I
Migrating User Data from Application-Specific Repositories

This chapter contains these topics:

• About Migrating from Application-Specific Repositories

• Tasks For Migrating Data from Application-Specific Repositories

• The OID Migration Tool

About Migrating from Application-Specific Repositories

Migrating user data from an application-specific repository requires:

• Collecting the user data from the application-specific repository and formatting it in a way that the directory can read it

• Making that data available to the directory administrator who must then:
  • Specify where to place it in the directory

  • Import it into the directory

To enable this migration to happen, the Oracle Provisioning Integration Service relies on the application-specific repository exporting its data to an intermediate template file. This is not a pure LDIF file. Rather, records in this template file are in LDIF, but with substitution variables that the application itself leaves undefined--for you, the directory administrator, to define later in the process. These variables have to do with, for example, the location in the directory where the information is finally to reside.

To convert the user data from this intermediate template file into proper LDIF, you use the OID Migration Tool. Once the data is converted to LDIF, you can load it into the directory.

To summarize: Migrating data from application-specific repositories involves these general steps:

1. (LDIF) template file

2. You, the directory administrator, using the OID Migration Tool to read these partial LDIF entries and convert them to actual LDIF entries based on the deployment choices

3. You, the directory administrator, loading the data, now in LDIF, into Oracle Internet Directory.

4. The application completing the migration process according to its own specifications.

Tasks For Migrating Data from Application-Specific Repositories

You can run the OID Migration Tool in one of two modes:

• Simple mode, in which you specify all values of the substitution variables

• Look-up mode, in which the OID Migration Tool determines values for certain substitution variables by searching the directory

To migrate data from application-specific repositories, you create an intermediate template file, then run the OID Migration Tool.

Task 1: Create an Intermediate Template File

Applications generating data in national languages must store that data in AL32UTF8 in the intermediate template file as specified in the IETF RFC 2849, "The LDAP Data Interchange Format (LDIF) - Technical Specification" available at http://www.ietf.org/rfc/rfc2849.txt.

When generating the intermediate template file, migrating applications must list all user records sequentially with a record separator as defined in RFC 2849. The OID User Migration Tool assigns all of these users to the default subscriber, which corresponds to the enterprise itself.

Figure I-1 shows the overall structure of the intermediate template file containing user entries.

Figure I-1 Structure of the Intermediate User File

Text description of the illustration oidag068.gif

The intermediate template file uses the following format to generate a valid user entry. All of the strings in bold text are supplied from the application-specific repository.

dn: cn=UserID, %s_UserContainerDN%
sn: Last_Name
orclGlobalID: GUID_for_User
%s_UserNicknameAttribute%: UserID
objectClass: inetOrgPerson
objectClass: orclUserV2

In this template, the strings %s_UserContainerDN% and %s_UserNicknameAttribute% are substitution variables for which the OID Migration Tool provides values. The OID Migration Tool determines these values according to deployment-specific considerations. Either the application passes the arguments to the OID Migration Tool, or the tool retrieves them from the directory.

Example: User Entries in an Intermediate Template File

The following intermediate template file includes user entries generated by the application-specific migration logic. In this example, all of the data listed in bold text is from the application-specific user repository.

dn: cn=jdoe, %s_UserContainerDN%
sn: Doe
%s_UserNicknameAttribute%: jdoe
objectClass: inetOrgPerson
objectClass: orclUserV2
title: Member of Technical Staff
homePhone: 415-584-5670
homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402

dn: cn=jsmith, %s_UserContainerDN%
sn: Smith
%s_UserNicknameAttribute%: jsmith
objectClass: inetOrgPerson
objectClass: orclUserV2
title: Member of Technical Staff
homePhone: 650-584-5670
homePostalAddress: 232 Gonzalez Drive$ San Francisco$ CA$ 94404

dn: cn=lrider, %s_UserContainerDN%
sn: Rider
%s_UserNicknameAttribute%: lrider
objectClass: inetOrgPerson
objectClass: orclUserV2
title: Senior Member of Technical Staff
homePhone: 650-584-5670

Once all of the user data is converted to the intermediate file format, the OID Migration Tool further converts it into a proper LDIF file that can be loaded into Oracle Internet Directory.

You can find examples of intermediate template files in $SRCHOME/ldap/schema/oid.

Attributes in User Entries

Each user entry has mandatory and optional attributes.

