Netscape DIRECTORY SERVER 6.01 Configuration Manual

Configuration, command, and file reference

Configuration, Command, and
File Reference
Netscape Directory Server
Version 6.01
January 2002

Summary of Contents for Netscape NETSCAPE DIRECTORY SERVER 6.01

  • Page 1 Configuration, Command, and File Reference Netscape Directory Server Version 6.01 January 2002...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents About This Reference Guide ........... . . 15 Directory Server Overview .
  • Page 4 Restrictions to Modifying Configuration Attributes ........31 Configuration Changes Requiring Server Restart .
  • Page 5 nsslapd-errorlog-logrotationtime (Error Log Rotation Time) ......53 nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) ....54 nsslapd-errorlog-maxlogsize (Maximum Error Log Size) .
  • Page 6 passwordMaxFailure (Maximum Password Failures) ........75 passwordMinAge (Password Minimum Age) ......... 75 passwordMinLength (Password Minimum Length) .
  • Page 7 nsDS5ReplicaChangesSentSinceStartup ..........93 nsDS5ReplicaCredentials .
  • Page 8 Configuration Quick Reference Tables ........... 104 LDIF Configuration Files .
  • Page 9 nsslapd-pluginEnabled ............. . 130 nsslapd-pluginId .
  • Page 10 nsslapd-require-index ............148 nsslapd-suffix .
  • Page 11 dbfilecachemiss ..............154 dbfilepagein .
  • Page 12 nsUnbindCount ..............167 nsCompareCount .
  • Page 13 Common Connection Codes ............186 LDAP Result Codes .
  • Page 14 Perl Scripts ................234 bak2db.pl (Restore database from backup) .
  • Page 15: About This Reference Guide

    About This Reference Guide Netscape Directory Server (Directory Server), version 6.x, is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 16: Prerequisite Reading

    Prerequisite Reading • SNMP Agent—Permits you to monitor Directory Server in real time using the Simple Network Management Protocol (SNMP). • Online backup and restore—Allows you to create backups and restore from backups while the server is running. Prerequisite Reading This reference guide does not describe many of the basic directory and architectural concepts that you need to successfully design, implement, and administer your directory service.
  • Page 17: Conventions Used In This Reference Guide

    Conventions Used In This Reference Guide This section explains the conventions used in this book. Monospaced font—This typeface is used for any text that appears on the computer screen or text that you should type. It is also used for filenames, functions, and examples.
  • Page 18 Related Information For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, check this site: http://enterprise.netscape.com/docs
  • Page 19: Chapter 1 Introduction

    Chapter 1 Introduction This chapter provides a brief overview of the configuration and administration utilities provided to manage the Netscape Directory Server (Directory Server). This chapter is divided into the following sections: • Overview of Directory Server Management (page 19) •...
  • Page 20: Directory Server Configuration

    Directory Server Configuration This reference manual deals with the other methods of managing the Directory Server, namely altering the server configuration attributes via the command line and using the command-line utilities. Directory Server Configuration The format and method for storing configuration information for Directory Server 6.x mark a significant change from previous versions of the Directory Server.
  • Page 21: Using Directory Server Command-Line Scripts

    Using Directory Server Command-Line Scripts In addition to these command-line utilities, Directory Server also provides ns-slapd and slapd.exe command-line utilities for performing directory operations as described in Appendix A, “Using the ns-slapd and slapd.exe Command-Line Utilities”. Using Directory Server Command-Line Scripts In addition to command-line utilities, several non-configurable scripts are provided with the Directory Server that make it quick and easy to perform routine server administration tasks from the command line.
  • Page 23: Chapter 2 Core Server Configuration Reference

    Chapter 2 Core Server Configuration Reference The configuration information for Netscape Directory Server (Directory Server) 6.x is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files.
  • Page 24 Server Configuration - Overview the features of the Directory Server 6.x are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax plug-in is contained in the entry: cn=Telephone Syntax,cn=plugins,cn=config...
  • Page 25: Ldif Configuration Files - Location

    Server Configuration - Overview LDIF Configuration Files - Location The Directory Server configuration data is automatically output to files in LDIF format that are located in the following directory: /usr/netscape/servers/slapd-serverID/config where serverID is the server identifier that you defined when you installed your Directory Server.
  • Page 26: Configuration Of Plug-In Functionality

    Server Configuration - Overview Code Example 2-1 on page 26 gives an example of part of the dse.ldif file for a Directory Server and shows, amongst other things, that schema checking has been turned on. This is represented by the attribute nsslapd-schemacheck, which takes the value...
  • Page 27: Configuration Of Databases

    Server Configuration - Overview Some of these attributes are common to all plug-ins and some may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an on the subtree.
  • Page 28: Migration Of Pre-Directory Server 6.X Configuration Files To Ldif Format

    Accessing and Modifying Server Configuration Migration of Pre-Directory Server 6.x Configuration Files to LDIF Format The Directory Server 6.x will only recognize configuration files that are in the LDIF format, which means that the slapd.conf and slapd.ldbm.conf configuration files from 4.x versions of Directory Server must be converted to LDIF format. Directory Server 4.x configurations can be migrated to the new LDIF format using the tool tool.
  • Page 29: Changing Configuration Attributes

    Accessing and Modifying Server Configuration Default ACIs in dse.ldif Code Example 2-3 aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators,ou=Groups, ou=TopologyManagement, o=NetscapeRoot";) aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";) aci: (targetattr = "*")(version 3.0;...
  • Page 30: Modifying Configuration Entries Using Ldap

    Accessing and Modifying Server Configuration NOTE If you edit the dse.ldif file you must stop the server beforehand, otherwise your changes will be lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. “Configuration Changes Requiring Server Restart,”...
  • Page 31: Restrictions To Modifying Configuration Entries

    Accessing and Modifying Server Configuration Previously we saw an example of the configuration entry for the Telephone Syntax plug-in where the plug-in is enabled. If you wanted to disable this feature you might use the following series of commands to implement this change. Code Example 2-4 Disabling the Telephone Syntax Plug-in ldapmodify -D bindDN -w password...
  • Page 32: Core Server Configuration Attributes Reference

    Core Server Configuration Attributes Reference This section guides you through all the core server functionality configuration attributes. For server functionality implemented via plug-ins, see the section “Configuration Quick Reference Tables,” on page 104. For implementing your own server functionality, contact Netscape Professional Services.
  • Page 33: Cn=Config

    Core Server Configuration Attributes Reference • cn=monitor • cn=replica • cn=replication • cn=SNMP • cn=tasks • cn=uniqueid generator The cn=plugins node is covered in the “Configuration Quick Reference Tables” section. We arrange the attributes alphabetically and provide a full description for each, giving the DN of its directory entry, its default value, the valid range of values, and an example of its use.
  • Page 34: Nsslapd-Accesscontrol (Enable Access Control)

    Core Server Configuration Attributes Reference nsslapd-accesscontrol (Enable Access Control) Turns access control on and off. If this attribute has a value , then any valid bind attempt (including an anonymous bind) results in full access to all information stored in the Directory Server. Entry DN cn=config Valid Range...
  • Page 35: Nsslapd-Accesslog-Level

    Core Server Configuration Attributes Reference Attributes in dse.ldif Value Logging enabled or disabled nsslapd-accesslog-logging-enabled Disabled nsslapd-accesslog empty string nsslapd-accesslog-logging-enabled Disabled nsslapd-accesslog filename Entry DN cn=config Valid Range Any valid filename. Default Value /usr/netscape/servers/slapd-serverID/logs/access DirectoryString Syntax Example nsslapd-accesslog: /usr/netscape/servers/slapd-serverID/logs/access nsslapd-accesslog-level Controls what is logged to the access log. Entry DN cn=config 0—No access logging...
  • Page 36: Nsslapd-Accesslog-List

    Core Server Configuration Attributes Reference nsslapd-accesslog-list This read-only attribute which cannot be set provides a list of access log files used in access log rotation. Entry DN cn=config Valid Range Default Value None Syntax DirectoryString Example nsslapd-accesslog-list:accesslog2,accesslog3 nsslapd-accesslog-logbuffering (Log Buffering) When set to , the server writes all access log entries directly to disk.
  • Page 37: Nsslapd-Accesslog-Logexpirationtimeunit (Access Log Expiration Time Unit)

    Core Server Configuration Attributes Reference nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit) Specifies the units for the nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire. Entry DN cn=config Valid Range month | week | day Default Value month DirectoryString...
  • Page 38: Nsslapd-Accesslog-Logmaxdiskspace (Access Log Maximum Disk Space)

    Core Server Configuration Attributes Reference Entry DN cn=config on | off Valid Range Default Value Syntax DirectoryString Example nsslapd-accesslog-logging-enabled: off nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space) Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume.
  • Page 39: Nsslapd-Accesslog-Logrotationtime (Access Log Rotation Time)

    Core Server Configuration Attributes Reference Syntax Integer Example nsslapd-accesslog-logminfreediskspace: 4 nsslapd-accesslog-logrotationtime (Access Log Rotation Time) Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units.
  • Page 40: Nsslapd-Accesslog-Maxlogsize (Access Log Maximum Log Size)

    Core Server Configuration Attributes Reference nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size) Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That is, the server starts writing log information to a new log file.
  • Page 41: Nsslapd-Attribute-Name-Exceptions

    Core Server Configuration Attributes Reference Syntax Integer Example nsslapd-accesslog-maxlogsperdir: 10 nsslapd-attribute-name-exceptions Allows non-standard characters in attribute names to be used for backwards compatibility with older servers. Entry DN cn=config Valid Range on | off Default Value Syntax DirectoryString Example nsslapd-attribute-name-exceptions: on nsslapd-auditlog (Audit Log) Specifies the pathname and filename of the log used to record changes made to each database.
  • Page 42: Nsslapd-Auditlog-List

    Core Server Configuration Attributes Reference Attributes in dse.ldif Value Logging enabled or disabled nsslapd-auditlog-logging-enabled Disabled nsslapd-auditlog empty string nsslapd-auditlog-logging-enabled Enabled nsslapd-auditlog filename nsslapd-auditlog-logging-enabled Disabled nsslapd-auditlog empty string nsslapd-auditlog-logging-enabled Disabled nsslapd-auditlog filename nsslapd-auditlog-list Provides a list of audit log files. Entry DN cn=config Valid Range Default Value...
  • Page 43: Nsslapd-Auditlog-Logexpirationtimeunit (Audit Log Expiration Time Unit)

    Core Server Configuration Attributes Reference nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit) Specifies the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire. Entry DN cn=config Valid Range month | week | day Default Value week DirectoryString...
  • Page 44: Nsslapd-Auditlog-Logmaxdiskspace (Audit Log Maximum Disk Space)

    Core Server Configuration Attributes Reference Attributes in dse.ldif Value Logging enabled or disabled nsslapd-auditlog-logging-enabled Disabled nsslapd-auditlog empty string nsslapd-auditlog-logging-enabled Disabled nsslapd-auditlog filename nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space) Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume.
  • Page 45: Nsslapd-Auditlog-Logrotationtime (Audit Log Rotation Time)

    Core Server Configuration Attributes Reference Example nsslapd-auditlog-logminfreediskspace: 3 nsslapd-auditlog-logrotationtime (Audit Log Rotation Time) Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units.
  • Page 46: Nsslapd-Auditlog-Maxlogsize (Audit Log Maximum Log Size)

