass=*

Bulkload

Bulkload will by default append the data, but there is also a "-append" option to bulkload which, when specified, behaves like ldapadd with the only difference that it does not generate change logs and does not go through the LDAP server.

- With default bulkload you have to bring down the LDAP Server; with the -append option you need to set the OID LDAP Server to a special read/modify mode ('orclservermode' attribute in the root DSE). Hence, if it is only a few entries there is no point in going through all these steps; ldapadd is the better option.

To export/import OID schemas:

EXPORT:

1. Create oidexp.dat file containing:

FILE=oid.data
OWNER=ods, odscommon
GRANTS=y
ROWS=y

2. Run this command from $ORACLE_HOME/bin:

exp system/manager PARFILE=oidexp.dat

IMPORT:

1. Run the following sql scripts:

cd $ORACLE_HOME/ldap/admin/
sqlplus system/manager @ldapxact.sql   (drop/create ods, odscommon and role ods_server)
sqlplus system/manager @ldapxsec.sql   (create new table/view odsinstance(s))

2. Create oidimp1.dat containing:

FILE=oid.data
FROMUSER=ods
TOUSER=ods

3. Create oidimp2.dat containing:

FILE=oid.data
FROMUSER=odscommon
TOUSER=odscommon

4. Run the following commands:

imp system/manager PARFILE=oidimp1.dat
imp system/manager PARFILE=oidimp2.dat

OIDCA to Create a Default Subscriber

oidca /createDefaultSubscriber /host "<LDAP host name>" /port <LDAP port> /userDN "cn=orcladmin" /userPwd <superuser password> /subscriberDN "<your new subscriber>"

Example:

oidca /createDefaultSubscriber /host irina-laptop /port 389 /userDN "cn=orcladmin" /userPwd welcome /subscriberDN "dc=irina-laptop,dc=net"

bulkdelete

You cannot use bulkdelete with -base "". You must delete -base "cn=oraclecontext", then -base "cn=oracleschemaversion", then -base "dc=com" to remove root level entries one by one.

EXAMPLE:

./bulkdelete.sh -connect oid920 -base "cn=oraclecontext" -size 10
./bulkdelete.sh -connect oid920 -base "cn=oracleschemaversion" -size 10
./bulkdelete.sh -connect oid920 -base "dc=com" -size 10

10.1.2:

bulkdelete.sh -connect <OID_db> -base "<base_dn>" -size <number_of_entries>

Debug option -- 10.1.2 or later:

1. Set the UTL_FILE_DIR parameter to the $ORACLE_HOME/ldap/log directory (through the init.ora file).
2. Restart the Oracle database (it is required).
3. Retry the bulkdelete.sh command with the -debug option:

bulkdelete.sh -connect oiddb -base "dc=test,dc=oracle,dc=com" -debug

10.1.4 onwards one can use the debug parameter with all bulktools. But for 10.1.2 or earlier you can only use the debug option with bulkdelete and bulkmodify.

OID/AD Checkpoints

Goal: Enable Active Directory synchronization with OID including pass-through authentication

Task 1: Verify the Microsoft Active Directory Information to be Configured into the Active Directory Synchronization Profiles

For export, check OID:


ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "" -s base "objectclass=*" lastchangenumber

For import, check AD:

# This also validates the username and credentials for both directories

ldapsearch -p 389 -h <AD SERVER HOST NAME> -D "<AD USER'S DISTINGUISHED NAME>" -w <AD USER'S PASSWORD> -b "" -s base "objectclass=*" defaultnamingcontext

ldapsearch -p 389 -h <AD SERVER HOST NAME> -D "<AD USER'S DISTINGUISHED NAME>" -w <AD USER'S PASSWORD> -b "" -s base "objectclass=*" highestCommittedUSN

ldapsearch -p 389 -h <AD SERVER HOST NAME> -D "<AD USER'S DISTINGUISHED NAME>" -w <AD USER'S PASSWORD> -b <USER CONTAINER DN> -s sub "(&(objectclass=*)(USNChanged=<value of highestCommittedUSN>))"

## Note: If the last search (for highestCommittedUSN) doesn't return details of the last change, STOP. Your AD user doesn't have the necessary privileges to make this work.

http://download-uk.oracle.com/docs/cd/B14099_16/idmanage.1012/b14085/toc.htm

For the DirSync approach, the Active Directory user account that the Oracle directory integration and provisioning server uses to access Active Directory must have Domain Administrative permissions, belong to the Domain Administrators group, or be explicitly granted Replicating Directory Changes permissions. In addition to the List Property and List Child Object rights (read access), you will also need to grant the user account used for accessing AD the "Replication Change" privilege in order to synchronize the deleted entries. See How to Grant the "Replicating Directory Changes" Permission for the Microsoft Metadirectory Services ADMA Service Account, at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;303972

