Netscape DIRECTORY SERVER 6.02 Configuration Manual

Configuration, command, and file reference

Configuration, Command, and
File Reference
Netscape Directory Server
Version 6.02
May 2002

Summary of Contents for Netscape NETSCAPE DIRECTORY SERVER 6.02

  • Page 1 Configuration, Command, and File Reference Netscape Directory Server Version 6.02 May 2002...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents: About This Reference Guide (page 17); Directory Server Overview ...
  • Page 4 Configuration Changes Requiring Server Restart (page 33); Core Server Configuration Attributes Reference ...
  • Page 5 nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) (page 55); nsslapd-errorlog-maxlogsize (Maximum Error Log Size) (page 56); nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files) ...
  • Page 6 passwordMaxFailure (Maximum Password Failures) (page 77); passwordMinAge (Password Minimum Age) (page 77); passwordMinLength (Password Minimum Length) ...
  • Page 7 nsDS5ReplicaChangesSentSinceStartup (page 95); nsDS5ReplicaCredentials ...
  • Page 8 Configuration Quick Reference Tables (page 106); LDIF Configuration Files ...
  • Page 9 nsslapd-pluginInitfunc (page 132); nsslapd-pluginType ...
  • Page 10 Database Attributes Under cn=NetscapeRoot,cn=ldbm database, cn=plugins,cn=config and cn=UserRoot,cn=ldbm database, cn=plugins,cn=config (page 150); nsslapd-cachesize ...
  • Page 11 cn (page 157); description ...
  • Page 12 nsRenameCount (page 170); nsSearchBaseCount ...
  • Page 13 Abandon Message (page 187); Message ID ...
  • Page 14 Options (page 222); Chapter 8 Command-Line Scripts ...
  • Page 15 Options (page 236); Exit Status ...
  • Page 16 ns-slapd (UNIX) (page 250); slapd.exe (Windows) ...
  • Page 17: About This Reference Guide

    Netscape Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 18: Prerequisite Reading

    • SNMP Agent—Permits you to monitor Directory Server in real time using the Simple Network Management Protocol (SNMP).
    • Online backup and restore—Allows you to create backups and restore from backups while the server is running.
    Prerequisite Reading
    This reference guide does not describe many of the basic directory and architectural concepts that you need to successfully design, implement, and administer your directory service.
  • Page 19: Conventions Used In This Reference Guide

    This section explains the conventions used in this book. Monospaced font—This typeface is used for any text that appears on the computer screen or text that you should type. It is also used for filenames, functions, and examples.
  • Page 20 Related Information: For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, check this site: http://enterprise.netscape.com/docs
  • Page 21: Chapter 1 Introduction

    This chapter provides a brief overview of the configuration and administration utilities provided to manage the Netscape Directory Server (Directory Server). This chapter is divided into the following sections: • Overview of Directory Server Management (page 21) •...
  • Page 22: Directory Server Configuration

    This reference manual deals with the other methods of managing the Directory Server, namely altering the server configuration attributes via the command line and using the command-line utilities.
    Directory Server Configuration
    The format and method for storing configuration information for Directory Server mark a significant change from previous versions of the Directory Server.
  • Page 23: Using Directory Server Command-Line Scripts

    In addition to these command-line utilities, Directory Server also provides the ns-slapd and slapd.exe command-line utilities for performing directory operations as described in Appendix A, “Using the ns-slapd and slapd.exe Command-Line Utilities.”
    Using Directory Server Command-Line Scripts
    In addition to command-line utilities, several non-configurable scripts are provided with the Directory Server that make it quick and easy to perform routine server administration tasks from the command line.
  • Page 25: Chapter 2 Core Server Configuration Reference

    The configuration information for Netscape Directory Server (Directory Server) is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files.
  • Page 26 Server Configuration - Overview: Many of the features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax plug-in is contained in this entry: cn=Telephone Syntax,cn=plugins,cn=config...
  • Page 27: Ldif Configuration Files - Location

    The Directory Server configuration data is automatically output to files in LDIF format that are located in the following directory: /usr/netscape/servers/slapd-serverID/config, where serverID is the server identifier that you defined when you installed your Directory Server.
  • Page 28: Configuration Of Plug-In Functionality

    Code Example 2-1 gives an example of part of the dse.ldif file for a Directory Server. The example shows, amongst other things, that schema checking has been turned on; this is represented by the attribute nsslapd-schemacheck, which takes the value Code Example 2-1...
  • Page 29: Configuration Of Databases

    Some of these attributes are common to all plug-ins and some may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an on the subtree.
  • Page 30: Migration Of Pre-Directory Server 6.X Configuration Files To Ldif Format

    Accessing and Modifying Server Configuration
    The Directory Server will only recognize configuration files that are in the LDIF format, which means that the slapd.conf and slapd.ldbm.conf configuration files from 4.x versions of Directory Server must be converted to LDIF format. Directory Server 4.x configurations can be migrated to the new LDIF format using the tool tool.
  • Page 31: Changing Configuration Attributes

    Code Example 2-3 Default ACIs in dse.ldif
    aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators,ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
    aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
    aci: (targetattr = "*")(version 3.0;...
  • Page 32: Modifying Configuration Entries Using Ldap

    NOTE: If you edit the dse.ldif file, you must stop the server beforehand, otherwise your changes will be lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See “Configuration Changes Requiring Server Restart,”...
  • Page 33: Restrictions To Modifying Configuration Entries And Attributes

    Code Example 2-4 Disabling the Telephone Syntax Plug-in
        ldapmodify -D bindDN -w password
        dn: cn=Telephone Syntax,cn=plugins,cn=config
        changetype: modify
        replace: nsslapd-pluginEnabled
        nsslapd-pluginEnabled: off
    Restrictions to Modifying Configuration Entries and Attributes
    Certain restrictions apply when modifying server entries and attributes: •...
  • Page 34 Figure 2-2 Directory Information Tree Showing Configuration Data. The list of configuration tree nodes covered in this section is as follows: • cn=config • cn=changelog5 • cn=encryption • cn=features • cn=mapping tree • cn=monitor • cn=replication •...
  • Page 35: Cn=Config

    General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the object class) must be present in the entry.
  • Page 36: Nsslapd-Accesslog (Access Log)

    Specifies the path and filename of the log used to record each database access. The following information is recorded by default in the log file: • IP address of the client machine that accessed the database •...
  • Page 37: Nsslapd-Accesslog-Level

    Example: nsslapd-accesslog: /usr/netscape/servers/slapd-serverID/logs/access
    nsslapd-accesslog-level
    Controls what is logged to the access log.
    Entry DN: cn=config
    Valid Range:
      0—No access logging
      4—Logging for internal access operations
      256—Logging for access to an entry
      512—Logging for access to an entry and referrals
    These values can be added together to provide you with the exact type of logging you require, for example 516 (4 + 512) to obtain internal access operation, entry access, and referral logging.
  • Page 38: Nsslapd-Accesslog-Logexpirationtime (Access Log Expiration Time)

    Entry DN: cn=config
    Valid Range: on | off
    Default Value:
    Syntax: DirectoryString
    Example: nsslapd-accesslog-logbuffering: off
    nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
    Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units.
  • Page 39: Nsslapd-Accesslog-Logging-Enabled (Access Log Enable Logging)

    Disables and enables accesslog logging but only in conjunction with the nsslapd-accesslog attribute that specifies the path and filename of the log used to record each database access. For access logging to be enabled this attribute must be switched to and the configuration attribute must have a valid path and filename.
  • Page 40: Nsslapd-Accesslog-Logminfreediskspace (Access Log Minimum Free Disk Space)

    When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space.
  • Page 41: Nsslapd-Accesslog-Logrotationtimeunit (Access Log Rotation Time Unit)

    nsslapd-accesslog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See “nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)” on page 42 for more information.
    Entry DN: cn=config
    Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647) where a value...
  • Page 42: Nsslapd-Accesslog-Maxlogsperdir (Access Log Maximum Number Of Log Files)

    Entry DN: cn=config
    Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size.
    Default Value:
    Syntax: Integer
    Example: nsslapd-accesslog-maxlogsize: 100
    nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
    Specifies the total number of access logs that can be contained in the directory...
  • Page 43: Nsslapd-Auditlog (Audit Log)

    Valid Range: on | off
    Default Value:
    Syntax: DirectoryString
    Example: nsslapd-attribute-name-exceptions: on
    nsslapd-auditlog (Audit Log)
    Specifies the pathname and filename of the log used to record changes made to each database.
    Entry DN: cn=config
    Valid Range: Any valid filename
    Default Value: /usr/netscape/servers/slapd-serverID/logs/audit...
  • Page 44: Nsslapd-Auditlog-List

    Provides a list of audit log files.
    Entry DN: cn=config
    Valid Range:
    Default Value: None
    Syntax: DirectoryString
    Example: nsslapd-auditlog-list: auditlog2,auditlog3
    nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
    Specifies the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units.
  • Page 45: Nsslapd-Auditlog-Logging-Enabled (Audit Log Enable Logging)

    Turns audit logging on and off.
    Entry DN: cn=config
    Valid Range: on | off
    Default Value:
    Syntax: DirectoryString
    Example: nsslapd-auditlog-logging-enabled: off
    For audit logging to be enabled this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be...
  • Page 46: Nsslapd-Auditlog-Logminfreediskspace (Audit Log Minimum Free Disk Space)

    When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space.
  • Page 47: Nsslapd-Auditlog-Logrotationtimeunit (Audit Log Rotation Time Unit)

    Although it is not recommended for performance reasons to specify no log rotation as the log will grow indefinitely, you have two ways of specifying this. Either you set the nsslapd-auditlog-maxlogsperdir attribute value to 1 or the attribute to -1.
  • Page 48: Nsslapd-Auditlog-Maxlogsperdir (Audit Log Maximum Number Of Log Files)

    When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space.
  • Page 49: Nsslapd-Certmap-Basedn (Certificate Map Search Base)

    This attribute can be used when client authentication is performed using SSL certificates in order to avoid limitation of the security subsystem certificate mapping, configured in the certmap.conf file. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree...
  • Page 50: Nsslapd-Enquote-Sup-Oc (Enable Superior Object Class Enquoting)

    Controls whether quoting in the objectclasses attributes contained in the cn=schema entry will conform to the quoting specified by internet draft RFC 2252. By default, the Directory Server places single quotes around the superior object class identified on the attributes contained in .
  • Page 51: Nsslapd-Errorlog (Error Log)

    Specifies the pathname and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they will contain informative conditions such as these: •...
  • Page 52: Nsslapd-Errorlog-Level (Error Log Level)

    Specifies the level of logging to be used by the Directory Server. The log level is additive; that is, specifying a value of 3 causes both levels 1 and 2 to be performed. To turn logging off, remove the nsslapd-errorlog-level attribute from...
  • Page 53: Nsslapd-Errorlog-List

    This read-only attribute provides a list of error log files.
    Entry DN: cn=config
    Valid Range:
    Default Value: None
    Syntax: DirectoryString
    Example: nsslapd-errorlog-list:errorlog2,errorlog3
    nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
    Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units.
  • Page 54: Nsslapd-Errorlog-Logging-Enabled (Enable Error Logging)

    Turns error logging on and off.
    Entry DN: cn=config
    Valid Range: on | off
    Default Value:
    Syntax: DirectoryString
    Example: nsslapd-errorlog-logging-enabled: on
    nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
    Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume.
  • Page 55: Nsslapd-Errorlog-Logrotationtime (Error Log Rotation Time)

    Valid Range: 1 to the maximum 32 bit integer value (2147483647)
    Default Value:
    Syntax: Integer
    Example: nsslapd-errorlog-logminfreediskspace: 5
    nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
    Specifies the time between error log file rotations. The error log will be rotated when this time interval is up, regardless of the current size of the error log.
  • Page 56: Nsslapd-Errorlog-Maxlogsize (Maximum Error Log Size)

    Default Value: week
    Syntax: DirectoryString
    Example: nsslapd-errorlog-logrotationtimeunit: day
    nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
    Specifies the maximum error log size in megabytes. When this value is reached, the error log is rotated. That is, the server starts writing log information to a new log file.
  • Page 57: Nsslapd-Groupevalnestlevel