    Core Server Configuration Attributes Reference nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size) Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That is, the server starts writing log information to a new log file.
  • Page 47: Nsslapd-Certmap-Basedn (Certificate Map Search Base)

    Core Server Configuration Attributes Reference Integer Syntax Example nsslapd-auditlog-maxlogsperdir: 10 nsslapd-certmap-basedn (Certificate Map Search Base) This attribute can be used when client authentication is performed using SSL certificates in order to avoid limitation of the security subsystem certificate mapping, configured in .
  • Page 48: Nsslapd-Enquote-Sup-Oc (Enable Superior Object Class Enquoting)

    Core Server Configuration Attributes Reference nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting) Controls whether quoting in the objectclasses attributes contained in the cn=schema entry will conform to the quoting specified by internet draft RFC 2252. By default, the Directory Server places single quotes around the superior object class identified on the attributes contained in .
  • Page 49: Nsslapd-Errorlog (Error Log)

    Core Server Configuration Attributes Reference nsslapd-errorlog (Error Log) Specifies the pathname and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they will contain informative conditions such as: •...
  • Page 50: Nsslapd-Errorlog-Level (Error Log Level)

    Core Server Configuration Attributes Reference nsslapd-errorlog-level (Error Log Level) Specifies the level of logging to be used by the Directory Server. The log level is additive; that is, specifying a value of 3 causes both levels 1 and 2 to be performed. To turn logging off, remove the attribute from nsslapd-errorlog-level...
  • Page 51: Nsslapd-Errorlog-List

    Core Server Configuration Attributes Reference nsslapd-errorlog-list This read-only attribute provides a list of error log files. Entry DN cn=config Valid Range None Default Value DirectoryString Syntax Example nsslapd-errorlog-list:errorlog2,errorlog3 nsslapd-errorlog-logexpirationtime (Error Log Expiration Time) Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units.
  • Page 52: Nsslapd-Errorlog-Logging-Enabled (Enable Error Logging)

    Core Server Configuration Attributes Reference nsslapd-errorlog-logging-enabled (Enable Error Logging) Turns error logging on and off. Entry DN cn=config Valid Range on | off Default Value DirectoryString Syntax Example nsslapd-errorlog-logging-enabled: on nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space) Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume.
  • Page 53: Nsslapd-Errorlog-Logminfreediskspace (Error Log Minimum Free Disk Space)

    Core Server Configuration Attributes Reference nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space) Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.
  • Page 54: Nsslapd-Errorlog-Logrotationtimeunit (Error Log Rotation Time Unit)

    Core Server Configuration Attributes Reference nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) Specifies the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, then the log will never expire. Entry DN cn=config Valid Range month | week | day | hour | minute Default Value week...
  • Page 55: Nsslapd-Errorlog-Maxlogsperdir (Maximum Number Of Error Log Files)

    Core Server Configuration Attributes Reference nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files) Specifies the total number of error logs that can be contained in the directory where the error log is stored. If you are using log file rotation, then each time the error log is rotated, a new log file is created.
  • Page 56: Nsslapd-Instancedir (Instance Directory)

    Core Server Configuration Attributes Reference nsslapd-instancedir (Instance Directory) Specifies the full path to the directory where this server instance is installed. The serverID from installation time is the default ID. Entry DN cn=config Any valid file path. Valid Range Default Value /usr/netscape/servers/slapd-serverID Syntax DirectoryString...
  • Page 57: Nsslapd-Listenhost (Listen To Ip Address)

    Core Server Configuration Attributes Reference • createtimestamp—The timestamp for when the entry was created in GMT format. Entry DN cn=config Valid Range on | off Default Value Syntax DirectoryString Example nsslapd-lastmod: off nsslapd-listenhost (Listen to IP Address) Allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine).
  • Page 58: Nsslapd-Localuser (Local User)

    Core Server Configuration Attributes Reference nsslapd-localuser (Local User) UNIX installations only. Specifies the user that the Directory Server runs as. The group that the user runs as is derived from this attribute, by examining the groups that the user is a member of. Should the user change, then all the files in the installation directory will need to be owned by this user.
  • Page 59 Core Server Configuration Attributes Reference This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server will try to use. A file descriptor is used whenever a client connects to the server, and for some server activities such as index maintenance. The number of available file descriptors for TCP/IP connections is the total for the nsslapd-maxdescriptors attribute minus the number of file descriptors used by...
  • Page 60: Nsslapd-Maxthreadsperconn (Maximum Threads Per Connection)

    Core Server Configuration Attributes Reference nsslapd-maxthreadsperconn (Maximum Threads Per Connection) Defines the maximum number of threads that a connection should use. For normal operations where a client binds and only performs one or two operations before unbinding, you should use the default value. For situations where a client binds and simultaneously issues many requests, you should increase this value to allow each connection enough resources to perform all the operations.
  • Page 61: Nsslapd-Plug-In

    Core Server Configuration Attributes Reference Entry DN cn=config Valid range 0 to the maximum 32 bit integer value (2147483647) Default value 300000 Syntax DirectoryString Example nsslapd-outbound-ldap-io-timeout: 300000 nsslapd-plug-in This read-only attribute lists the syntaxes and matching rules loaded by the server. nsslapd-port (Port Number) TCP/IP port number used for LDAP communications.
  • Page 62: Nsslapd-Readonly (Read Only)

    Core Server Configuration Attributes Reference Default Value Syntax DirectoryString Example nsslapd-privatenamespaces: cn=config nsslapd-readonly (Read Only) Specifies whether the whole server is in read-only mode, meaning that neither data in the database(s) nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.
  • Page 63: Nsslapd-Referralmode (Referral Mode)

    Core Server Configuration Attributes Reference NOTE If you want to use SSL and TLS communications, the Referral attribute should be in the following form: ldaps://server-location Start TLS does not support referrals. For more information on managing referrals, see Chapter 3, “Configuring Directory Databases”...
  • Page 64 Core Server Configuration Attributes Reference Most installations of Directory Server should never need to change this attribute. However, consider increasing the value on this attribute if all of the following are true: • The server is replicating to a large number of consumer servers (more than 10) and/or the server is maintaining a large number of index files (more than 30).
  • Page 65: Nsslapd-Return-Exact-Case (Return Exact Case)

    Core Server Configuration Attributes Reference ReplicationDescriptor: NSupplierReplica + 8 (where NSupplierReplica is number of replicas in the server that can act as a supplier (hub or master)). ChainingBackendDescriptors: NchainingBackend * nsOperationConnectionsLimit (where nsOperationConnectionsLimit is configurable in database link (chaining) configuration and 10 by default). PTADescriptors: 3 if PTA is configured, 0 if PTA is not configured. 5 (4 files + 1 listensocket) if SSL is configured, 0 if...
  • Page 66: Nsslapd-Rootdn (Manager Dn)

    Core Server Configuration Attributes Reference nsslapd-rootdn (Manager DN) Specifies the distinguished name of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory or resource limits in general. The attributes nsslapd-sizelimit , and do not apply to this DN either.
  • Page 67: Nsslapd-Rootpwstoragescheme (Root Password Storage Scheme)

    Core Server Configuration Attributes Reference Default Value Syntax DirectoryString {encryption_method} encrypted_Password Example nsslapd-rootpw: {SSHA}9Eko69APCJfF nsslapd-rootpwstoragescheme (Root Password Storage Scheme) Available only from the server console. This attribute indicates the encryption method used for the root password. Entry DN cn=config Valid Range Any encryption method as described in “passwordStorageScheme (Password Storage Scheme)”...
  • Page 68: Nsslapd-Securelistenhost

    Core Server Configuration Attributes Reference Entry DN cn=config on | off Valid Range Default Value Syntax DirectoryString Example nsslapd-schemacheck: on nsslapd-securelistenhost Allows multiple Directory Server instances to run, using secure SSL / TLS connections, on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine).
  • Page 69: Nsslapd-Security (Security)

    Core Server Configuration Attributes Reference Syntax Integer Example nsslapd-securePort: 636 nsslapd-security (Security) Specifies whether the Directory Server is to accept SSL/TLS communications on its encrypted port. This attribute should be set to , if you want secure connections. Entry DN cn=config Valid Range on | off...
  • Page 70: Nsslapd-Threadnumber (Thread Number)

    Core Server Configuration Attributes Reference Default Value 2000 Syntax Integer Example nsslapd-sizelimit: 2000 nsslapd-threadnumber (Thread Number) Defines the number of operation threads that the Directory Server will create during startup. The nsslapd-threadnumber value should be increased if you have many directory clients performing time-consuming operations such as add or modify, as this ensures that there are other threads available for servicing short-lived operations such as simple searches.
  • Page 71: Nsslapd-Versionstring

    Core Server Configuration Attributes Reference Entry DN cn=config Valid range -1 to the maximum 32 bit integer value (2147483647) in seconds Default value 3600 Syntax Integer Example nsslapd-timelimit: 3600 nsslapd-versionstring Specifies the server version number. Entry DN cn=config Valid range Any valid server version number.
  • Page 72: Passwordchecksyntax (Check Password Syntax)

    Core Server Configuration Attributes Reference passwordCheckSyntax (Check Password Syntax) Indicates whether the password syntax will be checked before the password is saved. The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any “trivial”...
  • Page 73: Passwordhistory (Password History)

    Core Server Configuration Attributes Reference passwordHistory (Password History) Enables password history. Password history refers to whether users are allowed to reuse passwords. By default, password history is disabled and users can reuse passwords. If you set this attribute to be on, the directory stores a given number of old passwords and prevents users from reusing any of the stored passwords.
  • Page 74: Passwordlockout (Account Lockout)

    Core Server Configuration Attributes Reference passwordLockout (Account Lockout) Indicates whether users will be locked out of the directory after a given number of failed bind attempts. By default, users will not be locked out of the directory after a series of failed bind attempts. If you enable account lockout, you can set the number of failed bind attempts after which the user will be locked out using the attribute.
  • Page 75: Passwordmaxage (Password Maximum Age)

    Core Server Configuration Attributes Reference passwordMaxAge (Password Maximum Age) Indicates the number of seconds after which user passwords will expire. To use this attribute, you must enable password expiration using the passwordExp attribute. For more information on password policies see Chapter 7, “User Account Management”...
  • Page 76: Passwordminlength (Password Minimum Length)

    Core Server Configuration Attributes Reference For more information on password policies see Chapter 7, “User Account Management” in the Netscape Directory Server Administrator’s Guide. passwordMinLength (Password Minimum Length) Specifies the minimum number of characters that must be used in Directory Server user password attributes.
  • Page 77: Passwordresetfailurecount (Reset Password Failure Count After)

    Core Server Configuration Attributes Reference passwordResetFailureCount (Reset Password Failure Count After) Indicates the amount of time in seconds after which the password failure counter will be reset. Each time an invalid password is sent from the user’s account, the password failure counter is incremented. If the passwordLockout attribute is set to on, users will be locked out of the directory when the counter reaches the...
  • Page 78: Passwordunlock (Unlock Account)

    Core Server Configuration Attributes Reference For more information on password policies see Chapter 7, “User Account Management” in the Netscape Directory Server Administrator’s Guide. passwordUnlock (Unlock Account) Indicates whether users will be locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout.
  • Page 79: Cn=Changelog5

