Netscape DIRECTORY SERVER 6.1 Configuration Manual

Configuration, command, and file reference

Configuration, Command, and
File Reference
Netscape Directory Server
Version 6.1
August 2002

Summary of Contents for Netscape NETSCAPE DIRECTORY SERVER 6.1

  • Page 1 Configuration, Command, and File Reference Netscape Directory Server Version 6.1 August 2002...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents: About This Reference Guide, 19; Directory Server Overview ...
  • Page 4 Configuration Changes Requiring Server Restart, 35; Core Server Configuration Attributes Reference ...
  • Page 5 nsslapd-errorlog-logexpirationtime (Error Log Expiration Time), 58; nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit), 58; nsslapd-errorlog-logging-enabled (Enable Error Logging) ...
  • Page 6 nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections), 79; nsslapd-threadnumber (Thread Number), 80; nsslapd-timelimit (Time Limit) ...
  • Page 7 nsDS5ReplicaPurgeDelay, 99; nsDS5ReplicaReferral ...
  • Page 8 cn=replication, 111; cn=SNMP ...
  • Page 9 SSHA Password Storage Scheme Plug-in, 133; Postal Address String Syntax Plug-in ...
  • Page 10 nsslapd-db-transaction-logging, 156; nsslapd-db-trickle-percentage ...
  • Page 11 nsslapd-db-longest-chain-length, 165; nsslapd-db-page-create-rate ...
  • Page 12 nsReferralOnScopedSearch, 177; nsSizeLimit ...
  • Page 13 File Descriptor, 192; Slot Number ...
  • Page 14 Commonly Used ldapsearch Options, 220; SSL Options ...
  • Page 15 getpwenc (Print encrypted password), 246; Syntax ...
  • Page 16 db2index.pl (Create and generate indexes), 256; Syntax ...
  • Page 17 Syntax, 277; Options ...
  • Page 18 Netscape Directory Server Configuration, Command, and File Reference • August 2002...
  • Page 19: About This Reference Guide

    About This Reference Guide Netscape Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 20: Prerequisite Reading

    • SNMP Agent—Permits you to monitor Directory Server in real time using the Simple Network Management Protocol (SNMP). • Online backup and restore—Allows you to create backups and restore from backups while the server is running. Prerequisite Reading This reference guide does not describe many of the basic directory and architectural concepts that you need to successfully design, implement, and administer your directory service.
  • Page 21: Conventions Used In This Reference Guide

    Conventions Used In This Reference Guide This section explains the conventions used in this book. Monospaced font—This typeface is used for any text that appears on the computer screen or text that you should type. It is also used for filenames, functions, and examples.
  • Page 22 Related Information • Netscape Directory Server Administrator’s Guide. Procedures for the day-to-day maintenance of your directory service. Includes information on configuring server-side plug-ins. • Netscape Directory Server Schema Reference. Provides information about the Netscape Directory Server schema. • Netscape Directory Server Plug-In Programmer’s Guide. Describes how to write server plug-ins in order to customize and extend the capabilities of Directory Server.
  • Page 23: Chapter 1 Introduction

    Chapter 1 Introduction This chapter provides a brief overview of the configuration and administration utilities provided to manage the Netscape Directory Server (Directory Server). This chapter is divided into the following sections: • Overview of Directory Server Management (page 23) •...
  • Page 24: Directory Server Configuration

    This reference manual deals with the other methods of managing the Directory Server, namely altering the server configuration attributes via the command line and using the command-line utilities. Directory Server Configuration The format and method for storing configuration information for Directory Server mark a significant change from previous versions of the Directory Server.
  • Page 25: Using Directory Server Command-Line Scripts

    In addition to these command-line utilities, Directory Server also provides ns-slapd and slapd.exe command-line utilities for performing directory operations as described in Appendix A, “Using the ns-slapd and slapd.exe Command-Line Utilities.” Using Directory Server Command-Line Scripts In addition to command-line utilities, several non-configurable scripts are provided with the Directory Server that make it quick and easy to perform routine server administration tasks from the command line.
  • Page 26 Using Directory Server Command-Line Scripts Netscape Directory Server Configuration, Command, and File Reference • August 2002...
  • Page 27: Chapter 2 Core Server Configuration Reference

    Chapter 2 Core Server Configuration Reference The configuration information for Netscape Directory Server (Directory Server) is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files.
  • Page 28 Server Configuration - Overview Many of the features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax plug-in is contained in this entry: cn=Telephone Syntax,cn=plugins,cn=config...
  • Page 29: Ldif Configuration Files - Location

    LDIF Configuration Files - Location The Directory Server configuration data is automatically output to files in LDIF format that are located in the following directory: serverRoot/slapd-serverID/config Thus, if you specified a server identifier of phonebook for example, then in a default installation, your configuration LDIF files are all stored under: /usr/netscape/servers/slapd-phonebook/config...
  • Page 30: Configuration Of Plug-In Functionality

      dn: cn=config
      objectclass: top
      objectclass: extensibleObject
      objectclass: nsslapdConfig
      nsslapd-accesslog-logging-enabled: on
      nsslapd-enquote-sup-oc: on
      nsslapd-localhost: phonebook.example.com
      nsslapd-errorlog: /usr/netscape/servers/slapd-phonebook/logs/errors
      nsslapd-schemacheck: on
      nsslapd-store-state-info: on
      nsslapd-port: 389
      nsslapd-localuser: nobody
    Configuration of Plug-in Functionality The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree .
  • Page 31: Configuration Of Databases

    For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart, see Chapter 3, “Plug-in Implemented Server Functionality Reference.” Configuration of Databases subtrees contain configuration data for cn=NetscapeRoot cn=UserRoot...
  • Page 32: Migration Of Pre-Directory Server 6.X Configuration Files To Ldif Format

    Accessing and Modifying Server Configuration Migration of Pre-Directory Server 6.x Configuration Files to LDIF Format The Directory Server will only recognize configuration files that are in the LDIF format, which means that the slapd.conf and slapd.ldbm.conf configuration files from 4.x versions of Directory Server must be converted to LDIF format. Directory Server 4.x configurations can be migrated to the new LDIF format using the tool tool.
  • Page 33: Changing Configuration Attributes

    Code Example 2-3 Default ACIs in dse.ldif
      aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators,ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
      aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
      aci: (targetattr = "*")(version 3.0;...
  • Page 34: Modifying Configuration Entries Using Ldap

    NOTE If you edit the dse.ldif file, you must stop the server beforehand, otherwise your changes will be lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See “Configuration Changes Requiring Server Restart,”...
  • Page 35: Restrictions To Modifying Configuration Entries And Attributes

    Core Server Configuration Attributes Reference
    Code Example 2-4 Disabling the Telephone Syntax Plug-in
      ldapmodify -D bindDN -w password
      dn: cn=Telephone Syntax,cn=plugins,cn=config
      changetype: modify
      replace: nsslapd-pluginEnabled
      nsslapd-pluginEnabled: off
    Restrictions to Modifying Configuration Entries and Attributes Certain restrictions apply when modifying server entries and attributes: •...
  • Page 36 Figure 2-2 Directory Information Tree Showing Configuration Data. The list of configuration tree nodes covered in this section is as follows: • cn=config • cn=changelog5 • cn=encryption • cn=features • cn=mapping tree • cn=monitor • cn=replication •...
  • Page 37: Cn=Config

    cn=config General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the object class) must be present in the entry.
  • Page 38: Nsslapd-Accesslog-Level

    Attributes in dse.ldif Value Logging enabled or disabled nsslapd-accesslog-logging-enabled Disabled nsslapd-accesslog empty string nsslapd-accesslog-logging-enabled Enabled nsslapd-accesslog filename nsslapd-accesslog-logging-enabled Disabled nsslapd-accesslog empty string nsslapd-accesslog-logging-enabled Disabled nsslapd-accesslog filename Entry DN: cn=config Valid Values: Any valid filename. Default Value: serverRoot/slapd-serverID/logs/access Syntax: DirectoryString...
  • Page 39: Nsslapd-Accesslog-List

    Default Value: Syntax: Integer Example: nsslapd-accesslog-level: 256 nsslapd-accesslog-list This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation. Entry DN: cn=config Valid Values: Default Value: None Syntax: DirectoryString Example:...
  • Page 40: Nsslapd-Accesslog-Logexpirationtimeunit (Access Log Expiration Time Unit)

    Default Value: Syntax: Integer Example: nsslapd-accesslog-logexpirationtime: 2 nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit) Specifies the units for nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire. Entry DN: cn=config Valid Values: month | week | day...
  • Page 41: Nsslapd-Accesslog-Logmaxdiskspace (Access Log Maximum Disk Space)

    Attributes in dse.ldif Value Logging Enabled or Disabled nsslapd-accesslog-logging-enabled Disabled nsslapd-accesslog filename Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-accesslog-logging-enabled: off nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space) Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume.
  • Page 42: Nsslapd-Accesslog-Logminfreediskspace (Access Log Minimum Free Disk Space)

    nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space) Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access log is deleted until enough disk space is freed to satisfy this attribute.
  • Page 43: Nsslapd-Accesslog-Logrotationsynchour (Access Log Rotation Sync Hour)

    nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour) Specifies the hour of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes. Entry DN: cn=config Valid Range: 0 through 23 Default Value: Syntax: Integer...
  • Page 44: Nsslapd-Accesslog-Logrotationtimeunit (Access Log Rotation Time Unit)

    nsslapd-accesslog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See “nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files),” on page 45 for more information. Entry DN: cn=config Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647) where a value...
  • Page 45: Nsslapd-Accesslog-Maxlogsperdir (Access Log Maximum Number Of Log Files)

    Entry DN: cn=config Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size. Default Value: Syntax: Integer Example: nsslapd-accesslog-maxlogsize: 100 nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files) Specifies the total number of access logs that can be contained in the directory...
  • Page 46: Nsslapd-Auditlog (Audit Log)

    Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-attribute-name-exceptions: on nsslapd-auditlog (Audit Log) Specifies the pathname and filename of the log used to record changes made to each database. Entry DN: cn=config Valid Values: Any valid filename Default Value: serverRoot/slapd-serverID/logs/audit...
  • Page 47: Nsslapd-Auditlog-List

    nsslapd-auditlog-list Provides a list of audit log files. Entry DN: cn=config Valid Values: Default Value: None Syntax: DirectoryString Example: nsslapd-auditlog-list: auditlog2,auditlog3 nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time) Specifies the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units.
  • Page 48: Nsslapd-Auditlog-Logging-Enabled (Audit Log Enable Logging)

    nsslapd-auditlog-logging-enabled (Audit Log Enable Logging) Turns audit logging on and off. Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-auditlog-logging-enabled: off For audit logging to be enabled this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be...
  • Page 49: Nsslapd-Auditlog-Logminfreediskspace (Audit Log Minimum Free Disk Space)

    When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space.
  • Page 50: Nsslapd-Auditlog-Logrotationsynchour (Audit Log Rotation Sync Hour)

    For audit log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files. For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to and then set the values of the nsslapd-auditlog-logrotationsynchour...
  • Page 51: Nsslapd-Auditlog-Logrotationtime (Audit Log Rotation Time)

    Entry DN: cn=config Valid Range: 0 through 59 Default Value: None (because nsslapd-auditlog-logrotationsync-enabled is off) Syntax: Integer Example: nsslapd-auditlog-logrotationsyncmin: 30 nsslapd-auditlog-logrotationtime (Audit Log Rotation Time) Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log.
  • Page 52: Nsslapd-Auditlog-Maxlogsize (Audit Log Maximum Log Size)

    Entry DN: cn=config Valid Values: month | week | day | hour | minute Default Value: week Syntax: DirectoryString Example: nsslapd-auditlog-logrotationtimeunit: day nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size) Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated.
  • Page 53: Nsslapd-Certmap-Basedn (Certificate Map Search Base)

    If the value for this attribute is higher than 1, then you need to check the nsslapd-auditlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-auditlog-logrotationtime attribute has a value of -1 then there is no log rotation. See “nsslapd-auditlog-logrotationtime (Audit Log Rotation Time),”...
  • Page 54: Nsslapd-Ds4-Compatible-Schema

    Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-csnlogging:on nsslapd-ds4-compatible-schema Makes the schema in cn=schema compatible with 4.x versions of Directory Server. Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString...
  • Page 55: Nsslapd-Errorlog (Error Log)

    Turning this attribute on will cause the Directory Server Resource Kit LDAP clients to no longer function, as they require the schema as defined in RFC 2252. Turning this attribute off causes the Directory Server to conform to RFC 2252, but doing so may interfere with some earlier LDAP clients.
  • Page 56: Nsslapd-Errorlog-Level (Error Log Level)

    For error logging to be enabled this attribute must have a valid path and filename and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to . The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
  • Page 57: Nsslapd-Errorlog-List