    Entry DN: cn=config
    Valid Range: 1 to the maximum 32 bit integer value (2147483647)
    Default Value:
    Syntax: Integer
    Example: nsslapd-errorlog-maxlogsperdir: 10
    nsslapd-groupevalnestlevel
    Specifies the number of levels of nesting that the access-control system will perform for group evaluation.
    Entry DN: cn=config
    Valid Range:...
  • Page 58: Nsslapd-Ioblocktimeout (Io Block Time Out)

    Specifies the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
  • Page 59: Nsslapd-Listenhost (Listen To Ip Address)

    Allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). Provide the hostname which corresponds to the IP interface you want to specify as a value for this attribute.
  • Page 60: Nsslapd-Maxbersize (Maximum Message Size)

    Default Value: To run as the same user who started the Directory Server.
    Syntax: DirectoryString
    Example: nsslapd-localuser: nobody
    nsslapd-maxbersize (Maximum Message Size)
    Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by the Directory Server.
  • Page 61: Nsslapd-Maxthreadsperconn (Maximum Threads Per Connection)

    process. See your operating-system documentation for details on file descriptor limits and configuration. Note that the dsktune program (explained in the Netscape Directory Server Installation Guide) can be used to suggest changes to the system kernel or TCP/IP tuning attributes, including increasing the number of file descriptors if necessary.
  • Page 62: Nsslapd-Nagle

    When the value of this attribute is , the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies, namely the sending of data is delayed, in the hope that this will enable additional data to be grouped into one packet of the underlying network MTU size (typically 1500 bytes for Ethernet).
  • Page 63: Nsslapd-Port (Port Number)

    TCP/IP port number used for LDAP communications. If you want to run SSL/TLS over this port you can do so through the Start TLS extended operation. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number.
  • Page 64: Nsslapd-Referral (Referral)

    Entry DN: cn=config
    Valid Range: on | off
    Default Value:
    Syntax: DirectoryString
    Example: nsslapd-readonly: off
    nsslapd-referral (Referral)
    This multi-valued attribute specifies the LDAP URL(s) to be returned by the suffix when the server receives a request for an entry not belonging to the local tree; that is, an entry whose suffix does not match the value specified on any of the suffix attributes.
  • Page 65: Nsslapd-Referralmode (Referral Mode)

    When set, this attribute will send back the referral for any request on any suffix.
    Entry DN: cn=config
    Valid Range: Valid LDAP URL in the following format: ldap://server-location
    Default Value:
    Syntax: DirectoryString
    Example: nsslapd-referralmode: ldap://ldap.example.com
    nsslapd-reservedescriptors (Reserved File Descriptors)
  • Page 66 To assist you in computing the number of file descriptors you set for this attribute we suggest you use the following formula:
    nsslapd-reservedescriptor = 20 + (NldbmBackends * 4) + NglobalIndex + ReplicationDescriptor + ChainingBackendDescriptors + PTADescriptors + SSLDescriptors
    where: Number of ldbm databases.
  • Page 67: Nsslapd-Return-Exact-Case (Return Exact Case)

    Returns the exact case of attribute type names as requested by the client. Some client applications require attribute names to exactly match the case of the attribute as it is listed in the schema when the attribute is returned by the Directory Server, as the result of a search or modify operation.
  • Page 68: Nsslapd-Rootpw (Root Password)

    Allows you to specify the password associated with the "Manager DN". When you provide the root password, it will be encrypted according to the encryption method you selected for “nsslapd-rootpwstoragescheme (Root Password Storage Scheme)”...
  • Page 69: Nsslapd-Schemacheck (Schema Checking)

    Example: nsslapd-rootpwstoragescheme: SSHA
    nsslapd-schemacheck (Schema Checking)
    Specifies whether the database schema will be enforced during entry insertion or modification. When this attribute has a value of on, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database.
  • Page 70: Nsslapd-Securelistenhost

    Valid Range: on | off | replication-only
    Default Value: replication-only
    Syntax: DirectoryString
    Example: nsslapd-schemareplace: replication-only
    nsslapd-securelistenhost
    Allows multiple Directory Server instances to run, using secure SSL/TLS connections, on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine).
  • Page 71: Nsslapd-Security (Security)

    Specifies whether the Directory Server is to accept SSL/TLS communications on its encrypted port. This attribute should be set to , if you want secure connections.
    Entry DN: cn=config
    Valid Range: on | off
    Default Value:
    Syntax: DirectoryString...
  • Page 72: Nsslapd-Threadnumber (Thread Number)

    Defines the number of operation threads that the Directory Server will create during startup. The nsslapd-threadnumber value should be increased if you have many directory clients performing time-consuming operations such as add or modify, as this ensures that there are other threads available for servicing short-lived operations such as simple searches.
  • Page 73: Nsslapd-Versionstring

    Example: nsslapd-timelimit: 3600
    nsslapd-versionstring
    Specifies the server version number.
    Entry DN: cn=config
    Valid Range: Any valid server version number.
    Default Value:
    Syntax: DirectoryString
    Example: nsslapd-versionstring: Netscape-Directory/6.02
    passwordChange (Password Change)
    Indicates whether users may change their passwords. For more information on password policies, see Chapter 7, “User Account Management”...
  • Page 74: Passwordexp (Password Expiration)

    Entry DN: cn=config
    Valid Range: on | off
    Default Value:
    Syntax: DirectoryString
    Example: passwordCheckSyntax: off
    passwordExp (Password Expiration)
    Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of seconds after which the password will expire using the attribute.
  • Page 75: Passwordinhistory (Number Of Passwords To Remember)

    Default Value:
    Syntax: DirectoryString
    Example: passwordHistory: on
    passwordInHistory (Number of Passwords to Remember)
    Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled.
  • Page 76: Passwordlockoutduration (Lockout Duration)

    Default Value:
    Syntax: DirectoryString
    Example: passwordLockout: off
    passwordLockoutDuration (Lockout Duration)
    Indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user’s password.
  • Page 77: Passwordmaxfailure (Maximum Password Failures)

    Indicates the number of failed bind attempts after which a user will be locked out of the directory. By default, account lockout is disabled. You can enable account lockout by modifying the attribute.
  • Page 78: Passwordmustchange (Password Must Change)

    Syntax: Integer
    Example: passwordMinLength: 6
    passwordMustChange (Password Must Change)
    Indicates whether users must change their passwords when they first bind to the Directory Server, or when the password has been reset by the "Manager DN". For more information on password policies, see Chapter 7, “User Account Management”...
  • Page 79: Passwordstoragescheme (Password Storage Scheme)

    Specifies the type of encryption used to store Directory Server passwords. Enter the password in CLEAR for this attribute indicates that the password will appear in plain text. The following encryption types are supported by the Directory Server 6.x: •...
  • Page 80: Passwordwarning (Send Warning)

    Indicates the number of seconds before a user’s password is due to expire that the user will receive a password expiration warning control on their next LDAP operation. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.
  • Page 81: Nsslapd-Changelogdir

    • “nsslapd-cachememsize,” on page 151
    Note that the default values for the cache-related memory parameters (tuned for a single backend replicated to a single consumer) are as follows:
    nsslapd-cachesize : 3000 (3000 entries)
    nsslapd-cachememsize : 10000000 (10 MB)
    When more backends are replicated or when you need to replicate one backend to more than one consumer, consider tuning the parameters as below:...
  • Page 82: Nsslapd-Changelogmaxage (Max Changelog Age)

    Valid Range: Any valid path to the directory storing the changelog
    Default Value: None
    Syntax: DirectoryString
    Example: nsslapd-changelogdir: /usr/ns-home/slapd-local/changelogdb
    nsslapd-changelogmaxage (Max Changelog Age)
    Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers.
  • Page 83: Cn=Encryption

    Syntax: Integer
    Example: nsslapd-changelogmaxentries: 5000
    cn=encryption
    Encryption related attributes are stored under the cn=encryption,cn=config entry. The cn=encryption,cn=config entry is an instance of the nsslapdEncryptionConfig object class. For encryption related attributes to be taken into account by the server this object class (in addition to the object class) must be present in the entry.
  • Page 84: Nsssl2

    Example: nssslclientauth: allowed
    nsssl2
    Supports SSL version 2.
    Entry DN: cn=encryption,cn=config
    Valid Range: on | off
    Default Value:
    Syntax: DirectoryString
    Example: nsssl2: on
    nsssl3
    Supports SSL version 3.
    Entry DN: cn=encryption,cn=config
    Valid Range: on | off
    Default Value:
    Syntax: DirectoryString...
  • Page 85 Core Server Configuration Attributes Reference Valid Range: For domestic versions, any combination of the following: For SSLv3: rsa_null_md5, rsa_rc4_128_md5, rsa_rc4_40_md5, rsa_rc2_40_md5, rsa_des_sha, rsa_fips_des_sha, rsa_3des_sha, rsa_fips_3des_sha. For TLS: tls_rsa_export1024_with_rc4_56_sha, tls_rsa_export1024_with_des_cbc_sha. Default Value: Syntax: DirectoryString; + symbol to enable or - symbol to disable, followed by the cipher(s). It is important to note that blank spaces are not allowed in the list of ciphers.
  • Page 86: Cn=Features

    Core Server Configuration Attributes Reference Table 2-1 SSLv3 Ciphers (Continued)
    Cipher in Console: Corresponding SSLv3 Cipher
    RC2(Export): rsa_rc2_40_md5
    rsa_des_sha
    DES (FIPS): rsa_fips_des_sha
    Triple-DES: rsa_3des_sha
    Triple-DES (FIPS): rsa_fips_3des_sha
    If you are using the Directory Server Console to set the cipher preferences, the values on the TLS tab of the Cipher Preference dialog box correspond to the following: Table 2-2...
  • Page 87: Suffix Configuration Attributes Under Cn="Dc=Example,Dc=Com

    Core Server Configuration Attributes Reference Suffix Configuration Attributes Under cn="dc=example,dc=com" Suffix configuration attributes are stored under the cn="dc=example,dc=com" entry. The cn="dc=example,dc=com" entry is an instance of the nsMappingTree object class which inherits from the extensibleObject object class. For suffix configuration attributes to be taken into account by the server these object classes (in addition to the object class) must be present in the entry.
  • Page 88: Replication Attributes Under Cn=Replica, Cn="Dc=Example,Dc=Com

    Core Server Configuration Attributes Reference Syntax: DirectoryString Example: nsslapd-backend: NetscapeRoot Replication Attributes Under cn=replica, cn=“dc=example,dc=com”, cn=mapping tree,cn=config Replication configuration attributes are stored under cn=replica,cn=“dc=example,dc=com”,cn=mapping tree,cn=config. The cn=replica entry is an instance of the nsDS5Replica object class. For replication configuration attributes to be taken into account by the server this object class (in addition to the object class) must be present in the entry.
  • Page 89: Nsds5Flags

    Core Server Configuration Attributes Reference nsDS5Flags This attribute allows you to specify replica properties you will have previously defined in flags. At present only one flag exists, which allows you to specify whether your log changes or not. Entry DN: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config Valid Range:...
  • Page 90: Nsds5Replicachangecount

    Core Server Configuration Attributes Reference nsDS5ReplicaChangeCount This read-only attribute informs you of the total number of entries in the change log (whether they still remain to be replicated or not). When the change log is purged only the entries that are still to be replicated will be left. See “nsDS5ReplicaPurgeDelay,”...
  • Page 91: Nsds5Replicaname

    Core Server Configuration Attributes Reference Syntax: DirectoryString Example: nsDS5ReplicaLegacyConsumer: false nsDS5ReplicaName This read-only attribute specifies the name of the replica with a unique identifier for internal operations. This unique identifier is allocated by the server when the replica is created. This attribute is destined for internal use only. Entry DN: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config...
  • Page 92: Nsds5Replicareferral

    Core Server Configuration Attributes Reference nsDS5ReplicaReferral This multi-valued attribute specifies the user-defined referrals. This should only be defined on a consumer. User referrals are only returned when a client attempts to modify data on a read-only consumer. Entry DN: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config Valid Range:...
  • Page 93: Nsds5Replicatype

    Core Server Configuration Attributes Reference Example: nsDS5ReplicaTombstonePurgeInterval: 3600 nsDS5ReplicaType Defines the type of replication relationship that exists between this replica and the others. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com", cn=mapping tree,cn=config Valid Range: 0 = unknown; 1 = primary (not yet used); 2 = consumer (read-only); 3 = consumer/supplier (updateable). Default Value: Syntax:...
  • Page 94: Description

