Red Hat DIRECTORY SERVER 7.1 Configuration

Configuration, command, and file reference

Configuration, Command, and
File Reference
Red Hat Directory Server
Version 7.1
May 2005
Updated August 2009

Summary of Contents for Red Hat DIRECTORY SERVER 7.1

  • Page 1 Configuration, Command, and File Reference Red Hat Directory Server Version 7.1 May 2005 Updated August 2009...
  • Page 2 All other trademarks referenced herein are the property of their respective owners. The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E...
  • Page 3: Table Of Contents

    Contents: About This Reference Guide (page 19); Directory Server Overview ...
  • Page 4 Modifying Configuration Entries Using LDAP (page 33); Restrictions to Modifying Configuration Entries and Attributes ...
  • Page 5 nsslapd-ds4-compatible-schema (page 55); nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting) ...
  • Page 6 nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names) (page 78); nsslapd-schemacheck (Schema Checking) (page 78); nsslapd-schemareplace ...
  • Page 7 nsDS5Flags (page 99); nsDS5ReplicaBindDN ...
  • Page 8 nsds7DirsyncCookie (page 116); nsds7NewWinGroupSyncEnabled ...
  • Page 9 Boolean Syntax Plug-in (page 133); Case Exact String Syntax Plug-in ...
  • Page 10 nsslapd-pluginLoadGlobal (page 157); nsslapd-plugin-depends-on-type ...
  • Page 11 nsslapd-require-index (page 177); nsslapd-suffix ...
  • Page 12 dbfilecachehit (page 184); dbfilecachemiss ...
  • Page 13 nsSearchOneLevelCount (page 197); nsSearchSubtreeCount ...
  • Page 14 Abandon Message (page 218); Message ID ...
  • Page 15 Syntax (page 252); Options ...
  • Page 16 Syntax (page 268); Options ...
  • Page 17 Options (page 284); ns-activate.pl (Activate an entry or group of entries) ...
  • Page 18 Index (page 319) Red Hat Directory Server Configuration, Command, and File Reference •...
  • Page 19: About This Reference Guide

    Directory Server Overview About This Reference Guide Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 20: Prerequisite Reading

    Prerequisite Reading • Directory Server Console — An improved management Console that dramatically reduces the effort of setting up and maintaining your directory service. The directory console is part of Red Hat Console, the common management framework for LDAP directory services. •...
  • Page 21: Conventions Used In This Reference Guide

    For example, if you gave the server an identifier of phonebook, then the actual path would look like /opt/redhat-ds/servers/slapd-phonebook/. . . • In examples/sample code, paths assume that the Directory Server is installed in the default location .
  • Page 22 For a list of documentation installed with Directory Server, open the serverRoot/manual/en/slapd/index.htm file. For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, check this site: http://www.redhat.com/docs/manuals/dir-server/
  • Page 23: Chapter 1 Introduction

    Overview of Directory Server Management Chapter 1 Introduction This chapter provides a brief overview of the configuration and administration utilities provided to manage the Red Hat Directory Server (Directory Server). This chapter is divided into the following sections: • Overview of Directory Server Management (page 23) •...
  • Page 24: Directory Server Configuration

    Directory Server Configuration You can perform most Directory Server administrative tasks through Red Hat Console, the graphical user interface provided with the Directory Server. For information on the general use of the Red Hat Console, see Managing Servers with Red Hat Console, and, for details on how to use the Console to manage the Directory Server in particular, see Red Hat Directory Server Administrator’s Guide.
  • Page 25: Using Directory Server Command-Line Utilities

    Using Directory Server Command-Line Utilities Directory Server comes with a set of configurable command-line utilities that you can use to search and modify entries in the directory and administer the server. Chapter 7, “Command-Line Utilities,” describes these command-line utilities and contains information on where the utilities are stored and how to access them.
  • Page 26 Using Directory Server Command-Line Scripts
  • Page 27: Chapter 2 Core Server Configuration Reference

    Chapter 2 Core Server Configuration Reference The configuration information for Red Hat Directory Server (Directory Server) is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files.
  • Page 28: Server Configuration - Overview

    Server Configuration - Overview When you install the Directory Server, its default configuration is stored as a series of LDAP entries within the directory, under the subtree cn=config. When the server is started, the contents of the cn=config subtree are read from a file ) in LDIF format.
  • Page 29: Ldif Configuration Files - Location

    Thus, if you specified a server identifier of phonebook, then, in a default installation, your configuration LDIF files are all stored under: /opt/redhat-ds/servers/slapd-phonebook/config Schema Configuration Files - Location Schema configuration is also stored in LDIF format, and these files are located in the following directory:...
  • Page 30: Configuration Of Plug-In Functionality

    Code Example 2-2 Configuration Entry for Telephone Syntax Plug-in

        dn: cn=Telephone Syntax,cn=plugins,cn=config
        objectclass: top
        objectclass: nsSlapdPlugin
        objectclass: extensibleObject
        cn: Telephone Syntax
        nsslapd-pluginPath: /opt/redhat-ds/servers/lib/syntax-plug-in.so
        nsslapd-pluginInitfunc: tel_init
        nsslapd-pluginType: syntax
        nsslapd-pluginEnabled: on
  • Page 31: Configuration Of Databases

    Server Configuration - Overview Some of these attributes are common to all plug-ins, and some may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an on the subtree.
  • Page 32: Accessing And Modifying Server Configuration

    Accessing and Modifying Server Configuration This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions to the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.
  • Page 33: Changing Configuration Attributes

    Accessing and Modifying Server Configuration • The user acting as the administrator, who has the UID that can be admin configured at installation time. • Members of local Directory Administrators Group. • The local Directory Administrator (root DN). • The SIE (Server Instance Entry) Group, usually assigned using the Set Access Permissions from the main topology view in the main console.
  • Page 34: Restrictions To Modifying Configuration Entries And Attributes

    Accessing and Modifying Server Configuration NOTE As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree as this risks affecting Directory Server functionality. The entire configuration, including attributes that always take default values, can be viewed by performing an operation on the subtree:...
  • Page 35: Configuration Changes Requiring Server Restart

    Core Server Configuration Attributes Reference Configuration Changes Requiring Server Restart Some configuration attributes cannot be altered dynamically while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the file.
  • Page 36: Cn=Config

    Core Server Configuration Attributes Reference • cn=changelog5 • cn=encryption • cn=features • cn=mapping tree • cn=monitor • cn=replication • cn=SNMP • cn=tasks • cn=uniqueid generator The cn=plugins node is covered in chapter 3, “Plug-in Implemented Server Functionality Reference.” The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.
  • Page 37: Nsslapd-Accesslog (Access Log)

    Core Server Configuration Attributes Reference Syntax: DirectoryString Example: nsslapd-accesscontrol: off nsslapd-accesslog (Access Log) Specifies the path and filename of the log used to record each database access. The following information is recorded by default in the log file: • IP address of the client machine that accessed the database. •...
  • Page 38: Nsslapd-Accesslog-Level: 256

    Valid Values: Any valid filename. Default Value: serverRoot/slapd-serverID/logs/access Syntax: DirectoryString Example: nsslapd-accesslog: /opt/redhat-ds/servers/slapd-phonebook/logs/access nsslapd-accesslog-level Controls what is logged to the access log. Entry DN: cn=config Valid Values: 0 — No access logging 4 — Logging for internal access operations 256 — Logging for access to an entry 512 —...
  • Page 39: Nsslapd-Accesslog-Logbuffering (Log Buffering)

    Core Server Configuration Attributes Reference nsslapd-accesslog-logbuffering (Log Buffering) When set to , the server writes all access log entries directly to disk. Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-accesslog-logbuffering: off nsslapd-accesslog-logexpirationtime (Access Log Expiration Time) Specifies the maximum age that a log file is allowed to reach before it is deleted.
  • Page 40: Nsslapd-Accesslog-Logging-Enabled (Access Log Enable Logging)

    Core Server Configuration Attributes Reference nsslapd-accesslog-logging-enabled (Access Log Enable Logging) Disables and enables accesslog logging but only in conjunction with the nsslapd-accesslog attribute that specifies the path and filename of the log used to record each database access. For access logging to be enabled, this attribute must be switched to and the configuration attribute must have a valid path and filename.
  • Page 41: Nsslapd-Accesslog-Logminfreediskspace (Access Log Minimum Free Disk Space)

    Core Server Configuration Attributes Reference When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space.
  • Page 42: Nsslapd-Accesslog-Logrotationsynchour (Access Log Rotation Sync Hour)

    Core Server Configuration Attributes Reference For access log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files. For example, to rotate access log files every day at midnight, enable this attribute by setting its value to , and then set the values of the nsslapd-accesslog-logrotationsynchour...
  • Page 43: Nsslapd-Accesslog-Logrotationtime (Access Log Rotation Time)

    Core Server Configuration Attributes Reference Default Value: Syntax: Integer Example: nsslapd-accesslog-logrotationsyncmin: 30 nsslapd-accesslog-logrotationtime (Access Log Rotation Time) Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units.
  • Page 44: Nsslapd-Accesslog-Maxlogsize (Access Log Maximum Log Size)

    Core Server Configuration Attributes Reference Example: nsslapd-accesslog-logrotationtimeunit: week nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size) Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That means the server starts writing log information to a new log file.
  • Page 45: Nsslapd-Accesslog-Mode (Access Log File Permission)

    Core Server Configuration Attributes Reference Entry DN: cn=config Valid Range: 1 to the maximum 32 bit integer value (2147483647) Default Value: Syntax: Integer Example: nsslapd-accesslog-maxlogsperdir: 10 nsslapd-accesslog-mode (Access Log File Permission) Specifies the access mode or file permission with which access log files are to be created.
  • Page 46: Nsslapd-Attribute-Name-Exceptions

    Default Value: serverRoot/slapd-serverID/logs/audit Syntax: DirectoryString Example: nsslapd-auditlog: /opt/redhat-ds/servers/slapd-phonebook/logs/audit For audit logging to be enabled, this attribute must have a valid path and filename, and the configuration attribute nsslapd-auditlog-logging-enabled must be switched to . The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
  • Page 47: Nsslapd-Auditlog-List

    Core Server Configuration Attributes Reference Attributes in dse.ldif Value Logging enabled or disabled Enabled nsslapd-auditlog-logging-enabled filename nsslapd-auditlog Disabled nsslapd-auditlog-logging-enabled empty string nsslapd-auditlog Disabled nsslapd-auditlog-logging-enabled filename nsslapd-auditlog nsslapd-auditlog-list Provides a list of audit log files. Entry DN: cn=config Valid Values: Default Value: None Syntax: DirectoryString...
  • Page 48: Nsslapd-Auditlog-Logexpirationtimeunit (Audit Log Expiration Time Unit)

    Core Server Configuration Attributes Reference nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit) Specifies the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire. Entry DN: cn=config Valid Values: month | week | day Default Value: week Syntax:...
  • Page 49: Nsslapd-Auditlog-Logmaxdiskspace (Audit Log Maximum Disk Space)

    Core Server Configuration Attributes Reference Attributes in dse.ldif Value Logging enabled or disabled Disabled nsslapd-auditlog-logging-enabled nsslapd-auditlog empty string Disabled nsslapd-auditlog-logging-enabled filename nsslapd-auditlog nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space) Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume.
  • Page 50: Nsslapd-Auditlog-Logrotationsync-Enabled (Audit Log Rotation Sync Enabled)

    Core Server Configuration Attributes Reference Syntax: Integer Example: nsslapd-auditlog-logminfreediskspace: 3 nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled) Specifies whether audit log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way enables you to generate log files at a specified time during a day, such as midnight to midnight every day.
  • Page 51: Nsslapd-Auditlog-Logrotationsyncmin (Audit Log Rotation Sync Minute)

    Core Server Configuration Attributes Reference Default Value: None (because nsslapd-auditlog-logrotationsync-enabled is off) Syntax: Integer Example: nsslapd-auditlog-logrotationsynchour: 23 nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute) Specifies the minute of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled attributes.
  • Page 52: Nsslapd-Auditlog-Logrotationtimeunit (Audit Log Rotation Time Unit)

    Core Server Configuration Attributes Reference Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between audit log file rotation is unlimited. Default Value: Syntax: Integer Example: nsslapd-auditlog-logrotationtime: 100 nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit) Specifies the units for the attribute.
  • Page 53: Nsslapd-Auditlog-Maxlogsperdir (Audit Log Maximum Number Of Log Files)

    Core Server Configuration Attributes Reference nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files) Specifies the total number of audit logs that can be contained in the directory where the audit log is stored. If you are using log file rotation, then each time the audit log is rotated, a new log file is created.
  • Page 54: Nsslapd-Certmap-Basedn (Certificate Map Search Base)

    Core Server Configuration Attributes Reference In the 3-digit number, the first digit represents the owner’s permissions, the second digit represents the group’s permissions, and the third digit represents everyone’s permissions. When changing the default value, keep in mind that will not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
  • Page 55: Nsslapd-Conntablesize

    Core Server Configuration Attributes Reference nsslapd-conntablesize Specifies the connection table size, which determines the total number of connections supported by the server. Entry DN: cn=config Valid Values: Operating-system dependent Default Value: The default value is the system’s max descriptors, which can be configured using the nsslapd-maxdescriptors (Maximum File Descriptors) attribute.
  • Page 56: Nsslapd-Enquote-Sup-Oc (Enable Superior Object Class Enquoting)

    Core Server Configuration Attributes Reference Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-ds4-compatible-schema: off nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting) Controls whether quoting in the objectclasses attributes contained in the cn=schema entry will conform to the quoting specified by Internet draft RFC 2252. By default, the Directory Server places single quotes around the superior object class identified in the...
  • Page 57: Nsslapd-Errorlog (Error Log)

    Default Value: serverRoot/slapd-serverID/logs/error Syntax: DirectoryString Example: nsslapd-errorlog: /opt/redhat-ds/servers/slapd-phonebook/logs/error For error logging to be enabled, this attribute must have a valid path and filename, and the configuration attribute nsslapd-errorlog-logging-enabled must be switched to . The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
  • Page 58: Nsslapd-Errorlog-Level (Error Log Level)

    Core Server Configuration Attributes Reference nsslapd-errorlog-level (Error Log Level) Specifies the level of logging to be used by the Directory Server. The log level is additive; that is, specifying a value of 3 causes both levels 1 and 2 to be performed.
  • Page 59: Nsslapd-Errorlog-List