    Valid Values: 1 = Trace function calls. Logs a message when the server enters and exits a function. 2 = Debug Packet handling 4 = Heavy trace output debugging 8 = Connection management 16 = Print out packets sent/received 32 = Search filter processing 64 = Config file processing 128 = Access control list processing...
  • Page 58: Nsslapd-Errorlog-Logexpirationtime (Error Log Expiration Time)

    nsslapd-errorlog-logexpirationtime (Error Log Expiration Time) Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the attribute.
  • Page 59: Nsslapd-Errorlog-Logmaxdiskspace (Error Log Maximum Disk Space)

    nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space) Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted. When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation.
  • Page 60: Nsslapd-Errorlog-Logrotationsync-Enabled (Error Log Rotation Sync Enabled)

    nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled) Specifies whether error log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way enables you to generate log files at a specified time during a day, say midnight to midnight every day, making analysis of the log files much easier because they then map directly to the calendar.
  • Page 61: Nsslapd-Errorlog-Logrotationsyncmin (Error Log Rotation Sync Minute)

    nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute) Specifies the minute of the day for rotating error logs. This attribute must be used in conjunction with nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsynchour attributes. Entry DN: cn=config Valid Range: 0 through 59 Default Value: Syntax: Integer...
  • Page 62: Nsslapd-Errorlog-Logrotationtime (Error Log Rotation Time)

    nsslapd-errorlog-logrotationtime (Error Log Rotation Time) Specifies the time between error log file rotations. The error log will be rotated when this time interval is up, regardless of the current size of the error log. This attribute supplies only the number of units.
  • Page 63: Nsslapd-Errorlog-Maxlogsize (Maximum Error Log Size)

    nsslapd-errorlog-maxlogsize (Maximum Error Log Size) Specifies the maximum error log size in megabytes. When this value is reached, the error log is rotated. That is, the server starts writing log information to a new log file.
  • Page 64: Nsslapd-Groupevalnestlevel

    Syntax: Integer Example: nsslapd-errorlog-maxlogsperdir: 10 nsslapd-groupevalnestlevel Specifies the number of levels of nesting that the access-control system will perform for group evaluation. Entry DN: cn=config Valid Range: 0 to 5 Default Value: Syntax: Integer Example: nsslapd-groupevalnestlevel:5 nsslapd-idletimeout (Default Idle Timeout) Specifies the amount of time in seconds after which an idle LDAP client connection...
  • Page 65: Nsslapd-Instancedir (Instance Directory)

    nsslapd-instancedir (Instance Directory) Specifies the full path to the directory where this server instance is installed. The serverID from installation time is the default ID. Entry DN: cn=config Valid Values: Any valid file path. Default Value: serverRoot/slapd-serverID Syntax: DirectoryString...
  • Page 66: Nsslapd-Listenhost (Listen To Ip Address)

    • createtimestamp—The timestamp for when the entry was created in GMT format. Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-lastmod: off nsslapd-listenhost (Listen to IP Address) Allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine).
  • Page 67: Nsslapd-Localuser (Local User)

    nsslapd-localuser (Local User) Applicable to Directory Server installations on Unix machines. Specifies the user that the Directory Server runs as. The group that the user runs as is derived from this attribute, by examining the groups that the user is a member of.
  • Page 68 This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server will try to use. A file descriptor is used whenever a client connects to the server, and for some server activities such as index maintenance. The number of available file descriptors for TCP/IP connections is the total for the nsslapd-maxdescriptors attribute minus the number of file descriptors used by...
  • Page 69: Nsslapd-Maxthreadsperconn (Maximum Threads Per Connection)

    nsslapd-maxthreadsperconn (Maximum Threads Per Connection) Defines the maximum number of threads that a connection should use. For normal operations where a client binds and only performs one or two operations before unbinding, you should use the default value. For situations where a client binds and simultaneously issues many requests, you should increase this value to allow each connection enough resources to perform all the operations.
  • Page 70: Nsslapd-Plug-In

    Entry DN: cn=config Valid Range: 0 to the maximum 32 bit integer value (2147483647) Default Value: 300000 Syntax: DirectoryString Example: nsslapd-outbound-ldap-io-timeout: 300000 nsslapd-plug-in This read-only attribute lists the syntaxes and matching rules loaded by the server. nsslapd-port (Port Number) TCP/IP port number used for LDAP communications.
  • Page 71: Nsslapd-Readonly (Read Only)

    Default Value: Syntax: DirectoryString Example: nsslapd-privatenamespaces: cn=config nsslapd-readonly (Read Only) Specifies whether the whole server is in read-only mode, meaning that neither data in the database(s) nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.
  • Page 72: Nsslapd-Referralmode (Referral Mode)

    For more information on managing referrals, see Chapter 3, “Configuring Directory Databases” in the Netscape Directory Server Administrator’s Guide. Entry DN: cn=config Valid Values: Valid LDAP URL in the following format: ldap://server-location Default Value: Syntax: DirectoryString Example: nsslapd-referral: ldap://ldap.example.com...
  • Page 73 • You are seeing error messages reporting that the server is unable to open file descriptors (the actual error message will differ depending on the operation that the server is attempting to perform), but these error messages are NOT related to managing client LDAP connections.
  • Page 74: Nsslapd-Return-Exact-Case (Return Exact Case)

    Entry DN: cn=config Valid Range: 1 to 65535 Default Value: Syntax: Integer Example: nsslapd-reservedescriptors: 64 nsslapd-return-exact-case (Return Exact Case) Returns the exact case of attribute type names as requested by the client. Some client applications require attribute names to exactly match the case of the attribute as it is listed in the schema when the attribute is returned by the Directory Server, as the result of a search or modify operation.
  • Page 75: Nsslapd-Rootpw (Root Password)

    Syntax: Example: nsslapd-rootdn: cn=Directory Manager nsslapd-rootpw (Root Password) Allows you to specify the password associated with the "Manager DN". When you provide the root password, it will be encrypted according to the encryption method you selected for “nsslapd-rootpwstoragescheme (Root Password Storage Scheme),”...
  • Page 76: Nsslapd-Schemacheck (Schema Checking)

    Valid Values: Any encryption method as described in “passwordStorageScheme (Password Storage Scheme),” on page 87. Default Value: CLEAR Syntax: DirectoryString Example: nsslapd-rootpwstoragescheme: SSHA nsslapd-schemacheck (Schema Checking) Specifies whether the database schema will be enforced during entry insertion or modification.
  • Page 77: Nsslapd-Schemareplace

    nsslapd-schemareplace Determines whether modify operations that replace attribute values are allowed on cn=schema entry. Entry DN: cn=config Valid Values: on | off | replication-only Default Value: replication-only Syntax: DirectoryString Example: nsslapd-schemareplace: replication-only nsslapd-securelistenhost Allows multiple Directory Server instances to run, using secure SSL/TLS connections, on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine).
  • Page 78: Nsslapd-Security (Security)

    Valid Range: 1 to 65535 Default Value: Syntax: Integer Example: nsslapd-securePort: 636 nsslapd-security (Security) Specifies whether the Directory Server is to accept SSL/TLS communications on its encrypted port. This attribute should be set to , if you want secure connections. Entry DN: cn=config Valid Values:...
  • Page 79: Nsslapd-Ssl-Check-Hostname (Verify Hostname For Outbound Connections)

    Entry DN: cn=config Valid Range: -1 to the maximum 32 bit integer value (2147483647) Default Value: 2000 Syntax: Integer Example: nsslapd-sizelimit: 2000 nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections) Specifies whether an SSL-enabled Directory Server (with certificate based client authentication turned on) should verify authenticity of a request by matching the hostname against the value assigned to the Common Name (CN) attribute of the subject name in the certificate being presented.
  • Page 80: Nsslapd-Threadnumber (Thread Number)

    nsslapd-threadnumber (Thread Number) Defines the number of operation threads that the Directory Server will create during startup. The nsslapd-threadnumber value should be increased if you have many directory clients performing time-consuming operations such as add or modify, as this ensures that there are other threads available for servicing short-lived operations such as simple searches.
  • Page 81: Nsslapd-Versionstring

    Example: nsslapd-timelimit: 3600 nsslapd-versionstring Specifies the server version number. Entry DN: cn=config Valid Values: Any valid server version number. Default Value: Syntax: DirectoryString Example: nsslapd-versionstring: Netscape-Directory/6.1 passwordChange (Password Change) Indicates whether users may change their passwords. For more information on password policies, see Chapter 7, “User Account Management”...
  • Page 82: Passwordexp (Password Expiration)

    Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: passwordCheckSyntax: off passwordExp (Password Expiration) Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of seconds after which the password will expire using the attribute.
  • Page 83: Passwordinhistory (Number Of Passwords To Remember)

    Core Server Configuration Attributes Reference Default Value: Syntax: DirectoryString Example: passwordHistory: on passwordInHistory (Number of Passwords to Remember) Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled.
  • Page 84: Passwordlockoutduration (Lockout Duration)

    Core Server Configuration Attributes Reference Default Value: Syntax: DirectoryString Example: passwordLockout: off passwordLockoutDuration (Lockout Duration) Indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user’s password.
  • Page 85: Passwordmaxfailure (Maximum Password Failures)

    Core Server Configuration Attributes Reference passwordMaxFailure (Maximum Password Failures) Indicates the number of failed bind attempts after which a user will be locked out of the directory. By default, account lockout is disabled. You can enable account lockout by modifying the attribute.
  • Page 86: Passwordmustchange (Password Must Change)

    Core Server Configuration Attributes Reference Syntax: Integer Example: passwordMinLength: 6 passwordMustChange (Password Must Change) Indicates whether users must change their passwords when they first bind to the Directory Server, or when the password has been reset by the "Manager DN". For more information on password policies, see Chapter 7, “User Account Management”...
  • Page 87: Passwordstoragescheme (Password Storage Scheme)

    Core Server Configuration Attributes Reference passwordStorageScheme (Password Storage Scheme) Specifies the type of encryption used to store Directory Server passwords. Entering CLEAR for this attribute indicates that the password will appear in plain text. The following encryption types are supported by the Directory Server 6.x: •...
  • Page 88: Passwordwarning (Send Warning)

    Core Server Configuration Attributes Reference passwordWarning (Send Warning) Indicates the number of seconds before a user’s password is due to expire that the user will receive a password expiration warning control on their next LDAP operation. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.
  • Page 89: Nsslapd-Changelogdir

    Core Server Configuration Attributes Reference • “nsslapd-cachememsize,” on page 161 Note that the default values for the cache-related memory parameters (tuned for a single backend replicated to a single consumer) are as follows: nsslapd-cachesize: 3000 (3000 entries); nsslapd-cachememsize: 10000000 (10 MB). When more backends are replicated or when you need to replicate one backend to more than one consumer, consider tuning the parameters as below:...
  • Page 90: Nsslapd-Changelogmaxage (Max Changelog Age)

    Core Server Configuration Attributes Reference Valid Values: Any valid path to the directory storing the changelog Default Value: None Syntax: DirectoryString Example: nsslapd-changelogdir: /usr/netscape/servers/slapd-phonebook/changelogdb nsslapd-changelogmaxage (Max Changelog Age) Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers.
  • Page 91: Cn=Encryption

    Core Server Configuration Attributes Reference Valid Range: 0 (meaning that the only maximum limit is the disk size) to maximum integer (2147483647) Default Value: Syntax: Integer Example: nsslapd-changelogmaxentries: 5000 cn=encryption Encryption related attributes are stored under the cn=encryption,cn=config entry. The cn=encryption,cn=config entry is an instance of the object class.
  • Page 92: Nsssl2

    Core Server Configuration Attributes Reference Default Value: allowed Syntax: DirectoryString Example: nssslclientauth: allowed nsssl2 Supports SSL version 2. Entry DN: cn=encryption,cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsssl2: on nsssl3 Supports SSL version 3. Entry DN: cn=encryption,cn=config Valid Values: on | off...
  • Page 93 Core Server Configuration Attributes Reference Valid Values: For domestic versions, any combination of the following: For SSLv3 rsa_null_md5 rsa_rc4_128_md5 rsa_rc4_40_md5 rsa_rc2_40_md5 rsa_des_sha rsa_fips_des_sha rsa_3des_sha rsa_fips_3des_sha For TLS tls_rsa_export1024_with_rc4_56_sha tls_rsa_export1024_with_des_cbc_sha Default Value: Syntax: DirectoryString + symbol to enable or - symbol to disable followed by the cipher(s). It is important to note that blank spaces are not allowed in the list of ciphers.
  • Page 94: Cn=Features

    Core Server Configuration Attributes Reference SSLv3 Ciphers (Continued) Table 2-1 Cipher in Console Corresponding SSLv3 Cipher RC2(Export) rsa_rc2_40_md5 rsa_des_sha DES (FIPS) rsa_fips_des_sha Triple-DES rsa_3des_sha Triple-DES (FIPS) rsa_fips_3des_sha If you are using the Directory Server Console to set the cipher preferences, the values on the TLS tab of the Cipher Preference dialog box correspond to the following: Table 2-2...
  • Page 95: Suffix Configuration Attributes Under Cn="Suffixname

