| Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform 11g Release 1 (11.1.1) Part Number E10031-04 | 
 | 
| 
 | View PDF | 
This chapter explains how to manage directory synchronization profiles. It contains these topics:
This section explains how to create, modify, and delete synchronization profiles by using Oracle Enterprise Manager Fusion Middleware Control. It contains these topics:
Note:
Users with non-administrator privileges can use Oracle Enterprise Manager Fusion Middleware Control to view information about existing synchronization profiles, but cannot create or edit profiles.This section explains how to create synchronization profiles using Oracle Enterprise Manager Fusion Middleware Control. When you create the profile, Oracle recommends using the Test Connection function to test the connection to the source host and using the Validate All Mapping Rules function to test your mapping rules. If you encounter error messages, you must fix the profile configuration or you will not be able to enable the profile and perform synchronization using the profile.
If you create a Synchronization Profile using any of the sample map files included with Oracle Directory Integration Platform, you may encounter various warning messages. The Synchronization Profile will function correctly despite the warnings and you can ignore the warning messages. To avoid the warning messages, edit the default settings of the map file included with Oracle Directory Integration Platform according to your specific environment, then create the profile.
Perform the following steps to create a synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:
Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component where you want to create the synchronization profile.
Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears.
Click Create. The Create Synchronization Profile page appears with tabs for the various types of profile settings. The following sections describe the parameters on each tab in the Create Synchronization Profile page.
After you set values for the parameters, click OK on the Create Synchronization Profile page to create the profile. The profile will appear on the Manage Synchronization Profiles page.
General
The General tab contains the following parameters that configure the general settings for the profile:
Profile Name: Specify the name of the connector in ASCII characters only—non-ASCII characters are not supported in the Profile Name. The name you enter is used as the RDN component of the DN for this connector profile. For example, specifying a profile name MSAccess creates a connector profile named orclodipagentname=MSAccess,cn=subscriber profile, cn=changelog subscriber, cn=oracle internet directory.
Profile Status: Select whether or not to enable or disable the profile.
Use DIP-OID as?: The DIP-OID label refers to the Oracle Internet Directory that is one end-point for synchronization and provisioning. Select whether Oracle Internet Directory will be used as the source or destination directory. Selecting Source pulls changes from a connected target directory into Oracle Internet Directory. Selecting Destination pushes changes from Oracle Internet Directory into a connected target directory.
Type: Select the type of connected directory from the list.
Note:
If you select non-standard LDAP type of profile, such as Database or Custom, the subsequent configuration parameters will vary. For example, if you select Custom from the Type list, you must identify the Java classname and the package, for example:com.comp.dip.integration.MyListenerHost: The host where the connected directory is running.
Port: The port where the connected directory is running.
SSL Settings: Specify whether to enable or disable SSL settings. If you enable SSL Settings, the root certificates of the target directory must be in the Oracle Directory Integration Platform keystore to successfully connect or test the connection to the target directory.
User Name: Specify the account to be used by the connector agent for accessing the connected directory. For example, if the connected directory is a database, then the account might be Scott. If the connected directory is another LDAP-compliant directory, then the account might be cn=Directory Manager.
Password: Specify the password the connector/agent is to use when accessing the connected directory.
Test Connection: Use the Test Connection function to test the connection to the source host.
Mapping
The Mapping tab allows you to configure Domain and Attribute Mapping Rules, and Domain and Attribute Exclusion Lists for the profile.
Domain Mapping Rules are for the domain or container from which objects are synchronized into Oracle Internet Directory. The Domain Exclusion List identifies domains to be excluded during bootstrap and synchronization.
Attribute Mapping Rules are for attributes of the objects that are being managed. The Attribute Exclusion List identifies attributes to be excluded during bootstrap and synchronization.
To create a mapping rule or exclusion list, click Create for the type of mapping rule or exclusion list you want to create, enter values for the parameters, and then click OK at the top of the Create Synchronization Profile page.
Note:
Use the Validate All Mapping Rules button at the top of the Create Synchronization Profile page to test your mapping rules after you create them. If your mapping rules are not valid, you cannot use the profile.The following is a list and description of the Domain Mapping Rules parameters:
Source Container or Destination Container: If you are configuring an import profile, this parameter will be labeled Source Container. If you are configuring an export profile, this parameter will be labeled Destination Container. The parameter identifies the name of the source/destination container from/to which the objects are synchronized. Enter a value of NONLDAP if you a synchronizing with a non-LDAP source.
