manualshive.com logo in svg

Red Hat 8.1, Command Reference Manual, Page: 21 / 372

Share
Download
Red Hat 8.1 Command Reference Manual Download Page 21

Accessing and Modifying Server Configuration

7

For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-
in configuration attribute reference, and a list of plug-ins requiring restart for configuration changes,
see 

Chapter 3, Plug-in Implemented Server Functionality Reference

.

2.1.2.3. Configuration of Databases

The 

o=NetscapeRoot

 and 

cn=UserRoot

 subtrees under the database plug-in entry contain

configuration data for the databases containing the 

o=NetscapeRoot

 suffix and the default suffix

created during setup, such as 

dc=example,dc=com

.

These entries and their children have many attributes used to configure different database settings,
like the cache sizes, the paths to the index files and transaction logs, entries and attributes for
monitoring and statistics; and database indexes.

2.1.2.4. Configuration of Indexes

Configuration information for indexing is stored as entries in the Directory Server under the following
information-tree nodes:

cn=index,o=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config

cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config

cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

For more information about indexes in general, see the 

Directory Server Administrator's Guide

. For

information about the index configuration attributes, see 

Section 3.4.1, “Database Attributes under

cn=config, cn=ldbm database, cn=plugins, cn=config”

.

2.2. Accessing and Modifying Server Configuration

This section discusses access control for configuration entries and describes the various ways in
which the server configuration can be viewed and modified. It also covers restrictions to the kinds
of modification that can be made and discusses attributes that require the server to be restarted for
changes to take effect.

2.2.1. Access Control for Configuration Entries

When the Directory Server is installed, a default set of access control instructions (ACIs) is
implemented for all entries under 

cn=config

. The following code sample is an example of these

default ACIs.

aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all)
     groupdn = "ldap:///cn=Configuration Administrators,u=Groups, ou=TopologyManagement,
 o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all)
     userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all)
     groupdn = "ldap:///ou=Directory Administrators, dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all)
     groupdn = "ldap:///cn=slapd-phonebook, cn=Red Hat Directory Server,
     cn=Server Group, cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)

Summary of Contents for 8.1

Page 1: ...Red Hat Directory Server 8 1 Configuration and Command Reference Ella Deon Lackey Publication date April 28 2009 updated on February 11 2010 ...

Page 2: ...st provide the URL for the original version Red Hat as the licensor of this document waives the right to enforce and agrees not to assert Section 4d of CC BY SA to the fullest extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linu...

Page 3: ...iguration Attributes Reference 10 2 3 1 cn config 10 2 3 2 cn changelog5 69 2 3 3 cn encryption 73 2 3 4 cn features 76 2 3 5 cn mapping tree 76 2 3 6 Suffix Configuration Attributes under cn suffixName 77 2 3 7 Replication Attributes under cn replica cn suffixDN cn mapping tree cn config 78 2 3 8 Replication Attributes under cn ReplicationAgreementName cn replica cn suffixName cn mapping tree cn ...

Page 4: ...ed Name Syntax Plug in 146 3 1 13 Distributed Numeric Assignment Plug in 147 3 1 14 Generalized Time Syntax Plug in 147 3 1 15 HTTP Client Plug in 147 3 1 16 Integer Syntax Plug in 148 3 1 17 Internationalization Plug in 148 3 1 18 JPEG Syntax Plug in 149 3 1 19 ldbm database Plug in 149 3 1 20 Legacy Replication Plug in 150 3 1 21 MemberOf Plug in 150 3 1 22 Multi master Replication Plug in 150 3...

Page 5: ... 188 3 4 7 Database Attributes under cn index cn NetscapeRoot cn ldbm database cn plugins cn config and cn index cn UserRoot cn ldbm database cn plugins cn config 189 3 4 8 Database Attributes under cn attributeName cn encrypted attributes cn database_name cn ldbm database cn plugins cn config 191 3 5 Database Link Plug in Attributes Chaining Attributes 193 3 5 1 Database Link Attributes under cn ...

Page 6: ... 228 5 2 2 Error Log Content 229 5 2 3 Error Log Content for Other Log Levels 230 5 3 Audit Log Reference 233 5 4 LDAP Result Codes 235 6 Command Line Utilities 237 6 1 Finding and Executing Command Line Utilities 237 6 2 Using Special Characters 237 6 3 Command Line Utilities Quick Reference 238 6 4 ldapsearch 238 6 5 ldapmodify 254 6 6 ldapdelete 260 6 7 ldappasswd 265 6 8 ldif 271 6 9 dbscan 27...

Page 7: ...s 297 7 4 7 ldif2db pl Import 298 7 4 8 logconv pl Log Converter 299 7 4 9 migrate ds pl 303 7 4 10 migrate ds admin pl 305 7 4 11 ns accountstatus pl Establishes Account Status 307 7 4 12 ns activate pl Activates an Entry or Group of Entries 308 7 4 13 ns inactivate pl Inactivates an Entry or Group of Entries 308 7 4 14 ns newpwpolicy pl Adds Attributes for Fine Grained Password Policy 309 7 4 15...

Page 8: ...viii ...

Page 9: ...f Directory Server include An LDAP server The LDAP v3 compliant network daemon Directory Server Console A graphical management console that dramatically reduces the effort of setting up and maintaining your directory service SNMP agent Can monitor the Directory Server using the Simple Network Management Protocol SNMP 2 Examples and Formatting Each of the examples used in this guide such as file lo...

Page 10: ...splayed in a prompt Monospace with a background This type of formatting is used for anything entered or returned in a command prompt Italicized text Any text which is italicized is a variable such as instance_name or hostname Occasionally this is also used to emphasize a new term or other phrase Bolded text Most phrases which are in bold are application names such as Cygwin or are fields or option...

Page 11: ...irectory Server Red Hat Directory Server Deployment Guide provides an overview for planning a deployment of the Directory Server Red Hat Directory Server Administrator s Guide contains procedures for the day to day maintenance of the directory service Includes information on configuring server side plug ins Red Hat Directory Server Configuration Command and File Reference provides reference inform...

Page 12: ...docs redhat com 5 Documentation History Revision 8 1 9 February 11 2010 Ella Deon Lackey Clarifying how passwordUnlock works per Bugzilla 552377 Changing thensDirectoryServerTask object class to extensibleObject per Bugzilla 555787 Adding extra reference to the 64 bit tools directory per Bugzilla 554972 Revision 8 1 8 January 11 2010 Ella Deon Lackey Adding section on nsslapd cachememsize and the ...

Page 13: ...Documentation History xiii Expanding the description of dnaNextRange Bugzilla 512557 Revision 8 1 0 April 28 2009 Ella Deon Lackey dlackey redhat com Initial draft for version 8 1 ...

Page 14: ...xiv ...

Page 15: ...and configuration information stored in each instance of Directory Server This is useful reference to helps administrators understand the changes or absence of changes in the course of directory activity From a security standpoint this also helps users detect errors and intrusion by highlighting normal changes and abnormal behavior 1 3 Using Directory Server Command Line Utilities Directory Server...

Page 16: ...2 ...

Page 17: ...in LDIF format This dse ldif file contains all of the server configuration information The latest version of this file is called dse ldif the version prior to the last modification is called dse ldif bak and the latest file with which the server successfully started is called dse ldif startOK Many of the features of the Directory Server are designed as discrete modules that plug into the core serv...

Page 18: ...ns necessary for starting the server with the bare minimum feature set no user schema no schema for any non core features The rest of the schema used by users features and applications is found in 01common ldif and the other schema files Do not modify this file 01common ldif Contains LDAPv3 standard operational schema such as subschemaSubentry LDAPv3 standard user and organization schema defined i...

Page 19: ...by Red Hat Administration Server 50ns certificate ldif Schema for Red Hat Certificate Management System 50ns directory ldif Contains additional configuration schema used by Directory Server 4 12 and earlier versions of the directory which is no longer applicable to current releases of Directory Server This schema is required for replicating between Directory Server 4 12 and current releases 50ns m...

Page 20: ...xample shows among other things that schema checking has been enabled this is represented by the attribute nsslapd schemacheck which takes the value on dn cn config objectclass top objectclass extensibleObject objectclass nsslapdConfig nsslapd accesslog logging enabled on nsslapd enquote sup oc off nsslapd localhost phonebook example com nsslapd schemacheck on nsslapd port 389 nsslapd localuser no...

Page 21: ...ectory Server Administrator s Guide For information about the index configuration attributes see Section 3 4 1 Database Attributes under cn config cn ldbm database cn plugins cn config 2 2 Accessing and Modifying Server Configuration This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified It also co...

Page 22: ...Restart for further information The following sections describe how to modify entries using LDAP both by using Directory Server Console and by using the command line the restrictions that apply to modifying entries the restrictions that apply to modifying attributes and the configuration changes requiring restart 2 2 2 1 Modifying Configuration Entries Using LDAP The configuration entries in the d...

Page 23: ...s entered for an attribute the server ignores it Because ldapdelete is used for deleting an entire entry use ldapmodify to remove an attribute from an entry 2 2 2 3 Configuration Changes Requiring Server Restart Some configuration attributes cannot be altered while the server is running In these cases for the changes to take effect the server needs to be shut down and restarted The modifications s...

Page 24: ...ting custom server functionality contact Directory Server support The configuration information stored in the dse ldif file is organized as an information tree under the general configuration entry cn config as shown in the following diagram Figure 2 2 Directory Information Tree Showing Configuration Data Most of these configuration tree nodes are covered in the following sections The cn plugins n...

Page 25: ...ibute must be switched to on The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging Attribute Value Logging enabled or disabled nsslapd accesslog logging enabled nsslapd accesslog on empty string Disabled nsslapd accesslog logging enabled nsslapd accesslog on filename Enabled nsslapd acce...

Page 26: ...te which cannot be set provides a list of access log files used in access log rotation Parameter Description Entry DN cn config Valid Values Default Value None Syntax DirectoryString Example nsslapd accesslog list accesslog2 accesslog3 2 3 1 4 nsslapd accesslog logbuffering Log Buffering When set to off the server writes all access log entries directly to disk Buffering allows the server to use ac...

Page 27: ...Time Unit This attribute specifies the units for nsslapd accesslog logexpirationtime attribute If the unit is unknown by the server then the log never expires Parameter Description Entry DN cn config Valid Values month week day Default Value month Syntax DirectoryString Example nsslapd accesslog logexpirationtimeunit week 2 3 1 7 nsslapd accesslog logging enabled Access Log Enable Logging Disables...

Page 28: ...aximum Disk Space This attribute specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume If this value is exceeded the oldest access log is deleted When setting a maximum disk space consider the total number of log files that can be created due to log file rotation Also remember that there are three different log files access log audit log and error log ...

Page 29: ...analysis of the log files much easier because they then map directly to the calendar For access log rotation to be synchronized with time of day this attribute must be enabled with the nsslapd accesslog logrotationsynchour and nsslapd accesslog logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files For example to rotate access log files every day at midnig...

Page 30: ...t size of the access log This attribute supplies only the number of units The units day week month and so forth are given by the nsslapd accesslog logrotationtimeunit attribute Although it is not recommended for performance reasons to specify no log rotation since the log grows indefinitely there are two ways of specifying this Either set the nsslapd accesslog maxlogsperdir attribute value to 1 or...

Page 31: ...isk space for the access log Parameter Description Entry DN cn config Valid Range 1 1 to the maximum 32 bit integer value 2147483647 where a value of 1 means the log file is unlimited in size Default Value 100 Syntax Integer Example nsslapd accesslog maxlogsize 100 2 3 1 16 nsslapd accesslog maxlogsperdir Access Log Maximum Number of Log Files This attribute sets the total number of access logs th...

Page 32: ...the first digit represents the owner s permissions the second digit represents the group s permissions and the third digit represents everyone s permissions When changing the default value remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone The newly configured access mode only affects new...

Page 33: ...alues on off Default Value off Syntax DirectoryString Example nsslapd attribute name exceptions on 2 3 1 20 nsslapd auditlog Audit Log This attribute sets the path and filename of the log used to record changes made to each database Parameter Description Entry DN cn config Valid Values Any valid filename Default Value var log dirsrv slapd instance_name audit Syntax DirectoryString Example nsslapd ...

Page 34: ...2 auditlog3 2 3 1 22 nsslapd auditlog logexpirationtime Audit Log Expiration Time This attribute sets the maximum age that a log file is allowed to be before it is deleted This attribute supplies only the number of units The units day week month and so forth are given by the nsslapd auditlog logexpirationtimeunit attribute Parameter Description Entry DN cn config Valid Range 1 to the maximum 32 bi...

Page 35: ...e four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging Attribute Value Logging enabled or disabled nsslapd auditlog logging enabled nsslapd auditlog on empty string Disabled nsslapd auditlog logging enabled nsslapd auditlog on filename Enabled nsslapd auditlog logging enabled nsslapd auditlog off empty stri...

Page 36: ... space is freed to satisfy this attribute Parameter Description Entry DN cn config Valid Range 1 unlimited 1 to the maximum 32 bit integer value 2147483647 Default Value 1 Syntax Integer Example nsslapd auditlog logminfreediskspace 1 2 3 1 27 nsslapd auditlog logrotationsync enabled Audit Log Rotation Sync Enabled This attribute sets whether audit log rotation is to be synchronized with a particul...

Page 37: ...e must be used in conjunction with nsslapd auditlog logrotationsync enabled and nsslapd auditlog logrotationsynchour attributes Parameter Description Entry DN cn config Valid Range 0 through 59 Default Value None because nsslapd auditlog logrotationsync enabled is off Syntax Integer Example nsslapd auditlog logrotationsyncmin 30 2 3 1 30 nsslapd auditlog logrotationtime Audit Log Rotation Time Thi...

Page 38: ...tribute Parameter Description Entry DN cn config Valid Values month week day hour minute Default Value week Syntax DirectoryString Example nsslapd auditlog logrotationtimeunit day 2 3 1 32 nsslapd auditlog maxlogsize Audit Log Maximum Log Size This attribute sets the maximum audit log size in megabytes When this value is reached the audit log is rotated That means the server starts writing log inf...

Page 39: ...grotationtime Audit Log Rotation Time for more information Parameter Description Entry DN cn config Valid Range 1 to the maximum 32 bit integer value 2147483647 Default Value 1 Syntax Integer Example nsslapd auditlog maxlogsperdir 10 2 3 1 34 nsslapd auditlog mode Audit Log File Permission This attribute sets the access mode or file permissions with which audit log files are to be created The vali...

Page 40: ...olute path to any directory which is owned by the server user ID and only allows read and write access to the server user ID Default Value etc dirsrv slapd instance_name Syntax DirectoryString Example etc dirsrv slapd phonebook 2 3 1 36 nsslapd certmap basedn Certificate Map Search Base This attribute can be used when client authentication is performed using SSL certificates in order to avoid limi...

Page 41: ...ns too many fds open A server restart is required for the change to take effect It may be necessary to increase the operating system limits for the number of open files and number of open files per process and it may be necessary to increase the ulimit for the number of open files ulimit n in the shell that starts the Directory Server See Section 2 3 1 77 nsslapd maxdescriptors Maximum File Descri...

Page 42: ...is attribute is deprecated and will be removed in a future version of Directory Server This attribute controls whether quoting in the objectclass attributes contained in the cn schema entry conforms to the quoting specified by Internet draft RFC 2252 By default the Directory Server conforms to RFC 2252 which indicates that this value should not be quoted Only very old clients need this value set t...

Page 43: ...or these two configuration attributes and their outcome in terms of disabling or enabling of error logging Attributes in dse ldif Value Logging enabled or disabled nsslapd errorlog logging enabled nsslapd errorlog on empty string Disabled nsslapd errorlog logging enabled nsslapd errorlog on filename Enabled nsslapd errorlog logging enabled nsslapd errorlog off empty string Disabled nsslapd errorlo...

Page 44: ...r log for example server startup messages Messages at this level are always included in the error log regardless of the log level setting 32768 Database cache debugging 65536 Server plug in debugging It writes an entry to the log file when a server plug in calls slapi log error 131072 Microsecond resolution for timestamps instead of the default seconds 262144 Access control summary information muc...