For the USN-Changed approach, the Active Directory user account that the Oracle directory integration and provisioning server uses to access Active Directory must have "List Content" and "Read Properties" permission on the cn=Deleted Objects container of a given domain. See Deleting Items from Active Directory, at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;230113

In order to set these permissions, you must use the dsacls.exe command that is available with recent versions of Active Directory Application Mode (ADAM). You can download the most recent version of ADAM at http://www.microsoft.com/downloads/.

See also How to let non-administrators view the Active Directory deleted objects container in Windows Server 2003 and in Windows 2000 Server, at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;892806

ldapsearch -p 389 -D cn=orcladmin -w <OID USER'S PASSWORD> -b "orclodipagentname=Activeimport, cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s sub "objectclass=*"


# Task 2: Create the OID structure to support synchronization. For example, you might create:

ou=departments,dc=company,dc=com
ou=users,ou=departments,dc=company,dc=com

# Task 3: Configure the Information Related to the Microsoft Active Directory Environment

$ORACLE_HOME/ldap/odi/admin/adprofilecfg.sh

Enter OID superuser DN: cn=orcladmin
Enter OID superuser password: <OID USER'S PASSWORD>
##############################################
Configuring Active Directory connection details
##############################################
Enter Active Directory connection URL (host:port): <AD SERVER HOST NAME>:389
Enter Active Directory privileged user DN to be used for synchronization: <AD USER'S DISTINGUISHED NAME>
Enter Active Directory privileged user password: <AD USER'S PASSWORD>
##############################################
Configuring domain-level mapping rules
##############################################
Enter the DN of the domain in Active Directory to be synchronized: <USER CONTAINER DN>
Profile successfully modified.
Profile successfully modified.
Profile successfully modified.

Check the mapping. If it isn't correct, copy activeimp.map.master and activechg.map.master, edit them to reflect correct DNs, then:

dipassistant mp -profile ActiveChgImp -host <OID SERVER HOST NAME> -port 389 -dn cn=orcladmin -passwd <OID USER'S PASSWORD> odip.profile.mapfile=activeimport.map

dipassistant mp -profile ActiveChgImp -host <OID SERVER HOST NAME> -port 389 -dn cn=orcladmin -passwd <OID USER'S PASSWORD> odip.profile.mapfile=activechange.map

# Task 4: Ensure SQLNET connectivity to the database.

a. Verify that the database service names include <sid>,<sid>.<domain> eg: asdb, asdb.aci.corp.net
b. Ensure you can connect as user ODS with the same password used for ias_admin

# Task 5: Set permissions on the new containers using option 13 of diptester

Task 6: Configure the Active Directory Plugin

$ORACLE_HOME/ldap/admin/oidspadi.sh

---------------------------------------------
OID Active Directory Plug-in Configuration
---------------------------------------------
Please make sure Database and OID are up and running.

Please enter Active Directory host name: <AD SERVER HOST NAME>
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string: asdb
Please enter ODS password:
Please enter OID host name: <AD SERVER HOST NAME>
Please enter OID port number [389]: 389
Please enter orcladmin password: <OID USER'S PASSWORD>
Please enter the subscriber common user search base: <USER CONTAINER DN>
Please enter the Plug-in Request Group DN:
Please enter the exception entry property: (&(objectclass=orcluser))
Do you want to setup the backup Active Directory for failover? (y/n) n

Installing Plug-in Packages ...

Table dropped.
Table created.
Sequence dropped.
Sequence created.
Procedure created.
No errors.
Procedure created.
No errors.
No errors.
No errors.

