4
Directory Administration Tools

This chapter introduces the various administration tools of Oracle Internet Directory. It discusses the online administration tool, called Oracle Directory Manager, and tells you how to launch it, navigate through it, and connect to directory servers with it. It also introduces the command-line tools for ldap, bulk, and catalog operations.

This chapter contains these topics:

• Using Oracle Directory Manager
• Using Command-Line Tools
• Routine Administration at a Glance

Using Oracle Directory Manager

Oracle Directory Manager is a Java-based tool for administering Oracle Internet Directory. This section describes some of its basic features. More specific instructions are found in sections throughout this book that explain how to perform various tasks.

This section contains these topics:

• Starting Oracle Directory Manager
• Connecting to a Directory Server
• Navigating Oracle Directory Manager
• Connecting to Additional Directory Servers by Using Oracle Directory Manager
• Disconnecting from a Directory Server by Using Oracle Directory Manager
• Performing Administration Tasks by Using Oracle Directory Manager

  Note: You cannot use Oracle Directory Manager to administer LDAP directories other than Oracle Internet Directory.

Starting Oracle Directory Manager

Before you can launch Oracle Directory Manager, you must have a directory server instance running.

To start Oracle Directory Manager, follow the instructions for your operating system:

Operating System	Instructions
Windows NT	From the Start menu, click Programs > ORACLE_HOME > Oracle Internet Directory > Oracle Directory Manager
UNIX	If you have not set the path, then navigate to ORACLE_HOME/bin. Type at the system prompt: oidadmin

The first time you start Oracle Directory Manager, an alert tells you that you must connect to a server. Click OK. The Directory Server Connection dialog box appears.

Connecting to a Directory Server

To connect to a directory server:

1. In the Directory Server Connection dialog box, type the name and port number of an available server.

   The default port is 389. You can change the port if you wish. However, if you have an Oracle directory server running on a port that is not the default, then be sure that any clients that use that server are informed of the correct port.

   Click OK. The Oracle Directory Manager Connect dialog box appears.

2. In each field of the Credentials tab page, type the information specific to this server instance as described in the next table.

   Field	Description
   User	The first time you log in, do so either as the super user or anonymously. If you intend to configure SSL features during this session, login as the super user. If you are logging in as the super user, in the User box, type cn=orcladmin. If you are logging in anonymously, leave the User box empty. If you have already set up the user's entry by using LDAP command-line tools, you can enter that user's entry in one of two ways: Browse and select that entry by using the button to the right of the User field Type the distinguished name (DN) for that user's entry by using the correct format, for example, cn=Susie Brown,ou=HR,o=acme,c=us
   Password	If you are logging in as the super user and you specified a password for the super user during installation, in the Password box, type the password you specified. Otherwise, type the default password, namely, welcome. After you are logged into Oracle Directory Manager and have connected to a directory server, you should change this password to protect the directory. If you are logging in anonymously, leave the Password box empty. If you want to login as a specific directory user, enter the corresponding password. See Also: "Managing Super Users, Guest Users, and Proxy Users" for instructions on how to change the password
   Server	From the Server list, select the host containing the directory server to which you want to connect. If you are already connected to a directory server, and you want to connect to one on a different host: Click the button to the right of the Server field. The Select Directory Servers dialog box displays a list of available servers. Select a server. Click OK. To add a directory server to the list: In the Select Directory Servers dialog box, click Add. The Directory Server Connection dialog box appears. In the Server field, type the name of the directory server you want to add. In the Port field, type the port number for the server you want to add. Click OK. The added directory appears in the list in the Select Directory Server dialog box. To modify a directory server on the list: Select the directory server you want to modify. Click Edit. The Directory Server Connection dialog box appears. Modify the Server and Port fields, then click OK. The modifications for that server appear in the list in the Select Directory Server dialog box.
   Port	The default port (389) appears in this field. If there is more than one directory server instance on the same host, each directory server instance has a different port, and that port number appears in this field when you select the directory server instance. To change this port number: Click the button to the right of the Server field. In the Select Directory Server dialog box, select the directory server. Click Edit. The Directory Server Connection dialog box appears. In the Directory Server Connection dialog box, in the Port field, enter the new port number, then click Ok.
   SSL Enabled	Selecting this check box causes all commands you issue by using Oracle Directory Manager to be sent over Secure Sockets Layer (SSL). You can connect to a directory server either with or without SSL. If you connect by using SSL, then Oracle Directory Manager becomes an SSL client. You can connect in this way if both of the following two conditions are met: The server to which you are connecting uses SSL. If that server does not use SSL, and you select this check box, then authentication will fail. You have already created a wallet containing a certificate and a list of trusted certificates.

