30
Oracle Directory Integration Server Administration

This chapter discusses the Oracle directory integration server and tells you how to configure and manage it. It contains these topics:

• About the Oracle Directory Integration Server
• Registering the Oracle Directory Integration Server
• Operational Information about the Oracle Directory Integration Server
• Managing the Oracle Directory Integration Server
• Viewing Oracle Directory Integration Server Information
• Managing the Oracle Directory Integration Platform in a Replicated Environment

About the Oracle Directory Integration Server

The Oracle directory integration server is the central component of the Oracle Directory Integration Platform. It is a server process that does the following:

• Scheduling of connectors

  The directory integration server schedules connectors for synchronizing between Oracle Internet Directory and connected directories. If there is an agent, its execution time is also scheduled.

• Data import and export

  The directory integration server imports changes into and exports changes out of Oracle Internet Directory. LDIF, LDAP, and tagged interfaces are supported.

• Mapping

  The Oracle directory integration server includes a generic facility for filtering and mapping data to and from the connected directories. The directory integration server maps attributes when exporting data to a connected directory and when interpreting data imported from a file or directory for input to Oracle Internet Directory.

You can run multiple directory integration server instances on any host.

Registering the Oracle Directory Integration Server

To authenticate the node to run the Oracle Directory Integration Platform, install the directory integration server, then register it with Oracle Internet Directory. You register it by using the by using the Oracle directory integration server registration tool (odisrvreg). You must separately register each directory integration server installed on a different host by running odisrvreg on that host. To run this tool, you need the privileges of an Oracle Internet Directory administrator.

As part of registration, the tool creates an entry in the directory and sets the password for the directory integration server. If the registration entry already exists, then you can use the tool to reset the existing password. The odisrvreg tool also creates a local file called odisrvwallet, at $ORACLE_HOME/ldap/odi/conf. This file acts as a private wallet for the directory integration server, which uses it on startup to bind to the directory.

Table 30-1 describes the parameters odisrvreg uses. You can also run odisrvreg in SSL mode to make communication between the tool and the directory fully secure, using the -U, -W, and -P parameters that are also in Table 30-1.

To register the directory integration server in non-SSL mode, enter this command:

odisrvreg -h hostname -p port -D binddn  -w bindpasswd

Table 30-1  Descriptions of ODISRVREG Arguments

/home/my_dir/my_wallet.dat

C:\my_dir\my_wallet.dat

To register the Oracle directory integration server in SSL mode--that is, to run the registration tool in SSL mode, enter the following:

odisrvreg -h hostname -p port -D binddn  -w bindpasswd

-U ssl_mode -W wallet -P wallet_password

The -U, -W, and -P parameters, shown here on a separate line for clarity, are actually used on the same command line as the others.

Operational Information about the Oracle Directory Integration Server

This section introduces structural and operational information about the directory integration server and contains these topics:

• The Oracle Directory Integration Server and Configuration Set Entries
• Standard Sequences of Directory Integration Server Events
• Managing Configuration Set Entries

The Oracle Directory Integration Server and Configuration Set Entries

Each directory integration server can execute a set of connections supporting synchronization between Oracle Internet Directory and connected directories. A set of connectors enables the directory integration server to support these connections. The configuration set entry lists this set of connectors, and passes it as one of the command-line arguments to the server.

Whenever a connector is scheduled to do synchronization, the directory integration server starts up a separate thread. This thread opens an LDAP connection to the directory server, then closes the connection before exiting.

The server has three types of threads of execution in the process:

Table 30-2  Oracle Directory Integration Server Threads

If no integration profiles are listed for the configuration set, the Oracle directory integration server waits indefinitely until integration profiles are added to that configuration set. This wait also occurs if integration profiles are configured for the configuration set, but they are all disabled.

If the configuration set specified in the command line does not exist in the directory, then the Oracle directory integration server logs this information in the log file and exits.

If the configuration set is not specified, then configuration set 0 is assumed, and all the provisioning profiles are considered for scheduling.

Standard Sequences of Directory Integration Server Events

Any specific instance of the Oracle directory integration server supports either provisioning or synchronization. The directory integration server runs as a shared server process while handling the synchronization and provisioning event propagations.