DIP-OID Container: The DIP-OID label refers to the Oracle Internet Directory that is one end-point for synchronization and provisioning. The name of the destination container into which the objects are synchronized. Enter a value of NONLDAP if you a synchronizing with a non-LDAP source.
DN Mapping Rule: The specific mapping rule that determines how entries from the source container are mapped to the destination container.
The following is a list and description of the Domain Exclusion List parameters:
Source Container to Exclude: This parameter appears if you are configuring an import profile. Identify the domains to be excluded during bootstrap and synchronization for by entering a value, for example, OU=myou,OU=test,DC=mycompany,DC=com, or by clicking Lookup and browsing to the domain, and then clicking OK in the Create Domain Exclusion Container dialog box.
DIP-OID Container to Exclude: This parameter appears if you are configuring an export profile. Identify the domains to be excluded during bootstrap and synchronization for by entering a value, for example, OU=myou,OU=test,DC=mycompany,DC=com, or by clicking Lookup and browsing to the domain, and then clicking OK in the Create Domain Exclusion Container dialog box.
The following is a list and description of the Attribute Mapping Rules parameters:
Source Object Class: Select the object class in the source directory. Do not select a value when synchronizing with a non-LDAP source.
Source Attributes: The source directory attributes to which you want to apply the mapping rule. When synchronizing with LDAP sources, select the Single Attributes option and enter the appropriate attributes in the Attributes field. When synchronizing with non-LDAP sources, select the Multiple Attributes option and enter the appropriate attributes in the Multivalue Attributes field.
Source Attribute Required: Enable or disable the source attribute requirement.
DIP-OID Object Class: Select the destination object type or class. Use the destination object class for LDAP targets.
DIP-OID Attribute: Select the destination attribute name to which you want to apply the mapping rule.
DIP-OID Attribute Type: Enter the type of the attribute in the destination directory.
Mapping Expression: Enter the transformation rule that derives the destination attribute value from the source attribute value.
The following is a list and description of the Attribute Exclusion List parameters:
ObjectClass: Select the objectclass that contains the attributes you want to add to the Attribute Exclusion List. After you select an objectclass, its attributes appear in the Multiple Address field.
Attributes: Select the attributes you want to add to the Attribute Exclusion List.
Filtering
The Filtering tab contains the following parameters that configure the filter settings for the profile:
Source Matching Filter: Specify the attribute that uniquely identifies an entry in the connected directory or specify an LDAP search filter for the connected directory in the format searchfilter=ldap_search_filter.
Destination Matching Rule: Specify the attribute that uniquely identifies records in Oracle Internet Directory. This attribute is used as a key to synchronize Oracle Internet Directory with the connected directory.
Associated Profile: The Associated Profile filtering setting is used to avoid loop back changes in bi-directional synchronization where changes initiated from one directory return to the same directory. For import profiles, specify the export profile it is associated with in the Associated Profile field. For export profiles, specify the import profile used for synchronizing the data from that directory.
Note:
To disassociate a profile, set the Associated Profile setting to Select One.Advanced
The Advanced tab contains the following parameters that configure the advanced settings for the profile:
Scheduling Interval (HH:MM:SS): Specify the number of hours, minutes, and seconds between synchronization attempts between a connected directory and Oracle Internet Directory.
Maximum Number of Retries: Specify the maximum number of times the synchronization is to be retried before synchronization stops. The default is 5. The first retry takes place one minute after the first failure. The second retry happens two minutes after the second failure, and subsequently the retry takes place n minutes after the n failure.
Log Level: Specify the logging level for debugging. Selecting the All level logs all information, including entries that are synchronized.
Last Change Number: Identifies the number of changes that synchronization has been performed for. When you create a synchronization profile, the Last Change Number parameter is locked—you cannot enter a value for it.
After you create a synchronization profile and attempt to edit it, an additional option named Edit and Persist is available for the Last Change Number parameter. You can edit the value for the Last Change Number parameter if you select (enable) the Edit and Persist option. Enabling the Edit and Persist option causes the Last Change Number to be persisted in the profile. Changes to the Last Change Number will not be persisted if the Edit and Persist option is not enabled.