   See Also: Chapter 11, "Secure Sockets Layer (SSL) and the Directory" for instructions on enabling SSL "Entries" for instructions on formatting distinguished names "Configuring SSL Parameters" for information about changing ports and their impact on security Oracle Advanced Security Administrator's Guide for instructions on creating a wallet by using Oracle Wallet Manager when using SSL

3. If you selected the SSL Enabled check box on the Credentials tab, then select the SSL tab.
4. Enter the requested data in the fields as described in the next table.

   Field	Description
   SSL Location	The client wallet used in two-way authentication. If the client wallet is on the local machine, then type the wallet path and file name by using this syntax: file: absolute_path_name If the wallet is on another machine, then link to that location and enter the linked path and file name of the wallet.
   SSL Password	The password to open the user's wallet
   SSL Authentication	Select the authentication level: No SSL Authentication--Neither the client nor the server authenticates itself to the other. No certificates are sent or exchanged. If you selected the SSL Enabled check box on the Credentials tab, and choose this option, then only SSL encryption/decryption will be used. SSL Client and Server Authentication--Two-way authentication. Both client and server send certificates to each other. SSL Server Authentication--One-way authentication. Only the directory server authenticates itself to the client by sending its certificate to the client.

5. Click Login. Oracle Directory Manager appears.

Navigating Oracle Directory Manager

This section provides an overview of Oracle Directory Manager, and explains the items in the menu bar and the buttons on the toolbar.

Overview of Oracle Directory Manager

Like the directory itself, the navigator pane (left side of the double window interface) has a tree-like structure. When Oracle Directory Manager first opens, the navigator pane shows only one tree item, Oracle Internet Directory Servers. By clicking the plus sign(+) next to the tree item, subcomponents of that tree item appear.

In the right pane, some windows contain buttons labeled Apply and OK. If you press Apply, the changes you have made are committed, and the window remains available for more changes. If you press OK, the changes you have made are committed, and the window closes.

Similarly, some windows have buttons that are labeled Revert and Cancel. If you press Revert, then the changes you have made in that window do not take effect, the original values reappear in the fields, and the window stays open for further work. If you press Cancel, the changes you have made in that window do not take effect, and the window closes.

The Oracle Directory Manager Menu Bar

The next table lists and describes the menus you can access by using the menu bar. Menu items become enabled or disabled depending on the pane or tab page you are displaying.

Menu	Menu Items
File	Create--Adds an object Create Like--Adds a new object by using the object selected in the navigator pane as a template Connect--Connects to a directory server selected in the navigator pane Disconnect--Disconnects from a directory server selected in the navigator pane Exit--Exits Oracle Directory Manager
Edit	Edit--Modifies an object Remove--Removes a selected object Find Object Classes--Searches for an object class
View	Refresh--Updates data stored in memory to reflect changes in the database Tear-Off--Generates a secondary dialog containing the fields and values displayed in Oracle Directory Manager's right pane. This is useful when comparing two pieces of information.
Operations	Create Object Class--Displays the New Object Class dialog box that you use to add a new object class Create Attribute--Displays the New Attribute Type dialog box that you use to add a new attribute to an entry Create Access Ctrl Point--Displays the New Access Control Point dialog box that you use to add a new access control policy point. Create Entry--Displays the New Entry dialog box that you use to add a new directory entry Refresh Entry--Updates data for entries stored in memory to reflect changes in the database Refresh Subtree Entries--Updates the children of entries stored in memory to reflect changes in the database Drop Index--Removes an index from an attribute. When you select this item, an alert asks you to confirm that you want to drop the index. Search ACPs--Enables you to configure ACP searches User Preferences--Displays a dialog box that enables you to: Configure the display of entry search results Establish whether ACPs are displayed whenever Oracle Directory Manager runs, or only as the result of a search
Help	Contents--Displays the Contents tab page of the Help navigator Search for Help On...--Displays the Help Search dialog box that you use to search for words in the online help guide About Oracle Internet Directory--Displays Oracle Internet Directory version information

The Oracle Directory Manager Toolbar

Figure 4-1 and Table 4-1 together illustrate and describe the Oracle Internet Directory toolbar, starting at the left. Buttons become enabled or disabled depending on the pane or tab page you are displaying in Oracle Directory Manager.

