Red Hat DIRECTORY SERVER 8.1 Command Reference Manual


Red Hat Directory Server 8.1 Configuration and Command Reference

Ella Deon Lackey
Publication date: April 28, 2009, updated on February 11, 2010


Summary of Contents for Red Hat DIRECTORY SERVER 8.1

  • Page 1: Command Reference

    Red Hat Directory Server 8.1 Configuration and Command Reference. Ella Deon Lackey. Publication date: April 28, 2009, updated on February 11, 2010...
  • Page 2: Configuration and Command Reference. Red Hat Directory Server 8.1 Configuration and Command Reference. Author: Ella Deon Lackey. Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA").
  • Page 3: Table Of Contents

    About This Reference: 1. Directory Server Overview (ix); 2. Examples and Formatting (ix); 2.1. Command and File Examples (ix); 2.2. Tool Locations (ix); 2.3. LDAP Locations (ix); 2.4. Text Formatting and Styles (x); 3. Additional Reading (xi); 4. ...
  • Page 4: 2.4.8. nsDSWindowsReplicationAgreement (Object Class) (124); 2.4.9. nsMappingTree (Object Class) (126); 2.4.10. nsSaslMapping (Object Class) (127); 2.4.11. nsslapdConfig (Object Class) (127); 2.4.12. passwordpolicy (Object Class) (128); 2.5. Legacy Attributes (130); 2.5.1. Legacy Server Attributes (130); 2.5.2. ...
  • Page 5: 3.2.5. nsslapd-pluginEnabled (160); 3.2.6. nsslapd-pluginId (160); 3.2.7. nsslapd-pluginVersion (160); 3.2.8. nsslapd-pluginVendor (161); 3.2.9. nsslapd-pluginDescription (161); 3.3. Attributes Allowed by Certain Plug-ins (161); 3.3.1. nsslapd-pluginLoadNow (161); 3.3.2. nsslapd-pluginLoadGlobal (162); 3.3.3. nsslapd-plugin-depends-on-type (162); 3.3.4. ...
  • Page 6: 3.7.11. dnaType (208); 3.8. MemberOf Plug-in Attributes (209); 3.8.1. memberofattr (209); 3.8.2. memberofgroupattr (209); 4. Server Instance File Reference; 4.1. Overview of Directory Server Files (211); 4.2. Backup Files (212); 4.3. ...
  • Page 7: 7.3.9. ldif2ldap (Performs Import Operation over LDAP) (285); 7.3.10. monitor (Retrieves Monitoring Information) (285); 7.3.11. repl-monitor (Monitors Replication Status) (286); 7.3.12. pwdhash (Prints Encrypted Passwords) (288); 7.3.13. restart-slapd (Restarts the Directory Server) (289); 7.3.14. restoreconfig (Restores Administration Server Configuration) (289); 7.3.15. ...
  • Page 9: About This Reference

    About This Reference Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in an intranet, over an extranet with trading partners, or over the public Internet to reach customers.
  • Page 10: Text Formatting And Styles

    ... mozldap directory on Red Hat Enterprise Linux 5 (32-bit) (or /usr/lib64/mozldap for 64-bit systems). However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the /usr/bin directory. It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL, which OpenLDAP tools use by default.
  • Page 11: Additional Reading

    Server and how to use the Administration Server with the Configuration and User Directory Server instances. For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, see the Red Hat Directory Server documentation site at http://www.redhat.com/docs/manuals/dir-server/.
  • Page 12: Giving Feedback

    If there is any error in this Configuration, Command, and File Reference or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Directory Server through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues: •...
  • Page 13: Documentation History. Expanding the description of dnaNextRange, Bugzilla #512557. Revision 8.1.0, April 28, 2009, Ella Deon Lackey (dlackey@redhat.com): Initial draft for version 8.1.
  • Page 15: Introduction

    Chapter 1. Introduction Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed to manage large scale directories to support an enterprise-wide directory of users and resources, extranets, and e-commerce applications over the Internet.
  • Page 17: Core Server Configuration Reference

    Chapter 2. Core Server Configuration Reference The configuration information for Red Hat Directory Server is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server using LDAP while it is still running, thus avoiding the need to shut the server down for most configuration changes.
  • Page 18: ... if a server identifier is phonebook, then for a Directory Server on Red Hat Enterprise Linux 5 (32-bit), the configuration LDIF files are all stored under /etc/dirsrv/slapd-phonebook. This directory also contains other server instance-specific configuration files. Schema configuration is also stored in LDIF format, and these files are located in the /etc/dirsrv/slapd-instance_name/schema directory (/etc/opt/dirsrv/slapd-instance_name on HP-UX).
  • Page 19: How The Server Configuration Is Organized

    Configuration filename and purpose: 10rfc2307.ldif: Schema from RFC 2307, "An Approach for Using LDAP as a Network Information Service." This may be superseded by 10rfc2307bis, the new version of rfc2307, when that schema becomes available. 20subscriber.ldif: Contains new schema elements and the Nortel subscriber interoperability specification.
  • Page 20: Configuration Attributes

    When the server generates the dse.ldif file, it lists the entries in hierarchical order in the order that the entries appear in the directory under cn=config, which is usually the same order in which an LDAP search of subtree scope for base cn=config returns the entries.
  • Page 21: Accessing And Modifying Server Configuration

    For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart for configuration changes, see Chapter 3, Plug-in Implemented Server Functionality Reference.
  • Page 22: Changing Configuration Attributes

    These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users: • Members of the Configuration Administrators group. • The user acting as the administrator, the admin account that was configured at setup. By default, this is the same user account which is logged into the Console.
  • Page 23: Restrictions To Modifying Configuration Entries And Attributes

    ldapsearch -b cn=config -D bindDN -w password • bindDN is the DN chosen for the Directory Manager when the server was installed (cn=Directory Manager by default). • password is the password chosen for the Directory Manager. See Section 6.4, “ldapsearch”.
  • Page 24: Core Server Configuration Attributes Reference

    nsSSL3, nsSSLclientauth, nsSSLSessionTimeout, nsslapd-conntablesize, nsslapd-lockdir, nsslapd-maxdescriptors, nsslapd-reservedescriptors, nsslapd-listenhost, nsslapd-schema-ignore-trailing-spaces, nsslapd-securelistenhost, nsslapd-workingdir, nsslapd-return-exact-case, nsslapd-maxbersize. 2.3. Core Server Configuration Attributes Reference: This section contains reference information on the configuration attributes that are relevant to the core server functionality. See Section 2.2, “Accessing and Modifying Server Configuration”.
  • Page 25 cn=config 2.3.1.1. nsslapd-accesslog (Access Log) This attribute specifies the path and filename of the log used to record each LDAP access. The following information is recorded by default in the log file: • IP address of the client machine that accessed the database. •...
  • Page 26: Entry DN: cn=config. Valid Values: • 0 - No access logging • 4 - Logging for internal access operations • 256 - Logging for connections, operations, and results • 512 - Logging for access to an entry and referrals •...
  • Page 27: Syntax: DirectoryString. Example: nsslapd-accesslog-logbuffering: off. 2.3.1.5. nsslapd-accesslog-logexpirationtime (Access Log Expiration Time): This attribute specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
  • Page 28: Table 2.3. dse.ldif Attributes: the combinations of nsslapd-accesslog-logging-enabled and nsslapd-accesslog. Logging is Enabled only when nsslapd-accesslog-logging-enabled is enabled and nsslapd-accesslog is set to a filename; when nsslapd-accesslog is an empty string, or when nsslapd-accesslog-logging-enabled is disabled (with either an empty string or a filename), logging is Disabled. Entry DN: cn=config. Valid Values: ...
  • Page 29: 2.3.1.9. nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space): This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access logs are deleted until enough disk space is freed to satisfy this attribute.
  • Page 30: Valid Range: 0 through 23. Default Value: (blank). Syntax: Integer. Example: nsslapd-accesslog-logrotationsynchour: 23. 2.3.1.12. nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute): This attribute sets the minute of the day for rotating access logs. This attribute must be used in conjunction with the nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.
  • Page 31: 2.3.1.14. nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit): This attribute sets the units for the nsslapd-accesslog-logrotationtime attribute. Entry DN: cn=config. Valid Values: month | week | day | hour | minute. Default Value: (blank). Syntax: DirectoryString. Example: nsslapd-accesslog-logrotationtimeunit: week. 2.3.1.15. ...
  • Page 32: Valid Range: 1 to the maximum 32 bit integer value (2147483647). Default Value: (blank). Syntax: Integer. Example: nsslapd-accesslog-maxlogsperdir: 10. 2.3.1.17. nsslapd-accesslog-mode (Access Log File Permission): This attribute sets the access mode or file permission with which access log files are to be created. The valid values are any combination of 000 to 777 (these mirror the numbered or absolute UNIX file permissions).
  • Page 33: When unauthenticated binds are allowed, the bind attempt goes through as an anonymous bind (assuming anonymous access is allowed). The nsslapd-allow-unauthenticated-binds attribute sets whether to allow an unauthenticated bind to succeed as an anonymous bind. By default, unauthenticated binds are disabled. Entry DN: ...
  • Page 34: Table 2.4. Possible Combinations for nsslapd-auditlog: the combinations of nsslapd-auditlog-logging-enabled and nsslapd-auditlog. Logging is Enabled only when nsslapd-auditlog-logging-enabled is enabled and nsslapd-auditlog is set to a filename; when nsslapd-auditlog is an empty string, or when nsslapd-auditlog-logging-enabled is disabled, logging is Disabled. 2.3.1.21. nsslapd-auditlog-list: Provides a list of audit log files. Entry DN: ...
  • Page 35: Entry DN: cn=config. Valid Values: month | week | day. Default Value: week. Syntax: DirectoryString. Example: nsslapd-auditlog-logexpirationtimeunit: day. 2.3.1.24. nsslapd-auditlog-logging-enabled (Audit Log Enable Logging): Turns audit logging on and off. Entry DN: cn=config. Valid Values: on | off. Default Value: (blank). Syntax: ...
  • Page 36: Disk Space

    When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space.
  • Page 37: Valid Values: on | off. Default Value: (blank). Syntax: DirectoryString. Example: nsslapd-auditlog-logrotationsync-enabled: on. 2.3.1.28. nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour): This attribute sets the hour of the day for rotating audit logs. This attribute must be used in conjunction with the nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsyncmin attributes.
  • Page 38: ... maxlogsperdir attribute value to 1 or set the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-auditlog-logrotationtime attribute. See Section 2.3.1.33, “nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)”...
  • Page 39: Example: nsslapd-auditlog-maxlogsize: 50. 2.3.1.33. nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files): This attribute sets the total number of audit logs that can be contained in the directory where the audit log is stored. Each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted.
  • Page 40: The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file. Entry DN: cn=config. Valid Range: 000 through 777. Default Value: (blank). Syntax: Integer...
  • Page 41: Syntax: DirectoryString. Example: nsslapd-config: cn=config. 2.3.1.38. nsslapd-conntablesize: This attribute sets the connection table size, which determines the total number of connections supported by the server. The server has to be restarted for changes to this attribute to go into effect. Entry DN: ...
  • Page 42: 2.3.1.40. nsslapd-csnlogging: This attribute sets whether change sequence numbers (CSNs), when available, are to be logged in the access log. By default, CSN logging is turned on. Entry DN: cn=config. Valid Values: on | off. Default Value: (blank). Syntax: ...
  • Page 43: • Server startup and shutdown times. • The port number that the server uses. This log contains differing amounts of information depending on the current setting of the Log Level attribute. See Section 2.3.1.44, “nsslapd-errorlog-level (Error Log Level)” for more information. Entry DN: ...
  • Page 44: • 2 — Debug packet handling. • 4 — Heavy trace output debugging. • 8 — Connection management. • 16 — Print out packets sent/received. • 32 — Search filter processing. • 64 — Config file processing. •...
  • Page 45: Entry DN: cn=config. Valid Values: (blank). Default Value: None. Syntax: DirectoryString. Example: nsslapd-errorlog-list: errorlog2,errorlog3. 2.3.1.46. nsslapd-errorlog-logexpirationtime (Error Log Expiration Time): This attribute sets the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units.
  • Page 46: Syntax: DirectoryString. Example: nsslapd-errorlog-logging-enabled: on. 2.3.1.49. nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space): This attribute sets the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted. When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation.
  • Page 47: For error log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files. For example, to rotate error log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attributes to 0.
  • Page 48: ... number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) attribute. Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this.
  • Page 49: Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size. Default Value: (blank). Syntax: Integer. Example: nsslapd-errorlog-maxlogsize: 100. 2.3.1.57. nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files): This attribute sets the total number of error logs that can be contained in the directory where the error log is stored.
  • Page 50: • 7 - Read, write, and execute. In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
  • Page 51: Syntax: Integer. Example: nsslapd-idletimeout: 0. 2.3.1.61. nsslapd-instancedir (Instance Directory): This attribute is deprecated. There are now separate configuration parameters for instance-specific paths, such as nsslapd-certdir and nsslapd-lockdir. See the documentation for the specific directory path that is set. 2.3.1.62. ...
  • Page 52: If for some reason this attribute were set to off, the solution is to export the database to LDIF (using db2ldif, db2ldif.pl, or the console), set the value to on, and import the data.
  • Page 53: 2.3.1.66. nsslapd-ldapifilepath (File Location for LDAPI Socket): LDAPI connects a user to an LDAP server over a UNIX socket rather than TCP. In order to configure LDAPI, the server must be configured to communicate over a UNIX socket. The UNIX socket to use is set in the nsslapd-ldapifilepath attribute.
  • Page 54: 2.3.1.69. nsslapd-ldapimaprootdn (Autobind Mapping for Root User): With autobind, a system user is mapped to a Directory Server user and then automatically authenticated to the Directory Server over a UNIX socket. The root system user (the user with a UID of 0) is mapped to whatever Directory Server entry is specified in the nsslapd-ldapimaprootdn attribute.
  • Page 55: Entry DN: cn=config. Valid Values: Any Directory Server attribute. Default Value: uidNumber. Syntax: DirectoryString. Example: nsslapd-ldapiuidnumbertype: uidNumber. 2.3.1.72. nsslapd-listenhost (Listen to IP Address): This attribute allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine).
  • Page 56: 2.3.1.74. nsslapd-localuser (Local User): This attribute sets the user as whom the Directory Server runs. The group as which the user runs is derived from this attribute by examining the user's primary group. Should the user change, then all of the instance-specific files and directories for this instance need to be changed to be owned by the new user, using a tool such as chown.
  • Page 57: Default Value: 2097152. Syntax: Integer. Example: nsslapd-maxbersize: 2097152. 2.3.1.77. nsslapd-maxdescriptors (Maximum File Descriptors): This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server tries to use. A file descriptor is used whenever a client connects to the server and also for some server activities, such as index maintenance.
  • Page 58: Entry DN: cn=config. Valid Range: 1 to 65535. Default Value: 1024. Syntax: Integer. Example: nsslapd-maxdescriptors: 1024. 2.3.1.78. nsslapd-maxsasliosize (Maximum SASL Packet Size): When a user is authenticated to the Directory Server over SASL GSS-API, the server must allocate a certain amount of memory to the client to perform LDAP operations, according to how much memory the client requests.
  • Page 59: Default Value: (blank). Syntax: Integer. Example: nsslapd-maxthreadsperconn: 5. 2.3.1.80. nsslapd-nagle: When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies;...
  • Page 60: Password Policy

    The server has to be restarted for the port number change to be taken into account. Entry DN: cn=config. Valid Range: 1 to 65535. Default Value: (blank). Syntax: Integer. Example: nsslapd-port: 389. NOTE: Set the port number to zero (0) to disable the LDAP port if the LDAPS port is enabled.
  • Page 61: 2.3.1.86. nsslapd-readonly (Read Only): This attribute sets whether the whole server is in read-only mode, meaning that neither data in the databases nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation. Entry DN: ...
  • Page 62: Example: nsslapd-referral: ldap://ldap.example.com. 2.3.1.88. nsslapd-referralmode (Referral Mode): When set, this attribute sends back the referral for any request on any suffix. Entry DN: cn=config. Valid Values: Any valid LDAP URL in the form ldap://server-location. Default Value: (blank). Syntax: ...
  • Page 63: • NglobalIndex is the total number of configured indexes for all databases including system indexes. (By default 8 system indexes and 17 additional indexes per database). • ReplicationDescriptor is eight (8) plus the number of replicas in the server that can act as a supplier or hub (NSupplierReplica).
  • Page 64: 2.3.1.92. nsslapd-rootdn (Manager DN): This attribute sets the distinguished name (DN) of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory, or resource limits in general. There does not have to be an entry corresponding to this DN, and by default there is not an entry for this DN, thus values like cn=Directory Manager are acceptable.
  • Page 65: 2.3.1.94. nsslapd-rootpwstoragescheme (Root Password Storage Scheme): This attribute sets the encryption method used for the root password. Entry DN: cn=config. Valid Values: Any encryption method as described in Section 2.3.1.142, “passwordStorageScheme (Password Storage Scheme)”. Default Value: SSHA. Syntax: DirectoryString. Example: ...
  • Page 66: ... and missing superiors are added) trailing spaces are ignored, if appropriate. This means that even when nsslapd-schema-ignore-trailing-spaces is on, a value such as top is not added if top is already there. An error message is logged and returned to the client if an object class is not found and it contains trailing spaces.
  • Page 67: 2.3.1.98. nsslapd-schemadir: This is the absolute path to the directory containing the Directory Server instance-specific schema files. When the server starts up, it reads the schema files from this directory, and when the schema is modified through LDAP tools, the schema files in this directory are updated. This directory must be owned by the server user ID, and that user must have read and write permissions to the directory.
  • Page 68: ... port number. Specifying a port number of less than 1024 requires that Directory Server be started as root. The server sets its uid to the nsslapd-localuser value after startup. The server only listens to this port if it has been configured with a private key and a certificate, and nsslapd-security is set to on;...
  • Page 69: Valid Range: -1 to the maximum 32 bit integer value (2147483647). Default Value: 2000. Syntax: Integer. Example: nsslapd-sizelimit: 2000. 2.3.1.104. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections): This attribute sets whether an SSL-enabled Directory Server should verify authenticity of a request by matching the hostname against the value assigned to the common name (cn) attribute of the subject name (subjectDN field) in the certificate being presented.
  • Page 70: 2.3.1.105. nsslapd-threadnumber (Thread Number): Defines the number of operation threads that the Directory Server creates at startup. The nsslapd-threadnumber value should be increased if there are many directory clients performing time-consuming operations such as add or modify, as this ensures that there are other threads available for servicing short-lived operations such as simple searches.
  • Page 71: Changes made to this attribute will not take effect until the server is restarted. 2.3.1.108. nsslapd-versionstring: This attribute sets the server version number. The build data is automatically appended when the version string is displayed. Entry DN: cn=config. Valid Values: Any valid server version number.
  • Page 72: Default Value: (blank). Syntax: DirectoryString. Example: passwordAllowChangeTime: 5h. 2.3.1.112. passwordChange (Password Change): Indicates whether users may change their passwords. This can be abbreviated to pwdAllowUserChange. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
  • Page 73: Entry DN: cn=config. Valid Values: on | off. Default Value: (blank). Syntax: DirectoryString. Example: passwordCheckSyntax: off. 2.3.1.114. passwordExp (Password Expiration): Indicates whether user passwords expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, set the number of seconds after which the password expires using the passwordMaxAge attribute.
  • Page 74: 2.3.1.117. passwordGraceLimit (Password Expiration): This attribute is only applicable if password expiration is enabled. After the user's password has expired, the server allows the user to connect for the purpose of changing the password. This is called a grace login.
  • Page 75: 2.3.1.120. passwordInHistory (Number of Passwords to Remember): Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled, meaning that the Directory Server does not store any old passwords, and so users can reuse passwords.
  • Page 76: ... lockout is enabled, set the number of failed bind attempts after which the user is locked out using the passwordMaxFailure attribute. This can be abbreviated to pwdLockOut. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
  • Page 77: Syntax: Integer. Example: passwordMaxAge: 100. 2.3.1.126. passwordMaxFailure (Maximum Password Failures): Indicates the number of failed bind attempts after which a user is locked out of the directory. By default, account lockout is disabled. Enable account lockout by modifying the passwordLockout attribute.
  • Page 78: Valid Range: 0 to 64. Default Value: (blank). Syntax: Integer. Example: passwordMin8Bit: 0. 2.3.1.129. passwordMinAge (Password Minimum Age): Indicates the number of seconds that must pass before a user can change their password. Use this attribute in conjunction with the passwordInHistory (number of passwords to remember) attribute to prevent users from quickly cycling through passwords so that they can use their old password again.
  • Page 79: Valid Range: 0 to 5. Default Value: (blank). Syntax: Integer. Example: passwordMinCategories: 2. 2.3.1.132. PasswordMinDigits (Password Syntax): This sets the minimum number of digits a password must contain. Entry DN: cn=config. Valid Range: 0 to 64. Default Value: (blank). Syntax: Integer...
  • Page 80: Example: passwordMinLowers: 1. 2.3.1.135. PasswordMinSpecials (Password Syntax): This attribute sets the minimum number of special, or non-alphanumeric, characters a password must contain. Entry DN: cn=config. Valid Range: 0 to 64. Default Value: (blank). Syntax: Integer...
  • Page 81: For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide. Entry DN: cn=config. Valid Values: on | off. Default Value: (blank). Syntax: DirectoryString. Example: passwordMustChange: off. 2.3.1.139. passwordResetDuration: This attribute sets the amount of time that must pass after login failures before the server resets the password retry count to zero.
  • Page 82: 2.3.1.141. passwordRetryCount: This attribute counts the number of consecutive failed attempts at entering the correct password. This is an operational attribute, meaning its value is managed by the server and the attribute is not returned in default searches.
  • Page 83: Cn=Changelog5

    cn=changelog5 Parameter Description Entry DN cn=config Valid Values on | off Default Value Syntax DirectoryString Example passwordUnlock: off 2.3.1.144. passwordWarning (Send Warning) Indicates the number of seconds before a user's password is due to expire that the user receives a password expiration warning control on their next LDAP operation.
  • Page 84 Chapter 2. Core Server Configuration Reference When more backends are replicated or when one backend is replicated to more than one consumer, tune the nsslapd-cachememsize so that its value is 5000000 times the number of replication agreements initiated from the server (5000000 * no_of_repl_agreements). The relationship between the values assigned to the nsslapd-dbcachesize and nsslapd-cachememsize parameters should be the same as the relationship that is described in the database tuning section.
  • Page 85 cn=changelog5 2.3.2.2. nsslapd-changelogmaxage (Max Changelog Age) This attribute sets the maximum age of any entry in the changelog. The changelog contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute is removed.
  • Page 86 Chapter 2. Core Server Configuration Reference 2.3.2.5. changeLog This attribute contains the distinguished name of the entry which contains the set of entries comprising the server’s changelog. 2.16.840.1.113730.3.1.35 Syntax Multi- or Single-Valued Multi-valued Defined in Changelog Internet Draft 2.3.2.6. changeNumber This attribute is always present.
  • Page 87: Cn=Encryption

    cn=encryption Syntax Boolean Multi- or Single-Valued Multi-valued Defined in Changelog Internet Draft 2.3.2.10. filterInfo This is used by the changelog for processing replication. 2.16.840.1.113730.3.1.206 Syntax DirectoryString Multi- or Single-Valued Multi-valued Defined in Directory Server 2.3.2.11. newRdn In the case of modrdn operations, this attribute specifies the new RDN of the entry. 2.16.840.1.113730.3.1.9 Syntax Multi- or Single-Valued...
  • Page 88 Chapter 2. Core Server Configuration Reference 2.3.3.1. nsSSLSessionTimeout This attribute sets the lifetime of a TLS/SSL session. The minimum timeout value is 5 seconds. If a smaller value is set, then it is automatically replaced by 5 seconds. A value greater than the maximum value in the valid range below is replaced by the maximum value in the range.
  • Page 89 cn=encryption Parameter Description Example nsSSL2: off 2.3.3.4. nsSSL3 Supports SSL version 3. The server has to be restarted for changes to this attribute to go into effect. Parameter Description Entry DN cn=encryption, cn=config Valid Values on | off Default Value Syntax DirectoryString Example...
  • Page 90: Cn=Features

    Chapter 2. Core Server Configuration Reference Parameter Description Use the plus (+) symbol to enable or minus (-) symbol to disable, followed by the ciphers. Blank spaces are not allowed in the list of ciphers. To enable all ciphers — except rsa_null_md5, which must be specifically called —...
  • Page 91: Suffix Configuration Attributes Under Cn="Suffixname"

    Suffix Configuration Attributes under cn="suffixName" • Replication configuration attributes are stored under cn=replica, cn=suffix, cn=mapping tree,cn=config. • Replication agreement attributes are stored under cn=replicationAgreementName, cn=replica, cn=suffix,cn=mapping tree,cn=config. • Windows synchronization agreement attributes are stored under cn=syncAgreementName, cn=replica, cn=suffix,cn=mapping tree,cn=config. 2.3.6. Suffix Configuration Attributes under cn="suffixName" Suffix configuration attributes are stored under the cn=suffix entry.
  • Page 92: Replication Attributes Under Cn=Replica, Cn="Suffixdn", Cn=Mapping Tree, Cn=Config

    Chapter 2. Core Server Configuration Reference The value should be the name of the backend database entry instance under cn=ldbm database,cn=plugins,cn=config. For example: o=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config Parameter Description Entry DN cn=suffix, cn=mapping tree, cn=config Valid Values Any valid partition name Default Value None Syntax DirectoryString...
  • Page 93 Replication Attributes under cn=replica, cn="suffixDN", cn=mapping tree, cn=config Parameter Description Default Value Syntax DirectoryString Example nsds5debugreplicatimeout: 60:8192 2.3.7.3. nsDS5ReplConflict Although this attribute is not in the cn=replica entry, it is used in conjunction with replication. This multi-valued attribute is included on entries that have a change conflict that cannot be resolved automatically by the synchronization process.
  • Page 94 Chapter 2. Core Server Configuration Reference Parameter Description Syntax DirectoryString Example nsDS5ReplicaBindDN: cn=replication manager, cn=config 2.3.7.6. nsDS5ReplicaChangeCount This read-only attribute shows the total number of entries in the changelog and whether they still remain to be replicated. When the changelog is purged, only the entries that are still to be replicated remain.
  • Page 95 Replication Attributes under cn=replica, cn="suffixDN", cn=mapping tree, cn=config 2.3.7.9. nsDS5ReplicaName This attribute specifies the name of the replica with a unique identifier for internal operations. If it is not specified, this unique identifier is allocated by the server when the replica is created. NOTE It is recommended that the server be permitted to generate this name.
  • Page 96 Chapter 2. Core Server Configuration Reference Parameter Description Default Value 604800 [1 week (60x60x24x7)] Syntax Integer Example nsDS5ReplicaPurgeDelay: 604800 2.3.7.11. nsDS5ReplicaReferral This multi-valued attribute specifies the user-defined referrals. This should only be defined on a consumer. User referrals are only returned when a client attempts to modify data on a read-only consumer.
  • Page 97 Replication Attributes under cn=replica, cn="suffixDN", cn=mapping tree, cn=config Parameter Description Valid Range 0 to maximum 32-bit integer (2147483647) in seconds Default Value 86400 (1 day) Syntax Integer Example nsDS5ReplicaTombstonePurgeInterval: 86400 2.3.7.14. nsDS5ReplicaType Defines the type of replication relationship that exists between this replica and the others. Parameter Description Entry DN...
  • Page 98: Replication Attributes Under Cn=Replicationagreementname, Cn=Replica, Cn="Suffixname", Cn=Mapping Tree, Cn=Config

    Chapter 2. Core Server Configuration Reference 2.3.7.17. nsState This attribute stores information on the state of the clock. It is designed only for internal use, to ensure that the server cannot generate a change sequence number (CSN) lower than existing ones, which is required for detecting backward clock errors.
  • Page 99 Replication Attributes under cn=ReplicationAgreementName, cn=replica, cn="suffixName", cn=mapping tree, cn=config Parameter Description Entry DN cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config Valid Values Any valid DN (can be empty if client certificates are used) Default Value Syntax DirectoryString Example nsDS5ReplicaBindDN: cn=replication manager, cn=config 2.3.8.4.
  • Page 100 Chapter 2. Core Server Configuration Reference Parameter Description Example nsDS5ReplicaBusyWaitTime: 3 2.3.8.6. nsDS5ReplicaChangesSentSinceStartup This read-only attribute shows the number of changes sent to this replica since the server started. Parameter Description Entry DN cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config Valid Range 0 to maximum 32-bit integer (2147483647) Default Value Syntax...
  • Page 101 Replication Attributes under cn=ReplicationAgreementName, cn=replica, cn="suffixName", cn=mapping tree, cn=config 2.3.8.9. nsDS5ReplicaLastInitEnd This optional, read-only attribute states when the initialization of the consumer replica ended. Parameter Description Entry DN cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config Valid Values YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened.
  • Page 102 Chapter 2. Core Server Configuration Reference Parameter Description Example nsDS5ReplicaLastUpdateStatus: 0 Total update succeeded 2.3.8.12. nsDS5ReplicaLastUpdateEnd This read-only attribute states when the most recent replication schedule update ended. Parameter Description Entry DN cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config Valid Values YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened.
  • Page 103 Replication Attributes under cn=ReplicationAgreementName, cn=replica, cn="suffixName", cn=mapping tree, cn=config Parameter Description Valid Values 0 (no replication sessions started), followed by any other error or status message Default Value Syntax DirectoryString Example nsDS5ReplicaLastUpdateStatus: 0 replica acquired successfully 2.3.8.15. nsDS5ReplicaPort This attribute sets the port number for the remote server containing the replica. Once this attribute has been set, it cannot be modified.
  • Page 104 Chapter 2. Core Server Configuration Reference Parameter Description Valid Values stop | start Default Value Syntax DirectoryString Example nsDS5BeginReplicaRefresh: start 2.3.8.18. nsDS5ReplicaRoot This attribute sets the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified.
  • Page 105 Replication Attributes under cn=ReplicationAgreementName, cn=replica, cn="suffixName", cn=mapping tree, cn=config Parameter Description Entry DN cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config Valid Values Any valid integer Default Value Syntax Integer Example nsDS5ReplicaSessionPauseTime: 0 2.3.8.20. nsDS5ReplicatedAttributeList This allowed attribute specifies any attributes that are not replicated to a consumer server. Fractional replication allows databases to be replicated across slow connections or to less secure consumers while still protecting sensitive information.
  • Page 106 Chapter 2. Core Server Configuration Reference which means that regular LDAP connections are used. If this attribute is absent, then regular LDAP connections are used. This attribute cannot be modified once it is set. Parameter Description Entry DN cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config Valid Values SSL | LDAP...
  • Page 107: Synchronization Attributes Under Cn=Syncagreementname, Cn=Windowsreplica,Cn="Suffixname", Cn=Mapping Tree, Cn=Config

    Synchronization Attributes under cn=syncAgreementName, cn=WindowsReplica, cn="suffixName", cn=mapping tree, cn=config 2.3.8.25. nsDS50ruv This attribute stores the last replica update vector (RUV) read from the consumer of this replication agreement. It is always present and must not be changed. 2.3.8.26. nsruvReplicaLastModified This attribute contains the most recent time that an entry in the replica was modified and the changelog was updated.
  • Page 108 Chapter 2. Core Server Configuration Reference Parameter Description Example nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com 2.3.9.2. nsds7DirsyncCookie This string is created by Active Directory Dirsync and gives the state of the Active Directory Server at the time of the last synchronization. The old cookie is sent to Active Directory with each Directory Server update;...
  • Page 109: Cn=Monitor

    cn=monitor 2.3.9.5. nsds7WindowsDomain This attribute sets the name of the Windows domain to which the Windows sync peer belongs. Parameter Description Entry DN cn=syncAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config Valid Values Any valid domain name Default Value Syntax DirectoryString Example nsDS7WindowsDomain: DOMAINWORLD 2.3.9.6.
  • Page 110 Chapter 2. Core Server Configuration Reference section describes the cn=monitor attributes. The only attribute that can be changed by a user to set access control is the aci attribute. If the nsslapd-counters attribute in cn=config is set to on (the default setting), then all of the counters kept by the Directory Server instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of Directory Server.
  • Page 111 cn=monitor dTableSize This attribute shows the size of the Directory Server connection table. Each connection is associated with a slot in this table, and usually corresponds to the file descriptor used by this connection. See Section 2.3.1.38, “nsslapd-conntablesize” for more information. readWaiters This attribute shows the number of connections where some requests are pending and not currently being serviced by a thread in Directory Server.
  • Page 112: Cn=Replication

    Chapter 2. Core Server Configuration Reference backendMonitorDN This attribute shows the DN for each Directory Server database backend. For further information on monitoring the database, see the following sections: • Section 3.4.8, “Database Attributes under cn=attributeName, cn=encrypted attributes, cn=database_name, cn=ldbm database, cn=plugins, cn=config” • Section 3.4.4, “Database Attributes under cn=database, cn=monitor, cn=ldbm database, cn=plugins, ...
  • Page 113: Cn=Snmp

    cn=SNMP Parameter Description Syntax IA5String Example nsSaslMapFilterTemplate: (cn=\1) 2.3.12.3. nsSaslMapRegexString This attribute contains a regular expression used to map SASL identity strings. Parameter Description Entry DN cn=mapping_name, cn=mapping, cn=sasl, cn=config Valid Values Any valid regular expression Default Value Syntax IA5String Example nsSaslMapRegexString: \(.*\) 2.3.13.
  • Page 114 Chapter 2. Core Server Configuration Reference Parameter Description Entry DN cn=SNMP, cn=config Valid Values Location Default Value Syntax DirectoryString Example nssnmplocation: B14 2.3.13.4. nssnmpcontact This attribute sets the email address of the person responsible for maintaining the Directory Server. Parameter Description Entry DN cn=SNMP, cn=config...
  • Page 115: Snmp Statistic Attributes

    SNMP Statistic Attributes Parameter Description Entry DN cn=SNMP, cn=config Valid Values Operating system dependent port number. See the operating system documentation for further information. Default Value <blank> Syntax Integer Example nssnmpmasterport: 199 2.3.14. SNMP Statistic Attributes Table 2.8, “SNMP Statistic Attributes” contains read-only attributes which list the statistics available for LDAP and SNMP clients.
  • Page 116 Chapter 2. Core Server Configuration Reference Attribute Description RemoveEntryOps This shows the number of LDAP delete requests. ModifyEntryOps This shows the number of LDAP modify requests. ModifyRDNOps This shows the number of LDAP modify RDN (modrdn) requests. ListOps Not used. This value is always 0. SearchOps This shows the number of LDAP search requests.
  • Page 117: Cn=Tasks

    cn=tasks Attribute Description backend, this value is 0, and see the monitor entry for each one for more information. SlaveHits Not used. This value is always 0. CacheEntries and CacheHits are updated every ten (10) seconds. Red Hat strongly encourages using the database backend specific monitor entries for this and other database information.
  • Page 118 Chapter 2. Core Server Configuration Reference 2.3.15.1. Task Invocation Attributes for Entries under cn=tasks Five tasks which administer Directory Server instances have configuration entries which initiate and identify individual operations. These task entries are instances of the same object class, extensibleObject, and have certain common attributes which describe the state and behavior of Directory Server tasks.
  • Page 119 cn=tasks Parameter Description Entry DN cn=task_name, cn=task_type, cn=tasks, cn=config Valid Values Any string Default Value Syntax Case-exact string Example nsTaskLog: example... nsTaskExitCode This attribute contains the exit code for the task. This attribute only exists after the task is completed and any value is only valid if the task is complete.
  • Page 120 Chapter 2. Core Server Configuration Reference nsTaskTotalItems This attribute shows the total number of subtasks that must be completed for the task operation. When the nsTaskCurrentItem attribute has the same value as nsTaskTotalItems, then the task is completed. This attribute value is set by the server and should not be edited. Parameter Description Entry DN...
  • Page 121 cn=tasks 2.3.15.2. cn=import An LDIF file or multiple LDIF files can be imported through the command line by creating a special task entry which defines the parameters of the task and initiates the task. As soon as the task is complete, the task entry is removed from the directory.
  • Page 122 Chapter 2. Core Server Configuration Reference Parameter Description Example nsFilename: /home/jsmith/example.ldif nsInstance This attribute supplies the name of the database instance into which to import the files, such as NetscapeRoot or slapd-example. Parameter Description Entry DN cn=task_name, cn=import, cn=tasks, cn=config Valid Values The name of a Directory Server instance (any string)
  • Page 123 cn=tasks Parameter Description Valid Values 0 to the maximum 32-bit integer value (2147483647) Default Value Syntax Integer Example nsImportChunkSize: 10 nsImportIndexAttrs This attribute sets whether to index the attributes that are imported into the database instance. Parameter Description Entry DN cn=task_name, cn=import, cn=tasks, cn=config Valid Values true | false...
  • Page 124 Chapter 2. Core Server Configuration Reference 2.3.15.3. cn=export A database or multiple databases can be exported through the command line by creating a special task entry which defines the parameters of the task and initiates the task. As soon as the task is complete, the task entry is removed from the directory.
  • Page 125 cn=tasks Parameter Description Valid Values Any string Default Value Syntax Case-exact string, multi-valued Example nsFilename: /home/jsmith/example.ldif nsInstance This attribute supplies the name of the database instance from which to export the database, such as NetscapeRoot or userRoot. Parameter Description Entry DN cn=task_name, cn=export, cn=tasks, cn=config Valid Values The name of a Directory Server instance (any...
  • Page 126 Chapter 2. Core Server Configuration Reference Parameter Description Entry DN cn=task_name, cn=export, cn=tasks, cn=config Valid Values true | false Default Value false Syntax Case-insensitive string Example nsUseOneFile: true nsExportReplica This attribute identifies whether the exported database will be used in replication. For replicas, the proper attributes and settings will be included with the entry to initialize the replica automatically.
  • Page 127 cn=tasks Parameter Description Entry DN cn=task_name, cn=export, cn=tasks, cn=config Valid Values true | false Default Value false Syntax Case-insensitive string Example nsNoWrap: false nsDumpUniqId This attribute sets that the unique IDs for the exported entries are not exported. Parameter Description Entry DN cn=task_name, cn=export, cn=tasks, cn=config Valid Values...
  • Page 128 Chapter 2. Core Server Configuration Reference Parameter Description Entry DN cn=task_name, cn=backup, cn=tasks, cn=config Valid Values Any local directory location Default Value Syntax Case-exact string Example nsArchiveDir: /export/backups nsDatabaseTypes This attribute gives the kind of database being archived. Setting the database types signals what kind of backup plug-in the Directory Server should use to archive the database.
  • Page 129 cn=tasks Parameter Description Valid Values Any local directory location Default Value Syntax Case-exact string Example nsArchiveDir: /export/backups nsDatabaseTypes This attribute gives the kind of database being archived. Setting the database types signals what kind of backup plug-in the Directory Server should use to archive the database. Parameter Description Entry DN...
  • Page 130 Chapter 2. Core Server Configuration Reference nsIndexAttribute This attribute gives the name of the attribute to index and the types of indexes to apply. The format of the attribute value is the attribute name and a comma-separated list of index types, enclosed in double quotation marks.
  • Page 131 cn=tasks IMPORTANT Any schema loaded from another directory must be copied into the schema directory or the schema will be lost when the server. The schema reload task is initiated through the command line by creating a special task entry which defines the parameters of the task and initiates the task.
  • Page 132 Chapter 2. Core Server Configuration Reference is changed, all of the members' associated directory entries are automatically updated with their corresponding memberOf attributes. The cn=memberof task (and the related fixup-memberof.pl script) is used to create the initial memberOf attributes on the member's user entries in the directory. After the memberOf attributes are created, then the MemberOf Plug-in manages the memberOf attributes automatically.
  • Page 133: Cn=Uniqueid Generator

    cn=uniqueid generator 2.3.16. cn=uniqueid generator The unique ID generator configuration attributes are stored under cn=uniqueid generator,cn=config. The cn=uniqueid generator entry is an instance of the extensibleObject object class. nsState This attribute saves the state of the unique ID generator across server restarts. This attribute is maintained by the server.
  • Page 134: Directoryserverfeature (Object Class)

    Chapter 2. Core Server Configuration Reference targetDn The distinguished name of an entry added, modified or deleted on a supplier server. Allowed Attributes changes Changes made to the Directory Server. deleteOldRdn A flag that defines whether the old Relative Distinguished Name (RDN) of the entry should be kept as a distinguished attribute of the entry or should be deleted.
  • Page 135: Nschangelog4Config (Object Class)

    nsChangelog4Config (Object Class) 2.16.840.1.113730.3.2.109 Required Attributes Attribute Definition objectClass Defines the object classes for the entry. Gives the common name of the entry. 2.4.4. nsChangelog4Config (Object Class) In order for Directory Server 8.1 to replicate between Directory Server 4.x servers, the Directory Server 8.1 instance must have a special changelog configured.
  • Page 136: Nsds5Replica (Object Class)

    Chapter 2. Core Server Configuration Reference 2.4.6. nsDS5Replica (Object Class) This object class is for entries which define a replica in database replication. Many of these attributes are set within the backend and cannot be modified. Information on the attributes for this object class is listed with the core configuration attributes in chapter 2 of the Directory Server Configuration, Command, and File Reference.
  • Page 137: Nsds5Replicationagreement (Object Class)

    nsDS5ReplicationAgreement (Object Class) nsDS5ReplicaType Defines the type of replica, such as a read-only consumer. nsDS5Task Launches a replication task, such as dumping the database contents to LDIF; this is used internally by the Directory Server supplier. nsState Stores information on the clock so that proper change sequence numbers are generated.
  • Page 138: Nsdswindowsreplicationagreement (Object Class)

    Chapter 2. Core Server Configuration Reference nsDS5ReplicaLastInitEnd States when the initialization of the consumer replica ended. nsDS5ReplicaLastInitStart States when the initialization of the consumer replica started. nsDS5ReplicaLastInitStatus The status for the initialization of the consumer. nsDS5ReplicaLastUpdateEnd States when the most recent replication schedule update ended.
  • Page 139 nsDSWindowsReplicationAgreement (Object Class) Required Attributes objectClass Defines the object classes for the entry. Gives the name of the synchronization agreement. Allowed Attributes description Contains a text description of the synchronization agreement. nsDS5BeginReplicaRefresh Initiates a manual synchronization. nsds5debugreplicatimeout Gives an alternate timeout period to use when the synchronization is run with debug logging.
  • Page 140: Nsmappingtree (Object Class)

    Chapter 2. Core Server Configuration Reference nsDS5ReplicaTimeout Specifies the number of seconds outbound LDAP operations will wait for a response from the Windows server before timing out and failing. nsDS5ReplicaTransportInfo Specifies the type of transport used for transporting data to and from the Windows server.
  • Page 141: Nssaslmapping (Object Class)

    nsSaslMapping (Object Class) Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. Gives the common name of the entry. 2.4.10. nsSaslMapping (Object Class) This object class is used for entries which contain an identity mapping configuration for mapping SASL attributes to the Directory Server attributes.
  • Page 142: Passwordpolicy (Object Class)

    Chapter 2. Core Server Configuration Reference Allowed Attributes Attribute Definition Gives the common name of the entry. 2.4.12. passwordpolicy (Object Class) Both local and global password policies take the passwordpolicy object class. This object class is defined in Directory Server. Superior Class 2.16.840.1.113730.3.2.13 Required Attributes...
  • Page 143 passwordpolicy (Object Class) Attribute Definition passwordResetDuration Sets the period of time before the server resets the retry count to zero. passwordUnlock Identifies whether a user is locked out until the password is reset by an administrator. The default is to allow a user to log back in after the lockout period.
  • Page 144: Legacy Attributes

    Chapter 2. Core Server Configuration Reference Attribute Definition passwordMinCategories Sets the minimum number of categories which must be used in the password. passwordMinTokenLength Sets the length to check for trivial words. 2.5. Legacy Attributes These attributes were standard with Directory Server 4.x and older. They are still included in the schema for compatibility, but are not used by current versions of Directory Server.
  • Page 145 Legacy Server Attributes Attribute Definition changeLogMaximumSize Specifies maximum changelog size. 2.5.1.2. changeLogMaximumAge This sets the maximum age for the changelog maintained by the server. 2.16.840.1.113730.3.1.200 Syntax DirectoryString Multi- or Single-Valued Multi-valued Defined in Directory Server 2.5.1.3. changeLogMaximumConcurrentWrites This attribute sets the maximum number of concurrent writes that can be written to the changelog. 2.16.840.1.113730.3.1.205 Syntax DirectoryString...
  • Page 146: Legacy Replication Attributes

    Chapter 2. Core Server Configuration Reference Defined in Directory Server 2.5.1.7. nsSynchUserIDFormat This attribute is used for Windows synchronization. 2.16.840.1.113730.3.1.406 Syntax DirectoryString Multi- or Single-Valued Multi-valued Defined in Directory Server 2.5.2. Legacy Replication Attributes These attributes were originally used to configure replication for Directory Server 4.x and older servers.
  • Page 147 Legacy Replication Attributes Attribute Definition cirPort Identifies the port of the supplier. cirBindDN Specifies the bind DN. cirUsePersistentSearch Specifies a flag whether or not to use the persistent search. cirUseSSL Specifies a flag whether or not to use SSL. cirBindCredentials Specifies a password of cirBindDN.
  • Page 148 Chapter 2. Core Server Configuration Reference Syntax Multi- or Single-Valued Multi-valued Defined in Directory Server 2.5.2.5. cirHost For consumer-initiated replication, this contains the hostname of the supplier server. 2.16.840.1.113730.3.1.80 Syntax DirectoryString Multi- or Single-Valued Multi-valued Defined in Directory Server 2.5.2.6. cirLastUpdateApplied For consumer-initiated replication, this attribute stores the change number of the last change sent to the consumer.
  • Page 149 Legacy Replication Attributes Multi- or Single-Valued Multi-valued Defined in Directory Server 2.5.2.10. cirUpdateFailedAt For consumer-initiated replication, this attribute shows the time of the last failed update attempt. 2.16.840.1.113730.3.1.88 Syntax DirectoryString Multi- or Single-Valued Multi-valued Defined in Directory Server 2.5.2.11. cirUpdateSchedule For consumer-initiated replication, this attribute sets the schedule for replication.
  • Page 150 Chapter 2. Core Server Configuration Reference 2.16.840.1.113730.3.2.36 Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. Specifies the common name of the entry. Allowed Attributes Attribute Definition description Gives a text description of the entry. localityName Gives the city or geographical location of the entry.
  • Page 151 Legacy Replication Attributes 2.16.840.1.113730.3.1.218 Syntax DirectoryString Multi- or Single-Valued Multi-valued Defined in Directory Server 2.5.2.16. replicaBeginOrc For online replication creation (ORC), the consumer server can dump its entire database and allows the supplier to send it completely fresh information. The replicaBeginOrc attribute sets whether the consumer deletes its database.
  • Page 152 Chapter 2. Core Server Configuration Reference 2.16.840.1.113730.3.1.202 Syntax Binary Multi- or Single-Valued Multi-valued Defined in Directory Server 2.5.2.21. replicaEntryFilter This attribute contains an LDAP filter to use to identify the entries to be replicated. 2.16.840.1.113730.3.1.203 Syntax IA5String Multi- or Single-Valued Multi-valued Defined in Directory Server...
  • Page 153 Legacy Replication Attributes Syntax DirectoryString Multi- or Single-Valued Multi-valued Defined in Directory Server 2.5.2.26. replicaRoot This attribute sets the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified. 2.16.840.1.113730.3.1.57 Syntax Multi- or Single-Valued...
  • Page 154 Chapter 2. Core Server Configuration Reference Multi- or Single-Valued Multi-valued Defined in Directory Server 2.5.2.31. replicaUseSSL This attribute sets whether to use a secure connection (SSL) for replication. 2.16.840.1.113730.3.1.54 Syntax DirectoryString Multi- or Single-Valued Multi-valued Defined in Directory Server...
  • Page 155: Bit Check Plug-In

    Chapter 3. Plug-in Implemented Server Functionality Reference This chapter contains reference information on Red Hat Directory Server plug-ins. The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins, cn=config. dn: cn=Telephone Syntax, cn=plugins, cn=config objectclass: top objectclass: nsSlapdPlugin...
  • Page 156: Acl Plug-In

    Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Configurable Arguments List of attributes (uid mail userPassword) followed by "," and then suffixes on which the check is to occur. Dependencies None Performance Related Information None Further Information If the Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off.
  • Page 157: Attribute Uniqueness Plug-In

    Attribute Uniqueness Plug-in 3.1.4. Attribute Uniqueness Plug-in Plug-in Parameter Description Plug-in Name Attribute Uniqueness Plug-in DN of Configuration Entry cn=Attribute Uniqueness, cn=plugins, cn=config Description Checks that the values of specified attributes are unique each time a modification occurs on an entry.
  • Page 158: Boolean Syntax Plug-In

    Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Description Syntax for handling binary data Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
  • Page 159: Case Ignore String Syntax Plug-In

    Case Ignore String Syntax Plug-in 3.1.8. Case Ignore String Syntax Plug-in Plug-in Parameter Description Plug-in Name Case Ignore String Syntax DN of Configuration Entry cn=Case Ignore String Syntax, cn=plugins, cn=config Description Syntax for handling case-insensitive strings Configurable Options on | off Default Setting Configurable Arguments None...
  • Page 160: Country String Syntax Plug-In

    Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times. Further Information See the "Advanced Entry Management"...
  • Page 161: Distributed Numeric Assignment Plug-In

    Distributed Numeric Assignment Plug-in 3.1.13. Distributed Numeric Assignment Plug-in Plug-in Information Description Plug-in Name Distributed Numeric Assignment (DNA) Configuration Entry DN cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config Description Distributed Numeric Assignment plugin Configurable Options on | off Default Setting Configurable Arguments Dependencies None Performance Related Information None...
  • Page 162: Integer Syntax Plug-In

    Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description DN of Configuration Entry cn=HTTP Client, cn=plugins, cn=config Description HTTP client plug-in Configurable Options on | off Default Setting Configurable Arguments None Dependencies Database Performance Related Information Further Information 3.1.16. Integer Syntax Plug-in Plug-in Parameter Description Plug-in Name...
  • Page 163: Jpeg Syntax Plug-In

    JPEG Syntax Plug-in Plug-in Parameter Description Dependencies None Performance Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. Further Information See the "Internationalization" appendix and the section on "Searching an Internationalized Directory"...
  • Page 164: Legacy Replication Plug-In

    Chapter 3. Plug-in Implemented Server Functionality Reference 3.1.20. Legacy Replication Plug-in Plug-in Parameter Description Plug-in Name Legacy Replication Plug-in DN of Configuration Entry cn=Legacy Replication plug-in, cn=plugins, cn=config Description Enables a current version Directory Server to be a consumer of a 4.x supplier Configurable Options on | off Default Setting...
  • Page 165: Octet String Syntax Plug-In

    Octet String Syntax Plug-in Plug-in Parameter Description Description Enables replication between two current Directory Servers Configurable Options on | off Default Setting Configurable Arguments None Dependencies Database Performance Related Information Further Information Turn this plug-in off if one server will never replicate.
  • Page 166: Password Storage Schemes

    Chapter 3. Plug-in Implemented Server Functionality Reference 3.1.25. Password Storage Schemes The cn=Password Storage Schemes entry is a container entry, not a plug-in entry itself. All of the plug-ins used for encryption are stored under this entry. The supported schemes change as new encryption methods are added;...
  • Page 167: Postal Address String Syntax Plug-In

    Postal Address String Syntax Plug-in Storage Scheme Name Usage Notes SHA256 Use SHA256 or higher to encrypt passwords because these are stronger encryption schemes. SHA384 This storage scheme is recommended for password storage because of its strength. SHA512 This storage scheme is recommended for password storage because of its strength.
  • Page 168: Referential Integrity Postoperation Plug-In

    Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Configurable Options on | off Default Setting Configurable Arguments ldap://example.com:389/o=example Dependencies None Performance Related Information Pass-through authentication slows down bind requests a little because they have to make an extra hop to the remote server. See the "Using Pass-through Authentication"...
  • Page 169: Retro Changelog Plug-In

    Retro Changelog Plug-in Plug-in Parameter Description Dependencies Database Performance Related Information The Referential Integrity Plug-in should be enabled only on one master in a multimaster replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, be sure to analyze the performance resource and time needs as well as integrity needs;...
  • Page 170: Roles Plug-In

    Chapter 3. Plug-in Implemented Server Functionality Reference 3.1.30. Roles Plug-in Plug-in Parameter Description Plug-in Name Roles Plug-in DN of Configuration Entry cn=Roles Plugin, cn=plugins, cn=config Description Enables the use of roles in the Directory Server Configurable Options on | off Default Setting Configurable Arguments None...
  • Page 171: State Change Plug-In

    State Change Plug-in Plug-in Parameter Description Dependencies None Performance Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. Further Information This plug-in enables the Directory Server to support space- and case-insensitive values. This allows applications to search the directory using entries with ASCII space characters.
  • Page 172: Uri Syntax Plug-In

    Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Performance Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. Further Information 3.1.35. URI Syntax Plug-in Plug-in Parameter Description Plug-in Name URI Syntax...
  • Page 173: Nsslapdplugin

    nsSlapdPlugin 3.2.1. nsSlapdPlugin Each Directory Server plug-in belongs to the nsSlapdPlugin object class. This object class is defined in Directory Server. Superior Class 2.16.840.1.113730.3.2.41 Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. Gives the common name of the entry. nsslapd-pluginPath Identifies the plugin library name (without the library suffix).
  • Page 174: Nsslapd-Plugintype

    Chapter 3. Plug-in Implemented Server Functionality Reference Plug-in Parameter Description Valid Values Any valid plug-in function Default Value None Syntax DirectoryString Example nsslapd-pluginInitfunc: NS7bitAttr_Init 3.2.4. nsslapd-pluginType This attribute specifies the plug-in type. See Section 3.3.3, “nsslapd-plugin-depends-on-type” for further information. Plug-in Parameter Description Entry DN cn=plug-in name, cn=plugins, cn=config...
  • Page 175: Nsslapd-Pluginvendor

    nsslapd-pluginVendor Plug-in Parameter Description Entry DN cn=plug-in name, cn=plugins, cn=config Valid Values Any valid plug-in version Default Value Product version number Syntax DirectoryString Example nsslapd-pluginVersion: 8.1 3.2.8. nsslapd-pluginVendor This attribute specifies the vendor of the plug-in. Plug-in Parameter Description Entry DN cn=plug-in name, cn=plugins, cn=config Valid Values Any approved plug-in vendor...
  • Page 176: Nsslapd-Pluginloadglobal

    Chapter 3. Plug-in Implemented Server Functionality Reference 3.3.2. nsslapd-pluginLoadGlobal This attribute specifies whether the symbols in dependent libraries are made visible locally (false) or to the executable and to all shared objects (true). Plug-in Parameter Description Entry DN cn=plug-in name, cn=plugins, cn=config Valid Values true | false Default Value...
  • Page 177: Database Plug-In Attributes

    Database Plug-in Attributes 3.4. Database Plug-in Attributes The database plug-in is also organized in an information tree, as shown in Figure 3.1, “Database Plug-in”. Figure 3.1. Database Plug-in All plug-in technology used by the database instances is stored in the cn=ldbm database plug-in node.
  • Page 178 Chapter 3. Plug-in Implemented Server Functionality Reference 3.4.1.2. nsslapd-idlistscanlimit This performance-related attribute, present by default, specifies the number of entry IDs that are searched during a search operation. Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message, with additional error information explaining the problem.
  • Page 179 Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config 3.4.1.4. nsslapd-cache-autosize-split This performance tuning-related attribute specifies the percentage of cache space to allocate to the database cache. For example, setting this to 60 would give the database cache 60 percent of the cache space and split the remaining 40 percent between the backend entry caches.
  • Page 180 Chapter 3. Plug-in Implemented Server Functionality Reference Parameter Description Valid Range 500 kilobytes to 4 gigabytes for 32-bit platforms and 500 kilobytes to 2^64-1 for 64-bit platforms Default Value 10000000 (bytes) Syntax Integer Example nsslapd-dbcachesize: 10000000 3.4.1.6. nsslapd-db-checkpoint-interval This sets the amount of time in seconds after which the Directory Server sends a checkpoint entry to the database transaction log.
  • Page 181 Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config 3.4.1.8. nsslapd-db-debug This attribute specifies whether additional error information is to be reported to Directory Server. To report error information, set the parameter to on. This parameter is meant for troubleshooting; enabling the parameter may slow down the Directory Server. Parameter Description Entry DN...
  • Page 182 Chapter 3. Plug-in Implemented Server Functionality Reference This situation will occur only for certain combinations of the database cache size, the size of physical memory, and kernel tuning attributes. In particular, this situation should not occur if the database cache size is less than 100 megabytes. If the Solaris host seems excessively slow and the database cache size is around 100 megabytes or more, then use the iostat utility to diagnose the problem by monitoring the activity of the disk where the Directory Server's database files are stored.
  • Page 183 Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config Before modifying the value of this attribute, export all databases using the db2ldif script. Once the modification has been made, reload the databases using the ldif2db script. WARNING This parameter should only be used by very advanced users. Parameter Description Entry DN...
  • Page 184 Chapter 3. Plug-in Implemented Server Functionality Reference Parameter Description Entry DN cn=config, cn=ldbm database, cn=plugins, cn=config Valid Values Any valid path and directory name Default Value Syntax DirectoryString Example nsslapd-db-logdirectory: /logs/txnlog 3.4.1.14. nsslapd-db-logfile-size This attribute specifies the maximum size of a single file in the log in bytes. By default, or if the value is set to 0, a maximum size of 10 megabytes is used.
  • Page 185 Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config WARNING Never touch this value unless you are very familiar with the inner workings of Berkeley DB or are specifically told to do so by Red Hat support. Parameter Description Entry DN cn=config, cn=ldbm database, cn=plugins, cn=config Valid Range...
  • Page 186 Chapter 3. Plug-in Implemented Server Functionality Reference Parameter Description Entry DN cn=config, cn=ldbm database, cn=plugins, cn=config Valid Range 0 to 30 Default Value 0 (or turned off) Syntax Integer Example nsslapd-db-transaction-batch-val: 5 3.4.1.18. nsslapd-db-trickle-percentage This attribute sets that at least the specified percentage of pages in the shared-memory pool are clean by writing dirty pages to their backing files.
  • Page 187 Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config To configure a dbcache size larger than 4 gigabytes, add the nsslapd-dbncache attribute to cn=config, cn=ldbm database, cn=plugins, cn=config between the nsslapd-dbcachesize and nsslapd-db-logdirectory attribute lines. Set this value to an integer that is one-quarter (1/4) the amount of memory in gigabytes. For example, for a 12 gigabyte system, set the nsslapd-dbncache value to 3;...
  • Page 188 Chapter 3. Plug-in Implemented Server Functionality Reference database, 2 gigabytes is used when loading two databases, and so on. Ensure there is sufficient physical memory to prevent swapping from occurring, as this would result in performance degradation. Parameter Description Entry DN cn=config, cn=ldbm database, cn=plugins, cn=config Valid Range...
  • Page 189: Cn=Config

    Database Attributes under cn=monitor, cn=ldbm database, cn=plugins, cn=config attribute, which is used for autosizing the entry cache and database cache, is used during the Directory Server operations only and not during the ldif2db command-line operation; the attribute value is the percentage of free physical memory to be allocated for the entry cache and database cache.
  • Page 190: Database Attributes Under Cn=Netscaperoot, Cn=Ldbm Database, Cn=Plugins Cn=Config And Cn=Userroot, Cn=Ldbm Database, Cn=Plugins, Cn=Config

    Chapter 3. Plug-in Implemented Server Functionality Reference dbcachehitratio This attribute shows the percentage of requested pages found in the database cache (hits/tries). dbcachepagein This attribute shows the pages read into the database cache. dbcachepageout This attribute shows the pages written from the database cache to the backing file. dbcacheroevict This attribute shows the clean pages forced from the cache.
  • Page 191 r cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=userRoot, cn=ldbm database, cn=plugins, cn=config NOTE The performance counter for this setting goes to the highest 64-bit integer, even on 32-bit systems, but the setting itself is limited on 32-bit systems to the highest 32-bit integer because of how the system addresses memory.
  • Page 192 Chapter 3. Plug-in Implemented Server Functionality Reference Parameter Description Valid Range 500 kilobytes to 2^32-1 on 32-bit systems and to 2^64-1 on 64-bit systems Default Value 10,485,760 (10 megabytes) Syntax Integer Example nsslapd-cachememsize: 10485760 3.4.3.3. nsslapd-directory This attribute specifies the path to the database instance. If it is a relative path, it starts from the path specified by nsslapd-directory in the global database entry cn=config, cn=ldbm database, cn=plugins, cn=config.
  • Page 193 r cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=userRoot, cn=ldbm database, cn=plugins, cn=config Parameter Description Valid Values on | off Default Value Syntax DirectoryString Example nsslapd-require-index: off 3.4.3.6. nsslapd-suffix This attribute specifies the suffix of the database link. This is a single-valued attribute because each database instance can have only one suffix.
  • Page 194 Chapter 3. Plug-in Implemented Server Functionality Reference NOTE This attribute is only available to user databases like userRoot, not configuration databases like o=NetscapeRoot. Parameter Description Entry DN cn=index_name, cn=userRoot, cn=ldbm database, cn=plugins, cn=config Valid Values 0 (disabled) | 1 (enabled) Default Value Syntax DirectoryString...
  • Page 195 r cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=userRoot, cn=ldbm database, cn=plugins, cn=config 2.16.840.1.113730.3.2.42 Required Attributes Attribute Definition objectClass Defines the object classes for the entry. Gives the common name of the entry. vlvSort Identifies the attribute list that the browsing index (virtual list view index) is sorted on.
  • Page 196 Chapter 3. Plug-in Implemented Server Functionality Reference Superior Class 2.16.840.1.113730.3.2.38 Required Attributes Attribute Definition objectClass Defines the object classes for the entry. vlvBase Identifies the base DN on which the browsing index is created. vlvScope Identifies the scope that defines the browsing index. vlvFilter Identifies the filter string that defines the browsing index.
  • Page 197: Database Attributes Under Cn=Database, Cn=Monitor, Cn=Ldbm Database Cn=Plugins, Cn=Config

    Database Attributes under cn=database, cn=monitor, cn=ldbm database, cn=plugins, cn=config 3.4.3.14. vlvUses This attribute contains the count for the browsing or virtual list view (VLV) index. For more information on VLV indexes, see the indexing chapter in the Administrator's Guide. NOTE This attribute is only available to user databases like userRoot, not configuration databases like o=NetscapeRoot.
  • Page 198 Chapter 3. Plug-in Implemented Server Functionality Reference nsslapd-db-cache-try This attribute shows the total cache lookups. nsslapd-db-cache-region-wait-rate This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock. nsslapd-db-cache-size-bytes This attribute shows the total cache size in bytes. nsslapd-db-clean-pages This attribute shows the clean pages currently in the cache.
  • Page 199 Database Attributes under cn=database, cn=monitor, cn=ldbm database, cn=plugins, cn=config nsslapd-db-lockers This attribute shows the number of current lockers. nsslapd-db-log-bytes-since-checkpoint This attribute shows the number of bytes written to this log since the last checkpoint. nsslapd-db-log-region-wait-rate This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
  • Page 200: Database Attributes Under Cn=Default Indexes, Cn=Config, Cn=Ldbm Database Cn=Plugins, Cn=Config

    Chapter 3. Plug-in Implemented Server Functionality Reference 3.4.5. Database Attributes under cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config The set of default indexes is stored here. Default indexes are configured per backend in order to optimize Directory Server functionality for the majority of setup scenarios. All indexes, except system- essential ones, can be removed, but care should be taken so as not to cause unnecessary disruptions.
  • Page 201 Database Attributes under cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config Attribute Definition Gives the common name of the entry. nsSystemIndex Identifies whether or not the index is a system-defined index. Allowed Attributes Attribute Definition description Gives a text description of the entry. nsIndexType Identifies the index type.
  • Page 202: Database Attributes Under Cn=Monitor, Cn=Netscaperoot, Cn=Ldbm Database Cn=Plugins, Cn=Config

    Chapter 3. Plug-in Implemented Server Functionality Reference NOTE Any change to this attribute will not take effect until the change is saved and the index is rebuilt using db2index, which is described in more detail in the "Managing Indexes" chapter of the Directory Server Administrator's Guide. Parameter Description Entry DN...
  • Page 203: Cn=Config

    apeRoot, cn=ldbm database, cn=plugins, cn=config and cn=index, cn=UserRoot, cn=ldbm database, cn=plugins, cn=config dbfilecachemiss This attribute gives the number of times that a search requiring data from this file was performed and that the data could not be obtained from the cache. dbfilepagein This attribute gives the number of pages brought to the cache from this file.
  • Page 204 Chapter 3. Plug-in Implemented Server Functionality Reference would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is helpful to increase the number of indexed searches. This substring length can be edited based on the position of any wildcard characters. The nsSubStrBegin attribute sets the required number of characters for an indexed search for the beginning of a search string, before the wildcard.
  • Page 205: Database Attributes Under Cn=Attributename, Cn=Encrypted Attributes Cn=Database_Name, Cn=Ldbm Database, Cn=Plugins, Cn=Config

    Attributes under cn=attributeName, cn=encrypted attributes, cn=database_name, cn=ldbm database, cn=plugins, cn=config would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is helpful to increase the number of indexed searches. This substring length can be edited based on the position of any wildcard characters. The nsSubStrMiddle attribute sets the required number of characters for an indexed search where a wildcard is used in the middle of a search string.
  • Page 206 Chapter 3. Plug-in Implemented Server Functionality Reference dn:cn=userPassword, cn=encrypted attributes,o=UserRoot, cn=ldbm database, cn=plugins, cn=config objectclass:top objectclass:nsAttributeEncryption cn:userPassword nsEncryptionAlgorithm:AES To configure database encryption, see the "Database Encryption" section of the "Configuring Directory Databases" chapter in the Directory Server Administrator's Guide. For more information about indexes, refer to the "Managing Indexes"...
  • Page 207: Database Link Plug-In Attributes (Chaining Attributes)

    Database Link Plug-in Attributes (Chaining Attributes) Parameter Description Example nsEncryptionAlgorithm: AES 3.5. Database Link Plug-in Attributes (Chaining Attributes) The database link plug-in attributes are also organized in an information tree, as shown in the following diagram: Figure 3.4. Database Link Plug-in All plug-in technology used by the database link instances is stored in the cn=chaining database plug-in node.
  • Page 208 Chapter 3. Plug-in Implemented Server Functionality Reference Parameter Description Example nsActiveChainingComponents: cn=uid uniqueness, cn=plugins, cn=config 3.5.1.2. nsMaxResponseDelay This error detection, performance-related attribute specifies the maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected.
  • Page 209: Database, Cn=Plugins, Cn=Config

    Database Link Attributes under cn=default instance config, cn=chaining database, cn=plugins, cn=config Parameter Description Entry DN cn=config, cn=chaining database, cn=plugins, cn=config Valid Values Any valid OID or the above listed controls forwarded by the database link Default Value None Syntax Integer Example nsTransmittedControls: 1.2.840.113556.1.4.473 3.5.2.
  • Page 210 Chapter 3. Plug-in Implemented Server Functionality Reference 3.5.2.3. nsBindRetryLimit Contrary to what the name suggests, this attribute does not specify the number of times a database link retries to bind with the remote server but the number of times it tries to bind with the remote server.
  • Page 211 Database Link Attributes under cn=default instance config, cn=chaining database, cn=plugins, cn=config 3.5.2.6. nsConcurrentBindLimit This attribute shows the maximum number of concurrent bind operations per TCP connection. Parameter Description Entry DN cn=default instance config, cn=chaining database, cn=plugins, cn=config Valid Range 1 to 25 binds Default Value Syntax Integer...
  • Page 212 Chapter 3. Plug-in Implemented Server Functionality Reference Parameter Description Entry DN cn=default instance config, cn=chaining database, cn=plugins, cn=config Valid Range 1 to n connections Default Value Syntax Integer Example nsOperationConnectionsLimit: 10 3.5.2.10. nsProxiedAuthorization Reserved for advanced use only. This attribute can disable proxied authorization with a value of off. Parameter Description Entry DN...
  • Page 213: Database Link Attributes Under Cn=Database_Link_Name, Cn=Chaining Database, Cn=Plugins, Cn=Config

    Database Link Attributes under cn=database_link_name, cn=chaining database, cn=plugins, cn=config Parameter Description Example nsslapd-sizelimit: 2000 3.5.2.13. nsTimeLimit This attribute shows the default search time limit for the database link. Parameter Description Entry DN cn=default instance config, cn=chaining database, cn=plugins, cn=config Valid Range -1 to maximum 32-bit integer (2147483647) seconds Default Value...
  • Page 214 Chapter 3. Plug-in Implemented Server Functionality Reference Parameter Description Entry DN cn=database_link_name, cn=chaining database, cn=plugins, cn=config Valid Values empty EXTERNAL DIGEST-MD5 GSSAPI Default Value empty Syntax DirectoryString Example nsBindMechanism: GSSAPI 3.5.3.2. nsFarmServerURL This attribute gives the LDAP URL of the remote server. A farm server is a server containing data in one or more databases.
  • Page 215: Cn=Chaining Database, Cn=Plugins, Cn=Config

    Database Link Attributes under cn=monitor, cn=database instance name, cn=chaining database, cn=plugins, cn=config Parameter Description Entry DN cn=database_link_name, cn=chaining database, cn=plugins, cn=config Valid Values Any valid password, which will then be encrypted using the DES reversible password encryption schema Default Value Syntax DirectoryString Example...
  • Page 216 Chapter 3. Plug-in Implemented Server Functionality Reference nsAddCount This attribute gives the number of add operations received. nsDeleteCount This attribute gives the number of delete operations received. nsModifyCount This attribute gives the number of modify operations received. nsRenameCount This attribute gives the number of rename operations received. nsSearchBaseCount This attribute gives the number of base level searches received.
  • Page 217: Retro Changelog Plug-In Attributes

    Retro Changelog Plug-in Attributes 3.6. Retro Changelog Plug-in Attributes Two different types of changelogs are maintained by Directory Server. The first type, referred to as simply a changelog, is used by multi-master replication, and the second changelog, a plug-in referred to as the retro changelog, is intended for use by LDAP clients for maintaining application compatibility with Directory Server 4.x versions.
  • Page 218: Distributed Numeric Assignment Plug-In Attributes

    Chapter 3. Plug-in Implemented Server Functionality Reference NOTE Expired changelog records will not be removed if there is an agreement that has fallen behind further than the maximum age. Parameter Description Entry DN cn=Retro Changelog Plugin, cn=plugins, cn=config Valid Range 0 (meaning that entries are not removed according to their age) to the maximum 32 bit integer value (2147483647)
  • Page 219: Dnamagicregen

    dnaMagicRegen 3.7.2. dnaMagicRegen This attribute sets a user-defined value that instructs the plug-in to assign a new value for the entry. The magic value can be used to assign new unique numbers to existing entries or to use as a standard setting when adding new entries.
  • Page 220: Dnanextvalue

    Chapter 3. Plug-in Implemented Server Functionality Reference NOTE The dnaNextRange attribute is handled internally if it is not set explicitly. When it is handled automatically, the dnaMaxValue attribute serves as the upper limit for the next range. The attribute sets the range in the format lower_range-upper_range. Parameter Description Entry DN...
  • Page 221: Dnarangerequesttimeout

    dnaRangeRequestTimeout Parameter Description Example dnaPrefix: id 3.7.7. dnaRangeRequestTimeout One potential situation with the Distributed Numeric Assignment Plug-in is that one server begins to run out of numbers to assign. The dnaThreshold attribute sets a threshold of available numbers in the range, so that the server can request an additional range from the other servers before it is unable to perform number assignments.
  • Page 222: Dnathreshold

    Chapter 3. Plug-in Implemented Server Functionality Reference NOTE The shared configuration entry must be configured in the replicated subtree, so that the entry can be replicated to the servers. For example, if the ou=People,dc=example,dc=com subtree is replicated, then the configuration entry must be in that subtree, such as ou=UID Number Ranges, ou=People,dc=example,dc=com.
  • Page 223: Memberof Plug-In Attributes

    MemberOf Plug-in Attributes This is required to set up distributed numeric assignments for an attribute. Parameter Description Entry DN cn=Distributed Numeric Assignment Plugin, cn=plugins, cn=config Valid Range Any Directory Server attribute Default Value None Syntax DirectoryString Example dnaType: uidNumber 3.8. MemberOf Plug-in Attributes Group membership is defined within group entries using an attribute such as member.
  • Page 224 Chapter 3. Plug-in Implemented Server Functionality Reference Some member-related attributes do not contain a DN, like the memberURL attribute. That attribute will not work as a value for memberofgroupattr, since the memberURL value is a URL and a non-DN value cannot work with the MemberOf Plug-in. Parameter Description Entry DN...
  • Page 225: Overview Of Directory Server Files

    Chapter 4. Server Instance File Reference This chapter provides an overview of the files that are specific to an instance of Red Hat Directory Server (Directory Server) — the files stored in the /etc/dirsrv/slapd-instance_name directory. Having an overview of the files and configuration information stored in each instance of Directory Server helps with understanding the file changes (or lack of file changes) which occur in the course of directory activity.
  • Page 226: Backup Files

    Chapter 4. Server Instance File Reference File or Directory Location /var/run/dirsrv Tools /usr/bin /usr/sbin /usr/lib64/mozldap6 Instance directory /usr/lib64/dirsrv/slapd-instance Table 4.2. Red Hat Enterprise Linux 4 and 5 (x86_64) File or Directory Location Backup files /var/opt/dirsrv/slapd-instance/bak Configuration files /etc/opt/dirsrv/slapd-instance Database files /var/opt/dirsrv/slapd-instance/db Runtime files /var/opt/dirsrv/instance...
  • Page 227 Database Files __db.002 __db.004 DBVERSION log.0000000007 userRoot/ Example 4.1. Database Directory Contents • db.00x files — Used internally by the database and should not be moved, deleted, or modified in any way. • log.xxxxxxxxxx files — Used to store the transaction logs per database. •...
  • Page 228: Ldif Files

    Chapter 4. Server Instance File Reference 4.5. LDIF Files Sample LDIF files are stored in the /var/lib/dirsrv/slapd-instance_name/ldif directory for storing LDIF-related files. Example 4.3, “LDIF Directory Contents” lists the /ldif directory contents. European.ldif Example.ldif Example-roles.ldif Example-views.ldif Example 4.3. LDIF Directory Contents •...
  • Page 229: Log Files

    Log Files For more information on using LDAP utilities, see the Directory Server Administrator's Guide. 4.7. Log Files Each Directory Server instance contains a /var/log/dirsrv/slapd-instance_name directory for storing log files. The following is a sample listing of the /logs directory contents. access access.20090228-171925 errors...
  • Page 230: Scripts

    Chapter 4. Server Instance File Reference ldapcompare ldapdelete-bin ldappasswd ldapsearch-bin Example 4.8. LDAP Tool Directory Contents 4.10. Scripts Directory Server command-line scripts are stored in the /etc/dirsrv/slapd-instance_name directory. The contents of the /etc/dirsrv/slapd-instance_name directory are listed in Example 4.9, “Instance Directory Contents”.
  • Page 231 Chapter 5. Log File Reference Red Hat Directory Server (Directory Server) provides logs to help monitor directory activity. Monitoring helps in quickly detecting and remedying failures and, where done proactively, in anticipating and resolving potential problems before they result in failure or poor performance. Part of monitoring the directory effectively is understanding the structure and content of the log files.
  • Page 232: Access Logging Levels

    Chapter 5. Log File Reference 5.1.1. Access Logging Levels Different levels of access logging generate different amounts of detail and record different kinds of operations. The log level is set in the instance's nsslapd-accesslog-level configuration attribute. The default level of logging is level 256, which logs access to an entry, but there are five different log levels available: •...
  • Page 233: Connection Number

    Default Access Logging Content
    [21/Apr/2009:11:39:53 -0700] conn=13 op=3 RESULT err=0 tag=120 nentries=0 etime=0
    [21/Apr/2009:11:39:53 -0700] conn=13 op=4 UNBIND
    [21/Apr/2009:11:39:53 -0700] conn=13 op=4 fd=659 closed - U1
    [21/Apr/2009:11:39:55 -0700] conn=14 fd=700 slot=700 connection from 207.1.153.51 to 192.18.122.139
    [21/Apr/2009:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
    [21/Apr/2009:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [21/Apr/2009:11:39:55 -0700] conn=14 op=1 BIND dn="uid=jdoe,dc=example,dc=com"...
  • Page 234: Version Number

    Chapter 5. Log File Reference
    [21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
    In Section 5.1.2, "Default Access Logging Content", we have op=0 for the bind operation request and result pair, then op=1 for the LDAP search request and result pair, and so on. The entry op=-1 in the access log generally means that the LDAP request for this connection was not issued by an external LDAP client but, instead, initiated internally.
  • Page 235 Default Access Logging Content
    tag=107: A result from a delete operation.
    tag=109: A result from a moddn operation.
    tag=111: A result from a compare operation.
    tag=115: A search reference when the entry on which the search was performed holds a referral to the required entry.
  • Page 236: Unindexed Search Indicator

    Chapter 5. Log File Reference • ABANDON for abandon operation If the LDAP request resulted in sorting of entries, then the message SORT serialno will be recorded in the log, followed by the number of candidate entries that were sorted. For example: [04/May/2009:15:51:46 -0700] conn=114 op=68 SORT serialno (1) The number enclosed in parentheses specifies the number of candidate entries that were sorted, which in this case is 1.
  • Page 237 Default Access Logging Content ResponseInformation has the following form: targetPosition:contentCount (resultCode) The example below highlights the VLV-specific entries:
    [07/May/2009:11:43:29 -0700] conn=877 op=8530 SRCH base="(ou=People)" scope=2 filter="(uid=*)"
    [07/May/2009:11:43:29 -0700] conn=877 op=8530 SORT uid
    [07/May/2009:11:43:29 -0700] conn=877 op=8530 VLV 0:5:0210 10:5397 (0)
    [07/May/2009:11:43:29 -0700] conn=877 op=8530 RESULT err=0 tag=101 nentries=1 etime=0
    In the above example, the first part, 0:5:0210, is the VLV request information: •...
  • Page 238: Abandon Message

    Chapter 5. Log File Reference
    Extended Operation Name / OID / Description
    ...Replication Request Extended Operation.
    Directory Server End Replication Request (2.16.840.1.113730.3.5.5): Sent to indicate that a replication session is to be terminated.
    Directory Server Replication Entry Request (2.16.840.1.113730.3.5.6): Carries an entry, along with its state information (csn and UniqueIdentifier), and is used to perform a replica...
  • Page 239: Access Log Content For Additional Access Logging Levels

    Access Log Content for Additional Access Logging Levels same operation. The message ID is used with an ABANDON operation and tells the user which client operation is being abandoned. [21/Apr/2009:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2 NOTE The Directory Server operation number starts counting at 0, and, in the majority of LDAP SDK/client implementations, the message ID number starts counting at 1, which explains why the message ID is frequently equal to the Directory Server operation number plus 1.
  • Page 240: Connection Description

    Chapter 5. Log File Reference
    [12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-referral" options=persistent
    [12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
    [12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-state"
    [12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
    Example 5.2.
  • Page 241: Common Connection Codes

    Common Connection Codes 5.1.4. Common Connection Codes A connection code is a code that is added to the closed log message to provide additional information related to the connection closure. Connection Code Description Client aborts the connection. Corrupt BER tag encountered. If BER tags, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log.
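The default-level access log lines shown on the preceding pages, with their conn= and op= numbers, BIND/RESULT pairing, SASL err=14 continuation, notes=U unindexed-search indicator and closure codes, can be processed mechanically. The following Python script is an added example, not code from this reference or from the Directory Server project. It parses lines of that shape, correlates each RESULT with the pending BIND on the same connection, and reports failed binds (any non-zero bind result other than the err=14 SASL continuation), anonymous simple binds (dn="" with method=128), unindexed searches with the identity that ran them, and closures by connection code. SAMPLE_LOG is constructed for the example in the format of the excerpts above; its addresses, DNs, entry counts and result codes are invented.

```python
"""Parse default-level Directory Server access-log lines and flag what a security
reviewer looks for: failed binds, anonymous simple binds, unindexed searches and
connection-closure codes. Added example, not code from the manual. SAMPLE_LOG is
constructed in the shape of the excerpts above; its hosts and DNs are made up."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+|Internal)"
    r"(?: op=(?P<op>-?\d+))?(?: fd=\d+)?(?: slot=\d+)? ?(?P<rest>.*)$")
CONN_RE = re.compile(r"connection from (?P<src>\S+) to (?P<dst>\S+)")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)'
                     r"(?: version=\d+)?(?: mech=(?P<mech>\S+))?")
RESULT_RE = re.compile(r"RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) "
                       r"nentries=(?P<nentries>\d+) etime=(?P<etime>[\d.]+)")
CLOSED_RE = re.compile(r"closed - (?P<code>[A-Z]\d)")

SIMPLE_BIND = "128"         # method=128 is a simple (password) bind
TAG_BIND_RESULT = "97"      # tag=97 is the result of a BIND
ERR_SASL_IN_PROGRESS = 14   # err=14 continues a multi-stage SASL bind; not a failure


def parse_line(line):
    """Return a dict describing one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    rest = ev["rest"]
    if (c := CONN_RE.search(rest)):
        ev.update(kind="connect", **c.groupdict())
    elif (b := BIND_RE.search(rest)):
        ev.update(kind="bind", **b.groupdict())
    elif (r := RESULT_RE.search(rest)):
        ev.update(kind="result", **r.groupdict())
        ev["unindexed"] = "notes=U" in rest      # unindexed-search indicator
    elif (cl := CLOSED_RE.search(rest)):
        ev.update(kind="closed", **cl.groupdict())
    elif rest.startswith("UNBIND"):
        ev["kind"] = "unbind"
    else:
        ev["kind"] = rest.split(" ", 1)[0]       # SRCH, MOD, ADD, DEL, ...
    return ev


def analyze(lines):
    """Correlate lines by conn= (and the pending BIND op) and collect findings."""
    conns = {}
    report = {"failed_binds": [], "anonymous_binds": [], "unindexed": [],
              "closures": Counter()}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        st = conns.setdefault(ev["conn"], {"src": None, "bind_dn": None, "pending": None})
        if ev["kind"] == "connect":
            st["src"] = ev["src"]
        elif ev["kind"] == "bind":
            st["pending"] = ev                   # resolved by the matching RESULT line
            if ev["dn"] == "" and ev["method"] == SIMPLE_BIND:
                report["anonymous_binds"].append((ev["conn"], st["src"]))
        elif ev["kind"] == "result":
            err = int(ev["err"])
            if ev["tag"] == TAG_BIND_RESULT and st["pending"] is not None:
                if err == 0:
                    st["bind_dn"] = st["pending"]["dn"]
                    st["pending"] = None
                elif err != ERR_SASL_IN_PROGRESS:
                    report["failed_binds"].append((st["pending"]["dn"], st["src"], err))
                    st["pending"] = None
            if ev["unindexed"]:
                report["unindexed"].append((ev["conn"], ev["op"], st["bind_dn"]))
        elif ev["kind"] == "closed":
            report["closures"][ev["code"]] += 1
    return report


def bind_failures_by_source(report):
    """Failed binds per (DN, client address): the password-guessing view."""
    return Counter((dn, src) for dn, src, _ in report["failed_binds"])


SAMPLE_LOG = """\
[21/Apr/2009:11:39:55 -0700] conn=14 fd=700 slot=700 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Apr/2009:11:39:55 -0700] conn=14 op=1 BIND dn="uid=jdoe,dc=example,dc=com" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2009:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:56 -0700] conn=14 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=*)" attrs=ALL
[21/Apr/2009:11:39:56 -0700] conn=14 op=2 RESULT err=0 tag=101 nentries=500 etime=3 notes=U
[21/Apr/2009:11:39:57 -0700] conn=14 op=3 fd=700 closed - U1
[21/Apr/2009:11:40:01 -0700] conn=15 fd=701 slot=701 connection from 10.9.8.7 to 192.18.122.139
[21/Apr/2009:11:40:01 -0700] conn=15 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2009:11:40:01 -0700] conn=15 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:40:02 -0700] conn=15 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2009:11:40:02 -0700] conn=15 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:40:02 -0700] conn=15 op=2 BIND dn="" method=128 version=3
[21/Apr/2009:11:40:02 -0700] conn=15 op=2 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2009:11:40:03 -0700] conn=15 op=3 fd=701 closed - B1
"""
```

`analyze(SAMPLE_LOG.splitlines())` returns the findings as a dict; `bind_failures_by_source` gives the per-DN, per-client count, which is the first thing to look at when the access log shows a burst of err=49 bind results. The parser is deliberately strict: a line that does not match the default layout returns None rather than a partial event, so lines produced at the higher logging levels (internal operations, for example) are visible as gaps rather than misreported.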
  • Page 242: Error Log Logging Levels

    Chapter 5. Log File Reference 5.2.1. Error Log Logging Levels The error log can record different amounts of detail for operations, as well as different kinds of information depending on the type of error logging enabled. The logging level is set in the nsslapd-errorlog-level configuration attribute.
  • Page 243: Error Log Content

    Error Log Content
    Setting / Console Name / Description
    4096 (Housekeeping): Housekeeping thread debugging.
    8192 (Replication): Logs detailed information about every replication-related operation, including updates and errors, which is important for debugging replication problems.
    16384 (Default): Default level of logging used for critical errors and other messages that are always written to the error log, such as server startup messages.
  • Page 244: Error Log Content For Other Log Levels

    Chapter 5. Log File Reference • The plug-in being called, for internal operations. • Functions called by the plug-in, for internal operations. • Messages returned by the plug-in or operation, which may include LDAP error codes, connection information, or entry information. Frequently, the messages for an operation appear on multiple lines of the log, but these are not identified with a connection number or operation number.
  • Page 245 Error Log Content for Other Log Levels [timestamp] NSMMReplicationPlugin - agmt="name" (consumer_host:consumer_port): current_task For example: [09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replicageneration} 4949df6e000000010000 {replicageneration} means that the new information is being sent, and 4949df6e000000010000 is the change sequence number of the entry being replicated. Example 5.4, “Replication Error Log Entry”...
  • Page 246 Chapter 5. Log File Reference
    [09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): replay_update: Consumer successfully sent operation with csn 49679b20000000010000
    [09/Jan/2009:13:44:48 -0500] agmt="cn=example2" (alt:13864) - clcache_load_buffer: rc=-30990
    [09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): No more updates to send (cl5GetNextOperationToReplay)
    [09/Jan/2009:13:44:48 -0500] - repl5_inc_waitfor_async_results: 0 5
    [09/Jan/2009:13:44:49 -0500] - repl5_inc_result_threadmain starting
    [09/Jan/2009:13:44:49 -0500] - repl5_inc_result_threadmain: read result for message_id 5
    [09/Jan/2009:13:44:49 -0500] - repl5_inc_result_threadmain: result 3, 0, 0, 5, (null)
  • Page 247: Audit Log Reference

    Audit Log Reference NOTE Example 5.5, “Example ACL Plug-in Error Log Entry with Plug-in Logging” shows both plug-in logging and search filter processing (log level 32). Many other kinds of logging have similar output to the plug-in logging level, only for different kinds of internal operations.
  • Page 248 Chapter 5. Log File Reference
    timestamp: date
    dn: modified_entry
    changetype: action
    action: attribute
    attribute: new_value
    replace: modifiersname
    modifiersname: dn
    replace: modifytimestamp
    modifytimestamp: date
    LDIF files and formats are described in more detail in the "LDAP Data Interchange Format" appendix of the Administrator's Guide. Example 5.8, "Audit Log Content".
  • Page 249: Ldap Result Codes

    LDAP Result Codes replace: modifytimestamp modifytimestamp: 20090109181810Z Example 5.8. Audit Log Content The audit log does not have any other log level to set. 5.4. LDAP Result Codes LDAP has a set of result codes with which it is useful to be familiar. Result Code Defined Value Result Code...
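An audit log record is an LDIF change record introduced by a timestamp line, following the template on the preceding page, and the log has no level to tune, so anything of interest has to be found by reading the records. The following Python script is an added example and is not part of this reference or of the Directory Server project. It splits the log into records, decodes base-64 (::) values, and flags the changes a reviewer wants first: modifications that touch userPassword, aci or nsAccountLock (the SENSITIVE_ATTRS set is this example's choice), changes to entries under cn=config, and changes whose modifiersname is not in a caller-supplied trusted set. SAMPLE_AUDIT is constructed for the example with invented DNs and values; the record-start key 'time:' (the template above writes 'timestamp:'; both are accepted) is an assumption of the example.

```python
"""Parse Directory Server audit-log records (LDIF change records, each introduced
by its timestamp line) and flag sensitive changes. Added example, not code from
the manual. SAMPLE_AUDIT is constructed to match the record layout shown above.
Assumptions: the record-start key is 'time' or 'timestamp', and the attributes
treated as sensitive are the ones in SENSITIVE_ATTRS (this example's choice)."""
import base64
from dataclasses import dataclass, field

SENSITIVE_ATTRS = {"userpassword", "aci", "nsaccountlock"}


@dataclass
class AuditRecord:
    time: str
    dn: str = ""
    changetype: str = ""
    modifiersname: str = ""
    mods: list = field(default_factory=list)    # (add|delete|replace, attr) for modify
    attrs: dict = field(default_factory=dict)   # attr -> [values] as written in the record


def _split_attr(line):
    """Split 'attr: value' or 'attr:: base64value' into (lowercase attr, value)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):                   # '::' marks a base-64 encoded value
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return name.strip().lower(), value.strip()


def parse_audit_log(text):
    """Return one AuditRecord per blank-line separated record."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln and not ln.startswith("#")]
        if not lines:
            continue
        key, when = _split_attr(lines[0])
        if key not in ("time", "timestamp"):    # every record starts with its timestamp
            continue
        rec = AuditRecord(time=when)
        for ln in lines[1:]:
            if ln == "-":                       # separates the operations of one modify
                continue
            attr, value = _split_attr(ln)
            if attr == "dn":
                rec.dn = value
            elif attr == "changetype":
                rec.changetype = value
            elif attr in ("add", "delete", "replace") and rec.changetype == "modify":
                rec.mods.append((attr, value.lower()))
            else:
                rec.attrs.setdefault(attr, []).append(value)
                if attr == "modifiersname":
                    rec.modifiersname = value
        records.append(rec)
    return records


def audit_findings(records, trusted_modifiers=frozenset()):
    """Flag sensitive-attribute changes, cn=config changes and untrusted modifiers.
    trusted_modifiers holds lowercase DNs that are expected to make changes."""
    findings = []
    for r in records:
        touched = {a for _, a in r.mods} | set(r.attrs)
        for a in sorted(touched & SENSITIVE_ATTRS):
            findings.append((r.time, r.dn, "%s touches %s" % (r.changetype, a), r.modifiersname))
        if r.dn.lower().endswith("cn=config"):
            findings.append((r.time, r.dn, "server configuration changed", r.modifiersname))
        if r.modifiersname and r.modifiersname.lower() not in trusted_modifiers:
            findings.append((r.time, r.dn, "modifier not in trusted set", r.modifiersname))
    return findings


SAMPLE_AUDIT = """\
time: 20090109181810
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}ZmFrZS1oYXNoLWZvci1leGFtcGxlLW9ubHk=
-
replace: modifiersname
modifiersname: cn=Directory Manager
-

time: 20090109181955
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "self"; allow (all) userdn="ldap:///self";)
-
replace: description
description:: 0J/RgNC40LLQtdGC
-
replace: modifiersname
modifiersname: uid=jdoe,ou=People,dc=example,dc=com
-
"""
```

`audit_findings(parse_audit_log(SAMPLE_AUDIT), trusted_modifiers=frozenset({"cn=directory manager"}))` reports the password reset by the Directory Manager as a sensitive change, and the second record twice: it adds an aci, and it was made by an ordinary user. The trusted set should be the small list of service and administrator DNs that legitimately write to the directory; anything else writing aci or userPassword is worth a ticket.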
  • Page 251: Using Special Characters

    Chapter 6. Command-Line Utilities This chapter contains reference information on command-line utilities used with Red Hat Directory Server (Directory Server). These command-line utilities make it easy to perform administration tasks on the Directory Server. 6.1. Finding and Executing Command-Line Utilities The ldapsearch, ldapmodify, ldapdelete, and ldappasswd command-line utilities are provided as a separate package, called either mozldap-tools or mozldap6-tools, and the utilities are installed in /usr/lib/mozldap or /usr/lib/mozldap6, respectively.
  • Page 252: Command-Line Utilities Quick Reference

    Chapter 6. Command-Line Utilities 6.3. Command-Line Utilities Quick Reference The following table provides a summary of the command-line utilities provided for Directory Server. Command-Line Utility Description ldapsearch Searches the directory and returns search results in LDIF format. For details on this tool, see the "Finding Directory Entries"...
  • Page 253 ldapsearch Additional ldapsearch Options • Syntax ldapsearch -b basedn -s scope [ optional_options ] "(attribute=filter)" [ optional_list_of_attributes ] For any value that contains a space ( ), the value should be enclosed in double quotation marks. For example: -b "ou=groups, dc=example,dc=com" Option Description optional_options...
  • Page 254 Chapter 6. Command-Line Utilities Option Description This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks. For example: -b "cn=Barbara Jensen, ou=Product Development, dc=example,dc=com"...
  • Page 255 ldapsearch Option Description Specifies the maximum number of seconds to wait for a search request to complete. For example: -l 300 Regardless of the value specified here, ldapsearch will never wait longer than is allowed by the server's nsslapd-timelimit attribute, unless the authenticated user is the Directory Manager.
  • Page 256 Chapter 6. Command-Line Utilities Option Description Specifies that the search results are sorted on the server rather than on the client. This is useful to sort according to a matching rule, as with an international search. In general, it is faster to sort on the server rather than on the client.
  • Page 257: Ssl Options

    ldapsearch Option Description also be used with other ldapsearches, not only persistent searches. PS:changetype Specifies which types of changes to entries allow the entry to be returned in the persistent search. There are four options: • add • delete • modify •...
  • Page 258 Chapter 6. Command-Line Utilities Option Description Specifies that hostnames should be checked in SSL certificates. Specifies the SSL key password file that contains the token:password pair. Specifies the absolute path, including the filename, of the private key database of the client.
  • Page 259 ldapsearch Option Description Specifies the token and certificate name, separated by a colon (:), for PKCS11. Specifies the password for the private key database identified in the -P option. For example: -W secret If a dash (-) is used as the password value, the utility prompts for the password after the command is entered.
  • Page 260 Chapter 6. Command-Line Utilities Option Description • secProp, the security properties • realm, the Kerberos realm • flags The expected values depend on the supported mechanism. The -o can be used multiple times to pass all of the required SASL information for the mechanism.
  • Page 261 ldapsearch Required or Optional Option Description Example • noactive — Do not permit mechanisms susceptible to active attacks. • nodict — Do not permit mechanisms susceptible to passive dictionary attacks. • forwardsec — Require forward secrecy. • passcred — Attempt to pass client credentials.
  • Page 262 Chapter 6. Command-Line Utilities
    Required or Optional / Option / Description / Example
    ...using integrity or privacy settings.
    Table 6.7. Description of CRAM-MD5 Mechanism Options
    Required: mech=DIGEST-MD5. Gives the SASL mechanism. Example: -o "mech=DIGEST-MD5"
    Required: authid=authid_value. Gives the ID used to authenticate to the server. Example: "authid=dn:uid=msmith,ou=People,o=exampl
  • Page 263 ldapsearch Required or Optional Option Description Example • maxssf — Require a maximum security strength; this option needs a numeric value specifying bits of encryption. A value of -1 means integrity is provided without privacy. The maximum value is 128.
  • Page 264 Chapter 6. Command-Line Utilities Required or Optional Option Description Example value specifying bits of encryption. A value of -1 means integrity is provided without privacy. • maxssf — Require a maximum security strength; this option needs a numeric value specifying bits of encryption.
  • Page 265 ldapsearch Option Description attribute name from the corresponding value. For example: -F + Specifies the file containing the search filters to be used in the search. For example: -f search_filters option to supply a search filter directly to the command line. For more information about search filters, see Appendix B, "Finding Directory Entries", in the Directory Server Administrator's Guide.
  • Page 266 Chapter 6. Command-Line Utilities Option Description ldapsearch converts the input from these arguments before it processes the search request. For example, -i no indicates that the bind DN, base DN, and search filter are provided in Norwegian. This argument only affects the command-line input;...
  • Page 267 ldapsearch Option Description Specifies the attribute to use as the sort criteria. For example: -S sn Use multiple -S arguments to further define the sort order. In the following example, the search results will be sorted first by surname and then by given name: -S sn -S givenname The default is not to sort the returned entries.
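The ldapsearch syntax on the preceding pages takes the filter as an ordinary argument, so a value spliced into it from user input needs the escaping defined in RFC 4515, or the caller can rewrite the filter (a uid of `*)(userPassword=*` turns `(uid=...)` into a search for every entry with a password). The following Python helper is an added example, not code from this reference or from the mozldap tools. It escapes assertion values, assembles the argv list from the -h, -p, -b, -s, -D, -w -, -Z/-P and -ZZ options described in this chapter, keeps the bind password off the command line by using the documented `-w -` prompt, and renders the argv with shell quoting for the values-with-spaces case the option table describes. The host, DNs and attribute names are invented.

```python
"""Build a mozldap ldapsearch invocation safely: escape the assertion value so
caller-supplied input cannot rewrite the filter, keep the bind password off the
command line, and pass argv to the tool without a shell. Added example, not code
from the manual; the host, DNs and attribute names are made up."""
import shlex
import subprocess

_ESCAPE = {0x00, 0x28, 0x29, 0x2a, 0x5c}   # NUL ( ) * \  (RFC 4515 section 3)


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value: specials, NUL and non-ASCII become \\XX hex."""
    out = []
    for b in value.encode("utf-8"):
        out.append("\\%02x" % b if b in _ESCAPE or b > 0x7f else chr(b))
    return "".join(out)


def user_filter(uid: str) -> str:
    """'(uid=...)' with the value escaped, so '*' or ')(' in uid stay literal."""
    return "(uid=%s)" % escape_filter_value(uid)


def build_ldapsearch(base, filter_, attrs=(), scope="sub", host="localhost", port=389,
                     bind_dn=None, certdb=None, starttls=False):
    """Return the argv list for ldapsearch. Values with spaces need no quoting here
    because argv is handed to the process directly, not through a shell."""
    argv = ["ldapsearch", "-h", host, "-p", str(port), "-b", base, "-s", scope]
    if bind_dn:
        argv += ["-D", bind_dn, "-w", "-"]   # -w - prompts; the secret never reaches ps or history
    if certdb:
        argv += ["-Z", "-P", certdb]         # LDAPS, with the client certificate database
    elif starttls:
        argv.append("-ZZ")                   # Start TLS on the cleartext port
    argv.append(filter_)
    argv.extend(attrs)
    return argv


def to_shell(argv) -> str:
    """Render argv as a copy-pasteable shell command with correct quoting."""
    return " ".join(shlex.quote(a) for a in argv)


def run_ldapsearch(argv, timeout=30):
    """Execute without a shell; returns (exit status, LDIF output on stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout
```

`run_ldapsearch` inherits the terminal, so the `-w -` prompt still works when the script is run interactively; for unattended use, read the password from a file with restrictive permissions rather than putting it in argv. `to_shell` is only for showing or logging the command: the quoting it produces is what the option table means by enclosing a DN containing spaces in double quotation marks.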
  • Page 268: Ldapmodify

    Chapter 6. Command-Line Utilities Option Description "nsroledn userPassword" Table 6.10. Additional ldapsearch Options
    6.5. ldapmodify
    ldapmodify makes changes to directory entries via LDAP.
    • Syntax
    • Commonly-Used ldapmodify Options
    • SSL Options
    • SASL Options
    • Additional ldapmodify Options
    Syntax
    ldapmodify optional_options
    ldapmodify [ -D binddn ] [ -w passwd ] [ -acmnrvFR ] [ -d debug_level ] [ -h host ] [ -p port ] [ -M auth_mechanism ] [ -Z/ZZ/ZZZ ] [ -V version ] [ -f file ] [ -l number_of_ldap_connections ]...
  • Page 269 ldapmodify Option Description Option that specifies the file containing the LDIF update statements used to define the directory modifications. For example: -f modify_statements If this option is not supplied, the update statements are read from stdin. For information on supplying LDIF update statements from the command-line, see the "Creating Directory Entries"...
  • Page 270 Chapter 6. Command-Line Utilities Option Description If a dash (-) is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line. Table 6.11. Commonly-Used ldapmodify Options SSL Options Use the following command-line options to specify that ldapmodify is to use LDAP over SSL (LDAPS) when communicating with the Directory Server.
  • Page 271 ldapmodify Option Description option can be pointed to the certificate database for the web browser. For example: -P /security/cert.db The client security files can be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory. In this case, the -P option calls out a path and filename similar to the following: -P /etc/dirsrv/slapd-instance_name/client-cert.db...
  • Page 272 Chapter 6. Command-Line Utilities Option Description • authid, the user who is binding to the server (Kerberos principal) • authzid, a proxy authorization (ignored by the server since proxy authorization is not supported) • secProp, the security properties • realm, the Kerberos realm •...
  • Page 273 ldapmodify Option Description jpegphoto:< file:///tmp/myphoto.jpg Although the official notation requires three ///, the use of one / is accepted. NOTE The :< URL specifier notation only works if LDIF statement is version 1 or later, meaning version: 1 is inserted in the LDIF file. Otherwise, the file URL is appended as the attribute value rather than the contents of the file.
  • Page 274: Ldapdelete

    Chapter 6. Command-Line Utilities Option Description -V 2 LDAPv3 is the default. An LDAPv3 operation cannot be performed against a Directory Server that only supports LDAPv2. Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes.
  • Page 275 ldapdelete Option Description Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests. The ldapdelete tool can parse and display information from the response control if it is returned by a server;...
  • Page 276 Chapter 6. Command-Line Utilities Option Description Specifies that hostnames should be checked in SSL certificates. Specifies the SSL key password file that contains the token:password pair. Specifies the path, including the filename, of the private key database of the client. Either the absolute or relative (to the server root) path can be used.
  • Page 277 ldapdelete Option Description Specifies the password for the certificate database identified on the -P option. For example: -W serverpassword Specifies that SSL is to be used for the delete request. Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one.
  • Page 278: Additional Ldapdelete Options

    Chapter 6. Command-Line Utilities Option Description
    -o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user"
    Table 6.17. SASL Options
    See SASL Options for ldapsearch for information on how to use SASL options with ldapdelete.
    Additional ldapdelete Options
    Option Description Specifies that the utility must run in continuous operation mode.
  • Page 279: Ldappasswd

    ldappasswd Option Description -V 2 LDAPv3 is the default. An LDAPv3 operation cannot be performed against a Directory Server that only supports LDAPv2. Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes. For more information about proxied authorization, see the "Managing Access Control"...
  • Page 280 Chapter 6. Command-Line Utilities Option Description
    For example: -S new_password
    Specifies a file from which to read the new password. For example: -T new_password.txt
    Specifies a file from which to read the user's existing password. For example: -t old_password.txt
    Specifies the password associated with the distinguished name specified in the -D option.
  • Page 281 ldappasswd Option Description The ldappasswd tool can parse and display information from the response control if it is returned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with the appropriate value.
  • Page 282 Chapter 6. Command-Line Utilities Option Description When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be that of the certificate database for the browser. For example: -P /security/cert.db The client security files can also be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory.
  • Page 283 ldappasswd Option Description -ZZZ: Enforces the Start TLS request. The server must respond that the request was successful. If the server does not support Start TLS, such as when Start TLS is not enabled or the certificate information is incorrect, the command is aborted immediately.
  • Page 284 Chapter 6. Command-Line Utilities
    ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "cn=Directory Manager" -w admpassword -s new_password "uid=tuser1,ou=People,dc=example,dc=com"
    Example 6.1. Directory Manager Changing a User's Password Over SSL
    The Directory Manager generates the password of the user uid=tuser2,ou=People,dc=example,dc=com over SSL.
    ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "cn=Directory Manager"...
  • Page 285: Ldif

    ldif 6.8. ldif ldif automatically formats LDIF files and creates base-64 encoded attribute values. Base-64 encoding makes it possible to represent binary data, such as a JPEG image, in LDIF. Base-64 encoded data is represented using a double colon (::) symbol. For example: jpegPhoto:: encoded data In addition to binary data, other values that must be base-64 encoded can be identified by other symbols, including the following:...
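The rule that decides when a value must be written as `attr:: base64` rather than `attr: value` is the SAFE-STRING definition of RFC 2849, the LDIF specification: a value that begins with a space, a colon or a less-than sign, or that contains NUL, CR, LF or any non-ASCII byte, cannot be written literally, and long lines are folded at 76 columns with a single leading space on each continuation line. The following Python module is an added example and is not the ldif tool's own code; it applies that rule, base-64 encodes when required and folds long lines. Treating a trailing space as requiring encoding is this example's own conservative choice, not something the page states.

```python
"""Decide when an LDIF attribute value must be written base-64 encoded with the
'::' separator (RFC 2849 SAFE-STRING rules) and fold long lines at 76 columns.
Added example, not the ldif tool's code. The trailing-space rule in needs_base64
is this example's choice, not part of the RFC."""
import base64


def needs_base64(value: bytes) -> bool:
    """True if the value is not an RFC 2849 SAFE-STRING and must be written 'attr:: b64'."""
    if not value:
        return False
    if value[0] in b" :<":             # a leading space, colon or '<' is not SAFE-INIT-CHAR
        return True
    if value[-1] == 0x20:              # trailing space: legal but easily lost by readers (choice)
        return True
    return any(b in (0x00, 0x0a, 0x0d) or b > 0x7f for b in value)   # NUL, LF, CR, non-ASCII


def fold(line: str, width: int = 76) -> str:
    """Fold a long line; each continuation line starts with a single space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_attr(name: str, value) -> str:
    """One 'name: value' or 'name:: base64' line, folded as needed.
    value may be str (UTF-8 encoded first) or bytes (binary data such as jpegPhoto)."""
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    if needs_base64(raw):
        return fold("%s:: %s" % (name, base64.b64encode(raw).decode("ascii")))
    return fold("%s: %s" % (name, raw.decode("ascii")))


def ldif_entry(dn: str, attrs) -> str:
    """Render an entry; the DN follows the same rule ('dn::' for a non-ASCII DN)."""
    lines = [ldif_attr("dn", dn)]
    for name, values in attrs:
        for v in (values if isinstance(values, (list, tuple)) else [values]):
            lines.append(ldif_attr(name, v))
    return "\n".join(lines) + "\n"
```

The reverse direction matters for anyone consuming LDIF from an untrusted source: a reader that does not honour `::` will store the base-64 text as the value, and a reader that does not unfold continuation lines will split one value into several, so the same two rules have to be applied on input.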
  • Page 286: Dbscan

    Chapter 6. Command-Line Utilities Option Description inserted in the LDIF file. Otherwise, the file URL is appended as the attribute value rather than the contents of the file. Table 6.22. ldif Options 6.9. dbscan The dbscan tool analyzes and extracts information from a Directory Server database file. See Section 4.4, “Database Files”...
  • Page 287 dbscan NOTE The index file options, listed in Table 6.25, "Index File Options", are meaningful only when the database file is the secondary index file. Option Parameter Description Specifies the key to look up in the secondary index file. size Sets the maximum length of the dumped ID list.
  • Page 288 Chapter 6. Command-Line Utilities
    dbscan -r -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/vlv#bymccoupeopledcpeopledccom.db4
    Example 6.12. Displaying VLV Index File Contents
    dbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/c1a2fc02-1d11b2-8018afa7-fdce000_424c8a000f00.db4
    Example 6.13. Displaying the Changelog File Contents
    dbscan -R -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/uid.db4
    Example 6.14. Dumping the Index File uid.db4 with Raw Mode
    In this example, the common name key is =hr managers, and the equals sign (=) means the key is an equality index.
  • Page 289: Command-Line Scripts Quick Reference

    Chapter 7. Command-Line Scripts This chapter provides information on the scripts for managing Red Hat Directory Server, such as backing up and restoring the database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A, Using the ns-slapd Command-Line Utilities. 7.1.
  • Page 290 Chapter 7. Command-Line Scripts
    Shell Script / Description
    start-slapd: Starts Directory Server.
    stop-slapd: Stops Directory Server.
    suffix2instance: Maps a suffix to a backend name.
    verify-db.pl: Checks backend database files.
    vlvindex: Creates and generates virtual list view (VLV) indexes.
    Table 7.1. Shell Scripts in /usr/lib/dirsrv/slapd-instance_name or /usr/lib64/dirsrv/slapd-instance_name
    Perl Script / Description...
  • Page 291: Shell Scripts

    Shell Scripts
    Script Name / Description / Perl or Shell Script
    logconv.pl (Perl): Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events.
    migrate-ds-admin.pl (Perl): Migrates a Directory Server 7.1 instance to Directory Server 8.1.
  • Page 292: Bak2Db (Restores A Database From Backup)

    Chapter 7. Command-Line Scripts Section 7.3.8, “ldif2db (Import)” • Section 7.3.9, “ldif2ldap (Performs Import Operation over LDAP)” • Section 7.3.10, “monitor (Retrieves Monitoring Information)” • Section 7.3.12, “pwdhash (Prints Encrypted Passwords)” • Section 7.3.11, “repl-monitor (Monitors Replication Status)” • Section 7.3.13, “restart-slapd (Restarts the Directory Server)” •...
  • Page 293: Cl-Dump (Dumps And Decodes The Changelog)

    cl-dump (Dumps and Decodes the Changelog) For information on the equivalent Perl script, see Section 7.4.1, "bak2db.pl (Restores a Database from Backup)". For more information on restoring databases, see the "Populating Directory Databases" chapter in the Red Hat Directory Server Administrator's Guide. For more information on using filesystem replica initialization, see the "Managing Replication"...
  • Page 294: Db2Bak (Creates A Backup Of A Database)

    Chapter 7. Command-Line Scripts For information on the equivalent Perl script, see Section 7.4.2, "cl-dump.pl (Dumps and Decodes the Changelog)". 7.3.3. db2bak (Creates a Backup of a Database) Creates a backup of the current database contents. This script can be executed while the server is still running.
  • Page 295: Db2Index (Reindexes Database Index Files)

    db2index (Reindexes Database Index Files) Option Description Uses multiple files for storing the output LDIF, with each instance stored in instance filename (where filename is the filename specified for -a option). -n backendInstance Gives the instance to be exported. Specifies that the entry IDs are not to be included in the LDIF output.
  • Page 296: Dbverify (Checks For Corrupt Databases)

    Chapter 7. Command-Line Scripts db2index -n userRoot -t cn -t givenname • Reindex cn in the database where the root suffix is dc=example,dc=com: db2index -s "dc=example,dc=com" -t cn Options Option Description -n backendInstance Gives the name of the instance to be reindexed. -s includeSuffix Gives suffixes to be included or the subtrees to be included if -n has been used.
  • Page 297: Ds_Removal

    ds_removal Options Option Description -a path Gives the path to the database directory. If this option is not passed with the verify-db.pl command, then it uses the default database directory, /var/lib/dirsrv/slapd-instance_name/db. Table 7.8. dbverify Options For information on the equivalent Perl script, see Section 7.4.21, "verify-db.pl (Check for Corrupt Databases)".
  • Page 298 Chapter 7. Command-Line Scripts NOTE ldif2db supports LDIF version 1 specifications. An attribute can also be loaded using the :< URL specifier notation; for example: jpegphoto:< file:///tmp/myphoto.jpg Although the official notation requires three ///, the use of one / is accepted. For further information on the LDIF format, see the "Managing Directory Entries"...
  • Page 299: Ldif2Ldap (Performs Import Operation Over Ldap)

    ldif2ldap (Performs Import Operation over LDAP) Option Description -i ldifFile Gives the names of the input LDIF files. When multiple files are imported, they are imported in the order they are specified on the command line. -n backendInstance Gives the instance to be imported. Ensure that the specified instance corresponds to the suffix contained by the LDIF file;...
  • Page 300: Repl-Monitor (Monitors Replication Status)

    Chapter 7. Command-Line Scripts Section 6.8, "ldif". For more information on the ldapsearch command-line utility, see
    7.3.11. repl-monitor (Monitors Replication Status) Shows in-progress status of replication. repl-monitor is a shell script wrapper of repl-monitor.pl to set the appropriate library path. For more information on the Perl script, see Section 7.4.17, "repl-monitor.pl (Monitors Replication Status)".
  • Page 301: Configuration File Format

    repl-monitor (Monitors Replication Status) Configuration File Format The configuration file defines the following: • The connection parameters for connecting to the LDAP servers to get replication information; specifying this information is mandatory. • The server alias for more readable server names; specifying this information is optional. •...
  • Page 302: Pwdhash (Prints Encrypted Passwords)

    Chapter 7. Command-Line Scripts • host, port, and binddn can be replaced with relevant values or *, or omitted altogether. If host is null or *, the entry may apply to any host that does not have a dedicated entry in the file. If port is null or *, the port will default to the port stored in the current replication agreement.
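pwdhash prints a password in the hashed form the server stores in userPassword; the page only names the script, so the Python example below is added here and is not pwdhash's own code. It produces and verifies the {SSHA} form, the server's default salted SHA-1 storage scheme: the value is "{SSHA}" followed by the base-64 encoding of the 20-byte SHA-1 digest of password||salt with the salt appended. The 8-byte salt length is an assumption of this example; the verifier takes the salt from the stored value, so it also checks values made with another salt length. Its purpose is to make two things concrete that the script's output alone does not show: why two hashes of the same password differ, and why the comparison must be constant-time.

```python
"""Produce and verify a {SSHA} password value, the salted SHA-1 form Directory
Server stores for userPassword and that pwdhash prints. Added example, not
pwdhash's own code. Assumption: an 8-byte salt; the verifier reads the salt
length from the stored value, so other lengths verify as well."""
import base64
import hashlib
import hmac
import os

SALT_LEN = 8          # assumption; see module docstring
DIGEST_LEN = 20       # SHA-1 output size


def ssha_hash(password: str, salt: bytes = None) -> str:
    """{SSHA} + base64( SHA-1(password || salt) || salt ); a fresh salt per call."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str):
    """Return (digest, salt) from a {SSHA} value, or None if it is not one."""
    scheme, _, body = stored.partition("}")
    if not stored.startswith("{") or scheme.upper() != "{SSHA":
        return None
    blob = base64.b64decode(body)
    if len(blob) <= DIGEST_LEN:        # must carry at least one salt byte after the digest
        return None
    return blob[:DIGEST_LEN], blob[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute SHA-1(password || stored salt) and compare in constant time."""
    parts = ssha_split(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

Because the salt is random, `ssha_hash("secret12")` gives a different value each time, so two users with the same password do not share a hash and a precomputed table for unsalted SHA-1 is useless against the stored values. SHA-1 with a single iteration is still fast to brute-force offline, which is the reason to keep exported LDIF and database backups as protected as the live server.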
  • Page 303: Restart-Slapd (Restarts The Directory Server)

    restart-slapd (Restarts the Directory Server) 7.3.13. restart-slapd (Restarts the Directory Server) Restarts the Directory Server. Syntax restart-slapd Options There are no options for this script. Exit Status Exit Code Description Server restarted successfully. Server could not be started. Server restarted successfully but was already stopped.
  • Page 304: Start-Slapd (Starts The Directory Server)

    Chapter 7. Command-Line Scripts This script will only run if the server is running. Syntax saveconfig Options There are no options for this script. 7.3.16. start-slapd (Starts the Directory Server) Starts the Directory Server. Check that the server has actually started, for example with the ps command, because the script can return while the startup process is still in progress, which produces a confusing message.
  • Page 305: Suffix2Instance (Maps A Suffix To A Backend Name)

    suffix2instance (Maps a Suffix to a Backend Name) Exit Code Description Server could not be stopped. Server was already stopped. Table 7.15. stop-slapd Exit Status Codes 7.3.18. suffix2instance (Maps a Suffix to a Backend Name) Maps a suffix to a backend name. Syntax suffix2instance [ -s suffix ] Options...
  • Page 306: Perl Scripts

    Chapter 7. Command-Line Scripts Option Description described in the Directory Server Administrator's Guide. Define additional VLV tags by creating them in LDIF and adding them to Directory Server's configuration, as described in the Red Hat Directory Server Administrator's Guide. Red Hat recommends using the DN of the entry for which to accelerate the search sorting.
  • Page 307: Cl-Dump.pl (Dumps And Decodes The Changelog)

    cl-dump.pl (Dumps and Decodes the Changelog) Syntax bak2db.pl [ -v ] -D rootdn { -w password | -w - | -j filename } -a backupDirectory [ -t databaseType ] [ -n backend ] Options The script bak2db.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option.
  • Page 308: Db2Bak.pl (Creates A Backup Of A Database)

    Chapter 7. Command-Line Scripts Options Without the -i option, the script must be run when the Directory Server is running from a location from which the server's changelog directory is accessible. Option Description Dumps and interprets change sequence numbers (CSN) only. This option can be used with or without the -i option.
  • Page 309: Db2Index.pl (Creates And Generates Indexes)

    db2index.pl (Creates and Generates Indexes) Option Description -a dirName The directory where the backup files will be stored. The /var/lib/dirsrv/slapd-instance_name/bak directory is used by default. The backup file is named according to the year-month-day-hour format (YYYY_MM_DD_hhmmss). -D rootdn The user DN with root permissions, such as Directory Manager.
  • Page 310: Db2Ldif.pl (Exports Database Contents To Ldif)

    Chapter 7. Command-Line Scripts Option Description -T vlvAttributeName Gives the names of the VLV attributes to be reindexed. The name is the VLV index object's common name in cn=config. Verbose mode. -w password Gives the password associated with the user DN. -w - Prompts for the password associated with the user DN.
  • Page 311: Fixup-Memberof.pl (Regenerate Memberof Attributes)

    fixup-memberof.pl (Regenerate memberOf Attributes) Option Description The LDIF file which is created with db2ldif.pl can be imported using ldif2db.pl. When it is imported, if the -r option was used, then the database is automatically initialized as a replica. See Section 7.4.7, "ldif2db.pl (Import)" for information on importing an LDIF file.
  • Page 312: Ldif2Db.pl (Import)

    Chapter 7. Command-Line Scripts Option Description -w - Prompts for the password associated with the user DN. Table 7.23. fixup-memberof.pl Options 7.4.7. ldif2db.pl (Import) To run this script, the server must be running. The script creates an entry in the directory that launches this dynamic task.
  • Page 313: Logconv.pl (Log Converter)

    logconv.pl (Log Converter) Option Description are imported to the server, regardless of the options specified. -G namespaceId Generates a namespace ID as a name-based unique ID. This is the same as specifying the -g deterministic option. -i filename Specifies the filename of the input LDIF files. When multiple files are imported, they are imported in the order they are specified on the command line.
  • Page 314 Chapter 7. Command-Line Scripts • Number of deletes • Most frequent occurrence lists (optional) • Number of modified RDNs • Error and return codes • Persistent searches • Failed logins • Internal operations (with verbose logs) • Connection codes • Entry operations (with verbose logs) •...
  • Page 315 logconv.pl (Log Converter) Options Table 7.26, “logconv.pl Options” describes the logconv.pl command-line options. Option Description -d mgrDN Specifies the distinguished name (DN) of the Directory Manager in the logs being analyzed. This allows the tool to collect statistics for this special user.
  • Page 316 Chapter 7. Command-Line Scripts Option Description over the set of all logs, so all logs should pertain to the same Directory Server. The tool ignores any file with the name access.rotationinfo. Table 7.26. logconv.pl Options Table 7.27, “logconv.pl Options to Display Occurrences” describes the options that enable the optional lists of occurrences.
  • Page 317: Migrate-Ds.pl

    --oldsroot Required. This is the path to the server root directory in the old 7.1 Directory Server installation. The default path in 7.1 servers is /opt/redhat-ds/. --actualsroot This is used for migrating between two machines to specify the real path to the current server root directory in the old 7.1 Directory Server...
  • Page 318 In that case, the oldsroot parameter sets the directory from which the migration is run (such as machine_new:/migrate/opt/redhat-ds/), while the actualsroot parameter sets the server root (/opt/redhat-ds/). --instance This parameter specifies a specific instance to migrate.
  • Page 319: Migrate-Ds-Admin.pl

    migrate-ds-admin.pl Option Alternate Options Description of d's increases the debug level. --logfile name This parameter specifies a log file to which to write the output. If this is not set, then the migration information is written to a temporary file, named /tmp/migrateXXXXX.log.
  • Page 320 Chapter 7. Command-Line Scripts Option Alternate Options Description the old 7.1 Directory Server installation. The default path in 7.1 servers is /opt/redhat-ds/. --actualsroot This is used for migrating between two machines to specify the real path to the current server root directory in the old 7.1 Directory Server...
  • Page 321: Ns-Accountstatus.pl (Establishes Account Status)

    ns-accountstatus.pl (Establishes Account Status) Option Alternate Options Description new 8.1 databases. Changelog information is not migrated. If a supplier or hub is migrated, then all its replicas must be reinitialized. --debug -d[dddd] This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level.
  • Page 322: Ns-Activate.pl (Activates An Entry Or Group Of Entries)

    Chapter 7. Command-Line Scripts Option Description -w - Prompts for the password associated with the user DN. Opens the help page. Table 7.28. ns-accountstatus.pl Options 7.4.12. ns-activate.pl (Activates an Entry or Group of Entries) Activates an entry or group of entries. Syntax ns-activate.pl [ -D rootdn ] [ -w password | -w - | -j filename ] [ -p port ] [ -h host ] -I DN [ -? ]...
  • Page 323: Ns-Newpwpolicy.pl (Adds Attributes For Fine-Grained Password Policy)

    ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy) Options Option Description -D rootdn Specifies the Directory Server user DN with root permissions, such as Directory Manager. -h host Specifies the hostname of the Directory Server. The default value is the full hostname of the machine where Directory Server is installed.
  • Page 324: Register-Ds-Admin.pl

    Chapter 7. Command-Line Scripts Option Description -p port Specifies the Directory Server's port. The default value is 389 or the LDAP port of Directory Server specified at installation time. -S suffixDN Specifies the DN of the suffix entry that needs to be updated with subtree-level password policy attributes.
  • Page 325: Remove-Ds.pl

    remove-ds.pl Option Alternate Options Description a log file, set the file name to /dev/null. 7.4.16. remove-ds.pl The remove-ds.pl script removes a single instance of Directory Server. The server instance usually must be running when this script is run so that the script can bind to the instance. It is also possible to force the script to run, which may be necessary if there was an interrupted installation process or the instance is corrupted or broken so that it cannot run.
  • Page 326 Chapter 7. Command-Line Scripts Option Description used to connect to LDAP servers to get replication information. For more information about the configuration file, see Configuration File Format. -h host Specifies the initial replication supplier's host. The default value is the current hostname. -p port Specifies the initial replication supplier's port.
  • Page 327 repl-monitor.pl (Monitors Replication Status) [color] lowmark = color lowmark = color The connection section defines how this tool may connect to each LDAP server in the replication topology to get the replication-agreement information. The default binddn is cn=Directory Manager. Simple bind will be used unless bindcert is specified with the path of a certificate database. A server may have a dedicated or shared entry in the connection section.
  • Page 328: Schema-Reload.pl (Reload Schema Files Dynamically)

    Chapter 7. Command-Line Scripts C2 = host2.example.com:10022 [color] 0 = #ccffcc 5 = #FFFFCC 60 = #FFCCCC A shadow port can be set in the replication monitor configuration file. For example: host:port=shadowport:binddn:bindpwd:bindcert When the replication monitor finds a replication agreement that uses the specified port, it will use the shadow port to connect to retrieve statistics.
  • Page 329: Setup-Ds.pl

    setup-ds.pl Option Description -w password The password associated with the user DN. -w - Prompts for the password associated with the user DN. Table 7.33. schema-reload.pl Options 7.4.19. setup-ds.pl The setup-ds.pl script is used to create a Directory Server instance. Running this script with the -u option after the instances are configured updates the configuration with the latest installed packages.
  • Page 330: Setup-Ds-Admin.pl

    Chapter 7. Command-Line Scripts Option Alternate Options Description -d flag, increasing the number of d's increases the debug level. --keepcache This saves the temporary installation file (.inf) that is created when the register script is run. This file can then be reused for a silent setup.
  • Page 331 setup-ds-admin.pl Information can be passed with the script or in an .inf file. If no options are used, then setup-ds-admin.pl launches an interactive configuration program. Both the .inf parameters and command-line arguments are described in the silent configuration section of the Installation Guide. Syntax setup-ds-admin.pl [ --debug ] [ --silent ] [ --file=name ] [ --keepcache ] [ --log=name ] [ --update ] Options...
  • Page 332: Verify-Db.pl (Check For Corrupt Databases)

    Chapter 7. Command-Line Scripts Option Alternate Options Description the cleartext passwords supplied during setup. Use appropriate caution and protection with this file. --logfile name This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file.
  • Page 333 verify-db.pl (Check for Corrupt Databases) Options Option Description -a path Gives the path to the database directory. If this option is not passed with the verify-db.pl command, then it uses the default database directory, /var/lib/dirsrv/slapd-instance_name/db. Opens the help page. Table 7.34.
  • Page 335: A.2. Finding And Executing The Ns-Slapd Command-Line Utilities

    Appendix A. Using the ns-slapd Command-Line Utilities Chapter 7, Command-Line Scripts discussed the scripts for performing routine administration tasks on the Red Hat Directory Server (Directory Server). This appendix discusses the ns-slapd command-line utilities that can be used to perform the same tasks. The ns-slapd command-line utilities all perform server administration tasks, and, while it can be argued that they allow a greater degree of flexibility for users, Red Hat recommends using the Chapter 7, Command-Line Scripts...
  • Page 336 Appendix A. Using the ns-slapd Command-Line Utilities Option Description -d debugLevel Specifies the debug level to use during the db2ldif runtime. For further information, refer to Section 2.3.1.44, “nsslapd-errorlog-level (Error Level)”. -D configDir Specifies the location of the server configuration directory that contains the configuration information for the export process.
  • Page 337: A.4. Utilities For Restoring And Backing Up Databases: Ldif2Db

    Utilities for Restoring and Backing up Databases: ldif2db Option Description the configuration directory, do not exclude o=NetscapeRoot. Table A.1. db2ldif Options A.4. Utilities for Restoring and Backing up Databases: ldif2db Imports LDIF files to the database. Syntax ns-slapd ldif2db -D configDir -i ldifFile [ -d debugLevel ] [ -g string ] [ -n backendInstance ] [ -O ] [ -s includeSuffix ] [ -x excludeSuffix ] [ -E ] Enter the full path to the server configuration directory (configdir).
  • Page 338: A.5. Utilities For Restoring And Backing Up Databases: Archive2Db

    Appendix A. Using the ns-slapd Command-Line Utilities Option Description Use this option to import the same LDIF file into two different Directory Servers when the contents of both directories should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server, regardless of the options specified.
  • Page 339: A.6. Utilities For Restoring And Backing Up Databases: Db2Archive

    Utilities for Restoring and Backing up Databases: db2archive Options Option Description -D configDir Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
  • Page 340 Appendix A. Using the ns-slapd Command-Line Utilities Option Description Section 2.3.1.44, “nsslapd-errorlog-level (Error Level)”. -D configDir Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
  • Page 341 Glossary See ACI. access control instruction An instruction that grants or denies permissions to entries in the directory. access control instruction. See Also See ACL. access control list The mechanism for controlling access to your directory. access control list. See Also access rights In the context of access control, specify the level of access granted or denied.
  • Page 342 Glossary authentication (1) Process of proving the identity of the client user to the Directory Server. Users must provide a bind DN and either the corresponding password or certificate in order to be granted access to the directory. Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator.
  • Page 343 certificate A collection of data that associates the public keys of a network user with their DN in the directory. The certificate is stored in the directory as user object attributes. Certificate Authority Company or organization that sells and issues authentication certificates.
  • Page 344 Glossary A method for sharing attributes between entries in a way that is invisible to applications. CoS definition entry Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects. CoS template entry Contains a list of the shared attribute values.
  • Page 345 IP address for a hostname from a DNS server, or they look it up in tables maintained on their systems. DNS alias A DNS alias is a hostname that the DNS server knows points to a different host, specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases.
  • Page 346 Glossary hostname A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example and com domain. HTML Hypertext Markup Language. The formatting language used for documents on the World Wide Web.
  • Page 347 LDAP Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms. LDAPv3 Version 3 of the LDAP protocol, upon which Directory Server bases its schema format. LDAP client Software used to request and view LDAP entries from an LDAP Directory Server.
  • Page 348 Glossary See supplier. master SNMP master agent. master agent matching rule Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use. A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data that is unique with high probability and is mathematically extremely hard to produce;...
  • Page 349 Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, filesystems, and network parameters throughout a network of computers. Powerful workstation with one or more network management network management station.
  • Page 350 Glossary access rights. See Also Encoded messages which form the basis of data exchanges between protocol data unit. SNMP devices. Also pointer CoS A pointer CoS identifies the template entry using the template DN only. presence index Allows searches for entries that contain a specific indexed attribute. protocol A set of rules that describes how devices on a network exchange information.
  • Page 351 (2) In the context of replication, when a read-only replica receives an update request, it forwards it to the server that holds the corresponding read-write replica. This forwarding process is called a referral. read-only replica A replica that refers all update operations to read-write replicas. A server can hold any number of read-only replicas.
  • Page 352 Glossary schema checking Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default, and users will receive an error if they try to save an entry that does not conform to the schema.
  • Page 353 A software library establishing a secure connection between two parties (client and server) used to implement HTTPS, the secure Secure Sockets Layer. version of HTTP. Also called standard index index maintained by default. sub suffix A branch underneath a root suffix. SNMP subagent.
  • Page 354 Glossary topology The way a directory tree is divided among physical servers and how these servers link with one another. See TLS. Transport Layer Security A unique number associated with each user on a Unix system. Uniform Resource Locator. The addressing system used by the server and the client to request documents.
  • Page 355 Index T2 , 227 U1 , 227 contents, 217 Symbols abandon message (ABANDON) , 224 change sequence number (csn) , 224 00core.ldif connection description (conn) , 226 ldif files, 4 connection number (conn) , 219 01common.ldif elapsed time (etime) , 221 ldif files, 4 error number (err) , 220 05rfc2247.ldif...
  • Page 356 Index nsNoWrap, 112 nsPrintKey, 112 changelog nsUseId2Entry, 112 multi-master replication changelog, 69 nsUseOneFile, 111 changeLog, 72 configuration entry, 110 changelog configuration attributes cn=import changelogmaxentries, 71 attributes nsslapd-changelogdir, 70 nsExcludeSuffix, 108 nsslapd-changelogmaxage, 71 nsFilename, 107 changelog configuration entries nsImportChunkSize, 108 cn=changelog5, 69 nsImportIndexAttrs, 109 changeLogEntry, 119 nsIncludeSuffix, 108...
  • Page 357 nsTaskCurrentItem, 105 ldif2ldap , 285 nsTaskExitCode, 105 monitor, 285 nsTaskLog, 104 pwdhash , 288 nsTaskStatus, 104, 106 repl-monitor, 286 ttl, 106 restart-slapd , 289 entries, 103 restoreconfg , 289 task invocation configuration entries, 103 saveconfig , 289 cn=backup, 113 start-slapd , 290 cn=export, 110 stop-slapd, 290 cn=import, 104, 107...
  • Page 358 Index retro changelog plug-in configuration nsDS5ReplConflict, 79 attributes, 203 nsDS5ReplicaBindDN, 79 SASL configuration attributes, 98 nsDS5ReplicaBindMethod, 85 SNMP configuration attributes, 99 nsDS5ReplicaBusyWaitTime, 85 suffix configuration attributes, 77 nsDS5ReplicaChangeCount, 80 synchronization agreement attributes, 93 nsDS5ReplicaChangesSentSinceStartup, 86 task configuration attributes, 103 nsDS5ReplicaCredentials, 86 cn=backup, 113 nsDS5ReplicaHost, 86 cn=export, 110...
  • Page 359 nsslapd-accesslog-logexpirationtime, 13 nsslapd-errorlog-maxlogsize, 34 nsslapd-accesslog-logexpirationtimeunit, 13 nsslapd-errorlog-maxlogsperdir, 35 nsslapd-accesslog-logging-enabled, 13 nsslapd-errorlog-mode, 35 nsslapd-accesslog-logmaxdiskspace, 14 nsslapd-groupvalnestlevel, 36 nsslapd-accesslog-logminfreediskspace, 15 nsslapd-idletimeout, 36 nsslapd-accesslog-logrotationsync-enabled, 15 nsslapd-instancedir, 37 nsslapd-accesslog-logrotationsynchour, 15 nsslapd-ioblocktimeout, 37 nsslapd-accesslog-logrotationsyncmin, 16 nsslapd-lastmod, 37 nsslapd-accesslog-logrotationtime, 16 nsslapd-ldapiautobind, 38 nsslapd-accesslog-maxlogsize, 17 nsslapd-ldapientrysearchbase, 38 nsslapd-accesslog-maxlogsperdir, 17 nsslapd-ldapifilepath, 39 nsslapd-accesslog-mode, 18...
  • Page 360 Index nssnmpdescription, 100 reindexing index files, 281 nssnmpenabled, 99 database encryption nssnmplocation, 99 nsAttributeEncryption, 191 nssnmpmasterhost, 100 nsEncryptionAlgorithm, 191 nssnmpmasterport, 100 database files, 212 nssnmporganization, 99 database link plug-in configuration attributes nsSSL2 attribute, 74 nsAbandonCount, 202 nsSSL3 attribute, 75 nsAbandonedSearchCheckInterval, 195 nsSSL3ciphers attribute, 75 nsActiveChainingComponents, 193 nsSSLclientauth, 57...
  • Page 361 dbcachetries, 175 nsslapd-db-spin-count, 170 dbfilecachehit, 188 nsslapd-db-transaction-batch-val, 171 dbfilecachemiss, 189 nsslapd-db-trickle-percentage, 172 dbfilenamenumber, 188 nsslapd-db-txn-region-wait-rate, 185 dbfilepagein, 189 nsslapd-db-verbose, 172 dbfilepageout, 189 nsslapd-dbcachesize, 165 description, 186 nsslapd-dbncache, 172 nsIndexType, 187 nsslapd-directory, 173, 178 nsLookThroughLimit, 163 nsslapd-idlistscanlimit, 164 nsMatchingRule, 187 nsslapd-import-cache-autosize, 174 nsslapd-cache-autosize, 164 nsslapd-import-cachesize, 173 nsslapd-cache-autosize-split, 165...
  • Page 362 Index dbcachepageout attribute, 176 root password, 50 dbcacheroevict attribute, 176 specifying password storage scheme, 68 dbcacherwevict attribute, 176 encryption configuration attributes dbcachetries attribute, 175 nsSSL2, 74 dbfilecachehit attribute, 188 nsSSL3, 75 dbfilecachemiss attribute, 189 nsSSL3ciphers, 75 dbfilenamenumber attribute, 188 nsSSLclientauth, 74 dbfilepagein attribute, 189 nsSSLSessionTimeout, 74 dbfilepageout attribute, 189...
  • Page 363 additional options, 264 50ns-web.ldif, 5 commonly used options, 260 99user.ldif, 5 SASL options, 263 dse.ldif, 4 ssl options, 261 LDIF files, 214 syntax, 260 ldif2db ldapmodify command-line utility command-line shell script, 283 additional options, 258 quick reference, 275 commonly used options, 254 ldif2db.pl options, 254 command-line perl script, 298...
  • Page 364 Index command-line perl script, 308 nsDS5ReplicaLastInitStatus attribute, 87 quick reference, 276 nsDS5ReplicaLastUpdateEnd attribute, 88 ns-inactivate.pl nsDS5ReplicaLastUpdateStart attribute, 88 command-line perl script, 308 nsDS5ReplicaLastUpdateStatus attribute, 88 quick reference, 276 nsDS5ReplicaLegacyConsumer attribute, 80 ns-newpolicy.pl nsDS5ReplicaName attribute, 81 quick reference, 276 nsDS5ReplicaPort attribute, 89 ns-newpwpolicy.pl nsDS5ReplicaPurgeDelay attribute, 81 command-line perl script, 309...
  • Page 365 nsOperationConnectionCount attribute, 202 nsslapd-auditlog-logrotationtimeunit attribute, 24 nsOperationConnectionsLimit attribute, 197 nsslapd-auditlog-maxlogsize attribute, 24 nsPrintKey, 112 nsslapd-auditlog-maxlogsperdir attribute, 25 nsProxiedAuthorization attribute, 198 nsslapd-auditlog-mode attribute, 25 nsReferralOnScopedSearch attribute, 198 nsslapd-backend attribute, 77 nsRenameCount attribute, 202 nsslapd-cache-autosize attribute, 164 nsruvReplicaLastModified attribute, 93 nsslapd-cache-autosize-split attribute, 165 nsSaslMapBaseDNTemplate attribute, 98 nsslapd-cachememsize attribute, 177 nsSaslMapFilterTemplate attribute, 98...
  • Page 366 Index nsslapd-db-page-rw-evict-rate attribute, 185 nsslapd-localuser attribute, 42 nsslapd-db-page-size attribute, 170 nsslapd-maxbersize attribute, 42 nsslapd-db-page-trickle-rate attribute, 185 nsslapd-maxdescriptors attribute, 43 nsslapd-db-page-write-rate attribute, 185 nsslapd-maxsasliosize attribute, 44 nsslapd-db-pages-in-use attribute, 185 nsslapd-maxthreadsperconn attribute, 44 nsslapd-db-spin-count attribute, 170 nsslapd-mode attribute, 175 nsslapd-db-transaction-batch-val attribute, 171 nsslapd-nagle attribute, 45 nsslapd-db-trickle-percentage attribute, 172 nsslapd-outbound-ldap-io-timeout attribute, 45...
  • Page 367 nssnmpenabled attribute, 99 passwordGraceUserTime, 60 nssnmplocation attribute, 99 passwordHistory attribute, 60 nssnmpmasterhost attribute, 100 passwordInHistory attribute, 61 nssnmpmasterport attribute, 100 passwordLockout attribute, 61 nssnmporganization attribute, 99 passwordLockoutDuration attribute, 62 nsSSL2 attribute, 74 passwordMaxAge attribute, 62 nsSSL3 attribute, 75 passwordMaxFailure attribute, 63 nsSSL3ciphers attribute, 75 passwordMinAge attribute, 64 nsSSLclientauth attribute, 57, 74...
  • Page 368 Index nsAbandonedSearchCheckInterval, 195 nsslapd-db-debug, 167 nsActiveChainingComponents, 193 nsslapd-db-dirty-pages, 184 nsAddCount, 202 nsslapd-db-durable-transactions, 167 nsBindConnectionCount, 202 nsslapd-db-hash-buckets, 184 nsBindConnectionsLimit, 195 nsslapd-db-hash-elements-examine-rate, 184 nsBindCount, 202 nsslapd-db-hash-search-rate, 184 nsBindMechanism, 199 nsslapd-db-home-directory, 167 nsBindRetryLimit, 196 nsslapd-db-idl-divisor, 168 nsBindTimeout, 196 nsslapd-db-lock-conflicts, 184 nsCheckLocalACI, 196 nsslapd-db-lock-region-wait-rate, 184 nsCompareCount, 202 nsslapd-db-lock-request-rate, 184 nsConcurrentBindLimit, 197...
  • Page 369 nsslapd-require-index, 178 remove-ds.pl command-line script nsslapd-suffix, 179 options, 310, 311 nsSubStrBegin, 189 syntax, 311 nsSubStrEnd, 190 repl-monitor nsSubStrMiddle, 190 command-line shell script, 286 nsSystemIndex, 188 quick reference, 276 nsTimeLimit, 199 repl-monitor.pl nsTransmittedControls, 194 command-line perl script, 311 nsUnbindCount, 202 quick reference, 276 nsUseStartTLS, 201 replication agreement configuration attributes vlvBase, 179...
  • Page 370 Index nsState, 84 setup-ds.pl command-line script object classes, 78 options, 315 restart, 289 syntax, 315 restart-slapd slapd.conf file command-line shell script, 289 location of, 7 quick reference, 275 smart referrals restarting server ldapsearch option, 250 requirement for certain configuration changes, SNMP configuration attributes nssnmpcontact, 100 restoreconfig...
  • Page 371 nsds7DirectoryReplicaSubtree, 93 nsds7DirsyncCookie, 94 nsds7NewWinGroupSyncEnabled, 94 nsds7NewWinUserSyncEnabled, 94 nsds7WindowsDomain, 95 nsds7WindowsReplicaSubtre, 95 winSyncInterval, 95 targetDn, 73 totalConnections attribute, 96 trailing spaces in object class names, 51 ttl, 106 uniqueid generator configuration attributes nsState, 119 uniqueid generator configuration entries cn=uniqueid generator, 119 verify-db.pl command-line perl script, 318 quick reference, 275, 276...