    Core Server Configuration Attributes Reference configuration attributes to be taken into account by the server this object class (in addition to the object class) must be present in the entry. Replication Agreements are configured only on supplier replicas. The replication agreement configuration attributes are presented in this section.
  • Page 95: Nsds5Replicabindmethod

    Core Server Configuration Attributes Reference nsDS5ReplicaBindMethod Specifies the method to use for binding. This attribute can be modified. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config Valid Range: SIMPLE (This bind method requires a DN and password); SSLCLIENTAUTH. Default Value: SIMPLE Syntax: DirectoryString Example: nsDS5ReplicaBindMethod: SIMPLE nsDS5ReplicaChangesSentSinceStartup...
  • Page 96: Nsds5Replicahost

    Core Server Configuration Attributes Reference Default Value: Syntax: DirectoryString {DES} encrypted_password Example: nsDS5ReplicaCredentials: {DES} 9Eko69APCJfFReplica nsDS5ReplicaHost Specifies the hostname for the remote server containing the consumer replica. Once this attribute has been set it cannot be modified. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config Valid Range: Any valid host server name...
  • Page 97: Nsds5Replicalastinitstatus

    Core Server Configuration Attributes Reference Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config Valid Range: Default Value: Syntax: GeneralizedTime Example: nsDS5ReplicaLastInitStart: YYYYMMDDhhmmssZ (20000902160000) nsDS5ReplicaLastInitStatus This optional, read-only attribute provides status for the initialization of the consumer. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config Valid Range: 0 (Consumer Initialization Succeeded) followed by any other status message.
  • Page 98: Nsds5Replicalastupdatestart

    Core Server Configuration Attributes Reference nsDS5ReplicaLastUpdateStart This read-only attribute states when the most recent replication schedule update started. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config Valid Range: Default Value: Syntax: GeneralizedTime Example: nsDS5ReplicaLastUpdateStart: YYYYMMDDhhmmssZ (20000902160000) nsDS5ReplicaLastUpdateStatus This read-only attribute provides the status for the most recent replication schedule updates.
  • Page 99: Nsds5Replicarefresh

    Core Server Configuration Attributes Reference Syntax: Integer Example: nsDS5ReplicaPort: 389 nsDS5ReplicaRefresh Allows you to initialize your replica. This attribute is absent by default. However, if you add this attribute with a value of start then the server reinitializes the replica and removes the attribute value.
  • Page 100: Nsds5Replicatransportinfo

    Core Server Configuration Attributes Reference You can find out the amount of time the operation actually lasted by examining the access log on the remote machine and then set the attribute nsDS5ReplicaTimeout accordingly to optimize performance. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config Valid Range: 0 to maximum integer value (2147483647) in seconds Default Value:...
  • Page 101: Nsds5Replicaupdateschedule

    Core Server Configuration Attributes Reference Syntax: DirectoryString Example: nsDS5ReplicaUpdateInProgress:true nsDS5ReplicaUpdateSchedule This multi-valued attribute specifies the replication schedule and can be modified. Entry DN: cn=ReplicationAgreementName,cn="dc=example,dc=com",cn=mapping tree,cn=config Valid Range: Time schedule presented as XXXX-YYYY 0123456 where XXXX is the starting hour, YYYY is the finishing hour and the numbers 0123456 are the days of the week starting with Sunday.
  • Page 102: Currentconnections

    Core Server Configuration Attributes Reference
    currentConnections: Number of current Directory Server connections.
    totalConnections: Total number of Directory Server connections.
    dTableSize: Size of the Directory Server descriptor table.
    readWaiters: Number of connections where some requests are pending and not currently being serviced by a thread in Directory Server.
  • Page 103: Backendmonitordn

    Core Server Configuration Attributes Reference
    backendMonitorDN: DN for each Directory Server backend.
    For further information on monitoring the database, see these sections: • Database Attributes Under cn=monitor,cn=ldbm database, cn=plugins,cn=config (on page 149) • Database Attributes Under cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config (on page 153) •...
  • Page 104: Nssnmporganization

    Core Server Configuration Attributes Reference nssnmporganization Specifies the organization to which the Directory Server belongs. Entry DN: cn=SNMP,cn=config Valid Range: Organization name Default Value: Syntax: DirectoryString Example: nssnmporganization: netscape nssnmplocation Specifies the location within the company or organization where the Directory Server resides.
  • Page 105: Nssnmpdescription

    Core Server Configuration Attributes Reference nssnmpdescription Provides a unique description of the Directory Server instance. Entry DN: cn=SNMP,cn=config Valid Range: Description Default Value: Syntax: DirectoryString Example: nssnmpdescription: Employee directory instance nssnmpmasterhost This mandatory attribute specifies the hostname of the machine on which the master agent is installed.
  • Page 106: Cn=Tasks

    Configuration Quick Reference Tables cn=tasks No attributes to document. cn=uniqueid generator The uniqueid generator configuration attributes are stored under cn=uniqueid generator,cn=config. The cn=uniqueid generator entry is an instance of the extensible object class. For uniqueid generator configuration attributes to be taken into account by the server this object class (in addition to the object class)
  • Page 107 Configuration Quick Reference Tables Table 2-3 Directory Server Configuration LDIF Files
    Configuration Filename: Purpose
    dse.ldif: Contains front-end Directory Specific Entries created by the directory at server startup. These include the Root DSE (""), and the contents of cn=config and cn=monitor.
    00core.ldif: Contains LDAPv3 standard operational schema, such as “subschemaSubentry,”...
  • Page 108 Configuration Quick Reference Tables Table 2-3 Directory Server Configuration LDIF Files (Continued)
    Configuration Filename: Purpose
    50ns-certificate.ldif: Schema for Netscape Certificate Management System.
    50ns-compass.ldif: Schema used by Netscape Compass Server to define personal interest profiles.
    50ns-delegated-admin.ldif: Schema used by Netscape Delegated Administrator 4.5.
  • Page 109: Configuration Changes Requiring Server Restart

    Configuration Quick Reference Tables Table 2-3 Directory Server Configuration LDIF Files (Continued)
    Configuration Filename: Purpose
    50ns-wcal.ldif: Schema for Netscape Web Calendaring.
    50ns-web.ldif: Schema for Netscape Web Server.
    99user.ldif: User-defined schema maintained by Directory Server replication consumers which contains the attributes and object classes from the suppliers.
    Configuration Changes Requiring Server Restart Table 2-4 lists the configuration attributes that cannot be altered dynamically, while the server is still running.
  • Page 110 Configuration Quick Reference Tables Table 2-4 Configuration Changes Requiring Server Restart (Continued)
    Configuration Attribute: cn=encryption,cn=config:nssslsessiontimeout
    Action Requiring Restart: Changing the lifetime of an SSL session.
    Netscape Directory Server Configuration, Command, and File Reference • May 2002...
  • Page 111: Chapter 3 Plug-In Implemented Server Functionality Reference

    Chapter 3 Plug-in Implemented Server Functionality Reference This chapter contains reference information on Netscape Directory Server (Directory Server) server plug-ins. The chapter is divided into the following sections: • Overview (page 111) • Server Plug-in Functionality Reference (page 112) • List of Attributes Common to All Plug-ins (page 132) •...
  • Page 112: Object Classes For Plug-In Configuration

    Server Plug-in Functionality Reference

        dn: cn=Telephone Syntax,cn=plugins,cn=config
        objectclass: top
        objectclass: nsSlapdPlugin
        objectclass: extensibleObject
        cn: Telephone Syntax
        nsslapd-pluginPath: /usr/netscape/servers/lib/syntax-plugin.so
        nsslapd-pluginInitfunc: tel_init
        nsslapd-pluginType: syntax
        nsslapd-pluginEnabled: on

    Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an on the subtree.
  • Page 113: 7-Bit Check Plug-In

    Server Plug-in Functionality Reference 7-bit check Plug-in
    Plug-in Name: 7-bit check (NS7bitAtt)
    DN of Configuration Entry: cn=7-bit check,cn=plugins,cn=config
    Description: Checks certain attributes are 7-bit clean
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: list of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur...
  • Page 114: Acl Preoperation Plug-In

    Server Plug-in Functionality Reference ACL preoperation Plug-in
    Plug-in Name: ACL preoperation
    DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config
    Description: ACL access check plug-in
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: None
    Dependencies: database
    Performance Related Information: None
    Further Information: Chapter 6, “Managing Access Control” in the Netscape Directory Server Administrator’s Guide.
  • Page 115: Boolean Syntax Plug-In

    Server Plug-in Functionality Reference Boolean Syntax Plug-in
    Plug-in Name: Boolean Syntax
    DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config
    Description: Syntax for handling booleans.
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: None
    Dependencies: None
    Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
  • Page 116: Case Ignore String Syntax Plug-In

    Server Plug-in Functionality Reference Case Ignore String Syntax Plug-in
    Plug-in Name: Case Ignore String Syntax
    DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config
    Description: Syntax for handling case-insensitive strings
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: None
    Dependencies: None
    Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 117: Class Of Service Plug-In

    Server Plug-in Functionality Reference Class of Service Plug-in
    Plug-in Name: Class of Service
    DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config
    Description: Allows for sharing of attributes between entries
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: None
    Dependencies: None
    Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 118: Distinguished Name Syntax Plug-In

    Server Plug-in Functionality Reference Distinguished Name Syntax Plug-in
    Plug-in Name: Distinguished Name Syntax
    DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config
    Description: Syntax for handling DNs
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: None
    Dependencies: None
    Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
  • Page 119: Integer Syntax Plug-In

    Server Plug-in Functionality Reference
    Plug-in Name: Generalized Time Syntax
    Further Information: The Generalized Time String consists of the following: four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second and a time zone indication.
  • Page 120: Ldbm Database Plug-In

    Server Plug-in Functionality Reference
    Plug-in Name: Internationalization Plugin
    Default Setting:
    Configurable Arguments: The Internationalization has one argument which must not be modified: /usr/netscape/servers/slapd-serverID/config/slapd-collations.conf This directory stores the collation orders and locales used by the internationalization plug-in.
    Dependencies: None
    Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 121: Legacy Replication Plug-In

    Server Plug-in Functionality Reference Legacy Replication Plug-in
    Plug-in Name: Legacy Replication plug-in
    DN of Configuration Entry: cn=Legacy Replication plug-in,cn=plugins,cn=config
    Description: Enables Directory Server 6.x to be a consumer of a 4.1 supplier
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: None. This plug-in can be disabled if the server is not (and never will be) a consumer of a 4.x server.
  • Page 122: Octet String Syntax Plug-In

    Server Plug-in Functionality Reference Octet String Syntax Plug-in
    Plug-in Name: Octet String Syntax
    DN of Configuration Entry: cn=Octet String Syntax,cn=plugins,cn=config
    Description: Syntax for handling octet strings
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: None
    Dependencies: None
    Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
  • Page 123: Crypt Password Storage Plug-In

    Server Plug-in Functionality Reference CRYPT Password Storage Plug-in
    Plug-in Name: CRYPT
    DN of Configuration Entry: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
    Description: CRYPT password storage scheme used for password encryption
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: None
    Dependencies: None
    Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
  • Page 124: Sha Password Storage Scheme Plug-In

    Server Plug-in Functionality Reference
    Plug-in Name: NS-MTA-MD5
    Further Information: You can no longer choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for reasons of backward compatibility, i.e. if the data in your directory still contains passwords encrypted with the NS-MTA-MD5 password storage scheme.
  • Page 125: Postal Address String Syntax Plug-In

    Server Plug-in Functionality Reference
    Plug-in Name: SSHA
    Description: SSHA password storage scheme for password encryption
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: None
    Dependencies: None
    Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
    Further Information: Chapter 7, “User Account Management”...
  • Page 126: Presence Plug-In

    Server Plug-in Functionality Reference Presence Plug-in
    Plug-in Name: Presence
    DN of Configuration Entry: cn=Presence,cn=plugins,cn=config
    Description: Syntax used for handling postal addresses
    Configurable Options: on | off
    Default Setting:
    Configurable Arguments: None
    Dependencies: database
    Performance Related Information: Check the reference provided in Further Information.
    Further Information: Chapter 18, “Configuring IM Presence Information”...
  • Page 127: Referential Integrity Postoperation Plug-In