WARNING:
Be aware that if you edit the value for the Last Change Number, setting an incorrect value can cause the profile to stop working or cause erroneous synchronization operations.
Additional Configuration Parameters: This section allows you to manage optional, advanced configuration parameters. To create an advanced configuration parameter, click Add and identify the parameter and its value. The following is a list and description of each advanced configuration parameter:
Check All Entries: Applicable only for eDirectory and OpenLDAP, it determines how deleted entries in Novell eDirectory or OpenLDAP are synchronized with Oracle Internet Directory. If you assign a value of true to this parameter, the Oracle Directory Integration Platform identifies deleted entries by performing a linear comparison between the entries in Oracle Internet Directory and Novell eDirectory or OpenLDAP. If an entry does not exist in Novell eDirectory or OpenLDAP, the entry is deleted from Oracle Internet Directory. If you assign a value of false to this parameter, deleted entries are synchronized according to the difference between the number of entries in the connected directory and the number of entries in Oracle Internet Directory. If the number of deleted entries is 0 or less than 0, then there are no deleted entries to synchronize. However, if the number of deleted entries is greater than 0, then the Oracle Directory Integration Platform compares each entry in Oracle Internet Directory with Novell eDirectory or OpenLDAP to identify the deleted entries to synchronize. The Oracle Directory Integration Platform continues to compare entries until it locates the same number of deleted entries as the difference between the number of entries in the connected directory and the number of entries in Oracle Internet Directory. For better performance, you should assign a value of false to this parameter.
Unique Attribute: Applicable only for eDirectory and OpenLDAP, it identifies the unique attribute in Novell eDirectory or OpenLDAP that can be used to search for an entry. You assign to this parameter a value of GUID for Novell eDirectory or entryuuid for OpenLDAP.
Attribute Type: Applicable only for eDirectory and OpenLDAP, it indicates the type of the UniqueAttribute parameter. You assign to this parameter a value of Binary for Novell eDirectory or nonBinary for OpenLDAP. This parameter is used to obtain the corresponding Oracle Internet Directory attribute for the attribute that is defined in the mapping file.
Search Time Delta Size in seconds: This parameter is applicable only for eDirectory and OpenLDAP, which handle synchronization based on timestamps and do not support changelog. Search Time Delta Size in seconds determines the time interval for processing changes during each synchronization cycle iteration. The default value is 3600. The number of iterations performed during each synchronization cycle depend on the number of pending changes. For example, if the Search Time Delta In Seconds parameter is set to 60 and there are changes pending for about one minute, synchronization will require a single iteration. If changes are pending for three minutes, synchronization will require three iterations.
Notes:
When the number of changes per minute is small, you will experience better synchronization efficiency by setting Search Time Delta Size in seconds to a higher value.
Be sure the value you set for the Search Time Delta In Seconds parameter does not exceed the LDAP search limit of the connected directory server. Otherwise, you may receive an error during synchronization and some changes may not be processed.
Search Delta Size: This parameter is applicable when importing changes from directories that support changelog. Search Delta Size determines how many incremental changes are processed during each iteration in a synchronization cycle. The default value is a value of 500. The number of iterations performed during each synchronization cycle depend on the number of pending changes. For example, if the Search Delta Size parameter is assigned a value of 500 and there are 498 pending changes, synchronization will require a single iteration. However, if there are 501 pending changes, synchronization will require two iterations. In some cases, you will experience better synchronization efficiency if you assign a higher value to this parameter. However, be sure that the value you specify does not exceed the LDAP search limit of the connected directory server. Otherwise, you may receive an error during synchronization and some changes may not be processed.
Note:
Be sure to thoroughly analyze and test your deployment when modifying the Search Delta Size parameter, especially if you assign a value higher than 2000.Skip Error To Sync Next Change: Determines how Oracle Directory Integration Platform handles an error when processing a change during synchronization. By default, Skip Error To Sync Next Change is assigned a value of false, which means that Oracle Directory Integration Platform will continue processing a change until the error is resolved. If you assign a value of true to Skip Error To Sync Next Change, Oracle Directory Integration Platform will skip any changes that cause an error. All failures are recorded in the $ORACLE_HOME/ldap/odi/log/profile_name.aud audit log. If you set Skip Error To Sync Next Change to true, be sure to periodically review the audit log for failures.