    Core Server Configuration Attributes Reference Suffix Configuration Attributes Under cn="suffixName" Suffix configuration attributes are stored under the cn="suffixName" entry. The cn="suffixName" entry is an instance of the nsMappingTree object class which inherits from the extensibleObject object class. For suffix configuration attributes to be taken into account by the server these object classes (in addition to object class) must be present in the entry.
  • Page 96: Replication Attributes Under Cn=Replica, Cn="Suffixname", Cn=Mapping Tree,Cn=Config

    Core Server Configuration Attributes Reference Default Value: None Syntax: DirectoryString Example: nsslapd-backend: NetscapeRoot Replication Attributes Under cn=replica, cn=“suffixName”, cn=mapping tree,cn=config Replication configuration attributes are stored under cn=replica,cn=“suffixName”,cn=mapping tree,cn=config. The cn=replica entry is an instance of the nsDS5Replica object class. For replication configuration attributes to be taken into account by the server this object class (in addition to the object class) must be present in the entry.
  • Page 97: Nsds5Replicabinddn

    Core Server Configuration Attributes Reference Valid Values: 0 | 1 Changelog activation: 0 = no changes are logged 1 = changes are logged Default Value: 0 (no changes are logged) Syntax: Integer Example: nsDS5Flags: 0 nsDS5ReplicaBindDN This multivalued attribute specifies the DN to use when binding. Although you can have more than one value in this entry, you can only have one cn=replica...
  • Page 98: Nsds5Replicaid

    Core Server Configuration Attributes Reference Syntax: Integer Example: nsDS5ReplicaChangeCount: 675 nsDS5ReplicaId Specifies the unique ID for masters in a given replication environment. Entry DN: cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Range: 0 to 254 Default Value: Syntax: Integer Example: nsDS5ReplicaId: 1 nsDS5ReplicaLegacyConsumer If this attribute is absent or has a value of false then it means that the replica is not a legacy consumer.
  • Page 99: Nsds5Replicapurgedelay

    Core Server Configuration Attributes Reference Syntax: DirectoryString (a UID identifies the replica) Example: nsDS5ReplicaName: 66a2b699-1dd211b2-807fa9c3-a58714648 nsDS5ReplicaPurgeDelay This multi valued attribute specifies the period of time in seconds after which internal purge operations will be performed on the change log. When setting this attribute ensure that the purge delay is longer than the longest replication cycle in your replication policy, to avoid incurring conflict resolution problems and server divergence.
  • Page 100: Nsds5Replicatombstonepurgeinterval

    Core Server Configuration Attributes Reference Entry DN: cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Values: Suffix of the database being replicated Default Value: Syntax: DirectoryString Example: nsDS5ReplicaRoot: "dc=example,dc=com" nsDS5ReplicaTombstonePurgeInterval Specifies the time interval in seconds between purge operation cycles. When setting this attribute bear in mind that the purge operation is time consuming. Entry DN: cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Range:...
  • Page 101: Nsstate

    Core Server Configuration Attributes Reference nsState This attribute stores information on the state of the clock. It is destined for internal use only to ensure that the server cannot generate a change sequence number (csn) inferior to existing ones required for detecting backward clock errors. Replication Attributes Under cn=ReplicationAgreementName,cn=replica, cn="suffixName", cn=mapping tree,cn=config...
  • Page 102: Nsds5Replicabindmethod

    Core Server Configuration Attributes Reference Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: Any valid DN Default Value: Syntax: DirectoryString Example: nsDS5ReplicaBindDN: cn=replication manager,cn=config nsDS5ReplicaBindMethod Specifies the method to use for binding. This attribute can be modified. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: SIMPLE | SSLCLIENTAUTH SIMPLE bind method requires a DN and password.
  • Page 103: Nsds5Replicacredentials

    Core Server Configuration Attributes Reference nsDS5ReplicaCredentials Specifies the credentials for the bind DN (specified in the nsDS5ReplicaBindDN attribute) on the remote server containing the consumer replica. The value for this attribute can be modified. Please note that when certificate based authentication is used this attribute may not have a value.
  • Page 104: Nsds5Replicalastinitstart

    Core Server Configuration Attributes Reference Default Value: Syntax: GeneralizedTime Example: nsDS5ReplicaLastInitEnd: YYYYMMDDhhmmssZ (19711223113229) nsDS5ReplicaLastInitStart This optional, read-only attribute states when the initialization of the consumer replica started. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: Default Value: Syntax: GeneralizedTime Example: nsDS5ReplicaLastInitStart: YYYYMMDDhhmmssZ (20000902160000) nsDS5ReplicaLastInitStatus This optional, read-only attribute provides status for the initialization of the...
  • Page 105: Nsds5Replicalastupdateend

    Core Server Configuration Attributes Reference nsDS5ReplicaLastUpdateEnd This read-only attribute states when the most recent replication schedule update ended. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: 0 = meaning that the Consumer Initialization has succeeded Default Value: Syntax: GeneralizedTime Example: nsDS5ReplicaLastUpdateEnd: YYYYMMDDhhmmssZ (20000902160000) nsDS5ReplicaLastUpdateStart This read-only attribute states when the most recent replication schedule update...
  • Page 106: Nsds5Replicaport

    Core Server Configuration Attributes Reference Syntax: DirectoryString Example: nsDS5ReplicaLastUpdateStatus: 0 replica acquired successfully nsDS5ReplicaPort Specifies the port number for the remote server containing the replica. Once this attribute has been set it cannot be modified. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: Port number for the remote server containing the replica.
  • Page 107: Nsds5Replicaroot

    Core Server Configuration Attributes Reference Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: stop | start Default Value: Syntax: DirectoryString Example: nsDS5ReplicaRefresh: start nsDS5ReplicaRoot Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config...
  • Page 108: Nsds5Replicatransportinfo

    Core Server Configuration Attributes Reference Example: nsDS5ReplicaTimeout: 600 seconds nsDS5ReplicaTransportInfo Specifies the type of transport used for transporting data to and from the replica. The attribute values can either be SSL which means that the connection is established over SSL, or LDAP, which means that regular LDAP connections are used.
  • Page 109: Nsds50Ruv

    Core Server Configuration Attributes Reference Valid Range: Time schedule presented as XXXX-YYYY 012345 where XXXX is the starting hour, YYYY is the finishing hour and the numbers 0123456 are the days of the week starting with Sunday. Default Value: 0000-2359 0123456 (all the time) Syntax: Integer Example:...
  • Page 110: Readwaiters

    Core Server Configuration Attributes Reference readWaiters Number of connections where some requests are pending and not currently being serviced by a thread in Directory Server. opsInitiated Number of Directory Server operations initiated. opsCompleted Number of Directory Server operations completed. entriesSent Number of entries sent by Directory Server.
  • Page 111: Cn=Replication

    Core Server Configuration Attributes Reference • Database Link Attributes Under cn=monitor,cn=database instance name,cn=chaining database, cn=plugins,cn=config (on page 180) cn=replication No attributes to document. When configuring legacy replication, it will be stored under this cn=replication node, which serves as a placeholder. cn=SNMP SNMP configuration attributes are stored under .
  • Page 112: Nssnmplocation

    Core Server Configuration Attributes Reference nssnmplocation Specifies the location within the company or organization where the Directory Server resides. Entry DN: cn=SNMP,cn=config Valid Values: Location Default Value: Syntax: DirectoryString Example: nssnmplocation: B14 nssnmpcontact Specifies the E-mail address of the person responsible for maintaining the Directory Server.
  • Page 113: Nssnmpmasterhost

    Core Server Configuration Attributes Reference nssnmpmasterhost This mandatory attribute specifies the hostname of the machine on which the master agent is installed. For UNIX only. Entry DN: cn=SNMP,cn=config Valid Values: machine hostname or local host Default Value: localhost Syntax: DirectoryString Example: nssnmpmasterhost: localhost nssnmpmasterport...
  • Page 114: Nsstate

    Configuration Quick Reference Tables nsstate Saves the state of the uniqueid generator across server restarts. This attribute is maintained by the server. You should not edit it. Entry DN: cn=uniqueid generator,cn=config Valid Values: Default Value: Syntax: DirectoryString Example: nsstate:AbId0c3oMIDUntiLCyYNGgAAAAAAAAAA Configuration Quick Reference Tables This section provides quick reference tables for LDIF configuration files supplied with the Directory Server, object classes and schema used in server configuration, and attributes requiring server restart.
  • Page 115 Configuration Quick Reference Tables Table 2-3 Directory Server Configuration LDIF Files (Continued) Configuration Filename: 00core.ldif Purpose: Contains LDAPv3 standard operational schema, such as “subschemaSubentry,” LDAPv3 standard user and organization schema defined in RFC 2256 (based on X.520/X.521), inetOrgPerson and select other widely-used attributes, and the operational attributes used by Directory Server configuration.
  • Page 116 Configuration Quick Reference Tables Table 2-3 Directory Server Configuration LDIF Files (Continued) Configuration Filename: 50ns-compass.ldif Purpose: Schema used by Netscape Compass Server to define personal interest profiles. Configuration Filename: 50ns-delegated-admin.ldif Purpose: Schema used by Netscape Delegated Administrator. Configuration Filename: 50ns-directory.ldif Purpose: Contains additional configuration schema used by Netscape Directory Server 4.12 and earlier versions of the directory, which is no longer applicable to...
  • Page 117: Configuration Changes Requiring Server Restart

    Configuration Quick Reference Tables Table 2-3 Directory Server Configuration LDIF Files (Continued) Configuration Filename: 99user.ldif Purpose: User-defined schema maintained by Directory Server replication consumers which contains the attributes and object classes from the suppliers. Configuration Changes Requiring Server Restart Table 2-4 lists the configuration attributes that cannot be altered dynamically, while the server is still running.
  • Page 119: Chapter 3 Plug-In Implemented Server Functionality Reference

    Chapter 3 Plug-in Implemented Server Functionality Reference This chapter contains reference information on Netscape Directory Server (Directory Server) server plug-ins. The chapter is divided into the following sections: • Overview (page 119) • Server Plug-in Functionality Reference (page 120) • List of Attributes Common to All Plug-ins (page 141) •...
  • Page 120: Object Classes For Plug-In Configuration

    Server Plug-in Functionality Reference

        dn: cn=Telephone Syntax,cn=plugins,cn=config
        objectclass: top
        objectclass: nsSlapdPlugin
        objectclass: extensibleObject
        cn: Telephone Syntax
        nsslapd-pluginPath: /usr/netscape/servers/lib/syntax-plugin.so
        nsslapd-pluginInitfunc: tel_init
        nsslapd-pluginType: syntax
        nsslapd-pluginEnabled: on

    Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an on the subtree.
  • Page 121: 7-Bit Check Plug-In

    Server Plug-in Functionality Reference 7-bit check Plug-in Plug-in Name: 7-bit check (NS7bitAtt) DN of Configuration Entry: cn=7-bit check,cn=plugins,cn=config Description: Checks certain attributes are 7-bit clean Configurable Options: on | off Default Setting: Configurable Arguments: list of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur...
  • Page 122: Acl Preoperation Plug-In

    Server Plug-in Functionality Reference ACL preoperation Plug-in Plug-in Name: ACL preoperation DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config Description: ACL access check plug-in Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: database Performance Related Information: None Further Information: Chapter 6, “Managing Access Control” in the Netscape Directory Server Administrator’s Guide.
  • Page 123: Boolean Syntax Plug-In

    Server Plug-in Functionality Reference Boolean Syntax Plug-in Plug-in Name: Boolean Syntax DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config Description: Syntax for handling booleans. Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
  • Page 124: Case Ignore String Syntax Plug-In

    Server Plug-in Functionality Reference Case Ignore String Syntax Plug-in Plug-in Name: Case Ignore String Syntax DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config Description: Syntax for handling case-insensitive strings Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 125: Class Of Service Plug-In

    Server Plug-in Functionality Reference Class of Service Plug-in Plug-in Name: Class of Service DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config Description: Allows for sharing of attributes between entries Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 126: Distinguished Name Syntax Plug-In

    Server Plug-in Functionality Reference Distinguished Name Syntax Plug-in Plug-in Name: Distinguished Name Syntax DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config Description: Syntax for handling DNs Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
  • Page 127: Http Client Plug-In

    Server Plug-in Functionality Reference Further Information: The Generalized Time String consists of the following: four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second and a time zone indication. We strongly recommend that you use the Z time zone indication which stands for Greenwich Mean Time.
  • Page 128: Internationalization Plug-In

    Server Plug-in Functionality Reference Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times. Further Information:

    Internationalization Plug-in Plug-in Name: Internationalization Plugin DN of Configuration Entry: cn=Internationalization...
  • Page 129: Legacy Replication Plug-In

    Server Plug-in Functionality Reference Description: Implements local databases Configurable Options: Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: See “Database Plug-in Attributes” on page 145 for further information on database configuration. Further Information: Chapter 3, “Configuring Directory Databases” in the Netscape Directory Server Administrator’s Guide

    Legacy Replication Plug-in Plug-in Name...
  • Page 130: Octet String Syntax Plug-In

    Server Plug-in Functionality Reference DN of Configuration Entry: cn=Multimaster Replication plugin,cn=plugins,cn=config Description: Enables replication between two 6.x Directory Servers Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: database Performance Related Information: Further Information: You can turn this plug-in off if you only have one server which will never replicate.
  • Page 131: Clear Password Storage Plug-In

    Server Plug-in Functionality Reference CLEAR Password Storage Plug-in Plug-in Name: CLEAR DN of Configuration Entry: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config Description: CLEAR password storage scheme used for password encryption Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
  • Page 132: Ns-Mta-Md5 Password Storage Scheme Plug-In

    Server Plug-in Functionality Reference NS-MTA-MD5 Password Storage Scheme Plug-in Plug-in Name: NS-MTA-MD5 DN of Configuration Entry: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config Description: NS-MTA-MD5 password storage scheme for password encryption Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 133: Ssha Password Storage Scheme Plug-In

    Server Plug-in Functionality Reference Dependencies: None Performance Related Information: If there are no passwords encrypted using the SHA password storage scheme, you may turn this plug-in off. If you want to encrypt your password with the SHA password storage scheme, we recommend that you choose SSHA instead, as SSHA is a far more secure option.
  • Page 134: Presence Plug-In

    Server Plug-in Functionality Reference Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times. Further Information:

    Presence Plug-in Plug-in Name: Presence...
  • Page 135: Referential Integrity Postoperation Plug-In

    Server Plug-in Functionality Reference Description: Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. Configurable Options: on | off Default Setting: Configurable Arguments: ldap://example.com:389/o=example Dependencies: None Performance Related Information: Chapter 16, “Using the Pass-Through Authentication Plug-in” in the Netscape Directory Server Administrator’s Guide.
  • Page 136: Retro Changelog Plug-In

    Server Plug-in Functionality Reference Configurable Arguments: When enabled the post operation Referential Integrity plug-in performs integrity updates on the member, uniquemember, owner and seeAlso attributes immediately after a delete or rename operation. You can reconfigure the plug-in to perform integrity checks on all other attributes.
  • Page 137: Roles Plug-In

    Server Plug-in Functionality Reference Configurable Options: on | off Default Setting: Configurable Arguments: See “Retro Changelog Plug-in Attributes,” on page 181 for further information on the two configuration attributes for this plug-in. Dependencies: None Performance Related Information: May slow down Directory Server performance. Chapter 8, “Managing Replication”...
  • Page 138: State Change Plug-In

    Server Plug-in Functionality Reference DN of Configuration Entry: cn=Space Insensitive String Syntax,cn=plugins,cn=config Description: Syntax for handling space-insensitive values Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
  • Page 139: Telephone Syntax Plug-In

    Server Plug-in Functionality Reference Configurable Arguments: None Dependencies: None Performance Related Information: Further Information:

    Telephone Syntax Plug-in Plug-in Name: Telephone Syntax DN of Configuration Entry: cn=Telephone Syntax,cn=plugins,cn=config Description: Syntax for handling telephone numbers Configurable Options: on | off Default Setting: Configurable Arguments: None...
  • Page 140: Uri Syntax Plug-In

    Server Plug-in Functionality Reference Default Setting: Configurable Arguments: Enter the following arguments: "DN" "DN"... if you want to check for UID attribute uniqueness in all listed subtrees. However, enter the following arguments: attribute="uid" MarkerObjectclass = "ObjectClassName" and optionally requiredObjectClass = "ObjectClassName" if you want to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, starting from the parent entry containing the ObjectClass as defined by the...
  • Page 141: List Of Attributes Common To All Plug-Ins

    List of Attributes Common to All Plug-ins DN of Configuration Entry: cn=URI Syntax,cn=plugins,cn=config Description: Syntax for handling URIs (Unique Resource Identifiers) including URLs (Unique Resource Locators) Configurable Options: on | off Default Setting: Configurable Arguments: None Dependencies: None Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
  • Page 142: Nsslapd-Plugintype

    List of Attributes Common to All Plug-ins Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any valid plug-in function Default Value: None Syntax: DirectoryString Example: nsslapd-pluginInitfunc:NS7bitAttr_Init nsslapd-pluginType Specifies the plug-in type. See “nsslapd-plugin-depends-on-type” on page 144 for further information. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any valid plug-in type Default Value:...
  • Page 143: Nsslapd-Pluginid

    List of Attributes Common to All Plug-ins nsslapd-pluginId Specifies the plug-in ID. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any valid plug-in ID Default Value: None Syntax: DirectoryString Example: nsslapd-pluginId: chaining database nsslapd-pluginVersion Specifies the plug-in version. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any valid plug-in version Default Value:...
  • Page 144: Nsslapd-Plugindescription

    Attributes Allowed by Certain Plug-ins nsslapd-pluginDescription Provides a description of the plug-in. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Default Value: None Syntax: DirectoryString Example: nsslapd-pluginDescription: acl access check plug-in Attributes Allowed by Certain Plug-ins nsslapd-plugin-depends-on-type Multi-valued attribute, used to ensure that plug-ins are called by the server in the correct order.
  • Page 145: Nsslapd-Plugin-Depends-On-Named

    Database Plug-in Attributes nsslapd-plugin-depends-on-named Multi-valued attribute, used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the value of a plug-in. The plug-in whose value matches one of the following values will be started by the server prior to this plug-in.
  • Page 146: Database Attributes Under Cn=Config,Cn=Ldbm Database,Cn=Plugins,Cn=Config

    Database Plug-in Attributes All plug-in technology used by the database instances is stored in the cn=ldbm database plug-in node. This section presents the additional attribute information for each of the nodes in bold in the cn=ldbm database,cn=plugins,cn=config information tree. Database Attributes Under cn=config,cn=ldbm database,cn=plugins,cn=config Global configuration attributes common to all instances are stored in the...
  • Page 147: Nsslapd-Cache-Autosize

    Database Plug-in Attributes However, as tuning this attribute is a complex task and can severely degrade performance, it is advisable to keep the default value. For a more detailed explanation of the All IDs Threshold see Chapter 10, “Managing Indexes” in the Netscape Directory Server Administrator’s Guide.
  • Page 148: Nsslapd-Dbcachesize

    Database Plug-in Attributes Valid Range: Default Value: 66 (This will not necessarily optimize your operations) Syntax: Integer Example: nsslapd-cache-autosize-split: 66 nsslapd-dbcachesize This performance tuning related attribute specifies database cache size. Note that this is neither the index cache nor the entry cache. If you activate automatic cache resizing, you override this attribute, by replacing these values with its own guessed values at a later stage of the server startup.
  • Page 149: Nsslapd-Db-Circular-Logging

    Database Plug-in Attributes dse.ldif. To change the checkpoint interval, you add the attribute to dse.ldif. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, see Chapter 14, “Tuning Directory Server Performance” in the Netscape Directory Server Administrator’s Guide. This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Netscape Technical Support or Netscape Professional Services.
  • Page 150: Nsslapd-Db-Debug

    Database Plug-in Attributes nsslapd-db-debug Specifies whether additional error information is to be reported to Directory Server. To report error information, set the parameter to . Note that this parameter is meant for troubleshooting, and enabling the parameter may slow down the Directory Server. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Values:...
  • Page 151: Nsslapd-Db-Home-Directory

    Database Plug-in Attributes Syntax: DirectoryString Example: nsslapd-db-durable_transactions: on nsslapd-db-home-directory Applicable to Solaris only. Used to fix a situation in Solaris where the operating system endlessly flushes pages. This flushing can be so excessive that performance of the entire system is severely degraded. This situation will occur only for certain combinations of the database cache size, the size of physical memory, and kernel tuning attributes.
  • Page 152: Nsslapd-Db-Idl-Divisor

    Database Plug-in Attributes NOTE The directory referenced by the nsslapd-db-home-directory attribute must be a subdirectory of a file system of type tempfs (such as /tmp). However, Directory Server does not create the subdirectory referenced by this attribute. You must create the directory either manually or by using a script.
  • Page 153: Nsslapd-Db-Logbuf-Size

    Database Plug-in Attributes Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 0 to 8 Default Value: Syntax: Integer Example: nsslapd-db-idl-divisor: 2 nsslapd-db-logbuf-size Specifies the log information buffer size. Log information is stored in memory until the buffer fills up or the transaction commit forces the buffer to be written to disk. Larger buffer sizes can significantly increase throughput in the presence of long running transactions, highly concurrent applications, or transactions producing large amounts of data.
  • Page 154: Nsslapd-Db-Logfile-Size

    Database Plug-in Attributes For more information on database transaction logging, see Chapter 12, “Monitoring Server and Database Activity” in the Netscape Directory Server Administrator’s Guide. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Values: Any valid path and directory name Default Value: Syntax: DirectoryString Example: nsslapd-db-logdirectory: /logs/txnlog...
  • Page 155: Nsslapd-Db-Spin-Count

    Database Plug-in Attributes Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 512 bytes to 64 K bytes Default Value: 8K bytes Syntax: Integer Example: nsslapd-db-page-size: 8K bytes nsslapd-db-spin-count Specifies the number of times that test-and-set mutexes should spin without blocking. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 0 to 2^31-1...
  • Page 156: Nsslapd-Db-Transaction-Logging

    Database Plug-in Attributes durability, while also allowing transaction batching to be turned on and off remotely when desired. Bear in mind that the value you choose for this attribute may require you to modify the nsslapd-db-logbuf-size attribute to ensure sufficient log buffer size for accommodating your batched transactions. Also, the attribute is only valid if the nsslapd-db-transaction-batch-val...
  • Page 157: Nsslapd-Db-Verbose

    Database Plug-in Attributes Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 0 to 100 Default Value: Syntax: Integer Example: nsslapd-db-trickle-percentage: 40 nsslapd-db-verbose Specifies whether to record additional informational and debugging messages when searching the log for checkpoints, doing deadlock detection, and performing recovery.
  • Page 158: Nsslapd-Import-Cachesize

    Database Plug-in Attributes nsslapd-import-cachesize This performance tuning related attribute determines the size of the database cache used in the bulk import process. By setting this attribute value so that the maximum available system physical memory is used for the database cache during bulk importing, you can optimize bulk import speed.
  • Page 159: Database Attributes Under Cn=Monitor,Cn=Ldbm Database, Cn=Plugins,Cn=Config

    Database Plug-in Attributes Database Attributes Under cn=monitor,cn=ldbm database, cn=plugins,cn=config Global read-only attributes containing database statistics for monitoring activity on your databases are stored in the cn=monitor,cn=ldbm database,cn=plugins,cn=config tree node. For more information on these monitoring read-only entries see Chapter 12, “Monitoring Server and Database Activity” in the Netscape Directory Server Administrator’s Guide.
  • Page 160: Database Attributes Under Cn=Netscaperoot,Cn=Ldbm Database, Cn=Plugins,Cn=Config And Cn=Userroot,Cn=Ldbm Database, Cn=Plugins,Cn=Config

    Database Plug-in Attributes Database Attributes Under cn=NetscapeRoot,cn=ldbm database, cn=plugins,cn=config and cn=UserRoot,cn=ldbm database, cn=plugins,cn=config The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for, or if we prefer, the definition of, the databases containing the o=NetscapeRoot and o=France.Sun suffixes respectively. The cn=NetscapeRoot subtree contains the configuration data used by the Netscape Administration Server for authentication and all actions that cannot be performed through LDAP (such as start/stop) and the cn=UserRoot subtree contains all the configuration data for the user-defined...
  • Page 161: Nsslapd-Cachememsize

    Database Plug-in Attributes nsslapd-cachememsize This performance tuning related attribute specifies the cache size in terms of available memory space. Limiting cachesize in terms of memory occupied is the simplest method. By activating automatic cache resizing you override this attribute, replacing these values with its own guessed values at a later stage of the server startup.
  • Page 162: Nsslapd-Require-Index

    Database Plug-in Attributes Entry DN: cn=Netscaperoot,cn=ldbm database,cn=plugins,cn=config or cn=UserRoot,cn=ldbm database,cn=plugins,cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-readonly: off nsslapd-require-index When switched to on this attribute allows you to refuse non-indexed or allids searches. This performance related attribute avoids saturating the server with erroneous searches.
  • Page 163: Database Attributes Under Cn=Database,Cn=Monitor,Cn=Ldbm Database, Cn=Plugins,Cn=Config

    Database Plug-in Attributes Syntax: DirectoryString Example: nsslapd-suffix: o=Netscaperoot Database Attributes Under cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config The attributes in this tree node entry are all read-only, database performance counters. All of the values for these attributes are 32-bit integers. nsslapd-db-abort-rate Number of transactions that have been aborted. nsslapd-db-active-txns Number of transactions that are currently active.
  • Page 164: Nsslapd-Db-Deadlock-Rate

    Database Plug-in Attributes nsslapd-db-deadlock-rate Number of deadlocks detected. nsslapd-db-dirty-pages Dirty pages currently in the cache. nsslapd-db-hash-buckets Number of hash buckets in buffer hash table. nsslapd-db-hash-elements-examine-rate Total number of hash elements traversed during hash table lookups. nsslapd-db-hash-search-rate Total number of buffer hash table lookups. nsslapd-db-lock-conflicts Total number of locks not immediately available due to conflicts.
  • Page 165: Nsslapd-Db-Log-Write-Rate

    Database Plug-in Attributes nsslapd-db-log-write-rate Number of megabytes and bytes written to this log. nsslapd-db-longest-chain-length Longest chain ever encountered in buffer hash table lookups. nsslapd-db-page-create-rate Pages created in the cache. nsslapd-db-page-read-rate Pages read into the cache. nsslapd-db-page-ro-evict-rate Clean pages forced from the cache. nsslapd-db-page-rw-evict-rate Dirty pages forced from the cache.
  • Page 166: Database Attributes Under Cn=Default Indexes,Cn=Config,Cn=Ldbm Database, Cn=Plugins,Cn=Config

    Database Plug-in Attributes Database Attributes Under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config The set of default indexes is stored here. Default indexes are configured per backend in order to optimize Directory Server functionality for the majority of set up scenarios. All indexes, except system essential ones, can be removed, but care should be taken so as not to cause unnecessary disruptions.
  • Page 167: Nsmatchingrule

    Database Plug-in Attributes Valid Values: pres = presence index; eq = equality index; approx = approximate index; sub = substring index; matching rule = international index; index browse = browsing index. Default Value: Syntax: DirectoryString Example: nsindextype: eq nsMatchingRule This optional, multivalued attribute specifies the collation order object identifier (OID) required for the Directory Server to operate international indexing.
  • Page 168: Description

    Database Plug-in Attributes description This non-mandatory attribute provides a free-hand text description of what the index actually performs. Entry DN: cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config Valid Values: Default Value: None Syntax: DirectoryString Example: description:substring index Database Attributes Under cn=monitor,cn=Netscaperoot,cn=ldbm database,cn=plugins,cn=config Global, read-only entries for monitoring activity on the NetscapeRoot database. These attributes containing database statistics are given for each file that makes up your database.
  • Page 169: Dbfilepageout

    Database Plug-in Attributes dbfilepageout Number of pages for this file written from cache to disk. Database Attributes Under cn=index,cn=Netscaperoot,cn=ldbm database, cn=plugins,cn=config and cn=index,cn=UserRoot,cn=ldbm database, cn=plugins,cn=config In addition to the set of default indexes that are stored under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config, custom indexes can be created for and are stored under...
  • Page 170: Database Link Plug-In Attributes (Chaining Attributes)

    Database Link Plug-in Attributes (chaining attributes) dn:cn=aci,cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=confi objectclass:top objectclass:nsIndex cn=aci nssystemindex:true nsindextype:pres For details regarding the five possible indexing attributes see the section “Database Attributes Under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config,” on page 166. For further information about indexes see Chapter 10, “Managing Indexes” in the Netscape Directory Server Administrator’s Guide.
  • Page 171: Database Link Attributes Under Cn=Config,Cn=Chaining Database, Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=config,cn=chaining database, cn=plugins,cn=config Global configuration attributes common to all instances are stored in the cn=config,cn=chaining database,cn=plugins,cn=config tree node. nsActiveChainingComponents Lists the components using chaining. A component is any functional unit in the server.
  • Page 172: Nsmaxtestresponsedelay

    Database Link Plug-in Attributes (chaining attributes) nsMaxTestResponseDelay This error detection, performance related attribute specifies the duration of the test issued by the database link to check whether the remote server is responding. If a response from the remote server is not returned before this period has passed, the database link assumes the remote server is down and the connection is not used for subsequent operations.
  • Page 173: Database Link Attributes Under Cn=Default Instance Config,Cn=Chaining Database, Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=default instance config,cn=chaining database,cn=plugins,cn=config Default instance configuration attributes for instances are housed in the cn=default instance config,cn=chaining database,cn=plugins,cn=config tree node. nsAbandonedSearchCheckInterval Number of seconds that pass before the server checks for abandoned operations. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config...
  • Page 174: Nsbindretrylimit

    Database Link Plug-in Attributes (chaining attributes) nsBindRetryLimit Contrary to what the name suggests, this attribute does not specify the number of times a database link retries to bind with the remote server, but the number of times it tries to bind with the remote server. A value of 0 here indicates that the database link will only attempt to bind once.
  • Page 175: Nsconcurrentbindlimit

    Database Link Plug-in Attributes (chaining attributes) Syntax: DirectoryString Example: nschecklocalaci: on nsConcurrentBindLimit Maximum number of concurrent bind operations per TCP connection. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range: 1 to 25 binds Default Value: Syntax: Integer Example: nsconcurrentbindlimit:10 nsConcurrentOperationsLimit Specifies the maximum number of concurrent operations allowed.
  • Page 176: Nsoperationconnectionslimit

    Database Link Plug-in Attributes (chaining attributes) Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Range: 0 to limitless seconds (where 0 means forever) Default Value: Syntax: Integer Example: nsconnectionlife: 0 nsOperationConnectionsLimit Maximum number of LDAP connections the database link establishes with the remote server.
  • Page 177: Nsreferralonscopedsearch

    Database Link Plug-in Attributes (chaining attributes) nsReferralOnScopedSearch Controls whether or not referrals are returned by scoped searches. This attribute allows you to optimize your directory, because returning referrals in response to scoped searches is more efficient. Entry DN: cn=default instance config,cn=chaining database, cn=plugins,cn=config Valid Values: on | off...
  • Page 178: Database Link Attributes Under Cn=Database Link Instance Name,Cn=Chaining Database, Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=database link instance name,cn=chaining database, cn=plugins,cn=config This information node stores the attributes concerning the server containing the data. A farm server is a server which contains data on databases. This attribute can contain optional servers for failover, separated by spaces.
  • Page 179: Nsmultiplexorcredentials

    Database Link Plug-in Attributes (chaining attributes) Example: nsMultiplexerBindDN: cn=proxy manager nsMultiplexorCredentials Password for the administrative user, given in plain text. If no password is provided, it means that users can bind as anonymous. The password is encrypted in the configuration file. Please note that the example below is what you view, not what you type.
  • Page 180: Database Link Attributes Under Cn=Monitor,Cn=Database Instance Name,Cn=Chaining Database, Cn=Plugins,Cn=Config

    Database Link Plug-in Attributes (chaining attributes) Database Link Attributes Under cn=monitor,cn=database instance name,cn=chaining database, cn=plugins,cn=config Attributes used for monitoring activity on your instances are stored in the cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config information tree. nsAddCount Number of add operations received. nsDeleteCount Number of delete operations received.
  • Page 181: Nsunbindcount

    Retro Changelog Plug-in Attributes nsUnbindCount Number of unbinds received. nsCompareCount Number of compare operations received. nsOperationConnectionCount Number of open connections for normal operations. nsBindConnectionCount Number of open connections for bind operations. Retro Changelog Plug-in Attributes Two different types of changelogs are maintained by Directory Server 6.x. The first type, referred to as changelog, is used by multi-master replication and the second changelog, which is in fact a plug-in referred to as retro changelog, is intended for use by LDAP clients for maintaining application compatibility with Directory...
  • Page 182: Nsslapd-Changelogmaxage (Max Changelog Age)

    Retro Changelog Plug-in Attributes NOTE For performance reasons you will probably want to store this database on a different physical disk. Entry DN: cn=Retro Changelog Plugin,cn=plugins,cn=config Valid Values: Any valid path to the directory Default Value: None Syntax: DirectoryString Example: nsslapd-changelogdir: /var/slapd-serverID/changelog nsslapd-changelogmaxage (Max Changelog Age) Specifies the maximum age of any entry in the change log.
  • Page 183: Chapter 4 Server Instance File Reference

    Chapter 4 Server Instance File Reference This chapter provides an overview of the files that are specific to an instance of Netscape Directory Server (Directory Server)—the files stored under the serverRoot/slapd-serverID directory. Having an overview of the files and configuration information stored in each instance of Directory Server should help you understand the file changes or absence of file changes which occur in the course of directory activity.
  • Page 184 Overview of Directory Server Files Code Example 4-1 shows the contents of the serverRoot/slapd-serverID directory, where directories are marked with a and scripts are marked with an . See Chapter 8, “Command-Line Scripts” for further information on command-line scripts. Code Example 4-1 Contents of the serverRoot/slapd-serverID directory db2ldif* ns-inactivate.pl*...
  • Page 185: Backup Files

    Backup Files Backup Files Each Directory Server instance contains the following three directories for storing backup related files: • - contains a directory dated with the time and date of your database backup, for example 2001_02_13_174524/, which in turn holds your database backup copy.
  • Page 186: Ldif Files

    ldif Files • DBVERSION - used for storing the version of the database. • NetscapeRoot - this directory stores the o=NetscapeRoot database created by default at Typical installation. • userRoot - this directory stores the user-defined suffix (user-defined databases) created at Typical installation time, for example dc=example,dc=com. Code Example 4-3 shows a sample listing of the directory contents.
  • Page 187: Lock Files

    Lock Files Code Example 4-4 Contents of a sample ldif directory: ../ European.ldif Example.ldif Example-roles.ldif The following list describes the content of each of the ldif files: • European.ldif - contains European character samples. • Example.ldif - is a sample ldif file. •...
  • Page 188 Log Files Contents of a sample logs directory Code Example 4-6 access.20010126-120123 audit errors.rotationinfo access.20010130-140221 audit.rotationinfo access access.20010201-100122 errors slapd.stats access.20010124-180611 access.rotationinfo errors.20010124-180607 The following list describes the content of the log related files: • The content of the log files is dependent on the log access audit error...
  • Page 189: Chapter 5 Access Log And Connection Code Reference

    Chapter 5 Access Log and Connection Code Reference Netscape Directory Server (Directory Server) provides you with logs to help you monitor directory activity. Monitoring allows you to quickly detect and remedy failures and where done proactively, anticipate and resolve potential problems before they result in failure or poor performance.
  • Page 190: Access Logging Levels

    Access Log Content • Unbind record • Closed record Every line begins with a timestamp - [21/Apr/2001:11:39:51 -0700] - the format of which may vary depending on which platform you are using, where -0700 indicates the time difference in relation to GMT. Apart from the connection, closed and abandon records, which appear individually, all records appear in pairs, consisting of a request for service record followed by a result record.
  • Page 191: Default Access Logging Content

    Access Log Content For example, if you want to log internal access operations, entry access, and referrals, you would insert a value of 516 (512+4) in the nsslapd-accesslog-level configuration attribute. For further information on other access log configuration attributes, see “Core Server Configuration Attributes Reference,”...
  • Page 192: Connection Number

    Access Log Content Access Log Extract with Default Access Logging Level (level 256) Code Example 5-1 [21/Apr/2001:11:39:53 -0700] conn=13 op=2 ADD dn="cn=Sat Apr 21 11:39:51 MET DST 2001, dc=example,dc=com" [21/Apr/2001:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000 [21/Apr/2001:11:39:53 -0700] conn=13 op=3 EXT oid="2.16.840.1.113730.3.5.5"...
  • Page 193: Operation Number

    Access Log Content Operation Number To process a given LDAP request, Directory Server will perform the required series of operations. For a given connection, all operation request and operation result pairs are given incremental operation numbers beginning with op=0 to identify the distinct operations being performed.
  • Page 194: Number Of Entries

    Access Log Content tag=105 for a result from an add operation; tag=107 for a result from delete operation; tag=109 for a result from a moddn operation; tag=111 for a result from a compare operation; tag=115 indicates a search reference when the entry you perform your search on holds a referral to the entry you require.
  • Page 195: Ldap Response Type

    Access Log Content Note that if the LDAP request resulted in sorting of entries, then you will see SORT followed by the number of candidate entries that were sorted. See the serialno bold text in this example: [04/May/2002:15:51:46 -0700] conn=114 op=68 SORT serialno (1) The number enclosed in parentheses specifies the number of candidate entries that were sorted, which, in this case is 1.
  • Page 196: Search Scope

    Access Log Content If the client uses a position-by-value VLV request, the format for the first part, the request information, would be: beforeCount:afterCount:value The example below shows VLV-specific entries in bold: [07/May/2002:11:43:29 -0700] conn=877 op=8530 SRCH base="(ou=People)" scope=2 filter="(uid=*)" [07/May/2002:11:43:29 -0700] conn=877 op=8530 SORT uid [07/May/2002:11:43:29 -0700] conn=877 op=8530 VLV 0:5:0210 10:5397 [07/May/2002:11:43:29 -0700] conn=877 op=8530 RESULT err=0 tag=101 nentries=1 etime=0...
  • Page 197: Change Sequence Number

