3
Preliminary Tasks and Information

Before configuring and using Oracle Internet Directory, you must perform the tasks described in this chapter. This chapter also lists the locations of the log files of the various Oracle Internet Directory components.

This section contains these topics:

• Task 1: Start the OID Monitor
• Task 2: Start a Server Instance
• Task 3: Reset the Default Security Configuration
• Task 4: Reset the Default Password for the Database
• Task 5: Run the OID Database Statistics Collection Tool
• Log File Locations

Task 1: Start the OID Monitor

The OID Monitor must be running to process commands to start and stop the server.

This section contains these topics:

• Starting the OID Monitor
• Stopping the OID Monitor

Starting the OID Monitor

To start the OID Monitor:

1. Set the following environment variables:
   • ORACLE_HOME
   • ORACLE_SID or a proper TNS CONNECT string
   • NLS_LANG (APPROPRIATE_LANGUAGE.AL32UTF8). The default language set at installation is AMERICAN_AMERICA.
2. At the system prompt, type:

   oidmon [connect=net_service_name] [sleep=seconds] start
   
   

   Argument	Description
   connect=net_service_name	Specifies the net service name of the database to which you want to connect. This is the network service name set in the tnsnames.ora file. This argument is optional.
   sleep=seconds	Specifies number of seconds after which the OID Monitor should check for new requests from OID Control and for requests to restart any servers that may have stopped. The default sleep time is 10 seconds. This argument is optional.
   start	Starts the OID Monitor process

   For example:

   oidmon connect=dbs1 sleep=15 start
   
   

Stopping the OID Monitor

To stop the OID Monitor daemon, at the system prompt, type:

oidmon [connect=net_service_name] stop

Argument	Description
connect=net_service_name	Specifies net service name of the database to which you want to connect. This is the net service name set in the tnsnames.ora file.
stop	Stops the OID Monitor process

For example:

oidmon connect=dbsl stop

Task 2: Start a Server Instance

Once the OID Monitor is running, start a server instance by using the OID Control Utility.

This section contains these topics:

• Starting an Oracle Directory Server Instance
• Stopping an Oracle Directory Server Instance
• Starting an Oracle Directory Replication Server Instance
• Stopping an Oracle Directory Replication Server Instance
• Restarting Directory Server Instances
• Troubleshooting Directory Server Instance Startup

Starting an Oracle Directory Server Instance

The syntax for starting an Oracle directory server instance is:

oidctl connect=net_service_name server=oidldapd instance=server_instance_number 
[configset=configset_number] [flags=' -p port_number -work maximum_number_of_
worker_threads_per_server -debug debug_level -l change_logging' -server number_
of_server_processes] start

Argument	Description
connect=net_service_name	If you already have a tnsnames.ora file configured, this is the net service name specified in that file, located in ORACLE_HOME/network/admin
server=oidldapd	Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive.
instance=server_instance_number	Instance number of the server to start. Should be a number between 1 and 1000.
configset=configset_number	Configset number used to start the server. This defaults to configset0 if not set. This should be a number between 0 and 1000.
-p port_number	Specifies a port number during server instance startup. The default port number is 389.
-work maximum_number_of_worker_threads_per_server	Specifies the maximum number of worker threads for this server
-debug debug_level	Specifies a debug level during Oracle directory server instance startup
-l change_logging	Turns replication change logging on and off. To turn it off, enter -l false. To turn it on, do any one of the following: omit the -l flag enter simply -l enter -l true Turning off change logging for a given node by specifying -l false has two drawbacks: it prevents replication of updates on that node to other nodes in the DRG, and it prevents application provisioning and synchronization of connected directories, because those two services require an active change log. The default, TRUE, permits replication, provisioning, and synchronization.
-server number_of_server_processes	Specifies the number of server processes to start on this port
start	Starts the server specified in the server argument.

