
Red Hat 8.1 User's Manual


Contents

1. -V  Prints the version of this script.

Table 7.32. repl-monitor.pl Options

Configuration File Format

The configuration file defines the following:
- The connection parameters for connecting to the LDAP servers to get replication information. Specifying this information is mandatory.
- The server alias, for more readable server names. Specifying this information is optional.
- The color thresholds for time lags. Specifying this information is optional.

The format for the configuration file is shown below:

    [connection]
    host:port:binddn:bindpwd:bindcert
    host:port:binddn:bindpwd:bindcert
    [alias]
    alias=host:port
    alias=host:port
    [color]
    lowmark=color
    lowmark=color

The connection section defines how this tool may connect to each LDAP server in the replication topology to get the replication agreement information. The default binddn is cn=Directory Manager. Simple bind will be used unless bindcert is specified with the path of a certificate database.

A server may have a dedicated or shared entry in the connection section. The script will find out the most matched entry for a given server. For example, if all the LDAP servers except host1 share the same binddn and bindpassword, the connection section will need to contain just two entries:

    [connection]
    *:*:binddn:bindpassword
    host1:*:binddn1:bindpassword1

In the optional alias section, use aliases such as Supp
2. 2.3.13. cn=SNMP

SNMP configuration attributes are stored under cn=SNMP,cn=config. The cn=SNMP entry is an instance of the nsSNMP object class.

2.3.13.1. nssnmpenabled

This attribute sets whether SNMP is enabled.

Entry DN: cn=SNMP,cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nssnmpenabled: off

2.3.13.2. nssnmporganization

This attribute sets the organization to which the Directory Server belongs.

Entry DN: cn=SNMP,cn=config
Valid Values: Organization name
Default Value:
Syntax: DirectoryString
Example: nssnmporganization: Red Hat, Inc.

2.3.13.3. nssnmplocation

This attribute sets the location within the company or organization where the Directory Server resides.

Entry DN: cn=SNMP,cn=config
Valid Values: Location
Default Value:
Syntax: DirectoryString
Example: nssnmplocation: B14

2.3.13.4. nssnmpcontact

This attribute sets the email address of the person responsible for maintaining the Directory Server.

Entry DN: cn=SNMP,cn=config
Valid Values: Contact email address
Default Value:
Syntax: DirectoryString
Example: nssnmpcontact: jerome@example.com

2.3.13.5. nssnmpdescription

Provides a unique description of the Directory Server instance.

Entry DN: cn=SNMP,cn=config
Valid Val
3. 3.6. Retro Changelog Plug-in Attributes  205
3.6.1. nsslapd-changelogdir  206
3.6.2. nsslapd-changelogmaxage (Max Changelog Age)  206
3.7. Distributed Numeric Assignment Plug-in Attributes  207
3.7.1. dnaFilter  207
3.7.2. dnaMagicRegen  207
3.7.3. dnaMaxValue  208
3.7.4. dnaNextRange  208
3.7.5. dnaNextValue  209
3.7.6. dnaPrefix  209
3.7.7. dnaRangeRequestTimeout  209
3.7.8. dnaScope  210
3.7.9. dnaSharedCfgDN  210
3.7.10. dnaThreshold  211
3.7.11. dnaType
3.8. MemberOf Plug-in Attri
4. ldapsearch

Option: Description

-e  Minimizes the base-64 encoding for the values of returned entries.

-F  Specifies a different separator. This option allows a separator other than a colon (:) to separate an attribute name from the corresponding value. For example: -F sp

-f  Specifies the file containing the search filters to be used in the search. For example: -f search_filters. Omit this option to supply a search filter directly to the command line. For more information about search filters, see Appendix B, "Finding Directory Entries", in the Directory Server Administrator's Guide.

-G  Conducts a virtual list view search. This option can set the number of entries before or after the search target and the index or value of the first entry returned. For example, a value operation that sorts by surname, -G 20:30:johnson, returns the first entry with a surname equal to or less than johnson, in addition to 20 entries that come before it and 30 entries that come after it. If there are fewer matching entries in the directory than the before or after number requested by the search, all available entries before/after the search target that match the search criteria are returned. An index operation which sorts by surname, -G 20:30:100:0, returns from the 80th through 130th entries sorted by sn. Use 0 as the fourth value (the count number) unless you know how many entries the VLV index has.

-H  Prints th
5. Example: passwordMinDigits: 3

2.3.1.133. passwordMinLength (Password Minimum Length)

This attribute specifies the minimum number of characters that must be used in Directory Server user password attributes. In general, shorter passwords are easier to crack. Directory Server enforces a minimum password of eight characters. This is long enough to be difficult to crack but short enough that users can remember the password without writing it down. This can be abbreviated to pwdMinLength. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.

Entry DN: cn=config
Valid Range: 2 to 512 characters
Default Value: 6
Syntax: Integer
Example: passwordMinLength: 6

2.3.1.134. passwordMinLowers (Password Syntax)

This attribute sets the minimum number of lower-case letters a password must contain.

Entry DN: cn=config
Valid Range: 0 to 64
Syntax: Integer
Example: passwordMinLowers: 1

2.3.1.135. passwordMinSpecials (Password Syntax)

This attribute sets the minimum number of special, or not alphanumeric, characters a password must contain.

Entry DN: cn=config
Valid Range: 0 to 64
Default Value: 0
Syntax: Integer
Example: passwordMinSpecials: 1

2.3.1.136. P
6. 2.3.1.60. nsslapd-idletimeout (Default Idle Timeout)

This attribute sets the amount of time, in seconds, after which an idle LDAP client connection is closed by the server. A value of 0 means that the server never closes idle connections. This setting applies to all connections and all users. Idle timeout is enforced when the connection table is walked, when poll() does not return zero. Therefore, a server with a single connection never enforces the idle timeout.

Use the nsIdleTimeout operational attribute, which can be added to user entries, to override the value assigned to this attribute. For details, see the "Setting Resource Limits Based on the Bind DN" section in the Directory Server Administrator's Guide.

NOTE: For very large databases with millions of entries, this attribute must have a high enough value that the online initialization process can complete, or replication will fail when the connection to the server times out. Alternatively, the nsIdleTimeout attribute can be set to a high value on the entry used as the supplier bind DN.

Entry DN: cn=config
Valid Range: 0 to the maximum 32-bit integer value (2147483647)
Default Value: 0
Syntax: Integer
Example: nsslapd-idletimeout: 0

2.3.1.61. nsslapd-instancedir (Instance Directory)

This attribute is deprecated. There are now separate configura
7. Database Attributes under cn=config,cn=ldbm database,cn=plugins,cn=config

3.4.1.15. nsslapd-db-page-size

This attribute specifies the size of the pages used to hold items in the database, in bytes. The minimum size is 512 bytes and the maximum size is 64 kilobytes. If the page size is not explicitly set, Directory Server defaults to a page size of 8 kilobytes. Changing this default value can have a significant performance impact. If the page size is too small, it results in extensive page splitting and copying, whereas if the page size is too large, it can waste disk space.

Before modifying the value of this attribute, export all databases using the db2ldif script. Once the modification has been made, reload the databases using the ldif2db script.

Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range: 512 bytes to 64 kilobytes
Default Value: 8KB
Syntax: Integer
Example: nsslapd-db-page-size: 8KB

3.4.1.16. nsslapd-db-spin-count

This attribute specifies the number of times that test-and-set mutexes should spin without blocking.

WARNING: Never touch this value unless you are very familiar with the inner workings of Berkeley DB or are specifically told to do so by Red Hat support.

Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range: 0 to 2^31-1
Default Value: 0
Syntax: Integer
Example: nsslapd-db-spin
8. Description: Task plug-in to reload schema files.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information:
Further Information:

Table 3.4. Details of Schema Reload Plug-in

3.1.32. Space Insensitive String Syntax Plug-in

Plug-in Name: Space Insensitive String Syntax
DN of Configuration Entry: cn=Space Insensitive String Syntax,cn=plugins,cn=config
Description: Syntax for handling space-insensitive values.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information: This plug-in enables the Directory Server to support space- and case-insensitive values. This allows applications to search the directory using entries with ASCII space characters. For example, a search or compare operation that uses JOHN Doe will match entries that contain johndoe, john doe, and John Doe if the attribute's schema has been configured to use the space-insensitive syntax. For more information about finding directory entries, refer to the "Finding Directory Entries" chapter in the Directory Server Administrator's Guide.
9. Valid Values: Any valid collation order object identifier (OID)
Default Value: None
Syntax: DirectoryString
Example: nsMatchingRule: 2.16.840.1.113730.3.3.2.3.1 (for Bulgarian)

3.4.5.6. nsSystemIndex

This mandatory attribute specifies whether the index is a system index, an index which is vital for Directory Server operations. If this attribute has a value of true, then it is system-essential. System indexes should not be removed, as this will seriously disrupt server functionality.

Entry DN: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Values: true | false
Default Value:
Syntax: DirectoryString
Example: nsSystemIndex: true

3.4.6. Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config

This section covers global, read-only entries for monitoring activity on the NetscapeRoot database. The attributes containing database statistics are given for each file that makes up the database. For further information, see the "Monitoring Server and Database Activity" chapter in the Directory Server Administrator's Guide.

dbfilename-number: This attribute gives the name of the file and provides a sequential integer identifier (starting at 0) for the file. All associated statistics for the file are given this same numerical identifier.

dbfilecachehit-number: This attribute gives the number of times that
10. 2. Examples and Formatting

Each of the examples used in this guide, such as file locations and commands, have certain defined conventions.

2.1. Command and File Examples

All of the examples for Red Hat Directory Server commands, file locations, and other usage are given for Red Hat Enterprise Linux 5 (32-bit) systems. Be certain to use the appropriate commands and files for your platform.

To start the Red Hat Directory Server:

    service dirsrv start

Example 1. Example Command

2.2. Tool Locations

The tools for Red Hat Directory Server are located in the /usr/bin and the /usr/sbin directories. These tools can be run from any location without specifying the tool location.

2.3. LDAP Locations

There is another important consideration with the Red Hat Directory Server tools. The LDAP tools referenced in this guide are Mozilla LDAP, installed with Red Hat Directory Server in the /usr/lib/mozldap directory on Red Hat Enterprise Linux 5 (32-bit) or /usr/lib64/mozldap for 64-bit systems.

However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the /usr/bin directory. It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL, which OpenLDAP tools use by default.

2.4. Text Formatting and Styles

Certain words are represented in different fonts, styles, and weights. Different character formatting is used to indicate the f
11. Default Setting:
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

3.1.25. Password Storage Schemes

The cn=Password Storage Schemes entry is a container entry, not a plug-in entry itself. All of the plug-ins used for encryption are stored under this entry. The supported schemes change as new encryption methods are added; to view the complete and current list, list the entries under cn=Password Storage Schemes,cn=plugins,cn=config:

    /usr/lib/mozldap/ldapsearch -D "cn=directory manager" -w secret12 -p 389 -b "cn=Password Storage Schemes,cn=plugins,cn=config" -s sub "(objectclass=*)"

The different password storage scheme plug-ins are stored in entries named in the format cn=Storage Scheme Name Plugin,cn=Password Storage Schemes,cn=plugins,cn=config. For more information on using the different password storage schemes, see the "User Account Management" chapter in the Directory Server Administrator's Guide.

CAUTION: Do not modify the configuration of the password scheme plug-ins. Red Hat recommends leaving these plug-ins running at all times.

Storage Scheme Name: Usage Notes
This encryption method is required for using SASL.
CRYPT: This storage scheme is not very secure and is included only for compatibility with legacy servers an
12. noactive: Do not permit mechanisms susceptible to active attacks.
nodict: Do not permit mechanisms susceptible to passive dictionary attacks.
forwardsec: Require forward secrecy.
passcred: Attempt to pass client credentials.
noanonymous: Do not permit mechanisms that allow anonymous access.
minssf: Require a minimum security strength. This option needs a numeric value specifying bits of encryption. A value of 1 means integrity is provided without privacy.
maxssf: Require a maximum security strength. This option needs a numeric value specifying bits of encryption. A value of 1 means integrity is provided without privacy.
maxbufsize: Set the maximum receive buffer size the client will accept when using integrity or privacy settings.

Table 6.7. Description of CRAM-MD5 Mechanism Options

Required or Optional | Option | Description | Example
Required | mech=DIGEST-MD5 | Gives the SASL mechanism. | -o mech=DIGEST-MD5
Optional | secprop=value | |
Required | authid=authid_value | Gives the ID used to authenticate to the server. authid_value can be the following: UID (for example, msmith); u:uid (for example, u:msmith); dn:dn_value (for example, dn:uid
13. Example: nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance_name/changelogdb

3.6.2. nsslapd-changelogmaxage (Max Changelog Age)

This attribute specifies the maximum age of any entry in the changelog. The changelog contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute is removed. If this attribute is absent, there is no age limit on changelog records, which is the default behavior since this attribute is not present by default.

NOTE: Expired changelog records will not be removed if there is an agreement that has fallen behind further than the maximum age.

Entry DN: cn=Retro Changelog Plugin,cn=plugins,cn=config
Valid Range: 0 (meaning that entries are not removed according to their age) to the maximum 32-bit integer value (2147483647)
Default Value: 0
Syntax: DirectoryString IntegerAgeID, where AgeID is s for seconds, m for minutes, h for hours, d for days, or w for weeks
Example: nsslapd-changelogmaxage: 30d

3.7. Distributed Numeric Assignment Plug-in Attributes

The Distributed Numeric Assignment Plug-in manages ranges of numbers and assigns unique numbers within that range to entries. By breaking number assignments in
14. Example: nsslapd-ldapilisten: off

2.3.1.69. nsslapd-ldapimaprootdn (Autobind Mapping for Root User)

With autobind, a system user is mapped to a Directory Server user and then automatically authenticated to the Directory Server over a UNIX socket. The root system user (the user with a UID of 0) is mapped to whatever Directory Server entry is specified in the nsslapd-ldapimaprootdn attribute.

Entry DN: cn=config
Valid Values: Any DN
Default Value: cn=Directory Manager
Example: nsslapd-ldapimaprootdn: cn=Directory Manager

2.3.1.70. nsslapd-ldapimaptoentries (Enable Autobind Mapping for Regular Users)

With autobind, a system user is mapped to a Directory Server user and then automatically authenticated to the Directory Server over a UNIX socket. This mapping is automatic for root users, but it must be enabled for regular system users through the nsslapd-ldapimaptoentries attribute. Setting this attribute to on enables mapping for regular system users to Directory Server entries. If this attribute is not enabled, then only root users can use autobind to authenticate to the Directory Server, and all other users connect anonymously.

The mappings themselves are configured through the nsslapd-ldapiuidnumbertype and nsslapd-ldapigidnumbertype attributes, which map Directory Server attributes to the user's UID and GUID numbers. Users can
15. -n  Specifies that the entries are not actually to be modified, but that ldapmodify is to show what it would do with the specified input.

-O  Specifies the maximum number of referral hops to follow. For example: -O 2

-R  Specifies that referrals are not to be followed automatically.

-v  Specifies that the utility is to run in verbose mode.

-V  Specifies the LDAP version number to be used on the operation. For example: -V 2. LDAPv3 is the default. An LDAPv3 operation cannot be performed against a Directory Server that only supports LDAPv2.

-Y  Specifies the proxy DN to use for the modify operation. This argument is provided for testing purposes. For more information about proxied authorization, see the "Managing Access Control" chapter in the Directory Server Administrator's Guide.

Table 6.14. Additional ldapmodify Options

6.6. ldapdelete

ldapdelete performs delete operations on directory entries via LDAP.

- Syntax
- Commonly Used ldapdelete Options
- SSL Options
- SASL Options
- Additional ldapdelete Options

Syntax

    ldapdelete [optional_options]

Commonly Used ldapdelete Options

Option: Description

-D  Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries. For example:
16. About This Reference

Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in an intranet, over an extranet with trading partners, or over the public Internet to reach customers.

This reference covers the server configuration and the command-line utilities. It is designed primarily for directory administrators and experienced directory users who want to use the command line to access the directory. After configuring the server, use this reference to help maintain it.

The Directory Server can also be managed through the Directory Server Console, a graphical user interface. The Red Hat Directory Server Administrator's Guide describes how to do this and explains individual administration tasks more fully.

1. Directory Server Overview

The major components of Directory Server include:
- An LDAP server: The LDAP v3-compliant network daemon.
- Directory Server Console: A graphical management console that dramatically reduces the effort of setting up and maintaining your directory service.
- SNMP agent: Can monitor the Directory Server using the Simple Network Management Protocol (SNMP).
17. Chapter 3. Plug-in Implemented Server Functionality Reference

Configurable Arguments: List of attributes (uid mail userPassword) followed by "," and then suffixes on which the check is to occur.
Dependencies: None
Performance Related Information: None
Further Information: If the Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off.

3.1.2. ACL Plug-in

Plug-in Name: ACL Plug-in
DN of Configuration Entry: cn=ACL Plugin,cn=plugins,cn=config
Description: ACL access check plug-in.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.
Further Information: See the "Managing Access Control" chapter in the Directory Server Administrator's Guide.

3.1.3. ACL Preoperation Plug-in

Plug-in Name: ACL Preoperation
DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config
Description: ACL access check plug-in.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: Database
Performance Related Information:
Further Information: Ac
18. To return operational attributes as a result of a search operation, they must be explicitly specified in the search command. To retrieve regular attributes along with explicitly specified operational attributes, specify an asterisk (*) in addition to the operational attributes.

Commonly Used ldapsearch Options

Table 6.3, "Commonly Used ldapsearch Options", lists the most commonly used ldapsearch command-line options. The most common ldapsearch usage specifies the host and port number, bind DN and password, scope, base DN, and a filter that returns every entry under the search base:

    ldapsearch -b basedn -s sub -h host -p port -D binddn -w password "(objectclass=*)"

Option: Description

-b  Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks. For example: -b "cn=Barbara Jensen,ou=Product Development,dc=example,dc=com". The root DSE entry is a special entry that contains a list of all the suffixes supported by the local directory. To search this entry, supply a search base of "", a search scope of base, and a filter of (objectclass=*). For example: -b "" -s base "(objectclass=*)"

-D  Specifies the distinguished name with which
19. Sets whether to delete existing databases before beginning replication.
replicaNickname: Identifies the name for the replication agreement.
replicaEntryFilter: Identifies the entries to be replicated.
replicatedAttributeList: Identifies the attribute list to be replicated.
replicaCFUpdated: Stores the status of copiedFrom.
replicaAbandonedChanges: Contains change numbers which are not replicated.
replicaLastRelevantChange: Stores the last relevant change.

2.5.2.15. replicaAbandonedChanges

This attribute contains change numbers for modifications or entries which are not replicated.

OID: 2.16.840.1.113730.3.1.218
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server

2.5.2.16. replicaBeginOrc

For online replication creation (ORC), the consumer server can dump its entire database and allows the supplier to send it completely fresh information. The replicaBeginOrc attribute sets whether the consumer deletes its database. Its values are either start or stop.

OID: 2.16.840.1.113730.3.1.50
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server

2.5.2.17. replicaBindDn

For consumer-initiated replication, this attribute gives the username for the server to bind to the supplier as.

OID: 2.16.840.1.113730.3.1.58
Syntax: DN
Multi- or Single-Valued:
20. -u refreshUrl -t refreshInterval -r -V

Options

Option: Description

-f configFile  Specifies the absolute path to the configuration file which defines the connection parameters used to connect to LDAP servers to get replication information. For more information about the configuration file, see Configuration File Format.

-h host  Specifies the initial replication supplier's host. The default value is the current hostname.

-p port  Specifies the initial replication supplier's port. The default value is 389.

-r  If specified, causes the routine to be entered without printing the HTML header information. This is suitable when making multiple calls to this routine, such as specifying multiple different unrelated supplier servers and expecting a single HTML output.

-t refreshInterval  Specifies the refresh interval in seconds. The default value is 300 seconds. This option must be used with the -u option.

-u refreshUrl  Specifies the refresh URL. The output HTML file may invoke a CGI program periodically. If this CGI program in turn calls this script, the effect is that the output HTML file would automatically refresh itself. This is useful for continuous monitoring. See also the -t option.

The script has been integrated into Red Hat Administration Express, so that the replication status can be monitored through a web browser.
21. Index

nsslapd-db-page-rw-evict-rate attribute, 188
nsslapd-db-page-size attribute, 173
nsslapd-db-page-trickle-rate attribute, 188
nsslapd-db-page-write-rate attribute, 188
nsslapd-db-pages-in-use attribute, 188
nsslapd-db-spin-count attribute, 173
nsslapd-db-transaction-batch-val attribute, 173
nsslapd-db-trickle-percentage attribute, 174
nsslapd-db-txn-region-wait-rate attribute, 188
nsslapd-db-verbose attribute, 175
nsslapd-dbcachesize attribute, 168
nsslapd-dbncache attribute, 175
nsslapd-directory attribute, 176, 180
nsslapd-ds4-compatible-schema attribute, 28
nsslapd-errorlog attribute, 29
nsslapd-errorlog-level attribute, 30
nsslapd-errorlog-list attribute, 31
nsslapd-errorlog-logexpirationtime attribute, 31
nsslapd-errorlog-logexpirationtimeunit attribute, 31
nsslapd-errorlog-logging-enabled attribute, 32
nsslapd-errorlog-logmaxdiskspace attribute, 32
nsslapd-errorlog-logminfreediskspace attribute, 32
nsslapd-errorlog-logrotationsync-enabled attribute, 33
nsslapd-errorlog-logrotationsynchour attribute, 33
nsslapd-errorlog-logrotationsyncmin attribute, 34
nsslapd-errorlog-logrotationtime attribute, 34
nsslapd-errorlog-logrotationtimeunit attribute, 34
nsslapd-errorlog-maxlogsize attribute, 35
nsslapd-errorlog-maxlogsperdir attribute, 35
nsslapd-errorlog-mode attribute, 36
nsslapd-groupvalnestlevel attribute, 36
nsslapd-idletimeout attribute, 37
nsslapd-idlistscanlimit attribute, 166
nsslapd-import-cache-autosize att
22. Additional ldapdelete Options

Option: Description

-c  Specifies that the utility must run in continuous operation mode. Errors are reported, but the utility continues with deletions. The default is to quit after reporting an error.

-f  Specifies the file containing the distinguished names of entries to be deleted. For example: -f modify_statements. Omit this option to supply the distinguished name of the entry to be deleted directly to the command line.

-H  Lists all available ldapdelete options.

-M  Manages smart referrals. This causes the server not to return the smart referral contained on the entry, but instead to delete the actual entry containing the smart referral. For more information about smart referrals, see the "Configuring Directory Databases" chapter in the Directory Server Administrator's Guide.

-n  Specifies that the entries are not actually to be deleted, but that ldapdelete is to show what it would do with the specified input.

-O  Specifies the maximum number of referral hops to follow. For example: -O 2. There is no maximum number of referral hops.

-R  Specifies that referrals are not to be followed automatically. By default, the server follows referrals.

-v  Specifies that the utility is to run in verbose mode.

-V  Specifies the LDAP version number to be used on the operation. For example: -V 2. LDAPv3 is the default. An LDAPv3 oper
23. Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events. It is compatible with log formats from previous releases of Directory Server. For information on access logs, see Section 5.1, "Access Log Reference".

NOTE: logconv.pl is in the /usr/bin directory.

The tool will extract the following information from access logs:
- Number of restarts
- Total number of connections
- Total operations requested
- FDs (file descriptors) taken
- FDs returned
- Highest FD taken
- Total results returned
- Disruptions
- Results to requests ratio
- Broken pipes
- Number of searches
- Connections reset by peer
- Number of modifications
- Unavailable resources (and detail)
- Number of adds
- Total binds and types of binds
- Number of deletes
- Most frequent occurrence lists (optional)
- Number of modified RDNs
- Error and return codes
- Persistent searches
- Failed logins
- Internal operations (with verbose logs)
- Connection codes
- Entry operations (with verbose logs)
- Client IP addresses and connection codes
- Extended operations
- Bind DNs
- Abandoned requests
- Base DNs for searching
- Smart referrals received (verbose logs)
- Search filters
- VLV (virtual list view) operations
- VLV unindexed searches
- Server-side sorting operations
- Etimes (elapsed operation time)
- Longest etimes
- Nentries (number of entries in result)
- SSL connections
- Largest Nentries
- Perfo
24. Description: Any valid path to the directory storing the changelog
Default Value: None
Syntax: DirectoryString
Example: nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance_name/changelogdb

2.3.2.2. nsslapd-changelogmaxage (Max Changelog Age)

This attribute sets the maximum age of any entry in the changelog. The changelog contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute is removed. If this attribute is absent, there is no age limit on changelog records. For information on the changelog, see Section 2.3.2.1, "nsslapd-changelogdir".

The server has to be restarted for changes to this attribute to go into effect.

Entry DN: cn=changelog5,cn=config
Valid Range: 0 (meaning that entries are not removed according to their age) to the maximum 32-bit integer (2147483647)
Default Value: 0
Syntax: DirectoryString IntegerAgeID, where AgeID is s for seconds, m for minutes, h for hours, d for days, and w for weeks
Example: nsslapd-changelogmaxage: 30d

2.3.2.3. nsslapd-changelogmaxentries (Max Changelog Records)

This attribute sets the maximum number of records the changelog may contain. If this attribute is absent, there is no maximum number of records the changelog can contain. For information
25. Description:
- secProp: the security properties
- realm: the Kerberos realm
- flags
The expected values depend on the supported mechanism. The -o can be used multiple times to pass all of the required SASL information for the mechanism. For example:
-o mech=DIGEST-MD5 -o authzid=test_user -o authid=test_user
Table 6.6. SASL Options

There are three SASL mechanisms supported in Red Hat Directory Server:
- CRAM-MD5, described in Table 6.7, "Description of CRAM-MD5 Mechanism Options"
- DIGEST-MD5, described in Table 6.8, "Description of DIGEST-MD5 SASL Mechanism Options"
- GSSAPI, described in Table 6.9, "Description of GSSAPI SASL Mechanism Options"

Option (Required or Optional): Description. Example.
mech=CRAM-MD5 (Required): Gives the SASL mechanism. Example: -o mech=CRAM-MD5
authid=authid_value (Required): Gives the ID used to authenticate to the server. authid_value can be the following: UID, for example msmith; u:uid, for example u:msmith; dn:dn_value, for example dn:uid=msmith,ou=People,o=example.com. Example: -o authid="dn:uid=jsmith,ou=People,dc=example,dc=com"
secprop=value (Optional): The secprop attribute sets the security properties for the connection. The secprop value can be any of the following: None; noplain: Do not permit mechanisms susceptible to simple passive attack. Example: -o secprop=noplain,minssf=1,maxbufsize=512
26. Syntax:
migrate-ds.pl --oldsroot server_directory --actualsroot server_directory --instance instance_name --file name --cross --debug --log name General.ConfigDirectoryAdminPwd=password

Options (with alternate options) and descriptions:
General.ConfigDirectoryAdminPwd=password: Required. This is the password for the configuration directory administrator of the old Directory Server; the default username is admin.
--oldsroot: Required. This is the path to the server root directory in the old 7.1 Directory Server installation. The default path in 7.1 servers is /opt/redhat-ds.
--actualsroot: This is used for migrating between two machines, to specify the real path to the current server root directory in the old 7.1 Directory Server installation, if that directory is mounted on a networked drive or tarballed and moved to a relative directory. In that case, the --oldsroot parameter sets the directory from which the migration is run, such as /machine_new/migrate/opt/redhat-ds, while the --actualsroot parameter sets the server root, /opt/redhat-ds.
--instance (alternate: -i): This parameter specifies a specific instance to migrate. This parameter can be used multiple times to migrate several instances simultaneously. By default, the migration script migrates all Directory Server instances on the machine.
--file name (alternate: -f name): This se
27. Syntax:
ds_removal -f -s instance_name -w manager_password
Options:
-f: Forces the removal of the instance. This can be useful if the instance is not running but must be removed anyway.
-s instance_name: The name of the instance to remove.
-w manager_password: The Directory Manager password to use to bind to the instance.

7.3.8. ldif2db (Import)
Runs the ns-slapd command-line utility with the ldif2db keyword. To run this script, the server must be stopped. Ellipses (...) indicate that multiple occurrences are allowed. For information on the equivalent Perl script, see Section 7.4.7, "ldif2db.pl (Import)".
NOTE: ldif2db supports LDIF version 1 specifications. An attribute can also be loaded using the :<URL specifier notation, for example:
jpegphoto:< file:///tmp/myphoto.jpg
Although the official notation requires three ///, the use of one / is accepted. For further information on the LDIF format, see the "Managing Directory Entries" chapter in the Red Hat Directory Server Administrator's Guide.
Syntax:
ldif2db -n backendInstance -s includeSuffix -x excludeSuffix -i ldifFile -O -g string -G namespaceId -E
Options:
-c: Merges chunk size.
-E: Encrypts data during import. This option is used only if database encryption is enabled.
-g string: Generates a unique ID. Type n
28. The nsslapd-db-checkpoint-interval attribute is absent from dse.ldif. To change the checkpoint interval, add the attribute to dse.ldif. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, see the "Tuning Directory Server Performance" chapter in the Directory Server Administrator's Guide.
This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Red Hat technical support or Red Hat professional services. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable.
For more information on database transaction logging, refer to the "Monitoring Server and Database Activity" chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range: 10 to 300 seconds
Default Value: 60
Syntax: Integer
Example: nsslapd-db-checkpoint-interval: 120

3.4.1.7. nsslapd-db-circular-logging
This attribute specifies circular logging for the transaction log files. If this attribute is switched off, old transaction log files are not removed and are kept renamed as old log transaction files. Turning circular logging off can severely degrade server performance and, as such, should only be modifi
29. ...to restore a single database; it is not necessary to use the -n option to restore the entire directory.
Table 7.4. bak2db Options
For information on the equivalent Perl script, see Section 7.4.1, "bak2db.pl (Restores a Database from Backup)". For more information on restoring databases, see the "Populating Directory Databases" chapter in the Red Hat Directory Server Administrator's Guide. For more information on using filesystem replica initialization, see the "Managing Replication" chapter in the Red Hat Directory Server Administrator's Guide.

7.3.2. cl-dump (Dumps and Decodes the Changelog)
Troubleshoots replication-related problems. cl-dump is a shell script wrapper of cl-dump.pl to set the appropriate library path.
Syntax:
cl-dump -h host -p port -D bindDn -w bindPassword -P bindCert -r replicaRoots -o outputFile -c -v
cl-dump -i changelogFile -o outputFile -c
Options:
Without the -i option, the script must be run when the Directory Server is running, from a location from which the server's changelog directory is accessible.
-c: Dumps and interprets CSN only. This option can be used with or without the -i option.
-D bindDn: Specifies the Directory Server's bind DN. Defaults to cn=Directory Manager if the option is omitted.
-h host: Specifies the Directory Server's host. This defaults to the server wher
30. ...-f file -l number_of_ldap_connections entryfile
Commonly Used ldapmodify Options:
-a: Adds LDIF entries to the directory without requiring the changetype: add LDIF update statement. This provides a simplified method of adding entries to the directory. This option also allows directly adding a file created by ldapmodify.
-B: Specifies the suffix under which the new entries will be added.
-D: Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries. For example: -D "uid=bjensen,dc=example,dc=com". This option cannot be used with the -N option.
-f: Option that specifies the file containing the LDIF update statements used to define the directory modifications. For example: -f modify_statements. If this option is not supplied, the update statements are read from stdin. For information on supplying LDIF update statements from the command line, see the "Creating Directory Entries" chapter in the Directory Server Administrator's Guide.
-g: Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests. The ldapmodify tool can parse and display information from the response control if it is ret
31. jpegPhoto: /tmp/photo.jpeg
ldapmodify reads the contents of the photo.jpeg file into the jpegPhoto attribute being added to the entry. As an alternative to the -b option, use the :<URL specifier notation, which is simpler. For example:
jpegphoto:< file:///tmp/myphoto.jpg
Although the official notation requires three ///, the use of one / is accepted.
NOTE: The :<URL specifier notation only works if the LDIF statement is version 1 or later, meaning version: 1 is inserted in the LDIF file. Otherwise, the file URL is appended as the attribute value rather than the contents of the file. For further information on the LDIF format, see the "Managing Directory Entries" chapter in the Directory Server Administrator's Guide.
-c: Specifies that the utility run in continuous operation mode. Errors are reported, but the utility continues with modifications. The default is to quit after reporting an error.
-H: Lists all available ldapmodify options.
-M: Manages smart referrals. This causes the server not to return the smart referral contained on the entry but instead to apply the modification request directly to the entry. Use this option to add, change, or delete a directory entry that contains a smart referral. For more information about smart referrals, see the "Configuring Directory Databases" chapter in the Directory Server Administrator's Guide.
32. ...which returns size limit exceeded for every search.
Entry DN: cn=config
Valid Range: -1 to the maximum 32-bit integer value (2147483647)
Default Value: 2000
Syntax: Integer

2.3.1.104. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
This attribute sets whether an SSL-enabled Directory Server should verify authenticity of a request by matching the hostname against the value assigned to the common name (cn) attribute of the subject name (subjectDN field) in the certificate being presented. By default, the attribute is set to on. If it is on and if the hostname does not match the cn attribute of the certificate, appropriate error and audit messages are logged.
For example, in a replicated environment, messages similar to the following are logged in the supplier server's log files if it finds that the peer server's hostname does not match the name specified in its certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] - NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
Red Hat recommends
33. 2.3.1.94. nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
This attribute sets the encryption method used for the root password.
Entry DN: cn=config
Valid Values: Any encryption method as described in Section 2.3.1.142, "passwordStorageScheme (Password Storage Scheme)"
Default Value: SSHA
Syntax: DirectoryString
Example: nsslapd-rootpwstoragescheme: SSHA

2.3.1.95. nsslapd-saslpath
Sets the absolute path to the directory containing the Cyrus-SASL SASL2 plug-ins. On HP-UX systems, the Directory Server cannot use the system SASL libraries because they are either not provided or are not the correct version. Setting this attribute allows the server to use custom or non-standard SASL plug-in libraries. This is usually set correctly during installation, and Red Hat strongly recommends not changing this attribute. If the attribute is not present or the value is empty, this means the Directory Server is using the system-provided SASL plug-in libraries, which are the correct version.
If this parameter is set, the server uses the specified path for loading SASL plug-ins. If this parameter is not set, the server uses the SASL_PATH environment variable. If neither nsslapd-saslpath nor SASL_PATH is set, the server attempts to load SASL plug-ins from the default location, /usr/lib/sasl2. Chang
34. passwordMinAlphas: Sets the minimum number of alphabetic characters that must be used in the password.
passwordMinUppers: Sets the minimum number of upper-case alphabetic characters (A to Z) which must be used in the password.
passwordMinLowers: Sets the minimum number of lower-case alphabetic characters (a to z) which must be used in the password.
passwordMinSpecials: Sets the minimum number of special ASCII characters which must be used in the password.
passwordMin8bit: Sets the minimum number of 8-bit characters used in the password.
passwordMaxRepeats: Sets the maximum number of times that the same character can be used in a row.
passwordMinCategories: Sets the minimum number of categories which must be used in the password.
passwordMinTokenLength: Sets the length to check for trivial words.

2.5. Legacy Attributes
The attributes were standard with Directory Server 4.x and older. These are still included with the schema for compatibility but are not used by current versions of the Directory Server.

2.5.1. Legacy Server Attributes
These attributes were originally used to configure the server instance entries for Directory Server 4.x and older servers.

2.5.1.1. LDAPServer (Object Class)
This object class identifies the LDAP server information. It is defined by Directory Server.
Superior Class: top
OID: 2.16.840.1.113730.3.2.35
Required A
35. Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

3.1.7. Case Exact String Syntax Plug-in
Plug-in Name: Case Exact String Syntax
DN of Configuration Entry: cn=Case Exact String Syntax,cn=plugins,cn=config
Description: Syntax for handling case-sensitive strings
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

3.1.8. Case Ignore String Syntax Plug-in
Plug-in Name: Case Ignore String Syntax
DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config
Description: Syntax for handling case-insensitive strings
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

3.1.9. Chaining Database
36. Default Value:
Syntax: Case-exact string
Example: nsTaskLog: example

nsTaskExitCode
This attribute contains the exit code for the task. This attribute only exists after the task is completed, and any value is only valid if the task is complete. The result code can be any LDAP exit code, as listed in Section 5.4, "LDAP Result Codes", but only a value of 0 equals success; any other result code is an error.
This attribute value is set by the server and should not be edited.
Entry DN: cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values: 0 (Success) to 97
Default Value:
Syntax: Integer
Example: nsTaskExitCode: 0 (any response other than 0 is an error)

nsTaskCurrentItem
This attribute shows the number of subtasks which the task operation has completed, assuming the task can be broken down into subtasks. If there is only one task, then nsTaskCurrentItem is 0 while the task is running and 1 when the task is complete. In this way, the attribute is analogous to a progress bar. When the nsTaskCurrentItem attribute has the same value as nsTaskTotalItems, then the task is completed.
This attribute value is set by the server and should not be edited.
Entry DN: cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values: 0 to the maximum 32-bit integer value (2147483647)
Default Value:
Syntax: Integer
Example: nsTas
37. ...Displaying the Index Keys and the All IDs with More Than 20 IDs in sn.db4

dbscan -s -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/objectclass.db4
Example 6.11. Displaying the Summary of objectclass.db4

dbscan -r -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/vlv#bymccoupeopledcpeopledccom.db4
Example 6.12. Displaying VLV Index File Contents

dbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/cia2fc02-1d11b2-8018afa7-Fdce000_424c8a000F00.db4
Example 6.13. Displaying the Changelog File Contents

dbscan -R -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/uid.db4
Example 6.14. Dumping the Index File uid.db4 with Raw Mode

In this example, the common name key is hr managers, and the equals sign (=) means the key is an equality index.
dbscan -k =hr%20managers -r -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/cn.db4
=hr%20managers 7
Example 6.15. Displaying the entryID with the Common Name Key hr managers

dbscan -K 7 -f id2entry.db4
id 7
dn: cn=HR Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Manager
ou: groups
description: People who can manage HR entries
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20050408230424Z
modifyTimestamp: 20050408230424Z
nsUniqueId: 8b465f73-1dd211b2-807fd340-d7f40000
parentid: 3
entryid: 7
entrydn: cn=hr managers,ou=groups
38. Glossary
A
access control instruction: See ACI.
access control list: See ACL.
access rights: In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy, and all.
account inactivation: Disables a user account, group of accounts, or an entire domain so that all authentication attempts are automatically rejected.
ACI: An instruction that grants or denies permissions to entries in the directory. See Also access control instruction.
ACL: The mechanism for controlling access to your directory. See Also access control list.
All IDs Threshold: Replaced with the ID list scan limit in Directory Server version 7.1. A size limit which is globally applied to every index key managed by the server. When the size of an individual ID list reaches this limit, the server replaces that ID list with an All IDs token. See Also ID list scan limit.
All IDs token: A mechanism which causes the server to assume that all directory entries match the index key. In effect, the All IDs token causes the server to behave as if no index was available for the search request.
anonymous access: When granted, allows anyone to access directory information wi
approximate index
attribute
attribute list
authenticating directory server
39. Syntax: DirectoryString
Example: vlvBase: ou=People,dc=example,dc=com

3.4.3.8. vlvEnabled
This attribute sets whether the browsing or virtual list view (VLV) index is enabled. For more information on VLV indexes, see the indexing chapter in the Administrator's Guide.
NOTE: This attribute is only available to user databases, like userRoot, not configuration databases, like o=NetscapeRoot.
Entry DN: cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
Valid Values: 0 (disabled) | 1 (enabled)
Default Value:
Syntax: DirectoryString

3.4.3.9. vlvFilter
The browsing or virtual list view (VLV) index is created by running a search according to a filter and including entries which match that filter in the index. The filter is specified in the vlvFilter attribute. For more information on VLV indexes, see the indexing chapter in the Administrator's Guide.
NOTE: This attribute is only available to user databases, like userRoot, not configuration databases, like o=NetscapeRoot.
Entry DN: cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
Valid Values: Any valid LDAP filter
Default Value:
Syntax: DirectoryString
Example: vlvFilter
40. ...a 24-hour clock. The Z at the end indicates that the time is relative to Greenwich Mean Time.
Default Value:
Syntax: GeneralizedTime
Example: nsDS5ReplicaLastInitEnd: 20090504121603Z

2.3.8.10. nsDS5ReplicaLastInitStart
This optional read-only attribute states when the initialization of the consumer replica started.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with a 24-hour clock. The Z at the end indicates that the time is relative to Greenwich Mean Time.
Default Value:
Syntax: GeneralizedTime
Example: nsDS5ReplicaLastInitStart: 20090503030405

2.3.8.11. nsDS5ReplicaLastInitStatus
This optional read-only attribute provides status for the initialization of the consumer. There is typically a numeric code followed by a short string explaining the status. Zero (0) means success.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: 0 (Consumer Initialization Succeeded), followed by any other status message
Default Value:
Syntax: String
Example: nsD
41. dbverify: DB->verify: db/mstest2/uid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file uid.db4 in db/mstest2 is corrupted.
Please run db2index.pl for reindexing.
Run db2index -t uid to avoid rebuilding all of the indexes, or export and reimport all of the databases using db2ldif and ldif2db.

dbverify is a shell script wrapper of verify-db.pl to set the appropriate library path.
Syntax:
dbverify -a path_to_database_directory
Options:
-a path: Gives the path to the database directory. If this option is not passed with the verify-db.pl command, then it uses the default database directory, /var/lib/dirsrv/slapd-instance_name/db.
Table 7.8. dbverify Options
For information on the equivalent Perl script, see Section 7.4.21, "verify-db.pl (Check for Corrupt Databases)".

7.3.7. ds_removal
The ds_removal tool removes a single instance of Directory Server. The server instance usually must be running when this script is run, so that the script can bind to the instance. It is also possible to force the script to run, which may be necessary if there was an interrupted installation process or the instance is corrupted or broken so that it cannot run.
When the instance is removed, it is shut down and all of its configuration files are removed. Certificate database files, like cert8.db and key3.db, are not removed, so the remaining instance directory is renamed removed-slapd-instance.
42. ...entries in the cn=config configuration file.
Syntax:
db2index.pl -v -D rootdn -w password -W -j filename -n backendInstance -t attributeName[:indextypes[:matchingrules]] -T vlvAttributeName
Options:
The script db2index.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option.
-D rootdn: Gives the user DN with root permissions, such as Directory Manager.
-j filename: The name of the file containing the password.
-n backendInstance: Gives the instance to be indexed. If the instance is not specified, the script reindexes all instances.
-t attributeName[:indextypes[:matchingrules]]: Gives the name of the attribute to be indexed. If omitted, all the indexes defined for the specified instance are generated. Optionally, this can include the index type (eq, pres, sub, approx) and a matching rule OID.
-T vlvAttributeName: Gives the names of the VLV attributes to be reindexed. The name is the VLV index object's common name in cn=config.
-v: Verbose mode.
-w password: Gives the password associated with the user DN.
-W: Prompts for the password associated with the user DN.
Table 7.21. db2index.pl Options

7.4.5. db2ldif.pl (Exports Database Contents to LDIF)
Exports the contents of the database to LDIF. This script creates an entry in the directory that launches this dynamic task. The entry is genera
43. ...increasing the number of -d's increases the debug level.
--logfile name (alternate: -l): This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null.

7.4.16. remove-ds.pl
The remove-ds.pl script removes a single instance of Directory Server. The server instance usually must be running when this script is run, so that the script can bind to the instance. It is also possible to force the script to run, which may be necessary if there was an interrupted installation process or the instance is corrupted or broken so that it cannot run.
When the instance is removed, it is shut down and all of its configuration files are removed. Certificate database files, like cert8.db and key3.db, are not removed, so the remaining instance directory is renamed removed-slapd-instance.
Syntax:
remove-ds.pl -f -i instance_name
Options:
-f: Forces the removal of the instance. This can be useful if the instance is not running but must be removed anyway.
-i instance_name: The name of the instance to remove.

7.4.17. repl-monitor.pl (Monitors Replication Status)
Shows in-progress status of replication.
NOTE: repl-monitor.pl is in the /usr/bin directory.
Syntax:
repl-monitor.pl -h host -p port -f configFile
44. ...(no limit) to maximum 32-bit integer (2147483647) entries
Default Value: 2000
Syntax: Integer
Example: nsslapd-sizelimit: 2000

3.5.2.13. nsTimeLimit
This attribute shows the default search time limit for the database link.
Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range: -1 to maximum 32-bit integer (2147483647) seconds
Default Value: 3600
Example: nsslapd-timelimit: 3600

3.5.3. Database Link Attributes under cn=database_link_name,cn=chaining database,cn=plugins,cn=config
This information node stores the attributes concerning the server containing the data. A farm server is a server which contains data on databases. This attribute can contain optional servers for failover, separated by spaces. For cascading chaining, this URL can point to another database link.

3.5.3.1. nsBindMechanism
This attribute sets a bind mechanism for the farm server to connect to the remote server. A farm server is a server containing data in one or more databases. This attribute configures the connection type, either standard, SSL, or SASL.
- empty: This performs simple authentication and requires the nsMultiplexorBindDn and nsMultiplexorCredentials attributes to give the bind information.
- EXTERNAL: This uses an SSL certificate to authenticate the farm server to the remote s
45. nsDS5ReplicaChangeCount, 81
nsDS5ReplicaChangesSentSinceStartup, 87
nsDS5ReplicaCredentials, 87
nsDS5ReplicaHost, 87
nsDS5ReplicaID, 81
nsDS5ReplicaLastInitEnd, 88
nsDS5ReplicaLastInitStart, 88
nsDS5ReplicaLastInitStatus, 88
nsDS5ReplicaLastUpdateEnd, 89
nsDS5ReplicaLastUpdateStart, 89
nsDS5ReplicaLastUpdateStatus, 90
nsDS5ReplicaLegacyConsumer, 81
nsDS5ReplicaName, 82
nsDS5ReplicaPort, 90
nsDS5ReplicaPurgeDelay, 82
nsDS5ReplicaReapActive, 90
nsDS5ReplicaReferral, 83
nsDS5ReplicaRoot, 83
nsDS5ReplicaSessionPauseTime, 91
nsDS5ReplicatedAttributeList, 92
nsDS5ReplicaTimeout, 92
nsDS5ReplicaTombstonePurgeInterval, 83
nsDS5ReplicaTransportInfo, 93
nsDS5ReplicaType, 84
nsDS5ReplicaUpdateInProgress, 93
nsDS5ReplicaUpdateSchedule, 93
nsds5Task, 85
nsDumpUniqId, 114
nsExcludeSuffix, 109, 112
nsExportReplica, 113
nsFilename, 109, 112
nsImportChunkSize, 110
nsImportIndexAttrs, 110
nsIncludeSuffix, 109, 112
nsIndexAttribute, 117
nsIndexVLVAttribute, 117
nsInstance, 109, 112
nsNoWrap, 114
nsPrintKey, 113
nsruvReplicaLastModified, 94
nsSaslMapBaseDNTemplate, 99
nsSaslMapFilterTemplate, 100
nsSaslMapRegexString, 100
nsslapd-accesslog, 11
nsslapd-accesslog-level, 11
nsslapd-accesslog-list, 12
nsslapd-accesslog-logbuffering, 12
nsslapd-accesslog-logexpirationtime, 13
nsslapd-accesslog-logexpirationtimeunit, 13
nsslapd-accesslog-logging-enabled, 13
nsslapd-accesslog-logmaxdiskspace, 14
nsslapd-accesslog-logminfreedisksp
46. nsruvReplicaLastModified: Contains the most recent time that an entry in the replica was modified and the changelog was updated.

2.4.8. nsDSWindowsReplicationAgreement (Object Class)
Stores the synchronization attributes that concern the synchronization agreement. Information on the attributes for this object class is in chapter 2 of the Red Hat Directory Server Configuration, Command, and File Reference.
This object class is defined in Directory Server.
Superior Class: top
OID: 2.16.840.1.113730.3.2.503
Required Attributes:
objectClass: Defines the object classes for the entry.
cn: Gives the name of the synchronization agreement.
Allowed Attributes:
description: Contains a text description of the synchronization agreement.
nsDS5BeginReplicaRefresh: Initiates a manual synchronization.
nsds5debugreplicatimeout: Gives an alternate timeout period to use when the synchronization is run with debug logging.
nsDS5ReplicaBindDN: Specifies the DN to use when the Directory Server binds to the Windows server.
nsDS5ReplicaBindMethod: Specifies the method (SSL or simple authentication) to use for binding.
nsDS5ReplicaBusyWaitTime: Specifies the amount of time in seconds the Directory Server should wait after the Windows server sends back a busy response before making another attempt to acquire access.
nsDS5ReplicaChangesSentSinceSt
47. restart-slapd (Restarts the Directory Server)
Restarts the Directory Server.
Syntax:
restart-slapd
Options: There are no options for this script.
Exit Status:
0: Server restarted successfully.
1: Server could not be started.
2: Server restarted successfully (but was already stopped).
3: Server could not be stopped.
Table 7.13. restart-slapd Exit Status Codes

7.3.14. restoreconfig (Restores Administration Server Configuration)
Restores, by default, the most recently saved Administration Server configuration information to the NetscapeRoot partition under the /etc/dirsrv/slapd-instance_name directory.
To restore the Administration Server configuration, do the following:
1. Stop the Directory Server.
2. Run the restoreconfig script.
3. Restart the Directory Server.
4. Restart the Administration Server for the changes to be taken into account.
Syntax:
restoreconfig
Options: There are no options for this script.

7.3.15. saveconfig (Saves Administration Server Configuration)
Saves Administration Server configuration information to the /var/lib/dirsrv/slapd-instance_name/bak directory. This script will only run if the server is running.
Syntax:
saveconfig
Options: There are no options for this script.

7.3.16. start-slapd (Starts the Directory Server)
Starts the Directory Server. It might be a good idea to check whether the server ha
48. ...set, then the memberOf attribute is regenerated for every entry in the subtree.
-j filename: The name of the file containing the password.
-v: Verbose mode.
-w password: The password associated with the user DN.
-W: Prompts for the password associated with the user DN.
Table 7.23. fixup-memberof.pl Options

7.4.7. ldif2db.pl (Import)
To run this script, the server must be running. The script creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option. Ellipses (...) indicate that multiple occurrences are allowed.
Syntax:
ldif2db.pl -v -D rootdn -w password -W -j filename -n backendInstance -s includeSuffix -x excludeSuffix -O -c -g string -G namespaceId -i filename -E
Options:
-c: Merges chunk size.
-D rootdn: Specifies the user DN with root permissions, such as Directory Manager.
-E: Decrypts encrypted data during export. This option is used only if database encryption is enabled.
-g string: Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated. When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use, as follows: -g deterministic -G namespaceId
49. ... this attribute generates time-based IDs.

Parameter      Description
Entry DN       cn=task_name,cn=import,cn=tasks,cn=config
Valid Values   none (no unique ID); empty (time-based ID); deterministic namespace (name-based ID)
Default Value  empty
Syntax         Case-insensitive string
Example        nsUniqueIdGenerator:

nsUniqueIdGeneratorNamespace

This attribute defines how to generate name-based IDs; the attribute sets the namespace to use to generate the IDs. This option is useful to import the same LDIF file into two Directory Server instances when the entries need to have the same IDs.

Parameter      Description
Entry DN       cn=task_name,cn=import,cn=tasks,cn=config
Valid Values   Any string
Default Value
Syntax         Case-insensitive string
Example        nsUniqueIdGeneratorNamespace: example

2.3.15.3 cn=export

A database or multiple databases can be exported through the command line by creating a special task entry which defines the parameters of the task and initiates the task. As soon as the task is complete, the task entry is removed from the directory.

The cn=export entry is a container entry for export task operations. The cn=export entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID,cn=export,cn=tasks,cn=config, uses the following attributes to define the export task. An export task entry under cn=export must contain t
50. -D bindDN    ... to authenticate to the server. This option is optional if anonymous access is supported by the server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to search for the entries. For example: -D uid=bjensen,dc=example,dc=com
-g           Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests. The ldapsearch tool can parse and display information from the response control if it is returned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with the appropriate value. The criticality of the request control is set to false to ensure that all LDAPv3 servers that do not understand the control can ignore it. To suppress sending of the request control with the bind request, include -g on the command line.
-h hostname  Specifies the hostname or IP address of the machine on which the Directory Server is installed. If a host is not specified, ldapsearch uses the local host. For example: -h mozilla
-l seconds   Specifies the maximum number of seconds to wait for a search request to complete. For example: -l 300. Regardless of the value specified here, ldapsearch will never wait longer than is allowed by the server's nsslapd-timelimit attribut
51. -w bindPassword   Specifies the password for the bind DN.
Table 7.19 cl-dump.pl command options

7.4.3 db2bak.pl (Creates a Backup of a Database)

Creates a backup of the database.

Syntax: db2bak.pl -v -D rootdn -w password -w - -j filename -a dirName -t db_type

Options: The script db2bak.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option. Currently, the only possible database type is ldbm.

-a dirName    The directory where the backup files will be stored. The /var/lib/dirsrv/slapd-instance_name/bak directory is used by default. The backup file is named according to the year-month-day-hour format (YYYY_MM_DD_hhmmss).
-D rootdn     The user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-rootdn attribute under cn=config.
-j filename   The name of the file containing the password.
-t db_type    The database type. Currently, the only possible database type is ldbm.
-v            Verbose mode.
-w password   The password associated with the user DN.
-W            Prompts for the password associated with the user DN.
Table 7.20 db2bak.pl Options

7.4.4 db2index.pl (Creates and Generates Indexes)

Creates and generates the new set of indexes to be maintained following the modification of indexing
52. 3.1.33 State Change Plug-in

Plug-in Parameter                 Description
Plug-in Name                      State Change Plugin
DN of Configuration Entry         cn=State Change Plugin,cn=plugins,cn=config
Description                       Enables state change notification service.
Configurable Options              on | off
Default Setting                   on
Configurable Arguments            None
Dependencies                      None
Further Information

3.1.34 Telephone Syntax Plug-in

Plug-in Parameter                 Description
Plug-in Name                      Telephone Syntax
DN of Configuration Entry         cn=Telephone Syntax,cn=plugins,cn=config
Description                       Syntax for handling telephone numbers.
Configurable Options              on | off
Default Setting                   on
Configurable Arguments            None
Dependencies                      None
Performance Related Information   Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information

3.1.35 URI Syntax Plug-in

Plug-in Parameter                 Description
Plug-in Name                      URI Syntax
DN of Configuration Entry         cn=URI Syntax,cn=plugins,cn=config
Description                       Syntax for handling URIs (Uniform Resource Identifiers), including URLs (Uniform Resource Locators).
Configurable Options              on | off
Default Setting                   on
Configurable Arguments            None
Dependencies                      None
Performance Related Information   Do not modify the configuration
55. ... 2 nsEncryptionAlgorithm

nsEncryptionAlgorithm selects the cipher used by nsAttributeEncryption. The algorithm can be set per encrypted attribute.

Parameter      Description
Entry DN       cn=attributeName,cn=encrypted attributes,cn=databaseName,cn=ldbm database,cn=plugins,cn=config
Valid Values   The following are supported ciphers: Advanced Encryption Standard Block Cipher (AES); Triple Data Encryption Standard Block Cipher (3DES)
Default Value
Syntax         DirectoryString
Example        nsEncryptionAlgorithm: AES

3.5 Database Link Plug-in Attributes (Chaining Attributes)

The database link plug-in attributes are also organized in an information tree, as shown in the following diagram.

cn=chaining database,cn=plugins,cn=config
  cn=database link instance name
    cn=monitor
  cn=config
    cn=default instance config
Figure 3.4 Database Link Plug-in

All plug-in technology used by the database link instances is stored in the cn=chaining database plug-in node. This section presents the additional attribute information for the three nodes marked in bold in the cn=chaining database,cn=plugins,cn=config information tree in Figure 3.4, Database Link Plug-in.

3.5.1 Database Link Attributes under cn=config,cn=chaining database,cn=plugins,cn=config

This section covers global configuration attributes common to all instances are stored in the cn=confi
56. 2.3.15.2 cn=import

An LDIF file or multiple LDIF files can be imported through the command line by creating a special task entry which defines the parameters of the task and initiates the task. As soon as the task is complete, the task entry is removed from the directory.

The cn=import entry is a container entry for import task operations. The cn=import entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID,cn=import,cn=tasks,cn=config, uses the following attributes to define the import task.

An import task entry under cn=import must contain the LDIF file to import in the nsFilename attribute and the name of the instance into which to import the file in the nsInstance attribute. Additionally, it must contain a unique cn to identify the task. For example:

dn: cn=example import,cn=import,cn=tasks,cn=config
objectclass: extensibleObject
cn: example import
nsFilename: /home/files/example.ldif
nsInstance: userRoot

As the import operation runs, the task entry will contain all of the server-generated task attributes listed in Section 2.3.15.1, Task Invocation Attributes for Entries under cn=tasks.

There are some optional attributes which can be used to refine the import operation, similar to the options for the ldif2db and ldif2db.pl scripts:

- nsIncludeSuffix, which is analogous to the -s option, to specify the suffix to import.
- nsExcludeSuffix, analogous to the -x option, to specify
57. ...310.1012 server.example.com:389 (/etc/dirsrv/slapd-example)
[07/Jan/2009:22:18:41 -0500] - Red Hat-Directory/8.1.4 B2008.310.1012 starting up
[07/Jan/2009:22:18:44 -0500] - memory allocator: cannot calloc elements; trying to allocate or a negative number of elements is not portable and gives different results on different platforms
[07/Jan/2009:22:18:44 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
Example 5.3 Error Log Excerpt

5.2.3 Error Log Content for Other Log Levels

The different log levels return not only different levels of detail, but also information about different types of server operations. Some of these are summarized here, but there are many more combinations of logging levels possible.

Replication logging is one of the most important diagnostic levels to implement. This logging level records all operations related to replication and Windows synchronization, including processing modifications on a supplier and writing them to the changelog, sending updates, and changing replication agreements. Whenever a replication update is prepared or sent, the error log identifies the replication or synchronization agreement being specified, the consumer host and port, and the current replication task:

[timestamp] NSMMReplicationPlugin - agmt="name" (consumer_host:consumer_port): current_task

For example:

[09/Jan/2009:13:44:48 -0500] N
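The following is an added example, not code from the manual or from Directory Server itself: a small Python parser for the replication lines whose layout is given above, reporting the last task recorded for each agreement so that a stalled or failing consumer stands out. The sample log is constructed for this example; the agreement names, hosts and messages are illustrative and the message texts are assumptions.

```python
"""Added example (not from the manual): parse the NSMMReplicationPlugin lines
of a Directory Server error log and report the last recorded task per
replication agreement."""
import re
from datetime import datetime

# Layout described in the text:
#   [timestamp] NSMMReplicationPlugin - agmt="name" (consumer_host:consumer_port): current_task
REPL_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]*)" '
    r'\((?P<host>[^:)]+):(?P<port>\d+)\): (?P<task>.*)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 09/Jan/2009:13:44:48 -0500

# Constructed sample log (not a real capture); hosts and messages are illustrative.
SAMPLE_ERROR_LOG = """\
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=to-consumer1" (consumer1.example.com:389): Replica has a different generation ID than the local data.
[09/Jan/2009:13:44:49 -0500] NSMMReplicationPlugin - agmt="cn=to-consumer1" (consumer1.example.com:389): State: start -> ready_to_acquire_replica
[09/Jan/2009:13:44:50 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[09/Jan/2009:13:45:02 -0500] NSMMReplicationPlugin - agmt="cn=to-consumer2" (consumer2.example.com:636): Unable to acquire replica: permission denied.
"""


def parse_repl_line(line):
    """Return the fields of one replication log line, or None for any other line."""
    m = REPL_LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "agmt": m.group("agmt"),
        "host": m.group("host"),
        "port": int(m.group("port")),
        "task": m.group("task"),
    }


def latest_task_per_agreement(log_text):
    """Map agreement name -> the most recent parsed line for it, in log order."""
    latest = {}
    for line in log_text.splitlines():
        rec = parse_repl_line(line)
        if rec is not None:
            latest[rec["agmt"]] = rec
    return latest


def report(log_text):
    """One line per agreement: when, which consumer, and what it was last doing."""
    return [
        f'{rec["time"].isoformat()} {name} -> {rec["host"]}:{rec["port"]}: {rec["task"]}'
        for name, rec in latest_task_per_agreement(log_text).items()
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ERROR_LOG)))
```

Run it against a real error log with the replication log level enabled; lines that are not replication messages are skipped rather than mis-parsed, and the timestamp keeps its UTC offset so logs from servers in different zones compare correctly.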
60. Valid Values   Any string
Default Value  None
Syntax         DirectoryString

3.7.3 dnaMaxValue

This attribute sets the maximum value that can be assigned for the range. The default is -1, which is the same as setting the highest 64-bit integer.

Parameter      Description
Entry DN       cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range    1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems; -1 is unlimited
Default Value  -1
Syntax         Integer
Example        dnaMaxValue: 1000

3.7.4 dnaNextRange

This attribute defines the next range to use when the current range is exhausted. This value is automatically set when a range is transferred between servers, but it can also be manually set to add a range to a server if range requests are not used.

The dnaNextRange attribute should be set explicitly only if a separate, specific range has to be assigned to other servers. Any range set in the dnaNextRange attribute must be unique from the available range for the other servers to avoid duplication. If there is no request from the other servers and the server where dnaNextRange is set explicitly has reached its set dnaMaxValue, the next set of values (part of the dnaNextRange) is allocated from this deck.

The dnaNextRange allocation is also limited by
61. ... Attributes

Within a configuration entry, each attribute is represented as an attribute name. The value of the attribute corresponds to the attribute's configuration. The following code sample is an example of part of the dse.ldif file for a Directory Server. The example shows, among other things, that schema checking has been enabled; this is represented by the attribute nsslapd-schemacheck, which takes the value on.

dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-localhost: phonebook.example.com
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: nobody

2.1.2.2 Configuration of Plug-in Functionality

The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. The following code sample is an example of the configuration entry for an example plug-in, the Telephone Syntax plug-in.

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

Some of these attributes are common to all plug-ins, and some may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing
62. Configurable Options              on | off
Default Setting                   off
Configurable Arguments
Dependencies                      None
Performance Related Information   None
Further Information
Table 3.1 Details of Distributed Numeric Assignment Plug-in

3.1.14 Generalized Time Syntax Plug-in

Plug-in Parameter                 Description
Plug-in Name                      Generalized Time Syntax
DN of Configuration Entry         cn=Generalized Time Syntax,cn=plugins,cn=config
Description                       Syntax for dealing with dates, times, and time zones.
Configurable Options              on | off
Default Setting                   on
Configurable Arguments            None
Dependencies                      None
Performance Related Information   Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information               The Generalized Time String consists of a four-digit year, two-digit month (for example, 01 for January), two-digit day, two-digit hour, two-digit minute, two-digit second, an optional decimal part of a second, and a time zone indication. Red Hat strongly recommends using the Z time zone indication, which indicates Greenwich Mean Time.

3.1.15 HTTP Client Plug-in

Plug-in Parameter                 Description
Plug-in Name                      HTTP Client
DN of Configuration Entry         cn=HTTP Client,cn=plugins,cn=config
Description                       HTTP client plug-in.
Configurable Options              on | off
Default Setting                   on
Configurable Arguments            N
63. ... -D option. For example: -w mypassword
Table 6.19 ldappasswd-specific Options

General ldappasswd Options

NOTE: The ldappasswd utility requires confidentiality. If the messages are not encrypted with SSL/TLS or an appropriate SASL mechanism, the server will not perform the request.

Option   Description
-3       Specifies that hostnames should be checked in SSL certificates.
-D       Specifies the distinguished name with which to authenticate to the server. This value must be a DN recognized by the Directory Server, and it must also have the authority to change the password of the target entry. For example: -D uid=bjensen,dc=example,dc=com. The -D option cannot be used with the -N option. For more information on access control, see the Managing Access Control chapter in the Directory Server Administrator's Guide.
         Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests. The ldappasswd tool can parse and display information from the response control if it is returned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with the appropriate value. The criticality of the request control is set to false to ensure that all LDAPv3 servers that do not understand the control can ignore it. To su
64. Entry DN       cn=config
Valid Values   off | allowed | required
Default Value
Syntax         DirectoryString
Example        nsSSLclientauth: allowed

2.3.1.111 passwordAllowChangeTime

This attribute specifies the length of time that must pass before the user is allowed to change his password. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide.

Parameter      Description
Entry DN       cn=config
Valid Values   Any integer
Default Value
Syntax         DirectoryString
Example        passwordAllowChangeTime: 5h

2.3.1.112 passwordChange (Password Change)

Indicates whether users may change their passwords. This can be abbreviated to pwdAllowUserChange. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide.

Parameter      Description
Entry DN       cn=config
Valid Values   on | off
Default Value  on
Syntax         DirectoryString
Example        passwordChange: on

2.3.1.113 passwordCheckSyntax (Check Password Syntax)

This attribute sets whether the password syntax is checked before the password is saved. The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any trivial words, such as the user's name or user ID or any attribute va
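The following added example (the editor's code, not the server's implementation of passwordCheckSyntax) shows the two checks described above, a minimum length and a scan for trivial words taken from the user's own entry, together with a parser for durations written like the 5h in the passwordAllowChangeTime example. The attribute list used for trivial words, the three-character token floor, the unit letters, and the sample entry are all assumptions made for this example.

```python
"""Added example (not from the manual): password syntax checking as described
for passwordCheckSyntax, plus a parser for durations such as '5h'."""
import re

# Attributes whose values are treated as "trivial words" (assumption).
TRIVIAL_ATTRS = ("uid", "cn", "sn", "givenName", "mail")
MIN_TOKEN_LEN = 3  # ignore very short fragments such as initials (assumption)


def trivial_words(entry):
    """Lower-cased values of the user's own attributes and their tokens."""
    words = set()
    for attr in TRIVIAL_ATTRS:
        for value in entry.get(attr, []):
            value = value.lower()
            words.add(value)
            words.update(re.split(r"[\s@._-]+", value))
    return {w for w in words if len(w) >= MIN_TOKEN_LEN}


def check_password_syntax(password, entry, min_length=8):
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than passwordMinLength ({min_length})")
    lowered = password.lower()
    for word in sorted(trivial_words(entry)):
        if word in lowered:
            problems.append(f"contains trivial word {word!r} from the user's entry")
    return problems


# Unit letters assumed from the '5h' example; a bare integer is taken as seconds.
DURATION_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(text):
    """'5h' -> 18000 seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * DURATION_UNITS.get(m.group(2), 1)


# Constructed example entry (not from the manual).
BJENSEN = {
    "uid": ["bjensen"],
    "cn": ["Barbara Jensen"],
    "sn": ["Jensen"],
    "givenName": ["Barbara"],
    "mail": ["bjensen@example.com"],
}

if __name__ == "__main__":
    for candidate in ("Jensen2009!", "Tr0ub4dor&3", "abc"):
        print(candidate, check_password_syntax(candidate, BJENSEN) or "accepted")
```

Because the mail domain is tokenised too, a password such as "example" is rejected for this user; whether that is desired is a policy decision, so the attribute list is kept in one place.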
66. [12/Jul/2009:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=PD Managers,ou=groups,dc=example,dc=com"
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Red Hat Servers,dc=example,dc=com"
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 REFERRAL

Connection Description

The connection description, in this case conn=Internal, indicates that the connection is an internal connection. The operation number op=-1 also indicates that the operation was initiated internally.

[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 ENTRY dn="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config"

Options Description

The options description, options=persistent, indicates that a persistent search is being performed, as distinguished from a regular search operation. Persistent searches can be used as a form of monitoring and configured to return changes to given configurations as changes occur; this is explained more in the ldapsearch chapter of the Administrator's Guide.

Both log levels 512 and 4 are enabled for this example, so both internal access operations and entry access and referrals are being logged.

[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="(objectclass=nsMappingTree)" attrs="nsslapd-referral" options=persistent

5.1.4 Common Connection Codes

A connection code is a code that is added to the closed log message to provide additional information related to the conne
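As an added example (the editor's code, not part of the manual), the following Python parser handles access-log lines of the shape shown above: it splits the connection, operation and operation type, parses the key="value" fields, undoes the \22 style hex escaping the server applies inside quoted values, and picks out internal operations and persistent searches. The sample lines are the ones from the excerpt; the +0200 sign of the time zone is an assumption, since the extracted text lost it.

```python
"""Added example (not from the manual): parse Directory Server access-log
lines, unescape quoted values, and flag internal ops and persistent searches."""
import re

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\S+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
HEX_ESCAPE = re.compile(r'\\([0-9A-Fa-f]{2})')

# Lines from the excerpt above (the +0200 sign is an assumption).
SAMPLE_ACCESS_LOG = """\
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=PD Managers,ou=groups,dc=example,dc=com"
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Red Hat Servers,dc=example,dc=com"
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 REFERRAL
[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 ENTRY dn="cn=\\22dc=example,dc=com\\22,cn=mapping tree,cn=config"
[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\\22dc=example,dc=com\\22,cn=mapping tree,cn=config" scope=0 filter="(objectclass=nsMappingTree)" attrs="nsslapd-referral" options=persistent
"""


def unescape(value):
    """Quoted values carry special bytes as \\XX (two hex digits); restore them."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_access_line(line):
    """Return a record for one access-log line, or None if it is not one."""
    m = LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(m.group("rest")):
        fields[key] = unescape(quoted) if quoted else bare
    return {
        "timestamp": m.group("ts"),
        "conn": m.group("conn"),
        "op": int(m.group("op")),
        "kind": m.group("kind"),
        "internal": m.group("conn") == "Internal",
        "fields": fields,
    }


def persistent_searches(log_text):
    """(conn, base, filter) for every SRCH with options=persistent; such searches
    are long-lived and worth reviewing when they come from external clients."""
    out = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["kind"] == "SRCH" and rec["fields"].get("options") == "persistent":
            out.append((rec["conn"], rec["fields"]["base"], rec["fields"]["filter"]))
    return out


if __name__ == "__main__":
    for rec in map(parse_access_line, SAMPLE_ACCESS_LOG.splitlines()):
        print(rec)
    print(persistent_searches(SAMPLE_ACCESS_LOG))
```

Unescaping is done only after the quoted value has been delimited, so an escaped quote inside a DN cannot terminate the field early.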
67. Entry DN       cn=task_name,cn=restore,cn=tasks,cn=config
Valid Values   Any local directory location
Default Value
Syntax         Case-exact string
Example        nsArchiveDir: /export/backups

nsDatabaseTypes

This attribute gives the kind of database being archived. Setting the database types signals what kind of backup plug-in the Directory Server should use to archive the database.

Parameter      Description
Entry DN       cn=task_name,cn=restore,cn=tasks,cn=config
Valid Values   ldbm database
Default Value  ldbm database
Syntax         Case-exact string
Example        nsDatabaseTypes: ldbm database

2.3.15.6 cn=index

Directory attributes can be indexed through the command line by creating a special task entry which defines the parameters of the task and initiates the task. As soon as the task is complete, the task entry is removed from the directory.

The cn=index entry is a container entry for index task operations. The cn=index entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID,cn=index,cn=tasks,cn=config, uses the following attributes to define the index task.

An index task entry under cn=index can create a standard index by identifying the attribute to be indexed and the type of index to create, both defined in the nsIndexAttribute attribute. Alternatively, the index task can be used to generate virtual list view (VLV) indexes for an
68. Figure 2.2 Directory Information Tree Showing Configuration Data

Most of these configuration tree nodes are covered in the following sections. The cn=plugins node is covered in Chapter 3, Plug-in Implemented Server Functionality Reference. The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.

NOTE: Some of the entries and attributes described in this chapter may change in future releases of the product.

2.3.1 cn=config

General configuration entries are stored in the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from the extensibleObject object class.

2.3.1.1 nsslapd-accesslog (Access Log)

This attribute specifies the path and filename of the log used to record each LDAP access. The following information is recorded by default in the log file:

- IP address of the client machine that accessed the database.
- Operations performed (for example, search, add, and modify).
- Result of the access (for example, the number of entries returned or an error code).

For more information on turning access logging off, see the Monitoring Server and Database Activity chapter in the Directory Server Administrator's Guide. For access logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-accesslog-logging-enabled config
69. ... Options

7.4 Perl Scripts

This section describes the following Perl scripts:

Section 7.4.1 bak2db.pl (Restores a Database from Backup)
Section 7.4.2 cl-dump.pl (Dumps and Decodes the Changelog)
Section 7.4.3 db2bak.pl (Creates a Backup of a Database)
Section 7.4.4 db2index.pl (Creates and Generates Indexes)
Section 7.4.5 db2ldif.pl (Exports Database Contents to LDIF)
Section 7.4.6 fixup-memberof.pl (Regenerate memberOf Attributes)
Section 7.4.7 ldif2db.pl (Import)
Section 7.4.8 logconv.pl (Log Converter)
Section 7.4.10 migrate-ds-admin.pl
Section 7.4.11 ns-accountstatus.pl (Establishes Account Status)
Section 7.4.12 ns-activate.pl (Activates an Entry or Group of Entries)
Section 7.4.13 ns-inactivate.pl (Inactivates an Entry or Group of Entries)
Section 7.4.14 ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)
Section 7.4.16 remove-ds.pl
Section 7.4.17 repl-monitor.pl (Monitors Replication Status)
Section 7.4.18 schema-reload.pl (Reload Schema Files Dynamically)
Section 7.4.19 setup-ds.pl
Section 7.4.20 setup-ds-admin.pl
Section 7.4.21 verify-db.pl (Check for Corrupt Databases)

7.4.1 bak2db.pl (Restores a Database from Backup)

Restores a database from a backup.

Syntax: bak2db.pl -v
70. ... Server instances and the Administration Server for the 7.1 deployment.

IMPORTANT: Do not run setup-ds-admin.pl for the new Directory Server 8.1 instance before running the migration script if you are migrating from a 7.1 server. If you are upgrading from a Directory Server 8.0 server, do not run migrate-ds-admin.pl. Run setup-ds-admin.pl -u instead.

Information can be passed with the script or in an .inf file, the same as for the setup scripts. Both the .inf parameters and the command-line arguments are described in the silent configuration section of the Installation Guide.

Syntax: migrate-ds-admin.pl --oldsroot server_directory --actualsroot server_directory --instance instance_name --file name --cross --debug --log name General.ConfigDirectoryAdminPwd=password

Options (with alternate forms and descriptions):

General.ConfigDirectoryAdminPwd=password   Required. This is the password for the configuration directory administrator of the old Directory Server; the default username is admin.

--oldsroot (alternate: -o)   Required. This is the path to the server root directory in the old 7.1 Directory Server installation. The default path in 7.1 servers is /opt/redhat-ds.

--actualsroot (alternate: -a)   This is used for migrating between two machines to specify the real path to the current server root directory in the old 7.1 Directory Server installation, if that directory is mounted on a networked drive or tarballed and moved to a rela
71. ... a directory. Also Simple Authentication and Security Layer.

schema   Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.

schema checking   Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default, and users will receive an error if they try to save an entry that does not conform to the schema.

Secure Sockets Layer   See SSL.

self access   When granted, indicates that users have access to their own entries if the bind DN matches the targeted entry.

Server Console   Java-based application that allows you to perform administrative management of your Directory Server from a GUI.

server daemon   The server daemon is a process that, once running, listens for and accepts requests from clients.

Server Selector   Interface that allows you to select and configure servers using a browser.

server service   A process on Windows that, once running, listens for and accepts requests from clients. It is the SMB server on Windows NT.

service   A background process on a Windows machine that is

Further terms in this part of the glossary: SIE; Simple Authentication and Security Layer; Simple Network Management Protocol; single-master replication; SIR; slapd; SNMP; SNMP master agent; SNMP subagent.
72. ... a search requiring data from this file was performed and that the data were successfully obtained from the cache.

dbfilecachemiss   This attribute gives the number of times that a search requiring data from this file was performed and that the data could not be obtained from the cache.
dbfilepagein      This attribute gives the number of pages brought to the cache from this file.
dbfilepageout     This attribute gives the number of pages for this file written from cache to disk.

3.4.7 Database Attributes under cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config

In addition to the set of default indexes that are stored under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config, custom indexes can be created for o=NetscapeRoot, o=UserRoot, and user-defined backend instances; these are stored under cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config. Each indexed attribute represents a subentry under the cn=config information tree nodes, as shown in the following diagram:

cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
  cn=seeAlso
  cn=changenumber
Figure 3.2 Indexed Attribute Representing a Subentry

For example, the index file for the aci attribute under o=UserRoot appears in the Directory Server as follows:

dn: cn=aci,cn=index,cn=Us
73. ...a suffix or subtree to exclude from the import.
nsImportChunkSize, analogous to the -c option, to override starting a new pass during the import and merge the chunks.
nsImportIndexAttrs, which sets whether to import attribute indexes; this has no corollary in the script options.
nsUniqueIdGenerator, analogous to the -g option, to generate unique ID numbers for the entries.
nsUniqueIdGeneratorNamespace, analogous to the -G option, to generate a unique name-based ID for the entries.
nsFilename: The nsFilename attribute contains the path and filenames of the LDIF files to import into the Directory Server instance. To import multiple files, add multiple instances of this attribute. For example:
  nsFilename: file1.ldif
  nsFilename: file2.ldif
  Entry DN: cn=task_name,cn=import,cn=tasks,cn=config
  Valid Values: Any string
  Default Value: none
  Syntax: Case-exact string, multi-valued
  Example: nsFilename: /home/jsmith/example.ldif
nsInstance: This attribute supplies the name of the database instance into which to import the files, such as NetscapeRoot or slapd-example.
  Entry DN: cn=task_name,cn=import,cn=tasks,cn=config
  Valid Values: The name of a Directory Server instance (any string)
  Default Value: none
  Syntax: Case-exact string
  Example: nsInstance: userRoot
nsIncludeSuffix: This attribute identifies a specific suffix or subtree to import from the LDIF file.
  Entry DN: cn=task_name...
74. ...an ldapsearch on the cn=config subtree. For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring a restart for configuration changes, see Chapter 3, Plug-in Implemented Server Functionality Reference.
2.1.2.3. Configuration of Databases
The o=NetscapeRoot and cn=UserRoot subtrees under the database plug-in entry contain configuration data for the databases containing the o=NetscapeRoot suffix and the default suffix created during setup, such as dc=example,dc=com. These entries and their children have many attributes used to configure different database settings, like the cache sizes, the paths to the index files and transaction logs, entries and attributes for monitoring and statistics, and database indexes.
2.1.2.4. Configuration of Indexes
Configuration information for indexing is stored as entries in the Directory Server under the following information tree nodes:
  cn=index,o=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
  cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
  cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
For more information about indexes in general, see the Directory Server Administrator's Guide. For information about the index configuration attributes, see Section 3.4.1, Database Attributes under cn=config,cn=ldbm database,cn=plugins,cn=config.
75. ...and File Reference, or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Directory Server through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible so we can be more effective in correcting any issues:
  Select the Red Hat Directory Server product.
  Set the component to Doc - cli-guide.
  Set the version number to 8.1.
  For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo.
  For enhancements, put in what information needs to be added and why.
  Give a clear title for the bug. For example, "Incorrect command example for setup script options" is better than "Bad example".
We appreciate receiving any feedback: requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at mailto:docs@redhat.com.
5. Documentation History
Revision 8.1.10, July 29, 2010, Ella Deon Lackey: Adding information about setting an idle timeout period for large databases for the replication user, per Bugzilla 618055.
Revision 8.1.9, February 11, 2010, Ella Deon Lackey: Clarifying how passwordUnlock works, per Bugzilla 552377. Changing the nsDirectoryServerTask object class to extensibleObject, per Bugzilla 555787. Addin...
76. ...attribute, using the nsIndexVLVAttribute attribute. This is the same as running the vlvindex script. For example:
  dn: cn=example presence index,cn=index,cn=tasks,cn=config
  objectclass: extensibleObject
  cn: example presence index
  nsIndexAttribute: cn:pres

  dn: cn=example VLV index,cn=index,cn=tasks,cn=config
  objectclass: extensibleObject
  cn: example VLV index
  nsIndexVLVAttribute: by MCC ou=people,dc=example,dc=com
As the index operation runs, the task entry will contain all of the server-generated task attributes listed in Section 2.3.15.1, Task Invocation Attributes for Entries under cn=tasks.
nsIndexAttribute: This attribute gives the name of the attribute to index and the types of indexes to apply. The format of the attribute value is the attribute name and a comma-separated list of index types, enclosed in double quotation marks. For example: nsIndexAttribute: "attribute:index1,index2"
  Entry DN: cn=task_name,cn=index,cn=tasks,cn=config
  Valid Values: Any attribute; the index type, which can be pres (presence), eq (equality), approx (approximate), and sub (substring)
  Default Value: none
  Syntax: Case-insensitive string, multi-valued
  Example: nsIndexAttribute: "cn:pres,eq" / nsIndexAttribute: "description:sub"
nsIndexVLVAttribute: This attribute gives the name of the target entry for a VLV index. A virtual list view is based on a browsing index entry, as described in the A...
77. ...attribute gives an alternate timeout period to use when replication is run with debug logging. This can set only the time, or both the time and the debug level: nsds5debugreplicatimeout: seconds[:debuglevel]
  Entry DN: cn=replica,cn=suffixDN,cn=mapping tree,cn=config
  Valid Values: Any numeric string
  Default Value: none
  Syntax: DirectoryString
  Example: nsds5debugreplicatimeout: 60:8192
2.3.7.3. nsDS5ReplConflict
Although this attribute is not in the cn=replica entry, it is used in conjunction with replication. This multi-valued attribute is included on entries that have a change conflict that cannot be resolved automatically by the synchronization process. To check for replication conflicts requiring administrator intervention, perform an LDAP search for (nsDS5ReplConflict=*). For example:
  ldapsearch -D "cn=directory manager" -w password -s sub -b "dc=example,dc=com" "(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))" dn nsDS5ReplConflict nsUniqueID
Using the search filter (objectclass=nsTombstone) also shows tombstone (deleted) entries. Note that passing the bind password with -w places it in the process list of the client host; prefer a mechanism that reads it from a file or a prompt where the client supports one. The value of nsDS5ReplConflict contains more information about which entries are in conflict, usually by referring to them by their nsUniqueID. It is possible to search for a tombstone entry by its nsUniqueID. For example:
  ldapsearch -D "cn=directory manager" -w password -s sub -b "dc=example,dc=com" "(&(objectclass=nsTombstone)(nsUniqueID=66a2b699-1dd211b2-807fa...
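A triage script for the conflict search above, added here as a worked example; it is not code from the Red Hat manual. It parses the LDIF that ldapsearch prints (folded continuation lines and base64 "::" values included), separates entries carrying nsDS5ReplConflict from entries that matched only the nsTombstone half of the filter, and builds the follow-up nsUniqueID search filter with RFC 4515 escaping so a value copied out of a conflict entry cannot change the shape of the filter. The SAMPLE output is constructed: the nsUniqueID values, the "namingConflict ..." wording of the conflict values and the nsuniqueid=...+uid=... naming of the conflict entries are assumptions, not server output.

```python
"""Triage ldapsearch output from the replication-conflict search.

Added example; not code from the Red Hat Directory Server manual.
Assumes LDIF output of a query that requested dn, nsDS5ReplConflict and
nsUniqueID with the filter (|(objectclass=nsTombstone)(nsDS5ReplConflict=*)).
"""
import base64

# Constructed sample output. The nsUniqueID values, the conflict wording and
# the "nsuniqueid=...+uid=..." entry names are assumptions for illustration.
_UTF8_DN = "uid=j\u00fcng,ou=people,dc=example,dc=com"
SAMPLE = (
    "dn: nsuniqueid=a1b2c3d4-1dd211b2-8001a1b1-00000001+uid=jsmith,ou=people,dc=example,dc=com\n"
    "nsDS5ReplConflict: namingConflict uid=jsmith,ou=people,dc=example,dc=com\n"
    "nsUniqueID: a1b2c3d4-1dd211b2-8001a1b1-00000001\n"
    "\n"
    "dn: nsuniqueid=a1b2c3d4-1dd211b2-8001a1b1-00000002,uid=old,ou=people,dc=example,\n"
    " dc=com\n"  # LDIF folding: a leading space continues the previous value
    "nsUniqueID: a1b2c3d4-1dd211b2-8001a1b1-00000002\n"
    "\n"
    # A DN with a non-ASCII character is printed base64-encoded ("dn:: ...").
    "dn:: " + base64.b64encode(_UTF8_DN.encode("utf-8")).decode("ascii") + "\n"
    "nsDS5ReplConflict: namingConflict " + _UTF8_DN + "\n"
    "nsUniqueID: a1b2c3d4-1dd211b2-8001a1b1-00000003\n"
)


def unfold(text):
    """Yield logical LDIF lines; a physical line starting with a space continues the previous one."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
        else:
            if buf is not None:
                yield buf
            buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> list of values.

    Values written as "attr:: <base64>" (anything that is not plain printable
    ASCII, such as the accented DN above) are decoded back to text.
    """
    entries, current = [], {}
    for line in unfold(text):
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def triage(text):
    """Split search output into (conflicts, tombstones).

    conflicts : (dn, nsUniqueID, [nsDS5ReplConflict values]) for entries needing attention
    tombstones: (dn, nsUniqueID) for entries that only matched the nsTombstone part of the filter
    """
    conflicts, tombstones = [], []
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        uniqueid = entry.get("nsuniqueid", [""])[0]
        if "nsds5replconflict" in entry:
            conflicts.append((dn, uniqueid, entry["nsds5replconflict"]))
        else:
            tombstones.append((dn, uniqueid))
    return conflicts, tombstones


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def tombstone_filter(uniqueid):
    """Filter for the follow-up search by nsUniqueID shown in the text above."""
    return "(&(objectclass=nsTombstone)(nsUniqueID=%s))" % ldap_filter_escape(uniqueid)


if __name__ == "__main__":
    found, dead = triage(SAMPLE)
    for dn, uid, why in found:
        print("CONFLICT", dn, uid, "; ".join(why))
    for dn, uid in dead:
        print("TOMBSTONE", dn, "-> follow up with", tombstone_filter(uid))
```

Feed it the real ldapsearch output instead of SAMPLE (for example via `triage(sys.stdin.read())`); the parser only relies on the LDIF conventions, not on the constructed values.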
78. ...auditlog-list: Provides a list of audit log files.
  Entry DN: cn=config
  Valid Values: none
  Default Value: None
  Syntax: DirectoryString
  Example: nsslapd-auditlog-list: auditlog2,auditlog3
2.3.1.22. nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
This attribute sets the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.
  Entry DN: cn=config
  Valid Range: 1 to the maximum 32-bit integer value (2147483647). A value of -1 or 0 means that the log never expires.
  Default Value: -1
  Syntax: Integer
  Example: nsslapd-auditlog-logexpirationtime: 1
2.3.1.23. nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
This attribute sets the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
  Entry DN: cn=config
  Valid Values: month | week | day
  Default Value: week
  Syntax: DirectoryString
  Example: nsslapd-auditlog-logexpirationtimeunit: day
2.3.1.24. nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
Turns audit logging on and off. Because the default is off, modifications to directory entries (including configuration and ACI changes) are not recorded until this is switched on; enable it on any server whose change history matters.
  Entry DN: cn=config
  Valid Values: on | off
  Default Value: off
  Syntax: DirectoryString
  Example: nsslapd-auditlog-logging...
79. ...because these are stronger (salted hash) schemes.
SSHA384: This storage scheme is recommended for password storage because of its strength.
SSHA512: This storage scheme is recommended for password storage because of its strength.
Table 3.3. Password Storage Plug-ins
3.1.26. Postal Address String Syntax Plug-in
  Plug-in Name: Postal Address Syntax
  DN of Configuration Entry: cn=Postal Address Syntax,cn=plugins,cn=config
  Description: Syntax used for handling postal addresses
  Configurable Options: on | off
  Default Setting: on
  Configurable Arguments: None
  Dependencies: None
  Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
  Further Information: none
3.1.27. PTA Plug-in
  Plug-in Name: Pass Through Authentication Plug-in
  DN of Configuration Entry: cn=Pass Through Authentication,cn=plugins,cn=config
  Description: Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests
  Configurable Options: on | off
  Default Setting: off
  Configurable Arguments: ldap://example.com:389/o=example
  Dependencies: None
  Performance Related Information: Pass-through...
80. ...certificate-based authentication. These options are valid only when LDAPS has been turned on and configured for the Directory Server. For information on certificate-based authentication and creating a certificate database for use with LDAP clients, see the Managing SSL chapter in the Directory Server Administrator's Guide. In addition to the standard ldapsearch options such as the base (-b), scope (-s), and filter, the following options are required to run an ldapsearch command using SSL:
  -p with the Directory Server secure port
  -Z to specify to use SSL, or alternatively -ZZ or -ZZZ to specify Start TLS
  -P to give the certificate database's filename and path
  -N to give the SSL certificate name
  -K to specify the private key database's filename and path
  -W to give the password to the private key database
Option / Description:
  -3: Specifies that hostnames should be checked in SSL certificates. Without this option the client accepts any certificate that chains to a trusted CA regardless of the name in it, so pass -3 whenever the connection crosses a network you do not control.
  -I: Specifies the SSL key password file that contains the token:password pair.
  -K: Specifies the absolute path, including the filename, of the private key database of the client. The -K option must be specified when the key database has a different name than key3.db, or when the key database is not under the same directory as the certificate database (the cert8.db file, the path of which is specified with the -P option).
  Specifies the path to the security module database, such as e...
81. ...cn=config
  Valid Values: Any integer
  Default Value: 3
  Syntax: Integer
  Example: nsSubStrBegin: 2
3.4.7.2. nsSubStrEnd
By default, for a search to be indexed, the search string must be at least three characters long, without counting any wildcard characters. For example, the string abc would be an indexed search, while ab would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is helpful to increase the number of indexed searches. This substring length can be edited based on the position of any wildcard characters. The nsSubStrEnd attribute sets the required number of characters for an indexed search for the end of a search string, after the wildcard. For example: *xyz. If the value of this attribute is changed, then the index must be regenerated using db2index.
  Entry DN: cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config
  Valid Values: Any integer
  Default Value: 3
  Syntax: Integer
  Example: nsSubStrEnd: 2
3.4.7.3. nsSubStrMiddle
By default, for a search to be indexed, the search string must be at least three characters long, without counting any wildcard characters. For example, the string abc would be an indexed search, while ab would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is h...
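The following is an added planning aid, not code from the Red Hat manual: it applies the rule stated above (each piece of a substring pattern must reach the minimum for its position, wildcards not counted) to decide whether a given filter would be indexed under particular nsSubStrBegin, nsSubStrMiddle and nsSubStrEnd values, and names the piece that falls short. It models the documented rule rather than the server's key-generation code, so confirm the result against the access log's unindexed-search notes after regenerating the index with db2index.

```python
"""Decide whether a substring search would be served by the substring index.

Added example; not code from the Red Hat Directory Server manual. It models
the rule described above (each piece of the pattern must reach the minimum
for its position; wildcards are not counted) rather than the server's own
key-generation code, so treat it as a planning aid for tuning these values.
"""


def substring_parts(pattern):
    """Split 'abc*def*xyz' into (initial, [middle, ...], final); empty strings
    mean there is no text at that position, as in '*xyz' or 'abc*'."""
    pieces = pattern.split("*")
    if len(pieces) == 1:
        raise ValueError("not a substring filter (no '*'): %r" % pattern)
    return pieces[0], pieces[1:-1], pieces[-1]


def unindexed_reason(pattern, begin=3, middle=3, end=3):
    """Return None if the pattern is indexed under the given nsSubStrBegin /
    nsSubStrMiddle / nsSubStrEnd values, otherwise a message naming the piece
    that is too short (the piece whose minimum you would have to lower)."""
    initial, middles, final = substring_parts(pattern)
    if initial and len(initial) < begin:
        return "initial part %r is shorter than nsSubStrBegin=%d" % (initial, begin)
    for piece in middles:
        if piece and len(piece) < middle:
            return "middle part %r is shorter than nsSubStrMiddle=%d" % (piece, middle)
    if final and len(final) < end:
        return "final part %r is shorter than nsSubStrEnd=%d" % (final, end)
    if not initial and not final and not any(middles):
        return "pattern %r has no text to index (a bare wildcard is a presence test)" % pattern
    return None


def is_indexed(pattern, begin=3, middle=3, end=3):
    """True when every non-empty piece of the pattern meets its positional minimum."""
    return unindexed_reason(pattern, begin, middle, end) is None


if __name__ == "__main__":
    for pat in ("abc*", "ab*", "*xyz", "*ab*", "a*bcd*ef"):
        print("%-10s defaults: %-5s  with nsSubStrBegin=2: %s"
              % (pat, is_indexed(pat), is_indexed(pat, begin=2)))
```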
82. ...cn=import,cn=tasks,cn=config
  Valid Values: Any DN
  Default Value: none
  Syntax: DN, multi-valued
  Example: nsIncludeSuffix: ou=people,dc=example,dc=com
nsExcludeSuffix: This attribute identifies suffixes or subtrees in the LDIF file to exclude from the import.
  Entry DN: cn=task_name,cn=import,cn=tasks,cn=config
  Valid Values: Any DN
  Default Value: none
  Syntax: DN, multi-valued
  Example: nsExcludeSuffix: ou=machines,dc=example,dc=com
nsImportChunkSize: This attribute defines the number of chunks to have during the import operation, which overrides the server's detection during the import of when to start a new pass and merges the chunks.
  Entry DN: cn=task_name,cn=import,cn=tasks,cn=config
  Valid Values: 0 to the maximum 32-bit integer value (2147483647)
  Default Value: none
  Syntax: Integer
  Example: nsImportChunkSize: 10
nsImportIndexAttrs: This attribute sets whether to index the attributes that are imported into the database instance.
  Entry DN: cn=task_name,cn=import,cn=tasks,cn=config
  Valid Values: true | false
  Default Value: true
  Syntax: Case-insensitive string
  Example: nsImportIndexAttrs: true
nsUniqueIdGenerator: This sets whether to generate a unique ID for the imported entries. By default...
83. ...control is the aci attribute. If the nsslapd-counters attribute in cn=config is set to on (the default setting), then all of the counters kept by the Directory Server instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of Directory Server. For the cn=monitor entry, the 64-bit integers are used with the opsinitiated, opscompleted, entriessent, and bytessent counters.
NOTE: The nsslapd-counters attribute enables 64-bit support for these specific database and server counters. The counters which use 64-bit integers are not configurable; the 64-bit integers are either enabled for all the allowed counters or disabled for all allowed counters.
connection: This attribute lists open connections. These are given in the following format:
  connection: A:YYYYMMDDhhmmssZ:B:C:D:E
For example:
  connection: 31:20010201164808Z:45:45::cn=directory manager
A is the connection number, which is the number of the slot in the connection table associated with this connection. This is the number logged as slot=A in the access log message when this connection was opened, and usually corresponds to the file descriptor associated with the connection. The attribute dTableSize shows the total size of the connection table. YYYYMMDDhhmmssZ is the date and time, in GeneralizedTime form, at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. B is the number of operations received on th...
84. ...count: 0
3.4.1.17. nsslapd-db-transaction-batch-val
This attribute specifies how many transactions will be batched before being committed. This attribute can improve update performance when full transaction durability is not required. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, refer to the Tuning Directory Server Performance chapter in the Directory Server Administrator's Guide.
WARNING: Setting this value will reduce data consistency and may lead to loss of data. This is because, if there is a power outage before the server can flush the batched transactions, those transactions in the batch will be lost. Do not set this value unless specifically requested to do so by Red Hat support.
If this attribute is not defined or is set to a value of 0, transaction batching will be turned off, and it will be impossible to make remote modifications to this attribute via LDAP. However, setting this attribute to a value greater than 0 causes the server to delay committing transactions until the number of queued transactions is equal to the attribute value. A value greater than 0 also allows modifications to this attribute remotely via LDAP. A value of 1 for this attribute allows modifications to the attribute setting remotely via LDAP but results in no batching behavior. A value of 1 at server star...
85. ...count to zero.
passwordUnlock: Sets whether a user is locked out until the password is reset by an administrator, or whether the user can log in again after a given lockout duration. The default is to allow a user to log back in after the lockout period.
passwordLockoutDuration: Sets the time, in seconds, that users will be locked out of the directory.
passwordCheckSyntax: Identifies whether or not the password syntax is checked by the server before the password is saved.
passwordMustChange: Identifies whether or not users must change their passwords when they first log in to the directory or after the password is reset by the Directory Manager.
passwordStorageScheme: Sets the storage scheme (normally a salted hash) used to store Directory Server passwords.
passwordMinAge: Sets the number of seconds that must pass before a user can change their password.
passwordResetFailureCount: Sets the time, in seconds, after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented.
passwordGraceLimit: Sets the number of grace logins permitted when a user's password is expired.
passwordMinDigits: Sets the minimum number of numeric characters (0 through 9) which must be used in the password.
passwordMinAlphas, passwordMinUppers...
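The interaction of passwordUnlock, passwordLockoutDuration and passwordResetFailureCount is easiest to see by simulating it. The block below is an added example, not code from the Red Hat manual, and it models the documented semantics rather than the server's implementation. Two things in it are assumptions: the failure-count limit is referred to by the attribute name passwordMaxFailure, which lies outside this fragment, and the reset window is taken to start at the first failed bind of the current series.

```python
"""Simulate the lockout behaviour the legacy attributes above describe.

Added example; not code from the Red Hat Directory Server manual. It is a
model of the documented semantics, not the server's implementation:
  - each wrong password increments a failure counter;
  - the counter is reset once passwordResetFailureCount seconds have passed
    since the first failure in the current window (assumption: the window
    starts at the first failure);
  - reaching passwordMaxFailure locks the account (assumption: the name of
    the limit attribute is not part of this fragment);
  - with passwordUnlock on, the lock expires after passwordLockoutDuration
    seconds; with it off, only an administrator reset clears it.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    passwordMaxFailure: int = 3
    passwordResetFailureCount: int = 600
    passwordLockoutDuration: int = 3600
    passwordUnlock: bool = True


@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: Optional[float] = None
    locked_at: Optional[float] = None

    def clear(self):
        self.failures, self.first_failure_at, self.locked_at = 0, None, None


def attempt_bind(policy, state, now, password_correct):
    """Process one bind at time `now` (seconds); returns 'ok', 'bad-password' or 'locked'."""
    if state.locked_at is not None:
        expired = now - state.locked_at >= policy.passwordLockoutDuration
        if policy.passwordUnlock and expired:
            state.clear()
        else:
            return "locked"  # a correct password does not help while locked
    if password_correct:
        state.clear()
        return "ok"
    window_over = (state.first_failure_at is None
                   or now - state.first_failure_at >= policy.passwordResetFailureCount)
    if window_over:
        state.failures, state.first_failure_at = 0, now
    state.failures += 1
    if state.failures >= policy.passwordMaxFailure:
        state.locked_at = now
        return "locked"
    return "bad-password"


def admin_reset(state):
    """Effect of an administrator's password reset on the lockout state."""
    state.clear()


if __name__ == "__main__":
    strict = LockoutPolicy(passwordUnlock=False)
    acct = AccountState()
    for t in (0, 1, 2, 5000):
        print(t, attempt_bind(strict, acct, t, password_correct=(t == 5000)))
    admin_reset(acct)
    print("after admin reset:", attempt_bind(strict, acct, 5001, True))
```

The practical point the simulation makes: with passwordUnlock off, a locked account stays locked no matter how much time passes, so an attacker who can trigger failures against a chosen user can keep that user locked out until an administrator intervenes; choose the setting with that denial-of-service trade-off in mind.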
86. ...dc=example,dc=com
Example 6.16. Displaying an Entry with the entry ID of 7
Chapter 7. Command Line Scripts
This chapter provides information on the scripts for managing Red Hat Directory Server, such as backing up and restoring the database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A, Using the ns-slapd Command-Line Utilities.
7.1. Finding and Executing Command-Line Scripts
Most Directory Server-related scripts are located in the /usr/lib/dirsrv/slapd-instance_name directory for Red Hat Enterprise Linux 5 (32-bit) and in /usr/lib64/dirsrv/slapd-instance_name on Red Hat Enterprise Linux 64-bit systems. A few are located in the /usr/bin directory. The exact locations are listed in Section 7.2, Command-Line Scripts Quick Reference. When scripts request either a directory name or a filename, always provide the absolute path. The scripts assume the dse.ldif file is located in the /etc/dirsrv/slapd-instance_name directory.
7.2. Command-Line Scripts Quick Reference
The following shell and Perl scripts are located in either the /usr/lib/dirsrv/slapd-instance_name (for 32-bit Red Hat Enterprise Linux) or /usr/lib64/dirsrv/slapd-instance_name (for 64-bit Red Hat Enterprise Linux) directory.
Shell Script / Description:
  bak2db: Restores the database from the most recent archived backup.
  db2bak: Creates a backup of the current database conte...
87. ...dc=example,dc=com
2.3.8.19. nsDS5ReplicaSessionPauseTime
This attribute sets the amount of time, in seconds, a supplier should wait between update sessions. The default value is 0. If the attribute is set to a negative value, Directory Server sends the client a message and an LDAP_UNWILLING_TO_PERFORM error code. The nsDS5ReplicaSessionPauseTime attribute works in conjunction with the nsDS5ReplicaBusyWaitTime attribute. The two attributes are designed so that the nsDS5ReplicaSessionPauseTime interval is always at least one second longer than the interval specified for nsDS5ReplicaBusyWaitTime. The longer interval gives waiting suppliers a better chance to gain consumer access before the previous supplier can re-access the consumer. If either attribute is specified but not both, nsDS5ReplicaSessionPauseTime is set automatically to 1 second more than nsDS5ReplicaBusyWaitTime. If both attributes are specified but nsDS5ReplicaSessionPauseTime is less than or equal to nsDS5ReplicaBusyWaitTime, nsDS5ReplicaSessionPauseTime is set automatically to 1 second more than nsDS5ReplicaBusyWaitTime. When setting the values, ensure that the nsDS5ReplicaSessionPauseTime interval is at least 1 second longer than the interval specified for nsDS5ReplicaBusyWaitTime. Increase the interval as needed until there is an acceptable distribution of consumer access among the suppliers. Set the nsDS5ReplicaSess...
88. ...dnaType: uidNumber
3.8. MemberOf Plug-in Attributes
Group membership is defined within group entries using an attribute such as member. Searching for the member attribute makes it easy to list all of the members of the group. However, group membership is not reflected in the member's user entry, so it is impossible to tell to which groups a person belongs by looking at the user's entry. The MemberOf Plug-in synchronizes the group membership in group members with the members' individual directory entries, by identifying changes to a specific attribute (such as member) in the group entry and then carrying those changes over to a specific attribute in the entries for the members. Because the member-side attribute is derived by the plug-in, any application that authorizes on it depends on the plug-in being enabled and on the group attribute it watches.
3.8.1. memberofattr
This attribute specifies the attribute in the user entry that the Directory Server manages to reflect group membership. The MemberOf Plug-in generates the value of the attribute specified here in the directory entry for the member. There is a separate value for every group to which the user belongs.
  Entry DN: cn=MemberOf Plugin,cn=plugins,cn=config
  Valid Range: Any Directory Server attribute
  Default Value: memberOf
  Syntax: DirectoryString
  Example: memberofattr: memberOf
3.8.2. memberofgroupattr
This attribute specifies the attribute in the group entry to use to identify the DNs of group members. By default, this is the m...
89. ...entry that is the target of a modrdn or moddn operation.
newSuperior: Name of the entry that becomes the immediate superior of the existing entry when processing a MODDN operation.
2.4.2. directoryServerFeature Object Class
This object class is used specifically for entries which identify a feature of the directory service. This object class is defined by Directory Server.
  Superior Class: top
  OID: 2.16.840.1.113730.3.2.40
  Required Attributes: objectClass: Gives the object classes assigned to the entry.
  Allowed Attributes: cn: Specifies the common name of the entry. multiLineDescription: Gives a text description of the entry. oid: Specifies the OID of the feature.
2.4.3. nsBackendInstance Object Class
This object class is used for the Directory Server backend or database instance entry. This object class is defined in Directory Server.
  Superior Class: top
  OID: 2.16.840.1.113730.3.2.109
  Required Attributes: objectClass: Defines the object classes for the entry. cn: Gives the common name of the entry.
2.4.4. nsChangelog4Config Object Class
In order for Directory Server 8.1 to replicate with Directory Server 4.x servers, the Directory Server 8.1 instance must have a special changelog configured. This object class defines the confi...
90. ...for times and dates in a specific region.
TLS: The new standard for secure socket layers; a public key-based protocol. Also Transport Layer Security.
topology: The way a directory tree is divided among physical servers and how these servers link with one another.
Transport Layer Security: See TLS.
U
uid: A unique number associated with each user on a Unix system.
URL: Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is protocol://machine:port/document. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user of having to place it in the URL.
V
virtual list view index: Speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branch point in the directory tree to improve display performance. See Also browsing index.
X
X.500 standard: The set of ISO/ITU-T documents outlining the recommended information model, object classes, and attributes used by directory server implementations.
Index
Symbols
  00core.ldif (ldif files), 4
  01common.ldif (ldif files), 4
  05rfc2247.ldif (ldif files), 4
  05rfc2927.ldif (ldif files), 4
  10presence.ldif (ldif files), 4
  10rfc2307.ldif (ldif files), 5
  20subscriber.ldif (ldif files), 5
  25java-object.ldif (ldif files), 5
  28pilot.ldif (ldif f...
91. ...gives waiting suppliers a better chance to gain consumer access before the previous supplier can re-access the consumer. Set the nsDS5ReplicaBusyWaitTime attribute at any time by using changetype: modify with the replace operation. The change takes effect for the next update session, if one is already in progress.
  Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
  Valid Values: Any valid integer
  Default Value: 3
  Syntax: Integer
  Example: nsDS5ReplicaBusyWaitTime: 3
2.3.8.6. nsDS5ReplicaChangesSentSinceStartup
This read-only attribute shows the number of changes sent to this replica since the server started.
  Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
  Valid Range: 0 to the maximum 32-bit integer (2147483647)
  Default Value: none
  Syntax: Integer
  Example: nsDS5ReplicaChangesSentSinceStartup: 647
2.3.8.7. nsDS5ReplicaCredentials
This attribute sets the credentials for the bind DN specified in the nsDS5ReplicaBindDN attribute on the remote server containing the consumer replica. The value for this attribute can be modified. When certificate-based authentication is used, this attribute may not have a value. The example shows the dse.ldif entry, not the actual password. If this value ove...
92. ...index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
  Valid Values: 1 (onelevel or children search), 2 (subtree search)
  Default Value: none
  Syntax: Integer
  Example: vlvScope: 2
3.4.3.12. vlvSearch Object Class
A browsing index, or virtual list view (VLV) index, dynamically generates an abbreviated index of entry headers that makes it much faster to visually browse large indexes. A VLV index definition has two parts: one which defines the index and one which defines the search used to identify entries to add to the index. The vlvSearch object class defines the search filter entry. This object class is defined in Directory Server.
  Superior Class: top
  OID: 2.16.840.1.113730.3.2.38
  Required Attributes: objectClass: Defines the object classes for the entry. vlvScope: Identifies the scope to define the browsing index. vlvFilter: Identifies the filter string to define the browsing index.
  Allowed Attributes: multiLineDescription: Gives a text description of the entry.
3.4.3.13. vlvSort
This attribute sets the sort order for returned entries in the browsing or virtual list view (VLV) index.
NOTE: The entry for this attribute is a vlvIndex entry beneath the vlvSearch entry. For more information on...
93. ...is off. Integer values reject any password which uses a character more than that number of times in a row; for example, 1 rejects a character used more than once (aa) and 2 rejects a character used more than twice (aaa).
  Entry DN: cn=config
  Valid Range: 0 to 64
  Default Value: 0
  Syntax: Integer
  Example: passwordMaxRepeats: 1
2.3.1.128. passwordMin8Bit (Password Syntax)
This sets the minimum number of 8-bit characters the password must contain.
NOTE: The 7-bit checking for userPassword must be disabled to use this.
  Entry DN: cn=config
  Valid Range: 0 to 64
  Default Value: 0
  Syntax: Integer
  Example: passwordMin8Bit: 0
2.3.1.129. passwordMinAge (Password Minimum Age)
Indicates the number of seconds that must pass before a user can change their password. Use this attribute in conjunction with the passwordInHistory (number of passwords to remember) attribute to prevent users from quickly cycling through passwords so that they can use their old password again. A value of zero (0) means that the user can change the password immediately. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide.
  Entry DN: cn=config
  Valid Range: 0 to the valid maximum integer
  Default Value: 0
  Syntax: Integer
  Example: password...
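An added example that applies the syntax attributes described here and in the legacy attribute table above (passwordMinDigits, passwordMinAlphas, passwordMinUppers, passwordMin8Bit, passwordMaxRepeats) to a candidate password. It is not code from the Red Hat manual and models the documented checks rather than the server's own implementation. Assumptions: letters, digits and upper-case letters are counted over ASCII only; an "8-bit character" is any character outside ASCII; and passwordMaxRepeats limits a run of the same character repeated back to back, as in the page's own aa and aaa examples.

```python
"""Check a candidate password against the syntax attributes described above.

Added example; not code from the Red Hat Directory Server manual, and a model
of the documented checks rather than the server's code. Assumptions: letters,
digits and upper-case are counted over ASCII only; an "8-bit character" is any
character outside ASCII; passwordMaxRepeats limits a run of the same
character repeated back to back, as in the page's own examples aa and aaa.
"""
import string


def longest_run(text):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password_syntax(password, *, passwordMinDigits=0, passwordMinAlphas=0,
                          passwordMinUppers=0, passwordMin8Bit=0, passwordMaxRepeats=0):
    """Return the list of violated attributes with the observed counts.

    An empty list means the password passes every check that is switched on;
    as in the server configuration, a value of 0 disables that check.
    """
    counts = {
        "passwordMinDigits": sum(ch in string.digits for ch in password),
        "passwordMinAlphas": sum(ch in string.ascii_letters for ch in password),
        "passwordMinUppers": sum(ch in string.ascii_uppercase for ch in password),
        "passwordMin8Bit": sum(ord(ch) > 127 for ch in password),
    }
    minimums = {
        "passwordMinDigits": passwordMinDigits,
        "passwordMinAlphas": passwordMinAlphas,
        "passwordMinUppers": passwordMinUppers,
        "passwordMin8Bit": passwordMin8Bit,
    }
    problems = []
    for name, required in minimums.items():
        if required and counts[name] < required:
            problems.append("%s=%d not met (found %d)" % (name, required, counts[name]))
    run = longest_run(password)
    if passwordMaxRepeats and run > passwordMaxRepeats:
        problems.append("passwordMaxRepeats=%d exceeded (run of %d)" % (passwordMaxRepeats, run))
    return problems


if __name__ == "__main__":
    policy = dict(passwordMinDigits=1, passwordMinUppers=1, passwordMaxRepeats=1)
    for candidate in ("Passw0rd", "passw0rd", "Paasw0rd", "\u00fcber1X"):
        print(repr(candidate), check_password_syntax(candidate, **policy) or "accepted")
```

Note that passwordMinAge, the last attribute above, is a timing rule rather than a syntax rule and is not part of this check; it belongs with the lockout and history handling.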
94. ...items in each of the list options below. The default is 20 when this parameter is omitted. For example, -s 10 -i will list the ten client machines that access the Directory Server most often. This parameter will apply to all lists that are enabled, and it will have no effect if none are displayed.
  -S startTimestamp: Specifies the start timestamp; the timestamp must follow the exact format as specified in the access log.
  -v: Displays the version number of the logconv.pl script.
  -V: Enables verbose output. With this option, logconv.pl will compute and display all of the optional lists described in Table 7.27, logconv.pl Options to Display Occurrences.
  -X ipAddress: Specifies the IP address of a client to exclude from the statistics. This client will not appear in lists of IP addresses (the -i flag), and the connection codes it generates will not be tallied in the total connections default statistic nor in the connection code details (the -c flag). For example, an administrator may want the server to ignore the effect of a load balancer that connects to the Directory Server at regular intervals. This option may be repeated to exclude multiple IP addresses.
  accessLog: The name of a file that contains the access log of the Directory Server. Wildcards can be used in the filename. It is also possible to specify multiple filenames. However, the statist...
95. ...link establishes with the remote server.
  Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
  Valid Range: 1 to n connections
  Default Value: 20
  Syntax: Integer
  Example: nsOperationConnectionsLimit: 10
3.5.2.10. nsProxiedAuthorization
Reserved for advanced use only. This attribute can disable proxied authorization with a value of off. With proxied authorization off, the farm server evaluates access control for the database link's own bind identity rather than for the originating client, so turn it off only deliberately.
  Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
  Valid Values: on | off
  Default Value: on
  Syntax: DirectoryString
  Example: nsProxiedAuthorization: on
3.5.2.11. nsReferralOnScopedSearch
This attribute controls whether referrals are returned by scoped searches. This attribute can be used to optimize the directory, because returning referrals in response to scoped searches is more efficient. A referral is returned to all the configured farm servers.
  Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
  Valid Values: on | off
  Default Value: off
  Syntax: DirectoryString
  Example: nsReferralOnScopedSearch: off
3.5.2.12. nsSizeLimit
This attribute shows the default size limit for the database link, in bytes.
  Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
  Valid Range: 1...
96. ...list the entries to export.
nsNoWrap, analogous to the -U option, to set whether to wrap long lines in the LDIF file.
nsDumpUniqId, analogous to the -u option, to set whether to include the unique IDs with the entries when they are exported.
nsFilename: The nsFilename attribute contains the path and filenames of the LDIF files to which to export the Directory Server instance database.
  Entry DN: cn=task_name,cn=export,cn=tasks,cn=config
  Valid Values: Any string
  Default Value: none
  Syntax: Case-exact string, multi-valued
  Example: nsFilename: /home/jsmith/example.ldif
nsInstance: This attribute supplies the name of the database instance from which to export the database, such as NetscapeRoot or userRoot.
  Entry DN: cn=task_name,cn=export,cn=tasks,cn=config
  Valid Values: The name of a Directory Server instance (any string)
  Default Value: none
  Syntax: Case-exact string, multi-valued
  Example: nsInstance: userRoot
nsIncludeSuffix: This attribute identifies a specific suffix or subtree to export to an LDIF file.
  Entry DN: cn=task_name,cn=export,cn=tasks,cn=config
  Valid Values: Any DN
  Default Value: none
  Syntax: DN, multi-valued
  Example: nsIncludeSuffix: ou=people,dc=example,dc=com
nsExcludeSuffix: This attribute identifies suffixes or subtrees in the database to exclu...
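The index, import and export task entries described in this section and in the cn=tasks fragments above are all built the same way: an extensibleObject entry under cn=tasks,cn=config whose multi-valued attributes (nsFilename, nsIncludeSuffix, nsExcludeSuffix, nsIndexAttribute) are repeated once per value. The generator below is an added example, not code from the Red Hat manual. It validates nsIndexAttribute index types against the four listed on this page, and writes any value that is not an RFC 2849 safe string (leading space, leading ":" or "<", non-ASCII, control characters, trailing space) in base64 "attr:: value" form, since a path or suffix that begins with a space would otherwise be silently trimmed by the LDIF reader. Assumptions: task names are restricted to characters that need no DN escaping, and nsIndexAttribute values are written without surrounding quotation marks, as in the task example on this page.

```python
"""Build task entries for cn=tasks with correct LDIF encoding.

Added example; not code from the Red Hat Directory Server manual. Writes
the index, import and export task entries described above. Assumptions:
task names use only characters that need no DN escaping; values that are
not RFC 2849 safe strings are written in base64 "attr:: value" form;
nsIndexAttribute values carry no surrounding quotation marks.
"""
import base64
import re

INDEX_TYPES = ("pres", "eq", "approx", "sub")
_NAME_OK = re.compile(r"^[A-Za-z0-9 _.-]+$")


def ldif_line(attr, value):
    """One LDIF attribute line, base64-encoded when the value is not a safe string.

    Unsafe: empty, leading space/':'/'<', trailing space, non-ASCII or NUL/CR/LF.
    """
    unsafe = (value == "" or value[0] in " :<" or value[-1] == " "
              or any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value))
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def _task(kind, name, attrs):
    """Generic task entry; attrs is a list of (attribute, value) pairs, repeated for multi-valued ones."""
    if not _NAME_OK.match(name):
        raise ValueError("task name must not need DN escaping: %r" % name)
    lines = ["dn: cn=%s,cn=%s,cn=tasks,cn=config" % (name, kind),
             "objectclass: extensibleObject",
             "cn: %s" % name]
    lines += [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def index_task(name, attributes):
    """attributes: {attr: [index types]}; each value is written as attr:type1,type2."""
    pairs = []
    for attr, types in attributes.items():
        bad = [t for t in types if t not in INDEX_TYPES]
        if bad:
            raise ValueError("unknown index type(s) %s for %s" % (bad, attr))
        pairs.append(("nsIndexAttribute", "%s:%s" % (attr, ",".join(types))))
    return _task("index", name, pairs)


def _transfer_task(kind, name, instance, files, include, exclude, extra):
    pairs = [("nsInstance", instance)]
    pairs += [("nsFilename", f) for f in files]
    pairs += [("nsIncludeSuffix", s) for s in include]
    pairs += [("nsExcludeSuffix", s) for s in exclude]
    pairs += list(extra)
    return _task(kind, name, pairs)


def import_task(name, instance, files, include=(), exclude=(), chunk_size=None, index_attrs=True):
    """Import task; chunk_size maps to nsImportChunkSize, index_attrs to nsImportIndexAttrs."""
    extra = [("nsImportIndexAttrs", "true" if index_attrs else "false")]
    if chunk_size is not None:
        extra.append(("nsImportChunkSize", str(chunk_size)))
    return _transfer_task("import", name, instance, files, include, exclude, extra)


def export_task(name, instance, files, include=(), exclude=()):
    """Export task with the same include/exclude handling as the import task."""
    return _transfer_task("export", name, instance, files, include, exclude, [])


if __name__ == "__main__":
    print(index_task("example presence index", {"cn": ["pres", "eq"], "description": ["sub"]}))
    print(import_task("nightly import", "userRoot", ["/var/tmp/people.ldif"],
                      include=["ou=people,dc=example,dc=com"],
                      exclude=["ou=machines,dc=example,dc=com"], chunk_size=10))
```

The output is what you would feed to ldapmodify -a as the Directory Manager; the server then adds the task-invocation attributes to the entry as it runs.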
97. machines use to collect, collate, and share specific information about machines, users, filesystems, and network parameters throughout a network of computers. Powerful workstation with one or more network-management applications installed. Also network management station. Red Hat's LDAP Directory Server daemon or service that is responsible for all actions of the Directory Server. See Also slapd. Defines an entry type in the directory by defining which attributes are contained in the entry. A string, usually of decimal numbers, that uniquely identifies a schema element, such as an object class or an attribute, in an object-oriented system. Object identifiers are assigned by ANSI, IETF, or similar organizations. See Also OID. See object identifier. Contains information used internally by the directory to keep track of modifications and subtree properties. Operational attributes are not returned in response to a search unless explicitly requested. When granted, indicates that users have access to entries below their own in the directory tree if the bind DN is the parent of the targeted entry. See PTA. In pass-through authentication, the PTA directory server will pass through bind requests to the authenticating directory server from all clients whose DN is contained in this subtree. A file on Unix machines that stores Unix user login names, passwords, and user ID numbers. It is also known as /etc/passwd because of where it is ke
98. master Replication Plug-in. Plug-in Name: Multi-master Replication Plug-in. DN of Configuration Entry: cn=Multimaster Replication plugin,cn=plugins,cn=config. Description: Enables replication between two current Directory Servers. Configurable Options: on | off. Default Setting: on. Configurable Arguments: None. Dependencies: Database. Performance Related Information: Turn this plug-in off if one server will never replicate. Further Information: See the Managing Replication chapter in the Directory Server Administrator's Guide. 3.1.23. Octet String Syntax Plug-in. Plug-in Name: Octet String Syntax. DN of Configuration Entry: cn=Octet String Syntax,cn=plugins,cn=config. Description: Syntax for handling octet strings. Configurable Options: on | off. Default Setting: on. Configurable Arguments: None. Dependencies: None. Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. Further Information: none. 3.1.24. OID Syntax Plug-in. Plug-in Name: OID Syntax Plug-in. DN of Configuration Entry: cn=OID Syntax,cn=plugins,cn=config. Description: Syntax for object identifiers (OID). Configurable Options: on | off.
99. must pass after login failures before the server resets the password retry count to zero. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide. Entry DN: cn=config. Valid Range: 0 to the maximum 32-bit integer value (2147483647) in seconds. Default Value: 600. Syntax: Integer. Example: passwordResetDuration: 600. 2.3.1.140. passwordResetFailureCount (Reset Password Failure Count After). Indicates the amount of time in seconds after which the password failure counter resets. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the passwordLockout attribute is set to on, users are locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute (within 600 seconds by default). After the amount of time specified by the passwordLockoutDuration attribute, the failure counter is reset to zero (0). This can be abbreviated to pwdFailureCountInterval. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide. Entry DN: cn=config. Valid Range: 1 to the maximum 32-bit integer value (2147483647) in seconds. Syntax: Integer.
100. nsslapd-db-circular-logging 169; nsslapd-db-clean-pages 187; nsslapd-db-commit-rate 187; nsslapd-db-deadlock-rate 187; nsslapd-db-debug 169; nsslapd-db-dirty-pages 187; nsslapd-db-durable-transactions 169; nsslapd-db-hash-buckets 187; nsslapd-db-hash-elements-examine-rate 187; nsslapd-db-hash-search-rate 187; nsslapd-db-home-directory 170; nsslapd-db-idl-divisor 171; nsslapd-db-lock-conflicts 187; nsslapd-db-lock-region-wait-rate 187; nsslapd-db-lock-request-rate 187; nsslapd-db-lockers 187; nsslapd-db-log-bytes-since-checkpoint 187; nsslapd-db-log-region-wait-rate 187; nsslapd-db-log-write-rate 188; nsslapd-db-logbuf-size 171; nsslapd-db-logdirectory 172; nsslapd-db-logfile-size 172; nsslapd-db-longest-chain-length 188; nsslapd-db-page-create-rate 188; nsslapd-db-page-ro-evict-rate 188; nsslapd-db-page-rw-evict-rate 188; nsslapd-db-page-size 173; nsslapd-db-page-trickle-rate 188; nsslapd-db-page-write-rate 188; nsslapd-db-pages-in-use 188; nsslapd-db-spin-count 173; nsslapd-db-transaction-batch-val 173; nsslapd-db-trickle-percentage 174; nsslapd-db-txn-region-wait-rate 188; nsslapd-db-verbose 175; nsslapd-dbcachesize 168; nsslapd-dbncache 175; nsslapd-directory 176, 180; nsslapd-idlistscanlimit 166; nsslapd-import-cache-autosize 176; nsslapd-import-cachesize 176; nsslapd-mode 178; nsslapd-readonly 181; nsslapd-require-index 181; nsslapd-suffix 181; nsSubStrBegin 192; nsSubStrEnd 193; nsSubStrMiddle 193; nsSystemIndex 191
101. number of LDAP add requests. RemoveEntryOps: This shows the number of LDAP delete requests. ModifyEntryOps: This shows the number of LDAP modify requests. ModifyRDNOps: This shows the number of LDAP modify RDN (modrdn) requests. ListOps: Not used. This value is always 0. SearchOps: This shows the number of LDAP search requests. (One-level search counter:) This shows the number of one-level search operations. WholeSubtreeSearchOps: This shows the number of subtree-level search operations. Referrals: This shows the number of LDAP referrals returned. Chainings: Not used. This value is always 0. SecurityErrors: This shows the number of errors returned that were security related, such as invalid passwords, unknown or invalid authentication methods, or stronger authentication required. Errors: This shows the number of errors returned. Connections: This shows the number of currently open connections. ConnectionSeq: This shows the total number of connections opened, including both currently open and closed connections. BytesRecv: This shows the number of bytes received. BytesSent: This shows the number of bytes sent. EntriesReturned: This shows the number of entries returned as search results. ReferralsReturned: This provides information on referrals returned as search results (continuation references). MasterEntries: Not used. Th
102. objectclass: ldapsubentry. 3.4.3.10. vlvIndex Object Class. A browsing index, or virtual list view (VLV) index, dynamically generates an abbreviated index of entry headers that makes it much faster to visually browse large indexes. A VLV index definition has two parts: one which defines the index and one which defines the search used to identify entries to add to the index. The vlvIndex object class defines the index entry. This object class is defined in Directory Server. Superior Class: top. OID: 2.16.840.1.113730.3.2.42. Required Attributes: objectClass (Defines the object classes for the entry); cn (Gives the common name of the entry); vlvSort (Identifies the attribute list that the browsing index, or virtual list view index, is sorted on). Allowed Attributes: vlvEnabled (Stores the availability of the browsing index); vlvUses (Contains the count the browsing index is used). 3.4.3.11. vlvScope. This attribute sets the scope of the search to run for entries in the browsing or virtual list view (VLV) index. For more information on VLV indexes, see the indexing chapter in the Administrator's Guide. NOTE: This attribute is only available to user databases (like userRoot), not configuration databases (like o=NetscapeRoot). Entry DN: cn
103. of 000 to 777, since they mirror numbered or absolute UNIX file permissions. That is, the value must be a combination of a 3-digit number, the digits varying from 0 through 7: 0 None; 1 Execute only; 2 Write only; 3 Write and execute; 4 Read only; 5 Read and execute; 6 Read and write; 7 Read, write, and execute. In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone. The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file. Entry DN: cn=config. Valid Range: 000 through 777. Default Value: 600. Syntax: Integer. Example: nsslapd-errorlog-mode: 600. 2.3.1.59. nsslapd-groupevalnestlevel. This attribute is deprecated and documented here only for historical purposes. The Access Control Plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to set the number of levels of nesting that access control performs for group evaluation. Instead, the number of levels of nesting is hard-coded as 5. Entry DN: cn=config. Valid Range: 0 to 5
104. of the consumer replica ended. (Next attribute:) States when the initialization of the consumer replica started. nsDS5ReplicaLastInitStatus: The status for the initialization of the consumer. nsDS5ReplicaLastUpdateEnd: States when the most recent replication schedule update ended. nsDS5ReplicaLastUpdateStart: States when the most recent replication schedule update started. nsDS5ReplicaLastUpdateStatus: Provides the status for the most recent replication schedule updates. nsDS5ReplicaPort: Specifies the port number for the remote replica. nsDS5ReplicaRoot: Specifies the suffix DN at the root of a replicated area. nsDS5ReplicaSessionPauseTime: Specifies the amount of time in seconds a supplier should wait between update sessions. nsDS5ReplicatedAttributeList: Specifies any attributes that will not be replicated to a consumer server. nsDS5ReplicaTimeout: Specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing. nsDS5ReplicaTransportInfo: Specifies the type of transport used for transporting data to and from the replica. nsDS5ReplicaUpdateInProgress: States whether a replication schedule update is in progress. nsDS5ReplicaUpdateSchedule: Specifies the replication schedule. nsds50ruv: Manages the internal state of the replica via the replication update vector.
105. of the log files much easier, because they then map directly to the calendar. For error log rotation to be synchronized with time of day, this attribute must be enabled, with the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files. For example, to rotate error log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attributes to 0. Entry DN: cn=config. Valid Values: on | off. Default Value: off. Syntax: DirectoryString. Example: nsslapd-errorlog-logrotationsync-enabled: on. 2.3.1.52. nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour). This attribute sets the hour of the day for rotating error logs. This attribute must be used in conjunction with the nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsyncmin attributes. Entry DN: cn=config. Valid Range: 0 through 23. Default Value: 0. Syntax: Integer. Example: nsslapd-errorlog-logrotationsynchour: 23. 2.3.1.53. nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute). This attribute sets the minute of the day for rotating error logs. This attribute must be used in conjunction with the nsslapd-errorlog-log
106. on the changelog, see Section 2.3.2.1, nsslapd-changelogdir. The server has to be restarted for changes to this attribute to go into effect. Entry DN: cn=changelog5,cn=config. Valid Range: 0 (meaning that the only maximum limit is the disk size) to the maximum 32-bit integer (2147483647). Default Value: 0. Syntax: Integer. Example: nsslapd-changelogmaxentries: 5000. 2.3.2.4. changes. This attribute contains the changes made to the entry for add and modify operations, in LDIF format. OID: 2.16.840.1.113730.3.1.8. Syntax: Binary. Multi- or Single-Valued: Multi-valued. Defined in: Changelog Internet Draft. 2.3.2.5. changeLog. This attribute contains the distinguished name of the entry which contains the set of entries comprising the server's changelog. Syntax: DN. Multi- or Single-Valued: Multi-valued. 2.3.2.6. changeNumber. This attribute is always present. It contains an integer which uniquely identifies each change made to a directory entry. This number is related to the order in which the change occurred: the higher the number, the later the change. OID: 2.16.840.1.113730.3.1.5. Syntax: Integer. Multi- or Single-Valued: Multi-valued. Defined in: Changelog Internet Draft. 2.3.2.7. changeTime. This attribute defines a time, in a YYMMDDHHMMSS format, when the entry was added. OID: 2.16.840.1.113730.3.1.77. Syntax: DirectoryString. Multi- or S
107. one interface of a multihomed machine. There can be multiple IP addresses associated with a single hostname, and these IP addresses can be a mix of both IPv4 and IPv6. This parameter can be used to restrict the Directory Server instance to a single IP interface. If a hostname is given as the nsslapd-listenhost value, then the Directory Server responds to requests for every interface associated with the hostname. If a single IP interface (either IPv4 or IPv6) is given as the nsslapd-listenhost value, Directory Server only responds to requests sent to that specific interface. Either an IPv4 or IPv6 address can be used. The server has to be restarted for changes to this attribute to go into effect. Entry DN: cn=config. Valid Values: Any local hostname, IPv4 or IPv6 address. Default Value: none. Syntax: DirectoryString. Example: nsslapd-listenhost: ldap.example.com. NOTE: On HP-UX, the hostname value can be a relocatable IP address. 2.3.1.73. nsslapd-localhost (Local Host). This attribute specifies the host machine on which the Directory Server runs. This attribute is used to create the referral URL that forms part of the MMR protocol. In a high-availability configuration with failover nodes, that referral should point to the virtual name of the cluster, not the local hostname. Entry DN: cn=config. Valid Values: Any fully qualified hostname. Default Value: Hostname o
108. options 308; syntax 308. migrate-ds.pl: command-line script; options 306; syntax 306. monitor: command-line shell script 288; quick reference 277. multi-master replication: changelog 71. N. nbackends attribute 99. newRdn 74. newSuperior 74. ns-accountstatus.pl: command-line perl script 310; quick reference 278. ns-activate.pl: command-line perl script 310; quick reference 278. ns-inactivate.pl: command-line perl script 311; quick reference 278. ns-newpolicy.pl: quick reference 278. ns-newpwpolicy.pl: command-line perl script 312. ns-slapd command-line utilities: archive2db 326; db2archive 327; db2index 327; db2ldif 323; finding and executing 323; ldif2db 325. nsAbandonCount attribute 205. nsAbandonedSearchCheckInterval attribute 198. nsActiveChainingComponents attribute 196. nsAddCount attribute 204. nsArchiveDir 115, 116. nsAttributeEncryption 194, 195. nsBindConnectionCount attribute 205. nsBindConnectionsLimit attribute 198. nsBindCount attribute 205. nsBindMechanism attribute 202. nsBindRetryLimit attribute 198. nsBindTimeout attribute 199. nsCheckLocalACI attribute 199. nsCompareCount attribute 205. nsConcurrentBindLimit attribute 199. nsConcurrentOperationsLimit attribute 200. nsConnectionLife attribute 200. nsDatabaseTypes 115, 116. nsDeleteCount attribute 204. nsDS50ruv attribute 94. nsDS5BeginReplicaRefresh attribute 91. nsDS5Flags attribute 79. nsDS5ReplConflict attri
109. options specified. -i ldifFile: Specifies the LDIF file to be imported. This option is required. There can be multiple -i arguments to import more than one LDIF file at a time. When importing multiple files, the server imports the LDIF files in the order they are specified on the command line. -n backendInstance: Specifies the name of the backend to be imported. -O: Specifies that no attribute indexes are created for the imported database. If this option is specified and the indexes need to be restored later, the indexes have to be recreated by hand. See the Directory Server Administrator's Guide for further information. -s includeSuffix: Specifies the suffix or suffixes within the LDIF file to import. -x excludeSuffix: Specifies suffixes within the LDIF file to exclude during the import. There can be multiple -x arguments. This option can selectively import portions of the LDIF file. If both -x and -s are used with the same suffix, -x takes precedence. Exclusion always takes precedence over inclusion. If -x or -s are not specified, then all available suffixes will be imported from the LDIF file. To import the LDIF file into the configuration directory, do not exclude o=NetscapeRoot. Table A.2. ldif2db Options. A.5. Utilities for Restoring and Backing up Databases. archive2db: Restores a database from the archives. Syntax: ns-slapd archive2db -D configDir -a archiveDir
110. path. Default Value: /etc/dirsrv/slapd-instance_name/schema. Syntax: DirectoryString. Example: schemadir: /export/schema. 2.3.15.8. cn=memberof task. The memberOf attribute is created and managed by the Directory Server automatically to display group membership on the members' user entries. When the member attribute on a group entry is changed, all of the members' associated directory entries are automatically updated with their corresponding memberOf attributes. The cn=memberof task (and the related fixup-memberof.pl script) is used to create the initial memberOf attributes on the members' user entries in the directory. After the memberOf attributes are created, the MemberOf Plug-in manages the memberOf attributes automatically. The memberOf update task must give the DN of the entry or subtree to run the update task against, set in the basedn attribute. Optionally, the task can include a filter to identify the members' user entries to update, set in the filter attribute. For example: dn: cn=example memberof,cn=memberof task,cn=tasks,cn=config; objectclass: extensibleObject; cn: example memberof; basedn: ou=people,dc=example,dc=com; filter: (objectclass=groupOfNames). As soon as the task is complete, the task entry is removed from the directory. The cn=memberof task entry is a container entry for memberOf update operations. The cn=memberof task entry itself has no attributes, but each of the task entries ben
111. receives an update request, it forwards it to the server that holds the corresponding read-write replica. This forwarding process is called a referral. See RDN. A database that participates in replication. Replication configuration where replica servers, either hub or consumer servers, pull directory data from supplier servers. This method is available only for legacy replication. Act of copying directory trees or subtrees from supplier servers to replica servers. Set of configuration parameters that are stored on the supplier server and identify the databases to replicate, the replica servers to which the data is pushed, the times during which replication can occur, the DN and credentials used by the supplier to bind to the consumer, and how the connection is secured. Request for Comments. Procedures or standards documents submitted to the Internet community. People can send comments on the technologies before they become accepted standards. An entry grouping mechanism. Each role has members, which are the entries that possess the role. Attributes that appear on an entry because it possesses a particular role within an associated CoS template. The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine. The parent of one or more sub-suffixes. A directory tree can contain more than one root suffix. An authentication framework for clients as they attempt to bind to
112. replication environment. nsDS5ReplicaRoot: Specifies the suffix DN at the root of a replicated area. Allowed Attributes: cn: Gives the name for the replica. nsDS5Flags: Specifies information that has been previously set in flags. nsDS5ReplicaAutoReferral: Sets whether the server will follow configured referrals for the Directory Server database. nsDS5ReplicaBindDN: Specifies the DN to use when a supplier server binds to a consumer. nsDS5ReplicaChangeCount: Gives the total number of entries in the changelog and whether they have been replicated. nsDS5ReplicaLegacyConsumer: Specifies whether the replica is a legacy consumer. nsDS5ReplicaName: Specifies the unique ID for the replica for internal operations. nsDS5ReplicaPurgeDelay: Specifies the time in seconds before the changelog is purged. nsDS5ReplicaReferral: Specifies the URLs for user-defined referrals. nsDS5ReplicaTombstonePurgeInterval: Specifies the time interval in seconds between purge operation cycles. nsDS5ReplicaType: Defines the type of replica, such as a read-only consumer. nsDS5Task: Launches a replication task, such as dumping the database contents to LDIF; this is used internally by the Directory Server supplier. nsState: Stores information on the clock so that proper change sequence numbers are generated. 2.4.7. nsDS5ReplicationAgreement Object Class. Entries with the nsDS5ReplicationAgre
113. responsible for a particular system task. Service processes do not need human intervention to continue functioning. Server Instance Entry. The ID assigned to an instance of Directory Server during installation. See SASL. See SNMP. The most basic replication scenario, in which multiple servers, up to four, each hold a copy of the same read-write replicas to replica servers. In a single-master replication scenario, the supplier server maintains a changelog. See supplier-initiated replication. LDAP Directory Server daemon or service that is responsible for most functions of a directory, except replication. See Also ns-slapd. Used to monitor and manage application processes running on the servers by exchanging data about network activity. Also Simple Network Management Protocol. Software that exchanges information between the various subagents and the NMS. Software that gathers information about the managed device and passes the information to the master agent. Also called a subagent. (Glossary term column on this page: SSL; standard index; sub suffix; subagent; substring index; suffix; superuser; supplier; supplier server; supplier-initiated replication; symmetric encryption; system index; T; target; target entry; TCP/IP; template entry; time/date format; TLS.) A software library establishing a secure connection between two parties (client and server), used to implement HTTPS, the secure version of HTTP. Also called Secure Sockets Lay
114. script, the server must be stopped. The vlvindex script creates virtual list view (VLV) indexes, known in the Directory Server Console as browsing indexes. VLV indexes introduce flexibility in the way search results are viewed. VLV indexes can organize search results alphabetically or in reverse alphabetical order, making it easy to scroll through the list of results. VLV index configuration must already exist prior to running this script. Syntax: vlvindex -d debugLevel -n backendInstance -s suffix -T vlvTag. Options: Either the -n or the -s option must be specified. -d debugLevel: Specifies the debug level to use during index creation. Debug levels are defined in Section 2.3.1.44, nsslapd-errorlog-level (Error Log Level). -n backendInstance: Gives the name of the database containing the entries to index. -s suffix: Gives the name of the suffix containing the entries to index. -T vlvTag: VLV index identifier to use to create VLV indexes. The Console can specify a VLV index identifier for each database supporting the directory tree, as described in the Directory Server Administrator's Guide. Define additional VLV tags by creating them in LDIF and adding them to Directory Server's configuration, as described in the Red Hat Directory Server Administrator's Guide. Red Hat recommends using the DN of the entry for which to accelerate the search sorting. Table 7.17. vlvindex
115. size of LDAP requests that can be handled by the Directory Server. Limiting the size of requests prevents some kinds of denial of service attacks. The limit applies to the total size of the LDAP request. For example, if the request is to add an entry and the entry in the request is larger than two megabytes, then the add request is denied. Be cautious before changing this attribute. The server should be restarted for changes in this attribute to take effect. Entry DN: cn=config. Valid Range: 0 to 2 gigabytes (2,147,483,647 bytes). Zero (0) means that the default value should be used. Default Value: 2097152. Syntax: Integer. Example: nsslapd-maxbersize: 2097152. 2.3.1.77. nsslapd-maxdescriptors (Maximum File Descriptors). This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server tries to use. A file descriptor is used whenever a client connects to the server and also for some server activities, such as index maintenance. File descriptors are also used by access logs, error logs, audit logs, database files (indexes and transaction logs), and as sockets for outgoing connections to other servers for replication and chaining. The number of descriptors available for TCP/IP to serve client connections is determined by nsslapd-conntablesize and is equal to the nsslapd-maxdescriptors attribute minus the number of file descriptors used
116. the password for the bind DN. -k: Bypasses converting the password to UTF-8. -M: Manages smart referrals. This causes the server not to return the smart referral contained on the entry but instead to return the actual entry containing the referral. Use this option to search for entries that contain smart referrals. For more information about smart referrals, see the Configuring Directory Databases chapter in the Directory Server Administrator's Guide. -n: Specifies that the search is not actually to be performed, but that ldapsearch is to show what it would do with the specified input. -O: Specifies the maximum number of referral hops ldapsearch should automatically follow. -R: Specifies that referrals are not to be followed automatically. By default, referrals are followed automatically. -S: Specifies the attribute to use as the sort criteria. For example: -S sn. Use multiple -S arguments to further define the sort order. In the following example, the search results will be sorted first by surname and then by given name: -S sn -S givenname. The default is not to sort the returned entries. -T: Specifies that no line breaks should be used within individual values in the search results. -t: Specifies that the results be written to a set of temporary files. With this option, each attribute value is placed in a separate file within the system t
117. the Attribute Uniqueness Plug-in in the Directory Server Administrator's Guide for more information about the Attribute Uniqueness Plug-in. The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-master replication environment. Turning the plug-in on may slow down Directory Server performance. Further Information: See the Using the Attribute Uniqueness Plug-in chapter in the Directory Server Administrator's Guide. 3.1.5. Binary Syntax Plug-in. Plug-in Name: Binary Syntax. DN of Configuration Entry: cn=Binary Syntax,cn=plugins,cn=config. Description: Syntax for handling binary data. Configurable Options: on | off. Default Setting: on. Configurable Arguments: None. Dependencies: None. Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. Further Information: none. 3.1.6. Boolean Syntax Plug-in. Plug-in Name: Boolean Syntax. DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config. Description: Syntax for handling booleans. Configurable Options: on | off.
118. the configuration file may appear as follows: # Configuration File for Monitoring Replication Via Admin Express. [connection] ... mypassword. [alias] M1 = host1.example.com:10011; C1 = host4.example.com:10021; C2 = host2.example.com:10022. [color] ccffcc; 5 = FFFFCC; 60 = FFCCCC. A shadow port can be set in the replication monitor configuration file. For example: host:port:shadowport:binddn:bindpwd:bindcert. When the replication monitor finds a replication agreement that uses the specified port, it will use the shadow port to connect to retrieve statistics. 7.4.18. schema-reload.pl (Reload Schema Files Dynamically). Manually reloads the schema files used by the Red Hat Directory Server instance, either in the default location or in user-specified locations. To run this script, the server must be running. The script creates an entry in the directory that launches this dynamic task. Syntax: schema-reload.pl -D rootdn { -w password | -w - | -j filename } [ -d schema_directory ] [ -v ]. Options: -d schema_directory: Gives the full path to the directory where the schema file is located. If this is not specified, the script uses the default schema directory, /etc/dirsrv/slapd-instance_name/schema. IMPORTANT: If schema files are not in the default directory, then Directory Server will not use them the next time it restarts unless schema re
119. the database cache size, the size of physical memory, and kernel tuning attributes. In particular, this situation should not occur if the database cache size is less than 100 megabytes. If the Solaris host seems excessively slow and the database cache size is around 100 megabytes or more, then use the iostat utility to diagnose the problem by monitoring the activity of the disk where the Directory Server's database files are stored. There are three conditions required before resetting the nsslapd-db-home-directory attribute: the disk is heavily used (more than 1 megabyte per second of data transfer); there is a long service time (more than 100 ms); there is mostly write activity. If these are all true, use the nsslapd-db-home-directory attribute to specify a subdirectory of a tempfs-type filesystem. The directory referenced by the nsslapd-db-home-directory attribute must be a subdirectory of a filesystem of type tempfs, such as /tmp. However, Directory Server does not create the subdirectory referenced by this attribute. This directory must be created either manually or by using a script. Failure to create the directory referenced by the nsslapd-db-home-directory attribute will result in Directory Server being unable to start. Also, if there are multiple Directory Servers on the same machine, their nsslapd-db-home-directory attributes must be configured with different directories. Failure to do so will result in the databases for both dire
120. the database link only attempts to bind once. NOTE: Retries only occur for connection failures and not for other types of errors, such as invalid bind DNs or bad passwords. Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config. Valid Range: 0 to 5. Default Value: 3. Syntax: Integer. Example: nsBindRetryLimit: 3. 3.5.2.4. nsBindTimeout. This attribute shows the amount of time before the bind attempt times out. There is no real valid range for this attribute, except reasonable patience limits. Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config. Valid Range: 0 to 60 seconds. Default Value: 15. Syntax: Integer. Example: nsBindTimeout: 15. 3.5.2.5. nsCheckLocalACI. Reserved for advanced use only. This attribute controls whether ACIs are evaluated on the database link as well as the remote data server. Changes to this attribute only take effect once the server has been restarted. Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config. Valid Values: on | off. Default Value: off. Syntax: DirectoryString. Example: nsCheckLocalACI: on. 3.5.2.6. nsConcurrentBindLimit. This attribute shows the maximum number of concurrent bind operations per TCP connection. Entry DN: cn=default i
...the dnaThreshold attribute that is set in the DNA configuration. Any range allocated to another server from dnaNextRange cannot violate the threshold for the server, even if the range is available in dnaNextRange.

NOTE: The dnaNextRange attribute is handled internally if it is not set explicitly. When it is handled automatically, the dnaMaxValue attribute serves as the upper limit for the next range.

The attribute sets the range in the format lower_range-upper_range.

Parameter        Description
Entry DN         cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range      1 to the maximum 32-bit integer on 32-bit systems, and to the maximum 64-bit integer on 64-bit systems, for both the lower and upper ranges
Default Value    None
Syntax           DirectoryString
Example          dnaNextRange: 100-500

3.7.5. dnaNextValue

This attribute gives the next available number which can be assigned. After being initially set in the configuration entry, this attribute is managed by the Distributed Numeric Assignment Plug-in. The dnaNextValue attribute is required to set up distributed numeric assignment for an attribute.

Parameter        Description
Entry DN         cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range      1 to the maximum 32-bit integer on 32-bit systems, and to the maximum 64-bit integer on 64-bit systems
Default Value    1
Syntax           Integer
Example          dnaNex
...to LDIF.

Script Name            Description
fixup-memberof.pl      Regenerates the memberOf attribute on user entries to reflect changes in group membership.
ldif2db.pl             Imports LDIF files to a database; runs the ns-slapd command-line utility with the ldif2db keyword.
ns-accountstatus.pl    Provides account status information to establish whether an entry or group of entries is locked.
ns-activate.pl         Activates an entry or a group of entries by unlocking them.
ns-inactivate.pl       Deactivates an entry or a group of entries.
ns-newpwpolicy.pl      Adds the entries required for the fine-grained (user- and subtree-level) password policy.
schema-reload.pl       Reloads schema dynamically into the server instance.
verify-db.pl           Checks backend database files.

Table 7.2. Perl Scripts in /usr/lib/dirsrv/slapd-instance_name or /usr/lib64/dirsrv/slapd-instance_name

Script Name            Description                                                                  Perl or Shell Script
cl-dump                Dumps and decodes the changelog.                                             Shell
cl-dump.pl             Dumps and decodes the changelog.                                             Perl
ds_removal             Removes a server instance.                                                   Shell
logconv.pl             Analyzes the access logs of a Directory Server to extract usage statistics   Perl
                       and count the occurrences of significant events.
migrate-ds-admin.pl    Migrates a Directory Server 7.1 instance to Directory Server 8.1.
pwdhash                Prints the encrypted form of a password usin
...tree nodes, as shown in the following diagram.

Figure 3.3. Encrypted Attributes under the cn=config Node
(cn=encrypted attributes,cn=databaseName,cn=ldbm database,cn=plugins,cn=config, with child entries cn=socialSecurityNumber, cn=creditCardNumber and cn=userPassword)

For example, the database encryption entry for the userPassword attribute under o=UserRoot appears in the Directory Server as follows:

dn: cn=userPassword,cn=encrypted attributes,o=UserRoot,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsAttributeEncryption
cn: userPassword
nsEncryptionAlgorithm: AES

To configure database encryption, see the Database Encryption section of the Configuring Directory Databases chapter in the Directory Server Administrator's Guide. For more information about indexes, refer to the Managing Indexes chapter in the Directory Server Administrator's Guide.

3.4.8.1. nsAttributeEncryption Object Class

This object class is used for core configuration entries which identify and encrypt selected attributes within a Directory Server database. This object class is defined in Directory Server.

Superior Class    top
OID               2.16.840.1.113730.3.2.316

Required Attributes
objectClass              Defines the object classes for the entry.
cn                       Specifies the attribute being encrypted, using its common name.
nsEncryptionAlgorithm    The encryption cipher used.

3.4.8
...turning this attribute on to protect Directory Server's outbound SSL connections against a man-in-the-middle (MITM) attack.

NOTE: DNS and reverse DNS must be set up correctly for this to work; otherwise the server cannot resolve the peer IP address to the hostname in the subject DN of the certificate.

Parameter        Description
Entry DN         cn=config
Valid Values     on | off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-ssl-check-hostname: on

2.3.1.105. nsslapd-threadnumber (Thread Number)

Defines the number of operation threads that the Directory Server creates at startup. The nsslapd-threadnumber value should be increased if there are many directory clients performing time-consuming operations such as add or modify, as this ensures that other threads remain available for servicing short-lived operations such as simple searches. This value may also need to be increased if there are many replication agreements or chained backends (database links). This attribute is not available from the server console.

Parameter        Description
Entry DN         cn=config
Valid Range      1 to the maximum number of threads supported by the system
Default Value    30
Syntax           Integer
Example          nsslapd-threadnumber: 60

2.3.1.106. nsslapd-timelimit (Time Limit)

This attribute sets the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any en
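The check that nsslapd-ssl-check-hostname turns on, modelled in Python as an added example (this is not code from Directory Server or its documentation): the peer IP address is resolved through reverse DNS and the result is compared with the CN of the certificate subject, which is why the note above requires working reverse DNS. The reverse-DNS table, the addresses, the subject DNs and the function names are all constructed for the example; certificate chain validation, which the server performs regardless of this attribute, is outside the model.

```python
"""
Added example, not code from Directory Server: a model of the peer check that
nsslapd-ssl-check-hostname turns on for outbound SSL connections. The server resolves
the peer IP address through reverse DNS and compares the result with the CN in the
certificate subject DN. The reverse-DNS table, addresses, subject DNs and function
names below are constructed for the example; certificate chain validation, which the
server performs regardless of this attribute, is outside the model.
"""
import ipaddress

# Constructed PTR records standing in for the reverse DNS the server would query.
REVERSE_DNS = {
    "192.0.2.10": "replica1.example.com",
    "192.0.2.20": "ldap2.example.com",
}


def subject_cn(subject_dn):
    """Return the CN value of a subject DN such as 'CN=host,O=Org', or None if absent."""
    for rdn in subject_dn.split(","):
        name, _, value = rdn.strip().partition("=")
        if name.strip().lower() == "cn":
            return value.strip()
    return None


def peer_accepted(peer_ip, subject_dn, check_hostname=True, reverse_dns=REVERSE_DNS):
    """
    Decide whether a peer presenting subject_dn from peer_ip passes the hostname check.
    check_hostname=False models nsslapd-ssl-check-hostname: off, where a certificate
    that passed chain validation is accepted even if it was issued for another host,
    which is the man-in-the-middle exposure the attribute exists to close.
    """
    ipaddress.ip_address(peer_ip)  # reject malformed addresses early
    cn = subject_cn(subject_dn)
    if cn is None:
        return False
    if not check_hostname:
        return True
    hostname = reverse_dns.get(peer_ip)
    if hostname is None:
        # Missing reverse DNS is the documented failure mode: the peer cannot be verified.
        return False
    return hostname.lower() == cn.lower()
```

With the check off, the third call below accepts a certificate issued to attacker.example.net for the address of replica1; with the default of on it is refused, as is a peer whose address has no PTR record.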
...unlimited in size.
Default Value    100
Syntax           Integer
Example          nsslapd-errorlog-maxlogsize: 100

2.3.1.57. nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)

This attribute sets the total number of error logs that can be contained in the directory where the error log is stored. Each time the error log is rotated, a new log file is created. When the number of files in the error log directory exceeds the value of this attribute, the oldest log file is deleted. The default is 1 log. If this default is accepted, the server does not rotate the log, and it grows indefinitely. If the value for this attribute is higher than 1, check the nsslapd-errorlog-logrotationtime attribute to establish whether log rotation is specified. If nsslapd-errorlog-logrotationtime has a value of -1, there is no log rotation. See Section 2.3.1.54, nsslapd-errorlog-logrotationtime (Error Log Rotation Time), for more information.

Parameter        Description
Entry DN         cn=config
Valid Range      1 to the maximum 32-bit integer value (2147483647)
Default Value    1
Syntax           Integer
Example          nsslapd-errorlog-maxlogsperdir: 10

2.3.1.58. nsslapd-errorlog-mode (Error Log File Permission)

This attribute sets the access mode, or file permissions, with which error log files are to be created. The valid values are any combination
...userPassword manager

2.3.8.21. nsDS5ReplicaTimeout

This allowed attribute specifies the number of seconds that outbound LDAP operations wait for a response from the remote replica before timing out and failing. If the server writes "Warning: timed out waiting" messages in the error log file, increase the value of this attribute. Find out how long the operation actually lasted by examining the access log on the remote machine, then set the nsDS5ReplicaTimeout attribute accordingly to optimize performance.

Parameter        Description
Entry DN         cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Range      0 to the maximum 32-bit integer value (2147483647), in seconds
Default Value    600
Syntax           Integer
Example          nsDS5ReplicaTimeout: 600

2.3.8.22. nsDS5ReplicaTransportInfo

This attribute sets the type of transport used for transporting data to and from the replica. The attribute value can be either SSL, which means that the connection is established over SSL, or LDAP, which means that regular, unencrypted LDAP connections are used. If this attribute is absent, regular LDAP connections are used. This attribute cannot be modified once it is set.

Parameter        Description
Entry DN         cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values     SSL | LDAP
De
...0.3.2.11

Required Attributes
Attribute        Definition
objectClass      Defines the object classes for the entry.
cn               Specifies the common name of the supplier server.

Allowed Attributes
Attribute                  Definition
cirReplicaRoot             Stores the root suffix to be replicated.
cirHost                    Identifies the host of the supplier.
cirPort                    Identifies the port of the supplier.
cirBindDN                  Specifies the bind DN.
cirUsePersistentSearch     Specifies a flag for whether or not to use persistent search.
cirUseSSL                  Specifies a flag for whether or not to use SSL.
cirBindCredentials         Specifies the password of cirBindDN.
cirLastUpdateApplied       Timestamp of the last replica update.
cirUpdateSchedule          Schedule when the replica update occurs.
cirSyncInterval            Identifies the interval at which to synchronize.
cirUpdateFailedAt          Stores the timestamp of the last failed update attempt.
cirBeginORC                Sets whether the database deletes its contents before beginning replication.
replicaNickname            Identifies the name for the replication agreement.
replicaEntryFilter         Identifies the entries to be replicated.
replicatedAttributeList    Identifies the attribute list to be replicated.

2.5.2.2. cirBeginORC

For online replication creation (ORC), the consumer server can dump its entire database and allow the supplier to send it completely fresh information. The cirBeginORC at
...00
Syntax           Integer
Example          nsslapd-auditlog-maxlogsize: 50

2.3.1.33. nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)

This attribute sets the total number of audit logs that can be contained in the directory where the audit log is stored. Each time the audit log is rotated, a new log file is created. When the number of files in the audit log directory exceeds the value of this attribute, the oldest log file is deleted. The default is 1 log. If this default is accepted, the server does not rotate the log, and it grows indefinitely. If the value for this attribute is higher than 1, check the nsslapd-auditlog-logrotationtime attribute to establish whether log rotation is specified. If nsslapd-auditlog-logrotationtime has a value of -1, there is no log rotation. See Section 2.3.1.30, nsslapd-auditlog-logrotationtime (Audit Log Rotation Time), for more information.

Parameter        Description
Entry DN         cn=config
Valid Range      1 to the maximum 32-bit integer value (2147483647)
Default Value    1
Syntax           Integer
Example          nsslapd-auditlog-maxlogsperdir: 10

2.3.1.34. nsslapd-auditlog-mode (Audit Log File Permission)

This attribute sets the access mode, or file permissions, with which audit log files are to be created. The valid values are any combination of 000 to 777, since they mirror numbered (absolute) UNIX file permissions. The value must be a combin
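As an added example (not code from the Directory Server documentation), the retention rule behind nsslapd-auditlog-maxlogsperdir, which is the same rule Section 2.3.1.57 gives for nsslapd-errorlog-maxlogsperdir, together with a validator for the three-digit octal values of the nsslapd-*-mode attributes, in Python. The file names and mode strings are constructed; the rotated-log naming pattern and the decision to count the active log file toward the limit are assumptions of the example, not statements from the reference.

```python
"""
Added example, not code from Directory Server: the retention rule that
nsslapd-auditlog-maxlogsperdir / nsslapd-errorlog-maxlogsperdir describe, and a
validator for the octal nsslapd-*-mode values. File names and modes are constructed;
the rotated-file naming pattern and counting the active log toward the limit are
assumptions of this example.
"""
import re


def rotated_pattern(base):
    """Rotated copies are assumed to be named <base>.<YYYYMMDD>-<HHMMSS>; the active log is <base>."""
    return re.compile(r"^" + re.escape(base) + r"\.(\d{8})-(\d{6})$")


def select_for_deletion(filenames, base, maxlogsperdir):
    """
    Files to delete so that the directory holds at most maxlogsperdir files for this
    log (active log plus rotated copies), oldest rotated copies first. With the default
    of 1 the server never rotates, so there is never a rotated copy to delete.
    """
    if maxlogsperdir < 1:
        raise ValueError("maxlogsperdir must be at least 1")
    pat = rotated_pattern(base)
    rotated = sorted(f for f in filenames if pat.match(f))  # timestamp suffixes sort lexically
    active = 1 if base in filenames else 0
    excess = active + len(rotated) - maxlogsperdir
    return rotated[:excess] if excess > 0 else []


def parse_log_mode(value):
    """Parse a *-mode value: exactly three octal digits, 000 to 777, as the reference specifies."""
    if not re.fullmatch(r"[0-7]{3}", value):
        raise ValueError(f"invalid log mode {value!r}: expected three octal digits")
    return int(value, 8)


def mode_is_private(value):
    """True when neither group nor others get any access; the audit log records every change."""
    return parse_log_mode(value) & 0o077 == 0
```

The mode check is the one to run before accepting a value: 644 parses fine but leaves the audit trail world-readable, while 600 does not.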
...10, nsDS5ReplicaPurgeDelay, and Section 2.3.7.13, nsDS5ReplicaTombstonePurgeInterval, for more information about purge operation properties.

Parameter        Description
Entry DN         cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Range      1 to the maximum 32-bit integer (2147483647)
Default Value
Syntax           Integer
Example          nsDS5ReplicaChangeCount: 675

2.3.7.7. nsDS5ReplicaId

This attribute sets the unique ID for suppliers in a given replication environment.

Parameter        Description
Entry DN         cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Range      0 to 65534
Default Value
Syntax           Integer
Example          nsDS5ReplicaId: 1

2.3.7.8. nsDS5ReplicaLegacyConsumer

If this attribute is absent or has a value of false, the replica is not a legacy consumer.

Parameter        Description
Entry DN         cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values     true | false
Default Value    false
Syntax           DirectoryString
Example          nsDS5ReplicaLegacyConsumer: false

2.3.7.9. nsDS5ReplicaName

This attribute specifies the name of the replica, a unique identifier used for internal operations. If it is not specified, this unique identifier is allocated by the server when the replica is created.

NOTE: It is recommended that the server be permitted to generate this name. However, in certain circumstances, for example in replica role cha
...10000 49679b20
[09/Jan/2009:13:44:48 -0500] agmt="cn=example2" (alt:13864) - session start: anchorcsn=496797f3000000010000
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - changelog program - agmt="cn=example2" (alt:13864): CSN 496797f3000000010000 found, position set for replay
[09/Jan/2009:13:44:48 -0500] agmt="cn=example2" (alt:13864) - load=1 rec=1 csn=49679b20000000010000
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): replay_update: Sending modify operation (dn="uid=mreynolds,ou=people,dc=example,dc=com" csn=49679b20000000010000)
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): replay_update: Consumer successfully sent operation with csn 49679b20000000010000
[09/Jan/2009:13:44:48 -0500] agmt="cn=example2" (alt:13864) - clcache_load_buffer: rc=-30990
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): No more updates to send (cl5GetNextOperationToReplay)
[09/Jan/2009:13:44:48 -0500] repl5_inc_waitfor_async_results: 0 5
[09/Jan/2009:13:44:49 -0500] repl5_inc_result_threadmain: starting
[09/Jan/2009:13:44:49 -0500] repl5_inc_result_threadmain: read result for message_id 5
[09/Jan/2009:13:44:49 -0500] repl5_inc_result_threadmain: result 3, 5, null
[09/Jan/2009:13:44:49 -0500] repl5_inc_result_threadmain: read result for message_id 5
[09/Jan/2009:13:44:49 -0500] repl5
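The CSNs in the excerpt above are not opaque: a CSN is 20 hexadecimal characters, an 8-character timestamp in seconds since the epoch, a 4-character sequence number, the 4-character replica ID and a 4-character sub-sequence number. The Python below is an added example, not code from Directory Server, that decodes them and measures how far a replay session lagged behind its anchor. The log lines are the page's own sample (as reformatted above); the function names and the lag helper are this example's.

```python
"""
Added example, not code from Directory Server: decode the CSN values that appear in
replication log messages. A CSN is 20 hex characters: timestamp (8, seconds since the
epoch), sequence number (4), replica ID (4) and sub-sequence number (4). LOG holds
lines from the page's sample; decode_csn, csns_in_log and replay_lag_seconds are this
example's own helpers.
"""
import re
from datetime import datetime, timezone

CSN_RE = re.compile(r"^([0-9a-f]{8})([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{4})$")


def decode_csn(csn):
    """Split a CSN into its fields; raise ValueError on malformed input."""
    m = CSN_RE.match(csn.lower())
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    ts, seq, rid, subseq = (int(x, 16) for x in m.groups())
    return {
        "timestamp": ts,
        "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "seq": seq,
        "replica_id": rid,
        "subseq": subseq,
    }


# Lines from the replication log excerpt on this page.
LOG = """\
[09/Jan/2009:13:44:48 -0500] agmt="cn=example2" (alt:13864) - session start: anchorcsn=496797f3000000010000
[09/Jan/2009:13:44:48 -0500] agmt="cn=example2" (alt:13864) - load=1 rec=1 csn=49679b20000000010000
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): replay_update: Sending modify operation (dn="uid=mreynolds,ou=people,dc=example,dc=com" csn=49679b20000000010000)
"""


def csns_in_log(text):
    """Every distinct CSN in the text (anchorcsn= and csn= alike), decoded, in order of first appearance."""
    found = {}
    for csn in re.findall(r"csn=([0-9a-f]{20})", text, flags=re.IGNORECASE):
        found.setdefault(csn.lower(), decode_csn(csn))
    return found


def replay_lag_seconds(anchor_csn, last_csn):
    """Seconds between the session anchor CSN and the newest CSN replayed in that session."""
    return decode_csn(last_csn)["timestamp"] - decode_csn(anchor_csn)["timestamp"]
```

Decoding 49679b20000000010000 gives 18:44:48 UTC on 9 January 2009, which is the 13:44:48 -0500 stamp on the line that replayed it; the anchor CSN is 813 seconds older, so that session replayed about 13 minutes of changes from replica ID 1.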
2.2. Accessing and Modifying Server Configuration

This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions on the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.

2.2.1. Access Control for Configuration Entries

When the Directory Server is installed, a default set of access control instructions (ACIs) is implemented for all entries under cn=config. The following code sample is an example of these default ACIs:

aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) groupdn="ldap:///ou=Directory Administrators,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "SIE Group"; allow (all) groupdn="ldap:///cn=slapd-phonebook,cn=Red Hat Directory Server,cn=Server Group,cn=phonebook.example.com,dc=example,dc=com,o=NetscapeRoot";)

These default ACIs allow all LDAP operati
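An added example, not from the Directory Server documentation: a small Python parser for the version 3.0 ACI syntax of the four default ACIs listed above, with a helper that reports which bind subjects are granted every right on every attribute of cn=config (the four defaults all are, which is the point of the section). The ACI strings are the page's defaults; the parser, its regular expression and its field names are this example's own and cover only the (targetattr=...)(version 3.0; acl "..."; allow|deny (...) userdn|groupdn="ldap:///..."; ) shape, not the full ACI grammar (no targetfilter, no multiple bind rules).

```python
"""
Added example, not code from Directory Server: parse the version 3.0 ACIs that the
default cn=config access control uses and flag the ones that grant every right on
every attribute. DEFAULT_ACIS are the four defaults quoted on this page; the parser
is a deliberate simplification of the ACI grammar (single bind rule, no targetfilter).
"""
import re

DEFAULT_ACIS = [
    '(targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) '
    'groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)',
    '(targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) '
    'userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)',
    '(targetattr="*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) '
    'groupdn="ldap:///ou=Directory Administrators,dc=example,dc=com";)',
    '(targetattr="*")(version 3.0; acl "SIE Group"; allow (all) '
    'groupdn="ldap:///cn=slapd-phonebook,cn=Red Hat Directory Server,cn=Server Group,'
    'cn=phonebook.example.com,dc=example,dc=com,o=NetscapeRoot";)',
]

ACI_RE = re.compile(
    r'\(targetattr\s*(?P<tattr_op>!?=)\s*"(?P<targetattr>[^"]*)"\)'
    r'\s*\(version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;'
    r'\s*(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)'
    r'\s*(?P<subject_type>userdn|groupdn)\s*=\s*"ldap:///(?P<subject>[^"]*)"\s*;\s*\)',
    re.IGNORECASE,
)


def parse_aci(aci):
    """Return the fields of one ACI as a dict; raise ValueError for shapes this parser does not handle."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError(f"unsupported ACI syntax: {aci!r}")
    fields = m.groupdict()
    fields["effect"] = fields["effect"].lower()
    fields["subject_type"] = fields["subject_type"].lower()
    fields["rights"] = [r.strip().lower() for r in fields["rights"].split(",") if r.strip()]
    return fields


def full_control_grants(acis):
    """(acl name, subject type, subject) for every ACI that allows all rights on all attributes."""
    grants = []
    for aci in acis:
        p = parse_aci(aci)
        if (p["effect"] == "allow" and "all" in p["rights"]
                and p["tattr_op"] == "=" and p["targetattr"] == "*"):
            grants.append((p["name"], p["subject_type"], p["subject"]))
    return grants
```

Run over the defaults, full_control_grants lists all four subjects; an ACI that only allows (read, search) is parsed but not listed, which is the distinction to look for when reviewing what has been added under cn=config since installation.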
...2index

Examples

Reindex cn and givenname in the database instance userRoot:

db2index -n userRoot -t cn -t givenname

Reindex cn in the database where the root suffix is dc=example,dc=com:

db2index -s "dc=example,dc=com" -t cn

Option                                           Description
-n backendInstance                               Gives the name of the instance to be reindexed.
-s includeSuffix                                 Gives the suffixes to be included, or the subtrees to be included if -n has been used.
-t attributeName[:indextypes[:matchingrules]]    Names the attributes to be reindexed. Optionally, this can include the index type (eq, pres, sub, approx) and a matching rule OID.
-T vlvAttributeName                              Gives the names of the VLV attributes to be reindexed. The name is the VLV index object's common name in cn=config.

Table 7.7. db2index Options

7.3.6. dbverify (Checks for Corrupt Databases)

Verifies the backend database files. If the server crashes because of a corrupted database, this command can be used to verify the integrity of the different database files to help isolate any problems.

IMPORTANT: Never run dbverify when a modify operation is in progress. This command calls the BerkeleyDB utility db_verify and does not perform any locking. This can lead to data corruption if the script is run at the same time as a modify. If that occurs, an entry is recorded in the error log:

DB ERROR: db_verify: Page 3527: out of order key at entry 42
DB ERROR
...39
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Apr/2009:11:39:55 -0700] conn=14 op=1 BIND dn="uid=jdoe,dc=example,dc=com" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2009:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"
[21/Apr/2009:11:39:55 -0700] conn=14 op=2 UNBIND
[21/Apr/2009:11:39:53 -0700] conn=14 op=2 fd=700 closed - U1

Example 5.1. Example Access Log

Connection Number

Every external LDAP request is listed with an incremental connection number, in this case conn=11, starting at conn=0 immediately after server startup.

[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139

Internal LDAP requests are not recorded in the access log by default. To activate the logging of internal access operations, specify access logging level 4 on the nsslapd-accesslog-level configuration attribute.

File Descriptor

Every connection from an external LDAP client to Directory Server requires a file descriptor, or socket descriptor, from the operating system, in this case fd=608. fd=608 indicates that file descriptor number 608, out of the total pool of available file descriptors, was used.

[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.1
...39

Slot Number

The slot number, in this case slot=608, is a legacy part of the access log which has the same meaning as the file descriptor. Ignore this part of the access log.

[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139

Operation Number

To process a given LDAP request, Directory Server performs the required series of operations. For a given connection, all operation request and operation result pairs are given incremental operation numbers, beginning with op=0, to identify the distinct operations being performed.

[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0

In Section 5.1.2, Default Access Logging Content, we have op=0 for the bind operation request and result pair, then op=1 for the LDAP search request and result pair, and so on. The entry op=-1 in the access log generally means that the LDAP request for this connection was not issued by an external LDAP client but was instead initiated internally.

Method Type

The method number, in this case method=128, indicates which LDAPv3 bind method was used by the client.

[21/Apr/2009:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 ve
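An added Python example, not code from Directory Server or its documentation, that parses the access-log records described in this section and in Example 5.1 and puts them to two uses: it lists op=-1 records, which the text above identifies as internally initiated operations, and it finds the longest etime of any RESULT on connections bound as a given DN, which is the measurement Section 2.3.8.21 (nsDS5ReplicaTimeout) says to take in the remote replica's access log before raising that timeout. The log lines are constructed in the style of Example 5.1; the replication manager DN, the MOD and SRCH lines and the function names are this example's own.

```python
"""
Added example, not code from Directory Server: parse access-log records of the form
[timestamp] conn=N [op=M] VERB key=value ... and use them to (a) list op=-1 internal
operations and (b) find the longest etime on connections bound as a given DN, the
measurement the nsDS5ReplicaTimeout section asks for. LINES are constructed in the
style of Example 5.1; the DNs and function names are this example's own.
"""
import re

RECORD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+(?:op=(?P<op>-?\d+)\s+)?(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (DNs, filters) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')

LINES = [
    '[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139',
    '[21/Apr/2009:11:39:51 -0700] conn=11 op=0 BIND dn="cn=replication manager,cn=config" method=128 version=3',
    '[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"',
    '[21/Apr/2009:11:39:52 -0700] conn=11 op=1 MOD dn="uid=mreynolds,ou=people,dc=example,dc=com"',
    '[21/Apr/2009:11:40:07 -0700] conn=11 op=1 RESULT err=0 tag=103 nentries=0 etime=15',
    '[21/Apr/2009:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5',
    '[21/Apr/2009:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress',
    '[21/Apr/2009:11:39:55 -0700] conn=14 op=1 BIND dn="uid=jdoe,dc=example,dc=com" method=sasl version=3 mech=DIGEST-MD5',
    '[21/Apr/2009:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"',
    '[21/Apr/2009:11:39:56 -0700] conn=14 op=2 UNBIND',
    '[21/Apr/2009:11:39:56 -0700] conn=14 op=2 fd=700 closed - U1',
    '[21/Apr/2009:11:40:00 -0700] conn=3 op=-1 SRCH base="cn=config" scope=0 filter="(objectclass=*)"',
]


def parse_record(line):
    """Return a dict for one access-log line, or None if it is not a conn= record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "conn": int(m["conn"]),
           "op": int(m["op"]) if m["op"] is not None else None}
    rest = m["rest"]
    verb = rest.split(" ", 1)[0]
    rec["verb"] = verb if verb.isupper() else None  # BIND, RESULT, UNBIND, SRCH, MOD, ...
    for key, value in KV_RE.findall(rest):
        rec[key] = value.strip('"')
    return rec


def bind_dn_of_connections(records):
    """Map conn number to the DN that successfully bound on it (BIND followed by RESULT err=0)."""
    pending, bound = {}, {}
    for r in records:
        key = (r["conn"], r["op"])
        if r["verb"] == "BIND":
            pending[key] = r.get("dn", "")
        elif r["verb"] == "RESULT" and r.get("err") == "0" and key in pending:
            bound[r["conn"]] = pending.pop(key)
    return bound


def max_etime_for_dn(lines, dn):
    """Longest etime (seconds) of any RESULT on connections bound as dn; None if there are none."""
    records = [r for r in (parse_record(l) for l in lines) if r]
    conns = {c for c, d in bind_dn_of_connections(records).items() if d == dn}
    etimes = [int(r["etime"]) for r in records
              if r["verb"] == "RESULT" and r["conn"] in conns and "etime" in r]
    return max(etimes) if etimes else None


def internal_ops(lines):
    """Records with op=-1: operations the server initiated itself rather than a client."""
    return [r for r in (parse_record(l) for l in lines) if r and r["op"] == -1]
```

For the constructed lines, the replication manager's longest operation took 15 seconds, so the supplier's nsDS5ReplicaTimeout would need to stay comfortably above that; the SASL bind on conn=14 is attributed to uid=jdoe only once its second stage returns err=0.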
...44, nsslapd-errorlog-level (Error Log Level).
-D configDir                                     Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
-n backendInstance                               Specifies the name of the backend containing the entries to index.
-t attributeName[:indextypes[:matchingrules]]    Specifies the attribute to be indexed, as well as the types of indexes to create and the matching rules to apply, if any. If a matching rule is specified, an index type must be specified. This option cannot be used with -T. indexTypes specifies a comma-separated list of indexes to be created for the attributes. matchingRules is an optional comma-separated list of the OIDs for the languages in which the attribute will be indexed; this is used to create international indexes. For information on supported locales and collation order OIDs, see the Internationalization appendix in the Directory Server Administrator's Guide.
-T vlvTag                                        Specifies the VLV tag to use to create VLV indexes. The Console can be used to specify VLV tags for each database supporting the directory tree, as described in the Directory Server Administrator's Guide. Additional VLV tags can be defined by creating them in LDIF and adding them to the Directory Server configuration. This option cannot be used with -t.

Table A.5. db2index Options
...nsUniqueId.db4
uniquemember.db4
ancestorid.db4
numsubordinates.db4
cn.db4
objectclass.db4

Example 4.2. NetscapeRoot Database Directory Contents

The NetscapeRoot subdirectories contain an index_name.db4 file for every index currently defined in the database. In addition to these files, the NetscapeRoot and userRoot subdirectories contain the following files:

- ancestorid.db4: Contains a list of IDs to find the ID of the entry's ancestor.
- entrydn.db4: Contains a list of full DNs to find any ID.
- id2entry.db4: Contains the actual directory database entries. All other database files can be recreated from this one, if necessary.
- nsuniqueid.db4: Contains a list of unique IDs to find any ID.
- numsubordinates.db4: Contains IDs that have child entries.
- objectclass.db4: Contains a list of IDs which have a particular object class.
- parentid.db4: Contains a list of IDs to find the ID of the parent.

4.5. LDIF Files

Sample LDIF files are stored in the /var/lib/dirsrv/slapd-instance_name/ldif directory, which is used for storing LDIF-related files. Example 4.3, LDIF Directory Contents, lists the ldif directory contents.

European.ldif
Example.ldif
Example-roles.ldif
Example-views.ldif

Example 4.3. LDIF Directory Contents

- European.ldif: Contains European character samples.
- Example.ldif: Is a sample LDIF file.
- Example-roles.ldif: Is a sam
...7.3.12, pwdhash (Prints Encrypted Passwords)
- Section 7.3.11, repl-monitor (Monitors Replication Status)
- Section 7.3.13, restart-slapd (Restarts the Directory Server)
- Section 7.3.14, restoreconfig (Restores Administration Server Configuration)
- Section 7.3.15, saveconfig (Saves Administration Server Configuration)
- Section 7.3.16, start-slapd (Starts the Directory Server)
- Section 7.3.17, stop-slapd (Stops the Directory Server)
- Section 7.3.18, suffix2instance (Maps a Suffix to a Backend Name)
- Section 7.3.19, vlvindex (Creates Virtual List View Indexes)

Some of the shell scripts can be executed while the server is running; for others, the server must be stopped. The description of each script below indicates whether the server must be stopped or can continue to run while the script executes. When a shell script has a Perl equivalent, there is a cross-reference to the section describing the equivalent Perl script.

7.3.1. bak2db (Restores a Database from Backup)

Restores the database from the most recent archived backup. To run this script, the server must be stopped.

Syntax

bak2db backupDirectory [-n backend]

Option               Description
backupDirectory      Gives the backup directory path.
-n backendInstance   Optional. Specifies the backend name, such as userRoot, which is being restored. This option is only used for filesystem replica initialization or
...9c3-a58714648

2.3.7.4. nsDS5ReplicaAutoReferral

This attribute sets whether the Directory Server follows configured referrals for the database.

Parameter        Description
Entry DN         cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values     on | off
Default Value
Syntax           DirectoryString
Example          nsDS5ReplicaAutoReferral: on

2.3.7.5. nsDS5ReplicaBindDN

This multi-valued attribute specifies the DN to use when binding. Although there can be more than one value in this cn=replica entry, there can only be one supplier bind DN per replication agreement. Each value should be the DN of a local entry on the consumer server. If replication suppliers use client certificate-based authentication to connect to the consumers, configure the certificate mapping on the consumer to map the subjectDN in the certificate to a local entry.

Parameter        Description
Entry DN         cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values     Any valid DN
Default Value
Syntax           DirectoryString
Example          nsDS5ReplicaBindDN: cn=replication manager,cn=config

2.3.7.6. nsDS5ReplicaChangeCount

This read-only attribute shows the total number of entries in the changelog and whether they still remain to be replicated. When the changelog is purged, only the entries that are still to be replicated remain. See Section 2.3.7.
LDAP: Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.

LDAP client: Software used to request and view LDAP entries from an LDAP Directory Server. See also browser.

LDAP Data Interchange Format: See LDIF.

LDAP URL: Provides the means of locating Directory Servers using DNS and then completing the query via LDAP. A sample LDAP URL is ldap://ldap.example.com.

LDAPv3: Version 3 of the LDAP protocol, upon which Directory Server bases its schema format.

LDBM database: A high-performance, disk-based database consisting of a set of large files that contain all of the data assigned to it. The primary data store in Directory Server.

LDIF: LDAP Data Interchange Format. Format used to represent Directory Server entries in text form.

leaf entry: An entry under which there are no other entries. A leaf entry cannot be a branch point in a directory tree.

Lightweight Directory Access Protocol: See LDAP.

locale: Identifies the collation order, character type, monetary format, and time/date format used to present data for users of a specific region, culture, and/or custom. This includes information on how data of a given language is interpreted, stored, or collated. The locale also indicates which code page should be used to represent a given language.

M

managed object: A standard value which the SNMP agent can access and send t
...-D rootdn {-w password | -w - | -j filename} -a backupDirectory [-t databaseType] [-n backend]

Options

The script bak2db.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option.

Option               Description
-a backupDirectory   The directory of the backup files.
-D rootdn            Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-rootdn attribute under cn=config.
-j filename          The name of the file containing the password.
-n backendInstance   Specifies the backend name, such as userRoot, which is being restored. This option is only used for filesystem replica initialization or to restore a single database; it is not necessary to use the -n option to restore the entire directory.
-t databaseType      The database type. The only possible database type is ldbm.
-v                   Verbose mode.
-w password          The password associated with the user DN. A password given this way appears in the process argument list while the script runs; prefer -j filename or -w - on shared hosts.
-w -                 Prompts for the password associated with the user DN.

Table 7.18. bak2db.pl Options

7.4.2. cl-dump.pl (Dumps and Decodes the Changelog)

Troubleshoots replication-related problems.

NOTE: cl-dump.pl is in the /usr/bin directory.

Syntax

cl-dump.pl [-h host] [-p port] [-D bindDN] {-w bindPassword | -P bindCert} [-r replicaRo
...Hat Directory Server Configuration, Command, and File Reference provides reference information on the command-line scripts, configuration attributes, and log files shipped with Directory Server.

Red Hat Directory Server Installation Guide contains procedures for installing your Directory Server, as well as procedures for migrating from a previous installation of Directory Server.

Red Hat Directory Server Schema Reference provides reference information about the Directory Server schema.

Red Hat Directory Server Plug-in Programmer's Guide describes how to write server plug-ins in order to customize and extend the capabilities of Directory Server.

Using Red Hat Console gives an overview of the primary user interface and how it interacts with the Directory Server and Administration Server, as well as how to perform basic management tasks through the main Console window.

Using the Admin Server describes the different tasks and tools associated with the Administration Server and how to use the Administration Server with the Configuration and User Directory Server instances.

For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, see the Red Hat Directory Server documentation site at http://www.redhat.com/docs/manuals/dir-server/.

4. Giving Feedback

If there is any error in this Configuration, Command
145. (entry title garbled) 144
3.1.3 ACL Preoperation Plug-in 144
3.1.4 Attribute Uniqueness Plug-in 145
3.1.5 Binary Syntax Plug-in 145
3.1.6 Boolean Syntax Plug-in 146
3.1.7 Case Exact String Syntax Plug-in 146
3.1.8 Case Ignore String Syntax Plug-in 147
3.1.9 Chaining Database Plug-in 147
3.1.10 Class of Service Plug-in 147
3.1.11 Country String Syntax Plug-in 148
3.1.12 Distinguished Name Syntax Plug-in 148
3.1.13 Distributed Numeric Assignment Plug-in 149
3.1.14 Generalized Time Syntax Plug-in 149
3.1.15 HTTP Client Plug-in 150
3.1.16 Integer Syntax Plug-in 150
3.1.17
146. IF. This file is stored by default in the directory where the command-line utility resides.

Option: Description
-d debugLevel: Specifies the debug level to use during the db2ldif runtime. For further information, refer to Section 2.3.1.44, nsslapd-errorlog-level (Error Log Level).
-D configDir: Specifies the location of the server configuration directory that contains the configuration information for the export process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
-E: Decrypts an encrypted database during export. This option is used only if database encryption is enabled.
-m: Sets minimal base-64 encoding.
-M: Uses several files to store the output LDIF, with each instance stored in instance.filename, where filename is the filename specified in option -a.
-n backendInstance: Specifies the name of the backend instance to be exported.
-N: Specifies that entry IDs are not to be included in the LDIF output. The entry IDs are necessary only if the db2ldif output is to be used as input to db2index.
-r: Exports replication state information. The server must be shut down before exporting using this option.
-s includeSuffix: Specifies the suffix or suffixes to include in the export. There can be multiple -s arguments.
-u: Specifies that the unique ID will not be included in the LDIF output. By def
147. ING: This attribute should never be turned off. If nsslapd-lastmod is set to off, then generating nsUniqueIDs is also disabled, replication does not work, and other issues may arise. If for some reason this attribute were set to off, the solution is to export the database to LDIF (db2ldif or db2ldif.pl, or from the console), set the value to on, and import the data. The import process assigns each entry a unique ID.

2.3.1.64 nsslapd-ldapiautobind (Enable Autobind)
The nsslapd-ldapiautobind attribute sets whether the server will allow users to autobind to Directory Server using LDAPI. Autobind maps the UID or GUID number of a system user to a Directory Server user and automatically authenticates the user to Directory Server based on those credentials. The Directory Server connection occurs over a UNIX socket. Along with enabling autobind, configuring autobind requires configuring mapping entries. The nsslapd-ldapimaprootdn attribute maps a root user on the system to the Directory Manager. The nsslapd-ldapimaptoentries attribute maps regular users to Directory Server users based on the parameters defined in the nsslapd-ldapiuidnumbertype, nsslapd-ldapigidnumbertype, and nsslapd-ldapientrysearchbase attributes. Autobind can only be enabled if LDAPI is enabled, meaning nsslapd-ldapilisten is on and the nsslapd-ldapifilepath attribute is set to an LDAPI socket.
Parameter: Description
Entry DN: cn=config
Valid Values: 0 ol
148. Internationalization Plug-in 150
3.1.18 JPEG Syntax Plug-in 151
3.1.19 ldbm Database Plug-in 151
3.1.20 Legacy Replication Plug-in 152
3.1.21 MemberOf Plug-in 152
3.1.22 Multi-master Replication Plug-in 153
3.1.23 Octet String Syntax Plug-in 153
3.1.24 OID Syntax Plug-in 153
3.1.25 Password Storage Schemes 154
3.1.26 Postal Address String Syntax Plug-in 155
3.1.27 PTA Plug-in 156
3.1.28 Referential Integrity Postoperation Plug-in 156
3.1.29 Retro Changelog Plug-in 157
3.1.30 Roles Plug-in 158
3.1.31 Schema Reload Plug-in 158
3.1.32 Spa
149. (entry title garbled) 79
2.3.8 Replication Attributes under cn=ReplicationAgreementName,cn=replica,cn=suffixName,cn=mapping tree,cn=config 85
2.3.9 Synchronization Attributes under cn=syncAgreementName,cn=WindowsReplica,cn=suffixName,cn=mapping tree,cn=config 94
2.3.10 cn=monitor 97
2.3.11 cn=replication 99
2.3.12 (entry title garbled) 99
2.3.13 cn=SNMP 100
2.3.14 SNMP Statistic Attributes 102
2.3.15 cn=tasks 104
2.3.16 cn=uniqueid generator 120
2.4 Configuration Object Classes 120
2.4.1 changeLogEntry Object Class 120
2.4.2 directoryServerFeature Object Class 121
2.4.3 nsBackendInstance Object Class 122
2.4.4 nsChangelog4Config Object Class 122
2.4.5 nsConta
150. MinAge: 150

2.3.1.130 passwordMinAlphas (Password Syntax)
This attribute sets the minimum number of alphabetic characters a password must contain.
Entry DN: cn=config
Valid Range: 0 to 64
Default Value: 0
Syntax: Integer
Example: passwordMinAlphas: 4

2.3.1.131 passwordMinCategories (Password Syntax)
This sets the minimum number of character categories that are represented in the password. The categories are lower, upper, digit, special, and 8-bit. For example, if the value of this attribute were set to 2 and the user tried to change the password to aaaaa, the server would reject the password because it contains only lower-case characters and therefore contains characters from only one category. A password of aAaAaA would pass because it contains characters from two categories, uppercase and lowercase. The default is 3, which means that if password syntax checking is enabled, valid passwords have to have three categories of characters.
Parameter: Description
Entry DN: cn=config
Valid Range:
Default Value: 0
Syntax: Integer
Example: passwordMinCategories: 2

2.3.1.132 passwordMinDigits (Password Syntax)
This sets the minimum number of digits a password must contain.
Parameter: Description
Entry DN: cn=config
Valid Range: 0 to 64
Default Value: 0
Syntax: Integer
151. Multi-valued
Defined in: Directory Server

2.5.2.18 replicaBindMethod
This attribute sets the method for the server to use to bind to the consumer server.
OID: 2.16.840.1.113730.3.1.53
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server

2.5.2.19 replicaCFUpdated
This attribute stores the status of the copiedFrom attribute on an entry.
OID: 2.16.840.1.113730.3.1.217
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server

2.5.2.20 replicaCredentials
This attribute contains the password associated with the replica bind DN.
OID: 2.16.840.1.113730.3.1.202
Syntax: Binary
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server

2.5.2.21 replicaEntryFilter
This attribute contains an LDAP filter to use to identify the entries to be replicated.
OID: 2.16.840.1.113730.3.1.203
Syntax: IA5String
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server

2.5.2.22 replicaHost
This attribute contains the hostname of the replica server.
OID: 2.16.840.1.113730.3.1.197
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
Defined in: Directory Server

2.5.2.23 replicaLastRelevantChange
This attribute stores the last relevant change in an entry. Def
152. OldRdn 74
newRdn 74
newSuperior 74
targetDn 74
special object classes: changeLogEntry 120; nsDS5Replica 123; nsDS5ReplicationAgreement 124; nsDSWindowsReplicationAgreement 126
start-slapd command-line shell script 292; quick reference 277
startTime attribute 98
statistics from access logs 302
stop-slapd command-line shell script 293; quick reference 277
suffix and replication configuration entries: cn=mapping tree 78
suffix configuration attributes: nsslapd-backend 79; nsslapd-state 78; object classes 78
suffix2instance command-line shell script 293; quick reference 277
synchronization agreement attributes: nsds7DirectoryReplicaSubtree 95; nsds7DirsyncCookie 95; nsds7NewWinGroupSyncEnabled 95; nsds7NewWinUserSyncEnabled 95; nsds7WindowsDomain 96; nsds7WindowsReplicaSubtree 96; winSyncInterval 96
T
targetDn 74
totalConnections attribute 98
trailing spaces in object class names 52
ttl 107
U
uniqueid generator configuration attributes: nsState 120
uniqueid generator configuration entries: cn=uniqueid generator 120
V
verify-db.pl command-line perl script 321; quick reference 277, 278
vlvBase attribute 182
vlvEnabled attribute 182
vlvFilter attribute 183
vlvindex command-line shell script 294; quick reference 277
vlvScope attribute 184
vlvSort attribute 185
vlvUses attribute 185
W
winSyncInterval 96
153. PORTANT: Never run verify-db.pl when a modify operation is in progress. This command calls the BerkeleyDB utility db_verify and does not perform any locking. This can lead to data corruption if the script is run at the same time as a modify. If that occurs, an entry will be recorded in the error log:

DB ERROR: db_verify: Page 3527: out of order key at entry 42
DB ERROR: db_verify: DB->verify: db/mstest2/uid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file uid.db4 in db/mstest2 is corrupted.
Please run db2index.pl for reindexing.

Run db2index -t uid to avoid rebuilding all of the indexes, or export and reimport all of the databases using db2ldif and ldif2db.

Syntax: verify-db.pl -a /path/to/database_directory

Option: Description
-a path: Gives the path to the database directory. If this option is not passed with the verify-db.pl command, then it uses the default database directory, /var/lib/dirsrv/slapd-instance_name/db.
-h: Opens the help page.
Table 7.34. verify-db.pl Options

Appendix A. Using the ns-slapd Command-Line Utilities
Chapter 7, Command-Line Scripts, discussed the scripts for performing routine administration tasks on the Red Hat Directory Server (Directory Server). This appendix discusses the ns-slapd command-line utilities that can be used to perform the same tasks. The ns-slapd command-l
154. Parameter: Description

2.3.1.141 passwordRetryCount
This attribute counts the number of consecutive failed attempts at entering the correct password. This is an operational attribute, meaning its value is managed by the server and the attribute is not returned in default searches.
Parameter: Description
Entry DN: cn=config
Valid Range: 0 to the maximum 32-bit integer value (2147483647)
Default Value: 0
Syntax: Integer
Example: passwordRetryCount: 3

2.3.1.142 passwordStorageScheme (Password Storage Scheme)
This attribute sets the type of encryption used to store Directory Server passwords. The following encryption types are supported by the Directory Server:
CLEAR means the password is stored in cleartext with no hashing or encryption. This scheme must be used in order to use SASL DIGEST-MD5.
SSHA (Salted Secure Hash Algorithm), the default, is the recommended method because it is the most secure. There are several bit sizes available: 160 bits (the default), 256, 384, and 512.
SHA (Secure Hash Algorithm) is included only for backward compatibility with 4.x Directory Servers; do not use this algorithm.
MD5 (Message Digest algorithm 5) is a commonly used standard hashing algorithm.
CRYPT, the UNIX crypt algorithm, is provided for compatibility with UNIX passwords.
NOTE: Passwords cannot be encrypted using the NS-MTA-MD5 password storage scheme. The storage scheme is still present, but only for reasons of ba
155. Plug-in Parameter: Description
Plug-in Name: Chaining Database
DN of Configuration Entry: cn=Chaining database,cn=plugins,cn=config
Description: Enables backend databases to be linked.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: There are many performance-related tuning parameters involved with the chaining database. See the Maintaining Database Links section in the Directory Server Administrator's Guide.
Further Information: A chaining database is also known as a database link. Database links are described in the Configuring Directory Databases chapter in the Directory Server Administrator's Guide.

3.1.10 Class of Service Plug-in
Plug-in Parameter: Description
Plug-in Name: Class of Service
DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config
Description: Allows for sharing of attributes between entries.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information: See the Advanced Entry Management chapter in the Directory Server Administrator's Guide.

3.1.11 Country
156. Range: 1 to 65535
Default Value: 636
Syntax: Integer
Example: nsslapd-securePort: 636

2.3.1.102 nsslapd-security (Security)
This attribute sets whether the Directory Server is to accept SSL/TLS communications on its encrypted port. This attribute should be set to on for secure connections. To run with security on, the server must be configured with a private key and server certificate in addition to the other SSL/TLS configuration.
Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-security: off

2.3.1.103 nsslapd-sizelimit (Size Limit)
This attribute sets the maximum number of entries to return from a search operation. If this limit is reached, ns-slapd returns any entries it has located that match the search request, as well as an exceeded size limit error. When no limit is set, ns-slapd returns every matching entry to the client regardless of the number found. To set a no-limit value, whereby the Directory Server waits indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file. This limit applies to everyone, regardless of their organization.
NOTE: A value of -1 on this attribute in the dse.ldif file is the same as leaving the attribute blank in the server console, in that it causes no limit to be used. This cannot have a null value in the dse.ldif file, as it is not a valid integer. It is possible to set it to 0
157. Red Hat Directory Server 8.1 Configuration and Command Reference
Ella Deon Lackey
Publication date: April 28, 2009; updated on February 11, 2010
Edition 8.1.10
Author: Ella Deon Lackey
Copyright 2009 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution-Share Alike 3.0 Unported license (CC-BY-SA). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux is the registered trademark of Linus Torvalds in the United States and other countries. Java is a registered trademark of Oracle and/or its affiliates. XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL is a registered trademark of MySQL AB in the Uni
158. ReplicationAgreementName entry is an instance of the nsDS5ReplicationAgreement object class. Replication agreements are configured only on supplier replicas.

2.3.8.1 cn
This attribute is used for naming. Once this attribute has been set, it cannot be modified. This attribute is required for setting up a replication agreement.
Parameter: Description
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: Any valid cn
Default Value:
Syntax: DirectoryString
Example: cn: MasterAtoMasterB

2.3.8.2 description
Free-form text description of the replication agreement. This attribute can be modified.
Parameter: Description
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: Any string
Default Value:
Syntax: DirectoryString
Example: description: Replication Agreement between Server A and Server B

2.3.8.3 nsDS5ReplicaBindDN
This attribute sets the DN to use when binding to the consumer during replication. The value of this attribute must be the same as the one in cn=replica on the consumer replica. This may be empty if certificate-based authentication is used, in which case the DN used is the subject DN of the certificate, and the consumer must have appropriate client certificate mapping enabled. This can also be modified.
Parameter: Ent
159. S5ReplicaLastUpdateStatus: 0 Total update succeeded

2.3.8.12 nsDS5ReplicaLastUpdateEnd
This read-only attribute states when the most recent replication schedule update ended.
Parameter: Description
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with a 24-hour clock. The Z at the end indicates that the time is relative to Greenwich Mean Time.
Default Value:
Syntax: GeneralizedTime
Example: nsDS5ReplicaLastUpdateEnd: 20090502175801Z

2.3.8.13 nsDS5ReplicaLastUpdateStart
This read-only attribute states when the most recent replication schedule update started.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with a 24-hour clock. The Z at the end indicates that the time is relative to Greenwich Mean Time.
Default Value:
Syntax: GeneralizedTime
Example: nsDS5ReplicaLastUpdateStart: 20090504122055Z

2.3.8.14 nsDS5ReplicaLastUpdateStatus
This read-only attribute provides the status
160. SMMReplicationPlugin - agmt="cn=example2" (alt:13864): replicageneration 4949df6e000000010000

replicageneration means that the new information is being sent, and 4949df6e000000010000 is the change sequence number of the entry being replicated. Example 5.4, Replication Error Log Entry, shows the complete process of sending a single entry to a consumer, from adding the entry to the changelog to releasing the consumer after replication is complete.

[09/Jan/2009:13:44:48 -0500] - _csngen_adjust_local_time: gen state before 496799220001:1231526178:0:0
[09/Jan/2009:13:44:48 -0500] - _csngen_adjust_local_time: gen state after 49679b200000:1231526688:0:0
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 49679b20000000010000 into pending list
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - Purged state information from entry uid=mreynolds,ou=People,dc=example,dc=com up to CSN 495e5d73000000010000
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 49679b20000000010000
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): State: wait_for_changes -> wait_for_changes
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): State: wait_for_changes -> ready_to_acquire_replica
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): Trying non-s
161. (attribute name cut off): States whether an update is in progress.
...Schedule: Specifies the synchronization schedule.
nsds50ruv: Manages the internal state of the Directory Server sync peer using the replication update vector (RUV).
nsds7DirectoryReplicaSubtree: Specifies the Directory Server suffix (root or sub) that is synced.
nsds7DirsyncCookie: Contains a cookie set by the sync service that functions as an RUV.
nsds7NewWinGroupSyncEnabled: Specifies whether new Windows group accounts are automatically created on the Directory Server.
nsds7NewWinUserSyncEnabled: Specifies whether new Windows user accounts are automatically created on the Directory Server.
nsds7WindowsDomain: Identifies the Windows domain being synchronized; analogous to nsDS5ReplicaHost in a replication agreement.
nsds7WindowsReplicaSubtree: Specifies the Windows server suffix (root or sub) that is synced.
nsruvReplicaLastModified: Contains the most recent time that an entry in the Directory Server sync peer was modified and the changelog was updated.
winSyncInterval: Sets how frequently, in seconds, the Directory Server polls the Windows server for updates to write over. If this is not set, the default is 300, which is 300 seconds or five (5) minutes.

2.4.9 nsMappingTree Object Class
A mapping tree maps a suffix to the backend. Each mapping tree entry uses the nsMappingTree objec
162. String Syntax Plug-in
Plug-in Parameter: Description
Plug-in Name: Country String Syntax Plug-in
DN of Configuration Entry: cn=Country String Syntax,cn=plugins,cn=config
Description: Syntax for handling countries.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

3.1.12 Distinguished Name Syntax Plug-in
Plug-in Parameter: Description
Plug-in Name: Distinguished Name Syntax
DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config
Description: Syntax for handling DNs.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

3.1.13 Distributed Numeric Assignment Plug-in
Plug-in Information: Description
Plug-in Name: Distributed Numeric Assignment (DNA)
Configuration Entry DN: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Description: Distributed Numeric Assignment plugin
163. The Directory Server is a robust, scalable server designed to manage large-scale directories to support an enterprise-wide directory of users and resources, extranets, and e-commerce applications over the Internet. The Directory Server runs as the ns-slapd process or service on the machine. The server manages the directory databases and responds to client requests. This reference deals with the other methods of managing the Directory Server: by altering the server configuration attributes using the command line and using command-line utilities and scripts.

1.1 Directory Server Configuration
The format and method for storing configuration information for Directory Server, and a listing for all server attributes, are found in two chapters: Chapter 2, Core Server Configuration Reference, and Chapter 3, Plug-in Implemented Server Functionality Reference.

1.2 Directory Server Instance File Reference
Chapter 4, Server Instance File Reference, has an overview of the files and configuration information stored in each instance of Directory Server. This is a useful reference to help administrators understand the changes, or absence of changes, in the course of directory activity. From a security standpoint, this also helps users detect errors and intrusion by highlighting normal changes and abnormal behavior.

1.3 Using Directory Server Command-Line Utilities
Directory Server comes with a set of configurable command-line utilities that can search and modify ent
164. VLV indexes, see the indexing chapter in the Administrator's Guide.
NOTE: This attribute is only available to user databases (like userRoot), not configuration databases (like o=NetscapeRoot).
Parameter: Description
Entry DN: cn=index_name,cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
Valid Values: Any Directory Server attributes in a space-separated list
Default Value:
Syntax: DirectoryString
Example: vlvSort: cn givenname o ou sn

3.4.3.14 vlvUses
This attribute contains the count for the browsing or virtual list view (VLV) index. For more information on VLV indexes, see the indexing chapter in the Administrator's Guide.
NOTE: This attribute is only available to user databases (like userRoot), not configuration databases (like o=NetscapeRoot).
Parameter: Description
Entry DN: cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
Valid Values: N/A
Default Value:
Syntax: DirectoryString
Example: vlvUses: 800

3.4.4 Database Attributes under cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config
The attributes in this tree node entry are all read-only database performance counters. All of the values for these attributes are 32-bit integers, except for entrycachehits and entrycachetries. If the nsslapd-counters attribute in cn=config is set to on, then some of the counters kept b
165. ace 15
nsslapd-accesslog-logrotationsync-enabled 15
nsslapd-accesslog-logrotationsynchour 15
nsslapd-accesslog-logrotationsyncmin 16
nsslapd-accesslog-logrotationtime 16
nsslapd-accesslog-maxlogsize 17
nsslapd-accesslog-maxlogsperdir 17
nsslapd-accesslog-mode 18
nsslapd-allow-unauthenticated-binds 18
nsslapd-attribute-name-exceptions 19
nsslapd-auditlog-list 20
nsslapd-auditlog-logexpirationtime 20
nsslapd-auditlog-logexpirationtimeunit 21
nsslapd-auditlog-logging-enabled 21
nsslapd-auditlog-logmaxsdiskspace 22
nsslapd-auditlog-logminfreediskspace 22
nsslapd-auditlog-logrotationsync-enabled 22
nsslapd-auditlog-logrotationsynchour 23
nsslapd-auditlog-logrotationsyncmin 23
nsslapd-auditlog-logrotationtime 23
nsslapd-auditlog-logrotationtimeunit 24
nsslapd-auditlog-maxlogsize 24
nsslapd-auditlog-maxlogsperdir 25
nsslapd-auditlog-mode 25
nsslapd-backend 79
nsslapd-certmap-basedn 26
nsslapd-changelogdir 71
nsslapd-changelogmaxage 72
nsslapd-changelogmaxentries 72
nsslapd-config 27
nsslapd-conntablesize 27
nsslapd-counters 27
nsslapd-csnlogging 28
nsslapd-ds4-compatible-schema 28
nsslapd-errorlog 29
nsslapd-errorlog-level 30
nsslapd-errorlog-list 31
nsslapd-errorlog-logexpirationtime 31
nsslapd-errorlog-logexpirationtimeunit 31
nsslapd-errorlog-logging-enabled 32
nsslapd-errorlog-logmaxdiskspace 32
nsslapd-errorlog-logminfreediskspace 32
nsslapd-errorlog-logrotationsync-enabled 33
nsslapd-errorl
166. ain internal access operation entry access and referral logging.
Default Value: 256
Syntax: Integer
Example: nsslapd-accesslog-level: 256

2.3.1.3 nsslapd-accesslog-list (List of Access Log Files)
This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation.
Parameter: Description
Entry DN: cn=config
Valid Values:
Default Value: None
Syntax: DirectoryString
Example: nsslapd-accesslog-list: accesslog2,accesslog3

2.3.1.4 nsslapd-accesslog-logbuffering (Log Buffering)
When set to off, the server writes all access log entries directly to disk. Buffering allows the server to use access logging even when under a heavy load without impacting performance. However, when debugging, it is sometimes useful to disable buffering in order to see the operations and their results right away, instead of having to wait for the log entries to be flushed to the file. Disabling log buffering can severely impact performance in heavily loaded servers.
Parameter: Description
Entry DN: cn=config
Default Value: on
Example: nsslapd-accesslog-logbuffering: off

2.3.1.5 nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
This attribute specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexp
167. alue on this attribute if all of the following are true: The server is replicating to a large number of consumer servers (more than 10) and/or the server is maintaining a large number of index files (more than 30). The server is servicing a large number of LDAP connections. There are error messages reporting that the server is unable to open file descriptors (the actual error message differs depending on the operation that the server is attempting to perform), but these error messages are not related to managing client LDAP connections. Increasing the value on this attribute may result in more LDAP clients being unable to access the directory. Therefore, if the value on this attribute is increased, also increase the value on the nsslapd-maxdescriptors attribute. It may not be possible to increase the nsslapd-maxdescriptors value if the server is already using the maximum number of file descriptors that the operating system allows a process to use; see the operating system documentation for details. If this is the case, then reduce the load on the server by causing LDAP clients to search alternative directory replicas. See Section 2.3.1.38, nsslapd-conntablesize, for information about file descriptor usage for incoming connections. To assist in computing the number of file descriptors set for this attribute, use the following formula:

nsslapd-reservedescriptor = 20 + (NldbmBackends * 4) + NglobalIndex + ReplicationDescriptor + ChainingBac
168. anaging Users and Passwords chapter in the Directory Server Administrator's Guide.
Parameter: Description
Entry DN: cn=config
Valid Values: on | off
Default Value:
Syntax: DirectoryString
Example: passwordExp: on

2.3.1.115 passwordExpirationTime
This attribute specifies the length of time that passes before the user's password expires.
Parameter: Description
Entry DN: cn=config
Valid Values: Any date in integers
Default Value: none
Syntax: GeneralizedTime
Example: passwordExpirationTime: 200909011953

2.3.1.116 passwordExpWarned
This attribute is used to indicate that a password expiration warning has been sent to the user.
Parameter: Description
Entry DN: cn=config
Valid Values: true | false
Default Value: none
Syntax: DirectoryString
Example: passwordExpWarned: true

2.3.1.117 passwordGraceLimit (Password Expiration)
This attribute is only applicable if password expiration is enabled. After the user's password has expired, the server allows the user to connect for the purpose of changing the password. This is called a grace login. The server allows only a certain number of attempts before completely locking out the user. This attribute is the number of grace logins allowed. A value of means the server does not allow grace logins.
Parameter: Description
Entry DN: cn=config
Vali
169. ance_name. Changes to this value will not take effect until the server is restarted. Entry DN: cn=config; Valid Values: Absolute path to any directory which is owned by the server user ID and only allows read and write access to the server user ID; Default Value: /etc/dirsrv/slapd-instance_name; Syntax: DirectoryString; Example: /etc/dirsrv/slapd-phonebook. 2.3.1.36 nsslapd-certmap-basedn (Certificate Map Search Base). This attribute can be used when client authentication is performed using SSL certificates, in order to avoid limitations of the security subsystem certificate mapping configured in the certmap.conf file. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree search based at the root DN. If the search is based at the root DN, then the nsslapd-certmap-basedn attribute may force the search to be based at some entry other than the root. The valid value for this attribute is the DN of the suffix or subtree to use for certificate mapping. For further information on configuring for SSL, see the Managing SSL chapter in the Directory Server Administrator's Guide. 2.3.1.37 nsslapd-config. This read-only attribute is the config DN. Entry DN: cn=config; Valid Values: Any valid configuration DN; Default Value: (none listed); Syntax: DirectoryString; Example: nsslapd-config: cn=config. 2.3.1.38 n
170. apd-instance_name directory. The configuration files in this directory are explained in Section 2.1, Overview of the Directory Server Configuration. 4.4 Database Files. Each Directory Server instance contains the /var/lib/dirsrv/slapd-instance_name/db directory for storing all of the database files. The following is a sample listing of the /var/lib/dirsrv/slapd-instance_name/db directory contents: __db.001, __db.002, __db.003, __db.004, __db.005, DBVERSION, log.0000000007, NetscapeRoot, userRoot (Example 4.1, Database Directory Contents). __db.00x files: used internally by the database and should not be moved, deleted, or modified in any way. log.xxxxxxxxxx files: used to store the transaction logs per database. DBVERSION: used for storing the version of the database. NetscapeRoot: stores the o=NetscapeRoot database created by default when the setup-ds-admin.pl script is run. userRoot: stores the user-defined suffix (user-defined databases created at setup), for example dc=example,dc=com. NOTE: If a new database is created (for example, testRoot) to store the directory tree under a new suffix, the directory named testRoot also appears in the /var/lib/dirsrv/slapd-instance_name/db directory. The following is a sample listing of the NetscapeRoot directory contents: entrydn.db4, parentid.db4, givenName.db4, sn.db4, DBVERSION, id2entry.db4, uid.db4, aci.db
171. apd-pluginEnabled. This attribute specifies whether the plug-in is enabled. This attribute can be changed over protocol but will only take effect when the server is next restarted. Entry DN: cn=plug-in name,cn=plugins,cn=config; Valid Values: on | off; Default Value: (none listed); Syntax: DirectoryString. 3.2.6 nsslapd-pluginId. This attribute specifies the plug-in ID. Entry DN: cn=plug-in name,cn=plugins,cn=config; Valid Values: Any valid plug-in ID; Default Value: None; Syntax: DirectoryString; Example: nsslapd-pluginId: chaining database. 3.2.7 nsslapd-pluginVersion. This attribute specifies the plug-in version. Entry DN: cn=plug-in name,cn=plugins,cn=config; Valid Values: Any valid plug-in version; Default Value: Product version number; Syntax: DirectoryString; Example: nsslapd-pluginVersion: 8.1. 3.2.8 nsslapd-pluginVendor. This attribute specifies the vendor of the plug-in. Entry DN: cn=plug-in name,cn=plugins,cn=config; Valid Values: Any approved plug-in vendor; Default Value: Red Hat, Inc.; Syntax: DirectoryString; Example: nsslapd-pluginVendor: Red Hat, Inc. 3.2.9 nsslapd-pluginDescription. This attribute provides a description of the plug-in. Plug-in Pa
172. applicable to the Directory Server but are still required to be present by SNMP clients. If the nsslapd-counters attribute in cn=config is set to on (the default setting), then all of the counters kept by the Directory Server instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of Directory Server. All of the SNMP statistics attributes use the 64-bit integers if it is configured. NOTE: The nsslapd-counters attribute enables 64-bit integers for these specific database and server counters. The counters which use 64-bit integers are not configurable; 64-bit integers are either enabled for all the allowed counters or disabled for all allowed counters. AnonymousBinds: This shows the number of anonymous bind requests. UnAuthBinds: This shows the number of unauthenticated (anonymous) binds. SimpleAuthBinds: This shows the number of LDAP simple bind requests (DN and password). StrongAuthBinds: This shows the number of LDAP SASL bind requests, for all SASL mechanisms. BindSecurityErrors: This shows the number of times an invalid password was given in a bind request. InOps: This shows the total number of all requests received by the server. ReadOps: Not used. This value is always 0. CompareOps: This shows the number of LDAP compare requests. AddEntryOps: This shows the
173. arch results in LDIF format. For details on this tool, see the Finding Directory Entries appendix in the Directory Server Administrator's Guide. ldapmodify: Adds, deletes, modifies, or renames entries. All operations are specified using LDIF update statements. For details on this tool, see Adding and Modifying Entries Using ldapmodify in the Creating Directory Entries chapter in the Directory Server Administrator's Guide. ldapdelete: Deletes entries in the directory. For information on using this utility, see Deleting Entries Using ldapdelete in the Creating Directory Entries chapter in the Directory Server Administrator's Guide. ldappasswd: Changes users' passwords with the password change extended operation. For more information on the password change extended operation, see the Managing the Password Policy section of the Managing User Accounts and Passwords chapter in the Directory Server Administrator's Guide. ldif: Automatically formats LDIF files and creates base-64 encoded attribute values. For details on this tool, see Appendix A in the Directory Server Administrator's Guide. dbscan: Analyzes and extracts information from a Directory Server database file. (Table 6.1, Commonly Used Command Line Utilities.) 6.4 ldapsearch. ldapsearch is a configurable utility that locates and retrieves directory entries via LDAP. This utility opens a connection to the specified server using the specified distinguished nam
174. artup: Shows the number of changes sent since the Directory Server started. nsDS5ReplicaCredentials: Specifies the credentials for the bind DN. nsDS5ReplicaHost: Specifies the hostname for the Windows domain controller of the Windows server being synchronized. nsDS5ReplicaLastInitEnd: States when the last total update (resynchronization) of the Windows server ended. nsDS5ReplicaLastInitStart: States when the last total update (resynchronization) of the Windows server started. nsDS5ReplicaLastInitStatus: The status for the total update (resynchronization) of the Windows server. nsDS5ReplicaLastUpdateEnd: States when the most recent update ended. nsDS5ReplicaLastUpdateStart: States when the most recent update started. nsDS5ReplicaLastUpdateStatus: Provides the status for the most recent updates. nsDS5ReplicaPort: Specifies the port number for the Windows server. nsDS5ReplicaRoot: Specifies the root suffix DN of the Directory Server. nsDS5ReplicaSessionPauseTime: Specifies the amount of time, in seconds, the Directory Server should wait between update sessions. nsDS5ReplicaTimeout: Specifies the number of seconds outbound LDAP operations will wait for a response from the Windows server before timing out and failing. nsDS5ReplicaTransportInfo: Specifies the type of transport used for transporting data to and from the Windows server. nsDS5ReplicaUpdateInProgress; nsDS5ReplicaUpdate
175. ase entry cache debugging. 65536: Plug-ins. Writes an entry to the log file when a server plug-in calls slapi_log_error, so this is used for server plug-in debugging. 131072: Microsecond resolution for timestamps instead of the default seconds. This cannot be enabled in the Directory Server Console. 262144: Access control summary. Summarizes information about access to the server, much less verbose than level 128. This value is recommended for use when a summary of access control processing is needed. Use 128 for very detailed processing messages. (Table 5.4, Error Log Levels.) 5.2.2 Error Log Content. The error log format is simpler than the access log entries. It is also more flexible, because the kind of information returned depends on the service or operation which is writing the log entry. Generally, error log entries contain the following elements: A timestamp, such as [05/Jan/2009:02:27:22 -0500], although the format varies depending on the platform. The ending four digits (-0500) indicate the time difference in relation to GMT. Chapter 5. Log File Reference. The plug-in being called for internal operations. Functions called by the plug-in for internal operations. Messages returned by the plug-in or operation, which may include LDAP error codes, connection information, or entry information. Frequently the messages for an operation appear on multiple lines of the log, but these ar
176. assword1. In the optional alias section, use aliases such as Supplier1, Supplier2, and Hub1 to identify the servers in the replication topology. If used, the output shows these aliases instead of http(s)://hostname:port. The CSN time lags between suppliers and consumers can be displayed in different colors based on their range. The default color set is green for 0-5 minutes lag, yellow for 5-60 minutes lag, and pink for a lag of 60 minutes or more. The connection parameters for all the servers in a replication topology must be specified within one configuration file. One configuration file, however, may contain information for multiple replication topologies. Because of the connection parameters, the replication monitoring tool does not need to perform DES decryption of the credentials stored in the Directory Server. Each line in this file could either be a comment (started with the # character) or a connection entry of the format host:port=binddn:bindpwd:bindcert. host, port, and binddn can be replaced with relevant values, or *, or omitted altogether. If host is null or *, the entry may apply to any host that does not have a dedicated entry in the file. If port is null or *, the port will default to the port stored in the current replication agreement. If binddn is null or *, it defaults to cn=Directory Manager. bindcert can be replaced with the full path to the certificate database, null, or *. If bindcert is omitted or replaced wi
177. asswordMinTokenLength (Password Syntax). This attribute sets the smallest attribute value length that is used for trivial words checking. For example, if the PasswordMinTokenLength is set to 3, then a givenname of DJ does not result in a policy that rejects DJ from being in the password, but the policy rejects a password containing the givenname of Bob. Entry DN: cn=config; Valid Range: 1 to 64; Default Value: 3; Syntax: Integer; Example: passwordMinTokenLength: 3. 2.3.1.137 PasswordMinUppers (Password Syntax). This sets the minimum number of uppercase letters a password must contain. Entry DN: cn=config; Valid Range: 0 to 64; Default Value: 0; Syntax: Integer; Example: passwordMinUppers: 2. 2.3.1.138 passwordMustChange (Password Must Change). Indicates whether users must change their passwords when they first bind to the Directory Server, or when the password has been reset by the Manager DN. This can be abbreviated to pwdMustChange. Chapter 2. Core Server Configuration Reference. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide. Entry DN: cn=config; Valid Values: on | off; Default Value: off; Syntax: DirectoryString; Example: passwordMustChange: off. 2.3.1.139 passwordResetDuration. This attribute sets the amount of time that
178. at is described in the database tuning section. The cn=changelog5,cn=config entry is an instance of the extensibleObject object class. NOTE: Two different types of changelogs are maintained by Directory Server. The first type, which is stored here and referred to as the changelog, is used by multi-master replication; the second changelog, which is actually a plug-in and referred to as the retro changelog, is for compatibility with some legacy applications. See Section 3.1.29, Retro Changelog Plug-in, for further information about the Retro Changelog Plug-in. 2.3.2.1 nsslapd-changelogdir. This required attribute specifies the name of the directory in which the changelog database is created. Whenever a changelog configuration entry is created, it must contain a valid directory; otherwise the operation is rejected. The GUI proposes by default that this database be stored in /var/lib/dirsrv/slapd-instance_name/changelogdb. WARNING: If the cn=changelog5 entry is removed, the directory specified in the nsslapd-changelogdir parameter, including any subdirectories, is removed with all of its contents. NOTE: For performance reasons, store this database on a different physical disk. The server has to be restarted for changes to this attribute to go into effect. Entry DN: cn=changelog5,cn=config; Valid Values
179. ation cannot be performed against a Directory Server that only supports LDAPv2. -Y: Specifies the proxy DN to use for the delete operation. This argument is provided for testing purposes. For more information about proxied authorization, see the Managing Access Control chapter in the Directory Server Administrator's Guide. (Table 6.18, Additional ldapdelete Options.) 6.7 ldappasswd. Use ldappasswd to set or change user passwords in Directory Server. Contents: Syntax; ldappasswd-specific Options; General ldappasswd Options; SASL Options; Examples. Syntax: ldappasswd [options] [user]. user is the authentication identity, typically a DN. If not specified, the distinguished name specified by the -D option (bind name) is used. ldappasswd-specific Options: -A: Specifies that the command should prompt for the user's existing password. Chapter 6. Command Line Utilities. -a: Specifies the user's existing password. For example, -a old_password. Specifies that the command should prompt for a new password for the user. -S: Specifies a new password for the user. For example, -S new_password. -T: Specifies a file from which to read the new password. For example, -T new_password.txt. -t: Specifies a file from which to read the user's existing password. For example, -t old_password.txt. Specifies the password associated with the distinguished name specified in the
180. ation of a 3-digit number, the digits varying from 0 through 7: 0: None; 1: Execute only; 2: Write only; 3: Write and execute; 4: Read only; 5: Read and execute; 6: Read and write; 7: Read, write, and execute. In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone. The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file. Entry DN: cn=config; Valid Range: 000 through 777; Default Value: 600; Syntax: Integer; Example: nsslapd-auditlog-mode: 600. 2.3.1.35 nsslapd-certdir (Certificate and Key Database Directory). This is the full path to the directory holding the certificate and key databases for a Directory Server instance. This directory must contain only the certificate and key databases for this instance and no other instances. This directory must be owned by, and allow read/write access for, the server user ID. No other user should have read/write access to this directory. The default location is the configuration file directory, /etc/dirsrv/slapd-inst
181. audit log file rotation is unlimited. Default Value: 1; Syntax: Integer; Example: nsslapd-auditlog-logrotationtime: 100. 2.3.1.31 nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit). This attribute sets the units for the nsslapd-auditlog-logrotationtime attribute. Entry DN: cn=config; Valid Values: month | week | day | hour | minute; Default Value: week; Syntax: DirectoryString; Example: nsslapd-auditlog-logrotationtimeunit: day. 2.3.1.32 nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size). This attribute sets the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That means the server starts writing log information to a new log file. If nsslapd-auditlog-maxlogsperdir is set to 1, the server ignores this attribute. When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the audit log. Entry DN: cn=config; Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means the log file is unlimited in size; Default Value: 1
182. ault, the server includes the unique ID for all entries with a unique ID in the exported LDIF file. Only use this option to use the exported LDIF to initialize a 4.x consumer server; otherwise, this option does not cause the server to create a unique ID for entries but simply takes what already exists in the database. -U: Outputs the contents of the database without wrapping lines. -x excludeSuffix: Specifies a suffix or suffixes to exclude in the export. There can be multiple -x arguments. If neither -s nor -x is specified, the server exports all suffixes within the database. When using both -x and -s options with the same suffix, the -x operation takes precedence. Exclusion always takes precedence over inclusion. If the LDIF file will be imported into the configuration directory, do not exclude o=NetscapeRoot. (Table A.1, db2ldif Options.) A.4 Utilities for Restoring and Backing up Databases. ldif2db: Imports LDIF files to the database. Syntax: ns-slapd ldif2db -D configDir -i ldifFile [-d debugLevel] [-g string] [-n backendInstance] [-O] [-s includeSuffix] [-x excludeSuffix] [-E]. -D configDir: Enter the full path to the server configuration directory. -i ldifFile: ldifFile is the name of the file containing the LDIF to be imported. There is an example LDIF file under the /var/lib/dirsrv/slapd-instance_name/ldif directory. Either th
183. authentication slows down bind requests a little, because they have to make an extra hop to the remote server. See the Using Pass-through Authentication chapter in the Directory Server Administrator's Guide. Further Information: See the Using the Pass-through Authentication Plug-in chapter in the Directory Server Administrator's Guide. 3.1.28 Referential Integrity Postoperation Plug-in. Plug-in Name: Referential Integrity Postoperation; DN of Configuration Entry: cn=Referential Integrity Postoperation,cn=plugins,cn=config; Description: Enables the server to ensure referential integrity; Configurable Options: All configuration and on | off; Default Setting: off; Configurable Arguments: When enabled, the post-operation Referential Integrity Plug-in performs integrity updates on the member, uniqueMember, owner, and seeAlso attributes immediately after a delete or rename operation. The plug-in can be reconfigured to perform integrity checks on all other attributes. Check for referential integrity: -1: no check for referential integrity; 0: check for referential integrity is performed immediately; Positive integer: request for referential integrity is queued and processed at a later stage. This positive integer serves as a wake-up call for the thread to process the request at intervals correspon
184. awing the configuration information from a file (set with the --file parameter) or from arguments passed in the command line, rather than interactively. --file=name: This sets the path and name of the file which contains the configuration settings for the new Directory Server instance. This can be used with the --silent parameter; if used alone, it sets the default values for the setup prompts. -d, -dddd: This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level. --keepcache: This saves the temporary installation file (.inf) that is created when the register script is run. This file can then be reused for a silent setup. This file is always generated but is usually deleted once the install is complete. The file is created as a log file named /tmp/setuprandom.inf, like /tmp/setup1GCZ8H.inf. WARNING: The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file. Further options in this table: --logfile=name; --update. 7.4.20 setup-ds-admin.pl. The setup-ds-admin.pl script is used to create a Directory Server instance and a new Administration Server instance. Running this script with the -u option after the instances are configured updates the configuration with the latest installed packages. This param
185. ax: Integer; Example: nsTransmittedControls: 1.2.840.113556.1.4.473. Chapter 3. Plug-in Implemented Server Functionality Reference. 3.5.2 Database Link Attributes under cn=default instance config,cn=chaining database,cn=plugins,cn=config. Default instance configuration attributes for instances are housed in the cn=default instance config,cn=chaining database,cn=plugins,cn=config tree node. 3.5.2.1 nsAbandonedSearchCheckInterval. This attribute shows the number of seconds that pass before the server checks for abandoned operations. Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config; Valid Range: 0 to maximum 32-bit integer (2147483647) seconds; Default Value: 1; Syntax: Integer; Example: nsAbandonedSearchCheckInterval: 10. 3.5.2.2 nsBindConnectionsLimit. This attribute shows the maximum number of TCP connections the database link establishes with the remote server. Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config; Valid Range: 1 to 50 connections; Default Value: 3; Syntax: Integer; Example: nsBindConnectionsLimit: 3. 3.5.2.3 nsBindRetryLimit. Contrary to what the name suggests, this attribute does not specify the number of times a database link retries to bind with the remote server, but the number of times it tries to bind with the remote server. A value of 1 here indicates that
186. ber of locks, do a search on cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config. For example: ldapsearch -h localhost -p 389 -D "cn=directory manager" -w password -b "cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config" "(objectclass=*)" | grep locks. For more information on using LDAP utilities, see the Directory Server Administrator's Guide. 4.7 Log Files. Each Directory Server instance contains a /var/log/dirsrv/slapd-instance_name directory for storing log files. The following is a sample listing of the Logs directory contents: access, access.20090221-162824, access.20090223-171949, access.20090227-171818, access.20090228-171925, access.rotationinfo, audit, audit.rotationinfo, errors, errors.20090221-162824, errors.rotationinfo, slapd.stats (Example 4.5, Log Directory Contents). The content of the access, audit, and error log files is dependent on the log configuration. The slapd.stats file is a memory-mapped file which cannot be read by an editor. It contains data collected by the Directory Server SNMP data collection component. This data is read by the SNMP subagent in response to SNMP attribute queries and is communicated to the SNMP master agent responsible for handling Directory Server SNMP requests. 4.8 PID Files. slapd-serverID.pid and slapd-serverID.startpid files are created in the /var/run/dirsrv directory when the server is up and running. Both files store the server's proce
187. borted was either an unknown operation or already complete. Message ID: The message ID (in this case msgid=2) is the LDAP operation identifier as generated by the LDAP SDK client. The message ID may have a different value than the operation number but identifies the same operation. The message ID is used with an ABANDON operation and tells the user which client operation is being abandoned. [21/Apr/2009:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2. NOTE: The Directory Server operation number starts counting at 0, and in the majority of LDAP SDK client implementations the message ID number starts counting at 1, which explains why the message ID is frequently equal to the Directory Server operation number plus 1. SASL Multi-Stage Bind Logging: In Directory Server, logging for multi-stage binds is explicit. Each stage in the bind process is logged. The error codes for these SASL connections are really return codes. In the example, the SASL bind is currently in progress, so it has a return code of err=14, meaning the connection is still open, and there is a corresponding progress statement, SASL bind in progress. [21/Apr/2009:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5 [21/Apr/2009:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress. In logging a SASL bind, the sasl method is followed by
188. bugging information. For the -d flag, increasing the number of d's increases the debug level. --keepcache: This saves the temporary installation file (.inf) that is created when the register script is run. This file can then be reused for a silent setup. This file is always generated but is usually deleted once the install is complete. The file is created as a log file named /tmp/setuprandom.inf, like /tmp/setup1GCZ8H.inf. WARNING: The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file. --logfile=name (alternate: -l): This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null. --update (alternate: -u): This parameter updates existing Directory Server instances. If an installation is broken in some way, this option can be used to update or replace missing packages and then re-register all of the local instances with the Configuration Directory. 7.4.21 verify-db.pl (Check for Corrupt Databases). Verifies the backend database files. If the server crashes because of a corrupted database, this script can be used to verify the integrity of the different database files to help isolate any problems. IM
189. build data is automatically appended when the version string is displayed. Entry DN: cn=config; Valid Values: Any valid server version number; Default Value: (none listed); Syntax: DirectoryString; Example: nsslapd-versionstring: Red Hat Directory 8.1. 2.3.1.109 nsslapd-workingdir. This is the absolute path of the directory that the server uses as its current working directory after startup. This is the value that the server would return as the value of the getcwd() function, and the value that the system process table shows as its current working directory. This is the directory a core file is generated in. The server user ID must have read and write access to the directory, and no other user ID should have read or write access to it. The default value for this attribute is the same directory containing the error log, which is usually /var/log/dirsrv/slapd-instance_name. Changes made to this attribute will not take effect until the server is restarted. 2.3.1.110 nsSSLclientauth (Client Authentication). This attribute sets whether client authentication (also called certificate-based authentication) is allowed to the Directory Server. If this attribute is set to required, then the Console cannot be set to require SSL, because certificate-based authentication is not supported in the Console. Entry DN; Valid Values
190. bute, 80; nsDS5Replica, 123; nsDS5ReplicaBindDN attribute, 80; nsDS5ReplicaBindMethod attribute, 86; nsDS5ReplicaBusyWaitTime attribute, 86; nsDS5ReplicaChangeCount attribute, 81; nsDS5ReplicaChangesSentSinceStartup attribute, 87; nsDS5ReplicaCredentials attribute, 87; nsDS5ReplicaHost attribute, 87; nsDS5ReplicaID attribute, 81; nsDS5ReplicaLastInitEnd attribute, 88; nsDS5ReplicaLastInitStart attribute, 88; nsDS5ReplicaLastInitStatus attribute, 88; nsDS5ReplicaLastUpdateEnd attribute, 89; nsDS5ReplicaLastUpdateStart attribute, 89; nsDS5ReplicaLastUpdateStatus attribute, 90; nsDS5ReplicaLegacyConsumer attribute, 81; nsDS5ReplicaName attribute, 82; nsDS5ReplicaPort attribute, 90; nsDS5ReplicaPurgeDelay attribute, 82; nsDS5ReplicaReapActive attribute, 90; nsDS5ReplicaReferral attribute, 83; nsDS5ReplicaRoot attribute, 83; nsDS5ReplicaSessionPauseTime attribute, 91; nsDS5ReplicatedAttributeList attribute, 92; nsDS5ReplicaTimeout attribute, 92; nsDS5ReplicationAgreement, 124; nsDS5ReplicaTombstonePurgeInterval attribute, 83; nsDS5ReplicaTransportInfo attribute, 93; nsDS5ReplicaType attribute, 84; nsDS5ReplicaUpdateInProgress attribute, 93; nsDS5ReplicaUpdateSchedule attribute, 93; nsds5Task attribute, 85; nsds7DirectoryReplicaSubtree, 95; nsds7DirsyncCookie, 95; nsds7NewWinGroupSyncEnabled, 95; nsds7NewWinUserSyncEnabled, 95; nsds7WindowsDomain, 96; nsds7WindowsReplicaSubtree, 96; nsDSWindowsReplicationAgreement, 126; nsDumpUniqId, 114; nsEncryptionAlgorithm, 194; nsExcludeS
191. bute contains a byte vector that uniquely identifies that specific server and version. This number is used to distinguish between servers during replication. OID: 2.16.840.1.113730.3.1.612; Syntax: IA5String; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.5.1.6 nsSynchUniqueAttribute. This attribute is used for Windows synchronization. OID: 2.16.840.1.113730.3.1.407; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.5.1.7 nsSynchUserIDFormat. This attribute is used for Windows synchronization. OID: 2.16.840.1.113730.3.1.406; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.5.2 Legacy Replication Attributes. These attributes were originally used to configure replication for Directory Server 4.x and older servers. Some forms of replication, like consumer-initiated replication, are no longer supported. WARNING: These attributes are for reference only. See the nsDS5Replica section and Section 2.4 for the attributes used to configure replicas and replication agreements. 2.5.2.1 cirReplicaSource Object Class. The cirReplicaSource is an object that is used for consumer-initiated replication. This object class is defined by Directory Server. Superior Class: top; OID: 2.16.840.1.11373
192. bute is turned on, default TCP behavior applies; specifically, sending data is delayed so that additional data can be grouped into one packet of the underlying network MTU size, typically 1500 bytes for Ethernet. Entry DN: cn=config; Valid Values: on | off; Default Value: off; Syntax: DirectoryString; Example: nsslapd-nagle: off. 2.3.1.81 nsslapd-outbound-ldap-io-timeout. This attribute limits the I/O wait time for all outbound LDAP connections. The default is 300000 milliseconds (5 minutes). A value of 0 means that the server does not impose a limit on I/O wait time. Entry DN: cn=config; Valid Range: 0 to the maximum 32-bit integer value (2147483647); Default Value: 300000; Syntax: DirectoryString; Example: nsslapd-outbound-ldap-io-timeout: 300000. 2.3.1.82 nsslapd-plug-in. This read-only attribute lists the DNs of the plug-in entries for the syntax and matching rule plug-ins loaded by the server. 2.3.1.83 nsslapd-port (Port Number). This attribute gives the TCP/IP port number used for standard LDAP communications. To run SSL/TLS over this port, use the Start TLS extended operation. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Specifying a port number of less than 1024 means the Directory Server has to be started as root. The server sets its uid to t
193. …butes
3.8.1 memberofattr
3.8.2 memberofgroupattr
4. Server Instance File Reference (4.1 to 4.9): Overview of Directory Server Files; Backup Files; Configuration Files; Database Files; LDIF Files; Lock Files; Log Files; PID Files
5. Log File Reference
5.1 Access Log Reference
5.1.1 Access Logging Levels
5.1.2 Default Access Logging Content
5.1.3 Access Log Content for Additional Access Logging Levels
5.1.4 Common Connection Codes
5.2 Error Log Reference
5.2.1 Error Log L…
194. …by the server, as specified in the nsslapd-reservedescriptors attribute, for non-client connections such as index management and managing replication. The nsslapd-reservedescriptors attribute is the number of file descriptors available for other uses as described above. See Section 2.3.1.89, nsslapd-reservedescriptors (Reserved File Descriptors).

The number given here should not be greater than the total number of file descriptors that the operating system allows the ns-slapd process to use. This number differs depending on the operating system. If this value is set too high, the Directory Server queries the operating system for the maximum allowable value and then uses that value. It also issues a warning in the error log. If this value is set to an invalid value remotely, by using the Directory Server Console or ldapmodify, the server rejects the new value, keeps the old value, and responds with an error.

Some operating systems let users configure the number of file descriptors available to a process. See the operating system documentation for details on file descriptor limits and configuration. The dsktune program, explained in the Directory Server Installation Guide, can be used to suggest changes to the system kernel or TCP/IP tuning attributes, including increasing the number of file descriptors if necessary. Increase the value of this attribute if the Directory Server is refusing connections because it is out of file descriptors. When this occ…
196. …cation. For example, -N Server-Cert. If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w. The fallback is silent, so a script that passes both sets of options binds with the password, not the certificate.

-P path: Specifies the absolute path, including the filename, of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be pointed to the certificate database for the web browser. For example, -P /security/cert.db. The client security files can be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory. In this case, the -P option calls out a path and filename similar to the following: -P /etc/dirsrv/slapd-instance_name/client-cert.db

-N certificatename: Specifies the token and certificate name, separated by a semicolon for PKCS#11 (see above).

-W password: Specifies the password for the certificate database identified on the -P option. For example, -W serverpassword.

-Z: Specifies that SSL is to be used for the delete request.

-ZZ: Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not need…
197. …ce Insensitive String Syntax Plug-in 159
3.1.33 State Change Plug-in 159
3.1.34 Telephone Syntax Plug-in 160
3.1.35 URI Syntax Plug-in 160
3.1.36 Views Plug-in 160
3.2 List of Attributes Common to All Plug-ins 161
3.2.1 nsslapd-… 161
3.2.2 nsslapd-pluginPath 162
3.2.3 nsslapd-pluginInitfunc 162
3.2.4 nsslapd-pluginType 162
3.2.5 nsslapd-pluginEnabled 162
3.2.6 nsslapd-pluginId 163
3.2.7 nsslapd-pluginVersion 163
3.2.8 nsslapd-pluginVendor 163
3.2.9 nsslapd-pluginDescription …
198. …cess (read) allowed on entry(cn=replication,cn=config)
[09/Jan/2009:13:15:16 -0500] NSACLPlugin - Root access (read) allowed on entry(cn=replication,cn=config)
[09/Jan/2009:13:15:16 -0500] NSACLPlugin - Root access (read) allowed on entry(cn=replication,cn=config)
[09/Jan/2009:13:15:16 -0500] - slapi_filter_free type 0x87
[09/Jan/2009:13:15:16 -0500] - => get_filter_internal
[09/Jan/2009:13:15:16 -0500] - EQUALITY
[09/Jan/2009:13:15:16 -0500] - <= get_filter_internal 0
[09/Jan/2009:13:15:16 -0500] - get_filter before optimize
[09/Jan/2009:13:15:16 -0500] - get_filter after optimize
[09/Jan/2009:13:15:16 -0500] - index_subsys_assign_filter_decoders before (objectClass=nsBackendInstance)
[09/Jan/2009:13:15:16 -0500] - index_subsys_assign_filter_decoders after (objectClass=nsBackendInstance)
[09/Jan/2009:13:15:16 -0500] - => slapi_vattr_filter_test_ext
[09/Jan/2009:13:15:16 -0500] - => test_substring_filter
[09/Jan/2009:13:15:16 -0500] - EQUALITY
Example 5.5. Example ACL Plug-in Error Log Entry with Plug-in Logging (plug-in logging and search filter processing, log level 32)

Many other kinds of logging have similar output to the plug-in logging level, only for different kinds of internal operations. Heavy trace output (4), access control list processing (128), schema parsing (2048), and housekeeping (4096) all record the functions called by the di…
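Because nsslapd-errorlog-level is a bitmask, a reviewer reading a verbose error log first needs to know which levels were on, and then needs to pull the access control decisions out of the trace noise. The following is an added example, not code from the Red Hat documentation or from Directory Server itself: it decodes the level bits this page names (4, 32, 128, 2048, 4096; the others are deliberately not guessed), parses lines in the shape of Example 5.5 (timestamp in brackets, optional source such as NSACLPlugin, a dash, the message), counts the NSACLPlugin decisions per entry and right, and tracks how deeply the "=>" / "<=" call markers nest. The sample lines are constructed from the example above with their punctuation restored.

```python
import re
from typing import Dict, List, Optional, Tuple

# Error-log level bits named on this page. nsslapd-errorlog-level is a bitmask,
# so several of these can be set at once. Bits not listed on the page are left
# out deliberately rather than guessed.
ERRORLOG_LEVELS: Dict[int, str] = {
    4: "heavy trace output",
    32: "search filter processing",
    128: "access control list processing",
    2048: "schema parsing",
    4096: "housekeeping",
}

# "[timestamp] [source -] message"; the source (e.g. NSACLPlugin) is optional.
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<src>\S+)\s+)?-\s*(?P<msg>.*)$")
ACL_DECISION = re.compile(
    r"^(?P<who>.+?) access \((?P<right>\w+)\) (?P<decision>allowed|denied) on entry\((?P<entry>.+)\)$"
)


def decode_errorlog_level(level: int) -> List[str]:
    """Name the documented bits set in an nsslapd-errorlog-level value.
    Bits the page does not document are reported as a hex remainder so a
    reviewer never mistakes them for 'nothing extra'."""
    names = [name for bit, name in sorted(ERRORLOG_LEVELS.items()) if level & bit]
    remainder = level & ~sum(ERRORLOG_LEVELS)
    if remainder:
        names.append(f"unlisted bits 0x{remainder:x}")
    return names


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one error-log line into timestamp, source and message."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "source": m["src"], "msg": m["msg"]}


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count ACL decisions per (decision, right, entry) and track how deeply
    the '=>' / '<=' trace markers nest, which is what a level-32 log shows."""
    acl: Dict[Tuple[str, str, str], int] = {}
    depth = max_depth = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"] or ""
        if rec["source"] == "NSACLPlugin":
            am = ACL_DECISION.match(msg)
            if am:
                key = (am["decision"], am["right"], am["entry"])
                acl[key] = acl.get(key, 0) + 1
        elif msg.startswith("=> "):
            depth += 1
            max_depth = max(max_depth, depth)
        elif msg.startswith("<= "):
            depth -= 1
    return {"acl": acl, "max_trace_depth": max_depth}


# Constructed sample: the page's example lines with their punctuation restored.
SAMPLE_ERROR_LOG = """\
[09/Jan/2009:13:15:16 -0500] NSACLPlugin - Root access (read) allowed on entry(cn=replication,cn=config)
[09/Jan/2009:13:15:16 -0500] NSACLPlugin - Root access (read) allowed on entry(cn=replication,cn=config)
[09/Jan/2009:13:15:16 -0500] NSACLPlugin - Root access (read) allowed on entry(cn=replication,cn=config)
[09/Jan/2009:13:15:16 -0500] - slapi_filter_free type 0x87
[09/Jan/2009:13:15:16 -0500] - => get_filter_internal
[09/Jan/2009:13:15:16 -0500] - EQUALITY
[09/Jan/2009:13:15:16 -0500] - <= get_filter_internal 0
[09/Jan/2009:13:15:16 -0500] - => slapi_vattr_filter_test_ext
[09/Jan/2009:13:15:16 -0500] - => test_substring_filter
"""

if __name__ == "__main__":
    print(decode_errorlog_level(32 | 128))
    print(summarize(SAMPLE_ERROR_LOG.splitlines()))
```

The remainder reported by decode_errorlog_level is the important part when reviewing a server someone else configured: a level such as 8196 is the documented housekeeping bit plus an undocumented one, and the function makes that visible instead of silently dropping it.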
199. …cess control incurs a minimal performance hit. Leave this plug-in enabled, since it is the primary means of access control for the server. See the "Managing Access Control" chapter in the Directory Server Administrator's Guide.

3.1.4 Attribute Uniqueness Plug-in
Plug-in Name: Attribute Uniqueness Plug-in
DN of Configuration Entry: cn=Attribute Uniqueness,cn=plugins,cn=config
Description: Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique.
Configurable Options: on | off
Default Setting: off
Configurable Arguments: To check for UID attribute uniqueness in all listed subtrees, enter uid "DN" "DN"... . However, to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, enter attribute=uid MarkerObjectclass=ObjectClassName and, optionally, requiredObjectClass=ObjectClassName. This starts checking for the required object classes from the parent entry containing the ObjectClass as defined by the MarkerObjectclass attribute.
Dependencies: Database
Performance Related Information: Directory Server provides the UID Uniqueness Plug-in by default. To ensure unique values for other attributes, create instances of the Attribute Uniqueness Plug-in for those attributes. Note that with the plug-in off (the default setting) nothing stops two entries from carrying the same uid or mail value. See the "Using…
200. …cifies that the entry IDs are not to be included in the LDIF output. The entry IDs are necessary only if the db2ldif output is to be used as input to db2index.
-r: Exports the information required to initialize a replica when the LDIF is imported. Using this option requires that the server be stopped first; then run the db2ldif command. The LDIF file which is created with db2ldif can be imported using ldif2db. When it is imported, if the -r option was used, then the database is automatically initialized as a replica. See Section 7.3.8, ldif2db (Import), for information on importing an LDIF file.
-s suffix_name: Names the suffixes to be included, or the subtrees to be included if -n has been used.
-u: Requests that the unique ID is not exported.
-U: Requests that the output LDIF is not folded.
-x suffix_name: Names the suffixes to be excluded.
Table 7.6. db2ldif Options

7.3.5 db2index (Reindexes Database Index Files)
Reindexes the database index files. Ellipses indicate that multiple occurrences are allowed. For information on the equivalent Perl script, see Section 7.4.4, db2index.pl (Creates and Generates Indexes).
Syntax: db2index [-n backendInstance] [-s includeSuffix]... [-t attributeName[:indextypes[:matchingrules]]]... [-T vlvAttribute]...
Usage: Here are a few sample commands:
• Reindex all the database index files: db…
201. …ckward compatibility. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.

2.3.1.143 passwordUnlock (Unlock Account)
Indicates whether users are locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout. The account lockout feature protects against attackers who try to break into the directory by repeatedly trying to guess a user's password. If this passwordUnlock attribute is set to off and the operational attribute accountUnlockTime has a value of 0, then the account is locked indefinitely. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: passwordUnlock: off

2.3.1.144 passwordWarning (Send Warning)
Indicates the number of seconds before a user's password is due to expire that the user receives a password expiration warning control on their next LDAP operation. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent. This can be abbreviated to pwdExpireWarning. For more information on password policies, see the "Managing Users and Passwords" chapte…
202. …cludeSuffix: Gives the suffixes to be included, or specifies the subtrees to be included if -n has been used.
-x excludeSuffix: Gives the suffixes to be excluded.
Table 7.9. ldif2db Options

7.3.9 ldif2ldap (Performs Import Operation over LDAP)
Performs an import operation over LDAP to the Directory Server. To run this script, the server must be running.
Syntax: ldif2ldap -D rootdn -w password -f filename
-D rootdn: Gives a user DN with root permissions, such as Directory Manager.
-f filename: Gives the name of the file to be imported. When importing multiple files, the files are imported in the order they are specified on the command line.
-w password: Gives the password associated with the user DN. Because the password is passed on the command line, it is visible to other users of the host in the process listing and may be recorded in shell history.
Table 7.10. ldif2ldap Options

7.3.10 monitor (Retrieves Monitoring Information)
Retrieves performance monitoring information using the ldapsearch command-line utility.
Syntax: monitor
Options: There are no options for this script. For more information on the ldapsearch command-line utility, see the ldapsearch section in Chapter 6.

7.3.11 repl-monitor (Monitors Replication Status)
Shows in-progress status of replication. repl-monitor is a shell script wrapper of repl-monitor.pl that sets the appropriate library path. For more information on the Perl script, see Section 7.4.17, repl-monitor.pl (Monitors Replicati…
203. …cn=config
This attribute specifies the interval, in seconds, at which internal purge operations are performed on an entry. When setting this attribute, ensure that the purge delay is longer than the longest replication cycle in the replication policy, to preserve enough information to resolve replication conflicts and to prevent the copies of data stored in different servers from diverging.
Entry DN: cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Range: 0 (keep forever) to maximum 32-bit integer (2147483647)
Default Value: 604800 (1 week: 60x60x24x7)
Syntax: Integer
Example: nsDS5ReplicaPurgeDelay: 604800

2.3.7.11 nsDS5ReplicaReferral
This multi-valued attribute specifies the user-defined referrals. This should only be defined on a consumer. User referrals are only returned when a client attempts to modify data on a read-only consumer. This optional referral overrides the referral that is automatically configured by the consumer by the replication protocol.
Entry DN: cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: Any valid LDAP URL
Default Value: (none)
Syntax: DirectoryString
Example: nsDS5ReplicaReferral: ldap://ldap.example.com

2.3.7.12 nsDS5ReplicaRoot
This attribute sets the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified.
Entry DN: cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Val…
204. …cn=ldbm database,cn=plugins,cn=config
Valid Values: Any four-digit octal number. However, mode 0600 is recommended. This allows read and write access for the owner of the index files (which is the user as whom ns-slapd runs) and no access for other users. The index and database files hold the directory data itself, including stored password values, so a more permissive mode exposes that data to every local account on the host.
Default Value: 600
Syntax: Integer
Example: nsslapd-mode: 0600

3.4.2 Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
Global read-only attributes containing database statistics for monitoring activity on the databases are stored in the cn=monitor,cn=ldbm database,cn=plugins,cn=config tree node. For more information on these entries, refer to the "Monitoring Server and Database Activity" chapter in the Directory Server Administrator's Guide.
dbcachehits: This attribute shows the requested pages found in the database cache.
dbcachetries: This attribute shows the total cache lookups.
dbcachehitratio: This attribute shows the percentage of requested pages found in the database cache (hits/tries).
dbcachepagein: This attribute shows the pages read into the database cache.
dbcachepageout: This attribute shows the pages written from the database cache to the backing file.
dbcacheroevict: This attribute shows the clean pages forced from the cache.
dbcacherwevict: This attribute shows the dirty pages forced from the cache.

cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and cn=userRoot,cn=ldbm database,cn=plugins,cn=co…
205. …cn=plugins,cn=config
Valid Values: Any valid delay period in seconds
Default Value: 60 seconds
Syntax: Integer
Example: nsMaxResponseDelay: 60

3.5.1.3 nsMaxTestResponseDelay
This error-detection, performance-related attribute specifies the duration of the test issued by the database link to check whether the remote server is responding. If a response from the remote server is not returned before this period has passed, the database link assumes the remote server is down, and the connection is not used for subsequent operations.
Entry DN: cn=config,cn=chaining database,cn=plugins,cn=config
Valid Values: Any valid delay period in seconds
Default Value: 15 seconds
Syntax: Integer
Example: nsMaxTestResponseDelay: 15

3.5.1.4 nsTransmittedControls
This attribute, which can be either a global (and thus dynamic) configuration attribute or an instance configuration attribute (that is, under cn=database link instance,cn=chaining database,cn=plugins,cn=config), allows the controls the database link forwards to be altered. The following controls are forwarded by default by the database link:
• Managed DSA, OID 2.16.840.1.113730.3.4.2
• Virtual list view (VLV), OID 2.16.840.1.113730.3.4.9
• Server-side sorting, OID 1.2.840.113556.1.4.473
Entry DN: cn=config,cn=chaining database,cn=plugins,cn=config
Valid Values: Any valid OID, or the above-listed controls forwarded by the database link
Default Value: None
Synt…
206. …contents of cn=config and cn=monitor (ACIs only).
00core.ldif: Contains only those schema definitions necessary for starting the server with the bare minimum feature set: no user schema, no schema for any non-core features. The rest of the schema used by users, features, and applications is found in 01common.ldif and the other schema files. Do not modify this file.
01common.ldif: Contains LDAPv3 standard operational schema, such as subschemaSubentry; LDAPv3 standard user and organization schema defined in RFC 2256 (based on X.520/X.521), inetOrgPerson, and other widely used attributes; and the operational attributes used by Directory Server configuration. Modifying this file causes interoperability problems. User-defined attributes should be added through the Directory Server Console.
05rfc2247.ldif: Schema from RFC 2247 and related pilot schema, from "Using Domains in LDAP/X.500 Distinguished Names".
05rfc2927.ldif: Schema from RFC 2927, "MIME Directory Profile for LDAP Schema". Contains the ldapSchemas operational attribute required for the attribute to show up in the subschema subentry.
10presence.ldif: Legacy. Schema for instant messaging presence (online) information; the file lists the default object classes with the allowed attributes that must be added to a user's entry in order for instant messaging presence information to be available for that user.
LDIF and Schema Configuration Files / Configuration File…
208. …ct Class
Both local and global password policies take the passwordpolicy object class. This object class is defined in Directory Server.
Superior Class: top
OID: 2.16.840.1.113730.3.2.13
Required Attributes
objectClass: Gives the object classes assigned to the entry.
Allowed Attributes
passwordMaxAge: Sets the number of seconds after which user passwords expire.
passwordExp: Identifies whether the user's password expires after an interval given by the passwordMaxAge attribute.
passwordMinLength: Sets the minimum number of characters that must be used in passwords.
passwordKeepHistory: Sets whether to keep a password history for a user.
passwordInHistory: Sets the number of passwords the directory stores in the history.
passwordChange: Identifies whether or not users are allowed to change their own password.
passwordWarning: Sets the number of seconds before a warning message is sent to users whose password is about to expire.
passwordLockout: Identifies whether or not users are locked out of the directory after a given number of failed bind attempts.
passwordMaxFailure: Sets the number of failed bind attempts after which a user will be locked out of the directory.
passwordResetDuration: Sets the period of time before the server resets the retry…
209. …ction closure.
Connection Code: Description
A1: Client aborts the connection.
B1: Corrupt BER tag encountered. If BER tags, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log. BER tags can be corrupted due to physical-layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results.
B2: BER tag is longer than the nsslapd-maxbersize attribute value. For further information about this configuration attribute, see Section 2.3.1.76, nsslapd-maxbersize (Maximum Message Size).
B3: Corrupt BER tag encountered.
B4: Server failed to flush data (response) back to client.
P2: Closed or corrupt connection has been detected.
T1: Client does not receive a result within the specified idletimeout period. For further information about this configuration attribute, see Section 2.3.1.60, nsslapd-idletimeout (Default Idle Timeout).
T2: Server closed connection after ioblocktimeout period was exceeded. For further information about this configuration attribute, see Section 2.3.1.62, nsslapd-ioblocktimeout (IO Block Time Out).
U1: Connection closed by server after client sends an unbind request. The server will always close the connection when it sees an unbind request.
Table 5.3. Common Connection Codes

A run of B1, B2 or B3 closures from a single client is worth correlating with the corresponding connection-open lines: it usually means a non-LDAP or malformed-request client is hitting the port, or a legitimate client is sending requests larger than nsslapd-maxbersize allows.

5.2 Error Log Reference
The Directory Serve…
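Turning Table 5.3 into a detection is mostly a join: the "closed - CODE" line only carries the conn= id, so the client address has to be recovered from the earlier line that opened that connection. The following is an added example, not code from the Red Hat documentation or from Directory Server: it assumes the usual access-log shapes "conn=N fd=N slot=N connection from IP to IP" and "conn=N op=N fd=N closed - CODE" (neither is quoted on this page), joins them per connection, counts closure codes per client, and flags clients whose protocol-error closures (B1 to B4, P2) reach a threshold. The sample log is constructed.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Connection closure codes from Table 5.3 on this page.
CONNECTION_CODES: Dict[str, str] = {
    "A1": "client aborted the connection",
    "B1": "corrupt BER tag encountered",
    "B2": "BER tag longer than nsslapd-maxbersize",
    "B3": "corrupt BER tag encountered",
    "B4": "server failed to flush the response back to the client",
    "P2": "closed or corrupt connection detected",
    "T1": "no result received within nsslapd-idletimeout",
    "T2": "server closed the connection after nsslapd-ioblocktimeout was exceeded",
    "U1": "client sent an unbind request",
}
# Codes that point at malformed or oversized wire data rather than normal
# client behaviour; repeated hits from one client are worth a look.
PROTOCOL_ERROR_CODES = {"B1", "B2", "B3", "B4", "P2"}

# Assumed access-log line shapes (not quoted on this page):
#   conn=10 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
#   conn=10 op=-1 fd=64 closed - B1
OPEN_LINE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (?P<ip>\S+) to \S+")
CLOSE_LINE = re.compile(r"conn=(?P<conn>\d+) op=-?\d+ fd=\d+ closed(?: - (?P<code>[A-Z]\d))?")


def closures_by_client(lines: List[str]) -> Dict[str, Counter]:
    """Join each 'closed' line to the 'connection from' line that opened the
    same conn= id, and count closure codes per client address."""
    client_of: Dict[str, str] = {}
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = OPEN_LINE.search(line)
        if m:
            client_of[m["conn"]] = m["ip"]
            continue
        m = CLOSE_LINE.search(line)
        if m:
            client = client_of.get(m["conn"], "unknown")
            counts[client][m["code"] or "none"] += 1
    return dict(counts)


def suspicious_clients(lines: List[str], threshold: int = 3) -> List[Tuple[str, int]]:
    """Clients whose protocol-error closures reach the threshold, busiest first."""
    flagged = []
    for client, codes in closures_by_client(lines).items():
        hits = sum(n for code, n in codes.items() if code in PROTOCOL_ERROR_CODES)
        if hits >= threshold:
            flagged.append((client, hits))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def describe(code: str) -> str:
    """Human-readable meaning of a closure code, per Table 5.3."""
    return CONNECTION_CODES.get(code, "undocumented code")


# Constructed sample log: one client repeatedly tripping BER checks, one clean unbind.
SAMPLE_ACCESS_LOG = """\
[09/Jan/2009:13:15:16 -0500] conn=10 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[09/Jan/2009:13:15:16 -0500] conn=10 op=-1 fd=64 closed - B1
[09/Jan/2009:13:15:17 -0500] conn=11 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[09/Jan/2009:13:15:17 -0500] conn=11 op=-1 fd=64 closed - B2
[09/Jan/2009:13:15:18 -0500] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[09/Jan/2009:13:15:18 -0500] conn=12 op=-1 fd=64 closed - B1
[09/Jan/2009:13:15:19 -0500] conn=13 fd=65 slot=65 connection from 198.51.100.5 to 192.0.2.1
[09/Jan/2009:13:15:19 -0500] conn=13 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[09/Jan/2009:13:15:25 -0500] conn=13 op=1 UNBIND
[09/Jan/2009:13:15:25 -0500] conn=13 op=1 fd=65 closed - U1
"""

if __name__ == "__main__":
    for client, hits in suspicious_clients(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{client}: {hits} protocol-error closures")
```

Because fd numbers are reused, the join is keyed on conn= rather than fd=; a closure whose connection was opened before the start of the log window is attributed to "unknown" rather than to whichever client last held that descriptor.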
210. …ctions. If a hostname is given as the nsslapd-securelistenhost value, then the Directory Server responds to requests for every interface associated with the hostname. If a single IP interface (either IPv4 or IPv6) is given as the nsslapd-securelistenhost value, Directory Server only responds to requests sent to that specific interface. Either an IPv4 or IPv6 address can be used. The server has to be restarted for changes to this attribute to go into effect.
Entry DN: cn=config
Valid Values: Any secure hostname, IPv4 or IPv6 address
Default Value: (none)
Syntax: DirectoryString
Example: nsslapd-securelistenhost: ldaps.example.com

2.3.1.101 nsslapd-securePort (Encrypted Port Number)
This attribute sets the TCP/IP port number used for SSL/TLS communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Specifying a port number of less than 1024 requires that Directory Server be started as root. The server sets its uid to the nsslapd-localuser value after startup. The server only listens on this port if it has been configured with a private key and a certificate and nsslapd-security is set to on; otherwise, it does not listen on this port.
The server has to be restarted for the port number change to be taken into account.
Entry DN: cn=config
Valid…
211. …ctories becoming corrupted.
The use of this attribute causes internal Directory Server database files to be moved to the directory referenced by the attribute. It is possible, but unlikely, that the server will no longer start after the files have been moved because not enough memory can be allocated. This is a symptom of an overly large database cache size being configured for the server. If this happens, reduce the database cache size to a value at which the server will start again.
Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Values: Any valid directory name in a tmpfs filesystem, such as /tmp
Default Value: (none)
Syntax: DirectoryString
Example: nsslapd-db-home-directory: /tmp/slapd-phonebook

3.4.1.11 nsslapd-db-idl-divisor
This attribute specifies the index block size in terms of the number of blocks per database page. The block size is calculated by dividing the database page size by the value of this attribute. A value of 1 makes the block size exactly equal to the page size. The default value of 0 sets the block size to the page size minus an estimated allowance for internal database overhead. For the majority of installations, the default value should not be changed unless there are specific tuning needs. Before modifying the value of this attribute, export all databases usi…
212. …d
nsslapd-db-dirty-pages: This attribute shows the dirty pages currently in the cache.
nsslapd-db-hash-buckets: This attribute shows the number of hash buckets in the buffer hash table.
nsslapd-db-hash-elements-examine-rate: This attribute shows the total number of hash elements traversed during hash table lookups.
nsslapd-db-hash-search-rate: This attribute shows the total number of buffer hash table lookups.
nsslapd-db-lock-conflicts: This attribute shows the total number of locks not immediately available due to conflicts.
nsslapd-db-lock-region-wait-rate: This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-lock-request-rate: This attribute shows the total number of locks requested.
nsslapd-db-lockers: This attribute shows the number of current lockers.
nsslapd-db-log-bytes-since-checkpoint: This attribute shows the number of bytes written to this log since the last checkpoint.
nsslapd-db-log-region-wait-rate: This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-log-write-rate: This attribute shows the number of megabytes and bytes written to this log.
nsslapd-db-longest-chain-length: This attribute shows the longest chain ever encountered in buffer hash table lookups.
nsslapd-db-page-create-rate: This attr…
213. …d, which will then be encrypted using the DES reversible password encryption scheme. Because the scheme is reversible, anyone who can read the configuration entry can recover the plaintext credential, so the file holding it needs the same protection as the password itself.
Default Value: (none)
Syntax: DirectoryString
Example: nsMultiplexorCredentials: {DES}9EkKo69APCJfF

3.5.3.5 nsHopLimit
This attribute specifies the maximum number of times a database is allowed to chain; that is, the number of times a request can be forwarded from one database link to another.
Entry DN: cn=database link name,cn=chaining database,cn=plugins,cn=config
Valid Range: 1 to an appropriate upper limit for the deployment
Default Value: 10
Syntax: Integer
Example: nsHopLimit: 3

3.5.3.6 nsUseStartTLS
This attribute sets whether to use Start TLS to initiate a secure, encrypted connection over an insecure port. This attribute can be used if the nsBindMechanism attribute is set to EXTERNAL but the farm server URL is set to the standard URL (ldap://), or if the nsBindMechanism attribute is left empty.
Entry DN: cn=database link name,cn=chaining database,cn=plugins,cn=config
Valid Values: off | on
Default Value: (none)
Syntax: DirectoryString
Example: nsUseStartTLS: on

3.5.4 Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
Attributes used for monitoring activity on…
214. …d Values: 0 (off) to any reasonable integer
Default Value: 0
Syntax: Integer
Example: passwordGraceLimit: 3

2.3.1.118 passwordGraceUserTime
This attribute counts the number of attempts the user has made with the expired password. This is an operational attribute, meaning its value is managed by the server and the attribute is not returned in default searches.
Entry DN: cn=config
Valid Values: none to any reasonable integer
Default Value: none
Syntax: Integer
Example: passwordGraceUserTime: 1

2.3.1.119 passwordHistory (Password History)
Enables password history. Password history refers to whether users are allowed to reuse passwords. By default, password history is disabled, and users can reuse passwords. If this attribute is set to on, the directory stores a given number of old passwords and prevents users from reusing any of the stored passwords. Set the number of old passwords the Directory Server stores using the passwordInHistory attribute. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordHistory: on

2.3.1.120 passwordInHistory (Number of Passwords to Remember)
Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cann…
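The password-policy attributes spread across this page (passwordExp and passwordMaxAge in the passwordpolicy object class, passwordWarning, passwordUnlock with accountUnlockTime, passwordGraceLimit with passwordGraceUserTime, and passwordHistory with passwordInHistory) interact at bind time and at password-change time in a way the individual attribute descriptions do not show together. The following is an added example, not code from the Red Hat documentation or from Directory Server, that models those rules as the page states them: a bind with the correct password is refused while the account is locked (indefinitely when passwordUnlock is off or accountUnlockTime is 0), is allowed with an expiry warning inside the passwordWarning window, consumes one of the passwordGraceLimit grace logins once expired, and a password change is refused when the new value is among the last passwordInHistory values. The per-user timestamp and the plain-string history are bookkeeping assumed for the example; the server keeps equivalent operational data and stores hashed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Policy attributes named on this page (values in seconds or counts)."""
    passwordExp: bool = False          # do passwords expire at all
    passwordMaxAge: int = 8640000      # seconds until expiry
    passwordWarning: int = 86400       # seconds before expiry to start warning
    passwordGraceLimit: int = 0        # binds allowed after expiry; 0 = none
    passwordUnlock: bool = True        # on: time-based unlock; off: admin reset only
    passwordHistory: bool = False
    passwordInHistory: int = 6


@dataclass
class AccountState:
    """Per-user state. password_changed_at and history are assumed bookkeeping
    for this example; the server keeps equivalent operational attributes."""
    password_changed_at: int
    passwordGraceUserTime: int = 0             # binds already made with an expired password
    locked: bool = False
    accountUnlockTime: Optional[int] = None    # epoch seconds; 0 means no scheduled unlock
    history: List[str] = field(default_factory=list)  # most recent last; includes the current password


@dataclass
class BindResult:
    allowed: bool
    reason: str
    warning_seconds_left: Optional[int] = None
    grace_logins_left: Optional[int] = None


def evaluate_bind(policy: PasswordPolicy, state: AccountState, now: int) -> BindResult:
    """Decide whether a bind with the correct password may proceed, and what
    the client should be told (expiry warning, grace logins remaining)."""
    if state.locked:
        # passwordUnlock=off, or an unlock time of 0, means locked until an
        # administrator resets the password (see passwordUnlock on this page).
        if not policy.passwordUnlock or not state.accountUnlockTime:
            return BindResult(False, "account locked until administrator resets the password")
        if now < state.accountUnlockTime:
            return BindResult(False, f"account locked for {state.accountUnlockTime - now} more seconds")
        state.locked = False  # lockout period has elapsed

    if not policy.passwordExp:
        return BindResult(True, "ok")

    expires_at = state.password_changed_at + policy.passwordMaxAge
    if now >= expires_at:
        # Expired: passwordGraceLimit binds are still allowed, counted in
        # passwordGraceUserTime, then the user is refused.
        if state.passwordGraceUserTime < policy.passwordGraceLimit:
            state.passwordGraceUserTime += 1
            left = policy.passwordGraceLimit - state.passwordGraceUserTime
            return BindResult(True, "password expired; grace login used", grace_logins_left=left)
        return BindResult(False, "password expired and no grace logins remain")

    seconds_left = expires_at - now
    if seconds_left <= policy.passwordWarning:
        # Inside the passwordWarning window: bind succeeds with an expiring control.
        return BindResult(True, "ok, expiry warning", warning_seconds_left=seconds_left)
    return BindResult(True, "ok")


def change_password(policy: PasswordPolicy, state: AccountState, new_password: str, now: int) -> bool:
    """Apply passwordHistory / passwordInHistory, then record the change.
    Plain strings stand in for the hashed values the server actually stores."""
    if policy.passwordHistory and new_password in state.history[-policy.passwordInHistory:]:
        return False
    state.history.append(new_password)
    state.history = state.history[-max(policy.passwordInHistory, 1):]
    state.password_changed_at = now
    state.passwordGraceUserTime = 0  # a fresh password starts a new grace budget
    return True


if __name__ == "__main__":
    policy = PasswordPolicy(passwordExp=True, passwordMaxAge=100, passwordWarning=30, passwordGraceLimit=2)
    user = AccountState(password_changed_at=0)
    for t in (50, 80, 120, 121, 122):
        print(t, evaluate_bind(policy, user, t))
```

The order of the checks is the point worth keeping: lockout is evaluated before expiry, so a locked account never burns a grace login, and a successful password change resets passwordGraceUserTime so the grace budget is per password rather than per account lifetime.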
216. …d is a string of characters in the format 00-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX. Use this option to import the same LDIF file into two different Directory Servers when the contents of both directories should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server regardless of the options specified.
-G namespaceId: Generates a namespace ID as a name-based unique ID. This is the same as specifying the -g deterministic option.
-i filename: Specifies the filename of the input LDIF file(s). When multiple files are imported, they are imported in the order they are specified on the command line.
-j filename: Specifies the path, including the filename, to the file that contains the password associated with the user DN.
-n backendInstance: Specifies the instance to be imported.
-O: Requests that only the core database is created, without attribute indexes.
-s includeSuffix: Specifies the suffixes to be included, or specifies the subtrees to be included if -n has been used.
-v: Specifies verbose mode.
-w password: Specifies the password associated with the user DN. Prefer -j or -W in scripts, since a password given with -w is visible in the process listing.
-W: Prompts for the password associated with the user DN.
-x excludeSuffix: Specifies the suffixes to be excluded.
Table 7.24. ldif2db.pl Options

7.4.8 logconv.pl (Log Converter…
217. d mail groups. 50ns-value.ldif: Schema for server's value item attributes. 50ns-web.ldif: Schema for Netscape Web Server. 60pam-plugin.ldif: Reserved for future use. 99user.ldif: User-defined schema, maintained by Directory Server replication consumers, which contains the attributes and object classes from the suppliers. Table 2.1. Directory Server LDIF Configuration Files.
Chapter 2. Core Server Configuration Reference
2.1.2. How the Server Configuration Is Organized. The dse.ldif file contains all configuration information, including directory-specific entries created by the directory at server startup, such as entries related to the database. The file includes the root Directory Server entry (or DSE, named by "") and the contents of cn=config and cn=monitor. When the server generates the dse.ldif file, it lists the entries in hierarchical order, in the order that the entries appear in the directory under cn=config, which is usually the same order in which an LDAP search of subtree scope for base cn=config returns the entries. dse.ldif also contains the cn=monitor entry, which is mostly read-only but can have ACIs set on it. NOTE: The dse.ldif file does not contain every attribute in cn=config. If an attribute has not been set by the administrator and has a default value, the server will not write it to dse.ldif. To see every attribute in cn=config, use ldapsearch. 2.1.2.1. Configuration
218. d to allow migration. This encryption scheme is used only for reversible encryption and is available for certain plug-ins; it is not intended for password storage. This storage scheme is not very secure and is included only for compatibility with legacy servers and to allow migration.
NS-MTA-MD5: The NS-MTA-MD5 password storage scheme cannot be used to hash new passwords. The storage scheme is still present for backward compatibility, for any entries stored in the directory with passwords hashed with the NS-MTA-MD5 password storage scheme.
SHA: If there are no passwords hashed using the SHA password storage scheme, this plug-in can be turned off. Instead of hashing passwords with the unsalted SHA password storage scheme, Red Hat recommends choosing SSHA, because it is more secure.
SHA256: Use SHA256 or higher to hash passwords, because these are stronger schemes.
SHA384: This storage scheme is recommended for password storage because of its strength.
SHA512: This storage scheme is recommended for password storage because of its strength.
SSHA: This is recommended instead of SHA because it is a stronger (salted) scheme. However, Red Hat recommends using at least the SSHA256 storage scheme or higher, because these are stronger schemes.
SSHA256: Use SSHA256 or higher to hash passwords
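The salted schemes in the table above ({SSHA}, {SSHA256} and up) differ from the unsalted {SHA} family in how the stored value is built. The following Python is an added example, not code from the Red Hat manual or from the Directory Server itself. It assumes the common layout {SCHEME} followed by base64(digest || salt), with the salt appended after the digest, and an 8-byte random salt; the verifier recovers the salt from the tail of the decoded value, so any salt length is accepted. The last function shows the practical weakness of unsalted {SHA}: two accounts with the same password store the same bytes, so a dump of userPassword exposes shared passwords and one precomputed table cracks all of them.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scheme tag -> (hash constructor, digest length in bytes)
SCHEMES = {
    "SHA": (hashlib.sha1, 20),
    "SSHA": (hashlib.sha1, 20),
    "SHA256": (hashlib.sha256, 32),
    "SSHA256": (hashlib.sha256, 32),
    "SHA384": (hashlib.sha384, 48),
    "SSHA384": (hashlib.sha384, 48),
    "SHA512": (hashlib.sha512, 64),
    "SSHA512": (hashlib.sha512, 64),
}


def hash_password(password: str, scheme: str = "SSHA256",
                  salt: Optional[bytes] = None) -> str:
    """Build a userPassword value of the form {SCHEME}base64(...).

    Salted schemes (tag starts with "SS") hash password||salt and append the
    salt to the digest so a verifier can recover it.  Unsalted schemes hash
    the bare password; 'salt' is ignored for them.  The 8-byte salt length is
    an assumption of this example.
    """
    scheme = scheme.upper()
    ctor, _ = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if scheme.startswith("SS"):
        salt = os.urandom(8) if salt is None else salt
        blob = ctor(pw + salt).digest() + salt
    else:
        blob = ctor(pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SCHEME}base64 value."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    tag, b64 = stored[1:].split("}", 1)
    tag = tag.upper()
    if tag not in SCHEMES:
        return False  # unknown or legacy scheme: never fall back to a plaintext compare
    ctor, dlen = SCHEMES[tag]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest, salt = blob[:dlen], blob[dlen:]
    pw = password.encode("utf-8")
    if tag.startswith("SS"):
        candidate = ctor(pw + salt).digest()
    else:
        if salt:  # an unsalted value must decode to exactly one digest
            return False
        candidate = ctor(pw).digest()
    # constant-time comparison so a verifier does not leak matching prefixes
    return hmac.compare_digest(candidate, digest)


def hashes_collide(scheme: str, password: str = "Summer2009") -> bool:
    """True when two entries with the same password store identical values.

    Unsalted schemes always collide; salted schemes differ on every call.
    """
    return hash_password(password, scheme) == hash_password(password, scheme)
```

Only the scheme tag decides how the value is interpreted, so a directory that still holds {SHA} values keeps verifying them while new passwords are written with {SSHA256}; rehash on the next successful bind rather than trying to convert the stored digests, which is impossible without the plaintext.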
219. de from the exported LDIF file. Entry DN: cn=task_name,cn=export,cn=tasks,cn=config. Valid Values: Any DN. Default Value: None. Syntax: DN, multi-valued. Example: ou=machines,dc=example,dc=com.
nsUseOneFile: This attribute sets whether to export all Directory Server instances to a single LDIF file or to separate LDIF files. Entry DN: cn=task_name,cn=export,cn=tasks,cn=config. Valid Values: true | false. Default Value: false. Syntax: Case-insensitive string. Example: nsUseOneFile: true.
nsExportReplica: This attribute identifies whether the exported database will be used in replication. For replicas, the proper attributes and settings will be included with the entry to initialize the replica automatically. Entry DN: cn=task_name,cn=export,cn=tasks,cn=config. Valid Values: true | false. Default Value: false. Syntax: Case-insensitive string. Example: nsExportReplica: true.
nsPrintKey: This attribute sets whether to print the entry ID number as the entry is processed by the export task. Entry DN: cn=task_name,cn=export,cn=tasks,cn=config. Valid Values: true | false. Default Value: true. Syntax: Case-insensitive string. Example: nsPrintKey: false.
nsUseId2Entry: The nsUseId2Entry attribute uses the main database index, id2entry, to define the exported LDIF entries. Parameter: Entry DN. Val
220. dexes,cn=config,cn=ldbm database,cn=plugins,cn=config. Valid Values: pres (presence index), eq (equality index), approx (approximate index), sub (substring index), matching rule (international index), index browse (browsing index). Default Value: None. Syntax: DirectoryString. Example: nsIndexType: eq.
3.4.5.5. nsMatchingRule. This optional, multi-valued attribute specifies the ordering matching rule name or OID used to match values and to generate index keys for the attribute. This is most commonly used to ensure that equality and range searches work correctly for languages other than English (7-bit ASCII). It is also used to allow range searches to work correctly for integer-syntax attributes that do not specify an ordering matching rule in their schema definition; uidNumber and gidNumber are two commonly used attributes that fall into this category. For example, for a uidNumber that uses integer syntax, the rule attribute could be nsMatchingRule: integerOrderingMatch. NOTE: Any change to this attribute will not take effect until the change is saved and the index is rebuilt using db2index, which is described in more detail in the Managing Indexes chapter of the Directory Server Administrator's Guide. Entry DN: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config.
Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
221. ding to the integer number of seconds specified. Log file for storing the changes, for example /var/log/dirsrv/slapd-instance_name/referint. All the additional attribute names to be checked for referential integrity. Dependencies: Database. Performance Related Information: The Referential Integrity Plug-in should be enabled only on one master in a multi-master replication environment, to avoid conflict resolution loops. When enabling the plug-in on chained servers, be sure to analyze the performance, resource, and time needs as well as the integrity needs; integrity checks can be time consuming and demanding on memory and CPU. All attributes specified must be indexed for both presence and equality. Further Information: See the Managing Indexes chapter for information about how to index attributes used for referential integrity checking, and the Configuring Directory Databases chapter in the Directory Server Administrator's Guide.
3.1.29. Retro Changelog Plug-in. Plug-in Name: Retro Changelog Plug-in. DN of Configuration Entry: cn=Retro Changelog Plugin,cn=plugins,cn=config. Description: Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The retro changelog offers the same functionality as the changelog in the 4.x versions of Directory Server. This plug-in exposes the cn=chan
222. diskspace attribute 15, nsslapd-accesslog-logrotationsync-enabled attribute 15, nsslapd-accesslog-logrotationsynchour attribute 15, nsslapd-accesslog-logrotationsyncmin attribute 16, nsslapd-accesslog-logrotationtime attribute 16, nsslapd-accesslog-maxlogsize attribute 17, nsslapd-accesslog-maxlogsperdir attribute 17, nsslapd-accesslog-mode attribute 18, nsslapd-allow-unauthenticated-binds attribute 18, nsslapd-attribute-name-exceptions attribute 19, nsslapd-auditlog-list attribute 20, nsslapd-auditlog-logexpirationtime attribute 20, nsslapd-auditlog-logexpirationtimeunit attribute 21, nsslapd-auditlog-logging-enabled attribute 21, nsslapd-auditlog-logmaxdiskspace attribute 22, nsslapd-auditlog-logminfreediskspace attribute 22, nsslapd-auditlog-logrotationsync-enabled attribute 22, nsslapd-auditlog-logrotationsynchour attribute 23, nsslapd-auditlog-logrotationsyncmin attribute 23, nsslapd-auditlog-logrotationtime attribute 23, nsslapd-auditlog-logrotationtimeunit attribute 24, nsslapd-auditlog-maxlogsize attribute 24, nsslapd-auditlog-maxlogsperdir attribute 25, nsslapd-auditlog-mode attribute 25, nsslapd-backend attribute 79, nsslapd-cache-autosize attribute 166, nsslapd-cache-autosize-split attribute 167, nsslapd-cachememsize attribute 180, nsslapd-cachesize attribute 179, nsslapd-certmap-basedn attribute 26, nsslapd-changelogdir attribute 71, nsslapd-changelogmaxage attribute 72, nsslapd-changelogmaxentries attribute 72, nssla
223. dministrator's Guide, which defines the virtual list base DN, scope, and filter. The nsIndexVLVAttribute value is the browsing index entry, and the VLV creation task is run according to the browsing index entry parameters. Entry DN: cn=task_name,cn=index,cn=tasks,cn=config. Valid Values: Any attribute, followed by the index type, which can be pres (presence), eq (equality), approx (approximate), and sub (substring). Syntax: Case-insensitive string, multi-valued. Example: nsIndexAttribute: cn:pres,eq and nsIndexAttribute: description:sub.
2.3.15.7. cn=schema reload task. The directory schema is loaded when the directory instance is started or restarted. Any changes to the directory schema, including adding custom schema elements, are not loaded automatically and available to the instance until the server is restarted or a schema reload task is initiated. Custom schema changes can be reloaded dynamically, without having to restart the Directory Server instance. This is done by initiating a schema reload task through creating a new task entry under the cn=tasks entry. The custom schema file can be located in any directory; if not specified with the schemadir attribute, the server reloads the schema from the default /etc/dirsrv/slapd-instance_name/schema directory. IMPORTANT: Any schema loaded from another directory m
224. e directory is lib64.
Chapter 4. Server Instance File Reference
Log files: /var/log/dirsrv/slapd-instance_name. PID file: /var/run/dirsrv. Tools: /usr/bin, /usr/sbin, /usr/lib64/mozldap6. Instance directory: /usr/lib64/dirsrv/slapd-instance. Table 4.2. Red Hat Enterprise Linux 4 and 5 x86_64.
Backup files: /var/opt/dirsrv/slapd-instance/bak. Configuration files: /etc/opt/dirsrv/slapd-instance. Database files: /var/opt/dirsrv/slapd-instance/db. Runtime files: /var/opt/dirsrv/instance. LDIF files: /var/opt/dirsrv/slapd-instance/ldif. Log files: /var/opt/log/dirsrv/slapd-instance. Tools: /opt/dirsrv/bin, /opt/dirsrv/sbin. Instance directory: /opt/dirsrv/slapd-instance. Libraries: /opt/dirsrv/lib. Table 4.3. HP-UX 11i IA64.
4.2. Backup Files. Each Directory Server instance contains the following directory and file for storing backup-related files. /var/lib/dirsrv/slapd-instance_name/bak: This contains a directory named with the instance_name and the time and date of the database backup, such as instance_name-2009_05_02_16_56_05, which in turn holds the database backup copy. /etc/dirsrv/slapd-instance_name/dse_original.ldif: This is a backup copy of the dse.ldif configuration file from the time of installation.
4.3. Configuration Files. Each Directory Server instance stores its configuration files in the /etc/dirsrv/sl
225. e. Syntax: Case-exact string. Example: nsDatabaseType: ldbm database.
2.3.15.5. cn=restore. A database can be restored through the command line by creating a special task entry which defines the parameters of the task and initiates the task. As soon as the task is complete, the task entry is removed from the directory. The cn=restore entry is a container entry for task operations to restore a database. The cn=restore entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID,cn=restore,cn=tasks,cn=config, uses the following attributes to define the restore task. A restore task entry under cn=restore must contain the location of the directory from which to retrieve the archive copy, in the nsArchiveDir attribute, and the type of database being restored, in the nsDatabaseType attribute. Additionally, it must contain a unique cn to identify the task. For example:

dn: cn=example restore,cn=restore,cn=tasks,cn=config
objectclass: extensibleObject
cn: example restore
nsArchiveDir: /export/backups/
nsDatabaseType: ldbm database

As the restore operation runs, the task entry will contain all of the server-generated task attributes listed in Section 2.3.15.1, Task Invocation Attributes for Entries under cn=tasks. nsArchiveDir: For a restore task, this attribute gives the location of the directory that holds the backup to be restored.
226. e: 100000.
2.3.1.9. nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space). This attribute sets the minimum allowed free disk space, in megabytes. When the amount of free disk space falls below the value specified in this attribute, the oldest access logs are deleted until enough disk space is freed to satisfy this attribute. Entry DN: cn=config. Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647). Default Value: -1. Syntax: Integer. Example: nsslapd-accesslog-logminfreediskspace: -1.
2.3.1.10. nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled). This attribute sets whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier, because they then map directly to the calendar. For access log rotation to be synchronized with the time of day, this attribute must be enabled, with the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files. For example, to rotate access log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-accesslog-logrotationsynchour and
227. e. Default Value: off. Syntax: DirectoryString.
2.3.1.65. nsslapd-ldapientrysearchbase (Search Base for LDAPI Authentication Entries). With autobind, it is possible to map system users to Directory Server user entries based on the system user's UID and GID numbers. This requires setting Directory Server parameters for which attribute to use for the UID number (nsslapd-ldapiuidnumbertype) and the GID number (nsslapd-ldapigidnumbertype), and setting the search base to use to search for matching user entries. The nsslapd-ldapientrysearchbase attribute gives the subtree to search for user entries to use for autobind. Entry DN: cn=config. Valid Values: DN. Default Value: The suffix created when the server instance was created, such as dc=example,dc=com. Syntax: DN. Example: nsslapd-ldapientrysearchbase: ou=people,dc=example,dc=com.
2.3.1.66. nsslapd-ldapifilepath (File Location for LDAPI Socket). LDAPI connects a user to an LDAP server over a UNIX socket rather than over TCP. In order to configure LDAPI, the server must be configured to communicate over a UNIX socket. The UNIX socket to use is set in the nsslapd-ldapifilepath attribute. Entry DN: cn=config. Valid Values: Any directory path. Default Value: /var/run/dirsrv/slapd-example.socket. Syntax: Case-exact string. Example: nsslapd-ldapifilepath: /var/run/slapd-example.socket.
2.3.1.67. nsslapd-ldapigidnu
228. e. In task mode, the import operation runs as a general Directory Server operation. The nsslapd-import-cache-autosize attribute enables the import cache to be set automatically to a predetermined size when the import operation is run on the command line. The attribute can also be used by Directory Server during a task-mode import for allocating a specified percentage of free memory to the import cache. By default, the nsslapd-import-cache-autosize attribute is enabled and is set to a value of -1. This value autosizes the import cache for the ldif2db operation only, automatically allocating fifty percent (50%) of the free physical memory to the import cache. The percentage value (50%) is hard-coded and cannot be changed. Setting the attribute value to 50 (nsslapd-import-cache-autosize: 50) has the same effect on performance during an ldif2db operation. However, such a setting will also have that effect on performance when the import operation is run as a Directory Server task. The -1 value autosizes the import cache just for the ldif2db operation and not for any general Directory Server tasks, including import. NOTE: The purpose of a -1 setting is to enable the ldif2db operation to benefit from free physical memory but, at the same time, not compete for valuable memory with the entry cache, which is used for general operations of the Directory Server. Setting the nsslapd-import-cache-autosize attribute value to 0 turns off the import cach
229. e autosizing feature; that is, no autosizing occurs during either mode of the import operation. Instead, Directory Server uses the nsslapd-import-cachesize attribute for the import cache size, with a default value of 20000000. There are three caches in the context of Directory Server: the database cache, the entry cache, and the import cache. The import cache is only used during the import operation. The nsslapd-cache-autosize attribute, which is used for autosizing the entry cache and database cache, is used during Directory Server operations only and not during the ldif2db command-line operation; the attribute value is the percentage of free physical memory to be allocated to the entry cache and database cache. If both autosizing attributes, nsslapd-cache-autosize and nsslapd-import-cache-autosize, are enabled, ensure that their sum is less than 100. Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config. Valid Range: -1 | 0 (turns import cache autosizing off) to 100. Default Value: -1 (turns import cache autosizing on for ldif2db only and allocates 50% of the free physical memory to the import cache). Syntax: Integer. Example: nsslapd-import-cache-autosize: -1.
Chapter 3. Plug-in Implemented Server Functionality Reference
3.4.1.24. nsslapd-mode. This attribute specifies the permissions used for newly created index files. Entry DN: cn=config
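The three values of nsslapd-import-cache-autosize described above behave differently depending on whether the import is a command-line ldif2db run or a cn=tasks import against the running server, and the manual adds the rule that the two autosizing percentages must sum to less than 100. The Python below is an added example, not code from the Red Hat manual or the Directory Server; it writes those rules out as functions so a configuration can be checked before an import. The reading that a -1 setting leaves a task-mode import at the fixed nsslapd-import-cachesize, and that -1 counts as a 50% share in the sum check, is this example's assumption; the memory figures in the usage are constructed.

```python
DEFAULT_IMPORT_CACHESIZE = 20_000_000  # bytes; the manual's default for nsslapd-import-cachesize
FIXED_AUTOSIZE_PERCENT = 50            # hard-coded share used when the value is -1


def import_cache_bytes(autosize: int, free_mem_bytes: int, task_mode: bool,
                       import_cachesize: int = DEFAULT_IMPORT_CACHESIZE) -> int:
    """Effective import cache size for one nsslapd-import-cache-autosize value.

    task_mode=False is the command-line ldif2db run; task_mode=True is an
    import submitted as a cn=tasks entry to the running server.
    """
    if not -1 <= autosize <= 100:
        raise ValueError("nsslapd-import-cache-autosize must be -1, 0 or 1..100, got %d" % autosize)
    if autosize == -1:
        # autosize only for the command-line run; a task-mode import keeps the
        # fixed size (assumption of this example, see the lead-in)
        if task_mode:
            return import_cachesize
        return free_mem_bytes * FIXED_AUTOSIZE_PERCENT // 100
    if autosize == 0:
        return import_cachesize  # autosizing off in both modes
    return free_mem_bytes * autosize // 100  # explicit percentage, both modes


def autosize_budget_problems(cache_autosize: int, import_cache_autosize: int) -> list:
    """Return configuration problems for the pair of autosize attributes.

    An empty list means the pair satisfies the manual's constraints.
    """
    problems = []
    if not 0 <= cache_autosize <= 100:
        problems.append("nsslapd-cache-autosize must be 0..100")
    if not -1 <= import_cache_autosize <= 100:
        problems.append("nsslapd-import-cache-autosize must be -1, 0 or 1..100")
    if problems:
        return problems
    effective_import = (FIXED_AUTOSIZE_PERCENT if import_cache_autosize == -1
                        else import_cache_autosize)
    if cache_autosize > 0 and effective_import > 0 and cache_autosize + effective_import >= 100:
        problems.append("nsslapd-cache-autosize (%d) plus the import cache share (%d) "
                        "must stay below 100" % (cache_autosize, effective_import))
    return problems


if __name__ == "__main__":
    free = 8_000_000_000  # constructed: 8 GB of free physical memory
    for value in (-1, 0, 25):
        print(value, import_cache_bytes(value, free, task_mode=False),
              import_cache_bytes(value, free, task_mode=True))
    print(autosize_budget_problems(60, -1))
```

The budget check matters on a consumer that is initialized with a task-mode import while serving reads: with nsslapd-cache-autosize at 60 and an explicit import share of 50, the two caches together claim more than the free memory the server measured, and the import competes with the entry cache the manual wants it to stay clear of.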
230. e,cn=replica,cn=suffixDN,cn=mapping tree,cn=config. Valid Values: 0 | 1. Default Value: None. Syntax: Integer. Example: nsDS5ReplicaReapActive: 0.
2.3.8.17. nsDS5BeginReplicaRefresh. Initializes the replica. This attribute is absent by default. However, if this attribute is added with a value of start, the server initializes the replica and removes the attribute value. To monitor the status of the initialization procedure, poll for this attribute. When initialization is finished, the attribute is removed from the entry, and the other monitoring attributes can be used for detailed status inquiries. Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config. Valid Values: stop | start. Default Value: None. Syntax: DirectoryString. Example: nsDS5BeginReplicaRefresh: start.
2.3.8.18. nsDS5ReplicaRoot. This attribute sets the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified. Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config. Valid Values: Suffix of the database being replicated (the same as suffixDN above). Default Value: None. Syntax: DirectoryString. Example: nsDS5ReplicaRoot:
231. e -n or the -s option must be specified. Options:
-d debugLevel: Specifies the debug level to use during runtime. For further information, refer to Section 2.3.1.44, nsslapd-errorlog-level (Error Log Level).
-D configDir: Specifies the location of the server configuration directory that contains the configuration information for the import process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
-E: Encrypts data during import. This option is used only if database encryption is enabled.
-g string: Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated. When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use, as follows: -g deterministic namespaceId. namespaceId is a string of characters in the format 00-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX. Use this option to import the same LDIF file into two different Directory Servers when the contents of both directories should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, the existing IDs are imported to the server regardless of the
232. e unless the authenticated user is the Directory Manager. The default value for the nsslapd-timelimit attribute is 3600 seconds. See Section 2.3.1.106, nsslapd-timelimit (Time Limit), for more information.
-p port: Specifies the TCP port number that the Directory Server uses. For example, -p 1049. The default is 389. If -Z is used, the default is 636.
-s scope: Specifies the scope of the search. The scope can be one of the following. base searches only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable. one searches only the immediate children of the entry specified in the -b option; only the children are searched, the actual entry specified in the -b option is not searched. sub searches the entry specified in the -b option and all of its descendants, that is, it performs a subtree search starting at the point identified in the -b option. This is the default.
-w password: Specifies the password associated with the distinguished name that is specified in the -D option. For example, -w diner892. If this option is not specified, anonymous access is used. If a dash (-) is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line, where it would be visible in the process list and shell history.
-x: Specifies that the search results are sorted on the server rather than on the client. This is us
233. e Reference. Result Code 36: ALIAS DEREFERENCING PROBLEM. Table 5.5. LDAP Result Codes.
Chapter 6. Command Line Utilities
This chapter contains reference information on the command-line utilities used with Red Hat Directory Server (Directory Server). These command-line utilities make it easy to perform administration tasks on the Directory Server.
6.1. Finding and Executing Command Line Utilities. The ldapsearch, ldapmodify, ldapdelete, and ldappasswd command-line utilities are provided as a separate package, called either mozldap-tools or mozldap6-tools, and the utilities are installed in /usr/lib/mozldap or /usr/lib/mozldap6, respectively. Depending on the package installed on the system, add that path to the PATH environment variable to use the command-line utilities. NOTE: On most Linux systems, OpenLDAP tools are already installed in the /usr/bin directory. These OpenLDAP tools are not supported for Directory Server operations. For the best results with the Directory Server, make sure the path to the Mozilla LDAP tools comes first in the PATH, or use the full path and file name for every LDAP operation. To use the Mozilla LDAP tools, ensure that /usr/lib/mozldap or /usr/lib/mozldap6 appears in the PATH variable before /usr/bin. The OpenLDAP tools can be used for Directory Server operations with certain cautions. The output of the other tools may be different, so it may not
234. e and password, and locates entries based on a specified search filter. Search scopes can include a single entry, an entry's immediate subentries, or an entire tree or subtree. Search results are returned in LDIF format. Syntax; Commonly Used ldapsearch Options; Persistent Search Options; SSL Options; SASL Options; Additional ldapsearch Options.
Syntax: ldapsearch -b basedn -s scope [optional_options] "(attribute=filter)" [optional_list_of_attributes]. For any value that contains a space, the value should be enclosed in double quotation marks. For example: -b "ou=groups, dc=example,dc=com".
optional_options: A series of command-line options. These must be specified before the search filter, if used.
filter: An LDAP search filter, as described in the Directory Server Administrator's Guide. Do not specify a search filter if search filters are supplied in a file using the -f option.
optional_list_of_attributes: A list of space-separated attributes that reduces the set of attributes returned in the search results. This list of attributes must appear after the search filter. For a usage example, see the Directory Server Administrator's Guide. If a list of attributes is not specified, the search returns values for all attributes permitted by the access control set in the directory, with the exception of operational attributes.
Table 6.2. ldapsearch Syntax
235. e executed while the server is still running, except with the -r option. To export the replication state information, shut down the server first, then run db2ldif with -r. For information on the equivalent Perl script, see Section 7.4.5, db2ldif.pl (Exports Database Contents to LDIF). For the shell scripts, the script runs the ns-slapd command-line utility with the db2ldif keyword. Ellipses indicate that multiple occurrences are allowed.
Syntax: db2ldif {-n backendInstance ... | -s includeSuffix ...} [-x excludeSuffix ...] [-r] [-C] [-u] [-U] [-m] [-M] [-a outputFile] [-1] [-N] [-E]
Options: Either the -n or the -s option must be specified. By default, the output LDIF is stored in one file. To specify the use of several files, use the -M option.
-1: Deletes, for reasons of backward compatibility, the first line of the LDIF file, which gives the version of the LDIF standard.
-n backendInstance: Gives the instance to be exported.
-a outputFile: Gives the name of the output LDIF file.
-C: Uses only the main database file.
-E: Decrypts encrypted data during export. This option is used only if database encryption is enabled.
-m: Sets minimal base-64 encoding.
-M: Uses multiple files for storing the output LDIF, with each instance stored in instance_filename, where filename is the filename specified for the -a option.
-N: Spe
236. e help information.
-i charset: Specifies the character set to use for command-line input. The default is the character set specified in the LANG environment variable. Use this option to perform the conversion from the specified character set to UTF-8, thus overriding the environment variable setting. This argument can input the bind DN, base DN, and the search filter pattern in the specified character set; ldapsearch converts the input from these arguments before it processes the search request. For example, -i no indicates that the bind DN, base DN, and search filter are provided in Norwegian. This argument only affects the command-line input; that is, if a file containing a search filter is specified with the -f option, ldapsearch will not convert the data in the file.
-J: Sends an arbitrary control. This option can be used in the following format to retrieve access control information on a specific entry: -J control_OID:boolean_criticality:dn:AuthID. control_OID is the OID for the get effective rights control, 1.3.6.1.4.1.42.2.27.9.5.2. boolean_criticality specifies whether the search operation should return an error if the server does not support this control (true) or whether the control should be ignored and the search allowed to return as normal (false). AuthID is the DN of the user whose rights to check.
-j filename: Contains the name of a file containing
237. e not identified with a connection number or operation number. Example 5.3, Error Log Excerpt, shows excerpts from an error log at the default logging level, which includes some task information, critical errors, and server startup messages.

[05/Jan/2009:02:27:22 -0500] slapi_ldap_bind - Error: could not send bind request for id [cn=repl manager,cn=config] mech [SIMPLE]: error 91 (Can't connect to the LDAP server)
[06/Jan/2009:17:52:04 -0500] schemareload - Schema reload task starts (schema dir: default)
[06/Jan/2009:17:52:04 -0500] schemareload - Schema validation passed.
[06/Jan/2009:17:52:04 -0500] schemareload - Schema reload task finished.
[07/Jan/2009:15:54:08 -0500] libdb: write: 0xb75646e5, 508: No space left on device
[07/Jan/2009:15:54:08 -0500] libdb: txn_checkpoint: log failed at LSN [22 7649039] No space left on device
[07/Jan/2009:15:54:08 -0500] - Serious Error: Failed to checkpoint database (err 28: No space left on device)
[07/Jan/2009:15:54:08 -0500] - DISK FULL
[07/Jan/2009:15:54:08 -0500] - Attempting to shut down gracefully.
[07/Jan/2009:15:54:08 -0500] - slapd shutting down - signaling operation threads
[07/Jan/2009:15:54:08 -0500] - slapd shutting down - closing down internal subsystems and plugins
[07/Jan/2009:15:54:11 -0500] - Waiting for 3 database threads to stop
[07/Jan/2009:15:54:11 -0500] - All database threads now stopped
[07/Jan/2009:15:54:12 -0500] - slapd stopped.
Red Hat Directory 8.1.4 B2008
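The excerpt above is the kind of sequence an operator wants to catch automatically: a replication bind failure, then a full disk, a failed checkpoint, and an unplanned shutdown. The Python below is an added example, not code from the Red Hat manual or the Directory Server; it parses error-log lines of the shape shown above (bracketed timestamp, optional component before " - ", libdb lines prefixed "libdb:") and runs a few detection rules over them. The sample log embedded in the block is constructed for this example, modelled on the excerpt, and is not a real capture; the rule names and severities are this example's choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on Example 5.3; not a real capture.
SAMPLE_ERROR_LOG = """\
[05/Jan/2009:02:27:22 -0500] slapi_ldap_bind - Error: could not send bind request for id [cn=repl manager,cn=config] mech [SIMPLE]: error 91 (Can't connect to the LDAP server)
[06/Jan/2009:17:52:04 -0500] schemareload - Schema reload task starts (schema dir: default)
[06/Jan/2009:17:52:04 -0500] schemareload - Schema validation passed.
[06/Jan/2009:17:52:04 -0500] schemareload - Schema reload task finished.
[07/Jan/2009:15:54:08 -0500] libdb: write: 0xb75646e5, 508: No space left on device
[07/Jan/2009:15:54:08 -0500] libdb: txn_checkpoint: log failed at LSN [22 7649039] No space left on device
[07/Jan/2009:15:54:08 -0500] - Serious Error: Failed to checkpoint database (err 28: No space left on device)
[07/Jan/2009:15:54:08 -0500] - DISK FULL
[07/Jan/2009:15:54:08 -0500] - Attempting to shut down gracefully.
[07/Jan/2009:15:54:08 -0500] - slapd shutting down - signaling operation threads
[07/Jan/2009:15:54:08 -0500] - slapd shutting down - closing down internal subsystems and plugins
[07/Jan/2009:15:54:11 -0500] - Waiting for 3 database threads to stop
[07/Jan/2009:15:54:11 -0500] - All database threads now stopped
[07/Jan/2009:15:54:12 -0500] - slapd stopped.
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<rest>.*)$")


@dataclass
class ErrorEvent:
    timestamp: str   # as written, e.g. 07/Jan/2009:15:54:08 -0500
    source: str      # component before " - "; "libdb" for libdb lines; "" when absent
    message: str


def parse_line(line: str) -> Optional[ErrorEvent]:
    """Split one error-log line into timestamp, source and message."""
    m = LINE_RE.match(line)
    if not m:
        return None  # continuation line or unrelated text
    ts, rest = m.group("ts"), m.group("rest")
    if rest.startswith("- "):
        return ErrorEvent(ts, "", rest[2:])
    if rest.startswith("libdb:"):
        return ErrorEvent(ts, "libdb", rest[len("libdb:"):].strip())
    if " - " in rest:
        src, msg = rest.split(" - ", 1)
        return ErrorEvent(ts, src, msg)
    return ErrorEvent(ts, "", rest)


def parse_log(text: str) -> List[ErrorEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


# rule name -> (severity, pattern applied to the message text); this example's choice
RULES = {
    "disk_full": ("critical", re.compile(r"DISK FULL|No space left on device")),
    "checkpoint_failed": ("critical", re.compile(r"Failed to checkpoint database")),
    "repl_bind_failed": ("warning", re.compile(r"could not send bind request")),
    "shutdown": ("warning", re.compile(r"slapd stopped|shut(ting)? down")),
}


def detect(text: str) -> Dict[str, List[ErrorEvent]]:
    """Return, per rule, the events whose message matched it."""
    hits = {name: [] for name in RULES}
    for ev in parse_log(text):
        for name, (_, pattern) in RULES.items():
            if pattern.search(ev.message):
                hits[name].append(ev)
    return hits


def severity(hits: Dict[str, List[ErrorEvent]]) -> str:
    """Highest severity among the rules that fired: critical, warning or ok."""
    fired = {RULES[name][0] for name, events in hits.items() if events}
    if "critical" in fired:
        return "critical"
    if "warning" in fired:
        return "warning"
    return "ok"


if __name__ == "__main__":
    hits = detect(SAMPLE_ERROR_LOG)
    for name, events in hits.items():
        print(name, [e.timestamp for e in events])
    print(severity(hits))
```

The disk-full rule fires on the two libdb lines before the server's own "DISK FULL" marker, which is the point to page on: once the checkpoint has failed the shutdown that follows is already unavoidable, and a server that stops without this trace in its log is what the audit and access logs (themselves candidates for running out of space) need to explain.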
238. e nsslapd-auditlog-logrotationsync-enabled is off. Syntax: Integer. Example: nsslapd-auditlog-logrotationsyncmin: 30.
2.3.1.30. nsslapd-auditlog-logrotationtime (Audit Log Rotation Time). This attribute sets the time between audit log file rotations. The audit log is rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If the nsslapd-auditlog-maxlogsperdir attribute is set to 1, the server ignores this attribute. Although it is not recommended, for performance reasons, to specify no log rotation, since the log then grows indefinitely, there are two ways of specifying this: either set the nsslapd-auditlog-maxlogsperdir attribute value to 1, or set the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first, and if this attribute value is larger than 1, the server then checks the nsslapd-auditlog-logrotationtime attribute. See Section 2.3.1.33, nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files), for more information. Entry DN: cn=config. Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the time between
239. e of file, for example, GIF and HTML. In the filename index.html, the file extension is html.
file type: The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved as ASCII text format. File types are usually identified by the file extension, for example, GIF or HTML.
filter: A constraint applied to a directory query that restricts the information returned.
filtered role: Allows you to assign entries to the role depending upon the attribute contained by each entry. You do this by specifying an LDAP filter. Entries that match the filter are said to possess the role.
general access: When granted, indicates that all authenticated users can access directory information.
GSS-API: Generic Security Services. The generic access protocol that is the native way for UNIX-based systems to access and authenticate Kerberos services; also supports session encryption.
Glossary, H. Terms on this page: hostname, HTML, HTTP, HTTPD, HTTPS, hub, ID list scan limit, index key, indirect CoS, international index, International Standards Organization, IP address, ISO, K, knowledge reference.
hostname: A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example and com domain.
HTML: Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browse
240. e.pl (Activates an Entry or Group of Entries). Activates an entry or group of entries.
Syntax: ns-activate.pl -D rootdn {-w password | -w - | -j filename} [-p port] [-h host] -I DN
Options:
-D rootdn: Specifies the Directory Server user DN with root permissions, such as Directory Manager.
-h host: Specifies the hostname of the Directory Server. The default value is the full hostname of the machine where Directory Server is installed.
-I DN: Specifies the entry DN or role DN to activate.
-j filename: Specifies the path, including the filename, to the file that contains the password associated with the user DN.
-p port: Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time.
-w password: Specifies the password associated with the user DN.
-w -: Prompts for the password associated with the user DN.
Opens the help page.
Table 7.29. ns-activate.pl Options
7.4.13. ns-inactivate.pl (Inactivates an Entry or Group of Entries). Inactivates, and consequently locks, an entry or group of entries.
Syntax: ns-inactivate.pl -D rootdn {-w password | -w - | -j filename} [-p port] [-h host] -I DN
Options:
-D rootdn: Specifies the Directory Server user DN with root permissions, such as Directory Manager.
-h host: Specifies
241. e rsa_rc4_40_md5
rsa_rc2_40_md5
rsa_des_sha
rsa_fips_des_sha
rsa_3des_sha
rsa_fips_3des_sha
For TLS:
tls_rsa_export1024_with_rc4_56_sha
tls_rsa_export1024_with_des_cbc_sha
Default Value:
Syntax: DirectoryString
Use the plus (+) symbol to enable or the minus (-) symbol to disable, followed by the ciphers. Blank spaces are not allowed in the list of ciphers. To enable all ciphers except rsa_null_md5, which must be specifically called, specify +all.
Example: nsslapd-SSL3ciphers: RSA_NULL_MD5,RC4_56_SHA,RC4_56_SHA
For more information, see the Managing SSL chapter in the Directory Server Administrator's Guide.
2.3.4. cn=features
There are no attributes for the cn=features entry itself. This entry is only used as a parent container entry, with the nsContainer object class. The child entries contain an oid attribute to identify the feature and the directoryServerFeature object class, plus optional identifying information about the feature, such as specific ACLs. For example:
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///all";)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=s
242. e sets whether to use SSL.
Syntax: DirectoryString
Multi- or Single-Valued: Multi-valued
2.5.2.14. LDAPReplica Object Class
This object class defines replication for 4.x and older servers. This object class is defined in Directory Server.
Superior Class: top
OID: 2.16.840.1.113730.3.2.36
Required Attributes
objectClass: Gives the object classes assigned to the entry.
Allowed Attributes
description: Gives a text description of the entry.
localityName: Gives the city or geographical location of the entry.
ou: Gives the organizational unit or division to which the account belongs.
seeAlso: Contains a URL to another entry or site with related information.
replicaRoot: Stores the root suffix to be replicated.
replicaHost: Stores the replica server's host name.
replicaPort: Stores the replica server's port number.
replicaBindDn: Stores the bind DN for the replica server.
replicaCredentials: Stores a password of replicaBindDn.
replicaBindMethod: Specifies the bind method.
replicaUseSSL: Specifies a flag whether or not to use SSL.
replicaUpdateSchedule: Schedule when the replica update occurs.
replicaUpdateReplayed: Stores the last replicated change number.
replicaUpdateFailedAt: Stores the timestamp of the last failed update attempt.
replicaBeginORC
243. e the script is running.
-i changelogFile: Specifies the path to the changelog file. If there is a changelog file and if certain changes in that file are base-64 encoded, use this option to decode that changelog.
-o outputFile: Specifies the path, including the filename, for the final result. Defaults to STDOUT if omitted.
-p port: Specifies the Directory Server's port. The default value is 389.
-P bindCert: Specifies the path, including the filename, to the certificate database that contains the certificate used for binding.
-r replicaRoots: Specifies the replica roots whose changelog to dump. When specifying multiple roots, use commas to separate roots. If the option is omitted, all the replica roots will be dumped.
-w bindPassword: Specifies the password for the bind DN.
Table 7.5. cl-dump Options
For information on the equivalent Perl script, see Section 7.4.2, cl-dump.pl (Dumps and Decodes the Changelog).
7.3.3. db2bak (Creates a Backup of a Database)
Creates a backup of the current database contents. This script can be executed while the server is still running.
Syntax
db2bak backupDirectory
For information on the equivalent Perl script, see Section 7.4.3, db2bak.pl (Creates a Backup of a Database).
7.3.4. db2ldif (Exports Database Contents to LDIF)
Exports the contents of the database to LDIF. This script can b
244. stop-slapd (Stops the Directory Server)
suffix2instance (Maps a Suffix to a Backend Name)
vlvindex (Creates Virtual List View Indexes)
7.4.1. bak2db.pl (Restores a Database from Backup)
7.4.2. cl-dump.pl (Dumps and Decodes the Changelog)
7.4.3. db2bak.pl (Creates a Backup of a Database)
7.4.4. db2index.pl (Creates and Generates Indexes)
7.4.5. db2ldif.pl (Exports Database Contents to LDIF)
7.4.6. fixup-memberof.pl (Regenerate memberOf Attributes)
7.4.7. ldif2db.pl Impo
7.4.8. logconv.pl (Log Converter)
7.4.9. migrate-ds.pl
7.4.10. migrate-ds-admin.pl
7.4.11. ns-accountsta
245. eath this entry, such as cn=task_ID,cn=memberof task,cn=tasks,cn=config, uses its attributes to define the individual update task.
basedn
This attribute gives the base DN to use to search for the user entries to update the memberOf attribute.
Entry DN: cn=task_name,cn=memberof task,cn=tasks,cn=config
Valid Values:
Default Value:
Syntax: DN
Example: basedn: ou=people,dc=example,dc=com
filter
This attribute gives an optional LDAP filter to use to select which user entries to update the memberOf attribute. Each member of a group has a corresponding user entry in the directory.
Entry DN: cn=task_name,cn=memberof task,cn=tasks,cn=config
Valid Values: Any LDAP filter
Default Value: (objectclass=*)
Syntax: DirectoryString
Example: filter: l=Sunnyvale
2.3.16. cn=uniqueid generator
The unique ID generator configuration attributes are stored under cn=uniqueid generator,cn=config. The cn=uniqueid generator entry is an instance of the extensibleObject object class.
nsState
This attribute saves the state of the unique ID generator across server restarts. This attribute is maintained by the server. Do not edit it.
Entry DN: cn=uniqueid generator,cn=config
Valid Values:
Default Value:
Syntax: Direc
246. ebugging
4096: Housekeeping thread debugging
8192: Replication debugging
16384: Default level of logging used for critical errors and other messages that are always written to the error log, for example server startup messages. Messages at this level are always included in the error log, regardless of the log level setting.
32768: Database cache debugging
65536: Server plug-in debugging. It writes an entry to the log file when a server plug-in calls slapi_log_error.
131072: Microsecond resolution for timestamps instead of the default seconds
262144: Access control summary information, much less verbose than level 128. This value is recommended for use when a summary of access control processing is needed. Use 128 for very detailed processing messages.
Default Value: 16384
Syntax: Integer
Example: nsslapd-errorlog-level: 8192
2.3.1.45. nsslapd-errorlog-list
This read-only attribute provides a list of error log files.
Entry DN: cn=config
Valid Values:
Default Value: None
Syntax: DirectoryString
Example: nsslapd-errorlog-list: errorlog2,errorlog3
2.3.1.46. nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
This attribute sets the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are giv
247. echanisms are supported, search the root DSE. See the -b option in Table 6.3, Commonly Used ldapsearch Options.
-o saslOption=value: Specifies SASL options. The format is -o saslOption=value. saslOption can have one of six values:
mech: the SASL authentication mechanism
authid: the user who is binding to the server (Kerberos principal)
authzid: a proxy authorization (ignored by the server since proxy authorization is not supported)
secProp: the security properties
realm: the Kerberos realm
flags
The expected values depend on the supported mechanism. The -o can be used multiple times to pass all of the required SASL information for the mechanism. For example:
-o mech=DIGEST-MD5 -o authzid=test_user -o authid=test_user
Table 6.13. SASL Options
See SASL Options for ldapsearch for information on how to use SASL options with ldapmodify.
Additional ldapmodify Options
-b: Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as JPEG. For example, to add a jpegPhoto attribute, specify the -b option on the ldapmodify call. In the LDIF provided to ldapmodify, include a line like the following:
248. ectory Server is installed.
Specifies the path, including the filename, to the file that contains the password associated with the user DN.
-p port: Specifies the Directory Server's port. The default value is 389 or the LDAP port of Directory Server specified at installation time.
-S suffixDN: Specifies the DN of the suffix entry that needs to be updated with subtree-level password policy attributes.
-U userDN: Specifies the DN of the user entry that needs to be updated with user-level password policy attributes.
-v: Verbose mode.
-w password: Specifies the password associated with the user DN.
Opens the help page.
Table 7.31. ns-newpwpolicy.pl Options
7.4.15. register-ds-admin.pl
The register-ds-admin.pl script can be used for two things:
Registering an existing Directory Server instance with a different Administration Server or Configuration Directory Server
Creating a new local Administration Server when only a Directory Server was installed previously
IMPORTANT
The register-ds-admin.pl script does not support external LDAP URLs, so the Directory Server instance must be registered against a local Administration Server.
Syntax
register-ds-admin.pl [--debug] [--log name]
Options
--debug (alternate options: -d, -dddd): This parameter turns on debugging information. For the -d flag
249. ectory Server Administrator's Guide.
3.1.20. Legacy Replication Plug-in
Plug-in Name: Legacy Replication Plug-in
DN of Configuration Entry: cn=Legacy Replication plug-in,cn=plugins,cn=config
Description: Enables a current version Directory Server to be a consumer of a 4.x supplier. This plug-in can be disabled if the server is not and never will be a consumer of a 4.x server.
Configurable Options: on | off
Default Setting: off
Configurable Arguments: None
Dependencies: Database
Performance Related Information: None
Further Information: See the Managing Replication chapter in the Directory Server Administrator's Guide.
3.1.21. MemberOf Plug-in
Plug-in Name: MemberOf
Configuration Entry DN: cn=MemberOf Plugin,cn=plugins,cn=config
Description: Manages the memberOf attribute on user entries based on the member attributes in the group entry.
Configurable Options: on | off
Default Setting: off
Configurable Arguments: memberofattr sets the attribute to generate in people's entries to show their group membership; memberofgroupattr sets the attribute to use to identify group members' DNs.
Dependencies: None
Performance Related Information: None
Further Information:
Table 3.2. Details of MemberOf Plug-in
3.1.22. Multi
250. ectory service successfully. Those concepts are contained in the Red Hat Directory Server Deployment Guide. You should read that book before continuing with this manual.
When you are familiar with Directory Server concepts and have done some preliminary planning for your directory service, install the Directory Server. The instructions for installing the various Directory Server components are contained in the Red Hat Directory Server Installation Guide. Many of the scripts and commands used to install and administer the Directory Server are explained in detail in the Red Hat Directory Server Configuration, Command, and File Reference.
Also, Managing Servers with Red Hat Console contains general background information on how to use the Red Hat Console. You should read and understand the concepts in that book before you attempt to administer Directory Server.
The document set for Directory Server contains the following guides:
Red Hat Directory Server Release Notes contain important information on new features, fixed bugs, known issues and workarounds, and other important deployment information for this specific version of Directory Server.
Red Hat Directory Server Deployment Guide provides an overview for planning a deployment of the Directory Server.
Red Hat Directory Server Administrator's Guide contains procedures for the day-to-day maintenance of the directory service. Includes information on configuring server-side plug-ins.
Red
251. ecure slapi_ldap_init_ext
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): binddn=cn=directory manager, passwd={DES}iRDGwYacBXFTnm1zPU01WQ
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): No linger to cancel on the connection
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): Replica was successfully acquired.
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): State: ready_to_acquire_replica -> sending_updates
[09/Jan/2009:13:44:48 -0500] csngen_adjust_time: gen state before 49679b200002:1231526688:0:0
[09/Jan/2009:13:44:48 -0500] _cl5PositionCursorForReplay (agmt="cn=example2" (alt:13864)): Consumer RUV:
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replicageneration} 4949df6e000000010000
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replica 1 ldap://server.example.com:389} 494aa17d000000010000 496797f3000000010000 00000000
[09/Jan/2009:13:44:48 -0500] _cl5PositionCursorForReplay (agmt="cn=example2" (alt:13864)): Supplier RUV:
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replicageneration} 4949df6e000000010000
[09/Jan/2009:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replica 1 ldap://server.example.com:389} 494aa17d000000010000 49679b200000000
252. ed operation
ABANDON for abandon operation
If the LDAP request resulted in sorting of entries, then the message SORT serialno will be recorded in the log, followed by the number of candidate entries that were sorted. For example:
[04/May/2009:15:51:46 -0700] conn=114 op=68 SORT serialno (1)
The number enclosed in parentheses specifies the number of candidate entries that were sorted, which in this case is 1.
LDAP Response Type
The LDAP response type indicates the LDAP response being issued by the LDAP client. There are three possible values:
RESULT
ENTRY
REFERRAL, an LDAP referral or search reference
Unindexed Search Indicator
The unindexed search indicator, notes=U, indicates that the search performed was unindexed, which means that the database itself had to be directly searched instead of the index file. Unindexed searches occur in three scenarios:
When the nsslapd-idlistscanlimit was reached within the index file used for the search
When no index file existed
When the index file was not configured in the way required by the search
NOTE
An unindexed search indicator is often accompanied by a large etime value, as unindexed searches are generally more time consuming.
VLV-Related Entries
When a search involves virtual list views (VLVs), appropriate entries are logged in the access log file. Similar to the other entries, VLV-specific entries show the reque
253. ed with the guidance of Red Hat Technical Support or Red Hat Professional Services.
Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-db-circular-logging: on
3.4.1.8. nsslapd-db-debug
This attribute specifies whether additional error information is to be reported to Directory Server. To report error information, set the parameter to on. This parameter is meant for troubleshooting; enabling the parameter may slow down the Directory Server.
Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-db-debug: off
3.4.1.9. nsslapd-db-durable-transactions
This attribute sets whether database transaction log entries are immediately written to the disk. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. With durable transactions enabled, every directory change will always be physically recorded in the log file and therefore able to be recovered in the event of a system failure. However, the durable transactions feature may also slow the performance of the Directory Server. When durable transactions is disabled, all transactions are logically written to the database transaction log but may not be physically written to disk immediately. If there were a syste
254. eful to sort according to a matching rule, as with an international search. In general, it is faster to sort on the server rather than on the client.
-z: Specifies the maximum number of entries to return in response to a search request. For example, -z 1000. Normally, regardless of the value specified here, ldapsearch never returns more entries than the number allowed by the server's nsslapd-sizelimit attribute, unless the authenticated user is the Directory Manager. However, this limitation can be overridden by binding as the root DN when using this command-line argument. This is because binding as the root DN causes this option to default to zero (0). The default value for the nsslapd-sizelimit attribute is 2000 entries. See Section 2.3.1.103, nsslapd-sizelimit (Size Limit), for more information.
Table 6.3. Commonly Used ldapsearch Options
Persistent Search Options
A persistent search leaves the search operation open after the initial search results are returned. This allows the entries returned in the search to remain in cache and updates to be transmitted and included as they occur. Persistent searches leave the ldapsearch open until the client closes the connection. Using persistent searches is described in the Finding Directory Entries appendix of the Administrator's Guide.
ldapsearch -r -C ps:changetype:changesonly:entrychgcontrols -b "dc=example,dc=com" "(objectclass=*)"
In the access logs, a persist
255. elpful to increase the number of indexed searches. This substring length can be edited based on the position of any wildcard characters. The nsSubStrMiddle attribute sets the required number of characters for an indexed search where a wildcard is used in the middle of a search string. For example, ab*z. If the value of this attribute is changed, then the index must be regenerated using db2index.
Entry DN: cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config
Valid Values: Any integer
Default Value: 3
Syntax: Integer
Example: nsSubStrMiddle: 3
3.4.8. Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config
The nsAttributeEncryption object class allows selective encryption of attributes within a database. Extremely sensitive information such as credit card numbers and government identification numbers may not be protected enough by routine access control measures. Normally, these attribute values are stored in CLEAR within the database; encrypting them while they are stored adds another layer of protection. This object class has one attribute, nsEncryptionAlgorithm, which sets the encryption cipher used per attribute. Each encrypted attribute represents a subentry under the above cn=config information
256. ember attribute, but it can be any membership-related attribute, such as uniqueMember or member.
NOTE
Any attribute can be used for the memberofgroupattr value, but the MemberOf Plug-in only works if the value of the target attribute contains the DN of the member entry. For example, the member attribute contains the DN of the member's user entry:
member: uid=jsmith,ou=People,dc=example,dc=com
Some member-related attributes do not contain a DN, like the memberURL attribute. That attribute will not work as a value for memberofgroupattr, since the memberURL value is a URL, and a non-DN value cannot work with the MemberOf Plug-in.
Entry DN: cn=MemberOf Plugin,cn=plugins,cn=config
Valid Range: Any Directory Server attribute
Default Value: member
Syntax: DirectoryString
Example: memberofgroupattr: member
Chapter 4. Server Instance File Reference
This chapter provides an overview of the files that are specific to an instance of Red Hat Directory Server (Directory Server), the files stored in the /etc/dirsrv/slapd-instance_name directory. Having an overview of the files and configuration information stored in each instance of Directory Server helps with understanding the file changes (or lack of file changes) which occur in the course of directory activity. It can also help to detect errors and intrusion by indicating what kind of changes to expect and, as a result, what changes are ab
257. ement object class store the information set in a replication agreement. Information on the attributes for this object class is in chapter 2 of the Directory Server Configuration, Command, and File Reference. This object class is defined in Directory Server.
nsDS5ReplicationAgreement Object Class
Superior Class: top
OID: 2.16.840.1.113730.3.2.103
Required Attributes
objectClass: Defines the object classes for the entry.
Allowed Attributes
description: Contains a free text description of the replication agreement.
nsDS5BeginReplicaRefresh: Initializes a replica manually.
nsds5debugreplicatimeout: Gives an alternate timeout period to use when the replication is run with debug logging.
nsDS5ReplicaBindDN: Specifies the DN to use when a supplier server binds to a consumer.
nsDS5ReplicaBindMethod: Specifies the method (SSL or simple authentication) to use for binding.
nsDS5ReplicaBusyWaitTime: Specifies the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.
nsDS5ReplicaChangesSentSinceStartup: The number of changes sent to this replica since the server started.
nsDS5ReplicaCredentials: Specifies the password for the bind DN.
nsDS5ReplicaHost: Specifies the hostname for the consumer replica.
nsDS5ReplicaLastInitEnd, nsDS5ReplicaLastInitStart: States when the initialization
258. emporary directory. No base-64 encoding is performed on the values, regardless of the content.
-U: Creates file URLs for the files produced by the -t option.
-u: Specifies that the user-friendly form of the distinguished name be used in the output.
-V: Specifies the LDAP version number to be used on the search. For example, -V 2. LDAPv3 is the default. An LDAPv3 search cannot be performed against a Directory Server that only supports LDAPv2.
-v: Specifies that the utility is to run in verbose mode.
-W: Prompts for the password for the bind DN.
-Y: Specifies the proxy DN to use for the search. This argument is provided for testing purposes. For more information about proxied authorization, see the Managing Access Control chapter in the Directory Server Administrator's Guide.
-X: Specifies the getEffectiveRights control specific attribute list, where attributes are separated by spaces. For example, -X "nsroledn userPassword".
Table 6.10. Additional ldapsearch Options
6.5. ldapmodify
ldapmodify makes changes to directory entries via LDAP.
Syntax
Commonly Used ldapmodify Options
SSL Options
SASL Options
Additional ldapmodify Options
Syntax
ldapmodify [optional_options]
ldapmodify -D binddn -w passwd [-acmnrvFR] [-d debug_level] [-h host] [-p port] [-M auth_mechanism] [-Z] [-ZZ] [-ZZZ] [-V version]
259. en by the nsslapd-errorlog-logexpirationtimeunit attribute.
Entry DN: cn=config
Valid Range: -1 to the maximum 32-bit integer value (2147483647). A value of -1 or 0 means that the log never expires.
Default Value: -1
Syntax: Integer
Example: nsslapd-errorlog-logexpirationtime: -1
2.3.1.47. nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
This attribute sets the units for the nsslapd-errorlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
Valid Values: month | week | day
Default Value: month
Example: nsslapd-errorlog-logexpirationtimeunit: week
2.3.1.48. nsslapd-errorlog-logging-enabled (Enable Error Logging)
Turns error logging on and off.
Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-errorlog-logging-enabled: on
2.3.1.49. nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
This attribute sets the maximum amount of disk space, in megabytes, that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted. When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (acces
260. enabled: off
For audit logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
nsslapd-auditlog-logging-enabled: on; nsslapd-auditlog: empty string -> Disabled
nsslapd-auditlog-logging-enabled: on; nsslapd-auditlog: filename -> Enabled
nsslapd-auditlog-logging-enabled: off; nsslapd-auditlog: empty string -> Disabled
nsslapd-auditlog-logging-enabled: off; nsslapd-auditlog: filename -> Disabled
Table 2.5. Possible combinations for nsslapd-auditlog and nsslapd-auditlog-logging-enabled
2.3.1.25. nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
This attribute sets the maximum amount of disk space, in megabytes, that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted. When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations with the total amoun
261. ent search is identified with the tag options=persistent.
-C: Runs the ldapsearch as a persistent search.
-r: Prints all of the output from the ldapsearch command from the buffer immediately. This is useful with the -C for persistent searches because it prints any entry modifications without delay and without the search hanging. It can also be used with other ldapsearches, not only persistent searches.
ps:changetype: Specifies which types of changes to entries allow the entry to be returned in the persistent search. There are four options:
add
delete
modify
moddn (modrdn)
all
changesonly: Sets whether to return all existing entries which match the search filter (0) or only to return matching entries when the entry is modified (1). The default is 1.
entrychgcontrols: Sets whether to send entry change controls, additional information about the modification made to the entry. If the value is set to 0, then only the entry is returned. If the value is set to 1, then a line is added to the entry as it is returned to the persistent search that lists the changetype performed on the entry. The default is 1.
Table 6.4. Persistent Search Options
SSL Options
The following command-line options can be used to specify that ldapsearch use LDAPS when communicating with an SSL-enabled Directory Server or used for
262. er index maintained by default.
A branch underneath a root suffix.
See SNMP subagent.
Allows for efficient searching against substrings within entries. Substring indexes are limited to a minimum of two characters for each entry.
The name of the entry at the top of the directory tree, below which data is stored. Multiple suffixes are possible within the same directory. Each database only has one suffix.
The most privileged user available on Unix machines. The superuser has complete access privileges to all files on the machine. Also called root.
Server containing the master copy of directory trees or subtrees that are replicated to replica servers.
In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.
Replication configuration where supplier servers replicate directory data to any replica servers.
Encryption that uses the same key for both encrypting and decrypting. DES is an example of a symmetric encryption algorithm.
Cannot be deleted or modified as it is essential to Directory Server operations.
In the context of access control, the target identifies the directory information to which a particular ACI applies.
The entries within the scope of a CoS.
Transmission Control Protocol/Internet Protocol. The main network protocol for the Internet and for enterprise (company) networks.
See CoS template entry.
Indicates the customary formatting
263. erRoot,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsIndex
cn: aci
nsSystemIndex: true
nsIndexType: pres
These entries share all of the indexing attributes listed for the default indexes in Section 3.4.5, Database Attributes under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config. For further information about indexes, refer to the Managing Indexes chapter in the Directory Server Administrator's Guide.
3.4.7.1. nsSubStrBegin
By default, for a search to be indexed, the search string must be at least three characters long, without counting any wildcard characters. For example, the string abc would be an indexed search, while ab would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is helpful to increase the number of indexed searches. This substring length can be edited based on the position of any wildcard characters. The nsSubStrBegin attribute sets the required number of characters for an indexed search for the beginning of a search string, before the wildcard. For example, abc*. If the value of this attribute is changed, then the index must be regenerated using db2index.
Entry DN: cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins
264. eration duration. This gives microsecond resolution for the Elapsed Time item in the access log.
These levels are additive, so to enable several different kinds of logging, add the values of those levels together. For example, to log internal access operations, entry access, and referrals, set the value of nsslapd-accesslog-level to 516 (512 + 4).
5.1.2. Default Access Logging Content
This section describes the access log content in detail, based on the default access logging level extract shown below.
[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(mobile=1 123 456 7890)"
[21/Apr/2009:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
[21/Apr/2009:11:39:51 -0700] conn=11 op=2 UNBIND
[21/Apr/2009:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1
[21/Apr/2009:11:39:52 -0700] conn=12 fd=634 slot=634 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2009:11:39:52 -0700] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2009:11:39:52 -0700] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:52 -0700] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=b
265. erver. Either the farm server URL must be set to the secure URL (ldaps) or the nsUseStartTLS attribute must be set to on. Additionally, the remote server must be configured to map the farm server's certificate to its bind identity. Certificate mapping is described in the Administrator's Guide.
DIGEST-MD5: This uses SASL with DIGEST-MD5 encryption. As with simple authentication, this requires the nsMultiplexorBindDN and nsMultiplexorCredentials attributes to give the bind information.
GSSAPI: This uses Kerberos-based authentication over SASL. The farm server must be connected over the standard port, meaning the URL has ldap, because the Directory Server does not support SASL/GSSAPI over SSL. The farm server must be configured with a Kerberos keytab, and the remote server must have a defined SASL mapping for the farm server's bind identity. Setting up Kerberos keytabs and SASL mappings is described in the Administrator's Guide.
Entry DN: cn=database link name,cn=chaining database,cn=plugins,cn=config; Valid Values: empty | EXTERNAL | DIGEST-MD5 | GSSAPI; Default Value: empty; Syntax: DirectoryString; Example: nsBindMechanism: GSSAPI
3.5.3.2. nsFarmServerURL
This attribute gives the LDAP URL of the remote server. A farm server is a server containing data in one or m
266. erver,cn=plugins,cn=config
createTimestamp: 20090129132357Z
modifyTimestamp: 20090129132357Z
2.3.4.1. oid
The oid attribute contains an object identifier assigned to a directory service feature. oid is used as the naming attribute for these directory features.
OID: 2.16.840.1.113730.3.1.215; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server
2.3.5. cn=mapping tree
Configuration attributes for suffixes, replication, and Windows synchronization are stored under cn=mapping tree,cn=config.
- Configuration attributes related to suffixes are found under the suffix subentry cn=suffix,cn=mapping tree,cn=config. For example, a suffix is the root entry in the directory tree, such as dc=example,dc=com.
- Replication configuration attributes are stored under cn=replica,cn=suffix,cn=mapping tree,cn=config.
- Replication agreement attributes are stored under cn=replicationAgreementName,cn=replica,cn=suffix,cn=mapping tree,cn=config.
- Windows synchronization agreement attributes are stored under cn=syncAgreementName,cn=replica,cn=suffix,cn=mapping tree,cn=config.
2.3.6. Suffix Configuration Attributes under cn=suffixName
Suffix configuration attributes are stored under the cn=suffix entry. The cn=suffix entry is an instance of the nsMappingTree object class, which inherits from the extensibleObject object class. F
267. es common to all plug-ins; replication agreement configuration attributes; replication configuration attributes; restrictions to modifying; retro changelog plug-in configuration attributes; SASL configuration attributes; SNMP configuration attributes; suffix configuration attributes; synchronization agreement attributes; task configuration attributes (cn=backup, cn=export, cn=import, cn=index, cn=memberof task, cn=restore, cn=schema reload task); uniqueid generator configuration attributes.
configuration changes requiring server restart; configuration entries (modifying using LDAP; restrictions to modifying); configuration files (location of); configuration information tree (dse.ldif file); connection attribute; connection code.
core configuration attributes: passwordAllowChangeTime, passwordExpirationTime, passwordExpWarned, passwordGraceUserTime, retryCountResetTime.
core server configuration attributes: backendMonitorDN, basedn, bytessent, cn, connection, currentconnections, currenttime, description, dTableSize, entriessent, filter, nbackends, nsArchiveDir, nsDatabaseTypes, nsds50ruv, nsDS5BeginReplicaRefresh, nsDS5Flags, nsDS5ReplConflict, nsDS5ReplicaBindDN, nsDS5ReplicaBindMethod, nsDS5ReplicaBusyWaitTime
268. es made to this attribute will not take effect until the server is restarted.
Entry DN: cn=config; Valid Values: Path to plugins directory; Default Value: Platform dependent; Syntax: DirectoryString; Example: nsslapd-saslpath: /usr/lib/sasl2
2.3.1.96. nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names)
Ignores trailing spaces in object class names. By default, the attribute is turned off. If the directory contains entries with object class values that end in one or more spaces, turn this attribute on. It is preferable to remove the trailing spaces because the LDAP standards do not allow them. For performance reasons, server restart is required for changes to take effect.
An error is returned by default when object classes that include trailing spaces are added to an entry. Additionally, during operations such as add, modify, and import, when object classes are expanded and missing superiors are added, trailing spaces are ignored if appropriate. This means that even when nsslapd-schema-ignore-trailing-spaces is on, a value such as "top " is not added if top is already there. An error message is logged and returned to the client if an object class is not found and it contains trailing spaces.
Entry DN: cn=config; Valid Values: on | off; Default Value: off; Synta
269. eter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null.
This parameter updates existing Directory Server instances. If an installation is broken in some way, this option can be used to update or replace missing packages and then re-register all of the local instances with the Configuration Directory.
Information can be passed with the script or in an .inf file. If no options are used, then setup-ds-admin.pl launches an interactive configuration program. Both the .inf parameters and command-line arguments are described in the silent configuration section of the Installation Guide.
Syntax: setup-ds-admin.pl [--debug] [--silent] [--file=name] [--keepcache] [--logfile=name] [--update]
Options (Option / Alternate Options / Description):
--silent: This runs the register script in silent mode, drawing the configuration information from a file set with the --file parameter or from arguments passed in the command line, rather than interactively.
--file=name: This sets the path and name of the file which contains the configuration settings for the new Directory Server instance. This can be used with the --silent parameter; if used alone, it sets the default values for the setup prompts.
-d, -dddd: This parameter turns on de
270. ever, most client applications ignore the case of attributes; therefore, by default, this attribute is disabled. Do not modify it unless there are legacy clients that can check the case of attribute names in results returned from the server. The server has to be restarted for changes to this attribute to go into effect.
Entry DN: cn=config; Valid Values: on | off; Default Value: on; Syntax: DirectoryString; Example: nsslapd-return-exact-case: off
2.3.1.91. nsslapd-rewrite-rfc1274
This attribute is deprecated and will be removed in a later version. This attribute is used only for LDAPv2 clients that require attribute types to be returned with their RFC 1274 names. Set the value to on for those clients. The default is off.
2.3.1.92. nsslapd-rootdn (Manager DN)
This attribute sets the distinguished name (DN) of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory, or resource limits in general. There does not have to be an entry corresponding to this DN, and by default there is not an entry for this DN; thus, values like cn=Directory Manager are acceptable.
For information on changing the root DN, see the "Creating Directory Entries" chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config; Valid Values: Any valid distinguished name; Default Value: (blank); Syntax: DN; Exam
271. f installed machine; Syntax: DirectoryString; Example: nsslapd-localhost: phonebook.example.com
2.3.1.74. nsslapd-localuser (Local User)
This attribute sets the user as whom the Directory Server runs. The group as which the user runs is derived from this attribute by examining the user's primary group. Should the user change, then all of the instance-specific files and directories for this instance need to be changed to be owned by the new user, using a tool such as chown. The value for nsslapd-localuser is set initially when the server instance is configured.
Entry DN: cn=config; Valid Values: Any valid user; Default Value: (blank); Syntax: DirectoryString; Example: nsslapd-localuser: nobody
2.3.1.75. nsslapd-lockdir (Server Lock File Directory)
This is the full path to the directory the server uses for lock files. The default value is /var/lock/dirsrv/slapd-instance_name. Changes to this value will not take effect until the server is restarted.
Entry DN: cn=config; Valid Values: Absolute path to a directory owned by the server user ID with write access to the server ID; Default Value: /var/lock/dirsrv/slapd-instance_name; Syntax: DirectoryString; Example: nsslapd-lockdir: /var/lock/dirsrv/slapd-instance_name
2.3.1.76. nsslapd-maxbersize (Maximum Message Size)
Defines the maximum size in bytes allowed for an incoming message. This limits the
272. f the Windows subtree that is being synchronized.
Entry DN: cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config; Valid Values: Any valid suffix or subsuffix; Default Value: (blank); Syntax: DirectoryString; Example: nsDS7WindowsReplicaSubtree: cn=Users,dc=domain,dc=com
2.3.9.7. winSyncInterval
This attribute sets how frequently, in seconds, the Directory Server polls the Windows sync peer to look for changes in the Active Directory entries. If this entry is not set, the Directory Server checks the Windows server every five (5) minutes, meaning the default value is 300 (300 seconds). This value can be set lower to write Active Directory changes over to the Directory Server faster, or raised if the directory searches are taking too long.
Entry DN: cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config; Valid Values: 1 to the maximum 32-bit integer value (2147483647); Default Value: 300; Syntax: Integer; Example: winSyncInterval: 600
2.3.10. cn=monitor
Information used to monitor the server is stored under cn=monitor. This entry and its children are read-only; clients cannot directly modify them. The server updates this information automatically. This section describes the cn=monitor attributes. The only attribute that can be changed by a user to set access
273. fault Value: absent; Syntax: DirectoryString; Example: nsDS5ReplicaTransportInfo: LDAP
2.3.8.23. nsDS5ReplicaUpdateInProgress
This read-only attribute states whether or not a replication update is in progress.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config; Valid Values: true | false; Default Value: (blank); Syntax: DirectoryString; Example: nsDS5ReplicaUpdateInProgress: true
2.3.8.24. nsDS5ReplicaUpdateSchedule
This multi-valued attribute specifies the replication schedule and can be modified. Changes made to this attribute take effect immediately. Modifying this value can be useful to pause replication and resume it later. For example, if this value is set to 0000-0001 0, this in effect causes the server to stop sending updates for this replication agreement. The server continues to store them for replay later. If the value is later changed back to 0000-2359 0123456, this makes replication immediately resume and sends all pending changes.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config; Valid Values: Time schedule presented as XXXX-YYYY 0123456, where XXXX is the starting hour, YYYY is the finishing hour, and the numbers 0123456 are the days of the week, starting with Sunday; Default Value: 0000-2359 0123456 (all the time). In
274. fferent operations being performed. In this case, the difference is not in the format of what is being recorded but in what operations it is being recorded for.
The configuration file processing goes through any .conf file, printing every line, whenever the server starts up. This can be used to debug any problems with files outside of the server's normal configuration. By default, only the slapd-collations.conf file, which contains configurations for international language sets, is available.
[09/Jan/2009:16:08:18 -0500] - reading config file /etc/dirsrv/slapd-server/slapd-collations.conf
[09/Jan/2009:16:08:18 -0500] - line 46: collation 1 3 2.16.840.1.113730.3.3.2.0.1 default
[09/Jan/2009:16:08:18 -0500] - line 57: collation en 1 3 2.16.840.1.113730.3.3.2.11.1 en en-US
[09/Jan/2009:16:08:18 -0500] - line 58: collation en CA 1 3 2.16.840.1.113730.3.3.2.12.1 en-CA
[09/Jan/2009:16:08:18 -0500] - line 59: collation en GB 1 3 2.16.840.1.113730.3.3.2.13.1 en-GB
Example 5.6. Config File Processing Log Entry
There are two levels of ACI logging, one for debug information and one for summary. Both of these ACI logging levels record some extra information that is not included with other types of plug-in or error logging, including connection and operation information. They show the name of the plug-in, the bind DN of the user, the operation performed or attempted, and the ACI which was applied. The debug level shows the series of f
275. for the most recent replication schedule updates. The format is a numeric code followed by a short string. Zero (0) means success.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config; Valid Values: 0 (no replication sessions started), followed by any other error or status message; Default Value: (blank); Syntax: DirectoryString; Example: nsDS5ReplicaLastUpdateStatus: 0 replica acquired successfully
2.3.8.15. nsDS5ReplicaPort
This attribute sets the port number for the remote server containing the replica. Once this attribute has been set, it cannot be modified.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config; Valid Values: Port number for the remote server containing the replica; Default Value: (blank); Syntax: Integer; Example: nsDS5ReplicaPort: 389
2.3.8.16. nsDS5ReplicaReapActive
This read-only attribute specifies whether the background task that removes old tombstones (deleted entries) from the database is active. See Section 2.3.7.13, "nsDS5ReplicaTombstonePurgeInterval", for more information about this task. A value of zero (0) means that the task is inactive, and a value of 1 means that the task is active. If this value is set manually, the server ignores the modify request.
Entry DN: cn=ReplicationAgreementNam
276. from this directory, and when the schema is modified through LDAP tools, the schema files in this directory are updated. This directory must be owned by the server user ID, and that user must have read and write permissions to the directory. The default value is the schema subdirectory of the Directory Server instance-specific configuration directory, /etc/dirsrv/slapd-instance_name/schema. Changes made to this attribute will not take effect until the server is restarted.
2.3.1.99. nsslapd-schemareplace
Determines whether modify operations that replace attribute values are allowed on the cn=schema entry.
Entry DN: cn=config; Valid Values: on | off | replication-only; Default Value: replication-only; Syntax: DirectoryString; Example: nsslapd-schemareplace: replication-only
2.3.1.100. nsslapd-securelistenhost
This attribute allows multiple Directory Server instances to run on a multihomed machine, or makes it possible to limit listening to one interface of a multihomed machine. There can be multiple IP addresses associated with a single hostname, and these IP addresses can be a mix of both IPv4 and IPv6. This parameter can be used to restrict the Directory Server instance to a single IP interface; this parameter also specifically sets what interface to use for SSL/TLS traffic, rather than regular LDAP conne
277. g,cn=chaining database,cn=plugins,cn=config tree node.
3.5.1.1. nsActiveChainingComponents
This attribute lists the components using chaining. A component is any functional unit in the server. The value of this attribute overrides the value in the global configuration attribute. To disable chaining on a particular database instance, use the value None. This attribute also allows the components used to chain to be altered. By default, no components are allowed to chain, which explains why this attribute will probably not appear in a list of cn=config,cn=chaining database,cn=config attributes, as LDAP considers empty attributes to be non-existent.
Entry DN: cn=config,cn=chaining database,cn=plugins,cn=config; Valid Values: Any valid component entry; Default Value: None; Syntax: DirectoryString; Example: nsActiveChainingComponents: cn=uid uniqueness,cn=plugins,cn=config
3.5.1.2. nsMaxResponseDelay
This error detection, performance-related attribute specifies the maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected. Once this delay period has been met, the database link tests the connection with the remote server.
Entry DN: cn=config,cn=chaining database
278. g on, nsslapd-accesslog empty string: Disabled
nsslapd-accesslog-logging-enabled on, nsslapd-accesslog filename: Enabled
nsslapd-accesslog-logging-enabled off, nsslapd-accesslog empty string: Disabled
nsslapd-accesslog-logging-enabled off, nsslapd-accesslog filename: Disabled
Table 2.3. dse.ldif Attributes
Entry DN: cn=config; Valid Values: on | off; Default Value: on; Syntax: DirectoryString; Example: nsslapd-accesslog-logging-enabled: off
2.3.1.8. nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
This attribute specifies the maximum amount of disk space, in megabytes, that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
Entry DN: cn=config; Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the disk space allowed to the access log is unlimited in size; Default Value: -1; Syntax: Integer; Example: nsslapd-accesslog-logmaxdiskspac
279. g extra reference to the 64-bit tools directory, per Bugzilla 554972.
Revision 8.1-8, January 11, 2010, Ella Deon Lackey: Adding section on nsslapd-cachememsize and the import buffer size, per Bugzilla 531043.
Revision 8.1-7, October 10, 2009, Ella Deon Lackey: Fixing two plug-in descriptions.
Revision 8.1-6, September 19, 2009, Ella Deon Lackey: Removing the silent configuration parameters for the register-ds-admin.pl script, per Bugzilla 514231.
Revision 8.1-5, September 9, 2009, Ella Deon Lackey: Removing any references to the Directory Server Gateway or Org Chart.
Revision 8.1-4, September 4, 2009, Ella Deon Lackey: Correcting the directory paths for configuration LDIF files, per Bugzilla 521139.
Revision 8.1-3, August 26, 2009, Ella Deon Lackey: Adding information about setting database and entry cache memory sizes and clarifying the units of measurement for the attributes, per Bugzilla 503615.
Revision 8.1-2, August 4, 2009, Ella Deon Lackey: Changed the default on the nsslapd-cache-autosize parameter to 0, per Bugzilla 514282.
Revision 8.1-1, July 19, 2009, Ella Deon Lackey: Expanding the description of dnaNextRange, Bugzilla 512557.
Revision 8.1-0, April 28, 2009, Ella Deon Lackey (dlackey@redhat.com): Initial draft for version 8.1.
Chapter 1. Introduction
Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP
280. g one of the server's encryption algorithms. If a user cannot log in, use this script to compare the user's password to the password stored in the directory. (Perl, Shell)
register-ds-admin.pl: Re-registers a Directory Server instance with the local Administration Server. (Perl)
remove-ds.pl: Removes a Directory Server instance. (Perl)
repl-monitor: Provides in-progress status of replication. (Shell)
repl-monitor.pl: Provides in-progress status of replication. (Perl)
setup-ds.pl: Creates or recreates a Directory Server instance. (Perl)
setup-ds-admin.pl: Creates a new Directory Server instance and local Administration Server instance. (Perl)
Table 7.3. Scripts in /usr/bin
7.3. Shell Scripts
This section covers the following scripts:
- Section 7.3.1, "bak2db (Restores a Database from Backup)"
- Section 7.3.2, "cl-dump (Dumps and Decodes the Changelog)"
- Section 7.3.3, "db2bak (Creates a Backup of a Database)"
- Section 7.3.4, "db2ldif (Exports Database Contents to LDIF)"
- Section 7.3.5, "db2index (Reindexes Database Index Files)"
- Section 7.3.6, "dbverify (Checks for Corrupt Databases)"
- Section 7.3.7, "ds_removal"
- Section 7.3.8, "ldif2db (Import)"
- Section 7.3.9, "ldif2ldap (Performs Import Operation over LDAP)"
- Section 7.3.10, "monitor (Retrieves Monitoring Information)"
- Section
281. g with management information, like how to monitor the cache with db_stat -m.
NOTE: The nsslapd-cachememsize attribute also defines the import buffer size. The import buffer size is automatically configured to be 80% of whatever the nsslapd-cachememsize setting is. When importing databases with very large attributes, be sure to reset the nsslapd-cachememsize value to something high enough so that 80% of cacheSize is enough to allow the import to proceed.
Attempting to set a value that is not a number or is too big for a 32-bit signed integer (on 32-bit systems) returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
NOTE: The performance counter for this setting goes to the highest 64-bit integer, even on 32-bit systems, but the setting itself is limited on 32-bit systems to the highest 32-bit integer because of how the system addresses memory.
Entry DN: cn=database_name,cn=ldbm database,cn=plugins,cn=config; Valid Range: 500 kilobytes to 2^32-1 on 32-bit systems and to 2^64-1 on 64-bit systems; Default Value: 10,485,760 (10 megabytes); Syntax: Integer; Example: nsslapd-cachememsize: 10485760
3.4.3.3. nsslapd-directory
This attribute specifies the path to the database instance. If it is a relative path, it starts from the path specified by nsslapd-directory in the global database entry, cn=config,cn=ldbm database,cn=plug
282. gelog suffix to clients, so that clients can use this suffix, with or without persistent search, for simple sync applications.
Configurable Options: on | off; Default Setting: off; Configurable Arguments: See Section 3.6, "Retro Changelog Plug-in Attributes", for further information on the two configuration attributes for this plug-in; Dependencies: None; Performance Related Information: May slow down Directory Server update performance; Further Information: See the "Managing Replication" chapter in the Directory Server Administrator's Guide.
3.1.30. Roles Plug-in
Plug-in Name: Roles Plug-in; DN of Configuration Entry: cn=Roles Plugin,cn=plugins,cn=config; Description: Enables the use of roles in the Directory Server; Configurable Options: on | off; Default Setting: on; Configurable Arguments: None; Dependencies: Database; Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times; Further Information: See the "Advanced Entry Management" chapter in the Directory Server Administrator's Guide.
3.1.31. Schema Reload Plug-in
Plug-in Name: Schema Reload; Configuration Entry DN: cn=Schema Reload,cn=plugins,cn=config; Description:
283. generator, cn=encryption, cn=monitor, cn=replication, cn=suffix, cn=export, cn=backup, cn=index, cn=schema reload, cn=replica, cn=import, cn=restore, cn=memberof task, cn=ReplicationAgreementName
Figure 2.1. Directory Information Tree Showing Configuration Data
2.1.1. LDIF and Schema Configuration Files
The Directory Server configuration data are stored in LDIF files in the /etc/dirsrv/slapd-instance_name directory (/etc/opt/dirsrv/slapd-instance_name on HP-UX). Thus, if a server identifier is phonebook, then for a Directory Server on Red Hat Enterprise Linux 5 (32-bit), the configuration LDIF files are all stored under /etc/dirsrv/slapd-phonebook. This directory also contains other server instance-specific configuration files.
Schema configuration is also stored in LDIF format, and these files are located in the /etc/dirsrv/slapd-instance_name/schema directory (/etc/opt/dirsrv/slapd-instance_name on HP-UX).
The following table lists all of the configuration files that are supplied with the Directory Server, including those for the schema of other compatible servers. Each file is preceded by a number which indicates the order in which they should be loaded (in ascending numerical and then alphabetical order).
Configuration Filename / Purpose:
dse.ldif: Contains front-end Directory Specific Entries created by the directory at server startup. These include the Root DSE and the
284. grotationtimeunit: week
2.3.1.15. nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
This attribute sets the maximum access log size in megabytes. When this value is reached, the access log is rotated. That means the server starts writing log information to a new log file. If the nsslapd-accesslog-maxlogsperdir attribute is set to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
Entry DN: cn=config; Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means the log file is unlimited in size; Default Value: 100; Syntax: Integer; Example: nsslapd-accesslog-maxlogsize: 100
2.3.1.16. nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
This attribute sets the total number of access logs that can be contained in the directory where the access log is stored. Each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored in this attribute, then the oldest version of the log file is deleted. For
285. guration for the retro changelog. This object class is defined for the Directory Server.
Superior Class: top; OID: 2.16.840.1.113730.3.2.82
Allowed Attributes: cn (commonName): Gives the common name of the entry.
2.4.5. nsContainer Object Class
Some entries do not define any specific entity, but they create a defined space within the directory tree as a parent entry for similar or related child entries. These are container entries, and they are identified by the nsContainer object class.
Superior Class: top; OID: 2.16.840.1.113730.3.2.104
Required Attributes: objectClass: Defines the object classes for the entry. cn: Gives the common name of the entry.
2.4.6. nsDS5Replica Object Class
This object class is for entries which define a replica in database replication. Many of these attributes are set within the backend and cannot be modified. Information on the attributes for this object class is listed with the core configuration attributes in Chapter 2 of the Directory Server Configuration, Command, and File Reference. This object class is defined in Directory Server.
Superior Class: top; OID: 2.16.840.1.113730.3.2.108
Required Attributes: objectClass: Defines the object classes for the entry. nsDS5ReplicaId: Specifies the unique ID for suppliers in a
286. he name of the database to export in the nsInstance attribute and the name of the LDIF file to write the output to in the nsFilename attribute. Additionally, it must contain a unique cn to identify the task. For example:
dn: cn=example export,cn=export,cn=tasks,cn=config
objectclass: extensibleObject
cn: example export
nsInstance: userRoot
nsFilename: /home/files/example.ldif
As the export operation runs, the task entry will contain all of the server-generated task attributes listed in Section 2.3.15.1, "Task Invocation Attributes for Entries under cn=tasks".
There are some optional attributes which can be used to refine the export operation, similar to the options for the db2ldif and db2ldif.pl scripts:
- nsIncludeSuffix, analogous to the -s option, to specify the suffixes to include in the exported LDIF files
- nsExcludeSuffix, analogous to the -x option, to exclude the specified suffixes from the exported LDIF files
- nsUseOneFile, analogous to the -M option, to break up the exported suffixes into individual LDIF files
- nsExportReplica, analogous to the -r option, to indicate whether the exported database is used in replication
- nsPrintKey, analogous to the -N option, to set whether to print the entry IDs as the entries are processed by the export operation
- nsUseId2Entry, analogous to the -C option, to set whether to use only the main index, id2entry, to
287. he nsslapd-localuser value after startup. When changing the port number for a configuration directory, the corresponding server instance entry in the configuration directory must be updated. The server has to be restarted for the port number change to be taken into account.
Valid Range: 1 to 65535; Default Value: 389; Syntax: Integer; Example: nsslapd-port: 389
NOTE: Set the port number to zero (0) to disable the LDAP port if the LDAPS port is enabled.
2.3.1.84. nsslapd-privatenamespaces
This read-only attribute contains the list of the private naming contexts: cn=config, cn=schema, and cn=monitor.
Entry DN: cn=config; Valid Values: cn=config, cn=schema, and cn=monitor; Default Value: (blank); Syntax: DirectoryString; Example: nsslapd-privatenamespaces: cn=config
2.3.1.85. nsslapd-pwpolicy-local (Enable Subtree and User-Level Password Policy)
Turns fine-grained (subtree- and user-level) password policy on and off. If this attribute has a value of off, all entries (except for cn=Directory Manager) in the directory are subjected to the global password policy; the server ignores any defined subtree/user-level password policy. If this attribute has a value of on, the server checks for password policies at the subtree and user level and enforces those policies.
E
288. ibute shows the pages created in the cache.
nsslapd-db-page-read-rate: This attribute shows the pages read into the cache.
nsslapd-db-page-ro-evict-rate: This attribute shows the clean pages forced from the cache.
nsslapd-db-page-rw-evict-rate: This attribute shows the dirty pages forced from the cache.
nsslapd-db-page-trickle-rate: This attribute shows the dirty pages written using the memp_trickle interface.
nsslapd-db-page-write-rate: This attribute shows the pages read into the cache.
nsslapd-db-pages-in-use: This attribute shows all pages, clean or dirty, currently in use.
nsslapd-db-txn-region-wait-rate: This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
3.4.5. Database Attributes under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
The set of default indexes is stored here. Default indexes are configured per backend in order to optimize Directory Server functionality for the majority of setup scenarios. All indexes, except system-essential ones, can be removed, but care should be taken so as not to cause unnecessary disruptions. For further information on indexes, refer to the "Managing Indexes" chapter in the Directory Server Administrator's Guide.
3.4.5.1. cn
This attribute provides the name of the attribute to index.
Para
289. ics are computed over the set of all logs, so all logs should pertain to the same Directory Server. The tool ignores any file with the name access.rotationinfo. Table 7.26, logconv.pl Options. Table 7.27, logconv.pl Options to Display Occurrences, describes the options that enable the optional lists of occurrences. Specify only those required; specifying a large number of options can produce excessive output and affect execution speed. These parameters can be specified in any number and in any order, but they must all be given together as a single option on the command line, such as -abcefg. The lists are always output in the order in which they appear in the following table, regardless of the order in which they are given on the command line. Option: Description. (option letter missing): Lists the most frequent error and return codes. -f: Lists the bind DNs with the most failed logins (invalid password). -c: Lists the number of occurrences for each type of connection code. -i: Lists the IP addresses and connection codes of the clients with the most connections, which detects clients that may be trying to compromise security. -b: Lists the most frequently used bind DNs. -a: Lists the most frequent base DNs when performing operations. (option letter missing): Lists the most frequently used filter strings for searches. -t: Lists the longest and most frequent etimes (elapsed operation time). -n: Lists the la
290. id Values: Suffix of the database being replicated, which is the suffix DN; Default Value: (none); Syntax: DirectoryString; Example: nsDS5ReplicaRoot: dc=example,dc=com. 2.3.7.13 nsDS5ReplicaTombstonePurgeInterval: This attribute specifies the time interval, in seconds, between purge operation cycles. Periodically, the server runs an internal housekeeping operation to purge old update and state information from the changelog and the main database. See Section 2.3.7.10, nsDS5ReplicaPurgeDelay. When setting this attribute, remember that the purge operation is time-consuming, especially if the server handles many delete operations from clients and suppliers. Parameter: Entry DN: cn=replica,cn=suffixDN,cn=mapping tree,cn=config; Valid Range: 0 to maximum 32-bit integer (2147483647), in seconds; Default Value: 86400 (1 day); Syntax: Integer; Example: nsDS5ReplicaTombstonePurgeInterval: 86400. 2.3.7.14 nsDS5ReplicaType: Defines the type of replication relationship that exists between this replica and the others. Parameter: Entry DN: cn=replica,cn=suffixDN,cn=mapping tree,cn=config; Valid Values: 0, 1, 2, 3 (0 means unknown; 1 means primary, not yet used; 2 means consumer, read-only; 3 means consumer/supplier, updatable); Default Value: (none); Syntax: Integer; Example: nsDS5ReplicaType: 2. 2.3.7.15 nsDS5Rep
291. id Values: true | false; Entry DN: cn=task name,cn=export,cn=tasks,cn=config; Default Value: false; Syntax: Case-insensitive string; Example: nsUseId2Entry: true. nsNoWrap: This attribute sets whether to wrap long lines in the LDIF file. Parameter: Entry DN: cn=task name,cn=export,cn=tasks,cn=config; Valid Values: true | false; Default Value: false; Syntax: Case-insensitive string; Example: nsNoWrap: false. nsDumpUniqId: This attribute sets that the unique IDs for the exported entries are not exported. Parameter: Entry DN: cn=task name,cn=export,cn=tasks,cn=config; Valid Values: true | false; Default Value: false; Syntax: Case-insensitive string; Example: nsDumpUniqId: true. 2.3.15.4 cn=backup: A database can be backed up through the command line by creating a special task entry which defines the parameters of the task and initiates the task. As soon as the task is complete, the task entry is removed from the directory. The cn=backup entry is a container entry for backup task operations. The cn=backup entry itself has no attributes, but each of the task entries within this entry, such as cn=task ID,cn=backup,cn=tasks,cn=config, uses the following attributes to define the backup task. A backup task entry under cn=backup must contain the location of the directory to which to copy the archive c
292. ied by Internet draft RFC 2252. By default, the Directory Server conforms to RFC 2252, which indicates that this value should not be quoted. Only very old clients need this value set to on, so leave it off. Turning this attribute on or off does not affect the Directory Server Console. Parameter: Valid Values: on | off; Default Value: off; Syntax: DirectoryString; Example: nsslapd-enquote-sup-oc: off. 2.3.1.43 nsslapd-errorlog (Error Log): This attribute sets the path and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they contain informative conditions, such as: server startup and shutdown times; the port number that the server uses. This log contains differing amounts of information depending on the current setting of the Log Level attribute. See Section 2.3.1.44, nsslapd-errorlog-level (Error Log Level), for more information. Parameter: Entry DN: cn=config; Valid Values: Any valid filename; Default Value: /var/log/dirsrv/slapd-instance_name/errors; Syntax: DirectoryString; Example: nsslapd-errorlog: /var/log/dirsrv/slapd-instance_name/errors. For error logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. The table lis
293. igital file that is not transferable and not forgeable and is issued by a third party. Authentication certificates are sent from server to client or client to server in order to verify and authenticate the other party. See base DN. Base distinguished name. A search operation is performed on the base DN, the DN of the entry and all entries below it in the directory tree. See bind DN. Distinguished name used to authenticate to Directory Server when performing an operation. In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information. An entry that represents the top of a subtree in the directory. Software, such as Mozilla Firefox, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server. Speeds up the display of entries in the Directory Server Console. Browsing indexes can be created on any branch point in the directory tree to improve display performance. See also virtual list view index. See Certificate Authority. In a cascading replication scenario, one server, often called the hub supplier, acts both as a consumer and a supplier for a particular replica. It holds a read-only replica and maintains a changelog. It receives updates from the supplier server that holds the master copy of the data and in turn supplies those upda
294. iles 5; 30ns-common.ldif (ldif files) 5; 50ns-admin.ldif (ldif files) 5; 50ns-certificate.ldif (ldif files) 5; 50ns-directory.ldif (ldif files) 5; 50ns-mail.ldif (ldif files) 5; 50ns-value.ldif (ldif files) 5; 50ns-web.ldif (ldif files) 5; 60pam-plugin.ldif 5; 99user.ldif (ldif files) 5; i in LDIF statements 273. A: access log: connection code 229; A1 229; B1 229; B2 229; B3 229; B4 229; P2 229; T1 229; T2 229; U1 229; contents 219; abandon message (ABANDON) 226; change sequence number (csn) 226; connection description (conn) 228; connection number (conn) 221; elapsed time (etime) 223; error number (err) 222; extended operation OID (oid) 225; file descriptor (fd) 221; format 219; LDAP request type 223; LDAP response type 224; message ID (msgid) 226; method type (method) 222; number of entries (nentries) 223; operation number (op) 221; options description (options) 228; SASL multi-stage binds 227; scope of the search (scope) 225; slot number (slot) 221; sort (SORT) 224; tag number (tag) 222; unindexed search indicator (notes=U) 224; version number (version) 222; VLV-related entries 224; LDAP result codes 237; levels 220, 227; sample (level 256) 220; statistics for monitoring and optimizing directory usage 302. alias dereferencing 252. ancestorid.db4 file 215. B: backendMonitorDN attribute 99. backup files 214. bak2db: command-line shell script 280; quick reference 27
295. imestamp: 20090109181810Z. Example 5.8, Audit Log Content. The audit log does not have any other log level to set. 5.4 LDAP Result Codes: LDAP has a set of result codes with which it is useful to be familiar. Result Code: Defined Value. 0: SUCCESS; 1: OPERATION_ERROR; 2: PROTOCOL_ERROR; 3: TIME_LIMIT_EXCEEDED; 4: SIZE_LIMIT_EXCEEDED; 5: COMPARE_FALSE; 6: COMPARE_TRUE; 7: AUTH_METHOD_NOT_SUPPORTED; 8: STRONG_AUTH_REQUIRED; 9: LDAP_PARTIAL_RESULTS; 10: REFERRAL (LDAP v3); 11: ADMIN_LIMIT_EXCEEDED (LDAP v3); 12: UNAVAILABLE_CRITICAL_EXTENSION (LDAP v3); 13: CONFIDENTIALITY_REQUIRED (LDAP v3); 14: SASL_BIND_IN_PROGRESS (LDAP v3); 16: NO_SUCH_ATTRIBUTE; 17: UNDEFINED_ATTRIBUTE_TYPE; 18: INAPPROPRIATE_MATCHING; 19: CONSTRAINT_VIOLATION; 20: ATTRIBUTE_OR_VALUE_EXISTS; 21: INVALID_ATTRIBUTE_SYNTAX; 32: NO_SUCH_OBJECT; 33: ALIAS_PROBLEM; 34: INVALID_DN_SYNTAX; 35: IS_LEAF; 48: INAPPROPRIATE_AUTHENTICATION; 49: INVALID_CREDENTIALS; 50: INSUFFICIENT_ACCESS_RIGHTS; 51: BUSY; 52: UNAVAILABLE; 53: UNWILLING_TO_PERFORM; 54: LOOP_DEFECT; 64: NAMING_VIOLATION; 65: OBJECT_CLASS_VIOLATION; 66: NOT_ALLOWED_ON_NONLEAF; 67: NOT_ALLOWED_ON_RDN; 68: ENTRY_ALREADY_EXISTS; 69: OBJECT_CLASS_MODS_PROHIBITED; 71: AFFECTS_MULTIPLE_DSAS (LDAP v3); 80: OTHER; 81: SERVER_DOWN; 85: LDAP_TIMEOUT; 89: PARAM_ERROR; 91: CONNECT_ERROR; 92: LDAP_NOT_SUPPORTED; 93: CONTROL_NOT_FOUND; 94: NO_RESULTS_RETURNED; 95: MORE_RESULTS_TO_RETURN; 96: CLIENT_LOOP; 97: REFERRAL_LIMIT_EXCEEDED.
296. imum available system physical memory is used for the database cache during bulk importing (optimizes bulk import speed). Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem. NOTE: A cache is created for each load that occurs. For example, if the user sets the nsslapd-import-cachesize attribute to 1 gigabyte, then 1 gigabyte is used when loading one database, 2 gigabytes is used when loading two databases, and so on. Ensure there is sufficient physical memory to prevent swapping from occurring, as this would result in performance degradation. Parameter: Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config; Valid Range: 500 kilobytes to 4 gigabytes for 32-bit platforms and 500 kilobytes to 2^64-1 for 64-bit platforms; Default Value: 20000000; Syntax: Integer; Example: nsslapd-import-cachesize: 20000000. 3.4.1.23 nsslapd-import-cache-autosize: This performance-tuning-related attribute automatically sets the size of the import cache (importCache) to be used during the command-line-based import process of LDIF files to the database (the ldif2db operation). In Directory Server, the import operation can be run as a server task or exclusively on the command lin
297. inc_waitfor_async_results: 5 5 [09/Jan/2009:13:44:50 -0500] repl5_inc_result_threadmain: read result for message_id 5 [09/Jan/2009:13:44:51 -0500] repl5_inc_result_threadmain exiting [09/Jan/2009:13:44:51 -0500] agmt="cn=example2" (alt:13864) - session end: state=5 load=1 sent=1 skipped=0 [09/Jan/2009:13:44:51 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): Successfully released consumer [09/Jan/2009:13:44:51 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): Beginning linger on the connection [09/Jan/2009:13:44:51 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): State: sending_updates > wait_for_changes. Example 5.4, Replication Error Log Entry. Plug-in logging records the name of the plug-in and all of the functions called by the plug-in. This has a simple format: [timestamp] Plugin name - message; [timestamp] - function - message. The information returned can be hundreds of lines long, as every step is processed. The precise information recorded depends on the plug-in itself. For example, the ACL Plug-in includes a connection and operation number, as shown in Example 5.5, ACL Plug-in Error Log Entry with Plug-in Logging. [09/Jan/2009:13:15:16 -0500] NSACLPlugin - conn=24826500108779577 op=10 (main): Allow search on entry(cn=replication,cn=config): root user [09/Jan/2009:13:15:16 -0500] - <= slapi_vattr_filter_test 0 [09/Jan/2009:13:15:16 -0500] NSACLPlugin - Root ac
298. indCount 205; nsBindMechanism 202; nsBindRetryLimit 198; nsBindTimeout 199; nsCheckLocalACI 199; nsCompareCount 205; nsConcurrentBindLimit 199; nsConcurrentOperationsLimit 200; nsConnectionLife 200; nsDeleteCount 204; nsFarmServerURL 203; nshoplimit 204; nsMaxResponseDelay 196; nsMaxTestResponseDelay 197; nsModifyCount 204; nsMultiplexorBindDn 203; nsMultiplexorCredentials 203; nsOperationConnectionCount 205; nsOperationConnectionsLimit 200; nsProxiedAuthorization 200; nsReferralOnScopedSearch 201; nsRenameCount 205; nsSearchBaseCount 205; nsSearchOneLevelCount 205; nsSearchSubtreeCount 205; nsSizeLimit 201; nsslapd-changelogmaxage 206; nsTimeLimit 201; nsTransmittedControls 197; nsUnbindCount 205; nsUseStartTLS 204. database plug-in configuration attributes: cn 188; dbcachehitratio 178; dbcachehits 178; dbcachepagein 178; dbcachepageout 178; dbcacheroevict 178; dbcacherwevict 178; dbcachetries 178; dbfilecachehit 191; dbfilecachemiss 191; dbfilenamenumber 191; dbfilepagein 191; dbfilepageout 192; description 189; nsIndexType 190; nsLookThroughLimit 166; nsMatchingRule 190; nsslapd-cache-autosize 166; nsslapd-cache-autosize-split 167; nsslapd-cachememsize 180; nsslapd-cachesize 179; nsslapd-db-abort-rate 186; nsslapd-db-active-txns 186; nsslapd-db-cache-hit 186; nsslapd-db-cache-region-wait-rate 186; nsslapd-db-cache-size-bytes 186; nsslapd-db-cache-try 186; nsslapd-db-checkpoint-interval 168
299. ine utilities all perform server administration tasks, and while it can be argued that they allow a greater degree of flexibility for users, Red Hat recommends using the command-line scripts described in Chapter 7, Command-Line Scripts. A.1 Overview of ns-slapd: ns-slapd is used to start the Directory Server process, to build a directory database from an LDIF file, or to convert an existing database to an LDIF file. For more information on starting and stopping the Directory Server, importing from LDIF using the command line, and exporting to LDIF using the command line, refer to the Populating Directory Databases chapter in the Red Hat Directory Server Administrator's Guide. A.2 Finding and Executing the ns-slapd Command-Line Utilities: The ns-slapd command-line utilities are stored in /etc/dirsrv/slapd-instance_name. NOTE: In order to execute the command-line utilities, set the library paths set in the command-line scripts. A.3 Utilities for Exporting Databases: db2ldif. Exports the contents of the database to LDIF. Syntax: ns-slapd db2ldif -D configDir -a outputFile -d debugLevel -n backendInstance -r -s includeSuffix -x excludeSuffix -N -u -U -m -M -E. With this command, enter the full path to the configuration directory, /etc/dirsrv/slapd-instance_name. Either the -n or the -s option must be specified. Options: Description. -a outputFile: Defines the output file in which the server saves the exported LD
300. ined in: Directory Server; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued. 2.5.2.29 replicaUpdateReplayed: This attribute stores the change number of the most recently replicated change. OID: 2.16.840.1.113730.3.1.51; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.5.2.30 replicaUpdateSchedule: This contains the replication schedule. OID: 2.16.840.1.113730.3.1.52; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.5.2.31 replicaUseSSL: This attribute sets whether to use a secure connection (SSL) for replication. OID: 2.16.840.1.113730.3.1.54; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. Chapter 3. Plug-in Implemented Server Functionality Reference: This chapter contains reference information on Red Hat Directory Server plug-ins. The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. dn: cn=Telephone Syntax,cn=plugins,cn=config; objectclass: top; objectclass: nsSlapdPlugin; objectclass: extensibleObject; cn: Telephone Syntax; nsslapd-pluginPath: libsyntax-plugin; nsslapd-pluginInitfunc: tel_init; nsslapd-pluginType: syntax; nsslapd-pluginEnabled: on; S
301. ined in: OID: 2.16.840.1.113730.3.1.408; Syntax: Integer; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.5.2.24 replicaNickName: This attribute contains the friendly name for the replication agreement. OID: 2.16.840.1.113730.3.1.204; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.5.2.25 replicaPort: This attribute contains the port number of the replica server. OID: 2.16.840.1.113730.3.1.48; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.5.2.26 replicaRoot: This attribute sets the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified. OID: 2.16.840.1.113730.3.1.57; Syntax: DN; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.5.2.27 replicatedAttributeList: This attribute specifies any attributes that are replicated to a consumer server. OID: 2.16.840.1.113730.3.1.240; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.5.2.28 replicaUpdateFailedAt: This attribute contains the time and date of the most recent replication failure. OID: 2.16.840.1.113730.3.1.49; Syntax: Multi- or Single-Valued: Def
302. iner Object Class 123; 2.4.6 nsDS5Replica Object Class 123; 2.4.7 nsDS5ReplicationAgreement Object Class 124; 2.4.8 nsDSWindowsReplicationAgreement Object Class 126; 2.4.9 nsMappingTree Object Class 128; 2.4.10 nsSaslMapping Object Class 128; 2.4.11 nsslapdConfig Object Class 129; 2.4.12 passwordpolicy Object Class 129; 2.5 Legacy Attributes 131; 2.5.1 Legacy Server Attributes 132; 2.5.2 Legacy Replication Attributes 134; 3 Plug-in Implemented Server Functionality Reference 143; 3.1 Server Plug-in Functionality Reference 143; 3.1.1 7-bit Check Plug-in 143; 3.1.2 ACL Plug
303. ingle-Valued: Multi-valued; Defined in: Directory Server. 2.3.2.8 changeType: This attribute specifies the type of LDAP operation: add, delete, modify, or modrdn. For example: changeType: modify. Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Changelog Internet Draft. 2.3.2.9 deleteOldRdn: In the case of modrdn operations, this attribute specifies whether the old RDN was deleted. OID: 2.16.840.1.113730.3.1.10; Syntax: Boolean; Multi- or Single-Valued: Multi-valued; Defined in: Changelog Internet Draft. 2.3.2.10 filterInfo: This is used by the changelog for processing replication. OID: 2.16.840.1.113730.3.1.206; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server. 2.3.2.11 newRdn: In the case of modrdn operations, this attribute specifies the new RDN of the entry. OID: 2.16.840.1.113730.3.1.9; Syntax: DN; Multi- or Single-Valued: Multi-valued; Defined in: Changelog Internet Draft. 2.3.2.12 newSuperior: In the case of modrdn operations, this attribute specifies the newSuperior attribute of the entry. OID: 2.16.840.1.113730.3.1.11; Syntax: DN; Multi- or Single-Valued: Multi-valued; Defined in: Changelog Internet Draft. 2.3.2.13 targetDn: This attribute contains the DN of the entry that was affected by the LDAP o
304. ins,cn=config. The database instance directory is named after the instance name and located in the global database directory by default. After the database instance has been created, do not modify this path, because any changes risk preventing the server from accessing data. [1] http://www.oracle.com/technology/documentation/berkeley-db/db/ref/am_conf/cachesize.html. Parameter: Entry DN: cn=database_name,cn=ldbm database,cn=plugins,cn=config; Valid Values: Any valid path to the database instance; Default Value: (none); Syntax: DirectoryString; Example: nsslapd-directory: /var/lib/dirsrv/slapd-instance_name/db/userRoot. 3.4.3.4 nsslapd-readonly: This attribute specifies read-only mode for a single back-end instance. If this attribute has a value of off, then users have all read, write, and execute permissions allowed by their access permissions. Entry DN: cn=database_name,cn=ldbm database,cn=plugins,cn=config; Valid Values: on | off; Default Value: off; Syntax: DirectoryString; Example: nsslapd-readonly: off. 3.4.3.5 nsslapd-require-index: When switched to on, this attribute allows one to refuse unindexed searches. This performance-related attribute avoids saturating the server with erroneous searches. Entry DN: cn=database_name,cn=ldbm database,cn=plugins,cn=config; Va
305. ion closed and abandon records, which appear individually, all records appear in pairs consisting of a request-for-service record followed by a result record. These two records frequently appear on adjacent lines, but this is not always the case. The access logs have different levels of logging, set in the nsslapd-accesslog-level attribute. This section provides an overview of the default access logging content, log levels, and the content logged at different logging levels: Section 5.1.1, Access Logging Levels; Section 5.1.2, Default Access Logging Content; Section 5.1.3, Access Log Content for Additional Access Logging Levels. NOTE: Directory Server provides a script which can analyze access logs to extract usage statistics and count the occurrences of significant events. For details about this script, see ... section. 5.1.1 Access Logging Levels: Different levels of access logging generate different amounts of detail and record different kinds of operations. The log level is set in the instance's nsslapd-accesslog-level configuration attribute. The default level of logging is level 256, which logs access to an entry, but there are five different log levels available: 0: No access logging; 4: Logging for internal access operations; 256: Logging for access to an entry; 512: Logging for access to an entry and referrals; 131072: Precise timing of op
306. ionPauseTime attribute at any time by using changetype: modify with the replace operation. The change takes effect for the next update session if one is already in progress. If Directory Server has to reset the value of nsDS5ReplicaSessionPauseTime automatically, the value is changed internally only. The change is not visible to clients, and it is not saved to the configuration file. From an external viewpoint, the attribute value appears as originally set. Parameter: Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config; Valid Values: Any valid integer; Default Value: 0; Syntax: Integer; Example: nsDS5ReplicaSessionPauseTime: 0. 2.3.8.20 nsDS5ReplicatedAttributeList: This allowed attribute specifies any attributes that are not replicated to a consumer server. Fractional replication allows databases to be replicated across slow connections or to less secure consumers while still protecting sensitive information. By default, all attributes are replicated, and this attribute is not present. For more information on fractional replication, see the Managing Replication chapter in the Directory Server Administrator's Guide. Parameter: Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config; Valid Range: (none); Default Value: (none); Syntax: DirectoryString; Example: nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE salary
307. irationtimeunit attribute. Parameter: Entry DN: cn=config; Valid Range: -1 to the maximum 32-bit integer value (2147483647); a value of -1 or 0 means that the log never expires; Default Value: 1; Syntax: Integer; Example: nsslapd-accesslog-logexpirationtime: 2. 2.3.1.6 nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit): This attribute specifies the units for the nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires. Parameter: Entry DN: cn=config; Valid Values: month | week | day; Default Value: month; Syntax: DirectoryString; Example: nsslapd-accesslog-logexpirationtimeunit: week. 2.3.1.7 nsslapd-accesslog-logging-enabled (Access Log Enable Logging): Disables and enables accesslog logging, but only in conjunction with the nsslapd-accesslog attribute that specifies the path and parameter of the log used to record each database access. For access logging to be enabled, this attribute must be switched to on, and the nsslapd-accesslog configuration attribute must have a valid path and parameter. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging. Attribute: Logging Enabled or Disabled. nsslapd-accesslog-loggin
308. irectory server. In pass-through authentication, the URL that defines the authenticating directory server, pass-through subtree(s), and optional parameters. Random access memory. The physical semiconductor-based memory in a computer. Information stored in RAM is lost when the computer is shut down. A file on Unix machines that describes programs that are run when the machine starts. It is also called /etc/rc.local because of its location. The name of the actual entry itself, before the entry's ancestors have been appended to the string to form the full distinguished name. Also relative distinguished name. A replica that refers all update operations to read-write replicas. A server can hold any number of read-only replicas. A replica that contains a master copy of directory information and can be updated. A server can hold any number of read-write replicas. Glossary terms: referential integrity; referral; relative distinguished name; replica; replica-initiated replication; replication; replication agreement; RFC; role; role-based attributes; root; root suffix; SASL; schema. Mechanism that ensures that relationships between related entries are maintained within the directory. (1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP server that can process the request. (2) In the context of replication, when a read-only replica
309. is connection. C is the number of completed operations. D is r if the server is in the process of reading BER from the network, empty otherwise. This value is usually empty, as in the example. E is the bind DN. This may be empty or have a value of NULLDN for anonymous connections. currentConnections: This attribute shows the number of currently open and active Directory Server connections. totalConnections: This attribute shows the total number of Directory Server connections. This number includes connections that have been opened and closed since the server was last started, in addition to the currentConnections. dTableSize: This attribute shows the size of the Directory Server connection table. Each connection is associated with a slot in this table and usually corresponds to the file descriptor used by this connection. See Section 2.3.1.38, nsslapd-conntablesize, for more information. readWaiters: This attribute shows the number of connections where some requests are pending and not currently being serviced by a thread in Directory Server. opsinitiated: This attribute shows the number of Directory Server operations initiated. opscompleted: This attribute shows the number of Directory Server operations completed. entriessent: This attribute shows the number of entries sent by Directory Server. bytessent: This attribute shows the number of bytes sent by Direc
310. is value is always 0. CopyEntries: Not used. This value is always 0. CacheEntries: If the server has only one database backend, this is the number of entries cached in the entry cache. If the server has more than one database backend, this value is 0; see the monitor entry for each one for more information. CacheHits: If the server has only one database backend, this is the number of entries returned from the entry cache, rather than from the database, for search results. If the server has more than one database backend, this value is 0; see the monitor entry for each one for more information. SlaveHits: Not used. This value is always 0. (CacheEntries and CacheHits are updated every ten (10) seconds. Red Hat strongly encourages using the database backend-specific monitor entries for this and other database information.) Table 2.8, SNMP Statistic Attributes. 2.3.15 cn=tasks: Some core Directory Server tasks can be initiated by editing a directory entry using LDAP tools. These task entries are contained in cn=tasks. Each task can be invoked by updating an entry such as the following: dn: cn=task_id,cn=task_type,cn=tasks,cn=config. In Red Hat Directory Server deployments before Directory Server 8.0, many Directory Server tasks were managed by the Administration Server. These tasks were moved to the core Directory Server configuration in version 8.0 and are invoked and administered by Directory Server under the cn=task
311. ity with older servers, such as "_" in schema-defined attributes. Entry DN: cn=config; Valid Values: on | off; Default Value: off; Syntax: DirectoryString; Example: nsslapd-attribute-name-exceptions: on. 2.3.1.20 nsslapd-auditlog (Audit Log): This attribute sets the path and filename of the log used to record changes made to each database. Entry DN: cn=config; Valid Values: Any valid filename; Default Value: /var/log/dirsrv/slapd-instance_name/audit; Syntax: DirectoryString; Example: nsslapd-auditlog: /var/log/dirsrv/slapd-instance_name/audit. For audit logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging. Attributes in dse.ldif: Logging enabled or disabled. nsslapd-auditlog-logging-enabled: on with nsslapd-auditlog: empty string: Disabled. nsslapd-auditlog-logging-enabled: on with nsslapd-auditlog: filename: Enabled. nsslapd-auditlog-logging-enabled: off with nsslapd-auditlog: empty string: Disabled. nsslapd-auditlog-logging-enabled: off with nsslapd-auditlog: filename: Disabled. Table 2.4, Possible Combinations for nsslapd-auditlog. 2.3.1.21 nsslapd
312. jensen [21/Apr/2009:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0 [21/Apr/2009:11:39:52 -0700] conn=12 op=3 UNBIND [21/Apr/2009:11:39:52 -0700] conn=12 op=3 fd=634 closed - U1 [21/Apr/2009:11:39:53 -0700] conn=13 fd=659 slot=659 connection from 207.1.153.51 to 192.18.122.139 [21/Apr/2009:11:39:53 -0700] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [21/Apr/2009:11:39:53 -0700] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 [21/Apr/2009:11:39:53 -0700] conn=13 op=1 EXT oid="2.16.840.1.113730.3.5.3" [21/Apr/2009:11:39:53 -0700] conn=13 op=1 RESULT err=0 tag=120 nentries=0 etime=0 [21/Apr/2009:11:39:53 -0700] conn=13 op=2 ADD dn="cn=Sat Apr 21 11:39:51 MET DST 2009,dc=example,dc=com" [21/Apr/2009:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000 [21/Apr/2009:11:39:53 -0700] conn=13 op=3 EXT oid="2.16.840.1.113730.3.5.5" [21/Apr/2009:11:39:53 -0700] conn=13 op=3 RESULT err=0 tag=120 nentries=0 etime=0 [21/Apr/2009:11:39:53 -0700] conn=13 op=4 UNBIND [21/Apr/2009:11:39:53 -0700] conn=13 op=4 fd=659 closed - U1 [21/Apr/2009:11:39:55 -0700] conn=14 fd=700 slot=700 connection from 207.1.153.51 to 192.18.122.1
313. ...Example: nsTaskCurrentItem: 148

nsTaskTotalItems

This attribute shows the total number of subtasks that must be completed for the task operation. When the nsTaskCurrentItem attribute has the same value as nsTaskTotalItems, the task is completed. This attribute value is set by the server and should not be edited.
  Entry DN: cn=task_name,cn=task_type,cn=tasks,cn=config
  Valid Values: 0 to the maximum 32-bit integer value (2147483647)
  Default Value:
  Syntax: Integer
  Example: nsTaskTotalItems: 152

nsTaskCancel

This attribute allows a task to be aborted while in progress. This attribute can be modified by users.
  Entry DN: cn=task_name,cn=task_type,cn=tasks,cn=config
  Valid Values: true | false
  Default Value:
  Syntax: Case-insensitive string
  Example: nsTaskCancel: true

ttl

This attribute sets the amount of time (in seconds) the task entry will remain in the DSE after the task has finished or aborted. Setting a ttl attribute allows the task entry to be polled for new status information without missing the exit code. Setting the ttl attribute to 0 means that the entry is not cached.
  Entry DN: cn=task_name,cn=task_type,cn=tasks,cn=config
  Valid Values: 0 (cannot be cached) to the maximum 32-bit integer value (2147483647)
  Default Value:
  Syntax: DirectoryString
  Example: ttl: 120
314. ...kendDescriptors + PTADescriptors + SSLDescriptors

  - NldbmBackends is the number of ldbm databases.
  - NglobalIndex is the total number of configured indexes for all databases, including system indexes. (By default there are 8 system indexes and 17 additional indexes per database.)
  - ReplicationDescriptor is eight (8) plus the number of replicas in the server that can act as a supplier or hub (NSupplierReplica).
  - ChainingBackendDescriptors is NchainingBackend times the nsOperationConnectionsLimit (a chaining or database-link configuration attribute; 10 by default).
  - PTADescriptors is 3 if PTA is configured and 0 if PTA is not configured.
  - SSLDescriptors is 5 (4 files + 1 listen socket) if SSL is configured and 0 if SSL is not configured.

The server has to be restarted for changes to this attribute to go into effect.
  Entry DN: cn=config
  Valid Range: 1 to 65535
  Default Value: 64
  Syntax: Integer
  Example: nsslapd-reservedescriptors: 64

2.3.1.90. nsslapd-return-exact-case (Return Exact Case)

Returns the exact case of attribute type names as requested by the client. Although LDAPv3-compliant clients must ignore the case of attribute names, some client applications require attribute names to match exactly the case of the attribute as it is listed in the schema when the attribute is returned by the Directory Server as the result of a search or modify operation. How...
315. ...licaReapActive

This read-only attribute specifies whether the background task that removes old tombstones (deleted entries) from the database is active. See Section 2.3.7.13, nsDS5ReplicaTombstonePurgeInterval, for more information about this task. A value of 0 means that the task is inactive and a value of 1 means that the task is active. The server ignores the modify request if this value is set manually.
  Entry DN: cn=replica,cn=suffixDN,cn=mapping tree,cn=config
  Valid Values: 0 | 1
  Default Value:
  Syntax: Integer
  Example: nsDS5ReplicaReapActive: 0

2.3.7.16. nsds5Task

This attribute is used to launch a replication task, such as dumping the database contents to LDIF. This is used internally by the Directory Server supplier.

2.3.7.17. nsState

This attribute stores information on the state of the clock. It is designed only for internal use, to ensure that the server cannot generate a change sequence number (CSN) inferior to existing ones, which is required for detecting backward clock errors.

2.3.8. Replication Attributes under cn=ReplicationAgreementName,cn=replica,cn=suffixName,cn=mapping tree,cn=config

The replication attributes that concern the replication agreement are stored under cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config. The cn...
316. ...Valid Values: on | off
  Default Value: off
  Syntax: DirectoryString
  Example: nsslapd-require-index: off

Chapter 3. Plug-in Implemented Server Functionality Reference

3.4.3.6. nsslapd-suffix

This attribute specifies the suffix of the database link. This is a single-valued attribute because each database instance can have only one suffix. Previously, it was possible to have more than one suffix on a single database instance, but this is no longer the case. As a result, this attribute is single-valued to enforce the fact that each database instance can only have one suffix entry. Any changes made to this attribute after the entry has been created take effect only after the server containing the database link is restarted.
  Entry DN: cn=database_name,cn=ldbm database,cn=plugins,cn=config
  Valid Values: Any valid DN
  Default Value:
  Syntax: DirectoryString
  Example: nsslapd-suffix: o=NetscapeRoot

3.4.3.7. vlvBase

This attribute sets the base DN for which the browsing or virtual list view (VLV) index is created. For more information on VLV indexes, see the indexing chapter in the Administrator's Guide.

NOTE: This attribute is only available to user databases (like userRoot), not configuration databases (like o=NetscapeRoot).
  Entry DN: cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
  Valid Values: Any valid DN
  Default Value:
317. ...lier1, Supplier2, and Hub1 to identify the servers in the replication topology. If used, the output shows these aliases instead of http(s)://hostname:port.

The CSN time lags between suppliers and consumers can be displayed in different colors based on their range. The default color set is green for a 0-5 minute lag, yellow for a 5-60 minute lag, and pink for a lag of 60 minutes or more.

The connection parameters for all the servers in a replication topology must be specified within one configuration file. One configuration file, however, may contain information for multiple replication topologies. Because of the connection parameters, the replication monitoring tool does not need to perform DES decryption of the credentials stored in the Directory Server. The consequence is that the bind passwords sit in this file in clear text, so it should be readable only by the account that runs the script.

Each line in this file can be either a comment, started with the # character, or a connection entry of the following format:

  host:port=binddn:bindpwd:bindcert

host, port, and binddn can be replaced with relevant values, or *, or omitted altogether.
  - If host is null or *, the entry may apply to any host that does not have a dedicated entry in the file.
  - If port is null or *, the port defaults to the port stored in the current replication agreement.
  - If binddn is null or *, it defaults to cn=Directory Manager.
  - bindcert can be replaced with the full path to the certificate database, null, or *. If bindcert is omitted or replaced with *, the connection is a simple bind.

For example:
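The "most matched entry" rule (a dedicated host:port entry beats a host-only entry, which beats the shared wildcard) and the defaults above are the parts of this format that are easy to misconfigure. The following is an added example for this page, not the repl-monitor.pl source: a parser for the [connection], [alias] and [color] sections that resolves the credentials the script would use for a given server and maps a CSN lag to a colour. The sample file and its hostnames are constructed; the wildcard is assumed to be "*" or an empty field, as the text describes, and the fields after "=" are assumed to be colon-separated.

```python
"""Parser for the repl-monitor.pl configuration file format described above,
with the 'most matched entry' lookup and the lag-to-colour mapping.  Added
example written for this page, not the repl-monitor.pl source; the sample
file and the hostnames in it are constructed.  It assumes '*' or an empty
field is the wildcard (as the text describes) and that the fields after '='
are separated by ':'."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_BINDDN = "cn=Directory Manager"
DEFAULT_COLORS = {0: "green", 5: "yellow", 60: "pink"}  # lowmark in minutes -> colour

SAMPLE_CONFIG = """\
# constructed sample: one shared entry plus two dedicated entries for host1
[connection]
*:*=cn=Directory Manager:sharedsecret
host1.example.com:*=cn=monitor,cn=config:host1secret
host1.example.com:636=*:host1secret:/etc/dirsrv/slapd-host1
[alias]
Supplier1=host1.example.com:389
Hub1=hub1.example.com:389
[color]
0=green
5=yellow
60=pink
"""


@dataclass
class Connection:
    host: str                 # '*' matches any host without a dedicated entry
    port: str                 # '*' means the port from the replication agreement
    binddn: str
    bindpwd: str
    bindcert: Optional[str]   # None means a simple bind

    def specificity(self, host, port):
        """How closely this entry matches host:port, or None for no match.
        A dedicated host beats a wildcard host; an explicit port breaks ties."""
        if self.host not in ("*", host) or self.port not in ("*", str(port)):
            return None
        return 2 * (self.host != "*") + (self.port != "*")


def _wild(field):
    field = field.strip()
    return "*" if field in ("", "*") else field


def parse_config(text):
    """Return (connections, {host:port -> alias}, {lowmark -> colour})."""
    conns, aliases, colors, section = [], {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        left, _, right = line.partition("=")   # first '=' splits host:port from the rest
        if section == "connection":
            host, _, port = left.partition(":")
            fields = (right.split(":") + ["", ""])[:3]
            conns.append(Connection(
                host=_wild(host), port=_wild(port),
                binddn=DEFAULT_BINDDN if _wild(fields[0]) == "*" else fields[0].strip(),
                bindpwd=fields[1],
                bindcert=None if _wild(fields[2]) == "*" else fields[2].strip()))
        elif section == "alias":
            aliases[right.strip()] = left.strip()
        elif section == "color":
            colors[int(left)] = right.strip()
    return conns, aliases, colors or dict(DEFAULT_COLORS)


def resolve(conns, host, port):
    """Pick the most specific [connection] entry for host:port and apply the
    documented defaults.  Returns None when no entry matches."""
    best, best_score = None, -1
    for conn in conns:
        score = conn.specificity(host, port)
        if score is not None and score > best_score:
            best, best_score = conn, score
    if best is None:
        return None
    return {"host": host, "port": int(port), "binddn": best.binddn,
            "bindpwd": best.bindpwd, "bindcert": best.bindcert}


def alias_for(aliases, host, port):
    """Alias for the server if one is defined, else host:port as the tool prints it."""
    key = f"{host}:{port}"
    return aliases.get(key, key)


def lag_color(colors, lag_minutes):
    """Colour for a CSN time lag: the entry with the largest lowmark <= lag."""
    marks = [mark for mark in colors if mark <= lag_minutes]
    return colors[max(marks)] if marks else colors[min(colors)]


if __name__ == "__main__":
    conns, aliases, colors = parse_config(SAMPLE_CONFIG)
    for host, port in (("host1.example.com", 389), ("host1.example.com", 636),
                       ("hub1.example.com", 389)):
        creds = resolve(conns, host, port)
        print(alias_for(aliases, host, port), creds["binddn"], creds["bindcert"])
```

Note that the sample resolves host1:389 to the host-only entry and host1:636 to the port-specific one, while every other server falls back to the shared entry; the shared entry is also why the file must not be world-readable.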
318. ...unlimited.
  Default Value: 1
  Syntax: Integer
  Example: nsslapd-errorlog-logrotationtime: 100

2.3.1.55. nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)

This attribute sets the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, the log never expires.
  Entry DN: cn=config
  Valid Values: month | week | day | hour | minute
  Default Value: week
  Syntax: DirectoryString
  Example: nsslapd-errorlog-logrotationtimeunit: day

2.3.1.56. nsslapd-errorlog-maxlogsize (Maximum Error Log Size)

This attribute sets the maximum error log size in megabytes. When this value is reached, the error log is rotated and the server starts writing log information to a new log file. If nsslapd-errorlog-maxlogsperdir is set to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the error log.
  Entry DN: cn=config
  Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means the log file is...
319. ...liosize limit, the server immediately disconnects the client and logs a message to the error log so that an administrator can adjust the setting if necessary. This attribute value is specified in bytes.
  Entry DN: cn=config
  Valid Range: -1 (unlimited) to the maximum 32-bit integer value (2147483647) on 32-bit systems; -1 (unlimited) to the maximum 64-bit integer value (9223372036854775807) on 64-bit systems
  Default Value: 2000000 (2 MB)
  Syntax: Integer
  Example: nsslapd-maxsasliosize: 5000000

Keep this limit finite: it bounds how much data a single client can make the server buffer for one SASL packet, and -1 removes that bound.

2.3.1.79. nsslapd-maxthreadsperconn (Maximum Threads per Connection)

Defines the maximum number of threads that a connection should use. For normal operations, where a client binds and only performs one or two operations before unbinding, use the default value. For situations where a client binds and simultaneously issues many requests, increase this value to allow each connection enough resources to perform all the operations. This attribute is not available from the server console.
  Entry DN: cn=config
  Valid Range: 1 to maximum threadnumber
  Default Value: 5
  Syntax: Integer
  Example: nsslapd-maxthreadsperconn: 5

2.3.1.80. nsslapd-nagle

When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attri...
320. ...load.pl is run again.

Option / Description
  -D rootdn    Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-rootdn attribute under cn=config.
  -j filename  The name of the file containing the password.
  -v           Verbose mode.
  -w password  The password associated with the user DN.
  -W           Prompts for the password associated with the user DN.

Table 7.33. schema-reload.pl Options

7.4.19. setup-ds.pl

The setup-ds.pl script is used to create a Directory Server instance. Running this script with the -u option after the instances are configured updates the configuration with the latest installed packages.

Chapter 7. Command Line Scripts

NOTE: This script only creates a Directory Server instance, not an Administration Server. For the new instance to work, there has to be an Administration Server and Configuration Directory Server installed on another machine.

Information can be passed with the script or in an .inf file. If no options are used, setup-ds.pl launches an interactive configuration program. Both the .inf parameters and command-line arguments are described in the silent configuration section of the Installation Guide.

Syntax:
  setup-ds.pl [--debug] [--silent] [--file=name] [--keepcache] [--logfile=name] [--update]

Option / Alternate Option / Description
  --silent    -s    Runs the script in silent mode, dr...
321. ...look like the examples in the documentation. The OpenLDAP tools require a -x argument to disable SASL so that they can be used for a simple bind (meaning the -D and -w arguments) or an anonymous bind. The OpenLDAP tools' arguments for using TLS/SSL and SASL are quite different from the Mozilla LDAP arguments; see the OpenLDAP documentation for instructions on those arguments.

The ldif and dbscan command-line utilities are stored in the /usr/bin directory.

Chapter 6. Command Line Utilities

6.2. Using Special Characters

When using the ldapsearch command-line utility, it may be necessary to specify values that contain characters that have special meaning to the command-line interpreter, such as space ( ), asterisk (*), and backslash (\). When this situation occurs, enclose the value in quotation marks. For example:

  -D "cn=Barbara Jensen,ou=Product Development,dc=example,dc=com"

Depending on the command-line interpreter, use either single or double quotation marks for this purpose. See the operating system documentation for more information.

Additionally, commas in DN values must be escaped with a backslash. For example:

  -D "cn=Patricia Fuentes,ou=people,dc=example,dc=Bolivia\, S.A."

6.3. Command Line Utilities Quick Reference

The following table provides a summary of the command-line utilities provided for Directory Server.

Command Line Utility / Description
  ldapsearch    Searches the directory and returns se...
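The two escaping layers above (backslashes for the DN syntax, quotes for the shell) matter most when the DN value comes from user input: an unescaped comma lets a caller append extra RDNs and bind or search somewhere else. The following is an added example for this page, not a Directory Server utility: it applies the full RFC 4514 escaping rules (which cover more characters than the comma the text mentions) to build a DN, and shell-quotes the resulting arguments for ldapsearch.

```python
"""Escape attribute values for use in a DN and quote the result for the shell,
so that a value containing commas, quotes or other DN special characters (or
shell metacharacters) cannot change the meaning of the -D or -b argument.
Added example for this page, not a Directory Server utility.  It applies the
RFC 4514 escaping rules, which cover more than the comma the text mentions."""
import shlex

_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value):
    """Backslash-escape one attribute value for use inside a DN (RFC 4514 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)          # leading '#'/space and trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Build a DN string from (attribute, value) pairs, escaping every value."""
    return ",".join(f"{attr}={escape_dn_value(value)}" for attr, value in rdns)


def ldapsearch_command(bind_dn, base_dn, ldap_filter):
    """The ldapsearch invocation for a POSIX shell, with each value quoted the
    way the text recommends so the shell never splits or globs it."""
    return " ".join(["ldapsearch", "-D", shlex.quote(bind_dn),
                     "-b", shlex.quote(base_dn), "-s", "sub", shlex.quote(ldap_filter)])


if __name__ == "__main__":
    dn = build_dn([("cn", "Patricia Fuentes"), ("ou", "people"),
                   ("dc", "example"), ("dc", "Bolivia, S.A.")])
    print(ldapsearch_command(dn, "dc=example,dc=com", "(objectclass=*)"))
```

The last assertion in the test below is the injection case: a value of "evil,ou=admins" stays a single RDN value instead of becoming two RDNs.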
322. ...lue stored in the uid, cn, sn, givenName, ou, or mail attributes of the user's directory entry.

Password syntax includes several different categories for checking:
  - Minimum number of digit characters (0-9)
  - Minimum number of ASCII alphabetic characters, both upper and lower case
  - Minimum number of uppercase ASCII alphabetic characters
  - Minimum number of lowercase ASCII alphabetic characters
  - Minimum number of special (non-alphanumeric) ASCII characters
  - Minimum number of 8-bit characters
  - Maximum number of times that the same character can be immediately repeated (such as aaabbb)
  - Minimum number of character categories required per password; a category can be upper- or lower-case letters, special characters, digits, or 8-bit characters

This can be abbreviated to pwdCheckSyntax. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide.
  Entry DN: cn=config
  Valid Values: on | off
  Default Value: off
  Syntax: DirectoryString
  Example: passwordCheckSyntax: off

2.3.1.114. passwordExp (Password Expiration)

Indicates whether user passwords expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, set the number of seconds after which the password expires using the passwordMaxAge attribute. For more information on password policies, see the M...
323. ...pluginId

Attribute / Description
  nsslapd-pluginType          Identifies the type of plug-in.
  nsslapd-pluginVersion       Identifies the version of the plug-in.
  nsslapd-pluginId            Identifies the plug-in ID.
  nsslapd-pluginVendor        Identifies the vendor of the plug-in.
  nsslapd-pluginDescription   Identifies the description of the plug-in.
  nsslapd-pluginEnabled       Identifies whether or not the plug-in is enabled.

3.2.2. nsslapd-pluginPath

This attribute specifies the full path to the plug-in.
  Entry DN: cn=plug-in name,cn=plugins,cn=config
  Valid Values: Any valid path
  Default Value: None
  Syntax: DirectoryString
  Example: nsslapd-pluginPath: uid-plugin

3.2.3. nsslapd-pluginInitfunc

This attribute specifies the plug-in function to be initiated.
  Entry DN: cn=plug-in name,cn=plugins,cn=config
  Valid Values: Any valid plug-in function
  Default Value: None
  Syntax: DirectoryString
  Example: nsslapd-pluginInitfunc: NS7bitAttr_Init

3.2.4. nsslapd-pluginType

This attribute specifies the plug-in type. See Section 3.3.3, nsslapd-plugin-depends-on-type, for further information.
  Entry DN: cn=plug-in name,cn=plugins,cn=config
  Valid Values: Any valid plug-in type
  Default Value: None
  Syntax: DirectoryString
  Example: nsslapd-pluginType: preoperation

3.2.5. nssl...
324. ...lute allocation of RAM for the entry cache size, as described in Section 3.4.3.2, nsslapd-cachememsize. Attempting to set a value that is not a number, or is too big for a 32-bit signed integer on 32-bit systems, returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem. The server has to be restarted for changes to this attribute to go into effect.

NOTE: The performance counter for this setting goes to the highest 64-bit integer, even on 32-bit systems, but the setting itself is limited on 32-bit systems to the highest 32-bit integer because of how the system addresses memory.
  Entry DN: cn=database_name,cn=ldbm database,cn=plugins,cn=config
  Valid Range: 1 to 2^31-1 on 32-bit systems or 2^63-1 on 64-bit systems, or -1, which means limitless
  Default Value: -1
  Syntax: Integer
  Example: nsslapd-cachesize: -1

3.4.3.2. nsslapd-cachememsize

This performance-tuning-related attribute specifies the size, in bytes, of the available memory space for the entry cache. The simplest method is limiting cache size in terms of memory occupied. Activating automatic cache resizing overrides this attribute, replacing these values with its own guessed values at a later stage of the server startup. The BerkeleyDB documentation offers a good explanation of what the entry cache is, alon...
325. ...ly for system modification diagnostics and should be changed only with the guidance of Red Hat technical support or Red Hat professional services. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable. The server has to be restarted for changes to this attribute to go into effect.
  Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
  Valid Values: 1 to 4
  Default Value: 1
  Syntax: Integer
  Example: nsslapd-dbncache: 1

3.4.1.21. nsslapd-directory

This attribute specifies the absolute path to the database instance. If the database instance is manually created, then this attribute must be included; it is set by default (and modifiable) in the Directory Server Console. Once the database instance is created, do not modify this path, as any change risks preventing the server from accessing data.
  Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
  Valid Values: Any valid absolute path to the database instance
  Default Value:
  Syntax: DirectoryString
  Example: nsslapd-directory: /var/lib/dirsrv/slapd-instance_name/db

3.4.1.22. nsslapd-import-cachesize

This performance-tuning-related attribute determines the size, in bytes, of the database cache used in the bulk import process. Setting this attribute value so that the max...
326. ...m failure before a directory change was physically written to disk, that change would not be recoverable. The nsslapd-db-durable-transactions attribute is absent from dse.ldif. To disable durable transactions, add the attribute to dse.ldif.

This attribute is provided only for system modification diagnostics and should be changed only with the guidance of Red Hat Technical Support or Red Hat Professional Services. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable.

For more information on database transaction logging, refer to the Monitoring Server and Database Activity chapter in the Directory Server Administrator's Guide.
  Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
  Valid Values: on | off
  Default Value: on
  Syntax: DirectoryString
  Example: nsslapd-db-durable-transactions: on

3.4.1.10. nsslapd-db-home-directory

This is usually applicable to Solaris only, and is used to fix a situation in Solaris where the operating system endlessly flushes pages. This flushing can be so excessive that performance of the entire system is severely degraded. For users of other systems, to move the database to another physical location for performance reasons, use this parameter to specify the home directory. This situation will occur only for certain combinations of...
327. ...mbertype (Attribute Mapping for System GID Number)

Autobind can be used to authenticate system users to the server automatically and connect to the server using a UNIX socket. To map the system user to a Directory Server user for authentication, the system user's UID and GID numbers should be mapped to Directory Server attributes. The nsslapd-ldapigidnumbertype attribute points to the Directory Server attribute used to map system GIDs to user entries.

Users can only connect to the server with autobind if LDAPI is enabled (nsslapd-ldapilisten and nsslapd-ldapifilepath), autobind is enabled (nsslapd-ldapiautobind), and autobind mapping is enabled for regular users (nsslapd-ldapimaptoentries). Because autobind identifies the client by the UID and GID of the process on the socket, the filesystem permissions on the socket path are what restrict who can use it.
  Entry DN: cn=config
  Valid Values: Any Directory Server attribute
  Default Value: gidNumber
  Syntax: DirectoryString
  Example: nsslapd-ldapigidnumbertype: gidNumber

2.3.1.68. nsslapd-ldapilisten (Enable LDAPI)

The nsslapd-ldapilisten attribute enables LDAPI connections to the Directory Server. LDAPI allows users to connect to the Directory Server over a UNIX socket rather than a standard TCP port. Along with enabling LDAPI by setting nsslapd-ldapilisten to on, there must also be a UNIX socket set for LDAPI in the nsslapd-ldapifilepath attribute.
  Entry DN: cn=config
  Valid Values: on | off
  Default Value: off
  Syntax: DirectoryString
328. ...means disallow certificate-based authentication; allowed means clients may use certificates or other forms of authentication; required means clients must use certificates for authentication.
  Default Value: allowed
  Syntax: DirectoryString
  Example: nsSSLclientauth: allowed

2.3.3.3. nsSSL2

Supports SSL version 2. SSLv2 is deprecated and Red Hat strongly discourages using it. The server has to be restarted for changes to this attribute to go into effect.
  Entry DN: cn=encryption,cn=config
  Valid Values: on | off
  Default Value: off
  Syntax: DirectoryString
  Example: nsSSL2: off

2.3.3.4. nsSSL3

Supports SSL version 3. The server has to be restarted for changes to this attribute to go into effect. Although this release ships with SSLv3 on by default, the protocol has since been formally deprecated (RFC 7568); on any current deployment it should be set to off.
  Entry DN: cn=encryption,cn=config
  Valid Values: on | off
  Default Value: on
  Syntax: DirectoryString
  Example: nsSSL3: on

2.3.3.5. nsSSL3ciphers

This multi-valued attribute specifies the set of encryption ciphers the Directory Server uses during SSL communications. For more information on the ciphers supported by the Directory Server, see the Managing SSL chapter in the Directory Server Administrator's Guide. Note that rsa_null_md5 provides no encryption at all and should never be enabled on a production server.
  Entry DN: cn=encryption,cn=config
  Valid Values: For SSLv3: rsa_null_md5, rsa_rc4_128_md5, ...
329. ...
  Entry DN: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
  Valid Values: Any valid index cn
  Default Value: None
  Syntax: DirectoryString
  Example: cn: aci

3.4.5.2. description

This optional attribute provides a free-hand text description of what the index actually performs.
  Entry DN: cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
  Valid Values:
  Default Value: None
  Syntax: DirectoryString
  Example: description: substring index

3.4.5.3. nsIndex

This object class defines an index in the backend database. This object is defined in Directory Server.
  Superior Class: top
  OID: 2.16.840.1.113730.3.2.44

Required Attributes
  cn              Gives the common name of the entry.
  nsSystemIndex   Identifies whether or not the index is a system-defined index.

Allowed Attributes
  description     Gives a text description of the entry.
  nsIndexType     Identifies the index type.
  nsMatchingRule  Identifies the matching rule.

3.4.5.4. nsIndexType

This optional multi-valued attribute specifies the type of index for Directory Server operations and takes the values of the attributes to be indexed. Each desired index type has to be entered on a separate line.
  Entry DN: cn=default in...
330. ...missions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone. The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.
  Entry DN: cn=config
  Valid Range: 000 through 777
  Default Value: 600
  Syntax: Integer
  Example: nsslapd-accesslog-mode: 600

2.3.1.18. nsslapd-allow-unauthenticated-binds

An unauthenticated bind is a bind where the user supplies a username (bind DN) but not a password. For example, running an ldapsearch without supplying a password option:

  /usr/lib/mozldap/ldapsearch -D "cn=directory manager" -b "dc=example,dc=com" -s sub "(objectclass=*)"

When unauthenticated binds are allowed, the bind attempt goes through as an anonymous bind (assuming anonymous access is allowed). The nsslapd-allow-unauthenticated-binds attribute sets whether to allow an unauthenticated bind to succeed as an anonymous bind. By default, unauthenticated binds are disabled. Leave them disabled unless a specific client needs them: a client that treats any successful bind as proof of identity would otherwise accept an empty password for any DN, including cn=Directory Manager, even though the resulting session only has anonymous rights.
  Entry DN: cn=config
  Valid Values: on | off
  Default Value: off
  Syntax: DirectoryString
  Example: nsslapd-allow-unauthenticated-binds: on

2.3.1.19. nsslapd-attribute-name-exceptions

This attribute allows non-standard characters in attribute names to be used for backwards compatibil...
331. ...mport may begin.
  Directory Server Bulk Import Finished   2.16.840.1.113730.3.5.8   Sent by the client to signal the end of a bulk import, and sent by the server to acknowledge it.

Table 5.2. LDAPv3 Extended Operations Supported by Directory Server

Change Sequence Number

The change sequence number, in this case csn=3b4c8cfb000000030068, is the replication change sequence number, indicating that replication is enabled on this particular naming context.

Abandon Message

The abandon message indicates that an operation has been aborted:

  [21/Apr/2009:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0

nentries=0 indicates the number of entries sent before the operation was aborted, etime=0 indicates how much time (in seconds) had elapsed, and targetop=1 corresponds to an operation value from a previously initiated operation that appears earlier in the access log.

There are two possible ABANDON log messages, depending on whether the message ID succeeds in locating which operation was to be aborted. If the message ID succeeds in locating the operation (the targetop), the log reads as above. However, if the message ID does not succeed in locating the operation, or if the operation had already finished before the ABANDON request was sent, the log reads as follows:

  [21/Apr/2009:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2

targetop=NOTFOUND indicates the operation to be a...
332. ...msmith,ou=Peo...

  Optional   secprop=value   The secprop attribute sets the security properties for the connection. The secprop value can be any of the following:
    None
    noplain: Do not permit mechanisms susceptible to simple passive attack.
    noanonymous: Do not permit mechanisms that allow anonymous access.
    minssf: Require a minimum security strength; this option needs a numeric value specifying bits of encryption. A value of 1 means integrity is provided without privacy.
    maxssf: Require a maximum security strength; this option needs a numeric value specifying bits of encryption. A value of 1 means integrity is provided without privacy. The maximum value is 128.
  Example:
    authid=dn:uid=msmith,ou=People,o=example.com
    secprop=noplain,noanonymous,maxssf=128,minssf=128

Table 6.8. Description of DIGEST-MD5 SASL Mechanism Options

Required or Optional / Option / Description
  Required   mech=GSSAPI     Gives the SASL mechanism. NOTE: Have the Kerberos ticket before issuing a GSSAPI request.
  Optional   secprop=value   The secprop attribute sets the security properties for the connection. The secprop value can be any of the following:
    None
    noplain: Do not permit mechanisms susceptible to simple passive attack.
    noanonymous: Do not permit mecha...
333. ...n: 3600

2.3.1.125. passwordMaxAge (Password Maximum Age)

Indicates the number of seconds after which user passwords expire. To use this attribute, password expiration has to be enabled using the passwordExp attribute. This can be abbreviated to pwdMaxAge. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide.
  Entry DN: cn=config
  Valid Range: 1 to the maximum 32-bit integer value (2147483647), in seconds
  Default Value: 8640000 (100 days)
  Syntax: Integer

2.3.1.126. passwordMaxFailure (Maximum Password Failures)

Indicates the number of failed bind attempts after which a user is locked out of the directory. By default, account lockout is disabled. Enable account lockout by modifying the passwordLockout attribute. This can be abbreviated to pwdMaxFailure. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide.
  Entry DN: cn=config
  Valid Range: 1 to the maximum integer (bind failures)
  Default Value: 3
  Syntax: Integer
  Example: passwordMaxFailure: 3

2.3.1.127. passwordMaxRepeats (Password Syntax)

Maximum number of times the same character can appear sequentially in the password. Zero (0)...
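The passwordCheckSyntax categories listed earlier and the passwordMaxRepeats rule above describe a checker without showing how the pieces combine. The following is an added example for this page, not Directory Server's own implementation: it counts characters per category, measures the longest run of one character, and rejects passwords containing a value from the user's own uid, cn, sn, givenName, ou or mail. Apart from passwordCheckSyntax and passwordMaxRepeats, the policy keys used here (passwordMinDigits, passwordMinAlphas, passwordMinUppers, passwordMinLowers, passwordMinSpecials, passwordMin8Bit, passwordMinCategories) are assumed attribute names for the listed categories; the policy values, the sample entry, and the substring rule for the trivial-word test are this example's own choices.

```python
"""Password-syntax check covering the categories listed for passwordCheckSyntax,
the passwordMaxRepeats limit and the 'trivial word' test against the user's
own entry.  Added example for this page, not Directory Server's own checker.
Apart from passwordCheckSyntax and passwordMaxRepeats, the policy keys below
are assumed attribute names for the categories the text lists; the policy
values and the sample entry are constructed."""

TRIVIAL_ATTRS = ("uid", "cn", "sn", "givenname", "ou", "mail")
CATEGORIES = ("digit", "upper", "lower", "special", "eightbit")

POLICY = {
    "passwordCheckSyntax": "on",
    "passwordMinDigits": 1,
    "passwordMinAlphas": 2,
    "passwordMinUppers": 1,
    "passwordMinLowers": 1,
    "passwordMinSpecials": 1,
    "passwordMin8Bit": 0,
    "passwordMaxRepeats": 2,      # 0 disables the check
    "passwordMinCategories": 3,
}

# constructed user entry; attribute names lowercased as the server matches them
ENTRY = {
    "uid": ["bjensen"],
    "cn": ["Barbara Jensen"],
    "sn": ["Jensen"],
    "givenname": ["Barbara"],
    "ou": ["Product Development"],
    "mail": ["bjensen@example.com"],
}


def category_counts(password):
    """Count characters per category: ASCII digits, ASCII upper/lower, ASCII
    specials (printable, non-alphanumeric), and 8-bit (non-ASCII) characters."""
    counts = dict.fromkeys(CATEGORIES, 0)
    for ch in password:
        if not ch.isascii():
            counts["eightbit"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isprintable():
            counts["special"] += 1
    counts["alpha"] = counts["upper"] + counts["lower"]
    return counts


def longest_run(password):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    for i, ch in enumerate(password):
        run = run + 1 if i and password[i - 1] == ch else 1
        best = max(best, run)
    return best


def check_password(password, policy=POLICY, entry=ENTRY):
    """Return the list of policy violations (empty means the password passes)."""
    if policy.get("passwordCheckSyntax", "off") != "on":
        return []
    problems = []
    counts = category_counts(password)
    for key, cat in (("passwordMinDigits", "digit"), ("passwordMinAlphas", "alpha"),
                     ("passwordMinUppers", "upper"), ("passwordMinLowers", "lower"),
                     ("passwordMinSpecials", "special"), ("passwordMin8Bit", "eightbit")):
        if counts[cat] < policy.get(key, 0):
            problems.append(f"{key}: need {policy[key]}, have {counts[cat]}")
    present = sum(1 for cat in CATEGORIES if counts[cat])
    if present < policy.get("passwordMinCategories", 0):
        problems.append(f"passwordMinCategories: need {policy['passwordMinCategories']}, have {present}")
    max_repeats = policy.get("passwordMaxRepeats", 0)
    if max_repeats and longest_run(password) > max_repeats:
        problems.append(f"passwordMaxRepeats: a character repeats {longest_run(password)} times")
    lowered = password.lower()
    for attr in TRIVIAL_ATTRS:
        for value in entry.get(attr, []):
            # substring match on whole attribute values is this example's choice
            if len(value) >= 3 and value.lower() in lowered:
                problems.append(f"contains the {attr} value {value!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("jensen2009!", "aaabbb1A!", "Passw0rd", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The ordering of the checks mirrors the list in the text: per-category minimums first, then the category count, then repeats, then the entry-derived words; a password that fails several rules reports all of them rather than stopping at the first.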
334. ...Option / Description
  -b   Specifies that the ldif utility should interpret the entire input as a single binary value. If -b is not present, each line is considered to be a separate input value. As an alternative to the -b option, use the :< URL specifier notation. For example:

         jpegphoto:< file:///tmp/myphoto.jpg

       Although the official notation requires three slashes (///), the use of one (/) is accepted.

       NOTE: The :< URL specifier notation only works if the LDIF statement is version 1 or later, meaning "version: 1" is inserted in the LDIF file. Otherwise, the file URL is appended as the attribute value rather than the contents of the file.

Table 6.22. ldif Options

6.9. dbscan

The dbscan tool analyzes and extracts information from a Directory Server database file. See Section 4.4, Database Files, for more information on database files. Database files use the .db2, .db3, and .db4 extensions in their filename, depending on the version of Directory Server.

Syntax:
  dbscan -f filename [options]

Options
  -f filename   Specifies the name of the database file, the contents of which are to be analyzed and extracted. This option is required.
  Further options dump the database as raw data and specify the entry truncate size in bytes.

Table 6.23. Common Options

NOTE: The options li...
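The version gate in the NOTE above is a silent failure: without "version: 1" the literal URL text ends up stored as the attribute value. The following is an added example for this page, not the ldif utility itself: a small LDIF reader that decodes the three value forms (plain, base64 with "::", and ":<" URL), dereferences file: URLs with either one or three slashes only when the LDIF declares version 1, and otherwise keeps the URL text as the value. Only file: URLs are handled, which is this example's assumption; the LDIF text and the photo bytes are constructed.

```python
"""LDIF value decoding for the three forms the ldif utility accepts: 'attr: value',
'attr:: base64' and 'attr:< URL'.  Added example for this page, not the ldif
utility itself.  It reproduces the behaviour in the NOTE above: a file: URL is
dereferenced only when the LDIF declares 'version: 1'; otherwise the URL text
becomes the attribute value.  'file:///path' and 'file:/path' are both accepted,
since the text says one slash is tolerated.  Only file: URLs are handled, an
assumption of this example; the sample LDIF and photo bytes are constructed."""
import base64
import os
import re
import tempfile

_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(:<|::|:) ?(.*)$")


def _unfold(text):
    """Join folded lines and drop comments; '' marks an entry boundary."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _file_url_path(url):
    """'file:///tmp/x' and 'file:/tmp/x' both map to '/tmp/x'."""
    return "/" + url[len("file:"):].lstrip("/")


def parse_ldif(text):
    """Return a list of entries, each {lowercased attr: [bytes values]} with 'dn' included."""
    version_one = False
    entries, current = [], None
    for line in _unfold(text) + [""]:
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        match = _ATTR_LINE.match(line)
        if not match:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, rest = match.group(1).lower(), match.group(2), match.group(3).strip()
        if attr == "version" and current is None:
            version_one = rest == "1"
            continue
        if sep == "::":
            value = base64.b64decode(rest)
        elif sep == ":<" and version_one and rest.lower().startswith("file:"):
            with open(_file_url_path(rest), "rb") as handle:
                value = handle.read()
        else:
            # plain value, or ':<' without 'version: 1': the URL text is the value
            value = rest.encode("utf-8")
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
    return entries


def demo(directory=None):
    """Parse the same constructed entry with and without 'version: 1'."""
    directory = directory or tempfile.mkdtemp()
    photo = os.path.join(directory, "myphoto.jpg")
    with open(photo, "wb") as handle:
        handle.write(b"\xff\xd8\xff\xe0-constructed-jpeg-bytes")
    entry = ("dn: uid=bjensen,ou=People,dc=example,dc=com\n"
             "objectClass: inetOrgPerson\n"
             "cn:: QmFyYmFyYSBKZW5zZW4=\n"            # base64 of 'Barbara Jensen'
             f"jpegPhoto:< file://{photo}\n")          # three slashes
    one_slash = ("dn: uid=pfuentes,ou=People,dc=example,dc=com\n"
                 f"jpegPhoto:< file:{photo}\n")         # one slash, also accepted
    return {
        "with_version": parse_ldif("version: 1\n\n" + entry + "\n" + one_slash),
        "without_version": parse_ldif(entry),
    }


if __name__ == "__main__":
    for label, entries in demo().items():
        print(label, entries[0]["jpegphoto"][0][:16])
```

Running demo() shows the difference directly: with "version: 1" both entries carry the JPEG bytes, without it the first entry's jpegPhoto is the string "file:///...".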
335. ...[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="(objectclass=nsMappingTree)" attrs="nsslapd-state"
[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0

Example 5.2. Access Log Extract with Internal Access Operations Level (Level 4)

Access log level 4 enables logging for internal operations, which log the search base, scope, filter, and requested search attributes in addition to the details of the search being performed.

In the following example, access logging level 768 is enabled (512 + 256), which logs access to entries and referrals. In this extract, six entries and one referral are returned in response to the search request, which is shown on the first line.

[12/Jul/2009:16:43:02 +0200] conn=306 fd=60 slot=60 connection from 127.0.0.1 to 127.0.0.1
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(description=*)" attrs=ALL
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Special...
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=Accounting Managers,ou=groups,dc=example,dc=com"
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=HR Managers,ou=groups,dc=example,dc=com"
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=QA Managers,ou=groups,dc=example,dc=com"
[12/Jul/2009:16:43:02 +0200] conn=306 op=0...
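The access-log extracts on this page (the default-level BIND/RESULT/ABANDON lines, the ABANDON targetop=NOTFOUND variant, and the level-4 and level-768 lines above) share one line format: a bracketed timestamp, conn=, then key=value fields around an operation keyword. The following is an added example for this page, not a Red Hat tool: a parser for that format plus two checks a reviewer runs over it, finding ABANDON messages whose target operation was not found and BINDs as the root DN from a non-local address. SAMPLE_LOG is constructed in the format of the extracts; its addresses are taken from the documentation ranges rather than from the page.

```python
"""Parser for the Directory Server access-log lines shown in the extracts above
(connection, BIND, RESULT, SRCH, ENTRY, EXT, ABANDON, UNBIND, closed) and two
checks a reviewer runs over them: ABANDON operations whose target was not
found, and binds as the root DN from a non-local address.  Added example for
this page, not a Red Hat tool; SAMPLE_LOG is constructed in the format of the
extracts (203.0.113.0/24 and 192.0.2.0/24 are documentation address ranges)."""
import re

SAMPLE_LOG = """\
[21/Apr/2009:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0
[21/Apr/2009:11:39:52 -0700] conn=12 op=3 UNBIND
[21/Apr/2009:11:39:52 -0700] conn=12 op=3 fd=634 closed - U1
[21/Apr/2009:11:39:53 -0700] conn=13 fd=659 slot=659 connection from 203.0.113.51 to 192.0.2.139
[21/Apr/2009:11:39:53 -0700] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2009:11:39:53 -0700] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:53 -0700] conn=13 op=1 EXT oid="2.16.840.1.113730.3.5.3"
[21/Apr/2009:11:39:54 -0700] conn=15 op=2 ABANDON targetop=NOTFOUND msgid=2
[12/Jul/2009:16:43:02 +0200] conn=306 fd=60 slot=60 connection from 127.0.0.1 to 127.0.0.1
[12/Jul/2009:16:43:02 +0200] conn=306 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[12/Jul/2009:16:43:02 +0200] conn=306 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(description=*)" attrs=ALL
[12/Jul/2009:16:43:02 +0200] conn=306 op=1 ENTRY dn="cn=Accounting Managers,ou=groups,dc=example,dc=com"
[12/Jul/2009:16:43:02 +0200] conn=306 op=1 ENTRY dn="cn=HR Managers,ou=groups,dc=example,dc=com"
[12/Jul/2009:16:43:02 +0200] conn=306 op=1 RESULT err=0 tag=101 nentries=2 etime=0
[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=config" scope=0 filter="(objectclass=*)" attrs="nsslapd-state"
"""

_HEAD = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\w+) (?P<rest>.*)$")
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_FROM_TO = re.compile(r"connection from (\S+) to (\S+)")


def parse_line(line):
    """Turn one access-log line into a dict: ts, conn, every key=value field,
    and 'event' (the operation keyword, 'connection', or 'closed').
    Returns None for lines that are not in this format."""
    head = _HEAD.match(line)
    if not head:
        return None
    rec = {"ts": head.group("ts"), "conn": head.group("conn")}
    rest = head.group("rest")
    for key, raw, quoted in _KV.findall(rest):
        rec[key] = quoted if raw.startswith('"') else raw
    words = _KV.sub("", rest).split()
    rec["event"] = words[0] if words else ""
    from_to = _FROM_TO.search(rest)
    if from_to:
        rec["from"], rec["to"] = from_to.groups()
    return rec


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def abandon_not_found(records):
    """ABANDON messages the server could not pair with a running operation."""
    return [r for r in records if r["event"] == "ABANDON" and r.get("targetop") == "NOTFOUND"]


def remote_root_binds(records, root_dn="cn=Directory Manager", local=("127.0.0.1", "::1")):
    """BINDs as the root DN on connections that did not come from a local address."""
    origin = {r["conn"]: r["from"] for r in records if r["event"] == "connection"}
    return [r for r in records
            if r["event"] == "BIND" and r.get("dn", "").lower() == root_dn.lower()
            and origin.get(r["conn"]) not in local]


def entries_returned(records, conn, op):
    """DNs logged with ENTRY for one operation (access log level 512)."""
    return [r["dn"] for r in records
            if r["event"] == "ENTRY" and r["conn"] == conn and r.get("op") == op]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("abandon without target:", [(r["conn"], r["op"]) for r in abandon_not_found(recs)])
    print("remote root binds:", [(r["conn"], r["ts"]) for r in remote_root_binds(recs)])
    print("entries for conn 306 op 1:", entries_returned(recs, "306", "1"))
```

The parser keeps conn= as a string so that the conn=Internal lines of level 4 logging are handled like any other connection, and the ENTRY helper only has data to return when level 512 is enabled, as the text explains.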
336. ...n turned on and configured for the Directory Server. For more information on certificate-based authentication and on creating a certificate database for use with LDAP clients, see the Managing SSL chapter in the Directory Server Administrator's Guide. Ensure that the Directory Server's encrypted port is specified when using these options.

Option / Description
  Specifies that hostnames should be checked in SSL certificates.
  Specifies the SSL key password file that contains the token:password pair.
  -K   Specifies the path, including the filename, of the private key database of the client. Either the absolute path or the path relative to the server root can be specified. The -K option must be used when the key database has a different name than key3.db, or when the key database is not under the same directory as the certificate database (the cert8.db file, the path for which is specified with the -P option).
  -N   Specifies the certificate name to use for certificate-based client authentication, for example -N "Server-Cert". If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.
  -P   Specifies the absolute path, including the filename, of the certificate da...
337. name / Purpose:
10rfc2307.ldif: Schema from RFC 2307, "An Approach for Using LDAP as a Network Information Service". This may be superseded by 10rfc2307bis, the new version of rfc2307, when that schema becomes available.
20subscriber.ldif: Contains new schema elements and the Nortel subscriber interoperability specification. Also contains the adminRole and memberOf attributes and the inetAdmin object class, previously stored in the 50ns-delegated-admin.ldif file.
25java-object.ldif: Schema from RFC 2713, "Schema for Representing Java Objects in an LDAP Directory".
28pilot.ldif: Contains pilot directory schema from RFC 1274, which is no longer recommended for new deployments. Future RFCs which succeed RFC 1274 may deprecate some or all of the 28pilot.ldif attribute types and classes.
30ns-common.ldif: Schema that contains object classes and attributes common to the Directory Server Console framework.
50ns-admin.ldif: Schema used by Red Hat Administration Server.
50ns-certificate.ldif: Schema for Red Hat Certificate Management System.
50ns-directory.ldif: Contains additional configuration schema used by Directory Server 4.12 and earlier versions of the directory, which is no longer applicable to current releases of Directory Server. This schema is required for replicating between Directory Server 4.12 and current releases.
50ns-mail.ldif: Schema used by Netscape Messaging Server to define mail users an
338. nfig

3.4.3. Database Attributes under cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and cn=userRoot,cn=ldbm database,cn=plugins,cn=config

The cn=NetscapeRoot and cn=userRoot subtrees contain configuration data for (or the definition of) the databases containing the o=NetscapeRoot and o=userRoot suffixes. The cn=NetscapeRoot subtree contains the configuration data used by the Administration Server for authentication and all actions that cannot be performed through LDAP (such as start and stop), and the cn=userRoot subtree contains all the configuration data for the user-defined database.

The cn=userRoot subtree is called userRoot by default. However, this is not hard-coded, and given the fact that there are going to be multiple database instances, this name is changed and defined by the user as and when new databases are added. The cn=userRoot database referenced can be any user database.

The following attributes are common to both the cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and the user database (such as cn=userRoot or cn=database_name,cn=ldbm database,cn=plugins,cn=config) subtrees.

3.4.3.1. nsslapd-cachesize

This attribute has been deprecated. To resize the entry cache, use nsslapd-cachememsize.

This performance-tuning-related attribute specifies the cache size in terms of the number of entries it can hold. However, this attribute is deprecated in favor of the nsslapd-cachememsize attribute, which sets an abso
339. ng. It is stored as an LDAP subentry below the branch it affects.
Contains a list of the shared attribute values. See also template entry.
A background process on a Unix machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning.
Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory.
The server that is the master source of a particular piece of data.
An implementation of chaining. The database link behaves like a database but has no persistent storage. Instead, it points to data stored remotely.
One of a set of default indexes created per database instance. Default indexes can be modified, although care should be taken before removing them, as certain plug-ins may depend on them.
See CoS definition entry.
See DAP.
The privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the Directory Manager.
A database application designed to manage descriptive, attribute-based information about people and resources within an organization.
The logical representation of the information stored in the directory. It mirrors the tree model used by most filesystems, with the tree's root point appearing at the top of the hierarchy. Also known as DIT.
String representation of an entry's name and location in an LDAP directory.
See directory tree.
See Directory Manager.
See di
340. ng the db2ldif script. Once the modification has been made, reload the databases using the ldif2db script.

WARNING: This parameter should only be used by very advanced users.

Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range: 0 to 8
Default Value: 0
Syntax: Integer
Example: nsslapd-db-idl-divisor: 2

3.4.1.12. nsslapd-db-logbuf-size

This attribute specifies the log information buffer size. Log information is stored in memory until the buffer fills up or the transaction commit forces the buffer to be written to disk. Larger buffer sizes can significantly increase throughput in the presence of long-running transactions, highly concurrent applications, or transactions producing large amounts of data. The log information buffer size is the transaction log size divided by four.

Chapter 3. Plug-in Implemented Server Functionality Reference

The nsslapd-db-logbuf-size attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on.

Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range: 32K to the maximum 32-bit integer, limited to the amount of memory available on the machine
Default Value: 32K
Syntax: Integer
Example: nsslapd-db-logbuf-size: 32K

3.4.1.13. nsslapd-db-logdirectory

This attribute specifies the path and directory name of the directory containing the da
341. nges (master to hub, etc.), this value needs to be specified. Otherwise, the server will not use the correct changelog database and replication fails. This attribute is destined for internal use only.

Entry DN: cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: a UID identifies the replica
Default Value:
Syntax: DirectoryString
Example: nsDS5ReplicaName: 66a2b699-1dd211b2-807fa9c3-a58714648

2.3.7.10. nsDS5ReplicaPurgeDelay

This attribute controls the maximum age of deleted entries (tombstone entries) and state information. The Directory Server stores tombstone entries and state information so that when a conflict occurs in a multi-master replication process, the server resolves the conflicts based on the timestamp and replica ID stored in the change sequence numbers.

An internal Directory Server housekeeping operation periodically removes tombstone entries which are older than the value of this attribute, in seconds. State information which is older than the nsDS5ReplicaPurgeDelay value is removed when an entry which contains the state information is modified. Not every tombstone and state information may be removed, because with multi-master replication the server may need to keep a small number of the latest updates to prime replication, even if they are older than the value of the attribute.
342. nisms that allow anonymous access.

Example: -o mech=GSSAPI -o secprop=noplain,noanonymous,maxssf=56,minssf=56

Chapter 6. Command Line Utilities

Option / Required or Optional / Description / Example:
minssf: Require a minimum security strength. This option needs a numeric value specifying bits of encryption. A value of 1 means integrity is provided without privacy.
maxssf: Require a maximum security strength. This option needs a numeric value specifying bits of encryption. A value of 1 means integrity is provided without privacy. The maximum value is 56.

Table 6.9. Description of GSSAPI SASL Mechanism Options

Additional ldapsearch Options

Option / Description:
-1: Leaves out the opening "version: 1" line from the LDIF output.
-A: Specifies that the search retrieve the attributes only, not the attribute values. This option is useful to determine if an attribute is present for an entry and the value is not important.
-a: Specifies how alias dereferencing is completed. Values can be never, always, search, or find. The default value is never.
-B: Print non-ASCII values using the old output format, attrName: attrValue.
Specifies the getEffectiveRights control authzid. For example: dn:uid=bjensen,dc=example,dc=com. A value of "" means the authorization ID for the operation. A value of "dn:" means anonymous.
Reports the bind identity used for the search.
343. normal

4.1. Overview of Directory Server Files

NOTE: In examples and sample code, paths assume that the Directory Server is installed on Red Hat Enterprise Linux 5 (32-bit), which has an instance directory of /etc/dirsrv/slapd-instance_name. If the Directory Server is on a different platform, adjust the paths accordingly.

The files, tools, and scripts used by Directory Server are in the locations listed in the following directories.

File or Directory / Location:
Backup files: /var/lib/dirsrv/slapd-instance_name/bak
Configuration files: /etc/dirsrv/slapd-instance_name
Database files: /var/lib/dirsrv/slapd-instance_name/db
LDIF files: /var/lib/dirsrv/slapd-instance_name/ldif
Lock files: /var/lock/dirsrv/slapd-instance_name
Log files: /var/log/dirsrv/slapd-instance_name
PID files: /var/run/dirsrv
Tools: /usr/bin, /usr/sbin, /usr/lib/mozldap
Instance directory: /etc/dirsrv/slapd-instance_name

Table 4.1. Red Hat Enterprise Linux 4 and 5 (x86)

File or Directory / Location:
Backup files: /var/lib/dirsrv/slapd-instance_name/bak
Configuration files: /etc/dirsrv/slapd-instance_name
Database files: /var/lib/dirsrv/slapd-instance_name/db
LDIF files: /var/lib/dirsrv/slapd-instance_name/ldif
Lock file: /var/lock/dirsrv/slapd-instance_name

The /lib directory only applies to Red Hat Enterprise Linux 32-bit systems. On Red Hat Enterprise Linux 64-bit systems, th
344. nsslapd-accesslog-logrotationsyncmin attributes to 0.

Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-accesslog-logrotationsync-enabled: on

2.3.1.11. nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)

This attribute sets the hour of the day for rotating access logs. This attribute must be used in conjunction with the nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes.

Chapter 2. Core Server Configuration Reference

Entry DN: cn=config
Valid Range: 0 through 23
Default Value: 0
Syntax: Integer
Example: nsslapd-accesslog-logrotationsynchour: 23

2.3.1.12. nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)

This attribute sets the minute of the day for rotating access logs. This attribute must be used in conjunction with the nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.

Entry DN: cn=config
Valid Range: 0 through 59
Default Value: 0
Syntax: Integer
Example: nsslapd-accesslog-logrotationsyncmin: 30

2.3.1.13. nsslapd-accesslog-logrotationtime (Access Log Rotation Time)

This attribute sets the time between access log file rotations. The access log is rotated when this time interval i
346. nstance config,cn=chaining database,cn=plugins,cn=config
Valid Range: 1 to 25 binds
Default Value: 10
Syntax: Integer
Example: nsConcurrentBindLimit: 10

3.5.2.7. nsConcurrentOperationsLimit

This attribute specifies the maximum number of concurrent operations allowed.

Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range: 1 to 50 operations
Default Value: 2
Syntax: Integer
Example: nsConcurrentOperationsLimit: 5

3.5.2.8. nsConnectionLife

This attribute specifies connection lifetime. Connections between the database link and the remote server can be kept open for an unspecified time or closed after a specific period of time. It is faster to keep the connections open, but it uses more resources. When the value is 0 and a list of failover servers is provided in the nsFarmServerURL attribute, the main server is never contacted after failover to the alternate server.

Entry DN: cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range: 0 to limitless seconds, where 0 means forever
Default Value:
Syntax: Integer
Example: nsConnectionLife: 0

3.5.2.9. nsOperationConnectionsLimit

This attribute shows the maximum number of LDAP connections the database
347. nt of the cache space and split the remaining 40 percent between the backend entry caches. That is, if there were two databases, each of them would receive 20 percent. This attribute only applies when the nsslapd-cache-autosize attribute has a value of 0.

NOTE: If the nsslapd-cache-autosize attribute and the nsslapd-cache-autosize-split attribute are both set to high values, such as 106, then the Directory Server may fail to start and return an error message. To fix this issue, reset the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes to a more reasonable level. For example:
nsslapd-cache-autosize: 60
nsslapd-cache-autosize-split: 60

Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range: 0 to 99
Default Value: 50 (this will not necessarily optimize operations)
Syntax: Integer
Example: nsslapd-cache-autosize-split: 50

3.4.1.5. nsslapd-dbcachesize

This performance-tuning-related attribute specifies the database index cache size, in bytes. This is one of the most important values for controlling how much physical RAM the directory server uses. This is not the entry cache. This is the amount of memory the Berkeley database backend will use to cache the indexes (the .db4 files) and other files. This value is passed to the Berkeley DB API function set_cachesize. If automatic cache resizing i
348. ntry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-pwpolicy-local: off

2.3.1.86. nsslapd-readonly (Read-Only)

This attribute sets whether the whole server is in read-only mode, meaning that neither data in the databases nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.

Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-readonly: off

2.3.1.87. nsslapd-referral (Referral)

This multi-valued attribute specifies the LDAP URLs to be returned by the suffix when the server receives a request for an entry not belonging to the local tree, that is, an entry whose suffix does not match the value specified on any of the suffix attributes. For example, assume the server contains only entries ou=People,dc=example,dc=com, but the request is for this entry: ou=Groups,dc=example,dc=com. In this case, the referral would be passed back to the client in an attempt to allow the LDAP client to locate a server that contains the requested entry. Although only one referral is allowed per Directory Server instance, this referral can have multiple values.

NOTE: To use SSL and TLS communications, the refe
349. nts
db2ldif: Exports the contents of the database to LDIF.
db2index: Reindexes the database index files.
dbverify: Checks backend database files.
ldif2db: Imports LDIF files to the database. Runs the ns-slapd command-line utility with the ldif2db keyword.
ldif2ldap: Performs an import operation over LDAP to the Directory Server.
monitor: Retrieves performance monitoring information using the ldapsearch command-line utility.
restart-slapd: Restarts Directory Server.
restoreconfig: Restores, by default, the most recently saved Administration Server configuration to the NetscapeRoot partition.
saveconfig: Saves Administration Server configuration stored in the NetscapeRoot database to the /var/lib/dirsrv/slapd-instance_name/bak directory.

Chapter 7. Command Line Scripts

start-slapd: Starts Directory Server.
stop-slapd: Stops Directory Server.
suffix2instance: Maps a suffix to a backend name.
verify-db.pl: Checks backend database files.
vlvindex: Creates and generates virtual list view (VLV) indexes.

Table 7.1. Shell Scripts in /usr/lib/dirsrv/slapd-instance_name or /usr/lib64/dirsrv/slapd-instance_name

Perl Script / Description:
bak2db.pl: Restores the database from the most recent archived backup.
db2bak.pl: Creates a backup of the current database contents.
db2index.pl: Creates and regenerates indexes.
db2ldif.pl: Exports the contents of the database
350. o the NMS. Each managed object is identified with an official name and a numeric identifier expressed in dot-notation.
Allows creation of an explicit enumerated list of members.
See MIB.
A data structure that associates the names of suffixes (subtrees) with databases.

Glossary

master: See supplier.
master agent: See SNMP master agent.
matching rule: Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use.
MD5: A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data that is unique with high probability and is mathematically extremely hard to produce a piece of data that will produce the same message digest.
MD5 signature: A message digest produced by the MD5 algorithm.
MIB: Management Information Base. All data, or any portion thereof, associated with the SNMP network. We can think of the MIB as a database which contains the definitions of all SNMP managed objects. The MIB has a tree-like hierarchy, where the top level contains the most general information about the network and lower levels deal with specific, separate network a
Further terms in this part of the glossary: MIB namespace; monetary format; multi-master replication; multiplexor; N; n+1 directory problem; name collisions; nested role; network management application; network management station.
351. of this plug-in. Red Hat recommends leaving this plug-in running at all times.

3.1.36. Views Plug-in

Plug-in Name: Views Plug-in
DN of Configuration Entry: cn=Views,cn=plugins,cn=config
Description: Enables the use of views in the Directory Server databases.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: Database
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

3.2. List of Attributes Common to All Plug-ins

This list provides a brief attribute description, the entry DN, valid range, default value, syntax, and an example for each attribute.

3.2.1. nsSlapdPlugin

Each Directory Server plug-in belongs to the nsSlapdPlugin object class. This object class is defined in Directory Server.

Superior Class: top
OID: 2.16.840.1.113730.3.2.41

Required Attributes (Attribute / Definition):
objectClass: Gives the object classes assigned to the entry.
cn: Gives the common name of the entry.
nsslapd-pluginPath: Identifies the plugin library name (without the library suffix).
nsslapd-pluginInitfunc: Identifies an initialization function of the plugin.
nsslapd-pluginType: nsslapd-p
353. ogfile_name
-l: This parameter specifies a log file to which to write the output. If this is not set, then the migration information is written to a temporary file named /tmp/migratexxxxx.log. To disable logging, set /dev/null as the logfile.

7.4.11. ns-accountstatus.pl (Establishes Account Status)

Provides account status information to establish whether an entry or group of entries is inactivated.

Syntax:
ns-accountstatus.pl -D rootdn {-w password | -W | -j filename} -p port -h host -I DN

Options (Option / Description):
-D rootdn: Specifies the Directory Server user DN with root permissions, such as Directory Manager.
-h host: Specifies the hostname of the Directory Server. The default value is the full hostname of the machine where Directory Server is installed.
-I DN: Specifies the entry DN or role DN whose status is required.
-j filename: Specifies the path, including the filename, to the file that contains the password associated with the user DN.
-p port: Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time.
-w password: Specifies the password associated with the user DN.
-W: Prompts for the password associated with the user DN.
Opens the help page.

Table 7.28. ns-accountstatus.pl Options

7.4.12. ns-activat
355. ome of these attributes are common to all plug-ins, while others may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.

All plug-ins are instances of the nsSlapdPlugin object class, which in turn inherits from the extensibleObject object class. For plug-in configuration attributes to be taken into account by the server, both of these object classes, in addition to the top object class, must be present in the entry, as shown in the following example:

dn: cn=ACL Plugin,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject

3.1. Server Plug-in Functionality Reference

The following tables provide a quick overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance-related information, and further reading. These tables assist in weighing plug-in performance gains and costs and choosing the optimal settings for the deployment. The Further Information section cross-references further reading, where this is available.

3.1.1. 7-bit Check Plug-in

Plug-in Name: 7-bit check (NS7bitAtt)
DN of Configuration Entry: cn=7-bit check,cn=plugins,cn=config
Description: Checks certain attributes are 7-bit clean.
Configurable Options: on | off
Default Setting: on
356. on Status

Syntax:
repl-monitor -h host -p port -f configFile -u refreshUrl -t refreshInterval -r -v

Options (Option / Description):
-h host: Specifies the initial replication supplier's host. The default value is the current hostname.
-f configFile: Specifies the absolute path to the configuration file which defines the connection parameters used to connect to LDAP servers to get replication information. For more information about the configuration file, see Configuration File Format.
-p port: Specifies the initial replication supplier's port. The default value is 389.
-r: If specified, causes the routine to be entered without printing the HTML header information. This is suitable when making multiple calls to this routine, such as specifying multiple different unrelated supplier servers and expecting a single HTML output.
-t refreshInterval: Specifies the refresh interval in seconds. The default value is 300 seconds. This option must be used with the -u option.
-u refreshUrl: Specifies the refresh URL. The output HTML file may invoke a CGI program periodically. If this CGI program in turn calls this script, the effect is that the output HTML file would automatically refresh itself. This is useful for continuous monitoring. See also the -t option.

The script has been integrated into Red Hat Administration Express, so
357. ond changelog, a plug-in referred to as the retro changelog, is intended for use by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. This Retro Changelog Plug-in is used to record modifications made to a supplier server. When the supplier server's directory is modified, an entry is written to the Retro Changelog that contains both of the following:
A number that uniquely identifies the modification. This number is sequential with respect to other entries in the changelog.
The modification action; that is, exactly how the directory was modified.

It is through the Retro Changelog Plug-in that the changes performed to the Directory Server are accessed, using searches to the cn=changelog suffix.

3.6.1. nsslapd-changelogdir

This attribute specifies the name of the directory in which the changelog database is created the first time the plug-in is run. By default, the database is stored with all the other databases under /var/lib/dirsrv/slapd-instance_name/changelogdb.

NOTE: For performance reasons, store this database on a different physical disk.

The server has to be restarted for changes to this attribute to go into effect.

Entry DN: cn=Retro Changelog Plugin,cn=plugins,cn=config
Valid Values: Any valid path to the directory
Default Value: None
Syntax: DirectoryString
358. one
Dependencies: Database
Performance Related Information:
Further Information:

3.1.16. Integer Syntax Plug-in

Plug-in Name: Integer Syntax
DN of Configuration Entry: cn=Integer Syntax,cn=plugins,cn=config
Description: Syntax for handling integers.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

3.1.17. Internationalization Plug-in

Plug-in Name: Internationalization Plug-in
DN of Configuration Entry: cn=Internationalization Plugin,cn=plugins,cn=config
Description: Enables internationalized strings to be ordered in the directory.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: The Internationalization Plug-in has one argument, which must not be modified, which specifies the location of the /etc/dirsrv/config/slapd-collations.conf file. This file stores the collation orders and locales used by the Internationalization Plug-in.
Dependencies: None
Performance Related Information: Do not modif
359. one (for no unique ID to be generated) and deterministic (for the generated unique ID to be name-based). By default, a time-based unique ID is generated. When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use, as follows:
-g deterministic namespace_id
namespace_id is a string of characters in the format 00-XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX. Use this option to import the same LDIF file into two different Directory Servers when the contents of both directories should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server, regardless of the options specified.
-G namespaceId: Generates a namespace ID as a name-based unique ID. This is the same as specifying the -g deterministic option.
-i ldifFile: Gives the names of the input LDIF files. When multiple files are imported, they are imported in the order they are specified on the command line.
-n backendInstance: Gives the instance to be imported. Ensure that the specified instance corresponds to the suffix contained by the LDIF file; otherwise, the data contained by the database is deleted and the import fails.
-O: Requests that only the core database is created, without attribute indexes.
-s in
360. only connect to the server with autobind if LDAPI is enabled (nsslapd-ldapilisten and nsslapd-ldapifilepath) and autobind is enabled (nsslapd-ldapiautobind).

Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-ldapimaptoentries: on

2.3.1.71. nsslapd-ldapiuidnumbertype

Autobind can be used to authenticate system users to the server automatically and connect to the server using a UNIX socket. To map the system user to a Directory Server user for authentication, the system user's UID and GUID numbers must be mapped to a Directory Server attribute. The nsslapd-ldapiuidnumbertype attribute points to the Directory Server attribute to map system UIDs to user entries. Users can only connect to the server with autobind if LDAPI is enabled (nsslapd-ldapilisten and nsslapd-ldapifilepath), autobind is enabled (nsslapd-ldapiautobind), and autobind mapping is enabled for regular users (nsslapd-ldapimaptoentries).

Entry DN: cn=config
Valid Values: Any Directory Server attribute
Default Value: uidNumber
Syntax: DirectoryString
Example: nsslapd-ldapiuidnumbertype: uidNumber

2.3.1.72. nsslapd-listenhost (Listen to IP Address)

This attribute allows multiple Directory Server instances to run on a multihomed machine, or makes it possible to limit listening to
362. ons to be carried out on all configuration attributes by the following users:
- Members of the Configuration Administrators group.
- The user acting as the administrator, the admin account that was configured at setup. By default, this is the same user account which is logged into the Console.
- Members of the local Directory Administrators group.
- The SIE (Server Instance Entry) group, usually assigned using the Set Access Permissions process in the main console.
For more information on access control, see the Directory Server Administrator's Guide.

2.2.2 Changing Configuration Attributes
Server attributes can be viewed and changed in one of three ways: through the Directory Server Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.
NOTE: Before editing the dse.ldif file, the server must be stopped; otherwise, the changes are lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See "Configuration Changes Requiring Server Restart" for further information.
The following sections describe how to modify entries using LDAP, both by using Directory Server Console and by using the command line; the restrictions that apply to modifying entries; the restrictions that apply to modifying attributes; and the configuration changes requiring restart.

2.2.2.1 Modifying Configuration Entries Using LDAP
The configuration entries in the director
363. opy in the nsArchiveDir attribute and the type of database being backed up in the nsDatabaseTypes attribute. Additionally, it must contain a unique cn to identify the task. For example:
dn: cn=example backup,cn=backup,cn=tasks,cn=config
objectclass: extensibleObject
cn: example backup
nsArchiveDir: /export/backups/
nsDatabaseType: ldbm database
As the backup operation runs, the task entry will contain all of the server-generated task attributes listed in Section 2.3.15.1, "Task Invocation Attributes for Entries under cn=tasks".

nsArchiveDir
This attribute gives the location of the directory to which to write the backup. The backup directory here should usually be the same as the one configured in the nsslapd-bakdir attribute. If this attribute is not included with the cn=backup task, the task will fail with an LDAP object class violation error (65).
Entry DN: cn=task_name,cn=backup,cn=tasks,cn=config
Valid Values: Any local directory location
Default Value:
Syntax: Case-exact string
Example: nsArchiveDir: /export/backups/

nsDatabaseTypes
This attribute gives the kind of database being archived. Setting the database types signals what kind of backup plug-in the Directory Server should use to archive the database.
Entry DN: cn=task_name,cn=backup,cn=tasks,cn=config
Valid Values: ldbm database
Default Value: ldbm databas
364. or suffix configuration attributes to be taken into account by the server, these object classes, in addition to the top object class, must be present in the entry. The suffix DN should be quoted, because the suffix DN contains characters such as equals signs, commas, and space characters that must be quoted or escaped to appear as a value in another DN.

2.3.6.1 nsslapd-state
Determines how the suffix handles operations.
Entry DN: cn="suffix",cn=mapping tree,cn=config
Valid Values: backend | disabled | referral | referral on update
- backend means the backend database is used to process all operations.
- disabled means the database is not available for processing operations. The server returns a "No such search object" error in response to requests made by client applications.
- referral means a referral is returned for requests made to this suffix.
- referral on update means the database is used for all operations except update requests, which receive a referral.
Default Value: backend
Syntax: DirectoryString

2.3.6.2 nsslapd-backend
Gives the name of the database or database link used to process requests. This attribute can be multi-valued, with one database or database link per value. This attribute is required when the value of the nsslapd-state attribute is
365. or Restoring and Backing up Databases: db2archive
Options:
-D configDir: Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
-a archiveDir: Specifies the archive directory.
Table A.3. archive2db Options

A.6 Utilities for Restoring and Backing up Databases: db2archive
Backs up all databases to the archives.
Syntax: ns-slapd db2archive -D configDir -a archiveDir
Options:
-D configDir: Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
-a archiveDir: Specifies the archive directory.
Table A.4. db2archive Options

A.7 Utilities for Creating and Regenerating Indexes: db2index
Creates and regenerates indexes.
Syntax: ns-slapd db2index -D configDir -d debugLevel -n backendName -t attributeName[:indexTypes[:matchingRules]] -T vlvTag
Options:
-d debugLevel: Specifies the debug level to use during index creation. For further information, refer to Section 2.3.1.4
-D configDir:
-n backendName:
366. ore databases. This attribute can contain optional servers for failover, separated by spaces. If using cascading chaining, this URL can point to another database link.
Entry DN: cn=database_link_name,cn=chaining database,cn=plugins,cn=config
Valid Values: Any valid remote server LDAP URL
Default Value:
Syntax: DirectoryString
Example: nsFarmServerURL: ldap://farm1.example.com:389 ldap://farm2.example.com:1389

3.5.3.3 nsMultiplexorBindDn
This attribute gives the DN of the administrative entry used to communicate with the remote server. The multiplexor is the server that contains the database link and communicates with the farm server. This bind DN cannot be the Directory Manager, and if this attribute is not specified, the database link binds as anonymous.
Entry DN: cn=database_link_name,cn=chaining database,cn=plugins,cn=config
Valid Values: DN of the multiplexor
Default Value:
Syntax: DirectoryString
Example: nsMultiplexorBindDn: cn=proxy manager

3.5.3.4 nsMultiplexorCredentials
Password for the administrative user, given in plain text. If no password is provided, it means that users can bind as anonymous. The password is encrypted in the configuration file. The example below is what is shown, not what is typed.
Entry DN: cn=database_link_name,cn=chaining database,cn=plugins,cn=config
Valid Values: Any valid passwor
367. ot be reused by users. By default, the password history feature is disabled, meaning that the Directory Server does not store any old passwords, and so users can reuse passwords. Enable password history using the passwordHistory attribute. To prevent users from rapidly cycling through the number of passwords that are tracked, use the passwordMinAge attribute. This can be abbreviated to pwdInHistory. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config
Valid Range: 2 to 24 passwords
Default Value: 6
Syntax: Integer
Example: passwordInHistory: 7

2.3.1.121 passwordIsGlobalPolicy (Password Policy and Replication)
This attribute controls whether password policy attributes are replicated.
Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordIsGlobalPolicy: off

2.3.1.122 passwordKeepHistory
This attribute sets whether a password history is maintained for users.
Entry DN: cn=config
Valid Values: 0 (no history) or 1 (keep history)
Default Value: 0
Syntax: DirectoryString
Example: passwordKeepHistory: 1

2.3.1.123 passwordLockout (Account Lockout)
Indicate
368. ots -o outputFile -c -v
cl-dump.pl -i changelogFile -o outputFile -c -v
Options
Without the -i option, the script must be run while the Directory Server is running, from a location from which the server's changelog directory is accessible.
-c: Dumps and interprets change sequence numbers (CSN) only. This option can be used with or without the -i option.
-D bindDn: Specifies the Directory Server's bind DN. Defaults to cn=Directory Manager if the option is omitted.
-h host: Specifies the Directory Server's host. Defaults to the server where the script is running.
-i changelogFile: Specifies the path to the changelog file. If there is a changelog file and if certain changes in that file are base-64 encoded, use this option to decode that changelog.
-o outputFile: Specifies the path, including the filename, for the final result. Defaults to STDOUT if omitted.
-p port: Specifies the Directory Server's port. The default value is 389.
-P bindCert: Specifies the path, including the filename, to the certificate database that contains the certificate used for binding.
-r replicaRoots: Specifies the replica roots whose changelog to dump. When specifying multiple roots, use commas to separate roots. If the option is omitted, all the replica roots will be dumped.
-v: Prints the version of the script.
370. peration. In the case of a modrdn operation, the targetDn attribute contains the DN of the entry before it was modified or moved.
OID: 2.16.840.1.113730.3.1.6
Syntax: DN
Multi- or Single-Valued: Multi-valued
Defined in: Changelog Internet Draft

2.3.3 cn=encryption
Encryption-related attributes are stored under the cn=encryption,cn=config entry. The cn=encryption,cn=config entry is an instance of the nsslapdEncryptionConfig object class.

2.3.3.1 nsSSLSessionTimeout
This attribute sets the lifetime duration of a TLS/SSL session. The minimum timeout value is 5 seconds. If a smaller value is set, then it is automatically replaced by 5 seconds. A value greater than the maximum value in the valid range below is replaced by the maximum value in the range. The server has to be restarted for changes to this attribute to go into effect.
Entry DN: cn=encryption,cn=config
Valid Range: 5 seconds to 24 hours
Default Value: 0, which means use the maximum value in the valid range above
Syntax: Integer
Example: nsSSLSessionTimeout: 5

2.3.3.2 nsSSLClientAuth
This attribute sets how clients may use certificates to authenticate to the Directory Server for SSL connections. The server has to be restarted for changes to this attribute to go into effect.
Entry DN: cn=encryption,cn=config
Valid Values: off | allowed | required
Default Value: off
371. performance reasons, Red Hat recommends not setting this value to 1, because the server then does not rotate the log, and it grows indefinitely. If the value for this attribute is higher than 1, then check the nsslapd-accesslog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, then there is no log rotation. See Section 2.3.1.13, "nsslapd-accesslog-logrotationtime (Access Log Rotation Time)", for more information.
Entry DN: cn=config
Valid Range: 1 to the maximum 32-bit integer value (2147483647)
Default Value: 10
Syntax: Integer
Example: nsslapd-accesslog-maxlogsperdir: 10

2.3.1.17 nsslapd-accesslog-mode (Access Log File Permission)
This attribute sets the access mode, or file permission, with which access log files are to be created. The valid values are any combination of 000 to 777 (these mirror the numbered, or absolute, UNIX file permissions). The value must be a 3-digit number, the digits varying from 0 through 7:
- 0 None
- 1 Execute only
- 2 Write only
- 3 Write and execute
- 4 Read only
- 5 Read and execute
- 6 Read and write
- 7 Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's per
372. ple LDIF file, similar to Example.ldif, except that it uses roles and class of service instead of groups for setting access control and resource limits for directory administrators.
NOTE: The LDIF files exported by the db2ldif or db2ldif.pl scripts in the instance directory are stored in /var/lib/dirsrv/slapd-instance_name/ldif.

4.6 Lock Files
Each Directory Server instance contains a /var/lock/dirsrv/slapd-instance_name directory for storing lock-related files. The following is a sample listing of the locks directory contents:
exports
imports
server
Example 4.4. Lock Directory Contents
The lock mechanisms stored in the exports, imports, and server subdirectories prevent multiple simultaneous operations from conflicting with each other. The lock mechanisms allow for one server instance to run at a time, with possible multiple export jobs. They also permit one ldif2db import operation at a time (not ldif2db.pl), because multiple ldif2db.pl operations can be run at any time, to the exclusion of all export and slapd server operations.
If there are error messages indicating that the lock table is out of available locks (for example, libdb: Lock table is out of available locks), double the value of the nsslapd-db-locks attribute in the cn=config,cn=ldbm database,cn=plugins,cn=config entry. For example, if the current value is 10000, set it to 20000. If the problem persists, double the number again. To monitor the current and maximum num
373. ple: nsslapd-rootdn: cn=Directory Manager

2.3.1.93 nsslapd-rootpw (Root Password)
This attribute sets the password associated with the Manager DN. When the root password is provided, it is encrypted according to the encryption method selected for the nsslapd-rootpwstoragescheme attribute. When viewed from the server console, this attribute shows the value. When viewed from the dse.ldif file, this attribute shows the encryption method followed by the encrypted string of the password. The example shows the password as displayed in the dse.ldif file, not the actual password.
WARNING: When the root DN is configured at server setup, a root password is required. However, it is possible for the root password to be deleted from dse.ldif by directly editing the file. In this situation, the root DN can only obtain the same access to the directory as is allowed for anonymous access. Always make sure that a root password is defined in dse.ldif when a root DN is configured for the database. The pwdhash command-line utility can create a new root password. For more information, see
Entry DN: cn=config
Valid Values: Any valid password encrypted by any one of the encryption methods which are described in Section 2.3.1.142, "passwordStorageScheme (Password Storage Scheme)"
Default Value:
Syntax: DirectoryString {encryption_method}encrypted_Password
Example: nsslapd-rootpw: {SSHA}9Eko69APCJfF
374. ppress sending of the request control with the bind request, include -g on the command line.
Specifies the name of the host on which the server is running. For example, -h cyclops. The default is localhost.
Specifies the SSL key password file that contains the token:password pair.
Specifies the path, including the filename, of the private key database of the client. This can be the absolute path or the path relative to the server root. The -K option must be used when the key database is not called key3.db or when the key database is not in the same directory as the certificate database (that is, the cert8.db file, the path for which is specified with the -P option).
Specifies the certificate name to use for certificate-based client authentication. For example, -N Server-Cert. If this option is specified, then the -Z and -W options are required. If this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified by -D and -w.
Specifies the absolute path, including the filename, of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be that of the certificate databa
375. pt
A set of rules that governs how passwords are used in a given directory.
Encoded messages which form the basis of data exchanges between SNMP devices. Also protocol data unit.
permission: In the context of access control, permission states whether access to the directory information is granted or denied, and the level of access that is granted or denied. See also access rights.
pointer CoS: A pointer CoS identifies the template entry using the template DN only.
presence index: Allows searches for entries that contain a specific indexed attribute.
protocol: A set of rules that describes how devices on a network exchange information.
protocol data unit: See PDU.
proxy authentication: A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN.
proxy DN: Used with proxied authorization. The proxy DN is the DN of an entry that has access permissions to the target on which the client application is attempting to perform an operation.
PTA: Mechanism by which one Directory Server consults another to check bind credentials. Also pass-through authentication.
PTA LDAP URL
RAM
rc.local
RDN
read-only replica
read-write replica
PTA directory server: In pass-through authentication (PTA), the PTA Directory Server is the server that sends (passes through) bind requests it receives to the authenticating d
376. r cn=config

3.7.10 dnaThreshold
One potential situation with the Distributed Numeric Assignment Plug-in is that one server begins to run out of numbers to assign, which can cause problems. The Distributed Numeric Assignment Plug-in allows the server to request a new range from the available ranges on other servers. So that the server can recognize when it is reaching the end of its assigned range, the dnaThreshold attribute sets a threshold of remaining available numbers in the range. When the server hits the threshold, it sends a request for a new range. For range requests to be performed, the dnaSharedCfgDN attribute must be set.
Entry DN: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range: 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems
Default Value: 100
Syntax: Integer
Example: dnaThreshold: 100

3.7.11 dnaType
This attribute sets which attribute has unique numbers being generated for it. In this case, whenever the attribute is added to the entry without a value or with the magic number, an assigned value is automatically supplied. This is required to set up distributed numeric assignments for an attribute.
Entry DN: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range: Any Directory Server attribute
Default Value: None
Syntax: DirectoryString
Example:
377. r LDAP or using the Console, set it to the cleartext credentials and let the server encrypt the value.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: Any valid password, which is then encrypted using the DES reversible password encryption schema
Default Value:
Syntax: DirectoryString {DES}encrypted_password
Example: nsDS5ReplicaCredentials: {DES}9Eko69APCJfFFO8BA0aDOC

2.3.8.8 nsDS5ReplicaHost
This attribute sets the hostname for the remote server containing the consumer replica. Once this attribute has been set, it cannot be modified.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: Any valid host server name
Default Value:
Syntax: DirectoryString
Example: nsDS5ReplicaHost: ldap2.example.com

2.3.8.9 nsDS5ReplicaLastInitEnd
This optional, read-only attribute states when the initialization of the consumer replica ended.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: YYYYMMDDhhmmssZ is the date/time, in Generalized Time form, at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with
378. r counters can have a minimal improvement on performance, although it negatively affects long-term statistics tracking. This parameter is enabled by default. To disable counters, stop the Directory Server, edit the dse.ldif file directly, and restart the server.
Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-counters: on

2.3.1.40 nsslapd-csnlogging
This attribute sets whether change sequence numbers (CSNs), when available, are to be logged in the access log. By default, CSN logging is turned on.
Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-csnlogging: on

2.3.1.41 nsslapd-ds4-compatible-schema
Makes the schema in cn=schema compatible with 4.x versions of Directory Server.
Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-ds4-compatible-schema: off

2.3.1.42 nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)
This attribute is deprecated and will be removed in a future version of Directory Server. This attribute controls whether quoting in the objectclass attributes contained in the cn=schema entry conforms to the quoting specif
379. r error log records messages for Directory Server transactions and operations. These may be error messages for failed operations, but it also contains general information about the processes of Directory Server and LDAP tasks, such as server startup messages, logins and searches of the directory, and connection information.

Chapter 5. Log File Reference

5.2.1 Error Log Logging Levels
The error log can record different amounts of detail for operations, as well as different kinds of information, depending on the type of error logging enabled. The logging level is set in the nsslapd-errorlog-level configuration attribute. The default log level is 16384, which includes critical error messages and standard logged messages like LDAP result codes and startup messages.
As with access logging, error logging levels are additive. To enable both replication logging (8192) and plug-in logging (65536), set the log level to 73728 (8192 + 65536).
NOTE: Enabling high levels of debug logging can significantly erode server performance. Debug log levels, such as replication (8192), should only be enabled for troubleshooting, not for daily operations.
Console Name / Description:
Trace function calls: Logs a message when the server enters and exits a function.
Packet handling: Logs debug information for packets processed by the server.
Heavy trace output: Logs when the server enters and exits a function wi
380. r in the Directory Server Administrator's Guide.
Entry DN: cn=config
Valid Range: 1 to the maximum 32-bit integer value (2147483647), in seconds
Default Value: 86400 (1 day)
Syntax: Integer
Example: passwordWarning: 86400

2.3.1.145 retryCountResetTime
This attribute specifies the length of time that passes before the passwordRetryCount attribute is reset.
Entry DN: cn=config
Valid Range: 1 to any reasonable integer
Default Value: none
Syntax: Integer
Example: retryCountResetTime: 15

2.3.2 cn=changelog5
Multi-master replication changelog configuration entries are stored under the cn=changelog5 entry. The changelog behaves much like a database, and it has many of the attributes also used by the ldbm databases. The primary cache-related memory attribute, nsslapd-cachememsize, has a default value of 10485760 bytes, which is 10 MB. This parameter is tuned for a single backend replicated to a single consumer. When more backends are replicated, or when one backend is replicated to more than one consumer, tune nsslapd-cachememsize so that its value is 5000000 times the number of replication agreements initiated from the server (5000000 x number of replication agreements). The relationship between the values assigned to the nsslapd-dbcachesize and nsslapd-cachememsize parameters should be the same as the relationship th
381. rameter Description
Entry DN: cn=plug-in name,cn=plugins,cn=config
Default Value: None
Example: nsslapd-pluginDescription: acl access check plug-in

3.3 Attributes Allowed by Certain Plug-ins

3.3.1 nsslapd-pluginLoadNow
This attribute specifies whether to load all of the symbols used by a plug-in immediately (true), as well as all symbols referenced by those symbols, or to load the symbol the first time it is used (false).
Entry DN: cn=plug-in name,cn=plugins,cn=config
Valid Values: true | false
Default Value: false
Syntax: DirectoryString
Example: nsslapd-pluginLoadNow: false

3.3.2 nsslapd-pluginLoadGlobal
This attribute specifies whether the symbols in dependent libraries are made visible locally (false) or to the executable and to all shared objects (true).
Entry DN: cn=plug-in name,cn=plugins,cn=config
Valid Values: true | false
Default Value: false
Syntax: DirectoryString
Example: nsslapd-pluginLoadGlobal: false

3.3.3 nsslapd-plugin-depends-on-type
Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the type number of a plug-in, contained in the attribute nsslapd-pluginType. See Section 3.2.4, n
382. reas Management Information Base.
namespace: The means for directory data to be named and referenced. Also called the directory tree.
Specifies the monetary symbol used by a specific region, whether the symbol goes before or after its value, and how monetary units are represented.
An advanced replication scenario in which two servers each hold a copy of the same read-write replica. Each server maintains a changelog for the replica. Modifications made on one server are automatically replicated to the other server. In case of conflict, a time stamp is used to determine which server holds the most recent version.
The server containing the database link that communicates with the remote server.
The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs.
Multiple entries with the same distinguished name.
Allows the creation of roles that contain other roles.
Network Management Station component that graphically displays information about SNMP-managed devices, such as which device is up or down and which and how many error messages were received.
See NMS.
NIS
NMS
ns-slapd
object class
object identifier
OID
operational attribute
parent access
pass-through authentication
pass-through subtree
password file
password policy
PDU
Network Information Service. A system of programs and data files that Unix
383. rectoryString
Example: nsDS7DirsyncCookie: kKnDKJFBZsjBDSCkjsdhIU74DJJVBXDh

2.3.9.3 nsds7NewWinGroupSyncEnabled
This attribute sets whether a new group created in the Windows sync peer is automatically synchronized by creating a new group on the Directory Server.
Entry DN: cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: on | off
Default Value:
Syntax: DirectoryString
Example: nsDS7NewWinGroupSyncEnabled: on

2.3.9.4 nsds7NewWinUserSyncEnabled
This attribute sets whether a new entry created in the Windows sync peer is automatically synchronized by creating a new entry on the Directory Server.
Entry DN: cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: on | off
Default Value:
Syntax: DirectoryString
Example: nsDS7NewWinUserSyncEnabled: on

2.3.9.5 nsds7WindowsDomain
This attribute sets the name of the Windows domain to which the Windows sync peer belongs.
Entry DN: cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: Any valid domain name
Default Value:
Syntax: DirectoryString
Example: nsDS7WindowsDomain: DOMAINWORLD

2.3.9.6 nsds7WindowsReplicaSubtree
The suffix or DN o
384. rgest and most frequent nentries (entries per result).
-x: Lists the number and OID of all extended operations.
-r: Lists the names of the most requested attributes.
-g: Lists the details of all abandoned operations.
-j: Gives recommendations based on data collected from the log file.
-u: Gives operation details about unindexed searches.
-y: Lists connection latency details, which indicate the overall connection latency.
-p: Lists open connection ID statistics, which indicate the FDs that are not yet closed.
Table 7.27. logconv.pl Options to Display Occurrences

7.4.9 migrate-ds.pl
The migrate-ds.pl script is used to migrate a Directory Server 7.1 instance to Directory Server 8.1. Migration can happen between instances on the same machine, on different machines, or on different platforms.
IMPORTANT: Do not run setup-ds-admin.pl for the new Directory Server 8.1 instance before running the migration script if you are migrating from a 7.1 server. If you are upgrading from a Directory Server 8.0 server, do not run migrate-ds.pl. Run setup-ds-admin.pl -u instead.

Chapter 7. Command Line Scripts

NOTE: This script only migrates a Directory Server instance, not an Administration Server.
Information can be passed with the script or in an .inf file, the same as with the setup scripts. Both the .inf parameters and the command-line arguments are described in the silent configuration section of the Installation Guide.
385. ribute, 176
nsslapd-import-cachesize attribute, 176
nsslapd-instancedir attribute, 37
nsslapd-ioblocktimeout attribute, 37
nsslapd-lastmod attribute, 38
nsslapd-ldapiautobind attribute, 38
nsslapd-ldapientrysearchbase attribute, 39
nsslapd-ldapifilepath attribute, 39
nsslapd-ldapigidnumbertype attribute, 40
nsslapd-ldapilisten attribute, 40
nsslapd-ldapimaprootdn attribute, 40
nsslapd-ldapimaptoentries attribute, 41
nsslapd-ldapiuidnumbertype attribute, 41
nsslapd-listenhost attribute, 42
nsslapd-localhost attribute, 42
nsslapd-localuser attribute, 42
nsslapd-maxbersize attribute, 43
nsslapd-maxdescriptors attribute, 44
nsslapd-maxsasliosize attribute, 45
nsslapd-maxthreadsperconn attribute, 45
nsslapd-mode attribute, 178
nsslapd-nagle attribute, 46
nsslapd-outbound-ldap-io-timeout attribute, 46
nsslapd-plug-in attribute, 46
nsslapd-plugin-depends-on-named attribute, 165
nsslapd-plugin-depends-on-type attribute, 164
nsslapd-pluginDescription attribute, 163
nsslapd-pluginEnabled attribute, 162
nsslapd-pluginId attribute, 163
nsslapd-pluginInitfunc attribute, 162
nsslapd-pluginLoadGlobal attribute, 164
nsslapd-pluginLoadNow attribute, 164
nsslapd-pluginPath attribute, 162
nsslapd-pluginType attribute, 162
nsslapd-pluginVendor attribute, 163
nsslapd-pluginVersion attribute, 163
nsslapd-port attribute, 46
nsslapd-privatenamespaces attribute, 47
nsslapd-pwpolicy-local attribute, 47
nsslapd-readonly attribute, 47
nsslapd-referral attribute
386. ribute specifies whether to record additional informational and debugging messages when searching the log for checkpoints, doing deadlock detection, and performing recovery. This parameter is meant for troubleshooting, and enabling it may slow down the Directory Server.
Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-db-verbose: off

3.4.1.20. nsslapd-dbncache
This attribute can split the LDBM cache into equally sized separate pieces of memory. It is possible to specify caches that are large enough so that they cannot be allocated contiguously on some architectures; for example, some systems limit the amount of memory that may be allocated contiguously by a process. If nsslapd-dbncache is 0 or 1, the cache will be allocated contiguously in memory. If it is greater than 1, the cache will be broken up into ncache equally sized separate pieces of memory.

To configure a dbcache size larger than 4 gigabytes, add the nsslapd-dbncache attribute to cn=config,cn=ldbm database,cn=plugins,cn=config between the nsslapd-dbcachesize and nsslapd-db-logdirectory attribute lines. Set this value to an integer that is one-quarter (1/4) the amount of memory in gigabytes. For example, for a 12 gigabyte system, set the nsslapd-dbncache value to 3; for an 8 gigabyte system, set it to 2.

This attribute is provided on
387. ries in the directory and administer the server. Chapter 6, Command Line Utilities describes these command-line utilities and contains information on where the utilities are stored and how to access them.

In addition to these command-line utilities, Directory Server also provides ns-slapd command-line utilities for performing directory operations, as described in Appendix A, Using the ns-slapd Command-Line Utilities.

1.4. Using Directory Server Command-Line Scripts
In addition to command-line utilities, several non-configurable scripts are provided with the Directory Server that make it quick and easy to perform routine server administration tasks from the command line. Chapter 7, Command Line Scripts lists the most frequently used scripts and contains information on where the scripts are stored and how to access them.

Chapter 2. Core Server Configuration Reference
The configuration information for Red Hat Directory Server is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server using LDAP while it is still running, thus avoiding the need to shut the server down for most configuration changes. This chapter gives details on how the configuration is organi
388. rmance-lowering operations
Extended operations
Entire database searches
Most requested attributes
Unindexed searches details (optional)
Recommendations (optional)
Table 7.25. Information Extracted from Access Logs

The logconv.pl tool displays two types of statistics useful for monitoring and optimizing directory usage:

Simple counts of events, such as the total number of binds and the total number of searches, provide overall usage information. This is the basic information that the tool will always print.

Lists of the most frequently occurring parameters in LDAP requests provide insight into how the directory information is being accessed. For example, lists of the top ten bind DNs, base DNs, filter strings, and attributes returned can help administrators optimize the directory for its users. These lists are optional because they are computation intensive; specify only the command-line options required (see Options).

Some information that is extracted by the logconv.pl script is available only in logs from current releases of Directory Server; the corresponding values will be zero when analyzing logs from older versions. In addition, some information will only be present in the logs if verbose logging is enabled in the Directory Server. For more information, see Section 2.3.1.2, nsslapd-accesslog-level (Access Log Level).

The following issues will affect the output and performance of
389. rom a delete operation.
tag=109  A result from a moddn operation.
tag=111  A result from a compare operation.
tag=115  A search reference when the entry on which the search was performed holds a referral to the required entry. Search references are expressed in terms of a referral.
tag=120  A result from an extended operation.
Table 5.1. Commonly Used Tags

NOTE: tag=100 and tag=115 are not result tags as such, and so it is unlikely that they will be recorded in the access log.

Number of Entries
nentries shows the number of entries (in this case nentries=60) that were found matching the LDAP client's request.
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0

Elapsed Time
etime shows the elapsed time (in this case etime=3), or the amount of time in seconds that it took the Directory Server to perform the LDAP operation.
[21/Apr/2009:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
An etime value of 0 means that the operation actually took milliseconds to perform. To have microsecond resolution for this item in the access log, enter a value of 131328 (256+131072) in the nsslapd-accesslog-level configuration attribute.

LDAP Request Type
The LDAP request type indicates the type of LDAP request being issued by the LDAP client. Possible values are SRCH for search, MOD for modify, DEL for delete, ADD for add, MODDN for moddn, EXT for extend
390. rotationsync-enabled and nsslapd-errorlog-logrotationsynchour attributes.
Entry DN: cn=config
Valid Range: 0 through 59
Default Value: 0
Syntax: Integer
Example: nsslapd-errorlog-logrotationsyncmin: 30

2.3.1.54. nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
This attribute sets the time between error log file rotations. The error log is rotated when this time interval is up, regardless of the current size of the error log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) attribute.

Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-errorlog-maxlogsperdir attribute value to 1, or set the nsslapd-errorlog-logrotationtime attribute to -1. The server checks the nsslapd-errorlog-maxlogsperdir attribute first, and if this attribute value is larger than 1, the server then checks the nsslapd-errorlog-logrotationtime attribute. See Section 2.3.1.57, nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files) for more information.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the time between error log file rotation is un
391. rral attribute should be in the form ldaps://server-location. Start TLS does not support referrals. For more information on managing referrals, see the Configuring Directory Databases chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config
Valid Values: Any valid LDAP URL in the form ldap://server-location
Default Value:
Syntax: DirectoryString
Example: nsslapd-referral: ldap://ldap.example.com

2.3.1.88. nsslapd-referralmode (Referral Mode)
When set, this attribute sends back the referral for any request on any suffix.
Entry DN: cn=config
Valid Values: Any valid LDAP URL in the form ldap://server-location
Default Value:
Syntax: DirectoryString
Example: nsslapd-referralmode: ldap://ldap.example.com

2.3.1.89. nsslapd-reservedescriptors (Reserved File Descriptors)
This attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication. The number of file descriptors that the server reserves for this purpose subtracts from the total number of file descriptors available for servicing LDAP client connections. See Section 2.3.1.77, nsslapd-maxdescriptors (Maximum File Descriptors).

Most installations of Directory Server should never need to change this attribute. However, consider increasing the v
392. rs, such as Mozilla Firefox, how to display text, position graphics and form items, and display links to other pages.
Hypertext Transfer Protocol. The method for exchanging information between HTTP servers and clients.
An abbreviation for the HTTP daemon or service, a program that serves information using the HTTP protocol. The daemon or service is often called an httpd.
A secure version of HTTP implemented using the Secure Sockets Layer (SSL).
In the context of replication, a server that holds a replica that is copied from a different server and in turn replicates it to a third server. See also cascading replication.
A size limit which is globally applied to any indexed search operation. When the size of an individual ID list reaches this limit, the server replaces that ID list with an all IDs token.
Each index that the directory uses is composed of a table of index keys and matching entry ID lists.
An indirect CoS identifies the template entry using the value of one of the target entry's attributes.
Speeds up searches for information in international directories.
Internet Protocol address. A set of numbers, separated by dots, that specifies the actual location of a machine on the Internet (for example, 198.93.93.10).
International Standards Organization.
Pointers to directory information stored in different databases.
LDAP, LDAP client, LDAP Data Interchange Format, LDAP URL, LD
393. rsion=3). There are three possible bind method values: 0 for authentication, 128 for simple bind with user password, and sasl for SASL bind using an external authentication mechanism.

Version Number
The version number (in this case version=3) indicates the LDAP version number (either LDAPv2 or LDAPv3) that the LDAP client used to communicate with the LDAP server.
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3

Error Number
The error number (in this case err=0) provides the LDAP result code returned from the LDAP operation performed. The LDAP error number 0 means that the operation was successful. For a more comprehensive list of LDAP result codes, see Section 5.4, LDAP Result Codes.
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0

Tag Number
The tag number (in this case tag=97) indicates the type of result returned, which is almost always a reflection of the type of operation performed. The tags used are the BER tags from the LDAP protocol.
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0

Tag      Description
tag=97   A result from a client bind operation.
tag=100  The actual entry being searched for.
tag=101  A result from a search operation.
tag=103  A result from a modify operation.
tag=105  A result from an add operation.
tag=107  A result f
394. rtain configuration changes, 9
restoreconfig (command-line shell script), 292; quick reference, 277
retro changelog (Meta Directory changelog), 71
retro changelog plug-in configuration attributes: nsslapd-changelogdir, 206
retryCountResetTime, 70

S
SASL configuration attributes: nsSaslMapBaseDNTemplate, 99; nsSaslMapFilterTemplate, 100; nsSaslMapRegexString, 100
SASL configuration entries: cn=sasl, 99
saveconfig (command-line shell script), 292; quick reference, 277
schema-reload.pl, 317; quick reference, 278; related configuration entry, 118
schemadir, 119
scripts, 277; location of perl scripts, 278; location of shell scripts, 277; perl scripts, 294
search filters, specifying file, 252
search operations: limiting entries returned, 55; setting time limits, 57
server restart after configuration changes, 9
setting the location of SASL plugins, 52
setup-ds-admin.pl, quick reference, 278
setup-ds-admin.pl (command-line script): options, 320; syntax, 319
setup-ds.pl, quick reference, 278
setup-ds.pl (command-line script): options, 318; syntax, 318
slapd.conf file, location of, 7
smart referrals, ldapsearch option, 252
SNMP configuration attributes: nssnmpcontact, 101; nssnmpdescription, 101; nssnmpenabled, 100; nssnmplocation, 101; nssnmpmasterhost, 101; nssnmpmasterport, 102; nssnmporganization, 100
SNMP configuration entries: cn=SNMP, 100
special attributes: changeLog, 73; changeNumber, 73; changes, 73; changeTime, 73; changeType, 73; delete
395. ry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: Any valid DN (can be empty if client certificates are used)
Default Value:
Syntax: DirectoryString
Example: nsDS5ReplicaBindDN: cn=replication manager,cn=config

2.3.8.4. nsDS5ReplicaBindMethod
This attribute sets the method for the server to use to bind to the consumer server.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: SIMPLE | SSLCLIENTAUTH. The SIMPLE bind method requires a DN and password.
Default Value: SIMPLE
Syntax: DirectoryString
Example: nsDS5ReplicaBindMethod: SIMPLE

2.3.8.5. nsDS5ReplicaBusyWaitTime
This attribute sets the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access. The default value is three (3) seconds. If the attribute is set to a negative value, Directory Server sends the client a message and an LDAP_UNWILLING_TO_PERFORM error code.

The nsDS5ReplicaBusyWaitTime attribute works in conjunction with the nsDS5ReplicaSessionPauseTime attribute. The two attributes are designed so that the nsDS5ReplicaSessionPauseTime interval is always at least one second longer than the interval specified for nsDS5ReplicaBusyWaitTime. The longer interval
396. s activated, this attribute is overridden when the server replaces these values with its own guessed values at a later stage of the server startup. For more technical information on this attribute, see the cache size section of the Berkeley DB reference guide at http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_cachesize.html.

Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem. The server has to be restarted for changes to this attribute to go into effect.
Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range: 500 kilobytes to 4 gigabytes for 32-bit platforms and 500 kilobytes to 2^64-1 for 64-bit platforms
Default Value: 10000000 (bytes)
Syntax: Integer
Example: nsslapd-dbcachesize: 10000000

3.4.1.6. nsslapd-db-checkpoint-interval
This sets the amount of time in seconds after which the Directory Server sends a checkpoint entry to the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. A checkpoint entry indicates which database operations have been physically written to the directory database. The checkpoint entries are used to determine where in the database transaction log to begin recovery after a system failure.
397. s been effectively started using the ps command, because it could sometimes be that the script returned while the startup process was still ongoing, resulting in a confusing message.
Syntax: start-slapd
Options: There are no options for this script.
Exit Status Codes
0  Server started successfully
1  Server could not be started
2  Server was already started
Table 7.14. start-slapd Exit Status Codes

7.3.17. stop-slapd (Stops the Directory Server)
Stops the Directory Server. It might be a good idea to check whether the server has been effectively stopped using the ps command, because it could sometimes be that the script returned while the shutdown process was still ongoing, resulting in a confusing message.
Syntax: stop-slapd
Options: There are no options for this script.
Exit Status Codes
0  Server stopped successfully
1  Server could not be stopped
2  Server was already stopped
Table 7.15. stop-slapd Exit Status Codes

7.3.18. suffix2instance (Maps a Suffix to a Backend Name)
Maps a suffix to a backend name.
Syntax: suffix2instance -s suffix
Options
-s  Suffix to be mapped to the backend
Table 7.16. suffix2instance Options

7.3.19. vlvindex (Creates Virtual List View Indexes)
To run the vlvindex
398. s entry. There are seven tasks that are managed under the cn=tasks entry: cn=import, cn=export, cn=backup, cn=restore, cn=index, cn=schema reload task, and cn=memberof task.

The common attributes for these tasks are listed in Section 2.3.15.1, Task Invocation Attributes for Entries under cn=tasks. The cn=tasks entry itself has no attributes and serves as the parent and container entry for the individual task entries.

IMPORTANT: Task entries are not permanent configuration entries. They only exist in the configuration file for as long as the task operation is running or until the ttl period expires. Then the entry is deleted automatically by the server.

2.3.15.1. Task Invocation Attributes for Entries under cn=tasks
Five tasks which administer Directory Server instances have configuration entries which initiate and identify individual operations. These task entries are instances of the same object class, extensibleObject, and have certain common attributes which describe the state and behavior of Directory Server tasks. The task types can be import, export, backup, restore, index, schema reload, and memberof.

cn
The cn attribute is used to identify a new task operation to initiate. The cn attribute value can be anything, as long as it defines a new task.
Entry DN: cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values: Any string
Default Value:
Syntax: DirectoryS
399. s log, audit log, and error log maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the error log.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the disk space allowed to the error log is unlimited in size
Default Value: -1
Syntax: Integer
Example: nsslapd-errorlog-logmaxdiskspace: 10000

2.3.1.50. nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.
Entry DN: cn=config
Valid Range: -1 (unlimited) | 1 to the maximum 32-bit integer value (2147483647)
Default Value: -1
Syntax: Integer
Example: nsslapd-errorlog-logminfreediskspace: -1

2.3.1.51. nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)
This attribute sets whether error log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis
400. s more secure not to provide a password on the command line, so that it does not show up in clear text in a listing of commands.
Table 6.15. Commonly Used ldapdelete Options

SSL Options
Use the following options to specify that ldapdelete use LDAPS when communicating with the Directory Server or to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured for the Directory Server. For more information on certificate-based authentication and how to create a certificate database for use with LDAP clients, see the Managing SSL and Managing SASL chapters in the Directory Server Administrator's Guide. Ensure that the Directory Server's encrypted port is set when using these options.

Description
Specifies that hostnames should be checked in SSL certificates.
-I  Specifies the SSL key password file that contains the token:password pair.
-K  Specifies the path, including the filename, of the private key database of the client. Either the absolute path or the path relative to the server root can be used. The -K option must be used when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database (the cert8.db file, the path for which is specified with the -P option).
-N  Specifies the certificate name to use for certificate-based client authenti
401. s up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.

Although it is not recommended for performance reasons to specify no log rotation, since the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-accesslog-maxlogsperdir attribute value to 1, or set the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first, and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See Section 2.3.1.16, nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files) for more information.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the time between access log file rotation is unlimited
Default Value: 1
Syntax: Integer
Example: nsslapd-accesslog-logrotationtime: 100

2.3.1.14. nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)
This attribute sets the units for the nsslapd-accesslog-logrotationtime attribute.
Entry DN: cn=config
Valid Values: month | week | day | hour | minute
Default Value: day
Syntax: DirectoryString
Example: nsslapd-accesslog-lo
402. s whether users are locked out of the directory after a given number of failed bind attempts. By default, users are not locked out of the directory after a series of failed bind attempts. If account lockout is enabled, set the number of failed bind attempts after which the user is locked out using the passwordMaxFailure attribute.

This can be abbreviated to pwdLockOut. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: passwordLockout: off

2.3.1.124. passwordLockoutDuration (Lockout Duration)
Indicates the amount of time in seconds during which users are locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. Enable and disable the account lockout feature using the passwordLockout attribute.

This can be abbreviated to pwdLockoutDuration. For more information on password policies, see the Managing Users and Passwords chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config
Valid Range: 1 to the maximum 32-bit integer value (2147483647), in seconds
Default Value: 3600
Syntax: Integer
Example: passwordLockoutDuratio
403. s with DIGEST-MD5 and changes the password to new_password:
ldappasswd -h myhost -o mech=DIGEST-MD5 -o authid="dn:uid=tuser5,ou=People,dc=example,dc=com" -w old_password -s new_password
Example 6.5. User Authenticating with DIGEST-MD5 and Changing His Password

A user who has already authenticated by Kerberos prompts for the new password. This is not performed over SSL:
ldappasswd -h myhost -o mech=GSSAPI -S
Example 6.6. User Already Authenticated by Kerberos Prompts for a New Password

6.8. ldif
ldif automatically formats LDIF files and creates base-64 encoded attribute values. Base-64 encoding makes it possible to represent binary data, such as a JPEG image, in LDIF. Base-64 encoded data is represented using a double colon (::) symbol. For example:
jpegPhoto:: encoded data

In addition to binary data, other values that must be base-64 encoded can be identified with other symbols, including the following:
Any value that begins with a space.
Any value that begins with a single colon (:).
Any value that contains non-ASCII data, including newlines.

The ldif command-line utility will take any input and format it with the correct line continuation and appropriate attribute information. The ldif utility also senses whether the input requires base-64 encoding.

Syntax
The ldif command has the following format:
ldif -b attrtypes
Options
Optio
404. se for the browser. For example:
-P security/cert.db
The client security files can also be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory. In this case, the -P option would call out a path and filename similar to the following:
-P /etc/dirsrv/slapd-instance_name/client-cert.db
Specifies the port number that the server uses. The default is 389. If -Z is used, the default is 636.
Specifies the token and certificate name, which are separated by a semicolon, for PKCS11.
Specifies the password for the certificate database identified on the -P option. For example:
-W serverpassword
Specifies the password associated with the distinguished name that is specified in the -D option. For example:
-w diner892
The default is "" (anonymous). If a password is not sent on the command line and the server requires one, the command prompts for one. It is more secure not to provide a password on the command line, so that it does not show up in clear text in a listing of commands.

Option  Description
-Z    Specifies that SSL is to be used for the search request.
-ZZ   Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not need to be aborted; it will continue in cleartext.
-ZZZ  Enforces the Start TLS request. The server must respond that the request was
405. ser uid=tuser1,ou=People,dc=example,dc=com to new_password over SSL:
ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "cn=Directory Manager" -w admpassword -s new_password uid=tuser1,ou=People,dc=example,dc=com
Example 6.1. Directory Manager Changing a User's Password Over SSL

The Directory Manager generates the password of the user uid=tuser2,ou=People,dc=example,dc=com over SSL:
ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "cn=Directory Manager" -w admpassword uid=tuser2,ou=People,dc=example,dc=com
Example 6.2. Directory Manager Generating a User's Password

NOTE: For more information on newly generated passwords, see the Managing the Password Policy section of the Directory Server Administrator's Guide.

A user, tuser3, changes the password from old_newpassword to new_password over SSL:
ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D uid=tuser3,ou=People,dc=example,dc=com -w old_password -a old_password -s new_password
Example 6.3. User Changing His Own Password

A user, tuser4, authenticates with the user certificate and changes the password to new_password over SSL:
ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -W dbpassword -N uid=tuser4 -K /etc/dirsrv/slapd-instance_name/key3.db -s new_password
Example 6.4. User Authenticating With a User Certificate and Changing His Password

A user, tuser5, authenticate
406. set to backend or referral on update. The value should be the name of the backend database entry instance under cn=ldbm database,cn=plugins,cn=config. For example: o=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
Entry DN: cn=suffix,cn=mapping tree,cn=config
Valid Values: Any valid partition name
Default Value: None
Syntax: DirectoryString
Example: nsslapd-backend: userRoot

2.3.7. Replication Attributes under cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Replication configuration attributes are stored under cn=replica,cn=suffix,cn=mapping tree,cn=config. The cn=replica entry is an instance of the nsDS5Replica object class. For replication configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. For further information about replication, see the Managing Replication chapter in the Directory Server Administrator's Guide.

2.3.7.1. nsDS5Flags
This attribute sets replica properties that were previously defined in flags. At present only one flag exists, which sets whether to log changes.
Entry DN: cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: 0 | 1. 0 means no changes are logged; 1 means changes are logged.
Default Value: 0
Syntax: Integer
Example: nsDS5Flags: 0

2.3.7.2. nsds5DebugReplicaTimeout
This
407. sets the base DN to search for entries to which to apply the distributed numeric assignment. This is analogous to the base DN in an ldapsearch.
Entry DN: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range: Any Directory Server entry
Default Value: None
Syntax: DirectoryString
Example: dnaScope: ou=people,dc=example,dc=com

3.7.9. dnaSharedCfgDN
This attribute defines a shared identity that the servers can use to transfer ranges to one another. This entry is replicated between servers and is managed by the plug-in to let the other servers know what ranges are available. This attribute must be set for range transfers to be enabled.

NOTE: The shared configuration entry must be configured in the replicated subtree, so that the entry can be replicated to the servers. For example, if the ou=People,dc=example,dc=com subtree is replicated, then the configuration entry must be in that subtree, such as ou=UID Number Ranges,ou=People,dc=example,dc=com.

The entry identified by this setting must be manually created by the administrator. The server will automatically contain a sub-entry beneath it to transfer ranges.
Entry DN: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range:
Default Value: None
Example: dnaSharedCfgDN: cn=range transfer use
408. sh is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line.
-W    Prompts for the password for the token database.
-Z    Specifies that SSL is to be used for the search request.
-ZZ   Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not have to be aborted; it will continue in cleartext.
-ZZZ  Enforces the Start TLS request. The server must respond that the request was successful. If the server does not support Start TLS (such as when Start TLS is not enabled or the certificate information is incorrect), the command is aborted immediately.
Table 6.5. Additional SSL ldapsearch Options

SASL Options
SASL mechanisms can be used to authenticate a user using the -o option with the required SASL information. To learn which SASL mechanisms are supported, search the root DSE. See the -b option in Table 6.3, Commonly Used ldapsearch Options.

Option  Description
-o  Specifies SASL options. The format is -o saslOption=value. saslOption can have one of six values:
mech, the SASL authentication mechanism
authid, the user who is binding to the server (Kerberos principal)
authzid, a proxy authorization (ignored by the server since proxy authorization is not supported)
409. sionPauseTime
nsDS5ReplicaCredentials (the Windows sync manager password)
nsDS5ReplicaTimeout
nsDS5ReplicaHost (the Windows host)
nsDS5ReplicaTransportInfo
nsDS5ReplicaLastInitEnd
nsDS5ReplicaUpdateInProgress
nsDS5ReplicaLastInitStart
nsDS5ReplicaUpdateSchedule
nsDS5ReplicaLastInitStatus
nsDS50ruv
Table 2.7. List of Attributes Shared Between Replication and Synchronization Agreements

2.3.9.1. nsds7DirectoryReplicaSubtree
The suffix or DN of the Directory Server subtree that is being synchronized.
Entry DN: cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: Any valid suffix or subsuffix
Default Value:
Syntax: DirectoryString
Example: nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com

2.3.9.2. nsds7DirsyncCookie
This string is created by Active Directory DirSync and gives the state of the Active Directory server at the time of the last synchronization. The old cookie is sent to Active Directory with each Directory Server update; a new cookie is returned along with the Windows directory data. This means only entries which have changed since the last synchronization are retrieved.
Entry DN: cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values: Any string
Default Value:
Syntax: Di
410. slapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files. For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0.
Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-auditlog-logrotationsync-enabled: on

2.3.1.28. nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)
This attribute sets the hour of the day for rotating audit logs. This attribute must be used in conjunction with the nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsyncmin attributes.
Entry DN: cn=config
Valid Range: 0 through 23
Default Value: None, because nsslapd-auditlog-logrotationsync-enabled is off
Syntax: Integer
Example: nsslapd-auditlog-logrotationsynchour: 23

2.3.1.29. nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)
This attribute sets the minute of the day for rotating audit logs. This attribute must be used in conjunction with the nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsynchour attributes.
Entry DN: cn=config
Valid Range: 0 through 59
Default Value: None, becaus
411. ss ID

4.9. Tools
Directory Server tools are stored in three directories on Red Hat Enterprise Linux 5 (32-bit): /usr/bin, /usr/sbin, and /usr/lib/mozldap. The contents of those directories are listed below. Chapter 6, Command Line Utilities, has more information on command line scripts.
dbscan      ldif
dbscan-bin  ldif-bin
Example 4.6. /usr/bin Contents
ds_removal     migrate-ds-admin.pl   setup-ds-admin.pl
ds_unregister  register-ds-admin.pl  setup-ds.pl
Example 4.7. /usr/sbin Contents
ldapcmp      ldapcompare-bin  ldapmodify      ldappasswd-bin
ldapcmp-bin  ldapdelete       ldapmodify-bin  ldapsearch
ldapcompare  ldapdelete-bin   ldappasswd      ldapsearch-bin
Example 4.8. LDAP Tool Directory Contents

4.10. Scripts
Directory Server command line scripts are stored in the /etc/dirsrv/slapd-instance_name directory. The contents of the /etc/dirsrv/slapd-instance_name directory are listed in Example 4.9, Instance Directory Contents. Chapter 7, Command Line Scripts, has more information on command line scripts.
bak2db     db2index.pl  ldif2db.pl           ns-inactivate.pl   start-slapd
bak2db.pl  db2ldif      ldif2ldap            ns-newpwpolicy.pl  stop-slapd
db2bak     db2ldif.pl   monitor              restart-slapd      suffix2instance
db2bak.pl  dbverify     ns-accountstatus.pl  restoreconfig      verify-db.pl
db2index   ldif2db      ns-activate.pl       saveconfig         vlvindex
Example 4.9. Instance Directory Contents

Chapter 5. Log File Reference
Red Hat Directory Ser
412. sslapd-conntablesize
This attribute sets the connection table size, which determines the total number of connections supported by the server. The server has to be restarted for changes to this attribute to go into effect.
Entry DN: cn=config
Valid Values: Operating system dependent
Default Value: The default value is the system's maximum number of file descriptors, which can be configured using the nsslapd-maxdescriptors attribute (Section 2.3.1.77, nsslapd-maxdescriptors (Maximum File Descriptors)).
Syntax: Integer
Example: nsslapd-conntablesize: 4093
Increase the value of this attribute if Directory Server is refusing connections because it is out of connection slots. When this occurs, the Directory Server's error log file records the message "Not listening for new connections too many fds open". A server restart is required for the change to take effect. It may be necessary to increase the operating system limits for the number of open files and the number of open files per process, and it may be necessary to increase the ulimit for the number of open files (ulimit -n) in the shell that starts the Directory Server. See Section 2.3.1.77, nsslapd-maxdescriptors (Maximum File Descriptors), for more information.

2.3.1.39. nsslapd-counters
The nsslapd-counters attribute enables and disables Directory Server database and server performance counters. There can be a performance impact by keeping track of the larger counters. Turning off 64-bit integers fo
413. sslapd-pluginType for further information. All plug-ins with a type value which matches one of the values in the following valid range will be started by the server prior to this plug-in. The following postoperation Referential Integrity Plug-in example shows that the database plug-in will be started prior to the postoperation Referential Integrity Plug-in.
Entry DN: cn=referential integrity postoperation,cn=plugins,cn=config
Default Value:
Example: nsslapd-plugin-depends-on-type: database

3.3.4. nsslapd-plugin-depends-on-named
Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the cn value of a plug-in. The plug-in with a cn value matching one of the following values will be started by the server prior to this plug-in. If the plug-in does not exist, the server fails to start. The following postoperation Referential Integrity Plug-in example shows that the Views plug-in is started before Roles. If Views is missing, the server is not going to start.
Entry DN: cn=referential integrity postoperation,cn=plugins,cn=config
Valid Values: Class of Service
Default Value:
Syntax: DirectoryString
Example: nsslapd-plugin-depends-on-named: Views
         nsslapd-pluginId: roles

3.4. Database Plug-in At
414. sslapd-saslpath
nsslapd-changelogmaxentries
nsslapd-schemadir
nsslapd-secureport
nsslapd-tmpdir
nsSSL2
nsSSL3
nsSSLclientauth
nsSSLSessionTimeout
nsslapd-conntablesize
nsslapd-lockdir
nsslapd-maxdescriptors
nsslapd-reservedescriptors
nsslapd-listenhost
nsslapd-schema-ignore-trailing-spaces
nsslapd-securelistenhost
nsslapd-workingdir
nsslapd-return-exact-case
nsslapd-maxbersize

2.3. Core Server Configuration Attributes Reference
This section contains reference information on the configuration attributes that are relevant to the core server functionality. For information on changing server configuration, see Section 2.2, Accessing and Modifying Server Configuration. For a list of server features that are implemented as plug-ins, see Section 3.1, Server Plug-in Functionality Reference. For help with implementing custom server functionality, contact Directory Server support.
The configuration information stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config, as shown in the following diagram (the diagram's entries are listed here; the nesting is not preserved in this extract):
cn=changelog5
cn=features
cn=mapping tree
cn=plugins
cn=sasl
cn=SNMP
cn=tasks
cn=uniqueid generator
cn=monitor
cn=replication
cn=encryption
cn=suffix
cn=export
cn=backup
cn=index
cn=schema reload
cn=replica
cn=import
cn=restore
cn=memberof task
cn=ReplicationAgreementName
415. st and response information side by side:
VLV RequestInformation ResponseInformation
RequestInformation has the following form:
beforeCount:afterCount:index:contentCount
If the client uses a position-by-value VLV request, the format for the first part (the request information) would be:
beforeCount:afterCount:value
ResponseInformation has the following form:
targetPosition:contentCount (resultCode)
The example below highlights the VLV-specific entries:
[07/May/2009:11:43:29 -0700] conn=877 op=8530 SRCH base="ou=People" scope=2 filter="(uid=*)"
[07/May/2009:11:43:29 -0700] conn=877 op=8530 SORT uid
[07/May/2009:11:43:29 -0700] conn=877 op=8530 VLV 0:5:0210 10:5397 (0)
[07/May/2009:11:43:29 -0700] conn=877 op=8530 RESULT err=0 tag=101 nentries=1 etime=0
In the above example, the first part, 0:5:0210, is the VLV request information:
- The beforeCount is 0.
- The afterCount is 5.
- The value is 0210.
The second part, 10:5397 (0), is the VLV response information:
- The targetPosition is 10.
- The contentCount is 5397.
- The resultCode is 0.

Search Scope
The entry scope=n defines the scope of the search performed, and n can have a value of 0, 1, or 2:
- 0 for base search
- 1 for one-level search
- 2 for subtree search
For more information about search scopes, see Using ldapsearch in Appendix B, Finding Directory Entries, in the Red Hat Directory Server Administra
416. sted in Table 6.24 are meaningful only when the database file is id2entry.db4.
-K entry_id   Specifies the entry ID to look up.
Table 6.24. Entry File Options
NOTE: The index file options listed in Table 6.25 are meaningful only when the database file is the secondary index file.
-k key     Specifies the key to look up in the secondary index file.
-l size    Sets the maximum length of the dumped ID list. The valid range is from 40 to 1048576 bytes. The default value is 4096.
-G n       Sets only to display those index entries with ID lists exceeding the specified length.
-n         Sets only to display the length of the ID list.
-r         Sets to display the contents of the ID list.
-S         Gives the summary of index counts.
Table 6.25. Index File Options

Examples
The following are command line examples of different situations using dbscan to examine the Directory Server databases.
dbscan -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/id2entry.db4
Example 6.7. Dumping the Entry File
dbscan -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/cn.db4
Example 6.8. Displaying the Index Keys in cn.db4
dbscan -r -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/mail.db4
Example 6.9. Displaying the Index Keys and the Count of Entries with the Key in mail.db4
dbscan -r -G 20 -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/sn.db4
Example 6.10.
417. stinguished name.
Domain Name System  The system used by machines on a network to associate standard IP addresses (such as 198.93.93.10) with hostnames (such as www.example.com). Machines normally get the IP address for a hostname from a DNS server, or they look it up in tables maintained on their systems.
DNS alias  A DNS alias is a hostname that the DNS server knows points to a different host, specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as www.yourdomain.domain might point to a real machine called realthing.yourdomain.domain where the server currently exists.
entry  A group of lines in the LDIF file that contains information about an object.
entry distribution  Method of distributing directory entries across more than one server in order to scale to support large numbers of entries.
entry ID list  Each index that the directory uses is composed of a table of index keys and matching entry ID lists. The entry ID list is used by the directory to build a list of candidate entries that may match the client application's search request.
equality index  Allows you to search efficiently for entries containing a specific attribute value.
file extension  The section of a filename after the period or dot that typically defines the typ
(Further terms whose definitions fall outside this extract: file type, filter, filtered role, general access, GSS-API.)
418. successful. If the server does not support Start TLS (such as when Start TLS is not enabled or the certificate information is incorrect), the command is aborted immediately.
Table 6.20. General ldappasswd Options

SASL Options
SASL mechanisms can be used to authenticate a user, using -o to pass the required SASL information. To learn which SASL mechanisms are supported, search the root DSE; see the -b option in Table 6.3, Commonly Used ldapsearch Options.
Option  Description
-o      Specifies SASL options. The format is -o saslOption=value. saslOption can have one of six values: mech, the SASL authentication mechanism; authid, the user who is binding to the server (Kerberos principal); authzid, a proxy authorization (ignored by the server, since proxy authorization is not supported); secProp, the security properties; realm, the Kerberos realm; flags. The expected values depend on the supported mechanism. The -o can be used multiple times to pass all of the required SASL information for the mechanism. For example: -o mech=DIGEST-MD5 -o authzid=test_user -o authid=test_user
Table 6.21. SASL Options
See SASL Options for ldapsearch for information on how to use SASL options with ldappasswd.

Examples
The following examples show how to perform various tasks using the ldappasswd command.
The Directory Manager changes the password of the u
419. syntax 256
ldappasswd (command line utility)
  changing user password 272
  examples 272
  generating user password 272
  options 267
  prompting for new password 272
  SASL options 271
  syntax 267
ldapsearch (command line utility)
  additional options 252
  commonly used options 241
  persistent search options 244
  SASL options 247
  ssl options 245
ldif (command line utility)
  options 273
  syntax 273
LDIF configuration files
  contents of 6
  detailed contents of 4
  location of 3
LDIF entries
  binary data in 273
ldif files
  00core.ldif 4
  01common.ldif 4
  05rfc2247.ldif 4
  05rfc2927.ldif 4
  10presence.ldif 4
  10rfc2307.ldif 5
  20subscriber.ldif 5
  25java-object.ldif 5
  28pilot.ldif 5
  30ns-common.ldif 5
  50ns-admin.ldif 5
  50ns-certificate.ldif 5
  50ns-directory.ldif 5
  50ns-mail.ldif 5
  50ns-value.ldif 5
  50ns-web.ldif 5
  99user.ldif 5
  dse.ldif 4
LDIF files 216
ldif2db (command line shell script) 286
  quick reference 277
ldif2db.pl (command line perl script) 300
  quick reference 278
ldif2ldap (command line shell script) 287
  quick reference 277
lock files 216
log files 217
  access 11
  error 29
log.xxxxxxxxxx files 215
logconv.pl
  quick reference 278
logconv.pl script 302
  options 303
M
memberOf plug-in configuration attributes
  memberofattr 212
  memberofgroupattr 212
Meta Directory changelog (retro changelog) 71
migrate-ds-admin.pl
  quick reference 278
migrate-ds-admin.pl (command line script)
420. t class. This object class is defined in Directory Server.
Superior Class: top
OID: 2.16.840.1.113730.3.2.110
Required Attributes
objectClass  Gives the object classes assigned to the entry.
cn           Gives the common name of the entry.

2.4.10. nsSaslMapping Object Class
This object class is used for entries which contain an identity mapping configuration for mapping SASL attributes to the Directory Server attributes. This object class is defined in Directory Server.
Superior Class: top
OID: 2.16.840.1.113730.3.2.317
Required Attributes
objectClass              Defines the object classes for the entry.
cn                       Gives the name of the SASL mapping entry.
nsSaslMapBaseDNTemplate  Contains the search base DN template.
nsSaslMapFilterTemplate  Contains the search filter template.
nsSaslMapRegexString     Contains a regular expression to match SASL identity strings.

2.4.11. nsslapdConfig Object Class
The nsslapdConfig object class defines the configuration object, cn=config, for the Directory Server instance. This object class is defined in Directory Server.
Superior Class: top
OID: 2.16.840.1.113730.3.2.39
Required Attributes
objectClass  Gives the object classes assigned to the entry.
Allowed Attributes
cn           Gives the common name of the entry.

2.4.12. passwordpolicy Obje
421. t of disk space for the audit log.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit log is unlimited in size
Default Value: -1
Syntax: Integer
Example: nsslapd-auditlog-logmaxdiskspace: 10000

2.3.1.26. nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
This attribute sets the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest audit logs are deleted until enough disk space is freed to satisfy this attribute.
Entry DN: cn=config
Valid Range: -1 (unlimited) | 1 to the maximum 32-bit integer value (2147483647)
Default Value: -1
Syntax: Integer
Example: nsslapd-auditlog-logminfreediskspace: -1

2.3.1.27. nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)
This attribute sets whether audit log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier, because they then map directly to the calendar.
For audit log rotation to be synchronized with time of day, this attribute must be enabled with the ns
422. tValue: 1

3.7.6. dnaPrefix
This attribute defines a prefix that can be prepended to the generated number values for the attribute. For example, to generate a user ID such as user1000, the dnaPrefix setting would be user.
Entry DN: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range: Any string
Default Value: None
Syntax: DirectoryString
Example: dnaPrefix: id

3.7.7. dnaRangeRequestTimeout
One potential situation with the Distributed Numeric Assignment Plug-in is that one server begins to run out of numbers to assign. The dnaThreshold attribute sets a threshold of available numbers in the range, so that the server can request an additional range from the other servers before it is unable to perform number assignments. The dnaRangeRequestTimeout attribute sets a timeout period, in seconds, for range requests, so that the server does not stall waiting on a new range from one server and can request a range from a new server.
For range requests to be performed, the dnaSharedCfgDN attribute must be set.
Entry DN: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range: 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems
Default Value: 10
Syntax: Integer
Example: dnaRangeRequestTimeout: 15

3.7.8. dnaScope
This attribute
423. tabase transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. By default, the database transaction log is stored in the same directory as the directory entries themselves, /var/lib/dirsrv/slapd-instance_name/db. For fault tolerance and performance reasons, move this log file to another physical disk.
The nsslapd-db-logdirectory attribute is absent from dse.ldif. To change the location of the database transaction log, add the attribute to dse.ldif. For more information on database transaction logging, refer to the Monitoring Server and Database Activity chapter in the Directory Server Administrator's Guide.
Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Values: Any valid path and directory name
Default Value:
Syntax: DirectoryString
Example: nsslapd-db-logdirectory: /logs/txnlog

3.4.1.14. nsslapd-db-logfile-size
This attribute specifies the maximum size of a single file in the log, in bytes. By default, or if the value is set to 0, a maximum size of 10 megabytes is used. The maximum size is an unsigned 4-byte value.
Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range: 0 to unsigned 4-byte integer
Default Value: 10MB
Syntax: Integer
Example: nsslapd-db-logfile-size: 10 MB
424. tabase of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be pointed to the certificate database for the web browser. For example: -P /security/cert.db
The client security files can be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory. In this case, the -P option calls out a path and filename similar to the following: -P /etc/dirsrv/slapd-instance_name/client-cert.db
-Q    Specifies the token and certificate name, which is separated by a semicolon, for PKCS11.
-W    Specifies the password for the certificate database identified on the -P option. For example: -W serverpassword
-Z    Specifies that SSL is to be used for the directory request.
-ZZ   Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not need to be aborted; it will continue in cleartext.
-ZZZ  Enforces the Start TLS request. The server must respond that the request was successful. If the server does not support Start TLS (such as when Start TLS is not enabled or the certificate information is incorrect), the command is aborted immediately.
Table 6.12. ldapmodify SSL Options

SASL Options
SASL mechanisms can be used to authenticate a user, using -o to pass the required SASL information. To learn which SASL m
425. tc/dirsrv/slapd-instance_name/secmod.db
This option only needs to be given if the security module database is in a different directory than the certificate database itself.
-N    Specifies the certificate name to use for certificate-based client authentication, such as -N Server-Cert. If this option is specified, then the -Z, -P, and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur and the bind operation will use the authentication credentials specified on -D and -w.
-P    Specifies the absolute path (including the filename) of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be that of the certificate database for the browser. For example: -P /security/cert.db
      The client security files can also be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory. In this case, the -P option would call out a path and filename similar to the following: -P /etc/dirsrv/slapd-instance_name/client-cert.db
-Q    Specifies the token and certificate name, which is separated by a semicolon, for PKCS11.
-W    Specifies the password for the private key database identified in the -P option. For example: -W secret. If a da
426. ted, if the -r option was used, then the database is automatically initialized as a replica. See Section 7.4.7, ldif2db.pl (Import), for information on importing an LDIF file.
-s includeSuffix  Gives suffixes to be included, or the subtrees to be included if -n has been used.
-x excludeSuffix  Gives suffixes to be excluded.
-u                Requests that the unique ID is not exported.
-U                Requests that the output LDIF is not folded.
-v                Verbose mode.
-w password       Gives the password associated with the user DN.
-W                Prompts for the password associated with the user DN.
Table 7.22. db2ldif.pl Options

7.4.6. fixup-memberof.pl (Regenerate memberOf Attributes)
Regenerates and updates memberOf on user entries to coordinate changes in group membership. To run this script, the server must be running. The script creates an entry in the directory that launches this dynamic task.
Syntax
fixup-memberof.pl -D rootdn { -w password | -w - | -j filename } -b baseDN [ -f filter ] [ -v ]
Options
-b baseDN  The DN of the subtree containing the entries to update.
-D rootdn  Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config.
-f filter  An LDAP query filter to use to select the entries within the subtree to update. If there is no filter
427. ted States, the European Union, and other countries. All other trademarks are the property of their respective owners.
1801 Varsity Drive, Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701

About This Reference  ix
  1. Directory Server Overview  ix
  2. Examples and Formatting  ix
    2.1. Command and File Examples  ix
    2.2. Tool Locations  ix
    2.3. LDAP Locations  ix
    2.4. Text Formatting and Styles  x
  3. Additional Reading  xi
  4. Giving Feedback  xii
  5. Documentation History  xii
1. Introduction  1
  1.1. Directory Server Configuration  1
  1.2. Directory Server Instance File Reference  1
  1.3. Using Directory Server Command Line Utilities  1
  1
428. ted based upon the values provided for each option. Ellipses (...) indicate that multiple occurrences are allowed.
Syntax
db2ldif.pl [ -v ] -D rootdn { -w password | -w - | -j filename } { -n backendInstance ... | -s includeSuffix ... } [ -x excludeSuffix ... ] [ -a outputFile ] [ -N ] [ -r ] [ -C ] [ -u ] [ -U ] [ -m ] [ -E ] [ -1 ] [ -M ]
Options
To run this script, the server must be running, and either the -n or -s option is required.
-1                  Deletes, for reasons of backward compatibility, the first line of the LDIF file that gives the version of the LDIF standard.
-a outputFile       Gives the filename of the output LDIF file.
-C                  Uses only the main database file.
-D rootdn           Gives the user DN with root permissions, such as Directory Manager.
-E                  Decrypts encrypted data during export. This option is used only if database encryption is enabled.
-j filename         The name of the file containing the password.
-m                  Sets minimal base-64 encoding.
-M                  Uses multiple files for storing the output LDIF, with each instance stored in instance_filename (where filename is the filename specified for the -a option).
-n backendInstance  Gives the instance to be exported.
-N                  Suppresses printing sequential numbers.
-r                  Exports the information required to initialize a replica when the LDIF is imported. The LDIF file which is created with db2ldif.pl can be imported using ldif2db.pl. When it is impor
429. teger
Valid Range:
Default Value:
Example: nsDS5ReplicaUpdateSchedule: 0000-2359 0123456

2.3.8.25. nsDS50ruv
This attribute stores the last replica update vector (RUV) read from the consumer of this replication agreement. It is always present and must not be changed.

2.3.8.26. nsruvReplicaLastModified
This attribute contains the most recent time that an entry in the replica was modified and the changelog was updated.

2.3.9. Synchronization Attributes under cn=syncAgreementName,cn=WindowsReplica,cn=suffixName,cn=mapping tree,cn=config
The synchronization attributes that concern the synchronization agreement are stored under cn=syncAgreementName,cn=WindowsReplica,cn=suffixDN,cn=mapping tree,cn=config. The cn=syncAgreementName entry is an instance of the nsDSWindowsReplicationAgreement object class. For synchronization agreement configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Synchronization agreements are configured only on databases that are enabled to synchronize with Windows Active Directory servers.
cn
description
nsDS5ReplicaBindDN (the Windows sync manager ID)
nsDS5ReplicaBindMethod
nsDS5ReplicaBusyWaitTime
nsDS5ReplicaChangesSentSinceStartup
nsDS5ReplicaLastUpdateEnd
nsDS5ReplicaLastUpdateStart
nsDS5ReplicaLastUpdateStatus
nsDS5ReplicaPort
nsDS5ReplicaRoot
nsDS5ReplicaSes
430. tents of 3
  editing 9
  ldif files 4
dse.ldif.bak file 3
dse.ldif.startOK file 3
ds_removal
  quick reference 277
ds_removal (command line utility)
  options 286
  syntax 285
dTableSize attribute 98
E
editing dse.ldif file 9
encryption
  root password 51
  specifying password storage scheme 69
encryption configuration attributes
  nsSSL2 75
  nsSSL3 76
  nsSSL3ciphers 76
  nsSSLclientauth 75
  nsSSLSessionTimeout 75
encryption configuration entries
  cn=encryption 75
encryption method for root password 51
entriessent attribute 98
entrydn.db4 file 215
error log
  contents, format 232
  LDAP result codes 237
F
files
  ancestorid.db4 215
  containing search filters 252
  entrydn.db4 215
  id2entry.db4 215
  locating configuration 7
  nsuniqueid.db4 215
  numsubordinates.db4 215
  objectclass.db4 215
  parentid.db4 215
filter 120
fixup-memberof.pl
  quick reference 278
  related configuration entry 119
fixup-memberof.pl (command line perl script) 300
id2entry.db4 file 215
Indexes
  configuration of 7
J
jpeg images 273
L
LDAP
  modifying configuration entries 8
LDAP Data Interchange Format (LDIF)
  binary data 273
LDAP result codes 237
ldapdelete (command line utility) 350
  additional options 266
  commonly used options 262
  SASL options 265
  ssl options 264
  syntax 262
ldapmodify (command line utility)
  additional options 260
  commonly used options 256
  options 256
  SASL options 259
  ssl options 258
431. tes to the consumer.
certificate  A collection of data that associates the public keys of a network user with their DN in the directory. The certificate is stored in the directory as user object attributes.
Certificate Authority  Company or organization that sells and issues authentication certificates. You may purchase an authentication certificate from a Certification Authority that you trust. Also known as a CA.
CGI  Common Gateway Interface. An interface for external programs to communicate with the HTTP server. Programs written to use CGI are called CGI programs or CGI scripts and can be written in many of the common programming languages. CGI programs handle forms or perform output parsing that is not done by the server itself.
chaining  A method for relaying requests to another server. Results for the request are collected, compiled, and then returned to the client.
changelog  A changelog is a record that describes the modifications that have occurred on a replica. The supplier server then replays these modifications on the replicas stored on replica servers, or on other masters in the case of multi-master replication.
character type  Distinguishes alphabetic characters from numeric or other characters and the mapping of upper-case to lower-case letters.
ciphertext  Encrypted informa
(Further terms whose definitions fall outside this extract: class definition, class of service, classic CoS, client, code page, collation order, consumer, consumer server.)
432. th, the connection will be a simple bind. For example, the configuration file may appear as follows:
# Configuration File for Monitoring Replication Via Admin Express
[connection]
*:*:*:mypassword
[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
C2 = host2.example.com:10022
[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC
A shadow port can be set in the replication monitor configuration file. For example:
host:port=shadowport:binddn:bindpwd:bindcert
When the replication monitor finds a replication agreement that uses the specified port, it will use the shadow port to connect to retrieve statistics.

7.3.12. pwdhash (Prints Encrypted Passwords)
Prints the encrypted form of a password using one of the server's encryption algorithms. If a user cannot log in, use this script to compare the user's password to the password stored in the directory.
Syntax
pwdhash [ -D config_directory ] [ -H ] [ -s scheme ] [ -c comparepwd ] password
Options
-D config_directory  Gives the full path to the configuration directory.
-c password          Gives the hashed password string to which to compare the user's password.
-s scheme            Gives the scheme to hash the given password.
-H                   Shows the help.
Table 7.12. pwdhash Options
For more information on the different storage schemes, such as SSHA, SHA, CRYPT, and CLEAR, see the Directory Server Administrator's Guide.

7.3.13.
433. th additional debugging messages.

Setting: Console Name: Description
8: Connection management: Logs the current connection status, including the connection methods used for a SASL bind.
16: Packets sent/received: Prints out the numbers of packets sent and received by the server.
32: Search filter processing: Logs all of the functions called by a search operation.
64: Config file processing: Prints any .conf configuration files used with the server, line by line, when the server is started. By default, only slapd-collations.conf is available and processed.
128: Access control list processing
2048: Log entry parsing: Logs schema parsing debugging information.
(See nsslapd-errorlog-level, Error Log Level, in the Core Server Configuration Reference.)
4096: Housekeeping: Housekeeping thread debugging.
8192: Replication: Logs detailed information about every replication-related operation, including updates and errors, which is important for debugging replication problems.
16384: Default: Default level of logging, used for critical errors and other messages that are always written to the error log, such as server startup messages. Messages at this level are always included in the error log, regardless of the log level setting.
32768: Entry cache: Datab
434. that the replication status can be monitored through a web browser V Prints the version of this script Table 7 11 repl monitor Options Configuration File Format The configuration file defines the following The connection parameters for connecting to the LDAP servers to get replication information specifying this information is mandatory The server alias for more readable server names specifying this information is optional The color thresholds for time lags specifying this information is optional The format for the configuration file is shown below connection host port binddn bindpwd bindcert host port binddn bindpwd bindcert alias alias alias host port host port color lowmark color 289 Chapter 7 Command Line Scripts lowmark color The connection section defines how this tool may connect to each LDAP server in the replication topology to get the replication agreement information The default binddn is cn Directory Manager Simple bind will be used unless bindcert is specified with the path of a certificate database A server may have a dedicated or shared entry in the connection section The script will find out the most matched entry for a given server For example if all the LDAP servers except host1 share the same binddn and bindpassword the connection section will need to contain just two entries connection binddn bindpassword host1 binddn1 bindp
435. the LDAP and the SASL mechanism used, as shown below with the GSS-API mechanism:

[21/Apr/2009:12:57:14 -0700] conn=32 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI

NOTE: The authenticated DN (the DN used for access control decisions) is now logged in the BIND result line, as opposed to the bind request line, as was previously the case:

[21/Apr/2009:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"

For SASL binds, the DN value displayed in the bind request line is not used by the server and, as a consequence, is not relevant. However, given that the authenticated DN is the DN which, for SASL binds, must be used for audit purposes, it is essential that this be clearly logged. Having this authenticated DN logged in the bind result line avoids any confusion as to which DN is which.

5.1.3. Access Log Content for Additional Access Logging Levels

This section presents the additional access logging levels available in the Directory Server access log. In the example below, access logging level 4, which logs internal operations, is enabled:

[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=%22dc=example,dc=com%22,cn=mapping tree,cn=config" scope=0 filter="(objectclass=nsMappingTree)" attrs="nsslapd-referral" options=persistent
[12/Jul/2009:16:45:46 +0200] con
436. the hostname of the Directory Server. The default value is the full hostname of the machine where Directory Server is installed.
DN: Specifies the entry DN or role DN to deactivate.
-j filename: Specifies the path, including the filename, to the file that contains the password associated with the user DN.
-p port: Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time.
-w password: Specifies the password associated with the user DN.
-W: Prompts for the password associated with the user DN.
Opens the help page.
Table 7.30. ns-inactivate.pl Options

7.4.14. ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)

Adds entries required for implementing the user- and subtree-level password policy. For instructions on how to enable this feature, see the Red Hat Directory Server Administrator's Guide.

Syntax: ns-newpwpolicy.pl -D rootdn -w password -j filename -p port -h host -U userDN -S suffixDN -v

Options:
-D rootdn: Specifies the Directory Server user DN with root permissions, such as Directory Manager. The default value is cn=directory manager.
-h host: Specifies the hostname of the Directory Server. The default value is localhost or the full hostname of the machine where Dir
-j filename
437. the instances are stored in the cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config information tree.
nsAddCount: This attribute gives the number of add operations received.
nsDeleteCount: This attribute gives the number of delete operations received.
nsModifyCount: This attribute gives the number of modify operations received.
nsRenameCount: This attribute gives the number of rename operations received.
nsSearchBaseCount: This attribute gives the number of base-level searches received.
nsSearchOneLevelCount: This attribute gives the number of one-level searches received.
nsSearchSubtreeCount: This attribute gives the number of subtree searches received.
nsAbandonCount: This attribute gives the number of abandon operations received.
nsBindCount: This attribute gives the number of bind requests received.
nsUnbindCount: This attribute gives the number of unbinds received.
nsCompareCount: This attribute gives the number of compare operations received.
nsOperationConnectionCount: This attribute gives the number of open connections for normal operations.
nsBindConnectionCount: This attribute gives the number of open connections for bind operations.

3.6. Retro Changelog Plug-in Attributes

Two different types of changelogs are maintained by Directory Server. The first type, referred to as simply a changelog, is used by multi-master replication, and the sec
438. this tool. Some data extracted from logs depend on connection and operation numbers that are reset and no longer unique after a server restarts. Therefore, to obtain the most accurate counts, the logs to be analyzed should not span a restart of the Directory Server. Due to changes in the access log format in current releases of Directory Server that affected operation numbers, the tool will be more accurate with logs from current versions when processing large amounts of access logs. For performance reasons, it is not recommended to run more than one gigabyte of access logs through the script at any one time.

Syntax: logconv.pl -S startTimestamp -E endTimestamp -d mgrDN -X ipAddress -v -h -s size_limit -V -efcibaltnxgjuyp accessLog

Options: Table 7.26, logconv.pl Options, describes the logconv.pl command-line options.
-d mgrDN: Specifies the distinguished name (DN) of the Directory Manager in the logs being analyzed. This allows the tool to collect statistics for this special user. The mgrDN parameter should be given in double quotes for the shell. When this parameter is omitted, logconv.pl will use the default manager DN of the Directory Server, cn=Directory Manager.
-E endTimestamp: Specifies the end timestamp; the timestamp must follow the exact format used in the access log.
-h: Displays the usage help text that briefly describes all options.
-s number: Specifies the number of
439. thout providing credentials and regardless of the conditions of the bind Allows for efficient approximate or sounds like searches Holds descriptive information about an entry Attributes have a label and a value Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value A list of required and optional attributes for a given entry type or object class In pass through authentication PTA the authenticating Directory Server is the Directory Server that contains the authentication credentials of the requesting client The PTA enabled host sends PTA requests it receives from clients to the host 329 Glossary authentication authentication certificate B base distinguished name base DN bind distinguished name bind DN bind rule branch entry browser browsing index C CA cascading replication 1 Process of proving the identity of the client user to the Directory Server Users must provide a bind DN and either the corresponding password or certificate in order to be granted access to the directory Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator 2 Allows a client to make sure they are connected to a secure server preventing another computer from impersonating the server or attempting to appear secure when it is not D
440. tion: Description
-D: For example: -D uid=bjensen,dc=example,dc=com. For more information on access control, see the Managing Access Control chapter in the Directory Server Administrator's Guide. The -D option cannot be used with the -N option.
dn: Specifies the DN of the entry to delete.
-g: Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests. The ldapdelete tool can parse and display information from the response control if it is returned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with the appropriate value. The criticality of the request control is set to false, to ensure that all LDAPv3 servers that do not understand the control can ignore it. To suppress sending of the request control with the bind request, include -g on the command line.
-h: Specifies the name of the host on which the server is running. For example: -h cyclops. The default is localhost.
-p: Specifies the port number that the server uses. The default is 389. If -Z is used, the default is 636.
-w: Specifies the password associated with the distinguished name specified in the -D option. For example: -w mypassword. The default is "" (anonymous). If a password is not sent on the command line and the server requires one, the command prompts for one. It i
441. tion parameters for instance specific paths such as nsslapd certdir and nsslapd lockdir See the documentation for the specific directory path that is set 2 3 1 62 nsslapd ioblocktimeout IO Block Time Out This attribute sets the amount of time in milliseconds after which the connection to a stalled LDAP client is closed An LDAP client is considered to be stalled when it has not made any I O progress for read or write operations Parameter Description Entry DN cn config Valid Range 0 to the maximum 32 bit integer value 2147483647 in ticks Default Value 1800000 37 Chapter 2 Core Server Configuration Reference Parameter Description Example nsslapd ioblocktimeout 1800000 2 3 1 63 nsslapd lastmod Track Modification Time This attribute sets whether the Directory Server maintains the modification attributes for Directory Server entries These are operational attributes These attributes include modifiersName The distinguished name of the person who last modified the entry modifyTimestamp The timestamp in GMT format for when the entry was last modified creatorsName The distinguished name of the person who initially created the entry createTimestamp The timestamp for when the entry was created in GMT format Parameter Description Entry DN cn config Valid Values on off Default Value on Syntax DirectoryString Example nsslapd lastmod on WARN
442. tion that cannot be read by anyone without the proper key to decrypt the information Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory See CoS A classic CoS identifies the template entry by both its DN and the value of one of the target entry s attributes See LDAP client An internal table used by a locale in the context of the internationalization plug in that the operating system uses to relate keyboard keys to character font screen displays Provides language and cultural specific information about how the characters of a given language are to be sorted This information might include the sequence of letters in the alphabet or how to compare letters with accents to letters without accents Server containing replicated directory trees or subtrees from a supplier server In the context of replication a server that holds a replica that is copied from a different server is called a consumer for that replica 331 Glossary CoS CoS definition entry CoS template entry D daemon DAP data master database link default index definition entry Directory Access Protocol Directory Manager directory service directory tree distinguished name DIT DM DN DNS A method for sharing attributes between entries in a way that is invisible to applications Identifies the type of CoS you are usi
443. tive directory In that 308 migrate ds admin pl Option Alternate Options Description case the oldsroot parameter sets the directory from which the migration is run Such as machine new migrate opt redhat ds while the actualsroot parameter sets the server root opt redhat ds instance i This parameter specifies a specific instance to migrate This parameter can be used multiple time to migrate several instances simultaneously By default the migration script migrates all Directory Server instances on the machine file name f name This sets the path and name of the inf file provided with the migration script The only parameter is the General ConfigDirectoryAdminPwd parameter which is the configuration directory administrator s password Any other configuration setting is ignored by the migration script Cross C OF X This parameter is used when the Directory Server is being migrated from one machine to another with a different architecture For cross platform migrations only certain data are migrated This migration action takes database information exported to LDIF and imports into the new 8 1 databases Changelog information is not migrated If a supplier or hub is migrated then all its replicas must be reinitialized debug d dddd This parameter turns on debugging information For the d flag increasing the number of d s increases the debug level l
444. to be aborted, it will continue in plain text.
-ZZZ: Enforces the Start TLS request. The server must respond that the request was successful. If the server does not support Start TLS (such as when Start TLS is not enabled or the certificate information is incorrect), the command is aborted immediately.
Table 6.16. ldapdelete SSL Options

SASL Options

SASL mechanisms can be used to authenticate a user, using the -o option to pass the required SASL information. To learn which SASL mechanisms are supported, search the root DSE; see the -b option in Table 6.3, Commonly Used ldapsearch Options.

-o: Specifies SASL options. The format is -o saslOption=value. saslOption can have one of six values:
mech: the SASL authentication mechanism
authid: the user who is binding to the server (Kerberos principal)
authzid: a proxy authorization (ignored by the server, since proxy authorization is not supported)
secProp: the security properties
realm: the Kerberos realm
flags
The expected values depend on the supported mechanism. The -o option can be used multiple times to pass all of the required SASL information for the mechanism. For example: -o mech=DIGEST-MD5 -o authzid="test user" -o authid=test_user
Table 6.17. SASL Options

See SASL Options for ldapsearch for information on how to use SASL options with ldapdelete.
445. to ranges, the Distributed Numeric Assignment Plug-in allows multiple servers to assign numbers without conflict. The plug-in also manages the ranges assigned to servers, so that if one instance runs through its range quickly, it can request additional ranges from the other servers. Distributed numeric assignment is handled per attribute and is only applied to specific suffixes and specific entries within the subtree.

3.7.1. dnaFilter

This attribute sets an LDAP filter to use to search for and identify the entries to which to apply the distributed numeric assignment range. The dnaFilter attribute is required to set up distributed numeric assignment for an attribute.
Entry DN: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range: Any valid LDAP filter
Default Value: None
Syntax: DirectoryString
Example: dnaFilter: (objectclass=person)

3.7.2. dnaMagicRegen

This attribute sets a user-defined value that instructs the plug-in to assign a new value for the entry. The magic value can be used to assign new unique numbers to existing entries, or to use as a standard setting when adding new entries. The magic value should be outside of the defined range for the server, so that it cannot accidentally be triggered. This attribute also does not have to be a number, which can make it easier to assign.
Entry DN: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range:
446. tor's Guide.

Extended Operation OID: An extended operation OID, such as EXT oid="2.16.840.1.113730.3.5.3" or EXT oid="2.16.840.1.113730.3.5.5" in Example 5.1, Example Access Log, provides the OID of the extended operation being performed. Table 5.2, LDAPv3 Extended Operations Supported by Directory Server, provides a partial list of LDAPv3 extended operations and their OIDs supported in Directory Server.

Extended Operation (OID): Name: Description
2.16.840.1.113730.3.5.3: Directory Server Start Replication Request: Sent by a replication initiator to indicate that a replication session is requested.
2.16.840.1.113730.3.5.4: Directory Server Replication Response: Sent by a replication responder in response to a Start Replication Request Extended Operation or an End Replication Request Extended Operation.
2.16.840.1.113730.3.5.5: Directory Server End Replication Request: Sent to indicate that a replication session is to be terminated.
2.16.840.1.113730.3.5.6: Directory Server Replication Entry Request: Carries an entry, along with its state information (csn and UniqueIdentifier), and is used to perform a replica initialization.
2.16.840.1.113730.3.5.7: Directory Server Bulk Import Start: Sent by the client to request a bulk import together with the suffix being imported to, and sent by the server to indicate that the bulk i
447. tory Server currenttime This attribute shows the current time given in Greenwich Mean Time indicated by GeneralizedTime syntax Z notation for example 20090202131102Z startTime This attribute shows the Directory Server start time given in Greenwich Mean Time indicated by GeneralizedTime syntax Z notation For example 20090202131102Z version This attribute shows the Directory Server vendor version and build number For example Red Hat 8 1 1 B2009 274 08 98 cn replication threads This attribute shows the number of threads used by the Directory Server This should correspond to nsslapd threadnumber in cn config nbackEnds This attribute shows the number of Directory Server database backends backendMonitorDN This attribute shows the DN for each Directory Server database backend For further information on monitoring the database see the following sections e Section 3 4 8 Database Attributes under cn attributeName cn encrypted attributes cn database_name cn ldbm database cn plugins cn config e Section 3 4 4 Database Attributes under cn database cn monitor cn ldbm database cn plugins cn config e Section 3 4 6 Database Attributes under cn monitor cn NetscapeRoot cn ldbm database cn plugins cn config e Section 3 5 4 Database Link Attributes under cn monitor cn database instance name cn chaining database cn plugins cn config 2 3 11 cn replication This en
448. toryString Example nsState Abld0c30MIDUntiLCyYNGgJAAAAAAAAAA 2 4 Configuration Object Classes Many configuration entries simply use the extensibleObject object class but some require other object classes These configuration object classes are listed here 2 4 1 changeLogEntry Object Class This object class is used for entries which store changes made to the Directory Server entries 120 directoryServerFeature Object Class To configure Directory Server to maintain a changelog that is compatible with the changelog implemented in Directory Server 4 1x enable the Retro Changelog Plug in Each entry in the changelog has the changeLogEntry object class This object class is defined in Changelog Internet Draft Superior Class top OID 2 16 840 1 113730 3 2 1 Required Attributes objectClass Defines the object classes for the entry changeNumber Contains a number assigned arbitrarily to the changelog changeTime The time at which a change took place changeType The type of change performed on an entry targetDn The distinguished name of an entry added modified or deleted on a supplier server Allowed Attributes changes Changes made to the Directory Server deleteOldRdn A flag that defines whether the old Relative Distinguished Name RDN of the entry should be kept as a distinguished attribute of the entry or should be deleted newRadn New RDN of an
449. tribute sets whether the consumer deletes its database Its values are either start or stop Syntax DirectoryString Multi or Single Valued Multi valued 2 5 2 3 CirBindCredentials For consumer initiated replication this attribute is used to identify the bind password for the replication identity OID 2 16 840 1 113730 3 1 85 Syntax IA5String Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 4 cirBindDN For consumer initiated replication this attribute gives the username for the server to bind to the supplier as OID 2 16 840 1 113730 3 1 82 Syntax DN Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 5 cirHost For consumer initiated replication this contains the hostname of the supplier server 2 16 840 1 113730 3 1 80 Syntax DirectoryString 135 Chapter 2 Core Server Configuration Reference Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 6 cirLastUpdateApplied For consumer initiated replication this attribute stores the change number of the last change sent to the consumer OID 2 16 840 1 113730 3 1 86 Syntax DirectoryString Multi or Single Valued Multi valued Defined in Directory Server 2 5 2 7 cirPort In consumer initiated replication this attribute gives the port number of the supplier OID 2 16 840 1 113730 3 1 81 Syntax DirectoryString M
450. tributes. The database plug-in is also organized in an information tree, as shown in Figure 3.1, Database Plug-in.

Figure 3.1. Database Plug-in (information tree below cn=ldbm database,cn=plugins,cn=config: cn=databaseInstanceName, with cn=NetscapeRoot and cn=userRoot; cn=config; cn=monitor; cn=default indexes; cn=database; cn=index; cn=monitor; cn=encrypted attributes; cn=index; cn=monitor)

All plug-in technology used by the database instances is stored in the cn=ldbm database plug-in node. This section presents the additional attribute information for each of the nodes in bold in the cn=ldbm database,cn=plugins,cn=config information tree.

3.4.1. Database Attributes under cn=config,cn=ldbm database,cn=plugins,cn=config

This section covers the global configuration attributes common to all instances, which are stored in the cn=config,cn=ldbm database,cn=plugins,cn=config tree node.

3.4.1.1. nsLookThroughLimit

This performance-related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request. The Directory Manager DN, however, is by default unlimited and overrides any other settings specified here. It is worth noting that binder-based resource limits work for this limit, which means that if a value for the operational attribute nsLookThroughLimit is present in the entry as which a user binds, the defa
451. tries it has located that match the search request, as well as an exceeded time limit error. When no limit is set, ns-slapd returns every matching entry to the client, regardless of the time it takes. To set a no-limit value, whereby Directory Server waits indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file. A value of zero (0) causes no time to be allowed for searches. The smallest time limit is 1 second.

NOTE: A value of -1 on this attribute in the dse.ldif is the same as leaving the attribute blank in the server console, in that it causes no limit to be used. However, a negative integer cannot be set in this field in the server console, and a null value cannot be used in the dse.ldif entry, as it is not a valid integer.

Entry DN: cn=config
Valid Range: -1 to the maximum 32-bit integer value (2147483647), in seconds
Default Value: 3600
Syntax: Integer
Example: nsslapd-timelimit: 3600

2.3.1.107. nsslapd-tmpdir

This is the absolute path of the directory the server uses for temporary files. The directory must be owned by the server user ID, and the user must have read and write access. No other user ID should have read or write access to the directory. The default value is /tmp. Changes made to this attribute will not take effect until the server is restarted.

2.3.1.108. nsslapd-versionstring

This attribute sets the server version number. The
452. tring Example cn example task entry name nsTaskStatus This attribute contains changing information about the status of the task such as cumulative statistics or its current output message The entire contents of the attribute may be updated periodically for as long as the process is running This attribute value is set by the server and should not be edited Parameter Description Entry DN cn task_name cn task_type cn tasks cn config Valid Values Any string Default Value Syntax case exact string 105 Chapter 2 Core Server Configuration Reference Parameter Description nsTaskLog This entry contains all of the log messages for the task including both warning and information messages New messages are appended to the end of the entry value so this attribute value grows larger without erasing the original contents by default Successful task operations which have an nsTaskExitCode of 0 are only recorded in the nsTaskLog attribute Any non zero response which indicates an error may be recorded in the error log as an error but the error message is only recorded in the nsTaskLog attribute For this reason use the information in the nsTaskLog attribute to find out what errors actually occurred This attribute value is set by the server and should not be edited Parameter Entry DN Description cn task name cn task type cn tasks cn config Valid Values Any string
453. try has no attributes. When configuring legacy replication, those entries are stored under this cn=replication node, which serves as a placeholder.

2.3.12. cn=sasl

Entries which contain SASL mapping configurations are stored under cn=mapping,cn=sasl,cn=config. The cn=sasl entry is an instance of the nsContainer object class. Each mapping underneath it is an instance of the nsSaslMapping object class.

2.3.12.1. nsSaslMapBaseDNTemplate

This attribute contains the search base DN template used in SASL identity mapping.
Entry DN: cn=mapping_name,cn=mapping,cn=sasl,cn=config
Valid Values: Any valid DN
Default Value:
Syntax: IA5String
Example: nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com

2.3.12.2. nsSaslMapFilterTemplate

This attribute contains the search filter template used in SASL identity mapping.
Entry DN: cn=mapping_name,cn=mapping,cn=sasl,cn=config
Valid Values: Any string
Default Value:
Syntax: IA5String
Example: nsSaslMapFilterTemplate: (cn=\1)

2.3.12.3. nsSaslMapRegexString

This attribute contains a regular expression used to map SASL identity strings.
Entry DN: cn=mapping_name,cn=mapping,cn=sasl,cn=config
Valid Values: Any valid regular expression
Default Value:
Syntax: IA5String
nsSaslMapRegexString
454. ts the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.

Attributes in dse.ldif: Logging enabled or disabled
nsslapd-errorlog-logging-enabled: on; nsslapd-errorlog: empty string: Disabled
nsslapd-errorlog-logging-enabled: on; nsslapd-errorlog: filename: Enabled
nsslapd-errorlog-logging-enabled: off; nsslapd-errorlog: empty string: Disabled
nsslapd-errorlog-logging-enabled: off; nsslapd-errorlog: filename: Disabled
Table 2.6. Possible Combinations for nsslapd-errorlog Configuration Attributes

2.3.1.44. nsslapd-errorlog-level (Error Log Level)

This attribute sets the level of logging for the Directory Server. The log level is additive; that is, specifying a value of 3 includes both levels 1 and 2. The default value for nsslapd-errorlog-level is 16384.
Entry DN: cn=config
Valid Values:
1: Trace function calls. Logs a message when the server enters and exits a function.
2: Debug packet handling
4: Heavy trace output debugging
8: Connection management
16: Print out packets sent/received
32: Search filter processing
64: Config file processing
128: Access control list processing
1024: Log communications with shell databases
2048: Log entry parsing d
455. ts the path and name of the .inf file provided with the migration script. The only parameter is the General.ConfigDirectoryAdminPwd parameter, which is the configuration directory administrator's password. Any other configuration setting is ignored by the migration script.
cross (alternate: -c or -x): This parameter is used when the Directory Server is being migrated from one machine to another with a different architecture. For cross-platform migrations, only certain data are migrated. This migration action takes database information exported to LDIF and imports it into the new 8.1 databases. Changelog information is not migrated. If a supplier or hub is migrated, then all its replicas must be reinitialized.
debug (alternate: -d or -dddd): This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level.
logfile name (alternate: -l): This parameter specifies a log file to which to write the output. If this is not set, then the migration information is written to a temporary file named /tmp/migrateXXXXX.log. To disable logging, set /dev/null as the logfile.

7.4.10. migrate-ds-admin.pl

The migrate-ds-admin.pl script is used to migrate a Directory Server 7.1 instance to Directory Server 8.1. Migration can happen between instances on the same machine, on different machines, or on different platforms. This script migrates both the Directory
456. tscanlimit 4000 3 4 1 3 nsslapd cache autosize This performance tuning related attribute which is turned off by default specifies the percentage of free memory to use for all the combined caches For example if the value is set to 80 then 80 percent of the remaining free memory would be claimed for the cache To run other servers on the machine then set the value lower Setting the value to 0 turns off the cache autosizing and uses the normal nsslapd cachememsize and nsslapd dbcachesize attributes 166 Database Attributes under cn config cn ldbm database cn plugins cn config NOTE If the nsslapd cache autosize attribute and nsslapd cache autosize split attribute are both set to high values such as 106 then the Directory Server may fail to start and return an error message To fix this issue reset the nsslapd cache autosize and nsslapd cache autosize split attributes to a more reasonable level For example nsslapd cache autosize 60 nsslapd cache autosize split 60 Parameter Description Entry DN cn config cn ldbm database cn plugins cn config Valid Range 0 turns cache autosizing off to 100 Default Value 0 Syntax Integer Example nsslapd cache autosize 80 3 4 1 4 nsslapd cache autosize split This performance tuning related attribute specifies the percentage of cache space to allocate to the database cache For example setting this to 60 would give the database cache 60 perce
457. …ttributes

Required attributes: objectClass: Gives the object classes assigned to the entry. cn: Specifies the common name of the entry.

Allowed attributes: description: Gives a text description of the entry. localityName: Gives the city or geographical location of the entry. ou (organizationalUnitName): Gives the organizational unit or division to which the account belongs. seeAlso: Contains a URL to another entry or site with related information. generation: Stores the server generation string. changelogmaximumage: Specifies the changelog maximum age. changeLogMaximumSize: Specifies the maximum changelog size.

2.5.1.2. changeLogMaximumAge: This sets the maximum age for the changelog maintained by the server. OID: 2.16.840.1.113730.3.1.200; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server

2.5.1.3. changeLogMaximumConcurrentWrites: This attribute sets the maximum number of concurrent writes that can be written to the changelog. OID: 2.16.840.1.113730.3.1.205; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server

2.5.1.4. changeLogMaximumSize: This attribute sets the maximum size for the changelog. Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued

2.5.1.5. generation: This attri…
458. …tup is therefore useful for maintaining normal durability while also allowing transaction batching to be turned on and off remotely when desired. Remember that the value for this attribute may require modifying the nsslapd-db-logbuf-size attribute to ensure sufficient log buffer size for accommodating the batched transactions.

NOTE: The nsslapd-db-transaction-batch-val attribute is only valid if the nsslapd-db-durable-transaction attribute is set to on. For more information on database transaction logging, refer to the Monitoring Server and Database Activity chapter in the Directory Server Administrator's Guide.

Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config; Valid Range: 0 to 30; Default Value: 0 (turned off); Syntax: Integer; Example: nsslapd-db-transaction-batch-val: 5

3.4.1.18. nsslapd-db-trickle-percentage: This attribute sets that at least the specified percentage of pages in the shared memory pool are clean, by writing dirty pages to their backing files. This is to ensure that a page is always available for reading in new information without having to wait for a write.

Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config; Valid Range: 0 to 100; Default Value: 40; Syntax: Integer

3.4.1.19. nsslapd-db-verbose: This att…
460. …type: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off

2.2.2.2. Restrictions to Modifying Configuration Entries and Attributes: Certain restrictions apply when modifying server entries and attributes. The cn=monitor entry and its child entries are read-only and cannot be modified, except to manage ACIs. If an attribute is added to cn=config, the server ignores it. If an invalid value is entered for an attribute, the server ignores it. Because ldapdelete is used for deleting an entire entry, use ldapmodify to remove an attribute from an entry.

2.2.2.3. Configuration Changes Requiring Server Restart: Some configuration attributes cannot be altered while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file. Some of the attributes that require a server restart for any changes to take effect are listed below. This list is not exhaustive; to see a complete list, run ldapsearch and search for the nsslapd-requiresrestart attribute. For example:

ldapsearch -p 389 -D "cn=directory manager" -w password -s sub -b cn=config "(objectclass=*)" | grep nsslapd-requiresrestart

nsslapd-cachesize, nsslapd-certdir, nsslapd-dbcachesize, nsslapd-plugin, nsslapd-dbncache, nsslapd-changelogdir, nsslapd-changelogmaxage, nsslapd-port, n…
461. …ues: Description; Default Value: ; Syntax: DirectoryString; Example: nssnmpdescription: Employee directory instance

2.3.13.6. nssnmpmasterhost: nssnmpmasterhost is deprecated. This attribute is deprecated with the introduction of net-snmp. The attribute still appears in dse.ldif, but without a default value.

Entry DN: cn=SNMP,cn=config; Valid Values: machine hostname or localhost; Default Value: <blank>; Syntax: DirectoryString; Example: nssnmpmasterhost: localhost

2.3.13.7. nssnmpmasterport: The nssnmpmasterport attribute was deprecated with the introduction of net-snmp. The attribute still appears in dse.ldif, but without a default value.

Entry DN: cn=SNMP,cn=config; Valid Values: Operating system dependent port number (see the operating system documentation for further information); Default Value: <blank>; Syntax: Integer; Example: nssnmpmasterport: 199

2.3.14. SNMP Statistic Attributes: Table 2.8, "SNMP Statistic Attributes", contains read-only attributes which list the statistics available for LDAP and SNMP clients. Unless otherwise noted, the value for the given attribute is the number of requests received by the server or results returned by the server since startup. Some of these attributes are not used by or are not…
463. …ult limit will be overridden. Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.

Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config; Valid Range: -1 to the maximum 32-bit integer, in entries (where -1 is unlimited); Default Value: 5000; Syntax: Integer; Example: nsLookThroughLimit: 5000

3.4.1.2. nsslapd-idlistscanlimit: This performance-related attribute, present by default, specifies the number of entry IDs that are searched during a search operation. Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem. It is advisable to keep the default value to improve search performance. For a more detailed explanation of the effect of ID lists on search performance, refer to the Managing Indexes chapter in the Directory Server Administrator's Guide. The server has to be restarted for changes to this attribute to go into effect.

Entry DN: cn=config,cn=ldbm database,cn=plugins,cn=config; Valid Range: 100 to the maximum 32-bit integer value (2147483647), in entry IDs; Default Value: 4000; Syntax: Integer; Example: nsslapd-idlis…
464. …ulti- or Single-Valued: Multi-valued; Defined in: Directory Server

2.5.2.8. cirReplicaRoot: In consumer-initiated replication, this attribute gives the DN of the subtree to replicate. OID: 2.16.840.1.113730.3.1.79; Syntax: DN; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server

2.5.2.9. cirSyncInterval: In consumer-initiated replication, this sets the time interval between sending updates. OID: 2.16.840.1.113730.3.1.89; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server

2.5.2.10. cirUpdateFailedAt: For consumer-initiated replication, this attribute shows the time of the last failed update attempt. OID: 2.16.840.1.113730.3.1.88; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server

2.5.2.11. cirUpdateSchedule: For consumer-initiated replication, this attribute sets the schedule for replication. OID: 2.16.840.1.113730.3.1.87; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server

2.5.2.12. cirUsePersistentSearch: This attribute sets whether to use persistent connections with consumer-initiated replication. OID: 2.16.840.1.113730.3.1.83; Syntax: DirectoryString; Multi- or Single-Valued: Multi-valued; Defined in: Directory Server

2.5.2.13. cirUseSSL: For consumer-initiated replication, this attribut…
466. …unction or purpose of the phrase being highlighted.

Monospace font: Monospace is used for commands, package names, files and directory paths, and any text displayed in a prompt.

Monospace with a background: This type of formatting is used for anything entered or returned in a command prompt.

Italicized text: Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase.

Bolded text: Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here field or Save button.

Other formatting styles draw attention to important text.

NOTE: A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue.

IMPORTANT: Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.

WARNING: A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.

3. Additional Reading: The Directory Server Administrator's Guide describes how to set up, configure, and administer Red Hat Directory Server and its contents; this manual does not describe many of the basic directory and architectural concepts that you need to deploy, install, and administer a dir…
467. …unctions called in the course of the bind, and any other operations as well. Example 5.7, "Access Control Summary Logging", shows the summary access control log entry.

[09/Jan/2009:16:02:01 -0500] NSACLPlugin - conn=24826547353419844 op=1 binddn="uid=scarter,ou=people,dc=example,dc=com"
[09/Jan/2009:16:02:01 -0500] NSACLPlugin - conn=24826547353419844 op=1 (main): Allow search on entry(ou=people,dc=example,dc=com).attr(uid) to uid=scarter,ou=people,dc=example,dc=com: allowed by aci(2): aciname="Enable anonymous access", acidn="dc=example,dc=com"

Example 5.7. Access Control Summary Logging

5.3. Audit Log Reference: The audit log records changes made to the server instance. Unlike the error and access log, the audit log does not record access to the server instance, so searches against the database are not logged. The audit log is formatted differently than the access and error logs, and is basically like a time-stamped LDIF file. The operations recorded in the audit log are formatted as LDIF statements:

timestamp: date
dn: modified_entry
changetype: action
action: attribute
attribute: new_value
-
replace: modifiersname
modifiersname: dn
-
replace: modifytimestamp
modif…
468. …uration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.

nsslapd-accesslog-logging-enabled: on, nsslapd-accesslog: empty string: Disabled
nsslapd-accesslog-logging-enabled: on, nsslapd-accesslog: filename: Enabled
nsslapd-accesslog-logging-enabled: off, nsslapd-accesslog: empty string: Disabled
nsslapd-accesslog-logging-enabled: off, nsslapd-accesslog: filename: Disabled

Table 2.2. dse.ldif File Attributes

Entry DN: cn=config; Valid Values: Any valid filename; Default Value: /var/log/dirsrv/slapd-instance_name/access; Syntax: DirectoryString; Example: nsslapd-accesslog: /var/log/dirsrv/slapd-instance_name/access

2.3.1.2. nsslapd-accesslog-level (Access Log Level): This attribute controls what is logged to the access log.

Entry DN: cn=config; Valid Values: 0 (no access logging), 4 (logging for internal access operations), 256 (logging for connections, operations, and results), 512 (logging for access to an entry and referrals), 131072 (provides microsecond operation timing). These values can be added together to provide the exact type of logging required; for example, 516 (4 + 512) to obt…
469. …urned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with an appropriate value. The criticality of the request control is set to false to ensure that all LDAPv3 servers that do not understand the control can ignore it. To suppress sending of the request control with the bind request, include -g on the command line.

-h: Specifies the name of the host on which the server is running. For example: -h cyclops

-p: Specifies the port number that the server uses. For example: -p 1049. The default is 389. If -Z is used, the default is 636.

-q: Causes each add to be performed silently, as opposed to being echoed to the screen individually.

-w: Specifies the password associated with the distinguished name specified in the -D option. For example: -w mypassword. If a dash (-) is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line.

Table 6.11. Commonly Used ldapmodify Options

SSL Options: Use the following command line options to specify that ldapmodify is to use LDAP over SSL (LDAPS) when communicating with the Directory Server. LDAPS encrypts data during transit. Also use these options for certificate-based authentication. These options are valid only when SSL has bee…
470. …urs, the following message is written to the Directory Server's error log file: Not listening for new connections -- too many fds open. See Section 2.3.1.38, "nsslapd-conntablesize", for more information about increasing the number of incoming connections.

NOTE: UNIX shells usually have configurable limits on the number of file descriptors. See the operating system documentation for further information about limit and ulimit, as these limits can often cause problems.

The server has to be restarted for changes to this attribute to go into effect.

Entry DN: cn=config; Valid Range: 1 to 65535; Default Value: ; Syntax: Integer

2.3.1.78. nsslapd-maxsasliosize (Maximum SASL Packet Size): When a user is authenticated to the Directory Server over SASL GSS-API, the server must allocate a certain amount of memory to the client to perform LDAP operations, according to how much memory the client requests. It is possible for an attacker to send such a large packet size that it crashes the Directory Server or ties it up indefinitely as part of a denial of service attack. The packet size which the Directory Server will allow for SASL clients can be limited using the nsslapd-maxsasliosize attribute. This attribute sets the maximum allowed SASL IO packet size that the server will accept. When an incoming SASL IO packet is larger than the nsslapd-maxsas…
471. …ust be copied into the schema directory, or the schema will be lost when the server

The schema reload task is initiated through the command line by creating a special task entry which defines the parameters of the task and initiates the task. As soon as the task is complete, the task entry is removed from the directory. For example:

dn: cn=example schema reload,cn=schema reload task,cn=tasks,cn=config
objectclass: extensibleObject
cn: example schema reload
schemadir: /export/schema

The cn=schema reload task entry is a container entry for schema reload operations. The cn=schema reload task entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID,cn=schema reload task,cn=tasks,cn=config, uses the schema reload attributes to define the individual reload task.

cn: The cn attribute is used to identify a new task operation to initiate. The cn attribute value can be anything, as long as it defines a new task.

Entry DN: cn=task_name,cn=schema reload task,cn=tasks,cn=config; Valid Values: Any string; Default Value: ; Syntax: DirectoryString; Example: cn: example reload task ID

schemadir: This contains the full path to the directory containing the custom schema file.

Entry DN: cn=task_name,cn=schema reload task,cn=tasks,cn=config; Valid Values: Any local directory…
472. …ver. Directory Server provides logs to help monitor directory activity. Monitoring helps quickly detect and remedy failures and, where done proactively, anticipate and resolve potential problems before they result in failure or poor performance. Part of monitoring the directory effectively is understanding the structure and content of the log files. This chapter does not provide an exhaustive list of log messages. However, the information presented in this chapter serves as a good starting point for common problems and for better understanding the information in the access, error, and audit logs. Logs are kept per Directory Server instance and are located in the /var/log/dirsrv/slapd-instance_name directory.

5.1. Access Log Reference: The Directory Server access log contains detailed information about client connections to the directory. A connection is a sequence of requests from the same client with the following structure:

- Connection record, which gives the connection index and the IP address of the client
- Bind record
- Bind result record
- Sequence of operation request / operation result pairs of records (or individual records in the case of connection closed and abandon records)
- Unbind record
- Closed record

Every line begins with a timestamp, [21/Apr/2009:11:39:51 -0700], the format of which may vary depending on the platform. -0700 indicates the time difference in relation to GMT. Apart from the connect…
474. …x: DirectoryString; Example: nsslapd-schema-ignore-trailing-spaces: on

2.3.1.97. nsslapd-schemacheck (Schema Checking): This attribute sets whether the database schema is enforced when entries are added or modified. When this attribute has a value of on, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database. The default schema can be extended using the object classes and attribute types. For information on how to extend the schema using the Directory Server Console, see the Extending the Directory Schema chapter in the Directory Server Administrator's Guide.

WARNING: Red Hat strongly discourages turning off schema checking. This can lead to severe interoperability problems. This is typically used for very old or non-standard LDAP data that must be imported into the Directory Server. If there are not a lot of entries that have this problem, consider using the extensibleObject object class in those entries to disable schema checking on a per-entry basis.

Entry DN: cn=config; Valid Values: on | off; Default Value: on; Syntax: DirectoryString; Example: nsslapd-schemacheck: on

2.3.1.98. nsslapd-schemadir: This is the absolute path to the directory containing the Directory Server instance-specific schema files. When the server starts up, it reads the schema files…
475. …y can be searched and modified using LDAP, either via the Directory Server Console or by performing ldapsearch and ldapmodify operations, in the same way as other directory entries. The advantage of using LDAP to modify entries is that changes can be made while the server is running. For further information, see the Creating Directory Entries chapter in the Directory Server Administrator's Guide. However, certain changes do require the server to be restarted before they are taken into account. See Section 2.2.2.3, "Configuration Changes Requiring Server Restart", for further information.

NOTE: As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree, as this risks affecting Directory Server functionality.

Changing Configuration Attributes: The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:

ldapsearch -b cn=config -D bindDN -w password

- bindDN is the DN chosen for the Directory Manager when the server was installed (cn=Directory Manager by default).
- password is the password chosen for the Directory Manager.

For more information on using ldapsearch, see Section 6.4, "ldapsearch".

To disable a plug-in, use ldapmodify to edit the nsslapd-pluginEnabled attribute:

ldapmodify -D "cn=directory manager" -w password
dn: cn=Telephone Syntax,cn=plugins,cn=config
change…
476. …y the Directory Server instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of Directory Server. For the database monitoring, the entrycachehits and entrycachetries counters use 64-bit integers.

NOTE: The nsslapd-counters attribute enables 64-bit support for these specific database and server counters. The counters which use 64-bit integers are not configurable; the 64-bit integers are either enabled for all the allowed counters or disabled for all allowed counters.

nsslapd-db-abort-rate: This attribute shows the number of transactions that have been aborted.
nsslapd-db-active-txns: This attribute shows the number of transactions that are currently active.
nsslapd-db-cache-hit: This attribute shows the requested pages found in the cache.
nsslapd-db-cache-try: This attribute shows the total cache lookups.
nsslapd-db-cache-region-wait-rate: This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-cache-size-bytes: This attribute shows the total cache size in bytes.
nsslapd-db-clean-pages: This attribute shows the clean pages currently in the cache.
nsslapd-db-commit-rate: This attribute shows the number of transactions that have been committed.
nsslapd-db-deadlock-rate: This attribute shows the number of deadlocks detecte…
477. …y the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: See the Internationalization appendix and the section on Searching an Internationalized Directory in the Finding Directory Entries appendix in the Directory Server Administrator's Guide.

3.1.18. JPEG Syntax Plug-in: Plug-in Name: JPEG Syntax Plug-in; DN of Configuration Entry: cn=JPEG Syntax,cn=plugins,cn=config; Description: Syntax for JPEG data; Configurable Options: on | off; Default Setting: on; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. Further Information:

3.1.19. ldbm database Plug-in: Plug-in Name: ldbm database Plug-in; DN of Configuration Entry: cn=ldbm database,cn=plugins,cn=config; Description: Implements local databases; Configurable Options: ; Default Setting: on; Configurable Arguments: None; Dependencies: None; Performance Related Information: See Section 3.4, "Database Plug-in Attributes", for further information on database configuration. Further Information: See the Configuring Directory Databases chapter in the Dir…
478. …ytimestamp: date

LDIF files and formats are described in more detail in the LDAP Data Interchange Format appendix of the Administrator's Guide. Several different kinds of audit entries are shown in Example 5.8, "Audit Log Content".

# modifying an entry
time: 20090108181429
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}8EcJhJoIgBgY E5j8JiVoj 6W3BLyj 9Za rCPOw
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20090108231429Z
-

# modifications to o=NetscapeRoot from logging into the Console
time: 20090108182758
dn: cn=general,ou=1.1,ou=console,ou=cn=directory manager,ou=userpreferences,ou=example.com,o=netscaperoot
changetype: modify
replace: nsPreference
nsPreference: IwojVGh1IEphbiAwOCAxODoyNzo10CBFU1QgMj AwOQpXaWROaDO3NZAKU2Zhvd1i NOYXR1icOJhcj10cnVIC1Nob3dCYW5uZXJCYXI9dHJ1ZQpZPTI3Z0ApYPTI50ApIZwinaHQONTE4Cg
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20090108232758Z
-

# sending a replication update
time: 20090109131811
dn: cn=example2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifyt…
479. …zed and how to alter it. The chapter also provides an alphabetical reference for all attributes.

2.1. Overview of the Directory Server Configuration: When the Directory Server is set up, its default configuration is stored as a series of LDAP entries within the directory under the subtree cn=config. When the server is started, the contents of the cn=config subtree are read from a file (dse.ldif) in LDIF format. This dse.ldif file contains all of the server configuration information. The latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called dse.ldif.startOK.

Many of the features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax Plug-in is contained in this entry: cn=Telephone Syntax,cn=plugins,cn=config. Similarly, database-specific configuration is stored under cn=ldbm database,cn=plugins,cn=config for local databases and cn=chaining database,cn=plugins,cn=config for database links.

The following diagram illustrates how the configuration data fits within the cn=config directory information tree. [Diagram: child entries of cn=config shown include cn=features, cn=mapping tree, cn=plugins, cn=sasl, cn=SNMP, cn=tasks, cn=uniqueid…]