Page 45: ... the maximum 32 bit integer value 2147483647 A value of 1 or 0 means that the log never expires Default Value 1 Syntax Integer Example nsslapd errorlog logexpirationtime 1 2 3 1 47 nsslapd errorlog logexpirationtimeunit Error Log Expiration Time Unit This attribute sets the units for the nsslapd errorlog logexpirationtime attribute If the unit is unknown by the server then the log never expires Pa...

Page 46: ... the disk space allowed to the error log is unlimited in size Default Value 1 Syntax Integer Example nsslapd errorlog logmaxdiskspace 10000 2 3 1 50 nsslapd errorlog logminfreediskspace Error Log Minimum Free Disk Space This attribute sets the minimum allowed free disk space in megabytes When the amount of free disk space falls below the value specified on this attribute the oldest error log is de...

Page 47: ...rror logs This attribute must be used in conjunction with nsslapd errorlog logrotationsync enabled and nsslapd errorlog logrotationsyncmin attributes Parameter Description Entry DN cn config Valid Range 0 through 23 Default Value 0 Syntax Integer Example nsslapd errorlog logrotationsynchour 23 2 3 1 53 nsslapd errorlog logrotationsyncmin Error Log Rotation Sync Minute This attribute sets the minut...

Page 48: ...tax Integer Example nsslapd errorlog logrotationtime 100 2 3 1 55 nsslapd errorlog logrotationtimeunit Error Log Rotation Time Unit This attribute sets the units for nsslapd errorlog logrotationtime Error Log Rotation Time If the unit is unknown by the server then the log never expires Parameter Description Entry DN cn config Valid Values month week day hour minute Default Value week Syntax Direct...

Page 49: ...s attribute is higher than 1 then check the nsslapd errorlog logrotationtime attribute to establish whether log rotation is specified If the nsslapd errorlog logrotationtime attribute has a value of 1 then there is no log rotation See Section 2 3 1 54 nsslapd errorlog logrotationtime Error Log Rotation Time for more information Parameter Description Entry DN cn config Valid Range 1 to the maximum ...

Page 50: ...level attribute to set the number of levels of nesting that access control performs for group evaluation Instead the number of levels of nesting is hard coded as 5 Parameter Description Entry DN cn config Valid Range 0 to 5 Default Value 5 Syntax Integer Example nsslapd groupevalnestlevel 5 2 3 1 60 nsslapd idletimeout Default Idle Timeout This attribute sets the amount of time in seconds after wh...

Page 51: ...s Default Value 1800000 Syntax Integer Example nsslapd ioblocktimeout 1800000 2 3 1 63 nsslapd lastmod Track Modification Time This attribute sets whether the Directory Server maintains the modification attributes for Directory Server entries These are operational attributes These attributes include modifiersName The distinguished name of the person who last modified the entry modifyTimestamp The ...

Page 52: ... ldapiuidnumbertype nsslapd ldapigidnumbertype and nsslapd ldapientrysearchbase attributes Autobind can only be enabled if LDAPI is enabled meaning the nsslapd ldapilisten is on and the nsslapd ldapifilepath attribute is set to an LDAPI socket Parameter Description Entry DN cn config Valid Values on off Default Value off Syntax DirectoryString Example nsslapd ldapiautobind off 2 3 1 65 nsslapd lda...

Page 53: ...ectory Server attribute The nsslapd ldapigidnumbertype attribute points to the Directory Server attribute to map system GUIDs to user entries Users can only connect to the server with autobind if LDAPI is enabled nsslapd ldapilisten and nsslapd ldapifilepath autobind is enabled nsslapd ldapiautobind and autobind mapping is enabled for regular users nsslapd ldapimaptoentries Parameter Description E...

Page 54: ...sers can use autobind to authenticate to the Directory Server and all other users connect anonymously The mappings themselves are configured through the nsslapd ldapiuidnumbertype and nsslapd ldapigidnumbertype attributes which map Directory Server attributes to the user s UID and GUID numbers Users can only connect to the server with autobind if LDAPI is enabled nsslapd ldapilisten and nsslapd ld...

Page 55: ...IPv6 is given as the nsslapd listenhost value Directory Server only responds to requests sent to that specific interface Either an IPv4 or IPv6 address can be used The server has to be restarted for changes to this attribute to go into effect Parameter Description Entry DN cn config Valid Values Any local hostname IPv4 or IPv6 address Default Value Syntax DirectoryString Example nsslapd listenhost...

Page 56: ...will not take effect until the server is restarted Parameter Description Entry DN cn config Valid Values Absolute path to a directory owned by the server user ID with write access to the server ID Default Value var lock dirsrv slapd instance_name Syntax DirectoryString Example nsslapd lockdir var lock dirsrv slapd instance_name 2 3 1 76 nsslapd maxbersize Maximum Message Size Defines the maximum s...

Page 57: ...o use This number differs depending on the operating system If this value is set too high the Directory Server queries the operating system for the maximum allowable value and then use that value It also issues a warning in the error log If this value is set to an invalid value remotely by using the Directory Server Console or ldapmodify the server rejects the new value keep the old value and resp...

Page 58: ... than the nsslapd maxsasliosize limit the server immediately disconnects the client and logs a message to the error log so that an administrator can adjust the setting if necessary This attribute value is specified in bytes Parameter Description Entry DN cn config Valid Range 1 unlimited to the maximum 32 bit integer value 2147483647 on 32 bit systems 1 unlimited to the maximum 64 bit integer valu...

Page 59: ... that the server does not impose a limit on I O wait time Parameter Description Entry DN cn config Valid Range 0 to the maximum 32 bit integer value 2147483647 Default Value 300000 Syntax DirectoryString Example nsslapd outbound ldap io timeout 300000 2 3 1 82 nsslapd plug in This read only attribute lists the DNs of the plug in entries for the syntax and matching rule plug ins loaded by the serve...

Page 60: ...s cn config cn schema and cn monitor Default Value Syntax DirectoryString Example nsslapd privatenamespaces cn config 2 3 1 85 nsslapd pwpolicy local Enable Subtree and User Level Password Policy Turns fine grained subtree and user level password policy on and off If this attribute has a value of off all entries except for cn Directory Manager in the directory is subjected to the global password p...

Page 61: ...x does not match the value specified on any of the suffix attributes For example assume the server contains only entries ou People dc example dc com but the request is for this entry ou Groups dc example dc com In this case the referral would be passed back to the client in an attempt to allow the LDAP client to locate a server that contains the requested entry Although only one referral is allowe...

Page 62: ...e server is maintaining a large number of index files more than 30 The server is servicing a large number of LDAP connections There are error messages reporting that the server is unable to open file descriptors the actual error message differs depending on the operation that the server is attempting to perform but these error messages are not related to managing client LDAP connections Increasing...

Page 63: ...s the exact case of attribute type names as requested by the client Although LDAPv3 compliant clients must ignore the case of attribute names some client applications require attribute names to match exactly the case of the attribute as it is listed in the schema when the attribute is returned by the Directory Server as the result of a search or modify operation However most client applications ig...

Page 64: ...heme attribute When viewed from the server console this attribute shows the value When viewed from the dse ldif file this attribute shows the encryption method followed by the encrypted string of the password The example shows the password as displayed in the dse ldif file not the actual password WARNING When the root DN is configured at server setup a root password is required However it is possi...

Page 65: ... If this parameter is set the server uses the specified path for loading SASL plugins If this parameter is not set the server uses the SASL_PATH environment variable If neither nsslapd saslpath or SASL_PATH are set the server attempts to load SASL plugins from the default location usr lib sasl2 Changes made to this attribute will not take effect until the server is restarted Parameter Description ...

Page 66: ...e Extending the Directory Schema chapter in the Directory Server Administrator s Guide WARNING Red Hat strongly discourages turning off schema checking This can lead to severe interoperability problems This is typically used for very old or non standard LDAP data that must be imported into the Directory Server If there are not a lot of entries that have this problem consider using the extensibleOb...

Page 67: ...machine or makes it possible to limit listening to one interface of a multihomed machine There can be multiple IP addresses associated with a single hostname and these IP addresses can be a mix of both IPv4 and IPv6 This parameter can be used to restrict the Directory Server instance to a single IP interface this parameter also specifically sets what interface to use for SSL TLS traffic rather tha...

Page 68: ...ition to the other SSL TLS configuration Parameter Description Entry DN cn config Valid Values on off Default Value off Syntax DirectoryString Example nsslapd security off 2 3 1 103 nsslapd sizelimit Size Limit This attribute sets the maximum number of entries to return from a search operation If this limit is reached ns slapd returns any entries it has located that match the search request as wel...

Page 69: ...upplier server s log files if it finds that the peer server s hostname does not match the name specified in its certificate DATE SSL alert ldap_sasl_bind LDAP_SASL_EXTERNAL 81 Netscape runtime error 12276 Unable to communicate securely with peer requested domain name does not match the server s certificate DATE NSMMReplicationPlugin agmt cn SSL Replication Agreement to host1 host1 example com 636 ...

Page 70: ...e search request as well as an exceeded time limit error When no limit is set ns slapd returns every matching entry to the client regardless of the time it takes To set a no limit value whereby Directory Server waits indefinitely for the search to complete specify a value of 1 for this attribute in the dse ldif file A value of zero 0 causes no time to be allowed for searches The smallest time limi...

Page 71: ...ld have read or write access to it The default value for this attribute is the same directory containing the error log which is usually var log dirsrv slapd instance_name Changes made to this attribute will not take effect until the server is restarted 2 3 1 110 nsSSLclientauth Client Authentication This attribute sets whether client authentication also called certificate based authentication is a...

Page 72: ...ment and that the string does not contain any trivial words such as the user s name or user ID or any attribute value stored in the uid cn sn givenname ou or mail attributes of the user s directory entry Password syntax includes several different categories for checking Minimum number of digit characters 0 9 Minimum number of ASCII alphabetic characters both upper and lower case Minimum number of ...

Page 73: ... in the Directory Server Administrator s Guide Parameter Description Entry DN cn config Valid Values on off Default Value off Syntax DirectoryString Example passwordExp on 2 3 1 115 passwordExpirationTime This attribute specifies the length of time that passes before the user s password expires Parameter Description Entry DN cn config Valid Values Any date in integers Default Value none Syntax Gen...

Page 74: ...s an operational attribute meaning its value is managed by the server and the attribute is not returned in default searches Parameter Description Entry DN cn config Valid Values none to any reasonable integer Default Value none Syntax Integer Example passwordGraceUserTime 1 2 3 1 119 passwordHistory Password History Enables password history Password history refers to whether users are allowed to r...

Page 75: ...uide Parameter Description Entry DN cn config Valid Range 2 to 24 passwords Default Value 6 Syntax Integer Example passwordInHistory 7 2 3 1 121 passwordIsGlobalPolicy Password Policy and Replication This attribute controls whether password policy attributes are replicated Parameter Description Entry DN cn config Valid Values on off Default Value off Syntax DirectoryString Example passwordIsGlobal...

Page 76: ... s password Enable and disable the account lockout feature using the passwordLockout attribute This can be abbreviated to pwdLockoutDuration For more information on password policies see the Managing Users and Passwords chapter in the Directory Server Administrator s Guide Parameter Description Entry DN cn config Valid Range 1 to the maximum 32 bit integer value 2147483647 in seconds Default Value...

Page 77: ...nteger bind failures Default Value 3 Syntax Integer Example passwordMaxFailure 3 2 3 1 127 passwordMaxRepeats Password Syntax Maximum number of times the same character can appear sequentially in the password Zero 0 is off Integer values reject any password which used a character more than that number of times for example 1 rejects characters that are used more than once aa and 2 rejects character...

Page 78: ... Value 0 Syntax Integer Example passwordMinAge 150 2 3 1 130 passwordMinAlphas Password Syntax This attribute sets the minimum number of alphabetic characters password must contain Parameter Description Entry DN cn config Valid Range 0 to 64 Default Value 0 Syntax Integer Example passwordMinAlphas 4 2 3 1 131 passwordMinCategories Password Syntax This sets the minimum number of character categorie...

Page 79: ...sswords are easier to crack Directory Server enforces a minimum password of eight characters This is long enough to be difficult to crack but short enough that users can remember the password without writing it down This can be abbreviated to pwdMinLength For more information on password policies see the Managing Users and Passwords chapter in the Directory Server Administrator s Guide Parameter D...

Page 80: ...to 3 then a givenname of DJ does not result in a policy that rejects DJ from being in the password but the policy rejects a password containing the givenname of Bob Parameter Description Entry DN cn config Valid Range 1 to 64 Default Value 3 Syntax Integer Example passwordMinTokenLength 3 2 3 1 137 PasswordMinUppers Password Syntax This sets the minimum number of uppercase letters password must co...

Page 81: ...0 2 3 1 140 passwordResetFailureCount Reset Password Failure Count After Indicates the amount of time in seconds after which the password failure counter resets Each time an invalid password is sent from the user s account the password failure counter is incremented If the passwordLockout attribute is set to on users are locked out of the directory when the counter reaches the number of failures s...

Page 82: ...Secure Hash Algorithm is included only for backward compatibility with 4 x Directory Servers do not use this algorithm MD5 Message Digest algorithm 5 is a commonly used standard hashing algorithm CRYPT the UNIX crypt algorithm is provided for compatibility with UNIX passwords NOTE Passwords cannot be encrypted using the NS MTA MD5 password storage scheme The storage scheme is still present but onl...

Page 83: ...on Entry DN cn config Valid Range 1 to the maximum 32 bit integer value 2147483647 in seconds Default Value 86400 1 day Syntax Integer Example passwordWarning 86400 2 3 1 145 retryCountResetTime This attribute specifies the length of time that passes before the passwordRetryCount attribute is reset Parameter Description Entry DN cn config Valid Range 1 to any reasonable integer Default Value none ...

Page 84: ...ity with some legacy applications See Section 3 1 29 Retro Changelog Plug in for further information about the Retro Changelog Plug in 2 3 2 1 nsslapd changelogdir This required attribute specifies the name of the directory in which the changelog database is created Whenever a changelog configuration entry is created it must contain a valid directory otherwise the operation is rejected The GUI pro...

Page 85: ...x DirectoryString IntegerAgeID where AgeID is s for seconds m for minutes h for hours d for days and w for weeks Example nsslapd changelogmaxage 30d 2 3 2 3 nsslapd changelogmaxentries Max Changelog Records This attribute sets the maximum number of records the changelog may contain If this attribute is absent there is no maximum number of records the changelog can contain For information on the ch...

Page 86: ... later the change OID 2 16 840 1 113730 3 1 5 Syntax Integer Multi or Single Valued Multi valued Defined in Changelog Internet Draft 2 3 2 7 changeTime This attribute defines a time in a YYMMDDHHMMSS format when the entry was added OID 2 16 840 1 113730 3 1 77 Syntax DirectoryString Multi or Single Valued Multi valued Defined in Directory Server 2 3 2 8 changeType This attribute specifies the type...

Page 87: ...n the case of modrdn operations this attribute specifies the newSuperior attribute of the entry OID 2 16 840 1 113730 3 1 11 Syntax DN Multi or Single Valued Multi valued Defined in Changelog Internet Draft 2 3 2 13 targetDn This attribute contains the DN of the entry that was affected by the LDAP operation In the case of a modrdn operation the targetDn attribute contains the DN of the entry befor...

Page 88: ...Lclientauth This attribute sets how clients may use certificates to authenticate to the Directory Server for SSL connections The server has to be restarted for changes to this attribute to go into effect Parameter Description Entry DN cn encryption cn config Valid Values off allowed required off means disallow certificate based authentication allowed means clients may use certificates or other for...

Page 89: ...bute specifies the set of encryption ciphers the Directory Server uses during SSL communications For more information on the ciphers supported by the Directory Server see the Managing SSL chapter in the Directory Server Administrator s Guide Parameter Description Entry DN cn encryption cn config Valid Values For SSLv3 rsa_null_md5 rsa_rc4_128_md5 rsa_rc4_40_md5 rsa_rc2_40_md5 rsa_des_sha rsa_fips_...

