| Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) Part Number E10029-03 | 
 | 
| 
 | View PDF | 
This chapter consists of the following sections:
Modifying Attributes of a Large Number of Entries By Using bulkmodify
Deleting Entries or Attributes of Entries by Using bulkdelete
Dumping Data from Oracle Internet Directory to a File by Using ldifwrite
Creating and Dropping Indexes from Existing Attributes by Using catalog
For processing large quantities of data, bulk operations are typically more efficient than standard LDAP operations You can perform bulk operations only by using the command-line bulk tools.
Before you begin using the Oracle Identity Management command-line tools, you must configure your environment. This involves setting the appropriate environment variables.
The syntax and examples provided in this guide require that you have the following environment variables set:
ORACLE_HOME - The location of non-writable files in your Oracle Identity Management installation.
ORACLE_INSTANCE - The location of writable files in your Oracle Identity Management installation.
NLS_LANG (APPROPRIATE_LANGUAGE.AL32UTF8) - The default language set at installation is AMERICAN_AMERICA.
WLS_HOME - The location where the WebLogic Server is installed. This environment variable is required for Oracle Directory Integration Platform commands but not Oracle Internet Directory commands.
PATH - The following directory locations should be added to your PATH:
ORACLE_HOME/bin
ORACLE_HOME/ldap/bin
ORACLE_HOME/ldap/admin
Note:
The bulk tools do not support attribute uniqueness.In addition to this chapter, bulk tools are also discussed in the following sections of this book:
"Indexing an Attribute for Which Data Exists by Using the Catalog Management Tool"
"Backing Up and Restoring a Small Directory or Specific Naming Context"
See Also:
The chapter on Oracle Internet Directory administration tools in Oracle Fusion Middleware Reference for Oracle Identity Management.Notes:
Stop all instances of Oracle Internet Directory before using bulkload. Before using any of the other bulk tools, either stop all instances of Oracle Internet Directory or disable the entry cache.
Do not start Oracle Internet Directory while a bulk tool is executing.
Tip:
The syntax descriptions in this chapter show true or false arguments in the following format:check="TRUE"
You can type true or false in uppercase or lowercase, you can specify just the first letter, and you can omit the double quotes. That is, the following specifications are equivalent:
check=t check=true check="true" check=T check=TRUE check="TRUE"
Some bulk tool operations and replication setup procedures require you to switch an Oracle Internet Directory instance from read/write to read-only mode or from read-only to read/write mode. You can do so by using either Oracle Enterprise Manager Fusion Middleware Control or ldapmodify.
While the server is in read-only mode, only the administrator cn=orcladmin can write to the directory. As a result, you can only make changes to the directory by using utilities that enable you to connect as cn=orcladmin. These include:
Oracle Directory Services Manager
Command line tools
You cannot make changes while the server is in read-only mode by using WLST or Oracle Enterprise Manager Fusion Middleware Control because they connect to the Oracle Internet Directory server as the user cn=emd admin, cn=oracle internet directory.
To set the server mode to read-only from Fusion Middleware Control:
Select Administration, then Server Properties from the Oracle Internet Directory menu.
Select General.
Choose Read-only for Server Mode.
Click Apply.
To set the server mode to read/write mode from Fusion Middleware Control, use the same procedure but choose Read/Write in Step 3.
To set the server mode to Read-Only by using ldapmodify, run the following command:
ldapmodify -D "cn=orcladmin" -q -h host_name \ -p port -f change_mode.ldif
where the file change_mode.ldif has the following content:
dn: cn=componentname,cn=osdldapd,cn=subconfigsubentry changetype: modify replace: orclservermode orclservermode: r
To set the server mode to Read/Write by using ldapmodify, use the same command but change the last line in the LDIF file to:
orclservermode: rw
The bulk loader, bulkload, is a bulk management tool. It takes input data in LDIF or SQL*Loader format and loads the data directly into Oracle Internet Directory's schema in the metadata repository. It has three main phases: check, generate and load.
In the check phase, bulkload parses and verifies the LDIF input data for the schema.
In the generate phase, bulkload generates intermediate files in SQL*Loader format.
In the load phase, bulkload can use either of two methods: bulk mode loading or incremental mode loading.
When using bulk mode loading, bulkload loads generated intermediate files into the database. As it does so, it drops old indexes and generates new ones.