    Core Server Configuration Attributes Reference nsslapd-errorlog-list This read-only attribute provides a list of error log files. Entry DN: cn=config Valid Values: Default Value: None Syntax: DirectoryString Example: nsslapd-errorlog-list:errorlog2,errorlog3 nsslapd-errorlog-logexpirationtime (Error Log Expiration Time) Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units.
  • Page 60: Nsslapd-Errorlog-Logging-Enabled (Enable Error Logging)

    Core Server Configuration Attributes Reference nsslapd-errorlog-logging-enabled (Enable Error Logging) Turns error logging on and off. Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-errorlog-logging-enabled: on nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space) Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume.
  • Page 61: Nsslapd-Errorlog-Logrotationsync-Enabled (Error Log Rotation Sync Enabled)

    Core Server Configuration Attributes Reference Valid Range: 1 to the maximum 32 bit integer value (2147483647) Default Value: Syntax: Integer Example: nsslapd-errorlog-logminfreediskspace: 5 nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled) Specifies whether error log rotation is to be synchronized with a particular time of the day.
  • Page 62: Nsslapd-Errorlog-Logrotationsyncmin (Error Log Rotation Sync Minute)

    Core Server Configuration Attributes Reference Default Value: Syntax: Integer Example: nsslapd-errorlog-logrotationsynchour: 23 nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute) Specifies the minute of the day for rotating error logs. This attribute must be used in conjunction with the nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsynchour attributes. Entry DN: cn=config Valid Range: 0 through 59...
  • Page 63: Nsslapd-Errorlog-Logrotationtimeunit (Error Log Rotation Time Unit)

    Core Server Configuration Attributes Reference Default Value: Syntax: Integer Example: nsslapd-errorlog-logrotationtime: 100 nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) Specifies the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, then the log will never expire. Entry DN: cn=config Valid Values:...
  • Page 64: Nsslapd-Errorlog-Maxlogsperdir (Maximum Number Of Error Log Files)

    Core Server Configuration Attributes Reference nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files) Specifies the total number of error logs that can be contained in the directory where the error log is stored. If you are using log file rotation, then each time the error log is rotated, a new log file is created.
  • Page 65: Nsslapd-Groupevalnestlevel

    Core Server Configuration Attributes Reference The newly configured access mode will only affect new logs that are created; the mode will be set when the log rotates to a new file. Entry DN: cn=config Valid Range: 000 through 777 Default Value: Syntax: Integer Example:...
  • Page 66: Nsslapd-Instancedir (Instance Directory)

    Syntax: DirectoryString Example: nsslapd-instancedir: /opt/redhat-ds/servers/slapd-phonebook nsslapd-ioblocktimeout (IO Block Time Out) Specifies the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
  • Page 67: Nsslapd-Listenhost (Listen To Ip Address)

    Core Server Configuration Attributes Reference • modifytimestamp — The timestamp, in GMT format, for when the entry was last modified. • creatorsname — The distinguished name of the person who initially created the entry. • createtimestamp — The timestamp for when the entry was created in GMT format.
  • Page 68: Nsslapd-Localuser (Local User)

    Core Server Configuration Attributes Reference Default Value: Hostname of installed machine. Syntax: DirectoryString Example: nsslapd-localhost:phonebook.example.com nsslapd-localuser (Local User) Specifies the user as whom the Directory Server runs. The group as which the user runs is derived from this attribute by examining the groups of which the user is a member.
  • Page 69: Nsslapd-Maxdescriptors (Maximum File Descriptors)

    Core Server Configuration Attributes Reference nsslapd-maxdescriptors (Maximum File Descriptors) This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server will try to use. A file descriptor is used whenever a client connects to the server and for some server activities, such as index maintenance. The number of available file descriptors for TCP/IP connections is the total for the nsslapd-maxdescriptors attribute minus the number of file descriptors used by...
  • Page 70: Nsslapd-Maxthreadsperconn (Maximum Threads Per Connection)

    Core Server Configuration Attributes Reference nsslapd-maxthreadsperconn (Maximum Threads per Connection) Defines the maximum number of threads that a connection should use. For normal operations where a client binds and only performs one or two operations before unbinding, you should use the default value. For situations where a client binds and simultaneously issues many requests, you should increase this value to allow each connection enough resources to perform all the operations.
  • Page 71: Nsslapd-Plug-In

    Core Server Configuration Attributes Reference Entry DN: cn=config Valid Range: 0 to the maximum 32 bit integer value (2147483647) Default Value: 300000 Syntax: DirectoryString Example: nsslapd-outbound-ldap-io-timeout: 300000 nsslapd-plug-in This read-only attribute lists the syntaxes and matching rules loaded by the server. nsslapd-port (Port Number) TCP/IP port number used for LDAP communications.
  • Page 72: Nsslapd-Pwpolicy-Local (Enable Subtree- And User-Level Password Policy)

    Core Server Configuration Attributes Reference Default Value: Syntax: DirectoryString Example: nsslapd-privatenamespaces: cn=config nsslapd-pwpolicy-local (Enable Subtree- and User-Level Password Policy) Turns fine-grained (subtree- and user-level) password policy on and off. If this attribute has a value , all entries (except for cn=Directory Manager) in the directory will be subjected to the global password policy;...
  • Page 73: Nsslapd-Referral (Referral)

    Core Server Configuration Attributes Reference nsslapd-referral (Referral) This multi-valued attribute specifies the LDAP URL(s) to be returned by the suffix when the server receives a request for an entry not belonging to the local tree; that is, an entry whose suffix does not match the value specified on any of the suffix attributes.
  • Page 74: Nsslapd-Reservedescriptors (Reserved File Descriptors)

    Core Server Configuration Attributes Reference Syntax: DirectoryString Example: nsslapd-referralmode: ldap://ldap.example.com nsslapd-reservedescriptors (Reserved File Descriptors) This read-only attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication. The number of file descriptors that the server reserves for this purpose subtracts from the total number of file descriptors available for servicing LDAP client connections (see “nsslapd-maxdescriptors (Maximum File Descriptors),”...
  • Page 75: Nsslapd-Return-Exact-Case (Return Exact Case)

    Core Server Configuration Attributes Reference NldbmBackends Number of ldbm databases. NglobalIndex Total number of configured indexes for all databases including system indexes. (By default 8 system indexes and 17 additional indexes per database). ReplicationDescriptor NSupplierReplica + 8 where NSupplierReplica is number of replicas in the server that can act as a supplier (hub or supplier).
  • Page 76: Nsslapd-Rootdn (Manager Dn)

    Core Server Configuration Attributes Reference Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-return-exact-case: off nsslapd-rootdn (Manager DN) Specifies the distinguished name (DN) of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory, or resource limits in general.
  • Page 77: Nsslapd-Rootpwstoragescheme (Root Password Storage Scheme)

    Core Server Configuration Attributes Reference CAUTION If you configure a root DN at server installation time, you must also provide a root password. However, it is possible for the root password to be deleted from dse.ldif by direct editing of the file. In this situation, the root DN can only obtain the same access to your directory as you allow for anonymous access.
  • Page 78: Nsslapd-Schema-Ignore-Trailing-Spaces (Ignore Trailing Spaces In Object Class Names)

    Core Server Configuration Attributes Reference nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names) Ignores trailing spaces in object class names. By default, the attribute is turned off. If your directory contains entries with object class values that end in one or more spaces, you should turn this attribute on.
  • Page 79: Nsslapd-Schemareplace

    Core Server Configuration Attributes Reference NOTE Schema checking works by default when database modifications are made using an LDAP client, such as ldapmodify, the Directory Server Gateway, or when importing a database from LDIF using ldif2db. If you turn schema checking off, you will have to verify manually that your entries conform to the schema.
  • Page 80: Nsslapd-Securelistenhost

    Core Server Configuration Attributes Reference nsslapd-securelistenhost Allows multiple Directory Server instances to run, using secure SSL/TLS connections, on a multihomed machine or makes it possible to limit listening to one interface of a multihomed machine. Provide the hostname that corresponds to the IP interface you want to specify as a value for this attribute.
  • Page 81: Nsslapd-Sizelimit (Size Limit)

    Core Server Configuration Attributes Reference Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-security: off nsslapd-sizelimit (Size Limit) Specifies the maximum number of entries to return from a search operation. If this limit is reached, ns-slapd returns any entries it has located that match the search request, as well as an exceeded size limit error.
  • Page 82: Nsslapd-Ssl-Check-Hostname (Verify Hostname For Outbound Connections)

    Core Server Configuration Attributes Reference nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections) Specifies whether an SSL-enabled Directory Server (with certificate-based client authentication turned on) should verify authenticity of a request by matching the hostname against the value assigned to the common name ( ) attribute of the subject name in the certificate being presented.
  • Page 83: Nsslapd-Timelimit (Time Limit)

    Core Server Configuration Attributes Reference Default Value: Syntax: Integer Example: nsslapd-threadnumber: 60 nsslapd-timelimit (Time Limit) Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any entries it has located that match the search request, as well as an exceeded time limit error.
  • Page 84: Passwordchange (Password Change)

    Core Server Configuration Attributes Reference Syntax: DirectoryString Example: nsslapd-versionstring: Red Hat-Directory/7.1 passwordChange (Password Change) Indicates whether users may change their passwords. For more information on password policies, see chapter 7, “User Account Management,” in the Red Hat Directory Server Administrator’s Guide. Entry DN: cn=config Valid Values:...
  • Page 85: Passwordexp (Password Expiration)

    Core Server Configuration Attributes Reference passwordExp (Password Expiration) Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of seconds after which the password will expire using the attribute.
  • Page 86: Passwordinhistory (Number Of Passwords To Remember)

    Core Server Configuration Attributes Reference passwordInHistory (Number of Passwords to Remember) Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled, meaning that the Directory Server does not store any old passwords, and, so, users can reuse passwords.
  • Page 87: Passwordlockoutduration (Lockout Duration)

    Core Server Configuration Attributes Reference passwordLockoutDuration (Lockout Duration) Indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user’s password.
  • Page 88: Passwordminage (Password Minimum Age)

    Core Server Configuration Attributes Reference For more information on password policies, see chapter 7, “User Account Management,” in the Red Hat Directory Server Administrator’s Guide. Entry DN: cn=config Valid Range: 1 to maximum integer bind failures Default Value: Syntax: Integer Example: passwordMaxFailure: 3 passwordMinAge (Password Minimum Age)
  • Page 89: Passwordmustchange (Password Must Change)

    Core Server Configuration Attributes Reference Entry DN: cn=config Valid Range: 2 to 512 characters Default Value: Syntax: Integer Example: passwordMinLength: 6 passwordMustChange (Password Must Change) Indicates whether users must change their passwords when they first bind to the Directory Server or when the password has been reset by the Manager DN. For more information on password policies, see chapter 7, “User Account Management,”...
  • Page 90: Passwordstoragescheme (Password Storage Scheme)

    Core Server Configuration Attributes Reference Default Value: Syntax: Integer Example: passwordResetFailureCount: 600 passwordStorageScheme (Password Storage Scheme) Specifies the type of encryption used to store Directory Server passwords. Enter the password in CLEAR for this attribute, which indicates that the password will appear in plain text.
  • Page 91: Passwordwarning (Send Warning)

    Core Server Configuration Attributes Reference Valid Values: on | off Default Value: Syntax: DirectoryString Example: passwordUnlock: off passwordWarning (Send Warning) Indicates the number of seconds before a user’s password is due to expire that the user will receive a password expiration warning control on their next LDAP operation.
  • Page 92: Nsslapd-Changelogdir

    Core Server Configuration Attributes Reference • nsslapd-db-page-size • nsslapd-db-spin-count • nsslapd-db-trickle-percentage • nsslapd-db-verbose • nsslapd-cachesize • nsslapd-cachememsize The default values for the cache-related memory parameters (tuned for a single backend replicated to a single consumer) are as follows: nsslapd-cachesize: 3000 (3000 entries) nsslapd-cachememsize: 10000000 (10 Mbyte)...
  • Page 93: Nsslapd-Changelogmaxage (Max Changelog Age)

    Syntax: DirectoryString Example: nsslapd-changelogdir: /opt/redhat-ds/servers/slapd-phonebook/changelogdb nsslapd-changelogmaxage (Max Changelog Age) Specifies the maximum age of any entry in the changelog. The changelog contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute will be removed.
  • Page 94: Nsslapd-Changelogmaxentries (Max Changelog Records)

    Core Server Configuration Attributes Reference nsslapd-changelogmaxentries (Max Changelog Records) Specifies the maximum number of records the changelog may contain. If this attribute is absent, there is no maximum number of records the changelog can contain. For information on the changelog, see “nsslapd-changelogdir,” on page 92.
  • Page 95: Nssslclientauth

    Core Server Configuration Attributes Reference nssslclientauth Specifies client authentication using SSL. Entry DN: cn=encryption,cn=config Valid Values: off | allowed | required Default Value: allowed Syntax: DirectoryString Example: nssslclientauth: allowed nsssl2 Supports SSL version 2. Entry DN: cn=encryption,cn=config Valid Values: on | off Default Value: Syntax: DirectoryString...
  • Page 96: Nsssl3Ciphers

    Core Server Configuration Attributes Reference nsssl3ciphers This multi-valued attribute specifies the set of encryption ciphers the Directory Server will use during SSL communications. For more information on the ciphers supported by the Directory Server, refer to chapter 11, “Managing SSL and SASL,”...
  • Page 97: Cn=Features

    Core Server Configuration Attributes Reference Table 2-1 SSLv3 Ciphers Cipher in Console Corresponding SSLv3 Cipher None rsa_null_md5 rsa_rc4_128_md5 RC4 (Export) rsa_rc4_40_md5 RC2(Export) rsa_rc2_40_md5 rsa_des_sha DES (FIPS) rsa_fips_des_sha Triple-DES rsa_3des_sha Triple-DES (FIPS) rsa_fips_3des_sha If you are using the Directory Server Console to set the cipher preferences, the values on the TLS tab of the Cipher Preference dialog box correspond to the following: Table 2-2...
  • Page 98: Suffix Configuration Attributes Under Cn="Suffixname