The three threads described in Table 30-2 work together to create these typical process flow sequences:

• Main Thread Process Sequence
• Scheduler Thread Process Sequence
• Connector Thread Process Sequence

Main Thread Process Sequence

On startup, the main thread comes up. This daemon thread of the server starts up the scheduler. It verifies the registration of the instance in the directory. If, the instance is not registered--that is, if the instance is not started up by OID Monitor, then it performs self-registration in Oracle Internet Directory with the config set number and the instance number details.

The main thread periodically checks for the refresh time and signals the scheduler to refresh. It also periodically checks for the shutdown signal. On receipt of the shutdown signal, it signals the scheduler thread to shutdown.

Once the scheduler thread dies, the main thread unregisters and dies.

Scheduler Thread Process Sequence

When it is started by the main thread, the scheduler thread reads the configuration set to find the integration profiles to be scheduled. It creates a list of profiles to be scheduled and schedules them based on their scheduling interval. While creating the list of profiles, it validates the attributes. If any of the profile attributes have invalid values, the profile is not considered for synchronization or provisioning.

When it receives the refresh signal, the scheduler thread refreshes the integration profiles.

When it receives the shutdown signal, the scheduler thread waits until all the connectors complete the synchronization or provisioning event propagation. It then returns control to the main thread.

Connector Thread Process Sequence

As part of initialization, the connector thread establishes connection with Oracle Internet Directory and the connected directory. If the data interface type is LDIF or tagged then appropriate files are opened. The connector thread:

• Reads the changes one at a time from the source
• Filters the changes if applicable
• Maps the changes as specified by the mapping rules
• Creates the destination change record
• Write the changes to the destination

After applying all the changes, return back to the scheduler.

Managing Configuration Set Entries

You can create, modify, and view configuration set entries by using either Oracle Directory Manager or the appropriate command line tools.

In addition to listing all the integration profiles that the directory integration server is to execute, a configuration set also associates the host with the integration profile for synchronization. When a connector is registered, an integration profile is created and added to the configuration set. This configuration set entry determines the behavior of the directory integration server.

You can control the runtime behavior of the directory integration server by using a different configuration set entry when you start it. For example, you can start instance 1 of the directory integration server on host H1 with configset1, and instance 2 of the directory integration server on host H1 with configset2. The behavior of instance 1 of the directory integration server depends on configset 1, and that of instance 2 depends on configset2. By dividing different agents on host H1 between the two configuration set entries, you are distributing the load of running the agents on host H1 between the two directory integration server instances. Similarly, running different configuration sets and different instances on different hosts helps balance the load between the servers.

Managing the Oracle Directory Integration Server

This section contains these topics:

• Starting the Oracle Directory Integration Server
• Stopping the Oracle Directory Integration Server
• Using the Restart Command
• Setting the Debug Level
• Finding the Log Files
• Changing the Synchronization Status Attribute

Starting the Oracle Directory Integration Server

The Oracle directory integration server executable, odisrv, resides in the $ORACLE_HOME/bin directory.

The way you start the directory integration server depends on whether your installation includes the OID Monitor and the OID Control Utility. These tools--along with other server and client components--are parts of a typical server installation. In such installations, you start the directory integration server by using these tools.

Client-only installations do not include the OID Monitor and the OID Control Utility. In such installations, you start the directory integration server from the command line.

The directory server can be started in non-SSL mode, or in SSL mode for tighter security. Table 30-3 describes the parameters for each type of invocation.

Using the OID Monitor and Control Utilities to Start the Oracle Directory Integration Server

To start the directory integration server in non-SSL mode:

1. Be sure that OID Monitor is running. To verify this, enter the following at the command line:

   ps -ef | grep oidmon
   
   

   If OID Monitor is not running, then start it by following the instructions in "Task 1: Start the OID Monitor".

2. Start the directory integration server by using the OID Control utility by entering:

   oidctl [connect=net_service_name] server=odisrv [instance=instance_number]  
   [config=configuration_set_number] [flags="[host=hostname] [port=port_number] 
   [debug=debug_level] [refresh=interval_between_refresh]
   
   [maxprofiles=number_of_profiles] "] start
   
   

   Table 30-3 describes the arguments in this command.