    Server Plug-in Functionality Reference Referential Integrity Postoperation Plug-in
    Plug-in Name: Referential Integrity Postoperation
    DN of Configuration Entry: cn=Referential Integrity Postoperation,cn=plugins,cn=config
    Description: Enables the server to ensure referential integrity
    Configurable Options: All configuration and on | off
    Default Setting:
    Configurable Arguments: When enabled the post operation Referential Integrity plug-in performs integrity updates on the member, uniquemember, owner...
  • Page 128: Retro Changelog Plug-In

    Server Plug-in Functionality Reference Retro Changelog Plug-in
    Plug-in Name: Retro Changelog Plugin
    DN of Configuration Entry: cn=Retro Changelog Plugin,cn=plugins,cn=config
    Description: Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The Retro Changelog offers the same functionality as the changelog in the 4.x versions of Directory Server.
  • Page 129: State Change Plug-In

    Server Plug-in Functionality Reference
    Plug-in Name: Roles Plugin
    Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
    Further Information: Chapter 5, “Advanced Entry Management” in the Netscape Directory Server Administrator’s Guide.
  • Page 130: Uid Uniqueness Plug-In

    Server Plug-in Functionality Reference
    Plug-in Name: Telephone Syntax
    Configurable Arguments: None
    Dependencies: None
    Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
    Further Information:
    UID Uniqueness Plug-in
    Plug-in Name: UID Uniqueness plug-in
    DN of Configuration...
  • Page 131: Uri Syntax Plug-In

    Server Plug-in Functionality Reference
    Plug-in Name: UID Uniqueness plug-in
    Dependencies: database
    Performance Related Information: Directory Server 6.x provides the UID Uniqueness plug-in by default. If you want to ensure unique values for other attributes, you can create instances of the UID Uniqueness plug-in for those attributes.
  • Page 132: List Of Attributes Common To All Plug-Ins

    List of Attributes Common to All Plug-ins List of Attributes Common to All Plug-ins This list provides a brief attribute description, the Entry DN, valid range, default value, syntax and an example for each attribute. nsslapd-pluginPath Specifies the full path to the plug-in.
    Entry DN: cn=plug-in name,cn=plugins,cn=config
    Valid Range: Any valid path...
  • Page 133: Nsslapd-Pluginenabled

    List of Attributes Common to All Plug-ins
    Default Value: None
    Syntax: DirectoryString
    Example: nsslapd-pluginType: preoperation
    nsslapd-pluginEnabled Specifies whether or not the plug-in is enabled. This attribute can be changed over protocol, but will only take effect when the server is next restarted.
    Entry DN: cn=plug-in name,cn=plugins,cn=config
    Valid Range...
  • Page 134: Nsslapd-Pluginvendor

    List of Attributes Common to All Plug-ins
    Default Value: Product version
    Syntax: DirectoryString
    Example: nsslapd-pluginVersion: 6.02
    nsslapd-pluginVendor Specifies the vendor of the plug-in.
    Entry DN: cn=plug-in name,cn=plugins,cn=config
    Valid Range: Any approved plug-in vendor.
    Default Value: Netscape Communications Corporation
    Syntax: DirectoryString
    Example: nsslapd-pluginVendor: Netscape
    nsslapd-pluginDescription...
  • Page 135: Attributes Allowed By Certain Plug-Ins

    Attributes Allowed by Certain Plug-ins Attributes Allowed by Certain Plug-ins nsslapd-plugin-depends-on-type Multi-valued attribute, used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the type number of a plug-in, contained in the attribute See “nsslapd-pluginType”...
  • Page 136: Database Plug-In Attributes

    Database Plug-in Attributes Syntax: DirectoryString Example: nsslapd-plugin-depends-on-named: Class of Service Database Plug-in Attributes The database plug-in is also organized in an information tree as shown in Figure 3-1. Figure 3-1 Database Plug-In All plug-in technology used by the database instances is stored in the cn=ldbm database plug-in node.
  • Page 137: Nslookthroughlimit

    Database Plug-in Attributes nsLookthroughLimit This performance related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request. If you bind as the directory manager DN, however, unlimited is set by default and overrides any other settings you may specify here.
  • Page 138: Nsslapd-Cache-Autosize

    Database Plug-in Attributes nsslapd-cache-autosize This performance tuning related attribute, which is turned off by default, specifies the percentage of free memory to use for all the combined caches. For example, if the value is set to 80, then 80 percent of the remaining free memory would be claimed for the cache.
  • Page 139: Nsslapd-Db-Checkpoint-Interval

    Database Plug-in Attributes If you attempt to set a value that is not a number or is too big for a 32-bit signed integer you will receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 500KB to 4GB for 32-bit platforms and 500KB to 2^64-1 for 64-bit...
  • Page 140: Nsslapd-Db-Circular-Logging

    Database Plug-in Attributes Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 10 to 300 seconds Default Value: Syntax: Integer Example: nsslapd-db-checkpoint-interval: 120 seconds nsslapd-db-circular-logging Specifies circular logging for the transaction log files. If this attribute is switched off, old transaction log files are not removed, and are kept renamed as old log transaction files.
  • Page 141: Nsslapd-Db-Durable-Transactions

    Database Plug-in Attributes nsslapd-db-durable-transactions Indicates whether database transactions log entries are immediately written to the disk. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. With durable transactions enabled, every directory change will always be physically recorded in the log file and therefore be able to be recovered in the event of a system failure.
  • Page 142 Database Plug-in Attributes If your Solaris host seems excessively slow and your database cache size is around 100mb or more, then you can use the iostat utility to diagnose the problem. Use iostat to monitor the activity of the disk where the Directory Server’s database files are stored.
  • Page 143: Nsslapd-Db-Idl-Divisor

    Database Plug-in Attributes nsslapd-db-idl-divisor Specifies the index block size in terms of the number of blocks per database page. The block size is calculated by dividing the database page size by the value of this attribute. A value of 1 makes the block size exactly equal to the page size. The default value of 0 sets the block size to the page size minus an estimated allowance for internal database overhead.
  • Page 144: Nsslapd-Db-Logdirectory

    Database Plug-in Attributes nsslapd-db-logdirectory Specifies the path and directory name of the directory containing the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. By default, the database transaction log is stored in the same directory as the directory entries themselves, .
  • Page 145: Nsslapd-Db-Page-Size

    Database Plug-in Attributes nsslapd-db-page-size Specifies the size of the pages used to hold items in the database in bytes. The minimum size is 512 bytes and the maximum size is 64K bytes. If the page size is not explicitly set, Directory Server defaults to a page size of 8K bytes. Changing this default value can have significant performance impact.
  • Page 146: Nsslapd-Db-Transaction-Logging

    Database Plug-in Attributes If you do not define this attribute or set it to a value of 0, transaction batching will be turned off and it will be impossible to make remote modifications to this attribute via LDAP. However, setting this attribute to a value greater than 0 causes the server to delay committing transactions until the number of queued transactions is equal to the attribute value.
  • Page 147: Nsslapd-Db-Trickle-Percentage

    Database Plug-in Attributes nsslapd-db-trickle-percentage Ensures that at least the specified percentage of pages in the shared-memory pool are clean, by writing dirty pages to their backing files. This is to ensure that a page is always available for reading in new information without having to wait for a write.
  • Page 148: Nsslapd-Import-Cachesize

    Database Plug-in Attributes This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Netscape engineering staff and Netscape Professional Services. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable. nsslapd-import-cachesize This performance tuning related attribute determines the size of the database cache used in the bulk import process.
  • Page 149: Database Attributes Under Cn=Monitor,Cn=Ldbm Database, Cn=Plugins,Cn=Config

    Database Plug-in Attributes Default Value: 0600 Syntax: Integer Example: nsslapd-mode: 0600 Database Attributes Under cn=monitor,cn=ldbm database, cn=plugins,cn=config Global read-only attributes containing database statistics for monitoring activity on your databases are stored in the cn=monitor,cn=ldbm database,cn=plugins,cn=config tree node. For more information on these monitoring read-only entries see Chapter 12, “Monitoring Server and Database Activity”...
  • Page 150: Database Attributes Under Cn=Netscaperoot,Cn=Ldbm Database, Cn=Plugins,Cn=Config And Cn=Userroot,Cn=Ldbm Database, Cn=Plugins,Cn=Config

    Database Plug-in Attributes Database Attributes Under cn=NetscapeRoot,cn=ldbm database, cn=plugins,cn=config and cn=UserRoot,cn=ldbm database, cn=plugins,cn=config The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for, or if we prefer, the definition of, the databases containing the o=NetscapeRoot and o=France.Sun suffixes respectively. The cn=NetscapeRoot subtree contains the configuration data used by the Netscape Administration Server for authentication and all actions that cannot be performed through LDAP (such as start/stop) and the cn=UserRoot subtree contains all the configuration data for the user-defined...
  • Page 151: Nsslapd-Cachememsize

    Database Plug-in Attributes nsslapd-cachememsize This performance tuning related attribute specifies the cache size in terms of available memory space. Limiting cachesize in terms of memory occupied is the simplest method. By activating automatic cache resizing you override this attribute, replacing these values with its own guessed values at a later stage of the server startup.
  • Page 152: Nsslapd-Require-Index

    Database Plug-in Attributes Entry DN: cn=Netscaperoot,cn=ldbm database,cn=plugins,cn=config or cn=UserRoot,cn=ldbm database,cn=plugins,cn=config Valid Range: on | off Default Value: Syntax: DirectoryString Example: nsslapd-readonly: off nsslapd-require-index When switched to on this attribute allows you to refuse non-indexed or allids searches. This performance related attribute avoids saturating the server with erroneous searches.
  • Page 153: Database Attributes Under Cn=Database,Cn=Monitor,Cn=Ldbm Database, Cn=Plugins,Cn=Config

    Database Plug-in Attributes Syntax: DirectoryString Example: nsslapd-suffix: o=Netscaperoot Database Attributes Under cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config The attributes in this tree node entry are all read-only, database performance counters. All of the values for these attributes are 32-bit integers.
    nsslapd-db-abort-rate: Number of transactions that have been aborted.
    nsslapd-db-active-txns: Number of transactions that are currently active.
  • Page 154: Nsslapd-Db-Deadlock-Rate

    Database Plug-in Attributes
    nsslapd-db-deadlock-rate: Number of deadlocks detected.
    nsslapd-db-dirty-pages: Dirty pages currently in the cache.
    nsslapd-db-hash-buckets: Number of hash buckets in buffer hash table.
    nsslapd-db-hash-elements-examine-rate: Total number of hash elements traversed during hash table lookups.
    nsslapd-db-hash-search-rate: Total number of buffer hash table lookups.
    nsslapd-db-lock-conflicts: Total number of locks not immediately available due to conflicts.
  • Page 155: Nsslapd-Db-Log-Write-Rate

    Database Plug-in Attributes nsslapd-db-log-write-rate Number of megabytes and bytes written to this log. nsslapd-db-longest-chain-length Longest chain ever encountered in buffer hash table lookups. nsslapd-db-page-create-rate Pages created in the cache. nsslapd-db-page-read-rate Pages read into the cache. nsslapd-db-page-ro-evict-rate Clean pages forced from the cache. nsslapd-db-page-rw-evict-rate Dirty pages forced from the cache.
  • Page 156: Cn=Plugins,Cn=Config

    Database Plug-in Attributes Database Attributes Under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config The set of default indexes is stored here. Default indexes are configured per backend in order to optimize Directory Server functionality for the majority of set up scenarios. All indexes, except system essential ones, can be removed, but care should be taken so as not to cause unnecessary disruptions.
  • Page 157: Nsmatchingrule

    Database Plug-in Attributes Valid Range: pres = presence index; eq = equality index; approx = approximate index; sub = substring index; matching rule = international index; index browse = browsing index. Default Value: Syntax: DirectoryString Example: nsindextype: eq nsMatchingRule This optional, multivalued attribute specifies the collation order object identifier (OID) required for the Directory Server to operate international indexing.
  • Page 158: Description

    Database Plug-in Attributes description This non-mandatory attribute provides a free-hand text description of what the index actually performs. Entry DN: cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config Valid Range: Default Value: None Syntax: DirectoryString Example: description:substring index Database Attributes Under cn=monitor,cn=Netscaperoot,cn=ldbm database,cn=plugins,cn=config Global, read-only entries for monitoring activity on the NetscapeRoot database. These attributes containing database statistics are given for each file that makes up your database.
  • Page 159: Dbfilepageout