Table I-1 lists and describes the mandatory attributes in a user entry.

Table I-1 Mandatory Attributes in a User Entry

Attribute	Description
dn	Distinguished name of the user entry with appropriate substitution variables. The relative distinguished name of the entry MUST be cn.
sn	Surname--that is, the last name--of the user
objectclass	Object classes the entry should minimally belong to: inetOrgPerson and orclUserV2

The following are optional attributes from the inetOrgPerson object class:

orclGuid userPassword telephoneNumber seeAlso description title x121Address registeredAddress destinationIndicator preferredDeliveryMethod telexNumber teletexTerminalIdentifier internationaliSDNNumber facsimileTelephoneNumber street

postOfficeBox postalCode postalAddress physicalDeliveryOfficeNameou st l audio businessCategory carLicense departmentNumber displayName employeeNumber employeeType givenName homePhone homePostalAddress

initials jpegPhoto labeledURI mail manager mobile pager photo preferredLanguage roomNumber secretary uid userCertificate x500UniqueIdentifier userSMIMECertificate userPKCS12

See Also: IETF Request for Comments 2798: "Definition of the inetOrgPerson LDAP Object Class," available at http://www.ietf.org/rfc/rfc2798.txt?number=2798, for a description of each attribute in this object class

The following are optional attributes from the orclUserV2 object class:

Table I-2 Attributes in the orclUserV2 Object Class

Attribute	Description
OrclPassword	An Oracle-specific password identifier for custom authentication schemes like O3Logon for the database server
OrclHireDate	Specifies the date on which an employee starts working for a company or subscriber
OrclDefaultProfileGroup	Holds the name (DN) of the group to designate a default group for a user such that a default profile can be built for the user based on this attribute value.
OrclPasswordHint	Specifies the question set by a user for administering password on behalf of a user
OrclPasswordHintAnswer	Specifies the answer set for orclPasswordHint
OrclTimeZone	Indicates the geographical time zone of a user based on his office location.Valid values are the three letter time zone values--for example, EST, PST, GMT
OrclIsVisisble	Specifies whether the user entry should be displayed in people search applications
OrclDisplayPersonalInfo	Specifies if the user personal information should be displayed in white pages queries
OrclWorkflowNotificationPref	Specifies the preferred notification mechanism for Oracle Workflow.
OrclMaidenName	Specifies the maiden name of an individual
OrclDateOfBirth	Specifies the date on which an individual was born
orclActiveStartDate	The date on which the user can successfully begin to authenticate to the Oracle9iAS Single Sign-On server. Values are represented in Universal Time format.
orclEnddate	The date after which the user can no longer authenticate to the Oracle9iAS Single Sign-On server. Values are represented in Universal Time format.

Task 2: Run the OID Migration Tool

Once you have set up the intermediate template file, the OID Migration Tool, described in the next section, enables you to bring all pertinent data from the application-specific repository into Oracle Internet Directory. Once you have migrated the data, you can update whatever portion of it is relevant to the application by synchronizing that application with Oracle Internet Directory. You synchronize by using either the Oracle Directory Synchronization Service or the Oracle Provisioning Integration Service.

The OID Migration Tool

Use the OID Migration Tool when you are migrating data from application-specific repositories into Oracle Internet Directory. The OID Migration Tool produces an LDIF file, which is suitable for loading into a directory server by using the standard command-line tools. The input to this tool is a pseudo-LDIF file containing substitution variables. The tool is called ldifmigrator and it exists in ORACLE_HOME/bin.

The syntax of the ldifmigrator tool is as follows:

$ ldifmigrator Input_file=my_users.dat" "Output_file=my_users.ldif" 

[-lookup "Host=directoryName" 
["Port=portnumber"] 
"DN=bindDn" 
["Password=password"] 
["Subscriber=subscribername"]]
{"s_SubVar1=val1" ..."s_SubVarN=valN"  }

Table I-3 describes the command-line parameters used by this tool in further detail:

Table I-3 ldifmigrator Parameters

Parameter	Mandatory/Optional	Description
Input_file	M	The file containing the substitution variables
Output_file	M	The Name of the file to be generated by this tool
-lookup	O	If this flag is specified, then values of certain substitution variables will be obtained from the directory server. Please see the following table for the names of the variables that are The name of the directory server is specified using host parameter. The host is mandatory when -lookup flag is specified.
Host	M (only in lookup mode)	The directory server name. This parameter is mandatory when -lookup flag is specified.
Port	O	The port on which the directory server is listening. If not specified the port 389 will be used
DN	M (only in lookup mode)	Bind DN. This is a mandatory parameter when -lookup flag is specified.
Password	O	Bind password
Subscriber	O	The subscriber whose attributes will be used as substitution variable. If not specified the default subscriber specified in the Root Oracle Context will be used
s_SubsVar1..N	O	Custom substitution variables specified by the user.