For example, to start a directory server instance whose net service name is dbs1, using configset5,at port 12000, with a debug level of 1024, an instance number 3, and in which change logging is turned off, type at the system prompt:

oidctl connect=dbs1 server=oidldapd instance=3 configset=5 flags='-p 12000

 -debug 1024 -l ' start

When starting and stopping an Oracle directory server instance, the server name and instance number are mandatory, as are the commands start or stop. All other arguments are optional.

All keyword value pairs within the flags arguments must be separated by a single space.

Single quotes are mandatory around the flags.

The configset identifier defaults to zero (configset0) if not set.

Stopping an Oracle Directory Server Instance

OID Monitor must be running whenever you start or stop directory server instances.

At the system prompt, type:

oidctl connect=net_service_name server=OIDLDAPD instance=server_instance_number 
stop

For example:

oidctl connect=dbs1 server=oidldapd instance=3 stop

Starting an Oracle Directory Replication Server Instance

The syntax for starting the Oracle directory replication server is:

oidctl connect=net_service_name server=oidrepld instance=server_instance_number 
[configset=configset_number] flags=' -p directory_server_port_number -d debug_
level -h directory_server_host_name -m [true | false]-z transaction_size ' start

Argument	Description
connect=net_service_name	If you already have a tnsnames.ora file configured, then this is the name specified in that file, which is located in ORACLE_HOME/network/admin
server=oidrepld	Type of server to start (valid values are OIDLDAPD and OIDREPLD). This is not case-sensitive.
instance=server_instance_number	Instance number of the server to start. Should be a number between 1 and 1000.
configset=configset_number	Configset number used to start the server. The default is configset0. This should be a number between 0 and 1000.
-p directory_server_port_number	Port number that the replication server uses to connect to the directory on TCP port directory_server_port_number. If you do not specify this option, the tool connects to the default port (389).
-d debug_level	Specifies a debug level during replication server instance startup
-h directory_server_host_name	Specifies the directory_server_host_name to which the replication server connects, rather than to the default host, that is, your local computer. Directory_server_host_name can be a computer name or an IP address. (Replication server only)
-m [true|false]	Turns conflict resolution on and off. Valid values are true and false. The default is true. (Replication server only)
-z transaction_size	Specifies the number of changes applied in each replication update cycle. If you do not specify this, the number is determined by the Oracle directory server sizelimit parameter, which has a default setting of 1024. You can configure this latter setting.
start	Starts the server specified in the server argument.

For example, to start the replication server with an instance=1, at port 12000, with debugging set to 1024, type at the system prompt:

oidctl connect=dbs1 server=oidrepld instance=1 flags='-p 12000 -h eastsun11 -d 
1024' start

When starting and stopping an Oracle directory replication server, the -h flag, which specifies the host name, is mandatory. All other flags are optional.

All keyword value pairs within the flags arguments must be separated by a single space.

Single quotes are mandatory around the flags.

The configset identifier defaults to zero (configset0) if not set.

Stopping an Oracle Directory Replication Server Instance

OID Monitor must be running whenever you start or stop directory server instances.

At the system prompt, type:

oidctl connect=net_service_name server=OIDREPLD instance=server_instance_number 
stop

For example:

oidctl connect=dbs1 server=oidrepld instance=1 stop

Restarting Directory Server Instances

If you use OID Monitor and the OID Control utility, then you can both stop and restart the directory server in one command, namely, restart. This is useful when you want to refresh the server cache immediately, rather than at the next scheduled time. When the directory server restarts, it maintains the same parameters it had before it stopped. You cannot override these original parameters by entering new ones in the restart command.

To restart a directory server instance, at the system prompt, type:

oidctl connect=net_service_name server={oidldapd|oidrepld} instance=server_
instance_number  restart

OID Monitor must be running whenever you start, stop, or restart directory server instances.

If you try to contact a server that is down, you receive from the SDK the error message 81--LDAP_SERVER_DOWN.

