Many years in IT infrastructure, and I have found that I am actually better suited to being a teacher... I like keeping up with new things, and not only in the IT field.
Category: Oracle
2008-03-14 17:19:00
1. Starting and stopping the Directory servers
1.1 To start / stop the Guardian
A) To start the Guardian:
B) To stop the Guardian:
1.2 To start / stop the LDAP Server
A) To start the LDAP Server:
B) To start the LDAP Server with additional flags:
C) To stop the LDAP Server:
D) To stop and restart all the running LDAP servers:
2. Initial Loading to populate the Directory
2.1 Bulk-loader in check mode (failure cases)
2.2 Bulk-loader in check and generate mode
2.3 Bulk-loader in check, generate and load mode
3. Using the command-line tools
3.1 Adding entries to the Directory - "ldapadd"
A) Adding an entry by using an LDIF File
B) Adding an entry by not using an LDIF File
C) Adding a first level entry by using an LDIF File
D) Add a non-first level entry without a parent (should fail)
3.2 Searching entries in the Directory - "ldapsearch"
A) Base object search
B) One-level Search
C) Sub-tree Search
D) Search using Size Limit
3.3 Modifying entries in the Directory - "ldapmodify"
A) add
B) delete
C) replace
D) single value, multiple value operations
3.4 Deleting entries from the Directory - "ldapdelete"
3.5 Modifying DN / RDN of an entry in the Directory - "ldapmodify" RDN/DN
A) ModifyRDN
B) ModifyDN of a leaf level entry
4. Schema modifications
A) Read the subschema Subentry
B) Define a new attribute
C) Define a new auxiliary object class, that includes the above new attribute
D) Add the new auxiliary class above to an existing entry, add values to the new attributes and display them
E) Check that our new entry is created
F) Define a new structural object class
G) Add an entry with the new structural class
5. Access control examples
A) Changing the default ACCESS policy at DSE ROOT as super user
B) Creating an Admin user under c=us as anonymous user (should fail)
C) Deleting a user as anonymous user (should fail)
D) Modifying an attribute value as anonymous user (should fail)
E) Modifying an attribute value as self user (should fail)
6. Reading the LDAP server configuration set
7. Using the LDIF writer
Note 1. To start the LDAP server we need the guardian (oidmon) running first; the server itself is then started and stopped through the manager, the OID Control Utility (oidctl).
Note 2. The details of various options for the server are given at the end of the examples in this section.
oidmon [connect=connectstring] [sleep=sleeptime] start | stop
where connect is the database connect string (defined in tnsnames.ora) and sleep is the monitoring interval in seconds.
Examples
oidmon connect=nldap sleep=10 start
This command starts the guardian, connecting to the database with connect string nldap and a monitoring interval of 10 seconds. The nldap connect string must be defined in the tnsnames.ora file; if it is not, please consult the instructor.
oidmon connect=nldap stop
This command stops the guardian.
The LDAP server is started using the OID Control Utility (oidctl).
The command-line parameters for the OID Control Utility are:
oidctl [connect=connectstring] server=servername instance=instanceno [configset=configsetno] [flags="flagsvalues"] start | stop
where connect is the database connect string, server the server to control (OIDLDAPD for the LDAP server), instance the instance number, configset the configuration set to use (0 is the default set) and flags additional command-line flags for the server, such as the port to listen on.
A) oidctl connect=nldap server=OIDLDAPD instance=9 start
This command starts the LDAP server (provided the guardian is running), connecting to the database with connect string nldap, with instance number 9 and the port number specified by configset 0.
B) When the flags parameter is used to pass the port, the command starts the LDAP server (provided the guardian is running), connecting to the database with connect string nldap, with instance number 2 at port number 4000 and all other defaults specified by configset 0.
C) oidctl connect=nldap server=OIDLDAPD instance=2 stop
This stops the LDAP server (provided the guardian is running) that runs with instance number 2 and is connected to the database with connect string nldap.
D) oidctl connect=nldap server=OIDLDAPD refresh
This stops and restarts all the running LDAP servers.
Note: At the end of this section, please ensure that the IMC data has been loaded.
Ensure the OID LDAP server has been shut down before running the bulk-loader. After executing each example, check the log files in "$ORACLE_HOME/ldap/log" for details on the detected errors.
To use the bulk-loader in check mode, go to the $ORACLE_HOME/ldap/bin directory and run:
./bulkload.sh -connect connectstring -check ldiffile
where connectstring is the database connect string and ldiffile the LDIF file to check.
Examples:
Note: The examples below assume connect string is "nldap" and the directory where the LDIF input files are located is "$ORACLE_HOME/ldap/demo/samples/training/ldifdata"
./bulkload.sh -connect nldap -check badldif1.dat
will run the bulk-loader in check mode on the badldif1.dat file. Since the file contains schema errors, the bulk-loader displays all the errors on the screen.
Other example files are:
$ORACLE_HOME/ldap/demo/samples/training/ldifdata/badldif2.dat (schema errors)
$ORACLE_HOME/ldap/demo/samples/training/ldifdata/badldif3.dat (contains a duplicate DN)
$ORACLE_HOME/ldap/demo/samples/training/ldifdata/badldif4.dat (duplicate values in multi-valued attributes)
./bulkload.sh -connect connectstring -check -generate ldiffile
Example
./bulkload.sh -connect nldap -check -generate $ORACLE_HOME/ldap/demo/samples/training/ldifdata/initial.dat
The bulk-loader will check the file and generate the intermediate files to be used in load mode, without loading the data into the database.
./bulkload.sh -connect connectstring -check -generate -load ldiffile
Example
./bulkload.sh -connect nldap -check -generate -load $ORACLE_HOME/ldap/demo/samples/training/ldifdata/initial.dat
Bulk-loader will perform schema checking on the LDIF file, then generate the intermediate files, and finally using these files it loads the data into the database.
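The checks that badldif3.dat and badldif4.dat exercise (a repeated DN, a child whose parent is missing, a repeated value in a multi-valued attribute) are easy to reproduce offline before handing a file to the bulk-loader. The following is an added example, not Oracle's bulkload.sh: it parses the simple single-line LDIF form used on this page and reports those three error classes. The sample LDIF is constructed for this example and is not one of the training files; it assumes a parent precedes its children in the file unless the caller lists DNs that already exist in the directory.

```python
"""Offline pre-check of an LDIF file for the kinds of error the bulk-loader
check mode reports: schema-independent problems only, i.e. duplicate DNs,
entries whose parent does not exist, and duplicate values inside a
multi-valued attribute. Added example, not Oracle's bulkload.sh."""

# Constructed sample in the style of badldif3.dat / badldif4.dat; not one of
# the training files. Record 4 repeats a telephone number, record 5 repeats
# the DN of record 4, record 6 has a parent that exists nowhere.
SAMPLE_LDIF = """\
dn: c=US
objectclass: top
objectclass: country
c: US

dn: o=IMC, c=US
objectclass: top
objectclass: organization
o: IMC

dn: ou=EuroSInet Suite, o=IMC, c=US
objectclass: top
objectclass: organizationalunit
ou: EuroSInet Suite

dn: cn=Person Six, ou=EuroSInet Suite, o=IMC, c=US
objectclass: top
objectclass: person
cn: Person Six
sn: Filler
telephonenumber: 44 1912 123456
telephonenumber: 44 1912 123456

dn: cn=Person Six, ou=EuroSInet Suite, o=IMC, c=US
objectclass: top
objectclass: person
cn: Person Six
sn: Duplicate

dn: cn=john, ou=noSuchObject, o=IMC, c=US
objectclass: top
objectclass: person
cn: john
sn: smith
"""


def normalize_dn(dn):
    """Fold case and strip the spaces after commas, so that
    'o=IMC, c=US' and 'o=imc,c=us' compare equal. A simplification of
    real DN matching (no escaped commas, no multi-valued RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return [(dn, {attribute: [values]}), ...] in file order. Records are
    separated by blank lines; only the single-line 'attr: value' form used
    on this page is handled (no base64 '::' values, no line folding)."""
    records, attrs, dn = [], {}, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last record
        line = raw.rstrip()
        if not line:
            if dn is not None:
                records.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records


def check_ldif(text, existing_dns=()):
    """Return [(dn, problem), ...]. existing_dns are entries assumed to be in
    the directory already; otherwise a parent must precede its children in
    the file, which is how the sample data files are laid out."""
    problems = []
    seen = {normalize_dn(d) for d in existing_dns}
    for dn, attrs in parse_ldif(text):
        ndn = normalize_dn(dn)
        if ndn in seen:
            problems.append((dn, "duplicate DN"))
        seen.add(ndn)
        parent = ndn.partition(",")[2]          # "" for a first-level entry
        if parent and parent not in seen:
            problems.append((dn, "parent entry not found: " + parent))
        for name, values in attrs.items():
            lowered = [v.lower() for v in values]
            if len(lowered) != len(set(lowered)):
                problems.append((dn, "duplicate value for attribute " + name))
    return problems


if __name__ == "__main__":
    for dn, why in check_ldif(SAMPLE_LDIF):
        print("%s -> %s" % (dn, why))
```

Run it on a file before the -load step; the three messages it prints for the constructed sample correspond to the errors the bulk-loader reports for badldif3.dat and badldif4.dat. Schema errors (badldif1.dat, badldif2.dat) need the object class definitions and are checked separately in section 4.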
Note: The LDIF files used in the examples below already exist in the samples directory.
Note: These examples assume that the initial data file has been loaded in section 2.
Create an LDIF file (addp6.ldi) as shown below:
dn: cn=Person Six, ou=EuroSInet Suite, o=IMC, c=US
cn: Person Six
sn: Filler
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
description: Salvage Clerk
telephonenumber: 44 1912 123456
userpassword: PASS1
st: Wolverhampton
street: 21 Dougan Street
postalcode: WV1 9ZZ
Now using the above file, add Person Six entry as shown below:
ldapadd -p 389 -h hostname -v -f addp6.ldi
This adds the Person Six entry to the directory. It assumes the LDAP server is listening on port 389 on host hostname. Note that the file carries the user's password in clear text (userpassword: PASS1), so protect such files accordingly.
B) Adding an entry without an LDIF file (reading the entry from standard input):
ldapadd -p 389 -h hostname -v <<EOF
dn: cn=Person Seven, ou=EuroSInet Suite, o=IMC, c=US
cn: Person Seven
sn: Filler
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
telephonenumber: 44 1912 123456
EOF
This will add Person Seven to the same parent as in example 1.
C) Adding a first-level entry by using an LDIF file:
ldapadd -p 389 -h hostname -v -f first.ldi
LDIF File:
dn: c=UK
c: uk
objectclass: top
objectclass: country
This is an example of a first-level entry: the entry has no parent and is added at the top level of the directory.
(Note: -v turns on verbose mode in the tool, which simply means that it prints a detailed account of what it does.)
D) Adding a non-first-level entry whose parent does not exist (should fail):
ldapadd -p 389 -h hostname -v -f john.ldi
LDIF File:
dn: cn=john,ou=noSuchObject,o=IMC,c=US
cn: john
sn: smith
objectclass: top
objectclass: person
objectclass: organizationalperson
userpassword: jsmith
seeAlso: cn=jsmith,ou=finance,o=imc,c=us
description: abc
title: finance manager
x121Address: 12345
registeredAddress: 1999 beach park blvd $ #5 $ foster city $ ca 94404
destinationIndicator: foster city
preferredDeliveryMethod: e-mail
telexNumber: 67890
teletexTerminalIdentifier: 1111
telephoneNumber: 2222
internationaliSDNNumber: 3333
facsimileTelephoneNumber: 4444
street: 1999 beach park blvd $ #5 $ foster city $ ca 94404
postOfficeBox: 65910
postalCode: 94404
postalAddress: 200 oracle parkway $ 65910 $ redwood shores $ ca 94065
physicalDeliveryOfficeName: HQ
ou: finance
st: ca
l: redwood shores
The output of this command will be
ldap_add: No such object
ldap_add: matched: o=IMC,c=US
ldap_add: additional info: Parent entry not found in the directory.
We cannot add john to the directory since his parent ou=noSuchObject,o=IMC,c=US does not exist. Add the parent and then retry:
ldapadd -p 389 -h hostname -v -f parent.ldi
dn: ou=noSuchObject,o=IMC,c=US
objectclass: top
objectclass: organizationalunit
ou: noSuchObject
Now if you add entry for John, it should succeed.
ldapadd -p 389 -h hostname -v -f john.ldi
The directory can be searched using any standard LDAP client tool that supports the "ldapsearch" operation; the OID command-line tool "ldapsearch" is one such tool.
"ldapsearch" examples for:
* Base object search
* One-level search
* Sub-tree search
* Size limit
* Required attributes list
A) Base object search
ldapsearch -p 389 -h hostname -b "" -s base -v "objectclass=*"
This performs a base-level search of the root of the directory: with the empty base DN and scope base, only the root DSE itself is returned.
* -b specifies base dn for search
* -s specifies whether it is a base or one (one level) or sub (subtree) search.
* "objectclass=*" specifies the filter for search.
B) One-level search
ldapsearch -p 389 -h hostname -b "ou=HR, ou=Americas, o=IMC, c=US" -s one -v "objectclass=*"
This performs a one-level search: only the immediate children of ou=HR, ou=Americas, o=IMC, c=US are returned, not the base entry itself.
C) Sub-tree search
ldapsearch -p 389 -h hostname -b "c=US" -s sub -v "cn=Person*"
This performs a sub-tree search under c=US and returns every entry whose cn attribute starts with 'Person' (the filter matches attribute values, not the DN string).
D) Search using a size limit
ldapsearch -h hostname -p port -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s one "objectclass=*"
Since we have specified the size limit as 2, we get only two entries even though the search matches more than two.
E) Required attributes list
ldapsearch -p 389 -h hostname -b "c=US" -s sub -v "objectclass=*" dn
This returns only the DNs of the matching entries. A whitespace-separated list of attributes to retrieve can be given after the filter; if no attribute list is given, all attributes are retrieved.
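The scope rules, the size limit and the attribute list above are the parts of ldapsearch people most often get wrong (one-level searches do not return the base entry; the size limit truncates silently unless the result code is checked). The following is an added example, not Oracle's ldapsearch: it runs the five searches of this section against a small in-memory directory built from the DNs used on this page (constructed for the example, not the training data set) and returns, next to the entries, whether the size limit was hit.

```python
"""Search scope (base / one / sub), the two filter shapes used on this page,
the attribute list and the size limit, as a search over an in-memory
directory. Added example, not Oracle's ldapsearch; the entries are
constructed from the DNs used on this page and are not the training data."""
import fnmatch


def norm(dn):
    """Fold case and drop the spaces after commas (simplified DN matching)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


# Constructed sample directory: DN -> {attribute: [values]}. The entry with the
# empty DN stands in for the root DSE, which is what -b "" -s base returns.
ENTRIES = {
    "": {"objectclass": ["top"]},
    "c=US": {"objectclass": ["top", "country"], "c": ["US"]},
    "o=IMC,c=US": {"objectclass": ["top", "organization"], "o": ["IMC"]},
    "ou=Americas,o=IMC,c=US": {"objectclass": ["top", "organizationalunit"], "ou": ["Americas"]},
    "ou=HR,ou=Americas,o=IMC,c=US": {"objectclass": ["top", "organizationalunit"], "ou": ["HR"]},
    "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US": {"objectclass": ["top", "organizationalunit"], "ou": ["Benefits"]},
}
for _n in ("One", "Two", "Three"):
    ENTRIES["cn=Person %s,ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" % _n] = {
        "objectclass": ["top", "person"], "cn": ["Person " + _n], "sn": ["Filler"]}


def in_scope(dn, base, scope):
    """base: the base entry only; one: its immediate children only (not the
    base itself); sub: the base and everything beneath it."""
    dn, base = norm(dn), norm(base)
    parent = dn.partition(",")[2]            # "" for a first-level entry or the root
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn != base and parent == base
    if scope == "sub":
        return dn == base or base == "" or dn.endswith("," + base)
    raise ValueError("scope must be base, one or sub")


def matches(entry, filt):
    """Presence ('attr=*'), equality ('attr=value') and the substring form
    with a trailing '*' used above. Compound filters are not handled."""
    attr, _, pattern = filt.strip("()").partition("=")
    values = entry.get(attr.strip().lower(), [])
    if pattern == "*":
        return bool(values)
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


def ldapsearch(base, scope, filt, attrs=None, sizelimit=0):
    """Return ([(dn, attributes)], size_limit_exceeded). attrs=None returns
    every attribute; an attribute list returns only those (the DN is always
    part of the result, so asking for 'dn' yields DNs only)."""
    results, exceeded = [], False
    for dn, entry in ENTRIES.items():
        if not (in_scope(dn, base, scope) and matches(entry, filt)):
            continue
        if sizelimit and len(results) >= sizelimit:
            exceeded = True                  # the server would report sizeLimitExceeded
            break
        wanted = entry if attrs is None else {a: entry[a] for a in attrs if a in entry}
        results.append((dn, wanted))
    return results, exceeded
```

The second element of the return value is the point of the size-limit example: a real client must look at the sizeLimitExceeded result code, because the two entries it does get back look like a complete answer.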
A) add
ldapmodify -p 389 -h hostname -v -f modadd.ldi
MODADD.LDI:
dn: cn=greg miller, ou=modify, o=IMC, c=US
changetype: modify
add: cn
cn: gmiller
This adds the value gmiller to the (multi-valued) cn attribute of the entry cn=greg miller, ou=modify, o=IMC, c=US; the entry then has two cn values, the RDN value greg miller and gmiller.
ldapmodify -p 389 -h hostname -v -f moddel.ldi
MODDEL.LDI:
dn: cn=greg miller, ou=modify, o=IMC, c=US
changetype: modify
delete: cn
cn: gmiller
This deletes the single value gmiller from the cn attribute of the entry cn=greg miller, ou=modify, o=IMC, c=US; the other cn value is kept. A delete with no values listed would remove the whole attribute.
ldapmodify -p 389 -h hostname -v -f modrepl.ldi
MODREPL.LDI
dn: cn=linda, ou=modify, o=IMC, c=US
changetype: modify
replace: description
description: abc
description: def
description: xyz
This replaces all existing description values of the entry cn=linda, ou=modify, o=IMC, c=US with the three values abc, def and xyz.
ldapmodify -p 389 -h hostname -v -f modmul.ldi
MODMUL.LDI:
dn: cn=Person Four, ou=EuroSInet Suite, o=IMC, c=US
changetype: modify
delete: sn
-
add: sn
sn: digger
D) Multiple modifications in one operation: the line containing only "-" separates the modifications. This first removes the whole sn attribute, then adds sn with the new value digger, all within a single modify operation.
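The add/delete/replace semantics above differ in ways that matter when scripting changes: add fails on a value that already exists, delete without values removes the whole attribute, replace discards every existing value, and a modification that would remove the naming (RDN) value is refused. The following is an added example, not Oracle's ldapmodify: it parses a "changetype: modify" record in the form shown above and applies it to an in-memory entry, raising the standard LDAP result names for the rejected cases. The entries are constructed for the example.

```python
"""Apply an LDIF 'changetype: modify' record (add / delete / replace, with
'-' separating the modifications) to an in-memory entry, to show the
single-value vs multi-value behaviour and the cases a server rejects.
Added example, not Oracle's ldapmodify; the entries are constructed and the
error names are the standard LDAP result codes."""


def parse_modify(text):
    """Return (dn, [(op, attribute, [values]), ...]) from one modify record."""
    dn, mods, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                          # ends one modification
            if current is not None:
                mods.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        elif name == "changetype":
            if value.lower() != "modify":
                raise ValueError("only changetype: modify is handled here")
        elif name in ("add", "delete", "replace"):
            current = (name, value.lower(), [])
        elif current is not None and name == current[1]:
            current[2].append(value)             # a value for the current modification
        else:
            raise ValueError("unexpected line: " + raw)
    if current is not None:
        mods.append(current)
    return dn, mods


def _has(values, v):
    return v.lower() in [x.lower() for x in values]


def apply_modify(dn, entry, mods):
    """Return a modified copy of entry, or raise ValueError named after the
    LDAP result code a server would return."""
    entry = {k.lower(): list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        have = entry.get(attr, [])
        if op == "add":                          # values accumulate; a repeat is an error
            for v in values:
                if _has(have, v):
                    raise ValueError("attributeOrValueExists: %s: %s" % (attr, v))
            entry[attr] = have + list(values)
        elif op == "delete":
            if not have:
                raise ValueError("noSuchAttribute: " + attr)
            if not values:                       # no values listed: the whole attribute goes
                del entry[attr]
                continue
            for v in values:
                if not _has(have, v):
                    raise ValueError("noSuchAttribute: %s: %s" % (attr, v))
            kept = [h for h in have if not _has(values, h)]
            if kept:
                entry[attr] = kept
            else:
                del entry[attr]
        elif op == "replace":                    # every existing value is discarded
            if values:
                entry[attr] = list(values)
            else:
                entry.pop(attr, None)
    # The naming attribute value must survive: changing it is ldapmoddn's job.
    rdn = dn.split(",")[0].strip()
    rdn_attr, _, rdn_value = rdn.partition("=")
    if not _has(entry.get(rdn_attr.strip().lower(), []), rdn_value.strip()):
        raise ValueError("notAllowedOnRDN: " + rdn)
    return entry


def try_modify(record, entry):
    """Apply record to entry; return the new entry, or the result code name
    (the part before the first ':') when the server would reject it."""
    try:
        dn, mods = parse_modify(record)
        return apply_modify(dn, entry, mods)
    except ValueError as e:
        return str(e).split(":")[0]


# Constructed entries, and the MODMUL / MODREPL records from this section.
PERSON_FOUR = {"objectclass": ["top", "person"], "cn": ["Person Four"], "sn": ["Filler"]}
LINDA = {"objectclass": ["top", "person"], "cn": ["linda"], "sn": ["Ball"],
         "description": ["old text"]}
MODMUL = """dn: cn=Person Four, ou=EuroSInet Suite, o=IMC, c=US
changetype: modify
delete: sn
-
add: sn
sn: digger
"""
MODREPL = """dn: cn=linda, ou=modify, o=IMC, c=US
changetype: modify
replace: description
description: abc
description: def
description: xyz
"""
DELETE_RDN = """dn: cn=linda, ou=modify, o=IMC, c=US
changetype: modify
delete: cn
cn: linda
"""
```

apply_modify works on a copy and checks the RDN only after all modifications, which is why MODMUL (delete sn, then add sn) succeeds as one operation while DELETE_RDN is refused.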
ldapdelete -p 389 -h hostname -v "cn=Person Nine, ou=EuroSInet Suite, o=IMC, c=US"
This tries to delete a non-existing entry; it should fail.
ldapdelete -p 389 -h hostname -v "c=us"
This tries to delete a non-leaf entry; it should fail, because ldapdelete only removes leaf entries (an entry with children cannot be deleted until its subtree is gone).
A) ModifyRDN
ldapmoddn -p 389 -h hostname -b "cn=dcp1,dc=Americas,dc=imc,dc=com" -R "cn=thanhmai"
This renames the entry in place: -b gives the entry's current DN and -R the new RDN, so cn=dcp1 becomes cn=thanhmai while the entry stays under dc=Americas,dc=imc,dc=com.
B) ModifyDN of a leaf-level entry
ldapmoddn -h hostname -p 389 -b "cn=Linda Ball, ou=Treasury, ou=Fin-Accounting, ou=Europe, o=IMC, c=US" -R "cn=Linda Ball" -N "dc=imc,dc=com"
This moves the leaf entry to a new parent: -N gives the new superior, so the RDN is kept and the entry becomes cn=Linda Ball,dc=imc,dc=com.
Command-line invocations for:
B) Define a new attribute
ldapmodify -p
SAMPLE.LDIF
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 1.2.3.4.5.6.7 NAME 'myAttr' DESC 'New attribute definition' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
C) Define a new auxiliary object class that includes the new attribute
ldapmodify -p
dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 1.2.3.4.5 NAME 'myOC' DESC 'my Objectclass definition' SUP top AUXILIARY MAY myAttr )
The AUXILIARY keyword is needed: a definition that names no kind is STRUCTURAL by default, and the next step adds this class to an entry that already has a structural class.
D) Add the new auxiliary class to an existing entry, add a value for the new attribute and display it
ldapmodify -p
ldapmodify -p
SAMPLE.LDIF
dn: cn=person one, ou=eurosinet suite, o=imc, c=us
changetype: modify
add: objectclass
objectclass: myOC
SAMPLE2.ldif
dn: cn=person one, ou=eurosinet suite, o=imc, c=us
changetype: modify
add: myAttr
myAttr: Value for my attribute
E) Check that our new entry is created
ldapsearch -p
F) Define a new structural object class
ldapmodify -p
SAMPLE.LDIF
dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 1.2.3.4.6 NAME 'myOC2' DESC 'my 2nd Objectclass definition' SUP top STRUCTURAL MUST ( cn $ sn ) MAY myAttr )
G) Add an entry with the new structural class
ldapadd -p
SAMPLE.LDIF
dn: cn=userid123, c=us
cn: userid123
sn: me
myAttr: value for new attribute
objectclass: top
objectclass: myOC2
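Whether the ldapadd above succeeds depends on three schema rules: the entry needs a structural class (an auxiliary class alone is not enough), every MUST attribute of its classes must be present, and no attribute outside MUST and MAY may appear, which is why myAttr is only legal once myOC or myOC2 is on the entry. The following is an added example, not Oracle's schema checker: it parses definitions in the subschema syntax used above and checks entries against them. The 'top' and 'person' definitions are the standard ones; myOC and myOC2 are the classes from this section with their kind written explicitly, since a definition that names no kind is STRUCTURAL by default.

```python
"""Parse object class definitions written in the subschema syntax used above
and check an entry against them: a structural class must be present, every
MUST attribute must be there, and nothing outside MUST/MAY is allowed. Added
example, not Oracle's schema checker. 'top' and 'person' are the standard
definitions; myOC / myOC2 are the classes defined on this page, with the
class kind written explicitly (a definition that names no kind is
STRUCTURAL by default, which is why the auxiliary class needs AUXILIARY)."""
import re

TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")

SCHEMA_LINES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 1.2.3.4.5 NAME 'myOC' DESC 'my Objectclass definition' SUP top AUXILIARY MAY myAttr )",
    "( 1.2.3.4.6 NAME 'myOC2' DESC 'my 2nd Objectclass definition' SUP top STRUCTURAL "
    "MUST ( cn $ sn ) MAY myAttr )",
]


def parse_objectclass(defn):
    """Return a dict for one '( oid NAME ... )' definition."""
    toks = TOKEN.findall(defn)
    if toks[0] != "(" or toks[-1] != ")":
        raise ValueError("definition must be parenthesised: " + defn)
    oc = {"oid": toks[1], "name": None, "desc": "", "sup": [],
          "kind": "STRUCTURAL", "must": [], "may": []}   # STRUCTURAL is the default kind
    i = 2
    while i < len(toks) - 1:
        kw = toks[i].upper()
        i += 1
        if kw in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc["kind"] = kw
            continue
        if kw == "OBSOLETE":
            continue
        if toks[i] == "(":                       # '( a $ b )' list value
            close = toks.index(")", i)
            vals = [t for t in toks[i + 1:close] if t != "$"]
            i = close + 1
        else:                                    # single token value
            vals = [toks[i]]
            i += 1
        vals = [v.strip("'") for v in vals]
        if kw == "NAME":
            oc["name"] = vals[0].lower()
        elif kw == "DESC":
            oc["desc"] = vals[0]
        elif kw in ("SUP", "MUST", "MAY"):
            oc[kw.lower()] = [v.lower() for v in vals]
        else:
            raise ValueError("unsupported keyword %s in %s" % (kw, defn))
    return oc


SCHEMA = {oc["name"]: oc for oc in map(parse_objectclass, SCHEMA_LINES)}


def expand(classes, schema):
    """The named classes plus all their superclasses."""
    out, todo = set(), [c.lower() for c in classes]
    while todo:
        c = todo.pop()
        if c not in schema:
            raise ValueError("objectClassViolation: unknown object class " + c)
        if c not in out:
            out.add(c)
            todo.extend(schema[c]["sup"])
    return out


def check_entry(entry, schema=SCHEMA):
    """Return the schema problems of an entry ({attribute: [values]});
    an empty list means the entry would be accepted."""
    attrs = {k.lower(): v for k, v in entry.items()}
    try:
        classes = expand(attrs.get("objectclass", []), schema)
    except ValueError as e:
        return [str(e)]
    problems = []
    if not any(schema[c]["kind"] == "STRUCTURAL" for c in classes):
        problems.append("objectClassViolation: no structural object class")
    must = {a for c in classes for a in schema[c]["must"]}
    may = {a for c in classes for a in schema[c]["may"]}
    present = set(attrs)
    for a in sorted(must - present):
        problems.append("objectClassViolation: required attribute %s is missing" % a)
    for a in sorted(present - must - may):
        problems.append("objectClassViolation: attribute %s is not allowed by the entry's object classes" % a)
    return problems
```

check_entry on the cn=userid123 entry above returns an empty list; drop myOC2 from its objectclass values and it reports both the missing structural class and that myAttr is not allowed.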
Note:
1. For these examples to work as expected, please run example 1 before examples 2-4 and run example
2. In the examples below, if you don't specify the hostname it defaults to localhost, and if you don't specify the port it defaults to 389.
A) Changing the default access policy at the DSE root as the super user
ldapmodify -h
dn:
changetype: modify
replace: orclaci
orclaci: access to entry by * (browse)
orclaci: access to attr=(*) by * (search,read,compare)
EOF
The empty dn: line addresses the root DSE, so this policy applies to the whole directory. "by *" covers every bind, including anonymous ones: after this change anyone can browse every entry and read every attribute, while nobody is granted write access. That is what the examples below rely on, and it is acceptable for a training instance but not for a production directory.
B) Creating an admin user under c=US as anonymous user (should fail)
ldapadd -h
dn: cn=admin, c=US
cn: admin
sn: Administrator
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
description: Directory Administrator for C=us
userpassword: admin
EOF
C) Deleting a user as anonymous user (should fail)
ldapdelete -h
cn=Person One, ou=EuroSInet Suite, o=IMC, c=US
EOF
D) Modifying an attribute value as anonymous user (should fail)
ldapmodify -h
dn: cn=Person One, ou=EuroSInet Suite, o=IMC, c=US
changetype: modify
replace: telephonenumber
telephonenumber: 6500001111
EOF
E) Modifying an attribute value as self user (should fail)
ldapmodify -h
dn: cn=Person One, ou=EuroSInet Suite, o=IMC, c=US
changetype: modify
replace: userpassword
userpassword: HVN
EOF
This fails even when binding as Person One, because the policy set in A) grants only browse, search, read and compare; no write permission is granted to anyone, not even to the entry itself.
Using the GUI Administration tool one can view the parameters of the Configuration entries used by the LDAP Server.
Example: To view the Default configuration parameters, follow the sequence of menus described below.
Click on Server Management
->Directory Server
->Default Configuration Set
On the Right hand side of the Admin tool window, one can see four tabs: General, Debug Flags, SSL Settings, and Passwords.
By clicking on each of these tabs, one can view the parameters underneath these categories.
To export a sub tree into a ldif file:
ldifwrite -c connectstring -b basedn -f filename
This exports the sub-tree rooted at basedn into an LDIF file in the current directory.
Example:
ldifwrite -c nldap -b "ou=Europe, o=imc, c=us" -f sample.ldif
will dump all the entries under "ou=Europe, o=imc, c=us" into the sample.ldif file. Note that ldifwrite reads the entries directly from the database through the connect string rather than through the LDAP server, so the directory's access policy does not apply and the file contains every attribute of every entry; treat the output as sensitive.