Figure 4-1 Oracle Directory Manager Toolbar

Text description of the illustration toolsa.gif

Table 4-1  Oracle Directory Manager Toolbar

Button	Purpose
1	Connect/Disconnect--Connects to or disconnect from a directory server selected in the navigator pane
2	Refresh--Updates data for objects other than entries that are stored in memory to reflect changes in the database
3	Create--Adds a new object
4	Create Like--Adds a new object by using another object as a template
5	Edit--Modifies an object
6	Find Object Classes or Attributes--Searches for either an object class or an attribute, depending on the context. If, in the navigator pane, you navigate to Oracle Internet Directory > directory_server_instance > Server Management > Object Classes, then this button searches for an object class. If you navigate to Oracle Internet Directory > directory_server_instance > Server Management > Attributes, this button searches for attributes.
7	Delete--Removes an object
8	Refresh Entry--Updates data for entries stored in memory to reflect changes in the database
9	Refresh SubTree Entries--Updates the children of entries stored in memory to reflect changes in the database
10	Drop Index--Removes an index from an attribute. When you click this button, an alert asks you to confirm that you want to drop the index.
11	Search--Enables you to configure ACP searches
12	User Preferences--Enables you to configure the display of ACPs in the navigator pane, as well as entries in a search operation
13	Help--Displays the Help system

Connecting to Additional Directory Servers by Using Oracle Directory Manager

You can connect to more than one directory server at a time, and then view and modify the data, schema, and security for each directory server. If you do this, then each server is listed in the navigator pane under Oracle Internet Directory Servers.

To connect to an additional directory server:

1. In the navigator pane, select Oracle Internet Directory Servers.
2. In the right pane, click New.
3. Follow the login procedures described in "Connecting to a Directory Server".

Disconnecting from a Directory Server by Using Oracle Directory Manager

To disconnect from a directory server by using Oracle Directory Manager, choose File > Disconnect. Also, when you exit Oracle Directory Manager, connections between all directory servers and the directory are automatically disconnected.

All connection information is stored in the user's home directory in the file osdadmin.ini.

When you restart Oracle Directory Manager, all previously connected server connections appear in the Directory Server Login dialog box.

Performing Administration Tasks by Using Oracle Directory Manager

You can perform most of the Oracle Internet Directory administrative tasks through Oracle Directory Manager. Tasks that you cannot perform through Oracle Directory Manager involve running processes, such as starting and stopping the OID Monitor (oidmon) process and starting and stopping server instances. To perform tasks that you cannot perform with Oracle Directory Manager, use the appropriate LDAP command-line tool.

The following table lists the task areas managed by Oracle Directory Manager and where to find instructions for using it in each area.

Task Area	Instructions
Schema administration	"Managing Object Classes by Using Oracle Directory Manager" "Managing Attributes by Using Oracle Directory Manager"
Entries management	"Managing Entries by Using Oracle Directory Manager"
ACP administration	"Managing Access Control by Using Oracle Directory Manager" Managing Access Control by Using Command-Line Tools
Partitioning and replication	Chapter 22, "Oracle Directory Replication Server Administration"

Using Command-Line Tools

Oracle Internet Directory provides several types of command-line tools for manipulating directory entries and attributes--for example:

• LDAP tools, for altering objects in text files written in the LDAP Data Interchange Format (LDIF)
• Bulk tools, for creating or managing large numbers of directory entries by using data from other applications
• A catalog management tool, for making existing attributes indexable
• Various tools to help you synchronize multiple directories in your enterprise

Many of the command-line tools act on objects that are in text files written in the LDAP Data Interchange Format (LDIF).