If you change a configuration set entry that is referenced by an active server instance, you must stop that instance and restart it to effect the changed value in the configuration set entry on that server instance. You can either issue the STOP command followed by the START command, or you can use the RESTART command. RESTART both stops and restarts the server instance.

For example, suppose that Oracle directory server instance1 is started, using configset3, and with the net service name dbs1. Further, suppose that, while instance1 is running, you change one of the attributes in configset3. To enable the change in configset3 to take effect on instance1, you enter the following command:

oidctl connect=dbs1 server=oidldapd instance=1 restart

If there are more than one instance of the Oracle directory server running on that node using configset3, then you can restart all the instances at once by using the following command syntax:

oidctl connect=dbs1 server=oidldapd restart

Note that this command restarts all the instances running on the node, whether they are using configset3 or not.

Troubleshooting Directory Server Instance Startup

If the directory server fails to start, you can override all user-specified configuration parameters to start the directory server and then return the configuration sets to a workable state by using the hard coded default parameters. Use this option only if the LDAP server fails to come up with default configset(configset=0).

To start the directory server by using its hard-coded default parameters instead of the configuration parameters stored in the directory, type at the system prompt:

oidctl connect=net_service_name server=oidldapd instance=1 flags='-p port_number 
-f'

The -f option in the flags starts the server with hard-coded configuration values, overriding any defined configuration sets except for the values in configset0.

To see debug log files generated by the OID Control Utility, navigate to $ORACLE_HOME/ldap/log.

Task 3: Reset the Default Security Configuration

Oracle Internet Directory is installed with a default security configuration described later in this section. At the very beginning, you need to modify this default configuration to the needs of your environment, ensuring that each user receives the appropriate authorization.

Oracle Corporation specifically recommends that you control access to the subentry subSchemaSubEntry and its children because these objects contain information about the directory.

Moreover, when you load directory entries, you are creating a hierarchy of directory entries. You must therefore establish:

• Permissions to load entries into this hierarchy
• Directory access for clients that need read, modify, and write access to the directory entries

Default Access Policies

When you first install Oracle Internet Directory, the default configuration establishes the following policies at various points in the directory information tree.

Default Access Policy At the Root DSE

• Everyone has browse entry permissions
• The user security administration group and the user (self) have complete access to their own userpkcs12, orcluserpkcs12hint, userpassword orclpassword, and orclpasswordverifier attributes but not to those of others
• The user (self) has complete access to the user's own orclpassword, and orclpasswordverifier attribute but not to those of others
• Everyone has search, read, and compare access for all attributes except the userpkcs12, orcluserpkcs12hint, userpassword, orclpassword, and orclpasswordverifier attributes

Default Access Policy At the Users Container in the Default Subscriber Naming Context

The users container is cn=users,o=oracle,dc=com.

• The Subscriber DAS Create User Group is cn=oracledascreateuser,cn=groups,cn=oraclecontext,
distinguished_name_of_subscriber. Members of this group have permission to browse and add entries of the object class orcluser.
• The Subscriber DAS Delete User Group is cn=oracledasdeleteuser,cn=groups,cn=oraclecontext,
distinguished_name_of_subscriber. Members of this group have permission to browse and delete entries of the object class orcluser.
• The Subscriber DAS Edit User Group is cn=oracledasedituser,cn=groups,cn=oraclecontext,
distinguished_name_of_subscriber. Members of this group have permission to browse entries of object class orcluser.
• The Subscriber DAS Edit User Group has complete access to all attributes, including userpassword, in entries of the object class orcluser. The user (self) has complete access to the user's own attributes. Other users have only read permission on the attributes.
• The Authentication Services Group is cn=authenticationServices,cn=groups,cn=oraclecontext,
distinguished_name_of_subscriber. Members of this group have compare permission on userpassword, while other users have no permissions.
• The Verifier Services Group has read, search, and compare permission on authpassword and orclpasswordverifier. The user (self) has complete access to the user's own verifier attributes, while others have no access to them.

