
Contents

Generic commands and Rules
Basic Examples
From My System
Synchronization
Ods_process
ldapbinds
ldapmodify examples
  Sample change to configset
  Sample remove all objectclasses, and create mailgroup
  Sample with multiple types of things to add
ldapadd examples
ldapdelete examples
ldifwrite examples
oidpasswd
ldapsearch examples
  To get a list of object classes and attributes
  To get root DSE / DSA Config
  To dump the indexed attributes
  To dump the ACIs
  To get a list of DNs in some container
  To get the number of members of a group
  To get a list of groups a user is a member of
  To dump a configset
  To dump running instances
  To dump the Integration Server configset
  To dump a profile
  To get the profile details from the db
  To verify that AD admin can read the 'container' of directory entries to be synched
  To dump the changelog entries
  To dump a provisioning profile
  To dump all Integration profiles, including Provisioning (but not OCS)
  To dump replication configset info
  To dump replication configuration info
  To dump the replication agreement
  To dump plug-in info
  To dump one user
  To dump all AD users
  To dump a subtree
  To get a list of users with recently changed password
  To dump tnsnames info
  To get the OID version
    HOW TO GET FIVE-DIGIT VERSION NUMBER, INCLUDING PATCH SETS ON A RUNNING OID
    HOW TO GET THE VERSION WHEN THE OIDLDAPD WILL NOT START
    HOW TO GET THE BINARIES VERSION
  To get the default subscriber
  To dump settings pertaining to realm/default subscriber
  To get the lastchangenumber
  To get the My Profile details in OIDDAS
  To get a Portal group
  To get the guid for Portal users
  To get the password policy settings
  To get the ODS password
  To find any dupe DNs
  Server Chaining setup
Bulkload
To export/import OID schemas
  EXPORT
  IMPORT
OIDCA to Create a Default Subscriber
bulkdelete
OID/AD Checkpoints

Generic commands and Rules


Not advisable to start from Windows Services. Best to use the command line, as follows:
oidmon [connect=<net_service_name>] start
oidctl connect=<net_service_name> server=oidldapd instance=<unique_instance_number> flags="-p <OID_port>" start

You can omit parameters that have defaults, such as -p (and therefore flags) if on port 389.
In the oidmon command, you can omit the 'connect' parameter if there is just one $ORACLE_HOME on that box.
There's also a -h <hostname> option you can use in oidmon if you want to start on another box.

Basic Examples
oidldapd: serverid=2
odisrv: serverid=7
oidrelpd: serverid=4

9.0.4: If you start OID from the command line then OPMN will not be able to manage the process.
opmnctl startall
- start all components that are managed by opmn (OID, http server, OC4J containers)
opmnctl status
opmnctl startproc ias-component=OID
opmnctl status
opmnctl stopproc ias-component=OID
opmnctl startproc process-type=OC4J_SECURITY (must be upper case)

oidmon connect=iasdb start
In 9.2, you can start multiple oidmons this way on the same box.
oidmon connect=iasdb stop

oidctl connect=iasdb server=oidldapd instance=1 configset=1 start
oidctl connect=iasdb server=oidldapd instance=1 configset=1 flags="-debug 65535" start
See the OPMN admin guide for starting 904 instances on different configsets.
oidctl connect=iasdb server=oidldapd instance=1 configset=1 flags="-debug 67108863" start
oidctl connect=iasdb server=oidldapd instance=1 stop

oidctl connect=iasdb server=odisrv instance=1 config=1 start
oidctl connect=iasdb server=odisrv instance=1 config=1 flags="debug=63" start
9.0.4: oidctl connect=od02asdb01 server=odisrv instance=2 config=1 flags="host=<host> debug=63 port=22650" start
oidctl connect=iasdb server=odisrv instance=1 stop
Check both the O_H/ldap/log AND the O_H/ldap/odi/log directories.
10.1.2: oidctl connect=<OID_db> host=<virtual_hostname> server=ODISRV instance=<inst> configset=<config> flags="host=<host> port=<port> debug=<debug>" start

NOTE: With 10.1.2.0.2 the maximum default size for the .aud/.trc files is 10MB. When this size limit is reached, a backup of the file is created and a new empty .trc/.aud file is used. The size parameter is configurable.

RAC:
oidctl connect=iasdb host=<virtual_host> server=odisrv instance=1 config=1 flags="host=<virtual_host>" start
10.1.2 IM 2-node replicating cluster with shared db:
oidctl connect=iasdb server=odisrv instance=1 config=1 flags="host=<physical_host>" start

oidctl connect=oidt04 server=oidrepld instance=<instance_number> flags='-h sitf03 -p 392 -d 65535' start
10.1.2: oidctl connect=oiddrp server=oidrepld instance=1 flags='-h sdrl001 -p <OID_port> -d 117440511' start
9.0.4: oidctl connect=oidt04 server=oidrepld instance=<instance_number> flags='-h sitf03 -p 392 -d 67108863' start
oidctl connect=oidt04 server=oidrepld instance=<instance_number> stop
RAC:
oidctl connect=onam host=<virtual_host> server=oidrepld instance=1 flags="-h <virtual_host> -p <OID_port>" start
From My System
oidctl connect=ora92 server=oidldapd instance=1 start
oidctl connect=ora92 server=oidldapd instance=1 flags="-p 4032" start
flags should be enclosed in double quotes
if ORACLE_SID is set, you don't need to specify connect=

oidctl connect=ora92 server=oidldapd instance=1 stop

9.2:
oidctl connect=oid92i2 server=oidldapd instance=3 configset=1 flags="-p 389 -d 65535" start

9.0.2:
oidctl connect=oid92i2 server=oidldapd instance=3 configset=1 flags="-p 389 -debug 65535" start
non-9.2:
oidctl connect=oid92i2 server=oidldapd instance=3 configset=1 flags="port=389 debug=65535" start

Synchronization
9.2:
oidctl ... server=odisrv config= ... port= debug=
--> NOT configset, NOT oidsrv
oidctl connect=iasdb server=odisrv instance=1 config=1 flags="debug=65535" start
See Oracle Internet Directory Administrator's Guide, Release 9.0.1, chapter 24 "Managing the Oracle Directory Integration Server" > "Starting the Oracle Directory Integration Server", p. 24-8.

Portal: If you are running Portal, which requires the DIP server, it by default uses configset0. This is a hidden configset that you do not see when you look in ODM at Integration Servers. Therefore, the command line to start the DIP for provisioning is:
oidctl connect=<SID> server=odisrv instance=1 start
LDAP: If you then want to set up synchronization, which by default uses configset1 (the one you see under Integration Servers in ODM):
oidctl connect=<SID> server=odisrv instance=2 configset=1 start

Ods_process
sqlplus ods/ods@oid92i2
truncate table ods_process;
ldapbinds
ldapbind -D "cn=orcladmin" -w <orcladmin_pwd> -h <OID_host> -p <OID_port>
ldapbind -D "cn=guest" -w guest -p 4032
ldapbind -D "cn=proxy" -w proxy -p 4032

Try these from your client:
- anonymous bind with no SSL authentication:
ldapbind -h <OID_host> -p <OID_SSL_port> -U 1
- superuser bind with no SSL authentication:
ldapbind -h <OID_host> -p <OID_SSL_port> -D cn=orcladmin -w <password> -U 1
- anonymous bind with server authentication:
ldapbind -h <OID_host> -p <OID_SSL_port> -U 2 -W "file:<path_to_client_wallet>" -P <wallet_password>
- superuser bind with server authentication:
ldapbind -h <OID_host> -p <OID_SSL_port> -D cn=orcladmin -w <password> -U 2 -W "file:<path_to_client_wallet>" -P <wallet_password>

SASL:
ldapbind -D cn=orcladmin -w <passwd> -O "auth" -Y "DIGEST-MD5"

ldapmodify examples
ldapmodify -h irina-laptop -p 389 -D "cn=orcladmin" -w welcome -f newobjectclass.ldif
ldapmodify -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -f newobjectclass.ldif

Sample change to configset:
dn: cn=configset0, cn=osdldapd, cn=subconfigsubentry
changetype: modify
replace: orclmaxcc
orclmaxcc: <new_value>
-
replace: orclserverprocs
orclserverprocs: <new_value>

Sample remove all objectclasses, and create mailgroup:
dn: cn=subschemasubentry
changetype: modify
replace: objectclasses
objectclasses: ( 2.16.840.1.113894.5.2.5000 NAME 'mailgroup' SUP groupofuniquenames AUXILIARY MAY ( mail ) )

Sample with multiple types of things to add:
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 9.9.9.11 NAME 'IPGchangepassword' DESC 'Section for intranet security' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.44' USAGE userApplications )
attributetypes: ( 9.9.9.13 NAME 'IPGpasschangeperiod' DESC 'Section for intranet security' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.44' USAGE userApplications )
-
add: objectclasses
objectclasses: ( 8.8.8.1 NAME 'Intranet' SUP top STRUCTURAL MAY ( IPGchangepassword $ IPGpasschangeperiod ) )
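Writing these ldapmodify files by hand is error-prone: the schema definitions above run past the 76-character LDIF line limit, and a wrapped line that does not start with a space (as the notes came out of extraction) is not valid LDIF. The following Python helper is added here as an example and is not part of the original notes: it generates modify LDIF in the shape of the three samples, with RFC 2849 line folding and base64 encoding of values that are not LDIF-safe. The DNs, attribute names and OIDs are those of the samples; the helper names and the concrete values (10, 4) are this example's own.

```python
# Added example (not from the original notes): build ldapmodify LDIF input such as the
# configset and schema samples above, with RFC 2849 line folding and base64 encoding.
# The DNs, attribute names and OIDs used in the usage come from the samples; the helper
# names (build_modify_ldif, fold, unfold) and the values 10/4 are this example's own.
import base64

MAX_LINE = 76  # RFC 2849: fold logical lines longer than 76 characters


def _needs_base64(value: str) -> bool:
    """True when the value is not a SAFE-STRING (leading space/colon/'<', non-ASCII, NUL/CR/LF)."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) > 127 or c in "\0\r\n" for c in value)


def fold(line: str, width: int = MAX_LINE) -> list:
    """Split one logical LDIF line into physical lines; continuation lines start with a space."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return out


def unfold(text: str) -> list:
    """Inverse of fold(): join continuation lines back into logical lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def attr_lines(name: str, value: str) -> list:
    """Emit 'name: value', or 'name:: base64' when the value is not LDIF-safe."""
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return fold(f"{name}:: {encoded}")
    return fold(f"{name}: {value}")


def build_modify_ldif(dn: str, changes: list) -> str:
    """changes is a list of (op, attribute, [values]) with op in add/replace/delete.
    Successive modifications are separated by a line holding only '-', as in the samples."""
    lines = attr_lines("dn", dn) + ["changetype: modify"]
    for i, (op, attr, values) in enumerate(changes):
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unsupported modify operation: {op!r}")
        if i:
            lines.append("-")
        lines.append(f"{op}: {attr}")
        for value in values:
            lines += attr_lines(attr, value)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The configset sample above, with constructed values in place of <new_value>.
    print(build_modify_ldif("cn=configset0, cn=osdldapd, cn=subconfigsubentry",
                            [("replace", "orclmaxcc", ["10"]),
                             ("replace", "orclserverprocs", ["4"])]))
```

Feed the output to ldapmodify with -f as in the commands above; the long objectclasses definition from the mailgroup sample comes out folded onto two physical lines, which ldapmodify rejoins.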

ldapadd examples
ldapadd -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <orcladmin_pwd> -f objattr.ldif
ldapadd -h irina-laptop -p 389 -D "cn=orcladmin" -w welcome -f newuser.ldif

NOTE: To add attributes or objectclasses, use ldapmodify.
NOTE: System operational attributes can't be ldapadded, but they can be bulkloaded with -restore during the load.
NOTE: The only operational attribute allowed to be ldapadded is orclguid, supported since 902x.

ldapdelete examples
ldapdelete -h irina-pc2 -p 4032 -D "cn=orcladmin" -w welcome -f createaliases.ldif
ldapdelete -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> "cn=ftarica,cn=users,dc=farmalink,dc=com,dc=ar"

ldifwrite examples
ldifwrite -c oid92 -b "cn=Users,dc=kenn-pc2,dc=com" -f ldifwrite.txt
--> prompts for the ODS password. Ensure Home Selector is set to the OID ORACLE_HOME.
ldifwrite -c iasdb -b "cn=infotrac8,ou=gale,ou=Groups,o=thomsonlearning.com" -f infotrac8_`date +%Y%m%d.%H%M`.ldif
This creates a file such as infotrac8_20040401.1204.ldif

oidpasswd

10.1.2:
oidpasswd connect=<OID_db> change_oiddb_pwd=true
oidpasswd connect=<OID_db> create_wallet=true
oidpasswd connect=<OID_db> unlock_su_acct=true
oidpasswd connect=<OID_db> reset_su_password=true
oidpasswd connect=<OID_db> manage_su_acl=true

ldapsearch examples
See Note 237919.1 for other ldapsearches

To get a list of object classes and attributes:


ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<orcladmin_pwd>" -L -b "cn=subschemasubentry" -s base "objectclass=*" objectclasses attributetypes > objattr.ldif
ldapsearch -h <OID_host> -p 4032 -D "" -w "welcome" -b "cn=subschemasubentry" -s base "objectclass=*" objectclasses attributetypes > attributes.txt

To get root DSE / DSA Config


ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "" -s base -v "objectclass=*" > rootdse.txt

ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" -s base -v "objectclass=*" > dsaconfig.txt

To dump the indexed attributes


ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "cn=catalogs" -s base "objectclass=*"

To dump the ACIs


Default ACP:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -s one -b "" "orclaci=*" orclaci > aci.txt

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -s sub -b "" "orclaci=*" orclaci > aci.txt

For a DIT:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -s base -b "cn=users,dc=evan,dc=ocunet" objectclass=* orclaci > aci.txt
To get a list of DNs in some container
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "<container_where_records_are_located>" -s sub "objectclass=*" dn

This could then be used with an ldapdelete to remove all the DNs in this file

To get the number of members of a group:


ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -L -b "<your group dn>" -s base "objectclass=*" member | wc -l

To get a list of groups a user is a member of:


ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "" "(uniquemember=cn=orcladmin, cn=Users, dc=owner-abcab1nsf,dc=com)" "dn"

10.1.2.0.2: the undocumented -C option returns a (flat) list of groups an entry belongs to. This option might be pretty slow with 10.1.2.0.2. We made significant performance changes to this option in 10.1.3.

An example command to use looks like:

ldapsearch -C -b "<yourBranch>" -s sub "uniquemember=<YourUserDN>"

Here's the text from the (not yet accessible) 10.1.3 doc
___________________________________

-C
Optional. ldapsearch -C option causes ldapsearch to traverse a hierarchy and report direct
memberships. The ldapsearch -C option essentially includes the CONNECT_BY
control (2.16.840.1.113894.1.8.3) in the request sent to the client. ldapsearch
doesn't have any means to pass values with a control. So, it sends the CONNECT_BY
control without values. In this case the default values are assumed, that is, the
hierarchy-establishing attribute name is obtained from the filter, and the number
of levels is 0. Thus, the -C option can only be used to fetch all containers of a
containee queries, for example, fetch all groups of a user, fetch all employees of a
manager and so forth. Also, all levels of the hierarchy are traversed
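To make the difference between a plain (uniquemember=<dn>) search and the -C option concrete, here is an added example, not from the notes or from the Oracle documentation, that computes both the direct memberships and the flat, all-levels list that -C returns, over a constructed set of nested groups. The DNs and group data are made up, and the function names are this example's own.

```python
# Added example (not from the original notes): compute the flat list of groups an entry
# belongs to across nested groups, which is what the -C (CONNECT_BY) option returns in one
# request. The group data below is constructed for the example; the DNs are not real.
from collections import deque

# Constructed sample: group DN -> uniquemember values. Groups may contain other groups,
# and "everyone" lists itself so the traversal has to guard against cycles.
GROUPS = {
    "cn=dba,cn=groups,dc=example,dc=com": [
        "cn=alice,cn=users,dc=example,dc=com",
    ],
    "cn=admins,cn=groups,dc=example,dc=com": [
        "cn=dba,cn=groups,dc=example,dc=com",
        "cn=bob,cn=users,dc=example,dc=com",
    ],
    "cn=everyone,cn=groups,dc=example,dc=com": [
        "cn=admins,cn=groups,dc=example,dc=com",
        "cn=everyone,cn=groups,dc=example,dc=com",
    ],
}


def dn_key(dn: str) -> str:
    """Comparison key: case-insensitive, ignoring spaces around the RDN separators
    (escaped commas are not handled; sufficient for the constructed data above)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def direct_groups(member_dn: str, groups: dict) -> list:
    """Groups that list member_dn directly: what a plain (uniquemember=<dn>) search returns."""
    key = dn_key(member_dn)
    return sorted(g for g, members in groups.items()
                  if any(dn_key(m) == key for m in members))


def all_groups(member_dn: str, groups: dict) -> list:
    """Transitive closure over nested groups: the flat list -C reports, all levels,
    each group reported once even when the hierarchy contains a cycle."""
    seen, order = set(), []
    queue = deque(direct_groups(member_dn, groups))
    while queue:
        group = queue.popleft()
        key = dn_key(group)
        if key in seen:
            continue
        seen.add(key)
        order.append(group)
        queue.extend(direct_groups(group, groups))
    return order


if __name__ == "__main__":
    for dn in ("cn=alice,cn=users,dc=example,dc=com", "cn=bob,cn=users,dc=example,dc=com"):
        print(dn, "->", all_groups(dn, GROUPS))
```

Without -C, each level of direct_groups() is a separate search round trip; the visited set is what keeps the self-referencing "everyone" group from looping forever.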

To dump a configset
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "cn=configset1,cn=osdldapd,cn=subconfigsubentry" -s sub "objectclass=*" > config1.txt

when OID is down:


SQL> set pagesize 2000
SQL> select * from ods.ds_attrstore where entryid in
(select entryid from ods.ds_attrstore where attrval like '%osdldapd%'
and attrval like '%configset%');

To dump running instances:


(includes odisrv instances)
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "cn=subregistrysubentry" -s sub "objectclass=*" > instances.txt

To dump the Integration Server configset:


ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=instance1,cn=odisrv,cn=subregistrysubentry" -s sub objectclass=* > config.txt

or all of them:
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=odisrv,cn=subregistrysubentry" -s sub objectclass=* > config.txt

To dump a profile:
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog Subscriber,cn=oracle internet directory" -s sub objectclass=*
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "orclODIPAgentName=ActiveChgImp,cn=subscriber profile,cn=changelog Subscriber,cn=oracle internet directory" -s sub objectclass=* > profile.txt

or all of them:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "cn=subscriber profile,cn=changelog subscriber, cn=oracle internet directory" objectclass=*

To get the profile details from the db:


set pages 1000

SELECT * FROM ct_dn dn, ds_attrstore store
 WHERE dn.entryid = store.entryid
   AND dn.parentdn LIKE 'cn=oracle internet directory,cn=changelog subscriber,%'
   AND store.attrname = 'orcllastappliedchangenumber'
   AND store.entryid IN (SELECT entryid FROM ds_attrstore store1
                          WHERE store1.entryid = store.entryid
                            AND store1.attrname = 'orclsubscriberdisable');

Check the results for the entryid of 'orclodipagentname=ActiveChgImp' and use it in the following query:
select * from ds_attrstore where entryid=<value_from_previous_query>

To verify that AD admin can read the 'container' of directory entries to be synched:
ldapsearch -p 389 -h adhost -D "cn=Administrator,cn=users,dc=msad,dc=us,dc=oracle,dc=com" -w "welcome1" -b "cn=users,dc=msad-orl,dc=us,dc=oracle,dc=com" -s base "objectclass=*"

To dump the changelog entries:


ldapsearch -p $LDAPPORT -h $LDAPHOST -D "$LDAPADMIN" -w $LDAPPW -b "cn=changelog" -s one "(&(objectclass=changelogentry)(changenumber=$LACN))"
The changelog entries are one level down and are treated as a special case, so they will not display if you are using a scope of "sub", e.g.
ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <OID superuser password> -s one -b "cn=changelog" "(objectclass=changelogentry)" "*"
Note that I am searching as "cn=orcladmin". To check that the subscriber user entry has access you need to check the ACI on the "cn=changelog", e.g.
ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <OID superuser password> -s base -b "cn=changelog" "(objectclass=*)" "orclaci"
By default full access is only granted to the "cn=odisgroup,cn=odi,cn=oracle internet directory" group, so check your subscribers are members of that group.

Run the ldapsearch to obtain the last change number on Active Directory. For example:
ldapsearch -p 389 -h adhost -D Administrator@e.org -w "<password>" -b "" -s base "objectclass=*" highestCommittedUSN

Verify that you can read the 'container' of directory entries you wish to synch:
ldapsearch -p 389 -h adhost -D Administrator@e.org -w "<password>" -b "OU=USERS,OU=kenn,OU=OFFICES,DC=spe,DC=org" -s base "objectclass=*"
When running this search using the ADMINISTRATOR account, the two required attributes are present in the output of the search.

Verify that you can read an entry within the 'container' of directory entries you wish to synch:
ldapsearch -p 389 -h adhost -D Administrator@e.org -w "<password>" -b "<SOME USER>,OU=USERS,OU=kenn,OU=OFFICES,DC=spe,DC=org" -s base "objectclass=*"

Note: The output of this search shows that you can read the USNCreated and USNChanged attributes.

Verify that the sync account can read the 'container' of directory entries you wish to synch. For example:
ldapsearch -p 389 -h adhost -D servacct_oid@e.org -w "<password>" -b "OU=USERS,OU=kenn,OU=OFFICES,DC=spe,DC=org" -s base "objectclass=*"

Verify that when you retrieve entries from AD you see the USNCreated and USNChanged attributes. Run an ldapsearch against AD for an existing user:
ldapsearch -p 389 -h adhost -D servacct_oid@e.org -w "<password>" -b "<SOME USER>,OU=USERS,OU=kenn,OU=OFFICES,DC=e,DC=org" -s base "objectclass=*"

IF YOU DO NOT SEE THE USNCreated and USNChanged attributes STOP. AD SYNC WILL NOT WORK.
YOU MUST HAVE YOUR AD ADMINISTRATOR FIX YOUR SYNC ACCOUNT SO THAT IT CAN READ THESE VALUES.
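The checks in this section and the group-member count earlier (the `member | wc -l` pipeline, which also counts the dn line and any blank lines in the output) are easier to script than to eyeball. The following Python parser is added here as an example and is not part of the original notes: it reads ldapsearch LDIF output, handles folded continuation lines and base64 (`::`) values, counts attribute values rather than output lines, and lists the entries on which the USNCreated/USNChanged attributes are missing. The sample output embedded in it is constructed; the DNs are not real, and the function names are this example's own.

```python
# Added example (not from the original notes): parse ldapsearch LDIF output and run the
# checks the notes describe (count group members, confirm the AD sync account can see
# uSNCreated/uSNChanged). Both samples below are constructed; no real directory data.
import base64

# Constructed sample: a group entry with a folded continuation line, a base64 value and a
# comment. Counting 'uniquemember' values here is what 'member | wc -l' approximates.
SAMPLE_GROUP_OUTPUT = """\
# constructed sample, not real directory data
dn: cn=dba,cn=groups,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
uniquemember: cn=alice,cn=users,dc=example,dc=com
uniquemember: cn=bob,cn=users,dc=example,
 dc=com
description:: IGxlYWRpbmc=
"""

# Constructed sample: two AD user entries, the second one missing the USN attributes that
# synchronization needs (what you see when the sync account cannot read them).
SAMPLE_AD_OUTPUT = """\
dn: CN=Some User,OU=USERS,OU=kenn,OU=OFFICES,DC=spe,DC=org
objectClass: user
sAMAccountName: someuser
uSNCreated: 12345
uSNChanged: 67890

dn: CN=Restricted User,OU=USERS,OU=kenn,OU=OFFICES,DC=spe,DC=org
objectClass: user
sAMAccountName: restricted
"""


def parse_ldif(text: str) -> list:
    """Return entries as {'dn': str, 'attrs': {lowercase_name: [values]}}.
    Handles comments, folded lines (leading space) and base64 ('::') values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous logical line
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if rest.startswith(":"):            # name:: base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute line before any dn: line")
        else:
            current["attrs"].setdefault(name.lower(), []).append(value)
    return entries


def count_values(entries: list, attr: str) -> int:
    """Number of values of attr across entries (values, not output lines)."""
    attr = attr.lower()
    return sum(len(e["attrs"].get(attr, [])) for e in entries)


def missing_sync_attrs(entries: list, required=("usncreated", "usnchanged")) -> list:
    """DNs of entries that lack any attribute AD synchronization depends on."""
    return [e["dn"] for e in entries if any(r not in e["attrs"] for r in required)]


if __name__ == "__main__":
    print("members:", count_values(parse_ldif(SAMPLE_GROUP_OUTPUT), "uniquemember"))
    print("entries missing USN attributes:", missing_sync_attrs(parse_ldif(SAMPLE_AD_OUTPUT)))
```

Redirect the ldapsearch output to a file and pass its contents to parse_ldif(); attribute names are compared case-insensitively, so the AD spelling uSNCreated matches the notes' USNCreated.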

To dump a provisioning profile:


2 locations:
For Syndication, Wireless, Portal, eBiz profiles:
ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=provisioning profiles,cn=changelog subscriber,cn=oracle internet directory" -s sub objectclass=* > provprofiles1.txt

For OCS (email, Content, RTC, Calendar profiles):


ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=Profiles, cn=Provisioning, cn=Directory Integration Platform, cn=Products, cn=OracleContext" -s sub objectclass=* > provprofiles2.txt

To dump all Integration profiles, including Provisioning (but not OCS):


ldapsearch -h <OID_host> -p <OID_port> -D cn=orcladmin -w <pwd> -b "cn=changelog subscriber,cn=oracle internet directory" -s sub objectclass=* > allprofiles.txt

To dump replication configset info:


ldapsearch -h <host> -p <port> -D cn=orcladmin -w <password> -b "cn=osdrepld,cn=subconfigsubentry" -s sub "objectclass=*"
9.2: ldapsearch -h <host> -p <port> -D cn=orcladmin -w <password> -s base -b "" objectclass=*

Or dump both repl and ldap:
ldapsearch -h <host> -p <port> -D cn=orcladmin -w <password> -b cn=subregistrysubentry -s sub -v "objectclass=*"

To dump replication configuration info:


9.0.4 (new): ldapsearch -h <host> -p <port> -L -D cn=orcladmin -w <password> -s base -b "orclReplicaID=<replicaid>, cn=replication configuration" "objectclass=*"

To dump the replication agreement:


Pre-904: ldapsearch -h <host> -p <port> -D cn=orcladmin -w <password> -s base -b "orclagreementid=000001, cn=orclreplagreements" "objectclass=*"

904/LDAP: ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <password> -s sub -b "orclReplicaID=<replicaid>, cn=replication configuration" "objectclass=*"

To dump plug-in info:


ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "cn=plugin,cn=subconfigsubentry" -s sub "cn=*" > plugins.ldif

Hostname and port:
sqlplus ods/<pwd>@<OID_db>
> set pagesize 9999
> spool code.sql
> select text from user_source where name='OIDADPSWD' and type='PACKAGE BODY' order by line;
> spool off;
NOTE: For the "name", use the plugin attribute orclpluginname.
Search the output for lines such as:
my_session := DBMS_LDAP.init('<AD_host>', <AD_port>);

To dump one user:


ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -L -b "<full_user_DN>" -s sub "objectclass=*"
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -L -b "cn=test1, cn=Users,dc=kenn-pc1,dc=com" -s sub "cn=*"

To dump all AD users:


ldapsearch -p 389 -h <ADhost> -D "Administrator@bde-ad1.us.oracle.com" -w <pwd> -b "dc=bde-ad1,dc=us,dc=oracle,dc=com" -s sub "objectclass=user" SamAccountName
where "bde-ad1" is your domain name
ldapsearch -h <AD Host> -p 389 -D "Administrator@bde-ad1.us.oracle.com" -w <pwd> -s sub -b "cn=<ADUser>,dc=xxx,dc=xxx,xxxx" objectclass=* > user.txt
To dump a subtree:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -b "dc=com" -s sub "cn=*" > entries.txt
ldapsearch -h owner-abcab1nsf -p 4032 -D "cn=orcladmin" -w "welcome" -b "o=webjunction.org" -s sub "uid=*" > user.txt

To get a list of users with recently changed password:


First, index the attribute pwdchangedtime (catalog.sh)
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w "<pwd>" -b "cn=users,dc=acme,dc=com" -s sub "(pwdchangedtime>=20040106000000z)"

To dump the groups a user is a member of:


ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w "<pwd>" -s sub -b "" "(uniquemember=cn=orcladmin,cn=users,<realm or subscriber DN>)" "dn"

To dump the members of a group (root level):


ldapsearch -D "cn=orcladmin" -w welcome -L -b "cn=Groups,cn=OracleContext" -s sub "objectclass=*" uniquemember

To dump tnsnames info:


ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "dc=irina-pc1,dc=com" -s sub "cn=*" cn orclnetdescstring > tnsnames.txt

To get the OID version:

HOW TO GET FIVE-DIGIT VERSION NUMBER, INCLUDING PATCH SETS ON A RUNNING OID
ldapsearch -h <OID_host> -p <port> -D "cn=orcladmin" -w <pwd> -b "" -s base objectclass="*" orcldirectoryversion

HOW TO GET THE VERSION WHEN THE OIDLDAPD WILL NOT START...

Login to the DB as : ODS/ODS


Run the following query :
select attrval from ds_attrstore where entryid = 1 and attrname =
'orcldirectoryversion';
Sample output is as follows:
ATTRVAL
------------------------------------------------------------------
OID 9.0.2.3.0

HOW TO GET THE BINARIES VERSION

Go to $ORACLE_HOME/bin and type:


oidldapd -version
The output will be something like:
oidldapd: Release 9.0.2.3.0 - Production on Wed Feb 11 08:35:41 2004
(c) Copyright 2001 Oracle Corporation. All rights reserved.

To get the default subscriber:


ldapsearch -h <OID_host> -p <port> -D "cn=orcladmin" -w <password> -L -s base -b "cn=Common,cn=Products,cn=OracleContext" "(objectclass=orclContainer)" "orcldefaultsubscriber"

To dump settings pertaining to realm/default subscriber:


Root Context:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s base -b "cn=Common,cn=Products,cn=OracleContext" "(objectclass=orclContainer)"
ldapsearch -p 3060 -D "cn=orcladmin" -w welcome1 -L -s base -b "cn=Common,cn=Products,cn=OracleContext" "(objectclass=orclContainer)"

Default realm:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s base -b "cn=Common,cn=Products,cn=OracleContext,<your_realm>" "(objectclass=orclContainer)"
ldapsearch -p 3060 -D "cn=orcladmin" -w <pwd> -L -s base -b "cn=Common,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com" "(objectclass=orclContainer)"

For the value of <your_realm> in the 2nd command, please use the value returned from the
1st command for the attribute orcldefaultsubscriber.

To get the lastchangenumber:


ldapsearch -h <OID_host> -p <port> -D cn=orcladmin -w <password> -b "" -s base "objectclass=*" lastchangenumber

To get the My Profile details in OIDDAS:


Realm Context:
ldapsearch -h <OID_host> -p <port> -D cn=orcladmin -w <password> -s sub -b "cn=categories,cn=User Configuration,cn=Attribute Configuration,cn=DAS,cn=Products,cn=OracleContext,dc=oracle,dc=com" objectclass=* > dasprofilerealm.txt

Root Context:
ldapsearch -h <OID_host> -p <port> -D cn=orcladmin -w <password> -s sub -b "cn=categories,cn=User Configuration,cn=Attribute Configuration,cn=DAS,cn=Products,cn=OracleContext" objectclass=* > dasprofileroot.txt
To get a Portal group:
List the users in the portal DBA group:
ldapsearch -h <OID_host> -p 4032 -D cn=orcladmin -w passwd1 -b "cn=DBA,cn=portal_groups,cn=groups,dc=us,dc=oracle,dc=com" -s sub -v objectclass=* uniquemember

To get the guid for Portal users:


ldapsearch -h <OID_host> -p <OID_port> -b "<base_dn>" -s sub "uid=<username>" orclguid

To get the password policy settings


For the root and default subscriber:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "" -s sub
"(objectclass=pwdpolicy)" "*"

NOTE: the policy that is applied will be the policy in the default Oracle Context under the
subscriber DN if one exists, otherwise the root policy is applied.

To get the ODS password:


ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "OrclResourceName=ODS,orclReferenceName=asdb.us.oracle.com,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext" -s base "objectclass=*" orclpasswordattribute

To find any dupe DNs:


select attrvalue from ct_orclnormdn group by attrvalue having count(*)>1;

Server Chaining setup


ldapsearch -p 13060 -D "cn=orcladmin" -w welcome1 -s base -b "cn=oidscad,cn=OID Server Chaining,cn=subconfigsubentry" objectclass=*

Bulkload
Bulkload by default appends the data, but there is also a "-append" option to bulkload which, when specified, behaves like ldapadd, with the only difference that it does not generate change logs and does not go through the LDAP server.
- With default bulkload you have to bring down the LDAP server, and with the -append option you need to set the OID LDAP server to a special read/modify mode ('orclservermode' attribute in the root DSE). Hence, if it is only a few entries there is no point in going through all these steps; ldapadd is the better option.
To export/import OID schemas:

EXPORT:
1. Create an oidexp.dat file containing:
FILE=oid.data
OWNER=ods, odscommon
GRANTS=y
ROWS=y
2. Run the command from o_h/bin:
exp system/manager PARFILE=oidexp.dat

IMPORT:
1. Run the following SQL scripts:
cd $ORACLE_HOME/ldap/admin/
sqlplus system/manager @ldapxact.sql (drop/create ods, odscommon and role ods_server)
sqlplus system/manager @ldapxsec.sql (create new table/view odsinstance(s))
2. Create oidimp1.dat containing:
FILE=oid.data
FROMUSER=ods
TOUSER=ods
3. Create oidimp2.dat containing:
FILE=oid.data
FROMUSER=odscommon
TOUSER=odscommon
4. Run the following commands:
imp system/manager PARFILE=oidimp1.dat
imp system/manager PARFILE=oidimp2.dat

OIDCA to Create a Default Subscriber


oidca /createDefaultSubscriber /host "<LDAP host name>" /port <LDAP port> /userDN "cn=orcladmin" /userPwd <superuser password> /subscriberDN "<your new subscriber>"
oidca /createDefaultSubscriber /host irina-laptop /port 389 /userDN "cn=orcladmin" /userPwd welcome /subscriberDN "dc=irina-laptop,dc=net"

bulkdelete
You cannot use bulkdelete with -base ""; you must delete -base "cn=oraclecontext", then -base "cn=oracleschemaversion", then -base "dc=com" to remove the root-level entries one by one.
EXAMPLE:
./bulkdelete.sh -connect oid920 -base "cn=oraclecontext" -size 10
./bulkdelete.sh -connect oid920 -base "cn=oracleschemaversion" -size 10
./bulkdelete.sh -connect oid920 -base "dc=com" -size 10

10.1.2:
bulkdelete.sh -connect <OID_db> -base "<base_dn>" -size <number_of_entries>

Debug option -- 10.1.2 or later:


1. Set the UTL_FILE_DIR parameter to the $ORACLE_HOME/ldap/log directory (through the init.ora file).
2. Restart the Oracle database (this is required for the parameter to take effect).
3. Retry the bulkdelete.sh command with the -debug option:

bulkdelete.sh -connect oiddb -base "dc=test,dc=oracle,dc=com" -debug

From 10.1.4 onwards the debug parameter can be used with all bulk tools; in 10.1.2 or earlier the debug option is available only with bulkdelete and bulkmodify.

OID/AD Checkpoints
Goal: Enable active directory synchronization with OID including pass-through
authentication

Task 1: Verify the Microsoft Active Directory Information to be Configured into the
Active Directory Synchronization Profiles
For export, check OID:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -b "" -s base
"objectclass=*" lastchangenumber

For import, check AD:


# This also validates the username and credentials for both directories
ldapsearch -p 389 -h <AD SERVER HOST NAME> -D "<AD USER'S DISTINGUISHED NAME>" -w <AD USER'S PASSWORD> -b "" -s base "objectclass=*" defaultnamingcontext

ldapsearch -p 389 -h <AD SERVER HOST NAME> -D "<AD USER'S DISTINGUISHED NAME>" -w <AD USER'S PASSWORD> -b "" -s base "objectclass=*" highestCommittedUSN

ldapsearch -p 389 -h <AD SERVER HOST NAME> -D "<AD USER'S DISTINGUISHED NAME>" -w <AD USER'S PASSWORD> -b <USER CONTAINER DN> -s sub "(&(objectclass=*)(USNChanged=<value of highestCommittedUSN>))"
## Note: If the last search (the one filtering on USNChanged=<value of highestCommittedUSN>) doesn't return the details of the last change, STOP. Your AD user doesn't have the necessary privileges to make this work.
http://download-uk.oracle.com/docs/cd/B14099_16/idmanage.1012/b14085/toc.htm

For the DirSync approach, the Active Directory user account that the Oracle directory
integration and provisioning server uses to access Active Directory must have Domain
Administrative permissions, belong to the Domain Administrators group, or be explicitly
granted Replicating Directory Changes permissions. In addition to the List Property, List
Child Object right (read access), you will also need to grant the user account for accessing
AD the "Replication Change" privilege in order to synchronize the deleted entries. See How
to Grant the "Replicating Directory Changes" Permission for the Microsoft Metadirectory
Services ADMA Service Account , at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;303972

For the USN-Changed approach, the Active Directory user account that the Oracle
directory integration and provisioning server uses to access Active Directory must have
"List Content" and "Read Properties" permission to the cn=Deleted Objects container of a
given domain. See Deleting Items from Active Directory , at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;230113

In order to set these permissions, you must use the dsacls.exe command that is available
with recent versions of Active Directory Application Mode (ADAM). You can download the
most recent version of ADAM at http://www.microsoft.com/downloads/.

See also How to let non-administrators view the Active Directory deleted objects container in Windows Server 2003 and in Windows 2000 Server, at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;892806

ldapsearch -p 389 -D cn=orcladmin -w <OID USER'S PASSWORD> -b "orclodipagentname=Activeimport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s sub "objectclass=*"

# Task 2: Create the OID structure to support synchronization. For example, you
might create:
ou=departments,dc=company,dc=com
ou=users,ou=departments,dc=company,dc=com

# Task 3: Configure the Information Related to the Microsoft Active Directory Environment
$ORACLE_HOME/ldap/odi/admin/adprofilecfg.sh

Enter OID superuser DN: cn=orcladmin
Enter OID superuser password: <OID USER'S PASSWORD>
##############################################
Configuring Active Directory connection details
##############################################
Enter Active Directory connection URL (host:port): <AD SERVER HOST NAME>:389
Enter Active Directory privileged user DN to be used for synchronization: <AD USER'S DISTINGUISHED NAME>
Enter Active Directory privileged user password: <AD USER'S PASSWORD>
##############################################
Configuring domain-level mapping rules
##############################################
Enter the DN of the domain in Active Directory to be synchronized: <USER CONTAINER DN>
Profile successfully modified.
Profile successfully modified.
Profile successfully modified.

Check the mapping. If it isn't correct, copy activeimp.map.master and activechg.map.master, edit them to reflect the correct DNs, then point each profile at its edited map file (ActiveImport at the import map, ActiveChgImp at the change map):
dipassistant mp -profile ActiveImport -host <OID SERVER HOST NAME> -port 389 -dn cn=orcladmin -passwd <OID USER'S PASSWORD> odip.profile.mapfile=activeimport.map

dipassistant mp -profile ActiveChgImp -host <OID SERVER HOST NAME> -port 389 -dn cn=orcladmin -passwd <OID USER'S PASSWORD> odip.profile.mapfile=activechange.map

# Task 4: Ensure SQL*Net connectivity to the database.

a. Verify that the database service names include <sid> and <sid>.<domain>, e.g. asdb and asdb.aci.corp.net
b. Ensure you can connect as user ODS with the same password used for ias_admin

# Task 5: Set permissions on the new containers using option 13 of diptester

Task 6: Configure the Active Directory Plugin


$ORACLE_HOME/ldap/admin/oidspadi.sh
---------------------------------------------
OID Active Directory Plug-in Configuration
---------------------------------------------
Please make sure Database and OID are up and running.

Please enter Active Directory host name: <AD SERVER HOST NAME>
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string: asdb
Please enter ODS password:

Please enter OID host name: <OID SERVER HOST NAME>
Please enter OID port number [389]: 389
Please enter orcladmin password: <OID USER'S PASSWORD>

Please enter the subscriber common user search base: <USER CONTAINER DN>
Please enter the Plug-in Request Group DN:
Please enter the exception entry property: (&(objectclass=orcluser))

Do you want to setup the backup Active Directory for failover? (y/n) n

Installing Plug-in Packages ...

Table dropped.
Table created.
Sequence dropped.
Sequence created.
Procedure created.
No errors.
Procedure created.
No errors.
No errors.
No errors.

Registering Plug-ins ...


adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry

-------------------------------------------------------------
Done.
-------------------------------------------------------------
[oracle@<OID SERVER HOST NAME> bin]$

Task 7: Enable the Active Directory Plugin


ldapmodify -h <OID SERVER HOST NAME> -p 389 -D cn=orcladmin -w <OID USER'S PASSWORD> <<EOF
dn: cn=adwhencompare,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF
ldapmodify -h <OID SERVER HOST NAME> -p 389 -D cn=orcladmin -w <OID USER'S PASSWORD> <<EOF
dn: cn=adwhenbind,cn=plugin,cn=subconfigsubentry
changetype: modify
replace: orclpluginenable
orclpluginenable: 1
EOF

modifying entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry


modifying entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry

Task 8: Bootstrap (bring the initial group of users from AD into OID)
dipassistant bootstrap -port 389 -profile ActiveChgImp -dn cn=orcladmin -passwd
<OID USER'S PASSWORD>

Task 9: Start the Synchronization from Microsoft Active Directory to Oracle Internet
Directory
dipassistant mp -profile ActiveChgImp odip.profile.status=ENABLE
Password: <OID USER'S PASSWORD>

Task 10: Start the Oracle Directory Integration and Provisioning Server as You Would
for Synchronization
oidctl connect=asdb server=odisrv instance=2 configset=1 flags="port=389
debug=63" start

Task 11: Verify that Synchronization Has Started


ldapsearch -h <OID SERVER HOST NAME> -p 389 -D cn=orcladmin -w <OID USER'S PASSWORD> -b "orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*" orclodipsynchronizationstatus

ldapsearch -h <OID SERVER HOST NAME> -p 389 -D cn=orcladmin -w <OID USER'S PASSWORD> -b "orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory" -s base "objectclass=*" orclodiplastsuccessfulexecutiontime
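Added example, not part of the original notes and not Oracle code: a Python script that turns the two verification searches above into a pass/fail result that a cron job or monitor can act on, instead of eyeballing the output once. It parses the default attr=value output of OID's ldapsearch (the DN on its own line, then one attr=value line per value), reads orclodipsynchronizationstatus and orclodiplastsuccessfulexecutiontime from the ActiveChgImp profile entry, and flags the profile as unhealthy when the status text reports a failure or the last successful run is older than a threshold. Assumptions: the timestamp format YYYYMMDDHHMMSS with an optional trailing Z, read as UTC; the "fail"/"error" keywords used to classify the status text; the 30-minute freshness threshold; and the constructed sample output embedded in the script.

```python
"""Evaluate ODIP ActiveChgImp sync health from OID ldapsearch output.

Added example. The timestamp format, the status keywords and the sample
output are assumptions made for illustration, not Oracle documentation.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the two searches above, merged into one entry.
SAMPLE_OK = """\
orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
orclodipsynchronizationstatus=Synchronization successful
orclodiplastsuccessfulexecutiontime=20080914103022
"""

# Constructed sample of a profile whose last run failed.
SAMPLE_FAILED = """\
orclodipagentname=activechgimp,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
orclodipsynchronizationstatus=Mapping/Import Operation Failure
orclodiplastsuccessfulexecutiontime=20080912080000
"""


def parse_oid_ldapsearch(text):
    """Parse OID ldapsearch attr=value output into [(dn, {attr: [values]})].

    The first non-blank line of each entry is the DN; following lines are
    attr=value (split on the first '='); entries are separated by blank lines.
    """
    entries, dn, attrs = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if dn is None:
            dn = line
            continue
        name, _, value = line.partition("=")
        attrs.setdefault(name.lower(), []).append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def parse_exec_time(value):
    """YYYYMMDDHHMMSS[Z] -> aware UTC datetime (format is an assumption)."""
    return datetime.strptime(value.rstrip("Zz"), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_sync_health(output, now, max_age=timedelta(minutes=30)):
    """Return a dict with 'healthy' plus the evidence behind the verdict."""
    entries = parse_oid_ldapsearch(output)
    if not entries:
        return {"healthy": False, "reason": "profile entry not found"}
    _, attrs = entries[0]
    status = attrs.get("orclodipsynchronizationstatus", [""])[0]
    times = attrs.get("orclodiplastsuccessfulexecutiontime", [])
    if not times:
        return {"healthy": False, "status": status, "reason": "never ran successfully"}
    last = parse_exec_time(times[0])
    age = now - last
    # Assumed classification: any status mentioning fail/error is a failure.
    status_ok = bool(status) and not any(w in status.lower() for w in ("fail", "error"))
    fresh = age <= max_age
    reason = "" if status_ok and fresh else ("status reports failure" if not status_ok else "stale")
    return {
        "healthy": status_ok and fresh,
        "status": status,
        "last_success": last,
        "age_seconds": int(age.total_seconds()),
        "reason": reason,
    }


if __name__ == "__main__":
    # In production, read stdin piped from the ldapsearch commands above and
    # use datetime.now(timezone.utc); here the clock is fixed for the sample.
    print(check_sync_health(SAMPLE_OK, parse_exec_time("20080914103522")))
    print(check_sync_health(SAMPLE_FAILED, parse_exec_time("20080912080500")))
```

Pipe the output of both ldapsearch commands into the script and alert on "healthy": False; the freshness threshold should be set from the profile's scheduling interval rather than the illustrative 30 minutes.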

Task 12: modify the user search base to include the new user containers (Modify
cn=Common,cn=Products,cn=OracleContext,dc=aci,dc=corp,dc=net)

Task 13: Restart OC4J_SECURITY


opmnctl stopproc process-type=OC4J_SECURITY
opmnctl startproc process-type=OC4J_SECURITY

Optional Task 14: Reregister the ODIserver (only necessary if you must reset the
password)
odisrvreg -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <orcladmin password>
Optional Task 15: Modify the password policies so that the orcladmin password doesn't
expire too quickly

1. Please upload the ldapsearch output for the source entry

Ex) ldapsearch -h <iplanet host> -p <iplanet port> -D "cn=Directory Manager" -w <password> -b "<source entry dn>" -s base "objectclass=*"
(user cn=dirman is the directory manager for the iPlanet/Sun LDAP server)
~> ldapsearch -h ldap5.itcs.northwestern.edu -p 391 -D "cn=dirman" -w "xxxxx" -b "ou=people,dc=northwestern,dc=edu" -s base -x "objectclass=*"

2. Please upload the ldapsearch output for the target entry synchronized from the source.
Ex) ldapsearch -h <oid host> -p <oid port> -D cn=orcladmin -w <password> -b "<target entry dn>" -s base "objectclass=*"
~> ldapsearch -h oiddev1.itcs.northwestern.edu -D "cn=orcladmin" -w "xxxx" -b "ou=people,dc=northwestern,dc=edu" -s base -x "objectclass=*" > OID-people-branch.ldif-09-10

For the issue : krbprincipalname value empty

It is not yet clear if you have done the suggested change in the mapping file (changing the objectclass from person to nuperson for the uid attribute) and tested the behaviour.

If you have seen the same problem after the above modification, then please provide the latest profile trace and the mapping file along with the output of the following ldapsearch (assuming that the uid being tested is jlh482):

ldapsearch -h ldap5.itcs.northwestern.edu -p <port> -D "cn=dirman" -w "xxxxx" -b "uid=jlh482,ou=people,dc=northwestern,dc=edu" -s base "objectclass=*"

2) For the LDAP-65 error, give the output of the following ldapsearches (assuming the uid for this test is mji240)

From Sun One >
ldapsearch -h ldap5.itcs.northwestern.edu -p <port> -D "cn=dirman" -w "xxxxx" -b "uid=mji240,ou=people,dc=northwestern,dc=edu" -s base "objectclass=*"

From OID >
ldapsearch -h oiddev1.itcs.northwestern.edu -p <port> -D "cn=orcladmin" -w "xxxx" -b "cn=mji240,ou=people,dc=northwestern,dc=edu" -s base "objectclass=*"
(replace the -b value according to the DN stored in OID)

1. If you have never used plug-in debug before, issue this command to set up the table:
sqlplus ods/@oid_db
SQL> @$ORACLE_HOME/ldap/admin/oidspdsu.pls

2. If you have used plug-in debug before, delete the log:

sqlplus ods/@
truncate table ods.plg_debug_log
exit

3. Enable the plug-in debugging:

SQL> @$ORACLE_HOME/ldap/admin/oidspdon.pls

4. Reproduce the issue


5. Upload the plug-in debugging log:

SQL> spool plgdebug.txt;


SQL> select * from ods.plg_debug_log order by id;
SQL> spool off;

6. Disable the plug-in debugging:

SQL> @$ORACLE_HOME/ldap/admin/oidspdof.pls