Page 90: ...840 1 113730 3 4 9 cn features cn config objectClass top objectClass directoryServerFeature oid 2 16 840 1 113730 3 4 9 cn VLV Request Control aci targetattr aci version 3 0 acl VLV Request Control allow read search compare proxy userdn ldap all creatorsName cn server cn plugins cn config modifiersName cn server cn plugins cn config createTimestamp 20090129132357Z modifyTimestamp 20090129132357Z 2...

Page 91: ...such as equals signs commas and space characters that must be quoted or escaped to appear as a value in another DN 2 3 6 1 nsslapd state Determines how the suffix handles operations Parameter Description Entry DN cn suffix cn mapping tree cn config Valid Values backend disabled referral referral on update backend means the backend database is used to process all operations disabled means the datab...

Page 92: ...rver this object class in addition to the top object class must be present in the entry For further information about replication see the Managing Replication chapter in the Directory Server Administrator s Guide 2 3 7 1 nsDS5Flags This attribute sets replica properties that were previously defined in flags At present only one flag exists which sets whether the log changes Parameter Description En...

Page 93: ...UniqueID It is possible to search for a tombstone entry by its nsUniqueID For example ldapsearch D cn directory manager w password s sub b dc example dc com objectclass nsTombstone nsUniqueID 66a2b699 1dd211b2 807fa9c3 a58714648 2 3 7 4 nsDS5ReplicaAutoReferral This attribute sets whether the Directory Server follows configured referrals for the database Parameter Description Entry DN cn replica c...

Page 94: ...n Entry DN cn replica cn suffixDN cn mapping tree cn config Valid Range 1 to maximum 32 bit integer 2147483647 Default Value Syntax Integer Example nsDS5ReplicaChangeCount 675 2 3 7 7 nsDS5ReplicaId This attribute sets the unique ID for suppliers in a given replication environment Parameter Description Entry DN cn replica cn suffixDN cn mapping tree cn config Valid Range 0 to 65534 Default Value S...

Page 95: ...ate information so that when a conflict occurs in a multi master replication process the server resolves the conflicts based on the timestamp and replica ID stored in the change sequence numbers An internal Directory Server housekeeping operation periodically removes tombstone entries which are older than the value of this attribute in seconds State information which is older than the nsDS5Replica...

Page 96: ...ute sets the DN at the root of a replicated area This attribute must have the same value as the suffix of the database being replicated and cannot be modified Parameter Description Entry DN cn replica cn suffixDN cn mapping tree cn config Valid Values Suffix of the database being replicated which is the suffix DN Default Value Syntax DirectoryString Example nsDS5ReplicaRoot dc example dc com 2 3 7...

Page 97: ...yntax Integer Example nsDS5ReplicaType 2 2 3 7 15 nsDS5ReplicaReapActive This read only attribute specifies whether the background task that removes old tombstones deleted entries from the database is active See Section 2 3 7 13 nsDS5ReplicaTombstonePurgeInterval for more information about this task A value of 0 means that the task is inactive and a value of 1 means that the task is active The ser...

Page 98: ...d This attribute is required for setting up a replication agreement Parameter Description Entry DN cn ReplicationAgreementName cn replica cn suffixDN cn mapping tree cn config Valid Values Any valid cn Default Value Syntax DirectoryString Example cn MasterAtoMasterB 2 3 8 2 description Free form text description of the replication agreement This attribute can be modified Parameter Description Entr...

Page 99: ...pplier should wait after a consumer sends back a busy response before making another attempt to acquire access The default value is three 3 seconds If the attribute is set to a negative value Directory Server sends the client a message and an LDAP_UNWILLING_TO_PERFORM error code The nsDS5ReplicaBusyWaitTime attribute works in conjunction with the nsDS5ReplicaSessionPauseTime attribute The two attr...

Page 100: ... is used this attribute may not have a value The example shows the dse ldif entry not the actual password If this value over LDAP or using the Console set it to the cleartext credentials and let the server encrypt the value Parameter Description Entry DN cn ReplicationAgreementName cn replica cn suffixDN cn mapping tree cn config Valid Values Any valid password which is then encrypted using the DE...

Page 101: ...tes when the initialization of the consumer replica started Parameter Description Entry DN cn ReplicationAgreementName cn replica cn suffixDN cn mapping tree cn config Valid Values YYYYMMDDhhmmssZ is the date time in Generalized Time form at which the connection was opened This value gives the time in relation to Greenwich Mean Time The hours are set with a 24 hour clock The Z at the end indicates...

Page 102: ...5801Z 2 3 8 13 nsDS5ReplicaLastUpdateStart This read only attribute states when the most recent replication schedule update started Parameter Description Entry DN cn ReplicationAgreementName cn replica cn suffixDN cn mapping tree cn config Valid Values YYYYMMDDhhmmssZ is the date time in Generalized Time form at which the connection was opened This value gives the time in relation to Greenwich Mea...

Page 103: ...nes deleted entries from the database is active See Section 2 3 7 13 nsDS5ReplicaTombstonePurgeInterval for more information about this task A value of zero 0 means that the task is inactive and a value of 1 means that the task is active If this value is set manually the server ignores the modify request Parameter Description Entry DN cn ReplicationAgreementName cn replica cn suffixDN cn mapping t...

Page 104: ...ast one second longer than the interval specified for nsDS5ReplicaBusyWaitTime The longer interval gives waiting suppliers a better chance to gain consumer access before the previous supplier can re access the consumer If either attribute is specified but not both nsDS5ReplicaSessionPauseTime is set automatically to 1 second more than nsDS5ReplicaBusyWaitTime If both attributes are specified but n...

Page 105: ...cn config Valid Range Default Value Syntax DirectoryString Example nsDS5ReplicatedAttributeList objectclass EXCLUDE salary userPassword manager 2 3 8 21 nsDS5ReplicaTimeout This allowed attribute specifies the number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing If the server writes Warning timed out waiting messages in the error log...

Page 106: ... 3 8 24 nsDS5ReplicaUpdateSchedule This multi valued attribute specifies the replication schedule and can be modified Changes made to this attribute take effect immediately Modifying this value can be useful to pause replication and resume it later For example if this value to 0000 0001 0 this in effect causes the server to stop sending updates for this replication agreement The server continues t...

Page 107: ...dition to the top object class must be present in the entry Synchronization agreements are configured only on databases that are enabled to synchronize with Windows Active Directory servers cn nsDS5ReplicaLastUpdateEnd description nsDS5ReplicaLastUpdateStart nsDS5ReplicaBindDN the Windows sync manager ID nsDS5ReplicaLastUpdateStatus nsDS5ReplicaBindMethod nsDS5ReplicaPort nsDS5ReplicaBusyWaitTime ...

Page 108: ...t Value Syntax DirectoryString Example nsDS7DirsyncCookie khDKJFBZsjBDSCkjsdhIU74DJJVBXDhfvjmfvbhzxj 2 3 9 3 nsds7NewWinGroupSyncEnabled This attribute sets whether a new group created in the Windows sync peer is automatically synchronized by creating a new group on the Directory Server Parameter Description Entry DN cn syncAgreementName cn replica cn suffixDN cn mapping tree cn config Valid Value...

Page 109: ... winSyncInterval This attribute sets how frequently in seconds the Directory Server polls the Windows sync peer to look for changes in the Active Directory entries If this entry is not set the Directory Server checks the Windows server every five 5 minutes meaning the default value is 300 300 seconds This value can be set lower to write Active Directory changes over to the Directory Server faster ...

Page 110: ...45 45 cn directory manager A is the connection number which is the number of the slot in the connection table associated with this connection This is the number logged as slot A in the access log message when this connection was opened and usually corresponds to the file descriptor associated with the connection The attribute dTableSize shows the total size of the connection table YYYYMMDDhhmmssZ ...

Page 111: ...entriessent This attribute shows the number of entries sent by Directory Server bytessent This attribute shows the number of bytes sent by Directory Server currenttime This attribute shows the current time given in Greenwich Mean Time indicated by GeneralizedTime syntax Z notation for example 20090202131102Z startTime This attribute shows the Directory Server start time given in Greenwich Mean Tim...

Page 112: ... attributes When configuring legacy replication those entries are stored under this cn replication node which serves as a placeholder 2 3 12 cn sasl Entries which contain SASL mapping configurations are stored under cn mapping cn sasl cn config The cn sasl entry is an instance of the nsContainer object class Each mapping underneath it is an instance of the nsSaslMapping object class 2 3 12 1 nsSas...

Page 113: ...fig The cn SNMP entry is an instance of the nsSNMP object class 2 3 13 1 nssnmpenabled This attribute sets whether SNMP is enabled Parameter Description Entry DN cn SNMP cn config Valid Values on off Default Value on Syntax DirectoryString Example nssnmpenabled off 2 3 13 2 nssnmporganization This attribute sets the organization to which the Directory Server belongs Parameter Description Entry DN ...

Page 114: ...of the Directory Server instance Parameter Description Entry DN cn SNMP cn config Valid Values Description Default Value Syntax DirectoryString Example nssnmpdescription Employee directory instance 2 3 13 6 nssnmpmasterhost nssnmpmasterhost is deprecated This attribute is deprecated with the introduction of net snmp The attribute still appears in dse ldif but without a default value Parameter Desc...

Page 115: ...gers even on 32 bit machines or with a 32 bit version of Directory Server All of the SNMP statistics attributes use the 64 bit integers if it is configured NOTE The nsslapd counters attribute enables 64 bit integers for these specific database and server counters The counters which use 64 bit integers are not configurable 64 bit integers are either enabled for all the allowed counters or disabled ...

Page 116: ...number of errors returned Connections This shows the number of currently open connections ConnectionSeq This shows the total number of connections opened including both currently open and closed connections BytesRecv This shows the number of bytes received BytesSent This shows the number of bytes sent EntriesReturned This shows the number of entries returned as search results ReferralsReturned Thi...

Page 117: ...before Directory Server 8 0 many Directory Server tasks were managed by the Administration Server These tasks were moved to the core Directory Server configuration in version 8 0 and are invoked and administered by Directory Server under the cn tasks entry There are seven tasks that are managed under the cn tasks entry cn import cn export cn backup cn restore cn index cn schema reload task cn memb...

Page 118: ...task such as cumulative statistics or its current output message The entire contents of the attribute may be updated periodically for as long as the process is running This attribute value is set by the server and should not be edited Parameter Description Entry DN cn task_name cn task_type cn tasks cn config Valid Values Any string Default Value Syntax case exact string Example nsTaskStatus Loadi...

Page 119: ... cn tasks cn config Valid Values 0 success to 97 1 Default Value Syntax Integer Example nsTaskExitCode 0 Any response other than 0 is an error nsTaskCurrentItem This attribute shows the number of subtask which the task operation has completed assuming the task can be broken down into subtasks If there is only one task then nsTaskCurrentItem is 0 while the task is running and 1 when the task is com...

Page 120: ...task to be aborted while in progress This attribute can be modified by users Parameter Description Entry DN cn task_name cn task_type cn tasks cn config Valid Values true false Default Value Syntax Case insensitive string Example nsTaskCancel true ttl This attribute sets the amount of time in seconds the task entry will remain in the DSE after the task has finished or aborted Setting a ttl attribu...

Page 121: ... task attributes listed in Section 2 3 15 1 Task Invocation Attributes for Entries under cn tasks There are some optional attributes which can be used to refine the import operation similar to the options for the ldif2db and ldif2db pl scripts nsIncludeSuffix which is analogous to the s option to specify the suffix to import nsExcludeSuffix analogous to the x option to specify a suffix or subtree ...

Page 122: ...file Parameter Description Entry DN cn task_name cn import cn tasks cn config Valid Values Any DN Default Value Syntax DN multi valued Example nsIncludeSuffix ou people dc example dc com nsExcludeSuffix This attribute identifies suffixes or subtrees in the LDIF file to exclude from the import Parameter Description Entry DN cn task_name cn import cn tasks cn config Valid Values Any DN Default Value...

Page 123: ...t this attribute generates time based IDs Parameter Description Entry DN cn task_name cn import cn tasks cn config Valid Values none no unique ID empty time based ID deterministic namespace name based ID Default Value empty Syntax Case insensitive string Example nsUniqueIdGenerator nsUniqueIdGeneratorNamespace This attributes defines how to generate name based IDs the attribute sets the namespace ...

Page 124: ...d in Section 2 3 15 1 Task Invocation Attributes for Entries under cn tasks There are some optional attributes which can be used to refine the export operation similar to the options for the db2ldif and db2ldif pl scripts nsIncludeSuffix analogous to the s option to specify the suffixes to include in the exported LDIF files nsExcludeSuffix analogous to the x option to exclude the specified suffixe...

Page 125: ... nsIncludeSuffix This attribute identifies a specific suffix or subtree to export to an LDIF file Parameter Description Entry DN cn task_name cn export cn tasks cn config Valid Values Any DN Default Value Syntax DN multi valued Example nsIncludeSuffix ou people dc example dc com nsExcludeSuffix This attribute identifies suffixes or subtrees in the database to exclude from the exported LDIF file Pa...

Page 126: ... false Default Value false Syntax Case insensitive string Example nsExportReplica true nsPrintKey This attributes sets whether to print the entry ID number as the entry is processed by the export task Parameter Description Entry DN cn task_name cn export cn tasks cn config Valid Values true false Default Value true Syntax Case insensitive string Example nsPrintKey false nsUseId2Entry The nsUseId2E...

Page 127: ...try such as cn task_ID cn backup cn tasks cn config uses the following attributes to define the backup task A backup task entry under cn backup must contain the location of the directory to which to copy the archive copy in the nsArchiveDir attribute and the type of database being backed up in the nsDatabaseTypes attribute Additionally it must contain a unique cn to identify the task For example d...

Page 128: ...store entry is a container entry for task operations to restore a database The cn restore entry itself has no attributes but each of the task entries within this entry such as cn task_ID cn restore cn tasks cn config uses the following attributes to define the restore task A restore task entry under cn restore must contain the location of the directory from which to retrieve the archive copy in th...

Page 129: ... The cn index entry itself has no attributes but each of the task entries within this entry such as cn task_ID cn index cn tasks cn config uses the following attributes to define the backup task An index task entry under cn index can create a standard index by identifying the attribute to be indexed and the type of index to create both defined in the nsIndexAttribute attribute Alternatively the in...

Page 130: ...sing index entry and the VLV creation task is run according to the browsing index entry parameters Parameter Description Entry DN cn task_name cn index cn tasks cn config Valid Values Any attribute The index type which can be pres presence eq equality approx approximate and sub substring Default Value Syntax Case insensitive string multi valued Example nsIndexAttribute cn pres eq nsIndexAttribute ...

Page 131: ...a reload task cn tasks cn config uses the schema reload attributes to define the individual reload task cn The cn attribute is used to identify a new task operation to initiate The cn attribute value can be anything as long as it defines a new task Parameter Description Entry DN cn task_name cn schema reload task cn tasks cn config Valid Values Any string Default Value Syntax DirectoryString Examp...

Page 132: ...lter objectclass groupOfNames As soon as the task is complete the task entry is removed from the directory The cn memberof task entry is a container entry for memberOf update operations The cn memberof task entry itself has no attributes but each of the task entries beneath this entry such as cn task_ID cn memberof task cn tasks cn config uses its attributes to define the individual update task ba...

Page 133: ...nsibleObject object class but some require other object classes These configuration object classes are listed here 2 4 1 changeLogEntry Object Class This object class is used for entries which store changes made to the Directory Server entries To configure Directory Server to maintain a changelog that is compatible with the changelog implemented in Directory Server 4 1x enable the Retro Changelog ...

Page 134: ...entry when processing a MODDN operation 2 4 2 directoryServerFeature Object Class This object class is used specifically for entries which identify a feature of the directory service This object class is defined by Directory Server Superior Class top OID 2 16 840 1 113730 3 2 40 Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry Allowed Attributes A...