When using incremental mode loading, bulkload loads intermediate files to tables in the database using insert mode. While it loads the data, bulkload updates the indexes.
Bulk mode loading is faster than incremental mode loading.
The bulk loader also supports the following features:
It enables you to specify the number of threads in order to achieve parallelism during the generate and load phases.
It has an encode option that enables you to use data in other languages.
It has a restore option that enables you to retain the operational attributes specified in the LDIF file.
It has an index option for index recreation and a missing option for creation of missing indexes.
It has a recover option that is useful for recovering from bulkload failures.
When appending the data to existing directories, bulkload supports both bulk mode and incremental mode loading.
The append option enables you to load data while the LDAP server is up and running.
At the beginning of the generate phase, the server's orclServerMode, in the instance-specific configuration entry, is changed from read/write to read-modify. At the end of the generate phase, it is left in the read-modify state so that you cannot add entries to Oracle Internet Directory between the generate and load phases. This is necessary to maintain internal sequence numbers. You are expeced to run the load phase immediately after the generate phase. At the end of the load phase, the servers' orclServerMode is set back to read/write. Using bulkload with the recover option also sets orclServerMode back to read/write.
At the start of the load operation, bulkload determines the current configured value of orclRIenabled, then disables referential integrity. At the end of load phase, bulkload returns orclRIenabled to its original value. If is any referential integrity violations occurred, however, referential integrity is disabled, and you see the message:
There is a violation of Referential Integrity and hence it is Disabled now. Run the OIDDIAG tool with diagnostic option to collect the Entries which have dangling DN attribute values and Fix the violation
Fix the violation and then set orclRIenabled to the desired value.
The bulkload tool generates the following output files in the ORACLE_INSTANCE/diagnostics/logs/OID/tools directory:
An output log, bulkload.log
A list of duplicate DNs, duplicateDN.log
Intermediate files, *.ctl and *.dat
The bulkload tool generates the following output files in the ORACLE_INSTANCE/OID/load directory:
A list of bad LDIF entries, badentry.ldif
A list of all dynamic group entries that can be added using ldapadd, dynGrp.ldif
Intermediate log files generated by the SQL*Loader, bsl_*.log
Notes:
If a directory server instance is participating in a replication agreement, do not use the bulkload tool to add data into the node. Instead, use ldapadd.
Before using bulkload, ensure that the environment variable ORACLE_INSTANCE has been set to the full path name of the Oracle instance.
Running the bulkload load operation sets the server mode to read/write. If you require a different mode, reset it after performing the load operation.
If the applicable password policy has the pwdmustchange attribute set to 1, then for every new entry loaded by bulkload, the pwdreset attribute is set to 1 by default. See Chapter 28, "Managing Password Policies" for more information.
If you do not use the bulkload utility to populate the directory, then you must run the oidstats.sql tool to avoid significant search performance degradation.
See Also:
Theoidstats.sql command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management for a description and syntax for the oidstats.sql toolThe bulkload tool has the following syntax:
bulkload [connect=connect_string] {[check="TRUE"|"FALSE" [file=ldif_file]] [generate="TRUE"|"FALSE" [append="TRUE"|"FALSE"] [restore="TRUE"|"FALSE"] [thread=num_of_threads] file=ldif_file] [load="TRUE"|"FALSE" [append="TRUE"|"FALSE"] [threads=num_of_threads]] [index="TRUE"|"FALSE"] [missing="TRUE"|"FALSE"] [recover="TRUE"|"FALSE"]} [encode=character_set] [debug="TRUE"|"FALSE"] [verbose="TRUE"|"FALSE"]
Some of the parameter combinations are valid while others are invalid.
You must set the environment variable ORACLE_INSTANCE. Specify the fully qualified path to the Oracle Instance where the intermediate file is generated.
You must specify at least one of the following actions when you invoke bulkload: check, generate, load, append, recover, or index.
If check is TRUE, bulkload performs a schema check.
If generate is TRUE, bulkload generates intermediate files.
When using the check or generate action, you must specify the path name to the LDIF data file.
If load is TRUE, bulkload loads intermediate files.
When append is TRUE, bulkload can perform its actions while the server is up and running.
Use the restore flag only when the LDIF file contains operational attributes, such as orclguid or creatorsname. Avoid having operational attributes in the LDIF file when the restore flag is not specified or is set to FALSE.
Do not specify recover with any other option.
The option combination check index verifies the existing indexes.
To import an LDIF file, you use the bulkload utility. This section discusses the tasks to process an LDIF file through bulkload.
See Also:
Thebulkload command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management.This section contains these topics:
Task 1: Stopping Oracle Internet Directory Processes
Stop all Oracle Internet Directory server instances by using either Fusion Middleware Control or the command line.
Task 2: Backing Up the Oracle Database Server
Before you import the file, back up the Oracle database server as a safety precaution.
See Also:
Oracle Database Backup and Recovery Basics in the Oracle Database Documentation LibraryTask 3: Finding Out the Oracle Internet Directory Password
To use bulkload, you must provide the Oracle Internet Directory ODS schema password.
See Also:
Theoidpasswd command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity ManagementTask 4: Checking Input for Schema and Data Consistency Violations and Generating the Input Files for SQL*Loader
On UNIX, the bulkload tool usually resides in $ORACLE_HOME/ldap/bin. On Microsoft Windows, this tool usually resides in ORACLE_HOME\ldap\bin.
Check the input file and generate files for the SQL*Loader by typing:
bulkload connect="connect_string" \ check="TRUE" generate="TRUE" file="full_path_to_ldif-file_name"
When you specify both the check and generate options, the entries are checked for schema compliance.
All check-related errors are reported as command line output. All schema violations are reported in ORACLE_INSTANCE/diagnostics/logs/OID/tools/bulkload.log. All bad entries are logged in ORACLE_INSTANCE/OID/load/badentry.ldif.
If there are duplicate entries, their DNs are logged in ORACLE_INSTANCE/diagnostics/logs/OID/tools/duplicateDN.log. This is just for information purpose. The bulkload tool does not generate duplicate data for duplicate entries. It ignores duplicate entries.
Use a text editor to fix all bad entries, then re-run bulkload with the check and generate options. Repeat until there are no errors, or until the remaining errors are acceptable to you. For example, you might be willing to load a small number of entries with ldapadd.
The bulkload tool generates intermediate *.ctl and *.dat files in the ORACLE_INSTANCE/OID/load directory. Even when errors occur, bulkload generates the intermediate files for those entries that had no check errors.
When bulkload completes successfully or with acceptable errors, you can use the intermediate files with the SQL*Loader in load mode. Do not modify these files.
Note:
Always use thecheck and generate options together if you plan to ignore check-related errors. If you use the generate option without the check option, none of the validation checks are performed. In that case, the intermediate files will contain erroneous entries. Loading such files can lead to data inconsistency and index creation failures.Task 5: Loading the Input Files
After you have generated the input files, run bulkload with the load option. During this step, bulkload loads the *.dat files, which are in Oracle SQL*Loader specific format, into the database, creates attribute indexes, and generates database statistics. The syntax is:
bulkload connect="connect_string" load="TRUE"
The tool will indicate any errors on the screen. All loading errors are reported in the ORACLE_INSTANCE/diagnostics/logs/OID/tools directory. They reside in bulkload.log and in the SQL*Loader-generated files *.bad and bsl_*.log.If load fails, the database might be in an inconsistent state. Restore the database to its state prior to the bulkload operation, either by using bulkload with the recover option or by restoring Oracle Internet Directory directory from a backup taken before you invoked bulkload. Then repeat the command:
bulkload connect="connect_string" load="TRUE"
If you encounter an error during the indexing phase, you can use:
bulkload coonect="con_str" index=true
to re-create all indexes.
If you encounter an error during database statistics generation, you can use the oidstats.sql command to generate statistics.
See Also:
The "oidstats.sql" command reference in Oracle Fusion Middleware Reference for Oracle Identity ManagementIf you must add entries to an Oracle Internet Directory server that already contains data, and the server must be up and running at the same time, then you must use the incremental or append mode. This mode is usually faster than other methods of adding entries to the directory. However, you must ensure that the Oracle Internet Directory LDAP instances are in read-modify mode so that bulkload can append data.
You invoke bulkload in incremental or append mode with command lines similar to these:
bulkload connect="conn_str" \
   check="TRUE" generate="TRUE" append="TRUE" file="LDIF_file" 
bulkload connect="conn_str" \
    load="TRUE" append="TRUE" 
The bulkload operation can either update indexes or create indexes. Sometimes, however, bulkload does not update or create the indexes properly. This is typically due to issues like improper sizing. If this happens, you can use bulkload to verify and re-create all the indexes.