    Core Server Configuration Attributes Reference cn=changelog5 Multi-master replication change log configuration entries are stored under the cn=changelog5 entry. The cn=changelog5,cn=config entry is an instance of the extensibleObject object class. For attributes to be taken into account by the server both of these object classes (in addition to the object class) must be present in the entry.
  • Page 80: Nsslapd-Changelogmaxage (Max Changelog Age)

    Core Server Configuration Attributes Reference nsslapd-changelogmaxage (Max Changelog Age) Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute will be removed.
  • Page 81: Cn=Encryption

    Core Server Configuration Attributes Reference cn=encryption Encryption related attributes are stored under the cn=encryption,cn=config entry. The cn=encryption,cn=config entry is an instance of the nsslapdEncryptionConfig object class. For encryption related attributes to be taken into account by the server this object class (in addition to the object class) must be present in the entry.
  • Page 82: Nsssl2

    Core Server Configuration Attributes Reference nsssl2 Supports SSL version 2. Entry DN cn=encryption,cn=config Valid Range on | off Default Value DirectoryString Syntax Example nsssl2: on nsssl3 Supports SSL version 3. Entry DN cn=encryption,cn=config on | off Valid Range Default Value Syntax DirectoryString Example...
  • Page 83 Core Server Configuration Attributes Reference For domestic versions, any combination of the following: Valid Range For SSLv3 rsa_null_md5 rsa_rc4_128_md5 rsa_rc4_40_md5 rsa_rc2_40_md5 rsa_des_sha rsa_fips_des_sha rsa_3des_sha rsa_fips_3des_sha For TLS tls_rsa_export1024_with_rc4_56_sha tls_rsa_export1024_with_des_cbc_sha Default Value DirectoryString Syntax + symbol to enable or - symbol to disable followed by the cipher(s). It is important to note that blank spaces are not allowed in the list of ciphers.
  • Page 84: Cn=Features

    Core Server Configuration Attributes Reference SSLv3 Ciphers (Continued) Table 2-2 Cipher in Console Corresponding SSLv3 Cipher rsa_des_sha DES (FIPS) rsa_fips_des_sha Triple-DES rsa_3des_sha Triple-DES (FIPS) rsa_fips_3des_sha If you are using the Directory Server Console to set the cipher preferences, the values on the TLS tab of the Cipher Preference dialog box correspond to the following: Table 2-3 TLS Ciphers...
  • Page 85: Suffix Configuration Attributes Under Cn="Dc=Example,Dc=Com

    Core Server Configuration Attributes Reference Suffix Configuration Attributes Under cn="dc=example,dc=com" Suffix configuration attributes are stored under the cn="dc=example,dc=com" entry. The cn="dc=example,dc=com" entry is an instance of the nsMappingTree object class which inherits from the extensibleObject object class. For suffix configuration attributes to be taken into account by the server these object classes (in addition to the object class) must be present in the entry.
  • Page 86: Replication Attributes Under Cn=Replica, Cn="Dc=Example,Dc=Com

    Core Server Configuration Attributes Reference Syntax: DirectoryString; Example: nsslapd-backend: NetscapeRoot. Replication Attributes Under cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config Replication configuration attributes are stored under cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config. The cn=replica entry is an instance of the nsDS5Replica object class. For replication configuration attributes to be taken into account by the server this object class (in addition to the object class) must be present in the entry.
  • Page 87: Nsds5Flags

    Core Server Configuration Attributes Reference nsDS5Flags This attribute allows you to specify replica properties you will have previously defined in flags. At present only one flag exists, which allows you to specify whether your log changes or not. Entry DN cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config Changelog activation...
  • Page 88: Nsds5Replicachangecount

    Core Server Configuration Attributes Reference nsDS5ReplicaChangeCount This read-only attribute informs you of the total number of entries in the change log (whether they still remain to be replicated or not). When the change log is purged only the entries that are still to be replicated will be left. See “nsDS5ReplicaPurgeDelay,”...
  • Page 89: Nsds5Replicaname

    Core Server Configuration Attributes Reference Syntax: DirectoryString; Example: nsDS5ReplicaLegacyConsumer: false. nsDS5ReplicaName This read-only attribute specifies the name of the replica with a unique identifier for internal operations. This unique identifier is allocated by the server when the replica is created. This attribute is destined for internal use only. Entry DN: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config...
  • Page 90: Nsds5Replicareferral

    Core Server Configuration Attributes Reference nsDS5ReplicaReferral This multi-valued attribute specifies the user-defined referrals. This should only be defined on a consumer. User referrals are only returned when a client attempts to modify data on a read-only consumer. Entry DN: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config; Any valid LDAP URL...
  • Page 91: Nsds5Replicatype

    Core Server Configuration Attributes Reference Example: nsDS5ReplicaTombstonePurgeInterval: 3600. nsDS5ReplicaType Defines the type of replication relationship that exists between this replica and the others. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config; Valid Range: 0 = unknown, 1 = primary (not yet used), 2 = consumer (read-only), 3 = consumer/supplier (updateable); Default Value Integer...
  • Page 92: Description

    Core Server Configuration Attributes Reference configuration attributes to be taken into account by the server this object class (in addition to the object class) must be present in the entry. Replication Agreements are configured only on supplier replicas. The replication agreement configuration attributes are presented in this section.
  • Page 93: Nsds5Replicabindmethod

    Core Server Configuration Attributes Reference nsDS5ReplicaBindMethod Specifies the method to use for binding. This attribute can be modified. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config; Valid Range: SIMPLE (This bind method requires a DN and password), SSLCLIENTAUTH; Default Value: SIMPLE; Syntax: DirectoryString; Example: nsDS5ReplicaBindMethod: SIMPLE. nsDS5ReplicaChangesSentSinceStartup...
  • Page 94: Nsds5Replicahost

    Core Server Configuration Attributes Reference Default Value: ; Syntax: DirectoryString {DES} encrypted_password; Example: nsDS5ReplicaCredentials: {DES} 9Eko69APCJfFReplica. nsDS5ReplicaHost Specifies the hostname for the remote server containing the consumer replica. Once this attribute has been set it cannot be modified. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config; Valid Range: Any valid host server name...
  • Page 95: Nsds5Replicalastinitstatus

    Core Server Configuration Attributes Reference Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config; Valid Range: ; Default Value: ; Syntax: GeneralizedTime; Example: nsDS5ReplicaLastInitStart: YYYYMMDDhhmmssZ (20000902160000). nsDS5ReplicaLastInitStatus This optional, read-only attribute provides status for the initialization of the consumer. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config; Valid Range: 0 (Consumer Initialization Succeeded) followed by any other status message.
  • Page 96: Nsds5Replicalastupdatestart

    Core Server Configuration Attributes Reference nsDS5ReplicaLastUpdateStart This read-only attribute states when the most recent replication schedule update started. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config; Valid Range: ; Default Value: ; Syntax: GeneralizedTime; Example: nsDS5ReplicaLastUpdateStart: YYYYMMDDhhmmssZ (20000902160000). nsDS5ReplicaLastUpdateStatus This read-only attribute provides the status for the most recent replication schedule updates.
  • Page 97: Nsds5Replicarefresh

    Core Server Configuration Attributes Reference Syntax: Integer; Example: nsDS5ReplicaPort: 389. nsDS5ReplicaRefresh Allows you to initialize your replica. This attribute is absent by default. However, if you add this attribute with a value of start then the server reinitializes the replica and removes the attribute value.
  • Page 98: Nsds5Replicatransportinfo

    Core Server Configuration Attributes Reference You can find out the amount of time the operation actually lasted by examining the access log on the remote machine and then set the attribute nsDS5ReplicaTimeout accordingly to optimize performance. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config; Valid Range: 0 to maximum integer value (2147483647) in seconds; Default Value...
  • Page 99: Nsds5Replicaupdateschedule

    Core Server Configuration Attributes Reference Syntax: DirectoryString; Example: nsDS5ReplicaUpdateInProgress:true. nsDS5ReplicaUpdateSchedule This multi-valued attribute specifies the replication schedule and can be modified. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config; Valid Range: Time schedule presented as XXXX-YYYY 012345 where XXXX is the starting hour, YYYY is the finishing hour and the numbers 0123456 are the days of the week starting with Sunday.
  • Page 100: Currentconnections

    Core Server Configuration Attributes Reference currentConnections Number of current Directory Server connections. totalConnections Total number of Directory Server connections. dTableSize Size of the Directory Server descriptor table. readWaiters Number of connections where some requests are pending and not currently being serviced by a thread in Directory Server.
  • Page 101: Backendmonitordn

    Core Server Configuration Attributes Reference backendMonitorDN DN for each Directory Server backend. For further database monitoring information see “Database Attributes Under cn=monitor,cn=ldbm database, cn=plugins,cn=config” on page 145, “Database Attributes Under cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config” on page 149, “Database Attributes Under cn=monitor,cn=Netscaperoot,cn=ldbm database,cn=plugins,cn=config” on page 154 and “Database Link Attributes Under cn=monitor,cn=database instance name,cn=chaining database, cn=plugins,cn=config”...
  • Page 102: Nssnmplocation

    Core Server Configuration Attributes Reference Entry DN: cn=SNMP,cn=config; Valid Range: Organization name; Default Value: ; Syntax: DirectoryString; Example: nssnmporganization: netscape. nssnmplocation Specifies the location within the company or organization where the Directory Server resides. Entry DN: cn=SNMP,cn=config; Valid Range: Location; Default Value: ; Syntax: DirectoryString; Example...
  • Page 103: Nssnmpmasterhost

    Core Server Configuration Attributes Reference Entry DN: cn=SNMP,cn=config; Valid Range: Description; Default Value: ; Syntax: DirectoryString; Example: nssnmpdescription: Employee directory instance. nssnmpmasterhost This mandatory attribute specifies the hostname of the machine on which the master agent is installed. For UNIX only. Entry DN: cn=SNMP,cn=config; machine hostname or local host...
  • Page 104: Cn=Uniqueid Generator

    Configuration Quick Reference Tables cn=uniqueid generator The uniqueid generator configuration attributes are stored under cn=uniqueid generator,cn=config. The cn=uniqueid generator entry is an instance of the extensible object class. For uniqueid generator configuration attributes to be taken into account by the server this object class (in addition to the object class) must be present in the entry.
  • Page 105 Configuration Quick Reference Tables Table 2-4 Directory Server Configuration LDIF Files. Configuration Filename | Purpose: dse.ldif | Contains front-end Directory Specific Entries created by the directory at server startup. These include the Root DSE (""), and the contents of cn=config and cn=monitor. 00core.ldif | Contains LDAPv3 standard operational schema, such as “subschemaSubentry,”...
  • Page 106 Configuration Quick Reference Tables Table 2-4 Directory Server Configuration LDIF Files (Continued). Configuration Filename | Purpose: 50ns-certificate.ldif | Schema for Netscape Certificate Management System. 50ns-compass.ldif | Schema used by Netscape Compass Server to define personal interest profiles. 50ns-delegated-admin.ldif | Schema used by Netscape Delegated Administrator 4.5.
  • Page 107: Configuration Changes Requiring Server Restart

