1. Reference for Oracle Identity Management
  2. Command-Line Tool Reference
  3. Oracle Internet Directory Data Management Tools

3 Oracle Internet Directory Data Management Tools

You can use the data management command-line tools to administer the entries and data stored in Oracle Internet Directory.

This section contains the following topics:

Note:

  • The bulk tools do not support attribute uniqueness.

  • If your schema were created during installation of a version prior to 11g Release 1 (11.1.1.6.0), you must add data files to the OLTS_CT_STORE and OLTS_ATTRSTORE tablespaces if you intend to add more than a million entries to Oracle Internet Directory. Perform this step prior to the bulkload or ldapadd operation. For details, see the section Creating Data Files and Adding Data Files to a Tablespace in Oracle Database Administrator's Guide.

3.1 bulkdelete

The bulkdelete command-line tool enables you to delete one or more subtrees efficiently.

The bulkdelete command can be used when both an Oracle Internet Directory server and Oracle Directory Replication servers are in operation. It uses a SQL interface to benefit performance. For this release, the bulkdelete tool runs on only one node at a time.

You must restrict LDAP activity against the subtree during deletion.

Note:

The bulkdelete command requires that the environment variable DOMAIN_HOME be set.

The following examples show how to delete one or more subtrees from the directory:

3.1.1 Deleting All Entries in a Naming Context and Making Them Tombstone Entries

You can delete all entries in a naming context and make them tombstone entries by using bulkdelete command.

Execute the following command:

bulkdelete connect="dbs1" basedn="cn=OracleContext" cleandb="FALSE"

3.1.2 Completely Deleting All Entries in a Naming Context

You can completely delete all the entries in a naming context by using bulkdelete command without proving any cleandb option.

Execute the following command:

bulkdelete connect="dbs1" basedn="cn=OracleContext"

3.1.3 Deleting Entries in Multiple Naming Contexts

You can delete entries in multiple naming contexts by providing a file containing the list of DNs to be deleted.

This example uses a file that contains a list of DNs to delete.

bulkdelete connect="dbs1" file="~/myfiles/dn.txt"

3.2 bulkload

The bulkload command-line tool is useful for loading large number of entries into a directory server.

The bulkload command uses Oracle SQL*Loader to load the directory entries. The bulkload tool expects the input file to be in LDAP Data Interchange Format (LDIF). See LDIF File Format for the correct format and syntax of an LDIF file.

Intermediate files used by bulkload are stored in$DOMAIN_HOME/tools/OID/load by default. For more information, refer to the following sections:

3.2.1 Using bulkload with Replication

When you add data to a node that is part of a Directory Replication Group (DRG), you can use either bulk tools or LDAP tools, depending on the circumstances.

Note:

The bulkload command requires that the environment variable DOMAIN_HOME be set.

When you add data to a node that is part of a Directory Replication Group (DRG), you can use either bulk tools or LDAP tools, depending on the circumstances. The following rules apply:

  • When you add new entries to all nodes in the DRG, you can use either bulk tools or LDAP tools. For more than 20K entries, bulk tools are significantly faster. If you use LDAP tools, add the entries to only one node in the DRG and let replication propagate the entries. If you use bulk tools, generate the intermediate file only once from the LDIF file and use that intermediate file to load the entries onto all the nodes in the DRG.

  • When you copy existing entries from one node to another in the same replication group, use bulk tools. Use the bulkload option restore=true when you upload the data.

  • If the LDIF file contains operational attributes, which it does when created with ldifwrite, use bulkload to add the entries.

  • If the replication agreement is a partial replication agreement, use ldifwrite with the base DN as the replication agreement DN to write the entries to the LDIF file. Then use bulkload with the restore=true option to load the data.

3.2.2 Overview of the Bulk Loading Tool Operations

The Bulk Loading tool performs Check, Generate, Load actvities.

The Bulk Loading Tool performs its operations in the following phases:

  1. Check

    In the check phase, all entries of LDIF files are verified for valid LDAP schema and duplicate entries. The Bulk Loading Tool reports any errors, which must be corrected before proceeding.

  2. Generate

    In the generate phase, the LDIF input is converted into intermediate files that can be used by SQL*Loader to load the data into the Oracle Internet Directory directory store.

  3. Load

    The Intermediate files generated in generate phase are loaded into the Oracle Internet Directory directory store. The Bulk Loading Tool supports two types of loading of data:

    • Incremental Mode Loading

      Incremental mode enables you to append data to existing directory data. Loading in this mode is faster than other add methods, but slower than bulk mode loading.

      Use this mode when you want to append a small amount of data. Here, small amount is a relative number. It depends upon existing data in directory, the amount of data to be loaded, and the hardware capabilities to handle the load.

      In this mode, the Bulk Loading Tool does not drop and rebuild catalog indexes. Instead, it uses SQL*Loader in insert mode to add data to the database and update indexes through inserts.

    • Bulk Mode Loading

      In bulk mode, you must be able to add or append large number of entries to a directory. By default, the Bulk Loading Tool runs in bulk mode. Bulk mode is faster than incremental mode.

      In bulk mode, all Oracle Internet Directory server instances should be stopped. In this mode, the Bulk Loading Tool drops existing indexes and re-creates them after loading of data. For data loading, it uses SQL*Loader direct-path mode.

      Note:

      • Running the bulkload -load operation sets the server mode to read-write. If you require a different mode, reset it after performing the load operation.

      • At the start of the load operation, bulkload determines the current configured value of orclRIenabled, then disables referential integrity. At the end of load phase, bulkload returns orclRIenabled to its original value. If is any referential integrity violations occurred, however, referential integrity is disabled, and you see the message: 

        There is a violation of Referential Integrity and hence it is Disabled now. Run the OIDDIAG tool with diagnostic option to collect the Entries which have dangling DN attribute values and Fix the violation

        Fix the violation and then set orclRIenabled to the desired value.

  4. Index Creation

    After the load is complete, the indexes are re-created if the load was done in bulk mode. Also, the Bulk Loading Tool provides an option just to re-create all indexes. This is useful in case if previous index creation was unsuccessful for some reason.

  5. Directory Data Recovery

    A failure in the load phase can leave directory data in an inconsistent state. The Bulk Loading Tool can revert back to original state that existed prior to the invocation of bulkload.

3.2.3 Prerequisites for Using the Bulkload Tool

Ensure these prerequisites are met before using the Bulkload Tool.

Before running the bulkload tool:

  1. Stop your Oracle Internet Directory server instance(s) before loading data in bulk mode.
  2. Take a cold backup of the Oracle Internet Directory database.
  3. If loading data in incremental mode, you do not need to stop the directory server, although you must put the directory server in read-modify mode. Read-modify mode restricts add, delete, and modify DN operations.
  4. If loading an LDIF file with data from an older version of Oracle Internet Directory, see the Planning an Upgrade of Oracle Fusion Middleware in Oracle Fusion Middleware Planning an Upgrade of Oracle Fusion Middleware for any special instructions about upgrading orclguids before you begin.

3.2.4 Tasks and Examples for bulkload

You can load data in various modes and verify and recreate indexes using the bulkloadtool.

This section contains the following topics:

3.2.4.1 Loading Data in Bulk Mode

This task describes the procedure for loading data in Bulk Mode.

The typical usage scenario is to load directory data after Oracle Internet Directory installation. First check the LDIF file for schema errors and generate the intermediate files. Next, load the data into the Oracle Internet Directory store.

The following example shows how to run the bulkload tool. The tool is first run with the check and generate options. The check option checks the input for schema and data consistency violations. The generate option generates the input files for SQL*Loader. Next, the command is run with the load option to load the data into the directory. 

bulkload connect="orcl" check="TRUE" generate="TRUE" file="~/myfiles/data.ldif"
bulkload connect="orcl" load="TRUE"
3.2.4.2 Loading Data for Multiple Nodes in a Replicated Environment

This task describes the procedure to load data for multiple nodes in a replicate environment.

When you load the same data into multiple nodes in a replicated network, ensure that the orclGUID parameter (global ID) is consistent across all the nodes. You can accomplish this by generating the bulk load data file once only (using the generate argument), and then using the same data file to load the other nodes (using the load argument).

3.2.4.3 Loading Data in Incremental Mode

This task describes the procedure to load data in incremental mode.

If you must add directory entries to an Oracle Internet Directory store already containing some user LDIF data, use the append argument to denote incremental mode. This mode is normally faster than other methods of adding entries to the directory. However, be sure that the directory server instances are in read-modify mode before you begin. The following example shows how to run bulkload in incremental mode. 

bulkload connect="orcl" check="TRUE" generate="TRUE" load="TRUE" append="TRUE" file="~/myfiles/data.ldif"
3.2.4.4 Verifying Indexes

You can verify existing indexes in the directory using the check option along with the index option.

Execute the following command:

bulkload connect="orcl" check="TRUE" index="TRUE"
3.2.4.5 Recreating Indexes

This task describes the procedure to recreate indexes.

The load operation either updates or creates the indexes. However, due to issues like improper sizing, the indexes may not be updated or created properly. For this reason, the bulkload tool enables you to re-create all the indexes. 

bulkload connect="orcl" index="TRUE"
3.2.4.6 Recovering Data After a Load Error

This task describes the procedure to recover data after a load error.

Due to issues like improper disk sizing, the load operation may fail. If this happens, then directory data can be inconsistent. For this reason, bulkload enables you to recover the directory data to the state that existed prior to the invocation of bulkload. 

bulkload connect="orcl" recover="TRUE"

3.3 bulkmodify

The bulkmodify command-line tool enables you to modify a large number of existing entries in an efficient way.

Note:

The bulkmodify command requires that the environment variable DOMAIN_HOME be set.

For more information, refer to the following sections:

3.3.1 About bulkmodify Tool

Understand about the usage of bulkmodify tool.

The bulkmodify tool supports the following:

  • Subtree based modification

  • LDAP search filter. For example, the filter could be objectclass=*, objectclass=oneclass, or '(&(sn=Baileys)(cn=Kalid Baileys))'.

  • Attribute value addition and replacement. It modifies all matched entries in bulk.

The bulkmodify tool performs schema checking on the specified attribute name and value pair during initialization. All entries that meet the following criteria are modified:

  • They are under the specified subtree.

  • They meet the LDAP filter condition.