    Core Server Configuration Attributes Reference Replication configuration attributes are stored under cn=replica,cn="suffixName",cn=mapping tree,cn=config and the replication agreement attributes under cn=replicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config. Windows synchronization agreement attributes are stored under cn=syncAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config. Suffix Configuration Attributes under cn="suffixName" Suffix configuration attributes are stored under the entry.
  • Page 99: Nsslapd-Backend

    Core Server Configuration Attributes Reference nsslapd-backend Gives the name of the database or database link used to process requests. This attribute can be multi-valued, with one database or database link per value. This attribute is required when the value of the nsslapd-state attribute is set to backend...
  • Page 100: Nsds5Replicabinddn

    Core Server Configuration Attributes Reference Syntax: Integer Example: nsDS5Flags: 0 nsDS5ReplicaBindDN This multi-valued attribute specifies the DN to use when binding. Although you can have more than one value in this cn=replica entry, you can only have one supplier bind DN per replication agreement. The value can either be the DN of the local entry on the consumer server or, in the case of an SSL connection, the certificate identity associated with same DN.
  • Page 101: Nsds5Replicaid

    Core Server Configuration Attributes Reference nsDS5ReplicaId Specifies the unique ID for suppliers in a given replication environment. Entry DN: cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Range: 0 to 254 Default Value: Syntax: Integer Example: nsDS5ReplicaId: 1 nsDS5ReplicaLegacyConsumer If this attribute is absent or has a value of false, then it means that the replica is not a legacy consumer.
  • Page 102: Nsds5Replicapurgedelay

    Any valid LDAP URL Default Value: Syntax: DirectoryString Example: nsDS5ReplicaReferral: ldap://ldap.redhat.com nsDS5ReplicaRoot Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified. Entry DN: cn=replica,cn="suffixName",cn=mapping tree,cn=config...
  • Page 103: Nsds5Replicatombstonepurgeinterval

    Core Server Configuration Attributes Reference Example: nsDS5ReplicaRoot: "dc=example,dc=com" nsDS5ReplicaTombstonePurgeInterval Specifies the time interval in seconds between purge operation cycles. When setting this attribute, remember that the purge operation is time-consuming. Entry DN: cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Range: 0 to maximum 32-bit integer (2147483647) in seconds Default Value: 3600 (1 hour) Syntax:...
  • Page 104: Nsds5Replconflict

    Core Server Configuration Attributes Reference nsds5replconflict This multi-valued attribute is included on entries that have a change conflict that cannot be resolved automatically by the synchronization process. Replication Attributes under cn=ReplicationAgreementName,cn=replica, cn="suffixName", cn=mapping tree,cn=config The replication attributes that concern the replication agreement are stored under cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping .
  • Page 105: Nsds5Replicabinddn

    Core Server Configuration Attributes Reference Valid Values: Any string Default Value: Syntax: DirectoryString Example: description: Replication Agreement between Server A and Server B. nsDS5ReplicaBindDN Specifies the DN to use when binding. The value of this attribute must be the same as the one in on the consumer replica.
  • Page 106: Nsds5Replicabusywaittime

    Core Server Configuration Attributes Reference nsDS5ReplicaBusyWaitTime Specifies the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access. The default value is 3 seconds. If you set the attribute to a negative value, Directory Server sends the client a message and an LDAP_UNWILLING_TO_PERFORM error...
  • Page 107: Nsds5Replicacredentials

    Core Server Configuration Attributes Reference nsDS5ReplicaCredentials Specifies the credentials for the bind DN (specified in the nsDS5ReplicaBindDN attribute) on the remote server containing the consumer replica. The value for this attribute can be modified. When certificate-based authentication is used, this attribute may not have a value.
  • Page 108: Nsds5Replicalastinitstart

    Core Server Configuration Attributes Reference Default Value: Syntax: GeneralizedTime Example: nsDS5ReplicaLastInitEnd: YYYYMMDDhhmmssZ (19711223113229) nsDS5ReplicaLastInitStart This optional, read-only attribute states when the initialization of the consumer replica started. Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Values: Default Value: Syntax: GeneralizedTime Example: nsDS5ReplicaLastInitStart: YYYYMMDDhhmmssZ (20000902160000) nsDS5ReplicaLastInitStatus This optional, read-only attribute provides status for the initialization of the...
  • Page 109: Nsds5Replicalastupdateend

    Core Server Configuration Attributes Reference nsDS5ReplicaLastUpdateEnd This read-only attribute states when the most recent replication schedule update ended. Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Values: Default Value: Syntax: GeneralizedTime Example: nsDS5ReplicaLastUpdateEnd: YYYYMMDDhhmmssZ (20000902160000) nsDS5ReplicaLastUpdateStart This read-only attribute states when the most recent replication schedule update started.
  • Page 110: Nsds5Replicaport

    Core Server Configuration Attributes Reference Syntax: DirectoryString Example: nsDS5ReplicaLastUpdateStatus: 0 replica acquired successfully nsDS5ReplicaPort Specifies the port number for the remote server containing the replica. Once this attribute has been set, it cannot be modified. Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Values: Port number for the remote server containing the replica Default Value:...
  • Page 111: Nsds5Replicaroot

    Core Server Configuration Attributes Reference Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Values: stop | start Default Value: Syntax: DirectoryString Example: nsDS5ReplicaRefresh: start nsDS5ReplicaRoot Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified. Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config...
  • Page 112: Nsds5Replicatedattributelist

    Core Server Configuration Attributes Reference • If both attributes are specified, but nsDS5ReplicaSessionPauseTime is less than or equal to nsDS5ReplicaBusyWaitTime, nsDS5ReplicaSessionPauseTime is set automatically to 1 second more than nsDS5ReplicaBusyWaitTime. When setting the values, ensure that the nsDS5ReplicaSessionPauseTime interval is at least 1 second longer than the interval specified for .
  • Page 113: Nsds5Replicatimeout

    Core Server Configuration Attributes Reference Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Range: Default Value: Syntax: DirectoryString Example: nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE salary userPassword manager nsDS5ReplicaTimeout This allowed attribute specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing. If you see "Warning: timed out waiting" messages in the error log file, then you...
  • Page 114: Nsds5Replicaupdateinprogress

    Core Server Configuration Attributes Reference Valid Values: SSL | LDAP Default Value: absent Syntax: DirectoryString Example: nsDS5ReplicaTransportInfo: LDAP nsDS5ReplicaUpdateInProgress This read-only attribute states whether a replication schedule update is in progress. Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Values: true | false Default Value: Syntax: DirectoryString...
  • Page 115: Nsds50Ruv

    Core Server Configuration Attributes Reference nsDS50ruv This attribute is responsible for managing the internal state of the replica via the replication update vector. It is always present and must not be changed. Synchronization Attributes under cn=syncAgreementName, cn=WindowsReplica,cn="suffixName", cn=mapping tree,cn=config The synchronization attributes that concern the synchronization agreement are stored under cn=syncAgreementName,cn=WindowsReplica,cn="suffixName",cn=mapping .
  • Page 116: Nsds7Directoryreplicasubtree

    Core Server Configuration Attributes Reference nsds7DirectoryReplicaSubtree The suffix or DN of the Directory Server subtree that is being synchronized. Entry DN: cn=syncAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Values: Any valid suffix or subsuffix Default Value: Syntax: DirectoryString Example: nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com nsds7DirsyncCookie This string is created by Active Directory DirSync and gives the state of the Active Directory server at the time of the last synchronization.
  • Page 117: Nsds7Newwinusersyncenabled

    Core Server Configuration Attributes Reference Default Value: Syntax: DirectoryString Example: nsDS7NewWinGroupSyncEnabled: on nsds7NewWinUserSyncEnabled Specifies whether a new entry created in the Windows sync peer is automatically synchronized by creating a new entry on the Directory Server. Entry DN: cn=syncAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Values: on | off Default Value:...
  • Page 118: Cn=Monitor

    Core Server Configuration Attributes Reference Valid Values: Any valid suffix or subsuffix Default Value: Syntax: DirectoryString Example: nsDS7WindowsReplicaSubtree: cn=Users,dc=domain,dc=com cn=monitor Monitoring read-only information is stored under cn=monitor,cn=config. The cn=monitor entry is an instance of the extensibleObject object class. For cn=monitor configuration attributes to be taken into account by the server, this object class (in addition to the...
  • Page 119: Opsinitiated

    Core Server Configuration Attributes Reference opsInitiated Number of Directory Server operations initiated. opsCompleted Number of Directory Server operations completed. entriesSent Number of entries sent by Directory Server. bytesSent Number of bytes sent by Directory Server. currentTime Current time usually given in Greenwich Mean Time (indicated by syntax notation;...
  • Page 120: Cn=Replication

    Core Server Configuration Attributes Reference cn=replication No attributes to document. When configuring legacy replication, it will be stored under this cn=replication node, which serves as a placeholder. cn=SNMP SNMP configuration attributes are stored under cn=SNMP,cn=config. The entry is an instance of the object class.
  • Page 121: Nssnmplocation

    Core Server Configuration Attributes Reference nssnmplocation Specifies the location within the company or organization where the Directory Server resides. Entry DN: cn=SNMP,cn=config Valid Values: Location Default Value: Syntax: DirectoryString Example: nssnmplocation: B14 nssnmpcontact Specifies the email address of the person responsible for maintaining the Directory Server.
  • Page 122: Nssnmpmasterhost

    Core Server Configuration Attributes Reference nssnmpmasterhost This mandatory attribute specifies the hostname of the machine on which the master agent is installed. Entry DN: cn=SNMP,cn=config Valid Values: machine hostname or local host Default Value: localhost Syntax: DirectoryString Example: nssnmpmasterhost: localhost nssnmpmasterport Specifies the port number used to communicate with the master agent.
  • Page 123: Nsstate

    Configuration Quick Reference Tables nsstate Saves the state of the uniqueid generator across server restarts. This attribute is maintained by the server. You should not edit it. Entry DN: cn=uniqueid generator,cn=config Valid Values: Default Value: Syntax: DirectoryString Example: nsstate:AbId0c3oMIDUntiLCyYNGgAAAAAAAAAA Configuration Quick Reference Tables This section provides quick reference tables for LDIF configuration files supplied with the Directory Server, object classes and schema used in server configuration, and attributes requiring server restart.
  • Page 124 Configuration Quick Reference Tables Table 2-4 Directory Server Configuration LDIF Files (Continued) Configuration Filename: 00core.ldif Purpose: Contains LDAPv3 standard operational schema, such as subschemaSubentry, LDAPv3 standard user and organization schema defined in RFC 2256 (based on X.520/X.521), inetOrgPerson and other widely-used attributes, and the operational attributes used by Directory Server configuration.
  • Page 125 Configuration Quick Reference Tables Table 2-4 Directory Server Configuration LDIF Files (Continued) Configuration Filename: 50ns-directory.ldif Purpose: Contains additional configuration schema used by Directory Server 4.12 and earlier versions of the directory, which is no longer applicable to current releases of Directory Server. This schema is required for replicating between Directory Server 4.12 and current releases.
  • Page 126: Configuration Changes Requiring Server Restart

    Configuration Quick Reference Tables Table 2-5 Schema LDIF Files for Legacy Products (Continued) Configuration Filename: 50ns-mlm.ldif Purpose: Schema used by Red Hat Mailing List Manager. Configuration Filename: 50ns-msg.ldif Purpose: Schema used for Netscape Web Mail. Configuration Filename: 50ns-netshare.ldif Purpose: Schema used for Netscape Netshare. Configuration Filename: 50ns-news.ldif Purpose: Schema used for Netscape Collabra Server to hold news group preferences.
  • Page 127 Configuration Quick Reference Tables Table 2-6 Configuration Changes Requiring Server Restart (Continued) Configuration Attribute: cn=encryption,cn=config:nsssl2 Action Requiring Restart: Enabling or disabling SSL version 2 for Directory Server. Configuration Attribute: cn=encryption,cn=config:nsssl3 Action Requiring Restart: Enabling or disabling SSL version 3 for Directory Server. Configuration Attribute: cn=encryption,cn=config:nssslclientauth Action Requiring Restart: Enabling or disabling client authentication. Action Requiring Restart: Changing the lifetime of an SSL session.
  • Page 129: Chapter 3 Plug-In Implemented Server Functionality Reference

    Overview Chapter 3 Plug-in Implemented Server Functionality Reference This chapter contains reference information on Red Hat Directory Server (Directory Server) server plug-ins. The chapter is divided into the following sections: • Overview (page 129) • Server Plug-in Functionality Reference (page 130) •...
  • Page 130: Object Classes For Plug-In Configuration

    Syntax,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin objectclass: extensibleObject cn: Telephone Syntax nsslapd-pluginPath: /opt/redhat-ds/servers/lib/syntax-plugin.so nsslapd-pluginInitfunc: tel_init nsslapd-pluginType: syntax nsslapd-pluginEnabled: on Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes are currently being...
  • Page 131: 7-Bit Check Plug-In

    Server Plug-in Functionality Reference 7-bit Check Plug-in Plug-in Name: 7-bit check (NS7bitAtt) DN of Configuration Entry: cn=7-bit check,cn=plugins,cn=config Description: Checks certain attributes are 7-bit clean Configurable Options: on | off Default Setting: Configurable Arguments: List of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur Dependencies...
  • Page 132: Acl Preoperation Plug-In

    Server Plug-in Functionality Reference Performance Related Information: Further Information: Chapter 6, “Managing Access Control,” in the Red Hat Directory Server Administrator’s Guide. ACL Preoperation Plug-in Plug-in Name: ACL Preoperation DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config Description: ACL access check plug-in Configurable Options: on | off...
  • Page 133: Boolean Syntax Plug-In

    Server Plug-in Functionality Reference Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times. Further Information: Boolean Syntax Plug-in Plug-in Name...
  • Page 134: Case Exact String Syntax Plug-In

    Server Plug-in Functionality Reference Case Exact String Syntax Plug-in Plug-in Name: Case Exact String Syntax DN of Configuration Entry: cn=Case Exact String Syntax,cn=plugins,cn=config Description: Syntax for handling case-sensitive strings Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 135: Chaining Database Plug-In

    Server Plug-in Functionality Reference Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times. Further Information: Chaining Database Plug-in Plug-in Name: Chaining Database DN of Configuration Entry: cn=Chaining database,cn=plugins,cn=config Description...
  • Page 136: Country String Syntax Plug-In