    Configuration Quick Reference Tables Table 2-4 Directory Server Configuration LDIF Files (Continued). Configuration Filename | Purpose: 50ns-wcal.ldif | Schema for Netscape Web Calendaring. 50ns-web.ldif | Schema for Netscape Web Server. 99user.ldif | User-defined schema maintained by Directory Server replication consumers which contains the attributes and object classes from the suppliers. Configuration Changes Requiring Server Restart Table 2-5 lists the configuration attributes that cannot be altered dynamically, while the server is still running.
  • Page 108 Configuration Quick Reference Tables Table 2-5 Configuration changes requiring server restart (Continued). Configuration attribute | Action requiring restart: cn=encryption,cn=config:nssslclientauth | Enabling or disabling client authentication. cn=encryption,cn=config:nssslsessiontimeout | Changing the lifetime of an SSL session.
  • Page 109: Chapter 3 Plug-In Implemented Server Functionality Reference

    Chapter 3 Plug-in Implemented Server Functionality Reference This chapter serves as a plug-in implemented server functionality reference and is divided into the following sections: • Overview (page 109) • Server Plug-in Functionality Reference (page 110) • List of Attributes Common to all Plug-ins (page 129) •...
  • Page 110: Object Classes For Plug-In Configuration

    Server Plug-in Functionality Reference

        dn: cn=Telephone Syntax,cn=plugins,cn=config
        objectclass: top
        objectclass: nsSlapdPlugin
        objectclass: extensibleObject
        cn: Telephone Syntax
        nsslapd-pluginPath: /usr/ipalnet/servers/lib/syntax-plugin.so
        nsslapd-pluginInitfunc: tel_init
        nsslapd-pluginType: syntax
        nsslapd-pluginEnabled: on

    shows us some of the plug-in configuration attributes. Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an on the...
  • Page 111: 7-Bit Check Plug-In

    Server Plug-in Functionality Reference 7-bit check Plug-in. Plug-in Name: 7-bit check (NS7bitAtt); DN of Configuration Entry: cn=7-bit check,cn=plugins,cn=config; Description: Checks certain attributes are 7-bit clean; Configurable Options: on | off; Default Setting: ; Configurable Arguments: list of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur...
  • Page 112: Acl Preoperation Plug-In

    Server Plug-in Functionality Reference ACL preoperation Plug-in. Plug-in Name: ACL preoperation; DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config; Description: ACL access check plug-in; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: database; Performance Related Information: None; Further Information: Chapter 6, “Managing Access Control” in the Netscape Directory Server Administrator’s Guide.
  • Page 113: Boolean Syntax Plug-In

    Server Plug-in Functionality Reference Boolean Syntax Plug-in. Plug-in Name: Boolean Syntax; DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config; Description: Syntax for handling booleans; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
  • Page 114: Case Ignore String Syntax Plug-In

    Server Plug-in Functionality Reference Case Ignore String Syntax Plug-in. Plug-in Name: Case Ignore String Syntax; DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config; Description: Syntax for handling case-insensitive strings; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance: Do not modify the configuration of this plug-in.
  • Page 115: Class Of Service Plug-In

    Server Plug-in Functionality Reference Class of Service Plug-in. Plug-in Name: Class of Service; DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config; Description: Allows for sharing of attributes between entries; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance: Do not modify the configuration of this plug-in.
  • Page 116: Distinguished Name Syntax Plug-In

    Server Plug-in Functionality Reference Distinguished Name Syntax Plug-in. Plug-in Name: Distinguished Name Syntax; DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config; Description: Syntax for handling DNs; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
  • Page 117: Integer Syntax Plug-In

    Server Plug-in Functionality Reference Plug-in Name: Generalized Time Syntax; Further Information: The Generalized Time String consists of the following: four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second and a time zone indication.
  • Page 118: Ldbm Database Plug-In

    Server Plug-in Functionality Reference Plug-in Name: Internationalization Plugin; Default Setting: ; Configurable Arguments: The Internationalization has one argument which must not be modified: /usr/netscape/servers/slapd-serverID/config/slapd-collations.conf This directory stores the collation orders and locales used by the internationalization plug-in. Dependencies: None; Do not modify the configuration of this plug-in.
  • Page 119: Legacy Replication Plug-In

    Server Plug-in Functionality Reference Legacy Replication Plug-in. Plug-in Name: Legacy Replication plug-in; DN of Configuration Entry: cn=Legacy Replication plug-in,cn=plugins,cn=config; Description: Enables Directory Server 6.x to be a consumer of a 4.1 supplier; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None. This plug-in can be disabled if the server is not (and never will be) a consumer of a 4.x server.
  • Page 120: Octet String Syntax Plug-In

    Server Plug-in Functionality Reference Octet String Syntax Plug-in. Plug-in Name: Octet String Syntax; DN of Configuration Entry: cn=Octet String Syntax,cn=plugins,cn=config; Description: Syntax for handling octet strings; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
  • Page 121: Crypt Password Storage Plug-In

    Server Plug-in Functionality Reference CRYPT Password Storage Plug-in. Plug-in Name: CRYPT; DN of Configuration Entry: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config; Description: CRYPT password storage scheme used for password encryption; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
  • Page 122: Sha Password Storage Scheme Plug-In

    Server Plug-in Functionality Reference Plug-in Name: NS-MTA-MD5; Further Information: You can no longer choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for reasons of backward compatibility, i.e. if the data in your directory still contains passwords encrypted with the NS-MTA-MD5 password storage scheme.
  • Page 123: Postal Address String Syntax Plug-In

    Server Plug-in Functionality Reference Plug-in Name: SSHA; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times. Further Information: Chapter 7, “User Account Management”...
  • Page 124: Pta Plug-In

    Server Plug-in Functionality Reference PTA Plug-in. Plug-in Name: Pass-Through Authentication Plugin; DN of Configuration Entry: cn=Pass Through Authentication,cn=plugins,cn=config; Description: Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. Configurable Options: on | off; Default Setting: ; Configurable Arguments: ldap://example.com:389/o=example...
  • Page 125: Retro Changelog Plug-In

    Server Plug-in Functionality Reference Plug-in Name: Referential Integrity Postoperation; Configurable Arguments: When enabled the post operation Referential Integrity plug-in performs integrity updates on the member, uniquemember, owner and seeAlso attributes immediately after a delete or rename operation. You can reconfigure the plug-in to perform integrity checks on all other attributes.
  • Page 126: Roles Plug-In

    Server Plug-in Functionality Reference Plug-in Name: Retro Changelog Plugin; Configurable Options: on | off; Default Setting: ; Configurable Arguments: See “Retro Changelog Plug-in Attributes,” on page 167 for further information on the two configuration attributes for this plug-in. Dependencies: None; Performance: May slow down Directory Server performance.
  • Page 127: Telephone Syntax Plug-In

    Server Plug-in Functionality Reference Telephone Syntax Plug-in. Plug-in Name: Telephone Syntax; DN of Configuration Entry: cn=Telephone Syntax,cn=plugins,cn=config; Description: Syntax for handling telephone numbers; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
  • Page 128: Uri Plug-In

    Server Plug-in Functionality Reference Plug-in Name: UID Uniqueness plug-in; Configurable Arguments: Enter the following arguments: "DN" "DN"... if you want to check for UID attribute uniqueness in all listed subtrees. However, enter the following arguments: attribute="uid" MarkerObjectclass = "ObjectClassName" and optionally requiredObjectClass = "ObjectClassName"...
  • Page 129: List Of Attributes Common To All Plug-Ins

    List of Attributes Common to all Plug-ins Plug-in Name: URI Syntax; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times. Further Information: ; List of Attributes Common to all Plug-ins This list provides a brief attribute description, the Entry DN, valid range, default...
  • Page 130: Nsslapd-Plugintype

    List of Attributes Common to all Plug-ins Default Value: None; Syntax: DirectoryString; Example: nsslapd-pluginInitfunc:NS7bitAttr_Init. nsslapd-pluginType Specifies the plug-in type. See “nsslapd-plugin-depends-on-type” on page 132 for further information. Entry DN: cn=plug-in name,cn=plugins,cn=config; Valid Range: Any valid plug-in type; Default Value: None; Syntax: DirectoryString; Example...
  • Page 131: Nsslapd-Pluginid

    List of Attributes Common to all Plug-ins nsslapd-pluginId Specifies the plug-in ID. Entry DN: cn=plug-in name,cn=plugins,cn=config; Valid Range: Any valid plug-in ID; Default Value: None; Syntax: DirectoryString; Example: nsslapd-pluginId: chaining database. nsslapd-pluginVersion Specifies the plug-in version. Entry DN: cn=plug-in name,cn=plugins,cn=config; Valid Range: Any valid plug-in version; Default Value...
  • Page 132: Nsslapd-Plugindescription

    Attributes Allowed by Certain Plug-ins nsslapd-pluginDescription Provides a description of the plug-in. Entry DN: cn=plug-in name,cn=plugins,cn=config; Valid Range: ; Default Value: None; Syntax: DirectoryString; Example: nsslapd-pluginDescription: acl access check plug-in. Attributes Allowed by Certain Plug-ins nsslapd-plugin-depends-on-type Multi-valued attribute, used to ensure that plug-ins are called by the server in the correct order.
  • Page 133: Nsslapd-Plugin-Depends-On-Named

    Database Plug-in Attributes nsslapd-plugin-depends-on-named Multi-valued attribute, used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the value of a plug-in. The plug-in whose value matches one of the following values will be started by the server prior to this plug-in.
  • Page 134: Database Attributes Under Cn=Config,Cn=Ldbm Database,Cn=Plugins,Cn=Config

    Database Plug-in Attributes All plug-in technology used by the database instances is stored in the cn=ldbm database plug-in node. This section presents the additional attribute information for each of the nodes in bold in the cn=ldbm database,cn=plugins,cn=config information tree. Database Attributes Under cn=config,cn=ldbm database,cn=plugins,cn=config Global configuration attributes common to all instances are stored in the...
  • Page 135: Nsslapd-Cache-Autosize

    Database Plug-in Attributes However, as tuning this attribute is a complex task and can severely degrade performance, it is advisable to keep the default value. For a more detailed explanation of the All IDs Threshold see Chapter 10, “Managing Indexes” in the Netscape Directory Server Administrator’s Guide.
  • Page 136: Nsslapd-Dbcachesize

    Database Plug-in Attributes Default Value: 66 (This will not necessarily optimize your operations); Syntax: Integer; Example: nsslapd-cache-autosize-split: 66. nsslapd-dbcachesize This performance tuning related attribute specifies database cache size. Note that this is neither the index cache nor the entry cache. If you activate automatic cache resizing, you override this attribute, by replacing these values with its own guessed values at a later stage of the server startup.
  • Page 137: Nsslapd-Db-Circular-Logging

    Database Plug-in Attributes dse.ldif. To change the checkpoint interval, you add the attribute to dse.ldif. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, see Chapter 14, “Tuning Directory Server Performance” in the Netscape Directory Server Administrator’s Guide. This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Netscape engineering staff and Netscape Professional Services.
  • Page 138: Nsslapd-Db-Durable-Transactions

    Database Plug-in Attributes nsslapd-db-durable-transactions Indicates whether database transactions log entries are immediately written to the disk. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. With durable transactions enabled, every directory change will always be physically recorded in the log file and therefore be able to be recovered in the event of a system failure.
  • Page 139 Database Plug-in Attributes If your Solaris host seems excessively slow and your database cache size is around 100 MB or more, then you can use the iostat utility to diagnose the problem. Use iostat to monitor the activity of the disk where the Directory Server’s database files are stored.
  • Page 140: Nsslapd-Db-Idl-Divisor

