Category: Oracle

2008-03-14 17:19:00

 

1. Starting and stopping the Directory servers

1.1 To start / stop the Guardian

A) To start the Guardian:

B) To stop the Guardian:

1.2 To start / stop the LDAP Server

A) To start the LDAP Server:

B) To start the LDAP Server with additional flags:

C) To stop the LDAP Server:

D) To stop and restart all the running LDAP servers:

2. Initial Loading to populate the Directory

2.1 Bulk-loader in check mode (failure cases)

2.2 Bulk-loader in check and generate mode

2.3 Bulk-loader in check, generate and load mode

3. Using the command-line tools

3.1 Adding entries to the Directory - "ldapadd"

A) Adding an entry by using an LDIF File

B) Adding an entry without using an LDIF File

C) Adding a first level entry by using an LDIF File

D) Add a non-first level entry without a parent (should fail)

3.2 Searching entries in the Directory - "ldapsearch"

A) Base object search

B) One-level Search

C) Sub-tree Search

D) Search using Size Limit

3.3 Modifying entries in the Directory - "ldapmodify"

A) add

B) delete

C) replace

D) single value, multiple value operations

3.4 Deleting entries from the Directory - "ldapdelete"

3.5 Modifying DN / RDN of an entry in the Directory - "ldapmodify" RDN/DN

A) ModifyRDN

B) ModifyDN of a leaf level entry

4. Schema modifications

A) Read the subschema Subentry

B) Define a new attribute

C) Define a new auxiliary object class, that includes the above new attribute

D) Add the new auxiliary class above to an existing entry, add values to the new attributes and display them

E) Check that our new entry is created

F) Define a new structural object class

G) Add an entry with the new structural class

5. Access control examples

A) Changing the default ACCESS policy at DSE ROOT as super user

B) Creating an Admin user under c=us as anonymous user (should fail)

C) Deleting a user as anonymous user (should fail)

D) Modifying an attribute value as anonymous user (should fail)

E) Modifying an attribute value as self user (should fail)

6. Reading the LDAP server configuration set

7. Using the LDIF writer

Note 1. To start the ldap server we need to start the guardian and the manager.

Note 2. The details of various options for the server are given at the end of the examples in this section.

 

oidmon [connect=connectstring] [sleep=sleeptime] start | stop

where:

    • connectstring Is the directory database connect string. The connect string should be defined in the tnsnames.ora file. If you don't know the connect string, please consult the instructor. If connect string is not provided, it defaults to the value of ORACLE_SID environment variable.
    • sleeptime The time interval in seconds at which the Guardian monitors OSD servers. If sleeptime is not provided, it defaults to 10 seconds.

Examples

 

oidmon connect=nldap sleep=10 start

This command will start the guardian connecting to the database with connect string nldap and monitoring interval of 10 seconds. The nldap connect string should be defined in the tnsnames.ora file. If it is not, please consult the instructor.

 

oidmon connect=nldap stop

 

The LDAP server is started using the OiD Control Utility (oidctl).

The command line parameters for the OiD Control Utility are:

oidctl [connect=connectstring] server=servername instance=instanceno [configset=configsetno] [flags="flagsvalues"] start | stop

where:

    • connectstring Is the directory database connect string. The connect string should be defined in the tnsnames.ora file. If you don't know the connect string, please consult the instructor. If connect string is not provided, it defaults to the value of the ORACLE_SID environment variable.
    • servername The name of the OiD server to be started/stopped. Server names must be either osdldap or osdrepl.
    • instanceno The instance number to be started/stopped. Instance value is mandatory for OIDLDAPD and OIDREPL.
    • configsetno The configuration set number to be used while starting an OID server.
    • flagvalues The flags needed while starting the OID server.
    • start | stop Start or stop the OID server.

Examples

 

oidctl connect=nldap server=OIDLDAPD instance=9 start

This command will start the ldap server (provided guardian is running) connecting to database with connect string nldap, with instance number 9 and port number specified by configset 0.

 

This command will start the ldap server (provided guardian is running) connecting to database with connect string nldap, with instance number 2 at port number 4000 and all other defaults specified by configset 0.

 

oidctl connect=nldap server=OIDLDAPD instance=2 stop

This will stop the LDAP server (provided the guardian is running) running with instance number 2, connected to the database with connect string nldap.

 

oidctl connect=nldap server=OIDLDAPD refresh

This will stop and restart all the running LDAP servers.

Note: At the end of this section, please ensure that the IMC data has been loaded.

 

Ensure the OID LDAP server has been shut down. After executing each example, check the log files in "$ORACLE_HOME/ldap/log" for details on the detected errors.

To use the Bulk-loader in check mode, go to the $ORACLE_HOME/ldap/bin directory. Then run:

./bulkload.sh -connect connectstring -check ldiffile

where:

    • connectstring Is the directory database connect string. The connect string should be defined in the tnsnames.ora file. If you don't know the connect string, please consult the instructor. If connect string is not provided, it defaults to the value of ORACLE_SID environment variable.
    • ldiffile Is the file containing the LDIF data. The complete path needs to be specified.

Examples:

Note: The examples below assume connect string is "nldap" and the directory where the LDIF input files are located is "$ORACLE_HOME/ldap/demo/samples/training/ldifdata"

./bulkload.sh -connect nldap -check badldif1.dat

will run the Bulk-loader in the check mode using the badldif1.dat file. Since the file contains schema errors, the bulk loader should display all the errors on the screen.

Other example files are:

$ORACLE_HOME/ldap/demo/samples/training/ldifdata/badldif2.dat (schema errors)

$ORACLE_HOME/ldap/demo/samples/training/ldifdata/badldif3.dat (contains duplicate DNs)

$ORACLE_HOME/ldap/demo/samples/training/ldifdata/badldif4.dat (duplicate multi-valued attribute values)

 

./bulkload.sh -connect connectstring -check -generate ldiffile

Example

./bulkload.sh -connect nldap -check -generate $ORACLE_HOME/ldap/demo/samples/training/ldifdata/initial.dat

The Bulk-loader will generate the intermediate files to be used in load mode without loading the data into the database.

 

./bulkload.sh -connect connectstring -check -generate -load ldiffile

Example

./bulkload.sh -connect nldap -check -generate -load $ORACLE_HOME/ldap/demo/samples/training/ldifdata/initial.dat

Bulk-loader will perform schema checking on the LDIF file, then generate the intermediate files, and finally using these files it loads the data into the database.

Note: The LDIF files used in the examples below already exist in the samples directory.

Note: These examples assume that the initial data file has been loaded in section 2.

 

Create an LDIF file as shown below:

dn: cn=Person Six, ou=EuroSInet Suite, o=IMC, c=US
cn: Person Six
sn: Filler
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
description: Salvage Clerk
telephonenumber: 44 1912 123456
userpassword: PASS1
st: Wolverhampton
street: 21 Dougan Street
postalcode: WV1 9ZZ

 

Now using the above file, add Person Six entry as shown below:

ldapadd -p 389 -h hostname -v -f addp6.ldi

This will add the Person Six entry to the directory. It assumes the LDAP server is running on port 389 on host hostname.

 

ldapadd -p 389 -h hostname -v << EOF

dn: cn=Person Seven, ou=EuroSInet Suite, o=IMC, c=US

cn: Person Seven

sn: Filler

objectclass: top

objectclass: person

objectclass: organizationalperson

objectclass: inetorgperson

telephonenumber: 44 1912 123456

EOF

This will add Person Seven to the same parent as in example 1.

 

ldapadd -p 389 -h hostname -v -f first.ldi

LDIF File:

dn: c=UK

c: uk

objectclass: top

objectclass: country

 

This is an example of a first-level entry: the entry does not have a parent and is added at the top level of the directory.

(Note: -v specifies verbose mode in the tool, which simply means give detailed output.)

Adding new entry cn=john,ou=noSuchObject,o=IMC,c=US

ldapadd -p 389 -h hostname -v -f john.ldi

LDIF File:

dn: cn=john,ou=noSuchObject,o=IMC,c=US

cn: john

sn: smith

objectclass: top

objectclass: person

objectclass: organizationalperson

userpassword: jsmith

seeAlso: cn=jsmith,ou=finance,o=imc,c=us

description: abc

title: finanace manager

x121Address: 12345

registeredAddress: 1999 beach park blvd $ #5 $ foster city $ ca 94404

destinationIndicator: foster city

preferredDeliveryMethod: e-mail

telexNumber: 67890

teletexTerminalIdentifier: 1111

telephoneNumber: 2222

internationaliSDNNumber: 3333

facsimileTelephoneNumber: 4444

street: 1999 beach park blvd $ #5 $ foster city $ ca 94404

postOfficeBox: 65910

postalCode: 94404

postalAddress: 200 oracle parkway $ 65910 $ redwood shores $ ca 94065

physicalDeliveryOfficeName: HQ

ou: finance

st: ca

l: redwood shores

 

The output of this command will be

ldap_add: No such object

ldap_add: matched: o=IMC,c=US

ldap_add: additional info: Parent entry not found in the directory.

 

We cannot add john to the directory because his parent ou=noSuchObject,o=IMC,c=US does not exist. Add the parent and then retry:

ldapadd -p 389 -h hostname -v -f parent.ldi

LDIF File:

dn: ou=noSuchObject,o=IMC,c=US

objectclass: top

objectclass: organizationalunit

ou: noSuchObject

 

Now if you add entry for John, it should succeed.

ldapadd -p 389 -h hostname -v -f john.ldi
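The checks behind the failures shown in section 2 (badldif3.dat with duplicate DNs, badldif4.dat with duplicate multi-valued attribute values) and the "Parent entry not found" error above can be reproduced offline. The following is an added example, not code from the OID training material or from Oracle: a small LDIF pre-check in Python. The LDIF text, the attribute handling (no base64 "::" values, case-insensitive value comparison) and the list of DNs assumed to be loaded already are constructed for the example.

```python
def norm_dn(dn):
    """Normalise a DN for comparison: strip blanks around RDNs, ignore case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn):
    """Parent DN, or "" for a first-level entry such as c=UK."""
    parts = [part.strip() for part in dn.split(",")]
    return ",".join(parts[1:])


def _record(lines):
    """Turn the lines of one LDIF record into (dn, {attr: [values]})."""
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def parse_ldif(text):
    """Parse plain entry LDIF (no changetype records, no base64 '::' values).
    Records are separated by blank lines; a leading space continues the
    previous line; '#' lines are comments."""
    records, current = [], []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip():
            current.append(raw)
        elif current:
            records.append(_record(current))
            current = []
    return records


def check_ldif(text, existing_dns=()):
    """Return the problems found; an empty list means the file passes.
    A parent may be defined earlier in the same file or already be in the
    directory (existing_dns); first-level entries have no parent to check."""
    problems = []
    known = {norm_dn(dn) for dn in existing_dns}   # DNs the directory already holds
    seen = set()                                    # DNs defined by this file
    for dn, attrs in parse_ldif(text):
        if dn is None:
            problems.append("record without a dn line")
            continue
        key = norm_dn(dn)
        if key in seen:
            problems.append(f"duplicate DN: {dn}")
        seen.add(key)
        for name, values in attrs.items():
            # compared case-insensitively, as the server does for caseIgnore syntaxes
            lowered = [v.lower() for v in values]
            if len(set(lowered)) != len(lowered):
                problems.append(f"duplicate values for {name} in {dn}")
        parent = parent_dn(dn)
        if parent and norm_dn(parent) not in known:
            problems.append(f"parent entry not found: {parent} (for {dn})")
        known.add(key)
    return problems


# Constructed sample data: DNs assumed to be loaded already, and LDIF text
# modelled on the john.ldi / parent.ldi files shown above.
EXISTING_DNS = ["c=US", "o=IMC,c=US"]

JOHN_LDIF = """dn: cn=john,ou=noSuchObject,o=IMC,c=US
cn: john
sn: smith
objectclass: top
objectclass: person
objectclass: organizationalperson
userpassword: jsmith
"""

PARENT_LDIF = """dn: ou=noSuchObject,o=IMC,c=US
objectclass: top
objectclass: organizationalunit
ou: noSuchObject
"""

DUP_DN_LDIF = """dn: ou=Sales,o=IMC,c=US
objectclass: top
objectclass: organizationalunit
ou: Sales

dn: OU=sales, O=IMC, C=US
objectclass: top
objectclass: organizationalunit
ou: Sales
"""

DUP_VALUE_LDIF = """dn: ou=Sales,o=IMC,c=US
objectclass: top
objectclass: top
objectclass: organizationalunit
ou: Sales
"""

if __name__ == "__main__":
    print(check_ldif(JOHN_LDIF, EXISTING_DNS))                        # parent missing
    print(check_ldif(PARENT_LDIF + "\n" + JOHN_LDIF, EXISTING_DNS))   # []
```

Running the check on john.ldi alone reports the missing parent, exactly the situation in which the server answers "No such object"; prepending the parent.ldi record clears it, which mirrors the order of the two ldapadd calls above.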

 

The directory can be searched using any standard LDAP client tool that supports the "ldapsearch" operation. OiD command-line tool "ldapsearch" is such a tool.

"Ldapsearch" examples for:

* Size limit

* Required attributes list

* Reading operational attributes

 

ldapsearch -p 389 -h hostname -b "" -s base -v "objectclass=*"

This will perform a base level search on the directory from the root.

* -b specifies base dn for search

* -s specifies whether it is a base or one (one level) or sub (subtree) search.

* "objectclass=*" specifies the filter for search.

ldapsearch -p 389 -h hostname -b "ou=HR, ou=Americas, o=IMC, c=US" -s one -v "objectclass=*"

This will perform a one level search.

 

ldapsearch -p 389 -h hostname -b "c=US" -s sub -v "cn=Person*"

This will perform a sub-tree search under c=US and return all entries whose cn starts with 'Person'.

 

ldapsearch -h hostname -p port -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s one "objectclass=*"

Since we have specified a size limit of 2, we get only two entries even though the search matches more than two.

ldapsearch -p 389 -h hostname -b "c=US" -s sub -v "objectclass=*" dn

This will return only the DNs of the matching entries. A whitespace-separated list of attributes to retrieve can be given after the filter; if no attribute list is given, all attributes are returned.
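To make the difference between the three scopes, the size limit and the attribute list concrete without a running server, here is an added example (not from the OID training notes) that models those ldapsearch options over a constructed slice of the IMC sample tree; the entries, the simplified filter syntax (equality with a trailing "*" wildcard, "attr=*" for presence) and the function names are assumptions of this example.

```python
import fnmatch

# Constructed slice of the IMC sample tree; attribute names are stored lower-case.
SAMPLE_ENTRIES = {
    "c=US": {"objectclass": ["top", "country"], "c": ["US"]},
    "o=IMC,c=US": {"objectclass": ["top", "organization"], "o": ["IMC"]},
    "ou=EuroSInet Suite,o=IMC,c=US": {
        "objectclass": ["top", "organizationalunit"], "ou": ["EuroSInet Suite"]},
    "cn=Person One,ou=EuroSInet Suite,o=IMC,c=US": {
        "objectclass": ["top", "person"], "cn": ["Person One"], "sn": ["Filler"]},
    "cn=Person Two,ou=EuroSInet Suite,o=IMC,c=US": {
        "objectclass": ["top", "person"], "cn": ["Person Two"], "sn": ["Filler"]},
    "cn=Person Three,ou=EuroSInet Suite,o=IMC,c=US": {
        "objectclass": ["top", "person"], "cn": ["Person Three"], "sn": ["Filler"]},
}


def norm_dn(dn):
    """Normalise a DN for comparison: strip blanks around RDNs, ignore case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn):
    """Parent DN, or "" for a first-level entry."""
    parts = [part.strip() for part in dn.split(",")]
    return ",".join(parts[1:])


def in_scope(entry_dn, base, scope):
    """-s base: the base entry only; one: its immediate children; sub: base and all below."""
    e, b = norm_dn(entry_dn), norm_dn(base)
    if scope == "base":
        return e == b
    if scope == "one":
        return norm_dn(parent_dn(e)) == b
    if scope == "sub":
        return b == "" or e == b or e.endswith("," + b)
    raise ValueError("scope must be base, one or sub")


def matches(attrs, flt):
    """Equality filter 'attr=value'; a trailing * is a wildcard, 'attr=*' tests presence."""
    name, _, pattern = flt.strip('"').partition("=")
    values = attrs.get(name.strip().lower(), [])
    if pattern == "*":
        return bool(values)
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


def ldapsearch(entries, base, scope, flt, attrlist=None, sizelimit=0):
    """Return [(dn, selected_attrs)]; -z stops after sizelimit entries (0 = no limit).
    Note: -b "" -s base on a real server returns the root DSE, which this model omits."""
    results = []
    for dn, attrs in entries.items():
        if not (in_scope(dn, base, scope) and matches(attrs, flt)):
            continue
        # The DN is always part of the result; attrlist selects the attributes
        # (asking for "dn" alone, as on the page, therefore yields no attributes).
        selected = attrs if attrlist is None else {a: attrs[a] for a in attrlist if a in attrs}
        results.append((dn, selected))
        if sizelimit and len(results) >= sizelimit:
            break
    return results


if __name__ == "__main__":
    for dn, _ in ldapsearch(SAMPLE_ENTRIES, "c=US", "sub", "cn=Person*", attrlist=["dn"]):
        print(dn)
```

The size limit is applied by the server after matching, so which two of the three matching entries come back depends on the server's scan order; clients that need all matches must raise -z or page the results rather than rely on the truncated set.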

 

B) Add

ldapmodify -p 389 -h hostname -v -f modadd.ldi

MODADD.LDI:

dn: cn=greg miller, ou=modify, o=IMC, c=US

changetype: modify

add: cn

cn: gmiller

This will add the value gmiller to the cn attribute of the entry cn=greg miller, ou=modify, o=IMC, c=US in the directory.

ldapmodify -p 389 -h hostname -v -f moddel.ldi

MODDEL.LDI:

dn: cn=greg miller, ou=modify, o=IMC, c=US

changetype: modify

delete: cn

cn: gmiller

This will delete the value gmiller from the cn attribute of the entry cn=greg miller, ou=modify, o=IMC, c=US.

ldapmodify -p 389 -h hostname -v -f modrepl.ldi

MODREPL.LDI

dn: cn=linda, ou=modify, o=IMC, c=US

changetype: modify

replace: description

description: abc

description: def

description: xyz

This will replace all description values of the entry cn=linda, ou=modify, o=IMC, c=US with abc, def and xyz.

ldapmodify -p 389 -h hostname -v -f modmul.ldi

MODMUL.LDI:

dn: cn=Person Four, ou=EuroSInet Suite, o=IMC, c=US

changetype: modify

delete: sn

-

add: sn

sn: digger

 

This performs multiple modifications (delete the sn attribute, then add sn with the value digger) in one operation; the "-" line separates the individual changes.
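What the server does with each of the four LDIF files above (add appends a value and refuses duplicates, delete removes one value or the whole attribute, replace swaps the entire value set, and "-" chains several changes into one atomic operation) can be shown on an in-memory entry. This is an added example, not code from the OID training material: the entries, the case-insensitive value matching and the RDN protection rule are assumptions of the example.

```python
class ModifyError(Exception):
    """Raised where a server would return an error and leave the entry untouched."""


def parse_modify_ldif(text):
    """Return (dn, [(op, attr, [values]), ...]) for one changetype: modify record."""
    dn, mods, op = None, [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        if line == "-":                       # separator between changes
            op = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        elif name == "changetype":
            if value.lower() != "modify":
                raise ModifyError(f"unsupported changetype: {value}")
        elif name in ("add", "delete", "replace"):
            op = [name, value.lower(), []]
            mods.append(op)
        elif op is not None and name == op[1]:
            op[2].append(value)
        else:
            raise ModifyError(f"unexpected line: {line}")
    if dn is None:
        raise ModifyError("record has no dn")
    return dn, [tuple(m) for m in mods]


def rdn_of(dn):
    """Naming attribute and value of the entry's own RDN."""
    attr, _, value = dn.split(",")[0].partition("=")
    return attr.strip().lower(), value.strip()


def apply_modify(entry, dn, mods):
    """Apply mods in order to a copy of entry: all changes succeed or none do."""
    new = {attr: list(values) for attr, values in entry.items()}
    for op, attr, values in mods:
        current = new.get(attr, [])
        have = {v.lower() for v in current}
        if op == "add":
            for v in values:
                if v.lower() in have:
                    raise ModifyError(f"{attr}: value '{v}' already exists")
                current.append(v)
                have.add(v.lower())
            new[attr] = current
        elif op == "delete":
            if attr not in new:
                raise ModifyError(f"{attr}: no such attribute")
            if not values:                    # no values listed: drop the attribute
                del new[attr]
                continue
            drop = {v.lower() for v in values}
            if not drop <= have:
                raise ModifyError(f"{attr}: value to delete not present")
            new[attr] = [v for v in current if v.lower() not in drop]
            if not new[attr]:
                del new[attr]
        elif op == "replace":                 # empty value list removes the attribute
            if values:
                new[attr] = list(values)
            else:
                new.pop(attr, None)
    attr, value = rdn_of(dn)                  # the naming value must survive
    if value.lower() not in {v.lower() for v in new.get(attr, [])}:
        raise ModifyError(f"modification would remove the RDN value {attr}={value}")
    return new


def try_modify(entry, ldif_text):
    """(new_entry, None) on success, (None, error message) on failure."""
    try:
        dn, mods = parse_modify_ldif(ldif_text)
        return apply_modify(entry, dn, mods), None
    except ModifyError as exc:
        return None, str(exc)


# Constructed entries and the LDIF records from the page.
GREG = {"objectclass": ["top", "person"], "cn": ["greg miller"], "sn": ["miller"]}
LINDA = {"objectclass": ["top", "person"], "cn": ["linda"], "sn": ["x"], "description": ["old"]}
PERSON_FOUR = {"objectclass": ["top", "person"], "cn": ["Person Four"], "sn": ["Filler"]}
MODADD_LDI = "dn: cn=greg miller, ou=modify, o=IMC, c=US\nchangetype: modify\nadd: cn\ncn: gmiller\n"
MODDEL_LDI = "dn: cn=greg miller, ou=modify, o=IMC, c=US\nchangetype: modify\ndelete: cn\ncn: gmiller\n"
MODREPL_LDI = ("dn: cn=linda, ou=modify, o=IMC, c=US\nchangetype: modify\nreplace: description\n"
               "description: abc\ndescription: def\ndescription: xyz\n")
MODMUL_LDI = ("dn: cn=Person Four, ou=EuroSInet Suite, o=IMC, c=US\nchangetype: modify\n"
              "delete: sn\n-\nadd: sn\nsn: digger\n")
BAD_RDN_LDI = "dn: cn=greg miller, ou=modify, o=IMC, c=US\nchangetype: modify\ndelete: cn\ncn: greg miller\n"
```

The last record is the case a server refuses outright: deleting the value that forms the entry's RDN would leave the entry unnamed, which is why renaming goes through ldapmoddn (section 3.5) rather than ldapmodify.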

ldapdelete -p 389 -h hostname -v "cn= Person Nine, ou=EuroSInet Suite, o=IMC, c=US"

tries to delete a non-existing entry. It should fail.

ldapdelete -p 389 -h hostname -v "c=us"

tries to delete a non-leaf entry. It should fail.

ldapmoddn -p 389 -h hostname -b "cn=dcp1,dc=Americas,dc=imc,dc=com" -R "cn=thanhmai"

ldapmoddn -h hostname -p 389 -b "cn=Linda Ball, ou=Treasury, ou=Fin-Accounting, ou=Europe, o=IMC, c=US" -R "cn=Linda Ball" -N "dc=imc,dc=com"

 

Command-line invocations for:

ldapmodify -p -h -f sample.ldif

SAMPLE.LDIF

dn: cn=subschemasubentry

changetype: modify

add: attributetypes

attributetypes: ( 1.2.3.4.5.6.7 NAME 'myAttr' DESC 'New attribute definition' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

 

ldapmodify -p -h -f sample.ldif

SAMPLE.LDIF

dn: cn=subschemasubentry

changetype: modify

add: objectclasses

objectclasses: ( 1.2.3.4.5 NAME 'myOC' DESC 'my Objectclass definition' MAY myAttr )

 

ldapmodify -p -h -f sample.ldif

ldapmodify -p -h -f sample2.ldif

SAMPLE.LDIF

dn: cn=person one, ou=eurosinet suite, o=imc, c=us

changetype: modify

add: objectclass

objectclass: myOC

SAMPLE2.ldif

dn: cn=person one, ou=eurosinet suite, o=imc, c=us

changetype: modify

add: myAttr

myAttr: Value for my attribute

 

ldapsearch -p -h -b "cn=person one, ou=eurosinet suite, o=imc, c=us" -s base "objectclass=*"

 

ldapmodify -p -h -f sample.ldif

SAMPLE.LDIF

dn: cn=subschemasubentry

changetype: modify

add: objectclasses

objectclasses: ( 1.2.3.4.6 NAME 'myOC2' DESC 'my 2nd Objectclass definition' SUP top MUST ( cn $ sn ) MAY myAttr )

 

ldapadd -p -h -f sample.ldif

SAMPLE.LDIF

dn: cn=userid123, c=us

cn: userid123

sn: me

myAttr: value for new attribute

objectclass: top

objectclass: myOC2

Note:

1. For these examples to work as expected, please run example 1 before examples 2-4 and run example

2. In the examples below, if you don't specify the hostname, it will default to local host and if you don't specify the port, it will default to 389.

 

ldapmodify -h -p -D "cn=orcladmin" -w "welcome" << EOF

dn:

changetype: modify

replace: orclaci

orclaci: access to entry by * (browse)

orclaci: access to attr=(*) by * (search,read,compare)

EOF

 

B)

ldapadd -h -p << EOF

dn: cn=admin, c=US

cn: admin

sn: Adminstrator

objectclass: top

objectclass: person

objectclass: organizationalperson

objectclass: inetorgperson

description: Directory Administrator for C=us

userpassword: admin

EOF

 

ldapdelete -h -p << EOF

cn=Person One, ou=EuroSInet Suite, o=IMC, c=US

EOF

 

ldapmodify -h -p << EOF

dn: cn=Person One, ou=EuroSInet Suite, o=IMC, c=US

changetype: modify

replace: telephonenumber

telephonenumber: 6500001111

EOF

 

ldapmodify -h -p -D "cn=Person One, ou=EuroSInet Suite, o=IMC, c=US" -w "PASS1" << EOF

dn: cn=Person One, ou=EuroSInet Suite, o=IMC, c=US

changetype: modify

replace: userpassword

userpassword: HVN

EOF

 

Using the GUI Administration tool one can view the parameters of the Configuration entries used by the LDAP Server.

Example: To view the Default configuration parameters, follow the sequence of menus described below.

Click on Server Management

->Directory Server

->Default Configuration Set

On the Right hand side of the Admin tool window, one can see four tabs: General, Debug Flags, SSL Settings, and Passwords.

By clicking on each of these tabs, one can view the parameters underneath these categories.

 

To export a sub tree into an LDIF file:

ldifwrite -c connectstring -b basedn -f filename

This will export the sub tree under basedn into an LDIF file in the current directory.

Example:

ldifwrite -c nldap -b "ou=Europe, o=imc, c=us" -f sample.ldif

will dump all the entries under "ou=Europe, o=imc, c=us" into the sample.ldif file.
