Oracle Internet Directory Administrator's Guide Release 2.1.1 Part Number A86101-01
This chapter guides you through some tasks you must perform before configuring and using Oracle Internet Directory. It also discusses upgrading from previous releases of Oracle Internet Directory.
Before you can run the administration tools and begin configuring and using the directory, you need to start OID Monitor and start a directory server instance. You also need to reset the default security configuration.
The OID Monitor daemon must be running to process commands to start and stop the server.
To start the OID Monitor, set the NLS_LANG environment variable and then run oidmon at the system prompt:
NLS_LANG=APPROPRIATE_LANGUAGE.UTF8
oidmon [connect=net_service_name] [sleep=seconds] start
For example:
oidmon connect=dbs1 sleep=10 start
To stop the OID Monitor daemon, at the system prompt, type:
oidmon [connect=net_service_name] stop
For example:
oidmon connect=dbs1 stop
Once the OID Monitor is running, start a server instance by using the OID Control Utility.
The syntax for starting an Oracle directory server instance is:
oidctl connect=net_service_name server=oidldapd instance=server_instance_number [configset=configset_number] [flags='-p port_number -work maximum_number_of_worker_threads_per_server -debug debug_level -l change_logging -server n'] start
For example, to start an Oracle directory server instance whose net service name is dbs1, using configset5, at port 12000, with a debug level of 1024, an instance number of 3, and in which change logging is turned off, type at the system prompt:
oidctl connect=dbs1 server=oidldapd instance=3 configset=5 flags='-p 12000 -debug 1024 -l ' start
When starting and stopping an Oracle directory server instance, the server name and instance number are mandatory. All other arguments are optional.
All keyword value pairs within the flags arguments must be separated by a single space.
Single quotes are mandatory around the flags.
The configset identifier defaults to zero (configset0) if not set.
OID Monitor must be running whenever you start or stop directory server instances.
At the system prompt, type:
oidctl connect=net_service_name server=OIDLDAPD instance=server_instance_number stop
For example:
oidctl connect=dbs1 server=oidldapd instance=3 stop
The syntax for starting the Oracle directory replication server is:
oidctl connect=net_service_name server=oidrepld instance=server_instance_number [configset=configset_number] flags='-h hostname -p port_number -d debug_level -m [true | false] -z transaction_size' start
For example, to start the replication server with an instance=1, at port 12000, with debugging set to 1024, type at the system prompt:
oidctl connect=dbs1 server=oidrepld instance=1 flags='-p 12000 -h eastsun11 -d 1024' start
When starting and stopping an Oracle directory replication server, the -h flag, which specifies the host name, is mandatory. All other flags are optional.
All keyword value pairs within the flags arguments must be separated by a single space.
Single quotes are mandatory around the flags.
The configset identifier defaults to zero (configset0) if not set.
OID Monitor must be running whenever you start or stop directory server instances.
At the system prompt, type:
oidctl connect=net_service_name server=OIDREPLD instance=server_instance_number stop
For example:
oidctl connect=dbs1 server=oidrepld instance=1 stop
To restart a directory server instance, at the system prompt, type:
oidctl connect=net_service_name server={oidldapd|oidrepld} instance=server_instance_number restart
OID Monitor must be running whenever you start, stop, or restart directory server instances.
If you try to contact a server that is down, you receive from the SDK the error message 81--LDAP_SERVER_DOWN.
If you change a configuration set entry that is referenced by an active server instance, you must stop that instance and restart it to effect the changed value in the configuration set entry on that server instance. You can either issue the STOP command followed by the START command, or you can use the RESTART command. RESTART both stops and restarts the server instance.
For example, suppose that Oracle directory server instance1 is started, using configset3, and with the net service name dbs1. Further, suppose that, while instance1 is running, you change one of the attributes in configset3. To enable the change in configset3 to take effect on instance1, you enter the following command:
oidctl connect=dbs1 server=oidldapd instance=1 restart
If more than one instance of the Oracle directory server is running on that node using configset3, then you can restart all the instances at once by using the following command syntax:
oidctl connect=dbs1 server=oidldapd restart
Note that this command restarts all the instances running on the node, whether they are using configset3 or not.
If the directory server fails to start, you can override all user-specified configuration parameters to start the directory server and then return the configuration sets to a workable state by using the ldapmodify operation.
To start the directory server using its hard-coded default parameters instead of the configuration parameters stored in the directory, type at the system prompt:
oidctl connect=net_service_name flags='-p port_number -f'
The -f option in the flags starts the server with hard-coded configuration values, overriding any defined configuration sets except for the values in configset0.
When you first install Oracle Internet Directory, the default configuration grants to all users read, browse, and search access to all entries in the directory. One of the first things you need to do is establish and implement an access control policy to ensure that each user receives the appropriate authorization. Oracle Corporation specifically recommends that you control access to the subentry subSchemaSubEntry and its children because these objects contain information about the directory.
Moreover, when you load directory entries, you are creating a hierarchy of directory entries. You must therefore establish:
Oracle Internet Directory release 2.1.1 allows you to upgrade from either Oracle Internet Directory release 2.0.4.x or release 2.0.6. You choose to upgrade to a release 2.1.1 when prompted during the installation process.
In a replicated environment, a node running release 2.1.1 can co-exist with nodes running previous releases of Oracle Internet Directory. Moreover, in a replicated environment, upgrade of one node to release 2.1.1 requires no network downtime. The other nodes can remain available while the upgrade progresses.
To upgrade on a single node, follow the instructions in the installation documentation for your operating system.
Upgrading a multi-node Oracle Internet Directory system to release 2.1.1 requires special attention. This section discusses the two ways to upgrade a multi-node Oracle Internet Directory system:
Use this method if you do not want any system downtime. While the upgrade on one node is in progress, it allows all the other nodes to remain available. However, using this method requires that you clearly understand and strictly follow these guidelines:
- During the upgrade, the attribute orclupgradeinprogress in the DSE root is set to TRUE. This attribute is created during the upgrade procedure.
- After all the nodes are upgraded, set orclupgradeinprogress to FALSE on all the nodes.
- While the orclupgradeinprogress attribute in the DSE root is set to TRUE, the release 2.1.1 node performs special processing on change log entries it generates for other nodes. This is required for backward compatibility.
Perform the following tasks, first on the MDS, then on the master sites.
Before shutting down the database at the MDS, run the script delasrjobs.sql located in /oidupgrade/ on the installation CD. This script deletes ASR jobs on other master sites that push changes to the MDS. Deleting these jobs temporarily removes the MDS from the replication environment so that no changes can be applied to it. Other nodes, however, remain operational and continue replicating changes.
If you do not shut down the database and listener, then Oracle Universal Installer prompts you to do it.
Run Oracle Universal Installer to upgrade to Oracle Internet Directory release 2.1.1, which uses Oracle8i release 8.1.7. The installer both migrates the database and upgrades Oracle Internet Directory.
After the upgrade is completed, make sure that the database and listener are up and running.
Test the connectivity to other nodes. If connectivity is broken, then use the backup copies of listener.ora, sqlnet.ora and tnsnames.ora and restart the listener. The backup files are named listener<date>.bak, sqlnet<date>.bak and tnsnames<date>.bak, where date stands for the date stamp in the file name.
After you have upgraded the node, create jobs on other nodes. You do this by executing $ORACLE_HOME/ldap/admin/creasrjobs.sql on the upgraded node. This script creates on the other nodes the jobs that were deleted in "Task 4: Delete Jobs on Other Nodes". These jobs now start pushing the existing changes and new changes on other nodes to the node you have just upgraded.
Once the node is upgraded, perform the post upgrade procedure for password encryption as described in "Post Upgrade Procedure for Password Encryption".
After upgrading the MDS, upgrade other master sites one at a time. Perform tasks 1 through 12 on each master site until all the nodes are upgraded.
After all the nodes are upgraded to Oracle Internet Directory release 2.1.1, modify the orclupgradeinprogress attribute to FALSE on all the nodes. To do this:
Use this method to upgrade all the nodes at the same time. If you use this method, then the system is unavailable during the upgrade process.
dn:
changetype: modify
replace: orclservermode
orclservermode: r

ldapmodify -D "cn=orcladmin" -w welcome -h host_name -p port_number -f input_file.ldif
Before moving to the next step, wait for the change log queue to empty. If you skip this step, then the changes in the change log queue will be applied once the nodes are upgraded.
If you do not shut down the database and listener, then Oracle Universal Installer prompts you to do it.
Run Oracle Universal Installer to upgrade to Oracle Internet Directory release 2.1.1, which uses Oracle8i release 8.1.7. The installer both migrates the database and upgrades Oracle Internet Directory.
After the upgrade is completed, make sure that the database and listener are up and running.
Test the connectivity to other nodes. If connectivity is broken, then use the backup copies of listener.ora, sqlnet.ora and tnsnames.ora and restart the listener. The backup files are named listener<date>.bak, sqlnet<date>.bak and tnsnames<date>.bak, where date stands for the date stamp in the file name.
After all the nodes are upgraded to Oracle Internet Directory release 2.1.1, modify the orclupgradeinprogress attribute to FALSE on all the nodes. To do this:
Perform this modification on all the nodes in the replication environment.
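The orclservermode change shown earlier and the orclupgradeinprogress change required here are both modifications of the root DSE, which is addressed by the empty DN. As an added example that is not part of the guide, this shell script generalizes that LDIF to any root DSE attribute and emits one ldapmodify command per node, so the same change is applied on all the nodes. The node list, host names, file name and the ORCLADMIN_PW variable are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide. The root DSE is addressed by the
# empty DN, so the "dn:" line stays blank, exactly as in the orclservermode
# LDIF in the guide. Node names, ports and ORCLADMIN_PW are assumptions.

# Print an LDIF modify operation that replaces one root DSE attribute.
root_dse_replace_ldif() {
    attr=$1 value=$2
    [ -n "$attr" ] && [ -n "$value" ] || { echo 'usage: root_dse_replace_ldif attr value' >&2; return 2; }
    # orclupgradeinprogress is a boolean flag; reject anything but TRUE/FALSE
    if [ "$attr" = orclupgradeinprogress ]; then
        case $value in TRUE|FALSE) ;; *) echo "error: $attr must be TRUE or FALSE" >&2; return 1 ;; esac
    fi
    printf 'dn:\nchangetype: modify\nreplace: %s\n%s: %s\n' "$attr" "$attr" "$value"
}

# Read "host port" lines on stdin and print one ldapmodify command per node,
# using the ldapmodify syntax from the guide. The bind password is taken from
# the exported ORCLADMIN_PW variable when the commands run, instead of being
# written into the script as "-w welcome" (welcome is the installation default
# for cn=orcladmin); ldapmodify still receives it on its own command line.
ldapmodify_cmds() {
    ldif=$1
    while read -r host port; do
        [ -n "$host" ] && [ -n "$port" ] || continue   # skip blank lines
        printf 'ldapmodify -D "cn=orcladmin" -w "$ORCLADMIN_PW" -h %s -p %s -f %s\n' "$host" "$port" "$ldif"
    done
}

# Example run with a constructed two-node list (export ORCLADMIN_PW first):
#   root_dse_replace_ldif orclupgradeinprogress FALSE > upgrade_done.ldif
#   printf 'oidnode1 389\noidnode2 389\n' | ldapmodify_cmds upgrade_done.ldif | sh
```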
Oracle Corporation recommends that you use the LDIF-based backup procedure to back up your existing release of Oracle Internet Directory. This is explained in this section.
Normally, you do not need to perform LDIF-based upgrading. Use this method when you cannot successfully run the database-based upgrade process.
The LDIF-based upgrade process requires the following procedures on a node being upgraded:
Be sure that the Oracle directory server is not running, then run the script backup_oid.sh located in the /oidupgrade directory on the CD.
The syntax to run backup_oid.sh is:
backup_oid.sh -connect net_service_name -pass password_for_DB_account_'ods'
The backup_oid.sh script does the following:
- Generates .dmp files (for example, attr_store.dmp) in the $ORACLE_HOME/ldap/load directory.
- Generates OID_userdata.ldif in $ORACLE_HOME/ldap/load. The subtree under cn=OracleSchemaVersion (if it exists) is also backed up as orcl_schemaver.ldif in the $ORACLE_HOME/ldap/load directory.
If you plan to install Oracle Internet Directory release 2.1.1 in the same ORACLE_HOME, then save these generated files in some other location. To do this, copy the files from these directories:
$ORACLE_HOME/ldap/load
$ORACLE_HOME/ldap/install
The syntax for restore_oid.sh is:
restore_oid.sh -connect net_service_name -pass password_for_DB_account_'ods'
The restore_oid.sh script does the following:
-restore option
Run the cryptupgrd.sh script located in $ORACLE_HOME/ldap/bin/ to upgrade passwords.
The syntax for cryptupgrd.sh is:
cryptupgrd.sh -connect net_service_name -pass password_for_DB_account_'ods'
In release 2.0.6 and release 2.0.4, the user password was encrypted by using only one encryption algorithm, namely MD4. A flag in the root DSE, namely orcluseencrypt, merely toggled encryption on and off. By contrast, Oracle Internet Directory release 2.1.1 supports multiple hash schemes.
Oracle Internet Directory release 2.1.1 stores the hash scheme as a prefix to the password value. A new attribute created in the root DSE during the upgrade procedure indicates the default hashing scheme. If the supplied password is not already encrypted, then the Oracle directory server uses this default value to encrypt passwords.
The post upgrade procedure for password encryption adds the prefix MD4 to all the existing password values in the directory. The time taken by this procedure to finish varies depending on the number of entries in the directory.
To run this procedure, enter the following command:
cryptupgrd.sh -connect net_service_name -pass password_for_DB_account_'ods'
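Once cryptupgrd.sh has run, every stored password value should carry a hash-scheme prefix, and a value without one is a legacy value the procedure did not reach. As an added example that is not part of the guide, this shell function scans an LDIF export such as the OID_userdata.ldif produced by backup_oid.sh and counts userPassword values that lack a prefix. It assumes the prefix is written in the {SCHEME} form used by LDAP servers, that values are not folded across lines, and that base64 values can be decoded with base64 -d; the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: verify that the post upgrade
# password procedure reached every entry by counting userPassword values in an
# LDIF export that carry no {SCHEME} prefix. Assumptions: prefixes use the
# {SCHEME} form (e.g. {MD4}), values are not folded over several LDIF lines,
# and "userpassword::" (base64) values can be decoded with base64 -d.

# Reads LDIF on stdin and prints "<unprefixed> <total>".
unprefixed_passwords() {
    unprefixed=0 total=0
    while IFS= read -r line; do
        case $line in
            [Uu][Ss][Ee][Rr][Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]::*)   # base64 value
                value=$(printf '%s' "${line#*::}" | tr -d ' ' | base64 -d 2>/dev/null) ;;
            [Uu][Ss][Ee][Rr][Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]:*)    # plain value
                value=${line#*:}; value=${value# } ;;
            *) continue ;;
        esac
        total=$((total + 1))
        case $value in
            \{*\}*) ;;                              # has a {SCHEME} prefix
            *) unprefixed=$((unprefixed + 1)) ;;   # legacy value, still unprefixed
        esac
    done
    printf '%s %s\n' "$unprefixed" "$total"
}

# Constructed sample export: one prefixed value, one legacy value without a
# prefix, and one base64-encoded prefixed value (hash strings are made up).
sample_ldif() {
    printf 'dn: cn=alice,o=example\nuserpassword: {MD4}CONSTRUCTEDHASH1\n\n'
    printf 'dn: cn=bob,o=example\nuserpassword: CONSTRUCTEDHASH2\n\n'
    printf 'dn: cn=carol,o=example\nuserpassword:: %s\n\n' \
        "$(printf '%s' '{MD4}CONSTRUCTEDHASH3' | base64)"
}

# Usage on a real export: unprefixed_passwords < $ORACLE_HOME/ldap/load/OID_userdata.ldif
# On the constructed sample, "sample_ldif | unprefixed_passwords" prints "1 3".
```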
Copyright © 1996-2000, Oracle Corporation. All Rights Reserved.