    Database Plug-in Attributes nsslapd-db-idl-divisor Specifies the index block size in terms of the number of blocks per database page. The block size is calculated by dividing the database page size by the value of this attribute. A value of 1 makes the block size exactly equal to the page size. The default value of 0 sets the block size to the page size minus an estimated allowance for internal database overhead.
  • Page 141: Nsslapd-Db-Logdirectory

    Database Plug-in Attributes Example nsslapd-db-logbuf-size: 32K nsslapd-db-logdirectory Specifies the path and directory name of the directory containing the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. By default, the database transaction log is stored in the same directory as the directory entries themselves, .
  • Page 142: Nsslapd-Db-Page-Size

    Database Plug-in Attributes nsslapd-db-page-size Specifies the size of the pages used to hold items in the database in bytes. The minimum size is 512 bytes and the maximum size is 64K bytes. If the page size is not explicitly set, Directory Server defaults to a page size of 8K bytes. Changing this default value can have significant performance impact.
  • Page 143: Nsslapd-Db-Transaction-Logging

    Database Plug-in Attributes NOTE The nsslapd-db-transaction-batch-val attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on. For more information on database transaction logging, see Chapter 12, “Monitoring Server and Database Activity” in the Netscape Directory Server Administrator’s Guide. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config; Valid Range: 0 to 30...
  • Page 144: Nsslapd-Dbncache

    Database Plug-in Attributes nsslapd-dbncache This attribute allows you to split the ldbm cache into equally sized separate pieces of memory. It is possible to specify caches that are large enough so that they cannot be allocated contiguously on some architectures, e.g., some releases of Solaris limit the amount of memory that may be allocated contiguously by a process.
  • Page 145: Nsslapd-Mode

    Database Plug-in Attributes nsslapd-mode Specifies the permissions used for newly created index files. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config; Valid Range: Any four-digit octal number. However, mode 0600 is recommended. This allows read and write access for the owner of the index files (which is the user that ns-slapd runs as), and no access for other users.
  • Page 146: Dbcacheroevict

    Database Plug-in Attributes dbcacheroevict Clean pages forced from the cache. dbcacherwevict Dirty pages forced from the cache. Database Attributes Under cn=NetscapeRoot,cn=ldbm database, cn=plugins,cn=config and cn=UserRoot,cn=ldbm database, cn=plugins,cn=config The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for, or if we prefer, the definition of, the databases containing the o=NetscapeRoot suffixes respectively.
  • Page 147: Nsslapd-Cachememsize

    Database Plug-in Attributes Syntax: Integer; Example: nsslapd-cachesize: -1. nsslapd-cachememsize This performance tuning related attribute specifies the cache size in terms of available memory space. Limiting cachesize in terms of memory occupied is the simplest method. By activating automatic cache resizing you override this attribute, replacing these values with its own guessed values at a later stage of the server startup.
  • Page 148: Nsslapd-Readonly

    Database Plug-in Attributes nsslapd-readonly Specifies Read Only permission rights. If this attribute has a value of , then the user has all read, write, and execute permissions. Entry DN: cn=Netscaperoot,cn=ldbm database,cn=plugins,cn=config or cn=UserRoot,cn=ldbm database,cn=plugins,cn=config; Valid Range: on | off; Default Value: ; Syntax: DirectoryString; Example...
  • Page 149: Database Attributes Under Cn=Database,Cn=Monitor,Cn=Ldbm Database, Cn=Plugins,Cn=Config

    Database Plug-in Attributes Valid Range: Any valid DN; Default Value: ; Syntax: DirectoryString; Example: nsslapd-suffix: o=Netscaperoot. Database Attributes Under cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config The attributes in this tree node entry are all read-only, database performance counters. All of the values for these attributes are 32-bit integers. nsslapd-db-abort-rate Number of transactions that have been aborted.
  • Page 150: Nsslapd-Db-Commit-Rate

    Database Plug-in Attributes nsslapd-db-commit-rate Number of transactions that have been committed. nsslapd-db-deadlock-rate Number of deadlocks detected. nsslapd-db-dirty-pages Dirty pages currently in the cache. nsslapd-db-hash-buckets Number of hash buckets in buffer hash table. nsslapd-db-hash-elements-examine-rate Total number of hash elements traversed during hash table lookups. nsslapd-db-hash-search-rate Total number of buffer hash table lookups.
  • Page 151: Nsslapd-Db-Log-Region-Wait-Rate

    Database Plug-in Attributes nsslapd-db-log-region-wait-rate Number of times that a thread of control was forced to wait before obtaining the region lock. nsslapd-db-log-write-rate Number of megabytes and bytes written to this log. nsslapd-db-longest-chain-length Longest chain ever encountered in buffer hash table lookups. nsslapd-db-page-create-rate Pages created in the cache.
  • Page 152: Cn=Plugins,Cn=Config

    Database Plug-in Attributes Database Attributes Under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config The set of default indexes is stored here. Default indexes are configured per backend in order to optimize Directory Server functionality for the majority of set up scenarios. All indexes, except system essential ones, can be removed, but care should be taken so as not to cause unnecessary disruptions.
  • Page 153: Nsmatchingrule

    Database Plug-in Attributes Valid Range: pres = presence index, eq = equality index, approx = approximate index, sub = substring index, matching rule = international index, index browse = browsing index; Default Value: ; Syntax: DirectoryString; Example: nsindextype: eq. nsMatchingRule This optional, multivalued attribute specifies the collation order object identifier (OID) required for the Directory Server to operate international indexing.
  • Page 154: Description

    Database Plug-in Attributes description This non-mandatory attribute provides a free-hand text description of what the index actually performs. Entry DN cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config Valid Range None Default Value Syntax DirectoryString Example description:substring index Database Attributes Under cn=monitor,cn=Netscaperoot,cn=ldbm database,cn=plugins,cn=config Global, read-only entries for monitoring activity on the NetscapeRoot database. These attributes containing database statistics are given for each file that makes up your database.
  • Page 155: Dbfilepageout

    Database Plug-in Attributes dbfilepageout Number of pages for this file written from cache to disk. Database Attributes Under cn=index,cn=Netscaperoot,cn=ldbm database, cn=plugins,cn=config and cn=index,cn=UserRoot,cn=ldbm database, cn=plugins,cn=config In addition to the set of default indexes that are stored under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config, custom indexes can be created for and are stored under...
  • Page 156: Database Link Plug-In Attributes (Chaining Attributes)

    Database Link Plug-in Attributes (chaining attributes) dn:cn=aci,cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=confi objectclass:top objectclass:nsIndex cn=aci nssystemindex:true nsindextype:pres For details regarding the five possible indexing attributes see the section “Database Attributes Under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config,” on page 152. For further information about indexes see Chapter 10, “Managing Indexes” in the Netscape Directory Server Administrator’s Guide.
  • Page 157: Database Link Attributes Under Cn=Config,Cn=Chaining Database, Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=config,cn=chaining database, cn=plugins,cn=config Global configuration attributes common to all instances are stored in the cn=config,cn=chaining database,cn=plugins,cn=config tree node. nsActiveChainingComponents: Lists the components using chaining. A component is any functional unit in the server.
  • Page 158: Nsmaxtestresponsedelay

    Database Link Plug-in Attributes (chaining attributes) nsMaxTestResponseDelay This error detection, performance related attribute specifies the duration of the test issued by the database link to check whether the remote server is responding. If a response from the remote server is not returned before this period has passed, the database link assumes the remote server is down and the connection is not used for subsequent operations.
  • Page 159: Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=default instance config,cn=chaining database,cn=plugins,cn=config Default instance configuration attributes for instances are housed in the cn=default instance config,cn=chaining database,cn=plugins,cn=config tree node. nsAbandonedSearchCheckInterval Number of seconds that pass before the server checks for abandoned operations. Entry DN cn=default instance config,cn=chaining database, cn=plugins,cn=config...
  • Page 160: Nsbindretrylimit

    Database Link Plug-in Attributes (chaining attributes) nsBindRetryLimit Contrary to what the name suggests, this attribute does not specify the number of times a database link retries to bind with the remote server, but the number of times it tries to bind with the remote server. A value of 0 here indicates that the database link will only attempt to bind once.
  • Page 161: Nsconcurrentbindlimit

    Database Link Plug-in Attributes (chaining attributes)

    Syntax: DirectoryString
    Example: nschecklocalaci: on

    nsConcurrentBindLimit

    Maximum number of concurrent bind operations per TCP connection.

    Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config
    Valid Range: 1 to 25 binds
    Default Value:
    Syntax: Integer
    Example: nsconcurrentbindlimit:10

    nsConcurrentOperationsLimit

    Specifies the maximum number of concurrent operations allowed.
  • Page 162: Nsoperationconnectionslimit

    Database Link Plug-in Attributes (chaining attributes) Entry DN cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range 0 to limitless seconds (where 0 means forever) Default Value Syntax Integer Example nsconnectionlife: 0 nsOperationConnectionsLimit Maximum number of LDAP connections the database link establishes with the remote server.
  • Page 163: Nsreferralonscopedsearch

    Database Link Plug-in Attributes (chaining attributes) nsReferralOnScopedSearch Controls whether or not referrals are returned by scoped searches. This attribute allows you to optimize your directory, because returning referrals in response to scoped searches is more efficient. Entry DN cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range on | off...
  • Page 164: Database Link Attributes Under Cn=Database Link Instance Name,Cn=Chaining Database, Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=database link instance name,cn=chaining database, cn=plugins,cn=config This information node stores the attributes concerning the server containing the data. A farm server is a server which contains data on databases. This attribute can contain optional servers for failover, separated by spaces.
  • Page 165: Nsmultiplexorcredentials

    Database Link Plug-in Attributes (chaining attributes) Example nsMultiplexerBindDN: cn=proxy manager nsMultiplexorCredentials Password for the administrative user, given in plain text. If no password is provided, it means that users can bind as anonymous. The password is encrypted in the configuration file. Please note that the example below is what you view, not what you type.
  • Page 166: Database Link Attributes Under Cn=Monitor,Cn=Database Instance Name, Cn=Chaining Database,Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=monitor,cn=database instance name,cn=chaining database, cn=plugins,cn=config Attributes used for monitoring activity on your instances are stored in the cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config information tree. nsAddCount Number of add operations received. nsDeleteCount Number of delete operations received.
  • Page 167: Nsunbindcount

    Retro Changelog Plug-in Attributes nsUnbindCount Number of unbinds received. nsCompareCount Number of compare operations received. nsOperationConnectionCount Number of open connections for normal operations. nsBindConnectionCount Number of open connections for bind operations. Retro Changelog Plug-in Attributes Two different types of changelogs are maintained by Directory Server 6.x. The first type, referred to as changelog, is used by multi-master replication and the second changelog, which is in fact a plug-in referred to as retro changelog, is intended for use by LDAP clients for maintaining application compatibility with Directory...
  • Page 168: Nsslapd-Changelogmaxage (Max Changelog Age)

    Retro Changelog Plug-in Attributes

    NOTE For performance reasons you will probably want to store this database on a different physical disk.