Use the following syntax to invoke bulkload for verification of indexes:
bulkload connect="conn_str" \
    check="TRUE" index="TRUE"
To re-create indexes, use the following syntax:
bulkload connect="conn_str" index="TRUE"
The load phase of bulkload can fail because of issues like improper disk sizing. After such a failure, the directory data might be inconsistent. You can use the recover option to return the directory data to its pre-bulkload state. The syntax is:
bulkload connect="conn_str" recover="TRUE"
The bulkmodify tool is useful for modifying the attributes of a large number of entries in an existing directory. It can perform add and replace operations on attribute values. It can operate on a naming context. Using filters, it can also operate selectively on a few entries under a specified naming context.
The bulkmodify tool does not allow add or replace operations on the following attributes:
dn
cn
userpassword
orclpassword
orclentrylevelaci
orclaci
orclcertificatehash
orclcertificatematch
any binary attribute
It does not allow replace operation on the attribute objectclass.
It does not allow add for single-valued attributes.Output from bulkmodify is logged in ORACLE_INSTANCE/diagnostics/logs/OID/tools/bulkmodify.log.
See Also:
Thebulkmodify command-line tool reference inOracle Fusion Middleware Reference for Oracle Identity Managementbulkmodify has the following syntax.
bulkmodify connect=connect_string basedn=Base_DN {[add="TRUE"|"FALSE"]|[replace="TRUE"|"FALSE"]} attribute=attribute_name value=attribute_value [filter=filter_string] [size=transaction_size] [threads=num_of_threads] [debug="TRUE"|"FALSE"] [encode=character_set] [verbose="TRUE"|"FALSE"]
The number of threads should be from one to six times the number of processors.
Select either the add or the replace option. By default both are set to FALSE.
Note:
Before usingbulkmodify, ensure that the environment variable ORACLE_INSTANCE has been set to the full path name of the Oracle instance.This example adds descriptions for all the entries under "c=us".
bulkmodify connect="connect_str" baseDN="c=us" add="TRUE" \
    attribute="description" value="US citizen" filter="objectclass=*"
This example adds telephonenumber for all the entries under "c=us" that have the manager Anne Smith.
bulkmodify connect="connect_str" baseDN="c=us" add="TRUE" \
     attribute="telephoneNumber" \
     value="408-123-4567" filter="manager=cn=Anne Smith"
bulkdelete is useful for deleting the attributes of a large number of entries in an existing directory. bulkdelete can delete entries specified under a naming context. By default, it deletes entries completely. It removes all traces of an entry from the database. If you use the option cleandb FALSE, bulkdelete turns all entries into tombstone entries instead of deleting them completely.
Bulkdelete output is logged in ORACLE_INSTANCE/diagnostics/logs/OID/tools/bulkdelete.log.
See Also:
Thebulkdelete command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity ManagementThe bulkdelete tool has the following syntax.
bulkdelete connect=connect_string {[basedn=Base_DN] | [file=file_name]} [cleandb="TRUE"|"FALSE"] [size=transaction_size] [encode=character_set] [debug="TRUE"|"FALSE"] [threads=num_of_threads] [verbose="TRUE"|"FALSE"]
Select either the basedn or the file option. If cleandb is TRUE, bulkdelete removes entries completely from the database. By default cleandb is set to TRUE. The number of threads should be from one to six times the number of CPUs.
Notes:
Before using bulkdelete, ensure that the environment variable ORACLE_INSTANCE has been set to the full path name of the Oracle instance.
If the number of entries to be deleted in the specified naming context is large, you must tune the Oracle Database as specified in the Oracle Internet Directory chapter of Oracle Fusion Middleware Performance and Tuning Guide.
This example deletes all the entries under "c=us".
bulkdelete connect="connect_str" baseDN="c=us" cleandb="TRUE"
This example deletes all the entries under "c=us" and leaves them as tombstone entries.
bulkdelete connect="connect_str" baseDN="c=us" cleandb=FALSE
This example deletes all the entries under given base DNs specified in file and leaves them as tombstone entries.
bulkdelete connect="connect_str" file="file" cleandb=FALSE
The ldifwrite tool is used to dump of data from an Oracle Internet Directory store to a file. Having the data in a file facilitates loading the data into another node for replication or backup storage. As it writes to the output file, the ldifwrite tool performs a subtree search, including all entries below the specified DN, and the DN itself. It dumps data in LDIF format. It can also dump entries under a specified replication agreement DN.