Update Search Count: Specifies the maximum number of iterations to perform on the connected directory during the synchronization process. The synchronization process stops after the specified number of search has been performed and resumes at the next scheduled interval.
Reduce Filter Time In Seconds: Applicable only for eDirectory and OpenLDAP, it specifies the time difference between a computer that is running Oracle Internet Directory and a computer that is running Novell eDirectory. This parameter is necessary because synchronization between Oracle Internet Directory and Novell eDirectory will not function properly if the time on the Novell eDirectory computer is earlier than the time on the Oracle Internet Directory computer. You assign to this parameter a value in seconds that is equal to the time difference between the two computers. The default value is 0.
Writer: Identifies the Writer used by the profile for synchronization. This is a read only value and is used only for information purposes.
Reader: Identifies the Reader used by the profile for synchronization. This is a read only value used only for information purposes.
Reconciler: Do not modify this parameter. It identifies the class used by the profile for reconciliation purposes. The parameter is applicable only for eDirectory and OpenLDAP. This is a read only value used only for information purposes.
To edit an existing synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:
Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the profile you want to edit.
Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears displaying a list of the existing profiles.
Select the profile you want to edit from the list and click Edit. The Edit Synchronization Profile screen appears for the profile you want to edit.
Edit the profile settings by referring to the "General", "Mapping", "Filtering", and "Advanced" sections in "Creating Synchronization Profiles" that describe each profile parameter.
Note:
You must edit the settings on the General tab before editing the settings on any other tab.Click OK on the Edit Synchronization Profile page to save the updated profile.
To enable or disable an existing synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:
Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the profile you want to enable or disable.
Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears displaying a list of the existing profiles.
Select the profile you want to enable or disable from the list of existing profiles.
Click the Enable Profile button to enable the profile.
Click the Disable Profile button to enable the profile.
Use Oracle Enterprise Manager Fusion Middleware Control to delete a synchronization profile—never delete a synchronization profile directly from Oracle Internet Directory. If you use Oracle Internet Directory to delete a synchronization profile you will receive a PROFILE_ALREADY_REGISTERED message if you attempt to recreate the profile.
Perform the following steps to delete a synchronization profile using Oracle Enterprise Manager Fusion Middleware Control:
Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that contains the profile you want to delete.
Click the DIP Server menu, point to Administration, and then click Synchronization Profiles. The Manage Synchronization Profiles appears.
On the Manage Synchronization Server page, select profile you want to delete and click Delete. A window that prompts you to confirm deletion of the connector profile.
Click Yes to confirm that you want to delete the profile.
DIP Synchronization Profile Tester (DIP Tester) is a utility that can perform synchronization operations and return detailed log messages generated during the test. Use DIP Tester to test synchronization profiles and verify that the profile configuration and mapping rules are working as expected with your directory data.
DIP Tester only works with directory-based profiles. It does not work with DB/Custom and other non-directory-based profiles.
You can run DIP Tester either from the Enterprise Manager user interface or from a command-line using WLST.
DIP Tester can only be used with synchronization profiles that are set to the disabled state.
Note:
When disabling a profile there is a delay before the disabled status takes effect. Only after the configured refresh interval has elapsed (an interval of two minutes or more) will the profile become disabled.To disable a profile click the Disable Profile button on the toolbar.
To Open DIP Tester in Enterprise Manager
From the DIP Server menu, choose Administration > Synchronization Profiles.
The Manage Synchronization Profiles page opens.
Click the row of the profile to be tested to select it.
Click the arrow to the right of the DIP Tester button and choose from the following menu:
Dump Profile - Opens a pop-up window and displays detailed information about the selected synchronization profile so that a copy of the profile can be added to a support ticket.
Launch Tester - Opens DIP Tester.
Test Mode
This section describes the Test Mode screen, which is the first screen of the three screen DIP Tester wizard.
DIP Tester Operation Mode - DIP Tester can run in two modes: Basic and Advanced.
Choose Basic mode to quickly run the synchronization task using DIP Tester's preconfigured settings. The synchronization task runs and sync status and log messages from the test are returned in Enterprise Manager.
Basic mode is useful if you need to quickly retry a failed synchronization. To retry the last failed change, edit the profile and set Skip Error To Sync Next Change to false, set Update Search Count to 1, and searchDeltaSize to 1.
Note:
In the default configuration, Skip Error To Sync Next Change is set to false. Consequently DIP Tester will not move past any failed operations. To have DIP Tester continue on to the next operation upon encountering a failed operation, open the Manage Synchronization Profiles page, click Edit, and on the Advanced tab set Skip Error To Sync Next Change to true.Choose Advanced mode to specify and configure the source of the test data. There are three ways to specify the test data:
Enter a change number to test sync a specific change. Change numbers are supported on Active Directory, Oracle Internet Directory, iPlanet, and Tivoli directories.
Enter the SourceDN to test sync a specific change. SourceDN is supported on eDirectory and OpenLDAP directories.
Enter LDIF data. LDIF data is compatible with all directory sources.
Note:
DIP Tester cannot process delete operations for the OpenLDAP or eDirectory LDAP servers.When processing user or group delete operations on other LDAP servers, LDIF delete files need to include the dn and changetype attributes.
For example:
dn: cn=userToDelete,cn=users,dc=comain changetype: delete
Selected Profile Information - Contains read-only information about the synchronization profile to be tested. Review this information and click Next in the top right corner of the screen to go to step two of the wizard, Test Params.
Table 7-1 Synchronization Profile Properties, Basic Properties
| Property | Description | 
|---|---|
| Profile Name | The name of the profile to be tested. | 
| Synchronization Mode | Indicates the direction of synchronization. Import propagates changes from a connected directory to Oracle Internet Directory. Export propagates changes from Oracle Internet Directory to a connected directory. | 
| Profile Status | Indicates that the profile is disabled if the check box is empty. | 
Table 7-2 Synchronization Profile Properties, Source Details or Destination Details
| Property | Description | 
|---|---|
| Type | The directory type supplying records for the import test (for example, OpenLDAP, Microsoft Active Directory, Tivoli Directory Server, and so on). | 
| Host | Name of the computer hosting the source container for the synchronization test. | 
| Port | Configured port number for the synchronization job connection. | 
| SSL Settings | Indicates that SSL is disabled if the check box is empty. | 
| User Name | User account that the profile uses to authenticate to the source directory. | 
Table 7-3 Synchronization Profile Properties, Advanced
| Property | Description | 
|---|---|
| Last Change Number | Identifies the most recent change number in the change log that synchronization has been performed for. | 
| Skip Error To Sync Next Change | If true, specifies that the profile should continue the synchronization job if an error occurs. If false, the sync job is aborted. To change this value, edit the synchronization profile, select the Advanced tab, and edit the parameter in the Additional Configuration Parameters section. | 
| Update Search Count | Specifies the maximum number of iterations to be performed on the connected directory during the synchronization process. The synchronization process stops after the specified number of searches has been performed. To change this value, edit the synchronization profile, select the Advanced tab, and edit the parameter in the Additional Configuration Parameters section. | 
Test Params
This section describes the Test Params screen, which is the second screen of the three screen DIP Tester wizard.
If running DIP Tester in Advanced mode, select and configure the source of the test data. To test sync a specific change, either enter a change number or enter the SourceDN. Otherwise, enter synchronization instructions using LDIF (Lightweight Directory Interchange Format) statements.
If running DIP Tester in Basic mode, the options are preconfigured. Click Next in the top right corner of the screen to go to step three of the wizard, Review Options and Test Output.
View Test Data Optional. This lookup feature is provided so that you can view change log data, source directory data, and destination directory data without leaving DIP Tester. Select one of the following options form the drop-down menu to view the test data inside of DIP Tester.
View Change Log Entry - For directories that support change logs specify the change log and enter a number in the Change Number box. The change number is retrieved from the source.
Note:
Failed change numbers cannot be determined automatically. Instead, refer to audit logs for failed change numbers.View Source Directory Entry - Select to view an existing source directory entry that you can use as a template. This option should be used to view Active Directory source data, including the uSNChanged attribute.
The Source Container values in the drop-down menu are retrieved using the domain mapping rules set in the profile.
Enter a value for the Source RDN box.
View Destination Directory Entry - Select to view an existing destination directory entry that you can use as a template.
The Destination Container values in the drop-down menu are retrieved using the domain mapping rules set in the profile.
Enter a value for the Destination RDN box.