  • They contain the attribute to be modified as either mandatory or optional.

The directory server and directory replication server may be running concurrently while bulk modification is in progress, but the bulk modification does not affect the replication server. You must perform bulk modification against all replicas.

Note:

LDIF file based modification is not supported by bulkmodify. This type of modification requires per-entry-based schema checking, and therefore the performance gain over the existing ldapmodify tool is insignificant.

Make sure that when bulkmodify is invoked, server side entry cache is disabled.

You must restrict user access to the subtree during bulk modification. If necessary, access control item (ACI) restriction can be applied to the subtree being updated by bulkmodify.

You cannot use bulkmodify to add a value to single-valued attributes that already contain one value. If a second value is added, you must alter the directory schema to make that attribute multi-valued.

3.3.2 Attributes Excluded from add or replace Operations Using the bulkmodify Tool

Understand about the concept of excluding add or replace attributes while performing bulkmodify.

The bulkmodify tool does not allow add or replace operations on the following attributes:

  • dn (use ldapmoddn instead)

  • cn (use ldapmodify instead)

  • userpassword (use ldapmodify instead)

  • orclpassword (use ldapmodify instead)

  • orclentrylevelaci (use ldapmodify instead)

  • orclaci (use ldapmodify instead)

  • orclcertificatehash

  • orclcertificatematch

  • any binary attribute

  • any operational attribute

It does not allow replace operation on the attribute objectclass.

It does not allow add for single-valued attributes.

3.3.3 Limitations of bulkmodify

Understand about the limitations of bulkmodifycommand.

bulkmodify has the following limitations:

  • bulkmodify does not distinguish between attributes with or without subtypes, when performing the replace operation. bulkmodify replaces the attribute value irrespective of whether the attribute contains subtypes.

  • bulkmodify allows the RDN to be modified without modifying the DN. If an attribute is part of a DN, then the attribute value is modified but the DN entry in the directory is not modified.

  • bulkmodify does not perform an object class check when performing an add operation. When adding a new attribute to a directory entry, bulkmodify does not verify if the entry has the required object class to support the attribute.

3.3.4 Updating an Attribute for Multiple Entries at Once

The following example shows how to modify an attribute for several entries using a filter.

This command adds the telephone number 408-123-4567 to the entries of all employees who have Anne Smith as their manager.

Example:

bulkmodify connect="orcl" basedn="c=US" add="TRUE" attribute="telephoneNumber" value="408-123-4567" filter="manager=Anne Smith"

3.4 catalog

Oracle Internet Directory uses indexes to make attributes available for searches.

When Oracle Internet Directory is installed, the cn=catalogs entry lists available attributes that can be used in a search. You can index only those attributes that have:

3.4.1 About catalog

From Oracle Internet Directory 11g Release 1 (11.1.1.6.0) onward, a new autocatalog feature is enabled by default in fresh installs.

You can also enable it if you have upgraded from a previous release. When this feature is enabled, Oracle Internet Directory automatically invokes the catalog command to index attributes when you search for them. If the autocatalog feature is not enabled, and you want to use previously uncataloged attributes in search filters, you must add them to the catalog entry, as in previous releases.

If the autocatalog feature is not enabled, and you want to use additional attributes in search filters, then you must add them to the catalog entry. You can do this at the time you create the attribute by using Oracle Directory Services Manager. However, if the attribute already exists, then you can index it only by using ldapmodify or the Catalog Management Tool (catalog).

Note:

  • You can use the LDAP tool ldapmodify to create and drop indexes from attributes. The ldapmodify tool actually invokes catalog, and you can still use catalog for this purpose.

  • The catalog command requires that the environment variable DOMAIN_HOME be set.

  • The catalog command cannot index more than 1000 attributes at a time. If more than 1000 attributes are present in the file, the tool throws an error. If you need to index more than 1000 attributes, use multiple files.

Before running catalog, be sure that the directory server is either stopped or in read-only mode.

Note:

Do not use the catalog delete="TRUE" argument on indexes created by the Oracle Internet Directory base schema. Removing indexes from base schema attributes can adversely impact the operation of Oracle Internet Directory.

3.4.2 Tasks and Examples for catalog

Using the catalog tool, you can perform the following tasks:

3.4.2.1 Indexing a Single Attribute

The following example shows how to index a single attribute. The catalog tool prompts you for the Oracle Internet Directory super user password.

Example

catalog connect="orcl" add="TRUE" attribute="orclGender"
3.4.2.2 Indexing Multiple Attributes

The following example shows how to index multiple values at once by supplying a file that contains a list of attribute names.

The catalog tool prompts you for the Oracle Internet Directory superuser password.

Example

catalog connect="orcl" add="TRUE" file="~/myfiles/attrs.txt"
3.4.2.3 Removing an Attribute from the List of Indexed Attributes

The following example shows how to remove a single attribute from the list of indexed attributes.

The catalog tool prompts you for the Oracle Internet Directory superuser password.

Example:

catalog connect="orcl" delete="TRUE" attribute="orclGender"
3.4.2.4 Indexing an Attribute Using the IOT Option

The following example indexes the specified attribute and creates an IOT table to improve performance by not creating an additional index.

The catalog tool prompts you for the Oracle Internet Directory superuser password.

Example:

catalog connect="orcl" attribute="orclGender" add="TRUE" iot="TRUE"

3.5 ldapadd

Using the example, understand how to index the specified attribute and create an IOT table to improve performance by not creating an additional index.

The ldapadd command-line tool enables you to add entries, their object classes, attributes, and values to the directory. To add attributes to an existing entry, use the ldapmodify command, explained in ldapmodify.

See Also:

For information on using attribute aliases with ldapadd refer to the "Attribute Aliases In the Directory" section in Administering Oracle Internet Directory.

Using the ldapadd tool, you can perform the following tasks:

3.5.1 Adding Data to the Directory Using an LDIF File

You can use ldapadd to add entries or schema information to the directory from an LDIF file.

The file must be correctly formatted. See LDIF File Format for information about formatting an LDIF file.

Example:

ldapadd -h myhost.company.com -D "cn=orcladmin" -q -p 3060 \
   -f ~/myfiles/input.ldif -v

3.5.2 Adding Data to the Directory Using a DSML File

You can use ldapadd to add entries or schema information to the directory from a Directory Service Markup Language (DSML) file that contains <addRequest> elements.

For more information about the formatting DSML files, visit the OASIS Web site at http://www.oasis-open.org. The following example shows a sample DSML entry for a user.

Example: 

<addRequest dn="CN=Alice,OU=HR,DC=Example,DC=COM">
     <attr name="objectclass"><value>top</value></attr>
     <attr name="objectclass"><value>person</value></attr>
     <attr name="objectclass"><value>organizationalPerson</value></attr>
     <attr name="sn"><value>Johnson</value></attr>
     <attr name="givenName"><value>Alice</value></attr>
     <attr name="title"><value>Software Design Engineer</value></attr>
</addRequest>

Once you have a correctly formatted DSML file, you can add data to the directory using ldapadd and supplying the DSML file as the input file.

Example:

ldapadd -h myhost.company.com -D "cn=orcladmin" -q -p 3060 \
    -X ~/myfiles/input.xml -v

3.5.3 Previewing an Add Operation

Use the -n argument with an ldapadd command to preview the results of an add operation before actually adding any data to the directory.

Example:

ldapadd -h myhost.company.com -D "cn=orcladmin" -q -p 3060 \
    -X ~/myfiles/input.xml -v -n

3.6 ldapaddmt

The ldapaddmt tool performs the same functionality as the ldapadd command. It enables you to add entries, their object classes, attributes, and values to the directory. However, it also supports multiple threads for adding entries concurrently.

While it is processing entries, ldapaddmt logs errors in the add.log file within the current directory.

Note:

Increasing the number of concurrent threads improves the rate at which entries are created, but consumes more system resources.

Adding Concurrent Entries to the Directory Using an LDIF File

You can use ldapaddmt to add concurrent entries or schema information to the directory from an LDIF file. The file must be correctly formatted. See LDIF File Format for information about formatting an LDIF file.

Example: 

ldapaddmt -h myhost.company.com -D "cn=orcladmin" -q -T 5 -p 3060 \
    -f ~/myfiles/input.ldif -v

3.7 ldapbind

The ldapbind command-line tool enables you to see whether you can authenticate a client to a server.

Validating Authentication Credentials

The following example shows how to validate the authentication credentials used to bind to the directory server when using SSL.

Example:

ldapbind -h myhost.company.com -D "cn-orcladmin" -q -p 3133 \
    -U 2 -W "file:/home/my_dir/my_wallet" -Q

3.8 ldapcompare

The ldapcompare command-line tool enables you to compare an attribute value that you specify on the command line to the attribute value in a directory entry.

Comparing Attribute Values for an Entry

The following example shows how to check an entry for a person named Anne Smith to see if her title is Manager.

Example: 

ldapcompare -h myhost.company.com -D "cn=orcladmin" -q -p 3060 -a title \
    -b "cn=Anne Smith,ou=Sales,o=IMC,c=US" -v "Manager"

3.9 ldapdelete

The ldapdelete command-line tool enables you to remove entire entries from the directory.

See Also:

For information on using attribute aliases with ldapdelete refer to the "Attribute Aliases In the Directory" section in Administering Oracle Internet Directory.

3.9.1 Tasks and Examples for ldapdelete

You can perform single and multiple deletes using ldapdelete.

Using ldapdelete you can perform the following tasks:

3.9.1.1 Deleting a Single Entry

The following example shows how to delete an entry for a person named Anne Smith.

Example: 

ldapdelete -h myhost.company.com -D "cn=orcladmin" -q \
   -p 3060 "cn=Anne Smith,ou=Sales,o=IMC,c=US"
3.9.1.2 Deleting Multiple Entries Using an LDIF File

The following example shows how to delete many entries at once by supplying an LDIF file that contains the DNs of the entries to delete.

See LDIF File Format for information about formatting an LDIF file.

Example: 

ldapdelete -h myhost.company.com -D "cn=orcladmin" -q -p 3060 \      -f /home/mydir/delete.ldif

3.10 ldapmoddn

The ldapmoddn command-line tool enables you to change the RDN of an entry, or to move an entry to a new parent node in the directory tree.

See Also:

For information on using attribute aliases with ldapmoddn refer to the "Attribute Aliases In the Directory" section in Administering Oracle Internet Directory.

