Oracle Internet Directory Administrator's Guide Release 9.0.2 Part Number A95192-01
Before configuring and using Oracle Internet Directory, you must perform the tasks described in this chapter. This chapter also lists the locations of the log files of the various Oracle Internet Directory components.
The OID Monitor must be running to process commands to start and stop the server.
To start the OID Monitor, type at the system prompt:
oidmon [connect=net_service_name] [sleep=seconds] start
For example:
oidmon connect=dbs1 sleep=15 start
To stop the OID Monitor daemon, at the system prompt, type:
oidmon [connect=net_service_name] stop
For example:
oidmon connect=dbs1 stop
Once the OID Monitor is running, start a server instance by using the OID Control Utility.
The syntax for starting an Oracle directory server instance is:
oidctl connect=net_service_name server=oidldapd instance=server_instance_number [configset=configset_number] [flags='-p port_number -work maximum_number_of_worker_threads_per_server -debug debug_level -l change_logging -server number_of_server_processes'] start
For example, to start a directory server instance whose net service name is dbs1, using configset 5, at port 12000, with a debug level of 1024, an instance number of 3, and with change logging turned off, type at the system prompt:
oidctl connect=dbs1 server=oidldapd instance=3 configset=5 flags='-p 12000 -debug 1024 -l' start
When starting and stopping an Oracle directory server instance, the server name and instance number are mandatory, as are the commands start or stop. All other arguments are optional.
All keyword value pairs within the flags argument must be separated by a single space.
Single quotes are mandatory around the flags.
The configset identifier defaults to zero (configset0) if not set.
OID Monitor must be running whenever you start or stop directory server instances.
At the system prompt, type:
oidctl connect=net_service_name server=OIDLDAPD instance=server_instance_number stop
For example:
oidctl connect=dbs1 server=oidldapd instance=3 stop
The syntax for starting the Oracle directory replication server is:
oidctl connect=net_service_name server=oidrepld instance=server_instance_number [configset=configset_number] flags='-p directory_server_port_number -d debug_level -h directory_server_host_name -m [true | false] -z transaction_size' start
For example, to start the replication server with instance number 1, at port 12000, with debugging set to 1024, type at the system prompt:
oidctl connect=dbs1 server=oidrepld instance=1 flags='-p 12000 -h eastsun11 -d 1024' start
When starting and stopping an Oracle directory replication server, the -h flag, which specifies the host name, is mandatory. All other flags are optional.
All keyword value pairs within the flags arguments must be separated by a single space.
Single quotes are mandatory around the flags.
The configset identifier defaults to zero (configset0) if not set.
OID Monitor must be running whenever you start or stop directory server instances.
At the system prompt, type:
oidctl connect=net_service_name server=OIDREPLD instance=server_instance_number stop
For example:
oidctl connect=dbs1 server=oidrepld instance=1 stop
If you use OID Monitor and the OID Control utility, then you can both stop and restart the directory server in one command, namely, restart. This is useful when you want to refresh the server cache immediately, rather than at the next scheduled time. When the directory server restarts, it maintains the same parameters it had before it stopped. You cannot override these original parameters by entering new ones in the restart command.
To restart a directory server instance, at the system prompt, type:
oidctl connect=net_service_name server={oidldapd|oidrepld} instance=server_instance_number restart
OID Monitor must be running whenever you start, stop, or restart directory server instances.
If you try to contact a server that is down, you receive from the SDK the error message 81--LDAP_SERVER_DOWN.
If you change a configuration set entry that is referenced by an active server instance, you must stop that instance and restart it to effect the changed value in the configuration set entry on that server instance. You can either issue the STOP command followed by the START command, or you can use the RESTART command. RESTART both stops and restarts the server instance.
For example, suppose that Oracle directory server instance1 is started, using configset3, and with the net service name dbs1. Further, suppose that, while instance1 is running, you change one of the attributes in configset3. To enable the change in configset3 to take effect on instance1, you enter the following command:
oidctl connect=dbs1 server=oidldapd instance=1 restart
If more than one instance of the Oracle directory server is running on that node using configset3, then you can restart all of them at once by using the following command syntax:
oidctl connect=dbs1 server=oidldapd restart
Note that this command restarts all the instances running on the node, whether they are using configset3 or not.
If the directory server fails to start, you can override all user-specified configuration parameters to start the directory server and then return the configuration sets to a workable state by using the hard-coded default parameters. Use this option only if the LDAP server fails to come up with the default configset (configset=0).
To start the directory server by using its hard-coded default parameters instead of the configuration parameters stored in the directory, type at the system prompt:
oidctl connect=net_service_name server=oidldapd instance=1 flags='-p port_number -f'
The -f option in the flags starts the server with hard-coded configuration values, overriding any defined configuration sets except for the values in configset0.
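The start, stop and restart rules given above can be checked before a command ever reaches OID Monitor. The following shell wrapper is an added example, not part of the Oracle guide: it builds the oidctl command line from its parts, rejects calls that break the stated rules (missing instance number, unquoted flags, missing -h for oidrepld), and only executes when an oidmon process is present.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: build an oidctl command line that
# satisfies the rules this chapter states, so a malformed call is rejected
# before OID Monitor ever sees it.
#   oidctl_cmd NET_SERVICE SERVER INSTANCE ACTION CONFIGSET FLAGS
# Pass "" for INSTANCE (restart only), CONFIGSET or FLAGS when not wanted.
oidctl_cmd() {
    svc=$1 server=$2 inst=$3 action=$4 cset=$5 flags=$6
    server=$(printf '%s' "$server" | tr 'A-Z' 'a-z')   # guide uses OIDLDAPD and oidldapd
    case $server in
        oidldapd|oidrepld) ;;
        *) echo "server must be oidldapd or oidrepld" >&2; return 1 ;;
    esac
    case $action in
        start|stop|restart) ;;
        *) echo "command must be start, stop or restart" >&2; return 1 ;;
    esac
    # The instance number is mandatory for start and stop; a restart without
    # one restarts every instance of that server on the node.
    case $inst in
        ''|*[!0-9]*)
            if [ "$action" != restart ] || [ -n "$inst" ]; then
                echo "a numeric instance number is mandatory for $action" >&2; return 1
            fi ;;
    esac
    cmd="oidctl connect=$svc server=$server"
    [ -n "$inst" ] && cmd="$cmd instance=$inst"
    if [ "$action" = start ]; then
        # configset defaults to 0 on the server side when omitted
        [ -n "$cset" ] && cmd="$cmd configset=$cset"
        if [ -n "$flags" ]; then
            # keyword/value pairs must be separated by exactly one space
            flags=$(printf '%s' "$flags" | sed 's/[[:blank:]]\{1,\}/ /g; s/^ //; s/ $//')
            case $server:" $flags " in
                oidrepld:*" -h "*|oidldapd:*) ;;
                *) echo "-h host_name is mandatory for oidrepld" >&2; return 1 ;;
            esac
            cmd="$cmd flags='$flags'"   # single quotes around the flags are mandatory
        elif [ "$server" = oidrepld ]; then
            echo "-h host_name is mandatory for oidrepld" >&2; return 1
        fi
    fi
    printf '%s\n' "$cmd $action"
}

# Run the command only when OID Monitor is up, as the guide requires.
oidctl_run() {
    ps -eo comm= 2>/dev/null | grep -qx oidmon ||
        { echo "OID Monitor (oidmon) is not running" >&2; return 1; }
    cmd=$(oidctl_cmd "$@") || return 1
    sh -c "$cmd"
}
```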
To see debug log files generated by the OID Control Utility, navigate to $ORACLE_HOME/ldap/log.
Oracle Internet Directory is installed with a default security configuration described later in this section. Before you begin, modify this default configuration to suit your environment, ensuring that each user receives the appropriate authorization.
Oracle Corporation specifically recommends that you control access to the subentry subSchemaSubEntry and its children because these objects contain information about the directory.
Moreover, when you load directory entries, you are creating a hierarchy of directory entries. You must therefore establish:
When you first install Oracle Internet Directory, the default configuration allows the following policies at various points in the directory information tree.
userpkcs12, orcluserpkcs12hint, userpassword, orclpassword, and orclpasswordverifier attributes but not to those of others
orclpassword, and orclpasswordverifier attribute but not to those of others
userpkcs12, orcluserpkcs12hint, userpassword, orclpassword, and orclpasswordverifier attributes
The users container is cn=users,o=oracle,dc=com.
cn=oracledascreateuser,cn=groups,cn=oraclecontext,distinguished_name_of_subscriber has permission to browse and add entries of the object class orcluser.
cn=oracledasdeleteuser,cn=groups,cn=oraclecontext,distinguished_name_of_subscriber has permission to browse and delete entries of the object class orcluser.
cn=oracledasedituser,cn=groups,cn=oraclecontext,distinguished_name_of_subscriber has permission to browse entries of object class orcluser.
userpassword, in entries of the object class orcluser. The user (self) has complete access to the user's own attributes. Other users have only read permission on the attributes.
cn=authenticationServices,cn=groups,cn=oraclecontext,distinguished_name_of_subscriber has compare permission on userpassword, while other users have no permissions.
authpassword and orclpasswordverifier. The user (self) has complete access to the user's own verifier attributes, while others have no access to them.
The groups container is cn=groups,distinguished_name_of_subscriber,cn=OracleContext.
orclgroup.
orclgroup can be added, deleted, or browsed only by the owner of that entry. Others have no permissions. Only the owner has permissions to read, search, write, and compare attributes of such an entry.
orclgroup can browse, add, and delete that entry. That entry can also be browsed by these groups:
Only the owner and the DAS Edit User Group have permission to read, search, write, and compare the attributes of such an entry.
The Oracle Context Administrators container is cn=OracleContextAdmins,cn=groups,cn=OracleContext,distinguished_name_of_subscriber. Members of the Oracle Context Administrators Group have complete administrative privileges over a specific Oracle Context. They have complete access to the Oracle Context in which the group exists.
The Oracle9i Application Server Administrators container is cn=IASAdmins,cn=groups,cn=OracleContext,distinguished_name_of_subscriber. Members of the Oracle9i Application Server Administrators Group have complete administrative privileges over the Oracle9i Application Server product node in a given Oracle Context. In addition, they have permission to:
Oracle Internet Directory uses a password when connecting to an Oracle database. The default for this password when you install Oracle Internet Directory is ODS. You can change this password by using the OID Database Password Utility.
See Also: "OID Database Password Utility Syntax" for syntax and usage notes
If you load data into the directory by any means other than the bulkload tool (bulkload.sh), then you must run the OID Database Statistics Collection tool after loading. Statistics collection is essential for the Oracle Optimizer to choose an optimal plan when executing the queries that correspond to the LDAP operations. You can run the OID Database Statistics Collection tool at any time, without shutting down any of the OID daemons.
Note: To run this tool on the Windows operating system, you need one of the following UNIX emulation utilities:
The Oracle Internet Directory components output their log and trace information to log files in the ORACLE_HOME environment. Table 3-1 lists each component and the location of its corresponding log file.
Copyright © 1999, 2002 Oracle Corporation. All Rights Reserved.