Page 135: ...hangelog This object class is defined for the Directory Server Superior Class top OID 2 16 840 1 113730 3 2 82 Allowed Attributes Attribute Definition cn common Name Gives the common name of the entry 2 4 5 nsContainer Object Class Some entries do not define any specific entity but they create a defined space within the directory tree as a parent entry for similar or related child entries These ar...

Page 136: ... the suffix DN at the root of a replicated area Allowed Attributes cn Gives the name for the replica nsDS5Flags Specifies information that has been previously set in flags nsDS5ReplicaAutoReferral Sets whether the server will follow configured referrals for the Directory Server database nsDS5ReplicaBindDN Specifies the DN to use when a supplier server binds to a consumer nsDS5ReplicaChangeCount Gi...

Page 137: ...utes objectClass Defines the object classes for the entry cn Used for naming the replication agreement Allowed Attributes description Contains a free text description of the replication agreement nsDS5BeginReplicaRefresh Initializes a replica manually nsds5debugreplicatimeout Gives an alternate timeout period to use when the replication is run with debug logging nsDS5ReplicaBindDN Specifies the DN...

Page 138: ...ifies any attributes that will not be replicated to a consumer server nsDS5ReplicaTimeout Specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing nsDS5ReplicaTransportInfo Specifies the type of transport used for transporting data to and from the replica nsDS5ReplicaUpdateInProgress States whether a replication schedul...

Page 139: ...sSentSinceStartup Shows the number of changes sent since the Directory Server started nsDS5ReplicaCredentials Specifies the credentials for the bind DN nsDS5ReplicaHost Specifies the hostname for the Windows domain controller of the Windows server being synchronized nsDS5ReplicaLastInitEnd States when the last total update resynchronization of the Windows server ended nsDS5ReplicaLastInitStart Sta...

Page 140: ...er new Windows group accounts are automatically created on the Directory Server nsds7NewWinUserSyncEnabled Specifies whether new Windows user accounts are automatically created on the Directory Server nsds7WindowsDomain Identifies the Windows domain being synchronized analogous to nsDS5ReplicaHost in a replication agreement nsds7WindowsReplicaSubtree Specifies the Windows server suffix root or sub...

Page 141: ... Attributes objectClass Defines the object classes for the entry cn Gives the name of the SASL mapping entry nsSaslMapBaseDNTemplate 13 Contains the search base DN template nsSaslMapFilterTemplate 14 Contains the search filter template nsSaslMapRegexString 15 Contains a regular expression to match SASL identity strings 2 4 11 nsslapdConfig Object Class The nsslapdConfig object class defines the co...

Page 142: ... the user s password expires after an interval given by the passwordMaxAge attribute passwordMinLength 18 Sets the minimum number of characters that must be used in passwords passwordKeepHistory 19 Sets whether to keep a password history for a user passwordInHistory 20 Sets the number of passwords the directory stores in the history passwordChange 21 Identifies whether or not users is allowed to c...

Page 143: ...nge their password passwordResetFailureCount 32 Sets the time in seconds after which the password failure counter will be reset Each time an invalid password is sent from the user s account the password failure counter is incremented passwordGraceLimit 33 Sets the number of grace logins permitted when a user s password is expired passwordMinDigits 34 Sets the minimum number of numeric characters 0...

Page 144: ...erver 4 x and older servers 2 5 1 1 LDAPServer Object Class This object class identifies the LDAP server information It is defined by Directory Server Superior Class top OID 2 16 840 1 113730 3 2 35 Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry cn Specifies the common name of the entry Allowed Attributes Attribute Definition description Gives a...

Page 145: ...ingle Valued Multi valued Defined in Directory Server 2 5 1 4 changeLogMaximumSize This attribute sets the maximum size for the changelog OID 2 16 840 1 113730 3 1 201 Syntax DirectoryString Multi or Single Valued Multi valued Defined in Directory Server 2 5 1 5 generation This attribute contains a byte vector that uniquely identifies that specific server and version This number is used to disting...

Page 146: ...ce only Do not attempt to configure replication using these attributes See Section 2 4 6 nsDS5Replica Object Class and Section 2 4 8 nsDSWindowsReplicationAgreement Object Class for attributes to configure replicas and replication agreements 2 5 2 1 cirReplicaSource Object Class The cirReplicaSource is an object that is used for consumer initiated replication This object class is defined by Direct...

Page 147: ...plicaEntryFilter Identifies the entries to be replicated replicatedAttributeList Identifies attribute list to be replicated 2 5 2 2 cirBeginORC For online replication creation ORC the consumer server can dump its entire database and allows the supplier to send it completely fresh information The cirBeginORC attribute sets whether the consumer deletes its database Its values are either start or sto...

Page 148: ...1 113730 3 1 86 Syntax DirectoryString Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 7 cirPort In consumer initiated replication this attribute gives the port number of the supplier OID 2 16 840 1 113730 3 1 81 Syntax DirectoryString Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 8 cirReplicaRoot In consumer initiated replication this attribute gives ...

Page 149: ...ectoryString Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 12 cirUsePersistentSearch This attribute sets whether to use persistent connections with consumer initiated replication OID 2 16 840 1 113730 3 1 83 Syntax DirectoryString Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 13 cirUseSSL For consumer initiated replication this attribute sets whether...

Page 150: ...licaCredentials Stores a password of replicaBindDn replicaBindMethod Specifies the bind method replicaUseSSL Specifies a flag whether or not to use SSL replicaUpdateSchedule Schedule when the replica update occurs replicaUpdateReplayed Stores the last replicated change number replicaUpdateFailedAt Stores the timestamp of the last failed update attempt replicaBeginORC Sets whether to delete existin...

Page 151: ...licaBindDn For consumer initiated replication this attribute gives the username for the server to bind to the supplier as OID 2 16 840 1 113730 3 1 58 Syntax DN Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 18 replicaBindMethod This attribute sets the method for the server to use to bind to the consumer server OID 2 16 840 1 113730 3 1 53 Syntax DirectoryString Multi or Sin...

Page 152: ...ca server OID 2 16 840 1 113730 3 1 197 Syntax DirectoryString Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 23 replicaLastRelevantChange This attribute stores the last relevant change in an entry OID 2 16 840 1 113730 3 1 408 Syntax Integer Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 24 replicaNickName This attribute contains the friendly name for...

Page 153: ... a consumer server OID 2 16 840 1 113730 3 1 240 Syntax DirectoryString Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 28 replicaUpdateFailedAt This attribute contains the time and date of the most recent replication failure OID 2 16 840 1 113730 3 1 49 Syntax DirectoryString Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 29 replicaUpdateReplayed This ...

Page 154: ...le Valued Multi valued Defined in Directory Server 2 5 2 31 replicaUseSSL This attribute sets whether to use a secure connection SSL for replication OID 2 16 840 1 113730 3 1 54 Syntax DirectoryString Multi or Single Valued Multi valued Defined in Directory Server ...

Page 155: ...nsibleObject object class For plug in configuration attributes to be taken into account by the server both of these object classes in addition to the top object class must be present in the entry as shown in the following example dn cn ACL Plugin cn plugins cn config objectclass top objectclass nsSlapdPlugin objectclass extensibleObject 3 1 Server Plug in Functionality Reference The following tabl...

Page 156: ...ne Performance Related Information Access control incurs a minimal performance hit Leave this plug in enabled since it is the primary means of access control for the server Further Information See the Managing Access Control chapter in the Directory Server Administrator s Guide 3 1 3 ACL Preoperation Plug in Plug in Parameter Description Plug in Name ACL Preoperation DN of Configuration Entry cn A...

Page 157: ...object classes from the parent entry containing the ObjectClass as defined by the MarkerObjectclass attribute Dependencies Database Performance Related Information Directory Server provides the UID Uniqueness Plug in by default To ensure unique values for other attributes create instances of the Attribute Uniqueness Plug in for those attributes See the Using the Attribute Uniqueness Plug in in the...

Page 158: ...for handling booleans Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in Red Hat recommends leaving this plug in running at all times Further Information 3 1 7 Case Exact String Syntax Plug in Plug in Parameter Description Plug in Name Case Exact String Syntax DN of Configurati...

Page 159: ...f Configuration Entry cn Chaining database cn plugins cn config Description Enables backend databases to be linked Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information There are many performance related tuning parameters involved with the chaining database See the Maintaining Database Links section in the Directory Server Admi...

Page 160: ...ins cn config Description Syntax for handling countries Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in Red Hat recommends leaving this plug in running at all times Further Information 3 1 12 Distinguished Name Syntax Plug in Plug in Parameter Description Plug in Name Distin...

Page 161: ...me Syntax DN of Configuration Entry cn Generalized Time Syntax cn plugins cn config Description Syntax for dealing with dates times and time zones Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in Red Hat recommends leaving this plug in running at all times Further Information...

Page 162: ...igurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in Red Hat recommends leaving this plug in running at all times Further Information 3 1 17 Internationalization Plug in Plug in Parameter Description Plug in Name Internationalization Plug in DN of Configuration Entry cn Internationalization Plugin cn plugins cn config Description...

Page 163: ... for JPEG data Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in Red Hat recommends leaving this plug in running at all times Further Information 3 1 19 ldbm database Plug in Plug in Parameter Description Plug in Name ldbm database Plug in DN of Configuration Entry cn ldbm dat...

Page 164: ...ctory Server Administrator s Guide 3 1 21 MemberOf Plug in Plug in Information Description Plug in Name MemberOf Configuration Entry DN cn MemberOf Plugin cn plugins cn config Description Manages the memberOf attribute on user entries based on the member attributes in the group entry Configurable Options on off Default Setting off Configurable Arguments memberofattr sets the attribute to generate ...

Page 165: ...cn plugins cn config Description Syntax for handling octet strings Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in Red Hat recommends leaving this plug in running at all times Further Information 3 1 24 OID Syntax Plug in Plug in Parameter Description Plug in Name OID Syntax...

Page 166: ...ify the configuration of the password scheme plug ins Red Hat recommends leaving these plug ins running at all times Storage Scheme Name Usage Notes CLEAR This encryption method is required for using SASL CRYPT This storage scheme is not very secure and is included only for compatibility with legacy servers and to allow migration DES This encryption scheme is used only for reversible encryption an...

Page 167: ...SSHA512 This storage scheme is recommended for password storage because of its strength Table 3 3 Password Storage Plugins 3 1 26 Postal Address String Syntax Plug in Plug in Parameter Description Plug in Name Postal Address Syntax DN of Configuration Entry cn Postal Address Syntax cn plugins cn config Description Syntax used for handling postal addresses Configurable Options on off Default Settin...

Page 168: ...cn plugins cn config Description Enables the server to ensure referential integrity Configurable Options All configuration and on off Default Setting off Configurable Arguments When enabled the post operation Referential Integrity Plug in performs integrity updates on the member uniqueMember owner and seeAlso attributes immediately after a delete or rename operation The plug in can be reconfigured...

Page 169: ...g Plug in Plug in Parameter Description Plug in Name Retro Changelog Plug in DN of Configuration Entry cn Retro Changelog Plugin cn plugins cn config Description Used by LDAP clients for maintaining application compatibility with Directory Server 4 x versions Maintains a log of all changes occurring in the Directory Server The retro changelog offers the same functionality as the changelog in the 4...

Page 170: ... in the Directory Server Administrator s Guide 3 1 31 Schema Reload Plug in Plug in Information Description Plug in Name Schema Reload Configuration Entry DN cn Schema Reload cn plugins cn config Description Task plug in to reload schema files Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Further Information Table 3 4 D...

Page 171: ...ntax For more information about finding directory entries refer to the Finding Directory Entries chapter in the Directory Server Administrator s Guide 3 1 33 State Change Plug in Plug in Parameter Description Plug in Name State Change Plug in DN of Configuration Entry cn State Change Plugin cn plugins cn config Description Enables state change notification service Configurable Options on off Defau...

Page 172: ...erformance Related Information Do not modify the configuration of this plug in Red Hat recommends leaving this plug in running at all times Further Information 3 1 36 Views Plug in Plug in Parameter Description Plug in Name Views Plug in DN of Configuration Entry cn Views cn plugins cn config Description Enables the use of views in the Directory Server databases Configurable Options on off Default...

Page 173: ... type of plugin nsslapd pluginId 4 Identifies the plugin ID nsslapd pluginVersion 5 Identifies the version of plugin nsslapd pluginVendor 6 Identifies the vendor of plugin nsslapd pluginDescription 7 Identifies the description of the plugin nsslapd pluginEnabled 8 Identifies whether or not the plugin is enabled 3 2 2 nsslapd pluginPath This attribute specifies the full path to the plug in Plug in ...

Page 174: ...ple nsslapd pluginType preoperation 3 2 5 nsslapd pluginEnabled This attribute specifies whether the plug in is enabled This attribute can be changed over protocol but will only take effect when the server is next restarted Plug in Parameter Description Entry DN cn plug in name cn plugins cn config Valid Values on off Default Value on Syntax DirectoryString Example nsslapd pluginEnabled on 3 2 6 n...

Page 175: ...2 9 nsslapd pluginDescription This attribute provides a description of the plug in Plug in Parameter Description Entry DN cn plug in name cn plugins cn config Valid Values Default Value None Syntax DirectoryString Example nsslapd pluginDescription acl access check plug in 3 3 Attributes Allowed by Certain Plug ins 3 3 1 nsslapd pluginLoadNow This attribute specifies whether to load all of the symb...

Page 176: ...ial Integrity Plug in example shows that the database plug in will be started prior to the postoperation Referential Integrity Plug in Plug in Parameter Description Entry DN cn referential integrity postoperation cn plugins cn config Valid Values database Default Value Syntax DirectoryString Example nsslapd plugin depends on type database 3 3 4 nsslapd plugin depends on named Multi valued attribut...

Page 177: ...mance related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request The Directory Manager DN however is by default unlimited and overrides any other settings specified here It is worth noting that binder based resource limits work for this limit which means that if a value for the operational attribut...

Page 178: ...tax Integer Example nsslapd idlistscanlimit 4000 3 4 1 3 nsslapd cache autosize This performance tuning related attribute which is turned off by default specifies the percentage of free memory to use for all the combined caches For example if the value is set to 80 then 80 percent of the remaining free memory would be claimed for the cache To run other servers on the machine then set the value low...

Page 179: ...ll not necessarily optimize operations Syntax Integer Example nsslapd cache autosize split 50 3 4 1 5 nsslapd dbcachesize This performance tuning related attribute specifies the database index cache size in bytes This is one of the most important values for controlling how much physical RAM the directory server uses This is not the entry cache This is the amount of memory the Berkeley database bac...

Page 180: ...rmance chapter in the Directory Server Administrator s Guide This attribute is provided only for system modification diagnostics and should be changed only with the guidance of Red Hat technical support or Red Hat professional services Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable For more information on database transactio...

Page 181: ...on log but may not be physically written to disk immediately If there were a system failure before a directory change was physically written to disk that change would not be recoverable The nsslapd db durable transactions attribute is absent from dse ldif To disable durable transactions add the attribute to dse ldif This attribute is provided only for system modification diagnostics and should be ...

Page 182: ... Directory Server being unable to start Also if there are multiple Directory Servers on the same machine their nsslapd db home directory attributes must be configured with different directories Failure to do so will result in the databases for both directories becoming corrupted The use of this attribute causes internal Directory Server database files to be moved to the directory referenced by the...

Page 183: ...pd db logbuf size attribute is only valid if the nsslapd db durable transactions attribute is set to on Parameter Description Entry DN cn config cn ldbm database cn plugins cn config Valid Range 32K to maximum 32 bit integer limited to the amount of memory available on the machine Default Value 32K Syntax Integer Example nsslapd db logbuf size 32K 3 4 1 13 nsslapd db logdirectory This attribute sp...

Page 184: ...ute specifies the size of the pages used to hold items in the database in bytes The minimum size is 512 bytes and the maximum size is 64 kilobytes If the page size is not explicitly set Directory Server defaults to a page size of 8 kilobytes Changing this default value can have a significant performance impact If the page size is too small it results in extensive page splitting and copying whereas...