Test Options From the Test data source menu, select Change Number, SourceDN, or LDIF Data, then type the change number, SourceDN, or the LDIF commands that you want to test. Click Next to go to step three of the wizard, Review Options and Test Output.
Review Options and Test Output
This section describes the Review Options and Test Output screen, which is the third screen of the three screen DIP Tester wizard.
Caution:
A synchronization test is not a simulation. Initiating the test will cause an actual sync operation to take place. Proceed with caution when using DIP Tester in Advance mode.If running DIP Tester in Advanced mode, use the Review Test Options section to review the change number or LDIF data that you entered on the previous screen. If running DIP Tester in Basic mode, this section uses preconfigured settings.
Click Test to initiate the synchronization test.
Click Dump Profile to write detailed information about the selected synchronization profile to a pop-up window.
Note:
If a source directory entry and a destination directory entry are already in sync, DIP Tester will not report that the sync operation did not occur. Instead, DIP Tester simply reports "Test Passed" because the entry and attribute data in both directories match.The Test Output section displays the following information:
Result - Either Test Passed or Test Failed.
Note:
When using DIP Tester in Basic mode, the Test Output section will occasionally report a result of "Test Passed," when, in fact, errors were reported. For this reason you should always check the Log Messages for DIP Tester section to verify that no errors are reported there.Source Entry Details / Destination Entry Details - If the test passed, displays actual directory data test results for both the source and destination directories.
Error Message - If the test failed, displays a message reporting the reason for the test failure.
Log Messages for DIP Tester - Detailed messages generated during the course of the synchronization test.
To run DIP Tester from a command-line, use the manageSyncProfiles command and specify the testProfile option.
Operation Mode
DIP Tester (testProfile) can run in Basic mode or Advanced mode.
Use Basic mode to quickly run the synchronization task using DIP Tester's preconfigured settings. The synchronization task runs and sync status and log messages from the test are returned to standard out.
Basic mode is useful if you need to quickly retry a failed synchronization. To retry the last failed change, set Skip Error To Sync Next Change to false and set Update Search Count to 1.
To run DIP Tester in Basic mode, do not include the -changenumber, -sourcedn, or -ldiffile options.
Note:
In the default configuration, Skip Error To Sync Next Change is set to false. Consequently DIP Tester will not move past any failed operations. To have DIP Tester continue on to the next operation upon encountering a failed operation, set Skip Error To Sync Next Change to true.Use Advanced mode if you need to specify and configure the source of the test data. You can either enter a change number to run a specific change in a change log, enter a SourceDN to test sync a specific change on either an eDirectory or an Open LDAP directory, or enter LDIF data.
To run DIP Tester in Advanced mode, include either the -changenumber, the -sourcedn, or the -ldiffile options when running DIP Tester.
Note:
DIP Tester cannot process delete operations for the OpenLDAP or eDirectory LDAP servers.When processing user or group delete operations on other LDAP servers, LDIF delete files need to include the dn and changetype attributes.
For example:
dn: cn=userToDelete,cn=users,dc=comain changetype: delete
Refer to the following DIP Tester Command-Line Examples section for more information.
Note:
If a source directory entry and a destination directory entry are already in sync, DIP Tester will not report that the sync operation did not occur. Instead, DIP Tester simply reports "Test Passed" because the entry and attribute data in both directories match.Syntax and Arguments for testProfile
manageSyncProfiles testProfile -h hostName -p port -D wlsuser -pf profileName [-changenumber number | -ldiffile file | -sourcedn sourcedn] [-ssl -keyStorePath path -keyStoreType type] [-help]
Oracle WebLogic Server where Oracle Directory Integration Platform is deployed.
Listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.
Login ID to connect to the server.
The profile name.
The change loge number representing the change that needs to be synchronized from directories like Oracle Internet Directory, iPlanet, Tivoli and Active Directory to the destination.
Distinguished name of the source entry that needs to be synchronized from directories like eDirectory and OpenLDAP to the destination.
A file containing LDIF data that will be applied to the source and then synchronized to the destination.
Executes the command using SSL.
Location of the trust keystore.
Keystore type. If unspecified, defaults to jks.
Provides help for the testProfile command.
Note:
Passwords cannot be passed as command parameters. Instead, the system will prompt you for passwords as needed.