Using the ldapmoddn command-line tool, you can perform the following tasks:

3.10.1 Changing the RDN of an Entry

The following example shows how to change the RDN of an entry from Mary Smith to Mary Jones.

Example: 

ldapmoddn -h myhost.company.com -D "cn=orcladmin" -q -p 3060 \
    -b "cn=Mary Smith,dc=Americas,dc=IMC,dc=com" -R "cn=Mary Jones" -r

3.10.2 Moving an Entry

The following example shows how to move an entry to another parent node in the directory subtree.

The entry with the RDN of Mary Smith is moved from the dc=Americas parent node to the dc=Australia parent node.

Example: 

ldapmoddn -h myhost.company.com -D "cn=orcladmin" -q -p 3060 \
    -b "cn=Mary Smith,dc=Americas,dc=IMC,dc=com" -N "dc=Australia,dc=IMC,dc=com"

3.11 ldapmodify

The ldapmodify command-line tool enables you to add, delete, or replace attributes for entries by supplying an LDIF file as input.

You can also delete or add entries using ldapmodify.

See LDIF File Format for more information about the correct formatting of LDIF files.

See Also:

For information on using attribute aliases with ldapmodify refer to the "Attribute Aliases In the Directory" section in Administering Oracle Internet Directory.

Using the ldapmodify command-line tool, you can perform the following tasks:

3.11.1 Modifying the Directory Schema

You must first prepare your LDIF file to define the new schema elements you want to add. Once you have a properly formatted LDIF file, you can use the ldapmodify tool to import the new schema definitions into the directory schema.

See Adding Schema Elements for examples.

Example: 

ldapmodify -h myhost.company.com -D "cn=orcladmin" -q -p 3060  \
    -f /home/myfiles/modify.ldif  -v

3.11.2 Modifying an Entry

You must first prepare your LDIF file correctly to modify the attributes or attribute values for an entry. Once you have a properly formatted LDIF file, you can use the ldapmodify tool to import the changes.

See LDIF Format for Modifying Entries for examples.

Example: 

ldapmodify -h myhost.company.com -D "cn=orcladmin" -q \
    -p 3060 -f /home/myfiles/modify.ldif  -v

3.11.3 Indexing an Attribute

You can add or drop an attribute in the catalog entry by using ldapmodify.

From Oracle Internet Directory 11g Release 1 (11.1.1.6.0) onward, a new autocatalog feature is enabled by default in fresh installs. You can also enable it if you have upgraded from a previous release. When this feature is enabled, Oracle Internet Directory automatically invokes the catalog command to index attributes when you search for them. If the autocatalog feature is not enabled, and you want to use previously uncataloged attributes in search filters, you must add them to the catalog entry, as in previous releases.

To add an attribute, import an LDIF file by using ldapmodify. For example, to index the attribute displayName, import the following LDIF file by using ldapmodify:

Example: 

dn: cn=catalogs 
changetype: modify 
add: orclindexedattribute 
orclindexedattribute: displayName

Type a command similar to the following at the system prompt:

ldapmodify -D "cn=orcladmin" -q -h host -p port -f ldif_file_name

To index the attribute, the ldapmodify command invokes the Catalog Management tool, catalog. For information about that tool, see catalog.

To drop an index from an attribute by using ldapmodify, specify delete in the LDIF file. For example: 

dn: cn=catalogs 
changetype: modify 
delete: orclindexedattribute
orclindexedattribute: displayName

3.12 ldapmodifymt

The ldapmodifymt command-line tool is similar to ldapmodify in that it enables you to add, delete, or modify entries by supplying an LDIF file as input. However, ldapmodifymt runs in multi-threaded mode allowing you to operate on multiple entries concurrently.

See LDIF File Format for more information about the correct formatting of LDIF files.

Modifying Multiple Entries Concurrently

To modify multiple entries at once, you must first prepare your LDIF file correctly. See LDIF File Format for examples. Once you have a properly formatted LDIF file, you can use the ldapmodifymt tool to import the changes.

The following example uses five concurrent threads to modify the entries specified in the file /home/myfiles/modify.ldif.

Example: 

ldapmodify -h myhost.company.com -D "cn=orcladmin" -w password -p 3060 \
    -T 5 -f /home/myfiles/modify.ldif  -v

3.13 ldapsearch

The ldapsearch command-line tool enables you to search for and retrieve specific entries in the directory.

The LDAP filter that you use to search for entries must be compliant with the Internet Engineering Task Force (IETF) standards as specified in RFC 2254. Refer to the IETF Web site at http://www.ietf.org for more information about the standard filter format. Oracle Internet Directory supports all elements of RFC 2254 except for extensible matching.

Note:

Various UNIX shells interpret some characters—for example, asterisks (*)—as special characters. Depending on the shell you are using, you might need to escape these characters.

See Also:

For information on using attribute aliases with ldapsearch refer to the "Attribute Aliases In the Directory" section in Administering Oracle Internet Directory

Using the ldapsearch command-line tool, you can perform the following tasks:

3.13.1 Performing a Base Object Search

The following example performs a base-level search on the directory from the root.

  • -b specifies base DN for the search, root in this case.

  • -s specifies whether the search is a base search (base), one level search (one) or subtree search (sub).

  • "objectclass=*" specifies the filter for search.

Example: 

ldapsearch -p 3060 -h myhost -b "" -s base -v "objectclass=*"

3.13.2 Performing a One-Level Search

The following example performs a one level search starting at "ou=HR, ou=Americas, o=IMC, c=US".

Example: 

ldapsearch -p 3060 -h myhost -b "ou=HR, ou=Americas, o=IMC, c=US" -s one \
           -v "objectclass=*"

3.13.3 Performing a Subtree Search

The following example performs a subtree search and returns all entries having a DN starting with "cn=us".

Example: 

ldapsearch -p 3060 -h myhost -b "c=US" -s sub -v "cn=Person*"

3.13.4 Searching for Attribute Values of Entries

The following example returns only the DN attribute values of the matching entries:

Example: 

ldapsearch -p 3060 -h myhost -b "c=US" -s sub -v "objectclass=*" dn

The following example retrieves only the distinguished name along with the surname (sn) and description (description) attribute values:

Example: 

ldapsearch -p 3060 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description

The following example retrieves the distinguished name (dn), surname (sn), and description (description) attribute values. The entries are sorted by surname (sn). There are 10 entries returned per page.

Example: 

ldapsearch -p 3060 -h myhost -b "c=US" -s sub -v "cn=Person*" dn sn description \
    -T sn -j 10

3.13.5 Searching for Operational Attributes of Entries

You can search for operational attributes using the ldapsearch command.

The following example returns only operational attributes:

$ ldapsearch -h example.com -p 3060 -D cn=orcladmin -w password -b "c=uk" -L -s base "(objectclass=*)" +

3.13.6 Searching for Entries with Attribute Options

The following example retrieves entries with common name (cn) attributes that have an option specifying a language code attribute option. This particular example retrieves entries in which the common names are in French and begin with the letter R.

Example: 

ldapsearch -p 3060 -h myhost -b "c=US" -s sub "cn;lang-fr=R*"

Suppose that, in the entry for John, no value is set for the cn;lang-it language code attribute option. In this case, the following example does not return John's entry:

Example: 

ldapsearch -p 3060 -h myhost -b "c=us" -s sub "cn;lang-it=Giovanni"

3.13.7 Searching for All User Attributes and Specified Operational Attributes

With the help of examples, learn how to search for all user attributes and specified operational attributes.

Example: 

ldapsearch -p 3060 -h myhost -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" \
           -s sub "cn=Person*" "*" createtimestamp orclguid

The following example retrieves entries modified by Anne Smith:

Example: 

ldapsearch -h sun1 \
    -b "" "(&(objectclass=*)(modifiersname=cn=Anne Smith))"

The following example retrieves entries modified between 01 April 2001 and 06 April 2001:

Example: 

ldapsearch -h sun1 -b "" \
     "(&(objectclass=*)(modifytimestamp >= 20000401000000) \
     (modifytimestamp <= 20000406235959))"

Note:

Because modifiersname and modifytimestamp are not indexed attributes, use catalog to index these two attributes. Then, restart the Oracle directory server before issuing the two previous ldapsearch commands.

3.13.8 Searching for Entries (More Examples)

Each of the following examples searches on port 3060 of host sun1, and searches the whole subtree starting from the DN "ou=hr,o=acme,c=us".

The following example searches for all entries with any value for the objectclass attribute.

ldapsearch -p 3060 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=*"

The following example searches for all entries that have orcl at the beginning of the value for the objectclass attribute. 

ldapsearch -p 3060 -h sun1 -b "ou=hr, o=acme, c=us" -s subtree "objectclass=orcl*"

The following example searches for entries where the objectclass attribute begins with orcl and cn begins with foo. 

ldapsearch -p 3060 -h sun1 -b "ou=hr, o=acme, c=us" \
          -s subtree "(&(objectclass=orcl*)(cn=foo*))"

The following example searches for entries in which cn begins with foo or sn begins with bar. 

ldapsearch -p 3060 -h sun1 -b "ou=hr, o=acme, c=us" \
          -s subtree "(|(cn=foo*)(sn=bar*))"

The following example searches for entries in which employeenumber is less than or equal to 10000. 

ldapsearch -p 3060 -h sun1 -b "ou=hr, o=acme, c=us" \
           -s subtree "employeenumber<=10000"

3.13.9 Attribute Case in ldapsearch Output

In the output from the ldapsearch command, the attribute names are shown in lower case if the attribute orclReqattrCasein the instance-specific configuration entry is 0. If orclReqattrCase is set to 1, the attribute names in the output are shown in the same case in which they were entered on the command line.

Example: 

ldapsearch -h localhost -p 389 -b "dc=oracle,dc=com" -s base -L "objectclass=*" DC

If orclReqattrCase is 0 the output looks like this: 

dn: dc=oracle,dc=comdc: oracle

If orclReqattrCase is 1, the output looks like this: 

dn: dc=oracle,dc=comDC: oracle

3.14 ldifmigrator

The Oracle Internet Directory Data Migration Tool is used to convert LDIF files output from other directories or application-specific repositories into a format recognized by Oracle Ineternet Direcotry.