    Database Plug-in Attributes dbfilepageout Number of pages for this file written from cache to disk. Database Attributes Under cn=index,cn=Netscaperoot,cn=ldbm database, cn=plugins,cn=config and cn=index,cn=UserRoot,cn=ldbm database, cn=plugins,cn=config In addition to the set of default indexes that are stored under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config, custom indexes can be created for and are stored under...
  • Page 160: Database Link Plug-In Attributes (Chaining Attributes)

    Database Link Plug-in Attributes (chaining attributes) dn:cn=aci,cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=confi objectclass:top objectclass:nsIndex cn=aci nssystemindex:true nsindextype:pres For details regarding the five possible indexing attributes see the section “Database Attributes Under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config,” on page 156. For further information about indexes see Chapter 10, “Managing Indexes” in the Netscape Directory Server Administrator’s Guide.
  • Page 161: Database Link Attributes Under Cn=Config,Cn=Chaining Database, Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=config,cn=chaining database, cn=plugins,cn=config Global configuration attributes common to all instances are stored in the cn=config,cn=chaining database,cn=plugins,cn=config tree node. nsActiveChainingComponents Lists the components using chaining. A component is any functional unit in the server.
  • Page 162: Nsmaxtestresponsedelay

    Database Link Plug-in Attributes (chaining attributes) nsMaxTestResponseDelay This error detection, performance related attribute specifies the duration of the test issued by the database link to check whether the remote server is responding. If a response from the remote server is not returned before this period has passed, the database link assumes the remote server is down and the connection is not used for subsequent operations.
  • Page 163: Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=default instance config,cn=chaining database,cn=plugins,cn=config Default instance configuration attributes for instances are housed in the cn=default instance config,cn=chaining database,cn=plugins,cn=config tree node. nsAbandonedSearchCheckInterval Number of seconds that pass before the server checks for abandoned operations. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config...
  • Page 164: Nsbindretrylimit

    Database Link Plug-in Attributes (chaining attributes) nsBindRetryLimit Contrary to what the name suggests, this attribute does not specify the number of times a database link retries to bind with the remote server, but the number of times it tries to bind with the remote server. A value of 0 here indicates that the database link will only attempt to bind once.
  • Page 165: Nsconcurrentbindlimit

    Database Link Plug-in Attributes (chaining attributes) Syntax: DirectoryString Example: nschecklocalaci: on nsConcurrentBindLimit Maximum number of concurrent bind operations per TCP connection. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range: 1 to 25 binds Default Value: Syntax: Integer Example: nsconcurrentbindlimit:10 nsConcurrentOperationsLimit Specifies the maximum number of concurrent operations allowed.
  • Page 166: Nsoperationconnectionslimit

    Database Link Plug-in Attributes (chaining attributes) Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range: 0 to limitless seconds (where 0 means forever) Default Value: Syntax: Integer Example: nsconnectionlife: 0 nsOperationConnectionsLimit Maximum number of LDAP connections the database link establishes with the remote server.
  • Page 167: Nsreferralonscopedsearch

    Database Link Plug-in Attributes (chaining attributes) nsReferralOnScopedSearch Controls whether or not referrals are returned by scoped searches. This attribute allows you to optimize your directory, because returning referrals in response to scoped searches is more efficient. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range: on | off...
  • Page 168: Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=database link instance name,cn=chaining database, cn=plugins,cn=config This information node stores the attributes concerning the server containing the data. A farm server is a server which contains data on databases. This attribute can contain optional servers for failover, separated by spaces.
  • Page 169: Nsmultiplexorcredentials

    Database Link Plug-in Attributes (chaining attributes) Example: nsMultiplexerBindDN: cn=proxy manager nsMultiplexorCredentials Password for the administrative user, given in plain text. If no password is provided, it means that users can bind as anonymous. The password is encrypted in the configuration file. Please note that the example below is what you view, not what you type.
  • Page 170: Database Link Attributes Under Cn=Monitor,Cn=Database Instance Name,Cn=Chaining Database, Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=monitor,cn=database instance name,cn=chaining database, cn=plugins,cn=config Attributes used for monitoring activity on your instances are stored in the cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config information tree. nsAddCount Number of add operations received. nsDeleteCount Number of delete operations received.
  • Page 171: Nsunbindcount

    Retro Changelog Plug-in Attributes nsUnbindCount Number of unbinds received. nsCompareCount Number of compare operations received. nsOperationConnectionCount Number of open connections for normal operations. nsBindConnectionCount Number of open connections for bind operations. Retro Changelog Plug-in Attributes Two different types of changelogs are maintained by Directory Server 6.x. The first type, referred to as changelog, is used by multi-master replication and the second changelog, which is in fact a plug-in referred to as retro changelog, is intended for use by LDAP clients for maintaining application compatibility with Directory...
  • Page 172: Nsslapd-Changelogmaxage (Max Changelog Age)

    Retro Changelog Plug-in Attributes NOTE For performance reasons you will probably want to store this database on a different physical disk. Entry DN: cn=Retro Changelog Plugin,cn=plugins,cn=config Valid Range: Any valid path to the directory Default Value: None Syntax: DirectoryString Example: nsslapd-changelogdir: /var/slapd-serverID/changelog nsslapd-changelogmaxage (Max Changelog Age) Specifies the maximum age of any entry in the change log.
  • Page 173: Chapter 4 Server Instance File Reference

    Chapter 4 Server Instance File Reference This chapter provides an overview of the files stored under /usr/netscape/servers/slapd-serverID. Having an overview of the files and configuration information stored in each instance of Netscape Directory Server (Directory Server) should help you understand the file changes or absence of file changes which occur in the course of directory activity.
  • Page 174: Configuration Files

    Overview of Directory Server Files Code Example 4-1 shows the contents of /usr/netscape/servers/slapd-serverID where directories are marked with a and scripts are marked with an . See Chapter 8, “Command-Line Scripts” for further information on command-line Scripts. Code Example 4-1 Contents of /usr/netscape/servers/slapd-serverID directory db2ldif*...
  • Page 175: Backup Files

    Backup Files Backup Files Each Directory Server instance contains the following three directories for storing backup related files: • - contains a directory dated with the time and date of your database backup, for example , which in turn holds your database 2001_02_13_174524/ backup copy.
  • Page 176: Ldif Files

    ldif Files • DBVERSION - used for storing the version of the database. • NetscapeRoot - this directory stores the o=NetscapeRoot database created by default at Typical installation. • userRoot - this directory stores the user-defined suffix (user-defined databases) created at Typical installation time, for example dc=example,dc=com. Code Example 4-3 shows a sample listing of the directory contents.
  • Page 177: Lock Files

    Lock Files Code Example 4-4 Contents of a sample ldif directory ../ European.ldif Example.ldif Example-roles.ldif The following list describes the content of each of the ldif files: • European.ldif - contains European character samples. • Example.ldif - is a sample ldif file. •...
  • Page 178 Log Files Contents of a sample logs directory Code Example 4-6 access.20010126-120123 audit errors.rotationinfo access.20010130-140221 audit.rotationinfo access access.20010201-100122 errors slapd.stats access.20010124-180611 access.rotationinfo errors.20010124-180607 The following list describes the content of the log related files: • The content of the log files is dependent on the log access audit error...
  • Page 179: Chapter 5 Access Log And Connection Code Reference

    Chapter 5 Access Log and Connection Code Reference Netscape Directory Server (Directory Server) provides you with logs to help you monitor directory activity. Monitoring allows you to quickly detect and remedy failures and where done proactively, anticipate and resolve potential problems before they result in failure or poor performance.
  • Page 180: Access Logging Levels

    Access Log Content • Sequence of operation request/operation result pairs of records (or individual records in the case of connection, closed and abandon records) • Unbind record • Closed record Every line begins with a timestamp - [21/Apr/2001:11:39:51 -0700] - format of which may vary depending on which platform you are using, where -0700 indicates the time difference in relation to GMT.
  • Page 181: Default Access Logging Content

    Access Log Content For example, if you want to log internal access operations, entry access and referrals you would insert a value of 516 (512+4) in the nsslapd-accesslog-level configuration attribute. For further information on other access log configuration attributes, see Chapter 2, “Core Server Configuration Reference.” Default Access Logging Content This section describes the access log content in detail based on the default access logging level extract in Code Example 5-1.
  • Page 182: Connection Number

    Access Log Content Code Example 5-1 Access Log Extract with Default Access Logging Level (level 256)
    [21/Apr/2001:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000
    [21/Apr/2001:11:39:53 -0700] conn=13 op=3 EXT oid="2.16.840.1.113730.3.5.5"
    [21/Apr/2001:11:39:53 -0700] conn=13 op=3 RESULT err=0 tag=120 nentries=0 etime=0
    [21/Apr/2001:11:39:53 -0700] conn=13 op=4 UNBIND
    [21/Apr/2001:11:39:53 -0700] conn=13 op=4 fd=659 closed - U1
    [21/Apr/2001:11:39:55 -0700] conn=14 fd=700 slot=700 connection...
  • Page 183: Operation Number

    Access Log Content Operation Number To process a given LDAP request, Directory Server will perform the required series of operations. For a given connection, all operation request and operation result pairs are given incremental operation numbers beginning with op=0 to identify the distinct operations being performed.
  • Page 184: Number Of Entries

    Access Log Content tag=105 for a result from an add operation; tag=107 for a result from delete operation; tag=109 for a result from a moddn operation; tag=111 for a result from a compare operation; tag=115 indicates a search reference when the entry you perform your search on holds a referral to the entry you require.
  • Page 185: Ldap Response Type

    Access Log Content LDAP Response Type The LDAP response type indicates the LDAP response being issued by the LDAP client. Possible values are: RESULT = result; ENTRY = entry; REFERRAL = referral or search reference. Unindexed Search Indicator The unindexed search indicator, notes=U, indicates that the search performed was unindexed, which means that the database itself had to be directly searched instead of the index file.
  • Page 186: Change Sequence Number

    Access Log Content LDAPv3 Extended Operations supported by Directory Server (Continued) Table 5-1 Directory Server 6.x Replication Sent by a replication 2.16.840.1.113730.3.5.4 Response responder in response to a Start Replication Request Extended Operation or an End Replication Request Extended Operation Directory Server 6.x End Replication Sent to indicate that a 2.16.840.1.113730.3.5.5...
  • Page 187: Abandon Message

    Access Log Content Abandon Message The abandon message, in this case [21/Apr/2001:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0, indicates that an operation has been aborted, where nentries=0 indicates the number of entries sent before the operation was aborted, etime=0 value indicates how much time (in seconds) had elapsed, and...
  • Page 188: Access Log Content For Additional Access Logging Levels

    Access Log Content NOTE Note also that the authenticated DN (the DN used for access control decisions) is now logged in the BIND result line as opposed to the bind request line as was previously the case: [21/Apr/2001:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=coulbeck,dc=example,dc=com"...
  • Page 189: Connection Description

    Access Log Content Access log level 4 enables logging for internal operations which log the following items in addition to the details of the search being performed, including search base, scope, filter, and requested search attributes. In Code Example 5-3, access logging level 512 is enabled which logs access to entries and referrals.
  • Page 190: Common Connection Codes

    Common Connection Codes NOTE Directory Server access log now distinguishes between persistent and regular searches, which was not the case for previous Directory Server releases. In Code Example 5-4 both access logging level 512 and 4 are enabled, which results in both internal access operations, as well as entry access and referrals being logged.
  • Page 191: Ldap Result Codes