    Entry DN: cn=Retro Changelog Plugin,cn=plugins,cn=config
    Valid Range: Any valid path to the directory
    Default Value: None
    Syntax: DirectoryString
    Example: nsslapd-changelogdir: /var/slapd-serverID/changelog

    nsslapd-changelogmaxage (Max Changelog Age)

    Specifies the maximum age of any entry in the change log.
  • Page 169: Chapter 4 Server Instance File Reference

    Chapter 4 Server Instance File Reference This chapter provides an overview of the files stored under /usr/netscape/servers/slapd-serverID. Having an overview of the files and configuration information stored in each instance of Netscape Directory Server (Directory Server) should help you understand the file changes or absence of file changes which occur in the course of directory activity.
  • Page 170 Overview of Directory Server Files Code Example 4-1 on page 170 shows the contents of /usr/netscape/servers/slapd-serverID where directories are marked with a and scripts are marked with an . See Chapter 8, “Command-Line Scripts” for further information on command-line scripts. Code Example 4-1 Contents of /usr/netscape/servers/slapd-serverID directory...
  • Page 171: Backup Files

    Backup Files Each Directory Server instance contains the following three directories for storing backup related files: • - contains a directory dated with the time and date of your database backup, for example 2001_02_13_174524/, which in turn holds your database backup copy.
  • Page 172 Database Files • log.xxxxxxxxxx files are used to store the transaction logs per database • DBVERSION - used for storing the version of the database. • NetscapeRoot - this directory stores the o=NetscapeRoot database created by default at Typical installation. •...
  • Page 173: Ldif Files

    ldif Files Each Directory Server instance contains the ldif directory for storing related ldif files. Code Example 4-4 on page 173 shows a sample listing of the ldif directory contents. Code Example 4-4 Contents of a sample ldif directory ../ European.ldif Example.ldif Example-roles.ldif The following list describes the content of each of the ldif files: •...
  • Page 174: Log Files

    Log Files Each Directory Server instance contains a logs directory for storing log related files. Code Example 4-6 on page 174 shows a sample listing of the logs directory contents. Code Example 4-6 Contents of a sample logs directory access.20010126-120123 audit errors.rotationinfo...
  • Page 175: Chapter 5 Access Log And Connection Code Reference

    Chapter 5 Access Log and Connection Code Reference Netscape Directory Server (Directory Server) 6.x provides you with logs to help you monitor directory activity. Monitoring allows you to quickly detect and remedy failures and where done proactively, anticipate and resolve potential problems before they result in failure or poor performance.
  • Page 176: Access Logging Levels

    Access Log Content • bind record • bind result record • sequence of operation request / operation result pairs of records (or individual records in the case of connection, closed and abandon records) • unbind record • closed record Every line begins with a timestamp - [21/Apr/2001:11:39:51 -0700] - the format of which may vary depending on which platform you are using, where -0700 indicates the time difference in relation to GMT.
  • Page 177: Default Access Logging Content

    Access Log Content For example, if you want to log internal access operations, entry access and referrals you would insert a value of 516 (512+4) in the nsslapd-accesslog-level configuration attribute. For further information on other access log configuration attributes see Chapter 2, “Core Server Configuration Reference”. Default Access Logging Content This section describes the access log content in detail based on the default access logging level extract in Code Example 5-1.
  • Page 178: Connection Number

    Access Log Content

    Code Example 5-1 Access Log Extract with Default Access Logging Level (level 256)

    [21/Apr/2001:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000
    [21/Apr/2001:11:39:53 -0700] conn=13 op=3 EXT oid="2.16.840.1.113730.3.5.5"
    [21/Apr/2001:11:39:53 -0700] conn=13 op=3 RESULT err=0 tag=120 nentries=0 etime=0
    [21/Apr/2001:11:39:53 -0700] conn=13 op=4 UNBIND
    [21/Apr/2001:11:39:53 -0700] conn=13 op=4 fd=659 closed - U1
    [21/Apr/2001:11:39:55 -0700] conn=14 fd=700 slot=700 connection...
  • Page 179: Operation Number

    Access Log Content Operation Number To process a given LDAP request, Directory Server will perform the required series of operations. For a given connection, all operation request and operation result pairs are given incremental operation numbers beginning with op=0 to identify the distinct operations being performed.
  • Page 180: Number Of Entries

    Access Log Content tag=105 for a result from an add operation; tag=107 for a result from delete operation; tag=109 for a result from a moddn operation; tag=111 for a result from a compare operation; tag=115 indicates a search reference when the entry you perform your search on holds a referral to the entry you require.
  • Page 181: Ldap Response Type

    Access Log Content LDAP Response Type The LDAP response type indicates the LDAP response being issued by the LDAP client. Possible values are: RESULT = result; ENTRY = entry; REFERRAL = referral or search reference. Unindexed Search Indicator The unindexed search indicator, notes=U, indicates that the search performed was unindexed, which means that the database itself had to be directly searched instead of the index file.
  • Page 182: Change Sequence Number

    Access Log Content Table 5-1 LDAPv3 Extended Operations supported by Directory Server (Continued) Directory Server 6.x Replication Response (OID 2.16.840.1.113730.3.5.4): Sent by a replication responder in response to a Start Replication Request Extended Operation or an End Replication Request Extended Operation. Directory Server 6.x End Replication Sent to indicate that a 2.16.840.1.113730.3.5.5...
  • Page 183: Abandon Message

    Access Log Content Abandon Message The abandon message, in this case [21/Apr/2001:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0, indicates that an operation has been aborted, where nentries=0 indicates the number of entries sent before the operation was aborted, etime=0 value indicates how much time (in seconds) had elapsed, and...
  • Page 184: Access Log Content For Additional Access Logging Levels

    Access Log Content NOTE Note also that the authenticated DN (the DN used for access control decisions) is now logged in the BIND result line as opposed to the bind request line as was previously the case: [21/Apr/2001:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=coulbeck,dc=example,dc=com"...
  • Page 185 Access Log Content Code Example 5-2 Access Log Extract with Entry Access and Referral Logging Level (Level 512)

    [12/Jul/2001:16:43:02 +0200] conn=306 fd=60 slot=60 connection from 127.0.0.1 to 127.0.0.1
    [12/Jul/2001:16:43:02 +0200] conn=306 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(description=*)" attrs=ALL
    [12/Jul/2001:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Special Users,dc=example,dc=com"...
  • Page 186: Connection Description

    Common Connection Codes Access log level 4 enables logging for internal operations which log the following items in addition to the details of the search being performed, including search base, scope, filter, and requested search attributes. Connection Description The connection description, in this case conn=Internal, indicates that the connection is an internal connection.
  • Page 187: Ldap Result Codes

    LDAP Result Codes B1=Corrupt BER tag encountered. If BER tags, which encapsulate data being sent over the wire, are corrupt when they are received, a connection code is logged to the access log. BER tags can be corrupted due to physical layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results.
  • Page 188 LDAP Result Codes LDAP Result Codes (Continued) Table 5-2 REFERRAL (LDAP v3) ADMIN_LIMIT_EXCEEDED (LDAP v3) UNAVAILABLE_CRITICAL_EXTENSION (LDAP v3) CONFIDENTIALITY_REQUIRED (LDAP v3) SASL_BIND_IN_PROGRESS NO_SUCH_ATTRIBUTE UNDEFINED_ATTRIBUTE_TYPE INAPPROPRIATE_MATCHING CONSTRAINT_VIOLATION ATTRIBUTE_OR_VALUE_EXISTS INVALID_ATTRIBUTE_SYNTAX NO_SUCH_OBJECT ALIAS_PROBLEM INVALID_DN_SYNTAX IS_LEAF ALIAS_DEREFERENCING_PROBLEM INAPPROPRIATE_AUTHENTICATION INVALID_CREDENTIALS INSUFFICIENT_ACCESS_RIGHTS BUSY UNAVAILABLE UNWILLING_TO_PERFORM LOOP_DEFECT NAMING_VIOLATION OBJECT_CLASS_VIOLATION NOT_ALLOWED_ON_NONLEAF...
  • Page 189 LDAP Result Codes LDAP Result Codes (Continued) Table 5-2 OTHER SERVER_DOWN LDAP_TIMEOUT PARAM_ERROR CONNECT_ERROR LDAP_NOT_SUPPORTED CONTROL_NOT_FOUND NO_RESULTS_RETURNED MORE_RESULTS_TO_RETURN CLIENT_LOOP REFERRAL_LIMIT_EXCEEDED Chapter 5 Access Log and Connection Code Reference...
  • Page 191: Chapter 6 Migration From Earlier Versions

    Chapter 6 Migration from Earlier Versions This chapter is intended to provide a reference of the information migrated by the migrateInstance6 script. In the case of migration from a 4.x Netscape Directory Server (Directory Server) to a 5.0 or 6.x Directory Server, it describes the mapping of configuration parameters to configuration attributes and configuration entries in the new Directory Server.
  • Page 192: Server Attributes

    Migration from 4.x Directory Server to 6.x Server Attributes In Directory Server 4.1, 4.11, 4.12, and 4.13, configuration parameters are stored in the slapd.conf file under the /usr/netscape/server4/slapd-serverID directory. The corresponding configuration attributes in Directory Server 6.x are stored in the entry.
  • Page 193 Migration from 4.x Directory Server to 6.x Table 6-1 Mapping of Legacy Server Parameters to Configuration Attributes (Continued)

    | Legacy Configuration Parameter | Directory Server Configuration Attribute |
    | --- | --- |
    | loglevel | nsslapd-error-loglevel |
    | errorlog-logexpirationtime | nsslapd-errorlog-logexpirationtime |
    | errorlog-logexpirationtimeunit | nsslapd-errorlog-logexpirationtimeunit |
    | errorlog-maxlogdiskspace | nsslapd-errorlog-logmaxdiskspace |
    | errorlog-minfreediskspace | nsslapd-errorlog-logminfreediskspace |
    | errorlog-logrotationtime | nsslapd-errorlog-logrotationtime |
    | errorlog-logrotationtimeunit | nsslapd-errorlog-logrotationtimeunit |
    | errorlog-maxlogsize | nsslapd-errorlog-maxlogsize |
    | errorlog-maxlogsperdir | nsslapd-errorlog-maxlogsperdir |

    ...
  • Page 194 Migration from 4.x Directory Server to 6.x Table 6-1 Mapping of Legacy Server Parameters to Configuration Attributes (Continued)

    | Legacy Configuration Parameter | Directory Server Configuration Attribute |
    | --- | --- |
    | pw_inhistory | passwordinHistory |
    | pw_lockout | passwordLockout |
    | pw_lockduration | passwordLockoutDuration |
    | pw_maxage | passwordMaxAge |
    | pw_maxfailure | passwordMaxFailure |
    | pw_minage | passwordMinAge |
    | pw_minlength | passwordMinLength |
    | pw_must_change | passwordMustChange |
    | pw_reset_failurecount | passwordResetFailureCount |

    ...
  • Page 195: Database Attributes

    Migration from 4.x Directory Server to 6.x Database Attributes In Directory Server 4.1, 4.11, 4.12, and 4.13, database parameters are stored in the slapd.ldbm.conf file under the /usr/netscape/server4/slapd-serverID directory. Because one instance of Directory Server 5.0 or 6.x can manage several databases, the corresponding attributes in Directory Server 5.0 or 6.x are stored in a general entry for all databases (cn=config,cn=ldbm database,cn=plugins,cn=config...
  • Page 196: Upgrade From Directory Server 5.0 To 6.X