The Oracle Internet Directory Data Migration Tool (ldifmigrator) is used to convert LDIF files output from other directories or application-specific repositories into a format recognized by Oracle Internet Directory. The Data Migration Tool takes as input an LDIF file containing substitution variables, and outputs an LDIF file suitable for loading into Oracle Internet Directory.

See LDIF Format for Migrating Entries for the correct format of the LDIF input file for this tool.

Using the ldifmigrator command-line tool, you can perform the following tasks:

3.14.1 Using the Data Migration Tool in Lookup Mode

The migration tool looks up the directory server to figure out certain substitution variables specified in the LDIF input file.

In this example, Oracle Internet Directory server is present in the environment, and the migration tool looks up the directory server to figure out certain substitution variables specified in the LDIF input file.

Example: 

$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" \
               -lookup "host=ldap.acme.com" "subscriber=acme" \
               "s_UserOrganization=Development"

3.14.2 Overriding Data Migration Values in Lookup Mode

In some cases, you want to use the lookup mode but would also like to override the values of one or more of the pre-defined substitution variables.

This can be done by specifying the override value in the command-line. The following command line shows how one can set the UserNickNameAttribute to cn overriding the default of uid:

Example: 

$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" \
              -lookup "host=ldap.acme.com" "subscriber=acme" \
             "s_UserOrganization=Development" "s_UserNicknameAttribute=cn"

3.14.3 Using the Data Migration Tool by Supplying Your Own Values

The following example shows how you can specify your own values for substitution variables found in the LDIF input file, rather than using lookup mode.

Example: 

$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif"  \
              "s_UserContainerDN=cn=Users,o=Acme,dc=com" \
              "s_UserNicknameAttribute=uid" "s_UserOrganization=Development"

3.14.4 Loading and Reconciling Data Using the Data Migration Tool

The Data Migration Tool gives your the option of loading the data directly into the directory.

The Data Migration Tool gives your the option of loading the data directly into Oracle Internet Directory. Use the -load and -reconcile options to load data and safely reconcile any conflicts.

Example: 

$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" \
               -lookup "host=ldap.acme.com" "subscriber=acme" \
               "s_UserOrganization=Development"
               -load -reconcile SAFE

3.15 ldifwrite

The ldifwrite command-line tool enables you to convert to LDIF all or part of the information residing in a directory.

The ldifwrite command-line tool enables you to convert to LDIF all or part of the information residing in an Oracle Internet Directory. Once you have converted the information, you can load it into a new node in a replicated directory or another node for backup storage.

Note:

The ldifwrite command requires that the environment variable DOMAIN_HOME be set.

Note:

The ldifwrite tool output does not include operational data of the directory itself—for example, cn=subschemasubentry, cn=catalogs, and cn=changelog entries. To export these entries into LDIF format, use ldapsearch with the -L flag.

The ldifwrite tool performs a subtree search, including all entries below the specified DN, including the DN itself.

3.15.1 Using ldifwrite with Replication

When you add data to a node that is part of a Directory Replication Group (DRG), you can use either bulk tools or LDAP tools, depending on the circumstances.

The following rules apply:

  • When you add new entries to all nodes in the DRG, you can use either bulk tools or LDAP tools. For more than 20K entries, bulk tools are significantly faster. If you use LDAP tools, add the entries to only one node in the DRG and let replication propagate the entries. If you use bulk tools, generate the intermediate file only once from the LDIF file and use that intermediate file to load the entries onto all the nodes in the DRG.

  • When you copy existing entries from one node to another in the same replication group, use bulk tools. Use the bulkload option restore=true when you upload the data.

  • If the LDIF file contains operational attributes, which it does when created with ldifwrite, use bulkload to add the entries.

  • If the replication agreement is a partial replication agreement, use ldifwrite with the base DN as the replication agreement DN to write the entries to the LDIF file. Then use bulkload with the restore=true option to load the data.

3.15.2 Tasks and Examples for ldifwrite

Using the ldifwrite command-line tool, you can convert entries to an LDIF file in various ways.

This section contains the following topics:

3.15.2.1 Converting All Entries under a Naming Context to an LDIF File

The following example writes all the entries under ou=Europe,o=imc,c=us into the output1.ldif file.

The LDIF file and the intermediate file are always written to the current directory.

The ldifwrite tool includes the operational attributes of each entry in the directory, including createtimestamp, creatorsname, and orclguid.

When prompted for the Oracle Internet Directory password, enter the password of the ODS database user account.

Example: 

ldifwrite connect="nldap" basedn="ou=Europe, o=imc, c=us" ldiffile="output1.ldif"
3.15.2.2 Converting a Partial Naming Context to an LDIF File

The following example uses the following naming context objects defined in partial replication:

The following example uses the following naming context objects defined in partial replication:

dn: cn=includednamingcontext000001,  cn=replication namecontext,  orclagreementid=000001,  orclreplicaid=node replica identifier,  cn=replication configuration
orclincludednamingcontexts: c=us
orclexcludednamingcontexts: ou=Americas, c=us
orclexcludedattributes: userpassword
objectclass: top
objectclass: orclreplnamectxconfig

In this example, all entries under c=us are backed up except ou=Americas,c=us. The userpassword attribute is also excluded.

Example: 

ldifwrite connect="nldap" basedn="cn=includednamingcontext000001, \
          cn=replication namecontext,orclagreementid=000001, \
          orclreplicaid=node replica identifier,cn=replication configuration" \
          ldiffile="output2.ldif"
3.15.2.3 Converting Entries that Match Criteria to an LDIF File

The following example writes entries under ou=users,o=test,c=us that have sn="Stuart" to an output LDIF file, output3.ldif.

Example: 

ldifwrite connect="nldap" basedn="ou=users, o= test, c=us" filter="sn=xyz" ldiffile="output3.ldif"

3.16 upgradecert.pl

You can use a certificate hash value to bind to Oracle Internet Directory. The introduction of this hash value requires that user certificates issued before Release 10.1.2 be updated in the directory. This is a post-upgrade step and it is required only if user certificates are provisioned in the directory. The upgradecert.pl tool is used for this purpose.

This section contains the following topics:

3.16.1 Before Running the upgradecert.pl Tool

Ensure the following conditions before running the upgradecert.pl command.

Before running the upgradecert.pl tool:

  1. Make sure that the Oracle Internet Directory server instance is up and running.

  2. Check that you are running Perl 5.6 or later. Run this command:

    perl -version

  3. Make sure that the environment variable PERL5LIB is set to the proper PERL library location.

  4. Check that you can run ldapmodify and ldapsearch from your command prompt.

  5. Determine whether you have enough disk space to run the tool. The amount of disk space required depends upon the number of certificates stored.

3.16.2 Upgrading User Certificates Stored in the Directory from Releases Prior to 10.1.2

Learn how to upgrades user certificates stored in the directory from releases prior to 10.1.2 by executing the command specified in this section.

To upgrade the user certificates:

perl $ORACLE_HOME/ldap/bin/upgradecert.pl -h myhost.company.com \
     -D "cn=orcladmin" -w password

3.17 Oracle Internet Directory Data Management Tools Command Reference

Learn about the syntax, attributes, and related commands for all Oracle Internet Directory Data Management Tools Command.

This section contains the following topics:

3.17.1 bulkdelete Command Reference

The following topics list and describe the bulkdelete syntax and arguments.

Syntax for bulkdelete

bulkdelete connect=connect_string {[basedn=Base_DN]|[file=file_name]}
[filter="LDAP_search_filter"] [encode=character_set] [debug="TRUE"|"FALSE"] 
[cleandb="TRUE"|"FALSE"] [skipcheck="TRUE"|"FALSE"] [size=transaction_size] 
[threads=num_of_threads] [verbose="TRUE"|"FALSE"]

Arguments for bulkdelete

connect

Required. The directory database connect string. If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, which is located by default in $DOMAIN_HOME/config/fmwconfig/components/OID/config/ directory. (You can set the TNS_ADMIN environment variable if you want to use a different location.)

basedn | file

Required. The base DN of the subtree to be deleted, for example, "dc=company, dc=com". Enclose the DN in quotation marks. You can also specify multiple base DNs by putting them in a file and specifying the file name and path with the file argument.

filter

Optional. The LDAP filter for entries to be deleted. This filter option allows you to delete only entries that match a specific LDAP filter condition. Using this option, you can delete a huge amount of data in a reasonable amount of time.

encode

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

debug

Optional. The debug option reports the logging level. This is useful in case the command runs into errors. The output is logged to the bulkdelete.log file. This file can be found under $DOMAIN_HOME/tools/OID/logs.

cleandb

Optional. This is used to specify whether the deleted entries would be tomb stoned or deleted completely from the database. The default (cleandb="TRUE") is to delete the entries completely.

skipcheck

Optional. The skipcheck option allows you to execute bulkdelete without stopping OID services. This is possible by passing skipcheck="TRUE" in the command line. Default is skipcheck="FALSE".

size

Optional. The number of entries to be committed as a part of one transaction.

threads

Optional. The number of threads to create. The default value is the number of CPUs on the machine plus one.

verbose

Optional. This is used to run the command in verbose mode.

Related Command-Line Tools for bulkdelete

3.17.2 bulkload Command Reference

The following topics list and describe the bulkload syntax and arguments.

Syntax for bulkload

bulkload [connect=connect_string]
{[check="TRUE"|"FALSE"  [file=ldif_file]] [generate="TRUE"|"FALSE"
[append="TRUE"|"FALSE"] [restore="TRUE"|"FALSE"] [thread=num_of_threads]
file=ldif_file]
[load="TRUE"|"FALSE"  [append="TRUE"|"FALSE"] [threads=num_of_threads]]
[index="TRUE"|"FALSE"] [missing="TRUE"|"FALSE"] [recover="TRUE"|"FALSE"]}
[encode=character_set] [debug="TRUE"|"FALSE"] [verbose="TRUE"|"FALSE"]

Arguments for bulkload

connect

Optional. The directory database connect string. If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, which is located by default in $DOMAIN_HOME/config/fmwconfig/components/OID/config/ directory. (You can set the TNS_ADMIN environment variable if you want to use a different location.) For loading data in single node, specify its connect string—for example orcl. For loading data in multiple nodes, specify connect strings of all nodes—for example: 

bulkload connect="orcl1,orcl2,orcl3"

check | generate | load | recover | index | missing

Required. The operation to perform. The operations are:

  • check - Checks the LDIF file provided for schema inconsistencies and for duplicate entry DNs. You must provide the full path or relative path and file name of an LDIF file. You can optionally specify the number of threads. The check and generate operations can be issued at the same time.