Default Access Policy At the Groups Container in the Default Subscriber Naming Context

The groups container is cn=groups,distinguished_name_of_subscriber,cn=OracleContext.

• The Subscriber DAS Create User Group has permission to browse and add entries of object class orclgroup.
• A hidden group entry of object class orclgroup can be added, deleted, or browsed only by the owner of that entry. Others have no permissions. Only the owner has permissions to read, search, write, and compare attributes of such an entry.
• The owner of a public group entry of object class orclgroup can browse, add, and delete that entry. That entry can also be browsed by these groups:
  • DAS Create User Group
  • DAS Edit User Group
  • DAS Delete User Group

  Only the owner and the DAS Edit User Group have permission to read, search, write, and compare the attributes of such an entry.

Default Access Policy for the Oracle Context Administrators

The Oracle Context Administrators container is cn=OracleContextAdmins,cn=groups,cn=OracleContext,
distinguished_name_of_subscriber.

Members of the Oracle Context Administrators Group have complete administrative privileges over a specific Oracle Context. The have complete access to the Oracle Context in which the group exists.

Default Access Policy for Oracle9i Application Server Administrators

The Oracle9i Application Server Administrators container is cn=IASAdmins,cn=groups,cn=OracleContext,distinguished_name_of_subscriber.

Members of the Oracle9i Application Server Administrators Group have complete administrative privileges over the Oracle9i Application Server product node in a given Oracle Context. In addition, they have permission to:

• Create application entity objects under individual products
• Proxy to these application entities

  See Also: Chapter 2, "Concepts and Architecture" for an introduction to security features of Oracle Internet Directory, and to the default DIT for Oracle components using Oracle Internet Directory Chapter 4, "Directory Administration Tools" for information about the administration tools you use to configure security Chapter 12, "Directory Access Control" for a detailed explanation of access control options and instructions for setting up security Chapter 14, "Oracle Components and Oracle Internet Directory" for a detailed explanation of the Oracle Context schema Appendix C, "Schema Elements" for syntax and usage notes for the command-line tools

Task 4: Reset the Default Password for the Database

Oracle Internet Directory uses a password when connecting to an Oracle database. The default for this password when you install Oracle Internet Directory is ODS. You can change this password by using the OID Database Password Utility.

Task 5: Run the OID Database Statistics Collection Tool

If you load data into the directory by any means other than the bulkload tool (bulkload.sh), then you must run the OID Database Statistics Collection tool after loading. Statistics collection is essential for the Oracle Optimizer to choose an optimal plan in executing the queries corresponding to the LDAP operations. You can run OID Database Statistics Collection tool at any time, without shutting down any of the OID daemons.

Log File Locations

The Oracle Internet Directory components output their log and trace information to log files in the ORACLE_HOME environment. Table 3-1 lists each component and the location of its corresponding log file.

Table 3-1  Log File Locations

Component	Log File Name
Bulk Loader (bulkload.sh)	$ORACLE_HOME/ldap/log/install.log
Catalog Management Tool (catalog.sh)	$ORACLE_HOME/ldap/log/catalog.log
Directory integration agent	$ORACLE_HOME/ldap/odi/log/AgentName.err where AgentName is the name of the agent
Directory integration server (odisrv)	$ORACLE_HOME/ldap/log/odisrvXX.log where XX is Oracle directory integration server instance number
Directory replication server (oidrepld)	$ORACLE_HOME/ldap/log/oidrepld00.log
Directory server (oidldapd)	$ORACLE_HOME/ldap/log/oidldapdXXspid.log where pid is the server process identifier
LDAP dispatcher (oidldapd)	$ORACLE_HOME/ldap/log/oidldapdXX.log where XX is the server instance number
OID Monitor (oidmon)	$ORACLE_HOME/ldap/log/oidmon.log
Replication setup (ldaprepl.sh)	$ORACLE_HOME/ldap/admin/logs/ldaprepl.log