Page 185: ...lue unless specifically requested to do so by Red Hat support If this attribute is not defined or is set to a value of 0 transaction batching will be turned off and it will be impossible to make remote modifications to this attribute via LDAP However setting this attribute to a value greater than 0 causes the server to delay committing transactions until the number of queued transactions is equal ...

Page 186: ...tribute specifies whether to record additional informational and debugging messages when searching the log for checkpoints doing deadlock detection and performing recovery This parameter is meant for troubleshooting and enabling the parameter may slow down the Directory Server Parameter Description Entry DN cn config cn ldbm database cn plugins cn config Valid Values on off Default Value off Synta...

Page 187: ...specifies absolute path to database instance If the database instance is manually created then this attribute must be included something which is set by default and modifiable in the Directory Server Console Once the database instance is created do not modify this path as any changes risk preventing the server from accessing data Parameter Description Entry DN cn config cn ldbm database cn plugins...

Page 188: ...e memory for import cache By default the nsslapd import cache autosize attribute is enabled and is set to a value of 1 This value autosizes the import cache for the ldif2db operation only automatically allocating fifty percent 50 of the free physical memory for the import cache The percentage value 50 is hard coded and cannot be changed Setting the attribute value to 50 nsslapd import cache autosi...

Page 189: ...import cache autosize 1 3 4 1 24 nsslapd mode This attribute specifies the permissions used for newly created index files Parameter Description Entry DN cn config cn ldbm database cn plugins cn config Valid Values Any four digit octal number However mode 0600 is recommended This allows read and write access for the owner of the index files which is the user as whom the ns slapd runs and no access ...

Page 190: ...e user defined database The cn userRoot subtree is called userRoot by default However this is not hard coded and given the fact that there are going to be multiple database instances this name is changed and defined by the user as and when new databases are added The cn userRoot database referenced can be any user database The following attributes are common to both the cn NetscapeRoot cn ldbm dat...

Page 191: ...rtup The BerkeleyDB documentation 9 offers a good explanation of what the entry cache is along with management information like how to monitor the cache with db_stat m NOTE The nsslapd cachememsize attribute also defines the import buffer size The import buffer size is automatically configured to be 80 of whatever the nsslapd cachememsize setting is When importing databases with very large attribu...

Page 192: ...rom accessing data Parameter Description Entry DN cn database_name cn ldbm database cn plugins cn config Valid Values Any valid path to the database instance Default Value Syntax DirectoryString Example nsslapd directory var lib dirsrv slapd instance_name db userRoot 3 4 3 4 nsslapd readonly This attribute specifies read only mode for a single back end instance If this attribute has a value of off...

Page 193: ...er containing the database link is restarted Parameter Description Entry DN cn database_name cn ldbm database cn plugins cn config Valid Values Any valid DN Default Value Syntax DirectoryString Example nsslapd suffix o NetscapeRoot 3 4 3 7 vlvBase This attribute sets the base DN for which the browsing or virtual list view VLV index is created For more information on VLV indexes see the indexing ch...

Page 194: ...ndexing chapter in the Administrator s Guide NOTE This attribute is only available to user databases like userRoot not configuration databases like o NetscapeRoot Parameter Description Entry DN cn index_name cn userRoot cn ldbm database cn plugins cn config Valid Values Any valid LDAP filter Default Value Syntax DirectoryString Example vlvFilter objectclass objectclass ldapsubentry 3 4 3 10 vlvInd...

Page 195: ...dex For more information on VLV indexes see the indexing chapter in the Administrator s Guide NOTE This attribute is only available to user databases like userRoot not configuration databases like o NetscapeRoot Parameter Description Entry DN cn index_name cn userRoot cn ldbm database cn plugins cn config Valid Values 1 onelevel or children search 2 subtree search Default Value Syntax Integer Exam...

Page 196: ...ption of the entry 3 4 3 13 vlvSort This attribute sets the sort order for returned entries in the browsing or virtual list view VLV index NOTE The entry for this attribute is a vlvIndex entry beneath the vlvSearch entry For more information on VLV indexes see the indexing chapter in the Administrator s Guide NOTE This attribute is only available to user databases like userRoot not configuration d...

Page 197: ... values for these attributes are 32 bit integers except for entrycachehits and entrycachetries If the nsslapd counters attribute in cn config is set to on then some of the counters kept by the Directory Server instance increment using 64 bit integers even on 32 bit machines or with a 32 bit version of Directory Server For the database monitoring the entrycachehits and entrycachetries counters use ...

Page 198: ...s the number of deadlocks detected nsslapd db dirty pages This attribute shows the dirty pages currently in the cache nsslapd db hash buckets This attribute shows the number of hash buckets in buffer hash table nsslapd db hash elements examine rate This attribute shows the total number of hash elements traversed during hash table lookups nsslapd db hash search rate This attribute shows the total n...

Page 199: ...ain ever encountered in buffer hash table lookups nsslapd db page create rate This attribute shows the pages created in the cache nsslapd db page read rate This attribute shows the pages read into the cache nsslapd db page ro evict rate This attribute shows the clean pages forced from the cache nsslapd db page rw evict rate This attribute shows the dirty pages forced from the cache nsslapd db page...

Page 200: ...bute provides the name of the attribute to index Parameter Description Entry DN cn default indexes cn config cn ldbm database cn plugins cn config Valid Values Any valid index cn Default Value None Syntax DirectoryString Example cn aci 3 4 5 2 description This optional attribute provides a free hand text description of what the index actually performs Parameter Description Entry DN cn default inde...

Page 201: ...ase cn plugins cn config Valid Values pres presence index eq equality index approx approximate index sub substring index matching rule international index index browse browsing index Default Value Syntax DirectoryString Example nsIndexType eq 3 4 5 5 nsMatchingRule This optional multi valued attribute specifies the ordering matching rule name or OID used to match values and to generate index keys ...

Page 202: ...l seriously disrupt server functionality Parameter Description Entry DN cn default indexes cn config cn ldbm database cn plugins cn config Valid Values true false Default Value Syntax DirectoryString Example nsSystemIndex true 3 4 6 Database Attributes under cn monitor cn NetscapeRoot cn ldbm database cn plugins cn config This section covers global read only entries for monitoring activity on the ...

Page 203: ...es these are stored under cn index cn database_name cn ldbm database cn plugins cn config Each indexed attribute represents a subentry under the cn config information tree nodes as shown in the following diagram Figure 3 2 Indexed Attribute Representing a Subentry For example the index file for the aci attribute under o UserRoot appears in the Directory Server as follows dn cn aci cn index cn User...

Page 204: ...be at least three characters long without counting any wildcard characters For example the string abc would be an indexed search while ab would not be Indexed searches are significantly faster than unindexed searches so changing the minimum length of the search key is helpful to increase the number of indexed searches This substring length can be edited based on the position of any wildcard charac...

Page 205: ... Syntax Integer Example nsSubStrMiddle 3 3 4 8 Database Attributes under cn attributeName cn encrypted attributes cn database_name cn ldbm database cn plugins cn config The nsAttributeEncryption object class allows selective encryption of attributes within a database Extremely sensitive information such as credit card numbers and government identification numbers may not be protected enough by rou...

Page 206: ...s which identify and encrypt selected attributes within a Directory Server database This object class is defined in Directory Server Superior Class top OID 2 16 840 1 113730 3 2 316 Required Attributes objectClass Defines the object classes for the entry cn Specifies the attribute being encrypted using its common name nsEncryptionAlgorithm 18 The encryption cipher used 3 4 8 2 nsEncryptionAlgorith...

Page 207: ...ig This section covers global configuration attributes common to all instances are stored in the cn config cn chaining database cn plugins cn config tree node 3 5 1 1 nsActiveChainingComponents This attribute lists the components using chaining A component is any functional unit in the server The value of this attribute overrides the value in the global configuration attribute To disable chaining ...

Page 208: ...es the duration of the test issued by the database link to check whether the remote server is responding If a response from the remote server is not returned before this period has passed the database link assumes the remote server is down and the connection is not used for subsequent operations Parameter Description Entry DN cn config cn chaining database cn plugins cn config Valid Values Any val...

Page 209: ...ig cn chaining database cn plugins cn config tree node 3 5 2 1 nsAbandonedSearchCheckInterval This attribute shows the number of seconds that pass before the server checks for abandoned operations Parameter Description Entry DN cn default instance config cn chaining database cn plugins cn config Valid Range 0 to maximum 32 bit integer 2147483647 seconds Default Value 1 Syntax Integer Example nsAba...

Page 210: ...3 Syntax Integer Example nsBindRetryLimit 3 3 5 2 4 nsBindTimeout This attribute shows the amount of time before the bind attempt times out There is no real valid range for this attribute except reasonable patience limits Parameter Description Entry DN cn default instance config cn chaining database cn plugins cn config Valid Range 0 to 60 seconds Default Value 15 Syntax Integer Example nsBindTime...

Page 211: ...e 2 Syntax Integer Example nsConcurrentOperationsLimit 5 3 5 2 8 nsConnectionLife This attribute specifies connection lifetime Connections between the database link and the remote server can be kept open for an unspecified time or closed after a specific period of time It is faster to keep the connections open but it uses more resources When the value is 0 and a list of failover servers is provide...

Page 212: ...n 3 5 2 11 nsReferralOnScopedSearch This attribute controls whether referrals are returned by scoped searches This attribute can be used to optimize the directory because returning referrals in response to scoped searches is more efficient A referral is returned to all the configured farm servers Parameter Description Entry DN cn default instance config cn chaining database cn plugins cn config Va...

Page 213: ...abases This attribute configures the connection type either standard SSL or SASL empty This performs simple authentication and requires the nsMultiplexorBindDn and nsMultiplexorCredentials attributes to give the bind information EXTERNAL This uses an SSL certificate to authenticate the farm server to the remote server Either the farm server URL must be set to the secure URL ldaps or the nsUseStart...

Page 214: ...ue Syntax DirectoryString Example nsFarmServerURL ldap farm1 example com 389 ldap farm2 example com 1389 3 5 3 3 nsMultiplexorBindDn This attribute gives the DN of the administrative entry used to communicate with the remote server The multiplexor is the server that contains the database link and communicates with the farm server This bind DN cannot be the Directory Manager and if this attribute i...

Page 215: ... Valid Range 1 to an appropriate upper limit for the deployment Default Value 10 Syntax Integer Example nsHopLimit 3 3 5 3 6 nsUseStartTLS This attribute sets whether to use Start TLS to initiate a secure encrypted connection over an insecure port This attribute can be used if the nsBindMechanism attribute is set to EXTERNAL but the farm server URL set to the standard URL ldap or if the nsBindMech...

Page 216: ...archOneLevelCount This attribute gives the number of one level searches received nsSearchSubtreeCount This attribute gives the number of subtree searches received nsAbandonCount This attribute gives the number of abandon operations received nsBindCount This attribute gives the number of bind requests received nsUnbindCount This attribute gives the number of unbinds received nsCompareCount This att...

Page 217: ... 1 nsslapd changelogdir This attribute specifies the name of the directory in which the changelog database is created the first time the plug in is run By default the database is stored with all the other databases under var lib dirsrv slapd instance_name changelogdb NOTE For performance reasons store this database on a different physical disk The server has to be restarted for changes to this att...

Page 218: ...ange to entries By breaking number assignments into ranges the Distributed Numeric Assignment Plug in allows multiple servers to assign numbers without conflict The plug in also manages the ranges assigned to servers so that if one instance runs through its range quickly it can request additional ranges from the other servers Distributed numeric assignment is handled per attribute and is only appl...

Page 219: ...32 bit integer on 32 bit systems and to the maximum 64 bit integer on 64 bit systems 1 is unlimited Default Value 1 Syntax Integer Example dnaMaxValue 1000 3 7 4 dnaNextRange This attribute defines the next range to use when the current range is exhausted This value is automatically set when range is transferred between servers but it can also be manually set to add a range to a server if range re...

Page 220: ...able number which can be assigned After being initially set in the configuration entry this attribute is managed by the Distributed Numeric Assignment Plug in The dnaNextValue attribute is required to set up distributed numeric assignment for an attribute Parameter Description Entry DN cn Distributed Numeric Assignment Plugin cn plugins cn config Valid Range 1 to the maximum 32 bit integer on 32 b...

Page 221: ... cn Distributed Numeric Assignment Plugin cn plugins cn config Valid Range 1 to the maximum 32 bit integer on 32 bit systems and to the maximum 64 bit integer on 64 bit systems Default Value 10 Syntax Integer Example dnaRangeRequestTimeout 15 3 7 8 dnaScope This attribute sets the base DN to search for entries to which to apply the distributed numeric assignment This is analogous to the base DN in...

Page 222: ... is that one server begins to run out of numbers to assign which can cause problems The Distributed Numeric Assignment Plug in allows the server to request a new range from the available ranges on other servers So that the server can recognize when it is reaching the end of its assigned range the dnaThreshold attribute sets a threshold of remaining available numbers in the range When the server hi...

Page 223: ... over to a specific attribute in the entries for the members 3 8 1 memberofattr This attribute specifies the attribute in the user entry for the Directory Server to manage to reflect group membership The MemberOf Plug in generates the value of the attribute specified here in the directory entry for the member There is a separate attribute for every group to which the user belongs Parameter Descrip...

Page 224: ... That attribute will not work as a value for memberofgroupattr since the memberURL value is a URL and a non DN value cannot work with the MemberOf Plug in Parameter Description Entry DN cn MemberOf Plugin cn plugins cn config Valid Range Any Directory Server attribute Default Value member Syntax DirectoryString Example memberofgroupattr member ...

Page 225: ...e paths accordingly The files tools and scripts used by Directory Server are in the locations listed in the following directories File or Directory Location Backup files var lib dirsrv slapd instance_name bak Configuration files etc dirsrv slapd instance_name Database files var lib dirsrv slapd instance_name db LDIF files var lib dirsrv slapd instance_name ldif Lock files var lock dirsrv slapd ins...

Page 226: ...ectory and file for storing backup related files var lib dirsrv slapd instance_name bak This contains a directory dated with the instance_name time and date of the database backup such as instance_name 2009_05_02_16_56_05 which in turn holds the database backup copy etc dirsrv slapd instance_name dse_original ldif This is a backup copy of the dse ldif configuration file from the time of installati...

Page 227: ...e NetscapeRoot directory contents entrydn db4 parentid db4 givenName db4 sn db4 DBVERSION id2entry db4 uid db4 aci db4 nsUniqueId db4 uniquemember db4 ancestorid db4 numsubordinates db4 cn db4 objectclass db4 Example 4 2 NetscapeRoot Database Directory Contents The NetscapeRoot subdirectories contain an index_namedb4 file for every index currently defined in the database In addition to these files...

Page 228: ...rectory contents exports imports server Example 4 4 Lock Directory Contents The lock mechanisms stored in the exports imports and server subdirectories prevent multiple simultaneous operations from conflicting with each other The lock mechanisms allow for one server instance to run at a time with possible multiple export jobs They also permit one ldif2db import operation at a time not ldif2db pl b...

Page 229: ...ry Server SNMP data collection component This data is read by the SNMP subagent in response to SNMP attribute queries and is communicated to the SNMP master agent responsible for handling Directory Server SNMP requests 4 8 PID Files slapd serverID pid and slapd serverID startpid files are created in the var run dirsrv directory when the server is up and running Both files store the server s proces...

Page 230: ...d instance_name directory are listed in Example 4 9 Instance Directory Contents Chapter 7 Command Line Scripts has more information on command line scripts bak2db db2index pl ldif2db pl ns inactivate pl start slapd bak2db pl db2ldif ldif2ldap ns newpwpolicy pl stop slapd db2bak db2ldif pl monitor restart slapd suffix2instance db2bak pl dbverify ns accountstatus pl restoreconfig verify db pl db2ind...

Page 231: ...the IP address of the client Bind record Bind result record Sequence of operation request operation result pairs of records or individual records in the case of connection closed and abandon records Unbind record Closed record Every line begins with a timestamp 21 Apr 2009 11 39 51 0700 the format of which may vary depending on the platform 0700 indicates the time difference in relation to GMT Apa...