    Server Plug-in Functionality Reference Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times. Further Information: Chapter 5, “Advanced Entry Management,”...
  • Page 137: Distinguished Name Syntax Plug-In

    Server Plug-in Functionality Reference Distinguished Name Syntax Plug-in Plug-in Name: Distinguished Name Syntax DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config Description: Syntax for handling DNs Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
  • Page 138: Http Client Plug-In

    Server Plug-in Functionality Reference Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times. Further Information: The Generalized Time String consists of a four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a...
  • Page 139: Internationalization Plug-In

    Server Plug-in Functionality Reference DN of Configuration Entry: cn=Integer Syntax,cn=plugins,cn=config Description: Syntax for handling integers Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
  • Page 140: Jpeg Syntax Plug-In

    Server Plug-in Functionality Reference Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times. Further Information: See Appendix D, “Internationalization,” in the Red Hat Directory Server Administrator’s Guide. JPEG Syntax Plug-in Plug-in Name: JPEG Syntax Plug-in...
  • Page 141: Legacy Replication Plug-In

    Server Plug-in Functionality Reference Configurable Options: Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: See “Database Plug-in Attributes,” on page 158, for further information on database configuration. Further Information: Chapter 3, “Configuring Directory Databases,” in the Red Hat Directory Server Administrator’s Guide.
  • Page 142: Multi-Master Replication Plug-In

    Server Plug-in Functionality Reference Multi-master Replication Plug-in Plug-in Name: Multi-master Replication Plug-in DN of Configuration Entry: cn=Multimaster Replication plugin,cn=plugins,cn=config Description: Enables replication between two current Directory Servers Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: database Performance Related Information: Further...
  • Page 143: Oid Syntax Plug-In

    Server Plug-in Functionality Reference Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times. Further Information: OID Syntax Plug-in Plug-in Name: OID Syntax Plug-in DN of Configuration Entry: cn=OID Syntax,cn=plugins,cn=config Description...
  • Page 144: Crypt Password Storage Plug-In

    Server Plug-in Functionality Reference Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times. Further Information: Chapter 7, “User Account Management,”...
  • Page 145: Ns-Mta-Md5 Password Storage Scheme Plug-In

    Server Plug-in Functionality Reference NS-MTA-MD5 Password Storage Scheme Plug-in Plug-in Name: NS-MTA-MD5 DN of Configuration Entry: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config Description: NS-MTA-MD5 password storage scheme for password encryption Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 146: Ssha Password Storage Scheme Plug-In

    Server Plug-in Functionality Reference Configurable Arguments: None Dependencies: None Performance Related Information: If there are no passwords encrypted using the SHA password storage scheme, you may turn this plug-in off. If you want to encrypt your password with the SHA password storage scheme, we recommend that you choose SSHA instead, as SSHA is a far more secure option.
  • Page 147: Pta Plug-In

    Server Plug-in Functionality Reference DN of Configuration Entry: cn=Postal Address Syntax,cn=plugins,cn=config Description: Syntax used for handling postal addresses Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
  • Page 148: Referential Integrity Postoperation Plug-In

    2. Log file for storing the change; for example, /opt/redhat-ds/servers/logs/referint 3. All the additional attribute names you want to be checked for referential integrity.
  • Page 149: Retro Changelog Plug-In

    Server Plug-in Functionality Reference Retro Changelog Plug-in Plug-in Name: Retro Changelog Plug-in DN of Configuration Entry: cn=Retro Changelog Plugin,cn=plugins,cn=config Description: Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The Retro Changelog offers the same functionality as the changelog in the 4.x versions of Directory Server.
  • Page 150: Space Insensitive String Syntax Plug-In

    Server Plug-in Functionality Reference Configurable Arguments: None Dependencies: database Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times. Further Information: Chapter 5, “Advanced Entry Management,” in the Red Hat Directory Server Administrator’s Guide.
  • Page 151: State Change Plug-In

    Server Plug-in Functionality Reference State Change Plug-in Plug-in Name: State Change Plug-in DN of Configuration Entry: cn=State Change Plugin,cn=plugins,cn=config Description: Enables state-change-notification service Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Further Information: Telephone Syntax Plug-in Plug-in Name: Telephone Syntax...
  • Page 152: Uid Uniqueness Plug-In

    Server Plug-in Functionality Reference Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends that you leave this plug-in running at all times. Further Information: UID Uniqueness Plug-in Plug-in Name: UID Uniqueness Plug-in DN of Configuration Entry: cn=UID Uniqueness,cn=plugins,cn=config Description...
  • Page 153: Uri Syntax Plug-In

    Server Plug-in Functionality Reference Performance Related Information: Directory Server provides the UID Uniqueness Plug-in by default. If you want to ensure unique values for other attributes, you can create instances of the UID Uniqueness Plug-in for those attributes. See chapter 17, “Using the Attribute Uniqueness Plug-in,” in the Red Hat Directory Server Administrator’s Guide for more information about the Attribute Uniqueness Plug-in.
  • Page 154: List Of Attributes Common To All Plug-Ins

    Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any valid path Default Value: None Syntax: DirectoryString Example: nsslapd-pluginPath: /opt/redhat-ds/servers/lib/uid-plugin.so nsslapd-pluginInitfunc Specifies the plug-in function to be initiated. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any valid plug-in function Default Value: None Syntax: DirectoryString...
  • Page 155: Nsslapd-Pluginenabled

    List of Attributes Common to All Plug-ins Default Value: None Syntax: DirectoryString Example: nsslapd-pluginType: preoperation nsslapd-pluginEnabled Specifies whether the plug-in is enabled. This attribute can be changed over protocol but will only take effect when the server is next restarted. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values:...
  • Page 156: Nsslapd-Pluginvendor

    List of Attributes Common to All Plug-ins Default Value: Product version number Syntax: DirectoryString Example: nsslapd-pluginVersion: 7.1 nsslapd-pluginVendor Specifies the vendor of the plug-in. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any approved plug-in vendor Default Value: Red Hat, Inc. Syntax: DirectoryString Example: nsslapd-pluginVendor: Red Hat, Inc.
  • Page 157: Attributes Allowed By Certain Plug-Ins

    Attributes Allowed by Certain Plug-ins Attributes Allowed by Certain Plug-ins nsslapd-pluginLoadNow Specifies whether to load all of the symbols used by a plug-in immediately (true), as well as all symbols referenced by those symbols, or to load the symbol the first time it is used (false). Entry DN:...
  • Page 158: Nsslapd-Plugin-Depends-On-Named

    Database Plug-in Attributes values in the following valid range will be started by the server prior to this plug-in. The following postoperation Referential Integrity Plug-in example shows that the database plug-in will be started prior to the postoperation Referential Integrity Plug-in. Entry DN: cn=referential integrity postoperation,cn=plugins,cn=config...
  • Page 159: Database Attributes Under Cn=Config,Cn=Ldbm Database,Cn=Plugins,Cn=Config

    Database Plug-in Attributes Figure 3-1 Database Plug-in. All plug-in technology used by the database instances is stored in the cn=ldbm database plug-in node. This section presents the additional attribute information for each of the nodes in bold in the cn=ldbm database,cn=plugins,cn=config information tree.
  • Page 160: Nsslapd-Idlistscanlimit

    Database Plug-in Attributes Valid Range: -1 to maximum 32-bit integer in entries (where -1 is unlimited) Default Value: 5000 Syntax: Integer Example: nsLookthroughLimit: 5000 nsslapd-idlistscanlimit This performance-related attribute, present by default, specifies the number of entry IDs that are searched during a search operation. If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you will receive an LDAP_UNWILLING_TO_PERFORM error message, with additional error information...
  • Page 161: Nsslapd-Cache-Autosize-Split

    Database Plug-in Attributes NOTE If the nsslapd-cache-autosize attribute and nsslapd-cache-autosize-split attribute are both set to high values, such as 100, then the Directory Server may fail to start and return an error message. To fix this issue, reset the nsslapd-cache-autosize attributes to a more reasonable level.
  • Page 162: Nsslapd-Dbcachesize

    Database Plug-in Attributes Valid Range: Default Value: 66 (This will not necessarily optimize your operations.) Syntax: Integer Example: nsslapd-cache-autosize-split: 66 nsslapd-dbcachesize This performance tuning-related attribute specifies database cache size. This is neither the index cache nor the entry cache. If you activate automatic cache resizing, you override this attribute by replacing these values with its own guessed values at a later stage of the server startup.
  • Page 163: Nsslapd-Db-Circular-Logging

    Database Plug-in Attributes To change the checkpoint interval, you add the attribute to dse.ldif. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, see chapter 14, “Tuning Directory Server Performance,” in the Red Hat Directory Server Administrator’s Guide. This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Red Hat Technical Support or Red Hat Professional Services.
  • Page 164: Nsslapd-Db-Debug

    Database Plug-in Attributes nsslapd-db-debug Specifies whether additional error information is to be reported to Directory Server. To report error information, set the parameter to . This parameter is meant for troubleshooting; enabling the parameter may slow down the Directory Server. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Values:...
  • Page 165: Nsslapd-Db-Home-Directory

    Database Plug-in Attributes Syntax: DirectoryString Example: nsslapd-db-durable-transactions: on nsslapd-db-home-directory Applicable to Solaris only. Used to fix a situation in Solaris where the operating system endlessly flushes pages. This flushing can be so excessive that performance of the entire system is severely degraded. This situation will occur only for certain combinations of the database cache size, the size of physical memory, and kernel tuning attributes.
  • Page 166: Nsslapd-Db-Idl-Divisor

    Database Plug-in Attributes NOTE The directory referenced by the nsslapd-db-home-directory attribute must be a subdirectory of a filesystem of type tempfs (such as /tmp). However, Directory Server does not create the subdirectory referenced by this attribute. You must create the directory either manually or by using a script.
  • Page 167: Nsslapd-Db-Logbuf-Size

    Database Plug-in Attributes Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 0 to 8 Default Value: Syntax: Integer Example: nsslapd-db-idl-divisor: 2 nsslapd-db-logbuf-size Specifies the log information buffer size. Log information is stored in memory until the buffer fills up or the transaction commit forces the buffer to be written to disk. Larger buffer sizes can significantly increase throughput in the presence of long running transactions, highly concurrent applications, or transactions producing large amounts of data.
  • Page 168: Nsslapd-Db-Logfile-Size

    Database Plug-in Attributes Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Values: Any valid path and directory name Default Value: Syntax: DirectoryString Example: nsslapd-db-logdirectory: /logs/txnlog nsslapd-db-logfile-size Specifies the maximum size of a single file in the log in bytes. By default, or if the value is set to , a maximum size of 10Mbyte is used.
  • Page 169: Nsslapd-Db-Spin-Count

    Database Plug-in Attributes Default Value: Syntax: Integer Example: nsslapd-db-page-size: 8KB nsslapd-db-spin-count Specifies the number of times that test-and-set mutexes should spin without blocking. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 0 to 2^31-1 Default Value: Syntax: Integer Example: nsslapd-db-spin-count: 0 nsslapd-db-transaction-batch-val Specifies how many transactions will be batched before being committed.
  • Page 170: Nsslapd-Db-Transaction-Logging

    Database Plug-in Attributes For more information on database transaction logging, see chapter 12, “Monitoring Server and Database Activity,” in the Red Hat Directory Server Administrator’s Guide. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 0 to 30 Default Value: 0 (or turned off) Syntax: Integer Example:...
  • Page 171: Nsslapd-Db-Verbose

    Database Plug-in Attributes Example: nsslapd-db-trickle-percentage: 40 nsslapd-db-verbose Specifies whether to record additional informational and debugging messages when searching the log for checkpoints, doing deadlock detection, and performing recovery. This parameter is meant for troubleshooting, and enabling the parameter may slow down the Directory Server. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Values:...
  • Page 172: Nsslapd-Import-Cachesize

    Database Plug-in Attributes Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Values: 1 to 4 Default Value: Syntax: Integer Example: nsslapd-dbncache: 1 nsslapd-import-cachesize This performance tuning-related attribute determines the size of the database cache used in the bulk import process. Setting this attribute value so that the maximum available system physical memory is used for the database cache during bulk importing optimizes bulk import speed.
  • Page 173: Nsslapd-Import-Cache-Autosize

    Database Plug-in Attributes nsslapd-import-cache-autosize This performance tuning-related attribute automatically sets the size of the import cache (importCache) to be used during the command-line-based import process of LDIF files to the database (the ldif2db operation). In Directory Server, the import operation can be run as a server task or exclusively on the command-line.
  • Page 174: Nsslapd-Mode

    Database Plug-in Attributes While running Directory Server with both the autosizing attributes, nsslapd-cache-autosize and nsslapd-import-cache-autosize, enabled, ensure that their sum is less than 100. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: -1, 0 (turns import cache autosizing off) to 100 Default Value: -1 (turns import cache autosizing on for ldif2db only and allocates 50% of the free physical memory to importCache) Syntax:...
  • Page 175: Dbcachetries

    Database Plug-in Attributes dbcachetries Total requested pages found in the database cache. dbcachehitratio Percentage of requested pages found in the database cache (hits/tries). dbcachepagein Pages read into the database cache. dbcachepageout Pages written from the database cache to the backing file. dbcacheroevict Clean pages forced from the cache.
  • Page 176: Nsslapd-Cachesize

    Database Plug-in Attributes nsslapd-cachesize This performance tuning-related attribute specifies the cache size in terms of the entries it can hold. However, it is worth noting that it is simpler to limit by memory size only (see nsslapd-cachememsize attribute). If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you will receive an LDAP_UNWILLING_TO_PERFORM error message with additional error...
  • Page 177: Nsslapd-Directory

    Any valid absolute path to the database instance Default Value: Syntax: DirectoryString Example: nsslapd-directory: /opt/redhat-ds/servers/slapd-phonebook/db nsslapd-readonly Specifies Read Only permission rights. If this attribute has a value of , then the user has all read, write, and execute permissions. Entry DN:...
  • Page 178: Nsslapd-Suffix

    Database Plug-in Attributes Default Value: Syntax: DirectoryString Example: nsslapd-require: off nsslapd-suffix Specifies the suffix of the database link. This is a single-valued attribute as each database instance can have only one suffix. Previously, it was possible to have more than one suffix on a single database instance, but this is no longer the case. As a result, this attribute is single-valued to enforce the fact that each database instance can only have one suffix entry.
  • Page 179: Nsslapd-Db-Cache-Hit