DIP Tester Command-Line Examples
DIP Tester Basic Mode
manageSyncProfiles testProfile -h <hostName> -p <port> -D <wlsuser> -pf <profileName>
DIP Tester Advanced Mode, Change Number Specified
manageSyncProfiles testProfile -h <hostName> -p <port> -D <wlsuser> -pf <profileName> [-changenumber <number>]
DIP Tester Advanced Mode, SourceDN Specified
manageSyncProfiles testProfile -h <hostName> -p <port> -D <wlsuser> -pf <profileName> [-sourcedn <sourcedn>]
DIP Tester Advanced Mode, LDIF File Specified
manageSyncProfiles testProfile -h <hostName> -p <port> -D <wlsuser> -pf <profileName> [-ldiffile <file>]
The Manage Synchronization Profiles utility, manageSyncProfiles, allows you to manage synchronization profiles. manageSyncProfiles is located in the ORACLE_HOME/bin directory.
Notes:
Best security practice is to provide a password only in response to a prompt from the command.
You must set the WLS_HOME and ORACLE_HOME environment variables before executing any of the Oracle Directory Integration Platform commands
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
This topic contains the following sections:
manageSyncProfiles
manageSyncProfiles {activate | deactivate | copy | deregister | get | isexists |
update | testProfile | validateProfile | validateMapRules | register | 
updatechgnum | associateProfile | dissociateProfile | getAllAssociatedProfiles |
getAssociatedProfile | list } -h HOST -p PORT -D wlsuser [-ssl -keystorePath 
PATH_TO_KEYSTORE -keystoreType TYPE] [-profile] [-newProfile]
[-associateProfile][-file] [-params 'prop1 val1 prop2 val2 ...']
[-conDirHost] [-conDirPort] [-conDirBindDn] [-mode] [-conDirType] [-conDirSSL] 
[-profileStatus] [-help]
Operations
activate
Changes the state of the profile identified by -profile to ENABLE.
deactivate
Changes the state of the profile identified by -profile to DISABLE.
copy
Copies an existing profile profile to profile newProfile.
deregister
Deletes an existing profile from Oracle Internet Directory.
get
Gets the profile details from Oracle Internet Directory.
isexists
Checks if the profile profile exists in Oracle Internet Directory.
update
Modifies the profile properties that are identified by command arguments.
testProfile
Changes the state of a disabled profile profile to TEST and schedules the profile for testing to ensure the profile will successfully perform synchronization. After executing the manageSyncProfiles command with the testProfile operation, the results of the test are available in the following log file, where WL_DOMAIN_HOME represents the Oracle WebLogic Server Domain home and ORACLE_WEBLOGIC_MANAGEDSERVER_NAME represents the name of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed:
WL_DOMAIN_HOME/servers/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME/logs/ORACLE_WEBLOGIC_MANAGED_SERVER_NAME.log
Note:
The testProfile operation cannot schedule profiles that are in ENABLE state for testing.validateProfile
Validates the syntax of the values in the specified profile for correctness.
validateMapRules
Validates the map rules provided.
register
Creates a new profile in Oracle Internet Directory.
updatechgnum
Updates the last applied change number in the profile to latest.
associateProfile
Associates associateProfileName with profileName. This is helpful during bidirectional synchronization between directories. You can specify a profile as an associated profile of different profile to help prevent information backflow.
dissociateProfile
Dissociates an associated profile to profileName.
getAllAssociatedProfiles
Returns a list of all profiles whose orclodipassociatedprofile attribute is set to the profile you identify using -pf. For example, if you use getAllAssociatedProfiles with -pf test, getAllAssociatedProfiles returns a list of all profiles that have their orclodipassociatedprofile attribute set to test.
This is useful when you want to delete a profile. You can use it to get a list of all associations you must disassociate before you can delete the profile.
getAssociatedProfile
Returns the value of the orclodipassociatedprofile attribute for the profile you identify using -pf.
list
Displays all profiles registered in Oracle Internet Directory.
Options
-h | host
Oracle WebLogic Managed Server host where Oracle Directory Integration Platform is deployed.
-p | -port
Listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.
-D | wlsuser
Oracle WebLogic Server login ID
Note:
You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must executemanageSyncProfiles from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.-ssl
Executes the command in SSL mode.
Note:
The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.-keystorePath
The full path to the keystore.