  • generate - Creates intermediate files suitable for loading entries into Oracle Internet Directory using SQL*Loader. You must provide the full path or relative path and file name of an LDIF file from which to generate entries. You can optionally specify the number of threads. The check and generate operations can be issued at the same time.

    Note:

    • After the generate operation, the directory is left in the read-modify mode until you perform the load operation.

    • bulkload updates the mode to read-only when performing a load operation.

  • load - Loads the files generated in the generate operation into the database. You can use the append option to specify if the data needs to be appended to the existing directory data. For load to succeed, the LDAP server must be stopped. You can optionally specify the number of threads. If you set the ldplonly option to "TRUE", then the data is loaded in parallel but index creation takes place in serial mode. You must run a generate operation before a load operation.

  • recover - In case of a failure during a load operation, recovers the directory with the original data. You cannot use any other option when using the recover option.

  • index - Recreates indexes on all catalog tables.

  • missing - Creates only missing indexes on catalog tables.

file

Required for the check and generate operations. The fully qualified path or relative path and file name of the LDIF file that contains the entries you want to load.

threads

Optional for the check,generate, and load operations. The number of threads to create. The default value is the number of CPUs on the machine plus one.

restore

Optional with the check and generate operations. Assumes operational attributes, such as orclguid, creatorsname, and createtimestamp, are already present in the specified LDIF file. Duplicate operational attribute values are not created in the output SQL*Loader files.

When the restore option is set to TRUE, then the operational attributes specified in the LDIF file are honored. If restore option is not specified or it is set to FALSE, then the operational attributes might not be retained, depending on the type of attribute. Best practice is to avoid having operational attributes in the LDIF file when the restore option value is FALSE.

append

Optional with the generate and load operations. Loads entries in incremental mode rather than bulk mode, which is the default. Incremental mode appends data to existing directory data, and is intended for loading small amounts of data.

encode

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

debug

Optional. The debug option turns debugging on or off. Turning debugging on (debug="TRUE") is useful when the command runs into errors. The output is logged to the bulkload.log file. This file can be found under DOMAIN_HOME/tools/OID/logs.

verbose

This is used to run the command in verbose mode.

Related Command-Line Tools for bulkload

3.17.3 bulkmodify Command Reference

The following topics list and describe the bulkmodify syntax and arguments.

Syntax for bulkmodify

bulkmodify connect=connect_string basedn=Base_DN
{[add="TRUE"|"FALSE"]|[replace="TRUE"|"FALSE"]} attribute=attribute_name
value=attribute_value [-q] [filter=filter_string] [size=transaction_size]
[threads=num_of_threads] [debug="TRUE"|"FALSE"] [encode=character_set]
[verbose="TRUE"|"FALSE"]

Arguments for bulkmodify

connect

Required. The directory database connect string. If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, which is located by default in $DOMAIN_HOME/config/fmwconfig/components/OID/config/ directory. (You can set the TNS_ADMIN environment variable if you want to use a different location.)

basedn

Required. The DN of the subtree to be modified. Enclose the DN in quotes.

add | replace

Required. The operation to be performed on the attribute. Specifies whether you want to add an attribute value or replace an attribute value.

attribute

Required. The name of a single attribute for which a value needs to be added or replaced.

value

Required. The single attribute value to add or replace. If the value contains spaces, enclose it in quotes.

-q

Optional. The -q option causes the command to prompt for a secure value instead of the command line value. A secure value supplied at the command prompt is not visible on the screen.

filter

Optional. A filter string that contains a single attribute. Defaults to objectclass=*.

size

Optional. The number of entries to be committed as part of one transaction. Defaults to 100.

threads

Optional. The number of threads to create. The default value is the number of CPUs on the machine plus one.

debug

Optional. The debug option reports the logging level. This is useful in case the command runs into errors. The output is logged to the bulkmodify.log file. This file can be found under $DOMAIN_HOME/tools/OID/logs.

encode

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

verbose

This is used to run the command in verbose mode.

Related Command-Line Tools for bulkmodify

3.17.4 catalog Command Reference

The following topics list and describe the catalog syntax and arguments.

Syntax for catalog

catalog connect=connect_string {[add="TRUE"|"FALSE"]|[delete="TRUE"|"FALSE"]}
{[attribute=attribute_name]|[file=file_name]} [logging="TRUE"|"FALSE"]
[threads=num_of_threads] [debug="TRUE"|"FALSE"] [iot="TRUE"|"FALSE"] [verbose="TRUE"|"FALSE"]

Arguments for catalog

connect

Required. The directory database connect string. If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, which is located by default in $DOMAIN_HOME/config/fmwconfig/components/OID/config/ directory. (You can set the TNS_ADMIN environment variable if you want to use a different location.)

add | delete

Required. The operation to perform. The add argument indexes the specified attribute. The delete argument drops the index for the specified attribute.

attribute | file

Required. The attribute or attributes to catalog. Use the attribute argument to specify a single attribute name on the command-line. Use the file argument to provide the full path and file name of a file that contains a list of several attribute names.

logging

Optional. This option is used to decide if redo logs are generated when a catalog is created.

threads

Optional. The number of threads to create. The default value is the number of CPUs on the machine plus one.

debug

Optional. The debug option reports the logging level. This is useful in case the command runs into errors. The output is logged to the catalog.log file. This file can be found under $DOMAIN_HOME/tools/OID/logs.

iot

Optional. If set to TRUE, this option causes an Index Organized Table (IOT) to be created for the specified attribute without creating an additional index. The IOT option improves both read and write performance for a normal LDAP operation and reduces the storage as well. Use the IOT option when you expect lot of updates for the cataloging attribute. The default is FALSE.

verbose

Optional. This option specifies whether the command should be run in verbose mode.

Related Command-Line Tools for catalog

  • N/A

3.17.5 ldapadd Command Reference

The following topics list and describe the ldapadd syntax and arguments.

Syntax for ldapadd

ldapadd -h oid_hostname -D "binddn" -q | -w password [-Y "proxy_dn"] 
[-p ldap_port]  [-V ldap_version] {-f ldif_filename | -X dsml_filename} 
[-b] [-n] [-c [-o log_file_name]] [-M] [-v] [-O ref_hop_limit] [-i 1|0] 
[-U SSL_auth_mode {-W wallet_location -Q | -P wallet_password}] 
[-d debug_level] [-E character_set]

Arguments for ldapadd

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D ""binddn

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-Y ""proxy_dn

Optional. The DN of a proxy user. After binding to the directory, the add operation is performed as this user.

-p ldap_port

Optional. The port number used to connect to the Oracle Internet Directory server. Defaults to port 3060.

-V ldap_version

Optional. The version of the LDAP protocol to use. Allowed values are 2 or 3. Defaults to 3 (LDAP v3).

-f ldif_filename | -X dsml_filename

Required. The full path and file name of the input file that contains the data you want to import.

Use the -f argument to supply an LDIF file. See LDIF File Format for information on formatting an LDIF file.

Use the -X argument to supply a Directory Service Markup Language (DSML) file. See Adding Data to the Directory Using a DSML File for more information about formatting a DSML file.

-b

Optional. Use this option if your input file has binary file names in it, which are preceded by the forward slash character. The tool retrieves the actual values from the file referenced.

-n

Optional. Enables you to preview what would occur in an operation without actually performing the operation.

-c

Optional. Proceeds in spite of errors. All errors are reported. If the -c argument is not used, the tool stops when an error occurs.

-o log_file_name

Optional. Used with the -c argument. Writes the LDIF entries with errors to a log file. Specify the full path and name of the log file.

-M

Optional. Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-v

Optional. Runs the tool in verbose mode.

-O ref_hop_limit

Optional. The number of referral hops that a client should process. Defaults to 5.

-i 1 | 0

Optional. Specifies whether to bind as the current user when following referrals. 1 means bind as the current user, 0 means bind anonymously. The default is 0 (zero).

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-Q

Required, unless -P is used, if using one way or two way SSL authentication (-U 2|3). Causes the command to prompt for the wallet password for the wallet specified in the -W argument. A password supplied at the command prompt is not visible on the screen.

-P wallet_password

Required, unless -Q is used, if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -P wallet_password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-d debug_level

Optional. If not specified the default of 0 (not enabled) is used. Debug levels are additive. Add the numbers representing the functions that you want to activate, and use the sum of those in the command-line option. For example, to trace search filter processing (512) and active connection management (256), enter 768 as the debug level (512 + 256 = 768). Debug levels are as follows:

  • 1 — Heavy trace debugging

  • 128 — Debug packet handling

  • 256 — Connection management, related to network activities

  • 512 — Search filter processing

  • 1024 — Entry parsing

  • 2048 — Configuration file processing

  • 8192 — Access control list processing

  • 491520 — Log of communication with the database

  • 524288 — Schema related operations

  • 4194304 — Replication specific operations

  • 8388608 — Log of entries, operations and results for each connection

  • 16777216 — Trace function call arguments

  • 67108864 — Number and identity of clients connected to this server

  • 117440511 — All possible operations and data

-E character_set

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

Related Command-Line Tools for ldapadd

3.17.6 ldapaddmt Command Reference

The following topics list and describe the ldapaddmt syntax and arguments.

Syntax for ldapaddmt

ldapaddmt -h oid_hostname -D "binddn" -q | -w password -T number_threads 
[-p ldap_port] [-V ldap_version] {-f ldif_filename | -X dsml_filename}  [-b] [-c]
[-M] [-O ref_hop_limit] [-U SSL_auth_mode {-W wallet_location -Q | -P
wallet_password}] [-d debug_level] [-E character_set]

Arguments for ldapaddmt

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D "binddn"

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-T number_threads

Required. The number of threads for concurrently processing entries.

-p ldap_port

Optional. The port number used to connect to the Oracle Internet Directory server. Defaults to port 3060.

-V ldap_version

Optional. The version of the LDAP protocol to use. Allowed values are 2 or 3. Defaults to 3 (LDAP v3).

-f ldif_filename | -X dsml_filename

Required. The full path and file name of the input file that contains the data you want to import.