    LDAP Result Codes T2=Server closed connection after ioblocktimeout period was exceeded U1= Connection closed by server after client sends an UNBIND request. The server will always close the connection when it sees an UNBIND request. LDAP Result Codes LDAP has a set of result codes that it is useful to be familiar with. Table 5-2 LDAP Result Codes Result Code...
  • Page 192 LDAP Result Codes LDAP Result Codes (Continued) Table 5-2 NO_SUCH_OBJECT ALIAS_PROBLEM INVALID_DN_SYNTAX IS_LEAF ALIAS_DEREFERENCING_PROBLEM INAPPROPRIATE_AUTHENTICATION INVALID_CREDENTIALS INSUFFICIENT_ACCESS_RIGHTS BUSY UNAVAILABLE UNWILLING_TO_PERFORM LOOP_DEFECT NAMING_VIOLATION OBJECT_CLASS_VIOLATION NOT_ALLOWED_ON_NONLEAF NOT_ALLOWED_ON_RDN ENTRY_ALREADY_EXISTS OBJECT_CLASS_MODS_PROHIBITED AFFECTS_MULTIPLE_DSAS (LDAP v3) OTHER SERVER_DOWN LDAP_TIMEOUT PARAM_ERROR CONNECT_ERROR LDAP_NOT_SUPPORTED CONTROL_NOT_FOUND NO_RESULTS_RETURNED MORE_RESULTS_TO_RETURN CLIENT_LOOP REFERRAL_LIMIT_EXCEEDED Netscape Directory Server Configuration, Command, and File Reference •...
  • Page 193: Chapter 6 Migration From Earlier Versions

    Chapter 6 Migration from Earlier Versions This chapter is intended to provide a reference of the information migrated by the migrateInstance6 script. In the case of migration from a 4.x Netscape Directory Server (Directory Server) to a 6.x Directory Server, it describes the mapping of configuration parameters to configuration attributes and configuration entries in the new Directory Server.
  • Page 194: Server Attributes

    Migration from 4.x Directory Server to 6.x Server Attributes In Directory Server 4.1, 4.11, 4.12, and 4.13, configuration parameters are stored in the slapd.conf file under the /usr/netscape/server4/slapd-serverID directory. The corresponding configuration attributes in Directory Server 6.x are stored in the entry.
  • Page 195 Migration from 4.x Directory Server to 6.x Mapping of Legacy Server Parameters to Configuration Attributes (Continued) Table 6-1 Legacy Configuration Parameter Directory Server Configuration Attribute loglevel nsslapd-error-loglevel errorlog-logexpirationtime nsslapd-errorlog-logexpirationtime errorlog-logexpirationtimeunit nsslapd-errorlog-logexpirationtimeunit errorlog-maxlogdiskspace nsslapd-errorlog-logmaxdiskspace errorlog-minfreediskspace nsslapd-errorlog-logminfreediskspace errorlog-logrotationtime nsslapd-errorlog-logrotationtime errorlog-logrotationtimeunit nsslapd-errorlog-logrotationtimeunit errorlog-maxlogsize nsslapd-errorlog-maxlogsize errorlog-maxlogsperdir nsslapd-errorlog-maxlogsperdir...
  • Page 196 Migration from 4.x Directory Server to 6.x Mapping of Legacy Server Parameters to Configuration Attributes (Continued) Table 6-1 Legacy Configuration Parameter Directory Server Configuration Attribute pw_inhistory passwordinHistory pw_lockout passwordLockout pw_lockduration passwordLockoutDuration pw_maxage passwordMaxAge pw_maxfailure passwordMaxFailure pw_minage passwordMinAge pw_minlength passwordMinLength pw_must_change passwordMustChange pw_reset_failurecount passwordResetFailureCount...
  • Page 197: Database Attributes

    Migration from 4.x Directory Server to 6.x Database Attributes In Directory Server 4.1, 4.11, 4.12, and 4.13, database parameters are stored in the slapd.ldbm.conf file under the /usr/netscape/server4/slapd-serverID directory. Because one instance of Directory Server 5.0 or 6.x can manage several databases, the corresponding attributes in Directory Server 5.0 or 6.x are stored in a general entry for all databases (cn=config,cn=ldbm database,cn=plugins,cn=config...
  • Page 198: Upgrade From Directory Server 5.0 To 6.X

    Upgrade from Directory Server 5.0 to 6.x Upgrade from Directory Server 5.0 to 6.x In Directory Server 5.0 and 6.x configuration information is stored in the same way. This section explains which configuration attributes are automatically migrated by the migrateInstance6 script, and which ones are not. Attributes which are not automatically migrated are either configured during the installation process for the new Directory Server, or need to be configured manually for security reasons after...
  • Page 199 Upgrade from Directory Server 5.0 to 6.x Attributes in cn=config Automatically Migrated (Continued) Table 6-4 nsslapd-attribute_name_exceptions nsslapd-auditlog-logexpirationtime nsslapd-auditlog-logexpirationtimeunit nsslapd-auditlog-logmaxdiskspace nsslapd-auditlog-logminfreediskspace nsslapd-auditlog-logrotationtime nsslapd-auditlog-logrotationtimeunit nsslapd-auditlog-maxlogsize nsslapd-auditlog-maxlogsperdir nsslapd-certmap-basedn nsslapd-ds4-compatible-schema nsslapd-enquote_sup_oc nsslapd-errorlog-level nsslapd-errorlog-logexpirationtime nsslapd-errorlog-logexpirationtimeunit nsslapd-errorlog-logmaxdiskspace nsslapd-errorlog-logminfreediskspace nsslapd-errorlog-logrotationtime nsslapd-errorlog-logrotationtimeunit nsslapd-errorlog-maxlogsize nsslapd-errorlog-maxlogsperdir nsslapd-groupevalnestlevel nsslapd-idletimeout nsslapd-ioblocktimeout nsslapd-lastmod nsslapd-listenhost nsslapd-maxdescriptors (Not applicable on NT and AIX platforms) nsslapd-nagle...
  • Page 200 Upgrade from Directory Server 5.0 to 6.x Attributes in cn=config Automatically Migrated (Continued) Table 6-4 nsslapd-plugin-depends-on-name nsslapd-plugin-depends-on-type nsslapd-referral nsslapd-reservedescriptors (Not applicable on NT and AIX platforms) nsslapd-rootpwstoragescheme nsslapd-schemacheck nsslapd-securePort nsslapd-security nsslapd-sizelimit nsslapd-SSL3ciphers nsslapd-timelimit passwordChange passwordCheckSyntax passwordExp passwordExpirationTime passwordHistory passwordInHistory passwordLockout passwordLockoutDuration passwordMaxAge passwordMaxFailure...
  • Page 201 Upgrade from Directory Server 5.0 to 6.x Table 6-5 Attributes in cn=config not Migrated Attribute Name Reason for not Migrating Automatically nsslapd-localhost Already set up. nsslapd-localuser Configured during the installation process. nsslapd-port Configured during the installation process. nsslapd-rootdn Configured during the installation process. nsslapd-rootpw Configured during the installation process.
  • Page 202: Database Attributes

    Upgrade from Directory Server 5.0 to 6.x Database Attributes All general database configuration attributes are automatically migrated. These attributes are stored in the entry cn=config,cn=ldbm database,cn=plugins,cn=config and are listed in Table 6-6. Database-specific attributes are stored in entries of the form cn=database instance .
  • Page 203: Database Link Attributes

    Upgrade from Directory Server 5.0 to 6.x Database-Specific Attributes not Migrated (Continued) Table 6-8 Attribute Name Reason for not Migrating Automatically nsslapd-db-checkpoint-interval This attribute is provided only for system modification/diagnostics and should be changed only under guidance from Netscape Technical Support.
  • Page 204: Snmp Attributes

    Upgrade from Directory Server 5.0 to 6.x Default Instance Database Link Attributes Automatically Migrated Table 6-10 nsBindTimeout nsBindRetryLimit nsHopLimit nsmaxresponsedelay nsmaxtestresponsedelay nsCheckLocalACI nsConcurrentBindLimit nsConcurrentOperationsLimit nsConnectionLife nsOperationConnectionslimit nsProxiedAuthorization nsReferralOnScopedSearch nsslapd-sizelimit nsslapd-timelimit SNMP Attributes All SNMP configuration attributes are automatically migrated. These attributes are stored in the entry , and are listed in Table 6-11.
  • Page 205: Chapter 7 Command-Line Utilities

    Chapter 7 Command-Line Utilities This chapter contains reference information on command-line utilities provided by Netscape Directory Server (Directory Server). These command-line utilities make it easy to perform administration tasks on the Directory Server. This chapter is divided into the following sections: •...
  • Page 206: Command-Line Utilities Quick Reference

    Command-Line Utilities Quick Reference NOTE In order to execute the command-line utilities, you must change to the directory where the command-line utilities are stored. Although it is possible to set command-path and library-path variables to execute the utilities, it is not recommended because you run the risk, particularly when you have more than one server version installed, of disrupting the correct execution of other utilities.
  • Page 207: Using Special Characters

    Using Special Characters Using Special Characters When using the ldapsearch command-line utility, you may need to specify values that contain characters that have special meaning to the command-line interpreter (such as space [ ], asterisk [*], backslash [\], and so forth). When this situation occurs, enclose the value in quotation marks ("").
  • Page 208: Ldapsearch

    ldapsearch ldapsearch is a configurable utility that enables you to locate and retrieve directory entries via LDAP. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on a specified search filter. Search scopes can include a single entry, an entry’s immediate subentries, or an entire tree or subtree.
  • Page 209 ldapsearch Specifies the hostname or IP address of the machine on which the Directory Server is installed. If you do not specify a host, ldapsearch uses the localhost. For example, -h mozilla. Specifies the maximum number of seconds to wait for a search request to complete.
  • Page 210: Ssl Options

    ldapsearch SSL Options You can use the following command-line options to specify that ldapsearch use LDAPS when communicating with your SSL-enabled Directory Server. You also use these options if you want to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured for your Directory Server.
  • Page 211: Additional Ldapsearch Options

    ldapsearch Specifies the path and filename of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled version of Netscape Communicator is configured, the path specified on this option can be that of the certificate database for Communicator.
  • Page 212 ldapsearch Virtual list search. Allows you to specify the number of entries before or after the search target, and the index or value of the first entry returned. For example, if you are sorting by surname, -G 20:30:johnson returns the first entry with a surname equal to or less than johnson, in addition to 20 entries that come before it and 30 entries that come after it.
  • Page 213: Ldapmodify

    ldapmodify Specifies that the output for individual values be formatted without line breaks and that equal signs “=” be used to separate attribute names from values. This argument produces output in a non-LDIF format. Specifies that referrals are not to be followed automatically. By default, referrals are followed automatically.
  • Page 214: Ldapmodify Options

    ldapmodify ldapmodify -D binddn [-w passwd ] [-acmnrvFR] [-d debug_level ] [-h host ] [-p port ] [-M auth_mechanism ] [-Z] [-V version ] [ -f file | [-l number_of_ldap_connections ] < entryfile ] ldapmodify Options The following three sections list the options that can be specified with ldapmodify. The first section lists those options most commonly used, the second section lists SSL options, and the third lists less common options.
  • Page 215: Ssl Options

    ldapmodify Specifies the port number that the server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636. Causes each add to be performed silently as opposed to being echoed to the screen individually. Specifies the password associated with the distinguished name specified in the -D option.
  • Page 216: Additional Ldapmodify Options

    ldapmodify Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this option is specified, then the -Z, and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.
  • Page 217 ldapmodify Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as JPEG.
  • Page 218: Ldapdelete

    ldapdelete Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes. For more information about proxied authorization, see Chapter 6, “Managing Access Control” in the Netscape Directory Server Administrator’s Guide. ldapdelete ldapdelete enables you to perform delete operations on directory entries via LDAP.
  • Page 219: Ssl Options

    ldapdelete Specifies the password associated with the distinguished name specified in the -D option. For example, -w mypassword. The default is "", or anonymous. If you do not specify a password on the command line, and the server requires one, the command will prompt you to provide one. It is more secure not to provide a password on the command line so that it does not show up in clear text in a listing of commands.
  • Page 220: Additional Ldapdelete Options

    ldapdelete Specifies the path and filename of the security files for the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can point to the security database for the web browser.
  • Page 221: Ldif

    ldif Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You cannot perform an LDAP v3 operation against a Directory Server that only supports LDAP v2. Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes.
  • Page 222: Options

    ldif Options Specifies that the ldif utility should interpret the entire input as a single binary value. If -b is not present, each line is considered to be a separate input value. As an alternative to the -b option, you can use the :< URL specifier notation, which is in fact simpler to use.
  • Page 223: Chapter 8 Command-Line Scripts

    Chapter 8 Command-Line Scripts This chapter provides information on the scripts you can use to manage your directory, for example, backing up and restoring your database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A, “Using the ns-slapd and slapd.exe Command-Line Utilities.”...
  • Page 224: Command-Line Scripts Quick Reference