    Access Log Content Table 5-1 LDAPv3 Extended Operations supported by Directory Server. Extended Operation Name and Description: Directory Server 6.x Start Replication Request (2.16.840.1.113730.3.5.3): Sent by a replication initiator to indicate that a replication session is requested. Directory Server 6.x Replication Response (2.16.840.1.113730.3.5.4): Sent by a replication responder in response to a Start Replication...
  • Page 198: Message Id

    Access Log Content There are two possible ABANDON log messages depending on whether the message ID succeeds in locating which operation was to be aborted or not. If the message ID succeeds in locating the operation (the targetop) then the log will read as above. However, if the message ID does not succeed in locating the operation or if the operation had already finished prior to the...
  • Page 199: Access Log Content For Additional Access Logging Levels

    Access Log Content NOTE Note also that the authenticated DN (the DN used for access control decisions) is now logged in the BIND result line as opposed to the bind request line as was previously the case: [21/Apr/2001:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"...
  • Page 200: Connection Description

    Access Log Content Access log level 4 enables logging for internal operations which log the following items in addition to the details of the search being performed, including search base, scope, filter, and requested search attributes. In Code Example 5-3, access logging level 512 is enabled which logs access to entries and referrals.
  • Page 201: Common Connection Codes

    Common Connection Codes NOTE Directory Server access log now distinguishes between persistent and regular searches, which was not the case for previous Directory Server releases. In Code Example 5-4 both access logging level 512 and 4 are enabled, which results in both internal access operations, as well as entry access and referrals being logged.
  • Page 202: Ldap Result Codes

    LDAP Result Codes T2 = Server closed connection after ioblocktimeout period was exceeded U1 = Connection closed by server after client sends an UNBIND request. The server will always close the connection when it sees an UNBIND request. LDAP Result Codes LDAP has a set of result codes that it is useful to be familiar with.
  • Page 203 LDAP Result Codes LDAP Result Codes (Continued) Table 5-2 Result Code Defined Value NO_SUCH_OBJECT ALIAS_PROBLEM INVALID_DN_SYNTAX IS_LEAF ALIAS_DEREFERENCING_PROBLEM INAPPROPRIATE_AUTHENTICATION INVALID_CREDENTIALS INSUFFICIENT_ACCESS_RIGHTS BUSY UNAVAILABLE UNWILLING_TO_PERFORM LOOP_DEFECT NAMING_VIOLATION OBJECT_CLASS_VIOLATION NOT_ALLOWED_ON_NONLEAF NOT_ALLOWED_ON_RDN ENTRY_ALREADY_EXISTS OBJECT_CLASS_MODS_PROHIBITED AFFECTS_MULTIPLE_DSAS (LDAP v3) OTHER SERVER_DOWN LDAP_TIMEOUT PARAM_ERROR CONNECT_ERROR LDAP_NOT_SUPPORTED CONTROL_NOT_FOUND NO_RESULTS_RETURNED MORE_RESULTS_TO_RETURN...
  • Page 204 LDAP Result Codes LDAP Result Codes (Continued) Table 5-2 Result Code Defined Value REFERRAL_LIMIT_EXCEEDED
  • Page 205: Chapter 6 Migration From Earlier Versions

    Chapter 6 Migration from Earlier Versions This chapter is intended to provide a reference of the information migrated by the migrateInstance6 script. In the case of migration from a 4.x Netscape Directory Server (Directory Server) to a 6.x Directory Server, it describes the mapping of configuration parameters to configuration attributes and configuration entries in the new Directory Server.
  • Page 206: Server Attributes

    Migration from 4.x Directory Server to 6.x Server Attributes In Directory Server 4.x, configuration parameters are stored in the file slapd.conf under the serverRoot/slapd-serverID directory. The corresponding configuration attributes in Directory Server 6.x are stored in the cn=config entry. Table 6-1 shows the mapping of Directory Server 4.x configuration parameters to Directory Server 6.x configuration attributes.
  • Page 207 Migration from 4.x Directory Server to 6.x Table 6-1 Mapping of Legacy Server Parameters to Configuration Attributes (Continued). Legacy Configuration Parameter -> Directory Server Configuration Attribute: loglevel -> nsslapd-error-loglevel; errorlog-logexpirationtime -> nsslapd-errorlog-logexpirationtime; errorlog-logexpirationtimeunit -> nsslapd-errorlog-logexpirationtimeunit; errorlog-maxlogdiskspace -> nsslapd-errorlog-logmaxdiskspace; errorlog-minfreediskspace -> nsslapd-errorlog-logminfreediskspace; errorlog-logrotationtime -> nsslapd-errorlog-logrotationtime; errorlog-logrotationtimeunit -> nsslapd-errorlog-logrotationtimeunit; errorlog-maxlogsize -> nsslapd-errorlog-maxlogsize; errorlog-maxlogsperdir -> nsslapd-errorlog-maxlogsperdir...
  • Page 208 Migration from 4.x Directory Server to 6.x Table 6-1 Mapping of Legacy Server Parameters to Configuration Attributes (Continued). Legacy Configuration Parameter -> Directory Server Configuration Attribute: pw_inhistory -> passwordinHistory; pw_lockout -> passwordLockout; pw_lockduration -> passwordLockoutDuration; pw_maxage -> passwordMaxAge; pw_maxfailure -> passwordMaxFailure; pw_minage -> passwordMinAge; pw_minlength -> passwordMinLength; pw_must_change -> passwordMustChange; pw_reset_failurecount -> passwordResetFailureCount...
  • Page 209: Database Attributes

    Migration from 4.x Directory Server to 6.x Database Attributes In Directory Server 4.x, database parameters are stored in the slapd.ldbm.conf file under the serverRoot/slapd-serverID directory. Because one instance of Directory Server 5.x or 6.x can manage several databases, the corresponding attributes in Directory Server 5.x or 6.x are stored in a general entry for all databases (cn=config,cn=ldbm database,cn=plugins,cn=config) or in an entry specific to a particular database, of the form...
  • Page 210: Upgrade From Directory Server 5.X To 6.X

    Upgrade from Directory Server 5.x to 6.x Upgrade from Directory Server 5.x to 6.x In Directory Server 5.x and 6.x, the configuration information is stored in the same way. This section explains which configuration attributes are automatically migrated by the script, and which ones are not.
  • Page 211 Upgrade from Directory Server 5.x to 6.x Attributes in cn=config Automatically Migrated (Continued) Table 6-4 nsslapd-attribute_name_exceptions nsslapd-auditlog-logexpirationtime nsslapd-auditlog-logexpirationtimeunit nsslapd-auditlog-logmaxdiskspace nsslapd-auditlog-logminfreediskspace nsslapd-auditlog-logrotationtime nsslapd-auditlog-logrotationtimeunit nsslapd-auditlog-maxlogsize nsslapd-auditlog-maxlogsperdir nsslapd-certmap-basedn nsslapd-ds4-compatible-schema nsslapd-enquote_sup_oc nsslapd-errorlog-level nsslapd-errorlog-logexpirationtime nsslapd-errorlog-logexpirationtimeunit nsslapd-errorlog-logmaxdiskspace nsslapd-errorlog-logminfreediskspace nsslapd-errorlog-logrotationtime nsslapd-errorlog-logrotationtimeunit nsslapd-errorlog-maxlogsize nsslapd-errorlog-maxlogsperdir nsslapd-groupevalnestlevel nsslapd-idletimeout nsslapd-ioblocktimeout nsslapd-lastmod nsslapd-listenhost nsslapd-maxdescriptors (Not applicable on NT and AIX platforms) nsslapd-nagle...
  • Page 212 Upgrade from Directory Server 5.x to 6.x Attributes in cn=config Automatically Migrated (Continued) Table 6-4 nsslapd-plugin-depends-on-name nsslapd-plugin-depends-on-type nsslapd-referral nsslapd-reservedescriptors (Not applicable on NT and AIX platforms) nsslapd-rootpwstoragescheme nsslapd-schemacheck nsslapd-securePort nsslapd-security nsslapd-sizelimit nsslapd-SSL3ciphers nsslapd-timelimit passwordChange passwordCheckSyntax passwordExp passwordExpirationTime passwordHistory passwordInHistory passwordLockout passwordLockoutDuration passwordMaxAge passwordMaxFailure...
  • Page 213 Upgrade from Directory Server 5.x to 6.x Table 6-5 Attributes in cn=config not Migrated Attribute Name Reason for not Migrating Automatically nsslapd-localhost Already set up. nsslapd-localuser Configured during the installation process. nsslapd-port Configured during the installation process. nsslapd-rootdn Configured during the installation process. nsslapd-rootpw Configured during the installation process.
  • Page 214: Database Attributes

    Upgrade from Directory Server 5.x to 6.x Database Attributes All general database configuration attributes are automatically migrated. These attributes are stored in the entry cn=config,cn=ldbm database,cn=plugins,cn=config and are listed in Table 6-6. Database-specific attributes are stored in entries of the form cn=database instance .
  • Page 215: Database Link Attributes

    Upgrade from Directory Server 5.x to 6.x Database-Specific Attributes not Migrated (Continued) Table 6-8 Attribute Name Reason for not Migrating Automatically nsslapd-db-checkpoint-interval This attribute is provided only for system modification/diagnostics and should be changed only under guidance from Netscape Technical Support.
  • Page 216: Snmp Attributes

    Upgrade from Directory Server 5.x to 6.x Default Instance Database Link Attributes Automatically Migrated Table 6-10 nsBindTimeout nsBindRetryLimit nsHopLimit nsmaxresponsedelay nsmaxtestresponsedelay nsCheckLocalACI nsConcurrentBindLimit nsConcurrentOperationsLimit nsConnectionLife nsOperationConnectionslimit nsProxiedAuthorization nsReferralOnScopedSearch nsslapd-sizelimit nsslapd-timelimit SNMP Attributes All SNMP configuration attributes are automatically migrated. These attributes are stored in the entry , and are listed in Table 6-11.
  • Page 217: Chapter 7 Command-Line Utilities

    Chapter 7 Command-Line Utilities This chapter contains reference information on command-line utilities provided by Netscape Directory Server (Directory Server). These command-line utilities make it easy to perform administration tasks on the Directory Server. This chapter is divided into the following sections: •...
  • Page 218: Command-Line Utilities Quick Reference

    Command-Line Utilities Quick Reference NOTE In order to execute the command-line utilities, you must change to the directory where the command-line utilities are stored. Although it is possible to set command-path and library-path variables to execute the utilities, it is not recommended because you run the risk, particularly when you have more than one server version installed, of disrupting the correct execution of other utilities.
  • Page 219: Using Special Characters

    Using Special Characters Using Special Characters When using the ldapsearch command-line utility, you may need to specify values that contain characters that have special meaning to the command-line interpreter (such as space [ ], asterisk [*], backslash [\], and so forth). When this situation occurs, enclose the value in quotation marks ("").
  • Page 220: Ldapsearch

    ldapsearch ldapsearch is a configurable utility that enables you to locate and retrieve directory entries via LDAP. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on a specified search filter. Search scopes can include a single entry, an entry’s immediate subentries, or an entire tree or subtree.
  • Page 221 ldapsearch Option Description Specifies the hostname or IP address of the machine on which the Directory Server is installed. If you do not specify a host, ldapsearch uses the localhost. For example, -h mozilla. Specifies the maximum number of seconds to wait for a search request to complete.
  • Page 222: Ssl Options

    ldapsearch SSL Options You can use the following command-line options to specify that ldapsearch use LDAPS when communicating with your SSL-enabled Directory Server. You also use these options if you want to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured for your Directory Server.
  • Page 223: Additional Ldapsearch Options

    ldapsearch Option Description Specifies the path and filename of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled version of Netscape Communicator is configured, the path specified on this option can be that of the certificate database for Communicator.
  • Page 224 ldapsearch Option Description Virtual list search. Allows you to specify the number of entries before or after the search target, and the index or value of the first entry returned. For example, if you are sorting by surname, -G 20:30:johnson returns the first entry with a surname equal to or less than johnson, in addition to 20 entries that come before it and 30 entries that come after it.
  • Page 225: Ldapmodify

    ldapmodify Option Description Specifies that the output for individual values be formatted without line breaks and that equal signs “=” be used to separate attribute names from values. This argument produces output in a non-LDIF format. Specifies that referrals are not to be followed automatically. By default, referrals are followed automatically.
  • Page 226: Ldapmodify Options

