Red Hat Directory Server 8.0 Configuration and Command Reference
Joshua Oakes, Ella Deon Lackey, David O'Brien
Publication date: January 10, 2008, updated on February 11, 2010...
About This Reference
Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in an intranet, over an extranet with trading partners, or over the public Internet to reach customers.
Formatting conventions used in this reference (Formatting Style: Purpose):
Monospace font: used for commands, package names, files and directory paths, and any text displayed in a prompt.
Monospace with a background: used for anything entered or returned in a command prompt.
Italicized text...
If there is any error in this Configuration, Command, and File Reference or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Directory Server through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues: •...
Changed the default on the nsslapd-cache-autosize parameter to 0, per Bugzilla #514282.
Revision 8.0.4, January 10, 2009, Ella Deon Lackey (dlackey@redhat.com): Correcting the default values for *-logrotationsync-enabled and *-logexpirationtime attributes per bz473187. Expanding the verify-db.pl and dbverify sections per bz462805.
Chapter 1. Introduction
Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed to manage large scale directories to support an enterprise-wide directory of users and resources, extranets, and e-commerce applications over the Internet.
Chapter 2. Core Server Configuration Reference
The configuration information for Red Hat Directory Server is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server using LDAP while it is still running, thus avoiding the need to shut the server down for most configuration changes.
Figure 2.1. Directory Information Tree Showing Configuration Data
2.1.1. LDIF and Schema Configuration Files
The Directory Server configuration data are stored in LDIF files in the /etc/dirsrv/slapd-instance_name directory (/etc/opt/dirsrv/slapd-instance_name on HP-UX). Thus, if a server identifier is phonebook, then for a Directory Server on Red Hat Enterprise Linux 5 (32-bit), the configuration LDIF files are all stored under /etc/dirsrv/slapd-phonebook.
defined in RFC 2256 (based on X.520/X.521), inetOrgPerson and other widely-used attributes, and the operational attributes used by Directory Server configuration. Modifying this file causes interoperability problems. User-defined attributes should be added through the Directory Server Console.
50ns-directory.ldif: Contains additional configuration schema used by Directory Server 4.12 and earlier versions of the directory, which is no longer applicable to current releases of Directory Server. This schema is required for replicating between Directory Server 4.12 and current releases.
    nsslapd-accesslog-logging-enabled: on
    nsslapd-enquote-sup-oc: off
    nsslapd-localhost: phonebook.example.com
    nsslapd-schemacheck: on
    nsslapd-port: 389
    nsslapd-localuser: nobody
2.1.2.2. Configuration of Plug-in Functionality
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. The following code sample is an example of the configuration entry for an example plug-in, the Telephone Syntax plug-in.
2.2. Accessing and Modifying Server Configuration
This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions to the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.
The following sections describe how to modify entries using LDAP (both by using Directory Server Console and by using the command line), the restrictions that apply to modifying entries, the restrictions that apply to modifying attributes, and the configuration changes requiring restart.
2.2.2.1.
2.2.2.3. Configuration Changes Requiring Server Restart
Some configuration attributes cannot be altered while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file.
Figure 2.2. Directory Information Tree Showing Configuration Data
Most of these configuration tree nodes are covered in the following sections. The cn=plugins node is covered in Chapter 3, Plug-in Implemented Server Functionality Reference. The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.
access operation, entry access, and referral logging.
Default Value:
Syntax: Integer
Example: nsslapd-accesslog-level: 256
2.3.1.3. nsslapd-accesslog-list
This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation.
Entry DN: cn=config
Valid Values...
A value of -1 or 0 means that the log never expires.
Default Value:
Syntax: Integer
Example: nsslapd-accesslog-logexpirationtime: 2
2.3.1.6. nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
This attribute specifies the units for the nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
Table 2.3. dse.ldif Attributes (columns: Attribute, Value, Logging Enabled or Disabled) ... nsslapd-accesslog
Entry DN: cn=config
Valid Values: on | off
Default Value:
Syntax: DirectoryString
Example: nsslapd-accesslog-logging-enabled: off
2.3.1.8. nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
This attribute specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume.
2.3.1.10. nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)
This attribute sets whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day.
Default Value:
Syntax: Integer
Example: nsslapd-accesslog-logrotationsyncmin: 30
2.3.1.13. nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
This attribute sets the time between access log file rotations. The access log is rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space.
• 4 - Read only
• 5 - Read and execute
• 6 - Read and write
• 7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions.
The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
Attributes in dse.ldif | Value | Logging enabled or disabled
nsslapd-auditlog-logging-enabled; nsslapd-auditlog... | empty string | Disabled
Example: nsslapd-auditlog-logexpirationtime: 1
2.3.1.22. nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
This attribute sets the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
Entry DN: cn=config
Valid Values: month | week | day
Default Value...
Attribute | Value | Logging enabled or disabled
nsslapd-auditlog | filename |
Table 2.5. Possible combinations for nsslapd-auditlog and nsslapd-auditlog-logging-enabled
2.3.1.24. nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
This attribute sets the maximum amount of disk space in megabytes that the audit logs are allowed to consume.
For audit log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files. For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0.
2.3.1.29. nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
This attribute sets the time between audit log file rotations. The audit log is rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Default Value:
Syntax: Integer
Example: nsslapd-auditlog-maxlogsize: 50
2.3.1.32. nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
This attribute sets the total number of audit logs that can be contained in the directory where the audit log is stored.
• 7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
Entry DN: cn=config
Valid Values: Any valid configuration DN
Default Value:
Syntax: DirectoryString
Example: nsslapd-config: cn=config
2.3.1.37. nsslapd-conntablesize
This attribute sets the connection table size, which determines the total number of connections supported by the server. The server has to be restarted for changes to this attribute to go into effect.
Entry DN...
2.3.1.39. nsslapd-ds4-compatible-schema
Makes the schema in cn=schema compatible with 4.x versions of Directory Server.
Entry DN: cn=config
Valid Values: on | off
Default Value:
Syntax: DirectoryString
Example: nsslapd-ds4-compatible-schema: off
2.3.1.40. nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)
This attribute is deprecated and will be removed in a future version of Directory Server.
Example: nsslapd-errorlog: /var/log/dirsrv/slapd-instance_name/errors
For error logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
• 2048 — Log entry parsing debugging.
• 4096 — Housekeeping thread debugging.
• 8192 — Replication debugging.
• 16384 — Default level of logging used for critical errors and other messages that are always written to the error log;...
Entry DN: cn=config
Valid Range: -1 to the maximum 32 bit integer value (2147483647). A value of -1 or 0 means that the log never expires.
Default Value:
Syntax: Integer
Example: nsslapd-errorlog-logexpirationtime: 1
2.3.1.45. nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
This attribute sets the units for the nsslapd-errorlog-logexpirationtime attribute.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the error log is unlimited in size.
2.3.1.50. nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour)
This attribute sets the hour of the day for rotating error logs. This attribute must be used in conjunction with the nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsyncmin attributes.
Entry DN: cn=config
Valid Range: 0 through 23
Default Value:
Syntax...
that the time between error log file rotation is unlimited).
Default Value:
Syntax: Integer
Example: nsslapd-errorlog-logrotationtime: 100
2.3.1.53. nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
This attribute sets the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, then the log never expires.
of the log file is deleted. The default is 1 log. If this default is accepted, the server does not rotate the log, and it grows indefinitely. If the value for this attribute is higher than 1, then check the nsslapd-errorlog-logrotationtime attribute to establish whether log rotation is specified.
Example: nsslapd-errorlog-mode: 600
2.3.1.57. nsslapd-groupevalnestlevel
This attribute is deprecated, and documented here only for historical purposes. The Access Control Plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to set the number of levels of nesting that access control performs for group evaluation.
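As an added example (not part of the Red Hat reference), the following Python script applies the logging rules above to a cn=config entry read from dse.ldif text: a log is active only when its nsslapd-*-logging-enabled flag is on and its nsslapd-* path is non-empty (the combinations in Tables 2.3 and 2.5 and in the error-log section), and an nsslapd-*-mode of 000 or one that grants write access to everyone is reported. The sample LDIF is constructed for the example.

```python
"""Audit the logging attributes of a Directory Server cn=config entry.

Added example, not part of the Red Hat reference.  It unfolds an LDIF text,
picks out the cn=config entry and reports logs that are silently disabled
(flag off or path empty) and log-file modes that the reference warns about.
"""
import re

LOGS = ("accesslog", "auditlog", "errorlog")

# Constructed sample dse.ldif fragment: audit log switched off, error log
# mode opened up to everyone (the access and audit logs keep 600).
SAMPLE_DSE = """\
dn: cn=config
cn: config
nsslapd-accesslog: /var/log/dirsrv/slapd-phonebook/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-mode: 600
nsslapd-auditlog: /var/log/dirsrv/slapd-phonebook/audit
nsslapd-auditlog-logging-enabled: off
nsslapd-auditlog-mode: 600
nsslapd-errorlog: /var/log/dirsrv/slapd-phonebook/errors
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-mode: 666

dn: cn=plugins,cn=config
cn: plugins
"""


def parse_cn_config(ldif_text):
    """Return {attribute (lower-case): first value} for the cn=config entry."""
    unfolded = re.sub(r"\n ", "", ldif_text)  # LDIF folds long lines with a leading space
    for entry in unfolded.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), value.strip())
        if attrs.get("dn", "").lower() == "cn=config":
            return attrs
    return {}


def log_enabled(attrs, log):
    """Tables 2.3/2.5 rule: active only when the flag is on AND a filename is set."""
    flag_on = attrs.get(f"nsslapd-{log}-logging-enabled", "").lower() == "on"
    return flag_on and attrs.get(f"nsslapd-{log}", "") != ""


def mode_findings(attrs, log):
    """Check the 3-digit octal nsslapd-*-mode against the warnings in the reference."""
    mode = attrs.get(f"nsslapd-{log}-mode")
    if mode is None:
        return []
    try:
        bits = int(mode, 8)
    except ValueError:
        return [f"nsslapd-{log}-mode: {mode!r} is not an octal mode"]
    out = []
    if bits == 0:
        out.append(f"nsslapd-{log}-mode: 000 denies access to the log for everyone")
    if bits & 0o002:
        out.append(f"nsslapd-{log}-mode: {mode} is world-writable; anyone can overwrite or delete the log")
    if bits & 0o044:
        out.append(f"nsslapd-{log}-mode: {mode} is readable by group/others; 600 limits it to the server user")
    return out


def audit(ldif_text):
    """Return a list of findings for the cn=config entry in ldif_text."""
    attrs = parse_cn_config(ldif_text)
    findings = []
    for log in LOGS:
        if not log_enabled(attrs, log):
            flag = attrs.get(f"nsslapd-{log}-logging-enabled", "")
            path = attrs.get(f"nsslapd-{log}", "")
            findings.append(f"{log}: logging disabled (nsslapd-{log}-logging-enabled={flag!r}, nsslapd-{log}={path!r})")
        findings.extend(mode_findings(attrs, log))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DSE):
        print(finding)
```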
Entry DN: cn=config
Valid Range: 0 to the maximum 32 bit integer value (2147483647) in ticks
Default Value: 1800000
Syntax: Integer
Example: nsslapd-ioblocktimeout: 1800000
2.3.1.61. nsslapd-lastmod (Track Modification Time)
This attribute sets whether the Directory Server maintains the modification attributes for Directory Server entries.
The server has to be restarted for changes to this attribute to go into effect.
Entry DN: cn=config
Valid Values: Any local hostname, IPv4 or IPv6 address
Default Value:
Syntax: DirectoryString
Example: nsslapd-listenhost: ldap.example.com
NOTE: On HP-UX the hostname value can be a relocatable IP address.
2.3.1.65. nsslapd-lockdir (Server Lock File Directory)
This is the full path to the directory the server uses for lock files. The default value is /var/lock/dirsrv/slapd-instance_name. Changes to this value will not take effect until the server is restarted.
Entry DN...
The number given here should not be greater than the total number of file descriptors that the operating system allows the ns-slapd process to use. This number differs depending on the operating system. If this value is set too high, the Directory Server queries the operating system for the maximum allowable value and then uses that value.
Default Value:
Syntax: Integer
Example: nsslapd-maxthreadsperconn: 5
2.3.1.69. nsslapd-nagle
When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies;...
The server has to be restarted for the port number change to be taken into account.
Entry DN: cn=config
Valid Range: 1 to 65535
Default Value:
Syntax: Integer
Example: nsslapd-port: 389
NOTE: Set the port number to zero (0) to disable the LDAP port if the LDAPS port is enabled.
2.3.1.75. nsslapd-readonly (Read Only)
This attribute sets whether the whole server is in read-only mode, meaning that neither data in the databases nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.
Entry DN...
Example: nsslapd-referral: ldap://ldap.example.com
2.3.7.77. nsslapd-referralmode (Referral Mode)
When set, this attribute sends back the referral for any request on any suffix.
Entry DN: cn=config
Valid Values: Any valid LDAP URL in the form ldap://server-location
Default Value:
Syntax...
• NglobalIndex is the total number of configured indexes for all databases including system indexes. (By default 8 system indexes and 17 additional indexes per database).
• ReplicationDescriptor is eight (8) plus the number of replicas in the server that can act as a supplier or hub (NSupplierReplica).
2.3.1.81. nsslapd-rootdn (Manager DN)
This attribute sets the distinguished name (DN) of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory, or resource limits in general. There does not have to be an entry corresponding to this DN, and by default there is not an entry for this DN, thus values like cn=Directory Manager are acceptable.
2.3.1.83. nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
This attribute sets the encryption method used for the root password.
Entry DN: cn=config
Valid Values: Any encryption method as described in Section 2.3.1.123, “passwordStorageScheme (Password Storage Scheme)”.
Default Value: SSHA
Syntax: DirectoryString
Example...
and missing superiors are added) trailing spaces are ignored, if appropriate. This means that even when nsslapd-schema-ignore-trailing-spaces is on, a value such as top is not added if top is already there. An error message is logged and returned to the client if an object class is not found and it contains trailing spaces.
2.3.1.87. nsslapd-schemadir
This is the absolute path to the directory containing the Directory Server instance-specific schema files. When the server starts up, it reads the schema files from this directory, and when the schema is modified through LDAP tools, the schema files in this directory are updated. This directory must be owned by the server user ID, and that user must have read and write permissions to the directory.
port number. Specifying a port number of less than 1024 requires that Directory Server be started as root. The server sets its uid to the nsslapd-localuser value after startup. The server only listens to this port if it has been configured with a private key and a certificate, and nsslapd-security is set to on;...
Valid Range: -1 to the maximum 32 bit integer value (2147483647)
Default Value: 2000
Syntax: Integer
Example: nsslapd-sizelimit: 2000
2.3.1.93. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
This attribute sets whether an SSL-enabled Directory Server should verify authenticity of a request by matching the hostname against the value assigned to the common name (cn) attribute of the subject name (subjectDN field) in the certificate being presented.
2.3.1.94. nsslapd-threadnumber (Thread Number)
Defines the number of operation threads that the Directory Server creates at startup. The nsslapd-threadnumber value should be increased if there are many directory clients performing time-consuming operations such as add or modify, as this ensures that there are other threads available for servicing short-lived operations such as simple searches.
Changes made to this attribute will not take effect until the server is restarted.
2.3.1.97. nsslapd-versionstring
This attribute sets the server version number. The build data is automatically appended when the version string is displayed.
Entry DN: cn=config
Valid Values: Any valid server version number.
• Minimum number of digit characters (0-9)
• Minimum number of ASCII alphabetic characters, both upper- and lower-case
• Minimum number of uppercase ASCII alphabetic characters
• Minimum number of lowercase ASCII alphabetic characters
•...
Entry DN: cn=config
Valid Values: 0 (off) to any reasonable integer
Default Value:
Syntax: Integer
Example: passwordGraceLimit: 3
2.3.1.103. passwordHistory (Password History)
Enables password history. Password history refers to whether users are allowed to reuse passwords. By default, password history is disabled, and users can reuse passwords. If this attribute is set to on, the directory stores a given number of old passwords and prevents users from reusing any of the stored passwords.
Entry DN: cn=config
Valid Values: on | off
Default Value:
Syntax: DirectoryString
Example: passwordIsGlobalPolicy: off
2.3.1.106. passwordLockout (Account Lockout)
Indicates whether users are locked out of the directory after a given number of failed bind attempts. By default, users are not locked out of the directory after a series of failed bind attempts.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config
Valid Range: 1 to the maximum 32 bit integer value (2147483647) in seconds
Default Value: 8640000 (100 days)
Syntax: Integer...
NOTE: The 7-bit checking for userPassword must be disabled to use this.
Entry DN: cn=config
Valid Range: 0 to 64
Default Value:
Syntax: Integer
Example: passwordMin8Bit: 0
2.3.1.112. passwordMinAge (Password Minimum Age)
Indicates the number of seconds that must pass before a user can change their password.
category. A password of aAaAaA would pass because it contains characters from two categories, uppercase and lowercase. The default is 3, which means that if password syntax checking is enabled, valid passwords have to have three categories of characters.
Entry DN...
Default Value:
Syntax: Integer
Example: passwordMinLowers: 1
2.3.1.118. PasswordMinSpecials (Password Syntax)
This attribute sets the minimum number of special, or not alphanumeric, characters a password must contain.
Entry DN: cn=config
Valid Range: 0 to 64
Default Value...
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config
Valid Values: on | off
Default Value:
Syntax: DirectoryString
Example: passwordMustChange: off
2.3.1.122. passwordResetFailureCount (Reset Password Failure Count After)
Indicates the amount of time in seconds after which the password failure counter resets.
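As an added example (not the server's own code), the following Python evaluates a candidate password the way the password-syntax attributes above describe: the per-kind minimums (passwordMinDigits, passwordMinAlphas, passwordMinUppers, passwordMinLowers, passwordMinSpecials, passwordMin8Bit) and the category rule of passwordMinCategories, whose default the reference gives as 3. It assumes the five categories are upper-case, lower-case, digit, special and 8-bit characters; the policy values are constructed.

```python
"""Check a password against Directory Server password-syntax attributes.

Added example, not the server's implementation.  It applies the per-kind
minimum counts and the passwordMinCategories rule described in the reference,
assuming the categories are upper, lower, digit, special and 8-bit.
"""

# attribute name (lower-cased, LDAP names are case-insensitive) -> counted categories
MINIMUMS = {
    "passwordmindigits": ("digit",),
    "passwordminalphas": ("upper", "lower"),
    "passwordminuppers": ("upper",),
    "passwordminlowers": ("lower",),
    "passwordminspecials": ("special",),
    "passwordmin8bit": ("eightbit",),
}


def classify(password):
    """Count characters per category (categories assumed as stated above)."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0, "eightbit": 0}
    for ch in password:
        if ord(ch) > 127:
            counts["eightbit"] += 1      # only usable with 7-bit checking disabled (passwordMin8Bit)
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1       # anything else (punctuation, space) counts as special
    return counts


def check_syntax(password, policy):
    """Return the list of failed rules; an empty list means the password passes.

    policy maps attribute names (any case) to values as strings or ints, for
    example {"passwordMinCategories": "2", "passwordMinDigits": 1}.  Attributes
    that are absent default to 0, except passwordMinCategories, which defaults to 3.
    """
    pol = {k.lower(): int(v) for k, v in policy.items()}
    counts = classify(password)
    failures = []
    for attr, keys in MINIMUMS.items():
        need = pol.get(attr, 0)
        have = sum(counts[k] for k in keys)
        if have < need:
            failures.append(f"{attr}: need {need}, have {have}")
    need_cat = pol.get("passwordmincategories", 3)
    have_cat = sum(1 for n in counts.values() if n > 0)
    if have_cat < need_cat:
        failures.append(f"passwordmincategories: need {need_cat}, have {have_cat}")
    return failures


if __name__ == "__main__":
    # aAaAaA passes when two categories are required and fails with the default of three
    print(check_syntax("aAaAaA", {"passwordMinCategories": 2}))
    print(check_syntax("aAaAaA", {}))
```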
NOTE: Passwords cannot be encrypted using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for reasons of backward compatibility.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
databases. The changelog entry supports the following attributes with the same meaning as for databases:
The default values for the cache-related memory parameters (tuned for a single backend replicated to a single consumer) are as follows:
• nsslapd-cachesize: 3000 (3000 entries)
•...
Valid Values: Any valid path to the directory storing the changelog
Default Value: None
Syntax: DirectoryString
Example: nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance_name/changelogdb
2.3.2.2. nsslapd-changelogmaxage (Max Changelog Age)
This attribute sets the maximum age of any entry in the changelog. The changelog contains a record for each directory modification and is used when synchronizing consumer servers.
2.3.3. cn=encryption
Encryption related attributes are stored under the cn=encryption,cn=config entry. The cn=encryption,cn=config entry is an instance of the nsslapdEncryptionConfig object class.
2.3.3.1. nssslsessiontimeout
This attribute sets the lifetime duration of a TLS/SSL session. The minimum timeout value is 5 seconds. If a smaller value is set, then it is automatically replaced by 5 seconds.
Valid Values: on | off
Default Value:
Syntax: DirectoryString
Example: nsssl2: off
2.3.3.4. nsSSL3
Supports SSL version 3. The server has to be restarted for changes to this attribute to go into effect.
Entry DN...
Default Value:
Syntax: DirectoryString
Use the plus (+) symbol to enable or minus (-) symbol to disable, followed by the ciphers. Blank spaces are not allowed in the list of ciphers. To enable all ciphers — except rsa_null_md5, which must be specifically called —...
Entry DN: cn=suffix, cn=mapping tree, cn=config
Valid Values: backend | disabled | referral | referral on update
backend means the backend (database) is used to process all operations. disabled means the database is not available for processing operations.
2.3.7.1. nsDS5Flags
This attribute sets replica properties that were previously defined in flags. At present only one flag exists, which sets whether changes are logged.
Entry DN: cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: 0 | 1...
Example: nsDS5ReplicaChangeCount: 675
2.3.7.4. nsDS5ReplicaId
This attribute sets the unique ID for suppliers in a given replication environment.
Entry DN: cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Range: 0 to 65534
Default Value:
Syntax: Integer...
Default Value:
Syntax: DirectoryString (a UID identifies the replica)
Example: nsDS5ReplicaName: 66a2b699-1dd211b2-807fa9c3-a58714648
2.3.7.7. nsDS5ReplicaPurgeDelay
This attribute controls the maximum age of deleted entries (tombstone entries) and state information. The Directory Server stores tombstone entries and state information so that when a conflict occurs in a multi-master replication process, the server resolves the conflicts based on the timestamp and replica ID stored in the change sequence numbers.
Default Value:
Syntax: DirectoryString
Example: nsDS5ReplicaReferral: ldap://ldap.example.com
2.3.7.9. nsDS5ReplicaRoot
This attribute sets the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified.
Entry DN...
Valid Values: 0 | 1 | 2 | 3
  0 means unknown
  1 means primary (not yet used)
  2 means consumer (read-only)
  3 means consumer/supplier (updateable)
Default Value:
Syntax: Integer
Example: nsDS5ReplicaType: 2
2.3.7.12.
2.3.8. Replication Attributes under cn=ReplicationAgreementName, cn=replica, cn="suffixName", cn=mapping tree, cn=config
The replication attributes that concern the replication agreement are stored under cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config. The cn=ReplicationAgreementName entry is an instance of the nsDS5ReplicationAgreement object class.
Default Value:
Syntax: DirectoryString
Example: nsDS5ReplicaBindDN: cn=replication manager, cn=config
2.3.8.4. nsDS5ReplicaBindMethod
This attribute sets the method to use for binding. This attribute can be modified.
Entry DN: cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values...
Entry DN: cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Range: 0 to maximum 32-bit integer (2147483647)
Default Value:
Syntax: Integer
Example: nsDS5ReplicaChangesSentSinceStartup: 647
2.3.8.7. nsDS5ReplicaCredentials
This attribute sets the credentials for the bind DN (specified in the nsDS5ReplicaBindDN attribute) on the remote server containing the consumer replica.
Entry DN: cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened. This value gives the time in relation to Greenwich Mean Time.
2.3.8.12. nsDS5ReplicaLastUpdateEnd
This read-only attribute states when the most recent replication schedule update ended.
Entry DN: cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened.
Example: nsDS5ReplicaLastUpdateStatus: 0 replica acquired successfully
2.3.8.15. nsDS5ReplicaPort
This attribute sets the port number for the remote server containing the replica. Once this attribute has been set, it cannot be modified.
Entry DN...
Chapter 2. Core Server Configuration Reference Parameter Description Example nsDS5BeginReplicaRefresh: start 2.3.8.18. nsDS5ReplicaRoot This attribute sets the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified. Parameter Description Entry DN...
Replication Attributes under cn=ReplicationAgreementName, cn=replica, cn="suffixName", cn=mapping tree, cn=config Parameter Description Valid Values Any valid integer Default Value Syntax Integer Example nsDS5ReplicaSessionPauseTime: 0 2.3.8.20. nsDS5ReplicatedAttributeList This optional attribute lists the attributes that are excluded from replication to the consumer server. This fractional replication allows databases to be replicated across slow connections or to less secure consumers while still withholding sensitive attributes (for example, userPassword) from those consumers.
Chapter 2. Core Server Configuration Reference 2.3.8.22. nsDS5ReplicaTransportInfo This attribute sets the type of transport used for transporting data to and from the replica. The attribute values can be either SSL, which means that the connection is established over SSL, or LDAP, which means that regular LDAP connections are used. With LDAP, the supplier's bind to the consumer, including the password stored in nsDS5ReplicaCredentials when nsDS5ReplicaBindMethod is SIMPLE, and every replicated change cross the network unencrypted; use SSL for any agreement whose traffic leaves a trusted network.
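The fractional-replication list (Section 2.3.8.20) and the transport setting above decide what a consumer receives and whether the supplier's bind credentials cross the wire in the clear, and Section 2.3.8.18 requires nsDS5ReplicaRoot to equal the replicated suffix. The following Python script is an added example for this reference, not part of Red Hat Directory Server or its tools: it parses agreement entries in LDIF form (as exported from dse.ldif or an ldapsearch of cn=mapping tree, cn=config) and reports agreements that combine nsDS5ReplicaTransportInfo: LDAP with nsDS5ReplicaBindMethod: SIMPLE, agreements whose nsDS5ReplicaRoot does not match the suffix in their DN, and agreements that still replicate userPassword. The LDIF is constructed for the example; the `(objectclass=*) $ EXCLUDE attr ...` form of nsDS5ReplicatedAttributeList and the `{DES}` placeholder values are assumptions, not taken from this page.

```python
"""Audit replication agreement entries exported as LDIF.

Added example for this reference; not part of Red Hat Directory Server.
"""
import re

# Constructed sample: two agreements for one suffix. The "{DES}" values are
# placeholders and the "(objectclass=*) $ EXCLUDE" form is assumed. The line
# starting with two spaces is an LDIF folded line (one space is the fold
# marker, the second is part of the value).
SAMPLE_LDIF = """\
dn: cn=to-consumer1, cn=replica, cn="dc=example,dc=com", cn=mapping tree, cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to-consumer1
nsDS5ReplicaHost: consumer1.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager, cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaCredentials: {DES}constructedPlaceholder==
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE userPassword
  accountUnlockTime

dn: cn=to-consumer2, cn=replica, cn="dc=example,dc=com", cn=mapping tree, cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to-consumer2
nsDS5ReplicaHost: consumer2.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: cn=replication manager, cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaCredentials: {DES}constructedPlaceholder==
nsDS5ReplicaRoot: dc=other,dc=com
"""


def unfold(text):
    """Join LDIF folded lines: a continuation line starts with one space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF records into dicts of lower-cased attribute -> [values]."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        name, _, value = line.partition(':')
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def suffix_from_agreement_dn(dn):
    """Return the quoted suffix component after cn=replica, or None."""
    m = re.search(r'cn=replica,\s*cn="([^"]+)"', dn, re.IGNORECASE)
    return m.group(1) if m else None


def excluded_attributes(entry):
    """Attributes named after EXCLUDE in nsDS5ReplicatedAttributeList."""
    excluded = []
    for value in entry.get('nsds5replicatedattributelist', []):
        _, _, rule = value.partition('$')
        tokens = rule.split()
        if tokens and tokens[0].upper() == 'EXCLUDE':
            excluded.extend(tokens[1:])
    return excluded


def normalize_dn(dn):
    return re.sub(r'\s*,\s*', ',', dn.strip()).lower()


def audit_agreement(entry):
    """Return a list of finding codes for one agreement entry."""
    findings = []
    transport = entry.get('nsds5replicatransportinfo', [''])[0].upper()
    method = entry.get('nsds5replicabindmethod', [''])[0].upper()
    if transport == 'LDAP' and method == 'SIMPLE':
        findings.append('cleartext-credentials')   # password sent unencrypted
    suffix = suffix_from_agreement_dn(entry['dn'][0])
    root = entry.get('nsds5replicaroot', [None])[0]
    if suffix and root and normalize_dn(suffix) != normalize_dn(root):
        findings.append('replica-root-mismatch')    # must equal the suffix
    if 'userpassword' not in {a.lower() for a in excluded_attributes(entry)}:
        findings.append('userpassword-replicated')  # informational
    return findings


def audit_all(text):
    """Map agreement cn -> findings for every agreement entry in the LDIF."""
    return {e['cn'][0]: audit_agreement(e) for e in parse_ldif(text)
            if 'nsds5replicationagreement' in {o.lower() for o in e.get('objectclass', [])}}


if __name__ == '__main__':
    for name, findings in audit_all(SAMPLE_LDIF).items():
        print(name, findings or ['ok'])
```

The `userpassword-replicated` finding is informational: replicating userPassword to a trusted consumer is normal, but for a consumer in a less trusted location it is the case the fractional-replication attribute exists to prevent.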
2.3.8.25. nsDS50ruv This attribute stores the last replica update vector (RUV) read from the consumer of this replication agreement. It is always present and must not be changed. 2.3.9. Synchronization Attributes under cn=syncAgreementName, cn=WindowsReplica,cn="suffixName", cn=mapping tree, cn=config The synchronization attributes that concern the synchronization agreement are stored under cn=syncAgreementName, cn=WindowsReplica, cn=suffixDN, cn=mapping...
Chapter 2. Core Server Configuration Reference 2.3.9.2. nsds7DirsyncCookie This string is created by Active Directory DirSync and gives the state of the Active Directory Server at the time of the last synchronization. The old cookie is sent to Active Directory with each Directory Server update;...
Parameter Description Entry DN cn=syncAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config Valid Values Any valid domain name Default Value Syntax DirectoryString Example nsDS7WindowsDomain: DOMAINWORLD 2.3.9.6. nsds7WindowsReplicaSubtree The suffix or DN of the Windows subtree that is being synchronized. Parameter Description Entry DN cn=syncAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config...
Chapter 2. Core Server Configuration Reference • D is r if the server is in the process of reading BER from the network, empty otherwise. This value is usually empty (as in the example). • E this is the bind DN. This may be empty or have value of NULLDN for anonymous connections. currentConnections This attribute shows the number of currently open and active Directory Server connections.
cn=replication version This attribute shows the Directory Server vendor, version, and build number. For example, Red Hat/8.0.1 B2007.274.08. threads This attribute shows the number of threads used by the Directory Server. This should correspond to nsslapd-threadnumber in cn=config. nbackEnds This attribute shows the number of Directory Server database backends. backendMonitorDN This attribute shows the DN for each Directory Server database backend.
Chapter 2. Core Server Configuration Reference 2.3.12.2. nssnmporganization This attribute sets the organization to which the Directory Server belongs. Parameter Description Entry DN cn=SNMP, cn=config Valid Values Organization name Default Value Syntax DirectoryString Example nssnmporganization: Red Hat, Inc. 2.3.12.3. nssnmplocation This attribute sets the location within the company or organization where the Directory Server resides.
SNMP Statistic Attributes 2.3.12.6. nssnmpmasterhost nssnmpmasterhost is deprecated. This attribute is deprecated with the introduction of net-snmp. The attribute still appears in dse.ldif but without a default value. Parameter Description Entry DN cn=SNMP, cn=config Valid Values machine hostname or localhost Default Value <blank>...
Chapter 2. Core Server Configuration Reference Attribute Description ReadOps Not used. This value is always 0. CompareOps This shows the number of LDAP compare requests. AddEntryOps This shows the number of LDAP add requests. RemoveEntryOps This shows the number of LDAP delete requests. ModifyEntryOps This shows the number of LDAP modify requests.
cn=tasks Attribute Description CacheHits If the server has only one database backend, this is the number of entries returned from the entry cache, rather than from the database, for search results. If the server has more than one database backend, this value is 0, and see the monitor entry for each one for more information.
Chapter 3. Plug-in Implemented Server Functionality Reference This chapter contains reference information on Red Hat Directory Server plug-ins. The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins, cn=config.
dn: cn=Telephone Syntax, cn=plugins, cn=config
objectclass: top
objectclass: nsSlapdPlugin
...
Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Configurable Arguments List of attributes (uid mail userpassword) followed by "," and then suffixes on which the check is to occur. Dependencies None Performance Related Information None Further Information If the Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off.
Attribute Uniqueness Plug-in 3.1.4. Attribute Uniqueness Plug-in Plug-in Parameter Description Plug-in Name Attribute Uniqueness Plug-in DN of Configuration Entry cn=Attribute Uniqueness, cn=plugins, cn=config Description Checks that the values of specified attributes are unique each time a modification occurs on an entry.
Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Description Syntax for handling binary data Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug- in. Red Hat recommends leaving this plug-in running at all times.
Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times. Further Information See the "Advanced Entry Management"...
Generalized Time Syntax Plug-in 3.1.13. Generalized Time Syntax Plug-in Plug-in Parameter Description Plug-in Name Generalized Time Syntax DN of Configuration Entry cn=Generalized Time Syntax, cn=plugins, cn=config Description Syntax for dealing with dates, times and time zones Configurable Options on | off Default Setting Configurable Arguments None...
Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Description Syntax for handling integers Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug- in. Red Hat recommends leaving this plug-in running at all times.
ldbm database Plug-in Plug-in Parameter Description Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug- in. Red Hat recommends leaving this plug-in running at all times. Further Information 3.1.18.
Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Further Information See the "Managing Replication" chapter in the Directory Server Administrator's Guide. 3.1.20. Multi-master Replication Plug-in Plug-in Parameter Description Plug-in Name Multi-master Replication Plug-in DN of Configuration Entry cn=Multimaster Replication plugin, cn=plugins, cn=config Description Enables replication between two current...
CLEAR Password Storage Plug-in Plug-in Parameter Description DN of Configuration Entry cn=OID Syntax,cn=plugins,cn=config Description Syntax for object identifiers (OID). Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug- in.
Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Dependencies None Performance Related Information Do not modify the configuration of this plug- in. Red Hat recommends leaving this plug-in running at all times. Further Information See the "User Account Management" chapter in the Directory Server Administrator's Guide.
SSHA Password Storage Scheme Plug-in Plug-in Parameter Description Description SHA password storage scheme for password encryption Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information If there are no passwords encrypted using the SHA password storage scheme, this plug-in can be turned off.
Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description DN of Configuration Entry cn=Postal Address Syntax, cn=plugins, cn=config Description Syntax used for handling postal addresses Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug- in.
Retro Changelog Plug-in Plug-in Parameter Description Configurable Options All configuration and on | off Default Setting Configurable Arguments When enabled, the post-operation Referential Integrity Plug-in performs integrity updates on the member, uniquemember, owner and seeAlso attributes immediately after a delete or rename operation.
Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description DN of Configuration Entry cn=Retro Changelog Plugin, cn=plugins, cn=config Description Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server.
State Change Plug-in Plug-in Parameter Description DN of Configuration Entry cn=Space Insensitive String Syntax, cn=plugins, cn=config Description Syntax for handling space-insensitive values Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug- in.
Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description DN of Configuration Entry cn=Telephone Syntax, cn=plugins, cn=config Description Syntax for handling telephone numbers Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug- in.
List of Attributes Common to All Plug-ins Plug-in Parameter Description Performance Related Information Do not modify the configuration of this plug- in. Red Hat recommends leaving this plug-in running at all times. Further Information 3.2. List of Attributes Common to All Plug-ins This list provides a brief attribute description, the entry DN, valid range, default value, syntax, and an example for each attribute.
Chapter 3. Plug-in Implemented Server Functionality Reference 3.2.4. nsslapd-pluginEnabled This attribute specifies whether the plug-in is enabled. This attribute can be changed over protocol but will only take effect when the server is next restarted. Plug-in Parameter Description Entry DN cn=plug-in name, cn=plugins, cn=config Valid Values on | off...
nsslapd-pluginDescription 3.2.8. nsslapd-pluginDescription This attribute provides a description of the plug-in. Plug-in Parameter Description Entry DN cn=plug-in name, cn=plugins, cn=config Valid Values Default Value None Syntax DirectoryString Example nsslapd-pluginDescription: acl access check plug-in 3.3. Attributes Allowed by Certain Plug-ins 3.3.1. nsslapd-pluginLoadNow This attribute specifies whether to load all of the symbols used by a plug-in immediately (true), together with all symbols referenced by those symbols, or to load each symbol the first time it is used (false).
Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Entry DN cn=referential integrity postoperation, cn=plugins, cn=config Valid Values database Default Value Syntax DirectoryString Example nsslapd-plugin-depends-on-type: database 3.3.4. nsslapd-plugin-depends-on-named Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the cn value of a plug-in.
Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config 3.4.1. Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config This section covers the global configuration attributes common to all database instances, which are stored in the cn=config, cn=ldbm database, cn=plugins, cn=config tree node. 3.4.1.1. nsLookthroughLimit This performance-related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request.
Chapter 3. Plug-in Implemented Server Functionality Reference 3.4.1.3. nsslapd-cache-autosize This performance tuning-related attribute, which is turned off by default, specifies the percentage of free memory to use for all the combined caches. For example, if the value is set to 80, then 80 percent of the remaining free memory would be claimed for the cache.
Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config Parameter Description Entry DN cn=config, cn=ldbm database, cn=plugins, cn=config Valid Range 0 to 99 Default Value 50 (This will not necessarily optimize operations.) Syntax Integer Example nsslapd-cache-autosize-split: 50 3.4.1.5. nsslapd-dbcachesize This performance tuning-related attribute specifies the database index cache size, and is one of the most important values for controlling how much physical RAM the directory server uses.
Chapter 3. Plug-in Implemented Server Functionality Reference The nsslapd-db-checkpoint-interval attribute is absent from dse.ldif. To change the checkpoint interval, add the attribute to dse.ldif. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, see the "Tuning Directory Server Performance"...
Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config Parameter Description Example nsslapd-db-debug: off 3.4.1.9. nsslapd-db-durable-transactions This attribute sets whether database transaction log entries are immediately written to the disk. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only.
Chapter 3. Plug-in Implemented Server Functionality Reference • There is mostly write activity. If these are all true, use the nsslapd-db-home-directory attribute to specify a subdirectory of a tmpfs type filesystem. The directory referenced by the nsslapd-db-home-directory attribute must be a subdirectory of a filesystem of type tmpfs (such as /tmp).
Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config Parameter Description Valid Range 0 to 8 Default Value Syntax Integer Example nsslapd-db-idl-divisor: 2 3.4.1.12. nsslapd-db-logbuf-size This attribute specifies the log information buffer size. Log information is stored in memory until the buffer fills up or the transaction commit forces the buffer to be written to disk.
Chapter 3. Plug-in Implemented Server Functionality Reference 3.4.1.14. nsslapd-db-logfile-size This attribute specifies the maximum size of a single file in the log in bytes. By default, or if the value is set to 0, a maximum size of 10 megabytes is used. The maximum size is an unsigned 4-byte value. Parameter Description Entry DN...
Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config Parameter Description Example nsslapd-db-spin-count: 0 3.4.1.17. nsslapd-db-transaction-batch-val This attribute specifies how many transactions will be batched before being committed. This attribute can improve update performance when full transaction durability is not required. This attribute can be dynamically modified using ldapmodify.
Chapter 3. Plug-in Implemented Server Functionality Reference 3.4.1.18. nsslapd-db-trickle-percentage This attribute sets that at least the specified percentage of pages in the shared-memory pool are clean by writing dirty pages to their backing files. This is to ensure that a page is always available for reading in new information without having to wait for a write.
Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config Parameter Description Entry DN cn=config, cn=ldbm database, cn=plugins, cn=config Valid Values 1 to 4 Default Value Syntax Integer Example nsslapd-dbncache: 1 3.4.1.21. nsslapd-directory This attribute specifies the absolute path to the database instance. If the database instance is created manually, this attribute must be included; the Directory Server Console sets it by default (and it remains modifiable).
Chapter 3. Plug-in Implemented Server Functionality Reference Parameter Description Default Value 20 000 000 Syntax Integer Example nsslapd-import-cachesize: 20 000 000 3.4.1.23. nsslapd-import-cache-autosize This performance tuning-related attribute automatically sets the size of the import cache (importCache) to be used during the command-line-based import process of LDIF files to the database (the ldif2db operation).
Database Attributes under cn=monitor, cn=ldbm database, cn=plugins, cn=config Parameter Description Entry DN cn=config, cn=ldbm database, cn=plugins, cn=config Valid Range -1, 0 (turns import cache autosizing off) to 100 Default Value -1 (turns import cache autosizing on for ldif2db only and allocates 50% of the free physical memory to importCache) Syntax Integer...
Chapter 3. Plug-in Implemented Server Functionality Reference dbcachepagein This attribute shows the pages read into the database cache. dbcachepageout This attribute shows the pages written from the database cache to the backing file. dbcacheroevict This attribute shows the clean pages forced from the cache. dbcacherwevict This attribute shows the dirty pages forced from the cache.
cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=UserRoot, cn=ldbm database, cn=plugins, cn=config Parameter Description Example nsslapd-cachesize: -1 3.4.3.2. nsslapd-cachememsize This performance tuning-related attribute specifies the cache size in terms of available memory space. The simplest method is limiting cache size in terms of memory occupied. Activating automatic cache resizing overrides this attribute, replacing these values with its own guessed values at a later stage of the server startup.
Chapter 3. Plug-in Implemented Server Functionality Reference 3.4.3.4. nsslapd-readonly This attribute specifies read-only mode for a single back-end instance. If this attribute has a value of off, then users have all read, write, and execute permissions allowed by their access permissions. Parameter Description Entry DN...
Database Attributes under cn=database, cn=monitor, cn=ldbm database, cn=plugins, cn=config 3.4.4. Database Attributes under cn=database, cn=monitor, cn=ldbm database, cn=plugins, cn=config The attributes in this tree node entry are all read-only, database performance counters. All of the values for these attributes are 32-bit integers. nsslapd-db-abort-rate This attribute shows the number of transactions that have been aborted.
Chapter 3. Plug-in Implemented Server Functionality Reference nsslapd-db-hash-search-rate This attribute shows the total number of buffer hash table lookups. nsslapd-db-lock-conflicts This attribute shows the total number of locks not immediately available due to conflicts. nsslapd-db-lock-region-wait-rate This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
Database Attributes under cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config nsslapd-db-page-trickle-rate This attribute shows the dirty pages written using the memp_trickle interface. nsslapd-db-page-write-rate This attribute shows the pages written from the cache to the backing file. nsslapd-db-pages-in-use This attribute shows all pages, clean or dirty, currently in use. nsslapd-db-txn-region-wait-rate This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
Chapter 3. Plug-in Implemented Server Functionality Reference Parameter Description • eq = equality index • approx = approximate index • sub = substring index • matching rule = international index • index browse = browsing index Default Value Syntax DirectoryString Example nsindextype: eq 3.4.5.3.
Database Attributes under cn=monitor, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config Parameter Description Valid Values Any valid index cn Default Value None Syntax DirectoryString Example cn: aci 3.4.5.5. description This optional attribute provides a free-form text description of what the index does. Parameter Description Entry DN...
Chapter 3. Plug-in Implemented Server Functionality Reference 3.4.7. Database Attributes under cn=index, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=index, cn=UserRoot, cn=ldbm database, cn=plugins, cn=config In addition to the set of default indexes that are stored under cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config, custom indexes can be created for o=NetscapeRoot, o=UserRoot, and user-defined backend instances;...
Database Link Plug-in Attributes (Chaining Attributes) Figure 3.3. Encrypted Attributes under the cn=config Node For example, the attribute encryption configuration entry for the userPassword attribute under o=UserRoot appears in the Directory Server as follows:
dn: cn=userPassword, cn=encrypted attributes, o=UserRoot, cn=ldbm database, cn=plugins, cn=config
objectclass: top
objectclass: nsAttributeEncryption
cn: userPassword
...
Chapter 3. Plug-in Implemented Server Functionality Reference Figure 3.4. Database Link Plug-in All plug-in technology used by the database link instances is stored in the cn=chaining database plug-in node. This section presents the additional attribute information for the three nodes marked in Figure 3.4, bold in the cn=chaining database, cn=plugins, cn=config information tree in “Database Link...
Database Link Attributes under cn=config, cn=chaining database, cn=plugins, cn=config is suspected. Once this delay period has been met, the database link tests the connection with the remote server. Parameter Description Entry DN cn=config, cn=chaining database, cn=plugins, cn=config Valid Values Any valid delay period in seconds Default Value 60 seconds Syntax...
Chapter 3. Plug-in Implemented Server Functionality Reference 3.5.2. Database Link Attributes under cn=default instance config, cn=chaining database, cn=plugins, cn=config Default instance configuration attributes for instances are housed in the cn=default instance config, cn=chaining database, cn=plugins, cn=config tree node. 3.5.2.1. nsAbandonedSearchCheckInterval This attribute shows the number of seconds that pass before the server checks for abandoned operations.
Database Link Attributes under cn=default instance config, cn=chaining database, cn=plugins, cn=config Parameter Description Valid Range 0 to 5 Default Value Syntax Integer Example nsBindRetryLimit: 3 3.5.2.4. nsBindTimeout This attribute shows the amount of time before the bind attempt times out. There is no real valid range for this attribute, except reasonable patience limits.
Chapter 3. Plug-in Implemented Server Functionality Reference 3.5.2.7. nsConcurrentOperationsLimit This attribute specifies the maximum number of concurrent operations allowed. Parameter Description Entry DN cn=default instance config, cn=chaining database, cn=plugins, cn=config Valid Range 1 to 50 operations Default Value Syntax Integer Example nsConcurrentOperationsLimit: 5 3.5.2.8.
Database Link Attributes under cn=default instance config, cn=chaining database, cn=plugins, cn=config Parameter Description Entry DN cn=default instance config, cn=chaining database, cn=plugins, cn=config Valid Values on | off Default Value Syntax DirectoryString Example nsProxiedAuthorization: on 3.5.2.11. nsReferralOnScopedSearch This attribute controls whether referrals are returned by scoped searches. This attribute can be used to optimize the directory because returning referrals in response to scoped searches is more efficient.
Chapter 3. Plug-in Implemented Server Functionality Reference Parameter Description Syntax Integer Example nsslapd-timelimit: 3600 3.5.3. Database Link Attributes under cn=database link instance name, cn=chaining database, cn=plugins, cn=config This information node stores the attributes concerning the server containing the data. A farm server is a server which contains data on databases.
Database Link Attributes under cn=monitor, cn=database instance name, cn=chaining database, cn=plugins, cn=config Parameter Description Entry DN cn=database link instance name, cn=chaining database, cn=plugins, cn=config Valid Values Any valid password, which is then stored using the reversible DES password encryption scheme. Because the encryption is reversible, anyone who can read dse.ldif can recover this password, so the instance configuration directory must remain readable only by the Directory Server user. Default Value Syntax...
Chapter 3. Plug-in Implemented Server Functionality Reference nsSearchOneLevelCount This attribute gives the number of one-level searches received. nsSearchSubtreeCount This attribute gives the number of subtree searches received. nsAbandonCount This attribute gives the number of abandon operations received. nsBindCount This attribute gives the number of bind requests received. nsUnbindCount This attribute gives the number of unbinds received.
nsslapd-changelogdir 3.6.1. nsslapd-changelogdir This attribute specifies the name of the directory in which the changelog database is created the first time the plug-in is run. By default, the database is stored with all the other databases under /var/lib/dirsrv/slapd-instance_name/changelogdb. NOTE For performance reasons, store this database on a different physical disk.
Chapter 4. Server Instance File Reference This chapter provides an overview of the files that are specific to an instance of Red Hat Directory Server (Directory Server) — the files stored in the /usr/lib/dirsrv/slapd-instance_name directory. Having an overview of the files and configuration information stored in each instance of Directory Server helps with understanding the file changes (or lack of file changes) which occur in the course of directory activity.
Configuration Files 4.3. Configuration Files Each Directory Server instance stores its configuration files in the /etc/dirsrv/slapd-instance_name directory. The configuration files in this directory are explained in Section 2.1, “Server Configuration - Overview”. 4.4. Database Files Each Directory Server instance contains the /var/lib/dirsrv/slapd-instance_name/db directory for storing all of the database files.
Chapter 4. Server Instance File Reference • entrydn.db4 — Contains a list of full DNs to find any ID. • id2entry.db4 — Contains the actual directory database entries. All other database files can be recreated from this one, if necessary. •...
Log Files operation at a time (not ldif2db.pl, because multiple ldif2db.pl operations can be run at any time) to the exclusion of all export and slapd server operations. If there are error messages indicating that the lock table is out of available locks (for example, libdb: Lock table is out of available locks), double the value of the nsslapd-db-locks attribute in the cn=config,cn=ldbm database,cn=plugins,cn=config entry.
Chapter 5. Access Log and Connection Code Reference Red Hat Directory Server (Directory Server) provides logs to help monitor directory activity. Monitoring helps in quickly detecting and remedying failures and, where done proactively, in anticipating and resolving potential problems before they result in failure or poor performance. Part of monitoring the directory effectively is understanding the structure and content of the log files.
Chapter 5. Access Log and Connection Code Reference 5.1.1. Access Logging Levels Different levels of access logging exist, and changing the value of the nsslapd-accesslog-level configuration attribute sets the exact type of logging required. See Section 2.3.1.2, “nsslapd-accesslog-level” for full details on access log levels.
Default Access Logging Content 5.1.2.1. Connection Number Every external LDAP request is listed with an incremental connection number, in this case conn=11, starting at conn=0 immediately after server startup.
[21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
Internal LDAP requests are not recorded in the access log by default. To activate the logging of internal access operations, specify access logging level 4 on the nsslapd-accesslog-level attribute; see Section 2.3.1.2, “nsslapd-accesslog-level”...
Chapter 5. Access Log and Connection Code Reference • 128 for simple bind with user password • sasl for SASL bind using external authentication mechanism 5.1.2.6. Version Number The version number, in this case version=3, indicates the LDAP version number (either LDAPv2 or LDAPv3) that the LDAP client used to communicate with the LDAP server.
Default Access Logging Content 5.1.2.9. Number of Entries nentries shows the number of entries, in this case nentries=0, that were found matching the LDAP client's request.
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
5.1.2.10. Elapsed Time etime shows the elapsed time, in this case etime=0, that is, the amount of time (in seconds) that it took the Directory Server to perform the LDAP operation.
Chapter 5. Access Log and Connection Code Reference • REFERRAL, an LDAP referral or search reference 5.1.2.13. Unindexed Search Indicator The unindexed search indicator, notes=U, indicates that the search performed was unindexed, which means that the database itself had to be directly searched instead of the index file. Unindexed searches occur in three scenarios: •...
Default Access Logging Content • The value is 0210. The second part, 10:5397 (0), is the VLV response information: • The targetPosition is 10. • The contentCount is 5397. • The (resultCode) is (0). 5.1.2.15. Search Scope The entry scope=n defines the scope of the search performed, and n can have a value of 0, 1, or 2. •...
Chapter 5. Access Log and Connection Code Reference Extended Operation Name Description Directory Server Bulk Import Sent by the client to signal the 2.16.840.1.113730.3.5.8 Finished end of a bulk import and sent by the server to acknowledge it. Table 5.2. LDAPv3 Extended Operations Supported by Directory Server 5.1.2.17.
Access Log Content for Additional Access Logging Levels In logging a SASL bind, the sasl method is followed by the LDAP version number (see Section 5.1.2.6, “Version Number”) and the SASL mechanism used, as shown below with the GSS-API mechanism. [21/Apr/2007:12:57:14 -0700] conn=32 op=0 BIND dn=""...
Chapter 5. Access Log and Connection Code Reference [12/Jul/2007:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Red Hat Servers,dc=example,dc=com" [12/Jul/2007:16:43:02 +0200] conn=306 op=0 REFERRAL 5.1.3.1. Connection Description The connection description, in this case conn=Internal, indicates that the connection is an internal connection. The operation number op=-1 also indicates that the operation was initiated internally. [12/Jul/2007:16:45:46 +0200] conn=Internal op=-1 ENTRY dn="cn=\22dc=example,dc=com\22, cn=mapping tree, cn=config"...
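The fields described in Section 5.1.2 (connection number and client address, BIND dn and method, RESULT err, nentries and etime, the notes=U unindexed-search indicator, and the sasl bind form shown above) are enough to build a small detector for the events an operator most often hunts for: unindexed searches, anonymous simple binds, and repeated invalid-credential failures per client. The following Python script is an added example for this reference, not part of Red Hat Directory Server: it correlates each request with its RESULT line by (conn, op), resolves the connection back to the client address from its "connection from" line, and summarizes those three conditions. The log lines are constructed for the example after the format quoted in this chapter; the client addresses, DNs and the `mech=GSSAPI` field are assumptions, not taken from this page.

```python
"""Scan a Directory Server access log for security-relevant events.

Added example for this reference; not part of Red Hat Directory Server.
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in this chapter.
# Addresses, DNs and the mech= field are invented for the example.
SAMPLE_LOG = """\
[21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2007:11:39:52 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(description=*admin*)" attrs=ALL
[21/Apr/2007:11:39:53 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=5397 etime=1 notes=U
[21/Apr/2007:11:39:54 -0700] conn=11 op=2 UNBIND
[21/Apr/2007:12:57:14 -0700] conn=32 fd=611 slot=611 connection from 10.0.0.5 to 192.18.122.139
[21/Apr/2007:12:57:14 -0700] conn=32 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Apr/2007:12:57:14 -0700] conn=32 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,ou=people,dc=example,dc=com"
[21/Apr/2007:12:58:00 -0700] conn=33 fd=612 slot=612 connection from 10.0.0.9 to 192.18.122.139
[21/Apr/2007:12:58:00 -0700] conn=33 op=0 BIND dn="" method=128 version=3
[21/Apr/2007:12:58:00 -0700] conn=33 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2007:12:58:01 -0700] conn=33 op=1 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3
[21/Apr/2007:12:58:01 -0700] conn=33 op=1 RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\S+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted"
VERB_RE = re.compile(r'\bop=-?\d+ ([A-Z]+)')          # the operation keyword after op=N
CONNECT_RE = re.compile(r'connection from (\S+) to (\S+)')


def parse_line(line):
    """Split one access log line into a dict of its fields, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    rec = {'ts': m.group('ts'), 'conn': m.group('conn'), 'verb': None}
    for key, value in KV_RE.findall(rest):
        if value.startswith('"'):
            value = value[1:-1]          # strip quotes around dn=, base=, filter=
        rec[key] = value
    connect = CONNECT_RE.search(rest)
    verb = VERB_RE.search(rest)
    if connect:
        rec['verb'], rec['client'], rec['server'] = 'CONNECT', connect.group(1), connect.group(2)
    elif verb:
        rec['verb'] = verb.group(1)
    return rec


def analyze(lines):
    """Correlate requests with their RESULT lines and flag notable events."""
    clients = {}   # conn -> client address taken from its "connection from" line
    pending = {}   # (conn, op) -> request record waiting for its RESULT
    report = {'unindexed': [], 'anonymous_binds': [], 'failed_binds': defaultdict(int)}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        conn, verb = rec['conn'], rec['verb']
        client = clients.get(conn, 'unknown')
        if verb == 'CONNECT':
            clients[conn] = rec['client']
        elif verb in ('BIND', 'SRCH'):
            pending[(conn, rec.get('op'))] = rec
            # dn="" with method=128 is an anonymous simple bind; a SASL bind
            # also logs dn="" but is identified by the mechanism, not anonymous.
            if verb == 'BIND' and rec.get('method') == '128' and rec.get('dn') == '':
                report['anonymous_binds'].append({'conn': conn, 'client': client, 'ts': rec['ts']})
        elif verb == 'RESULT':
            req = pending.pop((conn, rec.get('op')), {})
            if 'U' in (rec.get('notes') or ''):      # notes=U: unindexed search
                report['unindexed'].append({
                    'conn': conn, 'op': rec.get('op'), 'client': client,
                    'base': req.get('base'), 'filter': req.get('filter'),
                    'nentries': int(rec.get('nentries', 0)), 'etime': int(rec.get('etime', 0))})
            if req.get('verb') == 'BIND' and rec.get('err') == '49':   # invalid credentials
                report['failed_binds'][client] += 1
    report['failed_binds'] = dict(report['failed_binds'])
    return report


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG.splitlines())
    for hit in result['unindexed']:
        print('unindexed search conn=%(conn)s op=%(op)s from %(client)s '
              'filter=%(filter)s nentries=%(nentries)d' % hit)
    for hit in result['anonymous_binds']:
        print('anonymous simple bind conn=%(conn)s from %(client)s at %(ts)s' % hit)
    for client, count in result['failed_binds'].items():
        print('failed binds (err=49) from %s: %d' % (client, count))
```

Point the script at a real access log by replacing SAMPLE_LOG.splitlines() with the file's lines; because requests and their RESULT lines are matched on (conn, op), the unindexed-search report carries the filter that caused the full scan, which is what is needed to decide whether to add an index under cn=index, cn=UserRoot, cn=ldbm database, cn=plugins, cn=config.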
LDAP Result Codes
Connection Code / Description
information about this configuration attribute, see Section 2.3.1.58, “nsslapd-idletimeout (Default Idle Timeout)”.
Server closed connection after ioblocktimeout period was exceeded. For further information about this configuration attribute, see Section 2.3.1.60, “nsslapd-ioblocktimeout (IO Block Time Out)”.
Result Code (Defined Value), two columns
NO_SUCH_OBJECT    NO_RESULTS_RETURNED
ALIAS_PROBLEM    MORE_RESULTS_TO_RETURN
INVALID_DN_SYNTAX    CLIENT_LOOP (96)
IS_LEAF    REFERRAL_LIMIT_EXCEEDED
ALIAS_DEREFERENCING_PROBLEM
Table 5.4. LDAP Result Codes...
Chapter 6. Command-Line Utilities
This chapter contains reference information on command-line utilities used with Red Hat Directory Server (Directory Server). These command-line utilities make it easy to perform administration tasks on the Directory Server.
6.1. Finding and Executing Command-Line Utilities
The ldapsearch, ldapmodify, ldapdelete, and ldappasswd command-line utilities are provided as a separate package, called either mozldap-tools or mozldap6-tools, and the utilities are installed in /usr/lib/mozldap or /usr/lib/mozldap6, respectively.
6.3. Command-Line Utilities Quick Reference
The following table provides a summary of the command-line utilities provided for Directory Server.
Command-Line Utility / Description
ldapsearch: Searches the directory and returns search results in LDIF format. For details on this tool, see the "Finding Directory Entries"...
ldapsearch
Syntax
ldapsearch [ -b basedn ] [ optional_options ] [ filter ] [ optional_list_of_attributes ]
For any value that contains a space ( ), the value should be enclosed in double quotation marks. For example:
-b "ou=groups, dc=example,dc=com"
Option / Description
optional_options: A series of command-line options.
Option / Description
The root DSE entry is a special entry that contains a list of all the suffixes supported by the local directory. To search this entry, supply a search base of "", a search scope of base, and a filter of "objectclass=*".
Option / Description
the Directory Manager. The default value for the nsslapd-timelimit attribute is 3600 seconds. See Section 2.3.1.95, “nsslapd-timelimit (Time Limit)” for more information.
Specifies the TCP port number that the Directory Server uses. For example:
-p 1049
The default is 389.
Option / Description
-z 1000
Normally, regardless of the value specified here, ldapsearch never returns more entries than the number allowed by the server's nsslapd-sizelimit attribute, unless the authenticated user is the Directory Manager. However, this limitation can be overridden by binding as the root DN when using this command-line argument.
Option / Description
cert8.db file (the path which is specified with the -P option).
Specifies the path to the security module database, such as /etc/dirsrv/slapd-instance_name/secmod.db. This option only needs to be given if the security module database is in a different directory than the certificate database itself.
Option / Description
Specifies that SSL is to be used for the search request.
Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not have to be aborted;...
• GSSAPI, described in Table 6.8, “Description of GSSAPI SASL Mechanism Options”
Required or Optional / Option / Description / Example
Required: mech=CRAM-MD5. Gives the SASL mechanism. Example: -o “mech=CRAM-MD5”
Required: authid=authid_value. Gives the ID used to authenticate to the server. authid_value can be the following: •... Example: “authid=dn:uid=msmith,ou=People,o=
Required or Optional / Option / Description / Example
mechanisms that allow anonymous access.
• minssf — Require a minimum security strength; this option needs a numeric value specifying bits of encryption. A value of -1 means integrity is provided without privacy.
Required or Optional / Option / Description / Example
Optional: secprop=value. The secprop attribute sets the security properties for the connection. The secprop value can be any of the following:
• None
• noplain — Do not permit mechanisms susceptible to simple passive attack.
Example: “secprop=noplain,noanonymous,maxssf=128,minssf=128”
Required or Optional / Option / Description / Example
ticket before issuing a GSS-API request.
Optional: secprop=value. The secprop attribute sets the security properties for the connection. The secprop value can be any of the following:
• None
•...
Example: “secprop=noplain,noanonymous,maxssf=56,minssf=56”
Additional ldapsearch Options
Option / Description
Specifies that the search retrieve the attributes only, not the attribute values. This option is useful to determine whether an attribute is present for an entry when the value itself is not important.
Specifies how alias dereferencing is completed. Values can be never, always, search, or find.
Option / Description
the search, all available entries before/after the search target that match the search criteria are returned. An index operation which sorts by surname, -G 20:30:100:0, returns from the 80th through 130th entries sorted by sn. Use 0 as the fourth value for the count number unless you know how many entries the VLV index has.
Option / Description
containing the referral. Use this option to search for entries that contain smart referrals. For more information about smart referrals, see the "Configuring Directory Databases" chapter in the Directory Server Administrator's Guide.
Specifies that the search is not actually to be performed, but that ldapsearch is to show what it would do with the specified input.
Option / Description
LDAPv3 is the default. An LDAPv3 search cannot be performed against a Directory Server that only supports LDAPv2.
Specifies the proxy DN to use for the search. This argument is provided for testing purposes. For more information about proxied authorization, see the "Managing Access Control"...
ldapmodify
Option / Description
also allows directly adding a file created by ldapmodify.
Specifies the suffix under which the new entries will be added.
Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries.
Option / Description
-p 1049
The default is 389. If -Z is used, the default is 636.
Causes each add to be performed silently as opposed to being echoed to the screen individually.
Specifies the password associated with the distinguished name specified in the -D option.
Option / Description
-N Server-Cert
If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified on -D and -w.
Specifies the absolute path, including the filename, of the certificate database of the client.
Option / Description
information is incorrect, the command is aborted immediately.
Table 6.11. ldapmodify SSL Options
SASL Options
SASL mechanisms can be used to authenticate a user, using the -o option to pass the required SASL information. To learn which SASL mechanisms are supported, search the root DSE. See the -b option in Table 6.3, “Commonly-Used ldapsearch Options”.
Option / Description
For example, to add a jpegPhoto attribute, specify the -b option on the ldapmodify call. In the LDIF provided to ldapmodify, include a line like the following:
jpegPhoto: /tmp/photo.jpeg
ldapmodify reads the contents of the photo.jpeg file into the jpegPhoto attribute being added to the entry.
Option / Description
Specifies that the entries are not actually to be modified but that ldapmodify is to show what it would do with the specified input.
Specifies the maximum number of referral hops to follow. For example:
-O 2
Specifies that referrals are not to be followed automatically.
ldapdelete
Option / Description
Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries. For example:
-D "uid=bjensen, dc=example,dc=com"
For more information on access control, see the "Managing Access Control"...
Option / Description
the command line so that it does not show up in clear text in a listing of commands.
Table 6.14. Commonly-Used ldapdelete Options
SSL Options
Use the following options to specify that ldapdelete use LDAPS when communicating with the Directory Server or to use certificate-based authentication.
Option / Description
-P /security/cert.db
The client security files can be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory. In this case, the -P option calls out a path and filename similar to the following:
-P /etc/dirsrv/slapd-instance_name/client-cert.db
Specifies the token and certificate name, which are separated by a colon (:) for PKCS11.
Option / Description
• secProp
• realm
• flags
The expected values depend on the supported mechanism. The -o option can be used multiple times to pass all of the required SASL information for the mechanism. For example:
-o "mech=DIGEST-MD5"...
ldappasswd
Option / Description
There is no maximum number of referral hops.
Specifies that referrals are not to be followed automatically. By default, the server follows referrals.
Specifies that the utility is to run in verbose mode.
Specifies the LDAP version number to be used on the operation.
Option / Description
Specifies the user's existing password. For example:
-a old_password
Specifies that the command should prompt for a new password for the user.
Specifies a new password for the user. For example:
-S new_password
Specifies a file from which to read the new password.
Option / Description
For more information on access control, see the "Managing Access Control" chapter in the Directory Server Administrator's Guide.
Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests.
Option / Description
based authentication will not occur, and the bind operation will use the authentication credentials specified by -D and -w.
Specifies the absolute path, including the filename, of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be that of the certificate database...
Option / Description
Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not need to be aborted; it will continue in cleartext.
Enforces the Start TLS request.
The Directory Manager changes the password of the user uid=tuser1,ou=People,dc=example,dc=com to new_password over SSL.
ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "cn=Directory Manager" -w dmpassword -s new_password "uid=tuser1,ou=People,dc=example,dc=com"
Example 6.1. Directory Manager Changing a User's Password Over SSL
The Directory Manager generates the password of the user uid=tuser2,ou=People,dc=example,dc=com over SSL.
ldif
ldappasswd -h myhost -o "mech=GSSAPI" -S
Example 6.6. User Already Authenticating by Kerberos Prompts for a New Password
6.8. ldif
ldif automatically formats LDIF files and creates base-64 encoded attribute values. Base-64 encoding makes it possible to represent binary data, such as a JPEG image, in LDIF. Base-64 encoded data is represented using a double colon (::) symbol.
Option / Description
NOTE
The :< URL specifier notation only works if the LDIF statement is version 1 or later, meaning version: 1 is inserted in the LDIF file. Otherwise, the file URL is appended as the attribute value rather than the contents of the file.
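Section 6.8 and the NOTE above describe two LDIF rules that are easy to get wrong by hand: a value that is not a safe ASCII string must be written with the double-colon base-64 form, and the :< file URL form is only honoured when the record starts with version: 1. The following is an added example and not the ldif utility's or ldapmodify's own code: a Python writer that applies the RFC 2849 safe-string test to decide between "attr: value" and "attr:: base64", and a reader that decodes both forms and applies the version rule to :< URLs, resolving file:// URLs through a caller-supplied loader so the block runs offline. The loader callback, the function names and the sample photo bytes are this example's own assumptions; folded continuation lines are not handled.

```python
import base64
from typing import Callable, Dict, List, Union


def needs_base64(value: bytes) -> bool:
    """RFC 2849 SAFE-STRING test: a plain value must not start with a space,
    ':' or '<', must not end with a space, and must be printable ASCII."""
    if not value:
        return False
    if value[0] in b" :<" or value.endswith(b" "):
        return True
    return any(b < 0x20 or b > 0x7E for b in value)


def encode_attr(name: str, value: Union[str, bytes]) -> str:
    """Render one attribute line the way the ldif utility does: 'attr: value'
    for a safe string, 'attr:: <base64>' for anything else (binary, UTF-8,
    leading/trailing whitespace)."""
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    if needs_base64(raw):
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {raw.decode('ascii')}"


def write_entry(dn: str, attrs: Dict[str, List[Union[str, bytes]]]) -> str:
    lines = [encode_attr("dn", dn)]
    for name, values in attrs.items():
        lines.extend(encode_attr(name, v) for v in values)
    return "\n".join(lines) + "\n"


def read_entry(ldif_text: str, load_file: Callable[[str], bytes]) -> Dict[str, List[bytes]]:
    """Decode the attribute lines of one LDIF record. 'version: 1' enables the
    ':< file://' form; without it the URL text itself becomes the value, which
    is exactly the behaviour the NOTE warns about. load_file is an assumed
    callback (path -> bytes) so that no real file is touched here."""
    version = None
    attrs: Dict[str, List[bytes]] = {}
    for line in ldif_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if name == "version" and version is None and not attrs:
            version = int(rest.strip())
            continue
        if rest.startswith(":"):                      # attr:: base64
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):                    # attr:< URL
            url = rest[1:].strip()
            if version is not None and version >= 1 and url.startswith("file://"):
                value = load_file(url[len("file://"):])
            else:
                value = url.encode("utf-8")           # no version line: literal URL
        else:                                         # attr: value
            value = rest.strip().encode("utf-8")
        attrs.setdefault(name, []).append(value)
    return attrs


if __name__ == "__main__":
    # Constructed sample: a JPEG header and a value with a leading space.
    print(write_entry("uid=bjensen,ou=People,dc=example,dc=com",
                      {"jpegPhoto": [b"\xff\xd8\xff\xe0"], "description": [" leading"]}))
```

Running the writer over a value such as " leading" shows why the utility exists: the leading space would be lost in the plain form, so it comes out as description:: IGxlYWRpbmc= instead.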
dbscan
Option / Parameter / Description
entry_id: Specifies the entry ID to look
Table 6.23. Entry File Options
NOTE
The index file options, listed in Table 6.24, “Index File Options”, are meaningful only when the database file is the secondary index file.
Option / Parameter / Description...
dbscan -s -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/objectclass.db4
Example 6.11. Displaying the Summary of objectclass.db4
dbscan -r -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/vlv#bymccoupeopledcpeopledccom.db4
Example 6.12. Displaying VLV Index File Contents
dbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/c1a2fc02-1d11b2-8018afa7-fdce000_424c8a000f00.db4
Example 6.13. Displaying the Changelog File Contents
dbscan -R -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/uid.db4
Example 6.14.
Chapter 7. Command-Line Scripts
This chapter provides information on the scripts for managing Red Hat Directory Server, such as backing up and restoring the database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A, Using the ns-slapd Command-Line Utilities.
7.1.
Shell Script / Description
start-slapd: Starts Directory Server.
stop-slapd: Stops Directory Server.
suffix2instance: Maps a suffix to a backend name.
verify-db.pl: Checks backend database files.
vlvindex: Creates and generates virtual list view (VLV) indexes.
Table 7.1. Shell Scripts in /usr/lib/dirsrv/slapd-instance_name or /usr/lib64/dirsrv/slapd-instance_name
Perl Script / Description...
Shell Scripts
Script Name / Description / Perl or Shell Script
If a user cannot log in, use this script to compare the user's password to the password stored in the directory.
repl-monitor: Provides in-progress status of replication. (Shell)
repl-monitor.pl: Provides in-progress status of replication. (Perl)
When a shell script has a Perl equivalent, there is a cross-reference to the section describing the equivalent Perl script.
7.3.1. bak2db (Restores a Database from Backup)
Restores the database from the most recent archived backup. To run this script, the server must be stopped.
dbverify (Checks for Corrupt Databases)
Option / Description
-D bindDn: Specifies the Directory Server's bind DN. Defaults to cn=Directory Manager if the option is omitted.
-h host: Specifies the Directory Server's host. This defaults to the server where the script is running.
-i changelogFile: Specifies the path to the changelog file.
Run db2index -t uid to avoid rebuilding all of the indexes, or export and reimport all of the databases using db2ldif and ldif2db.
dbverify is a shell script wrapper of verify-db.pl to set the appropriate library path.
Syntax
dbverify [ -a /path/to/database_directory ]
Options...
Usage
Here are a few sample commands:
• Reindex all the database index files: db2index
• Reindex cn and givenname in the database instance userRoot: db2index -n userRoot -t cn -t givenname
• Reindex cn in the database where the root suffix is dc=example,dc=com: db2index -s "dc=example,dc=com"...
Option / Description
-s includeSuffix: Gives the suffixes to be included, or specifies the subtrees to be included if -n has been used.
-x excludeSuffix: Gives the suffixes to be excluded.
Table 7.9. ldif2db Options
7.3.8. ldif2ldap (Performs Import Operation over LDAP)
Performs an import operation over LDAP to the Directory Server.
monitor (Retrieves Monitoring Information)
For more information on the different storage schemes, such as SSHA, SHA, CRYPT, and CLEAR, see the Directory Server Administrator's Guide.
7.3.10. monitor (Retrieves Monitoring Information)
Retrieves performance monitoring information using the ldapsearch command-line utility.
Syntax
monitor
Options
There are no options for this script.
Option / Description
-t refreshInterval: Specifies the refresh interval in seconds. The default value is 300 seconds. This option must be used with the -u option.
-u refreshUrl: Specifies the refresh URL. The output HTML file may invoke a CGI program periodically. If this CGI program in turn calls this script, the effect is that the output HTML file would automatically refresh itself.
restart-slapd (Restarts the Directory Server)
*:*:binddn:bindpassword:
host1:*:binddn1:bindpassword1:
In the optional alias section, use aliases such as Supplier1, Supplier2, and Hub1 to identify the servers in the replication topology. If used, the output shows these aliases instead of http(s)://hostname:port. The CSN time lags between suppliers and consumers can be displayed in different colors based on their range.
Syntax
restart-slapd
Options
There are no options for this script.
Exit Status
Exit Code / Description
Server restarted successfully.
Server could not be started.
Server restarted successfully but was already stopped.
Server could not be stopped.
Table 7.13. restart-slapd Exit Status Codes
7.3.13.
start-slapd (Starts the Directory Server)
Options
There are no options for this script.
7.3.15. start-slapd (Starts the Directory Server)
Starts the Directory Server. It is a good idea to check whether the server has actually started, using the ps command, because the script may return while the startup process is still ongoing, resulting in a confusing message.
7.3.17. suffix2instance (Maps a Suffix to a Backend Name)
Maps a suffix to a backend name.
Syntax
suffix2instance { -s suffix }
Options
Option / Description
-s suffix: Suffix to be mapped to the backend.
Table 7.16. suffix2instance Options
7.3.18.
Perl Scripts
7.4. Perl Scripts
This section describes the following Perl scripts:
• Section 7.4.1, “bak2db.pl (Restores a Database from Backup)”
• Section 7.4.2, “cl-dump.pl (Dumps and Decodes the Changelog)”
• Section 7.4.3, “db2bak.pl (Creates a Backup of a Database)”
• Section 7.4.4, “db2index.pl (Creates and Generates Indexes)”...
Option / Description
to use the -n option to restore the entire directory.
-t databaseType: The database type. Currently, the only possible database type is ldbm.
Verbose mode.
-w password: The password associated with the user DN.
Table 7.18.
db2bak.pl (Creates a Backup of a Database)
Option / Description
Prints the version of the script.
-w bindPassword: Specifies the password for the bind DN.
Table 7.19. cl-dump.pl command options
7.4.3. db2bak.pl (Creates a Backup of a Database)
Creates a backup of the database.
Syntax
db2bak.pl [ -v ] -D rootdn -w password [ -a dirName ]
Options...
Option / Description
-D rootdn: Gives the user DN with root permissions, such as Directory Manager.
-j filename: The name of the file containing the password.
-n backendInstance: Gives the instance to be indexed. If the instance is not specified, the script reindexes all instances.
ldif2db.pl (Import)
Option / Description
Sets the output LDIF to be stored in one file by default, with each instance stored in instance_filename.
Exports a replica.
-s includeSuffix: Gives suffixes to be included, or the subtrees to be included if -n has been used.
Requests that the unique ID is not exported.
Option / Description
Use this option to import the same LDIF file into two different Directory Servers when the contents of both directories should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server, regardless of the options specified.
Option / Description
this parameter is omitted, logconv.pl will use the default manager DN of the Directory Server, "cn=Directory Manager".
-E endTimestamp: Specifies the end timestamp; the timestamp must follow the exact format as specified in the access log.
ns-accountstatus.pl (Establishes Account Status)
Option / Description
to the same Directory Server. The tool ignores any file with the name access.rotationinfo.
Table 7.25. logconv.pl Options
Table 7.26, “logconv.pl Options to Display Occurrences” describes the options that enable the optional lists of occurrences. Specify only those required; specifying a large number of options can produce excessive output and affect execution speed.
Syntax
ns-accountstatus.pl [ -D rootdn ] -w password [ -p port ] [ -h host ] -I DN
Options
Option / Description
-D rootdn: Specifies the Directory Server user DN with root permissions, such as Directory Manager.
-h host: Specifies the hostname of the Directory Server.
ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)
Syntax
ns-inactivate.pl [ -D rootdn ] -w password [ -p port ] [ -h host ] -I DN
Options
Option / Description
-D rootdn: Specifies the Directory Server user DN with root permissions, such as Directory Manager.
-h host: Specifies the hostname of the Directory Server.
Option / Description
-S suffixDN: Specifies the DN of the suffix entry that needs to be updated with subtree-level password policy attributes.
-U userDN: Specifies the DN of the user entry that needs to be updated with user-level password policy attributes.
repl-monitor.pl (Monitors Replication Status)
Option / Description
is that the output HTML file would automatically refresh itself. This is useful for continuous monitoring. See also the -t option.
The script has been integrated into Red Hat Administration Express, so that the replication status can be monitored through a web browser.
The CSN time lags between suppliers and consumers can be displayed in different colors based on their range. The default color set is green for 0-5 minutes lag, yellow for 5-60 minutes lag, and pink for a lag of 60 minutes or more.
verify-db.pl (Check for Corrupt Databases)
data corruption if the script is run at the same time as a modify. If that occurs, an entry will be recorded in the error log:
DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
DB ERROR: db_verify: DB->verify: db/mstest2/uid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file uid.db4 in db/mstest2 is corrupted.
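The three error-log messages above have a fixed shape, which makes it possible to turn a verify-db.pl run into a structured finding per index file rather than reading the log by eye. The following is an added example, not part of the Red Hat reference or of verify-db.pl: Python detection logic that groups the out-of-order-key detail, the DB_VERIFY_BAD line and the "is corrupted" line by index file path, and derives the attribute name for the targeted db2index -t rebuild that the dbverify section recommends. The sample log text is constructed from the message shapes shown above (a second cn.db4 line is added to show a file that fails verification without the summary line); the regular expressions use search, so a leading error-log timestamp does not affect matching.

```python
import re
from typing import Dict, List

# Constructed sample error-log excerpt built from the three message shapes
# shown above for verify-db.pl; not taken from a real server.
SAMPLE_ERROR_LOG = """\
DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
DB ERROR: db_verify: DB->verify: db/mstest2/uid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file uid.db4 in db/mstest2 is corrupted.
DB ERROR: db_verify: DB->verify: db/mstest2/cn.db4: DB_VERIFY_BAD: Database verification failed
slapd started.
"""

KEY_ORDER_RE = re.compile(r"db_verify: Page (?P<page>\d+): out-of-order key at entry (?P<entry>\d+)")
VERIFY_BAD_RE = re.compile(r"DB->verify: (?P<path>\S+): DB_VERIFY_BAD")
CORRUPT_RE = re.compile(r"Secondary index file (?P<file>\S+) in (?P<dir>\S+) is corrupted")


def _new_finding() -> dict:
    return {"verify_bad": False, "corrupt_reported": False, "details": []}


def verify_findings(error_log: str) -> Dict[str, dict]:
    """Map each index file path to what db_verify reported about it. The
    out-of-order-key detail line precedes the DB_VERIFY_BAD line for the same
    file, so it is held until that line names the file."""
    findings: Dict[str, dict] = {}
    pending: List[dict] = []
    for line in error_log.splitlines():
        m = KEY_ORDER_RE.search(line)
        if m:
            pending.append({"page": int(m["page"]), "entry": int(m["entry"])})
            continue
        m = VERIFY_BAD_RE.search(line)
        if m:
            f = findings.setdefault(m["path"], _new_finding())
            f["verify_bad"] = True
            f["details"].extend(pending)
            pending = []
            continue
        m = CORRUPT_RE.search(line)
        if m:
            f = findings.setdefault(f"{m['dir']}/{m['file']}", _new_finding())
            f["corrupt_reported"] = True
    return findings


def index_attribute(path: str) -> str:
    """db/mstest2/uid.db4 -> uid: secondary index files are named after the attribute."""
    return path.rsplit("/", 1)[-1].rsplit(".", 1)[0]


def reindex_command(path: str) -> str:
    """The targeted rebuild suggested in the dbverify section instead of a full reindex."""
    return f"db2index -t {index_attribute(path)}"


if __name__ == "__main__":
    for path, finding in verify_findings(SAMPLE_ERROR_LOG).items():
        print(path, finding, "->", reindex_command(path))
```

Because the page notes that a verification run concurrent with a modify can itself produce these messages, a finding from this scan is a trigger to re-run the check on a quiet server before rebuilding anything, not proof of on-disk corruption.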
Appendix A. Using the ns-slapd Command-Line Utilities
Chapter 7, Command-Line Scripts discussed the scripts for performing routine administration tasks on the Red Hat Directory Server (Directory Server). This appendix discusses the ns-slapd command-line utilities that can be used to perform the same tasks. The ns-slapd command-line utilities all perform server administration tasks, and, while it can be argued that they allow a greater degree of flexibility for users, Red Hat recommends using the Chapter 7, Command-Line Scripts...
Option / Description
-d debugLevel: Specifies the debug level to use during the db2ldif runtime. For further information, refer to Section 2.3.1.42, “nsslapd-errorlog-level (Error Level)”.
-D configDir: Specifies the location of the server configuration directory that contains the configuration information for the export process.
Utilities for Restoring and Backing up Databases: ldif2db
Option / Description
the configuration directory, do not exclude o=NetscapeRoot.
Table A.1. db2ldif Options
A.4. Utilities for Restoring and Backing up Databases: ldif2db
Imports LDIF files to the database.
Syntax
ns-slapd ldif2db -D configDir -i ldifFile [ -d debugLevel ] [ -g string ] [ -n backendInstance ] [ -O ] [ -s includeSuffix ] [ -x excludeSuffix ] [ -E ]
Enter the full path to the server configuration directory (configdir).
Option / Description
Use this option to import the same LDIF file into two different Directory Servers when the contents of both directories should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server, regardless of the options specified.
Utilities for Restoring and Backing up Databases: db2archive
Options
Option / Description
-D configDir: Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
Option / Description
Section 2.3.1.42, “nsslapd-errorlog-level (Error Level)”.
-D configDir: Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
Glossary
access control instruction: See ACI.
ACI: An instruction that grants or denies permissions to entries in the directory. See Also access control instruction.
access control list: See ACL.
ACL: The mechanism for controlling access to your directory. See Also access control list.
access rights: In the context of access control, specify the level of access granted or denied.
authentication: (1) Process of proving the identity of the client user to the Directory Server. Users must provide a bind DN and either the corresponding password or certificate in order to be granted access to the directory. Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator.
certificate: A collection of data that associates the public keys of a network user with their DN in the directory. The certificate is stored in the directory as user object attributes.
Certificate Authority: Company or organization that sells and issues authentication certificates.
A method for sharing attributes between entries in a way that is invisible to applications.
CoS definition entry: Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects.
CoS template entry: Contains a list of the shared attribute values.
IP address for a hostname from a DNS server, or they look it up in tables maintained on their systems.
DNS alias: A DNS alias is a hostname that the DNS server knows points to a different host, specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases.
hostname: A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example and com domain.
HTML: Hypertext Markup Language. The formatting language used for documents on the World Wide Web.
LDAP: Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.
LDAPv3: Version 3 of the LDAP protocol, upon which Directory Server bases its schema format.
LDAP client: Software used to request and view LDAP entries from an LDAP Directory Server.
master: See supplier.
master agent: SNMP master agent.
matching rule: Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use.
MD5: A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data that is unique with high probability and is mathematically extremely hard to produce;...
Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, filesystems, and network parameters throughout a network of computers.
network management station: Powerful workstation with one or more network management
See Also access rights.
PDU: Encoded messages which form the basis of data exchanges between SNMP devices. Also protocol data unit.
pointer CoS: A pointer CoS identifies the template entry using the template DN only.
presence index: Allows searches for entries that contain a specific indexed attribute.
protocol: A set of rules that describes how devices on a network exchange information.
(2) In the context of replication, when a read-only replica receives an update request, it forwards it to the server that holds the corresponding read-write replica. This forwarding process is called a referral.
read-only replica: A replica that refers all update operations to read-write replicas. A server can hold any number of read-only replicas.
schema checking: Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default, and users will receive an error if they try to save an entry that does not conform to the schema.
SSL: A software library establishing a secure connection between two parties (client and server) used to implement HTTPS, the secure version of HTTP. Also called Secure Sockets Layer.
standard index: Index maintained by default.
sub suffix: A branch underneath a root suffix.
subagent: SNMP subagent.
topology: The way a directory tree is divided among physical servers and how these servers link with one another.
Transport Layer Security: See TLS.
uid: A unique number associated with each user on a Unix system.
URL: Uniform Resource Locator. The addressing system used by the server and the client to request documents.