Table 4-2 lists and describes the various command-line tools, and points you to more information about each one.

Table 4-2  Oracle Internet Directory Command-Line Tools

Tool	Description	More Information
Starting, Stopping, and Monitoring Oracle Internet Directory Servers
OID Control Utility (OIDCTL)	OID Control Utility is a command-line tool for starting and stopping the server. The commands are interpreted and executed by the OID Monitor process.	"Oracle Internet Directory Architecture" for a conceptual description "The OID Control Utility" for syntax and usage notes
OID Monitor (OIDMON)	Use this tool to initiate, monitor, and terminate the LDAP server processes. If you elect to install a replication server, OID Monitor controls it. When you issue commands through OID Control Utility (OIDCTL) to start or stop directory server instances, your commands are interpreted by this process.	"Oracle Internet Directory Architecture" for a conceptual description "The OID Monitor" for syntax and usage notes
Managing Entries
ldapadd	Use this tool to add entries one at a time.	"ldapadd Syntax"
ldapaddmt	Use this tool to add several entries concurrently by using this shared-server tool.	"ldapaddmt Syntax"
ldapbind	Use this tool to authenticate user/client to a directory server.	"ldapbind Syntax"
ldapdelete	Use this tool to delete entries.	"ldapdelete Syntax"
ldapmoddn	Use this tool to modify the DN or RDN of an entry, rename an entry or a subtree, or move an entry or a subtree under a new parent.	"ldapmoddn Syntax"
ldapsearch	Use this tool to search for directory entries.	"ldapsearch Syntax"
Managing Attributes
Catalog Management Tool (catalog.sh)	Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, the entry cn=catalogs lists available attributes that can be used in a search. Only those attributes that have an equality matching rule can be indexed. If you want to use additional attributes in search filters, you must add them to the catalog entry. You can do this at the time you create the attribute by using Oracle Directory Manager. However, if the attribute already exists, then you can index it only by using the Catalog Management tool.	"The Catalog Management Tool" for syntax and usage notes "Indexing an Attribute by Using Command-Line Tools" "Indexing an Attribute by Using Oracle Directory Manager"
ldapcompare	Use this tool to see whether an entry contains a specified attribute value.	"ldapcompare Syntax"
ldapmodify	Use this tool to create, update, and delete attribute data for an entry.	"ldapmodify Syntax"
ldapmodifymt	Use this tool to modify several entries concurrently by using this shared-server tool.	"ldapmodifymt Syntax"
Performing Bulk Operations
bulkdelete	Use this tool to delete a subtree efficiently	"bulkdelete Syntax"
bulkload	Use this tool to load large number of entries to Oracle Internet Directory through LDIF files	"bulkload Syntax"
bulkmodify	Use this tool to modify a large number of existing entries efficiently	"ldapmodify Syntax"
ldifwrite	Use this tool to copy data from the directory information base into an LDIF file that can be read by any LDAP-compliant directory server. You can use ldifwrite in conjunction with bulkload. You can also use ldifwrite to back up information from all or part of a directory.	"ldifwrite Syntax"
Managing Replication
OID Reconciliation Tool	When a replication conflict arises, Oracle directory replication server places the change in the retry queue and tries to apply it from there for a specified number of times. If it fails after that specified number, then the replication server puts the change in the human intervention queue. From there, the replication server repeats the change application process at less frequent intervals while awaiting your action. At this point, you need to: Examine the change in the human intervention queues Reconcile the conflicting changes on the consumer with those on the supplier by using the OID Reconciliation Tool Place the change either back into the retry queue or into the purge queue	"Using the OID Reconciliation Tool" "The OID Reconciliation Tool" for syntax and an explanation of how OID Reconciliation Tool works
Human Intervention Queue Manipulation Tool	Once you have reconciled conflicting changes by using the OID Reconciliation Tool, the Human Intervention Queue Manipulation Tool enables you to move them from the human intervention queue to either the retry queue or the purge queue. Moving the change to the purge queue means that there are no further attempts to re-apply the change log entry.	"Using the Human Intervention Queue Manipulation Tool" "The Human Intervention Queue Manipulation Tool"
Managing Synchronization and Provisioning
Provisioning Subscription Tool	Use this tool to administer provisioning profile entries in the directory, including creating, disabling, enabling, deleting, monitoring, and clearing errors	"The Provisioning Subscription Tool"
oidmuplf.sh	Use this tool to load mapping and configuration information when you are synchronizing directories.	"The oidmuplf.sh Tool"
oidmcrep.sh	Use this tool to create a synchronization profile	"The oidmcrep.sh Tool"
oidmdelp	Use this tool to deregister a synchronization profile	"The oidmdelp.sh Tool"
stopodis	In a client-only installation where the monitor and oidctl tools are not available, you can start the directory integration server without the oidctl tool	"The stopodis.sh Tool"
schemasync	Use this tool to synchronize schema elements--namely attributes and object classes--between an Oracle directory server and third-party LDAP directories	"The schemasync Tool"
Migrating from Application-Specific Repositories
OID Migration Tool	Use this tool to migrate data from application-specific repositories into Oracle Internet Directory.	"The OID Migration Tool"
Monitoring Database Statistics
OID Database Statistics Collection Tool (oidstats.sh)	Use this tool to analyze the various database ods schema objects to estimate the statistics. You must run this utility whenever there are significant changes in directory data--including the initial load of data into the directory. If you load data into the directory by any means other than the bulkload tool (bulkload.sh), then you must run the OID Database Statistics Collection tool after loading. Statistics collection is essential for the Oracle Optimizer to choose an optimal plan in executing the queries corresponding to the LDAP operations. You can run OID Database Statistics Collection tool at any time, without shutting down any of the OID daemons.	"The OID Database Statistics Collection Tool"
Changing the Database Password
OID Database Password Utility (oidpasswd)	Oracle Internet Directory uses a password when connecting to an Oracle database. The default for this password when you install Oracle Internet Directory is ODS. You can change this password by using the OID Database Password Utility.	"The OID Database Password Utility"