Use the -f argument to supply an LDIF file. See LDIF File Format for information on formatting an LDIF file.

Use the -X argument to supply a Directory Service Markup Language (DSML) file. See Adding Data to the Directory Using a DSML File for more information about formatting a DSML file.

-b

Optional. Use this option if your input file has binary file names in it, which are preceded by the forward slash character. The tool retrieves the actual values from the file referenced.

-c

Optional. Proceeds in spite of errors. All errors are reported. If the -c argument is not used, the tool stops when an error occurs.

-M

Optional. Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-O ref_hop_limit

Optional. The number of referral hops that a client should process. Defaults to 5.

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-Q

Required, unless -P is used, if using one way or two way SSL authentication (-U 2|3). Causes the command to prompt for the wallet password for the wallet specified in the -W argument. A password supplied at the command prompt is not visible on the screen.

-P wallet_password

Required, unless -Q is used, if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -P wallet_password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-d debug_level

Optional. If not specified the default of 0 (not enabled) is used. Debug levels are additive. Add the numbers representing the functions that you want to activate, and use the sum of those in the command-line option. For example, to trace search filter processing (512) and active connection management (256), enter 768 as the debug level (512 + 256 = 768). Debug levels are as follows:

  • 1 — Heavy trace debugging

  • 128 — Debug packet handling

  • 256 — Connection management, related to network activities

  • 512 — Search filter processing

  • 1024 — Entry parsing

  • 2048 — Configuration file processing

  • 8192 — Access control list processing

  • 491520 — Log of communication with the database

  • 524288 — Schema related operations

  • 4194304 — Replication specific operations

  • 8388608 — Log of entries, operations and results for each connection

  • 16777216 — Trace function call arguments

  • 67108864 — Number and identity of clients connected to this server

  • 117440511 — All possible operations and data

-E character_set

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

Related Command-Line Tools for ldapaddmt

3.17.7 ldapbind Command Reference

The following topics list and describe the ldapbind syntax and arguments.

Syntax for ldapbind

ldapbind -h oid_hostname -D "binddn" -q | -w password [-p ldap_port] 
[-V ldap_version] [-n] [-O "auth"] [-Y "DIGEST-MD5|EXTERNAL"] 
[-R SASL_realm] [-U SSL_auth_mode {-W wallet_location -Q | -P wallet_password}]
[-E character_set]

Arguments for ldapbind

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D "binddn"

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-p ldap_port

Optional. The port number used to connect to the Oracle Internet Directory server. Defaults to port 3060.

-V ldap_version

Optional. The version of the LDAP protocol to use. Allowed values are 2 or 3. Defaults to 3 (LDAP v3).

-O "auth"

Optional. Specifies SASL security properties. The security property supported is -O "auth". This security property is for DIGEST-MD5 SASL mechanism. It enables authentication with no data integrity or data privacy.

-Y "DIGEST-MD5 | EXTERNAL"

Optional. Specifies a Simple Authentication and Security Layer (SASL) mechanism. The following mechanisms are supported:

  • DIGEST-MD5

  • EXTERNAL - The SASL authentication in this mechanism is done on top of two-way SSL authentication. In this case the identity of the user stored in the SSL wallet is used for SASL authentication.

-R SASL_realm

Optional. A SASL realm.

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-Q

Required, unless -P is used, if using one way or two way SSL authentication (-U 2|3). Causes the command to prompt for the wallet password for the wallet specified in the -W argument. A password supplied at the command prompt is not visible on the screen.

-P wallet_password

Required, unless -Q is used, if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -P wallet_password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-E character_set

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

Related Command-Line Tools for ldapbind

  • N/A

3.17.8 ldapcompare Command Reference

The following topics list and describe the ldapcompare syntax and arguments.

Syntax for ldapcompare

ldapcompare -h oid_hostname -D "binddn" -q | -w password [-Y "proxy_dn"] 
[-p ldap_port] -a attribute_name -b "base" -v "attribute_value" 
[-U SSL_auth_mode {-W wallet_location -Q | -P wallet_password}] 
[-d debug_level] [-E character_set]

Arguments for ldapcompare

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D "binddn"

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-Y ""proxy_dn

Optional. The DN of a proxy user. After binding to the directory, the add operation is performed as this user.

-p ldap_port

Optional. The port number used to connect to the Oracle Internet Directory server. Defaults to port 3060.

-a attribute_name

Required. The attribute for which to perform the comparison of values.

-b "base"

Required. The DN of the entry for which to perform the comparison.

-v "attribute_value"

Required. The attribute value that you want to compare to the value in the entry.

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-Q

Required, unless -P is used, if using one way or two way SSL authentication (-U 2|3). Causes the command to prompt for the wallet password for the wallet specified in the -W argument. A password supplied at the command prompt is not visible on the screen.

-P wallet_password

Required, unless -Q is used, if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -P wallet_password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-d debug_level

Optional. If not specified the default of 0 (not enabled) is used. Debug levels are additive. Add the numbers representing the functions that you want to activate, and use the sum of those in the command-line option. For example, to trace search filter processing (512) and active connection management (256), enter 768 as the debug level (512 + 256 = 768). Debug levels are as follows:

  • 1 — Heavy trace debugging

  • 128 — Debug packet handling

  • 256 — Connection management, related to network activities

  • 512 — Search filter processing

  • 1024 — Entry parsing

  • 2048 — Configuration file processing

  • 8192 — Access control list processing

  • 491520 — Log of communication with the database

  • 524288 — Schema related operations

  • 4194304 — Replication specific operations

  • 8388608 — Log of entries, operations and results for each connection

  • 16777216 — Trace function call arguments

  • 67108864 — Number and identity of clients connected to this server

  • 117440511 — All possible operations and data

-E character_set

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

Related Command-Line Tools for ldapcompare

  • N/A

3.17.9 ldapdelete Command Reference

The following topics list and describe the ldapdelete syntax and arguments.

Syntax for ldapdelete

ldapdelete -h oid_hostname -D "binddn" -q | -w password [-Y proxy_dn] 
[-p ldap_port] [-V ldap_version] {-f ldif_filename | "entry_dn"} 
[-n] [-M] [-v] [-O ref_hop_limit] 
[-U SSL_auth_mode {-W wallet_location -Q | -P wallet_password}] [-E character_set]

Arguments for ldapdelete

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D "binddn"

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-Y "proxy_dn"

Optional. The DN of a proxy user. After binding to the directory, the add operation is performed as this user.

-p ldap_port

Optional. The port number used to connect to the Oracle Internet Directory server. Defaults to port 3060.

-V ldap_version

Optional. The version of the LDAP protocol to use. Allowed values are 2 or 3. Defaults to 3 (LDAP v3).

-f ldif_filename | "entry_dn"

Required. The full path and file name of the input file that contains the entry DNs you want to delete, or a single entry DN supplied on the command-line.

Use the -f argument to supply an LDIF file. See LDIF File Format for information on formatting an LDIF file.

To delete one entry, supply the DN of the entry in quotes.

-n

Optional. Enables you to preview what would occur in an operation without actually performing the operation.

-M

Optional. Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-v

Optional. Runs the tool in verbose mode.

-O ref_hop_limit

Optional. The number of referral hops that a client should process. Defaults to 5.

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-Q

Required, unless -P is used, if using one way or two way SSL authentication (-U 2|3). Causes the command to prompt for the wallet password for the wallet specified in the -W argument. A password supplied at the command prompt is not visible on the screen.

-P wallet_password

Required, unless -Q is used, if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -P wallet_password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-E character_set

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

Related Command-Line Tools for ldapdelete

3.17.10 ldapmoddn Command Reference

The following topics list and describe the ldapmoddn syntax and arguments.

Syntax for ldapmoddn

ldapmoddn -h oid_hostname -D "binddn" -q | -w password [-p ldap_port] 
[-V ldap_version] -b "base_dn" {-R "new_rdn"|-N "new_parent"} 
[-r] [-M] [-O ref_hop_limit] 
[-U SSL_auth_mode {-W wallet_location -Q | -P wallet_password}] [-E character_set]

Arguments for ldapmoddn

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D "binddn"

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-p ldap_port

Optional. The port number used to connect to the Oracle Internet Directory server. Defaults to port 3060.

-V ldap_version

Optional. The version of the LDAP protocol to use. Allowed values are 2 or 3. Defaults to 3 (LDAP v3).

-b "base_dn"

Required. The DN of the entry to be moved to a new parent DN or have its RDN updated.

-R "new_rdn" | -N "new_parent"

Required. The action to perform. Use the -R argument to change the RDN of the entry. Use the -N argument to move the entry to a new parent node in the directory tree.

-r

Optional. Specifies that the old RDN is not retained as a value in the modified entry. If not included, the old RDN is retained as an attribute in the modified entry.

-M

Optional. Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-O ref_hop_limit

Optional. The number of referral hops that a client should process. Defaults to 5.

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-Q

Required, unless -P is used, if using one way or two way SSL authentication (-U 2|3). Causes the command to prompt for the wallet password for the wallet specified in the -W argument. A password supplied at the command prompt is not visible on the screen.

-P wallet_password

Required, unless -Q is used, if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -P wallet_password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-E character_set

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

Related Command-Line Tools for ldapmoddn

3.17.11 ldapmodify Command Reference

The following topics list and describe the ldapmodify syntax and arguments.

Syntax for ldapmodify

ldapmodify -h oid_hostname -D "binddn" [-Y "proxy_dn"] -q | -w password 
[-p ldap_port] [-V ldap_version] {-f ldif_filename | -X dsml_filename}  
[-a] [-b] [-c [-o log_file_name]] [-n] [-v] [-M] [-O ref_hop_limit] 
[-i 1|0] [-U SSL_auth_mode {-W wallet_location -Q | -P wallet_password}] 
[-E character_set] [-d debug_level]

Arguments for ldapmodify

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D "binddn"

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-Y "proxy_dn"

Optional. The DN of a proxy user. After binding to the directory, the add operation is performed as this user.

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-p ldap_port

Optional. The port number used to connect to the Oracle Internet Directory server. Defaults to port 3060.

-V ldap_version

Optional. The version of the LDAP protocol to use. Allowed values are 2 or 3. Defaults to 3 (LDAP v3).

-f ldif_filename | -X dsml_filename

Required. The full path and file name of the input file that contains the data you want to import.