    ldapmodify ldapmodify -D binddn [-w passwd] [-acmnrvFR] [-d debug_level] [-h host ] [-p port ] [-M auth_mechanism] [-Z] [-V version] [ -f file | [-l number_of_ldap_connections] < entryfile ] ldapmodify Options The following three sections list the options that can be specified with ldapmodify. The first section lists those options most commonly used, the second section lists SSL options, and the third lists less common options.
  • Page 227: Ssl Options

    ldapmodify Option Description Specifies the name of the host on which the server is running. For example, -h cyclops. Specifies the port number that the server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636. Causes each add to be performed silently as opposed to being echoed to the screen individually.
  • Page 228: Additional Ldapmodify Options

    ldapmodify Option Description Specifies the filename and path of the private key database of the client. In previous releases of Directory Server, except for when doing certificate-based authentication, it wasn’t necessary to specify the path to the key database (using the -K option). In this release of Directory Server, irrespective of the type of authentication being performed, you must specify the -K option when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate...
  • Page 229 ldapmodify Option Description Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as JPEG.
  • Page 230: Ldapdelete

    ldapdelete Option Description Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You can not perform an LDAP v3 operation against a Directory Server that only supports LDAP v2. Specifies the proxy DN to use for the modify operation.
  • Page 231: Ssl Options

    ldapdelete Option Description Specifies the name of the host on which the server is running. For example, -h cyclops. The default is localhost. Specifies the port number that the server uses. Default is 389. If -Z is used, the default is 636. Specifies the password associated with the distinguished name specified in the -D option.
  • Page 232: Additional Ldapdelete Options

    ldapdelete Option Description Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.
  • Page 233: Ldif

    ldif Option Description Specifies the maximum number of referral hops to follow. For example, -O 2. There is no maximum number of referral hops. Specifies that referrals are not to be followed automatically. By default, the server follows referrals. Specifies that the utility is to run in verbose mode. Specifies the LDAP version number to be used on the operation.
  • Page 234: Options

    dbscan Options Option Description Specifies that the ldif utility should interpret the entire input as a single binary value. If -b is not present, each line is considered to be a separate input value. As an alternative to the -b option, you can use the :< URL specifier notation, which is in fact simpler to use.
  • Page 235 dbscan Option Parameter Description Specifies that only the lengths of ID lists should be displayed (and not the contents). Specifies that only those index entries with ID lists exceeding the length specified by the -n option are to be displayed. Must be used with the option ( -G <n>...
  • Page 237: Chapter 8 Command-Line Scripts

    Chapter 8 Command-Line Scripts This chapter provides information on the scripts you can use to manage your directory, for example, backing up and restoring your database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A, “Using the ns-slapd and slapd.exe Command-Line Utilities.”...
  • Page 238: Command-Line Scripts Quick Reference

    Command-Line Scripts Quick Reference NOTE In order to execute the Perl scripts, you must change to the directory where the scripts are stored. Although it is possible to set command-path and library-path variables to execute the scripts, it is not recommended because you run the risk, particularly when you have more than one server version installed, of disrupting the correct execution of other utilities.
  • Page 239 Command-Line Scripts Quick Reference Commonly Used Command-Line Shell and Batch Scripts (Continued) Table 8-1 Command Line Script Description getpwenc Prints the encrypted form of a password using one of the server’s encryption algorithms. If a user cannot log in, you can use this script to compare the user’s password to the password stored in the directory.
  • Page 240 Command-Line Scripts Quick Reference Table 8-2 Commonly Used Command-Line Perl Scripts Command Line Perl Script Description bak2db.pl Restores the database from the most recent archived backup. Located in: serverRoot/slapd-serverID db2bak.pl Creates a backup of the current database contents. Located in: serverRoot/slapd-serverID Creates and regenerates indexes.
  • Page 241: Shell And Batch Scripts

    Shell and Batch Scripts Commonly Used Command-Line Perl Scripts (Continued) Table 8-2 Command Line Perl Script Description template-repl-monitor.pl Provides in-progress status of replication. Located in: serverRoot/bin/slapd/admin/scripts Shell and Batch Scripts This section covers the following scripts: • bak2db (Restore database from backup) •...
  • Page 242: Bak2Db (Restore Database From Backup)

    Shell and Batch Scripts When a Shell or Batch script has a Perl equivalent, there is a cross-reference to the section describing the equivalent Perl script. bak2db (Restore database from backup) Restores the database from the most recent archived backup. To run this script the server must be stopped.
  • Page 243: Db2Ldif (Export Database Contents To Ldif)

    Shell and Batch Scripts db2ldif (Export database contents to LDIF) Exports the contents of the database to LDIF. This script can be executed while the server is still running. For information on the equivalent Perl script, see “db2ldif.pl (Export database contents to LDIF),”...
  • Page 244: Db2Dsml (Export Database Contents To Dsml)

    Shell and Batch Scripts Option Parameter Description Use of several files for storing the output LDIF with each instance stored in instance filename (where file name is the file name specified for -a option). Delete, for reasons of backward compatibility, the first line of the LDIF file which gives the version of the LDIF standard.
  • Page 245: Db2Index (Reindex Database Index Files)

    Shell and Batch Scripts db2index (Reindex database index files) Reindexes the database index files. For information on the equivalent Perl script, see “db2index.pl (Create and generate indexes),” on page 256. Syntax Shell script (UNIX): db2index [-n backendInstance | {-s includeSuffix}* -t attributeName -T vlvAttribute] Batch file (Windows): db2index [-n backend_instance | {-s includeSuffix}* -t...
  • Page 246: Dsml2Db (Import Dsml Document Contents Into Database)

    Shell and Batch Scripts dsml2db (Import DSML document contents into database) Imports the contents of the DSML, version 1.0, document into the database. To run this script, the server must be stopped. Syntax Shell script (UNIX): dsml2db -n backendInstance | {-s includeSuffix}* [{-x excludeSuffix}*] {-i dsmlFile} Batch file (Windows): dsml2db -n backendInstance | {-s includeSuffix}* [{-x...
  • Page 247: Options

    Shell and Batch Scripts Options There are no options for this script. For more information on the different storage schemes, such as SSHA, CRYPT, CLEAR, see the Netscape Directory Server Administrator’s Guide. ldif2db (Import) Runs the slapd (Windows) or ns-slapd (Unix) command-line utility with the ldif2db keyword.
  • Page 248: Options

    Shell and Batch Scripts Options Option Parameter Description backendInstance Instance to be imported. Ensure that you specify an instance that corresponds to the suffix contained by the LDIF file because otherwise the data contained by the database is deleted and the import fails. includeSuffix Suffixes to be included or to specify the subtrees to be included if -n has been used.
  • Page 249: Ldif2Ldap (Perform Import Operation Over Ldap)

    Shell and Batch Scripts ldif2ldap (Perform import operation over LDAP) Performs an import operation over LDAP to the Directory Server. To run this script the server must be running. Syntax Shell script (UNIX): ldif2ldap -D rootdn -w password -f filename Batch file (Windows): ldif2ldap -D rootdn -w password -f filename Options...
  • Page 250: Restart-Slapd (Restart The Directory Server)

    Shell and Batch Scripts restart-slapd (Restart the Directory Server) Restarts the Directory Server. Syntax Shell script (UNIX): restart-slapd Batch file (Windows): restart-slapd Options There are no options for this script. Exit Status Server restarted successfully. Server could not be started. Server restarted successfully, but was already stopped.
  • Page 251: Syntax

    Shell and Batch Scripts Syntax Shell script (UNIX): restoreconfig Batch file (Windows): restoreconfig Options There are no options for this script. saveconfig (Save Administration Server Configuration) Saves Administration Server configuration information to the following directory: serverRoot/slapd-serverID/confbak Note that this script will only run if the server is running. Syntax Shell script (UNIX): saveconfig...
  • Page 252: Syntax

    Shell and Batch Scripts Syntax Shell script (UNIX): start-slapd Batch file (Windows): start-slapd Options There are no options for this script. Exit Status Server started successfully Server could not be started Server was already started stop-slapd (Stop the Directory Server) Stops the Directory Server.
  • Page 253: Suffix2Instance (Map Suffix To Backend Name)

    Shell and Batch Scripts Server could not be stopped. Server was already stopped. suffix2instance (Map Suffix to Backend Name) Maps a suffix to a backend name. Syntax Shell script (UNIX): suffix2instance {-s suffix} Batch file (Windows): suffix2instance {-s suffix} Options Suffix to be mapped to the backend.
  • Page 254: Options

    Perl Scripts Options You must specify either the or the option. Option Parameter Description debugLevel Specifies the debug level to use during index creation. Debug levels are defined in “nsslapd-errorlog-level (Error Log Level),” on page 56. Specifies the server configuration directory that contains the configuration information for the index creation process.
  • Page 255: Bak2Db.pl (Restore Database From Backup)

    Perl Scripts • ns-inactivate.pl (Inactivate an entry or group of entries) • template-cl-dump.pl (Dump and decode changelog) • template-repl-monitor.pl (Monitor replication status) bak2db.pl (Restore database from backup) Restores a database from a backup. Syntax Perl script (UNIX and Windows): bak2db.pl [-v] -D rootdn -w password -a backupDirectory] [-t databaseType] Options...
  • Page 256: Syntax

    Perl Scripts Syntax Perl script (UNIX and Windows): db2bak.pl [-v] -D rootdn -w password [-a dirName] Options The db2bak.pl script creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option. Currently, the only possible database type is ldbm. Option
  • Page 257: Options

    Perl Scripts Options The db2index.pl script creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option. Option Parameter Description Verbose mode. rootdn The user DN with root permissions, such as Directory Manager.
  • Page 258: Ldif2Db.pl (Import)

    Perl Scripts This Perl script, db2ldif.pl, creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option. Option Parameter Description Verbose mode. rootdn The user DN with root permissions, such as Directory Manager.
  • Page 259: Syntax

    Perl Scripts Syntax Perl script (UNIX and Windows): ldif2db.pl [-v] -D rootdn -w password -n backendInstance | {-s includeSuffix}* [{-x excludeSuffix}*] [-O] [-c] [-g string] [-G namespaceId] {-i filename}* Options Option Parameter Description rootdn Specifies the user DN with root permissions, such as Directory Manager.
  • Page 260: Logconv.pl (Log Converter)

    Perl Scripts Option Parameter Description namespaceId Generates a namespace ID as a name-based unique ID. This is the same as specifying the -g deterministic option. filename Specifies the filename of the input LDIF files. When you import multiple files, they are imported in the order in which you specify them on the command line.
  • Page 261 Perl Scripts Number of restarts FDs (file descriptors) taken FDs returned Total number of connections Highest FD taken Total operations requested Total results returned Disruptions: Results to requests ratio Broken pipes Connections reset by peer Number of searches Unavailable resources (and detail) Number of modifications Number of adds Total binds and types of binds...
  • Page 262: Syntax

    Perl Scripts Some information that is extracted by the logconv.pl script is available only in Directory Server 6.x logs: the corresponding values will be zero when analyzing logs from other versions. In addition, some information will only be present in the logs if verbose logging is enabled in your Directory Server.
  • Page 263: Options

    Perl Scripts Options The logconv.pl command-line options are described in the following table. The parameters without a preceding dash (-) at the end of the table will enable the optional lists of occurrences. Specify only those you need to limit the output and improve execution speed.
  • Page 264 Perl Scripts Option Parameter Description Enables the most verbose output. With this option, logconv.pl will compute and display all of the optional lists described below. Lists connection latency details (gives you an idea about the overall connection latency). Lists open connection ID statistics (gives you an idea about the FDs that are not yet closed).
  • Page 265: Migrateinstance6 (Migrate To Directory Server 6.X)

    Perl Scripts migrateInstance6 (Migrate to Directory Server 6.x) The migrateInstance6 script (note that this is a Perl script despite the fact that it does not have the .pl extension) migrates an instance of 4.x or 5.x Directory Server to Directory Server 6.x. When you run this script, it migrates the configuration files or configuration entries, database instances, and schema with minimum manual intervention.
  • Page 266: Ns-Accountstatus.pl (Establish Account Status)

    Perl Scripts Option Parameter Description oldInstancePath Specifies the path to the legacy (4.x or 5.x) Directory Server instance. For example: /usr/netscape/server4/slapd-phonebook. newInstancePath Specifies the path to the new (6.x) Directory Server instance. For example: /usr/netscape/servers/slapd-phonebook. Specifies the trace level. The trace level is set to 0 by default with a valid range of 0 to 3.
  • Page 267: Ns-Activate.pl (Activate An Entry Or Group Of Entries)

    Perl Scripts Option Parameter Description host Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed. Specifies the entry DN or role DN whose status is required. ns-activate.pl (Activate an entry or group of entries) Activates an entry or group of entries.
  • Page 268: Syntax

    Perl Scripts Syntax Perl script (UNIX and Windows): ns-inactivate.pl [-D rootdn] -w password [-p port] [-h host] -I DN Options Option Parameter Description rootdn Specifies the Directory Server user DN with root permissions, such as Directory Manager. password Specifies the password associated with the user DN. port Specifies the Directory Server’s port.
  • Page 269: Options

