Red Hat Directory Server 8.1
Configuration and Command Reference
Edition 8.1.10

Author: Ella Deon Lackey
Copyright © 2009 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/.
About This Reference

Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in an intranet, over an extranet with trading partners, or over the public Internet to reach customers. This reference covers the server configuration and the command-line utilities.
mozldap directory on Red Hat Enterprise Linux 5 (32-bit) (or /usr/lib64/mozldap for 64-bit systems). However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the /usr/bin directory. It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL, which OpenLDAP tools use by default.

2.4. Text Formatting and Styles

Certain words are represented in different fonts, styles, and weights.
3. Additional Reading

The Directory Server Administrator's Guide describes how to set up, configure, and administer Red Hat Directory Server and its contents. This manual does not describe many of the basic directory and architectural concepts that you need to deploy, install, and administer a directory service successfully. Those concepts are contained in the Red Hat Directory Server Deployment Guide. You should read that book before continuing with this manual.
4. Giving Feedback

If there is any error in this Configuration, Command, and File Reference or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Directory Server through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:
• Select the Red Hat Directory Server product.
• Set the component to Doc - cli-guide.
Documentation History

Revision 8.1.5, September 9, 2009, Ella Deon Lackey
Removing any references to the Directory Server Gateway or Org Chart.

Revision 8.1.4, September 4, 2009, Ella Deon Lackey
Correcting the directory paths for configuration LDIF files, per Bugzilla #521139.

Revision 8.1.3, August 26, 2009, Ella Deon Lackey
Adding information about setting database and entry cache memory sizes and clarifying the units of measurement for the attributes, per Bugzilla #503615.

Revision 8.1.
Chapter 1. Introduction

Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed to manage large scale directories to support an enterprise-wide directory of users and resources, extranets, and e-commerce applications over the Internet. The Directory Server runs as the ns-slapd process or service on the machine. The server manages the directory databases and responds to client requests.
Chapter 2. Core Server Configuration Reference

The configuration information for Red Hat Directory Server is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files.
If a server identifier is phonebook, then for a Directory Server on Red Hat Enterprise Linux 5 (32-bit), the configuration LDIF files are all stored under /etc/dirsrv/slapd-phonebook. This directory also contains other server instance-specific configuration files. Schema configuration is also stored in LDIF format, and these files are located in the /etc/dirsrv/slapd-instance_name/schema directory (/etc/opt/dirsrv/slapd-instance_name on HPUX).
LDIF and Schema Configuration Files

Configuration filename and purpose:

10rfc2307.ldif: Schema from RFC 2307, "An Approach for Using LDAP as a Network Information Service." This may be superseded by 10rfc2307bis, the new version of rfc2307, when that schema becomes available.

20subscriber.ldif: Contains new schema elements and the Nortel subscriber interoperability specification. Also contains the adminRole and memberOf attributes and inetAdmin object class, previously stored in the 50ns-delegatedadmin.
2.1.2. How the Server Configuration Is Organized

The dse.ldif file contains all configuration information including directory-specific entries created by the directory at server startup, such as entries related to the database. The file includes the root Directory Server entry (or DSE, named by "") and the contents of cn=config and cn=monitor. When the server generates the dse.
Accessing and Modifying Server Configuration

Some of these attributes are common to all plug-ins, and some may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) groupdn = "ldap:///cn=slapd-phonebook, cn=Red Hat Directory Server, cn=Server Group, cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)

These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:
• Members of the Configuration Administrators group.
Changing Configuration Attributes

The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:

ldapsearch -b cn=config -D bindDN -w password

• bindDN is the DN chosen for the Directory Manager when the server was installed (cn=Directory Manager by default).
• password is the password chosen for the Directory Manager.

For more information on using ldapsearch, see Section 6.4, “ldapsearch”.
nsslapd-tmpdir
nsSSL2
nsSSL3
nsSSLclientauth
nsSSLSessionTimeout
nsslapd-conntablesize
nsslapd-lockdir
nsslapd-maxdescriptors
nsslapd-reservedescriptors
nsslapd-listenhost
nsslapd-schema-ignore-trailing-spaces
nsslapd-securelistenhost
nsslapd-workingdir
nsslapd-return-exact-case
nsslapd-maxbersize

2.3.
cn=config

2.3.1.1. nsslapd-accesslog (Access Log)

This attribute specifies the path and filename of the log used to record each LDAP access. The following information is recorded by default in the log file:
• IP address of the client machine that accessed the database.
• Operations performed (for example, search, add, and modify).
• Result of the access (for example, the number of entries returned or an error code).
Syntax: DirectoryString
Example: nsslapd-accesslog-logbuffering: off

2.3.1.5. nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)

This attribute specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
Attributes in dse.ldif and their values -> Logging enabled or disabled
nsslapd-accesslog-loggingenabled: on, nsslapd-accesslog: empty string -> Disabled
nsslapd-accesslog-loggingenabled: on, nsslapd-accesslog: filename -> Enabled
nsslapd-accesslog-loggingenabled: off, nsslapd-accesslog: empty string -> Disabled
nsslapd-accesslog-loggingenabled: off, nsslapd-accesslog: filename -> Disabled

Table 2.3. dse.
2.3.1.9. nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)

This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access logs are deleted until enough disk space is freed to satisfy this attribute.
Valid Range: 0 through 23
Default Value: 0
Syntax: Integer
Example: nsslapd-accesslog-logrotationsynchour: 23

2.3.1.12. nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)

This attribute sets the minute of the day for rotating access logs. This attribute must be used in conjunction with the nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.
2.3.1.14. nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)

This attribute sets the units for the nsslapd-accesslog-logrotationtime attribute.

Entry DN: cn=config
Valid Values: month | week | day | hour | minute
Default Value: day
Syntax: DirectoryString
Example: nsslapd-accesslog-logrotationtimeunit: week

2.3.1.15. nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)

This attribute sets the maximum access log size in megabytes.
Entry DN: cn=config
Valid Range: 1 to the maximum 32 bit integer value (2147483647)
Default Value: 10
Syntax: Integer
Example: nsslapd-accesslog-maxlogsperdir: 10

2.3.1.17. nsslapd-accesslog-mode (Access Log File Permission)

This attribute sets the access mode or file permission with which access log files are to be created.
/usr/lib/mozldap/ldapsearch -D "cn=directory manager" -b "dc=example,dc=com" -s sub "(objectclass=*)"

When unauthenticated binds are allowed, the bind attempt goes through as an anonymous bind (assuming anonymous access is allowed). The nsslapd-allow-unauthenticated-binds attribute sets whether to allow an unauthenticated bind to succeed as an anonymous bind. By default, unauthenticated binds are disabled.
Attributes in dse.ldif and their values -> Logging enabled or disabled
nsslapd-auditlog-loggingenabled: on, nsslapd-auditlog: empty string -> Disabled
nsslapd-auditlog-loggingenabled: on, nsslapd-auditlog: filename -> Enabled
nsslapd-auditlog-loggingenabled: off, nsslapd-auditlog: empty string -> Disabled
nsslapd-auditlog-loggingenabled: off, nsslapd-auditlog: filename -> Disabled

Table 2.4. Possible Combinations for nsslapd-auditlog

2.3.1.21.
2.3.1.23. nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)

This attribute sets the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.

Entry DN: cn=config
Valid Values: month | week | day
Default Value: week
Syntax: DirectoryString
Example: nsslapd-auditlog-logexpirationtimeunit: day

2.3.1.24.
2.3.1.25. nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)

This attribute sets the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted. When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation.
For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0.

Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-auditlog-logrotationsync-enabled: on

2.3.1.28.
number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If the nsslapd-auditlog-maxlogsperdir attribute is set to 1, the server ignores this attribute. Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this.
Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Default Value: 100
Syntax: Integer
Example: nsslapd-auditlog-maxlogsize: 50

2.3.1.33. nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)

This attribute sets the total number of audit logs that can be contained in the directory where the audit log is stored. Each time the audit log is rotated, a new log file is created.
• 7 - Read, write, and execute

In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
2.3.1.37. nsslapd-config

This read-only attribute is the config DN.

Entry DN: cn=config
Valid Values: Any valid configuration DN
Default Value:
Syntax: DirectoryString
Example: nsslapd-config: cn=config

2.3.1.38. nsslapd-conntablesize

This attribute sets the connection table size, which determines the total number of connections supported by the server. The server has to be restarted for changes to this attribute to go into effect.
Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-counters: on

2.3.1.40. nsslapd-csnlogging

This attribute sets whether change sequence numbers (CSNs), when available, are to be logged in the access log. By default, CSN logging is turned on.
Default Value: off
Syntax: DirectoryString
Example: nsslapd-enquote-sup-oc: off

2.3.1.43. nsslapd-errorlog (Error Log)

This attribute sets the path and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they contain informative conditions, such as:
• Server startup and shutdown times.
• The port number that the server uses.
2.3.1.44. nsslapd-errorlog-level (Error Log Level)

This attribute sets the level of logging for the Directory Server. The log level is additive; that is, specifying a value of 3 includes both levels 1 and 2. The default value for nsslapd-errorlog-level is 16384.

Entry DN: cn=config
Valid Values:
• 1 — Trace function calls. Logs a message when the server enters and exits a function.
• 2 — Debug packet handling.
needed. Use 128 for very detailed processing messages.
Default Value: 16384
Syntax: Integer
Example: nsslapd-errorlog-level: 8192

2.3.1.45. nsslapd-errorlog-list

This read-only attribute provides a list of error log files.

Entry DN: cn=config
Valid Values:
Default Value: None
Syntax: DirectoryString
Example: nsslapd-errorlog-list: errorlog2,errorlog3

2.3.1.46.
Syntax: DirectoryString
Example: nsslapd-errorlog-logexpirationtimeunit: week

2.3.1.48. nsslapd-errorlog-logging-enabled (Enable Error Logging)

Turns error logging on and off.

Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-errorlog-logging-enabled: on

2.3.1.49.
Valid Range: -1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647)
Default Value: -1
Syntax: Integer
Example: nsslapd-errorlog-logminfreediskspace: -1

2.3.1.51. nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)

This attribute sets whether error log rotation is to be synchronized with a particular time of the day.
2.3.1.53. nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)

This attribute sets the minute of the day for rotating error logs. This attribute must be used in conjunction with the nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsynchour attributes.

Entry DN: cn=config
Valid Range: 0 through 59
Default Value: 0
Syntax: Integer
Example: nsslapd-errorlog-logrotationsyncmin: 30

2.3.1.54.
Valid Values: month | week | day | hour | minute
Default Value: week
Syntax: DirectoryString
Example: nsslapd-errorlog-logrotationtimeunit: day

2.3.1.56. nsslapd-errorlog-maxlogsize (Maximum Error Log Size)

This attribute sets the maximum error log size in megabytes. When this value is reached, the error log is rotated, and the server starts writing log information to a new log file. If nsslapd-errorlog-maxlogsperdir is set to 1, the server ignores this attribute.
2.3.1.58. nsslapd-errorlog-mode (Error Log File Permission)

This attribute sets the access mode or file permissions with which error log files are to be created. The valid values are any combination of 000 to 777 since they mirror numbered or absolute UNIX file permissions.
Example: nsslapd-groupevalnestlevel: 5

2.3.1.60. nsslapd-idletimeout (Default Idle Timeout)

This attribute sets the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 means that the server never closes idle connections. This setting applies to all connections and all users. Idle timeout is enforced when the connection table is walked, when poll() does not return zero.
Syntax: Integer
Example: nsslapd-ioblocktimeout: 1800000

2.3.1.63. nsslapd-lastmod (Track Modification Time)

This attribute sets whether the Directory Server maintains the modification attributes for Directory Server entries. These are operational attributes. These attributes include:
• modifiersName - The distinguished name of the person who last modified the entry.
Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-ldapiautobind: off

2.3.1.65. nsslapd-ldapientrysearchbase (Search Base for LDAPI Authentication Entries)

With autobind, it is possible to map system users to Directory Server user entries, based on the system user's UID and GUID numbers.
2.3.1.67. nsslapd-ldapigidnumbertype (Attribute Mapping for System GUID Number)

Autobind can be used to authenticate system users to the server automatically and connect to the server using a UNIX socket. To map the system user to a Directory Server user for authentication, the system user's UID and GUID numbers should be mapped to be a Directory Server attribute.
Example: nsslapd-ldapimaprootdn: cn=Directory Manager

2.3.1.70. nsslapd-ldapimaptoentries (Enable Autobind Mapping for Regular Users)

With autobind, a system user is mapped to a Directory Server user and then automatically authenticated to the Directory Server over a UNIX socket. This mapping is automatic for root users, but it must be enabled for regular system users through the nsslapd-ldapimaptoentries attribute.
2.3.1.72. nsslapd-listenhost (Listen to IP Address)

This attribute allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). There can be multiple IP addresses associated with a single hostname, and these IP addresses can be a mix of both IPv4 and IPv6. This parameter can be used to restrict the Directory Server instance to a single IP interface.
Entry DN: cn=config
Valid Values: Any valid user
Default Value:
Syntax: DirectoryString
Example: nsslapd-localuser: nobody

2.3.1.75. nsslapd-lockdir (Server Lock File Directory)

This is the full path to the directory the server uses for lock files. The default value is /var/lock/dirsrv/slapd-instance_name. Changes to this value will not take effect until the server is restarted.
2.3.1.77. nsslapd-maxdescriptors (Maximum File Descriptors)

This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server tries to use. A file descriptor is used whenever a client connects to the server and also for some server activities, such as index maintenance.
Example: nsslapd-maxdescriptors: 1024

2.3.1.78. nsslapd-maxsasliosize (Maximum SASL Packet Size)

When a user is authenticated to the Directory Server over SASL GSS-API, the server must allocate a certain amount of memory to the client to perform LDAP operations, according to how much memory the client requests.
2.3.1.80. nsslapd-nagle

When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies; specifically, sending data is delayed so that additional data can be grouped into one packet of the underlying network MTU size, typically 1500 bytes for Ethernet.
Default Value: 389
Syntax: Integer
Example: nsslapd-port: 389

NOTE: Set the port number to zero (0) to disable the LDAP port if the LDAPS port is enabled.

2.3.1.84. nsslapd-privatenamespaces

This read-only attribute contains the list of the private naming contexts cn=config, cn=schema, and cn=monitor.
Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-readonly: off

2.3.1.87. nsslapd-referral (Referral)

This multi-valued attribute specifies the LDAP URLs to be returned by the suffix when the server receives a request for an entry not belonging to the local tree; that is, an entry whose suffix does not match the value specified on any of the suffix attributes.
Entry DN: cn=config
Valid Values: Any valid LDAP URL in the form ldap://server-location
Default Value:
Syntax: DirectoryString
Example: nsslapd-referralmode: ldap://ldap.example.com

2.3.1.89. nsslapd-reservedescriptors (Reserved File Descriptors)

This attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication.
• ChainingBackendDescriptors is NchainingBackend times the nsOperationConnectionsLimit (a chaining or database link configuration attribute; 10 by default).
• PTADescriptors is 3 if PTA is configured and 0 if PTA is not configured.
• SSLDescriptors is 5 (4 files + 1 listensocket) if SSL is configured and 0 if SSL is not configured.

The server has to be restarted for changes to this attribute to go into effect.
For information on changing the root DN, see the "Creating Directory Entries" chapter in the Directory Server Administrator's Guide.

Entry DN: cn=config
Valid Values: Any valid distinguished name
Default Value:
Syntax: DN
Example: nsslapd-rootdn: cn=Directory Manager

2.3.1.93. nsslapd-rootpw (Root Password)

This attribute sets the password associated with the Manager DN.
Valid Values: Any encryption method as described in Section 2.3.1.142, “passwordStorageScheme (Password Storage Scheme)”.
Default Value: SSHA
Syntax: DirectoryString
Example: nsslapd-rootpwstoragescheme: SSHA

2.3.1.95. nsslapd-saslpath

Sets the absolute path to the directory containing the Cyrus-SASL SASL2 plug-ins.
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-schema-ignore-trailing-spaces: on

2.3.1.97. nsslapd-schemacheck (Schema Checking)

This attribute sets whether the database schema is enforced when entries are added or modified. When this attribute has a value of on, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database.
be owned by the server user ID, and that user must have read and write permissions to the directory. The default value is the schema subdirectory of the Directory Server instance-specific configuration directory, /etc/dirsrv/slapd-instance_name/schema. Changes made to this attribute will not take effect until the server is restarted.

2.3.1.99.
The server has to be restarted for the port number change to be taken into account.

Entry DN: cn=config
Valid Range: 1 to 65535
Default Value: 636
Syntax: Integer
Example: nsslapd-securePort: 636

2.3.1.102. nsslapd-security (Security)

This attribute sets whether the Directory Server is to accept SSL/TLS communications on its encrypted port. This attribute should be set to on for secure connections.
Example: nsslapd-sizelimit: 2000

2.3.1.104. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)

This attribute sets whether an SSL-enabled Directory Server should verify authenticity of a request by matching the hostname against the value assigned to the common name (cn) attribute of the subject name (subjectDN field) in the certificate being presented. By default, the attribute is set to on.
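As an added example (not code from the Directory Server documentation or product), the following Python reads a cn=config excerpt in dse.ldif form and reports the settings this section describes as risky: nsslapd-allow-unauthenticated-binds on, a *log-mode value that grants write to everyone or is 000, nsslapd-security off, nsslapd-ssl-check-hostname off, nsslapd-schemacheck off, and the enable-switch/filename combinations of Tables 2.3 and 2.4. The LDIF excerpt is constructed, and an absent enable switch is assumed to mean on (the stated default for the error log only).

```python
import re
from typing import Dict, List

# Constructed cn=config excerpt (not a real server's dse.ldif); several values are
# deliberately weak so that the audit below has something to report.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
objectClass: top
objectClass: nsslapdConfig
nsslapd-accesslog: /var/log/dirsrv/slapd-phonebook/access
nsslapd-accesslog-loggingenabled: on
nsslapd-accesslog-mode: 666
nsslapd-errorlog: /var/log/dirsrv/slapd-phonebook/errors
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-mode: 600
nsslapd-auditlog:
nsslapd-auditlog-loggingenabled: on
nsslapd-allow-unauthenticated-binds: on
nsslapd-security: off
nsslapd-ssl-check-hostname: off
nsslapd-schemacheck: on
"""

# Log name -> attribute that switches that log on or off (names as in this reference).
LOG_SWITCHES = {
    "accesslog": "nsslapd-accesslog-loggingenabled",
    "errorlog": "nsslapd-errorlog-logging-enabled",
    "auditlog": "nsslapd-auditlog-loggingenabled",
}

# Attribute -> (weak value, reason taken from the attribute's description above).
BOOLEAN_CHECKS = {
    "nsslapd-allow-unauthenticated-binds": ("on", "unauthenticated binds succeed as anonymous binds"),
    "nsslapd-security": ("off", "no SSL/TLS is accepted on the encrypted port"),
    "nsslapd-ssl-check-hostname": ("off", "certificate hostnames on outbound SSL connections are not verified"),
    "nsslapd-schemacheck": ("off", "schema is not enforced when entries are added or modified"),
}


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Attribute names are lower-cased (LDAP attribute names are case-insensitive) and
    folded continuation lines (a leading space) are re-joined to the previous line.
    Base64 ('::') values are not decoded; cn=config values here are plain strings."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def first(attrs: Dict[str, List[str]], name: str, default: str = "") -> str:
    """First value of a single-valued attribute, or the default when it is absent."""
    values = attrs.get(name.lower())
    return values[0] if values else default


def log_mode_findings(attr: str, mode: str) -> List[str]:
    """Apply the file-permission rules this section gives for the *log-mode attributes:
    three octal digits (owner, group, everyone); 000 blocks all access; a write bit
    for everyone lets any local user overwrite or delete the log."""
    if not re.fullmatch(r"[0-7]{3}", mode):
        return [f"{attr}: {mode!r} is not a three-digit octal mode (000 to 777)"]
    if mode == "000":
        return [f"{attr}: 000 allows no access to the log at all"]
    if int(mode[2]) & 2:  # third digit = everyone; bit value 2 = write
        return [f"{attr}: {mode} lets anyone overwrite or delete the log"]
    return []


def logging_effective(attrs: Dict[str, List[str]], log: str) -> bool:
    """Tables 2.3 and 2.4: a log is written only when its enable switch is on AND its
    filename attribute is non-empty.  An absent switch is assumed 'on' (the stated
    default for the error log; assumed here for the access and audit logs)."""
    switch_on = first(attrs, LOG_SWITCHES[log], "on").lower() == "on"
    return switch_on and first(attrs, f"nsslapd-{log}") != ""


def audit_config(ldif_text: str) -> List[str]:
    """Return one finding per weak setting in the cn=config excerpt."""
    attrs = parse_ldif_entry(ldif_text)
    findings: List[str] = []
    for attr, (weak, reason) in BOOLEAN_CHECKS.items():
        if first(attrs, attr).lower() == weak:
            findings.append(f"{attr}: {weak} ({reason})")
    for log in LOG_SWITCHES:
        if not logging_effective(attrs, log):
            findings.append(f"nsslapd-{log}: logging is effectively disabled")
        mode = first(attrs, f"nsslapd-{log}-mode")
        if mode:  # only judge a mode that is actually present in the excerpt
            findings.extend(log_mode_findings(f"nsslapd-{log}-mode", mode))
    return findings
```

Running audit_config(SAMPLE_CONFIG_LDIF) yields five findings for the excerpt above; the same parser works on the output of the ldapsearch on cn=config shown earlier in this chapter.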
Entry DN: cn=config
Valid Range: 1 to the maximum number of threads supported by the system
Default Value: 30
Syntax: Integer
Example: nsslapd-threadnumber: 60

2.3.1.106. nsslapd-timelimit (Time Limit)

This attribute sets the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any entries it has located that match the search request, as well as an exceeded time limit error.
Entry DN: cn=config
Valid Values: Any valid server version number.
Default Value:
Syntax: DirectoryString
Example: nsslapd-versionstring: Red Hat-Directory/8.1

2.3.1.109. nsslapd-workingdir

This is the absolute path of the directory that the server uses as its current working directory after startup.
2.3.1.112. passwordChange (Password Change)

Indicates whether users may change their passwords. This can be abbreviated to pwdAllowUserChange. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.

Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: passwordChange: on

2.3.1.113.
Syntax: DirectoryString
Example: passwordCheckSyntax: off

2.3.1.114. passwordExp (Password Expiration)

Indicates whether user passwords expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, set the number of seconds after which the password expires using the passwordMaxAge attribute.
a grace login. The server allows only a certain number of attempts before completely locking out the user. This attribute is the number of grace logins allowed. A value of 0 means the server does not allow grace logins.

Entry DN: cn=config
Valid Values: 0 (off) to any reasonable integer
Default Value: 0
Syntax: Integer
Example: passwordGraceLimit: 3

2.3.1.118.
the Directory Server does not store any old passwords, and so users can reuse passwords. Enable password history using the passwordHistory attribute. To prevent users from rapidly cycling through the number of passwords that are tracked, use the passwordMinAge attribute. This can be abbreviated to pwdInHistory. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
This can be abbreviated to pwdLockOut. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.

Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: passwordLockout: off

2.3.1.124. passwordLockoutDuration (Lockout Duration)

Indicates the amount of time in seconds during which users are locked out of the directory after an account lockout.
Example: passwordMaxAge: 100

2.3.1.126. passwordMaxFailure (Maximum Password Failures)

Indicates the number of failed bind attempts after which a user is locked out of the directory. By default, account lockout is disabled. Enable account lockout by modifying the passwordLockout attribute. This can be abbreviated to pwdMaxFailure.
Default Value: 0
Syntax: Integer
Example: passwordMin8Bit: 0

2.3.1.129. passwordMinAge (Password Minimum Age)

Indicates the number of seconds that must pass before a user can change their password. Use this attribute in conjunction with the passwordInHistory (number of passwords to remember) attribute to prevent users from quickly cycling through passwords so that they can use their old password again.
Valid Range: 0 to 5
Default Value: 0
Syntax: Integer
Example: passwordMinCategories: 2
2.3.1.132. passwordMinDigits (Password Syntax)
This attribute sets the minimum number of digits a password must contain.
Entry DN: cn=config
Valid Range: 0 to 64
Default Value: 0
Syntax: Integer
Example: passwordMinDigits: 3
2.3.1.133.
Example: passwordMinLowers: 1
2.3.1.135. passwordMinSpecials (Password Syntax)
This attribute sets the minimum number of special (non-alphanumeric) characters a password must contain.
Entry DN: cn=config
Valid Range: 0 to 64
Default Value: 0
Syntax: Integer
Example: passwordMinSpecials: 1
2.3.1.136. passwordMinTokenLength (Password Syntax)
This attribute sets the smallest attribute value length that is used for trivial words checking; attribute values of the user's entry shorter than this length are not compared against the new password.
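The passwordMin* attributes above describe a per-character-class check plus the trivial words check. The following is an added example written for this page, not Directory Server code: it evaluates a candidate password against those settings and against the values of the user's own entry. The five categories counted for passwordMinCategories (lowercase, uppercase, digits, special, 8-bit), the inclusion of a passwordMinUppers setting that is not on this page, and the case-insensitive substring comparison used for the trivial words check are assumptions; the sample entry and policy are constructed.

```python
"""Password syntax check modelled on the passwordMin* attributes.

Added example, not Directory Server code. Assumptions (labelled here and
in the lead-in): the five categories counted by passwordMinCategories are
lowercase, uppercase, digits, special and 8-bit characters; the trivial
words check compares the candidate password, case-insensitively, against
the values of the user's own entry, ignoring any value shorter than
passwordMinTokenLength. passwordMinUppers is not on this page and is
included only so that all five categories can be counted.
"""
from dataclasses import dataclass


@dataclass
class SyntaxPolicy:
    passwordMinDigits: int = 0
    passwordMinLowers: int = 0
    passwordMinUppers: int = 0      # assumed counterpart of passwordMinLowers
    passwordMinSpecials: int = 0
    passwordMin8Bit: int = 0
    passwordMinCategories: int = 0  # 0 to 5
    passwordMinTokenLength: int = 3


def classify(password):
    """Count characters per category: lower, upper, digit, special, 8bit."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0, "8bit": 0}
    for ch in password:
        if ord(ch) > 127:
            counts["8bit"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:                      # anything non-alphanumeric, including space
            counts["special"] += 1
    return counts


def check_syntax(password, policy, entry):
    """Return the list of violations; an empty list means the password passes.

    entry maps attribute names to lists of values, as an LDAP entry would.
    """
    counts = classify(password)
    problems = []
    minimums = (
        ("passwordMinDigits", "digit"),
        ("passwordMinLowers", "lower"),
        ("passwordMinUppers", "upper"),
        ("passwordMinSpecials", "special"),
        ("passwordMin8Bit", "8bit"),
    )
    for attr, key in minimums:
        need = getattr(policy, attr)
        if counts[key] < need:
            problems.append(f"{attr}: need {need}, have {counts[key]}")

    categories = sum(1 for n in counts.values() if n > 0)
    if categories < policy.passwordMinCategories:
        problems.append(
            f"passwordMinCategories: need {policy.passwordMinCategories}, have {categories}")

    # Trivial words check: reject passwords that contain one of the entry's
    # own attribute values (uid, cn, sn, ...) of at least MinTokenLength.
    lowered = password.lower()
    for attr, values in entry.items():
        for value in values:
            if len(value) >= policy.passwordMinTokenLength and value.lower() in lowered:
                problems.append(f"trivial word: contains {attr} value {value!r}")
    return problems


# Constructed sample entry and policy for a stand-alone run.
SAMPLE_ENTRY = {
    "uid": ["jsmith"],
    "cn": ["John Smith"],
    "sn": ["Smith"],
    "givenName": ["John"],
    "initials": ["JS"],   # shorter than passwordMinTokenLength, so ignored
}
SAMPLE_POLICY = SyntaxPolicy(passwordMinDigits=1, passwordMinLowers=1,
                             passwordMinSpecials=1, passwordMinCategories=3,
                             passwordMinTokenLength=3)

if __name__ == "__main__":
    for candidate in ("Smith2024!", "passw0rd", "JS-rocks-2024", "correct-horse9Z"):
        print(candidate, check_syntax(candidate, SAMPLE_POLICY, SAMPLE_ENTRY) or "ok")
```

Note that "JS-rocks-2024" passes even though the entry's initials value "JS" appears in it: the value is shorter than passwordMinTokenLength, so it is not considered a trivial word.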
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordMustChange: off
2.3.1.139. passwordResetDuration
This attribute sets the amount of time that must pass after login failures before the server resets the password retry count to zero.
Example: passwordResetFailureCount: 600
2.3.1.141. passwordRetryCount
This attribute counts the number of consecutive failed attempts at entering the correct password. This is an operational attribute, meaning its value is managed by the server and the attribute is not returned in searches unless it is explicitly requested.
against attackers who try to break into the directory by repeatedly guessing a user's password. If the passwordUnlock attribute is set to off and the operational attribute accountUnlockTime has a value of 0, then the account is locked indefinitely. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
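The lockout attributes above (passwordLockout, passwordMaxFailure, passwordResetFailureCount, passwordLockoutDuration, passwordUnlock and the operational passwordRetryCount and accountUnlockTime) interact in ways that are easier to see in a walk-through. The following is an added example written for this page, not Directory Server code: it replays a sequence of bind attempts against a policy and reports what each attempt gets back. It assumes that a successful bind clears the retry count, that passwordResetFailureCount is counted in seconds from the last failure, and it uses retryCountResetTime and locked as state field names of its own; only passwordRetryCount and accountUnlockTime are attribute names taken from this page.

```python
"""Account lockout walk-through for the attributes described above.

Added example, not Directory Server code. Time is an integer number of
seconds so the scenarios are deterministic. Assumptions: a successful bind
clears passwordRetryCount; passwordResetFailureCount is in seconds and the
count goes back to zero once that many seconds have passed since the last
failure; retryCountResetTime and locked are field names chosen here, only
passwordRetryCount and accountUnlockTime are attributes named on this page.
"""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    passwordLockout: bool = False          # account lockout is disabled by default
    passwordMaxFailure: int = 3            # failed binds before lockout
    passwordResetFailureCount: int = 600   # seconds before the retry count resets
    passwordLockoutDuration: int = 3600    # seconds an account stays locked
    passwordUnlock: bool = True            # off = locked until an administrator intervenes


@dataclass
class AccountState:
    passwordRetryCount: int = 0
    retryCountResetTime: int = 0   # assumed name: when the count is due to reset
    accountUnlockTime: int = 0     # 0 together with passwordUnlock off = indefinite
    locked: bool = False


def bind(state, policy, now, password_ok):
    """Simulate one simple bind at time `now`; returns (allowed, reason)."""
    if state.locked:
        if policy.passwordUnlock and now >= state.accountUnlockTime:
            state.locked = False
            state.passwordRetryCount = 0
        else:
            return False, "account locked"

    if now >= state.retryCountResetTime:   # reset window elapsed
        state.passwordRetryCount = 0

    if password_ok:
        state.passwordRetryCount = 0
        return True, "ok"

    state.passwordRetryCount += 1
    state.retryCountResetTime = now + policy.passwordResetFailureCount
    if policy.passwordLockout and state.passwordRetryCount >= policy.passwordMaxFailure:
        state.locked = True
        state.accountUnlockTime = (now + policy.passwordLockoutDuration
                                   if policy.passwordUnlock else 0)
        return False, "locked out"
    return False, "invalid credentials"


def run_scenario(policy, attempts):
    """attempts: sequence of (time, password_ok); returns the reason per attempt."""
    state = AccountState()
    return [bind(state, policy, t, ok)[1] for t, ok in attempts]


if __name__ == "__main__":
    policy = LockoutPolicy(passwordLockout=True)
    # Three guesses in 20 seconds lock the account; the correct password is
    # refused while locked and accepted once passwordLockoutDuration elapses.
    print(run_scenario(policy, [(0, False), (10, False), (20, False), (30, True), (3700, True)]))
```

The second scenario in the test is the one worth remembering when tuning passwordResetFailureCount: failures spaced further apart than the reset window never accumulate to passwordMaxFailure, so a slow guessing attempt is only caught if the window is long enough.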
2.3.2. cn=changelog5
Multi-master replication changelog configuration entries are stored under the cn=changelog5 entry. The changelog behaves much like a database, and it has many of the attributes also used by the ldbm databases. The primary cache-related memory attribute, nsslapd-cachememsize, has a default value of 10485760 bytes (10 MB). This parameter is tuned for a single backend replicated to a single consumer.
Valid Values: Any valid path to the directory storing the changelog
Default Value: None
Syntax: DirectoryString
Example: nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance_name/changelogdb
2.3.2.2. nsslapd-changelogmaxage (Max Changelog Age)
This attribute sets the maximum age of any entry in the changelog. The changelog contains a record for each directory modification and is used when synchronizing consumer servers.
2.3.2.4. changes
This attribute contains the changes made to the entry for add and modify operations, in LDIF format.
OID: 2.16.840.1.113730.3.1.8
Syntax: Binary
Multi- or Single-Valued: Multi-valued
Defined in: Changelog Internet Draft
2.3.2.5. changeLog
This attribute contains the distinguished name of the entry which contains the set of entries comprising the server's changelog.
OID: 2.16.840.1.113730.3.1.
Multi- or Single-Valued: Multi-valued
Defined in: Changelog Internet Draft
2.3.2.9. deleteOldRdn
In the case of modrdn operations, this attribute specifies whether the old RDN was deleted.
OID: 2.16.840.1.113730.3.1.10
Syntax: Boolean
Multi- or Single-Valued: Multi-valued
Defined in: Changelog Internet Draft
2.3.2.10. filterInfo
This is used by the changelog for processing replication.
OID: 2.16.840.1.113730.3.1.
Multi- or Single-Valued: Multi-valued
Defined in: Changelog Internet Draft
2.3.3. cn=encryption
Encryption-related attributes are stored under the cn=encryption,cn=config entry. The cn=encryption,cn=config entry is an instance of the nsslapdEncryptionConfig object class.
2.3.3.1. nsSSLSessionTimeout
This attribute sets the lifetime of a TLS/SSL session. The minimum timeout value is 5 seconds. If a smaller value is set, then it is automatically replaced by 5 seconds.
Entry DN: cn=encryption, cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsSSL2: off
2.3.3.4. nsSSL3
Supports SSL version 3. The server has to be restarted for changes to this attribute to go into effect. Note that SSL 3.0 has since been deprecated (RFC 7568 prohibits its use) and should be left off on any current deployment in favour of TLS.
Entry DN: cn=encryption, cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsSSL3: on
2.3.3.5.
• tls_rsa_export1024_with_des_cbc_sha
Default Value:
Syntax: DirectoryString
Use the plus (+) symbol to enable or the minus (-) symbol to disable, followed by the cipher name. Separate entries with commas; blank spaces are not allowed in the list of ciphers. To enable all ciphers except rsa_null_md5, which must be specifically named, specify +all. The export-grade and null ciphers in this list provide no meaningful confidentiality; when +all is used, disable them explicitly (for example, +all,-tls_rsa_export1024_with_des_cbc_sha) rather than leaving them enabled.
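The +/- list syntax above is simple but its edge cases (ordering, +all not covering rsa_null_md5, no blanks) are exactly where a misconfiguration hides. The following is an added example written for this page, not Directory Server code: it resolves a cipher list of this form (the nsSSL3Ciphers attribute under cn=encryption) into the set of enabled ciphers and flags the weak ones. CATALOG is a constructed, partial list in this attribute's naming style, of which only rsa_null_md5 and tls_rsa_export1024_with_des_cbc_sha appear on this page; that later entries override earlier ones, and the weak-cipher heuristic, are assumptions of the example.

```python
"""Resolve a +/- cipher list of the kind described above into the set of
enabled ciphers.

Added example, not Directory Server code. CATALOG is a constructed, partial
list of cipher names in the naming style of this attribute; only
rsa_null_md5 and tls_rsa_export1024_with_des_cbc_sha appear on this page.
Assumptions: entries are comma-separated and later entries override earlier
ones; +all means every catalogue entry except rsa_null_md5, which has to be
named explicitly; the weak-cipher classification is a reviewer's heuristic,
not a server setting.
"""

CATALOG = {
    "rsa_rc4_128_md5", "rsa_3des_sha", "rsa_des_sha",
    "rsa_rc4_40_md5", "rsa_rc2_40_md5",
    "rsa_null_md5", "rsa_null_sha",
    "tls_rsa_export1024_with_rc4_56_sha",
    "tls_rsa_export1024_with_des_cbc_sha",
}


def resolve_ciphers(spec, catalog=CATALOG):
    """Apply '+name', '-name' and '+all'/'-all' tokens in order."""
    if any(ch.isspace() for ch in spec):
        raise ValueError("blank spaces are not allowed in the cipher list")
    enabled = set()
    for token in spec.split(","):
        if not token:
            continue
        sign, name = token[0], token[1:].lower()
        if sign not in "+-" or not name:
            raise ValueError(f"malformed token {token!r}")
        if name == "all":
            names = catalog - {"rsa_null_md5"}   # rsa_null_md5 must be named explicitly
        elif name in catalog:
            names = {name}
        else:
            raise ValueError(f"unknown cipher {name!r}")
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def is_weak(name):
    """Heuristic: null, export-grade, 40-bit and single-DES ciphers."""
    return ("null" in name or "export" in name or "_40_" in name
            or name == "rsa_des_sha")


def weak_ciphers(enabled):
    return {name for name in enabled if is_weak(name)}


if __name__ == "__main__":
    for spec in ("+all", "+all,-tls_rsa_export1024_with_des_cbc_sha",
                 "+rsa_3des_sha,+rsa_rc4_128_md5,-rsa_rc4_128_md5"):
        enabled = resolve_ciphers(spec)
        print(spec, "->", sorted(enabled), "weak:", sorted(weak_ciphers(enabled)))
```

Running it against "+all" shows why that shortcut deserves review: everything export-grade and the null SHA cipher come along with it, and only rsa_null_md5 stays out.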
2.3.5. cn=mapping tree
• Configuration attributes for suffixes, replication, and Windows synchronization are stored under cn=mapping tree,cn=config. Configuration attributes related to suffixes are found under the suffix subentry cn=suffix, cn=mapping tree,cn=config. A suffix is the root entry of a directory tree, such as dc=example,dc=com.
• Replication configuration attributes are stored under cn=replica, cn=suffix, cn=mapping tree,cn=config.
Example: nsslapd-state: backend
2.3.6.2. nsslapd-backend
Gives the name of the database or database link used to process requests. This attribute can be multi-valued, with one database or database link per value. This attribute is required when the value of the nsslapd-state attribute is set to backend or referral on update.
2.3.7.2. nsds5DebugReplicaTimeout
This attribute gives an alternate timeout period to use when replication is run with debug logging. It can set only the time, or both the time and the debug level:
nsds5debugreplicatimeout: seconds[:debuglevel]
Entry DN: cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: Any numeric string
Default Value:
Syntax: DirectoryString
Example: nsds5debugreplicatimeout: 60:8192
2.3.7.3.
Replication Attributes under cn=replica, cn="suffixDN", cn=mapping tree, cn=config
Each value should be the DN of a local entry on the consumer server. If replication suppliers are using client certificate-based authentication to connect to the consumers, configure the certificate mapping on the consumer to map the subjectDN in the certificate to a local entry.
Entry DN: cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: true | false
Default Value: false
Syntax: DirectoryString
Example: nsDS5ReplicaLegacyConsumer: false
2.3.7.9. nsDS5ReplicaName
This attribute specifies the name of the replica with a unique identifier for internal operations. If it is not specified, this unique identifier is allocated by the server when the replica is created.
This attribute specifies the interval, in seconds, to perform internal purge operations on an entry. When setting this attribute, ensure that the purge delay is longer than the longest replication cycle in the replication policy, to preserve enough information to resolve replication conflicts and to prevent the copies of data stored on different servers from diverging.
Periodically, the server runs an internal housekeeping operation to purge old update and state information from the changelog and the main database. See Section 2.3.7.10, “nsDS5ReplicaPurgeDelay”. When setting this attribute, remember that the purge operation is time-consuming, especially if the server handles many delete operations from clients and suppliers.
2.3.7.16. nsds5Task
This attribute is used to launch a replication task, such as dumping the database contents to LDIF. It is used internally by the Directory Server supplier.
2.3.7.17. nsState
This attribute stores information on the state of the clock.
empty if certificate-based authentication is used, in which case the DN used is the subject DN of the certificate, and the consumer must have appropri­ate client certificate mapping enabled. This can also be modified.
Replication Attributes under cn=ReplicationAgreementName, cn=replica, cn="suffixName", cn=mapping tree, cn=config
Valid Values: Any valid integer
Default Value: 3
Syntax: Integer
Example: nsDS5ReplicaBusyWaitTime: 3
2.3.8.6. nsDS5ReplicaChangesSentSinceStartup
This read-only attribute shows the number of changes sent to this replica since the server started.
Valid Values: Any valid host server name
Default Value:
Syntax: DirectoryString
Example: nsDS5ReplicaHost: ldap2.example.com
2.3.8.9. nsDS5ReplicaLastInitEnd
This optional, read-only attribute states when the initialization of the consumer replica ended.
Entry DN: cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: 0 (Consumer Initialization Succeeded), followed by any other status message
Default Value:
Syntax: String
Example: nsDS5ReplicaLastInitStatus: 0 Total update succeeded
2.3.8.12.
2.3.8.14. nsDS5ReplicaLastUpdateStatus
This read-only attribute provides the status of the most recent replication schedule update. The format is a numeric code followed by a short string; zero (0) means success.
2.3.8.17. nsDS5BeginReplicaRefresh
Initializes the replica. This attribute is absent by default. If it is added with a value of start, the server initializes the replica and then removes the attribute value. To monitor the status of the initialization procedure, poll for this attribute.
When setting the values, ensure that the nsDS5ReplicaSessionPauseTime interval is at least 1 second longer than the interval specified for nsDS5ReplicaBusyWaitTime. Increase the interval as needed until there is an acceptable distribution of consumer access among the suppliers. The nsDS5ReplicaSessionPauseTime attribute can be set at any time by using changetype: modify with the replace operation.
Valid Range: 0 to the maximum 32-bit integer value (2147483647), in seconds
Default Value: 600
Syntax: Integer
Example: nsDS5ReplicaTimeout: 600
2.3.8.22. nsDS5ReplicaTransportInfo
This attribute sets the type of transport used for transporting data to and from the replica.
Valid Range: A time schedule presented as XXXX-YYYY 0123456, where XXXX is the starting time and YYYY the finishing time, both written as HHMM on a 24-hour clock, and the digits 0123456 are the days of the week, starting with Sunday as 0
Default Value: 0000-2359 0123456 (all the time)
Syntax: Integer
Example: nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
2.3.8.25.
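Three of the agreement attributes in this section carry structured values or a cross-attribute rule: nsDS5ReplicaUpdateSchedule ("XXXX-YYYY 0123456"), nsds5DebugReplicaTimeout ("seconds[:debuglevel]") and the requirement that nsDS5ReplicaSessionPauseTime be at least one second longer than nsDS5ReplicaBusyWaitTime. The following is an added example written for this page, not Directory Server code: it parses and validates those values and answers whether a given moment falls inside a replication window. It assumes the finishing time is inclusive (so 0000-2359 covers the whole day), that a window does not cross midnight, and that the weekday digits run Sunday=0 to Saturday=6 as the attribute description says; the timestamps in the test are constructed.

```python
"""Parse and validate the replication-agreement timing attributes
described above: nsDS5ReplicaUpdateSchedule ('XXXX-YYYY 0123456'),
nsds5DebugReplicaTimeout ('seconds[:debuglevel]') and the rule that
nsDS5ReplicaSessionPauseTime must exceed nsDS5ReplicaBusyWaitTime by at
least one second.

Added example, not Directory Server code. Assumptions: the schedule's
finishing time is inclusive (0000-2359 covers the whole day), windows do not
cross midnight, and weekday digits run Sunday=0 to Saturday=6 as the
attribute description states.
"""
import re
from datetime import datetime

SCHEDULE_RE = re.compile(r"^(\d{4})-(\d{4}) ([0-6]{1,7})$")


def _minutes(hhmm):
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"bad time {hhmm!r}")
    return hours * 60 + minutes


def parse_update_schedule(value):
    """'HHMM-HHMM days' -> (start_minute, end_minute, set_of_weekdays)."""
    match = SCHEDULE_RE.match(value)
    if not match:
        raise ValueError(f"bad nsDS5ReplicaUpdateSchedule {value!r}")
    start, end, days = match.groups()
    start_min, end_min = _minutes(start), _minutes(end)
    if start_min > end_min:
        raise ValueError("window must not cross midnight (assumption)")
    return start_min, end_min, {int(d) for d in days}


def in_update_window(value, when):
    """True if datetime `when` falls inside the schedule."""
    start_min, end_min, days = parse_update_schedule(value)
    weekday = (when.weekday() + 1) % 7          # Python Monday=0 -> schedule Sunday=0
    now_min = when.hour * 60 + when.minute
    return weekday in days and start_min <= now_min <= end_min


def in_update_window_iso(value, iso_timestamp):
    """Same check from an ISO 8601 string such as '2024-01-07T02:30'."""
    return in_update_window(value, datetime.fromisoformat(iso_timestamp))


def parse_debug_timeout(value):
    """'seconds[:debuglevel]' -> (seconds, debuglevel or None)."""
    parts = value.split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad nsds5DebugReplicaTimeout {value!r}")
    return int(parts[0]), (int(parts[1]) if len(parts) == 2 else None)


def session_pause_ok(busy_wait, session_pause):
    """nsDS5ReplicaSessionPauseTime must be at least 1 s longer than BusyWaitTime."""
    return session_pause >= busy_wait + 1


if __name__ == "__main__":
    night = "0100-0400 06"   # Saturday and Sunday, 01:00 to 04:00
    print(in_update_window_iso(night, "2024-01-07T02:30"))   # Sunday
    print(in_update_window_iso(night, "2024-01-08T02:30"))   # Monday
    print(parse_debug_timeout("60:8192"), session_pause_ok(3, 4))
```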
Synchronization Attributes under cn=syncAgreementName, cn=WindowsReplica, cn="suffixName", cn=mapping tree, cn=config
2.3.9.1. nsds7DirectoryReplicaSubtree
The suffix or DN of the Directory Server subtree that is being synchronized.
Entry DN: cn=syncAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: Any valid suffix or subsuffix
Default Value:
Syntax: DirectoryString
Example: nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
2.3.9.2.
Entry DN: cn=syncAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: on | off
Default Value:
Syntax: DirectoryString
Example: nsDS7NewWinUserSyncEnabled: on
2.3.9.5. nsds7WindowsDomain
This attribute sets the name of the Windows domain to which the Windows sync peer belongs.
Valid Values: 1 to the maximum 32-bit integer value (2147483647)
Default Value: 300
Syntax: Integer
Example: winSyncInterval: 600
2.3.10. cn=monitor
Information used to monitor the server is stored under cn=monitor. This entry and its children are read-only; clients cannot directly modify them. The server updates this information automatically. This section describes the cn=monitor attributes.
• E: the bind DN. This may be empty or have the value NULLDN for anonymous connections.
currentConnections: This attribute shows the number of currently open and active Directory Server connections.
totalConnections: This attribute shows the total number of Directory Server connections. This number includes connections that have been opened and closed since the server was last started, in addition to the currentConnections.
threads: This attribute shows the number of threads used by the Directory Server. This should correspond to nsslapd-threadnumber in cn=config.
nbackEnds: This attribute shows the number of Directory Server database backends.
backendMonitorDN: This attribute shows the DN for each Directory Server database backend. For further information on monitoring the database, see the following sections:
• Section 3.4.
2.3.12.2. nsSaslMapFilterTemplate
This attribute contains the search filter template used in SASL identity mapping.
Entry DN: cn=mapping_name, cn=mapping, cn=sasl, cn=config
Valid Values: Any string
Default Value:
Syntax: IA5String
Example: nsSaslMapFilterTemplate: (cn=\1)
2.3.12.3. nsSaslMapRegexString
This attribute contains a regular expression used to map SASL identity strings.
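A SASL mapping is the triple nsSaslMapRegexString, nsSaslMapBaseDNTemplate and nsSaslMapFilterTemplate: the regex is matched against the SASL identity, and its capture groups are substituted for \1, \2, ... in the two templates to produce the search that locates the bind entry. The following is an added example written for this page, not Directory Server code, that performs that substitution for a constructed list of mappings. Its regular expressions use Python's re syntax, whereas Directory Server evaluates its own regex dialect (where capturing groups are written with escaped parentheses); that the whole identity must match and that group values are copied into the templates without escaping are assumptions. The third, deliberately permissive mapping shows why the regex should constrain what a group may contain: filter metacharacters in the identity reach the filter unchanged.

```python
r"""SASL identity mapping as configured by nsSaslMapRegexString,
nsSaslMapBaseDNTemplate and nsSaslMapFilterTemplate.

Added example, not Directory Server code. The regular expressions here use
Python's re syntax; Directory Server evaluates its own regex dialect, in
which capturing groups are written with escaped parentheses. Assumptions:
the whole identity must match, and backslash-digit references in both
templates are replaced with the corresponding capture groups exactly as
captured, without escaping.
"""
import re

GROUP_REF = re.compile(r"\\([1-9])")


def apply_sasl_mapping(identity, regex, base_dn_template, filter_template):
    """Return (search_base, search_filter), or None if the regex does not match."""
    match = re.fullmatch(regex, identity)
    if match is None:
        return None

    def expand(template):
        return GROUP_REF.sub(lambda m: match.group(int(m.group(1))), template)

    return expand(base_dn_template), expand(filter_template)


# Constructed mappings. The first two restrict what a capture group may
# contain; PERMISSIVE is deliberately loose to show what reaches the filter.
MAPPINGS = [
    # plain uid, up to 32 characters of a conservative alphabet
    (r"([a-z][a-z0-9._-]{0,31})",
     "ou=People,dc=example,dc=com", r"(uid=\1)"),
    # Kerberos-style principal in one realm: realm checked, user kept
    (r"([a-z][a-z0-9._-]{0,31})@EXAMPLE\.COM",
     "ou=People,dc=example,dc=com", r"(uid=\1)"),
]
PERMISSIVE = (r"(.*)", "dc=example,dc=com", r"(cn=\1)")


def map_identity(identity, mappings=MAPPINGS):
    """Try each mapping in order; first match wins, None if nothing matches."""
    for regex, base, flt in mappings:
        result = apply_sasl_mapping(identity, regex, base, flt)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    print(map_identity("jsmith"))
    print(map_identity("jsmith@EXAMPLE.COM"))
    print(map_identity("jsmith@OTHER.COM"))
    # Filter metacharacters in the identity pass straight into the template.
    print(apply_sasl_mapping("*)(uid=admin", *PERMISSIVE))
```

With the restrictive mappings the identity "*)(uid=admin" simply fails to map; with PERMISSIVE it becomes the filter "(cn=*)(uid=admin)". An anchored regex with a closed character class is the configuration-side fix.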
cn=SNMP
Entry DN: cn=SNMP, cn=config
Valid Values: Organization name
Default Value:
Syntax: DirectoryString
Example: nssnmporganization: Red Hat, Inc.
2.3.13.3. nssnmplocation
This attribute sets the location within the company or organization where the Directory Server resides.
Entry DN: cn=SNMP, cn=config
Valid Values: Location
Default Value:
Syntax: DirectoryString
Example: nssnmplocation: B14
2.3.13.4.
Entry DN: cn=SNMP, cn=config
Valid Values: machine hostname or localhost
Default Value:
Syntax: DirectoryString
Example: nssnmpmasterhost: localhost
2.3.13.7. nssnmpmasterport
The nssnmpmasterport attribute was deprecated with the introduction of net-snmp. The attribute still appears in dse.ldif but without a default value.
SNMP Statistic Attributes
SimpleAuthBinds: This shows the number of LDAP simple bind requests (DN and password).
StrongAuthBinds: This shows the number of LDAP SASL bind requests, for all SASL mechanisms.
BindSecurityErrors: This shows the number of times an invalid password was given in a bind request.
InOps: This shows the total number of all requests received by the server.
ReadOps: Not used. This value is always 0.
ReferralsReturned: This provides information on referrals returned as search results (continuation references).
MasterEntries: Not used. This value is always 0.
CopyEntries: Not used. This value is always 0.
CacheEntries: If the server has only one database backend, this is the number of entries cached in the entry cache.
CacheHits:
SlaveHits:
cn=tasks
The common attributes for these tasks are listed in Section 2.3.15.1, “Task Invocation Attributes for Entries under cn=tasks”. The cn=tasks entry itself has no attributes and serves as the parent and container entry for the individual task entries.
IMPORTANT: Task entries are not permanent configuration entries. They only exist in the configuration file for as long as the task operation is running or until the ttl period expires. Then the entry is deleted automatically by the server.
2.3.15.1.
Example: nsTaskStatus: Loading entries....
nsTaskLog: This attribute contains all of the log messages for the task, including both warning and information messages. New messages are appended to the end of the attribute value, so the value grows larger without erasing the original contents. Successful task operations, which have an nsTaskExitCode of 0, are recorded only in the nsTaskLog attribute.
progress bar. When the nsTaskCurrentItem attribute has the same value as nsTaskTotalItems, the task is completed. This attribute value is set by the server and should not be edited.
information without missing the exit code. Setting the ttl attribute to 0 means that the entry is not cached: it is removed as soon as the task finishes.
Entry DN: cn=task_name, cn=task_type, cn=tasks, cn=config
Valid Values: 0 (cannot be cached) to the maximum 32-bit integer value (2147483647)
Default Value:
Syntax: DirectoryString
Example: ttl: 120
2.3.15.2.
nsFilename: The nsFilename attribute contains the path and filenames of the LDIF files to import into the Directory Server instance. To import multiple files, add multiple instances of this attribute. For example:
nsFilename: file1.ldif
nsFilename: file2.ldif
Entry DN: cn=task_name, cn=import, cn=tasks, cn=config
Valid Values: Any string
Default Value:
Syntax: Case-exact string, multi-valued
Example: nsFilename: /home/jsmith/example.
Valid Values: Any DN
Default Value:
Syntax: DN, multi-valued
Example: nsExcludeSuffix: ou=machines,dc=example,dc=com
nsImportChunkSize: This attribute defines the size of the chunks (the number of entries processed per import pass) during the import operation, which overrides the server's own detection of when to start a new pass and merge the chunks.
nsUniqueIdGeneratorNamespace: This attribute defines how to generate name-based IDs; the attribute sets the namespace to use to generate the IDs. This option is useful for importing the same LDIF file into two Directory Server instances when the entries need to have the same IDs.
Entry DN: cn=task_name, cn=import, cn=tasks, cn=config
Valid Values: Any string
Default Value:
Syntax: Case-insensitive string
Example: nsUniqueIdGeneratorNamespace: example
2.3.15.3.
Entry DN: cn=task_name, cn=export, cn=tasks, cn=config
Valid Values: Any DN
Default Value:
Syntax: DN, multi-valued
Example: nsExcludeSuffix: ou=machines,dc=example,dc=com
nsUseOneFile: This attribute sets whether to export all of the selected databases to a single LDIF file or to separate LDIF files.
nsUseId2Entry: The nsUseId2Entry attribute uses the main database index, id2entry, to define the exported LDIF entries.
Entry DN: cn=task_name, cn=export, cn=tasks, cn=config
Valid Values: true | false
Default Value: false
Syntax: Case-insensitive string
Example: nsUseId2Entry: true
nsNoWrap: This attribute sets whether to wrap long lines in the LDIF file.
dn: cn=example backup, cn=backup, cn=tasks, cn=config
objectclass: extensibleObject
cn: example backup
nsArchiveDir: /export/backups/
nsDatabaseType: ldbm database
As the backup operation runs, the task entry will contain all of the server-generated task attributes listed in Section 2.3.15.1, “Task Invocation Attributes for Entries under cn=tasks”.
nsArchiveDir: This attribute gives the location of the directory to which to write the backup.
A restore task entry under cn=restore must contain the location of the directory from which to retrieve the archive copy (in the nsArchiveDir attribute) and the type of database being restored (in the nsDatabaseType attribute). Additionally, it must contain a unique cn to identify the task.
Alternatively, the index task can be used to generate virtual list view (VLV) indexes for an attribute using the nsIndexVLVAttribute attribute. This is the same as running the vlvindex script.
Default Value:
Syntax: Case-insensitive string, multi-valued
Example:
nsIndexAttribute: "cn:pres,eq"
nsIndexAttribute: "description:sub"
2.3.15.7. cn=schema reload task
The directory schema is loaded when the directory instance is started or restarted.
Example: cn: example reload task ID
schemadir: This contains the full path to the directory containing the custom schema file.
Entry DN: cn=task_name, cn=schema reload task, cn=tasks, cn=config
Valid Values: Any local directory path
Default Value: /etc/dirsrv/slapd-instance_name/schema
Syntax: DirectoryString
Example: schemadir: /export/schema/
2.3.15.8.
Valid Values: Any DN
Default Value:
Syntax: DN
Example: basedn: ou=people, dc=example, dc=com
filter: This attribute gives an optional LDAP filter to use to select which user entries have their memberOf attribute updated. Each member of a group has a corresponding user entry in the directory.
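The import, export, backup, restore and memberOf fixup tasks above are all created the same way: an extensibleObject entry added under the matching cn=<type>, cn=tasks, cn=config container, with the task's own attributes and an optional ttl. The following is an added example written for this page, not Directory Server code, that builds such an entry as LDIF text and refuses to emit one that lacks the attributes the section says are required. It assumes that nsFilename is required for an import task and basedn for a memberOf fixup task (the page states the requirement explicitly only for backup and restore), that the fixup task container is named "memberOf task", and it applies the LDIF rule that values starting with a space, colon or "<", ending with a space, or containing non-ASCII or control characters are base64-encoded after "::".

```python
"""Build LDIF for task entries under cn=tasks,cn=config (import, export,
backup, restore, memberOf fixup) with the attributes this section describes.

Added example, not Directory Server code. Assumptions: nsFilename is
required for an import task and basedn for a memberOf fixup task (the page
states the requirement only for backup and restore); the fixup container is
assumed to be "memberOf task"; a value that starts with a space, colon or
'<', ends with a space, or contains non-ASCII or control characters is
base64-encoded with '::' as LDIF requires.
"""
import base64

MAX_TTL = 2147483647   # ttl valid range is 0 to the maximum 32-bit integer

# Attributes a task entry must carry before it is worth submitting.
REQUIRED = {
    "backup": ("nsArchiveDir", "nsDatabaseType"),
    "restore": ("nsArchiveDir", "nsDatabaseType"),
    "import": ("nsFilename",),          # assumption
    "memberOf task": ("basedn",),       # assumption
}


def ldif_line(attr, value):
    """One LDIF attribute line, base64-encoding values that need it."""
    needs_b64 = bool(value) and (
        value[0] in " :<" or value[-1] == " "
        or not value.isascii()
        or any(ord(c) < 32 or ord(c) == 127 for c in value))
    if needs_b64:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def task_entry(task_type, name, attrs, ttl=None):
    """Return the LDIF text for cn=<name>, cn=<task_type>, cn=tasks, cn=config.

    attrs maps attribute names to a string or a list of strings; multi-valued
    attributes such as nsFilename are written once per value.
    """
    missing = [a for a in REQUIRED.get(task_type, ()) if a not in attrs]
    if missing:
        raise ValueError(f"{task_type} task is missing {', '.join(missing)}")
    if ttl is not None and not 0 <= ttl <= MAX_TTL:
        raise ValueError(f"ttl {ttl} outside 0..{MAX_TTL}")

    lines = [
        f"dn: cn={name}, cn={task_type}, cn=tasks, cn=config",
        "objectclass: extensibleObject",
        ldif_line("cn", name),
    ]
    if ttl is not None:
        lines.append(f"ttl: {ttl}")
    for attr, values in attrs.items():
        for value in ([values] if isinstance(values, str) else values):
            lines.append(ldif_line(attr, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(task_entry("backup", "example backup",
                     {"nsArchiveDir": "/export/backups/",
                      "nsDatabaseType": "ldbm database"}))
    print(task_entry("import", "example import",
                     {"nsFilename": ["file1.ldif", "file2.ldif"],
                      "nsExcludeSuffix": "ou=machines,dc=example,dc=com"}, ttl=120))
    print(task_entry("memberOf task", "fixup people",
                     {"basedn": "ou=people, dc=example, dc=com",
                      "filter": "(objectclass=inetOrgPerson)"}))
```

The output is what would be fed to ldapadd as the Directory Manager; because task entries are removed once the task and its ttl expire, keeping the ttl small but non-zero is what lets a script read nsTaskExitCode and nsTaskLog after the task completes.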
To configure Directory Server to maintain a changelog that is compatible with the changelog implemented in Directory Server 4.1x, enable the Retro Changelog Plug-in. Each entry in the changelog has the changeLogEntry object class. This object class is defined in the Changelog Internet Draft.
Superior Class: top
OID: 2.16.840.1.113730.3.2.1
Required Attributes:
objectClass: Defines the object classes for the entry.
Required Attributes:
objectClass: Gives the object classes assigned to the entry.
Allowed Attributes:
cn: Specifies the common name of the entry.
multiLineDescription: Gives a text description of the entry.
oid: Specifies the OID of the feature.
2.4.3. nsBackendInstance (Object Class)
This object class is used for the Directory Server backend, or database, instance entry.
Allowed Attributes:
cn (commonName): Gives the common name of the entry.
2.4.5. nsContainer (Object Class)
Some entries do not define any specific entity, but they create a defined space within the directory tree as a parent entry for similar or related child entries. These are container entries, and they are identified by the nsContainer object class.
Superior Class: top
OID: 2.16.840.1.113730.3.2.
nsDS5ReplicaId: Specifies the unique ID for suppliers in a replication environment.
nsDS5ReplicaRoot: Specifies the suffix DN at the root of a replicated area.
Allowed Attributes:
cn: Gives the name for the replica.
nsDS5Flags: Specifies information that has been previously set in flags.
nsDS5ReplicaAutoReferral: Sets whether the server will follow configured referrals for the Directory Server database.
nsDS5ReplicationAgreement (Object Class)
OID: 2.16.840.1.113730.3.2.103
Required Attributes:
objectClass: Defines the object classes for the entry.
cn: Used for naming the replication agreement.
Allowed Attributes:
description: Contains a free text description of the replication agreement.
nsDS5BeginReplicaRefresh: Initializes a replica manually.
nsds5debugreplicatimeout: Gives an alternate timeout period to use when the replication is run with debug logging.
nsDS5ReplicatedAttributeList: Specifies any attributes that will not be replicated to a consumer server.
nsDS5ReplicaTimeout: Specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing.
nsDS5ReplicaTransportInfo: Specifies the type of transport used for transporting data to and from the replica.
nsDSWindowsReplicationAgreement (Object Class)
nsDS5ReplicaBindMethod: Specifies the method (SSL or simple authentication) to use for binding.
nsDS5ReplicaBusyWaitTime: Specifies the amount of time in seconds the Directory Server should wait after the Windows server sends back a busy response before making another attempt to acquire access.
nsDS5ReplicaChangesSentSinceStartup: Shows the number of changes sent since the Directory Server started.
nsds7DirsyncCookie: Contains a cookie set by the sync service that functions as an RUV.
nsds7NewWinGroupSyncEnabled: Specifies whether new Windows group accounts are automatically created on the Directory Server.
nsds7NewWinUserSyncEnabled: Specifies whether new Windows user accounts are automatically created on the Directory Server.
Superior Class: top
OID: 2.16.840.1.113730.3.2.317
Required Attributes:
objectClass: Defines the object classes for the entry.
cn: Gives the name of the SASL mapping entry.
nsSaslMapBaseDNTemplate: Contains the search base DN template.
nsSaslMapFilterTemplate: Contains the search filter template.
nsSaslMapRegexString: Contains a regular expression to match SASL identity strings.
2.4.11.
OID: 2.16.840.1.113730.3.2.13
Required Attributes:
objectClass: Gives the object classes assigned to the entry.
Allowed Attributes:
passwordMaxAge: Sets the number of seconds after which user passwords expire.
passwordExp: Identifies whether the user's password expires after an interval given by the passwordMaxAge attribute.
passwordMustChange: Identifies whether users must change their passwords when they first log in to the directory or after the password is reset by the Directory Manager.
passwordStorageScheme: Sets the encoding scheme (hashing algorithm) used to store Directory Server passwords.
passwordMinAge: Sets the number of seconds that must pass before a user can change their password.
2.5.1. Legacy Server Attributes
These attributes were originally used to configure the server instance entries for Directory Server 4.x and older servers.
2.5.1.1. LDAPServer (Object Class)
This object class identifies the LDAP server information. It is defined by Directory Server.
Superior Class: top
OID: 2.16.840.1.113730.3.2.35
Required Attributes:
objectClass: Gives the object classes assigned to the entry.
2.5.1.3. changeLogMaximumConcurrentWrites
This attribute sets the maximum number of concurrent writes that can be written to the changelog.
OID: 2.16.840.1.113730.3.1.205
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server
2.5.1.4. changeLogMaximumSize
This attribute sets the maximum size for the changelog.
OID: 2.16.840.1.113730.3.1.201
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server
2.5.1.5.
2.5.2. Legacy Replication Attributes
These attributes were originally used to configure replication for Directory Server 4.x and older servers. Some forms of replication, like consumer-initiated replication, are no longer supported.
WARNING: These attributes are for reference only. Do not attempt to configure replication using these attributes. See Section 2.4.6, “nsDS5Replica (Object Class)” and Section 2.4.
cirUpdateFailedAt: Stores the timestamp of the last failed update attempt.
cirBeginORC: Sets whether the database deletes its contents before beginning replication.
replicaNickname: Identifies the name for the replication agreement.
replicaEntryFilter: Identifies the entries to be replicated.
replicatedAttributeList: Identifies the attribute list to be replicated.
2.5.2.2.
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server
2.5.2.6. cirLastUpdateApplied
For consumer-initiated replication, this attribute stores the change number of the last change sent to the consumer.
OID: 2.16.840.1.113730.3.1.86
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server
2.5.2.7. cirPort
In consumer-initiated replication, this attribute gives the port number of the supplier.
OID: 2.16.840.1.
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server
2.5.2.11. cirUpdateSchedule
For consumer-initiated replication, this attribute sets the schedule for replication.
OID: 2.16.840.1.113730.3.1.87
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server
2.5.2.12. cirUsePersistentSearch
This attribute sets whether to use persistent connections with consumer-initiated replication.
OID: 2.16.840.1.113730.3.1.
cn: Specifies the common name of the entry.
Allowed Attributes:
description: Gives a text description of the entry.
localityName: Gives the city or geographical location of the entry.
ou: Gives the organizational unit or division to which the account belongs.
seeAlso: Contains a URL to another entry or site with related information.
replicaroot: Stores the root suffix to be replicated.
Defined in: Directory Server
2.5.2.16. replicaBeginOrc
For online replication creation (ORC), the consumer server can dump its entire database and allow the supplier to send it completely fresh information. The replicaBeginOrc attribute sets whether the consumer deletes its database. Its values are either start or stop.
OID: 2.16.840.1.113730.3.1.50
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server
2.5.2.17.
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server
2.5.2.21. replicaEntryFilter
This attribute contains an LDAP filter to use to identify the entries to be replicated.
OID: 2.16.840.1.113730.3.1.203
Syntax: IA5String
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server
2.5.2.22. replicaHost
This attribute contains the hostname of the replica server.
OID: 2.16.840.1.113730.3.1.
Defined in: Directory Server
2.5.2.26. replicaRoot
This attribute sets the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified.
OID: 2.16.840.1.113730.3.1.57
Syntax: DN
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server
2.5.2.27. replicatedAttributeList
This attribute specifies any attributes that are replicated to a consumer server.
OID: 2.16.840.1.113730.3.1.
Defined in: Directory Server
2.5.2.31. replicaUseSSL
This attribute sets whether to use a secure connection (SSL) for replication.
OID: 2.16.840.1.113730.3.1.
Chapter 3. Plug-in Implemented Server Functionality Reference This chapter contains reference information on Red Hat Directory Server plug-ins. The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins, cn=config.
Plug-in Parameter Description
Configurable Arguments List of attributes (uid mail userPassword) followed by "," and then suffixes on which the check is to occur.
Dependencies None
Performance Related Information None
Further Information If the Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off.
3.1.2.
3.1.4. Attribute Uniqueness Plug-in
Plug-in Parameter Description
Plug-in Name Attribute Uniqueness Plug-in
DN of Configuration Entry cn=Attribute Uniqueness, cn=plugins, cn=config
Description Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique.
Plug-in Parameter Description
DN of Configuration Entry cn=Binary Syntax, cn=plugins, cn=config
Description Syntax for handling binary data
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information
3.1.6.
Case Ignore String Syntax Plug-in
Plug-in Parameter Description
Further Information
3.1.8.
Plug-in Parameter Description
DN of Configuration Entry cn=Class of Service, cn=plugins, cn=config
Description Allows for sharing of attributes between entries
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Distributed Numeric Assignment Plug-in
Plug-in Parameter Description
Further Information
3.1.13.
3.1.15. HTTP Client Plug-in
Plug-in Parameter Description
Plug-in Name HTTP Client
DN of Configuration Entry cn=HTTP Client, cn=plugins, cn=config
Description HTTP client plug-in
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies Database
Performance Related Information
Further Information
3.1.16.
JPEG Syntax Plug-in
Plug-in Parameter Description
specifies the location of the /etc/dirsrv/config/slapd-collations.conf file. This file stores the collation orders and locales used by the Internationalization Plug-in.
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Plug-in Parameter Description
Further Information See the "Configuring Directory Databases" chapter in the Directory Server Administrator's Guide.
3.1.20. Legacy Replication Plug-in
Plug-in Parameter Description
Plug-in Name Legacy Replication Plug-in
DN of Configuration Entry cn=Legacy Replication plug-in, cn=plugins, cn=config
Description Enables a current version Directory Server to be a consumer of a 4.
Multi-master Replication Plug-in
3.1.22.
Plug-in Parameter Description
Default Setting on
Configurable Arguments None
Dependencies None
Performance Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information
3.1.25. Password Storage Schemes
The cn=Password Storage Schemes entry is a container entry, not a plug-in entry itself.
Postal Address String Syntax Plug-in
Storage Scheme Name Usage Notes
compatibility for any entries stored in the directory with passwords encrypted with the NSMTA-MD5 password storage scheme.
SHA If there are no passwords encrypted using the SHA password storage scheme, this plug-in can be turned off. Instead of encrypting passwords with the SHA password storage scheme, Red Hat recommends choosing SSHA because it is more secure.
Plug-in Parameter Description
Further Information
3.1.27. PTA Plug-in
Plug-in Parameter Description
Plug-in Name Pass-Through Authentication Plug-in
DN of Configuration Entry cn=Pass Through Authentication, cn=plugins, cn=config
Description Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests.
Retro Changelog Plug-in
Plug-in Parameter Description
-1 = no check for referential integrity
0 = check for referential integrity is performed immediately
Positive integer = request for referential integrity is queued and processed at a later stage. This positive integer serves as a wakeup call for the thread to process the request at intervals corresponding to the integer (number of seconds) specified.
• Log file for storing the change; for example /var/log/dirsrv/slapd-instance_name/referint.
Plug-in Parameter Description
so that clients can use this suffix with or without persistent search for simple sync applications.
Configurable Options on | off
Default Setting off
Configurable Arguments See Section 3.6, “Retro Changelog Plug-in Attributes” for further information on the two configuration attributes for this plug-in.
Dependencies None
Performance Related Information May slow down Directory Server update performance.
Space Insensitive String Syntax Plug-in
Plug-in Information Description
Further Information
Table 3.4. Details of Schema Reload Plug-in
3.1.32.
Plug-in Parameter Description
Performance Related Information
Further Information
3.1.34.
List of Attributes Common to All Plug-ins
Plug-in Parameter Description
Description Enables the use of views in the Directory Server databases.
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies Database
Performance Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information
3.2.
3.2.2. nsslapd-pluginPath
This attribute specifies the full path to the plug-in.
Plug-in Parameter Description
Entry DN cn=plug-in name, cn=plugins, cn=config
Valid Values Any valid path
Default Value None
Syntax DirectoryString
Example nsslapd-pluginPath: uid-plugin
3.2.3. nsslapd-pluginInitfunc
This attribute specifies the plug-in function to be initiated.
Plug-in Parameter Description
Example nsslapd-pluginEnabled: on
3.2.6. nsslapd-pluginId
This attribute specifies the plug-in ID.
Plug-in Parameter Description
Entry DN cn=plug-in name, cn=plugins, cn=config
Valid Values Any valid plug-in ID
Default Value None
Syntax DirectoryString
Example nsslapd-pluginId: chaining database
3.2.7. nsslapd-pluginVersion
This attribute specifies the plug-in version.
Plug-in Parameter Description
Syntax DirectoryString
Example nsslapd-pluginDescription: acl access check plug-in
3.3. Attributes Allowed by Certain Plug-ins
3.3.1. nsslapd-pluginLoadNow
This attribute specifies whether to load all of the symbols used by a plug-in immediately (true), as well as all symbols referenced by those symbols, or to load each symbol the first time it is used (false).
Plug-in Parameter Description
Syntax DirectoryString
Example nsslapd-plugin-depends-on-type: database
3.3.4. nsslapd-plugin-depends-on-named
Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the cn value of a plug-in. The plug-in with a cn value matching one of the following values will be started by the server prior to this plug-in.
3.4.1.1. nsLookThroughLimit
This performance-related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request. The Directory Manager DN, however, is, by default, unlimited and overrides any other settings specified here.
Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config
NOTE
If the nsslapd-cache-autosize attribute and nsslapd-cache-autosize-split attribute are both set to high values, such as 100, then the Directory Server may fail to start and return an error message. To fix this issue, reset the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes to a more reasonable level.
3.4.1.5. nsslapd-dbcachesize
This performance tuning-related attribute specifies the database index cache size, in bytes. This is one of the most important values for controlling how much physical RAM the directory server uses. This is not the entry cache. This is the amount of memory the Berkeley database backend will use to cache the indexes (the .db4 files) and other files. This value is passed to the Berkeley DB API function set_cachesize.
Parameter Description
Default Value 60
Syntax Integer
Example nsslapd-db-checkpoint-interval: 120
3.4.1.7. nsslapd-db-circular-logging
This attribute specifies circular logging for the transaction log files. If this attribute is switched off, old transaction log files are not removed but are kept, renamed as old transaction log files.
This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Red Hat Technical Support or Red Hat Professional Services. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable.
The use of this attribute causes internal Directory Server database files to be moved to the directory referenced by the attribute. It is possible, but unlikely, that the server will no longer start after the files have been moved because not enough memory can be allocated. This is a symptom of an overly large database cache size being configured for the server.
The nsslapd-db-logbuf-size attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on.
Parameter Description
Entry DN cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Range 32K to maximum 32-bit integer (limited to the amount of memory available on the machine)
Default Value 32K
Syntax Integer
Example nsslapd-db-logbuf-size: 32K
3.4.1.13.
3.4.1.15. nsslapd-db-page-size
This attribute specifies the size of the pages used to hold items in the database, in bytes. The minimum size is 512 bytes, and the maximum size is 64 kilobytes. If the page size is not explicitly set, Directory Server defaults to a page size of 8 kilobytes. Changing this default value can have a significant performance impact.
WARNING
Setting this value will reduce data consistency and may lead to loss of data. This is because if there is a power outage before the server can flush the batched transactions, those transactions in the batch will be lost. Do not set this value unless specifically requested to do so by Red Hat support.
Parameter Description
Example nsslapd-db-trickle-percentage: 40
3.4.1.19. nsslapd-db-verbose
This attribute specifies whether to record additional informational and debugging messages when searching the log for checkpoints, doing deadlock detection, and performing recovery. This parameter is meant for troubleshooting, and enabling the parameter may slow down the Directory Server.
3.4.1.21. nsslapd-directory
This attribute specifies the absolute path to the database instance. If the database instance is manually created, then this attribute must be included; it is set by default (and modifiable) in the Directory Server Console. Once the database instance is created, do not modify this path, as any changes risk preventing the server from accessing data.
In Directory Server, the import operation can be run as a server task or exclusively on the command line. In the task mode, the import operation runs as a general Directory Server operation. The nsslapd-import-cache-autosize attribute enables the import cache to be set automatically to a predetermined size when the import operation is run on the command line.
3.4.1.24. nsslapd-mode
This attribute specifies the permissions used for newly created index files.
Parameter Description
Entry DN cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Values Any four-digit octal number. However, mode 0600 is recommended. This allows read and write access for the owner of the index files (which is the user as whom ns-slapd runs) and no access for other users.
3.4.3. Database Attributes under cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=userRoot, cn=ldbm database, cn=plugins, cn=config
The cn=NetscapeRoot and cn=userRoot subtrees contain configuration data for, or the definition of, the databases containing the o=NetscapeRoot and o=userRoot suffixes.
3.4.3.2. nsslapd-cachememsize
This performance tuning-related attribute specifies the size, in bytes, of the available memory space for the entry cache. The simplest method is limiting cache size in terms of memory occupied. Activating automatic cache resizing overrides this attribute, replacing these values with its own guessed values at a later stage of the server startup.
Parameter Description
Entry DN cn=database_name, cn=ldbm database, cn=plugins, cn=config
Valid Values Any valid path to the database instance
Default Value
Syntax DirectoryString
Example nsslapd-directory: /var/lib/dirsrv/slapd-instance_name/db/userRoot
3.4.3.4. nsslapd-readonly
This attribute specifies read-only mode for a single back-end instance.
Parameter Description
Entry DN cn=database_name, cn=ldbm database, cn=plugins, cn=config
Valid Values Any valid DN
Default Value
Syntax DirectoryString
Example nsslapd-suffix: o=NetscapeRoot
3.4.3.7. vlvBase
This attribute sets the base DN for which the browsing or virtual list view (VLV) index is created. For more information on VLV indexes, see the indexing chapter in the Administrator's Guide.
Parameter Description
Example vlvEnabled: 0
3.4.3.9. vlvFilter
The browsing or virtual list view (VLV) index is created by running a search according to a filter and including entries which match that filter in the index. The filter is specified in the vlvFilter attribute. For more information on VLV indexes, see the indexing chapter in the Administrator's Guide.
Allowed Attributes
Attribute Definition
vlvEnabled Stores the availability of the browsing index.
vlvUses Contains the count of how often the browsing index is used.
3.4.3.11. vlvScope
This attribute sets the scope of the search to run for entries in the browsing or virtual list view (VLV) index. For more information on VLV indexes, see the indexing chapter in the Administrator's Guide.
Attribute Definition
vlvBase Identifies the base DN under which the browsing index is created.
vlvScope Identifies the scope to define the browsing index.
vlvFilter Identifies the filter string to define the browsing index.
Allowed Attributes
Attribute Definition
multiLineDescription Gives a text description of the entry.
3.4.3.13.
Parameter Description
Entry DN cn=index_name, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
Valid Values N/A
Default Value
Syntax DirectoryString
Example vlvUses: 800
3.4.4. Database Attributes under cn=database, cn=monitor, cn=ldbm database, cn=plugins, cn=config
The attributes in this tree node entry are all read-only database performance counters.
nsslapd-db-clean-pages This attribute shows the clean pages currently in the cache.
nsslapd-db-commit-rate This attribute shows the number of transactions that have been committed.
nsslapd-db-deadlock-rate This attribute shows the number of deadlocks detected.
nsslapd-db-dirty-pages This attribute shows the dirty pages currently in the cache.
nsslapd-db-log-write-rate This attribute shows the number of megabytes and bytes written to this log.
nsslapd-db-longest-chain-length This attribute shows the longest chain ever encountered in buffer hash table lookups.
nsslapd-db-page-create-rate This attribute shows the pages created in the cache.
nsslapd-db-page-read-rate This attribute shows the pages read into the cache.
Database Attributes under cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config
Parameter Description
Entry DN cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Values Any valid index cn
Default Value None
Syntax DirectoryString
Example cn: aci
3.4.5.2. description
This optional attribute provides a free-form text description of what the index actually performs.
Attribute Definition
nsMatchingRule Identifies the matching rule.
3.4.5.4. nsIndexType
This optional, multi-valued attribute specifies the type of index for Directory Server operations and takes the values of the attributes to be indexed. Each desired index type has to be entered on a separate line.
Database Attributes under cn=monitor, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config
Parameter Description
Valid Values Any valid collation order object identifier (OID)
Default Value None
Syntax DirectoryString
Example nsMatchingRule: 2.16.840.1.113730.3.3.2.3.1 (For Bulgarian)
3.4.5.6. nsSystemIndex
This mandatory attribute specifies whether the index is a system index, an index which is vital for Directory Server operations.
dbfilepageout This attribute gives the number of pages for this file written from cache to disk.
3.4.7.
If the value of this attribute is changed, then the index must be regenerated using db2index.
Parameter Description
Entry DN cn=attribute_name, cn=index, cn=database_name, cn=ldbm database, cn=plugins, cn=config
Valid Values Any integer
Default Value 3
Syntax Integer
Example nsSubStrBegin: 2
3.4.7.2.
Parameter Description
Entry DN cn=attribute_name, cn=index, cn=database_name, cn=ldbm database, cn=plugins, cn=config
Valid Values Any integer
Default Value 3
Syntax Integer
Example nsSubStrMiddle: 3
3.4.8. Database Attributes under cn=attributeName, cn=encrypted attributes, cn=database_name, cn=ldbm database, cn=plugins, cn=config
The nsAttributeEncryption object class allows selective encryption of attributes within a database.
Database Link Plug-in Attributes (Chaining Attributes)
3.4.8.1. nsAttributeEncryption (Object Class)
This object class is used for core configuration entries which identify and encrypt selected attributes within a Directory Server database. This object class is defined in Directory Server.
Superior Class top
OID 2.16.840.1.113730.3.2.316
Required Attributes
objectClass Defines the object classes for the entry.
cn Specifies the attribute being encrypted using its common name.
Figure 3.4. Database Link Plug-in
All plug-in technology used by the database link instances is stored in the cn=chaining database plug-in node. This section presents the additional attribute information for the three nodes marked in bold in the cn=chaining database, cn=plugins, cn=config information tree in Figure 3.4, “Database Link Plug-in”.
3.5.1.
Database Link Attributes under cn=config, cn=chaining database, cn=plugins, cn=config
Parameter Description
Entry DN cn=config, cn=chaining database, cn=plugins, cn=config
Valid Values Any valid delay period in seconds
Default Value 60 seconds
Syntax Integer
Example nsMaxResponseDelay: 60
3.5.1.3. nsMaxTestResponseDelay
This error detection, performance-related attribute specifies the duration of the test issued by the database link to check whether the remote server is responding.
3.5.2. Database Link Attributes under cn=default instance config, cn=chaining database, cn=plugins, cn=config
Default instance configuration attributes for instances are housed in the cn=default instance config, cn=chaining database, cn=plugins, cn=config tree node.
3.5.2.1. nsAbandonedSearchCheckInterval
This attribute shows the number of seconds that pass before the server checks for abandoned operations.
Parameter Description
Valid Range 0 to 5
Default Value 3
Syntax Integer
Example nsBindRetryLimit: 3
3.5.2.4. nsBindTimeout
This attribute shows the amount of time before the bind attempt times out. There is no real valid range for this attribute, except reasonable patience limits.
3.5.2.7. nsConcurrentOperationsLimit
This attribute specifies the maximum number of concurrent operations allowed.
Parameter Description
Entry DN cn=default instance config, cn=chaining database, cn=plugins, cn=config
Valid Range 1 to 50 operations
Default Value 2
Syntax Integer
Example nsConcurrentOperationsLimit: 5
3.5.2.8. nsConnectionLife
This attribute specifies the connection lifetime.
Parameter Description
Entry DN cn=default instance config, cn=chaining database, cn=plugins, cn=config
Valid Values on | off
Default Value on
Syntax DirectoryString
Example nsProxiedAuthorization: on
3.5.2.11. nsReferralOnScopedSearch
This attribute controls whether referrals are returned by scoped searches.
Parameter Description
Syntax Integer
Example nsslapd-timelimit: 3600
3.5.3. Database Link Attributes under cn=database_link_name, cn=chaining database, cn=plugins, cn=config
This information node stores the attributes concerning the server containing the data. A farm server is a server which contains data on databases. This attribute can contain optional servers for failover, separated by spaces.
3.5.3.2. nsFarmServerURL
This attribute gives the LDAP URL of the remote server. A farm server is a server containing data in one or more databases. This attribute can contain optional servers for failover, separated by spaces. If using cascading chaining, this URL can point to another database link.
3.5.3.5. nshoplimit
This attribute specifies the maximum number of times a database is allowed to chain; that is, the number of times a request can be forwarded from one database link to another.
Parameter Description
Entry DN cn=database_link_name, cn=chaining database, cn=plugins, cn=config
Valid Range 1 to an appropriate upper limit for the deployment
Default Value 10
Syntax Integer
Example nsHopLimit: 3
3.5.3.6.
Retro Changelog Plug-in Attributes
nsRenameCount This attribute gives the number of rename operations received.
nsSearchBaseCount This attribute gives the number of base level searches received.
nsSearchOneLevelCount This attribute gives the number of one-level searches received.
nsSearchSubtreeCount This attribute gives the number of subtree searches received.
nsAbandonCount This attribute gives the number of abandon operations received.
• The modification action; that is, exactly how the directory was modified.
It is through the Retro Changelog Plug-in that the changes performed to the Directory Server are accessed using searches to the cn=changelog suffix.
3.6.1. nsslapd-changelogdir
This attribute specifies the name of the directory in which the changelog database is created the first time the plug-in is run.
Parameter Description
Syntax DirectoryString IntegerAgeID
AgeID is s for seconds, m for minutes, h for hours, d for days, or w for weeks.
Example nsslapd-changelogmaxage: 30d
3.7. Distributed Numeric Assignment Plug-in Attributes
The Distributed Numeric Assignment Plug-in manages ranges of numbers and assigns unique numbers within that range to entries.
Parameter Description
Example dnaMagicRegen: magic
3.7.3. dnaMaxValue
This attribute sets the maximum value that can be assigned for the range. The default is -1, which is the same as setting the highest 64-bit integer.
Parameter Description
Default Value None
Syntax DirectoryString
Example dnaNextRange: 100-500
3.7.5. dnaNextValue
This attribute gives the next available number which can be assigned. After being initially set in the configuration entry, this attribute is managed by the Distributed Numeric Assignment Plug-in. The dnaNextValue attribute is required to set up distributed numeric assignment for an attribute.
Parameter Description
Entry DN cn=Distributed Numeric Assignment Plugin, cn=plugins, cn=config
Valid Range 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems
Default Value 10
Syntax Integer
Example dnaRangeRequestTimeout: 15
3.7.8. dnaScope
This attribute sets the base DN to search for entries to which to apply the distributed numeric assignment.
Parameter Description
Syntax DN
Example dnaSharedCfgDN: cn=range transfer user, cn=config
3.7.10. dnaThreshold
One potential situation with the Distributed Numeric Assignment Plug-in is that one server begins to run out of numbers to assign, which can cause problems. The Distributed Numeric Assignment Plug-in allows the server to request a new range from the available ranges on other servers.
membership is not reflected in the member's user entry, so it is impossible to tell to what groups a person belongs by looking at the user's entry. The MemberOf Plug-in synchronizes the group membership in group members with the members' individual directory entries by identifying changes to a specific attribute (such as member) in the group entry and then carrying those changes over to a specific attribute in the entries for the members.
3.8.
Chapter 4. Server Instance File Reference
This chapter provides an overview of the files that are specific to an instance of Red Hat Directory Server (Directory Server) — the files stored in the /etc/dirsrv/slapd-instance_name directory. Having an overview of the files and configuration information stored in each instance of Directory Server helps with understanding the file changes (or lack of file changes) which occur in the course of directory activity.
File or Directory Location
Log files /var/log/dirsrv/slapd-instance_name
PID /var/run/dirsrv
Tools /usr/bin /usr/sbin /usr/lib64/mozldap6
Instance directory /usr/lib64/dirsrv/slapd-instance
Table 4.2.
Database Files
__db.001 __db.002 __db.003 __db.004 __db.005 DBVERSION NetscapeRoot/ log.0000000007 userRoot/
Example 4.1. Database Directory Contents
• __db.00x files — Used internally by the database and should not be moved, deleted, or modified in any way.
• log.xxxxxxxxxx files — Used to store the transaction logs per database.
• DBVERSION — Used for storing the version of the database.
• NetscapeRoot — Stores the o=NetscapeRoot database created by default when the setup-ds-admin.pl script is run.
4.5. LDIF Files
Sample LDIF files are stored in the /var/lib/dirsrv/slapd-instance_name/ldif directory, which holds LDIF-related files. Example 4.3, “LDIF Directory Contents” lists the /ldif directory contents.
European.ldif Example.ldif Example-roles.ldif Example-views.ldif
Example 4.3. LDIF Directory Contents
• European.ldif — Contains European character samples.
• Example.ldif — Is a sample LDIF file.
• Example-roles.
For more information on using LDAP utilities, see the Directory Server Administrator's Guide.
4.7. Log Files
Each Directory Server instance contains a /var/log/dirsrv/slapd-instance_name directory for storing log files. The following is a sample listing of the /logs directory contents.
access access.20090221-162824 access.20090223-171949 access.20090227-171818 access.20090228-171925 errors access.rotationinfo errors.20090221-162824 audit errors.rotationinfo audit.rotationinfo slapd.
ldapcompare ldapdelete-bin ldappasswd ldapsearch-bin
Example 4.8. LDAP Tool Directory Contents
4.10. Scripts
Directory Server command-line scripts are stored in the /etc/dirsrv/slapd-instance_name directory. The contents of the /etc/dirsrv/slapd-instance_name directory are listed in Example 4.9, “Instance Directory Contents”. Chapter 7, Command-Line Scripts has more information on command-line scripts.
bak2db bak2db.pl db2bak db2bak.pl db2index db2index.
Chapter 5. Log File Reference
Red Hat Directory Server (Directory Server) provides logs to help monitor directory activity. Monitoring helps to quickly detect and remedy failures and, where done proactively, to anticipate and resolve potential problems before they result in failure or poor performance. Part of monitoring the directory effectively is understanding the structure and content of the log files. This chapter does not provide an exhaustive list of log messages.
5.1.1. Access Logging Levels
Different levels of access logging generate different amounts of detail and record different kinds of operations. The log level is set in the instance's nsslapd-accesslog-level configuration attribute. The default level of logging is level 256, which logs access to an entry, but there are five different log levels available:
• 0 = No access logging.
• 4 = Logging for internal access operations.
• 256 = Logging for access to an entry.
Default Access Logging Content
[21/Apr/2009:11:39:53 -0700] conn=13
[21/Apr/2009:11:39:53 -0700] conn=13
[21/Apr/2009:11:39:53 -0700] conn=13
[21/Apr/2009:11:39:55 -0700] conn=14 192.18.122.
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
In Section 5.1.2, “Default Access Logging Content”, we have op=0 for the bind operation request and result pair, then op=1 for the LDAP search request and result pair, and so on. The entry op=-1 in the access log generally means that the LDAP request for this connection was not issued by an external LDAP client but, instead, was initiated internally.
Default Access Logging Content Tag / Description:
tag=107: A result from a delete operation.
tag=109: A result from a moddn operation.
tag=111: A result from a compare operation.
tag=115: A search reference when the entry on which the search was performed holds a referral to the required entry. Search references are expressed in terms of a referral.
tag=120: A result from an extended operation.
Table 5.1.
Chapter 5. Log File Reference
• ABANDON for abandon operation
If the LDAP request resulted in sorting of entries, then the message SORT serialno will be recorded in the log, followed by the number of candidate entries that were sorted. For example:
[04/May/2009:15:51:46 -0700] conn=114 op=68 SORT serialno (1)
The number enclosed in parentheses specifies the number of candidate entries that were sorted, which in this case is 1.
Default Access Logging Content targetPosition:contentCount (resultCode) The example below highlights the VLV-specific entries:
[07/May/2009:11:43:29 -0700] conn=877 op=8530 SRCH base="(ou=People)" scope=2 filter="(uid=*)"
[07/May/2009:11:43:29 -0700] conn=877 op=8530 SORT uid
[07/May/2009:11:43:29 -0700] conn=877 op=8530 VLV 0:5:0210 10:5397 (0)
[07/May/2009:11:43:29 -0700] conn=877 op=8530 RESULT err=0 tag=101 nentries=1 etime=0
In the above example, the first part, 0:5:0210, is the VLV request info
Chapter 5. Log File Reference Extended Operation Name / Description / OID:
Directory Server End Replication Request: Sent to indicate that a replication session is to be terminated. OID 2.16.840.1.113730.3.5.5
Directory Server Replication Entry Request: Carries an entry, along with its state information (csn and UniqueIdentifier) and is used to perform a replica initialization. OID 2.16.840.1.113730.3.5.
Access Log Content for Additional Access Logging Levels
[21/Apr/2009:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2
NOTE: The Directory Server operation number starts counting at 0, and, in the majority of LDAP SDK/client implementations, the message ID number starts counting at 1, which explains why the message ID is frequently equal to the Directory Server operation number plus 1.
SASL Multi-Stage Bind Logging In Directory Server, logging for multi-stage binds is explicit.
Common Connection Codes 5.1.4. Common Connection Codes A connection code is a code that is added to the closed log message to provide additional information related to the connection closure.
Connection Code / Description:
A1: Client aborts the connection.
B1: Corrupt BER tag encountered. If BER tags, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log.
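A parser for the access log lines described in this section (the conn/op request and result pairs, the RESULT tag values from Table 5.1, the VLV response fields, ABANDON, and the connection-close codes), with a check for failed binds and a count of close codes. This is an added example, not code from the Directory Server documentation; the sample log is constructed, and the exact layout of the "closed" message (the fd= field and the "closed - code" text) is an assumption.

```python
import re
from collections import Counter

# Result tags from Table 5.1 plus the bind (97) and search (101) tags seen in
# the log excerpts. 103 (modify) and 105 (add) are the standard LDAP response
# tags and are not in the table excerpt above.
RESULT_TAGS = {97: "bind", 101: "search", 103: "modify", 105: "add",
               107: "delete", 109: "moddn", 111: "compare",
               115: "search reference", 120: "extended"}

# Connection close codes from Section 5.1.4 (only the two shown above).
CONNECTION_CODES = {"A1": "client aborted the connection",
                    "B1": "corrupt BER tag encountered"}

HEAD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)"
                     r"(?: op=(?P<op>-?\d+))? (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# VLV response part: targetPosition:contentCount (resultCode), as described above.
VLV_RE = re.compile(r"^VLV (?P<request>\S+) (?P<targetPosition>\d+):"
                    r"(?P<contentCount>\d+) \((?P<resultCode>\d+)\)")
# Assumed layout of a close message: "... closed - <code>".
CLOSED_RE = re.compile(r"closed - (?P<code>[A-Z]\d)")


def parse_access_line(line):
    """Parse one access log line into a dict; return None if it does not match."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "conn": int(m.group("conn")),
           "op": int(m.group("op")) if m.group("op") is not None else None}
    rest = m.group("rest")
    rec["kind"] = rest.split(" ", 1)[0]   # BIND, SRCH, RESULT, VLV, ABANDON, ...
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    if rec["kind"] == "RESULT":
        f = rec["fields"]
        rec["err"] = int(f.get("err", -1))
        rec["tag"] = int(f.get("tag", -1))
        rec["operation"] = RESULT_TAGS.get(rec["tag"], "unknown")
        rec["nentries"] = int(f.get("nentries", 0))
    elif rec["kind"] == "VLV":
        v = VLV_RE.match(rest)
        if v:
            rec["vlv"] = {"request": v.group("request"),
                          "targetPosition": int(v.group("targetPosition")),
                          "contentCount": int(v.group("contentCount")),
                          "resultCode": int(v.group("resultCode"))}
    c = CLOSED_RE.search(rest)
    if c:
        rec["kind"] = "closed"
        rec["close_code"] = c.group("code")
        rec["close_reason"] = CONNECTION_CODES.get(c.group("code"), "unknown")
    return rec


def parse_access_log(text):
    """Parse every non-empty line, dropping lines that do not match the format."""
    recs = [parse_access_line(l) for l in text.splitlines() if l.strip()]
    return [r for r in recs if r is not None]


def pair_operations(records):
    """Group request and result records by (conn, op), as the text describes;
    op=-1 (internal or connection-level messages) is left out."""
    ops = {}
    for r in records:
        if r["op"] is not None and r["op"] >= 0:
            ops.setdefault((r["conn"], r["op"]), []).append(r)
    return ops


def failed_binds(records):
    """(conn, err) for every bind RESULT (tag=97) that did not return err=0."""
    return [(r["conn"], r["err"]) for r in records
            if r["kind"] == "RESULT" and r["tag"] == 97 and r["err"] != 0]


def close_code_counts(records):
    """Count connection-close codes; many B1 codes point at malformed client traffic."""
    return Counter(r["close_code"] for r in records if r["kind"] == "closed")


# Constructed sample log (not copied from a real server); err=49 is the standard
# LDAP "invalid credentials" result and the fd= field is an assumption.
SAMPLE_LOG = """\
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=*)" attrs=ALL
[21/Apr/2009:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=3 etime=0
[21/Apr/2009:11:39:52 -0700] conn=12 op=0 BIND dn="uid=bjensen,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:39:52 -0700] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2
[07/May/2009:11:43:29 -0700] conn=877 op=8530 VLV 0:5:0210 10:5397 (0)
[21/Apr/2009:11:39:55 -0700] conn=12 op=-1 fd=64 closed - B1
"""

if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    print("failed binds:", failed_binds(recs))
    print("close codes:", dict(close_code_counts(recs)))
    for key, msgs in sorted(pair_operations(recs).items()):
        print(key, [m["kind"] for m in msgs])
```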
Chapter 5. Log File Reference 5.2.1. Error Log Logging Levels The error log can record different amounts of detail for operations, as well as different kinds of information depending on the type of error logging enabled. The logging level is set in the nsslapd-errorlog-level configuration attribute. The default log level is 16384, which includes critical error messages and standard logged messages, such as LDAP result codes and startup messages. As with access logging, error logging levels are additive.
Error Log Content Setting / Console Name / Description:
4096 / Housekeeping: Housekeeping thread debugging.
8192 / Replication: Logs detailed information about every replication-related operation, including updates and errors, which is important for debugging replication problems.
16384 / Default: Default level of logging used for critical errors and other messages that are always written to the error log, such as server startup messages.
Chapter 5. Log File Reference
• The plug-in being called, for internal operations.
• Functions called by the plug-in, for internal operations.
• Messages returned by the plug-in or operation, which may include LDAP error codes, connection information, or entry information.
Frequently, the messages for an operation appear on multiple lines of the log, but these are not identified with a connection number or operation number. Example 5.
Error Log Content for Other Log Levels
[timestamp] NSMMReplicationPlugin - agmt="name" (consumer_host:consumer_port): current_task
For example:
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replicageneration} 4949df6e000000010000
{replicageneration} means that the new information is being sent, and 4949df6e000000010000 is the change sequence number of the entry being replicated. Example 5.
Audit Log Reference NOTE: Example 5.5, “Example ACL Plug-in Error Log Entry with Plug-in Logging” shows both plug-in logging and search filter processing (log level 32). Many other kinds of logging have similar output to the plug-in logging level, only for different kinds of internal operations. Heavy trace output (4), access control list processing (128), schema parsing (2048), and housekeeping (4096) all record the functions called by the different operations being performed.
Chapter 5. Log File Reference
timestamp: date
dn: modified_entry
changetype: action
action: attribute
attribute: new_value
-
replace: modifiersname
modifiersname: dn
-
replace: modifytimestamp
modifytimestamp: date
-
LDIF files and formats are described in more detail in the "LDAP Data Interchange Format" appendix of the Administrator's Guide. Several different kinds of audit entries are shown in Example 5.8, “Audit Log Content”. ... modifying an entry ...
LDAP Result Codes
replace: modifytimestamp
modifytimestamp: 20090109181810Z
-
Example 5.8. Audit Log Content The audit log does not have any other log level to set. 5.4. LDAP Result Codes LDAP has a set of result codes with which it is useful to be familiar.
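A parser for the audit log's LDIF change records shown above, which decodes base-64 (::) attribute values and reports every modification of a sensitive attribute together with the modifiersname the server recorded in the same change. This is an added example, not code from the Directory Server documentation; the audit log text and the watch list of attributes are constructed.

```python
import base64
from typing import Dict, List

# Attributes whose modification is worth alerting on (constructed watch list;
# the names themselves are real Directory Server attributes).
WATCHED_ATTRIBUTES = {"userpassword", "aci", "nsslapd-accesslog-level"}


def _split_attr(line: str):
    """Split an LDIF line 'attr: value' or base-64 'attr:: value' into (name, value).

    A URL-form value ('attr:< file:///...') is returned as the literal text."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):                       # base-64 encoded value
        value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    else:
        value = rest.strip()
    return name.strip().lower(), value


def parse_audit_log(text: str) -> List[Dict]:
    """Parse audit log text into one record per blank-line-separated change."""
    records = []
    for block in text.strip().split("\n\n"):
        rec: Dict = {"mods": []}
        current = None          # the add/replace/delete block being read
        in_body = False         # True once the changetype line has been seen
        for line in block.splitlines():
            line = line.rstrip()
            if not line or line.startswith("#"):
                continue
            if line == "-":     # terminates one add/replace/delete block
                if current:
                    rec["mods"].append(current)
                current = None
                continue
            name, value = _split_attr(line)
            if not in_body:
                if name == "changetype":
                    rec["changetype"] = value
                    in_body = True
                else:
                    rec[name] = value   # time (or timestamp) and dn
            elif (rec["changetype"] == "modify" and current is None
                    and name in ("add", "replace", "delete")):
                current = {"op": name, "attr": value.lower(), "values": []}
            elif current is not None:
                current["values"].append(value)
            else:               # attributes of an added entry
                rec.setdefault("attributes", {}).setdefault(name, []).append(value)
        if current:
            rec["mods"].append(current)
        for mod in rec["mods"]:     # the server records the modifier within the same change
            if mod["attr"] == "modifiersname" and mod["values"]:
                rec["modifiersname"] = mod["values"][0]
        records.append(rec)
    return records


def watched_changes(records: List[Dict], watched=WATCHED_ATTRIBUTES) -> List[Dict]:
    """One finding per modification that touches a watched attribute (values are not
    included so that password hashes do not end up in alert output)."""
    findings = []
    for rec in records:
        for mod in rec["mods"]:
            if mod["attr"] in watched:
                findings.append({"time": rec.get("time", rec.get("timestamp")),
                                 "dn": rec.get("dn"), "op": mod["op"], "attr": mod["attr"],
                                 "modifiersname": rec.get("modifiersname", "unknown")})
    return findings


# Constructed audit log text; the base-64 value decodes to "{SSHA}constructed".
SAMPLE_AUDIT_LOG = """\
time: 20090109181810
dn: uid=tuser1,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
-
replace: modifiersname
modifiersname: cn=Directory Manager
-
replace: modifytimestamp
modifytimestamp: 20090109181810Z
-

time: 20090109181905
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="telephoneNumber")(version 3.0; acl "constructed"; allow (write) userdn="ldap:///self";)
-
replace: modifiersname
modifiersname: uid=bjensen,ou=People,dc=example,dc=com
-

time: 20090109182000
dn: uid=tuser2,ou=People,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: +1 555 0100
-
replace: modifiersname
modifiersname: uid=bjensen,ou=People,dc=example,dc=com
-
"""

if __name__ == "__main__":
    for finding in watched_changes(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```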
Chapter 5. Log File Reference Result Code Defined Value 36 ALIAS_DEREFERENCING_PROBLEM Table 5.5.
Chapter 6. Command-Line Utilities This chapter contains reference information on command-line utilities used with Red Hat Directory Server (Directory Server). These command-line utilities make it easy to perform administration tasks on the Directory Server. 6.1.
Chapter 6. Command-Line Utilities -D "cn=Patricia Fuentes, ou=people, dc=example,dc=Bolivia\, S.A." 6.3. Command-Line Utilities Quick Reference The following table provides a summary of the command-line utilities provided for Directory Server. Command-Line Utility Description ldapsearch Searches the directory and returns search results in LDIF format. For details on this tool, see the "Finding Directory Entries" appendix in the Directory Server Administrator's Guide.
ldapsearch • SSL Options • SASL Options • Additional ldapsearch Options Syntax
ldapsearch -b basedn -s scope [ optional_options ] "(attribute=filter)" [ optional_list_of_attributes ]
For any value that contains a space ( ), the value should be enclosed in double quotation marks. For example: -b "ou=groups, dc=example,dc=com" Option Description optional_options A series of command-line options. These must be specified before the search filter, if used.
Chapter 6. Command-Line Utilities Option Description -b Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks.
ldapsearch Option Description installed. If a host is not specified, ldapsearch uses the local host. For example: -h mozilla -l Specifies the maximum number of seconds to wait for a search request to complete. For example: -l 300 Regardless of the value specified here, ldapsearch will never wait longer than is allowed by the server's nsslapd-timelimit attribute, unless the authenticated user is the Directory Manager. The default value for the nsslapd-timelimit attribute is 3600 seconds. See Section 2.
Chapter 6. Command-Line Utilities Option Description If a dash (-) is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line. -x Specifies that the search results are sorted on the server rather than on the client. This is useful to sort according to a matching rule, as with an international search. In general, it is faster to sort on the server rather than on the client.
ldapsearch Option Description is useful with the -C for persistent searches because it prints any entry modifications without delay and without the search hanging. It can also be used with other ldapsearches, not only persistent searches. PS:changetype Specifies which types of changes to entries allow the entry to be returned in the persistent search.
Chapter 6. Command-Line Utilities Option Description -3 Specifies that hostnames should be checked in SSL certificates. -I Specifies the SSL key password file that contains the token:password pair. -K Specifies the absolute path, including the filename, of the private key database of the client. The -K option must be specified when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database, the cert8.
ldapsearch Option Description -Q Specifies the token and certificate name, which is separated by a semi-colon (:) for PKCS11. -W Specifies the password for the private key database identified in the -P option. For example: -W secret If a dash (-) is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line. -W - Prompts for the password for the token database.
Chapter 6. Command-Line Utilities Option Description • secProp, the security properties • realm, the Kerberos realm • flags The expected values depend on the supported mechanism. The -o can be used multiple times to pass all of the required SASL information for the mechanism. For example: -o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user" Table 6.6. SASL Options There are three SASL mechanisms supported in Red Hat Directory Server: • CRAM-MD5, described in Table 6.
ldapsearch Required or Optional Option Description Example
• noactive — Do not permit mechanisms susceptible to active attacks.
• nodict — Do not permit mechanisms susceptible to passive dictionary attacks.
• forwardsec — Require forward secrecy.
• passcred — Attempt to pass client credentials.
• noanonymous — Do not permit mechanisms that allow anonymous access.
• minssf — Require a minimum security strength; this option needs a numeric value specifying bits of encryption.
Chapter 6. Command-Line Utilities Required or Optional Option Description Example when using integrity or privacy settings. Table 6.7. Description of CRAM-MD5 Mechanism Options Required or Optional Option Description Example Required mech=DIGEST-MD5 Gives the SASL mechanism. -o "mech=DIGEST-MD5" Required authid=authid_value Gives the ID used to authenticate to the server. authid_value can be the following:
• UID. For example, msmith. -o "authid=dn:uid=msmith,ou=People,o=exampl
• u: uid.
ldapsearch Required or Optional Option Description Example • maxssf — Require a maximum security strength; this option needs a numeric value specifying bits of encryption. A value of -1 means integrity is provided without privacy. The maximum value is 128. Table 6.8. Description of DIGEST-MD5 SASL Mechanism Options Required or Optional Option Description Example Required mech=GSSAPI Gives the SASL mechanism. -o "mech=GSSAPI" NOTE: Have the Kerberos ticket before issuing a GSSAPI request.
Chapter 6. Command-Line Utilities Required or Optional Option Description Example
• minssf — Require a minimum security strength; this option needs a numeric value specifying bits of encryption. A value of -1 means integrity is provided without privacy.
• maxssf — Require a maximum security strength; this option needs a numeric value specifying bits of encryption. A value of -1 means integrity is provided without privacy. The maximum value is 56.
Table 6.9.
ldapsearch Option Description -e Minimizes the base-64 encoding for the values of returned entries. -F Specifies a different separator. This option allows a separator other than a colon (:) to separate an attribute name from the corresponding value. For example: -F + -f Specifies the file containing the search filters to be used in the search. For example: -f search_filters option to supply a search filter directly to the command line.
Chapter 6. Command-Line Utilities Option Description This argument can input the bind DN, base DN, and the search filter pattern in the specified characterset. ldapsearch converts the input from these arguments before it processes the search request. For example, -i no indicates that the bind DN, base DN, and search filter are provided in Norwegian.
ldapsearch Option Description -O 2 -R Specifies that referrals are not to be followed automatically. By default, referrals are followed automatically. -S Specifies the attribute to use as the sort criteria. For example: -S sn Use multiple -S arguments to further define the sort order. In the following example, the search results will be sorted first by surname and then by given name: -S sn -S givenname The default is not to sort the returned entries.
Chapter 6. Command-Line Utilities Option Description -X Specifies the getEffectiveRights control specific attribute list, where attributes are separated by spaces. For example: "nsroledn userPassword" Table 6.10. Additional ldapsearch Options 6.5. ldapmodify ldapmodify makes changes to directory entries via LDAP.
ldapmodify Option Description -D "uid=bjensen, dc=example,dc=com" This option cannot be used with the -N option. -f Option that specifies the file containing the LDIF update statements used to define the directory modifications. For example: -f modify_statements If this option is not supplied, the update statements are read from stdin. For information on supplying LDIF update statements from the command-line, see the "Creating Directory Entries" chapter in the Directory Server Administrator's Guide.
Chapter 6. Command-Line Utilities Option Description -w Specifies the password associated with the distinguished name specified in the -D option. For example: -w mypassword If a dash (-) is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line. Table 6.11.
ldapmodify Option Description authentication credentials specified on -D and -w. -P Specifies the absolute path, including the filename, of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be pointed to the certificate database for the web browser. For example: -P /security/cert.
Chapter 6. Command-Line Utilities Option Description -o Specifies SASL options. The format is -o saslOption=value. saslOption can have one of six values:
• mech, the SASL authentication mechanism
• authid, the user who is binding to the server (Kerberos principal)
• authzid, a proxy authorization (ignored by the server since proxy authorization is not supported)
• secProp, the security properties
• realm, the Kerberos realm
• flags
The expected values depend on the supported mechanism.
ldapmodify Option Description ldapmodify reads the contents of the photo.jpeg file into the jpegPhoto attribute being added to the entry. As an alternative to the -b option, use the :< URL specifier notation, which is simpler. For example: jpegphoto:< file:///tmp/myphoto.jpg Although the official notation requires three ///, the use of one / is accepted. NOTE: The :< URL specifier notation only works if the LDIF statement is version 1 or later, meaning version: 1 is inserted in the LDIF file.
Chapter 6. Command-Line Utilities Option Description -O 2 -R Specifies that referrals are not to be followed automatically. -v Specifies that the utility is to run in verbose mode. -V Specifies the LDAP version number to be used on the operation. For example: -V 2 LDAPv3 is the default. An LDAPv3 operation cannot be performed against a Directory Server that only supports LDAPv2. -Y Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes.
ldapdelete Option Description -D "uid=bjensen, dc=example,dc=com" For more information on access control, see the "Managing Access Control" chapter in the Directory Server Administrator's Guide. The -D option cannot be used with the -N option. dn Specifies the dn of the entry to delete. -g Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests.
Chapter 6. Command-Line Utilities SSL Options Use the following options to specify that ldapdelete use LDAPS when communicating with the Directory Server or to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured for the Directory Server.
ldapdelete Option Description the -P option calls out a path and filename similar to the following: -P /etc/dirsrv/slapd-instance_name/clientcert.db -Q Specifies the token and certificate name, which is separated by a semicolon (:) for PKCS11. -W Specifies the password for the certificate database identified on the -P option. For example: -W serverpassword -Z Specifies that SSL is to be used for the delete request. -ZZ Specifies the Start TLS request.
Chapter 6. Command-Line Utilities Option Description • realm, the Kerberos realm • flags The expected values depend on the supported mechanism. The -o can be used multiple times to pass all of the required SASL information for the mechanism. For example: -o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user" Table 6.17. SASL Options See SASL Options for ldapsearch for information on how to use SASL options with ldapdelete.
ldappasswd Option Description -R Specifies that referrals are not to be followed automatically. By default, the server follows referrals. -v Specifies that the utility is to run in verbose mode. -V Specifies the LDAP version number to be used on the operation. For example: -V 2 LDAPv3 is the default. An LDAPv3 operation cannot be performed against a Directory Server that only supports LDAPv2. -Y Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes.
Chapter 6. Command-Line Utilities Option Description -a Specifies the user's existing password. For example: -a old_password -S Specifies that the command should prompt for a new password for the user. -s Specifies a new password for the user. For example: -s new_password -T Specifies a file from which to read the new password. For example: -T new_password.txt -t Specifies a file from which to read the user's existing password. For example: -t old_password.
ldappasswd Option Description The -D option cannot be used with the -N option. For more information on access control, see the "Managing Access Control" chapter in the Directory Server Administrator's Guide. -g Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests.
Chapter 6. Command-Line Utilities Option Description If this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified by -D and -w. -P Specifies the absolute path, including the filename, of the certificate database of the client. This option is used only with the -Z option.
ldappasswd Option Description -Z Specifies that SSL is to be used for the search request. -ZZ Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not need to be aborted; it will continue in cleartext. -ZZZ Enforces the Start TLS request. The server must respond that the request was successful.
Chapter 6. Command-Line Utilities Examples The following examples show how to perform various tasks using the ldappasswd command. The Directory Manager changes the password of the user uid=tuser1,ou=People,dc=example,dc=com to new_password over SSL.
ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "cn=Directory Manager" -w admpassword -s new_password "uid=tuser1,ou=People,dc=example,dc=com"
Example 6.1.
ldif
ldappasswd -h myhost -o "mech=GSSAPI" -S
Example 6.6. User Already Authenticating by Kerberos Prompts for a New Password 6.8. ldif ldif automatically formats LDIF files and creates base-64 encoded attribute values. Base-64 encoding makes it possible to represent binary data, such as a JPEG image, in LDIF. Base-64 encoded data is represented using a double colon (::) symbol.
Chapter 6. Command-Line Utilities Option Description NOTE: The :< URL specifier notation only works if the LDIF statement is version 1 or later, meaning version: 1 is inserted in the LDIF file. Otherwise, the file URL is appended as the attribute value rather than the contents of the file. Table 6.22. ldif Options 6.9. dbscan The dbscan tool analyzes and extracts information from a Directory Server database file. See Section 4.4, “Database Files” for more information on database files.
dbscan Option Parameter Description -K entry_id Specifies the entry ID to look up. Table 6.24. Entry File Options NOTE: The index file options, listed in Table 6.25, “Index File Options”, are meaningful only when the database file is the secondary index file. Option Parameter Description -k key Specifies the key to look up in the secondary index file. -l size Sets the maximum length of the dumped ID list. The valid range is from 40 to 1048576 bytes. The default value is 4096.
Chapter 6. Command-Line Utilities
dbscan -s -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/objectclass.db4
Example 6.11. Displaying the Summary of objectclass.db4
dbscan -r -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/vlv#bymccoupeopledcpeopledccom.db4
Example 6.12. Displaying VLV Index File Contents
dbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/c1a2fc02-1d11b2-8018afa7fdce000_424c8a000f00.db4
Example 6.13.
Chapter 7. Command-Line Scripts This chapter provides information on the scripts for managing Red Hat Directory Server, such as backing up and restoring the database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A, Using the ns-slapd Command-Line Utilities. 7.1.
Chapter 7. Command-Line Scripts Shell Script Description lib/dirsrv/slapd-instance_name/bak directory. start-slapd Starts Directory Server. stop-slapd Stops Directory Server. suffix2instance Maps a suffix to a backend name. verify-db.pl Checks backend database files. vlvindex Creates and generates virtual list view (VLV) indexes. Table 7.1. Shell Scripts in /usr/lib/dirsrv/slapd-instance_name or /usr/lib64/dirsrv/slapd-instance_name Perl Script Description bak2db.
Shell Scripts Script Name Description Perl or Shell Script cl-dump.pl Dumps and decodes the changelog. Perl ds_removal Removes a server instance. Shell logconv.pl Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events. Perl migrate-ds-admin.pl Migrates a Directory Server 7.1 instance to Directory Server 8.1. Perl pwdhash Prints the encrypted form of a password using one of the server's encryption algorithms.
Chapter 7. Command-Line Scripts
• Section 7.3.6, “dbverify (Checks for Corrupt Databases)”
• Section 7.3.7, “ds_removal”
• Section 7.3.8, “ldif2db (Import)”
• Section 7.3.9, “ldif2ldap (Performs Import Operation over LDAP)”
• Section 7.3.10, “monitor (Retrieves Monitoring Information)”
• Section 7.3.12, “pwdhash (Prints Encrypted Passwords)”
• Section 7.3.11, “repl-monitor (Monitors Replication Status)”
• Section 7.3.13, “restart-slapd (Restarts the Directory Server)”
• Section 7.3.
cl-dump (Dumps and Decodes the Changelog) Option Description to restore a single database; it is not necessary to use the -n option to restore the entire directory. Table 7.4. bak2db Options For information on the equivalent Perl script, see Section 7.4.1, “bak2db.pl (Restores a Database from Backup)”. For more information on restoring databases, see the "Populating Directory Databases" chapter in the Red Hat Directory Server Administrator's Guide.
Chapter 7. Command-Line Scripts Option Description commas to separate roots. If the option is omitted, all the replica roots will be dumped. -v Prints the version of the script. -w bindPassword Specifies the password for the bind DN. Table 7.5. cl-dump Options For information on the equivalent Perl script, see Section 7.4.2, “cl-dump.pl (Dumps and Decodes the Changelog)”. 7.3.3. db2bak (Creates a Backup of a Database) Creates a backup of the current database contents.
db2index (Reindexes Database Index Files) Option Description -a outputFile Gives the name of the output LDIF file. -C Uses only the main database file. -E Decrypts encrypted data during export. This option is used only if database encryption is enabled. -m Sets minimal base-64 encoding. -M Uses multiple files for storing the output LDIF, with each instance stored in instance filename (where filename is the filename specified for -a option). -n backendInstance Gives the instance to be exported.
Chapter 7. Command-Line Scripts Usage Here are a few sample commands:
• Reindex all the database index files:
db2index
• Reindex cn and givenname in the database instance userRoot:
db2index -n userRoot -t cn -t givenname
• Reindex cn in the database where the root suffix is dc=example,dc=com:
db2index -s "dc=example,dc=com" -t cn
Options Option Description -n backendInstance Gives the name of the instance to be reindexed.
ds_removal IMPORTANT: Never run dbverify when a modify operation is in progress. This command calls the BerkeleyDB utility db_verify and does not perform any locking. This can lead to data corruption if the script is run at the same time as a modify. If that occurs, an entry will be recorded in the error log:
DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
DB ERROR: db_verify: DB->verify: db/mstest2/uid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file uid.
Chapter 7. Command-Line Scripts Options Option Parameter Description -f Forces the removal of the instance. This can be useful if the instance is not running but must be removed anyway. -s instance_name The name of the instance to remove. -w manager_password The Directory Manager password to use to bind to the instance. 7.3.8. ldif2db (Import) Runs the ns-slapd command-line utility with the ldif2db keyword. To run this script, the server must be stopped.
ldif2ldap (Performs Import Operation over LDAP) Option Description By default, a time-based unique ID is generated. When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use, as follows: -g deterministic namespace_id namespace_id is a string of characters in the format 00-xxxxxxxx-xxxxxxxx-xxxxxxxxxxxxxxxx.
Chapter 7. Command-Line Scripts Options Option Description -D rootdn Gives a user DN with root permissions, such as Directory Manager. -f filename Gives the name of the file to be imported. When importing multiple files, the files are imported in the order they are specified on the command line. -w password Gives the password associated with the user DN. Table 7.10. ldif2ldap Options 7.3.10.
repl-monitor (Monitors Replication Status) Option Description replication information. For more information about the configuration file, see Configuration File Format. -p port Specifies the initial replication supplier's port. The default value is 389. -r If specified, causes the routine to be entered without printing the HTML header information.
Chapter 7. Command-Line Scripts lowmark = color The connection section defines how this tool may connect to each LDAP server in the replication topology to get the replication-agreement information. The default binddn is cn=Directory Manager. Simple bind will be used unless bindcert is specified with the path of a certificate database. A server may have a dedicated or shared entry in the connection section. The script will find out the most matched entry for a given server.
pwdhash (Prints Encrypted Passwords) 60 = #FFCCCC A shadow port can be set in the replication monitor configuration file. For example: host:port=shadowport:binddn:bindpwd:bindcert When the replication monitor finds a replication agreement that uses the specified port, it will use the shadow port to connect to retrieve statistics. 7.3.12. pwdhash (Prints Encrypted Passwords) Prints the encrypted form of a password using one of the server's encryption algorithms.
Chapter 7. Command-Line Scripts Exit Code Description 3 Server could not be stopped. Table 7.13. restart-slapd Exit Status Codes 7.3.14. restoreconfig (Restores Administration Server Configuration) Restores, by default, the most recently saved Administration Server configuration information to the NetscapeRoot partition under the /etc/dirsrv/slapd-instance_name/ directory. To restore the Administration Server configuration, do the following: 1. Stop the Directory Server. 2.
stop-slapd (Stops the Directory Server) Options There are no options for this script. Exit Status Codes Exit Code Description 0 Server started successfully. 1 Server could not be started. 2 Server was already started. Table 7.14. start-slapd Exit Status Codes 7.3.17. stop-slapd (Stops the Directory Server) Stops the Directory Server.
Chapter 7. Command-Line Scripts 7.3.19. vlvindex (Creates Virtual List View Indexes) To run the vlvindex script, the server must be stopped. The vlvindex script creates virtual list view (VLV) indexes, known in the Directory Server Console as browsing indexes. VLV indexes introduce flexibility in the way search results are viewed. VLV indexes can organize search results alphabetically or in reverse alphabetical order, making it easy to scroll through the list of results.
bak2db.pl (Restores a Database from Backup)
• Section 7.4.10, “migrate-ds-admin.pl”
• Section 7.4.7, “ldif2db.pl (Import)”
• Section 7.4.8, “logconv.pl (Log Converter)”
• Section 7.4.11, “ns-accountstatus.pl (Establishes Account Status)”
• Section 7.4.12, “ns-activate.pl (Activates an Entry or Group of Entries)”
• Section 7.4.13, “ns-inactivate.pl (Inactivates an Entry or Group of Entries)”
• Section 7.4.14, “ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)”
• Section 7.4.
Chapter 7. Command-Line Scripts Option Description -t databaseType The database type. The only possible database type is ldbm. -v Verbose mode. -w password The password associated with the user DN. -w - Prompts for the password associated with the user DN. Table 7.18. bak2db.pl Options 7.4.2. cl-dump.pl (Dumps and Decodes the Changelog) Troubleshoots replication-related problems. NOTE cl-dump.pl is in the /usr/bin directory. Syntax cl-dump.
db2bak.pl (Creates a Backup of a Database) Option Description -P bindCert Specifies the path, including the filename, to the certificate database that contains the certificate used for binding. -r replicaRoots Specifies the replica-roots whose changelog to dump. When specifying multiple roots, use commas to separate roots. If the option is omitted, all the replica roots will be dumped. -v Prints the version of the script. -w bindPassword Specifies the password for the bind DN. Table 7.19.
Chapter 7. Command-Line Scripts 7.4.4. db2index.pl (Creates and Generates Indexes) Creates and generates the new set of indexes to be maintained following the modification of indexing entries in the cn=config configuration file. Syntax
db2index.pl [ -v ] -D rootdn { -w password | -w - | -j filename } -n backendInstance [ -t attributeName(:indextypes(:matchingrules)) ] [ -T vlvAttributeName ]
Options The script db2index.pl creates an entry in the directory that launches this dynamic task.
Options
To run this script, the server must be running, and either the -n or -s option is required.

Option             Description
-1                 Deletes, for reasons of backward compatibility, the first line of the LDIF file that gives the version of the LDIF standard.
-a outputFile      Gives the filename of the output LDIF file.
-C                 Uses only the main database file.
-D rootdn          Gives the user DN with root permissions, such as Directory Manager.
7.4.6. fixup-memberof.pl (Regenerate memberOf Attributes)

Regenerates and updates memberOf on user entries to coordinate changes in group membership. To run this script, the server must be running. The script creates an entry in the directory that launches this dynamic task.

Syntax
fixup-memberof.pl -D rootdn { -w password | -w - | -j filename } -b baseDN [ -f filter ] [ -v ]

Options
Option             Description
-b baseDN          The DN of the subtree containing the entries to update.
Option             Description
-c                 Merge chunk size.
-D rootdn          Specifies the user DN with root permissions, such as Directory Manager.
-E                 Decrypts encrypted data during export. This option is used only if database encryption is enabled.
-g string          Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated.
Option             Description
-w password        Specifies the password associated with the user DN.
-w -               Prompts for the password associated with the user DN.
-x excludeSuffix   Specifies the suffixes to be excluded.
Table 7.24. ldif2db.pl Options

7.4.8. logconv.pl (Log Converter)

Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events. It is compatible with log formats from previous releases of Directory Server.
• Lists of the most frequently occurring parameters in LDAP requests provide insight into how the directory information is being accessed. For example, lists of the top ten bind DNs, base DNs, filter strings, and attributes returned can help administrators optimize the directory for its users. These lists are optional because they are computation intensive: specify only the command-line options required (see Options).

Some information that is extracted by the logconv.
Option             Description
will list the ten client machines that access the Directory Server most often. This parameter will apply to all lists that are enabled, and it will have no effect if none are displayed.
-S startTimestamp  Specifies the start timestamp; the timestamp must follow the exact format as specified in the access log.
-v                 Displays the version number of the logconv.pl script.
-V                 Enables verbose output. With this option, logconv.
Option   Description
c        Lists the number of occurrences for each type of connection code.
i        Lists the IP addresses and connection codes of the clients with the most connections, which detects clients that may be trying to compromise security.
b        Lists the most frequently used bind DNs.
a        Lists the most frequent base DNs when performing operations.
l        Lists the most frequently used filter strings for searches.
t        Lists the longest and most frequent etimes (elapsed operation time).
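The lists above (connection codes, client IPs, bind DNs, base DNs, filters, etimes) can be reproduced on a small scale to see what logconv.pl is counting. The following Python is an added example, not part of this reference and not the logconv.pl script itself. It parses a few constructed lines written in the conn=/op= style of the Directory Server access log (an assumption about the exact field layout; the traffic is invented) and goes one step beyond the page by also tallying failed simple binds (LDAP result code 49) per client IP, which is the kind of client the i list is meant to make visible.

```python
import re
from collections import Counter

# Constructed sample traffic in the style of the Directory Server access log
# (conn=/op= fields; an assumption about the exact layout, not a real log).
SAMPLE_LOG = """\
[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 192.0.2.10 to 192.0.2.1
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)" attrs="cn mail"
[21/Apr/2009:11:39:52 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3
[21/Apr/2009:11:39:52 -0700] conn=11 op=2 UNBIND
[21/Apr/2009:11:39:52 -0700] conn=11 op=2 fd=608 closed - U1
[21/Apr/2009:11:40:01 -0700] conn=12 fd=609 slot=609 connection from 198.51.100.7 to 192.0.2.1
[21/Apr/2009:11:40:01 -0700] conn=12 op=0 BIND dn="uid=bjensen,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:40:01 -0700] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:40:02 -0700] conn=12 op=1 BIND dn="uid=bjensen,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:40:02 -0700] conn=12 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:40:03 -0700] conn=12 op=2 BIND dn="uid=bjensen,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:40:03 -0700] conn=12 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:40:09 -0700] conn=12 op=-1 fd=609 closed - B1
[21/Apr/2009:11:40:20 -0700] conn=13 fd=610 slot=610 connection from 198.51.100.7 to 192.0.2.1
[21/Apr/2009:11:40:20 -0700] conn=13 op=0 BIND dn="" method=128 version=3
[21/Apr/2009:11:40:20 -0700] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2009:11:40:21 -0700] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Apr/2009:11:40:25 -0700] conn=13 op=1 RESULT err=0 tag=101 nentries=500 etime=4
[21/Apr/2009:11:40:25 -0700] conn=13 op=2 UNBIND
[21/Apr/2009:11:40:25 -0700] conn=13 op=2 fd=610 closed - U1
"""

# One pattern per line type of interest.
LINE_RE = {
    "open":   re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to "),
    "bind":   re.compile(r'conn=(\d+) op=(-?\d+) BIND dn="([^"]*)"'),
    "search": re.compile(r'conn=(\d+) op=(-?\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"'),
    "result": re.compile(r"conn=(\d+) op=(-?\d+) RESULT err=(\d+) tag=\d+ nentries=\d+ etime=(\d+)"),
    "closed": re.compile(r"conn=(\d+) op=-?\d+ fd=\d+ closed - (\S+)"),
}

LDAP_INVALID_CREDENTIALS = "49"   # LDAP result code returned for a failed simple bind


def analyze(log_text, top_n=10):
    """Tally the kinds of things logconv.pl reports: connections per client IP,
    connection close codes, top bind DNs, base DNs, filters and the longest
    etimes, plus failed binds per client IP."""
    ip_of_conn = {}   # conn id -> client IP, taken from the 'connection from' line
    pending = {}      # (conn, op) -> what the operation was, until its RESULT line
    stats = {
        "connections_per_ip": Counter(),
        "connection_codes": Counter(),
        "top_bind_dns": Counter(),
        "top_base_dns": Counter(),
        "top_filters": Counter(),
        "failed_binds_per_ip": Counter(),
        "etimes": [],   # (etime, conn, op, kind)
    }
    for line in log_text.splitlines():
        m = LINE_RE["open"].search(line)
        if m:
            conn, ip = m.groups()
            ip_of_conn[conn] = ip
            stats["connections_per_ip"][ip] += 1
            continue
        m = LINE_RE["bind"].search(line)
        if m:
            conn, op, dn = m.groups()
            dn = dn or "(anonymous)"        # dn="" is an anonymous bind
            stats["top_bind_dns"][dn] += 1
            pending[(conn, op)] = ("BIND", dn)
            continue
        m = LINE_RE["search"].search(line)
        if m:
            conn, op, base, flt = m.groups()
            stats["top_base_dns"][base] += 1
            stats["top_filters"][flt] += 1
            pending[(conn, op)] = ("SRCH", base, flt)
            continue
        m = LINE_RE["result"].search(line)
        if m:
            conn, op, err, etime = m.groups()
            started = pending.pop((conn, op), ("?",))
            if started[0] == "BIND" and err == LDAP_INVALID_CREDENTIALS:
                stats["failed_binds_per_ip"][ip_of_conn.get(conn, "unknown")] += 1
            stats["etimes"].append((int(etime), int(conn), int(op), started[0]))
            continue
        m = LINE_RE["closed"].search(line)
        if m:
            conn, code = m.groups()
            stats["connection_codes"][code] += 1
    stats["longest_etimes"] = sorted(stats["etimes"], reverse=True)[:top_n]
    return stats


def suspicious_ips(stats, threshold=3):
    """Client IPs with at least `threshold` failed binds, sorted for stable output."""
    return sorted(ip for ip, n in stats["failed_binds_per_ip"].items() if n >= threshold)


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    for name in ("connections_per_ip", "connection_codes", "top_bind_dns", "top_base_dns", "top_filters"):
        print(name, s[name].most_common(10))
    print("longest etimes", s["longest_etimes"][:3])
    print("failed binds", dict(s["failed_binds_per_ip"]), "suspicious", suspicious_ips(s))
```

On the sample, conn=12 closes with code B1 after three err=49 binds from 198.51.100.7, and the same client then performs an anonymous subtree search; the longest etime belongs to that search. A real run would feed the whole access log (or a rotated set of them) to analyze() and tune the threshold to the environment.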
NOTE
This script only migrates a Directory Server instance, not an Administration Server.

Information can be passed with the script or in an .inf file, same as the setup scripts. Both the .inf parameters and command-line arguments are described in the silent configuration section of the Installation Guide.

Syntax migrate-ds.
Option           Alternate Options   Description
--instance       -i                  This parameter specifies a specific instance to migrate. This parameter can be used multiple times to migrate several instances simultaneously. By default, the migration script migrates all Directory Server instances on the machine.
--file=name      -f name             This sets the path and name of the .inf file provided with the migration script. The only parameter is the General.
7.4.10. migrate-ds-admin.pl

The migrate-ds-admin.pl script is used to migrate a Directory Server 7.1 instance to Directory Server 8.1. Migration can happen between instances on the same machine, on different machines, or on different platforms. This script migrates both the Directory Server instances and the Administration Server for the 7.1 deployment.

IMPORTANT
Do not run setup-ds-admin.pl for the new Directory Server 8.
Option           Alternate Options   Description
case, the oldsroot parameter sets the directory from which the migration is run (such as machine_new:/migrate/opt/redhat-ds/), while the actualsroot parameter sets the server root (/opt/redhat-ds/).
--instance       -i                  This parameter specifies a specific instance to migrate. This parameter can be used multiple times to migrate several instances simultaneously. By default, the migration script migrates all Directory Server instances on the machine.
Option           Alternate Options   Description
If this is not set, then the migration information is written to a temporary file, named /tmp/migrateXXXXX.log. To disable logging, set /dev/null as the logfile.

7.4.11. ns-accountstatus.pl (Establishes Account Status)

Provides account status information to establish whether an entry or group of entries is inactivated.

Syntax ns-accountstatus.
Syntax
ns-activate.pl [ -D rootdn ] [ -w password | -w - | -j filename ] [ -p port ] [ -h host ] -I DN [ -? ]

Options
Option             Description
-D rootdn          Specifies the Directory Server user DN with root permissions, such as Directory Manager.
-h host            Specifies the hostname of the Directory Server. The default value is the full hostname of the machine where Directory Server is installed.
-I DN              Specifies the entry DN or role DN to activate.
Option             Description
-j filename        Specifies the path, including the filename, to the file that contains the password associated with the user DN.
-p port            Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time.
-w password        Specifies the password associated with the user DN.
-w -               Prompts for the password associated with the user DN.
-?                 Opens the help page.
Table 7.30. ns-inactivate.pl Options

7.4.
Option             Description
-v                 Verbose mode.
-w password        Specifies the password associated with the user DN.
-?                 Opens the help page.
Table 7.31. ns-newpwpolicy.pl Options

7.4.15. register-ds-admin.pl

The register-ds-admin.pl script can be used for two things:
• Registering an existing Directory Server instance with a different Administration Server or Configuration Directory Server.
• Creating a new, local Administration Server when only a Directory Server was installed previously.
When the instance is removed, it is shut down and all of its configuration files are removed. Certificate database files, like cert8.db and key3.db, are not removed, so the remaining instance directory is renamed removed.slapd-instance.

Syntax
remove-ds.pl [ -f ] -i instance_name

Options
Option   Parameter   Description
Forces the removal of the instance. This can be useful if the instance is not running but must be removed anyway.
Option             Description
-r                 If specified, causes the routine to be entered without printing the HTML header information. This is suitable when making multiple calls to this routine — such as specifying multiple, different, unrelated supplier servers — and expecting a single HTML output.
-t refreshInterval Specifies the refresh interval in seconds. The default value is 300 seconds. This option must be used with the -u option.
A server may have a dedicated or shared entry in the connection section. The script uses the entry that most closely matches a given server.
When the replication monitor finds a replication agreement that uses the specified port, it will use the shadow port to connect to retrieve statistics.

7.4.18. schema-reload.pl (Reload Schema Files Dynamically)

Manually reloads the schema files used by the Red Hat Directory Server instance either in the default location or in user-specified locations. To run this script, the server must be running.
NOTE
This script only creates a Directory Server instance, not an Administration Server. For the new instance to work, there has to be an Administration Server and Configuration Directory Server installed on another machine.

Information can be passed with the script or in an .inf file. If no options are used, setup-ds.pl launches an interactive configuration program. Both the .
Option           Alternate Options   Description
tmp/setuprandom.inf, like /tmp/setuplGCZ8H.inf.

WARNING
The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.

--logfile name   -l                  This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null.
Options
Option           Alternate Options   Description
--silent         -s                  This runs the register script in silent mode, drawing the configuration information from a file (set with the --file parameter) or from arguments passed in the command line rather than interactively.
--file=name      -f name             This sets the path and name of the file which contains the configuration settings for the new Directory Server instance.
Option           Alternate Options   Description
--logfile name   -l                  This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null.
--update         -u                  This parameter updates existing Directory Server instances.
Option             Description
db.pl command, then it uses the default database directory, /var/lib/dirsrv/slapd-instance_name/db.
-?                 Opens the help page.
Table 7.34. verify-db.pl Options
Appendix A. Using the ns-slapd Command-Line Utilities

Chapter 7, Command-Line Scripts discussed the scripts for performing routine administration tasks on the Red Hat Directory Server (Directory Server). This appendix discusses the ns-slapd command-line utilities that can be used to perform the same tasks.
Option             Description
-d debugLevel      Specifies the debug level to use during the db2ldif runtime. For further information, refer to Section 2.3.1.44, “nsslapd-errorlog-level (Error Log Level)”.
-D configDir       Specifies the location of the server configuration directory that contains the configuration information for the export process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
Option             Description
the configuration directory, do not exclude o=NetscapeRoot.
Table A.1. db2ldif Options

A.4. Utilities for Restoring and Backing up Databases: ldif2db

Imports LDIF files to the database.

Syntax
ns-slapd ldif2db -D configDir -i ldifFile [ -d debugLevel ] [ -g string ] [ -n backendInstance ] [ -O ] [ -s includeSuffix ] [ -x excludeSuffix ] [ -E ]

Enter the full path to the server configuration directory (configdir).
Option             Description
Use this option when importing the same LDIF file into two different Directory Servers whose contents should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server, regardless of the options specified.
-i ldifFile        Specifies the LDIF file to be imported. This option is required.
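The unique-ID modes of -g string (for ldif2db.pl and for ns-slapd ldif2db) and the LDIF version line that db2ldif.pl -1 strips are easier to reason about with a concrete file in hand. The following Python is an added example, not the server's code and not one of its utilities. It parses a small constructed LDIF export (version line, comment, folded line, base64 value) and assigns an nsUniqueId per entry as the modes are described: none adds nothing, deterministic derives the ID from the entry DN so that two independent imports of the same file agree, and the default derives a time-based ID; an nsUniqueId already present in the file is kept whatever the mode. The name-based derivation used here is UUID version 5 under a fixed namespace, an assumption chosen for illustration; the server's own generator and ID format are not reproduced.

```python
import base64
import uuid

# Fixed namespace for the name-based scheme. This is an assumption made for the
# example; the server keeps its own generator namespace in its configuration.
ID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "import-example.invalid")

# Constructed sample export, not a real one: a version line, a comment, a folded
# (continued) value, a base64 value and one entry that already has an nsUniqueId.
SAMPLE_LDIF = """\
version: 1
# constructed sample, not a real export
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen
description: This value is folded across
  two lines in the file
mail:: YmplbnNlbkBleGFtcGxlLmNvbQ==

dn: cn=Preserved,dc=example,dc=com
objectClass: top
objectClass: organizationalRole
cn: Preserved
nsUniqueId: 0a1b2c3d-0e1f2a3b-4c5d6e7f-8a9b0c1d
"""


def parse_ldif(text):
    """Return a list of entries, each {"dn": str, "attrs": [(name, value), ...]}.
    Handles the version line, '#' comments, folded lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold: drop the one leading space
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "version" and current is None:
            continue                        # the version line db2ldif.pl -1 removes
        if name.lower() == "dn":
            current = {"dn": value, "attrs": []}
        elif current is not None:
            current["attrs"].append((name, value))
    if current is not None:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Cheap DN normalisation so spacing/case differences yield the same name-based ID."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def get_attr(entry, name):
    return [v for n, v in entry["attrs"] if n.lower() == name.lower()]


def assign_unique_ids(entries, mode="time"):
    """Apply the -g modes: 'none', 'deterministic' (name-based) or time-based (default).
    Entries that already carry an nsUniqueId keep it regardless of mode."""
    for entry in entries:
        if get_attr(entry, "nsUniqueId") or mode == "none":
            continue
        if mode == "deterministic":
            new_id = uuid.uuid5(ID_NAMESPACE, normalize_dn(entry["dn"]))
        else:
            new_id = uuid.uuid1()
        entry["attrs"].append(("nsUniqueId", str(new_id)))
    return entries


def unique_ids(entries):
    """Map DN -> nsUniqueId for the entries that have one."""
    return {e["dn"]: get_attr(e, "nsUniqueId")[0] for e in entries if get_attr(e, "nsUniqueId")}


if __name__ == "__main__":
    for mode in ("none", "deterministic", "time"):
        print(mode, unique_ids(assign_unique_ids(parse_ldif(SAMPLE_LDIF), mode)))
```

Running it twice in deterministic mode prints identical IDs for the two entries that lacked one, while the Preserved entry shows its original ID in every mode; the time-based run differs between invocations, which is exactly why two servers loaded from the same file need deterministic when their IDs must match.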
Options
Option             Description
-D configDir       Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
-a archiveDir      Specifies the archive directory.
Table A.3. archive2db Options

A.6.
Option             Description
Section 2.3.1.44, “nsslapd-errorlog-level (Error Log Level)”.
-D configDir       Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
-n backendName     Specifies the name of the backend containing the entries to index.
Glossary

A

access control instruction: See ACI.
access control list: See ACL.
access rights: In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy and all.
authentication: (1) Process of proving the identity of the client user to the Directory Server. Users must provide a bind DN and either the corresponding password or certificate in order to be granted access to the directory. Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator.
certificate: A collection of data that associates the public keys of a network user with their DN in the directory. The certificate is stored in the directory as user object attributes.
Certificate Authority: Company or organization that sells and issues authentication certificates. You may purchase an authentication certificate from a Certification Authority that you trust. Also known as a CA.
CGI: Common Gateway Interface. An interface for external programs to communicate with the HTTP server.
CoS: A method for sharing attributes between entries in a way that is invisible to applications.
CoS definition entry: Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects.
CoS template entry: Contains a list of the shared attribute values. See also template entry.

D

daemon: A background process on a Unix machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning.
IP address for a hostname from a DNS server, or they look it up in tables maintained on their systems.
DNS alias: A DNS alias is a hostname that the DNS server knows points to a different host, specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as www.yourdomain.domain might point to a real machine called realthing.yourdomain.domain where the server currently exists.
H

hostname: A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example and com domain.
HTML: Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as Mozilla Firefox how to display text, position graphics, and form items and to display links to other pages.
L

LDAP: Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.
LDAP client: Software used to request and view LDAP entries from an LDAP Directory Server. See also browser.
LDAP Data Interchange Format: See LDIF.
LDAP URL: Provides the means of locating Directory Servers using DNS and then completing the query via LDAP. A sample LDAP URL is ldap://ldap.example.com.
master: See supplier.
master agent: See SNMP master agent.
matching rule: Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use.
MD5: A message digest algorithm by RSA Data Security, Inc.
NIS: Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, filesystems, and network parameters throughout a network of computers.
NMS: Powerful workstation with one or more network management applications installed. Also network management station.
ns-slapd: Red Hat's LDAP Directory Server daemon or service that is responsible for all actions of the Directory Server. See also slapd.
permission: In the context of access control, permission states whether access to the directory information is granted or denied and the level of access that is granted or denied. See also access rights.
pointer CoS: A pointer CoS identifies the template entry using the template DN only.
presence index: Allows searches for entries that contain a specific indexed attribute.
protocol: A set of rules that describes how devices on a network exchange information.
protocol data unit: See PDU.
referential integrity: Mechanism that ensures that relationships between related entries are maintained within the directory.
referral: (1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP server that can process the request. (2) In the context of replication, when a read-only replica receives an update request, it forwards it to the server that holds the corresponding read-write replica.
schema checking: Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default, and users will receive an error if they try to save an entry that does not conform to the schema.
Secure Sockets Layer: See SSL.
self access: When granted, indicates that users have access to their own entries if the bind DN matches the targeted entry.
SSL: A software library establishing a secure connection between two parties (client and server) used to implement HTTPS, the secure version of HTTP. Also called Secure Sockets Layer.
standard index: Index maintained by default.
sub suffix: A branch underneath a root suffix.
subagent: See SNMP subagent.
substring index: Allows for efficient searching against substrings within entries. Substring indexes are limited to a minimum of two characters for each entry.
topology: The way a directory tree is divided among physical servers and how these servers link with one another.
Transport Layer Security: See TLS.

U

uid: A unique number associated with each user on a Unix system.
URL: Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is protocol://machine:port/document.
Index Symbols 00core.ldif ldif files, 4 01common.ldif ldif files, 4 05rfc2247.ldif ldif files, 4 05rfc2927.ldif ldif files, 4 10presence.ldif ldif files, 4 10rfc2307.ldif ldif files, 5 20subscriber.ldif ldif files, 5 25java-object.ldif ldif files, 5 28pilot.ldif ldif files, 5 30ns-common.ldif ldif files, 5 50ns-admin.ldif ldif files, 5 50ns-certificate.ldif ldif files, 5 50ns-directory.ldif ldif files, 5 50ns-mail.ldif ldif files, 5 50ns-value.ldif ldif files, 5 50ns-web.ldif ldif files, 5 60pam-plugin.
C changelog multi-master replication changelog, 71 changeLog, 73 changelog configuration attributes changelogmaxentries, 72 nsslapd-changelogdir, 71 nsslapd-changelogmaxage, 72 changelog configuration entries cn=changelog5, 71 changeLogEntry, 120 changeNumber, 73 changes, 73 changeTime, 73 changeType, 73 cl-dump command-line shell script, 281 quick reference, 278 cl-dump.
nsTaskCurrentItem, 106 nsTaskExitCode, 106 nsTaskLog, 106 nsTaskStatus, 105, 107 ttl, 107 entries, 104 task invocation configuration entries, 104 cn=backup, 114 cn=export, 111 cn=import, 105, 108 cn=index, 116 cn=restore, 115 cn=uniqueid generator object classes, 120 uniqueid generator configuration entries, 120 cn=UserRoot configuration, 7 command-line scripts, 277 finding and executing, 277 location of perl scripts, 278 location of shell scripts, 277 migrate-ds-admin.pl, 308 migrate-ds.
retro changelog plug-in configuration attributes, 205 SASL configuration attributes, 99 SNMP configuration attributes, 100 suffix configuration attributes, 78 synchronization agreement attributes, 94 task configuration attributes, 104 cn=backup, 114 cn=export, 111 cn=import, 105, 108 cn=index, 116 cn=memberof task, 119 cn=restore, 115 cn=schema reload task, 118 uniqueid generator configuration attributes, 120 configuration changes requiring server restart, 9 configuration entries modifying using LDAP
nsslapd-accesslog-logexpirationtime, 13 nsslapd-accesslog-logexpirationtimeunit, 13 nsslapd-accesslog-logging-enabled, 13 nsslapd-accesslog-logmaxdiskspace, 14 nsslapd-accesslog-logminfreediskspace, 15 nsslapd-accesslog-logrotationsync-enabled, 15 nsslapd-accesslog-logrotationsynchour, 15 nsslapd-accesslog-logrotationsyncmin, 16 nsslapd-accesslog-logrotationtime, 16 nsslapd-accesslog-maxlogsize, 17 nsslapd-accesslog-maxlogsperdir, 17 nsslapd-accesslog-mode, 18 nsslapd-allow-unauthenticated-binds, 18 nsslapd
nssnmpdescription, 101 nssnmpenabled, 100 nssnmplocation, 101 nssnmpmasterhost, 101 nssnmpmasterport, 102 nssnmporganization, 100 nsSSL2 attribute, 75 nsSSL3 attribute, 76 nsSSL3ciphers attribute, 76 nsSSLclientauth, 58 nsSSLclientauth attribute, 75 nsSSLSessionTimeout attribute, 75 nsState, 85, 120 nsTaskCancel, 107 nsTaskCurrentItem, 106 nsTaskExitCode, 106 nsTaskLog, 106 nsTaskStatus, 105, 107 nsUniqueIdGenerator, 110 nsUniqueIdGeneratorNamespace, 111 nsUseId2Entry, 114 nsUseOneFile, 113 opscomple
dbcachetries, 178 dbfilecachehit, 191 dbfilecachemiss, 191 dbfilenamenumber, 191 dbfilepagein, 191 dbfilepageout, 192 description, 189 nsIndexType, 190 nsLookThroughLimit, 166 nsMatchingRule, 190 nsslapd-cache-autosize, 166 nsslapd-cache-autosize-split, 167 nsslapd-cachememsize, 180 nsslapd-cachesize, 179 nsslapd-db-abort-rate, 186 nsslapd-db-active-txns, 186 nsslapd-db-cache-hit, 186 nsslapd-db-cache-region-wait-rate, 186 nsslapd-db-cache-size-bytes, 186 nsslapd-db-cache-try, 186 nsslapd-db-checkpoint-inte
dbcachepageout attribute, 178 dbcacheroevict attribute, 178 dbcacherwevict attribute, 178 dbcachetries attribute, 178 dbfilecachehit attribute, 191 dbfilecachemiss attribute, 191 dbfilenamenumber attribute, 191 dbfilepagein attribute, 191 dbfilepageout attribute, 192 dbscan command-line utility examples, 275 options, 274 syntax, 274 dbverify command-line shell script, 284 quick reference, 277 deleteOldRdn, 74 description attribute, 85 distinguished names root, 50 distributed numeric assignment plug-i
additional options, 266 commonly used options, 262 SASL options, 265 ssl options, 264 syntax, 262 ldapmodify command-line utility additional options, 260 commonly used options, 256 options, 256 SASL options, 259 ssl options, 258 syntax, 256 ldappasswd command-line utility changing user password, 272, 272, 272, 272 examples, 272 generating user password, 272 options, 267 prompting for new password, 272 SASL options, 271 syntax, 267 ldapsearch command-line utility additional options, 252 commonly used options
command-line perl script, 310 quick reference, 278 ns-inactivate.pl command-line perl script, 311 quick reference, 278 ns-newpolicy.pl quick reference, 278 ns-newpwpolicy.
nsOperationConnectionCount attribute, 205 nsOperationConnectionsLimit attribute, 200 nsPrintKey, 113 nsProxiedAuthorization attribute, 200 nsReferralOnScopedSearch attribute, 201 nsRenameCount attribute, 205 nsruvReplicaLastModified attribute, 94 nsSaslMapBaseDNTemplate attribute, 99 nsSaslMapFilterTemplate attribute, 100 nsSaslMapping, 128 nsSaslMapRegexString attribute, 100 nsSearchBaseCount attribute, 205 nsSearchOneLevelCount attribute, 205 nsSearchSubtreeCount attribute, 205 nsSizeLimit attribute, 201
nsslapd-db-page-rw-evict-rate attribute, 188 nsslapd-db-page-size attribute, 173 nsslapd-db-page-trickle-rate attribute, 188 nsslapd-db-page-write-rate attribute, 188 nsslapd-db-pages-in-use attribute, 188 nsslapd-db-spin-count attribute, 173 nsslapd-db-transaction-batch-val attribute, 173 nsslapd-db-trickle-percentage attribute, 174 nsslapd-db-txn-region-wait-rate attribute, 188 nsslapd-db-verbose attribute, 175 nsslapd-dbcachesize attribute, 168 nsslapd-dbncache attribute, 175 nsslapd-directory att
nssnmpenabled attribute, 100 nssnmplocation attribute, 101 nssnmpmasterhost attribute, 101 nssnmpmasterport attribute, 102 nssnmporganization attribute, 100 nsSSL2 attribute, 75 nsSSL3 attribute, 76 nsSSL3ciphers attribute, 76 nsSSLclientauth attribute, 58, 75 nsSSLSessionTimeout attribute, 75 nsState attribute, 85, 120 nsSubStrBegin attribute, 192 nsSubStrEnd attribute, 193 nsSubStrMiddle attribute, 193 nsSystemIndex attribute, 191 nsTaskCancel, 107 nsTaskCurrentItem, 106 nsTaskExitCode, 106 nsTaskLog, 106
nsAbandonedSearchCheckInterval, 198 nsActiveChainingComponents, 196 nsAddCount, 204 nsBindConnectionCount, 205 nsBindConnectionsLimit, 198 nsBindCount, 205 nsBindMechanism, 202 nsBindRetryLimit, 198 nsBindTimeout, 199 nsCheckLocalACI, 199 nsCompareCount, 205 nsConcurrentBindLimit, 199 nsConcurrentOperationsLimit, 200 nsConnectionLife, 200 nsDeleteCount, 204 nsFarmServerURL, 203 nshoplimit, 204 nsIndexType, 190 nsLookThroughLimit, 166 nsMatchingRule, 190 nsMaxResponseDelay, 196 nsMaxTestResponseDelay,
nsslapd-require-index, 181 nsslapd-suffix, 181 nsSubStrBegin, 192 nsSubStrEnd, 193 nsSubStrMiddle, 193 nsSystemIndex, 191 nsTimeLimit, 201 nsTransmittedControls, 197 nsUnbindCount, 205 nsUseStartTLS, 204 vlvBase, 182 vlvEnabled, 182 vlvFilter, 183 vlvScope, 184 vlvSort, 185 vlvUses, 185 plug-ins configuration of, 3 distributed number assignment plug-in, 149 memberOf plug-in, 152 schema reload plug-in, 158 port numbers less than 1024, 46 pwdhash command-line shell script, 291 quick reference, 278 R read-onl
nsState, 85 object classes, 79 restart, 291 restart-slapd command-line shell script, 291 quick reference, 277 restarting server requirement for certain configuration changes, 9 restoreconfig command-line shell script, 292 quick reference, 277 retro changelog Meta Directory changelog, 71 retro changelog plug-in configuration attributes nsslapd-changelogdir, 206 retryCountResetTime, 70 S SASL configuration attributes nsSaslMapBaseDNTemplate, 99 nsSaslMapFilterTemplate, 100 nsSaslMapRegexString, 100 SA
nsds7DirectoryReplicaSubtree, 95 nsds7DirsyncCookie, 95 nsds7NewWinGroupSyncEnabled, 95 nsds7NewWinUserSyncEnabled, 95 nsds7WindowsDomain, 96 nsds7WindowsReplicaSubtre, 96 winSyncInterval, 96 T targetDn, 74 totalConnections attribute, 98 trailing spaces in object class names, 52 ttl, 107 U uniqueid generator configuration attributes nsState, 120 uniqueid generator configuration entries cn=uniqueid generator, 120 V verify-db.