Use the -f argument to supply an LDIF file. See LDIF File Format for information on formatting an LDIF file.

Use the -X argument to supply a Directory Service Markup Language (DSML) file. See Adding Data to the Directory Using a DSML File for more information about formatting a DSML file.

-a

Optional. Denotes that the LDIF or DSML input file has new entries to be added.

-b

Optional. Use this option if your input file has binary file names in it, which are preceded by the forward slash character. The tool retrieves the actual values from the file referenced.

-c

Optional. Proceeds in spite of errors. All errors are reported. If the -c argument is not used, the tool stops when an error occurs.

-n

Optional. Enables you to preview what would occur in an operation without actually performing the operation.

-v

Optional. Runs the tool in verbose mode.

-o log_file_name

Optional. Used with the -c argument. Writes the LDIF entries with errors to a log file. Specify the full path and name of the log file.

-M

Optional. Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-O ref_hop_limit

Optional. The number of referral hops that a client should process. Defaults to 5.

-i 1 | 0

Optional. Specifies whether to bind as the current user when following referrals. 1 means bind as the current user, 0 means bind anonymously. The default is 0 (zero).

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-Q

Required, unless -P is used, if using one way or two way SSL authentication (-U 2|3). Causes the command to prompt for the wallet password for the wallet specified in the -W argument. A password supplied at the command prompt is not visible on the screen.

-P wallet_password

Required, unless -Q is used, if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -P wallet_password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-E character_set

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

-d debug_level

Optional. If not specified the default of 0 (not enabled) is used. Debug levels are additive. Add the numbers representing the functions that you want to activate, and use the sum of those in the command-line option. For example, to trace search filter processing (512) and active connection management (256), enter 768 as the debug level (512 + 256 = 768). Debug levels are as follows:

  • 1 — Heavy trace debugging

  • 128 — Debug packet handling

  • 256 — Connection management, related to network activities

  • 512 — Search filter processing

  • 1024 — Entry parsing

  • 2048 — Configuration file processing

  • 8192 — Access control list processing

  • 491520 — Log of communication with the database

  • 524288 — Schema related operations

  • 4194304 — Replication specific operations

  • 8388608 — Log of entries, operations and results for each connection

  • 16777216 — Trace function call arguments

  • 67108864 — Number and identity of clients connected to this server

  • 117440511 — All possible operations and data

Related Command-Line Tools for ldapmodify

3.17.12 ldapmodifymt Command Reference

The following topics list and describe the ldapmodifymt syntax and arguments.

Syntax for ldapmodifymt

ldapmodifymt -h oid_hostname -D "binddn" -q | -w password [-p ldap_port] 
[-V ldap_version] -T number_of_threads {-f ldif_filename | -X dsml_filename}  
[-a] [-b] [-c [-o log_file_name]] [-M] [-O ref_hop_limit 
[-U SSL_auth_mode {-W wallet_location -Q | -P wallet_password}] 
[-E character_set] [-d debug_level]

Arguments for ldapmodifymt

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D "binddn"

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-p ldap_port

Optional. The port number used to connect to the Oracle Internet Directory server. Defaults to port 3060.

-V ldap_version

Optional. The version of the LDAP protocol to use. Allowed values are 2 or 3. Defaults to 3 (LDAP v3).

-T number_threads

Required. The number of threads for concurrently processing entries.

-f ldif_filename | -X dsml_filename

Required. The full path and file name of the input file that contains the data you want to import.

Use the -f argument to supply an LDIF file. See LDIF File Format for information on formatting an LDIF file.

Use the -X argument to supply a Directory Service Markup Language (DSML) file. See Adding Data to the Directory Using a DSML File for more information about formatting a DSML file.

-a

Optional. Denotes that the LDIF file has entries to be added.

-b

Optional. Use this option if your input file has binary file names in it, which are preceded by the forward slash character. The tool retrieves the actual values from the file referenced.

-c

Optional. Proceeds in spite of errors. All errors are reported. If the -c argument is not used, the tool stops when an error occurs.

-o log_file_name

Optional. Used with the -c argument. Writes the LDIF entries with errors to a log file. Specify the full path and name of the log file.

-M

Optional. Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-O ref_hop_limit

Optional. The number of referral hops that a client should process. Defaults to 5.

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-Q

Required, unless -P is used, if using one way or two way SSL authentication (-U 2|3). Causes the command to prompt for the wallet password for the wallet specified in the -W argument. A password supplied at the command prompt is not visible on the screen.

-P wallet_password

Required, unless -Q is used, if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -P wallet_password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-E character_set

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

-d debug_level

Optional. If not specified the default of 0 (not enabled) is used. Debug levels are additive. Add the numbers representing the functions that you want to activate, and use the sum of those in the command-line option. For example, to trace search filter processing (512) and active connection management (256), enter 768 as the debug level (512 + 256 = 768). Debug levels are as follows:

  • 1 — Heavy trace debugging

  • 128 — Debug packet handling

  • 256 — Connection management, related to network activities

  • 512 — Search filter processing

  • 1024 — Entry parsing

  • 2048 — Configuration file processing

  • 8192 — Access control list processing

  • 491520 — Log of communication with the database

  • 524288 — Schema related operations

  • 4194304 — Replication specific operations

  • 8388608 — Log of entries, operations and results for each connection

  • 16777216 — Trace function call arguments

  • 67108864 — Number and identity of clients connected to this server

  • 117440511 — All possible operations and data

Related Command-Line Tools for ldapmodifymt

3.17.13 ldapsearch Command Reference

The following topics list and describe the ldapsearch syntax and arguments.

Syntax for ldapsearch

ldapsearch -h oid_hostname -D "binddn" -q | -w password [-Y "proxy_dn"] 
[-p ldap_port] [-V ldap_version] -b "basedn" {-s base|one|sub} {"filter_string"
attributes]|-f input_file} [-F separator] [-T [-]sort_attribute] [-j page_size]
[-A] [-a never|always|search|find] [-S] [-R] [-i 1|0] [-t] [-u] [-L|-X] [-B] [-M]
[-v] [-n] [-l time_limit] [-z size_limit] [-O ref_hop_limit] [-U SSL_auth_mode 
{-W wallet_location -Q | -P wallet_password}] [-d debug_level] 
[-E character_set][-c]

Arguments for ldapsearch

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D "binddn"

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-Y "proxy_dn"

Optional. The DN of a proxy user. After binding to the directory, the add operation is performed as this user.

-p ldap_port

Optional. The port number used to connect to the Oracle Internet Directory server. Defaults to port 3060.

-V ldap_version

Optional. The version of the LDAP protocol to use. Allowed values are 2 or 3. Defaults to 3 (LDAP v3).

-b "basedn"

Required. The base DN for the search.

-s base | one | sub

Required. The scope of the search within the DIT. The options are:

  • base - Retrieves a particular directory entry. Along with this search depth, you use the search criteria bar to select the attribute objectClass and the filter Present.

  • one - Limits your search to all entries beginning one level down from the root of your search.

  • sub - Searches entries within the entire subtree, including the root of your search.

"filter_string" [attributes] | -f input_file

Required. Supply a single filter on the command-line within quotes followed by the attribute names whose values you want returned. Separate attributes with a space. If you do not list any attributes, all attributes are retrieved.

By default, ldapsearch does not return operational attributes. If you add the character "+" to the list of attributes in the search request, however, ldapsearch returns all operational attributes.

You can also supply an input file with the -f argument that contains a sequence of search operations to perform.

In the output, the attribute names are shown in lower case if the attribute orclReqattrCase is 0 in the instance-specific config entry. If orclReqattrCase is set to 1, the attribute names in the output are shown in the same case in which they were entered on the command line. See Attribute Case in ldapsearch Output.

-F separator

Optional. Enables you to choose a separator to use between attribute names and values in the search output. The default is = (equal sign).

-T [-]sort_attribute

Optional. Instructs the tool to send a sort request to the server. The server returns entries sorted on the attribute, sort_attribute. A dash (-) before sort_attribute instructs the tool to sort the entries in reverse order.

-j page_size

Optional. Instructs the tool to send a page request to the server. The server returns paged entries with pages of size, page_size.

-A

Optional. Retrieves attribute names only (no values).

-a never | always | search | find

Optional. Specifies alias dereferencing. An alias entry in an LDAP directory is an entry that points to another entry. Following an alias pointer is known as dereferencing an alias. The options are:

  • never - Never dereference alias entries. Choose this option to improve search performance if there are no alias entries in the directory that require dereferencing.

  • always - Always dereference aliases. This selection is the default.

  • search - Dereference alias entries subordinate to a specified search base, but do not dereference an alias search base entry.

  • find - Deference an alias entry for a specified search base, but do not dereference alias entries subordinate to the search base.

-S attr

Optional. Sorts the results by the attribute specified.

-R

Optional. Disables the automatic following of referrals.

-i 1 | 0

Optional. Specifies whether to bind as the current user when following referrals. 1 means bind as the current user, 0 means bind anonymously. The default is 0 (zero).

-t

Optional. Writes files to /tmp.

-u

Optional. Includes user-friendly names in the output.

-L | -X

Optional. Prints entries in LDIF (-L) or DSML format (-X).

With the -L option, all attributes, including binary attributes are printed in LDAP Data Interchange Format (LDIF). Binary attributes are transformed into printable characters using BASE64 encoding.

See Also:

LDIF File Format for a description of LDAP Data Interchange Format.

-B

Optional. Allows printing of non-ASCII values. Binary attributes are printed as is, without encoding. The complete value might not be printed, as it might contain non-printable characters.

-M

Optional. Instructs the tool to send the ManageDSAIT control to the server. The ManageDSAIT control instructs the server not to send referrals to clients. Instead a referral entry is returned as a regular entry.

-n

Optional. Enables you to preview what would occur in an operation without actually performing the operation.

-v

Optional. Runs the tool in verbose mode.

-l time_limit

Optional. The maximum time in seconds to wait for an ldapsearch command to complete.

-z size_limit

Optional. The maximum number of entries to return.

-O ref_hop_limit

Optional. The number of referral hops that a client should process. Defaults to 5.

-U SSL_auth_mode

Optional. The SSL authentication mode:

  • 1 for no authentication required.

  • 2 for one way authentication required. You must also supply a wallet location and wallet password.