Routine Administration at a Glance

Oracle Internet Directory routine administration tasks are described throughout this manual. The following table points you to the information you need for some of the more common tasks.

Task	Information
Managing Attributes
Add, modify, or delete an attribute by using command-line tools	"Managing Attributes by Using Command-Line Tools"
Add, modify, or delete an attribute by using the Oracle Directory Manager	"Managing Attributes by Using Oracle Directory Manager"
Managing Entries
Add, modify, or delete a directory entry by using command-line tools	"Managing Entries by Using Command-Line Tools"
Add, modify, or delete a directory entry by using Oracle Directory Manager	"Managing Entries by Using Oracle Directory Manager"
Import bulk data files	"bulkload Syntax" "LDAP Data Interchange Format (LDIF) Syntax"
View Directory Information Tree (DIT) hierarchy of entries	"Managing Entries by Using Oracle Directory Manager"
Managing Object Classes
Add, modify, or delete object classes by using command-line tools	"Managing Object Classes by Using Command-Line Tools"
Add, modify, or delete object classes by using Oracle Directory Manager	"Managing Object Classes by Using Oracle Directory Manager"
Managing Replication
Set up replication	Chapter 22, "Oracle Directory Replication Server Administration"
Resolve replication change conflicts	"Resolving Conflicts Manually"
Move replication changes from human intervention queue to either the retry queue or the purge queue	"Using the Human Intervention Queue Manipulation Tool"
Managing Security
Set up an Access Control Policy Point (ACP)	Chapter 12, "Directory Access Control"
Set up SSL	Chapter 11, "Secure Sockets Layer (SSL) and the Directory"
Managing Servers
Configure server instance parameters by using command-line tools	"Managing Server Configuration Set Entries by Using Command-Line Tools"
Configure server instance parameters by using Oracle Directory Manager	"Managing Server Configuration Set Entries by Using Oracle Directory Manager"
Connect to a directory by using Oracle Directory Manager	"Connecting to a Directory Server" "Connecting to Additional Directory Servers by Using Oracle Directory Manager"
Start the directory server processes	Chapter 3, "Preliminary Tasks and Information"
Stop the directory server processes	Chapter 3, "Preliminary Tasks and Information"
View system operational attributes	"Setting System Operational Attributes by Using Oracle Directory Manager"