HP-UX Directory Server configuration, command, and file reference HP-UX Directory Server Version 8.
© Copyright 2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 Introduction  15
1.1 Directory Server configuration  15
1.2 Directory Server instance file reference  15
1.3 Using Directory Server command-line utilities ...
2.3.1.29 nsslapd-auditlog-logrotationtime (Audit log rotation time)  34
2.3.1.30 nsslapd-auditlog-logrotationtimeunit (Audit log rotation time unit)  34
2.3.1.31 nsslapd-auditlog-maxlogsize (Audit log maximum log size)  35
2.3.1.32 nsslapd-auditlog-maxlogsperdir (Audit log maximum number of log files)  35
2.3.1.33 nsslapd-auditlog-mode (Audit log file permission) ...
2.3.1.84 nsslapd-return-exact-case (Return exact case)  55
2.3.1.85 nsslapd-rewrite-rfc1274  55
2.3.1.86 nsslapd-rootdn (Manager DN)  56
2.3.1.87 nsslapd-rootpw (Root password)  56
2.3.1. ...
2.3.3.3 nsSSL2  74
2.3.3.4 nsSSL3  74
2.3.3.5 nsssl3ciphers  75
2.3.4 cn=features,cn=config ...
2.3.9.3 nsds7NewWinGroupSyncEnabled  91
2.3.9.4 nsds7NewWinUserSyncEnabled  91
2.3.9.5 nsds7WindowsDomain  92
2.3.9.6 nsds7WindowsReplicaSubtree  92
2.3.9. ...
3.1.25 Password Storage Schemes  122
3.1.26 Postal address string syntax plug-in  123
3.1.27 PTA plug-in  124
3.1.28 Referential integrity postoperation plug-in ...
3.4.1.27 nsslapd-mode  143
3.4.1.28 nsslapd-search-bypass-filter-test  144
3.4.1.29 nsslapd-search-use-vlv-index  144
3.4.1.30 nsslapd-serial-lock ...
3.5.3 Database link attributes under cn=database_link_name, cn=chaining database, cn=plugins, cn=config  159
3.5.3.1 nsBindMechanism  159
3.5.3.2 nsFarmServerURL  160
3.5. ...
5.1.2.8 Tag number  175
5.1.2.9 Number of entries  176
5.1.2.10 Elapsed time  176
5.1.2.11 LDAP request type ...
6.8.1 ldif syntax  212
6.8.2 ldif options  212
6.9 dbscan  212
6.9.1 dbscan syntax ...
8.2.1 HP-UX Directory Server documentation set  240
8.2.2 HP-UX documentation set  241
8.2.3 Troubleshooting resources  241
8.3 Typographic conventions ...
1 Introduction The HP-UX Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed to manage large scale directories to support an enterprise-wide directory of users and resources, extranets, and e-commerce applications over the Internet. The Directory Server runs as the ns-slapd process or service on the machine. The server manages the directory databases and responds to client requests.
1.4 Using Directory Server command-line scripts In addition to command-line utilities, several non-configurable scripts are provided with the Directory Server that make it quick and easy to perform routine server administration tasks from the command-line. Chapter 7 “Command-line scripts” lists the most frequently used scripts and contains information on where the scripts are stored and how to access them.
2 Core server configuration reference The configuration information for the HP-UX Directory Server is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files.
This directory also contains other server instance-specific configuration files. Schema configuration is also stored in LDIF format. The master schema directory is /etc/opt/dirsrv/schema, and the instance-specific schema directory is /etc/opt/dirsrv/slapd-instance_name/schema. The following table lists all the configuration files that are supplied with the Directory Server, including those for the schema of other compatible servers.
Table 2-1 Directory Server LDIF configuration files (continued)
Configuration file name    Purpose
50ns-mail.ldif             Schema used by Netscape Messaging Server to define mail users and mail groups.
50ns-value.ldif            Schema for servers' value item attributes.
50ns-web.ldif              Schema for Netscape Web Server.
60pam-plugin.ldif          Reserved for future use.
99user.ldif                User-defined schema maintained by Directory Server replication consumers, which contains the attributes and object classes from the suppliers.
2.1.
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
Some of these attributes are common to all plug-ins, and some may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing a search with the ldapsearch utility on the cn=config subtree.
• Members of the local Directory Administrators group.
• The SIE (Server Instance Entry) group, usually assigned using the Set Access Permissions process in the main console.
For more information on access control, see the HP-UX Directory Server administrator guide.
2.2.2 Changing configuration attributes
Server attributes can be viewed and changed in one of three ways: through the Directory Server Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.
2.2.2.2 Restrictions to modifying configuration entries and attributes
Certain restrictions apply when modifying server entries and attributes:
• The cn=monitor entry and its child entries are read-only and cannot be modified, except to manage ACIs.
• If an attribute is added to cn=config, the server ignores it.
• If an invalid value is entered for an attribute, the server ignores it.
Figure 2-2 Directory information tree showing configuration data Most of these configuration tree nodes are covered in the following sections. The cn=plugins node is covered in Chapter 3 “Plug-in implemented server functionality reference”. The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.
For access logging to be enabled, the nsslapd-accesslog attribute must contain a valid path, and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. Table 2-2 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
flushed to the file. Disabling log buffering can severely impact performance in heavily loaded servers.
Entry DN: cn=config
Valid Values: on or off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-accesslog-logbuffering: off
2.3.1.5 nsslapd-accesslog-logexpirationtime (Access log expiration time)
This attribute specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units.
Syntax: DirectoryString
Example: nsslapd-accesslog-logging-enabled: off
For access logging to be enabled, this attribute must be switched to on, and the nsslapd-accesslog configuration attribute must contain a valid path. Table 2-3 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
2.3.1.10 nsslapd-accesslog-logrotationsync-enabled (Access log rotation sync enabled) This attribute sets whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
2.3.1.13 nsslapd-accesslog-logrotationtime (Access log rotation time) This attribute sets the time between access log file rotations. The access log is rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
Syntax: Integer
Example: nsslapd-accesslog-maxlogsize: 100
2.3.1.16 nsslapd-accesslog-maxlogsperdir (Access log maximum number of log files)
This attribute sets the total number of access logs that can be contained in the directory where the access log is stored. Each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored in this attribute, then the oldest version of the log file is deleted.
NOTE: Any umask set for the runtime user of the Directory Server causes the effective mode to be more restrictive.
Entry DN: cn=config
Valid Range: 000 through 777
Default Value: 600
Syntax: Integer
Example: nsslapd-accesslog-mode: 600
2.3.1.18 nsslapd-attribute-name-exceptions
This attribute allows non-standard characters in attribute names to be used for backwards compatibility with older servers, such as "_" in schema-defined attributes.
Table 2-4 Attribute values for enabling or disabling audit logging (continued)
Value of the nsslapd-auditlog attribute    Value of the nsslapd-auditlog-logging-enabled attribute    Resulting logging state
empty string                               off                                                         Disabled
filename                                   off                                                         Disabled
2.3.1.20 nsslapd-auditlog-list
Provides a list of audit log files.
Entry DN: cn=config
Valid Values: (not specified)
Default Value: None
Syntax: DirectoryString
Example: nsslapd-auditlog-list: auditlog2,auditlog3
2.3.1.
2.3.1.23 nsslapd-auditlog-logging-enabled (Audit log enable logging)
Turns audit logging on and off.
Entry DN: cn=config
Valid Values: on or off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-auditlog-logging-enabled: off
For audit logging to be enabled, this attribute must be switched to on, and the nsslapd-auditlog configuration attribute must contain a valid path.
2.3.1.25 nsslapd-auditlog-logminfreediskspace (Audit log minimum free disk space) This attribute sets the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest audit logs are deleted until enough disk space is freed to satisfy this attribute.
2.3.1.28 nsslapd-auditlog-logrotationsyncmin (Audit log rotation sync minute)
This attribute sets the minute of the day for rotating audit logs. This attribute must be used in conjunction with the nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsynchour attributes.
Entry DN: cn=config
Valid Range: 0 through 59
Default Value: None (because nsslapd-auditlog-logrotationsync-enabled is off)
Syntax: Integer
Example: nsslapd-auditlog-logrotationsyncmin: 30
2.3.1.
2.3.1.31 nsslapd-auditlog-maxlogsize (Audit log maximum log size)
This attribute sets the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That means the server starts writing log information to a new log file. If nsslapd-auditlog-maxlogsperdir is set to 1, the server ignores this attribute. When setting a maximum log size, consider the total number of log files that can be created due to log file rotation.
Digit    Description                 Digit    Description
2        Write only                  6        Read and write
3        Write and execute           7        Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
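As an added example (not part of the HP-UX Directory Server product or its documentation), the following Python script takes a cn=config fragment in dse.ldif form and applies the rules stated in the sections above: a log is enabled only when its path attribute is non-empty and the matching -logging-enabled attribute is on (the combinations in Tables 2-2 through 2-4), and each -mode value is an octal permission that the runtime user's umask further restricts (the NOTE and the digit table above). The sample entry, its paths and the 022 umask are constructed assumptions; the checks for nsslapd-errorlog-mode use only the mode, since this excerpt does not show an enable attribute for the error log.

```python
# Added example (not HP-UX Directory Server code): audit the logging
# attributes of a cn=config entry against the rules in this reference.

# Constructed dse.ldif fragment (assumption: paths and values are made up).
# The access log path is folded over two lines to exercise LDIF unfolding.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-accesslog: /var/opt/dirsrv/slapd-example/
 log/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-mode: 600
nsslapd-auditlog: /var/opt/dirsrv/slapd-example/log/audit
nsslapd-auditlog-logging-enabled: off
nsslapd-auditlog-mode: 666
nsslapd-errorlog: /var/opt/dirsrv/slapd-example/log/errors
nsslapd-errorlog-mode: 640
"""


def parse_ldif_entry(text):
    """Return {attribute name (lowercased): [values]} for one LDIF entry.

    Continuation lines (leading space) are joined to the previous line
    first, as LDIF requires.  Base64 values (name:: value) are not
    decoded; none of the logging attributes use them.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def logging_state(attrs, log):
    """Two-attribute rule: the <log> log is enabled only when
    nsslapd-<log>log holds a non-empty path AND
    nsslapd-<log>log-logging-enabled is "on"."""
    path = attrs.get("nsslapd-%slog" % log, [""])[0]
    enabled = attrs.get("nsslapd-%slog-logging-enabled" % log, ["off"])[0]
    return "Enabled" if path and enabled.lower() == "on" else "Disabled"


def effective_mode(mode_str, umask=0o022):
    """Mode a newly created log file actually gets: the configured octal
    mode with the umask bits cleared (a umask can only take bits away)."""
    mode = int(mode_str, 8)
    if not 0 <= mode <= 0o777:
        raise ValueError("log mode must be 000..777, got %s" % mode_str)
    return mode & ~umask & 0o777


def mode_findings(mode_str, umask=0o022):
    """Permission bits on a log file that an auditor would flag."""
    eff = effective_mode(mode_str, umask)
    findings = []
    if eff == 0:
        findings.append("mode 000: nobody can read the log")
    if eff & 0o002:
        findings.append("world-writable: any local user can overwrite or truncate the log")
    if eff & 0o020:
        findings.append("group-writable")
    if eff & 0o004:
        findings.append("world-readable: bind DNs and search filters exposed to all users")
    return findings


def audit(dse_text, umask=0o022):
    """Report logging state (access, audit) and effective file modes
    (access, audit, error) for one cn=config entry."""
    attrs = parse_ldif_entry(dse_text)
    report = {}
    for log in ("access", "audit"):
        report[log] = {"state": logging_state(attrs, log)}
    for log in ("access", "audit", "error"):
        mode = attrs.get("nsslapd-%slog-mode" % log, ["600"])[0]  # 600 is the documented default
        entry = report.setdefault(log, {})
        entry["effective_mode"] = "%03o" % effective_mode(mode, umask)
        entry["findings"] = mode_findings(mode, umask)
    return report


if __name__ == "__main__":
    for log, info in audit(SAMPLE_DSE).items():
        print(log, info)
```

Note that in the sample the audit log's configured mode 666 is reported as 644 under umask 022: the umask, not the configuration, is what prevents the world-writable log the digit table warns about, and rerunning with umask=0 shows all three write/read findings. A reviewer should therefore read nsslapd-*-mode together with the service account's umask, not in isolation.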
to use for certificate mapping. For further information on configuring for SSL, see the "Managing SSL" chapter in the HP-UX Directory Server administrator guide.
2.3.1.36 nsslapd-config
This read-only attribute is the config DN.
Entry DN: cn=config
Valid Values: Any valid configuration DN
Default Value: (none)
Syntax: DirectoryString
Example: nsslapd-config: cn=config
2.3.1.
This parameter is enabled by default. To disable statistics tracking, stop the Directory Server, edit the dse.ldif file directly, and restart the Directory Server.
Entry DN: cn=config
Valid Values: on or off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-counters: on
2.3.1.39 nsslapd-csnlogging
This attribute sets whether change sequence numbers (CSNs), when available, are to be logged in the access log. By default, CSN logging is turned on.
Syntax: DirectoryString
Example: nsslapd-enquote-sup-oc: off
2.3.1.42 nsslapd-errorlog (Error log)
This attribute sets the path and file name of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they contain informative conditions, such as:
• Server startup and shutdown times.
• The port number that the server uses.
The default value for nsslapd-errorlog-level is 16384.
Entry DN: cn=config
Valid Values (the levels are bit flags and can be added together):
1 Trace function calls. Logs a message when the server enters and exits a function.
2 Debug packet handling.
4 Heavy trace output debugging.
8 Connection management.
16 Print out packets sent/received.
32 Search filter processing.
64 Config file processing.
128 Access control list processing.
1024 Log communications with shell databases.
2048 Log entry parsing debugging.
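Because the level is a bit mask, an administrator who wants ACL and search-filter diagnostics sets the sum of those flags plus whatever was already there, not just 128. The following Python helper, an added example that is not part of the product, decodes a level into the names listed above and composes new levels by OR-ing flags in rather than replacing the value. The values are exactly those in the list above; 16384 is documented here only as the default and its label in the table is an assumption.

```python
# Added example (not HP-UX Directory Server code): treat
# nsslapd-errorlog-level as the bit mask it is.

# Bit -> description, from the Valid Values list above.  16384 is the
# documented default but is not described in this excerpt (assumption).
ERRORLOG_LEVELS = {
    1: "Trace function calls",
    2: "Debug packet handling",
    4: "Heavy trace output debugging",
    8: "Connection management",
    16: "Print out packets sent/received",
    32: "Search filter processing",
    64: "Config file processing",
    128: "Access control list processing",
    1024: "Log communications with shell databases",
    2048: "Log entry parsing debugging",
    16384: "Default level (assumed meaning; listed only as the default value)",
}
KNOWN_MASK = sum(ERRORLOG_LEVELS)


def decode_errorlog_level(value):
    """Return (descriptions of the known bits set, residual unknown bits).

    A non-zero residual means the configured value contains a bit this
    table does not know; check the full product reference before trusting
    the value.
    """
    if not isinstance(value, int) or value < 0:
        raise ValueError("nsslapd-errorlog-level must be a non-negative integer")
    names = [ERRORLOG_LEVELS[bit] for bit in sorted(ERRORLOG_LEVELS) if value & bit]
    return names, value & ~KNOWN_MASK


def _check_flags(flags):
    for flag in flags:
        if flag not in ERRORLOG_LEVELS:
            raise ValueError("unknown errorlog flag %r" % (flag,))


def add_errorlog_flags(current, *flags):
    """OR flags into the current level.  Replacing the level with a single
    flag (for example writing 128) silently drops the default level
    16384; OR-ing keeps it."""
    _check_flags(flags)
    result = current
    for flag in flags:
        result |= flag
    return result


def remove_errorlog_flags(current, *flags):
    """Clear flags from the current level, leaving the others untouched."""
    _check_flags(flags)
    result = current
    for flag in flags:
        result &= ~flag
    return result


if __name__ == "__main__":
    level = add_errorlog_flags(16384, 128, 32)
    print(level, decode_errorlog_level(level))
```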
2.3.1.45 nsslapd-errorlog-logexpirationtime (Error log expiration time)
This attribute sets the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit attribute.
Entry DN: cn=config
Valid Range: -1 to the maximum 32-bit integer value (2147483647). A value of -1 or 0 means that the log never expires.
log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the error log.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the disk space allowed to the error log is unlimited in size.
Default Value: 500
Syntax: Integer
Example: nsslapd-errorlog-logmaxdiskspace: 500
2.3.1.
2.3.1.51 nsslapd-errorlog-logrotationsynchour (Error log rotation sync hour)
This attribute sets the hour of the day for rotating error logs. This attribute must be used in conjunction with the nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsyncmin attributes.
Entry DN: cn=config
Valid Range: 0 through 23
Default Value: 0
Syntax: Integer
Example: nsslapd-errorlog-logrotationsynchour: 23
2.3.1.
2.3.1.54 nsslapd-errorlog-logrotationtimeunit (Error log rotation time unit)
This attribute sets the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, then the log never expires.
Entry DN: cn=config
Valid Values: month | week | day | hour | minute
Default Value: week
Syntax: DirectoryString
Example: nsslapd-errorlog-logrotationtimeunit: day
2.3.1.
2.3.1.57 nsslapd-errorlog-mode (Error log file permission) This attribute sets the access mode or file permissions with which error log files are to be created. The valid values are any combination of 000 to 777 because they mirror numbered or absolute UNIX file permissions.
Use the nsIdleTimeout operational attribute, which can be added to user entries, to override the value assigned to this attribute. For details, see the "Setting Resource Limits Based on the Bind DN" section in the HP-UX Directory Server administrator guide.
Entry DN: cn=config
Valid Range: 0 to the maximum 32-bit integer value (2147483647)
Default Value: 0
Syntax: Integer
Example: nsslapd-idletimeout: 0
2.3.1.
CAUTION: This attribute should never be turned off. If nsslapd-lastmod is set to off, then generating nsUniqueIDs is also disabled, replication does not work, and other issues may arise. If for some reason this attribute has been set to off, the solution is to export the database to LDIF (using db2ldif or db2ldif.pl, or from the console), set the value to on, and import the data. The import process assigns each entry a unique id.
2.3.1.
Default Value: (none)
Syntax: DirectoryString
Example: nsslapd-listenhost: ldap.example.com
NOTE: The host name value can be a relocatable IP address.
2.3.1.66 nsslapd-localhost (Local host)
This attribute specifies the host machine on which the Directory Server runs. This attribute is used to create the referral URL that forms part of the MMR protocol.
Default Value: /var/opt/dirsrv/slapd-instance_name/lock
Syntax: DirectoryString
Example: nsslapd-lockdir: /var/opt/dirsrv/slapd-example/lock
2.3.1.69 nsslapd-maxbersize (Maximum message size)
Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by the Directory Server. Limiting the size of requests prevents some kinds of denial of service attacks. The limit applies to the total size of the LDAP request.
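The reason this limit is cheap to enforce is that every LDAP message is a BER SEQUENCE whose length octets arrive before its body: the server can refuse an oversized request after reading only the header, before it allocates a buffer for the body. The following Python code is an added example (not the server's own implementation) of that check. It encodes and decodes BER lengths (short form, long form, and rejection of the indefinite form, which LDAP does not allow) and compares the declared length with the limit. The 2097152-byte default used here and the constructed bind request bytes are assumptions, since the default value of nsslapd-maxbersize is not shown in this excerpt.

```python
# Added example (not HP-UX Directory Server code): the size check that
# nsslapd-maxbersize makes possible, performed on the BER header alone.

ASSUMED_MAXBERSIZE = 2097152  # assumption: 2 MB, not stated in this excerpt


class BerError(ValueError):
    """Malformed or over-limit BER header."""


def encode_ber_length(n):
    """BER length octets: one octet below 128, otherwise 0x80|count
    followed by the big-endian length."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_ldap_message(body, tag=0x30):
    """Wrap a body in the outer SEQUENCE (tag 0x30) every LDAPMessage uses."""
    return bytes([tag]) + encode_ber_length(len(body)) + body


def read_ber_header(data, maxbersize=ASSUMED_MAXBERSIZE):
    """Decode (tag, declared length, header size) from the first bytes of
    a message and enforce the limit.  Nothing beyond the header is read,
    so an attacker cannot force a large allocation with a small packet."""
    if len(data) < 2:
        raise BerError("need at least a tag and one length octet")
    tag, first = data[0], data[1]
    if first < 0x80:                    # short form: the octet is the length
        length, hdr_len = first, 2
    elif first == 0x80:                 # indefinite form: not permitted in LDAP
        raise BerError("indefinite length is not permitted in LDAP")
    else:                               # long form: low 7 bits = number of length octets
        count = first & 0x7F
        if count > 8:
            raise BerError("length field of %d octets is not plausible" % count)
        if len(data) < 2 + count:
            raise BerError("truncated length field")
        length = int.from_bytes(data[2:2 + count], "big")
        hdr_len = 2 + count
    if length > maxbersize:
        raise BerError("declared length %d exceeds nsslapd-maxbersize %d"
                       % (length, maxbersize))
    return tag, length, hdr_len


def is_rejected(data, maxbersize=ASSUMED_MAXBERSIZE):
    """True if the header check would refuse this message."""
    try:
        read_ber_header(data, maxbersize)
    except BerError:
        return True
    return False


def accept_message(data, maxbersize=ASSUMED_MAXBERSIZE):
    """Server-side decision for one buffered message: the header passes
    the limit and the whole body has arrived."""
    tag, length, hdr_len = read_ber_header(data, maxbersize)
    return len(data) >= hdr_len + length


# Constructed sample: messageID 1, anonymous simple BindRequest (version 3).
SAMPLE_BIND = build_ldap_message(b"\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00")

# Constructed sample: a header that claims a 10,000,000-byte body.
SAMPLE_OVERSIZED = b"\x30\x84" + (10_000_000).to_bytes(4, "big")

if __name__ == "__main__":
    print(read_ber_header(SAMPLE_BIND), is_rejected(SAMPLE_OVERSIZED))
```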
is refusing connections because it is out of file descriptors. When this occurs, the following message is written to the Directory Server's error log file: Not listening for new connections -- too many fds open See “nsslapd-conntablesize” for more information about increasing the number of incoming connections. NOTE: UNIX shells usually have configurable limits on the number of file descriptors.
This attribute value is specified in bytes.
Entry DN: cn=config
Valid Range: -1 (unlimited) to the maximum 32-bit integer value (2147483647) on 32-bit systems; -1 (unlimited) to the maximum 64-bit integer value (9223372036854775807) on 64-bit systems
Default Value: 2097152 (2MB)
Syntax: Integer
Example: nsslapd-maxsasliosize: 5000000
2.3.1.73 nsslapd-maxthreadsperconn (Maximum threads per connection)
Defines the maximum number of threads that a connection can use.
2.3.1.75 nsslapd-outbound-ldap-io-timeout
This attribute limits the I/O wait time for all outbound LDAP connections such as those established for replication. The default is 300000 milliseconds (5 minutes). A value of 0 means that the server does not impose a limit on I/O wait time.
Entry DN: cn=config
Valid Range: 0 to the maximum 32-bit integer value (2147483647)
Default Value: 300000
Syntax: DirectoryString
Example: nsslapd-outbound-ldap-io-timeout: 300000
2.3.1.
Syntax: DirectoryString
Example: nsslapd-privatenamespaces: cn=config
2.3.1.79 nsslapd-pwpolicy-local (Enable subtree- and user-level password policy)
Turns fine-grained (subtree- and user-level) password policy on and off. If this attribute has a value of off, all entries in the directory (except for cn=Directory Manager) are subject to the global password policy; the server ignores any defined subtree- or user-level password policy.
NOTE: To use SSL and TLS communications, the referral attribute should be in the form ldaps://server-location. Start TLS does not support referrals.
For more information on managing referrals, see the "Configuring Directory Databases" chapter in the HP-UX Directory Server administrator guide.
Entry DN: cn=config
Valid Values: Any valid LDAP URL in the form ldap://server-location
Default Value: (none)
Syntax: DirectoryString
Example: nsslapd-referral: ldap://ldap.example.com
2.3.1.
clients to search alternative directory replicas. See “nsslapd-conntablesize” for information about file descriptor usage for incoming connections. To assist in computing the number of file descriptors set for this attribute, use the following formula:
nsslapd-reservedescriptor = 20 + (NldbmBackends * 4) + NglobalIndex + ReplicationDescriptor + ChainingBackendDescriptors + PTADescriptors + SSLDescriptors
Where:
• NldbmBackends is the number of ldbm databases.
This attribute is used only for LDAPv2 clients that require attribute types to be returned with their RFC 1274 names. Set the value to on for those clients. The default is off. 2.3.1.86 nsslapd-rootdn (Manager DN) This attribute sets the distinguished name (DN) of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory, or resource limits in general.
2.3.1.88 nsslapd-rootpwstoragescheme (Root password storage scheme)
This attribute sets the password storage scheme (the hashing method) used for the root password.
Entry DN: cn=config
Valid Values: Any storage scheme as described in “passwordStorageScheme (Password storage scheme)”.
Default Value: SSHA
Syntax: DirectoryString
Example: nsslapd-rootpwstoragescheme: SSHA
2.3.1.89 nsslapd-saslpath
Sets the absolute path to the directory containing the Cyrus-SASL SASL2 plug-ins.
Default Value: off
Syntax: DirectoryString
Example: nsslapd-schema-ignore-trailing-spaces: on
2.3.1.91 nsslapd-schemacheck (Schema checking)
This attribute sets whether the database schema is enforced when entries are added or modified. When this attribute has a value of on, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database.
2.3.1.93 nsslapd-schemareplace Determines whether modify operations that replace attribute values are allowed on the cn=schema entry. The default setting allows only the replication protocol to perform a complete schema replacement; normal clients are limited to adding and deleting individual schema definitions. HP recommends that the default setting not be modified.
The server has to be restarted for the port number change to be taken into account.
Entry DN: cn=config
Valid Range: 1 to 65535
Default Value: 636
Syntax: Integer
Example: nsslapd-securePort: 636
2.3.1.96 nsslapd-security (Security)
This attribute sets whether the Directory Server is to accept TLS/SSL communications on its encrypted port. This attribute should be set to on for secure connections.
2.3.1.98 nsslapd-ssl-check-hostname (Verify host name for outbound connections) This attribute determines whether an SSL-enabled Directory Server should verify authenticity of peer servers by matching their host name against the value assigned to the common name (cn) attribute of the subject name (subjectDN field) in the certificate being presented. By default, the attribute is set to on.
When no limit is set, ns-slapd returns every matching entry to the client regardless of the time it takes. To set a no limit value whereby Directory Server waits indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file. A value of zero (0) causes no time to be allowed for searches. The smallest time limit is 1 second.
NOTE: A value of -1 on this attribute in the dse.
For more information on password policies, see the "Managing Users and Passwords" chapter in the HP-UX Directory Server administrator guide.
Entry DN: cn=config
Valid Values: on or off
Default Value: on
Syntax: DirectoryString
Example: passwordChange: on
2.3.1.105 passwordCheckSyntax (Check password syntax)
This attribute sets whether the password syntax is checked before the password is saved.
For more information on password policies, see the "Managing Users and Passwords" chapter in the HP-UX Directory Server administrator guide.
Entry DN: cn=config
Valid Values: on or off
Default Value: off
Syntax: DirectoryString
Example: passwordExp: on
2.3.1.107 passwordGraceLimit (Password expiration)
This attribute is only applicable if password expiration is enabled.
To prevent users from rapidly cycling through the number of passwords that are tracked, use the passwordMinAge attribute. For more information on password policies, see the "Managing Users and Passwords" chapter in the HP-UX Directory Server administrator guide.
Entry DN: cn=config
Valid Range: 2 to 24 passwords
Default Value: 6
Syntax: Integer
Example: passwordInHistory: 7
2.3.1.
For more information on password policies, see the "Managing Users and Passwords" chapter in the HP-UX Directory Server administrator guide.
Entry DN: cn=config
Valid Range: 1 to the maximum 32-bit integer value (2147483647) in seconds
Default Value: 3600
Syntax: Integer
Example: passwordLockoutDuration: 3600
2.3.1.113 passwordMaxAge (Password maximum age)
Indicates the number of seconds after which user passwords expire.
times; for example, 1 rejects characters that are used more than once (aa) and 2 rejects characters used more than twice (aaa).
Entry DN: cn=config
Valid Range: 0 to 64
Default Value: 0
Syntax: Integer
Example: passwordMaxRepeats: 1
2.3.1.116 passwordMin8Bit (Password syntax)
This sets the minimum number of 8-bit characters the password must contain.
NOTE: For the userPassword attribute to use this password policy constraint, the 7-bit checking plug-in must be disabled.
2.3.1.118 passwordMinAlphas (Password syntax)
This attribute sets the minimum number of alphabetic characters the password must contain.
Entry DN: cn=config
Valid Range: 0 to 64
Default Value: 0
Syntax: Integer
Example: passwordMinAlphas: 4
2.3.1.119 passwordMinCategories (Password syntax)
This sets the minimum number of character categories that are represented in the password. The categories are lower, upper, digit, special, and 8-bit.
For more information on password policies, see the "Managing Users and Passwords" chapter in the HP-UX Directory Server administrator guide.
Entry DN: cn=config
Valid Range: 2 to 512 characters
Default Value: 8
Syntax: Integer
Example: passwordMinLength: 6
2.3.1.122 PasswordMinLowers (Password syntax)
This attribute sets the minimum number of lower case letters the password must contain.
2.3.1.125 PasswordMinUppers (Password syntax)
This sets the minimum number of uppercase letters the password must contain.
Entry DN: cn=config
Valid Range: 0 to 64
Default Value: 0
Syntax: Integer
Example: passwordMinUppers: 2
2.3.1.126 passwordMustChange (Password must change)
Indicates whether users must change their passwords when they first bind to the Directory Server after the password has been created or reset by the Directory Manager.
The following password storage schemes are supported by the Directory Server:
• CLEAR means the password is stored in cleartext, with no hashing or encryption. This scheme must be used in order to use SASL DIGEST-MD5, because the server needs the plaintext password to verify that mechanism.
• SSHA (Salted Secure Hash Algorithm), the default, is the recommended method because it is the most secure of these schemes. There are several bit sizes available: 160 bits (the default, SHA-1 based), 256, 384, and 512.
• SHA (Secure Hash Algorithm) is included only for backward compatibility with 4.
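The difference between these schemes is easiest to see in code. The following Python block is an added example, not the server's implementation of the storage-scheme plug-ins: it produces and verifies userPassword values in the {SCHEME}base64 form the server stores, where for the SSHA family the base64 payload is the digest followed by the salt, so a verifier recovers the salt from the stored value. The 8-byte salt length and the tags {SSHA256}, {SSHA384} and {SSHA512} for the larger sizes are assumptions; the reference above names the sizes but does not show the exact tags or the salt length.

```python
# Added example (not HP-UX Directory Server code): produce and verify
# userPassword values for the CLEAR, SHA and SSHA storage schemes.
import base64
import hashlib
import hmac
import os

# Scheme tag -> (hashlib algorithm, digest length in bytes).
# Tags for the larger SSHA sizes are an assumption.
SCHEMES = {
    "SHA":     ("sha1", 20),      # unsalted, legacy only
    "SSHA":    ("sha1", 20),      # 160-bit, the default
    "SSHA256": ("sha256", 32),
    "SSHA384": ("sha384", 48),
    "SSHA512": ("sha512", 64),
}
SALT_LEN = 8  # assumption; the page does not state the server's salt length


def hash_password(password, scheme="SSHA", salt=None):
    """Return the stored form of a password under the given scheme."""
    if scheme == "CLEAR":
        return "{CLEAR}" + password
    algo, _ = SCHEMES[scheme]
    if scheme == "SHA":
        salt = b""                        # SHA has no salt
    elif salt is None:
        salt = os.urandom(SALT_LEN)       # fresh random salt per password
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_stored(stored):
    """Split '{SCHEME}payload'; a value without a prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEAR", stored


def verify_password(password, stored):
    """Check a candidate against a stored value (constant-time compare)."""
    scheme, payload = split_stored(stored)
    if scheme == "CLEAR":
        return hmac.compare_digest(password.encode("utf-8"), payload.encode("utf-8"))
    algo, dlen = SCHEMES[scheme]          # KeyError for an unsupported scheme
    raw = base64.b64decode(payload)
    digest, salt = raw[:dlen], raw[dlen:]  # salt is whatever follows the digest
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def recoverable_by_server(stored):
    """True when the server can obtain the plaintext, which SASL DIGEST-MD5
    requires and which is why CLEAR must be used for it."""
    return split_stored(stored)[0] == "CLEAR"


if __name__ == "__main__":
    stored = hash_password("Secret!1")
    print(stored, verify_password("Secret!1", stored), recoverable_by_server(stored))
```

Two things worth noticing when running it: hashing the same password twice yields different SSHA values because the salt is random, which is what defeats precomputed tables against a directory dump, and a {CLEAR} value is the only one the server can turn back into a password, so enabling DIGEST-MD5 means accepting plaintext-equivalent storage in the database and in any LDIF export.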
2.3.2 cn=changelog5,cn=config
Replication changelog configuration is stored in the cn=changelog5,cn=config entry. The changelog behaves much like a database, and it has many of the attributes also used by the ldbm databases.
2.3.2.2 nsslapd-changelogmaxage (Max changelog age) This attribute sets the maximum age of any entry in the changelog. The changelog contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute is removed. If this attribute is absent, there is no age limit on changelog records. For information on the changelog, see “nsslapd-changelogdir”.
Syntax: Integer
Example: nssslsessiontimeout: 5
2.3.3.2 nssslclientauth
This attribute sets how clients may use certificates to authenticate to the Directory Server over SSL connections. If this attribute is set to required, which forces clients to present a certificate, the Console cannot be set to require SSL, because certificate-based authentication is not supported with the Console. The server has to be restarted for changes to this attribute to go into effect.
2.3.3.5 nsssl3ciphers This multi-valued attribute specifies the set of encryption ciphers the Directory Server uses during SSL communications. For more information on the ciphers supported by the Directory Server, see the "Managing SSL" chapter in the HP-UX Directory Server administrator guide.
object class. For suffix configuration attributes to be taken into account by the server, these object classes (in addition to the top object class) must be present in the entry. The suffix DN should be quoted because the suffix DN contains characters such as equals signs (=), commas (,), and space characters that must be quoted or escaped to appear as a value in another DN. 2.3.6.1 nsslapd-state Determines how the suffix handles operations.
2.3.7.1 nsDS5Flags
This attribute sets replica properties that were previously defined in flags. At present only one flag exists, which sets whether changes are logged.

Parameter      Description
Entry DN       cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values   0 means no changes are logged; 1 means changes are logged.
Default Value  0
Syntax         Integer
Example        nsDS5Flags: 0

2.3.7.2 nsDS5ReplicaBindDN
This multi-valued attribute specifies the DN to use when binding.
2.3.7.4 nsDS5ReplicaId
This attribute sets the unique ID for suppliers and consumers in a given replication environment.

Parameter      Description
Entry DN       cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Range    1 to 65534 for suppliers, and 65535 for consumers
Default Value
Syntax         Integer
Example        nsDS5ReplicaId: 1

2.3.7.5 nsDS5ReplicaLegacyConsumer
If this attribute is absent or has a value of false, then the replica is not a legacy consumer.
An internal Directory Server housekeeping operation periodically removes tombstone entries which are older than the value of this attribute (in seconds). State information which is older than the nsDS5ReplicaPurgeDelay value is removed when an entry which contains the state information is modified.
Periodically, the server runs an internal housekeeping operation to purge old update and state information from the main database. For more information, see “nsDS5ReplicaPurgeDelay”. When setting this attribute, remember that the purge operation is time-consuming, especially if the server handles many delete operations from clients and suppliers.
2.3.7.14 nsDS5ReplConflict Although this attribute is not in the cn=replica entry, it is used in conjunction with replication. This multi-valued attribute is included on entries that have a change conflict that cannot be resolved automatically by the synchronization process. To check for replication conflicts requiring administrator intervention, perform an LDAP search for (nsDS5ReplConflict=*).
2.3.8.3 nsDS5ReplicaBindDN This attribute sets the DN to use when binding to the consumer during replication. The value of this attribute must be the same as the one in cn=replica on the consumer replica. This may be empty if certificate-based authentication is used, in which case the DN used is the subject DN of the certificate, and the consumer must have appropriate client certificate mapping enabled. This can also be modified.
Parameter      Description
Syntax         Integer
Example        nsDS5ReplicaBusyWaitTime: 3

2.3.8.6 nsDS5ReplicaChangesSentSinceStartup
This read-only attribute shows the number of changes sent to this replica since the server started.

Parameter      Description
Entry DN       cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Range    0 to maximum 32-bit integer (2147483647)
Default Value
Syntax         Integer
Example        nsDS5ReplicaChangesSentSinceStartup: 647

2.3.8.
2.3.8.9 nsDS5ReplicaLastInitEnd
This optional, read-only attribute states when the initialization of the consumer replica ended.

Parameter      Description
Entry DN       cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values   YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with a 24-hour clock.
2.3.8.12 nsDS5ReplicaLastUpdateEnd
This read-only attribute states when the most recent replication schedule update ended.

Parameter      Description
Entry DN       cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values   YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with a 24-hour clock.
Parameter      Description
Default Value
Syntax         Integer
Example        nsDS5ReplicaPort: 389

2.3.8.16 nsDS5ReplicaPriority
This attribute assigns a priority to replication agreements, controlling their rate of updates relative to peer agreements. Prioritizing agreements is useful for a set of replicas that need to be updated in a particular order.
more information about this task. A value of zero (0) means that the task is inactive, and a value of 1 means that the task is active. If this value is set manually, the server ignores the modify request.

Parameter      Description
Entry DN       cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values   0 or 1
Default Value
Syntax         Integer
Example        nsDS5ReplicaReapActive: 0

2.3.8.18 nsDS5BeginReplicaRefresh
Initializes the replica. This attribute is absent by default.
interval specified for nsDS5ReplicaBusyWaitTime. The longer interval gives waiting suppliers a better chance to gain consumer access before the previous supplier can re-access the consumer.
• If either attribute is specified but not both, nsDS5ReplicaSessionPauseTime is set automatically to 1 second more than nsDS5ReplicaBusyWaitTime.
Find out the amount of time the operation actually lasted by examining the access log on the remote machine, then set the nsDS5ReplicaTimeout attribute accordingly to optimize performance.

Parameter      Description
Entry DN       cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Range    0 to maximum 32-bit integer value (2147483647) in seconds
Default Value  600
Syntax         Integer
Example        nsDS5ReplicaTimeout: 600 seconds

2.3.8.
them for replay later. If the value is later changed back to 0000-2359 0123456, replication resumes immediately and all pending changes are sent.

Parameter      Description
Entry DN       cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Range    Time schedule presented as XXXX-YYYY 0123456, where XXXX is the starting hour, YYYY is the finishing hour, and the numbers 0123456 are the days of the week starting with Sunday.
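The read-only timestamps such as nsDS5ReplicaLastUpdateEnd (Generalized Time, YYYYMMDDhhmmssZ) and the XXXX-YYYY 0123456 update schedule above are what an administrator reads to decide whether an agreement is healthy: a large gap since the last update only matters when the schedule says replication should be running. The following is an added example, not HP's code or any Directory Server tool, that parses both value formats and flags a stale agreement. The agreement entry it reads is constructed; the attribute names are the ones documented in this section, and the 3600-second staleness threshold is an arbitrary choice.

```python
"""Added example (not HP's code): health check for a replication agreement
from its nsDS5ReplicaLastUpdateEnd and nsDS5ReplicaUpdateSchedule values.
The SAMPLE_AGREEMENT entry below is constructed, not captured from a server."""
from datetime import datetime, timezone

SAMPLE_AGREEMENT = """dn: cn=example agreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
nsDS5ReplicaHost: consumer.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaLastUpdateEnd: 20090625143012Z
nsDS5ReplicaChangesSentSinceStartup: 647
nsDS5ReplicaUpdateSchedule: 0800-1800 12345
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (Generalized Time 'Z' is UTC)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_ldif_entry(text):
    """Minimal single-entry LDIF reader: attribute names lower-cased, values listed."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_generalized_time(value):
    """Accept only the documented form YYYYMMDDhhmmssZ (24-hour clock, UTC)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported Generalized Time value: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_update_schedule(value):
    """Return (start_minute, end_minute, days) for 'XXXX-YYYY 0123456'; Sunday is 0."""
    window, days = value.split()
    start, end = window.split("-")

    def to_minutes(hhmm):
        return int(hhmm[:2]) * 60 + int(hhmm[2:])

    return to_minutes(start), to_minutes(end), {int(d) for d in days}


def replication_allowed_at(schedule, when):
    """True if the schedule window covers the given UTC time."""
    start, end, days = parse_update_schedule(schedule)
    weekday = (when.weekday() + 1) % 7  # Python: Monday=0; schedule: Sunday=0
    minutes = when.hour * 60 + when.minute
    return weekday in days and start <= minutes <= end


def replication_lag_seconds(entry_text, now):
    """Seconds elapsed since the last update ended, per nsDS5ReplicaLastUpdateEnd."""
    attrs = parse_ldif_entry(entry_text)
    last_end = parse_generalized_time(attrs["nsds5replicalastupdateend"][0])
    return int((now - last_end).total_seconds())


def check_agreement(entry_text, now, max_lag_seconds=3600):
    """Flag the agreement as stale only when replication should be running."""
    attrs = parse_ldif_entry(entry_text)
    lag = replication_lag_seconds(entry_text, now)
    # An absent schedule means replication is always allowed (documented default).
    schedule = attrs.get("nsds5replicaupdateschedule", ["0000-2359 0123456"])[0]
    in_window = replication_allowed_at(schedule, now)
    return {"lag_seconds": lag, "in_window": in_window,
            "stale": in_window and lag > max_lag_seconds}


if __name__ == "__main__":
    print(check_agreement(SAMPLE_AGREEMENT, utc(2009, 6, 25, 15, 0, 12)))
```

The same check can be pointed at nsDS5ReplicaLastInitEnd to confirm that a consumer initialization completed within an expected window.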
2.3.9.1 nsds7DirectoryReplicaSubtree
The suffix or DN of the Directory Server subtree that is being synchronized.

Parameter      Description
Entry DN       cn=syncAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values   Any valid suffix or subsuffix
Default Value
Syntax         DirectoryString
Example        nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com

2.3.9.
Parameter      Description
Syntax         DirectoryString
Example        nsDS7NewWinUserSyncEnabled: on

2.3.9.5 nsds7WindowsDomain
This attribute sets the name of the Windows domain to which the Windows sync peer belongs.

Parameter      Description
Entry DN       cn=syncAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values   Any valid domain name
Default Value
Syntax         DirectoryString
Example        nsDS7WindowsDomain: DOMAINWORLD

2.3.9.
If the nsslapd-counters attribute in cn=config is set to on (the default setting), then all the counters kept by the Directory Server instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of Directory Server. For the cn=monitor entry, the 64-bit integers are used with the opsinitiated, opscompleted, entriessent, bytessent, and totalconnections counters. NOTE: The nsslapd-counters attribute enables 64-bit support for these specific database and server counters.
version This attribute shows the Directory Server vendor, version, and build number. For example, HP-UX-Directory/8.1.0 B2009.176.2042. threads This attribute shows the number of threads used by the Directory Server. This should correspond to nsslapd-threadnumber in cn=config. nbackEnds This attribute shows the number of Directory Server database backends. backendMonitorDN This attribute shows the DN for each Directory Server database backend.
2.3.12.3 nssnmporganization
This attribute sets the organization to which the Directory Server belongs.

Parameter      Description
Entry DN       cn=SNMP, cn=config
Valid Values   Organization name
Default Value
Syntax         DirectoryString
Example        nssnmporganization: Example, Inc.

2.3.12.4 nssnmplocation
This attribute sets the location within the company or organization where the Directory Server resides.
2.3.12.7 nssnmpmasterhost
nssnmpmasterhost is deprecated. This attribute is deprecated with the introduction of net-snmp. The attribute still appears in dse.ldif but without a default value.

Parameter      Description
Entry DN       cn=SNMP, cn=config
Valid Values   machine host name or localhost
Default Value
Syntax         DirectoryString
Example        nssnmpmasterhost: localhost

2.3.12.8 nssnmpmasterport
The nssnmpmasterport attribute was deprecated with the introduction of net-snmp.
Table 2-8 SNMP statistic attributes (continued)
Attribute            Description
RemoveEntryOps       This shows the number of LDAP delete requests.
ModifyEntryOps       This shows the number of LDAP modify requests.
ModifyRDNOps         This shows the number of LDAP modify RDN (modrdn) requests.
ListOps              Not used. This value is always 0.
SearchOps            This shows the number of LDAP search requests.
OneLevelSearchOps    This shows the number of one-level search operations.
There are seven tasks that are managed under the cn=tasks entry:
• cn=import
• cn=export
• cn=backup
• cn=restore
• cn=index
• cn=schema reload task
• cn=memberof task
The common attributes for these tasks are listed in “Task invocation attributes for entries under cn=tasks”. The cn=tasks entry itself has no attributes and serves as the parent and container entry for the individual task entries. IMPORTANT: Task entries are not permanent configuration entries.
nsTaskLog This attribute contains all the log messages for the task, including both warning and information messages. New messages are appended to the end of the attribute value, so by default the value grows without erasing the original contents. Successful task operations, which have an nsTaskExitCode of 0, are only recorded in the nsTaskLog attribute.
nsTaskTotalItems This attribute shows the total number of subtasks that must be completed for the task operation. When the nsTaskCurrentItem attribute has the same value as nsTaskTotalItems, then the task is completed. This attribute value is set by the server and should not be edited.
dn: cn=example import, cn=import, cn=tasks, cn=config
objectclass: nsDirectoryServerTask
cn: example import
nsFilename: /home/files/example.ldif
nsInstance: userRoot

As the import operation runs, the task entry will contain all the server-generated task attributes listed in “Task invocation attributes for entries under cn=tasks”. There are some optional attributes which can be used to refine the import operation, similar to the options for the ldif2db and ldif2db.
nsIncludeSuffix
This attribute identifies a specific suffix or subtree to import from the LDIF file.

Parameter      Description
Entry DN       cn=task_name, cn=import, cn=tasks, cn=config
Valid Values   Any DN
Default Value
Syntax         DN, multi-valued
Example        nsIncludeSuffix: ou=people,dc=example,dc=com

nsExcludeSuffix
the import.
nsUniqueIdGenerator This sets whether to generate a unique ID for the imported entries. By default, this attribute generates time-based IDs.
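The import task entry shown above, together with the server-generated nsTaskCurrentItem, nsTaskTotalItems, nsTaskExitCode and nsTaskLog attributes described under “Task invocation attributes for entries under cn=tasks”, is what an administrator creates and then polls. The following is an added example, not HP's code or a Directory Server utility: it generates the LDIF for an import task (including the multi-valued nsIncludeSuffix and nsExcludeSuffix refinements) and classifies a task entry from its attributes. It assumes that nsTaskExitCode is absent until the task has finished; the sample attribute values are constructed.

```python
"""Added example (not HP's code): build a cn=import task entry and read back
the server-generated task attributes. Sample values below are constructed."""


def build_import_task_ldif(task_name, ldif_path, instance, include=(), exclude=()):
    """Return LDIF text for cn=<task_name>,cn=import,cn=tasks,cn=config.

    nsIncludeSuffix and nsExcludeSuffix are multi-valued, so each DN becomes
    its own attribute line rather than a comma-joined value.
    """
    if not ldif_path.startswith("/"):
        raise ValueError("nsFilename must be an absolute path on the server")
    lines = [
        "dn: cn=%s,cn=import,cn=tasks,cn=config" % task_name,
        "objectclass: nsDirectoryServerTask",
        "cn: %s" % task_name,
        "nsFilename: %s" % ldif_path,
        "nsInstance: %s" % instance,
    ]
    lines += ["nsIncludeSuffix: %s" % dn for dn in include]
    lines += ["nsExcludeSuffix: %s" % dn for dn in exclude]
    return "\n".join(lines) + "\n"


def task_status(attrs):
    """Classify a task entry given its attributes as a dict of name -> value.

    Assumption: nsTaskExitCode is only present once the task has finished;
    nsTaskCurrentItem == nsTaskTotalItems with exit code 0 means success.
    """
    total = int(attrs.get("nsTaskTotalItems", 0))
    current = int(attrs.get("nsTaskCurrentItem", 0))
    percent = (100 * current // total) if total else 0
    if "nsTaskExitCode" not in attrs:
        return {"state": "running", "percent": percent}
    code = int(attrs["nsTaskExitCode"])
    if code == 0 and current == total:
        return {"state": "succeeded", "percent": 100}
    # Anything else: surface the exit code and the log so the operator can act.
    return {"state": "failed", "percent": percent, "exit_code": code,
            "log": attrs.get("nsTaskLog", "")}


if __name__ == "__main__":
    print(build_import_task_ldif("example import", "/home/files/example.ldif",
                                 "userRoot", include=["ou=people,dc=example,dc=com"]))
    # constructed snapshot of a task entry part-way through the import
    print(task_status({"nsTaskCurrentItem": "40", "nsTaskTotalItems": "100"}))
```

Because task entries are removed once the task completes, a poller should treat a disappeared entry as "finished" and rely on the nsTaskLog it last read for the outcome.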
• “nsExportReplica”, analogous to the -r option, to indicate whether the exported database is used in replication
• “nsPrintKey”, analogous to the -N option, to set whether to print the entry IDs as the entries are processed by the export operation
• “nsUseId2Entry”, analogous to the -C option, to set whether to use only the main index, id2entry, to list the entries to export
• “nsNoWrap”, analogous to the -U option, to set whether to wrap long lines in the LDIF file
• “nsDumpUniqId”, analogous to the -u o
Parameter      Description
Default Value
Syntax         DN, multi-valued
Example        nsExcludeSuffix: ou=machines,dc=example,dc=com

nsUseOneFile
This attribute sets whether to export all Directory Server instances to a single LDIF file or separate LDIF files.
Parameter      Description
Syntax         Case-insensitive string
Example        nsUseId2Entry: true

nsNoWrap
This attribute sets whether to wrap long lines in the LDIF file.

Parameter      Description
Entry DN       cn=task_name, cn=export, cn=tasks, cn=config
Valid Values   true | false
Default Value  false
Syntax         Case-insensitive string
Example        nsNoWrap: false

nsDumpUniqId
This attribute sets that the unique IDs for the exported entries are not exported.
If this attribute is not included with the cn=backup task, the task will fail with an LDAP object class violation error (65).

Parameter      Description
Entry DN       cn=task_name, cn=backup, cn=tasks, cn=config
Valid Values   Any local directory location
Default Value
Syntax         Case-exact string
Example        nsArchiveDir: /export/backups

nsDatabaseTypes
This attribute gives the kind of database being archived.
Parameter      Description
Syntax         Case-exact string
Example        nsArchiveDir: /home/exports

nsDatabaseTypes
This attribute gives the kind of database being archived. Setting the database types signals what kind of backup plug-in the Directory Server should use to archive the database.

Parameter      Description
Entry DN       cn=task_name, cn=restore, cn=tasks, cn=config
Valid Values   ldbm database
Default Value  ldbm database
Syntax         Case-exact string
Example        nsDatabaseType: ldbm database

2.3.14.
nsIndexAttribute: attribute:index1,index2

Parameter      Description
Entry DN       cn=task_name, cn=index, cn=tasks, cn=config
Valid Values   Any attribute, followed by the index type, which can be: pres (presence), eq (equality), approx (approximate), and sub (substring)
Default Value
Syntax         Case-insensitive string, multi-valued
Example        nsIndexAttribute: "cn:pres,eq"
               nsIndexAttribute: "description:sub"

nsIndexVLVAttribute
This attribute gives the name of the target entry for a VLV index.
IMPORTANT: Any schema loaded from another directory must be copied into the schema directory or the schema will be lost when the server. The schema reload task is initiated through the command line by creating a special task entry which defines the parameters of the task and initiates the task. As soon as the task is complete, the task entry is removed from the directory.
cn: example memberof
basedn: ou=people,dc=example,dc=com
filter: (objectclass=groupofnames)

As soon as the task is complete, the task entry is removed from the directory. The cn=memberof task entry is a container entry for memberOf update operations. The cn=memberof task entry itself has no attributes, but each of the task entries beneath this entry, such as cn=task_ID, cn=memberof task, cn=tasks, cn=config, uses its attributes to define the individual update task.
3 Plug-in implemented server functionality reference This chapter contains reference information on HP-UX Directory Server plug-ins. The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins, cn=config.
3.1.2 ACL plug-in
Plug-in parameter                Description
Plug-in Name                     ACL Plug-in
DN of Configuration Entry        cn=ACL Plugin, cn=plugins, cn=config
Description                      ACL access check plug-in
Configurable Options             on or off
Default Setting                  on
Configurable Arguments           None
Dependencies                     None
Performance Related Information  Access control incurs a minimal performance hit. Leave this plug-in enabled because it is the primary means of access control for the server.
Plug-in parameter                Description
Configurable Arguments           To check for UID attribute uniqueness in all listed subtrees, enter uid "DN" "DN".... However, to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, enter attribute="uid" MarkerObjectclass="ObjectClassName" and, optionally, requiredObjectClass="ObjectClassName".
Plug-in parameter                Description
Performance Related Information  Do not modify the configuration of this plug-in. HP recommends leaving this plug-in running at all times.
Further Information

3.1.
Plug-in parameter                Description
Dependencies                     None
Performance Related Information  There are many performance related tuning parameters involved with the chaining database. See the "Maintaining Database Links" section in the HP-UX Directory Server administrator guide.
Further Information              A chaining database is also known as a database link. Database links are described in the "Configuring Directory Databases" chapter in the HP-UX Directory Server administrator guide.

3.1.
Plug-in parameter                Description
Description                      Syntax for handling DNs
Configurable Options             on or off
Default Setting                  on
Configurable Arguments           None
Dependencies                     None
Performance Related Information  Do not modify the configuration of this plug-in. HP recommends leaving this plug-in running at all times.
Further Information

3.1.
3.1.15 HTTP client plug-in
Plug-in parameter                Description
Plug-in Name                     HTTP Client
DN of Configuration Entry        cn=HTTP Client, cn=plugins, cn=config
Description                      HTTP client plug-in
Configurable Options             on or off
Default Setting                  on
Configurable Arguments           None
Dependencies                     Database
Performance Related Information
Further Information

3.1.
Plug-in parameter                Description
Performance Related Information  Do not modify the configuration of this plug-in. HP recommends leaving this plug-in running at all times.
Further Information              See the "Internationalization" appendix and the section on "Searching an Internationalized Directory" in the "Finding Directory Entries" appendix in the HP-UX Directory Server administrator guide.

3.1.
Plug-in parameter                Description
Default Setting                  off
Configurable Arguments           None. This plug-in can be disabled if the server is not (and never will be) a consumer of a 4.x server.
Dependencies                     Database
Performance Related Information  None
Further Information              See the "Managing Replication" chapter in the HP-UX Directory Server administrator guide.

3.1.
3.1.23 Octet string syntax plug-in
Plug-in parameter                Description
Plug-in Name                     Octet String Syntax
DN of Configuration Entry        cn=Octet String Syntax, cn=plugins, cn=config
Description                      Syntax for handling octet strings
Configurable Options             on or off
Default Setting                  on
Configurable Arguments           None
Dependencies                     None
Performance Related Information  Do not modify the configuration of this plug-in. HP recommends leaving this plug-in running at all times.
Further Information

3.1.
For more information on using the different password storage schemes, see the "User Account Management" chapter in the HP-UX Directory Server administrator guide.

CAUTION: Do not modify the configuration of the password scheme plug-ins. HP recommends leaving these plug-ins running at all times.

Table 3-3 Password storage plugins
Storage scheme name   Usage notes
CLEAR                 This encryption method is required for using SASL/DIGEST-MD5.
Plug-in parameter                Description
Performance Related Information  Do not modify the configuration of this plug-in. HP recommends leaving this plug-in running at all times.
Further Information

3.1.
Plug-in parameter                Description
Performance Related Information  The Referential Integrity Plug-in should be enabled only on one master in a multimaster replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, be sure to analyze the performance resource and time needs as well as integrity needs; integrity checks can be time consuming and demanding on memory and CPU. All attributes specified must be indexed for both presence and equality.
3.1.31 Schema reload plug-in
Table 3-4 Details of schema reload plug-in
Plug-in information              Description
Plug-in Name                     Schema Reload
Configuration Entry DN           cn=Schema Reload,cn=plugins,cn=config
Description                      Task plug-in to reload schema files
Configurable Options             on or off
Default Setting                  on
Configurable Arguments           None
Dependencies                     None
Performance Related Information
Further Information

3.1.
Plug-in parameter                Description
Dependencies                     None
Performance Related Information
Further Information

3.1.34 Telephone syntax plug-in
Plug-in parameter                Description
Plug-in Name                     Telephone Syntax
DN of Configuration Entry        cn=Telephone Syntax, cn=plugins, cn=config
Description                      Syntax for handling telephone numbers
Configurable Options             on or off
Default Setting                  on
Configurable Arguments           None
Dependencies                     None
Performance Related Information  Do not modify the configuration of this plug-in.
Plug-in parameter                Description
Default Setting                  on
Configurable Arguments           None
Dependencies                     Database
Performance Related Information  Do not modify the configuration of this plug-in. HP recommends leaving this plug-in running at all times.
Further Information

3.1.37 Account policy plug-in
Plug-in parameter                Description
Plug-in Name                     Account Policy Plug-in
DN of Configuration Entry        cn=Account Policy Plug-in,cn=plugins,cn=config
Description                      Provides account inactivity limit policy.
3.2.2 nsslapd-pluginInitfunc
This attribute specifies the plug-in function to be initiated.

Plug-in parameter  Description
Entry DN           cn=plug-in name, cn=plugins, cn=config
Valid Values       Any valid plug-in function
Default Value      None
Syntax             DirectoryString
Example            nsslapd-pluginInitfunc: NS7bitAttr_Init

3.2.3 nsslapd-pluginType
This attribute specifies the plug-in type. See “nsslapd-plugin-depends-on-type” for further information.
3.2.6 nsslapd-pluginVersion
This attribute specifies the plug-in version.

Plug-in parameter  Description
Entry DN           cn=plug-in name, cn=plugins, cn=config
Valid Values       Any valid plug-in version
Default Value      Product version number
Syntax             DirectoryString
Example            nsslapd-pluginVersion: 8.1

3.2.7 nsslapd-pluginVendor
This attribute specifies the vendor of the plug-in.
Plug-in parameter  Description
Syntax             DirectoryString
Example            nsslapd-pluginLoadNow: false

3.3.2 nsslapd-pluginLoadGlobal
This attribute specifies whether the symbols in dependent libraries are made visible locally (false) or to the executable and to all shared objects (true).

Plug-in parameter  Description
Entry DN           cn=plug-in name, cn=plugins, cn=config
Valid Values       true | false
Default Value      false
Syntax             DirectoryString
Example            nsslapd-pluginLoadGlobal: false

3.3.
Plug-in parameter  Description
Syntax             DirectoryString
Example            nsslapd-plugin-depends-on-named: Views
                   nsslapd-plugin-depends-on-named: Roles Plugin

3.4 Database plug-in attributes
The database plug-in is also organized in an information tree, as shown in Figure 3-1 “Database plug-in”.

Figure 3-1 Database plug-in

All plug-in technology used by the database instances is stored in the cn=ldbm database plug-in node.
3.4.1.2 nsslapd-cache-autosize
This performance tuning-related attribute, which is turned off by default, specifies the percentage of free memory to use for all the combined caches. For example, if the value is set to 80, then 80 percent of the remaining free memory would be claimed for the cache. If other servers run on the same machine, set the value lower. Setting the value to 0 turns off the cache autosizing and uses the normal nsslapd-cachememsize and nsslapd-dbcachesize attributes.
3.4.1.4 nsslapd-dbcachesize This performance tuning-related attribute specifies the database index cache size, and is one of the most important values for controlling how much physical RAM the directory server uses. This is not the entry cache. This is the amount of memory the Berkeley database backend will use to cache the indexes (the .db4 files) and other files. This value is passed to the Berkeley DB API function set_cachesize.
3.4.1.6 nsslapd-db-circular-logging This attribute specifies circular logging for the transaction log files. If this attribute is switched off, old transaction log files are not removed and are kept renamed as old log transaction files. Turning circular logging off can severely degrade server performance and, as such, should only be modified with the guidance of HP Technical Support or HP Professional Services.
Parameter Description Syntax DirectoryString Example nsslapd-db-durable-transactions: on 3.4.1.9 nsslapd-db-home-directory To move the database to another physical location for performance reasons, use this parameter to specify the home directory. This situation will occur only for certain combinations of the database cache size, the size of physical memory, and kernel tuning attributes. In particular, this situation should not occur if the database cache size is less than 100 megabytes.
Before modifying the value of this attribute, export all databases using the db2ldif script. After the modification has been made, reload the databases using the ldif2db script.

CAUTION: This parameter should only be used by very advanced users.

Parameter      Description
Entry DN       cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Range    0 to 8
Default Value  0
Syntax         Integer
Example        nsslapd-db-idl-divisor: 2

3.4.1.
Parameter      Description
Syntax         DirectoryString
Example        nsslapd-db-logdirectory: /logs/txnlog

3.4.1.13 nsslapd-db-logfile-size
This attribute specifies the maximum size of a single file in the log in bytes. By default, or if the value is set to 0, a maximum size of 10 megabytes is used. The maximum size is an unsigned 4-byte value.
3.4.1.16 nsslapd-db-spin-count
This attribute specifies the number of times that test-and-set mutexes should spin without blocking.

CAUTION: Never touch this value unless you are very familiar with the inner workings of Berkeley DB or are specifically told to do so by HP support.

Parameter      Description
Entry DN       cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Range    0 to 2^31-1
Default Value  0
Syntax         Integer
Example        nsslapd-db-spin-count: 0

3.4.1.
NOTE: The nsslapd-db-transaction-batch-val attribute is only valid if the nsslapd-db-durable-transaction attribute is set to on. For more information on database transaction logging, refer to the "Monitoring Server and Database Activity" chapter in the HP-UX Directory Server administrator guide.

Parameter      Description
Entry DN       cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Range    0 to 30
Default Value  0 (or turned off)
Syntax         Integer
Example        nsslapd-db-transaction-batch-val: 5

3.4.1.
To configure a dbcache size larger than 4 gigabytes, add the nsslapd-dbncache attribute to cn=config, cn=ldbm database, cn=plugins, cn=config between the nsslapd-dbcachesize and nsslapd-db-logdirectory attribute lines. Set this value to an integer that is one-quarter (1/4) the amount of memory in gigabytes. For example, for a 12 gigabyte system, set the nsslapd-dbncache value to 3; for an 8 gigabyte system, set it to 2.
3.4.1.24 nsslapd-idlistscanlimit This performance-related attribute, present by default, specifies the number of entry IDs that are searched during a search operation. Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message, with additional error information explaining the problem. It is advisable to keep the default value to improve search performance.
be set automatically to a predetermined size when the import operation is run on the command-line. The attribute can also be used by Directory Server during the task mode import for allocating a specified percentage of free memory for importCache. By default, the nsslapd-import-cache-autosize attribute is enabled and is set to a value of -1. This value autosizes importCache for the ldif2db operation only, automatically allocating fifty percent (50%) of the free physical memory for importCache.
Parameter      Description
Syntax         Integer
Example        nsslapd-mode: 0600

3.4.1.28 nsslapd-search-bypass-filter-test
This attribute determines whether the backend database should take the shortest path, relying on indexes instead of filters when assessing whether entries should be returned in response to a search. In some cases, the backend still performs filter tests on the entry, such as when responding to an All IDs search, or when the filter contains substrings. The default setting is on.
The following attributes are common to both the cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config subtree and the user database subtrees, such as cn=userRoot or cn=database_name, cn=ldbm database, cn=plugins, cn=config.

3.4.3.1 nsslapd-cachesize
This performance tuning-related attribute specifies the cache size in terms of the entries it can hold. However, it is simpler to limit by memory size only (as in “nsslapd-cachememsize”).
Parameter      Description
Default Value
Syntax         DirectoryString
Example        nsslapd-directory: /var/opt/dirsrv/slapd-instance_name/db/userRoot

3.4.3.4 nsslapd-readonly
This attribute specifies read-only mode for a single back-end instance. If this attribute has a value of off, then users have all read, write, and execute permissions allowed by their access permissions.
3.4.4 Database attributes under cn=database, cn=monitor, cn=ldbm database, cn=plugins, cn=config
The attributes in this tree node entry are all read-only, database performance counters. All the values for these attributes are 32-bit integers, except for entrycachehits, entrycachetries, currententrycachesize, and maxentrycachesize. If the nsslapd-counters attribute in cn=config is set to off, then the 64-bit counters are not maintained.
nsslapd-db-pages-in-use This attribute shows all pages, clean or dirty, currently in use.
nsslapd-db-txn-region-wait-rate This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.

3.4.5 Database attributes under cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config
The set of default indexes is stored here.
3.4.5.4 nsIndexType This optional, multi-valued attribute specifies the type of index for Directory Server operations and takes the values of the attributes to be indexed. Each desired index type has to be entered on a separate line.
dbfilenamenumber This attribute gives the name of the file and provides a sequential integer identifier (starting at 0) for the file. All associated statistics for the file are given this same numerical identifier. dbfilecachehit This attribute gives the number of times that a search requiring data from this file was performed and that the data were successfully obtained from the cache.
abc*
If the value of this attribute is changed, then the index must be regenerated using the db2index command.

Parameter      Description
Entry DN       cn=attribute_name, cn=index, cn=database_name, cn=ldbm database, cn=plugins, cn=config
Valid Values   Any integer
Default Value  3
Syntax         Integer
Example        nsSubStrBegin: 2

3.4.7.2 nsSubStrEnd
By default, for a search to be indexed, the search string must be at least three characters long, without counting any wildcard characters.
If the value of this attribute is changed, then the index must be regenerated using the db2index command.

Parameter      Description
Entry DN       cn=attribute_name, cn=index, cn=database_name, cn=ldbm database, cn=plugins, cn=config
Valid Values   Any integer
Default Value  3
Syntax         Integer
Example        nsSubStrMiddle: 3

3.4.
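The three attributes nsSubStrBegin, nsSubStrMiddle and nsSubStrEnd together decide whether a substring filter can be answered from the index or forces an unindexed scan (an operational concern, since unindexed searches are what nsslapd-idlistscanlimit and the lookthrough limits exist to contain). The following is an added example, not HP's code: it splits an LDAP substring assertion into its initial, any and final parts, applies the per-position minimum lengths with the documented default of 3, and reports whether every part meets its minimum. It is a model of the rule as stated in this section, and deliberately ignores the other factors (the attribute actually having a sub index, scan limits) that the server also weighs.

```python
"""Added example (not HP's code): decide whether a substring search value
meets the nsSubStrBegin / nsSubStrMiddle / nsSubStrEnd minimum lengths.
Wildcards are not counted, matching the rule given in this section."""


def substring_components(value):
    """Split 'ab*cd*e' into (initial, [any parts], final).

    A missing initial or final part is None; empty 'any' parts (from '**')
    are dropped. A value with no '*' is not a substring assertion.
    """
    if "*" not in value:
        raise ValueError("not a substring assertion (no wildcard): %r" % value)
    parts = value.split("*")
    initial = parts[0] or None
    final = parts[-1] or None
    middle = [p for p in parts[1:-1] if p]
    return initial, middle, final


def is_substring_indexed(value, begin=3, middle=3, end=3):
    """True when every present component is at least as long as the minimum
    configured for its position (defaults are the documented value 3).

    '*' alone has no component to index and therefore returns False.
    """
    initial, any_parts, final = substring_components(value)
    checks = []
    if initial is not None:
        checks.append(len(initial) >= begin)   # nsSubStrBegin governs 'abc*'
    for part in any_parts:
        checks.append(len(part) >= middle)     # nsSubStrMiddle governs '*abc*'
    if final is not None:
        checks.append(len(final) >= end)       # nsSubStrEnd governs '*abc'
    return bool(checks) and all(checks)


def shortest_unindexed(filters, **limits):
    """Return the filter values that would fall back to an unindexed scan."""
    return [f for f in filters if not is_substring_indexed(f, **limits)]


if __name__ == "__main__":
    # constructed sample filter values, as they would appear in an access log
    sample = ["abc*", "ab*", "*abc", "*ab*", "ab*cd*ef", "abc*de"]
    print(shortest_unindexed(sample))
    print(shortest_unindexed(sample, begin=2, middle=2, end=2))
```

Lowering any of the three values widens what the index can answer but, as the section notes, requires regenerating the index with db2index before the change has effect.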
3.4.8.1 nsEncryptionAlgorithm nsEncryptionAlgorithm selects the cipher used by nsAttributeEncryption. The algorithm can be set per encrypted attribute.
cn=chaining database, cn=config attributes, as LDAP considers empty attributes to be non-existent.

Parameter      Description
Entry DN       cn=config, cn=chaining database, cn=plugins, cn=config
Valid Values   Any valid component entry
Default Value  None
Syntax         DirectoryString
Example        nsActiveChainingComponents: cn=uid uniqueness, cn=plugins, cn=config

3.5.1.
Parameter      Description
Default Value  nspossiblechainingcomponents: cn=certificate-based authentication,cn=components,cn=config
Syntax         DN
Example        nspossiblechainingcomponents: cn=example plugin,cn=plugins,cn=config

3.5.1.
Parameter      Description
Default Value  3
Syntax         Integer
Example        nsBindConnectionsLimit: 3
3.5.2.3 nsBindRetryLimit
Contrary to what the name suggests, this attribute does not specify the number of times a database link retries to bind with the remote server, but the total number of times it tries to bind with the remote server. A value of 1 here indicates that the database link only attempts to bind once.
3.5.2.6 nsConcurrentBindLimit
This attribute shows the maximum number of concurrent bind operations per TCP connection.
Parameter      Description
Entry DN       cn=default instance config, cn=chaining database, cn=plugins, cn=config
Valid Range    1 to 25 binds
Default Value  10
Syntax         Integer
Example        nsConcurrentBindLimit: 10
3.5.2.7 nsConcurrentOperationsLimit
This attribute specifies the maximum number of concurrent operations allowed.
Parameter      Description
Syntax         Integer
Example        nsOperationConnectionsLimit: 10
3.5.2.10 nsProxiedAuthorization
Reserved for advanced use only. This attribute can disable proxied authorization with a value of off.
Parameter      Description
Entry DN       cn=default instance config, cn=chaining database, cn=plugins, cn=config
Valid Values   on or off
Default Value  on
Syntax         DirectoryString
Example        nsProxiedAuthorization: on
3.5.2.
3.5.2.13 nsTimeLimit
This attribute specifies the default search time limit for the database link.
Parameter      Description
Entry DN       cn=default instance config, cn=chaining database, cn=plugins, cn=config
Valid Range    -1 to maximum 32-bit integer (2147483647) seconds
Default Value  3600
Syntax         Integer
Example        nsslapd-timelimit: 3600
3.5.
The farm server must be configured with a Kerberos keytab, and the remote server must have a defined SASL mapping for the farm server's bind identity. Setting up Kerberos keytabs and SASL mappings is described in the HP-UX Directory Server administrator guide.
Parameter      Description
Entry DN       cn=database_link_name, cn=chaining database, cn=plugins, cn=config
Valid Values   empty, EXTERNAL, DIGEST-MD5, GSSAPI
Default Value  empty
Syntax         DirectoryString
Example        nsBindMechanism: GSSAPI
3.5.3.
3.5.3.4 nsMultiplexorCredentials
Password for the administrative user, given in plain text. If no password is provided, it means that users can bind as anonymous. The password is encrypted in the configuration file. The example below is what is shown, not what is typed.
nsModifyCount
This attribute gives the number of modify operations received.
nsRenameCount
This attribute gives the number of rename operations received.
nsSearchBaseCount
This attribute gives the number of base level searches received.
nsSearchOneLevelCount
This attribute gives the number of one-level searches received.
nsSearchSubtreeCount
This attribute gives the number of subtree searches received.
nsAbandonCount
This attribute gives the number of abandon operations received.
nsBindCount
3.6.2 nsslapd-changelogmaxage (Max changelog age)
This attribute specifies the maximum age of any entry in the changelog. The changelog contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute is removed.
The magic entry should be outside of the defined range for the server so that it cannot accidentally be triggered. This attribute also does not have to be a number, which can make it easier to assign.
Parameter      Description
Entry DN       cn=Distributed Numeric Assignment Plugin, cn=plugins, cn=config
Valid Range    Any string
Default Value  None
Syntax         DirectoryString
Example        dnaMagicRegen: magic
3.7.3 dnaMaxValue
This attribute sets the maximum value that can be assigned for the range.
The dnaNextValue attribute is required to set up distributed numeric assignment for an attribute.
Parameter      Description
Entry DN       cn=Distributed Numeric Assignment Plugin, cn=plugins, cn=config
Valid Range    -1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems
Default Value  -1
Syntax         Integer
Example        dnaNextValue: 1
3.7.6 dnaPrefix
This attribute defines a prefix that can be prepended to the generated number values for the attribute.
3.7.8 dnaScope
This attribute sets the base DN to search for entries to which to apply the distributed numeric assignment. This is analogous to the base DN in an ldapsearch.
Parameter      Description
Entry DN       cn=Distributed Numeric Assignment Plugin, cn=plugins, cn=config
Valid Range    Any Directory Server entry
Default Value  None
Syntax         DirectoryString
Example        dnaScope: ou=people,dc=example,dc=com
3.7.
Parameter      Description
Default Value  100
Syntax         Integer
Example        dnaThreshold: 100
3.7.11 dnaType
This attribute sets which attribute has unique numbers being generated for it. In this case, whenever the attribute is added to the entry without a value or with the magic number, an assigned value is automatically supplied. This is required to set up distributed numeric assignments for an attribute.
NOTE: Any attribute can be used for the memberofgroupattr value, but the MemberOf Plug-in only works if the value of the target attribute contains the DN of the member entry. For example, the member attribute contains the DN of the member's user entry:
member: uid=jsmith,ou=People,dc=example,dc=com
Some member-related attributes do not contain a DN, like the memberURL attribute.
4 Server instance file reference
This chapter provides an overview of the files that are specific to an instance of the HP-UX Directory Server (Directory Server). Having an overview of the files and configuration information stored in each instance of Directory Server helps with understanding the file changes (or lack of file changes) which occur in the course of directory activity.
Example 4-1 Database directory contents
__db.001
__db.002
__db.003
__db.004
__db.005
DBVERSION
NetscapeRoot/
log.0000000007
userRoot/
db.00x files         Used internally by the database and should not be moved, deleted, or modified in any way.
log.xxxxxxxxxx files Used to store the transaction logs per database.
DBVERSION            Used for storing the version of the database.
NetscapeRoot         Stores the o=NetscapeRoot database created by default when the setup-ds-admin.pl script is run.
4.5 LDIF files
The LDIF files exported by db2ldif or db2ldif.pl scripts in the instance directory are stored in /var/opt/dirsrv/slapd-instance_name/ldif.
4.6 Lock files
Each Directory Server instance contains a /var/opt/dirsrv/slapd-instance_name/lock directory for storing lock-related files. The following is a sample listing of the locks directory contents.
4.9 Tools
The Directory Server tools are stored in the following directories:
• /opt/dirsrv/bin
• /opt/dirsrv/sbin
The contents of those directories are listed below. Chapter 6 “Command-line utilities” has more information on command-line scripts.
Example 4-5 /opt/dirsrv/bin contents
dbscan
dbscan-bin
ldif
ldif-bin
Example 4-6 /opt/dirsrv/sbin contents
ds_removal
ds_unregister
migrate-ds-admin.pl
register-ds-admin.pl
setup-ds-admin.pl
setup-ds.
5 Log file reference
The HP-UX Directory Server (Directory Server) provides logs to help monitor directory activity. Monitoring helps to detect and remedy failures quickly and, where done proactively, to anticipate and resolve potential problems before they result in failure or poor performance. Part of monitoring the directory effectively is understanding the structure and content of the log files. This chapter does not provide an exhaustive list of log messages.
256      Logging for access to an entry.
512      Logging for access to an entry and referrals.
131072   Precise timing of operation duration. This gives microsecond resolution for the Elapsed Time item in the access log.
These levels are additive, so to enable several different kinds of logging, add the values of those levels together. For example, to log internal access operations, entry access, and referrals, set the value of nsslapd-accesslog-level to 516 (512+4).
5.1.
5.1.2.3 Slot number
The slot number, in this case slot=608, is a legacy part of the access log; it has the same meaning as file descriptor. Ignore this part of the access log.
[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from xxx.xxx.xxx.xxx to 192.18.122.139
5.1.2.4 Operation number
To process a given LDAP request, Directory Server will perform the required series of operations.
Table 5-1 Commonly-used tags (continued)
Tag       Description
tag=107   A result from a delete operation.
tag=109   A result from a moddn operation.
tag=111   A result from a compare operation.
tag=115   A search reference when the entry on which the search was performed holds a referral to the required entry. Search references are expressed in terms of a referral.
tag=120   A result from an extended operation.
5.1.2.12 LDAP response type
The LDAP response type indicates the LDAP response being issued by the LDAP client. There are three possible values:
• RESULT
• ENTRY
• REFERRAL, an LDAP referral or search reference
5.1.2.13 Unindexed search indicator
The unindexed search indicator, notes=U, indicates that the search performed was unindexed, which means that the database itself had to be directly searched instead of the index file.
1   For one-level search
2   For subtree search
For more information about search scopes, see "Using ldapsearch" in Appendix B, "Finding Directory Entries", in the HP-UX Directory Server administrator guide.
5.1.2.16 Extended operation OID
An extended operation OID, in this case either EXT oid="2.16.840.1.113730.3.5.3" or EXT oid="2.16.840.1.113730.3.5.5", provides the OID of the extended operation being performed.
targetop=NOTFOUND indicates the operation to be aborted was either an unknown operation or already complete.
5.1.2.19 Message ID
The message ID, in this case msgid=2, is the LDAP operation identifier, as generated by the LDAP SDK client. The message ID may have a different value from the operation number but it identifies the same operation. The message ID is used with an ABANDON operation and tells the user which client operation is being abandoned.
Example 5-2 Access log extract with internal access operations level (level 4)
[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-referral" options=persistent
[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
[12/Jul/2009:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="objectclass=
Table 5-3 Common connection codes
Connection code   Description
A1                Client aborts the connection.
B1                Corrupt BER tag encountered. If BER tags, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log. BER tags can be corrupted due to physical layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results.
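The access log fields described in this section (conn=, op=, fd=, slot=, the RESULT line with err=, tag=, nentries= and etime=, the notes=U unindexed-search indicator, and the connection close codes of Table 5-3) are easy to pull apart with a small parser. The following Python is an added example written for this page, not an HP script; the sample log lines are constructed to follow the format shown above and do not come from a real server. It reports unindexed searches, failed binds (matched to their BIND line rather than by tag) and how each connection was closed, which is the kind of summary an operator wants before reaching for the logconv.pl script described in chapter 7.

```python
"""Pull the events an operator cares about out of Directory Server access log lines."""
import re
from collections import Counter

# Constructed sample in the access log format described in this chapter; these
# lines are not from a real server. Connection 11 runs an unindexed subtree search
# and is then aborted by the client (close code A1); connection 12 fails its bind
# and then sends a corrupt BER tag (close code B1).
SAMPLE_ACCESS_LOG = """\
[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 192.0.2.10 to 192.18.122.139
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 BIND dn="uid=jsmith,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:52 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(description=*smith*)" attrs=ALL
[21/Apr/2009:11:39:55 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=5000 etime=3 notes=U
[21/Apr/2009:11:39:56 -0700] conn=11 op=2 ABANDON targetop=NOTFOUND msgid=2
[21/Apr/2009:11:39:56 -0700] conn=11 op=-1 fd=608 closed - A1
[21/Apr/2009:11:40:02 -0700] conn=12 fd=610 slot=610 connection from 192.0.2.11 to 192.18.122.139
[21/Apr/2009:11:40:02 -0700] conn=12 op=0 BIND dn="uid=jsmith,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:40:02 -0700] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:40:03 -0700] conn=12 op=-1 fd=610 closed - B1
"""

# Connection close codes from Table 5-3.
CLOSE_CODES = {"A1": "client aborted the connection", "B1": "corrupt BER tag"}

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\S+)'
    r'(?: op=(?P<op>-?\d+))?(?: fd=(?P<fd>\d+))?(?: slot=(?P<slot>\d+))? ?(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
CLOSE_RE = re.compile(r'\bclosed - (?P<code>[A-Z]\d)')


def parse_line(line):
    """Split one access log line into its timestamp, connection/operation numbers,
    leading verb (BIND, SRCH, RESULT, ...) and key=value fields. Returns None for
    lines that are not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    close = CLOSE_RE.search(rest)
    return {
        "ts": m.group("ts"),
        "conn": m.group("conn"),
        "op": int(m.group("op")) if m.group("op") is not None else None,
        "fd": m.group("fd"),
        "slot": m.group("slot"),      # legacy field, same meaning as fd
        "verb": rest.split(" ", 1)[0] if rest else "",
        "fields": {k: v.strip('"') for k, v in KV_RE.findall(rest)},
        "close_code": close.group("code") if close else None,
    }


def summarize(text):
    """Walk a log and report unindexed searches (notes=U), failed binds and how
    connections were closed."""
    unindexed, bind_failures, closes = [], Counter(), Counter()
    pending_binds = set()             # (conn, op) pairs whose RESULT is still to come
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        f = rec["fields"]
        if rec["verb"] == "BIND":
            pending_binds.add(key)
        elif rec["verb"] == "RESULT":
            if "U" in f.get("notes", ""):
                unindexed.append((rec["conn"], rec["op"], int(f.get("etime", "0"))))
            if key in pending_binds:
                pending_binds.discard(key)
                if f.get("err", "0") != "0":
                    bind_failures[rec["conn"]] += 1
        if rec["close_code"]:
            closes[rec["close_code"]] += 1
    return {
        "unindexed": unindexed,
        "bind_failures": dict(bind_failures),
        "close_codes": {c: (n, CLOSE_CODES.get(c, "unknown")) for c, n in closes.items()},
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_ACCESS_LOG).items():
        print(name, value)
```

Run it against a real access log by reading the file and passing its contents to summarize(); an unindexed search with a large etime is the usual sign that an attribute used in a filter needs an index (see nsIndexType in chapter 3), and a run of failed binds on one connection is worth correlating with the error log.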
Table 5-4 Error log levels (continued)
Setting   Console name                Description
          Connection management       Logs the current connection status, including the connection methods used for a SASL bind.
16        Packets sent/received       Print out the numbers of packets sent and received by the server.
32        Search filter processing    Logs all the functions called by a search operation.
64        Config file processing      Prints any .conf configuration files used with the server, line by line, when the server is started.
Example 5-3 Error log excerpt
[05/Aug/2009:02:27:22 -0500] slapi_ldap_bind - Error: could not send bind request for id [cn=repl manager,cn=config] mech [SIMPLE]: error 91 (Can't connect to the LDAP server)
[06/Aug/2009:17:52:04 -0500] schemareload - Schema reload task starts (schema dir: default) ...
[06/Aug/2009:17:52:04 -0500] schemareload - Schema validation passed.
[06/Aug/2009:17:52:04 -0500] schemareload - Schema reload task finished.
Example 5-4 Replication error log entry
[09/Aug/2009:13:44:48 -0500] - _csngen_adjust_local_time: gen state before 496799220001:1231526178:0:0
[09/Aug/2009:13:44:48 -0500] - _csngen_adjust_local_time: gen state after 49679b200000:1231526688:0:0
[09/Aug/2009:13:44:48 -0500] NSMMReplicationPlugin ruv_add_csn_inprogress: successfully inserted csn 49679b20000000010000 into pending list
[09/Aug/2009:13:44:48 -0500] NSMMReplicationPlugin - Purged state information from entry uid=mreynolds,ou=People, dc=exampl
Plug-in logging records the name of the plug-in and all the functions called by the plug-in. This has a simple format:
[timestamp] Plugin_name - message
[timestamp] - function - message
The information returned can be hundreds of lines long as every step is processed. The precise information recorded depends on the plug-in itself. For example, the ACL Plug-in includes a connection and operation number, as shown in Example 5-5 “Example ACL plug-in error log entry with plug-in logging”.
Example 5-6 Config file processing log entry
[09/Aug/2009:16:08:18 -0500] - reading config file /etc/opt/dirsrv/slapd-instance_name/slapd-collations.conf
[09/Aug/2009:16:08:18 -0500] - line 46: collation "" "" "" 2.16.840.1.113730.3.3.2.0.1 default
[09/Aug/2009:16:08:18 -0500] - line 57: collation en "" "" 2.16.840.1.113730.3.3.2.11.1 en en-US
[09/Aug/2009:16:08:18 -0500] - line 58: collation en CA "" 2.16.840.1.113730.3.3.2.12.1 en-CA
[09/Aug/2009:16:08:18 -0500] - line 59: collation en GB "" 2.16.840.1.
Example 5-8 Audit log content
... modifying an entry ...
time: 20090108181429
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}8EcJhJoIgBgY/E5j8JiVoj6W3BLyj9Za/rCPOw==
replace: modifiersname
modifiersname: cn=directory manager
replace: modifytimestamp
modifytimestamp: 20090108231429Z
... modifications to o=NetscapeRoot from logging into the Console ...
time: 20090108182758
dn: cn=general,ou=1.
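Because the audit log is written as LDIF change records with a time: line in front of each, it can be parsed with a few lines of code and used to answer questions such as "whose passwords were reset, and by whom?". The following Python is an added example for this page, not an HP tool; the sample records are constructed in the layout of Example 5-8 (the {SSHA} value is a placeholder, not a real digest, and the "-" lines between modifications and the blank line between records are assumed, as in standard LDIF).

```python
"""Parse Directory Server audit log records and flag userPassword changes."""
import base64

# Constructed sample in the audit log layout shown in Example 5-8 (LDIF change
# records preceded by a time: line); not taken from a real server. The hash value
# is a placeholder, not a real {SSHA} digest.
SAMPLE_AUDIT_LOG = """\
time: 20090108181429
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}PLACEHOLDERPLACEHOLDERPLACEHOLDER==
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20090108231429Z
-

time: 20090108182000
dn: uid=tmorris,ou=people,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: +1 555 0100
-
replace: modifiersname
modifiersname: uid=tmorris,ou=people,dc=example,dc=com
-
"""


def _parse_record(lines):
    """Turn the lines of one change record into a dict: time, dn, changetype,
    the list of (operation, attribute) modifications and the attribute values."""
    rec = {"mods": [], "attrs": {}}
    for line in lines:
        if line == "-":                      # separator between modifications
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if value.startswith(":"):            # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if key in ("time", "dn", "changetype"):
            rec[key] = value
        elif key in ("add", "replace", "delete"):
            rec["mods"].append((key, value))
        else:
            rec["attrs"].setdefault(key.lower(), []).append(value)
    return rec


def parse_audit_log(text):
    """Split the audit log into records; records are separated by blank lines and
    comment lines starting with '#' are ignored."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(_parse_record(current))
                current = []
            continue
        current.append(line)
    if current:
        records.append(_parse_record(current))
    return records


def password_changes(records):
    """Return (time, dn, modifiersname) for every modify that touched userPassword,
    so that password resets can be reviewed against who performed them."""
    out = []
    for rec in records:
        if rec.get("changetype") != "modify":
            continue
        if any(attr.lower() == "userpassword" for _, attr in rec["mods"]):
            by = rec["attrs"].get("modifiersname", ["(unknown)"])[0]
            out.append((rec.get("time"), rec.get("dn"), by))
    return out


if __name__ == "__main__":
    for change in password_changes(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(change)
```

The modifiersname value is the useful part for review: a password replaced by an administrative DN rather than by the entry's own DN is a reset, not a user-initiated change, and a batch of them in a short window is worth a second look.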
Table 5-5 LDAP result codes (continued)
Result code   Defined value                     Result code   Defined value
3             TIME_LIMIT_EXCEEDED               50            INSUFFICIENT_ACCESS_RIGHTS
4             SIZE_LIMIT_EXCEEDED               51            BUSY
5             COMPARE_FALSE                     52            UNAVAILABLE
6             COMPARE_TRUE                      53            UNWILLING_TO_PERFORM
7             AUTH_METHOD_NOT_SUPPORTED         54            LOOP_DEFECT
8             STRONG_AUTH_REQUIRED              64            NAMING_VIOLATION
9             LDAP_PARTIAL_RESULTS              65            OBJECT_CLASS_VIOLATION
10            REFERRAL (LDAP v3)                66            NOT_ALLOWED_ON_NONLEAF
11            ADMIN_LIMIT_EXCEEDED (LDAP v3)    67            NOT
6 Command-line utilities
This chapter contains reference information on command-line utilities used with the HP-UX Directory Server (Directory Server). These command-line utilities make it easy to perform administration tasks on the Directory Server.
6.1 Finding and executing command-line utilities
For HP-UX Directory Server documentation, the LDAP tools used in the examples, such as ldapsearch and ldapmodify utilities, are the Mozilla LDAP tools.
6.4 ldapsearch
The configurable utility named ldapsearch locates and retrieves directory entries through LDAP. This utility opens a connection to the specified server using the specified distinguished name and password and locates entries based on a specified search filter. Search scopes can include a single entry, an entry's immediate subentries, or an entire tree or subtree. Search results are returned in LDIF format.
Table 6-3 Commonly-used ldapsearch options
Option   Description
-b       Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks.
Table 6-3 Commonly-used ldapsearch options (continued)
Option   Description
-x       Specifies that the search results are sorted on the server rather than on the client. This is useful to sort according to a matching rule, as with an international search. In general, it is faster to sort on the server rather than on the client.
-z       Specifies the maximum number of entries to return in response to a search request.
In addition to the standard options to the ldapsearch command, such as the base (-b), scope (-s), and filter, the following options are required to run an ldapsearch command using SSL:
• -p with the Directory Server secure port
• -Z to specify to use SSL (or, alternatively, -ZZ or -ZZZ to specify Start TLS)
• -P to give the certificate database's file name and path
• -N to give the SSL certificate name
• -K to specify the private key database's file name and path
• -W to give the password to the private key da
To learn which SASL mechanisms are supported, search the root DSE. See the -b option in Table 6-3 “Commonly-used ldapsearch options”.
Table 6-6 SASL options
Option   Description
-o       Specifies SASL options. The format is -o saslOption=value.
Table 6-7 Description of CRAM-MD5 mechanism options
Required or optional   Option                 Description                                        Example
Required               mech=CRAM-MD5          Gives the SASL mechanism.                          -o "mech=CRAM-MD5"
Required               authid=authid_value    Gives the ID used to authenticate to the server.   -o "authid=dn:uid=msmith, ou=People, dc=example, dc=com"
                                              authid_value can be any of the following:
                                              • UID. For example, msmith.
                                              • u: uid. For example, u: msmith.
                                              • dn: dn_value. For example, see the Example column.
Table 6-7 Description of CRAM-MD5 mechanism options (continued)
Required or optional   Option                 Description
                                              The secprop attribute sets the security properties for the connection. The secprop value can be any of the following:
                                              • None
                                              • noplain: Do not permit mechanisms susceptible to simple passive attack.
                                              • noactive: Do not permit mechanisms susceptible to active attacks.
                                              • nodict: Do not permit mechanisms susceptible to passive dictionary attacks.
                                              • forwardsec: Require forward secrecy.
Table 6-7 Description of CRAM-MD5 mechanism options (continued)
Required or optional   Option                 Description                                        Example
                                              • maxbufsize: Set the maximum receive buffer size the client will accept when using integrity or privacy settings.
6.
Table 6-8 Description of DIGEST-MD5 SASL mechanism options
Required or optional   Option                 Description                                        Example
Required               mech=DIGEST-MD5        Gives the SASL mechanism.                          -o "mech=DIGEST-MD5"
Required               authid=authid_value    Gives the ID used to authenticate to the server.   -o "authid=dn:uid=msmith,ou=People,o=example.com"
                                              authid_value can be the following:
                                              • UID. For example, msmith.
                                              • u: uid. For example, u: msmith.
                                              • dn: dn_value. For example, see the Example column.
Table 6-9 Description of GSSAPI SASL mechanism options
Required or optional   Option                 Description                                        Example
Required               mech=GSSAPI            Gives the SASL mechanism.                          -o "mech=GSSAPI"
                                              NOTE: Have the Kerberos ticket before issuing a GSS-API request.
Optional               secprop=value          The secprop attribute sets the security properties for the connection.   -o "secprop=noplain,noanonymous,
Table 6-10 Additional ldapsearch options (continued)
Option   Description
-f       Specifies the file containing the search filters to be used in the search. For example: -f search_filters
         option to supply a search filter directly to the command line. For more information about search filters, see Appendix B, "Finding Directory Entries", in the HP-UX Directory Server administrator guide.
-G       Conducts a virtual list view search.
Table 6-10 Additional ldapsearch options (continued)
Option   Description
-S       Specifies the attribute to use as the sort criteria. For example: -S sn
         Use multiple -S arguments to further define the sort order. In the following example, the search results will be sorted first by surname, then by given name: -S sn -S givenname
         The default is not to sort the returned entries.
-T       Specifies that no line breaks should be used within individual values in the search results.
Table 6-11 Commonly-used ldapmodify options (continued)
Option   Description
-D       Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries. For example: -D "uid=bjensen, dc=example,dc=com"
         This option cannot be used with the -N option.
-f       Option that specifies the file containing the LDIF update statements used to define the directory modifications.
Table 6-12 ldapmodify SSL options (continued)
Option   Description
-N       Specifies the certificate name to use for certificate-based client authentication. For example: -N Server-Cert
         If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified on -D and -w.
6.5.5 Additional ldapmodify options
Table 6-14 Additional ldapmodify options
Option   Description
-b       Causes the utility to check every attribute value to determine whether the value is a valid file reference. If the value is a valid file reference, then the content of the referenced file is used as the attribute value. This is often used for specifying a path to a file containing binary data, such as JPEG. For example, to add a jpegPhoto attribute, specify the -b option on the ldapmodify call.
• “ldapdelete SASL options” (page 206)
• “Additional ldapdelete options” (page 207)
6.6.1 ldapdelete syntax
ldapdelete [optional_options]
6.6.2 Commonly-used ldapdelete options
Table 6-15 Commonly-used ldapdelete options
Option   Description
-D       Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries.
Table 6-16 ldapdelete SSL options (continued)
Option   Description
-K       Specifies the path, including the file name, of the private key database of the client. Either the absolute or relative (to the server root) path can be used. The -K option must be used when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database, the cert8.db file (the path for which is specified with the -P option).
See “ldapsearch SASL options” for the ldapsearch utility for information on how to use SASL options with the ldapdelete command.
6.6.5 Additional ldapdelete options
Table 6-18 Additional ldapdelete options
Option   Description
-c       Specifies that the utility must run in continuous operation mode. Errors are reported, but the utility continues with deletions. The default is to quit after reporting an error.
-f       Specifies the file containing the distinguished names of entries to be deleted.
6.7.2 ldappasswd-specific options
Table 6-19 ldappasswd-specific options
Option   Description
-A       Specifies that the command should prompt for the user's existing password.
-a       Specifies the user's existing password. For example: -a old_password
-S       Specifies that the command should prompt for a new password for the user.
-s       Specifies a new password for the user. For example: -S new_password
-T       Specifies a file from which to read the new password. For example: -T new_password.
Table 6-20 General ldappasswd options (continued)
Option   Description
-K       Specifies the path, including the file name, of the private key database of the client. This can be the absolute or relative (to the server root) path. The -K option must be used when the key database is not called key3.db or when the key database is not in the same directory as the certificate database (that is, the cert8.db file, the path for which is specified with the -P option).
Table 6-21 SASL options
Option   Description
-o       Specifies SASL options. The format is -o saslOption=value. saslOption can have one of six values:
         • mech, the SASL authentication mechanism
         • authid, the user who is binding to the server (Kerberos principal)
         • authzid, a proxy authorization (ignored by the server since proxy authorization is not supported)
         • secProp, the security properties
         • realm, the Kerberos realm
         • flags
         The expected values depend on the supported mechanism.
Example 6-1 Directory Manager changing a user's password over SSL
The Directory Manager changes the password of the user uid=tuser1,ou=People,dc=example,dc=com to new_password over SSL.
# ldappasswd -Z -h myhost \
    -P /etc/opt/dirsrv/slapd-instance_name/cert8.
The ldif command automatically formats LDIF files and creates base-64 encoded attribute values. Base-64 encoding makes it possible to represent binary data, such as a JPEG image, in LDIF. Base-64 encoded data is represented using a double colon (::) symbol. For example:
jpegPhoto:: encoded data
In addition to binary data, other values that must be base-64 encoded can be identified with other symbols, including the following:
• Any value that begins with a space.
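The rule the ldif command applies is the SAFE-STRING test of RFC 2849: a value is written as "attr: value" only if it is printable ASCII, does not start with a space, a colon or "<", does not end with a space and contains no NUL, CR or LF; anything else goes out as "attr:: base64". The following Python is an added example written for this page, not the ldif tool or any HP code; it generalises the leading-space case listed above to the full RFC rule, and the encoder and decoder are both shown so that the pair can be checked against each other.

```python
"""Decide when an LDIF attribute value must be base-64 encoded, and encode/decode it."""
import base64

# RFC 2849 SAFE-STRING rules. A leading space is the case the text above lists;
# the leading ':' and '<', trailing space, control characters and non-ASCII
# bytes are the remaining cases from the RFC.
_UNSAFE_LEADING = b" :<"
_UNSAFE_ANYWHERE = {0x00, 0x0A, 0x0D}


def needs_base64(value: bytes) -> bool:
    """True if the value cannot be written as a plain 'attr: value' line."""
    if not value:
        return False
    if value[0] in _UNSAFE_LEADING:          # leading space, colon or '<'
        return True
    if value.endswith(b" "):                 # a trailing space would be lost by readers
        return True
    return any(b > 0x7F or b in _UNSAFE_ANYWHERE for b in value)


def ldif_line(attr: str, value) -> str:
    """Format one attribute line, using 'attr:: base64' when needed.
    str values are encoded as UTF-8; bytes (for example a JPEG) are used as-is."""
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    if needs_base64(raw):
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {raw.decode('ascii')}"


def ldif_entry(dn: str, attrs) -> str:
    """Render a whole entry; attrs is a list of (attr, value) pairs. The dn line
    obeys the same encoding rule as any other attribute."""
    lines = [ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def parse_ldif_line(line: str):
    """Inverse of ldif_line: returns (attr, value as bytes)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode("ascii")


if __name__ == "__main__":
    print(ldif_entry("uid=jsmith,ou=People,dc=example,dc=com",
                     [("cn", "John Smith"), ("description", " indented"),
                      ("jpegPhoto", b"\xff\xd8\xff")]), end="")
```

Note that the decoder strips the space after the colon and any trailing whitespace, which is exactly why values that begin or end with a space have to be base-64 encoded on the way out.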
6.9.2 dbscan options
Table 6-23 Common options
Option   Parameter   Description
-f       filename    Specifies the name of the database file, the contents of which are to be analyzed and extracted. This option is required.
-R                   Dump the database as raw data.
-t       size        Specifies the entry truncate size (in bytes).
NOTE: The options listed in Table 6-24 “Entry file options” are meaningful only when the database file is id2entry.db4.
Example 6-7 Dumping the entry file
# dbscan -f /var/opt/dirsrv/slapd-instance_name/db/userRoot/id2entry.db4
Example 6-8 Displaying VLV index file contents
# dbscan -r -f /var/opt/dirsrv/slapd-instance_name/db/userRoot/vlv#bymccoupeopledcpeopledccom.db4
Example 6-9 Displaying the index keys in cn.db4
# dbscan -f /var/opt/dirsrv/slapd-instance_name/db/userRoot/cn.db4
Example 6-10 Displaying the index keys and the count of entries with the key in mail.
7 Command-line scripts
This chapter provides information on the scripts for managing the HP-UX Directory Server, such as backing-up and restoring the database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A “Using the ns-slapd command-line utilities”.
7.1 Finding and executing command-line scripts
Most scripts are located in the /opt/dirsrv/slapd-instance_name directory, though a few are located in the /opt/dirsrv/bin directory.
Table 7-2 Perl scripts in /opt/dirsrv/slapd-instance_name
Perl script     Description
bak2db.pl       Restores the database from the most recent archived backup.
db2bak.pl       Creates a backup of the current database contents.
db2index.pl     Creates and regenerates indexes.
db2ldif.pl      Exports the contents of the database to LDIF.
ldif2db.pl      Imports LDIF files to a database and runs the ns-slapd command-line utility with the ldif2db keyword.
ns-accountstatus.
• “start-slapd (Starts the Directory Server)”
• “stop-slapd (Stops the Directory Server)”
• “suffix2instance (Maps a suffix to a backend name)”
• “vlvindex (Creates virtual list view indexes)”
Some of the shell scripts can be executed while the server is running. For others, the server must be stopped. The description of each script below indicates whether the server must be stopped or if it can continue to run while executing the script.
Table 7-5 cl-dump options (continued)
Option           Description
-o outputFile    Specifies the path, including the file name, for the final result. Defaults to STDOUT if omitted.
-p port          Specifies the Directory Server's port. The default value is 389.
-P bindCert      Specifies the path, including the file name, to the certificate database that contains the certificate used for binding.
-r replicaRoots  Specifies the replica-roots whose changelog to dump.
7.3.4 db2bak (Creates a backup of a database)
Creates a backup of the current database contents. This script can be executed while the server is still running.
Syntax
db2bak [ backupDirectory]
For information on the equivalent Perl script, see “db2bak.pl (Creates a backup of a database)”.
7.3.5 db2ldif (Exports database contents to LDIF)
Exports the contents of the database to LDIF. This script can be executed while the server is still running, except with the -r option.
7.3.6 db2index (Reindexes database index files)
Reindexes the database index files. Ellipses indicate that multiple occurrences are allowed. For information on the equivalent Perl script, see “db2index.pl (Creates and generates indexes)”.
Table 7-9 ldif2db options
Option      Description
-c          Merges chunk size.
-E          Encrypts data during import. This option is used only if database encryption is enabled.
-g string   Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated.
pwdhash [ -D config_directory] [ -H ] [[ -s scheme ] | [ -c comparepwd ]] [ password ]
Options
Table 7-11 pwdhash options
Option                Description
-D config_directory   Gives the full path to the configuration directory.
-c password           Gives the hashed password string to which to compare the user's password.
-s scheme             Gives the scheme to hash the given password.
-H                    Shows the help.
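The two jobs pwdhash does, hashing a password under a scheme (-s) and checking a password against a stored hash (-c), are shown below for the {SSHA} scheme that appears in the audit log example of chapter 5. This Python is an added example for this page, not the pwdhash utility or HP code; it assumes the common {SSHA} layout of base64(SHA-1(password + salt) + salt) with an 8-byte salt, and the split of digest and salt on decode is what makes the comparison work without ever storing the salt separately.

```python
"""Create and verify {SSHA} password values of the kind stored in userPassword."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # bytes in a SHA-1 digest; whatever follows it in the blob is the salt


def split_scheme(stored: str):
    """'{SSHA}abc...' -> ('SSHA', 'abc...'); raises if there is no {scheme} prefix."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("password value has no {scheme} prefix")
    end = stored.index("}")
    return stored[1:end].upper(), stored[end + 1:]


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1: base64(sha1(password + salt) + salt), prefixed with {SSHA}.
    A fresh random salt is drawn unless one is supplied (fixed salts are for tests
    only; the salt is what keeps two users with the same password from sharing a hash)."""
    if salt is None:
        salt = os.urandom(8)                 # assumed salt length for this example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the salt recovered from the stored value and compare
    in constant time; this is what a -c style comparison has to do."""
    scheme, encoded = split_scheme(stored)
    if scheme != "SSHA":
        raise ValueError(f"unsupported scheme {scheme}")
    blob = base64.b64decode(encoded)
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ssha_hash("example-password")
    print(stored, ssha_verify("example-password", stored), ssha_verify("wrong", stored))
```

Because the salt is recovered from the stored value, verification needs nothing but the userPassword string itself, which is also why the audit log entry in chapter 5 can carry the whole credential on one line.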
• The connection parameters for connecting to the LDAP servers to get replication information; specifying this information is mandatory.
• The server alias for more readable server names; specifying this information is optional.
• The color thresholds for time lags; specifying this information is optional.
The format for the configuration file is shown below.
[connection]
host:port:binddn:bindpwd:bindcert
host:port:binddn:bindpwd:bindcert
...
[alias]
alias = host:port
alias = host:port
...
M1 = host1.example.com:10011
C1 = host4.example.com:10021
C2 = host2.example.com:10022
[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC
A shadow port can be set in the replication monitor configuration file. For example:
host:port=shadowport:binddn:bindpwd:bindcert
When the replication monitor finds a replication agreement that uses the specified port, it will use the shadow port to connect to retrieve statistics.
7.3.12 restart-slapd (Restarts the Directory Server)
Restarts the Directory Server.
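Returning to the replication monitor configuration file described above: its three sections ([connection], [alias] and [color]) and the port=shadowport form are simple enough to parse in a few lines, and doing so makes the semantics concrete. The following Python is an added example for this page, not the repl-monitor script or any HP code. The sample file is constructed (the bind password is a placeholder), and two points are assumptions of this example rather than statements from the page: a color threshold is taken to mean "use this color once the lag is at least this many seconds", and binddn values are assumed not to contain colons.

```python
"""Parse the replication monitor configuration file format: [connection], [alias], [color]."""

# Constructed sample in the format described above; the password is a placeholder.
SAMPLE_CONFIG = """\
[connection]
host1.example.com:10011:cn=directory manager:PLACEHOLDER_PASSWORD:
host4.example.com:10021=10389:cn=directory manager:PLACEHOLDER_PASSWORD:/etc/opt/dirsrv/slapd-instance_name/cert8.db
[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC
"""


def parse_repl_monitor_config(text):
    """Return {'connection': [...], 'alias': {...}, 'color': [(threshold, color), ...]}.
    Connection lines are host:port[=shadowport]:binddn:bindpwd:bindcert; an empty
    bindcert field becomes None."""
    cfg = {"connection": [], "alias": {}, "color": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "connection":
            parts = line.split(":", 4)          # assumes no ':' inside binddn or bindpwd
            if len(parts) != 5:
                raise ValueError(f"bad connection line: {raw!r}")
            host, port_spec, binddn, bindpwd, bindcert = parts
            port, _, shadow = port_spec.partition("=")
            cfg["connection"].append({
                "host": host, "port": int(port),
                "shadow_port": int(shadow) if shadow else None,
                "binddn": binddn, "bindpwd": bindpwd, "bindcert": bindcert or None})
        elif section == "alias":
            alias, _, target = line.partition("=")
            host, _, port = target.strip().partition(":")
            cfg["alias"][alias.strip()] = (host, int(port))
        elif section == "color":
            threshold, _, color = line.partition("=")
            cfg["color"].append((int(threshold.strip()), color.strip()))
        else:
            raise ValueError(f"line outside any section: {raw!r}")
    cfg["color"].sort()
    return cfg


def connection_for(cfg, host, port):
    """Find the connection entry for the host:port named in a replication agreement
    and add connect_port, which is the shadow port when one is configured."""
    for conn in cfg["connection"]:
        if conn["host"] == host and conn["port"] == port:
            return dict(conn, connect_port=conn["shadow_port"] or conn["port"])
    return None


def color_for_lag(cfg, lag_seconds):
    """Highest threshold not exceeding the lag wins (assumed semantics of [color])."""
    chosen = None
    for threshold, color in cfg["color"]:
        if lag_seconds >= threshold:
            chosen = color
    return chosen


def display_name(cfg, host, port):
    """Alias for host:port if one is defined, else the raw host:port."""
    for alias, target in cfg["alias"].items():
        if target == (host, port):
            return alias
    return f"{host}:{port}"


if __name__ == "__main__":
    cfg = parse_repl_monitor_config(SAMPLE_CONFIG)
    print(connection_for(cfg, "host4.example.com", 10021)["connect_port"])
    print(display_name(cfg, "host1.example.com", 10011), color_for_lag(cfg, 7))
```

The connection section holds bind credentials in clear text, so the file deserves the same file permissions as the server's own configuration directory.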
7.3.15 start-slapd (Starts the Directory Server)
Starts the Directory Server. It might be a good idea to check whether the server has been effectively started using the ps command because it could sometimes be that the script returned while the startup process was still on-going, resulting in a confusing message.
Syntax
start-slapd
Options
There are no options for this script.
Exit status codes
Table 7-14 start-slapd exit status codes
Exit Code   Description
0           Server started successfully.
vlvindex [ -d debugLevel] [[ -n backendInstance] | [ -s suffix]] [ -T vlvTag]
Options
Either the -n or the -s option must be specified.
Table 7-17 vlvindex options
Option               Description
-d debugLevel        Specifies the debug level to use during index creation. Debug levels are defined in “nsslapd-errorlog-level (Error log level)”
-n backendInstance   Gives the name of the database containing the entries to index.
-s suffix            Gives the name of the suffix containing the entries to index.
Table 7-18 bak2db.pl options (continued)
Option               Description
-n backendInstance   Specifies the backend name, such as userRoot, which is being restored. This option is only used for filesystem replica initialization or to restore a single database; it is not necessary to use the -n option to restore the entire directory.
-t databaseType      The database type. The only possible database type is ldbm.
-v                   Verbose mode.
-w password          The password associated with the user DN.
7.4.2 cl-dump.
Options
The script db2bak.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option. Currently, the only possible database type is ldbm.
Table 7-20 db2bak.pl options
Option       Description
-a dirName   The directory where the backup files will be stored. The /var/opt/dirsrv/slapd-instance_name/bak directory is used by default. The backup file is named according to the year-month-day-hour format (YYYY_MM_DD_hhmmss).
db2ldif.pl [ -v] -D rootdn { -w password | -w - | -j filename } { -nbackendInstance | -s includeSuffix ... } [ -x excludeSuffix ... ] [ -a outputFile] [ -N ] [ -r ] [ -C ] [ -u ] [ -U ] [ -m ] [ -E ] [ -1 ] [ M ] Options To run this script, the server must be running, and either the -n or -s option is required. Table 7-22 db2ldif.pl options Option Description -1 Deletes, for reasons of backward compatibility, the first line of the LDIF file that gives the version of the LDIF standard.
Table 7-23 fixup-memberof.pl options
  Option     Description
  -b baseDN  The DN of the subtree containing the entries to update.
  -D rootdn  Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-rootdn attribute under cn=config.
  -f filter  An LDAP search filter used to select the entries within the subtree to update. If no filter is set, the memberOf attribute is regenerated for every entry in the subtree.
Table 7-24 ldif2db.pl options (continued)
  Option            Description
  -O                Requests that only the core database is created, without attribute indexes.
  -s includeSuffix  Specifies the suffixes to be included, or the subtrees to be included if -n has been used.
  -v                Specifies verbose mode.
  -w password       Specifies the password associated with the user DN.
  -w -              Prompts for the password associated with the user DN.
  -x excludeSuffix  Specifies the suffixes to be excluded.

7.4.8 logconv.
base DNs, filter strings, and attributes returned can help administrators optimize the directory for its users. These lists are optional because they are computationally intensive: specify only the command-line options required (see “Options”). Some information extracted by the logconv.pl script is available only in logs from current releases of Directory Server; the corresponding values will be zero when analyzing logs from older versions.
Table 7-27 “logconv.pl options to display occurrences” describes the options that enable the optional lists of occurrences. Specify only those required; specifying a large number of options can produce excessive output and affect execution speed. These parameters can be specified in any number and in any order, but they must all be given together as a single option on the command line, such as -abcefg.
7.4.10 ns-activate.pl (Activates an entry or group of entries)

Activates an entry or group of entries.

Syntax
  ns-activate.pl [ -D rootdn ] [ -w password | -w - | -j filename ] [ -p port ] [ -h host ] -I DN [ -? ]

Options
Table 7-29 ns-activate.pl options
  Option     Description
  -D rootdn  Specifies the Directory Server user DN with root permissions, such as Directory Manager.
  -h host    Specifies the host name of the Directory Server.
Table 7-31 ns-newpwpolicy.pl options
  Option       Description
  -D rootdn    Specifies the Directory Server user DN with root permissions, such as Directory Manager. The default value is cn=directory manager.
  -h host      Specifies the host name of the Directory Server. The default value is localhost or the full host name of the machine where Directory Server is installed.
  -j filename  Specifies the path, including the file name, to the file that contains the password associated with the user DN.
• The connection parameters for connecting to the LDAP servers to get replication information; specifying this information is mandatory.
• The server alias for more readable server names; specifying this information is optional.
• The color thresholds for time lags; specifying this information is optional.

The format for the configuration file is shown below.

  [connection]
  host:port:binddn:bindpwd:bindcert
  host:port:binddn:bindpwd:bindcert
  ...
  [alias]
  alias = host:port
  alias = host:port
  ...
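To show the configuration format above in use, here is a small parser for it, added as an example and not part of the HP-UX Directory Server distribution. It also accepts the host:port=shadowport form of a connection line that the replication monitor allows for a shadow port; the hostnames, ports and bind password in its sample file are constructed placeholders.

```python
"""Parser for the repl-monitor.pl config format above (added example, not product code)."""
import re

SAMPLE_CONFIG = """\
[connection]
host1.example.com:10011=20011:cn=directory manager:secret:
host4.example.com:10021:cn=directory manager:secret:
[alias]
M1 = host1.example.com:10011
[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC
"""

# host:port[=shadowport]:binddn:bindpwd:bindcert (bindpwd is cleartext)
_CONNECTION = re.compile(
    r"^(?P<host>[^:]+):(?P<port>\d+)(?:=(?P<shadow>\d+))?"
    r":(?P<binddn>[^:]*):(?P<bindpwd>[^:]*):(?P<bindcert>.*)$")

def parse_config(text):
    """Return {"connection": [...], "alias": {...}, "color": [(lag, hex)]}."""
    cfg = {"connection": [], "alias": {}, "color": []}
    section = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "connection":
            m = _CONNECTION.match(line)
            if not m:
                raise ValueError("bad connection line %r" % line)
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["shadow"] = int(entry["shadow"]) if entry["shadow"] else None
            cfg["connection"].append(entry)
        elif section == "alias":
            name, _, target = line.partition("=")
            cfg["alias"][name.strip()] = target.strip()
        elif section == "color":
            lag, _, hexcolor = line.partition("=")
            cfg["color"].append((int(lag.strip()), hexcolor.strip()))
        else:
            raise ValueError("line outside a known section: %r" % line)
    cfg["color"].sort()  # thresholds ascending, so the last match wins below
    return cfg

def connect_port(cfg, host, port):
    """Port the monitor uses for an agreement's host:port (shadow if set)."""
    for c in cfg["connection"]:
        if c["host"] == host and c["port"] == port:
            return c["shadow"] or c["port"]
    return port

def color_for_lag(cfg, lag_seconds):
    """Color of the highest threshold not exceeding the lag (None if below)."""
    chosen = None
    for threshold, hexcolor in cfg["color"]:
        if lag_seconds >= threshold:
            chosen = hexcolor
    return chosen
```

Because bindpwd is stored in cleartext, a wrapper that validates this file should also check that it is readable only by the account that runs the monitor.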
  [alias]
  M1 = host1.example.com:10011
  C1 = host4.example.com:10021
  C2 = host2.example.com:10022
  [color]
  0 = #ccffcc
  5 = #FFFFCC
  60 = #FFCCCC

A shadow port can be set in the replication monitor configuration file. For example:

  host:port=shadowport:binddn:bindpwd:bindcert

When the replication monitor finds a replication agreement that uses the specified port, it uses the shadow port to connect and retrieve statistics.

7.4.14 schema-reload.
IMPORTANT: Never run the verify-db.pl script while a modify operation is in progress. This command calls the BerkeleyDB utility db_verify and does not perform any locking, so running it at the same time as a modify can corrupt data. If that occurs, entries like the following are recorded in the error log:

  DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
  DB ERROR: db_verify: DB->verify: db/mstest2/uid.db4: DB_VERIFY_BAD: Database verification failed

Secondary index file uid.
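As an added example (not product code), the following scans an error log for the db_verify messages quoted above and reports which database file failed verification, so the condition can be alerted on rather than noticed by chance. The sample log lines are constructed, and the bracketed timestamp prefix is an assumption about the error log's line format.

```python
"""Find db_verify failures in a Directory Server error log (added example)."""
import re

# Constructed sample; the timestamp prefix is an assumed log-line format.
SAMPLE_ERROR_LOG = """\
[21/Sep/2009:10:02:11 +0200] - slapd started.
[21/Sep/2009:10:05:40 +0200] - DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
[21/Sep/2009:10:05:40 +0200] - DB ERROR: db_verify: DB->verify: db/mstest2/uid.db4: DB_VERIFY_BAD: Database verification failed
[21/Sep/2009:10:05:41 +0200] - slapd shutting down - signaling operation threads
"""

_DB_ERROR = re.compile(r"DB ERROR: db_verify: (?P<msg>.*)$")
_VERIFY_BAD = re.compile(r"DB->verify: (?P<file>.+?): DB_VERIFY_BAD: (?P<reason>.*)$")


def find_verify_failures(lines):
    """Return one {"file", "reason", "details"} dict per database that failed.

    Page-level messages (e.g. "Page 3527: out-of-order key at entry 42") are
    attached to the DB_VERIFY_BAD line that follows them, which names the file.
    """
    failures, pending = [], []
    for line in lines:
        m = _DB_ERROR.search(line)
        if not m:
            continue  # not a db_verify message
        msg = m.group("msg")
        bad = _VERIFY_BAD.match(msg)
        if bad:
            failures.append({"file": bad.group("file"),
                             "reason": bad.group("reason"),
                             "details": pending})
            pending = []
        else:
            pending.append(msg)
    return failures


def corrupt_index_files(log_text):
    """Names of the database files that failed verification, for alerting."""
    return [f["file"] for f in find_verify_failures(log_text.splitlines())]
```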
8 Support and other resources

8.1 Contacting HP

8.1.1 Information to collect before contacting HP

Be sure to have the following information available before you contact HP:
• Software product name
• Hardware product model number
• Operating system type and version
• Applicable error message
• Third-party hardware or software
• Technical support registration number (if applicable)

8.1.
8.2 Related information

8.2.1 HP-UX Directory Server documentation set

• HP-UX Directory Server release notes
  The release notes contain important information on new features, fixed bugs, known issues and workarounds, and other important information for this specific version of the HP-UX Directory Server.
• HP-UX Directory Server administrator guide
  This guide contains the information and procedures you need to maintain your Directory Server.
8.2.2 HP-UX documentation set

For the latest information about the HP-UX operating system, including current release notes, complete product documentation, technical notes, and white papers, see the HP-UX Operating Environments documentation sites for the version of HP-UX you use:
• HP-UX 11i v3 Operating Environments: http://docs.hp.com/en/oshpux11iv3.html
• HP-UX 11i v2 Operating Environments: http://docs.hp.com/en/oshpux11iv2.html

8.2.
  TIP  An alert that provides helpful information.
A Using the ns-slapd command-line utilities

Chapter 7 “Command-line scripts” discusses the scripts for performing routine administration tasks on the HP-UX Directory Server (Directory Server). This appendix discusses the ns-slapd command-line utilities that can be used to perform the same tasks.
Table A-1 db2ldif options (continued)
  Option            Description
  -N                Specifies that entry IDs are not to be included in the LDIF output. The entry IDs are necessary only if the output of the db2ldif command is to be used as input to the db2index command.
  -r                Exports replication state information. The server must be shut down before exporting using this option.
  -s includeSuffix  Specifies the suffix or suffixes to include in the export. There can be multiple -s arguments.
Table A-2 ldif2db options (continued)
  Option              Description
  -i ldifFile         Specifies the LDIF file to be imported. This option is required. There can be multiple -i arguments to import more than one LDIF file at a time. When importing multiple files, the server imports the LDIF files in the order they are specified on the command line.
  -n backendInstance  Specifies the name of the backend to be imported.
  -O                  Specifies that no attribute indexes are created for the imported database.
Options
Table A-5 db2index options
  Option         Description
  -d debugLevel  Specifies the debug level to use during index creation. For further information, refer to “nsslapd-errorlog-level (Error log level)”.
  -D configDir   Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/opt/dirsrv/slapd-instance_name.
Glossary

A

access control instruction
  See ACI.

access control list
  See ACL.

access rights
  In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy, and all.
bind distinguished name
  See bind DN.

bind DN
  Distinguished name used to authenticate to Directory Server when performing an operation.

bind rule
  In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information.

branch entry
  An entry that represents the top of a subtree in the directory.
CoS definition entry
  Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects.

CoS template entry
  Contains a list of the shared attribute values. See also template entry.

D

daemon
  A background process on a Unix machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning.

DAP
  Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory.
file type
  The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved as ASCII text format. File types are usually identified by the file extension (for example, .GIF or .HTML).

filter
  A constraint applied to a directory query that restricts the information returned.

filtered role
  Allows you to assign entries to the role depending upon the attribute contained by each entry. You do this by specifying an LDAP filter.
L

LDAP
  Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.

LDAP client
  Software used to request and view LDAP entries from an LDAP Directory Server. See also browser.

LDAP Data Interchange Format
  See LDIF.

LDAP URL
  Provides the means of locating Directory Servers using DNS, then completing the query through LDAP. A sample LDAP URL is ldap://ldap.example.com.
  are automatically replicated to the other server. In case of conflict, a time stamp is used to determine which server holds the most recent version.

multiplexor
  The server containing the database link that communicates with the remote server.

N

n + 1 directory problem
  The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs.

name collisions
  Multiple entries with the same distinguished name.
presence index
  Allows searches for entries that contain a specific indexed attribute.

protocol
  A set of rules that describes how devices on a network exchange information.

protocol data unit
  See PDU.

proxy authentication
  A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN.

proxy DN
  Used with proxied authorization.
S

SASL
  An authentication framework for clients as they attempt to bind to a directory. Also Simple Authentication and Security Layer.

schema
  Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.

schema checking
  Ensures that entries added or modified in the directory conform to the defined schema.
superuser
  The most privileged user available on Unix machines. The superuser has complete access privileges to all files on the machine. Also called root.

supplier
  Server containing the master copy of directory trees or subtrees that are replicated to replica servers.

supplier server
  In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.