  • 3 for two way authentication required. You must also supply a wallet location and wallet password.

-W wallet_location

Required if using one way or two way SSL authentication (-U 2|3). The location of the wallet file that contains the server's SSL certificates.

Example for UNIX:

-W "file:/home/my_dir/my_wallet"

Example for Microsoft Windows:

-W "file:C:\my_dir\my_wallet"

-Q

Required, unless -P is used, if using one way or two way SSL authentication (-U 2|3). Causes the command to prompt for the wallet password for the wallet specified in the -W argument. A password supplied at the command prompt is not visible on the screen.

-P wallet_password

Required, unless -Q is used, if using one way or two way SSL authentication (-U 2|3). The wallet password for the wallet specified in the -W argument. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -P wallet_password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-d debug_level

Optional. If not specified the default of 0 (not enabled) is used. Debug levels are additive. Add the numbers representing the functions that you want to activate, and use the sum of those in the command-line option. For example, to trace search filter processing (512) and active connection management (256), enter 768 as the debug level (512 + 256 = 768). Debug levels are as follows:

  • 1 — Heavy trace debugging

  • 128 — Debug packet handling

  • 256 — Connection management, related to network activities

  • 512 — Search filter processing

  • 1024 — Entry parsing

  • 2048 — Configuration file processing

  • 8192 — Access control list processing

  • 491520 — Log of communication with the database

  • 524288 — Schema related operations

  • 4194304 — Replication specific operations

  • 8388608 — Log of entries, operations and results for each connection

  • 16777216 — Trace function call arguments

  • 67108864 — Number and identity of clients connected to this server

  • 117440511 — All possible operations and data

-E character_set

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

-C

Optional. ldapsearch -C option causes ldapsearch to traverse a hierarchy and report direct memberships. The ldapsearch -C option essentially includes the CONNECT_BY control (2.16.840.1.113894.1.8.3) in the request sent to the client. ldapsearch doesn't have any means to pass values with a control. So, it sends the CONNECT_BY control without values. In this case the default values are assumed, that is, the hierarchy-establishing attribute name is obtained from the filter, and the number of levels is 0. Thus, the -C option can only be used to fetch all containers of a containee queries, for example, fetch all groups of a user, fetch all employees of a manager and so forth. Also, all levels of the hierarchy are traversed. For more information, see Table 6-2.

See Also:

The "Performing Hierarchical Searches" section in Application Developer's Guide for Oracle Identity Management.

Related Command-Line Tools for ldapsearch

3.17.14 ldifmigrator Command Reference

The following topics list and describe the ldifmigrator syntax and arguments.

Syntax for ldifmigrator

ldifmigrator "input_file=filename" "output_file=filename"
[-lookup -h oid_hostname "dn=binddn" -w password [-p ldap_port]
[subscriber=subscriberDN]] ["s_VariableName1=replacement_value" 
"s_VariableName2=replacement_value"...] 
[-load -reconcile SAFE|SAFE_EXTENDED|NORMAL]

Arguments for ldifmigrator

"input_file=filename"

The full path and file name of the LDIF file that contains directory entry data and one or more substitution variables.

"output_file=filename"

The full path and file name of the output file produced by the ldifmigrator tool.

-lookup

If this flag is specified, then values of certain substitution variables are obtained by looking up the correct values in the directory server. See Substitution Variables for Migration Input Files for a list of substitution variables that can be looked up.

-h oid_hostname

Required if the -lookup flag is used. The host name or IP address of the Oracle Internet Directory server.

"dn=binddn"

Required if the -lookup flag is used. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

subscriber=subscriberDN

Optional. The subscriber whose attribute values is used in place of the substitution variables. If not specified, then the default identity management realm specified in the Root Oracle Context is used.

"s_VariableName=replacement_value"

Optional. You can specify a value for a substitution variable on the command-line. See Substitution Variables for Migration Input Files for instructions on adding a substitution variable to the input LDIF file. The ldifmigrator tool replaces all occurrences of the variable with the value you specify.

-load

Optional. Loads the data output by the ldifmigrator tool directly into Oracle Internet Directory. If an entry is already present in the directory then that directory entry is logged to the file. The addition of the directory entries could fail for other reasons as well, for instance not enough permission to add or parent entry not being present.

-reconcile SAFE | SAFE_EXTENDED | NORMAL

Optional. The -reconcile option enables you to specify different modes if the tool tries to load data for entries that already exist, or modify attributes of entries that may have conflicts. The following modes are available:

  • SAFE - This mode only adds new entries that don't exist or appends new attributes to existing entries.

  • SAFE-EXTENDED - This mode only adds new entries that don't exist or appends new attributes to existing entries. If you try to add a new value for existing attributes, then it adds it to the existing set of values.

  • NORMAL - This mode applies all directives as intended, overwriting any conflicting attributes or entries with the data specified in the ldifmigrator output.

See Reconciliation Modes for Migrated Entries for more information about LDIF directives supported by the -reconcile option.

Related Command-Line Tools for ldifmigrator

Error Messages for ldifmigrator

The Data Migration Tool can display these error messages:

Table 3-1 Error Messages of the Data Migration Tool

Message Reason Remedial Action

Environment variable ORACLE_HOME not defined

ORACLE_HOME is not defined.

Set the environment variable ORACLE_HOME

Environment variable DOMAIN_HOME not defined

DOMAIN_HOME is not defined.

Set the environment variable DOMAIN_HOME

Error while parsing the input parameters. Please verify

Not all the required parameters are provided. The required parameters are Input_File, Output_File and at least one substitution variable

Specify the input parameters properly. Use the -help option to print the usage.

Input_File parameter not specified. Please specify

Input_File parameter is a mandatory parameter.

Specify the input parameters properly. Use the -help option to print the usage.

Output_File parameter not specified. Please specify

Output_File parameter is a mandatory parameter.

Specify the input parameters properly. Use the -help option to print the usage.

The specified input file does not exist

The specified file location is invalid.

Check the input file path

Check the input file. Zero byte input file

The input file does not contain any entries.

Provide a valid file with pseudo LDIF entries

Cannot create the output file. Output file already exists

The output file already exists

Check the Output_File flag

Access denied, cannot read from the input file

The specified input file does not have read permission

Check the read permission of the input file.

Access denied, cannot create the output file

You do not have permission to create the output file.

Check the permission of the directory under which the output file needs to be created.

Directory server name not specified. When -lookup option is used the host parameter should be specified

When the -lookup option is specified, the host parameter is mandatory.

Specify the host parameter.

Bind Dn parameter name not specified. When -lookup option is used the dn parameter should be specified

When the -lookup option is specified, the DN parameter is mandatory.

Specify the DN parameter.

The port number specified is invalid

The port number should be a numeric value.

Check the port number parameter

Unable to establish connection to directory. Please verify the input parameters: host, port, dn & password

The directory server may not be running on the specified host and port, or credentials may be invalid.

Check the host, port, DN and password parameters. Check $DOMAIN_HOME/tools/OID/logs.

Naming exception occurred while retrieving the subscriber information from the directory. Please verify the input parameters

The specified identity management realm does not exist in the directory

Check the realm parameter

Not all the substitution variables are defined in the directory server specified

If the identity management realm entry does not contain the required attributes, then this error occurs.

Check the realm entry in the directory

Error occurred while migrating LDIF data to Oracle Internet Directory

This might occur if something goes wrong in the middle of a process—for example, a failure of the directory server or disk.

Report the error message to the administrator

When an error condition occurs, the log messages are logged to this file:

$DOMAIN_HOME/tools/OID/logs/LDIFMig_YYYY_MM_DD_HH_SS.log.

3.17.15 ldifwrite Command Reference

The following topics list and describe the ldifwrite syntax and arguments.

Syntax for ldifwrite

ldifwrite connect=connect_string basedn=Base_DN ldiffile=LDIF_Filename [filter=LDAP_Filter] [threads=num_of_threads] [debug="TRUE"|"FALSE"] [encode=character_set] [verbose="TRUE"|"FALSE"]

Arguments for ldifwrite

connect

Required. The directory database connect string. If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, which is located by default in $DOMAIN_HOME/config/fmwconfig/components/OID/config/ directory. (You can set the TNS_ADMIN environment variable if you want to use a different location.)

basedn

Required. The base DN of the subtree to be written out in LDIF format.

If the base DN is a replication agreement entry, then you can back up part of the naming context based on the LDAP naming context configuration. Specify the replication agreement DN in this case.

ldiffile

Required. The full path and file name of the output LDIF file.

filter

Optional. This is the LDAP filter to be used. You can specify a filter to select entries that match a particular criteria. Only these entries would be written to the LDIF file.

threads

Optional. The number of threads used to read from the directory store and write to the LDIF output file. The default is the number of CPUs plus one.

debug

Optional. The debug option reports the logging level. This is useful in case the command runs into errors. The output is logged to the ldifwrite.log file. This file can be found under $DOMAIN_HOME/tools/OID/logs.

encode

Optional. The native character set encoding. Defaults to the character set of the user's terminal. Each supported character set has a unique acronym, for example, WE8MSWIN1252, JA16SJIS, or AL32UTF8.

verbose

Related Command-Line Tools for ldifwrite

3.17.16 upgradecert.pl Command Reference

The following topics list and describe the upgradecert.pl syntax and arguments.

Syntax for upgradecert.pl

perl ORACLE_HOME/ldap/bin/upgradecert.pl -h oid_hostname -D "binddn"
-w password [-p ldap_port] [-t temp_dir]

Arguments for upgradecert.pl

-h oid_hostname

Required. The host name or IP address of the Oracle Internet Directory server.

-D ""binddn

Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).

-q

Required unless -w is used. Causes the command to prompt for the user password needed to bind to the directory. A password supplied at the command prompt is not visible on the screen.

-w password

Required unless -q is used. The user password needed to bind to the directory. Avoid supplying a password on the command line whenever possible. A password typed on the command line is visible on your screen. The -w password option is disabled when LDAP_PASSWORD_PROMPTONLY is set to true. See Overview of Passwords with Command-Line Tools.

-t temp_dir

Optional. The location of the temporary working directory. This is where the log file is found. The default is $DOMAIN_HOME/tools/OID/logs if the DOMAIN_HOME environment variable is set. If this variable is not set, the default is the current directory.

Related Command-Line Tools for upgradecert.pl

  • N/A