   Table 30-3  Description of Arguments for Starting the Oracle Directory Integration Server

   Argument	Description
   connect=net_service_name	If you already have a tnsnames.ora file configured, then this is the net service name specified in that file, located in $ORACLE_HOME/network/admin
   server=odisrv	Type of server to start. In this case, the server you are starting is odisrv. This is not case-sensitive. This argument is mandatory.
   instance=instance_number	Specifies the instance number to assign to the directory integration server. This instance number must be unique. OID Monitor verifies that the instance number is not already associated with a currently running instance of this server. If it is associated with a currently running instance, then OID Monitor returns an error message.
   config=configuration_set_number	Specifies the number of the configuration set that the the directory integration server is to execute. This argument is mandatory.
   host=hostname	Oracle directory server host name
   port=port_number	Oracle directory server port number
   debug=debug_level	The required debugging level of the directory integration server See Also: Table 30-4 for a description of the various debug levels
   refresh=interval_between_refresh	Specifies the interval, in minutes, between server refresh for any changes in the integration profiles. Default is 2 minutes (Refresh=2).
   maxprofiles=number_of_profiles	Specifies the maximum number of profiles that can be executed concurrently for this server instance
   sslauth=ssl_mode	SSL modes (0: NO Auth, 1: One Way)
   wloc=wallet	SSL wallet. Enter the full path name of the SSL wallet file.This wallet is a text wallet created by using the ExportWallet option of the Oracle Wallet Manager. On UNIX, the path name could be: /home/my_dir/my_wallet.dat On Windows NT, the path name could be: C:\my_dir\my_wallet.dat See Also: Oracle Advanced Security Administrator's Guide for instructions on using the Oracle Wallet Manager
   wpass=wallet_password	Password used for opening the SSL wallet

To start the directory server in SSL mode, use the following command:

oidctl [connect=net_service_name] server=odisrv [instance=instance_number]  
[config=configuration_set_number] [flags="[host=hostname] [port=port_number] 
[debug=debug_level] [refresh=interval_between_refresh] [maxprofiles=number_of_
profiles]

[ sslauth=ssl_mode ] [ wloc=wallet ] [ wpass=wallet_password] "] start

As you can see, the only difference is the use of the SSL-related flags:

sslauth=ssl_mode, wloc=wallet, and wpass=wallet_password

Starting the Oracle Directory Integration Server Without Using OID Monitor and the OID Control Utility

The directory server can also be started without OID Monitor or OID Control Utility, either in non-SSL mode or, for tighter security, in SSL mode. The parameters described in Table 30-3 remain the parameters for each type of invocation.

To start the directory integration server in non-SSL mode, enter the following at the command line:

odisrv [host=host_name] [port=port_number]

config=configuration_set_number [instance=instance_number] [debug=debug_level] 
[refresh=interval_between_refresh] [maxprofiles=number_of_profiles] 

To start the directory integration server in SSL mode, enter the following at the command line:

odisrv [host=host_name] [port=port_number] config=configuration_set_number 
[instance=instance_number] [debug=debug_level] [refresh=interval_between_
refresh] [maxprofiles=number_of_profiles][refresh=interval_between_refresh] 
[maxprofiles=number_of_profiles] [sslauth=ssl_mode] [wloc=wallet] [wpass=wallet_
password]

Again you can see that the only difference is the use of the SSL-related flags:

[sslauth=ssl_mode] [wloc=wallet] [wpass=wallet_password]

Stopping the Oracle Directory Integration Server

You stop the directory integration server by using the same tool that you used to start it: by using OID Monitor and the OID Control Utility, or by using odisrv.

Using OID Monitor and the OID Control Utility to Stop the Oracle Directory Integration Server

If you started the directory integration server by using OID Monitor and the OID Control utility, then you use them to stop it, as follows:

1. Before you stop the directory integration server, be sure that the OID Monitor is running. To verify this, enter the following at the command line:

   ps -ef | grep oidmon
   
   

   If OID Monitor is not running, then start it by following the instructions in "Task 1: Start the OID Monitor".

2. You then can stop the directory integration server by entering:

   oidctl [connect=net_service_name] server=odisrv instance=instance stop
   

Stopping the Directory Integration Server Without Using OID Monitor and the OID Control Utility

In a client-only installation where the OID Monitor and OID Control tools are not available, the Oracle directory integration server can be started without OID Control. To stop the server without these tools, use the stopodis.sh tool, which is located in the $ORACLE_HOME/ldap/admin directory.

Using the Restart Command

If you use OID Monitor and the OID Control utility, then you can both stop and restart the directory integration server in one command, namely, restart. This is useful when you want to refresh the server cache immediately, rather than at the next scheduled time. When the directory integration server restarts, it maintains the same parameters it had before it stopped.