    Command-Line Scripts Quick Reference NOTE In order to execute the Perl scripts, you must change to the directory where the scripts are stored. Although it is possible to set command-path and library-path variables to execute the scripts, it is not recommended because you run the risk, particularly when you have more than one server version installed, of disrupting the correct execution of other utilities.
  • Page 225 Command-Line Scripts Quick Reference Commonly Used Command-Line Shell and Batch Scripts (Continued) Table 8-1 Command Line Script Description Imports LDIF files to the database. ldif2db Runs the slapd (Windows) or ns-slapd (Unix) command-line utility with the ldif2db keyword. By default, the script first saves and then merges any existing configuration tree (o=NetscapeRoot) with any files to be imported.
  • Page 226: Shell And Batch Scripts

    Shell and Batch Scripts Table 8-2 Commonly Used Command-Line Perl Scripts Command Line Perl script Description Restores the database from the most recent archived backup. bak2db.pl Located in: /usr/netscape/servers/slapd-serverID Creates a backup of the current database contents db2bak.pl Located in: /usr/netscape/servers/slapd-serverID Creates and regenerates indexes.
  • Page 227: Bak2Db (Restore Database From Backup)

    Shell and Batch Scripts • db2ldif (Export database contents to LDIF) • db2dsml (Export database contents to DSML) • dsml2db (Import DSML document contents into database) • getpwenc (Print encrypted password) • ldif2db (Import) • ldif2ldap (Perform import operation over LDAP) •...
  • Page 228: Db2Bak (Create Backup Of Database)

    Shell and Batch Scripts For information on the equivalent Perl script, see “bak2db.pl (Restore database from backup),” on page 239. For more information on restoring databases, see Chapter 4, “Populating Directory Databases” in the Netscape Directory Server Administrator’s Guide. db2bak (Create backup of database) Creates a backup of the current database contents.
  • Page 229: Options

    Shell and Batch Scripts Options You must specify either the or the option. By default, the output LDIF will be stored in one file. Should you want to specify the use of several files, then use the option Name of the output LDIF file. Instance to be exported.
  • Page 230: Syntax

    Shell and Batch Scripts Syntax Shell script (UNIX): db2dsml {-n backend_instance}* | {-s includesuffix}* [{-x excludesuffix}*] [-u] [-a outputfile] Batch file (Windows): db2dsml {-n backend_instance}* | {-s includesuffix}* [{-x excludesuffix}*] [-u] [-a outputfile] Options You must specify either the option. Name of the output DSML file.
  • Page 231: Options

    Shell and Batch Scripts Options Instance to be exported. Name of the input DSML file. Suffix(es) to be included or to specify the subtree(s) to be included if -n has been used. Suffix(es) to be excluded. getpwenc (Print encrypted password) Prints the encrypted form of a password using one of the server’s encryption algorithms.
  • Page 232: Syntax

    Shell and Batch Scripts NOTE Note that ldif2db supports LDIF version 1 specifications. You can load an attribute using the :< URL specifier notation, for example: jpegphoto:< file:///tmp/myphoto.jpg Although the official notation requires three ///, the use of one / is tolerated. For further information on the LDIF format see Chapter 4, “Managing Directory Entries”...
  • Page 233: Ldif2Ldap (Perform Import Operation Over Ldap)

    Shell and Batch Scripts Generation of a unique ID. Type none for no unique ID to be generated -g string and deterministic for the generated unique ID to be name-based. By default a time based unique ID is generated. If you use the deterministic generation to have a name-based unique ID, you can also specify the namespace you want the server to use as follows: -g deterministic namespace_id...
  • Page 234: Monitor (Retrieve Monitoring Information)

    Shell and Batch Scripts monitor (Retrieve monitoring information) Retrieves performance monitoring information using the ldapsearch command-line utility. Syntax Shell script (UNIX): monitor Batch file (Windows): monitor Options There are no options for this script. For more information on the ldapsearch command-line utility, see Chapter 7, “Command-Line Utilities.”...
  • Page 235: Restoreconfig (Restore Administration Server Configuration)

    Shell and Batch Scripts Server could not be stopped. restoreconfig (Restore Administration Server Configuration) Restores, by default, the most recently saved Administration Server configuration information to the NetscapeRoot partition under the following directory: /usr/netscape/servers/slapd-serverID/config To restore the Administration Server configuration: Stop the Directory Server Run the script...
  • Page 236: Syntax

    Shell and Batch Scripts Syntax Shell script (UNIX): saveconfig Batch file (Windows): saveconfig Options There are no options for this script. start-slapd (Start the Directory Server) Starts the Directory Server. It might be a good idea to check whether the server has been effectively started using the command, because it could sometimes be that the script returned while the startup process was still ongoing, resulting in a...
  • Page 237: Stop-Slapd (Stop The Directory Server)

    Shell and Batch Scripts stop-slapd (Stop the Directory Server) Stops the Directory Server. It might be a good idea to check whether the server has been effectively stopped using the command, because it could sometimes be that the script returned while the shutdown process was still ongoing, resulting in a confusing message.
  • Page 238: Vlvindex (Create Virtual List View (Vlv) Indexes)

    Shell and Batch Scripts vlvindex (Create virtual list view (VLV) indexes) To run the vlvindex script the server must be stopped. The vlvindex script creates virtual list view (VLV) indexes, known in the Directory Server Console as Browsing Indexes. VLV indexes introduce flexibility in the way you view search results.
  • Page 239: Perl Scripts

    Perl Scripts Perl Scripts This section covers the following scripts: • bak2db.pl (Restore database from backup) • db2bak.pl (Create backup of database) • db2index.pl (Create and generate indexes) • db2ldif.pl (Export database contents to LDIF) • ldif2db.pl (Import) • migrateInstance6 (Migrate to Directory Server 6.x) •...
  • Page 240: Db2Bak.pl (Create Backup Of Database)

    Perl Scripts Verbose mode. Database type. db2bak.pl (Create backup of database) Creates a backup of the database. Syntax Perl script (UNIX and Windows): db2bak.pl [-v] -D rootdn -w password [-a dirname] Options The db2bak.pl script creates an entry in the directory that launches this dynamic task.
  • Page 241: Syntax

    Perl Scripts Syntax Perl script (UNIX and Windows): db2index.pl [-v] -D rootdn -w password -n backend_instance [-t attributeName] Options The db2index.pl script creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option.
  • Page 242: Ldif2Db.pl (Import)

    Perl Scripts This db2ldif.pl Perl script creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option. User DN with root permissions, such as Directory Manager. Password associated with the user DN. Instance to be exported.
  • Page 243: Syntax

    Perl Scripts Syntax Perl script (UNIX and Windows): ldif2db.pl [-v] -D rootdn -w password -n backend_instance | {-s includesuffix}* [{-x excludesuffix}*] [-O] [-c] [-g string] [-G namespace_id] {-i filename}* Options User DN with root permissions, such as Directory Manager. Password associated with the user DN. Instance to be imported.
  • Page 244: Migrateinstance6 (Migrate To Directory Server 6.X)

    Perl Scripts Verbose mode. migrateInstance6 (Migrate to Directory Server 6.x) The migrateInstance6 script (note that this is a Perl script despite the fact that it does not have the extension) migrates a 4.x Directory Server to Directory Server 6.x. It can also be used to upgrade from Directory Server 5.x to Directory Server 6.x.
  • Page 245: Ns-Accountstatus.pl (Establish Account Status)

    Perl Scripts Directory Server port. Directory Server 4.x. 4.xInstancePath Path for the new Directory Server instance. 6.xInstancePath Trace level. The trace level is set to 0 by default with a valid range of 0 to 3. File in which to log the migration report. By default the migration report is stored under /usr/netscape/servers/slapd-serverID/logs/Migration_ddmmyyy_hhmmss.log.
  • Page 246: Ns-Activate.pl (Activate An Entry Or Group Of Entries)

    Perl Scripts ns-activate.pl (Activate an entry or group of entries) Activates an entry or group of entries. Syntax Perl script (UNIX and Windows): ns-activate.pl [-D rootdn] -w password [-p port] [-h host] -I DN (to operation) Options Directory Server userDN with root permissions, such as Directory Manager. Password associated with the user DN.
  • Page 247: Options

    Perl Scripts Options Directory Server userDN with root permissions, such as Directory Manager. Password associated with the user DN. Directory Server port. The default value is the LDAP port of Directory Server specified at installation time. Host name of Directory Server. The default value is the full hostname of the machine where Directory Server is installed.
  • Page 248 Perl Scripts Netscape Directory Server Configuration, Command, and File Reference • May 2002...
  • Page 249: Appendix A Using The Ns-Slapd And Slapd.exe Command-Line Utilities

    Appendix A Using the ns-slapd and slapd.exe Command-Line Utilities In Chapter 8, “Command-Line Scripts,” we looked at the scripts for performing routine administration tasks on the Netscape Directory Server (Directory Server). In this Appendix we will look at the ns-slapd and slapd command-line utilities that can also be used to perform the same tasks.
  • Page 250: Ns-Slapd (Unix)

    Finding and Executing the ns-slapd and slapd.exe Command-Line Utilities ns-slapd (UNIX) ns-slapd is used on a Unix operating system to start the directory server process, to build a directory database from an LDIF file, or to convert an existing database to an LDIF file.
  • Page 251: Ns-Slapd And Slapd.exe Command-Line Utilities For Exporting Databases

    ns-slapd and slapd.exe Command-Line Utilities for Exporting Databases ns-slapd and slapd.exe Command-Line Utilities for Exporting Databases db2ldif Exports the contents of the database to LDIF. Shell syntax (UNIX) ns-slapd db2ldif -D slapd-serverID -a output_file [-d debug_level] [-n backend_instance] [-r] [-s include_suffix] [-x exclude_suffix] [-N] [-u] [-U] where serverID is the location of your server configuration directory.
  • Page 252 ns-slapd and slapd.exe Command-Line Utilities for Exporting Databases Specifies that entry IDs are not to be included in the LDIF output. The entry IDs are necessary only if the db2ldif output is to be used as input to db2index. Causes the server to include the copiedFrom attribute and its contents in the LDIF output when importing the LDIF file to a consumer server.
  • Page 253: Ns-Slapd And Slapd.exe Command-Line Utilities For Restoring And Backing Up Databases

    ns-slapd and slapd.exe Command-Line Utilities for Restoring and Backing up Databases ns-slapd and slapd.exe Command-Line Utilities for Restoring and Backing up Databases ldif2db Imports LDIF files to the database. Shell script syntax (UNIX) ns-slapd ldif2db -D slapd-serverID -i ldif_file [-d debug_level] [-g string] [-n backend_instance] -O [-s include_suffix] [-x exclude_suffix] where ldif_file is the name of the file containing the LDIF to be imported and slapd-serverID is the location of your server configuration directory.
  • Page 254 ns-slapd and slapd.exe Command-Line Utilities for Restoring and Backing up Databases Generation of a unique ID. Type none for no unique ID to be generated -g string and deterministic for the generated unique ID to be name-based. By default a time based unique ID is generated. If you use the deterministic generation to have a name-based unique ID, you can also specify the namespace you want the server to use as follows:...
  • Page 255: Archive2Db

    ns-slapd and slapd.exe Command-Line Utilities for Restoring and Backing up Databases CAUTION If you are importing the LDIF file into your configuration directory, make sure the o=NetscapeRoot suffix and its contents are included in your LDIF file before you import. Do not exclude the suffix using , or combination of the two.
  • Page 256: Ns-Slapd And Slapd.exe Command-Line Utilities For Creating And Regenerating Indexes

    ns-slapd and slapd.exe Command-Line Utilities for Creating and Regenerating Indexes Shell script syntax (UNIX) slapd db2archive -D configdir -a archivedir Batch file syntax (Windows) slapd db2archive -D configdir -a archivedir Options Specifies the server configuration directory that contains the configuration information for the index creation process.
  • Page 257 ns-slapd and slapd.exe Command-Line Utilities for Creating and Regenerating Indexes Options Specifies the debug level to use during index creation. For further information see “nsslapd-errorlog-level (Error Log Level)” on page 52. Specifies the server configuration directory that contains the configuration information for the index creation process. You must specify the full path to the slapd-serverID directory.
  • Page 259: Glossary