Page 232: ...1 Apr 2009 11 39 51 0700 conn 11 op 1 RESULT err 0 tag 101 nentries 1 etime 3 notes U 21 Apr 2009 11 39 51 0700 conn 11 op 2 UNBIND 21 Apr 2009 11 39 51 0700 conn 11 op 2 fd 608 closed U1 21 Apr 2009 11 39 52 0700 conn 12 fd 634 slot 634 connection from 207 1 153 51 to 192 18 122 139 21 Apr 2009 11 39 52 0700 conn 12 op 0 BIND dn cn Directory Manager method 128 version 3 21 Apr 2009 11 39 52 0700 ...

Page 233: ...are not recorded in the access log by default To activate the logging of internal access operations specify access logging level 4 on the nsslapd accesslog level 3 configuration attribute File Descriptor Every connection from an external LDAP client to Directory Server requires a file descriptor or socket descriptor from the operating system in this case fd 608 fd 608 indicates that it was file de...

Page 234: ... indicates the LDAP version number either LDAPv2 or LDAPv3 that the LDAP client used to communicate with the LDAP server 21 Apr 2009 11 39 51 0700 conn 11 op 0 BIND dn cn Directory Manager method 128 version 3 Error Number The error number in this case err 0 provides the LDAP result code returned from the LDAP operation performed The LDAP error number 0 means that the operation was successful For ...

Page 235: ...ound matching the LDAP client s request 21 Apr 2009 11 39 51 0700 conn 11 op 0 RESULT err 0 tag 97 nentries 0 etime 0 Elapsed Time etime shows the elapsed time in this case etime 3 or the amount of time in seconds that it took the Directory Server to perform the LDAP operation 21 Apr 2009 11 39 51 0700 conn 11 op 1 RESULT err 0 tag 101 nentries 1 etime 3 notes U An etime value of 0 means that the ...

Page 236: ...s that the database itself had to be directly searched instead of the index file Unindexed searches occur in three scenarios When the nsslapd idlistscanlimit was reached within the index file used for the search When no index file existed When the index file was not configured in the way required by the search NOTE An unindexed search indicator is often accompanied by a large etime value as uninde...

Page 237: ...and n can have a value of 0 1 or 2 0 for base search 1 for one level search 2 for subtree search For more information about search scopes see Using ldapsearch in Appendix B Finding Directory Entries in the Red Hat Directory Server Administrator s Guide Extended Operation OID An extended operation OID such as EXT oid 2 16 840 1 113730 3 5 3 or EXT oid 2 16 840 1 113730 3 5 5 in Example 5 1 Example ...

Page 238: ...lar naming context Abandon Message The abandon message indicates that an operation has been aborted 21 Apr 2009 11 39 52 0700 conn 12 op 2 ABANDON targetop 1 msgid 2 nentries 0 etime 0 nentries 0 indicates the number of entries sent before the operation was aborted etime 0 value indicates how much time in seconds had elapsed and targetop 1 corresponds to an operation value from a previously initia...

Page 239: ...SASL bind in progress In logging a SASL bind the sasl method is followed by the LDAP version number 4 and the SASL mechanism used as shown below with the GSS API mechanism 21 Apr 2009 12 57 14 0700 conn 32 op 0 BIND dn method sasl version 3 mech GSSAPI NOTE The authenticated DN the DN used for access control decisions is now logged in the BIND result line as opposed to the bind request line as was...

Page 240: ...16 43 02 0200 conn 306 op 0 ENTRY dn cn Accounting Managers ou groups dc example dc com 12 Jul 2009 16 43 02 0200 conn 306 op 0 ENTRY dn cn HR Managers ou groups dc example dc com 12 Jul 2009 16 43 02 0200 conn 306 op 0 ENTRY dn cn QA Managers ou groups dc example dc com 12 Jul 2009 16 43 02 0200 conn 306 op 0 ENTRY dn cn PD Managers ou groups dc example dc com 12 Jul 2009 16 43 02 0200 conn 306 o...

Page 241: ...failed to flush data response back to client P2 Closed or corrupt connection has been detected T1 Client does not receive a result within the specified idletimeout period For further information about this configuration attribute see Section 2 3 1 60 nsslapd idletimeout Default Idle Timeout T2 Server closed connection after ioblocktimeout period was exceeded For further information about this conf...

Page 242: ...function calls Logs a message when the server enters and exits a function 2 Packeting handlings Logs debug information for packets processed by the server 4 Heavy trace output Logs when the server enters and exits a function with additional debugging messages 8 Connection management Logs the current connection status including the connection methods used for a SASL bind 16 Packets sent received Pr...

Page 243: ...r server plug in debugging 131072 Microsecond resolution for timestamps instead of the default seconds This cannot be enabled in the Directory Server Console 262144 Access control summary Summarizes information about access to the server much less verbose than level 128 This value is recommended for use when a summary of access control processing is needed Use 128 for very detailed processing mess...

Page 244: ...500 slapd shutting down signaling operation threads 07 Jan 2009 15 54 08 0500 slapd shutting down closing down internal subsystems and plugins 07 Jan 2009 15 54 11 0500 Waiting for 3 database threads to stop 07 Jan 2009 15 54 11 0500 All database threads now stopped 07 Jan 2009 15 54 12 0500 slapd stopped Red Hat Directory 8 1 4 B2008 310 1012 server example com 389 etc dirsrv slapd example 07 Jan...

Page 245: ...lugin agmt cn example2 alt 13864 binddn cn directory manager passwd DES iRDGwYacBXFTnmlzPU01WQ 09 Jan 2009 13 44 48 0500 NSMMReplicationPlugin agmt cn example2 alt 13864 No linger to cancel on the connection 09 Jan 2009 13 44 48 0500 NSMMReplicationPlugin agmt cn example2 alt 13864 Replica was successfully acquired 09 Jan 2009 13 44 48 0500 NSMMReplicationPlugin agmt cn example2 alt 13864 State re...

Page 246: ...lug in logging records every the name of the plugin and all of the functions called by the plugin This has a simple format timestamp Plugin_name message timestamp function message The information returned can be hundreds of lines long as every step is processed The precise information recorded depends on the plug in itself For example the ACL Plug in includes a connection and operation number as s...

Page 247: ...are two levels of ACI logging one for debug information and one for summary Both of these ACI logging levels records some extra information that is not included with other types of plug ins or error logging including connection 6 and operation 7 information Show the name of the plug in the bind DN of the user the operation performed or attempted and the ACI which was applied The debug level shows ...

Page 248: ...er replace modifytimestamp modifytimestamp 20090108231429Z modifications to o NetscapeRoot from logging into the Console time 20090108182758 dn cn general ou 1 1 ou console ou cn directory manager ou userpreferences ou example com o netscaperoot changetype modify replace nsPreference nsPreference IwojVGh1IEphbiAwOCAxODoyNzo1OCBFU1QgMjAwOQpXaWR0aD03NzAKU2hvd1 N0YXR1c0Jhcj10cnVlClNob3dCYW5uZXJCYXI9d...

Page 249: ...REQUIRED 65 OBJECT_CLASS_VIOLATION 9 LDAP_PARTIAL_RESULTS 66 NOT_ALLOWED_ON_NONLEAF 10 REFERRAL LDAP v3 67 NOT_ALLOWED_ON_RDN 11 ADMIN_LIMIT_EXCEEDED LDAP v3 68 ENTRY_ALREADY_EXISTS 12 UNAVAILABLE_CRITICAL_EXTENSION LDAP v3 69 OBJECT_CLASS_MODS_PROHIBITED 13 CONFIDENTIALITY_REQUIRED LDAP v3 71 AFFECTS_MULTIPLE_DSAS LDAP v3 14 SASL_BIND_IN_PROGRESS 80 OTHER 16 NO_SUCH_ATTRIBUTE 81 SERVER_DOWN 17 UN...

Page 250: ...236 ...

Page 251: ...n the PATH variable before usr bin These OpenLDAP tools can be used for Directory Server operations with certain cautions The output of the other tools may be different so it may not look like the examples in the documentation The OpenLDAP tools require a x argument to disable SASL so that it can be used for a simple bind meaning the D and w arguments or an anonymous bind The OpenLDAP tools argume...

Page 252: ...ldappasswd Changes users passwords with the password change extended operation For more information on the password extended change operation see the Managing the Password Policy section of the Managing User Accounts and Passwords chapter in the Directory Server Administrator s Guide ldif Automatically formats LDIF files and creates base 64 encoded attribute values For details on this tool see app...

Page 253: ...trator s Guide If a list of attributes is not specified the search returns values for all attributes permitted by the access control set in the directory with the exception of operational attributes Table 6 2 ldapsearch Syntax To return operational attributes as a result of a search operation they must be explicitly specified in the search command To retrieve regular attributes along with explicit...

Page 254: ...Server and it must also have the authority to search for the entries For example D uid bjensen dc example dc com g Specifies that the password policy request control not be sent with the bind request By default the new LDAP password policy request control is sent with bind requests The ldapsearch tool can parse and display information from the response control if it is returned by a server that is...

Page 255: ...rch The scope can be one of the following base searches only the entry specified in the b option or defined by the LDAP_BASEDN environment variable one searches only the immediate children of the entry specified in the b option Only the children are searched the actual entry specified in the b option is not searched sub searches the entry specified in the b option and all of its descendants That i...

Page 256: ...ntries See Section 2 3 1 103 nsslapd sizelimit Size Limit for more information Table 6 3 Commonly Used ldapsearch Options Persistent Search Options A persistent search leaves the search operation open after the initial search results are returned This allows the entries returned in the search to remain in cache and updates to be transmitted and included as they occur Persistent searches leave the ...

Page 257: ...s 1 Table 6 4 Persistent Search Options SSL Options The following command line options can be used to specify that ldapsearch use LDAPS when communicating with an SSL enabled Directory Server or used for certificate based authentication These options are valid only when LDAPS has been turned on and configured for the Directory Server For information on certificate based authentication and creating...

Page 258: ...Specifies the certificate name to use for certificate based client authentication such as N Server Cert If this option is specified then the Z P and W options are required Also if this option is specified then the D and w options must not be specified or certificate based authentication will not occur and the bind operation will use the authentication credentials specified on D and w P Specifies t...

Page 259: ...rted it will continue in cleartext ZZZ Enforces the Start TLS request The server must respond that the request was successful If the server does not support Start TLS such as Start TLS is not enabled or the certificate information is incorrect the command is aborted immediately Table 6 5 Additional SSL ldapsearch Options SASL Options SASL mechanisms can be used to authenticate a user using the o t...

Page 260: ...of DIGEST MD5 SASL Mechanism Options GSSAPI described in Table 6 9 Description of GSSAPI SASL Mechanism Options Required or Optional Option Description Example Required mech CRAM MD5 Gives the SASL mechanism o mech CRAM MD5 Required authid authid_value Gives the ID used to authenticate to the server authid_value can be the following UID For example msmith u uid For example u msmith dn dn_value For...

Page 261: ...ntials noanonymous Do not permit mechanisms that allow anonymous access minssf Require a minimum security strength this option needs a numeric value specifying bits of encryption A value of 1 means integrity is provided without privacy maxssf Require a maximum security strength this option needs a numeric value specifying bits of encryption A value of 1 means integrity is provided without privacy ...

Page 262: ...id For example u msmith dn dn_value For example dn uid msmith ou People o example com o authid dn uid msmith ou People o example com Optional secprop value The secprop attribute sets the security properties for the connection The secprop value can be any of the following None noplain Do not permit mechanisms susceptible to simple passive attack noanonymous Do not permit mechanisms that allow anony...

Page 263: ...escription Example Required mech GSSAPI Gives the SASL mechanism NOTE Have the Kerberos ticket before issuing a GSS API request o mech GSSAPI Optional secprop value The secprop attribute sets the security properties for the connection The secprop value can be any of the following None noplain Do not permit mechanisms susceptible to simple passive attack noanonymous Do not permit mechanisms that al...

Page 264: ...search retrieve the attributes only not the attribute values This option is useful to determine if an attribute is present for an entry and the value is not important a Specifies how alias dereferencing is completed Values can be never always search or find The default value is never B Print non ASCII values using the old output format attrName attrValue c Specifies the getEffectiveRights control ...

Page 265: ... addition to 20 entries that come before it and 30 entries that come after it If there are fewer matching entries in the directory than the before or after number requested by the search all available entries before after the search target that match the search criteria are returned An index operation which sorts by surname G 20 30 100 0 returns from the 80th through 130th entries sorted by sn Use...

Page 266: ... support this control true or if it should be ignored and let the search return as normal false AuthId is the DN of the user whose rights to check j filename Contains the name of a file containing the password for the bind DN k Bypasses converting the password to UTF8 M Manages smart referrals This causes the server not to return the smart referral contained on the entry but instead to return the ...

Page 267: ...ed on the values regardless of the content U Creates file URLs for the files produced by the t option u Specifies that the user friendly form of the distinguished name be used in the output V Specifies the LDAP version number to be used on the search For example V 2 LDAPv3 is the default An LDAPv3 search cannot be performed against a Directory Server that only supports LDAPv2 v Specifies that the ...

Page 268: ...nections entryfile Commonly Used ldapmodify Options Option Description a Adds LDIF entries to the directory without requiring the changetype add LDIF update statement This provides a simplified method of adding entries to the directory This option also allows directly adding a file created by ldapmodify B Specifies the suffix under which the new entries will be added D Specifies the distinguished ...

Page 269: ...e response control if it is returned by a server that is the tool will print an appropriate error or warning message when a server sends the password policy response control with an appropriate value The criticality of the request control is set to false to ensure that all LDAPv3 servers that do not understand the control can ignore it To suppress sending of the request control with the bind reque...

Page 270: ... should be checked in SSL certificates I Specifies the SSL key password file that contains the token password pair K Specifies the path including the filename of the private key database of the client Either the absolute or relative to the server root path can be specified The K option must be used when the key database has a different name than key3 db or when the key database is not under the sa...

Page 271: ...Start TLS request Use this option to make a cleartext connection into a secure one If the server does not support Start TLS the command does not need aborted it will continue in cleartext ZZZ Enforces the Start TLS request The server must respond that the request was successful If the server does not support Start TLS such as Start TLS is not enabled or the certificate information is incorrect the...

Page 272: ...how to use SASL options with ldapmodify Additional ldapmodify Options Option Description b Causes the utility to check every attribute value to determine whether the value is a valid file reference If the value is a valid file reference then the content of the referenced file is used as the attribute value This is often used for specifying a path to a file containing binary data such as JPEG For e...

Page 273: ...rting an error H Lists all available ldapmodify options M Manages smart referrals This causes the server not to return the smart referral contained on the entry but instead to apply the modification request directly to the entry Use this option to add change or delete a directory entry that contains a smart referral For more information about smart referrals see the Configuring Directory Databases...

Page 274: ...forms delete operations on directory entries via LDAP Syntax Commonly Used ldapdelete Options SSL Options SASL Options Additional ldapdelete Options Syntax ldapdelete optional_options Commonly Used ldapdelete Options Option Description D Specifies the distinguished name with which to authenticate to the server The value must be a DN recognized by the Directory Server and it must also have the auth...

Page 275: ...e server uses The default is 389 If Z is used the default is 636 w Specifies the password associated with the distinguished name specified in the D option For example w mypassword The default is or anonymous If a password is not sent on the command line and the server requires one the command prompts for one It is more secure not to provide a password on the command line so that it does not show u...

Page 276: ...ied then the Z and W options are required Also if this option is specified then the D and w options must not be specified or certificate based authentication will not occur and the bind operation will use the authentication credentials specified on D and w P Specifies the absolute path including the filename of the certificate database of the client This option is used only with the Z option When ...

Page 277: ...and is aborted immediately Table 6 16 ldapdelete SSL Options SASL Options SASL mechanisms can be used to authenticate a user using the o the required SASL information To learn which SASL mechanisms are supported search the root DSE See the b option in Table 6 3 Commonly Used ldapsearch Options Option Description o Specifies SASL options The format is o saslOption value saslOption can have one of s...

Page 278: ... the command line H Lists all available ldapdelete options M Manages smart referrals This causes the server not to return the smart referral contained on the entry but instead to delete the actual entry containing the smart referral For more information about smart referrals see the Configuring Directory Databases chapter in the Directory Server Administrator s Guide n Specifies that the entries a...

Page 279: ...ppasswd Use ldappasswd to set or change user passwords in Directory Server Syntax ldappasswd specific Options General ldappasswd Options SASL Options Examples Syntax ldappasswd options user user is the authentication identity typically a DN If not specified the distinguished name specified by the D option bind name is used ldappasswd specific Options Option Description A Specifies that the command...

Page 280: ...S or an appropriate SASL mechanism the server will not perform the request Option Description 3 Specifies that hostnames should be checked in SSL certificates D Specifies the distinguished name with which to authenticate to the server This value must be a DN recognized by the Directory Server and it must also have the authority to delete the entries For example D uid bjensen dc example dc com The ...

Page 281: ...word pair K Specifies the path including the filename of the private key database of the client This can be the absolute or relative to the server root path The K option must be used when the key database is not called key3 db or when the key database is not in the same directory as the certificate database that is the cert8 db file the path for which is specified with the P option N Specifies the...

Page 282: ...d certificate name which is separated by a semicolon for PKCS11 W Specifies the password for the certificate database identified on the P option For example W serverpassword w Specifies the password associated with the distinguished name that is specified in the D option For example w diner892 The default is or anonymous If a password is not sent on the command line and the server requires one the...

Page 283: ...n have one of six values mech the SASL authentication mechanism authid the user who is binding to the server Kerberos principal authzid a proxy authorization ignored by the server since proxy authorization is not supported secProp the security properties realm the Kerberos realm flags The expected values depend on the supported mechanism The o can be used multiple times to pass all of the required...

Page 284: ...ost P etc dirsrv slapd instance_name cert8 db D uid tuser3 ou People dc example dc com w old_password a old_password s new_password Example 6 3 User Changing His Own Password A user tuser4 authenticates with the user certificate and changes the password to new_password over SSL ldappasswd Z h myhost P etc dirsrv slapd instance_name cert8 db W dbpassword N uid tuser4 K etc dirsrv slapd instance_nam...

Page 285: ... line utility will take any input and format it with the correct line continuation and appropriate attribute information The ldif utility also senses whether the input requires base 64 encoding Syntax Options Syntax The ldif command has the following format ldif b attrtypes optional_options Options Option Description b Specifies that the ldif utility should interpret the entire input as a single b...

Page 286: ...nsions in their filename depending on the version of Directory Server Syntax Options Syntax dbscan f filename options Options Option Parameter Description f filename Specifies the name of the database file the contents of which are to be analyzed and extracted This option is required R Dump the database as raw data t size Specifies the entry truncate size in bytes Table 6 23 Common Options NOTE Th...

Page 287: ...dex File Options Examples The following are command line examples of different situations using dbscan to examine the Directory Server databases dbscan f var lib dirsrv slapd instance_name db userRoot id2entry db4 Example 6 7 Dumping the Entry File dbscan f var lib dirsrv slapd instance_name db userRoot cn db4 Example 6 8 Displaying the Index Keys in cn db4 dbscan r f var lib dirsrv slapd instance...

Page 288: ...he equals sign means the key is an equality index dbscan k hr managers r f var lib dirsrv slapd instance_name db userRoot cn db4 hr 20managers 7 Example 6 15 Displaying the entryID with the Common Name Key hr managers dbscan K 7 f id2entry db4 id 7 dn cn HR Managers ou groups dc example dc com objectClass top objectClass groupOfUniqueNames cn HR Manager ou groups description People who can manage ...

Page 289: ...nd Line Scripts Quick Reference The following shell and Perl scripts are located in either the usr lib dirsrv slapd instance_name for 32 bit Red Hat Enterprise Linux or usr lib64 dirsrv slapd instance_name for 64 bit Red Hat Enterprise Linux directory Shell Script Description bak2db Restores the database from the most recent archived backup db2bak Creates a backup of the current database contents ...

Page 290: ...reflect changes in group membership ldif2db pl Imports LDIF files to a database and runs the ns slapd command line utility with the ldif2db keyword ns accountstatus pl Provides account status information to establish whether an entry or group of entries is locked ns activate pl Activates an entry or a group of entries by unlocking them ns inactivate pl Deactivates an entry or a group of entries ns...

Page 291: ... Server Perl remove ds pl Removes a Directory Server instance Perl repl monitor Provides in progress status of replication Shell repl monitor pl Provides in progress status of replication Perl setup ds pl Creates or recreates a Directory Server instance Perl setup ds admin pl Creates a new Directory Server instance and local Administration Server instance Perl Table 7 3 Scripts in usr bin 7 3 Shel...

Page 292: ...ome of the shell scripts can be executed while the server is running For others the server must be stopped The description of each script below indicates whether the server must be stopped or if it can continue to run while executing the script When a shell script has a Perl equivalent there is a cross reference to the section describing the equivalent Perl script 7 3 1 bak2db Restores a Database ...

Page 293: ...ccessible Option Description c Dumps and interprets CSN only This option can be used with or without the i option D bindDn Specifies the Directory Server s bind DN Defaults to cn Directory Manager if the option is omitted h host Specifies the Directory Server s host This defaults to the server where the script is running i changelogFile Specifies the path to the changelog file If there is a change...

Page 294: ...b2ldif with r For information on the equivalent Perl script see Section 7 4 5 db2ldif pl Exports Database Contents to LDIF For the shell scripts the script runs the ns slapd command line utility with the db2ldif keyword Ellipses indicate that multiple occurrences are allowed Syntax db2ldif n backendInstance s includeSuffix x excludeSuffix r C u U m M a outputFile 1 N E Options Either the n or the ...

Page 295: ...r option was used than the database is automatically initialized as a replica See Section 7 3 8 ldif2db Import for information on importing an LDIF file s suffix_name Names the suffixes to be included or the subtrees to be included if n has been used u Requests that the unique ID is not exported U Requests that the output LDIF is not folded x suffix_name Names the suffixes to be excluded Table 7 6...

Page 296: ...files If the server crashes because of a corrupted database this command can be used to verify the integrity of the different database files to help isolate any problems IMPORTANT Never run dbverify when a modify operation is in progress This command calls the BerkeleyDB utility db_verify and does not perform any locking This can lead to data corruption if the script is run at the same time as a m...

Page 297: ...stance is corrupted or broken so that it cannot run When the instance is removed it is shutdown and all of its configuration files are removed Certificate database files like cert8 db and key3 db are not removed so the remaining instance directory is renamed removed slapd instance Syntax ds_removal f s instance_name w manager_password Options Option Parameter Description f Forces the removal of th...

Page 298: ...tes a unique ID Type none for no unique ID to be generated and deterministic for the generated unique ID to be name based By default a time based unique ID is generated When using the deterministic generation to have a name based unique ID it is also possible to specify the namespace for the server to use as follows g deterministic namespace_id namespace_id is a string of characters in the format ...

Page 299: ...excludeSuffix Gives the suffixes to be excluded Table 7 9 ldif2db Options 7 3 9 ldif2ldap Performs Import Operation over LDAP Performs an import operation over LDAP to the Directory Server To run this script the server must be running Syntax ldif2ldap D rootdn w password f filename Options Option Description D rootdn Gives a user DN with root permissions such as Directory Manager f filename Gives ...

Page 300: ...he configuration file see Configuration File Format p port Specifies the initial replication supplier s port The default value is 389 r If specified causes the routine to be entered without printing the HTML header information This is suitable when making multiple calls to this routine such as specifying multiple different unrelated supplier servers and expecting a single HTML output t refreshInte...

Page 301: ...ut the most matched entry for a given server For example if all the LDAP servers except host1 share the same binddn and bindpassword the connection section will need to contain just two entries connection binddn bindpassword host1 binddn1 bindpassword1 In the optional alias section use aliases such as Supplier1 Supplier2 and Hub1 to identify the servers in the replication topology If used the outp...

Page 302: ... shadow port can be set in the replication monitor configuration file For example host port shadowport binddn bindpwd bindcert When the replication monitor finds a replication agreement that uses the specified port it will use the shadow port to connect to retrieve statistics 7 3 12 pwdhash Prints Encrypted Passwords Prints the encrypted form of a password using one of the server s encryption algo...

Page 303: ...on Server Configuration Restores by default the most recently saved Administration Server configuration information to the NetscapeRoot partition under the etc dirsrv slapd instance_name directory To restore the Administration Server configuration do the following 1 Stop the Directory Server 2 Run the restoreconfig script 3 Restart the Directory Server 4 Restart the Administration Server for the c...

Page 304: ...ax start slapd Options There are no options for this script Exit Status Codes Exit Code Description 0 Server started successfully 1 Server could not be started 2 Server was already started Table 7 14 start slapd Exit Status Codes 7 3 17 stop slapd Stops the Directory Server Stops the Directory Server It might be a good idea to check whether the server has been effectively stopped using the ps comm...

Page 305: ...in the way search results are viewed VLV indexes can organize search results alphabetically or in reverse alphabetical order making it easy to scroll through the list of results VLV index configuration must already exist prior to running this script Syntax vlvindex d debugLevel n backendInstance s suffix T vlvTag Options Either the n or the s option must be specified Option Description d debugLeve...

Page 306: ...rates Indexes Section 7 4 5 db2ldif pl Exports Database Contents to LDIF Section 7 4 6 fixup memberof pl Regenerate memberOf Attributes Section 7 4 10 migrate ds admin pl Section 7 4 7 ldif2db pl Import Section 7 4 8 logconv pl Log Converter Section 7 4 11 ns accountstatus pl Establishes Account Status Section 7 4 12 ns activate pl Activates an Entry or Group of Entries Section 7 4 13 ns inactivat...

Page 307: ...he file containing the password n backendInstance Specifies the backend name such as userRoot which is being restored This option is only used for filesystem replica initialization or to restore a single database it is not necessary to use the n option to restore the entire directory t databaseType The database type The only possible database type is ldbm v Verbose mode w password The password ass...

Page 308: ...uding the filename for the final result Defaults to STDOUT if omitted p port Specifies the Directory Server s port The default value is 389 P bindCert Specifies the path including the filename to the certificate database that contains the certificate used for binding r replicaRoots Specifies the replica roots whose changelog to dump When specifying multiple roots use commas to separate roots If th...

Page 309: ...nerates Indexes Creates and generates the new set of indexes to be maintained following the modification of indexing entries in the cn config configuration file Syntax db2index pl v D rootdn w password w j filename n backendInstance t attributeName indextypes mathingrules T vlvAttributeName Options The script db2index pl creates an entry in the directory that launches this dynamic task The entry i...

Page 310: ...a outputFile N r C u U m E 1 M Options To run this script the server must be running and either the n or s option is required Option Description 1 Deletes for reasons of backward compatibility the first line of the LDIF file that gives the version of the LDIF standard a outputFile Gives the filename of the output LDIF file C Uses only the main database file D rootdn Gives the user DN with root per...

Page 311: ...4 6 fixup memberof pl Regenerate memberOf Attributes Regenerates and updates memberOf on user entries to coordinate changes in group membership To run this script the server must be running The script creates an entry in the directory that launches this dynamic task Syntax fixup memberof pl D rootdn w password w j filename b baseDN f filter v Options Option Description b baseDN The DN of the subtr...

Page 312: ...N with root permissions such as Directory Manager E Decrypts encrypted data during export This option is used only if database encryption is enabled g string Generates a unique ID Type none for no unique ID to be generated and deterministic for the generated unique ID to be name based By default a time based unique ID is generated When using the deterministic generation to have a name based unique...

Page 313: ...verbose mode w password Specifies the password associated with the user DN w Prompts for the password associated with the user DN x excludeSuffix Specifies the suffixes to be excluded Table 7 24 ldif2db pl Options 7 4 8 logconv pl Log Converter Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events It is compatible with log format...

Page 314: ... accessed For example lists of the top ten bind DNs base DNs filter strings and attributes returned can help administrators optimize the directory for its users These lists are optional because they are computation intensive specify only the command line options required see Options Some information that is extracted by the logconv pl script is available only in logs from current releases of Direc...

Page 315: ...s that are enabled and it will have no effect if none are displayed S startTimestamp Specifies the start timestamp the timestamp must follow the exact format as specified in the access log v Displays the version number of the logconv pl script V Enables verbose output With this option logconv pl will compute and display all of the optional lists described in Table 7 27 logconv pl Options to Displa...

Page 316: ...nd DNs with the most failed logins invalid password c Lists the number of occurrences for each type of connection code i Lists the IP addresses and connection codes of the clients with the most connections which detects clients that may be trying to compromise security b Lists the most frequently used bind DNs a Lists the most frequent base DNs when performing operations l Lists the most frequentl...

Page 317: ...ile same as the setup scripts Both the inf parameters and command line arguments are described in the silent configuration section of the Installation Guide Syntax migrate ds pl oldsroot server_directory actualsroot server_directory instance instance_name file name cross debug log name General ConfigDirectoryAdminPwd password Options Option Alternate Options Description General ConfigDirectoryAdmi...

Page 318: ...chine file name f name This sets the path and name of the inf file provided with the migration script The only parameter is the General ConfigDirectoryAdminPwd parameter which is the configuration directory administrator s password Any other configuration setting is ignored by the migration script cross c or x This parameter is used when the Directory Server is being migrated from one machine to a...

Page 319: ... pl for the new Directory Server 8 1 instance before running the migration script if you are migrating from a 7 1 server If you are upgrading from a Directory Server 8 0 server do not run migrate ds admin pl Run setup ds admin pl u instead Information can be passed with the script or in an inf file same as the setup scripts Both the inf parameters and command line arguments are described in the si...

Page 320: ...t ds instance i This parameter specifies a specific instance to migrate This parameter can be used multiple time to migrate several instances simultaneously By default the migration script migrates all Directory Server instances on the machine file name f name This sets the path and name of the inf file provided with the migration script The only parameter is the General ConfigDirectoryAdminPwd pa...

Page 321: ...t Status Provides account status information to establish whether an entry or group of entries is inactivated Syntax ns accountstatus pl D rootdn w password w j filename p port h host I DN Options Option Description D rootdn Specifies the Directory Server user DN with root permissions such as Directory Manager h host Specifies the hostname of the Directory Server The default value is the full host...

Page 322: ...e full hostname of the machine where Directory Server is installed I DN Specifies the entry DN or role DN to activate j filename Specifies the path including the filename to the file that contains the password associated with the user DN p port Specifies the Directory Server s port The default value is the LDAP port of Directory Server specified at installation time w password Specifies the passwo...

Page 323: ...N w Prompts for the password associated with the user DN Opens the help page Table 7 30 ns inactivate pl Options 7 4 14 ns newpwpolicy pl Adds Attributes for Fine Grained Password Policy Adds entries required for implementing the user and subtree level password policy For instructions on how to enable this feature see the Red Hat Directory Server Administrator s Guide Syntax ns newpwpolicy pl D ro...

Page 324: ... script can be used for two things Registering an existing Directory Server instance with a different Administration Server or Configuration Directory Server Creating a new local Administration Server when only a Directory Server was installed previously IMPORTANT The register ds admin pl script does not support external LDAP URLs so the Directory Server instance must be registered against a local...

Page 325: ...les are removed Certificate database files like cert8 db and key3 db are not removed so the remaining instance directory is renamed removed slapd instance Syntax remove ds pl f i instance_name Options Option Parameter Description f Forces the removal of the instance This can be useful if the instance is not running but must be removed anyway i instance_name The name of the instance to remove 7 4 1...

Page 326: ...fresh URL The output HTML file may invoke a CGI program periodically If this CGI program in turn calls this script the effect is that the output HTML file would automatically refresh itself This is useful for continuous monitoring See also the t option The script has been integrated into Red Hat Administration Express so that the replication status can be monitored through a web browser v Prints t...

Page 327: ... for 5 60 minutes lag and pink for a lag of 60 minutes or more The connection parameters for all the servers in a replication topology must be specified within one configuration file One configuration file however may contain information for multiple replication topologies Because of the connection parameters the replication monitoring tool does not need to perform DES decryption of the credential...

Page 328: ... be running The script creates an entry in the directory that launches this dynamic task Syntax schema reload pl D rootdn w password w j filename d schema_directory v Options Option Description d schema_directory Gives the full path to the directory where the schema file is located If this is not specified the script uses the default schema directory etc dirsrv slapd instance_name schema IMPORTANT...

Page 329: ...ript or in an inf file If no options are used the setup ds pl launches an interactive configuration program Both the inf parameters and command line arguments are described in the silent configuration section of the Installation Guide Syntax setup ds pl debug silent file name keepcache log name update Options Option Alternate Options Description silent s This runs the register script in silent mod...

Page 330: ... protection with this file logfile name l This parameter specifies a log file to which to write the output If this is not set then the setup information is written to a temporary file To not use a log file set the file name to dev null update u This parameter updates existing Directory Server instances If an installation is broken in some way this option can be used to update or replace missing pa...

Page 331: ...ed in the command line rather than interactively file name f name This sets the path and name of the file which contains the configuration settings for the new Directory Server instance This can be used with the silent parameter if used alone it sets the default values for the setup prompts debug d dddd This parameter turns on debugging information For the d flag increasing the number of d s incre...

Page 332: ...end database files If the server crashes because of a corrupted database this script can be used to verify the integrity of the different database files to help isolate any problems IMPORTANT Never run verify db pl when a modify operation is in progress This command calls the BerkeleyDB utility db_verify and does not perform any locking This can lead to data corruption if the script is run at the ...

Page 333: ...tion Description a path Gives the path to the database directory If this option is not passed with the verify db pl command then it uses the default database directory var lib dirsrv slapd instance_name db Opens the help page Table 7 34 verify db pl Options ...

Page 334: ...320 ...

Page 335: ...ver importing from LDIF using the command line and exporting to LDIF using the command line refer to the Populating Directory Databases chapter in the Red Hat Directory Server Administrator s Guide A 2 Finding and Executing the ns slapd Command Line Utilities The ns slapd command line utilities are stored in etc dirsrv slapd instance_name NOTE In order to execute the command line utilities set the...

Page 336: ...s are necessary only if the db2ldif output is to be used as input to db2index r Exports replication state information The server must be shut down before exporting using this option s includeSuffix Specifies the suffix or suffixes to include in the export There can be multiple s arguments u Specifies that the unique ID will not be included in the LDIF output By default the server includes the uniq...

Page 337: ... debug level to use during runtime For further information refer to Section 2 3 1 44 nsslapd errorlog level Error Log Level D configDir Specifies the location of the server configuration directory that contains the configuration information for the import process This must be the full path to the configuration directory etc dirsrv slapd instance_name E Decrypts an encrypted database during export ...

Page 338: ...s are created for the imported database If this option is specified and the indexes need to be restored later the indexes have to be recreated by hand See the Directory Server Administrator s Guide for further information s includeSuffix Specifies the suffix or suffixes within the LDIF file to import x excludeSuffix Specifies suffixes within the LDIF file to exclude during the import There can be ...

Page 339: ... slapd db2archive D configDir a archiveDir Options Option Description D configDir Specifies the location of the server configuration directory that contains the configuration information for the index creation process This must be the full path to the configuration directory etc dirsrv slapd instance_name a archiveDir Specifies the archive directory Table A 4 db2archive Options A 7 Utilities for C...

Page 340: ...type must be specified This option cannot be used with T indexTypes specifies a comma separated list of indexes to be created for the attributes matchingRules is an optional comma separated list of the OIDs for the languages in which the attribute will be indexed This option is used to create international indexes For information on supported locales and collation order OIDs see the Appendix Inter...

Page 341: ...st reaches this limit the server replaces that ID list with an All IDs token See Also ID list scan limit All IDs token A mechanism which causes the server to assume that all directory entries match the index key In effect the All IDs token causes the server to behave as if no index was available for the search request anonymous access When granted allows anyone to access directory information with...

Page 342: ...base DN bind DN Distinguished name used to authenticate to Directory Server when performing an operation bind distinguished name See bind DN bind rule In the context of access control the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information branch entry An entry that represents the top of a subtree in the d...

Page 343: ...ication character type Distinguishes alphabetic characters from numeric or other characters and the mapping of upper case to lower case letters ciphertext Encrypted information that cannot be read by anyone without the proper key to decrypt the information class definition Specifies the information needed to create an instance of a particular object and determines how the object works in relation ...

Page 344: ... per database instance Default indexes can be modified although care should be taken before removing them as certain plug ins may depend on them definition entry See CoS definition entry Directory Access Protocol See DAP directory tree The logical representation of the information stored in the directory It mirrors the tree model used by most filesystems with the tree s root point appearing at the...

Page 345: ...earch request equality index Allows you to search efficiently for entries containing a specific attribute value F file extension The section of a filename after the period or dot that typically defines the type of file for example GIF and HTML In the filename index html the file extension is html file type The format of a given file For example graphics files are often saved in GIF format while a ...

Page 346: ...hub In the context of replication a server that holds a replica that is copied from a different server and in turn replicates it to a third server See Also cascading replication I ID list scan limit A size limit which is globally applied to any indexed search operation When the size of an individual ID list reaches this limit the server replaces that ID list with an all IDs token index key Each in...

Page 347: ...at used to represent Directory Server entries in text form leaf entry An entry under which there are no other entries A leaf entry cannot be a branch point in a directory tree Lightweight Directory Access Protocol See LDAP locale Identifies the collation order character type monetary format and time date format used to present data for users of a specific region culture and or custom This includes...

Page 348: ...a to be named and referenced Also called the directory tree monetary format Specifies the monetary symbol used by specific region whether the symbol goes before or after its value and how monetary units are represented multi master replication An advanced replication scenario in which two servers each hold a copy of the same read write replica Each server maintains a changelog for the replica Modi...

Page 349: ...identifier operational attribute Contains information used internally by the directory to keep track of modifications and subtree properties Operational attributes are not returned in response to a search unless explicitly requested P parent access When granted indicates that users have access to entries below their own in the directory tree if the bind DN is the parent of the targeted entry pass ...

Page 350: ...er In pass through authentication PTA the PTA Directory Server is the server that sends passes through bind requests it receives to the authenticating directory server PTA LDAP URL In pass through authentication the URL that defines the authenticating directory server pass through subtree s and optional parameters R RAM Random access memory The physical semiconductor based memory in a computer Inf...

Page 351: ...replica servers to which the data is pushed the times during which replication can occur the DN and credentials used by the supplier to bind to the consumer and how the connection is secured RFC Request for Comments Procedures or standards documents submitted to the Internet community People can send comments on the technologies before they become accepted standards role An entry grouping mechanis...

Page 352: ...ible for a particular system task Service processes do not need human intervention to continue functioning SIE Server Instance Entry The ID assigned to an instance of Directory Server during installation Simple Authentication and Security Layer See SASL Simple Network Management Protocol See SNMP single master replication The most basic replication scenario in which multiple servers up to four eac...

Page 353: ...d to replica servers supplier server In the context of replication a server that holds a replica that is copied to a different server is called a supplier for that replica supplier initiated replication Replication configuration where supplier servers replicate directory data to any replica servers symmetric encryption Encryption that uses the same key for both encrypting and decrypting DES is an ...

Page 354: ... a URL is protocol machine port document The port number is necessary only on selected servers and it is often assigned by the server freeing the user of having to place it in the URL V virtual list view index Speeds up the display of entries in the Directory Server Console Virtual list view indexes can be created on any branch point in the directory tree to improve display performance See Also br...

Page 355: ...nnection number conn 219 elapsed time etime 221 error number err 220 extended operation OID oid 223 file descriptor fd 219 format 217 LDAP request type 221 LDAP response type 222 message ID msgid 224 method type method 220 number of entries nentries 221 operation number op 219 options description options 226 SASL multi stage binds 225 scope of the search scope 223 slot number slot 219 sort SORT 22...

Page 356: ...ort attributes nsDumpUniqId 113 nsExcludeSuffix 111 nsExportReplica 112 nsFilename 110 nsIncludeSuffix 111 nsInstance 111 nsNoWrap 112 nsPrintKey 112 nsUseId2Entry 112 nsUseOneFile 111 configuration entry 110 cn import attributes nsExcludeSuffix 108 nsFilename 107 nsImportChunkSize 108 nsImportIndexAttrs 109 nsIncludeSuffix 108 nsInstance 108 nsUniqueIdGenerator 109 nsUniqueIdGeneratorNamespace 10...

Page 357: ...2db 283 ldif2ldap 285 monitor 285 pwdhash 288 repl monitor 286 restart slapd 289 restoreconfg 289 saveconfig 289 start slapd 290 stop slapd 290 suffix2instance 291 vlvindex 291 command line utilities dbscan 272 ds_removal 283 finding and executing 237 ldapdelete 260 ldapmodify 254 ldappasswd 265 ldapsearch 238 ldif 271 configuration access control 7 accessing and modifying 7 changing attributes 8 ...

Page 358: ...efresh 89 nsDS5Flags 78 nsDS5ReplConflict 79 nsDS5ReplicaBindDN 79 nsDS5ReplicaBindMethod 85 nsDS5ReplicaBusyWaitTime 85 nsDS5ReplicaChangeCount 80 nsDS5ReplicaChangesSentSinceStartup 86 nsDS5ReplicaCredentials 86 nsDS5ReplicaHost 86 nsDS5ReplicaID 80 nsDS5ReplicaLastInitEnd 87 nsDS5ReplicaLastInitStart 87 nsDS5ReplicaLastInitStatus 87 nsDS5ReplicaLastUpdateEnd 88 nsDS5ReplicaLastUpdateStart 88 ns...

Page 359: ...orlog logexpirationtimeunit 31 nsslapd errorlog logging enabled 31 nsslapd errorlog logmaxdiskspace 32 nsslapd errorlog logminfreediskspace 32 nsslapd errorlog logrotationsync enabled 32 nsslapd errorlog logrotationsynchour 33 nsslapd errorlog logrotationsyncmin 33 nsslapd errorlog logrotationtime 33 nsslapd errorlog logrotationtimeunit 34 nsslapd errorlog maxlogsize 34 nsslapd errorlog maxlogsper...

Page 360: ... exporting 280 reindexing index files 281 database encryption nsAttributeEncryption 191 nsEncryptionAlgorithm 191 database files 212 database link plug in configuration attributes nsAbandonCount 202 nsAbandonedSearchCheckInterval 195 nsActiveChainingComponents 193 nsAddCount 202 nsBindConnectionCount 202 nsBindConnectionsLimit 195 nsBindCount 202 nsBindMechanism 199 nsBindRetryLimit 196 nsBindTime...

Page 361: ...d db logfile size 170 nsslapd db longest chain length 185 nsslapd db page create rate 185 nsslapd db page ro evict rate 185 nsslapd db page rw evict rate 185 nsslapd db page size 170 nsslapd db page trickle rate 185 nsslapd db page write rate 185 nsslapd db pages in use 185 nsslapd db spin count 170 nsslapd db transaction batch val 171 nsslapd db trickle percentage 172 nsslapd db txn region wait r...

Page 362: ...emoval quick reference 275 ds_removal command line utility options 283 syntax 283 dTableSize attribute 97 E editing dse ldif file 9 encryption root password 50 specifying password storage scheme 68 encryption configuration attributes nsSSL2 74 nsSSL3 75 nsSSL3ciphers 75 nsSSLclientauth 74 nsSSLSessionTimeout 74 encryption configuration entries cn encryption 73 encryption method for root password 5...

Page 363: ...5java object ldif 5 28pilot ldif 5 30ns common ldif 5 50ns admin ldif 5 50ns certificate ldif 5 50ns directory ldif 5 50ns mail ldif 5 50ns value ldif 5 50ns web ldif 5 99user ldif 5 dse ldif 4 LDIF files 214 ldif2db command line shell script 283 quick reference 275 ldif2db pl command line perl script 298 quick reference 276 ldif2ldap command line shell script 285 quick reference 275 lock files 21...

Page 364: ...bute 87 nsDS5ReplicaLastInitStart attribute 87 nsDS5ReplicaLastInitStatus attribute 87 nsDS5ReplicaLastUpdateEnd attribute 88 nsDS5ReplicaLastUpdateStart attribute 88 nsDS5ReplicaLastUpdateStatus attribute 88 nsDS5ReplicaLegacyConsumer attribute 80 nsDS5ReplicaName attribute 81 nsDS5ReplicaPort attribute 89 nsDS5ReplicaPurgeDelay attribute 81 nsDS5ReplicaReapActive attribute 89 nsDS5ReplicaReferra...

Page 365: ...uditlog logrotationtime attribute 23 nsslapd auditlog logrotationtimeunit attribute 24 nsslapd auditlog maxlogsize attribute 24 nsslapd auditlog maxlogsperdir attribute 25 nsslapd auditlog mode attribute 25 nsslapd backend attribute 77 nsslapd cache autosize attribute 164 nsslapd cache autosize split attribute 165 nsslapd cachememsize attribute 177 nsslapd cachesize attribute 176 nsslapd certmap b...

Page 366: ...d ldapilisten attribute 39 nsslapd ldapimaprootdn attribute 40 nsslapd ldapimaptoentries attribute 40 nsslapd ldapiuidnumbertype attribute 40 nsslapd listenhost attribute 41 nsslapd localhost attribute 41 nsslapd localuser attribute 42 nsslapd maxbersize attribute 42 nsslapd maxdescriptors attribute 43 nsslapd maxsasliosize attribute 44 nsslapd maxthreadsperconn attribute 44 nsslapd mode attribute...

Page 367: ...sswordChange attribute 58 passwordCheckSyntax attribute 58 passwordExp attribute 59 passwordExpirationTime 59 passwordExpWarned 59 passwordGraceUserTime 60 passwordHistory attribute 60 passwordInHistory attribute 61 passwordLockout attribute 61 passwordLockoutDuration attribute 62 passwordMaxAge attribute 62 passwordMaxFailure attribute 63 passwordMinAge attribute 64 passwordMinLength attribute 65...

Page 368: ...d db debug 167 nsslapd db dirty pages 184 nsslapd db durable transactions 167 nsslapd db hash buckets 184 nsslapd db hash elements examine rate 184 nsslapd db hash search rate 184 nsslapd db home directory 167 nsslapd db idl divisor 168 nsslapd db lock conflicts 184 nsslapd db lock region wait rate 184 nsslapd db lock request rate 184 nsslapd db lockers 185 nsslapd db log bytes since checkpoint 18...

Page 369: ... 311 repl monitor command line shell script 286 quick reference 276 repl monitor pl command line perl script 311 quick reference 276 replication agreement configuration attributes cn 84 description 84 nsDS50ruv 93 nsDS5BeginReplicaRefresh 89 nsDS5ReplicaBindDN 84 nsDS5ReplicaBindMethod 85 nsDS5ReplicaBusyWaitTime 85 nsDS5ReplicaChangesSentSinceStartup 86 nsDS5ReplicaCredentials 86 nsDS5ReplicaHost...

Page 370: ...51 setup ds admin pl quick reference 276 setup ds admin pl command line script options 317 syntax 317 setup ds pl quick reference 276 setup ds pl command line script options 315 syntax 315 slapd conf file location of 7 smart referrals ldapsearch option 250 SNMP configuration attributes nssnmpcontact 100 nssnmpdescription 100 nssnmpenabled 99 nssnmplocation 99 nssnmpmasterhost 100 nssnmpmasterport ...

Page 371: ...ces in object class names 51 ttl 106 U uniqueid generator configuration attributes nsState 119 uniqueid generator configuration entries cn uniqueid generator 119 V verify db pl command line perl script 318 quick reference 275 276 vlvBase attribute 179 vlvEnabled attribute 179 vlvFilter attribute 180 vlvindex command line shell script 291 quick reference 275 vlvScope attribute 181 vlvSort attribute...

Page 372: ...358 ...

Reviews:

No comments