    Database Plug-in Attributes nsslapd-db-cache-hit Requested pages found in the cache. nsslapd-db-cache-try Total cache lookups. nsslapd-db-cache-region-wait-rate Number of times that a thread of control was forced to wait before obtaining the region lock. nsslapd-db-cache-size-bytes Total cache size in bytes. nsslapd-db-clean-pages Clean pages currently in the cache. nsslapd-db-commit-rate Number of transactions that have been committed.
  • Page 180: Nsslapd-Db-Lock-Conflicts

    Database Plug-in Attributes nsslapd-db-lock-conflicts Total number of locks not immediately available due to conflicts. nsslapd-db-lock-region-wait-rate Number of times that a thread of control was forced to wait before obtaining the region lock. nsslapd-db-lock-request-rate Total number of locks requested. nsslapd-db-lockers Number of current lockers. nsslapd-db-log-bytes-since-checkpoint Number of bytes written to this log since the last checkpoint.
  • Page 181: Nsslapd-Db-Page-Rw-Evict-Rate

    Database Plug-in Attributes nsslapd-db-page-rw-evict-rate Dirty pages forced from the cache. nsslapd-db-page-trickle-rate Dirty pages written using the memp_trickle interface. nsslapd-db-page-write-rate Pages read into the cache. nsslapd-db-pages-in-use All pages, clean or dirty, currently in use. nsslapd-db-txn-region-wait-rate Number of times that a thread of control was forced to wait before obtaining the region lock.
  • Page 182: Nsindextype

    Database Plug-in Attributes Default Value: Syntax: DirectoryString Example: nssystemindex: true nsIndexType This optional, multi-valued attribute specifies the type of index for Directory Server operations and takes the values of the attributes to be indexed. Each desired index type has to be entered on a separate line. Entry DN: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config...
  • Page 183: Description

    Database Plug-in Attributes Provides the name of the attribute you want to index. Entry DN: cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config Valid Values: Any valid index cn Default Value: None Syntax: DirectoryString Example: cn: aci description This non-mandatory attribute provides a free-hand text description of what the index actually performs.
  • Page 184: Dbfilenamenumber

    Database Plug-in Attributes dbfilenamenumber This attribute indicates the name of the file and provides a sequential integer identifier (starting at 0) for the file. All associated statistics for the file are given this same numerical identifier. dbfilecachehit Number of times that a search requiring data from this file was performed and that the data was successfully obtained from the cache.
  • Page 185: Cn=Ldbm Database, Cn=Plugins, Cn=Config

    Database Plug-in Attributes Figure 3-2 Indexed Attribute Representing a Subentry For example, the index file for the attribute under o=UserRoot will appear in the Directory Server as follows: dn:cn=aci,cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=confi objectclass:top objectclass:nsIndex cn=aci nssystemindex:true nsindextype:pres For details regarding the five possible indexing attributes, see the section “Database Attributes under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config,”...
  • Page 186: Nsencryptionalgorithm

    Database Plug-in Attributes within the database; encrypting them while they are stored adds another layer of protection. This object class has one attribute, nsEncryptionAlgorithm, which sets the encryption cipher used per attribute. Each encrypted attribute represents a subentry under the above cn=config information tree nodes, as shown in Figure 3-3.
  • Page 187: Database Link Plug-In Attributes (Chaining Attributes)

    Database Link Plug-in Attributes (chaining attributes) Default Value: Syntax: DirectoryString Example: nsEncryptionAlgorithm: AES Database Link Plug-in Attributes (chaining attributes) The Database Link Plug-in is also organized in an information tree, as shown in Figure 3-4. Figure 3-4 Database Link Plug-in All plug-in technology used by the database link instances is stored in the plug-in node.
  • Page 188: Nsactivechainingcomponents

    Database Link Plug-in Attributes (chaining attributes) nsActiveChainingComponents Lists the components using chaining. A component is any functional unit in the server. The value of this attribute overrides the value in the global configuration attribute. To disable chaining on a particular database instance, use the value .
  • Page 189: Nsmaxtestresponsedelay

    Database Link Plug-in Attributes (chaining attributes) nsMaxTestResponseDelay This error detection, performance-related attribute specifies the duration of the test issued by the database link to check whether the remote server is responding. If a response from the remote server is not returned before this period has passed, the database link assumes the remote server is down, and the connection is not used for subsequent operations.
  • Page 190: Database,Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes under cn=default instance config,cn=chaining database,cn=plugins,cn=config Default instance configuration attributes for instances are housed in the cn=default instance config,cn=chaining database,cn=plugins,cn=config tree node. nsAbandonedSearchCheckInterval Number of seconds that pass before the server checks for abandoned operations. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config...
  • Page 191: Nsbindtimeout

    Database Link Plug-in Attributes (chaining attributes) Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range: 1 to 5 Default Value: Syntax: Integer Example: nsbindretrylimit: 3 nsBindTimeout Amount of time before the bind attempt times out. There is no real Valid Range for this attribute, except reasonable patience limits.
  • Page 192: Nsconcurrentbindlimit

    Database Link Plug-in Attributes (chaining attributes) nsConcurrentBindLimit Maximum number of concurrent bind operations per TCP connection. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range: 1 to 25 binds Default Value: Syntax: Integer Example: nsconcurrentbindlimit: 10 nsConcurrentOperationsLimit Specifies the maximum number of concurrent operations allowed. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config...
  • Page 193: Nsoperationconnectionslimit

    Database Link Plug-in Attributes (chaining attributes) Syntax: Integer Example: nsconnectionlife: 0 nsOperationConnectionsLimit Maximum number of LDAP connections the database link establishes with the remote server. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range: 1 to 20 connections Default Value: Syntax: Integer Example:...
  • Page 194: Nsslapd-Sizelimit

    Database Link Plug-in Attributes (chaining attributes) Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsreferralonscopedsearch: off nsslapd-sizelimit Specifies the default size limit for the database link in bytes. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range: -1 (no limit) to maximum 32-bit integer (2147483647) entries...
  • Page 195: Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes under cn=database link instance name,cn=chaining database, cn=plugins,cn=config This information node stores the attributes concerning the server containing the data. A farm server is a server which contains data on databases. This attribute can contain optional servers for failover, separated by spaces.
  • Page 196: Nsmultiplexorcredentials

    Database Link Plug-in Attributes (chaining attributes) Example: nsMultiplexerBindDN: cn=proxy manager nsMultiplexorCredentials Password for the administrative user, given in plain text. If no password is provided, it means that users can bind as anonymous. The password is encrypted in the configuration file. The example below is what you view, not what you type. Entry DN: cn=database link instance name,cn=chaining database,cn=plugins,cn=config...
  • Page 197: Nsaddcount

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database, cn=plugins,cn=config Attributes used for monitoring activity on your instances are stored in the cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config information tree. nsAddCount Number of add operations received. nsDeleteCount Number of delete operations received.
  • Page 198: Nsunbindcount

    Retro Changelog Plug-in Attributes nsUnbindCount Number of unbinds received. nsCompareCount Number of compare operations received. nsOperationConnectionCount Number of open connections for normal operations. nsBindConnectionCount Number of open connections for bind operations. Retro Changelog Plug-in Attributes Two different types of changelogs are maintained by Directory Server. The first type, referred to as changelog, is used by multi-master replication, and the second changelog, which is in fact a plug-in referred to as retro changelog, is intended for use by LDAP clients for maintaining application compatibility with Directory...
  • Page 199: Nsslapd-Changelogmaxage (Max Changelog Age)

    Retro Changelog Plug-in Attributes Entry DN: cn=Retro Changelog Plugin,cn=plugins,cn=config Valid Values: Any valid path to the directory Default Value: None Syntax: DirectoryString Example: nsslapd-changelogdir: /var/slapd-serverID/changelog nsslapd-changelogmaxage (Max Changelog Age) Specifies the maximum age of any entry in the changelog. The changelog contains a record for each directory modification and is used when synchronizing consumer servers.
  • Page 200 Retro Changelog Plug-in Attributes Red Hat Directory Server Configuration, Command, and File Reference • May 2005...
  • Page 201: Chapter 4 Server Instance File Reference

    Overview of Directory Server Files Chapter 4 Server Instance File Reference This chapter provides an overview of the files that are specific to an instance of Red Hat Directory Server (Directory Server) — the files stored under the serverRoot/slapd-serverID directory. Having an overview of the files and configuration information stored in each instance of Directory Server should help you understand the file changes or absence of file changes which occur in the...
  • Page 202 Overview of Directory Server Files The only exception is the migrateInstance7 script, which is stored under this directory: serverRoot/bin/slapd/admin/bin. Code Example 4-1 shows the contents of the serverRoot/slapd-serverID directory, where directories are marked with a and scripts are marked with an .
  • Page 203: Backup Files

    Backup Files Backup Files Each Directory Server instance contains the following three directories for storing backup-related files: • — Contains a directory dated with the time and date of your database backup, such as 2001_02_13_174524/, which in turn holds your database backup copy.
  • Page 204 Database Files • NetscapeRoot — Stores the o=NetscapeRoot database created by default at Typical installation. • userRoot — Stores the user-defined suffix (user-defined databases) created at Typical installation time; for example, dc=example,dc=com. Code Example 4-3 shows a sample listing of the directory contents.
  • Page 205: Ldif Files

    ldif Files ldif Files Each Directory Server instance contains the ldif directory for storing ldif-related files. Code Example 4-4 shows a sample listing of the ldif directory contents. Code Example 4-4 Contents of a Sample LDIF Directory ../ European.ldif Example.ldif Example-roles.ldif The following list describes the content of each of the...
  • Page 206: Log Files

    Log Files If you get error messages indicating that the lock table is out of available locks ([26/Oct/2001:17:44:25 0200] - libdb: Lock table is out of available locks), set the value of the nsslapd-db-locks attribute in the cn=config,cn=ldbm database,cn=plugins,cn=config entry to twice its current number.
  • Page 207 Log Files • slapd.stats file is a memory-mapped file which cannot be read by an editor. It contains data collected by the Directory Server SNMP data collection component. This data is read by the SNMP subagent in response to SNMP attribute queries and is communicated to the SNMP master agent responsible for handling Directory Server SNMP requests.
  • Page 208 Log Files Red Hat Directory Server Configuration, Command, and File Reference • May 2005...
  • Page 209: Chapter 5 Access Log And Connection Code Reference

    Access Log Content Chapter 5 Access Log and Connection Code Reference Red Hat Directory Server (Directory Server) provides you with logs to help you monitor directory activity. Monitoring allows you to quickly detect and remedy failures and, where done proactively, anticipate and resolve potential problems before they result in failure or poor performance.
  • Page 210: Access Logging Levels

    Access Log Content • Bind result record. • Sequence of operation request/operation result pairs of records (or individual records in the case of connection, closed, and abandon records). • Unbind record. • Closed record. Every line begins with a timestamp — —...
  • Page 211: Default Access Logging Content

    Access Log Content • = Logging for access to an entry and referrals. • 131072 = Precise timing of operation duration. This gives microsecond resolution for the Elapsed Time item in the access log. For example, if you want to log internal access operations, entry access, and referrals, you would insert a value of (512+4) in the configuration attribute.
  • Page 212: Connection Number

    Access Log Content Code Example 5-1 Access Log Extract with Default Access Logging Level (level 256) [21/Apr/2005:11:39:53 -0700] conn=13 op=1 EXT oid="2.16.840.1.113730.3.5.3" [21/Apr/2005:11:39:53 -0700] conn=13 op=1 RESULT err=0 tag=120 nentries=0 etime=0 21/Apr/2005:11:39:53 -0700] conn=13 op=2 ADD dn="cn=Sat Apr 21 11:39:51 MET DST 2005, dc=example,dc=com" [21/Apr/2005:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000 [21/Apr/2005:11:39:53 -0700] conn=13 op=3 EXT...
  • Page 213: Slot Number

    Access Log Content Slot Number The slot number, in this case slot=608, is a legacy part of the access log which has the same meaning as file descriptor. Ignore this part of the access log. Operation Number To process a given LDAP request, Directory Server will perform the required series of operations.
  • Page 214: Number Of Entries

    Access Log Content • tag=100 indicates the actual entry for which you were searching. • tag=101 for a result from a search operation. • tag=103 for a result from a modify operation. • tag=105 for a result from an add operation. •...
  • Page 215: Ldap Response Type

    Access Log Content • MODDN = moddn • = extended operation • ABANDON = abandon operation If the LDAP request resulted in sorting of entries, then you will see SORT serialno followed by the number of candidate entries that were sorted. See the bold text in this example: [04/May/2005:15:51:46 -0700] conn=114 op=68 SORT serialno (1) The number enclosed in parentheses specifies the number of candidate entries that...
  • Page 216: Search Scope

    Access Log Content beforeCount:afterCount:index:contentCount and ResponseInformation is of the form: targetPosition:contentCount (resultCode) If the client uses a position-by-value VLV request, the format for the first part, the request information would be beforeCount afterCount value. The example below shows VLV-specific entries in bold: [07/May/2005:11:43:29 -0700] conn=877 op=8530 SRCH base="(ou=People)"...
  • Page 217: Extended Operation Oid

    Access Log Content Extended Operation OID An extended operation OID, in this case either EXT oid="2.16.840.1.113730.3.5.3" or EXT oid="2.16.840.1.113730.3.5.5", provides the OID of the extended operation being performed. Table 5-1 provides the list of LDAPv3 extended operations and their OIDs supported in Directory Server.
  • Page 218: Abandon Message

    Access Log Content Abandon Message The abandon message, in this case [21/Apr/2005:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0, indicates that an operation has been aborted, where nentries=0 indicates the number of entries sent before the operation was aborted, etime=0 value indicates how much time (in seconds) had elapsed, and...
  • Page 219: Access Log Content For Additional Access Logging Levels

    Access Log Content [21/Apr/2005:12:57:14 -0700] conn=32 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI NOTE The authenticated DN (the DN used for access control decisions) is now logged in the BIND result line as opposed to the bind request line, as was previously the case: [21/Apr/2005:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"...
  • Page 220: Connection Description