Registering Plug-ins ...
adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry

-------------------------------------------------------------
Done.
-------------------------------------------------------------
[oracle@<OID SERVER HOST NAME> bin]$

Task 7: Enable the Active Directory Plugin

ldapmodify -h <OID SERVER HOST NAME> -p 389 -D cn=orcladmin -w <OID USER'S PASSWORD> <<EOF
dn: cn=adwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

ldapmodify -h <OID SERVER HOST NAME> -p 389 -D cn=orcladmin -w <OID USER'S PASSWORD> <<EOF
dn: cn=adwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

Expected output:

modifying entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
modifying entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry

Task 8: Bootstrap (bring the initial group of users from AD into OID)

dipassistant bootstrap -port 389 -profile ActiveChgImp -dn cn=orcladmin -passwd <OID USER'S PASSWORD>

Task 9: Start the Synchronization from Microsoft Active Directory to Oracle Internet Directory

dipassistant mp -profile ActiveChgImp odip.profile.status=ENABLE
Password: <OID USER'S PASSWORD>

Task 10: Start the Oracle Directory Integration and Provisioning Server as You Would for Synchronization

oidctl connect=asdb server=odisrv instance=2 configset=1 flags="port=389 debug=63" start

Task 11: Verify that Synchronization Has Started

ldapsearch -h <OID SERVER HOST NAME> -p 389 -D cn=orcladmin -w <OID USER'S PASSWORD> -b "orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*" orclodipsynchronizationstatus

ldapsearch -h <OID SERVER HOST NAME> -p 389 -D cn=orcladmin -w <OID USER'S PASSWORD> -b "orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*" orclodiplastsuccessfulexecutiontime

Task 12: modify the user search base to include the new user containers (Modify cn=Common,cn=Products,cn=OracleContext,dc=aci,dc=corp,dc=net)

Task 13: Restart OC4J_SECURITY

opmnctl stopproc process-type=OC4J_SECURITY
opmnctl startproc process-type=OC4J_SECURITY

Optional Task 14: Reregister the ODIserver (only necessary if you must reset the password)

odisrvreg -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <orcladmin password>

Optional Task 15: Modify the password policies so that the orcladmin password doesn't expire too quickly

1. Please upload the ldapsearch output for the source entry. Ex)

ldapsearch -h <iplanet host> -p <iplanet port> -D "cn=Directory Manager" -w <password> -b "<source entry dn>" -s base "objectclass=*"

(user cn=dirman is the directory manager for the iPlanet / Sun LDAP server)

~> ldapsearch -h ldap5.itcs.northwestern.edu -p 391 -D "cn=dirman" -w "xxxxx" -b "ou=people,dc=northwestern,dc=edu" -s base -x "objectclass=*"

2. Please upload the ldapsearch output for the target entry synchronized from the source. Ex)

ldapsearch -h <oid host> -p <oid port> -D cn=orcladmin -w <password> -b "<target entry dn>" -s base "objectclass=*"

~> ldapsearch -h oiddev1.itcs.northwestern.edu -D "cn=orcladmin" -w "xxxx" -b "ou=people,dc=northwestern,dc=edu" -s base -x "objectclass=*" > OID-people-branch.ldif-09-10

For the issue : krbprincipalname value empty

It is not yet clear if you have done the suggested change in the mapping file (changing the objectclass from person to nuperson for the uid attribute) and tested the behaviour  

If you have seen the same problem after the above modification, then please provide the latest profile trace and the mapping file along with the output of the following ldapsearch (assuming that the uid being tested is jlh482):

ldapsearch -h ldap5.itcs.northwestern.edu -p <port> -D "cn=dirman" -w "xxxxx" -b "uid=jlh482,ou=people,dc=northwestern,dc=edu" -s base  "objectclass=*"               

2) For the LDAP-65 error, give the output of the following ldapsearches (assuming the uid for this test is mji240)

From Sun One:

ldapsearch -h ldap5.itcs.northwestern.edu -p <port> -D "cn=dirman" -w "xxxxx" -b "uid=mji240,ou=people,dc=northwestern,dc=edu" -s base "objectclass=*"

From OID:

ldapsearch -h oiddev1.itcs.northwestern.edu -p <port> -D "cn=orcladmin" -w "xxxx" -b "cn=mji240,ou=people,dc=northwestern,dc=edu" -s base "objectclass=*"

(replace the -b value according to the DN stored in OID)

1. If you have never used plug-in debug before, issue this command to setup the table:

sqlplus ods/@oid_db
SQL> @$ORACLE_HOME/ldap/admin/oidspdsu.pls

2. If you have used plug-in debug before, delete the log:

sqlplus ods/@oid_db
SQL> truncate table ods.plg_debug_log;
SQL> exit

3. Enable the plug-in debugging:

SQL> @$ORACLE_HOME/ldap/admin/oidspdon.pls


4. Reproduce the issue.

5. Upload the plug-in debugging log:

SQL> spool plgdebug.txt
SQL> select * from ods.plg_debug_log order by id;
SQL> spool off

6. Disable the plug-in debugging:

SQL> @$ORACLE_HOME/ldap/admin/oidspdof.pls