22 Configuring Referential Integrity

This chapter describes how to enable, disable, and configure referential integrity in Oracle Internet Directory using Oracle Enterprise Manager Fusion Middleware Control and LDAP command-line utilities. It also describes how to detect and correct referential integrity violations.

22.1 Introduction to Configuring Referential Integrity

Referential integrity is the process of maintaining consistent relationships among sets of data.

If referential Integrity is enabled in Oracle Internet Directory, whenever you update an entry in the directory, the server also updates other entries that refer to that entry. For example, if you remove a user's entry from the directory, and the user is a member of a group, the server also removes the user from the group. If referential integrity is not enabled, the user remains a member of the group until manually removed. Referential integrity is not enabled by default.

Note:

Disable referential integrity during the replication bootstrapping process. If referential integrity is enabled, bootstrapping fails.

Referential integrity takes effect in two situations:

  • Delete–When an entry is deleted, all the DN attributes that refer to this entry DN are removed.

  • Modify–When an entry's DN is modified (renamed), all the attributes that refer to this entry DN are modified.

The Oracle Internet Directory server can enforce referential integrity. For every LDAP add, modify, delete, and rename operation, the server monitors the request and updates the necessary DN references.

Two configuration parameters control referential integrity: orclRIenabled and orclRIattr.

  • The parameter orclRIenabled controls the referential integrity level. Values for orclRIenabled are:

    • 0–Referential integrity is disabled

    • 1–Referential integrity is enabled for member and uniquemember attributes only.

    • 2–Referential Integrity is enabled for a list of DN syntax attributes as specified in orclRIattr and for attributes member and uniquemember.

  • When orclRIenabled is set to 2, the value of the parameter orclRIattr takes effect. The value of orclRIattr is a list of referential integrity-enabled attributes.

If referential integrity is enabled, it is strictly enforced. For example, you cannot add a group entry whose member or uniquemember attributes are not currently part of the DIT.

22.2 Enabling Referential Integrity Using Fusion Middleware Control

You can enable referential integrity by using Oracle Enterprise Fusion Middleware Control.

To configure and enable referential integrity by using Oracle Enterprise Manager Fusion Middleware Control, perform the following steps:

  1. Select Administration, then Shared Properties from the Oracle Internet Directory menu, then select General.
  2. Select a value from the Referential Integrity list:

    • Enabled for GroupofNames and GroupofUniqueNames

    • Enabled for GroupofNames, GroupofUniqueNames, and configured DN attributes

  3. Choose Apply.

22.3 Disabling Referential Integrity Using Fusion Middleware Control

You can disable referential integrity by using Oracle Enterprise Manager Fusion Middleware Control.

To disable referential integrity by using Oracle Enterprise Manager Fusion Middleware Control, perform the following steps:

  1. Select Administration, then Shared Properties from the Oracle Internet Directory menu, then select General.
  2. Select Disabled from the Enable Referential Integrity list.

22.4 Enabling Referential Integrity Using the Command Line

This section gives a description of how to enable referential integrity using command line utility.

You enable referential integrity in the directory by using ldapmodify to change the value of the parameter orclRIenabled in the DSA Configuration entry:

cn=dsaconfig,cn=configsets,cn=oracle internet directory.

You can set the value to either 1 or 2.

Setting a value of 1 enables referential integrity for GroupofNames and GroupofUniqueNames.

Setting a value of 2 for orclRIenabled enables referential integrity for GroupofNames and GroupofUniqueNames and for specific configured attributes. The next section describes configuring specific attributes.

For example, you would use a command line such as:

ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile

with an LDIF file such as:

dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
changetype: modify
replace: orclRIenabled
orclRIenabled: 2

Changes to orclRIenabled take effect immediately.

22.5 Configuring Specific Attributes for Referential Integrity by Using the Command Line

When orclRIenabled is set to 2, referential integrity is enabled for GroupofNames, GroupofUniqueNames, and for specific configured attributes.

You configure specific attributes for referential integrity by using catalog with the arguments rienable=TRUE, add=true, and attribute=name_of_attribute. This adds the attribute to orclRIattr, which contains the list of DN syntax attributes to which referential integrity applies. You remove an attribute from referential integrity by using catalog with the arguments rienable=TRUE, delete=true, and attribute=name_of_attribute. This removes the attribute from orclRIattr.

Note:

  • You cannot change the value of orclRIattr by using ldapmodify. You must use the catalog command.

  • Remember that the DOMAIN_HOME environment variable must be set when you use catalog.

This example enables referential integrity for the attribute manager. 

catalog connect="connect_str" add=true rienable="TRUE" attribute="manager"

This example disables referential integrity for the attribute manager. 

catalog connect="connect_str" delete=true rienable="TRUE" attribute="manager"

22.6 Disabling Referential Integrity by Using the Command Line

You can disable referential integrity by using command line utility.

To disable referential integrity in the directory, set the value of orclRIenabled to 0 in the DSA Configuration entry:

cn=dsaconfig,cn=configsets,cn=oracle internet directory.

22.7 Detecting and Correcting Referential Integrity Violations

When you try to enable referential integrity, if there are underlying violations in the DIT, you get an error.

You must run the oiddiag tool to look at the violations, rectify them, and then enable referential integrity. The oiddiag tool has an option, OidDiagDC10, to report all the referential integrity violations. in LDIF format. That LDIF file can be used with ldapmodify tool to fix all reported entries. The steps are as follows:

  1. Run oiddiag with the option listdiags=true. The default output file is $DOMAIN_HOME/tools/OID/logs/oiddiag.txt.
  2. Edit the output file, oiddiag.txt so that it contains only the line:
    oracle.ldap.oiddiag.dc.OidDiagDC10
  3. Run oiddiag with the option collect_sub=true

See Also:

  • The oiddiag command reference in Oracle Fusion Middleware Reference for Oracle Identity Management

  • The oiddiag usage message. Type: 

    oiddiag -help

Note:

On Windows, the filename of the oiddiag command is oiddiag.bat.