5 minutes or less: Indexing Attributes in OID

I’ve written this short post as just a note to myself quite some time back. Since I had to rely on it quite a couple of times, I thought it would be worth sharing it with our readers.

It may be too basic to some people, but I am sure others out there had, are having or will have issues when running searches with LDAP filters against OID (Oracle Internet Directory), especially if those filters refer to custom attributes. The information presented here is certainly available in OID Administration Guide at Managing Directory Schema chapter, but it still might be a little bit scattered.

[Update on 12/02/2013]: Starting with OID 11.1.1.6, there's an autocatalog feature that automatically indexes attributes upon a search. This is controlled by DSA-wide orclautocatalog attribute, which is enabled by default.

First and foremost: an attribute is only searchable in OID if it is indexed. This is definitely not the case of any your brand new custom attributes.

Any search containing a non-indexed attribute in the ldap filter will return something like:

> ldapsearch -h localhost -p 6501 -D "cn=orcladmin" -w welcome1 -b "cn=users,ou=mycompany,dc=com"–s sub "assistant=kathy"

ldap_search: DSA is unwilling to perform
ldap_search: additional info: 
LDAP Error 53 : [LDAP: error code 53 - Function Not Implemented, search filter attribute assistant is not indexed/cataloged]

Second, directly from OID Administration Guide, About Indexing Attributes section:

“You can index only those attributes that have:

• An equality matching rule
• Matching rules supported by Oracle Internet Directory as listed in "Attribute Matching Rules" in Oracle Fusion Middleware Reference for Oracle Identity Management
• Less than 128 characters in their names”
  

The error message above is straightforward. But how do you create an index for the attribute?

There are 3 ways to index attributes in OID: i) using ODSM (Oracle Directory Services Manager), ii) using ldapmodify or iii) using the catalog tool.

ODSM and ldapmodify are only good if you have just defined the attribute and there’s still no data associated with it. Only values added after the index creation are indexed.

The safest approach is running OID’s catalog tool, because it indexes all existing attribute values.

1) Indexing attributes using ODSM:

Here I’ve randomly picked a non-indexed attribute, assistant. The Indexed checkbox (pointed by the blue arrow) is read-only. You actually have to click on the button pointed by the red arrow first.

2) Indexing attributes using ldapmodify:

Create a small ldif file as the one below and run ldapmodify using the –f argument.

dn: cn=catalogs 
changetype: modify 
add: orclindexedattribute 
orclindexedattribute: assistant

> ldapmodify –h <host> –p <port> –D <admin user dn> –w <password> –f <ldif file>

3) Indexing attributes using the catalog tool:

a) Set the ORACLE_HOME environment variable to the your IDM ORACLE_HOME installation. If you’ve accepted the names given to you by the Oracle Installer, this value is typically $MW_HOME/Oracle_IDM1. The catalog tool is found under $ORACLE_HOME/ldap/bin

b) Set the ORACLE_INSTANCE environment variable to your IDM instance installation. If you’ve accepted the names given to you by the Oracle Installer, this value is typically $MW_HOME/asinst_1. Under $ORACLE_INSTANCE you should find a tnsnames.ora under the config folder. This is where the catalog tool gets your database connection details.

c) Run

$ORACLE_HOME/ldap/bin/catalog connect=”OIDDB” add=true attribute=”assistant”

If you want to delete an existing index:

$ORACLE_HOME/ldap/bin/catalog connect=”OIDDB” delete=true attribute=”assistant”

where OIDDB is the actual tnsname defined in your IDM instance tnsnames.ora file.