-keystoreType
The type of the keystore identified by -keystorePath. For example: -keystorePath jks or -keystorePath PKCS12
-pf | -profile
The name of the synchronization profile to use when performing the operation.
-newpf | -newProfile
The name of the new profile which will be a copy of profile.
-assopf
The name of the profile that will be associated with profile
-f | -file
The full path and file name of the profile properties file containing the properties.
See:
Appendix B, "Example Properties File for Synchronization Profiles" for an example of a profile properties file.-params
A value is of the form prop1 val1 prop2 val2 ... where prop is the name of a profile property and val is the new value for that property. This keyword is used only for modification of a profile. You can specify as many key values as required. Refer to Appendix B, "Example Properties File for Synchronization Profiles" to see the names of the profile properties that can be identified using prop1, prop2, and so on.
-conDirHost
Host where connected directory server is running.
-conDirPort
Port at which connected directory server listens.
-conDirBindDn
Connected directory server bind DN.
Note:
You will be prompted for the connected directory bind DN password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must executemanageSyncProfiles from a script, you can redirect input from a file containing the connected directory bind DN password. Use file permissions to protect the file and delete it when it is no longer necessary. If you must provide more than one password to manageSyncProfiles, put each on a separate line in the file, in the following order: connected directory bind DN password, then Oracle WebLogic Server login password.-mode
Synchronization mode to be used: import or export
-conDirType
Connected directory type. Supported values are ActiveDirectory, EDirectory, iPlanet, OpenLDAP, ADAM, Tivoli, OID, and ExchangeServer2003.
-conDirSSL
SSL mode value used to connect connected directory server
-prfSt | -profileStatus
Displays status for the profile. Used only with the list operation.
-help
Provides command usage help.
manageSyncProfiles register -h myhost.mycompany.com -p 7005 -D login_ID \
  -f /opt/ldap/odip/iPlImport.profile 
manageSyncProfiles deregister -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 
manageSyncProfiles updatechgnum -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 
manageSyncProfiles activate -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 
manageSyncProfiles deactivate -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 
manageSyncProfiles get -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 
manageSyncProfiles testProfile -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 
manageSyncProfiles associateprofile -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile -assopf myProfile1 
manageSyncProfiles dissociateprofile -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 
manageSyncProfiles getAllAssociatedProfiles -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 
manageSyncProfiles getAssociatedProfile -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile 
manageSyncProfiles update -h myhost.mycompany.com -p 7005 \
   -D login_ID -pf myProfile -f /opt/ldap/odip/iPlImport.profile 
manageSyncProfiles validateMapRules -h myhost.mycompany.com -p 7005 \
   -D login_ID -f /opt/ldap/odip/iPlImport.map -conDirHost server.example.com \  
   -conDirPort 8000 -conDirBindDn administrator@idm2003.net -mode IMPORT \
   -conDirType IPLANET 
manageSyncProfiles isexists -h myhost.mycompany.com -p 7005 -D login_ID \
   -pf myProfile 
manageSyncProfiles copy -h myhost.mycompany.com -p 7005 -D login_ID \
   -pf myProfile -newpf yourProfile 
manageSyncProfiles list -h myhost.mycompany.com -p 7005 -D login_ID -profileStatus
 
During the synchronization process, the server constantly updates the orcllastappliedchangenumber synchronization status attribute. Oracle recommends that you do not change the synchronization status attributes. However, there may be cases when you need to update the orcllastappliedchangenumber attribute. For example, you may need to reapply some changes or skip synchronization of certain entries.
You can change the orcllastappliedchangenumber attribute using Oracle Enterprise Manager Fusion Middleware Control or the manageSyncProfiles command and the updatechgnum argument.
To change the orcllastappliedchangenumber attribute using Oracle Enterprise Manager Fusion Middleware Control, perform the steps in "Editing Synchronization Profiles", and set the Last Change Number setting on the Advanced tab.
To change the orcllastappliedchangenumber attribute using the manageSyncProfiles command and the updatechgnum argument, refer to "Managing Synchronization Profiles Using manageSyncProfiles".
To set a profile property value to null (that is, blank or empty) when manually editing a profile, use a null string, for example: ''. Using a comment (or hash character, #) on the property's line indicates only that the line will not be read, it does not set the property's value to null.