The ldifwrite tool can dump entries located by using specified filters.Output from ldifwrite is logged in ORACLE_INSTANCE/diagnostics/logs/OID/tools/ldifwrite.log.
See Also:
Theldifwrite command-line tool reference in Oracle Fusion Middleware Reference for Oracle Identity ManagementThe ldifwrite tool has the following syntax.
ldifwrite connect=connect_string basedn=Base_DN ldiffile=LDIF_Filename [filter=LDAP_Filter] [threads=num_of_threads] [debug="TRUE"|"FALSE"] [encode=character_set] [verbose="TRUE"|"FALSE"]
Use the basedn option to specify the base DN or replication agreement DN.
The number of threads should be from one to six times the number of CPUs.
Note:
Before usingldifwrite, ensure that the environment variable ORACLE_INSTANCE has been set to the full path name of the Oracle instance.This example uses the following naming context objects defined in partial replication:
dn: cn=includednamingcontext000001, cn=replication namecontext, orclagreementid=000001, orclreplicaid=node replica identifier, cn=replication configuration orclincludednamingcontexts: c=us orclexcludednamingcontexts: ou=Americas, c=us orclexcludedattributes: userpassword objectclass: top objectclass: orclreplnamectxconfig
In this example, all entries under "c=us" are backed up except "ou=Americas,c=us". The userpassword attribute is also excluded. The command is:
ldifwrite connect="conn_str" \ baseDN="cn=includednamingcontext000001, cn=replication namecontext, \ orclagreementid=000001,orclreplicaid=node replica identifier,\ cn=replication configuration" ldiffile="ldif_file_name"
This example writes all the entries that satisfy LDAP search filter criteria under "ou=Europe, o=imc, c=us" into the output.ldif file.
ldifwrite connect="connect_str" baseDN="ou=Europe, o=imc, c=us"\ filter="uid=abc" ldiffile="output.ldif"
The catalog tool is useful for creating indexes for or dropping indexes from existing attributes. The catalog tool makes an attribute searchable.Output from catalog is logged in ORACLE_INSTANCE/diagnostics/logs/OID/tools/catalog.log.
catalog has the following syntax.
catalog connect=connect_string {[add="TRUE"|"FALSE"]|[delete="TRUE"|"FALSE"]} {[attribute=attribute_name]|[file=file_name]} [logging="TRUE"|"FALSE"] [threads=num_of_threads] [debug="TRUE"|"FALSE"] [verbose="TRUE"|"FALSE"]
Select either the add or the delete option. By default both are set to FALSE.
The number of threads should be from one to six times the number of CPUs.
If logging is TRUE, catalog generates a redo log.
You can specify only one attribute argument on the command line at a time. To add or delete more than one attribute in a single command invocation, use the file option and specify a list of attributes in the file. Use one line for each attribute, for example:
description sn title
Notes:
Before using catalog, ensure that the environment variable ORACLE_INSTANCE has been set to the full path name of the Oracle instance.
The catalog command cannot index more than 1000 attributes at a time. If more than 1000 attributes are present in the file, the tool throws an error. If you need to index more than 1000 attributes, use multiple files.
This example drops an index from the attribute title.
catalog connect="connect_str" delete="TRUE" attribute="title"
Note:
Unless you are absolutely sure that the indexes were not created by the base schema that was installed with Oracle Internet Directory, be careful not to use thecatalog delete=T option to remove indexes from attributes. Removing indexes from base schema attributes can adversely impact the operation of Oracle Internet Directory.This example adds an index to the attribute title.
catalog connect="connect_str" add="TRUE" attribute="title"
See Also:
"Indexing an Attribute for Which Data Exists by Using the Catalog Management Tool"
"Adding an Index to a New Attribute by Using Oracle Directory Services Manager"
"Adding an Index to an Existing Attribute by Using Oracle Directory Services Manager"
"Configuring Specific Attributes for Referential Integrity by Using the Command Line"