The following table describes a set of pre-defined substitution variables. If it is running in the lookup mode, the OID Migration Tool can automatically determine the values of these variables by looking them up Oracle Internet Directory.

Table I-4 Pre-defined Substitution Variables

Variable Name	Meaning	How OID Migration Tool Determines the Value for This Variable
%s_UserContainerDN%	Distinguished name of the entry under which all users are supposed to be added.	This is assigned the value of the attribute: orclCommonUserSearchBase from the entry cn=Common,cn=Products under the subscriber specific Oracle context.
%s_GroupContainerDN%	Distinguished name of the entry under which all public groups are supposed to be added.	This is assigned the value of the attribute: orclCommonGroupSearchBase from the entry cn=Common,cn=Products under the subscriber specific Oracle context.
%s_UserNicknameAttribute%	The nickname attribute to be used for user entries in the subscriber.	This is assigned the value of the attribute: orclCommonNicknameAttribute from the entry cn=Common,cn=Products under the subscriber specific Oracle context.
%s_SubscriberDN%	Distinguished name of the LDAP entry corresponding to the subscriber.	If a simple subscriber name is given, the migration tool will resolve it to a DN using the attribute: orclSubscriberSearchBase and the orclSubscriberNickNameAttr from the entry cn=Common,cn=Products under the root Oracle context.
%s_SubscriberOracleContextDN%	Distinguished name of the subscriber specific Oracle Context.	First the subscriber DN is computed as described above and then the string cn=OracleContext is pre-pended to it.
%s_RootOracleContextDN%	Distinguished name of the Root Oracle Context.	This is currently hard-coded to "cn=OracleContext".
%s_CurrentUserDN%	Distinguished name of the User who is loading the LDIF file. This is sometimes required to bootstrap the creation of groups which require at least one member in them.	The migration tool expects this DN to be specified on the command line as part of the authentication information.

The OID Migration Tool obtains the values of the pre-defined substitution variables only in the lookup mode. Users can override the value of any of the above variables in the `lookup' mode by specifying the variable and a different value in the command line. The user can also specify substitution variables other than the ones listed in the table below and their values in the command line.

Examples: Using the OID Migration Tool

Consider the input file sample.dat whose contents are as follows:

dn: cn=jdoe, %s_UserContainerDN%
sn: Doe
%s_UserNicknameAttribute%: jdoe
objectClass: inetOrgPerson
objectClass: orclUserV2
title: Member of Technical Staff
homePhone: 415-584-5670
homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402
ou: %s_UserOrganization%

The following sections describe how the OID Migration Tool can be used to transform the above template into a valid LDIF ready to be loaded into Oracle Internet Directory.

Using the Migration Tool in the Lookup Mode

In this example, the Oracle directory server is present in the environment, and the deployment wants the migration tool to lookup the directory server to figure out certain substitution variables. It will issue the following command:

$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" -lookup 
"host=ldap.acme.com" "subscriber=acme" "s_UserOrganization=Development"

On executing the above command, the directory server running on ldap.acme.com will be contacted and the following values of the substitution variables for the subscriber "acme" will be obtained:

Variable Name	Value Obtained from ldap.acme.com
% s_UserContainerDN%	cn=Users,o=acme,dc=com
%s_UserNicknameAttribute%	uid

In addition to the above variables, the OID Migration Tool will also honor the command-line variable called s_UserOrganization and substitute all occurrences of it with the value `Development'. In this case the output of the tool stored in sample.ldif will be as follows (the substituted values are shown in italics):

dn: cn=jdoe,cn=Users,o=Acme,dc=com
sn: Doe
uid: jdoe
objectClass: inetOrgPerson
objectClass: orclUserV2
title: Member of Technical Staff
homePhone: 415-584-5670
homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402
ou: Development

Using the OID Migration Tool Without the Lookup Option

The same output as shown in the previous example could have been obtained by specifying all of the values in the command line (without using the -lookup option). The following command line example describes how one would use the Migration tool without the lookup mode:

$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif"  "s_
UserContainerDN=cn=Users,o=Acme,dc=com" "s_UserNicknameAttribute=uid" "s_
UserOrganization=Development"

Overriding Substitution Values Obtained from the Lookup Mode

In some cases, a deployment would like to use the OID Migration Tool in the lookup mode but would also like to override the values of one or more of the pre-defined substitution variables. This can be done by specifying the override value in the command line. The following command line shows how one can set the UserNickNameAttribute to `cn' overriding the default of `uid':

$ldifmigrator "input_file=sample.dat" "output_file=sample.ldif" -lookup 
"host=ldap.acme.com" "subscriber=acme" "s_UserOrganization=Development" 

"s_UserNicknameAttribute=cn"

On executing the above command, the directory server running on ldap.acme.com will be contacted and the following values of the substitution variables for the subscriber "acme" will be obtained:

Variable Name	Value Obtained from ldap.acme.com
% s_UserContainerDN%	cn=Users,o=acme,dc=com
%s_UserNicknameAttribute%	uid (this is over-ridden by command line specification)

Since s_UserNicknameAttribute is specified on the command line, the OID Migration Tool will ignore the value obtained from the directory and use the value specified in the command line. In addition to the above variables, the migration tool will also honor the command-line variable called s_UserOrganization and substitute all occurrences of it with the value `Development'. In this case the output of the tool stored in sample.ldif will be as follows (the substituted values are shown in italics):

dn: cn=jdoe,cn=Users,o=Acme,dc=com
sn: Doe
cn: jdoe
objectClass: inetOrgPerson
objectClass: orclUserV2
title: Member of Technical Staff
homePhone: 415-584-5670
homePostalAddress: 234 Lez Drive$ Redwood City$ CA$ 94402
ou: Development

OID Migration Tool Error Messages

The OID Migration Tool can display these error messages:

Message	Reason	Remedial Action
Environment variable ORACLE_HOME not defined	ORACLE_HOME is not defined.	Set the environment variable ORACLE_HOME
Error while parsing the input parameters. Please verify	Not all the required parameters are provided. The required parameters are Input_File, Output_File and at least one substitution variable	Specify the input parameters properly. Use the -help option to print the usage.
Input_File parameter not specified. Please specify	Input_File parameter is a mandatory parameter.	Specify the input parameters properly. Use the -help option to print the usage.
Output_File parameter not specified. Please specify	Output_File parameter is a mandatory parameter.	Specify the input parameters properly. Use the -help option to print the usage.
The specified input file does not exist	The specified file location is invalid.	Check the input file path
Check the input file. Zero byte input file	The input file does not contain any entries.	Provide a valid file with pseudo LDIF entries
Cannot create the output file. Output file already exists	The output file already exists	Check the Output_File flag
Access denied, cannot read from the input file	The specified input file does not have read permission	Check the read permission of the input file.
Access denied, cannot create the output file	You do not have permission to create the output file.	Check the permission of the directory under which the output file needs to be created.
Directory server name not specified. When -lookup option is used the host parameter should be specified	When the -lookup option is specified, the host parameter is mandatory.	Specify the host parameter.
Bind Dn parameter name not specified. When -lookup option is used the dn parameter should be specified	When the -lookup option is specified, the DN parameter is mandatory.	Specify the DN parameter.
The port number specified is invalid	The port number should be a numeric value.	Check the port number parameter
Unable to establish connection to directory. Please verify the input parameters: host, port, dn & password	The directory server may not be running on the specified host and port, or credentials may be invalid.	Check the host, port, DN and password parameters. Check $ORACLE_HOME/ldap/install/LDIFMig_YYYY_MM_DD_HH_SS.log file.
Naming Exception occurred while retrieving the subscriber information from the directory. Please verify the input parameters	The specified subscriber does not exist in the directory	Check the subscriber parameter
Not all the substitution variables are defined in the directory server specified	If the subscriber entry does not contain the required attributes, then this error occurs.	Check the subscriber entry in the directory
Error occurred while migrating LDIF data to OID	This might occur if something goes wrong in the middle of a process--for example, a failure of the directory server or disk.	Report the error message to the administrator

When an error condition occurs, the log messages are logged to this file:
ORACLE_HOME/ldap/install/LDIFMig_YYYY_MM_DD_HH_SS.log.