    Glossary access control instruction See ACI. ACI Access Control Instruction. An instruction that grants or denies permissions to entries in the directory. access control list See ACL. ACL Access control list. The mechanism for controlling access to your directory. access rights In the context of access control, specify the level of access granted or denied.
  • Page 260 attribute Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value. attribute list A list of required and optional attributes for a given entry type or object class.
  • Page 261 browser Software, such as Netscape Navigator, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server. browsing index Otherwise known as the virtual view index, speeds up the display of entries in the Directory Server Console.
  • Page 262 CIR See consumer-initiated replication. class definition Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory. class of service See CoS. classic CoS A classic CoS identifies the template entry by both its DN and the value of one of the target entry’s attributes.
  • Page 263 DAP Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory. Data Master The server that is the master source of a particular piece of data. database link An implementation of chaining. The database link behaves like a database but has no persistent storage.
  • Page 264 DNS alias A DNS alias is a hostname that the DNS server knows points to a different host—specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as might point to a real machine called www.[yourdomain].[domain] where the server currently exists.
  • Page 265 HTML Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as the Netscape Navigator how to display text, position graphics and form items, and display links to other pages. HTTP Hypertext Transfer Protocol.
  • Page 266 LDAPv3 Version 3 of the LDAP protocol, upon which Directory Server bases its schema format LDAP client Software used to request and view LDAP entries from an LDAP Directory Server. See also browser. LDAP Data Interchange Format See LDAP Data Interchange Format. LDAP URL Provides the means of locating directory servers using DNS and then completing the query via LDAP.
  • Page 267 matching rule Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use. MD5 A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data, that is unique with high probability, and is mathematically extremely hard to produce a piece of data that will produce the same message digest.
  • Page 268 network management station See NMS. NIS Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, file systems, and network parameters throughout a network of computers. NMS Network Management Station.
  • Page 269 permission In the context of access control, the permission states whether access to the directory information is granted or denied, and the level of access that is granted or denied. See access rights. PDU Protocol Data Unit. Encoded messages which form the basis of data exchanges between SNMP devices.
  • Page 270 RDN Relative distinguished name. The name of the actual entry itself, before the entry’s ancestors have been appended to the string to form the full distinguished name. referential integrity Mechanism that ensures that relationships between related entries are maintained within the directory. referral (1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP server that can process the request.
  • Page 271 root The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine. root suffix The parent of one or more sub suffixes. A directory tree can contain more than one root suffix. schema Definitions describing what types of information can be stored as entries in the directory.
  • Page 272 single-master replication The most basic replication scenario in which two servers each hold a copy of the same read-write replicas to consumer servers. In a single-master replication scenario, the supplier server maintains a change log. SIR See supplier-initiated replication. slapd LDAP Directory Server daemon or service that is responsible for most functions of a directory except replication.
  • Page 273 supplier server In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica. supplier-initiated replication Replication configuration where supplier servers replicate directory data to consumer servers. symmetric encryption Encryption that uses the same key for both encrypting and decrypting.
  • Page 274 virtual list view index Otherwise known as a browsing index, speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branchpoint in the directory tree to improve display performance. X.500 standard The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementations.
  • Page 275: Index

    Index SYMBOLS 50ns-delegated-admin.ldif ldif files 108 ::, in LDIF statements 221 50ns-directory.ldif ldif files 108 50ns-legacy.ldif ldif files 108 NUMERICS 50ns-mail.ldif ldif files 108 00core.ldif 50ns-mcd-browser.ldif ldif files 107 ldif files 108 05rfc2247.ldif 50ns-mcd-config.ldif ldif files 107 ldif files 108 05rfc2927.ldif 50ns-mcd-li.ldif ldif files 107...
  • Page 276 50ns-web.ldif changelog configuration entries 80 ldif files 109 object classes 80 99user.ldif cn=config ldif files 109 general 25 general configuration entries 35 object classes 35 cn=config Directory Information Tree configuration data 26 cn=encryption encryption configuration entries 83 alias dereferencing 211 object classes 83 cn=mapping tree object classes 86...
  • Page 277 perl scripts 239–246 restrictions to modifying 33 quick reference 224–226 retro changelog plug-in configuration restart-slapd 234 attributes 171–172 restoreconfig 235 SNMP configuration attributes 103–105 saveconfig 235 suffix configuration attributes 87–88 shell and batch scripts 226–238 uniqueid generator configuration attributes 106 start-slapd 236 configuration changes stop-slapd 237...
  • Page 278 nsDS5ReplicaPort 98 nsslapd-errorlog-logexpirationtime 53 nsDS5ReplicaPurgeDelay 91 nsslapd-errorlog-logexpirationtimeunit 53 nsDS5ReplicaReferral 92 nsslapd-errorlog-logging-enabled 54 nsDS5ReplicaRefresh 99 nsslapd-errorlog-logmaxdiskspace 54 nsDS5ReplicaRoot 92, 99 nsslapd-errorlog-logminfreediskspace 54 nsDS5ReplicaTimeout 99 nsslapd-errorlog-logrotationtime 55 nsDS5ReplicaTombstonePurgeInterval 92 nsslapd-errorlog-logrotationtimeunit 55 nsDS5ReplicaTransportInfo 100 nsslapd-errorlog-maxlogsize 56 nsDS5ReplicaType 93 nsslapd-errorlog-maxlogsperdir 56 nsDS5ReplicaUpdateInProgress 100 nsslapd-groupvalnestlevel 57 nsDS5ReplicaUpdateSchedule 101 nsslapd-instancedir 57 nsIdleTimeout 35...
  • Page 279 nssnmpmasterhost 105 nsBindConnectionCount 171 nssnmpmasterport 105 nsBindConnectionsLimit 163 nssnmporganization 104 nsBindCount 170 nsssl2 attribute 84 nsBindRetryLimit 164 nsssl3 attribute 84 nsBindTimeout 164 nsssl3ciphers attribute 84 nsCheckLocalACI 164 nssslclientauth attribute 83 nsCompareCount 171 nssslsessiontimeout attribute 83 nsConcurrentBindLimit 165 nsState 93 nsConcurrentOperationsLimit 165 nsstate 106 nsConnectionLife 165 opscompleted 102...
  • Page 280 nsLookThroughLimit 137 nsslapd-db-transaction-batch-val 145 nsMatchingRule 157 nsslapd-db-transaction-logging 146 nsslapd-allidsthreshold 137 nsslapd-db-trickle-percentage 147 nsslapd-cache-autosize 138 nsslapd-db-txn-region-wait-rate 155 nsslapd-cache-autosize-split 138 nsslapd-db-verbose 147 nsslapd-cachememsize 151 nsslapd-directory 151 nsslapd-cachesize 150 nsslapd-import-cachesize 148 nsslapd-db-abort-rate 153 nsslapd-mode 148 nsslapd-db-active-txns 153 nsslapd-readonly 151 nsslapd-db-cache-hit 153 nsslapd-require-index 152 nsslapd-db-cache-region-wait-rate 153 nsslapd-suffix 152 nsslapd-dbcachesize 138...
  • Page 281 dbfilecachehit attribute 158 dbfilecachemiss attribute 158 files dbfilenamenumber attribute 158, 163 containing search filters 211 dbfilepagein attribute 158 id2entry.db2 176 dbfilepageout attribute 159 locating configuration 30 description attribute 94, 158 slapd.conf 68 distinguished names root 67 dse.ldif ldif files 107 dse.ldif file configuration information tree 33 getpwenc...
  • Page 282 ldapsearch command-line utility command-line shell and batch script 231 additional options 211 quick reference 225 commonly used options 208 ldif2db.pl ssl options 210 command-line perl script 242 ldif 50ns-delegated-admin.ldif 108 quick reference 226 ldif command-line utility ldif2ldap options 222 command-line shell and batch script 233 quick reference 225 LDIF configuration files contents of 27...
  • Page 283 nsBindConnectionsLimit attribute 163 command-line perl script 246 quick reference 226 nsBindCount attribute 170 nsIndexType attribute 156 nsBindRetryLimit attribute 164 nsLookThroughLimit attribute 137 nsBindTimeout attribute 164 nsMatchingRule attribute 157 nsCheckLocalACI attribute 164 nsMaxResponseDelay attribute 161 nsCompareCount attribute 171 nsMaxTestResponseDelay attribute 162 nsConcurrentBindLimit attribute 165 nsModifyCount attribute 170 nsConcurrentOperationsLimit attribute 165...
  • Page 284 nsslapd-attribute-name-exceptions attribute 42 nsslapd-db-lockers attribute 154 nsslapd-auditlog-logexpirationtime attribute 44 nsslapd-db-lock-region-wait-rate attribute 154 nsslapd-auditlog-logexpirationtimeunit attribute 44 nsslapd-db-lock-request-rate attribute 154 nsslapd-auditlog-logging-enabled attribute 45 nsslapd-db-logbuf-size attribute 143 nsslapd-auditlog-logmaxdiskspace attribute 45 nsslapd-db-log-bytes-since-checkpoint attribute 154 nsslapd-auditlog-logminfreediskspace attribute 46 nsslapd-db-logdirectory attribute 144 nsslapd-auditlog-logrotationtime attribute 46 nsslapd-db-logfile-size attribute 144 nsslapd-auditlog-logrotationtimeunit attribute 47 nsslapd-db-log-region-wait-rate attribute 154 nsslapd-auditlog-maxlogsize attribute 47...
  • Page 285 nsslapd-lastmod attribute 58 nsslapd-timelimit attribute 72 nsslapd-listenhost attribute 59 nsslapd-versionstring attribute 73 nsslapd-localhost attribute 59 nssnmpcontact attribute 104 nsslapd-localuser attribute 59 nssnmpdescription attribute 105 nsslapd-maxbersize attribute 60 nssnmpenabled attribute 103 nsslapd-maxdescriptors attribute 60 nssnmplocation attribute 104 nsslapd-maxthreadsperconn attribute 61 nssnmpmasterhost attribute 105 nsslapd-mode attribute 148 nssnmpmasterport attribute 105 nsslapd-nagle attribute 62...
  • Page 286 passwordMaxAge attribute 76 nsLookThroughLimit 137 nsMatchingRule 157 passwordMaxFailure attribute 77 nsMaxResponseDelay 161 passwordMinAge attribute 77 nsMaxTestResponseDelay 162 passwordMinLength attribute 77 nsModifyCount 170 passwordMustChange attribute 78 nsMultiplexorBindDN 168 passwordResetFailureCount attribute 78 nsMultiplexorCredentials 169 passwords nsOperationConnectionCount 171 root 68 nsOperationConnectionsLimit 166 passwordStorageScheme attribute 79 nsProxiedAuthorization 166 nsReferralOnScopedSearch 167 passwordUnlock attribute 79...
  • Page 287 nsslapd-db-logbuf-size 143 nsslapd-db-log-bytes-since-checkpoint 154 read-only monitoring configuration attributes nsslapd-db-logdirectory 144 backendMonitorDN 103 nsslapd-db-logfile-size 144 bytessent 102 nsslapd-db-log-region-wait-rate 154 connection 101 nsslapd-db-log-write-rate 155 currentconnections 102 nsslapd-db-longest-chain-length 155 currenttime 102 nsslapd-dbncache 147 dtablesize 102 nsslapd-db-page-create-rate 155 entriessent 102 nsslapd-db-page-ro-evict-rate 155 nbackends 102 nsslapd-db-page-rw-evict-rate 155 opscompleted 102 nsslapd-db-pages-in-use 155...
  • Page 288 nsDS5ReplicaLegacyConsumer 90 root password and 68 nsDS5ReplicaName 91 slapd.ldbm.conf file nsDS5ReplicaPurgeDelay 91 converting to LDIF format 30 nsDS5ReplicaReferral 92 smart referrals nsDS5ReplicaRoot 92 ldapsearch option 212 nsDS5ReplicaTombstonePurgeInterval 92 SNMP configuration attributes nsDS5ReplicaType 93 nssnmpcontact 104 nsState 93 nssnmpdescription 105 object classes 88 nssnmpenabled 103 restart 234 nssnmplocation 104...
  • Page 289 nsstate 106 uniqueid generator configuration entries cn=uniqueid generator 106 vlvindex command-line shell and batch script 238 quick reference 225 Index...