See you there–it should be a fun and informative session!

Recently, I was helping move an Oracle Portal (10.1.2.0.2) environment from one host to another. This was due to a company spin off, so the “sticky” part of this move was that the domain name and resulting realm changed (more on that in a minute).

First, if you’ve had to perform this task, you should have already identified Metalink Note 251776.1 which describes the process necessary for moving users and groups from one OracleAS Infrastructure to another. The note’s step 3 mentions that the LDIF file must be edited to replace all references to the old realm with the new realm in the target system. However, this can prove difficult if you do actually have to change the realm name because of the way that ldapsearch produces output. The LDIF standard specifies that lines can be continued on the following line if a space is the first character on the line. The corresponding ldapadd command can properly import lines that are broken into multiple lines, but the standard search and replace tools (in notepad, vi or any other standard text editor) can’t find the occurrences properly to replace them. So, some entries are able to be replaced easily like this one (assume we need to replace “dc=dannorris,dc=local” with “dc=newcorp,dc=com“):

dn: cn=dba,cn=portal.080827.121025.144000000,cn=groups,dc=dannorris,dc=local
uniquemember: cn=portal,cn=users,dc=dannorris,dc=local
uniquemember: cn=orcladmin,cn=users,dc=dannorris,dc=local
cn: DBA
displayname: DBA
description: portal.080827.121025.144000000 - Database Administrators
owner: cn=portal,cn=users,dc=dannorris,dc=local
owner: cn=orcladmin,cn=users,dc=dannorris,dc=local
objectclass: top
objectclass: groupofUniqueNames
objectclass: orclGroup
objectclass: orclPrivilegeGroup

The problem comes when you encounter a group name that causes one or more of the lines to be wrapped to the next line (ldapsearch has a hard-coded line length), like this one (note that the first and eighth lines aren’t wrapped because of your screen–that’s actually how ldapsearch outputs them):

dn: cn=DANCO_PROCUREMENT_LIMITED,cn=portal.080827.121025.144000000,cn=groups,d
 c=dannorris,dc=local
objectclass: orclGroup
objectclass: groupOfUniqueNames
objectclass: top
owner: cn=danco_admin,cn=users, dc=dannorris,dc=local
uniquemember: cn=danco_admin,cn=users,dc=dannorris,dc=local
uniquemember: cn=dba,cn=portal.080827.121025.144000000,cn=groups,dc=dannorris,
 dc=local
orclisvisible: true
displayname: DANCO_PROCUREMENT_LIMITED
cn: DANCO_PROCUREMENT_LIMITED

The standard search and replace function in the text editor won’t be able to interpret the value of the dn: attribute above as somethin that needs to be replaced because the search string would be “dc=dannorris,dc=local” and the above is “d\n c=dannorris,dc=local” instead. Similarly, the uniquemember: value is also broken across lines.

I found it useful to have a short utility script (in Perl, because that’s what I know and it’s always available with recent Oracle installations) that can concatenate the broken lines into a single line that can be consumed by search and replace more easily. The script also removes the authpassword: attributes as it processes since those can’t be loaded with ldapadd (as mentioned in the Metalink note). Here’s the script source (I call it concat.pl):

$cnt=0;
while ($line = <>) {
  chomp($line);
  if ( $line =~ /^authpassword/ ) {
    next;
  } elsif ( $line =~ /^\S+/) { ### this line is a "normal" or starting line
    $results[$cnt++] = $line;
  } elsif ( $line =~ /^$/ ) {  ### this line is blank
    $results[$cnt++] = "";
  } elsif ( $line =~ /^ \S+/ ) {  ### this line is a continuation
    $results[$cnt-1] = $results[$cnt-1] . substr($line,1);
  }
}

for $i (0 .. $cnt) {
  print "$results[$i]\n";
}

The script essentially creates a simple array of output and then the for loop at the end spits out the resulting array to STDOUT. There are a few simple regular expressions used and the \S character class from Perl to make things easy. To run this script, you need to invoke perl directly (I wrote this for Windows, so that’s why there’s no #! at the start). I run it like this on Windows:

%ORACLE_HOME%\perl\5.6.1\bin\MSWin32-x86\perl concat.pl < input.ldif > output.ldif

Then just review the output to see that it looks like you expect. Once satisfied, you can perform the search and replace knowing that it should match all the occurrences, not just the ones that happened to fit on a single line.

Basically, the “thing” was that someone needed help understanding how to get started with an OID installation for managing TNS connect descriptors. He wanted (and needed) to use an existing database since he was resource-constrained and wasn’t sure what the installation process looks like for such an installation.

Here’s the combined thread between @fuadar, @topperge and me (@dannorris) just a few minutes ago:

fuadar: looking for someone or some document to install oid in an existing 10.2 database need only names service resolution
dannorris: @fudar It’s much easier to just have it install its own DB. If you use existing DB, you must run metadata repos creation asst first.
fuadar: @dnanorris out of space already have a database out there for other functions. trying to setup oid to solve our tnsnames issues
dannorris: @fudar Issues? Honestly, OID usually introduces more issues than it solves when it comes to TNS. It’s a lot more complex than a text file.
fuadar: @dannorris true but i’m trying to come up with some way to manage acouple of hundred servers and a couple of thousand clients
dannorris: @fudar It’s definitely the right direction to head–just need realistic expectations about complexity and manageability–not easier!
fuadar: @dannorris agree just looking for better documentation
topperge: @fuadar fudar, all you need is RepCA and install the identity repos, http://tinyurl.com/yweyr8
dannorris: @fuadar Better free up some space first–you’ll need a gig or two I’d expect. (ps sorry for misspelling your handle)
fuadar: @topperge so what you are saying is just go thru the oid software install process and then so the repca manually
fuadar: @topperge i am using the Oracle Identity management dvd’s 10.1.4.0.1
dannorris: @fuadar Install RepCA first, run it, then install OID from IdM and tell it to use the repos you created.
dannorris: @fuadar be sure to check DB prereqs (version, pkgs, options, etc.). Follow section here http://snurl.com/1xzda
fuadar: @dannorris thanks reinstalling the software now
topperge: @fuadar There is a 10.1.4 MRCA with the DVDs, install from that first , then install from the OIM Infrastructure CD second
topperge: @fuadar then make sure you patch to 10.1.4.2 which is patch 5983637 on metalink (doing the same install right now)

Even patch numbers! Posting that same question to a forum would likely have taken several hours to get responses–and precise responses as well. Now, I don’t want everyone to believe that @topperge (Matt Topper) and I sit around all day looking for questions we can answer on Twitter. However, I am on Twitter most of the time (even though I don’t tweet that often) and occasionally will throw a response or post in when I think of it. Matt is usually there and seems to behave similarly most of the time.

The bottom line: today, Twitter helped someone solve a real technical problem much faster than they were likely to solve it via other means (web 2 dot oh or otherwise). I don’t know that it happens every day, but we can only save one life at a time .

You can follow me (@dannorris) on twitter, but as I don’t say much, you won’t likely be impressed. After all, I’m no Jake Kuramoto.