    Upgrade from Directory Server 5.0 to 6.x In Directory Server 5.0 and 6.x configuration information is stored in the same way. This section explains which configuration attributes are automatically migrated by the migrateInstance6 script, and which ones are not. Attributes which are not automatically migrated are either configured during the installation process for the new Directory Server, or need to be configured manually for security reasons after...
  • Page 197 Upgrade from Directory Server 5.0 to 6.x Attributes in cn=config Automatically Migrated (Continued) Table 6-4 nsslapd-attribute_name_exceptions nsslapd-auditlog-logexpirationtime nsslapd-auditlog-logexpirationtimeunit nsslapd-auditlog-logmaxdiskspace nsslapd-auditlog-logminfreediskspace nsslapd-auditlog-logrotationtime nsslapd-auditlog-logrotationtimeunit nsslapd-auditlog-maxlogsize nsslapd-auditlog-maxlogsperdir nsslapd-certmap-basedn nsslapd-ds4-compatible-schema nsslapd-enquote_sup_oc nsslapd-errorlog-level nsslapd-errorlog-logexpirationtime nsslapd-errorlog-logexpirationtimeunit nsslapd-errorlog-logmaxdiskspace nsslapd-errorlog-logminfreediskspace nsslapd-errorlog-logrotationtime nsslapd-errorlog-logrotationtimeunit nsslapd-errorlog-maxlogsize nsslapd-errorlog-maxlogsperdir nsslapd-groupevalnestlevel nsslapd-idletimeout nsslapd-ioblocktimeout nsslapd-lastmod nsslapd-listenhost nsslapd-maxdescriptors (Not applicable on NT and AIX platforms) nsslapd-nagle...
  • Page 198 Upgrade from Directory Server 5.0 to 6.x Attributes in cn=config Automatically Migrated (Continued) Table 6-4 nsslapd-plugin-depends-on-name nsslapd-plugin-depends-on-type nsslapd-referral nsslapd-reservedescriptors (Not applicable on NT and AIX platforms) nsslapd-rootpwstoragescheme nsslapd-schemacheck nsslapd-securePort nsslapd-security nsslapd-sizelimit nsslapd-SSL3ciphers nsslapd-timelimit passwordChange passwordCheckSyntax passwordExp passwordExpirationTime passwordHistory passwordInHistory passwordLockout passwordLockoutDuration passwordMaxAge passwordMaxFailure...
  • Page 199 Upgrade from Directory Server 5.0 to 6.x Table 6-5 Attributes in cn=config not Migrated

    | Attribute Name | Reason for not Migrating Automatically |
    | --- | --- |
    | nsslapd-localhost | Already set up. |
    | nsslapd-localuser | Configured during the installation process. |
    | nsslapd-port | Configured during the installation process. |
    | nsslapd-rootdn | Configured during the installation process. |
    | nsslapd-rootpw | Configured during the installation process. |
  • Page 200: Database Attributes

    Upgrade from Directory Server 5.0 to 6.x Database Attributes All general database configuration attributes are automatically migrated. These attributes are stored in the entry cn=config,cn=ldbm database,cn=plugins,cn=config, and are listed in Table 6-6. Database-specific attributes are stored in entries of the form cn=database instance .
  • Page 201: Database Link Attributes

    Upgrade from Directory Server 5.0 to 6.x Database-Specific Attributes not Migrated (Continued) Table 6-8 Attribute Name Reason for not Migrating Automatically nsslapd-db-checkpoint-interval This attribute is provided only for system modification/diagnostics and should be changed only under guidance from Netscape Technical Support.
  • Page 202: Snmp Attributes

    Upgrade from Directory Server 5.0 to 6.x Default Instance Database Link Attributes Automatically Migrated Table 6-10 nsBindTimeout nsBindRetryLimit nsHopLimit nsmaxresponsedelay nsmaxtestresponsedelay nsCheckLocalACI nsConcurrentBindLimit nsConcurrentOperationsLimit nsConnectionLife nsOperationConnectionslimit nsProxiedAuthorization nsReferralOnScopedSearch nsslapd-sizelimit nsslapd-timelimit SNMP Attributes All SNMP configuration attributes are automatically migrated. These attributes are stored in the entry , and are listed in Table 6-11.
  • Page 203: Chapter 7 Command-Line Utilities

    Chapter 7 Command-Line Utilities This chapter contains reference information on command-line utilities provided by Netscape Directory Server (Directory Server) 6.x that allow you to access and modify entries. These command-line utilities make it easy to perform administration tasks on the Directory Server. This chapter is divided into the following sections: •...
  • Page 204: Command-Line Utilities Quick Reference

    Command-Line Utilities Quick Reference CAUTION In order to execute the command-line utilities you must change to the directory where the command-line utilities are stored. Although it is possible to set command-path and library-path variables to execute the utilities, this is not the recommended procedure because you run the risk, particularly when you have more than one server version installed, not only of disrupting the correct execution of other utilities, but also of compromising the security of the system.
  • Page 205: Using Special Characters

    Using Special Characters When using the ldapsearch command-line utility, you may need to specify values that contain characters that have special meaning to the command-line interpreter (such as space [ ], asterisk [*], backslash [\], and so forth). When this situation occurs, enclose the value in quotation marks ("").
  • Page 206: Ldapsearch

    ldapsearch ldapsearch A configurable utility that allows you to locate and retrieve directory entries via LDAP. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on a specified search filter.
  • Page 207 ldapsearch Specifies the maximum number of seconds to wait for a search request to complete. Regardless of the value specified here, ldapsearch will never wait longer than is allowed by the server’s nsslapd-timelimit attribute. For example, -l 300. The default value for the nsslapd-timelimit attribute is 3,600 seconds.
  • Page 208 ldapsearch SSL options You can use the following command-line options to specify that ldapsearch use LDAPS when communicating with your SSL-enabled Directory Server. You also use these options if you want to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured for your Directory Server.
  • Page 209 ldapsearch Specifies the password for the private key database identified in the -P option. For example, -W serverpassword Specifies that SSL is to be used for the search request. Additional ldapsearch Options To further customize a search, use the following optional options: Specifies that the search retrieve the attributes only, not the attribute values.
  • Page 210 ldapsearch Character set. Specifies the character set to use for command line input. The default is the character set specified in the LANG environment variable. You might want to use this option to perform the conversion from the specified character set to UTF8, thus overriding the environment variable setting. Using this argument, you can input the bind DN, base DN, and the search filter pattern in the specified character set.
  • Page 211: Ldapmodify

    ldapmodify Specifies the attribute to use as the sort criteria. For example, -S sn. You can use multiple -S arguments if you want to further define the sort order. In the following example, the search results will be sorted first by surname and then by given name: -S sn -S givenname The default is not to sort the returned entries.
  • Page 212 ldapmodify Commonly Used ldapmodify options To modify an entry or entries in an existing directory, use the ldapmodify command-line utility with the following options: Allows you to add LDIF entries to the directory without requiring the changetype:add LDIF update statement. This provides a simplified method of adding entries to the directory.
  • Page 213 ldapmodify SSL options You can use the following command-line options to specify that ldapmodify is to use LDAP over SSL (LDAPS) when communicating with your Directory Server. LDAPS encrypts data during transit. You also use these options if you want to use certificate-based authentication.
  • Page 214 ldapmodify Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as JPEG.
  • Page 215: Ldapdelete

    ldapdelete Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes. For more information about proxied authorization, see Chapter 6, “Managing Access Control” in the Netscape Directory Server Administrator’s Guide. ldapdelete Allows you to perform delete operations on directory entries via LDAP. Syntax ldapdelete [ optional-options ] ldapdelete options...
  • Page 216 ldapdelete SSL options You can use the following options to specify that ldapdelete use LDAPS when communicating with your Directory Server. You also use these options if you want to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured for your Directory Server.
  • Page 217: Ldif

    ldif Specifies the file containing the distinguished names of entries to be deleted. For example, -f modify_statements. Omit this option if you want to supply the distinguished name of the entry to be deleted directly to the command line. Lists all available ldapdelete options. Manage smart referrals.
  • Page 218 ldif command-line utility will take any input and format it with the correct ldif line continuation and appropriate attribute information. The ldif utility also senses whether the input requires base 64 encoding. Syntax When you use ldif, you must enter the command using the following format: ldif [-b] [attrtypes] [optional-options] Options...
  • Page 219: Chapter 8 Command-Line Scripts

    Chapter 8 Command-Line Scripts This chapter provides information on the scripts you can use to back up and restore your database. Scripts are a shortcut way of executing the ns-slapd interface commands which are documented in Appendix A, “Using the ns-slapd and slapd.exe Command-Line Utilities.”...
  • Page 220: Command-Line Scripts Quick Reference

    Command-Line Scripts Quick Reference CAUTION In order to execute the Perl Scripts you must change directory to the directory where the command-line utilities are stored. Although it is possible to set command path and library-path variables to execute these scripts, this is not the recommended procedure because you run the risk, particularly when you have more than one server version installed, not only of disrupting the correct execution of other scripts and utilities, but also of compromising the security of...
  • Page 221 Command-Line Scripts Quick Reference Table 8-1 Commonly Used Command-Line Shell and Batch Scripts (Continued) Command Line Script: getpwenc. Description: Prints the encrypted form of a password using one of the server’s encryption algorithms. If a user cannot log in, you can use this script to compare the user’s password to the password stored in the directory.
  • Page 222: Shell And Batch Scripts

    Shell and Batch Scripts Table 8-2 Commonly Used Command-Line Perl Scripts

    | Command Line Perl script | Description |
    | --- | --- |
    | bak2db.pl | Restores the database from the most recent archived backup. Located in: /usr/netscape/servers/slapd-serverID |
    | db2bak.pl | Creates a backup of the current database contents. Located in: /usr/netscape/servers/slapd-serverID |
    | | Creates and regenerates indexes. |
  • Page 223: Bak2Db (Restore Database From Backup)

    Shell and Batch Scripts When a Shell or Batch script has a Perl equivalent, there is a cross-reference to the section describing the equivalent Perl script. bak2db (Restore database from backup) Restores the database from the most recent archived backup. To run this script the server must be stopped.
  • Page 224 Shell and Batch Scripts For information on the equivalent Perl script, refer to “db2ldif.pl (Export database contents to LDIF),” on page 236. For the shell and batch scripts, the script runs the (Windows NT) or slapd (UNIX) command-line utility with the keyword.
  • Page 225: Db2Dsml (Export Database Contents To Dsml)

    Shell and Batch Scripts Request that the output LDIF is not folded. Delete, for reasons of backward compatibility, the first line of the LDIF file which gives the version of the LDIF standard. NOTE Please note that by default the output LDIF will be stored in one file.
  • Page 226: Dsml2Db (Import Dsml Document Contents Into Database)

    Shell and Batch Scripts dsml2db (Import DSML document contents into database) Imports the contents of the DSML, version 1.0, document into the database. To run this script, the server must be stopped. Syntax Shell script (UNIX) dsml2db -n backend_instance | {-s includesuffix}* [{-x excludesuffix}*] {-i dsmlfile} Batch file (NT) dsml2db -n backend_instance | {-s includesuffix}* [{-x...
  • Page 227: Ldif2Db (Import)