    Access Log Content Access log level enables logging for internal operations, which log search base, scope, filter, and requested search attributes, in addition to the details of the search being performed. In Code Example 5-3, access logging level is enabled, which logs access to entries and referrals.
  • Page 221: Common Connection Codes

    Common Connection Codes Code Example 5-4 Access Log Extract with Internal Access Operation, Entry Access and Referral Logging Levels (Levels 4+512) [12/Jul/2005:16:45:46 +0200] conn=Internal op=-1 ENTRY dn="cn=\22dc=example,dc=com\22, cn=mapping tree, cn=config" [12/Jul/2005:16:45:46 +0200] conn=Internal op=-1 ENTRY dn="cn=\22dc=example,dc=com\22, cn=mapping tree, cn=config" Common Connection Codes A connection code is a code that is added to the closed log message to provide...
  • Page 222 LDAP Result Codes Table 5-2 LDAP Result Codes Result Code Defined Value SUCCESS OPERATION_ERROR PROTOCOL_ERROR TIME_LIMIT_EXCEEDED SIZE_LIMIT_EXCEEDED COMPARE_FALSE COMPARE_TRUE AUTH_METHOD_NOT_SUPPORTED STRONG_AUTH_REQUIRED LDAP_PARTIAL_RESULTS REFERRAL (LDAP v3) ADMIN_LIMIT_EXCEEDED (LDAP v3) UNAVAILABLE_CRITICAL_EXTENSION (LDAP v3) CONFIDENTIALITY_REQUIRED (LDAP v3) SASL_BIND_IN_PROGRESS NO_SUCH_ATTRIBUTE UNDEFINED_ATTRIBUTE_TYPE INAPPROPRIATE_MATCHING CONSTRAINT_VIOLATION ATTRIBUTE_OR_VALUE_EXISTS INVALID_ATTRIBUTE_SYNTAX NO_SUCH_OBJECT ALIAS_PROBLEM...
  • Page 223 LDAP Result Codes LDAP Result Codes (Continued) Table 5-2 Result Code Defined Value INSUFFICIENT_ACCESS_RIGHTS BUSY UNAVAILABLE UNWILLING_TO_PERFORM LOOP_DEFECT NAMING_VIOLATION OBJECT_CLASS_VIOLATION NOT_ALLOWED_ON_NONLEAF NOT_ALLOWED_ON_RDN ENTRY_ALREADY_EXISTS OBJECT_CLASS_MODS_PROHIBITED AFFECTS_MULTIPLE_DSAS (LDAP v3) OTHER SERVER_DOWN LDAP_TIMEOUT PARAM_ERROR CONNECT_ERROR LDAP_NOT_SUPPORTED CONTROL_NOT_FOUND NO_RESULTS_RETURNED MORE_RESULTS_TO_RETURN CLIENT_LOOP REFERRAL_LIMIT_EXCEEDED Chapter 5 Access Log and Connection Code Reference...
  • Page 224 LDAP Result Codes Red Hat Directory Server Configuration, Command, and File Reference • May 2005...
  • Page 225: Chapter 6 Migration From Earlier Versions

    Migrated Configuration Attributes Chapter 6 Migration from Earlier Versions This chapter is intended to provide a reference of the information migrated by the migrateInstance7 script in the case of migration from a 6.x Directory Server to a 7.x Directory Server. Migration from versions 6.2 and later is supported in Directory Server 7.1.
  • Page 226 Migrated Configuration Attributes Table 6-1 Attributes in cn=config Automatically Migrated nsslapd-accesscontrol nsslapd-errorlog-logging-enabled nsslapd-accesslog-logging-enabled nsslapd-auditlog-logging-enabled nsslapd-accesslog-level nsslapd-accesslog-logbuffering nsslapd-accesslog-logexpirationtime nsslapd-accesslog-logexpirationtimeunit nsslapd-accesslog-logmaxdiskspace nsslapd-accesslog-logminfreediskspace nsslapd-accesslog-logrotationtime nsslapd-accesslog-logrotationtimeunit nsslapd-accesslog-maxlogsize nsslapd-accesslog-maxlogsperdir nsslapd-attribute_name_exceptions nsslapd-auditlog-logexpirationtime nsslapd-auditlog-logexpirationtimeunit nsslapd-auditlog-logmaxdiskspace nsslapd-auditlog-logminfreediskspace nsslapd-auditlog-logrotationtime nsslapd-auditlog-logrotationtimeunit nsslapd-auditlog-maxlogsize nsslapd-auditlog-maxlogsperdir nsslapd-certmap-basedn nsslapd-ds4-compatible-schema nsslapd-enquote_sup_oc nsslapd-errorlog-level nsslapd-errorlog-logexpirationtime nsslapd-errorlog-logexpirationtimeunit Red Hat Directory Server Configuration, Command, and File Reference • May 2005...
  • Page 227 Migrated Configuration Attributes Attributes in cn=config Automatically Migrated (Continued) Table 6-1 nsslapd-errorlog-logmaxdiskspace nsslapd-errorlog-logminfreediskspace nsslapd-errorlog-logrotationtime nsslapd-errorlog-logrotationtimeunit nsslapd-errorlog-maxlogsize nsslapd-errorlog-maxlogsperdir nsslapd-groupevalnestlevel nsslapd-idletimeout nsslapd-ioblocktimeout nsslapd-lastmod nsslapd-listenhost nsslapd-maxdescriptors nsslapd-nagle nsslapd-readonly nsslapd-referralmode nsslapd-plugin-depends-on-name nsslapd-plugin-depends-on-type nsslapd-referral nsslapd-reservedescriptors nsslapd-rootpwstoragescheme nsslapd-schemacheck nsslapd-securePort nsslapd-security nsslapd-sizelimit nsslapd-SSL3ciphers nsslapd-timelimit passwordChange passwordCheckSyntax passwordExp passwordExpirationTime Chapter 6 Migration from Earlier Versions...
  • Page 228 Migrated Configuration Attributes Attributes in cn=config Automatically Migrated (Continued) Table 6-1 passwordHistory passwordInHistory passwordLockout passwordLockoutDuration passwordMaxAge passwordMaxFailure passwordMinAge passwordMinLength passwordMustChange passwordResetFailureCount passwordStorageScheme passwordUnlock passwordWarning Table 6-2 Attributes in cn=config Not Automatically Migrated Attribute Name Reason for not Migrating Automatically Already set up. nsslapd-localhost Configured during the installation process.
  • Page 229: Database Attributes

    Migrated Configuration Attributes Table 6-2 Attributes in cn=config Not Automatically Migrated (Continued) (Attribute Name: Reason for not Migrating Automatically) nsslapd-errorlog-list: Read-only attribute. nsslapd-instancedir: Configured during the installation process. nsslapd-maxbersize: Do not change the value of this attribute unless told to do so by Red Hat Technical Support.
  • Page 230: Database Link Attributes

    Migrated Configuration Attributes Table 6-4 Database-Specific Attributes Automatically Migrated: nsslapd-cachesize, nsslapd-cachememsize, nsslapd-readonly, nsslapd-require-index. Table 6-5 Database-Specific Attributes Not Migrated (Attribute Name: Reason for not Migrating Automatically) nsslapd-directory: Set up automatically during installation. nsslapd-db-logdirectory: Set up automatically during installation. nsslapd-db-checkpoint-interval: This attribute is provided only for system modification/diagnostics and should be changed...
  • Page 231: Snmp Attributes

    Migrated Configuration Attributes Table 6-7 lists the configuration attributes for a default instance of a database link. These attributes are stored in the entry cn=default instance config,cn=chaining database, cn=plugins, cn=config Table 6-6 General Database Link Attributes Automatically Migrated nsActiveChainingComponents nsTransmittedControls Table 6-7 Default Instance Database Link Attributes Automatically Migrated nsAbandonedSearchCheckInterval...
  • Page 232 Migrated Configuration Attributes Table 6-8 SNMP Attributes Automatically Migrated: nssnmpenabled, nssnmporganization, nssnmplocation, nssnmpcontact, nssnmpdescription, nssnmpmasterhost, nssnmpmasterport
  • Page 233: Chapter 7 Command-Line Utilities

    Finding and Executing Command-Line Utilities Chapter 7 Command-Line Utilities This chapter contains reference information on command-line utilities provided by Red Hat Directory Server (Directory Server). These command-line utilities make it easy to perform administration tasks on the Directory Server. This chapter is divided into the following sections: •...
  • Page 234: Command-Line Utilities Quick Reference

    Command-Line Utilities Quick Reference NOTE In order to execute the command-line utilities, you must change to the directory where the command-line utilities are stored. Although it is possible to set command-path and library-path variables to execute the utilities, it is not recommended because you run the risk, particularly when you have more than one server version installed, of disrupting the correct execution of other utilities.
  • Page 235: Using Special Characters

    Using Special Characters Table 7-1 Commonly Used Command-Line Utilities (Continued) Command-Line Utility: ldif. Description: Automatically formats LDIF files for you and creates base 64-encoded attribute values. For details on this tool, see Appendix A in the Red Hat Directory Server Administrator’s Guide.
  • Page 236: Ldapsearch

    ldapsearch • optional_list_of_attributes are space-separated attributes that reduce the scope of the attributes returned in the search results. This list of attributes must appear after the search filter. For a usage example, see the Red Hat Directory Server Administrator’s Guide. If you do not specify a list of attributes, the search returns values for all attributes permitted by the access control set in the directory with the exception of operational attributes.
  • Page 237 ldapsearch Option Description Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks.
  • Page 238: Ssl Options

    ldapsearch Option Description Specifies the TCP port number that the Directory Server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636. Specifies the scope of the search. The scope can be one of the following: base —...
  • Page 239 (the path which is specified with the -P option). Specifies the path to the security module database. For example, /opt/redhat-ds/servers/secmod.db. You only need to specify this option if the security module database is in a different directory than the certificate database itself.
  • Page 240: Additional Ldapsearch Options

    ldapsearch Option Description Specifies the password for the private key database identified in the -P option. For example: -W serverpassword Specifies that SSL is to be used for the search request. Specifies the Start TLS request. Use this option if you want to make a cleartext connection into a secure one.
  • Page 241 ldapsearch Option Description Virtual list search. Allows you to specify the number of entries before or after the search target and the index or value of the first entry returned. For example, if you are sorting by surname, -G 20:30:johnson returns the first entry with a surname equal to or less than johnson, in addition to 20 entries that come before it and 30 entries that come after it.
  • Page 242 ldapsearch Option Description Manage smart referrals. Causes the server not to return the smart referral contained on the entry but, instead, to return the actual entry containing the referral. Use this option if you are attempting to search for entries that contain smart referrals.
  • Page 243: Ldapmodify

    ldapmodify ldapmodify enables you to make changes to directory entries via LDAP. ldapmodify Syntax ldapmodify [optional_options] ldapmodify -D binddn [-w passwd] [-acmnrvFR] [-d debug_level] [-h host] [-p port] [-M auth_mechanism] [-Z/ZZ/ZZZ] [-V version] [ -f file | [-l number_of_ldap_connections] [entryfile] ldapmodify Options The following three sections list the options that can be specified with ldapmodify...
  • Page 244: Ssl Options

    ldapmodify Option Description Specifies that the password policy request control not be sent with the bind request. For details, see Red Hat Directory Server Deployment Guide. By default, the new LDAP password policy request control is sent with bind requests. The ldapmodify tool can parse and display information from the response control if it is returned by a server;...
  • Page 245: Additional Ldapmodify Options

    You can also store the client security files on the Directory Server in the serverRoot/alias directory. In this case, the -P option calls out a path and filename similar to the following: -P /redhat/servers/alias/client-cert.db Specifies the password for the certificate database identified on the -P option. For example, -W serverpassword.
  • Page 246 ldapmodify Option Description Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as JPEG.
  • Page 247: Ldapdelete

    ldapdelete Option Description Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes. For more information about proxied authorization, see chapter 6, “Managing Access Control,” in the Red Hat Directory Server Administrator’s Guide. ldapdelete enables you to perform delete operations on directory entries via ldapdelete...
  • Page 248: Ssl Options

    ldapdelete Option Description Specifies that the password policy request control not be sent with the bind request. For details, see Red Hat Directory Server Deployment Guide. By default, the new LDAP password policy request control is sent with bind requests. The ldapdelete tool can parse and display information from the response control if it is returned by a server;...
  • Page 249 The client security files can also be stored on the Directory Server in the serverRoot/alias directory. In this case, the -P option calls out a path and filename similar to the following: -P /redhat/servers/alias/client-cert.db Specifies the password for the certificate database identified on the -P option. For example, -W serverpassword.
  • Page 250: Additional Ldapdelete Options

    ldif Additional ldapdelete Options The following options offer additional functionality. Option Description Specifies that the utility must run in continuous operation mode. Errors are reported, but the utility continues with deletions. The default is to quit after reporting an error. Specifies the file containing the distinguished names of entries to be deleted.
  • Page 251: Syntax

    dbscan jpegPhoto:: encoded data In addition to binary data, other values that must be base-64 encoded include: • Any value that begins with a semicolon (;) or a space. • Any value that contains non-ASCII data, including newlines. The ldif command-line utility will take any input and format it with the correct line continuation and appropriate attribute information.
  • Page 252: Options

    dbscan Syntax dbscan filename [options] Options Optio Parameter Description filename Specifies the name of the database file, the contents of which are to be analyzed and extracted. Specifies that the output is to be generated as an index file. Specifies that the output is to be generated as an entry (id2entry) file.
  • Page 253 -k "=hr managers" -r -f cn.db4 =hr%20managers To display an entry with the entry ID of 7 dbscan -K 7 -f id2entry.db4 id 7 dn: cn=HR Managers,ou=groups,dc=redhat,dc=com objectClass: top objectClass: groupOfUniqueNames cn: HR Managers ou: groups description: People who can manage HR entries...
  • Page 254 8b465f73-1dd211b2-807fd340-d7f40000 parentid: 3 entryid: 7 entrydn: cn=hr managers,ou=groups,dc=redhat,dc=com
  • Page 255: Chapter 8 Command-Line Scripts

    Finding and Executing Command-Line Scripts Chapter 8 Command-Line Scripts This chapter provides information on the scripts you can use to manage your directory, such as backing up and restoring your database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A, “Using the ns-slapd Command-Line Utilities.”...
  • Page 256: Command-Line Scripts Quick Reference

    Command-Line Scripts Quick Reference NOTE In order to execute the Perl scripts, you must change to the directory where the scripts are stored. Although it is possible to set command-path and library-path variables to execute the scripts, it is not recommended because you run the risk, particularly when you have more than one server version installed, of disrupting the correct execution of other utilities.
  • Page 257 Command-Line Scripts Quick Reference Commonly Used Command-Line Shell Scripts (Continued) Table 8-1 Command-Line Description Location Script Retrieves performance monitoring information serverRoot/slapd-serverID monitor using the ldapsearch command-line utility. Restarts Directory Server. serverRoot/slapd-serverID restart-slapd Restores by default the most recently saved serverRoot/slapd-serverID restoreconfig Administration Server configuration to NetscapeRoot partition.
  • Page 258: Shell Scripts

    Shell Scripts Commonly Used Command-Line Perl Scripts (Continued) Table 8-2 Command-Line Perl Description Location Script Analyzes the access logs of a Directory Server to serverRoot/bin/slapd/ logconv.pl extract usage statistics and count the occurrences of server significant events. Migrates a 6.x version of Directory Server to the 7.x serverRoot/bin/slapd/ad migrateInstance7 version.
  • Page 259: Bak2Db (Restore Database From Backup)

    Shell Scripts • restart-slapd (Restart the Directory Server) • restoreconfig (Restore Administration Server Configuration) • saveconfig (Save Administration Server Configuration) • start-slapd (Start the Directory Server) • stop-slapd (Stop the Directory Server) • suffix2instance (Map suffix to backend name) • vlvindex (Create virtual list view indexes) Some of the shell scripts can be executed while the server is running.
  • Page 260: Db2Bak (Create Backup Of Database)

    Shell Scripts For information on the equivalent Perl script, see “bak2db.pl (Restore database from backup),” on page 272. For more information on restoring databases, see chapter 4, “Populating Directory Databases,” in the Red Hat Directory Server Administrator’s Guide. For more information on using filesystem replica initialization, see chapter 8, “Managing Replication,”...
  • Page 261: Db2Dsml (Export Database Contents To Dsml)

    Shell Scripts Options You must specify either the or the option. By default, the output LDIF will be stored in one file. Should you want to specify the use of several files, then use the option Optio Parameter Description outputFile Name of the output LDIF file.
  • Page 262: Db2Index (Reindex Database Index Files)

    Shell Scripts Syntax Shell script: db2dsml {-n backendInstance}* | {-s includeSuffix}* [{-x excludeSuffix}*] [-u] [-a outputFile] Options You must specify either the option. Optio Parameter Description backendInstance Instance to be exported. includeSuffix Suffixes to be included or to specify the subtrees to be included if -n has been used.
  • Page 263: Dsml2Db (Import Dsml Document Contents Into Database)

    Shell Scripts • To reindex all the database index files: $ db2index • To reindex in the database instance givenname userRoot $ db2index -n userRoot -t cn -t givenname • To reindex in the database where the root suffix is dc=example,dc=com $ db2index -s "dc=example,dc=com"...
  • Page 264: Getpwenc (Print Encrypted Password)

    Shell Scripts Options Optio Parameter Description backendInstance Instance to be exported. includeSuffix Suffix(es) to be included or to specify the subtree(s) to be included if -n has been used. excludeSuffix Suffix(es) to be excluded. dsmlFile Name of the input DSML file. getpwenc (Print encrypted password) Prints the encrypted form of a password using one of the server’s encryption algorithms.
  • Page 265: Syntax

    Shell Scripts NOTE ldif2db supports LDIF version 1 specifications. You can load an attribute using the :< URL specifier notation; for example: jpegphoto:< file:///tmp/myphoto.jpg Although the official notation requires three , the use of one tolerated. For further information on the LDIF format, see chapter 4, “Managing Directory Entries,”...
  • Page 266: Ldif2Ldap (Perform Import Operation Over Ldap)

    Shell Scripts Optio Parameter Description string Generation of a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated. If you use the deterministic generation to have a name-based unique ID, you can also specify the namespace you want the server to use, as follows: -g deterministic namespace_id...
  • Page 267: Monitor (Retrieve Monitoring Information)

    Shell Scripts Options Optio Parameter Description rootdn User DN with root permissions, such as Directory Manager. password Password associated with the user DN. filename Name of the file to be imported. When you import multiple files, they are imported in the order in which you specify them on the command-line.
  • Page 268: Exit Status

    Shell Scripts Options There are no options for this script. Exit Status Server restarted successfully. Server could not be started. Server restarted successfully but was already stopped. Server could not be stopped. restoreconfig (Restore Administration Server Configuration) Restores, by default, the most recently saved Administration Server configuration information to the partition under the following directory: NetscapeRoot...
  • Page 269: Saveconfig (Save Administration Server Configuration)

    Shell Scripts saveconfig (Save Administration Server Configuration) Saves Administration Server configuration information to the following directory: serverRoot/slapd-serverID/confbak This script will only run if the server is running. Syntax Shell script: saveconfig Options There are no options for this script. start-slapd (Start the Directory Server) Starts the Directory Server.
  • Page 270: Stop-Slapd (Stop The Directory Server)

    Shell Scripts stop-slapd (Stop the Directory Server) Stops the Directory Server. It might be a good idea to check whether the server has been effectively stopped using the command because it could sometimes be that the script returned while the shutdown process was still on-going, resulting in a confusing message.
  • Page 271: Vlvindex (Create Virtual List View Indexes)

    Shell Scripts vlvindex (Create virtual list view indexes) To run the vlvindex script, the server must be stopped. The vlvindex script creates virtual list view (VLV) indexes, known in the Directory Server Console as browsing indexes. VLV indexes introduce flexibility in the way you view search results.
  • Page 272: Perl Scripts

    Perl Scripts Perl Scripts This section covers the following scripts: • bak2db.pl (Restore database from backup) • db2bak.pl (Create backup of database) • db2index.pl (Create and generate indexes) • db2ldif.pl (Export database contents to LDIF) • ldif2db.pl (Import) • logconv.pl (Log converter) •...
  • Page 273: Db2Bak.pl (Create Backup Of Database)

    Perl Scripts Options The bak2db.pl script creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option. Option Parameter Description rootdn The user DN with root permissions, such as Directory Manager.
  • Page 274: Db2Index.pl (Create And Generate Indexes)

    Perl Scripts Optio Parameter Description The user DN with root permissions, such as Directory rootdn Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config. password The password associated with the user DN. dirName The directory where the backup files will be stored.
  • Page 275: Db2Ldif.pl (Export Database Contents To Ldif)

    Perl Scripts Optio Parameter Description rootdn The user DN with root permissions, such as Directory Manager. password The password associated with the user DN. backendInstance The instance to be indexed. If the instance is not specified, the script reindexes all instances. attributeName The name of the attribute to be indexed.
  • Page 276: Ldif2Db.pl (Import)

    Perl Scripts Optio Parameter Description backendInstance The instance to be exported. includeSuffix Suffixes to be included or the subtrees to be included if -n has been used. excludeSuffix Suffixes to be excluded. outputFile The filename of the output LDIF file. Suppress printing sequential number.
  • Page 277: Options

    Perl Scripts Options Optio Parameter Description rootdn Specifies the user DN with root permissions, such as Directory Manager. password Specifies the password associated with the user DN. backendInstance Specifies the instance to be imported. includeSuffix Specifies the suffixes to be included or specifies the subtrees to be included if -n has been used.
  • Page 278: Logconv.pl (Log Converter)

    Perl Scripts Optio Parameter Description Specifies verbose mode. logconv.pl (Log converter) Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events. It is compatible with log formats from previous releases of Directory Server. For information on access logs, see chapter 5, “Access Log and Connection Code Reference.”...
  • Page 279: Syntax

    Perl Scripts The logconv.pl tool displays two types of statistics useful for monitoring and optimizing directory usage: • Simple counts of events such as the total number of binds and the total number of searches provide overall usage information. This is the basic information that the tool will always print.
  • Page 280: Options

    Perl Scripts • accessLog is the name of a file that contains the access log of your Directory Server. You may use wildcards in the filename or specify multiple filenames. However, the statistics are computed over the set of all logs, so all logs should pertain to the same Directory Server.
  • Page 281 Perl Scripts Opti Parameter Description Displays the version number of the logconv.pl script. Displays the usage help text that briefly describes all options. number Specifies the number of items in each of the list options below. The default is 20 when this parameter is omitted. For example, -s 10 -i will list the ten client machines that access the Directory Server most often.
  • Page 282: Migrateinstance7 (Migrate To Directory Server 7.X)

    Perl Scripts Option Parameter Description Gives operation details about unindexed searches. migrateInstance7 (Migrate to Directory Server 7.x) The migrateInstance7 script (this is a Perl script despite the fact that it does not have the extension) migrates an instance of a previous release of Directory Server to Directory Server 7.1.
  • Page 283: Ns-Accountstatus.pl (Establish Account Status)

    Specifies the port number of Directory Server 7.1. oldInstancePath Specifies the path to the legacy Directory Server instance. For example: /opt/redhat-ds/server6/slapd-phonebook. newInstancePath Specifies the path to the new (7.1) Directory Server instance. For example: /opt/redhat-ds/servers/slapd-phonebook. Specifies the trace level. The trace level is set to 0 by default, with a valid range of 0 to 3.
  • Page 284: Ns-Activate.pl (Activate An Entry Or Group Of Entries)

    Perl Scripts Options Optio Parameter Description rootdn Specifies the Directory Server user DN with root permissions, such as Directory Manager. password Specifies the password associated with the user DN. port Specifies the Directory Server’s port. The default value is the LDAP port of Directory Server specified at installation time.
  • Page 285: Ns-Inactivate.pl (Inactivate An Entry Or Group Of Entries)

    Perl Scripts Optio Parameter Description Specifies the entry DN or role DN to activate. ns-inactivate.pl (Inactivate an entry or group of entries) Inactivates and thus locks an entry or group of entries. Syntax Perl script: ns-inactivate.pl [-D rootdn] -w password [-p port] [-h host] -I DN Options Optio...
  • Page 286: Ns-Newpwpolicy.pl (Add Attributes For Fine-Grained Password Policy)

    Perl Scripts ns-newpwpolicy.pl (Add attributes for fine-grained password policy) Adds entries required for implementing the user- and subtree-level password policy. For an overview of user- and subtree-level password policy, check the Red Hat Directory Server Deployment Guide. For instructions to enable this feature, check the Red Hat Directory Server Administrator’s Guide.
  • Page 287: Template-Cl-Dump.pl (Dump And Decode Changelog)

    Perl Scripts template-cl-dump.pl (Dump and decode changelog) Troubleshoots replication-related problems. Syntax Perl script: template-cl-dump.pl [-h host] [-p port] [-D bindDn] -w bindPassword | -P bindCert [-r replicaRoots] [-o outputFile] [-c] [-v] template-cl-dump.pl -i changelogFile [-o outputFile] [-c] Options In the absence of the option, the script must be run when the Directory Server is running and from a location from which the server’s changelog directory is accessible.
  • Page 288: Template-Repl-Monitor.pl (Monitor Replication Status)

    Perl Scripts Optio Parameter Description Dumps and interprets CSN only. This option can be used with or without the -i option. Prints the version of the script. template-repl-monitor.pl (Monitor replication status) Shows in-progress status of replication. Syntax Perl script: template-repl-monitor.pl -h host -p port -f configFile [-u refreshUrl] [-t refreshInterval] [-r] [-v] Options Optio...
  • Page 289: Configuration File Format

    Perl Scripts Optio Parameter Description refreshInterval Specifies the refresh interval in seconds. The default value is 300 seconds. This option must be jointly used with the -u option. If specified, the -r option causes the routine to be entered without printing the HTML header information. This is suitable when making multiple calls to this routine (for example, when specifying multiple, different, “unrelated”...
  • Page 290 Perl Scripts In the connection section, you specify how this tool may connect to each LDAP server in your replication topology to get the replication-agreement information. The default binddn is cn=Directory Manager. Simple bind will be used unless bindcert is specified with the path of a certificate database. A server may have a dedicated or shared entry in the connection section.
  • Page 291 Perl Scripts

    #Configuration File for Monitoring Replication Via Admin Express
    [connection]
    *:*:*:mypassword
    [alias]
    M1 = host1.example.com:10011
    C1 = host4.example.com:10021
    C2 = host2.example.com:10022
    [color]
    0 = #ccffcc
    5 = #FFFFCC
    60 = #FFCCCC
  • Page 293: Command-Line Utilities

    Overview of ns-slapd Commands Appendix A Using the ns-slapd Command-Line Utilities In chapter 8, “Command-Line Scripts,” we looked at the scripts for performing routine administration tasks on the Red Hat Directory Server (Directory Server). In this appendix, we will look at the ns-slapd command-line utilities that can also be used to perform the same tasks.
  • Page 294: Ns-Slapd