To restart the directory integration server:

1. Make sure that OID Monitor is running. To verify this, enter the following at the command line:

   ps -ef | grep oidmon
   
   

   If OID Monitor is not running, then start it by following the instructions in "Task 1: Start the OID Monitor".

2. At the command line, enter:

   oidctl [connect=net_service_name] server=odisrv instance=instance_number 
   restart
   

Setting the Debug Level

You can specify the kinds of server and profile events to be listed in a log file by using the debug flag.

To specify multiple types of debugging:

1. Add the numeric values of the individual types as indicated in Table 30-4.
2. At the command line, specify the total value. For example, the following command sets the debug level to 484:

   oidctl server=odisrv flags="debug=7" start
   
   

The various types of debug events are listed in Table 30-4 and Table 30-5.

Table 30-4  Debug Types for Server Debugging

When a nonzero debug level is specified, each trace statement in the server log file includes:

• Timestamp
• Thread type
• Profile name

The various trace-statement types are:

• Main--Messages from the controller thread
• Scheduler--Messages from the scheduler thread

  Table 30-5  Debug Types for Profile Debugging

  Debug Event Type (Profiles)	Numeric Value
  Start and Stop of the thread	1
  Initialization, execution, and end details	2
  Details during execution	4
  Change Record	8
  Mapping Details	16

If you do not set a value for the debug flag, then the default level is 0 (zero), and none of the debug events in the previous tables are logged. However, errors and exceptions are always logged.

Finding the Log Files

The log file is located in the
$ORACLE_HOME/ldap/log/odisrv_instance_number.log directory.

For example, if the server was started as server instance number 3, then the log file would have this path name: $ORACLE_HOME/ldap/log/odisrv03.log.

All the profile-specific debug events are stored in the profile-specific trace file in $ORACLE_HOME\ldap\odi\log\profile_name.trc.

Changing the Synchronization Status Attribute

While synchronization is in progress for an export operation, the server constantly updates the synchronization status attribute, orcllastappliedchangenumber. In Oracle Directory Manager, this field is called OID last applied change number.

To change this attribute manually from Oracle Directory Manager:

1. Disable the agent by using Oracle Directory Manager.
2. Make the attribute changes.
3. Re-enable the agent after the change.

Viewing Oracle Directory Integration Server Information

When the directory integration server starts, it generates specific runtime information and stores it in the directory. This information includes:

• Instance number of the directory integration server
• Host on which it is running
• Configuration set with which the directory integration server was started
• State of the configuration set refresh flag. This flag indicates to the directory integration server whenever there is a change to a directory integration profile and a refresh is required.

You can view this information for the directory integration server by using either Oracle Directory Manager or ldapsearch.

Viewing Oracle Directory Integration Server Runtime Information by Using Oracle Directory Manager

To view runtime information for the directory integration server instance by using Oracle Directory Manager:

1. In the navigator pane, expand Oracle Internet Directory Servers > directory_server_instance > Server Management, then select Directory Integration Server. The Active Processes box appears in the right pane.
2. Click View Properties. The Server Process dialog box displays the information.

Viewing Oracle Directory Integration Server Runtime Information by Using ldapsearch

To view registration information for the directory integration server instance by using ldapsearch, perform a base search on its entry. For example:

ldapsearch -p 389 -h my_host -b cn=instance1,cn=odisrv,cn=subregistrysubentry -s 
base -v "objectclass=*"

This example search returns the following:

dn: cn=instance1,cn=odisrv,cn=subregistrysubentry
cn: instance1
orcldiaconfigdns: "orclDIAName=HR,cn=subscriber profile,cn=changelog subscriber, 
cn=oracle internet directory"
orcldiaconfigrefreshflag: 0
orclhostname: my_host
orclconfigsetnumber: 1
objectclass: top
objectclass: orclDIA

Managing the Oracle Directory Integration Platform in a Replicated Environment

If you use the Oracle Directory Integration Platform in a replicated environment with more than one node, then set the orcldiprepository attribute in DSE root to 1. This makes the directory server generate change log entries for changes from the other Oracle Internet Directory nodes. By default, the directory server does not generate these change log entries. The change log entries are required for directory data to be synchronized with third-party directories and metadirectories.