    Perl Scripts Options In the absence of the option, the script must be run when the Directory Server is running and from a location from which the server’s change-log directory is accessible. Option Parameter Description host Specifies the Directory Server’s host. Defaults to the server where the script is running.
  • Page 270: Syntax

    Perl Scripts Syntax Perl script (UNIX and Windows): template-repl-monitor.pl -h host -p port -f configFile [-u refreshUrl] [-t refreshInterval] [-r] [-v] Options Option Parameter Description host Specifies the initial replication supplier’s host. The default value is the current hostname. port Specifies the initial replication supplier’s port.
  • Page 271: Configuration File Format

    Perl Scripts Configuration File Format The configuration file defines the following: • The connection parameters for connecting to the LDAP servers to get replication information; specifying this information is mandatory. • The server alias for more readable server names; specifying this information is optional.
  • Page 272 Perl Scripts You may also choose to display CSN time lags between masters and consumers in different colors based on their range. The default color set is green for 0-5 minutes lag, yellow for 5-60 minutes lag, and pink for a lag of 60 minutes and more. Note that the connection parameters for all the servers in a replication topology must be specified within one configuration file.
  • Page 273: Appendix A Using The Ns-Slapd And Slapd.exe Command-Line Utilities

    Appendix A Using the ns-slapd and slapd.exe Command-Line Utilities In Chapter 8, “Command-Line Scripts,” we looked at the scripts for performing routine administration tasks on the Netscape Directory Server (Directory Server). In this Appendix we will look at the command-line utilities ns-slapd and slapd that can also be used to perform the same tasks.
  • Page 274: Ns-Slapd (Unix)

    Finding and Executing the ns-slapd and slapd.exe Command-Line Utilities ns-slapd (UNIX) ns-slapd is used on a Unix operating system to start the directory server process, to build a directory database from an LDIF file, or to convert an existing database to an LDIF file.
  • Page 275: Ns-Slapd And Slapd.exe Command-Line Utilities For Exporting Databases

    ns-slapd and slapd.exe Command-Line Utilities for Exporting Databases ns-slapd and slapd.exe Command-Line Utilities for Exporting Databases db2ldif Exports the contents of the database to LDIF. Syntax Shell script (UNIX): ns-slapd db2ldif -D configDir -a outputFile [-d debugLevel] [-n backendInstance] [-r] [-s includeSuffix] [-x excludeSuffix] [-N] [-u] [-U] Batch file (Windows): slapd.exe db2ldif -D configDir -a outputFile...
  • Page 276 ns-slapd and slapd.exe Command-Line Utilities for Exporting Databases Option Parameter Description Causes the server to include the copiedFrom attribute and its contents in the LDIF output when importing the LDIF file to a consumer server. This information is required by the server by the replication process.
  • Page 277: Ns-Slapd And Slapd.exe Command-Line Utilities For Restoring And Backing Up Databases

    ns-slapd and slapd.exe Command-Line Utilities for Restoring and Backing up Databases ns-slapd and slapd.exe Command-Line Utilities for Restoring and Backing up Databases ldif2db Imports LDIF files to the database. Syntax Shell script (UNIX): ns-slapd ldif2db -D configDir -i ldifFile [-d debugLevel] [-g string] [-n backendInstance] -O [-s includeSuffix] [-x excludeSuffix] Batch file (Windows): slapd ldif2db -D configDir -i ldifFile [-d debugLevel]...
  • Page 278 ns-slapd and slapd.exe Command-Line Utilities for Restoring and Backing up Databases Option Parameter Description string Generation of a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name based. By default a time based unique ID is generated.
  • Page 279: Archive2Db

    ns-slapd and slapd.exe Command-Line Utilities for Restoring and Backing up Databases Option Parameter Description excludeSuffix Allows you to specify suffixes within the LDIF file to exclude during the import. You can use multiple -x arguments. This option lets you selectively import portions of the LDIF file. If you use both -x and -s with the same suffix, -x takes precedence.
  • Page 280: Options

    ns-slapd and slapd.exe Command-Line Utilities for Restoring and Backing up Databases Options Option Parameter Description configDir Specifies the location of the server configuration directory that contains the configuration information for the index creation process. You must specify the full path to the slapd-serverID directory.
  • Page 281: Ns-Slapd And Slapd.exe Command-Line Utilities For Creating And Regenerating Indexes

    ns-slapd and slapd.exe Command-Line Utilities for Creating and Regenerating Indexes ns-slapd and slapd.exe Command-Line Utilities for Creating and Regenerating Indexes db2index Creates and regenerates indexes. Syntax Shell script (UNIX): slapd db2index -D configDir [-d debugLevel] -n backendName -t attributeName[:indexTypes[:matchingRules]] | [-T vlvTag] Batch file (Windows): slapd db2index -D configDir [-d debugLevel]...
  • Page 282 ns-slapd and slapd.exe Command-Line Utilities for Creating and Regenerating Indexes Option Parameter Description attributeName Specifies the attribute to be indexed as well as the types of indexes to create and matching rules to apply (if any). If you want to specify a matching rule, you must specify an index type. You cannot use this option with option -T.
  • Page 283: Glossary

    Glossary access control instruction See ACI. ACI Access Control Instruction. An instruction that grants or denies permissions to entries in the directory. access control list See ACL. ACL Access control list. The mechanism for controlling access to your directory. access rights In the context of access control, specify the level of access granted or denied.
  • Page 284 attribute Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value. attribute list A list of required and optional attributes for a given entry type or object class.
  • Page 285 browser Software, such as Netscape Navigator, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server. browsing index Otherwise known as the virtual view index, speeds up the display of entries in the Directory Server Console.
  • Page 286 CIR See consumer-initiated replication. class definition Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory. class of service See CoS. classic CoS A classic CoS identifies the template entry by both its DN and the value of one of the target entry’s attributes.
  • Page 287 DAP Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory. Data Master The server that is the master source of a particular piece of data. database link An implementation of chaining. The database link behaves like a database but has no persistent storage.
  • Page 288 DNS alias A DNS alias is a hostname that the DNS server knows points to a different host—specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as might point to a real machine called www.[yourdomain].[domain] where the server currently exists.
  • Page 289 HTML Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as the Netscape Navigator how to display text, position graphics and form items, and display links to other pages. HTTP Hypertext Transfer Protocol.
  • Page 290 LDAPv3 Version 3 of the LDAP protocol, upon which Directory Server bases its schema format LDAP client Software used to request and view LDAP entries from an LDAP Directory Server. See also browser. LDAP Data Interchange Format See LDAP Data Interchange Format. LDAP URL Provides the means of locating directory servers using DNS and then completing the query via LDAP.
  • Page 291 matching rule Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use. MD5 A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data, that is unique with high probability, and is mathematically extremely hard to produce a piece of data that will produce the same message digest.
  • Page 292 network management station See NMS. NIS Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, file systems, and network parameters throughout a network of computers. NMS Network Management Station.
  • Page 293 permission In the context of access control, the permission states whether access to the directory information is granted or denied, and the level of access that is granted or denied. See access rights. PDU Protocol Data Unit. Encoded messages which form the basis of data exchanges between SNMP devices.
  • Page 294 RDN Relative distinguished name. The name of the actual entry itself, before the entry’s ancestors have been appended to the string to form the full distinguished name. referential integrity Mechanism that ensures that relationships between related entries are maintained within the directory. referral (1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP server that can process the request.
  • Page 295 root The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine. root suffix The parent of one or more sub suffixes. A directory tree can contain more than one root suffix. schema Definitions describing what types of information can be stored as entries in the directory.
  • Page 296 single-master replication The most basic replication scenario in which two servers each hold a copy of the same read-write replicas to consumer servers. In a single-master replication scenario, the supplier server maintains a change log. SIR See supplier-initiated replication. slapd LDAP Directory Server daemon or service that is responsible for most functions of a directory except replication.
  • Page 297 supplier server In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica. supplier-initiated replication Replication configuration where supplier servers replicate directory data to consumer servers. symmetric encryption Encryption that uses the same key for both encrypting and decrypting.
  • Page 298 virtual list view index Otherwise known as a browsing index, speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branchpoint in the directory tree to improve display performance. X.500 standard The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementations.
  • Page 308 nsDS5ReplicaChangesSentSinceStartup nsRenameCount attribute 180 attribute 102 nsSearchBaseCount attribute 180 nsDS5ReplicaCredentials attribute 103 nsSearchOneLevelCount attribute 180 nsDS5ReplicaHost attribute 103 nsSearchSubtreeCount attribute 180 nsDS5ReplicaID attribute 98 nsSizeLimit attribute 177 nsDS5ReplicaLastInitEnd attribute 103 ns-slapd and slapd.exe command-line utilities nsDS5ReplicaLastInitStart attribute 104 archive2db 279 db2archive 280 nsDS5ReplicaLastInitStatus attribute 104 db2ldif 275...
  • Page 309 nsslapd-auditlog-logrotationtime attribute 51 nsslapd-db-logdirectory attribute 153 nsslapd-auditlog-logrotationtimeunit attribute 51 nsslapd-db-logfile-size attribute 154 nsslapd-auditlog-maxlogsize attribute 52 nsslapd-db-log-region-wait-rate attribute 164 nsslapd-auditlog-maxlogsperdir attribute 52 nsslapd-db-log-write-rate attribute 165 nsslapd-backend attribute 95 nsslapd-db-longest-chain-length attribute 165 nsslapd-cache-autosize attribute 147 nsslapd-dbncache attribute 157 nsslapd-cache-autosize-split attribute 147 nsslapd-db-page-create-rate attribute 165 nsslapd-cachememsize attribute 161 nsslapd-db-page-ro-evict-rate attribute 165 nsslapd-cachesize attribute 160...
  • Page 310 nsslapd-lastmod attribute 65 nsslapd-timelimit attribute 80 nsslapd-listenhost attribute 66 nsslapd-versionstring attribute 81 nsslapd-localhost attribute 66 nssnmpcontact attribute 112 nsslapd-localuser attribute 67 nssnmpdescription attribute 112 nsslapd-maxbersize attribute 67 nssnmpenabled attribute 111 nsslapd-maxdescriptors attribute 67 nssnmplocation attribute 112 nsslapd-maxthreadsperconn attribute 69 nssnmpmasterhost attribute 113 nsslapd-mode attribute 158 nssnmpmasterport attribute 113 nsslapd-nagle attribute 69...
  • Page 311 passwordMaxAge attribute 84 nsLookThroughLimit 146 nsMatchingRule 167 passwordMaxFailure attribute 85 nsMaxResponseDelay 171 passwordMinAge attribute 85 nsMaxTestResponseDelay 172 passwordMinLength attribute 85 nsModifyCount 180 passwordMustChange attribute 86 nsMultiplexorBindDN 178 passwordResetFailureCount attribute 86 nsMultiplexorCredentials 179 passwords nsOperationConnectionCount 181 root 75 nsOperationConnectionsLimit 176 passwordStorageScheme attribute 87 nsProxiedAuthorization 176 nsReferralOnScopedSearch 177 passwordUnlock attribute 87...
  • Page 312 nsslapd-db-logbuf-size 153 nsslapd-db-log-bytes-since-checkpoint 164 read-only monitoring configuration attributes nsslapd-db-logdirectory 153 backendMonitorDN 110 nsslapd-db-logfile-size 154 bytessent 110 nsslapd-db-log-region-wait-rate 164 connection 109 nsslapd-db-log-write-rate 165 currentconnections 109 nsslapd-db-longest-chain-length 165 currenttime 110 nsslapd-dbncache 157 dtablesize 109 nsslapd-db-page-create-rate 165 entriessent 110 nsslapd-db-page-ro-evict-rate 165 nbackends 110 nsslapd-db-page-rw-evict-rate 165 opscompleted 110 nsslapd-db-pages-in-use 165...
  • Page 313 nsDS5ReplicaID 98 slapd.conf file nsDS5ReplicaLegacyConsumer 98 converting to LDIF format 32 nsDS5ReplicaName 98 location of 32 nsDS5ReplicaPurgeDelay 99 root password and 75 nsDS5ReplicaReferral 99 slapd.ldbm.conf file nsDS5ReplicaRoot 99 converting to LDIF format 32 nsDS5ReplicaTombstonePurgeInterval 100 smart referrals nsDS5ReplicaType 100 ldapsearch option 224 nsState 101 SNMP configuration attributes object classes 96...
  • Page 314 quick reference 240 template-repl-monitor.pl command-line perl script 269 quick reference 241 totalconnections attribute 109 uniqueid generator configuration attributes nsstate 114 uniqueid generator configuration entries cn=uniqueid generator 113 vlvindex command-line shell and batch script 253 quick reference 239 Netscape Directory Server Configuration, Command, and File Reference • August 2002...