    For more information on the different storage schemes such as SSHA, CRYPT and CLEAR, see the Netscape Directory Server Administrator’s Guide. ldif2db (Import): Runs the slapd (Windows NT) or ns-slapd (Unix) command-line utility with the ldif2db keyword. To run this script, the server must be stopped. For information on the equivalent Perl script, refer to “ldif2db.pl (Import),”...
  • Page 228: Ldif2Ldap (Perform Import Operation Over Ldap)

    Suffix(es) to be included. Request that only the core db is created without attribute indexes. Merge chunk size. -g string: Generation of a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default a time-based unique ID is generated.
  • Page 229: Monitor (Retrieve Monitoring Information)

    File name of the file to be imported. When you import multiple files, they are imported in the order in which you specify them on the command line. monitor (Retrieve monitoring information): Retrieves performance monitoring information using the ldapsearch command-line utility.
  • Page 230: Restoreconfig (Restore Administration Server Configuration)

    Server restarted successfully, but was already stopped. Server could not be stopped. restoreconfig (Restore Administration Server Configuration): Restores, by default, the most recently saved Administration Server configuration information to the NetscapeRoot partition under the directory /usr/netscape/servers/slapd-serverID/config. To restore the Administration Server configuration: Stop the Directory Server...
  • Page 231: Start-Slapd (Start The Directory Server)

    Syntax: Shell script (UNIX): saveconfig; Batch file (NT): saveconfig. Options: There are no options for this script. start-slapd (Start the Directory Server): Starts the Directory Server. It is a good idea to check whether the server has actually started using the command, because the script can sometimes return while the startup process is still ongoing, resulting in a...
  • Page 232: Suffix2Instance (Map Suffix To Backend Name)

    Syntax: Shell script (UNIX): stop-slapd; Batch file (NT): stop-slapd. Options: There are no options for this script. Exit Status: Server stopped successfully. Server could not be stopped. Server was already stopped. suffix2instance (Map Suffix to Backend Name): Maps a suffix to a backend name.
  • Page 233: Vlvindex (Create Virtual List View (Vlv) Indexes)

    vlvindex (Create virtual list view (VLV) indexes): To run the vlvindex script, the server must be stopped. The vlvindex script creates virtual list view (VLV) indexes, known in the Directory Server Console as Browsing Indexes. VLV indexes introduce flexibility in the way you view search results.
  • Page 234: Perl Scripts

    bak2db.pl (Restore database from backup). Syntax: Perl script (Both): bak2db.pl [-v] -D rootdn -w password -a backup_directory] [-t databasetype] Options: User DN with root permissions, such as Directory Manager. The default is the DN of the directory manager which is read from the nsslapd-root attribute under cn=config.
  • Page 235: Db2Index.pl (Create And Generate Indexes)

    Options: User DN with root permissions, such as Directory Manager. The default is the DN of the directory manager which is read from the nsslapd-root attribute under cn=config. Password associated with the user DN. Directory where the backup files will be stored. By default it is under /usr/netscape/servers/slapd-serverID/bak. The backup file is named according to the year-month-day-hour format (YYYY_MM_DD_hhmmss).
  • Page 236: Db2Ldif.pl (Export Database Contents To Ldif)

    Instance to be indexed. Name of the attribute to be indexed. If omitted, all indexes defined for that instance are generated. Verbose mode. NOTE This perl script creates an entry in the directory that bak2db.pl launches this dynamic task. An entry is generated based upon the values you provide for each option.
  • Page 237: Ldif2Db.pl (Import)

    File name of the output LDIF file. Suffix(es) to be included or to specify the subtree(s) to be included if -n has been used. Suffix(es) to be excluded. Minimal base64 encoding. Output LDIF to be stored in one file by default with each instance stored in instance_file name.
  • Page 238 File name of the input LDIF file(s). When you import multiple files, they are imported in the order in which you specify them on the command line. Suffix(es) to be included or to specify the subtree(s) to be included if -n has been used.
  • Page 239: Migrateinstance6 (Migrate To Directory Server 5.0 Or 6.X)

    migrateInstance6 (Migrate to Directory Server 5.0 or 6.x): The migrateInstance6 Perl script (note that this is a Perl script despite the fact that it does not have the extension) migrates a 4.x Directory Server to Directory Server 5.0 or 6.x. It can also be used to upgrade from Directory Server 5.0 to Directory Server 6.x.
  • Page 240: Ns-Accountstatus.pl (Establish Account Status)

    6.xInstancePath: Path for the new Directory Server instance. Trace level. The trace level is set to 0 by default with a valid range of 0 to 3. File in which to log the migration report. By default the migration report is stored under /usr/netscape/servers/slapd-serverID/logs/Migration_ddmmyyy_hhmmss.log.
  • Page 241: Ns-Activate.pl (Activate An Entry Or Group Of Entries)

    ns-activate.pl (Activate an entry or group of entries): Activates an entry or group of entries. Syntax: Perl script (Both): ns-activate.pl [-D rootdn] -w password [-p port] [-h host] -I DN (to operation) Options: Directory Server userDN with root permissions, such as Directory Manager. Password associated with the user DN.
  • Page 242 Directory Server port. The default value is the LDAP port of Directory Server specified at installation time. Host name of Directory Server. The default value is the full hostname of the machine where Directory Server is installed. -I DN: Entry DN or role DN to inactivate.
  • Page 243: Appendix A Using The Ns-Slapd And Slapd.exe Command-Line Utilities

    Appendix A Using the ns-slapd and slapd.exe Command-Line Utilities In Chapter 8, “Command-Line Scripts,” we looked at the scripts for performing routine administration tasks on the Netscape Directory Server (Directory Server). In this Appendix we will look at the ns-slapd and slapd command-line utilities that can also be used to perform the same tasks.
  • Page 244: Ns-Slapd (Unix)

    Finding and Executing the ns-slapd and slapd.exe Command-Line Utilities. ns-slapd (UNIX): ns-slapd is used on a Unix operating system to start the directory server process, to build a directory database from an LDIF file, or to convert an existing database to an LDIF file.
  • Page 245: Ns-Slapd And Slapd.exe Command-Line Utilities For Exporting Databases

    db2ldif: Exports the contents of the database to LDIF. Shell syntax (UNIX): ns-slapd db2ldif -D slapd-serverID -a output_file [-d debug_level] [-n backend_instance] [-r] [-s include_suffix] [-x exclude_suffix] [-N] [-u] -[U] where serverID is the location of your server configuration directory.
  • Page 246 Specifies that entry IDs are not to be included in the LDIF output. The entry IDs are necessary only if the db2ldif output is to be used as input to db2index. Causes the server to include the copiedFrom attribute and its contents in the LDIF output when importing the LDIF file to a consumer server.
  • Page 247: Ns-Slapd And Slapd.exe Command-Line Utilities For Restoring And Backing Up Databases

    ldif2db: Imports LDIF files to the database. Shell script syntax (UNIX): ns-slapd ldif2db -D slapd-serverID -i ldif_file [-d debug_level ] [-g string] [-n backend_instance] -O [-s include_suffix] -x exclude_suffix] where ldif_file is the name of the file containing the LDIF to be imported and slapd-serverID is the location of your server configuration directory.
  • Page 248 -g string: Generation of a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default a time-based unique ID is generated. If you use the deterministic generation to have a name-based unique ID, you can also specify the namespace you want the server to use as follows:...
  • Page 249: Archive2Db

    CAUTION: If you are importing the LDIF file into your configuration directory, make sure the o=NetscapeRoot suffix and its contents are included in your LDIF file before you import. Do not exclude the suffix using , or combination of the two.
  • Page 250: Ns-Slapd And Slapd.exe Command-Line Utilities For Creating And Regenerating Indexes

    Shell script syntax (UNIX): slapd db2archive -D configdir -a archivedir; Batch file syntax (NT): slapd db2archive -D configdir -a archivedir. Options: Specifies the server configuration directory that contains the configuration information for the index creation process.
  • Page 251 Options: Specifies the debug level to use during index creation. For further information see “nsslapd-errorlog-level (Error Log Level)” on page 50. Specifies the server configuration directory that contains the configuration information for the index creation process.
  • Page 253: Glossary

    Glossary. access control instruction: See ACI. ACI: Access Control Instruction. An instruction that grants or denies permissions to entries in the directory. access control list: See ACL. ACL: Access control list. The mechanism for controlling access to your directory. access rights: In the context of access control, specify the level of access granted or denied.
  • Page 254 attribute: Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value. attribute list: A list of required and optional attributes for a given entry type or object class.
  • Page 255 browser: Software, such as Netscape Navigator, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server. browsing index: Otherwise known as the virtual view index, speeds up the display of entries in the Directory Server Console.
  • Page 256 CIR: See consumer-initiated replication. class definition: Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory. class of service: See CoS. classic CoS: A classic CoS identifies the template entry by both its DN and the value of one of the target entry’s attributes.
  • Page 257 DAP: Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory. Data Master: The server that is the master source of a particular piece of data. database link: An implementation of chaining. The database link behaves like a database but has no persistent storage.
  • Page 258 DNS alias: A DNS alias is a hostname that the DNS server knows points to a different host—specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as might point to a real machine called www.[yourdomain].[domain] where the server currently exists.
  • Page 259 HTML: Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as the Netscape Navigator how to display text, position graphics and form items, and display links to other pages. HTTP: Hypertext Transfer Protocol.
  • Page 260 LDAPv3: Version 3 of the LDAP protocol, upon which Directory Server bases its schema format. LDAP client: Software used to request and view LDAP entries from an LDAP Directory Server. See also browser. LDAP Data Interchange Format: See LDAP Data Interchange Format. LDAP URL: Provides the means of locating directory servers using DNS and then completing the query via LDAP.
  • Page 261 matching rule: Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use. MD5: A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data, that is unique with high probability, and is mathematically extremely hard to produce a piece of data that will produce the same message digest.
  • Page 262 network management station: See NMS. NIS: Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, file systems, and network parameters throughout a network of computers. NMS: Network Management Station.
  • Page 263 permission: In the context of access control, the permission states whether access to the directory information is granted or denied, and the level of access that is granted or denied. See access rights. PDU: Protocol Data Unit. Encoded messages which form the basis of data exchanges between SNMP devices.
  • Page 264 RDN: Relative distinguished name. The name of the actual entry itself, before the entry’s ancestors have been appended to the string to form the full distinguished name. referential integrity: Mechanism that ensures that relationships between related entries are maintained within the directory. referral: (1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP server that can process the request.
  • Page 265 root: The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine. root suffix: The parent of one or more sub suffixes. A directory tree can contain more than one root suffix. schema: Definitions describing what types of information can be stored as entries in the directory.
  • Page 266 single-master replication: The most basic replication scenario in which two servers each hold a copy of the same read-write replicas to consumer servers. In a single-master replication scenario, the supplier server maintains a change log. SIR: See supplier-initiated replication. slapd: LDAP Directory Server daemon or service that is responsible for most functions of a directory except replication.
  • Page 267 supplier server: In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica. supplier-initiated replication: Replication configuration where supplier servers replicate directory data to consumer servers. symmetric encryption: Encryption that uses the same key for both encrypting and decrypting.
  • Page 268 virtual list view index: Otherwise known as a browsing index, speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branchpoint in the directory tree to improve display performance. X.500 standard: The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementations.