Examples of Oracle Internet Directory Usage
1. Installing Oracle Internet Directory

Note: Before installing OiD, the following environment variables must be set:

ORACLE_HOME, ORACLE_SID and NLS_LANG. The values to use are given in the second handout.

To run the installer:

Change to the stage home directory. It is given in the 2nd handout.

Run the installer using the following command:
./runInstaller

2. Starting and Stopping the Directory servers

Note: 1. To start the LDAP server we need to start the guardian and the manager.
      2. The details of the various options for the server are given at the end of the examples in this section.
2.1 To start / stop the Guardian
osdguard [connect=connectstring] [sleep=sleeptime] start | stop

where:
connectstring   Is the directory database connect string. The connect string should be defined in the tnsnames.ora file. If you don't know the connect string, please consult the instructor. If the connect string is not provided, it defaults to the value of the ORACLE_SID environment variable.

sleeptime       The time interval in seconds at which the Guardian monitors the OSD servers. If sleeptime is not provided, it defaults to 10 seconds.

Examples
1.  To start the Guardian:
osdguard connect=nldap sleep=10 start

This command will start the guardian, connecting to the database with connect string nldap and using a monitoring interval of 10 seconds. The nldap connect string should be defined in the tnsnames.ora file. If it is not, please consult the instructor.

2. To stop the Guardian:
osdguard connect=nldap stop

2.2 To start / stop the LDAP Server

The LDAP server is started using the OiD Manager.
The command-line parameters for the OiD Manager are:
osdmgr [connect=connectstring] server=servername instance=instanceno [configset=configsetno] [flags="flagvalues"] start | stop

where:
connectstring   Is the directory database connect string. The connect string should be defined in the tnsnames.ora file. If you don't know the connect string, please consult the instructor. If the connect string is not provided, it defaults to the value of the ORACLE_SID environment variable.

servername      The name of the OiD server to be started/stopped. Server names must be either osdldap or osdrepl.

instanceno      The instance number to be started/stopped. The instance value is mandatory for OSDLDAP and OSDREPL.

configsetno     The configuration set number to be used while starting an OSD server.

flagvalues      The flags needed while starting the OSD server.

start | stop    Start or stop the OSD server.

Examples
1. To start the LDAP Server:
osdmgr connect=nldap server=OSDLDAP instance=9 start

This command will start the LDAP server (provided the guardian is running), connecting to the database with connect string nldap, with instance number 9 and the port number specified by configset 0.

2. To start the LDAP Server with additional flags:
osdmgr connect=nldap server=OSDLDAP instance=2 flags="-p 4000" start

This command will start the LDAP server (provided the guardian is running), connecting to the database with connect string nldap, with instance number 2 on port 4000 and all other defaults taken from configset 0.

3. To stop the LDAP Server:
osdmgr connect=nldap server=OSDLDAP instance=2 stop

This will stop the LDAP server (provided the guardian is running) that runs with instance number 2 and is connected to the database with connect string nldap.


4. To stop and restart all the running LDAP servers:
osdmgr connect=nldap server=OSDLDAP refresh

This will stop and restart all the running LDAP servers.

3. Initial Loading to populate the Directory

Note: At the end of this section, please ensure that the IMC data has been loaded.
3.1 Bulk-loader in check mode (failure cases)
Ensure the OID LDAP server has been shut down. After executing each example, check the log files in "$ORACLE_HOME/ldap/log" for details on the detected errors.

To use the Bulk-loader in check mode, change to the $ORACLE_HOME/ldap/bin directory and run:

./bulkload.sh -connect <connect string> -check <LDIF file> 

where:
connectstring   Is the directory database connect string. The connect string should be defined in the tnsnames.ora file. If you don't know the connect string, please consult the instructor. If the connect string is not provided, it defaults to the value of the ORACLE_SID environment variable.
LDIF file       Is the file containing the LDIF data. The complete path must be specified.

Examples:
Note: The examples below assume connect string is "nldap" and the directory where the LDIF input files are located is "/private/oracle/sampleldif"

./bulkload.sh -connect nldap -check badldif1.dat

will run the Bulk-loader in check mode using the badldif1.dat file. Since the file contains schema errors, the Bulk-loader should display all the errors on the screen.

Other example files are:

/private/oracle/sampleldif/badldif2.dat (schema errors)

/private/oracle/sampleldif/badldif3.dat (contains a duplicate DN)

/private/oracle/sampleldif/badldif4.dat (duplicate values of a multi-valued attribute)
3.2 Bulk-loader in check and generate mode
./bulkload.sh -connect <connect string> -check -generate <LDIF file>

Example
./bulkload.sh -connect nldap -check -generate /private/oracle/sampleldif/initial.dat

The Bulk-loader will generate the intermediate files to be used in load mode, without loading the data into the database.
3.3 Bulk-loader in check, generate and load mode
./bulkload.sh -connect <connect string> -check -generate -load <LDIF file>

Example
./bulkload.sh -connect nldap -check -generate -load /private/oracle/sampleldif/initial.dat

Bulk-loader will perform schema checking on the LDIF file, then generate the intermediate files, and finally using these files it loads the data into the database.

4. Use Netscape/Explorer to browse your OID LDAP server
* Set preferences
* Use "Edit/Search Directory"
5. Using the command-line tools
Note: The LDIF files used in the examples below already exist in the samples directory. The location of the samples directory is given in the 2nd handout.
5.1 Adding entries to the Directory - "ldapadd"
Note: These examples assume that the initial data file has been loaded in section 2.

1.  Adding an entry by using an LDIF File

Create an LDIF file as shown below:
<file addp6.ldi>
dn: cn=Person Six, ou=EuroSInet Suite, o=IMC, c=US
cn: Person Six
sn: Filler
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
description: Salvage Clerk
telephonenumber: 44 1912 123456
userpassword: PASS1
st: Wolverhampton
street: 21 Dougan Street
postalcode: WV1 9ZZ
<eof addp6.ldi>

Now using the above file, add Person Six entry as shown below:
ldapadd -p 389 -h demo-sun -v -f addp6.ldi

This will add the Person Six entry to the directory. It assumes the LDAP server is running on port 389 on the host demo-sun.

2. Adding an entry without an LDIF file (reading the entry from standard input)

ldapadd -p 389 -h demo-sun -v <<EOF
dn: cn=Person Seven, ou=EuroSInet Suite, o=IMC, c=US
cn: Person Seven
sn: Filler
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
telephonenumber: 44 1912 123456
EOF

This will add Person Seven under the same parent as in example 1.

3.  Adding a first level entry by using an LDIF File

LDIF File:
<File first.ldi>
dn: c=UK
c: uk
objectclass: top
objectclass: country
<eof first.ldi>

ldapadd -p 389 -h demo-sun -v -f first.ldi
This is an example of a first-level entry: the entry has no parent and is added at the top level of the directory.

(Note: -v selects verbose mode, which makes the tool print a detailed account of what it is doing.)

4. Add a non-first level entry without a parent  (should fail)

LDIF File:
<file john.ldi>
dn: cn=john,ou=noSuchObject,o=IMC,c=US
cn: john
sn: smith
objectclass: top
objectclass: person
objectclass: organizationalperson
userpassword: jsmith
seeAlso: cn=jsmith,ou=finance,o=imc,c=us
description: abc
title: finance manager
x121Address: 12345
registeredAddress: 1999 beach park blvd $ #5 $ foster city $ ca 94404
destinationIndicator: foster city
preferredDeliveryMethod: e-mail
telexNumber: 67890
teletexTerminalIdentifier: 1111
telephoneNumber: 2222
internationaliSDNNumber: 3333
facsimileTelephoneNumber: 4444
street: 1999 beach park blvd $ #5 $ foster city $ ca 94404
postOfficeBox: 65910
postalCode: 94404
postalAddress: 200 oracle parkway $ 65910 $ redwood shores $ ca 94065
physicalDeliveryOfficeName: HQ
ou: finance
st: ca
l: redwood shores
<eof john.ldi>


ldapadd -p 389 -h demo-sun -v -f john.ldi

The output of this command will be:

ldap_add: No such object
ldap_add: matched: o=IMC,c=US
ldap_add: additional info: Parent entry not found in the directory.
adding new entry cn=john,ou=noSuchObject,o=IMC,c=US

We cannot add john to the directory since his parent ou=noSuchObject,o=IMC,c=US does not exist.

4.  Add the parent and retry

LDIF File:
<file parent.ldi>
dn: ou=noSuchObject,o=IMC,c=US
objectclass: top
objectclass: organizationalunit
ou: noSuchObject
<eof parent.ldi>

ldapadd -p 389 -h demo-sun -v -f parent.ldi
Adds John's parent to the directory. 

Now if you add entry for John, it should succeed. 
ldapadd -p 389 -h demo-sun -v -f john.ldi
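
The failure just walked through (a parent that is not in the directory, reported by ldap_add as "Parent entry not found") and the two schema-independent failure cases of section 3.1 (the duplicate DN in badldif3.dat and the duplicate multi-valued attribute values in badldif4.dat) can all be caught by reading the LDIF file before any ldapadd or bulkload run. The Python script below is an added example written for this handout; it is not part of OID or of the samples directory. Its LDIF reader is a minimal RFC 2849 reader, its DN handling assumes unescaped commas as RDN separators (true of every DN in this handout), and the sample LDIF embedded in it is constructed, not one of the sampleldif files.

```python
"""LDIF pre-checks for the failure classes above: duplicate DN (badldif3.dat),
duplicate values of a multi-valued attribute (badldif4.dat) and the "Parent entry
not found" condition ldapadd reported for cn=john. Added example, not OID code;
the LDIF reader is a minimal RFC 2849 reader and DN handling assumes unescaped
commas as RDN separators (true of every DN in this handout)."""
import base64
from collections import defaultdict

# Constructed sample (not the handout's sampleldif files): one entry repeats an
# objectclass value, cn=john has no parent, and the last DN duplicates Person Six.
SAMPLE_LDIF = """\
dn: ou=EuroSInet Suite, o=IMC, c=US
objectclass: top
objectclass: organizationalunit
ou: EuroSInet Suite
description: European
  sales unit

dn: cn=Person Six, ou=EuroSInet Suite, o=IMC, c=US
objectclass: top
objectclass: person
objectclass: Person
cn: Person Six
sn:: RmlsbGVy

dn: cn=john,ou=noSuchObject,o=IMC,c=US
objectclass: top
objectclass: person
cn: john
sn: smith

dn: CN=Person Six, OU=EuroSInet Suite, O=IMC, C=US
objectclass: top
objectclass: person
cn: Person Six
sn: Dup
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order (folded lines, '#' comments, '::' base64)."""
    records, logical = [], []

    def flush(lines):
        dn, attrs = None, defaultdict(list)
        for line in lines:
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):                     # attr:: <base64>
                value = base64.b64decode(value[1:].strip()).decode()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn is not None:
            records.append((dn, dict(attrs)))

    for raw in text.splitlines():
        if raw.startswith(" ") and logical:               # RFC 2849 line folding
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
        else:                                             # blank line ends a record
            flush(logical)
            logical = []
    flush(logical)
    return records


def normalize_dn(dn):
    """Key for DN comparison: case- and whitespace-insensitive (simplified, no escapes)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn):
    """DN with the leading RDN removed; '' for a first-level entry such as c=US."""
    ndn = normalize_dn(dn)
    return ndn.split(",", 1)[1] if "," in ndn else ""


def check_ldif(text, existing_dns=()):
    """Report (kind, detail) problems in file order: a DN already seen, a repeated
    value of a multi-valued attribute, and an entry whose parent is neither already
    in the directory (existing_dns) nor earlier in the file."""
    problems = []
    known = {normalize_dn(d) for d in existing_dns}
    for dn, attrs in parse_ldif(text):
        ndn = normalize_dn(dn)
        if ndn in known:
            problems.append(("duplicate dn", dn))
        for name, values in attrs.items():
            seen = set()
            for value in values:
                key = value.lower()                       # caseIgnoreMatch approximation
                if key in seen:
                    problems.append(("duplicate value", f"{dn}: {name}={value}"))
                seen.add(key)
        parent = parent_dn(dn)
        if parent and parent not in known:
            problems.append(("parent not found", f"{dn} (parent {parent})"))
        known.add(ndn)
    return problems
```

Run check_ldif(SAMPLE_LDIF, existing_dns=["c=US", "o=IMC, c=US"]) to see the three findings; existing_dns stands in for the entries already loaded by the Bulk-loader, since an LDIF file is only self-consistent relative to what the directory already holds.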

5. Advanced (left as an exercise) 
* Add a non-first level entry without a parent  (should fail)
* Register the naming context in the DSE root, but don't add the parent
* Now retry the non-first level entry whose parent does not exist
5.2 Searching entries in the Directory - "ldapsearch"

The directory can be searched using any standard LDAP client tool that supports the "ldapsearch" operation. The OiD command-line tool "ldapsearch" is one such tool.

"Ldapsearch" examples for:
* Size limit
* Required attributes list
* Reading operational attributes
 
1. Base object search
 ldapsearch -p 389 -h demo-sun -b "" -s base -v "objectclass=*"
 This will perform a base-level search on the directory from the root.
 -b              specifies the base DN for the search
 -s              specifies the scope: base, one (one level) or sub (subtree)
 "objectclass=*" specifies the filter for the search
 
2. One-level Search
 ldapsearch -p 389 -h demo-sun -b "ou=HR, ou=Americas, o=IMC, c=US" -s one -v "objectclass=*"
 This will perform a one level search.
 
3. Sub-tree Search
 ldapsearch -p 389 -h demo-sun -b "c=US" -s sub -v "cn=Person*"
 This will perform a sub-tree search under c=US and return all entries whose cn value starts with 'Person'.
 
4. Search using a Size Limit
 ldapsearch -h ^host^ -p ^port^ -z 2 -b "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US" -s one "objectclass=*"

 Since the size limit is 2, only two entries are returned even though more than two entries match the search.

5. Restricting the attributes returned
 ldapsearch -p 389 -h demo-sun -b "c=US" -s sub -v "objectclass=*" dn
 This will return only the DNs of the matching entries. A whitespace-separated list of attributes to retrieve can be given after the filter (if no attribute list is given, all user attributes are retrieved).
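
To make the scope, filter, size-limit and attribute-list behaviour above concrete without a running server, here is an added Python model of ldapsearch run over a small constructed directory. It is not OID code and not part of the handout; the entries, and the restricted filter syntax it supports (attr=value, attr=val*, attr=*), are assumptions made for the example.

```python
"""Model of ldapsearch scope, filter, -z size limit and attribute-list handling,
run against a constructed in-memory directory. Added example; not OID code and not
part of the handout. Only the simple 'attr=value' / 'attr=val*' / 'attr=*' filter
form used in this section is supported."""
import fnmatch

# Constructed sample directory: DN -> attributes. The '' entry is the root DSE.
DIRECTORY = {
    "": {"objectclass": ["top"], "namingcontexts": ["c=US"]},
    "c=US": {"objectclass": ["top", "country"], "c": ["US"]},
    "o=IMC, c=US": {"objectclass": ["top", "organization"], "o": ["IMC"]},
    "ou=Americas, o=IMC, c=US": {"objectclass": ["top", "organizationalunit"], "ou": ["Americas"]},
    "ou=HR, ou=Americas, o=IMC, c=US": {"objectclass": ["top", "organizationalunit"], "ou": ["HR"]},
    "ou=Benefits, ou=HR, ou=Americas, o=IMC, c=US": {"objectclass": ["top", "organizationalunit"], "ou": ["Benefits"]},
    "cn=Greg Miller, ou=HR, ou=Americas, o=IMC, c=US": {"objectclass": ["top", "person"], "cn": ["Greg Miller"], "sn": ["Miller"]},
    "cn=Person One, ou=Benefits, ou=HR, ou=Americas, o=IMC, c=US": {"objectclass": ["top", "person"], "cn": ["Person One"], "sn": ["Filler"], "telephonenumber": ["1111"]},
    "cn=Person Two, ou=Benefits, ou=HR, ou=Americas, o=IMC, c=US": {"objectclass": ["top", "person"], "cn": ["Person Two"], "sn": ["Filler"]},
    "cn=Person Three, ou=Benefits, ou=HR, ou=Americas, o=IMC, c=US": {"objectclass": ["top", "person"], "cn": ["Person Three"], "sn": ["Filler"]},
}


def normalize_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


def in_scope(dn, base, scope):
    """-s base: the base entry only; one: its immediate children; sub: base and everything below."""
    ndn, nbase = normalize_dn(dn), normalize_dn(base)
    parent = ndn.split(",", 1)[1] if "," in ndn else ""
    if scope == "base":
        return ndn == nbase
    if scope == "one":
        return ndn != nbase and parent == nbase
    if scope == "sub":
        return nbase == "" or ndn == nbase or ndn.endswith("," + nbase)
    raise ValueError(f"unknown scope {scope!r}")


def matches(entry, filt):
    """Presence ('attr=*'), equality and substring ('attr=Per*') filters, case-insensitive."""
    name, _, pattern = filt.strip("()").partition("=")
    values = entry.get(name.lower(), [])
    if pattern == "*":
        return bool(values)
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


def ldap_search(directory, base, scope, filt, attrs=(), sizelimit=0):
    """Return (results, size_limit_exceeded). results is a list of (dn, selected
    attributes); attrs=() returns all user attributes and attrs=('dn',) returns
    DNs only, mirroring the trailing 'dn' argument in the handout."""
    results, exceeded = [], False
    for dn, entry in directory.items():
        if not in_scope(dn, base, scope) or not matches(entry, filt):
            continue
        if sizelimit and len(results) >= sizelimit:   # -z: stop and report sizeLimitExceeded
            exceeded = True
            break
        if attrs:
            wanted = {a.lower() for a in attrs} - {"dn"}
            selected = {k: v for k, v in entry.items() if k in wanted}
        else:
            selected = dict(entry)
        results.append((dn, selected))
    return results, exceeded


if __name__ == "__main__":
    hits, over = ldap_search(DIRECTORY, "ou=Benefits,ou=HR,ou=Americas,o=IMC,c=US",
                             "one", "objectclass=*", sizelimit=2)
    for dn, _ in hits:
        print(dn)
    print("size limit exceeded:", over)
```

The size-limit case is the one to note: the client gets two entries and a sizeLimitExceeded result, not an error, so a script that only counts returned entries will silently under-report.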
5.3 Modifying entries in the Directory - "ldapmodify"

"ldapmodify" examples for:
* add
* delete
* replace
* single value, multiple value operations
* multiple modifications in one operation
* schema errors, value errors

ldapmodify -p 389 -h demo-sun -v -f modadd.ldi
This will add the attribute value cn=gmiller to the entry cn=greg miller, ou=modify, o=IMC, c=US in the directory.

ldapmodify -p 389 -h demo-sun -v -f moddel.ldi
This will delete the attribute value cn=gmiller from the entry cn=greg miller, ou=modify, o=IMC, c=US.

ldapmodify -p 389 -h demo-sun -v -f modrepl.ldi
This will replace the description of the entry cn=linda, ou=modify, o=IMC, c=US.

ldapmodify -p 389 -h demo-sun -v -f modmul.ldi
This will perform multiple modifications in one operation.
5.4 Deleting entries from the Directory - "ldapdelete"

ldapdelete -p 389 -h demo-sun -v "cn=Person Nine, ou=EuroSInet Suite, o=IMC, c=US"

tries to delete a non-existing entry. It should fail.

ldapdelete -p 389 -h demo-sun -v "c=us"
tries to delete a non-leaf entry. It should fail.

After each operation search the directory to see the effect.

5.5 Modifying the DN / RDN of an entry in the Directory - "ldapmoddn"
* ModifyRDN
 ldapmoddn -p 389 -h demo-sun -b "cn=dcp1,dc=Americas,dc=imc,dc=com" -R "cn=thanh mai"
* ModifyDN of a leaf-level entry
 ldapmoddn -h demo-sun -p 389 -b "cn=Linda Ball, ou=Treasury, ou=Fin-Accounting, ou=Europe, o=IMC, c=US" -R "cn=Linda Ball" -N "dc=imc,dc=com"
* ModifyDN of a non-leaf entry


After each operation search the directory to see the effect.
6. Schema modifications

Command-line invocations for:
* Read the subschema subentry
  ldapsearch -h <host> -p <port> -b "cn=subschemasubentry" -s base "objectclass=*"
* Define a new attribute
  ldapmodify -p <port> -h <host> -f sample.ldif
  SAMPLE.LDIF
  dn: cn=subschemasubentry
  changetype: modify
  add: attributetypes
  attributetypes: ( 1.2.3.4.5.6.7 NAME 'myAttr' DESC 'New attribute definition' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
* Define a new auxiliary object class that includes the new attribute above
  ldapmodify -p <port> -h <host> -f sample.ldif
  SAMPLE.LDIF
  dn: cn=subschemasubentry
  changetype: modify
  add: objectclasses
  objectclasses: ( 1.2.3.4.5 NAME 'myOC' DESC 'my Objectclass definition' MAY myAttr )
* Add the new auxiliary class above to an existing entry, add values to the new attribute and display them
  ldapmodify -p <port> -h <host> -f sample.ldif
  SAMPLE.LDIF
  dn: cn=person one, ou=eurosinet suite, o=imc, c=us
  changetype: modify
  add: objectclass
  objectclass: myOC
  ldapmodify -p <port> -h <host> -f sample2.ldif
  SAMPLE2.LDIF
  dn: cn=person one, ou=eurosinet suite, o=imc, c=us
  changetype: modify
  add: myAttr
  myAttr: Value for my attribute
  ldapsearch -p <port> -h <host> -b "cn=person one, ou=eurosinet suite, o=imc, c=us" -s base "objectclass=*"
* Define a new structural object class
  ldapmodify -p <port> -h <host> -f sample.ldif
  SAMPLE.LDIF
  dn: cn=subschemasubentry
  changetype: modify
  add: objectclasses
  objectclasses: ( 1.2.3.4.6 NAME 'myOC2' DESC 'my 2nd Objectclass definition' SUP top MUST ( cn $ sn ) MAY myAttr )
* Add an entry with the new structural class
  ldapadd -p <port> -h <host> -f sample.ldif
  SAMPLE.LDIF
  dn: cn=userid123, c=us
  cn: userid123
  sn: me
  myAttr: value for new attribute
  objectclass: top
  objectclass: myOC2
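
The attributetypes and objectclasses values above use the RFC 2252 definition syntax, and a typing slip in one of them (an unbalanced parenthesis after the MAY clause, for instance) is rejected by the server rather than silently accepted. The Python example below, written for this handout and not part of OID, parses such definitions and then checks an entry such as cn=userid123 against the MUST and MAY lists of its object classes, following SUP chains, which is the schema check the Bulk-loader and ldapadd apply. The myOC and myOC2 lines are the handout's own; the top and person definitions are abbreviated standard ones, and the entry dicts are constructed.

```python
"""Parse RFC 2252 attribute-type / object-class definitions of the kind added to
cn=subschemasubentry above, and validate an entry against the MUST/MAY lists of
its object classes (including SUP ancestors). Added example; not OID code. The
'top' and 'person' definitions are abbreviated standard ones."""
import re

KEYWORDS = {
    "NAME", "DESC", "OBSOLETE", "SUP", "ABSTRACT", "STRUCTURAL", "AUXILIARY",
    "MUST", "MAY", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "SINGLE-VALUE",
    "COLLECTIVE", "NO-USER-MODIFICATION", "USAGE",
}


def tokenize(definition):
    # Quoted strings, the structural characters ( ) $, and bare words.
    return re.findall(r"'[^']*'|[()$]|[^\s()$']+", definition)


def parse_definition(definition):
    """Return {'oid': ..., KEYWORD: [values]}; raise ValueError on malformed input
    such as the stray ')' that is easy to type after a MAY clause."""
    toks = tokenize(definition)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("definition must be enclosed in parentheses")
    toks = toks[1:-1]
    result, i = {"oid": toks[0]}, 1
    while i < len(toks):
        key = toks[i].upper()
        i += 1
        if key not in KEYWORDS:
            raise ValueError(f"unexpected token {toks[i - 1]!r}")
        values = []
        if i < len(toks) and toks[i] == "(":               # ( a $ b ) list
            i += 1
            while i < len(toks) and toks[i] != ")":
                if toks[i] != "$":
                    values.append(toks[i])
                i += 1
            if i == len(toks):
                raise ValueError("unterminated list")
            i += 1
        elif i < len(toks) and toks[i].upper() not in KEYWORDS and toks[i] not in ("(", ")", "$"):
            values.append(toks[i])                         # single value (flags take none)
            i += 1
        result[key] = [v.strip("'") for v in values]
    return result


SCHEMA_DEFINITIONS = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    # the two classes the handout adds above
    "( 1.2.3.4.5 NAME 'myOC' DESC 'my Objectclass definition' MAY myAttr )",
    "( 1.2.3.4.6 NAME 'myOC2' DESC 'my 2nd Objectclass definition' SUP top MUST ( cn $ sn ) MAY myAttr )",
]
SCHEMA = {d["NAME"][0].lower(): d for d in map(parse_definition, SCHEMA_DEFINITIONS)}


def effective_attributes(schema, object_classes):
    """Union of MUST and MAY over the classes named and all their SUP ancestors."""
    must, may, todo, seen = set(), set(), list(object_classes), set()
    while todo:
        name = todo.pop().lower()
        if name in seen:
            continue
        seen.add(name)
        oc = schema.get(name)
        if oc is None:
            raise ValueError(f"object class {name!r} is not defined in the schema")
        must |= {a.lower() for a in oc.get("MUST", [])}
        may |= {a.lower() for a in oc.get("MAY", [])}
        todo.extend(oc.get("SUP", []))
    must.discard("objectclass")                            # always present; handled separately
    return must, may


def validate_entry(schema, entry):
    """Return (missing_must, not_allowed) for an entry given as {attr: [values]}."""
    must, may = effective_attributes(schema, entry.get("objectclass", []))
    present = {a.lower() for a in entry} - {"objectclass"}
    return sorted(must - present), sorted(present - must - may)


# The entry added at the end of the section above, as a constructed dict.
USERID123 = {
    "objectclass": ["top", "myOC2"],
    "cn": ["userid123"],
    "sn": ["me"],
    "myAttr": ["value for new attribute"],
}

if __name__ == "__main__":
    print("userid123:", validate_entry(SCHEMA, USERID123))
    print("person with myAttr but no myOC:",
          validate_entry(SCHEMA, {"objectclass": ["top", "person"], "cn": ["x"], "sn": ["y"], "myAttr": ["z"]}))
```

The second check in the usage lines is the situation the section's third step resolves: a person entry may carry myAttr only after the auxiliary class myOC has been added to its objectclass values.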
6.1 Use of Java GUI Administration Tool for Schema Administration

0. Launch the Java GUI administration tool:
    under Solaris:    $ORACLE_HOME/bin/osdadmin
    under NT:         click on the icon for the OID admin tools

1. Log in with the following info:
      user:     orcladmin
      password: welcome
      server:   mchou-sun
      port:     2000

2. Go to Oracle Secure Directory Servers ->
              orcladmin@mchou-sun:2000 ->
                 Schema Management

3. Four tab pages are shown on the right panel:
    Object Classes.
    Attributes.
    Syntaxes
    Matching Rules

4. Read an Object Class:
    On the Object Classes tab page, double click on the 'domain' object class;
    the object class window will be displayed with the following info:
        Name:
        Object ID:
        Description:
        Type:
        Super Class group box, which contains the list of super classes and Add/Delete/Edit buttons.
        Mandatory Attributes group box, which contains the list of mandatory attributes and Add/Delete/Edit/Make Optional buttons.
        Optional Attributes group box, which contains the list of optional attributes and Add/Delete/Edit buttons.
        Create Like button:
        Delete button:
        Ok button:
        Revert button:
        Cancel button:
        Help button:

5. Read an Attribute:
    On the Attributes tab page, double click on the 'cn' attribute; the
    attribute window will be displayed with the following info:
        General tab page:
               Name:
               Object ID:
               Display Name:
               Description:
               Syntax:
               Size:
               Single Value check box.
        Advanced tab page:
               Usage:
               Ordering:
               Equality:
               Substring:
               Cataloged check box.
               Super attribute group box, which contains the list of super attributes and Add/Delete/Edit buttons.
        Create Like button.
        Delete button.
        Cancel button.
        Help button.

6. Define a new attribute:
     choose the Attributes tab page,
     press the Create button, which is under the attribute list box,
     a window is displayed with the following fields; type in the data
     associated with the appropriate fields:
         Name:   shoesize
         Object ID:  567.345.56.89
         Display Name:  Shoe Size
         Description: shoe size for testing
         Syntax:  Numeric String
         Size:  3
         Single Value: yes
    press the OK button.
    On the Attributes tab page, the newly created 'shoesize' attribute is now in the list box.

7. Define a new auxiliary object class that includes the above new attribute:
    choose the Object Classes tab page,
    press the Create button, which is under the object class list box.
    a window is displayed with the following fields; type in the data
    associated with the appropriate fields:
         Name:  shoe
         Object ID:  67.34.456
         Description:  shoe object class
         Type:  Auxiliary
         Super Class group box:  ( none )
         Mandatory Attributes group box:
               press the Add button, an attribute list box window is
               displayed, choose the 'shoesize' attribute and press the OK button.
         press the OK button.
    the newly created 'shoe' object class is shown in the object classes list box.

8. Add the new auxiliary class above to an existing entry
   This feature is currently not supported.

9. Add the new attribute above to an existing entry
   a. first of all, add the new attribute to an existing object class:
    go to Schema Management,
    choose the Object Classes tab page,
    choose the person object class,
    a window is displayed,
    under the Optional Attributes group box, press the Add button,
    an attribute list box window is displayed,
    choose the shoesize attribute and press the Ok button,
    now the shoesize attribute is displayed in the Optional Attributes list box,
    press the Ok button.

   b. add an attribute value to an existing entry which has the above object class:
   go to Oracle Secure Directory Servers ->
                orcladmin@mchou-sun:2000 ->
                    Directory Entries ->
                       c=US ->
                         ou=compare ->
                            ou=Americas ->
                               cn=Paul Cezanne

  choose the 'All' View Properties choice box,
  scroll down the attribute list to the 'shoesize' attribute,
  fill it in with '10', press the OK button.

  c. use the Netscape browser to verify that the attribute is defined in the entry:
   open a browser on another machine,
   type in the following URL:   ldap://mchou-sun:2000/??sub?cn=paul*
   the 'shoesize' attribute and its value will be displayed under the entry.

10. Add an entry with the new object class above, define values for the new attribute
    and display them
    go to Oracle Secure Directory Servers ->
                orcladmin@mchou-sun:2000 ->
                    Directory Entries ->
                       c=US ->
                         ou=compare ->
                            cn=cmpP1
    choose 'Create Like' from the mouse menu,
    a window is displayed,
    change the Distinguished Name field to:    cn=test, ou=compare, o=IMC, c=US
    change Common Name (under the Mandatory Properties tab page):   test
    define shoesize (under Optional Properties):  8

    press 'Refresh' in the mouse menu under
            Oracle Secure Directory Servers ->
                orcladmin@mchou-sun:2000 ->
                    Directory Entries ->
                       c=US ->
                         ou=compare ->
                            cn=cmpP1
    'cn=test' will be shown under it.

    use the browser to verify it:
    URL:   ldap://mchou-sun:2000/??sub?cn=test*
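
The verification URLs in steps 9c and 10 have the RFC 2255 form ldap://host:port/dn?attributes?scope?filter; both leave the DN and attribute list empty and rely on the defaults, which is why the browser searches the whole tree and shows every attribute. The Python function below, an added example that is not part of the handout or of OID, splits such a URL into its components and applies the defaults, so it is clear what the browser is actually asking the server for.

```python
"""Split an LDAP URL (ldap://host:port/dn?attributes?scope?filter?extensions)
into its RFC 2255 components, applying the defaults for empty fields.
Added example; not part of the handout or of OID."""
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = {"base", "one", "sub"}


def parse_ldap_url(url):
    """Return a dict with host, port, dn, attributes, scope, filter and extensions.
    Empty fields take the RFC defaults: scope 'base', filter '(objectClass=*)',
    attribute list 'all user attributes' (represented here as [])."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    # urlsplit puts everything after the first '?' into .query; the LDAP fields are
    # separated by further '?' characters (a '?' inside a field must be %-encoded).
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attributes, scope, filt, *extensions = [unquote(f) for f in fields]
    scope = scope.lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"invalid scope {scope!r}")
    return {
        "host": parts.hostname or "localhost",
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "dn": unquote(parts.path[1:]) if parts.path else "",
        "attributes": [a for a in attributes.split(",") if a],
        "scope": scope,
        "filter": filt or "(objectClass=*)",
        "extensions": [e for e in extensions if e],
    }


if __name__ == "__main__":
    for url in ("ldap://mchou-sun:2000/??sub?cn=paul*", "ldap://mchou-sun:2000/??sub?cn=test*"):
        print(url, "->", parse_ldap_url(url))
```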

7. Access control examples
Note: 1. For these examples to work as expected, please run example 1 before examples 2-4 and run example
      2. In the examples below, if you don't specify the hostname, it will default to localhost, and if you don't specify the port, it will default to 389.

1. Changing the default ACCESS policy at DSE ROOT as super user
 ldapmodify -h <hostname> -p <port> -D "cn=orcladmin" -w "welcome" << EOF
 dn:
 changetype: modify
 replace: orclaci
 orclaci: access to entry by * (browse)
 orclaci: access to attr=(*)  by * (search,read,compare)
 EOF
 
 
2. Creating an Admin user under c=us as anonymous user (should fail)
 ldapadd  -h <hostname> -p <port> << EOF
 dn: cn=admin, c=US
 cn: admin
 sn: Administrator
 objectclass: top
 objectclass: person
 objectclass: organizationalperson
 objectclass: inetorgperson
 description: Directory Administrator for C=us 
 userpassword: admin
 EOF
 
 
3. Deleting a user as anonymous user (should fail)
 ldapdelete  -h <hostname> -p <port> << EOF
 cn=Person One, ou=EuroSInet Suite, o=IMC, c=US
 EOF
 
4. Modifying an attribute value as anonymous user (should fail)
 ldapmodify -h <hostname> -p <port> << EOF
 dn: cn=Person One, ou=EuroSInet Suite, o=IMC, c=US
 changetype: modify
 replace: telephonenumber
 telephonenumber: 6500001111
 EOF
 
5. Modifying an attribute value as self user (should fail)
 ldapmodify -h <hostname> -p <port> -D "cn=Person One, ou=EuroSInet Suite, o=IMC, c=US" -w "PASS1" << EOF
 dn: cn=Person One, ou=EuroSInet Suite, o=IMC, c=US
 changetype: modify
 replace: userpassword 
 userpassword: HVN
 EOF
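
Examples 2 to 5 fail because the policy written in example 1 grants everyone only browse on entries and search, read and compare on attributes, and nothing else: add, delete and write are refused to anonymous and self-bound users alike, while cn=orcladmin bypasses the policy as the superuser. The Python model below is an added example written for this handout; it is not O

ID's ACL engine (which has further subject types, deny rules and precedence) and parses only the two orclaci forms used above. Its last lines show how a narrower grant of write on userpassword to self would let example 5 succeed without widening anything else.

```python
"""Simplified model of the orclaci policy written in example 1. Added example for
this handout; not OID's ACL engine (which has more subject types, deny rules and
precedence) and not the handout's code. Only the two orclaci forms shown above
are parsed, and permissions are checked against the entry named in the request."""
import re

SUPERUSER = "cn=orcladmin"                  # bypasses orclaci entirely

# Permission a request needs, and the level (entry or attribute) it is granted at.
REQUIREMENTS = {
    "browse": ("entry", "browse"),
    "add": ("entry", "add"),
    "delete": ("entry", "delete"),
    "read": ("attr", "read"),
    "search": ("attr", "search"),
    "compare": ("attr", "compare"),
    "write": ("attr", "write"),
}

ACI_RE = re.compile(
    r'access to (?P<target>entry|attr=\((?P<attr>[^)]*)\))\s+by\s+'
    r'(?P<subject>\*|self|dn="[^"]*")\s+\((?P<perms>[^)]*)\)',
    re.IGNORECASE,
)


def normalize_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_aci(text):
    """'access to attr=(*) by * (search,read,compare)' -> ('attr', '*', '*', {...})."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported orclaci: {text!r}")
    level = "entry" if m["target"].lower() == "entry" else "attr"
    attr = m["attr"].strip().lower() if level == "attr" else None
    perms = {p.strip().lower() for p in m["perms"].split(",") if p.strip()}
    return level, attr, m["subject"], perms


def subject_matches(subject, bind_dn, target_dn):
    """'*' is everyone, anonymous included; 'self' is the bound user accessing its
    own entry; 'dn="..."' is one specific bound user."""
    s = subject.lower()
    if s == "*":
        return True
    if not bind_dn:                                       # anonymous: only '*' applies
        return False
    if s == "self":
        return normalize_dn(bind_dn) == normalize_dn(target_dn)
    return normalize_dn(bind_dn) == normalize_dn(s[4:-1])  # dn="..."


def is_allowed(acis, bind_dn, operation, target_dn, attribute=None):
    """Grant-only evaluation: allowed only if some ACI grants the needed
    permission to a subject the binder matches; everything else is denied."""
    if bind_dn and normalize_dn(bind_dn) == SUPERUSER:
        return True
    level, needed = REQUIREMENTS[operation]
    for rule_level, rule_attr, subject, perms in acis:
        if rule_level != level:
            continue
        if level == "attr" and rule_attr != "*" and rule_attr != (attribute or "").lower():
            continue
        if needed in perms and subject_matches(subject, bind_dn, target_dn):
            return True
    return False


# The two orclaci values example 1 writes to the DSE root.
DEFAULT_POLICY = [
    parse_aci("access to entry by * (browse)"),
    parse_aci("access to attr=(*)  by * (search,read,compare)"),
]
PERSON_ONE = "cn=Person One, ou=EuroSInet Suite, o=IMC, c=US"
ANONYMOUS = ""

if __name__ == "__main__":
    requests = [
        ("example 2: anonymous add", ANONYMOUS, "add", "cn=admin, c=US", None),
        ("example 3: anonymous delete", ANONYMOUS, "delete", PERSON_ONE, None),
        ("example 4: anonymous write", ANONYMOUS, "write", PERSON_ONE, "telephonenumber"),
        ("example 5: self write", PERSON_ONE, "write", PERSON_ONE, "userpassword"),
        ("anonymous read", ANONYMOUS, "read", PERSON_ONE, "telephonenumber"),
    ]
    for label, who, op, dn, attr in requests:
        print(f"{label:30} {'allowed' if is_allowed(DEFAULT_POLICY, who, op, dn, attr) else 'denied'}")
    # Least-privilege change for example 5: each user may change only its own password.
    self_write = DEFAULT_POLICY + [parse_aci('access to attr=(userpassword) by self (write)')]
    print("example 5 with self-write grant:",
          is_allowed(self_write, PERSON_ONE, "write", PERSON_ONE, "userpassword"))
```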
 
7.1 Use of Java GUI Administration Tool for ACL Management

* Use the GUI administration tool for the above schema and data operations
* Use the Netscape browser to view the new attributes and entries
8. Reading the LDAP server configuration set

Using the GUI Administration tool one can view the parameters
of the Configuration entries used by the LDAP Server.

Example: To view the Default configuration parameters, follow
the sequence of menus described below.

Click on Server Management
            ->Directory Server
                 ->Default Configuration Set

On the right-hand side of the Admin tool window, one can see
four tabs: General, Debug Flags, SSL Settings, and Passwords.
By clicking on each of these tabs, one can view the parameters
underneath these categories.

9. Using the LDIF writer

1.  To export a subtree into an LDIF file:
ldifwrite -c <db connect string> -b <base dn> -f <LDIF file>
This will export the subtree into an LDIF file in the current directory.

Example:
ldifwrite -c nldap -b "ou=Europe, o=imc, c=us" -f sample.ldif
will dump all the entries under "ou=Europe, o=imc, c=us" into the file sample.ldif.
10. Starting an OID LDAP server instance with SSL

1. Initialize a configuration set for SSL (command-line)
 ldapadd -p 389 -h demo-sun -v -f sslconfig.ldi

2. Start up the SSL instance
 osdmgr connect=nldap server=OSDLDAP instance=1 configset=1 start
 This assumes the guardian is running and sslconfig.ldi has been added (so that configuration set 1 is already present in the directory).

3. Command-line search example for SSL (encryption alone is sufficient)
ldapsearch -p 5000 -h demo-sun -b "" -v -U 1 -s base "objectclass=*"
This assumes the LDAP server is running on port 5000 in SSL mode 1
(i.e. steps 1 and 2 above have already been done).