    Finding and Executing the ns-slapd Command-Line Utilities ns-slapd ns-slapd is used to start the Directory Server process, to build a directory database from an LDIF file, or to convert an existing database to an LDIF file. For more information on starting and stopping the Directory Server, importing from LDIF using the command-line, and exporting to LDIF using the command-line, see chapter 4, “Populating Directory Databases,”...
  • Page 295: Syntax

    ns-slapd Command-Line Utilities for Exporting Databases Syntax Shell script: ns-slapd db2ldif -D configDir -a outputFile [-d debugLevel] [-n backendInstance] [ -r] [-s includeSuffix] [-x excludeSuffix] [-N] [-u] -[U] , the location of your server configuration directory, enter the slapd-serverID full path. You must also specify either the or the option.
  • Page 296 ns-slapd Command-Line Utilities for Exporting Databases Optio Parameter Description includeSuffix Specifies the suffix or suffixes to include in the export. You may use multiple -s arguments. If you do not specify -s or -x, the server exports all suffixes within the database. If you use both -x and -s arguments with the same suffix, the -x operation takes precedence.
  • Page 297: Ns-Slapd Command-Line Utilities For Restoring And Backing Up Databases

    ns-slapd Command-Line Utilities for Restoring and Backing up Databases ns-slapd Command-Line Utilities for Restoring and Backing up Databases ldif2db Imports LDIF files to the database. Syntax Shell script: ns-slapd ldif2db -D configDir -i ldifFile [-d debugLevel] [-g string] [-n backendInstance] -O [-s includeSuffix] [-x excludeSuffix] , which is the location of your server configuration directory, enter the configDir...
  • Page 298 ns-slapd Command-Line Utilities for Restoring and Backing up Databases Optio Parameter Description string Generation of a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated.
  • Page 299: Archive2Db

    ns-slapd Command-Line Utilities for Restoring and Backing up Databases Optio Parameter Description excludeSuffix Allows you to specify suffixes within the LDIF file to exclude during the import. You can use multiple -x arguments. This option lets you selectively import portions of the LDIF file. If you use both -x and -s with the same suffix, -x takes precedence.
  • Page 300: Db2Archive

    ns-slapd Command-Line Utilities for Restoring and Backing up Databases Options Option Paramete Description configDir Specifies the location of the server configuration directory that contains the configuration information for the index creation process. You must specify the full path to the slapd-serverID directory.
  • Page 301 ns-slapd Command-Line Utilities for Creating and Regenerating Indexes ns-slapd Command-Line Utilities for Creating and Regenerating Indexes db2index Creates and regenerates indexes. Syntax Shell script: slapd db2index -D configDir [-d debugLevel] -n backendName -t attributeName[:indexTypes[:matchingRules]] | [-T vlvTag] Options Optio Parameter Description debugLevel Specifies the debug level to use during index creation.
  • Page 302 ns-slapd Command-Line Utilities for Creating and Regenerating Indexes Optio Parameter Description attributeName Specifies the attribute to be indexed as well as the types of indexes to create and matching rules to apply (if any). If you want to specify a matching rule, you must specify an index type. You cannot use this option with option -T.
  • Page 303 Glossary access control instruction See ACI. ACI Also Access Control Instruction. An instruction that grants or denies permissions to entries in the directory. access control list See ACL. ACL Also Access Control List. The mechanism for controlling access to your directory.
  • Page 304 approximate index Allows for efficient approximate or “sounds-like” searches. attribute Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value. attribute list A list of required and optional attributes for a given entry type or object class.
  • Page 305 browser Software, such as Mozilla Firefox, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server. browsing index Also virtual view index. Speeds up the display of entries in the Directory Server Console.
  • Page 306 CIR See consumer-initiated replication. class definition Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory. class of service See CoS. classic CoS A classic CoS identifies the template entry by both its DN and the value of one of the target entry’s attributes.
  • Page 307 DAP Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory. data master The server that is the master source of a particular piece of data. database link An implementation of chaining. The database link behaves like a database but has no persistent storage.
  • Page 308 DNS alias A DNS alias is a hostname that the DNS server knows points to a different host—specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as might point to a real machine called www.yourdomain.domain where the server currently exists.
  • Page 309 hostname A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, is the machine www.example.com in the subdomain domain. example HTML Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as the Mozilla Firefox how to display text, position graphics, and form items and to display links to other pages.
  • Page 310 knowledge reference Pointers to directory information stored in different databases. LDAP Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms. LDAPv3 Version 3 of the LDAP protocol, upon which Directory Server bases its schema format.
  • Page 311 mapping tree A data structure that associates the names of suffixes (subtrees) with databases. master agent See SNMP master agent. matching rule Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use.
  • Page 312 nested role Allows the creation of roles that contain other roles. network management application Network Management Station component that graphically displays information about SNMP managed devices (which device is up or down, which and how many error messages were received, etc.). network management station See NMS.
  • Page 313 password file A file on Unix machines that stores Unix user login names, passwords, and user ID numbers. It is also known as /etc/passwd because of where it is kept. password policy A set of rules that governs how passwords are used in a given directory.
  • Page 314 RAM Random access memory. The physical semiconductor-based memory in a computer. Information stored in RAM is lost when the computer is shut down. rc.local A file on Unix machines that describes programs that are run when the machine starts. It is also called because of its location.
  • Page 315 role An entry grouping mechanism. Each role has members, which are the entries that possess the role. role-based attributes Attributes that appear on an entry because it possesses a particular role within an associated CoS template. root The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine.
  • Page 316 service A background process on a Windows machine that is responsible for a particular system task. Service processes do not need human intervention to continue functioning. SIE Server Instance Entry. The ID assigned to an instance of Directory Server during installation. Simple Authentication and Security Layer See SASL.
  • Page 317 suffix The name of the entry at the top of the directory tree, below which data is stored. Multiple suffixes are possible within the same directory. Each database only has one suffix. superuser The most privileged user available on Unix machines. The superuser has complete access privileges to all files on the machine.
  • Page 318 uid A unique number associated with each user on a Unix system. URL Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is .
  • Page 319 Index ldif files 125 50ns-directory.ldif ldif files 125 50ns-legacy.ldif ldif files 125 50ns-mail.ldif ldif files 125 50ns-mcd-browser.ldif ldif files 125 50ns-mcd-config.ldif ldif files 125 50ns-mcd-li.ldif SYMBOLS ldif files 125 ::, in LDIF statements 250 50ns-mcd-mail.ldif ldif files 125 50ns-media.ldif ldif files 125 50ns-mlm.ldif NUMERICS ldif files 126...
  • Page 320 connection code 221 A1 221 backendMonitorDN attribute 119 B1 221 backup files 203 B2 221 B3 221 bak2db B4 221 command-line shell script 259 P2 221 quick reference 256 T1 221 bak2db.pl T2 221 command-line perl script 272 U1 221 quick reference 257 contents 209 base 250...
  • Page 321 object classes 94 restart-slapd 267 restoreconfg 268 cn=mapping tree saveconfig 269 object classes 97 start-slapd 269 suffix and replication configuration entries 97 stop-slapd 270 cn=monitor suffix2instance 270 object classes 118 vlvindex 271 read-only monitoring configuration entries 118 command-line utilities cn=NetscapeRoot dbscan 251–252 configuration 31 finding and executing 233...
  • Page 322 SNMP configuration attributes 120–122 nsDS5ReplicaPort 110 suffix configuration attributes 98–99 nsDS5ReplicaPurgeDelay 102 synchronization agreement attributes 115–116 nsDS5ReplicaReapActive 110 uniqueid generator configuration nsDS5ReplicaReferral 102 attributes 122–123 nsDS5ReplicaRefresh 110 nsDS5ReplicaRoot 102, 111 configuration changes nsDS5ReplicaSessionPauseTime 111 requiring server restart 35, 126 nsDS5ReplicatedAttributeList 112 configuration entries nsDS5ReplicaTimeout 113 modifying using LDAP 33...
  • Page 323 nsslapd-certmap-basedn 54 nsslapd-rootpw 76 nsslapd-changelogdir 92 nsslapd-rootpwstoragescheme 77 nsslapd-changelogmaxage 93 nsslapd-schemacheck 78 nsslapd-changelogmaxentries 94 nsslapd-schema-ignore-trailing-spaces 78 nsslapd-config 54 nsslapd-schemareplace 79 nsslapd-conntablesize 55 nsslapd-securelistenhost 80 nsslapd-csnlogging 55 nsslapd-securePort 80 nsslapd-ds4-compatible-schema 55 nsslapd-security 80 nsslapd-errorlog 57 nsslapd-sizelimit 81 nsslapd-errorlog-level 58 nsslapd-ssl-check-hostname 82 nsslapd-errorlog-list 59 nsslapd-state 98 nsslapd-errorlog-logexpirationtime 59...
  • Page 324 totalconnections 118 nsSearchSubtreeCount 197 nsslapd-changelogmaxage 199 currentconnections attribute 118 nsslapd-sizelimit 194 currenttime attribute 119 nsslapd-timelimit 194 nsTransmittedControls 189 nsUndbindCount 198 database plug-in configuration attributes cn 183 dbcachehitratio 175 database dbcachehits 174 exporting 260, 261 dbcachepagein 175 importing 263 dbcachepageout 175 reindexing index files 262 dbcacheroevict 175 database encryption...
  • Page 325 nsslapd-db-idl-divisor 166 db2dsml nsslapd-db-lock-conflicts 180 command-line shell script 261 nsslapd-db-lockers 180 quick reference 256 nsslapd-db-lock-region-wait-rate 180 db2index 301 nsslapd-db-lock-request-rate 180 command-line shell script 262 nsslapd-db-logbuf-size 167 quick reference 256 nsslapd-db-log-bytes-since-checkpoint 180 db2index.pl nsslapd-db-logdirectory 167 command-line perl script 274 nsslapd-db-logfile-size 168 quick reference 257 nsslapd-db-log-region-wait-rate 180 db2ldif...
  • Page 326 dtablesize attribute 118 quick reference 256 editing id2entry.db4 file 204 dse.ldif file 35 Indexes encryption configuration of 31 root password 76, 77 specifying password storage scheme 90 encryption configuration attributes nsssl2 95 nsssl3 95 nsssl3ciphers 96 jpeg images 250 nssslclientauth 95 nssslsessiontimeout 94 encryption configuration entries cn=encryption 94...
  • Page 327 LDIF configuration files quick reference 256 contents of 29 lock files 205 detailed contents of 123 log files 206 location of 29 access 37 LDIF entries error 57 binary data in 250 log.xxxxxxxxxx files 203 ldif files 205 logconv.pl 00core.ldif 124 quick reference 258 05rfc2247.ldif 124 logconv.pl script 278...
  • Page 328 nsBindCount attribute 197 nsDS5ReplicaUpdateInProgress attribute 114 nsBindRetryLimit attribute 190 nsDS5ReplicaUpdateSchedule attribute 114 nsBindTimeout attribute 191 nsds7DirectoryReplicaSubtree 116 nsCheckLocalACI attribute 191 nsds7DirsyncCookie 116 nsCompareCount attribute 198 nsds7NewWinGroupSyncEnabled 116 nsConcurrentBindLimit attribute 192 nsds7NewWinUserSyncEnabled 117 nsConcurrentOperationsLimit attribute 192 nsds7WindowsDomain 117 nsConnectionLife attribute 192 nsds7WindowsReplicaSubtree 117 nsDeleteCount attribute 197 nsEncryptionAlgorithm 186...
  • Page 329 nsslapd-accesslog attribute 37 nsslapd-changelogmaxentries attribute 94 nsslapd-accesslog-level attribute 38 nsslapd-config attribute 54 nsslapd-accesslog-list attribute 38 nsslapd-conntablesize attribute 55 nsslapd-accesslog-logbuffering attribute 39 nsslapd-csnlogging attribute 55 nsslapd-accesslog-logexpirationtime attribute 39 nsslapd-db-abort-rate attribute 178 nsslapd-accesslog-logexpirationtimeunit nsslapd-db-active-txns attribute 178 attribute 39, 43 nsslapd-db-cache-hit attribute 179 nsslapd-accesslog-logging-enabled attribute 40 nsslapd-db-cache-region-wait-rate attribute 179 nsslapd-accesslog-logmaxdiskspace attribute 40...
  • Page 330 nsslapd-db-page-trickle-rate attribute 181 nsslapd-nagle attribute 70 nsslapd-db-page-write-rate attribute 181 nsslapd-outbound-ldap-io-timeout attribute 70 nsslapd-db-spin-count attribute 169 nsslapd-plug-in attribute 71 nsslapd-db-transaction-batch-val attribute 169 nsslapd-plugin-depends-on-named attribute 158 nsslapd-db-transaction-logging attribute 170 nsslapd-plugin-depends-on-type attribute 157 nsslapd-db-trickle-percentage attribute 170 nsslapd-pluginDescription attribute 156 nsslapd-db-txn-region-wait-rate attribute 181 nsslapd-pluginEnabled attribute 155 nsslapd-db-verbose attribute 171 nsslapd-pluginId attribute 155 nsslapd-directory attribute 177...
  • Page 331 nssnmpenabled attribute 120 passwordMinLength attribute 88 nssnmplocation attribute 121 passwordMustChange attribute 89 nssnmpmasterhost attribute 122 passwordResetFailureCount attribute 89 nssnmpmasterport attribute 122 passwords root 76 nssnmporganization attribute 120 passwordStorageScheme attribute 90 nsssl2 attribute 95 passwordUnlock attribute 90 nsssl3 attribute 95 passwordWarning attribute 91 nsssl3ciphers attribute 96 perl scripts 272 nssslclientauth attribute 95...
  • Page 332 nsMatchingRule 182 nsslapd-db-logfile-size 168 nsMaxResponseDelay 188 nsslapd-db-log-region-wait-rate 180 nsMaxTestResponseDelay 189 nsslapd-db-log-write-rate 180 nsModifyCount 197 nsslapd-db-longest-chain-length 180 nsMultiplexorBindDN 195 nsslapd-dbncache 171 nsMultiplexorCredentials 196 nsslapd-db-page-create-rate 180 nsOperationConnectionCount 198 nsslapd-db-page-ro-evict-rate 180 nsOperationConnectionsLimit 193 nsslapd-db-page-rw-evict-rate 181 nsProxiedAuthorization 193 nsslapd-db-pages-in-use 181 nsReferralOnScopedSearch 193 nsslapd-db-page-size 168 nsRenameCount 197 nsslapd-db-page-trickle-rate 181 nsSearchBaseCount 197...
  • Page 333 nsDS5Flags 99 nsds5replconflict 104 read-only monitoring configuration attributes nsDS5ReplicaBindDN 100 backendMonitorDN 119 nsDS5ReplicaChangeCount 100 bytessent 119 nsDS5ReplicaID 101 connection 118 nsDS5ReplicaLegacyConsumer 101 currentconnections 118 nsDS5ReplicaName 101 currenttime 119 nsDS5ReplicaPurgeDelay 102 dtablesize 118 nsDS5ReplicaReferral 102 entriessent 119 nsDS5ReplicaRoot 102 nbackends 119 nsDS5ReplicaTombstonePurgeInterval 103 opscompleted 119 nsDS5ReplicaType 103...
  • Page 334 setting time limits 83 nsds7NewWinGroupSyncEnabled 116 nsds7NewWinUserSyncEnabled 117 searches nsds7WindowsDomain 117 sort criteria 242 nsds7WindowsReplicaSubtre 117 specifying scope 238 server restart after configuration changes 35, 126 serverID 21 serverRoot 21 slapd.conf file template-cl-dump.pl location of 32 command-line perl script 287 root password and 77 quick reference 258 smart referrals...
