Summary of Contents for Netscape NETSCAPE DIRECTORY SERVER 6.2
Configuration, Command, and File Reference Netscape Directory Server Version 6.2 December 2003...
Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law.
About This Reference Guide Netscape Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
• SNMP Agent—Permits you to monitor Directory Server in real time using the Simple Network Management Protocol (SNMP).
• Online backup and restore—Allows you to create backups and restore from backups while the server is running.
Prerequisite Reading This reference guide does not describe many of the basic directory and architectural concepts that you need to successfully design, implement, and administer your directory service.
Conventions Used In This Reference Guide This section explains the conventions used in this book. Monospaced font—This typeface is used for any text that appears on the computer screen or text that you should type. It is also used for filenames, functions, and examples.
Related Information • Netscape Directory Server Deployment Guide. Provides an overview for planning your deployment of the Directory Server. Includes deployment examples. • Netscape Directory Server Administrator’s Guide. Procedures for the day-to-day maintenance of your directory service. Includes information on configuring server-side plug-ins.
Chapter 1 Introduction This chapter provides a brief overview of the configuration and administration utilities provided to manage the Netscape Directory Server (Directory Server). This chapter is divided into the following sections: • Overview of Directory Server Management (page 23) •...
This reference manual deals with the other methods of managing the Directory Server, namely altering the server configuration attributes via the command line and using the command-line utilities. Directory Server Configuration The format and method for storing configuration information for Directory Server mark a significant change from previous versions of the Directory Server.
Using Directory Server Command-Line Utilities Directory Server comes with a set of configurable command-line utilities that you can use to search and modify entries in the directory and administer the server. Chapter 7, “Command-Line Utilities” describes these command-line utilities and contains information on where the utilities are stored and how to access them.
Using Directory Server Command-Line Scripts
Chapter 2 Core Server Configuration Reference The configuration information for Netscape Directory Server (Directory Server) is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files.
Server Configuration - Overview Many of the features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax plug-in is contained in this entry:...
LDIF Configuration Files - Location The Directory Server configuration data is automatically output to files in LDIF format that are located in the following directory: serverRoot/slapd-serverID/config Thus, if you specified a server identifier of phonebook, for example, then in a default installation, your configuration LDIF files are all stored under: /usr/netscape/servers/slapd-phonebook/config...
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: on
nsslapd-localhost: phonebook.example.com
nsslapd-errorlog: /usr/netscape/servers/slapd-phonebook/logs/errors
nsslapd-schemacheck: on
nsslapd-store-state-info: on
nsslapd-port: 389
nsslapd-localuser: nobody
Configuration of Plug-in Functionality The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the cn=plugins,cn=config subtree.
For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart, see Chapter 3, “Plug-in Implemented Server Functionality Reference.” Configuration of Databases The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for...
Accessing and Modifying Server Configuration Migration of Pre-Directory Server 6.x Configuration Files to LDIF Format The Directory Server will only recognize configuration files that are in the LDIF format, which means that the slapd.conf and slapd.ldbm.conf configuration files from 4.x versions of Directory Server must be converted to the LDIF format.
NOTE If you edit the dse.ldif file, you must stop the server beforehand, otherwise your changes will be lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See “Configuration Changes Requiring Server Restart”...
Core Server Configuration Attributes Reference Code Example 2-4 Disabling the Telephone Syntax Plug-in
ldapmodify -D bindDN -w password
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
Restrictions to Modifying Configuration Entries and Attributes Certain restrictions apply when modifying server entries and attributes: •...
Figure 2-2 Directory Information Tree Showing Configuration Data The list of configuration tree nodes covered in this section is as follows: • cn=config • cn=changelog5 • cn=encryption • cn=features • cn=mapping tree • cn=monitor • cn=replication •...
cn=config General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from the extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry.
Default Value: Syntax: Integer Example: nsslapd-accesslog-level: 256 nsslapd-accesslog-list This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation. Entry DN: cn=config Valid Values: Default Value: None Syntax: DirectoryString Example:...
Default Value: Syntax: Integer Example: nsslapd-accesslog-logexpirationtime: 2 nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit) Specifies the units for the nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire. Entry DN: cn=config Valid Values: month | week | day...
Attributes in dse.ldif Value Logging Enabled or Disabled nsslapd-accesslog-logging-enabled Disabled nsslapd-accesslog filename Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-accesslog-logging-enabled: off nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space) Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume.
nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space) Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access log is deleted until enough disk space is freed to satisfy this attribute.
nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour) Specifies the hour of the day for rotating access logs. This attribute must be used in conjunction with the nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes. Entry DN: cn=config Valid Range: 0 through 23 Default Value: Syntax: Integer...
the nsslapd-accesslog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See “nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)” on page 45 for more information. Entry DN: cn=config Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647) where a value...
Entry DN: cn=config Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size. Default Value: Syntax: Integer Example: nsslapd-accesslog-maxlogsize: 100 nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files) Specifies the total number of access logs that can be contained in the directory...
nsslapd-accesslog-mode (Access Log File Permission) Specifies the access mode or file permission with which access log files are to be created. The valid values are any combination of 000 to 777, as they mirror numbered or absolute UNIX file permissions. That is, the value must be a combination of a 3-digit number, the digits varying from 0 through 7: 0 - None 1 - Execute only...
Example: nsslapd-attribute-name-exceptions: on nsslapd-auditlog (Audit Log) Specifies the pathname and filename of the log used to record changes made to each database. Entry DN: cn=config Valid Values: Any valid filename Default Value: serverRoot/slapd-serverID/logs/audit Syntax: DirectoryString Example: nsslapd-auditlog: /usr/netscape/servers/slapd-phonebook/logs/audit...
Entry DN: cn=config Valid Values: Default Value: None Syntax: DirectoryString Example: nsslapd-auditlog-list: auditlog2,auditlog3 nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time) Specifies the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units.
Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-auditlog-logging-enabled: off For audit logging to be enabled, this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on.
Entry DN: cn=config Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means that the disk space allowed to the audit log is unlimited in size. Default Value: Syntax: Integer...
For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to on and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0. Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString...
Syntax: Integer Example: nsslapd-auditlog-logrotationsyncmin: 30 nsslapd-auditlog-logrotationtime (Audit Log Rotation Time) Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units.
Example: nsslapd-auditlog-logrotationtimeunit: day nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size) Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That is, the server starts writing log information to a new log file.
Valid Range: 1 to the maximum 32 bit integer value (2147483647) Default Value: Syntax: Integer Example: nsslapd-auditlog-maxlogsperdir: 10 nsslapd-auditlog-mode (Audit Log File Permission) Specifies the access mode or file permissions with which audit log files are to be created.
nsslapd-certmap-basedn (Certificate Map Search Base) This attribute can be used when client authentication is performed using SSL certificates in order to avoid limitations of the security subsystem certificate mapping, configured in the certmap.conf file. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree...
Consider increasing the value of this attribute if Directory Server is refusing connections because it is out of connection slots. When this occurs, the following message is written to the Directory Server’s error log file: listening for new connections -- too many fds open A server restart is required for the change to take effect.
That is, the Directory Server publishes objectclasses attributes in the cn=schema entry as follows: objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) ) However, RFC 2252 indicates that this attribute should be published as follows: objectclasses: ( 2.5.6.6 NAME 'person'...
This log will contain differing amounts of information depending on the current setting of the Log Level attribute. See “nsslapd-errorlog-level (Error Log Level)” on page 58 for more information. Entry DN: cn=config Valid Values: Any valid filename Default Value: serverRoot/slapd-serverID/logs/error Syntax:...
To turn logging off, remove the nsslapd-errorlog-level attribute from dse.ldif and restart the Directory Server. Entry DN: cn=config Valid Values: 1 = Trace function calls. Logs a message when the server enters and exits a function. 2 = Debug packet handling 4 = Heavy trace output debugging 8 = Connection management...
Default Value: None Syntax: DirectoryString Example: nsslapd-errorlog-list: errorlog2,errorlog3 nsslapd-errorlog-logexpirationtime (Error Log Expiration Time) Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit attribute.
Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-errorlog-logging-enabled: on nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space) Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted. When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation.
Example: nsslapd-errorlog-logminfreediskspace: 5 nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled) Specifies whether error log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way enables you to generate log files at a specified time during a day, say midnight to midnight every day, making analysis of the log files much easier because they then map directly to the calendar.
nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute) Specifies the minute of the day for rotating error logs. This attribute must be used in conjunction with the nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsynchour attributes. Entry DN: cn=config Valid Range: 0 through 59 Default Value: Syntax: Integer...
nsslapd-errorlog-logrotationtime (Error Log Rotation Time) Specifies the time between error log file rotations. The error log will be rotated when this time interval is up, regardless of the current size of the error log. This attribute supplies only the number of units.
nsslapd-errorlog-maxlogsize (Maximum Error Log Size) Specifies the maximum error log size in megabytes. When this value is reached, the error log is rotated. That is, the server starts writing log information to a new log file.
Syntax: Integer Example: nsslapd-errorlog-maxlogsperdir: 10 nsslapd-errorlog-mode (Error Log File Permission) Specifies the access mode or file permissions with which error log files are to be created. The valid values are any combination of 000 to 777, as they mirror numbered or absolute UNIX file permissions.
Entry DN: cn=config Valid Range: 0 to 5 Default Value: Syntax: Integer Example: nsslapd-groupevalnestlevel: 5 nsslapd-idletimeout (Default Idle Timeout) Specifies the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 indicates that the server will never close idle connections.
nsslapd-ioblocktimeout (IO Block Time Out) Specifies the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
nsslapd-listenhost (Listen to IP Address) Allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). Provide the hostname which corresponds to the IP interface you want to specify as a value for this attribute.
Default Value: To run as the same user who started the Directory Server. Syntax: DirectoryString Example: nsslapd-localuser: nobody nsslapd-maxbersize (Maximum Message Size) Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by the Directory Server.
The number that you specify here should not be greater than the total number of file descriptors that your operating system allows the ns-slapd process to use. This number will differ depending on your operating system. Some operating systems allow you to configure the number of file descriptors available to a process.
Default Value: Syntax: Integer Example: nsslapd-maxthreadsperconn: 5 nsslapd-nagle When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies, namely the sending of data is delayed, in the hope that this will enable additional data to be grouped into one packet of the underlying network MTU size (typically 1500 bytes for...
nsslapd-port (Port Number) TCP/IP port number used for LDAP communications. If you want to run SSL/TLS over this port you can do so through the Start TLS extended operation. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number.
If this attribute has a value of on, the server will check for password policies at the subtree- and user-level and enforce those policies. (This feature was introduced in the Directory Server 6.2 release.) Entry DN: cn=config Valid Values: on | off...
In this case, the referral would be passed back to the client in an attempt to allow the LDAP client to locate a database that contains the requested entry. Although only one referral is allowed per Directory Server instance, this referral can have multiple values.
This read-only attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication. The number of file descriptors that the server reserves for this purpose subtracts from the total number of file descriptors available for servicing LDAP client connections (see “nsslapd-maxdescriptors (Maximum File Descriptors)”...
ReplicationDescriptor: NSupplierReplica + 8 (where NSupplierReplica is the number of replicas in the server that can act as a supplier (hub or master)).
ChainingBackendDescriptors: NchainingBackend * nsOperationConnectionsLimit (where nsOperationConnectionsLimit is configurable in the database link (chaining) configuration and 10 by default).
PTADescriptors: 3 if PTA is configured, 0 if PTA is not configured.
5 (4 files + 1 listensocket) if SSL is configured, 0 if...
nsslapd-rootdn (Manager DN) Specifies the distinguished name (DN) of an entry that is not subject to access-control restrictions, administrative limit restrictions for operations on the directory or resource limits in general. The attributes nsslapd-sizelimit, and do not apply to this DN either.
Default Value: Syntax: DirectoryString {encryption_method} encrypted_Password Example: nsslapd-rootpw: {SSHA}9Eko69APCJfF nsslapd-rootpwstoragescheme (Root Password Storage Scheme) Available only from the server console. This attribute indicates the encryption method used for the root password. Entry DN: cn=config Valid Values: Any encryption method as described in “passwordStorageScheme (Password Storage Scheme)”...
Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-schema-ignore-trailing-spaces: on nsslapd-schemacheck (Schema Checking) Specifies whether the database schema will be enforced during entry insertion or modification. When this attribute has a value of on, Directory Server will not check the schema of existing entries until they are modified.
nsslapd-schemareplace Determines whether modify operations that replace attribute values are allowed on the cn=schema entry. Entry DN: cn=config Valid Values: on | off | replication-only Default Value: replication-only Syntax: DirectoryString Example: nsslapd-schemareplace: replication-only nsslapd-securelistenhost Allows multiple Directory Server instances to run, using secure SSL/TLS connections, on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine).
Valid Range: 1 to 65535 Default Value: Syntax: Integer Example: nsslapd-securePort: 636 nsslapd-security (Security) Specifies whether the Directory Server is to accept SSL/TLS communications on its encrypted port. This attribute should be set to on if you want secure connections.
Entry DN: cn=config Valid Range: -1 to the maximum 32 bit integer value (2147483647) Default Value: 2000 Syntax: Integer Example: nsslapd-sizelimit: 2000 nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections) Specifies whether an SSL-enabled Directory Server (with certificate based client authentication turned on) should verify authenticity of a request by matching the hostname against the value assigned to the Common Name (CN) attribute of the subject name in the certificate being presented.
nsslapd-threadnumber (Thread Number) Defines the number of operation threads that the Directory Server will create during startup. The nsslapd-threadnumber value should be increased if you have many directory clients performing time-consuming operations such as add or modify, as this ensures that there are other threads available for servicing short-lived operations such as simple searches.
Example: nsslapd-timelimit: 3600 nsslapd-versionstring Specifies the server version number. Entry DN: cn=config Valid Values: Any valid server version number. Default Value: Syntax: DirectoryString Example: nsslapd-versionstring: Netscape-Directory/6.2 passwordChange (Password Change) Indicates whether users may change their passwords. For more information on password policies, see Chapter 7, “User Account Management”...
Entry DN: cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: passwordCheckSyntax: off passwordExp (Password Expiration) Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of seconds after which the password will expire using the passwordMaxAge attribute.
Default Value: Syntax: DirectoryString Example: passwordHistory: on passwordInHistory (Number of Passwords to Remember) Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled.
Default Value: Syntax: DirectoryString Example: passwordLockout: off passwordLockoutDuration (Lockout Duration) Indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user’s password.
passwordMaxFailure (Maximum Password Failures) Indicates the number of failed bind attempts after which a user will be locked out of the directory. By default, account lockout is disabled. You can enable account lockout by modifying the passwordLockout attribute.
Syntax: Integer Example: passwordMinLength: 6 passwordMustChange (Password Must Change) Indicates whether users must change their passwords when they first bind to the Directory Server, or when the password has been reset by the "Manager DN". For more information on password policies, see Chapter 7, “User Account Management”...
passwordStorageScheme (Password Storage Scheme) Specifies the type of encryption used to store Directory Server passwords. Entering CLEAR for this attribute indicates that the password will appear in plain text. The following encryption types are supported by the Directory Server 6.x: •...
passwordWarning (Send Warning) Indicates the number of seconds before a user’s password is due to expire that the user will receive a password expiration warning control on their next LDAP operation. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.
• “nsslapd-cachememsize” on page 168 Note that the default values for the cache-related memory parameters (tuned for a single backend replicated to a single consumer) are as follows: nsslapd-cachesize: 3000 (3000 entries) nsslapd-cachememsize: 10000000 (10 MB) When more backends are replicated or when you need to replicate one backend to more than one consumer, consider tuning the parameters as below:...
Valid Values: Any valid path to the directory storing the changelog Default Value: None Syntax: DirectoryString Example: nsslapd-changelogdir: /usr/netscape/servers/slapd-phonebook/changelogdb nsslapd-changelogmaxage (Max Changelog Age) Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers.
Valid Range: 0 (meaning that the only maximum limit is the disk size) to maximum integer (2147483647) Default Value: Syntax: Integer Example: nsslapd-changelogmaxentries: 5000 cn=encryption Encryption related attributes are stored under the cn=encryption,cn=config entry. The cn=encryption,cn=config entry is an instance of the object class.
Default Value: allowed Syntax: DirectoryString Example: nssslclientauth: allowed nsssl2 Supports SSL version 2. Entry DN: cn=encryption,cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsssl2: on nsssl3 Supports SSL version 3. Entry DN: cn=encryption,cn=config Valid Values: on | off...
Core Server Configuration Attributes Reference Valid Values: For domestic versions, any combination of the following: For SSLv3 rsa_null_md5 rsa_rc4_128_md5 rsa_rc4_40_md5 rsa_rc2_40_md5 rsa_des_sha rsa_fips_des_sha rsa_3des_sha rsa_fips_3des_sha For TLS tls_rsa_export1024_with_rc4_56_sha tls_rsa_export1024_with_des_cbc_sha Default Value: Syntax: DirectoryString + symbol to enable or - symbol to disable followed by the cipher(s). It is important to note that blank spaces are not allowed in the list of ciphers.
Core Server Configuration Attributes Reference Table 2-1 SSLv3 Ciphers (Continued) Cipher in Console Corresponding SSLv3 Cipher RC2(Export) rsa_rc2_40_md5 rsa_des_sha DES (FIPS) rsa_fips_des_sha Triple-DES rsa_3des_sha Triple-DES (FIPS) rsa_fips_3des_sha If you are using the Directory Server Console to set the cipher preferences, the values on the TLS tab of the Cipher Preference dialog box correspond to the following: Table 2-2...
Core Server Configuration Attributes Reference Suffix Configuration Attributes Under cn="suffixName" Suffix configuration attributes are stored under the entry. The cn="suffixName" entry is an instance of the object class which cn="suffixName" nsMappingTree inherits from the object class. For suffix configuration extensibleObject attributes to be taken into account by the server these object classes (in addition to object class) must be present in the entry.
Core Server Configuration Attributes Reference Default Value: None Syntax: DirectoryString Example: nsslapd-backend: NetscapeRoot Replication Attributes Under cn=replica, cn=“suffixName”, cn=mapping tree,cn=config Replication configuration attributes are stored under . The cn=replica,cn=“suffixName”,cn=mapping tree,cn=config cn=replica entry is an instance of the object class. For replication configuration nsDS5Recplia attributes to be taken into account by the server this object class (in addition to the object class) must be present in the entry.
Valid Values: 0 | 1 Changelog activation: 0 = no changes are logged, 1 = changes are logged Default Value: 0 (no changes are logged) Syntax: Integer Example: nsDS5Flags: 0 nsDS5ReplicaBindDN This multivalued attribute specifies the DN to use when binding. Although you can have more than one value in this cn=replica entry, you can only have one...
Syntax: Integer Example: nsDS5ReplicaChangeCount: 675 nsDS5ReplicaId Specifies the unique ID for masters in a given replication environment. Entry DN: cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Range: 0 to 254 Default Value: Syntax: Integer Example: nsDS5ReplicaId: 1 nsDS5ReplicaLegacyConsumer If this attribute is absent or has a value of false, the replica is not a legacy consumer.
Syntax: DirectoryString (a UID identifies the replica) Example: nsDS5ReplicaName: 66a2b699-1dd211b2-807fa9c3-a58714648 nsDS5ReplicaPurgeDelay This multi-valued attribute specifies the period of time in seconds after which internal purge operations will be performed on the change log. When setting this attribute, ensure that the purge delay is longer than the longest replication cycle in your replication policy, to avoid conflict resolution problems and server divergence.
Entry DN: cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Values: Suffix of the database being replicated Default Value: Syntax: DirectoryString Example: nsDS5ReplicaRoot: "dc=example,dc=com" nsDS5ReplicaTombstonePurgeInterval Specifies the time interval in seconds between purge operation cycles. When setting this attribute, bear in mind that the purge operation is time consuming. Entry DN: cn=replica,cn="suffixName",cn=mapping tree,cn=config Valid Range:...
nsState This attribute stores information on the state of the clock. It is intended for internal use only, to ensure that the server cannot generate a change sequence number (CSN) lower than existing ones; this is required for detecting backward clock errors. Replication Attributes Under cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config...
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: Any valid DN Default Value: Syntax: DirectoryString Example: nsDS5ReplicaBindDN: cn=replication manager,cn=config nsDS5ReplicaBindMethod Specifies the method to use for binding. This attribute can be modified. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: SIMPLE | SSLCLIENTAUTH The SIMPLE bind method requires a DN and password.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: Default Value: Syntax: Integer Example: nsDS5ReplicaBusyWaitTime: 3 nsDS5ReplicaChangesSentSinceStartup This read-only attribute provides the number of changes sent to this replica since the server started. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Range: 0 to maximum integer (2147483647)
nsDS5ReplicaHost Specifies the hostname of the remote server containing the consumer replica. Once this attribute has been set, it cannot be modified. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: Any valid host server name Default Value: Syntax: DirectoryString Example:...
Example: nsDS5ReplicaLastInitStart: YYYYMMDDhhmmssZ (20000902160000) nsDS5ReplicaLastInitStatus This optional, read-only attribute provides the status of the initialization of the consumer. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: 0 (Consumer Initialization Succeeded) followed by any other status message. Default Value: Syntax: String Example:...
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: Default Value: Syntax: GeneralizedTime Example: nsDS5ReplicaLastUpdateStart: YYYYMMDDhhmmssZ (20000902160000) nsDS5ReplicaLastUpdateStatus This read-only attribute provides the status of the most recent replication schedule updates. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: 0 (no replication sessions started) followed by any other error or status message Default Value: Syntax:...
nsDS5ReplicaReapActive This read-only attribute specifies whether the background task that removes old tombstones (deleted entries) from the database is active. A value of 0 indicates that the task is inactive and a value of 1 indicates that the task is active. If you try to set the value, the server ignores the modify request.
Syntax: DirectoryString Example: nsDS5ReplicaRoot: "dc=example,dc=com" nsDS5ReplicaSessionPauseTime Specifies the amount of time in seconds a supplier should wait between update sessions. The default value is 0. If you set the attribute to a negative value, Directory Server sends the client a message and an error code.
Default Value: Syntax: Integer Example: nsDS5ReplicaSessionPauseTime: 0 nsDS5ReplicaTimeout This allowed attribute specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing. If you see "Warning: timed out waiting" messages in the error log file, then you...
nsDS5ReplicaUpdateInProgress This read-only attribute states whether or not a replication schedule update is in progress. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config Valid Values: true | false Default Value: Syntax: DirectoryString Example: nsDS5ReplicaUpdateInProgress: true nsDS5ReplicaUpdateSchedule This multi-valued attribute specifies the replication schedule and can be modified. Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config...
cn=monitor Monitoring read-only information is stored under cn=monitor,cn=config. The cn=monitor entry is an instance of the extensibleObject object class. For cn=monitor configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry.
bytesSent: Number of bytes sent by Directory Server.
currentTime: Current time, usually given in Greenwich Mean Time (indicated by GeneralizedTime syntax notation, for example 20010202131102Z).
startTime: Directory Server start time.
nbackEnds: Number of Directory Server backends.
backendMonitorDN: DN for each Directory Server backend.
cn=SNMP SNMP configuration attributes are stored under cn=SNMP,cn=config. The cn=SNMP entry is an instance of the nsSNMP object class. For SNMP configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry.
Default Value: Syntax: DirectoryString Example: nssnmplocation: B14 nssnmpcontact Specifies the e-mail address of the person responsible for maintaining the Directory Server. Entry DN: cn=SNMP,cn=config Valid Values: Contact e-mail address Default Value: Syntax: DirectoryString Example: nssnmpcontact: jerome@example.com nssnmpdescription Provides a unique description of the Directory Server instance.
Syntax: DirectoryString Example: nssnmpmasterhost: localhost nssnmpmasterport Specifies the port number used to communicate with the master agent. For UNIX only. Entry DN: cn=SNMP,cn=config Valid Values: Operating system dependent port number. Refer to your operating system documentation for further information. Default Value: Syntax: Integer...
Default Value: Syntax: DirectoryString Example: nsstate: AbId0c3oMIDUntiLCyYNGgAAAAAAAAAA Configuration Quick Reference Tables This section provides quick reference tables for the LDIF configuration files supplied with the Directory Server, the object classes and schema used in server configuration, and the attributes requiring a server restart. LDIF Configuration Files Table 2-3 lists all the configuration files which are supplied with the Directory Server, including those for the schema of other Netscape servers.
Table 2-3 Directory Server Configuration LDIF Files (Continued)
Configuration Filename: Purpose
05rfc2927.ldif: Schema from RFC 2927, "MIME Directory Profile for LDAP Schema." Contains the ldapSchemas operational attribute required for the attribute to show up in the subschema subentry.
10rfc2307: Schema from RFC 2307, "An Approach for Using LDAP as a Network Information Service".
Table 2-3 Directory Server Configuration LDIF Files (Continued)
Configuration Filename: Purpose
50ns-legacy.ldif: Legacy Netscape schema used by Netscape Administration Server for legacy servers.
50ns-mail.ldif: Schema used by Netscape Messaging Server to define mail users and mail groups.
50ns-mcd-browser.ldif: Schema used by Netscape Mission Control Desktop to hold browser client preferences.
Configuration Changes Requiring Server Restart Table 2-4 lists the configuration attributes that cannot be altered dynamically while the server is running. They require that the server be stopped and restarted to take effect. The table lists the configuration attributes concerned, with their full DNs, and provides a brief description of their functions.
Chapter 3 Plug-in Implemented Server Functionality Reference This chapter contains reference information on Netscape Directory Server (Directory Server) server plug-ins. The chapter is divided into the following sections: • Overview (page 125) • Server Plug-in Functionality Reference (page 126) • List of Attributes Common to All Plug-ins (page 147) •...
Server Plug-in Functionality Reference
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: /usr/netscape/servers/lib/syntax-plugin.so
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an ldapsearch on the subtree.
7-bit check Plug-in
Plug-in Name: 7-bit check (NS7bitAtt)
DN of Configuration Entry: cn=7-bit check,cn=plugins,cn=config
Description: Checks certain attributes are 7-bit clean
Configurable Options: on | off
Default Setting:
Configurable Arguments: list of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur
Dependencies: None...
ACL preoperation Plug-in
Plug-in Name: ACL preoperation
DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config
Description: ACL access check plug-in
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: database
Performance Related Information: None
Further Information: Chapter 6, "Managing Access Control" in the Netscape Directory Server Administrator's Guide.
Boolean Syntax Plug-in
Plug-in Name: Boolean Syntax
DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config
Description: Syntax for handling booleans.
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Case Ignore String Syntax Plug-in
Plug-in Name: Case Ignore String Syntax
DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config
Description: Syntax for handling case-insensitive strings
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in.
Class of Service Plug-in
Plug-in Name: Class of Service
DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config
Description: Allows for sharing of attributes between entries
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in.
Distinguished Name Syntax Plug-in
Plug-in Name: Distinguished Name Syntax
DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config
Description: Syntax for handling DNs
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information: The Generalized Time String consists of the following: four-digit year, two-digit month (for example, 01 for January), two-digit day, two-digit hour, two-digit minute, two-digit second, an optional decimal part of a second, and a time zone indication. We strongly recommend that you use the Z time zone indication, which stands for Greenwich Mean Time.
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information:
Internationalization Plug-in
Plug-in Name: Internationalization Plugin
DN of Configuration Entry: cn=Internationalization...
Description: Implements local databases
Configurable Options:
Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: See "Database Plug-in Attributes" on page 151 for further information on database configuration.
Further Information: Chapter 3, "Configuring Directory Databases" in the Netscape Directory Server Administrator's Guide
Legacy Replication Plug-in
Plug-in Name:...
DN of Configuration Entry: cn=Multimaster Replication plugin,cn=plugins,cn=config
Description: Enables replication between two 6.x Directory Servers
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: database
Performance Related Information:
Further Information: You can turn this plug-in off if you only have one server which will never replicate.
CLEAR Password Storage Plug-in
Plug-in Name: CLEAR
DN of Configuration Entry: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
Description: CLEAR password storage scheme used for password encryption
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
NS-MTA-MD5 Password Storage Scheme Plug-in
Plug-in Name: NS-MTA-MD5
DN of Configuration Entry: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
Description: NS-MTA-MD5 password storage scheme for password encryption
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in.
Dependencies: None
Performance Related Information: If there are no passwords encrypted using the SHA password storage scheme, you may turn this plug-in off. If you want to encrypt your passwords with the SHA password storage scheme, we recommend that you choose SSHA instead, as SSHA is a far more secure option.
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information:
Presence Plug-in
Plug-in Name: Presence...
Description: Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests.
Configurable Options: on | off
Default Setting:
Configurable Arguments: ldap://example.com:389/o=example
Dependencies: None
Performance Related Information:
Further Information: Chapter 16, "Using the Pass-Through Authentication Plug-in" in the Netscape Directory Server Administrator's Guide.
Configurable Arguments: When enabled, the post-operation Referential Integrity plug-in performs integrity updates on the member, uniquemember, owner and seeAlso attributes immediately after a delete or rename operation. You can reconfigure the plug-in to perform integrity checks on all other attributes.
Configurable Options: on | off
Default Setting:
Configurable Arguments: See "Retro Changelog Plug-in Attributes," on page 188 for further information on the two configuration attributes for this plug-in.
Dependencies: None
Performance Related Information: May slow down Directory Server performance.
Further Information: Chapter 8, "Managing Replication"...
DN of Configuration Entry: cn=Space Insensitive String Syntax,cn=plugins,cn=config
Description: Syntax for handling space-insensitive values
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Configurable Arguments: None
Dependencies: None
Performance Related Information:
Further Information:
Telephone Syntax Plug-in
Plug-in Name: Telephone Syntax
DN of Configuration Entry: cn=Telephone Syntax,cn=plugins,cn=config
Description: Syntax for handling telephone numbers
Configurable Options: on | off
Default Setting:
Configurable Arguments: None...
Default Setting:
Configurable Arguments: Enter the following arguments: "DN" "DN"... if you want to check for UID attribute uniqueness in all listed subtrees. However, enter the following arguments: attribute="uid" MarkerObjectclass = "ObjectClassName" and optionally requiredObjectClass = "ObjectClassName" if you want to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, starting from the parent entry containing the ObjectClass as defined by the...
List of Attributes Common to All Plug-ins
DN of Configuration Entry: cn=URI Syntax,cn=plugins,cn=config
Description: Syntax for handling URIs (Unique Resource Identifiers) including URLs (Unique Resource Locators)
Configurable Options: on | off
Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any valid plug-in function Default Value: None Syntax: DirectoryString Example: nsslapd-pluginInitfunc: NS7bitAttr_Init nsslapd-pluginType Specifies the plug-in type. See "nsslapd-plugin-depends-on-type" on page 150 for further information. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any valid plug-in type Default Value:...
nsslapd-pluginId Specifies the plug-in ID. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any valid plug-in ID Default Value: None Syntax: DirectoryString Example: nsslapd-pluginId: chaining database nsslapd-pluginVersion Specifies the plug-in version. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Any valid plug-in version Default Value:...
nsslapd-pluginDescription Provides a description of the plug-in. Entry DN: cn=plug-in name,cn=plugins,cn=config Valid Values: Default Value: None Syntax: DirectoryString Example: nsslapd-pluginDescription: acl access check plug-in Attributes Allowed by Certain Plug-ins nsslapd-plugin-depends-on-type Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order.
Database Plug-in Attributes nsslapd-plugin-depends-on-named Multi-valued attribute, used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the value of a plug-in. The plug-in whose value matches one of the following values will be started by the server prior to this plug-in.
All plug-in technology used by the database instances is stored in the cn=ldbm database plug-in node. This section presents the additional attribute information for each of the nodes in bold in the cn=ldbm database,cn=plugins,cn=config information tree. Database Attributes Under cn=config,cn=ldbm database,cn=plugins,cn=config Global configuration attributes common to all instances are stored in the...
However, as tuning this attribute is a complex task and can severely degrade performance, it is advisable to keep the default value. For a more detailed explanation of the All IDs Threshold, see Chapter 10, "Managing Indexes" in the Netscape Directory Server Administrator's Guide.
Valid Range: Default Value: 66 (This will not necessarily optimize your operations) Syntax: Integer Example: nsslapd-cache-autosize-split: 66 nsslapd-dbcachesize This performance tuning related attribute specifies the database cache size. Note that this is neither the index cache nor the entry cache. If you activate automatic cache resizing, you override this attribute: the server replaces its value with its own estimated value at a later stage of server startup.
nsslapd-db-checkpoint-interval The amount of time in seconds after which the Directory Server sends a checkpoint entry to the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only.
Default Value: Syntax: DirectoryString Example: nsslapd-db-circular-logging: on nsslapd-db-debug Specifies whether additional error information is to be reported to Directory Server. To report error information, set the parameter to on. Note that this parameter is meant for troubleshooting, and enabling the parameter may slow down the Directory Server.
For more information on database transaction logging, see Chapter 12, "Monitoring Server and Database Activity" in the Netscape Directory Server Administrator's Guide. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Values: on | off Default Value: Syntax: DirectoryString Example: nsslapd-db-durable_transactions: on nsslapd-db-home-directory Applicable to Solaris only.
NOTE The directory referenced by the nsslapd-db-home-directory attribute must be a subdirectory of a file system of type tempfs (such as /tmp). However, Directory Server does not create the subdirectory referenced by this attribute. You must create the directory either manually or by using a script.
Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 0 to 8 Default Value: Syntax: Integer Example: nsslapd-db-idl-divisor: 2 nsslapd-db-logbuf-size Specifies the log information buffer size. Log information is stored in memory until the buffer fills up or the transaction commit forces the buffer to be written to disk. Larger buffer sizes can significantly increase throughput in the presence of long running transactions, highly concurrent applications, or transactions producing large amounts of data.
For more information on database transaction logging, see Chapter 12, "Monitoring Server and Database Activity" in the Netscape Directory Server Administrator's Guide. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Values: Any valid path and directory name Default Value: Syntax: DirectoryString Example: nsslapd-db-logdirectory: /logs/txnlog...
Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 512 bytes to 64 K bytes Default Value: 8K bytes Syntax: Integer Example: nsslapd-db-page-size: 8K bytes nsslapd-db-spin-count Specifies the number of times that test-and-set mutexes should spin without blocking. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config Valid Range: 0 to 2^31-1...
durability, while also allowing transaction batching to be turned on and off remotely when desired. Bear in mind that the value you choose for this attribute may require you to modify the nsslapd-db-logbuf-size attribute to ensure a log buffer size sufficient for accommodating your batched transactions. Also, the nsslapd-db-transaction-batch-val attribute is only valid if the...
nsslapd-import-cachesize This performance tuning related attribute determines the size of the database cache used in the bulk import process. By setting this attribute so that the maximum available system physical memory is used for the database cache during bulk importing, you can optimize bulk import speed.
By default, the nsslapd-import-cache-autosize attribute is enabled and is set to a value of -1. This value autosizes importCache for the ldif2db operation (only), automatically allocating fifty percent (50%) of the free physical memory for importCache. The percentage value (50%) is hardcoded and cannot be changed.
dbcachehitratio: Percentage of requested pages found in the database cache (hits/tries).
dbcachepagein: Pages read into the database cache.
dbcachepageout: Pages written from the database cache to the backing file.
dbcacheroevict: Clean pages forced from the cache.
dbcacherwevict: Dirty pages forced from the cache.
nsslapd-cachesize This performance tuning related attribute specifies the cache size in terms of the entries it can hold. However, it is worth noting that it is simpler to limit by memory size only (see the nsslapd-cachememsize attribute). If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you will receive an LDAP_UNWILLING_TO_PERFORM error message with additional error...
nsslapd-directory Specifies the absolute path to the database instance. If your database instance is manually created, this attribute must be included; it is set by default (and modifiable) in the Netscape Console. Once your database instance is created, do not modify this path, as any change risks preventing the server from accessing data.
Default Value: Syntax: DirectoryString Example: nsslapd-require: off nsslapd-suffix Specifies the suffix of the database link. This is a mono-valued attribute, as each database instance can have only one suffix. Previously it was possible to have more than one suffix on a single database instance, but this is no longer the case; the attribute is mono-valued to enforce the fact that each database instance can only have one suffix entry.
nsslapd-db-cache-hit: Requested pages found in the cache.
nsslapd-db-cache-try: Total cache lookups.
nsslapd-db-cache-region-wait-rate: Number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-cache-size-bytes: Total cache size in bytes.
nsslapd-db-clean-pages: Clean pages currently in the cache.
nsslapd-db-commit-rate: Number of transactions that have been committed.
nsslapd-db-lock-conflicts: Total number of locks not immediately available due to conflicts.
nsslapd-db-lock-region-wait-rate: Number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-lock-request-rate: Total number of locks requested.
nsslapd-db-lockers: Number of current lockers.
nsslapd-db-log-bytes-since-checkpoint: Number of bytes written to this log since the last checkpoint.
nsslapd-db-page-rw-evict-rate: Dirty pages forced from the cache.
nsslapd-db-page-trickle-rate: Dirty pages written using the memp_trickle interface.
nsslapd-db-page-write-rate: Pages read into the cache.
nsslapd-db-pages-in-use: All pages, clean or dirty, currently in use.
nsslapd-db-txn-region-wait-rate: Number of times that a thread of control was forced to wait before obtaining the region lock.
Valid Values: true | false Default Value: Syntax: DirectoryString Example: nssystemindex: true nsIndexType This optional, multi-valued attribute specifies the type of index for Directory Server 6.x operations and takes the values of the attributes to be indexed. Each desired index type has to be entered on a separate line.
Example: cn: 2.16.840.1.113730.3.3.2.3.1 (For Bulgarian) cn Provides the name of the attribute you want to index. Entry DN: cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config Valid Values: Any valid index cn Default Value: None Syntax: DirectoryString Example: cn: aci description This non-mandatory attribute provides a free-hand text description of what the index actually performs.
dbfilenamenumber This attribute indicates the name of the file and provides a sequential integer identifier (starting at 0) for the file. All associated statistics for the file are given this same numerical identifier. dbfilecachehit Number of times that a search requiring data from this file was performed and the data was successfully obtained from the cache.
Database Link Plug-in Attributes (chaining attributes) Figure 3-2 Indexed Attribute Representing a Subentry For example, the index file for the aci attribute under o=UserRoot will appear in the Directory Server as follows:
dn: cn=aci,cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsIndex
cn: aci
nssystemindex: true
nsindextype: pres
For details regarding the five possible indexing attributes, see the section "Database Attributes Under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config,"...
Figure 3-3 Database Link Plug-In All plug-in technology used by the database link instances is stored in the cn=chaining database plug-in node. This section presents the additional attribute information for the three nodes marked in bold in the cn=chaining database information tree.
Example: nsActiveChainingComponents: cn=uid uniqueness,cn=plugins,cn=config nsMaxResponseDelay This error detection, performance related attribute specifies the maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected. Once this delay period has elapsed, the database link tests the connection with the remote server.
Database Link Plug-in Attributes (chaining attributes)
nsTransmittedControls
This attribute, which can be either a global (and thus dynamic) configuration attribute or an instance configuration attribute (i.e. under cn=database link instance,cn=chaining database,cn=plugins,cn=config), allows you to alter the controls the database link forwards. The following controls are forwarded by default by the database link: •...
Database Link Plug-in Attributes (chaining attributes)
Example: nsabandonedsearchcheckinterval: 10
nsBindConnectionsLimit
Maximum number of TCP connections the database link establishes with the remote server.
Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range: 1 to 50 connections
Default Value:
Syntax: Integer
Example: nsbindconnectionslimit: 3
nsBindRetryLimit...
Database Link Plug-in Attributes (chaining attributes)
Valid Range: 0 to 60 seconds
Default Value:
Syntax: Integer
Example: nsbindtimeout: 15
nsCheckLocalACI
Reserved for advanced use only. Controls whether ACIs are evaluated on the database link as well as on the remote data server. Changes to this attribute only take effect once the server has been restarted.
Database Link Plug-in Attributes (chaining attributes)
Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range: 1 to 50 operations
Default Value:
Syntax: Integer
Example: nsconcurrentoperationslimit: 50
nsConnectionLife
Specifies the connection lifetime. You can keep connections between the database link and the remote server open for an unspecified time, or you can close them after a specific period of time.
Database Link Plug-in Attributes (chaining attributes)
nsProxiedAuthorization
Reserved for advanced use only. Allows you to disable proxied authorization, where a value of off means proxied authorization is disabled.
Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Values: on | off
Default Value:
Syntax: DirectoryString
Example:...
Database Link Plug-in Attributes (chaining attributes)
nsTimeLimit
Specifies the default search time limit for the database link.
Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range: -1 to 2147483647 seconds
Default Value: 3600
Syntax: Integer
Example: nsTimeLimit: 3600
Database Link Attributes Under cn=database link instance name,cn=chaining database,cn=plugins,cn=config
This information node stores the attributes concerning the server containing the...
Database Link Plug-in Attributes (chaining attributes) nsMultiplexorBindDN Gives the DN of the administrative entry used to communicate with the remote server. The multiplexor is the server that contains the database link and communicates with the farm server. This bind DN cannot be the Directory Manager and if this attribute is not specified, the database link binds as anonymous.
Database Link Plug-in Attributes (chaining attributes)
Valid Range: 1 to an appropriate upper limit for your deployment
Default Value:
Syntax: Integer
Example: nsHopLimit: 3
Database Link Attributes Under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
Attributes used for monitoring activity on your instances are stored in the cn=monitor,cn=database instance name,cn=chaining database information tree.
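The database-link attributes above come with hard limits (nsBindConnectionsLimit and nsConcurrentOperationsLimit 1 to 50, nsBindTimeout 0 to 60, nsTimeLimit -1 to 2147483647, nsHopLimit at least 1, on|off switches) and two rules that matter for security: the multiplexor bind DN must not be the Directory Manager, and leaving it unset makes the link bind to the farm server anonymously. The following lint is an added example, not code from Directory Server; it checks a chaining instance entry written as plain "attribute: value" lines against those rules. The root DN cn=Directory Manager and the simplified DN comparison are assumptions.

```python
"""Lint a database-link (chaining) instance entry against the limits in this
section.  Added example, not part of Directory Server.  Assumptions: the entry
is given as plain "attr: value" lines (no base64, no folding) and the root DN
is cn=Directory Manager, the product default."""

# Integer attributes and the valid ranges the reference states for them.
# None means no documented upper bound (nsHopLimit's is deployment-specific).
RANGES = {
    "nsbindconnectionslimit": (1, 50),
    "nsconcurrentoperationslimit": (1, 50),
    "nsbindtimeout": (0, 60),
    "nstimelimit": (-1, 2147483647),
    "nshoplimit": (1, None),
}
# Attributes the reference documents as on | off.
SWITCHES = ("nsproxiedauthorization", "nschecklocalaci")


def parse_entry(text):
    """Turn 'attr: value' lines into {lowercased attr: [values]}."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def norm_dn(dn):
    """Case- and whitespace-insensitive comparison key; simplified (assumption)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def lint_chaining_entry(text, root_dn="cn=Directory Manager"):
    """Return a list of findings; an empty list means every check passed."""
    attrs = parse_entry(text)
    findings = []
    for name, (low, high) in RANGES.items():
        for value in attrs.get(name, []):
            try:
                number = int(value)
            except ValueError:
                findings.append(f"{name}: not an integer: {value!r}")
                continue
            if number < low or (high is not None and number > high):
                bound = "no upper limit" if high is None else str(high)
                findings.append(f"{name}: {number} is outside {low}..{bound}")
    for name in SWITCHES:
        for value in attrs.get(name, []):
            if value.lower() not in ("on", "off"):
                findings.append(f"{name}: expected on or off, got {value!r}")
    bind_dn = attrs.get("nsmultiplexorbinddn")
    if not bind_dn:
        # The reference: with no bind DN the link binds to the farm server anonymously.
        findings.append("nsmultiplexorbinddn: absent, the link will bind anonymously")
    elif norm_dn(bind_dn[0]) == norm_dn(root_dn):
        findings.append("nsmultiplexorbinddn: must not be the Directory Manager")
    return findings


# Constructed sample entries: one that breaks several rules, one that passes.
WEAK_LINK = """\
dn: cn=example link,cn=chaining database,cn=plugins,cn=config
cn: example link
nsmultiplexorbinddn: cn=Directory Manager
nsbindconnectionslimit: 100
nshoplimit: 0
nsproxiedauthorization: yes
"""

HARDENED_LINK = """\
dn: cn=example link,cn=chaining database,cn=plugins,cn=config
cn: example link
nsmultiplexorbinddn: cn=chaining proxy,ou=services,dc=example,dc=com
nsbindconnectionslimit: 3
nsbindtimeout: 15
nsconcurrentoperationslimit: 50
nshoplimit: 3
nstimelimit: 3600
nsproxiedauthorization: on
"""

if __name__ == "__main__":
    for label, entry in (("weak", WEAK_LINK), ("hardened", HARDENED_LINK)):
        print(label, lint_chaining_entry(entry) or "ok")
```

The weak entry produces four findings (root DN used as bind identity, connection limit above 50, hop limit below 1, and a switch value that is neither on nor off); the hardened entry produces none. Run it against an ldapsearch export of the cn=chaining database subtree before enabling a link.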
Retro Changelog Plug-in Attributes
nsSearchSubtreeCount: Number of subtree searches received.
nsAbandonCount: Number of abandon operations received.
nsBindCount: Number of bind requests received.
nsUnbindCount: Number of unbinds received.
nsCompareCount: Number of compare operations received.
nsOperationConnectionCount: Number of open connections for normal operations.
nsBindConnectionCount: Number of open connections for bind operations.
Retro Changelog Plug-in Attributes
It is through the Retro Changelog plug-in that you access the changes performed on the Directory Server, using searches against the “cn=changelog” suffix; the plug-in's configuration is stored under cn=config.
nsslapd-changelogdir
This attribute specifies the name of the directory in which the changelog database is created the first time the plug-in is run.
Retro Changelog Plug-in Attributes
Example: nsslapd-changelogmaxage: 30d
Chapter 4 Server Instance File Reference
This chapter provides an overview of the files that are specific to an instance of Netscape Directory Server (Directory Server): the files stored under the serverRoot/slapd-serverID directory. Having an overview of the files and configuration information stored in each instance of Directory Server should help you understand the file changes, or absence of file changes, which occur in the course of directory activity.
Overview of Directory Server Files
Code Example 4-1 shows the contents of the serverRoot/slapd-serverID directory, where directories are marked with a trailing / and scripts are marked with a trailing *. See Chapter 8, “Command-Line Scripts” for further information on command-line scripts.
Code Example 4-1 Contents of the serverRoot/slapd-serverID directory
db2ldif*
ns-inactivate.pl*
...
Backup Files
Each Directory Server instance contains the following three directories for storing backup related files:
• - contains a directory dated with the time and date of your database backup, for example 2001_02_13_174524/, which in turn holds your database backup copy.
Database Files
• log.xxxxxxxxxx files are used to store the transaction logs per database.
• DBVERSION - used for storing the version of the database.
• NetscapeRoot - this directory stores the o=NetscapeRoot database created by default at Typical installation.
•...
ldif Files
Each Directory Server instance contains the ldif directory for storing ldif related files. Code Example 4-4 shows a sample listing of the ldif directory contents.
Code Example 4-4 Contents of a sample ldif directory
../
European.ldif
Example.ldif
Example-roles.ldif
The following list describes the content of each of the ldif files:...
Log Files
Each Directory Server instance contains a logs directory for storing log related files. Code Example 4-6 shows a sample listing of the logs directory contents.
Code Example 4-6 Contents of a sample logs directory
access.20010126-120123
access.20010130-140221
audit
audit.rotationinfo
errors.rotationinfo
...
Chapter 5 Access Log and Connection Code Reference
Netscape Directory Server (Directory Server) provides you with logs to help you monitor directory activity. Monitoring allows you to quickly detect and remedy failures and, where done proactively, to anticipate and resolve potential problems before they result in failure or poor performance.
Access Log Content
• Sequence of operation request/operation result pairs of records (or individual records in the case of connection, closed and abandon records)
• Unbind record
• Closed record
Every line begins with a timestamp, for example [21/Apr/2001:11:39:51 -0700], the format of which may vary depending on which platform you are using, where -0700 indicates the time difference in relation to GMT.
Access Log Content
131072 = Precise timing of operation duration. This gives microsecond resolution for the Elapsed Time item in the access log.
For example, if you want to log internal access operations, entry access, and referrals, you would insert a value of 516 (512+4) in the configuration attribute.
Access Log Content
Slot Number
The slot number, in this case slot=608, is a legacy part of the access log which has the same meaning as the file descriptor. Ignore this part of the access log.
Operation Number
To process a given LDAP request, Directory Server will perform the required series of operations.
Access Log Content
tag=100 indicates the actual entry for which you were searching
tag=101 for a result from a search operation
tag=103 for a result from a modify operation
tag=105 for a result from an add operation
tag=107 for a result from a delete operation
tag=109 for a result from a moddn operation
...
Access Log Content
MODDN = moddn
EXT = extended operation
ABANDON = abandon operation
Note that if the LDAP request resulted in sorting of entries, then you will see SORT followed by the number of candidate entries that were sorted. See the bold text in this example:
[04/May/2002:15:51:46 -0700] conn=114 op=68 SORT serialno (1)
Access Log Content
where RequestInformation is of the form beforeCount:afterCount:index:contentCount and ResponseInformation is of the form targetPosition:contentCount (resultCode). If the client uses a position-by-value VLV request, the format for the first part, the request information, would be beforeCount:afterCount:value. The example below shows VLV-specific entries in bold:
[07/May/2002:11:43:29 -0700] conn=877 op=8530 SRCH base="(ou=People)"...
Access Log Content
Extended Operation OID
An extended operation OID, in this case either EXT oid="2.16.840.1.113730.3.5.3" or EXT oid="2.16.840.1.113730.3.5.5", provides the OID of the extended operation being performed. Table 5-1 provides the list of LDAPv3 extended operations and their OIDs supported in Directory Server.
Access Log Content
Abandon Message
The abandon message, in this case [21/Apr/2001:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0, indicates that an operation has been aborted, where nentries=0 indicates the number of entries sent before the operation was aborted, the etime value indicates how much time (in seconds) had elapsed, and...
Access Log Content NOTE Note also that the authenticated DN (the DN used for access control decisions) is now logged in the BIND result line as opposed to the bind request line as was previously the case: [21/Apr/2001:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"...
Access Log Content Access log level 4 enables logging for internal operations which log the following items in addition to the details of the search being performed, including search base, scope, filter, and requested search attributes. In Code Example 5-3, access logging level 512 is enabled which logs access to entries and referrals.
Common Connection Codes NOTE Directory Server access log now distinguishes between persistent and regular searches, which was not the case for previous Directory Server releases. In Code Example 5-4 both access logging level 512 and 4 are enabled, which results in both internal access operations, as well as entry access and referrals being logged.
LDAP Result Codes
T2 = Server closed connection after ioblocktimeout period was exceeded
U1 = Connection closed by server after client sends an UNBIND request. The server will always close the connection when it sees an UNBIND request.
LDAP Result Codes
LDAP has a set of result codes that it is useful to be familiar with.
LDAP Result Codes
Table 5-2 LDAP Result Codes (Continued)
Result Code / Defined Value:
NO_SUCH_OBJECT
ALIAS_PROBLEM
INVALID_DN_SYNTAX
IS_LEAF
ALIAS_DEREFERENCING_PROBLEM
INAPPROPRIATE_AUTHENTICATION
INVALID_CREDENTIALS
INSUFFICIENT_ACCESS_RIGHTS
BUSY
UNAVAILABLE
UNWILLING_TO_PERFORM
LOOP_DEFECT
NAMING_VIOLATION
OBJECT_CLASS_VIOLATION
NOT_ALLOWED_ON_NONLEAF
NOT_ALLOWED_ON_RDN
ENTRY_ALREADY_EXISTS
OBJECT_CLASS_MODS_PROHIBITED
AFFECTS_MULTIPLE_DSAS (LDAP v3)
OTHER
SERVER_DOWN
LDAP_TIMEOUT
PARAM_ERROR
CONNECT_ERROR
LDAP_NOT_SUPPORTED
CONTROL_NOT_FOUND
NO_RESULTS_RETURNED
MORE_RESULTS_TO_RETURN
...
LDAP Result Codes
Table 5-2 LDAP Result Codes (Continued)
REFERRAL_LIMIT_EXCEEDED
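The access log records described in this chapter (connection, request, RESULT with err/tag/nentries/etime, the authenticated DN on the BIND result line, ABANDON, and the closed record with its connection code) are regular enough to parse line by line. The following parser is an added example, not part of the reference or of Directory Server; the log lines it works on are constructed to match the record formats shown above, the numeric values for the Table 5-2 result codes it names are the standard LDAP ones, and the failed-bind threshold is an arbitrary choice.

```python
"""Pair Directory Server access-log request and RESULT records and extract the
fields this chapter describes.  Added example, not code from the reference or
the product; SAMPLE_LOG is constructed in the documented record formats."""
import re
from collections import Counter

# Every record: timestamp, conn number, optional op number, then the body.
RECORD = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<body>.*)$')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+) '
                    r'etime=(?P<etime>[\d.]+)(?: dn="(?P<dn>[^"]*)")?')
CLOSED = re.compile(r'fd=\d+ closed - (?P<code>[A-Z]\d)')

TAG_BIND = 97  # tag=97 is a bind result; 101 search, 103 modify, 105 add, 107 delete, 109 moddn
# Some Table 5-2 names with their standard LDAP numeric values (not listed on the page).
ERR_NAMES = {0: "SUCCESS", 32: "NO_SUCH_OBJECT", 49: "INVALID_CREDENTIALS",
             50: "INSUFFICIENT_ACCESS_RIGHTS", 53: "UNWILLING_TO_PERFORM"}
CLOSE_CODES = {"U1": "client sent UNBIND", "T2": "ioblocktimeout exceeded"}


def new_conn():
    return {"bind_dn": None, "failed_binds": 0, "abandons": 0, "closed": None, "ops": {}}


def parse_access_log(lines):
    """Return {conn number: summary}, each op holding its request body and result fields."""
    conns = {}
    for raw in lines:
        m = RECORD.match(raw.strip())
        if not m:
            continue  # blank line or not an access record
        conn = conns.setdefault(int(m["conn"]), new_conn())
        body = m["body"]
        closed = CLOSED.search(body)
        if closed:
            conn["closed"] = closed["code"]
            continue
        if m["op"] is None:
            continue  # "connection from A to B" record carries no operation number
        op = conn["ops"].setdefault(int(m["op"]), {})
        result = RESULT.match(body)
        if result:
            err = int(result["err"])
            op["result"] = {"err": err, "tag": int(result["tag"]),
                            "nentries": int(result["n"]), "etime": float(result["etime"])}
            if int(result["tag"]) == TAG_BIND:
                if err == 0:
                    conn["bind_dn"] = result["dn"]  # authenticated DN is on the RESULT line
                else:
                    conn["failed_binds"] += 1
        else:
            op["request"] = body
            if body.startswith("ABANDON"):
                conn["abandons"] += 1
    return conns


def summarize(conns):
    """Totals: results by code name, close codes, and requests that never got a RESULT."""
    out = {"connections": len(conns), "results": Counter(), "closed": Counter(), "unanswered": 0}
    for conn in conns.values():
        if conn["closed"]:
            out["closed"][conn["closed"]] += 1
        for op in conn["ops"].values():
            if "result" in op:
                out["results"][ERR_NAMES.get(op["result"]["err"], str(op["result"]["err"]))] += 1
            elif not op.get("request", "").startswith(("UNBIND", "ABANDON")):
                out["unanswered"] += 1  # e.g. a search still running when the connection closed
    return out


def suspicious_binds(conns, threshold=3):
    """Connections with at least `threshold` failed binds (err=49 is INVALID_CREDENTIALS)."""
    return sorted(c for c, s in conns.items() if s["failed_binds"] >= threshold)


# Constructed sample: one clean session and one that fails three binds, then times out.
SAMPLE_LOG = """\
[21/Apr/2001:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 192.0.2.10 to 192.0.2.5
[21/Apr/2001:11:39:51 -0700] conn=11 op=0 BIND dn="uid=jdoe,dc=example,dc=com" method=128 version=3
[21/Apr/2001:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"
[21/Apr/2001:11:39:52 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=*)" attrs=ALL
[21/Apr/2001:11:39:52 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=3 etime=0
[21/Apr/2001:11:39:53 -0700] conn=11 op=2 UNBIND
[21/Apr/2001:11:39:53 -0700] conn=11 op=2 fd=608 closed - U1
[21/Apr/2001:11:40:01 -0700] conn=12 fd=609 slot=609 connection from 198.51.100.7 to 192.0.2.5
[21/Apr/2001:11:40:01 -0700] conn=12 op=0 BIND dn="uid=admin,dc=example,dc=com" method=128 version=3
[21/Apr/2001:11:40:01 -0700] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2001:11:40:02 -0700] conn=12 op=1 BIND dn="uid=admin,dc=example,dc=com" method=128 version=3
[21/Apr/2001:11:40:02 -0700] conn=12 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2001:11:40:03 -0700] conn=12 op=2 BIND dn="uid=admin,dc=example,dc=com" method=128 version=3
[21/Apr/2001:11:40:03 -0700] conn=12 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2001:11:40:04 -0700] conn=12 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(objectclass=*)" attrs=ALL
[21/Apr/2001:11:40:05 -0700] conn=12 op=4 ABANDON targetop=3 msgid=4 nentries=0 etime=1
[21/Apr/2001:11:41:05 -0700] conn=12 op=-1 fd=609 closed - T2
"""

if __name__ == "__main__":
    conns = parse_access_log(SAMPLE_LOG.splitlines())
    print(summarize(conns))
    for c in suspicious_binds(conns):
        print(f"conn={c}: {conns[c]['failed_binds']} failed binds, closed {CLOSE_CODES.get(conns[c]['closed'])}")
```

On the sample, conn=11 resolves to its bind DN and a U1 close; conn=12 shows three INVALID_CREDENTIALS results, an abandoned search that never produced a RESULT, and a T2 close, which is the pattern you want a detection rule to surface from a rotated access log.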
Chapter 6 Migration from Earlier Versions
This chapter is intended to provide a reference of the information migrated by the migrateInstance6 script. In the case of migration from a 4.x Netscape Directory Server (Directory Server) to a 6.x Directory Server, it describes the mapping of configuration parameters to configuration attributes and configuration entries in the new Directory Server.
Migration from 4.x Directory Server to 6.x
Server Attributes
In Directory Server 4.x, configuration parameters are stored in the slapd.conf file, which is under this directory: serverRoot/slapd-serverID. The corresponding configuration attributes in Directory Server 6.x are stored in the cn=config entry. Table 6-1 shows the mapping of Directory Server 4.x configuration parameters to Directory Server 6.x configuration attributes.
Migration from 4.x Directory Server to 6.x
Table 6-1 Mapping of Legacy Server Parameters to Configuration Attributes (Continued)
Legacy Configuration Parameter -> Directory Server Configuration Attribute
enquote_sup_oc -> nsslapd-enquote_sup_oc
loglevel -> nsslapd-errorlog-level
errorlog-logexpirationtime -> nsslapd-errorlog-logexpirationtime
errorlog-logexpirationtimeunit -> nsslapd-errorlog-logexpirationtimeunit
errorlog-maxlogdiskspace -> nsslapd-errorlog-logmaxdiskspace
errorlog-minfreediskspace -> nsslapd-errorlog-logminfreediskspace
errorlog-logrotationtime -> nsslapd-errorlog-logrotationtime
errorlog-logrotationtimeunit -> nsslapd-errorlog-logrotationtimeunit
errorlog-maxlogsize -> nsslapd-errorlog-maxlogsize
...
Migration from 4.x Directory Server to 6.x
Table 6-1 Mapping of Legacy Server Parameters to Configuration Attributes (Continued)
Legacy Configuration Parameter -> Directory Server Configuration Attribute
pw_history -> passwordHistory
pw_inhistory -> passwordInHistory
pw_lockout -> passwordLockout
pw_lockduration -> passwordLockoutDuration
pw_maxage -> passwordMaxAge
pw_maxfailure -> passwordMaxFailure
pw_minage -> passwordMinAge
pw_minlength -> passwordMinLength
pw_must_change -> passwordMustChange
...
Migration from 4.x Directory Server to 6.x
Database Attributes
In Directory Server 4.x, database parameters are stored in the slapd.ldbm.conf file, which is under this directory: serverRoot/slapd-serverID. Because one instance of Directory Server 5.x or 6.x can manage several databases, the corresponding attributes in Directory Server 5.x or 6.x are stored in a general entry for all databases (cn=config,cn=ldbm database,cn=plugins,cn=config...
Upgrade from Directory Server 5.x to 6.x
In Directory Server 5.x and 6.x, the configuration information is stored in the same way. This section explains which configuration attributes are automatically migrated by the migrateInstance6 script, and which ones are not.
Upgrade from Directory Server 5.x to 6.x
Table 6-4 Attributes in cn=config Automatically Migrated (Continued)
nsslapd-attribute_name_exceptions
nsslapd-auditlog-logexpirationtime
nsslapd-auditlog-logexpirationtimeunit
nsslapd-auditlog-logmaxdiskspace
nsslapd-auditlog-logminfreediskspace
nsslapd-auditlog-logrotationtime
nsslapd-auditlog-logrotationtimeunit
nsslapd-auditlog-maxlogsize
nsslapd-auditlog-maxlogsperdir
nsslapd-certmap-basedn
nsslapd-ds4-compatible-schema
nsslapd-enquote_sup_oc
nsslapd-errorlog-level
nsslapd-errorlog-logexpirationtime
nsslapd-errorlog-logexpirationtimeunit
nsslapd-errorlog-logmaxdiskspace
nsslapd-errorlog-logminfreediskspace
nsslapd-errorlog-logrotationtime
nsslapd-errorlog-logrotationtimeunit
nsslapd-errorlog-maxlogsize
nsslapd-errorlog-maxlogsperdir
nsslapd-groupevalnestlevel
nsslapd-idletimeout
nsslapd-ioblocktimeout
nsslapd-lastmod
nsslapd-listenhost
nsslapd-maxdescriptors (Not applicable on NT and AIX platforms)
nsslapd-nagle
...
Upgrade from Directory Server 5.x to 6.x
Table 6-4 Attributes in cn=config Automatically Migrated (Continued)
nsslapd-plugin-depends-on-name
nsslapd-plugin-depends-on-type
nsslapd-referral
nsslapd-reservedescriptors (Not applicable on NT and AIX platforms)
nsslapd-rootpwstoragescheme
nsslapd-schemacheck
nsslapd-securePort
nsslapd-security
nsslapd-sizelimit
nsslapd-SSL3ciphers
nsslapd-timelimit
passwordChange
passwordCheckSyntax
passwordExp
passwordExpirationTime
passwordHistory
passwordInHistory
passwordLockout
passwordLockoutDuration
passwordMaxAge
passwordMaxFailure
...
Upgrade from Directory Server 5.x to 6.x
Table 6-5 Attributes in cn=config not Migrated
Attribute Name -> Reason for not Migrating Automatically
nsslapd-localhost -> Already set up.
nsslapd-localuser -> Configured during the installation process.
nsslapd-port -> Configured during the installation process.
nsslapd-rootdn -> Configured during the installation process.
nsslapd-rootpw -> Configured during the installation process.
Upgrade from Directory Server 5.x to 6.x
Database Attributes
All general database configuration attributes are automatically migrated. These attributes are stored in the entry cn=config,cn=ldbm database,cn=plugins,cn=config and are listed in Table 6-6. Database-specific attributes are stored in entries of the form cn=database instance...
Upgrade from Directory Server 5.x to 6.x Table 6-8 Database-Specific Attributes not Migrated (Continued) Attribute Name Reason for not Migrating Automatically nsslapd-db-checkpoint-interval This attribute is provided only for system modification/diagnostics and should be changed only under guidance from Netscape Technical Support.
Upgrade from Directory Server 5.x to 6.x
Table 6-10 Default Instance Database Link Attributes Automatically Migrated
nsBindTimeout
nsBindRetryLimit
nsHopLimit
nsmaxresponsedelay
nsmaxtestresponsedelay
nsCheckLocalACI
nsConcurrentBindLimit
nsConcurrentOperationsLimit
nsConnectionLife
nsOperationConnectionslimit
nsProxiedAuthorization
nsReferralOnScopedSearch
nsslapd-sizelimit
nsslapd-timelimit
SNMP Attributes
All SNMP configuration attributes are automatically migrated. These attributes are stored in the entry , and are listed in Table 6-11.
Chapter 7 Command-Line Utilities This chapter contains reference information on command-line utilities provided by Netscape Directory Server (Directory Server). These command-line utilities make it easy to perform administration tasks on the Directory Server. This chapter is divided into the following sections: •...
Command-Line Utilities Quick Reference NOTE In order to execute the command-line utilities, you must change to the directory where the command-line utilities are stored. Although it is possible to set command-path and library-path variables to execute the utilities, it is not recommended because you run the risk, particularly when you have more than one server version installed, of disrupting the correct execution of other utilities.
Using Special Characters
When using the ldapsearch command-line utility, you may need to specify values that contain characters that have special meaning to the command-line interpreter (such as space [ ], asterisk [*], backslash [\], and so forth). When this situation occurs, enclose the value in quotation marks ("").
ldapsearch
ldapsearch is a configurable utility that enables you to locate and retrieve directory entries via LDAP. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on a specified search filter. Search scopes can include a single entry, an entry's immediate subentries, or an entire tree or subtree.
ldapsearch Option Description Specifies that the password policy request control be not sent with the bind request. (This option is new in the 6.2 release of Directory Server, which supports fine-grained password policy. For details, see Netscape Directory Server Deployment Guide.) By default, the new LDAP password policy request control is sent with bind requests.
ldapsearch Option Description Specifies that the search results are sorted on the server rather than on the client. This is useful if you want to sort according to a matching rule, as with an international search. In general, it is faster to sort on the server rather than on the client.
ldapsearch Option Description Specifies the path, including the filename, of the private key database of the client. You may specify the absolute or relative (to the server root) path. You must specify the -K option when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database, the cert8.db file (the path for which is specified with the -P option).
ldapsearch Option Description Specifies that the search retrieve the attributes only, not the attribute values. This option is useful if you just want to determine if an attribute is present for an entry and you are not interested in the value. Specifies how alias dereferencing is completed.
ldapsearch Option Description Conversion routines directory. If you want to specify a sort language that is not supported by default in this release of the Directory Server, for example, one obtained from a later release of the LDAP SDK, you need to supply the directory in which you store the conversion routines.
ldapmodify Option Description Specifies that the user-friendly form of the distinguished name be used in the output. Specifies that the utility is to run in verbose mode. Specifies the LDAP version number to be used on the search. For example, -V 2.
ldapmodify Commonly Used ldapmodify Options To modify an entry or entries in an existing directory, use the ldapmodify command-line utility with the following options: Option Description Allows you to add LDIF entries to the directory without requiring the changetype:add LDIF update statement. This provides a simplified method of adding entries to the directory.
ldapmodify Option Description Causes each add to be performed silently as opposed to being echoed to the screen individually. Specifies the password associated with the distinguished name specified in the -D option. For example, -w mypassword. Specifies that referrals are not to be followed automatically. By default, the server follows referrals.
ldapmodify Option Description Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this option is specified, then the -Z, and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.
ldapmodify Option Description Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as JPEG.
ldapdelete
Option Description
Specifies the LDAP version number to be used on the operation. For example, -V 2. LDAP v3 is the default. You cannot perform an LDAP v3 operation against a Directory Server that only supports LDAP v2.
Specifies the proxy DN to use for the modify operation.
ldapdelete Option Description Specifies that the password policy request control be not sent with the bind request. (This option is new in the 6.2 release of Directory Server, which supports fine-grained password policy. For details, see Netscape Directory Server Deployment Guide.) By default, the new LDAP password policy request control is sent with bind requests.
ldapdelete Option Description Specifies the path, including the filename, of the private key database of the client. You may specify the absolute or relative (to the server root) path. You must specify the -K option when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database, the cert8.db file (the path for which is specified with the -P option).
ldif Option Description Specifies the file containing the distinguished names of entries to be deleted. For example, -f modify_statements. Omit this option if you want to supply the distinguished name of the entry to be deleted directly to the command line. Lists all available ldapdelete options.
dbscan
The ldif command-line utility will take any input and format it with the correct line continuation and appropriate attribute information. The ldif utility also senses whether the input requires base 64 encoding.
Syntax
When you use ldif, you must enter the command using the following format:
ldif [-b] [attrtypes] [optional-options]
Options...
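The two jobs the ldif utility does, deciding when a value must be written base64 (the "attr:: ..." form) and folding long lines with a single leading space on each continuation line, are the LDIF rules from RFC 2849. The following code is an added example, not the utility's source, that applies those rules and also reverses them, so an LDIF record can be checked by parsing it back; the sample values are constructed, and the 76-column width is the RFC's recommendation.

```python
"""Apply the LDIF value rules the ldif utility implements (base64 when needed,
line folding) and parse the result back.  Added example following RFC 2849,
not the utility's own code; sample values are constructed."""
import base64

LINE_WIDTH = 76  # RFC 2849 recommends wrapping output at 76 characters


def needs_base64(value: bytes) -> bool:
    """True when a value cannot be written as plain 'attr: value' text."""
    if not value:
        return False
    if value[0] in b" :<" or value.endswith(b" "):
        return True  # leading space/colon/'<' or a trailing space would be ambiguous
    return any(b in (0x00, 0x0A, 0x0D) or b > 0x7F for b in value)


def fold(line: str, width: int = LINE_WIDTH) -> str:
    """Wrap one logical line; every continuation line starts with a single space."""
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def to_ldif(attrtype: str, value: bytes, binary: bool = False) -> str:
    """Format one value the way 'ldif [-b] attrtype' would; -b forces base64."""
    if binary or needs_base64(value):
        return fold(f"{attrtype}:: {base64.b64encode(value).decode('ascii')}")
    return fold(f"{attrtype}: {value.decode('ascii')}")


def parse_ldif_record(text: str) -> dict:
    """Unfold continuation lines and decode values back to bytes: {attr: [values]}."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # continuation: drop the one leading space
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    record = {}
    for line in logical:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = (rest[1:] if rest.startswith(" ") else rest).encode("ascii")
        record.setdefault(name, []).append(value)
    return record


def build_record(pairs) -> str:
    """Join (attrtype, bytes) pairs into one LDIF record."""
    return "\n".join(to_ldif(name, value) for name, value in pairs) + "\n"


if __name__ == "__main__":
    record = build_record([
        ("dn", b"uid=bjensen,ou=People,dc=example,dc=com"),
        ("cn", b"Barbara Jensen"),
        ("sn", "Jensén".encode("utf-8")),          # non-ASCII: must be base64
        ("description", b" starts with a blank"),  # leading space: must be base64
        ("description", b"x" * 200),               # long value: must be folded
    ])
    print(record)
    print(parse_ldif_record(record)["sn"])
```

Round-tripping the record through parse_ldif_record gives back the original bytes, which is the check to run on any LDIF you generate by hand before feeding it to ldapmodify or ldif2db.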
dbscan Options Option Parameter Description filename Specifies the name of the database file, the contents of which is to be analyzed and extracted. Specifies that the output is to be generated as an index file. Specifies that the output is to be generated as an entry (id2entry) file.
Chapter 8 Command-Line Scripts
This chapter provides information on the scripts you can use to manage your directory, for example, backing up and restoring your database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A, “Using the ns-slapd and slapd.exe Command-Line Utilities.”...
Command-Line Scripts Quick Reference NOTE In order to execute the Perl scripts, you must change to the directory where the scripts are stored. Although it is possible to set command-path and library-path variables to execute the scripts, it is not recommended because you run the risk, particularly when you have more than one server version installed, of disrupting the correct execution of other utilities.
Command-Line Scripts Quick Reference
Table 8-1 Commonly Used Command-Line Shell and Batch Scripts (Continued)
Command Line Script / Description
getpwenc - Prints the encrypted form of a password using one of the server's encryption algorithms. If a user cannot log in, you can use this script to compare the user's password to the password stored in the directory.
Command-Line Scripts Quick Reference
Table 8-2 Commonly Used Command-Line Perl Scripts
Command Line Perl Script / Description
bak2db.pl - Restores the database from the most recent archived backup. Located in: serverRoot/slapd-serverID
db2bak.pl - Creates a backup of the current database contents. Located in: serverRoot/slapd-serverID
Creates and regenerates indexes.
...
Shell and Batch Scripts
Table 8-2 Commonly Used Command-Line Perl Scripts (Continued)
Command Line Perl Script / Description
template-cl-dump.pl - Dumps and decodes the change log. Located in: serverRoot/bin/slapd/admin/scripts
template-repl-monitor.pl - Provides in-progress status of replication. Located in: serverRoot/bin/slapd/admin/scripts
Shell and Batch Scripts
This section covers the following scripts: •...
Shell and Batch Scripts Some of the Shell and Batch scripts can be executed while the server is running. For others, the server must be stopped. The description of each script below indicates whether the server must be stopped, or if it can continue to run while you execute the script.
Shell and Batch Scripts db2ldif (Export database contents to LDIF) Exports the contents of the database to LDIF. This script can be executed while the server is still running. For information on the equivalent Perl script, see “db2ldif.pl (Export database contents to LDIF),”...
Shell and Batch Scripts Option Parameter Description Use of several files for storing the output LDIF with each instance stored in instance filename (where file name is the file name specified for -a option). Delete, for reasons of backward compatibility, the first line of the LDIF file which gives the version of the LDIF standard.
Shell and Batch Scripts db2index (Reindex database index files) Reindexes the database index files. For information on the equivalent Perl script, see “db2index.pl (Create and generate indexes),” on page 265. Syntax Shell script (UNIX): db2index [-n backendInstance | {-s includeSuffix}* -t attributeName -T vlvAttribute] Batch file (Windows): db2index [-n backend_instance | {-s includeSuffix}* -t...
Shell and Batch Scripts dsml2db (Import DSML document contents into database) Imports the contents of the DSML, version 1.0, document into the database. To run this script, the server must be stopped. Syntax Shell script (UNIX): dsml2db -n backendInstance | {-s includeSuffix}* [{-x excludeSuffix}*] {-i dsmlFile} Batch file (Windows): dsml2db -n backendInstance | {-s includeSuffix}* [{-x...
Shell and Batch Scripts
Options
There are no options for this script. For more information on the different storage schemes, such as SSHA, CRYPT and CLEAR, see the Netscape Directory Server Administrator's Guide.
ldif2db (Import)
Runs the slapd (Windows) or ns-slapd (Unix) command-line utility with the ldif2db keyword.
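The getpwenc script (Table 8-1) prints a password in one of the storage schemes just named so that it can be compared with the value stored in the directory. The following code is an added example, not the server's or the script's implementation, that produces and verifies values in the {SSHA} and {CLEAR} forms: {SSHA} is base64(SHA-1(password || salt) || salt) with the salt appended after the 20-byte digest, which is why a verifier can recover the salt from the stored value without knowing its length in advance. The 8-byte salt length is an assumption, and {CRYPT} is deliberately left unhandled here.

```python
"""Produce and verify {SSHA} and {CLEAR} userPassword values.  Added example,
not the server's code or getpwenc's.  Assumptions: an 8-byte random salt for
new {SSHA} values; {CRYPT} and any other scheme is reported, not verified."""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # the digest comes first in the decoded value; the rest is the salt


def ssha_encode(password: bytes, salt: bytes = b"") -> str:
    """Return '{SSHA}' + base64(digest || salt); generates a salt unless one is given."""
    if not salt:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Recompute SHA-1(password || salt) with the salt taken from the stored value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    # constant-time compare so the check does not leak how many bytes matched
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def scheme_of(stored: str) -> str:
    """'{SSHA}...' -> 'SSHA'; a value with no prefix is treated as clear text."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEAR"


def verify_password(password: bytes, stored: str) -> bool:
    """Dispatch on the storage-scheme prefix, as the server does for a simple bind."""
    scheme = scheme_of(stored)
    if scheme == "SSHA":
        return ssha_verify(password, stored)
    if scheme == "CLEAR":
        clear = stored[len("{CLEAR}"):] if stored.startswith("{") else stored
        return hmac.compare_digest(password, clear.encode("utf-8"))
    raise NotImplementedError(f"storage scheme {scheme} is not handled in this example")


if __name__ == "__main__":
    stored = ssha_encode(b"secret")           # what getpwenc would print for the SSHA scheme
    print(stored)
    print(verify_password(b"secret", stored), verify_password(b"wrong", stored))
```

Two things follow from the layout: the same password yields a different {SSHA} string on every call because the salt is random, so compare by verifying, never by string equality; and a {CLEAR} value (or nsslapd-rootpw left in clear text) is recoverable by anyone who can read the entry or a backup, which is why the SSHA scheme is the one to keep in nsslapd-rootpwstoragescheme.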
Shell and Batch Scripts Options Option Parameter Description backendInstance Instance to be imported. Ensure that you specify an instance that corresponds to the suffix contained by the LDIF file because otherwise the data contained by the database is deleted and the import fails. includeSuffix Suffixes to be included or to specify the subtrees to be included if -n has been used.
Shell and Batch Scripts ldif2ldap (Perform import operation over LDAP) Performs an import operation over LDAP to the Directory Server. To run this script the server must be running. Syntax Shell script (UNIX): ldif2ldap -D rootdn -w password -f filename Batch file (Windows): ldif2ldap -D rootdn -w password -f filename Options...
Shell and Batch Scripts
restart-slapd (Restart the Directory Server)
Restarts the Directory Server.
Syntax
Shell script (UNIX): restart-slapd
Batch file (Windows): restart-slapd
Options
There are no options for this script.
Exit Status
Server restarted successfully.
Server could not be started.
Server restarted successfully, but was already stopped.
Shell and Batch Scripts
Syntax
Shell script (UNIX): restoreconfig
Batch file (Windows): restoreconfig
Options
There are no options for this script.
saveconfig (Save Administration Server Configuration)
Saves Administration Server configuration information to the following directory: serverRoot/slapd-serverID/confbak
Note that this script will only run if the server is running.
Syntax
Shell script (UNIX): saveconfig...
Shell and Batch Scripts
Syntax
Shell script (UNIX): start-slapd
Batch file (Windows): start-slapd
Options
There are no options for this script.
Exit Status
Server started successfully
Server could not be started
Server was already started
stop-slapd (Stop the Directory Server)
Stops the Directory Server.
Shell and Batch Scripts
Server could not be stopped.
Server was already stopped.
suffix2instance (Map Suffix to Backend Name)
Maps a suffix to a backend name.
Syntax
Shell script (UNIX): suffix2instance {-s suffix}
Batch file (Windows): suffix2instance {-s suffix}
Options
Suffix to be mapped to the backend.
Perl Scripts Options You must specify either the or the option. Option Parameter Description debugLevel Specifies the debug level to use during index creation. Debug levels are defined in “nsslapd-errorlog-level (Error Log Level),” on page 58. Specifies the server configuration directory that contains the configuration information for the index creation process.
Perl Scripts
• ns-inactivate.pl (Inactivate an entry or group of entries)
• ns-newpwpolicy.pl (Add attributes for fine-grained password policy)
• template-cl-dump.pl (Dump and decode changelog)
• template-repl-monitor.pl (Monitor replication status)
NOTE The Perl scripts that are bundled with Directory Server require the use of nsPerl, which is included in the...
Perl Scripts
Option Parameter Description
databaseType: The database type. Currently, the only possible database type is ldbm.
db2bak.pl (Create backup of database)
Creates a backup of the database.
Syntax
Perl script (UNIX and Windows): db2bak.pl [-v] -D rootdn -w password [-a dirName]
Options
The script...
Perl Scripts
db2index.pl (Create and generate indexes)
Creates and generates the new set of indexes to be maintained following the modification of indexing entries in the cn=config configuration.
Syntax
Perl script (UNIX and Windows): db2index.pl [-v] -D rootdn { -w password | -j filename } [-n backendInstance] [-t attributeName]
Options...
Perl Scripts
Syntax
Perl script (UNIX and Windows): db2ldif.pl [-v] -D rootdn -w password {-n backendInstance}* | {-s includeSuffix}* [{-x excludeSuffix}*] [-a outputFile] [-N] [-r] [-C] [-u] [-U] [-m] [-o] [-1] [M]
Options
To run this script, the server must be running and either backend_instance or includesuffix is required.
• -1: Deletes, for reasons of backward compatibility, the first line of the LDIF file that gives the version of the LDIF standard.
• -M: Output LDIF is stored in multiple files.
ldif2db.pl (Import). To run this script the server must be running. The script creates an entry in the directory that launches this dynamic task.
• -g string: Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default a time-based unique ID is generated. If you use deterministic generation to have a name-based unique ID, you can also specify the namespace you want the server to use as follows: -g deterministic namespaceId...
Page 269
Statistics extracted by logconv.pl include:
• Number of restarts
• FDs (file descriptors) taken, FDs returned, and highest FD taken
• Total number of connections
• Total operations requested, total results returned, and the results-to-requests ratio
• Number of searches, number of modifications, number of adds
• Total binds and types of binds
• Disruptions: broken pipes, connections reset by peer, unavailable resources (and detail)...
Some of the information extracted by logconv.pl is available only in Directory Server 6.x logs: the corresponding values will be zero when analyzing logs from other versions. In addition, some information will be present in the logs only if verbose logging is enabled in your Directory Server.
Options. The logconv.pl command-line options are described in the following table. The parameters without a preceding dash (-) at the end of the table enable the optional lists of occurrences. Specify only those you need, to limit the output and improve execution speed.
Page 272
• Enables the most verbose output. With this option, logconv.pl computes and displays all of the optional lists described below.
• Lists connection latency details (gives you an idea about the overall connection latency).
• Lists open connection ID statistics (gives you an idea about the FDs that are not yet closed).
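As an added example (it is not logconv.pl and not code from the manual), the following Python computes the main counters listed above over a constructed sample of access-log lines. The line format (conn=/op=/fd= fields, BIND/SRCH/MOD/ADD verbs, RESULT lines, "closed - U1" disconnect codes) is assumed from the Directory Server access log as generally known rather than reproduced on this page; the restart heuristic and the disconnect-code meanings in the comments are likewise assumptions. The counters a security team actually watches, failed binds (err=49) and anonymous versus authenticated binds, are broken out separately.

```python
import re
from collections import Counter

# Constructed sample in Directory Server access-log format (assumed; not from the page).
SAMPLE_ACCESS_LOG = """\
[15/Dec/2003:10:01:02 -0800] conn=1 op=-1 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[15/Dec/2003:10:01:02 -0800] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[15/Dec/2003:10:01:02 -0800] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[15/Dec/2003:10:01:03 -0800] conn=1 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[15/Dec/2003:10:01:03 -0800] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[15/Dec/2003:10:01:04 -0800] conn=1 op=2 MOD dn="uid=jdoe,ou=People,dc=example,dc=com"
[15/Dec/2003:10:01:04 -0800] conn=1 op=2 RESULT err=0 tag=103 nentries=0 etime=0
[15/Dec/2003:10:01:05 -0800] conn=1 op=3 UNBIND
[15/Dec/2003:10:01:05 -0800] conn=1 op=3 fd=64 closed - U1
[15/Dec/2003:10:01:06 -0800] conn=2 op=-1 fd=65 slot=65 connection from 192.0.2.11 to 192.0.2.1
[15/Dec/2003:10:01:06 -0800] conn=2 op=0 BIND dn="" method=128 version=3
[15/Dec/2003:10:01:06 -0800] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[15/Dec/2003:10:01:07 -0800] conn=2 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[15/Dec/2003:10:01:09 -0800] conn=2 op=1 RESULT err=0 tag=101 nentries=250 etime=2 notes=U
[15/Dec/2003:10:01:10 -0800] conn=2 op=2 ADD dn="uid=new,ou=People,dc=example,dc=com"
[15/Dec/2003:10:01:10 -0800] conn=2 op=2 RESULT err=50 tag=105 nentries=0 etime=0
[15/Dec/2003:10:01:20 -0800] conn=2 op=3 fd=65 closed - T1
[15/Dec/2003:10:02:00 -0800] conn=3 op=-1 fd=66 slot=66 connection from 192.0.2.12 to 192.0.2.1
[15/Dec/2003:10:02:01 -0800] conn=3 op=0 BIND dn="uid=eve,ou=People,dc=example,dc=com" method=128 version=3
[15/Dec/2003:10:02:01 -0800] conn=3 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[15/Dec/2003:10:02:01 -0800] conn=3 op=1 fd=66 closed - B1
"""

CONNECT_RE = re.compile(r"conn=(\d+) op=-1 fd=(\d+) slot=\d+ connection from")
CLOSE_RE = re.compile(r"conn=(\d+) op=-?\d+ fd=(\d+) closed - (\w+)")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) ")
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|UNBIND|SRCH|MOD|ADD|DEL|MODRDN|CMP|ABANDON|EXT)\b(?: dn="([^"]*)")?')

NO_RESULT_OPS = {"UNBIND", "ABANDON"}   # these operations never produce a RESULT line
OP_COUNTERS = {"SRCH": "searches", "MOD": "modifications", "ADD": "adds", "DEL": "deletes"}


def summarize_access_log(text):
    """Return logconv.pl-style counters for one access log given as text."""
    stats = Counter()
    bind_types = Counter()
    disconnects = Counter()   # disconnect code -> count; assumed meanings: U1 clean unbind, T1 idle timeout, B1 bad BER
    pending = {}              # (conn, op) -> verb, awaiting its RESULT line
    for line in text.splitlines():
        if m := CONNECT_RE.search(line):
            if m.group(1) == "1" and stats["connections"]:
                stats["restarts"] += 1      # heuristic: connection ids start again at 1 after a server restart
            stats["connections"] += 1
            stats["fds_taken"] += 1
            stats["highest_fd"] = max(stats["highest_fd"], int(m.group(2)))
        elif m := CLOSE_RE.search(line):
            stats["fds_returned"] += 1
            disconnects[m.group(3)] += 1
        elif m := RESULT_RE.search(line):
            stats["results_returned"] += 1
            verb = pending.pop((m.group(1), m.group(2)), None)
            if verb == "BIND" and int(m.group(3)) == 49:     # LDAP invalidCredentials
                stats["failed_binds"] += 1
            if verb == "SRCH" and "notes=U" in line:         # unindexed search
                stats["unindexed_searches"] += 1
        elif m := OP_RE.search(line):
            conn, op, verb, dn = m.groups()
            if verb == "BIND":
                stats["binds"] += 1
                bind_types["anonymous" if dn == "" else "authenticated"] += 1
            elif verb in OP_COUNTERS:
                stats[OP_COUNTERS[verb]] += 1
            if verb not in NO_RESULT_OPS:
                stats["operations_requested"] += 1
                pending[(conn, op)] = verb
    requested = stats["operations_requested"]
    ratio = stats["results_returned"] / requested if requested else 0.0
    return {"stats": dict(stats), "results_to_requests_ratio": ratio,
            "bind_types": dict(bind_types), "disconnects": dict(disconnects),
            "unanswered_ops": sorted(pending.items())}


if __name__ == "__main__":
    for key, value in summarize_access_log(SAMPLE_ACCESS_LOG).items():
        print(f"{key}: {value}")
```

On the sample this reports three connections, a results-to-requests ratio of 1.0, one anonymous bind, one failed bind, one unindexed search and one disconnect per code. A ratio below 1.0 or a non-empty unanswered_ops list points at operations the server never answered before the log ended, which is what the "Disruptions" counters above are meant to surface.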
migrateInstance6 (Migrate to Directory Server 6.x). The migrateInstance6 script (note that this is a Perl script despite the fact that it does not have the .pl extension) migrates an instance of 4.x or 5.x Directory Server to Directory Server 6.x. When you run this script, it migrates the configuration files or configuration entries, database instances, and schema with minimum manual intervention.
• oldInstancePath: Specifies the path to the legacy (4.x or 5.x) Directory Server instance. For example: /usr/netscape/server4/slapd-phonebook.
• newInstancePath: Specifies the path to the new (6.x) Directory Server instance. For example: /usr/netscape/servers/slapd-phonebook.
• (trace level): Specifies the trace level. The trace level is set to 0 by default, with a valid range of 0 to 3.
• host: Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed.
• (DN): Specifies the entry DN or role DN whose status is required.
ns-activate.pl (Activate an entry or group of entries). Activates an entry or group of entries.
Syntax. Perl script (UNIX and Windows): ns-inactivate.pl [-D rootdn] -w password [-p port] [-h host] -I DN
Options.
• -D rootdn: Specifies the Directory Server user DN with root permissions, such as Directory Manager.
• -w password: Specifies the password associated with the user DN.
• -p port: Specifies the Directory Server's port.
Options.
• rootdn: Specifies the Directory Server user DN with root permissions, such as Directory Manager. The default value is cn=directory manager.
• password: Specifies the password associated with the user DN.
• Prompts for the password associated with the user DN.
• filename: Specifies the path, including the file name, to the file that contains the password associated with the user DN.
Options. In the absence of the option, the script must be run when the Directory Server is running, and from a location from which the server's change-log directory is accessible.
• host: Specifies the Directory Server's host. Defaults to the server where the script is running.
Syntax. Perl script (UNIX and Windows): template-repl-monitor.pl -h host -p port -f configFile [-u refreshUrl] [-t refreshInterval] [-r] [-v]
Options.
• -h host: Specifies the initial replication supplier's host. The default value is the current hostname.
• -p port: Specifies the initial replication supplier's port.
Configuration File Format. The configuration file defines the following:
• The connection parameters for connecting to the LDAP servers to get replication information; specifying this information is mandatory.
• The server alias for more readable server names; specifying this information is optional.
Page 281
You may also choose to display CSN time lags between masters and consumers in different colors based on their range. The default color set is green for a lag of 0 to 5 minutes, yellow for 5 to 60 minutes, and pink for 60 minutes or more.
Appendix A: Using the ns-slapd and slapd.exe Command-Line Utilities. In Chapter 8, "Command-Line Scripts," we looked at the scripts for performing routine administration tasks on the Netscape Directory Server (Directory Server). In this appendix we look at the command-line utilities ns-slapd (UNIX) and slapd.exe (Windows), which can also be used to perform the same tasks.
Finding and Executing the ns-slapd and slapd.exe Command-Line Utilities. ns-slapd (UNIX) is used on a Unix operating system to start the directory server process, to build a directory database from an LDIF file, or to convert an existing database to an LDIF file.
ns-slapd and slapd.exe Command-Line Utilities for Exporting Databases
db2ldif. Exports the contents of the database to LDIF.
Syntax. Shell script (UNIX): ns-slapd db2ldif -D configDir -a outputFile [-d debugLevel] [-n backendInstance] [-r] [-s includeSuffix] [-x excludeSuffix] [-N] [-u] [-U]
Batch file (Windows): slapd.exe db2ldif -D configDir -a outputFile...
Page 286
• Causes the server to include the copiedFrom attribute and its contents in the LDIF output, for use when importing the LDIF file to a consumer server. This information is required by the replication process.
ns-slapd and slapd.exe Command-Line Utilities for Restoring and Backing up Databases
ldif2db. Imports LDIF files to the database.
Syntax. Shell script (UNIX): ns-slapd ldif2db -D configDir -i ldifFile [-d debugLevel] [-g string] [-n backendInstance] [-O] [-s includeSuffix] [-x excludeSuffix]
Batch file (Windows): slapd.exe ldif2db -D configDir -i ldifFile [-d debugLevel]...
Page 288
• -g string: Generation of a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default a time-based unique ID is generated.
• -x excludeSuffix: Allows you to specify suffixes within the LDIF file to exclude during the import. You can use multiple -x arguments. This option lets you selectively import portions of the LDIF file. If you use both -x and -s with the same suffix, -x takes precedence.
Options.
• -D configDir: Specifies the location of the server configuration directory that contains the configuration information for the index creation process. You must specify the full path to the slapd-serverID directory.
ns-slapd and slapd.exe Command-Line Utilities for Creating and Regenerating Indexes
db2index. Creates and regenerates indexes.
Syntax. Shell script (UNIX): ns-slapd db2index -D configDir [-d debugLevel] -n backendName -t attributeName[:indexTypes[:matchingRules]] | [-T vlvTag]
Batch file (Windows): slapd.exe db2index -D configDir [-d debugLevel]...
Page 292
• -t attributeName: Specifies the attribute to be indexed as well as the types of indexes to create and matching rules to apply (if any). If you want to specify a matching rule, you must specify an index type. You cannot use this option with option -T.
Glossary
access control instruction: See ACI.
ACI: Access Control Instruction. An instruction that grants or denies permissions to entries in the directory.
access control list: See ACL.
ACL: Access control list. The mechanism for controlling access to your directory.
access rights: In the context of access control, specify the level of access granted or denied.
Page 294
attribute: Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value.
attribute list: A list of required and optional attributes for a given entry type or object class.
Page 295
browser: Software, such as Netscape Navigator, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server.
browsing index: Otherwise known as the virtual list view (VLV) index, speeds up the display of entries in the Directory Server Console.
Page 296
ciphertext: Encrypted information that cannot be read by anyone without the proper key to decrypt the information.
CIR: See consumer-initiated replication.
class definition: Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory.
Page 297
daemon: A background process on a Unix machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning.
DAP: Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory.
Data Master: The server that is the master source of a particular piece of data.
Page 298
DNS: Domain Name System. The system used by machines on a network to associate standard IP addresses (such as 198.93.93.10) with hostnames (such as www.example.com). Machines normally get the IP address for a hostname from a DNS server, or they look it up in tables maintained on their systems.
DNS alias: A hostname that the DNS server knows points to a different host; specifically, a DNS CNAME record.
Page 299
general access: When granted, indicates that all authenticated users can access directory information.
hostname: A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.com is the machine www in the domain example.com.
HTML: Hypertext Markup Language.
Page 300
ISO: International Organization for Standardization.
knowledge reference: Pointers to directory information stored in different databases.
LDAP: Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.
LDAPv3: Version 3 of the LDAP protocol, upon which Directory Server bases its schema format.
LDAP client: Software used to request and view LDAP entries from an LDAP Directory Server.
Page 301
management information base: See MIB.
mapping tree: A data structure that associates the names of suffixes (subtrees) with databases.
master agent: See SNMP master agent.
matching rule: Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use.
Page 302
name collisions: Multiple entries with the same distinguished name.
nested role: Allows you to create roles that contain other roles.
network management application: Network Management Station component that graphically displays information about SNMP managed devices (which device is up or down, which and how many error messages were received, etc.).
network management station: See NMS.
Page 303
password file: A file on Unix machines that stores Unix user login names, passwords, and user ID numbers. It is also known as /etc/passwd, because of where it is kept.
password policy: A set of rules that govern how passwords are used in a given directory.
Page 304
RAM: Random access memory. The physical semiconductor-based memory in a computer. Information stored in RAM is lost when the computer is shut down.
rc.local: A file on Unix machines that describes programs that are run when the machine starts. It is also called /etc/rc.local because of its location.
Page 305
role: An entry grouping mechanism. Each role has members, which are the entries that possess the role.
role-based attributes: Attributes that appear on an entry because it possesses a particular role within an associated CoS template.
root: The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine.
Page 306
service: A background process on a Windows machine that is responsible for a particular system task. Service processes do not need human intervention to continue functioning.
SIE: Server Instance Entry.
Simple Network Management Protocol: See SNMP.
single-master replication: The most basic replication scenario, in which a single supplier server holds the read-write replica and replicates it to one or more consumer servers that hold read-only copies.
Page 307
superuser: The most privileged user available on Unix machines (also called root). The superuser has complete access privileges to all files on the machine.
supplier: Server containing the master copy of directory trees or subtrees that are replicated to consumer servers.
supplier server: In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.
Page 308
URL: Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is [protocol]://[machine:port]/[document]. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user of having to place it in the URL.