Red Hat Directory Server 8.0

This reference documents the server configuration and command-line utilities provided with Red Hat Directory Server 8.0.
Red Hat Directory Server 8.0: Configuration, Command, and File Reference

Copyright © 2008 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later with the restrictions noted below (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/).
About This Reference ... xi
1. Directory Server Overview ... xi
2. Other Reading ... xi
3. Document Conventions ... xii
4. We Need Feedback! ...

1.9. Chaining Database Plug-in ... 112
1.10. Class of Service Plug-in ... 112
1.11. Country String Syntax Plug-in ... 112
1.12. Distinguished Name Syntax Plug-in ... 113
1.13. Generalized Time Syntax Plug-in ...

cn=config ... 146
4.3. Database Attributes under cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=UserRoot, cn=ldbm database, cn=plugins, cn=config ... 147
4.4. Database Attributes under cn=database, cn=monitor, cn=ldbm database, cn=plugins, cn=config ...

2. Using Special Characters ... 195
3. Command-Line Utilities Quick Reference ... 196
4. ldapsearch ... 197
5. ldapmodify ... 214
6. ldapdelete ...

3. Utilities for Exporting Databases: db2ldif ... 277
4. Utilities for Restoring and Backing up Databases: ldif2db ... 279
5. Utilities for Restoring and Backing up Databases: archive2db ... 281
6. Utilities for Restoring and Backing up Databases: db2archive ... 282
7. Utilities for Creating and Regenerating Indexes: db2index ... 282
B. Revision History ...
About This Reference

Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in an intranet, over an extranet with trading partners, or over the public Internet to reach customers. This reference covers the server configuration and the command-line utilities.
• Red Hat Directory Server Release Notes. Contains important information on new features, fixed bugs, known issues and workarounds, and other important deployment information for this specific version of Directory Server.
• Red Hat Directory Server Installation Guide. Contains procedures for installing Directory Server as well as procedures for migrating the Directory Server.
• Red Hat Directory Server Administrator's Guide.
Additionally, the manual uses different strategies to draw your attention to pieces of information. In order of how critical the information is to you, these items are marked as follows:

Note: A note is typically information that you need to understand the behavior of the system.

Tip: A tip is typically an alternative way of performing a task.

Important: Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
If you have a suggestion for improving the documentation, try to be as specific as possible when describing it. If you have found an error, please include the section number and some of the surrounding text so we can find it easily.
Chapter 1. Introduction

Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed to manage large-scale directories to support an enterprise-wide directory of users and resources, extranets, and e-commerce applications over the Internet. The Directory Server runs as the ns-slapd process or service on the machine. The server manages the directory databases and responds to client requests.
Chapter 2. Core Server Configuration Reference

The configuration information for Red Hat Directory Server is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be made through the server itself rather than by simply editing configuration files.
Figure 2.1. Directory Information Tree Showing Configuration Data

1.1. LDIF and Schema Configuration Files

The Directory Server configuration data is automatically output to files in LDIF format that are located in the /var/lib/dirsrv/slapd-instance_name/ldif directory on Red Hat Enterprise Linux and Solaris and /var/opt/dirsrv/slapd-serverID/ldif on HP-UX.
Configuration filename and purpose:

01common.ldif: Contains the LDAPv3 standard operational schema, such as subschemaSubentry, the LDAPv3 standard user and organization schema defined in RFC 2256 (based on X.520/X.521), inetOrgPerson and other widely-used attributes, and the operational attributes used by the Directory Server configuration. Modifying this file causes interoperability problems. User-defined attributes should be added through the Directory Server Console.
05rfc2247.
all of the 28pilot.ldif attribute types and classes.
30ns-common.ldif: Schema that contains object classes and attributes common to the Directory Server Console framework.
50ns-admin.ldif: Schema used by the Red Hat Administration Server.
50ns-certificate.ldif: Schema for the Red Hat Certificate Management System.
50ns-directory.ldif: Contains additional configuration schema used by Directory Server 4.
NOTE: The dse.ldif file does not contain every attribute in cn=config. If an attribute has not been set by the administrator and has a default value, the server does not write it to dse.ldif. To see every attribute in cn=config, use ldapsearch.

1.2.1. Configuration Attributes

Within a configuration entry, each attribute is represented as an attribute name. The value of the attribute corresponds to the attribute's configuration.
ldapsearch on the cn=config subtree. For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring a restart for configuration changes, see Chapter 3, Plug-in Implemented Server Functionality Reference.

1.2.3.
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) groupdn = "ldap:///ou=Directory Administrators, dc=example,dc=com";)
aci: (targetattr = "*")(version 3.

Each of these ACIs grants allow (all) on every attribute (targetattr = "*") of the configuration entry, so membership in the Directory Administrators group is equivalent to full control of the server configuration, including the attributes that set the root password and the log and certificate directories.
2.2.1. Modifying Configuration Entries Using LDAP

The configuration entries in the directory can be searched and modified using LDAP, either via the Directory Server Console or by performing ldapsearch and ldapmodify operations in the same way as for other directory entries. The advantage of using LDAP to modify entries is that changes can be made while the server is running.
• The cn=monitor entry and its child entries are read-only and cannot be modified, except to manage ACIs.
• If an attribute that is not a supported configuration attribute is added to cn=config, the server ignores it.
• If an invalid value is entered for an attribute, the server ignores it.
• Because ldapdelete deletes an entire entry, use ldapmodify to remove a single attribute from an entry.

2.2.3.
“Accessing and Modifying Server Configuration”. For a list of server features that are implemented as plug-ins, see Section 1, “Server Plug-in Functionality Reference”. For help with implementing custom server functionality, contact Directory Server support.

The configuration information stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config, as shown in the following diagram.

Figure 2.2.
• Operations performed (for example, search, add, and modify).
• Result of the access (for example, the number of entries returned or an error code).

For more information on turning access logging off, see the "Monitoring Server and Database Activity" chapter in the Directory Server Administrator's Guide. For access logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on.
However, when debugging, it is sometimes useful to disable buffering in order to see the operations and their results right away instead of having to wait for the log entries to be flushed to the file. Disabling log buffering can severely impact performance on heavily loaded servers. Note that buffered entries that have not yet been flushed are lost if the server process dies, so the tail of a buffered access log may not show the last operations before a crash.

Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-accesslog-logbuffering: off

3.1.5.
3.1.7. nsslapd-accesslog-logging-enabled (Access Log Enable Logging)

Enables or disables access logging, but only in conjunction with the nsslapd-accesslog attribute, which specifies the path and filename of the log used to record each database access. For access logging to be enabled, this attribute must be switched to on, and the nsslapd-accesslog configuration attribute must have a valid path and filename.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
For example, to rotate access log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attributes to 0.

Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-accesslog-logrotationsync-enabled: on

3.1.11.
3.1.13. nsslapd-accesslog-logrotationtime (Access Log Rotation Time)

This attribute sets the time between access log file rotations. The access log is rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
This attribute sets the maximum access log size in megabytes. When this value is reached, the access log is rotated; that is, the server starts writing log information to a new log file. If the nsslapd-accesslog-maxlogsperdir attribute is set to 1, the server ignores this attribute. When setting a maximum log size, consider the total number of log files that can be created due to log file rotation.
3.1.17. nsslapd-accesslog-mode (Access Log File Permission)

This attribute sets the access mode (file permissions) with which access log files are created. The valid values are any octal value from 000 to 777 (these mirror the numbered, or absolute, UNIX file permissions).
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-attribute-name-exceptions: on

3.1.19. nsslapd-auditlog (Audit Log)

This attribute sets the path and filename of the log used to record changes made to each database.
Table 2.4. Possible Combinations for nsslapd-auditlog

3.1.20. nsslapd-auditlog-list

Provides a list of audit log files.

Entry DN: cn=config
Default Value: None
Syntax: DirectoryString
Example: nsslapd-auditlog-list: auditlog2,auditlog3

3.1.21. nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)

This attribute sets the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units.
Example: nsslapd-auditlog-logexpirationtimeunit: day

3.1.23. nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)

Turns audit logging on and off.
Space)

This attribute sets the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted. When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space.
For audit log rotation to be synchronized with the time of day, this attribute must be enabled, with the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
Default Value: None (because nsslapd-auditlog-logrotationsync-enabled is off)
Syntax: Integer
Example: nsslapd-auditlog-logrotationsyncmin: 30

3.1.29. nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)

This attribute sets the time between audit log file rotations. The audit log is rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units.
Default Value: week
Syntax: DirectoryString
Example: nsslapd-auditlog-logrotationtimeunit: day

3.1.31. nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)

This attribute sets the maximum audit log size in megabytes. When this value is reached, the audit log is rotated; that is, the server starts writing log information to a new log file. If nsslapd-auditlog-maxlogsperdir is set to 1, the server ignores this attribute.
Valid Range: 1 to the maximum 32 bit integer value (2147483647)
Default Value: 1
Syntax: Integer
Example: nsslapd-auditlog-maxlogsperdir: 10

3.1.33. nsslapd-auditlog-mode (Audit Log File Permission)

This attribute sets the access mode (file permissions) with which audit log files are created. The valid values are any octal value from 000 to 777, since they mirror the numbered, or absolute, UNIX file permissions.
Example: nsslapd-auditlog-mode: 600

3.1.34. nsslapd-certdir (Certificate and Key Database Directory)

This is the full path to the directory holding the certificate and key databases for a Directory Server instance. This directory must contain only the certificate and key databases for this instance and no other instances. This directory must be owned by the server user ID, which must have read-write access to it. Because the key database holds the instance's private keys, no other user ID should be able to read the directory.
Example: nsslapd-config: cn=config

3.1.37. nsslapd-conntablesize

This attribute sets the connection table size, which determines the total number of connections supported by the server. The server has to be restarted for changes to this attribute to go into effect.

Entry DN: cn=config
Valid Values: Operating-system dependent
Default Value: The default value is the system's maximum number of file descriptors, which can be configured using the Section 3.1.
3.1.39. nsslapd-ds4-compatible-schema

Makes the schema in cn=schema compatible with 4.x versions of Directory Server.

Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-ds4-compatible-schema: off

3.1.40. nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)

This attribute is deprecated and will be removed in a future version of Directory Server.
information.

Entry DN: cn=config
Valid Values: Any valid filename
Default Value: /var/log/dirsrv/slapd-instance_name/errors
Syntax: DirectoryString
Example: nsslapd-errorlog: /var/log/dirsrv/slapd-instance_name/errors

For error logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on.
Entry DN: cn=config
Valid Values (the level is a bitmask; add the values to combine several):
• 1 — Trace function calls. Logs a message when the server enters and exits a function.
• 2 — Debug packet handling.
• 4 — Heavy trace output debugging.
• 8 — Connection management.
• 16 — Print out packets sent/received.
• 32 — Search filter processing.
• 64 — Config file processing.
• 128 — Access control list processing.
• 2048 — Log entry parsing debugging.
• 4096 — Housekeeping thread debugging.
Default Value: 16384
Syntax: Integer
Example: nsslapd-errorlog-level: 8192

3.1.43. nsslapd-errorlog-list

This read-only attribute provides a list of error log files.

Entry DN: cn=config
Default Value: None
Syntax: DirectoryString
Example: nsslapd-errorlog-list: errorlog2,errorlog3

3.1.44.
Default Value: month
Syntax: DirectoryString
Example: nsslapd-errorlog-logexpirationtimeunit: week

3.1.46. nsslapd-errorlog-logging-enabled (Enable Error Logging)

Turns error logging on and off.

Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-errorlog-logging-enabled: on

3.1.47.
This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.

Entry DN: cn=config
Valid Range: 1 to the maximum 32 bit integer value (2147483647)
Default Value: 5
Syntax: Integer
Example: nsslapd-errorlog-logminfreediskspace: 5

3.1.49.
Entry DN: cn=config
Valid Range: 0 through 23
Default Value: 0
Syntax: Integer
Example: nsslapd-errorlog-logrotationsynchour: 23

3.1.51. nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)

This attribute sets the minute of the day for rotating error logs. This attribute must be used in conjunction with the nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsynchour attributes.
Default Value: 1
Syntax: Integer
Example: nsslapd-errorlog-logrotationtime: 100

3.1.53. nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)

This attribute sets the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the server does not recognize the unit, the log is never rotated on a time basis.
This attribute sets the total number of error logs that can be contained in the directory where the error log is stored. Each time the error log is rotated, a new log file is created. When the number of files contained in the error log directory exceeds the value stored in this attribute, the oldest version of the log file is deleted. The default is 1 log. If this default is accepted, the server does not rotate the log, and it grows indefinitely.
allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone. The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.

Entry DN: cn=config
Valid Range: 000 through 777
Default Value: 600
Syntax: Integer
Example: nsslapd-errorlog-mode: 600

3.1.57. nsslapd-groupevalnestlevel

This attribute is deprecated, and is documented here only for historical purposes.
Valid Range: 0 to the maximum 32 bit integer value (2147483647)
Default Value: 0
Syntax: Integer
Example: nsslapd-idletimeout: 0

3.1.59. nsslapd-instancedir (Instance Directory)

This attribute is deprecated. There are now separate configuration parameters for instance-specific paths, such as nsslapd-certdir and nsslapd-lockdir. See the documentation for the specific directory path that is set.

3.1.60.
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-lastmod: on

WARNING: This attribute should never be turned off. If nsslapd-lastmod is set to off, then generating nsUniqueIDs is also disabled, replication does not work, and other issues may arise. If for some reason this attribute has been set to off, the solution is to export the database to LDIF (with db2ldif, db2ldif.pl, or from the console), set the value to on, and import the data again.
NOTE: On HP-UX the hostname value can be a relocatable IP address.

3.1.63. nsslapd-localhost (Local Host)

This attribute specifies the host machine on which the Directory Server runs. This attribute is used to create the referral URL that forms part of the multi-master replication (MMR) protocol. In a high-availability configuration with failover nodes, that referral should point to the virtual name of the cluster, not the local hostname.
Entry DN: cn=config
Valid Values: Absolute path to a directory owned by the server user ID, to which the server user ID has write access
Default Value: /var/lock/dirsrv/slapd-instance_name
Syntax: DirectoryString
Example: nsslapd-lockdir: /var/lock/dirsrv/slapd-instance_name

3.1.66. nsslapd-maxbersize (Maximum Message Size)

Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by the Directory Server, and so bounds the memory that a single client can make the server allocate for one request.
attribute for non-client connections, such as index management and managing replication. The nsslapd-reservedescriptors attribute is the number of file descriptors available for other uses as described above. See Section 3.1.78, “nsslapd-reservedescriptors (Reserved File Descriptors)”. The number given here should not be greater than the total number of file descriptors that the operating system allows the ns-slapd process to use.
3.1.68. nsslapd-maxthreadsperconn (Maximum Threads per Connection)

Defines the maximum number of threads that a connection should use. For normal operations where a client binds and only performs one or two operations before unbinding, use the default value. For situations where a client binds and simultaneously issues many requests, increase this value to allow each connection enough resources to perform all the operations. This attribute is not available from the server console.
Default Value: 300000
Syntax: DirectoryString
Example: nsslapd-outbound-ldap-io-timeout: 300000

3.1.71. nsslapd-plug-in

This read-only attribute lists the DNs of the plug-in entries for the syntax and matching rule plug-ins loaded by the server.

3.1.72. nsslapd-port (Port Number)

This attribute gives the TCP/IP port number used for standard LDAP communications. To run SSL/TLS over this port, use the Start TLS extended operation.
Entry DN: cn=config
Valid Values: cn=config, cn=schema, and cn=monitor
Syntax: DirectoryString
Example: nsslapd-privatenamespaces: cn=config

3.1.74. nsslapd-pwpolicy-local (Enable Subtree- and User-Level Password Policy)

Turns fine-grained (subtree- and user-level) password policy on and off.
3.1.76. nsslapd-referral (Referral)

This multi-valued attribute specifies the LDAP URLs to be returned by the suffix when the server receives a request for an entry not belonging to the local tree; that is, an entry whose suffix does not match the value specified on any of the suffix attributes.
Entry DN: cn=config
Valid Values: Any valid LDAP URL in the form ldap://server-location
Syntax: DirectoryString
Example: nsslapd-referralmode: ldap://ldap.example.com

3.1.78. nsslapd-reservedescriptors (Reserved File Descriptors)

This attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication.
• NldbmBackends is the number of ldbm databases.
• NglobalIndex is the total number of configured indexes for all databases, including system indexes. (By default there are 8 system indexes and 17 additional indexes per database.)
• ReplicationDescriptor is eight (8) plus the number of replicas in the server that can act as a supplier or hub (NSupplierReplica).
Example: nsslapd-return-exact-case: off

3.1.80. nsslapd-rewrite-rfc1274

This attribute is deprecated and will be removed in a later version. It is used only for LDAPv2 clients that require attribute types to be returned with their RFC 1274 names. Set the value to on for those clients. The default is off.

3.1.81.
database. The pwdhash command-line utility can create a new root password. For more information, see Section 3.9, “pwdhash (Prints Encrypted Passwords)”.

Entry DN: cn=config
Valid Values: Any valid password hashed (the reference calls this encrypted) with any one of the storage schemes described in Section 3.1.123, “passwordStorageScheme (Password Storage Scheme)”.
nsslapd-saslpath or SASL_PATH are set, the server attempts to load SASL plugins from the default location, /usr/lib/sasl2. Changes made to this attribute will not take effect until the server is restarted. Because the server loads shared libraries from this directory into its own process, the directory and its contents must be writable only by trusted administrative accounts.

Entry DN: cn=config
Valid Values: Path to the plugins directory.
Default Value: Platform dependent
Syntax: DirectoryString
Example: nsslapd-saslpath: /usr/lib/sasl2

3.1.85.
Console, see the "Extending the Directory Schema" chapter in the Directory Server Administrator's Guide.

CAUTION: Red Hat strongly discourages turning off schema checking. This can lead to severe interoperability problems. Turning it off is typically done only for very old or non-standard LDAP data that must be imported into the Directory Server.
3.1.88. nsslapd-schemareplace

Determines whether modify operations that replace attribute values are allowed on the cn=schema entry.

Entry DN: cn=config
Valid Values: on | off | replication-only
Default Value: replication-only
Syntax: DirectoryString
Example: nsslapd-schemareplace: replication-only

3.1.89.
and nsslapd-security is set to on; otherwise, it does not listen on this port. The server has to be restarted for a port number change to take effect.

Entry DN: cn=config
Valid Range: 1 to 65535
Default Value: 636
Syntax: Integer
Example: nsslapd-securePort: 636

3.1.91. nsslapd-security (Security)

This attribute sets whether the Directory Server accepts SSL/TLS communications on its encrypted port.
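The checks implied by this chapter's warnings, as an added example in Python (not code from Red Hat Directory Server or from this reference): it parses a dse.ldif, flags the log-file modes, the maxlogsperdir/maxlogsize/logmaxdiskspace combination, nsslapd-lastmod, nsslapd-schemacheck, nsslapd-security and audit-log enablement discussed above, and writes the matching ldapmodify change record, since Section 2.2 makes the point that configuration is changed through LDAP rather than by editing the file. Only attributes written explicitly in the file are examined, because the reference notes that defaults are not written to dse.ldif. The sample dse.ldif, the replacement value of 10 for maxlogsperdir, and the ldapmodify flags in the usage comment are assumptions made for the example.

```python
"""Audit a dse.ldif for the settings this reference warns about and emit a
remediation change record for ldapmodify.  Added example; not code from
Red Hat Directory Server or its documentation.  The sample below is
constructed for the example."""

# Constructed sample cn=config entry with several weak settings.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
nsslapd-accesslog: /var/log/dirsrv/slapd-example/access
nsslapd-accesslog-mode: 644
nsslapd-accesslog-maxlogsperdir: 1
nsslapd-auditlog-logging-enabled: off
nsslapd-auditlog-maxlogsperdir: 10
nsslapd-auditlog-maxlogsize: 100
nsslapd-auditlog-logmaxdiskspace: 500
nsslapd-errorlog-mode: 666
nsslapd-lastmod: off
nsslapd-schemacheck: off
nsslapd-security: off

dn: cn=encryption,cn=config
cn: encryption
"""


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr (lower-cased): [values]}}.
    Folds continuation lines (leading space); base64 ('::') values are not
    decoded, which is enough for dse.ldif configuration attributes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = {}, None
    for line in lines + [""]:            # trailing "" closes the last entry
        if not line.strip():
            if cur is not None:
                entries[cur[0]] = cur[1]
            cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.lstrip(": ").strip()
        if attr == "dn":
            cur = (value, {})
        elif cur is not None:
            cur[1].setdefault(attr, []).append(value)
    return entries


def get(cfg, attr, default=None):
    vals = cfg.get(attr.lower())
    return vals[0] if vals else default


def audit_config(entries):
    """Return findings as (attribute, current value, replacement, reason)."""
    cfg = entries.get("cn=config", {})
    findings = []
    for log in ("accesslog", "auditlog", "errorlog"):
        mode = get(cfg, f"nsslapd-{log}-mode")
        if mode is not None and int(mode, 8) & 0o077:   # any group/other bit set
            findings.append((f"nsslapd-{log}-mode", mode, "600",
                             "group/other bits let other users read, overwrite or delete the log"))
        per_dir = get(cfg, f"nsslapd-{log}-maxlogsperdir")
        if per_dir == "1":   # replacement 10 is an example value, not a documented default
            findings.append((f"nsslapd-{log}-maxlogsperdir", per_dir, "10",
                             "1 disables rotation: the log grows indefinitely and maxlogsize is ignored"))
        size, cap = get(cfg, f"nsslapd-{log}-maxlogsize"), get(cfg, f"nsslapd-{log}-logmaxdiskspace")
        if per_dir and size and cap and int(per_dir) * int(size) > int(cap):
            findings.append((f"nsslapd-{log}-logmaxdiskspace", cap, str(int(per_dir) * int(size)),
                             "rotation can create more log data than the disk-space cap; oldest logs are deleted early"))
    for attr, want, reason in (
        ("nsslapd-lastmod", "on", "off disables nsUniqueID generation and breaks replication; fix by export, change, re-import"),
        ("nsslapd-schemacheck", "on", "schema checking off is strongly discouraged"),
        ("nsslapd-security", "on", "no SSL/TLS listener on nsslapd-securePort"),
        ("nsslapd-auditlog-logging-enabled", "on", "changes made to the databases are not recorded"),
    ):
        if get(cfg, attr, want) != want:
            findings.append((attr, get(cfg, attr), want, reason))
    return findings


def remediation_ldif(findings):
    """One ldapmodify change record for cn=config replacing each flagged value.
    Dropping an attribute back to its default would use 'delete:' in the same
    record; ldapdelete would remove the whole entry instead."""
    body = ["dn: cn=config", "changetype: modify"]
    for attr, _cur, want, _reason in findings:
        body += [f"replace: {attr}", f"{attr}: {want}", "-"]
    return "\n".join(body) + "\n"


def run(ldif_text=SAMPLE_DSE_LDIF):
    findings = audit_config(parse_ldif(ldif_text))
    for attr, cur, want, reason in findings:
        print(f"{attr}: {cur!r} -> {want} ({reason})")
    return findings


if __name__ == "__main__":
    # Flag syntax assumed; see the ldapmodify chapter of this reference.
    print(remediation_ldif(run()))
    print("# apply with: ldapmodify -D 'cn=Directory Manager' -w <password> -f fix.ldif")
```

Running the script against a real dse.ldif only reports explicitly set values, so an instance relying on a weak default (for example audit logging left at its default of off) is reported only if the attribute appears in the file; pair it with an ldapsearch of cn=config, which returns every attribute including defaults, for a full picture.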
to 0, which returns size limit exceeded for every search.

Entry DN: cn=config
Valid Range: -1 to the maximum 32 bit integer value (2147483647)
Default Value: 2000
Syntax: Integer
Example: nsslapd-sizelimit: 2000

3.1.93.
subject DN in the certificate. This check is what ties an outbound TLS connection to the intended host; with it off, any certificate the server trusts is accepted for any hostname.

Entry DN: cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-ssl-check-hostname: on

3.1.94. nsslapd-threadnumber (Thread Number)

Defines the number of operation threads that the Directory Server creates at startup.
NOTE: A value of -1 for this attribute in dse.ldif is the same as leaving the attribute blank in the server console, in that it causes no limit to be used. However, a negative integer cannot be set in this field in the server console, and a null value cannot be used in the dse.ldif entry, as it is not a valid integer.
This is the directory in which a core file is generated. The server user ID must have read and write access to the directory, and no other user ID should have read or write access to it: a core file contains whatever was in the server's memory, including cached entries and password material. The default value for this attribute is the same directory that contains the error log, which is usually /var/log/dirsrv/slapd-instance_name. Changes made to this attribute will not take effect until the server is restarted.

3.1.99.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.

Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordCheckSyntax: off

3.1.101. passwordExp (Password Expiration)

Indicates whether user passwords expire after a given number of seconds. By default, user passwords do not expire.
3.1.103. passwordHistory (Password History)

Enables password history. Password history refers to whether users are allowed to reuse passwords. By default, password history is disabled, and users can reuse passwords. If this attribute is set to on, the directory stores a given number of old passwords and prevents users from reusing any of the stored passwords. Set the number of old passwords the Directory Server stores using the passwordInHistory attribute.
Entry DN: cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordIsGlobalPolicy: off

3.1.106. passwordLockout (Account Lockout)

Indicates whether users are locked out of the directory after a given number of failed bind attempts. By default, users are not locked out of the directory after a series of failed bind attempts, which means that by default nothing in the password policy slows down online password guessing against an account.
3.1.108. passwordMaxAge (Password Maximum Age)

Indicates the number of seconds after which user passwords expire. To use this attribute, password expiration has to be enabled using the passwordExp attribute. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
Default Value: 0
Syntax: Integer
Example: passwordMaxRepeats: 1

3.1.111. passwordMin8Bit (Password Syntax)

This sets the minimum number of 8-bit characters the password must contain.

NOTE: The 7-bit checking for userPassword must be disabled to use this.

Entry DN: cn=config
Valid Range: 0 to 64
Default Value: 0
Syntax: Integer
Example: passwordMin8Bit: 0

3.1.112.

This attribute sets the minimum number of alphabetic characters a password must contain.

Entry DN: cn=config
Valid Range: 0 to 64
Default Value: 0
Syntax: Integer
Example: passwordMinAlphas: 4

3.1.114. passwordMinCategories (Password Syntax)

This sets the minimum number of character categories that must be represented in the password. The categories are lower, upper, digit, special, and 8-bit.

This attribute specifies the minimum number of characters that must be used in Directory Server user password attributes. In general, shorter passwords are easier to crack. Directory Server enforces a minimum password length of eight characters. This is long enough to be difficult to crack but short enough that users can remember the password without writing it down. For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.

For example, if the PasswordMinTokenLength is set to 3, then a givenName of DJ does not result in a policy that rejects DJ from being in the password, but the policy rejects a password containing the givenName of Bob.

Entry DN: cn=config
Valid Range: 1 to 64
Default Value: 3
Syntax: Integer
Example: passwordMinTokenLength: 3

3.1.120.
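The syntax rules above (passwordMinLength, passwordMinCategories, passwordMin8Bit, passwordMinAlphas, passwordMaxRepeats and passwordMinTokenLength) can be modelled in a short checker; this is an added example written for this reference, not Directory Server's own code. It assumes that passwordMaxRepeats limits how many times one character may appear consecutively (0 meaning no limit), that token values are matched case-insensitively, and that passwordMinAlphas counts ASCII letters only.

```python
# Added example, not Directory Server code: applies the passwordMin* syntax
# attributes described in this section to a candidate password.
from dataclasses import dataclass


@dataclass
class PasswordSyntaxPolicy:
    """Field names and defaults mirror the cn=config attributes above."""
    passwordMinLength: int = 8
    passwordMinCategories: int = 3
    passwordMin8Bit: int = 0
    passwordMinAlphas: int = 0
    passwordMaxRepeats: int = 0           # assumed: 0 means no limit on runs
    passwordMinTokenLength: int = 3
    seven_bit_check_enabled: bool = True  # 7-bit plug-in checking userPassword


def character_categories(password):
    """Categories present in the password: lower, upper, digit, special, 8-bit."""
    cats = set()
    for ch in password:
        if ord(ch) > 127:
            cats.add("8-bit")
        elif ch.islower():
            cats.add("lower")
        elif ch.isupper():
            cats.add("upper")
        elif ch.isdigit():
            cats.add("digit")
        else:
            cats.add("special")
    return cats


def longest_repeat_run(password):
    """Length of the longest run of one character repeated consecutively."""
    best, run, prev = 0, 0, None
    for ch in password:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def policy_conflicts(policy):
    """Configuration problems the NOTE on passwordMin8Bit warns about."""
    conflicts = []
    if policy.passwordMin8Bit > 0 and policy.seven_bit_check_enabled:
        conflicts.append("passwordMin8Bit needs 7-bit checking of userPassword disabled")
    return conflicts


def check_password_syntax(password, policy, user_attribute_values=()):
    """Return the list of violations; an empty list means the password is accepted.

    user_attribute_values holds values such as givenName that the
    passwordMinTokenLength rule forbids inside the password; values shorter
    than the threshold are ignored, as in the DJ/Bob example above.
    The case-insensitive comparison is an assumption of this example."""
    problems = []
    if len(password) < policy.passwordMinLength:
        problems.append("shorter than passwordMinLength")
    if len(character_categories(password)) < policy.passwordMinCategories:
        problems.append("fewer character categories than passwordMinCategories")
    eight_bit = sum(1 for ch in password if ord(ch) > 127)
    if eight_bit < policy.passwordMin8Bit:
        problems.append("fewer 8-bit characters than passwordMin8Bit")
    # ASCII letters only, so the count does not overlap the 8-bit category.
    alphas = sum(1 for ch in password if ch.isascii() and ch.isalpha())
    if alphas < policy.passwordMinAlphas:
        problems.append("fewer alphabetic characters than passwordMinAlphas")
    if 0 < policy.passwordMaxRepeats < longest_repeat_run(password):
        problems.append("a character repeats more than passwordMaxRepeats times")
    lowered = password.lower()
    for value in user_attribute_values:
        if len(value) >= policy.passwordMinTokenLength and value.lower() in lowered:
            problems.append(f"contains the user attribute value {value!r}")
    return problems
```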
Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the passwordLockout attribute is set to on, users are locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute (within 600 seconds by default). After the amount of time specified by the passwordLockoutDuration attribute, the failure counter is reset to zero (0).

For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.

3.1.124. passwordUnlock (Unlock Account)

Indicates whether users are locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout.
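The lockout counter described above (passwordLockout, passwordMaxFailure, the 600-second failure window, passwordLockoutDuration and passwordUnlock) as an added model, not Directory Server's own code. It assumes the failure window is measured from the first counted failure and names it passwordResetFailureCount, a name that does not appear on this page.

```python
# Added example, not Directory Server code: a model of the account lockout
# counter described for passwordLockout and the related attributes.
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """Field names mirror the cn=config attributes discussed above."""
    passwordLockout: bool = True
    passwordMaxFailure: int = 3
    passwordResetFailureCount: int = 600   # the 600-second window quoted above
    passwordLockoutDuration: int = 3600
    passwordUnlock: bool = True            # False: locked until an administrator resets


@dataclass
class AccountState:
    retry_count: int = 0
    window_start: Optional[float] = None   # time of the first counted failure
    locked_at: Optional[float] = None


def admin_unlock(state):
    """Administrator reset: clears the lock and the failure counter."""
    state.locked_at = None
    state.retry_count = 0
    state.window_start = None


def bind_allowed(state, policy, now):
    """True if the account may attempt a bind at time `now` (seconds).

    A time-limited lockout expires after passwordLockoutDuration and resets the
    failure counter to zero; with passwordUnlock off only admin_unlock() helps."""
    if state.locked_at is None:
        return True
    if not policy.passwordUnlock:
        return False
    if now - state.locked_at >= policy.passwordLockoutDuration:
        admin_unlock(state)   # same effect: clear the lock and the counter
        return True
    return False


def record_bind_failure(state, policy, now):
    """Count one invalid-password bind at time `now`; return True if locked.

    Assumption of this model: the passwordResetFailureCount window starts at
    the first counted failure; a failure outside it starts a fresh count."""
    if not bind_allowed(state, policy, now):
        return True
    if (state.window_start is None
            or now - state.window_start > policy.passwordResetFailureCount):
        state.window_start = now
        state.retry_count = 0
    state.retry_count += 1
    if policy.passwordLockout and state.retry_count >= policy.passwordMaxFailure:
        state.locked_at = now
    return state.locked_at is not None
```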
the ldbm databases.

NOTE: For performance reasons, store this database on a different physical disk. The server has to be restarted for changes to this attribute to go into effect.

Entry DN: cn=changelog5,cn=config
Valid Values: Any valid path to the directory storing the changelog
Default Value: None
Syntax: DirectoryString
Example: nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance_name/changelogdb

3.2.2.

on the changelog, see Section 3.2.1, “nsslapd-changelogdir”. The server has to be restarted for changes to this attribute to go into effect.

Entry DN: cn=changelog5,cn=config
Valid Range: 0 (meaning that the only maximum limit is the disk size) to maximum 32-bit integer (2147483647)
Default Value: 0
Syntax: Integer
Example: nsslapd-changelogmaxentries: 5000

3.3. cn=encryption

Encryption related attributes are stored under the cn=encryption,cn=config entry.

Entry DN: cn=encryption, cn=config
Valid Values: off | allowed | required
  off means disallow certificate-based authentication
  allowed means clients may use certificates or other forms of authentication
  required means clients must use certificates for authentication
Default Value: allowed
Syntax: DirectoryString
Example: nssslclientauth: allowed

3.3.3. nsSSL2

Supports SSL version 2.

This multi-valued attribute specifies the set of encryption ciphers the Directory Server uses during SSL communications. For more information on the ciphers supported by the Directory Server, see the "Managing SSL" chapter in the Directory Server Administrator's Guide.

Guide.

3.4. cn=features

There are no attributes for this entry. This entry is only used as a parent container entry. See the documentation on the child entries for more information.

3.5. cn=mapping tree

• Configuration attributes for suffixes, replication, and Windows synchronization are stored under cn=mapping tree,cn=config. Configuration attributes related to suffixes are found under the suffix subentry cn=suffix, cn=mapping tree,cn=config.
disabled means the database is not available for processing operations. The server returns a "No such search object" error in response to requests made by client applications.
referral means a referral is returned for requests made to this suffix.
referral on update means the database is used for all operations except update requests, which receive a referral.

replication, see the "Managing Replication" chapter in the Directory Server Administrator's Guide.

3.7.1. nsDS5Flags

This attribute sets replica properties that were previously defined in flags. At present only one flag exists, which sets whether changes are logged.

“nsDS5ReplicaTombstonePurgeInterval” for more information about purge operation properties.

Entry DN: cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Range: -1 to maximum 32-bit integer (2147483647)
Default Value:
Syntax: Integer
Example: nsDS5ReplicaChangeCount: 675

3.7.4. nsDS5ReplicaId

This attribute sets the unique ID for suppliers in a given replication environment.

NOTE: It is recommended that the server be permitted to generate this name. However, in certain circumstances, for example, in replica role changes (master to hub etc.), this value needs to be specified. Otherwise, the server will not use the correct changelog database, and replication fails. This attribute is destined for internal use only.

Syntax: Integer
Example: nsDS5ReplicaPurgeDelay: 604800

3.7.8. nsDS5ReplicaReferral

This multi-valued attribute specifies the user-defined referrals. This should only be defined on a consumer. User referrals are only returned when a client attempts to modify data on a read-only consumer. This optional referral overrides the referral that is automatically configured on the consumer by the replication protocol.

When setting this attribute, remember that the purge operation is time-consuming, especially if the server handles many delete operations from clients and suppliers.

Entry DN: cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Range: 0 to maximum 32-bit integer (2147483647) in seconds
Default Value: 86400 (1 day)
Syntax: Integer
Example: nsDS5ReplicaTombstonePurgeInterval: 86400

3.7.11.

Default Value:
Syntax: Integer
Example: nsDS5ReplicaReapActive: 0

3.7.13. nsState

This attribute stores information on the state of the clock. It is designed only for internal use, to ensure that the server cannot generate a change sequence number (CSN) lower than existing ones, which is required for detecting backward clock errors.

3.7.14.
attribute is required for setting up a replication agreement.

Entry DN: cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: Any valid cn
Default Value:
Syntax: DirectoryString
Example: cn: MasterAtoMasterB

3.8.2. description

Free form text description of the replication agreement. This attribute can be modified.

3.8.4. nsDS5ReplicaBindMethod

This attribute sets the method to use for binding. This attribute can be modified.

Entry DN: cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: SIMPLE | SSLCLIENTAUTH (the SIMPLE bind method requires a DN and password)
Default Value: SIMPLE
Syntax: DirectoryString
Example: nsDS5ReplicaBindMethod: SIMPLE

3.8.5.

This read-only attribute shows the number of changes sent to this replica since the server started.

Entry DN: cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Range: 0 to maximum 32-bit integer (2147483647)
Default Value:
Syntax: Integer
Example: nsDS5ReplicaChangesSentSinceStartup: 647

3.8.7.

Example: nsDS5ReplicaHost: ldap2.example.com

3.8.9. nsDS5ReplicaLastInitEnd

This optional, read-only attribute states when the initialization of the consumer replica ended.

Entry DN: cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened.

This optional, read-only attribute provides status for the initialization of the consumer. There is typically a numeric code followed by a short string explaining the status. Zero (0) means success.

Entry DN: cn=ReplicationAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: 0 (Consumer Initialization Succeeded), followed by any other status message.

connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with a 24-hour clock. The Z at the end indicates that the time is relative to Greenwich Mean Time.
Default Value:
Syntax: GeneralizedTime
Example: nsDS5ReplicaLastUpdateStart: 20070504122055Z

3.8.14. nsDS5ReplicaLastUpdateStatus

This read-only attribute provides the status for the most recent replication schedule updates.

3.8.16. nsDS5ReplicaReapActive

This read-only attribute specifies whether the background task that removes old tombstones (deleted entries) from the database is active. See Section 3.7.10, “nsDS5ReplicaTombstonePurgeInterval” for more information about this task. A value of zero (0) means that the task is inactive, and a value of 1 means that the task is active. If this value is set manually, the server ignores the modify request.
Default Value:
Syntax: DirectoryString
Example: nsDS5ReplicaRoot: "dc=example,dc=com"

3.8.19. nsDS5ReplicaSessionPauseTime

This attribute sets the amount of time in seconds a supplier should wait between update sessions. The default value is 0. If the attribute is set to a negative value, Directory Server sends the client a message and an LDAP_UNWILLING_TO_PERFORM error code.

3.8.20. nsDS5ReplicatedAttributeList

This optional (allowed) attribute specifies any attributes that are not replicated to a consumer server. Fractional replication allows databases to be replicated across slow connections or to less secure consumers while still protecting sensitive information. By default, all attributes are replicated, and this attribute is not present.

3.8.22. nsDS5ReplicaTransportInfo

This attribute sets the type of transport used for transporting data to and from the replica. The attribute values can be either SSL, which means that the connection is established over SSL, or LDAP, which means that regular LDAP connections are used. If this attribute is absent, then regular LDAP connections are used. This attribute cannot be modified once it is set.

0123456 are the days of the week starting with Sunday.
Default Value: 0000-2359 0123456 (all the time)
Syntax: Integer
Example: nsDS5ReplicaUpdateSchedule: 0000-2359 0123456

3.8.25. nsDS50ruv

This attribute stores the last replica update vector (RUV) read from the consumer of this replication agreement. It is always present and must not be changed.

3.9.

Table 2.7. List of attributes shared between replication and synchronization agreements

3.9.1. nsds7DirectoryReplicaSubtree

The suffix or DN of the Directory Server subtree that is being synchronized.

Entry DN: cn=syncAgreementName, cn=replica, cn=suffixDN, cn=mapping tree, cn=config
Valid Values: Any valid suffix or subsuffix
Default Value:
Syntax: DirectoryString
Example: nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com

3.9.2.

Default Value:
Syntax: DirectoryString
Example: nsDS7NewWinGroupSyncEnabled: on

3.9.4. nsds7NewWinUserSyncEnabled

This attribute sets whether a new entry created in the Windows sync peer is automatically synchronized by creating a new entry on the Directory Server.

Example: nsDS7WindowsReplicaSubtree: cn=Users, dc=domain, dc=com

3.10. cn=monitor

Information used to monitor the server is stored under cn=monitor. This entry and its children are read-only; clients cannot directly modify them. The server updates this information automatically. This section describes the cn=monitor attributes. The only attribute that can be changed by a user to set access control is the aci attribute.

connection.
This attribute shows the total number of Directory Server connections. This number includes connections that have been opened and closed since the server was last started, in addition to the currentConnections.

dTableSize. This attribute shows the size of the Directory Server connection table. Each connection is associated with a slot in this table, and usually corresponds to the file descriptor used by this connection. See Section 3.1.

nbackEnds. This attribute shows the number of Directory Server database backends.

backendMonitorDN. This attribute shows the DN for each Directory Server database backend. For further information on monitoring the database, see the following sections:
• Section 4.8, “Database Attributes under cn=attributeName, cn=encrypted attributes, cn=database_name, cn=ldbm database, cn=plugins, cn=config”
• Section 4.

Entry DN: cn=SNMP, cn=config
Valid Values: Organization name
Default Value:
Syntax: DirectoryString
Example: nssnmporganization: Red Hat, Inc.

3.12.3. nssnmplocation

This attribute sets the location within the company or organization where the Directory Server resides.

Entry DN: cn=SNMP, cn=config
Valid Values: Location
Default Value:
Syntax: DirectoryString
Example: nssnmplocation: B14

3.12.4.

Syntax: DirectoryString
Example: nssnmpdescription: Employee directory instance

3.12.6. nssnmpmasterhost

nssnmpmasterhost is deprecated. This attribute is deprecated with the introduction of net-snmp. The attribute still appears in dse.ldif but without a default value.

Entry DN: cn=SNMP, cn=config
Valid Values: machine hostname or localhost
Default Value:
Syntax: DirectoryString
Example: nssnmpmasterhost: localhost

3.

requests.
UnAuthBinds: This shows the number of unauthenticated (anonymous) binds.
SimpleAuthBinds: This shows the number of LDAP simple bind requests (DN and password).
StrongAuthBinds: This shows the number of LDAP SASL bind requests, for all SASL mechanisms.
BindSecurityErrors: This shows the number of times an invalid password was given in a bind request.

ConnectionSeq: This shows the total number of connections opened, including both currently open and closed connections.
BytesRecv: This shows the number of bytes received.
BytesSent: This shows the number of bytes sent.
EntriesReturned: This shows the number of entries returned as search results.
ReferralsReturned: This provides information on referrals returned as search results (continuation references).
MasterEntries: Not used. This value is always 0.

nsstate. This attribute saves the state of the unique ID generator across server restarts. This attribute is maintained by the server. Do not edit it.
Chapter 3. Plug-in Implemented Server Functionality Reference

This chapter contains reference information on Red Hat Directory Server plug-ins. The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins, cn=config.

Description: Checks certain attributes are 7-bit clean
Configurable Options: on | off
Default Setting: on
Configurable Arguments: List of attributes (uid mail userpassword) followed by "," and then suffixes on which the check is to occur.
Dependencies: None
Performance Related Information: None
Further Information: If the Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off.

Configurable Arguments: None
Dependencies: Database
Performance Related Information: Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.
Further Information: See the "Managing Access Control" chapter in the Directory Server Administrator's Guide.

1.4.

Server Administrator's Guide for more information about the Attribute Uniqueness Plug-in. The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-master replication environment. Turning the plug-in on may slow down Directory Server performance.

Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

1.7.

1.9. Chaining Database Plug-in

Plug-in Name: Chaining Database
DN of Configuration Entry: cn=Chaining database, cn=plugins, cn=config
Description: Syntax for handling DNs
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: There are many performance related tuning parameters involved with the chaining database.

Plug-in Name: Country String Syntax Plug-in
DN of Configuration Entry: cn=Country String Syntax, cn=plugins, cn=config
Description: Syntax for handling countries
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

1.12.

Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

1.16.

Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

1.18.
server is not (and never will be) a consumer of a 4.x server.
Dependencies: Database
Performance Related Information: None
Further Information: See the "Managing Replication" chapter in the Directory Server Administrator's Guide.

1.20.

Red Hat recommends leaving this plug-in running at all times.
Further Information:

1.22. OID Syntax Plug-in

Plug-in Name: OID Syntax Plug-in
DN of Configuration Entry: cn=OID Syntax,cn=plugins,cn=config
Description: Syntax for object identifiers (OID).

1.24. CRYPT Password Storage Plug-in

Plug-in Name: CRYPT
DN of Configuration Entry: cn=CRYPT, cn=Password Storage Schemes, cn=plugins, cn=config
Description: CRYPT password storage scheme used for password encryption
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in.

See the "User Account Management" chapter in the Directory Server Administrator's Guide.

1.26.

cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
Description: SSHA password storage scheme for password encryption
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Description: Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests.
Configurable Options: on | off
Default Setting: off
Configurable Arguments: ldap://example.

integrity is queued and processed at a later stage. This positive integer serves as a wake-up call for the thread to process the request at intervals corresponding to the integer (number of seconds) specified.
• Log file for storing the change; for example /var/log/dirsrv/slapd-instance_name/referint.
• All the additional attribute names to be checked for referential integrity.

cn=changelog suffix to clients, so that clients can use this suffix with or without persistent search for simple sync applications.
Configurable Options: on | off
Default Setting: off
Configurable Arguments: See Section 6, “Retro Changelog Plug-in Attributes” for further information on the two configuration attributes for this plug-in.

Description: Syntax for handling space-insensitive values
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information: This plug-in enables the Directory Server to support space and case insensitive values.

Plug-in Name: Telephone Syntax
DN of Configuration Entry: cn=Telephone Syntax, cn=plugins, cn=config
Description: Syntax for handling telephone numbers
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Default Setting: on
Configurable Arguments: None
Dependencies: Database
Performance Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information:

2. List of Attributes Common to All Plug-ins

This list provides a brief attribute description, the entry DN, valid range, default value, syntax, and an example for each attribute.

2.1.

This attribute specifies the plug-in type. See Section 3.3, “nsslapd-plugin-depends-on-type” for further information.

Entry DN: cn=plug-in name, cn=plugins, cn=config
Valid Values: Any valid plug-in type
Default Value: None
Syntax: DirectoryString
Example: nsslapd-pluginType: preoperation

2.4. nsslapd-pluginEnabled

This attribute specifies whether the plug-in is enabled.

Entry DN: cn=plug-in name, cn=plugins, cn=config
Valid Values: Any valid plug-in version
Default Value: Product version number
Syntax: DirectoryString
Example: nsslapd-pluginVersion: 8.0

2.7. nsslapd-pluginVendor

This attribute specifies the vendor of the plug-in.

Entry DN: cn=plug-in name, cn=plugins, cn=config
Valid Values: Any approved plug-in vendor
Default Value: Red Hat, Inc.

Entry DN: cn=plug-in name, cn=plugins, cn=config
Valid Values: true | false
Default Value: false
Syntax: DirectoryString
Example: nsslapd-pluginLoadNow: false

3.2. nsslapd-pluginLoadGlobal

This attribute specifies whether the symbols in dependent libraries are made visible locally (false) or to the executable and to all shared objects (true).

3.4. nsslapd-plugin-depends-on-named

Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. It takes a value which corresponds to the cn value of a plug-in. The plug-in whose cn matches one of these values will be started by the server prior to this plug-in. If the plug-in does not exist, the server fails to start.
This section covers global configuration attributes common to all instances, which are stored in the cn=config, cn=ldbm database, cn=plugins, cn=config tree node.

4.1.1. nsLookthroughLimit

This performance-related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request.

4.1.3. nsslapd-cache-autosize

This performance tuning-related attribute, which is turned off by default, specifies the percentage of free memory to use for all the combined caches. For example, if the value is set to 80, then 80 percent of the remaining free memory would be claimed for the cache. To run other servers on the machine, set the value lower.

nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes to a more reasonable level. For example:

nsslapd-cache-autosize: 60
nsslapd-cache-autosize-split: 60

Entry DN: cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Range: 0 to 99
Default Value: 50 (This will not necessarily optimize operations.)
Syntax: Integer
Example: nsslapd-cache-autosize-split: 50

4.1.5.

Example: nsslapd-dbcachesize: 10,000,000

NOTE: On Solaris, the nsslapd-dbcachesize attribute has no effect on performance because the disk/filesystem cache overrides it.

4.1.6. nsslapd-db-checkpoint-interval

This sets the amount of time in seconds after which the Directory Server sends a checkpoint entry to the database transaction log.

be modified with the guidance of Red Hat Technical Support or Red Hat Professional Services.

Entry DN: cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-db-circular-logging: on

4.1.8. nsslapd-db-debug

This attribute specifies whether additional error information is to be reported to Directory Server.

Database Activity" chapter in the Directory Server Administrator's Guide.

Entry DN: cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Values: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-db-durable-transactions: on

4.1.10. nsslapd-db-home-directory

This is usually applicable to Solaris only, and is used to fix a situation in Solaris where the operating system endlessly flushes pages.

do so will result in the databases for both directories becoming corrupted. The use of this attribute causes internal Directory Server database files to be moved to the directory referenced by the attribute. It is possible, but unlikely, that the server will no longer start after the files have been moved because not enough memory can be allocated. This is a symptom of an overly large database cache size being configured for the server.

4.1.12. nsslapd-db-logbuf-size

This attribute specifies the log information buffer size. Log information is stored in memory until the buffer fills up or the transaction commit forces the buffer to be written to disk. Larger buffer sizes can significantly increase throughput in the presence of long running transactions, highly concurrent applications, or transactions producing large amounts of data.

4.1.14. nsslapd-db-logfile-size

This attribute specifies the maximum size of a single file in the log in bytes. By default, or if the value is set to 0, a maximum size of 10 megabytes is used. The maximum size is an unsigned 4-byte value.

Entry DN: cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Range: 0 to unsigned 4-byte integer
Default Value: 10MB
Syntax: Integer
Example: nsslapd-db-logfile-size: 10 MB

4.

Berkeley DB or are specifically told to do so by Red Hat support.

Entry DN: cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Range: 0 to 2^31-1
Default Value: 0
Syntax: Integer
Example: nsslapd-db-spin-count: 0

4.1.17. nsslapd-db-transaction-batch-val

This attribute specifies how many transactions will be batched before being committed. This attribute can improve update performance when full transaction durability is not required.
Chapter 3. Plug-in Implemented Server Functionality Reference NOTE The nsslapd-db-transaction-batch-val attribute is only valid if the nsslapd-db-durable-transaction attribute is set to on. For more information on database transaction logging, refer to the "Monitoring Server and Database Activity" chapter in the Directory Server Administrator's Guide.
cn=ldbm database, cn=plugins, cn=config Parameter Description Valid Values on | off Default Value off Syntax DirectoryString Example nsslapd-db-verbose: off 4.1.20. nsslapd-dbncache This attribute can split the LDBM cache into equally sized separate pieces of memory.
Chapter 3. Plug-in Implemented Server Functionality Reference as any changes risk preventing the server from accessing data. Parameter Description Entry DN cn=config, cn=ldbm database, cn=plugins, cn=config Valid Values Any valid absolute path to the database instance Default Value Syntax DirectoryString Example nsslapd-directory: /var/lib/dirsrv/slapd-instance_name/db 4.1.22.
This performance-tuning attribute automatically sets the size of the import cache (importCache) used during the command-line import of LDIF files into the database (the ldif2db operation). In Directory Server, the import operation can be run as a server task or exclusively on the command line. In task mode, the import operation runs as a general Directory Server operation.
Valid Range: -1, 0 (turns import cache autosizing off) to 100
Default Value: -1 (turns import cache autosizing on for ldif2db only and allocates 50% of the free physical memory to importCache)
Syntax: Integer
Example: nsslapd-import-cache-autosize: -1
4.1.24. nsslapd-mode
This attribute specifies the permissions used for newly created index files.
dbcachepagein. This attribute shows the pages read into the database cache.
dbcachepageout. This attribute shows the pages written from the database cache to the backing file.
dbcacheroevict. This attribute shows the clean pages forced from the cache.
dbcacherwevict. This attribute shows the dirty pages forced from the cache.
4.3.
Valid Range: 1 to 2,147,483,647 entries (or -1, which means limitless)
Default Value: -1
Syntax: Integer
Example: nsslapd-cachesize: -1
4.3.2. nsslapd-cachememsize
This performance-tuning attribute specifies the cache size in terms of available memory space. The simplest method is to limit the cache size by the memory it occupies.
Syntax: DirectoryString
Example: nsslapd-directory: /var/lib/dirsrv/slapd-instance_name/db/userRoot
4.3.4. nsslapd-readonly
This attribute specifies read-only mode for a single back-end instance. If this attribute has a value of off, then users have all read, write, and execute permissions allowed by their access permissions.
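The valid ranges given for the ldbm attributes above (nsslapd-db-logfile-size, nsslapd-db-spin-count, nsslapd-import-cache-autosize, nsslapd-cachesize, and the on | off switches) are easy to violate in a hand-edited dse.ldif, and the server does not always reject an out-of-range value at startup. The following added example, which is not Red Hat code, reads an LDIF fragment of the cn=ldbm database subtree and reports values outside the documented limits. The LDIF sample inside it is constructed; the attribute names and limits are taken from the sections above.

```python
"""Range-check LDBM plug-in configuration attributes against the limits
documented in the Directory Server 8.0 reference. Added example, not
project code; SAMPLE_LDIF is constructed."""
import re

# Documented limits: (minimum, maximum, extra accepted values). 0 is
# accepted for nsslapd-db-logfile-size (meaning 10 MB) and -1 for the
# cache attributes (autosize on / limitless), as the reference states.
LIMITS = {
    "nsslapd-db-logfile-size": (0, 2**32 - 1, ()),
    "nsslapd-db-spin-count": (0, 2**31 - 1, ()),
    "nsslapd-import-cache-autosize": (0, 100, (-1,)),
    "nsslapd-cachesize": (1, 2**31 - 1, (-1,)),
}
# Attributes documented as on | off
SWITCHES = {"nsslapd-db-verbose", "nsslapd-readonly"}


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attr: [values]} dicts, one
    per entry. Entries are separated by blank lines, a line starting with
    one space continues the previous line, and '#' lines are comments."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation line
            continue
        lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        # attribute names are case-insensitive in LDAP, so normalise them
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_entry(entry):
    """Return a list of problems found in one entry's ldbm attributes."""
    problems = []
    dn = entry.get("dn", ["?"])[0]
    for attr, (lo, hi, extra) in LIMITS.items():
        for value in entry.get(attr, []):
            if not re.fullmatch(r"-?\d+", value):
                problems.append(f"{dn}: {attr} is not an integer: {value!r}")
            elif not (lo <= int(value) <= hi or int(value) in extra):
                problems.append(f"{dn}: {attr}={value} outside {lo}..{hi}")
    for attr in SWITCHES:
        for value in entry.get(attr, []):
            if value.lower() not in ("on", "off"):
                problems.append(f"{dn}: {attr} must be on or off, got {value!r}")
    return problems


def check_ldif(text):
    """Run check_entry over every entry in an LDIF text."""
    return [p for entry in parse_ldif(text) for p in check_entry(entry)]


# Constructed sample: the global ldbm config plus one backend instance.
SAMPLE_LDIF = """\
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: extensibleObject
nsslapd-db-logfile-size: 10485760
nsslapd-db-spin-count: 0
nsslapd-import-cache-autosize: 150
nsslapd-db-verbose: off

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: extensibleObject
nsslapd-cachesize: -1
nsslapd-readonly: maybe
"""

if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF):
        print(problem)
```

Run against the constructed sample, the check reports the import cache autosize value of 150 (outside 0..100) and the nsslapd-readonly value that is neither on nor off; the -1 cache size passes because the reference lists it as the "limitless" value.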
server containing the database link is restarted.
Entry DN: cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config or cn=UserRoot, cn=ldbm database, cn=plugins, cn=config
Valid Values: Any valid DN
Default Value:
Syntax: DirectoryString
Example: nsslapd-suffix: o=NetscapeRoot
4.4.
This attribute shows the number of transactions that have been committed.
nsslapd-db-deadlock-rate. This attribute shows the number of deadlocks detected.
nsslapd-db-dirty-pages. This attribute shows the dirty pages currently in the cache.
nsslapd-db-hash-buckets. This attribute shows the number of hash buckets in the buffer hash table.
nsslapd-db-hash-elements-examine-rate. This attribute shows the total number of hash elements traversed during hash table lookups.
nsslapd-db-longest-chain-length. This attribute shows the longest chain ever encountered in buffer hash table lookups.
nsslapd-db-page-create-rate. This attribute shows the pages created in the cache.
nsslapd-db-page-read-rate. This attribute shows the pages read into the cache.
nsslapd-db-page-ro-evict-rate. This attribute shows the clean pages forced from the cache.
nsslapd-db-page-rw-evict-rate.
System indexes should not be removed, as this will seriously disrupt server functionality.
Entry DN: cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config
Valid Values: true | false
Default Value:
Syntax: DirectoryString
Example: nssystemindex: true
4.5.2. nsIndexType
This optional, multi-valued attribute specifies the type of index for Directory Server operations and takes the values of the attributes to be indexed.
two commonly used attributes that fall into this category. For example, for a uidNumber that uses integer syntax, the rule attribute could be nsMatchingRule: integerOrderingMatch.
NOTE
Any change to this attribute will not take effect until the change is saved and the index is rebuilt using db2index, which is described in more detail in the "Managing Indexes" chapter of the Directory Server Administrator's Guide.
Syntax: DirectoryString
Example: description: substring index
4.6. Database Attributes under cn=monitor, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config
This section covers global, read-only entries for monitoring activity on the NetscapeRoot database. The attributes containing database statistics are given for each file that makes up the database.
Figure 3.2. Indexed Attribute Representing a Subentry
For example, the index file for the aci attribute under o=UserRoot appears in the Directory Server as follows:
dn: cn=aci, cn=index, cn=UserRoot, cn=ldbm database, cn=plugins, cn=config
objectclass: top
objectclass: nsIndex
cn: aci
nssystemindex: true
nsindextype: pres
For details regarding the five possible indexing attributes, see Section 4.
Figure 3.3.
5. Database Link Plug-in Attributes (Chaining Attributes)
The database link plug-in attributes are also organized in an information tree, as shown in the following diagram:
Figure 3.4. Database Link Plug-in
All plug-in technology used by the database link instances is stored in the cn=chaining database plug-in node.
Default Value: None
Syntax: DirectoryString
Example: nsActiveChainingComponents: cn=uid uniqueness, cn=plugins, cn=config
5.1.2. nsMaxResponseDelay
This error-detection, performance-related attribute specifies the maximum amount of time a remote server can take to respond to an LDAP operation request made by a database link before an error is suspected. Once this delay period has elapsed, the database link tests the connection with the remote server.
following controls are forwarded by default by the database link:
• Managed DSA (OID: 2.16.840.1.113730.3.4.2)
• Virtual list view (VLV) (OID: 2.16.840.1.113730.3.4.9)
• Server side sorting (OID: 1.2.840.113556.1.4.
Entry DN: cn=default instance config, cn=chaining database, cn=plugins, cn=config
Valid Range: 1 to 50 connections
Default Value: 3
Syntax: Integer
Example: nsBindConnectionsLimit: 3
5.2.3. nsBindRetryLimit
Contrary to what the name suggests, this attribute does not specify the number of times a database link retries to bind with the remote server but the number of times it tries to bind with the remote server.
5.2.5. nsCheckLocalACI
Reserved for advanced use only. This attribute controls whether ACIs are evaluated on the database link as well as on the remote data server. Changes to this attribute only take effect once the server has been restarted.
Entry DN: cn=default instance config, cn=chaining database, cn=plugins, cn=config
Valid Values: on | off
Default Value: off
Syntax: DirectoryString
Example: nsCheckLocalACI: on
5.
This attribute specifies the connection lifetime. Connections between the database link and the remote server can be kept open for an unspecified time or closed after a specific period of time. It is faster to keep the connections open, but it uses more resources. When the value is 0 and a list of failover servers is provided in the nsFarmServerURL attribute, the main server is never contacted after failover to the alternate server.
5.2.11. nsReferralOnScopedSearch
This attribute controls whether referrals are returned by scoped searches. It can be used to optimize the directory, because returning referrals in response to scoped searches is more efficient. A referral is returned to all the configured farm servers.
5.3. Database Link Attributes under cn=database link instance name, cn=chaining database, cn=plugins, cn=config
This information node stores the attributes concerning the server containing the data.
5.3.1. nsFarmServerURL
This attribute gives the LDAP URL of the remote server. A farm server is a server which contains data on databases. This attribute can contain optional servers for failover, separated by spaces. For cascading chaining, this URL can point to another database link.
example below is what is shown, not what is typed.
Entry DN: cn=database link instance name, cn=chaining database, cn=plugins, cn=config
Valid Values: Any valid password, which is then encrypted using the DES reversible password encryption scheme
Default Value:
Syntax: DirectoryString
Example: nsMultiplexerCredentials: {DES} 9Eko69APCJfF
5.3.4.
This attribute gives the number of modify operations received.
nsRenameCount. This attribute gives the number of rename operations received.
nsSearchBaseCount. This attribute gives the number of base level searches received.
nsSearchOneLevelCount. This attribute gives the number of one-level searches received.
nsSearchSubtreeCount. This attribute gives the number of subtree searches received.
nsAbandonCount.
Retro Changelog Plug-in Attributes
contains both of the following:
• A number that uniquely identifies the modification. This number is sequential with respect to other entries in the changelog.
• The modification action; that is, exactly how the directory was modified.
It is through the Retro Changelog Plug-in that the changes performed on the Directory Server are accessed, using searches against the cn=changelog suffix.
6.1.
NOTE
Expired changelog records will not be removed if there is an agreement that has fallen behind further than the maximum age.
Chapter 4. Server Instance File Reference
This chapter provides an overview of the files that are specific to an instance of Red Hat Directory Server (Directory Server), the files stored in the /usr/lib/dirsrv/slapd-instance_name directory. Having an overview of the files and configuration information stored in each instance of Directory Server helps with understanding the file changes (or lack of file changes) which occur in the course of directory activity.
Table 4.1.
Backup Files
File or Directory: Location
Database files: /var/opt/dirsrv/slapd-instance/db
Runtime files: /var/opt/dirsrv/instance
LDIF files: /var/opt/dirsrv/slapd-instance/ldif
Log files: /var/opt/log/dirsrv/slapd-instance
Tools: /opt/dirsrv/bin/ /opt/dirsrv/sbin/
Instance directory: /opt/dirsrv/slapd-instance
Libraries: /opt/dirsrv/lib/
Table 4.4. HP-UX 11i (IA64)
2.
Example 4.1. Database Directory Contents
• db.00x files — Used internally by the database and should not be moved, deleted, or modified in any way.
• log.xxxxxxxxxx files — Used to store the transaction logs per database.
• DBVERSION — Used for storing the version of the database.
• NetscapeRoot — Stores the o=NetscapeRoot database created by default when the setup-ds-admin.pl script is run.
LDIF Files
• entrydn.db4 — Contains a list of full DNs to find any ID.
• id2entry.db4 — Contains the actual directory database entries. All other database files can be recreated from this one, if necessary.
• nsuniqueid.db4 — Contains a list of unique IDs to find any ID.
• numsubordinates.db4 — Contains IDs that have child entries.
• objectclass.db4 — Contains a list of IDs which have a particular object class.
• parentid.db4 — Contains a list of IDs to find the ID of the parent.
5.
6. Lock Files
Each Directory Server instance contains a /var/lock/dirsrv/slapd-instance_name directory for storing lock-related files. The following is a sample listing of the lock directory contents.
exports/ imports/ server/
Example 4.4. Lock Directory Contents
The lock mechanisms stored in the exports, imports, and server subdirectories prevent multiple simultaneous operations from conflicting with each other.
• The content of the access, audit, and error log files is dependent on the log configuration.
• The slapd.stats file is a memory-mapped file which cannot be read by an editor. It contains data collected by the Directory Server SNMP data collection component. This data is read by the SNMP subagent in response to SNMP attribute queries and is communicated to the SNMP master agent responsible for handling Directory Server SNMP requests.
8. PID Files
slapd-serverID.pid and slapd-serverID.
Example 4.8. LDAP Tool Directory Contents
10. Scripts
Directory Server command-line scripts are stored in the /usr/lib/dirsrv/slapd-instance_name directory. The contents of the /usr/lib/dirsrv/slapd-instance_name directory are listed in Example 4.9, “Instance Directory Contents”. Chapter 7, Command-Line Scripts, has more information on command-line scripts.
bak2db db2index.pl start-slapd bak2db.pl db2ldif db2bak db2ldif.pl suffix2instance db2bak.
Chapter 5. Access Log and Connection Code Reference
Red Hat Directory Server (Directory Server) provides logs to help monitor directory activity. Monitoring helps in quickly detecting and remedying failures and, where done proactively, in anticipating and resolving potential problems before they result in failure or poor performance. Part of monitoring the directory effectively is understanding the structure and content of the log files. This chapter does not provide an exhaustive list of error messages.
NOTE
Directory Server provides a script which can analyze access logs to extract usage statistics and count the occurrences of significant events. For details about this script, see Section 4.7, “logconv.pl (Log Converter)”.
1.1. Access Logging Levels
Different levels of access logging exist, and changing the value of the nsslapd-accesslog-level configuration attribute sets the exact type of logging required. See Section 3.1.
Default Access Logging Content
[21/Apr/2007:11:39:53 -0700] conn=13 op=2 ADD dn="cn=Sat Apr 21 11:39:51 MET DST 2007, dc=example,dc=com"
[21/Apr/2007:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000
[21/Apr/2007:11:39:53 -0700] conn=13 op=3 EXT oid="2.16.840.1.113730.3.5.
1.2.3. Slot Number
The slot number, in this case slot=608, is a legacy part of the access log which has the same meaning as the file descriptor. Ignore this part of the access log.
[21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
1.2.4. Operation Number
To process a given LDAP request, Directory Server performs the required series of operations.
method=128 version=3
1.2.7. Error Number
The error number, in this case err=0, provides the LDAP result code returned from the LDAP operation performed. The LDAP error number 0 means that the operation was successful. For a more comprehensive list of LDAP result codes, see Section 3, “LDAP Result Codes”.
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
1.2.8.
NOTE
tag=100 and tag=115 are not result tags as such, and so it is unlikely that they will be recorded in the access log.
1.2.9. Number of Entries
nentries shows the number of entries, in this case nentries=0, that were found matching the LDAP client's request.
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
1.2.10.
If the LDAP request resulted in sorting of entries, then the message SORT serialno is recorded in the log, followed by the number of candidate entries that were sorted. For example:
[04/May/2007:15:51:46 -0700] conn=114 op=68 SORT serialno (1)
The number enclosed in parentheses specifies the number of candidate entries that were sorted, which in this case is 1.
1.2.12.
RequestInformation has the following form:
beforeCount:afterCount:index:contentCount
If the client uses a position-by-value VLV request, the format of the first part, the request information, is beforeCount:afterCount:value.
• 2 for subtree search
For more information about search scopes, see "Using ldapsearch" in Appendix B, "Finding Directory Entries", in the Red Hat Directory Server Administrator's Guide.
1.2.16. Extended Operation OID
An extended operation OID, in this case either EXT oid="2.16.840.1.113730.3.5.3" or EXT oid="2.16.840.1.113730.3.5.5", provides the OID of the extended operation being performed.
1.2.17. Change Sequence Number
The change sequence number, in this case csn=3b4c8cfb000000030000, is the replication change sequence number, indicating that replication is enabled on this particular naming context.
1.2.18. Abandon Message
The abandon message indicates that an operation has been aborted.
1.2.20. SASL Multi-Stage Bind Logging
In Directory Server, logging for multi-stage binds is explicit. Each stage in the bind process is logged, and, where appropriate, the progress statement SASL bind in progress is included. In logging a SASL bind, the sasl method is followed by the LDAP version number (see Section 1.2.6, “Version Number”) and the SASL mechanism used, as shown below with the GSS-API mechanism.
Access log level 4 enables logging for internal operations, which logs the search base, scope, filter, and requested search attributes, in addition to the details of the search being performed. In the following example, access logging level 768 is enabled (512 + 256), which logs access to entries and referrals. In this extract, six entries and one referral are returned in response to the search request, which is shown on the first line.
access operations and entry access and referrals being logged.
2. Common Connection Codes
A connection code is a code that is added to the closed log message to provide additional information related to the connection closure. Common connection codes include:
Connection Code: Description
A1: Client aborts the connection.
B1: Corrupt BER tag encountered.
Table 5.3. Common Connection Codes
3. LDAP Result Codes
LDAP has a set of result codes with which it is useful to be familiar.
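The access-log fields described in Section 1.2 (conn, op, the operation verb, err, tag, nentries, etime, csn) and the connection codes in Table 5.3 are what logconv.pl and most home-grown monitoring work from. The following added example, which is not Red Hat code, parses lines in the documented format and correlates each BIND with its RESULT through the conn and op numbers, so that failed binds, slow operations and close codes can be reported. SAMPLE_LOG is constructed in the documented layout; the exact form of the close message (closed - <code>) and the 5-second slow threshold are assumptions of this example.

```python
"""Parse Directory Server access-log lines of the documented shape and
report failed binds, slow operations and connection-close codes.
Added example, not Red Hat code; SAMPLE_LOG is constructed."""
import re
from collections import Counter

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
# key=value pairs; quoted values (dn="...", filter="...") may contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SLOW_SECONDS = 5   # etime threshold for the slow-operation report (assumption)

# Connection codes listed in the section above (Table 5.3 has the full list)
CONNECTION_CODES = {
    "A1": "Client aborts the connection.",
    "B1": "Corrupt BER tag encountered.",
}


def parse_line(line):
    """Split one access-log line into a dict; None if it lacks the
    [timestamp] conn=N prefix. 'event' is 'open', 'closed', or the
    operation verb (BIND, SRCH, ADD, RESULT, ...)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "conn": int(m.group("conn"))}
    for key, value in KV_RE.findall(rest):
        rec[key] = value.strip('"')
    if "connection from" in rest:
        rec["event"] = "open"
    elif " closed" in rest:
        rec["event"] = "closed"
        # assumed layout: "... closed - <connection code>"
        rec["code"] = rest.rsplit("- ", 1)[-1].strip() if " - " in rest else ""
    else:
        # the verb is the first token that is not a key=value pair
        words = [w for w in rest.split() if "=" not in w]
        rec["event"] = words[0] if words else ""
    return rec


def summarize(lines):
    """Correlate each BIND with its RESULT (same conn and op numbers),
    record non-zero err values, slow etime values and close codes."""
    pending_bind = {}   # (conn, op) -> bind DN
    failed_binds = []   # (conn, dn, err)
    slow_ops = []       # (conn, op, etime)
    close_codes = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec.get("op"))
        if rec["event"] == "BIND":
            pending_bind[key] = rec.get("dn", "")
        elif rec["event"] == "RESULT":
            err = int(rec.get("err", "0"))
            if key in pending_bind and err != 0:
                failed_binds.append((rec["conn"], pending_bind[key], err))
            pending_bind.pop(key, None)
            etime = int(rec.get("etime", "0"))
            if etime >= SLOW_SECONDS:
                slow_ops.append((rec["conn"], rec["op"], etime))
        elif rec["event"] == "closed":
            close_codes[rec["code"]] += 1
    return {"failed_binds": failed_binds, "slow_ops": slow_ops,
            "close_codes": dict(close_codes)}


def describe_code(code):
    """Look up a connection code in the table above."""
    return CONNECTION_CODES.get(code, "unknown code (see Table 5.3)")


# Constructed sample in the documented format (err=49 is the LDAP
# invalidCredentials result; tag=97/101/105 are the bind/search/add result tags).
SAMPLE_LOG = """\
[21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2007:11:40:02 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[21/Apr/2007:11:40:14 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=250 etime=12
[21/Apr/2007:11:39:53 -0700] conn=13 op=2 ADD dn="cn=Sat Apr 21 11:39:51 MET DST 2007, dc=example,dc=com"
[21/Apr/2007:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000
[21/Apr/2007:11:39:55 -0700] conn=14 op=0 BIND dn="uid=bjensen,dc=example,dc=com" method=128 version=3
[21/Apr/2007:11:39:55 -0700] conn=14 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2007:11:39:56 -0700] conn=14 op=-1 fd=609 closed - B1
[21/Apr/2007:11:40:20 -0700] conn=11 op=-1 fd=608 closed - A1
not an access log line
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for conn, dn, err in report["failed_binds"]:
        print(f"conn={conn} failed bind as {dn!r}: err={err}")
    for conn, op, etime in report["slow_ops"]:
        print(f"conn={conn} op={op} took {etime}s")
    for code, n in report["close_codes"].items():
        print(f"{code} x{n}: {describe_code(code)}")
```

Matching on the (conn, op) pair rather than on adjacency matters because operations on different connections interleave in the file, as the sample shows with conn=11 and conn=13; the same join is what lets a RESULT's err value be attributed to the BIND dn that preceded it.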
Result Code: Defined Value
97: REFERRAL_LIMIT_EXCEEDED
Table 5.4.
Chapter 6. Command-Line Utilities
This chapter contains reference information on command-line utilities used with Red Hat Directory Server (Directory Server). These command-line utilities make it easy to perform administration tasks on the Directory Server.
1.
contain characters that have special meaning to the command-line interpreter, such as space ( ), asterisk (*), and backslash (\). When this situation occurs, enclose the value in quotation marks (""). For example:
-D "cn=Barbara Jensen, ou=Product Development, dc=example,dc=com"
Depending on the command-line interpreter, use either single or double quotation marks for this purpose. See the operating system documentation for more information.
on this tool, see Appendix A in the Directory Server Administrator's Guide.
dbscan: Analyzes and extracts information from a Directory Server database file.
Table 6.1. Commonly-Used Command-Line Utilities
4. ldapsearch
ldapsearch is a configurable utility that locates and retrieves directory entries via LDAP.
optional_list_of_attributes: A list of space-separated attributes that reduces the scope of the attributes returned in the search results. This list of attributes must appear after the search filter. For a usage example, see the Directory Server Administrator's Guide. If a list of attributes is not specified, the search returns values for all attributes permitted by the access control set in the directory, with the exception of operational attributes.
-D: Specifies the distinguished name with which to authenticate to the server. This option is optional if anonymous access is supported by the server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to search for the entries. For example: -D "uid=bjensen, dc=example,dc=com"
-g: Specifies that the password policy request control not be sent with the bind request.
Regardless of the value specified here, ldapsearch never waits longer than is allowed by the server's nsslapd-timelimit attribute, unless the authenticated user is the Directory Manager. The default value for the nsslapd-timelimit attribute is 3600 seconds. See Section 3.1.95, “nsslapd-timelimit (Time Limit)” for more information.
-p: Specifies the TCP port number that the Directory Server uses. For example: -p 1049 The default is 389.
If a dash (-) is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line.
-x: Specifies that the search results are sorted on the server rather than on the client. This is useful for sorting according to a matching rule, as with an international search. In general, it is faster to sort on the server than on the client.
specify the following:
ldapsearch { -Z, -ZZ, -ZZZ } [ -p secure_port ] [ -P certificate_database ] [ -N certificate_name ] [ -K key_database ] [ -W key_database_password ]
NOTE
To run ldapsearch over TLS/SSL, either the -Z option is required (for SSL) or the -ZZ or -ZZZ option is required (for Start TLS).
-3: Specifies that hostnames should be checked in SSL certificates.
-I: Specifies the SSL key password file that contains the token:password pair.
option, of the certificate database of the client. This option is used only with the -Z option. When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be that of the certificate database for the browser. For example: -P /security/cert.db
The client security files can also be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory.
must respond that the request was successful. If the server does not support Start TLS, for example because Start TLS is not enabled or the certificate information is incorrect, the command is aborted immediately.
Table 6.4. Additional SSL ldapsearch Options
SASL Options. SASL mechanisms can be used to authenticate a user, with the -o option passing the required SASL information. To learn which SASL mechanisms are supported, search the root DSE. See the -b option in Table 6.
There are three SASL mechanisms supported in Red Hat Directory Server:
• CRAM-MD5, described in Table 6.6, “Description of CRAM-MD5 Mechanism Options”
• DIGEST-MD5, described in Table 6.7, “Description of DIGEST-MD5 SASL Mechanism Options”
• GSSAPI, described in Table 6.8, “Description of GSSAPI SASL Mechanism Options”
mech=CRAM-MD5 (Required): Gives the SASL mechanism.
susceptible to active attacks.
• nodict — Do not permit mechanisms susceptible to passive dictionary attacks.
• forwardsec — Require forward secrecy.
• passcred — Attempt to pass client credentials.
• noanonymous — Do not permit mechanisms that allow anonymous access.
• minssf — Require a minimum security strength; this option needs a numeric value specifying bits of encryption.
the maximum receive buffer size the client will accept when using integrity or privacy settings.
Table 6.6. Description of CRAM-MD5 Mechanism Options
mech=DIGEST-MD5 (Required): Gives the SASL mechanism. Example: -o "mech=DIGEST-MD5"
authid=authid_value (Required): Gives the ID used to authenticate to the server. Example: -o "authid=dn:uid=msmith,ou=People,o=exam
authid_value can be the following:
• UID.
simple passive attack.
• noanonymous — Do not permit mechanisms that allow anonymous access.
• minssf — Require a minimum security strength; this option needs a numeric value specifying bits of encryption. A value of 1 means integrity is provided without privacy.
• maxssf — Require a maximum security strength; this option needs a numeric value specifying bits of encryption.
NOTE
Have the Kerberos ticket before issuing a GSS-API request.
secprop=value (Optional): The secprop attribute sets the security properties for the connection. Example: -o "secprop=noplain,noanonymous,maxssf=56,minssf=56"
The secprop value can be any of the following:
• None
• noplain — Do not permit mechanisms susceptible to simple passive attack.
• noanonymous — Do not permit mechanisms that allow anonymous access.
• maxssf — Require a maximum security strength; this option needs a numeric value specifying bits of encryption. A value of 1 means integrity is provided without privacy. The maximum value is 56.
Table 6.8. Description of GSSAPI SASL Mechanism Options
Additional ldapsearch Options.
-A: Specifies that the search retrieves the attributes only, not the attribute values.
corresponding value. For example: -F +
-f: Specifies the file containing the search filters to be used in the search. For example: -f search_filters
option to supply a search filter directly to the command line. For more information about search filters, see Appendix B, "Finding Directory Entries", in the Directory Server Administrator's Guide.
-G: Conducts a virtual list view search.
environment variable setting. This argument can input the bind DN, base DN, and the search filter pattern in the specified character set. ldapsearch converts the input from these arguments before it processes the search request. For example, -i no indicates that the bind DN, base DN, and search filter are provided in Norwegian.
Databases" chapter in the Directory Server Administrator's Guide.
-n: Specifies that the search is not actually to be performed, but that ldapsearch is to show what it would do with the specified input.
-O: Specifies the maximum number of referral hops ldapsearch should automatically follow. For example: -O 2
-R: Specifies that referrals are not to be followed automatically. By default, referrals are followed automatically.
LDAPv3 is the default. An LDAPv3 search cannot be performed against a Directory Server that only supports LDAPv2.
-Y: Specifies the proxy DN to use for the search. This argument is provided for testing purposes. For more information about proxied authorization, see the "Managing Access Control" chapter in the Directory Server Administrator's Guide.
ldapmodify
Commonly-Used ldapmodify Options.
-a: Adds LDIF entries to the directory without requiring the changetype:add LDIF update statement. This provides a simplified method of adding entries to the directory. This option also allows directly adding a file created by ldapmodify.
-B: Specifies the suffix under which the new entries will be added.
-D: Specifies the distinguished name with which to authenticate to the server.
false to ensure that all LDAPv3 servers that do not understand the control can ignore it. To suppress sending of the request control with the bind request, include -g on the command line.
-h: Specifies the name of the host on which the server is running. For example: -h cyclops
-p: Specifies the port number that the server uses. For example: -p 1049 The default is 389. If -Z is used, the default is 636.
-3: Specifies that hostnames should be checked in SSL certificates.
-I: Specifies the SSL key password file that contains the token:password pair.
-K: Specifies the path, including the filename, of the private key database of the client. Either the absolute or the relative (to the server root) path can be specified. The -K option must be used when the key database has a different name than key3.
/client-cert.db
-Q: Specifies the token and certificate name, separated by a colon (:), for PKCS11.
-W: Specifies the password for the certificate database identified by the -P option. For example: -W serverpassword
-Z: Specifies that SSL is to be used for the directory request.
-ZZ: Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one.
• authid
• authzid
• secProp
• realm
• flags
The expected values depend on the supported mechanism. The -o option can be used multiple times to pass all of the required SASL information for the mechanism. For example:
-o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user"
Table 6.12. SASL Options
See SASL Options for information on how to use SASL options with ldapmodify.
Additional ldapmodify Options.
photo.jpeg file into the jpegPhoto attribute being added to the entry. As an alternative to the -b option, use the :< URL specifier notation, which is simpler. For example:
jpegphoto:< file:///tmp/myphoto.jpg
Although the official notation requires three ///, the use of one / is accepted.
NOTE
The :< URL specifier notation only works if the LDIF statement is version 1 or later, meaning version: 1 is inserted in the LDIF file.
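The :< notation above is one of three value forms an LDIF attribute line can carry: a plain value after a single colon, a base64-encoded value after a double colon, and a file URL after :<, which makes ldapmodify read the attribute value from a local file. The following added example, which is not Red Hat code, resolves all three forms, applying the leniency described above (one slash accepted in place of three). The allowed_dir restriction is an assumption of this example, added so that an LDIF file received from elsewhere cannot pull in arbitrary local files when it is processed; the sample data is constructed.

```python
"""Resolve the three LDIF value forms ('attr: value', 'attr:: base64',
'attr:< file URL'). Added example, not project code; allowed_dir is an
assumption of this example and the demo data is constructed."""
import base64
import os
import tempfile


def file_url_to_path(url):
    """Accept file:///tmp/x (official form) and file:/tmp/x (one slash,
    which the reference says ldapmodify also accepts)."""
    if not url.startswith("file:"):
        raise ValueError(f"only file: URLs are supported here: {url!r}")
    body = url[len("file:"):]
    if body.startswith("///"):
        return body[2:]            # '///tmp/x' -> '/tmp/x'
    if body.startswith("//"):
        raise ValueError(f"file URL with a host part is not supported: {url!r}")
    return body                    # '/tmp/x' stays as it is


def ldif_value(line, allowed_dir=None):
    """Return (attribute, value_bytes) for one LDIF attribute line.
    allowed_dir (assumption) restricts which local files a ':<' reference
    may read; None disables the check."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an attribute line: {line!r}")
    if rest.startswith(":"):                      # attr:: base64
        return attr, base64.b64decode(rest[1:].strip(), validate=True)
    if rest.startswith("<"):                      # attr:< URL
        url = rest[1:].strip()
        path = file_url_to_path(url)
        if allowed_dir is not None:
            real, root = os.path.realpath(path), os.path.realpath(allowed_dir)
            if os.path.commonpath([real, root]) != root:
                raise PermissionError(f"{url} is outside {allowed_dir}")
        with open(path, "rb") as fh:
            return attr, fh.read()
    return attr, rest.strip().encode("utf-8")     # attr: value


def demo():
    """Write a constructed photo file and resolve four sample lines."""
    with tempfile.TemporaryDirectory() as tmp:
        photo = os.path.join(tmp, "myphoto.jpg")
        with open(photo, "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0fake-jpeg")   # constructed bytes
        lines = [
            "cn: Barbara Jensen",
            "description:: " + base64.b64encode("Caf\u00e9".encode("utf-8")).decode(),
            f"jpegphoto:< file://{photo}",   # photo starts with '/', so three slashes
            f"jpegphoto:< file:{photo}",     # one-slash form
        ]
        return [ldif_value(line, allowed_dir=tmp) for line in lines]


if __name__ == "__main__":
    for attr, value in demo():
        print(attr, len(value), "bytes")
```

Both URL spellings resolve to the same file and the same bytes; a reference outside allowed_dir is refused before the file is opened.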
-n: Specifies that the entries are not actually to be modified but that ldapmodify is to show what it would do with the specified input.
-O: Specifies the maximum number of referral hops to follow. For example: -O 2
-R: Specifies that referrals are not to be followed automatically.
-v: Specifies that the utility is to run in verbose mode.
-V: Specifies the LDAP version number to be used on the operation. For example: -V 2 LDAPv3 is the default.
ldapdelete
Syntax.
ldapdelete [ optional_options ]
Commonly-Used ldapdelete Options.
-D: Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries. For example: -D "uid=bjensen, dc=example,dc=com" For more information on access control, see the "Managing Access Control" chapter in the Directory Server Administrator's Guide.
default is 636.
-w: Specifies the password associated with the distinguished name specified in the -D option. For example: -w mypassword The default is "", or anonymous. If a password is not sent on the command line and the server requires one, the command prompts for one. It is more secure not to provide a password on the command line, so that it does not show up in clear text in a listing of commands.
Table 6.14. Commonly-Used ldapdelete Options
SSL Options.
Chapter 6. Command-Line Utilities Option Description certificate-based client authentication. For example: -N Server-Cert If this option is specified, then the -Z and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified on -D and -w.
ldapdelete Option Description -Z Specifies that SSL is to be used for the delete request. -ZZ Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not need to be aborted; it will continue in plain text. -ZZZ Enforces the Start TLS request. The server must respond that the request was successful.
Chapter 6. Command-Line Utilities Option Description information for the mechanism. For example: -o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user" Table 6.16. SASL Options See SASL Options for information on how to use SASL options with ldapdelete. Additional ldapdelete Options. Option Description -c Specifies that the utility must run in continuous operation mode. Errors are reported, but the utility continues with deletions. The default is to quit after reporting an error.
ldappasswd Option Description -O 2 There is no maximum number of referral hops. -R Specifies that referrals are not to be followed automatically. By default, the server follows referrals. -v Specifies that the utility is to run in verbose mode. -V Specifies the LDAP version number to be used on the operation. For example: -V 2 LDAPv3 is the default. An LDAPv3 operation cannot be performed against a Directory Server that only supports LDAPv2.
Chapter 6. Command-Line Utilities ldappasswd [ options ] [ user ] user is the authentication identity, typically a DN. If not specified, the distinguished name specified by the -D option (bind name) is used. ldappasswd-specific Options. Option Description -A Specifies that the command should prompt for the user's existing password. -a Specifies the user's existing password. For example: -a old_password -S Specifies that the command should prompt for a new password for the user.
ldappasswd NOTE The ldappasswd utility requires confidentiality. If the messages are not encrypted with SSL, TLS, or an appropriate SASL mechanism, the server will not perform the request. Option Description -3 Specifies that hostnames should be checked in SSL certificates. -D Specifies the distinguished name with which to authenticate to the server. This value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries.
Chapter 6. Command-Line Utilities Option Description server is running. For example: -h cyclops The default is localhost. -I Specifies the SSL key password file that contains the token:password pair. -K Specifies the path, including the filename, of the private key database of the client. This can be the absolute or relative (to the server root) path. The -K option must be used when the key database is not called key3.
ldappasswd Option Description example: -P /security/cert.db The client security files can also be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory. In this case, the -P option would call out a path and filename similar to the following: -P /etc/dirsrv/slapd-instance_name/client-cert.db -p Specifies the port number that the server uses. The default is 389. If -Z is used, the default is 636.
Chapter 6. Command-Line Utilities Option Description search request. -ZZ Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not need to be aborted; it will continue in cleartext. -ZZZ Enforces the Start TLS request. The server must respond that the request was successful.
ldappasswd NOTE For more information on newly-generated passwords, see the "Managing the Password Policy" section of the Directory Server Administrator's Guide. A user, tuser3, changes the password from old_password to new_password over SSL. ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "uid=tuser3,ou=People,dc=example,dc=com" -w old_password -a old_password -s new_password Example 6.3.
Chapter 6. Command-Line Utilities Example 6.6. User Already Authenticating by Kerberos Prompts for a New Password 8. ldif ldif automatically formats LDIF files and creates base-64 encoded attribute values. Base-64 encoding makes it possible to represent binary data, such as a JPEG image, in LDIF. Base-64 encoded data is represented using a double colon (::) symbol.
dbscan Option Description is not present, each line is considered to be a separate input value. As an alternative to the -b option, use the :< URL specifier notation. For example: jpegphoto:< file:///tmp/myphoto.jpg Although the official notation requires three ///, the use of one / is accepted. NOTE The :< URL specifier notation only works if the LDIF statement is version 1 or later, meaning version: 1 is inserted in the LDIF file.
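As an added illustration of the encoding rule described above (example code, not the ldif utility's own implementation), the following Python applies the RFC 2849 rule that decides when a value must be written after a double colon as base-64, folds long lines the way an LDIF writer does, and shows what the :< file reference resolves to (the raw file contents, then base-64 encoded). The DN, attribute values and the JPEG stub are constructed for the example.

```python
import base64

# Added example: LDIF value formatting per RFC 2849, the rule the ldif
# utility applies.  Sample values are constructed for illustration.


def needs_base64(value: bytes) -> bool:
    """True when the value is not an RFC 2849 SAFE-STRING and must be written
    as 'attr:: <base-64>'.  Unsafe: a leading space, colon or '<'; a trailing
    space; any NUL, CR, LF or non-ASCII byte.  An empty value is safe."""
    if not value:
        return False
    if value[0] in b" :<" or value[-1:] == b" ":
        return True
    return any(b in (0x00, 0x0A, 0x0D) or b > 0x7F for b in value)


def ldif_attribute_line(attr: str, value) -> str:
    """Render one attribute/value pair as 'attr: v' or 'attr:: b64'."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    return f"{attr}: {value.decode('ascii')}"


def fold_line(line: str, width: int = 76) -> str:
    """Fold a long line as LDIF writers do: continuation lines start with one
    space (the -U option of db2ldif turns this folding off)."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1 :]
    return "\n".join(parts)


def ldif_entry(dn: str, attrs, fold: bool = True) -> str:
    """Render a whole entry; attrs is an iterable of (name, value) pairs where
    value is str or bytes (bytes is what a jpegphoto:< file reference yields)."""
    lines = [ldif_attribute_line("dn", dn)]
    lines.extend(ldif_attribute_line(a, v) for a, v in attrs)
    if fold:
        lines = [fold_line(line) for line in lines]
    return "\n".join(lines) + "\n"


def file_value(path: str) -> bytes:
    """What 'attr:< file:///path' in a version 1 LDIF resolves to: the raw
    file contents, which ldif_attribute_line then base-64 encodes."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    JPEG_STUB = b"\xff\xd8\xff\xe0"  # constructed: a JPEG SOI/APP0 marker, not a real image
    print(ldif_entry("uid=bjensen,ou=People,dc=example,dc=com", [
        ("objectClass", "inetOrgPerson"),
        ("cn", "Barbara Jensen"),
        ("description", " leading space forces base-64"),
        ("l", "Zürich"),
        ("jpegPhoto", JPEG_STUB),
    ]))
```

Running the script prints the entry with cn as plain text and description, l and jpegPhoto as double-colon base-64 lines; a value that happens to be ASCII but starts with a space or colon is encoded too, which is why a writer cannot simply test for "binary".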
Chapter 6. Command-Line Utilities Options. Option Parameter Description -f filename Specifies the name of the database file, the contents of which are to be analyzed and extracted. This option is required. -R Dumps the database as raw data. -t size Specifies the entry truncate size (in bytes). Table 6.21. Common Options NOTE The options listed in Table 6.22, “Entry File Options” are meaningful only when the database file is id2entry.db4.
dbscan Option Parameter Description bytes. The default value is 4096. -G n Displays only those index entries whose ID lists exceed the specified length. -n Displays only the length of the ID list. -r Displays the contents of the ID list. -s Gives the summary of index counts. Table 6.23. Index File Options Examples. The following are command-line examples of different situations using dbscan to examine the Directory Server databases.
Chapter 6. Command-Line Utilities dbscan -r -G 20 -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/sn.db4 Example 6.10. Displaying the Index Keys and the All IDs with More Than 20 IDs in sn.db4 dbscan -s -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/objectclass.db4 Example 6.11. Displaying the Summary of objectclass.db4 dbscan -r -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/vlv#bymccoupeopledcpeopledccom.db4 Example 6.12.
dbscan Example 6.15. Displaying the entryID with the Common Name Key "=hr managers" dbscan -K 7 -f id2entry.
Chapter 7. Command-Line Scripts This chapter provides information on the scripts for managing Red Hat Directory Server, such as backing up and restoring the database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A, Using the ns-slapd Command-Line Utilities. 1. Finding and Executing Command-Line Scripts Most scripts are located in the /usr/lib/dirsrv/slapd-instance_name directory, though a few are located in the /usr/bin directory.
Chapter 7. Command-Line Scripts Shell Script Description /var/lib/dirsrv/slapd-instance_name/bak directory. start-slapd Starts Directory Server. stop-slapd Stops Directory Server. suffix2instance Maps a suffix to a backend name. verify-db.pl Checks backend database files. vlvindex Creates and generates virtual list view (VLV) indexes. Table 7.1. Shell Scripts in /usr/lib/dirsrv/slapd-instance_name Perl Script Description bak2db.pl Restores the database from the most recent archived backup.
Shell Scripts Script Name Description Perl or Shell Script cl-dump.pl Dumps and decodes the changelog. Perl logconv.pl Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events. Perl pwdhash Prints the encrypted form of a password using one of the server's encryption algorithms. If a user cannot log in, use this script to compare the user's password to the password stored in the directory.
Chapter 7. Command-Line Scripts • Section 3.9, “pwdhash (Prints Encrypted Passwords)” • Section 3.11, “repl-monitor (Monitors Replication Status)” • Section 3.12, “restart-slapd (Restarts the Directory Server)” • Section 3.13, “restoreconfig (Restores Administration Server Configuration)” • Section 3.14, “saveconfig (Saves Administration Server Configuration)” • Section 3.15, “start-slapd (Starts the Directory Server)” • Section 3.16, “stop-slapd (Stops the Directory Server)” • Section 3.
cl-dump (Dumps and Decodes the For information on the equivalent Perl script, see Section 4.1, “bak2db.pl (Restores a Database from Backup)”. For more information on restoring databases, see the "Populating Directory Databases" chapter in the Red Hat Directory Server Administrator's Guide. For more information on using filesystem replica initialization, see the "Managing Replication" chapter in the Red Hat Directory Server Administrator's Guide. 3.2.
Chapter 7. Command-Line Scripts Option Description to dump. When specifying multiple roots, use commas to separate roots. If the option is omitted, all the replica roots will be dumped. -v Prints the version of the script. -w bindPassword Specifies the password for the bind DN. Table 7.5. cl-dump Options For information on the equivalent Perl script, see Section 4.2, “cl-dump.pl (Dumps and Decodes the Changelog)”. 3.3. dbverify (Checks for Corrupt Databases) Verifies the backend database files.
Changelog) db2bak [ backupDirectory ] For information on the equivalent Perl script, see Section 4.3, “db2bak.pl (Creates a Backup of a Database)”. 3.5. db2ldif (Exports Database Contents to LDIF) Exports the contents of the database to LDIF. This script can be executed while the server is still running, except with the -r option. To export the replication state information, shut down the server first, then run db2ldif with -r. For information on the equivalent Perl script, see Section 4.5, “db2ldif.
Chapter 7. Command-Line Scripts Option Description used as input to db2index. -r Exports a replica. -s suffix_name Names the suffixes to be included or the subtrees to be included if -n has been used. -u Requests that the unique ID is not exported. -U Requests that the output LDIF is not folded. -x suffix_name Names the suffixes to be excluded. Table 7.7. db2ldif Options 3.6. db2index (Reindexes Database Index Files) Reindexes the database index files.
ldif2db (Import) Option Description -n backendInstance Gives the name of the instance to be reindexed. -s includeSuffix Gives suffixes to be included or the subtrees to be included if -n has been used. -t attributeName{:indextypes(:matchingrules)} Names of the attributes to be reindexed. Optionally, this can include the index type (eq, pres, sub, approx) and a matching rule OID. -T vlvAttributeName Gives the names of the VLV attributes to be reindexed.
Chapter 7. Command-Line Scripts Option Description -E Encrypts data during import. This option is used only if database encryption is enabled. -g string Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated.
ldif2ldap (Performs Import Operation over Option Description -x excludeSuffix Gives the suffixes to be excluded. Table 7.9. ldif2db Options 3.8. ldif2ldap (Performs Import Operation over LDAP) Performs an import operation over LDAP to the Directory Server. To run this script, the server must be running. Syntax. ldif2ldap -D rootdn -w password -f filename Options. Option Description -D rootdn Gives a user DN with root permissions, such as Directory Manager.
Chapter 7. Command-Line Scripts Option Description -D config_directory Gives the full path to the configuration directory. -c password Gives the hashed password string to which to compare the user's password. -s scheme Gives the scheme to hash the given password. -H Shows the help. Table 7.11. pwdhash Options For more information on the different storage schemes, such as SSHA, SHA, CRYPT, and CLEAR, see the Directory Server Administrator's Guide. 3.10.
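The storage schemes pwdhash works with are plain formats, so the check that pwdhash -c performs can be shown directly. The following is an added example in Python, not the pwdhash script's own code: it produces {SSHA}, {SHA} and {CLEAR} userPassword values and verifies a candidate password against a stored value by reading the scheme prefix. The {SSHA} layout assumed here is base-64 of sha1(password || salt) followed by the salt, with a 4-byte salt when generating; the verifier takes the salt to be whatever follows the 20-byte digest, so stored values with other salt lengths verify too. {CRYPT} is deliberately left unhandled.

```python
import base64
import hashlib
import hmac
import os

# Added example, not the pwdhash script itself: the {SSHA}/{SHA}/{CLEAR}
# userPassword formats and a constant-time comparison of a candidate
# password against a stored value (what pwdhash -c does).

SHA1_LEN = 20  # byte length of a SHA-1 digest


def ssha_hash(password: str, salt: bytes = None) -> str:
    """{SSHA}: base-64 of sha1(password || salt) || salt.  A 4-byte random salt
    is assumed when none is given; the salt is whatever follows the digest."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """{SHA}: unsalted base-64 SHA-1, so equal passwords give equal hashes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def split_scheme(stored: str):
    """Split '{SCHEME}data' into ('SCHEME', 'data'); scheme names are case-insensitive."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored value has no {SCHEME} prefix")
    scheme, _, data = stored[1:].partition("}")
    return scheme.upper(), data


def verify_password(password: str, stored: str) -> bool:
    """True if password hashes to the stored value under the scheme named in
    its prefix.  hmac.compare_digest keeps the comparison constant-time."""
    scheme, data = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(data))
    if scheme == "CLEAR":
        return hmac.compare_digest(pw, data.encode("utf-8"))
    raise ValueError(f"unsupported storage scheme {scheme}")  # e.g. CRYPT is not handled here


if __name__ == "__main__":
    stored = ssha_hash("secret12")                      # constructed sample password
    print(stored)
    print(verify_password("secret12", stored))          # True
    print(verify_password("secret13", stored))          # False
```

Two hashes of the same password under {SSHA} differ because of the salt, which is the reason to prefer it over {SHA} or {CLEAR} when the directory stores passwords; the example's verifier is also the kind of check to run against a known test vector when confirming what scheme a migrated directory actually used.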
LDAP) Option Description The default value is the current hostname. -f configFile Specifies the absolute path to the configuration file, which defines the connection parameters used to connect to LDAP servers to get replication information. For more information about the configuration file, see Configuration File Format. -p port Specifies the initial replication supplier's port. The default value is 389. -r If specified, causes the routine to be entered without printing the HTML header information.
Chapter 7. Command-Line Scripts The format for the configuration file is shown below.
[connection]
host:port:binddn:bindpwd:bindcert
host:port:binddn:bindpwd:bindcert
...
[alias]
alias = host:port
alias = host:port
...
[color]
lowmark = color
lowmark = color
The connection section defines how this tool may connect to each LDAP server in the replication topology to get the replication-agreement information. The default binddn is cn=Directory Manager.
restart-slapd (Restarts the Directory Server) • host, port, and binddn can be replaced with relevant values or *, or omitted altogether. If host is null or *, the entry may apply to any host that does not have a dedicated entry in the file. If port is null or *, the port will default to the port stored in the current replication agreement. If binddn is null or *, it defaults to cn=Directory Manager. • bindcert can be replaced with the full path to the certificate database, null, or *.
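As an added example (Python, not the repl-monitor script's own Perl code), the following parser reads this configuration file and applies the rules above: empty or * host and port fields act as wildcards, an empty or * binddn falls back to cn=Directory Manager, a port written as port=shadowport (described under repl-monitor.pl) makes the monitor connect to the shadow port, and a dedicated host entry takes precedence over a wildcard one. The sample file, hostnames and password are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not the repl-monitor script's own code: a parser for its
# configuration file.  The sample file below is constructed.

DEFAULT_BINDDN = "cn=Directory Manager"


@dataclass
class Connection:
    host: Optional[str]         # None: "*" or empty, applies to any host without its own entry
    port: Optional[int]         # None: "*" or empty, use the port from the replication agreement
    shadow_port: Optional[int]  # from host:port=shadowport; connect here instead of port
    binddn: str
    bindpwd: str
    bindcert: Optional[str]     # full path to the certificate database, or None


@dataclass
class MonitorConfig:
    connections: List[Connection] = field(default_factory=list)
    aliases: Dict[str, str] = field(default_factory=dict)
    colors: List[Tuple[float, str]] = field(default_factory=list)


def _wildcard(value: str) -> Optional[str]:
    """Empty and '*' both mean 'not specified'."""
    value = value.strip()
    return None if value in ("", "*") else value


def parse_connection(line: str) -> Connection:
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError(f"expected host:port:binddn:bindpwd[:bindcert]: {line!r}")
    fields += [""] * (5 - len(fields))          # bindcert may be omitted entirely
    host, port, binddn, bindpwd, bindcert = fields[:5]
    shadow = None
    if "=" in port:                             # host:port=shadowport form
        port, shadow_s = port.split("=", 1)
        shadow = int(shadow_s)
    p = _wildcard(port)
    return Connection(host=_wildcard(host), port=int(p) if p else None,
                      shadow_port=shadow, binddn=_wildcard(binddn) or DEFAULT_BINDDN,
                      bindpwd=bindpwd, bindcert=_wildcard(bindcert))


def parse_config(text: str) -> MonitorConfig:
    cfg = MonitorConfig()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "connection":
            cfg.connections.append(parse_connection(line))
        elif section == "alias":
            name, _, target = line.partition("=")
            cfg.aliases[name.strip()] = target.strip()
        elif section == "color":
            low, _, color = line.partition("=")
            cfg.colors.append((float(low.strip()), color.strip()))
        else:
            raise ValueError(f"line outside a known section: {line!r}")
    return cfg


def find_connection(cfg: MonitorConfig, host: str, port: int) -> Optional[Connection]:
    """Entry to use for a host:port found in a replication agreement; a
    dedicated host entry wins over a wildcard one."""
    best = None
    for c in cfg.connections:
        if c.host is not None and c.host != host:
            continue
        if c.port is not None and c.port != port:
            continue
        if best is None or (best.host is None and c.host is not None):
            best = c
    return best


def connect_port(conn: Connection, agreement_port: int) -> int:
    """Port actually connected to: the shadow port if configured, else the
    entry's own port, else the port stored in the agreement."""
    return conn.shadow_port or conn.port or agreement_port


SAMPLE_CONFIG = """\
[connection]
*:*::secret12:
host1.example.com:389=3890:cn=Directory Manager:secret12:/etc/dirsrv/slapd-inst/cert8.db
[alias]
Supplier1 = host1.example.com:389
Hub1 = hub1.example.com:636
[color]
0 = green
60 = yellow
"""
```

Because the connection section holds bind passwords in clear text, the file should be readable only by the account that runs the monitor; the parser is also a convenient place to reject entries whose bindcert path does not exist before the monitor attempts an SSL connection with them.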
Chapter 7. Command-Line Scripts Exit Code Description 0 Server restarted successfully. 1 Server could not be started. 2 Server restarted successfully but was already stopped. 3 Server could not be stopped. Table 7.13. restart-slapd Exit Status Codes 3.13. restoreconfig (Restores Administration Server Configuration) Restores, by default, the most recently saved Administration Server configuration information to the NetscapeRoot partition under the /etc/dirsrv/slapd-instance_name/ directory.
start-slapd (Starts the Directory Server) Options. There are no options for this script. 3.15. start-slapd (Starts the Directory Server) Starts the Directory Server. It is a good idea to check with the ps command whether the server has actually started, because the script can return while the startup process is still ongoing, which results in a confusing message. Syntax. start-slapd Options. There are no options for this script. Exit Status Codes.
Chapter 7. Command-Line Scripts Exit Code Description 1 Server could not be stopped. 2 Server was already stopped. Table 7.15. stop-slapd Exit Status Codes 3.17. suffix2instance (Maps a Suffix to a Backend Name) Maps a suffix to a backend name. Syntax. suffix2instance { -s suffix } Options. Option Description -s Suffix to be mapped to the backend. Table 7.16. suffix2instance Options 3.18. vlvindex (Creates Virtual List View Indexes) To run the vlvindex script, the server must be stopped.
Perl Scripts Option Description -n backendInstance Gives the name of the database containing the entries to index. -s suffix Gives the name of the suffix containing the entries to index. -T vlvTag VLV index identifier to use to create VLV indexes. The Console can specify a VLV index identifier for each database supporting the directory tree, as described in the Directory Server Administrator's Guide.
Chapter 7. Command-Line Scripts • Section 4.13, “verify-db.pl (Check for Corrupt Databases)” 4.1. bak2db.pl (Restores a Database from Backup) Restores a database from a backup. Syntax. bak2db.pl [ -v ] -D rootdn -w password [ -a backupDirectory ] [ -t databaseType ] [ -n backend ] Options. The script bak2db.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option.
db2bak.pl (Creates a Backup of a Database) replicaRoots ] [ -o outputFile ] [ -c ] [ -v ] cl-dump.pl -i changelogFile [ -o outputFile ] [ -c ] Options. Without the -i option, the script must be run when the Directory Server is running from a location from which the server's changelog directory is accessible. Option Description -c Dumps and interprets CSN only. This option can be used with or without the -i option. -D bindDn Specifies the Directory Server's bind DN.
Chapter 7. Command-Line Scripts db2bak.pl [ -v ] -D rootdn -w password [ -a dirName ] Options. The script db2bak.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option. Currently, the only possible database type is ldbm. Option Description -a dirName The directory where the backup files will be stored. The /var/lib/dirsrv/slapd-instance_name/bak directory is used by default.
db2ldif.pl (Exports Database Contents to Option Description -j filename The name of the file containing the password. -n backendInstance Gives the instance to be indexed. If the instance is not specified, the script reindexes all instances. -t attributeName{:indextypes(:matchingrules)} Gives the name of the attribute to be indexed. If omitted, all the indexes defined for the specified instance are generated. Optionally, this can include the index type (eq, pres, sub, approx) and a matching rule OID.
Chapter 7. Command-Line Scripts Option Description -m Sets minimal base-64 encoding. -M Sets the output LDIF to be stored in multiple files. -n backendInstance Gives the instance to be exported. -N Suppresses printing sequential numbers. -o Sets the output LDIF to be stored in one file by default with each instance stored in instance_filename. -r Exports a replica. -s includeSuffix -u Requests that the unique ID is not exported. -U Requests that the output LDIF is not folded.
LDIF) Option Description to be name-based. By default, a time-based unique ID is generated. When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use, as follows: -g deterministic namespaceId namespaceId is a string of characters in the format 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.
Chapter 7. Command-Line Scripts 4.7. logconv.pl (Log Converter) Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events. It is compatible with log formats from previous releases of Directory Server. For information on access logs, see Chapter 5, Access Log and Connection Code Reference.
logconv.pl (Log Converter) users. These lists are optional because they are computation intensive: specify only the command-line options required (see Options). Some information that is extracted by the logconv.pl script is available only in logs from current releases of Directory Server; the corresponding values will be zero when analyzing logs from older versions. In addition, some information will only be present in the logs if verbose logging is enabled in the Directory Server.
Chapter 7. Command-Line Scripts Option Description indicates the FDs that are not yet closed. -s number Specifies the number of items in each of the list options below. The default is 20 when this parameter is omitted. For example, -s 10 -i will list the ten client machines that access the Directory Server most often. This parameter will apply to all lists that are enabled, and it will have no effect if none are displayed.
ns-accountstatus.pl (Establishes Account Table 7.26, “logconv.pl Options to Display Occurrences” describes the options that enable the optional lists of occurrences. Specify only those required; specifying a large number of options can produce excessive output and affect execution speed. These parameters can be specified in any number and in any order, but they must all be given together as a single option on the command line, such as -abcefg.
Chapter 7. Command-Line Scripts 4.8. ns-accountstatus.pl (Establishes Account Status) Provides account status information to establish whether an entry or group of entries is inactivated. Syntax. ns-accountstatus.pl [ -D rootdn ] -w password [ -p port ] [ -h host ] -I DN Options. Option Description -D rootdn Specifies the Directory Server user DN with root permissions, such as Directory Manager. -h host Specifies the hostname of the Directory Server.
Status) Option Description Manager. -h host Specifies the hostname of the Directory Server. The default value is the full hostname of the machine where Directory Server is installed. -I DN Specifies the entry DN or role DN to activate. -p port Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time. -w password Specifies the password associated with the user DN. Table 7.28. ns-activate.pl Options 4.10. ns-inactivate.
Chapter 7. Command-Line Scripts Table 7.29. ns-inactivate.pl Options 4.11. ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy) Adds entries required for implementing the user- and subtree-level password policy. For instructions on how to enable this feature, see the Red Hat Directory Server Administrator's Guide. Syntax. ns-newpwpolicy.pl [ -D rootdn ] { -w password | -w - | -j filename } [ -p port ] [ -h host ] -U userDN -S suffixDN Options.
repl-monitor.pl (Monitors Replication Status) Table 7.30. ns-newpwpolicy.pl Options 4.12. repl-monitor.pl (Monitors Replication Status) Shows in-progress status of replication. Syntax. repl-monitor.pl -h host -p port -f configFile [ -u refreshUrl ] [ -t refreshInterval ] [ -r ] [ -v ] Options. Option Description -h host Specifies the initial replication supplier's host. The default value is the current hostname.
Chapter 7. Command-Line Scripts Option Description the gateway. -v Prints the version of this script. Table 7.31. repl-monitor.pl Options Configuration File Format. The configuration file defines the following: • The connection parameters for connecting to the LDAP servers to get replication information; specifying this information is mandatory. • The server alias for more readable server names; specifying this information is optional.
repl-monitor.pl (Monitors Replication Status) host1:*:binddn1:bindpassword1: In the optional alias section, use aliases such as Supplier1, Supplier2, and Hub1, to identify the servers in the replication topology. If used, the output shows these aliases, instead of http(s)://hostname:port. The CSN time lags between suppliers and consumers can be displayed in different colors based on their range.
Chapter 7. Command-Line Scripts host:port=shadowport:binddn:bindpwd:bindcert When the replication monitor finds a replication agreement that uses the specified port, it will use the shadow port to connect to retrieve statistics. 4.13. verify-db.pl (Check for Corrupt Databases) Verifies the backend database files. Syntax. verify-db.pl [ -a /path/to/database_directory ] Options. Option Description -a path Gives the path to the database directory. If this option is not passed with the verify-db.
Appendix A. Using the ns-slapd Command-Line Utilities Chapter 7, Command-Line Scripts discussed the scripts for performing routine administration tasks on the Red Hat Directory Server (Directory Server). This appendix discusses the ns-slapd command-line utilities that can be used to perform the same tasks.
Appendix A. Using the ns-slapd Command-Line Utilities Options. Option Description -a outputFile Defines the output file in which the server saves the exported LDIF. This file is stored by default in the directory where the command-line utility resides. -d debugLevel Specifies the debug level to use during the db2ldif runtime. For further information, refer to Section 3.1.42, “nsslapd-errorlog-level (Error Log Level)”.
Utilities for Restoring and Backing up Option Description this option does not cause the server to create a uniqueID for entries but simply takes what already exists in the database. -U Outputs the contents of the database without wrapping lines. -x excludeSuffix Specifies a suffix or suffixes to exclude in the export. There can be multiple -x arguments. If neither -s nor -x is specified, the server exports all suffixes within the database.
Appendix A. Using the ns-slapd Command-Line Utilities Option Description configuration directory that contains the configuration information for the import process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name. -E Decrypts an encrypted database during export. This option is used only if database encryption is enabled. -g string Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based.
Databases: ldif2db Option Description later, the indexes have to be recreated by hand. See the Directory Server Administrator's Guide for further information. -s includeSuffix Specifies the suffix or suffixes within the LDIF file to import. -x excludeSuffix Specifies suffixes within the LDIF file to exclude during the import. There can be multiple -x arguments. This option can selectively import portions of the LDIF file. If both -x and -s are used with the same suffix, -x takes precedence.
Appendix A. Using the ns-slapd Command-Line Utilities 6. Utilities for Restoring and Backing up Databases: db2archive Backs up all databases to the archives. Syntax. ns-slapd db2archive -D configDir -a archiveDir Options. Option Description -D configDir Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name.
Utilities for Creating and Regenerating Option Description configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name. -n backendName Specifies the name of the backend containing the entries to index. -t attributeName[:indextypes(:matchingrules)] Specifies the attribute to be indexed as well as the types of indexes to create and matching rules to apply, if any.
Appendix B. Revision History Revision History Revision 8.0.0-2 Thursday, January 10, 2008 Ella Deon Lackey Technical edits to chapters 3, 4, 6, 7, and appendix, and final review. Revision 8.0.0-1 December 2007 Joshua Oakes Some XML clean-up and review and technical edits. Revision 8.0.0-0 Wednesday, August 8, 2007 David O'Brien Initial setup.
Glossary A access control instruction See ACI. ACI An instruction that grants or denies permissions to entries in the directory. See Also access control instruction. access control list See ACL. ACL The mechanism for controlling access to your directory. See Also access control list. access rights In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory.
Glossary value. attribute list A list of required and optional attributes for a given entry type or object class. authenticating directory server In pass-through authentication (PTA), the authenticating Directory Server is the Directory Server that contains the authentication credentials of the requesting client. The PTA-enabled host sends PTA requests it receives from clients to the host. authentication (1) Process of proving the identity of the client user to the Directory Server.
uses the HTTP protocol to communicate with the host server. browsing index Speeds up the display of entries in the Directory Server Console. Browsing indexes can be created on any branch point in the directory tree to improve display performance. See Also virtual list view index. C CA See Certificate Authority. cascading replication In a cascading replication scenario, one server, often called the hub supplier, acts both as a consumer and a supplier for a particular replica.
Glossary ciphertext Encrypted information that cannot be read by anyone without the proper key to decrypt the information. class definition Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory. class of service See CoS. classic CoS A classic CoS identifies the template entry by both its DN and the value of one of the target entry's attributes. client See LDAP client.
data master The server that is the master source of a particular piece of data. database link An implementation of chaining. The database link behaves like a database but has no persistent storage. Instead, it points to data stored remotely. default index One of a set of default indexes created per database instance. Default indexes can be modified, although care should be taken before removing them, as certain plug-ins may depend on them. definition entry See CoS definition entry.
Glossary to a different host, specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as www.yourdomain.domain might point to a real machine called realthing.yourdomain.domain where the server currently exists. DSGW See Directory Server Gateway. E entry A group of lines in the LDIF file that contains information about an object.
gateway See Directory Server Gateway. general access When granted, indicates that all authenticated users can access directory information. GSS-API Generic Security Services. The generic access protocol that is the native way for UNIX-based systems to access and authenticate Kerberos services; also supports session encryption. H hostname A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.
Glossary indirect CoS An indirect CoS identifies the template entry using the value of one of the target entry's attributes. international index Speeds up searches for information in international directories. International Standards Organization See ISO. IP address Also Internet Protocol address. A set of numbers, separated by dots, that specifies the actual location of a machine on the Internet (for example, 198.93.93.10). ISO International Standards Organization.
Access Protocol See LDAP. locale Identifies the collation order, character type, monetary format and time/date format used to present data for users of a specific region, culture, and/or custom. This includes information on how data of a given language is interpreted, stored, or collated. The locale also indicates which code page should be used to represent a given language. M managed object A standard value which the SNMP agent can access and send to the NMS.
Glossary directory tree. monetary format Specifies the monetary symbol used by specific region, whether the symbol goes before or after its value, and how monetary units are represented. multi-master replication An advanced replication scenario in which two servers each hold a copy of the same read-write replica. Each server maintains a changelog for the replica. Modifications made on one server are automatically replicated to the other server.
object class Defines an entry type in the directory by defining which attributes are contained in the entry. object identifier A string, usually of decimal numbers, that uniquely identifies a schema element, such as an object class or an attribute, in an object-oriented system. Object identifiers are assigned by ANSI, IETF or similar organizations. See Also OID. OID See object identifier.
Glossary protocol A set of rules that describes how devices on a network exchange information. protocol data unit See PDU. proxy authentication A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN. proxy DN Used with proxied authorization. The proxy DN is the DN of an entry that has access permissions to the target on which the client-application is attempting to perform an operation.
  process is called a referral.
read-only replica
  A replica that refers all update operations to read-write replicas. A server can hold any number of read-only replicas.
read-write replica
  A replica that contains a master copy of directory information and can be updated. A server can hold any number of read-write replicas.
relative distinguished name
  See RDN.
replica
  A database that participates in replication.
schema
  Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.
schema checking
  Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default, and users will receive an error if they try to save an entry that does not conform to the schema.
  See also ns-slapd.
SNMP
  Used to monitor and manage application processes running on the servers by exchanging data about network activity. Also Simple Network Management Protocol.
SNMP master agent
  Software that exchanges information between the various subagents and the NMS.
SNMP subagent
  Software that gathers information about the managed device and passes the information to the master agent. Also called a subagent.
T

target
  In the context of access control, the target identifies the directory information to which a particular ACI applies.
target entry
  The entries within the scope of a CoS.
TCP/IP
  Transmission Control Protocol/Internet Protocol. The main network protocol for the Internet and for enterprise (company) networks.
template entry
  See CoS template entry.
time/date format
  Indicates the customary formatting for times and dates in a specific region.
X.500 standard
  The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementations.
Index

Symbols

00core.ldif
  ldif files, 4
01common.ldif
  ldif files, 5
05rfc2247.ldif
  ldif files, 5
05rfc2927.ldif
  ldif files, 5
10presence.ldif
  ldif files, 5
10rfc2307.ldif
  ldif files, 5
20subscriber.ldif
  ldif files, 5
25java-object.ldif
  ldif files, 5
28pilot.ldif
  ldif files, 5
30ns-common.ldif
  ldif files, 6
50ns-admin.ldif
  ldif files, 6
50ns-certificate.ldif
  ldif files, 6
50ns-directory.ldif
  ldif files, 6
50ns-mail.ldif
  ldif files, 6
50ns-value.ldif
  ldif files, 6
50ns-web.ldif
  ldif files, 6
60pam-plugin.
backup files, 173
bak2db
  command-line shell script, 244
  quick reference, 241
bak2db.
  restart-slapd, 255
  restoreconfig, 256
  saveconfig, 256
  start-slapd, 257
  stop-slapd, 257
  suffix2instance, 258
  vlvindex, 258
command-line utilities
  dbscan, 235
  finding and executing, 195
  ldapdelete, 221
  ldapmodify, 214
  ldappasswd, 227
  ldapsearch, 197
  ldif, 234
configuration
  access control, 8
  accessing and modifying, 8
  changing attributes, 9
  cn=NetscapeRoot, 8
  cn=UserRoot, 8
  database-specific, 3
  overview, 3
  plug-in functionality, 7
configuration attributes
  changelog5 configuration attributes, 72
  changing,
  nsDS5ReplicaLegacyConsumer, 81
  nsDS5ReplicaName, 81
  nsDS5ReplicaPort, 91
  nsDS5ReplicaPurgeDelay, 82
  nsDS5ReplicaReapActive, 92
  nsDS5ReplicaReferral, 83
  nsDS5ReplicaRoot, 83
  nsDS5ReplicaSessionPauseTime, 93
  nsDS5ReplicatedAttributeList, 94
  nsDS5ReplicaTimeout, 94
  nsDS5ReplicaTombstonePurgeInterval, 83
  nsDS5ReplicaTransportInfo, 95
  nsDS5ReplicaType, 84
  nsDS5ReplicaUpdateInProgress, 95
  nsDS5ReplicaUpdateSchedule, 95
  nsslapd-accesslog, 12
  nsslapd-accesslog-level, 13
  nsslapd-accesslog-list, 14
  nsslapd-acc
  nsslapd-reservedescriptors, 51
  nsslapd-return-exact-case, 52
  nsslapd-rootdn, 53
  nsslapd-rootpw, 53
  nsslapd-rootpwstoragescheme, 54
  nsslapd-saslpath, 54
  nsslapd-schema-ignore-trailing-spaces, 55
  nsslapd-schemacheck, 55
  nsslapd-schemareplace, 57
  nsslapd-securelistenhost, 57
  nsslapd-securePort, 57
  nsslapd-security, 58
  nsslapd-sizelimit, 58
  nsslapd-ssl-check-hostname, 59
  nsslapd-state, 78
  nsslapd-threadnumber, 59
  nsslapd-timelimit, 60
  nsslapd-versionstring, 61
  nssnmpcontact, 102
  nssnmpdescription, 102
  nssnmpena
  nsSearchSubtreeCount, 167
  nsSizeLimit, 164
  nsslapd-changelogmaxage, 168
  nsTimeLimit, 164
  nsTransmittedControls, 159
  nsUnbindCount, 167
database plug-in configuration attributes
  cn, 154
  dbcachehitratio, 146
  dbcachehits, 146
  dbcachepagein, 147
  dbcachepageout, 147
  dbcacheroevict, 147
  dbcacherwevict, 147
  dbcachetries, 146
  dbfilecachehit, 155
  dbfilecachemiss, 155
  dbfilenamenumber, 155
  dbfilepagein, 155
  dbfilepageout, 155
  description, 154
  nsIndexType, 153
  nsLookThroughLimit, 132
  nsMatchingRule, 153
  nsslap
  quick reference, 241
db2index, 282
  command-line shell script, 248
  quick reference, 241
db2index.pl
  command-line perl script, 262
  quick reference, 242
db2ldif
  command-line shell script, 247
  quick reference, 241
db2ldif.
LDAP result codes, 192
ldapdelete command-line utility
  additional options, 226
  commonly used options, 222
  SASL options, 225
  ssl options, 223
  syntax, 222
ldapmodify command-line utility
  additional options, 219
  commonly used options, 215
  options, 214
  SASL options, 218
  ssl options, 216
  syntax, 214
ldappasswd command-line utility
  changing user password, 232, 233, 233, 233
  examples, 232
  generating user password, 232
  options, 228
  prompting for new password, 233
  syntax, 227
ldapsearch command-line utility
  a
  command-line perl script, 271
  quick reference, 242
ns-newpolicy.pl
  quick reference, 242
ns-newpwpolicy.
nsslapd-accesslog-logbuffering attribute, 14
nsslapd-accesslog-logexpirationtime attribute, 15
nsslapd-accesslog-logexpirationtimeunit attribute, 15
nsslapd-accesslog-logging-enabled attribute, 16
nsslapd-accesslog-logmaxdiskspace attribute, 16
nsslapd-accesslog-logminfreediskspace attribute, 17
nsslapd-accesslog-logrotationsync-enabled attribute, 17
nsslapd-accesslog-logrotationsynchour attribute, 18
nsslapd-accesslog-logrotationsyncmin attribute, 18
nsslapd-accesslog-logrotationtime attribute, 19
n
nsslapd-db-page-size attribute, 140
nsslapd-db-page-trickle-rate attribute, 152
nsslapd-db-page-write-rate attribute, 152
nsslapd-db-pages-in-use attribute, 152
nsslapd-db-spin-count attribute, 140
nsslapd-db-transaction-batch-val attribute, 141
nsslapd-db-trickle-percentage attribute, 142
nsslapd-db-txn-region-wait-rate attribute, 152
nsslapd-db-verbose attribute, 142
nsslapd-dbcachesize attribute, 134
nsslapd-dbncache attribute, 143
nsslapd-directory attribute, 143, 148
nsslapd-ds4-compatible-schema attri
nsslapd-versionstring attribute, 61
nssnmpcontact attribute, 102
nssnmpdescription attribute, 102
nssnmpenabled attribute, 101
nssnmplocation attribute, 102
nssnmpmasterhost attribute, 103
nssnmpmasterport attribute, 103
nssnmporganization attribute, 101
nsssl2 attribute, 76
nsssl3 attribute, 76
nsssl3ciphers attribute, 76
nssslclientauth attribute, 75
nssslsessiontimeout attribute, 75
nsState attribute, 85
nsstate attribute, 106
nsSystemIndex attribute, 152
nsTimeLimit attribute, 164
nsTransmittedCo
  nsProxiedAuthorization, 163
  nsReferralOnScopedSearch, 164
  nsRenameCount, 167
  nsSearchBaseCount, 167
  nsSearchOneLevelCount, 167
  nsSearchSubtreeCount, 167
  nsSizeLimit, 164
  nsslapd-cache-autosize, 133
  nsslapd-cache-autosize-split, 133
  nsslapd-cachememsize, 148
  nsslapd-cachesize, 147
  nsslapd-changelogdir, 168
  nsslapd-changelogmaxage, 168
  nsslapd-db-abort-rate, 150
  nsslapd-db-active-txns, 150
  nsslapd-db-cache-hit, 150
  nsslapd-db-cache-region-wait-rate, 150
  nsslapd-db-cache-size-bytes, 150
  nsslapd-db-cache-try, 1
  bytessent, 100
  connection, 99
  currentconnections, 99
  currenttime, 100
  dtablesize, 100
  entriessent, 100
  nbackends, 101
  opscompleted, 100
  opsinitiated, 100
  readwaiters, 100
  starttime, 100
  totalconnections, 99
read-only monitoring configuration entries
  cn=monitor, 99
readwaiters attribute, 100
repl-monitor
  command-line shell script, 252
  quick reference, 242
repl-monitor.
  after configuration changes, 11
  setting the location of SASL plugins, 54
slapd.