
Red Hat Directory Server 10

Configuration, Command, and File Reference

Updated for Directory Server 10.3

Last Updated: 2019-01-07



Marc Muehlfeld
Red Hat Customer Content Services

Petr Bokoč
Red Hat Customer Content Services

Tomáš Čapek
Red Hat Customer Content Services

Petr Kovář
Red Hat Customer Content Services

Ella Deon Ballard
Red Hat Customer Content Services

Legal Notice
Copyright © 2019 Red Hat, Inc.

This document is licensed by Red Hat under the Creative Commons Attribution-
ShareAlike 3.0 Unported License. If you distribute this document, or a modified version
of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If
the document is modified, all Red Hat trademarks must be removed.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to
assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the
Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States
and other countries.

Linux ® is the registered trademark of Linus Torvalds in the United States and other
countries.

Java ® is a registered trademark of Oracle and/or its affiliates.

XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the
United States and/or other countries.

MySQL ® is a registered trademark of MySQL AB in the United States, the European
Union and other countries.

Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally
related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack ® Word Mark and OpenStack logo are either registered
trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in
the United States and other countries and are used with the OpenStack Foundation's
permission. We are not affiliated with, endorsed or sponsored by the OpenStack
Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract
This is a reference for the server schema, files, and command-line tools.
Table of Contents
ABOUT THIS REFERENCE 4
1. DIRECTORY SERVER OVERVIEW 4

CHAPTER 1. INTRODUCTION 5
1.1. DIRECTORY SERVER CONFIGURATION 5
1.2. DIRECTORY SERVER INSTANCE FILE REFERENCE 5
1.3. USING DIRECTORY SERVER COMMAND-LINE UTILITIES 5
1.4. USING DIRECTORY SERVER COMMAND-LINE SCRIPTS 5

CHAPTER 2. FILE LOCATIONS OVERVIEW 6
2.1. DIRECTORY SERVER INSTANCE-INDEPENDENT FILES AND DIRECTORIES 6
2.2. DIRECTORY SERVER INSTANCE-SPECIFIC FILES AND DIRECTORIES 6
2.3. ADMINISTRATION SERVER FILES AND DIRECTORIES 19

CHAPTER 3. CORE SERVER CONFIGURATION REFERENCE 20
3.1. CORE SERVER CONFIGURATION ATTRIBUTES REFERENCE 20
3.2. CONFIGURATION OBJECT CLASSES 227
3.3. ROOT DSE ATTRIBUTES 242
3.4. LEGACY ATTRIBUTES 246

CHAPTER 4. PLUG-IN IMPLEMENTED SERVER FUNCTIONALITY REFERENCE 249
4.1. SERVER PLUG-IN FUNCTIONALITY REFERENCE 249
4.2. LIST OF ATTRIBUTES COMMON TO ALL PLUG-INS 292
4.3. ATTRIBUTES ALLOWED BY CERTAIN PLUG-INS 297
4.4. DATABASE PLUG-IN ATTRIBUTES 300
4.5. DATABASE LINK PLUG-IN ATTRIBUTES (CHAINING ATTRIBUTES) 344
4.6. PAM PASS THROUGH AUTH PLUG-IN ATTRIBUTES 356
4.7. ACCOUNT POLICY PLUG-IN ATTRIBUTES 361
4.8. AD DN PLUG-IN ATTRIBUTES 365
4.9. AUTO MEMBERSHIP PLUG-IN ATTRIBUTES 366
4.10. DISTRIBUTED NUMERIC ASSIGNMENT PLUG-IN ATTRIBUTES 371
4.11. LINKED ATTRIBUTES PLUG-IN ATTRIBUTES 382
4.12. MANAGED ENTRIES PLUG-IN ATTRIBUTES 384
4.13. MEMBEROF PLUG-IN ATTRIBUTES 386
4.14. ATTRIBUTE UNIQUENESS PLUG-IN ATTRIBUTES 389
4.15. POSIX WINSYNC API PLUG-IN ATTRIBUTES 392
4.16. RETRO CHANGELOG PLUG-IN ATTRIBUTES 394
4.17. ROOTDN ACCESS CONTROL PLUG-IN ATTRIBUTES 397

CHAPTER 5. DIRECTORY ENTRY SCHEMA REFERENCE 401
5.1. ABOUT DIRECTORY SERVER SCHEMA 401
5.2. ENTRY ATTRIBUTE REFERENCE 411
5.3. ENTRY OBJECT CLASS REFERENCE 522

CHAPTER 6. OPERATIONAL ATTRIBUTES AND OBJECT CLASSES 621
6.1. ACCOUNTUNLOCKTIME 621
6.2. ACI 621
6.3. ALTSERVER 621
6.4. CREATETIMESTAMP 622
6.5. CREATORSNAME 622
6.6. DITCONTENTRULES 622
6.7. DITSTRUCTURERULES 623
6.8. ENTRYUSN 623
6.9. INTERNALCREATORSNAME 623
6.10. INTERNALMODIFIERSNAME 624
6.11. HASSUBORDINATES 624
6.12. LASTLOGINTIME 624
6.13. LASTMODIFIEDBY 625
6.14. LASTMODIFIEDTIME 625
6.15. LDAPSUBENTRY 625
6.16. LDAPSYNTAXES 626
6.17. MATCHINGRULES 626
6.18. MATCHINGRULEUSE 627
6.19. MODIFYTIMESTAMP 627
6.20. MODIFIERSNAME 627
6.21. NAMEFORMS 627
6.22. NSACCOUNTLOCK 628
6.23. NSAIMSTATUSGRAPHIC 628
6.24. NSAIMSTATUSTEXT 628
6.25. NSBACKENDSUFFIX 628
6.26. NSCPENTRYDN 629
6.27. NSDS5REPLCONFLICT 629
6.28. NSICQSTATUSGRAPHIC 629
6.29. NSICQSTATUSTEXT 630
6.30. NSIDLETIMEOUT 630
6.31. NSIDLISTSCANLIMIT 630
6.32. NSLOOKTHROUGHLIMIT 630
6.33. NSPAGEDIDLISTSCANLIMIT 631
6.34. NSPAGEDLOOKTHROUGHLIMIT 631
6.35. NSPAGEDSIZELIMIT 632
6.36. NSPARENTUNIQUEID 632
6.37. NSROLE 632
6.38. NSROLEDN 632
6.39. NSROLEFILTER 633
6.40. NSSCHEMACSN 633
6.41. NSSIZELIMIT 634
6.42. NSTIMELIMIT 634
6.43. NSTOMBSTONE (OBJECT CLASS) 634
6.44. NSUNIQUEID 635
6.45. NSYIMSTATUSGRAPHIC 635
6.46. NSYIMSTATUSTEXT 635
6.47. NUMSUBORDINATES 636
6.48. PASSWORDGRACEUSERTIME 636
6.49. PASSWORDRETRYCOUNT 636
6.50. PWDPOLICYSUBENTRY 637
6.51. PWDUPDATETIME 637
6.52. SUBSCHEMASUBENTRY 637
6.53. GLUE (OBJECT CLASS) 637
6.54. PASSWORDOBJECT (OBJECT CLASS) 638
6.55. SUBSCHEMA (OBJECT CLASS) 639

CHAPTER 7. LOG FILE REFERENCE 641
7.1. ACCESS LOG REFERENCE 641
7.2. ERROR LOG REFERENCE 657
7.3. AUDIT LOG REFERENCE 667
7.4. LDAP RESULT CODES 669
7.5. REPLACING LOG FILES WITH A NAMED PIPE 670

CHAPTER 8. CONFIGURATION FILE REFERENCE 675
8.1. CERTMAP.CONF 675

CHAPTER 9. COMMAND-LINE UTILITIES 678
9.1. COMMAND-LINE UTILITIES QUICK REFERENCE 678
9.2. LDIF 678
9.3. DBSCAN 679
9.4. DS-LOGPIPE.PY 683
9.5. DN2RDN 687

CHAPTER 10. COMMAND-LINE SCRIPTS 688
10.1. FINDING AND EXECUTING COMMAND-LINE SCRIPTS 688
10.2. COMMAND-LINE SCRIPTS QUICK REFERENCE 688
10.3. SHELL SCRIPTS 692
10.4. PERL SCRIPTS 719

CHAPTER 11. GUI UTILITIES 765
11.1. REDHAT-IDM-CONSOLE 765

APPENDIX A. USING THE NS-SLAPD COMMAND-LINE UTILITIES 767
A.1. OVERVIEW OF NS-SLAPD 767
A.2. FINDING AND EXECUTING THE NS-SLAPD COMMAND-LINE UTILITIES 767
A.3. UTILITIES FOR EXPORTING DATABASES: DB2LDIF 767
A.4. UTILITIES FOR RESTORING AND BACKING UP DATABASES: LDIF2DB 769
A.5. UTILITIES FOR RESTORING AND BACKING UP DATABASES: ARCHIVE2DB 771
A.6. UTILITIES FOR RESTORING AND BACKING UP DATABASES: DB2ARCHIVE 771
A.7. UTILITIES FOR CREATING AND REGENERATING INDEXES: DB2INDEX 772

APPENDIX B. TESTING SCRIPTS AVAILABLE WITH DIRECTORY SERVER 774
B.1. LDCLT (LOAD STRESS TESTS) 774
B.2. RSEARCH (SEARCH STRESS TESTS) 791

APPENDIX C. ADMINISTRATION SERVER COMMAND-LINE TOOLS 803
C.1. SEC-ACTIVATE 803
C.2. MODUTIL 803

APPENDIX D. REPLICATION AGREEMENT STATUS 818

GLOSSARY 822

INDEX 840

APPENDIX E. REVISION HISTORY 914

ABOUT THIS REFERENCE


Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory
server based on the industry-standard Lightweight Directory Access Protocol (LDAP).
Directory Server is the cornerstone for building a centralized and distributed data repository
that can be used in an intranet, over an extranet with trading partners, or over the public
Internet to reach customers.

This reference covers the server configuration and the command-line utilities. It is designed
primarily for directory administrators and experienced directory users who want to use the
command-line to access the directory. After configuring the server, use this reference to
help maintain it.

The Directory Server can also be managed through the Directory Server Console, a
graphical user interface. The Red Hat Directory Server Administration Guide describes how
to do this and explains individual administration tasks more fully.

1. DIRECTORY SERVER OVERVIEW


The major components of Directory Server include:

An LDAP server – The LDAP v3-compliant network daemon.

Directory Server Console – A graphical management console that dramatically reduces the
effort of setting up and maintaining your directory service.

SNMP agent – Can monitor the Directory Server using the Simple Network Management
Protocol (SNMP).

CHAPTER 1. INTRODUCTION
Directory Server is based on an open-systems server protocol called the Lightweight
Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed
to manage large scale directories to support an enterprise-wide directory of users and
resources, extranets, and e-commerce applications over the Internet. The Directory Server
runs as the ns-slapd process or service on the machine. The server manages the directory
databases and responds to client requests.

Most Directory Server administrative tasks can be performed through the Directory Server
Console, the graphical user interface provided with the Directory Server. For information on
the use of the Directory Server Console, see the Red Hat Directory Server Administration
Guide.

This reference deals with the other methods of managing the Directory Server by altering
the server configuration attributes using the command line and using command-line utilities
and scripts.

1.1. DIRECTORY SERVER CONFIGURATION


The format and method for storing configuration information for Directory Server and a
listing for all server attributes are found in two chapters, Chapter 3, Core Server
Configuration Reference and Chapter 4, Plug-in Implemented Server Functionality
Reference.

1.2. DIRECTORY SERVER INSTANCE FILE REFERENCE


Section 2.1, “Directory Server Instance-independent Files and Directories” has an overview
of the files and configuration information stored in each instance of Directory Server. This is
a useful reference that helps administrators understand the changes, or absence of changes,
in the course of directory activity. From a security standpoint, it also helps users detect
errors and intrusions by distinguishing normal changes from abnormal behavior.

1.3. USING DIRECTORY SERVER COMMAND-LINE UTILITIES


Directory Server comes with a set of configurable command-line utilities that can search
and modify entries in the directory and administer the server. Chapter 9, Command-Line
Utilities describes these command-line utilities and contains information on where the
utilities are stored and how to access them. In addition to these command-line utilities,
Directory Server also provides ns-slapd command-line utilities for performing directory
operations, as described in Appendix A, Using the ns-slapd Command-Line Utilities.

1.4. USING DIRECTORY SERVER COMMAND-LINE SCRIPTS


In addition to command-line utilities, several non-configurable scripts are provided with the
Directory Server that make it quick and easy to perform routine server administration tasks
from the command-line. Chapter 10, Command-Line Scripts lists the most frequently used
scripts and contains information on where the scripts are stored and how to access them.

CHAPTER 2. FILE LOCATIONS OVERVIEW


Red Hat Directory Server is compatible with the Filesystem Hierarchy Standards (FHS). For
further information on the FHS, see http://refspecs.linuxfoundation.org/fhs.shtml.

2.1. DIRECTORY SERVER INSTANCE-INDEPENDENT FILES AND DIRECTORIES

The following are the Directory Server's instance-independent default file and directory
locations:

Type                     Location

Command-line utilities   /usr/bin/
                         /usr/sbin/

Systemd unit files       /usr/lib/systemd/system/dirsrv.target
                         /etc/systemd/system/dirsrv.target.wants/

2.2. DIRECTORY SERVER INSTANCE-SPECIFIC FILES AND DIRECTORIES

To separate multiple instances running on the same host, certain files and directories
contain the name of the instance. You set the instance name during the Directory Server
setup. By default, this is the host name without domain name. For example, if your fully
qualified domain name is server.example.com, the default instance name is server.

The following are the Directory Server's instance-specific default file and directory
locations:

Type                           Location

Backup files                   /var/lib/dirsrv/slapd-instance_name/bak/

Configuration files            /etc/dirsrv/slapd-instance_name/

Certificate and key databases  /etc/dirsrv/slapd-instance_name/

Database files                 /var/lib/dirsrv/slapd-instance_name/db/

LDIF files                     /var/lib/dirsrv/slapd-instance/ldif/

Lock files                     /var/lock/dirsrv/slapd-instance_name/

Log files                      /var/log/dirsrv/slapd-instance_name/

PID file                       /var/run/dirsrv/instance_name.pid

Instance-specific scripts [a]  /usr/lib64/dirsrv/slapd-instance_name/

Systemd unit files             /etc/systemd/system/dirsrv.target.wants/dirsrv@instance_name.service

[a] Deprecated. For details, see Section 2.2.8, “Scripts”.

2.2.1. Configuration Files


Each Directory Server instance stores its configuration files in the
/etc/dirsrv/slapd-instance directory.

The configuration information for Red Hat Directory Server is stored as LDAP entries within
the directory itself. Therefore, changes to the server configuration must be implemented
through the use of the server itself rather than by simply editing configuration files. The
principal advantage of this method of configuration storage is that it allows a directory
administrator to reconfigure the server using LDAP while it is still running, thus avoiding the
need to shut the server down for most configuration changes.

2.2.1.1. Overview of the Directory Server Configuration

When the Directory Server is set up, its default configuration is stored as a series of LDAP
entries within the directory, under the subtree cn=config. When the server is started, the
contents of the cn=config subtree are read from a file (dse.ldif) in LDIF format. This
dse.ldif file contains all of the server configuration information. The latest version of this
file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and
the latest file with which the server successfully started is called dse.ldif.startOK.

Many of the features of the Directory Server are designed as discrete modules that plug
into the core server. The details of the internal configuration for each plug-in are contained
in separate entries under cn=plugins,cn=config. For example, the configuration of the
Telephone Syntax Plug-in is contained in this entry:

cn=Telephone Syntax,cn=plugins,cn=config

Similarly, database-specific configuration is stored under cn=ldbm
database,cn=plugins,cn=config for local databases and cn=chaining
database,cn=plugins,cn=config for database links.

The following diagram illustrates how the configuration data fits within the cn=config
directory information tree.

Figure 2.1. Directory Information Tree Showing Configuration Data

2.2.1.1.1. LDIF and Schema Configuration Files

The Directory Server configuration data are stored in LDIF files in the
/etc/dirsrv/slapd-instance directory. Thus, if a server identifier is phonebook, then for a
Directory Server on Red Hat Enterprise Linux 7, the configuration LDIF files are all stored
under /etc/dirsrv/slapd-phonebook.

This directory also contains other server instance-specific configuration files.

Schema configuration is also stored in LDIF format, and these files are located in the
/etc/dirsrv/schema directory.

The following table lists all of the configuration files that are supplied with the
Directory Server, including those for the schema of other compatible servers. Each file is
preceded by a number which indicates the order in which they should be loaded (in
ascending numerical and then alphabetical order).

Table 2.1. Directory Server LDIF Configuration Files

Configuration Filename    Purpose

dse.ldif
    Contains front-end Directory Specific Entries created by the directory at server
    startup. These include the Root DSE ("") and the contents of cn=config and
    cn=monitor (acis only).

00core.ldif
    Contains only those schema definitions necessary for starting the server with the
    bare minimum feature set (no user schema, no schema for any non-core features).
    The rest of the schema used by users, features, and applications is found in
    01common.ldif and the other schema files. Do not modify this file.

01common.ldif
    Contains LDAPv3 standard operational schema, such as subschemaSubentry, LDAPv3
    standard user and organization schema defined in RFC 2256 (based on
    X.520/X.521), inetOrgPerson and other widely-used attributes, and the operational
    attributes used by Directory Server configuration. Modifying this file causes
    interoperability problems. User-defined attributes should be added through the
    Directory Server Console.

05rfc2247.ldif
    Schema from RFC 2247 and related pilot schema, from "Using Domains in LDAP/X500
    Distinguished Names."

05rfc2927.ldif
    Schema from RFC 2927, "MIME Directory Profile for LDAP Schema." Contains the
    ldapSchemas operational attribute required for the attribute to show up in the
    subschema subentry.

10presence.ldif
    Legacy. Schema for instant messaging presence (online) information; the file lists
    the default object classes with the allowed attributes that must be added to a
    user's entry in order for instant-messaging presence information to be available
    for that user.

10rfc2307.ldif
    Schema from RFC 2307, "An Approach for Using LDAP as a Network Information
    Service." This may be superseded by 10rfc2307bis, the new version of rfc2307,
    when that schema becomes available.

20subscriber.ldif
    Contains new schema elements and the Nortel subscriber interoperability
    specification. Also contains the adminRole and memberOf attributes and inetAdmin
    object class, previously stored in the 50ns-delegated-admin.ldif file.

25java-object.ldif
    Schema from RFC 2713, "Schema for Representing Java® Objects in an LDAP
    Directory."

28pilot.ldif
    Contains pilot directory schema from RFC 1274, which is no longer recommended
    for new deployments. Future RFCs which succeed RFC 1274 may deprecate some or
    all of 28pilot.ldif attribute types and classes.

30ns-common.ldif
    Schema that contains object classes and attributes common to the Directory Server
    Console framework.

50ns-admin.ldif
    Schema used by Red Hat Administration Server.

50ns-certificate.ldif
    Schema for Red Hat Certificate Management System.

50ns-directory.ldif
    Contains additional configuration schema used by Directory Server 4.12 and earlier
    versions of the directory, which is no longer applicable to current releases of
    Directory Server. This schema is required for replicating between Directory Server
    4.12 and current releases.

50ns-mail.ldif
    Schema used by Netscape Messaging Server to define mail users and mail groups.

50ns-value.ldif
    Schema for servers' value item attributes.

50ns-web.ldif
    Schema for Netscape Web Server.

60pam-plugin.ldif
    Reserved for future use.

99user.ldif
    User-defined schema maintained by Directory Server replication consumers which
    contains the attributes and object classes from the suppliers.

2.2.1.1.2. How the Server Configuration Is Organized

The dse.ldif file contains all configuration information including directory-specific entries
created by the directory at server startup, such as entries related to the database. The file
includes the root Directory Server entry (or DSE, named by "") and the contents of
cn=config and cn=monitor.

When the server generates the dse.ldif file, it lists the entries in hierarchical order in the
order that the entries appear in the directory under cn=config, which is usually the same
order in which an LDAP search of subtree scope for base cn=config returns the entries.

dse.ldif also contains the cn=monitor entry, which is mostly read-only, but can have ACIs
set on it.

NOTE

The dse.ldif file does not contain every attribute in cn=config. If the
attribute has not been set by the administrator and has a default value, the
server will not write it to dse.ldif. To see every attribute in cn=config, use
ldapsearch.

2.2.1.1.2.1. Configuration Attributes

Within a configuration entry, each attribute is represented as an attribute name. The value
of the attribute corresponds to the attribute's configuration.

The following code sample is an example of part of the dse.ldif file for a Directory Server.
The example shows, among other things, that schema checking has been enabled; this is
represented by the attribute nsslapd-schemacheck, which takes the value on.

dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-localhost: phonebook.example.com
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: dirsrv
...

2.2.1.1.2.2. Configuration of Plug-in Functionality

The configuration for each part of Directory Server plug-in functionality has its own
separate entry and set of attributes under the subtree cn=plugins,cn=config. The
following code sample is an example of the configuration entry for an example plug-in, the
Telephone Syntax plug-in.

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

Some of these attributes are common to all plug-ins, and some may be particular to a
specific plug-in. Check which attributes are currently being used by a given plug-in by
performing an ldapsearch on the cn=config subtree.

For a list of plug-ins supported by Directory Server, general plug-in configuration
information, the plug-in configuration attribute reference, and a list of plug-ins requiring
restart for configuration changes, see Chapter 4, Plug-in Implemented Server Functionality
Reference.

2.2.1.1.2.3. Configuration of Databases

The o=NetscapeRoot and cn=UserRoot subtrees under the database plug-in entry contain
configuration data for the databases containing the o=NetscapeRoot suffix and the default
suffix created during setup, such as dc=example,dc=com.

These entries and their children have many attributes used to configure different database
settings, like the cache sizes, the paths to the index files and transaction logs, entries and
attributes for monitoring and statistics; and database indexes.

2.2.1.1.2.4. Configuration of Indexes

Configuration information for indexing is stored as entries in the Directory Server under the
following information-tree nodes:

cn=index,o=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config

cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config

cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

For more information about indexes in general, see the Red Hat Directory Server
Administration Guide. For information about the index configuration attributes, see
Section 4.4.1, “Database Attributes under cn=config,cn=ldbm
database,cn=plugins,cn=config”.

2.2.1.2. Accessing and Modifying Server Configuration

This section discusses access control for configuration entries and describes the various
ways in which the server configuration can be viewed and modified. It also covers
restrictions to the kinds of modification that can be made and discusses attributes that
require the server to be restarted for changes to take effect.

2.2.1.2.1. Access Control for Configuration Entries

When the Directory Server is installed, a default set of access control instructions (ACIs) is
implemented for all entries under cn=config. The following code sample is an example of
these default ACIs.

aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) groupdn = "ldap:///ou=Directory Administrators,dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) groupdn = "ldap:///cn=slapd-phonebook,cn=Red Hat Directory Server,cn=Server Group,cn=phonebook.example.com,dc=example,dc=com,o=NetscapeRoot";)

These default ACIs allow all LDAP operations to be carried out on all configuration attributes
by the following users:

Members of the Configuration Administrators group.

The user acting as the administrator, the admin account that was configured at
setup. By default, this is the same user account which is logged into the Console.

Members of the local Directory Administrators group.

The SIE (Server Instance Entry) group, usually assigned using the Set Access
Permissions process in the main console.

For more information on access control, see the Red Hat Directory Server
Administration Guide.
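The default ACIs above are the entries that decide who may reconfigure the server, so an administrator reviewing a dse.ldif usually wants a list of every bind rule that receives all rights on all of cn=config, and a flag on any such grant made to an anonymous or catch-all identity. The following Python script is an added example, not code from Red Hat or from the Directory Server documentation. It reads ACI values of the form shown above with regular expressions (a simplified reading of the ACI syntax that covers the elements used here, not the server's full grammar), lists every identity granted allow (all) on targetattr "*", and reports any of those grants whose bind rule is ldap:///anyone (anonymous) or ldap:///all (any authenticated user). The four default ACIs are copied from this section; the fifth ACI, its name and its bind rule are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four default cn=config ACIs from this section, plus one
# deliberately over-permissive ACI (the last one) so the audit has something to
# flag. Each string is an ACI value as it would follow "aci: " in dse.ldif.
SAMPLE_ACIS = [
    '(targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) '
    'groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)',
    '(targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) '
    'userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)',
    '(targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) '
    'groupdn = "ldap:///ou=Directory Administrators,dc=example,dc=com";)',
    '(targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) '
    'groupdn = "ldap:///cn=slapd-phonebook,cn=Red Hat Directory Server,cn=Server Group,'
    'cn=phonebook.example.com,dc=example,dc=com,o=NetscapeRoot";)',
    # Constructed: grants every right on every attribute to unauthenticated binds.
    '(targetattr = "*")(version 3.0; acl "Constructed: too open"; allow (all) userdn = "ldap:///anyone";)',
]

# ldap:///anyone matches anonymous binds, ldap:///all every authenticated user.
CATCH_ALL_SUBJECTS = {"ldap:///anyone", "ldap:///all"}


@dataclass
class Aci:
    name: str
    targetattr: str
    effect: str        # "allow" or "deny"
    rights: list       # e.g. ["all"] or ["read", "search"]
    bind_rules: list   # (keyword, operator, value) triples, e.g. ("groupdn", "=", "ldap:///...")


TARGET_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')
ACL_RE = re.compile(r'\bacl\s+"([^"]*)"\s*;')
PERM_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')
BIND_RE = re.compile(r'\b(userdn|groupdn|roledn|userattr|authmethod|ip|dns)\s*(!?=)\s*"([^"]*)"')


def parse_aci(text: str) -> Aci:
    """Split one ACI value into its target attribute, name, rights and bind rules."""
    target = TARGET_RE.search(text)
    acl = ACL_RE.search(text)
    perm = PERM_RE.search(text)
    if acl is None or perm is None:
        raise ValueError("not a recognisable ACI: %r" % text[:60])
    rights = [r.strip().lower() for r in perm.group(2).split(",") if r.strip()]
    # Bind rules follow the permission clause; collect every keyword = "value" pair.
    binds = [(kw, op, val) for kw, op, val in BIND_RE.findall(text[perm.end():])]
    return Aci(name=acl.group(1), targetattr=target.group(2) if target else "*",
               effect=perm.group(1), rights=rights, bind_rules=binds)


def full_control_grants(acis):
    """Return (acl name, bind keyword, subject) for every ACI that allows all rights
    on every attribute, i.e. every identity able to reconfigure the server."""
    grants = []
    for aci in acis:
        if aci.effect == "allow" and "all" in aci.rights and aci.targetattr == "*":
            grants.extend((aci.name, kw, val) for kw, op, val in aci.bind_rules if op == "=")
    return grants


def risky_grants(acis):
    """Flag allow-all ACIs whose subject is anonymous or every authenticated user."""
    return [(name, subject) for name, _, subject in full_control_grants(acis)
            if subject.lower() in CATCH_ALL_SUBJECTS]


if __name__ == "__main__":
    parsed = [parse_aci(value) for value in SAMPLE_ACIS]
    for name, keyword, subject in full_control_grants(parsed):
        print(f"{name!r}: {keyword} {subject}")
    for name, subject in risky_grants(parsed):
        print(f"WARNING: {name!r} grants all rights on cn=config to {subject}")
```

Run against a real instance, the aci values would be read out of the cn=config entries returned by the ldapsearch shown later in this chapter, one parse_aci call per value; the regular expressions here deliberately ignore ACI features this section does not use, so an ACI they cannot read raises ValueError rather than being silently skipped.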

2.2.1.2.2. Changing Configuration Attributes

Server attributes can be viewed and changed in one of three ways: through the
Directory Server Console, by performing ldapsearch and ldapmodify commands, or by
manually editing the dse.ldif file.

NOTE

Before editing the dse.ldif file, the server must be stopped; otherwise, the
changes are lost. Editing the dse.ldif file is recommended only for changes
to attributes which cannot be altered dynamically. See Section 2.2.1.2.2.3,
“Configuration Changes Requiring Server Restart” for further information.

The following sections describe how to modify entries using LDAP (both by using
Directory Server Console and by using the command line), the restrictions that apply to
modifying entries, the restrictions that apply to modifying attributes, and the configuration
changes requiring restart.

2.2.1.2.2.1. Modifying Configuration Entries Using LDAP

The configuration entries in the directory can be searched and modified using LDAP either
using the Directory Server Console or by performing ldapsearch and ldapmodify
operations in the same way as other directory entries. The advantage of using LDAP to
modify entries is changes can be made while the server is running.

For further information, see the "Creating Directory Entries" chapter in the Red Hat
Directory Server Administration Guide. However, certain changes do require the server to
be restarted before they are taken into account. See Section 2.2.1.2.2.3, “Configuration
Changes Requiring Server Restart” for further information.

NOTE

As with any set of configuration files, care should be taken when changing or
deleting nodes in the cn=config subtree as this risks affecting
Directory Server functionality.

The entire configuration, including attributes that always take default values, can be
viewed by performing an ldapsearch operation on the cn=config subtree:

# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)"

The value of -D is the bind DN chosen for the Directory Manager when the server was
installed (cn=Directory Manager by default), and -W makes ldapsearch prompt for the
password chosen for the Directory Manager.

To disable a plug-in, use ldapmodify to edit the nsslapd-pluginEnabled attribute:

# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off

2.2.1.2.2.2. Restrictions to Modifying Configuration Entries and Attributes

Certain restrictions apply when modifying server entries and attributes:

The cn=monitor entry and its child entries are read-only and cannot be modified,
except to manage ACIs.

If an attribute is added to cn=config, the server ignores it.

If an invalid value is entered for an attribute, the server ignores it.

Because ldapdelete is used for deleting an entire entry, use ldapmodify to remove
an attribute from an entry.

2.2.1.2.2.3. Configuration Changes Requiring Server Restart

Some configuration attributes cannot be altered while the server is running. In these cases,
for the changes to take effect, the server needs to be shut down and restarted. The
modifications should be made either through the Directory Server Console or by manually
editing the dse.ldif file. Some of the attributes that require a server restart for any
changes to take effect are listed below. This list is not exhaustive; to see a complete list,
run ldapsearch and search for the nsslapd-requiresrestart attribute. For example:

# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)" | grep nsslapd-requiresrestart

nsslapd-cachesize
nsslapd-certdir
nsslapd-dbcachesize
nsslapd-dbncache
nsslapd-plugin
nsslapd-changelogdir
nsslapd-changelogmaxage
nsslapd-changelogmaxentries
nsslapd-port
nsslapd-schemadir
nsslapd-saslpath
nsslapd-secureport
nsslapd-tmpdir
nsSSL2
nsSSL3
nsSSLclientauth
nsSSLSessionTimeout
nsslapd-conntablesize
nsslapd-lockdir
nsslapd-maxdescriptors
nsslapd-reservedescriptors
nsslapd-listenhost
nsslapd-schema-ignore-trailing-spaces
nsslapd-securelistenhost
nsslapd-workingdir
nsslapd-return-exact-case
nsslapd-maxbersize [a]

[a] Although this attribute requires a restart, it is not returned in the search.

2.2.1.2.2.4. Deleting Configuration Attributes

All core configuration attributes are present, even if they are not written in the
/etc/dirsrv/slapd-instance-name/dse.ldif file, because they all have default values
used by the server.

For details about deleting core configuration attributes and a list of attributes that cannot
be deleted, see the corresponding section in the Red Hat Directory Server
Administration Guide.

2.2.2. Database Files


Each Directory Server instance contains the /var/lib/dirsrv/slapd-instance/db
directory for storing all of the database files. The following is a sample listing of the
/var/lib/dirsrv/slapd-instance/db directory contents.

Example 2.1. Database Directory Contents

__db.001  __db.002  __db.003  __db.004  __db.005  DBVERSION  log.0000000007  NetscapeRoot/  userRoot/

db.00x files — Used internally by the database and should not be moved, deleted,
or modified in any way.

log.xxxxxxxxxx files — Used to store the transaction logs per database.

DBVERSION — Used for storing the version of the database.

NetscapeRoot — Stores the o=NetscapeRoot database created by default when the
setup-ds-admin.pl script is run.

userRoot — Stores the user-defined suffix (user-defined databases) created at
setup; for example, dc=example,dc=com.

NOTE

If a new database is created (for example, testRoot) to store the directory
tree under a new suffix, the directory named testRoot also appears in the
/var/lib/dirsrv/slapd-instance/db directory.

The following is a sample listing of the NetscapeRoot directory contents.

Example 2.2. NetscapeRoot Database Directory Contents

./ entrydn.db* parentid.db*
../ givenName.db* sn.db*
DBVERSION* id2entry.db* uid.db*
aci.db* nsUniqueId.db* uniquemember.db*
ancestorid.db* numsubordinates.db*
cn.db* objectclass.db*

The NetscapeRoot subdirectories contain an index_name.db file for every index currently
defined in the database. In addition to these files, the NetscapeRoot and userRoot
subdirectories contain the following files:

ancestorid.db — Contains a list of IDs to find the ID of the entry's ancestor.

entrydn.db — Contains a list of full DNs to find any ID.

id2entry.db — Contains the actual directory database entries. All other database
files can be recreated from this one, if necessary.

nsuniqueid.db — Contains a list of unique IDs to find any ID.

numsubordinates.db — Contains IDs that have child entries.

objectclass.db — Contains a list of IDs which have a particular object class.

parentid.db — Contains a list of IDs to find the ID of the parent.

2.2.3. LDIF Files


Sample LDIF files are stored in the /var/lib/dirsrv/slapd-instance/ldif directory for
storing LDIF-related files. Example 2.3, “LDIF Directory Contents” lists the /ldif directory
contents.

Example 2.3. LDIF Directory Contents

European.ldif
Example.ldif
Example-roles.ldif
Example-views.ldif

European.ldif — Contains European character samples.

Example.ldif — Is a sample LDIF file.

Example-roles.ldif — Is a sample LDIF file similar to Example.ldif, except that it
uses roles and class of service instead of groups for setting access control and
resource limits for directory administrators.

NOTE

The LDIF files exported by db2ldif or db2ldif.pl scripts in the instance
directory are stored in /var/lib/dirsrv/slapd-instance/ldif.

2.2.4. Lock Files


Each Directory Server instance contains a /var/lock/dirsrv/slapd-instance directory
for storing lock-related files. The following is a sample listing of the locks directory
contents.

Example 2.4. Lock Directory Contents

exports/ imports/ server/

The lock mechanisms control how many copies of the Directory Server process can be
running at once. For example, if there is an import job, then a lock is placed in the imports/
directory to prevent any other ns-slapd (normal), ldif2db (another import), or db2ldif
(export) operations from running. If the server is running as normal, there is a lock in the
server/ directory, which prevents import operations (but not export operations), while if
there is an export operation, the lock in the exports/ directory allows normal server
operations but prevents import operations.

The number of available locks can affect overall Directory Server performance. The number
of locks is set in the nsslapd-db-locks attribute. Tuning that attribute value is described in
the Performance Tuning Guide.

2.2.5. Log Files


Each Directory Server instance contains a /var/log/dirsrv/slapd-instance directory for
storing log files. The following is a sample listing of the /logs directory contents.

Example 2.5. Log Directory Contents

access                  access.20190228-171925  errors
access.20190221-162824  access.rotationinfo     errors.20190221-162824
access.20190223-171949  audit                   errors.rotationinfo
access.20190227-171818  audit.rotationinfo      slapd.stats

The content of the access, audit, and error log files is dependent on the log
configuration.

The slapd.stats file is a memory-mapped file which cannot be read by an editor. It
contains data collected by the Directory Server SNMP data collection component.
This data is read by the SNMP subagent in response to SNMP attribute queries and is
communicated to the SNMP master agent responsible for handling Directory Server
SNMP requests.

Chapter 7, Log File Reference contains a solid overview of the access, error, and audit log
file formats and the information in them.

2.2.6. PID Files


slapd-serverID.pid and slapd-serverID.startpid files are created in the
/var/run/dirsrv directory when the server is up and running. Both files store the server's
process ID.

2.2.7. Tools
Directory Server tools are stored in these directories on Red Hat Enterprise Linux 7:

/usr/bin

/usr/sbin

The contents of those directories are listed below. Chapter 9, Command-Line Utilities has
more information on command-line scripts.

Example 2.6. /bin Contents

dbscan ldif
dbscan-bin ldif-bin

Example 2.7. /sbin Contents

ds_removal     migrate-ds-admin.pl   remove-ds.pl         setup-ds-admin.pl
ds_unregister  register-ds-admin.pl  remove-ds-admin.pl   setup-ds.pl

2.2.8. Scripts
On Red Hat Enterprise Linux 7.3 and later, the command-line scripts Directory Server uses
are stored in the /usr/sbin/ directory. Use the -Z instance_name option with the
commands in order to set the instance the script should be executed on.

NOTE

The /usr/lib64/dirsrv/slapd-instance/ directory previously used for
command-line scripts is deprecated. However, until the instance-specific
scripts are removed in a future Directory Server release, existing scripts in this
directory are updated when running the setup-ds.pl --update command.

For further details and a list of scripts, see Chapter 10, Command-Line Scripts.

2.2.9. Backup Files


Each Directory Server instance contains the following directory and file for storing backup-
related files:

/var/lib/dirsrv/slapd-instance/bak — This contains a directory dated with the
instance, time and date of the database backup, such as
instance-2019_05_02_16_56_05/, which in turn holds the database backup copy.

/etc/dirsrv/slapd-instance/dse_original.ldif — This is a backup copy of the
dse.ldif configuration file from the time of installation.

2.3. ADMINISTRATION SERVER FILES AND DIRECTORIES


The following are the Administration Server's default file and directory locations:

Type                            Location

Log files                       /var/log/dirsrv/admin-serv/

Configuration files             /etc/dirsrv/admin-serv/

Certificate and key databases   /etc/dirsrv/admin-serv/

Runtime files                   /var/run/dirsrv/admin-serv.*

Systemd unit file               /etc/systemd/system/multi-user.target.wants/dirsrv-admin.service

Command-line utilities          /usr/bin/
                                /usr/sbin/

CHAPTER 3. CORE SERVER CONFIGURATION REFERENCE
The chapter provides an alphabetical reference for all core (server-related) attributes.
Section 2.2.1.1, “Overview of the Directory Server Configuration” contains a good overview
of the Red Hat Directory Server configuration files.

3.1. CORE SERVER CONFIGURATION ATTRIBUTES REFERENCE
This section contains reference information on the configuration attributes that are relevant
to the core server functionality. For information on changing server configuration, see
Section 2.2.1.2, “Accessing and Modifying Server Configuration”. For a list of server
features that are implemented as plug-ins, see Section 4.1, “Server Plug-in Functionality
Reference”. For help with implementing custom server functionality, contact
Directory Server support.

The configuration information stored in the dse.ldif file is organized as an information tree
under the general configuration entry cn=config, as shown in the following diagram.

Figure 3.1. Directory Information Tree Showing Configuration Data

Most of these configuration tree nodes are covered in the following sections.

The cn=plugins node is covered in Chapter 4, Plug-in Implemented Server Functionality
Reference. The description of each attribute contains details such as the DN of its directory
entry, its default value, the valid range of values, and an example of its use.

NOTE

Some of the entries and attributes described in this chapter may change in
future releases of the product.

3.1.1. cn=config
General configuration entries are stored in the cn=config entry. The cn=config entry is an
instance of the nsslapdConfig object class, which in turn inherits from the extensibleObject
object class.

3.1.1.1. nsslapd-accesslog (Access Log)

This attribute specifies the path and filename of the log used to record each LDAP access.
The following information is recorded by default in the log file:

IP address (IPv4 or IPv6) of the client machine that accessed the database.

Operations performed (for example, search, add, and modify).

Result of the access (for example, the number of entries returned or an error code).

For more information on turning access logging off, see the "Monitoring Server and
Database Activity" chapter in the Red Hat Directory Server Administration Guide.

For access logging to be enabled, this attribute must have a valid path and parameter, and
the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on.
The table lists the four possible combinations of values for these two configuration
attributes and their outcome in terms of disabling or enabling of access logging.

Table 3.1. dse.ldif File Attributes

Attribute                           Value          Logging enabled or disabled

nsslapd-accesslog-logging-enabled   on             Disabled
nsslapd-accesslog                   empty string

nsslapd-accesslog-logging-enabled   on             Enabled
nsslapd-accesslog                   filename

nsslapd-accesslog-logging-enabled   off            Disabled
nsslapd-accesslog                   empty string

nsslapd-accesslog-logging-enabled   off            Disabled
nsslapd-accesslog                   filename

Parameter Description

Entry DN cn=config

Valid Values Any valid filename.

Default Value /var/log/dirsrv/slapd-instance/access

Syntax DirectoryString

Example nsslapd-accesslog:
/var/log/dirsrv/slapd-instance/access

3.1.1.2. nsslapd-accesslog-level (Access Log Level)

This attribute controls what is logged to the access log.

Parameter Description

Entry DN cn=config

Valid Values
0 - No access logging

4 - Logging for internal access operations

256 - Logging for connections, operations, and results

512 - Logging for access to an entry and referrals

131072 - Provides microsecond operation timing

These values can be added together to provide the exact type of logging
required; for example, 516 (4 + 512) to obtain internal access operation,
entry access, and referral logging.

Default Value 256

Syntax Integer

Example nsslapd-accesslog-level: 256

3.1.1.3. nsslapd-accesslog-list (List of Access Log Files)

This read-only attribute, which cannot be set, provides a list of access log files used in
access log rotation.

Parameter Description

Entry DN cn=config

Valid Values

Default Value None

Syntax DirectoryString

Example nsslapd-accesslog-list: accesslog2,accesslog3

3.1.1.4. nsslapd-accesslog-logbuffering (Log Buffering)

When set to off, the server writes all access log entries directly to disk. Buffering allows
the server to use access logging even when under a heavy load without impacting
performance. However, when debugging, it is sometimes useful to disable buffering in
order to see the operations and their results right away instead of having to wait for the log
entries to be flushed to the file. Disabling log buffering can severely impact performance in
heavily loaded servers.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-accesslog-logbuffering: off

3.1.1.5. nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)

This attribute specifies the maximum age that a log file is allowed to reach before it is
deleted. This attribute supplies only the number of units. The units are provided by the
nsslapd-accesslog-logexpirationtimeunit attribute.

Parameter Description

Entry DN cn=config

Valid Range -1 to the maximum 32 bit integer value (2147483647)

A value of -1 or 0 means that the log never expires.

Default Value -1

Syntax Integer

Example nsslapd-accesslog-logexpirationtime: 2

3.1.1.6. nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)

This attribute specifies the units for the nsslapd-accesslog-logexpirationtime attribute. If
the unit is unknown by the server, then the log never expires.

Parameter Description

Entry DN cn=config

Valid Values month | week | day

Default Value month

Syntax DirectoryString

Example nsslapd-accesslog-logexpirationtimeunit: week

3.1.1.7. nsslapd-accesslog-logging-enabled (Access Log Enable Logging)

Disables and enables access logging, but only in conjunction with the
nsslapd-accesslog attribute that specifies the path and parameter of the log used to record
each database access.

For access logging to be enabled, this attribute must be switched to on, and the
nsslapd-accesslog configuration attribute must have a valid path and parameter. The table
lists the four possible combinations of values for these two configuration attributes and
their outcome in terms of disabling or enabling of access logging.

Table 3.2. dse.ldif Attributes

Attribute                           Value          Logging Enabled or Disabled

nsslapd-accesslog-logging-enabled   on             Disabled
nsslapd-accesslog                   empty string

nsslapd-accesslog-logging-enabled   on             Enabled
nsslapd-accesslog                   filename

nsslapd-accesslog-logging-enabled   off            Disabled
nsslapd-accesslog                   empty string

nsslapd-accesslog-logging-enabled   off            Disabled
nsslapd-accesslog                   filename

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-accesslog-logging-enabled: off
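
The four-row tables in Sections 3.1.1.1 and 3.1.1.7 and the additive flag values of
nsslapd-accesslog-level (Section 3.1.1.2) are easy to misread when checking a server by
hand. The following Python script is an added example written for this reference; it is not
code from the Red Hat manual or from the Directory Server project. It parses a constructed
dse.ldif fragment (including an LDIF continuation line, which dse.ldif uses for long values),
applies the rule that logging is effective only when the enabled switch is on and the path is
non-empty, and splits a level value into the documented flags while reporting any bits that
match no documented value. The same rule is applied to the audit log switch, which the later
sections describe identically. The sample entry, its attribute values and the function names
are the example's own.

```python
"""Added example (not from the Red Hat manual or the Directory Server code):
read the cn=config entry from a dse.ldif fragment and evaluate the access
logging rules documented in sections 3.1.1.1, 3.1.1.2 and 3.1.1.7."""
import json

# Flag values documented for nsslapd-accesslog-level (section 3.1.1.2),
# in the order the reference lists them.
ACCESSLOG_LEVEL_FLAGS = {
    4: "internal access operations",
    256: "connections, operations, and results",
    512: "access to an entry and referrals",
    131072: "microsecond operation timing",
}

# Constructed sample, not a real dse.ldif: only the attributes used by the
# checks are present. The folded "acce" / " ss" lines exercise LDIF
# continuation handling.
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
cn: config
nsslapd-accesslog: /var/log/dirsrv/slapd-instance/acce
 ss
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-level: 516
nsslapd-auditlog: /var/log/dirsrv/slapd-instance/audit
nsslapd-auditlog-logging-enabled: off

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectClass: top
nsslapd-pluginEnabled: on
"""


def parse_ldif(text):
    """Return {dn_lower: {attr_lower: [values]}} for a plain LDIF text.

    A line starting with a space continues the previous line (LDIF folding).
    Base64 (::) and URL (:<) values are not decoded; cn=config checks here
    do not need them."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
            continue
        if current is None:
            raise ValueError("attribute line outside an entry: %r" % line)
        current.setdefault(attr, []).append(value)
    return entries


def log_effective(config, prefix):
    """Tables 3.1 / 3.2 as code: logging happens only when the
    nsslapd-<prefix>-logging-enabled switch is on AND nsslapd-<prefix>
    names a file (non-empty). Every other combination is "Disabled"."""
    switch = config.get("nsslapd-%s-logging-enabled" % prefix, ["off"])[0]
    path = config.get("nsslapd-%s" % prefix, [""])[0]
    return switch.lower() == "on" and path != ""


def decode_accesslog_level(level):
    """Split an nsslapd-accesslog-level value into the documented flags.

    Returns (flag_names, unknown_bits). Unknown bits are reported rather
    than ignored so that a typo such as 515 instead of 516 is visible."""
    level = int(level)
    if level < 0:
        raise ValueError("nsslapd-accesslog-level must not be negative")
    names = [name for bit, name in ACCESSLOG_LEVEL_FLAGS.items() if level & bit]
    known_bits = sum(ACCESSLOG_LEVEL_FLAGS)
    return names, level & ~known_bits


def audit_logging(ldif_text):
    """Summarise the logging state of the cn=config entry in ldif_text."""
    config = parse_ldif(ldif_text)["cn=config"]
    # 256 is the documented default when the attribute is absent.
    level = config.get("nsslapd-accesslog-level", ["256"])[0]
    names, unknown = decode_accesslog_level(level)
    return {
        "access_logging": log_effective(config, "accesslog"),
        "audit_logging": log_effective(config, "auditlog"),
        "accesslog_level_flags": names,
        "accesslog_level_unknown_bits": unknown,
    }


if __name__ == "__main__":
    print(json.dumps(audit_logging(SAMPLE_DSE_LDIF), indent=2))
```

Run it as a script to print the summary for the embedded sample, or import it and pass the
LDIF output of an ldapsearch of cn=config to audit_logging().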

3.1.1.8. nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)

This attribute specifies the maximum amount of disk space in megabytes that the access
logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.

When setting a maximum disk space, consider the total number of log files that can be
created due to log file rotation. Also, remember that there are three different log files
(access log, audit log, and error log) maintained by the Directory Server, each of which
consumes disk space. Compare these considerations to the total amount of disk space for
the access log.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means that the disk space allowed to the access log is unlimited in size.

Default Value -1

Syntax Integer

Example nsslapd-accesslog-logmaxdiskspace: 100000

3.1.1.9. nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)

This attribute sets the minimum allowed free disk space in megabytes. When the amount of
free disk space falls below the value specified on this attribute, the oldest access logs are
deleted until enough disk space is freed to satisfy this attribute.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647)

Default Value -1

Syntax Integer

Example nsslapd-accesslog-logminfreediskspace: -1

3.1.1.10. nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)

This attribute sets whether access log rotation is to be synchronized with a particular time
of the day. Synchronizing log rotation this way can generate log files at a specified time
during a day, such as midnight to midnight every day. This makes analysis of the log files
much easier because they then map directly to the calendar.

For access log rotation to be synchronized with time-of-day, this attribute must be enabled
with the nsslapd-accesslog-logrotationsynchour and
nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day
for rotating log files.

For example, to rotate access log files every day at midnight, enable this attribute by
setting its value to on, and then set the values of the nsslapd-accesslog-logrotationsynchour
and nsslapd-accesslog-logrotationsyncmin attributes to 0.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-accesslog-logrotationsync-enabled: on

3.1.1.11. nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)

This attribute sets the hour of the day for rotating access logs. This attribute must be used
in conjunction with the nsslapd-accesslog-logrotationsync-enabled and
nsslapd-accesslog-logrotationsyncmin attributes.

Parameter Description

Entry DN cn=config

Valid Range 0 through 23

Default Value 0

Syntax Integer

Example nsslapd-accesslog-logrotationsynchour: 23

3.1.1.12. nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)

This attribute sets the minute of the day for rotating access logs. This attribute must be
used in conjunction with the nsslapd-accesslog-logrotationsync-enabled and
nsslapd-accesslog-logrotationsynchour attributes.

Parameter Description

Entry DN cn=config

Valid Range 0 through 59

Default Value 0

Syntax Integer

Example nsslapd-accesslog-logrotationsyncmin: 30

3.1.1.13. nsslapd-accesslog-logrotationtime (Access Log Rotation Time)

This attribute sets the time between access log file rotations. The access log is rotated
when this time interval is up, regardless of the current size of the access log. This attribute
supplies only the number of units. The units (day, week, month, and so forth) are given by
the nsslapd-accesslog-logrotationtimeunit attribute.

Although it is not recommended for performance reasons to specify no log rotation since
the log grows indefinitely, there are two ways of specifying this. Either set the
nsslapd-accesslog-maxlogsperdir attribute value to 1 or set the
nsslapd-accesslog-logrotationtime attribute to -1. The server checks the
nsslapd-accesslog-maxlogsperdir attribute first, and, if this attribute value is larger than 1,
the server then checks the nsslapd-accesslog-logrotationtime attribute. See Section 3.1.1.16,
“nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)” for more
information.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means that the time between access log file rotation is unlimited.

Default Value 1

Syntax Integer

Example nsslapd-accesslog-logrotationtime: 100

3.1.1.14. nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)

This attribute sets the units for the nsslapd-accesslog-logrotationtime attribute.

Parameter Description

Entry DN cn=config

Valid Values month | week | day | hour | minute

Default Value day

Syntax DirectoryString

Example nsslapd-accesslog-logrotationtimeunit: week

3.1.1.15. nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)

This attribute sets the maximum access log size in megabytes. When this value is reached,
the access log is rotated. That means the server starts writing log information to a new log
file. If the nsslapd-accesslog-maxlogsperdir attribute is set to 1, the server ignores this
attribute.

When setting a maximum log size, consider the total number of log files that can be
created due to log file rotation. Also, remember that there are three different log files
(access log, audit log, and error log) maintained by the Directory Server, each of which
consumes disk space. Compare these considerations to the total amount of disk space for
the access log.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means the log file is unlimited in size.

Default Value 100

Syntax Integer

Example nsslapd-accesslog-maxlogsize: 100

3.1.1.16. nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)

This attribute sets the total number of access logs that can be contained in the directory
where the access log is stored. Each time the access log is rotated, a new log file is created.
When the number of files contained in the access log directory exceeds the value stored in
this attribute, then the oldest version of the log file is deleted. For performance reasons,
Red Hat recommends not setting this value to 1 because the server does not rotate the log,
and it grows indefinitely.

If the value for this attribute is higher than 1, then check the
nsslapd-accesslog-logrotationtime attribute to establish whether log rotation is specified.
If the nsslapd-accesslog-logrotationtime attribute has a value of -1, then there is no log
rotation. See Section 3.1.1.13, “nsslapd-accesslog-logrotationtime (Access Log Rotation
Time)” for more information.

Parameter Description

Entry DN cn=config

Valid Range 1 to the maximum 32 bit integer value (2147483647)

Default Value 10

Syntax Integer

Example nsslapd-accesslog-maxlogsperdir: 10

3.1.1.17. nsslapd-accesslog-mode (Access Log File Permission)

This attribute sets the access mode or file permission with which access log files are to be
created. The valid values are any combination of 000 to 777 (these mirror the numbered or
absolute UNIX file permissions). The value must be a 3-digit number, the digits varying from
0 through 7:

0 - None

1 - Execute only

2 - Write only

3 - Write and execute

4 - Read only

5 - Read and execute

6 - Read and write

7 - Read, write, and execute

In the 3-digit number, the first digit represents the owner's permissions, the second digit
represents the group's permissions, and the third digit represents everyone's permissions.
When changing the default value, remember that 000 does not allow access to the logs and
that allowing write permissions to everyone can result in the logs being overwritten or
deleted by anyone.

The newly configured access mode only affects new logs that are created; the mode is set
when the log rotates to a new file.

Parameter Description

Entry DN cn=config

Valid Range 000 through 777

Default Value 600

Syntax Integer

Example nsslapd-accesslog-mode: 600

3.1.1.18. nsslapd-allow-anonymous-access

If a user attempts to connect to the Directory Server without supplying any bind DN or
password, this is an anonymous bind. Anonymous binds simplify common search and read
operations, like checking the directory for a phone number or email address, by not
requiring users to authenticate to the directory first.

However, there are risks with anonymous binds. Adequate ACIs must be in place to restrict
access to sensitive information and to disallow actions like modifies and deletes.
Additionally, anonymous binds can be used for denial of service attacks or for malicious
people to gain access to the server.

Anonymous binds can be disabled to increase security (off). By default, anonymous binds
are allowed (on) for search and read operations. This allows access to regular directory
entries, which includes user and group entries as well as configuration entries like the root
DSE. A third option, rootdse, allows anonymous search and read access to search the root
DSE itself, but restricts access to all other directory entries.

Optionally, resource limits can be placed on anonymous binds using the
nsslapd-anonlimitsdn attribute as described in Section 3.1.1.22, “nsslapd-anonlimitsdn”.

Changes to this value will not take effect until the server is restarted.

Parameter Description

Entry DN cn=config

Valid Values on | off | rootdse

Default Value on

Syntax DirectoryString

Example nsslapd-allow-anonymous-access: on

3.1.1.19. nsslapd-allow-hashed-passwords

This parameter disables the pre-hashed password checks. By default, the Directory Server
does not allow pre-hashed passwords to be set by anyone other than the Directory
Manager. You can delegate this privilege to other users when you add them to the
Password Administrators group. However in some scenarios, like when the replication
partner already controls the pre-hashed passwords checking, this feature has to be
disabled on the Directory Server.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-allow-hashed-passwords: off

3.1.1.20. nsslapd-allow-unauthenticated-binds

Unauthenticated binds are connections to Directory Server where a user supplies an empty
password. Using the default settings, Directory Server denies access in this scenario for
security reasons.


WARNING

Red Hat recommends not enabling unauthenticated binds. This
authentication method enables users to bind without supplying a
password as any account, including the Directory Manager. After the
bind, the user can access all data with the permissions of the account
used to bind.

You do not have to restart the server for this setting to take effect.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-allow-unauthenticated-binds: off
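
As an added example, not part of the Red Hat manual or the Directory Server project, the
following Python checks apply the guidance of Sections 3.1.1.17 (log file mode), 3.1.1.18
(anonymous access), 3.1.1.19 (pre-hashed passwords) and 3.1.1.20 (unauthenticated binds)
to a plain dictionary of cn=config attribute values, as one would collect them from dse.ldif
or from an ldapsearch of cn=config. The mode parser enforces the three-digit, 0 through 7
format those sections describe and flags the world-writable case the text warns about; the
additional group-writable and world-readable notes are the editor's own. Both sample
configurations and the function names are constructed for the example.

```python
"""Added example (not from the Red Hat manual or the Directory Server code):
hardening checks for the bind and log-permission attributes of cn=config
described in sections 3.1.1.17 to 3.1.1.20."""


def parse_log_mode(mode):
    """Validate a 3-digit file mode (000-777) and return (owner, group, other).

    Each digit follows the page's table: 4 = read, 2 = write, 1 = execute."""
    if not (isinstance(mode, str) and len(mode) == 3 and mode.isdigit()):
        raise ValueError("mode must be exactly three digits (000-777): %r" % (mode,))
    digits = tuple(int(c) for c in mode)
    if any(d > 7 for d in digits):
        raise ValueError("each digit must be 0 through 7: %r" % (mode,))
    return digits


def check_log_mode(mode):
    """Findings for nsslapd-accesslog-mode (section 3.1.1.17)."""
    owner, group, other = parse_log_mode(mode)
    findings = []
    if (owner, group, other) == (0, 0, 0):
        findings.append("000 does not allow access to the logs at all")
    if other & 2:
        findings.append("world-writable: anyone can overwrite or delete the logs")
    elif group & 2:
        findings.append("group-writable: members of the log group can overwrite the logs")
    if other & 4:
        findings.append("world-readable: client IP addresses and operations are exposed to local users")
    return findings


def check_bind_settings(config):
    """Findings for the three bind-related switches (sections 3.1.1.18 to 3.1.1.20).

    Defaults used when an attribute is absent are the documented defaults."""
    def get(name, default):
        return config.get(name, default).strip().lower()

    findings = []
    if get("nsslapd-allow-unauthenticated-binds", "off") == "on":
        findings.append("nsslapd-allow-unauthenticated-binds=on: an empty password binds "
                        "as any account, including the Directory Manager; set it to off "
                        "(takes effect without a restart)")
    anon = get("nsslapd-allow-anonymous-access", "on")
    if anon == "on":
        findings.append("nsslapd-allow-anonymous-access=on: anonymous search and read of "
                        "user and group entries; verify ACIs, or use rootdse or off "
                        "(a change takes effect only after a restart)")
    elif anon not in ("off", "rootdse"):
        findings.append("nsslapd-allow-anonymous-access=%r is not a valid value; "
                        "the server ignores invalid values" % anon)
    if get("nsslapd-allow-hashed-passwords", "off") == "on":
        findings.append("nsslapd-allow-hashed-passwords=on: pre-hashed password checks "
                        "are disabled; intended only when a replication partner "
                        "performs them")
    return findings


def harden_report(config):
    """Combine the log mode and bind findings for one cn=config snapshot."""
    findings = ["nsslapd-accesslog-mode: " + f
                for f in check_log_mode(config.get("nsslapd-accesslog-mode", "600"))]
    findings += check_bind_settings(config)
    return findings


# Constructed sample: a weak configuration for the report to flag.
WEAK_CONFIG = {
    "nsslapd-accesslog-mode": "666",
    "nsslapd-allow-anonymous-access": "on",
    "nsslapd-allow-unauthenticated-binds": "on",
    "nsslapd-allow-hashed-passwords": "off",
}

# Constructed sample: the documented defaults, with anonymous access limited
# to the root DSE.
HARDENED_CONFIG = {
    "nsslapd-accesslog-mode": "600",
    "nsslapd-allow-anonymous-access": "rootdse",
    "nsslapd-allow-unauthenticated-binds": "off",
    "nsslapd-allow-hashed-passwords": "off",
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for finding in harden_report(cfg) or ["no findings"]:
            print("  - " + finding)
```

The report only reads values; applying a change is still done with ldapmodify as shown in
Section 2.2.1.2.2.1, and the anonymous-access finding reminds the operator that this one
needs a restart.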

3.1.1.21. nsslapd-allowed-sasl-mechanisms

By default, the root DSE lists all mechanisms the SASL library supports. However, in some
environments only certain ones are preferred. The nsslapd-allowed-sasl-mechanisms
attribute allows you to enable only some defined SASL mechanisms.

The mechanism names must consist of uppercase letters, numbers, and underscores.
Multiple mechanisms are separated by commas or spaces.

NOTE

The EXTERNAL mechanism is actually not used by any SASL plug-in. It is
internal to the server, and is mainly used for TLS client authentication. Hence,
the EXTERNAL mechanism cannot be restricted or controlled. It will always
appear in the supported mechanisms list, regardless of what is set in the
nsslapd-allowed-sasl-mechanisms attribute.

This setting does not require a server restart to take effect.

Parameter Description

Entry DN cn=config

Valid Values Any valid SASL mechanism

Default Value None (all SASL mechanisms allowed)

Syntax DirectoryString

Example nsslapd-allowed-sasl-mechanisms: GSSAPI, DIGEST-MD5, OTP

3.1.1.22. nsslapd-anonlimitsdn

Resource limits can be set on authenticated binds. The resource limits can set a cap on how
many entries can be searched in a single operation (nsslapd-sizeLimit), a time limit
(nsslapd-timelimit) and time out period (nsslapd-idletimeout) for searches, and the
total number of entries that can be searched (nsslapd-lookthroughlimit). These
resource limits prevent denial of service attacks from tying up directory resources and
improve overall performance.

Resource limits are set on a user entry. An anonymous bind, obviously, does not have a user
entry associated with it. This means that resource limits usually do not apply to anonymous
operations.

To set resource limits for anonymous binds, a template entry can be created, with the
appropriate resource limits. The nsslapd-anonlimitsdn configuration attribute can then be
added that points to this entry and applies the resource limits to anonymous binds.

Parameter Description

Entry DN cn=config

Valid Values Any DN

Default Value None

Syntax DirectoryString

Example nsslapd-anonlimitsdn: cn=anon template,ou=people,dc=example,dc=com

3.1.1.23. nsslapd-attribute-name-exceptions

This attribute allows non-standard characters in attribute names to be used for backwards
compatibility with older servers, such as "_" in schema-defined attributes.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-attribute-name-exceptions: on

3.1.1.24. nsslapd-auditlog (Audit Log)

This attribute sets the path and filename of the log used to record changes made to each
database.

Parameter Description

Entry DN cn=config

Valid Values Any valid filename

Default Value /var/log/dirsrv/slapd-instance/audit

Syntax DirectoryString

Example nsslapd-auditlog:
/var/log/dirsrv/slapd-instance/audit

For audit logging to be enabled, this attribute must have a valid path and parameter, and
the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on.
The table lists the four possible combinations of values for these two configuration
attributes and their outcome in terms of disabling or enabling of audit logging.

Table 3.3. Possible Combinations for nsslapd-auditlog

Attributes in dse.ldif             Value          Logging enabled or disabled

nsslapd-auditlog-logging-enabled   on             Disabled
nsslapd-auditlog                   empty string

nsslapd-auditlog-logging-enabled   on             Enabled
nsslapd-auditlog                   filename

nsslapd-auditlog-logging-enabled   off            Disabled
nsslapd-auditlog                   empty string

nsslapd-auditlog-logging-enabled   off            Disabled
nsslapd-auditlog                   filename

3.1.1.25. nsslapd-auditlog-list

Provides a list of audit log files.

Parameter Description

Entry DN cn=config

Valid Values

Default Value None

Syntax DirectoryString

Example nsslapd-auditlog-list: auditlog2,auditlog3

3.1.1.26. nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)

This attribute sets the maximum age that a log file is allowed to be before it is deleted. This
attribute supplies only the number of units. The units (day, week, month, and so forth) are
given by the nsslapd-auditlog-logexpirationtimeunit attribute.

Parameter Description

Entry DN cn=config


Valid Range -1 to the maximum 32 bit integer value (2147483647). A value of -1 or 0 means
that the log never expires.

Default Value -1

Syntax Integer

Example nsslapd-auditlog-logexpirationtime: 1

3.1.1.27. nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)

This attribute sets the units for the nsslapd-auditlog-logexpirationtime attribute. If the
unit is unknown by the server, then the log never expires.

Parameter Description

Entry DN cn=config

Valid Values month | week | day

Default Value week

Syntax DirectoryString

Example nsslapd-auditlog-logexpirationtimeunit: day

3.1.1.28. nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)

Turns audit logging on and off.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-auditlog-logging-enabled: off


For audit logging to be enabled, this attribute must be set to on and the nsslapd-auditlog
attribute must hold a valid path and file name. The table lists the four possible
combinations of values for these two configuration attributes and whether each combination
enables or disables audit logging.

Table 3.4. Possible combinations for nsslapd-auditlog and nsslapd-auditlog-logging-enabled

Attribute                            Value          Logging enabled or disabled

nsslapd-auditlog-logging-enabled     on             Disabled
nsslapd-auditlog                     empty string

nsslapd-auditlog-logging-enabled     on             Enabled
nsslapd-auditlog                     filename

nsslapd-auditlog-logging-enabled     off            Disabled
nsslapd-auditlog                     empty string

nsslapd-auditlog-logging-enabled     off            Disabled
nsslapd-auditlog                     filename

3.1.1.29. nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)

This attribute sets the maximum amount of disk space in megabytes that the audit logs are
allowed to consume. If this value is exceeded, the oldest audit log is deleted.

When setting a maximum disk space, consider the total number of log files that can be
created due to log file rotation. Also remember that there are three different log files
(access log, audit log, and error log) maintained by the Directory Server, each of which
consumes disk space. Compare these considerations with the total amount of disk space
for the audit log.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means that the disk space allowed to the audit log is unlimited in size.

Default Value -1


Syntax Integer

Example nsslapd-auditlog-logmaxdiskspace: 10000

3.1.1.30. nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)

This attribute sets the minimum permissible free disk space in megabytes. When the
amount of free disk space falls below the value specified by this attribute, the oldest audit
logs are deleted until enough disk space is freed to satisfy this attribute.

Parameter Description

Entry DN cn=config

Valid Range -1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647)

Default Value -1

Syntax Integer

Example nsslapd-auditlog-logminfreediskspace: -1

3.1.1.31. nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)

This attribute sets whether audit log rotation is to be synchronized with a particular time of
the day. Synchronizing log rotation this way can generate log files at a specified time
during a day, such as midnight to midnight every day. This makes analysis of the log files
much easier because they then map directly to the calendar.

For audit log rotation to be synchronized with time-of-day, this attribute must be enabled
with the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-
logrotationsyncmin attribute values set to the hour and minute of the day for rotating log
files.

For example, to rotate audit log files every day at midnight, enable this attribute by setting
its value to on, and then set the nsslapd-auditlog-logrotationsynchour and
nsslapd-auditlog-logrotationsyncmin attributes to 0.

Parameter Description

Entry DN cn=config

Valid Values on | off


Default Value off

Syntax DirectoryString

Example nsslapd-auditlog-logrotationsync-enabled: on

3.1.1.32. nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)

This attribute sets the hour of the day for rotating audit logs. This attribute must be used in
conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-
logrotationsyncmin attributes.

Parameter Description

Entry DN cn=config

Valid Range 0 through 23

Default Value None (because nsslapd-auditlog-logrotationsync-enabled is off)

Syntax Integer

Example nsslapd-auditlog-logrotationsynchour: 23

3.1.1.33. nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)

This attribute sets the minute of the day for rotating audit logs. This attribute must be used
in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-
auditlog-logrotationsynchour attributes.

Parameter Description

Entry DN cn=config

Valid Range 0 through 59

Default Value None (because nsslapd-auditlog-logrotationsync-enabled is off)

Syntax Integer

Example nsslapd-auditlog-logrotationsyncmin: 30


3.1.1.34. nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)

This attribute sets the time between audit log file rotations. The audit log is rotated when
this time interval is up, regardless of the current size of the audit log. This attribute
supplies only the number of units. The units (day, week, month, and so forth) are given by
the nsslapd-auditlog-logrotationtimeunit attribute. If the nsslapd-auditlog-
maxlogsperdir attribute is set to 1, the server ignores this attribute.

Although it is not recommended for performance reasons, because the log then grows
indefinitely, there are two ways to specify no log rotation: either set the
nsslapd-auditlog-maxlogsperdir attribute to 1 or set the nsslapd-auditlog-logrotationtime
attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first and,
only if that value is larger than 1, then checks the nsslapd-auditlog-logrotationtime
attribute. See Section 3.1.1.37, “nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number
of Log Files)” for more information.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means that the time between audit log file rotations is unlimited.

Default Value 1

Syntax Integer

Example nsslapd-auditlog-logrotationtime: 100

3.1.1.35. nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)

This attribute sets the units for the nsslapd-auditlog-logrotationtime attribute.

Parameter Description

Entry DN cn=config

Valid Values month | week | day | hour | minute

Default Value week

Syntax DirectoryString

Example nsslapd-auditlog-logrotationtimeunit: day

3.1.1.36. nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)


This attribute sets the maximum audit log size in megabytes. When this value is reached,
the audit log is rotated, that is, the server starts writing log information to a new log
file. If nsslapd-auditlog-maxlogsperdir is set to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be
created due to log file rotation. Also, remember that there are three different log files
(access log, audit log, and error log) maintained by the Directory Server, each of which
consumes disk space. Compare these considerations to the total amount of disk space for
the audit log.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means the log file is unlimited in size.

Default Value 100

Syntax Integer

Example nsslapd-auditlog-maxlogsize: 50

3.1.1.37. nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)

This attribute sets the total number of audit logs that can be contained in the directory
where the audit log is stored. Each time the audit log is rotated, a new log file is created.
When the number of files contained in the audit log directory exceeds the value stored on
this attribute, then the oldest version of the log file is deleted. The default is 1 log. If this
default is accepted, the server will not rotate the log, and it grows indefinitely.

If the value for this attribute is higher than 1, then check the
nsslapd-auditlog-logrotationtime attribute to establish whether log rotation is specified.
If the nsslapd-auditlog-logrotationtime attribute has a value of -1, then there is no log
rotation. See Section 3.1.1.34, “nsslapd-auditlog-logrotationtime (Audit Log Rotation
Time)” for more information.

Parameter Description

Entry DN cn=config

Valid Range 1 to the maximum 32 bit integer value (2147483647)

Default Value 1

Syntax Integer


Example nsslapd-auditlog-maxlogsperdir: 10

3.1.1.38. nsslapd-auditlog-mode (Audit Log File Permission)

This attribute sets the access mode, or file permissions, with which audit log files are
created. The value is a 3-digit octal number from 000 to 777, mirroring absolute UNIX file
permissions, with each digit from 0 through 7:

0 - None

1 - Execute only

2 - Write only

3 - Write and execute

4 - Read only

5 - Read and execute

6 - Read and write

7 - Read, write, and execute

In the 3-digit number, the first digit represents the owner's permissions, the second digit
represents the group's permissions, and the third digit represents everyone's permissions.
When changing the default value, remember that 000 does not allow access to the logs and
that allowing write permissions to everyone can result in the logs being overwritten or
deleted by anyone.

The newly configured access mode only affects new logs that are created; the mode is set
when the log rotates to a new file.

Parameter Description

Entry DN cn=config

Valid Range 000 through 777

Default Value 600

Syntax Integer

Example nsslapd-auditlog-mode: 600

3.1.1.39. nsslapd-auditfaillog (Audit Fail Log)

This attribute sets the path and filename of the log used to record failed LDAP
modifications.


If nsslapd-auditfaillog-logging-enabled is enabled and nsslapd-auditfaillog is not set, the
audit fail events are logged to the file specified in nsslapd-auditlog.

If you set the nsslapd-auditfaillog parameter to the same path as nsslapd-auditlog, both
are logged in the same file.

Parameter Description

Entry DN cn=config

Valid Values Any valid filename

Default Value /var/log/dirsrv/slapd-instance/audit

Syntax DirectoryString

Example nsslapd-auditfaillog: /var/log/dirsrv/slapd-instance/audit

To enable the audit fail log, this attribute must hold a valid path and the
nsslapd-auditfaillog-logging-enabled attribute must be set to on.

3.1.1.40. nsslapd-auditfaillog-list

Provides a list of audit fail log files.

Parameter Description

Entry DN cn=config

Valid Values

Default Value None

Syntax DirectoryString

Example nsslapd-auditfaillog-list: auditfaillog2,auditfaillog3

3.1.1.41. nsslapd-auditfaillog-logexpirationtime (Audit Fail Log Expiration Time)

This attribute sets the maximum age of a log file before it is removed. It supplies only the
number of units. Specify the units, such as day, week, or month, in the
nsslapd-auditfaillog-logexpirationtimeunit attribute.


Entry DN cn=config

Valid Range -1 to the maximum 32 bit integer value (2147483647). A value of -1 or 0 means
that the log never expires.

Default Value -1

Syntax Integer

Example nsslapd-auditfaillog-logexpirationtime: 1

3.1.1.42. nsslapd-auditfaillog-logexpirationtimeunit (Audit Fail Log Expiration Time Unit)

This attribute sets the units for the nsslapd-auditfaillog-logexpirationtime attribute. If
the unit is unknown by the server, the log never expires.

Parameter Description

Entry DN cn=config

Valid Values month | week | day

Default Value week

Syntax DirectoryString

Example nsslapd-auditfaillog-logexpirationtimeunit: day

3.1.1.43. nsslapd-auditfaillog-logging-enabled (Audit Fail Log Enable Logging)

Turns on and off logging of failed LDAP modifications.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off


Syntax DirectoryString

Example nsslapd-auditfaillog-logging-enabled: off

3.1.1.44. nsslapd-auditfaillog-logmaxdiskspace (Audit Fail Log Maximum Disk Space)

This attribute sets the maximum amount of disk space in megabytes that the audit fail logs
can consume. If the size exceeds the limit, the oldest audit fail log is deleted.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means that the disk space allowed to the audit fail log is unlimited in size.

Default Value -1

Syntax Integer

Example nsslapd-auditfaillog-logmaxdiskspace: 10000

3.1.1.45. nsslapd-auditfaillog-logminfreediskspace (Audit Fail Log Minimum Free Disk Space)

This attribute sets the minimum permissible free disk space in megabytes. When the
amount of free disk space is lower than the specified value, the oldest audit fail logs are
deleted until enough disk space is freed.

Parameter Description

Entry DN cn=config

Valid Range -1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647)

Default Value -1

Syntax Integer

Example nsslapd-auditfaillog-logminfreediskspace: -1


3.1.1.46. nsslapd-auditfaillog-logrotationsync-enabled (Audit Fail Log Rotation Sync Enabled)

This attribute sets whether audit fail log rotation is to be synchronized with a particular time
of the day. Synchronizing log rotation this way can generate log files at a specified time
during a day, such as midnight to midnight every day. This makes analysis of the log files
much easier because they then map directly to the calendar.

For audit fail log rotation to be synchronized with time-of-day, this attribute must be
enabled with the nsslapd-auditfaillog-logrotationsynchour and nsslapd-
auditfaillog-logrotationsyncmin attribute values set to the hour and minute of the day
for rotating log files.

For example, to rotate audit fail log files every day at midnight, enable this attribute by
setting its value to on, and then set the nsslapd-auditfaillog-logrotationsynchour and
nsslapd-auditfaillog-logrotationsyncmin attributes to 0.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-auditfaillog-logrotationsync-enabled: on

3.1.1.47. nsslapd-auditfaillog-logrotationsynchour (Audit Fail Log Rotation Sync Hour)

This attribute sets the hour of the day the audit fail log is rotated. This attribute must be
used in conjunction with nsslapd-auditfaillog-logrotationsync-enabled and nsslapd-
auditfaillog-logrotationsyncmin attributes.

Parameter Description

Entry DN cn=config

Valid Range 0 through 23

Default Value None (because nsslapd-auditfaillog-logrotationsync-enabled is off)

Syntax Integer

Example nsslapd-auditfaillog-logrotationsynchour: 23


3.1.1.48. nsslapd-auditfaillog-logrotationsyncmin (Audit Fail Log Rotation Sync Minute)

This attribute sets the minute the audit fail log is rotated. This attribute must be used in
conjunction with nsslapd-auditfaillog-logrotationsync-enabled and nsslapd-
auditfaillog-logrotationsynchour attributes.

Parameter Description

Entry DN cn=config

Valid Range 0 through 59

Default Value None (because nsslapd-auditfaillog-logrotationsync-enabled is off)

Syntax Integer

Example nsslapd-auditfaillog-logrotationsyncmin: 30

3.1.1.49. nsslapd-auditfaillog-logrotationtime (Audit Fail Log Rotation Time)

This attribute sets the time between audit fail log file rotations. The audit fail log is rotated
when this time interval ends, regardless of the current size of the audit fail log. This
attribute supplies only the number of units. The units (day, week, month, and so forth) are
given by the nsslapd-auditfaillog-logrotationtimeunit attribute. If the nsslapd-
auditfaillog-maxlogsperdir attribute is set to 1, the server ignores this attribute.

Although it is not recommended for performance reasons, because the log then grows
indefinitely, there are two ways to specify no log rotation: either set the
nsslapd-auditfaillog-maxlogsperdir attribute to 1 or set the
nsslapd-auditfaillog-logrotationtime attribute to -1. The server checks the
nsslapd-auditfaillog-maxlogsperdir attribute first and, only if that value is larger than 1,
then checks the nsslapd-auditfaillog-logrotationtime attribute. See Section 3.1.1.52,
“nsslapd-auditfaillog-maxlogsperdir (Audit Fail Log Maximum Number of Log Files)” for
more information.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means the time between audit fail log file rotations is unlimited.

Default Value 1

Syntax Integer


Example nsslapd-auditfaillog-logrotationtime: 100

3.1.1.50. nsslapd-auditfaillog-logrotationtimeunit (Audit Fail Log Rotation Time Unit)

This attribute sets the units for the nsslapd-auditfaillog-logrotationtime attribute.

Parameter Description

Entry DN cn=config

Valid Values month | week | day | hour | minute

Default Value week

Syntax DirectoryString

Example nsslapd-auditfaillog-logrotationtimeunit: day

3.1.1.51. nsslapd-auditfaillog-maxlogsize (Audit Fail Log Maximum Log Size)

This attribute sets the maximum audit fail log size in megabytes. When this value is
reached, the audit fail log is rotated. That means the server starts writing log information to
a new log file. If the nsslapd-auditfaillog-maxlogsperdir parameter is set to 1, the
server ignores this attribute.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means the log file is unlimited in size.

Default Value 100

Syntax Integer

Example nsslapd-auditfaillog-maxlogsize: 50

3.1.1.52. nsslapd-auditfaillog-maxlogsperdir (Audit Fail Log Maximum Number of Log Files)

This attribute sets the total number of audit fail logs that can be contained in the directory
where the audit fail log is stored. Each time the audit fail log is rotated, a new log file is
created. When the number of files contained in that directory exceeds the value stored in
this attribute, the oldest version of the log file is deleted. The default is 1 log. If this
default is accepted, the server will not rotate the log, and it grows indefinitely.

If the value for this attribute is higher than 1, then check the
nsslapd-auditfaillog-logrotationtime attribute to establish whether log rotation is
specified. If the nsslapd-auditfaillog-logrotationtime attribute has a value of -1, then
there is no log rotation. See Section 3.1.1.49, “nsslapd-auditfaillog-logrotationtime
(Audit Fail Log Rotation Time)” for more information.

Parameter Description

Entry DN cn=config

Valid Range 1 to the maximum 32 bit integer value (2147483647)

Default Value 1

Syntax Integer

Example nsslapd-auditfaillog-maxlogsperdir: 10

3.1.1.53. nsslapd-auditfaillog-mode (Audit Fail Log File Permission)

This attribute sets the access mode, or file permissions, with which audit fail log files are
created. The value is a 3-digit octal number from 000 to 777, mirroring absolute UNIX file
permissions, with each digit from 0 through 7:

0 - None

1 - Execute only

2 - Write only

3 - Write and execute

4 - Read only

5 - Read and execute

6 - Read and write

7 - Read, write, and execute

In the 3-digit number, the first digit represents the owner's permissions, the second digit
represents the group's permissions, and the third digit represents everyone's permissions.
When changing the default value, remember that 000 does not allow access to the logs and
that allowing write permissions to everyone can result in the logs being overwritten or
deleted by anyone.


The newly configured access mode only affects new logs that are created; the mode is set
when the log rotates to a new file.

Parameter Description

Entry DN cn=config

Valid Range 000 through 777

Default Value 600

Syntax Integer

Example nsslapd-auditfaillog-mode: 600
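The rules spread over the preceding sections are easy to misapply when reading a dse.ldif by hand: Table 3.3 and Table 3.4 (logging happens only when the switch is on and a path is set), the nsslapd-auditfaillog fallback to the audit log file (Section 3.1.1.39), the maxlogsperdir-before-logrotationtime precedence (Sections 3.1.1.34, 3.1.1.37, 3.1.1.49 and 3.1.1.52) and the file-mode caveat (Sections 3.1.1.38 and 3.1.1.53). The following Python script is an added example, not part of the Red Hat documentation or of the Directory Server code base. It parses a constructed cn=config fragment and reports, for both the audit log and the audit fail log, whether logging is effective, whether the file will ever rotate, and whether the configured mode lets other users alter or read the trail. The function names are the example's own, and the sample LDIF is constructed for it.

```python
"""Effective audit / audit-fail log settings from a dse.ldif fragment.
Added example, not from the Red Hat documentation or Directory Server.
Defaults are the ones listed in this chapter."""
import re

# Constructed cn=config fragment; nsslapd-auditfaillog is deliberately
# unset so the fallback to the audit log file (Section 3.1.1.39) applies.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-auditlog: /var/log/dirsrv/slapd-instance/audit
nsslapd-auditlog-logging-enabled: on
nsslapd-auditlog-maxlogsperdir: 1
nsslapd-auditlog-logrotationtime: 1
nsslapd-auditlog-logrotationtimeunit: day
nsslapd-auditlog-mode: 666
nsslapd-auditfaillog-logging-enabled: on
nsslapd-auditfaillog-mode: 600
"""


def parse_dse_config(text):
    """Return {attribute (lower case): value} for one LDIF entry.
    Unfolds continuation lines (leading space); base64 (::) values are not
    decoded because cn=config uses plain values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    cfg = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            cfg[name.strip().lower()] = value.strip()
    return cfg


def audit_log_status(cfg, prefix="nsslapd-auditlog"):
    """Apply the chapter's rules to "nsslapd-auditlog" or "nsslapd-auditfaillog".
    Returns 'enabled', 'path', 'rotation', 'mode' and a list of 'findings'."""
    findings = []
    switch_on = cfg.get(f"{prefix}-logging-enabled", "off").lower() == "on"
    path = cfg.get(prefix, "")
    if prefix == "nsslapd-auditfaillog" and not path:
        path = cfg.get("nsslapd-auditlog", "")  # Section 3.1.1.39 fallback
    enabled = switch_on and bool(path)  # Table 3.3: both conditions are needed
    if switch_on and not path:
        findings.append(f"{prefix}-logging-enabled is on but {prefix} is empty: nothing is written")
    status = {"log": prefix, "enabled": enabled, "path": path, "rotation": "n/a",
              "mode": cfg.get(f"{prefix}-mode", "600"), "findings": findings}
    if not enabled:
        return status

    # Sections 3.1.1.34, 3.1.1.36, 3.1.1.37: maxlogsperdir is checked first;
    # 1 (the default) makes the server ignore both rotation triggers.
    max_logs = int(cfg.get(f"{prefix}-maxlogsperdir", 1))
    rot_time = int(cfg.get(f"{prefix}-logrotationtime", 1))
    rot_unit = cfg.get(f"{prefix}-logrotationtimeunit", "week")
    max_size = int(cfg.get(f"{prefix}-maxlogsize", 100))
    if max_logs == 1:
        status["rotation"] = "none"
        findings.append(f"{prefix}-maxlogsperdir is 1: the log is never rotated and grows without bound")
    else:
        triggers = []
        if rot_time != -1:
            triggers.append(f"every {rot_time} {rot_unit}")
        if max_size != -1:
            triggers.append(f"at {max_size} MB")
        status["rotation"] = ", ".join(triggers) or "none"
        if not triggers:
            findings.append(f"{prefix}: logrotationtime and maxlogsize are both -1, never rotated")

    # Section 3.1.1.38: group/other write lets anyone overwrite or delete the
    # trail. Flagging group/other read is this example's own addition: the
    # audit log records the content of every change.
    mode_str = status["mode"]
    if not re.fullmatch(r"[0-7]{3}", mode_str):
        findings.append(f"{prefix}-mode '{mode_str}' is not a 3-digit octal mode")
    else:
        mode = int(mode_str, 8)
        if mode & 0o022:
            findings.append(f"{prefix}-mode {mode_str} grants write access to group or others")
        elif mode == 0:
            findings.append(f"{prefix}-mode 000: nobody, not even the server, can read the log")
        elif mode & 0o044:
            findings.append(f"{prefix}-mode {mode_str} lets group or others read the log")
    return status


if __name__ == "__main__":
    cfg = parse_dse_config(SAMPLE_DSE_LDIF)
    for prefix in ("nsslapd-auditlog", "nsslapd-auditfaillog"):
        s = audit_log_status(cfg, prefix)
        print(f"{prefix}: enabled={s['enabled']} rotation={s['rotation']} mode={s['mode']}")
        for f in s["findings"]:
            print("  -", f)
```

Run against a real instance by reading /etc/dirsrv/slapd-instance/dse.ldif instead of the constructed fragment; the server must be stopped or the file copied first, since the reference notes that dse.ldif is edited only while the server is down. Note that the script treats an absent attribute as its documented default, which is what the server does, so an instance that never had nsslapd-auditlog-maxlogsperdir set is reported as non-rotating.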

3.1.1.54. nsslapd-certdir (Certificate and Key Database Directory)

This is the full path to the directory holding the certificate and key databases for a
Directory Server instance. This directory must contain only the certificate and key
databases for this instance and no other instances. The directory must be owned by the
server user ID and allow that user read-write access; no other user should have read or
write access to this directory. The default location is the configuration file directory,
/etc/dirsrv/slapd-instance.

Changes to this value will not take effect until the server is restarted.

Parameter Description

Entry DN cn=config

Valid Values Absolute path to any directory which is owned by the server user ID and only
allows read and write access to the server user ID

Default Value /etc/dirsrv/slapd-instance

Syntax DirectoryString

Example nsslapd-certdir: /etc/dirsrv/slapd-phonebook
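Section 3.1.1.54 states the ownership and permission requirements for nsslapd-certdir but gives no way to verify them on a running host. The following Python functions are an added example, not part of the Red Hat documentation or of the Directory Server tooling. evaluate_certdir() applies the requirements to raw stat() fields so that it can be exercised on constructed values, and check_certdir() runs it against a real path. Two assumptions beyond the text: the service account name "dirsrv" used as the command-line default is assumed (pass the user the instance actually runs as), and the owner's execute bit is required as well, because a process needs it to traverse a directory even though the reference speaks only of read-write access.

```python
"""Verify that an nsslapd-certdir directory is owned by the server user
and accessible to that user only (Section 3.1.1.54).
Added example, not from the Red Hat documentation or Directory Server."""
import os
import pwd
import stat
import sys


def evaluate_certdir(st_mode, st_uid, server_uid, path):
    """Apply the nsslapd-certdir requirements to raw stat() fields.

    st_mode is the full mode word (file type bits included), st_uid the
    owner, server_uid the numeric ID ns-slapd runs as. Returns a list of
    findings; an empty list means the directory passes.
    """
    findings = []
    if not os.path.isabs(path):
        findings.append(f"{path}: value must be an absolute path")
    if not stat.S_ISDIR(st_mode):
        findings.append(f"{path}: not a directory")
    if st_uid != server_uid:
        findings.append(f"{path}: owned by uid {st_uid}, expected server uid {server_uid}")
    perm = stat.S_IMODE(st_mode)
    if perm & 0o077:
        # Any group/other bit lets other accounts read or replace the key database
        findings.append(f"{path}: mode {perm:04o} grants access to group or others, expected 0700")
    if perm & 0o700 != 0o700:
        # rwx for the owner: read/write per the reference, x to traverse (assumption)
        findings.append(f"{path}: mode {perm:04o} does not give the owner read, write and search access")
    return findings


def check_certdir(path, server_user):
    """Stat a real directory and evaluate it for the named server user."""
    server_uid = pwd.getpwnam(server_user).pw_uid
    st = os.stat(path)
    return evaluate_certdir(st.st_mode, st.st_uid, server_uid, path)


if __name__ == "__main__":
    # Usage: python certdir_check.py /etc/dirsrv/slapd-instance [server_user]
    # "dirsrv" is an assumed default service account name, not taken from the reference.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/dirsrv/slapd-instance"
    user = sys.argv[2] if len(sys.argv) > 2 else "dirsrv"
    problems = check_certdir(target, user)
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Because the default nsslapd-certdir is also the configuration directory, a clean result here says only that the NSS databases are not exposed through directory permissions; it says nothing about the mode of the individual database files inside, which are worth checking the same way.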

3.1.1.55. nsslapd-certmap-basedn (Certificate Map Search Base)

This attribute can be used when client authentication is performed using TLS certificates in
order to avoid limitations of the security subsystem certificate mapping, configured in the
/etc/dirsrv/slapd-instance_name/certmap.conf file. Depending on the configuration in
this file, the certificate mapping may be done using a directory subtree search based at the
root DN. If the search is based at the root DN, then the nsslapd-certmap-basedn attribute
may force the search to be based at some entry other than the root. The valid value for
this attribute is the DN of the suffix or subtree to use for certificate mapping.


Parameter Description

Entry DN cn=config

Valid Values Any valid DN

Default Value

Syntax DirectoryString

Example nsslapd-certmap-basedn: ou=People,dc=example,dc=com

3.1.1.56. nsslapd-config

This read-only attribute is the config DN.

Parameter Description

Entry DN cn=config

Valid Values Any valid configuration DN

Default Value

Syntax DirectoryString

Example nsslapd-config: cn=config

3.1.1.57. nsslapd-cn-uses-dn-syntax-in-dns

This parameter controls whether a cn value that holds a DN is normalized according to DN
syntax.

The Directory Server DN normalizer follows RFC 4514 and keeps white space if the RDN
attribute type is not based on the DN syntax. However, the Directory Server's configuration
entries sometimes use a cn attribute to store a DN value. For example, in
dn: cn="dc=A,dc=com",cn=mapping tree,cn=config, the cn should be normalized following the
DN syntax.

If this behavior is required, enable the nsslapd-cn-uses-dn-syntax-in-dns parameter.

Parameter Description

Entry DN cn=config

Valid Values on | off


Default Value off

Syntax DirectoryString

Example nsslapd-cn-uses-dn-syntax-in-dns: off

3.1.1.58. nsslapd-connection-buffer

This attribute sets the connection buffering behavior. Possible values:

0: Disable buffering. Only single Protocol Data Units (PDU) are read at a time.

1: Regular fixed size LDAP_SOCKET_IO_BUFFER_SIZE of 512 bytes.

2: Adaptable buffer size.

The value 2 provides better performance if the client sends a large amount of data at once.
This is, for example, the case for large add and modify operations, or when many
asynchronous requests are received over a single connection, such as during replication.

Parameter Description

Entry DN cn=config

Valid Values 0|1|2

Default Value 1

Syntax Integer

Example nsslapd-connection-buffer: 1

3.1.1.59. nsslapd-connection-nocanon

This option allows you to enable or disable the SASL NOCANON flag on outgoing connections.
When the flag is set (on, the default), Directory Server does not canonicalize the remote
host name through a reverse DNS lookup before SASL authentication, so outgoing connections
do not depend on, or wait for, reverse DNS.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString


Example nsslapd-connection-nocanon: on

3.1.1.60. nsslapd-conntablesize

This attribute sets the connection table size, which determines the total number of
connections supported by the server.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=config

Valid Values Operating-system dependent

Default Value The default value is the system's maximum number of descriptors, which can be
configured using the nsslapd-maxdescriptors attribute as described in Section 3.1.1.115,
“nsslapd-maxdescriptors (Maximum File Descriptors)”

Syntax Integer

Example nsslapd-conntablesize: 4093

Increase the value of this attribute if Directory Server is refusing connections because it is
out of connection slots. When this occurs, the Directory Server's error log file records the
message Not listening for new connections -- too many fds open.

A server restart is required for the change to take effect.

It may be necessary to increase the operating system limits for the number of open files
and number of open files per process, and it may be necessary to increase the ulimit for
the number of open files (ulimit -n) in the shell that starts the Directory Server. See
Section 3.1.1.115, “nsslapd-maxdescriptors (Maximum File Descriptors)” for more
information.

3.1.1.61. nsslapd-counters

The nsslapd-counters attribute enables and disables Directory Server database and server
performance counters.

There can be a performance impact by keeping track of the larger counters. Turning off 64-
bit integers for counters can have a minimal improvement on performance, although it
negatively affects long term statistics tracking.

This parameter is enabled by default. To disable counters, stop the Directory Server, edit
the dse.ldif file directly, and restart the server.


Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-counters: on

3.1.1.62. nsslapd-csnlogging

This attribute sets whether change sequence numbers (CSNs), when available, are to be
logged in the access log. By default, CSN logging is turned on.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-csnlogging: on

3.1.1.63. nsslapd-defaultnamingcontext

This attribute gives the naming context, of all configured naming contexts, which clients
should use by default as a search base. This value is copied over to the root DSE as the
defaultNamingContext attribute, which allows clients to query the root DSE to obtain the
context and then to initiate a search with the appropriate base.

Parameter Description

Entry DN cn=config

Valid Values Any root suffix DN

Default Value The default user suffix

Syntax DN


Example nsslapd-defaultnamingcontext: dc=example,dc=com

3.1.1.64. nsslapd-disk-monitoring

This attribute enables a thread which runs every ten (10) seconds to check the available
disk space on the disk or mount where the Directory Server database is stored. If the
available disk space drops below a configured threshold, the server begins reducing logging
levels, disabling access or audit logs, and deleting rotated logs. If that does not free
enough space, the server shuts down gracefully (after a warning and a grace period).

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-disk-monitoring: on

3.1.1.65. nsslapd-disk-monitoring-grace-period

Sets a grace period to wait before shutting down the server after it hits half of the disk
space limit set in nsslapd-disk-monitoring-threshold. This gives the administrator time to
clean out the disk and prevent a shutdown.

Parameter Description

Entry DN cn=config

Valid Values Any integer (sets value in minutes)

Default Value 60

Syntax Integer

Example nsslapd-disk-monitoring-grace-period: 45

3.1.1.66. nsslapd-disk-monitoring-logging-critical


Sets whether to shut down the server if the log directories pass the halfway point of the
disk space limit set in nsslapd-disk-monitoring-threshold.

If this is enabled, then logging is not disabled and rotated logs are not deleted as a means
of reducing disk usage by the server. The server simply proceeds toward shutdown.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-disk-monitoring-logging-critical: on

3.1.1.67. nsslapd-disk-monitoring-threshold

Sets the threshold, in bytes, used to evaluate whether the server has enough available disk
space. Once the available space reaches half of this threshold, the server begins the
shutdown process.

For example, if the threshold is 2MB (the default), then once the available disk space
reaches 1MB, the server will begin to shut down.

By default, the threshold is evaluated based on the disk space used by the configuration,
transaction, and database directories for the Directory Server instance. If the
nsslapd-disk-monitoring-logging-critical attribute is enabled, then the log directory is
included in the evaluation.

Parameter Description

Entry DN cn=config

Valid Values 0 to the maximum 32-bit integer value (2147483647) on 32-bit systems; 0 to the
maximum 64-bit integer value (9223372036854775807) on 64-bit systems

Default Value 2000000 (2MB)

Syntax DirectoryString

Example nsslapd-disk-monitoring-threshold: 2000000


3.1.1.68. nsslapd-dn-validate-strict

The nsslapd-syntaxcheck attribute enables the server to verify that any new or modified
attribute value matches the required syntax for that attribute.

However, the syntax rules for DNs have grown increasingly strict. Attempting to enforce the
DN syntax rules in RFC 4514 could break many servers using older syntax definitions. By
default, nsslapd-syntaxcheck therefore validates DNs using RFC 1779 or RFC 2253.

The nsslapd-dn-validate-strict attribute explicitly enables strict syntax validation for
DNs, according to section 3 in RFC 4514. If this attribute is set to off (the default), the
server normalizes the value before checking it for syntax violations.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-dn-validate-strict: off

3.1.1.69. nsslapd-ds4-compatible-schema

Makes the schema in cn=schema compatible with 4.x versions of Directory Server.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-ds4-compatible-schema: off

3.1.1.70. nsslapd-enable-nunc-stans

This parameter enables or disables the nunc-stans framework. If this framework is
enabled, Directory Server is able to handle a significantly larger number of connections
without performance degradation.

Configuration, Command, and File Reference


WARNING

Enabling this parameter can cause stability issues.

The service must be restarted for changes to this attribute to take effect.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-enable-nunc-stans: off

3.1.1.71. nsslapd-enable-turbo-mode

This parameter allows you to enable or disable the turbo mode feature.

The connection code contains a turbo mode feature that lets a worker thread continuously
read a connection without passing it back to the polling mechanism. This can enhance
performance on very active connections. If single operations like adding entries take a long
time, disabling the turbo mode can improve the speed by applying the operations in
parallel.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-enable-turbo-mode: off

3.1.1.72. nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)

This attribute is deprecated and will be removed in a future version of Directory Server.

This attribute controls whether quoting in the objectclass attributes contained in the
cn=schema entry conforms to the quoting specified by Internet draft RFC 2252. By default,
the Directory Server conforms to RFC 2252, which indicates that this value should not be
quoted. Only very old clients need this value set to on, so leave it off.

Turning this attribute on or off does not affect Directory Server Console.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-enquote-sup-oc: off

3.1.1.73. nsslapd-entryusn-global

The nsslapd-entryusn-global parameter defines if the USN plug-in assigns unique
update sequence numbers (USN) across all back end databases or to each database
individually. For unique USNs across all back end databases, set this parameter to on.

For further details, see Section 6.8, “entryusn”.

You do not have to restart the server for this setting to take effect.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-entryusn-global: off

3.1.1.74. nsslapd-entryusn-import-initval

Entry update sequence numbers (USNs) are not preserved when entries are exported from
one server and imported into another, including when initializing a database for replication.
By default, the entry USNs for imported entries are set to zero.

It is possible to configure a different initial value for entry USNs using nsslapd-entryusn-
import-initval. This sets a starting USN which is used for all imported entries.

There are two possible values for nsslapd-entryusn-import-initval:


An integer, which is the explicit start number used for every imported entry.

next, which means that every imported entry uses whatever the highest entry USN
value was on the server before the import operation, incremented by one.

Parameter Description

Entry DN cn=config

Valid Values Any integer | next

Default Value

Syntax DirectoryString

Example nsslapd-entryusn-import-initval: next

3.1.1.75. nsslapd-errorlog (Error Log)

This attribute sets the path and filename of the log used to record error messages
generated by the Directory Server. These messages can describe error conditions, but more
often they contain informative conditions, such as:

Server startup and shutdown times.

The port number that the server uses.

This log contains differing amounts of information depending on the current setting of the
Log Level attribute. See Section 3.1.1.76, “nsslapd-errorlog-level (Error Log Level)” for more
information.

Parameter Description

Entry DN cn=config

Valid Values Any valid filename

Default Value /var/log/dirsrv/slapd-instance/errors

Syntax DirectoryString

Example nsslapd-errorlog: /var/log/dirsrv/slapd-instance/errors

For error logging to be enabled, this attribute must have a valid path and filename, and the
nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. The
table lists the four possible combinations of values for these two configuration attributes
and their outcome in terms of disabling or enabling of error logging.

Table 3.5. Possible Combinations for nsslapd-errorlog Configuration Attributes

Attributes in dse.ldif                 Value          Logging enabled or disabled

nsslapd-errorlog-logging-enabled       on             Disabled
nsslapd-errorlog                       empty string

nsslapd-errorlog-logging-enabled       on             Enabled
nsslapd-errorlog                       filename

nsslapd-errorlog-logging-enabled       off            Disabled
nsslapd-errorlog                       empty string

nsslapd-errorlog-logging-enabled       off            Disabled
nsslapd-errorlog                       filename

3.1.1.76. nsslapd-errorlog-level (Error Log Level)

This attribute sets the level of logging for the Directory Server. The log level is additive;
that is, specifying a value of 3 includes both levels 1 and 2.

The default value for nsslapd-errorlog-level is 16384.

Parameter Description

Entry DN cn=config


Valid Values
1 - Trace function calls. Logs a message when the server enters and exits a function.

2 - Debug packet handling.

4 - Heavy trace output debugging.

8 - Connection management.

16 - Print out packets sent/received.

32 - Search filter processing.

64 - Config file processing.

128 - Access control list processing.

1024 - Log communications with shell databases.

2048 - Log entry parsing debugging.

4096 - Housekeeping thread debugging.

8192 - Replication debugging.

16384 - Default level of logging used for critical errors and other messages that are
always written to the error log; for example, server startup messages. Messages at this
level are always included in the error log, regardless of the log level setting.

32768 - Database cache debugging.

65536 - Server plug-in debugging. It writes an entry to the log file when a server plug-in
calls slapi-log-error.

262144 - Access control summary information, much less verbose than level 128. This
value is recommended for use when a summary of access control processing is needed.
Use 128 for very detailed processing messages.

Default Value 16384

Syntax Integer

Example nsslapd-errorlog-level: 8192


3.1.1.77. nsslapd-errorlog-list

This read-only attribute provides a list of error log files.

Parameter Description

Entry DN cn=config

Valid Values

Default Value None

Syntax DirectoryString

Example nsslapd-errorlog-list: errorlog2,errorlog3

3.1.1.78. nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)

This attribute sets the maximum age that a log file is allowed to reach before it is deleted.
This attribute supplies only the number of units. The units (day, week, month, and so forth)
are given by the nsslapd-errorlog-logexpirationtimeunit attribute.

Parameter Description

Entry DN cn=config

Valid Range -1 to the maximum 32 bit integer value (2147483647)

A value of -1 or 0 means that the log never expires.

Default Value -1

Syntax Integer

Example nsslapd-errorlog-logexpirationtime: 1

3.1.1.79. nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)

This attribute sets the units for the nsslapd-errorlog-logexpirationtime attribute. If the
unit is unknown by the server, then the log never expires.

Parameter Description

Entry DN cn=config


Valid Values month | week | day

Default Value month

Syntax DirectoryString

Example nsslapd-errorlog-logexpirationtimeunit: week

3.1.1.80. nsslapd-errorlog-logging-enabled (Enable Error Logging)

Turns error logging on and off.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-errorlog-logging-enabled: on

3.1.1.81. nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)

This attribute sets the maximum amount of disk space in megabytes that the error logs are
allowed to consume. If this value is exceeded, the oldest error log is deleted.

When setting a maximum disk space, consider the total number of log files that can be
created due to log file rotation. Also, remember that there are three different log files
(access log, audit log, and error log) maintained by the Directory Server, each of which
consumes disk space. Compare these considerations to the total amount of disk space for
the error log.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means that the disk space allowed to the error log is unlimited in size.


Default Value -1

Syntax Integer

Example nsslapd-errorlog-logmaxdiskspace: 10000

3.1.1.82. nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)

This attribute sets the minimum allowed free disk space in megabytes. When the amount of
free disk space falls below the value specified on this attribute, the oldest error log is
deleted until enough disk space is freed to satisfy this attribute.

Parameter Description

Entry DN cn=config

Valid Range -1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647)

Default Value -1

Syntax Integer

Example nsslapd-errorlog-logminfreediskspace: -1

3.1.1.83. nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)

This attribute sets whether error log rotation is to be synchronized with a particular time of
the day. Synchronizing log rotation this way can generate log files at a specified time
during a day, such as midnight to midnight every day. This makes analysis of the log files
much easier because they then map directly to the calendar.

For error log rotation to be synchronized with time-of-day, this attribute must be enabled
with the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-
logrotationsyncmin attribute values set to the hour and minute of the day for rotating log
files.

For example, to rotate error log files every day at midnight, enable this attribute by setting
its value to on, and then set the values of the nsslapd-errorlog-logrotationsynchour
and nsslapd-errorlog-logrotationsyncmin attributes to 0.

Parameter Description

Entry DN cn=config


Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-errorlog-logrotationsync-enabled: on

3.1.1.84. nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour)

This attribute sets the hour of the day for rotating error logs. This attribute must be used in
conjunction with nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-
logrotationsyncmin attributes.

Parameter Description

Entry DN cn=config

Valid Range 0 through 23

Default Value 0

Syntax Integer

Example nsslapd-errorlog-logrotationsynchour: 23

3.1.1.85. nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)

This attribute sets the minute of the day for rotating error logs. This attribute must be used
in conjunction with nsslapd-errorlog-logrotationsync-enabled and nsslapd-
errorlog-logrotationsynchour attributes.

Parameter Description

Entry DN cn=config

Valid Range 0 through 59

Default Value 0

Syntax Integer


Example nsslapd-errorlog-logrotationsyncmin: 30

3.1.1.86. nsslapd-errorlog-logrotationtime (Error Log Rotation Time)

This attribute sets the time between error log file rotations. The error log is rotated when
this time interval is up, regardless of the current size of the error log. This attribute supplies
only the number of units. The units (day, week, month, and so forth) are given by the
nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) attribute.

Although it is not recommended for performance reasons to specify no log rotation, as the
log then grows indefinitely, there are two ways of specifying this. Either set the nsslapd-
errorlog-maxlogsperdir attribute value to 1 or set the nsslapd-errorlog-
logrotationtime attribute to -1. The server checks the nsslapd-errorlog-
maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then
checks the nsslapd-errorlog-logrotationtime attribute. See Section 3.1.1.89, “nsslapd-
errorlog-maxlogsperdir (Maximum Number of Error Log Files)” for more information.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means that the time between error log file rotations is unlimited.

Default Value 1

Syntax Integer

Example nsslapd-errorlog-logrotationtime: 100

3.1.1.87. nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)

This attribute sets the units for nsslapd-errorlog-logrotationtime (Error Log Rotation
Time). If the unit is unknown by the server, then the log never expires.

Parameter Description

Entry DN cn=config

Valid Values month | week | day | hour | minute

Default Value week


Syntax DirectoryString

Example nsslapd-errorlog-logrotationtimeunit: day

3.1.1.88. nsslapd-errorlog-maxlogsize (Maximum Error Log Size)

This attribute sets the maximum error log size in megabytes. When this value is reached,
the error log is rotated, and the server starts writing log information to a new log file. If
nsslapd-errorlog-maxlogsperdir is set to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be
created due to log file rotation. Also, remember that there are three different log files
(access log, audit log, and error log) maintained by the Directory Server, each of which
consumes disk space. Compare these considerations to the total amount of disk space for
the error log.

Parameter Description

Entry DN cn=config

Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1
means the log file is unlimited in size.

Default Value 100

Syntax Integer

Example nsslapd-errorlog-maxlogsize: 100

3.1.1.89. nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)

This attribute sets the total number of error logs that can be contained in the directory
where the error log is stored. Each time the error log is rotated, a new log file is created.
When the number of files contained in the error log directory exceeds the value stored on
this attribute, then the oldest version of the log file is deleted. The default is 1 log. If this
default is accepted, the server does not rotate the log, and it grows indefinitely.

If the value for this attribute is higher than 1, then check the nsslapd-errorlog-
logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-
errorlog-logrotationtime attribute has a value of -1, then there is no log rotation. See
Section 3.1.1.86, “nsslapd-errorlog-logrotationtime (Error Log Rotation Time)” for more
information.


Parameter Description

Entry DN cn=config

Valid Range 1 to the maximum 32 bit integer value (2147483647)

Default Value 1

Syntax Integer

Example nsslapd-errorlog-maxlogsperdir: 10

3.1.1.90. nsslapd-errorlog-mode (Error Log File Permission)

This attribute sets the access mode or file permissions with which error log files are to be
created. The valid values are 000 through 777, since they mirror numeric (absolute) UNIX
file permissions. That is, the value must be a 3-digit number, with each digit ranging from
0 through 7:

0 - None

1 - Execute only

2 - Write only

3 - Write and execute

4 - Read only

5 - Read and execute

6 - Read and write

7 - Read, write, and execute

In the 3-digit number, the first digit represents the owner's permissions, the second digit
represents the group's permissions, and the third digit represents everyone's permissions.
When changing the default value, remember that 000 does not allow access to the logs and
that allowing write permissions to everyone can result in the logs being overwritten or
deleted by anyone.

The newly configured access mode only affects new logs that are created; the mode is set
when the log rotates to a new file.

Parameter Description

Entry DN cn=config

Valid Range 000 through 777


Default Value 600

Syntax Integer

Example nsslapd-errorlog-mode: 600
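The rules in the error-log sections above (the additive nsslapd-errorlog-level bits, the Table 3.5
combinations of nsslapd-errorlog-logging-enabled and nsslapd-errorlog, the maxlogsperdir/logrotationtime
rotation check, and the nsslapd-errorlog-mode permission digits) can be applied to a cn=config snippet
as a quick defender-side audit. The following script is an added example, not part of the Red Hat
documentation or the Directory Server code base; the LDIF sample is constructed and the parser assumes
unfolded, non-base64 attribute lines.

```python
import re

# Bit values of nsslapd-errorlog-level as listed in section 3.1.1.76.
ERRORLOG_LEVELS = {
    1: "trace function calls",
    2: "debug packet handling",
    4: "heavy trace output",
    8: "connection management",
    16: "packets sent/received",
    32: "search filter processing",
    64: "config file processing",
    128: "access control list processing",
    1024: "shell database communications",
    2048: "entry parsing",
    4096: "housekeeping thread",
    8192: "replication",
    16384: "default level (always written)",
    32768: "database cache",
    65536: "server plug-in",
    262144: "access control summary",
}
ALWAYS_LOGGED = 16384  # written regardless of the configured level


def parse_ldif_attrs(text):
    """Return {attribute-name (lowercase): value} from a flat LDIF snippet.

    Assumption for this example: no line folding and no base64 ("::") values.
    """
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            attrs[m.group(1).lower()] = m.group(2).strip()
    return attrs


def decode_errorlog_level(level):
    """Split an additive level into its known bits; 16384 is always in effect."""
    effective = level | ALWAYS_LOGGED
    known = [bit for bit in sorted(ERRORLOG_LEVELS) if effective & bit]
    unknown = effective & ~sum(ERRORLOG_LEVELS)  # bits the reference does not define
    return known, unknown


def error_logging_enabled(attrs):
    """Table 3.5: logging happens only when the switch is on AND a path is set."""
    switch = attrs.get("nsslapd-errorlog-logging-enabled", "on").lower() == "on"
    return switch and attrs.get("nsslapd-errorlog", "") != ""


def rotation_enabled(attrs):
    """Section 3.1.1.86: maxlogsperdir is checked first, then logrotationtime."""
    if int(attrs.get("nsslapd-errorlog-maxlogsperdir", "1")) <= 1:
        return False
    return int(attrs.get("nsslapd-errorlog-logrotationtime", "1")) != -1


def mode_findings(mode):
    """Report permissive digits in an nsslapd-errorlog-mode value such as 606."""
    if not re.fullmatch(r"[0-7]{3}", mode):
        return ["invalid mode %r (expected three octal digits)" % mode]
    _owner, group, world = (int(d) for d in mode)
    findings = []
    if world & 2:
        findings.append("world-writable: anyone can overwrite or delete the logs")
    if group & 2:
        findings.append("group-writable")
    if world & 4:
        findings.append("world-readable")
    return findings


def audit_errorlog_config(text):
    """Evaluate the error-log attributes of a cn=config LDIF snippet."""
    attrs = parse_ldif_attrs(text)
    known, unknown = decode_errorlog_level(
        int(attrs.get("nsslapd-errorlog-level", "16384")))
    return {
        "logging_enabled": error_logging_enabled(attrs),
        "rotation_enabled": rotation_enabled(attrs),
        "level_bits": known,
        "level_unknown_bits": unknown,
        "mode_findings": mode_findings(attrs.get("nsslapd-errorlog-mode", "600")),
    }


# Constructed sample: replication debugging on, rotation effectively disabled
# (logrotationtime -1), and a world-writable log mode.
SAMPLE_CONFIG = """\
dn: cn=config
nsslapd-errorlog: /var/log/dirsrv/slapd-instance/errors
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-level: 8192
nsslapd-errorlog-maxlogsperdir: 10
nsslapd-errorlog-logrotationtime: -1
nsslapd-errorlog-mode: 606
"""

if __name__ == "__main__":
    for key, value in audit_errorlog_config(SAMPLE_CONFIG).items():
        print("%s: %s" % (key, value))
```

On a live instance the same attributes can be exported with an ldapsearch against cn=config and fed to audit_errorlog_config.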

3.1.1.91. nsslapd-force-sasl-external

When establishing a TLS connection, a client sends its certificate first and then issues a
BIND request using the SASL/EXTERNAL mechanism. Using SASL/EXTERNAL tells the
Directory Server to use the credentials in the certificate for the TLS handshake. However,
some clients do not use SASL/EXTERNAL when they send their BIND request, so the
Directory Server processes the bind as a simple authentication request or an anonymous
request and the TLS connection fails.

The nsslapd-force-sasl-external attribute forces clients in certificate-based
authentication to send the BIND request using the SASL/EXTERNAL method.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax String

Example nsslapd-force-sasl-external: on

3.1.1.92. nsslapd-groupevalnestlevel

This attribute is deprecated, and documented here only for historical purposes.

The Access Control Plug-in does not use the value specified by the nsslapd-
groupevalnestlevel attribute to set the number of levels of nesting that access control
performs for group evaluation. Instead, the number of levels of nesting is hardcoded as 5.

Parameter Description

Entry DN cn=config

Valid Range 0 to 5

Default Value 5


Syntax Integer

Example nsslapd-groupevalnestlevel: 5

3.1.1.93. nsslapd-idletimeout (Default Idle Timeout)

This attribute sets the amount of time in seconds after which an idle LDAP client connection
is closed by the server. A value of 0 means that the server never closes idle connections.
This setting applies to all connections and all users. Idle timeout is enforced when the
connection table is walked, when poll() does not return zero. Therefore, a server with a
single connection never enforces the idle timeout.

Use the nsIdleTimeout operational attribute, which can be added to user entries, to
override the value assigned to this attribute. For details, see the "Setting Resource Limits
Based on the Bind DN" section in the Red Hat Directory Server Administration Guide.

NOTE

For very large databases, with millions of entries, this attribute must have a
high enough value that the online initialization process can complete or
replication will fail when the connection to the server times out. Alternatively,
the nsIdleTimeout attribute can be set to a high value on the entry used as
the supplier bind DN.

Parameter Description

Entry DN cn=config

Valid Range 0 to the maximum 32 bit integer value (2147483647)

Default Value 0

Syntax Integer

Example nsslapd-idletimeout: 0

3.1.1.94. nsslapd-ignore-virtual-attrs

This parameter allows you to disable the virtual attribute lookup in a search entry.

If you do not require virtual attributes, you can disable virtual attribute lookups in search
results to increase the speed of searches.


Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-ignore-virtual-attrs: off

3.1.1.95. nsslapd-instancedir (Instance Directory)

This attribute is deprecated. There are now separate configuration parameters for instance-
specific paths, such as nsslapd-certdir and nsslapd-lockdir. See the documentation for
the specific directory path that is set.

3.1.1.96. nsslapd-ioblocktimeout (IO Block Time Out)

This attribute sets the amount of time in milliseconds after which the connection to a
stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not
made any I/O progress for read or write operations.

Parameter Description

Entry DN cn=config

Valid Range 0 to the maximum 32 bit integer value (2147483647) in ticks

Default Value 1800000

Syntax Integer

Example nsslapd-ioblocktimeout: 1800000

3.1.1.97. nsslapd-lastmod (Track Modification Time)

This attribute sets whether the Directory Server maintains the creatorsName,
createTimestamp, modifiersName, and modifyTimestamp operational attributes for newly
created or updated entries.

IMPORTANT

Red Hat recommends not disabling tracking these attributes. If disabled,
entries do not get a unique ID assigned in the nsUniqueID attribute and
replication does not work.


You do not have to restart the server for this setting to take effect.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-lastmod: on

3.1.1.98. nsslapd-ldapiautobind (Enable Autobind)

The nsslapd-ldapiautobind attribute sets whether the server will allow users to autobind to
Directory Server using LDAPI. Autobind maps the UID or GUID number of a system user to a
Directory Server user, and automatically authenticates the user to Directory Server based
on those credentials. The Directory Server connection occurs over a UNIX socket.

Along with enabling autobind, configuring autobind requires configuring mapping entries.
The nsslapd-ldapimaprootdn maps a root user on the system to the Directory Manager.
The nsslapd-ldapimaptoentries maps regular users to Directory Server users, based on
the parameters defined in the nsslapd-ldapiuidnumbertype, nsslapd-
ldapigidnumbertype, and nsslapd-ldapientrysearchbase attributes.

Autobind can only be enabled if LDAPI is enabled, meaning the nsslapd-ldapilisten attribute
is on and the nsslapd-ldapifilepath attribute is set to an LDAPI socket.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-ldapiautobind: off

3.1.1.99. nsslapd-ldapientrysearchbase (Search Base for LDAPI Authentication Entries)

With autobind, it is possible to map system users to Directory Server user entries, based on
the system user's UID and GUID numbers. This requires setting Directory Server
parameters for which attribute to use for the UID number (nsslapd-ldapiuidnumbertype)
and GUID number (nsslapd-ldapigidnumbertype) and setting the search base to use to
search for matching user entries.


The nsslapd-ldapientrysearchbase gives the subtree to search for user entries to use for
autobind.

Parameter Description

Entry DN cn=config

Valid Values DN

Default Value The suffix created when the server instance was created, such as
dc=example,dc=com

Syntax DN

Example nsslapd-ldapientrysearchbase: ou=people,dc=example,dc=com

3.1.1.100. nsslapd-ldapifilepath (File Location for LDAPI Socket)

LDAPI connects a user to an LDAP server over a UNIX socket rather than TCP. In order to
configure LDAPI, the server must be configured to communicate over a UNIX socket. The
UNIX socket to use is set in the nsslapd-ldapifilepath attribute.

Parameter Description

Entry DN cn=config

Valid Values Any directory path

Default Value /var/run/dirsrv/slapd-example.socket

Syntax Case-exact string

Example nsslapd-ldapifilepath: /var/run/slapd-example.socket

3.1.1.101. nsslapd-ldapigidnumbertype (Attribute Mapping for System GUID Number)

Autobind can be used to authenticate system users to the server automatically and connect
to the server using a UNIX socket. To map the system user to a Directory Server user for
authentication, the system user's UID and GUID numbers should be mapped to be a
Directory Server attribute. The nsslapd-ldapigidnumbertype attribute points to the
Directory Server attribute to map system GUIDs to user entries.

Users can only connect to the server with autobind if LDAPI is enabled (nsslapd-
ldapilisten and nsslapd-ldapifilepath), autobind is enabled (nsslapd-
ldapiautobind), and autobind mapping is enabled for regular users (nsslapd-
ldapimaptoentries).

Parameter Description

Entry DN cn=config

Valid Values Any Directory Server attribute

Default Value gidNumber

Syntax DirectoryString

Example nsslapd-ldapigidnumbertype: gidNumber

3.1.1.102. nsslapd-ldapilisten (Enable LDAPI)

The nsslapd-ldapilisten enables LDAPI connections to the Directory Server. LDAPI allows
users to connect to the Directory Server over a UNIX socket rather than a standard TCP
port. Along with enabling LDAPI by setting nsslapd-ldapilisten to on, there must also be
a UNIX socket set for LDAPI in the nsslapd-ldapifilepath attribute.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-ldapilisten: off

3.1.1.103. nsslapd-ldapimaprootdn (Autobind Mapping for Root User)

With autobind, a system user is mapped to a Directory Server user and then automatically
authenticated to the Directory Server over a UNIX socket.

The root system user (the user with a UID of 0) is mapped to whatever Directory Server
entry is specified in the nsslapd-ldapimaprootdn attribute.

Parameter Description

Entry DN cn=config

Valid Values Any DN


Default Value cn=Directory Manager

Syntax DN

Example nsslapd-ldapimaprootdn: cn=Directory Manager

3.1.1.104. nsslapd-ldapimaptoentries (Enable Autobind Mapping for Regular Users)

With autobind, a system user is mapped to a Directory Server user and then automatically
authenticated to the Directory Server over a UNIX socket. This mapping is automatic for
root users, but it must be enabled for regular system users through the nsslapd-
ldapimaptoentries attribute. Setting this attribute to on enables mapping for regular
system users to Directory Server entries. If this attribute is not enabled, then only root
users can use autobind to authenticate to the Directory Server, and all other users connect
anonymously.

The mappings themselves are configured through the nsslapd-ldapiuidnumbertype and
nsslapd-ldapigidnumbertype attributes, which map Directory Server attributes to the
user's UID and GUID numbers.

Users can only connect to the server with autobind if LDAPI is enabled (nsslapd-
ldapilisten and nsslapd-ldapifilepath) and autobind is enabled (nsslapd-
ldapiautobind).

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-ldapimaptoentries: on

3.1.1.105. nsslapd-ldapiuidnumbertype

Autobind can be used to authenticate system users to the server automatically and connect
to the server using a UNIX socket. To map the system user to a Directory Server user for
authentication, the system user's UID and GUID numbers must be mapped to be a
Directory Server attribute. The nsslapd-ldapiuidnumbertype attribute points to the
Directory Server attribute to map system UIDs to user entries.

Users can only connect to the server with autobind if LDAPI is enabled (nsslapd-
ldapilisten and nsslapd-ldapifilepath), autobind is enabled (nsslapd-
ldapiautobind), and autobind mapping is enabled for regular users (nsslapd-
ldapimaptoentries).

Parameter Description

Entry DN cn=config

Valid Values Any Directory Server attribute

Default Value uidNumber

Syntax DirectoryString

Example nsslapd-ldapiuidnumbertype: uidNumber

3.1.1.106. nsslapd-ldifdir

Directory Server exports files in LDAP Data Interchange Format (LDIF) to the
directory set in this parameter when using db2ldif or db2ldif.pl. The directory must
be owned by the Directory Server user and group. Only this user and group must have read
and write access to this directory.

The service must be restarted for changes to this attribute to take effect.

Parameter Description

Entry DN cn=config

Valid Values Any directory writable by the Directory Server user

Default Value /var/lib/dirsrv/slapd-instance_name/ldif/

Syntax DirectoryString

Example nsslapd-ldifdir: /var/lib/dirsrv/slapd-instance_name/ldif/

3.1.1.107. nsslapd-listen-backlog-size

This attribute sets the maximum size of the socket connection backlog. The listen service
sets the number of sockets available to receive incoming connections. The backlog setting
sets a maximum length to which the queue for the socket (sockfd) can grow before the
server refuses connections.

Parameter Description

Entry DN cn=config


Valid Values The maximum 64-bit integer value (9223372036854775807)

Default Value 128

Syntax Integer

Example nsslapd-listen-backlog-size: 128

3.1.1.108. nsslapd-listenhost (Listen to IP Address)

This attribute allows multiple Directory Server instances to run on a multihomed machine
(or makes it possible to limit listening to one interface of a multihomed machine). There
can be multiple IP addresses associated with a single host name, and these IP addresses
can be a mix of both IPv4 and IPv6. This parameter can be used to restrict the
Directory Server instance to a single IP interface.

If a host name is given as the nsslapd-listenhost value, then the Directory Server
responds to requests for every interface associated with the host name. If a single IP
interface (either IPv4 or IPv6) is given as the nsslapd-listenhost value, Directory Server
only responds to requests sent to that specific interface. Either an IPv4 or IPv6 address can
be used.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=config

Valid Values Any local host name, IPv4 or IPv6 address

Default Value

Syntax DirectoryString

Example nsslapd-listenhost: ldap.example.com

3.1.1.109. nsslapd-localhost (Local Host)

This attribute specifies the host machine on which the Directory Server runs. This attribute
creates the referral URL that forms part of the MMR protocol. In a high-availability
configuration with failover nodes, that referral should point to the virtual name of the
cluster, not the local host name.


Parameter Description

Entry DN cn=config

Valid Values Any fully qualified host name.

Default Value Hostname of installed machine.

Syntax DirectoryString

Example nsslapd-localhost: phonebook.example.com

3.1.1.110. nsslapd-localuser (Local User)

This attribute sets the user as whom the Directory Server runs. The group as which the user
runs is derived from this attribute by examining the user's primary group. Should the user
change, then all of the instance-specific files and directories for this instance need to be
changed to be owned by the new user, using a tool such as chown.

The value for the nsslapd-localuser is set initially when the server instance is configured.

Parameter Description

Entry DN cn=config

Valid Values Any valid user

Default Value

Syntax DirectoryString

Example nsslapd-localuser: dirsrv

3.1.1.111. nsslapd-lockdir (Server Lock File Directory)

This is the full path to the directory the server uses for lock files. The default value is
/var/lock/dirsrv/slapd-instance. Changes to this value will not take effect until the
server is restarted.

Parameter Description

Entry DN cn=config

Valid Values Absolute path to a directory owned by the server user ID with write access to the server ID


Default Value /var/lock/dirsrv/slapd-instance

Syntax DirectoryString

Example nsslapd-lockdir: /var/lock/dirsrv/slapd-instance

3.1.1.112. nsslapd-localssf

The nsslapd-localssf parameter sets the security strength factor (SSF) for LDAPI
connections. Directory Server allows LDAPI connections only if the value set in nsslapd-
localssf is greater than or equal to the value set in the nsslapd-minssf parameter.
Therefore, LDAPI connections meet the minimum SSF set in nsslapd-minssf.

You do not have to restart the server for this setting to take effect.

Parameter Description

Entry DN cn=config

Valid Values 0 to the maximum 32-bit integer value (2147483647)

Default Value 71

Syntax Integer

Example nsslapd-localssf: 71

3.1.1.113. nsslapd-logging-hr-timestamps-enabled (Enable or Disable High-resolution Log Timestamps)

Controls whether logs will use high resolution timestamps with nanosecond precision, or
standard resolution timestamps with one second precision. Enabled by default. Set this
option to off to revert log timestamps back to one second precision, which was used in
Red Hat Directory Server 10.0 and earlier.

This setting does not require restarting the server to take effect.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on


Syntax DirectoryString

Example nsslapd-logging-hr-timestamps-enabled: on

3.1.1.114. nsslapd-maxbersize (Maximum Message Size)

Defines the maximum size in bytes allowed for an incoming message. This limits the size of
LDAP requests that can be handled by the Directory Server. Limiting the size of requests
prevents some kinds of denial of service attacks.

The limit applies to the total size of the LDAP request. For example, if the request is to add
an entry and if the entry in the request is larger than the configured value or the default,
then the add request is denied. However, the limit is not applied to replication processes.
Be cautious before changing this attribute.

This setting does not require a server restart to take effect.

Parameter Description

Entry DN cn=config

Valid Range 0 - 2 gigabytes (2,147,483,647 bytes). Zero (0) means that the default value should be used.

Default Value 2097152

Syntax Integer

Example nsslapd-maxbersize: 2097152
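The following is an added example, not code from the Red Hat documentation. It models how a per-message limit such as nsslapd-maxbersize can be enforced from the BER header of an LDAPMessage alone, before the body is read: every LDAPMessage is a BER SEQUENCE (tag 0x30) whose length field states how many content bytes follow. Function names are this example's own, the sample headers are constructed, and counting the header bytes toward the limit is an assumption of the model, not a statement about the server's internals.

```python
from __future__ import annotations

SEQUENCE_TAG = 0x30           # every LDAPMessage is a BER SEQUENCE
DEFAULT_MAXBERSIZE = 2097152  # documented default for nsslapd-maxbersize


def decode_ber_length(buf: bytes, offset: int) -> tuple[int, int]:
    """Decode the BER length field that starts at buf[offset].

    Returns (content_length, number_of_bytes_used_by_the_length_field).
    """
    if offset >= len(buf):
        raise ValueError("truncated: no length byte")
    first = buf[offset]
    if first < 0x80:                       # short form: one byte, values 0..127
        return first, 1
    n = first & 0x7F                       # long form: 0x80|n, then n length bytes
    if n == 0:
        raise ValueError("indefinite-length encoding is not valid in LDAP")
    if n > 4:
        raise ValueError("length field wider than 32 bits")
    if offset + 1 + n > len(buf):
        raise ValueError("truncated: length bytes missing")
    length = int.from_bytes(buf[offset + 1:offset + 1 + n], "big")
    return length, 1 + n


def ldapmessage_size(header: bytes) -> int:
    """Total wire size (tag + length field + content) declared by the header."""
    if not header or header[0] != SEQUENCE_TAG:
        raise ValueError("not an LDAPMessage: expected SEQUENCE tag 0x30")
    content_len, len_bytes = decode_ber_length(header, 1)
    return 1 + len_bytes + content_len


def within_maxbersize(header: bytes, maxbersize: int = 0) -> bool:
    """True if the declared message fits the limit, False if it must be refused.

    A configured value of 0 means "use the default", as the reference states.
    """
    limit = maxbersize if maxbersize > 0 else DEFAULT_MAXBERSIZE
    return ldapmessage_size(header) <= limit


def encode_ber_length(n: int) -> bytes:
    """Encode a content length in BER; used here only to build sample headers."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def make_header(content_len: int) -> bytes:
    """Constructed sample: the leading bytes of an LDAPMessage of the given size."""
    return bytes([SEQUENCE_TAG]) + encode_ber_length(content_len)


if __name__ == "__main__":
    # A bind-sized request, a large but permitted add, and an oversized add.
    for content in (42, 2_000_000, 3_000_000):
        hdr = make_header(content)
        print(hdr.hex(), ldapmessage_size(hdr), within_maxbersize(hdr))
```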

3.1.1.115. nsslapd-maxdescriptors (Maximum File Descriptors)

This attribute sets the maximum, platform-dependent number of file descriptors that the
Directory Server tries to use. A file descriptor is used whenever a client connects to the
server and also for some server activities, such as index maintenance. File descriptors are
also used by access logs, error logs, audit logs, database files (indexes and transaction
logs), and as sockets for outgoing connections to other servers for replication and chaining.

The number of descriptors available for TCP/IP to serve client connections is determined by
nsslapd-conntablesize, and is equal to the nsslapd-maxdescriptors attribute minus the
number of file descriptors used by the server as specified in the nsslapd-
reservedescriptors attribute for non-client connections, such as index management and
managing replication. The nsslapd-reservedescriptors attribute is the number of file
descriptors available for other uses as described above. See Section 3.1.1.141, “nsslapd-
reservedescriptors (Reserved File Descriptors)”.


The number given here should not be greater than the total number of file descriptors that
the operating system allows the ns-slapd process to use. This number differs depending on
the operating system.

If this value is set too high, the Directory Server queries the operating system for the
maximum allowable value, and then uses that value. It also issues a warning in the error
log. If this value is set to an invalid value remotely, by using the Directory Server Console
or ldapmodify, the server rejects the new value, keeps the old value, and responds with an
error.

Some operating systems let users configure the number of file descriptors available to a
process. See the operating system documentation for details on file descriptor limits and
configuration. The dsktune program (explained in the Red Hat Directory Server
Installation Guide) can be used to suggest changes to the system kernel or TCP/IP tuning
attributes, including increasing the number of file descriptors if necessary. Increase the
value on this attribute if the Directory Server is refusing connections because it is out of file
descriptors. When this occurs, the following message is written to the Directory Server's
error log file:

Not listening for new connections -- too many fds open

See Section 3.1.1.60, “nsslapd-conntablesize” for more information about increasing the
number of incoming connections.

NOTE

UNIX shells usually have configurable limits on the number of file descriptors.
See the operating system documentation for further information about limit
and ulimit, as these limits can often cause problems.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=config

Valid Range 1 to 65535

Default Value 1024

Syntax Integer

Example nsslapd-maxdescriptors: 1024

3.1.1.116. nsslapd-maxsasliosize (Maximum SASL Packet Size)

When a user is authenticated to the Directory Server over SASL GSS-API, the server must
allocate a certain amount of memory to the client to perform LDAP operations, according to
how much memory the client requests. It is possible for an attacker to send such a large
packet size that it crashes the Directory Server or ties it up indefinitely as part of a denial of
service attack.


The packet size which the Directory Server will allow for SASL clients can be limited using
the nsslapd-maxsasliosize attribute. This attribute sets the maximum allowed SASL IO
packet size that the server will accept.

When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the
server immediately disconnects the client and logs a message to the error log, so that an
administrator can adjust the setting if necessary.

This attribute value is specified in bytes.

Parameter Description

Entry DN cn=config

Valid Range -1 (unlimited) to the maximum 32-bit integer value (2147483647) on 32-bit systems; -1 (unlimited) to the maximum 64-bit integer value (9223372036854775807) on 64-bit systems

Default Value 2000000 (2MB)

Syntax Integer

Example nsslapd-maxsasliosize: 5000000

3.1.1.117. nsslapd-maxthreadsperconn (Maximum Threads per Connection)

Defines the maximum number of threads that a connection should use. For normal
operations where a client binds and only performs one or two operations before unbinding,
use the default value. For situations where a client binds and simultaneously issues many
requests, increase this value to allow each connection enough resources to perform all the
operations. This attribute is not available from the server console.

Parameter Description

Entry DN cn=config

Valid Range 1 to maximum threadnumber

Default Value 5

Syntax Integer

Example nsslapd-maxthreadsperconn: 5


3.1.1.118. nsslapd-minssf

A security strength factor is a relative measurement of how strong a connection is
according to its key strength. The SSF determines how secure a TLS or SASL connection is.
The nsslapd-minssf attribute sets a minimum SSF requirement for any connection to the
server; any connection attempts that are weaker than the minimum SSF are rejected.

TLS and SASL connections can be mixed in a connection to the Directory Server. These
connections generally have different SSFs. The higher of the two SSFs is used to compare
to the minimum SSF requirement.

Setting the SSF value to 0 means that there is no minimum setting.

Parameter Description

Entry DN cn=config

Valid Values Any positive integer

Default Value 0 (off)

Syntax DirectoryString

Example nsslapd-minssf: 128

3.1.1.119. nsslapd-minssf-exclude-rootdse

A security strength factor is a relative measurement of how strong a connection is
according to its key strength. The SSF determines how secure a TLS or SASL connection is.

The nsslapd-minssf-exclude-rootdse attribute sets a minimum SSF requirement for any
connection to the server except for queries for the root DSE. This enforces appropriate
SSF values for most connections, while still allowing clients to get required information
about the server configuration from the root DSE without having to establish a secure
connection first.

Parameter Description

Entry DN cn=config

Valid Values Any positive integer

Default Value 0 (off)

Syntax DirectoryString

Example nsslapd-minssf-exclude-rootdse: 128
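The following is an added example, not code from the Red Hat documentation. It models the rules stated for nsslapd-minssf, nsslapd-minssf-exclude-rootdse and nsslapd-localssf (Section 3.1.1.112) in one decision function: the higher of the TLS and SASL SSFs is compared against the minimum, an LDAPI connection is credited with nsslapd-localssf, and the exclude-rootdse minimum is not applied to root DSE queries. The SsfConfig and Connection records and the function names are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class SsfConfig:
    """The three cn=config settings this model reads (names from the reference)."""
    minssf: int = 0                  # nsslapd-minssf; 0 means no minimum
    minssf_exclude_rootdse: int = 0  # nsslapd-minssf-exclude-rootdse; 0 means off
    localssf: int = 71               # nsslapd-localssf, the SSF credited to LDAPI


@dataclass
class Connection:
    """Hypothetical connection record for this example."""
    tls_ssf: int = 0        # 0 when the connection is not protected by TLS
    sasl_ssf: int = 0       # 0 when no SASL security layer was negotiated
    ldapi: bool = False     # True for a Unix-domain socket (LDAPI) connection


def effective_ssf(cfg: SsfConfig, conn: Connection) -> int:
    """The SSF the server compares against the configured minimums."""
    if conn.ldapi:
        # LDAPI carries no cryptographic protection; nsslapd-localssf is assigned.
        return cfg.localssf
    # TLS and SASL can be mixed on one connection; the higher SSF is used.
    return max(conn.tls_ssf, conn.sasl_ssf)


def ldapi_permitted(cfg: SsfConfig) -> bool:
    """LDAPI is usable only if nsslapd-localssf is at least nsslapd-minssf."""
    return cfg.localssf >= cfg.minssf


def check_connection(cfg: SsfConfig, conn: Connection,
                     rootdse_query: bool = False) -> tuple[bool, str]:
    """Decide whether an operation is allowed under the minimum-SSF settings.

    nsslapd-minssf applies to every connection. nsslapd-minssf-exclude-rootdse
    applies to everything except queries for the root DSE, so a client can still
    read the server configuration it needs before securing the channel.
    """
    ssf = effective_ssf(cfg, conn)
    if ssf < cfg.minssf:
        return False, f"SSF {ssf} is below nsslapd-minssf {cfg.minssf}"
    if not rootdse_query and ssf < cfg.minssf_exclude_rootdse:
        return False, (f"SSF {ssf} is below nsslapd-minssf-exclude-rootdse "
                       f"{cfg.minssf_exclude_rootdse}")
    return True, f"allowed with SSF {ssf}"


if __name__ == "__main__":
    cfg = SsfConfig(minssf=128)
    for conn in (Connection(), Connection(tls_ssf=256), Connection(ldapi=True)):
        print(conn, check_connection(cfg, conn))
```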

3.1.1.120. nsslapd-moddn-aci


This parameter controls the ACI checks when directory entries are moved from one subtree
to another and using source and target restrictions in moddn operations. For backward
compatibility, you can disable the ACI checks.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-moddn-aci: on

3.1.1.121. nsslapd-malloc-mmap-threshold

If a Directory Server instance is started as a service using the systemctl utility,
environment variables are not passed to the server unless you set them in the
/etc/sysconfig/dirsrv or /etc/sysconfig/dirsrv-instance_name file. For further
details, see the systemd.exec(3) man page.

Instead of manually editing the service files to set the M_MMAP_THRESHOLD environment
variable, the nsslapd-malloc-mmap-threshold parameter enables you to set the value in
the Directory Server configuration. For further details, see the M_MMAP_THRESHOLD
parameter description in the mallopt(3) man page.

This setting does not require restarting the server to take effect.

Parameter Description

Entry DN cn=config

Valid Range 0 - 33554432

Default Value See the M_MMAP_THRESHOLD parameter description in the mallopt(3) man page.

Syntax Integer

Example nsslapd-malloc-mmap-threshold: 33554432

3.1.1.122. nsslapd-malloc-mxfast

If a Directory Server instance is started as a service using the systemctl utility,
environment variables are not passed to the server unless you set them in the
/etc/sysconfig/dirsrv or /etc/sysconfig/dirsrv-instance_name file. For further
details, see the systemd.exec(3) man page.


Instead of manually editing the service files to set the M_MXFAST environment variable, the
nsslapd-malloc-mxfast parameter enables you to set the value in the Directory Server
configuration. For further details, see the M_MXFAST parameter description in the mallopt(3)
man page.

This setting does not require restarting the server to take effect.

Parameter Description

Entry DN cn=config

Valid Range 0 - 80 * (sizeof(size_t) / 4)

Default Value See the M_MXFAST parameter description in the mallopt(3) man page.

Syntax Integer

Example nsslapd-malloc-mxfast: 1048560

3.1.1.123. nsslapd-malloc-trim-threshold

If a Directory Server instance is started as a service using the systemctl utility,
environment variables are not passed to the server unless you set them in the
/etc/sysconfig/dirsrv or /etc/sysconfig/dirsrv-instance_name file. For further
details, see the systemd.exec(3) man page.

Instead of manually editing the service files to set the M_TRIM_THRESHOLD environment
variable, the nsslapd-malloc-trim-threshold parameter enables you to set the value in
the Directory Server configuration. For further details, see the M_TRIM_THRESHOLD
parameter description in the mallopt(3) man page.

This setting does not require restarting the server to take effect.

Parameter Description

Entry DN cn=config

Valid Range 0 to 2^31-1

Default Value See the M_TRIM_THRESHOLD parameter description in the mallopt(3) man page.

Syntax Integer

Example nsslapd-malloc-trim-threshold: 131072

3.1.1.124. nsslapd-nagle

When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP
responses (such as entries or result messages) are sent back to a client immediately. When
the attribute is turned on, default TCP behavior applies; specifically, sending data is delayed
so that additional data can be grouped into one packet of the underlying network MTU size,
typically 1500 bytes for Ethernet.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-nagle: off

3.1.1.125. nsslapd-ndn-cache-enabled

Normalizing distinguished names (DN) is a resource intensive task. If the nsslapd-ndn-
cache-enabled parameter is enabled, Directory Server caches normalized DNs in memory.
Update the nsslapd-ndn-cache-max-size parameter to set the maximum size of this
cache.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-ndn-cache-enabled: on

3.1.1.126. nsslapd-ndn-cache-max-size

Normalizing distinguished names (DN) is a resource intensive task. If the nsslapd-ndn-
cache-enabled parameter is enabled, Directory Server caches normalized DNs in memory.
The nsslapd-ndn-cache-max-size parameter sets the maximum size of this cache.

If a DN requested is not cached already, it is normalized and added. When the cache size
limit is exceeded, Directory Server removes the least recently used 10,000 DNs from the
cache. However, a minimum of 10,000 DNs is always kept cached.


Parameter Description

Entry DN cn=config

Valid Values 0 to the maximum 32-bit integer value (2147483647)

Default Value 20971520

Syntax Integer

Example nsslapd-ndn-cache-max-size: 20971520

3.1.1.127. nsslapd-outbound-ldap-io-timeout

This attribute limits the I/O wait time for all outbound LDAP connections. The default is
300000 milliseconds (5 minutes). A value of 0 means that the server does not impose a limit
on I/O wait time.

Parameter Description

Entry DN cn=config

Valid Range 0 to the maximum 32-bit integer value (2147483647)

Default Value 300000

Syntax DirectoryString

Example nsslapd-outbound-ldap-io-timeout: 300000

3.1.1.128. nsslapd-pagedsizelimit (Size Limit for Simple Paged Results Searches)

This attribute sets the maximum number of entries to return from a search operation that
uses the simple paged results control. This overrides the nsslapd-sizelimit attribute for
paged searches.

If this value is set to zero, then the nsslapd-sizelimit attribute is used for paged
searches as well as non-paged searches.

Parameter Description

Entry DN cn=config


Valid Range -1 to the maximum 32-bit integer value (2147483647)

Default Value

Syntax Integer

Example nsslapd-pagedsizelimit: 10000

3.1.1.129. nsslapd-plug-in

This read-only attribute lists the DNs of the plug-in entries for the syntax and matching rule
plug-ins loaded by the server.

3.1.1.130. nsslapd-plugin-binddn-tracking

Sets the bind DN used for an operation as the modifier of an entry, even if the operation
itself was initiated by a server plug-in. The specific plug-in which performed the operation is
listed in a separate operational attribute, internalModifiersname.

One change can trigger other, automatic changes in the directory tree. When a user is
deleted, for example, that user is automatically removed from any groups it belonged to by
the Referential Integrity Plug-in. The initial deletion of the user is performed by whatever
user account is bound to the server, but the updates to the groups (by default) are shown
as being performed by the plug-in, with no information about which user initiated that
update. The nsslapd-plugin-binddn-tracking attribute allows the server to track which
user originated an update operation, as well as the internal plug-in which actually
performed it. For example:

dn: cn=my_group,ou=groups,dc=example,dc=com
modifiersname: uid=jsmith,ou=people,dc=example,dc=com
internalModifiersname: cn=referential integrity plugin,cn=plugins,cn=config

This attribute is disabled by default.

Parameter Description

Entry DN cn=config

Valid Range on | off

Default Value off

Syntax DirectoryString

Example nsslapd-plugin-binddn-tracking: on


3.1.1.131. nsslapd-plugin-logging

By default, even if access logging is set to record internal operations, plug-in internal
operations are not logged in the access log file. Instead of enabling the logging in each
plug-in's configuration, you can control it globally with this parameter.

When enabled, plug-ins use this global setting and log access and audit events if enabled.

If nsslapd-plugin-logging is enabled and nsslapd-accesslog-level is set to record
internal operations, unindexed searches and other internal operations are logged into the
access log file.

In case nsslapd-plugin-logging is not set, unindexed searches from plug-ins are still
logged in the Directory Server error log.

Parameter Description

Entry DN cn=config

Valid Range on | off

Default Value off

Syntax DirectoryString

Example nsslapd-plugin-logging: off

3.1.1.132. nsslapd-port (Port Number)

This attribute gives the TCP/IP port number used for standard LDAP communications. To run
TLS over this port, use the Start TLS extended operation. This selected port must be unique
on the host system; make sure no other application is attempting to use the same port
number. Specifying a port number of less than 1024 means the Directory Server has to be
started as root.

The server sets its uid to the nsslapd-localuser value after startup. When changing the
port number for a configuration directory, the corresponding server instance entry in the
configuration directory must be updated.

The server has to be restarted for the port number change to be taken into account.

Parameter Description

Entry DN cn=config

Valid Range 1 to 65535

Default Value 389

Syntax Integer


Example nsslapd-port: 389

NOTE

Set the port number to zero (0) to disable the LDAP port if the LDAPS port is
enabled.

3.1.1.133. nsslapd-privatenamespaces

This read-only attribute contains the list of the private naming contexts cn=config,
cn=schema, and cn=monitor.

Parameter Description

Entry DN cn=config

Valid Values cn=config, cn=schema, and cn=monitor

Default Value

Syntax DirectoryString

Example nsslapd-privatenamespaces: cn=config

3.1.1.134. nsslapd-pwpolicy-inherit-global (Inherit Global Password Syntax)

When the fine-grained password syntax is not set, new or updated passwords are not
checked even though the global password syntax is configured. To inherit the global fine-
grained password syntax, set this attribute to on.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-pwpolicy-inherit-global: off


3.1.1.135. nsslapd-pwpolicy-local (Enable Subtree- and User-Level Password Policy)

Turns fine-grained (subtree- and user-level) password policy on and off.

If this attribute has a value of off, all entries (except for cn=Directory Manager) in the
directory are subjected to the global password policy; the server ignores any defined
subtree/user level password policy.

If this attribute has a value of on, the server checks for password policies at the subtree-
and user-level and enforces those policies.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-pwpolicy-local: off

3.1.1.136. nsslapd-readonly (Read Only)

This attribute sets whether the whole server is in read-only mode, meaning that neither
data in the databases nor configuration information can be modified. Any attempt to modify
a database in read-only mode returns an error indicating that the server is unwilling to
perform the operation.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-readonly: off

3.1.1.137. nsslapd-referral (Referral)

This multi-valued attribute specifies the LDAP URLs to be returned by the suffix when the
server receives a request for an entry not belonging to the local tree; that is, an entry
whose suffix does not match the value specified on any of the suffix attributes. For
example, assume the server contains only entries:


ou=People,dc=example,dc=com

but the request is for this entry:

ou=Groups,dc=example,dc=com

In this case, the referral would be passed back to the client in an attempt to allow the LDAP
client to locate a server that contains the requested entry. Although only one referral is
allowed per Directory Server instance, this referral can have multiple values.

NOTE

To use TLS communications, the referral attribute should be in the form
ldaps://server-location.

Start TLS does not support referrals.

For more information on managing referrals, see the "Configuring Directory Databases"
chapter in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Values Any valid LDAP URL

Default Value

Syntax DirectoryString

Example nsslapd-referral:
ldap://ldap.example.com/dc=example,dc=com

3.1.1.138. nsslapd-referralmode (Referral Mode)

When set, this attribute sends back the referral for any request on any suffix.

Parameter Description

Entry DN cn=config

Valid Values Any valid LDAP URL

Default Value

Syntax DirectoryString


Example nsslapd-referralmode:
ldap://ldap.example.com

3.1.1.139. nsslapd-require-secure-binds

This parameter requires that a user authenticate to the directory over a protected
connection such as TLS, StartTLS, or SASL, rather than a regular connection.

NOTE

This only applies to authenticated binds. Anonymous binds and
unauthenticated binds can still be completed over a standard channel, even if
nsslapd-require-secure-binds is turned on.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-require-secure-binds: on

3.1.1.140. nsslapd-requiresrestart

This parameter lists what other core configuration attributes require that the server be
restarted after a modification. This means that if any attribute listed in nsslapd-
requiresrestart is changed, the new setting does not take effect until after the server is
restarted. The list of attributes can be returned in an ldapsearch:

ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)" | grep nsslapd-requiresrestart

This attribute is multi-valued.

Parameter Description

Entry DN cn=config

Valid Values Any core server configuration attribute

Default Value


Syntax DirectoryString

Example nsslapd-requiresrestart: nsslapd-cachesize

3.1.1.141. nsslapd-reservedescriptors (Reserved File Descriptors)

This attribute specifies the number of file descriptors that Directory Server reserves for
managing non-client connections, such as index management and managing replication.
The number of file descriptors that the server reserves for this purpose subtracts from the
total number of file descriptors available for servicing LDAP client connections (See
Section 3.1.1.115, “nsslapd-maxdescriptors (Maximum File Descriptors)”).

Most installations of Directory Server should never need to change this attribute. However,
consider increasing the value on this attribute if all of the following are true:

The server is replicating to a large number of consumer servers (more than 10), or
the server is maintaining a large number of index files (more than 30).

The server is servicing a large number of LDAP connections.

There are error messages reporting that the server is unable to open file descriptors
(the actual error message differs depending on the operation that the server is
attempting to perform), but these error messages are not related to managing
client LDAP connections.

Increasing the value on this attribute may result in more LDAP clients being unable to
access the directory. Therefore, if the value on this attribute is increased, also increase the
value on the nsslapd-maxdescriptors attribute. It may not be possible to increase the
nsslapd-maxdescriptors value if the server is already using the maximum number of file
descriptors that the operating system allows a process to use; see the operating system
documentation for details. If this is the case, then reduce the load on the server by causing
LDAP clients to search alternative directory replicas. See Section 3.1.1.60, “nsslapd-
conntablesize” for information about file descriptor usage for incoming connections.

To assist in computing the number of file descriptors set for this attribute, use the following
formula:

nsslapd-reservedescriptor = 20 + (NldbmBackends * 4) + NglobalIndex +
ReplicationDescriptor + ChainingBackendDescriptors + PTADescriptors +
SSLDescriptors

NldbmBackends is the number of ldbm databases.

NglobalIndex is the total number of configured indexes for all databases including
system indexes. (By default 8 system indexes and 17 additional indexes per
database).

ReplicationDescriptor is eight (8) plus the number of replicas in the server that can
act as a supplier or hub (NSupplierReplica).


ChainingBackendDescriptors is NchainingBackend times the
nsOperationConnectionsLimit (a chaining or database link configuration attribute; 10
by default).

PTADescriptors is 3 if PTA is configured and 0 if PTA is not configured.

SSLDescriptors is 5 (4 files + 1 listensocket) if TLS is configured and 0 if TLS is not
configured.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=config

Valid Range 1 to 65535

Default Value 64

Syntax Integer

Example nsslapd-reservedescriptors: 64
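The following is an added example, not code from the Red Hat documentation. It carries the nsslapd-reservedescriptors formula above through with the reference's own terms, then relates the result to nsslapd-maxdescriptors (Section 3.1.1.115) and to the operating-system limit on the ns-slapd process: the descriptors left for client connections are maxdescriptors minus reservedescriptors, and a maxdescriptors value above the process limit is the case the reference says the server falls back from with a warning. The DescriptorPlan record and function names are this example's own; reading RLIMIT_NOFILE from the current process stands in for inspecting the ns-slapd process.

```python
from __future__ import annotations

from dataclasses import dataclass

try:
    import resource            # POSIX only; reads this process's RLIMIT_NOFILE
except ImportError:            # not available on Windows
    resource = None


@dataclass
class DescriptorPlan:
    """Inputs to the nsslapd-reservedescriptors formula (terms from the reference)."""
    n_ldbm_backends: int              # NldbmBackends
    n_global_index: int               # NglobalIndex, system indexes included
    n_supplier_replica: int = 0       # replicas that can act as supplier or hub
    n_chaining_backend: int = 0       # NchainingBackend (database links)
    ops_connections_limit: int = 10   # nsOperationConnectionsLimit, 10 by default
    pta_configured: bool = False      # pass-through authentication in use
    tls_configured: bool = False      # TLS configured on the server


def default_global_index(n_ldbm_backends: int) -> int:
    """8 system indexes plus 17 additional indexes per database, as documented."""
    return n_ldbm_backends * (8 + 17)


def reserve_descriptors(p: DescriptorPlan) -> int:
    """Evaluate the formula given for nsslapd-reservedescriptors."""
    replication = 8 + p.n_supplier_replica                    # ReplicationDescriptor
    chaining = p.n_chaining_backend * p.ops_connections_limit  # ChainingBackendDescriptors
    pta = 3 if p.pta_configured else 0                         # PTADescriptors
    ssl = 5 if p.tls_configured else 0                         # SSLDescriptors: 4 files + 1 listen socket
    return 20 + p.n_ldbm_backends * 4 + p.n_global_index + replication + chaining + pta + ssl


def client_connection_capacity(maxdescriptors: int, reservedescriptors: int) -> int:
    """Descriptors left for incoming client connections (nsslapd-conntablesize)."""
    return max(maxdescriptors - reservedescriptors, 0)


def check_against_os_limit(maxdescriptors: int, soft_limit: int | None = None) -> list[str]:
    """Warn when nsslapd-maxdescriptors exceeds what the OS grants the process."""
    if soft_limit is None:
        if resource is None:
            raise RuntimeError("pass soft_limit explicitly on this platform")
        soft_limit = resource.getrlimit(resource.RLIMIT_NOFILE)[0]
    if maxdescriptors > soft_limit:
        return [f"nsslapd-maxdescriptors {maxdescriptors} exceeds the process limit "
                f"{soft_limit}; the server would fall back to the OS maximum and warn "
                f"in the error log"]
    return []


def plan_descriptors(p: DescriptorPlan, maxdescriptors: int = 1024,
                     soft_limit: int | None = None) -> dict:
    """Put the pieces together the way an administrator sizing a server would."""
    reserved = reserve_descriptors(p)
    capacity = client_connection_capacity(maxdescriptors, reserved)
    warnings = check_against_os_limit(maxdescriptors, soft_limit)
    if capacity == 0:
        warnings.append("reserved descriptors leave no room for client connections; "
                        "raise nsslapd-maxdescriptors")
    return {"reservedescriptors": reserved, "maxdescriptors": maxdescriptors,
            "client_capacity": capacity, "warnings": warnings}


if __name__ == "__main__":
    # Constructed inputs: a single-database supplier with TLS, and a larger deployment.
    small = DescriptorPlan(1, default_global_index(1), n_supplier_replica=1, tls_configured=True)
    big = DescriptorPlan(2, 50, n_supplier_replica=2, n_chaining_backend=1,
                         pta_configured=True, tls_configured=True)
    for p in (small, big):
        print(plan_descriptors(p, maxdescriptors=1024))
```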

3.1.1.142. nsslapd-return-exact-case (Return Exact Case)

Returns the exact case of attribute type names as requested by the client. Although
LDAPv3-compliant clients must ignore the case of attribute names, some client applications
require attribute names to match exactly the case of the attribute as it is listed in the
schema when the attribute is returned by the Directory Server as the result of a search or
modify operation. However, most client applications ignore the case of attributes;
therefore, by default, this attribute is disabled. Do not modify it unless there are legacy
clients that can check the case of attribute names in results returned from the server.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-return-exact-case: off

3.1.1.143. nsslapd-rewrite-rfc1274

This attribute is deprecated and will be removed in a later version.


This attribute is used only for LDAPv2 clients that require attribute types to be returned
with their RFC 1274 names. Set the value to on for those clients. The default is off.

3.1.1.144. nsslapd-rootdn (Manager DN)

This attribute sets the distinguished name (DN) of an entry that is not subject to access
control restrictions, administrative limit restrictions for operations on the directory, or
resource limits in general. There does not have to be an entry corresponding to this DN,
and by default there is not an entry for this DN, thus values like cn=Directory Manager are
acceptable.

For information on changing the root DN, see the "Creating Directory Entries" chapter in
the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Values Any valid distinguished name

Default Value

Syntax DN

Example nsslapd-rootdn: cn=Directory Manager

3.1.1.145. nsslapd-rootpw (Root Password)

This attribute sets the password associated with the Manager DN. When the root password
is provided, it is encrypted according to the encryption method selected for the nsslapd-
rootpwstoragescheme attribute. When viewed from the server console, this attribute
shows the value *****. When viewed from the dse.ldif file, this attribute shows the
encryption method followed by the encrypted string of the password. The example shows
the password as displayed in the dse.ldif file, not the actual password.


WARNING

When the root DN is configured at server setup, a root password is
required. However, it is possible for the root password to be deleted from
dse.ldif by directly editing the file. In this situation, the root DN can
only obtain the same access to the directory as is allowed for anonymous
access. Always make sure that a root password is defined in dse.ldif
when a root DN is configured for the database. The pwdhash command-line
utility can create a new root password. For more information, see
Section 10.3.14, “pwdhash (Encrypts Passwords)”.


IMPORTANT

When resetting the Directory Manager's password from the command line, do
not use curly braces ({}) in the password. The root password is stored in the
format {password-storage-scheme}hashed_password. Any characters in curly
braces are interpreted by the server as the password storage scheme for the
root password. If that text is not a valid storage scheme or if the password that
follows is not properly hashed, then the Directory Manager cannot bind to the
server.

Parameter Description

Entry DN cn=config

Valid Values Any valid password, encrypted by any one of the encryption methods which are described in Section 4.1.43, “Password Storage Schemes”.

Default Value

Syntax DirectoryString {encryption_method}encrypted_Password

Example nsslapd-rootpw: {SSHA}9Eko69APCJfF

3.1.1.146. nsslapd-rootpwstoragescheme (Root Password Storage Scheme)

This attribute sets the method used to encrypt the Directory Server's manager password
stored in the nsslapd-rootpw attribute. For further details, such as recommended strong
password storage schemes, see Section 4.1.43, “Password Storage Schemes”.

This setting does not require restarting the server to take effect.

Parameter Description

Entry DN cn=config

Valid Values See Section 4.1.43, “Password Storage Schemes”.

Default Value SSHA512

Syntax DirectoryString

Example nsslapd-rootpwstoragescheme: SSHA512
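The following is an added example, not code from the Red Hat documentation, covering Sections 3.1.1.145 and 3.1.1.146. It parses an nsslapd-rootpw value in the {password-storage-scheme}hashed_password form described above, verifies a candidate password against it, and lints the value for the failure modes the reference warns about (no password defined in dse.ldif, or a new plaintext containing curly braces that the server would read as a scheme name). The salted-SHA layout, base64 of the digest over password followed by salt with the salt appended, is the common LDAP convention and is an assumption of this example; the schemes listed are the two the page names, and the function names and sample salt are this example's own.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import os

# Assumed salted-SHA layout: base64( H(password || salt) || salt ), H and
# digest length per scheme. Only the schemes named on this page are covered.
SALTED_SCHEMES = {"SSHA": ("sha1", 20), "SSHA512": ("sha512", 64)}


def split_scheme(stored: str) -> tuple[str, str]:
    """Split '{password-storage-scheme}hashed_password' into (SCHEME, hash)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value is not in {scheme}hashed_password form")
    close = stored.index("}")
    return stored[1:close].upper(), stored[close + 1:]


def hash_rootpw(password: str, scheme: str = "SSHA512",
                salt: bytes | None = None) -> str:
    """Build a stored value for a salted-SHA scheme (random 8-byte salt by default)."""
    algo, _ = SALTED_SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def verify_rootpw(stored: str, password: str) -> bool:
    """Check a candidate password against a stored salted-SHA value."""
    scheme, data = split_scheme(stored)
    if scheme not in SALTED_SCHEMES:
        raise ValueError(f"scheme {scheme!r} is not handled by this example")
    algo, dlen = SALTED_SCHEMES[scheme]
    try:
        raw = base64.b64decode(data, validate=True)
    except binascii.Error:
        return False
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen:
        return False                      # truncated or corrupted hash
    calc = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def new_rootpw_acceptable(password: str) -> bool:
    """A new plaintext must not contain braces: they would be read as a scheme."""
    return bool(password) and "{" not in password and "}" not in password


def rootpw_value_problems(stored: str) -> list[str]:
    """Lint an nsslapd-rootpw value as it appears in dse.ldif ('' = missing)."""
    if not stored:
        return ["no root password defined: the root DN gets only anonymous access"]
    try:
        scheme, data = split_scheme(stored)
    except ValueError as exc:
        return [str(exc)]
    if scheme not in SALTED_SCHEMES:
        return [f"scheme {scheme!r} is not recognised by this check"]
    _, dlen = SALTED_SCHEMES[scheme]
    try:
        raw = base64.b64decode(data, validate=True)
    except binascii.Error:
        return [f"{scheme} hash is not valid base64"]
    if len(raw) <= dlen:
        return [f"{scheme} hash is too short for a {dlen}-byte digest plus salt"]
    return []


if __name__ == "__main__":
    # Constructed example value; the salt is fixed only to keep the output stable.
    value = hash_rootpw("example-only-secret", "SSHA512", salt=bytes(range(1, 9)))
    print(value)
    print(verify_rootpw(value, "example-only-secret"), rootpw_value_problems(value))
```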

3.1.1.147. nsslapd-rundir


This parameter sets the absolute path to the directory in which Directory Server stores run-
time information, such as the PID file. The directory must be owned by the Directory Server
user and group. Only this user and group must have read and write access in this directory.

The service must be restarted for changes to this attribute to take effect.

Parameter Description

Entry DN cn=config

Valid Values Any directory writable by the Directory Server user

Default Value /var/run/dirsrv/

Syntax DirectoryString

Example nsslapd-rundir: /var/run/dirsrv/

3.1.1.148. nsslapd-sasl-mapping-fallback

By default, only the first matching SASL mapping is checked. If this mapping fails, the bind
operation fails even if there are other matching mappings that might have worked. SASL
mapping fallback keeps checking all of the matching mappings.

You do not have to restart the server for this setting to take effect.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-sasl-mapping-fallback: off

3.1.1.149. nsslapd-sasl-max-buffer-size

This attribute sets the maximum SASL buffer size.

Parameter Description

Entry DN cn=config

Valid Values 0 to the maximum 32 bit integer value (2147483647)

Default Value 67108864 (64 kilobytes)

Syntax Integer

Example nsslapd-sasl-max-buffer-size: 67108864

3.1.1.150. nsslapd-saslpath

Sets the absolute path to the directory containing the Cyrus-SASL SASL2 plug-ins. Setting
this attribute allows the server to use custom or non-standard SASL plug-in libraries. This is
usually set correctly during installation, and Red Hat strongly recommends not changing
this attribute. If the attribute is not present or the value is empty, this means the
Directory Server is using the system provided SASL plug-in libraries which are the correct
version.

If this parameter is set, the server uses the specified path for loading SASL plug-ins. If this
parameter is not set, the server uses the SASL_PATH environment variable. If neither
nsslapd-saslpath nor SASL_PATH is set, the server attempts to load SASL plug-ins from
the default location, /usr/lib/sasl2.

Changes made to this attribute will not take effect until the server is restarted.

Parameter Description

Entry DN cn=config

Valid Values Path to plug-ins directory.

Default Value Platform dependent

Syntax DirectoryString

Example nsslapd-saslpath: /usr/lib/sasl2

3.1.1.151. nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names)

Ignores trailing spaces in object class names. By default, the attribute is turned off. If the
directory contains entries with object class values that end in one or more spaces, turn this
attribute on. It is preferable to remove the trailing spaces because the LDAP standards do
not allow them.

For performance reasons, server restart is required for changes to take effect.

An error is returned by default when object classes that include trailing spaces are added to
an entry. Additionally, during operations such as add, modify, and import (when object
classes are expanded and missing superiors are added) trailing spaces are ignored, if
appropriate. This means that even when nsslapd-schema-ignore-trailing-spaces is on,
a value such as top is not added if top is already there. An error message is logged and
returned to the client if an object class is not found and it contains trailing spaces.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-schema-ignore-trailing-spaces: on

3.1.1.152. nsslapd-schemacheck (Schema Checking)

This attribute sets whether the database schema is enforced when entries are added or
modified. When this attribute has a value of on, Directory Server will not check the schema
of existing entries until they are modified. The database schema defines the type of
information allowed in the database. The default schema can be extended using the object
classes and attribute types. For information on how to extend the schema using the
Directory Server Console, see the "Extending the Directory Schema" chapter in the Red Hat
Directory Server Administration Guide.


WARNING

Red Hat strongly discourages turning off schema checking. This can lead
to severe interoperability problems. This is typically used for very old or
non-standard LDAP data that must be imported into the Directory Server.
If there are not a lot of entries that have this problem, consider using the
extensibleObject object class in those entries to disable schema
checking on a per entry basis.


NOTE

Schema checking works by default when database modifications are made
using an LDAP client, such as ldapmodify or when importing a database from
LDIF using ldif2db. If schema checking is turned off, every entry has to be
verified manually to see that they conform to the schema. If schema checking
is turned on, the server sends an error message listing the entries which do
not match the schema. Ensure that the attributes and object classes created
in the LDIF statements are both spelled correctly and identified in dse.ldif.
Either create an LDIF file in the schema directory or add the elements to
99user.ldif.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-schemacheck: on

3.1.1.153. nsslapd-schemadir

This is the absolute path to the directory containing the Directory Server instance-specific
schema files. When the server starts up, it reads the schema files from this directory, and
when the schema is modified through LDAP tools, the schema files in this directory are
updated. This directory must be owned by the server user ID, and that user must have read
and write permissions to the directory.

Changes made to this attribute will not take effect until the server is restarted.

Parameter Description

Entry DN cn=config

Valid Values Any valid path

Default Value /etc/dirsrv/instance_name/schema

Syntax DirectoryString

Example nsslapd-schemadir: /etc/dirsrv/instance_name/schem

3.1.1.154. nsslapd-schemamod


Online schema modifications require lock protection, which impacts performance.
If schema modifications are disabled, setting this parameter to off can increase
performance.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-schemamod: on

3.1.1.155. nsslapd-schemareplace

Determines whether modify operations that replace attribute values are allowed on the
cn=schema entry.

Parameter Description

Entry DN cn=config

Valid Values on | off | replication-only

Default Value replication-only

Syntax DirectoryString

Example nsslapd-schemareplace: replication-only

3.1.1.156. nsslapd-search-return-original-type-switch

If the attribute list passed to a search contains a space followed by other characters, the
same string is returned to the client. For example:

# ldapsearch -b <basedn> "(filter)" "sn someothertext"

dn: <matched dn>
sn someothertext: <sn>

This behavior is disabled by default, but can be enabled using this configuration parameter.

Parameter Description

Entry DN cn=config


Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-search-return-original-type-switch: off

3.1.1.157. nsslapd-securelistenhost

This attribute allows multiple Directory Server instances to run on a multihomed machine
(or makes it possible to limit listening to one interface of a multihomed machine). There
can be multiple IP addresses associated with a single host name, and these IP addresses
can be a mix of both IPv4 and IPv6. This parameter can be used to restrict the
Directory Server instance to a single IP interface; this parameter also specifically sets what
interface to use for TLS traffic rather than regular LDAP connections.

If a host name is given as the nsslapd-securelistenhost value, then the Directory Server
responds to requests for every interface associated with the host name. If a single IP
interface (either IPv4 or IPv6) is given as the nsslapd-securelistenhost value,
Directory Server only responds to requests sent to that specific interface. Either an IPv4 or
IPv6 address can be used.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=config

Valid Values Any secure host name, IPv4 or IPv6 address

Default Value

Syntax DirectoryString

Example nsslapd-securelistenhost: ldaps.example.com

3.1.1.158. nsslapd-securePort (Encrypted Port Number)

This attribute sets the TCP/IP port number used for TLS communications. This selected port
must be unique on the host system; make sure no other application is attempting to use
the same port number. Specifying a port number of less than 1024 requires that
Directory Server be started as root. The server sets its uid to the nsslapd-localuser
value after startup.

The server only listens to this port if it has been configured with a private key and a
certificate, and nsslapd-security is set to on; otherwise, it does not listen on this port.


The server has to be restarted for the port number change to be taken into account.

Parameter Description

Entry DN cn=config

Valid Range 1 to 65535

Default Value 636

Syntax Integer

Example nsslapd-securePort: 636

3.1.1.159. nsslapd-security (Security)

This attribute sets whether the Directory Server is to accept TLS communications on its
encrypted port. This attribute should be set to on for secure connections. To run with
security on, the server must be configured with a private key and server certificate in
addition to the other TLS configuration.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-security: off

3.1.1.160. nsslapd-sizelimit (Size Limit)

This attribute sets the maximum number of entries to return from a search operation. If this
limit is reached, ns-slapd returns any entries it has located that match the search request,
as well as an exceeded size limit error.

When no limit is set, ns-slapd returns every matching entry to the client regardless of the
number found. To set a no limit value whereby the Directory Server waits indefinitely for
the search to complete, specify a value of -1 for this attribute in the dse.ldif file.

This limit applies to everyone, regardless of their organization.


NOTE

A value of -1 on this attribute in dse.ldif file is the same as leaving the
attribute blank in the server console, in that it causes no limit to be used. This
cannot have a null value in dse.ldif file, as it is not a valid integer. It is
possible to set it to 0, which returns size limit exceeded for every search.

The corresponding user-level attribute is nsSizeLimit.

Parameter Description

Entry DN cn=config

Valid Range -1 to the maximum 32 bit integer value (2147483647)

Default Value 2000

Syntax Integer

Example nsslapd-sizelimit: 2000

3.1.1.161. nsslapd-snmp-index

This parameter controls the SNMP index number of the Directory Server instance.

If you have multiple Directory Server instances on the same host listening all on port 389
but on different network interfaces, this parameter allows you to set different SNMP index
numbers for each instance.

Parameter Description

Entry DN cn=config

Valid Value 0 to the maximum 32 bit integer value (2147483647)

Default Value 0

Syntax Integer

Example nsslapd-snmp-index: 0

3.1.1.162. nsslapd-SSLclientAuth


NOTE

The nsslapd-SSLclientAuth parameter will be deprecated in a future release
and is currently maintained for backward compatibility. Use the new
parameter nsSSLClientAuth, stored under cn=encryption,cn=config,
instead. See Section 3.1.4.9, “nsSSLClientAuth”.

3.1.1.163. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)

This attribute sets whether a TLS-enabled Directory Server should verify the authenticity of a
request by matching the host name against the value assigned to the common name (cn)
attribute of the subject name (subjectDN field) in the certificate being presented. By
default, the attribute is set to on. If it is on and the host name does not match the cn
attribute of the certificate, appropriate error and audit messages are logged.

For example, in a replicated environment, messages similar to the following are logged in
the supplier server's log files if it finds that the peer server's host name does not match the
name specified in its certificate:

[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 -
Unable to communicate securely with peer: requested domain name does not
match the server's certificate.)

[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636):
Replication bind with SSL client authentication failed:
LDAP error 81 (Can't contact LDAP server)

Red Hat recommends turning this attribute on to protect Directory Server's outbound TLS
connections against a man in the middle (MITM) attack.

NOTE

DNS and reverse DNS must be set up correctly in order for this to work;
otherwise, the server cannot resolve the peer IP address to the host name in
the subject DN in the certificate.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-ssl-check-hostname: on


3.1.1.164. nsslapd-syntaxcheck

This attribute validates all modifications to entry attributes to make sure that the new or
changed values conform to the required syntax for that attribute type. Any changes which
do not conform to the proper syntax are rejected, when this attribute is enabled. All
attribute values are validated against the syntax definitions in RFC 4514.

By default, this is turned on.

Syntax validation is only run against new or modified attributes; it does not validate the
syntax of existing attribute values. Syntax validation is triggered for LDAP operations such
as adds and modifies; it does not happen after operations like replication, since the validity
of the attribute syntax should be checked on the originating supplier.

This validates all supported attribute types for Directory Server, with the exception of
binary syntaxes (which cannot be verified) and non-standard syntaxes, which do not have a
defined required format. The unvalidated syntaxes are as follows:

Fax (binary)

OctetString (binary)

JPEG (binary)

Binary (non-standard)

Space Insensitive String (non-standard)

URI (non-standard)

The nsslapd-syntaxcheck attribute sets whether to validate and reject attribute
modifications. This can be used with the nsslapd-syntaxlogging attribute to write warning
messages about invalid attribute values to the error logs.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-syntaxcheck: on

3.1.1.165. nsslapd-syntaxlogging

This attribute sets whether to log syntax validation failures to the errors log. By default,
this is turned off.

If the nsslapd-syntaxcheck attribute is enabled (the default) and the nsslapd-syntaxlogging
attribute is also enabled, then any invalid attribute change is rejected and
written to the errors log. If only nsslapd-syntaxlogging is enabled and nsslapd-syntaxcheck
is disabled, then invalid changes are allowed to proceed, but a warning
message is written to the error log.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-syntaxlogging: off

3.1.1.166. nsslapd-threadnumber (Thread Number)

This performance tuning-related value sets the number of threads Directory Server creates
at startup. If the value is set to -1 (default), Directory Server enables the optimized auto-
tuning based on the available hardware. Note that if auto-tuning is enabled, nsslapd-
threadnumber shows the auto-generated number of threads while Directory Server is
running.

NOTE

Red Hat recommends using the auto-tuning setting for optimized performance.

For further details, see the corresponding section in the Red Hat Directory Server
Performance Tuning Guide.

Parameter Description

Entry DN cn=config

Valid Range -1 to the maximum number of threads supported by the system's thread and processor limits.

Default Value -1

Syntax Integer

Example nsslapd-threadnumber: -1

3.1.1.167. nsslapd-timelimit (Time Limit)


This attribute sets the maximum number of seconds allocated for a search request. If this
limit is reached, Directory Server returns any entries it has located that match the search
request, as well as an exceeded time limit error.

When no limit is set, ns-slapd returns every matching entry to the client regardless of the
time it takes. To set a no limit value whereby Directory Server waits indefinitely for the
search to complete, specify a value of -1 for this attribute in the dse.ldif file. A value of
zero (0) causes no time to be allowed for searches. The smallest time limit is 1 second.

NOTE

A value of -1 on this attribute in the dse.ldif is the same as leaving the
attribute blank in the server console in that it causes no limit to be used.
However, a negative integer cannot be set in this field in the server console,
and a null value cannot be used in the dse.ldif entry, as it is not a valid
integer.

The corresponding user-level attribute is nsTimeLimit.

Parameter Description

Entry DN cn=config

Valid Range -1 to the maximum 32 bit integer value (2147483647) in seconds

Default Value 3600

Syntax Integer

Example nsslapd-timelimit: 3600

3.1.1.168. nsslapd-tmpdir

This is the absolute path of the directory the server uses for temporary files. The directory
must be owned by the server user ID and the user must have read and write access. No
other user ID should have read or write access to the directory. The default value is /tmp.

Changes made to this attribute will not take effect until the server is restarted.

3.1.1.169. nsslapd-validate-cert

If the Directory Server is configured to run in TLS and its certificate expires, then the
Directory Server cannot be started. The nsslapd-validate-cert parameter sets how the
Directory Server should respond when it attempts to start with an expired certificate:

warn allows the Directory Server to start successfully with an expired certificate, but
it sends a warning message that the certificate has expired. This is the default
setting.

on validates the certificate and will prevent the server from restarting if the
certificate is expired. This sets a hard failure for expired certificates.


off disables all certificate expiration validation, so the server can start with an
expired certificate without logging a warning.

Parameter Description

Entry DN cn=config

Valid Values warn | on | off

Default Value warn

Syntax DirectoryString

Example nsslapd-validate-cert: warn

3.1.1.170. nsslapd-versionstring

This attribute sets the server version number. The build data is automatically appended
when the version string is displayed.

Parameter Description

Entry DN cn=config

Valid Values Any valid server version number.

Default Value

Syntax DirectoryString

Example nsslapd-versionstring: Red Hat-Directory/10.3

3.1.1.171. nsslapd-workingdir

This is the absolute path of the directory that the server uses as its current working
directory after startup. This is the value that the server would return as the value of the
getcwd() function, and the value that the system process table shows as its current
working directory. This is the directory a core file is generated in. The server user ID must
have read and write access to the directory, and no other user ID should have read or write
access to it. The default value for this attribute is the same directory containing the error
log, which is usually /var/log/dirsrv/slapd-instance.

Changes made to this attribute will not take effect until the server is restarted.

3.1.1.172. passwordAllowChangeTime

This attribute specifies the length of time that must pass before the user is allowed to
change his password.


For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Values Any integer

Default Value

Syntax DirectoryString

Example passwordAllowChangeTime: 5h

3.1.1.173. passwordChange (Password Change)

Indicates whether users may change their passwords.

This can be abbreviated to pwdAllowUserChange.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example passwordChange: on

3.1.1.174. passwordCheckSyntax (Check Password Syntax)

This attribute sets whether the password syntax is checked before the password is saved.
The password syntax checking mechanism checks that the password meets or exceeds the
password minimum length requirement and that the string does not contain any trivial
words, such as the user's name or user ID or any attribute value stored in the uid, cn, sn,
givenName, ou, or mail attributes of the user's directory entry.

Password syntax includes several different categories for checking:

The length of string or tokens to use to compare when checking for trivial words in
the password (for example, if the token length is three, then no string of three
sequential characters in the user's UID, name, email address, or other parameters
can be used in the password)


Minimum number of number characters (0-9)

Minimum number of uppercase ASCII alphabetic characters

Minimum number of lowercase ASCII alphabetic characters

Minimum number of special ASCII characters, such as !@#$

Minimum number of 8-bit characters

Minimum number of character categories required per password; a category can be
upper- or lower-case letters, special characters, digits, or 8-bit characters

This can be abbreviated to pwdCheckSyntax.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example passwordCheckSyntax: off

3.1.1.175. passwordExp (Password Expiration)

Indicates whether user passwords expire after a given number of seconds. By default, user
passwords do not expire. Once password expiration is enabled, set the number of seconds
after which the password expires using the passwordMaxAge attribute.

For more information on password policies, see the "Managing User Accounts" chapter in
the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example passwordExp: on


3.1.1.176. passwordExpirationTime

This attribute specifies the length of time that passes before the user’s password expires.

Parameter Description

Entry DN cn=config

Valid Values Any date, in integers

Default Value none

Syntax GeneralizedTime

Example passwordExpirationTime: 201909011953

3.1.1.177. passwordExpWarned

This attribute indicates that a password expiration warning has been sent to the user.

Parameter Description

Entry DN cn=config

Valid Values true | false

Default Value none

Syntax DirectoryString

Example passwordExpWarned: true

3.1.1.178. passwordGraceLimit (Password Expiration)

This attribute is only applicable if password expiration is enabled. After the user's password
has expired, the server allows the user to connect for the purpose of changing the
password. This is called a grace login. The server allows only a certain number of attempts
before completely locking out the user. This attribute is the number of grace logins allowed.
A value of 0 means the server does not allow grace logins.

Parameter Description

Entry DN cn=config

Valid Values 0 (off) to any reasonable integer

Default Value 0


Syntax Integer

Example passwordGraceLimit: 3

3.1.1.179. passwordHistory (Password History)

Enables password history. Password history refers to whether users are allowed to reuse
passwords. By default, password history is disabled, and users can reuse passwords. If this
attribute is set to on, the directory stores a given number of old passwords and prevents
users from reusing any of the stored passwords. Set the number of old passwords the
Directory Server stores using the passwordInHistory attribute.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example passwordHistory: on

3.1.1.180. passwordInHistory (Number of Passwords to Remember)

Indicates the number of passwords the Directory Server stores in history. Passwords that
are stored in history cannot be reused by users. By default, the password history feature is
disabled, meaning that the Directory Server does not store any old passwords, and so users
can reuse passwords. Enable password history using the passwordHistory attribute.

To prevent users from rapidly cycling through the number of passwords that are tracked,
use the passwordMinAge attribute.

This can be abbreviated to pwdInHistory.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Range 1 to 24 passwords


Default Value 6

Syntax Integer

Example passwordInHistory: 7

3.1.1.181. passwordIsGlobalPolicy (Password Policy and Replication)

This attribute controls whether password policy attributes are replicated.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example passwordIsGlobalPolicy: off

3.1.1.182. passwordLegacyPolicy

Enables legacy password behavior. Older LDAP clients expected to receive an error to lock
a user account once the maximum failure limit was exceeded. For example, if the limit were
three failures, then the account was locked at the fourth failed attempt. Newer clients,
however, expect to receive the error message when the failure limit is reached. For
example, if the limit is three failures, then the account should be locked at the third failed
attempt.

Because locking the account when the failure limit is exceeded is the older behavior, it is
considered legacy behavior. It is enabled by default, but can be disabled to allow the new
LDAP clients to receive the error at the expected time.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString


Example passwordLegacyPolicy: on

3.1.1.183. passwordLockout (Account Lockout)

Indicates whether users are locked out of the directory after a given number of failed bind
attempts. By default, users are not locked out of the directory after a series of failed bind
attempts. If account lockout is enabled, set the number of failed bind attempts after which
the user is locked out using the passwordMaxFailure attribute.

This can be abbreviated to pwdLockOut.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example passwordLockout: off

3.1.1.184. passwordLockoutDuration (Lockout Duration)

Indicates the amount of time in seconds during which users are locked out of the directory
after an account lockout. The account lockout feature protects against hackers who try to
break into the directory by repeatedly trying to guess a user's password. Enable and
disable the account lockout feature using the passwordLockout attribute.

This can be abbreviated to pwdLockoutDuration.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Range 1 to the maximum 32 bit integer value (2147483647) in seconds

Default Value 3600


Syntax Integer

Example passwordLockoutDuration: 3600

3.1.1.185. passwordMaxAge (Password Maximum Age)

Indicates the number of seconds after which user passwords expire. To use this attribute,
password expiration has to be enabled using the passwordExp attribute.

This can be abbreviated to pwdMaxAge.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Range 1 to the maximum 32 bit integer value (2147483647) in seconds

Default Value 8640000 (100 days)

Syntax Integer

Example passwordMaxAge: 100

3.1.1.186. passwordMaxFailure (Maximum Password Failures)

Indicates the number of failed bind attempts after which a user is locked out of the
directory. By default, account lockout is disabled. Enable account lockout by modifying the
passwordLockout attribute.

This can be abbreviated to pwdMaxFailure.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Range 1 to maximum integer bind failures

Default Value 3


Syntax Integer

Example passwordMaxFailure: 3
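The lockout behaviour described under passwordLegacyPolicy, passwordLockout, passwordLockoutDuration and passwordMaxFailure, modelled as an added Python example that is not Directory Server's own implementation: the policy field names mirror the attributes on this page, while AccountState, record_bind and the reset-on-successful-bind rule are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """Field names mirror the cn=config attributes described above."""
    passwordLockout: bool = True
    passwordMaxFailure: int = 3
    passwordLockoutDuration: int = 3600   # seconds
    passwordLegacyPolicy: bool = True


@dataclass
class AccountState:
    """Per-account bookkeeping this example keeps (names assumed)."""
    retry_count: int = 0
    locked_until: Optional[float] = None   # absolute time; None = not locked


def lock_threshold(policy: LockoutPolicy) -> int:
    """Failure count at which the account locks.

    Legacy behaviour locks when the limit is exceeded (4th failure for a limit of 3);
    the newer behaviour locks when the limit is reached (3rd failure).
    """
    if policy.passwordLegacyPolicy:
        return policy.passwordMaxFailure + 1
    return policy.passwordMaxFailure


def is_locked(state: AccountState, now: float) -> bool:
    return state.locked_until is not None and now < state.locked_until


def record_bind(state: AccountState, policy: LockoutPolicy,
                success: bool, now: float) -> str:
    """Apply one bind attempt to the account and return the outcome.

    Returns "ok", "invalid credentials" or "locked". A lockout that has lasted
    passwordLockoutDuration seconds expires and the failure counter starts over;
    a successful bind also resets the counter (assumed reset semantics).
    """
    if is_locked(state, now):
        return "locked"
    if state.locked_until is not None:        # the lockout has expired
        state.locked_until = None
        state.retry_count = 0
    if success:
        state.retry_count = 0
        return "ok"
    state.retry_count += 1
    if policy.passwordLockout and state.retry_count >= lock_threshold(policy):
        state.locked_until = now + policy.passwordLockoutDuration
        return "locked"
    return "invalid credentials"


def failures_until_lock(policy: LockoutPolicy) -> Optional[int]:
    """How many consecutive failures lock a fresh account; None when lockout is off."""
    if not policy.passwordLockout:
        return None
    state = AccountState()
    for n in range(1, lock_threshold(policy) + 1):
        if record_bind(state, policy, success=False, now=float(n)) == "locked":
            return n
    return None


if __name__ == "__main__":
    for legacy in (True, False):
        policy = LockoutPolicy(passwordLegacyPolicy=legacy)
        print(f"passwordLegacyPolicy={'on' if legacy else 'off'}: "
              f"locked after {failures_until_lock(policy)} failures")
```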

3.1.1.187. passwordMaxRepeats (Password Syntax)

Maximum number of times the same character can appear sequentially in the password.
Zero (0) is off. Integer values reject any password which uses a character more than that
number of times in a row; for example, 1 rejects characters that are used more than once (aa) and 2
rejects characters used more than twice (aaa).

Parameter Description

Entry DN cn=config

Valid Range 0 to 64

Default Value 0

Syntax Integer

Example passwordMaxRepeats: 1

3.1.1.188. passwordMin8Bit (Password Syntax)

This sets the minimum number of 8-bit characters the password must contain.

NOTE

The 7-bit checking for userPassword must be disabled to use this.

Parameter Description

Entry DN cn=config

Valid Range 0 to 64

Default Value 0

Syntax Integer

Example passwordMin8Bit: 0

3.1.1.189. passwordMinAge (Password Minimum Age)


Indicates the number of seconds that must pass before a user can change their password.
Use this attribute in conjunction with the passwordInHistory (number of passwords to
remember) attribute to prevent users from quickly cycling through passwords so that they
can use their old password again. A value of zero (0) means that the user can change the
password immediately.

This can be abbreviated to pwdMaxFailure.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Range 0 to valid maximum integer

Default Value 0

Syntax Integer

Example passwordMinAge: 150

3.1.1.190. passwordMinAlphas (Password Syntax)

This attribute sets the minimum number of alphabetic characters a password must contain.

Parameter Description

Entry DN cn=config

Valid Range 0 to 64

Default Value 0

Syntax Integer

Example passwordMinAlphas: 4

3.1.1.191. passwordMinCategories (Password Syntax)

This sets the minimum number of character categories that are represented in the
password. The categories are:

Lowercase alphabetic characters

Uppercase alphabetic characters

Numbers


Special ASCII characters, such as $ and punctuation marks

8-bit characters

For example, if the value of this attribute were set to 2, and the user tried to change the
password to aaaaa, the server would reject the password because it contains only lower
case characters, and therefore contains characters from only one category. A password of
aAaAaA would pass because it contains characters from two categories, uppercase and
lowercase.

The default is 3, which means that if password syntax checking is enabled, valid passwords
have to have three categories of characters.

Parameter Description

Entry DN cn=config

Valid Range 0 to 5

Default Value 3

Syntax Integer

Example passwordMinCategories: 2

3.1.1.192. passwordMinDigits (Password Syntax)

This sets the minimum number of digits a password must contain.

Parameter Description

Entry DN cn=config

Valid Range 0 to 64

Default Value 0

Syntax Integer

Example passwordMinDigits: 3

3.1.1.193. passwordMinLength (Password Minimum Length)

This attribute specifies the minimum number of characters that must be used in
Directory Server user password attributes. In general, shorter passwords are easier to
crack. By default, Directory Server enforces a minimum password length of eight
characters. Treat that default as a floor rather than a recommendation: it is enforced
only when password syntax checking is enabled, and a higher value costs nothing on the
server side.

This can be abbreviated to pwdMinLength.


For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Range 2 to 512 characters

Default Value 8

Syntax Integer

Example passwordMinLength: 6

3.1.1.194. passwordMinLowers (Password Syntax)

This attribute sets the minimum number of lower case letters password must contain.

Parameter Description

Entry DN cn=config

Valid Range 0 to 64

Default Value 0

Syntax Integer

Example passwordMinLowers: 1

3.1.1.195. passwordMinSpecials (Password Syntax)

This attribute sets the minimum number of special, that is non-alphanumeric, characters a
password must contain.

Parameter Description

Entry DN cn=config

Valid Range 0 to 64

Default Value 0

Syntax Integer


Example passwordMinSpecials: 1

3.1.1.196. passwordMinTokenLength (Password Syntax)

This attribute sets the smallest attribute value length that is used for trivial words checking.
For example, if passwordMinTokenLength is set to 3, then a givenName of DJ does not
result in a policy that rejects DJ from being in the password, but the policy rejects a
password containing the givenName of Bob.

Parameter Description

Entry DN cn=config

Valid Range 1 to 64

Default Value 3

Syntax Integer

Example passwordMinTokenLength: 3

3.1.1.197. passwordMinUppers (Password Syntax)

This sets the minimum number of uppercase letters password must contain.

Parameter Description

Entry DN cn=config

Valid Range 0 to 64

Default Value 0

Syntax Integer

Example passwordMinUppers: 2
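
As an added example (not code from Directory Server or from this guide), the following
Python models the password syntax checks defined by the passwordMinLength,
passwordMinCategories, passwordMaxRepeats, passwordMin* and passwordMinTokenLength
attributes above, so the edge cases can be tried offline. The policy values, the user entry
and the choice of which attribute values count as trivial words are assumptions made for
the model; the server's own checker may differ in detail.

```python
# Added example, not Directory Server code: a model of the password syntax
# checks described in the passwordMin*/passwordMax* sections. The policy
# values, the user entry and the set of attributes treated as "trivial words"
# are constructed for the example.
import re

# Constructed policy: the documented defaults, with several checks turned on.
POLICY = {
    "passwordMinLength": 8,
    "passwordMinCategories": 3,
    "passwordMaxRepeats": 1,       # 1 rejects "aa", 2 rejects "aaa", 0 disables the check
    "passwordMinDigits": 1,
    "passwordMinSpecials": 1,
    "passwordMinUppers": 1,
    "passwordMinLowers": 1,
    "passwordMinAlphas": 0,
    "passwordMin8Bit": 0,
    "passwordMinTokenLength": 3,   # attribute values shorter than this are not checked
}

# Constructed user entry; its attribute values are the trivial words (assumption).
USER_ENTRY = {"uid": "bob", "givenName": "Bob", "sn": "DJ", "cn": "Bob DJ"}


def categories(pw):
    """Return the set of character categories present, as the page lists them."""
    cats = set()
    for ch in pw:
        if ord(ch) > 127:
            cats.add("8bit")
        elif ch.islower():
            cats.add("lower")
        elif ch.isupper():
            cats.add("upper")
        elif ch.isdigit():
            cats.add("digit")
        else:
            cats.add("special")
    return cats


def max_run(pw):
    """Length of the longest run of one character appearing sequentially."""
    best, run, prev = 0, 0, None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def trivial_words(entry, min_token_length):
    """Whitespace-separated tokens of the entry's values that are long enough to check."""
    words = set()
    for value in entry.values():
        for tok in re.split(r"\s+", value):
            if len(tok) >= min_token_length:
                words.add(tok.lower())
    return words


def check_password(pw, policy=POLICY, entry=USER_ENTRY):
    """Return the names of the violated policy attributes; an empty list means accepted."""
    violations = []
    if len(pw) < policy["passwordMinLength"]:
        violations.append("passwordMinLength")
    if len(categories(pw)) < policy["passwordMinCategories"]:
        violations.append("passwordMinCategories")
    if policy["passwordMaxRepeats"] and max_run(pw) > policy["passwordMaxRepeats"]:
        violations.append("passwordMaxRepeats")
    counts = {
        "passwordMinDigits": sum(c.isdigit() for c in pw),
        "passwordMinUppers": sum(c.isupper() for c in pw),
        "passwordMinLowers": sum(c.islower() for c in pw),
        "passwordMinAlphas": sum(c.isalpha() and ord(c) < 128 for c in pw),
        "passwordMin8Bit": sum(ord(c) > 127 for c in pw),
        "passwordMinSpecials": sum(ord(c) < 128 and not c.isalnum() for c in pw),
    }
    for name, found in counts.items():
        if found < policy[name]:
            violations.append(name)
    # Trivial-words check: any sufficiently long attribute token must not
    # appear anywhere in the password (case-insensitive).
    lowered = pw.lower()
    if any(word in lowered for word in trivial_words(entry, policy["passwordMinTokenLength"])):
        violations.append("passwordMinTokenLength")
    return violations
```

With this policy, check_password("Bob2024!xyz") reports only passwordMinTokenLength, because
"Bob" is three characters long and matches the entry's givenName, while "Dj7-Zebra!q" is
accepted even though it contains the sn value DJ, which is shorter than
passwordMinTokenLength and therefore never checked.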

3.1.1.198. passwordMustChange (Password Must Change)

Indicates whether users must change their passwords when they first bind to the
Directory Server or when the password has been reset by the Manager DN.

This can be abbreviated to pwdMustChange.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.


Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example passwordMustChange: off

3.1.1.199. passwordResetFailureCount (Reset Password Failure Count After)

Indicates the amount of time in seconds after which the password failure counter resets.
Each time an invalid password is sent from the user's account, the password failure counter
is incremented. If the passwordLockout attribute is set to on, users are locked out of the
directory when the counter reaches the number of failures specified by the
passwordMaxFailure attribute within this interval (600 seconds by default). Once the
interval has passed since the last failure, the counter is reset to zero (0). How long a
locked account stays locked is controlled separately by the passwordLockoutDuration
attribute.

This can be abbreviated to pwdFailureCountInterval.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Range 1 to the maximum 32 bit integer value (2147483647) in seconds

Default Value 600

Syntax Integer

Example passwordResetFailureCount: 600
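
As an added example (not Directory Server code), this Python replays simple binds against a
model of the lockout counters so the interaction between passwordMaxFailure,
passwordResetFailureCount, passwordLockoutDuration and passwordUnlock can be checked
without a server. The policy values, the bind sequences and the exact reset behaviour are
assumptions made for the model; the per-account state is named after the operational
attributes passwordRetryCount, retryCountResetTime and accountUnlockTime.

```python
# Added example, not Directory Server code: a model of the account lockout
# counters governed by passwordMaxFailure, passwordResetFailureCount,
# passwordLockoutDuration and passwordUnlock. Times are plain integer seconds
# so the sequence replays deterministically; policy values and bind sequences
# are constructed for the example.


class LockoutPolicy:
    def __init__(self, max_failure=3, reset_failure_count=600,
                 lockout_duration=3600, unlock=True):
        self.max_failure = max_failure                  # passwordMaxFailure
        self.reset_failure_count = reset_failure_count  # passwordResetFailureCount
        self.lockout_duration = lockout_duration        # passwordLockoutDuration
        self.unlock = unlock                            # passwordUnlock: on=True, off=False


class Account:
    """Per-entry operational state the server keeps for lockout."""

    def __init__(self):
        self.retry_count = 0                 # passwordRetryCount
        self.retry_count_reset_time = None   # retryCountResetTime
        self.account_unlock_time = None      # accountUnlockTime: None=not locked, 0=locked until admin resets

    def is_locked(self, now):
        if self.account_unlock_time is None:
            return False
        if self.account_unlock_time == 0:
            return True
        return now < self.account_unlock_time


def bind(account, policy, now, password_ok):
    """Simulate one simple bind at time `now`; returns 'ok', 'invalid' or 'locked'."""
    if account.is_locked(now):
        return "locked"
    if password_ok:
        account.retry_count = 0
        account.retry_count_reset_time = None
        account.account_unlock_time = None
        return "ok"
    # The counter is discarded once passwordResetFailureCount seconds have passed
    # since the last failure (modelled assumption); otherwise the failure accumulates.
    if account.retry_count_reset_time is not None and now >= account.retry_count_reset_time:
        account.retry_count = 0
    account.retry_count += 1
    account.retry_count_reset_time = now + policy.reset_failure_count
    if account.retry_count >= policy.max_failure:
        # passwordUnlock off: accountUnlockTime 0 means locked indefinitely.
        account.account_unlock_time = now + policy.lockout_duration if policy.unlock else 0
    return "invalid"


def replay(events, policy):
    """Apply a list of (time, password_ok) binds to a fresh account; returns the outcomes."""
    account = Account()
    return [bind(account, policy, t, ok) for t, ok in events]


# Constructed sequences. Four failures spread over 850 s never trip a 3-failure
# limit because the 600 s window resets the counter; three failures in 20 s lock
# the account until passwordLockoutDuration has elapsed.
SLOW_GUESSES = [(0, False), (100, False), (800, False), (850, False), (900, True)]
FAST_GUESSES = [(0, False), (10, False), (20, False), (30, True), (3700, True)]
```

The SLOW_GUESSES sequence is the case a low passwordResetFailureCount is meant to
tolerate (a user mistyping a few times over a quarter of an hour), while FAST_GUESSES is
the brute-force pattern that lockout exists to stop; with passwordUnlock off the last,
correct bind is still refused because accountUnlockTime is 0.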

3.1.1.200. passwordSendExpiringTime

When a client requests the password expiring control, Directory Server returns the "time to
expire" value only if the password is within the warning period. To provide compatibility
with existing clients that always expect this value to be returned, regardless of whether
the password expiration time is within the warning period, set the
passwordSendExpiringTime parameter to on.


Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example passwordSendExpiringTime: off

3.1.1.201. passwordStorageScheme (Password Storage Scheme)

This attribute sets the storage scheme used to protect user passwords stored in
userPassword attributes. Despite the historical wording "encrypt", the recommended schemes
such as SSHA512 are salted one-way hashes, not reversible encryption. For further details,
such as recommended strong password storage schemes, see Section 4.1.43, "Password
Storage Schemes".

NOTE

Red Hat recommends not setting this attribute. If the value is not set,
Directory Server automatically uses the strongest supported password storage
scheme available. If a future Directory Server update changes the default
value to increase security, passwords are automatically stored using the new
scheme the next time a user sets a password. Hashes that are already stored
are not converted; they stay in the old scheme until the password is changed.

This setting does not require restarting the server to take effect.

Parameter Description

Entry DN cn=config

Valid Values See Section 4.1.43, "Password Storage Schemes".

Default Value SSHA512

Syntax DirectoryString

Example passwordStorageScheme: SSHA512

3.1.1.202. passwordTrackUpdateTime

Sets whether to record a separate timestamp specifically for the last time that the
password for an entry was changed. If this is enabled, then it adds the pwdUpdateTime
operational attribute to the user account entry (separate from other update times, like
modifyTimestamp).


Using this timestamp can make it easier to synchronize password changes between
different LDAP stores, such as Active Directory.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example passwordTrackUpdateTime: off

3.1.1.203. passwordUnlock (Unlock Account)

Indicates whether users are locked out of the directory for a specified amount of time or
until the administrator resets the password after an account lockout. The account lockout
feature protects against attackers who try to break into the directory by repeatedly
guessing a user's password. If this passwordUnlock attribute is set to off and the
operational attribute accountUnlockTime has a value of 0, then the account is locked
indefinitely.

For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example passwordUnlock: off

3.1.1.204. passwordWarning (Send Warning)

Indicates the number of seconds before a user's password is due to expire that the user
receives a password expiration warning control on their next LDAP operation. Depending on
the LDAP client, the user may also be prompted to change their password at the time the
warning is sent.

This can be abbreviated to pwdExpireWarning.


For more information on password policies, see the "Managing User Authentication" chapter
in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config

Valid Range 1 to the maximum 32 bit integer value (2147483647) in seconds

Default Value 86400 (1 day)

Syntax Integer

Example passwordWarning: 86400

3.1.1.205. retryCountResetTime

This attribute specifies the length of time that passes before the passwordRetryCount
attribute is reset.

Parameter Description

Entry DN cn=config

Valid Range 1 to any reasonable integer

Default Value none

Syntax Integer

Example retryCountResetTime: 15

3.1.2. cn=changelog5,cn=config
Multi-master replication changelog configuration entries are stored under the
cn=changelog5 entry. The cn=changelog5,cn=config entry is an instance of the
extensibleObject object class.

The cn=changelog5 entry must contain the following object classes:

top

extensibleObject


NOTE

Two different types of changelogs are maintained by Directory Server. The
first type, which is stored here and referred to as the changelog, is used by
multi-master replication; the second changelog, which is actually a plug-in and
referred to as the retro changelog, is for compatibility with some legacy
applications. See Section 4.1.48, "Retro Changelog Plug-in" for further
information about the Retro Changelog Plug-in.

3.1.2.1. cn

This required attribute sets the relative distinguished name (RDN) of a changelog entry.

Parameter Description

Entry DN cn=changelog5,cn=config

Valid Values Any string

Default Value changelog5

Syntax DirectoryString

Example cn=changelog5

3.1.2.2. nsslapd-changelogcompactdb-interval

The Berkeley database does not reuse free pages unless the database is explicitly
compacted. The compact operation returns the unused pages to the file system, and the
database file size shrinks. This parameter defines the interval in seconds at which the
changelog database is compacted. Note that compacting the database is resource-
intensive, and thus should not be done too frequently.

This setting does not require a server restart to take effect.

Parameter Description

Entry DN cn=changelog5,cn=config

Valid Values 0 (no compaction) to 2147483647 seconds

Default Value 2592000 (30 days)

Syntax Integer

Example nsslapd-changelogcompactdb-interval:
2592000

3.1.2.3. nsslapd-changelogdir


This required attribute specifies the directory in which the changelog database is
created. Whenever a changelog configuration entry is created, it must contain a valid
directory; otherwise, the operation is rejected. The GUI proposes by default that this entry
be stored in /var/lib/dirsrv/slapd-instance/changelogdb/.


WARNING

If the cn=changelog5 entry is removed, the directory specified in the
nsslapd-changelogdir parameter, including any subdirectories, is removed
with all of its contents.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=changelog5,cn=config

Valid Values Any valid path to the directory storing the changelog

Default Value None

Syntax DirectoryString

Example nsslapd-changelogdir:
/var/lib/dirsrv/slapd-instance/changelogdb/

3.1.2.4. nsslapd-changelogmaxage (Max Changelog Age)

When synchronizing with a consumer, each update is stored in the changelog with a time
stamp. The nsslapd-changelogmaxage parameter sets the maximum age of a record
stored in the changelog. Older records that were successfully transferred to all replicas
are removed automatically. If neither the nsslapd-changelogmaxage nor the
nsslapd-changelogmaxentries parameter is set, all records are kept.

NOTE

The file size of the replication changelog is not automatically reduced if you set
a lower value in the nsslapd-changelogmaxage parameter. For further
details, see the corresponding sections in the
Red Hat Directory Server Administration Guide.

The nsslapd-changelogmaxage parameter additionally sets the maximum age of entries in
the retro changelog. The size of the retro changelog is automatically reduced when you set
a lower value.


The trim operation is executed in intervals set in the nsslapd-changelogtrim-interval
parameter.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=changelog5,cn=config

Valid Range 0 (meaning that entries are not removed according to their age) to maximum
32-bit integer (2147483647)

Default Value 0

Syntax DirectoryString IntegerAgeID where AgeID is s for seconds, m for minutes, h for
hours, d for days, and w for weeks

Example nsslapd-changelogmaxage: 30d

3.1.2.5. nsslapd-changelogmaxentries (Max Changelog Records)

When synchronizing with a consumer, each update is stored in the changelog. The
nsslapd-changelogmaxentries parameter sets the maximum number of records stored in
the changelog. The oldest records that were successfully transferred to all replicas and
that exceed this number are removed automatically. If neither the
nsslapd-changelogmaxentries nor the nsslapd-changelogmaxage parameter is set, all
records are kept.

NOTE

The file size of the replication changelog is not automatically reduced if you set
a lower value in the nsslapd-changelogmaxentries parameter. For further
details, see the corresponding sections in the
Red Hat Directory Server Administration Guide.

The trim operation is executed in intervals set in the nsslapd-changelogtrim-interval
parameter.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=changelog5,cn=config

Valid Range 0 (meaning that the only maximum limit is the disk size) to maximum 32-bit
integer (2147483647)

Default Value 0


Syntax Integer

Example nsslapd-changelogmaxentries: 5000
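
As an added example (not Directory Server code), this Python parses the IntegerAgeID form
of nsslapd-changelogmaxage and applies one trimming pass under both
nsslapd-changelogmaxage and nsslapd-changelogmaxentries to a constructed record list.
The delivered flag stands in for the server's replica update vector bookkeeping, and the
order in which records are examined is an assumption of the model.

```python
# Added example, not Directory Server code: a model of replication changelog
# trimming under nsslapd-changelogmaxage and nsslapd-changelogmaxentries. The
# records are constructed; whether every replica has received a record is
# tracked as a plain flag, standing in for the server's replica update vector.
import re

AGE_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_maxage(value):
    """Parse the IntegerAgeID form ('30d', '12h', '300'); a bare number is seconds.
    Returns the age in seconds; 0 means records are not trimmed by age."""
    m = re.fullmatch(r"\s*(\d+)([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"invalid nsslapd-changelogmaxage value: {value!r}")
    return int(m.group(1)) * AGE_UNITS[m.group(2) or "s"]


def trim_changelog(records, now, maxage="0", maxentries=0):
    """records: list of (changenumber, timestamp, delivered_to_all_replicas),
    oldest first. Returns the records that survive one trimming pass.

    A record is removed only if every replica already has it AND it is either
    older than maxage or surplus to maxentries. Undelivered records are kept
    even when old or surplus, because consumers still need them (assumption:
    the model skips over them rather than stopping the pass)."""
    max_age_s = parse_maxage(maxage)
    remaining = len(records)
    kept = []
    for rec in records:
        _, timestamp, delivered = rec
        too_old = max_age_s > 0 and (now - timestamp) > max_age_s
        surplus = maxentries > 0 and remaining > maxentries
        if delivered and (too_old or surplus):
            remaining -= 1
            continue
        kept.append(rec)
    return kept


# Constructed changelog: one record per day; record 3 not yet seen by all replicas.
DAY = 86400
RECORDS = [(1, 0 * DAY, True), (2, 1 * DAY, True), (3, 2 * DAY, False),
           (4, 3 * DAY, True), (5, 4 * DAY, True)]
NOW = 5 * DAY
```

With maxage="2d" the two oldest delivered records go, record 3 stays despite its age
because a replica still needs it, and record 4, exactly two days old, is not yet "older
than" the limit; with maxentries=2 the pass removes delivered records from the oldest end
until only two remain, again skipping record 3.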

3.1.2.6. nsslapd-changelogmaxconcurrentwrites (Max Concurrent Writes)

This attribute specifies the value used to initialize the new semaphore that controls the
concurrent writes to the changelog. For information on the changelog, see Section 3.1.2.3,
“nsslapd-changelogdir”.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=changelog5,cn=config

Valid Range Maximum number of concurrent changelog writes

Default Value 2

Syntax DirectoryString

Example nsslapd-changelogmaxconcurrentwrites: 4

3.1.2.7. nsslapd-changelogtrim-interval (Replication Changelog Trimming Interval)

Directory Server repeatedly runs a trimming process on the changelog. To change the time
between two runs, update the nsslapd-changelogtrim-interval parameter and set the
interval in seconds.

This setting does not require a server restart to take effect.

Parameter Description

Entry DN cn=changelog5,cn=config

Valid Range 0 to the maximum 32 bit integer value (2147483647)

Default Value 300 (5 minutes)

Syntax DirectoryString


Example nsslapd-changelogtrim-interval: 300

3.1.2.8. nsslapd-encryptionalgorithm (Encryption Algorithm)

This attribute specifies the encryption algorithm used to encrypt the changelog. To enable
changelog encryption, the server certificate must be installed on the directory server. Of
the two supported algorithms, AES is the one to choose; 3DES is retained for compatibility
only. For information on the changelog, see Section 3.1.2.3, "nsslapd-changelogdir".

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=changelog5,cn=config

Valid Values AES or 3DES

Default Value None

Syntax DirectoryString

Example nsslapd-encryptionalgorithm: AES

3.1.2.9. nsSymmetricKey

This attribute stores the internally-generated symmetric key. For information on the
changelog, see Section 3.1.2.3, “nsslapd-changelogdir”.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=changelog5,cn=config

Valid Values Base 64-encoded key

Default Value None

Syntax DirectoryString

Example None

3.1.3. Changelog Attributes


The changelog attributes contain the changes logged in the changelog.


3.1.3.1. changes

This attribute contains the changes made to the entry for add and modify operations in
LDIF format.

OID 2.16.840.1.113730.3.1.8

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in Changelog Internet Draft

3.1.3.2. changeLog

This attribute contains the distinguished name of the entry which contains the set of
entries comprising the server’s changelog.

OID 2.16.840.1.113730.3.1.35

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Changelog Internet Draft

3.1.3.3. changeNumber

This attribute is always present. It contains an integer which uniquely identifies each
change made to a directory entry. This number is related to the order in which the change
occurred. The higher the number, the later the change.

OID 2.16.840.1.113730.3.1.5

Syntax Integer

Multi- or Single-Valued Multi-valued

Defined in Changelog Internet Draft

3.1.3.4. changeTime

This attribute defines the time, in GeneralizedTime format (YYYYMMDDHHMMSSZ), when the changelog entry was added.

OID 2.16.840.1.113730.3.1.77

Syntax DirectoryString


Multi- or Single-Valued Multi-valued

Defined in Directory Server

3.1.3.5. changeType

This attribute specifies the type of LDAP operation, add, delete, modify, or modrdn. For
example:

changeType: modify

OID 2.16.840.1.113730.3.1.7

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Changelog Internet Draft

3.1.3.6. deleteOldRdn

In the case of modrdn operations, this attribute specifies whether the old RDN value was
removed from the entry.

A value of TRUE (1 in LDIF) means the old RDN value was deleted; FALSE (0) means it was
kept as an ordinary attribute value of the renamed entry.

OID 2.16.840.1.113730.3.1.10

Syntax Boolean

Multi- or Single-Valued Multi-valued

Defined in Changelog Internet Draft

3.1.3.7. filterInfo

This is used by the changelog for processing replication.

OID 2.16.840.1.113730.3.1.206

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server


3.1.3.8. newRdn

In the case of modrdn operations, this attribute specifies the new RDN of the entry.

OID 2.16.840.1.113730.3.1.9

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Changelog Internet Draft

3.1.3.9. newSuperior

In the case of modrdn operations, this attribute specifies the new parent (superior) entry for
the moved entry.

OID 2.16.840.1.113730.3.1.11

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Changelog Internet Draft

3.1.3.10. targetDn

This attribute contains the DN of the entry that was affected by the LDAP operation. In the
case of a modrdn operation, the targetDn attribute contains the DN of the entry before it
was modified or moved.

OID 2.16.840.1.113730.3.1.6

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Changelog Internet Draft

3.1.4. cn=encryption
Encryption related attributes are stored under the cn=encryption,cn=config entry. The
cn=encryption,cn=config entry is an instance of the nsslapdEncryptionConfig object
class.

3.1.4.1. allowWeakCipher


This attribute controls whether weak ciphers are allowed or rejected. The default depends
on the value set in the nsSSL3Ciphers parameter.

Ciphers are considered weak, if:

They are exportable.

Exportable ciphers are labeled EXPORT in the cipher name. For example, in
TLS_RSA_EXPORT_WITH_RC4_40_MD5.

They are symmetrical and weaker than the 3DES algorithm.

Symmetrical ciphers use the same cryptographic keys for both encryption and
decryption.

The key length is shorter than 128 bits.

The server has to be restarted for changes to this attribute to take effect.

Entry DN cn=encryption,cn=config

Valid Values on | off

Default Value off, if the value in the nsSSL3Ciphers parameter is set to +all or default;
on, if the value in the nsSSL3Ciphers parameter contains a user-specific cipher list.

Syntax DirectoryString

Example allowWeakCipher: on

3.1.4.2. allowWeakDHParam

The network security services (NSS) libraries linked with Directory Server require a
minimum of 2048-bit Diffie-Hellman (DH) parameters. However, some clients connecting to
Directory Server, such as Java 1.6 and 1.7 clients, only support 1024-bit DH parameters.
The allowWeakDHParam parameter allows you to enable support for weak 1024-bit DH
parameters in Directory Server. Enabling it lowers the key-exchange strength for every DHE
handshake the server accepts, not only for the old clients, so treat it as a temporary
measure while those clients are upgraded.

The server has to be restarted for changes to this attribute to take effect.

Parameter Description

Entry DN cn=encryption,cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString


Example allowWeakDHParam: off

3.1.4.3. nsSSL2

This parameter previously enabled SSL version 2 connections.

NOTE

The SSLv2 protocol is no longer supported in Directory Server and the nsSSL2
parameter is ignored if set. Use TLS v1.1 or higher for secure communications.

3.1.4.4. nsSSL2Ciphers

This attribute previously specified the set of encryption ciphers Directory Server used
during SSL communications.

NOTE

The SSLv2 protocol is no longer supported in Directory Server and the
nsSSL2Ciphers parameter is ignored if set. Use TLS v1.1 or higher for secure
communications.

3.1.4.5. nsSSL3

Enables SSL version 3.


WARNING

The SSLv2 and SSLv3 protocols are deprecated due to the CVE-2014-3566
(POODLE) vulnerability, and Red Hat strongly discourages using them. Use
TLS v1.1 or higher for secure communications.

If the sslVersionMin and sslVersionMax parameters are set in conjunction with nsSSL3
and nsTLS1, Directory Server selects the most secure settings from these parameters.

The server has to be restarted for changes to this attribute to take effect.

Parameter Description

Entry DN cn=encryption,cn=config


Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsSSL3: on

3.1.4.6. nsSSL3Ciphers

This attribute specifies the set of SSLv3 and TLS encryption ciphers Directory Server uses
during encrypted communications.

The value set in this parameter influences the default value of the allowWeakCipher
parameter. For details, see Section 3.1.4.1, “allowWeakCipher”.


WARNING

The SSLv2 and SSLv3 protocols are deprecated due to the CVE-2014-3566
(POODLE) vulnerability, and Red Hat strongly discourages using them. Use
TLS v1.1 or higher for secure communications.

Parameter Description

Entry DN cn=encryption,cn=config

Valid Values Comma separated list of NSS supported ciphers. Additionally, the following
parameters are possible:

default: Enables the default ciphers advertised by NSS except weak ciphers. For further
information, see List supported cipher suites for SSL connections.

+all: All ciphers are enabled. This includes weak ciphers, if the allowWeakCipher
parameter is enabled.

-all: All ciphers are disabled.

Default Value default


Syntax DirectoryString

Use the plus (+) symbol to enable or minus (-) symbol to disable, followed by the ciphers.
Blank spaces are not allowed in the list of ciphers.

To enable all ciphers, except rsa_null_md5, which must be specifically called, specify +all.

Example nsSSL3Ciphers:
+TLS_RSA_AES_128_SHA,+TLS_RSA_AES_256_SHA,+TLS_RSA_WITH_AES_128_GCM_SHA256,-RSA_NULL_SHA

For details how to list all supported ciphers, see the corresponding section in the Red Hat
Directory Server Administration Guide.

3.1.4.7. nsSSL3SessionTimeout

This attribute sets the lifetime duration of an SSLv3 connection. The minimum timeout
value is 5 seconds. If a smaller value is set, it is automatically replaced by 5 seconds.
A value greater than the maximum value in the valid range below is replaced by the
maximum value in the range.

The server has to be restarted for changes to this attribute to go into effect.


WARNING

The SSLv2 and SSLv3 protocols are deprecated due to the CVE-2014-3566
(POODLE) vulnerability, and Red Hat strongly discourages using them. Use
TLS v1.1 or higher for secure communications.

Entry DN cn=encryption,cn=config

Valid Range 5 seconds to 24 hours

Default Value 0, which means use the maximum value in the valid range above.

Syntax Integer

Example nsSSL3SessionTimeout: 5


3.1.4.8. nsSSLActivation

This attribute shows whether a TLS cipher family is enabled for a given security module.

Entry DN cn=encryptionType,cn=encryption,cn=config

Valid Values on | off

Default Value

Syntax DirectoryString

Example nsSSLActivation: on

3.1.4.9. nsSSLClientAuth

This attribute shows how the Directory Server enforces client authentication. It accepts the
following values:

off - the Directory Server will not accept client authentication

allowed (default) - the Directory Server will accept client authentication, but not
require it

required - all clients must use client authentication.

IMPORTANT

The Directory Server Console does not support client authentication.
Therefore, if the nsSSLClientAuth attribute is set to required, the
Console cannot be used to manage the instance.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=encryption,cn=config

Valid Values off | allowed | required

Default Value allowed

Syntax DirectoryString

Example nsSSLClientAuth: allowed

3.1.4.10. nsSSLEnabledCiphers

Directory Server generates the multi-valued nsSSLEnabledCiphers attribute automatically.


The attribute is read-only and displays the ciphers Directory Server currently uses. The list
might not be the same as you set in the nsSSL2Ciphers and nsSSL3Ciphers attribute. For
example, if you set weak ciphers in the nsSSL3Ciphers attribute, but allowWeakCipher is
disabled, the nsSSLEnabledCiphers attribute neither lists the weak ciphers nor does
Directory Server use them.

Parameter Description

Entry DN cn=encryption,cn=config

Valid Values The values of this attribute are auto-generated and read-only.

Default Value

Syntax DirectoryString

Example nsSSLEnabledCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
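
As an added example (not Directory Server or NSS code), this Python models how an
nsSSL3Ciphers value and allowWeakCipher resolve into the read-only nsSSLEnabledCiphers
list described above. The cipher catalogue with its key sizes is constructed, the
weak-cipher rule is the one stated under allowWeakCipher, and the handling of unknown
names and of the default allowWeakCipher value follows the descriptions in these sections.

```python
# Added example, not Directory Server code: a model of how an nsSSL3Ciphers
# value and allowWeakCipher combine into the read-only nsSSLEnabledCiphers list.
# The catalogue below is constructed (a handful of NSS-style suite names with
# their symmetric key sizes); the weak-cipher rule follows the page: EXPORT
# suites, symmetric keys shorter than 128 bits, and suites weaker than 3DES.

# Constructed catalogue: suite name -> (bulk cipher, symmetric key bits).
CATALOGUE = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256": ("AES-GCM", 128),
    "TLS_RSA_WITH_AES_256_CBC_SHA": ("AES", 256),
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": ("3DES", 168),
    "TLS_RSA_WITH_RC4_128_SHA": ("RC4", 128),
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": ("RC4", 40),
    "TLS_RSA_WITH_NULL_SHA": ("NULL", 0),
}
NULL_SUITES = {name for name, (cipher, _) in CATALOGUE.items() if cipher == "NULL"}


def is_weak(name):
    """The page's weakness test: exportable, key shorter than 128 bits, or no cipher at all."""
    cipher, bits = CATALOGUE[name]
    return "EXPORT" in name or bits < 128 or cipher == "NULL"


def parse_cipher_spec(spec):
    """Expand a +/- list into the set of enabled suite names.

    'default' is the NSS default list minus weak suites; '+all' is every suite
    except the NULL ones, which the page says must be named explicitly; later
    tokens override earlier ones. Blank spaces are rejected, as the page
    requires. Unknown names are returned separately instead of failing
    (assumption: the real server logs and skips them)."""
    enabled, unknown = set(), []
    if spec == "default":
        return {n for n in CATALOGUE if not is_weak(n)}, unknown
    for token in spec.split(","):
        if not token or " " in token or token[0] not in "+-":
            raise ValueError(f"malformed nsSSL3Ciphers token: {token!r}")
        sign, name = token[0], token[1:]
        if name.lower() == "all":
            targets = set(CATALOGUE) - NULL_SUITES if sign == "+" else set(CATALOGUE)
        else:
            match = [n for n in CATALOGUE if n.lower() == name.lower()]
            if not match:
                unknown.append(name)
                continue
            targets = set(match)
        enabled = enabled | targets if sign == "+" else enabled - targets
    return enabled, unknown


def resolve_enabled_ciphers(nsssl3ciphers="default", allow_weak_cipher=None):
    """Return what the server would expose: the enabled suite list, the
    effective allowWeakCipher value and any names it could not match."""
    spec = nsssl3ciphers.strip()
    if allow_weak_cipher is None:
        # Default per the page: off for 'default' or '+all', on for a user-specific list.
        allow_weak_cipher = spec not in ("default", "+all")
    enabled, unknown = parse_cipher_spec(spec)
    if not allow_weak_cipher:
        enabled = {n for n in enabled if not is_weak(n)}
    return {"nsSSLEnabledCiphers": sorted(enabled),
            "allowWeakCipher": allow_weak_cipher,
            "unknown": unknown}
```

Note that TLS_RSA_WITH_RC4_128_SHA survives both the default and the +all settings under
the page's three weakness rules, even though RC4 is prohibited for TLS by RFC 7465. An
explicit list of the suites you intend to offer, checked against nsSSLEnabledCiphers after
the restart, is safer than relying on the weak-cipher filter, and the model shows why a
user-specific list also flips allowWeakCipher to on unless you set it yourself.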

3.1.4.11. nsSSLPersonalitySSL

This attribute contains the certificate name to use for SSL.

Entry DN cn=encryption,cn=config

Valid Values A certificate nickname

Default Value

Syntax DirectoryString

Example: nsSSLPersonalitySSL: Server-Cert

3.1.4.12. nsSSLSessionTimeout

This attribute sets the lifetime duration of a TLS connection. The minimum timeout value is
5 seconds. If a smaller value is set, it is automatically replaced by 5 seconds. A value
greater than the maximum value in the valid range below is replaced by the maximum
value in the range.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=encryption,cn=config


Valid Range 5 seconds to 24 hours

Default Value 0, which means use the maximum value in the valid range above.

Syntax Integer

Example nsSSLSessionTimeout: 5

3.1.4.13. nsSSLSupportedCiphers

This attribute contains the supported ciphers for the server.


WARNING

The SSLv2 and SSLv3 protocols are deprecated due to the CVE-2014-3566
(POODLE) vulnerability, and Red Hat strongly discourages using them. Use
TLS v1.1 or higher for secure communications.

Entry DN cn=encryption,cn=config

Valid Values A specific family, cipher, and strength string

Default Value

Syntax DirectoryString

Example: nsSSLSupportedCiphers:
TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1:
:256

3.1.4.14. nsSSLToken

This attribute contains the name of the token (security module) used by the server.

Entry DN cn=encryption,cn=config

Valid Values A module name

Default Value


Syntax DirectoryString

Example: nsSSLToken: internal (software)

3.1.4.15. nsTLS1

Enables TLS version 1. The ciphers used with TLS are defined along with the SSLv3 ciphers
in the nsSSL3Ciphers attribute.

If the sslVersionMin and sslVersionMax parameters are set in conjunction with nsSSL3
and nsTLS1, Directory Server selects the most secure settings from these parameters.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=encryption,cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsTLS1: on

3.1.4.16. sslVersionMin

Sets the minimum version of the SSL or TLS protocol to be used. The default, TLS1.0, still admits protocol versions that are now deprecated; raise it to the newest version all of your clients support, TLS1.2 where possible.

The server has to be restarted for changes to this attribute to go into effect.


WARNING

The SSLv2 and SSLv3 protocols are deprecated due to the CVE-2014-3566
(POODLE) vulnerability, and Red Hat strongly discourages using them. Use
TLS v1.1 or higher for secure communications.

If the sslVersionMin and sslVersionMax parameters are set in conjunction with nsSSL3
and nsTLS1, Directory Server selects the most secure settings from these parameters.

Entry DN cn=encryption,cn=config

Valid Values SSL or TLS protocol version such as TLS1.0


Default Value TLS1.0

Syntax DirectoryString

Example: sslVersionMin: TLS1.1

3.1.4.17. sslVersionMax

Sets the maximum version of the SSL or TLS protocol to be used. By default this value is
set to the newest available protocol version in the NSS library installed on the system.

The server has to be restarted for changes to this attribute to go into effect.


WARNING

The SSLv2 and SSLv3 protocols are deprecated due to the CVE-2014-3566
(POODLE) vulnerability, and Red Hat strongly discourages using them. Use
TLS v1.1 or higher for secure communications.

If the sslVersionMin and sslVersionMax parameters are set in conjunction with nsSSL3
and nsTLS1, Directory Server selects the most secure settings from these parameters.

Entry DN cn=encryption,cn=config

Valid Values SSL or TLS protocol version such as TLS1.0

Default Value Newest available protocol version in the NSS library installed on the system

Syntax DirectoryString

Example: sslVersionMax: TLS1.2

3.1.5. cn=features
There are no attributes for the cn=features entry itself. This entry is only used as a
parent container entry, with the nsContainer object class.

The child entries contain an oid attribute to identify the feature and the
directoryServerFeature object class, plus optional identifying information about the
feature, such as specific ACLs. For example:

dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20190129132357Z
modifyTimestamp: 20190129132357Z

3.1.5.1. oid

The oid attribute contains an object identifier assigned to a directory service feature. oid
is used as the naming attribute for these directory features.

OID 2.16.840.1.113730.3.1.215

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

3.1.6. cn=mapping tree


Configuration attributes for suffixes, replication, and Windows synchronization are
stored under cn=mapping tree,cn=config. Configuration attributes related to
suffixes are found under the suffix subentry cn=suffix, cn=mapping tree,cn=config.

For example, a suffix is the root entry in the directory tree, such as
dc=example,dc=com.

Replication configuration attributes are stored under cn=replica,cn=suffix,cn=mapping tree,cn=config.

Replication agreement attributes are stored under cn=replicationAgreementName,cn=replica,cn=suffix,cn=mapping tree,cn=config.

Windows synchronization agreement attributes are stored under cn=syncAgreementName,cn=replica,cn=suffix,cn=mapping tree,cn=config.

3.1.7. Suffix Configuration Attributes under cn=suffix_DN


Suffix configurations are stored under the cn="suffix_DN",cn=mapping tree,cn=config
entry. These entries are instances of the nsMappingTree object class. The
extensibleObject object class enables entries that belong to it to hold any user attribute.
For suffix configuration attributes to be taken into account by the server, these object
classes, in addition to the top object class, must be present in the entry.

You must write the suffix DN in quotes because it contains characters such as equals signs
(=), commas (,), and space characters. By using quotes, the DN appears correctly as a
value in another DN. For example: cn="dc=example,dc=com",cn=mapping tree,cn=config


For further details, see the corresponding section in the Directory Server Administration
Guide.

3.1.7.1. cn

This mandatory attribute sets the relative distinguished name (RDN) of a new suffix.

Parameter Description

Entry DN cn=suffix_DN,cn=mapping tree,cn=config

Valid Values Any valid LDAP DN

Default Value

Syntax DirectoryString

Example cn: dc=example,dc=com

3.1.7.2. nsslapd-backend

This parameter sets the name of the database or database link used to process requests. It
is multi-valued, with one database or database link per value. This attribute is required
when the value of the nsslapd-state attribute is set to backend or referral on update.

Set the value to the name of the back-end database entry instance under cn=ldbm
database,cn=plugins,cn=config. For example: o=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config

Parameter Description

Entry DN cn=suffix_DN,cn=mapping tree,cn=config

Valid Values Any valid partition name

Default Value

Syntax DirectoryString

Example nsslapd-backend: userRoot

3.1.7.3. nsslapd-distribution-function

The nsslapd-distribution-function parameter sets the name of the custom distribution
function. You must set this attribute when you set more than one database in the
nsslapd-backend attribute.

For further details about the custom distribution function, see the corresponding section in
the Directory Server Administration Guide.


Parameter Description

Entry DN cn=suffix_DN,cn=mapping tree,cn=config

Valid Values Any valid distribution function

Default Value

Syntax DirectoryString

Example nsslapd-distribution-function: distribution_function_name

3.1.7.4. nsslapd-distribution-plugin

The nsslapd-distribution-plugin parameter sets the shared library to be used with the custom
distribution function. You must set this attribute when you set more than one database in
the nsslapd-backend attribute.

For further details about the custom distribution function, see the corresponding section in
the Directory Server Administration Guide.

Parameter Description

Entry DN cn=suffix_DN,cn=mapping tree,cn=config

Valid Values Any valid distribution plug-in

Default Value

Syntax DirectoryString

Example nsslapd-distribution-plugin: /path/to/shared/library

3.1.7.5. nsslapd-parent

If you want to create a sub suffix, use the nsslapd-parent attribute to define the parent
suffix.

If the attribute is not set, the new suffix is created as a root suffix.

Parameter Description

Entry DN cn=suffix_DN,cn=mapping tree,cn=config

Valid Values Any valid partition name

Default Value

Syntax DirectoryString

Example nsslapd-parent-suffix: dc=example,dc=com

3.1.7.6. nsslapd-referral

This attribute sets the LDAP URL of the referral to be returned by the suffix. You can add
the nsslapd-referral attribute multiple times to set multiple referral URLs.

You must set this attribute if you set the nsslapd-state parameter to referral or on
update.

Parameter Description

Entry DN cn=suffix_DN,cn=mapping tree,cn=config

Valid Values Any valid LDAP URL

Default Value

Syntax DirectoryString

Example nsslapd-referral: ldap://example.com/

3.1.7.7. nsslapd-state

This parameter determines how a suffix handles operations. The attribute takes the
following values:

backend: The back-end database processes all operations.

disabled: The database is not available for processing operations. The server
returns a No such search object error in response to requests made by client
applications.

referral: Directory Server returns a referral URL for requests to this suffix.

referral on update: The database processes all operations except updates; for update
requests, the server sends a referral instead.

Parameter Description

Entry DN cn=suffix_DN,cn=mapping tree,cn=config

Valid Values backend | disabled | referral | referral on update

Default Value backend

Syntax DirectoryString

Example nsslapd-state: backend
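As an added example (not code from this reference or from Directory Server), the following Python code builds a suffix entry of the form described in Sections 3.1.7.1 to 3.1.7.7 and rejects the combinations the reference marks as invalid: a missing nsslapd-backend for the backend and "referral on update" states, a missing nsslapd-referral for the referral states, and several back ends without a distribution function and plug-in. The back-end names, referral URL and distribution values used in the usage section are constructed.

```python
"""Build and validate a cn="suffix_DN",cn=mapping tree,cn=config entry (added example).

Rules applied are those of section 3.1.7: the suffix DN is quoted inside the
RDN because it contains '=' and ','; the entry carries the top, extensibleObject
and nsMappingTree object classes; nsslapd-backend is required for the backend
and "referral on update" states; nsslapd-referral is required for the referral
states; and the distribution function plus plug-in are required when more than
one back end is listed. Not part of the reference or of the product.
"""

VALID_STATES = ("backend", "disabled", "referral", "referral on update")


def validate_suffix_config(state, backends=(), referrals=(),
                           distribution_function=None, distribution_plugin=None):
    """Return a list of problems with the proposed settings (empty = acceptable)."""
    problems = []
    if state not in VALID_STATES:
        problems.append("nsslapd-state must be one of: %s" % ", ".join(VALID_STATES))
        return problems
    if state in ("backend", "referral on update") and not backends:
        problems.append("nsslapd-backend is required when nsslapd-state is '%s'" % state)
    if state in ("referral", "referral on update") and not referrals:
        problems.append("nsslapd-referral is required when nsslapd-state is '%s'" % state)
    if len(backends) > 1 and not (distribution_function and distribution_plugin):
        problems.append("nsslapd-distribution-function and nsslapd-distribution-plugin "
                        "are required when more than one back end is set")
    return problems


def build_suffix_entry(suffix_dn, state="backend", backends=(), referrals=(),
                       distribution_function=None, distribution_plugin=None,
                       parent_suffix=None):
    """Return LDIF text for the mapping tree entry, or raise ValueError."""
    problems = validate_suffix_config(state, backends, referrals,
                                      distribution_function, distribution_plugin)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        # The DN value is quoted so that its '=' and ',' are taken literally.
        'dn: cn="%s",cn=mapping tree,cn=config' % suffix_dn,
        "objectClass: top",
        "objectClass: extensibleObject",
        "objectClass: nsMappingTree",
        "cn: %s" % suffix_dn,
        "nsslapd-state: %s" % state,
    ]
    lines.extend("nsslapd-backend: %s" % name for name in backends)
    lines.extend("nsslapd-referral: %s" % url for url in referrals)
    if len(backends) > 1:
        lines.append("nsslapd-distribution-function: %s" % distribution_function)
        lines.append("nsslapd-distribution-plugin: %s" % distribution_plugin)
    if parent_suffix:
        # Attribute name as written in the example of section 3.1.7.5.
        lines.append("nsslapd-parent-suffix: %s" % parent_suffix)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # A plain suffix served by the userRoot back end.
    print(build_suffix_entry("dc=example,dc=com", backends=("userRoot",)))
    # A sub-suffix whose updates are referred to another server (constructed values).
    print(build_suffix_entry("ou=branch,dc=example,dc=com", state="referral on update",
                             backends=("branchRoot",),
                             referrals=("ldap://master.example.com:389/ou=branch,dc=example,dc=com",),
                             parent_suffix="dc=example,dc=com"))
    # Misconfiguration: two back ends without a distribution function.
    print(validate_suffix_config("backend", backends=("db1", "db2")))
```

The LDIF that build_suffix_entry returns can be fed to ldapmodify as an add operation; validate_suffix_config can be run on its own before touching a live server.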

3.1.8. Replication Attributes under cn=replica,cn=suffixDN,cn=mapping tree,cn=config

Replication configuration attributes are stored under cn=replica,cn=suffix, cn=mapping
tree,cn=config. The cn=replica entry is an instance of the nsDS5Replica object class.
For replication configuration attributes to be taken into account by the server, this object
class (in addition to the top object class) must be present in the entry. For further
information about replication, see the "Managing Replication" chapter in the Red Hat
Directory Server Administration Guide.

The cn=replica,cn=suffix,cn=mapping tree,cn=config entry must contain the following object classes:

top

extensibleObject

nsds5replica

3.1.8.1. cn

Sets the naming attribute for the replica. The cn attribute must be set to replica.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values The value must be set to replica.

Default Value replica

Syntax DirectoryString

Example cn: replica

3.1.8.2. nsds5DebugReplicaTimeout

This attribute gives an alternate timeout period to use when the replication is run with
debug logging. This can set only the time or both the time and the debug level:

nsds5debugreplicatimeout: seconds[:debuglevel]

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values Any numeric string

Default Value

Syntax DirectoryString

Example nsds5debugreplicatimeout: 60:8192

3.1.8.3. nsDS5Flags

This attribute sets replica properties that were previously defined in flags. At present only
one flag exists, which sets whether the replica writes changes to the changelog.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values 0|1

0: The replica does not write to the changelog; this is the default for consumers.

1: The replica writes to the changelog; this is the default for hubs and suppliers.

Default Value 0

Syntax Integer

Example nsDS5Flags: 0

3.1.8.4. nsDS5ReplConflict

Although this attribute is not in the cn=replica entry, it is used in conjunction with
replication. This multi-valued attribute is included on entries that have a change conflict
that cannot be resolved automatically by the synchronization process. To check for
replication conflicts requiring administrator intervention, perform an LDAP search for
(nsDS5ReplConflict=*). For example:

# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x -s sub -b dc=example,dc=com "(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))" dn nsDS5ReplConflict nsUniqueID

Using the search filter "(objectclass=nsTombstone)" also shows tombstone (deleted)
entries. The value of the nsDS5ReplConflict contains more information about which
entries are in conflict, usually by referring to them by their nsUniqueID. It is possible to
search for a tombstone entry by its nsUniqueID. For example:

# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x -s sub -b dc=example,dc=com "(|(objectclass=nsTombstone)(nsUniqueID=66a2b699-1dd211b2-807fa9c3-a58714648))"
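The following Python script is added here as an example and is not part of this reference. It parses the LDIF that the first ldapsearch above prints, treats every returned entry that carries nsDS5ReplConflict as a conflict and every other returned entry as a tombstone (the filter matches nothing else), and reports for each conflict which nsUniqueID values its nsDS5ReplConflict value and DN mention and which of those correspond to a tombstone in the same result. The sample output is constructed to have that shape; the conflict values, DNs and IDs are made up, and the regular expression assumes the 8-8-8-9 hexadecimal nsUniqueID layout shown in the reference.

```python
"""Triage nsDS5ReplConflict search output (added example, not from the reference).

Parses ldapsearch LDIF output (folded lines and base64 "::" values included),
separates conflict entries from tombstones, and cross-references the
nsUniqueID values that conflict entries mention with the tombstones returned
by the same search. The sample below is constructed, not real server output.
"""

import base64
import re

# nsUniqueID values have the 8-8-8-9 hexadecimal shape shown in the reference.
UNIQUEID_RE = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{9}\b", re.I)


def _lines_to_entry(raw_lines):
    """Turn the unfolded lines of one entry into attribute -> [values]."""
    entry = {}
    for line in raw_lines:
        name, _sep, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entry


def parse_ldif(text):
    """Return a list of entries (dicts, attribute names lower-cased)."""
    entries, raw_lines = [], []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith(" ") and raw_lines:
            raw_lines[-1] += line[1:]  # unfold a continuation line
            continue
        if line == "":
            if raw_lines:
                entries.append(_lines_to_entry(raw_lines))
            raw_lines = []
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        raw_lines.append(line)
    return entries


def triage_conflicts(ldif_text):
    """Return [(conflict_dn, referenced_ids, matching_tombstone_dns), ...]."""
    entries = parse_ldif(ldif_text)
    # Entries without nsDS5ReplConflict matched the (objectclass=nsTombstone) branch.
    tombstones = {}
    for entry in entries:
        if "nsds5replconflict" not in entry:
            for uid in entry.get("nsuniqueid", []):
                tombstones[uid.lower()] = entry["dn"][0]
    report = []
    for entry in entries:
        if "nsds5replconflict" not in entry:
            continue
        referenced = set()
        for value in entry["nsds5replconflict"] + entry["dn"]:
            referenced.update(m.lower() for m in UNIQUEID_RE.findall(value))
        # The conflict entry's own ID is not a reference to another entry.
        referenced -= {uid.lower() for uid in entry.get("nsuniqueid", [])}
        matches = sorted(tombstones[uid] for uid in referenced if uid in tombstones)
        report.append((entry["dn"][0], sorted(referenced), matches))
    return report


# Constructed sample in the shape of the search output above (values are made up).
SAMPLE_OUTPUT = """\
# extended LDIF
#
# base <dc=example,dc=com> with scope subtree
#
dn: nsuniqueid=2b1c4a10-4e9211e9-8a7bb1f3-9d2c41a10+uid=jdoe,ou=People,dc=example,
 dc=com
nsDS5ReplConflict: namingConflict 66a2b699-1dd211b2-807fa9c3-a58714648
nsUniqueID: 2b1c4a10-4e9211e9-8a7bb1f3-9d2c41a10

dn: nsuniqueid=66a2b699-1dd211b2-807fa9c3-a58714648,uid=jdoe,ou=People,dc=example,dc=com
nsUniqueID: 66a2b699-1dd211b2-807fa9c3-a58714648

dn: nsuniqueid=0a3f9c21-4e9211e9-8a7bb1f3-9d2c41a10+cn=printers,ou=Groups,dc=example,dc=com
nsDS5ReplConflict: namingConflict 7c5d1e02-4e9211e9-8a7bb1f3-9d2c41a10
nsUniqueID: 0a3f9c21-4e9211e9-8a7bb1f3-9d2c41a10
"""

if __name__ == "__main__":
    for conflict_dn, ids, tombstone_dns in triage_conflicts(SAMPLE_OUTPUT):
        print(conflict_dn)
        print("  references:", ", ".join(ids) or "none")
        print("  tombstones:", ", ".join(tombstone_dns) or "none")
```

A conflict whose referenced ID has no matching tombstone in the result is the one that needs the second, targeted ldapsearch above; those with a match can be resolved from the same output.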

3.1.8.5. nsDS5ReplicaAutoReferral

This attribute sets whether the Directory Server follows configured referrals for the
database.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values on | off

Default Value

Syntax DirectoryString

Example nsDS5ReplicaAutoReferral: on

3.1.8.6. nsState

This attribute stores information on the state of the clock. It is designed only for internal
use, to ensure that the server cannot generate a change sequence number (CSN) lower than
existing ones, which is required for detecting backward clock errors.

3.1.8.7. nsDS5ReplicaAbortCleanRUV

This read-only attribute specifies whether the background task that removes old RUV
entries for obsolete or missing suppliers is being aborted. See Section 3.1.16.13, “cn=abort
cleanallruv” for more information about this task. A value of 0 means that the task is
inactive, and a value of 1 means that the task is active.

This attribute is present to allow the abort task to be resumed after a server restart. When
the task completes, the attribute is deleted.

The server ignores the modify request if this value is set manually.


Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values 0|1

Default Value None

Syntax Integer

Example nsDS5ReplicaAbortCleanRUV: 1

3.1.8.8. nsds5ReplicaBackoffMin and nsds5ReplicaBackoffMax

These attributes are used in environments with heavy replication traffic, where updates
need to be sent as fast as possible.

By default, if a remote replica is busy, the replication protocol goes into a "back off" state
and retries sending updates at the next interval of the back-off timer. By default, the
timer starts at 3 seconds and has a maximum wait period of 5 minutes. As these default
settings may not be sufficient under certain circumstances, you can use
nsds5ReplicaBackoffMin and nsds5ReplicaBackoffMax to configure the minimum and
maximum wait times.

The configuration settings can be applied while the server is online, and do not require a
server restart. If invalid settings are used, then the default values are used instead. The
configuration must be handled through CLI tools.

3.1.8.9. nsDS5ReplicaBindDN

This multi-valued attribute specifies the DN to use when binding. Although there can be
more than one value in this cn=replica entry, there can only be one supplier bind DN per
replication agreement. Each value should be the DN of a local entry on the consumer
server. If replication suppliers are using client certificate-based authentication to connect to
the consumers, configure the certificate mapping on the consumer to map the subjectDN
in the certificate to a local entry.

IMPORTANT

For security reasons, do not set this attribute to cn=Directory Manager.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values Any valid DN


Default Value

Syntax DirectoryString

Example nsDS5ReplicaBindDN: cn=replication manager,cn=config

3.1.8.10. nsDS5ReplicaBindDNGroup

The nsDS5ReplicaBindDNGroup attribute specifies a group DN. This group is then expanded
and its members, including the members of its subgroups, are added to the
replicaBindDNs attribute at startup or when the replica object is modified. This extends
the functionality provided by the nsDS5ReplicaBindDN attribute, because it allows a group
DN to be set instead of individual bind DNs.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values Any valid group DN

Default Value

Syntax DirectoryString

Example nsDS5ReplicaBindDNGroup: cn=sample_group,ou=groups,dc=example,dc=com

3.1.8.11. nsDS5ReplicaBindDNGroupCheckInterval

Directory Server checks for any changes in the groups specified in the
nsDS5ReplicaBindDNGroup attribute and automatically rebuilds the list for the
replicaBindDN parameter accordingly. These operations have a negative effect on
performance and are therefore performed only at a specified interval set in the
nsDS5ReplicaBindDNGroupCheckInterval attribute.

This attribute accepts the following values:

-1: Disables the dynamic check at runtime. The administrator must restart the
instance when the nsDS5ReplicaBindDNGroup attribute changes.

0: Directory Server rebuilds the lists immediately after the groups are changed.

Any positive 32-bit integer value: Minimum number of seconds that are required to
pass since the last rebuild.


Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values -1 to maximum 32-bit integer (2147483647)

Default Value -1

Syntax Integer

Example nsDS5ReplicaBindDNGroupCheckInterval: 0

3.1.8.12. nsDS5ReplicaChangeCount

This read-only attribute shows the total number of entries in the changelog and whether
they still remain to be replicated. When the changelog is purged, only the entries that are
still to be replicated remain.

See Section 3.1.8.18, “nsDS5ReplicaPurgeDelay” and Section 3.1.8.23,
“nsDS5ReplicaTombstonePurgeInterval” for more information about purge operation
properties.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Range -1 to maximum 32-bit integer (2147483647)

Default Value

Syntax Integer

Example nsDS5ReplicaChangeCount: 675

3.1.8.13. nsDS5ReplicaCleanRUV

This read-only attribute specifies whether the background task that removes old RUV
entries for obsolete or missing suppliers is active. See Section 3.1.16.12, “cn=cleanallruv”
for more information about this task. A value of 0 means that the task is inactive, and a
value of 1 means that the task is active.

This attribute is present to allow the cleanup task to be resumed after a server restart.
When the task completes, the attribute is deleted.

The server ignores the modify request if this value is set manually.


Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values 0|1

Default Value None

Syntax Integer

Example nsDS5ReplicaCleanRUV: 0

3.1.8.14. nsDS5ReplicaId

This attribute sets the unique ID for suppliers in a given replication environment.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Range For suppliers: 1 to 65534

For consumers and hubs: 65535

Default Value

Syntax Integer

Example nsDS5ReplicaId: 1

3.1.8.15. nsDS5ReplicaLegacyConsumer

If this attribute is absent or has a value of false, then it means that the replica is not a
legacy consumer.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values true | false

Default Value false

Syntax DirectoryString


Example nsDS5ReplicaLegacyConsumer: false

3.1.8.16. nsDS5ReplicaName

This attribute specifies the name of the replica with a unique identifier for internal
operations. If it is not specified, this unique identifier is allocated by the server when the
replica is created.

NOTE

It is recommended that the server be permitted to generate this name.
However, in certain circumstances, for example, in replica role changes
(master to hub etc.), this value needs to be specified. Otherwise, the server
will not use the correct changelog database, and replication fails.

This attribute is destined for internal use only.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values

Default Value

Syntax DirectoryString (a UID identifies the replica)

Example nsDS5ReplicaName: 66a2b699-1dd211b2-807fa9c3-a58714648

3.1.8.17. nsds5ReplicaProtocolTimeout

When stopping the server, disabling replication, or removing a replication agreement, there
is a timeout on how long to wait before stopping replication when the server is under load.
The nsds5ReplicaProtocolTimeout attribute can be used to configure this timeout and its
default value is 120 seconds.

There may be scenarios where a timeout of 2 minutes is too long, or not long enough. For
example, a particular replication agreement may need more time before ending a
replication session during a shutdown.

This attribute can be added to the main replication configuration entry for a back end:


Parameter Description

Entry DN cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config

Valid Range 0 to maximum 32-bit integer (2147483647) in seconds

Default value 120

Syntax Integer

Example nsds5ReplicaProtocolTimeout: 120

The nsds5ReplicaProtocolTimeout attribute can also be added to a replication
agreement. The replication agreement protocol timeout overrides the timeout set in the
main replica configuration entry. This allows different timeouts for different replication
agreements. If a replication session is in progress, a new timeout will abort that session and
allow the server to shut down.

3.1.8.18. nsDS5ReplicaPurgeDelay

This attribute controls the maximum age of deleted entries (tombstone entries) and state
information.

The Directory Server stores tombstone entries and state information so that when a conflict
occurs in a multi-master replication process, the server resolves the conflicts based on the
timestamp and replica ID stored in the change sequence numbers.

An internal Directory Server housekeeping operation periodically removes tombstone
entries which are older than the value of this attribute (in seconds). State information
which is older than the nsDS5ReplicaPurgeDelay value is removed when an entry which
contains the state information is modified.

Not every tombstone or piece of state information is removed, because with multi-master
replication the server may need to keep a small number of the latest updates to prime
replication, even if they are older than the value of the attribute.

This attribute specifies the interval, in seconds, to perform internal purge operations on an
entry. When setting this attribute, ensure that the purge delay is longer than the longest
replication cycle in the replication policy to preserve enough information to resolve
replication conflicts and to prevent the copies of data stored in different servers from
diverging.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Range 0 (keep forever) to maximum 32-bit integer (2147483647)


Default Value 604800 [1 week (60x60x24x7)]

Syntax Integer

Example nsDS5ReplicaPurgeDelay: 604800

3.1.8.19. nsDS5ReplicaReapActive

This read-only attribute specifies whether the background task that removes old
tombstones (deleted entries) from the database is active. See Section 3.1.8.23,
“nsDS5ReplicaTombstonePurgeInterval” for more information about this task. A value of 0
means that the task is inactive, and a value of 1 means that the task is active. The server
ignores the modify request if this value is set manually.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values 0|1

Default Value

Syntax Integer

Example nsDS5ReplicaReapActive: 0

3.1.8.20. nsDS5ReplicaReferral

This multi-valued attribute specifies the user-defined referrals. This should only be defined
on a consumer. User referrals are only returned when a client attempts to modify data on a
read-only consumer. This optional referral overrides the referral that is automatically
configured by the consumer by the replication protocol.

The URL can use the format ldap[s]://host_name:port_number or
ldap[s]://IP_address:port_number, with an IPv4 or IPv6 address.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values Any valid LDAP URL

Default Value


Syntax DirectoryString

Example nsDS5ReplicaReferral: ldap://server.example.com:389

3.1.8.21. nsDS5ReplicaReleaseTimeout

This attribute, when used on masters and hubs in multi-master scenarios, determines a
timeout period (in seconds) after which a master will release a replica. This is useful in
situations where problems such as a slow network connection cause one master to acquire
access to a replica and hold it for a long time, preventing all other masters from accessing
it and sending updates. If this attribute is set, replicas are released by masters after the
specified period, resulting in improved replication performance.

Setting this attribute to 0 disables the timeout. Any other value determines the length of
the timeout in seconds.

IMPORTANT

Avoid setting this attribute to values between 1 and 30. In most scenarios,
short timeouts decrease the replication performance.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Values 0 to maximum 32-bit integer (2147483647) in seconds

Default Value 60

Syntax Integer

Example nsDS5ReplicaReleaseTimeout: 60

3.1.8.22. nsDS5ReplicaRoot

This attribute sets the DN at the root of a replicated area. This attribute must have the
same value as the suffix of the database being replicated and cannot be modified.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config


Valid Values Suffix of the database being replicated, which is the suffix DN

Default Value

Syntax DirectoryString

Example nsDS5ReplicaRoot: "dc=example,dc=com"

3.1.8.23. nsDS5ReplicaTombstonePurgeInterval

This attribute specifies the time interval in seconds between purge operation cycles.

Periodically, the server runs an internal housekeeping operation to purge old update and
state information from the changelog and the main database. See Section 3.1.8.18,
“nsDS5ReplicaPurgeDelay”.

When setting this attribute, remember that the purge operation is time-consuming,
especially if the server handles many delete operations from clients and suppliers.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config

Valid Range 0 to maximum 32-bit integer (2147483647) in seconds

Default Value 86400 (1 day)

Syntax Integer

Example nsDS5ReplicaTombstonePurgeInterval: 86400

3.1.8.24. nsDS5ReplicaType

Defines the type of replication relationship that exists between this replica and the others.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config


Valid Values 0|1|2|3

0 means unknown

1 means primary (not yet used)

2 means consumer (read-only)

3 means consumer/supplier (updateable)

Default Value

Syntax Integer

Example nsDS5ReplicaType: 2

3.1.8.25. nsds5Task

This attribute launches a replication task, such as dumping the database contents to an
LDIF file or removing obsolete masters from the replication topology.

You can set the nsds5Task attribute to one of the following values:

cl2ldif: Exports the changelog to an LDIF file in the
/var/lib/dirsrv/slapd-instance_name/changelogdb/ directory.

ldif2cl: Imports the changelog from an LDIF file stored in the
/var/lib/dirsrv/slapd-instance_name/changelogdb/ directory.

cleanruv: Removes a Replica Update Vector (RUV) from the master where you run
the operation.

cleanallruv: Removes RUVs from all servers in a replication topology.

You do not have to restart the server for this setting to take effect.

Parameter Description

Entry DN cn=replica,cn=suffixDN,cn=mapping
tree,cn=config


Valid Values cl2ldif | ldif2cl | cleanruv | cleanallruv

Default Value

Syntax DirectoryString

Example nsds5Task: cleanallruv
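As an added example (not the reference's or the product's code), the following Python code derives a cn=replica entry from a role name and checks the values against the constraints stated in Section 3.1.8: replica IDs of 1 to 65534 for suppliers and 65535 for hubs and consumers, the changelog flag for hubs and suppliers only, the rule that the bind DN must not be cn=Directory Manager, the discouraged release timeout of 1 to 30 seconds, and a purge delay longer than the longest replication cycle. Mapping the hub role to nsDS5ReplicaType 2 with nsDS5Flags 1 is an assumption made for this example; the suffix and bind DN values are constructed.

```python
"""Build and check a cn=replica entry (added example, not from the reference).

Encodes the constraints of section 3.1.8 for the replica ID, replica type,
changelog flag, bind DN, release timeout and purge delay. The hub mapping
(read-only type 2 with the changelog flag set) is an assumption of this example.
"""

ROLE_SETTINGS = {
    # role: (nsDS5ReplicaType, nsDS5Flags)
    "supplier": (3, 1),  # consumer/supplier (updateable), writes the changelog
    "hub": (2, 1),       # read-only but writes the changelog (assumption)
    "consumer": (2, 0),  # read-only, no changelog
}
MAX_INT32 = 2147483647


def validate_replica(role, replica_id, bind_dns, release_timeout=60,
                     purge_delay=604800, longest_cycle_seconds=0):
    """Return a list of problems; an empty list means the settings are acceptable."""
    problems = []
    if role not in ROLE_SETTINGS:
        return ["unknown role %r" % role]
    if role == "supplier":
        if not 1 <= replica_id <= 65534:
            problems.append("supplier replica ID must be 1 to 65534, got %d" % replica_id)
    elif replica_id != 65535:
        problems.append("%s replica ID must be 65535, got %d" % (role, replica_id))
    if not bind_dns:
        problems.append("at least one nsDS5ReplicaBindDN is required")
    for dn in bind_dns:
        if dn.replace(" ", "").lower() == "cn=directorymanager":
            problems.append("nsDS5ReplicaBindDN must not be cn=Directory Manager")
    if 1 <= release_timeout <= 30:
        problems.append("nsDS5ReplicaReleaseTimeout %d is between 1 and 30; "
                        "short timeouts decrease replication performance" % release_timeout)
    if not 0 <= release_timeout <= MAX_INT32:
        problems.append("nsDS5ReplicaReleaseTimeout out of range")
    if not 0 <= purge_delay <= MAX_INT32:
        problems.append("nsDS5ReplicaPurgeDelay out of range")
    elif purge_delay and purge_delay <= longest_cycle_seconds:
        # 0 means "keep forever" and is exempt from the cycle-length rule.
        problems.append("nsDS5ReplicaPurgeDelay must exceed the longest replication cycle")
    return problems


def build_replica_entry(suffix_dn, role, replica_id, bind_dns, release_timeout=60,
                        purge_delay=604800, longest_cycle_seconds=0):
    """Return LDIF for cn=replica under the suffix's mapping tree entry, or raise ValueError."""
    problems = validate_replica(role, replica_id, bind_dns, release_timeout,
                                purge_delay, longest_cycle_seconds)
    if problems:
        raise ValueError("; ".join(problems))
    replica_type, flags = ROLE_SETTINGS[role]
    lines = [
        'dn: cn=replica,cn="%s",cn=mapping tree,cn=config' % suffix_dn,
        "objectClass: top",
        "objectClass: extensibleObject",
        "objectClass: nsds5replica",
        "cn: replica",
        "nsDS5ReplicaRoot: %s" % suffix_dn,  # must equal the replicated suffix
        "nsDS5ReplicaId: %d" % replica_id,
        "nsDS5ReplicaType: %d" % replica_type,
        "nsDS5Flags: %d" % flags,
        "nsDS5ReplicaReleaseTimeout: %d" % release_timeout,
        "nsDS5ReplicaPurgeDelay: %d" % purge_delay,
    ]
    lines.extend("nsDS5ReplicaBindDN: %s" % dn for dn in bind_dns)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    manager = "cn=replication manager,cn=config"  # constructed bind DN
    print(build_replica_entry("dc=example,dc=com", "supplier", 1, [manager]))
    print(build_replica_entry("dc=example,dc=com", "consumer", 65535, [manager]))
    # A consumer with a supplier-range ID, the Directory Manager as bind DN and a short timeout.
    print(validate_replica("consumer", 7, ["cn=Directory Manager"], release_timeout=10))
```

validate_replica is meant to run before an ldapmodify that creates or changes the entry; the purge delay check needs the longest replication cycle of the topology as input, which the reference says the administrator must know to set the value correctly.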

3.1.9. Replication Attributes under cn=ReplicationAgreementName,cn=replica,cn=suffixName,cn=mapping tree,cn=config

The replication attributes that concern the replication agreement are stored under
cn=ReplicationAgreementName, cn=replica,cn=suffixDN, cn=mapping tree,cn=config.
The cn=ReplicationAgreementName entry is an instance of the
nsDS5ReplicationAgreement object class. Replication agreements are configured only on
supplier replicas.

3.1.9.1. cn

This attribute is used for naming. Once this attribute has been set, it cannot be modified.
This attribute is required for setting up a replication agreement.

Parameter Description

Entry DN cn=ReplicationAgreementName,cn=replica,cn
=suffixDN,cn=mapping tree,cn=config

Valid Values Any valid cn

Default Value

Syntax DirectoryString

Example cn: MasterAtoMasterB

3.1.9.2. description

Free form text description of the replication agreement. This attribute can be modified.


Parameter Description

Entry DN cn=ReplicationAgreementName,cn=replica,cn
=suffixDN,cn=mapping tree,cn=config

Valid Values Any string

Default Value

Syntax DirectoryString

Example description: Replication Agreement between Server A and Server B.

3.1.9.3. nsDS5ReplicaBindDN

This attribute sets the DN to use when binding to the consumer during replication. The
value of this attribute must be the same as the one in cn=replica on the consumer replica.
This may be empty if certificate-based authentication is used, in which case the DN used is
the subject DN of the certificate, and the consumer must have appropriate client certificate
mapping enabled. This can also be modified.

Parameter Description

Entry DN cn=ReplicationAgreementName,cn=replica,cn
=suffixDN,cn=mapping tree,cn=config

Valid Values Any valid DN (can be empty if client certificates are used)

Default Value

Syntax DirectoryString

Example nsDS5ReplicaBindDN: cn=replication manager,cn=config

3.1.9.4. nsDS5ReplicaBindMethod

This attribute sets the method for the server to use to bind to the consumer server.

The nsDS5ReplicaBindMethod supports the following values:

Empty or SIMPLE: The server uses password-based authentication. When using this
bind method, additionally, set the nsds5ReplicaBindDN and
nsds5ReplicaCredentials parameters to provide a user name and password.

SSLCLIENTAUTH: Enables certificate-based authentication between the supplier and
consumer. For this, the consumer server must have a certificate mapping configured
to map the supplier's certificate to the replication manager entry.


SASL/GSSAPI: Enables Kerberos authentication using SASL. This requires that the
supplier server have a Kerberos keytab, and the consumer server a SASL mapping
entry configured to map the supplier's Kerberos principal to the replication manager
entry.

For further details, see the following sections in the Red Hat Directory Server
Administration Guide:

About the KDC Server and Keytabs

Configuring SASL Identity Mapping from the Console

SASL/DIGEST-MD5: Enables password-based authentication using SASL with the
DIGEST-MD5 mechanism. When using this bind method, additionally, set the
nsds5ReplicaBindDN and nsds5ReplicaCredentials parameters to provide a user
name and password.

Parameter Description

Entry DN cn=ReplicationAgreementName,cn=replica,cn
=suffixDN,cn=mapping tree,cn=config

Valid Values SIMPLE | SSLCLIENTAUTH | SASL/GSSAPI | SASL/DIGEST-MD5

Default Value SIMPLE

Syntax DirectoryString

Example nsDS5ReplicaBindMethod: SIMPLE

3.1.9.5. nsDS5ReplicaBusyWaitTime

This attribute sets the amount of time in seconds a supplier should wait after a consumer
sends back a busy response before making another attempt to acquire access. The default
value is three (3) seconds. If the attribute is set to a negative value, Directory Server sends
the client a message and an LDAP_UNWILLING_TO_PERFORM error code.

The nsDS5ReplicaBusyWaitTime attribute works in conjunction with the
nsDS5ReplicaSessionPauseTime attribute. The two attributes are designed so that the
nsDS5ReplicaSessionPauseTime interval is always at least one second longer than the
interval specified for nsDS5ReplicaBusyWaitTime. The longer interval gives waiting
suppliers a better chance to gain consumer access before the previous supplier can
re-access the consumer.

Set the nsDS5ReplicaBusyWaitTime attribute at any time by using changetype: modify
with the replace operation. The change takes effect for the next update session if one is
already in progress.

Parameter Description


Entry DN cn=ReplicationAgreementName,cn=replica,cn
=suffixDN,cn=mapping tree,cn=config

Valid Values Any valid integer

Default Value 3

Syntax Integer

Example nsDS5ReplicaBusyWaitTime: 3
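The following Python check is an added example, not code from this reference, that applies the rules of Sections 3.1.9.3 to 3.1.9.5 to the attributes of one replication agreement: SIMPLE and SASL/DIGEST-MD5 require a bind DN and credentials, SSLCLIENTAUTH and SASL/GSSAPI authenticate through the consumer's certificate or SASL mapping, a negative nsDS5ReplicaBusyWaitTime is rejected by the server with LDAP_UNWILLING_TO_PERFORM, and nsDS5ReplicaSessionPauseTime should exceed the busy wait time by at least one second. The agreement dictionaries are constructed; the finding that stored credentials are unused with the certificate and Kerberos methods is this example's own hardening choice, not a statement from the reference.

```python
"""Check a replication agreement's bind method and wait times (added example).

Applies the requirements described for nsDS5ReplicaBindDN, nsDS5ReplicaBindMethod
and nsDS5ReplicaBusyWaitTime to a dict of agreement attributes. Not part of
the reference or of Directory Server; sample agreements are constructed.
"""

VALID_METHODS = ("SIMPLE", "SSLCLIENTAUTH", "SASL/GSSAPI", "SASL/DIGEST-MD5")
PASSWORD_METHODS = ("SIMPLE", "SASL/DIGEST-MD5")


def check_agreement(agreement):
    """Return a list of findings for a dict of agreement attributes (empty = fine).

    Keys are attribute names as written in dse.ldif. An absent or empty
    nsDS5ReplicaBindMethod means SIMPLE, as the reference states.
    """
    findings = []
    method = (agreement.get("nsDS5ReplicaBindMethod") or "SIMPLE").upper()
    bind_dn = agreement.get("nsDS5ReplicaBindDN", "")
    credentials = agreement.get("nsDS5ReplicaCredentials", "")

    if method not in VALID_METHODS:
        findings.append("unsupported nsDS5ReplicaBindMethod %r" % method)
    elif method in PASSWORD_METHODS:
        if not bind_dn:
            findings.append("%s requires nsDS5ReplicaBindDN" % method)
        if not credentials:
            findings.append("%s requires nsDS5ReplicaCredentials" % method)
        if bind_dn.replace(" ", "").lower() == "cn=directorymanager":
            findings.append("replication bind DN must not be cn=Directory Manager")
    elif credentials:
        # Certificate and Kerberos methods are resolved by mappings on the
        # consumer; a stored password is unused there (this example's choice).
        findings.append("%s does not use nsDS5ReplicaCredentials; consider removing it" % method)

    busy_wait = int(agreement.get("nsDS5ReplicaBusyWaitTime", 3))
    if busy_wait < 0:
        findings.append("negative nsDS5ReplicaBusyWaitTime is rejected (LDAP_UNWILLING_TO_PERFORM)")
    pause = agreement.get("nsDS5ReplicaSessionPauseTime")
    if pause is not None and busy_wait >= 0 and int(pause) < busy_wait + 1:
        findings.append("nsDS5ReplicaSessionPauseTime should be at least %d "
                        "(busy wait time + 1 second)" % (busy_wait + 1))
    return findings


# Constructed agreements (values are made up; the {DES} string is the page's placeholder).
SIMPLE_AGREEMENT = {
    "cn": "MasterAtoMasterB",
    "nsDS5ReplicaBindMethod": "SIMPLE",
    "nsDS5ReplicaBindDN": "cn=replication manager,cn=config",
    "nsDS5ReplicaCredentials": "{DES}9Eko69APCJfF08A0aD0C",
    "nsDS5ReplicaBusyWaitTime": "3",
    "nsDS5ReplicaSessionPauseTime": "4",
}
CERT_AGREEMENT = {
    "cn": "MasterAtoConsumerC",
    "nsDS5ReplicaBindMethod": "SSLCLIENTAUTH",
    "nsDS5ReplicaBindDN": "",
}
BROKEN_AGREEMENT = {
    "cn": "broken",
    "nsDS5ReplicaBindMethod": "SASL/DIGEST-MD5",
    "nsDS5ReplicaBindDN": "cn=Directory Manager",
    "nsDS5ReplicaBusyWaitTime": "5",
    "nsDS5ReplicaSessionPauseTime": "5",
}

if __name__ == "__main__":
    for agreement in (SIMPLE_AGREEMENT, CERT_AGREEMENT, BROKEN_AGREEMENT):
        print(agreement["cn"], check_agreement(agreement) or ["ok"])
```

The check reads the agreement as exported from dse.ldif or from an ldapsearch under cn=config, so it can be run against every agreement of a supplier before the values are changed with changetype: modify.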

3.1.9.6. nsDS5ReplicaChangesSentSinceStartup

This read-only attribute shows the number of changes sent to this replica since the server
started. The actual value in the attribute is stored as a binary blob; in the
Directory Server Console, this value is a ratio, in the form
replica_id:changes_sent/changes_skipped. For example, for 100 changes sent and no
changes skipped for replica 7, the attribute value is displayed in the Console as 7:100/0.

In the command line, the attribute value is shown in a binary form. For example:

nsds5replicaChangesSentSinceStartup:: MToxLzAg

Parameter Description

Entry DN cn=ReplicationAgreementName,cn=replica,cn
=suffixDN,cn=mapping tree,cn=config

Valid Range 0 to maximum 32-bit integer (2147483647)

Default Value

Syntax Integer

Example nsds5replicaChangesSentSinceStartup:: MToxLzAg

3.1.9.7. nsDS5ReplicaCredentials

This attribute sets the credentials for the bind DN (specified in the nsDS5ReplicaBindDN
attribute) on the remote server containing the consumer replica. The value for this attribute
can be modified. When certificate-based authentication is used, this attribute may not have
a value. The example shows the dse.ldif entry, not the actual password. If you set this value
over LDAP or using the Console, set it to the cleartext credentials, and let the server encrypt
the value.


Parameter Description

Entry DN cn=ReplicationAgreementName,cn=replica,cn
=suffixDN,cn=mapping tree,cn=config

Valid Values Any valid password, which is then encrypted using the DES reversible password
encryption schema.

Default Value

Syntax DirectoryString {DES} encrypted_password

Example nsDS5ReplicaCredentials: {DES}9Eko69APCJfF08A0aD0C

3.1.9.8. nsds5ReplicaEnabled

This attribute sets whether a replication agreement is active, meaning whether replication
is occurring per that agreement. The default is on, so that replication is enabled.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   on | off
Default Value  on
Syntax         DirectoryString
Example        nsds5ReplicaEnabled: off

3.1.9.9. nsds5ReplicaFlowControlPause

This parameter sets the time in milliseconds to pause after the number of entries and
updates set in the nsds5ReplicaFlowControlWindow parameter has been reached. Updating
both the nsds5ReplicaFlowControlWindow and nsds5ReplicaFlowControlPause parameters
enables you to fine-tune the replication throughput. For further details, see
Section 3.1.9.10, “nsds5ReplicaFlowControlWindow”.

This setting does not require restarting the server to take effect.

Parameter      Description
Entry DN       cn=replication_agreement_name,cn=replica,cn=suffix_DN,cn=mapping tree,cn=config
166
CHAPTER 3. CORE SERVER CONFIGURATION REFERENCE

Valid Values 0 to maximum 64-bit long

Default Value 2000

Syntax Integer

Example nsds5ReplicaFlowControlPause: 2000

3.1.9.10. nsds5ReplicaFlowControlWindow

This attribute sets the maximum number of entries and updates a supplier may send that
have not yet been acknowledged by the consumer. After reaching the limit, the supplier
pauses the replication agreement for the time set in the nsds5ReplicaFlowControlPause
parameter. Updating both the nsds5ReplicaFlowControlWindow and
nsds5ReplicaFlowControlPause parameters enables you to fine-tune the replication
throughput.

Update this setting if the supplier sends entries and updates faster than the consumer can
import or apply them and acknowledge the data. In this case, the following message is
logged in the supplier's error log file:

Total update flow control gives time (2000 msec) to the consumer before
sending more entries [ msgid sent: xxx, rcv: yyy])
If total update fails you can try to increase nsds5ReplicaFlowControlPause
and/or decrease nsds5ReplicaFlowControlWindow in the replica agreement
configuration

This setting does not require restarting the server to take effect.

Parameter      Description
Entry DN       cn=replication_agreement_name,cn=replica,cn=suffix_DN,cn=mapping tree,cn=config
Valid Values   0 to maximum 64-bit long
Default Value  1000
Syntax         Integer
Example        nsds5ReplicaFlowControlWindow: 1000
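The following Python script is an added example, not part of the Red Hat reference, showing how to turn the flow-control message quoted above into a per-agreement report: how often the supplier paused, how long it slept in total, and how far the consumer's acknowledgements lagged behind the window. The message text is the one the reference quotes; the timestamp and plug-in prefix of each line, the agreement names and the "2x window" threshold in tuning_hint are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample error-log lines. The message text is the one quoted in
# the reference; the timestamp/plug-in prefix and the agreement names are an
# assumption about how the real log is laid out.
SAMPLE_ERROR_LOG = """\
[04/May/2019:12:20:55.123 +0000] - INFO - NSMMReplicationPlugin - agmt="cn=to_ldap2" (ldap2:389): Total update flow control gives time (2000 msec) to the consumer before sending more entries [ msgid sent: 1500, rcv: 480])
[04/May/2019:12:20:57.456 +0000] - INFO - NSMMReplicationPlugin - agmt="cn=to_ldap2" (ldap2:389): Total update flow control gives time (2000 msec) to the consumer before sending more entries [ msgid sent: 2600, rcv: 1400])
[04/May/2019:12:21:01.789 +0000] - INFO - NSMMReplicationPlugin - agmt="cn=to_ldap3" (ldap3:389): Total update flow control gives time (2000 msec) to the consumer before sending more entries [ msgid sent: 3100, rcv: 90])
[04/May/2019:12:21:02.000 +0000] - INFO - NSMMReplicationPlugin - agmt="cn=to_ldap2" (ldap2:389): Replica acquired successfully: Incremental update succeeded
"""

FLOW_CONTROL_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)".*?'
    r"Total update flow control gives time \((?P<pause_ms>\d+) msec\).*?"
    r"msgid sent: (?P<sent>\d+), rcv: (?P<rcv>\d+)"
)

def parse_flow_control(log_text):
    """Return {agreement: [(pause_ms, msgid_sent, msgid_received), ...]}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FLOW_CONTROL_RE.search(line)
        if m:
            events[m.group("agmt")].append(
                (int(m.group("pause_ms")), int(m.group("sent")), int(m.group("rcv"))))
    return dict(events)

def summarize(events, window=1000):
    """Per agreement: how often the supplier paused, how long it slept in total,
    and the largest number of unacknowledged messages seen (sent - received),
    compared with the configured nsds5ReplicaFlowControlWindow."""
    summary = {}
    for agmt, evs in events.items():
        backlog = [sent - rcv for _, sent, rcv in evs]
        summary[agmt] = {
            "pauses": len(evs),
            "paused_ms": sum(p for p, _, _ in evs),
            "max_backlog": max(backlog),
            "max_backlog_over_window": max(backlog) - window,
        }
    return summary

def tuning_hint(stats, window=1000):
    """Turn the log message's advice into a decision. The 2x-window threshold is
    this example's heuristic, not a value from the reference."""
    if stats["pauses"] == 0:
        return "no flow control observed"
    if stats["max_backlog"] > 2 * window:
        return ("consumer far behind: increase nsds5ReplicaFlowControlPause "
                "and/or decrease nsds5ReplicaFlowControlWindow")
    return "occasional flow control: within normal range"

if __name__ == "__main__":
    for agmt, stats in summarize(parse_flow_control(SAMPLE_ERROR_LOG)).items():
        print(agmt, stats, "->", tuning_hint(stats))
```

Run it against a real error log by replacing SAMPLE_ERROR_LOG with the file contents; the regular expression only keys on the message body and the agmt="..." tag, so a different line prefix does not matter as long as that tag is present.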

3.1.9.11. nsDS5ReplicaHost

This attribute sets the host name for the remote server containing the consumer replica.
Once this attribute has been set, it cannot be modified.


Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   Any valid host server name
Default Value
Syntax         DirectoryString
Example        nsDS5ReplicaHost: ldap2.example.com

3.1.9.12. nsDS5ReplicaLastInitEnd

This optional, read-only attribute states when the initialization of the consumer replica
ended.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   YYYYMMDDhhmmssZ, the date/time in Generalized Time form at which the
               initialization ended. The time is given in UTC (Greenwich Mean Time) on a
               24-hour clock; the trailing Z indicates UTC.
Default Value
Syntax         GeneralizedTime
Example        nsDS5ReplicaLastInitEnd: 20190504121603Z

3.1.9.13. nsDS5ReplicaLastInitStart

This optional, read-only attribute states when the initialization of the consumer replica
started.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   YYYYMMDDhhmmssZ, the date/time in Generalized Time form at which the
               initialization started. The time is given in UTC (Greenwich Mean Time) on a
               24-hour clock; the trailing Z indicates UTC.
Default Value
Syntax         GeneralizedTime
Example        nsDS5ReplicaLastInitStart: 20190503030405Z

3.1.9.14. nsDS5ReplicaLastInitStatus

This optional, read-only attribute provides status for the initialization of the consumer.
There is typically a numeric code followed by a short string explaining the status. Zero (0)
means success.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   0 (Consumer Initialization Succeeded), followed by any other status message
Default Value
Syntax         String
Example        nsDS5ReplicaLastInitStatus: 0 Consumer Initialization Succeeded

3.1.9.15. nsDS5ReplicaLastUpdateEnd

This read-only attribute states when the most recent replication schedule update ended.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   YYYYMMDDhhmmssZ, the date/time in Generalized Time form at which the most
               recent update session ended. The time is given in UTC (Greenwich Mean Time)
               on a 24-hour clock; the trailing Z indicates UTC.
Default Value
Syntax         GeneralizedTime
Example        nsDS5ReplicaLastUpdateEnd: 20190502175801Z

3.1.9.16. nsDS5ReplicaLastUpdateStart

This read-only attribute states when the most recent replication schedule update started.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   YYYYMMDDhhmmssZ, the date/time in Generalized Time form at which the most
               recent update session started. The time is given in UTC (Greenwich Mean
               Time) on a 24-hour clock; the trailing Z indicates UTC.
Default Value
Syntax         GeneralizedTime
Example        nsDS5ReplicaLastUpdateStart: 20190504122055Z

3.1.9.17. nsds5replicaLastUpdateStatus

The read-only nsds5replicaLastUpdateStatus attribute of each replication agreement shows
the latest status of that agreement. For a list of the possible status values, see
Appendix D, Replication Agreement Status.


Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   See Appendix D, Replication Agreement Status.
Default Value
Syntax         DirectoryString
Example        nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded

3.1.9.18. nsDS5ReplicaPort

This attribute sets the port number for the remote server containing the replica. Once this
attribute has been set, it cannot be modified.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   Port number for the remote server containing the replica
Default Value
Syntax         Integer
Example        nsDS5ReplicaPort: 389

3.1.9.19. nsDS5ReplicaReapActive

This read-only attribute specifies whether the background task that removes old
tombstones (deleted entries) from the database is active. See Section 3.1.8.23,
“nsDS5ReplicaTombstonePurgeInterval” for more information about this task. A value of
zero (0) means that the task is inactive, and a value of 1 means that the task is active. If
this value is set manually, the server ignores the modify request.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   0 | 1
Default Value
Syntax         Integer
Example        nsDS5ReplicaReapActive: 0

3.1.9.20. nsDS5BeginReplicaRefresh

Initializes the replica. This attribute is absent by default. However, if this attribute is added
with a value of start, then the server initializes the replica and removes the attribute
value. To monitor the status of the initialization procedure, poll for this attribute. When
initialization is finished, the attribute is removed from the entry, and the other monitoring
attributes can be used for detailed status inquiries.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   stop | start
Default Value
Syntax         DirectoryString
Example        nsDS5BeginReplicaRefresh: start

3.1.9.21. nsDS5ReplicaRoot

This attribute sets the DN at the root of a replicated area. This attribute must have the
same value as the suffix of the database being replicated and cannot be modified.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   Suffix of the database being replicated, the same as suffixDN above
Default Value
Syntax         DirectoryString
Example        nsDS5ReplicaRoot: "dc=example,dc=com"

3.1.9.22. nsDS5ReplicaSessionPauseTime

This attribute sets the amount of time in seconds a supplier should wait between update
sessions. The default value is 0. If the attribute is set to a negative value, Directory Server
sends the client a message and an LDAP_UNWILLING_TO_PERFORM error code.

The nsDS5ReplicaSessionPauseTime attribute works in conjunction with the
nsDS5ReplicaBusyWaitTime attribute. The two attributes are designed so that the
nsDS5ReplicaSessionPauseTime interval is always at least one second longer than the
interval specified for nsDS5ReplicaBusyWaitTime. The longer interval gives waiting
suppliers a better chance to gain consumer access before the previous supplier can re-access
the consumer.

If either attribute is specified but not both, nsDS5ReplicaSessionPauseTime is set
automatically to 1 second more than nsDS5ReplicaBusyWaitTime.

If both attributes are specified, but nsDS5ReplicaSessionPauseTime is less than or equal
to nsDS5ReplicaBusyWaitTime, nsDS5ReplicaSessionPauseTime is set automatically to
1 second more than nsDS5ReplicaBusyWaitTime.

When setting the values, ensure that the nsDS5ReplicaSessionPauseTime interval is at
least 1 second longer than the interval specified for nsDS5ReplicaBusyWaitTime. Increase
the interval as needed until there is an acceptable distribution of consumer access among
the suppliers.

Set the nsDS5ReplicaSessionPauseTime attribute at any time by using
changetype: modify with the replace operation. The change takes effect for the next
update session if one is already in progress.

If Directory Server has to reset the value of nsDS5ReplicaSessionPauseTime
automatically, the value is changed internally only. The change is not visible to clients, and
it is not saved to the configuration file. From an external viewpoint, the attribute value
appears as originally set.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   Any valid integer
Default Value  0
Syntax         Integer
Example        nsDS5ReplicaSessionPauseTime: 0


3.1.9.23. nsds5ReplicaStripAttrs

Fractional replication allows a list of attributes which are removed from replication updates
(nsDS5ReplicatedAttributeList). However, a change to an excluded attribute still
triggers a modify event and generates an empty replication update.

The nsds5ReplicaStripAttrs attribute adds a list of attributes which cannot be sent in an
empty replication event and are stripped from the update sequence. This logically includes
operational attributes like modifiersName.

If a replication event is not empty, the stripped attributes are replicated. These attributes
are removed from updates only if the event would otherwise be empty.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Range    A space-separated list of any supported directory attribute
Default Value
Syntax         DirectoryString
Example        nsds5ReplicaStripAttrs: modifiersname modifytimestamp

3.1.9.24. nsDS5ReplicatedAttributeList

This allowed attribute specifies any attributes that are not replicated to a consumer server.
Fractional replication allows databases to be replicated across slow connections or to less
secure consumers while still protecting sensitive information. By default, all attributes are
replicated, and this attribute is not present. For more information on fractional replication,
see the "Managing Replication" chapter in the Red Hat Directory Server
Administration Guide.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Range
Default Value
Syntax         DirectoryString
Example        nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE accountlockout memberof


3.1.9.25. nsDS5ReplicatedAttributeListTotal

This allowed attribute specifies any attributes that are not replicated to a consumer server
during a total update.

Fractional replication only replicates specified attributes. This improves the overall network
performance. However, there may be times when administrators want to restrict some
attributes using fractional replication during an incremental update but allow those
attributes to be replicated during a total update (or vice versa).

By default, all attributes are replicated. nsDS5ReplicatedAttributeList sets the
incremental replication list; if only nsDS5ReplicatedAttributeList is set, then this list
applies to total updates as well.

nsDS5ReplicatedAttributeListTotal sets the list of attributes to exclude only from a
total update.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Range
Default Value
Syntax         DirectoryString
Example        nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountlockout
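The following Python model is an added example, not code from the Red Hat reference or from Directory Server itself. It covers the three attributes described in Sections 3.1.9.23 to 3.1.9.25 together: it parses the (objectclass=*) $ EXCLUDE ... list syntax shown in the examples, resolves which list applies to incremental versus total updates, and shows what a single modify operation becomes on the wire once fractional exclusion and nsds5ReplicaStripAttrs are applied, including the empty-update case that the strip list exists to suppress. The function names and the sample modifications are this example's own.

```python
import re

def parse_attribute_list(value):
    """Parse an nsDS5ReplicatedAttributeList / ...Total value such as
    '(objectclass=*) $ EXCLUDE accountlockout memberof' into a lowercase set
    of excluded attribute names (empty set when nothing follows EXCLUDE)."""
    m = re.fullmatch(r"\s*\(objectclass=\*\)\s*\$\s*EXCLUDE\s*(.*)", value, re.IGNORECASE)
    if not m:
        raise ValueError("unsupported fractional replication list: %r" % value)
    return {a.lower() for a in m.group(1).split()}

def lists_for_agreement(incremental, total=None):
    """Resolve the exclusion sets for incremental and total updates:
    nsDS5ReplicatedAttributeList governs both unless
    nsDS5ReplicatedAttributeListTotal is set."""
    inc = parse_attribute_list(incremental)
    tot = parse_attribute_list(total) if total is not None else inc
    return inc, tot

def build_update(mods, excluded, strip_attrs):
    """Model what one modify operation becomes on the wire.

    mods        -- (attribute, value) pairs changed on the supplier
    excluded    -- attributes dropped by fractional replication
    strip_attrs -- nsds5ReplicaStripAttrs, lowercase: only removed when the
                   update would otherwise carry just these attributes

    Returns {"send": bool, "mods": [...]}. 'send' is False when the stripped
    attributes were all that remained, which is exactly the empty update the
    strip list exists to suppress.
    """
    remaining = [(a, v) for a, v in mods if a.lower() not in excluded]
    if remaining and all(a.lower() in strip_attrs for a, _ in remaining):
        return {"send": False, "mods": []}
    return {"send": True, "mods": remaining}

if __name__ == "__main__":
    excluded, _ = lists_for_agreement("(objectclass=*) $ EXCLUDE accountlockout memberof")
    strip = {"modifiersname", "modifytimestamp"}
    # Only an excluded attribute changed: with strip attributes set, nothing is sent.
    print(build_update([("memberOf", "cn=admins,dc=example,dc=com"),
                        ("modifiersName", "cn=Directory Manager"),
                        ("modifyTimestamp", "20190504122055Z")], excluded, strip))
    # A replicated attribute changed: the operational attributes travel with it.
    print(build_update([("mail", "jdoe@example.com"),
                        ("modifiersName", "cn=Directory Manager")], excluded, strip))
```

With an empty strip set, the first call returns an update containing only modifiersName and modifyTimestamp, which is the "empty replication update" the reference describes; configuring the strip list turns that into no update at all, while a change to a replicated attribute still carries the operational attributes along with it.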

3.1.9.26. nsDS5ReplicaTimeout

This allowed attribute specifies the number of seconds an outbound LDAP operation waits
for a response from the remote replica before timing out and failing. If the server writes
Warning: timed out waiting messages in the error log file, increase the value of this
attribute.

Find out how long the operation actually lasted by examining the access log on the remote
machine, and then set the nsDS5ReplicaTimeout attribute accordingly to optimize
performance.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Range    0 to maximum 32-bit integer value (2147483647) in seconds
Default Value  600
Syntax         Integer
Example        nsDS5ReplicaTimeout: 600

3.1.9.27. nsDS5ReplicaTransportInfo

This attribute sets the type of transport used for transporting data to and from the replica.
This attribute cannot be modified once it is set.

The attribute takes the following values:

TLS: The connection is opened unencrypted on the consumer's standard LDAP port and then
upgraded to TLS with the StartTLS extended operation.

SSL: The connection is made to the consumer's secure (LDAPS) port and is encrypted from
the start.

LDAP: The connection uses the unencrypted LDAP protocol. This value is also used if
the nsDS5ReplicaTransportInfo attribute is not set. With a simple bind, the replication
manager's password from nsDS5ReplicaCredentials then crosses the network in cleartext,
as does every replicated change, so use this value only on a network you trust.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   TLS | SSL | LDAP
Default Value  absent
Syntax         DirectoryString
Example        nsDS5ReplicaTransportInfo: TLS

3.1.9.28. nsDS5ReplicaUpdateInProgress

This read-only attribute states whether or not a replication update is in progress.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   true | false
Default Value
Syntax         DirectoryString
Example        nsDS5ReplicaUpdateInProgress: true
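The following Python script is an added example, not part of the Red Hat reference, that reads an LDIF export of replication agreement entries and reports on the monitoring and transport attributes described in this section: it decodes the base64 nsds5replicaChangesSentSinceStartup value (Section 3.1.9.6), checks the numeric code in nsDS5ReplicaLastInitStatus, computes the length of the last update session from nsDS5ReplicaLastUpdateStart/End, reads nsDS5ReplicaUpdateInProgress, and flags agreements whose nsDS5ReplicaTransportInfo is unset or LDAP together with a SIMPLE bind, since those send the replication password in cleartext. The LDIF sample is constructed (hosts, DNs and values are made up; attribute names and value formats follow the reference), and the function names are this example's own.

```python
import base64
from datetime import datetime, timezone

# Constructed LDIF export of two agreements (hosts, DNs and values are made up;
# attribute names and value formats follow the reference).
SAMPLE_LDIF = """\
dn: cn=to_ldap2,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
cn: to_ldap2
nsDS5ReplicaHost: ldap2.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaTransportInfo: TLS
nsds5replicaChangesSentSinceStartup:: MToxLzAg
nsDS5ReplicaLastInitStatus: 0 Consumer Initialization Succeeded
nsDS5ReplicaLastUpdateStart: 20190504122055Z
nsDS5ReplicaLastUpdateEnd: 20190504122057Z
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Increm
 ental update succeeded
nsDS5ReplicaUpdateInProgress: false

dn: cn=to_ldap3,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
cn: to_ldap3
nsDS5ReplicaHost: ldap3.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaUpdateInProgress: true
"""

def parse_ldif(text):
    """Minimal LDIF reader: joins continuation lines (leading space), decodes
    base64 values marked with '::' and returns one dict per entry. Attribute
    names are lowercased because LDAP treats them case-insensitively."""
    entries, current, logical = [], {}, []

    def flush():
        if not logical:
            return
        name, _, rest = "".join(logical).partition(":")
        logical.clear()
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        current.setdefault(name.lower(), []).append(value)

    for raw in text.splitlines():
        if raw.startswith(" "):
            logical.append(raw[1:])
            continue
        flush()
        if raw:
            logical.append(raw)
        elif current:
            entries.append(current)
            current = {}
    flush()
    if current:
        entries.append(current)
    return entries

def generalized_time(value):
    """YYYYMMDDhhmmssZ (Generalized Time, UTC) -> aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def changes_sent(value):
    """Decoded nsds5replicaChangesSentSinceStartup is 'replica_id:sent/skipped'
    (with a trailing space, which is why LDIF base64-encodes it)."""
    rid, _, ratio = value.strip().partition(":")
    sent, _, skipped = ratio.partition("/")
    return int(rid), int(sent), int(skipped)

def agreement_report(entry):
    """Replication health plus the transport check for one agreement entry."""
    first = lambda attr, default=None: entry.get(attr, [default])[0]
    transport = (first("nsds5replicatransportinfo") or "LDAP").upper()
    init = first("nsds5replicalastinitstatus")
    start, end = first("nsds5replicalastupdatestart"), first("nsds5replicalastupdateend")
    sent = first("nsds5replicachangessentsincestartup")
    return {
        "name": first("cn"),
        "host": "%s:%s" % (first("nsds5replicahost"), first("nsds5replicaport")),
        "transport": transport,
        # Unset nsDS5ReplicaTransportInfo means cleartext LDAP; combined with a
        # SIMPLE bind the replication manager password crosses the wire unprotected.
        "cleartext_simple_bind": transport == "LDAP"
            and (first("nsds5replicabindmethod") or "SIMPLE").upper() == "SIMPLE",
        "initialized_ok": init is not None and init.split()[0] == "0",
        "update_in_progress": (first("nsds5replicaupdateinprogress") or "false").lower() == "true",
        "changes_sent": changes_sent(sent) if sent else None,
        "last_update_seconds": (generalized_time(end) - generalized_time(start)).total_seconds()
            if start and end else None,
    }

def audit(ldif_text):
    """One report per agreement in the LDIF text."""
    return [agreement_report(e) for e in parse_ldif(ldif_text)]

if __name__ == "__main__":
    for r in audit(SAMPLE_LDIF):
        print(r)
```

To run this against a live server, feed it the output of an ldapsearch for objectclass=nsDS5ReplicationAgreement under cn=mapping tree,cn=config (bound as a DN allowed to read cn=config); the parser handles the folded and base64 lines ldapsearch emits.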

3.1.9.29. nsDS5ReplicaUpdateSchedule

This multi-valued attribute specifies the replication schedule and can be modified. Changes
made to this attribute take effect immediately. Modifying this value can be useful to pause
replication and resume it later. For example, if this value is set to 0000-0001 0, this in effect
causes the server to stop sending updates for this replication agreement. The server
continues to store them for replay later. If the value is later changed back to 0000-2359
0123456, replication immediately resumes and sends all pending changes.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Range    Time schedule presented as XXXX-YYYY 0123456, where XXXX is the starting
               hour and minute, YYYY is the finishing hour and minute, and the digits
               0123456 are the days of the week starting with Sunday (0).
Default Value  0000-2359 0123456 (all the time)
Syntax         DirectoryString
Example        nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
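The following Python code is an added example, not from the Red Hat reference, that parses nsDS5ReplicaUpdateSchedule values and decides whether a given moment falls inside a replication window. It also implements the pausing trick described above: a schedule such as 0000-0001 0 opens a two-minute window on Sundays only, so the checker treats any schedule set with fewer than five minutes of weekly window as effectively paused. The inclusive treatment of the end minute, the five-minute threshold and the function names are this example's assumptions.

```python
import re
from datetime import datetime

SCHEDULE_RE = re.compile(r"^(\d{2})(\d{2})-(\d{2})(\d{2}) ([0-6]{1,7})$")

def parse_schedule(value):
    """Parse 'HHMM-HHMM days' (e.g. '0000-2359 0123456') into
    (start_minute, end_minute, {days}), days numbered 0=Sunday .. 6=Saturday."""
    m = SCHEDULE_RE.match(value.strip())
    if not m:
        raise ValueError("bad nsDS5ReplicaUpdateSchedule value: %r" % value)
    sh, sm, eh, em, days = m.groups()
    start, end = int(sh) * 60 + int(sm), int(eh) * 60 + int(em)
    last = 23 * 60 + 59
    if not (0 <= start <= last and 0 <= end <= last) or int(sm) > 59 or int(em) > 59:
        raise ValueError("hour/minute out of range in %r" % value)
    return start, end, {int(d) for d in days}

def replication_allowed(schedules, when):
    """True if any schedule value permits sending updates at datetime 'when'.
    The attribute is multi-valued, so the windows are OR-ed together. The end
    minute is treated as inclusive (0000-2359 covers the whole day)."""
    day = (when.weekday() + 1) % 7          # Python: Monday=0; schedule: Sunday=0
    minute = when.hour * 60 + when.minute
    for value in schedules:
        start, end, days = parse_schedule(value)
        if day in days and start <= minute <= end:
            return True
    return False

def schedule_is_effectively_paused(schedules):
    """The reference's pause trick: '0000-0001 0' leaves a two-minute window
    on Sundays, so updates queue up almost all week. Flag any schedule set
    whose total weekly window is under five minutes (this example's threshold)."""
    total = 0
    for value in schedules:
        start, end, days = parse_schedule(value)
        total += max(0, end - start + 1) * len(days)
    return total < 5

if __name__ == "__main__":
    sunday_night = datetime(2019, 5, 5, 0, 1)   # 2019-05-05 is a Sunday
    print(replication_allowed(["0000-0001 0"], sunday_night))
    print(schedule_is_effectively_paused(["0000-0001 0"]))
    print(schedule_is_effectively_paused(["0000-2359 0123456"]))
```

Because the attribute is multi-valued, pass every value of the agreement's nsDS5ReplicaUpdateSchedule to replication_allowed; a consumer that appears to lag only outside business hours is often just a schedule like 0900-1700 12345.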

3.1.9.30. nsDS5ReplicaWaitForAsyncResults

In a replication environment, the nsDS5ReplicaWaitForAsyncResults parameter sets the
time in milliseconds for which a supplier waits if the consumer is not ready before resending
data.

Note that if you set the parameter to 0, the default value is used.

Parameter      Description
Entry DN       cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Range    0 to maximum 32-bit integer (2147483647)
Default Value  100
Syntax         Integer
Example        nsDS5ReplicaWaitForAsyncResults: 100

3.1.9.31. nsDS50ruv

This attribute stores the last replica update vector (RUV) read from the consumer of this
replication agreement. It is always present and must not be changed.

3.1.9.32. nsruvReplicaLastModified

This attribute contains the most recent time that an entry in the replica was modified and
the changelog was updated.

3.1.9.33. nsds5ReplicaProtocolTimeout

When stopping the server, disabling replication, or removing a replication agreement, there
is a timeout on how long to wait before stopping replication when the server is under load.
The nsds5ReplicaProtocolTimeout attribute can be used to configure this timeout and its
default value is 120 seconds.

There may be scenarios where a timeout of 2 minutes is too long, or not long enough. For
example, a particular replication agreement may need more time before ending a
replication session during a shutdown.

This attribute can be added to the main replication configuration entry for a back end:

Parameter      Description
Entry DN       cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
Valid Range    0 to maximum 32-bit integer (2147483647) in seconds
Default Value  120
Syntax         Integer
Example        nsds5ReplicaProtocolTimeout: 120

The nsds5ReplicaProtocolTimeout attribute can also be added to a replication
agreement. The replication agreement protocol timeout overrides the timeout set in the
main replica configuration entry. This allows different timeouts for different replication
agreements. If a replication session is in progress, a new timeout will abort that session and
allow the server to shut down.

3.1.10. Synchronization Attributes under cn=syncAgreementName,cn=WindowsReplica,cn=suffixName,cn=mapping tree,cn=config

The synchronization attributes that concern the synchronization agreement are stored
under cn=syncAgreementName,cn=WindowsReplica,cn=suffixDN,cn=mapping
tree,cn=config. The cn=syncAgreementName entry is an instance of the
nsDSWindowsReplicationAgreement object class. For synchronization agreement
configuration attributes to be taken into account by the server, this object class (in addition
to the top object class) must be present in the entry. Synchronization agreements are
configured only on databases that are enabled to synchronize with Windows Active
Directory servers.

Table 3.6. List of Attributes Shared Between Replication and Synchronization Agreements

cn
description
nsDS5ReplicaBindDN (the Windows sync manager ID)
nsDS5ReplicaBindMethod
nsDS5ReplicaBusyWaitTime
nsDS5ReplicaChangesSentSinceStartup
nsDS5ReplicaCredentials (the Windows sync manager password)
nsDS5ReplicaHost (the Windows host)
nsDS5ReplicaLastInitEnd
nsDS5ReplicaLastInitStart
nsDS5ReplicaLastInitStatus
nsDS5ReplicaLastUpdateEnd
nsDS5ReplicaLastUpdateStart
nsDS5ReplicaLastUpdateStatus
nsDS5ReplicaPort
nsDS5ReplicaRoot
nsDS5ReplicaSessionPauseTime
nsDS5ReplicaTimeout
nsDS5ReplicaTransportInfo
nsDS5ReplicaUpdateInProgress
nsDS5ReplicaUpdateSchedule
nsDS50ruv
nsds5ReplicaStripAttrs
winSyncInterval
winSyncMoveAction

3.1.10.1. nsds7DirectoryReplicaSubtree

The suffix or DN of the Directory Server subtree that is being synchronized.


Parameter      Description
Entry DN       cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   Any valid suffix or subsuffix
Default Value
Syntax         DirectoryString
Example        nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com

3.1.10.2. nsds7DirsyncCookie

This string is created by Active Directory DirSync and gives the state of the Active
Directory Server at the time of the last synchronization. The old cookie is sent to Active
Directory with each Directory Server update; a new cookie is returned along with the
Windows directory data. This means only entries which have changed since the last
synchronization are retrieved.

Parameter      Description
Entry DN       cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   Any string
Default Value
Syntax         DirectoryString
Example        nsDS7DirsyncCookie:: khDKJFBZsjBDSCkjsdhIU74DJJVBXDhfvjmfvbhzxj

3.1.10.3. nsds7NewWinGroupSyncEnabled

This attribute sets whether a new group created in the Windows sync peer is automatically
synchronized by creating a new group on the Directory Server.

Parameter      Description
Entry DN       cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   on | off
Default Value
Syntax         DirectoryString
Example        nsDS7NewWinGroupSyncEnabled: on

3.1.10.4. nsds7NewWinUserSyncEnabled

This attribute sets whether a new entry created in the Windows sync peer is automatically
synchronized by creating a new entry on the Directory Server.

Parameter      Description
Entry DN       cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   on | off
Default Value
Syntax         DirectoryString
Example        nsDS7NewWinUserSyncEnabled: on

3.1.10.5. nsds7WindowsDomain

This attribute sets the name of the Windows domain to which the Windows sync peer
belongs.

Parameter      Description
Entry DN       cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   Any valid domain name
Default Value
Syntax         DirectoryString
Example        nsDS7WindowsDomain: DOMAINWORLD

3.1.10.6. nsds7WindowsReplicaSubtree

The suffix or DN of the Windows subtree that is being synchronized.


Parameter      Description
Entry DN       cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   Any valid suffix or subsuffix
Default Value
Syntax         DirectoryString
Example        nsDS7WindowsReplicaSubtree: cn=Users,dc=domain,dc=com

3.1.10.7. oneWaySync

This attribute sets which direction to perform synchronization. This can either be from the
Active Directory server to the Directory Server or from the Directory Server to the
Active Directory server.

If this attribute is absent (the default), then the synchronization agreement is bi-directional,
so changes made in both domains are synchronized.

Parameter      Description
Entry DN       cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   toWindows | fromWindows | null
Default Value
Syntax         DirectoryString
Example        oneWaySync: fromWindows

3.1.10.8. winSyncInterval

This attribute sets how frequently, in seconds, the Directory Server polls the Windows sync
peer to look for changes in the Active Directory entries. If this entry is not set, the
Directory Server checks the Windows server every five (5) minutes, meaning the default
value is 300 (300 seconds).

This value can be set lower to write Active Directory changes over to the Directory Server
faster or raised if the directory searches are taking too long.


Parameter      Description
Entry DN       cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   1 to the maximum 32-bit integer value (2147483647)
Default Value  300
Syntax         Integer
Example        winSyncInterval: 600

3.1.10.9. winSyncMoveAction

The synchronization process starts at the root DN to begin evaluating entries for
synchronization. Entries are correlated based on the sAMAccountName attribute in Active
Directory and the uid attribute in Directory Server. If a previously synced entry (based on
this sAMAccountName/uid relationship) is removed from the synced subtree, either because
it is deleted or because it is moved, the synchronization plug-in recognizes that the entry is
no longer to be synced.

The winSyncMoveAction attribute for the synchronization agreement sets how these
moved entries are handled:

none takes no action, so if a synced Directory Server entry exists, it may be synced
over to, or create, an Active Directory entry within scope. If no synced
Directory Server entry exists, nothing happens at all (this is the default behavior).

unsync removes any sync-related attributes (ntUser or ntGroup) from the
Directory Server entry but otherwise leaves the Directory Server entry intact. The
Active Directory and Directory Server entries exist in tandem.

IMPORTANT

There is a risk when unsyncing entries that the Active Directory entry
may be deleted at a later time, and the Directory Server entry will be
left intact. This can create data inconsistency issues, especially if the
Directory Server entry is ever used to recreate the entry on the
Active Directory side later.

delete deletes the corresponding entry on the Directory Server side, regardless of
whether it was ever synced with Active Directory (this was the default behavior in
9.0).

IMPORTANT

You almost never want to delete a Directory Server entry without
deleting the corresponding Active Directory entry. This option is
available only for compatibility with Directory Server 9.0 systems.


Parameter      Description
Entry DN       cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config
Valid Values   none | delete | unsync
Default Value  none
Syntax         DirectoryString
Example        winSyncMoveAction: unsync

3.1.11. cn=monitor
Information used to monitor the server is stored under cn=monitor. This entry and its
children are read-only; clients cannot directly modify them. The server updates this
information automatically. This section describes the cn=monitor attributes. The only
attribute that can be changed by a user to set access control is the aci attribute.

If the nsslapd-counters attribute in cn=config is set to on (the default setting), then all of
the counters kept by the Directory Server instance increment using 64-bit integers, even on
32-bit machines or with a 32-bit version of Directory Server. For the cn=monitor entry, the
64-bit integers are used with the opsinitiated, opscompleted, entriessent, and
bytessent counters.

NOTE

The nsslapd-counters attribute enables 64-bit support for these specific
database and server counters. The counters which use 64-bit integers are not
configurable; the 64-bit integers are either enabled for all the allowed
counters or disabled for all allowed counters.

connection
This attribute lists open connections. These are given in the following format:

connection: A:YYYYMMDDhhmmssZ:B:C:D:E

For example:

connection: 31:20010201164808Z:45:45::cn=Directory Manager

A is the connection number, which is the number of the slot in the connection table
associated with this connection. This is the number logged as slot=A in the access
log message when this connection was opened, and usually corresponds to the file
descriptor associated with the connection. The attribute dTableSize shows the total
size of the connection table.

YYYYMMDDhhmmssZ is the date and time, in GeneralizedTime form, at which the
connection was opened. This value gives the time in relation to Greenwich Mean
Time.

B is the number of operations received on this connection.

C is the number of completed operations. The difference B - C is the number of
operations received on the connection that have not yet completed.

D is r if the server is in the process of reading BER from the network, empty
otherwise. This value is usually empty (as in the example).

E is the bind DN. This may be empty or have the value NULLDN for anonymous
connections.
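The following Python code is an added example, not from the Red Hat reference, that parses connection values in the A:YYYYMMDDhhmmssZ:B:C:D:E format documented above and turns them into a short picture of who is connected: connections grouped by bind DN (anonymous ones counted together, whether the bind DN is empty or NULLDN) and connections with received-but-uncompleted operations, which is where a stuck client or a slow search shows up. The sample values are constructed (slots, times and DNs are made up), and the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample of cn=monitor 'connection' values. The format is the one
# documented in the reference; the slots, times and DNs are made up.
SAMPLE_CONNECTIONS = [
    "31:20190504121603Z:45:45::cn=Directory Manager",
    "32:20190504121610Z:12:10:r:uid=app,ou=Services,dc=example,dc=com",
    "33:20190504121611Z:3:3::",
    "34:20190504121612Z:7:7::NULLDN",
    "35:20190504121700Z:400:395::cn=Directory Manager",
]

CONNECTION_RE = re.compile(
    r"^(?P<slot>\d+):(?P<opened>\d{14}Z):(?P<received>\d+):(?P<completed>\d+):"
    r"(?P<reading>r?):(?P<bind_dn>.*)$"
)

def parse_connection(value):
    """Split one connection value into its documented fields."""
    m = CONNECTION_RE.match(value)
    if not m:
        raise ValueError("unexpected connection value: %r" % value)
    d = m.groupdict()
    received, completed = int(d["received"]), int(d["completed"])
    return {
        "slot": int(d["slot"]),
        "opened": datetime.strptime(d["opened"], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc),
        "received": received,
        "completed": completed,
        "pending": received - completed,          # operations received but not yet done
        "reading_ber": d["reading"] == "r",
        # An empty field or the literal NULLDN both mean an anonymous connection.
        "bind_dn": None if d["bind_dn"] in ("", "NULLDN") else d["bind_dn"],
    }

def connection_summary(values):
    """Group open connections by bind DN and list the ones with a backlog of
    uncompleted operations, largest backlog first."""
    by_dn, backlog = {}, []
    for v in values:
        c = parse_connection(v)
        key = c["bind_dn"] or "<anonymous>"
        by_dn[key] = by_dn.get(key, 0) + 1
        if c["pending"] > 0:
            backlog.append((c["slot"], key, c["pending"]))
    return by_dn, sorted(backlog, key=lambda t: -t[2])

if __name__ == "__main__":
    by_dn, backlog = connection_summary(SAMPLE_CONNECTIONS)
    print(by_dn)
    print(backlog)
```

On a live server the values come from an ldapsearch for the connection attribute under cn=monitor; each value is one list element for connection_summary.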

currentConnections
This attribute shows the number of currently open and active Directory Server connections.

totalConnections
This attribute shows the total number of Directory Server connections. This number
includes connections that have been opened and closed since the server was last started in
addition to the currentConnections.

dTableSize
This attribute shows the size of the Directory Server connection table. Each connection is
associated with a slot in this table, and usually corresponds to the file descriptor used by
this connection. See Section 3.1.1.60, “nsslapd-conntablesize” for more information.

readWaiters
This attribute shows the number of connections where some requests are pending and not
currently being serviced by a thread in Directory Server.

opsInitiated
This attribute shows the number of Directory Server operations initiated.

opsCompleted
This attribute shows the number of Directory Server operations completed.

entriesSent
This attribute shows the number of entries sent by Directory Server.

bytesSent
This attribute shows the number of bytes sent by Directory Server.

currentTime
This attribute shows the current time, given in Greenwich Mean Time (indicated by
generalizedTime syntax Z notation; for example, 20190202131102Z).

startTime
This attribute shows the Directory Server start time given in Greenwich Mean Time,
indicated by generalizedTime syntax Z notation. For example, 20190202131102Z.

version
This attribute shows the Directory Server vendor, version, and build number. For example,
Red Hat/10.3.1 B2019.274.08.

threads
This attribute shows the number of threads used by the Directory Server. This should
correspond to nsslapd-threadnumber in cn=config.

nbackEnds
This attribute shows the number of Directory Server database back ends.

backendMonitorDN
This attribute shows the DN for each Directory Server database backend. For further
information on monitoring the database, see the following sections:

Section 4.4.9, “Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config”

Section 4.4.5, “Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config”

Section 4.4.7, “Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config”

Section 4.5.4, “Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config”

3.1.12. cn=replication
This entry has no attributes. When configuring legacy replication, those entries are stored
under this cn=replication node, which serves as a placeholder.

3.1.13. cn=sasl
Entries which contain SASL mapping configurations are stored under
cn=mapping,cn=sasl,cn=config. The cn=sasl entry is an instance of the nsContainer
object class. Each mapping underneath it is an instance of the nsSaslMapping object class.

3.1.13.1. nsSaslMapBaseDNTemplate

This attribute contains the search base DN template used in SASL identity mapping.

Parameter      Description
Entry DN       cn=mapping_name,cn=mapping,cn=sasl,cn=config
Valid Values   Any valid DN
Default Value
Syntax         IA5String
Example        nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com


3.1.13.2. nsSaslMapFilterTemplate

This attribute contains the search filter template used in SASL identity mapping.

Parameter      Description
Entry DN       cn=mapping_name,cn=mapping,cn=sasl,cn=config
Valid Values   Any string
Default Value
Syntax         IA5String
Example        nsSaslMapFilterTemplate: (cn=\1)

3.1.13.3. nsSaslMapPriority

Directory Server enables you to set multiple simple authentication and security layer (SASL)
mappings. If SASL fallback is enabled by the nsslapd-sasl-mapping-fallback parameter,
you can set the nsSaslMapPriority attribute to prioritize the individual SASL mappings.

This setting does not require a server restart to take effect.

Parameter      Description
Entry DN       cn=mapping_name,cn=mapping,cn=sasl,cn=config
Valid Values   1 (highest priority) - 100 (lowest priority)
Default Value  100
Syntax         Integer
Example        nsSaslMapPriority: 100

3.1.13.4. nsSaslMapRegexString

This attribute contains a regular expression used to map SASL identity strings.

Parameter      Description
Entry DN       cn=mapping_name,cn=mapping,cn=sasl,cn=config
Valid Values   Any valid regular expression
Default Value
Syntax         IA5String
Example        nsSaslMapRegexString: \(.*\)
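The following added example (not Directory Server code) models how these four attributes turn a SASL identity into a search: each mapping's regular expression is applied to the identity, the captured groups are substituted into the base DN and filter templates, and the candidates are ordered by nsSaslMapPriority. The mapping entries are constructed, the regular expressions are written in Python re syntax (Directory Server uses POSIX syntax, in which the page's \(.*\) is the capture group), and escaping of the substituted values is the example's own defensive choice.

```python
import re
from dataclasses import dataclass


@dataclass
class SaslMapping:
    """One cn=mapping_name,cn=mapping,cn=sasl,cn=config entry (constructed)."""
    cn: str
    regex: str            # nsSaslMapRegexString (Python re syntax in this example)
    base_dn: str          # nsSaslMapBaseDNTemplate
    filter_tmpl: str      # nsSaslMapFilterTemplate
    priority: int = 100   # nsSaslMapPriority: 1 (highest) to 100 (lowest)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for text substituted into a search filter, so an
    identity such as 'a*)(uid=admin' cannot change the filter's structure.
    This is the example's own defensive step, not a description of the server."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for text substituted into a DN template."""
    return ''.join('\\' + c if c in ',+"\\<>;' else c for c in value)


def expand(template: str, groups, escape) -> str:
    """Replace \\1, \\2, ... in a template with the escaped captured groups."""
    def repl(m):
        idx = int(m.group(1))
        if not 1 <= idx <= len(groups):
            raise ValueError('template %r references group %d but the regex '
                             'captured %d group(s)' % (template, idx, len(groups)))
        return escape(groups[idx - 1])
    return re.sub(r'\\(\d+)', repl, template)


def candidate_searches(identity, mappings):
    """Return (cn, base DN, filter) for every mapping whose regex matches the
    SASL identity, ordered by nsSaslMapPriority (lowest number first), then
    by the order given. With nsslapd-sasl-mapping-fallback enabled the server
    works through such candidates in turn; without fallback only the first
    one matters, so a caller modelling that case takes element 0."""
    out = []
    ordered = sorted(enumerate(mappings), key=lambda t: (t[1].priority, t[0]))
    for _, mp in ordered:
        m = re.match(mp.regex, identity)    # anchored at the start only
        if m is None:
            continue
        out.append((mp.cn,
                    expand(mp.base_dn, m.groups(), escape_dn_value),
                    expand(mp.filter_tmpl, m.groups(), escape_filter_value)))
    return out


# Constructed mappings. CATCH_ALL uses an unanchored "(.*)", the Python form
# of the page's "\(.*\)" example, so it matches every identity; REALM is
# anchored at both ends and only matches identities in its own realm, and its
# lower priority number makes it the first candidate when both match.
CATCH_ALL = SaslMapping('catch-all', r'(.*)', 'dc=example,dc=com',
                        '(uid=\\1)', priority=100)
REALM = SaslMapping('example-realm', r'^(.*)@EXAMPLE\.COM$',
                    'ou=People,dc=example,dc=com', '(uid=\\1)', priority=10)

if __name__ == '__main__':
    for ident in ('jsmith@EXAMPLE.COM', 'jsmith@OTHER.ORG', 'a*)(uid=admin@EXAMPLE.COM'):
        print(ident, '->', candidate_searches(ident, [CATCH_ALL, REALM]))
```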

3.1.14. cn=SNMP
SNMP configuration attributes are stored under cn=SNMP,cn=config. The cn=SNMP entry is
an instance of the nsSNMP object class.

3.1.14.1. nssnmpenabled

This attribute sets whether SNMP is enabled.

Parameter      Description
Entry DN       cn=SNMP,cn=config
Valid Values   on | off
Default Value  on
Syntax         DirectoryString
Example        nssnmpenabled: off

3.1.14.2. nssnmporganization

This attribute sets the organization to which the Directory Server belongs.

Parameter      Description
Entry DN       cn=SNMP,cn=config
Valid Values   Organization name
Default Value
Syntax         DirectoryString
Example        nssnmporganization: Red Hat, Inc.

3.1.14.3. nssnmplocation


This attribute sets the location within the company or organization where the
Directory Server resides.

Parameter      Description
Entry DN       cn=SNMP,cn=config
Valid Values   Location
Default Value
Syntax         DirectoryString
Example        nssnmplocation: B14

3.1.14.4. nssnmpcontact

This attribute sets the email address of the person responsible for maintaining the
Directory Server.

Parameter      Description
Entry DN       cn=SNMP,cn=config
Valid Values   Contact email address
Default Value
Syntax         DirectoryString
Example        nssnmpcontact: [email protected]

3.1.14.5. nssnmpdescription

Provides a unique description of the Directory Server instance.

Parameter      Description
Entry DN       cn=SNMP,cn=config
Valid Values   Description
Default Value
Syntax         DirectoryString
Example        nssnmpdescription: Employee directory instance

3.1.14.6. nssnmpmasterhost

The nssnmpmasterhost attribute is deprecated with the introduction of net-snmp. The attribute still appears in dse.ldif but without a default value.

Parameter      Description
Entry DN       cn=SNMP,cn=config
Valid Values   machine host name or localhost
Default Value  <blank>
Syntax         DirectoryString
Example        nssnmpmasterhost: localhost

3.1.14.7. nssnmpmasterport

The nssnmpmasterport attribute was deprecated with the introduction of net-snmp. The attribute still appears in dse.ldif but without a default value.

Parameter      Description
Entry DN       cn=SNMP,cn=config
Valid Values   Operating system dependent port number. See the operating system documentation for further information.
Default Value  <blank>
Syntax         Integer
Example        nssnmpmasterport: 199

3.1.15. SNMP Statistic Attributes


Table 3.7, “SNMP Statistic Attributes” contains read-only attributes which list the statistics available for LDAP and SNMP clients. Unless otherwise noted, the value for the given attribute is the number of requests received by the server or results returned by the server since startup. Some of these attributes are not used by or are not applicable to the Directory Server but are still required to be present by SNMP clients.

If the nsslapd-counters attribute in cn=config is set to on (the default setting), then all of the counters kept by the Directory Server instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of Directory Server. All of the SNMP statistics attributes use 64-bit integers when this is configured.

NOTE

The nsslapd-counters attribute enables 64-bit integers for these specific database and server counters. The counters which use 64-bit integers are not configurable; 64-bit integers are either enabled for all the allowed counters or disabled for all allowed counters.

Table 3.7. SNMP Statistic Attributes

Attribute               Description
AnonymousBinds          This shows the number of anonymous bind requests.
UnAuthBinds             This shows the number of unauthenticated (anonymous) binds.
SimpleAuthBinds         This shows the number of LDAP simple bind requests (DN and password).
StrongAuthBinds         This shows the number of LDAP SASL bind requests, for all SASL mechanisms.
BindSecurityErrors      This shows the number of times an invalid password was given in a bind request.
InOps                   This shows the total number of all requests received by the server.
ReadOps                 Not used. This value is always 0.
CompareOps              This shows the number of LDAP compare requests.
AddEntryOps             This shows the number of LDAP add requests.
RemoveEntryOps          This shows the number of LDAP delete requests.
ModifyEntryOps          This shows the number of LDAP modify requests.
ModifyRDNOps            This shows the number of LDAP modify RDN (modrdn) requests.
ListOps                 Not used. This value is always 0.
SearchOps               This shows the number of LDAP search requests.
OneLevelSearchOps       This shows the number of one-level search operations.
WholeSubtreeSearchOps   This shows the number of subtree-level search operations.
Referrals               This shows the number of LDAP referrals returned.
Chainings               Not used. This value is always 0.
SecurityErrors          This shows the number of errors returned that were security related, such as invalid passwords, unknown or invalid authentication methods, or stronger authentication required.
Errors                  This shows the number of errors returned.
Connections             This shows the number of currently open connections.
ConnectionSeq           This shows the total number of connections opened, including both currently open and closed connections.
BytesRecv               This shows the number of bytes received.
BytesSent               This shows the number of bytes sent.
EntriesReturned         This shows the number of entries returned as search results.
ReferralsReturned       This provides information on referrals returned as search results (continuation references).
MasterEntries           Not used. This value is always 0.
CopyEntries             Not used. This value is always 0.
CacheEntries[a]         If the server has only one database back end, this is the number of entries cached in the entry cache. If the server has more than one database back end, this value is 0; see the monitor entry for each one for more information.
CacheHits[a]            If the server has only one database back end, this is the number of entries returned from the entry cache, rather than from the database, for search results. If the server has more than one database back end, this value is 0; see the monitor entry for each one for more information.
SlaveHits               Not used. This value is always 0.

[a] CacheEntries and CacheHits are updated every ten (10) seconds. Red Hat strongly encourages using the database back end specific monitor entries for this and other database information.
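As an added example (not from the page or from Directory Server), the following script reads successive samples of a few of these counters and flags intervals with an unusual number of failed binds, which is how a defender would put BindSecurityErrors to use; it also allows for the counters restarting from zero when the server restarts. The samples are constructed, and fetching the attributes from the server is left outside the script.

```python
from typing import Dict, List, Tuple

Sample = Dict[str, int]

# Cumulative counters from Table 3.7, all counted since server startup.
# Connections is a gauge (currently open connections) and is reported as-is.
CUMULATIVE = ('SimpleAuthBinds', 'StrongAuthBinds', 'BindSecurityErrors',
              'SecurityErrors', 'AnonymousBinds', 'ConnectionSeq')


def restarted(prev: Sample, cur: Sample) -> bool:
    """A since-startup counter can only go down if the server restarted."""
    return any(cur.get(n, 0) < prev.get(n, 0) for n in CUMULATIVE)


def deltas(prev: Sample, cur: Sample) -> Sample:
    """Per-interval growth of each cumulative counter. After a restart the
    interval is counted from zero instead of yielding negative values."""
    reset = restarted(prev, cur)
    return {n: cur.get(n, 0) - (0 if reset else prev.get(n, 0)) for n in CUMULATIVE}


def failed_bind_alerts(samples: List[Tuple[int, Sample]],
                       max_failures: int = 20,
                       max_ratio: float = 0.5,
                       min_attempts: int = 10) -> List[dict]:
    """samples: (unix time, attribute -> value) pairs in time order, for
    example read once a minute. An interval is flagged when BindSecurityErrors
    grew by more than max_failures, or when failures made up more than
    max_ratio of the password/SASL bind requests (SimpleAuthBinds +
    StrongAuthBinds) and there were at least min_attempts of them. Anonymous
    binds carry no password and are left out of the denominator."""
    alerts = []
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        d = deltas(s0, s1)
        attempts = d['SimpleAuthBinds'] + d['StrongAuthBinds']
        failures = d['BindSecurityErrors']
        ratio = failures / attempts if attempts else 0.0
        if failures > max_failures or (attempts >= min_attempts and ratio > max_ratio):
            alerts.append({'from': t0, 'to': t1, 'failed_binds': failures,
                           'bind_requests': attempts, 'failure_ratio': round(ratio, 3),
                           'new_connections': d['ConnectionSeq'],
                           'open_connections': s1.get('Connections', 0),
                           'restart_in_interval': restarted(s0, s1)})
    return alerts


# Constructed readings one minute apart: a quiet minute, a minute with a burst
# of failed binds over many new connections, then a restart (counters drop).
SAMPLES = [
    (1700000000, {'SimpleAuthBinds': 1000, 'StrongAuthBinds': 40, 'BindSecurityErrors': 5,
                  'SecurityErrors': 7, 'AnonymousBinds': 300, 'Connections': 12, 'ConnectionSeq': 5000}),
    (1700000060, {'SimpleAuthBinds': 1040, 'StrongAuthBinds': 42, 'BindSecurityErrors': 6,
                  'SecurityErrors': 8, 'AnonymousBinds': 320, 'Connections': 14, 'ConnectionSeq': 5100}),
    (1700000120, {'SimpleAuthBinds': 1600, 'StrongAuthBinds': 42, 'BindSecurityErrors': 560,
                  'SecurityErrors': 562, 'AnonymousBinds': 325, 'Connections': 30, 'ConnectionSeq': 5700}),
    (1700000180, {'SimpleAuthBinds': 20, 'StrongAuthBinds': 1, 'BindSecurityErrors': 0,
                  'SecurityErrors': 0, 'AnonymousBinds': 3, 'Connections': 4, 'ConnectionSeq': 25}),
]

if __name__ == '__main__':
    for alert in failed_bind_alerts(SAMPLES):
        print(alert)
```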

3.1.16. cn=tasks
Some core Directory Server tasks can be initiated by editing a directory entry using LDAP
tools. These task entries are contained in cn=tasks. Each task can be invoked by updating
an entry such as the following:

dn: cn=task_id,cn=task_type,cn=tasks,cn=config
...

In Red Hat Directory Server deployments before Directory Server 8.0, many
Directory Server tasks were managed by the Administration Server. These tasks were
moved to the core Directory Server configuration in version 8.0 and are invoked and
administered by Directory Server under the cn=tasks entry.

The following tasks are managed under the cn=tasks entry:

cn=import

cn=export

cn=backup

cn=restore

cn=index

cn=schema reload task

cn=memberof task

cn=fixup linked attributes


cn=syntax validate

cn=USN tombstone cleanup task

cn=cleanallruv

cn=abort cleanallruv

cn=automember rebuild membership

cn=automember export updates

cn=automember map updates

The common attributes for these tasks are listed in Section 3.1.16.1, “Task Invocation
Attributes for Entries under cn=tasks”.

The cn=tasks entry itself has no attributes and serves as the parent and container entry for
the individual task entries.

IMPORTANT

Task entries are not permanent configuration entries. They only exist in the
configuration file for as long as the task operation is running or until the ttl
period expires. Then, the entry is deleted automatically by the server.

3.1.16.1. Task Invocation Attributes for Entries under cn=tasks

Five tasks which administer Directory Server instances have configuration entries which
initiate and identify individual operations. These task entries are instances of the same
object class, extensibleObject, and have certain common attributes which describe the
state and behavior of Directory Server tasks. The task types can be import, export, backup,
restore, index, schema reload, and memberof.

cn
The cn attribute identifies a new task operation to initiate. The cn attribute value can be anything, as long as it defines a new task.

Parameter      Description
Entry DN       cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values   Any string
Default Value
Syntax         DirectoryString
Example        cn: example task entry name

nsTaskStatus


This attribute contains changing information about the status of the task, such as
cumulative statistics or its current output message. The entire contents of the attribute
may be updated periodically for as long as the process is running.

This attribute value is set by the server and should not be edited.

Parameter      Description
Entry DN       cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values   Any string
Default Value
Syntax         case-exact string
Example        nsTaskStatus: Loading entries....

nsTaskLog
This attribute contains all of the log messages for the task, including both warning and information messages. New messages are appended to the end of the attribute value, so this attribute value grows larger, without erasing the original contents, by default.

Successful task operations, which have an nsTaskExitCode of 0, are only recorded in the nsTaskLog attribute. Any non-zero response, which indicates an error, may be recorded in the error log as an error, but the error message is only recorded in the nsTaskLog attribute. For this reason, use the information in the nsTaskLog attribute to find out what errors actually occurred.

This attribute value is set by the server and should not be edited.

Parameter      Description
Entry DN       cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values   Any string
Default Value
Syntax         Case-exact string
Example        nsTaskLog: example...

nsTaskExitCode
This attribute contains the exit code for the task. This attribute only exists after the task is completed and any value is only valid if the task is complete. The result code can be any LDAP exit code, as listed in Section 7.4, “LDAP Result Codes”, but only a 0 value equals success; any other result code is an error.

This attribute value is set by the server and should not be edited.

Parameter      Description
Entry DN       cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values   0 (success) to 97[a]
Default Value
Syntax         Integer
Example        nsTaskExitCode: 0

[a] Any response other than 0 is an error.

nsTaskCurrentItem
This attribute shows the number of subtask which the task operation has completed,
assuming the task can be broken down into subtasks. If there is only one task, then
nsTaskCurrentItem is 0 while the task is running, and 1 when the task is complete. In this
way, the attribute is analogous to a progress bar. When the nsTaskCurrentItem attribute
has the same value as nsTaskTotalItems, then the task is completed.

This attribute value is set by the server and should not be edited.

Parameter      Description
Entry DN       cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values   0 to the maximum 32 bit integer value (2147483647)
Default Value
Syntax         Integer
Example        nsTaskCurrentItem: 148

nsTaskTotalItems
This attribute shows the total number of subtasks that must be completed for the task
operation. When the nsTaskCurrentItem attribute has the same value as
nsTaskTotalItems, then the task is completed.

This attribute value is set by the server and should not be edited.


Parameter      Description
Entry DN       cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values   0 to the maximum 32 bit integer value (2147483647)
Default Value
Syntax         Integer
Example        nsTaskTotalItems: 152

nsTaskCancel
This attribute allows a task to be aborted while in progress. This attribute can be modified
by users.

Parameter      Description
Entry DN       cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values   true | false
Default Value
Syntax         Case-insensitive string
Example        nsTaskCancel: true

ttl
This attribute sets the amount of time (in seconds) the task entry will remain in the DSE
after the task has finished or aborted. Setting a ttl attribute allows the task entry to be
polled for new status information without missing the exit code. Setting the ttl attribute to
0 means that the entry is not cached.

Parameter      Description
Entry DN       cn=task_name,cn=task_type,cn=tasks,cn=config
Valid Values   0 (cannot be cached) to the maximum 32 bit integer value (2147483647)
Default Value
Syntax         DirectoryString
Example        ttl: 120

3.1.16.2. cn=import

An LDIF file or multiple LDIF files can be imported through the command line by creating a
special task entry which defines the parameters of the task and initiates the task. As soon
as the task is complete, the task entry is removed from the directory.

The cn=import entry is a container entry for import task operations. The cn=import entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID,cn=import,cn=tasks,cn=config, uses the following attributes to define the import task.

An import task entry under cn=import must contain the LDIF file to import (in the nsFilename attribute) and the name of the instance into which to import the file (in the nsInstance attribute). Additionally, it must contain a unique cn to identify the task. For example:

dn: cn=example import,cn=import,cn=tasks,cn=config
objectclass: extensibleObject
cn: example import
nsFilename: /home/files/example.ldif
nsInstance: userRoot

As the import operation runs, the task entry will contain all of the server-generated task
attributes listed in Section 3.1.16.1, “Task Invocation Attributes for Entries under
cn=tasks”.

There are some optional attributes which can be used to refine the import operation, similar to the options for the ldif2db and ldif2db.pl scripts:

nsIncludeSuffix, which is analogous to the -s option to specify the suffix to import

nsExcludeSuffix, analogous to the -x option to specify a suffix or subtree to exclude from the import

nsImportChunkSize, analogous to the -c option to override starting a new pass during the import and merge the chunks

nsImportIndexAttrs, which sets whether to import attribute indexes (with no corollary in the script options)

nsUniqueIdGenerator, analogous to the -g option to generate unique ID numbers for the entries

nsUniqueIdGeneratorNamespace, analogous to the -G option to generate a unique, name-based ID for the entries
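As an added example (not code from the page or from Directory Server), the following script builds the import task entry described above as LDIF and reads the server-set attributes from Section 3.1.16.1 to decide whether a task is still running, has succeeded, or has failed; the search results it parses are constructed, and the status and log messages in them are made up for the example.

```python
import base64
from typing import Dict, Iterable, List


def ldif_line(attr: str, value: str) -> str:
    """One attribute line per RFC 2849. Values LDIF cannot carry literally
    (leading space, ':' or '<', trailing space, non-ASCII, NUL, CR, LF) are
    base64-encoded after a '::' separator instead of being emitted raw."""
    unsafe = (value[:1] in (' ', ':', '<') or value.endswith(' ')
              or any(ord(c) > 0x7F or c in '\x00\r\n' for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def import_task_ldif(task_name: str, instance: str, files: Iterable[str],
                     include_suffixes: Iterable[str] = (),
                     exclude_suffixes: Iterable[str] = (), ttl: int = 120) -> str:
    """Build the cn=task_name,cn=import,cn=tasks,cn=config entry from the page.
    ttl keeps the finished entry around for that many seconds so a poller can
    still read nsTaskExitCode; with ttl 0 the entry is gone as soon as the task
    ends and the exit code can be missed."""
    files = list(files)
    if not files:
        raise ValueError('an import task needs at least one nsFilename')
    if any(c in task_name for c in ',+"\\<>;='):
        raise ValueError('task name would need DN escaping in the RDN: %r' % task_name)
    lines = [f'dn: cn={task_name},cn=import,cn=tasks,cn=config',
             'objectclass: extensibleObject', ldif_line('cn', task_name)]
    lines += [ldif_line('nsFilename', f) for f in files]
    lines.append(ldif_line('nsInstance', instance))
    lines += [ldif_line('nsIncludeSuffix', s) for s in include_suffixes]
    lines += [ldif_line('nsExcludeSuffix', s) for s in exclude_suffixes]
    lines.append(f'ttl: {ttl}')
    return '\n'.join(lines) + '\n'


def parse_task_entry(ldif_text: str) -> Dict[str, List[str]]:
    """Parse one entry as a search would return it: unfold continuation lines
    (leading space), decode '::' base64 values, lower-case attribute names."""
    unfolded: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line or line.startswith('#'):
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs


def task_progress(attrs: Dict[str, List[str]]) -> dict:
    """Read the server-set attributes of 3.1.16.1. The task is finished once
    nsTaskExitCode exists and succeeded only when that code is 0; because a
    failure's message is only guaranteed to be in nsTaskLog, the log is
    returned for failed tasks."""
    current = int(attrs.get('nstaskcurrentitem', ['0'])[0])
    total = int(attrs.get('nstasktotalitems', ['0'])[0])
    codes = attrs.get('nstaskexitcode')
    code = int(codes[0]) if codes else None
    return {'status': attrs.get('nstaskstatus', [''])[0],
            'current': current, 'total': total,
            'percent': round(100.0 * current / total, 1) if total else 0.0,
            'finished': code is not None, 'exit_code': code, 'ok': code == 0,
            'log': attrs.get('nstasklog', []) if code not in (None, 0) else []}


# Constructed search results for a running and a failed import task; the
# status and log text is made up. The failed task's nsTaskLog is base64 and
# folded across two lines, as a real LDIF dump of a multi-line value may be.
RUNNING_TASK = (
    'dn: cn=example import,cn=import,cn=tasks,cn=config\n'
    'objectclass: extensibleObject\ncn: example import\n'
    'nsFilename: /home/files/example.ldif\nnsInstance: userRoot\n'
    'nsTaskStatus: Loading entries....\n'
    'nsTaskCurrentItem: 148\nnsTaskTotalItems: 152\n')
LOG_TEXT = 'Loading entries....\nimport failed: could not open /home/files/example.ldif'
LOG_B64 = base64.b64encode(LOG_TEXT.encode('utf-8')).decode('ascii')
FAILED_TASK = (
    'dn: cn=example import,cn=import,cn=tasks,cn=config\n'
    'objectclass: extensibleObject\ncn: example import\n'
    'nsFilename: /home/files/example.ldif\nnsInstance: userRoot\n'
    'nsTaskStatus: import failed (constructed)\n'
    'nsTaskCurrentItem: 0\nnsTaskTotalItems: 1\nnsTaskExitCode: 1\n'
    'nsTaskLog:: ' + LOG_B64[:40] + '\n ' + LOG_B64[40:] + '\n')

if __name__ == '__main__':
    print(import_task_ldif('example import', 'userRoot', ['/home/files/example.ldif']))
    print(task_progress(parse_task_entry(RUNNING_TASK)))
    print(task_progress(parse_task_entry(FAILED_TASK)))
```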

nsFilename


The nsFilename attribute contains the path and filenames of the LDIF files to import into
the Directory Server instance. To import multiple files, add multiple instances of this
attribute. For example:

nsFilename: file1.ldif
nsFilename: file2.ldif

Parameter      Description
Entry DN       cn=task_name,cn=import,cn=tasks,cn=config
Valid Values   Any string
Default Value
Syntax         Case-exact string, multi-valued
Example        nsFilename: /home/jsmith/example.ldif

nsInstance
This attribute supplies the name of the database instance into which to import the files,
such as NetscapeRoot or slapd-example.

Parameter      Description
Entry DN       cn=task_name,cn=import,cn=tasks,cn=config
Valid Values   The name of a Directory Server instance database (any string)
Default Value
Syntax         Case-exact string
Example        nsInstance: userRoot

nsIncludeSuffix
This attribute identifies a specific suffix or subtree to import from the LDIF file.

Parameter      Description
Entry DN       cn=task_name,cn=import,cn=tasks,cn=config
Valid Values   Any DN
Default Value
Syntax         DN, multi-valued
Example        nsIncludeSuffix: ou=people,dc=example,dc=com

nsExcludeSuffix
This attribute identifies suffixes or subtrees in the LDIF file to exclude from the import.

Parameter      Description
Entry DN       cn=task_name,cn=import,cn=tasks,cn=config
Valid Values   Any DN
Default Value
Syntax         DN, multi-valued
Example        nsExcludeSuffix: ou=machines,dc=example,dc=com

nsImportChunkSize
This attribute defines the number of chunks to have during the import operation, which
overrides the server's detection during the import of when to start a new pass and merges
the chunks.

Parameter      Description
Entry DN       cn=task_name,cn=import,cn=tasks,cn=config
Valid Values   0 to the maximum 32 bit integer value (2147483647)
Default Value  0
Syntax         Integer
Example        nsImportChunkSize: 10

nsImportIndexAttrs
This attribute sets whether to index the attributes that are imported into the database instance.


Parameter      Description
Entry DN       cn=task_name,cn=import,cn=tasks,cn=config
Valid Values   true | false
Default Value  true
Syntax         Case-insensitive string
Example        nsImportIndexAttrs: true

nsUniqueIdGenerator
This sets whether to generate a unique ID for the imported entries. By default, this attribute
generates time-based IDs.

Parameter      Description
Entry DN       cn=task_name,cn=import,cn=tasks,cn=config
Valid Values   none (no unique ID) | empty (time-based ID) | deterministic namespace (name-based ID)
Default Value  empty
Syntax         Case-insensitive string
Example        nsUniqueIdGenerator:

nsUniqueIdGeneratorNamespace
This attribute defines how to generate name-based IDs; the attribute sets the namespace
to use to generate the IDs. This option is useful to import the same LDIF file into two
Directory Server instances when the entries need to have the same IDs.

Parameter      Description
Entry DN       cn=task_name,cn=import,cn=tasks,cn=config
Valid Values   Any string
Default Value
Syntax         Case-insensitive string
Example        nsUniqueIdGeneratorNamespace: example


3.1.16.3. cn=export

A database or multiple databases can be exported through the command line by creating a
special task entry which defines the parameters of the task and initiates the task. As soon
as the task is complete, the task entry is removed from the directory.

The cn=export,cn=tasks,cn=config entry is a container for export task operations. These tasks are stored within this container and named cn=task_name,cn=export,cn=tasks,cn=config.

While the export operation is running, the task entry contains all of the server-generated
task attributes listed in Section 3.1.16.1, “Task Invocation Attributes for Entries under
cn=tasks”.

You can create export tasks manually or use the db2ldif.pl command. The following table
displays the db2ldif.pl command-line options and their corresponding attributes:

db2ldif.pl option   Task attribute      Description
-a                  nsFilename          Sets the path to the exported LDIF file.
-C                  nsUseId2Entry       If enabled, use only the main database file.
-M                  nsUseOneFile        If enabled, store output in multiple files.
-n                  nsInstance          Sets the database name.
-N                  nsPrintKey          Enables you to suppress printing the sequence number.
-r                  nsExportReplica     If set, the export will include attributes to initialize a replica.
-s                  nsIncludeSuffix     Sets the suffix to include in the exported file.
-u                  nsDumpUniqId        Enables you not to export the unique ID.
-U                  nsNoWrap            If set, long lines are not wrapped.
-x                  nsExcludeSuffix     Sets the suffix to exclude in the exported file.

nsFilename
The nsFilename attribute contains the path and filenames of the LDIF files to which to
export the Directory Server instance database.


Parameter      Description
Entry DN       cn=task_name,cn=export,cn=tasks,cn=config
Valid Values   Any string
Default Value
Syntax         Case-exact string, multi-valued
Example        nsFilename: /home/jsmith/example.ldif

nsInstance
This attribute supplies the name of the database instance from which to export the
database, such as NetscapeRoot or userRoot.

Parameter      Description
Entry DN       cn=task_name,cn=export,cn=tasks,cn=config
Valid Values   The name of a Directory Server instance (any string)
Default Value
Syntax         Case-exact string, multi-valued
Example        nsInstance: userRoot

nsIncludeSuffix
This attribute identifies a specific suffix or subtree to export to an LDIF file.

Parameter      Description
Entry DN       cn=task_name,cn=export,cn=tasks,cn=config
Valid Values   Any DN
Default Value
Syntax         DN, multi-valued
Example        nsIncludeSuffix: ou=people,dc=example,dc=com


nsExcludeSuffix
This attribute identifies suffixes or subtrees in the database to exclude from the exported
LDIF file.

Parameter      Description
Entry DN       cn=task_name,cn=export,cn=tasks,cn=config
Valid Values   Any DN
Default Value
Syntax         DN, multi-valued
Example        nsExcludeSuffix: ou=machines,dc=example,dc=com

nsUseOneFile
This attribute sets whether to export all Directory Server instances to a single LDIF file or
separate LDIF files.

Parameter      Description
Entry DN       cn=task_name,cn=export,cn=tasks,cn=config
Valid Values   true | false
Default Value  true
Syntax         Case-insensitive string
Example        nsUseOneFile: true

nsExportReplica
This attribute identifies whether the exported database will be used in replication. For
replicas, the proper attributes and settings will be included with the entry to initialize the
replica automatically.

Parameter      Description
Entry DN       cn=task_name,cn=export,cn=tasks,cn=config
Valid Values   true | false
Default Value  false
Syntax         Case-insensitive string
Example        nsExportReplica: true

nsPrintKey
This attribute sets whether to print the entry ID number as the entry is processed by the
export task.

Parameter      Description
Entry DN       cn=task_name,cn=export,cn=tasks,cn=config
Valid Values   true | false
Default Value  true
Syntax         Case-insensitive string
Example        nsPrintKey: false

nsUseId2Entry
The nsUseId2Entry attribute uses the main database index, id2entry, to define the exported LDIF entries.

Parameter      Description
Entry DN       cn=task_name,cn=export,cn=tasks,cn=config
Valid Values   true | false
Default Value  false
Syntax         Case-insensitive string
Example        nsUseId2Entry: true

nsNoWrap
This attribute sets whether to wrap long lines in the LDIF file.

Parameter      Description
Entry DN       cn=task_name,cn=export,cn=tasks,cn=config
Valid Values   true | false
Default Value  false
Syntax         Case-insensitive string
Example        nsNoWrap: false

nsDumpUniqId
This attribute sets that the unique IDs for the exported entries are not exported.

Parameter      Description
Entry DN       cn=task_name,cn=export,cn=tasks,cn=config
Valid Values   true | false
Default Value  true
Syntax         Case-insensitive string
Example        nsDumpUniqId: true

3.1.16.4. cn=backup

A database can be backed up through the command line by creating a special task entry
which defines the parameters of the task and initiates the task. As soon as the task is
complete, the task entry is removed from the directory.

The cn=backup entry is a container entry for backup task operations. The cn=backup entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID,cn=backup,cn=tasks,cn=config, uses the following attributes to define the backup task.

A backup task entry under cn=backup must contain the location of the directory to which to copy the archive copy (in the nsArchiveDir attribute) and the type of database being backed up (in the nsDatabaseType attribute). Additionally, it must contain a unique cn to identify the task. For example:

dn: cn=example backup,cn=backup,cn=tasks,cn=config
objectclass: extensibleObject
cn: example backup
nsArchiveDir: /export/backups/
nsDatabaseType: ldbm database

As the backup operation runs, the task entry will contain all of the server-generated task
attributes listed in Section 3.1.16.1, “Task Invocation Attributes for Entries under
cn=tasks”.


nsArchiveDir
This attribute gives the location of the directory to which to write the backup.

If this attribute is not included with the cn=backup task, the task will fail with an LDAP
object class violation error (65).

Parameter      Description
Entry DN       cn=task_name,cn=backup,cn=tasks,cn=config
Valid Values   Any local directory location
Default Value
Syntax         Case-exact string
Example        nsArchiveDir: /export/backups

nsDatabaseType
This attribute gives the kind of database being archived. Setting the database types signals
what kind of backup plug-in the Directory Server should use to archive the database.

Parameter      Description
Entry DN       cn=task_name,cn=backup,cn=tasks,cn=config
Valid Values   ldbm database
Default Value  ldbm database
Syntax         Case-exact string
Example        nsDatabaseType: ldbm database

3.1.16.5. cn=restore

A database can be restored through the command line by creating a special task entry
which defines the parameters of the task and initiates the task. As soon as the task is
complete, the task entry is removed from the directory.

The cn=restore entry is a container entry for task operations to restore a database. The
cn=restore entry itself has no attributes, but each of the task entries within this entry,
such as cn=task_ID, cn=restore, cn=tasks, cn=config, uses the following attributes to
define the restore task.

A restore task entry under cn=restore must contain the location of the directory from which to retrieve the archive copy (in the nsArchiveDir attribute) and the type of database being restored (in the nsDatabaseType attribute). Additionally, it must contain a unique cn to identify the task. For example:


dn: cn=example restore,cn=restore,cn=tasks,cn=config
objectclass: extensibleObject
cn: example restore
nsArchiveDir: /export/backups/
nsDatabaseType: ldbm database

As the restore operation runs, the task entry will contain all of the server-generated task
attributes listed in Section 3.1.16.1, “Task Invocation Attributes for Entries under
cn=tasks”.

nsArchiveDir
This attribute gives the location of the directory from which to retrieve the backup archive to restore.

Parameter      Description
Entry DN       cn=task_name,cn=restore,cn=tasks,cn=config
Valid Values   Any local directory location
Default Value
Syntax         Case-exact string
Example        nsArchiveDir: /export/backups

nsDatabaseType
This attribute gives the kind of database being archived. Setting the database types signals
what kind of backup plug-in the Directory Server should use to archive the database.

Parameter      Description
Entry DN       cn=task_name,cn=restore,cn=tasks,cn=config
Valid Values   ldbm database
Default Value  ldbm database
Syntax         Case-exact string
Example        nsDatabaseType: ldbm database

3.1.16.6. cn=index

Directory attributes can be indexed through the command line by creating a special task entry which defines the parameters of the task and initiates the task. As soon as the task is complete, the task entry is removed from the directory.


The cn=index entry is a container entry for index task operations. The cn=index entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID,cn=index,cn=tasks,cn=config, uses the following attributes to define the index task.

An index task entry under cn=index can create a standard index by identifying the
attribute to be indexed and the type of index to create, both defined in the
nsIndexAttribute attribute.

Alternatively, the index task can be used to generate virtual list view (VLV) indexes for an
attribute using the nsIndexVLVAttribute attribute. This is the same as running the
vlvindex script.

For example:

dn: cn=example presence index,cn=index,cn=tasks,cn=config
objectclass: top
objectclass: extensibleObject
cn: example presence index
nsInstance: userRoot
nsIndexAttribute: "cn:pres"

dn: cn=example VLV index,cn=index,cn=tasks,cn=config
objectclass: extensibleObject
cn: example VLV index
nsIndexVLVAttribute: "by MCC ou=people,dc=example,dc=com"

As the index operation runs, the task entry will contain all of the server-generated task
attributes listed in Section 3.1.16.1, “Task Invocation Attributes for Entries under
cn=tasks”.

nsIndexAttribute
This attribute gives the name of the attribute to index and the types of indexes to apply.
The format of the attribute value is the attribute name and a comma-separated list of index
types, enclosed in double quotation marks. For example:

nsIndexAttribute: attribute:index1,index2

Parameter      Description
Entry DN       cn=task_name,cn=index,cn=tasks,cn=config
Valid Values   Any attribute; the index type, which can be pres (presence), eq (equality), approx (approximate), and sub (substring)
Default Value
Syntax         Case-insensitive string, multi-valued
Example        nsIndexAttribute: "cn:pres,eq"
               nsIndexAttribute: "description:sub"

nsIndexVLVAttribute
This attribute gives the name of the target entry for a VLV index. A virtual list view is based
on a browsing index entry (as described in the Administration Guide), which defines the
virtual list base DN, scope, and filter. The nsIndexVLVAttribute value is the browsing
index entry, and the VLV creation task is run according to the browsing index entry
parameters.

Parameter      Description
Entry DN       cn=task_name,cn=index,cn=tasks,cn=config
Valid Values   RDN of the subentry of the VLV entry definition
Default Value
Syntax         DirectoryString
Example        nsIndexVLVAttribute: "browsing index sort identifier"

3.1.16.7. cn=schema reload task

The directory schema is loaded when the directory instance is started or restarted. Any
changes to the directory schema, including adding custom schema elements, are not
loaded automatically and available to the instance until the server is restarted or by
initiating a schema reload task.

Custom schema changes can be reloaded dynamically, without having to restart the
Directory Server instance. This is done by initiating a schema reload task through creating a
new task entry under the cn=tasks entry.

The custom schema file can be located in any directory; if not specified with the schemadir
attribute, the server reloads the schema from the default
/etc/dirsrv/slapd-instance/schema directory.

IMPORTANT

Any schema loaded from another directory must be copied into the schema
directory, or the schema will be lost when the server is restarted.

210
CHAPTER 3. CORE SERVER CONFIGURATION REFERENCE

The schema reload task is initiated through the command line by creating a special task
entry which defines the parameters of the task and initiates it. As soon as the task is
complete, the task entry is removed from the directory. For example:

dn: cn=example schema reload,cn=schema reload task,cn=tasks,cn=config
objectclass: extensibleObject
cn: example schema reload
schemadir: /export/schema

The cn=schema reload task entry is a container entry for schema reload operations. The
cn=schema reload task entry itself has no attributes, but each of the task entries within
this entry, such as cn=task_ID, cn=schema reload task, cn=tasks, cn=config, uses the
schema reload attributes to define the individual reload task.

cn
The cn attribute identifies a new task operation to initiate. The cn attribute value can be
anything, as long as it defines a new task.

Parameter       Description
Entry DN        cn=task_name,cn=schema reload task,cn=tasks,cn=config
Valid Values    Any string
Default Value
Syntax          DirectoryString
Example         cn: example reload task ID

schemadir
This contains the full path to the directory containing the custom schema file.

Parameter       Description
Entry DN        cn=task_name,cn=schema reload task,cn=tasks,cn=config
Valid Values    Any local directory path
Default Value   /etc/dirsrv/schema
Syntax          DirectoryString
Example         schemadir: /export/schema/

3.1.16.8. cn=memberof task


The memberOf attribute is created and managed by the Directory Server automatically to
display group membership on the members' user entries. When the member attribute on a
group entry is changed, all of the members' associated directory entries are automatically
updated with their corresponding memberOf attributes.

The cn=memberof task (and the related fixup-memberof.pl script) is used to create the
initial memberOf attributes on the member's user entries in the directory. After the
memberOf attributes are created, then the MemberOf Plug-in manages the memberOf
attributes automatically.

The memberOf update task must give the DN of the entry or subtree to run the update task
against (set in the basedn attribute). Optionally, the task can include a filter to identify the
members' user entries to update (set in the filter attribute). For example:

dn: cn=example memberOf,cn=memberof task,cn=tasks,cn=config
objectclass: extensibleObject
cn: example memberOf
basedn: ou=people,dc=example,dc=com
filter: (objectclass=groupofnames)

When the task is complete, the task entry is removed from the directory.

The cn=memberof task entry is a container entry for memberOf update operations. The
cn=memberof task entry itself has no attributes, but each of the task entries beneath this
entry, such as cn=task_ID, cn=memberof task, cn=tasks, cn=config, uses its attributes to
define the individual update task.

basedn
This attribute gives the base DN under which to search for the user entries whose
memberOf attribute is to be updated.

Parameter       Description
Entry DN        cn=task_name,cn=memberof task,cn=tasks,cn=config
Valid Values    Any DN
Default Value
Syntax          DN
Example         basedn: ou=people,dc=example,dc=com

filter
This attribute gives an optional LDAP filter to select which user entries to update with the
memberOf attribute. Each member of a group has a corresponding user entry in the
directory.


Parameter       Description
Entry DN        cn=task_name,cn=memberof task,cn=tasks,cn=config
Valid Values    Any LDAP filter
Default Value   (objectclass=*)
Syntax          DirectoryString
Example         filter: (l=Sunnyvale)

3.1.16.9. cn=fixup linked attributes

The Directory Server has a Linked Attributes Plug-in which allows one attribute, set in one
entry, to update another attribute in another entry automatically. Both entries have DNs for
values. The DN value in the first entry points to the entry for the plug-in to update; the
attribute in the second entry contains a DN back-pointer to the first entry.

This is similar to the way that the MemberOf Plug-in uses the member attribute in group
entries to set the memberOf attribute in user entries. With linked attributes, any attribute can
be defined as a "link," and then another attribute is "managed" in affected entries.

The cn=fixup linked attributes task (and the related fixup-linkedattrs.pl script) creates
the managed attributes — based on link attributes that already exist in the database — in
the user entries once the linking plug-in instance is created. After the linked and managed
attributes are set, the Linked Attributes Plug-in maintains the managed attributes
dynamically, as users change the link attributes.

The linked attributes update task can specify which linked attribute plug-in instance to
update, set in the optional linkdn attribute. If this attribute is not set on the task entry, then
all configured linked attributes are updated.

dn: cn=example,cn=fixup linked attributes,cn=tasks,cn=config
objectclass: extensibleObject
cn: example
linkdn: cn=Example Link,cn=Linked Attributes,cn=plugins,cn=config

When the task is complete, the task entry is removed from the directory.

The cn=fixup linked attributes entry is a container entry for any linked attribute
update operation. The cn=fixup linked attributes entry itself has no attributes related
to individual tasks, but each of the task entries beneath this entry, such as cn=task_ID,
cn=fixup linked attributes, cn=tasks, cn=config, uses its attributes to define the
individual update task.

linkdn
Each linked-managed attribute pair is configured in a linked attributes plug-in instance. The
linkdn attribute sets the specific linked attribute plug-in used to update the entries by
giving the plug-in instance DN. For example:


linkdn: cn=Manager Attributes,cn=Linked Attributes,cn=plugins,cn=config

If no plug-in instance is given, then all linked attributes are updated.

Parameter       Description
Entry DN        cn=task_name,cn=fixup linked attributes,cn=tasks,cn=config
Valid Values    A DN (for an instance of the Linked Attributes plug-in)
Default Value   None
Syntax          DN
Example         linkdn: cn=Manager Links,cn=Linked Attributes,cn=plugins,cn=config

3.1.16.10. cn=syntax validate

Syntax validation checks every modification to attributes to make sure that the new value
has the required syntax for that attribute type. Attribute syntaxes are validated against the
definitions in RFC 4514.

Syntax validation is enabled by default. However, syntax validation only audits changes to
attribute values, such as when an attribute is added or modified. It does not validate the
syntax of existing attribute values.

Validation of the existing syntax can be done with the syntax validation task. This task
checks entries under a specified subtree (in the basedn attribute) and, optionally, only
entries which match a specified filter (in the filter attribute).

dn: cn=example,cn=syntax validate,cn=tasks,cn=config
objectclass: extensibleObject
cn: example
basedn: ou=people,dc=example,dc=com
filter: "(objectclass=inetorgperson)"

When the task is complete, the task entry is removed from the directory.

If syntax validation is disabled or if a server is migrated, then there may be data in the
server which does not conform to attribute syntax requirements. The syntax validation task
can be run to evaluate those existing attribute values before enabling syntax validation.

The cn=syntax validate entry is a container entry for any syntax validation operation.
The cn=syntax validate entry itself has no attributes that are specific to any task. Each of
the task entries beneath this entry, such as cn=task_ID, cn=syntax validate, cn=tasks,
cn=config, uses its attributes to define the individual update task.

basedn
Gives the subtree against which to run the syntax validation task. For example:


basedn: ou=people,dc=example,dc=com

Parameter       Description
Entry DN        cn=task_name,cn=syntax validate,cn=tasks,cn=config
Valid Values    Any DN
Default Value   None
Syntax          DN
Example         basedn: dc=example,dc=com

filter
Contains an optional LDAP filter which can be used to identify specific entries beneath the
given basedn against which to run the syntax validation task. If this attribute is not set on
the task, then every entry within the basedn is audited. For example:

filter: "(objectclass=person)"

Parameter       Description
Entry DN        cn=task_name,cn=syntax validate,cn=tasks,cn=config
Valid Values    Any LDAP filter
Default Value   "(objectclass=*)"
Syntax          DirectoryString
Example         filter: "(objectclass=*)"

3.1.16.11. cn=USN tombstone cleanup task

If the USN Plug-in is enabled, then update sequence numbers (USNs) are set on every entry
whenever a directory write operation, like add or modify, occurs on that entry. This is
reflected in the entryUSN operational attribute. This USN is set even when an entry is
deleted, and the tombstone entries are maintained by the Directory Server instance.

The cn=USN tombstone cleanup task (and the related usn-tombstone-cleanup.pl script)
deletes the tombstone entries maintained by the instance according to the back end
database (in the backend attribute) or the suffix (in the suffix attribute). Optionally, only a
subset of tombstone entries can be deleted by specifying a maximum USN to delete (in the
max_usn_to_delete attribute), which preserves the most recent tombstone entries.


dn: cn=example,cn=USN tombstone cleanup task,cn=tasks,cn=config
objectclass: extensibleObject
cn: example
backend: userroot
max_usn_to_delete: 500

IMPORTANT

This task can only be launched if replication is not enabled. Replication
maintains its own tombstone store, and these tombstone entries cannot be
deleted by the USN Plug-in; they must be maintained by the replication
processes. Thus, Directory Server prevents users from running the cleanup
task for replicated databases.

Attempting to create this task entry for a replicated back end will return this
error in the command line:

ldap_add: DSA is unwilling to perform

In the error log, there is a more explicit message that the suffix cannot have
tombstones removed because it is replicated:

[...] usn-plugin - Suffix dc=example,dc=com is replicated. Unwilling to perform cleaning up tombstones.

When the task is complete, the task entry is removed from the directory.

The cn=USN tombstone cleanup task entry is a container entry for all USN tombstone
delete operations. The cn=USN tombstone cleanup task entry itself has no attributes
related to any individual task, but each of the task entries beneath this entry, such as
cn=task_ID, cn=USN tombstone cleanup task, cn=tasks, cn=config, uses its attributes to
define the individual update task.

backend
This gives the Directory Server instance back end, or database, to run the cleanup
operation against. If the back end is not specified, then the suffix must be specified.

Parameter       Description
Entry DN        cn=task_name,cn=USN tombstone cleanup task,cn=tasks,cn=config
Valid Values    Database name
Default Value   None
Syntax          DirectoryString
Example         backend: userroot


max_usn_to_delete
This gives the highest USN value to delete when removing tombstone entries. All
tombstone entries up to and including that number are deleted. Tombstone entries with
higher USN values (that means more recent entries) are not deleted.

Parameter       Description
Entry DN        cn=task_name,cn=USN tombstone cleanup task,cn=tasks,cn=config
Valid Values    Any integer
Default Value   None
Syntax          Integer
Example         max_usn_to_delete: 500

suffix
This gives the suffix or subtree in the Directory Server to run the cleanup operation against.
If the suffix is not specified, then the back end must be given.

Parameter       Description
Entry DN        cn=task_name,cn=USN tombstone cleanup task,cn=tasks,cn=config
Valid Values    Any subtree DN
Default Value   None
Syntax          DN
Example         suffix: dc=example,dc=com

3.1.16.12. cn=cleanallruv

Information about the replication topology — all of the suppliers which are supplying
updates to each other and other replicas within the same replication group — is contained
in a set of metadata called the replica update vector (RUV). The RUV contains information
about the supplier like its ID and URL, its latest change sequence number (CSN) for
changes made on the local server, and the CSN of the first change. Both suppliers and
consumers store RUV information, and they use it to control replication updates.

When one supplier is removed from the replication topology, it may remain in another
replica's RUV. When the other replica is restarted, it can record errors in its log that the
replication plug-in does not recognize the (removed) supplier.


[09/Sep/2019:09:03:43 -0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 55 ldap://server.example.com:389} 4e6a27ca000000370000 4e6a27e8000000370000] which is present in RUV [database RUV]
......
[09/Sep/2019:09:03:43 -0600] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=example,dc=com there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.

When the supplier is permanently removed from the topology, then any lingering metadata
about that supplier should be purged from every other supplier's RUV entry.

The cn=cleanallruv task propagates through all servers in the replication topology and
removes the RUV entries associated with the specified missing or obsolete supplier.

When the task is complete, the task entry is removed from the directory.

The cn=cleanallruv entry is a container entry for all clean RUV operations. The
cn=cleanallruv entry itself has no attributes related to any individual task, but each of
the task entries beneath this entry, such as cn=task_ID,cn=cleanallruv,
cn=tasks,cn=config, uses its attributes to define the individual update task.

Each clean RUV task must specify the replica ID number of the replica RUV entries to
remove, the base DN of the replicated database, and whether remaining updates from the
missing supplier should be applied before removing the RUV data.

dn: cn=clean 55,cn=cleanallruv,cn=tasks,cn=config
objectclass: extensibleObject
replica-base-dn: dc=example,dc=com
replica-id: 55
replica-force-cleaning: no
cn: clean 55

replica-base-dn
This gives the Directory Server base DN associated with the replicated database. This is the
base DN for the replicated suffix.

Parameter       Description
Entry DN        cn=task_name,cn=cleanallruv,cn=tasks,cn=config
Valid Values    Directory suffix DN
Default Value   None
Syntax          DirectoryString
Example         replica-base-dn: dc=example,dc=com

replica-id
This gives the replica ID (defined in the nsDS5ReplicaId attribute for the replica
configuration entry) of the replica to be removed from the replication topology.

Parameter       Description
Entry DN        cn=task_name,cn=cleanallruv,cn=tasks,cn=config
Valid Values    0 to 65534
Default Value   None
Syntax          Integer
Example         replica-id: 55

replica-force-cleaning
This sets whether any outstanding updates from the replica to be removed should be
applied (no) or whether the clean RUV operation should force-continue and lose any
remaining updates (yes).

Parameter       Description
Entry DN        cn=task_name,cn=cleanallruv,cn=tasks,cn=config
Valid Values    no | yes
Default Value   None
Syntax          DirectoryString
Example         replica-force-cleaning: no
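The RUV mismatch messages shown above are the usual trigger for a cn=cleanallruv task. The following Python script is an added example, not code from the Red Hat documentation: it reads those two NSMMReplicationPlugin messages from a constructed sample error log (SAMPLE_LOG) and extracts the replica ID and suffix the task entry needs; the function names are constructed here as well.

```python
"""Find replicas that the error log reports as present in the database RUV but
absent from the changelog max RUV.

Added example (not part of the Red Hat documentation). The result is a list of
candidates for a cn=cleanallruv task, not proof of obsolescence: as the log
message itself says, a replica that is still alive but silent needs its status
checked instead of being cleaned.
"""
import re

# Constructed sample log lines, modelled on the messages quoted in this section
# (the server writes each message on a single line; the last line is filler).
SAMPLE_LOG = """\
[09/Sep/2019:09:03:43 -0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 55 ldap://server.example.com:389} 4e6a27ca000000370000 4e6a27e8000000370000] which is present in RUV [database RUV]
[09/Sep/2019:09:03:43 -0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 12 ldap://old.example.com:389} 4e6a27ca0000000c0000 4e6a27e80000000c0000] which is present in RUV [database RUV]
[09/Sep/2019:09:03:43 -0600] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=example,dc=com there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[09/Sep/2019:09:03:44 -0600] NSMMReplicationPlugin - unrelated message (constructed filler line)
"""

ELEMENT_RE = re.compile(
    r"ruv_compare_ruv: RUV \[changelog max RUV\] does not contain element "
    r"\[\{replica (?P<rid>\d+) (?P<url>ldaps?://[^}\s]+)\}[^\]]*\] "
    r"which is present in RUV \[database RUV\]")
WARNING_RE = re.compile(
    r"replica_check_for_data_reload: Warning: for replica (?P<dn>.+?) there were "
    r"some differences between the changelog max RUV and the database RUV")


def find_stale_ruv_elements(log_text):
    """Return one dict per reported element: replica-id, url and replica-base-dn.

    The element messages precede the warning that names the suffix, so elements
    are buffered until the matching warning line is seen; elements never followed
    by a warning are returned with replica-base-dn set to None.
    """
    findings, pending = [], []
    for line in log_text.splitlines():
        m = ELEMENT_RE.search(line)
        if m:
            pending.append({"replica-id": int(m.group("rid")),
                            "url": m.group("url"),
                            "replica-base-dn": None})
            continue
        m = WARNING_RE.search(line)
        if m:
            for item in pending:
                item["replica-base-dn"] = m.group("dn")
            findings.extend(pending)
            pending = []
    findings.extend(pending)
    return findings


def cleanallruv_parameters(finding):
    """Map one finding onto the attributes a cn=cleanallruv task entry needs.

    replica-force-cleaning is left at "no" so that outstanding updates from the
    removed supplier are still applied before its RUV data is purged.
    """
    if finding["replica-base-dn"] is None:
        raise ValueError("no suffix known for replica %d" % finding["replica-id"])
    return {"replica-base-dn": finding["replica-base-dn"],
            "replica-id": finding["replica-id"],
            "replica-force-cleaning": "no"}


if __name__ == "__main__":
    for finding in find_stale_ruv_elements(SAMPLE_LOG):
        print(finding, "->", cleanallruv_parameters(finding))
```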

3.1.16.13. cn=abort cleanallruv

The Section 3.1.16.12, “cn=cleanallruv” task can take several minutes to propagate among
all servers in the replication topology, even longer if the task processes all updates first. For
performance or other maintenance considerations, it is possible to terminate a clean RUV
task, and that termination is also propagated across all servers in the replication topology.

The termination task is an instance of the cn=abort cleanallruv entry.

When the task is complete, the task entry is removed from the directory.

The cn=abort cleanallruv entry is a container entry for all clean RUV operations. The
cn=abort cleanallruv entry itself has no attributes related to any individual task, but
each of the task entries beneath this entry, such as cn=task_ID,cn=abort cleanallruv,
cn=tasks,cn=config, uses its attributes to define the individual update task.

Each clean RUV abort task must specify the replica ID number of the replica whose RUV
entries are currently being removed, the base DN of the replicated database, and whether
the abort task should report completion only when it has completed on all servers in the
topology or as soon as it completes locally.

dn: cn=abort 55,cn=abort cleanallruv,cn=tasks,cn=config
objectclass: extensibleObject
replica-base-dn: dc=example,dc=com
replica-id: 55
replica-certify-all: yes
cn: abort 55

replica-base-dn
This gives the Directory Server base DN associated with the replicated database. This is the
base DN for the replicated suffix.

Parameter       Description
Entry DN        cn=task_name,cn=abort cleanallruv,cn=tasks,cn=config
Valid Values    Directory suffix DN
Default Value   None
Syntax          DirectoryString
Example         replica-base-dn: dc=example,dc=com

replica-id
This gives the replica ID (defined in the nsDS5ReplicaId attribute for the replica
configuration entry) of the replica in the process of being removed from the replication
topology.

Parameter       Description
Entry DN        cn=task_name,cn=abort cleanallruv,cn=tasks,cn=config
Valid Values    0 to 65534
Default Value   None
Syntax          Integer
Example         replica-id: 55

replica-certify-all
This sets whether the task should complete successfully on all servers in the replication
topology before completing the task locally (yes) or whether the task should show
complete as soon as it completes locally (no).

Parameter       Description
Entry DN        cn=task_name,cn=abort cleanallruv,cn=tasks,cn=config
Valid Values    no | yes
Default Value   None
Syntax          DirectoryString
Example         replica-certify-all: yes

3.1.16.14. cn=automember rebuild membership

The Auto Member Plug-in only runs when new entries are added to the directory. The
plug-in ignores existing entries or entries which are edited to match an automembership rule.

The cn=automember rebuild membership task runs the current automembership rules
against existing entries to update or rebuild group membership. All configured
automembership rules are run against the identified entries (though not all rules may apply
to a given entry).

basedn
This gives the Directory Server base DN to use to search for user entries. The entries in the
specified DN are then updated according to the automembership rules.

Parameter       Description
Entry DN        cn=task_name,cn=automember rebuild membership,cn=tasks,cn=config
Valid Values    Directory suffix DN
Default Value   None
Syntax          DirectoryString
Example         basedn: dc=example,dc=com

filter
This attribute gives an LDAP filter to use to identify which user entries to update according
to the configured automembership rules.

Parameter       Description
Entry DN        cn=task_name,cn=automember rebuild membership,cn=tasks,cn=config
Valid Values    Any LDAP filter
Default Value   None
Syntax          DirectoryString
Example         filter: (uid=*)

scope
This attribute gives an LDAP search scope to use when searching the given base DN.

Parameter       Description
Entry DN        cn=task_name,cn=automember rebuild membership,cn=tasks,cn=config
Valid Values    sub | base | one
Default Value   None
Syntax          DirectoryString
Example         scope: sub

3.1.16.15. cn=automember export updates


This task runs against existing entries in the directory and exports the results of which
users would have been added to which groups, based on the rules. This is useful for testing
existing rules against existing users to see how your real deployment is performing.

The automembership-related changes are not executed. The proposed changes are written
to a specified LDIF file.

basedn
This gives the Directory Server base DN to use to search for user entries. A test-run of the
automembership rules will be run against the identified entries.

Parameter       Description
Entry DN        cn=task_name,cn=automember export updates,cn=tasks,cn=config
Valid Values    Directory suffix DN
Default Value   None
Syntax          DirectoryString
Example         basedn: dc=example,dc=com

filter
This attribute gives an LDAP filter to use to identify which user entries to test-run the
automembership rules against.

Parameter       Description
Entry DN        cn=task_name,cn=automember export updates,cn=tasks,cn=config
Valid Values    Any LDAP filter
Default Value   None
Syntax          DirectoryString
Example         filter: (uid=*)

scope
This attribute gives an LDAP search scope to use when searching the given base DN.

Parameter       Description
Entry DN        cn=task_name,cn=automember export updates,cn=tasks,cn=config
Valid Values    sub | base | one
Default Value   None
Syntax          DirectoryString
Example         scope: sub

ldif
This attribute sets the full path and filename of an LDIF file to which to write the proposed
changes from the test-run of the automembership rules. This file must be local to the
system from which the task is initiated.

Parameter       Description
Entry DN        cn=task_name,cn=automember export updates,cn=tasks,cn=config
Valid Values    Local path and filename
Default Value   None
Syntax          DirectoryString
Example         ldif: /tmp/automember-results.ldif

3.1.16.16. cn=automember map updates

This task runs against entries within an LDIF file (new entries or, potentially, test entries)
and then writes the proposed changes to those user entries to an LDIF file. This can be
very useful for testing a new rule, before applying it to (real) new or existing user entries.

The automembership-related changes are not executed. The proposed changes are written
to a specified LDIF file.

ldif_in
This attribute sets the full path and filename of an LDIF file from which to import entries to
test with the configured automembership rules. These entries are not imported into the
directory and the changes are not performed. The entries are loaded and used by the test-
run only.

This file must be local to the system from which the task is initiated.


Parameter       Description
Entry DN        cn=task_name,cn=automember map updates,cn=tasks,cn=config
Valid Values    Local path and filename
Default Value   None
Syntax          DirectoryString
Example         ldif_in: /tmp/automember-test-users.ldif

ldif_out
This attribute sets the full path and filename of an LDIF file to which to write the proposed
changes from the test-run of the automembership rules. This file must be local to the
system from which the task is initiated.

Parameter       Description
Entry DN        cn=task_name,cn=automember map updates,cn=tasks,cn=config
Valid Values    Local path and filename
Default Value   None
Syntax          DirectoryString
Example         ldif_out: /tmp/automember-results.ldif

3.1.16.17. cn=des2aes

This task searches for all reversible password entries in the specified user database which
are encoded using the outdated DES cipher, and converts them to the more secure AES
cipher.

Previously, this task was performed automatically on all suffixes during
Directory Server startup. However, since the search for DES passwords was typically
unindexed, it could take a very long time on suffixes containing large numbers of entries,
which in turn caused Directory Server to time out and fail to start. For that reason, the
search is now performed only on cn=config; to convert passwords in any other database,
you must run this task manually.

suffix
This multivalued attribute specifies a suffix to check for DES passwords and convert them
to AES. If this attribute is omitted then all the back ends/suffixes are checked.


Parameter       Description
Entry DN        cn=task_name,cn=des2aes,cn=tasks,cn=config
Valid Values    Directory suffix DN
Default Value   None
Syntax          DirectoryString
Example         suffix: dc=example,dc=com
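The task entries described in Section 3.1.16.7 through Section 3.1.16.17 all follow the same pattern: an extensibleObject entry under the task container, carrying the attributes the tables above list. The following Python script is an added example, not code from the Red Hat documentation; it builds such entries as LDIF and checks them against the rules stated in those sections. The TASK_RULES table and the functions validate_task, ldif_line and task_ldif are constructed for this example and are not a server-side schema.

```python
"""Build and sanity-check task entries under cn=tasks,cn=config.

Added example, not from the Red Hat documentation. TASK_RULES is a constructed
summary of the attribute rules this section states for each task container;
the server publishes no such table, so treat it as an assumption and extend it
as needed. The output is LDIF that could be passed to ldapadd.
"""
import base64
import re

TASKS_BASE = "cn=tasks,cn=config"

# required: must be present; optional: may be present; any_of: at least one of
# these must be present; choices: enumerated valid values for an attribute.
TASK_RULES = {
    "schema reload task": {"optional": {"schemadir"}},
    "memberof task": {"required": {"basedn"}, "optional": {"filter"}},
    "fixup linked attributes": {"optional": {"linkdn"}},
    "syntax validate": {"required": {"basedn"}, "optional": {"filter"}},
    "USN tombstone cleanup task": {"any_of": ("backend", "suffix"),
                                   "optional": {"max_usn_to_delete"}},
    "cleanallruv": {"required": {"replica-base-dn", "replica-id"},
                    "optional": {"replica-force-cleaning"},
                    "choices": {"replica-force-cleaning": ("no", "yes")}},
    "abort cleanallruv": {"required": {"replica-base-dn", "replica-id"},
                          "optional": {"replica-certify-all"},
                          "choices": {"replica-certify-all": ("no", "yes")}},
    "automember rebuild membership": {"optional": {"basedn", "filter", "scope"},
                                      "choices": {"scope": ("sub", "base", "one")}},
    "automember export updates": {"optional": {"basedn", "filter", "scope", "ldif"},
                                  "choices": {"scope": ("sub", "base", "one")}},
    "automember map updates": {"optional": {"ldif_in", "ldif_out"}},
    "des2aes": {"optional": {"suffix"}},
}
INTEGER_ATTRS = ("replica-id", "max_usn_to_delete")


def validate_task(container, attrs):
    """Return a list of problems; an empty list means the entry follows the rules."""
    rules = TASK_RULES.get(container)
    if rules is None:
        return ["unknown task container: %s" % container]
    problems = []
    allowed = set(rules.get("required", ())) | set(rules.get("optional", ()))
    allowed |= set(rules.get("any_of", ()))
    for name in sorted(rules.get("required", ())):
        if name not in attrs:
            problems.append("missing required attribute %s" % name)
    any_of = rules.get("any_of")
    if any_of and not any(name in attrs for name in any_of):
        problems.append("at least one of %s must be set" % " or ".join(any_of))
    for name, choices in rules.get("choices", {}).items():
        if name in attrs and str(attrs[name]) not in choices:
            problems.append("%s must be one of %s" % (name, "|".join(choices)))
    for name in sorted(attrs):
        if name not in allowed:
            problems.append("attribute %s is not used by %s" % (name, container))
    for name in INTEGER_ATTRS:
        if name not in attrs:
            continue
        value = str(attrs[name])
        if not re.fullmatch(r"[0-9]+", value):
            problems.append("%s must be a non-negative integer" % name)
        elif name == "replica-id" and int(value) > 65534:
            problems.append("replica-id must be between 0 and 65534")
    return problems


def ldif_line(name, value):
    """Encode one attribute as an LDIF line; values LDIF cannot carry in the clear
    (leading space, ':' or '<', control characters, non-ASCII) are base64-encoded."""
    value = str(value)
    unsafe = (not value.isascii() or any(c in value for c in "\0\r\n")
              or value[:1] in (" ", ":", "<"))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return "%s:: %s" % (name, encoded)
    return "%s: %s" % (name, value)


def task_ldif(container, task_name, attrs):
    """Emit the LDIF for one task entry, raising ValueError if the rules are violated."""
    problems = validate_task(container, attrs)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [ldif_line("dn", "cn=%s,cn=%s,%s" % (task_name, container, TASKS_BASE)),
             "objectclass: extensibleObject",
             ldif_line("cn", task_name)]
    lines += [ldif_line(name, attrs[name]) for name in sorted(attrs)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(task_ldif("USN tombstone cleanup task", "example",
                    {"backend": "userroot", "max_usn_to_delete": 500}))
```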

3.1.17. cn=uniqueid generator


The unique ID generator configuration attributes are stored under cn=uniqueid
generator,cn=config. The cn=uniqueid generator entry is an instance of the
extensibleObject object class.

nsstate
This attribute saves the state of the unique ID generator across server restarts. This
attribute is maintained by the server. Do not edit it.

Parameter       Description
Entry DN        cn=uniqueid generator,cn=config
Valid Values
Default Value
Syntax          DirectoryString
Example         nsstate: AbId0c3oMIDUntiLCyYNGgAAAAAAAAAA

3.1.18. Root DSE Configuration Parameters

3.1.18.1. nsslapd-return-default-opattr

Directory Server does not display the operational attributes in Root DSE searches. For
example, if you are running the ldapsearch utility with the -s base -b "" parameters,
only the user attributes are displayed. For clients expecting operational attributes in Root
DSE search output, you can enable this behavior to provide backward compatibility:

1. Stop the Directory Server instance.

2. Edit the /etc/dirsrv/slapd-instance_name/dse.ldif file and add the following
   parameters to the dn: section:


nsslapd-return-default-opattr: supportedsaslmechanisms
nsslapd-return-default-opattr: nsBackendSuffix
nsslapd-return-default-opattr: subschemasubentry
nsslapd-return-default-opattr: supportedldapversion
nsslapd-return-default-opattr: supportedcontrol
nsslapd-return-default-opattr: ref
nsslapd-return-default-opattr: vendorname
nsslapd-return-default-opattr: vendorVersion
nsslapd-return-default-opattr: supportedextension
nsslapd-return-default-opattr: namingcontexts

3. Start the Directory Server instance.

Parameter       Description
Entry DN        Root DSE
Valid Values    supportedsaslmechanisms | nsBackendSuffix | subschemasubentry | supportedldapversion | supportedcontrol | ref | vendorname | vendorVersion
Default Value
Syntax          DirectoryString
Example         nsslapd-return-default-opattr: supportedsaslmechanisms
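Step 2 of the procedure above, applied to the text of dse.ldif, as an added example that is not part of the Red Hat documentation: the script locates the Root DSE entry (the entry whose dn line carries an empty DN), appends one nsslapd-return-default-opattr line per requested attribute that is not already present, and leaves every other entry untouched. The function names and the SAMPLE_DSE fragment are constructed for this example; run it only while the instance is stopped, as the procedure requires.

```python
"""Add nsslapd-return-default-opattr values to the Root DSE entry of a dse.ldif.

Added example, not from the Red Hat documentation. Idempotent: attributes that
are already configured are not duplicated, so re-running it is safe.
"""
ATTR = "nsslapd-return-default-opattr"

# Constructed fragment of a dse.ldif; a real file holds many more entries.
SAMPLE_DSE = """\
dn:
objectClass: top
nsslapd-return-default-opattr: vendorname

dn: cn=config
objectClass: top
cn: config
"""


def split_entries(text):
    """Split LDIF text into entries at blank lines, keeping each entry's lines."""
    entries, current = [], []
    for line in text.splitlines():
        if line.strip() == "":
            if current:
                entries.append(current)
                current = []
        else:
            current.append(line)
    if current:
        entries.append(current)
    return entries


def is_root_dse(entry):
    """True if the entry's dn line names the Root DSE, i.e. an empty DN."""
    for line in entry:
        if line.startswith("#"):
            continue
        return line.lower().rstrip() == "dn:"
    return False


def root_dse_opattrs(dse_text):
    """List the operational attributes the Root DSE entry is configured to return."""
    for entry in split_entries(dse_text):
        if is_root_dse(entry):
            return [line.split(":", 1)[1].strip()
                    for line in entry if line.lower().startswith(ATTR + ":")]
    return []


def add_root_dse_opattrs(dse_text, opattrs):
    """Return dse_text with the requested operational attributes added to the Root DSE."""
    entries = split_entries(dse_text)
    for entry in entries:
        if not is_root_dse(entry):
            continue
        present = {line.split(":", 1)[1].strip().lower()
                   for line in entry if line.lower().startswith(ATTR + ":")}
        for name in opattrs:
            if name.lower() not in present:
                entry.append("%s: %s" % (ATTR, name))
                present.add(name.lower())
        return "\n\n".join("\n".join(e) for e in entries) + "\n"
    raise ValueError("no Root DSE entry (dn:) found in dse.ldif")


if __name__ == "__main__":
    print(add_root_dse_opattrs(SAMPLE_DSE, ["vendorname", "namingcontexts"]))
```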

3.2. CONFIGURATION OBJECT CLASSES


Many configuration entries simply use the extensibleObject object class, but some
require other object classes. These configuration object classes are listed here.

3.2.1. changeLogEntry (Object Class)


This object class is used for entries which store changes made to the Directory Server
entries.

To configure Directory Server to maintain a changelog that is compatible with the
changelog implemented in Directory Server 4.1x, enable the Retro Changelog Plug-in. Each
entry in the changelog has the changeLogEntry object class.

This object class is defined in Changelog Internet Draft.

Superior Class
top

OID
2.16.840.1.113730.3.2.1


Required Attributes

objectClass     Defines the object classes for the entry.
changeNumber    Contains a number assigned arbitrarily to the changelog.
changeTime      The time at which a change took place.
changeType      The type of change performed on an entry.
targetDn        The distinguished name of an entry added, modified or deleted on a supplier server.

Allowed Attributes

changes         Changes made to the Directory Server.
deleteOldRdn    A flag that defines whether the old Relative Distinguished Name (RDN) of the entry should be kept as a distinguished attribute of the entry or should be deleted.
newRdn          New RDN of an entry that is the target of a modRDN or modDN operation.
newSuperior     Name of the entry that becomes the immediate superior of the existing entry when processing a modDN operation.

3.2.2. directoryServerFeature (Object Class)


This object class is used specifically for entries which identify a feature of the directory
service. This object class is defined by Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.40

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.


Allowed Attributes

Attribute Definition

cn Specifies the common name of the entry.

multiLineDescription Gives a text description of the entry.

oid Specifies the OID of the feature.

3.2.3. nsBackendInstance (Object Class)


This object class is used for the Directory Server back end, or database, instance entry.
This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.109

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn Gives the common name of the entry.

3.2.4. nsChangelog4Config (Object Class)


In order for Directory Server 10.3 to replicate between Directory Server 4.x servers, the
Directory Server 10.3 instance must have a special changelog configured. This object class
defines the configuration for the retro changelog.

This object class is defined for the Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.82

Allowed Attributes


Attribute Definition

cn (common Name) Gives the common name of the entry.

3.2.5. nsDS5Replica (Object Class)


This object class is for entries which define a replica in database replication. Many of these
attributes are set within the back end and cannot be modified.

Information on the attributes for this object class is listed with the core configuration
attributes in chapter 2 of the Directory Server Configuration, Command, and File Reference.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.108

Required Attributes

objectClass         Defines the object classes for the entry.
nsDS5ReplicaId      Specifies the unique ID for suppliers in a replication environment.
nsDS5ReplicaRoot    Specifies the suffix DN at the root of a replicated area.

Allowed Attributes

cn                                   Gives the name for the replica.
nsDS5Flags                           Specifies information that has been previously set in flags.
nsDS5ReplicaAutoReferral             Sets whether the server will follow configured referrals for the Directory Server database.
nsDS5ReplicaBindDN                   Specifies the DN to use when a supplier server binds to a consumer.
nsDS5ReplicaChangeCount              Gives the total number of entries in the changelog and whether they have been replicated.
nsDS5ReplicaLegacyConsumer           Specifies whether the replica is a legacy consumer.
nsDS5ReplicaName                     Specifies the unique ID for the replica for internal operations.
nsDS5ReplicaPurgeDelay               Specifies the time in seconds before the changelog is purged.
nsDS5ReplicaReferral                 Specifies the URLs for user-defined referrals.
nsDS5ReplicaReleaseTimeout           Specifies a timeout after which a master will release a replica, whether or not it has finished sending its updates.
nsDS5ReplicaTombstonePurgeInterval   Specifies the time interval in seconds between purge operation cycles.
nsDS5ReplicaType                     Defines the type of replica, such as a read-only consumer.
nsDS5Task                            Launches a replication task, such as dumping the database contents to LDIF; this is used internally by the Directory Server supplier.
nsState                              Stores information on the clock so that proper change sequence numbers are generated.

3.2.6. nsDS5ReplicationAgreement (Object Class)


Entries with the nsDS5ReplicationAgreement object class store the information set in a
replication agreement. Information on the attributes for this object class is in chapter 2 of
the Directory Server Configuration, Command, and File Reference.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.103

Required Attributes

objectClass Defines the object classes for the entry.

cn Used for naming the replication agreement.

Allowed Attributes


description Contains a free text description of the replication agreement.

nsDS5BeginReplicaRefresh Initializes a replica manually.

nsds5debugreplicatimeout Gives an alternate timeout period to use when the replication is run with debug logging.

nsDS5ReplicaBindDN Specifies the DN to use when a supplier server binds to a consumer.

nsDS5ReplicaBindMethod Specifies the method (SSL or simple authentication) to use for binding.

nsDS5ReplicaBusyWaitTime Specifies the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.

nsDS5ReplicaChangesSentSinceStartup The number of changes sent to this replica since the server started.

nsDS5ReplicaCredentials Specifies the password for the bind DN.

nsDS5ReplicaHost Specifies the host name for the consumer replica.

nsDS5ReplicaLastInitEnd States when the initialization of the consumer replica ended.

nsDS5ReplicaLastInitStart States when the initialization of the consumer replica started.

nsDS5ReplicaLastInitStatus The status for the initialization of the consumer.

nsDS5ReplicaLastUpdateEnd States when the most recent replication schedule update ended.

nsDS5ReplicaLastUpdateStart States when the most recent replication schedule update started.

nsDS5ReplicaLastUpdateStatus Provides the status for the most recent replication schedule updates.

nsDS5ReplicaPort Specifies the port number for the remote replica.


nsDS5ReplicaRoot Specifies the suffix DN at the root of a replicated area.

nsDS5ReplicaSessionPauseTime Specifies the amount of time in seconds a supplier should wait between update sessions.

nsDS5ReplicatedAttributeList Specifies any attributes that will not be replicated to a consumer server.

nsDS5ReplicaTimeout Specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing.

nsDS5ReplicaTransportInfo Specifies the type of transport used for transporting data to and from the replica.

nsDS5ReplicaUpdateInProgress States whether a replication schedule update is in progress.

nsDS5ReplicaUpdateSchedule Specifies the replication schedule.

nsDS50ruv Manages the internal state of the replica using the replication update vector.

nsruvReplicaLastModified Contains the most recent time that an entry in the replica was modified and the changelog was updated.

nsds5ReplicaStripAttrs With fractional replication, an update to an excluded attribute still triggers a replication event, but that event is empty. This attribute sets attributes to strip from the replication update. This prevents changes to attributes like internalModifyTimestamp from triggering an empty replication update.

3.2.7. nsDSWindowsReplicationAgreement (Object Class)


Stores the synchronization attributes that concern the synchronization agreement.
Information on the attributes for this object class is in chapter 2 of the Red Hat
Directory Server Configuration, Command, and File Reference.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.503


Required Attributes

objectClass Defines the object classes for the entry.

cn Gives the name of the synchronization agreement.

Allowed Attributes

description Contains a text description of the synchronization agreement.

nsDS5BeginReplicaRefresh Initiates a manual synchronization.

nsds5debugreplicatimeout Gives an alternate timeout period to use when the synchronization is run with debug logging.

nsDS5ReplicaBindDN Specifies the DN to use when the Directory Server binds to the Windows server.

nsDS5ReplicaBindMethod Specifies the method (SSL or simple authentication) to use for binding.

nsDS5ReplicaBusyWaitTime Specifies the amount of time in seconds the Directory Server should wait after the Windows server sends back a busy response before making another attempt to acquire access.

nsDS5ReplicaChangesSentSinceStartup Shows the number of changes sent since the Directory Server started.

nsDS5ReplicaCredentials Specifies the credentials for the bind DN.

nsDS5ReplicaHost Specifies the host name for the Windows domain controller of the Windows server being synchronized.

nsDS5ReplicaLastInitEnd States when the last total update (resynchronization) of the Windows server ended.

nsDS5ReplicaLastInitStart States when the last total update (resynchronization) of the Windows server started.

nsDS5ReplicaLastInitStatus The status for the total update (resynchronization) of the Windows server.

nsDS5ReplicaLastUpdateEnd States when the most recent update ended.


nsDS5ReplicaLastUpdateStart States when the most recent update started.

nsDS5ReplicaLastUpdateStatus Provides the status for the most recent updates.

nsDS5ReplicaPort Specifies the port number for the Windows server.

nsDS5ReplicaRoot Specifies the root suffix DN of the Directory Server.

nsDS5ReplicaSessionPauseTime Specifies the amount of time in seconds the Directory Server should wait between update sessions.

nsDS5ReplicaTimeout Specifies the number of seconds outbound LDAP operations will wait for a response from the Windows server before timing out and failing.

nsDS5ReplicaTransportInfo Specifies the type of transport used for transporting data to and from the Windows server.

nsDS5ReplicaUpdateInProgress States whether an update is in progress.

nsDS5ReplicaUpdateSchedule Specifies the synchronization schedule.

nsDS50ruv Manages the internal state of the Directory Server sync peer using the replication update vector (RUV).

nsds7DirectoryReplicaSubtree Specifies the Directory Server suffix (root or sub) that is synced.

nsds7DirsyncCookie Contains a cookie set by the sync service that functions as an RUV.

nsds7NewWinGroupSyncEnabled Specifies whether new Windows group accounts are automatically created on the Directory Server.

nsds7NewWinUserSyncEnabled Specifies whether new Windows user accounts are automatically created on the Directory Server.

nsds7WindowsDomain Identifies the Windows domain being synchronized; analogous to nsDS5ReplicaHost in a replication agreement.


nsds7WindowsReplicaSubtree Specifies the Windows server suffix (root or sub) that is synced.

nsruvReplicaLastModified Contains the most recent time that an entry in the Directory Server sync peer was modified and the changelog was updated.

winSyncInterval Sets how frequently, in seconds, the Directory Server polls the Windows server for updates to write over. If this is not set, the default is 300, which is 300 seconds or five (5) minutes.

winSyncMoveAction Sets how the sync plug-in handles corresponding entries that are discovered in Active Directory outside of the synced subtree. The sync process can ignore these entries (none, the default) or it can assume that the entries were moved intentionally to remove them from synchronization, and it can then either delete the corresponding Directory Server entry (delete) or remove the synchronization attributes and no longer sync the entry (unsync).

3.2.8. nsEncryptionConfig
The nsEncryptionConfig object class stores the configuration information for allowed
encryption options, such as protocols and cipher suites. This is defined in the
Administrative Services.

Superior Class
top

OID
nsEncryptionConfig-oid

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn (commonName) Gives the common name of the device.

Allowed Attributes


Attribute Definition

nsSSL2 Sets whether SSL version 2 is enabled for the server.

nsSSL2Ciphers Contains a list of all ciphers available to be used with SSLv2.

nsSSL3 Sets whether SSL version 3 is enabled for the server.

nsSSL3Ciphers Contains a list of all ciphers available to be used with SSLv3.

nsSSL3SessionTimeout Sets the timeout period for an SSLv3 cipher session.

nsSSLClientAuth Sets how the server handles client authentication. There are three possible values: allow, disallow, or require.

nsSSLSessionTimeout Sets the timeout period for a cipher session.

nsSSLSupportedCiphers Contains a list of all ciphers available to be used with secure connections to the server.

nsTLS1 Sets whether TLS version 1 is enabled for the server.

3.2.9. nsEncryptionModule
The nsEncryptionModule object class stores the encryption module information. This is
defined in the Administrative Services.

Superior Class
top

OID
nsEncryptionModule-oid

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn (commonName) Gives the common name of the device.


Allowed Attributes

Attribute Definition

nsSSLActivation Sets whether to enable a cipher family.

nsSSLPersonalitySSL Contains the name of the certificate used by the server for SSL.

nsSSLToken Identifies the security token used by the server.

3.2.10. nsMappingTree (Object Class)


A mapping tree maps a suffix to the back end. Each mapping tree entry uses the
nsMappingTree object class. This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.110

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn Gives the common name of the entry.

3.2.11. nsSaslMapping (Object Class)


This object class is used for entries which contain an identity mapping configuration for
mapping SASL attributes to the Directory Server attributes.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.317

Required Attributes

objectClass Defines the object classes for the entry.


cn Gives the name of the SASL mapping entry.

nsSaslMapBaseDNTemplate Contains the search base DN template.

nsSaslMapFilterTemplate Contains the search filter template.

nsSaslMapRegexString Contains a regular expression to match SASL identity strings.

3.2.12. nsslapdConfig (Object Class)


The nsslapdConfig object class defines the configuration object, cn=config, for the
Directory Server instance.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.39

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

cn Gives the common name of the entry.

3.2.13. passwordPolicy (Object Class)


Both local and global password policies take the passwordPolicy object class. This object
class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.13

Required Attributes


Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

passwordMaxAge (Password Maximum Age) Sets the number of seconds after which user passwords expire.

passwordExp (Password Expiration) Identifies whether the user's password expires after an interval given by the passwordMaxAge attribute.

passwordMinLength (Password Minimum Length) Sets the minimum number of characters that must be used in passwords.

passwordInHistory (Number of Passwords to Remember) Sets the number of passwords the directory stores in the history.

passwordChange (Password Change) Identifies whether or not users are allowed to change their own password.

passwordWarning (Send Warning) Sets the number of seconds before a warning message is sent to users whose password is about to expire.

passwordLockout (Account Lockout) Identifies whether or not users are locked out of the directory after a given number of failed bind attempts.

passwordMaxFailure (Maximum Password Failures) Sets the number of failed bind attempts after which a user will be locked out of the directory.

passwordUnlock (Unlock Account) Identifies whether a user is locked out until the password is reset by an administrator or whether the user can log in again after a given lockout duration. The default is to allow a user to log back in after the lockout period.

passwordLockoutDuration (Lockout Duration) Sets the time, in seconds, that users will be locked out of the directory.

passwordCheckSyntax (Check Password Syntax) Identifies whether the password syntax is checked by the server before the password is saved.

passwordMustChange (Password Must Change) Identifies whether or not users must change their passwords when they first log in to the directory or after the password is reset by the Directory Manager.

passwordStorageScheme (Password Storage Scheme) Sets the type of encryption used to store Directory Server passwords.

passwordMinAge (Password Minimum Age) Sets the number of seconds that must pass before a user can change their password.

passwordResetFailureCount (Reset Password Failure Count After) Sets the time, in seconds, after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented.

passwordGraceLimit (Password Expiration) Sets the number of grace logins permitted when a user's password is expired.

passwordMinDigits (Password Syntax) Sets the minimum number of numeric characters (0 through 9) which must be used in the password.

passwordMinAlphas (Password Syntax) Sets the minimum number of alphabetic characters that must be used in the password.

passwordMinUppers (Password Syntax) Sets the minimum number of upper case alphabetic characters, A to Z, which must be used in the password.

passwordMinLowers (Password Syntax) Sets the minimum number of lower case alphabetic characters, a to z, which must be used in the password.

passwordMinSpecials (Password Syntax) Sets the minimum number of special ASCII characters, such as !@#$., which must be used in the password.

passwordMin8Bit (Password Syntax) Sets the minimum number of 8-bit characters used in the password.

passwordMaxRepeats (Password Syntax) Sets the maximum number of times that the same character can be used in a row.

passwordMinCategories (Password Syntax) Sets the minimum number of categories which must be used in the password.

passwordMinTokenLength (Password Syntax) Sets the length to check for trivial words.
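
As an added example that is not part of this reference, the following Python evaluates a candidate password against the syntax attributes of a constructed passwordPolicy entry and reports which attributes it violates; the sample policy and user values, the function names, and the readings of passwordMaxRepeats and passwordMinTokenLength given in the comments are assumptions of this example, not a description of the server's own implementation.

```python
import re
import string

# Constructed sample passwordPolicy entry (attribute names from the
# passwordPolicy object class above; the values are made up for this example).
SAMPLE_POLICY = {
    "passwordCheckSyntax": "on",
    "passwordMinLength": "12",
    "passwordMinDigits": "1",
    "passwordMinAlphas": "4",
    "passwordMinUppers": "1",
    "passwordMinLowers": "1",
    "passwordMinSpecials": "1",
    "passwordMin8Bit": "0",
    "passwordMaxRepeats": "2",
    "passwordMinCategories": "3",
    "passwordMinTokenLength": "3",
}

# Constructed sample user; the trivial-word check draws its tokens from these.
SAMPLE_USER = {"uid": "alice", "cn": "Alice Smith", "mail": "[email protected]"}

SPECIALS = set(string.punctuation)  # the "special ASCII characters" category


def _longest_run(pw):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    for i, ch in enumerate(pw):
        run = run + 1 if i and pw[i - 1] == ch else 1
        best = max(best, run)
    return best


def _trivial_tokens(user, min_len):
    """Lowercased alphanumeric tokens from the user's attribute values that are
    at least min_len long (this example's reading of passwordMinTokenLength)."""
    tokens = set()
    for value in user.values():
        for tok in re.split(r"[^A-Za-z0-9]+", value):
            if tok and len(tok) >= min_len:
                tokens.add(tok.lower())
    return tokens


def check_password_syntax(pw, policy, user):
    """Return the names of the policy attributes the password violates.

    Modeled on the attribute descriptions above, not on the server's code:
    every check is skipped when passwordCheckSyntax is off; the categories
    counted for passwordMinCategories are digits, upper case, lower case,
    specials and 8-bit characters; a run longer than passwordMaxRepeats is a
    violation; a password containing any trivial token (case-insensitive)
    violates passwordMinTokenLength.
    """
    if policy.get("passwordCheckSyntax", "off").lower() != "on":
        return []
    n = lambda name: int(policy.get(name, "0"))
    digits = sum("0" <= c <= "9" for c in pw)
    uppers = sum("A" <= c <= "Z" for c in pw)
    lowers = sum("a" <= c <= "z" for c in pw)
    specials = sum(c in SPECIALS for c in pw)
    eight_bit = sum(ord(c) > 127 for c in pw)
    categories = sum(1 for k in (digits, uppers, lowers, specials, eight_bit) if k)
    tokens = _trivial_tokens(user, n("passwordMinTokenLength"))

    checks = [
        ("passwordMinLength", len(pw) < n("passwordMinLength")),
        ("passwordMinDigits", digits < n("passwordMinDigits")),
        ("passwordMinAlphas", uppers + lowers < n("passwordMinAlphas")),
        ("passwordMinUppers", uppers < n("passwordMinUppers")),
        ("passwordMinLowers", lowers < n("passwordMinLowers")),
        ("passwordMinSpecials", specials < n("passwordMinSpecials")),
        ("passwordMin8Bit", eight_bit < n("passwordMin8Bit")),
        ("passwordMaxRepeats",
         n("passwordMaxRepeats") > 0
         and _longest_run(pw) > n("passwordMaxRepeats")),
        ("passwordMinCategories", categories < n("passwordMinCategories")),
        ("passwordMinTokenLength", any(tok in pw.lower() for tok in tokens)),
    ]
    return [name for name, failed in checks if failed]


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3x!", "alice1234", "Xy9!Xy9!aaaa"):
        print(candidate, "->", check_password_syntax(candidate, SAMPLE_POLICY, SAMPLE_USER))
```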

3.3. ROOT DSE ATTRIBUTES


The attributes in this section are used to define the root directory server entry (DSE) for
the server instance. The information defined in the DSE relates to the actual configuration
of the server instance, such as the controls, mechanisms, or features supported in that
version of the server software. It also contains information specific to the instance, like its
build number and installation date.

The DSE is a special entry, outside the normal DIT, and can be returned by searching with a
null search base. For example:

# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x -s base -b "" "objectclass=*"

3.3.1. dataversion
This attribute contains a timestamp which shows the most recent edit time for any data in
the directory.

dataversion: 020090923175302020090923175302

OID

Syntax GeneralizedTime

Multi- or Single-Valued Single-valued

Defined in Directory Server

3.3.2. defaultNamingContext
Corresponds to the naming context, out of all configured naming contexts, which clients
should use by default.

OID

Syntax DN

Multi- or Single-Valued Single-valued

Defined in Directory Server


3.3.3. lastusn
The USN Plug-in assigns a sequence number to every entry whenever a write operation —
add, modify, delete, and modrdn — is performed for that entry. The USN is assigned in the
entryUSN operational attribute for the entry.

The USN Plug-in has two modes: local and global.

In local mode, each database maintained for a server instance has its own instance of the
USN Plug-in with a separate USN counter per back end database. The most recent USN
assigned for any entry in the database is displayed in the lastusn attribute. When the USN
Plug-in is set to local mode, the lastUSN attribute shows both the database which assigned
the USN and the USN:

lastusn;database_name:USN

For example:

lastusn;example1: 213
lastusn;example2: 207

In global mode, when the database uses a shared USN counter, the lastUSN value shows
the latest USN assigned by any database:

lastusn: 420

NOTE

This attribute does not count internal server operations. Only normal write
operations in the back end database — add, modify, delete, and modrdn —
increment the USN count.

Syntax Integer

Multi- or Single-Valued Multi-valued

Defined in Directory Server
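
As an added example that is not part of this reference, the following Python parses the LDIF that the null-base search in Section 3.3 returns and reads off the lastusn form (local or global, as described above) together with a few security-relevant root DSE values; the sample LDIF is constructed here, and the StartTLS extended operation OID is a known RFC 4511 value that is not listed on this page.

```python
import base64

# Constructed sample of a root DSE as returned by the null-base search above;
# the values are illustrative, not captured from a real server.
SAMPLE_ROOT_DSE = """\
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: dc=example,dc=net
defaultNamingContext: dc=example,dc=com
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedExtension: 1.3.6.1.4.1.1466.20037
lastusn;example1: 213
lastusn;example2: 207
vendorName: Example Vendor
vendorVersion: example-version-string
"""

# StartTLS extended operation OID (RFC 4511); a known value, not from this page.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Attribute types are lowercased (LDAP attribute names are case-insensitive);
    attribute options such as ';example1' are kept in the key so that the
    per-database lastusn values stay distinguishable. Continuation lines
    (leading space) are folded back and '::' base64 values are decoded.
    """
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def last_usn(entry):
    """Return ('local', {database: usn}) or ('global', {'': usn}), following
    the two lastusn forms shown for the USN Plug-in, or None if absent."""
    counters = {}
    for key, values in entry.items():
        attr, _, option = key.partition(";")
        if attr == "lastusn":
            for v in values:
                counters[option] = int(v)
    if not counters:
        return None
    mode = "global" if list(counters) == [""] else "local"
    return mode, counters


def audit_root_dse(entry):
    """Security-relevant facts a defender reads off the root DSE: LDAPv2
    support, SASL mechanisms that carry no or cleartext credentials, and
    whether StartTLS is offered."""
    findings = []
    if "2" in entry.get("supportedldapversion", []):
        findings.append("LDAPv2 advertised")
    mechs = {m.upper() for m in entry.get("supportedsaslmechanisms", [])}
    for mech in ("ANONYMOUS", "PLAIN"):
        if mech in mechs:
            findings.append("SASL %s advertised" % mech)
    if STARTTLS_OID not in entry.get("supportedextension", []):
        findings.append("StartTLS extended operation not advertised")
    return findings


if __name__ == "__main__":
    dse = parse_ldif_entry(SAMPLE_ROOT_DSE)
    print("naming contexts:", dse["namingcontexts"])
    print("lastusn:", last_usn(dse))
    for finding in audit_root_dse(dse):
        print("finding:", finding)
```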

3.3.4. namingContexts
Corresponds to a naming context the server is mastering or shadowing. When the
Directory Server does not master any information (such as when it is an LDAP gateway to a
public X.500 directory), this attribute is absent. When the Directory Server believes it
contains the entire directory, the attribute has a single value, and that value is the empty
string (indicating the null DN of the root). This attribute permits a client contacting a server
to choose suitable base objects for searching.

OID 1.3.6.1.4.1.1466.101.120.5

Syntax DN


Multi- or Single-Valued Multi-valued

Defined in RFC 2252

3.3.5. netscapemdsuffix
This attribute contains the DN for the top suffix of the directory tree for machine data
maintained in the server. The DN itself points to an LDAP URL. For example:

cn=ldap://dc=server_name,dc=example,dc=com:389

OID 2.16.840.1.113730.3.1.212

Syntax DN

Multi- or Single-Valued Single-valued

Defined in Directory Server

3.3.6. supportedControl
The values of this attribute are the object identifiers (OIDs) that identify the controls
supported by the server. When the server does not support controls, this attribute is
absent.

OID 1.3.6.1.4.1.1466.101.120.13

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2252

3.3.7. supportedExtension
The values of this attribute are the object identifiers (OIDs) that identify the extended
operations supported by the server. When the server does not support extended
operations, this attribute is absent.

OID 1.3.6.1.4.1.1466.101.120.7

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2252


3.3.8. supportedFeatures
This attribute contains features supported by the current version of Red Hat
Directory Server.

OID 1.3.6.1.4.1.4203.1.3.5

Syntax OID

Multi- or Single-Valued Multi-valued

Defined in RFC 3674

3.3.9. supportedLDAPVersion
This attribute identifies the versions of the LDAP protocol implemented by the server.

OID 1.3.6.1.4.1.1466.101.120.15

Syntax Integer

Multi- or Single-Valued Multi-valued

Defined in RFC 2252

3.3.10. supportedSASLMechanisms
This attribute identifies the names of the SASL mechanisms supported by the server. When
the server does not support SASL attributes, this attribute is absent.

OID 1.3.6.1.4.1.1466.101.120.14

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2252

3.3.11. vendorName
This attribute contains the name of the server vendor.

OID 1.3.6.1.1.4

Syntax DirectoryString


Multi- or Single-Valued Single-valued

Defined in RFC 3045

3.3.12. vendorVersion
This attribute shows the vendor's version number for the server.

OID 1.3.6.1.1.5

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 3045

3.4. LEGACY ATTRIBUTES


These attributes were standard with Directory Server 4.x and older. They are still included in
the schema for compatibility, but are not used by current versions of the Directory Server.

3.4.1. Legacy Server Attributes


These attributes were originally used to configure the server instance entries for
Directory Server 4.x and older servers.

3.4.1.1. LDAPServer (Object Class)

This object class identifies the LDAP server information. It is defined by Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.35

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn Specifies the common name of the entry.

Allowed Attributes


Attribute Definition

description Gives a text description of the entry.

l (localityName) Gives the city or geographical location of the entry.

ou (organizationalUnitName) Gives the organizational unit or division to which the account belongs.

seeAlso Contains a URL to another entry or site with related information.

generation Stores the server generation string.

changeLogMaximumAge Specifies the changelog maximum age.

changeLogMaximumSize Specifies the maximum changelog size.

3.4.1.2. changeLogMaximumAge

This sets the maximum age for the changelog maintained by the server.

OID 2.16.840.1.113730.3.1.200

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

3.4.1.3. changeLogMaximumConcurrentWrites

This attribute sets the maximum number of concurrent writes that can be written to the
changelog.

OID 2.16.840.1.113730.3.1.205

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

3.4.1.4. changeLogMaximumSize

This attribute sets the maximum size for the changelog.


OID 2.16.840.1.113730.3.1.201

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

3.4.1.5. generation

This attribute contains a byte vector that uniquely identifies that specific server and
version. This number distinguishes between servers during replication.

OID 2.16.840.1.113730.3.1.612

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Directory Server

3.4.1.6. nsSynchUniqueAttribute

This attribute is used for Windows synchronization.

OID 2.16.840.1.113730.3.1.407

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

3.4.1.7. nsSynchUserIDFormat

This attribute is used for Windows synchronization.

OID 2.16.840.1.113730.3.1.406

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

CHAPTER 4. PLUG-IN IMPLEMENTED SERVER FUNCTIONALITY REFERENCE
This chapter contains reference information on Red Hat Directory Server plug-ins.

The configuration for each part of Directory Server plug-in functionality has its own
separate entry and set of attributes under the subtree cn=plugins,cn=config.

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: libsyntax-plugin
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

Some of these attributes are common to all plug-ins while others may be particular to a
specific plug-in. Check which attributes are currently being used by a given plug-in by
performing an ldapsearch on the cn=config subtree.

All plug-ins are instances of the nsSlapdPlugin object class, which in turn inherits from the
extensibleObject object class. For plug-in configuration attributes to be taken into
account by the server, both of these object classes (in addition to the top object class)
must be present in the entry, as shown in the following example:

dn:cn=ACL Plugin,cn=plugins,cn=config
objectclass:top
objectclass:nsSlapdPlugin
objectclass:extensibleObject

4.1. SERVER PLUG-IN FUNCTIONALITY REFERENCE


The following tables provide a quick overview of the plug-ins provided with
Directory Server, along with their configurable options, configurable arguments, default
setting, dependencies, general performance-related information, and further reading. These
tables assist in weighing plug-in performance gains and costs and in choosing the optimal
settings for the deployment. The Further Information section cross-references further
reading, where this is available.

4.1.1. 7-bit Check Plug-in

Plug-in Parameter Description

Plug-in ID NS7bitAtt

DN of Configuration Entry cn=7-bit check,cn=plugins,cn=config

Description Checks certain attributes are 7-bit clean

Type preoperation

Configurable Options on | off

Default Setting on

Configurable Arguments List of attributes (uid mail userpassword) followed by "," and then suffixes on which the check is to occur.

Dependencies Database

Performance-Related Information None

Further Information If the Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off.

4.1.2. ACL Plug-in

Plug-in Parameter Description

Plug-in ID acl

DN of Configuration Entry cn=ACL Plugin,cn=plugins,cn=config

Description ACL access check plug-in

Type accesscontrol

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies Database

Performance-Related Information Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.

Further Information See the "Managing Access Control" chapter in the Red Hat Directory Server Administration Guide.

4.1.3. ACL Preoperation Plug-in

Plug-in Parameter Description

Plug-in ID acl

DN of Configuration Entry cn=ACL preoperation,cn=plugins,cn=config

Description ACL access check plug-in

Type preoperation

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies Database

Performance-Related Information Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.

Further Information See the "Managing Access Control" chapter in the Red Hat Directory Server Administration Guide.

4.1.4. Account Policy Plug-in

Plug-in Parameter Description

Plug-in ID none

DN of Configuration Entry cn=Account Policy Plugin,cn=plugins,cn=config

Description Defines a policy to lock user accounts after a certain expiration period or inactivity period.

Type object

Configurable Options on | off

Default Setting off

Configurable Arguments A pointer to a configuration entry which contains the global account policy settings.

Dependencies Database

Performance-Related Information None

Further Information This plug-in configuration points to a configuration entry which is used for server-wide settings on account inactivity and expiration data. Individual (subtree-level or user-level) account policies can be defined as directory entries, as instances of the acctPolicySubentry object class. These configuration entries can then be applied to users or roles through classes of service.

4.1.5. Account Usability Plug-in

Plug-in Parameter Description

Plug-in ID acctusability

DN of Configuration Entry cn=Account Usability Plugin,cn=plugins,cn=config

Description Checks the authentication status, or usability, of an account without actually authenticating as the given user

Type preoperation

Configurable Options on | off

Default Setting on

Dependencies Database

Performance-Related Information None


4.1.6. AD DN Plug-in

Plug-in Parameter Description

Plug-in ID addn

DN of Configuration Entry cn=addn,cn=plugins,cn=config

Description Enables the usage of Active Directory-formatted user names, such as user_name and user_name@domain, for bind operations.

Type preoperation

Configurable Options on | off

Default Setting off

Configurable Arguments addn_default_domain: Sets the default domain that is automatically appended to user names without domain.

Dependencies None

Performance-Related Information None

4.1.7. Attribute Uniqueness Plug-in

Plug-in Parameter Description

Plug-in ID NSUniqueAttr

DN of Configuration Entry cn=Attribute Uniqueness,cn=plugins,cn=config

Description Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique.

Type preoperation

Configurable Options on | off

Default Setting off

Configurable Arguments To check for UID attribute uniqueness in all listed subtrees, enter uid "DN" "DN".... However, to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, enter attribute="uid" MarkerObjectclass = "ObjectClassName" and, optionally, requiredObjectClass = "ObjectClassName". This starts checking for the required object classes from the parent entry containing the ObjectClass as defined by the MarkerObjectClass attribute.

Dependencies Database

Performance-Related Information Directory Server provides the UID Uniqueness Plug-in by default. To ensure unique values for other attributes, create instances of the Attribute Uniqueness Plug-in for those attributes. See the "Using the Attribute Uniqueness Plug-in" section in the Red Hat Directory Server Administration Guide for more information about the Attribute Uniqueness Plug-in.

The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-master replication environment. Turning the plug-in on may slow down Directory Server performance.

Further Information See the "Using the Attribute Uniqueness Plug-in" section in the Red Hat Directory Server Administration Guide.

4.1.8. Auto Membership Plug-in

Plug-in Parameter Description

Plug-in ID Auto Membership

DN of Configuration Entry cn=Auto Membership,cn=plugins,cn=config

Description Container entry for automember definitions. Automember definitions search new entries and, if they match defined LDAP search filters and regular expression conditions, add the entry to a specified group automatically.

Type preoperation

Configurable Options on | off

Default Setting off

Configurable Arguments None for the main plug-in entry. The definition
entry must specify an LDAP scope, LDAP filter,
default group, and member attribute format.
The optional regular expression child entry can
specify inclusive and exclusive expressions
and a different target group.

Dependencies Database

Performance-Related Information None.

Further Information See the "Automatically Adding Entries to Specified Groups" section in the Red Hat Directory Server Administration Guide.

4.1.9. Binary Syntax Plug-in

WARNING

Binary syntax is deprecated. Use Octet String syntax instead.

Plug-in ID: bin-syntax

DN of Configuration Entry: cn=Binary Syntax,cn=plugins,cn=config

Description: Syntax for handling binary data.

Type: syntax

Configurable Options: on | off

Default Setting: on

255
Configuration, Command, and File Reference

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

4.1.10. Bit String Syntax Plug-in

Plug-in ID: bitstring-syntax

DN of Configuration Entry: cn=Bit String Syntax,cn=plugins,cn=config

Description: Supports bit string syntax values and related matching rules from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.11. Bitwise Plug-in

Plug-in ID: bitwise

DN of Configuration Entry: cn=Bitwise Plugin,cn=plugins,cn=config

Description: Matching rule for performing bitwise operations against the LDAP server

Type: matchingrule

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: See the "Finding Directory Entries" chapter in the Administration Guide for performing searches using bitwise filters.

4.1.12. Boolean Syntax Plug-in

Plug-in ID: boolean-syntax

DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config

Description: Supports boolean syntax values (TRUE or FALSE) and related matching rules from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.13. Case Exact String Syntax Plug-in

Plug-in ID: ces-syntax

DN of Configuration Entry: cn=Case Exact String Syntax,cn=plugins,cn=config

Description: Supports case-sensitive matching for Directory String, IA5 String, and related syntaxes. This is not a case-exact syntax; this plug-in provides case-sensitive matching rules for different string syntaxes.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

4.1.14. Case Ignore String Syntax Plug-in

Plug-in ID: directorystring-syntax

DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config

Description: Supports case-insensitive matching rules for Directory String, IA5 String, and related syntaxes. This is not a case-insensitive syntax; this plug-in provides case-insensitive matching rules for different string syntaxes.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

4.1.15. Chaining Database Plug-in

Plug-in ID: chaining database

DN of Configuration Entry: cn=Chaining database,cn=plugins,cn=config

Description: Enables back end databases to be linked

Type: database

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: There are many performance-related tuning parameters involved with the chaining database. See the "Maintaining Database Links" section in the Red Hat Directory Server Administration Guide.

Further Information: A chaining database is also known as a database link. Database links are described in the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide.

4.1.16. Class of Service Plug-in

Plug-in ID: cos

DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config

Description: Allows for sharing of attributes between entries

Type: object

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies:
  Type: Database
  Named: State Change Plug-in
  Named: Views Plug-in

Performance-Related Information: Do not modify the configuration of this plug-in. Leave this plug-in running at all times.

Further Information: See the "Managing Dynamic Attributes" chapter in the Red Hat Directory Server Administration Guide.

4.1.17. Content Synchronization Plug-in

Plug-in ID: content-sync-plugin

DN of Configuration Entry: cn=Content Synchronization,cn=plugins,cn=config

Description: Enables support for the SyncRepl protocol in Directory Server according to RFC 4533.

Type: object

Configurable Options: on | off

Default Setting: off

Configurable Arguments: None

Dependencies: Retro Changelog Plug-in

Performance-Related Information: If you know which back end or subtree clients access to synchronize data, limit the scope of the Retro Changelog plug-in accordingly.

Further Information: See the corresponding sections in the Red Hat Directory Server Administration Guide.

4.1.18. Country String Syntax Plug-in

Plug-in ID: countrystring-syntax

DN of Configuration Entry: cn=Country String Syntax,cn=plugins,cn=config

Description: Supports country naming syntax values and related matching rules from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.19. Delivery Method Syntax Plug-in

Plug-in ID: delivery-syntax

DN of Configuration Entry: cn=Delivery Method Syntax,cn=plugins,cn=config

Description: Supports values that are lists of preferred delivery methods and related matching rules from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.20. deref Plug-in

Plug-in ID: Dereference

DN of Configuration Entry: cn=deref,cn=plugins,cn=config

Description: For dereference controls in directory searches

Type: preoperation

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: Database

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: See the "Finding Directory Entries" chapter in the Administration Guide for performing searches using dereference controls.

4.1.21. Distinguished Name Syntax Plug-in

Plug-in ID: dn-syntax

DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config

Description: Supports DN value syntaxes and related matching rules from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.22. Distributed Numeric Assignment Plug-in

Plug-in ID: Distributed Numeric Assignment

Configuration Entry DN: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

Description: Distributed Numeric Assignment plugin

Type: preoperation

Configurable Options: on | off

Default Setting: off

Dependencies: Database

Performance-Related Information: None

4.1.23. Enhanced Guide Syntax Plug-in

Plug-in ID: enhancedguide-syntax

DN of Configuration Entry: cn=Enhanced Guide Syntax,cn=plugins,cn=config

Description: Supports syntaxes and related matching rules for creating complex criteria, based on attributes and filters, to build searches; from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.24. Facsimile Telephone Number Syntax Plug-in

Plug-in ID: facsimile-syntax

DN of Configuration Entry: cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config

Description: Supports syntaxes and related matching rules for fax numbers; from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.25. Fax Syntax Plug-in

Plug-in ID: fax-syntax

DN of Configuration Entry: cn=Fax Syntax,cn=plugins,cn=config

Description: Supports syntaxes and related matching rules for storing images of faxed objects; from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.26. Generalized Time Syntax Plug-in

Plug-in ID: time-syntax

DN of Configuration Entry: cn=Generalized Time Syntax,cn=plugins,cn=config

Description: Supports syntaxes and related matching rules for dealing with dates, times and time zones; from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: The Generalized Time String consists of a four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second, and a time zone indication. Red Hat strongly recommends using the Z time zone indication, which indicates Greenwich Mean Time. See also RFC 4517.

4.1.27. Guide Syntax Plug-in

WARNING

This syntax is deprecated. Use Enhanced Guide syntax instead.

Plug-in ID: guide-syntax

DN of Configuration Entry: cn=Guide Syntax,cn=plugins,cn=config

Description: Syntax for creating complex criteria, based on attributes and filters, to build searches

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: This syntax is obsolete. The Enhanced Guide Syntax should be used instead.

4.1.28. HTTP Client Plug-in

Plug-in ID: http-client

DN of Configuration Entry: cn=HTTP Client,cn=plugins,cn=config

Description: HTTP client plug-in

Type: preoperation

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: Database

4.1.29. Integer Syntax Plug-in

Plug-in ID: int-syntax

DN of Configuration Entry: cn=Integer Syntax,cn=plugins,cn=config

Description: Supports integer syntaxes and related matching rules from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.30. Internationalization Plug-in

Plug-in ID: orderingrule

DN of Configuration Entry: cn=Internationalization Plugin,cn=plugins,cn=config

Description: Enables internationalized strings to be ordered in the directory

Type: matchingrule

Configurable Options: on | off

Default Setting: on

Configurable Arguments: The Internationalization Plug-in has one argument, which must not be modified, which specifies the location of the /etc/dirsrv/config/slapd-collations.conf file. This file stores the collation orders and locales used by the Internationalization Plug-in.

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: See the "Internationalization" appendix and the section on "Searching an Internationalized Directory" in the "Finding Directory Entries" chapter in the Red Hat Directory Server Administration Guide.

4.1.31. JPEG Syntax Plug-in

Plug-in ID: jpeg-syntax

DN of Configuration Entry: cn=JPEG Syntax,cn=plugins,cn=config

Description: Supports syntaxes and related matching rules for JPEG image data; from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.32. ldbm database Plug-in

Plug-in ID: ldbm-backend

DN of Configuration Entry: cn=ldbm database,cn=plugins,cn=config

Description: Implements local databases

Type: database

Default Setting: on

Configurable Arguments: None

Dependencies:
  Syntax
  matchingRule

Performance-Related Information: See Section 4.4, “Database Plug-in Attributes” for further information on database configuration.

Further Information: See the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide.

4.1.33. Linked Attributes Plug-in

Plug-in ID: Linked Attributes

DN of Configuration Entry: cn=Linked Attributes,cn=plugins,cn=config

Description: Container entry for linked-managed attribute configuration entries. Each configuration entry under the container links one attribute to another, so that when one entry is updated (such as a manager entry), any entry associated with that entry (such as a custom directReports attribute) is automatically updated with a user-specified corresponding attribute.

Type: preoperation

Configurable Options: on | off

Default Setting: off

Configurable Arguments: None for the main plug-in entry. Each plug-in instance has three possible attributes:
  linkType, which sets the primary attribute for the plug-in to monitor
  managedType, which sets the attribute which will be managed dynamically by the plug-in whenever the attribute in linkType is modified
  linkScope, which restricts the plug-in activity to a specific subtree within the directory tree

Dependencies: Database

Performance-Related Information: Any attribute set in linkType must only allow values in a DN format. Any attribute set in managedType must be multi-valued.

Further Information: See the "Managing Attributes" chapter in the Red Hat Directory Server Administration Guide and Section 4.11, “Linked Attributes Plug-in Attributes”.

4.1.34. Managed Entries Plug-in

Plug-in ID: Managed Entries

Configuration Entry DN: cn=Managed Entries,cn=plugins,cn=config

Description: Container entry for automatically generated directory entries. Each configuration entry defines a target subtree and a template entry. When a matching entry in the target subtree is created, the plug-in automatically creates a new, related entry based on the template.

Type: preoperation

Configurable Options: on | off

Default Setting: off

Configurable Arguments: None for the main plug-in entry. Each plug-in instance has four possible attributes:
  originScope, which sets the search base
  originFilter, which sets the search filter for matching entries
  managedScope, which sets the subtree under which to create new managed entries
  managedTemplate, which is the template entry used to create the managed entries

Dependencies: Database

Performance-Related Information: None

4.1.35. MemberOf Plug-in

Plug-in ID: memberOf

Configuration Entry DN: cn=MemberOf Plugin,cn=plugins,cn=config

Description: Manages the memberOf attribute on user entries, based on the member attributes in the group entry.

Type: postoperation

Configurable Options: on | off

Default Setting: off

Configurable Arguments:
  memberOfAttr sets the attribute to generate in people's entries to show their group membership.
  memberOfGroupAttr sets the attribute to use to identify group members' DNs.

Dependencies: Database

Performance-Related Information: None

4.1.36. Multi-master Replication Plug-in

Plug-in ID: replication-multimaster

DN of Configuration Entry: cn=Multimaster Replication plugin,cn=plugins,cn=config

Description: Enables replication between two current Directory Servers

Type: object

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies:
  Named: ldbm database
  Named: DES
  Named: Class of Service

Further Information: Turn this plug-in off if one server will never replicate. See the "Managing Replication" chapter in the Red Hat Directory Server Administration Guide.

4.1.37. Name and Optional UID Syntax Plug-in

Plug-in ID: nameoptuid-syntax

DN of Configuration Entry: cn=Name And Optional UID Syntax,cn=plugins,cn=config

Description: Supports syntaxes and related matching rules to store and search for a DN with an optional unique ID; from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: The optional UID is used to distinguish between entries which may have identical DNs or naming attributes. See also RFC 4517.

4.1.38. Numeric String Syntax Plug-in

Plug-in ID: numstr-syntax

DN of Configuration Entry: cn=Numeric String Syntax,cn=plugins,cn=config

Description: Supports syntaxes and related matching rules for strings of numbers and spaces; from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.39. Octet String Syntax Plug-in

NOTE

Use the Octet String syntax instead of Binary, which is deprecated.

Plug-in ID: octetstring-syntax

DN of Configuration Entry: cn=Octet String Syntax,cn=plugins,cn=config

Description: Supports octet string syntaxes and related matching rules from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.40. OID Syntax Plug-in

Plug-in ID: oid-syntax

DN of Configuration Entry: cn=OID Syntax,cn=plugins,cn=config

Description: Supports object identifier (OID) syntaxes and related matching rules from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.41. PAM Pass Through Auth Plug-in

Plug-in ID: pam_passthruauth

DN of Configuration Entry: cn=PAM Pass Through Auth,cn=plugins,cn=config

Description: Enables pass-through authentication for PAM, meaning that a PAM service can use the Directory Server as its user authentication store.

Type: preoperation

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: Database

Further Information: See the "Using PAM Pass-through Authentication" section in the Red Hat Directory Server Administration Guide.

4.1.42. Pass Through Authentication Plug-in

Plug-in ID: passthruauth

DN of Configuration Entry: cn=Pass Through Authentication,cn=plugins,cn=config

Description: Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests.

Type: preoperation

Configurable Options: on | off

Default Setting: off

Configurable Arguments: ldap://example.com:389/o=example

Dependencies: Database

Performance-Related Information: Pass-through authentication slows down bind requests a little because they have to make an extra hop to the remote server. See the "Using Pass-through Authentication" chapter in the Red Hat Directory Server Administration Guide.

Further Information: See the "Using the Pass-through Authentication Plug-in" chapter in the Red Hat Directory Server Administration Guide.

4.1.43. Password Storage Schemes

Directory Server implements the password storage schemes as plug-ins. However, the cn=Password Storage Schemes,cn=plugins,cn=config entry itself is just a container, not a plug-in entry. All password storage scheme plug-ins are stored as a subentry of this container.

To display all password storage scheme plug-ins, enter:

# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x \
    -b "cn=Password Storage Schemes,cn=plugins,cn=config" -s sub "(objectclass=*)" dn

WARNING

Red Hat recommends neither disabling the password scheme plug-ins nor changing their configuration, to prevent unpredictable authentication behavior.

Strong Password Storage Schemes

Red Hat recommends using only the following strong password storage schemes (strongest first):

PBKDF2_SHA256

The password-based key derivation function 2 (PBKDF2) was designed to expend resources to counter brute force attacks. PBKDF2 supports a variable number of iterations to apply the hashing algorithm. Higher iteration counts improve security but require more hardware resources. In Directory Server, the PBKDF2_SHA256 scheme is implemented using 30,000 iterations to apply the SHA256 algorithm. This value is hard-coded and will be increased in future versions of Directory Server without requiring interaction by an administrator.

NOTE

The network security service (NSS) database in Red Hat Enterprise Linux 6 does not support PBKDF2. Therefore you cannot use this password scheme in a replication topology with Directory Server 9.

SSHA512 (default)

The salted secure hashing algorithm (SSHA) implements an enhanced version of the secure hashing algorithm (SHA) that uses a randomly generated salt to increase the security of the hashed password. SSHA512 implements the hashing algorithm using 512 bits.

Weak Password Storage Schemes

Besides the recommended strong password storage schemes, Directory Server supports the following weak schemes for backward compatibility:

AES
CLEAR
CRYPT
CRYPT-MD5
CRYPT-SHA256
CRYPT-SHA512
DES
MD5
NS-MTA-MD5 [a]
SHA [b]
SHA256
SHA384
SHA512
SMD5
SSHA [b]
SSHA256
SSHA384

[a] Directory Server only supports authentication using this scheme. You can no longer use it to encrypt passwords.

[b] 160 bit

IMPORTANT

Only continue using a weak scheme over a short time frame, as it increases security risks.
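An added audit script (Python, not part of the Red Hat reference) that classifies userPassword values from an LDIF export by the strong and weak lists above and verifies an SSHA512 value. The SSHA512 layout it uses (base64 of the SHA-512 digest followed by the salt), the sample LDIF and all function names are assumptions; the PBKDF2 helper shows only the 30,000-iteration derivation the reference mentions, not the server's stored encoding.

```python
import base64
import hashlib
import hmac
import os
import re

# Scheme lists as Section 4.1.43 gives them: two strong, the rest weak.
STRONG_SCHEMES = {"PBKDF2_SHA256", "SSHA512"}
WEAK_SCHEMES = {
    "AES", "CLEAR", "CRYPT", "CRYPT-MD5", "CRYPT-SHA256", "CRYPT-SHA512",
    "DES", "MD5", "NS-MTA-MD5", "SHA", "SHA256", "SHA384", "SHA512",
    "SMD5", "SSHA", "SSHA256", "SSHA384",
}
PBKDF2_ITERATIONS = 30000  # the hard-coded count the reference states
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.DOTALL)

def parse_scheme(value):
    """Split '{SCHEME}payload' into (SCHEME, payload); (None, value) if unprefixed."""
    match = SCHEME_RE.match(value)
    if not match:
        return None, value
    return match.group(1).upper(), match.group(2)

def classify(value):
    """Return 'strong', 'weak' or 'unknown' for one userPassword value."""
    scheme, _ = parse_scheme(value)
    if scheme in STRONG_SCHEMES:
        return "strong"
    if scheme in WEAK_SCHEMES:
        return "weak"
    return "unknown"

def ssha512_hash(password, salt=None):
    """Assumed SSHA512 layout: base64(sha512(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")

def ssha512_verify(password, stored):
    """Recompute the digest using the salt that trails the 64-byte digest."""
    scheme, payload = parse_scheme(stored)
    if scheme != "SSHA512":
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def pbkdf2_sha256(password, salt, iterations=PBKDF2_ITERATIONS):
    """Raw PBKDF2-HMAC-SHA256 output at the reference's iteration count."""
    # The server's encoding of salt and iterations into the stored value is not assumed here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def audit_ldif(ldif_text):
    """Map each entry's dn to the classification of its userPassword value (plain or base64 line)."""
    results = {}
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:
            value = base64.b64decode(line[len("userPassword:: "):]).decode("utf-8")
            results[dn] = classify(value)
        elif line.startswith("userPassword: ") and dn:
            results[dn] = classify(line[len("userPassword: "):].strip())
    return results

def weak_accounts(ldif_text):
    """DNs whose stored password uses a scheme from the weak list."""
    return sorted(dn for dn, cls in audit_ldif(ldif_text).items() if cls == "weak")

def build_sample_ldif():
    """Constructed sample export (not real data) mixing strong and weak schemes."""
    crypt_b64 = base64.b64encode(b"{CRYPT}constructedcrypt").decode("ascii")
    return (
        "dn: uid=alice,ou=People,dc=example,dc=com\n"
        "userPassword: {PBKDF2_SHA256}placeholder-payload\n\n"
        "dn: uid=bob,ou=People,dc=example,dc=com\n"
        "userPassword: " + ssha512_hash("bob-password", salt=b"12345678") + "\n\n"
        "dn: uid=carol,ou=People,dc=example,dc=com\n"
        "userPassword:: " + crypt_b64 + "\n"
    )

if __name__ == "__main__":
    sample = build_sample_ldif()
    for entry_dn, cls in audit_ldif(sample).items():
        print(f"{cls:8} {entry_dn}")
    print("weak:", weak_accounts(sample))
```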

4.1.44. Posix Winsync API Plug-in

Plug-in ID: posix-winsync-plugin

DN of Configuration Entry: cn=Posix Winsync API,cn=plugins,cn=config

Description: Enables and configures Windows synchronization for Posix attributes set on Active Directory user and group entries.

Type: preoperation

Configurable Options:
  on | off
  memberUID mapping (groups)
  converting and sorting memberUID values in lower case (groups)
  memberOf fix-up tasks with sync operations
  use Windows 2003 Posix schema

Default Setting: off

Configurable Arguments: None

Dependencies: database

4.1.45. Postal Address String Syntax Plug-in

Plug-in ID: postaladdress-syntax

DN of Configuration Entry: cn=Postal Address Syntax,cn=plugins,cn=config

Description: Supports postal address syntaxes and related matching rules from RFC 4517.

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.46. Printable String Syntax Plug-in

Plug-in ID: printablestring-syntax

DN of Configuration Entry: cn=Printable String Syntax,cn=plugins,cn=config

Description: Supports syntaxes and matching rules for alphanumeric and select punctuation strings (for strings which conform to printable strings as defined in RFC 4517).

Type: syntax

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies: None

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: RFC 4517

4.1.47. Referential Integrity Postoperation Plug-in

Plug-in ID: referint

DN of Configuration Entry: cn=Referential Integrity Postoperation,cn=plugins,cn=config

Description: Enables the server to ensure referential integrity

Type: postoperation

Configurable Options: All configuration and on | off

Default Setting: off

Configurable Arguments: When enabled, the post-operation Referential Integrity Plug-in performs integrity updates on the member, uniquemember, owner, and seeAlso attributes immediately after a delete or rename operation. The plug-in can be configured to perform integrity checks on all other attributes. For details, see the corresponding section in the Directory Server Administration Guide.

Dependencies: Database

Performance-Related Information: The Referential Integrity Plug-in should be enabled only on one master in a multi-master replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, be sure to analyze the performance resource and time needs as well as integrity needs; integrity checks can be time consuming and demanding on memory and CPU. All attributes specified must be indexed for both presence and equality.

Further Information: See the "Managing Indexes" chapter for information about how to index attributes used for referential integrity checking and the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide.

4.1.48. Retro Changelog Plug-in

Plug-in ID: retrocl

DN of Configuration Entry: cn=Retro Changelog Plugin,cn=plugins,cn=config

Description: Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The retro changelog offers the same functionality as the changelog in the 4.x versions of Directory Server. This plug-in exposes the cn=changelog suffix to clients, so that clients can use this suffix with or without persistent search for simple sync applications.

Type: object

Configurable Options: on | off

Default Setting: off

Configurable Arguments: See Section 4.16, “Retro Changelog Plug-in Attributes” for further information on the two configuration attributes for this plug-in.

Dependencies:
  Type: Database
  Named: Class of Service

Performance-Related Information: May slow down Directory Server update performance.

Further Information: See the "Managing Replication" chapter in the Red Hat Directory Server Administration Guide.

4.1.49. Roles Plug-in

Plug-in ID: roles

DN of Configuration Entry: cn=Roles Plugin,cn=plugins,cn=config

Description: Enables the use of roles in the Directory Server

Type: object

Configurable Options: on | off

Default Setting: on

Configurable Arguments: None

Dependencies:
  Type: Database
  Named: State Change Plug-in
  Named: Views Plug-in

Performance-Related Information: Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information: See the "Advanced Entry Management" chapter in the Red Hat Directory Server Administration Guide.

4.1.50. RootDN Access Control Plug-in

Plug-in Parameter Description

Plug-in ID rootdn-access-control

DN of Configuration Entry cn=RootDN Access Control,cn=plugins,cn=config

Description Enables and configures access controls to use for the root DN entry.

Type internalpreoperation

Configurable Options on | off

Default Setting off

Configurable Attributes
rootdn-open-time and rootdn-close-time for time-based access controls

rootdn-days-allowed for day-based access controls

rootdn-allow-host, rootdn-deny-host, rootdn-allow-ip, and rootdn-deny-ip for host-based access controls

Dependencies None

Further Information See the "Access Control" sections in the Red Hat Directory Server Administration Guide.
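As an added illustration (not code from the Directory Server project or from this reference), the following Python models how the time-based, day-based and host-based controls listed above combine, so that an administrator can evaluate a candidate root DN policy against sample bind attempts before enabling the plug-in. The value formats (HHMM times, three-letter day names, CIDR patterns for rootdn-allow-ip and rootdn-deny-ip, shell-style patterns for rootdn-allow-host and rootdn-deny-host), the RootDNPolicy class, the function names and the rule that deny lists win over allow lists are all assumptions of this example; the Administration Guide is authoritative for the server's real value syntax.

```python
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class RootDNPolicy:
    """Constructed model of the RootDN Access Control plug-in attributes.
    Value formats are assumptions of this example, not the server's own."""
    open_time: Optional[str] = None                        # rootdn-open-time, "HHMM"
    close_time: Optional[str] = None                       # rootdn-close-time, "HHMM"
    days_allowed: Set[str] = field(default_factory=set)    # rootdn-days-allowed, e.g. {"Mon"}
    allow_host: List[str] = field(default_factory=list)    # rootdn-allow-host, fnmatch patterns
    deny_host: List[str] = field(default_factory=list)     # rootdn-deny-host
    allow_ip: List[str] = field(default_factory=list)      # rootdn-allow-ip, CIDR or single IP
    deny_ip: List[str] = field(default_factory=list)       # rootdn-deny-ip


def _minutes(hhmm: str) -> int:
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def time_allowed(policy: RootDNPolicy, when: datetime) -> bool:
    """Day-based and time-based controls. A window whose close time is earlier
    than its open time is treated as crossing midnight."""
    if policy.days_allowed and when.strftime("%a") not in policy.days_allowed:
        return False
    if policy.open_time and policy.close_time:
        now = when.hour * 60 + when.minute
        start, end = _minutes(policy.open_time), _minutes(policy.close_time)
        return start <= now < end if start <= end else (now >= start or now < end)
    return True


def ip_allowed(policy: RootDNPolicy, client_ip: str) -> bool:
    """Host-based control on the client address: a deny match rejects,
    and a non-empty allow list is exclusive."""
    addr = ip_address(client_ip)

    def hit(patterns: List[str]) -> bool:
        return any(addr in ip_network(p, strict=False) for p in patterns)

    if hit(policy.deny_ip):
        return False
    return not policy.allow_ip or hit(policy.allow_ip)


def host_allowed(policy: RootDNPolicy, hostname: Optional[str]) -> bool:
    """Host-based control on the resolved client name, same precedence as ip_allowed.
    With no name to match, only a policy without an allow list can pass."""
    if hostname is None:
        return not policy.allow_host
    name = hostname.lower()
    if any(fnmatch(name, p.lower()) for p in policy.deny_host):
        return False
    return not policy.allow_host or any(fnmatch(name, p.lower()) for p in policy.allow_host)


def rootdn_bind_allowed(policy: RootDNPolicy, when: datetime,
                        client_ip: str, hostname: Optional[str] = None) -> bool:
    """Every configured control must pass for the root DN bind to be accepted."""
    return (time_allowed(policy, when)
            and ip_allowed(policy, client_ip)
            and host_allowed(policy, hostname))


def decide(policy: RootDNPolicy, iso_when: str, client_ip: str,
           hostname: Optional[str] = None) -> bool:
    """Convenience wrapper taking the bind time as an ISO 8601 string."""
    return rootdn_bind_allowed(policy, datetime.fromisoformat(iso_when), client_ip, hostname)


# Constructed sample policies (not from any real deployment).
OFFICE_HOURS = RootDNPolicy(
    open_time="0800", close_time="1800",
    days_allowed={"Mon", "Tue", "Wed", "Thu", "Fri"},
    allow_ip=["10.0.0.0/8"], deny_ip=["10.0.5.0/24"],
    allow_host=["*.admin.example.com"],
)
NIGHT_SHIFT = RootDNPolicy(open_time="2200", close_time="0600")  # window crosses midnight

if __name__ == "__main__":
    # 2019-01-07 is a Monday.
    print(decide(OFFICE_HOURS, "2019-01-07T09:00", "10.0.1.20", "ops1.admin.example.com"))
    print(decide(OFFICE_HOURS, "2019-01-07T09:00", "10.0.5.9", "ops1.admin.example.com"))
```

The useful property to test is the interaction: a bind from an allowed network can still fail on the day, the hour, or a denied subnet, which is why each control is kept in its own function and combined only in rootdn_bind_allowed.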

4.1.51. Schema Reload Plug-in


Plug-in Information Description

Plug-in ID schemareload

Configuration Entry DN cn=Schema Reload,cn=plugins,cn=config

Description Task plug-in to reload schema files

Type object

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies None

Performance-Related Information

Further Information

4.1.52. Space Insensitive String Syntax Plug-in

Plug-in Parameter Description

Plug-in ID none

DN of Configuration Entry cn=Space Insensitive String Syntax,cn=plugins,cn=config

Description Syntax for handling space-insensitive values

Type syntax

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies None

Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information This plug-in enables the Directory Server to support space and case insensitive values. This allows applications to search the directory using entries with ASCII space characters.

For example, a search or compare operation that uses jOHN Doe will match entries that contain johndoe, john doe, and John Doe if the attribute's schema has been configured to use the space insensitive syntax.

For more information about finding directory entries, see the "Finding Directory Entries" chapter in the Red Hat Directory Server Administration Guide.

4.1.53. State Change Plug-in

Plug-in Parameter Description

Plug-in ID statechange

DN of Configuration Entry cn=State Change Plugin,cn=plugins,cn=config

Description Enables state-change-notification service

Type postoperation

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies None

Performance-Related Information

Further Information

4.1.54. Syntax Validation Task Plug-in

Plug-in Parameter Description

Plug-in ID none

DN of Configuration Entry cn=Syntax Validation Task,cn=plugins,cn=config

Description Enables syntax validation for attribute values

Type object

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies None

Performance-Related Information

Further Information This plug-in implements syntax validation tasks. The actual process that carries out syntax validation is performed by each specific syntax plug-in.

4.1.55. Telephone Syntax Plug-in

Plug-in Parameter Description

Plug-in ID tele-syntax

DN of Configuration Entry cn=Telephone Syntax,cn=plugins,cn=config

Description Supports telephone number syntaxes and related matching rules from RFC 4517.

Type syntax

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies None

Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information RFC 4517

4.1.56. Teletex Terminal Identifier Syntax Plug-in

Plug-in Parameter Description

Plug-in ID teletextermid-syntax

DN of Configuration Entry cn=Teletex Terminal Identifier Syntax,cn=plugins,cn=config

Description Supports international telephone number syntaxes and related matching rules from RFC 4517.

Type syntax

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies None

Performance-Related Information Do not modify the configuration of this plug-in.


Red Hat recommends leaving this plug-in
running at all times.

Further Information RFC 4517

4.1.57. Telex Number Syntax Plug-in

Plug-in Parameter Description

Plug-in ID telex-syntax

DN of Configuration Entry cn=Telex Number Syntax,cn=plugins,cn=config

Description Supports syntaxes and related matching rules for the telex number, country code, and answerback code of a telex terminal; from RFC 4517.

Type syntax

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies None

Performance-Related Information Do not modify the configuration of this plug-in.


Red Hat recommends leaving this plug-in
running at all times.

Further Information RFC 4517

4.1.58. URI Syntax Plug-in

Plug-in Parameter Description

Plug-in ID none

DN of Configuration Entry cn=URI Syntax,cn=plugins,cn=config

Description Supports syntaxes and related matching rules for unique resource identifiers (URIs), including unique resource locators (URLs); from RFC 4517.

Type syntax

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies None

Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information RFC 4517

4.1.59. USN Plug-in

Plug-in Parameter Description

Plug-in ID USN

DN of Configuration Entry cn=USN,cn=plugins,cn=config

Description Sets an update sequence number (USN) on an entry, for every entry in the directory, whenever there is a modification, including adding and deleting entries and modifying attribute values.

Type object

Configurable Options on | off

Default Setting off

Configurable Arguments None

Dependencies Database

Performance-Related Information For replication, it is recommended that the entryUSN configuration attribute be excluded using fractional replication.

Further Information

4.1.60. Views Plug-in

Plug-in Parameter Description

Plug-in ID views

DN of Configuration Entry cn=Views,cn=plugins,cn=config

Description Enables the use of views in the Directory Server databases.

Type object

Configurable Options on | off

Default Setting on

Configurable Arguments None

Dependencies
Type: Database

Named: State Change Plug-in

Performance-Related Information Do not modify the configuration of this plug-in.


Red Hat recommends leaving this plug-in
running at all times.

Further Information

4.2. LIST OF ATTRIBUTES COMMON TO ALL PLUG-INS


This list provides a brief attribute description, the entry DN, valid range, default value,
syntax, and an example for each attribute.

4.2.1. nsslapdPlugin (Object Class)


Each Directory Server plug-in belongs to the nsslapdPlugin object class.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.41

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn Gives the common name of the entry.

nsslapd-pluginPath Identifies the plugin library name (without the library suffix).

nsslapd-pluginInitfunc Identifies an initialization function of the plugin.

nsslapd-pluginType Identifies the type of plugin.

nsslapd-pluginId Identifies the plugin ID.

nsslapd-pluginVersion Identifies the version of plugin.

nsslapd-pluginVendor Identifies the vendor of plugin.

nsslapd-pluginDescription Identifies the description of the plugin.

nsslapd-pluginEnabled Identifies whether or not the plugin is enabled.

nsslapd-pluginPrecedence Sets the priority for the plug-in in the execution order.

4.2.2. nsslapd-logAccess
This attribute enables you to log search operations run by the plug-in to the file set in the
nsslapd-accesslog parameter in cn=config.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-logAccess: Off

4.2.3. nsslapd-logAudit
This attribute enables you to log and audit modifications to the database originated from
the plug-in.

Successful modification events are logged in the audit log, if the nsslapd-auditlog-logging-enabled parameter is enabled in cn=config. To log failed modification database operations by a plug-in, enable the nsslapd-auditfaillog-logging-enabled attribute in cn=config.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-logAudit: Off

4.2.4. nsslapd-pluginDescription
This attribute provides a description of the plug-in.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values

Default Value None

Syntax DirectoryString

Example nsslapd-pluginDescription: acl access check plug-in

4.2.5. nsslapd-pluginEnabled
This attribute specifies whether the plug-in is enabled. This attribute can be changed over
protocol but will only take effect when the server is next restarted.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values on | off

Default Value on


Syntax DirectoryString

Example nsslapd-pluginEnabled: on

4.2.6. nsslapd-pluginId
This attribute specifies the plug-in ID.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values Any valid plug-in ID

Default Value None

Syntax DirectoryString

Example nsslapd-pluginId: chaining database

4.2.7. nsslapd-pluginInitfunc
This attribute specifies the plug-in function to be initiated.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values Any valid plug-in function

Default Value None

Syntax DirectoryString

Example nsslapd-pluginInitfunc: NS7bitAttr_Init

4.2.8. nsslapd-pluginPath
This attribute specifies the full path to the plug-in.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config


Valid Values Any valid path

Default Value None

Syntax DirectoryString

Example nsslapd-pluginPath: uid-plugin

4.2.9. nsslapd-pluginPrecedence
This attribute sets the precedence or priority for the execution order of a plug-in. Precedence defines the execution order of plug-ins, which allows more complex environments or interactions since it can enable a plug-in to wait for a completed operation before being executed. This is more important for pre-operation and post-operation plug-ins.

Plug-ins with a value of 1 have the highest priority and are run first; plug-ins with a value of
99 have the lowest priority. The default is 50.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values 1 to 99

Default Value 50

Syntax Integer

Example nsslapd-pluginPrecedence: 3

4.2.10. nsslapd-pluginType
This attribute specifies the plug-in type. See Section 4.3.5, “nsslapd-plugin-depends-on-type” for further information.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values Any valid plug-in type

Default Value None

Syntax DirectoryString


Example nsslapd-pluginType: preoperation

4.2.11. nsslapd-pluginVendor
This attribute specifies the vendor of the plug-in.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values Any approved plug-in vendor

Default Value Red Hat, Inc.

Syntax DirectoryString

Example nsslapd-pluginVendor: Red Hat, Inc.

4.2.12. nsslapd-pluginVersion
This attribute specifies the plug-in version.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values Any valid plug-in version

Default Value Product version number

Syntax DirectoryString

Example nsslapd-pluginVersion: 10.3

4.3. ATTRIBUTES ALLOWED BY CERTAIN PLUG-INS

4.3.1. nsslapd-dynamic-plugins
Directory Server supports dynamic plug-ins that can be enabled without restarting the
server. The nsslapd-dynamic-plugins attribute specifies whether the server is configured
to allow for dynamic plug-ins. By default, dynamic plug-ins are disabled.

Some plug-ins cannot be configured as dynamic, and they require the server to be
restarted.


Entry DN cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-dynamic-plugins: on

4.3.2. nsslapd-pluginConfigArea
Some plug-in entries are container entries, and multiple instances of the plug-in are
created beneath this container in cn=plugins,cn=config. However, the
cn=plugins,cn=config is not replicated, which means that the plug-in configurations
beneath those container entries must be configured manually, in some way, on every
Directory Server instance.

The nsslapd-pluginConfigArea attribute points to another container entry, in the main database area, which contains the plug-in instance entries. This container entry can be in a replicated database, which allows the plug-in configuration to be replicated.

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values Any valid DN

Default Value

Syntax DN

Example nsslapd-pluginConfigArea: cn=managed entries container,ou=containers,dc=example,dc=com

4.3.3. nsslapd-pluginLoadNow
This attribute specifies whether to load all of the symbols used by a plug-in immediately (true), as well as all symbols referenced by those symbols, or to load each symbol the first time it is used (false).

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config


Valid Values true | false

Default Value false

Syntax DirectoryString

Example nsslapd-pluginLoadNow: false

4.3.4. nsslapd-pluginLoadGlobal
This attribute specifies whether the symbols in dependent libraries are made visible locally (false) or to the executable and to all shared objects (true).

Plug-in Parameter Description

Entry DN cn=plug-in name,cn=plugins,cn=config

Valid Values true | false

Default Value false

Syntax DirectoryString

Example nsslapd-pluginLoadGlobal: false

4.3.5. nsslapd-plugin-depends-on-type
Multi-valued attribute used to ensure that plug-ins are called by the server in the correct
order. Takes a value which corresponds to the type number of a plug-in, contained in the
attribute nsslapd-pluginType. See Section 4.2.10, “nsslapd-pluginType” for further
information. All plug-ins with a type value which matches one of the values in the following
valid range will be started by the server prior to this plug-in. The following postoperation
Referential Integrity Plug-in example shows that the database plug-in will be started prior to
the postoperation Referential Integrity Plug-in.

Plug-in Parameter Description

Entry DN cn=referential integrity postoperation,cn=plugins,cn=config

Valid Values database

Default Value

Syntax DirectoryString

Example nsslapd-plugin-depends-on-type: database

4.3.6. nsslapd-plugin-depends-on-named
Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the cn value of a plug-in. The plug-in with a cn value matching one of the following values will be started by the server prior to this plug-in. If the plug-in does not exist, the server fails to start. The following postoperation Referential Integrity Plug-in example shows that the Views plug-in is started before Roles. If Views is missing, the server is not going to start.

Plug-in Parameter Description

Entry DN cn=referential integrity postoperation,cn=plugins,cn=config

Valid Values Class of Service

Default Value

Syntax DirectoryString

Example
nsslapd-plugin-depends-on-named: Views

nsslapd-pluginId: roles
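The three ordering attributes (nsslapd-pluginPrecedence in Section 4.2.9, nsslapd-plugin-depends-on-type in Section 4.3.5 and nsslapd-plugin-depends-on-named in Section 4.3.6) are easiest to reason about together. The Python below is an added example, not the server's own startup code: it takes a constructed subset of cn=plugins,cn=config entries as dictionaries, derives a start order in which every type and named dependency comes first, reports the documented failure (a named dependency that does not exist, which stops the server from starting) and a dependency cycle, and lists the call order among plug-ins of one type by precedence. The SAMPLE_PLUGINS entries, the function names, and the use of precedence and cn as tie-breakers for the start order are assumptions of this example.

```python
from typing import Dict, List


class PluginOrderError(Exception):
    """Raised where the server would refuse to start: a missing named
    dependency or a dependency cycle."""


def precedence(plugin: Dict) -> int:
    """nsslapd-pluginPrecedence: 1 runs first, 99 last, default 50."""
    value = int(plugin.get("nsslapd-pluginPrecedence", 50))
    if not 1 <= value <= 99:
        raise ValueError(f"{plugin['cn']}: nsslapd-pluginPrecedence {value} is outside 1 to 99")
    return value


def start_order(plugins: List[Dict]) -> List[str]:
    """Order plug-ins so that every nsslapd-plugin-depends-on-type and
    nsslapd-plugin-depends-on-named dependency is started before its dependant.
    Ties are broken by precedence, then by cn, so the result is deterministic
    (the tie-break is an assumption of this example)."""
    by_cn = {p["cn"].lower(): p for p in plugins}
    needs: Dict[str, set] = {}
    for p in plugins:
        wanted = set()
        # depends-on-type: every other plug-in whose nsslapd-pluginType matches
        for ptype in p.get("nsslapd-plugin-depends-on-type", []):
            wanted.update(q["cn"].lower() for q in plugins
                          if q is not p and q["nsslapd-pluginType"].lower() == ptype.lower())
        # depends-on-named: the plug-in with that cn, which must exist
        for name in p.get("nsslapd-plugin-depends-on-named", []):
            if name.lower() not in by_cn:
                raise PluginOrderError(
                    f"{p['cn']}: nsslapd-plugin-depends-on-named {name!r} does not exist; "
                    "the server would fail to start")
            wanted.add(name.lower())
        needs[p["cn"].lower()] = wanted

    ordered: List[str] = []
    while needs:
        ready = [cn for cn, deps in needs.items() if not deps & set(needs)]
        if not ready:
            raise PluginOrderError("dependency cycle among: " + ", ".join(sorted(needs)))
        ready.sort(key=lambda cn: (precedence(by_cn[cn]), cn))
        ordered.append(by_cn[ready[0]]["cn"])
        del needs[ready[0]]
    return ordered


def would_start(plugins: List[Dict]) -> bool:
    """True if the dependency graph can be started at all."""
    try:
        start_order(plugins)
        return True
    except PluginOrderError:
        return False


def execution_order(plugins: List[Dict], plugin_type: str) -> List[str]:
    """Call order among plug-ins of one type by nsslapd-pluginPrecedence (1 first)."""
    same = [p for p in plugins if p["nsslapd-pluginType"].lower() == plugin_type.lower()]
    return [p["cn"] for p in sorted(same, key=lambda p: (precedence(p), p["cn"].lower()))]


# Constructed sample of cn=plugins,cn=config entries (attribute subset only).
SAMPLE_PLUGINS = [
    {"cn": "ldbm database", "nsslapd-pluginType": "database"},
    {"cn": "State Change Plugin", "nsslapd-pluginType": "postoperation"},
    {"cn": "Views", "nsslapd-pluginType": "object",
     "nsslapd-plugin-depends-on-type": ["database"],
     "nsslapd-plugin-depends-on-named": ["State Change Plugin"]},
    {"cn": "Roles Plugin", "nsslapd-pluginType": "object",
     "nsslapd-plugin-depends-on-type": ["database"],
     "nsslapd-plugin-depends-on-named": ["State Change Plugin", "Views"]},
    {"cn": "referential integrity postoperation", "nsslapd-pluginType": "postoperation",
     "nsslapd-pluginPrecedence": 3,
     "nsslapd-plugin-depends-on-type": ["database"]},
]

if __name__ == "__main__":
    print(start_order(SAMPLE_PLUGINS))
    print(execution_order(SAMPLE_PLUGINS, "postoperation"))
    print(would_start([p for p in SAMPLE_PLUGINS if p["cn"] != "Views"]))
```

Removing the Views entry from the sample reproduces the situation the reference warns about: Roles names it in nsslapd-plugin-depends-on-named, so the order cannot be built and would_start returns False.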

4.4. DATABASE PLUG-IN ATTRIBUTES


The database plug-in is also organized in an information tree, as shown in Figure 4.1,
“Database Plug-in”.

Figure 4.1. Database Plug-in


All plug-in technology used by the database instances is stored in the cn=ldbm database
plug-in node. This section presents the additional attribute information for each of the
nodes in bold in the cn=ldbm database,cn=plugins,cn=config information tree.

4.4.1. Database Attributes under cn=config,cn=ldbm database,cn=plugins,cn=config
This section covers the global configuration attributes common to all instances, which are stored in the cn=config,cn=ldbm database,cn=plugins,cn=config tree node.

4.4.1.1. nsslapd-backend-opt-level

This parameter can trigger experimental code to improve write performance.

Possible values:

0: Disables the parameter.

1: The replication update vector is not written to the database during the
transaction

2: Changes the order of taking the back end lock and starts the transaction

4: Moves code out of the transaction.

All values can be combined. For example, 7 enables all optimisation features.


WARNING

This parameter is experimental. Never change its value unless you are specifically told to do so by Red Hat support.

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Values 0|1|2|4

Default Value 0

Syntax Integer

Example nsslapd-backend-opt-level: 0

4.4.1.2. nsslapd-cache-autosize


This performance tuning-related attribute sets the percentage of free memory that is used
in total for the database and entry cache. For example, if the value is set to 10, 10% of the
system's free RAM is used for both caches. If this value is set to a value greater than 0,
auto-sizing is enabled for the database and entry cache.

For optimized performance, Red Hat recommends not disabling auto-sizing. However, in certain situations it can be necessary to disable auto-sizing. In this case, set the nsslapd-cache-autosize attribute to 0 and manually set:

the database cache in the nsslapd-dbcachesize attribute.

the entry cache in the nsslapd-cachememsize attribute.

For further details about auto-sizing, see the corresponding section in the
Red Hat Directory Server Performance Tuning Guide.

NOTE

If the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes are both set to high values, such as 100, Directory Server fails to start. To fix the problem, set both parameters to more reasonable values. For example:

nsslapd-cache-autosize: 10
nsslapd-cache-autosize-split: 40

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Range 0 to 100. If 0 is set, the default value is used instead.

Default Value 10

Syntax Integer

Example nsslapd-cache-autosize: 10

4.4.1.3. nsslapd-cache-autosize-split

This performance tuning-related attribute sets the percentage of RAM that is used for the
database cache. The remaining percentage is used for the entry cache. For example, if the
value is set to 40, the database cache uses 40%, and the entry cache the remaining 60% of
the free RAM reserved in the nsslapd-cache-autosize attribute.

For further details about auto-sizing, see the corresponding section in the
Red Hat Directory Server Performance Tuning Guide.


NOTE

If the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes are both set to high values, such as 100, Directory Server fails to start. To fix the problem, set both parameters to more reasonable values. For example:

nsslapd-cache-autosize: 10
nsslapd-cache-autosize-split: 40

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Range 0 to 99. If 0 is set, the default value is used instead.

Default Value 40

Syntax Integer

Example nsslapd-cache-autosize-split: 40

4.4.1.4. nsslapd-dbcachesize

This performance tuning-related attribute specifies the database index cache size, in bytes.
This is one of the most important values for controlling how much physical RAM the
directory server uses.

This is not the entry cache. This is the amount of memory the Berkeley database back end
will use to cache the indexes (the .db files) and other files. This value is passed to the
Berkeley DB API function set_cachesize. If automatic cache resizing is activated, this
attribute is overridden when the server replaces these values with its own guessed values
at a later stage of the server startup.

For more technical information on this attribute, see the cache size section of the Berkeley DB reference guide at https://docs.oracle.com/cd/E17076_04/html/programmer_reference/general_am_conf.html#am_conf_ca

Attempting to set a value that is not a number or is too big for a 32-bit signed integer
returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information
explaining the problem.

NOTE

Do not set the database cache size manually. Red Hat recommends using the database cache auto-sizing feature for optimized performance. For further details, see the corresponding section in the Red Hat Directory Server Performance Tuning Guide.


The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Range 500 kilobytes to 4 gigabytes for 32-bit platforms and 500 kilobytes to 2^64-1 for 64-bit platforms

Default Value

Syntax Integer

Example nsslapd-dbcachesize: 10000000
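The auto-sizing attributes of Sections 4.4.1.2 and 4.4.1.3 and the manual nsslapd-dbcachesize of Section 4.4.1.4 decide between them how much RAM the back end claims, so it is worth computing the outcome before changing dse.ldif. The Python below is an added example and not the server's own sizing code: it turns free RAM plus the three settings into effective database and entry cache sizes, following the prose rule that nsslapd-cache-autosize set to 0 means the two caches are sized manually, and it reproduces the acceptance check the reference describes for nsslapd-dbcachesize (a non-numeric value, or one too large for a 32-bit signed integer, is refused with LDAP_UNWILLING_TO_PERFORM). The function names, the 8 GiB sample and the integer arithmetic are assumptions of this example; the server's real allocation may round differently.

```python
INT32_MAX = 2**31 - 1
DEFAULT_AUTOSIZE = 10          # nsslapd-cache-autosize default (percent of free RAM)
DEFAULT_AUTOSIZE_SPLIT = 40    # nsslapd-cache-autosize-split default (percent to the DB cache)


def validate_dbcachesize(raw) -> int:
    """Acceptance check described for nsslapd-dbcachesize: the value must be a
    number that fits a 32-bit signed integer, otherwise the server answers
    LDAP_UNWILLING_TO_PERFORM. Returns the parsed size in bytes."""
    try:
        size = int(str(raw).strip())
    except ValueError:
        raise ValueError("LDAP_UNWILLING_TO_PERFORM: nsslapd-dbcachesize is not a number") from None
    if size > INT32_MAX:
        raise ValueError("LDAP_UNWILLING_TO_PERFORM: nsslapd-dbcachesize exceeds a 32-bit signed integer")
    return size


def dbcachesize_accepted(raw) -> bool:
    """True if the server would accept this nsslapd-dbcachesize value."""
    try:
        validate_dbcachesize(raw)
        return True
    except ValueError:
        return False


def plan_cache_sizes(free_ram_bytes: int, autosize: int = DEFAULT_AUTOSIZE,
                     autosize_split: int = DEFAULT_AUTOSIZE_SPLIT,
                     dbcachesize=None, cachememsize=None) -> dict:
    """Work out the effective database and entry cache sizes.

    autosize > 0: that percentage of free RAM is the shared budget;
    autosize_split is the share of the budget given to the database cache
    (0 falls back to the default of 40) and the remainder is the entry cache.
    autosize == 0: auto-sizing is disabled, as the reference's prose describes,
    so nsslapd-dbcachesize and nsslapd-cachememsize must be given manually.
    """
    if not 0 <= autosize <= 100:
        raise ValueError("nsslapd-cache-autosize must be 0 to 100")
    if not 0 <= autosize_split <= 99:
        raise ValueError("nsslapd-cache-autosize-split must be 0 to 99")
    if autosize == 0:
        if dbcachesize is None or cachememsize is None:
            raise ValueError("auto-sizing disabled: set nsslapd-dbcachesize and nsslapd-cachememsize")
        return {"mode": "manual",
                "db_cache": validate_dbcachesize(dbcachesize),
                "entry_cache": int(cachememsize)}
    split = autosize_split or DEFAULT_AUTOSIZE_SPLIT
    budget = free_ram_bytes * autosize // 100
    db_cache = budget * split // 100
    return {"mode": "auto", "budget": budget,
            "db_cache": db_cache, "entry_cache": budget - db_cache}


if __name__ == "__main__":
    FREE_RAM = 8 * 1024**3  # constructed: 8 GiB of free memory
    print(plan_cache_sizes(FREE_RAM))                       # defaults 10 / 40
    print(plan_cache_sizes(FREE_RAM, autosize=0,
                           dbcachesize="10000000", cachememsize=536870912))
    print(dbcachesize_accepted(2**31))                      # too big for int32
```

Running the planner with the defaults on the 8 GiB sample gives a budget of 858993459 bytes, of which 343597383 go to the database cache and 515396076 to the entry cache; the manual path simply validates and passes through the two explicit sizes.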

4.4.1.5. nsslapd-db-checkpoint-interval

This sets the amount of time in seconds after which the Directory Server sends a checkpoint entry to the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. A checkpoint entry indicates which database operations have been physically written to the directory database. The checkpoint entries are used to determine where in the database transaction log to begin recovery after a system failure. The nsslapd-db-checkpoint-interval attribute is absent from dse.ldif. To change the checkpoint interval, add the attribute to dse.ldif. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, see the "Tuning Directory Server Performance" chapter in the Red Hat Directory Server Administration Guide.

This attribute is provided only for system modification/diagnostics and should be changed
only with the guidance of Red Hat Technical Support or Red Hat Consulting. Inconsistent
settings of this attribute and other configuration attributes may cause the Directory Server
to be unstable.

For more information on database transaction logging, see the "Monitoring Server and
Database Activity" chapter in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Range 10 to 300 seconds

Default Value 60

Syntax Integer

Example nsslapd-db-checkpoint-interval: 120


4.4.1.6. nsslapd-db-circular-logging

This attribute specifies circular logging for the transaction log files. If this attribute is
switched off, old transaction log files are not removed and are kept renamed as old log
transaction files. Turning circular logging off can severely degrade server performance and,
as such, should only be modified with the guidance of Red Hat Technical Support or Red
Hat Consulting.

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-db-circular-logging: on

4.4.1.7. nsslapd-db-compactdb-interval

The Berkeley database does not reuse free pages unless the database is explicitly compacted. The compact operation returns the unused pages to the file system and the database file size shrinks. This parameter defines the interval in seconds at which the database is compacted. Note that compacting the database is resource-intensive, and thus should not be done too frequently.

This setting does not require a server restart to take effect.

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Values 0 (no compaction) to 2147483647 seconds

Default Value 2592000 (30 days)

Syntax Integer

Example nsslapd-db-compactdb-interval: 2592000

4.4.1.8. nsslapd-db-debug

This attribute specifies whether additional error information is to be reported to Directory Server. To report error information, set the parameter to on. This parameter is meant for troubleshooting; enabling the parameter may slow down the Directory Server.

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-db-debug: off

4.4.1.9. nsslapd-db-durable-transactions

This attribute sets whether database transaction log entries are immediately written to the disk. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. With durable transactions enabled, every directory change will always be physically recorded in the log file and, therefore, able to be recovered in the event of a system failure. However, the durable transactions feature may also slow the performance of the Directory Server. When durable transactions are disabled, all transactions are logically written to the database transaction log but may not be physically written to disk immediately. If there were a system failure before a directory change was physically written to disk, that change would not be recoverable. The nsslapd-db-durable-transactions attribute is absent from dse.ldif. To disable durable transactions, add the attribute to dse.ldif.

This attribute is provided only for system modification/diagnostics and should be changed
only with the guidance of Red Hat Technical Support or Red Hat Consulting. Inconsistent
settings of this attribute and other configuration attributes may cause the Directory Server
to be unstable.

For more information on database transaction logging, see the "Monitoring Server and
Database Activity" chapter in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsslapd-db-durable-transactions: on

4.4.1.10. nsslapd-db-home-directory

To move the database to another physical location for performance reasons, use this parameter to specify the home directory.

This situation will occur only for certain combinations of the database cache size, the size of physical memory, and kernel tuning attributes. In particular, this situation should not occur if the database cache size is less than 100 megabytes.

The disk is heavily used (more than 1 megabyte per second of data transfer).

There is a long service time (more than 100ms).

There is mostly write activity.

If these are all true, use the nsslapd-db-home-directory attribute to specify a subdirectory of a tempfs type filesystem.

The directory referenced by the nsslapd-db-home-directory attribute must be a subdirectory of a filesystem of type tempfs (such as /tmp). However, Directory Server does not create the subdirectory referenced by this attribute. This directory must be created either manually or by using a script. Failure to create the directory referenced by the nsslapd-db-home-directory attribute will result in Directory Server being unable to start.

Also, if there are multiple Directory Servers on the same machine, their nsslapd-db-home-directory attributes must be configured with different directories. Failure to do so will result in the databases for both directories becoming corrupted.

The use of this attribute causes internal Directory Server database files to be moved to the directory referenced by the attribute. It is possible, but unlikely, that the server will no longer start after the files have been moved because not enough memory can be allocated. This is a symptom of an overly large database cache size being configured for the server. If this happens, reduce the size of the database cache size to a value where the server will start again.

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Values Any valid directory name in a tempfs filesystem, such as /tmp

Default Value

Syntax DirectoryString

Example nsslapd-db-home-directory: /tmp/slapd-phonebook

4.4.1.11. nsslapd-db-idl-divisor

This attribute specifies the index block size in terms of the number of blocks per database page. The block size is calculated by dividing the database page size by the value of this attribute. A value of 1 makes the block size exactly equal to the page size. The default value of 0 sets the block size to the page size minus an estimated allowance for internal database overhead. For the majority of installations, the default value should not be changed unless there are specific tuning needs.

Before modifying the value of this attribute, export all databases using the db2ldif script.
Once the modification has been made, reload the databases using the ldif2db script.


WARNING

This parameter should only be used by very advanced users.

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Range 0 to 8

Default Value 0

Syntax Integer

Example nsslapd-db-idl-divisor: 2

4.4.1.12. nsslapd-db-locks

Lock mechanisms in Directory Server control how many copies of Directory Server
processes can run at the same time. The nsslapd-db-locks parameter sets the maximum
number of locks.

Only set this parameter to a higher value if Directory Server runs out of locks and logs
libdb: Lock table is out of available locks error messages. If you set a higher
value without a need, this increases the size of the
/var/lib/dirsrv/slapd-instance_name/db__db.* files without any benefit. For more
information about monitoring the logs and determining a realistic value, see the
corresponding section in the Directory Server Performance Tuning Guide.

The service must be restarted for changes to this attribute to take effect.

Parameter Description

Entry DN cn=config,cn=ldbm
database,cn=plugins,cn=config

Valid Range 10000 to 4294967295


Default Value 10000

Syntax Integer

Example nsslapd-db-locks: 10000
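The reference ties any increase of nsslapd-db-locks to one observable condition: the errors log reporting "libdb: Lock table is out of available locks". The Python below is an added example, not a Directory Server tool, that applies exactly that rule: it scans a constructed errors-log excerpt for the message, reports when exhaustion was first seen and how often, checks a proposed value against the documented range of 10000 to 4294967295, and only recommends raising the lock count when the log shows the problem, since a larger lock table otherwise just inflates the db__db.* files. The bracketed timestamp layout of the sample lines and the function names are assumptions of this example.

```python
import re
from typing import List, Optional

DB_LOCKS_MIN, DB_LOCKS_MAX = 10000, 4294967295
LOCK_EXHAUSTED = "libdb: Lock table is out of available locks"

# Timestamp prefix of an errors-log line; the bracketed layout is an
# assumption of this example, not a documented format.
_TIMESTAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]")


def lock_exhaustion_events(log_lines) -> List[str]:
    """Return the timestamp of every line reporting lock-table exhaustion."""
    events = []
    for line in log_lines:
        if LOCK_EXHAUSTED in line:
            match = _TIMESTAMP.match(line)
            events.append(match.group("ts") if match else "<no timestamp>")
    return events


def validate_db_locks(value) -> int:
    """Reject values outside the documented range for nsslapd-db-locks."""
    size = int(value)
    if not DB_LOCKS_MIN <= size <= DB_LOCKS_MAX:
        raise ValueError(f"nsslapd-db-locks must be {DB_LOCKS_MIN} to {DB_LOCKS_MAX}, got {size}")
    return size


def db_locks_in_range(value) -> bool:
    try:
        validate_db_locks(value)
        return True
    except ValueError:
        return False


def assess_db_locks(current_value, log_lines) -> dict:
    """Decide whether nsslapd-db-locks should be raised: only when the errors
    log actually shows exhaustion. Remember the attribute needs a restart."""
    current = validate_db_locks(current_value)
    events = lock_exhaustion_events(log_lines)
    return {
        "current": current,
        "exhaustion_events": len(events),
        "first_seen": events[0] if events else None,
        "raise_recommended": bool(events),
    }


# Constructed sample errors-log excerpt (not real server output).
SAMPLE_ERRORS_LOG = [
    "[07/Jan/2019:10:15:02.123456789 +0100] - INFO - main - slapd started.",
    "[07/Jan/2019:11:42:17.000000000 +0100] - ERR - libdb: Lock table is out of available locks",
    "[07/Jan/2019:11:42:18.250000000 +0100] - ERR - ldbm_back_modify - modify failed, database error",
    "[07/Jan/2019:11:42:19.500000000 +0100] - ERR - libdb: Lock table is out of available locks",
]

if __name__ == "__main__":
    print(assess_db_locks(10000, SAMPLE_ERRORS_LOG))
    print(assess_db_locks(10000, SAMPLE_ERRORS_LOG[:1]))
    print(db_locks_in_range(9999))
```

On the sample the report counts two exhaustion events starting at 11:42:17 and recommends a raise; on the first line alone it recommends leaving the value as it is.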

4.4.1.13. nsslapd-db-logbuf-size

This attribute specifies the log information buffer size. Log information is stored in memory
until the buffer fills up or the transaction commit forces the buffer to be written to disk.
Larger buffer sizes can significantly increase throughput in the presence of long running
transactions, highly concurrent applications, or transactions producing large amounts of
data. The log information buffer size is the transaction log size divided by four.

The nsslapd-db-logbuf-size attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range 32K to maximum 32-bit integer (limited to the amount of memory available on the machine)

Default Value 32K

Syntax Integer

Example nsslapd-db-logbuf-size: 32K

4.4.1.14. nsslapd-db-logdirectory

This attribute specifies the path to the directory that contains the database transaction log.
The database transaction log contains a sequential listing of all recent database operations.
Directory Server uses this information to recover the database after an instance shut down
unexpectedly.

By default, the database transaction log is stored in the same directory as the directory
database. To update this parameter, you must manually update the
/etc/dirsrv/slapd-instance_name/dse.ldif file. For details, see the Changing the
Transaction Log Directory section in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values Any valid path

Default Value

Syntax DirectoryString

Example nsslapd-db-logdirectory: /var/lib/dirsrv/slapd-instance_name/db/

4.4.1.15. nsslapd-db-logfile-size

This attribute specifies the maximum size of a single file in the log in bytes. By default, or if
the value is set to 0, a maximum size of 10 megabytes is used. The maximum size is an
unsigned 4-byte value.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range 0 to unsigned 4-byte integer

Default Value 10MB

Syntax Integer

Example nsslapd-db-logfile-size: 10 MB

4.4.1.16. nsslapd-db-page-size

This attribute specifies the size of the pages used to hold items in the database in bytes.
The minimum size is 512 bytes, and the maximum size is 64 kilobytes. If the page size is
not explicitly set, Directory Server defaults to a page size of 8 kilobytes. Changing this
default value can have a significant performance impact. If the page size is too small, it
results in extensive page splitting and copying, whereas if the page size is too large it can
waste disk space.

Before modifying the value of this attribute, export all databases using the db2ldif script.
Once the modification has been made, reload the databases using the ldif2db script.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range 512 bytes to 64 kilobytes

Default Value 8KB

Syntax Integer

Example nsslapd-db-page-size: 8KB

4.4.1.17. nsslapd-db-spin-count

This attribute specifies the number of times that test-and-set mutexes should spin without
blocking.


WARNING

Never touch this value unless you are very familiar with the inner
workings of Berkeley DB or are specifically told to do so by Red Hat
support.

The default value of 0 causes BDB to calculate the actual value by multiplying the number of available CPU cores (as reported by the nproc utility or the sysconf(_SC_NPROCESSORS_ONLN) call) by 50. For example, on a processor with 8 logical cores, leaving this attribute set to 0 is equivalent to setting it to 400. It is not possible to turn spinning off entirely; to minimize the number of times test-and-set mutexes spin without blocking, set this attribute to 1.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range 0 to 2147483647 (2^31-1)

Default Value 0

Syntax Integer

Example nsslapd-db-spin-count: 0


4.4.1.18. nsslapd-db-transaction-batch-max-wait

If nsslapd-db-transaction-batch-val is set, a separate thread flushes transactions when the configured batch value is reached. However, if there are only a few updates, reaching the batch count might take too long. This parameter sets the latest point at which transactions are flushed, independently of the batch count. The value is defined in milliseconds.


WARNING

This parameter is experimental. Never change its value unless you are
specifically told to do so by the Red Hat support.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range 0 - 2147483647 (value in milliseconds)

Default Value 50

Syntax Integer

Example nsslapd-db-transaction-batch-max-wait: 50

4.4.1.19. nsslapd-db-transaction-batch-min-wait

If nsslapd-db-transaction-batch-val is set, a separate thread flushes transactions when the configured batch value is reached. However, if there are only a few updates, reaching the batch count might take too long. This parameter sets the earliest point at which transactions are flushed, independently of the batch count. The value is defined in milliseconds.


WARNING

This parameter is experimental. Never change its value unless you are
specifically told to do so by the Red Hat support.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range 0 - 2147483647 (value in milliseconds)

Default Value 50

Syntax Integer

Example nsslapd-db-transaction-batch-min-wait: 50

4.4.1.20. nsslapd-db-transaction-batch-val

This attribute specifies how many transactions will be batched before being committed. This
attribute can improve update performance when full transaction durability is not required.
This attribute can be dynamically modified using ldapmodify. For further information on
modifying this attribute, see the "Tuning Directory Server Performance" chapter in the
Red Hat Directory Server Administration Guide.


WARNING

Setting this value will reduce data consistency and may lead to loss of
data. This is because if there is a power outage before the server can
flush the batched transactions, those transactions in the batch will be
lost.

Do not set this value unless specifically requested to do so by Red Hat support.

If this attribute is not defined or is set to a value of 0, transaction batching will be turned
off, and it will be impossible to make remote modifications to this attribute using LDAP.
However, setting this attribute to a value greater than 0 causes the server to delay
committing transactions until the number of queued transactions is equal to the attribute
value. A value greater than 0 also allows modifications to this attribute remotely using
LDAP. A value of 1 for this attribute allows modifications to the attribute setting remotely
using LDAP, but results in no batching behavior. A value of 1 at server startup is therefore
useful for maintaining normal durability while also allowing transaction batching to be
turned on and off remotely when required. Remember that the value for this attribute may
require modifying the nsslapd-db-logbuf-size attribute to ensure sufficient log buffer
size for accommodating the batched transactions.

NOTE

The nsslapd-db-transaction-batch-val attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on.

For more information on database transaction logging, see the "Monitoring Server and
Database Activity" chapter in the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range 0 to 30

Default Value 0 (or turned off)

Syntax Integer

Example nsslapd-db-transaction-batch-val: 5

4.4.1.21. nsslapd-db-trickle-percentage

This attribute ensures that at least the specified percentage of pages in the shared-memory pool are clean, by writing dirty pages to their backing files. This guarantees that a page is always available for reading in new information without having to wait for a write.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range 0 to 100

Default Value 40

Syntax Integer

Example nsslapd-db-trickle-percentage: 40

4.4.1.22. nsslapd-db-verbose

This attribute specifies whether to record additional informational and debugging messages
when searching the log for checkpoints, doing deadlock detection, and performing
recovery. This parameter is meant for troubleshooting, and enabling the parameter may
slow down the Directory Server.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-db-verbose: off

4.4.1.23. nsslapd-dbncache

This attribute can split the LDBM cache into equally sized separate pieces of memory. It is possible to specify caches that are large enough that they cannot be allocated contiguously on some architectures; for example, some systems limit the amount of memory that may be allocated contiguously by a process. If nsslapd-dbncache is 0 or 1, the cache is allocated contiguously in memory. If it is greater than 1, the cache is broken up into ncache equally sized separate pieces of memory.

To configure a dbcache size larger than 4 gigabytes, add the nsslapd-dbncache attribute to cn=config,cn=ldbm database,cn=plugins,cn=config between the nsslapd-dbcachesize and nsslapd-db-logdirectory attribute lines.

Set this value to an integer that is one-quarter (1/4) the amount of memory in gigabytes.
For example, for a 12 gigabyte system, set the nsslapd-dbncache value to 3; for an 8
gigabyte system, set it to 2.

This attribute is provided only for system modification/diagnostics and should be changed
only with the guidance of Red Hat technical support or Red Hat professional services.
Inconsistent settings of this attribute and other configuration attributes may cause the
Directory Server to be unstable.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values 1 to 4

Default Value 1

Syntax Integer

Example nsslapd-dbncache: 1

4.4.1.24. nsslapd-directory

This attribute specifies the absolute path to the database instance. If the database instance is manually created, then this attribute must be included, something which is set by default (and modifiable) in the Directory Server Console. Once the database instance is created, do not modify this path, as any changes risk preventing the server from accessing data.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values Any valid absolute path to the database instance

Default Value

Syntax DirectoryString

Example nsslapd-directory: /var/lib/dirsrv/slapd-instance/db

4.4.1.25. nsslapd-exclude-from-export

This attribute contains a space-separated list of names of attributes to exclude from an entry when a database is exported. This is mainly used for some configuration and operational attributes which are specific to a server instance.

Do not remove any of the default values for this attribute, since that may affect server
performance.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values Any valid attribute

Default Value entrydn entryid dncomp parentid numSubordinates entryusn

Syntax DirectoryString

Example nsslapd-exclude-from-export: entrydn entryid dncomp parentid numSubordinates entryusn

4.4.1.26. nsslapd-idlistscanlimit

This performance-related attribute, present by default, specifies the number of entry IDs
that are searched during a search operation. Attempting to set a value that is not a number
or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error
message, with additional error information explaining the problem. It is advisable to keep
the default value to improve search performance.

For further details, see the corresponding sections in the:

Directory Server Performance Tuning Guide

Directory Server Administration Guide

This parameter can be changed while the server is running, and the new value will affect
subsequent searches.

The corresponding user-level attribute is nsIDListScanLimit.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range 100 to the maximum 32-bit integer value (2147483647) entry IDs

Default Value 4000

Syntax Integer

Example nsslapd-idlistscanlimit: 4000

4.4.1.27. nsslapd-import-cache-autosize

This performance tuning-related attribute automatically sets the size of the import cache
(importCache) to be used during the command-line-based import process of LDIF files to
the database (the ldif2db operation).

In Directory Server, the import operation can be run as a server task or exclusively on the
command-line. In the task mode, the import operation runs as a general Directory Server
operation. The nsslapd-import-cache-autosize attribute enables the import cache to be
set automatically to a predetermined size when the import operation is run on the
command-line. The attribute can also be used by Directory Server during the task mode
import for allocating a specified percentage of free memory for import cache.

By default, the nsslapd-import-cache-autosize attribute is enabled and is set to a value of -1. This value autosizes the import cache for the ldif2db operation only, automatically allocating fifty percent (50%) of the free physical memory for the import cache. The percentage value (50%) is hard-coded and cannot be changed.

Setting the attribute value to 50 (nsslapd-import-cache-autosize: 50) has the same effect on performance during an ldif2db operation. However, such a setting will have the same effect on performance when the import operation is run as a Directory Server task. The -1 value autosizes the import cache just for the ldif2db operation and not for any, including import, general Directory Server tasks.

NOTE

The purpose of a -1 setting is to enable the ldif2db operation to benefit from free physical memory but, at the same time, not compete for valuable memory with the entry cache, which is used for general operations of the Directory Server.

Setting the nsslapd-import-cache-autosize attribute value to 0 turns off the import cache autosizing feature - that is, no autosizing occurs during either mode of the import operation. Instead, Directory Server uses the nsslapd-import-cachesize attribute for import cache size, with a default value of 20000000.

There are three caches in the context of Directory Server: database cache, entry cache,
and import cache. The import cache is only used during the import operation. The
nsslapd-cache-autosize attribute, which is used for autosizing the entry cache and
database cache, is used during the Directory Server operations only and not during the
ldif2db command-line operation; the attribute value is the percentage of free physical
memory to be allocated for the entry cache and database cache.

If both the autosizing attributes, nsslapd-cache-autosize and nsslapd-import-cache-autosize, are enabled, ensure that their sum is less than 100.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range -1, 0 (turns import cache autosizing off) to 100

Default Value -1 (turns import cache autosizing on for ldif2db only and allocates 50% of the free physical memory to import cache)

Syntax Integer

Example nsslapd-import-cache-autosize: -1

4.4.1.28. nsslapd-import-cachesize

This performance tuning-related attribute determines the size, in bytes, of the database
cache used in the bulk import process. Setting this attribute value so that the maximum
available system physical memory is used for the database cache during bulk importing
optimizes bulk import speed. Attempting to set a value that is not a number or is too big for
a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message, with
additional error information explaining the problem.

NOTE

A cache is created for each load that occurs. For example, if the user sets the
nsslapd-import-cachesize attribute to 1 gigabyte, then 1 gigabyte is used
when loading one database, 2 gigabytes is used when loading two databases,
and so on. Ensure there is sufficient physical memory to prevent swapping
from occurring, as this would result in performance degradation.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range 500 kilobytes to 4 gigabytes for 32-bit platforms and 500 kilobytes to 2^64-1 for 64-bit platforms

Default Value 20000000

Syntax Integer

Example nsslapd-import-cachesize: 20000000

4.4.1.29. nsslapd-lookthroughlimit

This performance-related attribute specifies the maximum number of entries that the
Directory Server will check when examining candidate entries in response to a search
request. The Directory Manager DN, however, is, by default, unlimited and overrides any
other settings specified here. It is worth noting that binder-based resource limits work for
this limit, which means that if a value for the operational attribute nsLookThroughLimit is
present in the entry as which a user binds, the default limit will be overridden. Attempting
to set a value that is not a number or is too big for a 32-bit signed integer returns an
LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining
the problem.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range -1 to maximum 32-bit integer in entries (where -1 is unlimited)

Default Value 5000

Syntax Integer

Example nsslapd-lookthroughlimit: 5000

4.4.1.30. nsslapd-mode

This attribute specifies the permissions used for newly created index files.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values Any four-digit octal number. However, mode 0600 is recommended. This allows read and write access for the owner of the index files (which is the user as whom the ns-slapd runs) and no access for other users.

Default Value 600

Syntax Integer

Example nsslapd-mode: 0600

4.4.1.31. nsslapd-pagedidlistscanlimit

This performance-related attribute specifies the number of entry IDs that are searched,
specifically, for a search operation using the simple paged results control.

This attribute works the same as the nsslapd-idlistscanlimit attribute, except that it
only applies to searches with the simple paged results control.

If this attribute is not present or is set to zero, then the nsslapd-idlistscanlimit is used for paged searches as well as non-paged searches.

The corresponding user-level attribute is nsPagedIDListScanLimit.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range -1 to maximum 32-bit integer in entries (where -1 is unlimited)

Default Value 0

Syntax Integer

Example nsslapd-pagedidlistscanlimit: 5000

4.4.1.32. nsslapd-pagedlookthroughlimit

This performance-related attribute specifies the maximum number of entries that the
Directory Server will check when examining candidate entries for a search which uses the
simple paged results control.

This attribute works the same as the nsslapd-lookthroughlimit attribute, except that it
only applies to searches with the simple paged results control.

If this attribute is not present or is set to zero, then the nsslapd-lookthroughlimit is used for paged searches as well as non-paged searches.

The corresponding user-level attribute is nsPagedLookThroughLimit.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range -1 to maximum 32-bit integer in entries (where -1 is unlimited)

Default Value 0

Syntax Integer

Example nsslapd-pagedlookthroughlimit: 25000

4.4.1.33. nsslapd-rangelookthroughlimit

This performance-related attribute specifies the maximum number of entries that the
Directory Server will check when examining candidate entries in response to a range
search request.

Range searches use operators to set a bracket to search for and return an entire subset of
entries within the directory. For example, this searches for every entry modified at or after
midnight on January 1:

(modifyTimestamp>=20190101010101Z)

The nature of a range search is that it must evaluate every single entry within the directory
to see if it is within the range given. Essentially, a range search is always an all IDs search.

For most users, the look-through limit kicks in and prevents range searches from turning
into an all IDs search. This improves overall performance and speeds up range search
results. However, some clients or administrative users like Directory Manager may not have
a look-through limit set. In that case, a range search can take several minutes to complete
or even continue indefinitely.

The nsslapd-rangelookthroughlimit attribute sets a separate range look-through limit that applies to all users, including Directory Manager.

This allows clients and administrative users to have high look-through limits while still
allowing a reasonable limit to be set on potentially performance-impaired range searches.

NOTE

Unlike other resource limits, this applies to searches by any user, including
the Directory Manager, regular users, and other LDAP clients.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range -1 to maximum 32-bit integer in entries (where -1 is unlimited)

Default Value 5000

Syntax Integer

Example nsslapd-rangelookthroughlimit: 5000

4.4.1.34. nsslapd-subtree-rename-switch

Every directory entry is stored as a key in an entry index file. The index key maps the
current entry DN to its meta entry in the index. This mapping is done either by the RDN of
the entry or by the full DN of the entry.

When a subtree entry is allowed to be renamed (meaning, an entry with children entries,
effectively renaming the whole subtree), its entries are stored in the entryrdn.db index,
which associates parent and child entries by an assigned ID rather than their DN. If subtree
rename operations are not allowed, then the entryrdn.db index is disabled and the
entrydn.db index is used, which simply uses full DNs, with the implicit parent-child
relationships.

Parameter Description

Entry DN cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values off | on

Default Value on

Syntax DirectoryString

Example nsslapd-subtree-rename-switch: on

4.4.2. Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config

Global read-only attributes containing database statistics for monitoring activity on the databases are stored in the cn=monitor,cn=ldbm database,cn=plugins,cn=config tree node. For more information on these entries, see the "Monitoring Server and Database Activity" chapter in the Red Hat Directory Server Administration Guide.

dbcachehits
This attribute shows the requested pages found in the database.

dbcachetries
This attribute shows the total cache lookups.

dbcachehitratio
This attribute shows the percentage of requested pages found in the database cache
(hits/tries).

dbcachepagein
This attribute shows the pages read into the database cache.

dbcachepageout
This attribute shows the pages written from the database cache to the backing file.

dbcacheroevict
This attribute shows the clean pages forced from the cache.

dbcacherwevict
This attribute shows the dirty pages forced from the cache.

4.4.3. Database Attributes under cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and cn=userRoot,cn=ldbm database,cn=plugins,cn=config

The cn=NetscapeRoot and cn=userRoot subtrees contain configuration data for, or the
definition of, the databases containing the o=NetscapeRoot and o=userRoot suffixes. The
cn=NetscapeRoot subtree contains the configuration data used by the
Administration Server for authentication and all actions that cannot be performed through
LDAP (such as start/stop), and the cn=userRoot subtree contains all the configuration data
for the user-defined database.

The cn=userRoot subtree is called userRoot by default. However, this is not hard-coded
and, given the fact that there are going to be multiple database instances, this name is
changed and defined by the user as and when new databases are added. The cn=userRoot
database referenced can be any user database.

The following attributes are common to both the cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and the user database, such as cn=userRoot or cn=database_name,cn=ldbm database,cn=plugins,cn=config subtrees.

4.4.3.1. nsslapd-cachesize

This attribute has been deprecated. To resize the entry cache, use nsslapd-cachememsize.

This performance tuning-related attribute specifies the cache size in terms of the number of entries it can hold. However, this attribute is deprecated in favor of the nsslapd-cachememsize attribute, which sets an absolute allocation of RAM for the entry cache size, as described in Section 4.4.3.2, “nsslapd-cachememsize”.

Attempting to set a value that is not a number or is too big for a 32-bit signed integer (on
32-bit systems) returns an LDAP_UNWILLING_TO_PERFORM error message with additional
error information explaining the problem.

The server has to be restarted for changes to this attribute to go into effect.

NOTE

The performance counter for this setting goes to the highest 64-bit integer,
even on 32-bit systems, but the setting itself is limited on 32-bit systems to
the highest 32-bit integer because of how the system addresses memory.

Parameter Description

Entry DN cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Range 1 to 2^32-1 on 32-bit systems or 2^63-1 on 64-bit systems or -1, which means limitless

Default Value -1

Syntax Integer

Example nsslapd-cachesize: -1

4.4.3.2. nsslapd-cachememsize

This performance tuning-related attribute specifies the size, in bytes, for the available
memory space for the entry cache. The simplest method is limiting cache size in terms of
memory occupied. Activating automatic cache resizing overrides this attribute, replacing
these values with its own guessed values at a later stage of the server startup.

Attempting to set a value that is not a number or is too big for a 32-bit signed integer (on
32-bit systems) returns an LDAP_UNWILLING_TO_PERFORM error message with additional
error information explaining the problem.

The performance counter for this setting goes to the highest 64-bit integer, even on 32-bit
systems, but the setting itself is limited on 32-bit systems to the highest 32-bit integer
because of how the system addresses memory.

NOTE

Do not set the database cache size manually. Red Hat recommends using the entry cache auto-sizing feature for optimized performance. For further details, see the corresponding section in the Red Hat Directory Server Performance Tuning Guide.

Parameter Description

Entry DN cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Range 500 kilobytes to 2^64-1 on 64-bit systems

Default Value 209715200 (200 MiB)

Syntax Integer

Example nsslapd-cachememsize: 209715200

4.4.3.3. nsslapd-directory

This attribute specifies the path to the database instance. If it is a relative path, it starts
from the path specified by nsslapd-directory in the global database entry
cn=config,cn=ldbm database,cn=plugins,cn=config. The database instance directory is
named after the instance name and located in the global database directory, by default.
After the database instance has been created, do not modify this path, because any
changes risk preventing the server from accessing data.

Parameter Description

Entry DN cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Values Any valid path to the database instance

Default Value

Syntax DirectoryString

Example nsslapd-directory: /var/lib/dirsrv/slapd-instance/db/userRoot

4.4.3.4. nsslapd-dncachememsize

This performance tuning-related attribute specifies the size, in bytes, of the available memory space for the DN cache. The DN cache is similar to the entry cache for a database, except that its table stores only the entry ID and the entry DN. This allows faster lookups for rename and moddn operations.

The simplest method is limiting cache size in terms of memory occupied.

Attempting to set a value that is not a number or is too big for a 32-bit signed integer (on
32-bit systems) returns an LDAP_UNWILLING_TO_PERFORM error message with additional
error information explaining the problem.

NOTE

The performance counter for this setting goes to the highest 64-bit integer,
even on 32-bit systems, but the setting itself is limited on 32-bit systems to
the highest 32-bit integer because of how the system addresses memory.

Parameter Description

Entry DN cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Range 500 kilobytes to 2^32-1 on 32-bit systems and to 2^64-1 on 64-bit systems

Default Value 10,485,760 (10 megabytes)

Syntax Integer

Example nsslapd-dncachememsize: 10485760

4.4.3.5. nsslapd-readonly

This attribute specifies read-only mode for a single back-end instance. If this attribute has a
value of off, then users have all read, write, and execute permissions allowed by their
access permissions.

Parameter Description

Entry DN cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-readonly: off

4.4.3.6. nsslapd-require-index

When set to on, this attribute makes the server refuse unindexed searches. This performance-related attribute prevents erroneous searches from saturating the server.

Parameter Description

Entry DN cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsslapd-require-index: off
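The following Python is an added example, not code from this reference or from Directory Server. It reads a constructed dse.ldif excerpt and checks the global attributes of Section 4.4.1 (nsslapd-mode, nsslapd-db-locks, nsslapd-db-transaction-batch-val, nsslapd-rangelookthroughlimit, the nsslapd-cache-autosize plus nsslapd-import-cache-autosize sum, and the documented value ranges) together with the per-backend attributes of Section 4.4.3 (nsslapd-require-index, nsslapd-suffix). The small LDIF parser, the sample values, and the wording of the findings are this example's own; the entry DNs, attribute names, and ranges are the ones documented above.

```python
"""Added example, not Red Hat Directory Server code: audit ldbm settings in a
dse.ldif against the ranges and recommendations documented in 4.4.1 and 4.4.3.
SAMPLE_DSE_LDIF is a constructed excerpt whose values deliberately trigger findings."""
import base64
from typing import Dict, List, Optional, Tuple

GLOBAL_DN = "cn=config,cn=ldbm database,cn=plugins,cn=config"
LDBM_SUFFIX = ",cn=ldbm database,cn=plugins,cn=config"

# Constructed excerpt: the global ldbm entry plus one backend (userRoot).
SAMPLE_DSE_LDIF = """\
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-mode: 0644
nsslapd-db-locks: 5000
nsslapd-db-transaction-batch-val: 5
nsslapd-rangelookthroughlimit: -1
nsslapd-cache-autosize: 60
nsslapd-import-cache-autosize: 50

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-suffix: dc=example,dc=com
nsslapd-require-index: off
"""

# (attribute, minimum, maximum) from the "Valid Range" rows in Section 4.4.1.
GLOBAL_RANGES: List[Tuple[str, int, int]] = [
    ("nsslapd-db-idl-divisor", 0, 8),
    ("nsslapd-db-locks", 10000, 4294967295),
    ("nsslapd-db-transaction-batch-val", 0, 30),
    ("nsslapd-db-trickle-percentage", 0, 100),
    ("nsslapd-dbncache", 1, 4),
    ("nsslapd-idlistscanlimit", 100, 2147483647),
    ("nsslapd-lookthroughlimit", -1, 2147483647),
]


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    base64 values ("attr:: ..."), lower-cases names and DNs; returns {dn: {attr: [values]}}."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in text.strip().split("\n\n"):
        unfolded: List[str] = []
        for line in block.splitlines():
            if line.startswith(" ") and unfolded:
                unfolded[-1] += line[1:]        # LDIF line folding
            elif line and not line.startswith("#"):
                unfolded.append(line)
        attrs: Dict[str, List[str]] = {}
        for line in unfolded:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):           # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn", [""])[0].lower()] = attrs
    return entries


def first_int(attrs: Dict[str, List[str]], name: str) -> Optional[int]:
    values = attrs.get(name)
    return int(values[0]) if values else None


def check_global(attrs: Dict[str, List[str]]) -> List[str]:
    """Findings for cn=config,cn=ldbm database,cn=plugins,cn=config."""
    findings: List[str] = []
    for name, lo, hi in GLOBAL_RANGES:
        value = first_int(attrs, name)
        if value is not None and not lo <= value <= hi:
            findings.append(f"{name}={value} is outside the documented range {lo}..{hi}")
    mode = attrs.get("nsslapd-mode", ["0600"])[0]
    if mode.lstrip("0") != "600":
        findings.append(f"nsslapd-mode={mode}: index files accessible beyond the ns-slapd user; 0600 is recommended")
    batch = first_int(attrs, "nsslapd-db-transaction-batch-val") or 0
    if batch > 1:   # 1 keeps normal durability; larger values batch commits
        findings.append(f"nsslapd-db-transaction-batch-val={batch}: unflushed transactions are lost on a power outage")
    if first_int(attrs, "nsslapd-rangelookthroughlimit") == -1:
        findings.append("nsslapd-rangelookthroughlimit=-1: range searches are unbounded for every user, including Directory Manager")
    cache = first_int(attrs, "nsslapd-cache-autosize") or 0
    imp = first_int(attrs, "nsslapd-import-cache-autosize") or 0
    if cache > 0 and imp > 0 and cache + imp >= 100:
        findings.append(f"nsslapd-cache-autosize + nsslapd-import-cache-autosize = {cache + imp}; the sum must stay below 100")
    return findings


def check_backend(dn: str, attrs: Dict[str, List[str]]) -> List[str]:
    findings: List[str] = []
    if attrs.get("nsslapd-require-index", ["off"])[0].lower() != "on":
        findings.append(f"{dn}: nsslapd-require-index is off, so unindexed searches are accepted")
    if len(attrs.get("nsslapd-suffix", [])) != 1:
        findings.append(f"{dn}: exactly one nsslapd-suffix value is expected")
    return findings


def audit(ldif_text: str) -> List[str]:
    """Run the global and per-backend checks over a dse.ldif text."""
    entries = parse_ldif(ldif_text)
    findings = check_global(entries.get(GLOBAL_DN, {}))
    for dn, attrs in entries.items():
        # Backends sit directly under the ldbm database entry, next to
        # cn=config and cn=monitor, which are not backends.
        is_child = dn.endswith(LDBM_SUFFIX) and dn.count(",") == 3
        if is_child and dn not in (GLOBAL_DN, "cn=monitor" + LDBM_SUFFIX):
            findings.extend(check_backend(dn, attrs))
    return findings
```

Running audit(SAMPLE_DSE_LDIF) reports six findings for the constructed excerpt; an excerpt with nsslapd-mode: 0600, no batching, a bounded range look-through limit and nsslapd-require-index: on on the backend produces none. The checks are read-only: any change they suggest still goes through ldapmodify or an edit of dse.ldif with the restart requirements stated for each attribute above.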

4.4.3.7. nsslapd-suffix

This attribute specifies the suffix of the database link. This is a single-valued attribute
because each database instance can have only one suffix. Previously, it was possible to
have more than one suffix on a single database instance, but this is no longer the case. As a
result, this attribute is single-valued to enforce the fact that each database instance can
only have one suffix entry. Any changes made to this attribute after the entry has been
created take effect only after the server containing the database link is restarted.

Parameter Description

Entry DN cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Values Any valid DN

Default Value

Syntax DirectoryString

Example nsslapd-suffix: o=NetscapeRoot

4.4.3.8. vlvBase

This attribute sets the base DN for which the browsing or virtual list view (VLV) index is
created.

For more information on VLV indexes, see the indexing chapter in the Administration Guide.

NOTE

This attribute is only available to user databases like userRoot, not


configuration databases like o=NetscapeRoot.

327
Configuration, Command, and File Reference

Parameter Description

Entry DN cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

Valid Values Any valid DN

Default Value

Syntax DirectoryString

Example vlvBase: ou=People,dc=example,dc=com

4.4.3.9. vlvEnabled

This attribute sets whether the browsing or virtual list view (VLV) index is enabled.

For more information on VLV indexes, see the indexing chapter in the Administration Guide.

NOTE

This attribute is only available to user databases like userRoot, not
configuration databases like o=NetscapeRoot.

Parameter Description

Entry DN cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

Valid Values 0 (disabled) | 1 (enabled)

Default Value 1

Syntax DirectoryString

Example vlvEnabled: 0

4.4.3.10. vlvFilter

The browsing or virtual list view (VLV) index is created by running a search according to a
filter and including entries which match that filter in the index. The filter is specified in the
vlvFilter attribute.

For more information on VLV indexes, see the indexing chapter in the Administration Guide.


NOTE

This attribute is only available to user databases like userRoot, not
configuration databases like o=NetscapeRoot.

Parameter Description

Entry DN cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

Valid Values Any valid LDAP filter

Default Value

Syntax DirectoryString

Example vlvFilter: (|(objectclass=*)(objectclass=ldapsubentry))

4.4.3.11. vlvIndex (Object Class)

A browsing index or virtual list view (VLV) index dynamically generates an abbreviated
index of entry headers that makes it much faster to visually browse large indexes. A VLV
index definition has two parts: one which defines the index and one which defines the
search used to identify entries to add to the index. The vlvIndex object class defines the
index entry.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.42

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn Gives the common name of the entry.

vlvSort Identifies the attribute list that the browsing index (virtual list view index) is sorted on.

Allowed Attributes


Attribute Definition

vlvEnabled Stores the availability of the browsing index.

vlvUses Contains the count the browsing index is used.

4.4.3.12. vlvScope

This attribute sets the scope of the search to run for entries in the browsing or virtual list
view (VLV) index.

For more information on VLV indexes, see the indexing chapter in the Administration Guide.

NOTE

This attribute is only available to user databases like userRoot, not
configuration databases like o=NetscapeRoot.

Parameter Description

Entry DN cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

Valid Values 1 (one-level or children search) | 2 (subtree search)

Default Value

Syntax Integer

Example vlvScope: 2

4.4.3.13. vlvSearch (Object Class)

A browsing index or virtual list view (VLV) index dynamically generates an abbreviated
index of entry headers that makes it much faster to visually browse large indexes. A VLV
index definition has two parts: one which defines the index and one which defines the
search used to identify entries to add to the index. The vlvSearch object class defines the
search filter entry.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.38

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

vlvBase Identifies the base DN under which the browsing index is created.

vlvScope Identifies the scope of the search that defines the browsing index.

vlvFilter Identifies the filter string that defines the browsing index.

Allowed Attributes

Attribute Definition

multiLineDescription Gives a text description of the entry.

4.4.3.14. vlvSort

This attribute sets the sort order for returned entries in the browsing or virtual list view
(VLV) index.

NOTE

The entry for this attribute is a vlvIndex entry beneath the vlvSearch entry.

For more information on VLV indexes, see the indexing chapter in the Administration Guide.

NOTE

This attribute is only available to user databases like userRoot, not
configuration databases like o=NetscapeRoot.

Parameter Description

Entry DN cn=index_name,cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

Valid Values Any Directory Server attributes, in a space-separated list


Default Value

Syntax DirectoryString

Example vlvSort: cn givenName o ou sn

4.4.3.15. vlvUses

This attribute contains the number of times the browsing or virtual list view (VLV) index has been used.

For more information on VLV indexes, see the indexing chapter in the Administration Guide.

NOTE

This attribute is only available to user databases like userRoot, not
configuration databases like o=NetscapeRoot.

Parameter Description

Entry DN cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

Valid Values N/A

Default Value

Syntax DirectoryString

Example vlvUses: 800

4.4.4. Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

The attributes in this tree node entry are all read-only, database performance counters.

If the nsslapd-counters attribute in cn=config is set to on, then some of the counters kept
by the Directory Server instance increment using 64-bit integers, even on 32-bit machines
or with a 32-bit version of Directory Server. For database monitoring, the entrycachehits
and entrycachetries counters use 64-bit integers.

NOTE

The nsslapd-counters attribute enables 64-bit support for these specific
database and server counters. The counters which use 64-bit integers are not
configurable; the 64-bit integers are either enabled for all the allowed
counters or disabled for all allowed counters.


currentNormalizedDNcachecount
Number of normalized cached DNs.

currentNormalizedDNcachesize
Current size of the normalized DN cache in bytes.

normalizedDNcachehitratio
Percentage of the normalized DNs found in the cache.

normalizedDNcachehits
Normalized DNs found within the cache.

normalizedDNcachemisses
Normalized DNs not found within the cache.

normalizedDNcachetries
Total number of cache lookups since the instance was started.

maxNormalizedDNcachesize
Current value of the nsslapd-ndn-cache-max-size parameter. For details how to update
this setting, see Section 3.1.1.126, “nsslapd-ndn-cache-max-size”.

4.4.5. Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config

The attributes in this tree node entry are all read-only, database performance counters. All
of the values for these attributes are 32-bit integers, except for entrycachehits and
entrycachetries.

If the nsslapd-counters attribute in cn=config is set to on, then some of the counters kept
by the Directory Server instance increment using 64-bit integers, even on 32-bit machines
or with a 32-bit version of Directory Server. For the database monitoring, the
entrycachehits and entrycachetries counters use 64-bit integers.

NOTE

The nsslapd-counters attribute enables 64-bit support for these specific
database and server counters. The counters which use 64-bit integers are not
configurable; the 64-bit integers are either enabled for all the allowed
counters or disabled for all allowed counters.

nsslapd-db-abort-rate
This attribute shows the number of transactions that have been aborted.

nsslapd-db-active-txns
This attribute shows the number of transactions that are currently active.

nsslapd-db-cache-hit
This attribute shows the requested pages found in the cache.

nsslapd-db-cache-try
This attribute shows the total cache lookups.

nsslapd-db-cache-region-wait-rate
This attribute shows the number of times that a thread of control was forced to wait before
obtaining the region lock.

nsslapd-db-cache-size-bytes
This attribute shows the total cache size in bytes.

nsslapd-db-clean-pages
This attribute shows the clean pages currently in the cache.

nsslapd-db-commit-rate
This attribute shows the number of transactions that have been committed.

nsslapd-db-deadlock-rate
This attribute shows the number of deadlocks detected.

nsslapd-db-dirty-pages
This attribute shows the dirty pages currently in the cache.

nsslapd-db-hash-buckets
This attribute shows the number of hash buckets in buffer hash table.

nsslapd-db-hash-elements-examine-rate
This attribute shows the total number of hash elements traversed during hash table
lookups.

nsslapd-db-hash-search-rate
This attribute shows the total number of buffer hash table lookups.

nsslapd-db-lock-conflicts
This attribute shows the total number of locks not immediately available due to conflicts.

nsslapd-db-lock-region-wait-rate
This attribute shows the number of times that a thread of control was forced to wait before
obtaining the region lock.

nsslapd-db-lock-request-rate
This attribute shows the total number of locks requested.

nsslapd-db-lockers
This attribute shows the number of current lockers.

nsslapd-db-log-bytes-since-checkpoint
This attribute shows the number of bytes written to this log since the last checkpoint.

nsslapd-db-log-region-wait-rate
This attribute shows the number of times that a thread of control was forced to wait before
obtaining the region lock.

nsslapd-db-log-write-rate
This attribute shows the number of megabytes and bytes written to this log.

nsslapd-db-longest-chain-length
This attribute shows the longest chain ever encountered in buffer hash table lookups.

nsslapd-db-page-create-rate
This attribute shows the pages created in the cache.

nsslapd-db-page-read-rate
This attribute shows the pages read into the cache.

nsslapd-db-page-ro-evict-rate
This attribute shows the clean pages forced from the cache.

nsslapd-db-page-rw-evict-rate
This attribute shows the dirty pages forced from the cache.

nsslapd-db-page-trickle-rate
This attribute shows the dirty pages written using the memp_trickle interface.

nsslapd-db-page-write-rate
This attribute shows the pages written from the cache to disk.

nsslapd-db-pages-in-use
This attribute shows all pages, clean or dirty, currently in use.

nsslapd-db-txn-region-wait-rate
This attribute shows the number of times that a thread of control was forced to wait before
obtaining the region lock.

currentdncachecount
This attribute shows the number of DNs currently present in the DN cache.

currentdncachesize
This attribute shows the total size, in bytes, of DNs currently present in the DN cache.

maxdncachesize
This attribute shows the maximum size, in bytes, of DNs that can be maintained in the
database DN cache.
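The counters in Section 4.4.4 and Section 4.4.5 are cumulative since the instance started, and the nsslapd-db-* ones are 32-bit, so a monitoring script that subtracts two readings has to allow for wraparound. The following is an added example, not code from this reference or from Directory Server: it parses two constructed cn=monitor snapshots, computes per-interval deltas, treats entrycachehits and entrycachetries as 64-bit only when nsslapd-counters is on, and derives the database cache hit ratio for the interval. The sample values are chosen so that the page cache counters wrap between the two readings.

```python
# Constructed cn=monitor snapshots (not from the page). The db cache counters
# are chosen to wrap past 2^32 between the two readings.
SAMPLE_T0 = """\
dn: cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-hit: 4294960000
nsslapd-db-cache-try: 4294966000
nsslapd-db-abort-rate: 7
nsslapd-db-deadlock-rate: 2
entrycachehits: 5000000000
entrycachetries: 5000100000
"""
SAMPLE_T1 = """\
dn: cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-hit: 2000
nsslapd-db-cache-try: 9000
nsslapd-db-abort-rate: 7
nsslapd-db-deadlock-rate: 5
entrycachehits: 5000001000
entrycachetries: 5000101500
"""

# The only counters this chapter says become 64-bit when nsslapd-counters is on.
WIDE_WHEN_COUNTERS_ON = {"entrycachehits", "entrycachetries"}


def parse_monitor(text):
    """Read 'attribute: integer' lines from an LDIF-style monitor entry."""
    counters = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not name.startswith("dn") and value.strip().lstrip("-").isdigit():
            counters[name.strip().lower()] = int(value.strip())
    return counters


def counter_delta(old, new, width_bits):
    """Increase of a monotonic unsigned counter between two readings,
    assuming at most one wrap of a width_bits-wide integer."""
    if new >= old:
        return new - old
    return new + (1 << width_bits) - old


def interval_deltas(t0, t1, counters_on):
    """Per-counter increase between snapshots t0 and t1. counters_on mirrors
    nsslapd-counters: only then are the entry cache counters 64-bit wide."""
    deltas = {}
    for name, new in t1.items():
        if name not in t0:
            continue
        bits = 64 if counters_on and name in WIDE_WHEN_COUNTERS_ON else 32
        deltas[name] = counter_delta(t0[name], new, bits)
    return deltas


def hit_ratio(deltas, hits, tries):
    """Fraction of cache lookups satisfied from the cache during the
    interval, or None when there were no lookups."""
    t = deltas.get(tries, 0)
    return deltas.get(hits, 0) / t if t else None


if __name__ == "__main__":
    d = interval_deltas(parse_monitor(SAMPLE_T0), parse_monitor(SAMPLE_T1), counters_on=True)
    for name in sorted(d):
        print("%-28s +%d" % (name, d[name]))
    print("db cache hit ratio: %.3f" % hit_ratio(d, "nsslapd-db-cache-hit", "nsslapd-db-cache-try"))
```

A naive subtraction of the two page cache readings would give a large negative number; the wrap-aware delta gives 9296 hits out of 10296 lookups for the interval. Feed the script with two ldapsearch dumps of the monitor entry taken a known number of seconds apart to turn the deltas into rates.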

4.4.6. Database Attributes under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

The set of default indexes is stored here. Default indexes are configured per back end in
order to optimize Directory Server functionality for the majority of setup scenarios. All
indexes, except system-essential ones, can be removed, but care should be taken so as not
to cause unnecessary disruptions. For further information on indexes, see the "Managing
Indexes" chapter in the Red Hat Directory Server Administration Guide.

4.4.6.1. cn

This attribute provides the name of the attribute to index.

Parameter Description

Entry DN cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values Any valid index cn

Default Value None

Syntax DirectoryString

Example cn: aci

4.4.6.2. nsIndex

This object class defines an index in the back end database. This object is defined in
Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.44

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn Gives the common name of the entry.

nsSystemIndex Identifies whether or not the index is a system-defined index.

Allowed Attributes

Attribute Definition


description Gives a text description of the entry.

nsIndexType Identifies the index type.

nsMatchingRule Identifies the matching rule.

4.4.6.3. nsIndexType

This optional, multi-valued attribute specifies which index types Directory Server maintains
for the attribute named by cn. Each required index type is entered as a separate value on its
own line.

Parameter Description

Entry DN cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values
pres = presence index
eq = equality index
approx = approximate index
sub = substring index
matching rule = international index
index browse = browsing index

Default Value

Syntax DirectoryString

Example nsIndexType: eq

4.4.6.4. nsMatchingRule

This optional, multi-valued attribute specifies the ordering matching rule name or OID used
to match values and to generate index keys for the attribute. This is most commonly used
to ensure that equality and range searches work correctly for languages other than English
(7-bit ASCII).

This is also used to allow range searches to work correctly for integer syntax attributes that
do not specify an ordering matching rule in their schema definition. uidNumber and
gidNumber are two commonly used attributes that fall into this category.

For example, for a uidNumber that uses integer syntax, the rule attribute could be
nsMatchingRule: integerOrderingMatch.


NOTE

Any change to this attribute will not take effect until the change is saved and
the index is rebuilt using db2index, which is described in more detail in the
"Managing Indexes" chapter of the Red Hat Directory Server Administration Guide.

Parameter Description

Entry DN cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values Any valid collation order object identifier (OID)

Default Value None

Syntax DirectoryString

Example nsMatchingRule: 2.16.840.1.113730.3.3.2.3.1 (for Bulgarian)

4.4.6.5. nsSystemIndex

This mandatory attribute specifies whether the index is a system index, an index which is
vital for Directory Server operations. If this attribute has a value of true, then it is system-
essential. System indexes should not be removed, as this will seriously disrupt server
functionality.

Parameter Description

Entry DN cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values true | false

Default Value

Syntax DirectoryString

Example nssystemindex: true

4.4.7. Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
This section covers global, read-only entries for monitoring activity on the NetscapeRoot
database. The attributes containing database statistics are given for each file that makes
up the database. For further information, see the "Monitoring Server and Database Activity"
chapter in the Red Hat Directory Server Administration Guide.

dbfilenamenumber
This attribute gives the name of the file and provides a sequential integer identifier
(starting at 0) for the file. All associated statistics for the file are given this same numerical
identifier.

dbfilecachehit
This attribute gives the number of times that a search requiring data from this file was
performed and that the data were successfully obtained from the cache.

dbfilecachemiss
This attribute gives the number of times that a search requiring data from this file was
performed and that the data could not be obtained from the cache.

dbfilepagein
This attribute gives the number of pages brought to the cache from this file.

dbfilepageout
This attribute gives the number of pages for this file written from cache to disk.

4.4.8. Database Attributes under cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
and cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
In addition to the set of default indexes that are stored under cn=default
indexes,cn=config,cn=ldbm database,cn=plugins,cn=config, custom indexes can be
created for o=NetscapeRoot, o=UserRoot, and user-defined back end instances; these are
stored under cn=index, cn=database_name, cn=ldbm database,cn=plugins,cn=config.
Each indexed attribute represents a subentry under the cn=config information tree nodes,
as shown in the following diagram:

Figure 4.2. Indexed Attribute Representing a Subentry

For example, the index file for the aci attribute under o=UserRoot appears in the
Directory Server as follows:

dn:cn=aci,cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
objectclass:top
objectclass:nsIndex
cn:aci
nsSystemIndex:true
nsIndexType:pres


These entries share all of the indexing attributes listed for the default indexes in
Section 4.4.6, “Database Attributes under cn=default indexes,cn=config,cn=ldbm
database,cn=plugins,cn=config”. For further information about indexes, see the "Managing
Indexes" chapter in the Red Hat Directory Server Administration Guide.

4.4.8.1. nsIndexIDListScanLimit

This multi-valued parameter sets a search (ID list scan) limit for a specific index, or
instructs the server not to use the index's ID list at all, for matching search types and
values. For the value format and its effect, see the corresponding section in the Directory
Server Performance Tuning Guide.

Parameter Description

Entry DN cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Values See the corresponding section in the Directory Server Performance Tuning Guide.

Default Value

Syntax DirectoryString

Example nsIndexIDListScanLimit: limit=0 type=eq values=inetorgperson

4.4.8.2. nsSubStrBegin

By default, for a search to be indexed, the search string must be at least three characters
long, without counting any wildcard characters. For example, the string abc would be an
indexed search while ab* would not be. Indexed searches are significantly faster than
unindexed searches, so changing the minimum length of the search key is helpful to
increase the number of indexed searches.

This substring length can be edited based on the position of any wildcard characters. The
nsSubStrBegin attribute sets the required number of characters for an indexed search for
the beginning of a search string, before the wildcard. For example:

abc*

If the value of this attribute is changed, then the index must be regenerated using
db2index.

Parameter Description

Entry DN cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Values Any integer


Default Value 3

Syntax Integer

Example nsSubStrBegin: 2

4.4.8.3. nsSubStrEnd

By default, for a search to be indexed, the search string must be at least three characters
long, without counting any wildcard characters. For example, the string abc would be an
indexed search while ab* would not be. Indexed searches are significantly faster than
unindexed searches, so changing the minimum length of the search key is helpful to
increase the number of indexed searches.

This substring length can be edited based on the position of any wildcard characters. The
nsSubStrEnd attribute sets the required number of characters for an indexed search for the
end of a search string, after the wildcard. For example:

*xyz

If the value of this attribute is changed, then the index must be regenerated using
db2index.

Parameter Description

Entry DN cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Values Any integer

Default Value 3

Syntax Integer

Example nsSubStrEnd: 2

4.4.8.4. nsSubStrMiddle

By default, for a search to be indexed, the search string must be at least three characters
long, without counting any wildcard characters. For example, the string abc would be an
indexed search while ab* would not be. Indexed searches are significantly faster than
unindexed searches, so changing the minimum length of the search key is helpful to
increase the number of indexed searches.

This substring length can be edited based on the position of any wildcard characters. The
nsSubStrMiddle attribute sets the required number of characters for an indexed search
where a wildcard is used in the middle of a search string. For example:


ab*z

If the value of this attribute is changed, then the index must be regenerated using
db2index.

Parameter Description

Entry DN cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config

Valid Values Any integer

Default Value 3

Syntax Integer

Example nsSubStrMiddle: 3

4.4.9. Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config
The nsAttributeEncryption object class allows selective encryption of attributes within a
database. Extremely sensitive information such as credit card numbers and government
identification numbers may not be protected enough by routine access control measures.
Normally, these attribute values are stored in the clear within the database files; encrypting
them while they are stored adds another layer of protection for anyone who obtains the files
without going through the LDAP access controls. This object class has one attribute,
nsEncryptionAlgorithm, which sets the encryption cipher used per attribute. Each
encrypted attribute represents a subentry under the above cn=config information tree
nodes, as shown in the following diagram:

Figure 4.3. Encrypted Attributes under the cn=config Node

For example, the database encryption file for the userPassword attribute under o=UserRoot
appears in the Directory Server as follows:

dn: cn=userPassword,cn=encrypted attributes,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsAttributeEncryption
cn: userPassword
nsEncryptionAlgorithm: AES

To configure database encryption, see the "Database Encryption" section of the
"Configuring Directory Databases" chapter in the Red Hat Directory Server
Administration Guide. For more information about indexes, see the "Managing Indexes"
chapter in the Red Hat Directory Server Administration Guide.

4.4.9.1. nsAttributeEncryption (Object Class)

This object class is used for core configuration entries which identify and encrypt selected
attributes within a Directory Server database.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.316

Required Attributes

objectClass Defines the object classes for the entry.

cn Specifies the attribute being encrypted using its common name.

nsEncryptionAlgorithm The encryption cipher used.

4.4.9.2. nsEncryptionAlgorithm

nsEncryptionAlgorithm selects the cipher used by nsAttributeEncryption. The algorithm can
be set per encrypted attribute. Of the two supported ciphers, prefer AES: 3DES is a legacy
cipher with a 64-bit block size and is best kept only for compatibility with existing data.

Parameter Description

Entry DN cn=attributeName,cn=encrypted
attributes,cn=databaseName,cn=ldbm
database,cn=plugins,cn=config

Valid Values The following are supported ciphers:
Advanced Encryption Standard Block Cipher (AES)
Triple Data Encryption Standard Block Cipher (3DES)

Default Value


Syntax DirectoryString

Example nsEncryptionAlgorithm: AES
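The entries described in Section 4.4.3 (vlvSearch and vlvIndex), Sections 4.4.6 and 4.4.8 (nsIndex and the nsSubStr* thresholds) and Section 4.4.9 (nsAttributeEncryption) are all plain LDIF under cn=ldbm database, so the value ranges this chapter states can be checked before the entries are loaded into a server. The following is an added example, not code from this reference or from Directory Server: a minimal LDIF reader plus checks for the documented constraints (vlvScope 1 or 2, vlvEnabled 0 or 1, a vlvIndex entry beneath its vlvSearch entry, nsSystemIndex true or false, known nsIndexType values, positive nsSubStr* lengths, AES or 3DES for nsEncryptionAlgorithm). The sample LDIF is constructed and seeded with deliberate mistakes; the cn=by-sn, cn=orphan and cn=mail names are invented for the example.

```python
# Constructed sample (not from the page): a valid VLV pair, a vlvIndex with no
# vlvSearch parent, an index entry with two bad values, and a 3DES attribute.
SAMPLE_LDIF = """\
dn: cn=by-sn,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: vlvSearch
cn: by-sn
vlvBase: ou=People,dc=example,dc=com
vlvScope: 2
vlvFilter: (|(objectclass=*)(objectclass=ldapsubentry))

dn: cn=by-sn-sort,cn=by-sn,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: vlvIndex
cn: by-sn-sort
vlvSort: sn givenName
vlvEnabled: 1

dn: cn=orphan,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: vlvIndex
cn: orphan
vlvSort: cn

dn: cn=mail,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectclass:nsIndex
cn:mail
nsSystemIndex:false
nsIndexType:eq
nsIndexType:substring
nsSubStrBegin:0

dn: cn=userPassword,cn=encrypted attributes,cn=userRoot,cn=ldbm database,
 cn=plugins,cn=config
objectclass: nsAttributeEncryption
cn: userPassword
nsEncryptionAlgorithm: 3DES
"""

INDEX_TYPES = {"pres", "eq", "approx", "sub"}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line-separated records, continuation lines
    start with a space, values as 'attr: value' or 'attr:value'.
    Returns {dn: {lowercase_attr: [values]}} in file order."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:
            attrs = {}
            for line in lines:
                name, _, value = line.partition(":")
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
            entries[attrs.pop("dn")[0]] = attrs
            lines = []
    return entries


def lint(ldif_text):
    """Return (dn, problem) pairs for values outside the documented ranges."""
    entries = parse_ldif(ldif_text)
    classes = {dn: {c.lower() for c in a.get("objectclass", [])} for dn, a in entries.items()}
    first = lambda a, k, d="": a.get(k, [d])[0]
    out = []
    for dn, a in entries.items():
        if "vlvsearch" in classes[dn]:
            if not first(a, "vlvbase"):
                out.append((dn, "vlvBase missing"))
            if first(a, "vlvscope") not in ("1", "2"):
                out.append((dn, "vlvScope must be 1 or 2"))
            f = first(a, "vlvfilter")
            if not f or f.count("(") != f.count(")"):
                out.append((dn, "vlvFilter missing or unbalanced"))
        if "vlvindex" in classes[dn]:
            if not first(a, "vlvsort"):
                out.append((dn, "vlvSort missing"))
            parent = dn.split(",", 1)[1] if "," in dn else ""  # naive RDN split
            if "vlvsearch" not in classes.get(parent, set()):
                out.append((dn, "vlvIndex entry is not beneath a vlvSearch entry"))
            if first(a, "vlvenabled", "1") not in ("0", "1"):
                out.append((dn, "vlvEnabled must be 0 or 1"))
        if "nsindex" in classes[dn]:
            if first(a, "nssystemindex").lower() not in ("true", "false"):
                out.append((dn, "nsSystemIndex must be true or false"))
            for t in a.get("nsindextype", []):
                if t.lower() not in INDEX_TYPES:
                    out.append((dn, "unknown nsIndexType %r" % t))
            for k in ("nssubstrbegin", "nssubstrmiddle", "nssubstrend"):
                for v in a.get(k, []):
                    if not v.isdigit() or int(v) < 1:
                        out.append((dn, "%s must be a positive integer" % k))
        if "nsattributeencryption" in classes[dn]:
            alg = first(a, "nsencryptionalgorithm").upper()
            if alg not in ("AES", "3DES"):
                out.append((dn, "nsEncryptionAlgorithm must be AES or 3DES"))
            elif alg == "3DES":
                out.append((dn, "3DES is a legacy 64-bit-block cipher; prefer AES"))
    return out


if __name__ == "__main__":
    for dn, problem in lint(SAMPLE_LDIF):
        print("%s: %s" % (dn, problem))
```

The parent check is what catches the most common VLV mistake, a vlvIndex entry created directly under the back end instead of beneath its vlvSearch entry; the DN split is deliberately naive and assumes no escaped commas in configuration DNs. The checks only cover what this chapter states, so an entry that passes can still be rejected by the server's schema.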

4.5. DATABASE LINK PLUG-IN ATTRIBUTES (CHAINING ATTRIBUTES)
The database link plug-in attributes are also organized in an information tree, as shown in
the following diagram:

Figure 4.4. Database Link Plug-in

All plug-in technology used by the database link instances is stored in the cn=chaining
database plug-in node. This section presents the additional attribute information for the
three nodes marked in bold in the cn=chaining database,cn=plugins,cn=config
information tree in Figure 4.4, “Database Link Plug-in”.

4.5.1. Database Link Attributes under cn=config,cn=chaining database,cn=plugins,cn=config
This section covers the global configuration attributes common to all database link
instances, which are stored in the cn=config,cn=chaining database,cn=plugins,cn=config
tree node.

4.5.1.1. nsActiveChainingComponents

This attribute lists the components using chaining. A component is any functional unit in
the server. A value set on an individual database link instance overrides the value set here
in the global configuration. To disable chaining on a particular database instance, use the
value None. This attribute also allows the components used to chain to be altered. By
default, no components are allowed to chain, which explains why this attribute will probably
not appear in a list of cn=config,cn=chaining database,cn=plugins,cn=config attributes, as
LDAP considers empty attributes to be non-existent.


Parameter Description

Entry DN cn=config,cn=chaining database,cn=plugins,cn=config

Valid Values Any valid component entry

Default Value None

Syntax DirectoryString

Example nsActiveChainingComponents: cn=uid uniqueness,cn=plugins,cn=config

4.5.1.2. nsMaxResponseDelay

This error detection, performance-related attribute specifies the maximum amount of time
it can take a remote server to respond to an LDAP operation request made by a database
link before an error is suspected. Once this delay period has been met, the database link
tests the connection with the remote server.

Parameter Description

Entry DN cn=config,cn=chaining database,cn=plugins,cn=config

Valid Values Any valid delay period in seconds

Default Value 60 seconds

Syntax Integer

Example nsMaxResponseDelay: 60

4.5.1.3. nsMaxTestResponseDelay

This error detection, performance-related attribute specifies the duration of the test issued
by the database link to check whether the remote server is responding. If a response from
the remote server is not returned before this period has passed, the database link assumes
the remote server is down, and the connection is not used for subsequent operations.

Parameter Description

Entry DN cn=config,cn=chaining database,cn=plugins,cn=config

Valid Values Any valid delay period in seconds


Default Value 15 seconds

Syntax Integer

Example nsMaxTestResponseDelay: 15

4.5.1.4. nsTransmittedControls

This attribute, which can be both a global (and thus dynamic) configuration or an instance
(that is, cn=database link instance, cn=chaining database,cn=plugins,cn=config)
configuration attribute, allows the controls the database link forwards to be altered. The
following controls are forwarded by default by the database link:

Managed DSA (OID: 2.16.840.1.113730.3.4.2)

Virtual list view (VLV) (OID: 2.16.840.1.113730.3.4.9)

Server side sorting (OID: 1.2.840.113556.1.4.473)

Loop detection (OID: 1.3.6.1.4.1.1466.29539.12)

Other controls, such as dereferencing and simple paged results for searches, can be added
to the list of controls to forward.

Parameter Description

Entry DN cn=config,cn=chaining
database,cn=plugins,cn=config

Valid Values Any valid OID or the above listed controls forwarded by the database link

Default Value None

Syntax Integer

Example nsTransmittedControls: 1.2.840.113556.1.4.473

4.5.2. Database Link Attributes under cn=default instance config,cn=chaining database,cn=plugins,cn=config
Default instance configuration attributes for instances are housed in the cn=default
instance config,cn=chaining database,cn=plugins,cn=config tree node.

4.5.2.1. nsAbandonedSearchCheckInterval


This attribute shows the number of seconds that pass before the server checks for
abandoned operations.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Range 0 to maximum 32-bit integer (2147483647) seconds

Default Value 1

Syntax Integer

Example nsAbandonedSearchCheckInterval: 10

4.5.2.2. nsBindConnectionsLimit

This attribute shows the maximum number of TCP connections the database link
establishes with the remote server.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Range 1 to 50 connections

Default Value 3

Syntax Integer

Example nsBindConnectionsLimit: 3

4.5.2.3. nsBindRetryLimit

Contrary to what the name suggests, this attribute does not specify the number of times a
database link retries to bind with the remote server, but the total number of times it tries
to bind with the remote server. A value of 1 here indicates that the database link only
attempts to bind once.

NOTE

Retries only occur for connection failures and not for other types of errors,
such as invalid bind DNs or bad passwords.


Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Range 0 to 5

Default Value 3

Syntax Integer

Example nsBindRetryLimit: 3

4.5.2.4. nsBindTimeout

This attribute shows the amount of time before the bind attempt times out. There is no real
valid range for this attribute, except reasonable patience limits.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Range 0 to 60 seconds

Default Value 15

Syntax Integer

Example nsBindTimeout: 15

4.5.2.5. nsCheckLocalACI

Reserved for advanced use only. This attribute controls whether ACIs are evaluated on the
database link in addition to the remote data server. When it is off, only the remote server's
ACIs are applied to chained operations. Changes to this attribute only take effect once the
server has been restarted.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString


Example nsCheckLocalACI: on

4.5.2.6. nsConcurrentBindLimit

This attribute shows the maximum number of concurrent bind operations per TCP
connection.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Range 1 to 25 binds

Default Value 10

Syntax Integer

Example nsConcurrentBindLimit: 10

4.5.2.7. nsConcurrentOperationsLimit

This attribute specifies the maximum number of concurrent operations allowed.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Range 1 to 50 operations

Default Value 2

Syntax Integer

Example nsConcurrentOperationsLimit: 5

4.5.2.8. nsConnectionLife

This attribute specifies the connection lifetime. Connections between the database link and
the remote server can be kept open for an unspecified time or closed after a specific period
of time. It is faster to keep the connections open, but it uses more resources. When the
value is 0 and a list of failover servers is provided in the nsFarmServerURL attribute, the
main server is never contacted again after failover to the alternate server.


Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Range 0 to limitless seconds (where 0 means forever)

Default Value 0

Syntax Integer

Example nsConnectionLife: 0

4.5.2.9. nsOperationConnectionsLimit

This attribute shows the maximum number of LDAP connections the database link
establishes with the remote server.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Range 1 to n connections

Default Value 20

Syntax Integer

Example nsOperationConnectionsLimit: 10

4.5.2.10. nsProxiedAuthorization

Reserved for advanced use only. If you disable proxied authorization, binds for chained
operations are executed as the user set in the nsMultiplexorBindDn attribute, so the remote
server evaluates access control against that DN rather than against the identity of the
client that issued the operation.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Values on | off

Default Value on

Syntax DirectoryString

Example nsProxiedAuthorization: on

4.5.2.11. nsReferralOnScopedSearch

This attribute controls whether referrals are returned by scoped searches. This attribute can
be used to optimize the directory because returning referrals in response to scoped
searches is more efficient. A referral is returned to all the configured farm servers.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Values on | off

Default Value off

Syntax DirectoryString

Example nsReferralOnScopedSearch: off

4.5.2.12. nsSizeLimit

This attribute shows the default size limit for the database link in bytes.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Range -1 (no limit) to maximum 32-bit integer (2147483647) entries

Default Value 2000

Syntax Integer

Example nsSizeLimit: 2000

4.5.2.13. nsTimeLimit

This attribute shows the default search time limit for the database link.

Parameter Description

Entry DN cn=default instance config,cn=chaining database,cn=plugins,cn=config

Valid Range -1 to maximum 32-bit integer (2147483647) seconds

Default Value 3600

Syntax Integer

Example nsTimeLimit: 3600

4.5.3. Database Link Attributes under cn=database_link_name,cn=chaining database,cn=plugins,cn=config

This information node stores the attributes concerning the server containing the data. A farm server is a server which contains data in one or more databases. The nsFarmServerURL attribute can contain optional servers for failover, separated by spaces. For cascading chaining, this URL can point to another database link.

4.5.3.1. nsBindMechanism

This attribute sets a bind mechanism for the farm server to connect to the remote server. A farm server is a server containing data in one or more databases. This attribute configures the connection type, either standard, TLS, or SASL.

empty. This performs simple authentication and requires the nsMultiplexorBindDn and nsMultiplexorCredentials attributes to give the bind information.

EXTERNAL. This uses a TLS certificate to authenticate the farm server to the remote server. Either the farm server URL must be set to the secure URL (ldaps) or the nsUseStartTLS attribute must be set to on.

Additionally, the remote server must be configured to map the farm server's certificate to its bind identity. Certificate mapping is described in the Administration Guide.

DIGEST-MD5. This uses SASL with DIGEST-MD5 encryption. As with simple authentication, this requires the nsMultiplexorBindDn and nsMultiplexorCredentials attributes to give the bind information.

GSSAPI. This uses Kerberos-based authentication over SASL. The farm server must be connected over the standard port, meaning the URL has ldap, because the Directory Server does not support SASL/GSSAPI over TLS.

The farm server must be configured with a Kerberos keytab, and the remote server must have a defined SASL mapping for the farm server's bind identity. Setting up Kerberos keytabs and SASL mappings is described in the Administration Guide.


Parameter Description

Entry DN cn=database_link_name,cn=chaining database,cn=plugins,cn=config

Valid Values empty | EXTERNAL | DIGEST-MD5 | GSSAPI

Default Value empty

Syntax DirectoryString

Example nsBindMechanism: GSSAPI

4.5.3.2. nsFarmServerURL

This attribute gives the LDAP URL of the remote server. A farm server is a server containing data in one or more databases. This attribute can contain optional servers for failover, separated by spaces. If using cascading chaining, this URL can point to another database link.

Parameter Description

Entry DN cn=database_link_name,cn=chaining database,cn=plugins,cn=config

Valid Values Any valid remote server LDAP URL

Default Value

Syntax DirectoryString

Example nsFarmServerURL: ldap://farm1.example.com farm2.example.com:389 farm3.example.com:1389/

4.5.3.3. nsMultiplexorBindDN

This attribute gives the DN of the administrative entry used to communicate with the
remote server. The multiplexor is the server that contains the database link and
communicates with the farm server. This bind DN cannot be the Directory Manager, and, if
this attribute is not specified, the database link binds as anonymous.


Parameter Description

Entry DN cn=database_link_name,cn=chaining database,cn=plugins,cn=config

Valid Values

Default Value DN of the multiplexor

Syntax DirectoryString

Example nsMultiplexerBindDN: cn=proxy manager

4.5.3.4. nsMultiplexorCredentials

Password for the administrative user, given in plain text. If no password is provided, it
means that users can bind as anonymous. The password is encrypted in the configuration
file. The example below is what is shown, not what is typed.

Parameter Description

Entry DN cn=database_link_name,cn=chaining database,cn=plugins,cn=config

Valid Values Any valid password, which will then be encrypted using the DES reversible password encryption schema

Default Value

Syntax DirectoryString

Example nsMultiplexerCredentials: {DES} 9Eko69APCJfF

4.5.3.5. nshoplimit

This attribute specifies the maximum number of times a database is allowed to chain; that
is, the number of times a request can be forwarded from one database link to another.

Parameter Description

Entry DN cn=database_link_name,cn=chaining database,cn=plugins,cn=config

Valid Range 1 to an appropriate upper limit for the deployment


Default Value 10

Syntax Integer

Example nsHopLimit: 3

4.5.3.6. nsUseStartTLS

This attribute sets whether to use Start TLS to initiate a secure, encrypted connection over an insecure port. This attribute can be used if the nsBindMechanism attribute is set to EXTERNAL but the farm server URL is set to the standard URL (ldap), or if the nsBindMechanism attribute is left empty.

Parameter Description

Entry DN cn=database_link_name,cn=chaining database,cn=plugins,cn=config

Valid Values off | on

Default Value off

Syntax DirectoryString

Example nsUseStartTLS: on
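The rules stated for nsBindMechanism, nsFarmServerURL, nsMultiplexorBindDN, nsMultiplexorCredentials and nsUseStartTLS interact, and a link that violates them either fails to bind or silently binds more weakly than intended. The following lint is an added example, not code from the product or this reference; the function name check_database_link and the dict-of-attributes input are assumptions.

```python
"""Consistency check for a Directory Server database link (chaining) entry.

Added example, not part of the product or this reference: it encodes the
rules the sections above state for nsBindMechanism, nsFarmServerURL,
nsMultiplexorBindDN, nsMultiplexorCredentials and nsUseStartTLS and reports
settings that would make the link fail to bind, or bind more weakly than
the administrator intended.
"""
from typing import Dict, List

# The bind DN the link must never use (stated for nsMultiplexorBindDN).
DIRECTORY_MANAGER = "cn=directorymanager"


def _normalize_dn(dn: str) -> str:
    """Lower-case and strip blanks so 'cn=Directory Manager' compares equal."""
    return "".join(dn.lower().split())


def check_database_link(entry: Dict[str, str]) -> List[str]:
    """Return the problems found in one database link configuration entry.

    ``entry`` maps lower-cased attribute names to their value, as they would
    appear under cn=database_link_name,cn=chaining database,cn=plugins,cn=config.
    An empty list means the entry is consistent with the documented rules.
    """
    problems: List[str] = []
    mech = entry.get("nsbindmechanism", "").upper()
    urls = entry.get("nsfarmserverurl", "").split()
    start_tls = entry.get("nsusestarttls", "off").lower() == "on"
    bind_dn = entry.get("nsmultiplexorbinddn", "")
    creds = entry.get("nsmultiplexorcredentials", "")

    if not urls:
        return ["nsFarmServerURL is required"]
    # Only the first URL carries the scheme; failover hosts are bare host:port.
    scheme = urls[0].split("://", 1)[0].lower() if "://" in urls[0] else ""
    if scheme not in ("ldap", "ldaps"):
        return [f"nsFarmServerURL must start with ldap:// or ldaps://, got {urls[0]!r}"]
    tls = scheme == "ldaps" or start_tls

    if mech in ("", "DIGEST-MD5"):
        # Simple and DIGEST-MD5 binds both need a bind identity and a password;
        # without them the link binds anonymously, which is easy to miss.
        if not bind_dn or not creds:
            problems.append(
                "nsMultiplexorBindDN and nsMultiplexorCredentials are required "
                f"for {'simple' if mech == '' else 'DIGEST-MD5'} binds; without "
                "them the database link binds as anonymous")
        if mech == "" and not tls:
            problems.append(
                "simple bind over plain ldap:// sends the credentials in clear "
                "text; use ldaps:// or nsUseStartTLS: on")
    elif mech == "EXTERNAL":
        if not tls:
            problems.append(
                "EXTERNAL needs an ldaps:// farm server URL or nsUseStartTLS: on")
    elif mech == "GSSAPI":
        if tls:
            problems.append(
                "GSSAPI is not supported over TLS; use a plain ldap:// URL "
                "and leave nsUseStartTLS off")
    else:
        problems.append(f"unknown nsBindMechanism value {mech!r}")

    if bind_dn and _normalize_dn(bind_dn) == DIRECTORY_MANAGER:
        problems.append("nsMultiplexorBindDN must not be the Directory Manager")
    return problems
```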

4.5.4. Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config

Attributes used for monitoring activity on the instances are stored in the cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config information tree.

nsAddCount
This attribute gives the number of add operations received.

nsDeleteCount
This attribute gives the number of delete operations received.

nsModifyCount
This attribute gives the number of modify operations received.

nsRenameCount
This attribute gives the number of rename operations received.

nsSearchBaseCount
This attribute gives the number of base level searches received.

nsSearchOneLevelCount
This attribute gives the number of one-level searches received.

nsSearchSubtreeCount
This attribute gives the number of subtree searches received.

nsAbandonCount
This attribute gives the number of abandon operations received.

nsBindCount
This attribute gives the number of bind requests received.

nsUnbindCount
This attribute gives the number of unbinds received.

nsCompareCount
This attribute gives the number of compare operations received.

nsOperationConnectionCount
This attribute gives the number of open connections for normal operations.

nsOpenBindConnectionCount
This attribute gives the number of open connections for bind operations.

4.6. PAM PASS THROUGH AUTH PLUG-IN ATTRIBUTES

Local PAM configurations on Unix systems can leverage an external authentication store for
LDAP users. This is a form of pass-through authentication which allows the Directory Server
to use the externally-stored user credentials for directory access.

PAM pass-through authentication is configured in child entries beneath the PAM Pass
Through Auth Plug-in container entry. All of the possible configuration attributes for PAM
authentication (defined in the 60pam-plugin.ldif schema file) are available to a child
entry; the child entry must be an instance of the PAM configuration object class.

Example 4.1. Example PAM Pass Through Auth Configuration Entries

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginLoadGlobal: true
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 9.0.0
nsslapd-pluginVendor: Red Hat
nsslapd-pluginDescription: PAM pass through authentication plugin

dn: cn=Example PAM Config,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: Example PAM Config
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: RDN ou=people,dc=example,dc=com
pamIDMapMethod: ENTRY ou=engineering,dc=example,dc=com
pamIDAttr: customPamUid
pamFilter: (manager=uid=bjensen,ou=people,dc=example,dc=com)
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver

The PAM configuration, at a minimum, must define a mapping method (a way to identify
what the PAM user ID is from the Directory Server entry), the PAM server to use, and
whether to use a secure connection to the service.

pamIDMapMethod: RDN
pamSecure: FALSE
pamService: ldapserver

The configuration can be expanded for special settings, such as to exclude or specifically
include subtrees or to map a specific attribute value to the PAM user ID.

4.6.1. pamConfig (Object Class)

This object class is used to define the PAM configuration to interact with the directory
service. This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.318

Allowed Attributes

pamExcludeSuffix

pamIncludeSuffix

pamMissingSuffix

pamFilter

pamIDAttr


pamIDMapMethod

pamFallback

pamSecure

pamService

nsslapd-pluginConfigArea

4.6.2. pamExcludeSuffix
This attribute specifies a suffix to exclude from PAM authentication.

OID 2.16.840.1.113730.3.1.2068

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Directory Server

4.6.3. pamFallback
Sets whether to fallback to regular LDAP authentication if PAM authentication fails.

OID 2.16.840.1.113730.3.1.2072

Syntax Boolean

Multi- or Single-Valued Single-valued

Defined in Directory Server

4.6.4. pamFilter
Sets an LDAP filter to use to identify specific entries within the included suffixes for which
to use PAM pass-through authentication. If not set, all entries within the suffix are targeted
by the configuration entry.

OID 2.16.840.1.113730.3.1.2131

Syntax Boolean

Multi- or Single-Valued Single-valued

Defined in Directory Server


4.6.5. pamIDAttr
This attribute contains the attribute name which is used to hold the PAM user ID.

OID 2.16.840.1.113730.3.1.2071

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

4.6.6. pamIDMapMethod
Gives the method to use to map the LDAP bind DN to a PAM identity.

NOTE

Directory Server user account inactivation is only validated using the ENTRY
mapping method. With RDN or DN, a Directory Server user whose account is
inactivated can still bind to the server successfully.

OID 2.16.840.1.113730.3.1.2070

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

4.6.7. pamIncludeSuffix
This attribute sets a suffix to include for PAM authentication.

OID 2.16.840.1.113730.3.1.2067

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Directory Server

4.6.8. pamMissingSuffix
Identifies how to handle missing include or exclude suffixes. The options are ERROR (which
causes the bind operation to fail); ALLOW, which logs an error but allows the operation to
proceed; and IGNORE, which allows the operation and does not log any errors.


OID 2.16.840.1.113730.3.1.2069

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

4.6.9. pamSecure
Requires secure TLS connection for PAM authentication.

OID 2.16.840.1.113730.3.1.2073

Syntax Boolean

Multi- or Single-Valued Single-valued

Defined in Directory Server

4.6.10. pamService
Contains the service name to pass to PAM. This assumes that the service specified has a
configuration file in the /etc/pam.d/ directory.

IMPORTANT

The pam_fprintd.so module cannot be in the configuration file referenced by the pamService attribute of the PAM Pass-Through Authentication Plug-in configuration. Using the PAM pam_fprintd.so module causes the Directory Server to hit the max file descriptor limit and can cause the Directory Server process to abort.


OID 2.16.840.1.113730.3.1.2074

Syntax IA5String

Multi- or Single-Valued Single-valued


Defined in Directory Server

4.7. ACCOUNT POLICY PLUG-IN ATTRIBUTES

Account policies can be set that automatically lock an account after a certain amount of
time has elapsed. This can be used to create temporary accounts that are only valid for a
preset amount of time or to lock users which have been inactive for a certain amount of
time.

The Account Policy Plug-in itself only accepts one argument, which points to a plug-in configuration entry.

dn: cn=Account Policy Plugin,cn=plugins,cn=config
...
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

The account policy configuration entry defines, for the entire server, what attributes to use
for account policies. Most of the configuration defines attributes to use to evaluate account
policies and expiration times, but the configuration also defines what object class to use to
identify subtree-level account policy definitions.

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config

... attributes for evaluating accounts ...
alwaysRecordLogin: yes
stateattrname: lastLoginTime
altstateattrname: createTimestamp

... attributes for account policy entries ...
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit

Once the plug-in is configured globally, account policy entries can be created within the user subtrees, and then these policies can be applied to users and to roles through classes of service.

Example 4.2. Account Policy Definition

dn: cn=AccountPolicy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
# 86400 seconds per day * 30 days = 2592000 seconds
accountInactivityLimit: 2592000
cn: AccountPolicy

Any entry, both individual users and roles or CoS templates, can be an account policy subentry. Every account policy subentry has its creation and login times tracked against any expiration policy.

Example 4.3. User Account with Account Policy

dn: uid=scarter,ou=people,dc=example,dc=com
...
lastLoginTime: 20060527001051Z
acctPolicySubentry: cn=AccountPolicy,dc=example,dc=com

4.7.1. altstateattrname
Account expiration policies are based on some timed criteria for the account. For example,
for an inactivity policy, the primary criteria may be the last login time, lastLoginTime.
However, there may be instances where that attribute does not exist on an entry, such as a
user who never logged into his account. The altstateattrname attribute provides a
backup attribute for the server to reference to evaluate the expiration time.

Parameter Description

Entry DN cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range Any time-based entry attribute

Default Value None

Syntax DirectoryString

Example altstateattrname: createTimeStamp

4.7.2. alwaysRecordLogin
By default, only entries which have an account policy directly applied to them — meaning,
entries with the acctPolicySubentry attribute — have their login times tracked. If account
policies are applied through classes of service or roles, then the acctPolicySubentry
attribute is on the template or container entry, not the user entries themselves.

The alwaysRecordLogin attribute sets that every entry records its last login time. This
allows CoS and roles to be used to apply account policies.

Parameter Description

Entry DN cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range yes | no


Default Value no

Syntax DirectoryString

Example alwaysRecordLogin: no

4.7.3. alwaysRecordLoginAttr
The Account Policy plug-in uses the attribute name set in the alwaysRecordLoginAttr parameter to store the time of the last successful login in this attribute in the user's directory entry. For further information, see the corresponding section in the Directory Server Administration Guide.

Parameter Description

Entry DN cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range Any valid attribute name

Default Value stateAttrName

Syntax DirectoryString

Example alwaysRecordLoginAttr: lastLoginTime

4.7.4. limitattrname
The account policy entry in the user directory defines the time limit for the account lockout policy. This time limit can be set in any time-based attribute, and a policy entry could have multiple time-based attributes in it. The attribute within the policy to use for the account inactivation limit is defined in the limitattrname attribute in the Account Policy Plug-in, and it is applied globally to all account policies.

Parameter Description

Entry DN cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range Any time-based entry attribute

Default Value None

Syntax DirectoryString


Example limitattrname: accountInactivityLimit

4.7.5. specattrname
There are really two configuration entries for an account policy: the global settings in the plug-in configuration entry and then user- or subtree-level settings in an entry within the user directory. An account policy can be set directly on a user entry or it can be set as part of a CoS or role configuration. The way that the plug-in identifies which entries are account policy configuration entries is by identifying a specific attribute on the entry which flags it as an account policy. This attribute in the plug-in configuration is specattrname; it will usually be set to acctPolicySubentry.

Parameter Description

Entry DN cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range Any time-based entry attribute

Default Value None

Syntax DirectoryString

Example specattrname: acctPolicySubentry

4.7.6. stateattrname
Account expiration policies are based on some timed criteria for the account. For example,
for an inactivity policy, the primary criteria may be the last login time, lastLoginTime. The
primary time attribute used to evaluate an account policy is set in the stateattrname
attribute.

Parameter Description

Entry DN cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range Any time-based entry attribute

Default Value None

Syntax DirectoryString

Example stateattrname: lastLoginTime
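The attributes in sections 4.7.1 through 4.7.6 together describe one evaluation: find the policy subentry through specattrname, read the limit from limitattrname, and compare it with the entry's stateattrname value or, if that is missing, the altstateattrname value. The following is an added example, not Directory Server code; the function names, the GeneralizedTime parser and the sample entries are constructed here.

```python
"""Evaluate an Account Policy Plug-in inactivity limit against a user entry.

Added example, not Directory Server code: it follows the documented lookup
order (stateattrname first, altstateattrname as the fallback for entries
that never logged in), finds the policy subentry through specattrname and
reads the limit from limitattrname, then reports whether the account is
past its limit at a given evaluation time.
"""
from datetime import datetime, timezone
from typing import Dict, Optional

# Global settings as shown for cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
PLUGIN_CONFIG: Dict[str, str] = {
    "stateattrname": "lastLoginTime",
    "altstateattrname": "createTimestamp",
    "specattrname": "acctPolicySubentry",
    "limitattrname": "accountInactivityLimit",
}

# Constructed sample data modelled on Example 4.2 and Example 4.3 above.
SAMPLE_POLICIES: Dict[str, Dict[str, str]] = {
    "cn=AccountPolicy,dc=example,dc=com": {"accountInactivityLimit": "2592000"},
}
SAMPLE_USER: Dict[str, str] = {
    "uid": "scarter",
    "lastLoginTime": "20060527001051Z",
    "acctPolicySubentry": "cn=AccountPolicy,dc=example,dc=com",
}


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in the form YYYYMMDDhhmmssZ (UTC)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_expired(user: Dict[str, str], policies: Dict[str, Dict[str, str]],
                    now: datetime, config: Dict[str, str] = PLUGIN_CONFIG) -> Optional[bool]:
    """Return True if the account is past its inactivity limit, False if it is
    within the limit, and None if no account policy applies to the entry.

    Attribute names are compared case-insensitively, as LDAP does.
    """
    attrs = {k.lower(): v for k, v in user.items()}
    policy_dn = attrs.get(config["specattrname"].lower())
    if policy_dn is None:
        return None  # entry carries no acctPolicySubentry, so no policy applies
    policy = {k.lower(): v for k, v in policies[policy_dn].items()}
    limit_seconds = int(policy[config["limitattrname"].lower()])

    # Primary state attribute first, then the documented backup attribute.
    state = attrs.get(config["stateattrname"].lower())
    if state is None:
        state = attrs.get(config["altstateattrname"].lower())
    if state is None:
        raise ValueError("entry has neither the state nor the alternate state attribute")

    elapsed = (now - parse_generalized_time(state)).total_seconds()
    return elapsed > limit_seconds


if __name__ == "__main__":
    check_time = parse_generalized_time("20060630000000Z")
    print("scarter expired:", account_expired(SAMPLE_USER, SAMPLE_POLICIES, check_time))
```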


4.8. AD DN PLUG-IN ATTRIBUTES

The AD DN plug-in supports multiple domain configurations. Create one configuration entry
for each domain. For details, see the corresponding section in the Red Hat Directory Server
Administration Guide.

4.8.1. cn
Sets the domain name of the configuration entry. The plug-in uses the domain name from
the authenticating user name to select the corresponding configuration entry.

Parameter Description

Entry DN cn=domain_name,cn=addn,cn=plugins,cn=config

Valid Entry Any string

Default Value None

Syntax DirectoryString

Example cn: example.com

4.8.2. addn_base
Sets the base DN under which Directory Server searches the user's DN.

Parameter Description

Entry DN cn=domain_name,cn=addn,cn=plugins,cn=config

Valid Entry Any valid DN

Default Value None

Syntax DirectoryString

Example addn_base: ou=People,dc=example,dc=com

4.8.3. addn_filter
Sets the search filter. Directory Server replaces the %s variable automatically with the non-domain part of the authenticating user name. For example, if the user name in the bind is user_name@example.com, the filter used to search for the corresponding DN is (&(objectClass=account)(uid=user_name)).


Parameter Description

Entry DN cn=domain_name,cn=addn,cn=plugins,cn=config

Valid Entry Any valid DN

Default Value None

Syntax DirectoryString

Example addn_filter: (&(objectClass=account)(uid=%s))

4.9. AUTO MEMBERSHIP PLUG-IN ATTRIBUTES

Automembership essentially allows a static group to act like a dynamic group. Different
automembership definitions create searches that are automatically run on all new directory
entries. The automembership rules search for and identify matching entries — much like
the dynamic search filters — and then explicitly add those entries as members to the
specified static group.

The Auto Membership Plug-in itself is a container entry. Each automember definition is a
child of the Auto Membership Plug-in. The automember definition defines the LDAP search
base and filter to identify entries and a default group to add them to.

dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
cn: Hostgroups
autoMemberScope: dc=example,dc=com
autoMemberFilter: objectclass=ipHost
autoMemberDefaultGroup: cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn

Each automember definition can have its own child entry that defines additional conditions for assigning the entry to a group. Regular expressions can be used to include or exclude entries and assign them to specific groups based on those conditions.

dn: cn=webservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group for webservers
cn: webservers
autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com

If the entry matches the main definition and not any of the regular expression conditions,
then it uses the group in the main definition. If it matches a regular expression condition,
then it is added to the regular expression condition group.

4.9.1. autoMemberDefinition (Object Class)


This object class identifies the entry as an automember definition. This entry must be a child of the Auto Membership Plug-in, cn=Auto Membership Plugin,cn=plugins,cn=config.

Allowed Attributes

autoMemberScope

autoMemberFilter

autoMemberDefaultGroup

autoMemberGroupingAttr

4.9.2. autoMemberDefaultGroup
This attribute sets a default or fallback group to add the entry to as a member. If only the definition entry is used, then this is the group to which all matching entries are added. If regular expression conditions are used, then this group is used as a fallback for an entry which matches the LDAP search filter but does not match any of the regular expressions.

Parameter Description

Entry DN cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range Any existing Directory Server group

Default Value None

Single- or Multi-Valued Single

Syntax DirectoryString

Example autoMemberDefaultGroup:
cn=hostgroups,ou=groups,dc=example,dc=com

4.9.3. autoMemberFilter
This attribute sets a standard LDAP search filter to use to search for matching entries.

Parameter Description

Entry DN cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range Any valid LDAP search filter

Default Value None

Single- or Multi-Valued Single


Syntax DirectoryString

Example autoMemberFilter: objectclass=ntUser

4.9.4. autoMemberGroupingAttr
This attribute gives the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format group_member_attr:entry_attr.

This structures how the Automembership Plug-in adds a member to the group, depending on the group configuration. For example, for a groupOfUniqueNames user group, each member is added as a uniqueMember attribute. The value of uniqueMember is the DN of the user entry. In essence, each group member is identified by the attribute-value pair of uniqueMember: user_entry_DN. The member entry format, then, is uniqueMember:dn.

Parameter Description

Entry DN cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range Any Directory Server attribute

Default Value None

Single- or Multi-Valued Single

Syntax DirectoryString

Example autoMemberGroupingAttr: member:dn

4.9.5. autoMemberScope
This attribute sets the subtree DN to search for entries. This is the search base.

Parameter Description

Entry DN cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range Any Directory Server subtree

Default Value None

Single- or Multi-Valued Single


Syntax DirectoryString

Example autoMemberScope: dc=example,dc=com

4.9.6. autoMemberRegexRule (Object Class)

This object class identifies the entry as a regular expression rule. This entry must be a child of an automember definition (objectclass: autoMemberDefinition).

Allowed Attributes

autoMemberInclusiveRegex

autoMemberExclusiveRegex

autoMemberTargetGroup

4.9.7. autoMemberExclusiveRegex
This attribute sets a single regular expression to use to identify entries to exclude. If an entry matches the exclusion condition, then it is not included in the group. Multiple regular expressions could be used, and if an entry matches any one of those expressions, it is excluded from the group.

The format of the expression is a Perl-compatible regular expression (PCRE). For more
information on PCRE patterns, see the pcresyntax(3) man page.

NOTE

Exclude conditions are evaluated first and take precedence over include
conditions.

Parameter Description

Entry DN cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range Any regular expression

Default Value None

Single- or Multi-Valued Multi-valued

Syntax DirectoryString

Example autoMemberExclusiveRegex:
fqdn=^www\.web[0-9]+\.example\.com


4.9.8. autoMemberInclusiveRegex
This attribute sets a single regular expression to use to identify entries to include. Multiple
regular expressions could be used, and if an entry matches any one of those expressions, it
is included in the group (assuming it does not match an exclude expression).

The format of the expression is a Perl-compatible regular expression (PCRE). For more
information on PCRE patterns, see the pcresyntax(3) man page.

Parameter Description

Entry DN cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range Any regular expression

Default Value None

Single- or Multi-Valued Multi-valued

Syntax DirectoryString

Example autoMemberInclusiveRegex:
fqdn=^www\.web[0-9]+\.example\.com

4.9.9. autoMemberTargetGroup
This attribute sets which group to add the entry to as a member, if it meets the regular
expression conditions.

Parameter Description

Entry DN cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range Any Directory Server group

Default Value None

Single- or Multi-Valued Single

Syntax DirectoryString

Example autoMemberTargetGroup: cn=webservers,cn=hostgroups,ou=groups,dc=example,dc=com
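The group an entry ends up in follows from the order of evaluation described across section 4.9: scope and filter first, then exclude conditions before include conditions, with autoMemberDefaultGroup as the fallback. The following resolver is an added example, not the plug-in's code; the function names, the constructed Hostgroups data (including an extra exclusion rule) and the use of Python's re in place of PCRE are assumptions.

```python
"""Resolve the group an entry is added to by an Auto Membership definition.

Added example, not the plug-in's own code: it applies the order of evaluation
the sections above describe (scope and filter first, exclusive regular
expressions before inclusive ones, the definition's default group as the
fallback) and uses Python's re module where the plug-in uses PCRE, which is
equivalent for the anchored patterns shown here.
"""
import re
from typing import Any, Dict, List, Optional

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values

# Constructed sample modelled on the Hostgroups definition and its webservers rule.
HOSTGROUPS_DEFINITION: Dict[str, str] = {
    "autoMemberScope": "dc=example,dc=com",
    "autoMemberFilter": "objectclass=ipHost",
    "autoMemberDefaultGroup": "cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com",
}
HOSTGROUPS_RULES: List[Dict[str, Any]] = [{
    "autoMemberTargetGroup": "cn=webservers,cn=hostgroups,dc=example,dc=com",
    "autoMemberInclusiveRegex": [r"fqdn=^www\.web[0-9]+\.example\.com"],
    # Assumed extra exclusion so that the precedence rule can be exercised.
    "autoMemberExclusiveRegex": [r"fqdn=^www\.web0\."],
}]


def in_scope(dn: str, scope: str) -> bool:
    """True if dn is the scope entry or lies beneath it (case-insensitive)."""
    d = ",".join(p.strip() for p in dn.lower().split(","))
    s = ",".join(p.strip() for p in scope.lower().split(","))
    return d == s or d.endswith("," + s)


def matches_filter(entry: Entry, flt: str) -> bool:
    """Handle the single attr=value filter form used in the examples (no nesting)."""
    attr, _, value = flt.strip("()").partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def regex_hits(entry: Entry, rules: List[str]) -> bool:
    """A rule is attr=regex; it hits when any value of attr matches the regex."""
    for rule in rules:
        attr, _, pattern = rule.partition("=")
        if any(re.search(pattern, v) for v in entry.get(attr.lower(), [])):
            return True
    return False


def resolve_group(dn: str, entry: Entry, definition: Dict[str, str],
                  regex_rules: List[Dict[str, Any]]) -> Optional[str]:
    """Return the DN of the group the entry would be added to, or None if it
    falls outside the definition's scope or filter."""
    if not in_scope(dn, definition["autoMemberScope"]):
        return None
    if not matches_filter(entry, definition["autoMemberFilter"]):
        return None
    for rule in regex_rules:
        # Exclude conditions are evaluated first and take precedence over
        # include conditions; an excluded entry is not added to this rule's group.
        if regex_hits(entry, rule.get("autoMemberExclusiveRegex", [])):
            continue
        if regex_hits(entry, rule.get("autoMemberInclusiveRegex", [])):
            return rule["autoMemberTargetGroup"]
    # No regular expression condition matched: fall back to the default group.
    return definition["autoMemberDefaultGroup"]
```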


4.10. DISTRIBUTED NUMERIC ASSIGNMENT PLUG-IN ATTRIBUTES

The Distributed Numeric Assignment Plug-in manages ranges of numbers and assigns
unique numbers within that range to entries. By breaking number assignments into ranges,
the Distributed Numeric Assignment Plug-in allows multiple servers to assign numbers
without conflict. The plug-in also manages the ranges assigned to servers, so that if one
instance runs through its range quickly, it can request additional ranges from the other
servers.

Distributed numeric assignment can be configured to work with single attribute types or
multiple attribute types, and is only applied to specific suffixes and specific entries within
the subtree.


4.10.1. dnaPluginConfig (Object Class)

This object class is used for entries which configure the DNA Plug-in and numeric ranges to
assign to entries.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.324

Allowed Attributes

dnaType

dnaPrefix

dnaNextValue

dnaMaxValue

dnaInterval

dnaMagicRegen

dnaFilter

dnaScope

dnaSharedCfgDN

dnaThreshold

dnaNextRange

dnaRangeRequestTimeout


cn

4.10.2. dnaFilter
This attribute sets an LDAP filter to use to search for and identify the entries to which to
apply the distributed numeric assignment range.

The dnaFilter attribute is required to set up distributed numeric assignment for an attribute.

Parameter Description

Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

Valid Range Any valid LDAP filter

Default Value None

Syntax DirectoryString

Example dnaFilter: (objectclass=person)

4.10.3. dnaInterval
This attribute sets an interval to use to increment through numbers in a range. Essentially, this skips numbers at a predefined rate. If the interval is 3 and the first number in the range is 1, then the next number used in the range is 4, then 7, then 10, incrementing by three for every new number assignment.

Parameter Description

Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

Valid Range Any integer

Default Value None

Syntax Integer

Example dnaInterval: 3

4.10.4. dnaMagicRegen
This attribute sets a user-defined value that instructs the plug-in to assign a new value for
the entry. The magic value can be used to assign new unique numbers to existing entries
or as a standard setting when adding new entries.


The magic entry should be outside of the defined range for the server so that it cannot be
triggered by accident. Note that this attribute does not have to be a number when used on
a DirectoryString or other character type. However, in most cases the DNA plug-in is used
on attributes which only accept integer values, and in such cases the dnamagicregen value
must also be an integer.

Parameter Description

Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

Valid Range Any string

Default Value None

Syntax DirectoryString

Example dnaMagicRegen: -1

4.10.5. dnaMaxValue
This attribute sets the maximum value that can be assigned for the range. The default is -1,
which is the same as setting the highest 64-bit integer.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems; -1 is unlimited
Default Value -1
Syntax Integer
Example dnaMaxValue: 1000

4.10.6. dnaNextRange
This attribute defines the next range to use when the current range is exhausted. This
value is automatically set when range is transferred between servers, but it can also be
manually set to add a range to a server if range requests are not used.

The dnaNextRange attribute should be set explicitly only if a separate, specific range has to
be assigned to other servers. Any range set in the dnaNextRange attribute must be unique
from the available range for the other servers to avoid duplication. If there is no request
from the other servers and the server where dnaNextRange is set explicitly has reached its
set dnaMaxValue, the next set of values (part of the dnaNextRange) is allocated from this
deck.

The dnaNextRange allocation is also limited by the dnaThreshold attribute that is set in the
DNA configuration. Any range allocated to another server for dnaNextRange cannot violate
the threshold for the server, even if the range is available on the deck of dnaNextRange.

NOTE

The dnaNextRange attribute is handled internally if it is not set explicitly.
When it is handled automatically, the dnaMaxValue attribute serves as the upper
limit for the next range.

The attribute sets the range in the format lower_range-upper_range.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems for the lower and upper ranges
Default Value None
Syntax DirectoryString
Example dnaNextRange: 100-500

4.10.7. dnaNextValue
This attribute gives the next available number which can be assigned. After being initially
set in the configuration entry, this attribute is managed by the Distributed Numeric
Assignment Plug-in.

The dnaNextValue attribute is required to set up distributed numeric assignment for an attribute.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems
Default Value -1
Syntax Integer
Example dnaNextValue: 1

4.10.8. dnaPrefix
This attribute defines a prefix that can be prepended to the generated number values for
the attribute. For example, to generate a user ID such as user1000, the dnaPrefix setting
would be user.

dnaPrefix can hold any kind of string. However, some possible values for dnaType (such as
uidNumber and gidNumber) accept only integer values. To use a prefix string, consider
using a custom attribute for dnaType which allows strings.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range Any string
Default Value None
Example dnaPrefix: id

4.10.9. dnaRangeRequestTimeout
One potential situation with the Distributed Numeric Assignment Plug-in is that one server
begins to run out of numbers to assign. The dnaThreshold attribute sets a threshold of
available numbers in the range, so that the server can request an additional range from the
other servers before it is unable to perform number assignments.

The dnaRangeRequestTimeout attribute sets a timeout period, in seconds, for range
requests so that the server does not stall waiting on a new range from one server and can
request a range from a new server.

For range requests to be performed, the dnaSharedCfgDN attribute must be set.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems
Default Value 10
Syntax Integer
Example dnaRangeRequestTimeout: 15

4.10.10. dnaScope
This attribute sets the base DN to search for entries to which to apply the distributed
numeric assignment. This is analogous to the base DN in an ldapsearch.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range Any Directory Server entry
Default Value None
Syntax DirectoryString
Example dnaScope: ou=people,dc=example,dc=com

4.10.11. dnaSharedCfgDN
This attribute defines a shared identity that the servers can use to transfer ranges to one
another. This entry is replicated between servers and is managed by the plug-in to let the
other servers know what ranges are available. This attribute must be set for range transfers
to be enabled.

NOTE

The shared configuration entry must be configured in the replicated subtree,
so that the entry can be replicated to the servers. For example, if the
ou=People,dc=example,dc=com subtree is replicated, then the configuration
entry must be in that subtree, such as ou=UID Number Ranges,ou=People,dc=example,dc=com.
An entry under cn=config is not replicated and cannot serve this purpose.

The entry identified by this setting must be manually created by the administrator. The
server automatically creates a sub-entry beneath it to transfer ranges.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range Any DN
Default Value None
Syntax DN
Example dnaSharedCfgDN: ou=UID Number Ranges,ou=People,dc=example,dc=com

4.10.12. dnaThreshold
One potential situation with the Distributed Numeric Assignment Plug-in is that one server
begins to run out of numbers to assign, which can cause problems. The Distributed Numeric
Assignment Plug-in allows the server to request a new range from the available ranges on
other servers.

So that the server can recognize when it is reaching the end of its assigned range, the
dnaThreshold attribute sets a threshold of remaining available numbers in the range. When
the server hits the threshold, it sends a request for a new range.

For range requests to be performed, the dnaSharedCfgDN attribute must be set.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems
Default Value 100
Syntax Integer
Example dnaThreshold: 100
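The following is an added example, not code from Directory Server or from this reference. It models how the attributes in sections 4.10.3 through 4.10.12 interact: dnaInterval stepping, the dnaMagicRegen trigger, exhaustion of dnaMaxValue and rollover onto a dnaNextRange deck, and the dnaThreshold point at which a range request to a peer listed under dnaSharedCfgDN becomes due. It also renders the plug-in configuration entry as LDIF and runs the sanity checks a practitioner should make before loading it (magic value inside the range, threshold larger than the range, dnaNextRange overlapping the current range). The class and function names, the sample values, and the use of the extensibleObject object class for the configuration entry are assumptions.

```python
"""Constructed model of DNA range bookkeeping (added example, not RHDS source).
Attribute names are the documented ones; class/function names, sample values and the
'extensibleObject' object class on the configuration entry are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Tuple

UNLIMITED = 2**63 - 1   # dnaMaxValue: -1 means the highest 64-bit integer


@dataclass
class DnaConfig:
    dna_type: str = "uidNumber"
    dna_filter: str = "(objectclass=posixAccount)"
    dna_scope: str = "ou=people,dc=example,dc=com"
    next_value: int = 1000          # dnaNextValue
    max_value: int = 1999           # dnaMaxValue (-1 = unlimited)
    interval: int = 1               # dnaInterval
    magic_regen: int = -1           # dnaMagicRegen
    threshold: int = 100            # dnaThreshold
    next_range: Optional[Tuple[int, int]] = None   # dnaNextRange as (lower, upper)
    shared_cfg_dn: str = "ou=UID Number Ranges,ou=people,dc=example,dc=com"

    def upper(self) -> int:
        return self.max_value if self.max_value != -1 else UNLIMITED

    def to_ldif(self, name: str = "UID numbers") -> str:
        """Render the configuration entry under the DNA plug-in as ldapmodify input."""
        lines = [
            f"dn: cn={name},cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config",
            "objectClass: top",
            "objectClass: extensibleObject",   # assumption about the entry's object class
            f"cn: {name}",
            f"dnaType: {self.dna_type}",
            f"dnaFilter: {self.dna_filter}",
            f"dnaScope: {self.dna_scope}",
            f"dnaNextValue: {self.next_value}",
            f"dnaMaxValue: {self.max_value}",
            f"dnaInterval: {self.interval}",
            f"dnaMagicRegen: {self.magic_regen}",
            f"dnaThreshold: {self.threshold}",
            f"dnaSharedCfgDN: {self.shared_cfg_dn}",
        ]
        if self.next_range:
            lines.append(f"dnaNextRange: {self.next_range[0]}-{self.next_range[1]}")
        return "\n".join(lines) + "\n"


def validate(cfg: DnaConfig) -> list[str]:
    """Checks worth running before loading the entry; returns a list of problems."""
    problems = []
    if cfg.next_value < 1 or cfg.next_value > cfg.upper():
        problems.append("dnaNextValue is outside 1..dnaMaxValue")
    if cfg.interval < 1:
        problems.append("dnaInterval must be a positive integer")
    if cfg.next_value <= cfg.magic_regen <= cfg.upper():
        problems.append("dnaMagicRegen lies inside the assignable range and can be hit by accident")
    size = (cfg.upper() - cfg.next_value) // cfg.interval + 1
    if cfg.threshold >= size:
        problems.append("dnaThreshold >= range size: a range request fires on the first assignment")
    if cfg.next_range:
        lo, hi = cfg.next_range
        if lo > hi:
            problems.append("dnaNextRange lower bound exceeds upper bound")
        elif lo <= cfg.upper() and hi >= cfg.next_value:
            problems.append("dnaNextRange overlaps the current range; values would be duplicated")
    return problems


class DnaServer:
    """One supplier's view of its range: hands out values and flags when a request is due."""

    def __init__(self, cfg: DnaConfig):
        self.cfg = cfg
        self.next_value, self.max_value, self.next_range = cfg.next_value, cfg.max_value, cfg.next_range
        self.range_request_due = False

    def remaining(self) -> int:
        """What this server would advertise as dnaRemainingValues in the shared entry."""
        upper = self.max_value if self.max_value != -1 else UNLIMITED
        return max(0, (upper - self.next_value) // self.cfg.interval + 1)

    def assign(self, entry: dict) -> dict:
        """Fill dnaType on an add/modify when it is absent or equals the magic value."""
        current = entry.get(self.cfg.dna_type)
        if current is not None and current != self.cfg.magic_regen:
            return entry                          # caller supplied a real value; keep it
        if self.remaining() == 0:
            if self.next_range is None:
                raise RuntimeError("range exhausted and no dnaNextRange on the deck")
            self.next_value, self.max_value = self.next_range   # roll onto dnaNextRange
            self.next_range = None
        entry = dict(entry, **{self.cfg.dna_type: self.next_value})
        self.next_value += self.cfg.interval
        if self.remaining() <= self.cfg.threshold:
            self.range_request_due = True         # time to ask a peer via dnaSharedCfgDN
        return entry
```

The validate() checks encode the cautions given in the text: a magic value inside the range means an administrator who types that number gets it silently replaced, and a threshold at or above the range size means the server starts requesting ranges the moment it assigns its first value.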

4.10.13. dnaType
This attribute sets which attributes have unique numbers being generated for them. In this
case, whenever the attribute is added to the entry with the magic number, an assigned
value is automatically supplied.

This attribute is required to set a distributed numeric assignment for an attribute.


If the dnaPrefix attribute is set, then the prefix value is prepended to whatever value is
generated by dnaType. The dnaPrefix value can be any kind of string, but some reasonable
values for dnaType (such as uidNumber and gidNumber) require only integer values. To use
a prefix string, consider using a custom attribute for dnaType which allows strings.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Valid Range Any Directory Server attribute
Default Value None
Example dnaType: uidNumber

4.10.14. dnaSharedConfig (Object Class)
This object class is used to configure the shared configuration entry that is replicated
between masters that are all using the same DNA Plug-in configuration for numeric
assignments.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.325

Allowed Attributes

dnaHostname

dnaPortNum

dnaSecurePortNum

dnaRemainingValues

4.10.15. dnaHostname
This attribute identifies the host name of a server in a shared range, as part of the DNA
range configuration for that specific host in multi-master replication. Available ranges are
tracked by host and the range information is replicated among all masters so that if any
master runs low on available numbers, it can use the host information to contact another
master and request a new range.

Parameter Description
Entry DN dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com
Syntax DirectoryString
Valid Range Any valid host name
Default Value None
Example dnaHostname: ldap1.example.com

4.10.16. dnaPortNum
This attribute gives the standard port number to use to connect to the host identified in
dnaHostname.

Parameter Description
Entry DN dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com
Syntax Integer
Valid Range 0 to 65535
Default Value 389
Example dnaPortNum: 389

4.10.17. dnaRemainingValues
This attribute contains the number of values that are remaining and available to a server to
assign to entries.

Parameter Description
Entry DN dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com
Syntax Integer
Valid Range Any integer
Default Value None
Example dnaRemainingValues: 1000

4.10.18. dnaRemoteBindCred
Specifies the Replication Manager's password. If you set a bind method in the
dnaRemoteBindMethod attribute that requires authentication, additionally set the
dnaRemoteBindDN and dnaRemoteBindCred parameter for every server in the replication
deployment in the plug-in configuration entry under the cn=config entry.

Set the parameter in plain text. The value is automatically AES-encrypted before it is
stored.

A server restart is required for the change to take effect.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Syntax DirectoryString {AES} encrypted_password
Valid Values Any valid AES-encrypted password.
Default Value
Example dnaRemoteBindCred: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmxObUk0WXpjM1l5MHdaVE5rTXpZNA0KTnkxaE9XSmhORGRoT0MwMk1ESmpNV014TUFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQk5KbUFDUWFOMHlITWdsUVp3QjBJOQ==}bBR3On6cBmw0DdhcRx826g==

4.10.19. dnaRemoteBindDN
Specifies the Replication Manager DN. If you set a bind method in the
dnaRemoteBindMethod attribute that requires authentication, additionally set the
dnaRemoteBindDN and dnaRemoteBindCred parameter for every server in the replication
deployment in the plug-in configuration under the cn=config entry.

A server restart is required for the change to take effect.

Parameter Description
Entry DN cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Syntax DirectoryString
Valid Values Any valid Replication Manager DN.
Default Value
Example dnaRemoteBindDN: cn=replication manager,cn=config

4.10.20. dnaRemoteBindMethod
Specifies the remote bind method. If you set a bind method in this attribute that requires
authentication, additionally set the dnaRemoteBindDN and dnaRemoteBindCred parameter
for every server in the replication deployment in the plug-in configuration entry under the
cn=config entry.

A server restart is required for the change to take effect.

Parameter Description
Entry DN dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com
Syntax DirectoryString
Valid Values SIMPLE | SSL | SASL/GSSAPI | SASL/DIGEST-MD5
Default Value
Example dnaRemoteBindMethod: SIMPLE

4.10.21. dnaRemoteConnProtocol
Specifies the remote connection protocol.

A server restart is required for the change to take effect.

Parameter Description
Entry DN dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com
Syntax DirectoryString
Valid Values LDAP, SSL, or TLS
Default Value
Example dnaRemoteConnProtocol: LDAP

4.10.22. dnaSecurePortNum
This attribute gives the secure (TLS) port number to use to connect to the host identified in
dnaHostname.

Parameter Description
Entry DN dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com
Syntax Integer
Valid Range 0 to 65535
Default Value 636
Example dnaSecurePortNum: 636

4.11. LINKED ATTRIBUTES PLUG-IN ATTRIBUTES


Many times, entries have inherent relationships to each other (such as managers and
employees, document entries and their authors, or special groups and group members).
While attributes exist that reflect these relationships, these attributes have to be added
and updated on each entry manually. That can lead to an inconsistent set of directory
data, where these entry relationships are unclear, outdated, or missing.

The Linked Attributes Plug-in allows one attribute, set in one entry, to update another
attribute in another entry automatically. The first attribute has a DN value, which points to
the entry to update; the second entry attribute also has a DN value which is a back-pointer
to the first entry. The link attribute which is set by users and the dynamically-updated
"managed" attribute in the affected entries are both defined by administrators in the
Linked Attributes Plug-in instance.

Conceptually, this is similar to the way that the MemberOf Plug-in uses the member attribute
in group entries to set the memberOf attribute in user entries. With the Linked Attributes
Plug-in, however, all of the link/managed attributes are user-defined and there can be multiple
instances of the plug-in, each reflecting a different link-managed relationship.

There are a couple of caveats for linking attributes:

Both the link attribute and the managed attribute must have DNs as values. The DN
in the link attribute points to the entry to add the managed attribute to. The
managed attribute contains the linked entry DN as its value.

The managed attribute must be multi-valued. Otherwise, if multiple link attributes
point to the same managed entry, the managed attribute value would not be
updated accurately.

4.11.1. linkScope
This restricts the scope of the plug-in, so it operates only in a specific subtree or suffix. If
no scope is given, then the plug-in will update any part of the directory tree.

Parameter Description
Entry DN cn=plugin_instance,cn=Linked Attributes,cn=plugins,cn=config
Valid Range Any DN
Default Value None
Syntax DN
Example linkScope: ou=People,dc=example,dc=com

4.11.2. linkType
This sets the user-managed attribute. This attribute is modified and maintained by users,
and then when this attribute value changes, the linked attribute is automatically updated in
the targeted entries.

Parameter Description
Entry DN cn=plugin_instance,cn=Linked Attributes,cn=plugins,cn=config
Valid Range Any Directory Server attribute
Default Value None
Syntax DirectoryString
Example linkType: directReport

4.11.3. managedType
This sets the managed, or plug-in maintained, attribute. This attribute is managed
dynamically by the Linked Attributes Plug-in instance. Whenever a change is made to the
link attribute, the plug-in updates the managed attribute on the targeted entries.

Parameter Description
Entry DN cn=plugin_instance,cn=Linked Attributes,cn=plugins,cn=config
Valid Range Any Directory Server attribute
Default Value None
Syntax DirectoryString
Example managedType: manager

4.12. MANAGED ENTRIES PLUG-IN ATTRIBUTES


In some unique circumstances, it is useful to have an entry created automatically when
another entry is created. For example, this can be part of Posix integration by creating a
specific group entry when a new user is created. Each instance of the Managed Entries
Plug-in identifies two areas:

The scope of the plug-in, meaning the subtree and the search filter to use to
identify entries which require a corresponding managed entry

A template entry that defines what the managed entry should look like

4.12.1. managedBase
This attribute sets the subtree under which to create the managed entries. This can be any
entry in the directory tree.

Parameter Description
Entry DN cn=instance_name,cn=Managed Entries Plugin,cn=plugins,cn=config
Valid Values Any Directory Server subtree
Default Value None
Syntax DirectoryString
Example managedBase: ou=groups,dc=example,dc=com

4.12.2. managedTemplate
This attribute identifies the template entry to use to create the managed entry. This entry
can be located anywhere in the directory tree; however, it is recommended that this entry
is in a replicated suffix so that all masters and consumers in replication are using the same
template.

The attributes used to create the managed entry template are described elsewhere in this
reference.

Parameter Description
Entry DN cn=instance_name,cn=Managed Entries Plugin,cn=plugins,cn=config
Valid Values Any Directory Server entry of the mepTemplateEntry object class
Default Value None
Syntax DirectoryString
Example managedTemplate: cn=My Template,ou=Templates,dc=example,dc=com

4.12.3. originFilter
This attribute sets the search filter to use to search for and identify the entries within the
subtree which require a managed entry. The filter allows the managed entries behavior to
be limited to a specific type of entry or subset of entries. The syntax is the same as a
regular search filter.

Parameter Description
Entry DN cn=instance_name,cn=Managed Entries Plugin,cn=plugins,cn=config
Valid Values Any valid LDAP filter
Default Value None
Syntax DirectoryString
Example originFilter: (objectclass=posixAccount)

4.12.4. originScope
This attribute sets the scope of the search to use to see which entries the plug-in monitors.
If a new entry is created within the scope subtree, then the Managed Entries Plug-in
creates a new managed entry that corresponds to it.

Parameter Description
Entry DN cn=instance_name,cn=Managed Entries Plugin,cn=plugins,cn=config
Valid Values Any Directory Server subtree
Default Value None
Syntax DirectoryString
Example originScope: ou=people,dc=example,dc=com

4.13. MEMBEROF PLUG-IN ATTRIBUTES


Group membership is defined within group entries using attributes such as member.
Searching for the member attribute makes it easy to list all of the members for the group.
However, group membership is not reflected in the member's user entry, so it is impossible
to tell to what groups a person belongs by looking at the user's entry.

The MemberOf Plug-in synchronizes the group membership in group members with the
members' individual directory entries by identifying changes to a specific member attribute
(such as member) in the group entry and then working back to write the membership
changes over to a specific attribute in the members' user entries.

4.13.1. cn
Sets the name of the plug-in instance.

Parameter Description

Entry DN cn=MemberOf Plugin,cn=plugins,cn=config

Valid Values Any valid string

Default Value

Syntax DirectoryString

Example cn: Example MemberOf Plugin Instance

4.13.2. memberOfAllBackends
This attribute specifies whether to search the local suffix for user entries or all available
suffixes. This can be desirable in directory trees where users may be distributed across
multiple databases so that group membership is evaluated comprehensively and
consistently.

Parameter Description
Entry DN cn=MemberOf Plugin,cn=plugins,cn=config
Valid Values on | off
Default Value off
Syntax DirectoryString
Example memberOfAllBackends: on

4.13.3. memberOfAttr
This attribute specifies the attribute in the user entry for the Directory Server to manage to
reflect group membership. The MemberOf Plug-in generates the value of the attribute
specified here in the directory entry for the member. There is a separate attribute for every
group to which the user belongs.

Parameter Description

Entry DN cn=MemberOf Plugin,cn=plugins,cn=config

Valid Range Any Directory Server attribute

Default Value memberOf

Syntax DirectoryString

Example memberOfAttr: memberOf

4.13.4. memberOfAutoAddOC
To enable the memberOf plug-in to add the memberOf attribute to a user, the user object
must contain an object class that allows this attribute. If an entry does not have an object
class that allows the memberOf attribute then the memberOf plugin will automatically add
the object class listed in the memberOfAutoAddOC parameter.

This setting does not require restarting the server to take effect.

Parameter Description

Entry DN cn=MemberOf Plugin,cn=plugins,cn=config

Valid Value Any Directory Server object class

Default Value nsMemberOf

Syntax DirectoryString

Example memberOfAutoAddOC: nsMemberOf

4.13.5. memberOfEntryScope
If you configured several back ends or multiple nested suffixes, the multi-valued
memberOfEntryScope parameter enables you to set what suffixes the MemberOf plug-in
works on. If the parameter is not set, the plug-in works on all suffixes. The value set in the
memberOfEntryScopeExcludeSubtree parameter has a higher priority than values set in
memberOfEntryScope.

For further details, see the corresponding section in the Directory Server Administration
Guide.

This setting does not require restarting the server to take effect.

Parameter Description

Entry DN cn=MemberOf Plugin,cn=plugins,cn=config

Valid Range Any Directory Server entry DN.

Default Value

Syntax DirectoryString

Example memberOfEntryScope:
ou=people,dc=example,dc=com

4.13.6. memberOfEntryScopeExcludeSubtree
If you configured several back ends or multiple nested suffixes, the multi-valued
memberOfEntryScopeExcludeSubtree parameter enables you to set what suffixes the
MemberOf plug-in excludes. The value set in the memberOfEntryScopeExcludeSubtree
parameter has a higher priority than values set in memberOfEntryScope. If the scopes set in
both parameters overlap, the MemberOf plug-in only works on the non-overlapping directory
entries.

For further details, see the corresponding section in the Directory Server Administration
Guide.

This setting does not require restarting the server to take effect.

Parameter Description

Entry DN cn=MemberOf Plugin,cn=plugins,cn=config

Valid Range Any Directory Server entry DN.

Default Value

Syntax DirectoryString

Example memberOfEntryScopeExcludeSubtree:
ou=sample,dc=example,dc=com

4.13.7. memberOfGroupAttr
This attribute specifies the attribute in the group entry to use to identify the DNs of group
members. By default, this is the member attribute, but it can be any membership-related
attribute that contains a DN value, such as uniquemember or member.

NOTE

Any attribute can be used for the memberOfGroupAttr value, but the
MemberOf Plug-in only works if the value of the target attribute contains the
DN of the member entry. For example, the member attribute contains the DN of
the member's user entry:

member: uid=jsmith,ou=People,dc=example,dc=com

Some member-related attributes do not contain a DN, like the memberURL
attribute. That attribute will not work as a value for memberOfGroupAttr. The
memberURL value is a URL, and a non-DN value cannot work with the
MemberOf Plug-in.

Parameter Description

Entry DN cn=MemberOf Plugin,cn=plugins,cn=config

Valid Range Any Directory Server attribute

Default Value member

Syntax DirectoryString

Example memberOfGroupAttr: member
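The following is an added example, not code from Directory Server or from this reference. It models the behaviour described in sections 4.13.2 through 4.13.7: only the attribute named by memberOfGroupAttr is read (a memberURL value is never consulted), nested groups are followed, an entry under memberOfEntryScopeExcludeSubtree receives no memberOf value even when it also falls under memberOfEntryScope, and the generated modify adds the memberOfAutoAddOC object class when the entry has no object class that allows memberOf. The group entries, configuration values, function names, and the modelling of nsMemberOf and inetUser as the object classes that allow memberOf are assumptions.

```python
"""Constructed model of MemberOf scope rules and memberOf derivation (added example,
not RHDS source). Group data, config values and function names are assumptions; the
configuration attribute names are the documented ones."""
from __future__ import annotations

# Constructed plug-in configuration as it would appear on cn=MemberOf Plugin,cn=plugins,cn=config.
CONFIG = {
    "memberOfAttr": "memberOf",
    "memberOfGroupAttr": "member",
    "memberOfAutoAddOC": "nsMemberOf",
    "memberOfEntryScope": ["dc=example,dc=com"],
    "memberOfEntryScopeExcludeSubtree": ["ou=contractors,dc=example,dc=com"],
}

# Constructed group entries (dn -> attributes). cn=web is nested inside cn=eng.
GROUPS = {
    "cn=eng,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "cn=web,ou=groups,dc=example,dc=com"],
        # A URL, not a DN: ignored because memberOfGroupAttr is 'member'.
        "memberURL": ["ldap:///ou=people,dc=example,dc=com??sub?(title=engineer)"],
    },
    "cn=web,ou=groups,dc=example,dc=com": {
        "member": ["uid=bob,ou=people,dc=example,dc=com",
                   "uid=eve,ou=contractors,dc=example,dc=com"],
    },
}


def is_under(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def in_scope(dn: str, config: dict) -> bool:
    """memberOfEntryScopeExcludeSubtree wins over memberOfEntryScope; no scope means all suffixes."""
    if any(is_under(dn, ex) for ex in config.get("memberOfEntryScopeExcludeSubtree", [])):
        return False
    scopes = config.get("memberOfEntryScope", [])
    return not scopes or any(is_under(dn, s) for s in scopes)


def compute_memberof(groups: dict, config: dict) -> dict[str, set[str]]:
    """Map every in-scope entry DN (user or nested group) to the groups it belongs to."""
    group_attr = config.get("memberOfGroupAttr", "member")
    direct = {gdn: list(g.get(group_attr, [])) for gdn, g in groups.items()}
    result: dict[str, set[str]] = {}
    for gdn, members in direct.items():
        seen: set[str] = set()
        stack = list(members)
        while stack:                         # depth-first through nested groups; 'seen' breaks cycles
            m = stack.pop()
            if m in seen:
                continue
            seen.add(m)
            if in_scope(m, config):
                result.setdefault(m, set()).add(gdn)
            if m in direct:                  # m is itself a group: its members inherit gdn
                stack.extend(direct[m])
    return result


def memberof_modify_ldif(dn: str, group_dns: set[str], config: dict, entry_ocs: list[str]) -> str:
    """Render the modify the plug-in would apply to one entry, adding memberOfAutoAddOC first
    when no object class on the entry allows memberOf (modelled as nsMemberOf or inetUser)."""
    attr, auto_oc = config["memberOfAttr"], config["memberOfAutoAddOC"]
    lines = [f"dn: {dn}", "changetype: modify"]
    if not any(oc.lower() in ("nsmemberof", "inetuser") for oc in entry_ocs):
        lines += ["add: objectClass", f"objectClass: {auto_oc}", "-"]
    lines += [f"replace: {attr}"] + [f"{attr}: {g}" for g in sorted(group_dns)]
    return "\n".join(lines) + "\n"
```

With this data uid=eve never receives a memberOf value: the exclude subtree takes priority even though dc=example,dc=com is in memberOfEntryScope, which is the point of section 4.13.6.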

4.14. ATTRIBUTE UNIQUENESS PLUG-IN ATTRIBUTES


The Attribute Uniqueness plug-in ensures that the value of an attribute is unique across
the directory or subtree.


4.14.1. cn
Sets the name of the Attribute Uniqueness plug-in configuration record. You can use any
string, but Red Hat recommends naming the configuration record attribute_name
Attribute Uniqueness.

Parameter Description

Entry DN cn=attribute_uniqueness_configuration_record_
name,cn=plugins,cn=config

Valid Value Any valid string

Default Value None

Syntax DirectoryString

Example cn: mail Attribute Uniqueness

4.14.2. uniqueness-attribute-name
Sets the name of the attribute whose values must be unique. This attribute is multi-valued.

Parameter Description

Entry DN cn=attribute_uniqueness_configuration_record_
name,cn=plugins,cn=config

Valid Value Any valid attribute name

Default Value None

Syntax DirectoryString

Example uniqueness-attribute-name: mail

4.14.3. uniqueness-subtrees
Sets the DN under which the plug-in checks for uniqueness of the attribute's value. This
attribute is multi-valued.

Parameter Description
Entry DN cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config
Valid Value Any valid subtree DN
Default Value None
Syntax DirectoryString
Example uniqueness-subtrees: ou=Sales,dc=example,dc=com

4.14.4. uniqueness-across-all-subtrees
If enabled (on), the plug-in checks that the attribute is unique across all subtrees set. If you
set the attribute to off, uniqueness is only enforced within the subtree of the updated
entry.

Parameter Description

Entry DN cn=attribute_uniqueness_configuration_record_
name,cn=plugins,cn=config

Valid Value on | off

Default Value off

Syntax DirectoryString

Example uniqueness-across-all-subtrees: off

4.14.5. uniqueness-top-entry-oc
Directory Server searches this object class in the parent entry of the updated object. If it
was not found, the search continues at the next higher level entry up to the root of the
directory tree. If the object class was found, Directory Server verifies that the value of the
attribute set in uniqueness-attribute-name is unique in this subtree.

Parameter Description

Entry DN cn=attribute_uniqueness_configuration_record_
name,cn=plugins,cn=config

Valid Value Any valid object class

Default Value None

Syntax DirectoryString

Example uniqueness-top-entry-oc: nsContainer


4.14.6. uniqueness-subtree-entries-oc
Optionally, when using the uniqueness-top-entry-oc parameter, you can configure that
the Attribute Uniqueness plug-in only verifies if an attribute is unique, if the entry
contains the object class set in this parameter.

Parameter Description

Entry DN cn=attribute_uniqueness_configuration_record_
name,cn=plugins,cn=config

Valid Value Any valid object class

Default Value None

Syntax DirectoryString

Example uniqueness-subtree-entries-oc: inetOrgPerson
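The following is an added example, not code from Directory Server or from this reference. It models how the settings in sections 4.14.2 through 4.14.6 select the scope of a uniqueness check: with uniqueness-subtrees, only the subtree containing the updated entry is searched unless uniqueness-across-all-subtrees is on; with uniqueness-top-entry-oc, the plug-in walks up from the parent until it finds an entry carrying that object class, and uniqueness-subtree-entries-oc restricts the check to entries of a given object class. The in-memory directory, configuration dicts, and function names are assumptions; the configuration attribute names are the documented ones.

```python
"""Constructed model of Attribute Uniqueness scope selection (added example, not RHDS
source). Directory data, config dicts and function names are assumptions."""
from __future__ import annotations
from typing import Optional

# Constructed directory: dn -> attributes (attribute keys lower-case).
DIRECTORY = {
    "dc=example,dc=com": {"objectclass": ["domain"]},
    "ou=sales,dc=example,dc=com": {"objectclass": ["organizationalUnit", "nsContainer"]},
    "ou=eng,dc=example,dc=com": {"objectclass": ["organizationalUnit", "nsContainer"]},
    "ou=other,dc=example,dc=com": {"objectclass": ["organizationalUnit"]},
    "uid=alice,ou=sales,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "mail": ["alice@example.com"]},
    "uid=bob,ou=eng,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "mail": ["bob@example.com"]},
}


def parent(dn: str) -> Optional[str]:
    return dn.split(",", 1)[1] if "," in dn else None


def is_under(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def has_oc(attrs: dict, oc: str) -> bool:
    return oc.lower() in (o.lower() for o in attrs.get("objectclass", []))


def uniqueness_scope(dn: str, config: dict, directory: dict) -> list[str]:
    """Subtree DNs in which the attribute must be unique for an update to dn.

    uniqueness-top-entry-oc: walk up from the parent until an entry with that object class
    is found; that entry is the scope.  Otherwise uniqueness-subtrees applies: the subtree
    containing dn, or every configured subtree when uniqueness-across-all-subtrees is on.
    """
    top_oc = config.get("uniqueness-top-entry-oc")
    if top_oc:
        node = parent(dn)
        while node is not None:
            if has_oc(directory.get(node, {}), top_oc):
                return [node]
            node = parent(node)
        return []                                  # no such container above dn: nothing enforced
    subtrees = config.get("uniqueness-subtrees", [])
    containing = [s for s in subtrees if is_under(dn, s)]
    if not containing:
        return []                                  # dn is outside every configured subtree
    across = config.get("uniqueness-across-all-subtrees", "off") == "on"
    return list(subtrees) if across else containing


def check_unique(dn: str, new_attrs: dict, config: dict, directory: dict) -> Optional[str]:
    """Return a conflict description, or None when the add/modify may proceed."""
    attr = config["uniqueness-attribute-name"].lower()
    entries_oc = config.get("uniqueness-subtree-entries-oc")
    if entries_oc and not has_oc(new_attrs, entries_oc):
        return None                                # entry type is not subject to the check
    values = {v.lower() for v in new_attrs.get(attr, [])}
    for base in uniqueness_scope(dn, config, directory):
        for other_dn, other in directory.items():
            if other_dn.lower() == dn.lower() or not is_under(other_dn, base):
                continue
            clash = values & {v.lower() for v in other.get(attr, [])}
            if clash:
                return f"{attr}={sorted(clash)[0]} already used by {other_dn}"
    return None
```

The default of uniqueness-across-all-subtrees is off, so two subtrees listed in one configuration record are each checked in isolation; a value that must be unique across both (a mail address, for example) needs the attribute switched on, which the example shows by changing only that setting.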

4.15. POSIX WINSYNC API PLUG-IN ATTRIBUTES


By default, Posix-related attributes are not synchronized between Active Directory and
Red Hat Directory Server. On Linux systems, system users and groups are identified as
Posix entries, and LDAP Posix attributes contain that required information. However, when
Windows users are synced over, they have ntUser and ntGroup attributes automatically
added which identify them as Windows accounts, but no Posix attributes are synced over
(even if they exist on the Active Directory entry) and no Posix attributes are added on the
Directory Server side.

The Posix Winsync API Plug-in synchronizes POSIX attributes between Active Directory and
Directory Server entries.

NOTE

All POSIX attributes (such as uidNumber, gidNumber, and homeDirectory) are
synchronized between Active Directory and Directory Server entries. However,
if a new POSIX entry or POSIX attributes are added to an existing entry in the
Directory Server, only the POSIX attributes are synchronized over to the
Active Directory corresponding entry. The POSIX object class (posixAccount
for users and posixGroup for groups) is not added to the Active Directory
entry.

This plug-in is disabled by default and must be enabled before any Posix
attributes will be synchronized from the Active Directory entry to the
Directory Server entry.

4.15.1. posixWinsyncCreateMemberOfTask
This attribute sets whether to run the memberOf fix-up task immediately after a sync run in
order to update group memberships for synced users. This is disabled by default because
the memberOf fix-up task can be resource-intensive and cause performance issues if it is
run too frequently.

Parameter Description
Entry DN cn=Posix Winsync API Plugin,cn=plugins,cn=config
Valid Range true | false
Default Value false
Example posixWinsyncCreateMemberOfTask: false

4.15.2. posixWinsyncLowerCaseUID
This attribute sets whether to store (and, if necessary, convert) the UID value in the
memberUID attribute in lower case.

Parameter Description
Entry DN cn=Posix Winsync API Plugin,cn=plugins,cn=config
Valid Range true | false
Default Value false
Example posixWinsyncLowerCaseUID: false

4.15.3. posixWinsyncMapMemberUID
This attribute sets whether to map the memberUID attribute in an Active Directory group to
the uniqueMember attribute in a Directory Server group.

Parameter Description
Entry DN cn=Posix Winsync API Plugin,cn=plugins,cn=config
Valid Range true | false
Default Value true
Example posixWinsyncMapMemberUID: false

4.15.4. posixWinsyncMapNestedGrouping
The posixWinsyncMapNestedGrouping parameter manages whether nested groups are updated
when memberUID attributes in an Active Directory POSIX group change. Updating nested
groups is supported up to a depth of five levels.

Parameter Description
Entry DN cn=Posix Winsync API Plugin,cn=plugins,cn=config
Valid Range true | false
Default Value false
Example posixWinsyncMapNestedGrouping: false

4.15.5. posixWinsyncMsSFUSchema
This attribute sets whether to use the older Microsoft Services for Unix 3.0 (msSFU30)
schema when syncing Posix attributes from Active Directory. By default, the Posix Winsync
API Plug-in uses the Posix schema of modern Active Directory servers (Windows Server
2003 R2, 2008, and later versions). There are slight differences between the modern Active
Directory Posix schema and the Posix schema used by Windows Server 2003 and older
Windows servers. If an Active Directory domain is using the older-style schema, set this
attribute to true so that the older-style schema is used instead.

Parameter Description
Entry DN cn=Posix Winsync API Plugin,cn=plugins,cn=config
Valid Range true | false
Default Value false
Example posixWinsyncMsSFUSchema: true

4.16. RETRO CHANGELOG PLUG-IN ATTRIBUTES


Two different types of changelogs are maintained by Directory Server. The first type,
referred to as simply a changelog, is used by multi-master replication, and the second
changelog, a plug-in referred to as the retro changelog, is intended for use by LDAP clients
for maintaining application compatibility with Directory Server 4.x versions.

This Retro Changelog Plug-in is used to record modifications made to a supplier server.
When the supplier server's directory is modified, an entry is written to the Retro Changelog
that contains both of the following:

A number that uniquely identifies the modification. This number is sequential with
respect to other entries in the changelog.


The modification action; that is, exactly how the directory was modified.

Through the Retro Changelog Plug-in, the changes performed on the Directory Server
become accessible to clients by searching the cn=changelog suffix.

4.16.1. isReplicated
This optional attribute sets a flag on each change recorded in the changelog to indicate whether
the change was newly made on that server or was replicated over from another server.

Parameter Description
OID 2.16.840.1.113730.3.1.2085
Entry DN cn=Retro Changelog Plugin,cn=plugins,cn=config
Valid Values true | false
Default Value None
Syntax Boolean
Example isReplicated: true

4.16.2. nsslapd-attribute
This attribute explicitly specifies another Directory Server attribute which must be included
in the retro changelog entries.

Many operational attributes and other types of attributes are commonly excluded from the
retro changelog, but these attributes may need to be present for a third-party application
to use the changelog data. This is done by listing the attribute in the retro changelog plug-
in configuration using the nsslapd-attribute parameter.

It is also possible to specify an optional alias for the specified attribute within the nsslapd-
attribute value.

nsslapd-attribute: attribute:alias

Using an alias for the attribute can help avoid conflicts with other attributes in an external
server or application which may use the retro changelog records.

NOTE

Setting the value of the nsslapd-attribute attribute to isReplicated is a
way of indicating, in the retro changelog entry itself, whether the modification
was done on the local server (that is, whether the change is an original
change) or whether the change was replicated over to the server.


Parameter Description
Entry DN cn=Retro Changelog Plugin,cn=plugins,cn=config
Valid Values Any valid directory attribute (standard or custom)
Default Value None
Syntax DirectoryString
Example nsslapd-attribute: nsUniqueId: uniqueID

4.16.3. nsslapd-changelogdir
This attribute specifies the name of the directory in which the changelog database is
created the first time the plug-in is run. By default, the database is stored with all the other
databases under /var/lib/dirsrv/slapd-instance/changelogdb.

NOTE

For performance reasons, store this database on a different physical disk.

The server has to be restarted for changes to this attribute to go into effect.

Parameter Description
Entry DN cn=Retro Changelog Plugin,cn=plugins,cn=config
Valid Values Any valid path to the directory
Default Value None
Syntax DirectoryString
Example nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance/changelogdb

4.16.4. nsslapd-changelogmaxage (Max Changelog Age)


This attribute specifies the maximum age of any entry in the changelog. The changelog
contains a record for each directory modification and is used when synchronizing consumer
servers. Each record contains a timestamp. Any record with a timestamp that is older than
the value specified in this attribute is removed. If this attribute is absent, there is no age
limit on changelog records, which is the default behavior since this attribute is not present
by default.


NOTE

Expired changelog records will not be removed if there is an agreement that
has fallen behind further than the maximum age.

Parameter Description
Entry DN cn=Retro Changelog Plugin,cn=plugins,cn=config
Valid Range 0 (meaning that entries are not removed according to their age) to the maximum 32 bit integer value (2147483647)
Default Value 0
Syntax DirectoryString Integer AgeID, where AgeID is s for seconds, m for minutes, h for hours, d for days, or w for weeks.
Example nsslapd-changelogmaxage: 30d
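The following is an added illustration of how the Integer AgeID value and the note about lagging agreements combine when old changelog records are trimmed. It is not Directory Server code: the records, timestamps and agreement positions are constructed, and the rule that a record is kept while any agreement still has to send it is an assumption about how "fallen behind" is modelled.

```python
from datetime import datetime, timedelta

# AgeID suffixes from the Syntax row above, in seconds.
AGE_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
MAX_INT32 = 2147483647  # upper end of the documented Valid Range


def parse_changelog_max_age(value):
    """Parse the 'Integer AgeID' form (30d, 12h, ...).

    Returns the age in seconds, or None for the value 0, which means that
    records are never removed because of their age.
    """
    value = value.strip()
    if value == "0":
        return None
    number, unit = value[:-1], value[-1].lower()
    if unit not in AGE_UNITS or not number.isdigit():
        raise ValueError("expected an integer followed by s, m, h, d or w: %r" % value)
    if not 0 < int(number) <= MAX_INT32:
        raise ValueError("nsslapd-changelogmaxage out of range: %r" % value)
    return int(number) * AGE_UNITS[unit]


def expired_changenumbers(records, max_age_seconds, now_iso, agreement_positions):
    """Return the change numbers that age-based trimming would remove.

    records: list of (changenumber, timestamp_iso) in change-number order.
    agreement_positions: for each replication agreement, the last change
    number it has already sent. A record older than the maximum age is kept
    while an agreement has not sent it yet (the lagging-agreement case in the
    note above); this is modelled (assumption) as keeping every change number
    above the slowest agreement's position.
    """
    if max_age_seconds is None:
        return []
    cutoff = datetime.fromisoformat(now_iso) - timedelta(seconds=max_age_seconds)
    still_needed_from = min(agreement_positions) + 1 if agreement_positions else None
    trimmed = []
    for changenumber, timestamp_iso in records:
        if datetime.fromisoformat(timestamp_iso) >= cutoff:
            continue  # young enough to stay
        if still_needed_from is not None and changenumber >= still_needed_from:
            continue  # expired, but an agreement still has to send it
        trimmed.append(changenumber)
    return trimmed


# Constructed sample: four changelog records, evaluated on 2019-01-07.
SAMPLE_RECORDS = [
    (1, "2018-11-01T08:00:00"),
    (2, "2018-11-20T08:00:00"),
    (3, "2018-12-20T08:00:00"),
    (4, "2019-01-06T08:00:00"),
]

if __name__ == "__main__":
    max_age = parse_changelog_max_age("30d")
    print(expired_changenumbers(SAMPLE_RECORDS, max_age, "2019-01-07T00:00:00", [3]))
    print(expired_changenumbers(SAMPLE_RECORDS, max_age, "2019-01-07T00:00:00", [1]))
```

With nsslapd-changelogmaxage: 30d and a server date of 2019-01-07, records 1 and 2 are older than the cutoff; they are both trimmed when every agreement has sent change 3, but only record 1 is trimmed when an agreement is still at change 1.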

4.17. ROOTDN ACCESS CONTROL PLUG-IN ATTRIBUTES


The root DN, cn=Directory Manager, is a special user entry that is defined outside the
normal user database. Normal access control rules are not applied to the root DN, but
because of the powerful nature of the root user, it can be beneficial to apply some kind of
access control rules to the root user.

The RootDN Access Control Plug-in sets normal access controls — host and IP address
restrictions, time-of-day restrictions, and day of week restrictions — on the root user.

This plug-in is disabled by default.

4.17.1. rootdn-allow-host
This sets what hosts, by fully-qualified domain name, the root user is allowed to use to
access the Directory Server. Any hosts not listed are implicitly denied.

Wildcards are allowed.

This attribute can be used multiple times to specify multiple hosts, domains, or subdomains.

Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Range Any valid host name or domain, including asterisks (*) for wildcards
Default Value None
Syntax DirectoryString
Example rootdn-allow-host: *.example.com

4.17.2. rootdn-allow-ip
This sets what IP addresses, either IPv4 or IPv6, for machines the root user is allowed to use
to access the Directory Server. Any IP addresses not listed are implicitly denied.

Wildcards are allowed.

This attribute can be used multiple times to specify multiple addresses, domains, or
subnets.

Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Range Any valid IPv4 or IPv6 address, including asterisks (*) for wildcards
Default Value None
Syntax DirectoryString
Example rootdn-allow-ip: 192.168.*.*

4.17.3. rootdn-close-time
This sets part of a time period or range when the root user is allowed to access the
Directory Server. This sets when the time-based access ends, when the root user is no
longer allowed to access the Directory Server.

This is used in conjunction with the rootdn-open-time attribute.

Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Range Any valid time, in a 24-hour format
Default Value None
Syntax Integer
Example rootdn-close-time: 1700

4.17.4. rootdn-days-allowed
This gives a comma-separated list of the days on which the root user is allowed to access the
Directory Server. Any days not listed are implicitly denied. This can be used with rootdn-
close-time and rootdn-open-time to combine time-based access and days-of-week, or it
can be used by itself (with all hours allowed on allowed days).

Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Values Sun, Mon, Tue, Wed, Thu, Fri, Sat
Default Value None
Syntax DirectoryString
Example rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri

4.17.5. rootdn-deny-ip
This sets what IP addresses, either IPv4 or IPv6, for machines the root user is not allowed to
use to access the Directory Server. Any IP addresses not listed are implicitly allowed.

NOTE

Deny rules supersede allow rules, so if an IP address is listed in both the
rootdn-allow-ip and rootdn-deny-ip attributes, it is denied access.

Wildcards are allowed.

This attribute can be used multiple times to specify multiple addresses, domains, or
subnets.

Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Range Any valid IPv4 or IPv6 address, including asterisks (*) for wildcards
Default Value None
Syntax DirectoryString
Example rootdn-deny-ip: 192.168.0.0

4.17.6. rootdn-open-time
This sets part of a time period or range when the root user is allowed to access the
Directory Server. This sets when the time-based access begins.

This is used in conjunction with the rootdn-close-time attribute.

Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Range Any valid time, in a 24-hour format
Default Value None
Syntax Integer
Example rootdn-open-time: 0800
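The following added example models how the rootdn-allow-host, rootdn-allow-ip, rootdn-deny-ip, rootdn-days-allowed, rootdn-open-time and rootdn-close-time attributes described in this section combine into one access decision. It is not the plug-in's own code and does not talk to a server: the plug-in entry is a constructed LDIF fragment with sample values, and two details the text leaves open are assumptions, namely that a match in either the host allow list or the IP allow list is enough, and that the open time is inclusive while the close time is exclusive.

```python
import fnmatch
from datetime import datetime

# Constructed configuration fragment for the plug-in entry (sample values).
ROOTDN_PLUGIN_LDIF = """\
dn: cn=RootDN Access Control Plugin,cn=plugins,cn=config
rootdn-open-time: 0800
rootdn-close-time: 1700
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri
rootdn-allow-host: *.example.com
rootdn-allow-ip: 192.168.*.*
rootdn-deny-ip: 192.168.0.0
"""

WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order


def parse_ldif_entry(text):
    """Collect 'attribute: value' lines into {attribute (lower-case): [values]}."""
    entry = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _matches_any(patterns, candidate):
    """The attributes accept asterisks as wildcards; fnmatch gives that behaviour."""
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in patterns)


def rootdn_access_allowed(config, client_ip, client_host, when_iso):
    """Decide a root DN bind from client_ip/client_host at when_iso (ISO 8601, server time).

    Returns (allowed, reason), applying the documented rules in this order:
      1. rootdn-deny-ip supersedes every allow rule;
      2. once any allow rule exists, unlisted hosts/IPs are implicitly denied
         (assumption: a match in either the host list or the IP list suffices);
      3. rootdn-days-allowed restricts the weekday;
      4. rootdn-open-time/rootdn-close-time bound the time of day
         (assumption: open time inclusive, close time exclusive).
    """
    when = datetime.fromisoformat(when_iso)
    if _matches_any(config.get("rootdn-deny-ip", []), client_ip):
        return False, "client IP matches rootdn-deny-ip"
    allow_ip = config.get("rootdn-allow-ip", [])
    allow_host = config.get("rootdn-allow-host", [])
    if (allow_ip or allow_host) and not (
            _matches_any(allow_ip, client_ip) or _matches_any(allow_host, client_host)):
        return False, "client not listed in rootdn-allow-ip or rootdn-allow-host"
    days = [d.strip().lower()
            for value in config.get("rootdn-days-allowed", []) for d in value.split(",")]
    if days and WEEKDAYS[when.weekday()] not in days:
        return False, "weekday not in rootdn-days-allowed"
    open_time = config.get("rootdn-open-time", [None])[0]
    close_time = config.get("rootdn-close-time", [None])[0]
    if open_time and close_time:
        hhmm = when.hour * 100 + when.minute  # compare in the 24-hour HHMM form used above
        if not int(open_time) <= hhmm < int(close_time):
            return False, "outside the rootdn-open-time/rootdn-close-time window"
    return True, "allowed"


def decide(client_ip, client_host, when_iso):
    """Evaluate the sample configuration; returns (allowed, reason)."""
    return rootdn_access_allowed(parse_ldif_entry(ROOTDN_PLUGIN_LDIF),
                                 client_ip, client_host, when_iso)


if __name__ == "__main__":
    for args in [("192.168.1.10", "admin.example.com", "2019-01-07T09:30:00"),
                 ("192.168.0.0", "admin.example.com", "2019-01-07T09:30:00"),
                 ("192.168.1.10", "admin.example.com", "2019-01-05T09:30:00")]:
        print(args, decide(*args))
```

The deny check runs first, which is what makes 192.168.0.0 fail even though it also matches the 192.168.*.* allow pattern; the remaining rules only narrow an already-allowed client further.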


CHAPTER 5. DIRECTORY ENTRY SCHEMA REFERENCE

5.1. ABOUT DIRECTORY SERVER SCHEMA


This chapter provides an overview of some of the basic concepts of the directory schema
and lists the files in which the schema is described. It describes object classes, attributes,
and object identifiers (OIDs) and briefly discusses extending server schema and schema
checking.

5.1.1. Schema Definitions


The directory schema is a set of rules that defines how data can be stored in the directory.
Directory information is stored in discrete entries, and each entry is comprised of a set of
attributes and their values. The kind of identity being described in the entry is defined in
the entry's object classes. An object class specifies the kind of object the entry describes
through the defined set of attributes for the object class.

Basically, the schema files are lists of the kinds of entries that can be created (the object
classes) and the ways that those entries can be described (the attributes). The schema
defines what the object classes and attributes are. The schema also defines the format that
the attribute values contain (the attribute's syntax) and whether there can only be a single
instance of that attribute.

Additional schema files can be added to the Directory Server configuration and loaded in
the server, so the schema is customizable and can be extended as required.

For more detailed information about object classes, attributes, and how the
Directory Server uses the schema, see the Deployment Guide.


WARNING

The Directory Server fails to start if the schema definitions contain too
few or too many characters. Use exactly one space in those places where
the LDAP standards allow the use of zero or many spaces; for example,
the place between the NAME keyword and the name of an attribute type.

5.1.1.1. Object Classes

In LDAP, an object class defines the set of attributes that can be used to define an entry.
The LDAP standard provides object classes for many common types of entries, such as
people (person and inetOrgPerson), groups (groupOfUniqueNames), locations (locality),
organizations and divisions (organization and organizationalUnit), and equipment
(device).

In a schema file, an object class is identified by the objectclasses line, then followed by
its OID, name, a description, its direct superior object class (an object class which is
required to be used in conjunction with the object class and which shares its attributes with
this object class), and the list of required (MUST) and allowed (MAY) attributes.

This is shown in Example 5.1, “person Object Class Schema Entry”.


Example 5.1. person Object Class Schema Entry

objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )

5.1.1.1.1. Required and Allowed Attributes

Every object class defines a number of required attributes and of allowed attributes.
Required attributes must be present in entries using the specified object class, while
allowed attributes are permissible and available for the entry to use, but are not required
for the entry to be valid.

As in Example 5.1, “person Object Class Schema Entry”, the person object class requires
the cn, sn, and objectClass attributes and allows the description, seeAlso,
telephoneNumber, and userPassword attributes.

NOTE

All entries require the objectClass attribute, which lists the object classes
assigned to the entry.

5.1.1.1.2. Object Class Inheritance

An entry can have more than one object class. For example, the entry for a person is
defined by the person object class, but the same person may also be described by
attributes in the inetOrgPerson and organizationalPerson object classes.

Additionally, object classes can be hierarchical. An object class can inherit attributes from
another class, in addition to its own required and allowed attributes. The second object
class is the superior object class of the first.

The server's object class structure determines the list of required and allowed attributes for
a particular entry. For example, a user's entry has to have the inetOrgPerson object class.
In that case, the entry must also include the superior object class for inetOrgPerson,
organizationalPerson, and the superior object class for organizationalPerson, which is
person:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

When the inetOrgPerson object class is assigned to an entry, the entry automatically
inherits the required and allowed attributes from the superior object classes.

5.1.1.2. Attributes

Directory entries are composed of attributes and their values. These pairs are called
attribute-value assertions or AVAs. Any piece of information in the directory is associated
with a descriptive attribute. For instance, the cn attribute is used to store a person's full
name, such as cn: John Smith.


Additional attributes can supply additional information about John Smith:

givenname: John
surname: Smith
mail: [email protected]

In a schema file, an attribute is identified by the attributetypes line, then followed by its
OID, name, a description, syntax (allowed format for its value), optionally whether the
attribute is single- or multi-valued, and where the attribute is defined.

This is shown in Example 5.2, “description Attribute Schema Entry”.

Example 5.2. description Attribute Schema Entry

attributetypes: ( 2.5.4.13 NAME 'description' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2256' )

Some attributes can be abbreviated. These abbreviations are listed as part of the attribute
definition:

attributetypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) ...

5.1.1.2.1. Directory Server Attribute Syntaxes

The attribute's syntax defines the format of the values which the attribute allows; as with
other schema elements, the syntax is defined for an attribute using the syntax's OID in the
schema file entry. In the Directory Server Console, the syntax is referenced by its friendly
name.

The Directory Server uses the attribute's syntax to perform sorting and pattern matching
on entries.

For more information about LDAP attribute syntaxes, see RFC 4517.

Table 5.1. Supported LDAP Attribute Syntaxes

Name OID Definition
Binary 1.3.6.1.4.1.1466.115.121.1.5 Deprecated. Use Octet String instead.
Bit String 1.3.6.1.4.1.1466.115.121.1.6 For values which are bit strings, such as '0101111101'B.
Boolean 1.3.6.1.4.1.1466.115.121.1.7 For attributes with only two allowed values, TRUE or FALSE.
Country String 1.3.6.1.4.1.1466.115.121.1.11 For values which are limited to exactly two printable string characters; for example, US for the United States.
DN 1.3.6.1.4.1.1466.115.121.1.12 For values which are distinguished names (DNs).
Delivery Method 1.3.6.1.4.1.1466.115.121.1.14 For values which contain a preferred method of delivering information or contacting an entity. The different values are separated by a dollar sign ($). For example: telephone $ physical
Directory String 1.3.6.1.4.1.1466.115.121.1.15 For values which are valid UTF-8 strings. These values are not necessarily case-insensitive. Both case-sensitive and case-insensitive matching rules are available for Directory String and related syntaxes.
Enhanced Guide 1.3.6.1.4.1.1466.115.121.1.21 For values which contain complex search parameters based on attributes and filters.
Facsimile 1.3.6.1.4.1.1466.115.121.1.22 For values which contain fax numbers.
Fax 1.3.6.1.4.1.1466.115.121.1.23 For values which contain the images of transmitted faxes.
Generalized Time 1.3.6.1.4.1.1466.115.121.1.24 For values which are encoded as printable strings. The time zone must be specified. It is strongly recommended to use GMT time.
Guide 1.3.6.1.4.1.1466.115.121.1.25 Obsolete. For values which contain complex search parameters based on attributes and filters.
IA5 String 1.3.6.1.4.1.1466.115.121.1.26 For values which are valid strings. These values are not necessarily case-insensitive. Both case-sensitive and case-insensitive matching rules are available for IA5 String and related syntaxes.
Integer 1.3.6.1.4.1.1466.115.121.1.27 For values which are whole numbers.
JPEG 1.3.6.1.4.1.1466.115.121.1.28 For values which contain image data.
Name and Optional UID 1.3.6.1.4.1.1466.115.121.1.34 For values which contain a combination value of a DN and (optional) unique ID.
Numeric String 1.3.6.1.4.1.1466.115.121.1.36 For values which contain a string of both numerals and spaces.
OctetString 1.3.6.1.4.1.1466.115.121.1.40 For values which are binary; this replaces the binary syntax.
Object Class Description 1.3.6.1.4.1.1466.115.121.1.37 For values which contain object class definitions.
OID 1.3.6.1.4.1.1466.115.121.1.38 For values which contain OID definitions.
Postal Address 1.3.6.1.4.1.1466.115.121.1.41 For values which are encoded in the format postal-address = dstring * ("$" dstring). For example: 1234 Main St.$Raleigh, NC 12345$USA. Each dstring component is encoded as a DirectoryString value. Backslashes and dollar characters, if they occur, are quoted, so that they will not be mistaken for line delimiters. Many servers limit the postal address to 6 lines of up to thirty characters.
Printable String 1.3.6.1.4.1.1466.115.121.1.44 For values which contain printable strings.
Space-Insensitive String 2.16.840.1.113730.3.7.1 For values which contain space-insensitive strings.
TelephoneNumber 1.3.6.1.4.1.1466.115.121.1.50 For values which are in the form of telephone numbers. It is recommended to use telephone numbers in international form.
Teletex Terminal Identifier 1.3.6.1.4.1.1466.115.121.1.51 For values which contain an international telephone number.
Telex Number 1.3.6.1.4.1.1466.115.121.1.52 For values which contain a telex number, country code, and answerback code of a telex terminal.
URI (no OID listed) For values in the form of a URL, introduced by a string such as http://, https://, ftp://, ldap://, and ldaps://. The URI has the same behavior as IA5 String. See RFC 4517 for more information on this syntax.

5.1.1.2.2. Single- and Multi-Valued Attributes


By default, most attributes are multi-valued. This means that an entry can contain the
same attribute multiple times, with different values. For example:

dn: uid=jsmith,ou=marketing,ou=people,dc=example,dc=com
ou: marketing
ou: people

The cn, tel, and objectclass attributes, for example, all can have more than one value.
Attributes that are single-valued (that is, only one instance of the attribute can be
specified) are marked in the schema as allowing only a single value. For example,
uidNumber can only have one possible value, so its schema entry has the term SINGLE-
VALUE. If the attribute is multi-valued, there is no value expression.

5.1.2. Default Directory Server Schema Files


Template schema definitions for Directory Server are stored in the /etc/dirsrv/schema
directory. These default schema files are used to generate the schema files for new
Directory Server instances. Each server instance has its own instance-specific schema
directory in /etc/dirsrv/slapd-instance/schema. The schema files in the instance
directory are used only by that instance.

To modify the directory schema, create new attributes and new object classes in the
instance-specific schema directory. Because the default schema is used for creating new
instances and each individual instance has its own schema files, it is possible to have
slightly different schema for each instance, matching the use of each instance.

Any custom attributes added using the Directory Server Console or LDAP commands are
stored in the 99user.ldif file; other custom schema files can be added to the
/etc/dirsrv/slapd-instance/schema directory for each instance. Do not make any
modifications to the standard files that come with Red Hat Directory Server.

For more information about how the Directory Server stores information and suggestions
for planning directory schema, see the Deployment Guide.

Table 5.2. Schema Files

Schema File Purpose
00core.ldif Recommended core schema from the X.500 and LDAP standards (RFCs). This schema is used by the Directory Server itself for the instance configuration and to start the server instance.
01core389.ldif Recommended core schema from the X.500 and LDAP standards (RFCs). This schema is used by the Directory Server itself for the instance configuration and to start the server instance.
02common.ldif Standard-related schema from RFC 2256, LDAPv3, and standard schema defined by Directory Server which is used to configure entries.
05rfc2927.ldif Schema from RFC 2927, "MIME Directory Profile for LDAP Schema."
05rfc4523.ldif Schema definitions for X.509 certificates.
05rfc4524.ldif Cosine LDAP/X.500 schema.
06inetorgperson.ldif inetorgperson schema elements from RFC 2798, RFC 2079, and part of RFC 1274.
10rfc2307.ldif Schema from RFC 2307, "An Approach for Using LDAP as a Network Information Service."
20subscriber.ldif Common schema element for Directory Server-Nortel subscriber interoperability.
25java-object.ldif Schema from RFC 2713, "Schema for Representing Java Objects in an LDAP Directory."
28pilot.ldif Schema from the pilot RFCs, especially RFC 1274, that are no longer recommended for use in new deployments.
30ns-common.ldif Common schema.
50ns-admin.ldif Schemas used by the Administration Server.
50ns-certificate.ldif Schemas used by Red Hat Certificate System.
50ns-directory.ldif Schema used by legacy Directory Server 4.x servers.
50ns-mail.ldif Schema for mail servers.
50ns-value.ldif Schema for value items in Directory Server.
50ns-web.ldif Schema for web servers.
60autofs.ldif Object classes for automount configuration; this is one of several schema files used for NIS servers.
60eduperson.ldif Schema elements for education-related people and organization entries.
60mozilla.ldif Schema elements for Mozilla-related user profiles.
60nss-ldap.ldif Schema elements for GSS-API service names.
60pam-plugin.ldif Schema elements for integrating directory services with PAM modules.
60pureftpd.ldif Schema elements for defining FTP user accounts.
60rfc2739.ldif Schema elements for calendars and vCard properties.
60rfc3712.ldif Schema elements for configuring printers.
60sabayon.ldif Schema elements for defining sabayon user entries.
60sudo.ldif Schema elements for defining sudo users and roles.
60trust.ldif Schema elements for defining trust relationships for NSS or PAM.
99user.ldif Custom schema elements added through the Directory Server Console.

5.1.3. Object Identifiers (OIDs)


All schema elements have object identifiers (OIDs) assigned to them, including attributes
and object classes. An OID is a sequence of integers, usually written as a dot-separated
string. All custom attributes and classes must conform to the X.500 and LDAP standards.


WARNING

If an OID is not specified for a schema element, Directory Server
automatically uses ObjectClass_name-oid and attribute_name-oid.
However, because using text OIDs instead of numeric OIDs can lead to
problems with clients, server interoperability, and server behavior,
assigning a numeric OID is strongly recommended.

OIDs can be built on. The base OID is a root number which is used for every schema
element for an organization, and then schema elements can be incremented from there. For
example, a base OID could be 1. The company then uses 1.1 for attributes, so every new
attribute has an OID of 1.1.x. It uses 1.2 for object classes, so every new object class has
an OID of 1.2.x.

For Directory Server-defined schema elements, the base OIDs are as follows:

The Netscape base OID is 2.16.840.1.113730.

The Directory Server base OID is 2.16.840.1.113730.3.

All Netscape-defined attributes have the base OID 2.16.840.1.113730.3.1.

All Netscape-defined object classes have the base OID 2.16.840.1.113730.3.2.

For more information about OIDs or to request a prefix, go to the Internet Assigned Number
Authority (IANA) website at http://www.iana.org/.

5.1.4. Extending the Schema


The Directory Server schema includes hundreds of object classes and attributes that can be
used to meet most directory requirements. This schema can be extended with new
object classes and attributes that meet evolving requirements for the directory service in
the enterprise by creating custom schema files.

When adding new attributes to the schema, a new object class should be created to contain
them. Adding a new attribute to an existing object class can compromise the
Directory Server's compatibility with existing LDAP clients that rely on the standard LDAP
schema and may cause difficulties when upgrading the server.

For more information about extending server schema, see the Deployment Guide.

5.1.5. Schema Checking


Schema checking means that the Directory Server checks every entry when it is created,
modified, or imported into a database from LDIF, to make sure that it complies with the
schema definitions in the schema files. Schema checking verifies three things:

Object classes and attributes used in the entry are defined in the directory schema.

Attributes required for an object class are contained in the entry.

Only attributes allowed by the object class are contained in the entry.

You should run Directory Server with schema checking turned on. For information on
enabling schema checking, see the Administration Guide.
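The following added example ties together the schema elements introduced in Section 5.1.1 (objectClasses and attributeTypes lines in the form of Examples 5.1 and 5.2, attribute aliases, SINGLE-VALUE, and object class inheritance through SUP) with the three schema checks listed above. It is illustration code written for this reference, not the server's schema checker: the schema fragment is constructed (standard OIDs, but trimmed to the elements the sample entry uses), the entry is a constructed LDIF record, and the parser is a minimal regex reader that assumes the one-line definition style shown in the examples.

```python
import re

# Constructed schema fragment in the objectClasses/attributeTypes form of
# Examples 5.1 and 5.2: standard OIDs, but only the elements the sample entry uses.
SCHEMA_LDIF = """\
attributeTypes: ( 2.5.4.0 NAME 'objectClass' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 X-ORIGIN 'RFC 2256' )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2256' )
attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2256' )
attributeTypes: ( 2.5.4.13 NAME 'description' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2256' )
attributeTypes: ( 2.5.4.20 NAME 'telephoneNumber' SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 X-ORIGIN 'RFC 2256' )
attributeTypes: ( 2.5.4.34 NAME 'seeAlso' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'RFC 2256' )
attributeTypes: ( 2.5.4.35 NAME 'userPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'RFC 2256' )
attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME 'mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'RFC 1274' )
attributeTypes: ( 2.16.840.1.113730.3.1.39 NAME 'preferredLanguage' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2798' )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass X-ORIGIN 'RFC 2256' )
objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person X-ORIGIN 'RFC 2256' )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson MAY ( mail $ preferredLanguage ) X-ORIGIN 'RFC 2798' )
"""

# Constructed entry in the shape of the inetOrgPerson example in Section 5.1.1.1.2.
SAMPLE_ENTRY = """\
dn: uid=jsmith,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Smith
sn: Smith
mail: jsmith@example.com
preferredLanguage: en
"""


def _names(body):
    """NAME 'x' or NAME ( 'x' 'alias' ) -> list of names, primary name first."""
    m = re.search(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))", body)
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))


def _oid_list(body, keyword):
    """'MUST ( sn $ cn )' or 'MUST objectClass' -> ['sn', 'cn'] / ['objectClass']."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|([\w.-]+))" % keyword, body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in raw.split("$") if a.strip()]


def load_schema(text):
    """Index attributeTypes and objectClasses by every name and alias, lower-cased."""
    attrs, classes = {}, {}
    for line in text.splitlines():
        kind, _, body = line.partition(":")
        body = body.strip()
        if not body:
            continue
        oid, names = body.lstrip("( ").split()[0], _names(body)
        if kind.strip().lower() == "attributetypes":
            info, target = {"oid": oid, "names": names, "single": "SINGLE-VALUE" in body}, attrs
        else:
            info, target = {"oid": oid, "names": names, "sup": _oid_list(body, "SUP"),
                            "must": _oid_list(body, "MUST"), "may": _oid_list(body, "MAY")}, classes
        for name in names:
            target[name.lower()] = info
    return attrs, classes


def effective_attributes(classes, object_classes):
    """MUST and MAY sets over the entry's object classes and all their superiors."""
    must, may, seen = set(), set(), set()

    def walk(name):
        key = name.lower()
        if key in seen:
            return
        seen.add(key)
        must.update(a.lower() for a in classes[key]["must"])
        may.update(a.lower() for a in classes[key]["may"])
        for sup in classes[key]["sup"]:
            walk(sup)  # inherit from the superior object class

    for name in object_classes:
        walk(name)
    return must, may


def parse_entry(text):
    """'attribute: value' lines -> {attribute (lower-case): [values]}; the dn line is skipped."""
    entry = {}
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name.strip() and name.strip().lower() != "dn":
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def schema_violations(entry, attrs, classes):
    """The three schema checks plus the SINGLE-VALUE rule; [] means the entry passes."""
    object_classes = entry.get("objectclass", [])
    # Check 1: every object class and attribute used must be defined in the schema.
    problems = ["object class %s is not defined" % oc for oc in object_classes if oc.lower() not in classes]
    problems += ["attribute %s is not defined" % a for a in entry if a not in attrs]
    if not object_classes:
        problems.append("entry has no objectClass attribute")
    if problems:
        return problems
    canon = lambda a: attrs[a.lower()]["names"][0].lower() if a.lower() in attrs else a.lower()
    must, may = effective_attributes(classes, object_classes)
    must, may = {canon(a) for a in must}, {canon(a) for a in may}
    present = {canon(a) for a in entry}  # aliases such as commonName count as cn
    # Check 2: required attributes present; check 3: only allowed attributes present.
    problems += ["required attribute %s is missing" % a for a in sorted(must - present)]
    problems += ["attribute %s is not allowed by the entry's object classes" % a
                 for a in sorted(present - must - may)]
    problems += ["single-valued attribute %s has %d values" % (a, len(v))
                 for a, v in entry.items() if attrs[a]["single"] and len(v) > 1]
    return problems


def check_ldif_entry(entry_text):
    attrs, classes = load_schema(SCHEMA_LDIF)
    return schema_violations(parse_entry(entry_text), attrs, classes)


if __name__ == "__main__":
    print(check_ldif_entry(SAMPLE_ENTRY))
    print(check_ldif_entry(SAMPLE_ENTRY.replace("sn: Smith\n", "")))
```

Dropping objectClass: inetOrgPerson from the sample entry makes mail and preferredLanguage violate the third check, because person and organizationalPerson do not allow them; the same entry with commonName in place of cn still passes, since the alias resolves to the same attribute type.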

5.1.6. Syntax Validation


Syntax validation means that the Directory Server checks that the value of an attribute
matches the required syntax for that attribute. For example, syntax validation will confirm
that a new telephoneNumber attribute actually has a valid telephone number for its value.

With its basic configuration, syntax validation (like schema checking) checks any
directory modification to make sure the attribute value matches the required syntax and
rejects any modifications that violate the syntax. Optionally, syntax validation can be
configured to log warning messages about syntax violations, and either reject the change
or allow the modification process to succeed.

All syntaxes are validated against RFC 4514, except for DNs. By default, DNs are validated
against RFC 1779 or RFC 2253, which are less strict than RFC 4514. Strict validation for DNs
has to be explicitly configured.

This feature checks all attribute syntaxes listed in Table 5.1, “Supported LDAP Attribute
Syntaxes”, with the exception of binary syntaxes (which cannot be verified) and non-
standard syntaxes, which do not have a defined required format. The unvalidated syntaxes
are as follows:

Fax (binary)

OctetString (binary)

JPEG (binary)

Binary (non-standard)

Space Insensitive String (non-standard)

URI (non-standard)

When syntax validation is enabled, new attribute values are checked whenever an attribute
is added to or modified in an entry. (This does not include replication changes, since the
syntax would already have been checked on the supplier server.) It is also possible to check
existing attribute values for syntax violations by running the syntax-validation.pl script.

For information on options for syntax validation, see the Administration Guide.
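The following added example shows the shape of syntax validation for a handful of the syntaxes in Table 5.1, keyed by syntax OID, and passes through the binary and non-standard syntaxes listed above as unvalidated. It is illustration code, not the server's validator or the syntax-validation.pl script: the checks are simplified readings of RFC 4517 (the DN check in particular assumes no escaped commas), and the attribute-to-syntax map is a constructed stand-in for the schema.

```python
import re

# Syntax OIDs from Table 5.1 that this example checks.
BOOLEAN = "1.3.6.1.4.1.1466.115.121.1.7"
COUNTRY_STRING = "1.3.6.1.4.1.1466.115.121.1.11"
DN = "1.3.6.1.4.1.1466.115.121.1.12"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
GENERALIZED_TIME = "1.3.6.1.4.1.1466.115.121.1.24"
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
INTEGER = "1.3.6.1.4.1.1466.115.121.1.27"
TELEPHONE_NUMBER = "1.3.6.1.4.1.1466.115.121.1.50"

# Syntaxes the text lists as not validated: binary or non-standard.
UNVALIDATED = {
    "1.3.6.1.4.1.1466.115.121.1.23": "Fax (binary)",
    "1.3.6.1.4.1.1466.115.121.1.40": "OctetString (binary)",
    "1.3.6.1.4.1.1466.115.121.1.28": "JPEG (binary)",
    "1.3.6.1.4.1.1466.115.121.1.5": "Binary (non-standard)",
    "2.16.840.1.113730.3.7.1": "Space Insensitive String (non-standard)",
}

# PrintableString characters (RFC 4517): letters, digits, ' ( ) + , - . / : ? = and space.
_PRINTABLE = re.compile(r"^[A-Za-z0-9'()+,./:?= -]+$")
# GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction] followed by a mandatory time zone.
_GENTIME = re.compile(r"^\d{10}(\d{2}(\d{2})?)?([.,]\d+)?(Z|[+-]\d{2}(\d{2})?)$")
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def _is_dn(value):
    """Simplified RFC 4514 shape check (assumption: no escaped commas in the value)."""
    if value == "":
        return True  # the empty DN is a valid DN
    return all(_RDN.match(rdn.strip()) for rdn in value.split(","))


CHECKS = {
    BOOLEAN: lambda v: v in ("TRUE", "FALSE"),
    COUNTRY_STRING: lambda v: len(v) == 2 and _PRINTABLE.match(v) is not None,
    DN: _is_dn,
    DIRECTORY_STRING: lambda v: v != "",  # any non-empty UTF-8 string
    GENERALIZED_TIME: lambda v: _GENTIME.match(v) is not None,
    IA5_STRING: lambda v: all(ord(c) < 128 for c in v),
    INTEGER: lambda v: re.match(r"^-?(0|[1-9]\d*)$", v) is not None,
    TELEPHONE_NUMBER: lambda v: _PRINTABLE.match(v) is not None,
}


def validate_value(syntax_oid, value):
    """Return (ok, message) for one attribute value under the given syntax."""
    if syntax_oid in UNVALIDATED:
        return True, "not validated: " + UNVALIDATED[syntax_oid]
    check = CHECKS.get(syntax_oid)
    if check is None:
        return True, "no validator for syntax " + syntax_oid
    if check(value):
        return True, "ok"
    return False, "value %r violates syntax %s" % (value, syntax_oid)


# Constructed attribute-to-syntax map, a trimmed stand-in for the schema.
ATTRIBUTE_SYNTAX = {
    "telephonenumber": TELEPHONE_NUMBER, "seealso": DN, "mail": IA5_STRING,
    "uidnumber": INTEGER, "c": COUNTRY_STRING, "createtimestamp": GENERALIZED_TIME,
    "jpegphoto": "1.3.6.1.4.1.1466.115.121.1.28",
}


def validate_entry(entry):
    """entry: {attribute: [values]} -> list of violations; [] means every value is clean."""
    violations = []
    for attr, values in entry.items():
        syntax = ATTRIBUTE_SYNTAX.get(attr.lower())
        if syntax is None:
            continue  # unknown attributes are schema checking's job, not syntax validation's
        for value in values:
            ok, message = validate_value(syntax, value)
            if not ok:
                violations.append("%s: %s" % (attr, message))
    return violations


if __name__ == "__main__":
    print(validate_entry({"telephoneNumber": ["+1 919 555 0100"],
                          "seeAlso": ["not a dn"], "uidNumber": ["1001"]}))
```

A value such as 20190107120000 without a zone fails Generalized Time because the table requires the time zone; the same value with a trailing Z passes.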

5.2. ENTRY ATTRIBUTE REFERENCE


The attributes listed in this reference are manually assigned or available to directory
entries. The attributes are listed in alphabetical order with their definition, syntax, and OID.

5.2.1. abstract
The abstract attribute contains an abstract for a document entry.

OID 0.9.2342.19200300.102.1.9

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.2. accessTo
This attribute defines what specific hosts or servers a user is allowed to access.


OID 5.3.6.1.1.1.1.1

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in nss_ldap/pam_ldap

5.2.3. accountInactivityLimit
The accountInactivityLimit attribute sets the time period, in seconds, from the last login
time of an account before that account is locked for inactivity.

OID 1.3.6.1.4.1.11.1.3.2.1.3

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

5.2.4. acctPolicySubentry
The acctPolicySubentry attribute identifies any entry which belongs to an account policy
(specifically, an account lockout policy). The value of this attribute points to the account
policy which is applied to the entry.

This can be set on an individual user entry or on a CoS template entry or role entry.

OID 1.3.6.1.4.1.11.1.3.2.1.2

Syntax DN

Multi- or Single-Valued Single-valued

Defined in Directory Server

5.2.5. administratorContactInfo
This attribute contains the contact information for the LDAP or server administrator.

OID 2.16.840.1.113730.3.1.74

Syntax DirectoryString

Multi- or Single-Valued Multi-valued


Defined in Netscape Administration Services

5.2.6. adminRole
This attribute contains the role assigned to the user identified in the entry.

OID 2.16.840.1.113730.3.1.601

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape Administration Services

5.2.7. adminUrl
This attribute contains the URL of the Administration Server.

OID 2.16.840.1.113730.3.1.75

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.8. aliasedObjectName
The aliasedObjectName attribute is used by the Directory Server to identify alias entries.
This attribute contains the DN (distinguished name) for the entry for which this entry is the
alias. For example:

aliasedObjectName: uid=jdoe,ou=people,dc=example,dc=com

OID 2.5.4.1

Syntax DN

Multi- or Single-Valued Single-valued

Defined in RFC 2256

5.2.9. associatedDomain
The associatedDomain attribute contains the DNS domain associated with the entry in the
directory tree. For example, the entry with the distinguished name c=US,o=Example
Corporation has the associated domain of EC.US. These domains should be represented in
RFC 822 order.

associatedDomain: US

OID 0.9.2342.19200300.100.1.37

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.10. associatedName
The associatedName identifies an organizational directory tree entry associated with a DNS
domain. For example:

associatedName: c=us

OID 0.9.2342.19200300.100.1.38

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.11. attributeTypes
This attribute is used in a schema file to identify an attribute defined within the subschema.

OID 2.5.21.5

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2252

5.2.12. audio
The audio attribute contains a sound file using a binary format. This attribute uses au-law
encoded sound data. For example:

audio:: AAAAAA==


OID 0.9.2342.19200300.100.1.55

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.13. authorCn
The authorCn attribute contains the common name of the document's author. For example:

authorCn: John Smith

OID 0.9.2342.19200300.102.1.11

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.14. authorityRevocationList
The authorityRevocationList attribute contains a list of revoked CA certificates. This
attribute should be requested and stored in a binary format, like
authorityRevocationList;binary. For example:

authorityrevocationlist;binary:: AAAAAA==

OID 2.5.4.38

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.15. authorSn
The authorSn attribute contains the last name or family name of the author of a document
entry. For example:

authorSn: Smith

OID 0.9.2342.19200300.102.1.12

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.16. automountInformation
This attribute contains information used by the autofs automounter.

NOTE

The automountInformation attribute is defined in 60autofs.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
60autofs.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.33

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.17. bootFile
This attribute contains the boot image file name.

NOTE

The bootFile attribute is defined in 10rfc2307.ldif in the Directory Server.
To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and
copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory
to the /etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.24

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2307

5.2.18. bootParameter
This attribute contains the value for rpc.bootparamd.

NOTE

The bootParameter attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.23

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2307

5.2.19. buildingName
The buildingName attribute contains the building name associated with the entry. For
example:

buildingName: 14

OID 0.9.2342.19200300.100.1.48

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.20. businessCategory
The businessCategory attribute identifies the type of business in which the entry is
engaged. The attribute value should be a broad generalization, such as a corporate division
level. For example:

businessCategory: Engineering

OID 2.5.4.15

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.21. c (countryName)
The countryName, or c, attribute contains the two-character country code that represents the
country name. The country codes are defined by the ISO. For example:

countryName: GB
c: US

OID 2.5.4.6

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 2256

5.2.22. cACertificate
The cACertificate attribute contains a CA certificate. The attribute should be requested
and stored in binary format, such as cACertificate;binary. For example:

cACertificate;binary:: AAAAAA==

OID 2.5.4.37

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.23. carLicense
The carLicense attribute contains an entry's automobile license plate number. For
example:

carLicense: 6ABC246

OID 2.16.840.1.113730.3.1.1

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2798

5.2.24. certificateRevocationList
The certificateRevocationList attribute contains a list of revoked user certificates. The
attribute value is to be requested and stored in binary form, as
certificateRevocationList;binary. For example:

certificateRevocationList;binary:: AAAAAA==

OID 2.5.4.39

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.25. cn (commonName)
The commonName attribute contains the name of an entry. For user entries, the cn attribute is
typically the person's full name. For example:

commonName: John Smith
cn: Bill Anderson

With the LDAPReplica or LDAPServer object classes, the cn attribute value has the
following format:

cn: replicater.example.com:17430/dc%3Dexample%2Cdc%3com

OID 2.5.4.3

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.26. co (friendlyCountryName)
The friendlyCountryName attribute contains a country name; this can be any string. Often,
the c attribute holds the ISO-designated two-letter country code, while the co attribute
contains a readable country name. For example:

friendlyCountryName: Ireland
co: Ireland

OID 0.9.2342.19200300.100.1.43

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.27. cosAttribute
The cosAttribute contains the name of the attribute for which to generate a value for the
CoS. There can be more than one cosAttribute value specified. This attribute is used by all
types of CoS definition entries.

OID 2.16.840.1.113730.3.1.550

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.28. cosIndirectSpecifier
The cosIndirectSpecifier specifies the attribute values used by an indirect CoS to
identify the template entry.

OID 2.16.840.1.113730.3.1.577

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

5.2.29. cosPriority
The cosPriority attribute specifies which template provides the attribute value when CoS
templates compete to provide an attribute value. This attribute represents the global
priority of a template. A priority of zero is the highest priority.

OID 2.16.840.1.113730.3.1.569

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in Directory Server

5.2.30. cosSpecifier
The cosSpecifier attribute contains the attribute value used by a classic CoS, which, along
with the template entry's DN, identifies the template entry.

OID 2.16.840.1.113730.3.1.551

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

5.2.31. cosTargetTree
The cosTargetTree attribute defines the subtrees to which the CoS schema applies. The
target trees of multiple CoS definitions may overlap arbitrarily.

OID 2.16.840.1.113730.3.1.552

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

5.2.32. cosTemplateDn
The cosTemplateDn attribute contains the DN of the template entry which contains a list of
the shared attribute values. Changes to the template entry attribute values are
automatically applied to all the entries within the scope of the CoS. A single CoS might
have more than one template entry associated with it.

OID 2.16.840.1.113730.3.1.553

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

5.2.33. crossCertificatePair
The value for the crossCertificatePair attribute must be requested and stored in binary
format, such as crossCertificatePair;binary. For example:

crossCertificatePair;binary:: AAAAAA==

OID 2.5.4.40

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.34. dc (domainComponent)
The dc attribute contains one component of a domain name. For example:

dc: example
domainComponent: example

OID 0.9.2342.19200300.100.1.25

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 2247

5.2.35. deltaRevocationList
The deltaRevocationList attribute contains a certificate revocation list (CRL). The
attribute value is requested and stored in binary format, such as
deltaRevocationList;binary.

OID 2.5.4.53

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2256
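The Binary-syntax attributes above (authorityRevocationList, cACertificate, certificateRevocationList, crossCertificatePair and deltaRevocationList) all appear in LDIF in the double-colon form, attr;binary:: base64, and the same form is used later for jpegPhoto and audio. The following Python is an added example, not code from Red Hat Directory Server: it unfolds an LDIF entry, separates the attribute type from options such as ;binary, decodes the base64 form into raw bytes, and then checks the entry against a subset of the single-valued attributes this reference lists. The sample entry, the AAAAAA== placeholder values and the SINGLE_VALUED set are constructed for the demonstration; the set stands in for the full server schema and is an assumption of the example.

```python
import base64
from typing import Dict, List, Tuple

# Single-valued attribute types listed in this reference (lower-cased for lookup).
# Assumption for the demo: this subset stands in for the full server schema.
SINGLE_VALUED = {"aliasedobjectname", "c", "dc", "displayname", "gecos",
                 "gidnumber", "homedirectory", "loginshell", "mail"}

# Constructed sample entry. "AAAAAA==" is the same placeholder the reference
# uses; it decodes to four zero bytes, not to a real certificate or JPEG.
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Smith
displayName: John Smith
c: US
mail: jsmith@example.com
cACertificate;binary:: AAAAAA==
jpegPhoto:: AAAAAA==
description: Quality control inspector
  for the ME2873 product line.
"""

Attrs = Dict[str, List[Tuple[List[str], bytes]]]


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line, and that single space is dropped."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_line(line: str) -> Tuple[str, List[str], bytes]:
    """Split 'type[;option]*: value' or 'type[;option]*:: base64' into
    (lower-cased type, options, raw value bytes)."""
    desc, sep, rest = line.partition(":")
    if not sep or not desc:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if rest.startswith(":"):
        # '::' marks a base64-encoded value. LDIF requires it for Binary syntax
        # (the ;binary attributes) and for any value that is not a safe string.
        value = base64.b64decode(rest[1:].strip(), validate=True)
    elif rest.startswith("<"):
        raise ValueError("':<' (value read from a URL) is not handled in this example")
    else:
        # Plain form: the single optional space after the colon is not part of the value.
        value = (rest[1:] if rest.startswith(" ") else rest).encode("utf-8")
    attr_type, *options = desc.split(";")
    return attr_type.lower(), [o.lower() for o in options], value


def parse_entry(text: str) -> Tuple[str, Attrs]:
    """Parse one LDIF entry; returns its DN and a map type -> [(options, value), ...]."""
    lines = unfold(text)
    if not lines:
        raise ValueError("empty entry")
    dn_type, _, dn = parse_line(lines[0])
    if dn_type != "dn":
        raise ValueError("an LDIF entry must start with a dn: line")
    attrs: Attrs = {}
    for line in lines[1:]:
        attr_type, options, value = parse_line(line)
        attrs.setdefault(attr_type, []).append((options, value))
    return dn.decode("utf-8"), attrs


def single_value_violations(attrs: Attrs) -> List[str]:
    """Attribute types that the schema subset marks single-valued but that
    carry more than one value; the server rejects such an entry, so this is
    worth catching before an import."""
    return sorted(t for t, values in attrs.items()
                  if t in SINGLE_VALUED and len(values) > 1)


if __name__ == "__main__":
    dn, attrs = parse_entry(SAMPLE_LDIF)
    print(dn)
    for attr_type, values in attrs.items():
        for options, value in values:
            print(f"{attr_type}{''.join(';' + o for o in options)} = {value!r}")
    print("single-value violations:", single_value_violations(attrs))
```

Attribute types and options are lower-cased because LDAP attribute descriptions are case-insensitive; the raw bytes are returned unchanged so that certificate and CRL values can be handed to a DER parser as they are.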

5.2.36. departmentNumber
The departmentNumber attribute contains an entry's department number. For example:

departmentNumber: 2604

OID 2.16.840.1.113730.3.1.2

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2798

5.2.37. description
The description attribute provides a human-readable description for an entry. For person
or organization object classes, this can be used for the entry's role or work assignment.
For example:

description: Quality control inspector for the ME2873 product line.

OID 2.5.4.13

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.38. destinationIndicator
The destinationIndicator attribute contains the city and country associated with the
entry. This attribute was once required to provide public telegram service and is generally
used in conjunction with the registeredAddress attribute. For example:

destinationIndicator: Stow, Ohio, USA

OID 2.5.4.27

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.39. displayName
The displayName attribute contains the preferred name of a person to use when
displaying that person's entry. This is especially useful for showing the preferred name for
an entry in a one-line summary list. Since other attribute types, such as cn, are multi-
valued, they cannot be used to display a preferred name. For example:

displayName: John Smith

OID 2.16.840.1.113730.3.1.241

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 2798

5.2.40. dITRedirect
The dITRedirect attribute indicates that the object described by one entry now has a
newer entry in the directory tree. This attribute may be used when an individual's place of
work changes, and the individual acquires a new organizational DN.

dITRedirect: cn=jsmith,dc=example,dc=com

OID 0.9.2342.19200300.100.1.54

Syntax DN

Defined in RFC 1274

5.2.41. dmdName
The dmdName attribute value specifies a directory management domain (DMD), the
administrative authority that operates the Directory Server.

OID 2.5.4.54

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 2256

5.2.42. dn (distinguishedName)
The dn attribute contains an entry's distinguished name. For example:

dn: uid=Barbara Jensen,ou=Quality Control,dc=example,dc=com

OID 2.5.4.49

Syntax DN

Defined in RFC 2256

5.2.43. dNSRecord
The dNSRecord attribute contains DNS resource records, including type A (Address), type
MX (Mail Exchange), type NS (Name Server), and type SOA (Start of Authority) resource
records. For example:

dNSRecord: IN NS ns.uu.net

OID 0.9.2342.19200300.100.1.26

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Internet Directory Pilot

5.2.44. documentAuthor
The documentAuthor attribute contains the DN of the author of a document entry. For
example:

documentAuthor: uid=Barbara Jensen,ou=People,dc=example,dc=com

OID 0.9.2342.19200300.100.1.14

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.45. documentIdentifier
The documentIdentifier attribute contains a unique identifier for a document. For
example:

documentIdentifier: L3204REV1

OID 0.9.2342.19200300.100.1.11

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.46. documentLocation
The documentLocation attribute contains the location of the original version of a
document. For example:

documentLocation: Department Library

OID 0.9.2342.19200300.100.1.15

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.47. documentPublisher
The documentPublisher attribute contains the person or organization who published a
document. For example:

documentPublisher: Southeastern Publishing

OID 0.9.2342.19200300.100.1.56

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 1274

5.2.48. documentStore
The documentStore attribute contains information on where the document is stored.

OID 0.9.2342.19200300.102.1.10

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.49. documentTitle
The documentTitle attribute contains a document's title. For example:

documentTitle: Red Hat Directory Server Administrator Guide

OID 0.9.2342.19200300.100.1.12

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.50. documentVersion
The documentVersion attribute contains the current version number for the document. For
example:

documentVersion: 1.1

OID 0.9.2342.19200300.100.1.13

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.51. drink (favouriteDrink)
The favouriteDrink attribute contains a person's favorite beverage. This can be shortened
to drink. For example:

favouriteDrink: iced tea
drink: cranberry juice

OID 0.9.2342.19200300.100.1.5

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.52. dSAQuality
The dSAQuality attribute contains the rating of the directory system agent's (DSA) quality.
This attribute allows a DSA manager to indicate the expected level of availability of the
DSA. For example:

dSAQuality: high

OID 0.9.2342.19200300.100.1.49

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 1274

5.2.53. employeeNumber
The employeeNumber attribute contains the employee number for the person. For example:

employeeNumber: 3441

OID 2.16.840.1.113730.3.1.3

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 2798

5.2.54. employeeType
The employeeType attribute contains the employment type for the person. For example:

employeeType: Full time

OID 2.16.840.1.113730.3.1.4

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2798

5.2.55. enhancedSearchGuide
The enhancedSearchGuide attribute contains information used by an X.500 client to
construct search filters. For example:

enhancedSearchGuide: (uid=bjensen)

OID 2.5.4.47

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2798

5.2.56. fax (facsimileTelephoneNumber)
The facsimileTelephoneNumber attribute contains the entry's facsimile number; this
attribute can be abbreviated as fax. For example:

facsimileTelephoneNumber: +1 415 555 1212
fax: +1 415 555 1212

OID 2.5.4.23

Syntax TelephoneNumber

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.57. gecos
The gecos attribute is used to determine the GECOS field for the user. This is comparable to
the cn attribute, although using a gecos attribute allows additional information to be
embedded in the GECOS field aside from the common name. This field is also useful if the
common name stored in the directory is not the user's full name.

gecos: John Smith

NOTE

The gecos attribute is defined in 10rfc2307.ldif in the Directory Server. To
use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy
the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to
the /etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.2

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.58. generationQualifier
The generationQualifier attribute contains the generation qualifier for a person's name,
which is usually appended as a suffix to the name. For example:

generationQualifier:III

OID 2.5.4.44

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.59. gidNumber
The gidNumber attribute contains a unique numeric identifier for a group entry or to identify
the group for a user entry. This is analogous to the group number in Unix.

gidNumber: 100

NOTE

The gidNumber attribute is defined in 10rfc2307.ldif in the Directory Server.
To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and
copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory
to the /etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.1

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.60. givenName
The givenName attribute contains an entry's given name, which is usually the first name. For
example:

givenName: Rachel

OID 2.5.4.42

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.61. homeDirectory
The homeDirectory attribute contains the path to the user's home directory.

homeDirectory: /home/jsmith

NOTE

The homeDirectory attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.3

Syntax IA5String

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.62. homePhone
The homePhone attribute contains the entry's residential phone number. For example:

homePhone: 415-555-1234

NOTE

Although RFC 1274 defines both homeTelephoneNumber and homePhone as
names for the residential phone number attribute, Directory Server only
implements the homePhone name.

OID 0.9.2342.19200300.100.1.20

Syntax TelephoneNumber

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.63. homePostalAddress
The homePostalAddress attribute contains an entry's home mailing address. Since this
attribute generally spans multiple lines, each line break has to be represented by a dollar
sign ($). To represent an actual dollar sign ($) or backslash (\) in the attribute value, use
the escaped hex values \24 and \5c, respectively. For example:

homePostalAddress: 1234 Ridgeway Drive$Santa Clara, CA$99555

To represent the following string:

The dollar ($) value can be found
in the c:\cost file.

The entry value is:

The dollar (\24) value can be found$in the c:\5cost file.

OID 0.9.2342.19200300.100.1.39

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.64. host
The host attribute contains the host name of a computer. For example:

host: labcontroller01

OID 0.9.2342.19200300.100.1.9

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.65. houseIdentifier
The houseIdentifier attribute contains an identifier for a specific building at a location.
For example:

houseIdentifier: B105

OID 2.5.4.51

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.66. inetDomainBaseDN
This attribute identifies the base DN of the user subtree for a DNS domain.

OID 2.16.840.1.113730.3.1.690

Syntax DN

Multi- or Single-Valued Single-valued

Defined in Subscriber interoperability

5.2.67. inetDomainStatus
This attribute shows the current status of the domain. A domain has a status of active,
inactive, or deleted.

OID 2.16.840.1.113730.3.1.691

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Subscriber interoperability

5.2.68. inetSubscriberAccountId
This attribute contains a unique identifier used to link the user entry for the subscriber
to a billing system.

OID 2.16.840.1.113730.3.1.694

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Subscriber interoperability

5.2.69. inetSubscriberChallenge
The inetSubscriberChallenge attribute contains some kind of question or prompt, the
challenge phrase, which is used to confirm the identity of the user in the
subscriberIdentity attribute. This attribute is used in conjunction with the
inetSubscriberResponse attribute, which contains the response to the challenge.

OID 2.16.840.1.113730.3.1.695

Syntax IA5String

Multi- or Single-Valued Single-valued

Defined in Subscriber interoperability

5.2.70. inetSubscriberResponse
The inetSubscriberResponse attribute contains the answer to the challenge question in
the inetSubscriberChallenge attribute to verify the user in the subscriberIdentity
attribute.

OID 2.16.840.1.113730.3.1.696

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Subscriber interoperability

5.2.71. inetUserHttpURL
This attribute contains the web addresses associated with the user.

OID 2.16.840.1.113730.3.1.693

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Subscriber interoperability

5.2.72. inetUserStatus
This attribute shows the current status of the user (subscriber). A user has a status of
active, inactive, or deleted.

OID 2.16.840.1.113730.3.1.692

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Subscriber interoperability

5.2.73. info
The info attribute contains any general information about an object. Avoid using this
attribute for specific information and rely instead on specific, possibly custom, attribute
types. For example:

info: not valid

OID 0.9.2342.19200300.100.1.4

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.74. initials
The initials attribute contains a person's initials; this does not contain the entry's
surname. For example:

initials: BAJ

Directory Server and Active Directory handle the initials attribute differently. The
Directory Server allows a practically unlimited number of characters, while Active Directory
has a restriction of six characters. If an entry is synced with a Windows peer and the value
of the initials attribute is longer than six characters, then the value is automatically
truncated to six characters when it is synchronized. There is no information written to the
error log to indicate that synchronization changed the attribute value, either.

OID 2.5.4.43

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.75. installationTimeStamp
This contains the time that the server instance was installed.

OID 2.16.840.1.113730.3.1.73

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.76. internationalISDNNumber
The internationalISDNNumber attribute contains the ISDN number of a document entry.
This attribute uses the internationally recognized format for ISDN addresses given in CCITT
Rec. E. 164.

OID 2.5.4.25

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.77. ipHostNumber
This contains the IP address for a server.

NOTE

The ipHostNumber attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.19

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2307

5.2.78. ipNetmaskNumber
This contains the IP netmask for the server.

NOTE

The ipHostNumber attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 2.16.840.1.113730.3.1.73

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2307

5.2.79. ipNetworkNumber
This identifies the IP network.

NOTE

The ipNetworkNumber attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.20

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.80. ipProtocolNumber
This attribute identifies the IP protocol version number.

NOTE

The ipProtocolNumber attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.17

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.81. ipServicePort
This attribute gives the port used by the IP service.

NOTE

The ipServicePort attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.15

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.82. ipServiceProtocol
This identifies the protocol used by the IP service.

NOTE

The ipServiceProtocol attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.16

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2307

5.2.83. janetMailbox
The janetMailbox attribute contains a JANET email address, usually for users located in the
United Kingdom who do not use RFC 822 email addresses. Entries with this attribute must also
contain the rfc822Mailbox attribute.

OID 0.9.2342.19200300.100.1.46

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.84. jpegPhoto
The jpegPhoto attribute contains a JPEG photo, a binary value. For example:

jpegPhoto:: AAAAAA==

OID 0.9.2342.19200300.100.1.60

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2798

5.2.85. keyWords
The keyWords attribute contains keywords associated with the entry. For example:

keyWords: directory LDAP X.500

OID 0.9.2342.19200300.102.1.7

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.86. knowledgeInformation
This attribute is no longer used.

OID 2.5.4.2

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.87. l (localityName)
The localityName, or l, attribute contains the county, city, or other geographical
designation associated with the entry. For example:

localityName: Santa Clara
l: Santa Clara

OID 2.5.4.7

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.88. labeledURI
The labeledURI attribute contains a Uniform Resource Identifier (URI) which is related, in
some way, to the entry. Values placed in the attribute should consist of a URI (currently only
URLs are supported), optionally followed by one or more space characters and a label.

labeledURI: http://home.example.com
labeledURI: http://home.example.com Example website

OID 1.3.6.1.4.1.250.1.57

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2709

5.2.89. loginShell
The loginShell attribute contains the path to a script that is launched automatically when
a user logs into the domain.

loginShell: c:\scripts\jsmith.bat

NOTE

The loginShell attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.4

Syntax IA5String

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.90. macAddress
This attribute gives the MAC address for a server or piece of equipment.

NOTE

The macAddress attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.22

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2307

5.2.91. mail
The mail attribute contains a user's primary email address. This attribute value is retrieved
and displayed by whitepage applications. For example:

mail: [email protected]

OID 0.9.2342.19200300.100.1.3

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 1274

5.2.92. mailAccessDomain
This attribute lists the domain which a user can use to access the messaging server.

OID 2.16.840.1.113730.3.1.12

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.93. mailAlternateAddress
The mailAlternateAddress attribute contains additional email addresses for a user. This
attribute does not reflect the default or primary email address; that email address is set by
the mail attribute.

For example:

mailAlternateAddress: [email protected]
mailAlternateAddress: [email protected]

OID 2.16.840.1.113730.3.1.13

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.94. mailAutoReplyMode
This attribute sets whether automatic replies are enabled for the messaging server.

OID 2.16.840.1.113730.3.1.14

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.95. mailAutoReplyText
This attribute stores the text to use in an auto-reply email.

OID 2.16.840.1.113730.3.1.15

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.96. mailDeliveryOption
This attribute defines the mail delivery mechanism to use for the mail user.

OID 2.16.840.1.113730.3.1.16

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.97. mailEnhancedUniqueMember
This attribute contains the DN of a unique member of a mail group.

OID 2.16.840.1.113730.3.1.31

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.98. mailForwardingAddress
This attribute contains an email address to which to forward a user's email.

OID 2.16.840.1.113730.3.1.17

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.99. mailHost
The mailHost attribute contains the host name of a mail server. For example:

mailHost: mail.example.com

OID 2.16.840.1.113730.3.1.18

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.100. mailMessageStore
This identifies the location of a user's email box.

OID 2.16.840.1.113730.3.1.19

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.101. mailPreferenceOption
The mailPreferenceOption attribute defines whether a user should be included on a mailing
list, both electronic and physical. There are three options.

0 Does not appear in mailing lists.

1 Add to any mailing lists.

2 Added only to mailing lists which the provider views as relevant to the user's interest.

If the attribute is absent, then the default is to assume that the user is not included on any
mailing list. This attribute should be interpreted by anyone using the directory to derive
mailing lists and its value respected. For example:

mailPreferenceOption: 0

OID 0.9.2342.19200300.100.1.47

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 1274

5.2.102. mailProgramDeliveryInfo
This attribute contains any commands to use for programmed mail delivery.

OID 2.16.840.1.113730.3.1.20

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.103. mailQuota
This attribute sets the amount of disk space allowed for a user's mail box.

OID 2.16.840.1.113730.3.1.21

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.104. mailRoutingAddress
This attribute contains the routing address to use when forwarding the emails received by
the user to another messaging server.

OID 2.16.840.1.113730.3.1.24

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.105. manager
The manager attribute contains the distinguished name (DN) of the manager for the person. For
example:

manager: cn=Bill Andersen,ou=Quality Control,dc=example,dc=com

OID 0.9.2342.19200300.100.1.10

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.106. member
The member attribute contains the distinguished names (DNs) of each member of a group.
For example:

member: cn=John Smith,dc=example,dc=com

OID 2.5.4.31

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.107. memberCertificateDescription
This attribute is a multi-valued attribute where each value is a description, a pattern, or a
filter matching the subject DN of a certificate, usually a certificate used for TLS client
authentication.

memberCertificateDescription matches any certificate that contains a subject DN with
the same attribute-value assertions (AVAs) as the description. The description may contain
multiple ou AVAs. A matching DN must contain those same ou AVAs, in the same order,
although it may be interspersed with other AVAs, including other ou AVAs. For any other
attribute type (not ou), there should be at most one AVA of that type in the description. If
there are several, all but the last are ignored.

A matching DN must contain that same AVA but no other AVA of the same type nearer the
root (later, syntactically).

AVAs are considered the same if they contain the same attribute description (case-
insensitive comparison) and the same attribute value (case-insensitive comparison, leading
and trailing whitespace ignored, and consecutive whitespace characters treated as a single
space).

To be considered a member of a group with the following memberCertificateDescription
value, a certificate needs to include ou=x, ou=A, and dc=example, but not dc=company.

memberCertificateDescription: {ou=x,ou=A,dc=company,dc=example}

To match the group's requirements, a certificate's subject DN must contain the same ou
attribute types, with the same values and in the same order, as defined in the
memberCertificateDescription attribute.

OID 2.16.840.1.113730.3.1.199

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Directory Server
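The matching rules above, written out as a small checker (an added example, not code from the original page or from Directory Server): ou AVAs must appear as an ordered subsequence, for every other type only the description's last AVA counts and the subject's AVA of that type nearest the root must equal it, and comparison is case-insensitive with whitespace collapsed. The description value and the candidate subject DNs are constructed samples.

```python
import re
from typing import Dict, List, Tuple

AVA = Tuple[str, str]  # (attribute type, attribute value), both normalized


def normalize(text: str) -> str:
    """Case-insensitive comparison with leading/trailing whitespace dropped and
    consecutive whitespace collapsed to a single space."""
    return " ".join(text.split()).lower()


def parse_dn(dn: str) -> List[AVA]:
    """Split a DN, or a braced memberCertificateDescription value, into
    normalized (type, value) pairs, leftmost RDN first (farthest from the root)."""
    dn = dn.strip()
    if dn.startswith("{") and dn.endswith("}"):
        dn = dn[1:-1]
    avas: List[AVA] = []
    # a comma escaped as "\," belongs to the value and does not end the RDN
    for rdn in re.split(r"(?<!\\),", dn):
        if not rdn.strip():
            continue
        attr, _, value = rdn.partition("=")
        avas.append((normalize(attr), normalize(value)))
    return avas


def is_subsequence(needle: List[str], haystack: List[str]) -> bool:
    """True when every item of needle occurs in haystack in the same order;
    other items may be interspersed."""
    pos = 0
    for item in needle:
        while pos < len(haystack) and haystack[pos] != item:
            pos += 1
        if pos == len(haystack):
            return False
        pos += 1
    return True


def matches_description(description: str, subject_dn: str) -> bool:
    """Decide whether a certificate subject DN satisfies one
    memberCertificateDescription value."""
    desc = parse_dn(description)
    subj = parse_dn(subject_dn)

    # ou AVAs: all of them, in the description's order, possibly interspersed
    desc_ou = [v for a, v in desc if a == "ou"]
    subj_ou = [v for a, v in subj if a == "ou"]
    if not is_subsequence(desc_ou, subj_ou):
        return False

    # any other type: only the last AVA of that type in the description counts
    required: Dict[str, str] = {}
    for a, v in desc:
        if a != "ou":
            required[a] = v

    for a, v in required.items():
        subj_vals = [sv for sa, sv in subj if sa == a]
        # the subject must hold that AVA and no other AVA of the same type
        # nearer the root, i.e. its last (rightmost) AVA of that type must match
        if not subj_vals or subj_vals[-1] != v:
            return False
    return True


# Constructed sample: the description value from the text and a few subject DNs.
DESCRIPTION = "{ou=x,ou=A,dc=company,dc=example}"

if __name__ == "__main__":
    for subject in (
        "cn=Jane Doe,ou=x,ou=y,ou=a,dc=example",        # ou=y interspersed: match
        "cn=Jane Doe,ou=X ,ou= A,dc=company,dc=Example",  # case/whitespace: match
        "cn=Jane Doe,ou=a,ou=x,dc=example",             # wrong ou order: no match
        "cn=Jane Doe,ou=x,ou=a,dc=example,dc=com",      # dc=com nearer the root: no match
        "cn=Jane Doe,ou=x,dc=example",                  # ou=a missing: no match
    ):
        print(f"{subject!r:50} -> {matches_description(DESCRIPTION, subject)}")
```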

5.2.108. memberNisNetgroup

This attribute merges the attribute values of another netgroup into the current one by
listing the name of the merging netgroup.

NOTE

The memberNisNetgroup attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.13

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2307

5.2.109. memberOf
This attribute contains the name of a group of which the user is a member.

memberOf is the default attribute generated by the MemberOf Plug-in on the user entry of a
group member. This attribute is automatically synchronized to the listed member attributes
in a group entry, so that displaying group membership for entries is managed by
Directory Server.

NOTE

This attribute is only synchronized between group entries and the
corresponding members' user entries if the MemberOf Plug-in is enabled and is
configured to use this attribute.

OID 1.2.840.113556.1.2.102

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Netscape Delegated Administrator

5.2.110. memberUid
The memberUid attribute contains the login name of the member of a group; this can be
different than the DN identified in the member attribute.

memberUID: jsmith

NOTE

The memberUID attribute is defined in 10rfc2307.ldif in the Directory Server.
To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and
copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory
to the /etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.12

Syntax IA5String

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.111. memberURL
This attribute identifies a URL associated with each member of a group. Any type of labeled
URL can be used.

memberURL: ldap://cn=jsmith,ou=people,dc=example,dc=com

OID 2.16.840.1.113730.3.1.198

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.112. mepManagedBy
This attribute contains a pointer in an automatically-generated entry that points back to the
DN of the originating entry. This attribute is set by the Managed Entries Plug-in and cannot
be modified manually.

OID 2.16.840.1.113730.3.1.2086

Syntax DN

Multi- or Single-Valued Single-valued

Defined in Directory Server

5.2.113. mepManagedEntry

This attribute contains a pointer to an automatically-generated entry which corresponds to
the current entry. This attribute is set by the Managed Entries Plug-in and cannot be
modified manually.

OID 2.16.840.1.113730.3.1.2087

Syntax DN

Multi- or Single-Valued Single-valued

Defined in Directory Server

5.2.114. mepMappedAttr
This attribute sets an attribute in the Managed Entries template entry which must exist in
the generated entry. The mapping means that some value of the originating entry is used
to supply the given attribute. The values of these attributes will be tokens in the form
attribute: $attr. For example:

mepMappedAttr: gidNumber: $gidNumber

As long as the syntax of the expanded token of the attribute does not violate the required
attribute syntax, then other terms and strings can be used in the attribute. For example:

mepMappedAttr: cn: Managed Group for $cn

OID 2.16.840.1.113730.3.1.2089

Syntax OctetString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.115. mepRDNAttr
This attribute sets which attribute to use as the naming attribute in the automatically-
generated entry created by the Managed Entries Plug-in. Whatever attribute type is given
in the naming attribute should be present in the managed entries template entry as a
mepMappedAttr.

OID 2.16.840.1.113730.3.1.2090

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

5.2.116. mepStaticAttr
This attribute sets an attribute with a defined value that must be added to the
automatically-generated entry managed by the Managed Entries Plug-in. This value will be
used for every entry generated by that instance of the Managed Entries Plug-in.

mepStaticAttr: posixGroup

OID 2.16.840.1.113730.3.1.2088

Syntax OctetString

Multi- or Single-Valued Multi-valued

Defined in Directory Server
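How the mepRDNAttr, mepMappedAttr and mepStaticAttr values of a template combine into a generated entry, as an added example that is not code from the original page or from the Managed Entries Plug-in: $attr tokens in each mepMappedAttr value are expanded from the originating entry, static values are copied as-is, the naming attribute must be among the mapped attributes, and mepManagedBy points back at the originating entry. The template, originating entry and managed base DN are constructed samples, and the "attr: value" form of mepStaticAttr is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample template; the attribute names are those described above.
TEMPLATE = {
    "mepRDNAttr": "cn",
    "mepStaticAttr": ["objectclass: posixGroup"],  # assumed "attr: value" form
    "mepMappedAttr": [
        "cn: Managed Group for $cn",
        "gidNumber: $gidNumber",
        "description: Group for uid $uid",
    ],
}
# Constructed sample originating entry and the base under which managed entries live.
ORIGIN_DN = "uid=jsmith,ou=People,dc=example,dc=com"
ORIGIN = {"uid": "jsmith", "cn": "John Smith", "gidNumber": "5001"}
MANAGED_BASE = "ou=Groups,dc=example,dc=com"

TOKEN = re.compile(r"\$(\w+)")  # a $attr token inside a mapped value

Entry = Dict[str, List[str]]


def split_attr(spec: str) -> Tuple[str, str]:
    """Split an 'attr: value' specification into its two parts."""
    attr, sep, value = spec.partition(":")
    if not sep or not attr.strip():
        raise ValueError(f"malformed attribute specification: {spec!r}")
    return attr.strip(), value.strip()


def expand(value: str, origin: Dict[str, str]) -> str:
    """Replace every $attr token with that attribute's value from the originating entry."""
    def lookup(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in origin:
            raise KeyError(f"originating entry has no attribute {name!r}")
        return origin[name]
    return TOKEN.sub(lookup, value)


def get_attr(entry: Entry, name: str) -> List[str]:
    """Case-insensitive attribute lookup, as LDAP attribute types are."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def build_managed_entry(template: dict, origin: Dict[str, str],
                        origin_dn: str, managed_base: str) -> Tuple[str, Entry]:
    """Generate the managed entry (DN and attributes) for one originating entry."""
    entry: Entry = {}
    for spec in template.get("mepMappedAttr", []):
        attr, value = split_attr(spec)
        entry.setdefault(attr, []).append(expand(value, origin))

    rdn_attr = template["mepRDNAttr"]
    rdn_values = get_attr(entry, rdn_attr)
    if not rdn_values:
        # the naming attribute has to be supplied by a mepMappedAttr
        raise ValueError(f"mepRDNAttr {rdn_attr!r} is not present as a mepMappedAttr")

    for spec in template.get("mepStaticAttr", []):
        attr, value = split_attr(spec)
        entry.setdefault(attr, []).append(value)

    # back-pointer that the plug-in sets; it is not modifiable by hand
    entry["mepManagedBy"] = [origin_dn]
    return f"{rdn_attr}={rdn_values[0]},{managed_base}", entry


if __name__ == "__main__":
    dn, attrs = build_managed_entry(TEMPLATE, ORIGIN, ORIGIN_DN, MANAGED_BASE)
    print("dn:", dn)
    for attr, values in attrs.items():
        for value in values:
            print(f"{attr}: {value}")
```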

5.2.117. mgrpAddHeader
This attribute contains information about the header in the messages.

OID 2.16.840.1.113730.3.1.781

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.118. mgrpAllowedBroadcaster
This attribute sets whether to allow the user to send broadcast messages.

OID 2.16.840.1.113730.3.1.22

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.119. mgrpAllowedDomain
This attribute sets the domains for the mail group.

OID 2.16.840.1.113730.3.1.23

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.120. mgrpApprovePassword
This attribute sets whether a user must approve a password used to access their email.

OID mgrpApprovePassword-oid

Syntax IA5String

Multi- or Single-Valued Single-valued

Defined in Netscape Messaging Server

5.2.121. mgrpBroadcasterPolicy
This attribute defines the policy for broadcasting emails.

OID 2.16.840.1.113730.3.1.788

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.122. mgrpDeliverTo
This attribute contains information about the delivery destination for email.

OID 2.16.840.1.113730.3.1.25

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.123. mgrpErrorsTo

This attribute contains information about where to deliver error messages for the
messaging server.

OID 2.16.840.1.113730.3.1.26

Syntax IA5String

Multi- or Single-Valued Single-valued

Defined in Netscape Messaging Server

5.2.124. mgrpModerator
This attribute contains the contact name for the mailing list moderator.

OID 2.16.840.1.113730.3.1.33

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.125. mgrpMsgMaxSize
This attribute sets the maximum size allowed for email messages.

OID 2.16.840.1.113730.3.1.32

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape Messaging Server

5.2.126. mgrpMsgRejectAction
This attribute defines what actions the messaging server should take for rejected
messages.

OID 2.16.840.1.113730.3.1.28

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.127. mgrpMsgRejectText
This attribute sets the text to use for rejection notifications.

OID 2.16.840.1.113730.3.1.29

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.128. mgrpNoDuplicateChecks
This attribute defines whether the messaging server checks for duplicate emails.

OID 2.16.840.1.113730.3.1.789

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape Messaging Server

5.2.129. mgrpRemoveHeader
This attribute sets whether the header is removed in reply messages.

OID 2.16.840.1.113730.3.1.801

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.130. mgrpRFC822MailMember
This attribute identifies the member of a mail group.

OID 2.16.840.1.113730.3.1.30

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.131. mobile
The mobile attribute, also named mobileTelephoneNumber, contains the entry's mobile or
cellular phone number. For example:

mobileTelephoneNumber: 415-555-4321

OID 0.9.2342.19200300.100.1.41

Syntax TelephoneNumber

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.132. mozillaCustom1
This attribute is used by Mozilla Thunderbird to manage a shared address book.

OID 1.3.6.1.4.1.13769.4.1

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.133. mozillaCustom2
This attribute is used by Mozilla Thunderbird to manage a shared address book.

OID 1.3.6.1.4.1.13769.4.2

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.134. mozillaCustom3
This attribute is used by Mozilla Thunderbird to manage a shared address book.

OID 1.3.6.1.4.1.13769.4.3

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.135. mozillaCustom4
This attribute is used by Mozilla Thunderbird to manage a shared address book.

OID 1.3.6.1.4.1.13769.4.4

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.136. mozillaHomeCountryName
This attribute sets the country used by Mozilla Thunderbird in a shared address book.

OID 1.3.6.1.4.1.13769.3.6

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.137. mozillaHomeLocalityName
This attribute sets the city used by Mozilla Thunderbird in a shared address book.

OID 1.3.6.1.4.1.13769.3.3

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.138. mozillaHomePostalCode
This attribute sets the postal code used by Mozilla Thunderbird in a shared address book.

OID 1.3.6.1.4.1.13769.3.5

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.139. mozillaHomeState
This attribute sets the state or province used by Mozilla Thunderbird in a shared address
book.

OID 1.3.6.1.4.1.13769.3.4

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.140. mozillaHomeStreet
This attribute sets the street address used by Mozilla Thunderbird in a shared address book.

OID 1.3.6.1.4.1.13769.3.1

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.141. mozillaHomeStreet2
This attribute contains the second line of a street address used by Mozilla Thunderbird in a
shared address book.

OID 1.3.6.1.4.1.13769.3.2

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.142. mozillaHomeUrl
This attribute contains a URL used by Mozilla Thunderbird in a shared address book.

OID 1.3.6.1.4.1.13769.3.7

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.143. mozillaNickname (xmozillanickname)
This attribute contains a nickname used by Mozilla Thunderbird for a shared address book.

OID 1.3.6.1.4.1.13769.2.1

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Mozilla Address Book

5.2.144. mozillaSecondEmail (xmozillasecondemail)
This attribute contains an alternate or secondary email address for an entry in a shared
address book for Mozilla Thunderbird.

OID 1.3.6.1.4.1.13769.2.2

Syntax IA5String

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.145. mozillaUseHtmlMail (xmozillausehtmlmail)

This attribute sets an email type preference for an entry in a shared address book in Mozilla
Thunderbird.

OID 1.3.6.1.4.1.13769.2.3

Syntax Boolean

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.146. mozillaWorkStreet2
This attribute contains a street address for a workplace or office for an entry in Mozilla
Thunderbird's shared address book.

OID 1.3.6.1.4.1.13769.3.8

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.147. mozillaWorkUrl
This attribute contains a URL for a work site in an entry in a shared address book in Mozilla
Thunderbird.

OID 1.3.6.1.4.1.13769.3.9

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Mozilla Address Book

5.2.148. multiLineDescription
This attribute contains a description of an entry which spans multiple lines in the LDIF file.

OID 1.3.6.1.4.1.250.1.2

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.149. name
The name attribute identifies the attribute supertype which can be used to form string
attribute types for naming.

It is unlikely that values of this type will occur in an entry. LDAP server implementations
that do not support attribute subtyping do not need to recognize this attribute in requests.
Client implementations should not assume that LDAP servers are capable of performing
attribute subtyping.

OID 2.5.4.41

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.150. netscapeReversiblePassword
This attribute contains the password for HTTP Digest/MD5 authentication.

OID 2.16.840.1.113730.3.1.812

Syntax OctetString

Multi- or Single-Valued Multi-valued

Defined in Netscape Web Server

5.2.151. NisMapEntry
This attribute contains the information for a NIS map to be used by Network Information
Services.

NOTE

This attribute is defined in 10rfc2307.ldif in the Directory Server. To use the
updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the
10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.27

Syntax IA5String

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.152. nisMapName
This attribute contains the name of a mapping used by a NIS server.

OID 1.3.6.1.1.1.1.26

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2307

5.2.153. nisNetgroupTriple
This attribute contains information on a netgroup used by a NIS server.

NOTE

This attribute is defined in 10rfc2307.ldif in the Directory Server. To use the
updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the
10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.14

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2307

5.2.154. nsAccessLog
This entry identifies the access log used by a server.

OID nsAccessLog-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.155. nsAdminAccessAddresses
This attribute contains the IP address of the Administration Server used by the instance.

OID nsAdminAccessAddresses-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.156. nsAdminAccessHosts
This attribute contains the host name of the Administration Server.

OID nsAdminAccessHosts-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.157. nsAdminAccountInfo
This attribute contains other information about the Administration Server account.

OID nsAdminAccountInfo-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.158. nsAdminCacheLifetime
This attribute sets the length of time to store the cache used by the Directory Server.

OID nsAdminCacheLifetime-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.159. nsAdminCgiWaitPid
This attribute defines the wait time for Administration Server CGI process IDs.

OID nsAdminCgiWaitPid-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.160. nsAdminDomainName
This attribute contains the name of the administration domain containing the
Directory Server instance.

OID nsAdminDomainName-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.161. nsAdminEnableEnduser
This attribute sets whether to allow end user access to admin services.

OID nsAdminEnableEnduser-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.162. nsAdminEndUserHTMLIndex
This attribute sets whether to allow end users to access the HTML index of admin services.

OID nsAdminEndUserHTMLIndex-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.163. nsAdminGroupName
This attribute gives the name of the admin guide.

OID nsAdminGroupName-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.164. nsAdminOneACLDir
This attribute gives the directory path to the directory containing access control lists for the
Administration Server.

OID nsAdminOneACLDir-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.165. nsAdminSIEDN
This attribute contains the DN of the server instance entry (SIE) for the
Administration Server.

OID nsAdminSIEDN-oid

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.166. nsAdminUsers
This attribute gives the path and name of the file which contains the information for the
Administration Server admin user.

OID nsAdminUsers-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.167. nsAIMid
This attribute contains the AOL Instant Messaging user ID for the user.

OID 2.16.840.1.113730.3.2.300

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.168. nsBaseDN
This contains the base DN used in the Directory Server's server instance definition entry.

OID nsBaseDN-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.169. nsBindDN
This attribute contains the bind DN defined in the Directory Server SIE.

OID nsBindDN-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.170. nsBindPassword
This attribute contains the password used by the bind DN defined in nsBindDN.

OID nsBindPassword-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.171. nsBuildNumber
This defines, in the Directory Server SIE, the build number of the server instance.

OID nsBuildNumber-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.172. nsBuildSecurity
This defines, in the Directory Server SIE, the build security level.

OID nsBuildSecurity-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.173. nsCertConfig

This attribute defines the configuration for the Red Hat Certificate System.

OID nsCertConfig-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Certificate System

5.2.174. nsClassname

OID nsClassname-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.175. nsConfigRoot
This attribute contains the root DN of the configuration directory.

OID nsConfigRoot-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.176. nscpAIMScreenname
This attribute gives the AIM screen name of a user.

OID 1.3.6.1.4.1.13769.2.4

Syntax TelephoneString

Multi- or Single-Valued Multi-valued

Defined in Mozilla Address Book

5.2.177. nsDefaultAcceptLanguage

This attribute contains the language codes which are accepted for HTML clients.

OID nsDefaultAcceptLanguage-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.178. nsDefaultObjectClass
This attribute stores object class information in a container entry.

OID nsDefaultObjectClass-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.179. nsDeleteclassname

OID nsDeleteclassname-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.180. nsDirectoryFailoverList
This attribute contains a list of Directory Servers to use for failover.

OID nsDirectoryFailoverList-oid

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.181. nsDirectoryInfoRef

This attribute refers to a DN of an entry with information about the server.

OID nsDirectoryInfoRef-oid

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.182. nsDirectoryURL
This attribute contains the Directory Server URL.

OID nsDirectoryURL-oid

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.183. nsDisplayName
This attribute contains a display name.

OID nsDisplayName-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.184. nsErrorLog
This attribute identifies the error log used by the server.

OID nsErrorLog-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.185. nsExecRef
This attribute contains the path or location of an executable which can be used to perform
server tasks.

OID nsExecRef-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.186. nsExpirationDate
This attribute contains the expiration date of an application.

OID nsExpirationDate-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.187. nsGroupRDNComponent
This attribute defines the attribute to use for the RDN of a group entry.

OID nsGroupRDNComponent-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.188. nsHardwarePlatform
This attribute indicates the hardware on which the server is running. The value of this
attribute is the same as the output from uname -m. For example:

nsHardwarePlatform: i686

OID nsHardwarePlatform-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.189. nsHelpRef
This attribute contains a reference to an online help file.

OID nsHelpRef-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.190. nsHostLocation
This attribute contains information about the server host.

OID nsHostLocation-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.191. nsICQid
This attribute contains an ICQ ID for the user.

OID 2.16.840.1.113730.3.1.2014

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.192. nsInstalledLocation

This attribute contains the installation directory for Directory Servers which are version 7.1
or older.

OID nsInstalledLocation-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.193. nsJarfilename
This attribute gives the jar file name used by the Console.

OID nsJarfilename-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.194. nsLdapSchemaVersion
This gives the version number of the LDAP directory schema.

OID nsLdapSchemaVersion-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.195. nsLicensedFor
The nsLicensedFor attribute identifies the server the user is licensed to use.
Administration Server expects each nsLicenseUser entry to contain zero or more instances
of this attribute. Valid keywords for this attribute include the following:

slapd for a licensed Directory Server client.

mail for a licensed mail server client.

news for a licensed news server client.

cal for a licensed calendar server client.

For example:

nsLicensedFor: slapd

OID 2.16.840.1.113730.3.1.36

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Administration Server

5.2.196. nsLicenseEndTime
Reserved for future use.

OID 2.16.840.1.113730.3.1.38

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Administration Server

5.2.197. nsLicenseStartTime
Reserved for future use.

OID 2.16.840.1.113730.3.1.37

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Administration Server

5.2.198. nsLogSuppress
This attribute sets whether to suppress server logging.

OID nsLogSuppress-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.199. nsmsgDisallowAccess
This attribute defines access to a messaging server.

OID nsmsgDisallowAccess-oid

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.200. nsmsgNumMsgQuota
This attribute sets a quota for the number of messages which will be kept by the messaging
server.

OID nsmsgNumMsgQuota-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.201. nsMSNid
This attribute contains the MSN instant messaging ID for the user.

OID 2.16.840.1.113730.3.1.2016

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.202. nsNickName
This attribute gives a nickname for an application.

OID nsNickName-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.203. nsNYR

OID nsNYR-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Administration Services

5.2.204. nsOsVersion
This attribute contains the version number of the operating system for the host on which
the server is running.

OID nsOsVersion-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.205. nsPidLog

OID nsPidLog-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.206. nsPreference
This attribute stores the Console preference settings.

OID nsPreference-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.207. nsProductName
This contains the name of the product, such as Red Hat Directory Server or
Administration Server.

OID nsProductName-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.208. nsProductVersion
This contains the version number of the Directory Server or Administration Server.

OID nsProductVersion-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.209. nsRevisionNumber
This attribute contains the revision number of the Directory Server or
Administration Server.

OID nsRevisionNumber-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.210. nsSecureServerPort

This attribute contains the TLS port for the Directory Server.

NOTE

This attribute does not configure the TLS port for the Directory Server. That port is
configured in the nsslapd-secureport configuration attribute in the
Directory Server's dse.ldif file. Configuration attributes are described in the
Configuration, Command, and File Reference.

OID nsSecureServerPort-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.211. nsSerialNumber
This attribute contains a serial number or tracking number assigned to a specific server
application, such as Red Hat Directory Server or Administration Server.

OID nsSerialNumber-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.212. nsServerAddress
This attribute contains the IP address of the server host on which the Directory Server is
running.

OID nsServerAddress-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.213. nsServerCreationClassname
This attribute gives the class name to use when creating a server.


OID nsServerCreationClassname-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.214. nsServerID
This contains the server's instance name. For example:

nsServerID: slapd-example

OID nsServerID-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.215. nsServerMigrationClassname
This attribute contains the name of the class to use when migrating a server.

OID nsServerMigrationClassname-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.216. nsServerPort
This attribute contains the standard LDAP port for the Directory Server.

NOTE

This attribute does not configure the standard LDAP port for the Directory Server.
The port is configured with the nsslapd-port configuration attribute in the
Directory Server's dse.ldif file. Configuration attributes are described in the
Configuration, Command, and File Reference.


OID nsServerPort-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.217. nsServerSecurity
This shows whether the Directory Server requires a secure TLS or SSL connection.

OID nsServerSecurity-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.218. nsSNMPContact
This attribute contains the contact information for the SNMP service.

OID 2.16.840.1.113730.3.1.235

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.219. nsSNMPDescription
This contains a description of the SNMP service.

OID 2.16.840.1.113730.3.1.236

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.220. nsSNMPEnabled


This attribute shows whether SNMP is enabled for the server.

OID 2.16.840.1.113730.3.1.232

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.221. nsSNMPLocation
This attribute shows the location provided by the SNMP service.

OID 2.16.840.1.113730.3.1.234

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.222. nsSNMPMasterHost
This attribute shows the host name for the SNMP master agent.

OID 2.16.840.1.113730.3.1.237

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.223. nsSNMPMasterPort
This attribute shows the port number on which the SNMP master agent listens for the subagent.

OID 2.16.840.1.113730.3.1.238

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server


5.2.224. nsSNMPOrganization
This attribute contains the organization information provided by SNMP.

OID 2.16.840.1.113730.3.1.233

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.225. nsSuiteSpotUser
This attribute has been obsoleted.

This attribute identifies the Unix user who installed the server.

OID nsSuiteSpotUser-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.226. nsTaskLabel

OID nsTaskLabel-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.227. nsUniqueAttribute
This sets a unique attribute for the server preferences.

OID nsUniqueAttribute-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued


Defined in Netscape Administration Services

5.2.228. nsUserIDFormat
This attribute sets the format to use to generate the uid attribute from the givenname and
sn attributes.

OID nsUserIDFormat-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.229. nsUserRDNComponent
This attribute sets the attribute type used as the RDN for user entries.

OID nsUserRDNComponent-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.230. nsValueBin

OID 2.16.840.1.113730.3.1.247

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.231. nsValueCES

OID 2.16.840.1.113730.3.1.244

Syntax IA5String

Multi- or Single-Valued Multi-valued


Defined in Netscape servers — value item

5.2.232. nsValueCIS

OID 2.16.840.1.113730.3.1.243

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.233. nsValueDefault

OID 2.16.840.1.113730.3.1.250

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.234. nsValueDescription

OID 2.16.840.1.113730.3.1.252

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.235. nsValueDN

OID 2.16.840.1.113730.3.1.248

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.236. nsValueFlags


OID 2.16.840.1.113730.3.1.251

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.237. nsValueHelpURL

OID 2.16.840.1.113730.3.1.254

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.238. nsValueInt

OID 2.16.840.1.113730.3.1.246

Syntax Integer

Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.239. nsValueSyntax

OID 2.16.840.1.113730.3.1.253

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.240. nsValueTel

OID 2.16.840.1.113730.3.1.245

Syntax TelephoneString


Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.241. nsValueType

OID 2.16.840.1.113730.3.1.249

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape servers — value item

5.2.242. nsVendor
This contains the name of the server vendor.

OID nsVendor-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape

5.2.243. nsViewConfiguration
This attribute stores the view configuration used by Console.

OID nsViewConfiguration-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.244. nsViewFilter
This attribute sets the attribute-value pair which is used to identify entries belonging to the
view.

OID 2.16.840.1.113730.3.1.3023


Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.245. nsWellKnownJarfiles

OID nsWellKnownJarfiles-oid

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.246. nswmExtendedUserPrefs
This attribute is used to store user preferences for accounts in a messaging server.

OID 2.16.840.1.113730.3.1.520

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.247. nsYIMid
This attribute contains the Yahoo instant messaging user name for the user.

OID 2.16.840.1.113730.3.1.2015

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

5.2.248. ntGroupAttributes
This attribute holds binary data which contains information about the group. In LDIF the
value is base64-encoded and follows a double colon. For example:


ntGroupAttributes::
IyEvYmluL2tzaAoKIwojIGRlZmF1bHQgdmFsdWUKIwpIPSJgaG9zdG5hb

OID 2.16.840.1.113730.3.1.536

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.249. ntGroupCreateNewGroup
The ntGroupCreateNewGroup attribute is used by Windows Sync to determine whether the
Directory Server should create new group entry when a new group is created on a Windows
server. true creates the new entry; false ignores the Windows entry.

OID 2.16.840.1.113730.3.1.45

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.250. ntGroupDeleteGroup
The ntGroupDeleteGroup attribute is used by Windows Sync to determine whether the
Directory Server should delete a group entry when the group is deleted on a Windows sync
peer server. true means the group entry is deleted; false ignores the deletion.

OID 2.16.840.1.113730.3.1.46

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.251. ntGroupDomainId
The ntGroupDomainId attribute contains the domain ID string for a group. For example:

ntGroupDomainId: DS HR Group

OID 2.16.840.1.113730.3.1.44


Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.252. ntGroupId
The ntGroupId attribute points to a binary file which identifies the group. For example:

ntGroupId: IOUnHNjjRgghghREgfvItrGHyuTYhjIOhTYtyHJuSDwOopKLhjGbnGFtr

OID 2.16.840.1.113730.3.1.110

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.253. ntGroupType
In Active Directory, there are two major types of groups: security and distribution. Security
groups are most similar to groups in Directory Server, since security groups can have
policies configured for access controls, resource restrictions, and other permissions.
Distribution groups are for mailing distribution. Both types are further broken down into
global and domain local groups. The ntGroupType attribute identifies the type of Windows
group and supports all four combinations. The valid values are as follows:

-2147483646 for global/security

-2147483644 for domain local/security

2 for global/distribution

4 for domain local/distribution

For groups synchronized from Windows, this value is set automatically. For groups created
in Directory Server, set the attribute manually when the group is created to choose the
group type. By default, Directory Server groups do not have this attribute and are
synchronized as global/security groups.

ntGroupType: -2147483646

OID 2.16.840.1.113730.3.1.47


Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization
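The four ntGroupType values are not arbitrary: they are the Active Directory groupType bit field (0x80000000 marks a security group, 0x2 a global group, 0x4 a domain local group) stored as a signed 32-bit integer, which is why the security values are negative. The following added example, which is not part of the Red Hat documentation or the server code, encodes and decodes the attribute from those bits and rejects a value whose scope bits match no known group scope, which catches a mistyped value before it is written to a synchronized group:

```python
# Added example (not part of the Red Hat documentation): decode and build
# ntGroupType values. Active Directory's groupType is a 32-bit bit field:
# 0x80000000 marks a security group (clear = distribution group), 0x2 a
# global group and 0x4 a domain local group. LDAP stores the field as a
# signed 32-bit integer, which is why the two security values are negative.

SECURITY_FLAG = 0x80000000
SCOPE_BITS = {"global": 0x2, "domain local": 0x4}


def to_signed32(value):
    """Reinterpret an unsigned 32-bit bit field as the signed integer LDAP stores."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & SECURITY_FLAG else value


def encode_group_type(scope, security=True):
    """Return the ntGroupType integer for a scope of 'global' or 'domain local'."""
    bits = SCOPE_BITS[scope] | (SECURITY_FLAG if security else 0)
    return to_signed32(bits)


def decode_group_type(value):
    """Return (scope, kind) for an ntGroupType value; kind is 'security' or 'distribution'.

    Raises ValueError when the scope bits match no known group scope, so a
    value with dropped or extra digits is refused instead of being stored.
    """
    bits = int(value) & 0xFFFFFFFF
    security = bool(bits & SECURITY_FLAG)
    scope_bits = bits & ~SECURITY_FLAG & 0xFFFFFFFF
    for scope, known in SCOPE_BITS.items():
        if scope_bits == known:
            return scope, "security" if security else "distribution"
    raise ValueError(f"ntGroupType {value}: unknown scope bits {scope_bits:#x}")


if __name__ == "__main__":
    for value in (-2147483646, -2147483644, 2, 4):
        print(value, decode_group_type(value))
```

Run the decoder over the ntGroupType values of existing groups before enabling synchronization; any entry that raises carries a value Windows will not interpret as one of the four group types.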

5.2.254. ntUniqueId
The ntUniqueId attribute contains a generated number used for internal server
identification and operation. For example:

ntUniqueId: 352562404224a44ab040df02e4ef500b

OID 2.16.840.1.113730.3.1.111

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.255. ntUserAcctExpires
This attribute indicates when the entry's Windows account will expire. This value is stored
as a string in GMT format. For example:

ntUserAcctExpires: 20081015203415

OID 2.16.840.1.113730.3.1.528

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.256. ntUserAuthFlags
This attribute contains authorization flags set for the Windows account.

OID 2.16.840.1.113730.3.1.60

Syntax Binary

Multi- or Single-Valued Single-valued


Defined in Netscape NT Synchronization

5.2.257. ntUserBadPwCount
This attribute contains the number of bad password attempts recorded for the Windows
account; Windows locks the account when this count reaches the domain's lockout threshold.

OID 2.16.840.1.113730.3.1.531

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.258. ntUserCodePage
The ntUserCodePage attribute contains the code page for the user's language of choice.
For example:

ntUserCodePage: AAAAAA==

OID 2.16.840.1.113730.3.1.533

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.259. ntUserComment
This attribute contains a text description or note about the user entry.

OID 2.16.840.1.113730.3.1.522

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.260. ntUserCountryCode
This attribute contains the two-character country code for the country where the user is
located.


OID 2.16.840.1.113730.3.1.532

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.261. ntUserCreateNewAccount
The ntUserCreateNewAccount attribute is used by Windows Sync to determine whether the
Directory Server should create a new user entry when a new user is created on a Windows
server. true creates the new entry; false ignores the Windows entry.

OID 2.16.840.1.113730.3.1.42

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.262. ntUserDeleteAccount
The ntUserDeleteAccount attribute is used by Windows Sync to determine whether a
Directory Server entry is automatically deleted when the user is deleted from the
Windows sync peer server. true means the user entry is deleted; false ignores the
deletion.

OID 2.16.840.1.113730.3.1.43

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.263. ntUserDomainId
The ntUserDomainId attribute contains the Windows domain login ID. For example:

ntUserDomainId: jsmith

OID 2.16.840.1.113730.3.1.41

Syntax DirectoryString


Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.264. ntUserFlags
This attribute contains additional flags set for the Windows account.

OID 2.16.840.1.113730.3.1.523

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.265. ntUserHomeDir
The ntUserHomeDir attribute contains an ASCII string representing the Windows user's
home directory. This attribute can be null. For example:

ntUserHomeDir: c:\jsmith

OID 2.16.840.1.113730.3.1.521

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.266. ntUserHomeDirDrive
This attribute contains information about the drive on which the user's home directory is
stored.

OID 2.16.840.1.113730.3.1.535

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.267. ntUserLastLogoff


The ntUserLastLogoff attribute contains the time of the last logoff. This value is stored as
a string in GMT format.

If security logging is turned on, then this attribute is updated on synchronization only if
some other aspect of the user's entry has changed.

ntUserLastLogoff: 20191015203415Z

OID 2.16.840.1.113730.3.1.527

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.268. ntUserLastLogon
The ntUserLastLogon attribute contains the time that the user last logged into the
Windows domain. This value is stored as a string in GMT format. If security logging is turned
on, then this attribute is updated on synchronization only if some other aspect of the user's
entry has changed.

ntUserLastLogon: 20191015203415Z

OID 2.16.840.1.113730.3.1.526

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.269. ntUserLogonHours
The ntUserLogonHours attribute contains the time periods that a user is allowed to log onto
the Active Directory domain. This attribute corresponds to the logonHours attribute in
Active Directory.

OID 2.16.840.1.113730.3.1.530

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization


5.2.270. ntUserLogonServer
The ntUserLogonServer attribute defines the Active Directory server to which the user's
logon request is forwarded.

OID 2.16.840.1.113730.3.1.65

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.271. ntUserMaxStorage
The ntUserMaxStorage attribute contains the maximum amount of disk space available for
the user.

ntUserMaxStorage: 4294967295

OID 2.16.840.1.113730.3.1.529

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.272. ntUserNumLogons
This attribute shows the number of successful logons to the Active Directory domain for the
user.

OID 2.16.840.1.113730.3.1.64

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.273. ntUserParms
The ntUserParms attribute contains a Unicode string reserved for use by applications.

OID 2.16.840.1.113730.3.1.62


Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.274. ntUserPasswordExpired
This attribute shows whether the password for the Active Directory account has expired.

OID 2.16.840.1.113730.3.1.68

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.275. ntUserPrimaryGroupId
The ntUserPrimaryGroupId attribute contains the group ID of the primary group to which
the user belongs.

OID 2.16.840.1.113730.3.1.534

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.276. ntUserPriv
This attribute shows the type of privileges allowed for the user.

OID 2.16.840.1.113730.3.1.59

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.277. ntUserProfile


The ntUserProfile attribute contains the path to a user's profile. For example:

ntUserProfile: c:\jsmith\profile.txt

OID 2.16.840.1.113730.3.1.67

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.278. ntUserScriptPath
The ntUserScriptPath attribute contains the path to an ASCII script used by the user to log
into the domain.

ntUserScriptPath: c:\jstorm\lscript.bat

OID 2.16.840.1.113730.3.1.524

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.279. ntUserUniqueId
The ntUserUniqueId attribute contains a unique numeric ID for the Windows user.

OID 2.16.840.1.113730.3.1.66

Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.280. ntUserUnitsPerWeek
The ntUserUnitsPerWeek attribute contains the number of equal-length time units into which
the week is divided for the ntUserLogonHours schedule; with one-hour units the value is 168.

OID 2.16.840.1.113730.3.1.63


Syntax Binary

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.281. ntUserUsrComment
The ntUserUsrComment attribute contains additional comments about the user.

OID 2.16.840.1.113730.3.1.61

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.282. ntUserWorkstations
The ntUserWorkstations attribute contains a list of names, in ASCII strings, of work
stations which the user is allowed to log in to. There can be up to eight work stations listed,
separated by commas. Specify null to permit users to log on from any workstation. For
example:

ntUserWorkstations: firefly

OID 2.16.840.1.113730.3.1.525

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape NT Synchronization

5.2.283. o (organizationName)
The organizationName, or o, attribute contains the organization name. For example:

organizationName: Example Corporation
o: Example Corporation

OID 2.5.4.10

Syntax DirectoryString


Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.284. objectClass
The objectClass attribute identifies the object classes used for an entry. For example:

objectClass: person

OID 2.5.4.0

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.285. objectClasses
This attribute is used in a schema file to identify an object class allowed by the subschema
definition.

OID 2.5.21.6

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2252

5.2.286. obsoletedByDocument
The obsoletedByDocument attribute contains the distinguished name of a document which
obsoletes the current document entry.

OID 0.9.2342.19200300.102.1.4

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.287. obsoletesDocument


The obsoletesDocument attribute contains the distinguished name of a document which
is obsoleted by the current document entry.

OID 0.9.2342.19200300.102.1.3

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.288. oncRpcNumber
The oncRpcNumber attribute contains part of the RPC map and stores the RPC number for
UNIX RPCs.

NOTE

The oncRpcNumber attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

OID 1.3.6.1.1.1.1.18

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.289. organizationalStatus
The organizationalStatus attribute identifies the person's category within an organization.

organizationalStatus: researcher

OID 0.9.2342.19200300.100.1.45

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274


5.2.290. otherMailbox
The otherMailbox attribute contains values for email types other than X.400 and RFC 822.

otherMailbox: internet $ [email protected]

OID 0.9.2342.19200300.100.1.22

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.291. ou (organizationalUnitName)
The organizationalUnitName, or ou, contains the name of an organizational division or a
subtree within the directory hierarchy.

organizationalUnitName: Marketing
ou: Marketing

OID 2.5.4.11

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.292. owner
The owner attribute contains the DN of the person responsible for an entry. For example:

owner: cn=John Smith,ou=people,dc=example,dc=com

OID 2.5.4.32

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.293. pager
The pagerTelephoneNumber, or pager, attribute contains a person's pager phone number.


pagerTelephoneNumber: 415-555-6789
pager: 415-555-6789

OID 0.9.2342.19200300.100.1.42

Syntax TelephoneNumber

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.294. parentOrganization
The parentOrganization attribute identifies the parent organization of an organization or
organizational unit.

OID 1.3.6.1.4.1.1466.101.120.41

Syntax DN

Multi- or Single-Valued Single-valued

Defined in Netscape

5.2.295. personalSignature
The personalSignature attribute contains the entry's signature file, in binary format.

personalSignature:: AAAAAA==

OID 0.9.2342.19200300.100.1.53

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.296. personalTitle
The personalTitle attribute contains a person's honorific, such as Ms., Dr., Prof., and
Rev.

personalTitle: Mr.


OID 0.9.2342.19200300.100.1.40

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.297. photo
The photo attribute contains a photo file, in a binary format.

photo:: AAAAAA==

OID 0.9.2342.19200300.100.1.7

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.298. physicalDeliveryOfficeName
The physicalDeliveryOfficeName attribute contains the city or town in which a physical
postal delivery office is located.

physicalDeliveryOfficeName: Raleigh

OID 2.5.4.19

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.299. postalAddress
The postalAddress attribute identifies the entry's mailing address. This field is intended to
include multiple lines. When represented in LDIF format, each line should be separated by a
dollar sign ($).

To represent an actual dollar sign ($) or backslash (\) within the entry text, use the escaped
hex values \24 and \5c respectively. For example, to represent the string:

The dollar ($) value can be found
in the c:\cost file.

provide the string:

The dollar (\24) value can be found$in the c:\5ccost file.

OID 2.5.4.16

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256
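The escaping rule above is easy to get wrong by hand, in particular the order in which backslashes and dollar signs are escaped. The following added example, which is not part of the Red Hat documentation, encodes a list of address lines into one postalAddress value, decodes a value back into lines, and renders the attribute as an LDIF line; the address used in the usage is the one from the text above:

```python
# Added example (not part of the Red Hat documentation): encode a multi-line
# address into a single postalAddress value and decode it back. Lines are
# joined with '$'; a literal backslash becomes '\5c' and a literal dollar sign
# '\24', so a decoder only ever has to recognise those two escapes.
import re

_ESCAPES = {"24": "$", "5c": "\\"}
_ESCAPE_RE = re.compile(r"\\(24|5c)", re.IGNORECASE)


def encode_postal_address(lines):
    """Join address lines into one postalAddress attribute value."""
    encoded = []
    for line in lines:
        # Backslashes first, so the backslash introduced for '\24' is not escaped again.
        line = line.replace("\\", "\\5c").replace("$", "\\24")
        encoded.append(line)
    return "$".join(encoded)


def decode_postal_address(value):
    """Split a postalAddress value back into the lines it was built from."""
    def unescape(match):
        return _ESCAPES[match.group(1).lower()]
    return [_ESCAPE_RE.sub(unescape, part) for part in value.split("$")]


def to_ldif(attribute, lines):
    """Render the attribute as an LDIF line, for example for an ldapmodify input file."""
    return f"{attribute}: {encode_postal_address(lines)}"


if __name__ == "__main__":
    address = ["The dollar ($) value can be found", "in the c:\\cost file."]
    print(to_ldif("postalAddress", address))
    print(decode_postal_address(encode_postal_address(address)))
```

Escaping backslashes before dollar signs matters: doing it the other way round would turn the backslash of an already-written \24 into \5c24 and the decoder would reconstruct a different address.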

5.2.300. postalCode
The postalCode attribute contains the postal code for an entry, such as the ZIP code for an entry located within the United States.

postalCode: 44224

OID 2.5.4.17

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.301. postOfficeBox
The postOfficeBox attribute contains the postal address number or post office box number
for an entry's physical mailing address.

postOfficeBox: 1234

OID 2.5.4.18

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.302. preferredDeliveryMethod


The preferredDeliveryMethod contains an entry's preferred contact or delivery method.
For example:

preferredDeliveryMethod: telephone

OID 2.5.4.28

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.303. preferredLanguage
The preferredLanguage attribute contains a person's preferred written or spoken language.
The value should conform to the syntax for HTTP Accept-Language header values.

OID 2.16.840.1.113730.3.1.39

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 2798

5.2.304. preferredLocale
A locale identifies language-specific information about how users of a specific region,
culture, or custom expect data to be presented, including how data of a given language is
interpreted and how data is to be sorted. Directory Server supports three locales for
American English, Japanese, and German.

The preferredLocale attribute sets which locale is preferred by a user.

OID 1.3.6.1.4.1.1466.101.120.42

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape

5.2.305. preferredTimeZone
The preferredTimeZone attribute sets the time zone to use for the user entry.


OID 1.3.6.1.4.1.1466.101.120.43

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Netscape

5.2.306. presentationAddress
The presentationAddress attribute contains the OSI presentation address for an entry.
This attribute includes the OSI Network Address and up to three selectors, one each for use
by the transport, session, and presentation entities. For example:

presentationAddress: TELEX+00726322+RFC-1006+02+130.59.2.1

OID 2.5.4.29

Syntax IA5String

Multi- or Single-Valued Single-valued

Defined in RFC 2256

5.2.307. protocolInformation
The protocolInformation attribute, used together with the presentationAddress
attribute, provides additional information about the OSI network service.

OID 2.5.4.48

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.308. ref
The ref attribute is used to support LDAPv3 smart referrals. The value of this attribute is an
LDAP URL of the form:

ldap://host_name:port_number/subtree_dn

The port number is optional.

For example:


ref: ldap://server.example.com:389/ou=People,dc=example,dc=com

OID 2.16.840.1.113730.3.1.34

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in LDAPv3 Referrals Internet Draft
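A referral moves the client to another server, and a client that follows referrals automatically and re-binds with the same credentials sends them to whatever host the ref value names. The following added example, which is not part of the Red Hat documentation or of any LDAP client library, parses a ref value into its parts (the port defaults to the scheme's standard port when omitted) and checks the host against an allow list before the referral is followed; the allow list and the require_tls policy are assumptions for the example:

```python
# Added example (not part of the Red Hat documentation): parse the LDAP URL
# held in a ref attribute and decide whether a client should follow it.
# A client that follows referrals automatically and re-binds with the same
# credentials sends them to whatever host the ref value names, so the host
# is checked against an allow list (a hypothetical policy for this example)
# before the referral is followed.
from urllib.parse import urlsplit, unquote

# Assumed policy: the only servers a referral may point at.
ALLOWED_REFERRAL_HOSTS = {"server.example.com", "ldap2.example.com"}
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_referral(ref_value):
    """Return (scheme, host, port, base_dn) for a ref value, or raise ValueError."""
    parts = urlsplit(ref_value)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {ref_value!r}")
    if not parts.hostname:
        # Covers the 'ldap:host:port/dn' form without '//', which is not a valid URL.
        raise ValueError(f"referral URL has no host part: {ref_value!r}")
    # The port is optional in a ref value; fall back to the scheme's standard port.
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    base_dn = unquote(parts.path.lstrip("/"))
    return parts.scheme, parts.hostname, port, base_dn


def may_follow(ref_value, allowed_hosts=ALLOWED_REFERRAL_HOSTS, require_tls=True):
    """True only if the referral names an allowed host (and uses ldaps when required)."""
    try:
        scheme, host, _port, _base_dn = parse_referral(ref_value)
    except ValueError:
        return False
    if host not in allowed_hosts:
        return False
    if require_tls and scheme != "ldaps":
        return False
    return True


if __name__ == "__main__":
    for ref in ("ldap://server.example.com:389/ou=People,dc=example,dc=com",
                "ldaps://ldap2.example.com/dc=example,dc=com",
                "ldaps://attacker.example.net/dc=example,dc=com"):
        print(ref, "->", "follow" if may_follow(ref) else "refuse")
```

The same check applies on the server side when reviewing ref values written by administrators: any entry whose referral points outside the allow list deserves a look, because every client that follows it will connect there.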

5.2.309. registeredAddress
This attribute contains a postal address for receiving telegrams or expedited documents.
The recipient's signature is usually required on delivery.

OID 2.5.4.26

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.310. roleOccupant
This attribute contains the distinguished name of the person acting in the role defined in
the organizationalRole entry.

roleOccupant: uid=bjensen,dc=example,dc=com

OID 2.5.4.33

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.311. roomNumber
This attribute specifies the room number of an object. The cn attribute should be used for
naming room objects.

roomNumber: 230


OID 0.9.2342.19200300.100.1.6

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.312. searchGuide
The searchGuide attribute specifies information for suggested search criteria when using
the entry as the base object in the directory tree for a search operation. When constructing
search filters, use the enhancedSearchGuide attribute instead.

OID 2.5.4.14

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.313. secretary
The secretary attribute identifies an entry's secretary or administrative assistant.

secretary: cn=John Smith,dc=example,dc=com

OID 0.9.2342.19200300.100.1.21

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.314. seeAlso
The seeAlso attribute identifies another Directory Server entry that may contain
information related to this entry.

seeAlso: cn=Quality Control Inspectors,ou=manufacturing,dc=example,dc=com

OID 2.5.4.34


Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.315. serialNumber
The serialNumber attribute contains the serial number of a device.

serialNumber: 555-1234-AZ

OID 2.5.4.5

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.316. serverHostName
The serverHostName attribute contains the host name of the server on which the
Directory Server is running.

OID 2.16.840.1.113730.3.1.76

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Red Hat Administration Services

5.2.317. serverProductName
The serverProductName attribute contains the name of the server product.

OID 2.16.840.1.113730.3.1.71

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Red Hat Administration Services


5.2.318. serverRoot
This attribute is obsolete.

This attribute shows the installation directory (server root) of Directory Servers version 7.1
or older.

OID 2.16.840.1.113730.3.1.70

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Administration Services

5.2.319. serverVersionNumber
The serverVersionNumber attribute contains the server version number.

OID 2.16.840.1.113730.3.1.72

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Red Hat Administration Services

5.2.320. shadowExpire
The shadowExpire attribute contains the date on which the shadow account expires. The date is
stored as the number of days since the epoch (January 1, 1970), in UTC. To calculate this value
on the system, run a command like the following, using -d for the date and -u to specify UTC:

$ echo `date -u -d 20100108 +%s` /24/60/60 |bc

14617

The result (14617 in the example) is then the value of shadowExpire.

shadowExpire: 14617

NOTE

The shadowExpire attribute is defined in 10rfc2307.ldif in the
Directory Server. To use the updated RFC 2307 schema, remove the
10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the
/usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.


OID 1.3.6.1.1.1.1.10

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.321. shadowFlag
The shadowFlag attribute identifies what area in the shadow map stores the flag values.

shadowFlag: 150

NOTE

The shadowFlag attribute is defined in 10rfc2307.ldif in the Directory Server. To use the
updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif
file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema
directory.

OID 1.3.6.1.1.1.1.11

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.322. shadowInactive
The shadowInactive attribute sets how long, in days, the shadow account can be inactive.

shadowInactive: 15

NOTE

The shadowInactive attribute is defined in 10rfc2307.ldif in the Directory Server. To use the
updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif
file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema
directory.

OID 1.3.6.1.1.1.1.9

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.323. shadowLastChange
The shadowLastChange attribute contains the number of days between January 1, 1970 and
the day when the user password was last set. For example, if an account's password was
last set on Nov 4, 2016, the shadowLastChange attribute is set to 17109.

The following exceptions exist:

When the passwordMustChange parameter is enabled in the cn=config entry, new accounts
have 0 set in the shadowLastChange attribute.

When you create an account without a password, the shadowLastChange attribute is not
added.

The shadowLastChange attribute is automatically updated for accounts synchronized from
Active Directory.

NOTE

The shadowLastChange attribute is defined in 10rfc2307.ldif in the Directory Server. To use
the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif
file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema
directory.

OID 1.3.6.1.1.1.1.5

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.324. shadowMax
The shadowMax attribute sets the maximum number of days that a shadow password is
valid.

shadowMax: 10

NOTE

The shadowMax attribute is defined in 10rfc2307.ldif in the Directory Server. To use the
updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif
file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema
directory.

OID 1.3.6.1.1.1.1.7

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.325. shadowMin
The shadowMin attribute sets the minimum number of days that must pass between
changing the shadow password.

shadowMin: 3

NOTE

The shadowMin attribute is defined in 10rfc2307.ldif in the Directory Server. To use the
updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif
file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema
directory.

OID 1.3.6.1.1.1.1.6

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.326. shadowWarning
The shadowWarning attribute sets how many days in advance of password expiration to send
a warning to the user.

shadowWarning: 2

NOTE

The shadowWarning attribute is defined in 10rfc2307.ldif in the Directory Server. To use the
updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif
file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema
directory.

OID 1.3.6.1.1.1.1.8

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307
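
The shadow attributes above only store values; deciding when a password has aged out, when the warning window opens, or when an inactive account locks is done by the client that consumes them. The following Python script is an added example, not code from Directory Server: it reproduces the shadowExpire day arithmetic of the date command shown earlier and applies the shadow(5) conventions for shadowLastChange, shadowMax, shadowMin, shadowWarning, shadowInactive and shadowExpire to a constructed entry (the shadow(5) precedence rules and the sample values are assumptions, since this chapter defines the attributes but not their enforcement).

```python
"""Interpret RFC 2307 shadow attributes the way a shadow(5)-aware client does.

Added example, not code from Red Hat Directory Server. The status rules below
follow shadow(5) conventions (an assumption: Directory Server stores the
values, the consuming client enforces them).
"""
from datetime import datetime, timezone


def days_since_epoch(yyyymmdd: str) -> int:
    """Same arithmetic as `date -u -d YYYYMMDD +%s` divided by 24*60*60:
    whole days since 1970-01-01 00:00 UTC."""
    d = datetime.strptime(yyyymmdd, "%Y%m%d").replace(tzinfo=timezone.utc)
    return int(d.timestamp()) // 86400


def _int(entry: dict, attr: str):
    """Return the attribute as int, or None when the entry does not carry it."""
    value = entry.get(attr)
    return None if value is None else int(value)


def shadow_status(entry: dict, today: int) -> str:
    """Return one status string for an entry on day `today` (days since epoch).

    Precedence mirrors shadow(5): whole-account expiry first, then a forced
    password change, then password ageing (max / inactive / warning)."""
    expire = _int(entry, "shadowExpire")
    if expire is not None and today >= expire:
        return "account-expired"
    last = _int(entry, "shadowLastChange")
    if last is None:
        return "no-password"            # account was created without a password
    if last == 0:
        return "must-change-password"   # passwordMustChange sets 0 on new accounts
    max_days = _int(entry, "shadowMax")
    if max_days is None:
        return "ok"                     # no password ageing configured
    expiry_day = last + max_days
    inactive = _int(entry, "shadowInactive")
    if inactive is not None and today > expiry_day + inactive:
        return "locked-inactive"        # grace period after expiry is over
    if today > expiry_day:
        return "password-expired"
    warn = _int(entry, "shadowWarning")
    if warn is not None and today >= expiry_day - warn:
        return "password-expiring"
    return "ok"


def password_change_allowed(entry: dict, today: int) -> bool:
    """shadowMin: the minimum number of days that must pass since the last change
    before the user may change the password again."""
    last = _int(entry, "shadowLastChange")
    min_days = _int(entry, "shadowMin")
    if last is None or min_days is None:
        return True
    return today >= last + min_days


# Constructed sample entry (attribute values are illustrative, not real data).
SAMPLE = {
    "shadowLastChange": "17109",   # password last set on 2016-11-04
    "shadowMax": "10",
    "shadowMin": "3",
    "shadowWarning": "2",
    "shadowInactive": "15",
    "shadowExpire": "17200",
}

if __name__ == "__main__":
    print("20100108 ->", days_since_epoch("20100108"))   # 14617, as in the text
    for day in (17110, 17117, 17120, 17135, 17200):
        print(day, shadow_status(SAMPLE, day),
              "change-allowed" if password_change_allowed(SAMPLE, day) else "change-blocked")
```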

5.2.327. singleLevelQuality
The singleLevelQuality attribute specifies the purported data quality at the level immediately
below in the directory tree.

OID 0.9.2342.19200300.100.1.50

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 1274

5.2.328. sn (surname)
The surname, or sn, attribute contains an entry's surname, also called a last name or family
name.

surname: Jensen
sn: Jensen

OID 2.5.4.4

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.329. st (stateOrProvinceName)
The stateOrProvinceName, or st, attribute contains the entry's state or province.

stateOrProvinceName: California
st: California

OID 2.5.4.8

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.330. street
The streetAddress, or street, attribute contains an entry's street name and residential
address.

streetAddress: 1234 Ridgeway Drive
street: 1234 Ridgeway Drive

OID 2.5.4.9

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.331. subject
The subject attribute contains information about the subject matter of the document entry.

subject: employee option grants

OID 0.9.2342.19200300.102.1.8

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.332. subtreeMaximumQuality
The subtreeMaximumQuality attribute specifies the purported maximum data quality for a
directory subtree.

OID 0.9.2342.19200300.100.1.52

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 1274

5.2.333. subtreeMinimumQuality
The subtreeMinimumQuality attribute specifies the purported minimum data quality for a
directory subtree.

OID 0.9.2342.19200300.100.1.51

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in RFC 1274

5.2.334. supportedAlgorithms
The supportedAlgorithms attribute contains algorithms which are requested and stored in
a binary form, such as supportedAlgorithms;binary.

supportedAlgorithms:: AAAAAA==

OID 2.5.4.52

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.335. supportedApplicationContext
This attribute contains the identifiers of OSI application contexts.

OID 2.5.4.30

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.336. telephoneNumber
The telephoneNumber attribute contains an entry's phone number. For example:

telephoneNumber: 415-555-2233

OID 2.5.4.20

Syntax TelephoneNumber

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.337. teletexTerminalIdentifier
The teletexTerminalIdentifier attribute contains an entry's teletex terminal identifier.
The first printable string in the example is the encoding of the first portion of the teletex
terminal identifier to be encoded, and the subsequent 0 or more octet strings are
subsequent portions of the teletex terminal identifier:

teletex-id = ttx-term 0*("$" ttx-param)
ttx-term = printablestring
ttx-param = ttx-key ":" ttx-value
ttx-key = "graphic" / "control" / "misc" / "page" / "private"
ttx-value = octetstring

OID 2.5.4.22

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.338. telexNumber
This attribute defines the telex number of the entry. The format of the telex number is as
follows:

actual-number "$" country "$" answerback

actual-number is the syntactic representation of the number portion of the telex number
being encoded.

country is the TELEX country code.

answerback is the answerback code of a TELEX terminal.

OID 2.5.4.21

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.339. title
The title attribute contains a person's title within the organization.

title: Senior QC Inspector

OID 2.5.4.12

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.340. ttl (TimeToLive)
The TimeToLive, or ttl, attribute contains the time, in seconds, that cached information
about an entry should be considered valid. Once the specified time has elapsed, the
information is considered out of date. A value of zero (0) indicates that the entry should not
be cached.

TimeToLive: 120
ttl: 120

OID 1.3.6.1.4.250.1.60

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in LDAP Caching Internet Draft

5.2.341. uid (userID)
The userID, more commonly uid, attribute contains the entry's unique user name.

userID: jsmith
uid: jsmith

OID 0.9.2342.19200300.100.1.1

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.342. uidNumber
The uidNumber attribute contains a unique numeric identifier for a user entry. This is
analogous to the user number in Unix.

uidNumber: 120

NOTE

The uidNumber attribute is defined in 10rfc2307.ldif in the Directory Server. To use the
updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif
file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema
directory.

OID 1.3.6.1.1.1.1.0

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in RFC 2307

5.2.343. uniqueIdentifier
This attribute identifies a specific item used to distinguish between two entries when a
distinguished name has been reused. This attribute is intended to detect any instance of a
reference to a distinguished name that has been deleted. This attribute is assigned by the
server.

uniqueIdentifier:: AAAAAA==

OID 0.9.2342.19200300.100.1.44

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.344. uniqueMember
The uniqueMember attribute identifies a group of names associated with an entry where
each name was given a uniqueIdentifier to ensure its uniqueness. A value for the
uniqueMember attribute is a DN followed by the uniqueIdentifier.

OID 2.5.4.50

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.345. updatedByDocument
The updatedByDocument attribute contains the distinguished name of a document that is an
updated version of the document entry.

OID 0.9.2342.19200300.102.1.6

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.346. updatesDocument
The updatesDocument attribute contains the distinguished name of a document for which
this document is an updated version.

OID 0.9.2342.19200300.102.1.5

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Internet White Pages Pilot

5.2.347. userCertificate
This attribute is stored and requested in the binary form, as userCertificate;binary.

userCertificate;binary:: AAAAAA==

OID 2.5.4.36

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.348. userClass
This attribute specifies a category of computer user. The semantics of this attribute are
arbitrary. The organizationalStatus attribute makes no distinction between computer
users and other types of users and may be more applicable.

userClass: intern

OID 0.9.2342.19200300.100.1.8

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

5.2.349. userPassword
This attribute identifies the entry's password and encryption method in the format
{encryption method}encrypted password. For example:

userPassword: {sha}FTSLQhxXpA05

Transferring cleartext passwords is strongly discouraged where the underlying transport
service cannot guarantee confidentiality. Transferring in cleartext may result in disclosure
of the password to unauthorized parties.

OID 2.5.4.35

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.350. userPKCS12
This attribute provides a format for the exchange of personal identity information. The
attribute is stored and requested in binary form, as userPKCS12;binary. The attribute
values are PFX PDUs stored as binary data.

OID 2.16.840.1.113730.3.1.216

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2798

5.2.351. userSMIMECertificate
The userSMIMECertificate attribute contains certificates which can be used by mail
clients for S/MIME. This attribute requests and stores data in a binary format. For example:

userSMIMECertificate;binary:: AAAAAA==

OID 2.16.840.1.113730.3.1.40

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2798

5.2.352. vacationEndDate
This attribute shows the ending date of the user's vacation period.

OID 2.16.840.1.113730.3.1.708

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.353. vacationStartDate
This attribute shows the start date of the user's vacation period.

OID 2.16.840.1.113730.3.1.707

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Netscape Messaging Server

5.2.354. x121Address
The x121Address attribute contains a user's X.121 address.

OID 2.5.4.24

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.2.355. x500UniqueIdentifier
Reserved for future use. An X.500 identifier is a binary method of identification useful for
differentiating objects when a distinguished name has been reused.

x500UniqueIdentifier:: AAAAAA==

OID 2.5.4.45

Syntax Binary

Multi- or Single-Valued Multi-valued

Defined in RFC 2256

5.3. ENTRY OBJECT CLASS REFERENCE

This reference is an alphabetical list of the object classes accepted by the default schema.
It gives a definition of each object class and lists its required and allowed attributes. The
object classes listed are available to support entry information.

The required attributes listed for an object class must be present in the entry when that
object class is added to the directory's LDIF file. If an object class has a superior object
class, both of these object classes with all required attributes must be present in the entry.
If required attributes are not listed in the LDIF file, then the server will not restart.

NOTE

The LDAP RFCs and X.500 standards allow for an object class to have more
than one superior object class. This behavior is not currently supported by
Directory Server.
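
To make the required/allowed rule above concrete, the following Python check is an added example, not code from Directory Server: it validates an LDIF-style entry against a constructed subset of the object class definitions in this section (top, account, device, bootableDevice, dcObject, extensibleObject), including the requirement that a superior class is itself listed in objectClass. Attribute names are assumed to be in their short form (uid rather than userID), and the entry format (attribute name to list of values) is a simplification of LDIF.

```python
"""Validate an entry against object class required/allowed attribute lists.

Added example, not Directory Server code. SCHEMA is a constructed subset
transcribed from the object class definitions in Section 5.3; attribute
names use the short form (uid, cn, l, o, ou).
"""

SCHEMA = {
    # name: (superior class, required attributes, allowed attributes)
    # allowed == None means "any attribute known to the server" (extensibleObject)
    "top": (None, {"objectClass"}, set()),
    "account": ("top", {"objectClass", "uid"},
                {"description", "host", "l", "o", "ou", "seeAlso"}),
    "device": ("top", {"objectClass", "cn"},
               {"description", "l", "o", "ou", "owner", "seeAlso", "serialNumber"}),
    "bootableDevice": ("top", {"objectClass", "cn"},
                       {"bootFile", "bootParameter", "description", "l", "o",
                        "ou", "owner", "seeAlso", "serialNumber"}),
    "dcObject": ("top", {"objectClass", "dc"}, set()),
    "extensibleObject": ("top", {"objectClass"}, None),
}


def lineage(name: str) -> list:
    """Return the class and every superior class up the chain, e.g.
    lineage("account") -> ["account", "top"]."""
    chain = []
    while name is not None:
        chain.append(name)
        name = SCHEMA[name][0]
    return chain


def validate_entry(entry: dict) -> list:
    """Return a list of problems; an empty list means the entry satisfies the
    schema. `entry` maps attribute names to lists of values (LDIF-like)."""
    problems = []
    classes = entry.get("objectClass", [])
    if not classes:
        return ["entry has no objectClass attribute"]
    known = []
    for oc in classes:
        if oc in SCHEMA:
            known.append(oc)
        else:
            problems.append(f"unknown object class {oc}")

    required, allowed, any_attribute = set(), set(), False
    for oc in known:
        for ancestor in lineage(oc):
            # Section 5.3: a class and its superior must both be present.
            if ancestor not in classes:
                problems.append(f"{oc} requires its superior class {ancestor} to be listed")
            _sup, must, may = SCHEMA[ancestor]
            required |= must
            if may is None:
                any_attribute = True
            else:
                allowed |= must | may

    present = set(entry)
    for attr in sorted(required - present):
        problems.append(f"missing required attribute {attr}")
    if not any_attribute:
        for attr in sorted(present - allowed):
            problems.append(f"attribute {attr} not allowed by {', '.join(classes)}")
    # Drop duplicate messages (e.g. two classes both missing "top") but keep order.
    return list(dict.fromkeys(problems))


# Constructed sample entries (illustrative values only).
GOOD_ENTRY = {
    "objectClass": ["top", "device", "bootableDevice"],
    "cn": ["printer1"],
    "bootFile": ["pxelinux.0"],
    "owner": ["uid=jsmith,ou=People,dc=example,dc=com"],
}
BAD_ENTRY = {
    "objectClass": ["account"],        # superior class top is not listed
    "description": ["service account"],
    "mail": ["svc@example.com"],       # not allowed by account, uid missing
}

if __name__ == "__main__":
    for name, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(name, validate_entry(entry) or "OK")
```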

5.3.1. account
The account object class defines entries for computer accounts. This object class is defined
in RFC 1274.

Superior Class
top

OID
0.9.2342.19200300.100.4.5

Required Attributes

Attribute Definition

objectClass Gives the object classes for the entry.

uid (userID) Gives the defined account's user ID.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

host Gives the host name for the machine on which the account resides.

l (localityName) Gives the city or geographical location of the entry.

o (organizationName) Gives the organization to which the account belongs.

ou (organizationalUnitName) Gives the organizational unit or division to which the account belongs.

seeAlso Contains a URL to another entry or site with related information.

5.3.2. accountpolicy
The accountpolicy object class defines entries for account inactivation or expiration
policies. This is used for a user directory configuration entry, which works in conjunction
with the Account Policy Plug-in configuration.

Superior Class
top

OID
1.3.6.1.4.1.11.1.3.2.2.1

Allowed Attributes

Attribute Definition

accountInactivityLimit Sets the period, in seconds, from the last login time of an account before that account is locked for inactivity.

5.3.3. alias
The alias object class points to other directory entries. This object class is defined in RFC
2256.

NOTE

Aliasing entries is not supported in Red Hat Directory Server.

Superior Class
top

OID
2.5.6.1

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

aliasedObjectName Gives the distinguished name of the entry for which this entry is an alias.

5.3.4. bootableDevice
The bootableDevice object class points to a device with boot parameters. This object class
is defined in RFC 2307.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated
RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from
the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema directory.

Superior Class
top

OID
1.3.6.1.1.1.2.12

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn (commonName) Gives the common name of the device.

Allowed Attributes

Attribute Definition

bootFile Gives the boot image file.

bootParameter Gives the parameters used by the boot process for the device.

description Gives a text description of the entry.

l (localityName) Gives the city or geographical location of the entry.

o (organizationName) Gives the organization to which the device belongs.

ou (organizationalUnitName) Gives the organizational unit or division to which the device belongs.

owner Gives the DN (distinguished name) of the person responsible for the device.

seeAlso Contains a URL to another entry or site with related information.

serialNumber Contains the serial number of the device.

5.3.5. cacheObject
The cacheObject object class contains the time to live (ttl) attribute type. This object
class is defined in the LDAP Caching Internet Draft.

Superior Class
top

OID
1.3.6.1.4.1.250.3.18

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

Allowed Attributes

Attribute Definition

ttl (TimeToLive) The time that the object remains (lives) in the cache.

5.3.6. cosClassicDefinition
The cosClassicDefinition object class defines a class of service template entry using the
entry's DN (distinguished name), given in the cosTemplateDn attribute, and the value of
one of the target attributes, specified in the cosSpecifier attribute.

This object class is defined in RFC 1274.

Superior Class
cosSuperDefinition

OID
2.16.840.1.113730.3.2.100

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cosAttribute Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

cosSpecifier Specifies the attribute value used by a classic CoS, which, along with the template entry's DN, identifies the template entry.

cosTemplateDn Provides the DN of the template entry which is associated with the CoS definition.

description Gives a text description of the entry.

5.3.7. cosDefinition
The cosDefinition object class defines which class of service is being used; this object
class provides compatibility with the DS4.1 CoS Plug-in.

This object class is defined in RFC 1274.

Superior Class
top

OID
2.16.840.1.113730.3.2.84

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

aci Evaluates what rights are granted or denied when the Directory Server receives an LDAP request from a client.

cn (commonName) Gives the common name of the entry.

cosAttribute Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified.

cosSpecifier Specifies the attribute value used by a classic CoS, which, along with the template entry's DN, identifies the template entry.

cosTargetTree Defines the subtrees in the directory to which the CoS schema applies.

cosTemplateDn Provides the DN of the template entry which is associated with the CoS definition.

uid (userID) Gives the user ID for the entry.

5.3.8. cosIndirectDefinition
The cosIndirectDefinition defines the template entry using the value of one of the
target entry's attributes. The attribute of the target entry is specified in the
cosIndirectSpecifier attribute.

This object class is defined by Directory Server.

Superior Class
cosSuperDefinition

OID
2.16.840.1.113730.3.2.102

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cosAttribute Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

cosIndirectSpecifier Specifies the attribute value used by an indirect CoS to identify the template entry.

description Gives a text description of the entry.

5.3.9. cosPointerDefinition
This object class identifies the template entry associated with the CoS definition using the
template entry's DN value. The DN of the template entry is specified in the
cosIndirectSpecifier attribute.

This object class is defined by Directory Server.

Superior Class
cosSuperDefinition

OID
2.16.840.1.113730.3.2.101

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cosAttribute Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

cosTemplateDn Provides the DN of the template entry which is associated with the CoS definition.

description Gives a text description of the entry.

5.3.10. cosSuperDefinition
All CoS definition object classes inherit from the cosSuperDefinition object class.

This object class is defined by Directory Server.

Superior Class
LDAPsubentry

OID
2.16.840.1.113730.3.2.99

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cosAttribute Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

description Gives a text description of the entry.

5.3.11. cosTemplate
The cosTemplate object class contains a list of the shared attribute values for the CoS.

This object class is defined by Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.128

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

cosPriority Specifies which template provides the attribute value when CoS templates compete to provide an attribute value.

5.3.12. country
The country object class defines entries which represent countries. This object class is
defined in RFC 2256.

Superior Class
top

OID
2.5.6.2

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

c (countryName) Contains the two-character code representing country names, as defined by ISO, in the directory.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search.

5.3.13. dcObject
The dcObject object class allows domain components to be defined for an entry. This
object class is defined as auxiliary because it is commonly used in combination with
another object class, such as o (organization), ou (organizationalUnit), or l (locality).

For example:

dn: dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: dcObject
dc: example
ou: Example Corporation

This object class is defined in RFC 2247.

Superior Class
top

OID
1.3.6.1.4.1.1466.344

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

dc (domainComponent) Contains one component of a domain name.

5.3.14. device
The device object class stores information about network devices, such as printers, in the
directory. This object class is defined in RFC 2247.

Superior Class
top

OID
2.5.6.14

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the device.

cn (commonName) Gives the common name of the device.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

l (localityName) Gives the city or geographical location of the entry.

o (organizationName) Gives the organization to which the device belongs.

ou (organizationalUnitName) Gives the organizational unit or division to which the device belongs.

owner Gives the DN (distinguished name) of the person responsible for the device.

seeAlso Contains a URL to another entry or site with related information.

serialNumber Contains the serial number of the device.

5.3.15. document
The document object class defines directory entries that represent documents. This object class is defined in RFC 1247.

Superior Class
top

OID
0.9.2342.19200300.100.4.6

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

documentIdentifier Gives the unique ID for the document.

Allowed Attributes

Attribute Definition

abstract Contains the abstract for the document.

audio Stores a sound file in binary format.

authorCn Gives the author's common name or given name.

authorSn Gives the author's surname.

cn (commonName) Gives the common name of the entry.

description Gives a text description of the entry.

dITRedirect Contains the DN (distinguished name) of the entry to use as a redirect for the document entry.

documentAuthor Contains the DN (distinguished name) of the author.

documentLocation Gives the location of the original document.

documentPublisher Identifies the person or organization that published the document.

documentStore

documentTitle Contains the title of the document.

documentVersion Gives the version number of the document.

info Contains information about the document.

jpegPhoto Stores a JPG image.

keyWords Contains keywords related to the document.

l (localityName) Gives the city or geographical location of the entry.

lastModifiedBy Gives the DN (distinguished name) of the last user which modified the document entry.

lastModifiedTime Gives the time of the last modification.

manager Gives the DN (distinguished name) of the entry's manager.

o (organizationName) Gives the organization to which the document belongs.

obsoletedByDocument Gives the DN (distinguished name) of another document entry which obsoletes this document.

obsoletesDocument Gives the DN (distinguished name) of another document entry which is obsoleted by this document.

ou (organizationalUnitName) Gives the organizational unit or division to which the document belongs.

photo Stores a photo of the document in binary format.

seeAlso Contains a URL to another entry or site with related information.

subject Describes the subject of the document.

uniqueIdentifier Distinguishes between two entries when a distinguished name has been reused.

updatedByDocument Gives the DN (distinguished name) of another document entry which updates this document.

updatesDocument Gives the DN (distinguished name) of another document entry which is updated by this document.

5.3.16. documentSeries
The documentSeries object class defines an entry that represents a series of documents.
This object class is defined in RFC 1274.

Superior Class
top

OID
0.9.2342.19200300.100.4.9

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

l (localityName) Gives the place where the document series is physically located.

o (organizationName) Gives the organization to which the document series belongs.

ou (organizationalUnitName) Gives the organizational unit or division to which the series belongs.

seeAlso Contains a URL to another entry or site with related information.

telephoneNumber Gives the telephone number of the person responsible for the document series.

5.3.17. domain
The domain object class defines directory entries that represent DNS domains. Use the dc
(domainComponent) attribute to name entries of this object class.

This object class is also used for Internet domain names, such as example.com.

The domain object class can only be used for a directory entry which does not correspond
to an organization, organizational unit, or any other object for which an object class has
been defined.

This object class is defined in RFC 2252.

Superior Class
top

OID
0.9.2342.19200300.100.4.13

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

dc (domainComponent) Contains one component of a domain name.

Allowed Attributes

Attribute Definition

associatedName Gives the name of an entry within the organizational directory tree which is associated with a DNS domain.

businessCategory Gives the type of business in which this domain is engaged.

description Gives a text description of the entry.

destinationIndicator Gives the country and city associated with the entry; this was once required to provide public telegram service.

fax (facsimileTelephoneNumber) Gives the fax number for the domain.

internationalISDNNumber Gives the ISDN number for the domain.

l (localityName) Gives the city or geographical location of the entry.

o (organizationName) Gives the organization to which the entry belongs.

physicalDeliveryOfficeName Gives a location where physical deliveries can be made.

postOfficeBox Gives the post office box number for the domain.

postalAddress Contains the mailing address for the domain.

postalCode Gives the postal code for the domain, such as the zip code in the United States.

preferredDeliveryMethod Shows the person's preferred method of contact or message delivery.

registeredAddress Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.

searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search.

seeAlso Contains a URL to another entry or site with related information.

st (stateOrProvinceName) Gives the state or province where the domain is located.

street Gives the street name and address number for the domain's physical location.

telephoneNumber Gives the phone number for the domain.

teletexTerminalIdentifier Gives the ID for a domain's teletex terminal.

telexNumber Gives the telex number for the domain.

userPassword Stores the password with which the entry can bind to the directory.

x121Address Gives the X.121 address for the domain.

5.3.18. domainRelatedObject
The domainRelatedObject object class defines entries that represent DNS or NRS domains
which are equivalent to an X.500 domain, such as an organization or organizational unit.

This object class is defined in RFC 1274.

Superior Class
top

OID
0.9.2342.19200300.100.4.17

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
associatedDomain    Specifies a DNS domain associated with an object in the directory tree.

5.3.19. dSA
The dSA object class defines entries that represent DSAs.

This object class is defined in RFC 1274.

Superior Class
top

OID
2.5.6.13

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
cn (commonName)    Gives the common name of the entry.
presentationAddress    Contains the entry's OSI presentation address.

Allowed Attributes

Attribute    Definition

description    Gives a text description of the entry.
knowledgeInformation
l (localityName)    Gives the city or geographical location of the entry.
o (organizationName)    Gives the organization to which the entry belongs.
ou (organizationalUnitName)    Gives the organizational unit or division to which the entry belongs.
seeAlso    Contains a URL to another entry or site with related information.
supportedApplicationContext    Contains the identifiers of OSI application contexts.

5.3.20. extensibleObject
When present in an entry, extensibleObject permits the entry to optionally hold any
attribute. The allowed attribute list of this class is implicitly the set of all attributes known to
the server.

This object class is defined in RFC 2252.

Superior Class
top

OID
1.3.6.1.4.1.1466.101.120.111


Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.

Allowed Attributes
All attributes known to the server.

5.3.21. friendlyCountry
The friendlyCountry object class defines country entries within the directory. This object
class allows more friendly names than the country object class.

This object class is defined in RFC 1274.

Superior Class
top

OID
0.9.2342.19200300.100.4.18

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
co (friendlyCountryName)    Stores the human-readable country name.
c (countryName)    Contains the two-character code representing country names, as defined by ISO, in the directory.

Allowed Attributes

Attribute    Definition

description    Gives a text description of the entry.
searchGuide    Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search.

5.3.22. groupOfCertificates
The groupOfCertificates object class describes a set of X.509 certificates. Any certificate
that matches one of the memberCertificateDescription values is considered a member of
the group.

Superior Class
top

OID
2.16.840.1.113730.3.2.31

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
cn (commonName)    Gives the common name of the entry.

Allowed Attributes

Attribute    Definition

businessCategory    Gives the type of business in which the group is engaged.
description    Gives a text description of the entry.
memberCertificateDescription    Contains the values used to determine if a particular certificate is a member of this group.
o (organizationName)    Gives the organization to which the entry belongs.
ou (organizationalUnitName)    Gives the organizational unit or division to which the entry belongs.
owner    Contains the DN (distinguished name) of the person responsible for the group.
seeAlso    Contains a URL to another entry or site with related information.

5.3.23. groupOfMailEnhancedUniqueNames
The groupOfMailEnhancedUniqueNames object class is used for a mail group which must
have unique members. This object class is defined for Netscape Messaging Server.

Superior Class
top


OID
2.16.840.1.113730.3.2.5

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
cn (commonName)    Gives the common name of the entry.

Allowed Attributes

Attribute    Definition

businessCategory    Gives the type of business in which the group is engaged.
description    Gives a text description of the entry.
mailEnhancedUniqueMember    Contains a unique DN value to identify a member of the mail group.
o (organizationName)    Gives the organization to which the entry belongs.
ou (organizationalUnitName)    Gives the organizational unit or division to which the entry belongs.
owner    Contains the DN (distinguished name) of the person responsible for the group.
seeAlso    Contains a URL to another entry or site with related information.

5.3.24. groupOfNames
The groupOfNames object class contains entries for a group of names. This object class is
defined in RFC 2256.

NOTE

The definition for this object class in Directory Server differs from the standard
definition. In the standard definition, member is a required attribute, while in
Directory Server it is an allowed attribute. Directory Server, therefore, allows a
group to have no members.

Superior Class
top

OID
2.5.6.9

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
cn (commonName)    Gives the common name of the entry.

Allowed Attributes

Attribute    Definition

businessCategory    Gives the type of business in which the entry is engaged.
description    Gives a text description of the entry.
member    Contains the DN (distinguished name) of a group member.
o (organizationName)    Gives the organization to which the entry belongs.
ou (organizationalUnitName)    Gives the organizational unit or division to which the entry belongs.
owner    Contains the DN (distinguished name) of the person responsible for the group.
seeAlso    Contains a URL to another entry or site with related information.

5.3.25. groupOfUniqueNames
The groupOfUniqueNames object class defines a group which contains unique names.

NOTE

The definition for this object class in Directory Server differs from the standard
definition. In the standard definition, uniqueMember is a required attribute,
while in Directory Server it is an allowed attribute. Directory Server, therefore,
allows a group to have no members.


This object class is defined in RFC 2256.

Superior Class
top

OID
2.5.6.17

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
cn (commonName)    Gives the common name of the entry.

Allowed Attributes

Attribute    Definition

businessCategory    Gives the type of business in which the entry is engaged.
description    Gives a text description of the entry.
o (organizationName)    Gives the organization to which the entry belongs.
ou (organizationalUnitName)    Gives the organizational unit or division to which the entry belongs.
owner    Contains the DN (distinguished name) of the person responsible for the group.
seeAlso    Contains a URL to another entry or site with related information.
uniqueMember    Contains the DN (distinguished name) of a member of the group; this DN must be unique.
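
The NOTE boxes for groupOfNames and groupOfUniqueNames describe the same deviation: Directory Server makes member and uniqueMember optional where RFC 2256 requires them, so a group can exist with no members. The following Python example is added here and is not code from the Red Hat Directory Server reference; it transcribes the required and allowed attribute sets from the two tables above into both forms, checks a constructed LDIF export against each, and lists the member-less groups that the Directory Server definition accepts. The minimal LDIF parser, the sample entries and their DNs are assumptions of the example.

```python
from collections import defaultdict

# Attributes the tables above allow for both group classes (lower-cased: LDAP names are case-insensitive).
GROUP_ALLOWED = {"businesscategory", "description", "o", "ou", "owner", "seealso"}


def group_schema(member_required):
    """(required, allowed) sets per object class. member_required=True gives the
    RFC 2256 definition; False gives the Directory Server one, where member /
    uniqueMember is only allowed and a group with no members is schema-valid."""
    schema = {}
    for oc, member_attr in (("groupofnames", "member"), ("groupofuniquenames", "uniquemember")):
        required, allowed = {"objectclass", "cn"}, set(GROUP_ALLOWED)
        (required if member_required else allowed).add(member_attr)
        schema[oc] = (required, allowed)
    return schema


RFC2256_SCHEMA = group_schema(member_required=True)
DS_SCHEMA = group_schema(member_required=False)

# Constructed sample export with assumed DNs; the second group has no members yet.
SAMPLE_LDIF = """\
dn: cn=Directory Administrators,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Directory Administrators
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com
uniqueMember: uid=asmith,ou=People,dc=example,dc=com

dn: cn=Auditors,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Auditors
description: Group created before any member
  was added to it
"""


def parse_ldif(text):
    """Minimal LDIF reader returning [{"dn": ..., "attrs": {attr: [values]}}]; folded
    lines are joined per RFC 2849, base64 (::) values and change records are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # drop only the single folding space
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # the trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][attr].append(value)
    return entries


def check_entry(dn, attrs, schema):
    """Violations of one entry: missing required attributes, and attributes that
    none of its object classes allows (the latter is skipped for unknown classes)."""
    problems, permitted, all_known = [], set(), True
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    for oc in classes:
        if oc == "top":
            continue
        if oc not in schema:
            problems.append(f"{dn}: object class {oc} is not in the tables above")
            all_known = False
            continue
        required, allowed = schema[oc]
        permitted |= required | allowed
        for attr in sorted(required - set(attrs)):
            problems.append(f"{dn}: {oc} requires {attr}")
    if all_known:
        for attr in sorted(set(attrs) - permitted):
            problems.append(f"{dn}: {attr} is not allowed by {classes}")
    return problems


def audit(text, schema):
    """Map every DN in an LDIF text to its violations under the given schema."""
    return {e["dn"]: check_entry(e["dn"], e["attrs"], schema) for e in parse_ldif(text)}


def empty_groups(text):
    """DNs of groupOfNames / groupOfUniqueNames entries with no member at all; they
    pass DS_SCHEMA, so an audit of group membership has to look for them explicitly."""
    out = []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e["attrs"].get("objectclass", [])}
        members = e["attrs"].get("member") or e["attrs"].get("uniquemember")
        if classes & set(DS_SCHEMA) and not members:
            out.append(e["dn"])
    return out
```

Running audit(SAMPLE_LDIF, RFC2256_SCHEMA) flags the Auditors group for the missing member attribute, audit(SAMPLE_LDIF, DS_SCHEMA) reports nothing, and empty_groups(SAMPLE_LDIF) is what surfaces it under the Directory Server definition.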

5.3.26. groupOfURLs
The groupOfURLs object class is an auxiliary object class for the groupOfUniqueNames and
groupOfNames object classes. This group consists of a list of labeled URLs.

Superior Class
top

OID
2.16.840.1.113730.3.2.33

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
cn (commonName)    Gives the common name of the entry.

Allowed Attributes

Attribute    Definition

businessCategory    Gives the type of business in which the group is engaged.
description    Gives a text description of the entry.
memberURL    Contains a URL associated with each member of the group.
o (organizationName)    Gives the organization to which the entry belongs.
ou (organizationalUnitName)    Gives the organizational unit or division to which the entry belongs.
owner    Contains the DN (distinguished name) of the person responsible for the group.
seeAlso    Contains a URL to another entry or site with related information.

5.3.27. ieee802Device
The ieee802Device object class points to a device with a MAC address. This object class is
defined in RFC 2307.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use
the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the
10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

Superior Class
top


OID
1.3.6.1.1.1.2.11

Required Attributes

Attribute    Definition

objectClass    Defines the object classes for the entry.
cn (commonName)    Gives the common name of the device.

Allowed Attributes

Attribute    Definition

description    Gives a text description of the entry.
l (localityName)    Gives the city or geographical location of the entry.
macAddress    Gives the MAC address of the device.
o (organizationName)    Gives the organization to which the device belongs.
ou (organizationalUnitName)    Gives the organizational unit or division to which the device belongs.
owner    Gives the DN (distinguished name) of the person responsible for the device.
seeAlso    Contains a URL to another entry or site with related information.
serialNumber    Contains the serial number of the device.

5.3.28. inetAdmin
The inetAdmin object class is a marker for an administrative group or user. This object
class is defined for the Netscape Delegated Administrator.

Superior Class
top

OID
2.16.840.1.113730.3.2.112

Required Attributes


Attribute    Definition

objectClass    Gives the object classes assigned to the entry.

Allowed Attributes

Attribute    Definition

adminRole    Identifies a role to which the administrative user belongs.
memberOf    Contains a group name to which the administrative user belongs. This is dynamically managed by the MemberOf Plug-in.

5.3.29. inetDomain
The inetDomain object class is an auxiliary class for virtual domain nodes. This object class
is defined for the Netscape Delegated Administrator.

Superior Class
top

OID
2.16.840.1.113730.3.2.129

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.

Allowed Attributes

Attribute    Definition

inetDomainBaseDN    Defines the base DN of the user subtree for a DNS domain.
inetDomainStatus    Gives the status of the domain. The status can be active, inactive, or deleted.

5.3.30. inetOrgPerson
The inetOrgPerson object class defines entries representing people in an organization's
enterprise network. This object class inherits the cn (commonName) and sn (surname)
attributes from the person object class.

This object class is defined in RFC 2798.

Superior Class
person

OID
2.16.840.1.113730.3.2.2

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
cn (commonName)    Gives the common name of the entry.
sn (surname)    Gives the person's family name or last name.

Allowed Attributes

Attribute    Definition

audio    Stores a sound file in binary format.
businessCategory    Gives the type of business in which the entry is engaged.
carLicense    Gives the license plate number of the person's vehicle.
departmentNumber    Gives the department for which the person works.
description    Gives a text description of the entry.
destinationIndicator    Gives the country and city associated with the entry; this was once required to provide public telegram service.
displayName    Shows the preferred name of a person to use when displaying entries.
employeeNumber    Contains the person's employee number.


Attribute    Definition

employeeType    Shows the person's type of employment (for example, full time).
fax (facsimileTelephoneNumber)    Contains the person's fax number.
givenName    Contains the person's first name.
homePhone    Gives the person's home phone number.
homePostalAddress    Gives the person's home mailing address.
initials    Gives the person's initials.
internationalISDNNumber    Contains the ISDN number for the entry.
jpegPhoto    Stores a JPG image.
l (localityName)    Gives the city or geographical location of the entry.
labeledURI    Contains a URL which is relevant to the entry.
mail    Contains the person's email address.
manager    Contains the DN (distinguished name) of the direct supervisor of the person entry.
mobile    Gives the person's mobile phone number.
o (organizationName)    Gives the organization to which the entry belongs.
ou (organizationalUnitName)    Gives the organizational unit or division to which the entry belongs.
pager    Gives the person's pager number.
photo    Stores a photo of a person, in binary format.
physicalDeliveryOfficeName    Gives a location where physical deliveries can be made.
postOfficeBox    Gives the post office box number for the entry.
postalAddress    Contains the mailing address for the entry.


Attribute    Definition

postalCode    Gives the postal code for the entry, such as the zip code in the United States.
preferredDeliveryMethod    Shows the person's preferred method of contact or message delivery.
preferredLanguage    Gives the person's preferred written or spoken language.
registeredAddress    Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.
roomNumber    Gives the room number where the person is located.
secretary    Contains the DN (distinguished name) of the person's secretary or administrative assistant.
seeAlso    Contains a URL to another entry or site with related information.
st (stateOrProvinceName)    Gives the state or province where the entry is located.
street    Gives the street name and number for the person's physical location.
telephoneNumber    Gives the telephone number for the entry.
teletexTerminalIdentifier    Gives the identifier for the person's teletex terminal.
telexNumber    Gives the telex number associated with the entry.
title    Shows the person's job title.
uid (userID)    Contains the person's user ID (usually his logon ID).
userCertificate    Stores a user's certificate in cleartext (not used).
userPassword    Stores the password with which the entry can bind to the directory.


Attribute    Definition

userSMIMECertificate    Stores the person's certificate in binary form so it can be used by S/MIME clients.
x121Address    Gives the X.121 address for the person.
x500UniqueIdentifier    Reserved for future use.

5.3.31. inetSubscriber
The inetSubscriber object class is used for general user account management. This object
class is defined for the Netscape subscriber interoperability.

Superior Class
top

OID
2.16.840.1.113730.3.2.134

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.

Allowed Attributes

Attribute    Definition

inetSubscriberAccountId    Contains a unique attribute linking the subscriber to a billing system.
inetSubscriberChallenge    Contains some kind of question or prompt, the challenge phrase, which is used to confirm the identity of the user.
inetSubscriberResponse    Contains the answer to the challenge question.

5.3.32. inetUser
The inetUser object class is an auxiliary class which must be present in an entry in order
to deliver subscriber services. This object class is defined for the Netscape subscriber
interoperability.

Superior Class
top


OID
2.16.840.1.113730.3.2.130

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.

Allowed Attributes

Attribute    Definition

inetUserHttpURL    Contains web addresses associated with the user.
inetUserStatus    Gives the status of the user. The status can be active, inactive, or deleted.
memberOf    Contains a group name to which the user belongs. This is dynamically managed by the MemberOf Plug-in.
uid (userID)    Contains the person's user ID (usually his logon ID).
userPassword    Stores the password which the user can use to access the user account.

5.3.33. ipHost
The ipHost object class stores IP information about a host. This object class is defined in
RFC 2307.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use
the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the
10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

Superior Class
top

OID
1.3.6.1.1.1.2.6

Required Attributes


Attribute    Definition

objectClass    Defines the object classes for the entry.
cn (commonName)    Gives the common name of the device.
ipHostNumber    Contains the IP address of the device or host.

Allowed Attributes

Attribute    Definition

description    Gives a text description of the entry.
l (localityName)    Gives the city or geographical location of the entry.
manager    Contains the DN (distinguished name) of the maintainer or supervisor of the entry.
o (organizationName)    Gives the organization to which the device belongs.
ou (organizationalUnitName)    Gives the organizational unit or division to which the device belongs.
owner    Gives the DN (distinguished name) of the person responsible for the device.
seeAlso    Contains a URL to another entry or site with related information.
serialNumber    Contains the serial number of the device.

5.3.34. ipNetwork
The ipNetwork object class stores IP information about a network. This object class is
defined in RFC 2307.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use
the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the
10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

Superior Class
top


OID
1.3.6.1.1.1.2.7

Required Attributes

Attribute    Definition

objectClass    Defines the object classes for the entry.
cn (commonName)    Gives the common name of the device.
ipNetworkNumber    Contains the IP number for the network.

Allowed Attributes

Attribute    Definition

description    Gives a text description of the entry.
l (localityName)    Gives the city or geographical location of the entry.
manager    Contains the DN (distinguished name) of the maintainer or supervisor of the entry.
ipNetmaskNumber    Contains the IP netmask for the network.

5.3.35. ipProtocol
The ipProtocol object class shows the IP protocol version. This object class is defined in
RFC 2307.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use
the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the
10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

Superior Class
top

OID
1.3.6.1.1.1.2.4

Required Attributes


Attribute    Definition

objectClass    Defines the object classes for the entry.
cn (commonName)    Gives the common name of the device.
ipProtocolNumber    Contains the IP protocol number for the network.

Allowed Attributes

Attribute    Definition

description    Gives a text description of the entry.

5.3.36. ipService
The ipService object class stores information about the IP service. This object class is
defined in RFC 2307.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use
the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the
10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the
/etc/dirsrv/slapd-instance/schema directory.

Superior Class
top

OID
1.3.6.1.1.1.2.3

Required Attributes

Attribute    Definition

objectClass    Defines the object classes for the entry.
cn (commonName)    Gives the common name of the device.
ipServicePort    Gives the port number used by the IP service.
ipServiceProtocol    Contains the IP protocol number for the service.

Allowed Attributes


Attribute    Definition

description    Gives a text description of the entry.

5.3.37. labeledURIObject
This object class can be added to existing directory objects to allow URI values to be
included. Using this object class does not preclude including the labeledURI attribute type
directly in other object classes as appropriate.

This object class is defined in RFC 2079.

Superior Class
top

OID
1.3.6.1.4.1.250.3.15

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.

Allowed Attributes

Attribute    Definition

labeledURI    Gives a URI which is relevant to the entry's object.

5.3.38. locality
The locality object class defines entries that represent localities or geographic areas.

This object class is defined in RFC 2256.

Superior Class
top

OID
2.5.6.3

Required Attributes


Attribute    Definition

objectClass    Gives the object classes assigned to the entry.

Allowed Attributes

Attribute    Definition

description    Gives a text description of the entry.
l (localityName)    Gives the city or geographical location of the entry.
searchGuide    Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search.
seeAlso    Contains a URL to another entry or site with related information.
st (stateOrProvinceName)    Gives the state or province associated with the locality.
street    Gives a street and number associated with the locality.

5.3.39. mailGroup
The mailGroup object class defines the mail attributes for a group. This object is defined in
the schema for the Netscape Messaging Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.4

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.

Allowed Attributes


Attribute    Definition

cn (commonName)    Gives the common name of the entry.
mail    Stores email addresses for the group.
mailAlternateAddress    Contains secondary email addresses for the group.
mailHost    Contains the host name of the mail server.
owner    Contains the DN (distinguished name) of the person responsible for the group.

5.3.40. mailRecipient
The mailRecipient object class defines a mail account for a user. This object is defined in
the schema for the Netscape Messaging Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.3

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.

Allowed Attributes

Attribute    Definition

cn (commonName)    Gives the common name of the entry.
mail    Stores email addresses for the group.
mailAccessDomain    Contains the domain from which the user can access the messaging server.
mailAlternateAddress    Contains secondary email addresses for the group.
mailAutoReplyMode    Specifies whether autoreply mode for the account is enabled.


Attribute    Definition

mailAutoReplyText    Contains the text used for automatic reply emails.
mailDeliveryOption    Specifies the mail delivery mechanism to be used for the mail user.
mailForwardingAddress    Specifies the mail delivery mechanism to use for the mail user.
mailHost    Contains the host name of the mail server.
mailMessageStore    Specifies the location of the user's mail box.
mailProgramDeliveryInfo    Specifies the commands used for programmed mail delivery.
mailQuota    Specifies the disk space allowed for the user's mail box.
mailRoutingAddress    Contains a routing address to use when forwarding the mail from this entry's account to another messaging server.
multiLineDescription    Contains a text description of the entry which spans more than one line.
uid (userID)    Gives the defined account's user ID.
userPassword    Stores the password with which the entry can access the account.

5.3.41. mepManagedEntry
The mepManagedEntry object class identifies an entry which was generated by an
instance of the Managed Entries Plug-in. This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.319

Allowed Attributes

Attribute    Definition

mepManagedBy    Gives the DN of the originating entry which corresponds to the managed entry.

5.3.42. mepOriginEntry
The mepOriginEntry object class identifies an entry which is within a subtree that is
monitored by an instance of the Managed Entries Plug-in and which has had a managed
entry created by the plug-in, for which this is the originating entry. This object class is
defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.320

Allowed Attributes

Attribute    Definition

mepManagedEntry    Gives the DN of the managed entry which was created by the Managed Entries Plug-in instance and which corresponds to this originating entry.

5.3.43. mepTemplateEntry
The mepTemplateEntry object class identifies an entry which is used as a template by an
instance of the Managed Entries Plug-in to create the managed entries. This object class is
defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.321

Allowed Attributes

Attribute    Definition

cn (commonName)    Gives the common name of the entry.
mepMappedAttr    Contains an attribute-token pair that the plug-in uses to create an attribute in the managed entry with a value taken from the originating entry.
mepRDNAttr    Specifies which attribute to use as the naming attribute in the managed entry.
mepStaticAttr    Contains an attribute-value pair that will be used, with that specified value, in the managed entry.

5.3.44. netscapeCertificateServer
The netscapeCertificateServer object class stores information about a Netscape
certificate server. This object is defined in the schema for the Netscape Certificate
Management System.

Superior Class
top

OID
2.16.840.1.113730.3.2.18

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.

5.3.45. netscapeDirectoryServer
The netscapeDirectoryServer object class stores information about a Directory Server
instance. This object is defined in the schema for the Netscape Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.23

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.


5.3.46. NetscapeLinkedOrganization
NetscapeLinkedOrganization is an auxiliary object class. This object is defined in the
schema for the Netscape server suite.

Superior Class
top

OID
1.3.6.1.4.1.1466.101.120.141

Allowed Attributes

Attribute    Definition

parentOrganization    Identifies the parent organization for the linked organization defined for the server suite.

5.3.47. netscapeMachineData
The netscapeMachineData object class distinguishes between machine data and non-machine
data. This object is defined in the schema for the Netscape Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.32

5.3.48. NetscapePreferences
NetscapePreferences is an auxiliary object class which stores the user preferences. This
object is defined by Netscape.

Superior Class
top

OID
1.3.6.1.4.1.1466.101.120.142

Required Attributes

Attribute    Definition

preferredLanguage    Gives the person's preferred written or spoken language.
preferredLocale    Gives the person's preferred locale. A locale setting defines cultural or national settings like date formats and currencies.
preferredTimeZone    Gives the person's preferred time zone.

5.3.49. netscapeReversiblePasswordObject
netscapeReversiblePasswordObject is an auxiliary object class to store a password. This
object is defined in the schema for the Netscape Web Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.154

Allowed Attributes

Attribute    Definition

netscapeReversiblePassword    Contains a password used for HTTP Digest/MD5 authentication.

5.3.50. netscapeServer
The netscapeServer object class contains instance-specific information about a Netscape
server and its installation.

Superior Class
top

OID
2.16.840.1.113730.3.2.10

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
cn (commonName)    Gives the common name of the entry.

Allowed Attributes


Attribute    Definition

administratorContactInfo    Contains the contact information for the server administrator.
adminUrl    Contains the URL for the Administration Server used by the instance.
description    Gives a text description of the entry.
installationTimeStamp    Contains the time that the server instance was installed.
serverHostName    Contains the host name of the server on which the Directory Server instance is running.
serverProductName    Contains the product name of the server type.
serverRoot    Specifies the top directory where the server product is installed.
serverVersionNumber    Contains the product version number.
userPassword    Stores the password with which the entry can bind to the directory.

5.3.51. netscapeWebServer
The netscapeWebServer object class identifies an installed Netscape Web Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.29

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
cn (commonName)    Gives the common name of the entry.
nsServerID    Contains the server's name or ID.

Allowed Attributes


Attribute    Definition

description    Gives a text description of the entry.
nsServerPort    Contains the server's port number.

5.3.52. newPilotPerson
The newPilotPerson object class is a subclass of the person object class that allows additional
attributes to be assigned to entries of the person object class. This object class inherits the cn
(commonName) and sn (surname) attributes from the person object class.

This object class is defined in Internet White Pages Pilot.

Superior Class
person

OID
0.9.2342.19200300.100.4.4

Required Attributes

Attribute    Definition

objectClass    Gives the object classes assigned to the entry.
cn (commonName)    Gives the common name of the entry.
sn (surname)    Gives the person's family name or last name.

Allowed Attributes

Attribute    Definition

businessCategory    Gives the type of business in which the entry is engaged.
description    Gives a text description of the entry.
drink (favouriteDrink)    Gives the person's favorite drink.
homePhone    Gives the person's home phone number.
homePostalAddress    Gives the person's home mailing address.


Attribute    Definition

janetMailbox    Gives the person's email address; this is primarily for use in Great Britain or organizations which do not use RFC 822 mail addresses.
mail    Contains the person's email address.
mailPreferenceOption    Indicates the user's preference for including his name on mailing lists (electronic or physical).
mobile    Gives the person's mobile phone number.
organizationalStatus    Gives the common job category for a person's function.
otherMailbox    Contains values for electronic mailbox types other than X.400 and RFC 822.
pager    Gives the person's pager number.
personalSignature    Contains the person's signature file.
personalTitle    Gives the person's honorific.
preferredDeliveryMethod    Shows the person's preferred method of contact or message delivery.
roomNumber    Gives the room number where the person is located.
secretary    Contains the DN (distinguished name) of the person's secretary or administrative assistant.
seeAlso    Contains a URL to another entry or site with related information.
telephoneNumber    Gives the telephone number for the entry.
uid (userID)    Contains the person's user ID (usually his logon ID).
userClass    Describes the type of computer user this entry is.
userPassword    Stores the password with which the entry can bind to the directory.

5.3.53. nisMap
This object class points to a NIS map.

This object class is defined in RFC 2307, which defines object classes and attributes to use
LDAP as a network information service.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated
RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from
the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema directory.

Superior Class
top

OID
1.3.6.1.1.1.2.13

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

nisMapName Contains the NIS map name.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

5.3.54. nisNetgroup
This object class contains a netgroup used within a NIS domain. Adding this object class
allows administrators to use netgroups to control login and service authentication in NIS.

This object class is defined in RFC 2307, which defines object classes and attributes to use
LDAP as a network information service.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated
RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from
the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema directory.

Superior Class
top

OID
1.3.6.1.1.1.2.8

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

memberNisNetgroup Merges the attribute values of another netgroup into the current one by
listing the name of the merging netgroup.

nisNetgroupTriple Contains a user name (,bobby,example.com) or a machine name
(shellserver1,,example.com).
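To show how the two attributes above combine when a netgroup is used for login control, the following Python resolves a tree of nisNetgroup entries the way a NIS client would: it parses nisNetgroupTriple values, merges in the triples of every netgroup named in memberNisNetgroup (recursively, with cycle protection), and checks whether a given (host, user, domain) combination is covered. This is an added example written for this section, not code from the Red Hat documentation or from Directory Server; the netgroup names, triples and the dictionary layout are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# (host, user, domain); an empty field is a wildcard, as in NIS.
Triple = Tuple[str, str, str]
Netgroups = Dict[str, Dict[str, List[str]]]

# Constructed sample data (not from the Red Hat documentation), keyed by cn.
# "ops" lists itself in memberNisNetgroup to show that cycles are tolerated.
SAMPLE_NETGROUPS: Netgroups = {
    "admins": {
        "nisNetgroupTriple": ["(,bobby,example.com)", "(,alice,example.com)"],
        "memberNisNetgroup": [],
    },
    "shellhosts": {
        "nisNetgroupTriple": ["(shellserver1,,example.com)",
                              "(shellserver2,,example.com)"],
        "memberNisNetgroup": [],
    },
    "ops": {
        "nisNetgroupTriple": ["(,carol,example.com)"],
        "memberNisNetgroup": ["admins", "shellhosts", "ops"],
    },
}

_TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def parse_triple(value: str) -> Triple:
    """Parse one nisNetgroupTriple value of the form (host,user,domain).

    Anything else (missing parentheses, wrong field count) is rejected
    rather than silently treated as a wildcard.
    """
    match = _TRIPLE_RE.match(value.strip())
    if match is None:
        raise ValueError(f"malformed nisNetgroupTriple: {value!r}")
    host, user, domain = (field.strip() for field in match.groups())
    return host, user, domain


def resolve_netgroup(name: str, netgroups: Netgroups,
                     _seen: Optional[Set[str]] = None) -> Set[Triple]:
    """Return every triple of netgroup `name`, including those merged in
    through memberNisNetgroup, recursively. Each netgroup is expanded at
    most once, so a cycle in memberNisNetgroup cannot recurse forever."""
    if _seen is None:
        _seen = set()
    if name in _seen:
        return set()
    _seen.add(name)
    entry = netgroups.get(name)
    if entry is None:
        raise KeyError(f"unknown netgroup: {name}")
    triples = {parse_triple(v) for v in entry.get("nisNetgroupTriple", [])}
    for member in entry.get("memberNisNetgroup", []):
        triples |= resolve_netgroup(member, netgroups, _seen)
    return triples


def _field_matches(pattern: str, value: str) -> bool:
    # An empty triple field matches any value.
    return pattern == "" or pattern == value


def netgroup_contains(name: str, netgroups: Netgroups,
                      host: str, user: str, domain: str) -> bool:
    """True if (host, user, domain) is covered by a triple of the resolved
    netgroup. A user triple such as (,bobby,example.com) matches bobby from
    every host, which is exactly what its empty host field means."""
    return any(
        _field_matches(h, host) and _field_matches(u, user)
        and _field_matches(d, domain)
        for h, u, d in resolve_netgroup(name, netgroups)
    )


if __name__ == "__main__":
    for triple in sorted(resolve_netgroup("ops", SAMPLE_NETGROUPS)):
        print(triple)
```

Two points matter when a netgroup gates logins: a wildcard field is an allow-from-anywhere (or for-anyone) rule, so user triples with an empty host field and machine triples with an empty user field should be reviewed with that in mind, and memberNisNetgroup references must be resolved with cycle detection, which is why each netgroup is expanded only once here.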

5.3.55. nisObject
This object class contains information about an object in a NIS domain.

This object class is defined in RFC 2307, which defines object classes and attributes to use
LDAP as a network information service.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated
RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from
the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema directory.

Superior Class
top

OID
1.3.6.1.1.1.2.10

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

nisMapEntry Identifies the NIS map entry.

nisMapName Contains the name of the NIS map.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

5.3.56. nsAdminConfig
This object class stores the configuration parameters for the Administration Server. This
object is defined for the Administration Services.

Superior Class
nsConfig

OID
nsAdminConfig-oid

Allowed Attributes

Attribute Definition

nsAdminAccessAddresses Identifies the Administration Server IP addresses.

nsAdminAccessHosts Contains the Administration Server host name or a list of
Administration Server host names.

nsAdminCacheLifetime Notes the length of the cache timeout period.

nsAdminCgiWaitPid Contains the PID of the CGI process the server is waiting for.

nsAdminEnableEnduser Sets whether to allow or disallow end user access to the
Administration Server web services pages.

nsAdminOneACLDir Contains the path of the local ACL directory for the Administration Server.

nsAdminUsers Points to the file which contains the admin user info.

5.3.57. nsAdminConsoleUser
This object class stores the configuration parameters for the Administration Server. This
object is defined for the Administration Services.

Superior Class
top

OID
nsAdminConsoleUser-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

nsPreference Stores preference information for console settings.

5.3.58. nsAdminDomain
This object class stores user information to access Admin Console. This object is defined for
the Administration Services.

Superior Class
organizationalUnit

OID
nsAdminDomain-oid

Allowed Attributes

Attribute Definition

nsAdminDomainName Identifies the administration domain for the servers.

5.3.59. nsAdminGlobalParameters
This object class stores the configuration parameters for the Administration Server. This
object is defined for the Administration Services.

Superior Class
top

OID
nsAdminGlobalParameters-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

nsAdminEndUserHTMLIndex Sets whether to allow or disallow end-user access to the HTML
index pages.

nsNickName Gives the nickname for the application.

5.3.60. nsAdminGroup
This object class stores group information for administrator users in the
Administration Server. This object is defined for the Administration Services.

Superior Class
top

OID
nsAdminGroup-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

nsAdminGroupName Contains the name for the admin group.

nsAdminSIEDN Shows the DN of the server instance entry (SIE) for the Administration Server
instance.

nsConfigRoot Gives the full path to the Administration Server instance's configuration
directory.

5.3.61. nsAdminObject
This object class contains information about an object used by Administration Server, such
as a task. This object is defined for the Administration Services.

Superior Class
top

OID
nsAdminObject-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

nsClassname Contains the class name associated with the task or resource editor for the
Administration Server.

nsJarfilename Gives the name of the JAR file used by the Administration Server Console to
access the object.

5.3.62. nsAdminResourceEditorExtension
This object class contains an extension used by the Console Resource Editor. This object is
defined for the Administration Services.

Superior Class
nsAdminObject

OID
nsAdminResourceEditorExtension-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

nsAdminAccountInfo Contains information about the Administration Server account.

nsDeleteclassname Contains the name of a class to be deleted.

5.3.63. nsAdminServer
This object class defines the Administration Server instance. This object is defined for the
Administration Services.

Superior Class
top

OID
nsAdminServer-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

nsServerID Contains the Directory Server ID, such as slapd-example.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

5.3.64. nsAIMpresence
nsAIMpresence is an auxiliary object class which defines the status of an AOL instant
messaging account. This object is defined for the Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.300

Allowed Attributes

Attribute Definition

nsAIMid Contains the AIM user ID for the entry.

nsAIMStatusGraphic Contains a pointer to the graphic image which indicates the AIM account's
status.

nsAIMStatusText Contains the text to indicate the AIM account's status.

5.3.65. nsApplication
nsApplication defines an application or server entry. This is defined by Netscape.

Superior Class
top

OID
nsApplication-oid

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

installationTimeStamp Contains the time that the server instance was installed.

nsBuildNumber Contains the build number for the server instance.

nsBuildSecurity Contains the level of security used to make the build.

nsExpirationDate Contains the date that the license for the application expires.

nsInstalledLocation For servers which are version 7.1 or older, shows the installation
directory for the server.

nsLdapSchemaVersion Gives the version of the LDAP schema files used by the Directory Server.

nsNickName Gives the nickname for the application.

nsProductName Gives the name of the server product.

nsProductVersion Shows the version number of the server product.

nsRevisionNumber Contains the revision number (minor version) for the product.

nsSerialNumber Gives the serial number assigned to the server product.

nsServerMigrationClassname Gives the class to use to migrate a server instance.

nsServerCreationClassname Gives the class to use to create a server instance.

nsVendor Contains the name of the vendor who designed the server.

5.3.66. nsCertificateServer
The nsCertificateServer object class stores information about a Red Hat Certificate
System instance. This object is defined in the schema for the Certificate System.

Superior Class
top

OID
nsCertificateServer-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

nsServerID Contains the server's name or ID.

Allowed Attributes

Attribute Definition

nsCertConfig Contains configuration settings for a Red Hat Certificate System instance.

nsServerPort Contains the server's port number.

serverHostName Contains the host name of the server on which the Directory Server instance
is running.

5.3.67. nsComplexRoleDefinition
Any role that is not a simple role is, by definition, a complex role.

This object class is defined by Directory Server.

Superior Class
nsRoleDefinition

OID
2.16.840.1.113730.3.2.95

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

description Gives a text description of the entry.

5.3.68. nsContainer
Some entries do not define any specific entity, but they create a defined space within the
directory tree as a parent entry for similar or related child entries. These are container
entries, and they are identified by the nsContainer object class.

Superior Class
top

OID
2.16.840.1.113730.3.2.104

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn Gives the common name of the entry.

5.3.69. nsCustomView
The nsCustomView object class defines information about custom views of the
Directory Server data in the Directory Server Console. This is defined for Administration
Services.

Superior Class
nsAdminObject

OID
nsCustomView-oid

Allowed Attributes

Attribute Definition

nsDisplayName Contains the name of the custom view setting profile.

5.3.70. nsDefaultObjectClasses
nsDefaultObjectClasses sets default object classes to use when creating a new object of
a certain type within the directory. This is defined for Administration Services.

Superior Class
top

OID
nsDefaultObjectClasses-oid

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn (commonName) Gives the common name of the device.

Allowed Attributes

Attribute Definition

nsDefaultObjectClass Contains an object class to assign by default to an object type.

5.3.71. nsDirectoryInfo
nsDirectoryInfo contains information about a directory instance. This is defined for
Administration Services.

Superior Class
top

OID
nsDirectoryInfo-oid

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn (commonName) Gives the common name of the device.

Allowed Attributes

Attribute Definition

nsBindDN Contains the bind DN defined for the server in its server instance entry.

nsBindPassword Contains the password for the bind identity in the SIE.

nsDirectoryFailoverList Contains a list of URLs of other Directory Server instances to use
for failover support if the instance in nsDirectoryURL is unavailable.

nsDirectoryInfoRef Contains a reference to a distinguished name (DN) in the directory.

nsDirectoryURL Contains a URL to access the Directory Server instance.

5.3.72. nsDirectoryServer
nsDirectoryServer is the defining object class for a Directory Server instance. This is
defined for the Directory Server.

Superior Class
top

OID
nsDirectoryServer-oid

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

nsServerID Contains the server's name or ID.

Allowed Attributes

Attribute Definition

nsBaseDN Contains the base DN for the server instance.

nsBindDN Contains the bind DN defined for the server in its server instance entry.

nsBindPassword Contains the password for the bind identity in the SIE.

nsSecureServerPort Contains the server's TLS port number.

nsServerPort Contains the server's port number.

serverHostName Contains the host name of the server on which the Directory Server instance
is running.

5.3.73. nsFilteredRoleDefinition
The nsFilteredRoleDefinition object class defines how entries are assigned to the role,
depending upon the attributes contained by each entry.

This object class is defined in Directory Server.

Superior Class
nsComplexRoleDefinition

OID
2.16.840.1.113730.3.2.97

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

nsRoleFilter Specifies the filter used to identify entries in the filtered role.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

description Gives a text description of the entry.

5.3.74. nsGlobalParameters
The nsGlobalParameters object class contains global preference settings.

This object class is defined in Administrative Services.

Superior Class
top

OID
nsGlobalParameters-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

nsGroupRDNComponent Defines the default attribute type used in the RDN of the group entry.

nsUniqueAttribute Defines a unique attribute in the preferences.

nsUserIDFormat Sets the format to generate the user ID from the givenname and sn attributes.

nsUserRDNComponent Sets the attribute type to use as the naming component in the user DN.

nsNYR Not used.

nsWellKnownJarfiles Not used.

5.3.75. nsHost
The nsHost object class stores information about the server host.

This object class is defined in Administrative Services.

Superior Class
top

OID
nsHost-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

l (localityName) Gives the city or geographical location of the entry.

nsHardwarePlatform Identifies the hardware platform for the host on which the Directory
Server instance is running. This is the same information as running uname -m.

nsHostLocation Gives the location of the server host.

nsOsVersion Contains the operating system version of the server host.

serverHostName Contains the host name of the server on which the Directory Server instance
is running.

5.3.76. nsICQpresence
nsICQpresence is an auxiliary object class which defines the status of an ICQ messaging
account. This object is defined for the Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.301

Allowed Attributes

Attribute Definition

nsICQid Contains the ICQ user ID for the entry.

nsICQStatusGraphic Contains a pointer to the graphic image which indicates the ICQ account's
status.

nsICQStatusText Contains the text to indicate the ICQ account's status.

5.3.77. nsLicenseUser
The nsLicenseUser object class tracks licenses for servers that are licensed on a
per-client basis. nsLicenseUser is intended to be used with the inetOrgPerson object
class. You can manage the contents of this object class through the Users and Groups
area of the Administration Server.

This object class is defined in the Administration Server schema.

Superior Class
top

OID
2.16.840.1.113730.3.2.7

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

nsLicensedFor Identifies the server that the user is licensed to use.

nsLicenseEndTime Reserved for future use.

nsLicenseStartTime Reserved for future use.

5.3.78. nsManagedRoleDefinition
The nsManagedRoleDefinition object class specifies the member assignments of a role to
an explicit, enumerated list of members.

This object class is defined in Directory Server.

Superior Class
nsComplexRoleDefinition

OID
2.16.840.1.113730.3.2.96

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

description Gives a text description of the entry.

5.3.79. nsMessagingServerUser
nsMessagingServerUser is an auxiliary object class that describes a messaging server user.
This object class is defined for Netscape Messaging Server.

Superior Class
top

OID
2.16.840.113730.3.2.37

Required Attributes

Attribute Definition

objectClass Gives the object classes for the entry.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

mailAccessDomain Contains the domain from which the user can access the messaging server.

mailAlternateAddress Contains secondary email addresses for the group.

mailAutoReplyMode Specifies whether autoreply mode for the account is enabled.

mailAutoReplyText Contains the text used for automatic reply emails.

mailDeliveryOption Specifies the mail delivery mechanism to be used for the mail user.

mailForwardingAddress Specifies the mail delivery mechanism to use for the mail user.

mailMessageStore Specifies the location of the user's mail box.

mailProgramDeliveryInfo Specifies the commands used for programmed mail delivery.

mailQuota Specifies the disk space allowed for the user's mail box.

nsmsgDisallowAccess Sets limits on the mail protocols available to the user.

nsmsgNumMsgQuota Specifies the number of messages allowed for the user's mail box.

nswmExtendedUserPrefs Stores the extended preferences for the user.

vacationEndDate Contains the end date for a vacation period.

vacationStartDate Contains the start date for a vacation period.

5.3.80. nsMSNpresence
nsMSNpresence is an auxiliary object class which defines the status of an MSN instant
messaging account. This object is defined for the Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.303

Allowed Attributes

Attribute Definition

nsMSNid Contains the MSN user ID for the entry.

5.3.81. nsNestedRoleDefinition
The nsNestedRoleDefinition object class specifies that one or more roles, of any type, are
included as members within the role.

This object class is defined in Directory Server.

Superior Class
nsComplexRoleDefinition

OID
2.16.840.1.113730.3.2.98

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

nsRoleDn Specifies the roles assigned to an entry.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

description Gives a text description of the entry.

5.3.82. nsResourceRef
The nsResourceRef object class configures a resource reference.

This object class is defined in the Administration Services.

Superior Class
top

OID
nsResourceRef-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

seeAlso Contains a URL to another entry or site with related information.

5.3.83. nsRoleDefinition
All role definition object classes inherit from the nsRoleDefinition object class.

This object class is defined by Directory Server.

Superior Class
LDAPsubentry

OID
2.16.840.1.113730.3.2.93

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

description Gives a text description of the entry.

5.3.84. nsSimpleRoleDefinition
Roles containing this object class are called simple roles because they have a deliberately
limited flexibility, which makes it easy to:

Enumerate the members of a role.

Determine whether a given entry possesses a particular role.

Enumerate all the roles possessed by a given entry.

Assign a particular role to a given entry.

Remove a particular role from a given entry.

This object class is defined by Directory Server.

Superior Class
nsRoleDefinition

OID
2.16.840.1.113730.3.2.94

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

description Gives a text description of the entry.
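The role definition classes in sections 5.3.73 (nsFilteredRoleDefinition), 5.3.78 (nsManagedRoleDefinition), 5.3.81 (nsNestedRoleDefinition) and 5.3.83 and 5.3.84 above describe three ways an entry can come to possess a role. The following Python models that resolution for a small constructed tree: a managed role is possessed by entries that list the role's DN in nsRoleDN, a filtered role by entries that match nsRoleFilter, and a nested role by entries that possess any role listed in the nested role's own nsRoleDN. This is an added example written for this section, not code from the Red Hat documentation or from Directory Server. It assumes, beyond what this page states, that the server publishes the result in a virtual attribute named nsRole, that a role applies only to entries below the role entry's parent, and that nsRoleFilter values use the equality, presence, &, | and ! filter forms; all entry names, DNs and attribute values are constructed sample data.

```python
from typing import Dict, List, Set

Entry = Dict[str, List[str]]   # attribute name (lower case) -> values
ROLE = ["top", "LDAPsubentry", "nsRoleDefinition", "nsComplexRoleDefinition"]
PERSON = ["top", "person", "inetOrgPerson"]

# Constructed sample tree (not from the Red Hat documentation). The roles sit
# under dc=example,dc=com, except cn=peopleonly, which is scoped to ou=people.
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "cn=marketing,dc=example,dc=com": {
        "objectclass": ROLE + ["nsManagedRoleDefinition"], "cn": ["marketing"]},
    "cn=sales,dc=example,dc=com": {
        "objectclass": ROLE + ["nsFilteredRoleDefinition"], "cn": ["sales"],
        "nsrolefilter": ["(&(ou=sales)(!(employeeType=contractor)))"]},
    "cn=staff,dc=example,dc=com": {
        "objectclass": ROLE + ["nsNestedRoleDefinition"], "cn": ["staff"],
        "nsroledn": ["cn=marketing,dc=example,dc=com", "cn=sales,dc=example,dc=com"]},
    "cn=peopleonly,ou=people,dc=example,dc=com": {
        "objectclass": ROLE + ["nsFilteredRoleDefinition"], "cn": ["peopleonly"],
        "nsrolefilter": ["(uid=*)"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": PERSON, "uid": ["alice"], "ou": ["Sales"],
        "nsroledn": ["cn=marketing,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": PERSON, "uid": ["bob"], "ou": ["sales"],
        "employeetype": ["contractor"]},
    "uid=dave,ou=eng,dc=example,dc=com": {
        "objectclass": PERSON, "uid": ["dave"], "ou": ["eng"]},
}

def _values(entry: Entry, attr: str) -> List[str]:
    """Values of attr, lower-cased: comparisons here are case-insensitive."""
    return [v.lower() for v in entry.get(attr.lower(), [])]

def _in_scope(entry_dn: str, role_dn: str) -> bool:
    """Assumed rule (not stated on this page): a role applies below its parent."""
    scope = role_dn.split(",", 1)[1].lower()   # naive parent DN; fine for the sample
    return entry_dn.lower() == scope or entry_dn.lower().endswith("," + scope)

def _split_components(s: str) -> List[str]:
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], honouring nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    if depth != 0 or not parts:
        raise ValueError(f"bad filter components: {s!r}")
    return parts

def match_filter(entry: Entry, flt: str) -> bool:
    """RFC 4515 subset: equality, presence (attr=*), &, |, !; other forms are rejected."""
    flt = flt.strip()
    if len(flt) < 3 or flt[0] != "(" or flt[-1] != ")":
        raise ValueError(f"bad filter: {flt!r}")
    body = flt[1:-1]
    if body[0] in "&|!":
        results = [match_filter(entry, p) for p in _split_components(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        if len(results) != 1:
            raise ValueError("'!' takes exactly one filter")
        return not results[0]
    attr, sep, value = body.partition("=")
    if not sep or not attr or attr[-1] in "<>~":   # reject >=, <=, ~=
        raise ValueError(f"unsupported filter item: {body!r}")
    values = _values(entry, attr)
    return bool(values) if value == "*" else value.lower() in values

def compute_roles(entry_dn: str, directory: Dict[str, Entry]) -> Set[str]:
    """Role DNs the entry possesses, i.e. the virtual nsRole values (assumed name)."""
    entry, roles = directory[entry_dn], set()
    # Pass 1: managed roles (entry names the role in nsRoleDN) and filtered roles.
    for dn, role in directory.items():
        oc = _values(role, "objectclass")
        if "nsroledefinition" not in oc or not _in_scope(entry_dn, dn):
            continue
        if "nsmanagedroledefinition" in oc and dn.lower() in _values(entry, "nsroledn"):
            roles.add(dn)
        elif "nsfilteredroledefinition" in oc and any(
                match_filter(entry, f) for f in role.get("nsrolefilter", [])):
            roles.add(dn)
    # Pass 2: nested roles; iterate to a fixed point so nesting of nesting resolves.
    changed = True
    while changed:
        changed = False
        for dn, role in directory.items():
            if dn in roles or "nsnestedroledefinition" not in _values(role, "objectclass"):
                continue
            if _in_scope(entry_dn, dn) and any(
                    r.lower() in _values(role, "nsroledn") for r in roles):
                roles.add(dn)
                changed = True
    return roles
```

Because a filtered role is computed from the entry's own attributes, an entry that is permitted to modify the attributes named in nsRoleFilter (ou and employeeType in the sample) can change its own role membership; access control on those attributes deserves the same review as any ACI that grants rights to the role.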

5.3.85. nsSNMP
This object class defines the configuration for the SNMP plug-in object used by the
Directory Server.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.41

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

nsSNMPEnabled Sets whether SNMP is enabled for the Directory Server instance.

Allowed Attributes

Attribute Definition

nsSNMPContact Contains the contact information provided by the SNMP agent.

nsSNMPDescription Contains a text description of the SNMP setup.

nsSNMPLocation Contains the location information or configuration for the SNMP agent.

nsSNMPMasterHost Contains the host name for the server where the SNMP master agent is
located.

nsSNMPMasterPort Contains the port to access the SNMP subagent.

nsSNMPOrganization Contains the organization name or information provided by the SNMP
service.

5.3.86. nsTask
This object class defines the configuration for tasks performed by the Directory Server.

This object class is defined for the Administrative Services.

Superior Class
top

OID
nsTask-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

nsExecRef Contains a reference to the program which will perform the task.

nsHelpRef Contains a reference to an online (HTML) help file associated with the task window.

nsLogSuppress Sets whether to suppress logging for the task.

nsTaskLabel Contains a label associated with the task in the Console.

5.3.87. nsTaskGroup
This object class defines the information for a group of tasks in the Console.

This object class is defined for the Administrative Services.

Superior Class
top

OID
nsTaskGroup-oid

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

nsTaskLabel Contains a label associated with the task in the Console.

5.3.88. nsTopologyCustomView
This object class configures the topology views used for the profile in the Console.

This object class is defined for the Administrative Services.

Superior Class
nsCustomView

OID
nsTopologyCustomView-oid

Required Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

nsViewConfiguration Contains the view configuration to use in the Console.

5.3.89. nsTopologyPlugin
This object class configures the topology plug-in used to set views in the Console.

This object class is defined for the Administrative Services.

Superior Class
nsAdminObject

OID
nsTopologyPlugin-oid

5.3.90. nsValueItem
This object class defines a value item object configuration, which is used to specify
information that is dependent on the value type of an entry. A value item relates to the
allowed attribute value syntax for an entry attribute, such as binary or case-sensitive
string.

This object class is defined in Netscape Servers - Value Item.

Superior Class
top

OID
2.16.840.1.113730.3.2.45

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

nsValueBin Contains information or operations related to the binary value type.

nsValueCES Contains information or operations related to the case-exact string (CES) value
type.

nsValueCIS Contains information or operations related to the case-insensitive (CIS) value
type.

nsValueDefault Sets the default value type to use for an attribute or configuration
parameter.

nsValueDescription Gives a text description of the value item setting.

nsValueDN Contains information or operations related to the DN value type.

nsValueFlags Sets flags for the value item object.

nsValueHelpURL Contains a reference to an online (HTML) help file associated with the value
item object.

nsValueInt Contains information or operations related to the integer value type.

nsValueSyntax Defines the syntax to use for the value item object.

nsValueTel Contains information or operations related to the telephone string value type.

nsValueType Sets which value type to apply.

5.3.91. nsView
This object class is used for a view entry in the directory tree.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.304

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

nsViewFilter Identifies the filter used by the view plug-in.

5.3.92. nsYIMpresence
nsYIMpresence is an auxiliary object class which defines the status of a Yahoo instant
messaging account. This object is defined for the Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.302

Allowed Attributes

Attribute Definition

nsYIMid Contains the Yahoo user ID for the entry.

nsYIMStatusGraphic Contains a pointer to the graphic image which indicates the Yahoo
account's status.

nsYIMStatusText Contains the text to indicate the Yahoo account's status.

5.3.93. ntGroup
The ntGroup object class holds data for a group entry stored in a Windows Active Directory
server. Several Directory Server attributes correspond directly to or are mapped to match
Windows group attributes. When you create a new group in the Directory Server that is to
be synchronized with a Windows server group, Directory Server attributes are assigned to
the Windows entry. These attributes may then be added, modified, or deleted in the entry
through either directory service.

This object class is defined in Netscape NT Synchronization.

Superior Class
top

OID
2.16.840.1.113730.3.2.9

Required Object Classes

Object Class Definition

mailGroup Allows the mail attribute to be synchronized between Windows and Directory Server
groups.

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

ntUserDomainId Contains the Windows domain login ID for the group account.

Allowed Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry; this corresponds to the Windows name
field.

description Gives a text description of the entry; corresponds to the Windows comment field.

l (localityName) Gives the city or geographical location of the entry.

member Specifies the members of the group.

ntGroupCreateNewGroup Specifies whether a Windows account should be created when an entry
is created in the Directory Server.

ntGroupDeleteGroup Specifies whether a Windows account should be deleted when an entry is
deleted in the Directory Server.

ntGroupDomainId Gives the domain ID string for the group.

ntGroupType Defines what kind of Windows domain group the entry is.

ntUniqueId Contains a generated ID number used by the server for operations and
identification.

ou (organizationalUnitName) Gives the organizational unit or division to which the entry
belongs.

seeAlso Contains a URL to another entry or site with related information.

5.3.94. ntUser
The ntUser entry holds data for a user entry stored in a Windows Active Directory server.
Several Directory Server attributes correspond directly to or are mapped to match Windows
user account fields. When you create a new person entry in the Directory Server that is to
be synchronized with a Windows server, Directory Server attributes are assigned to
Windows user account fields. These attributes may then be added, modified, or deleted in
the entry through either directory service.

This object class is defined in Netscape NT Synchronization.

Superior Class
top

OID
2.16.840.1.113730.3.2.8

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry; this corresponds to the Windows name field.

ntUserDomainId Contains the Windows domain login ID for the user account.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry; corresponds to the Windows comment field.

destinationIndicator Gives the country and city associated with the entry; this was once required to provide public telegram service.

fax (facsimileTelephoneNumber) Gives the fax number for the user.

givenName Contains the person's first name.

homePhone Gives the person's home phone number.

homePostalAddress Gives the person's home mailing address.

initials Gives the person's initials.

l (localityName) Gives the city or geographical location of the entry.

mail Contains the person's email address.

manager Contains the DN (distinguished name) of the direct supervisor of the person entry.

mobile Gives the person's mobile phone number.

ntUserAcctExpires Identifies when the user's Windows account will expire.

ntUserCodePage Gives the user's code page.

ntUserCreateNewAccount Specifies whether a Windows account should be created when this entry is created in the Directory Server.

ntUserDeleteAccount Specifies whether a Windows account should be deleted when this entry is deleted in the Directory Server.

ntUserHomeDir Gives the path to the user's home directory.

ntUserLastLogoff Gives the time of the user's last logoff from the Windows server.

ntUserLastLogon Gives the time of the user's last logon to the Windows server.

ntUserMaxStorage Shows the maximum disk space available to the user in the Windows server.

ntUserParms Contains a Unicode string reserved for use by applications.

ntUserProfile Contains the path to the user's Windows profile.

ntUserScriptPath Contains the path to the user's Windows login script.

ntUserWorkstations Contains a list of Windows workstations from which the user is allowed to log into the Windows domain.

o (organizationName) Gives the organization to which the entry belongs.

ou (organizationalUnitName) Gives the organizational unit or division to which the entry belongs.

pager Gives the person's pager number.

postalAddress Contains the mailing address for the entry.

postalCode Gives the postal code for the entry, such as the zip code in the United States.

postOfficeBox Gives the post office box number for the entry.

registeredAddress Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.

seeAlso Contains a URL to another entry or site with related information.

sn (surname) Gives the person's family name or last name.

st (stateOrProvinceName) Gives the state or province where the person is located.

street Gives the street name and address number for the person's physical location.

telephoneNumber Gives the telephone number for the entry.

teletexTerminalIdentifier Gives the identifier for the person's teletex terminal.

telexNumber Gives the telex number associated with the entry.

title Shows the person's job title.

userCertificate Stores a user's certificate in cleartext (not used).

x121Address Gives the X.121 address for the entry.

5.3.95. oncRpc
The oncRpc object class defines an abstraction of an Open Network Computing Remote
Procedure Call (ONC RPC). This object class is defined in RFC 2307.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema directory.

Superior Class
top

OID
1.3.6.1.1.1.2.5

Required Attributes

Attribute Definition

objectClass Defines the object classes for the entry.

cn (commonName) Gives the common name of the entry.

oncRpcNumber Contains part of the RPC map and stores the RPC number for UNIX RPCs.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

5.3.96. organization
The organization object class defines entries that represent organizations. An organization
is generally assumed to be a large, relatively static grouping within a larger corporation or
enterprise.

This object class is defined in RFC 2256.

Superior Class
top

OID
2.5.6.4

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

o (organizationName) Gives the organization to which the entry belongs.

Allowed Attributes

Attribute Definition

businessCategory Gives the type of business in which the entry is engaged.

description Gives a text description of the entry.

destinationIndicator Gives the country and city associated with the entry; this was once required to provide public telegram service.

fax (facsimileTelephoneNumber) Contains the fax number for the entry.

internationalISDNNumber Contains the ISDN number for the entry.

l (localityName) Gives the city or geographical location of the entry.

physicalDeliveryOfficeName Gives a location where physical deliveries can be made.

postalAddress Contains the mailing address for the entry.

postalCode Gives the postal code for the entry, such as the zip code in the United States.

postOfficeBox Gives the post office box number for the entry.

preferredDeliveryMethod Shows the preferred method of contact or message delivery for the entry.

registeredAddress Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.

searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search.

seeAlso Contains a URL to another entry or site with related information.

st (stateOrProvinceName) Gives the state or province where the person is located.

street Gives the street name and number for the person's physical location.

telephoneNumber Gives the telephone number of the person responsible for the organization.

teletexTerminalIdentifier Gives the ID for an entry's teletex terminal.

telexNumber Gives the telex number associated with the entry.

userPassword Gives the password with which the entry can bind to the directory.

x121Address Gives the X.121 address for the entry.

5.3.97. organizationalPerson
The organizationalPerson object class defines entries for people employed or affiliated
with the organization. This object class inherits the cn (commonName) and sn (surname)
attributes from the person object class.

This object class is defined in RFC 2256.

Superior Class
person

OID
2.5.6.7

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

sn (surname) Gives the person's family name or last name.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

destinationIndicator Gives the country and city associated with the entry; this was once required to provide public telegram service.

fax (facsimileTelephoneNumber) Contains the fax number for the entry.

internationalISDNNumber Contains the ISDN number for the entry.

l (localityName) Gives the city or geographical location of the entry.

ou (organizationalUnitName) Gives the organizational unit or division to which the entry belongs.

physicalDeliveryOfficeName Gives a location where physical deliveries can be made.

postalAddress Contains the mailing address for the entry.

postalCode Gives the postal code for the entry, such as the zip code in the United States.

postOfficeBox Gives the post office box number for the entry.

preferredDeliveryMethod Shows the person's preferred method of contact or message delivery.

registeredAddress Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.

seeAlso Contains a URL to another entry or site with related information.

st (stateOrProvinceName) Gives the state or province where the person is located.

street Gives the street name and number for the person's physical location.

telephoneNumber Gives the telephone number for the entry.

teletexTerminalIdentifier Gives the ID for an entry's teletex terminal.

telexNumber Gives the telex number associated with the entry.

title Shows the person's job title.

userPassword Stores the password with which the entry can bind to the directory.

x121Address Gives the X.121 address for the entry.

5.3.98. organizationalRole
The organizationalRole object class is used to define entries for roles held by people
within an organization.

This object class is defined in RFC 2256.

Superior Class
top

OID
2.5.6.8

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

destinationIndicator Gives the country and city associated with the entry; this was once required to provide public telegram service.

fax (facsimileTelephoneNumber) Contains the fax number for the entry.

internationalISDNNumber Contains the ISDN number for the entry.

l (localityName) Gives the city or geographical location of the entry.

ou (organizationalUnitName) Gives the organizational unit or division to which the entry belongs.

physicalDeliveryOfficeName Gives a location where physical deliveries can be made.

postalAddress Contains the mailing address for the entry.

postalCode Gives the postal code for the entry, such as the zip code in the United States.

postOfficeBox Gives the post office box number for the entry.

preferredDeliveryMethod Shows the role's preferred method of contact or message delivery.

registeredAddress Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.

roleOccupant Contains the DN (distinguished name) of the person in the role.

seeAlso Contains a URL to another entry or site with related information.

st (stateOrProvinceName) Gives the state or province where the entry is located.

street Gives the street name and number for the role's physical location.

telephoneNumber Gives the telephone number for the entry.

teletexTerminalIdentifier Gives the ID for an entry's teletex terminal.

telexNumber Gives the telex number associated with the entry.

x121Address Gives the X.121 address for the entry.

5.3.99. organizationalUnit
The organizationalUnit object class defines entries that represent organizational units,
generally understood to be a relatively static grouping within a larger organization.

This object class is defined in RFC 2256.

Superior Class
top

OID
2.5.6.5

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

ou (organizationalUnitName) Gives the organizational unit or division to which the entry belongs.

Allowed Attributes

Attribute Definition

businessCategory Gives the type of business in which the entry is engaged.

description Gives a text description of the entry.

destinationIndicator Gives the country and city associated with the entry; this was once required to provide public telegram service.

fax (facsimileTelephoneNumber) Contains the fax number for the entry.

internationalISDNNumber Contains the ISDN number for the entry.

l (localityName) Gives the city or geographical location of the entry.

physicalDeliveryOfficeName Gives a location where physical deliveries can be made.

postalAddress Contains the mailing address for the entry.

postalCode Gives the postal code for the entry, such as the zip code in the United States.

postOfficeBox Gives the post office box number for the entry.

preferredDeliveryMethod Gives the preferred method of being contacted.

registeredAddress Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.

searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search.

seeAlso Contains a URL to another entry or site with related information.

st (stateOrProvinceName) Gives the state or province where the person is located.

street Gives the street name and number for the role's physical location.

telephoneNumber Gives the telephone number for the entry.

teletexTerminalIdentifier Gives the ID for an entry's teletex terminal.

telexNumber Gives the telex number associated with the entry.

userPassword Stores the password with which the entry can bind to the directory.

x121Address Gives the X.121 address for the entry.

5.3.100. person
The person object class represents entries for generic people. This is the base object class
for the organizationalPerson object class.

This object class is defined in RFC 2256.

Superior Class
top

OID
2.5.6.6

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

sn (surname) Gives the person's family name or last name.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

seeAlso Contains a URL to another entry or site with related information.

telephoneNumber Gives the telephone number for the entry.

userPassword Stores the password with which the entry can bind to the directory.

5.3.101. pilotObject
The pilotObject is a subclass to allow additional attributes to be assigned to entries of all
other object classes.

This object class is defined in RFC 1274.

Superior Class
top

OID
0.9.2342.19200300.100.4.3

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

audio Stores a sound file in a binary format.

dITRedirect Contains the DN (distinguished name) of the entry to use as a redirect for the entry.

info Contains information about the entry.

jpegPhoto Stores a JPG image.

lastModifiedBy Gives the DN (distinguished name) of the last user which modified the document entry.

lastModifiedTime Gives the time the object was most recently modified.

manager Gives the DN (distinguished name) of the entry's manager.

photo Stores a photo of the document in binary format.

uniqueIdentifier Distinguishes between two entries when a distinguished name has been reused.

5.3.102. pilotOrganization
The pilotOrganization object class is a subclass used to add attributes to organization
and organizationalUnit object class entries.

This object class is defined in RFC 1274.

Superior Class
top

OID
0.9.2342.19200300.100.4.20

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

o (organizationName) Gives the organization to which the entry belongs.

ou (organizationalUnitName) Gives the organizational unit or division to which the entry belongs.

Allowed Attributes

Attribute Definition

buildingName Gives the name of the building where the entry is located.

businessCategory Gives the type of business in which the entry is engaged.

description Gives a text description of the entry.

destinationIndicator Gives the country and city associated with the entry; this was once required to provide public telegram service.

fax (facsimileTelephoneNumber) Contains the fax number for the entry.

internationalISDNNumber Contains the ISDN number for the entry.

l (localityName) Gives the city or geographical location of the entry.

physicalDeliveryOfficeName Gives a location where physical deliveries can be made.

postalAddress Contains the mailing address for the entry.

postalCode Gives the postal code for the entry, such as the zip code in the United States.

postOfficeBox Gives the post office box number for the entry.

preferredDeliveryMethod Gives the preferred method of being contacted.

registeredAddress Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.

searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search.

seeAlso Contains a URL to another entry or site with related information.

st (stateOrProvinceName) Gives the state or province where the person is located.

street Gives the street name and address number for the person's physical location.

telephoneNumber Gives the telephone number for the entry.

teletexTerminalIdentifier Gives the ID for an entry's teletex terminal.

telexNumber Gives the telex number associated with the entry.

userPassword Stores the password with which the entry can bind to the directory.

x121Address Gives the X.121 address for the entry.

5.3.103. pkiCA
The pkiCA auxiliary object class contains required or available certificates that are
configured for a certificate authority. This object class is defined in RFC 4523, which defines
object classes and attributes for LDAP to use to manage X.509 certificates and related
certificate services.

Superior Class
top

OID
2.5.6.22

Allowed Attributes

Attribute Definition

authorityRevocationList Contains a list of revoked CA certificates.

cACertificate Contains a CA certificate.

certificateRevocationList Contains a list of certificates that have been revoked.

crossCertificatePair Contains a pair of certificates that are used to cross-certify a pair of CAs in a FBCA-style bridge CA configuration.

5.3.104. pkiUser
The pkiUser auxiliary object class contains required certificates for a user or client that
connects to a certificate authority or element in the public key infrastructure. This object
class is defined in RFC 4523, which defines object classes and attributes for LDAP to use to
manage X.509 certificates and related certificate services.

Superior Class
top

OID
2.5.6.21

Allowed Attributes

Attribute Definition

userCertificate Stores a user's certificate, usually in binary form.

5.3.105. posixAccount
The posixAccount object class defines network accounts which use POSIX attributes. This
object class is defined in RFC 2307, which defines object classes and attributes to use LDAP
as a network information service.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema directory.

Superior Class
top

OID
1.3.6.1.1.1.2.0

Required Attributes

Attribute Definition

cn (commonName) Gives the common name of the entry.

gidNumber Contains a unique numeric identifier for a group entry or to identify the group for a user entry, analogous to the group number in Unix.

homeDirectory Contains the path to the user's home directory.

objectClass Gives the object classes assigned to the entry.

uid (userID) Gives the defined account's user ID.

uidNumber Contains a unique numeric identifier for a user entry, analogous to the user number in Unix.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

gecos Used to determine the GECOS field for the user; this is based on a common name, with additional information embedded.

loginShell Contains the path to a script that is launched automatically when a user logs into the domain.

userPassword Stores the password with which the entry can bind to the directory.

5.3.106. posixGroup
The posixGroup object class defines a group of network accounts which use POSIX
attributes. This object class is defined in RFC 2307, which defines object classes and
attributes to use LDAP as a network information service.

Superior Class
top

OID
1.3.6.1.1.1.2.2

Required Attributes

Attribute Definition

gidNumber Contains a unique numeric identifier for the group entry, analogous to the group number in Unix.

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

memberUid Gives the login name of the group member; this possibly may not be the same as the member's DN.

userPassword Stores the password with which the entry can bind to the directory.

5.3.107. referral
The referral object class defines an object which supports LDAPv3 smart referrals. This
object class is defined in the LDAPv3 referrals Internet Draft.

Superior Class
top

OID
2.16.840.1.113730.3.2.6

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

ref Contains information for an LDAPv3 smart referral.

5.3.108. residentialPerson
The residentialPerson object class manages a person's residential information.

This object class is defined in RFC 2256.

Superior Class
top

OID
2.5.6.10

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

l (localityName) Gives the city or geographical location of the entry.

sn (surname) Gives the person's family name or last name.

Allowed Attributes

Attribute Definition

businessCategory Gives the type of business in which the entry is engaged.

description Gives a text description of the entry.

destinationIndicator Gives the country and city associated with the entry; this was once required to provide public telegram service.

fax (facsimileTelephoneNumber) Contains the fax number for the entry.

internationalISDNNumber Contains the ISDN number for the entry.

physicalDeliveryOfficeName Gives a location where physical deliveries can be made.

postalAddress Contains the mailing address for the entry.

postalCode Gives the postal code for the entry, such as the zip code in the United States.

postOfficeBox Gives the post office box number for the entry.

preferredDeliveryMethod Shows the person's preferred method of contact or message delivery.

registeredAddress Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.

seeAlso Contains a URL to another entry or site with related information.

st (stateOrProvinceName) Gives the state or province where the person is located.

street Gives the street name and address number for the person's physical location.

telephoneNumber Gives the telephone number for the entry.

teletexTerminalIdentifier Gives the ID for an entry's teletex terminal.

telexNumber Gives the telex number associated with the entry.

userPassword Stores the password with which the entry can bind to the directory.

x121Address Gives the X.121 address for the entry.

5.3.109. RFC822LocalPart
The RFC822LocalPart object class defines entries that represent the local part of RFC 822
mail addresses. The directory treats this part of an RFC822 address as a domain.

This object class is defined by the Internet Directory Pilot.

Superior Class
domain

OID
0.9.2342.19200300.100.4.14

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

dc (domainComponent) Contains one component of a domain name.

Allowed Attributes

Attribute Definition

associatedName Gives the name of an entry within the organizational directory tree which is associated with a DNS domain.

businessCategory Gives the type of business in which the entry is engaged.

cn (commonName) Gives the common name of the entry.

description Gives a text description of the entry.

destinationIndicator Gives the country and city associated with the entry; this was once required to provide public telegram service.

fax (facsimileTelephoneNumber) Contains the fax number for the entry.

internationalISDNNumber Contains the ISDN number for the entry.

l (localityName) Gives the city or geographical location of the entry.

o (organizationName) Gives the organization to which the account belongs.

physicalDeliveryOfficeName Gives a location where physical deliveries can be made.

postalAddress Contains the mailing address for the entry.

postalCode Gives the postal code for the entry, such as the zip code in the United States.

postOfficeBox Gives the post office box number for the entry.

preferredDeliveryMethod Shows the person's preferred method of contact or message delivery.

registeredAddress Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.

searchGuide Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search.

seeAlso Contains a URL to another entry or site with related information.

sn (surname) Gives the person's family name or last name.

st (stateOrProvinceName) Gives the state or province where the person is located.

street Gives the street name and address number for the person's physical location.

telephoneNumber Gives the telephone number for the entry.

teletexTerminalIdentifier Gives the identifier for the person's teletex terminal.

telexNumber Gives the telex number associated with the entry.

userPassword Stores the password with which the entry can bind to the directory.

x121Address Gives the X.121 address for the entry.

5.3.110. room
The room object class stores information in the directory about rooms.

Superior Class
top

OID
0.9.2342.19200300.100.4.7

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

cn (commonName) Gives the common name of the entry.

Allowed Attributes

Attribute Definition

description Gives a text description of the room.

roomNumber Contains the room's number.

seeAlso Contains a URL to another entry or site with related information.

telephoneNumber Gives the telephone number for the entry.

5.3.111. shadowAccount
The shadowAccount object class allows the LDAP directory to be used as a shadow
password service. Shadow password services relocate the password files on a host to a
shadow file with tightly restricted access.

This object class is defined in RFC 2307, which defines object classes and attributes to use
LDAP as a network information service.

NOTE

This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance/schema directory.

Superior Class
top

OID
1.3.6.1.1.1.2.1

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

uid (userID) Gives the defined account's user ID.

Allowed Attributes

Attribute Definition

description Gives a text description of the entry.

shadowExpire Contains the date that the shadow account expires.

shadowFlag Identifies what area in the shadow map stores the flag values.

shadowInactive Sets how long the shadow account can be inactive.

shadowLastChange Contains the time and date of the last modification to the shadow account.

shadowMax Sets the maximum number of days that a shadow password is valid.

shadowMin Sets the minimum number of days that must pass between changing the shadow password.

shadowWarning Sets how many days in advance of password expiration to send a warning to the user.

userPassword Stores the password with which the entry can bind to the directory.
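
Added example, not code from the Directory Server documentation or project: it parses a constructed posixAccount/shadowAccount entry from LDIF, checks the required attributes this page lists for those two object classes, and classifies the password-aging state from the shadow* attributes. It goes beyond the attribute definitions above by applying shadow(5) semantics, which assumes (not stated on this page) that shadowLastChange and shadowExpire are days since 1970-01-01 and that the other shadow* values are day counts.

```python
"""Audit the password-aging state of shadowAccount entries exported as LDIF.

Assumption (RFC 2307 / shadow(5), not stated on this page): shadowLastChange
and shadowExpire are days since 1970-01-01; shadowMax, shadowMin,
shadowWarning and shadowInactive are numbers of days.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Required attributes of the two object classes, as listed on this page
# (attribute names lowercased because LDAP attribute types are case-insensitive).
REQUIRED = {
    "posixaccount": {"cn", "gidnumber", "homedirectory", "objectclass", "uid", "uidnumber"},
    "shadowaccount": {"objectclass", "uid"},
}

# Constructed sample entry, not exported from a real directory.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: Jane Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
shadowLastChange: 19700
shadowMax: 90
shadowMin: 1
shadowWarning: 7
shadowInactive: 14
shadowExpire: 20000
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {lowercased attribute: [values]}.

    Unfolds continuation lines (leading space) and skips comments. Base64
    ('::') values are left undecoded; none are needed for shadow attributes.
    """
    entry: Dict[str, List[str]] = {}
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # fold continuation onto previous line
        else:
            logical.append(raw)
    for line in logical:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def missing_required(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {objectClass: [missing required attributes]} for the classes the entry claims."""
    present = {oc.lower() for oc in entry.get("objectclass", [])}
    missing: Dict[str, List[str]] = {}
    for oc, attrs in REQUIRED.items():
        if oc in present:
            gap = sorted(attrs - set(entry))
            if gap:
                missing[oc] = gap
    return missing


@dataclass
class AgingState:
    status: str                 # ok | warn | expired | inactive | account-expired | must-change | no-aging
    days_until_expiry: Optional[int]


def _int(entry: Dict[str, List[str]], attr: str) -> Optional[int]:
    values = entry.get(attr.lower())
    return int(values[0]) if values else None


def shadow_state(entry: Dict[str, List[str]], today: Optional[int] = None) -> AgingState:
    """Classify the entry's password-aging state using shadow(5) semantics."""
    if today is None:
        today = (date.today() - date(1970, 1, 1)).days
    expire = _int(entry, "shadowExpire")
    if expire is not None and today >= expire:
        return AgingState("account-expired", None)      # the whole account is closed
    last = _int(entry, "shadowLastChange")
    maximum = _int(entry, "shadowMax")
    if last == 0:
        return AgingState("must-change", 0)             # change forced at next login
    if last is None or maximum is None:
        return AgingState("no-aging", None)             # nothing to enforce
    expiry = last + maximum
    remaining = expiry - today
    if remaining <= 0:
        inactive = _int(entry, "shadowInactive")
        if inactive is not None and today >= expiry + inactive:
            return AgingState("inactive", remaining)    # grace period used up
        return AgingState("expired", remaining)
    warning = _int(entry, "shadowWarning")
    if warning is not None and remaining <= warning:
        return AgingState("warn", remaining)
    return AgingState("ok", remaining)


if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_LDIF)
    print("missing required attributes:", missing_required(e))
    for day in (19750, 19785, 19795, 19810, 20000):
        print(day, shadow_state(e, day))
```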

5.3.112. simpleSecurityObject
The simpleSecurityObject object class allows an entry to contain the userPassword
attribute when an entry's principal object classes do not allow a password attribute.
Reserved for future use.

This object class is defined in RFC 1274.

Superior Class
top

OID
0.9.2342.19200300.100.4.19

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

userPassword Stores the password with which the entry can bind to the directory.

5.3.113. strongAuthenticationUser
The strongAuthenticationUser object class stores a user's certificate in the directory.

This object class is defined in RFC 2256.

Superior Class
top

OID
2.5.6.15

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

userCertificate Stores a user's certificate, usually in binary form.

CHAPTER 6. OPERATIONAL ATTRIBUTES AND OBJECT CLASSES
Operational attributes are attributes used to perform directory operations and are available
for every entry in the directory, regardless of whether they are defined for the object class
of the entry. Operational attributes are only returned in an ldapsearch operation if
specifically requested. To return all operational attributes of an object, specify +.

Operational attributes are created and managed by Directory Server on entries, such as the
time the entry is created or modified and the creator's name. These attributes can be set
on any entry, regardless of other attributes or object classes on the entry.

6.1. ACCOUNTUNLOCKTIME
This refers to the amount of time that must pass after an account lockout before the user
can bind to the directory again.

OID 2.16.840.1.113730.3.1.95

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

6.2. ACI
This attribute is used by the Directory Server to evaluate what rights are granted or denied
when it receives an LDAP request from a client.

OID 2.16.840.1.113730.3.1.55

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in Directory Server

6.3. ALTSERVER
The values of this attribute are URLs of other servers which may be contacted when this
server becomes unavailable. If the server does not know of any other servers which could
be used, this attribute is absent. This information can be cached in case the preferred LDAP
server later becomes unavailable.

OID 1.3.6.1.4.1.1466.101.120.6

Syntax IA5String

Multi- or Single-Valued Multi-valued

Defined in RFC 2252

6.4. CREATETIMESTAMP
This attribute contains the date and time that the entry was initially created.

OID 2.5.18.1

Syntax GeneralizedTime

Multi- or Single-Valued Single-valued

Defined in RFC 1274

6.5. CREATORSNAME
This attribute contains the name of the user which created the entry.

OID 2.5.18.3

Syntax DN

Multi- or Single-Valued Single-valued

Defined in RFC 1274

6.6. DITCONTENTRULES
This attribute defines the DIT content rules which are in force within a subschema. Each
value defines one DIT content rule. Each value is tagged by the object identifier of the
structural object class to which it pertains.

OID 2.5.21.2

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2252


6.7. DITSTRUCTURERULES
This attribute defines the DIT structure rules which are in force within a subschema. Each
value defines one DIT structure rule.

OID 2.5.21.1

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2252

6.8. ENTRYUSN
When the USN Plug-in is enabled, the server automatically assigns an update sequence
number to entries every time a write operation (add, modify, modrdn, or delete) is
performed. The USN is stored in the entryUSN operational attribute on the entry; the
entryUSN, then, shows the number for the most recent change on any entry.

NOTE

The entryUSN attribute increments only with operations performed by LDAP clients. It does
not count internal operations.

By default, the entryUSN is unique per back end database instance, so entries in other
databases may have the same USN. The nsslapd-entryusn-global parameter changes
the assignment of USNs from local to global, that is, from being counted on a single
database to being counted for all databases in the topology. The parameter is turned off by
default.

A corresponding entry, lastusn, is kept in the root DSE entry, which shows the most
recently assigned USN. In local mode, lastusn shows the most recently assigned USN per
back end database. In global mode, lastusn shows the most recently assigned USN for the
entire topology.

OID 2.16.840.1.113730.3.1.606

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.9. INTERNALCREATORSNAME
For entries which were created by a plug-in or by the server, rather than a Directory Server
user, this attribute records what internal user (by plug-in DN) created the entry.


The internalCreatorsname attributes always show a plug-in as the identity. This plug-in
could be an additional plug-in, such as the MemberOf Plug-in. If the change is made by the
core Directory Server, then the plug-in is the database plug-in, cn=ldbm
database,cn=plugins,cn=config.

OID 2.16.840.1.113730.3.1.2114

Syntax DN

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.10. INTERNALMODIFIERSNAME
If an entry is edited by a plug-in or by the server, rather than a Directory Server user, this
attribute records what internal user (by plug-in DN) modified the entry.

The internalModifiersname attributes always show a plug-in as the identity. This plug-in
could be an additional plug-in, such as the MemberOf Plug-in. If the change is made by the
core Directory Server, then the plug-in is the database plug-in, cn=ldbm
database,cn=plugins,cn=config.

OID 2.16.840.1.113730.3.1.2113

Syntax DN

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.11. HASSUBORDINATES
This attribute indicates whether the entry has subordinate entries.

OID 1.3.6.1.4.1.1466.115.121.1.7

Syntax Boolean

Multi- or Single-Valued Single-valued

Defined in numSubordinates Internet Draft

6.12. LASTLOGINTIME
The lastLoginTime attribute contains a timestamp of the last time that the given account
authenticated to the directory, in the format YYYYMMDDHHMMSSZ. For example:


lastLoginTime: 20190527001051Z

This is used to evaluate account lockout policies based on account inactivity.

OID 2.16.840.1.113719.1.1.4.1.35

Syntax GeneralizedTime

Multi- or Single-Valued Multi-valued

Defined in Directory Server
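An added example, not part of the original reference: a Python routine that parses
lastLoginTime values in the format shown above and sorts constructed sample accounts into
active and inactive sets against an inactivity limit, which is the evaluation the account
inactivity lockout policy performs. The sample DNs, the 30-day limit and the reference time
are assumptions; accounts without the attribute and values that do not parse are reported
separately rather than silently treated as inactive.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# GeneralizedTime as documented for lastLoginTime: YYYYMMDDHHMMSSZ, always UTC ("Z").
LAST_LOGIN_FORMAT = "%Y%m%d%H%M%SZ"


def parse_last_login(value: str) -> Optional[datetime]:
    """Parse one lastLoginTime value into a timezone-aware UTC datetime.
    Returns None for a value that does not match the documented format."""
    try:
        return datetime.strptime(value, LAST_LOGIN_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def latest_login(values: List[str]) -> Optional[datetime]:
    """lastLoginTime is multi-valued; the most recent parseable value counts."""
    parsed = [t for t in map(parse_last_login, values) if t is not None]
    return max(parsed) if parsed else None


def classify_inactivity(entries: Dict[str, Dict[str, List[str]]],
                        limit: timedelta, now: datetime) -> Dict[str, List[str]]:
    """Sort accounts into 'inactive' (last login older than limit), 'active',
    'no_record' (attribute absent) and 'unparseable' (present but malformed).
    'now' must be timezone-aware; comparing it with a naive value raises TypeError."""
    result: Dict[str, List[str]] = {"inactive": [], "active": [], "no_record": [], "unparseable": []}
    for dn, attrs in entries.items():
        values = attrs.get("lastLoginTime", [])
        if not values:
            result["no_record"].append(dn)
            continue
        last = latest_login(values)
        if last is None:
            result["unparseable"].append(dn)
        elif now - last > limit:
            result["inactive"].append(dn)
        else:
            result["active"].append(dn)
    return result


# Constructed sample entries (assumed DNs; only the attribute this section describes).
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"lastLoginTime": ["20190527001051Z"]},
    "uid=bob,ou=people,dc=example,dc=com": {"lastLoginTime": ["20190101090000Z", "20190620120000Z"]},
    "uid=carol,ou=people,dc=example,dc=com": {},
    "uid=dave,ou=people,dc=example,dc=com": {"lastLoginTime": ["2019-05-27 00:10:51"]},
}


def audit_sample() -> Dict[str, List[str]]:
    """Evaluate the sample against an assumed 30-day limit as of 30 Jun 2019 00:00 UTC."""
    now = datetime(2019, 6, 30, tzinfo=timezone.utc)
    return classify_inactivity(SAMPLE_ENTRIES, timedelta(days=30), now)


if __name__ == "__main__":
    for state, dns in audit_sample().items():
        print(state, dns)
```

The same routine can be fed the output of an ldapsearch that requests the operational
attribute explicitly (it is not returned unless asked for, as the chapter introduction notes).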

6.13. LASTMODIFIEDBY
The lastModifiedBy attribute contains the distinguished name (DN) of the user who last
edited the entry. For example:

lastModifiedBy: cn=Barbara Jensen,ou=Engineering,dc=example,dc=com

OID 0.9.2342.19200300.100.1.24

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

6.14. LASTMODIFIEDTIME
The lastModifiedTime attribute contains the time, in UTC format, an entry was last
modified. For example:

lastModifiedTime: Thursday, 22-Sep-93 14:15:00 GMT

OID 0.9.2342.19200300.100.1.23

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 1274

6.15. LDAPSUBENTRY
These entries hold operational data. This object class is defined in the LDAP Subentry
Internet Draft.


Superior Class
top

OID
2.16.840.1.113719.2.142.6.1.1

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

cn (commonName) Specifies the common name of the entry.

6.16. LDAPSYNTAXES
This attribute identifies the syntaxes implemented, with each value corresponding to one
syntax.

OID 1.3.6.1.4.1.1466.101.120.16

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2252

6.17. MATCHINGRULES
This attribute defines the matching rules used within a subschema. Each value defines one
matching rule.

OID 2.5.21.4

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2252


6.18. MATCHINGRULEUSE
This attribute indicates the attribute types to which a matching rule applies in a
subschema.

OID 2.5.21.8

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in RFC 2252

6.19. MODIFYTIMESTAMP
This attribute contains the date and time that the entry was most recently modified.

OID 2.5.18.2

Syntax GeneralizedTime

Multi- or Single-Valued Single-valued

Defined in RFC 1274

6.20. MODIFIERSNAME
This attribute contains the name of the user which last modified the entry.

OID 2.5.18.4

Syntax DN

Multi- or Single-Valued Single-valued

Defined in RFC 1274

6.21. NAMEFORMS
This attribute defines the name forms used in a subschema. Each value defines one name
form.

OID 2.5.21.7

Syntax DirectoryString


Multi- or Single-Valued Multi-valued

Defined in RFC 2252

6.22. NSACCOUNTLOCK
This attribute shows whether the account is active or inactive.

OID 2.16.840.1.113730.3.1.610

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

6.23. NSAIMSTATUSGRAPHIC
This attribute contains a path pointing to the graphic which illustrates the AIM user status.

OID 2.16.840.1.113730.3.1.2018

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.24. NSAIMSTATUSTEXT
This attribute contains the text which indicates the current AIM user status.

OID 2.16.840.1.113730.3.1.2017

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.25. NSBACKENDSUFFIX
This contains the suffix used by the back end.


OID 2.16.840.1.113730.3.1.803

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

6.26. NSCPENTRYDN
This attribute contains the (former) entry DN for a tombstone entry.

OID 2.16.840.1.113730.3.1.545

Syntax DN

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.27. NSDS5REPLCONFLICT
This attribute is included on entries that have a change conflict that cannot be resolved
automatically by the synchronization or replication process. The value of the
nsDS5ReplConflict contains information about which entries are in conflict, usually by
referring to them by their nsUniqueID for both current entries and tombstone entries.

OID 2.16.840.1.113730.3.1.973

Syntax DirectoryString

Multi- or Single-Valued Multi-valued

Defined in Directory Server

6.28. NSICQSTATUSGRAPHIC
This attribute contains a path pointing to the graphic which illustrates the ICQ user status.

OID 2.16.840.1.113730.3.1.2022

Syntax DirectoryString

Multi- or Single-Valued Single-valued


Defined in Directory Server

6.29. NSICQSTATUSTEXT
This attribute contains the text for the current ICQ user status.

OID 2.16.840.1.113730.3.1.2021

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.30. NSIDLETIMEOUT
This attribute identifies the user-based connection idle timeout period, in seconds.

OID 2.16.840.1.113730.3.1.573

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.31. NSIDLISTSCANLIMIT
This attribute specifies the number of entry IDs that are searched during a search
operation. Keep the default value to improve search performance. For a more detailed
explanation of the effect of ID lists on search performance, see the "Overview of the
Searching Algorithm" section of the "Managing Indexes" chapter in the Red Hat
Directory Server Administration Guide.

OID 2.16.840.1.113730.3.1.2106

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.32. NSLOOKTHROUGHLIMIT

This attribute sets the maximum number of entries for that user through which the server is
allowed to look during a search operation. This attribute is configured in the server itself
and applied to a user when he initiates a search.

OID 2.16.840.1.113730.3.1.570

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.33. NSPAGEDIDLISTSCANLIMIT
This attribute specifies the number of entry IDs that are searched, specifically, for a search
operation using the simple paged results control. This attribute works the same as the
nsIDListScanLimit attribute, except that it only applies to searches with the simple
paged results control.

If this attribute is not present or is set to zero, then the nsIDListScanLimit is used for
paged searches as well as non-paged searches.

OID 2.16.840.1.113730.3.1.2109

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.34. NSPAGEDLOOKTHROUGHLIMIT
This attribute specifies the maximum number of entries that the Directory Server will check
when examining candidate entries for a search which uses the simple paged results
control. This attribute works the same as the nsLookThroughLimit attribute, except that it
only applies to searches with the simple paged results control.

If this attribute is not present or is set to zero, then the nsLookThroughLimit is used for
paged searches as well as non-paged searches.

OID 2.16.840.1.113730.3.1.2108

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in Directory Server


6.35. NSPAGEDSIZELIMIT
This attribute sets the maximum number of entries to return from a search operation
specifically which uses the simple paged results control. This overrides the nsSizeLimit
attribute for paged searches.

If this value is set to zero, then the nsSizeLimit attribute is used for paged searches as
well as non-paged searches for the user, or the global configuration settings are used.

OID 2.16.840.1.113730.3.1.2107

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.36. NSPARENTUNIQUEID
For tombstone (deleted) entries stored in replication, the nsParentUniqueId attribute
contains the DN or entry ID for the parent of the original entry.

OID 2.16.840.1.113730.3.1.544

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.37. NSROLE
This attribute is a computed attribute that is not stored with the entry itself. It identifies to
which roles an entry belongs.

OID 2.16.840.1.113730.3.1.574

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Directory Server

6.38. NSROLEDN

This attribute contains the distinguished name of all roles that apply to an entry.
Membership of a managed role is granted upon an entry by adding the role’s DN to the
entry’s nsRoleDN attribute. For example:

dn: cn=staff,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition

dn: cn=userA,ou=users,ou=employees,dc=example,dc=com
objectclass: top
objectclass: person
sn: uA
userpassword: secret
nsroledn: cn=staff,ou=employees,dc=example,dc=com

A nested role specifies containment of one or more roles of any type. In that case,
nsRoleDN defines the DN of the contained roles. For example:

dn: cn=everybody,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
nsroledn: cn=manager,ou=employees,dc=example,dc=com
nsroledn: cn=staff,ou=employees,dc=example,dc=com

OID 2.16.840.1.113730.3.1.575

Syntax DN

Multi- or Single-Valued Multi-valued

Defined in Directory Server
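The following Python program is an added example, not code from the Directory Server
documentation or project. It reads the managed-role and nested-role LDIF shown above into
a small dictionary and computes the roles an entry effectively belongs to (what the server
reports in the computed nsRole attribute): it starts from the entry's own nsRoleDN values
and then adds, transitively, every nested role whose nsRoleDN names a role already held.
The role cn=manager (referenced above but not defined there) and a second user, cn=userB,
are assumed additions to the sample; filtered roles are not handled.

```python
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed LDIF: the managed role cn=staff, the nested role cn=everybody and the
# user cn=userA from this section, plus an assumed managed role cn=manager and an
# assumed user cn=userB that holds no role.
SAMPLE_LDIF = """\
dn: cn=staff,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition

dn: cn=manager,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition

dn: cn=everybody,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
nsroledn: cn=manager,ou=employees,dc=example,dc=com
nsroledn: cn=staff,ou=employees,dc=example,dc=com

dn: cn=userA,ou=users,ou=employees,dc=example,dc=com
objectclass: top
objectclass: person
sn: uA
nsroledn: cn=staff,ou=employees,dc=example,dc=com

dn: cn=userB,ou=users,ou=employees,dc=example,dc=com
objectclass: top
objectclass: person
sn: uB
"""


def norm_dn(dn: str) -> str:
    """DNs match case-insensitively; normalise them for use as dictionary keys."""
    return dn.strip().lower()


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: {normalised dn: {attribute (lower-case): [values]}}.
    Folded continuation lines (leading space) are joined; base64 (::) values are
    not decoded, which the sample does not need."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    last_attr = ""
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last_attr:
            current[last_attr][-1] += line[1:]
        elif not line.strip():
            if current:
                entries[norm_dn(current["dn"][0])] = current
            current, last_attr = {}, ""
        else:
            attr, _, value = line.partition(":")
            last_attr = attr.strip().lower()
            current.setdefault(last_attr, []).append(value.strip())
    return entries


def has_class(entry: Entry, objectclass: str) -> bool:
    return objectclass.lower() in {c.lower() for c in entry.get("objectclass", [])}


def effective_roles(entries: Dict[str, Entry], dn: str) -> Set[str]:
    """Roles an ordinary entry belongs to: the role definitions named in its own
    nsRoleDN, plus, transitively, every nested role whose nsRoleDN names a role
    already held. Filtered roles are out of scope for this example."""
    roles = {d for d, e in entries.items() if has_class(e, "nsRoleDefinition")}
    nested = {d: {norm_dn(v) for v in e.get("nsroledn", [])}
              for d, e in entries.items() if has_class(e, "nsNestedRoleDefinition")}
    key = norm_dn(dn)
    if key in nested:  # on a nested role definition, nsRoleDN lists contained roles, not memberships
        return set()
    held = {norm_dn(v) for v in entries[key].get("nsroledn", [])} & roles
    changed = True
    while changed:  # fixed-point iteration also covers nested roles that contain nested roles
        changed = False
        for role_dn, contained in nested.items():
            if role_dn not in held and contained & held:
                held.add(role_dn)
                changed = True
    return held


def roles_of_sample() -> Dict[str, List[str]]:
    entries = parse_ldif(SAMPLE_LDIF)
    users = ["cn=userA,ou=users,ou=employees,dc=example,dc=com",
             "cn=userB,ou=users,ou=employees,dc=example,dc=com"]
    return {u: sorted(effective_roles(entries, u)) for u in users}


if __name__ == "__main__":
    for user, roles in roles_of_sample().items():
        print(user, "->", roles)
```

userA holds cn=staff directly and therefore also cn=everybody, because the nested role
contains cn=staff; userB holds nothing. This is the kind of check an ACI review needs when
access is granted by role, since nsRole is computed and never visible in an LDIF export.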

6.39. NSROLEFILTER
This attribute sets the filter that identifies entries which belong to the role.

OID 2.16.840.1.113730.3.1.576

Syntax IA5String

Multi- or Single-Valued Single-valued

Defined in RFC 2252

6.40. NSSCHEMACSN

This attribute is one of the subschema DSE attribute types.

OID 2.5.21.82.16.840.1.113730.3.1.804

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.41. NSSIZELIMIT
This attribute shows the default size limit for a database or database link in bytes.

OID 2.16.840.1.113730.3.1.571

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.42. NSTIMELIMIT
This attribute shows the default search time limit for a database or database link.

OID 2.16.840.1.113730.3.1.572

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.43. NSTOMBSTONE (OBJECT CLASS)


Tombstone entries are entries which have been deleted from Directory Server. For
replication and restore operations, these deleted entries are saved so that they can be
resurrected and replaced if necessary. Each tombstone entry has the nsTombstone object
class, automatically.

This object class is defined in Directory Server.

Superior Class
top

OID

634
CHAPTER 6. OPERATIONAL ATTRIBUTES AND OBJECT CLASSES

2.16.840.1.113730.3.2.113

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition

nsParentUniqueId Identifies the unique ID of the parent entry of the original entry.

nscpEntryDN Identifies the original entry DN in a tombstone entry.

6.44. NSUNIQUEID
This attribute identifies or assigns a unique ID to a server entry.

OID 2.16.840.1.113730.3.1.542

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.45. NSYIMSTATUSGRAPHIC
This attribute contains a path pointing to the graphic which illustrates the Yahoo IM user
status.

OID 2.16.840.1.113730.3.1.2020

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.46. NSYIMSTATUSTEXT

This attribute contains the text for the current Yahoo IM user status.

OID 2.16.840.1.113730.3.1.2019

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.47. NUMSUBORDINATES
This attribute indicates how many immediate subordinates an entry has. For example,
numSubordinates=0 in a leaf entry.

OID 1.3.1.1.4.1.453.16.2.103

Syntax Integer

Multi- or Single-Valued Single-valued

Defined in numSubordinates Internet Draft

6.48. PASSWORDGRACEUSERTIME
This attribute counts the number of attempts the user has made with the expired password.

OID 2.16.840.1.113730.3.1.998

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.49. PASSWORDRETRYCOUNT
This attribute counts the number of consecutive failed attempts at entering the correct
password.

OID 2.16.840.1.113730.3.1.93

Syntax DirectoryString

Multi- or Single-Valued Single-valued


Defined in Directory Server

6.50. PWDPOLICYSUBENTRY
This attribute value points to the entry DN of the new password policy.

OID 2.16.840.1.113730.3.1.997

Syntax DirectoryString

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.51. PWDUPDATETIME
This attribute value stores the time of the most recent password change for the account.

OID 2.16.840.1.113730.3.1.2133

Syntax GeneralizedTime

Multi- or Single-Valued Single-valued

Defined in Directory Server

6.52. SUBSCHEMASUBENTRY
This attribute contains the DN of an entry that contains schema information. For example:

subschemaSubentry: cn=schema

OID 2.5.18.10

Syntax DN

Multi- or Single-Valued Single-valued

Defined in RFC 2252

6.53. GLUE (OBJECT CLASS)


The glue object class defines an entry in a special state: resurrected due to a replication
conflict.


This object class is defined by Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.30

Required Attributes

Attribute Definition

objectClass Gives the object classes assigned to the entry.

6.54. PASSWORDOBJECT (OBJECT CLASS)


This object class is used for entries which store password information for a user in the
directory.

This object class is defined in Directory Server.

Superior Class
top

OID
2.16.840.1.113730.3.2.12

Required Attributes

objectClass Defines the object classes for the entry.

Allowed Attributes

accountUnlockTime Refers to the amount of time that must pass after an account lockout
before the user can bind to the directory again.

passwordAllowChangeTime Specifies the length of time that must pass before users are
allowed to change their passwords.

passwordExpirationTime Specifies the length of time that passes before the user’s
password expires.

passwordExpWarned Indicates that a password expiration warning has been sent to the user.

passwordGraceUserTime Specifies the number of login attempts that are allowed to a user
after the password has expired.

passwordHistory (Password History) Contains the history of the user’s previous passwords.

passwordRetryCount Counts the number of consecutive failed attempts at entering the
correct password.

pwdpolicysubentry Points to the entry DN of the new password policy.

retryCountResetTime Specifies the length of time that passes before the
passwordRetryCount attribute is reset.

6.55. SUBSCHEMA (OBJECT CLASS)


This identifies an auxiliary object class subentry which administers the subschema for the
subschema administrative area. It holds the operational attributes representing the policy
parameters which express the subschema.

This object class is defined in RFC 2252.

Superior Class
top

OID
2.5.20.1

Required Attributes

objectClass Defines the object classes for the entry.

Allowed Attributes

attributeTypes Attribute types used within a subschema.

dITContentRules Defines the DIT content rules which are in force within a subschema.

dITStructureRules Defines the DIT structure rules which are in force within a subschema.

matchingRuleUse Indicates the attribute types to which a matching rule applies in a
subschema.

matchingRules Defines the matching rules used within a subschema.

nameForms Defines the name forms used in a subschema.

objectClasses Defines the object classes used in a subschema.


CHAPTER 7. LOG FILE REFERENCE


Red Hat Directory Server (Directory Server) provides logs to help monitor directory activity.
Monitoring helps to quickly detect and remedy failures and, where done proactively, to
anticipate and resolve potential problems before they result in failure or poor
performance. Part of monitoring the directory effectively is understanding the structure and
content of the log files.

This chapter does not provide an exhaustive list of log messages. However, the information
presented in this chapter serves as a good starting point for common problems and for
better understanding the information in the access, error, and audit logs.

Logs are kept per Directory Server instance and are located in the
/var/log/dirsrv/slapd-instance directory.

7.1. ACCESS LOG REFERENCE


The Directory Server access log contains detailed information about client connections to
the directory. A connection is a sequence of requests from the same client with the
following structure:

Connection record, which gives the connection index and the IP address of the
client.

Bind record.

Bind result record.

Sequence of operation request/operation result pairs of records (or individual records in
the case of connection, closed, and abandon records).

Unbind record.

Closed record.

Every line begins with a timestamp — [21/Apr/2019:11:39:51 -0700] — the format of which
may vary depending on the platform. -0700 indicates the time difference in relation to
GMT. Apart from the connection, closed, and abandon records, which appear individually, all
records appear in pairs, consisting of a request for service record followed by a result
record. These two records frequently appear on adjacent lines, but this is not always the
case.

The access logs have different levels of logging, set in the nsslapd-accesslog-level
attribute. This section provides an overview of the default access logging content, log
levels, and the content logged at different logging levels.

Section 7.1.1, “Access Logging Levels”

Section 7.1.2, “Default Access Logging Content”

Section 7.1.3, “Access Log Content for Additional Access Logging Levels”


NOTE

Directory Server provides a script, logconv.pl, which can analyze access logs
to extract usage statistics and count the occurrences of significant events. For
details about this script, see Section 10.4.10, “logconv.pl (Log Converter)”.

7.1.1. Access Logging Levels


Different levels of access logging generate different amounts of detail and record different
kinds of operations. The log level is set in the instance's nsslapd-accesslog-level (Access
Log Level) configuration attribute. The default level of logging is level 256, which logs
access to an entry, but there are five different log levels available:

0 = No access logging.

4 = Logging for internal access operations.

256 = Logging for access to an entry.

512 = Logging for access to an entry and referrals.

131072 = Precise timing of operation duration. This gives microsecond resolution for
the Elapsed Time item in the access log.

These levels are additive, so to enable several different kinds of logging, add the values
of those levels together. For example, to log internal access operations, entry access, and
referrals, set the value of nsslapd-accesslog-level to 516 (512+4).

7.1.2. Default Access Logging Content


This section describes the access log content in detail based on the default access logging
level extract shown below.

Example 7.1. Example Access Log

[21/Apr/2019:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2019:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2019:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2019:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(mobile=+1 123 456-7890)"
[21/Apr/2019:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
[21/Apr/2019:11:39:51 -0700] conn=11 op=2 UNBIND
[21/Apr/2019:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1
[21/Apr/2019:11:39:52 -0700] conn=12 fd=634 slot=634 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2019:11:39:52 -0700] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2019:11:39:52 -0700] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2019:11:39:52 -0700] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"
[21/Apr/2019:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0
[21/Apr/2019:11:39:52 -0700] conn=12 op=3 UNBIND
[21/Apr/2019:11:39:52 -0700] conn=12 op=3 fd=634 closed - U1
[21/Apr/2019:11:39:53 -0700] conn=13 fd=659 slot=659 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2019:11:39:53 -0700] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2019:11:39:53 -0700] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2019:11:39:53 -0700] conn=13 op=1 EXT oid="2.16.840.1.113730.3.5.3"
[21/Apr/2019:11:39:53 -0700] conn=13 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[21/Apr/2019:11:39:53 -0700] conn=13 op=2 ADD dn="cn=Sat Apr 21 11:39:51 MET DST 2019,dc=example,dc=com"
[21/Apr/2019:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000
[21/Apr/2019:11:39:53 -0700] conn=13 op=3 EXT oid="2.16.840.1.113730.3.5.5"
[21/Apr/2019:11:39:53 -0700] conn=13 op=3 RESULT err=0 tag=120 nentries=0 etime=0
[21/Apr/2019:11:39:53 -0700] conn=13 op=4 UNBIND
[21/Apr/2019:11:39:53 -0700] conn=13 op=4 fd=659 closed - U1
[21/Apr/2019:11:39:55 -0700] conn=14 fd=700 slot=700 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2019:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2019:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Apr/2019:11:39:55 -0700] conn=14 op=1 BIND dn="uid=jdoe,dc=example,dc=com" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2019:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"
[21/Apr/2019:11:39:55 -0700] conn=14 op=2 UNBIND
[21/Apr/2019:11:39:53 -0700] conn=14 op=2 fd=700 closed - U1

Connection Number
Every external LDAP request is listed with an incremental connection number, in this case
conn=11, starting at conn=0 immediately after server startup.

[21/Apr/2019:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139

Internal LDAP requests are not recorded in the access log by default. To activate the
logging of internal access operations, specify access logging level 4 on the nsslapd-
accesslog-level (Access Log Level) configuration attribute.

File Descriptor
Every connection from an external LDAP client to Directory Server requires a file descriptor
or socket descriptor from the operating system, in this case fd=608. fd=608 indicates that it
was file descriptor number 608 out of the total pool of available file descriptors which was
used.


[21/Apr/2019:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139

Slot Number
The slot number, in this case slot=608, is a legacy part of the access log which has the
same meaning as file descriptor. Ignore this part of the access log.

[21/Apr/2019:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139

Operation Number
To process a given LDAP request, Directory Server will perform the required series of
operations. For a given connection, all operation request and operation result pairs are
given incremental operation numbers beginning with op=0 to identify the distinct operations
being performed.

[21/Apr/2019:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0

In Section 7.1.2, “Default Access Logging Content”, we have op=0 for the bind operation
request and result pair, then op=1 for the LDAP search request and result pair, and so on.
The entry op=-1 in the access log generally means that the LDAP request for this
connection was not issued by an external LDAP client but, instead, initiated internally.

Method Type
The method number, in this case method=128, indicates which LDAPv3 bind method was
used by the client.

[21/Apr/2019:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3

There are three possible bind method values:

0 for authentication

128 for simple bind with user password

sasl for SASL bind using external authentication mechanism

Version Number
The version number, in this case version=3, indicates the LDAP version number (either
LDAPv2 or LDAPv3) that the LDAP client used to communicate with the LDAP server.

[21/Apr/2019:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3

Error Number
The error number, in this case err=0, provides the LDAP result code returned from the
LDAP operation performed. The LDAP error number 0 means that the operation was
successful. For a more comprehensive list of LDAP result codes, see Section 7.4, “LDAP
Result Codes”.


[21/Apr/2019:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0

Tag Number
The tag number, in this case tag=97, indicates the type of result returned, which is almost
always a reflection of the type of operation performed. The tags used are the BER tags
from the LDAP protocol.

[21/Apr/2019:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0

Table 7.1. Commonly-Used Tags

Tag Description

tag=97 Result from a client bind operation.

tag=100 The actual entry being searched for.

tag=101 Result from a search operation.

tag=103 Result from a modify operation.

tag=105 Result from an add operation.

tag=107 Result from a delete operation.

tag=109 Result from a moddn operation.

tag=111 Result from a compare operation.

tag=115 Search reference when the entry on which the search was performed holds a
referral to the required entry. Search references are expressed in terms of a
referral.

tag=120 Result from an extended operation.

tag=121 Result from an intermediate operation.

NOTE

tag=100 and tag=115 are not result tags as such, and so it is unlikely that they
will be recorded in the access log.

Number of Entries
nentries shows the number of entries, in this case nentries=0, that were found matching
the LDAP client's request.


[21/Apr/2019:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0

Elapsed Time
etime shows the elapsed time, in this case etime=3, or the amount of time (in seconds)
that it took the Directory Server to perform the LDAP operation.

[21/Apr/2019:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U

An etime value of 0 means that the operation took less than one second, that is, only
milliseconds, to perform. To have microsecond resolution for this item in the access log,
enter a value of 131328 (256+131072) in the nsslapd-accesslog-level configuration attribute.

LDAP Request Type


The LDAP request type indicates the type of LDAP request being issued by the LDAP client.
Possible values are:

SRCH for search

MOD for modify

DEL for delete

ADD for add

MODDN for moddn

EXT for extended operation

ABANDON for abandon operation

If the LDAP request resulted in sorting of entries, then the message SORT serialno will be
recorded in the log, followed by the number of candidate entries that were sorted. For
example:

[04/May/2019:15:51:46 -0700] conn=114 op=68 SORT serialno (1)

The number enclosed in parentheses specifies the number of candidate entries that were
sorted, which in this case is 1.

LDAP Response Type


The LDAP response type indicates the LDAP response being issued by the LDAP client.
There are three possible values:

RESULT

ENTRY

REFERRAL, an LDAP referral or search reference

Search Indicators
Directory Server provides additional information on searches in the notes field of log
entries. For example:

646
CHAPTER 7. LOG FILE REFERENCE

[21/Apr/2016:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U

The following search indicators exist:

Paged Search Indicator: notes=P


LDAP clients with limited resources can control the rate at which an LDAP server returns
the results of a search operation. When the search performed used the LDAP control
extension for simple paging of search results, Directory Server logs the notes=P paged
search indicator. This indicator is informational and no further actions are required.

For more details, see RFC 2696.

Unindexed Search Indicators: notes=A and notes=U


When attributes are not indexed, Directory Server must search them in the database
directly. This procedure is more resource-intensive than searching the index file.

The following unindexed search indicators can be logged:

notes=A

All candidate attributes in the filter were unindexed and a full table scan was
required. This can exceed the value set in the nsslapd-lookthroughlimit
parameter.

notes=U

This state is set in the following situations:

At least one of the search terms is unindexed.

The limit set in the nsslapd-idlistscanlimit parameter was reached during the search operation. For details, see Section 4.4.1.26, “nsslapd-idlistscanlimit”.

Unindexed searches occur in the following scenarios:

The nsslapd-idlistscanlimit parameter's value was reached within the index file used for the search.

No index file existed.

The index file was not configured in the way required by the search.

To optimize future searches, add frequently searched unindexed attributes to the index.
For details, see the corresponding section in the Directory Server Administration Guide.

NOTE

An unindexed search indicator is often accompanied by a large etime value, as unindexed searches are generally more time consuming.

Beside a single value, the notes field can have the following value combinations:
notes=P,A and notes=U,P.


VLV-Related Entries
When a search involves virtual list views (VLVs), appropriate entries are logged in the
access log file. Similar to the other entries, VLV-specific entries show the request and
response information side by side:

VLV RequestInformation ResponseInformation

RequestInformation has the following form:

beforeCount:afterCount:index:contentCount

If the client uses a position-by-value VLV request, the format of the first part, the request information, is beforeCount:afterCount:value.

ResponseInformation has the following form:

targetPosition:contentCount (resultCode)

The example below highlights the VLV-specific entries:

[07/May/2019:11:43:29 -0700] conn=877 op=8530 SRCH base="(ou=People)" scope=2 filter="(uid=*)"
[07/May/2019:11:43:29 -0700] conn=877 op=8530 SORT uid
[07/May/2019:11:43:29 -0700] conn=877 op=8530 VLV 0:5:0210 10:5397 (0)
[07/May/2019:11:43:29 -0700] conn=877 op=8530 RESULT err=0 tag=101 nentries=1 etime=0

In the above example, the first part, 0:5:0210, is the VLV request information:

The beforeCount is 0.

The afterCount is 5.

The value is 0210.

The second part, 10:5397 (0), is the VLV response information:

The targetPosition is 10.

The contentCount is 5397.

The (resultCode) is (0).

Search Scope
The entry scope=n defines the scope of the search performed, and n can have a value of 0, 1, or 2.

0 for base search

1 for one-level search

2 for subtree search

Extended Operation OID


An extended operation OID, such as EXT oid="2.16.840.1.113730.3.5.3" or EXT oid="2.16.840.1.113730.3.5.5" in Example 7.1, “Example Access Log”, provides the OID of the extended operation being performed. Table 7.2, “LDAPv3 Extended Operations Supported by Directory Server” provides a partial list of LDAPv3 extended operations and their OIDs supported in Directory Server.

Table 7.2. LDAPv3 Extended Operations Supported by Directory Server

| Extended Operation Name | Description | OID |
|---|---|---|
| Directory Server Start Replication Request | Sent by a replication initiator to indicate that a replication session is requested. | 2.16.840.1.113730.3.5.3 |
| Directory Server Replication Response | Sent by a replication responder in response to a Start Replication Request Extended Operation or an End Replication Request Extended Operation. | 2.16.840.1.113730.3.5.4 |
| Directory Server End Replication Request | Sent to indicate that a replication session is to be terminated. | 2.16.840.1.113730.3.5.5 |
| Directory Server Replication Entry Request | Carries an entry, along with its state information (csn and UniqueIdentifier), and is used to perform a replica initialization. | 2.16.840.1.113730.3.5.6 |
| Directory Server Bulk Import Start | Sent by the client to request a bulk import together with the suffix being imported to, and sent by the server to indicate that the bulk import may begin. | 2.16.840.1.113730.3.5.7 |
| Directory Server Bulk Import Finished | Sent by the client to signal the end of a bulk import, and sent by the server to acknowledge it. | 2.16.840.1.113730.3.5.8 |

Change Sequence Number


The change sequence number, in this case csn=3b4c8cfb000000030000, is the replication
change sequence number, indicating that replication is enabled on this particular naming
context.

Abandon Message
The abandon message indicates that an operation has been aborted.


[21/Apr/2019:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0

nentries=0 indicates the number of entries sent before the operation was aborted, the etime=0 value indicates how much time (in seconds) had elapsed, and targetop=1 corresponds to an operation value from a previously initiated operation (that appears earlier in the access log).

There are two possible log ABANDON messages, depending on whether the message ID
succeeds in locating which operation was to be aborted. If the message ID succeeds in
locating the operation (the targetop) then the log will read as above. However, if the
message ID does not succeed in locating the operation or if the operation had already
finished prior to the ABANDON request being sent, then the log will read as follows:

[21/Apr/2019:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2

targetop=NOTFOUND indicates the operation to be aborted was either an unknown operation or already complete.

Message ID
The message ID, in this case msgid=2, is the LDAP operation identifier, as generated by the
LDAP SDK client. The message ID may have a different value than the operation number
but identifies the same operation. The message ID is used with an ABANDON operation and
tells the user which client operation is being abandoned.

[21/Apr/2019:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2

NOTE

The Directory Server operation number starts counting at 0, and, in the majority of LDAP SDK/client implementations, the message ID number starts counting at 1, which explains why the message ID is frequently equal to the Directory Server operation number plus 1.

SASL Multi-Stage Bind Logging


In Directory Server, logging for multi-stage binds is explicit. Each stage in the bind process
is logged. The error codes for these SASL connections are really return codes. In
Example 7.1, “Example Access Log”, the SASL bind is currently in progress so it has a
return code of err=14, meaning the connection is still open, and there is a corresponding
progress statement, SASL bind in progress.

[21/Apr/2019:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2019:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress

In logging a SASL bind, the sasl method is followed by the LDAP version number and the SASL mechanism used, as shown below with the GSS-API mechanism.


[21/Apr/2019:12:57:14 -0700] conn=32 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI

NOTE

The authenticated DN (the DN used for access control decisions) is now logged
in the BIND result line as opposed to the bind request line, as was previously
the case:

[21/Apr/2019:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"

For SASL binds, the DN value displayed in the bind request line is not used by
the server and, as a consequence, is not relevant. However, given that the
authenticated DN is the DN which, for SASL binds, must be used for audit
purposes, it is essential that this be clearly logged. Having this authenticated
DN logged in the bind result line avoids any confusion as to which DN is which.
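As an added example (not code from the manual or from Directory Server), the following Python script applies the access log fields described above: it pairs each RESULT with the request that carries the same conn and op, reports unindexed searches from the notes field together with their filter and etime, reads the VLV request and response parts, counts ABANDON lines whose targetop is NOTFOUND, and treats err=14 on a SASL bind as a stage in progress rather than a failure. The sample log lines are constructed to follow the shapes shown in this section; the slow_etime threshold and all function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample input (not taken from a real server): the line shapes follow
# the access log entries described in this section, including a search with
# notes=U, a paged full-scan search with notes=P,A, one ABANDON whose target was
# found and one with targetop=NOTFOUND, a two-stage SASL bind, and a VLV search.
SAMPLE_LOG = """\
[21/Apr/2019:11:39:51 -0700] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[21/Apr/2019:11:39:51 -0700] conn=11 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(description=*)" attrs=ALL
[21/Apr/2019:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
[21/Apr/2019:11:39:52 -0700] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(cn=*smith*)" attrs=ALL
[21/Apr/2019:11:39:52 -0700] conn=12 op=1 RESULT err=0 tag=101 nentries=0 etime=12 notes=P,A
[21/Apr/2019:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2
[21/Apr/2019:11:39:52 -0700] conn=12 op=3 ABANDON targetop=1 msgid=3 nentries=0 etime=0
[21/Apr/2019:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2019:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Apr/2019:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"
[07/May/2019:11:43:29 -0700] conn=877 op=8530 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=*)"
[07/May/2019:11:43:29 -0700] conn=877 op=8530 SORT uid
[07/May/2019:11:43:29 -0700] conn=877 op=8530 VLV 0:5:0210 10:5397 (0)
[07/May/2019:11:43:29 -0700] conn=877 op=8530 RESULT err=0 tag=101 nentries=1 etime=0
"""

# Every operation line starts with [timestamp] conn=N op=N TYPE; conn may be "Internal".
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\S+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
# key=value pairs; quoted values may contain spaces, commas and \22-style escapes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UNINDEXED_NOTES = {'A', 'U'}  # A: full table scan; U: at least one unindexed term


def parse_line(line):
    """Return the fields of one operation line as a dict, or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:  # e.g. "conn=11 fd=64 slot=64 connection from ..." has no op=
        return None
    rec = m.groupdict()
    rest = rec.pop('rest')
    if rec['kind'] == 'VLV':
        # VLV beforeCount:afterCount:index:contentCount targetPosition:contentCount (resultCode)
        req, resp, code = rest.split()
        rec['vlv_request'] = req.split(':')
        rec['vlv_response'] = resp.split(':')
        rec['vlv_result'] = int(code.strip('()'))
        return rec
    for key, val in KV_RE.findall(rest):
        # quoted values keep their inner text; "etime=0," (followed by
        # ", SASL bind in progress") loses its trailing comma
        rec[key] = val.strip('"').rstrip(',')
    return rec


def triage(log_text, slow_etime=1.0):
    """Correlate each RESULT with its request by (conn, op) and collect findings.

    Returns a dict with operation counts ('ops'), unindexed searches
    ('unindexed'), operations at or above slow_etime seconds ('slow'), the
    number of ABANDON requests whose target was not located ('abandon_notfound')
    and the number of SASL bind stages still in progress ('sasl_in_progress').
    """
    requests = {}
    ops = Counter()
    findings = {'unindexed': [], 'slow': [], 'abandon_notfound': 0, 'sasl_in_progress': 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['conn'], rec['op'])
        ops[rec['kind']] += 1
        if rec['kind'] in ('SRCH', 'BIND', 'MOD', 'ADD', 'DEL', 'MODDN', 'EXT'):
            requests[key] = rec
        elif rec['kind'] == 'RESULT':
            req = requests.get(key, {})
            etime = float(rec.get('etime', 0))
            notes = set(rec.get('notes', '').split(',')) - {''}
            if notes & UNINDEXED_NOTES:
                findings['unindexed'].append({
                    'conn': rec['conn'], 'op': rec['op'],
                    'base': req.get('base'), 'filter': req.get('filter'),
                    'etime': etime, 'notes': sorted(notes),
                    'full_scan': 'A' in notes})  # A: every filter term was unindexed
            if etime >= slow_etime:
                findings['slow'].append((rec['conn'], rec['op'], req.get('kind'), etime))
            if rec.get('err') == '14':  # multi-stage SASL bind still in progress, not a failure
                findings['sasl_in_progress'] += 1
        elif rec['kind'] == 'ABANDON' and rec.get('targetop') == 'NOTFOUND':
            findings['abandon_notfound'] += 1
    findings['ops'] = ops
    return findings


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for hit in result['unindexed']:
        print(f"unindexed search conn={hit['conn']} op={hit['op']} filter={hit['filter']} "
              f"notes={','.join(hit['notes'])} etime={hit['etime']}")
    print(dict(result['ops']))
```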

7.1.3. Access Log Content for Additional Access Logging Levels


This section presents the additional access logging levels available in the Directory Server
access log.

In Example 7.2, “Access Log Extract with Internal Access Operations Level (Level 4)”,
access logging level 4, which logs internal operations, is enabled.

Example 7.2. Access Log Extract with Internal Access Operations Level (Level 4)

[12/Jul/2019:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-referral" options=persistent
[12/Jul/2019:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
[12/Jul/2019:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-state"
[12/Jul/2019:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0

Access log level 4 enables logging for internal operations, which log search base, scope,
filter, and requested search attributes, in addition to the details of the search being
performed.

In the following example, access logging level 768 is enabled (512 + 256), which logs
access to entries and referrals. In this extract, six entries and one referral are returned in
response to the search request, which is shown on the first line.

[12/Jul/2019:16:43:02 +0200] conn=306 fd=60 slot=60 connection from 127.0.0.1 to 127.0.0.1
[12/Jul/2019:16:43:02 +0200] conn=306 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(description=*)" attrs=ALL
[12/Jul/2019:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Special
[12/Jul/2019:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=Accounting Managers,ou=groups,dc=example,dc=com"
[12/Jul/2019:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=HR Managers,ou=groups,dc=example,dc=com"
[12/Jul/2019:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=QA Managers,ou=groups,dc=example,dc=com"
[12/Jul/2019:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=PD Managers,ou=groups,dc=example,dc=com"
[12/Jul/2019:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Red Hat Servers,dc=example,dc=com"
[12/Jul/2019:16:43:02 +0200] conn=306 op=0 REFERRAL

Connection Description
The connection description, in this case conn=Internal, indicates that the connection is an
internal connection. The operation number op=-1 also indicates that the operation was
initiated internally.

[12/Jul/2019:16:45:46 +0200] conn=Internal op=-1 ENTRY dn="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config"

Options Description
The options description (options=persistent) indicates that a persistent search is being
performed, as distinguished from a regular search operation. Persistent searches can be
used as a form of monitoring and configured to return changes to given configurations as
changes occur.

Both log levels 512 and 4 are enabled for this example, so both internal access operations and entry access and referrals are logged.

[12/Jul/2019:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-referral" options=persistent

7.1.4. Common Connection Codes


A connection code is a code that is added to the closed log message to provide additional
information related to the connection closure.

Table 7.3. Common Connection Codes

| Connection Code | Description |
|---|---|
| A1 | Client aborts the connection. |
| B1 | Corrupt BER tag encountered. If BER tags, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log. BER tags can be corrupted due to physical layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results. |
| B2 | BER tag is longer than the nsslapd-maxbersize attribute value. For further information about this configuration attribute, see Section 3.1.1.114, “nsslapd-maxbersize (Maximum Message Size)”. |
| B3 | Corrupt BER tag encountered. |
| B4 | Server failed to flush data response back to client. |
| P2 | Closed or corrupt connection has been detected. |
| T1 | Client does not receive a result within the specified idletimeout period. For further information about this configuration attribute, see Section 3.1.1.93, “nsslapd-idletimeout (Default Idle Timeout)”. |
| T2 | Server closed connection after ioblocktimeout period was exceeded. For further information about this configuration attribute, see Section 3.1.1.96, “nsslapd-ioblocktimeout (IO Block Time Out)”. |
| U1 | Connection closed by server after client sends an unbind request. The server will always close the connection when it sees an unbind request. |

7.1.5. Getting Access Log Statistics


The logconv.pl script parses the access log and returns summary information on different
users and operations that have been run on the server.

At its simplest, the script simply parses the access log (or logs):

logconv.pl /relative/path/to/accessLog


The script can accept wildcards to parse multiple access logs, which is useful if log rotation
is used.

logconv.pl /var/log/dirsrv/slapd-instance/access*

The different options for logconv.pl are covered in the manpage and in Section 10.4.10, “logconv.pl (Log Converter)”.

There are several different ways that logconv.pl can be used to pull general usage
information from the access logs.

At its simplest, logconv.pl prints a list of total operations, total number of connections,
counts per each operation type, counts for some extended operations like persistent
searches, and bind information.

# logconv.pl access

Access Log Analyzer 6.0

Command : logconv.pl access

Processing 1 Access Log(s)...

Filename Total Lines Lines processed
---------------------------------------------------------------
access 7 7

----------- Access Log Output ------------

Restarts: 0

Total Connections: 0
Peak Concurrent Connections: 1
Total Operations: 2
Total Results: 2
Overall Performance: 100.0%

Searches: 1
Modifications: 0
Adds: 0
Compares 0
Deletes: 0
Mod RDNs: 0
Mod DNs: 0

Persistent Searches: 0
Internal Operations: 0
Entry Operations: 0
Extended Operations: 0
Abandoned Requests: 0
Smart Referrals Received: 0

VLV Operations: 0
VLV Unindexed Searches: 0
SORT Operations: 0

SSL Connections: 0

Entire Search Base Queries: 1
Unindexed Searches: 0

FDs Taken: 1
FDs Returned: 1
Highest FD Taken: 64

Broken Pipes: 0
Connections Reset By Peer: 0
Resource Unavailable: 0

Binds: 1
Unbinds: 1

LDAP v2 Binds: 0
LDAP v3 Binds: 1
SSL Client Binds: 0
Failed SSL Client Binds: 0
SASL Binds: 0

Directory Manager Binds: 1
Anonymous Binds: 0
Proxy Auth Binds: 0
Other Binds: 0

In addition to the summary information for operations and connections, logconv.pl can print more detailed summary information for all of the connections to the server. This information includes the most common IP addresses used to connect to the server, the DNs with the most failed login attempts, the total bind DNs used to access the server, and the most common error or return codes.

Additional connection summaries are passed as a single option. For example, listing the
number of DNs used to connect to the server (b) and the total connection codes returned
by the server (c) are passed as -bc.

# logconv.pl -bc access

... 8< ...

----- Total Connection Codes -----

U1 3 Cleanly Closed Connections
B1 1 Bad Ber Tag Encountered

----- Top 20 Bind DN's -----

Number of Unique Bind DN's: 212

1801 cn=Directory Manager
1297 Anonymous Binds
311 uid=jsmith,ou=people...
87 uid=bjensen,ou=peopl...
85 uid=mreynolds,ou=peo...
69 uid=jrockford,ou=peo...
55 uid=sspencer,ou=peop...
... 8< ...

The data can be limited to entries after a certain start time (-S), before a certain end time (-E), or within a range. When start and end times are set, logconv.pl first prints the time range given, then the summary for that period.

# logconv.pl -S "[01/Jul/2012:16:11:47.000000000 -0400]" -E "[01/Jul/2012:17:23:08.999999999 -0400]" access

Access Log Analyzer 6.0

Command : logconv.pl -S [01/Jul/2012:16:11:47.000000000 -0400] -E [01/Jul/2012:17:23:08.999999999 -0400] access

Processing 1 Access Log(s)...

Filename Total Lines Lines processed
---------------------------------------------------------------
access 25 20

----------- Access Log Output ------------

Start of Log: 01/Jul/2012:16:11:47

End of Log: 01/Jul/2012:17:23:08

... 8< ...

The start and end period only sets time limits for the data used to generate the total summary counts. It still shows aggregated, or total, counts. To get a view of the patterns in connections and operations to the Directory Server, it is possible to output data with counts per minute (-M) or per second (-m). In this case, the data are printed, in time unit increments, to a specified CSV output file.

# logconv.pl -m|-M outputFile accessLogFile

For example:

# logconv.pl -M /home/output/statsPerMin.txt
/var/log/dirsrv/slapd-instance/access*

The -M|-m options can also be used with the -S and -E arguments, to get per-minute or per-second counts within a specific time period.

Each row in the file represents one unit of time, either minute or second, with total counts
for that time period. The CSV file (for both per-minute and per-second statistics) contains
the following columns, in order:

Time,time_t,Results,Search,Add,Mod,Modrdn,Delete,Abandon,Connections,SSL Conns,Bind,Anon Bind,Unbind,Unindexed

The CSV file can be manipulated in any spreadsheet program, like OpenOffice Calc, and in many other business applications. The procedures for importing the CSV data and generating charts or other metrics depend on the application itself.

For example, to create a chart in OpenOffice Calc:

1. Open the CSV file.

2. Click the Insert menu, and select Chart.

3. In the Chart Type area, set the chart type to XY (Scatter).

   a. Set the subtype to lines only.

   b. Select the option to sort by X values.

4. Accept the defaults in the other screens (particularly, to use the data series in columns and to set the first row and first column as labels), and create the chart.

7.2. ERROR LOG REFERENCE


The Directory Server error log records messages for Directory Server transactions and operations. These may be error messages for failed operations, but the log also contains general information about the processes of Directory Server and LDAP tasks, such as server startup messages, logins and searches of the directory, and connection information.

7.2.1. Error Log Logging Levels


The error log can record different amounts of detail for operations, as well as different kinds of information depending on the type of error logging enabled.

The logging level is set in the nsslapd-errorlog-level (Error Log Level) configuration attribute. The default log level is 16384, which includes critical error messages and standard logged messages, like LDAP result codes and startup messages. As with access logging, error logging levels are additive. To enable both replication logging (8192) and plug-in logging (65536), set the log level to 73728 (8192 + 65536).


NOTE

Enabling high levels of debug logging can significantly erode server performance. Debug log levels, such as replication (8192), should only be enabled for troubleshooting, not for daily operations.

Table 7.4. Error Log Levels

| Setting | Console Name | Description |
|---|---|---|
| 1 | Trace function calls | Logs a message when the server enters and exits a function. |
| 2 | Packet handling | Logs debug information for packets processed by the server. |
| 4 | Heavy trace output | Logs when the server enters and exits a function, with additional debugging messages. |
| 8 | Connection management | Logs the current connection status, including the connection methods used for a SASL bind. |
| 16 | Packets sent/received | Prints out the numbers of packets sent and received by the server. |
| 32 | Search filter processing | Logs all of the functions called by a search operation. |
| 64 | Config file processing | Prints any .conf configuration files used with the server, line by line, when the server is started. By default, only slapd-collations.conf is available and processed. |
| 128 | Access control list processing | |
| 2048 | Log entry parsing | Logs schema parsing debugging information. |
| 4096 | Housekeeping | Housekeeping thread debugging. |
| 8192 | Replication | Logs detailed information about every replication-related operation, including updates and errors, which is important for debugging replication problems. |
| 16384 | Default | Default level of logging used for critical errors and other messages that are always written to the error log, such as server startup messages. Messages at this level are always included in the error log, regardless of the log level setting. |
| 32768 | Entry cache | Database entry cache debugging. |
| 65536 | Plug-ins | Writes an entry to the log file when a server plug-in calls slapi-log-error, so this is used for server plug-in debugging. |
| 262144 | Access control summary | Summarizes information about access to the server, much less verbose than level 128. This value is recommended for use when a summary of access control processing is needed. Use 128 for very detailed processing messages. |

7.2.2. Error Log Content


The format of the error log differs from that of the access log:

Log entries written by the server

Entries that the server writes to the file use the following format:

time_stamp - severity_level - function_name - message

For example:

[24/Mar/2017:11:31:38.781466443 +0100] - ERR - no_diskspace - No enough space left on device (/var/lib/dirsrv/slapd-instance_name/db) (40009728 bytes); at least 145819238 bytes space is needed for db region files


Log entries written by plug-ins

Entries that plug-ins write to the file use the following format:

time_stamp - severity_level - plug-in_name - function_name - message

For example:

[24/Mar/2017:11:42:17.628363848 +0100] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=19 op=3 repl="o=example.com": Excessive clock skew from supplier RUV

Error log entries contain the following columns:

Time stamp: The format can differ depending on your local settings. If high-
resolution time stamps are enabled in the nsslapd-logging-hr-timestamps-
enabled attribute in the cn=config entry (default), the time stamp is exact to the
nanosecond.

Severity level: The following severity levels are used:

EMERG: This level is logged when the server fails to start.

ALERT: The server is in a critical state and possible action must be taken.

CRIT: Severe error.

ERR: General error.

WARNING: A warning message that is not necessarily an error.

NOTICE: A normal, but significant condition occurred. For example, this is logged for expected behavior.

INFO: Informational messages, such as startup, shutdown, import, export, backup, restore.

DEBUG: Debug-level messages. This level is also used by default when using a
verbose logging level, such as Trace function calls (1), Access control
list processing (128), and Replication (8192). For a list of error log levels,
see Table 7.4, “Error Log Levels”.

You can use the severity levels to filter your log entries. For example, to display only
log entries using the ERR severity:

# grep ERR /var/log/dirsrv/slapd-instance_name/errors
[24/Mar/2017:11:31:38.781466443 +0100] - ERR - no_diskspace - No enough space left on device (/var/lib/dirsrv/slapd-instance_name/db) (40009728 bytes); at least 145819238 bytes space is needed for db region files
[24/Mar/2017:11:31:38.815623298 +0100] - ERR - ldbm_back_start - Failed to init database, err=28 No space left on device
[24/Mar/2017:11:31:38.828591835 +0100] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
...

Plug-in name: If a plug-in logged the entry, this column displays the name of the
plug-in. If the server logged the entry, this column does not appear.

Function name: Functions that the operation or the plug-in called.

Message: The output that the operation or plug-in returned. This message contains
additional information, such as LDAP error codes and connection information.
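As an added example (not the manual's or the project's code), the following Python decodes an additive nsslapd-errorlog-level value against Table 7.4 and parses error log lines in both formats described above, server entries without a plug-in column and plug-in entries with one, then filters them by severity the way the grep ERR command does but with the severity order applied. The sample lines are constructed from the formats shown in this section; the names-before-message heuristic for separating plug-in and function fields is this example's own, since the format itself does not mark where the plug-in column ends.

```python
import re

# Severity levels from the error log reference, most to least severe.
SEVERITIES = ['EMERG', 'ALERT', 'CRIT', 'ERR', 'WARNING', 'NOTICE', 'INFO', 'DEBUG']

# Table 7.4 (Error Log Levels): bit value -> console name. Levels are additive,
# so a configured value is the sum of the levels it enables.
ERROR_LOG_LEVELS = {
    1: 'Trace function calls', 2: 'Packet handling', 4: 'Heavy trace output',
    8: 'Connection management', 16: 'Packets sent/received',
    32: 'Search filter processing', 64: 'Config file processing',
    128: 'Access control list processing', 2048: 'Log entry parsing',
    4096: 'Housekeeping', 8192: 'Replication', 16384: 'Default',
    32768: 'Entry cache', 65536: 'Plug-ins', 262144: 'Access control summary',
}


def decode_error_log_level(value):
    """Split an nsslapd-errorlog-level value into its named components.

    Returns (names, leftover); leftover holds bits that match no level in
    Table 7.4, which usually means the value was mistyped.
    """
    names = [name for bit, name in ERROR_LOG_LEVELS.items() if value & bit]
    leftover = value & ~sum(ERROR_LOG_LEVELS)
    return names, leftover


# Constructed sample (not a real server's log): the first two lines are server
# entries with no plug-in column, the last two are plug-in entries.
SAMPLE_ERRORS = """\
[24/Mar/2017:11:31:38.781466443 +0100] - ERR - no_diskspace - No enough space left on device (/var/lib/dirsrv/slapd-instance_name/db) (40009728 bytes); at least 145819238 bytes space is needed for db region files
[24/Mar/2017:11:31:38.815623298 +0100] - ERR - ldbm_back_start - Failed to init database, err=28 No space left on device
[24/Mar/2017:11:42:17.628363848 +0100] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=19 op=3 repl="o=example.com": Excessive clock skew from supplier RUV
[29/May/2017:14:15:30.578828393 +0200] - DEBUG - NSMMReplicationPlugin - ruv_add_csn_inprogress - Successfully inserted csn 592c10e2000000020000 into pending list
"""

ENTRY_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] - (?P<severity>[A-Z]+) - (?P<rest>.*)$')
NAME_FIELD_RE = re.compile(r'^[A-Za-z0-9_ ]+$')  # a plug-in or function name: words only


def parse_error_entry(line):
    """Parse one error log line into ts, severity, plugin (or None), function, message."""
    m = ENTRY_RE.match(line)
    if m is None or m['severity'] not in SEVERITIES:
        return None
    fields = m['rest'].split(' - ')
    # Heuristic (this example's own): plug-in, function and message are all
    # separated by " - " and the plug-in column is optional, so leading fields
    # made only of word characters are taken as names, the last name is the
    # function and everything after it is the message. A message that itself
    # contains " - " right after a words-only fragment would be misread; the
    # log format gives no marker to tell the cases apart.
    names = []
    while len(fields) > 1 and NAME_FIELD_RE.match(fields[0]):
        names.append(fields.pop(0))
    if not names:  # nothing name-like: the first field is the function
        names.append(fields.pop(0))
    return {
        'ts': m['ts'],
        'severity': m['severity'],
        'plugin': ' - '.join(names[:-1]) or None,
        'function': names[-1],
        'message': ' - '.join(fields),
    }


def entries_at_least(log_text, min_severity):
    """Return parsed entries at min_severity or more severe (e.g. 'ERR' also yields CRIT, ALERT, EMERG)."""
    cutoff = SEVERITIES.index(min_severity)
    out = []
    for line in log_text.splitlines():
        rec = parse_error_entry(line)
        if rec is not None and SEVERITIES.index(rec['severity']) <= cutoff:
            out.append(rec)
    return out


if __name__ == '__main__':
    print(decode_error_log_level(73728))  # the replication + plug-in combination from the text
    for rec in entries_at_least(SAMPLE_ERRORS, 'ERR'):
        print(rec['severity'], rec['plugin'], rec['function'], '|', rec['message'][:40])
```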

7.2.3. Error Log Content for Other Log Levels


The different log levels return not only different levels of detail, but also information about
different types of server operations. Some of these are summarized here, but there are
many more combinations of logging levels possible.

Replication logging is one of the most important diagnostic levels to implement. This
logging level records all operations related to replication and Windows synchronization,
including processing modifications on a supplier and writing them to the changelog, sending
updates, and changing replication agreements.

Whenever a replication update is prepared or sent, the error log identifies the replication or
synchronization agreement being specified, the consumer host and port, and the current
replication task.

[timestamp] NSMMReplicationPlugin - agmt="name" (consumer_host:consumer_port): current_task

For example:

[09/Jan/2019:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replicageneration} 4949df6e000000010000

{replicageneration} means that the new information is being sent, and 4949df6e000000010000 is the change sequence number of the entry being replicated.

Example 7.3, “Replication Error Log Entry” shows the complete process of sending a single
entry to a consumer, from adding the entry to the changelog to releasing the consumer
after replication is complete.

Example 7.3. Replication Error Log Entry

[29/May/2017:14:15:30.539817639 +0200] - DEBUG - _csngen_adjust_local_time - gen state before 592c103d0000:1496059964:0:1
[29/May/2017:14:15:30.562983285 +0200] - DEBUG - _csngen_adjust_local_time - gen state after 592c10e20000:1496060129:0:1
[29/May/2017:14:15:30.578828393 +0200] - DEBUG - NSMMReplicationPlugin - ruv_add_csn_inprogress - Successfully inserted csn 592c10e2000000020000 into pending list
[29/May/2017:14:15:30.589917123 +0200] - DEBUG - NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName - found DB object 0x558ddfe1f720 for database /var/lib/dirsrv/slapd-master_2/changelogdb/d3de3e8d-446611e7-a89886da-6a37442d_592c0e0b000000010000.db
[29/May/2017:14:15:30.600044236 +0200] - DEBUG - NSMMReplicationPlugin - changelog program - cl5WriteOperationTxn - Successfully written entry with csn (592c10e2000000020000)
[29/May/2017:14:15:30.615923352 +0200] - DEBUG - NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName - found DB object 0x558ddfe1f720 for database /var/lib/dirsrv/slapd-master_2/changelogdb/d3de3e8d-446611e7-a89886da-6a37442d_592c0e0b000000010000.db
[29/May/2017:14:15:30.627443305 +0200] - DEBUG - NSMMReplicationPlugin - csnplCommitALL: committing all csns for csn 592c10e2000000020000
[29/May/2017:14:15:30.632713657 +0200] - DEBUG - NSMMReplicationPlugin - csnplCommitALL: processing data csn 592c10e2000000020000
[29/May/2017:14:15:30.652621188 +0200] - DEBUG - NSMMReplicationPlugin - ruv_update_ruv - Successfully committed csn 592c10e2000000020000
[29/May/2017:14:15:30.669666453 +0200] - DEBUG - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTo_localhost:39001" (localhost:39001): State: wait_for_changes -> wait_for_changes
[29/May/2017:14:15:30.685259483 +0200] - DEBUG - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTo_localhost:39001" (localhost:39001): State: wait_for_changes -> ready_to_acquire_replica
[29/May/2017:14:15:30.689906327 +0200] - DEBUG - NSMMReplicationPlugin - conn_connect - agmt="cn=meTo_localhost:39001" (localhost:39001) - Trying non-secure slapi_ldap_init_ext
[29/May/2017:14:15:30.700259799 +0200] - DEBUG - NSMMReplicationPlugin - conn_connect - agmt="cn=meTo_localhost:39001" (localhost:39001) - binddn = cn=replrepl,cn=config, passwd = {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmlZVFUzTnpRMk55MDBaR1ZtTXpobQ0KTWkxaE9XTTRPREpoTlMwME1EaGpabVUxWmdBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRGhwMnNLcEZ2ZWE2RzEwWG10OU41Tg==}+36owaI7oTmvWhxRzUqX5w==
[29/May/2017:14:15:30.712287531 +0200] - DEBUG - NSMMReplicationPlugin - conn_cancel_linger - agmt="cn=meTo_localhost:39001" (localhost:39001) - No linger to cancel on the connection
[29/May/2017:14:15:30.736779494 +0200] - DEBUG - _csngen_adjust_local_time - gen state before 592c10e20001:1496060129:0:1
[29/May/2017:14:15:30.741909244 +0200] - DEBUG - _csngen_adjust_local_time - gen state after 592c10e30000:1496060130:0:1
[29/May/2017:14:15:30.880287041 +0200] - DEBUG - NSMMReplicationPlugin - acquire_replica - agmt="cn=meTo_localhost:39001" (localhost:39001): Replica was successfully acquired.
[29/May/2017:14:15:30.897500049 +0200] - DEBUG - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTo_localhost:39001" (localhost:39001): State: ready_to_acquire_replica -> sending_updates
[29/May/2017:14:15:30.914417773 +0200] - DEBUG - csngen_adjust_time - gen state before 592c10e30001:1496060130:0:1
[29/May/2017:14:15:30.926341721 +0200] - DEBUG - NSMMReplicationPlugin - changelog program - _cl5GetDBFile - found DB object 0x558ddfe1f720 for database /var/lib/dirsrv/slapd-master_2/changelogdb/d3de3e8d-446611e7-a89886da-6a37442d_592c0e0b000000010000.db
[29/May/2017:14:15:30.943094471 +0200] - DEBUG - NSMMReplicationPlugin - changelog program - _cl5PositionCursorForReplay - (agmt="cn=meTo_localhost:39001" (localhost:39001)): Consumer RUV:
[29/May/2017:14:15:30.949395331 +0200] - DEBUG - NSMMReplicationPlugin - agmt="cn=meTo_localhost:39001" (localhost:39001): {replicageneration} 592c0e0b000000010000


[29/May/2017:14:15:30.961118175 +0200] - DEBUG - NSMMReplicationPlugin - agmt="cn=meTo_localhost:39001" (localhost:39001): {replica 1 ldap://localhost:39001} 592c0e17000000010000 592c0e1a000100010000 00000000
[29/May/2017:14:15:30.976680025 +0200] - DEBUG - NSMMReplicationPlugin - agmt="cn=meTo_localhost:39001" (localhost:39001): {replica 2 ldap://localhost:39002} 592c103c000000020000 592c103c000000020000 00000000
[29/May/2017:14:15:30.990404183 +0200] - DEBUG - NSMMReplicationPlugin - changelog program - _cl5PositionCursorForReplay - (agmt="cn=meTo_localhost:39001" (localhost:39001)): Supplier RUV:
[29/May/2017:14:15:31.001242624 +0200] - DEBUG - NSMMReplicationPlugin - agmt="cn=meTo_localhost:39001" (localhost:39001): {replicageneration} 592c0e0b000000010000
[29/May/2017:14:15:31.017406105 +0200] - DEBUG - NSMMReplicationPlugin - agmt="cn=meTo_localhost:39001" (localhost:39001): {replica 2 ldap://localhost:39002} 592c103c000000020000 592c10e2000000020000 592c10e1
[29/May/2017:14:15:31.028803190 +0200] - DEBUG - NSMMReplicationPlugin - agmt="cn=meTo_localhost:39001" (localhost:39001): {replica 1 ldap://localhost:39001} 592c0e1a000100010000 592c0e1a000100010000 00000000
[29/May/2017:14:15:31.040172464 +0200] - DEBUG - agmt="cn=meTo_localhost:39001" (localhost:39001) - clcache_get_buffer - found thread private buffer cache 0x558ddf870f00
[29/May/2017:14:15:31.057495165 +0200] - DEBUG - agmt="cn=meTo_localhost:39001" (localhost:39001) - clcache_get_buffer - _pool is 0x558ddfe294d0 _pool->pl_busy_lists is 0x558ddfab84c0 _pool->pl_busy_lists->bl_buffers is 0x558ddf870f00
[29/May/2017:14:15:31.063015498 +0200] - DEBUG - agmt="cn=meTo_localhost:39001" (localhost:39001) - clcache_initial_anchorcsn - agmt="cn=meTo_localhost:39001" (localhost:39001) - (cscb 0 - state 0) - csnPrevMax () csnMax (592c10e2000000020000) csnBuf (592c103c000000020000) csnConsumerMax (592c103c000000020000)
[29/May/2017:14:15:31.073252305 +0200] - DEBUG - clcache_initial_anchorcsn - anchor is now: 592c103c000000020000
[29/May/2017:14:15:31.089915209 +0200] - DEBUG - NSMMReplicationPlugin - changelog program - agmt="cn=meTo_localhost:39001" (localhost:39001): CSN 592c103c000000020000 found, position set for replay
[29/May/2017:14:15:31.095825439 +0200] - DEBUG - agmt="cn=meTo_localhost:39001" (localhost:39001) - clcache_get_next_change - load=1 rec=1 csn=592c10e2000000020000
[29/May/2017:14:15:31.100123762 +0200] - DEBUG - NSMMReplicationPlugin - repl5_inc_result_threadmain - Starting
[29/May/2017:14:15:31.115749709 +0200] - DEBUG - NSMMReplicationPlugin - repl5_inc_result_threadmain - Read result for message_id 0
[29/May/2017:14:15:31.125866330 +0200] - DEBUG - NSMMReplicationPlugin - replay_update - agmt="cn=meTo_localhost:39001" (localhost:39001): Sending add operation (dn="cn=user,ou=People,dc=example,dc=com" csn=592c10e2000000020000)
[29/May/2017:14:15:31.142339398 +0200] - DEBUG - NSMMReplicationPlugin - repl5_inc_result_threadmain - Read result for message_id 0
[29/May/2017:14:15:31.160456597 +0200] - DEBUG - NSMMReplicationPlugin - replay_update - agmt="cn=meTo_localhost:39001" (localhost:39001):
Consumer successfully sent operation with csn 592c10e2000000020000
[29/May/2017:14:15:31.172399536 +0200] - DEBUG - NSMMReplicationPlugin -
repl5_inc_result_threadmain - Read result for message_id 0
[29/May/2017:14:15:31.188857336 +0200] - DEBUG -
agmt="cn=meTo_localhost:39001" (localhost:39001) -
clcache_adjust_anchorcsn - agmt="cn=meTo_localhost:39001"
(localhost:39001) - (cscb 0 - state 1) - csnPrevMax
(592c10e2000000020000) csnMax (592c10e2000000020000) csnBuf
(592c10e2000000020000) csnConsumerMax (592c10e2000000020000)
[29/May/2017:14:15:31.199605024 +0200] - DEBUG -
agmt="cn=meTo_localhost:39001" (localhost:39001) - clcache_load_buffer -
rc=-30988
[29/May/2017:14:15:31.210800816 +0200] - DEBUG - NSMMReplicationPlugin -
send_updates - agmt="cn=meTo_localhost:39001" (localhost:39001): No more
updates to send (cl5GetNextOperationToReplay)
[29/May/2017:14:15:31.236214134 +0200] - DEBUG - NSMMReplicationPlugin -
repl5_inc_waitfor_async_results - 0 5
[29/May/2017:14:15:31.246755544 +0200] - DEBUG - NSMMReplicationPlugin -
repl5_inc_result_threadmain - Read result for message_id 0
[29/May/2017:14:15:31.277705986 +0200] - DEBUG - NSMMReplicationPlugin -
repl5_inc_result_threadmain - Read result for message_id 0
[29/May/2017:14:15:31.303530336 +0200] - DEBUG - NSMMReplicationPlugin -
repl5_inc_result_threadmain - Read result for message_id 5
[29/May/2017:14:15:31.318259308 +0200] - DEBUG - NSMMReplicationPlugin -
repl5_inc_result_threadmain - Result 1, 0, 0, 5, (null)
[29/May/2017:14:15:31.335263462 +0200] - DEBUG - NSMMReplicationPlugin -
repl5_inc_result_threadmain - Read result for message_id 5
[29/May/2017:14:15:31.364551307 +0200] - DEBUG - NSMMReplicationPlugin -
repl5_inc_waitfor_async_results - 5 5
[29/May/2017:14:15:31.376301820 +0200] - DEBUG - NSMMReplicationPlugin -
repl5_inc_result_threadmain exiting
[29/May/2017:14:15:31.393707037 +0200] - DEBUG -
agmt="cn=meTo_localhost:39001" (localhost:39001) - clcache_return_buffer
- session end: state=5 load=1 sent=1 skipped=0 skipped_new_rid=0
skipped_csn_gt_cons_maxcsn=0 skipped_up_to_date=0 skipped_csn_gt_ruv=0
skipped_csn_covered=0
[29/May/2017:14:15:31.398134114 +0200] - DEBUG - NSMMReplicationPlugin -
consumer_connection_extension_acquire_exclusive_access - conn=4 op=3
Acquired consumer connection extension
[29/May/2017:14:15:31.423099625 +0200] - DEBUG - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=4 op=3
repl="dc=example,dc=com": Begin incremental protocol
[29/May/2017:14:15:31.438899389 +0200] - DEBUG - csngen_adjust_time -
gen state before 592c10e30001:1496060130:0:1
[29/May/2017:14:15:31.443800884 +0200] - DEBUG - csngen_adjust_time -
gen state after 592c10e40001:1496060130:1:1
[29/May/2017:14:15:31.454123488 +0200] - DEBUG - NSMMReplicationPlugin -
replica_get_exclusive_access - conn=4 op=3 repl="dc=example,dc=com":
Acquired replica
[29/May/2017:14:15:31.469698781 +0200] - DEBUG - NSMMReplicationPlugin -
release_replica - agmt="cn=meTo_localhost:39001" (localhost:39001):
Successfully released consumer
[29/May/2017:14:15:31.475096195 +0200] - DEBUG - NSMMReplicationPlugin -
conn_start_linger -agmt="cn=meTo_localhost:39001" (localhost:39001) -
Beginning linger on the connection
[29/May/2017:14:15:31.485281588 +0200] - DEBUG - NSMMReplicationPlugin -
repl5_inc_run - agmt="cn=meTo_localhost:39001" (localhost:39001): State:
sending_updates -> wait_for_changes
[29/May/2017:14:15:31.495865065 +0200] - DEBUG - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=4 op=3
repl="dc=example,dc=com": StartNSDS90ReplicationRequest: response=0 rc=0
[29/May/2017:14:15:31.501617765 +0200] - DEBUG - NSMMReplicationPlugin -
consumer_connection_extension_relinquish_exclusive_access - conn=4 op=3
Relinquishing consumer connection extension
[29/May/2017:14:15:31.716627741 +0200] - DEBUG - NSMMReplicationPlugin -
consumer_connection_extension_acquire_exclusive_access - conn=4 op=4
Acquired consumer connection extension
[29/May/2017:14:15:31.735431913 +0200] - DEBUG - NSMMReplicationPlugin -
replica_relinquish_exclusive_access - conn=4 op=4
repl="dc=example,dc=com": Released replica held by locking_purl=conn=4
id=3
[29/May/2017:14:15:31.745841821 +0200] - DEBUG - NSMMReplicationPlugin -
consumer_connection_extension_relinquish_exclusive_access - conn=4 op=4
Relinquishing consumer connection extension

Plug-in logging records the name of the plug-in and all of the functions called by the
plug-in. This has a simple format:

[timestamp] Plugin_name - message
[timestamp] - function - message

The information returned can be hundreds of lines long as every step is processed. The
precise information recorded depends on the plug-in itself. For example, the ACL Plug-in
includes a connection and operation number, as shown in Example 7.4, “Example ACL
Plug-in Error Log Entry with Plug-in Logging”.

Example 7.4. Example ACL Plug-in Error Log Entry with Plug-in Logging

[29/May/2017:14:38:19.133878244 +0200] - DEBUG - get_filter_internal -
==>
[29/May/2017:14:38:19.153942547 +0200] - DEBUG - get_filter_internal -
PRESENT
[29/May/2017:14:38:19.177908064 +0200] - DEBUG - get_filter_internal -
<= 0
[29/May/2017:14:38:19.193547449 +0200] - DEBUG -
slapi_vattr_filter_test_ext_internal - =>
[29/May/2017:14:38:19.198121765 +0200] - DEBUG -
slapi_vattr_filter_test_ext_internal - <=
[29/May/2017:14:38:19.214342752 +0200] - DEBUG -
slapi_vattr_filter_test_ext_internal - PRESENT
[29/May/2017:14:38:19.219886104 +0200] - DEBUG - NSACLPlugin -
acl_access_allowed - conn=15 op=1 (main): Allow search on
entry(cn=replication,cn=config): root user
[29/May/2017:14:38:19.230152526 +0200] - DEBUG -
slapi_vattr_filter_test_ext_internal - <= 0
[29/May/2017:14:38:19.240971955 +0200] - DEBUG - NSACLPlugin -
acl_read_access_allowed_on_entry - Root access (read) allowed on
entry(cn=replication,cn=config)
[29/May/2017:14:38:19.246456160 +0200] - DEBUG - cos-plugin -
cos_cache_vattr_types - Failed to get class of service reference
[29/May/2017:14:38:19.257200851 +0200] - DEBUG - NSACLPlugin - Root
access (read) allowed on entry(cn=replication,cn=config)
[29/May/2017:14:38:19.273534025 +0200] - DEBUG - NSACLPlugin - Root
access (read) allowed on entry(cn=replication,cn=config)
[29/May/2017:14:38:19.289474926 +0200] - DEBUG - slapi_filter_free -
type 0x87

NOTE

Example 7.4, “Example ACL Plug-in Error Log Entry with Plug-in Logging”
shows both plug-in logging and search filter processing (log level 65696).

Many other kinds of logging have similar output to the plug-in logging level, only for
different kinds of internal operations. Heavy trace output (4), access control list processing
(128), schema parsing (2048), and housekeeping (4096) all record the functions called by
the different operations being performed. In this case, the difference is not in the format of
what is being recorded, but what operations it is being recorded for.

The configuration file processing goes through any .conf file, printing every line, whenever
the server starts up. This can be used to debug any problems with files outside of the
server's normal configuration. By default, only the slapd-collations.conf file, which
contains configurations for international language sets, is available.

Example 7.5. Config File Processing Log Entry

[29/May/2017:15:26:48.897935879 +0200] - DEBUG - collation_read_config -
Reading config file /etc/dirsrv/slapd-master_1/slapd-collations.conf
[29/May/2017:15:26:48.902606586 +0200] - DEBUG - collation-plugin -
collation_read_config - line 16: collation "" "" "" 1 3
2.16.840.1.113730.3.3.2.0.1 default
[29/May/2017:15:26:48.918493657 +0200] - DEBUG - collation-plugin -
collation_read_config - line 17: collation ar "" "" 1 3
2.16.840.1.113730.3.3.2.1.1 ar
[29/May/2017:15:26:48.932550086 +0200] - DEBUG - collation-plugin -
collation_read_config - line 18: collation be "" "" 1 3
2.16.840.1.113730.3.3.2.2.1 be be-BY
...

There are two levels of ACI logging, one for debug information and one for summary. Both
of these ACI logging levels record some extra information that is not included with other
types of plug-in or error logging, including the connection number and operation number.
Both levels show the name of the plug-in, the bind DN of the user, the operation
performed or attempted, and the ACI which was applied. The debug level shows the series
of functions called in the course of the bind and any other operations, as well.

Example 7.6, “Access Control Summary Logging” shows the summary access control log
entry.

Example 7.6. Access Control Summary Logging

[29/May/2017:15:34:52.742034888 +0200] - DEBUG - NSACLPlugin -
acllist_init_scan - Failed to find root for base: cn=features,cn=config
[29/May/2017:15:34:52.761702767 +0200] - DEBUG - NSACLPlugin -
acllist_init_scan - Failed to find root for base: cn=config
[29/May/2017:15:34:52.771907825 +0200] - DEBUG - NSACLPlugin -
acl_access_allowed - #### conn=6 op=1
binddn="cn=user,ou=people,dc=example,dc=com"
[29/May/2017:15:34:52.776327012 +0200] - DEBUG - NSACLPlugin -
************ RESOURCE INFO STARTS *********
[29/May/2017:15:34:52.786397852 +0200] - DEBUG - NSACLPlugin -
Client DN: cn=user,ou=people,dc=example,dc=com
[29/May/2017:15:34:52.797004451 +0200] - DEBUG - NSACLPlugin -
resource type:256(search target_DN )
[29/May/2017:15:34:52.807135945 +0200] - DEBUG - NSACLPlugin -
Slapi_Entry DN: cn=features,cn=config
[29/May/2017:15:34:52.822877838 +0200] - DEBUG - NSACLPlugin - ATTR:
objectClass
[29/May/2017:15:34:52.827250828 +0200] - DEBUG - NSACLPlugin -
rights:search
[29/May/2017:15:34:52.831603634 +0200] - DEBUG - NSACLPlugin -
************ RESOURCE INFO ENDS *********
[29/May/2017:15:34:52.847183276 +0200] - DEBUG - NSACLPlugin -
acl__scan_for_acis - Num of ALLOW Handles:0, DENY handles:0
[29/May/2017:15:34:52.857857195 +0200] - DEBUG - NSACLPlugin -
print_access_control_summary - conn=6 op=1 (main): Deny search on
entry(cn=features,cn=config).attr(objectClass) to
cn=user,ou=people,dc=example,dc=com: no aci matched the resource

7.3. AUDIT LOG REFERENCE


The audit log records changes made to the server instance. Unlike the error and access
logs, the audit log does not record access to the server instance, so searches against the
database are not logged.

The audit log is formatted differently than the access and error logs and is like a
time-stamped LDIF file. The operations recorded in the audit log are formatted as LDIF
statements:

timestamp: date
dn: modified_entry
changetype: action
action:attribute
attribute:new_value
-
replace: modifiersname
modifiersname: dn
-
replace: modifytimestamp
modifytimestamp: date
-

LDIF files and formats are described in more detail in the "LDAP Data Interchange Format"
appendix of the Administration Guide.

Several different kinds of audit entries are shown in Example 7.7, “Audit Log Content”.

Example 7.7. Audit Log Content

... modifying an entry ...
time: 20190108181429
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}8EcJhJoIgBgY/E5j8JiVoj6W3BLyj9Za/rCPOw==
-
replace: modifiersname
modifiersname: cn=Directory Manager
-
replace: modifytimestamp
modifytimestamp: 20190108231429Z
-

... modifications to o=NetscapeRoot from logging into the Console ...
time: 20190108182758
dn: cn=general,ou=1.1,ou=console,ou=cn=Directory
Manager,ou=userpreferences,ou=example.com,o=netscaperoot
changetype: modify
replace: nsPreference
nsPreference::
IwojVGh1IEphbiAwOCAxODoyNzo1OCBFU1QgMjAwOQpXaWR0aD03NzAKU2hvd1
N0YXR1c0Jhcj10cnVlClNob3dCYW5uZXJCYXI9dHJ1ZQpZPTI3OApYPTI5OApIZWlnaHQ9N
TE4Cg==
-
replace: modifiersname
modifiersname: cn=Directory Manager
-
replace: modifytimestamp
modifytimestamp: 20190108232758Z
-

... sending a replication update ...
time: 20190109131811
dn: cn=example2,cn=replica,cn="dc=example,dc=com",cn=mapping
tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
-
replace: modifiersname
modifiersname: cn=Directory Manager
-
replace: modifytimestamp
modifytimestamp: 20190109181810Z
-

The audit log does not have any other log level to set.
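Because every audit record is a blank-line-separated block of LDIF with a time: line, the log can be reviewed with a short parser. The following is an added example, not code from the Directory Server documentation: the records embedded in it are constructed from the entries in Example 7.7, and the list of attributes treated as sensitive is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample audit log, modelled on the entries in Example 7.7.
SAMPLE_AUDIT_LOG = """\
time: 20190108181429
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}8EcJhJoIgBgY/E5j8JiVoj6W3BLyj9Za/rCPOw==
-
replace: modifiersname
modifiersname: cn=Directory Manager
-
replace: modifytimestamp
modifytimestamp: 20190108231429Z
-

time: 20190109131811
dn: cn=example2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
-
replace: modifiersname
modifiersname: cn=Directory Manager
-
replace: modifytimestamp
modifytimestamp: 20190109181810Z
-
"""

# Attributes whose modification a reviewer usually wants to see (assumed list).
SENSITIVE_ATTRS = {"userpassword", "aci", "nsslapd-rootpw", "nsds5beginreplicarefresh"}


def parse_audit_log(text):
    """Split the audit log into records, one dict per change.

    Each record carries 'time', 'dn', 'changetype', 'modifiersname' and 'mods',
    where 'mods' is a list of (operation, attribute) tuples such as
    ('replace', 'userPassword').  Folded continuation lines (leading space) and
    base-64 values ('::') are handled because the audit log uses both.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:       # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        rec = {"mods": []}
        for line in lines:
            if line == "-":                          # end of one modification
                continue
            # '::' marks a base-64 value; the separator is the first ':' either way
            name, _, value = line.partition(":")
            value = value.lstrip(": ").strip()
            key = name.lower()
            if key in ("add", "replace", "delete"):
                rec["mods"].append((key, value))
            elif key in ("time", "timestamp"):
                rec["time"] = value
            elif key in ("dn", "changetype", "modifiersname"):
                rec[key] = value
        records.append(rec)
    return records


def sensitive_changes(records):
    """Return (time, modifiersname, dn, attribute) for every change to a sensitive attribute."""
    hits = []
    for rec in records:
        for _op, attr in rec["mods"]:
            if attr.lower() in SENSITIVE_ATTRS:
                hits.append((rec.get("time"), rec.get("modifiersname"), rec.get("dn"), attr))
    return hits


def changes_per_modifier(records):
    """Count audit records per modifiersname, a quick view of who is changing the directory."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec.get("modifiersname", "<unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for when, who, dn, attr in sensitive_changes(recs):
        print("%s %s changed %s on %s" % (when, who, attr, dn))
    print(changes_per_modifier(recs))
```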

7.4. LDAP RESULT CODES


Directory Server uses the following LDAP result codes:

Table 7.5. LDAP Result Codes

Hex Values   Constants
0x00         LDAP_SUCCESS
0x01         LDAP_OPERATIONS_ERROR
0x02         LDAP_PROTOCOL_ERROR
0x03         LDAP_TIMELIMIT_EXCEEDED
0x04         LDAP_SIZELIMIT_EXCEEDED
0x05         LDAP_COMPARE_FALSE
0x06         LDAP_COMPARE_TRUE
0x07         LDAP_AUTH_METHOD_NOT_SUPPORTED
0x08         LDAP_STRONG_AUTH_REQUIRED
0x09         LDAP_PARTIAL_RESULTS
0x0a         LDAP_REFERRAL [a]
0x0b         LDAP_ADMINLIMIT_EXCEEDED [a]
0x0c         LDAP_UNAVAILABLE_CRITICAL_EXTENSION [a]
0x0d         LDAP_CONFIDENTIALITY_REQUIRED [a]
0x0e         LDAP_SASL_BIND_IN_PROGRESS [a]
0x10         LDAP_NO_SUCH_ATTRIBUTE
0x11         LDAP_UNDEFINED_TYPE
0x12         LDAP_INAPPROPRIATE_MATCHING
0x13         LDAP_CONSTRAINT_VIOLATION
0x14         LDAP_TYPE_OR_VALUE_EXISTS
0x15         LDAP_INVALID_SYNTAX
0x20         LDAP_NO_SUCH_OBJECT
0x21         LDAP_ALIAS_PROBLEM
0x22         LDAP_INVALID_DN_SYNTAX
0x23         LDAP_IS_LEAF [c]
0x24         LDAP_ALIAS_DEREF_PROBLEM
0x30         LDAP_INAPPROPRIATE_AUTH
0x31         LDAP_INVALID_CREDENTIALS
0x32         LDAP_INSUFFICIENT_ACCESS
0x33         LDAP_BUSY
0x34         LDAP_UNAVAILABLE
0x35         LDAP_UNWILLING_TO_PERFORM
0x40         LDAP_NAMING_VIOLATION
0x41         LDAP_OBJECT_CLASS_VIOLATION
0x42         LDAP_NOT_ALLOWED_ON_NONLEAF
0x43         LDAP_NOT_ALLOWED_ON_RDN
0x44         LDAP_ALREADY_EXISTS
0x45         LDAP_NO_OBJECT_CLASS_MODS
0x46         LDAP_RESULTS_TOO_LARGE [b]
0x47         LDAP_AFFECTS_MULTIPLE_DSAS [a]
0x4C         LDAP_VIRTUAL_LIST_VIEW_ERROR
0x50         LDAP_OTHER
0x51         LDAP_SERVER_DOWN
0x52         LDAP_LOCAL_ERROR
0x53         LDAP_ENCODING_ERROR
0x54         LDAP_DECODING_ERROR
0x55         LDAP_TIMEOUT
0x56         LDAP_AUTH_UNKNOWN
0x57         LDAP_FILTER_ERROR
0x58         LDAP_USER_CANCELLED
0x5A         LDAP_NO_MEMORY
0x5C         LDAP_NOT_SUPPORTED
0x76         LDAP_CANCELLED

[a] LDAPv3

[b] Reserved for CLDAP

[c] Not used in LDAPv3

7.5. REPLACING LOG FILES WITH A NAMED PIPE


Many administrators want to do some special configuration or operation with logging data,
like configuring an access log to record only certain events. This is not possible using the
standard Directory Server log file configuration attributes, but it is possible by sending the
log data to a named pipe, and then using another script to process the data. Using a
named pipe for the log simplifies these special tasks, like:

Logging certain events, like failed bind attempts or connections from specific users
or IP addresses

Logging entries which match a specific regular expression pattern

Keeping the log to a certain length (logging only the last number of lines)

Sending a notification, such as an email, when an event occurs

Replacing a log file with a pipe improves performance, especially on servers with a high rate
of operations.

The named pipe is different than using a script to extract data from the logs because of how
data are handled in the log buffer.

If a log is buffered, server performance is good, but important data are not written to disk
(the log file) as soon as the event occurs. If the server is having a problem with crashing, it
may crash before the data is written to disk — and there is no data for the script to extract.

If a log is not buffered[1], the writes are flushed to disk with each operation, causing a lot of
disk I/O and performance degradation.

Replacing the log disk file with a pipe has the benefits of buffering, since the script that
reads from the pipe can buffer the incoming log data in memory (which is not possible with
a simple script).

The usage and option details for the script are covered in Section 9.4, “ds-logpipe.py”. The
basic format is:

ds-logpipe.py /path/to/named_pipe [ --user pipe_user ] [ --maxlines number ] [[ --serverpidfile file.pid ] | [ --serverpid PID ]] [ --servertimeout seconds ] [ --plugin=/path/to/plugin.py | [ pluginfile.arg=value ]]

7.5.1. Using the Named Pipe for Logging


The Directory Server instance can use a named pipe for its logging simply by running the
named pipe log script and giving the name of the pipe. (If the server is already running,
then the log has to be reopened, but there is no configuration required otherwise.)

# ds-logpipe.py /var/log/dirsrv/slapd-example/access

Running the ds-logpipe.py in this way has the advantage of being simple to implement
and not requiring any Directory Server configuration changes. This is useful for fast
debugging or monitoring, especially if you are looking for a specific type of event.

If the Directory Server instance will frequently or permanently use the named pipe rather
than a real file for logging, then it is possible to reconfigure the instance to create the
named pipe and use it for logging (as it does by default for the log files).

Three things need to be configured for the log configuration for the instance:

The log file to use has to be changed to the pipe (nsslapd-*log, where the * can be
access, error, or audit[2], depending on the log type being configured)

Buffering should be disabled because the script already buffers the log entries
(nsslapd-*log-logbuffering)

Log rotation should be disabled so that the server does not attempt to rotate the
named pipe (nsslapd-*log-maxlogsperdir, nsslapd-*log-logexpirationtime,
and nsslapd-*log-logrotationtime)

These configuration changes can be made in the Directory Server Console or using
ldapmodify.

For example, this switches the access log to access.pipe:

# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: cn=config
changetype: modify
replace: nsslapd-accesslog
nsslapd-accesslog: /var/log/dirsrv/slapd-instance/access.pipe
-
replace: nsslapd-accesslog-logbuffering
nsslapd-accesslog-logbuffering: off
-
replace: nsslapd-accesslog-maxlogsperdir
nsslapd-accesslog-maxlogsperdir: 1
-
replace: nsslapd-accesslog-logexpirationtime
nsslapd-accesslog-logexpirationtime: -1
-
replace: nsslapd-accesslog-logrotationtime
nsslapd-accesslog-logrotationtime: -1

NOTE

Making these changes causes the server to close the current log file and
switch to the named pipe immediately. This can be very helpful for debugging
a running server and sifting the log output for specific messages.

7.5.2. Starting the Named Pipe with the Server


The named pipe can be started and shut down along with the Directory Server instance by
editing the instance's init script configuration file.

NOTE

The named pipe script has to be specifically configured in the instance's
dse.ldif file before it can be called at server startup.

1. Open the instance configuration file for the server system.

/etc/sysconfig/dirsrv-instance_name


WARNING

Do not edit the /etc/sysconfig/dirsrv file.

2. At the end of the file, there will be a line that reads:

# Put custom instance specific settings below here.

Below that line, insert the ds-logpipe.py command to launch when the server
starts. For example:

# only keep the last 1000 lines of the error log
python /usr/bin/ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe -m 1000 -u dirsrv -s /var/run/dirsrv/slapd-example.pid > /var/log/dirsrv/slapd-example/errors &

# only log failed binds
python /usr/bin/ds-logpipe.py /var/log/dirsrv/slapd-example/access.pipe -u dirsrv -s /var/run/dirsrv/slapd-example.pid --plugin=/usr/share/dirsrv/data/failedbinds.py failedbinds.logfile=/var/log/dirsrv/slapd-example/access.failedbinds &

NOTE

The -s option both specifies the .pid file for the server to write its PID
to and sets the script to start and stop with the server process.

7.5.3. Using Plug-ins with the Named Pipe Log


A plug-in can be called to read the log data from the named pipe and perform some
operation on it. There are some considerations with using plug-ins with the named pipe log
script:

The plug-in function is called for every line read from the named pipe.

The plug-in function must be a Python script and must end in .py.

Any plug-in arguments are passed in the command line to the named pipe log
script.

A pre-operation function can be specified for when the plug-in is loaded.

A post-operation function can be called for when the script exits.

7.5.3.1. Loading Plug-ins with the Named Pipe Log Script

There are two options with ds-logpipe.py to use for plug-ins:

The --plugin option gives the path to the plug-in file (which must be a Python script
and must end in .py).

The plugin.arg option passes plug-in arguments to the named pipe log script. The
plug-in file name (without the .py extension) is plugin and any argument allowed in
that plug-in can be arg.

For example:

ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe --plugin=/usr/share/dirsrv/data/example-funct.py example-funct.regex="warning" > warnings.txt

If more than one value is passed for the same argument, the values are converted into a
list in the plug-in dict. For example, this command line gives two values for arg1:

--plugin=/path/to/pluginname.py pluginname.arg1=foo pluginname.arg1=bar pluginname.arg2=baz

In the plug-in, this is converted to:

{'arg1': ['foo', 'bar'],
 'arg2': 'baz'}

This is a Python dict object with two keys. The first key is the string arg1, and its value is a
Python list object with two elements, the strings foo and bar. The second key is the string
arg2, and its value is the string baz. If an argument has only a single value, it is left as a
simple string. Multiple values for a single argument name are converted into a list of
strings.

7.5.3.2. Writing Plug-ins to Use with the Named Pipe Log Script

The ds-logpipe.py command expects up to three functions in any plug-in: plugin(), pre(),
and post().

Any plug-in used with the ds-logpipe.py command must specify the plugin function.

The plugin() function is performed against every line in the log data, while the pre()
and post() functions are run when the script is started and stopped, respectively.

Each function can have any arguments defined for it, and these arguments can then be
passed to the script using the plugin.arg option. Additionally, each function can have its
own return values and actions defined for it.

Example 7.8. Simple Named Pipe Log Plug-in

def pre(myargs):
    # called once when the plug-in is loaded; myargs is the dict of plugin.arg values
    retval = True
    bad_problem = False          # placeholder: set to True when the arguments are unusable
    myarg = myargs['argname']
    if isinstance(myarg, list):  # handle list of values
        pass
    else:                        # handle single value
        pass
    if bad_problem:
        retval = False
    return retval

def plugin(line):
    # called for every line read from the named pipe
    retval = True
    something_is_bogus = False   # placeholder: set to True when the line cannot be handled
    # do something with line
    if something_is_bogus:
        retval = False
    return retval

def post():  # no arguments
    # called when the script exits
    # do something
    pass  # no return value
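A complete plug-in in the shape Example 7.8 sketches, written here as an added example rather than a plug-in shipped with Directory Server: it accepts one or more pluginname.regex=... arguments in both the single-string and the list form described in Section 7.5.3.1, writes matching lines to the file named by an optional pluginname.logfile=... argument, and returns False from pre() when the arguments are unusable. The argument names regex and logfile are assumptions, and the code avoids Python 3-only syntax because the page runs ds-logpipe.py with the system python.

```python
import re
import sys

# Module-level state shared by pre(), plugin() and post(): ds-logpipe.py calls
# the three functions by name, so a plug-in keeps its state in globals.
_patterns = []      # compiled expressions from the (assumed) regex argument
_outfile = None     # where matching lines go; from the (assumed) logfile argument
_matched = 0        # number of lines written since pre() ran


def _as_list(value):
    """ds-logpipe.py hands over one value as a str and repeated values as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def pre(myargs):
    """Called once when the plug-in is loaded; myargs is the pluginname.arg dict.

    Returns False when the arguments are unusable, as pre() in Example 7.8 does.
    """
    global _patterns, _outfile, _matched
    _matched = 0
    try:
        _patterns = [re.compile(p) for p in _as_list(myargs.get("regex"))]
    except re.error as err:
        sys.stderr.write("bad regex argument: %s\n" % err)
        return False
    if not _patterns:
        sys.stderr.write("at least one pluginname.regex=... argument is required\n")
        return False
    logfile = myargs.get("logfile")
    if isinstance(logfile, list):
        sys.stderr.write("only one pluginname.logfile=... argument is allowed\n")
        return False
    # Without a logfile argument the matches go to stdout, which the command
    # lines in Section 7.5.2 redirect to the real log file.
    _outfile = open(logfile, "a") if logfile else sys.stdout
    return True


def plugin(line):
    """Called for every line read from the named pipe (trailing newline included)."""
    global _matched
    text = line.rstrip("\r\n")
    if any(p.search(text) for p in _patterns):
        _outfile.write(text + "\n")
        _outfile.flush()        # write through: the pipe reader already buffers
        _matched += 1
    return True                 # False signals a problem, as in Example 7.8


def post():
    """Called when ds-logpipe.py exits: close the output file and report the count."""
    if _outfile is not None and _outfile is not sys.stdout:
        _outfile.close()
    sys.stderr.write("%d matching line(s) written\n" % _matched)


def match_count():
    """Number of lines plugin() has written since the last pre() call."""
    return _matched


if __name__ == "__main__":
    # Stand-alone run over constructed error-log lines, in the order ds-logpipe.py
    # would call the plug-in: pre() once, plugin() per line, post() at exit.
    sample = [
        "[29/May/2017:15:26:48.897935879 +0200] - DEBUG - collation_read_config - Reading config file\n",
        "[29/May/2017:15:26:49.000000000 +0200] - WARNING - collation_read_config - warning: unknown collation\n",
    ]
    if pre({"regex": ["warning", "err(or)?"]}):
        for entry in sample:
            plugin(entry)
        post()
```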

[1] Server performance suffers when log buffering is disabled on the access log, when the log level is
changed on the error log, or with audit logging.

[2] The audit log is not enabled by default, so this log has to be enabled before a named pipe can be
used to replace it.

CHAPTER 8. CONFIGURATION FILE REFERENCE


Most Directory Server features you configure are stored in the cn=config entry in the
directory. However, for certain features, Directory Server reads settings from configuration
files. This chapter describes these files and their settings.

8.1. CERTMAP.CONF
If you set up certificate-based authentication, the
/etc/dirsrv/slapd-instance_name/certmap.conf file manages how Directory Server
dynamically maps a certificate to a user entry.

The /etc/dirsrv/slapd-instance_name/certmap.conf file uses the following format:

certmap alias_name certificate_issuer_DN
alias_name:parameter_name value

You can specify individual settings for different certificate issuer Distinguished Names (DNs).
For issuer DNs that do not have a separate configuration, the settings from the default
entry will be used. The following is the required minimum configuration for the default
entry:

certmap default default

Additionally, you can set all available parameters for the default entry. Directory Server
will use them if they are not specified in individual configurations for issuer DNs.

Example 8.1. Configuration for the default Entry and a Specific Issuer DN

The following configuration sets individual settings for certificates having the o=Example
Inc.,c=US issuer DN set. Other certificates will use the settings from the default entry.

certmap default default
default:DNComps dc
default:FilterComps mail, cn
default:VerifyCert on

certmap example o=Example Inc.,c=US
example:DNComps

You can set the following parameters:

DNComps
The DNComps parameter determines how Directory Server generates the base DN used to
search for a user in the directory:

If attributes in the subject field of the certificate match the base DN, set the
DNComps parameter to these attributes. Separate multiple attributes with commas.
However, the order of the attributes in the DNComps parameter must match the
order in the subject of the certificate.

For example, if your certificate's subject is
[email protected],cn=user_name,o=Example Inc.,c=US, and you want
Directory Server to use cn=user_name,o=Example Inc.,c=US as base DN when
searching for the user, set the DNComps parameter to cn, o, c.

IMPORTANT

The values of attributes set in the DNComps parameter must be
unique in the database.

Set the parameter to an empty value if the base DN cannot be generated from
the subject field of the certificate. In this situation, Directory Server searches
for the user in the entire directory using a filter generated from the setting in the
FilterComps parameter.

For example, if the certificate's subject is
[email protected],cn=user_name,o=Example Inc.,c=US, but
Directory Server stores its data in the dc=example,dc=com entry, Directory Server
cannot generate a valid base DN from the subject of the certificate, because the
required components are not part of the subject. In this case, set DNComps to an
empty string to search for the user in the entire directory.

Comment out or do not set this parameter, if either the subject field of the
certificate matches exactly the DN of the user in Directory Server or if you want
to use the setting from the CmapLdapAttr parameter.

Alternatively, set the nsslapd-certmap-basedn parameter in the cn=config entry to
use a hard-coded base DN.

FilterComps
This parameter sets which attributes from the subject field of the certificate
Directory Server uses to generate the search filter to locate the user:

Set this parameter to a comma-separated list of attributes used in the
certificate's subject. Directory Server will use these attributes in an AND operation
in the filter.

NOTE

Certificate Subjects use the e attribute for the email address, which
does not exist in the default Directory Server schema. For this
reason, Directory Server automatically maps this attribute to the
mail attribute. This means, if you use the mail attribute in the
FilterComps parameter, Directory Server reads the value of the e
attribute from the subject of the certificate.

For example, if the subject of a certificate is
[email protected],cn=user_name,dc=example,dc=com,o=Example
Inc.,c=US and you want to dynamically generate the
(&(mail=username@domain)(cn=user_name)) filter, set the FilterComps
parameter to mail,cn.

If the parameter is commented out or set to an empty value, the
(objectclass=*) filter will be used.

verifycert
Directory Server always verifies that the certificate has been issued by a trusted Certificate
Authority (CA). However, if you additionally set the verifycert parameter to on,
Directory Server also verifies that the certificate matches the Distinguished
Encoding Rules (DER)-formatted certificate stored in the userCertificate binary
attribute of the user.

If you do not set this parameter, verifycert is disabled.

CmapLdapAttr
If your user entries contain an attribute that stores the subject DN of the user certificate,
set the CmapLdapAttr to this attribute name. Directory Server will use this attribute and
the subject DN to locate the user. In this case the no filter is generated based on the
attributes in the FilterComps parameter.

library
Sets the path name to a shared library or Dynamic Link Library (DLL) file. Use this
setting only if you create your own properties using the certificate API. This parameter is
deprecated and will be removed in a future release.

InitFn
Sets the name of the init function, if you use a custom library. Use this setting only if
you create your own properties using the certificate API. This parameter is deprecated
and will be removed in a future release.

IMPORTANT

When Directory Server searches for the matching user, the search must return
exactly one entry. If the search returns multiple entries, Directory Server logs
a multiple matches error and authentication fails.

For further details, see the corresponding section in the Directory Server Administration
Guide.
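How DNComps, FilterComps and CmapLdapAttr combine into a search can be checked without a server. The following is an added example, not Directory Server code: it derives the search base and filter from a certificate subject according to the rules above, evaluates the search against a few constructed entries, and enforces the exactly-one-match rule; the subject, the entries, the seeAlso attribute holding the subject DN and the basedn keyword (standing in for nsslapd-certmap-basedn) are all assumptions.

```python
import re

# Constructed subject and directory entries used to exercise the rules above.
SUBJECT = "e=user_name@example.com,cn=user_name,o=Example Inc.,c=US"
ENTRIES = [
    {"dn": "uid=user_name,ou=people,dc=example,dc=com", "cn": ["user_name"],
     "mail": ["user_name@example.com"], "seealso": [SUBJECT]},  # seeAlso holds the subject DN
    {"dn": "uid=other,ou=people,dc=example,dc=com", "cn": ["other"],
     "mail": ["other@example.com"]},
    {"dn": "uid=dup,ou=people,dc=example,dc=com", "cn": ["user_name"],  # same cn as the first
     "mail": ["dup@example.com"]},
]
SUBJECT_ALIAS = {"mail": "e"}  # the subject uses 'e' for what the directory calls 'mail'


def parse_dn(dn):
    """Split 'cn=user_name,o=Example Inc.,c=US' into ordered (attr, value) pairs.
    Escaped commas are not handled; the subjects on this page do not need them."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def _split_list(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def certmap_search(subject, dncomps=None, filtercomps=None, cmapldapattr=None, basedn=None):
    """Derive (base, scope, filter) from a certificate subject under the certmap.conf rules.

    dncomps / filtercomps: None means the parameter is commented out, '' means it is
    set to an empty value, otherwise the comma-separated attribute list.  basedn
    stands in for nsslapd-certmap-basedn.
    """
    comps = parse_dn(subject)
    scope = "subtree"
    if basedn:
        base = basedn                                # hard-coded base DN
    elif dncomps is None and cmapldapattr:
        base = ""                                    # located through the attribute instead
    elif dncomps is None:
        base, scope = subject, "base"                # subject DN is the entry DN itself
    elif dncomps == "":
        base = ""                                    # search the entire directory
    else:
        wanted = _split_list(dncomps)                # subject components, in subject order
        base = ",".join("%s=%s" % (a, v) for a, v in comps if a in wanted)
    if cmapldapattr:
        flt = "(%s=%s)" % (cmapldapattr, subject)    # FilterComps are not used in this case
    elif not filtercomps:
        flt = "(objectclass=*)"
    else:
        values = dict(comps)
        terms = ["(%s=%s)" % (a, values.get(SUBJECT_ALIAS.get(a, a), ""))
                 for a in _split_list(filtercomps)]
        flt = "(&" + "".join(terms) + ")"
    return base, scope, flt


def _in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    return base == "" or dn == base or dn.endswith("," + base)


def find_user(entries, base, scope, flt):
    """Evaluate the derived search against in-memory entries (equality terms joined by AND)."""
    terms = [(a.lower(), v) for a, v in re.findall(r"\(([^()=]+)=([^()]*)\)", flt)]
    hits = []
    for entry in entries:
        if not _in_scope(entry["dn"], base, scope):
            continue
        if all(v == "*" or v.lower() in [x.lower() for x in entry.get(a, [])]
               for a, v in terms):
            hits.append(entry["dn"])
    return hits


def map_certificate(entries, subject, **settings):
    """Return the single matching DN; anything but exactly one match is an authentication failure."""
    base, scope, flt = certmap_search(subject, **settings)
    hits = find_user(entries, base, scope, flt)
    if len(hits) != 1:
        raise LookupError("%d entries matched %s under base %r" % (len(hits), flt, base))
    return hits[0]


if __name__ == "__main__":
    print(certmap_search(SUBJECT, dncomps="cn, o, c", filtercomps="mail,cn"))
    print(map_certificate(ENTRIES, SUBJECT, dncomps="", filtercomps="mail,cn"))
```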

CHAPTER 9. COMMAND-LINE UTILITIES


This chapter contains reference information on command-line utilities used with Red Hat
Directory Server (Directory Server). These command-line utilities make it easy to perform
administration tasks on the Directory Server.

9.1. COMMAND-LINE UTILITIES QUICK REFERENCE


The following table provides a summary of the command-line utilities provided for
Directory Server.

Table 9.1. Commonly-Used Command-Line Utilities

Command-Line Utility   Description

ldif                   Automatically formats LDIF files and creates base 64-encoded attribute
                       values. For details on this tool, see appendix A in the Red Hat
                       Directory Server Administration Guide.

dbscan                 Analyzes and extracts information from a Directory Server database file.

ds-logpipe.py          Writes Directory Server log data to a named pipe.

dn2rdn                 For Directory Server instances upgraded from a version older than 9.0,
                       this converts the id2entry.db4 database and entrydn index (formatted by
                       the full entry DN) into the id2entry.db database with the entryrdn
                       index (formatted by the RDN).

9.2. LDIF
ldif automatically formats LDIF files and creates base-64 encoded attribute values. Base-
64 encoding makes it possible to represent binary data, such as a JPEG image, in LDIF.
Base-64 encoded data is represented using a double colon (::) symbol. For example:

jpegPhoto:: encoded data

In addition to binary data, other values must be base-64 encoded as well. Such values can be
identified by the following characteristics:

Any value that begins with a space.

Any value that begins with a single colon (:).

Any value that contains non-ASCII data, including newlines.


The ldif command-line utility will take any input and format it with the correct line
continuation and appropriate attribute information. The ldif utility also senses whether the
input requires base-64 encoding.

Syntax
The ldif command has the following format:

ldif [ -b ] [ attrtypes ] [ optional_options ]

Options

Table 9.2. ldif Options

Option   Description

-b       Specifies that the ldif utility should interpret the entire input as a single binary value. If -b is not present, each line is considered to be a separate input value.

         As an alternative to the -b option, use the :< URL specifier notation. For example:

         jpegphoto:< file:///tmp/myphoto.jpg

         Although the official notation requires three slashes (///), the use of one / is accepted.

         NOTE

         The :< URL specifier notation only works if the LDIF statement is version 1 or later, meaning version: 1 is inserted in the LDIF file. Otherwise, the file URL is appended as the attribute value rather than the contents of the file.
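To make the encoding rules above concrete, here is an added Python example that is not part of the Red Hat manual and does not call the ldif utility itself. It applies the same tests the text lists (a leading space, a leading colon, non-ASCII or newline bytes), adds the leading "<" that RFC 2849 also reserves because it introduces the :< URL notation, emits the double-colon base-64 form when any test fires, folds long lines with a leading-space continuation line, and decodes the result back. All function names and the sample entry are the example's own.

```python
import base64

LINE_WIDTH = 76  # RFC 2849 folds logical lines longer than 76 characters


def needs_base64(value: bytes) -> bool:
    """Decide whether an attribute value must use the "::" base-64 form.

    Mirrors the rules given for the ldif utility: a leading space, a leading
    colon, or any non-ASCII byte (newlines included). A leading "<" is added
    because RFC 2849 reserves it for the :< URL notation.
    """
    if not value:
        return False
    if value[0] in b" :<":
        return True
    # NUL, LF, CR and anything above 0x7F are not safe in a plain value.
    return any(b in (0x00, 0x0A, 0x0D) or b > 0x7F for b in value)


def fold(line: str) -> str:
    """Fold one logical line into physical lines of at most LINE_WIDTH
    characters; every continuation line starts with a single space."""
    if len(line) <= LINE_WIDTH:
        return line
    pieces = [line[:LINE_WIDTH]]
    rest = line[LINE_WIDTH:]
    while rest:
        # The leading space of a continuation line counts toward the width.
        pieces.append(" " + rest[:LINE_WIDTH - 1])
        rest = rest[LINE_WIDTH - 1:]
    return "\n".join(pieces)


def format_attribute(name: str, value) -> str:
    """Render one name/value pair as LDIF, choosing ':' or '::' as the rules require."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if needs_base64(raw):
        return fold(f"{name}:: {base64.b64encode(raw).decode('ascii')}")
    # needs_base64 returned False, so every byte is printable ASCII.
    return fold(f"{name}: {raw.decode('ascii')}")


def decode_attribute(text: str):
    """Inverse of format_attribute: unfold, then undo the base-64 form.
    Returns a (name, value_bytes) tuple."""
    logical = text.replace("\n ", "")
    colon = logical.index(":")
    name = logical[:colon]
    if logical.startswith("::", colon):
        return name, base64.b64decode(logical[colon + 2:].strip())
    # A plain value never starts with a space, so stripping the separator is safe.
    return name, logical[colon + 1:].lstrip(" ").encode("ascii")


def format_entry(dn: str, attrs) -> str:
    """Render a whole entry: the dn line first, then one line per value."""
    lines = [format_attribute("dn", dn)]
    for name, values in attrs:
        for value in values:
            lines.append(format_attribute(name, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample entry; the description value forces base-64 encoding.
    print(format_entry("cn=HR Managers,ou=groups,dc=example,dc=com", [
        ("objectClass", ["top", "groupOfUniqueNames"]),
        ("cn", ["HR Managers"]),
        ("description", [" leading space is not allowed in a plain value"]),
    ]))
```

Because decode_attribute unfolds before it looks for the separator, the same function reads both folded plain values and folded base-64 values, which is the behaviour an LDIF consumer such as ldif2db relies on.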

9.3. DBSCAN
The dbscan tool analyzes and extracts information from a Directory Server database file.
There are four kinds of database files that can be scanned with dbscan:

id2entry.db, the main database file for a user database

entryrdn.db for a user database

secondary index files for a user database, like cn.db

numeric_string.db for the changelog in /var/lib/dirsrv/slapd-instance/changelogdb

See Section 2.2.2, “Database Files” for more information on database files.

Database files use the .db2, .db3, .db4, and .db extensions in their filename, depending on
the version of Directory Server.

Syntax

dbscan -f filename [ options ]

Options

Table 9.3. Common Options

Option        Description

-f filename   Specifies the name of the database file, the contents of which are to be analyzed and extracted. This option is required.

-R            Dumps the database as raw data.

-t size       Specifies the entry truncate size (in bytes).

NOTE

The options listed in Table 9.4, “Entry File Options” are meaningful only when
the database file is the primary database file, id2entry.db.

Table 9.4. Entry File Options

Option        Description

-K entry_id   Specifies the entry ID to look up.

NOTE

The index file options, listed in Table 9.5, “Index File Options”, are meaningful
only when the database file is a secondary index file.

Table 9.5. Index File Options

Option        Description

-k key        Specifies the key to look up in the secondary index file.

-l size       Sets the maximum length of the dumped ID list. The valid range is from 40 to 1048576 bytes. The default value is 4096.

-G n          Displays only those index entries whose ID lists exceed the specified length.

-n            Displays only the length of the ID list.

-r            Displays the contents of the ID list.

-s            Gives the summary of index counts.

Examples
The following are command-line examples of different situations using dbscan to examine
the Directory Server databases.

Example 9.1. Dumping the Entry File

dbscan -f /var/lib/dirsrv/slapd-instance/db/userRoot/id2entry.db

Example 9.2. Displaying the Index Keys in cn.db

dbscan -f /var/lib/dirsrv/slapd-instance/db/userRoot/cn.db

Example 9.3. Displaying the Index Keys and the Count of Entries with the Key
in mail.db

# dbscan -r -f /var/lib/dirsrv/slapd-instance/db/userRoot/mail.db

Example 9.4. Displaying the Index Keys and the All IDs with More Than 20 IDs
in sn.db

# dbscan -r -G 20 -f /var/lib/dirsrv/slapd-instance/db/userRoot/sn.db

Example 9.5. Displaying the Summary of objectclass.db

# dbscan -s -f /var/lib/dirsrv/slapd-instance/db/userRoot/objectclass.db

Example 9.6. Displaying VLV Index File Contents

# dbscan -r -f /var/lib/dirsrv/slapd-instance/db/userRoot/vlv#bymccoupeopledcpeopledccom.db

Example 9.7. Displaying the Changelog File Contents

# dbscan -f /var/lib/dirsrv/slapd-instance/changelogdb/c1a2fc02-1d11b2-8018afa7-fdce000_424c8a000f00.db

Example 9.8. Dumping the Index File uid.db with Raw Mode

# dbscan -R -f /var/lib/dirsrv/slapd-instance/db/userRoot/uid.db

Example 9.9. Displaying the entryID with the Common Name Key "=hr
managers"

In this example, the common name key is =hr managers, and the equals sign (=) means
the key is an equality index.

# dbscan -k "=hr managers" -r -f /var/lib/dirsrv/slapd-instance/db/userRoot/cn.db

=hr%20managers 7

Example 9.10. Displaying an Entry with the entry ID of 7

# dbscan -K 7 -f /var/lib/dirsrv/slapd-instance/db/userRoot/id2entry.db

id 7 dn: cn=HR Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Manager
ou: groups
description: People who can manage HR entries
creatorsName: cn=Directory Manager
modifiersName: cn=Directory Manager
createTimestamp: 20050408230424Z
modifyTimestamp: 20050408230424Z
nsUniqueId: 8b465f73-1dd211b2-807fd340-d7f40000
parentid: 3
entryid: 7
entrydn: cn=hr managers,ou=groups,dc=example,dc=com

Example 9.11. Displaying the Contents of entryrdn Index

# dbscan -f /var/lib/dirsrv/slapd-instance/db/userRoot/entryrdn.db -k "dc=example,dc=com"

dc=example,dc=com
ID: 1; RDN: "dc=example,dc=com"; NRDN: "dc=example,dc=com"
C1:dc=example,dc=com
ID: 2; RDN: "cn=Directory Administrators"; NRDN: "cn=directory administrators"
2:cn=directory administrators
ID: 2; RDN: "cn=Directory Administrators"; NRDN: "cn=directory administrators"
P2:cn=directory administrators
ID: 1; RDN: "dc=example,dc=com"; NRDN: "dc=example,dc=com"
C1:dc=example,dc=com
ID: 3; RDN: "ou=Groups"; NRDN: "ou=groups"
3:ou=groups
ID: 3; RDN: "ou=Groups"; NRDN: "ou=groups"
[...]

9.4. DS-LOGPIPE.PY
The named pipe log script can replace any of the Directory Server log files (access, errors,
and audit) with a named pipe. That pipe can be attached to another script which can
process the log data before sending it to output, such as only writing lines that match a
certain pattern or are of a certain event type.

Using a named pipe script provides flexibility:

The error log level can be set very high for diagnosing an issue to create a log of
only the last few hundred or thousand log messages, without a performance hit.

Messages can be filtered to keep only certain events of interest. For example, the
named pipe script can record only failed BIND attempts in the access log, and other
events are discarded.

The script can be used to send notifications when events happen, like adding or
deleting a user entry or when a specific error occurs.

Syntax

ds-logpipe.py /path/to/named_pipe [ --user pipe_user ] [ --maxlines number ] [[ --serverpidfile file.pid ] | [ --serverpid PID ]] [ --servertimeout seconds ] [ --plugin=/path/to/plugin.py | [ pluginfile.arg=value ]]

Options
Several of the options that can be used with ds-logpipe.py have abbreviated arguments.

Table 9.6. ds-logpipe.py Options

Option                Abbreviation   Description

/path/to/named_pipe                  Required. The full path and name of the pipe to which the server will send the logging data. If SELinux is in enforcing mode, then the named pipe must be in the instance's default log directory (/var/log/dirsrv/slapd-instance) so that the Directory Server can access and run the pipe file without violating SELinux rules.

--user                -u             The user ID to which the named pipe will be chowned. Any files created by plug-ins will also be owned by that user.

--maxlines            -m             The number of lines to keep in the buffer. The default is 1000.

--serverpidfile       -s             The name of the file which contains the PID of the server. By default, this is /var/run/dirsrv/slapd-instance.pid. This option allows you to start and stop the named pipe with the server process.

--serverpid                          The process ID for the server. The server must already be running to use this argument.

--servertimeout       -t             The amount of time, in seconds, to wait for the PID file to be created and for the process to be running. The default is 60 (seconds).

--plugin                             Gives the name of a plug-in to call which defines a function to call with each line read from the pipe. An optional pre-function can be given to call when the plug-in is loaded, and an optional post-function can be given to run when the script exits. This file must be a Python script and must end in .py. Arguments can be passed to the plug-in using the pluginfile.arg option.

pluginfile.arg                       Defines a plug-in argument. pluginfile is the name of the plug-in and each arg is the name of the argument for that plug-in. For example, to pass an argument named ldifinput to a plug-in named exampleplug, the argument would be exampleplug.ldifinput.

Examples
The procedures for configuring the server for named pipe logging are covered in
Section 7.5, “Replacing Log Files with a Named Pipe”.

The most basic usage of the named pipe log script points to only the named pipe.

Example 9.12. Basic Named Pipe Log Script

# ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe

NOTE

When the script exits (either because it completes or because it is terminated
through a SIGTERM or Ctrl+C), the script dumps the last 1000 lines of the
error log to standard output.

The script can be run in the background, and you can interactively monitor the output. In
that case, the command kill -1 %1 can be used to tell the script to dump the last 1000
lines of the buffer to stdout, and continue running in the background.

Example 9.13. Running the Named Pipe Log Script in the Background

# ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe &


To simply dump the last 1000 lines when the script exits (or is killed or interrupted) and
save the output to a file automatically, redirect the script output to a user-defined file.

Example 9.14. Saving the Output from the Named Pipe Log Script

# ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe > /etc/dirsrv/myerrors.log 2>&1

The named pipe script can be configured to start and stop automatically with the
Directory Server process. This requires the name of the server's PID file, to which the
script's PID is written while the script is running, given with the -s argument. The PID for
the server can be referenced either by pointing to the server PID file or by giving the actual
process ID number (if the server process is already running).

Example 9.15. Specifying the Server PID

# ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe --serverpidfile /var/run/dirsrv/slapd-example.pid

A plug-in can be called to read the log data from the named pipe and perform some
operation on it.

Example 9.16. Named Pipe Log Script with a Related Plug-in

# ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe --plugin=/usr/share/dirsrv/data/logregex.py logregex.regex="warning"

In Example 9.16, “Named Pipe Log Script with a Related Plug-in”, only log lines containing
the string warning are stored in the internal buffer and printed when the script exits.

If no plug-in is passed with the script arguments, the script just buffers 1000 log lines (by
default) and prints them upon exit. There are two plug-ins provided with the script:

logregex.py keeps only log lines that match the given regular expression. The
plug-in argument has the format logregex.regex=pattern to specify the string or
regular expression to use. There can be multiple logregex.regex arguments, which
are all treated as AND conditions: the error log line must match all given
arguments. To allow any matching log line to be recorded (OR), use a single
logregex.regex argument with a pipe (|) between the strings or expressions. See
the pcre or Python regular expression documentation for more information about
regular expressions and their syntax.

failedbinds.py logs only failed BIND attempts, so this plug-in is only used for the
access log. This takes the option failedbinds.logfile=/path/to/access.log, which
is the file that the actual log messages are written to. This plug-in is an example of a
complex plug-in that does quite a bit of processing and is a good place to reference
to do other types of access log processing.
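As an added example, not code shipped with Directory Server and not the failedbinds.py plug-in itself, here is the correlation a failed-BIND filter has to perform on access log lines: the BIND line carries the bind DN and the later RESULT line carries the error code, and the two are paired by their conn= and op= numbers. The access log lines are constructed for the example (err=49 is LDAP invalidCredentials); the FailedBindDetector class, failed_binds and failures_by_dn are the example's own names. The plugin_init, plugin and plugin_close hooks at the end, and the rule that a plug-in keeps a line by returning True, are assumptions drawn from the description of --plugin above, so compare them with the logregex.py shipped in /usr/share/dirsrv/data/ before wiring the detector into ds-logpipe.py.

```python
import re
from collections import Counter

# Patterns for the two access log lines that together describe one BIND.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


class FailedBindDetector:
    """Remembers BIND lines whose RESULT has not arrived yet and reports each
    BIND whose RESULT carries a non-zero error code."""

    def __init__(self):
        self.pending = {}    # (conn, op) -> bind DN, awaiting its RESULT line
        self.failures = []   # failure records in log order

    def feed(self, line):
        """Process one log line. Returns the failure record when this line is
        the RESULT of a failed BIND, otherwise None."""
        m = BIND_RE.search(line)
        if m:
            self.pending[(m.group(1), m.group(2))] = m.group(3)
            return None
        m = RESULT_RE.search(line)
        if not m:
            return None
        key = (m.group(1), m.group(2))
        dn = self.pending.pop(key, None)
        if dn is None or m.group(3) == "0":
            return None  # RESULT of a non-BIND operation, or a successful BIND
        record = {"conn": key[0], "op": key[1],
                  "dn": dn or "<anonymous>", "err": int(m.group(3))}
        self.failures.append(record)
        return record


def failed_binds(lines):
    """Run the detector over a sequence of access log lines."""
    detector = FailedBindDetector()
    for line in lines:
        detector.feed(line)
    return detector.failures


def failures_by_dn(lines):
    """Count failed BINDs per DN, the figure an alerting threshold would watch."""
    return Counter(r["dn"] for r in failed_binds(lines))


# Constructed sample access log: two failed simple binds for the same user
# around a successful Directory Manager bind, a search, and an anonymous bind.
SAMPLE_LINES = [
    '[08/Apr/2005:23:04:24 -0400] conn=5 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3',
    '[08/Apr/2005:23:04:24 -0400] conn=5 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
    '[08/Apr/2005:23:04:25 -0400] conn=6 op=0 BIND dn="cn=Directory Manager" method=128 version=3',
    '[08/Apr/2005:23:04:25 -0400] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"',
    '[08/Apr/2005:23:04:26 -0400] conn=6 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL',
    '[08/Apr/2005:23:04:26 -0400] conn=6 op=1 RESULT err=0 tag=101 nentries=1 etime=0',
    '[08/Apr/2005:23:04:30 -0400] conn=7 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3',
    '[08/Apr/2005:23:04:30 -0400] conn=7 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
    '[08/Apr/2005:23:04:31 -0400] conn=8 op=0 BIND dn="" method=128 version=3',
    '[08/Apr/2005:23:04:31 -0400] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
]

# ds-logpipe.py hook functions. ASSUMED names and contract (keep a line by
# returning True): verify against the shipped logregex.py before use.
_DETECTOR = FailedBindDetector()


def plugin_init(args):
    """Pre-function: called once when the plug-in is loaded; args are the
    pluginfile.arg values. Nothing to configure here."""
    return True


def plugin(line):
    """Per-line function: keep only the RESULT line of a failed BIND."""
    return _DETECTOR.feed(line) is not None


def plugin_close():
    """Post-function: called when the script exits."""
    return None


if __name__ == "__main__":
    for rec in failed_binds(SAMPLE_LINES):
        print(rec)
    print(dict(failures_by_dn(SAMPLE_LINES)))
```

The pending dictionary is what makes the filter correct: matching on RESULT err=49 alone would also catch failures of non-BIND operations, and matching on BIND lines alone would keep successful binds. Pending entries for connections that are closed before a RESULT arrives stay in the dictionary; a long-running deployment would also drop them on the "closed" line for that conn.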


9.5. DN2RDN
Versions of Directory Server older than 9.0 used the entrydn index to help map the entry
IDs in the id2entry.db4 database to the full DNs of the entry. (One side effect of this was
that modrdn operations could only be done on leaf entries, because there was no way to
identify the children of an entry and update their DNs if the parent DN changed.) When
subtree-level renames are allowed, then the ID-to-entry mapping is done using the
entryrdn index with the id2entry.db database.

After an upgrade, instances of Directory Server may still be using the entrydn index. The
dn2rdn tool has one purpose: to convert the entry index mapping from a DN-based format
to an RDN-based format, by converting the entrydn index to entryrdn.

NOTE

The dn2rdn tool is in the /usr/sbin/ directory, since it is always run on the
local Directory Server instance.

Syntax

dn2rdn

dn2rdn does not have any options other than -Z instance_name.

Examples
Apart from -Z instance_name, the dn2rdn tool takes no options, since it always converts the
local entrydn index to entryrdn.

# dn2rdn -Z instance_name


CHAPTER 10. COMMAND-LINE SCRIPTS


This chapter provides information on the scripts for managing Red Hat Directory Server,
such as backing up and restoring the database. Scripts are a shortcut way of executing the
ns-slapd interface commands that are documented in Appendix A, Using the ns-slapd
Command-Line Utilities.

10.1. FINDING AND EXECUTING COMMAND-LINE SCRIPTS


In Red Hat Directory Server 10, the scripts are located in the following directories:

The core scripts are located in the /usr/sbin/ and /usr/bin/ directories.

Scripts running on instances are stored in the /usr/sbin/ directory. Use the -Z
instance_name option with the commands in order to set the instance the script
should be executed on.

NOTE

The /usr/lib64/dirsrv/slapd-instance/ directory previously used for
command-line scripts is deprecated. However, until the instance-specific
scripts are removed in a future Directory Server release, existing scripts in this
directory are updated when running the setup-ds.pl --update command.

For further details and a list of scripts, see Chapter 10, Command-Line Scripts.

All the instance-specific scripts also exist in /usr/sbin/. All the other scripts are only
located in /usr/bin/.

When scripts request either a directory name or a file name, always provide the absolute
path. The scripts expect the dse.ldif file is located in the /etc/dirsrv/slapd-instance/
directory.

Table 10.1, “Shell Scripts” and Table 10.2, “Perl Scripts” list the available Directory Server
scripts and specify their exact locations.

10.2. COMMAND-LINE SCRIPTS QUICK REFERENCE


Specifying the Server Instance and Protocol
You can update any instance on the system and control the protocol used to connect to the
LDAP server by calling a single script. The following command-line options can be used with
core scripts:

-Z
This option takes one parameter, the server instance identifier. The script uses the
identifier to get information such as the server location, or necessary configuration
settings including port number, root DN, and security settings. The server instance
identifier can be retrieved as part of the directory name in /etc/dirsrv/. For example, if
your instance is located in /etc/dirsrv/slapd-localhost/, then localhost is the
identifier:

# db2ldif -Z localhost -a /tmp/db.ldif -n userRoot


The instance-specific scripts use -Z automatically by default.

-P
This option only applies to Perl scripts and takes a protocol name as a parameter. If you
do not supply the -P option or supply an invalid protocol name, the script attempts to
use the most secure protocol available to the server instance. The supported protocols
are StartTLS, LDAPS, LDAPI, and LDAP; this sequence also defines the order the script
uses if fallback is needed.

Table 10.1. Shell Scripts

Script Name        Description    Location

bak2db             Restores the database from the most recent archived backup.    /usr/sbin/

cl-dump            Dumps and decodes the change log.    /usr/bin/

db2bak             Creates a backup of the current database contents.    /usr/sbin/

db2ldif            Exports the contents of the database to LDIF.    /usr/sbin/

db2index           Reindexes the database index files.    /usr/sbin/

dbverify           Checks back end database files.    /usr/sbin/

ds_removal         Removes a server instance.    /usr/bin/

ldif2db            Imports LDIF files to the database. Runs the ns-slapd command-line utility with the ldif2db keyword.    /usr/sbin/

ldif2ldap          Performs an import operation over LDAP to the Directory Server.    /usr/sbin/

monitor            Retrieves performance monitoring information using the ldapsearch command-line utility.    /usr/sbin/

pwdhash            Prints the encrypted form of a password using one of the server's encryption algorithms. If a user cannot log in, use this script to compare the user's password to the password stored in the directory.    /usr/bin/

repl-monitor       Provides in-progress status of replication.    /usr/bin/

restart-dirsrv     Restarts a single Directory Server instance or all Directory Server instances.    /usr/sbin/

restart-ds-admin   Restarts the Administration Server instance.    /usr/sbin/

restart-slapd      Restarts Directory Server.    /usr/sbin/

restoreconfig      Restores by default the most recently saved Administration Server configuration to the NetscapeRoot partition.    /usr/sbin/

saveconfig         Saves the Administration Server configuration stored in the NetscapeRoot database to the /var/lib/dirsrv/slapd-instance/bak directory.    /usr/sbin/

start-slapd        Starts Directory Server.    /usr/sbin/

start-dirsrv       Starts a single Directory Server instance or all Directory Server instances.    /usr/sbin/

start-ds-admin     Starts the Administration Server instance.    /usr/sbin/

stop-dirsrv        Stops a single Directory Server instance or all Directory Server instances.    /usr/sbin/

stop-ds-admin      Stops the Administration Server instance.    /usr/sbin/

stop-slapd         Stops Directory Server.    /usr/sbin/

suffix2instance    Maps a suffix to a back end name.    /usr/sbin/

upgradednformat    Migrates older DN syntax formats to RFC 4514 compliant formats.    /usr/sbin/

vlvindex           Creates and generates virtual list view (VLV) indexes.    /usr/sbin/

Table 10.2. Perl Scripts

Script Name                Description    Location

bak2db.pl                  Restores the database from the most recent archived backup.    /usr/sbin/

cl-dump.pl                 Dumps and decodes the change log.    /usr/bin/

db2bak.pl                  Creates a backup of the current database contents.    /usr/sbin/

db2index.pl                Creates and regenerates indexes.    /usr/sbin/

db2ldif.pl                 Exports the contents of the database to LDIF.    /usr/sbin/

fixup-linkedattrs.pl       Goes through all of the linked attributes in entries and updates the corresponding entries to have the correct managed attributes (and values).    /usr/sbin/

fixup-memberof.pl          Regenerates the memberOf on user entries to reflect changes in group membership.    /usr/sbin/

ldif2db.pl                 Imports LDIF files to a database and runs the ns-slapd command-line utility with the ldif2db keyword.    /usr/sbin/

logconv.pl                 Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events.    /usr/bin/

migrate-ds-admin.pl        Migrates a Directory Server 7.1 instance.    /usr/bin/

ns-accountstatus.pl        Provides account status information to establish whether an entry or group of entries is locked.    /usr/sbin/

ns-activate.pl             Activates an entry or a group of entries by unlocking them.    /usr/sbin/

ns-inactivate.pl           Deactivates an entry or a group of entries.    /usr/sbin/

ns-newpwpolicy.pl          Adds relevant entries required for the fine-grained (user- and subtree-level) password policy.    /usr/sbin/

register-ds-admin.pl       Re-registers a Directory Server instance with the local Administration Server.    /usr/sbin/

remove-ds.pl               Removes a Directory Server instance.    /usr/sbin/

remove-ds-admin.pl         Removes a Directory Server instance and its associated Administration Server instance.    /usr/sbin/

repl-monitor.pl            Provides in-progress status of replication.    /usr/bin/

setup-ds.pl                Creates or recreates a Directory Server instance.    /usr/sbin/

setup-ds-admin.pl          Creates a new Directory Server instance and local Administration Server instance.    /usr/sbin/

schema-reload.pl           Reloads schema dynamically into the server instance.    /usr/sbin/

syntax-validate.pl         Checks existing data in a database to find any syntax violations in the attribute values.    /usr/sbin/

usn-tombstone-cleanup.pl   Deletes tombstone entries managed by the update sequence number plug-in for a server instance (as opposed to the replication tombstone entries).    /usr/sbin/

verify-db.pl               Checks back end database files.    /usr/sbin/

10.3. SHELL SCRIPTS


This section covers the following scripts:

Section 10.3.1, “bak2db (Restores a Database from Backup)”

Section 10.3.2, “cl-dump (Dumps and Decodes the Changelog)”

Section 10.3.3, “db2bak (Creates a Backup of a Database)”

Section 10.3.4, “db2ldif (Exports Database Contents to LDIF)”

Section 10.3.5, “db2index (Reindexes Database Index Files)”


Section 10.3.7, “dbverify (Checks for Corrupt Databases)”

Section 10.3.8, “ds_removal”

Section 10.3.9, “ds-replcheck (Check Replication Status Between Two Databases)”

Section 10.3.10, “ldif2db (Import)”

Section 10.3.11, “ldif2ldap (Performs Import Operation over LDAP)”

Section 10.3.12, “monitor (Retrieves Monitoring Information)”

Section 10.3.14, “pwdhash (Encrypts Passwords)”

Section 10.3.13, “repl-monitor (Monitors Replication Status)”

Section 10.3.15, “restart-dirsrv (Restarts the Directory Server)”

Section 10.3.16, “restart-ds-admin (Restarts the Administration Server)”

Section 10.3.17, “restart-slapd (Restarts the Directory Server)”

Section 10.3.18, “restoreconfig (Restores Administration Server Configuration)”

Section 10.3.19, “saveconfig (Saves Administration Server Configuration)”

Section 10.3.20, “start-dirsrv (Starts the Directory Server)”

Section 10.3.21, “start-ds-admin (Starts the Administration Server)”

Section 10.3.22, “start-slapd (Starts the Directory Server)”

Section 10.3.24, “stop-dirsrv (Stops the Directory Server)”

Section 10.3.25, “stop-ds-admin (Stops the Administration Server)”

Section 10.3.26, “stop-slapd (Stops the Directory Server)”

Section 10.3.27, “suffix2instance (Maps a Suffix to a Backend Name)”

Section 10.3.28, “upgradednformat”

Section 10.3.29, “vlvindex (Creates Virtual List View Indexes)”

Some of the shell scripts can be executed while the server is running. For others, the server
must be stopped. The description of each script below indicates whether the server must be
stopped or if it can continue to run while executing the script.

When a shell script has a Perl equivalent, there is a cross-reference to the section
describing the equivalent Perl script.

10.3.1. bak2db (Restores a Database from Backup)


Restores the database from the most recent archived backup. To run this script, the server
must be stopped.


NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

bak2db backupDirectory

Options

Table 10.3. bak2db Options

Option Description

backupDirectory Gives the backup directory path.

For information on the equivalent Perl script, see Section 10.4.1, “bak2db.pl (Restores a
Database from Backup)”. For more information on restoring databases, see the "Populating
Directory Databases" chapter in the Red Hat Directory Server Administration Guide. For
more information on using filesystem replica initialization, see the "Managing Replication"
chapter in the Red Hat Directory Server Administration Guide.

10.3.2. cl-dump (Dumps and Decodes the Changelog)


Troubleshoots replication-related problems. cl-dump is a shell script wrapper of cl-dump.pl
to set the appropriate library path.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

cl-dump -h host -p port -D bindDn [ -w bindPassword | -P bindCert ] -r replicaRoots -o outputFile [ -c ] [ -v ]

cl-dump [ -i changelogFile ] [ -o outputFile ] [ -c ]

Options
Without the -i option, the script must be run when the Directory Server is running from a
location from which the server's changelog directory is accessible.

Table 10.4. cl-dump Options

Option             Description

-c                 Dumps and interprets CSN only. This option can be used with or without the -i option.

-D bindDn          Specifies the Directory Server's bind DN. Defaults to cn=Directory Manager if the option is omitted.

-h host            Specifies the Directory Server's host. This defaults to the server where the script is running.

-i changelogFile   Specifies the path to the changelog file. If there is a changelog file and if certain changes in that file are base-64 encoded, use this option to decode that changelog.

-o outputFile      Specifies the path, including the filename, for the final result. Defaults to STDOUT if omitted.

-p port            Specifies the Directory Server's port. The default value is 389.

-P bindCert        Specifies the path, including the filename, to the certificate database that contains the certificate used for binding.

-r replicaRoots    Specifies the replica roots whose changelog to dump. When specifying multiple roots, use commas to separate roots. If the option is omitted, all the replica roots will be dumped.

-v                 Prints the version of the script.

-w bindPassword    Specifies the password for the bind DN.

For information on the equivalent Perl script, see Section 10.4.2, “cl-dump.pl (Dumps and
Decodes the Changelog)”.

10.3.3. db2bak (Creates a Backup of a Database)


Creates a backup of the current database contents. This script can be executed while the
server is running or stopped.


IMPORTANT

If the database being backed up is a master database, meaning it keeps a
changelog, then it must be backed up using the db2bak.pl Perl script or using
the Directory Server Console if the server is kept running. The changelog only
writes its RUV entries to the database when the server is shut down; while the
server is running, the changelog keeps its changes in memory. For the Perl
script and the Console, these changelog RUVs are written to the database
before the backup process runs. However, that step is not performed by the
command-line script.

db2bak should not be run on a running master server. Either use the Perl
script or stop the server before performing the backup.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

db2bak [ backupDirectory ]

For information on the equivalent Perl script, see Section 10.4.4, “db2bak.pl (Creates a
Backup of a Database)”.

10.3.4. db2ldif (Exports Database Contents to LDIF)


Exports the contents of the database to LDIF. This script can be executed while the server
is still running, except with the -r option. To export the replication state information, shut
down the server first, then run db2ldif with -r.

NOTE

db2ldif uses the entryrdn index to order the parent-child entries when it
exports the database; this enables the exported LDIF file to be used for
import, since the proper hierarchy of parent and child entries is preserved. If
the entryrdn index is unavailable for some reason, then db2ldif uses the
parentid key for each entry to identify the parent and export it before the
child entry. This second method allows the export operation to succeed, but
the operation may take a long time to complete.

For information on the equivalent Perl script, see Section 10.4.6, “db2ldif.pl (Exports
Database Contents to LDIF)”.

For the shell scripts, the script runs the ns-slapd command-line utility with the db2ldif
keyword. Ellipses (...) indicate that multiple occurrences are allowed.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.


Syntax

db2ldif [[ -n backendInstance ] | [ -s includeSuffix ]] [ -x excludeSuffix ] [ -r ] [ -C ] [ -u ] [ -U ] [ -m ] [ -M ] [ -a outputFile ] [ -1 ] [ -N ] [ -E ]

Options
Either the -n or the -s option must be specified. By default, the output LDIF will be stored
in one file. To specify the use of several files, use the option -M.

Table 10.5. db2ldif Options

Option               Description

-1                   Deletes, for reasons of backward compatibility, the first line of the LDIF file which gives the version of the LDIF standard.

-a outputFile        Gives the name of the output LDIF file.

-C                   Uses only the main database file.

-E                   Decrypts encrypted data during export. This option is used only if database encryption is enabled.

-m                   Sets minimal base-64 encoding.

-M                   Uses multiple files for storing the output LDIF, with each instance stored in instance filename (where filename is the filename specified for the -a option).

-n backendInstance   Gives the instance to be exported.

-N                   Specifies that the entry IDs are not to be included in the LDIF output. The entry IDs are necessary only if the db2ldif output is to be used as input to db2index.

-r                   Exports the information required to initialize a replica when the LDIF is imported. Using this option requires that the server be stopped first; then run the db2ldif command.

                     The LDIF file which is created with db2ldif can be imported using ldif2db. When it is imported, if the -r option was used, then the database is automatically initialized as a replica.

                     See Section 10.3.10, “ldif2db (Import)” for information on importing an LDIF file.

-s suffix_name       Names the suffixes to be included or the subtrees to be included if -n has been used.

-u                   Requests that the unique ID is not exported.

-U                   Requests that the output LDIF is not folded.

-x suffix_name       Names the suffixes to be excluded.

10.3.5. db2index (Reindexes Database Index Files)


Reindexes the database index files. Ellipses indicate that multiple occurrences are allowed.

NOTE

db2index uses the entryrdn index to order the parent-child entries when it
indexes the database to preserve the proper hierarchy of parent and child
entries. If the entryrdn index is unavailable for some reason, then db2index
uses the parentid key for each entry to identify the parent. This second
method allows the index operation to succeed, but the operation may take a
long time to complete.

For information on the equivalent Perl script, see Section 10.4.5, “db2index.pl (Creates and
Generates Indexes)”.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

db2index [[ -n backendInstance ] | [ -s includeSuffix ]] [ -t [attributeName{:indextypes(:matchingrules)}] ] [ -T vlvAttribute ]

Usage
Here are a few sample commands:

Reindex all the database index files:

# db2index

Reindex cn and givenname in the database instance userRoot:

# db2index -n userRoot -t cn -t givenname

Reindex cn in the database where the root suffix is dc=example,dc=com:

# db2index -s "dc=example,dc=com" -t cn

Options

Table 10.6. db2index Options

Option Description

-n backendInstance  Gives the name of the instance to be reindexed.

-s includeSuffix  Gives suffixes to be included or the subtrees to be included if -n has been used.

-t attributeName{:indextypes(:matchingrules)}  Names of the attributes to be reindexed. Optionally, this can include the index type (eq, pres, sub, approx) and a matching rule OID.

-T vlvAttributeName  Gives the names of the VLV attributes to be reindexed. The name is the VLV index object's common name in cn=config.

10.3.6. dbmon.sh (Database Monitoring and Entry Cache Usage)


The dbmon.sh script enables you to monitor the Directory Server database and entry cache
usage. You can use the values the script displays to tune the database, entry and DN
cache.

When running, dbmon.sh continuously returns database information until you terminate the
script by pressing the Ctrl+C keyboard shortcut.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax
[ INCR=seconds ] [ SERVID=server_identifier ] [ BINDDN=bind_DN ] [ BINDPW=bind_password ] [ DBLIST=databases ] [ INDEXLIST=indexes ] [ VERBOSE=level ] dbmon.sh

Options
The dbmon.sh script does not take any command-line options. You can specify additional
options by using environment variables. For example:

# SERVID=slapd-instance_name BINDPW=password dbmon.sh

Option Parameter Description

INCR  seconds  Returns output every period set in this option. Default: 1 second

SERVID  server_identifier  Sets the server instance name. Using the instance name, Directory Server automatically uses secure connections to the server, if encryption is enabled on the instance.

BINDDN  bind_DN  DN used to bind to the directory. The account specified must have read permissions for the cn=config entry and sub entries. Default: cn=Directory Manager

BINDPW  bind_password  Password for the bind DN. Default: secret

DBLIST  databases  Space-separated list of databases to check. Enter the list in quotes or escape spaces. Default: all databases

INDEXLIST  indexes  Space-separated list of indexes to show for every database. Enter the list in quotes or escape spaces. To display all indexes, set the parameter to all. Default: none

VERBOSE  level  Sets the output level. Default: 0

  Available values:

  0 : Standard output that is suitable for parsing by a script.

  1 : In addition, show column headings.

  2 : In addition, show column headings and detailed description of the data.

10.3.7. dbverify (Checks for Corrupt Databases)


Verifies the backend database files. If the server crashes because of a corrupted database,
this command can be used to verify the integrity of the different database files to help
isolate any problems.

IMPORTANT

Never run dbverify when a modify operation is in progress. This command
calls the BerkeleyDB utility db_verify and does not perform any locking. This
can lead to data corruption if the script is run at the same time as a modify. If
that occurs, an entry will be recorded in the error log:

DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
DB ERROR: db_verify: DB->verify: db/mstest2/uid.db: DB_VERIFY_BAD: Database verification failed
Secondary index file uid.db in db/mstest2 is corrupted.
Please run db2index(.pl) for reindexing.

Run db2index -t uid to avoid rebuilding all of the indexes or export and
reimport all of the databases using db2ldif and ldif2db.
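As an added example (not part of this reference or of dbverify), the following Python picks the corrupted index files out of error log lines like the ones above and builds the narrower db2index -t invocation the text recommends instead of a full rebuild. The log lines are constructed from the sample shown, and the mapping from the db directory to the backend instance name is an assumption noted in the code.

```python
"""Find corrupted secondary index files in Directory Server error log lines and
suggest the matching db2index command. Added example; assumption: the last
component of the reported db directory (db/mstest2 -> mstest2) is the backend
instance name that db2index -n expects."""
import re

# The two line shapes from the dbverify note above.
VERIFY_BAD_RE = re.compile(r"db_verify: DB->verify: (?P<path>\S+): DB_VERIFY_BAD")
CORRUPT_RE = re.compile(r"Secondary index file (?P<file>\S+) in (?P<dir>\S+) is corrupted")

# Constructed sample: the lines from the text plus a second index in the same backend.
SAMPLE_LOG = [
    "DB ERROR: db_verify: Page 3527: out-of-order key at entry 42",
    "DB ERROR: db_verify: DB->verify: db/mstest2/uid.db: DB_VERIFY_BAD: Database verification failed",
    "Secondary index file uid.db in db/mstest2 is corrupted.",
    "Please run db2index(.pl) for reindexing.",
    "DB ERROR: db_verify: DB->verify: db/mstest2/mail.db: DB_VERIFY_BAD: Database verification failed",
    "Secondary index file mail.db in db/mstest2 is corrupted.",
    "Please run db2index(.pl) for reindexing.",
]


def corrupted_indexes(lines):
    """Return {db_dir: sorted attribute names} for every index file reported as
    corrupted, whether by the DB_VERIFY_BAD line or by the summary line."""
    found = {}
    for line in lines:
        m = VERIFY_BAD_RE.search(line)
        if m:
            db_dir, _, fname = m.group("path").rpartition("/")
        else:
            m = CORRUPT_RE.search(line)
            if not m:
                continue
            db_dir, fname = m.group("dir"), m.group("file")
        attr = fname[:-3] if fname.endswith(".db") else fname   # uid.db -> uid
        found.setdefault(db_dir, set()).add(attr)
    return {d: sorted(attrs) for d, attrs in found.items()}


def reindex_commands(found):
    """One db2index command per backend, limited to the damaged indexes."""
    cmds = []
    for db_dir, attrs in sorted(found.items()):
        instance = db_dir.rstrip("/").rsplit("/", 1)[-1]   # assumption, see module docstring
        cmds.append("db2index -n " + instance + "".join(f" -t {a}" for a in attrs))
    return cmds


if __name__ == "__main__":
    for cmd in reindex_commands(corrupted_indexes(SAMPLE_LOG)):
        print(cmd)
```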

dbverify is a shell script wrapper of verify-db.pl to set the appropriate library path.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

dbverify [ -a /path/to/database_directory ]

Options

Table 10.7. dbverify Options

Option Description

-a path  Gives the path to the database directory. If this option is not passed with the verify-db.pl command, then it uses the default database directory, /var/lib/dirsrv/slapd-instance/db.

For information on the equivalent Perl script, see Section 10.4.26, “verify-db.pl (Check for
Corrupt Databases)”.

10.3.8. ds_removal
The ds_removal tool removes a single instance of Directory Server. The server instance
usually must be running when this script is run so that the script can bind to the instance. It
is also possible to force the script to run, which may be necessary if there was an
interrupted installation process or the instance is corrupted or broken so that it cannot run.

When the instance is removed, it is shut down and all of its configuration files are removed.
Certificate database files, like cert8.db and key3.db, are not removed, so the remaining
instance directory is renamed removed.slapd-instance.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

ds_removal [ -f ] -s instance_name -w manager_password

Options

Option Parameter Description

-f  Forces the removal of the instance. This can be useful if the instance is not running but must be removed anyway.

-s  instance_name  The name of the instance to remove.

-w  manager_password  The Directory Manager password to use to bind to the instance.

10.3.9. ds-replcheck (Check Replication Status Between Two Databases)

The ds-replcheck utility compares two Directory Server instances or LDIF-formatted files
to identify if they are synchronized. For further details, see the Comparing Two Directory
Server Instances section in the Red Hat Directory Server Administration Guide.

Syntax
ds-replcheck [ -h ] [ -v ] [ -o file_name ] [ -D bind_DN ] [ -w bind_password ] [ -W ] [ -m
LDAP_URL_of_master ] [ -r LDAP_URL_of_replica ] [ -b suffix ] [ -l lag_time ] [ -c ] [ -Z
certificate_directory ] [ -i attribute_list ] [ -p page_size ] [ -M master_LDIF_file ] [ -R
replica_LDIF_file ]

Options

Option Parameter Description

-h  Displays usage information.

-v  Enables the verbose mode.

-D  bind_DN  Sets the DN used to bind to the directory.

-w  bind_password  Sets the password for the bind DN.

-W  Asks for the password for the bind DN.

-m  LDAP_URL_of_master  Sets the URL to the master server.

-r  LDAP_URL_of_replica  Sets the URL to the replica server.

-b  suffix  Sets the LDAP suffix to compare.

-l  lag_time  Sets the amount of time in seconds to ignore inconsistencies. Default: 300 seconds

-c  Displays verbose conflict information.

-Z  certificate_directory  Sets the path to the certificate database directory for secure connections.

-i  attribute_list  Specifies a comma-separated list of attributes to ignore.

-p  page_size  Sets the number of entries per page that is displayed.

-M  master_LDIF_file  Sets the path to the master LDIF file when comparing two files.

-R  replica_LDIF_file  Sets the path to the replica LDIF file when comparing two files.

10.3.10. ldif2db (Import)


Runs the ns-slapd command-line utility with the ldif2db keyword. To run this script, the
server must be stopped. Ellipses indicate that multiple occurrences are allowed.

For information on the equivalent Perl script, see Section 10.4.9, “ldif2db.pl (Import)”.

NOTE

ldif2db supports LDIF version 1 specifications. An attribute can also be loaded
using the :< URL specifier notation; for example:

jpegphoto:< file:///tmp/myphoto.jpg

Although the official notation requires three slashes (///), the use of one (/) is
accepted. For further information on the LDIF format, see the "Managing Directory
Entries" chapter in the Red Hat Directory Server Administration Guide.
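An added example, not code from Red Hat Directory Server or ldif2db: a small LDIF version 1 reader that implements the :< URL value form described in the note, accepting both file:///path and the lenient single-slash file:/path while rejecting other URL schemes and remote hosts, and that also decodes :: base64 values and unfolds continuation lines. The sample LDIF, the photo bytes and the temporary file it references are constructed.

```python
"""LDIF version 1 reader for the ':<' URL value form noted above. Added example,
not code from Red Hat Directory Server or ldif2db. Accepts 'file:///path' and the
lenient 'file:/path', decodes '::' base64 values and unfolds continuation lines."""
import base64
import os
import tempfile
from urllib.parse import unquote

# Constructed stand-in for a binary attribute value (not a real JPEG).
PHOTO_BYTES = b"\xff\xd8\xff\xe0constructed-photo-bytes\xff\xd9"


def file_url_to_path(url):
    """'file:///tmp/x' (empty authority) and the lenient 'file:/tmp/x' both give
    '/tmp/x'; other schemes and remote hosts are rejected so an LDIF file cannot
    make the importer fetch arbitrary URLs."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "file":
        raise ValueError(f"unsupported URL: {url!r}")
    if rest.startswith("///"):
        path = rest[2:]
    elif rest.startswith("//"):
        raise ValueError(f"remote file URLs are not supported: {url!r}")
    elif rest.startswith("/"):
        path = rest
    else:
        raise ValueError(f"relative file URL: {url!r}")
    return unquote(path)


def unfold(lines):
    """Join folded lines: a line beginning with one space continues the previous one."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text, read_file=None):
    """Parse LDIF into entries {'dn': str, 'attrs': {name: [bytes, ...]}}.
    read_file(path) -> bytes serves ':<' values; the default reads the local file."""
    read_file = read_file or (lambda p: open(p, "rb").read())
    entries, current = [], None
    for line in unfold(text.splitlines()) + [""]:
        if line.startswith("#"):
            continue
        if not line:                      # a blank line ends the entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, raw = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if raw.startswith(":"):           # attr:: base64
            value = base64.b64decode(raw[1:].strip())
        elif raw.startswith("<"):         # attr:< url
            value = read_file(file_url_to_path(raw[1:].strip()))
        else:                             # attr: value
            value = raw.strip().encode()
        name = name.lower()
        if name == "version":
            if value != b"1":
                raise ValueError("only LDIF version 1 is supported")
        elif name == "dn":
            current = {"dn": value.decode(), "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def sample_entries():
    """Write the constructed photo to a temp file, reference it with both URL
    forms from a constructed LDIF, parse it and return the entries."""
    tmpdir = tempfile.mkdtemp()
    photo = os.path.join(tmpdir, "myphoto.jpg")
    with open(photo, "wb") as fh:
        fh.write(PHOTO_BYTES)
    ldif = "\n".join([
        "version: 1",
        "dn: uid=jdoe,ou=People,dc=example,dc=com",
        "objectClass: inetOrgPerson",
        "description: A longer value that was fol",
        " ded onto two lines",
        "mail:: " + base64.b64encode(b"jdoe@example.com").decode(),
        "jpegphoto:< file://" + photo,              # photo starts with '/': three slashes
        "usercertificate;binary:< file:" + photo,   # lenient single slash
    ])
    try:
        return parse_ldif(ldif)
    finally:
        os.remove(photo)
        os.rmdir(tmpdir)
```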

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

ldif2db [ -Z instance_name ] [[ -n backendInstance ] | [ [ -s includeSuffix ] ...]] [ -x excludeSuffix ] [ -i ldifFile ] [ -O ] [ -g string ] [ -G namespaceId ] [ -E ] [ -q ] [ -h ]

Options

Table 10.8. ldif2db Options

Option Description

-c  Merges chunk size.

-E  Encrypts data during import. This option is used only if database encryption is enabled.

-g string  Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated. When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use, as follows:

  -g deterministic namespace_id

  namespace_id is a string of characters in the format 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.

  Use this option when importing the same LDIF file into two different Directory Servers so that the contents of both directories have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server, regardless of the options specified.

-G namespaceId  Generates a namespace ID as a name-based unique ID. This is the same as specifying the -g deterministic option.

-h  Displays the usage information.

-i ldifFile  Gives the names of the input LDIF files. When multiple files are imported, they are imported in the order they are specified on the command line.

-n backendInstance  Gives the instance to be imported. Ensure that the specified instance corresponds to the suffix contained by the LDIF file; otherwise, the data contained by the database is deleted, and the import fails.

-O  Requests that only the core database is created, without attribute indexes.

-q  Enables the quiet mode and suppresses the output.

-s includeSuffix  Gives the suffixes to be included or to specify the subtrees to be included if -n has been used.

-x excludeSuffix  Gives the suffixes to be excluded.

-Z instance_name  Sets the name of the instance.

10.3.11. ldif2ldap (Performs Import Operation over LDAP)


Performs an import operation over LDAP to the Directory Server. To run this script, the
server must be running.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

ldif2ldap [ -D rootdn ] [ -w password ] [ -f filename ]

Options

Table 10.9. ldif2ldap Options

Option Description

-D rootdn  Gives a user DN with root permissions, such as Directory Manager.

-f filename  Gives the name of the file to be imported. When importing multiple files, the files are imported in the order they are specified on the command line.

-w password  Gives the password associated with the user DN.

10.3.12. monitor (Retrieves Monitoring Information)


Retrieves performance monitoring information using the ldapsearch command-line utility.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax
monitor

monitor Options
There are no options for this script.

10.3.13. repl-monitor (Monitors Replication Status)


Shows in-progress status of replication. repl-monitor is a shell script wrapper of
repl-monitor.pl to set the appropriate library path.

For more information on the Perl script, see Section 10.4.20, “repl-monitor.pl (Monitors
Replication Status)”.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

repl-monitor [ -h host ] [ -s ] [ -p port ] [ -f configFile ] [ -u refreshUrl ] [ -t refreshInterval ] [ -r ] [ -v ]

Options

Table 10.10. repl-monitor Options

Option Description

-h host  Specifies the initial replication supplier's host. The default value is the current host name.

-f configFile  Specifies the absolute path to the configuration file, which defines the connection parameters used to connect to LDAP servers to get replication information. For more information about the configuration file, see Configuration File Format.

-p port  Specifies the initial replication supplier's port. The default value is 389.

-r  If specified, causes the routine to be entered without printing the HTML header information. This is suitable when making multiple calls to this routine (such as specifying multiple, different, unrelated supplier servers) and expecting a single HTML output.

-s  Prints the report in plain text instead of in HTML format.

-t refreshInterval  Specifies the refresh interval in seconds. The default value is 300 seconds. This option must be used with the -u option.

-u refreshUrl  Specifies the refresh URL. The output HTML file may invoke a CGI program periodically. If this CGI program in turn calls this script, the effect is that the output HTML file would automatically refresh itself. This is useful for continuous monitoring. See also the -t option. The script has been integrated into Red Hat Administration Express, so that the replication status can be monitored through a web browser.

-v  Prints the version of this script.

Configuration File Format


The configuration file defines the following:

The connection parameters for connecting to the LDAP servers to get replication
information; specifying this information is mandatory.

The server alias for more readable server names; specifying this information is
optional.

The color thresholds for time lags; specifying this information is optional.

The format for the configuration file is shown below.

[connection]
host:port:binddn:bindpwd:bindcert
host:port:binddn:bindpwd:bindcert
...

[alias]
alias = host:port
alias = host:port
...

[color]
lowmark = color
lowmark = color

The connection section defines how this tool may connect to each LDAP server in the
replication topology to get the replication-agreement information. The default binddn is
cn=Directory Manager. Simple bind will be used unless bindcert is specified with the path
of a certificate database.

A server may have a dedicated or shared entry in the connection section. The script will
find out the most matched entry for a given server. For example, if all the LDAP servers
except host1 share the same binddn and bindpassword, the connection section will need to
contain just two entries:

[connection]
*:*:binddn:bindpassword:
host1:*:binddn1:bindpassword1:

In the optional alias section, use aliases such as Supplier1, Supplier2, and Hub1, to
identify the servers in the replication topology. If used, the output shows these aliases,
instead of http(s)://hostname:port.

The CSN time lags between suppliers and consumers can be displayed in different colors
based on their range. The default color set is green for 0-5 minutes lag, yellow for 5-60
minutes lag, and pink for a lag of 60 minutes or more.

The connection parameters for all the servers in a replication topology must be specified
within one configuration file. One configuration file, however, may contain information for
multiple replication topologies.

Because of the connection parameters, the replication monitoring tool does not need to
perform DES decryption of the credentials stored in the Directory Server. Each line in this
file could either be a comment started with the # character or a connection entry of the
format:

host:port:binddn:bindpwd:bindcert

host, port, and binddn can be replaced with relevant values or *, or omitted
altogether. If host is null or *, the entry may apply to any host that does not have a
dedicated entry in the file. If port is null or *, the port will default to the port stored
in the current replication agreement. If binddn is null or *, it defaults to
cn=Directory Manager.

bindcert can be replaced with the full path to the certificate database, null, or *. If
bindcert is omitted or replaced with *, the connection will be a simple bind.

For example, the configuration file may appear as follows:

#Configuration File for Monitoring Replication Via Admin Express
[connection]
*:*:*:mypassword

[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
C2 = host2.example.com:10022

[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC

A shadow port can be set in the replication monitor configuration file. For example:

host:port=shadowport:binddn:bindpwd:bindcert

When the replication monitor finds a replication agreement that uses the specified port, it
will use the shadow port to connect to retrieve statistics.
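The configuration file format above, worked through in Python as an added example (not repl-monitor.pl's own code): the reader handles the three sections, * and omitted wildcard fields, the default binddn, the host:port=shadowport form, aliases and color thresholds, and picks the most matched [connection] entry for a server. How specificity is scored, the assumption that DNs and passwords contain no colon, and the sample configuration are this example's own.

```python
"""Reader for the repl-monitor configuration file described above: [connection],
[alias] and [color] sections, '*' or omitted wildcard fields, the port=shadowport
form and the 'most matched entry' lookup. Added example, not code from Red Hat
Directory Server or repl-monitor.pl; assumptions are marked, sample is constructed."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_BINDDN = "cn=Directory Manager"


@dataclass
class Connection:
    host: Optional[str]         # None means wildcard ('*' or omitted)
    port: Optional[int]         # None means wildcard
    shadow_port: Optional[int]  # from the host:port=shadowport form
    binddn: str
    bindpwd: str
    bindcert: Optional[str]     # None means simple bind

    def matches(self, host, port):
        return self.host in (None, host) and self.port in (None, port)

    def specificity(self):
        # Assumption: an exact host outranks an exact port; both outrank wildcards.
        return 2 * (self.host is not None) + (self.port is not None)


def _wildcard(field):
    return None if field in ("", "*") else field


def parse_connection(line):
    """host:port:binddn:bindpwd:bindcert; trailing fields may be omitted (no ':' in DNs or passwords)."""
    host, port, binddn, bindpwd, bindcert = (line.split(":") + [""] * 5)[:5]
    shadow = None
    if "=" in port:
        port, shadow = port.split("=", 1)
        shadow = int(shadow)
    port = _wildcard(port)
    return Connection(_wildcard(host), int(port) if port else None, shadow,
                      _wildcard(binddn) or DEFAULT_BINDDN, bindpwd, _wildcard(bindcert))


def parse_config(text):
    cfg = {"connection": [], "alias": {}, "color": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "connection":
            cfg["connection"].append(parse_connection(line))
        elif section == "alias":
            alias, _, target = line.partition("=")
            host, _, port = target.strip().partition(":")
            cfg["alias"][(host, int(port))] = alias.strip()
        elif section == "color":
            lowmark, _, color = line.partition("=")
            cfg["color"].append((int(lowmark), color.strip()))
        else:
            raise ValueError(f"line outside a known section: {raw!r}")
    cfg["color"].sort()
    return cfg


def lookup(cfg, host, port):
    """Most specific matching [connection] entry; a shadow port replaces the agreement port."""
    candidates = [c for c in cfg["connection"] if c.matches(host, port)]
    if not candidates:
        raise LookupError(f"no [connection] entry matches {host}:{port}")
    best = max(candidates, key=Connection.specificity)
    return {"host": host, "port": best.shadow_port or port, "binddn": best.binddn,
            "bindpwd": best.bindpwd, "bindcert": best.bindcert,
            "method": "cert" if best.bindcert else "simple"}


def display_name(cfg, host, port):
    return cfg["alias"].get((host, port), f"{host}:{port}")


def color_for_lag(cfg, lag_minutes):
    """Color of the highest lowmark (in minutes) that does not exceed the lag."""
    chosen = None
    for lowmark, color in cfg["color"]:
        if lag_minutes >= lowmark:
            chosen = color
    return chosen


# Constructed sample: a shared wildcard entry, a dedicated entry, and a shadow port.
SAMPLE_CONFIG = """
[connection]
*:*:*:mypassword
host1.example.com:*:cn=Directory Manager:secret1:
host4.example.com:10021=20021:cn=Directory Manager:secret4:/path/to/certdb
[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC
"""
```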

10.3.14. pwdhash (Encrypts Passwords)


The pwdhash utility encrypts a specified plain text password. If a user or the Directory
Manager cannot log in, use pwdhash to compare the encrypted passwords. You can also use
the generated hash to manually reset the Directory Manager's password.

The pwdhash utility uses the following storage scheme to encrypt the password:

If you pass the -s storage_scheme parameter to pwdhash, the specified scheme will be used.

If you pass the -D config_directory parameter to pwdhash, the scheme set in the
nsslapd-rootpwstoragescheme attribute will be used.

If you neither specify the path to a valid Directory Server configuration directory nor
pass a scheme to pwdhash, the utility uses the Directory Server default storage
scheme.

For further details about storage schemes, a list of supported values, and the default
settings, see Section 4.1.43, “Password Storage Schemes”.

Syntax

pwdhash [ -D config_directory ] [ -s storage_scheme ] [ -c password_to_compare ] [ -H ] password

Options

Table 10.11. pwdhash Options

Option Description

-D config_directory  Sets the full path to the configuration directory.

-c password_to_compare  Sets the encrypted password string to which to compare the specified plain text password.

-s storage_scheme  Sets the storage scheme to hash the given password.

-H  Displays the usage information.

10.3.15. restart-dirsrv (Restarts the Directory Server)


Restarts either all instances of the Directory Server or a specific Directory Server instance.

Syntax
restart-dirsrv [instance_name]

Options

Option Description

instance_name  A name of a specific Directory Server instance to restart. If the instance name is not given, then all local Directory Server instances are restarted.

Exit Status Codes

Exit Code Description

0  Server restarted successfully.

1  Server could not be started.

2  Server restarted successfully but was already stopped.

3  Server could not be stopped.

10.3.16. restart-ds-admin (Restarts the Administration Server)


Restarts the Administration Server instance.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax
restart-ds-admin

Options
There are no options for this script.

10.3.17. restart-slapd (Restarts the Directory Server)


Restarts the Directory Server.

This script is a wrapper for restart-dirsrv and automatically supplies the instance name
to the restart-dirsrv script.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

restart-slapd

Options
There are no options for this script.

Exit Status

Table 10.12. restart-slapd Exit Status Codes

Exit Code Description

0  Server restarted successfully.

1  Server could not be started.

2  Server restarted successfully but was already stopped.

3  Server could not be stopped.

10.3.18. restoreconfig (Restores Administration Server Configuration)

Restores, by default, the most recently saved Administration Server configuration
information to the NetscapeRoot partition under the /etc/dirsrv/slapd-instance/
directory.

To restore the Administration Server configuration, do the following:

1. Stop the Directory Server.

2. Run the restoreconfig script.

3. Restart the Directory Server.

4. Restart the Administration Server for the changes to be taken into account.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax
restoreconfig

Options
There are no options for this script.

10.3.19. saveconfig (Saves Administration Server Configuration)

Saves Administration Server configuration information to the
/var/lib/dirsrv/slapd-instance/bak directory.

This script will only run if the server is running.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax
saveconfig

Options
There are no options for this script.

10.3.20. start-dirsrv (Starts the Directory Server)


Starts either all instances of the Directory Server or a specific Directory Server instance.

Check with the ps command whether the server has actually started: the script can
sometimes print its message while the startup process is still in progress, which can be
confusing.

Syntax
start-dirsrv [instance_name]

Options

Option Description

instance_name  A name of a specific Directory Server instance to start. If the instance name is not given, then all local Directory Server instances are started.

Exit Status Codes

Exit Code Description

0 Server started successfully.

1 Server could not be started.

2 Server was already running.

10.3.21. start-ds-admin (Starts the Administration Server)


Starts the Administration Server instance.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax
start-ds-admin

Options
There are no options for this script.

10.3.22. start-slapd (Starts the Directory Server)


Starts the Directory Server. Check with the ps command whether the server has actually
started: the script can sometimes print its message while the startup process is still in
progress, which can be confusing.

This script is a wrapper for start-dirsrv and automatically supplies the instance name to
the start-dirsrv script.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax
start-slapd

Options
There are no options for this script.

Exit Status Codes

Table 10.13. start-slapd Exit Status Codes

Exit Code Description

0 Server started successfully.

1 Server could not be started.

2 Server was already started.

10.3.23. status-dirsrv (Obtains the Status of the Directory Server)


Shows the status of all Directory Server instances on the system, or one instance if
specified.

Syntax

status-dirsrv [instance_name]

Options

Option Description

instance_name  A name of a specific Directory Server instance to return the status of. If no instance name is given, then the status of all local Directory Server instances is returned.

Exit Status Codes

Exit Code Description

0  If you specified an instance name, the specified instance is running. If you did not specify an instance name, all Directory Server instances are running.

1-254  The number of instances which are not running. If you specified an instance name and this instance exists but is not running, status-dirsrv returns 1.

255  The specified instance does not exist. (Only if you specified an instance name.)

10.3.24. stop-dirsrv (Stops the Directory Server)


Stops either all instances of the Directory Server or a specific Directory Server instance.

Check with the ps command whether the server has actually stopped: the script can
sometimes return a success message while the shutdown process is still in progress, which
can be confusing.

Syntax
stop-dirsrv [instance_name]

Options

Option Description

instance_name  A name of a specific Directory Server instance to stop. If the instance name is not given, then all local Directory Server instances are stopped.

Exit Status Codes

Exit Code Description

0 Server stopped successfully.

1 Server could not be stopped.

2 Server was already stopped.

10.3.25. stop-ds-admin (Stops the Administration Server)


Stops the Administration Server instance.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax
stop-ds-admin

Options
There are no options for this script.

10.3.26. stop-slapd (Stops the Directory Server)


Stops the Directory Server. Check with the ps command whether the server has actually
stopped: the script can sometimes return its message while the shutdown process is still in
progress, which can be confusing.

This script is a wrapper for stop-dirsrv and automatically supplies the instance name to
the stop-dirsrv script.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax
stop-slapd

Options
There are no options for this script.

Exit Status

Table 10.14. stop-slapd Exit Status Codes

Exit Code Description

0 Server stopped successfully.

1 Server could not be stopped.

2 Server was already stopped.

10.3.27. suffix2instance (Maps a Suffix to a Backend Name)


Maps a suffix to a back end name.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

suffix2instance [ -s suffix ]

Options

Table 10.15. suffix2instance Options

Option Description

-s Suffix to be mapped to the back end.

10.3.28. upgradednformat
Updates older-style DN syntaxes to RFC 4514-style DN syntaxes for migrated databases.

NOTE

This script is run automatically by setup-ds-admin.pl -u when a
Directory Server instance is upgraded. It is not likely that this script will need
to be run manually.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

upgradednformat [ -N ] -n backendInstance [ -a /path/to/database/directory ]

Options

Either the -N or both -n and -a must be specified.

Table 10.16. upgradednformat Options

Option Description

-a /path/to/database/directory  Gives the full path to the database directory.

-N  Checks whether any DNs in the database need to be updated.

-n backendInstance  Gives the name of the database containing the entries to index.

10.3.29. vlvindex (Creates Virtual List View Indexes)


To run the vlvindex script, the server must be stopped. The vlvindex script creates virtual
list view (VLV) indexes, known in the Directory Server Console as browsing indexes. VLV
indexes introduce flexibility in the way search results are viewed. VLV indexes can organize
search results alphabetically or in reverse alphabetical order, making it easy to scroll
through the list of results. VLV index configuration must already exist prior to running this
script.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

vlvindex [ -d debugLevel ] [ -n backendInstance ] | [ -s suffix ] [ -T vlvTag ]

Options
Either the -n or the -s option must be specified.

Table 10.17. vlvindex Options

Option Description

-d debugLevel  Specifies the debug level to use during index creation. Debug levels are defined in Section 3.1.1.76, “nsslapd-errorlog-level (Error Log Level)”.

-n backendInstance  Gives the name of the database containing the entries to index.

-s suffix  Gives the name of the suffix containing the entries to index.

-T vlvTag  VLV index identifier to use to create VLV indexes. The Console can specify the VLV index identifier for each database supporting the directory tree, as described in the Red Hat Directory Server Administration Guide. Define additional VLV tags by creating them in LDIF and adding them to Directory Server's configuration, as described in the Red Hat Directory Server Administration Guide. Red Hat recommends using the DN of the entry for which to accelerate the search sorting.

10.4. PERL SCRIPTS


This section describes the following Perl scripts:

Section 10.4.1, “bak2db.pl (Restores a Database from Backup)”

Section 10.4.2, “cl-dump.pl (Dumps and Decodes the Changelog)”

Section 10.4.3, “cleanallruv.pl (Cleans RUV data)”

Section 10.4.4, “db2bak.pl (Creates a Backup of a Database)”

Section 10.4.5, “db2index.pl (Creates and Generates Indexes)”

Section 10.4.6, “db2ldif.pl (Exports Database Contents to LDIF)”

Section 10.4.7, “fixup-linkedattrs.pl (Regenerate Linked and Managed Attributes)”

Section 10.4.8, “fixup-memberof.pl (Regenerate memberOf Attributes)”

Section 10.4.9, “ldif2db.pl (Import)”

Section 10.4.10, “logconv.pl (Log Converter)”

Section 10.4.11, “migrate-ds.pl”

Section 10.4.12, “migrate-ds-admin.pl”

Section 10.4.13, “ns-accountstatus.pl (Establishes Account Status)”

Section 10.4.14, “ns-activate.pl (Activates an Entry or Group of Entries)”

Section 10.4.15, “ns-inactivate.pl (Inactivates an Entry or Group of Entries)”

Section 10.4.16, “ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)”

Section 10.4.17, “register-ds-admin.pl”

Section 10.4.18, “remove-ds.pl”

Section 10.4.19, “remove-ds-admin.pl”

Section 10.4.20, “repl-monitor.pl (Monitors Replication Status)”

Section 10.4.21, “schema-reload.pl (Reload Schema Files Dynamically)”

Section 10.4.22, “setup-ds.pl”

Section 10.4.23, “setup-ds-admin.pl”

Section 10.4.24, “syntax-validate.pl (Validate Attribute Values)”

Section 10.4.25, “usn-tombstone-cleanup.pl (Remove Deleted Entries)”

Section 10.4.26, “verify-db.pl (Check for Corrupt Databases)”

10.4.1. bak2db.pl (Restores a Database from Backup)


Restores a database from a backup.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

bak2db.pl -D rootdn -w password | -w - | -j filename -a backupDirectory [ -t databaseType ]

Options
The script bak2db.pl creates an entry in the directory that launches this dynamic task. The
entry is generated based upon the values provided for each option.

Table 10.18. bak2db.pl Options

Option Description

-a backupDirectory  The directory of the backup files.

-D rootdn  Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config.

-j filename  The name of the file containing the password.

-t databaseType  The database type. The only possible database type is ldbm.

-w password  The password associated with the user DN.

-w -  Prompts for the password associated with the user DN.

10.4.2. cl-dump.pl (Dumps and Decodes the Changelog)


Troubleshoots replication-related problems.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

cl-dump.pl [ -h host ] [ -p port ] [ -D bindDn ] [ -w bindPassword | -P bindCert ] [ -r replicaRoots ] [ -o outputFile ] [ -c ]

cl-dump.pl -i changelogFile [ -o outputFile ] [ -c ]

Options
Without the -i option, the script must be run when the Directory Server is running from a
location from which the server's changelog directory is accessible.

Table 10.19. cl-dump.pl command options

-c
    Dumps and interprets change sequence numbers (CSN) only. This option can be used with or without the -i option.

-D bindDn
    Specifies the Directory Server's bind DN. Defaults to cn=Directory Manager if the option is omitted.

-h host
    Specifies the Directory Server's host. Defaults to the server where the script is running.

-i changelogFile
    Specifies the path to the changelog file. If there is a changelog file and if certain changes in that file are base-64 encoded, use this option to decode that changelog.

-o outputFile
    Specifies the path, including the filename, for the final result. Defaults to STDOUT if omitted.

-p port
    Specifies the Directory Server's port. The default value is 389.

-P bindCert
    Specifies the path, including the filename, to the certificate database that contains the certificate used for binding.

-r replicaRoots
    Specifies the replica-roots whose changelog to dump. When specifying multiple roots, use commas to separate roots. If the option is omitted, all the replica roots will be dumped.

-w bindPassword
    Specifies the password for the bind DN.

10.4.3. cleanallruv.pl (Cleans RUV data)


The cleanallruv.pl Perl script creates and adds a cleanAllRUV task to the
Directory Server. Additionally, the script is able to abort currently running cleanAllRUV
tasks.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

cleanallruv.pl [ -Z instance_name ] [ -D root_DN ] [ -w bind_password | -w - | -j file_name ] [ -b base_DN ] [ -r replica_ID ] [ -P protocol ] [ -A ] [ -h ]

Table 10.20. cleanallruv.pl command options

-Z instance_name
    Sets the name of the Directory Server instance the script works on. If there is only one instance running on the system, you can skip this option.

-D root_DN
    Specifies the distinguished name (DN) used to bind to Directory Server. This is usually the cn=Directory Manager or root DN account. If you do not set this parameter, the script searches the Directory Server instance configuration for the value.

-w password
    Sets the password for the bind DN.

-w -
    Prompts for the bind DN's password.

-j file_name
    Reads the password for the bind DN account from the file passed to the parameter.

-b base_DN
    Sets the suffix of the replica that is cleaned up.

-r replica_ID
    Sets the replica ID to remove.

-P protocol
    Sets the protocol used to connect to Directory Server. Valid options: STARTTLS, LDAPS, LDAPI, and LDAP. If the parameter is not set, the most secure protocol available is used.

-A
    Aborts a cleanAllRUV task that is currently running.

-h
    Displays the usage information of the script.

10.4.4. db2bak.pl (Creates a Backup of a Database)


Creates a backup of the database. This Perl script can only be executed when the server is
running.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

db2bak.pl -D rootdn -w password | -w - | -j filename [ -a symbolic_link ] [ -A symbolic_link ] [ -t db_type ]

Options
The script db2bak.pl creates an entry in the directory that launches this dynamic task. The
entry is generated based upon the values provided for each option. Currently, the only
possible database type is ldbm.

Table 10.21. db2bak.pl Options

-a symbolic_link
    The db2bak.pl utility stores backups in a subdirectory of the /var/lib/dirsrv/slapd-instance_name/bak/ directory. If you specify the -a symbolic_link option, db2bak.pl creates the specified directory name in the backup location and a symbolic link to this location.

    For example, if you pass the -a /tmp/example option to the utility, db2bak.pl stores the backup in the /var/lib/dirsrv/slapd-instance_name/bak/example/ directory and creates the /tmp/example symbolic link, which refers to the target directory.

-A symbolic_link
    The db2bak.pl utility stores backups in a subdirectory of the /var/lib/dirsrv/slapd-instance_name/bak/ directory. If you specify the -A symbolic_link option, db2bak.pl creates a directory named with the instance name and a time stamp in the backup location and a symbolic link to this location.

    For example, if you pass the -A /tmp/ option to the utility, db2bak.pl stores the backup in the /var/lib/dirsrv/slapd-instance_name/bak/instance_name_time_stamp/ directory and creates the /tmp/instance_name_time_stamp symbolic link, which refers to the target directory.

-D rootdn
    The user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config.

-j filename
    The name of the file containing the password.

-t
    The database type. Currently, the only possible database type is ldbm.

-w password
    The password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

10.4.5. db2index.pl (Creates and Generates Indexes)


Creates and generates the new set of indexes to be maintained following the modification
of indexing entries in the cn=config configuration file.

NOTE

db2index uses the entryrdn index to order the parent-child entries when it
indexes the database to preserve the proper hierarchy of parent and child
entries. If the entryrdn index is unavailable for some reason, then db2index
uses the parentid key for each entry to identify the parent. This second
method allows the index operation to succeed, but the operation may take a
long time to complete.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

db2index.pl -D rootdn -w password | -w - | -j filename -n backendInstance [ -t attributeName(:indextypes(:matchingrules)) ] [ -T vlvAttributeName ]

Options
The script db2index.pl creates an entry in the directory that launches this dynamic task.
The entry is generated based upon the values provided for each option.

Table 10.22. db2index.pl Options

-D rootdn
    Gives the user DN with root permissions, such as Directory Manager.

-j filename
    The name of the file containing the password.

-n backendInstance
    Gives the instance to be indexed. If the instance is not specified, the script reindexes all instances.

-t attributeName{:indextypes(:matchingrules)}
    Gives the name of the attribute to be indexed. If omitted, all the indexes defined for the specified instance are generated. Optionally, this can include the index type (eq, pres, sub, approx) and a matching rule OID.

-T vlvAttributeName
    Gives the names of the VLV attributes to be reindexed. The name is the VLV index object's common name in cn=config.

-w password
    Gives the password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

10.4.6. db2ldif.pl (Exports Database Contents to LDIF)


Exports the contents of the database to LDIF. This script creates an entry in the directory
that launches this dynamic task. The entry is generated based upon the values provided for
each option. Ellipses indicate that multiple occurrences are allowed.

NOTE

db2ldif.pl uses the entryrdn index to order the parent-child entries when it
exports the database; this enables the exported LDIF file to be used for
import, since the proper hierarchy of parent and child entries is preserved. If
the entryrdn index is unavailable for some reason, then db2ldif.pl uses the
parentid key for each entry to identify the parent and export it before the
child entry. This second method allows the export operation to succeed, but
the operation may take a long time to complete.


NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

db2ldif.pl -D rootdn -w password | -w - | -j filename -n backendInstance | -s includeSuffix ... [ -x excludeSuffix ... ] [ -a outputFile ] [ -N ] [ -r ] [ -C ] [ -u ] [ -U ] [ -m ] [ -E ] [ -1 ] [ -M ]

Options
To run this script, the server must be running, and either the -n or -s option is required.

Table 10.23. db2ldif.pl Options

-1
    Deletes, for reasons of backward compatibility, the first line of the LDIF file that gives the version of the LDIF standard.

-a outputFile
    Gives the filename of the output LDIF file.

-C
    Uses only the main database file.

-D rootdn
    Gives the user DN with root permissions, such as Directory Manager.

-E
    Decrypts encrypted data during export. This option is used only if database encryption is enabled.

-j filename
    The name of the file containing the password.

-m
    Sets minimal base-64 encoding.

-M
    Uses multiple files for storing the output LDIF, with each instance stored in instance filename (where filename is the filename specified for the -a option).

-n backendInstance
    Gives the instance to be exported.

-N
    Suppresses printing sequential numbers.

-r
    Exports the information required to initialize a replica when the LDIF is imported.

    The LDIF file which is created with db2ldif.pl can be imported using ldif2db.pl. When it is imported, if the -r option was used, then the database is automatically initialized as a replica.

    See Section 10.4.9, “ldif2db.pl (Import)” for information on importing an LDIF file.

-s includeSuffix
    Gives suffixes to be included or the subtrees to be included if -n has been used.

-u
    Requests that the unique ID is not exported.

-U
    Requests that the output LDIF is not folded.

-w password
    Gives the password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

-x excludeSuffix
    Gives suffixes to be excluded.

10.4.7. fixup-linkedattrs.pl (Regenerate Linked and Managed Attributes)

The Directory Server has a Linked Attributes Plug-in which allows one attribute, set in one
entry, to update another attribute in another entry automatically. Both entries have DNs for
values. The DN value in the first entry points to the entry for the plug-in to update; the
attribute in the second entry contains a DN back-pointer to the first entry.

The fixup-linkedattrs.pl script creates the managed attributes in the user entries once
the linking plug-in instance is created or updates the managed attributes to keep
everything in sync after operations like replication or synchronization.

To run this script, the server must be running. The script creates an entry in the directory
that launches this dynamic task.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax


fixup-linkedattrs.pl -D rootdn -w password | -w - | -j filename [ -l DN ]

Options

Table 10.24. fixup-linkedattrs.pl Options

-D rootdn
    Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config.

-j filename
    The name of the file containing the password.

-l DN
    Gives the target DN for which to update the linked attributes. If this is not set, then the default is to update all linked and managed attributes for the entire subtree or directory tree.

-w password
    The password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

10.4.8. fixup-memberof.pl (Regenerate memberOf Attributes)


Regenerates and updates memberOf on user entries to coordinate changes in group
membership.

To run this script, the server must be running. The script creates an entry in the directory
that launches this dynamic task.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

fixup-memberof.pl -D rootdn -w password | -w - | -j filename -b baseDN [ -f filter ] [ -Z server_identifier ] [ -P protocol ]

Options

Table 10.25. fixup-memberof.pl Options

-b base_DN
    The DN of the subtree containing the entries to update.

-D root_DN
    Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config.

-f filter
    An LDAP query filter to use to select the entries within the subtree to update. If there is no filter set, then the default filter is objectclass=inetorgperson, and every entry belonging to that object class within the subtree is updated.

-j file_name
    The name of the file containing the password.

-P protocol
    Sets the protocol used to connect to the server. Valid values are: STARTTLS, LDAPS, LDAPI, and LDAP. If this parameter is not provided, the most secure protocol available on the server is used.

-w password
    The password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

-Z server_identifier
    Sets the server ID of the Directory Server instance. This option is not necessary if one instance is running on the server.

10.4.9. ldif2db.pl (Import)


To run this script, the server must be running. The script creates an entry in the directory
that launches this dynamic task. The entry is generated based upon the values provided for
each option. Ellipses indicate that multiple occurrences are allowed.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

ldif2db.pl [ -Z instance_name ] -D rootdn -w password | -w - | -j filename [ -P protocol ] -n backendInstance | -s includeSuffix [ -x excludeSuffix ] [ -O ] [ -c ] [ -g string ] [ -G namespaceId ] [ -i filename ] [ -E ]

Options

Table 10.26. ldif2db.pl Options

-c
    Merges chunk size.

-D rootdn
    Specifies the user DN with root permissions, such as Directory Manager.

-E
    Decrypts encrypted data during export. This option is used only if database encryption is enabled.

-g string
    Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated.

    When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use, as follows:

    -g deterministic namespaceId

    namespaceId is a string of characters in the format 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.

    Use this option when importing the same LDIF file into two different Directory Servers whose contents should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server, regardless of the options specified.

-G namespaceId
    Generates a namespace ID as a name-based unique ID. This is the same as specifying the -g deterministic option.

-h
    Displays the usage information.

-i filename
    Specifies the filename of the input LDIF files. When multiple files are imported, they are imported in the order they are specified on the command line.

-j filename
    Specifies the path, including the filename, to the file that contains the password associated with the user DN.

-n backendInstance
    Specifies the instance to be imported.

-O
    Requests that only the core database is created without attribute indexes.

-P protocol
    Sets the protocol the utility uses to connect to Directory Server. Valid values are STARTTLS, LDAPS, and LDAP. For LDAPI mode, set the value to AUTOBIND. If you skip this option, the utility auto-selects the most secure protocol that is supported by the server.

-s includeSuffix
    Specifies the suffixes to be included or specifies the subtrees to be included if -n has been used.

-w password
    Specifies the password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

-x excludeSuffix
    Specifies the suffixes to be excluded.

-Z instance_name
    Sets the name of the instance.

10.4.10. logconv.pl (Log Converter)


Analyzes the access logs of a Directory Server to extract usage statistics and count the
occurrences of significant events. It is compatible with log formats from previous releases
of Directory Server. For information on access logs, see Section 7.1, “Access Log
Reference”.

NOTE

logconv.pl is in the /usr/bin directory.

The tool will extract the following information from access logs:

Table 10.27. Information Extracted from Access Logs

Number of restarts
Total number of connections
Total operations requested
Total results returned
Results to requests ratio
Number of searches
Number of modifications
Number of adds
Number of deletes
Performance statistics of searches
Performance statistics of modifications
Performance statistics of adds
Performance statistics of deletes
Number of modified RDNs
Persistent searches
Internal operations (with verbose logs)
Entry operations (with verbose logs)
Extended operations
Abandoned requests
Smart referrals received (verbose logs)
VLV (virtual list view) operations
VLV unindexed searches
Server-side sorting operations
TLS connections
Performance lowering operations:
    Entire database searches
    Unindexed searches (details optional)
FDs (file descriptors) taken
FDs returned
Highest FD taken
Disruptions:
    Broken pipes
    Connections reset by peer
    Unavailable resources (and detail)
Total binds and types of binds
Most frequent occurrence lists (optional):
    Error and return codes
    Failed logins
    Connection codes
    Client IP addresses and connection codes
    Bind DNs
    Base DNs for searching
    Search filters
    Etimes (elapsed operation time)
    Longest etimes
    Nentries (number of entries in result)
    Largest Nentries
    Extended operations
    Most requested attributes
Recommendations (optional)

The logconv.pl tool displays two types of statistics useful for monitoring and optimizing
directory usage:

Simple counts of events such as the total number of binds, connections separated
by TLS protocol versions, and the number of searches provide overall usage
information. This is the basic information that the tool will always print.

Lists of the most frequently occurring parameters in LDAP requests provide insight
into how the directory information is being accessed. For example, lists of the top
ten bind DNs, base DNs, filter strings, and attributes returned can help
administrators optimize the directory for its users. These lists are optional because
they are computation intensive: specify only the command-line options required
(see Options).

Some information that is extracted by the logconv.pl script is available only in logs from
current releases of Directory Server; the corresponding values will be zero when analyzing
logs from older versions. In addition, some information will only be present in the logs if
verbose logging is enabled in the Directory Server. For more information, see
Section 3.1.1.2, “nsslapd-accesslog-level (Access Log Level)”.

The following issues will affect the output and performance of this tool:

Some data extracted from logs depend on connection and operation numbers that
are reset and no longer unique after a server restarts. Therefore, to obtain the most
accurate counts, the logs to be analyzed should not span the restart of the
Directory Server.

Due to changes in access log format in current releases of Directory Server that
affected operation numbers, the tool will be more accurate with logs from current
versions when processing large amounts of access logs.

For performance reasons, it is not recommended to run more than one gigabyte of
access logs through the script at any one time.

Syntax

logconv.pl [ -S startTimestamp ] [ -E endTimestamp ] [ -d mgrDN ] [ -D tmp_directory ] [ -X ipAddress ] [ -m ] [ -M ] [ -h ] [ -s size_limit ] [ -V ] [ -efcibaltnxgjuyp ] [ accessLog ]

Options
Table 10.28, “logconv.pl Options” describes the logconv.pl command-line options.

Table 10.28. logconv.pl Options

-d mgrDN
    Specifies the distinguished name (DN) of the Directory Manager in the logs being analyzed. This allows the tool to collect statistics for this special user. The mgrDN parameter should be given in double quotes ("") for the shell. When this parameter is omitted, logconv.pl will use the default manager DN of the Directory Server, "cn=Directory Manager".

-D tmp_directory
    Sets the location of the directory to store temporary data. The default is /tmp. For performance improvements, you can set this path to a RAM disk.

-E endTimestamp
    Specifies the end timestamp; the timestamp must follow the exact format as specified in the access log.

-h
    Displays the usage help text that briefly describes all options.

-M
    Charts per-minute statistics for access within the specified time period. This is useful for charting peaks and troughs in usage patterns.

-m
    Charts per-second statistics for access within the specified time period. This is useful for charting peaks and troughs in usage patterns.

-s number
    Specifies the number of items in each of the list options below. The default is 20 when this parameter is omitted. For example, -s 10 -i will list the ten client machines that access the Directory Server most often. This parameter will apply to all lists that are enabled, and it will have no effect if none are displayed.

-S startTimestamp
    Specifies the start timestamp; the timestamp must follow the exact format as specified in the access log.

-V
    Enables verbose output. With this option, logconv.pl will compute and display all of the optional lists described in Table 10.29, “logconv.pl Options to Display Occurrences”.

-X ipAddress
    Specifies the IP address of a client to exclude from the statistics. This client will not appear in lists of IP addresses (the i flag), and the connection codes it generates will not be tallied in the total connections (default statistic) nor in the connection code details (the c flag). For example, an administrator may want the server to ignore the effect of a load balancer that connects to the Directory Server at regular intervals. This option may be repeated to exclude multiple IP addresses.

accessLog
    The name of a file that contains the access log of the Directory Server. You can specify multiple files or use wildcard characters. Additionally, the logconv.pl script supports compressed files and tar archives based on the file extension, such as .bz2 or .tar.gz. The statistics are computed over the set of all logs, so all logs should pertain to the same Directory Server. The tool ignores any file with the name access.rotationinfo.

Table 10.29, “logconv.pl Options to Display Occurrences” describes the options that enable
the optional lists of occurrences. Specify only those required; specifying a large number of
options can produce excessive output and affect execution speed. These parameters can be
specified in any number and in any order, but they must all be given together as a single
option on the command line, such as -abcefg.

The lists are always output in the order in which they appear in the following table,
regardless of the order in which they are given on the command line.

Table 10.29. logconv.pl Options to Display Occurrences

e
    Lists the most frequent error and return codes.

f
    Lists the bind DNs with the most failed logins (invalid password).

c
    Lists the number of occurrences for each type of connection code.

i
    Lists the IP addresses and connection codes of the clients with the most connections, which detects clients that may be trying to compromise security.

b
    Lists the most frequently used bind DNs.

a
    Lists the most frequent base DNs when performing operations.

l
    Lists the most frequently used filter strings for searches.

t
    Lists the longest and most frequent etimes (elapsed operation time).

n
    Lists the largest and most frequent nentries (entries per result).

x
    Lists the number and OID of all extended operations.

r
    Lists the names of the most requested attributes.

g
    Lists the details of all abandoned operations.

j
    Gives recommendations based on data collected from the log file.

u
    Gives operation details about unindexed searches.

y
    Lists connection latency details, which indicates the overall connection latency.

p
    Lists open connection ID statistics, which indicates the FDs that are not yet closed.
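The following Python script is an added example, not Red Hat's logconv.pl and not code from this guide: it shows how the statistics above are derived from the access log by correlating each BIND or SRCH line with its RESULT line through the conn and op numbers, computing the basic counts plus the f, i, c, e, t and u lists and an -X style exclusion list. The log lines it parses are constructed samples in the access log layout of Section 7.1.

```python
"""Access-log analyzer in the spirit of logconv.pl (added example, not Red Hat's tool).
Computes the basic counts plus the optional f, i, c, e, t and u lists and honours
an -X style exclusion list for clients, such as load balancers, that would skew them.
"""
import re
from collections import Counter

# Constructed sample lines in the Directory Server access log layout; not from a real server.
SAMPLE_LOG = """\
[07/Jan/2019:10:00:01.100000000 +0000] conn=1 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[07/Jan/2019:10:00:01.200000000 +0000] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[07/Jan/2019:10:00:01.300000000 +0000] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000512
[07/Jan/2019:10:00:02.100000000 +0000] conn=1 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="cn mail"
[07/Jan/2019:10:00:02.200000000 +0000] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001000
[07/Jan/2019:10:00:03.100000000 +0000] conn=2 fd=65 slot=65 connection from 198.51.100.7 to 192.0.2.1
[07/Jan/2019:10:00:03.200000000 +0000] conn=2 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[07/Jan/2019:10:00:03.300000000 +0000] conn=2 op=0 RESULT err=49 tag=97 nentries=0 etime=0.000400
[07/Jan/2019:10:00:04.200000000 +0000] conn=2 op=1 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[07/Jan/2019:10:00:04.300000000 +0000] conn=2 op=1 RESULT err=49 tag=97 nentries=0 etime=0.000400
[07/Jan/2019:10:00:05.100000000 +0000] conn=2 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(description=*admin*)" attrs=ALL
[07/Jan/2019:10:00:07.600000000 +0000] conn=2 op=2 RESULT err=0 tag=101 nentries=250 etime=2.500000 notes=A
[07/Jan/2019:10:00:08.100000000 +0000] conn=2 op=-1 fd=65 closed - B1
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+) "
                       r"etime=([\d.]+)(?: notes=([A-Z,]+))?")
CLOSE_RE = re.compile(r"conn=(\d+) op=-1 fd=\d+ closed - ([A-Z]\d)")


def analyze(lines, exclude_ips=()):
    """Return statistics for an iterable of access log lines, skipping connections
    from any address in exclude_ips (logconv.pl -X) together with all their operations."""
    stats = {
        "connections": 0, "binds": 0, "searches": 0,
        "ips": Counter(),               # i: client address -> connections
        "failed_logins": Counter(),     # f: bind DN -> results with err=49
        "error_codes": Counter(),       # e: LDAP result code -> count
        "connection_codes": Counter(),  # c: close reason code -> count
        "unindexed": [],                # u: (conn, op, base, filter, nentries, etime)
        "etimes": [],                   # t: (etime, conn, op), slowest first
    }
    ignored = set()   # conn ids of excluded clients
    pending = {}      # (conn, op) -> (dn,) for a BIND or (base, filter) for a SRCH
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            conn, ip = m.groups()
            if ip in exclude_ips:
                ignored.add(conn)
            else:
                stats["connections"] += 1
                stats["ips"][ip] += 1
            continue
        m = BIND_RE.search(line) or SRCH_RE.search(line)
        if m:
            conn, op = m.group(1), m.group(2)
            if conn not in ignored:
                pending[(conn, op)] = m.groups()[2:]
                stats["binds" if m.re is BIND_RE else "searches"] += 1
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries, etime, notes = m.groups()
            if conn in ignored:
                continue
            err, etime = int(err), float(etime)
            stats["error_codes"][err] += 1
            stats["etimes"].append((etime, conn, op))
            req = pending.pop((conn, op), ())
            if len(req) == 1 and err == 49:        # a BIND answered with invalidCredentials
                stats["failed_logins"][req[0]] += 1
            # notes=A (all IDs) and notes=U (unindexed) both mark an unindexed search
            elif len(req) == 2 and notes and set(notes.split(",")) & {"A", "U"}:
                stats["unindexed"].append((conn, op, *req, int(nentries), etime))
            continue
        m = CLOSE_RE.search(line)
        if m and m.group(1) not in ignored:
            stats["connection_codes"][m.group(2)] += 1
    stats["etimes"].sort(reverse=True)
    return stats


def report(stats, n=20):
    """Text lines in the style of a logconv.pl report; n mirrors the -s option."""
    out = [f"Total connections: {stats['connections']}", f"Total binds: {stats['binds']}",
           f"Total searches: {stats['searches']}", f"Unindexed searches: {len(stats['unindexed'])}"]
    out += [f"Failed login {k}x: {dn}" for dn, k in stats["failed_logins"].most_common(n)]
    out += [f"Client {k}x: {ip}" for ip, k in stats["ips"].most_common(n)]
    out += [f"Connection code {c}: {k}" for c, k in stats["connection_codes"].most_common(n)]
    out += [f"Unindexed conn={c} op={o} base={b} filter={f} nentries={ne} etime={et}"
            for c, o, b, f, ne, et in stats["unindexed"]]
    out += [f"Slowest etime {et} (conn={c} op={o})" for et, c, o in stats["etimes"][:n]]
    return out


if __name__ == "__main__":   # usage: analyzer.py [access_log [excluded_ip ...]]
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print("\n".join(report(analyze(lines, set(sys.argv[2:])))))
```

Run without arguments it analyzes the constructed sample; with a file path and optional excluded addresses it behaves like logconv.pl -X on a real access log.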

10.4.11. migrate-ds.pl


WARNING

There is no direct migration path from Red Hat Directory Server 7.1 to Red Hat Directory Server 10.3, but it is possible to migrate the data by migrating 7.1 to 8.2, and then migrating 8.2 to 10.3.

An 8.2 migration procedure, using this script, is described in the migration chapter of the Installation Guide.

It is possible to use this script to migrate directly from 7.1 to 10.3. However, this migration path is not fully supported. Please contact Red Hat Support Services before attempting to perform a direct 7.1 to 10.3 migration.

The migrate-ds.pl script is used to migrate a Directory Server 7.1 instance. Migration can
happen between instances on the same machine, on different machines, or on different
platforms. This script only migrates a Directory Server instance, not an
Administration Server.


Do not run setup-ds-admin.pl for the Directory Server 8.2 instance before running the
migration script if you are migrating from a 7.1 server.

Information can be passed with the script or in an .inf file, same as the setup scripts. Both
the .inf parameters and command-line arguments are described in the silent configuration
section of the Installation Guide.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

migrate-ds.pl --oldsroot=server_directory [ --actualsroot=server_directory ] [ --instance=instance_name ] [ --file=name ] [ --cross ] [ --debug ] [ --log=name ] General.ConfigDirectoryAdminPwd=password

Options

General.ConfigDirectoryAdminPwd=password
    Required. This is the password for the configuration directory administrator of the old Directory Server (the default user name is admin).

--oldsroot (alternate option: -o)
    Required. This is the path to the server root directory in the old 7.1 Directory Server installation. The default path in 7.1 servers is /opt/redhat-ds/.

--actualsroot (alternate option: -a)
    This is used for migrating between two machines to specify the real path to the current server root directory in the old 7.1 Directory Server installation if that directory is mounted on a networked drive or tarballed and moved to a relative directory. In that case, the oldsroot parameter sets the directory from which the migration is run (such as machine_new:/migrate/opt/redhat-ds/), while the actualsroot parameter sets the server root (/opt/redhat-ds/).

--instance (alternate option: -i)
    This parameter specifies a specific instance to migrate. This parameter can be used multiple times to migrate several instances simultaneously. By default, the migration script migrates all Directory Server instances on the machine.

--file=name (alternate option: -f name)
    This sets the path and name of the .inf file provided with the migration script. The only parameter is the General.ConfigDirectoryAdminPwd parameter, which is the configuration directory administrator's password. Any other configuration setting is ignored by the migration script.

--cross (alternate options: -c or -x)
    This parameter is used when the Directory Server is being migrated from one machine to another with a different architecture. For cross-platform migrations, only certain data are migrated. This migration action takes database information exported to LDIF and imports it into the 8.2 databases. Changelog information is not migrated. If a supplier or hub is migrated, then all its replicas must be reinitialized.

--debug (alternate option: -d[dddd])
    This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level.

--logfile name (alternate option: -l)
    This parameter specifies a log file to which to write the output. If this is not set, then the migration information is written to a temporary file, named /tmp/migrateXXXXX.log.

    To disable logging, set /dev/null as the logfile.

10.4.12. migrate-ds-admin.pl



WARNING

There is no direct migration path from Red Hat Directory Server 7.1 to Red Hat Directory Server 10.3, but it is possible to migrate the data by migrating 7.1 to 8.2, and then migrating 8.2 to 10.3.

An 8.2 migration procedure, using this script, is described in the migration chapter of the Installation Guide.

It is possible to use this script to migrate directly from 7.1 to 10.3. However, this migration path is not fully supported. Please contact Red Hat Support Services before attempting to perform a direct 7.1 to 10.3 migration.

The migrate-ds-admin.pl script is used to migrate a Directory Server 7.1 instance.
Migration can happen between instances on the same machine, on different machines,
or on different platforms. This script migrates both the Directory Server instances and the
Administration Server for the 7.1 deployment.

Do not run setup-ds-admin.pl for the Directory Server 8.2 instance before running the
migration script if you are migrating from a 7.1 server.

Information can be passed with the script or in an .inf file, same as the setup scripts. Both
the .inf parameters and command-line arguments are described in the silent configuration
section of the Installation Guide.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

migrate-ds-admin.pl --oldsroot=server_directory [ --actualsroot=server_directory ] [ --instance=instance_name ] [ --file=name ] [ --cross ] [ --debug ] [ --log=name ] General.ConfigDirectoryAdminPwd=password

Options

General.ConfigDirectoryAdminPwd=password
    Required. This is the password for the configuration directory administrator of the old Directory Server (the default user name is admin).

--oldsroot (alternate option: -o)
    Required. This is the path to the server root directory in the old 7.1 Directory Server installation. The default path in 7.1 servers is /opt/redhat-ds/.

--actualsroot (alternate option: -a)
    This is used for migrating between two machines to specify the real path to the current server root directory in the old 7.1 Directory Server installation if that directory is mounted on a networked drive or tarballed and moved to a relative directory. In that case, the oldsroot parameter sets the directory from which the migration is run (such as machine_new:/migrate/opt/redhat-ds/), while the actualsroot parameter sets the server root (/opt/redhat-ds/).

--instance (alternate option: -i)
    This parameter specifies a specific instance to migrate. This parameter can be used multiple times to migrate several instances simultaneously. By default, the migration script migrates all Directory Server instances on the machine.

--file=name (alternate option: -f name)
    This sets the path and name of the .inf file provided with the migration script. The only parameter is the General.ConfigDirectoryAdminPwd parameter, which is the configuration directory administrator's password. Any other configuration setting is ignored by the migration script.

--cross (alternate options: -c or -x)
    This parameter is used when the Directory Server is being migrated from one machine to another with a different architecture. For cross-platform migrations, only certain data are migrated. This migration action takes database information exported to LDIF and imports it into the 8.2 databases. Changelog information is not migrated. If a supplier or hub is migrated, then all its replicas must be reinitialized.

--debug (alternate option: -d[dddd])
    This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level.

--logfile name (alternate option: -l)
    This parameter specifies a log file to which to write the output. If this is not set, then the migration information is written to a temporary file, named /tmp/migrateXXXXX.log.

    To disable logging, set /dev/null as the logfile.

10.4.13. ns-accountstatus.pl (Establishes Account Status)


Provides account status information to establish whether an entry or group of entries is
inactivated.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

ns-accountstatus.pl [ -b base ] [ -D rootdn ] [ -f filter ] [ -g time ] [ -h host ] [ -i ] [ -I DN ] [ -p port ] [ -s suffix ] [ -V ] [[ -w password ] | [ -w - ] | [ -j filename ]] [ -? ]

Options

Table 10.30. ns-accountstatus.pl Options

-b search base
    Specify a search base when retrieving the status of multiple users - for example, -b "ou=people,dc=example,dc=com". This will cause the -I option to be ignored.

-D rootdn
    Specifies the Directory Server user DN with root permissions, such as Directory Manager.

-f filter
    Specify a filter when retrieving the status of many users - for example, -f "(&(objectclass=PosixAccount)(uid=*))". This will cause the -I option to be ignored.

-g time (s)
    Return only accounts which will become deactivated due to inactivity (exceeding the inactivity threshold set by the Account Policy plug-in) in the time period specified in time (in seconds). For example, to see which accounts will become deactivated in the next 24 hours (86400 seconds), use -g 86400.

-h host
    Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed.

-i
    Only display inactive entries.

-I DN
    Specifies the entry DN or role DN whose status is required.

-j filename
    Specifies the path, including the filename, to the file that contains the password associated with the user DN.

-p port
    Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time.

-s scope
    Specify a scope when retrieving the status of many users. The scope can be one of base, one or sub (default). This will cause the -I option to be ignored.

-V
    Enables verbose output.

-w password
    Specifies the password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

-?
    Opens the help page.

Entry State Messages

Table 10.31. ns-accountstatus.pl Entry State Messages

activated
    This user is active and not restricted from authenticating.

inactivated
    This user is inactive and cannot authenticate to the server.

inactivated through ROLE_DN
    This user account is inactivated because it is assigned to the ROLE_DN.

inactivated (probably directly)
    Usually seen with role DNs.

inactivated (inactivity limit exceeded)
    This account was deactivated because it exceeded the inactivity limit set by the Account Policy plug-in.
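The following is an added example, not part of the Red Hat documentation and not code from ns-accountstatus.pl. It models how the -i and -g options and the entry state messages above relate to the Account Policy plug-in's inactivity limit, so that the meaning of "-g 86400" can be checked against concrete data. Its assumptions: the plug-in's state attribute is lastLoginTime (an LDAP GeneralizedTime in UTC), the inactivity limit is a number of seconds, a directly inactivated entry carries nsAccountLock: true, and the entries, the 30-day limit and the fixed clock are constructed sample data rather than anything read from a server.

```python
# Added example (not part of the Red Hat documentation or of
# ns-accountstatus.pl): a model of how the -i and -g options and the entry state
# messages relate to the Account Policy plug-in's inactivity limit. Assumptions
# of this example: the plug-in's state attribute is lastLoginTime (an LDAP
# GeneralizedTime in UTC), the limit is a number of seconds, and a directly
# inactivated entry carries nsAccountLock: true. The entries, the 30-day limit
# and the fixed clock are constructed sample data.
from datetime import datetime, timedelta, timezone

SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "lastLoginTime": "20190105120000Z"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "lastLoginTime": "20181201120000Z"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "lastLoginTime": "20181208140000Z"},
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "lastLoginTime": "20190106090000Z",
     "nsAccountLock": "true"},
]
INACTIVITY_LIMIT = 30 * 86400                               # seconds (assumed policy)
NOW = datetime(2019, 1, 7, 12, 0, 0, tzinfo=timezone.utc)   # fixed clock for the example


def parse_generalized_time(value):
    """Parse the 'YYYYMMDDHHMMSSZ' form of LDAP GeneralizedTime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_state(entry, now=NOW, limit=INACTIVITY_LIMIT):
    """Return the state message ns-accountstatus.pl would print for one entry."""
    if entry.get("nsAccountLock", "").lower() == "true":
        return "inactivated"
    idle = (now - parse_generalized_time(entry["lastLoginTime"])).total_seconds()
    if idle > limit:
        return "inactivated (inactivity limit exceeded)"
    return "activated"


def inactive_only(entries, now=NOW, limit=INACTIVITY_LIMIT):
    """The -i view: DNs of entries whose state is anything but 'activated'."""
    return [e["dn"] for e in entries if account_state(e, now, limit) != "activated"]


def deactivating_within(entries, window_seconds, now=NOW, limit=INACTIVITY_LIMIT):
    """The -g view: DNs of currently active entries whose inactivity limit
    will be crossed within the next window_seconds (for example 86400)."""
    deadline = now + timedelta(seconds=window_seconds)
    result = []
    for entry in entries:
        if account_state(entry, now, limit) != "activated":
            continue
        expires_at = parse_generalized_time(entry["lastLoginTime"]) + timedelta(seconds=limit)
        if expires_at <= deadline:
            result.append(entry["dn"])
    return result


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry["dn"], "->", account_state(entry))
    print("deactivating within 24h:", deactivating_within(SAMPLE_ENTRIES, 86400))
```

With the sample data, bob is already past the limit, dave is locked directly, and carol is still active but crosses the 30-day limit two hours after the fixed clock, so only carol appears in the -g 86400 view.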

10.4.14. ns-activate.pl (Activates an Entry or Group of Entries)


Activates an entry or group of entries.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

ns-activate.pl [ -D rootdn ] [ -h host ] [ -I DN ] [ -p port ] [[ -w password ] | [ -w - ] | [ -j filename ]] [ -? ]

Options

Table 10.32. ns-activate.pl Options

-D rootdn
    Specifies the Directory Server user DN with root permissions, such as Directory Manager.

-h host
    Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed.

-I DN
    Specifies the entry DN or role DN to activate.

-j filename
    Specifies the path, including the filename, to the file that contains the password associated with the user DN.

-p port
    Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time.

-w password
    Specifies the password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

-?
    Opens the help page.

10.4.15. ns-inactivate.pl (Inactivates an Entry or Group of Entries)


Inactivates, and consequently locks, an entry or group of entries.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

ns-inactivate.pl [ -D rootdn ] [ -w password | -w - | -j filename ] [ -p port ] [ -h host ] -I DN [ -? ]

Options

Table 10.33. ns-inactivate.pl Options

-D rootdn
    Specifies the Directory Server user DN with root permissions, such as Directory Manager.

-h host
    Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed.

-I DN
    Specifies the entry DN or role DN to deactivate.

-j filename
    Specifies the path, including the filename, to the file that contains the password associated with the user DN.

-p port
    Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time.

-w password
    Specifies the password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

-?
    Opens the help page.

10.4.16. ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)

Adds entries required for implementing the user- and subtree-level password policy. For
instructions on how to enable this feature, see the Red Hat Directory Server
Administration Guide.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

ns-newpwpolicy.pl [ -D rootdn ] [ -w password | -j filename ] [ -p port ] [ -h host ] -U userDN -S suffixDN [ -? ]

Options

Table 10.34. ns-newpwpolicy.pl Options

-D rootdn
    Specifies the Directory Server user DN with root permissions, such as Directory Manager. The default value is cn=Directory Manager.

-h host
    Specifies the host name of the Directory Server. The default value is localhost or the full host name of the machine where Directory Server is installed.

-j filename
    Specifies the path, including the filename, to the file that contains the password associated with the user DN.

-p port
    Specifies the Directory Server's port. The default value is 389 or the LDAP port of Directory Server specified at installation time.

-S suffixDN
    Specifies the DN of the suffix entry that needs to be updated with subtree-level password policy attributes.

-U userDN
    Specifies the DN of the user entry that needs to be updated with user-level password policy attributes.

-w password
    Specifies the password associated with the user DN.

-?
    Opens the help page.

10.4.17. register-ds-admin.pl
The register-ds-admin.pl script can be used for two things:

- Registering an existing Directory Server instance with a different Administration Server or Configuration Directory Server.

- Creating a new, local Administration Server when only a Directory Server was installed previously.

IMPORTANT

The register-ds-admin.pl script does not support external LDAP URLs, so the Directory Server instance must be registered against a local Administration Server.


NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

register-ds-admin.pl [ --debug ] [ --log=name ]

Options

--debug (-d[dddd])
    This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level.

--logfile name (-l)
    This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null.

10.4.18. remove-ds.pl
The remove-ds.pl script removes a single instance of Directory Server. The server instance
usually must be running when this script is run so that the script can bind to the instance. It
is also possible to force the script to run, which may be necessary if there was an
interrupted installation process or the instance is corrupted or broken so that it cannot run.

When the instance is removed, it is shut down and all of its configuration files are removed.
Certificate database files, like cert8.db and key3.db, are not removed, so the remaining
instance directory is renamed slapd-instance.removed.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

remove-ds.pl [ -f ] -i instance_name [ -a ]

Options

-a
    Removes the certificate database files and the backup directory of the configuration files (slapd-instance.removed) as part of the removal procedure.

-f
    Forces the removal of the instance. This can be useful if the instance is not running but must be removed anyway.

-i instance_name
    The name of the instance to remove.

10.4.19. remove-ds-admin.pl
The remove-ds-admin.pl script removes every instance of Directory Server on a system
and the associated Administration Server. The server instances usually must be running
when this script is run so that the script can bind to the instances.

It is also possible to force the script to run, which may be necessary if there was an
interrupted installation process or the instance is corrupted or broken so that it cannot run.

Directory Server Removal Information


When a Directory Server instance is removed, it is shut down and all of its configuration
files are removed.

By default, the certificate database files, like cert8.db and key3.db, are not removed. The
remaining Directory Server instance directory (containing the security databases) is
renamed slapd-instance.removed. Using the -a option with the script removes the security
databases as well.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Administration Server Removal Information


When an Administration Server instance is removed, it is shut down and most of its
configuration files are removed.

The nss.conf file for the Administration Server instance is preserved in an archived
instance directory.

By default, the certificate database files, like cert8.db and key3.db, are not removed and
are preserved in an archived instance directory. Using the -a option with the script
removes the security databases for the Administration Server (as well as the
Directory Server).

Syntax

remove-ds-admin.pl -y [ -f ] [ -a ]

Options

-a
    Removes the certificate database files as part of the removal procedure and reverts the configuration files back to their initial state.

-f
    Forces the removal of the instance. This can be useful if the instance is not running but must be removed anyway.

-y
    Performs the removal operation. This is required; otherwise, the script essentially performs a dry run and does not remove any Administration Server or Directory Server instances.

10.4.20. repl-monitor.pl (Monitors Replication Status)


Shows in-progress status of replication.

NOTE

repl-monitor.pl is in the /usr/bin directory.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

repl-monitor.pl [ -h host ] [ -s ] [ -p port ] [ -f configFile ] [ -u refreshUrl ] [ -t refreshInterval ] [ -r ]

Options

Table 10.35. repl-monitor.pl Options

-f configFile
    Specifies the absolute path to the configuration file, which defines the connection parameters used to connect to LDAP servers to get replication information. For more information about the configuration file, see Configuration File Format.

-h host
    Specifies the initial replication supplier's host. The default value is the current host name.

-p port
    Specifies the initial replication supplier's port. The default value is 389.

-r
    If specified, causes the routine to be entered without printing the HTML header information. This is suitable when making multiple calls to this routine — such as specifying multiple, different, unrelated supplier servers — and expecting a single HTML output.

-s
    Prints the report in plain text instead of in HTML format.

-t refreshInterval
    Specifies the refresh interval in seconds. The default value is 300 seconds. This option must be used with the -u option.

-u refreshUrl
    Specifies the refresh URL. The output HTML file may invoke a CGI program periodically. If this CGI program in turn calls this script, the effect is that the output HTML file would automatically refresh itself. This is useful for continuous monitoring. See also the -t option. The script has been integrated into Red Hat Administration Express, so that the replication status can be monitored through a web browser.

Configuration File Format


The configuration file defines the following:

The connection parameters for connecting to the LDAP servers to get replication
information; specifying this information is mandatory.

The server alias for more readable server names; specifying this information is
optional.

The color thresholds for time lags; specifying this information is optional.

The format for the configuration file is shown below.

[connection]
host:port:binddn:bindpwd:bindcert
host:port:binddn:bindpwd:bindcert
...

[alias]
alias = host:port
alias = host:port
...

[color]
lowmark = color
lowmark = color

The connection section defines how this tool may connect to each LDAP server in the
replication topology to get the replication-agreement information. The default binddn is
cn=Directory Manager. Simple bind will be used unless bindcert is specified with the path
of a certificate database.

A server may have a dedicated or shared entry in the connection section. The script will
find out the most matched entry for a given server. For example, if all the LDAP servers
except host1 share the same binddn and bindpassword, the connection section will need to
contain just two entries:

[connection]
*:*:binddn:bindpassword:
host1:*:binddn1:bindpassword1:

In the optional alias section, use aliases such as Supplier1, Supplier2, and Hub1, to
identify the servers in the replication topology. If used, the output shows these aliases,
instead of http(s)://host_name:port.

The CSN time lags between suppliers and consumers can be displayed in different colors
based on their range. The default color set is green for 0-5 minutes lag, yellow for 5-60
minutes lag, and pink for a lag of 60 minutes or more.

The connection parameters for all the servers in a replication topology must be specified
within one configuration file. One configuration file, however, may contain information for
multiple replication topologies.

Because of the connection parameters, the replication monitoring tool does not need to
perform DES decryption of the credentials stored in the Directory Server. Each line in this
file could either be a comment started with the # character or a connection entry of the
following format:

host:port:binddn:bindpwd:bindcert

- host, port, and binddn can be replaced with relevant values or *, or omitted altogether. If host is null or *, the entry may apply to any host that does not have a dedicated entry in the file. If port is null or *, the port will default to the port stored in the current replication agreement. If binddn is null or *, it defaults to cn=Directory Manager.

- bindcert can be replaced with the full path to the certificate database, null, or *. If bindcert is omitted or replaced with *, the connection will be a simple bind.


For example, the configuration file may appear as follows:

#Configuration File for Monitoring Replication Via Admin Express

[connection]
*:*:*:mypassword

[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
C2 = host2.example.com:10022

[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC

A shadow port can be set in the replication monitor configuration file. For example:

host:port=shadowport:binddn:bindpwd:bindcert

When the replication monitor finds a replication agreement that uses the specified port, it
will use the shadow port to connect to retrieve statistics.
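To show how the format above resolves in practice, here is an added example that is not part of the Red Hat documentation and not code from repl-monitor.pl itself. It parses this configuration format (comment lines, the three sections, wildcard fields, an omitted bindcert and a shadow port) and picks the connection entry, alias and colour that apply to a given server. The sample configuration is constructed; the scoring rule used for the "most matched" entry (one point per non-wildcard field that matches, highest score wins) is this example's assumption, since the page does not state the script's exact precedence.

```python
# Added example (not part of the Red Hat documentation or of repl-monitor.pl):
# parse the configuration file format above and resolve which [connection]
# entry, alias and colour apply to a server. The "most matched entry" rule is
# modelled as: one point per non-wildcard field that matches, highest score
# wins; that precedence is this example's assumption, not stated on the page.

# Constructed sample configuration; bind passwords are placeholders.
SAMPLE_CONFIG = """\
# comment lines start with '#'
[connection]
*:*:*:mypassword
host1.example.com:*:cn=Directory Manager:secret1:
host2.example.com:10022=20022:cn=monitor,dc=example,dc=com:secret2:/etc/dirsrv/slapd-C2
[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
C2 = host2.example.com:10022
[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC
"""
DEFAULT_BINDDN = "cn=Directory Manager"   # default named on the page


def parse_config(text):
    """Return {'connection': [entries], 'alias': {alias: 'host:port'},
    'color': [(lowmark, colour)] sorted by lowmark}."""
    cfg = {"connection": [], "alias": {}, "color": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "connection":
            # host:port[=shadowport]:binddn:bindpwd[:bindcert]; pad omitted fields
            host, port, binddn, bindpwd, bindcert = (line.split(":") + [""] * 5)[:5]
            shadow = None
            if "=" in port:
                port, shadow = port.split("=", 1)
            cfg["connection"].append({
                "host": host or "*", "port": port or "*", "shadowport": shadow,
                "binddn": binddn if binddn not in ("", "*") else DEFAULT_BINDDN,
                "bindpwd": bindpwd,
                "bindcert": bindcert if bindcert not in ("", "*") else None,  # None = simple bind
            })
        elif section in ("alias", "color"):
            key, _, value = line.partition("=")
            if section == "alias":
                cfg["alias"][key.strip()] = value.strip()
            else:
                cfg["color"].append((int(key.strip()), value.strip()))
    cfg["color"].sort()
    return cfg


def resolve_connection(cfg, host, port):
    """Pick the most specific [connection] entry for host:port as stored in a
    replication agreement; a configured shadow port replaces the agreement port."""
    best, best_score = None, -1
    for entry in cfg["connection"]:
        score = 0
        if entry["host"] != "*":
            if entry["host"].lower() != host.lower():
                continue
            score += 1
        if entry["port"] != "*":
            if entry["port"] != str(port):
                continue
            score += 1
        if score > best_score:
            best, best_score = entry, score
    if best is None:
        return None
    return {"host": host, "port": int(best["shadowport"] or port),
            "binddn": best["binddn"], "bindpwd": best["bindpwd"],
            "bindcert": best["bindcert"], "simple_bind": best["bindcert"] is None}


def display_name(cfg, host, port):
    """Alias from [alias] if defined, else the host:port form the report shows."""
    target = f"{host}:{port}"
    return next((a for a, hp in cfg["alias"].items() if hp == target), target)


def lag_color(cfg, lag_minutes):
    """Colour for a CSN time lag: the [color] entry with the highest lowmark <= lag."""
    colour = None
    for lowmark, value in cfg["color"]:
        if lag_minutes >= lowmark:
            colour = value
    return colour
```

Because the script reads the bind credentials from this file rather than from the server, the file deserves the same file-permission care as any other credential store; the parser above treats an empty or "*" bindcert as a simple bind, exactly as the description says.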

10.4.21. schema-reload.pl (Reload Schema Files Dynamically)


Manually reloads the schema files used by the Red Hat Directory Server instance either in
the default location or in user-specified locations.

To run this script, the server must be running. The script creates an entry in the directory
that launches this dynamic task.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

schema-reload.pl -D rootdn -w password | -w - | -j filename [ -d schema_directory ]

Options

Table 10.36. schema-reload.pl Options

-d schema_directory
    Gives the full path to the directory where the schema file is located. If this is not specified, the script uses the default schema directory, /etc/dirsrv/schema.

    IMPORTANT

    If schema files are not in the default directory, then Directory Server will not use them the next time it restarts unless schema-reload.pl is run again.

-D rootdn
    Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config.

-j filename
    The name of the file containing the password.

-w password
    The password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

10.4.22. setup-ds.pl
The setup-ds.pl script is used to create a Directory Server instance. Running this script
with the -u option after the instances are configured updates the configuration with the
latest installed packages.

NOTE

This script only creates a Directory Server instance, not an Administration Server. For
the new instance to work, there has to be an Administration Server and Configuration
Directory Server installed on another machine.

Information can be passed with the script or in an .inf file. If no options are used, the
setup-ds.pl launches an interactive configuration program.

Both the .inf parameters and command-line arguments are described in the silent
configuration section of the Installation Guide.


NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

setup-ds.pl [ --debug ] [ --silent ] [ --file=name ] [ --keepcache ] [ --log=name ] [ --update ] [ slapd.InstScriptsEnabled=boolean ]

Options

--silent (-s)
    This runs the register script in silent mode, drawing the configuration information from a file (set with the --file parameter) or from arguments passed in the command line rather than interactively.

--file=name (-f name)
    This sets the path and name of the file which contains the configuration settings for the new Directory Server instance. This can be used with the --silent parameter; if used alone, it sets the default values for the setup prompts.

--debug (-d[dddd])
    This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level.

--keepcache (-k)
    This saves the temporary installation file (.inf) that is created when the register script is run. This file can then be reused for a silent setup. This file is always generated, but is usually deleted once the install is complete. The file is created as a log file named /tmp/setuprandom.inf, like /tmp/setuplGCZ8H.inf.

    WARNING

    The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.

--logfile name (-l)
    This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null.

--update (-u)
    This parameter updates existing Directory Server instances. If an installation is broken in some way, this option can be used to update or replace missing packages and then re-register all of the local instances with the Configuration Directory.

slapd.InstScriptsEnabled=true|false
    This parameter determines if setup-ds.pl creates the instance-specific scripts in the /usr/lib64/dirsrv/slapd-instance_name/ directory. The default is false. However, existing scripts in this directory are updated when running the setup-ds.pl --update command. Regardless of the setting, the instance-independent script versions are installed in the /usr/sbin/ directory.

10.4.23. setup-ds-admin.pl
The setup-ds-admin.pl script is used to create a Directory Server instance and a new
Administration Server instance. Running this script with the -u option after the instances
are configured updates the configuration with the latest installed packages.

Information can be passed with the script or in an .inf file. If no options are used, the
setup-ds-admin.pl launches an interactive configuration program.

Both the .inf parameters and command-line arguments are described in the silent
configuration section of the Installation Guide.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

setup-ds-admin.pl [ --debug ] [ --silent ] [ --file=name ] [ --keepcache ] [ --log=name ] [ --update ] [ slapd.InstScriptsEnabled=boolean ]

Options


--silent (-s)
    This runs the register script in silent mode, drawing the configuration information from a file (set with the --file parameter) or from arguments passed in the command line rather than interactively.

--file=name (-f name)
    This sets the path and name of the file which contains the configuration settings for the new Directory Server instance. This can be used with the --silent parameter; if used alone, it sets the default values for the setup prompts.

--debug (-d[dddd])
    This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level.

--keepcache (-k)
    This saves the temporary installation file (.inf) that is created when the register script is run. This file can then be reused for a silent setup. This file is always generated, but is usually deleted once the install is complete. The file is created as a log file named /tmp/setuprandom.inf, like /tmp/setuplGCZ8H.inf.

    WARNING

    The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file.

--logfile name (-l)
    This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null.

--update (-u)
    This parameter updates existing Directory Server instances. If an installation is broken in some way, this option can be used to update or replace missing packages and then re-register all of the local instances with the Configuration Directory.

slapd.InstScriptsEnabled=true|false
    This parameter determines if setup-ds-admin.pl creates the instance-specific scripts in the /usr/lib64/dirsrv/slapd-instance_name/ directory. The default is false. However, existing scripts in this directory are updated when running the setup-ds.pl --update command. Regardless of the setting, the instance-independent script versions are installed in the /usr/sbin/ directory.
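The --keepcache warning, which applies to setup-ds.pl and setup-ds-admin.pl alike, is worth turning into a routine check after an installation. The following added example is not part of the Red Hat documentation and not code from either setup script: it scans a directory for setup*.inf cache files, lists the keys that still hold password values (without printing the values) and reports whether the file mode lets group or other users read the file. It assumes the INI-style layout described above, identifies password keys by a Pwd or Password suffix, and uses constructed sample content: General.ConfigDirectoryAdminPwd is the key named on the page; the other keys and all values are sample data.

```python
# Added example (not part of the Red Hat documentation): locate setup cache
# files left behind by --keepcache or an interrupted run, report which of them
# still hold password values and whether other users can read them, without
# printing the passwords. Assumptions: the cache is an INI-style .inf named
# /tmp/setup<random>.inf as described above, and password-bearing keys end in
# "Pwd" or "Password" (General.ConfigDirectoryAdminPwd is named on the page;
# the other keys and all values in the sample are constructed).
import glob
import os
import stat
import tempfile

# Constructed sample .inf content; the values are placeholders, not real secrets.
SAMPLE_INF = """\
[General]
FullMachineName = ldap.example.com
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = placeholder-secret

[slapd]
ServerPort = 389
RootDN = cn=Directory Manager
RootDNPwd = placeholder-secret
"""


def password_keys(text):
    """Return 'Section.Key' names whose value looks like a stored password."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and value.strip() and (key.endswith("Pwd") or key.lower().endswith("password")):
            found.append(f"{section}.{key}" if section else key)
    return found


def audit_cache_file(path):
    """Report the password keys in one cache file and whether its mode lets
    group or other users read it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        keys = password_keys(fh.read())
    mode = os.stat(path).st_mode
    return {
        "path": path,
        "password_keys": keys,
        "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


def audit_cache_dir(directory="/tmp", pattern="setup*.inf"):
    """Audit every matching file; only files still holding passwords are returned."""
    reports = []
    for path in sorted(glob.glob(os.path.join(directory, pattern))):
        report = audit_cache_file(path)
        if report["password_keys"]:
            reports.append(report)
    return reports


def run_demo():
    """Write the constructed sample into a fresh temporary directory with a
    world-readable mode, audit it, tighten the mode to 0600 and audit again."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "setupDEMO01.inf")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_INF)
    os.chmod(path, 0o644)
    before = audit_cache_dir(workdir)
    os.chmod(path, 0o600)
    after = audit_cache_dir(workdir)
    return before, after


if __name__ == "__main__":
    for stage, reports in zip(("before chmod", "after chmod"), run_demo()):
        for report in reports:
            print(stage, report["path"], report["password_keys"],
                  "readable by others:", report["group_or_world_readable"])
```

On a real host, audit_cache_dir() with its defaults looks at /tmp as the page describes; the demo function only exists so the check can be exercised against the constructed sample without touching /tmp.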

10.4.24. syntax-validate.pl (Validate Attribute Values)


Syntax validation checks every modification to attributes to make sure that the new value
has the required syntax for that attribute type. All attribute syntaxes are validated against
the definitions in RFC 4514.

Syntax validation is enabled by default. However, syntax validation only audits changes to
attribute values, such as when an attribute is added or modified. It does not validate the
syntax of existing attribute values.

Validation of existing attribute values can be done with the syntax validation script. This
script checks entries under a specified subtree (in the -b option) and, optionally, only
entries which match a specified filter (in the -f option).

If syntax validation is disabled or if a server is migrated, then there may be data in the
server which does not conform to attribute syntax requirements. The syntax validation
script can be run to evaluate those existing attribute values before enabling syntax
validation.


NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

syntax-validate.pl -D rootdn -w password | -w - | -j filename -b baseDN [ -f LDAP_filter ]

Options

Table 10.37. syntax-validate.pl Options

-b baseDN
    Gives the base DN for the entries to validate.

-D rootdn
    Gives the user DN with root permissions, such as Directory Manager or whatever the value of the nsslapd-root attribute is under cn=config.

-f LDAP_filter
    Contains a search filter to use to select a subset of entries to validate. If this is not given, then all entries under the base DN are checked.

-j filename
    The name of the file containing the password.

-w password
    The password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

10.4.25. usn-tombstone-cleanup.pl (Remove Deleted Entries)


If the USN Plug-in is enabled, then update sequence numbers (USNs) are set on every entry
whenever a normal directory operation, like add or modify, occurs on that entry. This is
reflected in the entryUSN operational attribute. This USN is set even when an entry is
deleted, and the tombstone entries are maintained by the Directory Server instance.

The usn-tombstone-cleanup.pl script deletes the tombstone entries maintained by the
instance if the USN Plug-in is enabled.

To run this script, the server must be running. The script creates an entry in the directory
that launches this dynamic task.


IMPORTANT

This tool can only be run if replication is not enabled. Replication maintains its
own tombstone store, and these tombstone entries cannot be deleted by the
USN Plug-in; they must be maintained by the replication processes. Thus,
Directory Server prevents users from running this script on replicated
databases.

Running usn-tombstone-cleanup.pl on a replicated back end will return this error in the
command line:

ldap_add: DSA is unwilling to perform

In the error log, there is a more explicit message that the suffix cannot have
tombstones removed because it is replicated:

[...] usn-plugin - Suffix dc=example,dc=com is replicated. Unwilling to perform cleaning up tombstones.

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

usn-tombstone-cleanup.pl -D rootdn -w password | -w - | -j filename -n backendInstance | -s suffix [ -m maximum_USN ]

Options
Either the -n or the -s option must be specified.

Table 10.38. usn-tombstone-cleanup.pl Options

-D rootdn
    Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config.

-j filename
    The name of the file containing the password.

-m maximum_USN
    Sets the upper bound for entries to delete. All tombstone entries with an entryUSN value up to the specified maximum (inclusive) are deleted, but not past that USN value. If no maximum USN value is set, then all back end tombstone entries are deleted.

-n backendInstance
    Gives the name of the database containing the entries to clean (delete).

-s suffix
    Gives the name of the suffix containing the entries to clean (delete).

-w password
    The password associated with the user DN.

-w -
    Prompts for the password associated with the user DN.

10.4.26. verify-db.pl (Check for Corrupt Databases)


Verifies the back end database files. If the server crashes because of a corrupted database,
this script can be used to verify the integrity of the different database files to help isolate
any problems.

IMPORTANT

Never run verify-db.pl when a modify operation is in progress. This
command calls the BerkeleyDB utility db_verify and does not perform any
locking. This can lead to data corruption if the script is run at the same time as
a modify. If that occurs, an entry will be recorded in the error log:

DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
DB ERROR: db_verify: DB->verify: db/mstest2/uid.db: DB_VERIFY_BAD: Database verification failed
Secondary index file uid.db in db/mstest2 is corrupted.
Please run db2index(.pl) for reindexing.

Run db2index -t uid to avoid rebuilding all of the indexes or export and
reimport all of the databases using db2ldif and ldif2db.
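As an added example that is not part of the Red Hat documentation, the following detection logic scans error-log lines for the db_verify messages quoted above and derives, for each corrupted file, the recovery the page names (db2index -t for a secondary index, or a db2ldif export and ldif2db import). The sample log lines are constructed from those messages with an assumed bracketed timestamp prefix; treating id2entry.db as the entry store that reindexing cannot rebuild is this example's distinction, not something the page states.

```python
# Added example (not part of the Red Hat documentation): detection logic for
# the error-log messages that db_verify (called by verify-db.pl) writes when an
# index file is corrupted, turned into a recovery plan. The sample lines are
# constructed from the messages quoted above; the bracketed timestamp prefix
# is assumed. Treating id2entry.db as the entry store that reindexing cannot
# rebuild is this example's distinction, not the page's.
import re

SAMPLE_ERROR_LOG = """\
[07/Jan/2019:12:00:01 +0000] DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
[07/Jan/2019:12:00:01 +0000] DB ERROR: db_verify: DB->verify: db/mstest2/uid.db: DB_VERIFY_BAD: Database verification failed
[07/Jan/2019:12:00:01 +0000] Secondary index file uid.db in db/mstest2 is corrupted.
[07/Jan/2019:12:00:01 +0000] Please run db2index(.pl) for reindexing.
[07/Jan/2019:12:00:02 +0000] DB ERROR: db_verify: DB->verify: db/mstest2/cn.db: DB_VERIFY_BAD: Database verification failed
[07/Jan/2019:12:00:02 +0000] Secondary index file cn.db in db/mstest2 is corrupted.
[07/Jan/2019:12:00:03 +0000] slapd started.
"""

# "DB->verify: <path>: DB_VERIFY_BAD" names the file db_verify rejected.
VERIFY_BAD_RE = re.compile(r"db_verify: DB->verify: (?P<path>\S+): DB_VERIFY_BAD")
# The server's own summary line names the index file and its database directory.
CORRUPT_RE = re.compile(r"Secondary index file (?P<file>\S+) in (?P<dir>\S+) is corrupted")


def find_corrupted_databases(log_text):
    """Return sorted (database_dir, db_file) pairs for every file reported bad."""
    found = set()
    for line in log_text.splitlines():
        m = VERIFY_BAD_RE.search(line)
        if m:
            directory, _, filename = m.group("path").rpartition("/")
            found.add((directory, filename))
        m = CORRUPT_RE.search(line)
        if m:
            found.add((m.group("dir"), m.group("file")))
    return sorted(found)


def recovery_plan(corrupted):
    """Map each corrupted file to the recovery named on the page: a secondary
    index is rebuilt with 'db2index -t <attribute>'; the entry store itself has
    no index to rebuild and needs a db2ldif export followed by ldif2db import."""
    plan = []
    for directory, filename in corrupted:
        attribute = filename[:-3] if filename.endswith(".db") else filename
        if attribute == "id2entry":
            plan.append((directory, filename, "db2ldif export, then ldif2db import"))
        else:
            plan.append((directory, filename, f"db2index -t {attribute}"))
    return plan


if __name__ == "__main__":
    for directory, filename, action in recovery_plan(find_corrupted_databases(SAMPLE_ERROR_LOG)):
        print(f"{directory}/{filename}: {action}")
```

Both patterns are collected because the two messages do not always arrive together: the DB_VERIFY_BAD line carries the full path, while the "is corrupted" line is the one a log-monitoring rule will usually key on.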

NOTE

This script is deprecated and will be removed in the next major version of
Red Hat Directory Server.

Syntax

verify-db.pl [ -a /path/to/database_directory ] [ -? ]

Options

Table 10.39. verify-db.pl Options

-a path
    Gives the path to the database directory. If this option is not passed with the verify-db.pl command, then it uses the default database directory, /var/lib/dirsrv/slapd-instance/db.

-?
    Opens the help page.


CHAPTER 11. GUI UTILITIES


This chapter provides information on the graphical user interface (GUI) utilities for
managing Directory Server.

11.1. REDHAT-IDM-CONSOLE

The redhat-idm-console command starts the Red Hat Directory Server Management
Console.

For further details about the Management Console, see the corresponding section in the
Red Hat Directory Server Administration Guide.

Syntax

redhat-idm-console [ -a admin_server_base_URL ] [ -f file_name ] [ -h ] [ -l language_code ] [ -s instance_name ] [ -u user_DN ] [ -w password ] [ -x options ] [ -y password_file ]

Options

Table 11.1. redhat-idm-console Options

Option Description

-a admin_server_base_URL Sets the base URL for the instance of the Administration Server to
log into.

-f file_name Logs errors and system messages to the file_name.

-h Displays the available command-line options and short descriptions.

-l language_code Sets the language code. For example, fr or gr.

-s instance_name|DN Sets the instance to access, either by the DN of the server instance
entry (SIE) or the instance name, such as slapd-instance_name.

-w - Reads the password from standard output.

-w password Sets the password to use to log into the Directory Server Console.

-x options Available options:

nowinpos: Displays the window in the upper-left corner of the screen.

nologo: Prevents the splash screen from being displayed. The application opens with the
login dialog.

javalaf: Enables the Java look and feel for the interface instead of using the
platform-specific style.

To set multiple options, separate them with a comma.

-x password_file Reads the password from the specified file.


APPENDIX A. USING THE NS-SLAPD COMMAND-LINE UTILITIES

Chapter 10, Command-Line Scripts discussed the scripts for performing routine
administration tasks on the Red Hat Directory Server (Directory Server). This appendix
discusses the ns-slapd command-line utilities that can be used to perform the same tasks.

The ns-slapd command-line utilities all perform server administration tasks, and, while it
can be argued that they allow a greater degree of flexibility for users, Red Hat recommends
using the command-line scripts described in Chapter 10, Command-Line Scripts.

A.1. OVERVIEW OF NS-SLAPD


ns-slapd is used to start the Directory Server process, to build a directory database from
an LDIF file, or to convert an existing database to an LDIF file. For more information on
starting and stopping the Directory Server, importing from LDIF using the command-line,
and exporting to LDIF using the command-line, see the "Populating Directory Databases"
chapter in the Red Hat Directory Server Administration Guide.

A.2. FINDING AND EXECUTING THE NS-SLAPD COMMAND-LINE UTILITIES

The ns-slapd command-line utilities are stored in /usr/sbin/.

NOTE

In order to execute the command-line utilities, set the same library paths that the
command-line scripts set.

A.3. UTILITIES FOR EXPORTING DATABASES: DB2LDIF


Exports the contents of the database to LDIF.

Syntax

ns-slapd db2ldif -D configDir -a outputFile [ -d debugLevel ] [ -n backendInstance ] [ -r ] [ -s includeSuffix ] [ -x excludeSuffix ] [ -N ] [ -u ] [ -U ] [ -m ] [ -M ] [ -E ]

With this command, enter the full path to the configuration directory,
/etc/dirsrv/slapd-instance. Either the -n or the -s option must be specified.

Options

Table A.1. db2ldif Options

Option Description

-a outputFile Defines the output file in which the server saves the exported LDIF. This file
is stored by default in the directory where the command-line utility resides.

-d debugLevel Specifies the debug level to use during the db2ldif runtime. For further
information, see Section 3.1.1.76, “nsslapd-errorlog-level (Error Log Level)”.

-D configDir Specifies the location of the server configuration directory that contains the
configuration information for the export process. This must be the full path to the
configuration directory, /etc/dirsrv/slapd-instance.

-E Decrypts an encrypted database during export. This option is used only if database
encryption is enabled.

-m Sets minimal base-64 encoding.

-M Uses several files to store the output LDIF, with each instance stored in
instance filename, where filename is the filename specified in option -a.

-n backendInstance Specifies the name of the back end instance to be exported.

-N Specifies that entry IDs are not to be included in the LDIF output. The entry IDs are
necessary only if the db2ldif output is to be used as input to db2index.

-r Exports replication state information. The server must be shut down before exporting
using this option.

-s includeSuffix Specifies the suffix or suffixes to include in the export. There can be
multiple -s arguments.

-u Specifies that the unique ID will not be included in the LDIF output. By default, the
server includes the unique ID for all entries with a unique ID in the exported LDIF file. Only
use this option to use the exported LDIF to initialize a 4.x consumer server; otherwise, this
option does not cause the server to create a unique ID for entries but simply takes what
already exists in the database.

-U Outputs the contents of the database without wrapping lines.

-x excludeSuffix Specifies a suffix or suffixes to exclude from the export. There can be
multiple -x arguments. If neither -s nor -x is specified, the server exports all suffixes within
the database. When using both -x and -s options with the same suffix, the -x operation
takes precedence. Exclusion always takes precedence over inclusion. If the LDIF file will be
imported into the configuration directory, do not exclude o=NetscapeRoot.

A.4. UTILITIES FOR RESTORING AND BACKING UP DATABASES: LDIF2DB

Imports LDIF files to the database.

Syntax

ns-slapd ldif2db -D configDir -i ldifFile [ -d debugLevel ] [ -g string ] [ -n backendInstance ] [ -O ] [ -s includeSuffix ] [ -x excludeSuffix ] [ -E ]

Enter the full path to the server configuration directory (configdir). ldifFile is the name of
the file containing the LDIF to be imported. There is an example LDIF file under the
/var/lib/dirsrv/slapd-instance/ldif directory. Either the -n or the -s option must be
specified.

Options

Table A.2. ldif2db Options

Option Description

-d debugLevel Specifies the debug level to use during runtime. For further information, see
Section 3.1.1.76, “nsslapd-errorlog-level (Error Log Level)”.

-D configDir Specifies the location of the server configuration directory that contains the
configuration information for the import process. This must be the full path to the
configuration directory, /etc/dirsrv/slapd-instance.

-E Decrypts an encrypted database during export. This option is used only if database
encryption is enabled.

-g string Generates a unique ID. Type none for no unique ID to be generated and
deterministic for the generated unique ID to be name-based. By default, a time-based
unique ID is generated.

When using the deterministic generation to have a name-based unique ID, it is also
possible to specify the namespace for the server to use, as follows:

-g deterministic namespaceId

namespaceId is a string of characters in the format
00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.

Use this option to import the same LDIF file into two different Directory Servers when the
contents of both directories should have the same set of unique IDs. If unique IDs already
exist in the LDIF file being imported, then the existing IDs are imported to the server,
regardless of the options specified.

-i ldifFile Specifies the LDIF file to be imported. This option is required. There can be
multiple -i arguments to import more than one LDIF file at a time. When importing multiple
files, the server imports the LDIF files in the order they are specified on the command line.

-n backendInstance Specifies the name of the back end to be imported.

-O Specifies that no attribute indexes are created for the imported database. If this option
is specified and the indexes need to be restored later, the indexes have to be recreated by
hand. See the Red Hat Directory Server Administration Guide for further information.

-s includeSuffix Specifies the suffix or suffixes within the LDIF file to import.

-x excludeSuffix Specifies suffixes within the LDIF file to exclude during the import. There
can be multiple -x arguments. This option can selectively import portions of the LDIF file. If
both -x and -s are used with the same suffix, -x takes precedence. Exclusion always takes
precedence over inclusion. If neither -x nor -s is specified, then all available suffixes will be
imported from the LDIF file. To import the LDIF file into the configuration directory, do not
exclude o=NetscapeRoot.
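The -s/-x precedence rules stated for db2ldif (Table A.1) and ldif2db (Table A.2) are the same: an entry under any excluded suffix is dropped, and what remains is kept when no -s was given at all or when it sits under an included suffix. The following Python is an added illustration of those rules, not ns-slapd code and not part of the Red Hat documentation. The DN comparison it uses (split on commas, trim, case-fold) is a deliberate simplification that does not handle RFC 4514 escaping, and the sample DNs are constructed.

```python
"""Model the -s (include) / -x (exclude) suffix selection of ns-slapd db2ldif and ldif2db.

Added illustration, not the ns-slapd implementation. DN handling is simplified
(no RFC 4514 escaping support) on purpose.
"""


def _rdns(dn):
    """Split a DN into normalized RDNs: surrounding whitespace stripped, case folded."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_under_suffix(dn, suffix):
    """True when dn is the suffix entry itself or lies anywhere below it."""
    d, s = _rdns(dn), _rdns(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def entry_selected(dn, include=(), exclude=()):
    """Documented precedence: exclusion always wins; with no -s at all everything is selected."""
    if any(dn_under_suffix(dn, x) for x in exclude):
        return False
    if not include:
        return True
    return any(dn_under_suffix(dn, s) for s in include)


def filter_entries(dns, include=(), exclude=()):
    """Return the subset of dns that db2ldif/ldif2db would process, preserving order."""
    return [dn for dn in dns if entry_selected(dn, include, exclude)]


def excludes_config_suffix(exclude):
    """Flag an -x that would drop o=NetscapeRoot, which the tables warn against when the
    LDIF is meant for the configuration directory."""
    return any(dn_under_suffix("o=NetscapeRoot", x) for x in exclude)


# Constructed sample DNs, not taken from a real instance
SAMPLE_DNS = [
    "dc=example,dc=com",
    "ou=people,dc=example,dc=com",
    "uid=alice,ou=people,dc=example,dc=com",
    "ou=groups,dc=example,dc=com",
    "o=NetscapeRoot",
    "cn=config,o=NetscapeRoot",
]

if __name__ == "__main__":
    # Equivalent of: -s dc=example,dc=com -x ou=people,dc=example,dc=com
    for dn in filter_entries(SAMPLE_DNS, ["dc=example,dc=com"],
                             ["ou=people,dc=example,dc=com"]):
        print(dn)
```

Running the block prints only dc=example,dc=com and ou=groups,dc=example,dc=com: the people subtree is excluded even though its parent is included, and the o=NetscapeRoot entries are left out because an -s was given that does not cover them.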

A.5. UTILITIES FOR RESTORING AND BACKING UP DATABASES: ARCHIVE2DB

Restores database from the archives.

Syntax

ns-slapd archive2db -D configDir -a archiveDir

Options

Table A.3. archive2db Options

Option Description

-D configDir Specifies the location of the server configuration directory that contains the
configuration information for the index creation process. This must be the full path to the
configuration directory, /etc/dirsrv/slapd-instance.

-a archiveDir Specifies the archive directory.

A.6. UTILITIES FOR RESTORING AND BACKING UP DATABASES: DB2ARCHIVE

Backs up all databases to the archives.

Syntax

ns-slapd db2archive -D configDir -a archiveDir

Options

Table A.4. db2archive Options


Option Description

-D configDir Specifies the location of the server configuration directory that contains the
configuration information for the index creation process. This must be the full path to the
configuration directory, /etc/dirsrv/slapd-instance.

-a archiveDir Specifies the archive directory.

A.7. UTILITIES FOR CREATING AND REGENERATING INDEXES: DB2INDEX

Creates and regenerates indexes.

Syntax

ns-slapd db2index -D configDir [ -d debugLevel ] -n backendName -t attributeName[:indexTypes{:matchingRules}] [ -T vlvTag ]

Options

Table A.5. db2index Options

Option Description

-d debugLevel Specifies the debug level to use during index creation. For further
information, see Section 3.1.1.76, “nsslapd-errorlog-level (Error Log Level)”.

-D configDir Specifies the location of the server configuration directory that contains the
configuration information for the index creation process. This must be the full path to the
configuration directory, /etc/dirsrv/slapd-instance.

-n backendName Specifies the name of the back end containing the entries to index.

-t attributeName[:indexTypes{:matchingRules}] Specifies the attribute to be indexed as
well as the types of indexes to create and matching rules to apply, if any. If the matching
rule is specified, an index type must be specified. This option cannot be used with -T.
indexTypes specifies a comma-separated list of indexes to be created for the attributes.
matchingRules is an optional, comma-separated list of the OIDs for the languages in which
the attribute will be indexed. This option is used to create international indexes. For
information on supported locales and collation order OIDs, see the Appendix
"Internationalization" in the Red Hat Directory Server Administration Guide.

-T vlvTag Specifies the VLV tag to use to create VLV indexes. The Console can be used to
specify VLV tags for each database supporting the directory tree, as described in the Red
Hat Directory Server Administration Guide. Additional VLV tags can be defined by creating
them in LDIF and adding them in the Directory Server configuration. This option cannot be
used with -t.


APPENDIX B. TESTING SCRIPTS AVAILABLE WITH DIRECTORY SERVER

Red Hat Directory Server provides two scripts which can be used to test Directory Server
performance in different stress or load conditions. The test scripts simulate different
environments which allow administrators to assess configuration or machine changes
before putting them in production.

Both ldclt and rsearch are located in the /usr/bin directory.

B.1. LDCLT (LOAD STRESS TESTS)


The LDAP client script (ldclt) establishes multiple client connections to a server, under
user-defined scenarios, to load-test the Directory Server. Client operations include directory
adds, searches, modifies, modRDNs, and deletes, as well as setup operations like generating
LDIF files. Operations can be randomized — binding and unbinding as random users,
performing random tasks — to simulate more realistic usage environments for the
directory.

The ldclt tool measures the completion time of continuously-repeated operations to
measure Directory Server performance. Using multiple threads makes it possible to test
performance under high loads. Each test performs the same type of LDAP operation, but
with different settings (like different user credentials, different attribute types or sizes, and
different target subtrees).

Along with defining the LDAP operation variables, administrators can control the thread
performance in order to set a specific load on the server.

The ldclt tool is specifically intended to be used for automated tests, so its options are
extensive, flexible, and easily scripted, even for complex test operations.

NOTE

Remember that ldclt is a load test, and therefore uses a significant amount
of system resources. The tool uses a minimum of 8 MB of memory. Depending
on the numbers of threads, types of operations, and other configuration
settings, it can use much more memory.

Depending on the type of operations and the directory data used for those
operations, ldclt may set its own resource limits. For information on
managing system resource limits, see the man pages for ulimit and
getrlimit.

The ldclt utility is located in the /usr/bin directory.

B.1.1. Syntax
ldclt [ -q | -Q | -v | -V ] [ -E max_errors ] [ -b base_DN ] [ -h host ] [ -p port ] [ -t timeout ] [ -D bind_DN ] [ -w password ] [ -o SASL_options ] [ -e execution_params ] [ -a max_pending ] [ -n number_of_threads ] [ -i inactivity_times ] [ -N number_of_samples ] [ -I error_code ] [ -T total_number_of_operations ] [ -r low_range ] [ -R high_range ] [ -f filter ] [ -s scope ] [ -S consumer ] [ -P supplier_port ] [ -W wait_time ] [ -Z certificate_file ]


B.1.2. ldclt Options


Table B.1. ldclt Options

Option Description

-a max_pending_ops Runs the tool in asynchronous mode with a defined maximum number of
pending operations.

-b base_dn Gives the base DN to use for running the LDAP operation tests. If not given, the
default value is dc=example,dc=com.

-D bind_dn Gives the bind DN for the ldclt utility to use to connect to the server.

-E max_errors Sets the maximum number of errors that are allowed to occur in test LDAP
operations before the tool exits. The default is 1000.

-e execution_params Specifies the type of operation and other test environment parameters
to use for the tests. The possible values for -e are listed in Table B.2, “Execution
Parameters”. This option can accept multiple values, in a comma-separated list.

-f filter Gives an LDAP search filter to use for search testing.

-h Specifies the host name or IP address of the Directory Server to run tests against. If a
host is not specified, ldclt uses the local host.

-I error_code Tells ldclt to ignore any errors encountered that match a certain response
code. For example, -I 89 tells the server to ignore error code 89.

-i inactivity_times Sets a number of intervals that the tool can be inactive before exiting.
By default, this setting is 3, which translates into 30 seconds (each operations interval being
10 seconds long).

-N number_of_samples Sets the number of iterations to run, meaning how many ten-second
test periods to run. By default, this is infinite and the tool only exits when it is manually
stopped.

-n number_of_threads Sets the number of threads to run simultaneously for operations. The
default value is 10.

-o SASL_option Tells the tool to connect to the server using SASL and gives the SASL
mechanism to use. The format is -o saslOption=value. saslOption can have one of six values:

mech, the SASL authentication mechanism

authid, the user who is binding to the server (Kerberos principal)

authzid, a proxy authorization (ignored by the server since proxy authorization is not
supported)

secProp, the security properties

realm, the Kerberos realm

flags

The expected values depend on the supported mechanism. The -o can be used multiple
times to pass all of the required SASL information for the mechanism. For example:

-o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user"

-P master_port Gives the port to use to connect to a supplier server for replication testing.
The default, if one is not given, is 16000.

-p port Gives the server port number of the Directory Server instance that is being tested.

-Q Runs the tool in "super" quiet mode. This ignores any errors that are encountered in
operations run by ldclt.

-q Runs the tool in quiet mode.

-R number Sets the high number for a range.

-r number Sets the low number of a range.

-S consumer_name Gives the host name of a consumer server to connect to run replication
tests.

-s scope Gives the search scope. As with ldapsearch, the values can be subtree, one, or
base.

-T ops_per_thread Sets a maximum number of operations allowed per thread.

-t timeout Sets a timeout period for LDAP operations. The default is 30 seconds.

-V Runs the tool in very verbose mode.

-v Runs the tool in verbose mode.

-W wait_time Sets a time, in seconds, for the ldclt tool to wait after one operation finishes
to start the next operation. The default is 0, which means there is no wait time.

-w password Gives the password to use, with the -D identity, to bind to the Directory Server
for testing.

-Z /path/to/cert.db Enables TLS for the test connections and points to the file to use as the
certificate database.

The -e option sets execution parameters for the ldclt test operations. Multiple parameters
can be configured, in a comma-separated list. For example:

-e add,bindeach,genldif=/var/lib/dirsrv/slapd-instance/ldif/generated.ldif,inetOrgPerson

Table B.2. Execution Parameters

Parameter Description

abandon Initiates abandon operations for asynchronous search requests.

add Adds entries to the directory (ldapadd).

append Appends entries to the end of the LDIF file generated with the genldif option.

ascii Generates ASCII 7-bit strings.

attreplace=name:mask Runs modify operations that replace an attribute (name) in an
existing entry.

attrlist=name:name:name Specifies a list of attributes to return in a search operation.

attrsonly=# Used with search operations, to set whether to read the attribute values. The
possible values are 0 (read values) or 1 (do not read values).

bindeach Tells the ldclt tool to bind with each operation it attempts.

bindonly Tells the ldclt tool to only run bind/unbind operations. No other operation is
performed.

close Tells the tool to close the connection rather than perform an unbind operation.

cltcertname=name Gives the name of the TLS client certificate to use for TLS connections.

commoncounter Makes all threads opened by the ldclt tool share the same counter.

counteach Tells the tool to count each operation, not only successful ones.

delete Initiates delete operations.

deref Adds the dereference control to search operations (esearch). With adds, this tells
ldclt to add the secretary attribute to new entries, to allow dereference searches.

dontsleeponserverdown Causes the tool to loop very fast if the server is down.

emailPerson This adds the emailPerson object class to generated entries. This is only valid
with the add operation (-e add).

esearch Performs an exact search.

genldif=filename Generates an LDIF file to use with the operations.

imagesdir=path Gives a location for images to use with tests.

incr Enables incremental values.

inetOrgPerson This adds the inetOrgPerson object class to generated entries. This is only
valid with the add operation (-e add).

keydbfile=file Contains the path and file name of the key database to use with TLS
connections.

keydbpin=password Contains the token password to access the key database.

noglobalstats Tells the tool not to print periodical global statistics.

noloop Does not loop the incremental numbers.

object=filename Builds entry objects from an input file.

person This adds the person object class to generated entries. This is only valid with the
add operation (-e add).

random Tells the ldclt utility to use all random elements, such as random filters and
random base DNs.

randomattrlist=name:name:name Tells the ldclt utility to select random attributes from the
given list.

randombase Tells the ldclt utility to select a random base DN from the directory.

randombaselow=value Sets the low value for the random generator.

randombasehigh=value Sets the high value for the random generator.

randombinddn Tells the ldclt utility to use a random bind DN.

randombinddnfromfile=file Tells the ldclt utility to use a random bind DN, selected from a
file. Each entry in the file must have the appropriate DN–password pair.

randombinddnlow=value Sets the low value for the random generator.

randombinddnhigh=value Sets the high value for the random generator.

rdn=attrname:value Gives an RDN to use as the search filter. This is used instead of the -f
filter.

referral=value Sets the referral behavior for operations. There are three options: on (allow
referrals), off (disallow referrals), or rebind (attempt to connect again).

smoothshutdown Tells the ldclt utility not to shut down its main thread until the worker
threads exit.

string Tells the ldclt utility to create random strings rather than random numbers.

v2 Tells the ldclt utility to use LDAPv2 for test operations.

withnewparent Performs a modRDN operation, renaming an entry with newparent set as an
argument.

randomauthid Uses a random SASL authentication ID.

randomauthidlow=value Sets the low value for a random SASL authentication ID.

randomauthidhigh=value Sets the high value for the random SASL authentication ID.

B.1.3. Results from ldclt


ldclt continuously runs whatever operation is specified, over the specified number of
threads. By default, it prints the performance statistics to the screen every ten (10)
seconds.

The results show the average number of operations per thread and per second and then
the total number of operations that were run in that ten-second window.

ldclt[process_id] Average rate: number_of_ops/thr (number_of_ops/sec), total: total_number_of_ops


For example:

ldclt[22774]: Average rate: 10298.20/thr (15447.30/sec), total: 154473

ldclt prints cumulative averages and totals every 15 minutes and when the tool is exited.

ldclt[22774]: Global average rate: 821203.00/thr (16424.06/sec), total: 12318045
ldclt[22774]: Global number times "no activity" reports: never
ldclt[22774]: Global no error occurs during this session.
Catch SIGINT - exit...
ldclt[22774]: Ending at Wed Feb 24 18:39:38 2010
ldclt[22774]: Exit status 0 - No problem during execution.

Some operations (like adds) and using verbose output options like -v or -V output
additional data to the screen. The kind of information depends on the type of operation,
but it generally shows the thread performing the operation and the plug-ins called by the
operation. For example:

ldclt -b ou=people,dc=example,dc=com -D "cn=Directory Manager" -w secret12 -e add,person,incr,noloop,commoncounter -r90000 -R99999 -f "cn=testXXXXX" -V

...
ldclt[11176]: T002: After ldap_simple_bind_s (cn=Directory Manager,
secret12)
ldclt[11176]: T002: incremental mode:filter="cn=test00009"
ldclt[11176]: T002: tttctx->bufFilter="cn=test00009"
ldclt[11176]: T002: attrs[0]=("objectclass" , "person")
ldclt[11176]: T002: attrs[1]=("cn" , "test00009")
ldclt[11176]: T002: attrs[2]=("sn" , "toto sn")
...
ldclt[11176]: Average rate: 195.00/thr ( 195.00/sec), total: 1950
ldclt[10627]: Global average rate: 238.80/thr (238.80/sec), total: 2388
ldclt[10627]: Global number times "no activity" reports: never
ldclt[10627]: Global no error occurs during this session.
Catch SIGINT - exit...
ldclt[10627]: Ending at Tue Feb 23 11:46:04 2010
ldclt[10627]: Exit status 0 - No problem during execution.

Most errors are handled by ldclt without interrupting the test. Any fatal errors that are
encountered are listed with the tool's exit status and returned in the cumulative total.

Global no error occurs during this session.

Any LDAP operations errors that occur are handled within the thread. A connection error
kills the thread without affecting the overall test. The ldclt utility does count the number
of times each LDAP error is encountered; if the total number of errors that are logged hits
more than 1000 (by default), then the script itself will error out.

The way that ldclt responds to LDAP errors can be configured. Using the -E option sets a
different threshold for the script to error out after encountering LDAP errors. Using the -I
option tells the script to ignore the specified LDAP error codes in all threads. Changing the
error exit limit and ignoring certain error codes can allow you to tweak and improve test
scripts or test configuration.

B.1.4. Exiting ldclt and ldclt Exit Codes


The ldclt command runs indefinitely. The script can stop itself in a handful of situations,
like encountering a fatal runtime or initialization error, hitting the limit of LDAP errors,
having all threads die, or hitting the operation or time limit.

The statistics for the run are not displayed until the command completes, either through
the script exiting or by a user terminating the script. There are two ways to interrupt the
ldclt script.

Hitting control—backslash (^\) or kill -3 prints the current statistics without exiting the
script.

Hitting control—C (^C) or kill -2 exits the script and prints the global statistics.

When the ldclt script exits or is interrupted, it returns an exit code along with the
statistics and error information.

Table B.3. ldclt Exit Codes

Exit Code Description

0 Success (no errors).

1 An operation encountered a serious fatal error.

2 There was an error in the parameters passed with the tool.

3 The tool hit the maximum number of LDAP errors.

4 The tool could not bind to the Directory Server instance.

5 The tool could not load the TLS libraries to connect over TLS.

6 There was a multithreading (mutex) error.

7 There was an initialization problem.

8 The tool hit a resource limit, such as a memory allocation error.

99 The script encountered an unknown error.
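Because ldclt is intended for automated tests, the statistics lines described in Section B.1.3 and the exit codes in Table B.3 are what a test harness has to interpret. The following Python is an added example, not part of ldclt and not from the Red Hat documentation: it parses the per-interval and global rate lines, maps the exit status through Table B.3, and decides whether a run met a throughput floor. The sample output is constructed from the lines shown in Section B.1.3 plus one made-up second interval line, and the regular expressions assume the line layout shown there.

```python
"""Interpret ldclt statistics and exit status in an automated test harness.

Added example, not part of ldclt. Line formats follow Section B.1.3; the exit
code table is Table B.3.
"""
import re

# Table B.3, ldclt exit codes
LDCLT_EXIT_CODES = {
    0: "Success (no errors).",
    1: "An operation encountered a serious fatal error.",
    2: "There was an error in the parameters passed with the tool.",
    3: "The tool hit the maximum number of LDAP errors.",
    4: "The tool could not bind to the Directory Server instance.",
    5: "The tool could not load the TLS libraries to connect over TLS.",
    6: "There was a multithreading (mutex) error.",
    7: "There was an initialization problem.",
    8: "The tool hit a resource limit, such as a memory allocation error.",
    99: "The script encountered an unknown error.",
}

# Matches both the ten-second "Average rate" line and the cumulative "Global average rate" line
_RATE_RE = re.compile(
    r"^ldclt\[(?P<pid>\d+)\]:\s+(?P<kind>Global average|Average) rate:\s+"
    r"(?P<thr>[\d.]+)/thr\s+\(\s*(?P<sec>[\d.]+)/sec\),\s+total:\s+(?P<total>\d+)$"
)
_EXIT_RE = re.compile(r"^ldclt\[\d+\]:\s+Exit status (?P<code>\d+) - (?P<msg>.*)$")
_NOACT_RE = re.compile(r'^ldclt\[\d+\]:\s+Global number times "no activity" reports: (?P<n>\S+)$')


def parse_ldclt_output(text):
    """Reduce ldclt console output to a summary dict.

    samples: one (ops/thread, ops/sec, total) tuple per ten-second interval
    global:  the cumulative (ops/thread, ops/sec, total) line, when printed
    """
    summary = {"pid": None, "samples": [], "global": None,
               "no_activity_reports": None, "exit_code": None, "exit_meaning": None}
    for line in text.splitlines():
        line = line.strip()
        m = _RATE_RE.match(line)
        if m:
            summary["pid"] = int(m.group("pid"))
            stats = (float(m.group("thr")), float(m.group("sec")), int(m.group("total")))
            if m.group("kind") == "Global average":
                summary["global"] = stats
            else:
                summary["samples"].append(stats)
            continue
        m = _NOACT_RE.match(line)
        if m:
            summary["no_activity_reports"] = m.group("n")
            continue
        m = _EXIT_RE.match(line)
        if m:
            code = int(m.group("code"))
            summary["exit_code"] = code
            # Fall back to ldclt's own message for a code Table B.3 does not list
            summary["exit_meaning"] = LDCLT_EXIT_CODES.get(code, m.group("msg"))
    return summary


def achieved_ops_per_sec(summary):
    """Global ops/sec when available, else the mean of the interval samples, else 0.0."""
    if summary["global"] is not None:
        return summary["global"][1]
    if summary["samples"]:
        return sum(s[1] for s in summary["samples"]) / len(summary["samples"])
    return 0.0


def run_passed(summary, min_ops_per_sec):
    """A run passes only with exit status 0 and a sustained rate at or above the floor."""
    return summary["exit_code"] == 0 and achieved_ops_per_sec(summary) >= min_ops_per_sec


# Constructed sample: the first and third rate lines are the ones printed in Section B.1.3,
# the second interval line is made up so that several samples are present.
SAMPLE_OUTPUT = """\
ldclt[22774]: Average rate: 10298.20/thr (15447.30/sec), total: 154473
ldclt[22774]: Average rate:  9870.10/thr (14805.15/sec), total: 148051
ldclt[22774]: Global average rate: 821203.00/thr (16424.06/sec), total: 12318045
ldclt[22774]: Global number times "no activity" reports: never
ldclt[22774]: Global no error occurs during this session.
Catch SIGINT - exit...
ldclt[22774]: Ending at Wed Feb 24 18:39:38 2010
ldclt[22774]: Exit status 0 - No problem during execution.
"""

if __name__ == "__main__":
    s = parse_ldclt_output(SAMPLE_OUTPUT)
    print(f"pid {s['pid']}: {len(s['samples'])} samples, {achieved_ops_per_sec(s):.2f} ops/sec, "
          f"exit {s['exit_code']} ({s['exit_meaning']})")
```

A harness built this way treats any non-zero exit status as a failed run before it looks at throughput, so a run that stopped because the -E error limit was hit (exit code 3) cannot be mistaken for a slow but healthy one.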

B.1.5. Usage Scenarios


These provide general examples of using ldclt to test Directory Server. Test scripts with
more complex examples are available in the ldclt source files. These can be downloaded
from the 389 Directory Server Project,
https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/slapd/tools/ldclt/examples.

Every ldclt command requires a set of execution parameters (which varies depending on
the type of test) and connection parameters (which are the same for every type of
operation). For example:

# ldclt -e execution_parameters -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com"

When ldclt runs, it first prints all of the configured parameters for that test.

Process ID = 1464
Host to connect = localhost
Port number = 389
Bind DN = cn=Directory Manager
Passwd = secret
Referral = on
Base DN = ou=people,dc=example,dc=com
Filter = "cn=MrXXX"
Max times inactive = 3
Max allowed errors = 1000
Number of samples = -1
Number of threads = 10
Total op. req. = -1
Running mode = 0xa0000009
Running mode = quiet verbose random exact_search
LDAP oper. timeout = 30 sec
Sampling interval = 10 sec
Scope = subtree
Attrsonly = 0
Values range = [0 , 1000000]
Filter's head = "cn=Mr"
Filter's tail = ""

B.1.5.1. Generating LDIFs

The ldclt tool itself can be used to generate LDIF files that can be used for testing.

NOTE

When generating an LDIF file, the ldclt tool does not attempt to connect to a
server or run any operations.

Generating an LDIF file requires a basic template file that the tool uses to create entries
(-e object), and then a specified output file (-e genldif).

The template file can give explicit values for entry attributes or can use variables. If you
want a simple way to supply unique values for entry attributes, the
/usr/share/dirsrv/data directory contains three data files to generate surnames, first
names, and organizational units. These lists of values can be used to create test users and
directory trees (dbgen-FamilyNames, dbgen-GivenNames, and dbgen-OrgUnits,
respectively). These files can be used with the rndfromfile, incrfromfile, or
incrfromfilenoloop options.

The basic format of the template file is:

# comment

attribute: string | variable=keyword(value)

The variable can be any letter from A to H. The possible keywords are listed in Table B.4,
“ldclt Template LDIF File Keywords”

Some variables and keywords can be passed with the -e object option and other available
parameters (like rdn).

-e object=inet.txt,rdn='uid:[A=INCRNNOLOOP(0;99999;5)]'

Table B.4. ldclt Template LDIF File Keywords

Keyword Description Format

RNDN Generates a random value within the specified range (low - high) and of the given
length. Format: RNDN(low;high;length)

RNDFROMFILE Pulls a random value from any of the ones available in the specified file.
Format: RNDFROMFILE(filename)

INCRN Creates sequential values within the specified range (low - high) and of the given
length. Format: INCRN(low;high;length)

INCRNOLOOP Creates sequential values within the specified range (low - high) and of the
given length — without looping through the incremental range. Format:
INCRNOLOOP(low;high;length)

INCRFROMFILE Creates values by incrementing through the values in the specified file.
Format: INCRFROMFILE(filename)

INCRFROMFILENOLOOP Creates values by incrementing through the values in the file,
without looping back through the values. Format: INCRFROMFILENOLOOP(filename)

RNDS Generates random values of a given length. Format: RNDS(length)

For example, this template file pulls names from sample files in the
/usr/share/dirsrv/data and builds other attributes dynamically.

Example B.1. Example Template File

objectclass: inetOrgPerson
sn: [B=RNDFROMFILE(/usr/share/dirsrv/data/dbgen-FamilyNames)]
cn: [C=RNDFROMFILE(/usr/share/dirsrv/data/dbgen-GivenNames)] [B]
password: test[A]
description: user id [A]
mail: [C].[B]@example.com
telephonenumber: (555) [RNDN(0;999;3)]-[RNDN(0;9999;4)]

The ldclt command, then, uses that template to build an LDIF file with 100,000 entries:

# ldclt -b "ou=people,dc=csb" -e object=inet.txt,rdn='uid:[A=INCRNNOLOOP(0;99999;5)]' -e genldif=100Kinet.ldif,commoncounter

B.1.5.2. Adding Entries

The ldclt tool can add entries that match either of two templates:

person

inetorgperson

The -f filter sets the format of the naming attribute for the user entries. For example, -f
"cn=MrXXXXX" creates a name like cn=Mr01234. Using the person or inetorgperson
parameter with -f creates a basic entry.

objectclass: person
sn: ex sn
cn: Mr01234

More complex entries (which are good for search and modify testing) can be created using
the rdn parameter and an object file. The full range of options for the entries is covered in
Section B.1.5.1, “Generating LDIFs”. The rdn and object parameters provide the format for
the entries to add or edit in the directory. The rdn execution parameter takes a keyword
pattern (as listed in Table B.4, “ldclt Template LDIF File Keywords”) and draws its entry
pool from the entries listed in a text file.

-e rdn='uid:[A=INCRNNOLOOP(0;99999;5)]',object=inet.txt
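The template expansion and the XXXXX placeholder described above, as an added example: a Python re-implementation of the keyword semantics in Table B.4 (RNDN, RNDFROMFILE, INCRN, INCRNOLOOP, INCRFROMFILE, INCRFROMFILENOLOOP, RNDS, and the [A=...]/[A] variable binding) together with the zero-padded substitution that turns -f "cn=MrXXXXX" into cn=Mr01234. This is not ldclt's own code (ldclt is a C program) and it models only what the page states: the word lists are constructed stand-ins for the dbgen-* files, the commoncounter parameter is not modelled, and because the page spells the no-loop numeric keyword both INCRNOLOOP (table) and INCRNNOLOOP (examples), both spellings are accepted.

```python
import random, re, string
from typing import Dict, Optional

WORD_FILES = {"dbgen-FamilyNames": ("Smith", "Jensen", "Morrow"),  # constructed stand-ins for
              "dbgen-GivenNames": ("Anne", "Barbara", "Carl")}       # /usr/share/dirsrv/data/dbgen-*
# Constructed template in the syntax of Example B.1 (file names shortened to the keys above).
TEMPLATE = """\
# comment lines are skipped
objectclass: inetOrgPerson
sn: [B=RNDFROMFILE(dbgen-FamilyNames)]
cn: [C=RNDFROMFILE(dbgen-GivenNames)] [B]
password: test[A]
mail: [C].[B]@example.com
telephonenumber: (555) [RNDN(0;999;3)]-[RNDN(0;9999;4)]
"""
# Matches [A=KEYWORD(args)], a bare variable reference [A], or [KEYWORD(args)].
TOKEN = re.compile(r"\[(?:(?P<var>[A-H])(?:=(?P<kw>[A-Z]+)\((?P<args>[^)]*)\))?"
                   r"|(?P<kw2>[A-Z]+)\((?P<args2>[^)]*)\))\]")
# The page spells the no-loop numeric keyword both ways; both are accepted here.
NUMERIC = ("RNDN", "INCRN", "INCRNOLOOP", "INCRNNOLOOP")
FROM_FILE = ("RNDFROMFILE", "INCRFROMFILE", "INCRFROMFILENOLOOP")

class Keyword:
    """One keyword occurrence in a template; the INCR* forms keep their own cursor."""
    def __init__(self, name: str, args: str, rng: random.Random) -> None:
        self.name, self.rng, self.pos = name, rng, 0
        if name in NUMERIC:
            self.low, high, self.length = (int(a) for a in args.split(";"))
            self.size = high - self.low + 1
        elif name in FROM_FILE:
            self.words, self.size = WORD_FILES[args], len(WORD_FILES[args])
        elif name == "RNDS":
            self.length = int(args)
        else:
            raise ValueError(f"unknown keyword {name}")

    def at(self, i: int) -> str:
        return self.words[i] if self.name in FROM_FILE else f"{self.low + i:0{self.length}d}"

    def next(self) -> Optional[str]:
        """Next value, or None once a *NOLOOP keyword has run past its range."""
        if self.name == "RNDS":
            return "".join(self.rng.choice(string.ascii_lowercase) for _ in range(self.length))
        if self.name in ("RNDN", "RNDFROMFILE"):
            return self.at(self.rng.randrange(self.size))
        if self.pos >= self.size:  # end of the sequence
            if self.name.endswith("NOLOOP"):
                return None
            self.pos = 0  # INCRN and INCRFROMFILE loop back to the start
        self.pos += 1
        return self.at(self.pos - 1)

def compile_pattern(pattern: str, rng: random.Random) -> list:
    parts, last = [], 0  # literal strings interleaved with (variable, keyword) tokens
    for m in TOKEN.finditer(pattern):
        name = m["kw"] or m["kw2"]
        keyword = Keyword(name, m["args"] if m["kw"] else m["args2"], rng) if name else None
        parts += [pattern[last:m.start()], (m["var"], keyword)]
        last = m.end()
    return parts + [pattern[last:]]

def render(parts: list, variables: Dict[str, str]) -> Optional[str]:
    out = []
    for part in parts:
        if isinstance(part, str):
            out.append(part)
            continue
        var, keyword = part
        value = keyword.next() if keyword else variables[var]  # a bare [A] re-uses A
        if value is None:
            return None  # an exhausted NOLOOP keyword ends generation
        if keyword and var:
            variables[var] = value  # [A=...] emits the value and stores it in A
        out.append(value)
    return "".join(out)

def generate_ldif(template: str, rdn_pattern: str, base_dn: str, count: int, seed: int = 0) -> list:
    """Build up to count entries: the rdn first (so its variable is set), then each template line."""
    rng = random.Random(seed)
    rdn_attr, rdn_value = rdn_pattern.split(":", 1)
    rdn_parts = compile_pattern(rdn_value, rng)
    body = [(l.split(":", 1)[0].strip(), compile_pattern(l.split(":", 1)[1].strip(), rng))
            for l in template.splitlines() if l.strip() and not l.startswith("#")]
    entries = []
    for _ in range(count):
        variables: Dict[str, str] = {}
        rdn = render(rdn_parts, variables)
        if rdn is None:
            break
        entry = [("dn", f"{rdn_attr}={rdn},{base_dn}"), (rdn_attr, rdn)]
        values = [(attr, render(parts, variables)) for attr, parts in body]
        if any(v is None for _, v in values):
            return entries
        entries.append(entry + values)
    return entries

def expand_x_pattern(pattern: str, number: int) -> str:
    """Fill the X placeholders of an -f or -D pattern with a zero-padded number (cn=MrXXXXX, 1234 -> cn=Mr01234)."""
    return re.sub(r"X+", lambda m: f"{number:0{len(m.group())}d}", pattern)
```

Running generate_ldif(TEMPLATE, "uid:[A=INCRNNOLOOP(0;2;5)]", "ou=people,dc=example,dc=com", 10) returns three entries and then stops, which is the difference between the NOLOOP keywords and INCRN that the table describes; the same template with "uid:[A=INCRN(0;1;2)]" wraps around instead.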

The ldclt tool creates entries in a numeric sequence. That means that the method of
adding those entries and of counting the sequence has to be defined as well. Some
possible options for this include:

-r and -R to set the numeric range for entries

incr or random to set the method of assigning numbers (these are only used with -f)

noloop, to stop the add operations when it hits the end of the range rather than
looping back

Example B.2. Adding Entries

# ldclt -b ou=people,dc=example,dc=com -D "cn=Directory Manager" -w secret -e add,person,incr,noloop,commoncounter -r0 -R99999 -f "cn=MrXXXXX" -v -q

The add operation can also be used to build a directory tree for more complex testing.
Whenever an entry is added to the directory that belongs to a non-existent branch, the
ldclt tool automatically creates that branch entry.

NOTE

The first time that an entry is added that is the child of non-existent branch,
the branch entry is added to the directory. However, the entry itself is not
added. Subsequent entries will be added to the new branch.

For a branch entry to be added automatically, its naming attribute must be cn, o, or ou.

Example B.3. Creating the Directory Tree

# ldclt -b ou=DeptXXX,dc=example,dc=com -D "cn=Directory Manager" -w secret -e add,person,incr,noloop,commoncounter -r0 -R99999 -f "cn=MrXXXXX" -v -q

B.1.5.3. Search Operations

The most basic ldclt search test simply looks for all entries within the given base DN. This
uses two execution parameters: esearch and random.

Example B.4. Basic Search Operation

# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com" -f uid=testXXXXX -e esearch,random -r0 -R99999 -I 32

IMPORTANT

A search that returns all entries can use a large amount of memory per thread,
as much as 1 GB. ldclt is designed to perform searches that return one entry.


The search results can be expanded to return attributes contained in the entries.
(Section B.1.5.1, “Generating LDIFs” has information on generating entries that contain
multiple attributes.) To return a specific list of attributes for entries, use the attrlist
execution parameter and a colon-separated list of attributes.

Example B.5. Searching for a List of Attributes

# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -f uid=XXXXX -e esearch,random -r0 -R99999 -I 32 -e attrlist=cn:mail

Alternatively, the ldclt search operation can return attribute values for attributes
randomly selected from the search list. The list is given in the randomattrlist execution
parameter with a colon-separated list of attributes.

Example B.6. Searching for a List of Random Attributes

# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -f uid=XXXXX -e esearch,random -r0 -R99999 -I 32 -e randomattrlist=cn:sn:ou:uid:mail:mobile:description

The filter used to match entries can target other entry attributes, not just naming
attributes. It depends on the attributes in the generated LDIF.

Example B.7. Searches with Alternate Filters

# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -f [email protected] -e esearch,random -r0 -R99999 -I 32 -e randomattrlist=cn:sn:ou:uid:mail:mobile:description

The search operation can also use the RDN-style filter to search for entries. The rdn and
object execution parameters provide the format for the entries to add or edit in the
directory. The rdn execution parameter takes a keyword pattern (as listed in Table B.4,
“ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a
text file.

Example B.8. Searches with RDN Filters

# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -e rdn='mail:[RNDN(0;99999;5)]@example.com',object="inet.txt" -e attrlist=cn:telephonenumber

B.1.5.4. Modify Operations

The attreplace execution parameter replaces specific attributes in the entries.

The modify operation uses the RDN filter to search for the entries to update. The rdn and
object parameters provide the format for the entries to add or edit in the directory. The
rdn execution parameter takes a keyword pattern (as listed in Table B.4, “ldclt Template
LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.

Example B.9. Modify Operation

# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com" -e rdn='uid:[RNDN(0;99999;5)]' -I 32 -e attreplace='description: random modify XXXXX'

B.1.5.5. modrdn Operations

The ldclt command supports two kinds of modrdn operations:

Renaming entries

Moving an entry to a new parent

The ldclt utility creates the new entry name or parent from a randomly-selected DN.

The basic rename operation requires three execution parameters:

rename

rdn='pattern'

object=file

The rdn and object parameters provide the format for the entries to add or edit in the
directory. The rdn execution parameter takes a keyword pattern (as listed in Table B.4,
“ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a
text file.

Example B.10. Simple Rename Operation

# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com" -I 32 -I 68 -e rename,rdn='uid:[RNDN(0;999;5)]',object="inet.txt"

Using the withnewparent execution parameter renames the entry and moves it beneath a
new parent entry. If the parent entry does not exist, then the ldclt tool creates it.[3]

Example B.11. Renaming an Entry and Moving to a New Parent

# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret12 -b "ou=DeptXXX,dc=example,dc=com" -I 32 -I 68 -e rename,withnewparent,rdn='uid:Mr[RNDN(0;99999;5)]',object="inet.txt"

B.1.5.6. Delete Operations

The ldclt delete operation is exactly the reverse of the add operation. As with the add,
delete operations can remove entries in several different ways:


Randomly (-e delete,random)

RDN-ranges (-e delete,rdn=[pattern])

Sequentially (-e delete,incr)

Random deletes are configured to occur within the specified range of entries. This requires
the following options:

-e delete,random

-r and -R for the range bounds

-f for the filter to match the entries

Example B.12. Random Delete Operations

# ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,random -r0 -R99999 -f "uid=XXXXXX" -I 32 -v -q

RDN-based deletes use the rdn execution parameter with a keyword (as listed in Table B.4,
“ldclt Template LDIF File Keywords”) and draw their entry pool from the entries listed in a
text file. This format requires three execution parameters:

-e delete

-e rdn='pattern'

-e object='file'

Example B.13. RDN-Based Delete Operations

# ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,rdn='uid:[INCRNNOLOOP(0;99999;5)]',object="inet.txt" -I 32 -v -q

The last delete operation format is much like the random delete format, only it moves
sequentially through the given range, rather than randomly:

-e delete,incr

-r and -R for the range bounds

-f for the filter to match the entries

Example B.14. Sequential Delete Operations

# ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,incr -r0 -R99999 -f "uid=XXXXXX" -I 32 -v -q

B.1.5.7. Bind Operations


By default, each ldclt thread binds once to the server and then runs all of its operations in
a single session. The -e bindeach parameter can be used with any other operation to instruct
the ldclt tool to bind for each operation and then unbind before initiating the next operation.

-e add,bindeach ...

To test only bind and unbind operations, use the -e bindeach,bindonly execution
parameters and no other operation information. For example:

# ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -e bindeach,bindonly -e bind_info

The bind operation can specify a single user to use for testing by using the -D and -w user
name-password pair in the connection parameters.

NOTE

Use the -e close option with the bind parameters to test the effect that
dropping connections, instead of unbinding cleanly, has on the Directory
Server.

Example B.15. Bind Only and Close Tests

# ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -e bindeach,bindonly,close

There are also execution parameters which can be used to select a random bind identity
from a given file (randombinddnfromfile) or using a DN selected randomly from within a
range (-e randombinddn,randombinddnlow=X,randombinddnhigh=Y).

Example B.16. Random Binds from Identities in a File

# ldclt -h localhost -p 389 -e bindeach,bindonly -e randombinddnfromfile=/tmp/testbind.txt

Binding with a random identity is useful if identities have been added from a generated LDIF
or using -e add, where the accounts were added in a range. The ldclt tool can
autogenerate values using X as a variable and incrementing through the specified range.

Example B.17. Random Binds from Random Base DN

# ldclt -h localhost -p 389 -e bindeach,bindonly -D "uid=XXXXX,dc=example,dc=com" -w testXXXXX -e randombinddn,randombinddnlow=0,randombinddnhigh=99999

B.1.5.8. Running Operations on Random Base DNs


Any operation can be run against randomly-selected base DNs. The trio of randombase
parameters set the range of organizational units to select from. A variable in the -b base
entry sets the format of the base DN.

-b "ou=DeptXXX,dc=example,dc=com" -e
randombase,randombaselow=0,randombasehigh=999 ...

B.1.5.9. TLS Authentication

Every operation can be run over TLS to test secure authentication and performance for
secure connections. There are two parameters required for TLS authentication.

The connection parameter -Z, which gives the path to the security databases for
the Directory Server

The execution parameters cltcertname, keydbfile, and keydbpin, which contain
the information that the server prompts for to access the TLS databases

For example, this runs bind tests over TLS:

# ldclt -h host -p port -e bindeach,bindonly -Z certPath -e cltcertname=certName,keydbfile=filename,keydbpin=password

B.1.5.10. Abandon Operations

The -e abandon parameter opens and then cancels operations on the server. This can be
run by itself or with other types of operations (like -e add or -e esearch).

# ldclt -e abandon -h localhost -p 389 -D "cn=Directory Manager" -w secret -v -q -b "ou=people,dc=example,dc=com"

B.2. RSEARCH (SEARCH STRESS TESTS)

The rsearch utility opens multiple threads that perform the same operation, quickly and
repeatedly, in a loop against the specified Directory Server instance, according to the
parameters set in the command.

At its simplest, rsearch emulates multiple client connections for search operations. With
additional options, rsearch can be expanded to perform compare, modify, delete, and
bind/unbind operations along with search operations.

The tool also tracks the performance of the operations and outputs a running stream of
averaged results.

NOTE

The results of rsearch tests naturally depend on the performance of the
Directory Server and its host machine. Optimize the configuration of the
Directory Server and machine first through performance tuning (as in the
Red Hat Directory Server Performance Tuning Guide).

The rsearch utility is located in the /usr/bin directory.


B.2.1. Syntax

rsearch -D bind_dn -w password -s suffix -f filter [ -h host ] [ -p port ] [ -S scope ] [ -b ] [ -u ] [ -L ] [ -N ] [ -v ] [ -y ] [ -q ] [ -l ] [ -m ] [ -M ] [ -d ] [ -c ] [ -i file_for_filters ] [ -B DN_or_uid_file ] [ -A attributes ] [ -a file_of_attributes ] [ -n ] [ -o search_time_limits ] [ -j sample_interval ] [ -t threads ] [ -T timelimit ] [ -V ] [ -C number_of_samples ] [ -R reconnect_interval ] [ -x ] [ -W password ] [ -U text ] [ -\? or -H ]

B.2.2. Options

Table B.5. rsearch Options

-A attributes
    Contains a list of attributes to be used with the search request. This
    cannot be used with -a.

-a file_of_attributes
    Points to a file which contains a list of attributes to be used with the
    search request. Each attribute must be on a separate line in the file.
    For example:

        attr1
        attr2
        ...

    This cannot be used with -A.

-B DN_or_uid_file
    Contains a list of either DNs or UIDs which are used to bind to the
    server. For DNs, each entry has two lines, one for the DN and one for
    the UID (which is used as the default password):

        DN: dn
        UID: uid
        ...

    A UID file simply has one UID per line:

        UID: uid1
        UID: uid2
        ...

-b
    Tells the utility to bind before every operation.

-C sample_numbers
    Gives the number of samples to take before the utility exits.

-c
    Specifies a compare operation. If this is used, then the -B option must
    be used.

-D bind_dn
    Gives the bind DN for the rsearch utility to use to connect to the
    server; if no other identity is supplied in a DN file (-B -x), this is
    the identity used to run tests.

-d
    Specifies a delete operation. If this is used, then the -B option must
    be used.

-f filter
    Contains the search filter to be used with search operations.

-h host
    Gives the host name of the LDAP server to connect to. The default, if
    not given, is localhost.

-i file
    Refers to a file that contains the names to be appended to the search
    filter passed with the -f option. The name file is a list, with each
    name on a separate line. For example:

        joe
        jane

    A filter option that can be used with this file is, for example,
    -f "uid=%s", which results in the filters "uid=joe" and "uid=jane"
    being used at random.

-j sample_interval
    Specifies an interval, in seconds, to wait before collecting a sample.

-L
    Sets the connection to linger. The connection is discarded when the
    utility closes.

-l
    Logs the utility output.

-M
    Specifies a modify operation for an indexed attribute
    (telephonenumber). This requires the -B option.

-m
    Specifies a modify operation for an unindexed attribute (description).
    This requires the -B option.

-N
    Specifies that the tool will only bind to the server, without running
    any other operation.

-n
    Reserved for future use.

-o search_time_limit
    Gives the time limit, in seconds, to use for search operations.

-p port
    Gives the port to use to connect to the Directory Server instance. If
    this is not used, the default is 389.

-q
    Runs the tool quietly.

-R reconnect_interval
    Tells the utility to drop the connection to the server and reconnect
    after the specified number of searches (reconnect_interval).

-S scope
    Sets the search scope. The allowed values are 0, 1, and 2,
    corresponding to one-level, base, and subtree, respectively. The
    default is 2.

-s suffix
    Gives the suffix in the Directory Server against which to run all of
    the tests.

-T timelimit
    Sets a total time limit for the rsearch tests. Once the utility hits
    that limit, the tool closes.

-t threads
    Sets the number of threads for the utility to open. The default is 1.

-U text
    Passes a filter to use with the bind file. If -x is not used, this
    option is ignored. The default value is '(uid=%s)'.

-u
    Tells the utility not to unbind from the server, but simply to close
    the connection.

-V
    Shows the running averages of the rsearch results.

-v
    Runs the command in verbose mode.

-W password
    Gives the password to use to bind with identities in the -B file. If
    this is not given, the default is the UID value.

-x
    Tells the utility to use the contents of the -B file for binding. If
    this is not used, then the -B option is ignored.

-y
    Runs the command with no delay between tests.

-\? or -H
    Prints the usage for the tool.

B.2.3. Usage Scenarios

The rsearch utility can be used to measure the performance of any LDAP operation. The
following examples show how to use rsearch for a variety of common test scenarios.

NOTE

Even though rsearch requires arguments for search parameters like filter and
scope, these arguments can be left empty to perform tests for other kinds of
LDAP operations. For example:

# rsearch -D "cn=Directory Manager" -w secret -s "" -f ""

B.2.3.1. Allowed Configuration Files

Most of the time, the rsearch tool uses the information passed in the command line to
connect to the server. The rsearch tool can accept two different configuration files to use
in place of the passed arguments:

A DN or UID file, which contains a list of either UIDs or both DNs and UIDs. The
DN/UID file allows rsearch to connect using multiple, randomly-selected bind
identities. Any operation test can be combined with a bind/unbind test.


WARNING

Random bind identities should not be used with a delete test because the
command may attempt to bind with an identity in the DN/UID file that has
already been deleted from the directory.

DN/UID files are used with the -B option to pass the file and then an operation
option (-c, -d, -m, or -x).

A name file, which contains a list of names to use as part of the given LDAP filters.
The filter in the file can be more complex than the ones specified in the -f option.
The filter file can be used to run a number of different search tests. For example,
having only a few filters means that the tool will begin retrieving results from cache,
while using invalid filters can test search failures. It can also test filter
performance, such as exact matches, complex filters, or attribute searches.

When using a filter file, the -f option must be passed with a placeholder value. The
placeholder can be used to replace only an attribute value, such as cn=%s, which
tells the command to pull the attribute value variable from the filter file. The
placeholder can also replace the filter itself (-f "%s") to supply randomly-selected
filters from the file.

The -i option passes the name file to use for the search filters. Every line in the
file is appended to whatever filter is given with the -f option. There are a couple of
different ways that these two options can be used together:

The simplest scenario leaves the -f option empty, so it is just a placeholder. In
this case, the filters are taken directly from the file passed with the -i option.

Alternatively, the entries in the file could simply be a list of names, and a partial
filter can be given for the -f option. For example, the name file could have a list
of UIDs (jsmith, bjensen, amorrow) and the -f filter could be "uid=". rsearch
automatically appends the name to complete the search filter.

B.2.3.2. Results from rsearch

Periodically (every ten seconds by default), rsearch returns the current running average
for the operations run by the script.

The results first show the number of operations performed within that interval. The two
ratios in the parenthesis show the total number of operations per second and then the
amount of time, in milliseconds, spent on each operation (1 second divided by the total
number of operations, multiplied by 1000).

date timestamp - Rate: num_ops/thr (ops/sec = num ms/op), total: ops (number thr)

For example:

# rsearch -D "cn=Directory Manager" -w password -s "ou=people,dc=example,dc=com" -f "objectclass=%s" -i /home/filter.txt
rsearch: 1 threads launched.

20100209 20:20:40 - Rate: 65961.00/thr (6596.10/sec = 0.1516ms/op), total: 65961 (1 thr)

B.2.3.3. Search Testing

The core usage of rsearch is search testing. Measuring search performance can be done
using only the required arguments with rsearch, without any optional arguments:

# rsearch -D bind_dn -w password -s suffix -f filter

Options can be used to measure specific performance or use a specific environment.

Search filters (in the command line or through a file with the -i file) can test different kinds
of indexed attributes:

Filters without wildcards show the performance for exact matches

Filters with wildcards give performance for substring indexes


Filters with operators (=, >=, <=, ~=) show the performance for approximate
indexes

Example B.18. Basic Search

# rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "sn=*smith*"

A basic search (which covers caching, since there is only one filter given and multiple
search operations) uses the following arguments:

-D, which gives the bind identity

-w, which gives the bind password

-s, which gives the search target (scope)

-f, which gives the search filter

Example B.19. Searches for Specific Attributes

# rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "sn=%s" -i /home/filter.txt -A givenname,mail,uid

Along with the required arguments, this command searches for three specific attributes
in the entries, using the -A option.

The -i filter_file option is required if you use the %s variable in the -f filter
option.

B.2.3.4. Authentication Testing

The rsearch utility uses the user DN and password in the (required) -D and -w arguments
to bind to the server. To test authentication performance, these credentials can be left
blank, can be passed a list of credentials that are randomly selected, or can be set to a
special user, like the Directory Manager.

Example B.20. Anonymous Binds

# rsearch -D "" -w "" -s "dc=example,dc=com" -f "sn=%s" -i /home/filter.txt

The -D and -w arguments have empty values, so the tool does not have any bind
credentials to use to connect to the server. This initiates an anonymous bind.

Example B.21. Random User Authentication

# rsearch -D "" -w "" -s "dc=example,dc=com" -f "sn=%s" -i /home/filter.txt -B /home/uids.txt -x


Rather than using the credentials in the -D and -w arguments, the rsearch tool can be
instructed to pull random bind identities from a list of given UIDs or DNs. This requires
two options:

-B points to a file with a list of bind identities. For a UID file, this is simply a list of
UIDs, one per line:

UID: uid1
UID: uid2
...

For DNs, each entry has two lines, one for the DN and one for the UID (which is
used as the default password):

DN: dn
UID: uid
...

-x forces the tool to use the file from the -B argument.

For DNs, the tool uses the DN line for the DN and the UID line as the password. The -U
option tells the tool to use an attribute other than the UID as the entry naming attribute
and -W passes a different password (which, by default, is the UID).

# rsearch -D "" -w "" -s "dc=example,dc=com" -f "sn=%s" -i /home/filter.txt -B /home/uids.txt -x -U "(cn=*)" -W newpassword
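The two -B file layouts described above (DN/UID pairs and UID-only lists), as an added example rather than anything shipped with rsearch: a small Python writer and validating parser for the format, plus a helper that shows which identity and password a line yields under the -x, -U and -W rules the text gives (DN line as the bind DN, UID as the default password, -W overriding it). The sample identities are constructed; how rsearch turns a UID-only line into a bind DN is not spelled out on the page, so for UID-only files the helper simply returns the -U filter with %s filled in to show which entry would be looked up.

```python
from typing import List, NamedTuple, Optional, Tuple


class BindIdentity(NamedTuple):
    dn: Optional[str]  # None for a UID-only file
    uid: str


# Constructed sample identities; the DNs and UIDs are invented for this example.
SAMPLE_ENTRIES = [
    ("uid=jsmith,ou=people,dc=example,dc=com", "jsmith"),
    ("uid=bjensen,ou=people,dc=example,dc=com", "bjensen"),
]


def write_bind_file(entries: List[Tuple[str, str]], with_dn: bool = True) -> str:
    """Render a -B file: DN:/UID: pairs separated by a blank line (the layout shown
    in the NOTE of B.2.3.5), or one UID: line per identity."""
    if with_dn:
        return "\n\n".join(f"DN: {dn}\nUID: {uid}" for dn, uid in entries) + "\n"
    return "".join(f"UID: {uid}\n" for _, uid in entries)


def parse_bind_file(text: str) -> List[BindIdentity]:
    """Parse a -B file, requiring every DN: line to be followed by its UID: line."""
    identities: List[BindIdentity] = []
    pending_dn: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank separators between DN/UID pairs are allowed
        key, sep, value = line.partition(":")
        key, value = key.strip().upper(), value.strip()
        if not sep or not value:
            raise ValueError(f"line {lineno}: expected 'DN: ...' or 'UID: ...', got {line!r}")
        if key == "DN":
            if pending_dn is not None:
                raise ValueError(f"line {lineno}: DN line follows a DN line that has no UID")
            pending_dn = value
        elif key == "UID":
            identities.append(BindIdentity(pending_dn, value))
            pending_dn = None
        else:
            raise ValueError(f"line {lineno}: unknown key {key!r}")
    if pending_dn is not None:
        raise ValueError("file ends with a DN line that has no UID line")
    return identities


def bind_file_error(text: str) -> Optional[str]:
    """None when the file parses cleanly, otherwise the first problem found."""
    try:
        parse_bind_file(text)
    except ValueError as exc:
        return str(exc)
    return None


def bind_credentials(identity: BindIdentity, password: Optional[str] = None,
                     bind_filter: str = "(uid=%s)") -> Tuple[str, str]:
    """What -x would bind with for one identity: the DN line when there is one,
    otherwise the -U filter (default '(uid=%s)') filled with the UID; the password
    is the UID unless -W supplies another one."""
    target = identity.dn if identity.dn else bind_filter.replace("%s", identity.uid)
    return target, (identity.uid if password is None else password)
```

bind_file_error is the check to run on a hand-edited DN file before a long test: a DN line with no UID line after it is the one structural mistake the format allows, and the parser reports the line number.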

B.2.3.5. Modify Operation Testing

rsearch can be used to measure the performance of modify operations on two kinds of
attributes: indexed and unindexed. The modify operation is signaled by using either the -M
or the -m option. A list of entries to run modify operations against is passed using the -B
option.

NOTE

Running a modify operation requires a DN file, which has the format:

DN: dn1
UID: uid1

DN: dn2
UID: uid2
...

Using the -b option measures the rate of each set of bind-modify operations. If the -b
option is not used, then there is only one bind operation, and the test shows the average of
all modify operations that are run.

Example B.22. Modify Operations on Unindexed Attributes


# rsearch -D "cn=test user,cn=config" -w secret -s "" -f "" -m -B /home/dns.txt -v

Modify operations against unindexed attributes are done by using the -m option. The
command performs modify operations on the description attribute for each entry
selected from the DN file.

The test will run successfully even if the description attribute is indexed, so make sure
that the attribute is not indexed before running the test.

Example B.23. Modify Operations on Indexed Attributes

# rsearch -D "cn=test user,cn=config" -w secret -s "" -f "" -M -B /home/dns.txt -v

Modify operations against indexed attributes are done by using the -M option. The
command performs modify operations on the telephoneNumber attribute for each entry
selected from the DN file.

The test will run successfully even if the telephoneNumber attribute is not indexed, so
make sure that the attribute is indexed before running the test.

B.2.3.6. Compare Operation Testing

The ldapcompare operation can be tested using rsearch by passing the -c option. The tool
runs compare operations against the UID attribute, based on the list of UIDs passed in the -
B option.

NOTE

Running a compare operation requires a DN file, which has the format:

DN: dn1
UID: uid1

DN: dn2
UID: uid2
...

Example B.24. Compare Operations

# rsearch -D "cn=test user,cn=config" -w secret -s "" -f "" -c -B /home/dns.txt -v

The -c argument tells the command to perform compare operations. This is required.
Two other arguments are useful for measuring the performance of compare operations:

-B (without the -x), which provides a list of entries that the server can run
compare operations for.


-v, which runs rsearch in verbose mode and prints the results of each bind
attempt and compare operation.

B.2.3.7. Delete Operation Testing

Only one option is required with the delete performance testing: -d, which tells the
command to run delete operations. As with other operations, the -B argument can be used
to pass a file which contains a list of entries to be randomly selected and deleted.

NOTE

Do not use the -B -x option pair with delete operations, because the
command may attempt to bind to the server with an identity which has
already been deleted.

Example B.25. Delete Operations

# rsearch -D "cn=test user,cn=config" -w secret -s "" -f "" -d -B /home/dns.txt

If the -B argument is used to supply a list of entries available to delete, then it must be
a DN file, which has the format:

DN: dn1
UID: uid1

DN: dn2
UID: uid2
...

B.2.3.8. Changing Time Limits

As with many performance tests, rsearch has several time-based metrics:

The period that operations are run for gathering one round of statistics (by default,
ten seconds)

How long the tool runs (by default, indefinitely)

How long the tool maintains a connection to the server (by default, indefinitely)

All three time limits can be reset.

Example B.26. Setting the Operations Interval

# rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "cn=%s" -i /home/filter.txt -b -j 20

The rsearch tool prints the results for the operations performed in the immediate
interval. The default interval is ten (10) seconds, so every line in the output represents
the statistics for the operations run in the preceding ten seconds. This interval can be
changed using the -j option.

This resets the test interval to 20 seconds.

Example B.27. Setting the Test Time Limit

# rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "cn=%s" -i /home/filter.txt -b -T 600

...

20100210 18:36:21 - Rate: 68561.00/thr (6856.10/sec = 0.1459ms/op), total: 68561 (1 thr)
20100210 18:36:31 - Rate: 78016.00/thr (7801.60/sec = 0.1282ms/op), total: 78016 (1 thr)
Final Average rate: 7328.85/sec = 0.1364msec/op, total: 78016

Normally, the command runs indefinitely, until the command is interrupted. The -T
option sets a time limit (in seconds) for the test to run and then exit cleanly. When the
tool exits, it prints a final summary of the averages of all test run intervals.
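The result format from Section B.2.3.2 and the final summary in Example B.27, worked through as an added example (not part of rsearch itself): a Python parser for the Rate: lines that recomputes the ms/op figure the text defines (1 second divided by the operations per second, multiplied by 1000), checks each printed line against it, recovers the sampling interval from the per-thread count and the rate, and reproduces the 7328.85/sec and 0.1364 ms/op of the Final Average line from the two samples. The sample output is constructed from the figures in Example B.27; the summed operation count is this example's own aggregate, not a field rsearch prints.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the format of Example B.27 (two ten-second samples, one thread).
SAMPLE_OUTPUT = """\
rsearch: 1 threads launched.
20100210 18:36:21 - Rate: 68561.00/thr (6856.10/sec = 0.1459ms/op), total: 68561 (1 thr)
20100210 18:36:31 - Rate: 78016.00/thr (7801.60/sec = 0.1282ms/op), total: 78016 (1 thr)
"""

# date timestamp - Rate: num_ops/thr (ops/sec = num ms/op), total: ops (number thr)
RATE_LINE = re.compile(
    r"^(?P<stamp>\d{8} \d{2}:\d{2}:\d{2}) - Rate: (?P<per_thr>[\d.]+)/thr "
    r"\((?P<ops_sec>[\d.]+)/sec = (?P<ms_op>[\d.]+)ms/op\), "
    r"total: (?P<total>\d+) \((?P<threads>\d+) thr\)$"
)


class Sample(NamedTuple):
    stamp: str
    ops_per_thread: float  # operations completed per thread in the interval
    ops_per_sec: float     # aggregate rate over the interval
    ms_per_op: float       # as printed: 1000 / ops_per_sec
    total: int
    threads: int


def parse_samples(text: str) -> List[Sample]:
    """Pick the Rate: lines out of rsearch output; every other line is ignored."""
    samples = []
    for line in text.splitlines():
        m = RATE_LINE.match(line.strip())
        if m:
            samples.append(Sample(m["stamp"], float(m["per_thr"]), float(m["ops_sec"]),
                                  float(m["ms_op"]), int(m["total"]), int(m["threads"])))
    return samples


def ms_per_op(ops_per_sec: float) -> float:
    """The per-operation time the text defines: (1 s / ops per second) * 1000, to 4 places."""
    return round(1000.0 / ops_per_sec, 4)


def sample_is_consistent(s: Sample) -> bool:
    """True when the printed ms/op matches the rate on the same line."""
    return abs(ms_per_op(s.ops_per_sec) - s.ms_per_op) < 1e-9


def interval_seconds(s: Sample) -> float:
    """Recover the sampling interval (-j) from one line: per-thread count * threads / rate."""
    return s.ops_per_thread * s.threads / s.ops_per_sec


def summarize(text: str) -> Dict[str, float]:
    """Reproduce the Final Average figures: the mean ops/sec over all samples and its ms/op."""
    samples = parse_samples(text)
    if not samples:
        raise ValueError("no Rate: lines found")
    avg = sum(s.ops_per_sec for s in samples) / len(samples)
    return {
        "samples": len(samples),
        "avg_ops_per_sec": round(avg, 2),
        "ms_per_op": ms_per_op(avg),
        "interval_seconds": round(interval_seconds(samples[0]), 3),
        "operations": sum(s.total for s in samples),  # this example's aggregate, not printed by rsearch
    }
```

On the constructed sample, summarize returns 7328.85 ops/sec and 0.1364 ms/op, the values of the Final Average line, and an interval of 10 seconds, which is the default the text gives for -j.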

Example B.28. Setting a Reconnect Interval

# rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "cn=%s" -i /home/filter.txt -b -R 30

The tool usually opens one connection to the server. The reconnect option, -R, sets a
time interval for the tool to reconnect to the Directory Server.

B.2.3.9. Bind Testing with Any Operation

Bind and unbind rates can be checked with any operation (search, modify, delete, compare)
which is measured by rsearch. This requires one option, -b, which tells the tool to bind to
the server with every operation.

Two other attributes can be used with bind testing: -L (which sets the tool to linger) and -N
(which tells the tool to bind and unbind without performing any other operations).

Example B.29. Binding and Unbinding with Every Operation

# rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "cn=%s" -i /home/filter.txt -b -L

Two options are used to initiate bind and unbind operations for every operation
performed by rsearch:

-b (required)

-L (recommended)


The -i filter_file option is required if you use the %s variable in the -f filter
option.

Example B.30. Testing Anonymous Bind Operations

# rsearch -D "" -w "" -s "" -f "" -N -b -L

To test the anonymous bind rate, simply use the -b option and leave the values for the -
D and -w options empty. The -N option ensures that the command only attempts bind
and unbind operations.

Example B.31. Testing Random Bind Operations

# rsearch -D "" -w "" -s "" -f "" -B /home/uids.txt -x -N -b -L

As with anonymous bind operations, the required arguments can be left blank. The -N
option ensures that the command only attempts bind and unbind operations, while the -
B and -x options supply a list of random bind credentials for the command to select
from.

Example B.32. Testing Using a Filter with Bind Operations

# rsearch -D "" -w "" -s "" -f "" -B /home/uids.txt -x -U "(uid=*son)" -N -b -L

Normally, any identity contained in the bind file (UID or DN) can be used for bind testing.
The default filter is "(uid=%s)", which every identity entry has. To use only a subset of
the identities in the file, the -U option can be used to pass an alternate filter.

B.2.3.10. Performing Multi-Threaded Testing

Example B.33. Multiple Threads

# rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "sn=%s" -i /home/filter.txt -t 5

By default, rsearch opens one thread for operations. The -t option allows multiple
threads to be opened.

[3] As with the add operation, the first time that the parent is referenced by the tool, the parent
entry is created, but the entry which prompted the add operation is not created.


APPENDIX C. ADMINISTRATION SERVER COMMAND-LINE TOOLS
Red Hat Administration Server has command-line utilities which make it easier to manage
the Administration Server without having to launch the Admin Console.

This chapter explains where to find and how to use the Administration Server tools.

C.1. SEC-ACTIVATE
The sec-activate tool activates and deactivates TLS for the Administration Server.

The sec-activate tool is located in the /usr/lib/dirsrv/cgi-bin/ directory.

Syntax:

sec-activate [ Admin_Server_Configuration_Directory ] [ on|off ]

For example:

# sec-activate /etc/dirsrv/admin-serv on

C.2. MODUTIL
The modutil tool is a command-line utility for managing PKCS #11 module information
stored in secmod.db files or hardware tokens. modutil can perform a variety of security
database operations:

Adding and deleting PKCS #11 modules

Changing passwords

Setting defaults

Listing module contents

Enabling or disabling slots

Enabling or disabling Federal Information Processing Standard (FIPS) 140-2 compliance

Assigning default providers for cryptographic operations

Creating key3.db, cert8.db, and secmod.db security databases.

Security module database management is part of a process that typically involves
managing key databases (key3.db files) and certificate databases (cert8.db files). The
key, certificate, and PKCS #11 module management process generally begins with creating
the keys and key database necessary to generate and manage certificates and the
certificate database.

Location
The modutil tool is located in the /usr/bin folder.


Syntax

modutil task [option]

task is one of the commands listed in Table C.1, “Task Commands for modutil” and option is
from Table C.2, “Options for modutil”. Each modutil command can take one task and one
option.

Tasks and Options
You can use the modutil tool to perform a number of different tasks. These tasks are
specified through the use of commands and options. Commands specify the task to
perform. Options modify a task command.

NOTE

Each modutil command can take one task and one option.

Table C.1, “Task Commands for modutil” describes what the modutil commands do and
what options are available for each. Table C.2, “Options for modutil” defines what the
options do.

Table C.1. Task Commands for modutil

-add moduleName
    Adds the named PKCS #11 module to the database.
    Allowed options: -libfile libraryFile, -mechanisms mechanismList

-changepw token
    Changes the password for the named token. If the token has not been initialized, this
    option initializes it with the supplied password. In this context, the term password is
    equivalent to a personal identification number (PIN).
    Allowed options: -pwfile passwordFile, -newpwfile newPasswordFile

-create
    Creates new secmod.db, key3.db, and cert8.db files. If any of these security databases
    already exist in a specified directory, the modutil tool displays an error message.
    Allowed options: -dbdir dbFolder

-default moduleName
    Sets the security mechanisms for which the named module is a default provider.
    Allowed options: -mechanisms mechanismList

-delete moduleName
    Deletes the named module. You cannot delete the internal PKCS #11 module.

-disable moduleName
    Disables all slots on the named module. To disable a specific slot, use the -slot
    option.
    Allowed options: -slot slotName

-enable moduleName
    Enables all slots on the named module. To enable a specific slot, use the -slot option.
    Allowed options: -slot slotName

-fips true|false
    Enables or disables the FIPS 140-2 compliance mode in Directory Server. For details, see
    Managing FIPS Mode Support in the Directory Server Administration Guide.

-force
    Disables the modutil tool's interactive prompts so it can be run from a script. Use this
    command only after manually testing each planned operation to check for warnings and to
    ensure that bypassing the prompts will cause no security lapses or loss of database
    integrity.

-jar JARfile
    Adds a new PKCS #11 module to the database. The module must be contained in the named
    JAR file. The JAR file identifies all files to install, the module name, and mechanism
    flags. It should also contain any files to be installed on the target machine, including
    the PKCS #11 module library and other files, such as documentation. The JAR file uses
    the Netscape Server PKCS #11 JAR format. See JAR Information File for more information
    on creating JAR files.
    Allowed options: -installdir installation_directory, -tempdir temporaryFolder

-list [moduleName]
    Shows basic information about the contents of the secmod.db file. To display detailed
    information about a particular module, including its slots and tokens, specify a value
    for moduleName.

-undefault moduleName
    Specifies the security mechanisms for which the named module will not be a default
    provider.
    Allowed options: -mechanisms mechanismList

Table C.2, “Options for modutil” describes the different options for the modutil task
commands.

Table C.2. Options for modutil

-dbdir dbFolder
    Specifies a folder in which to access or create security module database files. This
    argument is required for every command. This should point to the Administration Server
    configuration directory. For example:

    -dbdir /etc/dirsrv/admin-serv

-installdir installation_directory
    Specifies the root installation folder for the files supplied with the -jar JAR-file
    task. The installation_directory folder should be one in which it is appropriate to
    store dynamic library files.

-libfile libraryFile
    Specifies the library file which contains the PKCS #11 module that is being added to
    the database. Use the full path to identify the file.

-mechanisms mechanismList
    Specifies the security mechanisms for which a particular module is the default
    provider. The mechanismList is a colon-separated list of mechanism names. Enclose this
    list in quotation marks if it contains spaces. The module becomes a default provider
    for the listed mechanisms when those mechanisms are enabled. If more than one module
    is assigned as a mechanism's default provider, the mechanism's default provider is
    listed as undefined. The following mechanisms are currently available:

    RSA
    DSA
    RC2, RC4, and RC5
    AES
    DES
    DH
    SHA1 and SHA256
    SSL and TLS
    MD2 and MD5
    RANDOM (for random number generation)
    FRIENDLY (for certificates that are publicly readable)

-newpwfile newPasswordFile
    Specifies a text file containing a token's new password. This allows the password to
    be automatically updated when using the -changepw command.

-nocertdb
    Instructs modutil not to open the certificate or key databases. This has several
    effects:

    When used with the -changepw command, no one is able to set or change the password
    on the internal module, because the password is stored in key3.db.

    When used with the -create command, only a secmod.db file will be created; cert8.db
    and key3.db will not be created.

    When used with the -jar command, signatures on the JAR file will not be checked.

-pwfile passwordFile
    Specifies a text file containing a token's current password. This allows automatic
    entry of the password when using the -changepw command.

-slot slotName
    Specifies a particular slot to enable or disable when using the -enable or -disable
    commands.

-tempdir temporaryFolder
    Specifies a folder in which to store temporary files created by the -jar command. If
    a temporary folder is not specified, the current folder is used.

JAR Information File
JAR (Java Archive) is a platform-independent file format that aggregates many files into one.
JAR files are used by modutil to install PKCS #11 modules. When modutil uses a JAR file, a
special JAR information file must be included. This information file contains special scripting
instructions and must be specified in the JAR file's MANIFEST file. Although the information
file can have any name, it is specified using the Pkcs11_install_script METAINFO
command.

For details on how to declare this METAINFO command in the MANIFEST, see
https://docs.oracle.com/cd/E19957-01/816-6164-10/.

If a PKCS #11 installer script is stored in the information file pk11install, the text file for
the Signing Tool contains the following METAINFO tag:

+ Pkcs11_install_script: pk11install

The JAR information file in Example C.1, “Example JAR File” has instructions for installing a
PKCS #11 module on different platforms.


Example C.1. Example JAR File

ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }

Platforms {
    Linux:2.0.32:x86 {
        ModuleName { "Fortezza Module" }
        ModuleFile { win32/fort32.dll }
        DefaultMechanismFlags{0x00000001 }
        CipherEnableFlags{ 0x00000001 }
        Files {
            win32/setup.exe {
                Executable
                RelativePath { %temp%/setup.exe }
            }
            win32/setup.hlp {
                RelativePath { %temp%/setup.hlp }
            }
            win32/setup.cab {
                RelativePath { %temp%/setup.cab }
            }
        }
    }
    Linux:2.0.32:x86 {
        EquivalentPlatform {WINNT::x86}
    }
    SUNOS:5.5.1:sparc {
        ModuleName { "Fortezza UNIX Module" }
        ModuleFile { unix/fort.so }
        DefaultMechanismFlags{ 0x00000001 }
        CipherEnableFlags{ 0x00000001 }
        Files {
            unix/fort.so {
                RelativePath{%root%/lib/fort.so}
                AbsolutePath{/usr/local/Red Hat/lib/fort.so}
                FilePermissions{555}
            }
            xplat/instr.html {
                RelativePath{%root%/docs/inst.html}
                AbsolutePath{/usr/local/Red Hat/docs/inst.html}
                FilePermissions{555}
            }
        }
    }
    IRIX:6.2:mips {
        EquivalentPlatform { SUNOS:5.5.1:sparc}
    }
}

Creating a JAR information file involves writing a script that specifies which tasks to perform
when installing a module. Keys, predefined commands, and options that modutil interprets
can be used to specify different module installation procedures for different platforms.

Keys are case-insensitive strings that are grouped into three categories:


Global Keys

Per-Platform Keys

Per-File Keys

Global Keys
Global keys define the platform-specific sections of the JAR information file. There are two
global keys: ForwardCompatible and Platforms.

ForwardCompatible is an optional key that specifies a list of system architectures and
operating systems that are compatible with later versions of the same architectures and
operating systems. If the platform that modutil is installing the module on is not specified
by the Platforms key, then the ForwardCompatible list is checked for any platforms that
have the same OS and architecture in an earlier version. If one is found, its attributes are
used for the current platform.

The ForwardCompatible key uses the following format:

ForwardCompatible { Solaris:5.5.1:sparc }

The platforms listed between the braces must have entries within the Platforms key.

Platforms is a required key that specifies a list of platforms. Each entry in the list is itself a
key-value pair: the key is the name of the platform and the value list contains various
attributes of the platform. The ModuleName, ModuleFile, and Files attributes must be
specified for each platform unless an EquivalentPlatform attribute is specified. For more
information, see Per-Platform Keys.

The platform string is in the following format:

system name:OS release:architecture

The modutil program obtains the system name, release number, and architecture values
from the system on which the modutil tool is running. The following system names and
platforms are currently recognized:

HP-UX (hppa1.1)

Linux (x86)

Solaris (sparc)

For example:

Linux:5.2.0:x86

Per-Platform Keys
These keys have meaning only within an entry in the Platforms list.

ModuleName is a required key that specifies the common name for the module. This name
acts as a reference to the module for Red Hat Communicator, the modutil tool, servers, or
any other program that uses the Red Hat security module database.


ModuleFile is a required key that names the PKCS #11 module file (.so) for this platform.
The file name should be a path that is relative to the JAR file location.

DefaultMechanismFlags is an optional key that specifies mechanisms for which this
module is a default provider. This key-value pair is a bitstring specified in hexadecimal (0x)
format. It is constructed as a bitwise OR of the string constants listed in Table C.3,
“Mechanisms and Default Mechanism Flags”. Omitting the DefaultMechanismFlags entry
causes the value to default to 0x0.

Table C.3. Mechanisms and Default Mechanism Flags

Mechanism          Hexadecimal Bitstring Value
RSA                0x00000001
DSA                0x00000002
RC2                0x00000004
RC4                0x00000008
DES                0x00000010
DH                 0x00000020
FORTEZZA           0x00000040
RC5                0x00000080
SHA1               0x00000100
MD5                0x00000200
MD2                0x00000400
RANDOM             0x08000000
FRIENDLY           0x10000000
OWN_PW_DEFAULTS    0x20000000
DISABLE            0x40000000

Files is a required key that lists the files that need to be installed for this module. Each
entry in the file list is a key-value pair. The key includes the path to the file that is
contained in the JAR archive and the value list contains the attributes of the file. At a
minimum, you must specify either RelativePath or AbsolutePath for each file. If required,
you can specify additional attributes. For more information, see Per-File Keys.


The EquivalentPlatform key specifies that the attributes of the named platform should
also be used for the current platform. Using this key saves time when more than one
platform uses the same settings.

Per-File Keys
These keys have meaning only within an entry in a Files list. At a minimum, RelativePath
or AbsolutePath must be specified. If both are specified, the relative path is tried first, and
the absolute path is used only if a relative root folder is not provided by modutil.

The RelativePath key specifies the destination path of the file, relative to a folder
indicated at installation. You can assign values for two variables in the relative path,
%root% and %temp%. At run time, %root% is replaced with a folder in which files should be
installed, such as the server's root folder. The %temp% folder is created at the beginning of
the installation and destroyed at the end.

The purpose of %temp% is to hold executable files (such as setup programs) or files that are
used by these programs. Files destined for the temporary folder are in place before any
executable file is launched. They are not deleted until all executable files have finished.

The AbsolutePath key specifies the destination of the file as an absolute path. If both
RelativePath and AbsolutePath are specified, modutil attempts to use the relative path.
If it is unable to determine a relative path, it uses the absolute path.

The Executable key specifies that a file is to be executed during the course of the
installation. Typically, this key is used to identify a setup program provided by a module
vendor. The setup program itself is specified by the RelativePath or AbsolutePath key.

For example, to specify that the setup.exe program (located in the %temp% folder) is an
executable file, include the following lines in your JAR information file:

Executable
RelativePath { %temp%/setup.exe }

More than one file can be specified as executable, in which case the files are run in the
order in which they are listed in the script file. Use the Executable key before a
RelativePath or AbsolutePath key to indicate

The FilePermissions key specifies the access permissions to apply to a file. The modutil
program interprets the key as a string of octal digits, following the standard UNIX format.
This key is a bitwise OR of the string constants listed in Table C.4, “File Permissions
Specified Using FilePermissions”. For example, to specify read and execute access for all
users, enter 555 (bitwise 400 + 100 + 040 + 010 + 004 + 001).

The following table lists the file permissions that can be specified using FilePermissions.

Table C.4. File Permissions Specified Using FilePermissions

File Permission    Bitstring Value
User Read          400
User Write         200
User Execute       100
Group Read         040
Group Write        020
Group Execute      010
Other Read         004
Other Write        002
Other Execute      001

Some platforms may not understand these permissions. The permissions are applied only if
they make sense for the current platform. If this key is omitted, a default value of 777
(read, write, and execute for all users) is assumed.
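To make the key semantics above concrete, here is an added Python parser for this JAR information file format (example code, not Red Hat's or modutil's own). It resolves which Platforms entry applies to a given system:OS release:architecture string, following ForwardCompatible and EquivalentPlatform as described, and checks the per-file keys (RelativePath or AbsolutePath, Executable, FilePermissions); the SAMPLE_SCRIPT is constructed, and keys are matched as written rather than case-insensitively.

```python
"""Parser for the modutil JAR information file format described above. Added
example, not Red Hat's or modutil's own code; SAMPLE_SCRIPT is constructed."""
import re
_TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}"]+')  # quoted string, brace, bare word
SAMPLE_SCRIPT = """
ForwardCompatible { Linux:2.0.32:x86 }
Platforms {
    Linux:2.0.32:x86 {
        ModuleName { "Example Module" }
        ModuleFile { linux/example.so }
        Files {
            linux/example.so {
                RelativePath { %root%/lib/example.so }
                FilePermissions { 555 }
            }
            linux/setup.sh {
                Executable
                RelativePath { %temp%/setup.sh }
            }
        }
    }
    Linux:2.4.0:x86 { EquivalentPlatform { Linux:2.0.32:x86 } }
}
"""

def _parse_block(tokens, i):
    """Parse members up to the matching '}' and return (value, index). All bare
    words give a value list such as { RSA DSA }; otherwise a dict key -> child,
    with a bare key such as Executable mapped to True."""
    children = []
    while i < len(tokens) and tokens[i] != "}":
        key, i = tokens[i], i + 1
        if i < len(tokens) and tokens[i] == "{":
            value, i = _parse_block(tokens, i + 1)
            if i >= len(tokens):
                raise ValueError("missing '}' after %r" % key)
            i += 1  # consume the closing brace
            children.append((key, value))
        else:
            children.append((key, None))
    if all(v is None for _, v in children):
        return [k for k, _ in children], i
    return {k: (True if v is None else v) for k, v in children}, i

def parse_info_file(text):
    """Return the global keys as a dict; Platforms is required. Keys are kept as
    written here, whereas modutil matches them case-insensitively."""
    tokens = [t[1:-1] if t.startswith('"') else t for t in _TOKEN.findall(text)]
    info, i = _parse_block(tokens, 0)
    if i != len(tokens):
        raise ValueError("unbalanced '}' in JAR information file")
    if not isinstance(info, dict) or "Platforms" not in info:
        raise ValueError("required Platforms key is missing")
    return info

def _version_key(release):  # compare releases such as 2.0.32 numerically
    return tuple(int(p) if p.isdigit() else 0 for p in release.split("."))

def resolve_platform(info, current):
    """Exact Platforms entry for current (system:release:arch), else the newest
    ForwardCompatible one with the same system/arch; follows EquivalentPlatform."""
    platforms, name = info["Platforms"], current
    if name not in platforms:
        system, release, arch = current.split(":")
        candidates = []
        for fc in info.get("ForwardCompatible", []):
            fc_system, fc_release, fc_arch = fc.split(":")
            if fc not in platforms:
                raise ValueError("ForwardCompatible entry %s has no Platforms entry" % fc)
            if (fc_system, fc_arch) == (system, arch) and \
                    _version_key(fc_release) <= _version_key(release):
                candidates.append(fc)
        if not candidates:
            raise LookupError("no installation parameters for %s" % current)
        name = max(candidates, key=lambda p: _version_key(p.split(":")[1]))
    seen = set()
    while "EquivalentPlatform" in platforms[name]:
        seen.add(name)
        name = platforms[name]["EquivalentPlatform"][0]
        if name in seen or name not in platforms:
            raise ValueError("broken EquivalentPlatform chain at %s" % name)
    attrs = platforms[name]
    for required in ("ModuleName", "ModuleFile", "Files"):
        if required not in attrs:
            raise ValueError("%s lacks required key %s" % (name, required))
    return name, attrs

def install_plan(attrs):
    """(source, destination, executable, mode) per Files entry; needs a Relative
    or AbsolutePath and three octal FilePermissions digits (Table C.4, default 777)."""
    plan = []
    for src, fattrs in attrs["Files"].items():
        dest = fattrs.get("RelativePath") or fattrs.get("AbsolutePath")
        if not dest:
            raise ValueError("%s needs RelativePath or AbsolutePath" % src)
        mode = fattrs.get("FilePermissions", ["777"])[0]
        if not re.fullmatch(r"[0-7]{3}", mode):
            raise ValueError("bad FilePermissions %r for %s" % (mode, src))
        plan.append((src, " ".join(dest), fattrs.get("Executable", False), int(mode, 8)))
    return plan
```

Calling resolve_platform(parse_info_file(SAMPLE_SCRIPT), "Linux:3.10.0:x86") selects the Linux:2.0.32:x86 entry through ForwardCompatible, and "Linux:2.4.0:x86" reaches the same entry through EquivalentPlatform.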

Examples of Using modutil

Example C.2, “Creating Database Files”

Example C.3, “Displaying Module Information”

Example C.4, “Setting a Default Provider”

Example C.5, “Enabling a Slot”

Example C.6, “Enabling FIPS Compliance”

Example C.7, “Adding a Cryptographic Module”

Example C.8, “Installing a Cryptographic Module from a JAR File”

Example C.9, “Changing the Password on a Token”

Example C.2. Creating Database Files

To create a set of security management database files in a directory:

# modutil -create -dbdir /etc/dirsrv/admin-serv

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Creating "/etc/dirsrv/admin-serv/key3.db"...done.
Creating "/etc/dirsrv/admin-serv/cert8.db"...done.
Creating "/etc/dirsrv/admin-serv/secmod.db"...done.


Example C.3. Displaying Module Information

To retrieve detailed information about a specific module:

# modutil -list -dbdir /etc/dirsrv/admin-serv

Using database directory /etc/dirsrv/admin-serv...

Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded

slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services

slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
-----------------------------------------------------------

Example C.4. Setting a Default Provider

To make a specific module the default provider for the RSA, DSA, and RC2 security
mechanisms:

# modutil -default "Cryptographic Module" -dbdir /etc/dirsrv/admin-serv -mechanisms RSA:DSA:RC2

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/dirsrv/admin-serv...
Successfully changed defaults.

Example C.5. Enabling a Slot

To enable a particular slot in a module:

# modutil -enable "Cryptographic Module" -slot "Cryptographic Reader" -dbdir /etc/dirsrv/admin-serv

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/dirsrv/admin-serv...
Slot "Cryptographic Reader" enabled.

Example C.6. Enabling FIPS Compliance

To enable FIPS-140-2 compliance in the Administration Server's internal module:

# modutil -fips true

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

FIPS mode enabled.

Example C.7. Adding a Cryptographic Module

To add a new cryptographic module to the database:

# modutil -dbdir "/etc/dirsrv/admin-serv" -add "Cryptorific Module" -libfile "/crypto.dll" -mechanisms RSA:DSA:RC2:RANDOM

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/dirsrv/admin-serv...
Module "Cryptorific Module" added to database.

Example C.8. Installing a Cryptographic Module from a JAR File

To install a module using a JAR file, first create the JAR file script. For example:

Platforms {
    Linux:2.0.32:x86 {
        ModuleName { "SuperCrypto Module" }
        ModuleFile { crypto.dll }
        DefaultMechanismFlags{0x0000}
        CipherEnableFlags{0x0000}
        Files {
            crypto.dll {
                RelativePath{ %root%/system32/crypto.dll }
            }
            setup.exe {
                Executable
                RelativePath{ %temp%/setup.exe }
            }
        }
    }
    Win95::x86 {
        EquivalentPlatform { Winnt::x86 }
    }
}

To install from the script, use the following command.

# modutil -dbdir "/etc/dirsrv/admin-serv" -jar install.jar -installdir "/etc"

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/dirsrv/admin-serv...

This installation JAR file was signed by:

----------------------------------------------

**SUBJECT NAME**

C=US, ST=California, L=Mountain View, CN=SuperCrypto Inc.,
OU=Digital ID Class 3 - Red Hat Object Signing,
OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)9 6",
OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign Object Signing CA - Class 3 Organization, OU="VeriSign,
Inc.", O=VeriSign Trust Network

**ISSUER NAME**

OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign Object Signing CA - Class 3 Organization, OU="VeriSign,
Inc.", O=VeriSign Trust Network

----------------------------------------------

Do you wish to continue this installation? (y/n)

Using installer script "installer_script"
Successfully parsed installation script
Current platform is Linux:2.0.32:x86
Using installation parameters for platform Linux:2.0.32:x86
Installed file crypto.dll to /winnt/system32/crypto.dll
Installed file setup.exe to ./pk11inst.dir/setup.exe
Executing "./pk11inst.dir/setup.exe"... "./pk11inst.dir/setup.exe" executed successfully
Installed module "SuperCrypto Module" into module database
Installation completed successfully


Example C.9. Changing the Password on a Token

To change the password for a security device in use by a module:

# modutil -dbdir "/etc/dirsrv/admin-serv" -changepw "Administration Server Certificate DB"

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/dirsrv/admin-serv...

Enter old password:
Enter new password:
Re-enter new password:

Token "Administration Server Certificate DB" password changed successfully.


APPENDIX D. REPLICATION AGREEMENT STATUS

In the read-only nsds5replicaLastUpdateStatus attribute of each replication agreement,
Directory Server displays the latest status of the agreement. The following is a list of
possible statuses:

Disabled agreements
If a replication agreement is disabled, the nsds5replicaLastUpdateStatus parameter is
no longer updated and can display the following status:

The replication agreement was already disabled when the server started:

Error (0) No replication sessions started since server startup

The agreement was disabled during run time:

Error (0) Replica acquired successfully: agreement disabled

General agreement status

The replication agreement was stopped:

Error (0) Replica acquired successfully: Protocol stopped

An incremental update was started:

Error (0) Replica acquired successfully: Incremental update started

An incremental update succeeded:

Error (0) Replica acquired successfully: Incremental update succeeded

Replication succeeded, but the consumer ended the session to be able to get
acquired by another supplier:

Error (0) Replica acquired successfully: Incremental update succeeded and yielded

Error messages in the ACQUIRING_REPLICA state
During the first part of a replication session, the supplier acquires the consumer,
establishes the connection, binds to the consumer, verifies that the consumer is not
already updated by another supplier, and performs additional checks. The following error
codes can be displayed in this state:

Failures during establishing a connection with the consumer:

Error (result_code) Problem connecting to replica - LDAP error: ldap_error_message

Error (result_code) Problem connecting to replica (SSL not enabled) - LDAP error: ldap_error_message

The result code and error message indicate the reason why the connection
could not be established.

An internal error occurred on the consumer:

Error (8) :Failed to acquire replica: Internal error occurred on the remote replica

This error is caused by a failure related to the change sequence number (CSN)
generator on the consumer. See the consumer log files for further details.

The identity used to authenticate to the consumer was neither a valid replication
bind distinguished name (DN) nor a member of a bind DN group:

Error (3) :Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later.

No valid replica was defined for the suffix on the consumer:

Error (6) :Unable to acquire replica: there is no replicated area on the consumer server. Replication is aborting.

Decoding error of the replication control sent to the consumer:

Error (4) :Unable to acquire replica: the consumer was unable to decode the startReplicationRequest extended operation sent by the supplier. Replication is aborting.

The replica is currently updated by a different supplier:

Error (1) :Unable to acquire replica: the replica is currently being updated by another supplier.

The supplier and consumer use the same replica ID:

Error (11) :Unable to aquire replica: the replica has the same
Replica ID as this one. Replication is aborting.

The supplier or the consumer is incorrectly configured. Set a unique replica ID in
the replication configuration to fix the problem.

The supplier was set into backoff mode:

Error (14) :Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later.

This state is only displayed when a custom replication hook is implemented.

Decoding errors of the replication control received from the consumer:

Error (extop_result) :Unable to acquire replica

Error (4) Unable to parse the response to the startReplication extended operation. Replication is aborting.

Error (16) Unable to receive the response for a startReplication extended operation to consumer. Will retry later.

Error (0) Unable to obtain current CSN. " "Replication is aborting.

Error messages in the SENDING_UPDATES state
After a replica was successfully acquired, the session starts sending updates. In this
state, the following messages can be displayed in the respective steps:

1. Examining the replica update vector (RUV):

The replica has no update vector configured or replication was not enabled on
the consumer:

Error (19) : Replica is not initialized

The consumer was not initialized using the same database generation as the
supplier:

Error (19) : Replica has different database generation ID, remote replica may need to be initialized

To fix the problem, initialize either the supplier or the consumer.

2. Updating the change state number (CSN) generator:

The time difference between the local and the remote server is too big:

Error (2) : fatal error - too much time skew between replicas

Directory Server failed to update the CSN generator:

Error (2) : fatal internal error updating the CSN generator

3. Initial changelog positioning:

General error in case that the changelog cannot be processed:

Error (15) : Unexpected format encountered in changelog database

This error is logged, for example, if the path to the changelog file does not
exist.


Parsing an entry in the changelog failed:

Error (15) : Unexpected format encountered in changelog database

Errors related to the database layer of the changelog:

Error (15) : Changelog database was in an incorrect state

Error (15) : Incorrect dbversion found in changelog database

Error (15) : Changelog database error was encountered

For further details, see the /var/log/dirsrv/slapd-instance_name/errors log file.

Directory Server failed to allocate memory:

Error (15) : changelog memory allocation error occurred

This error is logged, for example, if the changelog buffer or changelog iterator
failed to allocate memory.

The supplier is ahead of the consumer and wants to send updates, but cannot
find the starting point in the changelog:

Error (15) : Data required to update replica has been purged from the changelog. " "The replica must be reinitialized.

Error (15) : Changelog data is missing

Directory Server treats these errors as fatal, but they can be resolved if the
consumer receives the updates from a different supplier. In this case, it is
treated as transient.

4. Sending the next update:

Creating a result thread failed:

Error (result_code) : Failed to create result thread

The result code indicates the reason why the thread was not created.

General error in case that the changelog cannot be processed:

Error (15) : Invalid parameter passed to cl5GetNextOperationToReplay

This error is logged, for example, if the path to the changelog file does not
exist.

A database error occurred while reading the change log:


Error (15) : Database error occurred while getting the next operation to replay

This event is logged, for example, if Directory Server accesses a locked database page.

Directory Server ran out of memory:

Error (15) : Memory allocation error occurred (cl5GetNextOperationToReplay)

5. Sub-entry update:

The creation of the replica keep alive entry failed:

Error (-1) : Agreement is corrupted: missing suffix

General status in the SEND_UPDATES state:

A non-fatal error occurred on the local server while processing the changelog:

Error (18) : Incremental update transient error. Backing off, will retry update later.

See the /var/log/dirsrv/slapd-instance_name/errors file for further details.

A replication connection was disconnected after the connection was established:

Error (16) : Incremental update connection error. Backing off, will retry update later.

A timeout appeared on an existing replication connection:

Error (17) : Incremental update timeout error. Backing off, will retry update later.

The replication automatically tries to resume later.
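As an added example (not part of the Red Hat documentation or of Directory Server), the following Python classifies nsds5replicaLastUpdateStatus values using the codes and message fragments listed in this appendix, so a monitoring check can separate conditions that retry on their own from those that need an administrator; the agreement names and status strings in SAMPLE_STATUSES are constructed.

```python
"""Classify nsds5replicaLastUpdateStatus values for a monitoring check. Added
example, not Red Hat's or Directory Server's own code; the message fragments
come from the list above and SAMPLE_STATUSES is constructed."""
import re

# "Error (N) message"; the colon after the code is optional, as in the list above.
_STATUS_RE = re.compile(r"^Error \((?P<code>-?\d+)\)\s*:?\s*(?P<msg>.*)$")

# Message fragments quoted above that call for administrator action, paired
# with the remedy the appendix gives for each.
ACTION_REQUIRED = (
    ("same Replica ID", "set a unique replica ID on the supplier or consumer"),
    ("different database generation", "initialize either the supplier or the consumer"),
    ("Replica is not initialized", "configure the replica on the consumer"),
    ("must be reinitialized", "reinitialize the consumer (another supplier may still have the data)"),
    ("Changelog data is missing", "reinitialize the consumer (another supplier may still have the data)"),
    ("too much time skew", "synchronise the clocks of the replicas"),
    ("permission denied", "fix the replication bind DN or bind DN group on the consumer"),
    ("no replicated area", "define the replica for the suffix on the consumer"),
)
SEVERITY_ORDER = ("ok", "disabled", "transient", "error", "action")

SAMPLE_STATUSES = {  # constructed: agreement name -> attribute value
    "to-consumer1": "Error (0) Replica acquired successfully: Incremental update succeeded",
    "to-consumer2": "Error (0) Replica acquired successfully: agreement disabled",
    "to-consumer3": "Error (16) : Incremental update connection error. Backing off, will retry update later.",
    "to-consumer4": "Error (11) :Unable to aquire replica: the replica has the same Replica ID as this one. Replication is aborting.",
}


def parse_status(value):
    """Split 'Error (N) message' into (N, message). Raises ValueError for other
    forms, including the placeholder codes such as (result_code) shown above."""
    m = _STATUS_RE.match(value.strip())
    if not m:
        raise ValueError("unrecognised status: %r" % value)
    return int(m.group("code")), m.group("msg").strip()


def classify(value):
    """Return {'code', 'message', 'severity', 'advice'} for one status value."""
    code, msg = parse_status(value)
    lowered = msg.lower()
    if code == 0 and "agreement disabled" in lowered:
        severity, advice = "disabled", "agreement is disabled; re-enable it if unintended"
    elif code == 0:
        severity, advice = "ok", "no action needed"
    else:
        for needle, remedy in ACTION_REQUIRED:
            if needle.lower() in lowered:
                severity, advice = "action", remedy
                break
        else:
            if "retry" in lowered or "backing off" in lowered:
                severity = "transient"
                advice = "retried automatically; check the errors log if it persists"
            else:
                severity = "error"
                advice = "see /var/log/dirsrv/slapd-instance_name/errors"
    return {"code": code, "message": msg, "severity": severity, "advice": advice}


def triage(statuses):
    """Classify every agreement and report the worst severity seen."""
    report = {name: classify(value) for name, value in statuses.items()}
    worst = max(report.values(), key=lambda r: SEVERITY_ORDER.index(r["severity"]))
    return {"worst": worst["severity"], "agreements": report}
```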

GLOSSARY
A
access control instruction
See ACI.
access control list
See ACL.
access rights
In the context of access control, specify the level of access granted or denied. Access
rights are related to the type of operation that can be performed on the directory. The
following rights can be granted or denied: read, write, add, delete, search, compare,
selfwrite, proxy and all.

account inactivation
Disables a user account, group of accounts, or an entire domain so that all
authentication attempts are automatically rejected.

ACI
An instruction that grants or denies permissions to entries in the directory.

See Also access control instruction.

ACL
The mechanism for controlling access to your directory.

See Also access control list.

All IDs Threshold
Replaced with the ID list scan limit in Directory Server version 7.1. A size limit which is
globally applied to every index key managed by the server. When the size of an
individual ID list reaches this limit, the server replaces that ID list with an All IDs token.

See Also ID list scan limit.

All IDs token
A mechanism which causes the server to assume that all directory entries match the
index key. In effect, the All IDs token causes the server to behave as if no index was
available for the search request.

anonymous access
When granted, allows anyone to access directory information without providing
credentials, and regardless of the conditions of the bind.

approximate index
Allows for efficient approximate or "sounds-like" searches.

attribute
Holds descriptive information about an entry. Attributes have a label and a value. Each
attribute also follows a standard syntax for the type of information that can be stored as
the attribute value.

attribute list
A list of required and optional attributes for a given entry type or object class.

authenticating directory server
In pass-through authentication (PTA), the authenticating Directory Server is the Directory
Server that contains the authentication credentials of the requesting client. The PTA-
enabled host sends PTA requests it receives from clients to the host.

authentication
(1) Process of proving the identity of the client user to the Directory Server. Users must
provide a bind DN and either the corresponding password or certificate in order to be
granted access to the directory. Directory Server allows the user to perform functions or
access files and directories based on the permissions granted to that user by the
directory administrator.

(2) Allows a client to make sure they are connected to a secure server, preventing
another computer from impersonating the server or attempting to appear secure when it
is not.

authentication certificate
Digital file that is not transferable and not forgeable and is issued by a third party.
Authentication certificates are sent from server to client or client to server in order to
verify and authenticate the other party.

B
base distinguished name
See base DN.
base DN
Base distinguished name. A search operation is performed on the base DN, the DN of the
entry and all entries below it in the directory tree.

bind distinguished name
See bind DN.
bind DN
Distinguished name used to authenticate to Directory Server when performing an
operation.

bind rule
In the context of access control, the bind rule specifies the credentials and conditions
that a particular user or client must satisfy in order to get access to directory
information.

branch entry
An entry that represents the top of a subtree in the directory.

browser
Software, such as Mozilla Firefox, used to request and view World Wide Web material
stored as HTML files. The browser uses the HTTP protocol to communicate with the host
server.

browsing index
Speeds up the display of entries in the Directory Server Console. Browsing indexes can
be created on any branch point in the directory tree to improve display performance.

See Also virtual list view index.

C
CA
See Certificate Authority.
cascading replication
In a cascading replication scenario, one server, often called the hub supplier, acts both
as a consumer and a supplier for a particular replica. It holds a read-only replica and
maintains a changelog. It receives updates from the supplier server that holds the
master copy of the data and in turn supplies those updates to the consumer.

certificate
A collection of data that associates the public keys of a network user with their DN in the
directory. The certificate is stored in the directory as user object attributes.

Certificate Authority
Company or organization that sells and issues authentication certificates. You may
purchase an authentication certificate from a Certification Authority that you trust. Also
known as a CA.

CGI
Common Gateway Interface. An interface for external programs to communicate with
the HTTP server. Programs written to use CGI are called CGI programs or CGI scripts and
can be written in many of the common programming languages. CGI programs handle
forms or perform output parsing that is not done by the server itself.

chaining
A method for relaying requests to another server. Results for the request are collected,
compiled, and then returned to the client.

changelog
A changelog is a record that describes the modifications that have occurred on a replica.
The supplier server then replays these modifications on the replicas stored on replica
servers or on other masters, in the case of multi-master replication.

character type
Distinguishes alphabetic characters from numeric or other characters and the mapping
of upper-case to lower-case letters.

ciphertext
Encrypted information that cannot be read by anyone without the proper key to decrypt
the information.

class definition
Specifies the information needed to create an instance of a particular object and
determines how the object works in relation to other objects in the directory.

class of service
See CoS.
classic CoS
A classic CoS identifies the template entry by both its DN and the value of one of the
target entry's attributes.

client
See LDAP client.
code page
An internal table used by a locale in the context of the internationalization plug-in that
the operating system uses to relate keyboard keys to character font screen displays.

collation order
Provides language and cultural-specific information about how the characters of a given
language are to be sorted. This information might include the sequence of letters in the
alphabet or how to compare letters with accents to letters without accents.

consumer
Server containing replicated directory trees or subtrees from a supplier server.

consumer server
In the context of replication, a server that holds a replica that is copied from a different
server is called a consumer for that replica.

CoS
A method for sharing attributes between entries in a way that is invisible to applications.

CoS definition entry
Identifies the type of CoS you are using. It is stored as an LDAP subentry below the
branch it affects.

CoS template entry
Contains a list of the shared attribute values.

See Also template entry.

D
daemon
A background process on a Unix machine that is responsible for a particular system task.
Daemon processes do not need human intervention to continue functioning.

DAP
Directory Access Protocol. The ISO X.500 standard protocol that provides client access to
the directory.

data master
The server that is the master source of a particular piece of data.

database link
An implementation of chaining. The database link behaves like a database but has no
persistent storage. Instead, it points to data stored remotely.

default index
One of a set of default indexes created per database instance. Default indexes can be
modified, although care should be taken before removing them, as certain plug-ins may
depend on them.

definition entry
See CoS definition entry.
Directory Access Protocol
See DAP.
Directory Manager
The privileged database administrator, comparable to the root user in UNIX. Access
control does not apply to the Directory Manager.

directory service
A database application designed to manage descriptive, attribute-based information
about people and resources within an organization.

directory tree
The logical representation of the information stored in the directory. It mirrors the tree
model used by most filesystems, with the tree's root point appearing at the top of the
hierarchy. Also known as DIT.

distinguished name
String representation of an entry's name and location in an LDAP directory.

DIT
See directory tree.
DM
See Directory Manager.
DN
See distinguished name.
DNS
Domain Name System. The system used by machines on a network to associate
standard IP addresses (such as 198.93.93.10) with host names (such as
www.example.com). Machines normally get the IP address for a host name from a DNS
server, or they look it up in tables maintained on their systems.

DNS alias
A DNS alias is a host name that the DNS server knows points to a different
host, specifically a DNS CNAME record. Machines always have one real name, but they
can have one or more aliases. For example, an alias such as www.yourdomain.domain
might point to a real machine called realthing.yourdomain.domain where the server
currently exists.

E
entry
A group of lines in the LDIF file that contains information about an object.

entry distribution
Method of distributing directory entries across more than one server in order to scale to
support large numbers of entries.

entry ID list
Each index that the directory uses is composed of a table of index keys and matching
entry ID lists. The entry ID list is used by the directory to build a list of candidate entries
that may match the client application's search request.

equality index
Allows you to search efficiently for entries containing a specific attribute value.

F
file extension
The section of a filename after the period or dot (.) that typically defines the type of file
(for example, .GIF and .HTML). In the filename index.html the file extension is html.

file type
The format of a given file. For example, graphics files are often saved in GIF format,
while a text file is usually saved as ASCII text format. File types are usually identified by
the file extension (for example, .GIF or .HTML).

filter
A constraint applied to a directory query that restricts the information returned.

filtered role
Allows you to assign entries to the role depending upon the attribute contained by each
entry. You do this by specifying an LDAP filter. Entries that match the filter are said to
possess the role.

G
general access
When granted, indicates that all authenticated users can access directory information.

GSS-API
Generic Security Services. The generic access protocol that is the native way for UNIX-
based systems to access and authenticate Kerberos services; also supports session
encryption.

H
host name
A name for a machine in the form machine.domain.dom, which is translated into an IP
address. For example, www.example.com is the machine www in the subdomain example
and com domain.

HTML
Hypertext Markup Language. The formatting language used for documents on the World
Wide Web. HTML files are plain text files with formatting codes that tell browsers such as
Mozilla Firefox how to display text, position graphics, and form items and to display
links to other pages.

HTTP
Hypertext Transfer Protocol. The method for exchanging information between HTTP
servers and clients.

HTTPD
An abbreviation for the HTTP daemon or service, a program that serves information
using the HTTP protocol. The daemon or service is often called an httpd.

HTTPS
A secure version of HTTP, implemented using the Secure Sockets Layer, SSL.

hub
In the context of replication, a server that holds a replica that is copied from a different
server, and, in turn, replicates it to a third server.

See Also cascading replication.

I
ID list scan limit
A size limit which is globally applied to any indexed search operation. When the size of
an individual ID list reaches this limit, the server replaces that ID list with an all IDs
token.

index key
Each index that the directory uses is composed of a table of index keys and matching
entry ID lists.

indirect CoS
An indirect CoS identifies the template entry using the value of one of the target entry's
attributes.

international index
Speeds up searches for information in international directories.

International Standards Organization
See ISO.
IP address
Also Internet Protocol address. A set of numbers, separated by dots, that specifies the
actual location of a machine on the Internet (for example, 198.93.93.10).

ISO
International Standards Organization.

K
knowledge reference
Pointers to directory information stored in different databases.

L
LDAP
Lightweight Directory Access Protocol. Directory service protocol designed to run over
TCP/IP and across multiple platforms.

LDAP client
Software used to request and view LDAP entries from an LDAP Directory Server.

See Also browser.

LDAP Data Interchange Format
See LDIF.
LDAP URL
Provides the means of locating Directory Servers using DNS and then completing the
query using LDAP. A sample LDAP URL is ldap://ldap.example.com.

LDAPv3
Version 3 of the LDAP protocol, upon which Directory Server bases its schema format.

LDBM database
A high-performance, disk-based database consisting of a set of large files that contain all
of the data assigned to it. The primary data store in Directory Server.

LDIF
LDAP Data Interchange Format. Format used to represent Directory Server entries in
text form.

leaf entry
An entry under which there are no other entries. A leaf entry cannot be a branch point in
a directory tree.

Lightweight Directory Access Protocol
See LDAP.
locale
Identifies the collation order, character type, monetary format and time / date format
used to present data for users of a specific region, culture, and custom. This includes
information on how data of a given language is interpreted, stored, or collated. The
locale also indicates which code page should be used to represent a given language.

M
managed object
A standard value which the SNMP agent can access and send to the NMS. Each
managed object is identified with an official name and a numeric identifier expressed in
dot-notation.

managed role
Allows creation of an explicit enumerated list of members.

management information base
See MIB.
mapping tree
A data structure that associates the names of suffixes (subtrees) with databases.

master
See supplier.
master agent
See SNMP master agent.
matching rule
Provides guidelines for how the server compares strings during a search operation. In an
international search, the matching rule tells the server what collation order and operator
to use.

MD5
A message digest algorithm by RSA Data Security, Inc., which can be used to produce a
short digest of data that is unique with high probability; it is mathematically extremely
hard to produce another piece of data that will produce the same message digest.

MD5 signature
A message digest produced by the MD5 algorithm.

MIB
Management Information Base. All data, or any portion thereof, associated with the
SNMP network. We can think of the MIB as a database which contains the definitions of
all SNMP managed objects. The MIB has a tree-like hierarchy, where the top level
contains the most general information about the network and lower levels deal with
specific, separate network areas.

MIB namespace
Management Information Base namespace. The means for directory data to be named
and referenced. Also called the directory tree.

monetary format
Specifies the monetary symbol used by specific region, whether the symbol goes before
or after its value, and how monetary units are represented.

multi-master replication
An advanced replication scenario in which two servers each hold a copy of the same
read-write replica. Each server maintains a changelog for the replica. Modifications
made on one server are automatically replicated to the other server. In case of conflict,
a time stamp is used to determine which server holds the most recent version.

multiplexor
The server containing the database link that communicates with the remote server.

N
n + 1 directory problem
The problem of managing multiple instances of the same information in different
directories, resulting in increased hardware and personnel costs.

name collisions
Multiple entries with the same distinguished name.

nested role
Allows the creation of roles that contain other roles.

network management application
Network Management Station component that graphically displays information about
SNMP managed devices, such as which device is up or down and which and how many
error messages were received.

network management station
See NMS.
NIS
Network Information Service. A system of programs and data files that Unix machines
use to collect, collate, and share specific information about machines, users, filesystems,
and network parameters throughout a network of computers.

NMS
Powerful workstation with one or more network management applications installed. Also
network management station.

ns-slapd
Red Hat's LDAP Directory Server daemon or service that is responsible for all actions of
the Directory Server.

See Also slapd.

O
object class
Defines an entry type in the directory by defining which attributes are contained in the
entry.

object identifier
A string, usually of decimal numbers, that uniquely identifies a schema element, such as
an object class or an attribute, in an object-oriented system. Object identifiers are
assigned by ANSI, IETF or similar organizations.

See Also OID.

OID
See object identifier.
operational attribute
Contains information used internally by the directory to keep track of modifications and
subtree properties. Operational attributes are not returned in response to a search
unless explicitly requested.

P
parent access
When granted, indicates that users have access to entries below their own in the
directory tree if the bind DN is the parent of the targeted entry.

pass-through authentication
See PTA.
pass-through subtree
In pass-through authentication, the PTA directory server will pass through bind requests
to the authenticating directory server from all clients whose DN is contained in this
subtree.

password file
A file on Unix machines that stores Unix user login names, passwords, and user ID
numbers. It is also known as /etc/passwd because of where it is kept.

password policy
A set of rules that governs how passwords are used in a given directory.

PDU
Encoded messages which form the basis of data exchanges between SNMP devices. Also
protocol data unit.

permission
In the context of access control, permission states whether access to the directory
information is granted or denied and the level of access that is granted or denied.

See Also access rights.

pointer CoS
A pointer CoS identifies the template entry using the template DN only.

presence index
Allows searches for entries that contain a specific indexed attribute.

protocol
A set of rules that describes how devices on a network exchange information.

protocol data unit
See PDU.
proxy authentication
A special form of authentication where the user requesting access to the directory does
not bind with its own DN but with a proxy DN.

proxy DN
Used with proxied authorization. The proxy DN is the DN of an entry that has access
permissions to the target on which the client-application is attempting to perform an
operation.

PTA
Mechanism by which one Directory Server consults another to check bind credentials.
Also pass-through authentication.

PTA directory server
In pass-through authentication (PTA), the PTA Directory Server is the server that sends
(passes through) bind requests it receives to the authenticating directory server.

PTA LDAP URL
In pass-through authentication, the URL that defines the authenticating directory server,
pass-through subtree(s), and optional parameters.

R
RAM
Random access memory. The physical semiconductor-based memory in a computer.
Information stored in RAM is lost when the computer is shut down.

rc.local
A file on Unix machines that describes programs that are run when the machine starts. It
is also called /etc/rc.local because of its location.

RDN
The name of the actual entry itself, before the entry's ancestors have been appended to
the string to form the full distinguished name. Also relative distinguished name.

read-only replica
A replica that refers all update operations to read-write replicas. A server can hold any
number of read-only replicas.

read-write replica
A replica that contains a master copy of directory information and can be updated. A
server can hold any number of read-write replicas.

referential integrity
Mechanism that ensures that relationships between related entries are maintained
within the directory.

referral
(1) When a server receives a search or update request from an LDAP client that it cannot
process, it usually sends back to the client a pointer to the LDAP server that can process
the request.

(2) In the context of replication, when a read-only replica receives an update request, it
forwards it to the server that holds the corresponding read-write replica. This forwarding
process is called a referral.

relative distinguished name
See RDN.
replica
A database that participates in replication.

replication
Act of copying directory trees or subtrees from supplier servers to replica servers.

replication agreement
Set of configuration parameters that are stored on the supplier server and identify the
databases to replicate, the replica servers to which the data is pushed, the times during
which replication can occur, the DN and credentials used by the supplier to bind to the
consumer, and how the connection is secured.

RFC
Request for Comments. Procedures or standards documents submitted to the Internet
community. People can send comments on the technologies before they become
accepted standards.

role
An entry grouping mechanism. Each role has members, which are the entries that
possess the role.

role-based attributes
Attributes that appear on an entry because it possesses a particular role within an
associated CoS template.

root
The most privileged user available on Unix machines. The root user has complete access
privileges to all files on the machine.

root suffix
The parent of one or more sub suffixes. A directory tree can contain more than one root
suffix.

S
SASL
An authentication framework for clients as they attempt to bind to a directory. Also
Simple Authentication and Security Layer.

schema
Definitions describing what types of information can be stored as entries in the directory.
When information that does not match the schema is stored in the directory, clients
attempting to access the directory may be unable to display the proper results.

schema checking
Ensures that entries added or modified in the directory conform to the defined schema.
Schema checking is on by default, and users will receive an error if they try to save an
entry that does not conform to the schema.

Secure Sockets Layer
See SSL.
self access
When granted, indicates that users have access to their own entries if the bind DN
matches the targeted entry.

Server Console
Java-based application that allows you to perform administrative management of your
Directory Server from a GUI.

server daemon
The server daemon is a process that, once running, listens for and accepts requests from
clients.

Server Selector
Interface that allows you to select and configure servers using a browser.

server service
A process on Windows that, once running, listens for and accepts requests from clients.
It is the SMB server on Windows NT.

service
A background process on a Windows machine that is responsible for a particular system
task. Service processes do not need human intervention to continue functioning.

SIE
Server Instance Entry. The ID assigned to an instance of Directory Server during
installation.

Simple Authentication and Security Layer
See SASL.
Simple Network Management Protocol
See SNMP.
single-master replication
The most basic replication scenario in which multiple servers, up to four, each hold a
copy of the same read-write replicas to replica servers. In a single-master replication
scenario, the supplier server maintains a changelog.

SIR
See supplier-initiated replication.
slapd
LDAP Directory Server daemon or service that is responsible for most functions of a
directory except replication.

See Also ns-slapd.

SNMP
Used to monitor and manage application processes running on the servers by
exchanging data about network activity. Also Simple Network Management Protocol.

SNMP master agent
Software that exchanges information between the various subagents and the NMS.

SNMP subagent
Software that gathers information about the managed device and passes the information
to the master agent. Also called a subagent.

SSL
A software library establishing a secure connection between two parties (client and
server) used to implement HTTPS, the secure version of HTTP. Also called Secure Sockets
Layer.

standard index
An index maintained by default.

sub suffix
A branch underneath a root suffix.

subagent
See SNMP subagent.
substring index
Allows for efficient searching against substrings within entries. Substring indexes are
limited to a minimum of two characters for each entry.

suffix
The name of the entry at the top of the directory tree, below which data is stored.
Multiple suffixes are possible within the same directory. Each database only has one
suffix.

superuser
The most privileged user available on Unix machines. The superuser has complete
access privileges to all files on the machine. Also called root.

supplier
Server containing the master copy of directory trees or subtrees that are replicated to
replica servers.

supplier server
In the context of replication, a server that holds a replica that is copied to a different
server is called a supplier for that replica.

supplier-initiated replication
Replication configuration where supplier servers replicate directory data to any replica
servers.

symmetric encryption
Encryption that uses the same key for both encrypting and decrypting. DES is an
example of a symmetric encryption algorithm.

system index
Cannot be deleted or modified as it is essential to Directory Server operations.

T
target
In the context of access control, the target identifies the directory information to which a
particular ACI applies.

target entry
The entries within the scope of a CoS.

TCP/IP
Transmission Control Protocol/Internet Protocol. The main network protocol for the
Internet and for enterprise (company) networks.

template entry
See CoS template entry.
time/date format
Indicates the customary formatting for times and dates in a specific region.

TLS
The new standard for secure socket layers; a public key based protocol. Also Transport
Layer Security.

topology
The way a directory tree is divided among physical servers and how these servers link
with one another.

Transport Layer Security
See TLS.

U
uid
A unique number associated with each user on a Unix system.

URL
Uniform Resource Locator. The addressing system used by the server and the client to
request documents. It is often called a location. The format of a URL is
protocol://machine:port/document. The port number is necessary only on selected
servers, and it is often assigned by the server, freeing the user of having to place it in
the URL.

V
virtual list view index
Speeds up the display of entries in the Directory Server Console. Virtual list view indexes
can be created on any branch point in the directory tree to improve display
performance.

See Also browsing index.

X
X.500 standard
The set of ISO/ITU-T documents outlining the recommended information model, object
classes and attributes used by directory server implementations.

INDEX
Symbols
00core.ldif
ldif files, LDIF and Schema Configuration Files

01common.ldif
ldif files, LDIF and Schema Configuration Files

05rfc2247.ldif
ldif files, LDIF and Schema Configuration Files

05rfc2927.ldif
ldif files, LDIF and Schema Configuration Files

10presence.ldif
ldif files, LDIF and Schema Configuration Files

10rfc2307.ldif
ldif files, LDIF and Schema Configuration Files

20subscriber.ldif
ldif files, LDIF and Schema Configuration Files

25java-object.ldif
ldif files, LDIF and Schema Configuration Files

28pilot.ldif
ldif files, LDIF and Schema Configuration Files

30ns-common.ldif
ldif files, LDIF and Schema Configuration Files

50ns-admin.ldif
ldif files, LDIF and Schema Configuration Files

50ns-certificate.ldif
ldif files, LDIF and Schema Configuration Files

50ns-directory.ldif
ldif files, LDIF and Schema Configuration Files

50ns-mail.ldif
ldif files, LDIF and Schema Configuration Files

50ns-value.ldif
ldif files, LDIF and Schema Configuration Files

50ns-web.ldif
ldif files, LDIF and Schema Configuration Files

60pam-plugin.ldif, LDIF and Schema Configuration Files

99user.ldif
ldif files, LDIF and Schema Configuration Files

::, in LDIF statements, ldif

A
access log
connection code, Common Connection Codes
A1, Common Connection Codes
B1, Common Connection Codes
B2, Common Connection Codes
B3, Common Connection Codes
B4, Common Connection Codes
P2, Common Connection Codes
T1, Common Connection Codes
T2, Common Connection Codes
U1, Common Connection Codes

contents, Access Log Reference, Default Access Logging Content
abandon message (ABANDON), Default Access Logging Content
change sequence number (csn), Default Access Logging Content
connection description (conn), Access Log Content for Additional Access Logging Levels
connection number (conn), Default Access Logging Content
elapsed time (etime), Default Access Logging Content
error number (err), Default Access Logging Content
extended operation OID (oid), Default Access Logging Content
file descriptor (fd), Default Access Logging Content
format, Access Log Reference
LDAP request type, Default Access Logging Content
LDAP response type, Default Access Logging Content
message ID (msgid), Default Access Logging Content
method type (method), Default Access Logging Content
number of entries (nentries), Default Access Logging Content
operation number (op), Default Access Logging Content
options description (options), Access Log Content for Additional Access Logging Levels
paged search indicator (notes=P), Default Access Logging Content
SASL multi-stage binds, Default Access Logging Content
scope of the search (scope), Default Access Logging Content
search indicator, Default Access Logging Content
slot number (slot), Default Access Logging Content
sort (SORT), Default Access Logging Content
tag number (tag), Default Access Logging Content
version number (version), Default Access Logging Content
VLV-related entries, Default Access Logging Content

LDAP result codes, LDAP Result Codes
levels, Access Logging Levels, Access Log Content for Additional Access Logging Levels
sample 1 (level 256), Default Access Logging Content
statistics for monitoring and optimizing directory usage, logconv.pl (Log Converter)

account, account
account policy
altstateattrname, altstateattrname
alwaysRecordLogin, alwaysRecordLogin
alwaysRecordLoginAttr, alwaysRecordLoginAttr
limitattrname, limitattrname
plug-in configuration attributes, Account Policy Plug-in Attributes
specattrname, specattrname
stateattrname, stateattrname

accountpolicy, accountpolicy
accountUnlockTime, accountUnlockTime
aci, aci
AD DN
addn_base, addn_base
addn_filter, addn_filter
cn, cn
plug-in configuration attributes, AD DN Plug-in Attributes

alias, alias
aliasedObjectName, aliasedObjectName
altServer, altServer
ancestorid.db file, Database Files
associatedDomain, associatedDomain
associatedName, associatedName
attributes
allowed, Required and Allowed Attributes
defined, Attributes
multi-valued, Single- and Multi-Valued Attributes

required, Required and Allowed Attributes
single-valued, Single- and Multi-Valued Attributes
syntax, Directory Server Attribute Syntaxes
syntax validation, Syntax Validation

attributeTypes, attributeTypes
audio, audio
authorCn, authorCn
authorSn, authorSn
auto membership plug-in configuration attributes
autoMemberDefaultGroup, autoMemberDefaultGroup
autoMemberDefinition, autoMemberDefinition (Object Class)
autoMemberExclusiveRegex, autoMemberExclusiveRegex
autoMemberFilter, autoMemberFilter
autoMemberGroupingAttr, autoMemberGroupingAttr
autoMemberInclusiveRegex, autoMemberInclusiveRegex
autoMemberRegexRule, autoMemberRegexRule (Object Class)
autoMemberScope, autoMemberScope
autoMemberTargetGroup, autoMemberTargetGroup

automountInformation, automountInformation

B
backend, cn=USN tombstone cleanup task
backendMonitorDN attribute, cn=monitor
backup files, Backup Files
bak2db
command-line shell script, bak2db (Restores a Database from Backup)
quick reference, Command-Line Scripts Quick Reference

bak2db.pl
command-line perl script, bak2db.pl (Restores a Database from Backup)

base, ldif
base 64 encoding, ldif
basedn, cn=memberof task, cn=syntax validate, cn=automember rebuild membership, cn=automember export updates
binary data, LDIF and, ldif
bootableDevice, bootableDevice
bootFile, bootFile
bootParameter, bootParameter
Browsing Indexes, vlvindex (Creates Virtual List View Indexes)
buildingName, buildingName
businessCategory, businessCategory
bytessent attribute, cn=monitor

C
c, c (countryName)
cACertificate, cACertificate
cacheObject, cacheObject
carLicense, carLicense
certificateRevocationList, certificateRevocationList
changelog
multi-master replication changelog, cn=changelog5,cn=config

changeLog, changeLog
changelog configuration attributes
changelogmaxconcurrentwrites, nsslapd-changelogmaxconcurrentwrites (Max Concurrent Rewrites)
changelogmaxentries, nsslapd-changelogmaxentries (Max Changelog Records)
changelogtrim-interval, nsslapd-changelogtrim-interval (Replication Changelog Trimming Interval)
nsslapd-changelogcompactdb-interval, nsslapd-changelogcompactdb-interval
nsslapd-changelogdir, nsslapd-changelogdir
nsslapd-changelogmaxage, nsslapd-changelogmaxage (Max Changelog Age)
nsslapd-encryptionalgorithm, nsslapd-encryptionalgorithm (Encryption Algorithm)
nsSymmetricKey, nsSymmetricKey

changelog configuration entries
cn=changelog5, cn=changelog5,cn=config

changeLogEntry, changeLogEntry (Object Class)
changeNumber, changeNumber
changes, changes
changeTime, changeTime
changeType, changeType
cl-dump
command-line shell script, cl-dump (Dumps and Decodes the Changelog)

cl-dump.pl
command-line perl script, cl-dump.pl (Dumps and Decodes the Changelog)

cleanallruv.pl
command-line perl script, cleanallruv.pl (Cleans RUV data)

cn, Task Invocation Attributes for Entries under cn=tasks, cn (commonName)
cn attribute, cn, cn
cn=abort cleanallruv
configuration entry, cn=abort cleanallruv

cn=abort cleanallruv task
attributes
replica-base-dn, cn=abort cleanallruv
replica-certify-all, cn=abort cleanallruv
replica-id, cn=abort cleanallruv

cn=automember export updates
configuration entry, cn=automember export updates

cn=automember export updates task
attributes
basedn, cn=automember export updates
filter, cn=automember export updates
ldif, cn=automember export updates
scope, cn=automember export updates

cn=automember map updates
configuration entry, cn=automember map updates

cn=automember map updates task
attributes
ldif_in, cn=automember map updates
ldif_out, cn=automember map updates

cn=automember rebuild membership
configuration entry, cn=automember rebuild membership

cn=automember rebuild membership task
attributes
basedn, cn=automember rebuild membership
filter, cn=automember rebuild membership
scope, cn=automember rebuild membership

cn=backup
attributes
nsArchiveDir, cn=backup
nsDatabaseType, cn=backup

configuration entry, cn=backup

cn=changelog5
changelog configuration entries, cn=changelog5,cn=config
object classes, cn=changelog5,cn=config

cn=cleanallruv
configuration entry, cn=cleanallruv

cn=cleanallruv task
attributes
replica-base-dn, cn=cleanallruv
replica-force-cleaning, cn=cleanallruv
replica-id, cn=cleanallruv

cn=config
general, Overview of the Directory Server Configuration
general configuration entries, cn=config
object classes, cn=config

cn=config Directory Information Tree
configuration data, Overview of the Directory Server Configuration

cn=des2aes
configuration entry, cn=des2aes

cn=encrypted attributes, Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config
attribute, Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config
object class, Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config

cn=encryption
encryption configuration entries, cn=encryption
object classes, cn=encryption

cn=export
attributes
nsDumpUniqId, cn=export
nsExcludeSuffix, cn=export
nsExportReplica, cn=export
nsFilename, cn=export
nsIncludeSuffix, cn=export
nsInstance, cn=export
nsNoWrap, cn=export
nsPrintKey, cn=export
nsUseId2Entry, cn=export
nsUseOneFile, cn=export

configuration entry, cn=export

cn=fixup linked attributes task
attributes
linkdn, cn=fixup linked attributes

configuration entry, cn=fixup linked attributes

cn=import
attributes
nsExcludeSuffix, cn=import
nsFilename, cn=import
nsImportChunkSize, cn=import
nsImportIndexAttrs, cn=import
nsIncludeSuffix, cn=import
nsInstance, cn=import
nsUniqueIdGenerator, cn=import
nsUniqueIdGeneratorNamespace, cn=import

configuration entry, Task Invocation Attributes for Entries under cn=tasks, cn=import

cn=index
attributes
nsIndexAttribute, cn=index
nsIndexVLVAttribute, cn=index

configuration entry, cn=index

cn=mapping tree
object classes, cn=mapping tree
suffix and replication configuration entries, cn=mapping tree

cn=memberof task
attributes
basedn, cn=memberof task
filter, cn=memberof task

configuration entry, cn=memberof task

cn=monitor
object classes, cn=monitor
read-only monitoring configuration entries, cn=monitor

cn=restore
attributes
nsArchiveDir, cn=restore
nsDatabaseType, cn=restore

configuration entry, cn=restore

cn=sasl
object classes, cn=sasl
SASL configuration entries, cn=sasl

cn=schema reload task
attributes
schemadir, cn=schema reload task

configuration entry, cn=schema reload task

cn=SNMP
object classes, cn=SNMP
SNMP configuration entries, cn=SNMP

cn=syntax validate attributes task
configuration entry, cn=syntax validate

cn=syntax validate task
attributes
basedn, cn=syntax validate
filter, cn=syntax validate

cn=tasks
attributes
cn, Task Invocation Attributes for Entries under cn=tasks
nsTaskCancel, Task Invocation Attributes for Entries under cn=tasks
nsTaskCurrentItem, Task Invocation Attributes for Entries under cn=tasks
nsTaskExitCode, Task Invocation Attributes for Entries under cn=tasks
nsTaskLog, Task Invocation Attributes for Entries under cn=tasks
nsTaskStatus, Task Invocation Attributes for Entries under cn=tasks
ttl, Task Invocation Attributes for Entries under cn=tasks

cn=abort cleanallruv, cn=abort cleanallruv
cn=automember export updates, cn=automember export updates
cn=automember map updates, cn=automember map updates
cn=automember rebuild membership, cn=automember rebuild membership
cn=backup, cn=backup
cn=cleanallruv, cn=cleanallruv
cn=des2aes, cn=des2aes
cn=export, cn=export
cn=import, Task Invocation Attributes for Entries under cn=tasks, cn=import
cn=index, cn=index
cn=restore, cn=restore
entries, cn=tasks
task invocation configuration entries, cn=tasks

cn=uniqueid generator
object classes, cn=uniqueid generator
uniqueid generator configuration entries, cn=uniqueid generator

cn=UserRoot
configuration, Configuration of Databases

cn=USN tombstone cleanup task
attributes
backend, cn=USN tombstone cleanup task
max_usn_to_delete, cn=USN tombstone cleanup task
suffix, cn=USN tombstone cleanup task

configuration entry, cn=USN tombstone cleanup task

co, co (friendlyCountryName)
command-line scripts, Command-Line Scripts
finding and executing, Finding and Executing Command-Line Scripts
location of shell scripts, Command-Line Scripts Quick Reference
migrate-ds-admin.pl, migrate-ds-admin.pl
migrate-ds.pl, migrate-ds.pl
perl scripts, Perl Scripts
bak2db.pl, bak2db.pl (Restores a Database from Backup)
cl-dump.pl, cl-dump.pl (Dumps and Decodes the Changelog)
cleanallruv.pl, cleanallruv.pl (Cleans RUV data)
db2bak.pl, db2bak.pl (Creates a Backup of a Database)
db2index.pl, db2index.pl (Creates and Generates Indexes)
db2ldif.pl, db2ldif.pl (Exports Database Contents to LDIF)
fixup-linkedattrs.pl, fixup-linkedattrs.pl (Regenerate Linked and Managed Attributes)
fixup-memberof.pl, fixup-memberof.pl (Regenerate memberOf Attributes)
ldif2db.pl, ldif2db.pl (Import)
ns-accountstatus.pl, ns-accountstatus.pl (Establishes Account Status)
ns-activate.pl, ns-activate.pl (Activates an Entry or Group of Entries)
ns-inactivate.pl, ns-inactivate.pl (Inactivates an Entry or Group of Entries)
ns-newpwpolicy.pl, ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)
repl-monitor.pl, repl-monitor.pl (Monitors Replication Status)
schema-reload.pl, schema-reload.pl (Reload Schema Files Dynamically)
syntax-validate.pl, syntax-validate.pl (Validate Attribute Values)
usn-tombstone-cleanup.pl, usn-tombstone-cleanup.pl (Remove Deleted Entries)
verify-db.pl, verify-db.pl (Check for Corrupt Databases)

quick reference, Command-Line Scripts Quick Reference
register-ds-admin.pl, register-ds-admin.pl
remove-ds-admin.pl, remove-ds-admin.pl
remove-ds.pl, remove-ds.pl
setup-ds-admin.pl, setup-ds-admin.pl
setup-ds.pl, setup-ds.pl
shell scripts, Shell Scripts
bak2db, bak2db (Restores a Database from Backup)
cl-dump, cl-dump (Dumps and Decodes the Changelog)
db2bak, db2bak (Creates a Backup of a Database)
db2index, db2index (Reindexes Database Index Files)
db2ldif, db2ldif (Exports Database Contents to LDIF)
dbverify, dbverify (Checks for Corrupt Databases)
ldif2db, ldif2db (Import)
ldif2ldap, ldif2ldap (Performs Import Operation over LDAP)
monitor, monitor (Retrieves Monitoring Information)
pwdhash, pwdhash (Encrypts Passwords)
repl-monitor, repl-monitor (Monitors Replication Status)
restart-dirsrv, restart-dirsrv (Restarts the Directory Server)
restart-ds-admin, restart-ds-admin (Restarts the Administration Server)
restart-slapd, restart-slapd (Restarts the Directory Server)
restoreconfig, restoreconfig (Restores Administration Server Configuration)
saveconfig, saveconfig (Saves Administration Server Configuration)
start-dirsrv, start-dirsrv (Starts the Directory Server)
start-ds-admin, start-ds-admin (Starts the Administration Server)
start-slapd, start-slapd (Starts the Directory Server)
status-dirsrv, status-dirsrv (Obtains the Status of the Directory Server)
stop-dirsrv, stop-dirsrv (Stops the Directory Server)
stop-ds-admin, stop-ds-admin (Stops the Administration Server)
stop-slapd, stop-slapd (Stops the Directory Server)
suffix2instance, suffix2instance (Maps a Suffix to a Backend Name)
upgradednformat, upgradednformat
vlvindex, vlvindex (Creates Virtual List View Indexes)

command-line utilities
dbmon.sh, dbmon.sh (Database Monitoring and Entry Cache Usage)
dbscan, dbscan
dn2rdn, dn2rdn
ds-replcheck, ds-replcheck (Check Replication Status Between Two Databases)
ds_removal, ds_removal
ldif, ldif

configuration
access control, Access Control for Configuration Entries
accessing and modifying, Accessing and Modifying Server Configuration
changing attributes, Changing Configuration Attributes
cn=UserRoot, Configuration of Databases
database-specific, Overview of the Directory Server Configuration
o=NetscapeRoot, Configuration of Databases
overview, Overview of the Directory Server Configuration
plug-in functionality, Configuration of Plug-in Functionality

configuration attributes
changelog5 configuration attributes, cn=changelog5,cn=config
changing, Changing Configuration Attributes
core server configuration attributes, Core Server Configuration Attributes Reference
database link plug-in configuration attributes, Database Link Plug-in Attributes (Chaining Attributes)
database plug-in configuration attributes, Database Plug-in Attributes
encryption configuration attributes, cn=encryption
mapping tree configuration attributes, cn=mapping tree
monitoring configuration attributes, cn=monitor
overview, Configuration Attributes
plug-in functionality configuration attributes, List of Attributes Common to All Plug-ins
plug-in functionality configuration attributes allowed by certain plug-ins, Attributes Allowed by Certain Plug-ins
plug-in functionality configuration attributes common to all plug-ins, List of Attributes Common to All Plug-ins
replication agreement configuration attributes, Replication Attributes under cn=ReplicationAgreementName,cn=replica,cn=suffixName,cn=mapping tree,cn=config
replication configuration attributes, Replication Attributes under cn=replica,cn=suffixDN,cn=mapping tree,cn=config
restrictions to modifying, Restrictions to Modifying Configuration Entries and Attributes
retro changelog plug-in configuration attributes, Retro Changelog Plug-in Attributes
root DSE configuration attributes, Root DSE Configuration Parameters
rootdn access control plug-in configuration attributes, RootDN Access Control Plug-in Attributes
SASL configuration attributes, cn=sasl
SNMP configuration attributes, cn=SNMP
suffix configuration attributes, Suffix Configuration Attributes under cn=suffix_DN
synchronization agreement attributes, Synchronization Attributes under cn=syncAgreementName,cn=WindowsReplica,cn=suffixName,cn=mapping tree,cn=config
task configuration attributes, cn=tasks
cn=abort cleanallruv, cn=abort cleanallruv
cn=automember export updates, cn=automember export updates
cn=automember map updates, cn=automember map updates
cn=automember rebuild membership, cn=automember rebuild membership
cn=backup, cn=backup
cn=cleanallruv, cn=cleanallruv
cn=des2aes, cn=des2aes
cn=export, cn=export
cn=fixup linked attributes, cn=fixup linked attributes
cn=import, Task Invocation Attributes for Entries under cn=tasks, cn=import
cn=index, cn=index
cn=memberof task, cn=memberof task
cn=restore, cn=restore
cn=schema reload task, cn=schema reload task
cn=syntax validate attributes, cn=syntax validate
cn=USN tombstone cleanup task, cn=USN tombstone cleanup task

uniqueid generator configuration attributes, cn=uniqueid generator

configuration changes
deleting core server configuration attributes, Deleting Configuration Attributes
requiring server restart, Configuration Changes Requiring Server Restart

configuration entries
modifying using LDAP, Modifying Configuration Entries Using LDAP
restrictions to modifying, Restrictions to Modifying Configuration Entries and Attributes

configuration files, Configuration Files
location of, Accessing and Modifying Server Configuration

configuration information tree
dse.ldif file, Core Server Configuration Attributes Reference

connection attribute, cn=monitor
connection code, Common Connection Codes
core configuration attributes
passwordAllowChangeTime, passwordAllowChangeTime
passwordExpirationTime, passwordExpirationTime
passwordExpWarned, passwordExpWarned
retryCountResetTime, retryCountResetTime

core server configuration attributes
backend, cn=USN tombstone cleanup task
backendMonitorDN, cn=monitor
basedn, cn=memberof task, cn=syntax validate, cn=automember rebuild membership, cn=automember export updates
bytessent, cn=monitor
cn, cn, Task Invocation Attributes for Entries under cn=tasks
connection, cn=monitor
currentconnection, cn=monitor
currenttime, cn=monitor
deleting, Deleting Configuration Attributes
description, description
dtablesize, cn=monitor
entriessent, cn=monitor
filter, cn=memberof task, cn=syntax validate, cn=automember rebuild membership, cn=automember export updates
ldif, cn=automember export updates
ldif_in, cn=automember map updates
ldif_out, cn=automember map updates
linkdn, cn=fixup linked attributes
max_usn_to_delete, cn=USN tombstone cleanup task
nbackends, cn=monitor
nsArchiveDir, cn=backup, cn=restore
nsDatabaseType, cn=backup, cn=restore
nsDS50ruv, nsDS50ruv
nsDS5BeginReplicaRefresh, nsDS5BeginReplicaRefresh
nsDS5Flags, nsDS5Flags
nsDS5ReplConflict, nsDS5ReplConflict
nsDS5ReplicaBindDN, nsDS5ReplicaBindDN
nsDS5ReplicaBindDNGroup, nsDS5ReplicaBindDNGroup
nsDS5ReplicaBindDNGroupCheckInterval, nsDS5ReplicaBindDNGroupCheckInterval
nsDS5ReplicaBindMethod, nsDS5ReplicaBindMethod
nsDS5ReplicaBusyWaitTime, nsDS5ReplicaBusyWaitTime
nsDS5ReplicaChangeCount, nsDS5ReplicaChangeCount
nsDS5ReplicaChangesSentSinceStartup, nsDS5ReplicaChangesSentSinceStartup
nsDS5ReplicaCredentials, nsDS5ReplicaCredentials
nsds5ReplicaEnabled, nsds5ReplicaEnabled
nsDS5ReplicaHost, nsDS5ReplicaHost
nsDS5ReplicaID, nsDS5ReplicaId
nsDS5ReplicaLastInitEnd, nsDS5ReplicaLastInitEnd
nsDS5ReplicaLastInitStart, nsDS5ReplicaLastInitStart
nsDS5ReplicaLastInitStatus, nsDS5ReplicaLastInitStatus
nsDS5ReplicaLastUpdateEnd, nsDS5ReplicaLastUpdateEnd
nsDS5ReplicaLastUpdateStart, nsDS5ReplicaLastUpdateStart
nsds5replicaLastUpdateStatus, nsds5replicaLastUpdateStatus
nsDS5ReplicaLegacyConsumer, nsDS5ReplicaLegacyConsumer
nsDS5ReplicaName, nsDS5ReplicaName
nsDS5ReplicaPort, nsDS5ReplicaPort
nsDS5ReplicaPurgeDelay, nsDS5ReplicaPurgeDelay
nsDS5ReplicaReapActive, nsDS5ReplicaReapActive
nsDS5ReplicaReferral, nsDS5ReplicaReferral
nsDS5ReplicaReleaseTimeout, nsDS5ReplicaReleaseTimeout
nsDS5ReplicaRoot, nsDS5ReplicaRoot
nsDS5ReplicaSessionPauseTime, nsDS5ReplicaSessionPauseTime
nsds5ReplicaStripAttrs, nsds5ReplicaStripAttrs
nsDS5ReplicatedAttributeList, nsDS5ReplicatedAttributeList
nsDS5ReplicatedAttributeListTotal, nsDS5ReplicatedAttributeListTotal
nsDS5ReplicaTimeout, nsDS5ReplicaTimeout
nsDS5ReplicaTombstonePurgeInterval, nsDS5ReplicaTombstonePurgeInterval
nsDS5ReplicaTransportInfo, nsDS5ReplicaTransportInfo
nsDS5ReplicaType, nsDS5ReplicaType
nsDS5ReplicaUpdateInProgress, nsDS5ReplicaUpdateInProgress
nsDS5ReplicaUpdateSchedule, nsDS5ReplicaUpdateSchedule
nsDS5ReplicaWaitForAsyncResults, nsDS5ReplicaWaitForAsyncResults
nsds5Task, nsds5Task
nsDumpUniqId, cn=export
nsExcludeSuffix, cn=import, cn=export
nsExportReplica, cn=export
nsFilename, cn=import, cn=export
nsImportChunkSize, cn=import
nsImportIndexAttrs, cn=import
nsIncludeSuffix, cn=import, cn=export
nsIndexAttribute, cn=index
nsIndexVLVAttribute, cn=index
nsInstance, cn=import, cn=export
nsNoWrap, cn=export
nsPrintKey, cn=export
nsruvReplicaLastModified, nsruvReplicaLastModified
nsSaslMapBaseDNTemplate, nsSaslMapBaseDNTemplate
nsSaslMapFilterTemplate, nsSaslMapFilterTemplate
nsSaslMapPriority, nsSaslMapPriority
nsSaslMapRegexString, nsSaslMapRegexString
nsslapd-accesslog, nsslapd-accesslog (Access Log)
nsslapd-accesslog-level, nsslapd-accesslog-level (Access Log Level)
nsslapd-accesslog-list, nsslapd-accesslog-list (List of Access Log Files)
nsslapd-accesslog-logbuffering, nsslapd-accesslog-logbuffering (Log Buffering)
nsslapd-accesslog-logexpirationtime, nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
nsslapd-accesslog-logexpirationtimeunit, nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
nsslapd-accesslog-logging-enabled, nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
nsslapd-accesslog-logmaxdiskspace, nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
nsslapd-accesslog-logminfreediskspace, nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
nsslapd-accesslog-logrotationsync-enabled, nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)
nsslapd-accesslog-logrotationsynchour, nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)
nsslapd-accesslog-logrotationsyncmin, nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)
nsslapd-accesslog-logrotationtime, nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
nsslapd-accesslog-maxlogsize, nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
nsslapd-accesslog-maxlogsperdir, nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
nsslapd-accesslog-mode, nsslapd-accesslog-mode (Access Log File Permission)
nsslapd-allow-anonymous-access, nsslapd-allow-anonymous-access
nsslapd-allow-hashed-passwords, nsslapd-allow-hashed-passwords
nsslapd-allow-unauthenticated-binds, nsslapd-allow-unauthenticated-binds
nsslapd-allowed-sasl-mechanisms, nsslapd-allowed-sasl-mechanisms
nsslapd-anonlimitsdn, nsslapd-anonlimitsdn
nsslapd-attribute-name-exceptions, nsslapd-attribute-name-exceptions
nsslapd-auditfaillog-list, nsslapd-auditfaillog-list
nsslapd-auditfaillog-logexpirationtime, nsslapd-auditfaillog-logexpirationtime (Audit Fail Log Expiration Time)
nsslapd-auditfaillog-logexpirationtimeunit, nsslapd-auditfaillog-logexpirationtimeunit (Audit Fail Log Expiration Time Unit)
nsslapd-auditfaillog-logging-enabled, nsslapd-auditfaillog-logging-enabled (Audit Fail Log Enable Logging)
nsslapd-auditfaillog-logmaxdiskspace, nsslapd-auditfaillog-logmaxdiskspace (Audit Fail Log Maximum Disk Space)
nsslapd-auditfaillog-logminfreediskspace, nsslapd-auditfaillog-logminfreediskspace (Audit Fail Log Minimum Free Disk Space)
nsslapd-auditfaillog-logrotationsync-enabled, nsslapd-auditfaillog-logrotationsync-enabled (Audit Fail Log Rotation Sync Enabled)
nsslapd-auditfaillog-logrotationsynchour, nsslapd-auditfaillog-logrotationsynchour (Audit Fail Log Rotation Sync Hour)
nsslapd-auditfaillog-logrotationsyncmin, nsslapd-auditfaillog-logrotationsyncmin (Audit Fail Log Rotation Sync Minute)
nsslapd-auditfaillog-logrotationtime, nsslapd-auditfaillog-logrotationtime (Audit Fail Log Rotation Time)
nsslapd-auditfaillog-logrotationtimeunit, nsslapd-auditfaillog-logrotationtimeunit (Audit Fail Log Rotation Time Unit)
nsslapd-auditfaillog-maxlogsize, nsslapd-auditfaillog-maxlogsize (Audit Fail Log Maximum Log Size)
nsslapd-auditfaillog-maxlogsperdir, nsslapd-auditfaillog-maxlogsperdir (Audit Fail Log Maximum Number of Log Files)
nsslapd-auditfaillog-mode, nsslapd-auditfaillog-mode (Audit Fail Log File Permission)
nsslapd-auditlog-list, nsslapd-auditlog-list
nsslapd-auditlog-logexpirationtime, nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
nsslapd-auditlog-logexpirationtimeunit, nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
nsslapd-auditlog-logging-enabled, nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
nsslapd-auditlog-logmaxdiskspace, nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
nsslapd-auditlog-logminfreediskspace, nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
nsslapd-auditlog-logrotationsync-enabled, nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)
nsslapd-auditlog-logrotationsynchour, nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)
nsslapd-auditlog-logrotationsyncmin, nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)
nsslapd-auditlog-logrotationtime, nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
nsslapd-auditlog-logrotationtimeunit, nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
nsslapd-auditlog-maxlogsize, nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
nsslapd-auditlog-maxlogsperdir, nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
nsslapd-auditlog-mode, nsslapd-auditlog-mode (Audit Log File Permission)
nsslapd-backend, nsslapd-backend
nsslapd-certmap-basedn, nsslapd-certmap-basedn (Certificate Map Search Base)
nsslapd-changelogcompactdb-interval, nsslapd-changelogcompactdb-interval
nsslapd-changelogdir, nsslapd-changelogdir
nsslapd-changelogmaxage, nsslapd-changelogmaxage (Max Changelog Age)
nsslapd-changelogmaxconcurrentwrites, nsslapd-changelogmaxconcurrentwrites (Max Concurrent Rewrites)
nsslapd-changelogmaxentries, nsslapd-changelogmaxentries (Max Changelog Records)
nsslapd-changelogtrim-interval, nsslapd-changelogtrim-interval (Replication Changelog Trimming Interval)
nsslapd-cn-uses-dn-syntax-in-dns, nsslapd-cn-uses-dn-syntax-in-dns
nsslapd-config, nsslapd-config
nsslapd-connection-buffer, nsslapd-connection-buffer
nsslapd-connection-nocanon, nsslapd-connection-nocanon
nsslapd-conntablesize, nsslapd-conntablesize
nsslapd-counters, nsslapd-counters
nsslapd-csnlogging, nsslapd-csnlogging
nsslapd-defaultnamingcontext, nsslapd-defaultnamingcontext
nsslapd-disk-monitoring, nsslapd-disk-monitoring
nsslapd-disk-monitoring-grace-period, nsslapd-disk-monitoring-grace-period
nsslapd-disk-monitoring-logging-critical, nsslapd-disk-monitoring-logging-critical
nsslapd-disk-monitoring-threshold, nsslapd-disk-monitoring-threshold
nsslapd-dn-validate-strict, nsslapd-dn-validate-strict
nsslapd-ds4-compatible-schema, nsslapd-ds4-compatible-schema
nsslapd-enable-nunc-stans, nsslapd-enable-nunc-stans
nsslapd-enable-turbo-mode, nsslapd-enable-turbo-mode
nsslapd-encryptionalgorithm, nsslapd-encryptionalgorithm (Encryption Algorithm)
nsslapd-entryusn-global, nsslapd-entryusn-global
nsslapd-entryusn-import-initval, nsslapd-entryusn-import-initval
nsslapd-errorlog, nsslapd-errorlog (Error Log)
nsslapd-errorlog-level, nsslapd-errorlog-level (Error Log Level)
nsslapd-errorlog-list, nsslapd-errorlog-list
nsslapd-errorlog-logexpirationtime, nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
nsslapd-errorlog-logexpirationtimeunit, nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
nsslapd-errorlog-logging-enabled, nsslapd-errorlog-logging-enabled (Enable Error Logging)
nsslapd-errorlog-logmaxdiskspace, nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
nsslapd-errorlog-logminfreediskspace, nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
nsslapd-errorlog-logrotationsync-enabled, nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)
nsslapd-errorlog-logrotationsynchour, nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour)
nsslapd-errorlog-logrotationsyncmin, nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)
nsslapd-errorlog-logrotationtime, nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
nsslapd-errorlog-logrotationtimeunit, nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
nsslapd-errorlog-maxlogsize, nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
nsslapd-errorlog-maxlogsperdir, nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)
nsslapd-errorlog-mode, nsslapd-errorlog-mode (Error Log File Permission)
nsslapd-force-sasl-external, nsslapd-force-sasl-external
nsslapd-groupevalnestlevel, nsslapd-groupevalnestlevel
nsslapd-idletimeout, nsslapd-idletimeout (Default Idle Timeout)
nsslapd-ignore-virtual-attrs, nsslapd-ignore-virtual-attrs
nsslapd-instancedir, nsslapd-instancedir (Instance Directory)
nsslapd-ioblocktimeout, nsslapd-ioblocktimeout (IO Block Time Out)
nsslapd-lastmod, nsslapd-lastmod (Track Modification Time)
nsslapd-ldapiautobind, nsslapd-ldapiautobind (Enable Autobind)
nsslapd-ldapientrysearchbase, nsslapd-ldapientrysearchbase (Search Base for LDAPI Authentication Entries)
nsslapd-ldapifilepath, nsslapd-ldapifilepath (File Location for LDAPI Socket)
nsslapd-ldapigidnumbertype, nsslapd-ldapigidnumbertype (Attribute Mapping for System GUID Number)
nsslapd-ldapilisten, nsslapd-ldapilisten (Enable LDAPI)
nsslapd-ldapimaprootdn, nsslapd-ldapimaprootdn (Autobind Mapping for Root User)
nsslapd-ldapimaptoentries, nsslapd-ldapimaptoentries (Enable Autobind Mapping for Regular Users)
nsslapd-ldapiuidnumbertype, nsslapd-ldapiuidnumbertype
nsslapd-ldifdir, nsslapd-ldifdir
nsslapd-listen-backlog-size, nsslapd-listen-backlog-size
nsslapd-listenhost, nsslapd-listenhost (Listen to IP Address)
nsslapd-localhost, nsslapd-localhost (Local Host)
nsslapd-localuser, nsslapd-localuser (Local User)
nsslapd-malloc-mmap-threshold, nsslapd-malloc-mmap-threshold
nsslapd-malloc-mxfast, nsslapd-malloc-mxfast
nsslapd-malloc-trim-threshold, nsslapd-malloc-trim-threshold
nsslapd-maxbersize, nsslapd-maxbersize (Maximum Message Size)
nsslapd-maxdescriptors, nsslapd-maxdescriptors (Maximum File Descriptors)
nsslapd-maxsasliosize, nsslapd-maxsasliosize (Maximum SASL Packet Size)
nsslapd-maxthreadsperconn, nsslapd-maxthreadsperconn (Maximum Threads per Connection)
nsslapd-minssf, nsslapd-minssf
nsslapd-minssf-exclude-rootdse, nsslapd-minssf-exclude-rootdse
nsslapd-moddn-aci, nsslapd-moddn-aci
nsslapd-nagle, nsslapd-nagle
nsslapd-ndn-cache-enabled, nsslapd-ndn-cache-enabled
nsslapd-ndn-cache-max-size, nsslapd-ndn-cache-max-size
nsslapd-outbound-ldap-io-timeout, nsslapd-outbound-ldap-io-timeout
nsslapd-pagedsizelimit, nsslapd-pagedsizelimit (Size Limit for Simple Paged Results Searches)
nsslapd-parent, nsslapd-parent
nsslapd-plug-in, nsslapd-plug-in
nsslapd-plugin-binddn-tracking, nsslapd-plugin-binddn-tracking
nsslapd-plugin-logging, nsslapd-plugin-logging
nsslapd-port, nsslapd-port (Port Number)
nsslapd-privatenamespaces, nsslapd-privatenamespaces
nsslapd-pwpolicy-inherit-global, nsslapd-pwpolicy-inherit-global (Inherit Global Password Syntax)
nsslapd-pwpolicy-local, nsslapd-pwpolicy-local (Enable Subtree- and User-Level Password Policy)
nsslapd-readonly, nsslapd-readonly (Read Only)
nsslapd-referral, nsslapd-referral (Referral)
nsslapd-referralmode, nsslapd-referralmode (Referral Mode)
nsslapd-require-secure-binds, nsslapd-require-secure-binds
nsslapd-requiresrestart, nsslapd-requiresrestart
nsslapd-reservedescriptors, nsslapd-reservedescriptors (Reserved File Descriptors)
nsslapd-return-default-opattr, nsslapd-return-default-opattr
nsslapd-return-exact-case, nsslapd-return-exact-case (Return Exact Case)
nsslapd-rootdn, nsslapd-rootdn (Manager DN)
nsslapd-rootpw, nsslapd-rootpw (Root Password)
nsslapd-rootpwstoragescheme, nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
nsslapd-rundir, nsslapd-rundir
nsslapd-sasl-mapping-fallback, nsslapd-sasl-mapping-fallback
nsslapd-sasl-max-buffer-size, nsslapd-sasl-max-buffer-size
nsslapd-saslpath, nsslapd-saslpath
nsslapd-schema-ignore-trailing-spaces, nsslapd-schema-ignore-trailing-spaces
(Ignore Trailing Spaces in Object Class Names)
nsslapd-schemacheck, nsslapd-schemacheck (Schema Checking)
nsslapd-schemamod, nsslapd-schemamod
nsslapd-schemareplace, nsslapd-schemareplace
nsslapd-search-original-type-switch, nsslapd-search-return-original-type-
switch
nsslapd-securelistenhost, nsslapd-securelistenhost
nsslapd-securePort, nsslapd-securePort (Encrypted Port Number)
nsslapd-security, nsslapd-security (Security)
nsslapd-sizelimit, nsslapd-sizelimit (Size Limit)
nsslapd-snmp-index, nsslapd-snmp-index
nsslapd-ssl-check-hostname, nsslapd-ssl-check-hostname (Verify Hostname for
Outbound Connections)
nsslapd-SSLclientAuth, nsslapd-SSLclientAuth
nsslapd-state, cn, nsslapd-state
nsslapd-syntaxcheck, nsslapd-syntaxcheck
nsslapd-syntaxlogging, nsslapd-syntaxlogging
nsslapd-timelimit, nsslapd-timelimit (Time Limit)
nsslapd-validate-cert, nsslapd-validate-cert
nsslapd-versionstring, nsslapd-versionstring
nsslapd-workingdir, nsslapd-workingdir
nssldap-distribution-function, nsslapd-distribution-function
nssldap-distribution-plugin, nsslapd-distribution-plugin
nssldap-referral, nsslapd-referral
nssnmpcontact, nssnmpcontact
nssnmpdescription, nssnmpdescription
nssnmpenabled, nssnmpenabled
nssnmplocation, nssnmplocation
nssnmpmasterhost, nssnmpmasterhost
nssnmpmasterport, nssnmpmasterport
nssnmporganization, nssnmporganization
nsSSL2 attribute, nsSSL2
nsSSL2Ciphers attribute, nsSSL2Ciphers
nsSSL3 attribute, nsSSL3
nsSSL3Ciphers attribute, nsSSL3Ciphers
nsSSL3SessionTimeout attribute, nsSSL3SessionTimeout
nsSSLClientAuth, nsSSLClientAuth
nsSSLEnabledCiphers, nsSSLEnabledCiphers
nsSSLPersonalitySSL attribute, nsSSLPersonalitySSL
nsSSLSessionTimeout attribute, nsSSLSessionTimeout
nsSSLSupportedCiphers attribute, nsSSLSupportedCiphers
nsSSLToken attribute, nsSSLToken
nsState, nsState
nsstate, cn=uniqueid generator
nsSymmetricKey, nsSymmetricKey
nsTaskCancel, Task Invocation Attributes for Entries under cn=tasks
nsTaskCurrentItem, Task Invocation Attributes for Entries under cn=tasks
nsTaskExitCode, Task Invocation Attributes for Entries under cn=tasks
nsTaskLog, Task Invocation Attributes for Entries under cn=tasks
nsTaskStatus, Task Invocation Attributes for Entries under cn=tasks
nsTLS1 attribute, nsTLS1
nsUniqueIdGenerator, cn=import
nsUniqueIdGeneratorNamespace, cn=import
nsUseId2Entry, cn=export
nsUseOneFile, cn=export
opscompleted, cn=monitor
opsinitiated, cn=monitor
passwordCheckSyntax, passwordCheckSyntax (Check Password Syntax)
passwordExp, passwordExp (Password Expiration)
passwordHistory, passwordHistory (Password History)
passwordInHistory, passwordInHistory (Number of Passwords to Remember)
passwordLegacyPolicy, passwordLegacyPolicy
passwordLockout, passwordLockout (Account Lockout)
passwordLockoutDuration, passwordLockoutDuration (Lockout Duration)
passwordMaxAge, passwordMaxAge (Password Maximum Age)
passwordMaxFailure, passwordMaxFailure (Maximum Password Failures)
passwordMinAge, passwordMinAge (Password Minimum Age)
passwordMinLength, passwordMinLength (Password Minimum Length)
passwordMustChange, passwordMustChange (Password Must Change)
passwordResetFailureCount, passwordResetFailureCount (Reset Password
Failure Count After)
passwordSendExpiringTime, passwordSendExpiringTime
passwordStorageScheme, passwordStorageScheme (Password Storage
Scheme)
passwordTrackUpdateTime, passwordTrackUpdateTime
passwordUnlock, passwordUnlock (Unlock Account)
passwordWarning, passwordWarning (Send Warning)
readwaiters, cn=monitor
replica-base-dn, cn=cleanallruv, cn=abort cleanallruv
replica-certify-all, cn=abort cleanallruv
replica-force-cleaning, cn=cleanallruv
replica-id, cn=cleanallruv, cn=abort cleanallruv
schemadir, cn=schema reload task
scope, cn=automember rebuild membership, cn=automember export updates
sslVersionMax attribute, sslVersionMax
sslVersionMin attribute, sslVersionMin
starttime, cn=monitor
suffix, cn=USN tombstone cleanup task
totalconnections, cn=monitor
ttl, Task Invocation Attributes for Entries under cn=tasks

cosAttribute, cosAttribute
cosDefinition, cosDefinition
cosIndirectDefinition, cosIndirectDefinition
cosPointerDefinition, cosPointerDefinition
cosPriority, cosPriority
cosSpecifier, cosSpecifier
cosSuperDefinition, cosSuperDefinition
cosTargetTree, cosTargetTree
cosTemplate, cosTemplate
cosTemplateDn, cosTemplateDn
country, country
createTimestamp, createTimestamp
creatorsName, creatorsName
crossCertificatePair, crossCertificatePair
currentconnections attribute, cn=monitor
currentdncachecount, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
currentdncachesize, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
currentNormalizedDNcachecount attribute, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
currentNormalizedDNcachesize attribute, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
currenttime attribute, cn=monitor

D
database
exporting, db2ldif (Exports Database Contents to LDIF)
reindexing index files, db2index (Reindexes Database Index Files)

database encryption
nsAttributeEncryption, Database Attributes under
cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm
database,cn=plugins,cn=config
nsEncryptionAlgorithm, Database Attributes under
cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm
database,cn=plugins,cn=config

database files, Database Files

database link plug-in configuration attributes
nsAbandonCount, Database Link Attributes under cn=monitor,cn=database
instance name,cn=chaining database,cn=plugins,cn=config
nsAbandonedSearchCheckInterval, nsAbandonedSearchCheckInterval
nsActiveChainingComponents, nsActiveChainingComponents
nsAddCount, Database Link Attributes under cn=monitor,cn=database
instance name,cn=chaining database,cn=plugins,cn=config
nsBindConnectionsLimit, nsBindConnectionsLimit
nsBindCount, Database Link Attributes under cn=monitor,cn=database
instance name,cn=chaining database,cn=plugins,cn=config
nsBindMechanism, nsBindMechanism
nsBindRetryLimit, nsBindRetryLimit
nsBindTimeout, nsBindTimeout
nsCheckLocalACI, nsCheckLocalACI
nsCompareCount, Database Link Attributes under cn=monitor,cn=database
instance name,cn=chaining database,cn=plugins,cn=config
nsConcurrentBindLimit, nsConcurrentBindLimit
nsConcurrentOperationsLimit, nsConcurrentOperationsLimit
nsConnectionLife, nsConnectionLife
nsDeleteCount, Database Link Attributes under cn=monitor,cn=database
instance name,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL, nsFarmServerURL
nshoplimit, nshoplimit
nsMaxResponseDelay, nsMaxResponseDelay
nsMaxTestResponseDelay, nsMaxTestResponseDelay
nsModifyCount, Database Link Attributes under cn=monitor,cn=database
instance name,cn=chaining database,cn=plugins,cn=config
nsMultiplexorBindDN, nsMultiplexorBindDN
nsMultiplexorCredentials, nsMultiplexorCredentials
nsOpenBindConnectionCount, Database Link Attributes under
cn=monitor,cn=database instance name,cn=chaining
database,cn=plugins,cn=config
nsOperationConnectionCount, Database Link Attributes under
cn=monitor,cn=database instance name,cn=chaining
database,cn=plugins,cn=config
nsOperationConnectionsLimit, nsOperationConnectionsLimit
nsProxiedAuthorization, nsProxiedAuthorization
nsReferralOnScopedSearch, nsReferralOnScopedSearch
nsRenameCount, Database Link Attributes under cn=monitor,cn=database
instance name,cn=chaining database,cn=plugins,cn=config
nsSearchBaseCount, Database Link Attributes under cn=monitor,cn=database
instance name,cn=chaining database,cn=plugins,cn=config
nsSearchOneLevelCount, Database Link Attributes under
cn=monitor,cn=database instance name,cn=chaining
database,cn=plugins,cn=config
nsSearchSubtreeCount, Database Link Attributes under
cn=monitor,cn=database instance name,cn=chaining
database,cn=plugins,cn=config
nsSizeLimit, nsSizeLimit
nsslapd-changelogmaxage, nsslapd-changelogmaxage (Max Changelog Age)
nsTimeLimit, nsTimeLimit
nsTransmittedControls, nsTransmittedControls
nsUnbindCount, Database Link Attributes under cn=monitor,cn=database
instance name,cn=chaining database,cn=plugins,cn=config
nsUseStartTLS, nsUseStartTLS

database plug-in configuration attributes
cn, cn
dbcachehitratio, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcachehits, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcachepagein, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcachepageout, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcacheroevict, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcacherwevict, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcachetries, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbfilecachehit, Database Attributes under
cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilecachemiss, Database Attributes under
cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilenamenumber, Database Attributes under
cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilepagein, Database Attributes under
cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilepageout, Database Attributes under
cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
nsIndexIDListScanLimit, nsIndexIDListScanLimit
nsIndexType, nsIndexType
nsMatchingRule, nsMatchingRule
nsslapd-backend-opt-level, nsslapd-backend-opt-level
nsslapd-cache-autosize, nsslapd-cache-autosize
nsslapd-cache-autosize-split, nsslapd-cache-autosize-split
nsslapd-cachememsize, nsslapd-cachememsize
nsslapd-cachesize, nsslapd-cachesize
nsslapd-db-checkpoint-interval, nsslapd-db-checkpoint-interval
nsslapd-db-circular-logging, nsslapd-db-circular-logging
nsslapd-db-compactdb-interval, nsslapd-db-compactdb-interval
nsslapd-db-debug, nsslapd-db-debug
nsslapd-db-durable-transactions, nsslapd-db-durable-transactions
nsslapd-db-home-directory, nsslapd-db-home-directory
nsslapd-db-idl-divisor, nsslapd-db-idl-divisor
nsslapd-db-locks, nsslapd-db-locks
nsslapd-db-logbuf-size, nsslapd-db-logbuf-size
nsslapd-db-logdirectory, nsslapd-db-logdirectory
nsslapd-db-logfile-size, nsslapd-db-logfile-size
nsslapd-db-page-size, nsslapd-db-page-size
nsslapd-db-spin-count, nsslapd-db-spin-count
nsslapd-db-transaction-batch-max-wait, nsslapd-db-transaction-batch-max-wait
nsslapd-db-transaction-batch-min-wait, nsslapd-db-transaction-batch-min-wait
nsslapd-db-transaction-batch-val, nsslapd-db-transaction-batch-val
nsslapd-db-trickle-percentage, nsslapd-db-trickle-percentage
nsslapd-db-verbose, nsslapd-db-verbose
nsslapd-dbcachesize, nsslapd-dbcachesize
nsslapd-dbncache, nsslapd-dbncache
nsslapd-directory, nsslapd-directory, nsslapd-directory
nsslapd-dncachememsize, nsslapd-dncachememsize
nsslapd-exclude-from-export, nsslapd-exclude-from-export
nsslapd-idlistscanlimit, nsslapd-idlistscanlimit
nsslapd-import-cache-autosize, nsslapd-import-cache-autosize
nsslapd-import-cachesize, nsslapd-import-cachesize
nsslapd-lookthroughlimit, nsslapd-lookthroughlimit
nsslapd-mode, nsslapd-mode
nsslapd-pagedidlistscanlimit, nsslapd-pagedidlistscanlimit
nsslapd-pagedlookthroughlimit, nsslapd-pagedlookthroughlimit
nsslapd-rangelookthroughlimit, nsslapd-rangelookthroughlimit
nsslapd-readonly, nsslapd-readonly
nsslapd-require-index, nsslapd-require-index
nsslapd-subtree-rename-switch, nsslapd-subtree-rename-switch
nsslapd-suffix, nsslapd-suffix
nsSubStrBegin, nsSubStrBegin
nsSubStrEnd, nsSubStrEnd
nsSubStrMiddle, nsSubStrMiddle
nsSystemIndex, nsSystemIndex
vlvBase, vlvBase
vlvEnabled, vlvEnabled
vlvFilter, vlvFilter
vlvScope, vlvScope
vlvSort, vlvSort
vlvUses, vlvUses

database plug-in monitoring attributes
currentdncachecount, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
currentdncachesize, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
currentNormalizedDNcachecount, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
currentNormalizedDNcachesize, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
maxdncachesize, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
maxNormalizedDNcachesize, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachehitratio, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachehits, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachemisses, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachetries, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-abort-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-active-txns, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-hit, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-region-wait-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-size-bytes, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-try, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-clean-pages, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-commit-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-deadlock-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-dirty-pages, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-hash-buckets, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-hash-elements-examine-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-hash-search-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lock-conflicts, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lock-region-wait-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lock-request-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lockers, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-log-bytes-since-checkpoint, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-log-region-wait-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-log-write-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-longest-chain-length, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-create-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-ro-evict-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-rw-evict-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-trickle-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-write-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-pages-in-use, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-txn-region-wait-rate, Database Attributes under
cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config

database schema
defined, nsslapd-schemacheck (Schema Checking)

database-specific configuration
location of, Overview of the Directory Server Configuration

ds-replcheck command-line script
syntax, ds-replcheck (Check Replication Status Between Two Databases)

db.00x files, Database Files

db2bak
command-line shell script, db2bak (Creates a Backup of a Database)
quick reference, Command-Line Scripts Quick Reference

db2bak.pl
command-line perl script, db2bak.pl (Creates a Backup of a Database)

db2index, Utilities for Creating and Regenerating Indexes: db2index
command-line shell script, db2index (Reindexes Database Index Files)
quick reference, Command-Line Scripts Quick Reference

db2index.pl
command-line perl script, db2index.pl (Creates and Generates Indexes)

db2ldif
command-line shell script, db2ldif (Exports Database Contents to LDIF)
quick reference, Command-Line Scripts Quick Reference

db2ldif.pl
command-line perl script, db2ldif.pl (Exports Database Contents to LDIF)

dbcachehitratio attribute, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcachehits attribute, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcachepagein attribute, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcachepageout attribute, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcacheroevict attribute, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcacherwevict attribute, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbcachetries attribute, Database Attributes under cn=monitor,cn=ldbm
database,cn=plugins,cn=config
dbfilecachehit attribute, Database Attributes under
cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilecachemiss attribute, Database Attributes under
cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilenamenumber attribute, Database Attributes under
cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilepagein attribute, Database Attributes under
cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilepageout attribute, Database Attributes under
cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbmon.sh command-line script
options, dbmon.sh (Database Monitoring and Entry Cache Usage), ds-replcheck (Check Replication Status Between Two Databases)
syntax, dbmon.sh (Database Monitoring and Entry Cache Usage)

dbscan command-line utility
examples, dbscan
options, dbscan
syntax, dbscan

dbverify
command-line shell script, dbverify (Checks for Corrupt Databases)
quick reference, Command-Line Scripts Quick Reference

dc, dc (domainComponent)
dcObject, dcObject
default schema, Default Directory Server Schema Files
defaultNamingContext, defaultNamingContext
deleteOldRdn, deleteOldRdn
deleting
core server configuration attributes, Deleting Configuration Attributes
dse.ldif file, Deleting Configuration Attributes

deltaRevocationList, deltaRevocationList
departmentNumber, departmentNumber
description, description
description attribute, description
destinationIndicator, destinationIndicator
displayName, displayName
distinguished names
root, nsslapd-rootdn (Manager DN)

distributed numeric assignment
plug-in configuration attributes, Distributed Numeric Assignment Plug-in
Attributes

distributed numeric assignment plug-in configuration attributes
dnaFilter, dnaFilter
dnaHostname, dnaHostname
dnaInterval, dnaInterval
dnaMagicRegen, dnaMagicRegen
dnaMaxValue, dnaMaxValue
dnaNextRange, dnaNextRange
dnaNextValue, dnaNextValue
dnaPortNum, dnaPortNum
dnaPrefix, dnaPrefix
dnaRangeRequestTimeout, dnaRangeRequestTimeout
dnaRemainingValues, dnaRemainingValues
dnaRemoteBindCred, dnaRemoteBindCred
dnaRemoteBindDN, dnaRemoteBindDN
dnaRemoteBindMethod, dnaRemoteBindMethod
dnaRemoteConnProtocol, dnaRemoteConnProtocol
dnaScope, dnaScope
dnaSecurePortNum, dnaSecurePortNum
dnaSharedCfgDN, dnaSharedCfgDN
dnaThreshold, dnaThreshold
dnaType, dnaType

dITContentRules, dITContentRules
dITRedirect, dITRedirect
dITStructureRules, dITStructureRules
dmdName, dmdName
dn, dn (distinguishedName)
dn2rdn command-line utility
examples, dn2rdn
syntax, dn2rdn

dNSRecord, dNSRecord
documentAuthor, documentAuthor
documentIdentifier, documentIdentifier
documentLocation, documentLocation
documentPublisher, documentPublisher
documentStore, documentStore
documentTitle, documentTitle
documentVersion, documentVersion
domainRelatedObject, domainRelatedObject
drink, drink (favouriteDrink)
ds-logpipe.py, Replacing Log Files with a Named Pipe, ds-logpipe.py
example, ds-logpipe.py
options, ds-logpipe.py
syntax, ds-logpipe.py
using plug-ins, Loading Plug-ins with the Named Pipe Log Script

dSA, dSA
dSAQuality, dSAQuality
dse.ldif
configuration information tree, Core Server Configuration Attributes Reference
contents of, Overview of the Directory Server Configuration
deleting attributes, Deleting Configuration Attributes
editing, Configuration Changes Requiring Server Restart
ldif files, LDIF and Schema Configuration Files

dse.ldif.bak file, Overview of the Directory Server Configuration
dse.ldif.startOK file, Overview of the Directory Server Configuration
ds_removal command-line utility
options, ds_removal
quick reference, Command-Line Scripts Quick Reference
syntax, ds_removal

dtablesize attribute, cn=monitor

E
editing
dse.ldif file, Configuration Changes Requiring Server Restart

employeeNumber, employeeNumber
employeeType, employeeType
encryption
root password, nsslapd-rootpw (Root Password)
specifying password storage scheme, passwordStorageScheme (Password
Storage Scheme)

encryption configuration attributes
nsSSL2, nsSSL2
nsSSL2Ciphers, nsSSL2Ciphers
nsSSL3, nsSSL3
nsSSL3Ciphers, nsSSL3Ciphers
nsSSL3SessionTimeout, nsSSL3SessionTimeout
nsSSLPersonalitySSL, nsSSLPersonalitySSL
nsSSLSessionTimeout, nsSSLSessionTimeout
nsSSLSupportedCiphers, nsSSLSupportedCiphers
nsSSLToken, nsSSLToken
nsTLS1, nsTLS1
sslVersionMax, sslVersionMax
sslVersionMin, sslVersionMin

encryption configuration entries
cn=encryption, cn=encryption

encryption method, for root password, nsslapd-rootpw (Root Password)
enhancedSearchGuide, enhancedSearchGuide
entriessent attribute, cn=monitor
entrydn.db file, Database Files
entryusn, entryusn
error log
contents
format, Error Log Content

LDAP result codes, LDAP Result Codes

extending schema, Extending the Schema

F
fax, fax (facsimileTelephoneNumber)
File locations, File Locations Overview
files
ancestorid.db, Database Files
entrydn.db, Database Files
id2entry.db, Database Files
locating configuration, Accessing and Modifying Server Configuration
nsuniqueid.db, Database Files
numsubordinates.db, Database Files
objectclass.db, Database Files
parentid.db, Database Files

Filesystem Hierarchy Standard, File Locations Overview
filter, cn=memberof task, cn=syntax validate, cn=automember rebuild
membership, cn=automember export updates
fixup-linkedattrs.pl
command-line perl script, fixup-linkedattrs.pl (Regenerate Linked and
Managed Attributes)
related configuration entry, cn=fixup linked attributes

fixup-memberof.pl
command-line perl script, fixup-memberof.pl (Regenerate memberOf
Attributes)
related configuration entry, cn=memberof task

friendlyCountry, friendlyCountry

G
gecos, gecos
generationQualifier, generationQualifier
gidNumber, gidNumber
givenName, givenName
groupOfCertificates, groupOfCertificates
groupOfMailEnhancedUniqueNames, groupOfMailEnhancedUniqueNames
groupOfNames, groupOfNames
groupOfURLs, groupOfURLs
GUI utilities, GUI Utilities
redhat-idm-console, redhat-idm-console

H
homeDirectory, homeDirectory
homePhone, homePhone
homePostalAddress, homePostalAddress
host, host
houseIdentifier, houseIdentifier

I
id2entry.db file, Database Files
ieee802Device, ieee802Device
Indexes
configuration of, Configuration of Indexes

inetAdmin, inetAdmin
inetDomain, inetDomain
inetDomainBaseDN, inetDomainBaseDN
inetDomainStatus, inetDomainStatus
inetOrgPerson, inetOrgPerson
inetSubscriber, inetSubscriber
inetSubscriberAccountId, inetSubscriberAccountId
inetSubscriberChallenge, inetSubscriberChallenge
inetSubscriberResponse, inetSubscriberResponse
inetUser, inetUser
inetUserHttpURL, inetUserHttpURL
inetUserStatus, inetUserStatus
info, info
initials, initials
installationTimeStamp, installationTimeStamp
internalCreatorsName, internalCreatorsName
internalModifiersName, internalModifiersName
internationalISDNNumber, internationalISDNNumber
ipHost, ipHost
ipHostNumber, ipHostNumber
ipNetmaskNumber, ipNetmaskNumber
ipNetwork, ipNetwork
ipNetworkNumber, ipNetworkNumber
ipProtocol, ipProtocol
ipProtocolNumber, ipProtocolNumber
ipService, ipService
ipServicePort, ipServicePort
ipServiceProtocol, ipServiceProtocol

J
janetMailbox, janetMailbox
JAR information file
global keys, modutil
per-file keys, modutil
per-platform keys, modutil
syntax, modutil

jpeg images, ldif
jpegPhoto, jpegPhoto

K
keyWords, keyWords

L
l, l (localityName)
labeledURI, labeledURI
labeledURIObject, labeledURIObject
lastLoginTime, lastLoginTime
lastModifiedBy, lastModifiedBy
lastModifiedTime, lastModifiedTime
LDAP
modifying configuration entries, Modifying Configuration Entries Using LDAP

LDAP Data Interchange Format (LDIF)
binary data, ldif

LDAP result codes, LDAP Result Codes
ldapSyntaxes, ldapSyntaxes
ldclt
location, ldclt (Load Stress Tests)
test script, ldclt (Load Stress Tests)

ldif, cn=automember export updates
ldif command-line utility
options, ldif
syntax, ldif

LDIF configuration files
contents of, How the Server Configuration Is Organized
detailed contents of, LDIF and Schema Configuration Files
location of, LDIF and Schema Configuration Files

LDIF entries
binary data in, ldif

ldif files
00core.ldif, LDIF and Schema Configuration Files
01common.ldif, LDIF and Schema Configuration Files
05rfc2247.ldif, LDIF and Schema Configuration Files
05rfc2927.ldif, LDIF and Schema Configuration Files
10presence.ldif, LDIF and Schema Configuration Files
10rfc2307.ldif, LDIF and Schema Configuration Files
20subscriber.ldif, LDIF and Schema Configuration Files
25java-object.ldif, LDIF and Schema Configuration Files
28pilot.ldif, LDIF and Schema Configuration Files
30ns-common.ldif, LDIF and Schema Configuration Files
50ns-admin.ldif, LDIF and Schema Configuration Files
50ns-certificate.ldif, LDIF and Schema Configuration Files
50ns-directory.ldif, LDIF and Schema Configuration Files
50ns-mail.ldif, LDIF and Schema Configuration Files
50ns-value.ldif, LDIF and Schema Configuration Files
50ns-web.ldif, LDIF and Schema Configuration Files
99user.ldif, LDIF and Schema Configuration Files
dse.ldif, LDIF and Schema Configuration Files

LDIF files, LDIF Files
ldif2db
command-line shell script, ldif2db (Import)
quick reference, Command-Line Scripts Quick Reference

ldif2db.pl
command-line perl script, ldif2db.pl (Import)

ldif2ldap
command-line shell script, ldif2ldap (Performs Import Operation over LDAP)
quick reference, Command-Line Scripts Quick Reference

ldif_in, cn=automember map updates
ldif_out, cn=automember map updates
linkdn, cn=fixup linked attributes
linked attributes plug-in configuration attributes
linkScope, linkScope
linkType, linkType
managedType, managedType

locality, locality
lock files, Lock Files
log files, Log Files
access, nsslapd-accesslog (Access Log)
error, nsslapd-errorlog (Error Log)

log.xxxxxxxxxx files, Database Files
logconv.pl script, logconv.pl (Log Converter)
options, logconv.pl (Log Converter)

loginShell, loginShell
logs
named pipe script
plug-ins, Loading Plug-ins with the Named Pipe Log Script

permanently configuring named pipe, Using the Named Pipe for Logging
replacing with named pipe, Replacing Log Files with a Named Pipe

M
macAddress, macAddress
mail, mail
mailAccessDomain, mailAccessDomain
mailAlternateAddress, mailAlternateAddress
mailGroup, mailGroup
mailMessageStore, mailMessageStore
mailPreferenceOption, mailPreferenceOption
mailRecipient, mailRecipient
managed entries plug-in configuration attributes
managedBase, managedBase
managedTemplate, managedTemplate
originFilter, originFilter
originScope, originScope

manager, manager
matchingRules, matchingRules
matchingRuleUse, matchingRuleUse
maxdncachesize, Database Attributes under cn=monitor,cn=database,cn=ldbm
database,cn=plugins,cn=config
maxNormalizedDNcachesize attribute, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
max_usn_to_delete, cn=USN tombstone cleanup task
member, member
memberCertificateDescription, memberCertificateDescription
memberNisNetgroup, memberNisNetgroup
memberOf, memberOf
memberOf plug-in configuration attributes
memberOfAllBackends, memberOfAllBackends
memberOfAttr, memberOfAttr
memberOfAutoAddOC, memberOfAutoAddOC
memberOfEntryScope, memberOfEntryScope
memberOfEntryScopeExcludeSubtree, memberOfEntryScopeExcludeSubtree
memberOfGroupAttr, memberOfGroupAttr

memberUid, memberUid
memberURL, memberURL
mepManagedBy, mepManagedBy
mepManagedEntry, mepManagedEntry, mepManagedEntry
mepMappedAttr, mepMappedAttr
mepOriginEntry, mepOriginEntry
mepRDNAttr, mepRDNAttr
mepStaticAttr, mepStaticAttr
mepTemplateEntry, mepTemplateEntry
Meta Directory changelog
retro changelog, cn=changelog5,cn=config

migrate-ds-admin.pl command-line script
options, migrate-ds-admin.pl
syntax, migrate-ds-admin.pl

migrate-ds.pl command-line script
options, migrate-ds.pl
syntax, migrate-ds.pl

mobile, mobile
modifiersName, modifiersName
modifyTimestamp, modifyTimestamp
modutil
commands
add, modutil
changepw, modutil
create, modutil
default, modutil
delete, modutil
disable, modutil
enable, modutil
fips, modutil
force, modutil
jar, modutil
list, modutil
undefault, modutil

options
dbdir, modutil
installdir, modutil
libfile, modutil
mechanisms, modutil
newpwfile, modutil
nocertdb, modutil
pwfile, modutil
slot, modutil
tempdir, modutil

overview and syntax, modutil
usage examples, modutil
using JAR information file with, modutil

monitor
command-line shell script, monitor (Retrieves Monitoring Information)
quick reference, Command-Line Scripts Quick Reference

mozillaCustom1, mozillaCustom1
multi-master replication changelog
changelog, cn=changelog5,cn=config

N
name, name
named pipe log script
configuring, Replacing Log Files with a Named Pipe

named pipe logging script
configuring in dse.ldif, Using the Named Pipe for Logging

named pipe script
using plug-ins, Loading Plug-ins with the Named Pipe Log Script

nameForms, nameForms
namingContexts, namingContexts
nbackends attribute, cn=monitor
netscapeCertificateServer, netscapeCertificateServer
netscapeDirectoryServer, netscapeDirectoryServer
NetscapeLinkedOrganization, NetscapeLinkedOrganization
netscapeMachineData, netscapeMachineData
NetscapePreferences, NetscapePreferences
netscapeReversiblePasswordObject, netscapeReversiblePasswordObject
netscapeServer, netscapeServer
netscapeWebServer, netscapeWebServer
newPilotPerson, newPilotPerson
newRdn, newRdn
newSuperior, newSuperior
nisMap, nisMap
nisNetgroup, nisNetgroup
nisObject, nisObject
normalizedDNcachehitratio attribute, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachehits attribute, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachemisses attribute, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachetries attribute, Database Attributes under
cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
ns-accountstatus.pl
command-line perl script, ns-accountstatus.pl (Establishes Account Status)

ns-activate.pl
command-line perl script, ns-activate.pl (Activates an Entry or Group of
Entries)

ns-inactivate.pl
command-line perl script, ns-inactivate.pl (Inactivates an Entry or Group of
Entries)

ns-newpwpolicy.pl
command-line perl script, ns-newpwpolicy.pl (Adds Attributes for Fine-Grained
Password Policy)

ns-slapd command-line utilities
archive2db, Utilities for Restoring and Backing up Databases: archive2db
db2archive, Utilities for Restoring and Backing up Databases: db2archive
db2index, Utilities for Creating and Regenerating Indexes: db2index
db2ldif, Utilities for Exporting Databases: db2ldif
finding and executing, Finding and Executing the ns-slapd Command-Line
Utilities

879
Configuration, Command, and File Reference

ldif2db, Utilities for Restoring and Backing up Databases: ldif2db

nsAbandonCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsAbandonedSearchCheckInterval attribute, nsAbandonedSearchCheckInterval
nsActiveChainingComponents attribute, nsActiveChainingComponents
nsAddCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsAdminConfig, nsAdminConfig
nsAdminConsoleUser, nsAdminConsoleUser
nsAdminDomain, nsAdminDomain
nsAdminGlobalParameters, nsAdminGlobalParameters
nsAdminGroup, nsAdminGroup
nsAdminObject, nsAdminObject
nsAdminResourceEditorExtension, nsAdminResourceEditorExtension
nsAdminServer, nsAdminServer
nsAIMpresence, nsAIMpresence
nsApplication, nsApplication
nsArchiveDir, cn=backup, cn=restore
nsAttributeEncryption, Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config, nsAttributeEncryption (Object Class)
nsBindConnectionsLimit attribute, nsBindConnectionsLimit
nsBindCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsBindMechanism attribute, nsBindMechanism
nsBindRetryLimit attribute, nsBindRetryLimit
nsBindTimeout attribute, nsBindTimeout
nsCertificateServer, nsCertificateServer
nsCheckLocalACI attribute, nsCheckLocalACI
nsCompareCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsComplexRoleDefinition, nsComplexRoleDefinition
nsConcurrentBindLimit attribute, nsConcurrentBindLimit
nsConcurrentOperationsLimit attribute, nsConcurrentOperationsLimit
nsConnectionLife attribute, nsConnectionLife
nsCustomView, nsCustomView
nsDatabaseType, cn=backup, cn=restore
nsDefaultObjectClasses, nsDefaultObjectClasses
nsDeleteCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsDirectoryInfo, nsDirectoryInfo

nsDirectoryServer, nsDirectoryServer
nsDS50ruv attribute, nsDS50ruv
nsDS5BeginReplicaRefresh attribute, nsDS5BeginReplicaRefresh
nsDS5Flags attribute, nsDS5Flags
nsDS5ReplConflict attribute, nsDS5ReplConflict
nsDS5Replica, nsDS5Replica (Object Class)
nsDS5ReplicaBindDN attribute, nsDS5ReplicaBindDN
nsDS5ReplicaBindDNGroup attribute, nsDS5ReplicaBindDNGroup
nsDS5ReplicaBindDNGroupCheckInterval attribute, nsDS5ReplicaBindDNGroupCheckInterval
nsDS5ReplicaBindMethod attribute, nsDS5ReplicaBindMethod
nsDS5ReplicaBusyWaitTime attribute, nsDS5ReplicaBusyWaitTime
nsDS5ReplicaChangeCount attribute, nsDS5ReplicaChangeCount
nsDS5ReplicaChangesSentSinceStartup attribute, nsDS5ReplicaChangesSentSinceStartup
nsDS5ReplicaCredentials attribute, nsDS5ReplicaCredentials
nsds5ReplicaEnabled attribute, nsds5ReplicaEnabled
nsDS5ReplicaHost attribute, nsDS5ReplicaHost
nsDS5ReplicaID attribute, nsDS5ReplicaId
nsDS5ReplicaLastInitEnd attribute, nsDS5ReplicaLastInitEnd
nsDS5ReplicaLastInitStart attribute, nsDS5ReplicaLastInitStart
nsDS5ReplicaLastInitStatus attribute, nsDS5ReplicaLastInitStatus
nsDS5ReplicaLastUpdateEnd attribute, nsDS5ReplicaLastUpdateEnd
nsDS5ReplicaLastUpdateStart attribute, nsDS5ReplicaLastUpdateStart
nsds5replicaLastUpdateStatus attribute, nsds5replicaLastUpdateStatus
nsDS5ReplicaLegacyConsumer attribute, nsDS5ReplicaLegacyConsumer
nsDS5ReplicaName attribute, nsDS5ReplicaName
nsDS5ReplicaPort attribute, nsDS5ReplicaPort
nsDS5ReplicaPurgeDelay attribute, nsDS5ReplicaPurgeDelay
nsDS5ReplicaReapActive attribute, nsDS5ReplicaReapActive
nsDS5ReplicaReferral attribute, nsDS5ReplicaReferral
nsDS5ReplicaReleaseTimeout attribute, nsDS5ReplicaReleaseTimeout
nsDS5ReplicaRoot attribute, nsDS5ReplicaRoot
nsDS5ReplicaSessionPauseTime attribute, nsDS5ReplicaSessionPauseTime
nsds5ReplicaStripAttrs attribute, nsds5ReplicaStripAttrs
nsDS5ReplicatedAttributeList attribute, nsDS5ReplicatedAttributeList
nsDS5ReplicatedAttributeListTotal attribute, nsDS5ReplicatedAttributeListTotal
nsDS5ReplicaTimeout attribute, nsDS5ReplicaTimeout
nsDS5ReplicationAgreement, nsDS5ReplicationAgreement (Object Class)
nsDS5ReplicaTombstonePurgeInterval attribute, nsDS5ReplicaTombstonePurgeInterval
nsDS5ReplicaTransportInfo attribute, nsDS5ReplicaTransportInfo

nsDS5ReplicaType attribute, nsDS5ReplicaType
nsDS5ReplicaUpdateInProgress attribute, nsDS5ReplicaUpdateInProgress
nsDS5ReplicaUpdateSchedule attribute, nsDS5ReplicaUpdateSchedule
nsDS5ReplicaWaitForAsyncResults attribute, nsDS5ReplicaWaitForAsyncResults
nsds5Task attribute, nsds5Task
nsds7DirectoryReplicaSubtree, nsds7DirectoryReplicaSubtree
nsds7DirsyncCookie, nsds7DirsyncCookie
nsds7NewWinGroupSyncEnabled, nsds7NewWinGroupSyncEnabled
nsds7NewWinUserSyncEnabled, nsds7NewWinUserSyncEnabled
nsds7WindowsDomain, nsds7WindowsDomain
nsds7WindowsReplicaSubtree, nsds7WindowsReplicaSubtree
nsDSWindowsReplicationAgreement, nsDSWindowsReplicationAgreement (Object Class)
nsDumpUniqId, cn=export
nsEncryptionAlgorithm, Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config
nsEncryptionConfig, nsEncryptionConfig
nsEncryptionModule, nsEncryptionModule
nsExcludeSuffix, cn=import, cn=export
nsExportReplica, cn=export
nsFarmServerURL attribute, nsFarmServerURL
nsFilename, cn=import, cn=export
nsFilteredRoleDefinition, nsFilteredRoleDefinition
nsGlobalParameters, nsGlobalParameters
nshoplimit attribute, nshoplimit
nsHost, nsHost
nsICQpresence, nsICQpresence
nsImportChunkSize, cn=import
nsImportIndexAttrs, cn=import
nsIncludeSuffix, cn=import, cn=export
nsIndexAttribute, cn=index
nsIndexIDListScanLimit attribute, nsIndexIDListScanLimit
nsIndexType attribute, nsIndexType
nsIndexVLVAttribute, cn=index
nsInstance, cn=import, cn=export
nsLicensedFor, nsLicensedFor
nsLicenseEndTime, nsLicenseEndTime
nsLicenseStartTime, nsLicenseStartTime
nsLicenseUser, nsLicenseUser
nsManagedRoleDefinition, nsManagedRoleDefinition
nsMatchingRule attribute, nsMatchingRule

nsMaxResponseDelay attribute, nsMaxResponseDelay
nsMaxTestResponseDelay attribute, nsMaxTestResponseDelay
nsMessagingServerUser, nsMessagingServerUser
nsModifyCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsMSNpresence, nsMSNpresence
nsMultiplexorBindDN attribute, nsMultiplexorBindDN
nsMultiplexorCredentials attribute, nsMultiplexorCredentials
nsNestedRoleDefinition, nsNestedRoleDefinition
nsNoWrap, cn=export
nsnsPrintKey, cn=export
nsOpenBindConnectionCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsOperationConnectionCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsOperationConnectionsLimit attribute, nsOperationConnectionsLimit
nsProxiedAuthorization attribute, nsProxiedAuthorization
nsReferralOnScopedSearch attribute, nsReferralOnScopedSearch
nsRenameCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsResourceRef, nsResourceRef
nsRole, nsRole
nsRoleDefinition, nsRoleDefinition
nsRoleDn, nsRoleDn
nsRoleFilter, nsRoleFilter
nsruvReplicaLastModified attribute, nsruvReplicaLastModified
nsSaslMapBaseDNTemplate attribute, nsSaslMapBaseDNTemplate
nsSaslMapFilterTemplate attribute, nsSaslMapFilterTemplate
nsSaslMapping, nsSaslMapping (Object Class)
nsSaslMapPriority attribute, nsSaslMapPriority
nsSaslMapRegexString attribute, nsSaslMapRegexString
nsSearchBaseCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsSearchOneLevelCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsSearchSubtreeCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsSimpleRoleDefinition, nsSimpleRoleDefinition

nsSizeLimit attribute, nsSizeLimit
nsslapd-accesslog attribute, nsslapd-accesslog (Access Log)
nsslapd-accesslog-level attribute, nsslapd-accesslog-level (Access Log Level)
nsslapd-accesslog-list attribute, nsslapd-accesslog-list (List of Access Log Files)
nsslapd-accesslog-logbuffering attribute, nsslapd-accesslog-logbuffering (Log Buffering)
nsslapd-accesslog-logexpirationtime attribute, nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
nsslapd-accesslog-logexpirationtimeunit attribute, nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
nsslapd-accesslog-logging-enabled attribute, nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
nsslapd-accesslog-logmaxdiskspace attribute, nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
nsslapd-accesslog-logminfreediskspace attribute, nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
nsslapd-accesslog-logrotationsync-enabled attribute, nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)
nsslapd-accesslog-logrotationsynchour attribute, nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)
nsslapd-accesslog-logrotationsyncmin attribute, nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)
nsslapd-accesslog-logrotationtime attribute, nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
nsslapd-accesslog-maxlogsize attribute, nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
nsslapd-accesslog-maxlogsperdir attribute, nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
nsslapd-accesslog-mode attribute, nsslapd-accesslog-mode (Access Log File Permission)
nsslapd-allow-anonymous-access attribute, nsslapd-allow-anonymous-access
nsslapd-allow-hashed-passwords attribute, nsslapd-allow-hashed-passwords
nsslapd-allow-unauthenticated-binds attribute, nsslapd-allow-unauthenticated-binds
nsslapd-allowed-sasl-mechanisms attribute, nsslapd-allowed-sasl-mechanisms
nsslapd-anonlimitsdn attribute, nsslapd-anonlimitsdn
nsslapd-attribute-name-exceptions attribute, nsslapd-attribute-name-exceptions
nsslapd-auditfaillog-list attribute, nsslapd-auditfaillog-list
nsslapd-auditfaillog-logexpirationtime attribute, nsslapd-auditfaillog-logexpirationtime (Audit Fail Log Expiration Time)
nsslapd-auditfaillog-logexpirationtimeunit attribute, nsslapd-auditfaillog-logexpirationtimeunit (Audit Fail Log Expiration Time Unit)
nsslapd-auditfaillog-logging-enabled attribute, nsslapd-auditfaillog-logging-enabled (Audit Fail Log Enable Logging)
nsslapd-auditfaillog-logmaxdiskspace attribute, nsslapd-auditfaillog-logmaxdiskspace (Audit Fail Log Maximum Disk Space)

nsslapd-auditfaillog-logminfreediskspace attribute, nsslapd-auditfaillog-logminfreediskspace (Audit Fail Log Minimum Free Disk Space)
nsslapd-auditfaillog-logrotationsync-enabled attribute, nsslapd-auditfaillog-logrotationsync-enabled (Audit Fail Log Rotation Sync Enabled)
nsslapd-auditfaillog-logrotationsynchour attribute, nsslapd-auditfaillog-logrotationsynchour (Audit Fail Log Rotation Sync Hour)
nsslapd-auditfaillog-logrotationsyncmin attribute, nsslapd-auditfaillog-logrotationsyncmin (Audit Fail Log Rotation Sync Minute)
nsslapd-auditfaillog-logrotationtime attribute, nsslapd-auditfaillog-logrotationtime (Audit Fail Log Rotation Time)
nsslapd-auditfaillog-logrotationtimeunit attribute, nsslapd-auditfaillog-logrotationtimeunit (Audit Fail Log Rotation Time Unit)
nsslapd-auditfaillog-maxlogsize attribute, nsslapd-auditfaillog-maxlogsize (Audit Fail Log Maximum Log Size)
nsslapd-auditfaillog-maxlogsperdir attribute, nsslapd-auditfaillog-maxlogsperdir (Audit Fail Log Maximum Number of Log Files)
nsslapd-auditfaillog-mode attribute, nsslapd-auditfaillog-mode (Audit Fail Log File Permission)
nsslapd-auditlog-list attribute, nsslapd-auditlog-list
nsslapd-auditlog-logexpirationtime attribute, nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
nsslapd-auditlog-logexpirationtimeunit attribute, nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
nsslapd-auditlog-logging-enabled attribute, nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
nsslapd-auditlog-logmaxdiskspace attribute, nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
nsslapd-auditlog-logminfreediskspace attribute, nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
nsslapd-auditlog-logrotationsync-enabled attribute, nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)
nsslapd-auditlog-logrotationsynchour attribute, nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)
nsslapd-auditlog-logrotationsyncmin attribute, nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)
nsslapd-auditlog-logrotationtime attribute, nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
nsslapd-auditlog-logrotationtimeunit attribute, nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
nsslapd-auditlog-maxlogsize attribute, nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
nsslapd-auditlog-maxlogsperdir attribute, nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
nsslapd-auditlog-mode attribute, nsslapd-auditlog-mode (Audit Log File Permission)
nsslapd-backend attribute, nsslapd-backend
nsslapd-backend-opt-level attribute, nsslapd-backend-opt-level

nsslapd-cache-autosize attribute, nsslapd-cache-autosize
nsslapd-cache-autosize-split attribute, nsslapd-cache-autosize-split
nsslapd-cachememsize attribute, nsslapd-cachememsize
nsslapd-cachesize attribute, nsslapd-cachesize
nsslapd-certmap-basedn attribute, nsslapd-certmap-basedn (Certificate Map Search Base)
nsslapd-changelogcompactdb-interval attribute, nsslapd-changelogcompactdb-interval
nsslapd-changelogdir attribute, nsslapd-changelogdir
nsslapd-changelogmaxage attribute, nsslapd-changelogmaxage (Max Changelog Age)
nsslapd-changelogmaxconcurrentwrites attribute, nsslapd-changelogmaxconcurrentwrites (Max Concurrent Rewrites)
nsslapd-changelogmaxentries attribute, nsslapd-changelogmaxentries (Max Changelog Records)
nsslapd-changelogtrim-interval attribute, nsslapd-changelogtrim-interval (Replication Changelog Trimming Interval)
nsslapd-cn-uses-dn-syntax-in-dns attribute, nsslapd-cn-uses-dn-syntax-in-dns
nsslapd-config attribute, nsslapd-config
nsslapd-connection-buffer attribute, nsslapd-connection-buffer
nsslapd-connection-nocanon attribute, nsslapd-connection-nocanon
nsslapd-conntablesize attribute, nsslapd-conntablesize
nsslapd-counters attribute, nsslapd-counters
nsslapd-csnlogging attribute, nsslapd-csnlogging
nsslapd-db-abort-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-active-txns attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-hit attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-region-wait-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-size-bytes attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-try attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-checkpoint-interval attribute, nsslapd-db-checkpoint-interval
nsslapd-db-circular-logging attribute, nsslapd-db-circular-logging
nsslapd-db-clean-pages attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-commit-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-compactdb-interval attribute, nsslapd-db-compactdb-interval
nsslapd-db-deadlock-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-debug attribute, nsslapd-db-debug

nsslapd-db-dirty-pages attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-durable-transactions attribute, nsslapd-db-durable-transactions
nsslapd-db-hash-buckets attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-hash-elements-examine-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-hash-search-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-home-directory attribute, nsslapd-db-home-directory
nsslapd-db-idl-divisor attribute, nsslapd-db-idl-divisor
nsslapd-db-lock-conflicts attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lock-region-wait-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lock-request-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lockers attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-locks attribute, nsslapd-db-locks
nsslapd-db-log-bytes-since-checkpoint attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-log-region-wait-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-log-write-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-logbuf-size attribute, nsslapd-db-logbuf-size
nsslapd-db-logdirectory attribute, nsslapd-db-logdirectory
nsslapd-db-logfile-size attribute, nsslapd-db-logfile-size
nsslapd-db-longest-chain-length attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-create-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-ro-evict-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-rw-evict-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-size attribute, nsslapd-db-page-size
nsslapd-db-page-trickle-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-write-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-pages-in-use attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-spin-count attribute, nsslapd-db-spin-count
nsslapd-db-transaction-batch-max-wait attribute, nsslapd-db-transaction-batch-max-wait

nsslapd-db-transaction-batch-min-wait attribute, nsslapd-db-transaction-batch-min-wait
nsslapd-db-transaction-batch-val attribute, nsslapd-db-transaction-batch-val
nsslapd-db-trickle-percentage attribute, nsslapd-db-trickle-percentage
nsslapd-db-txn-region-wait-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-verbose attribute, nsslapd-db-verbose
nsslapd-dbcachesize attribute, nsslapd-dbcachesize
nsslapd-dbncache attribute, nsslapd-dbncache
nsslapd-defaultnamingcontext, nsslapd-defaultnamingcontext
nsslapd-directory attribute, nsslapd-directory, nsslapd-directory
nsslapd-disk-monitoring, nsslapd-disk-monitoring
nsslapd-disk-monitoring-grace-period, nsslapd-disk-monitoring-grace-period
nsslapd-disk-monitoring-logging-critical, nsslapd-disk-monitoring-logging-critical
nsslapd-disk-monitoring-threshold, nsslapd-disk-monitoring-threshold
nsslapd-dn-validate-strict, nsslapd-dn-validate-strict
nsslapd-dncachememsize attribute, nsslapd-dncachememsize
nsslapd-ds4-compatible-schema attribute, nsslapd-ds4-compatible-schema
nsslapd-dynamic-plugins attribute, nsslapd-dynamic-plugins
nsslapd-enable-nunc-stans attribute, nsslapd-enable-nunc-stans
nsslapd-enable-turbo-mode attribute, nsslapd-enable-turbo-mode
nsslapd-encryptionalgorithm, nsslapd-encryptionalgorithm (Encryption Algorithm)
nsslapd-entryusn-global attribute, nsslapd-entryusn-global
nsslapd-entryusn-import-initval attribute, nsslapd-entryusn-import-initval
nsslapd-errorlog attribute, nsslapd-errorlog (Error Log)
nsslapd-errorlog-level attribute, nsslapd-errorlog-level (Error Log Level)
nsslapd-errorlog-list attribute, nsslapd-errorlog-list
nsslapd-errorlog-logexpirationtime attribute, nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
nsslapd-errorlog-logexpirationtimeunit attribute, nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
nsslapd-errorlog-logging-enabled attribute, nsslapd-errorlog-logging-enabled (Enable Error Logging)
nsslapd-errorlog-logmaxdiskspace attribute, nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
nsslapd-errorlog-logminfreediskspace attribute, nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
nsslapd-errorlog-logrotationsync-enabled attribute, nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)
nsslapd-errorlog-logrotationsynchour attribute, nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour)
nsslapd-errorlog-logrotationsyncmin attribute, nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)
nsslapd-errorlog-logrotationtime attribute, nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
nsslapd-errorlog-logrotationtimeunit attribute, nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
nsslapd-errorlog-maxlogsize attribute, nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
nsslapd-errorlog-maxlogsperdir attribute, nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)
nsslapd-errorlog-mode attribute, nsslapd-errorlog-mode (Error Log File Permission)
nsslapd-exclude-from-export attribute, nsslapd-exclude-from-export
nsslapd-force-sasl-external attribute, nsslapd-force-sasl-external
nsslapd-groupevalnestlevel attribute, nsslapd-groupevalnestlevel
nsslapd-idletimeout attribute, nsslapd-idletimeout (Default Idle Timeout)
nsslapd-idlistscanlimit attribute, nsslapd-idlistscanlimit
nsslapd-ignore-virtual-attrs attribute, nsslapd-ignore-virtual-attrs
nsslapd-import-cache-autosize attribute, nsslapd-import-cache-autosize
nsslapd-import-cachesize attribute, nsslapd-import-cachesize
nsslapd-instancedir attribute, nsslapd-instancedir (Instance Directory)
nsslapd-ioblocktimeout attribute, nsslapd-ioblocktimeout (IO Block Time Out)
nsslapd-lastmod attribute, nsslapd-lastmod (Track Modification Time)
nsslapd-ldapiautobind attribute, nsslapd-ldapiautobind (Enable Autobind)
nsslapd-ldapientrysearchbase attribute, nsslapd-ldapientrysearchbase (Search Base for LDAPI Authentication Entries)
nsslapd-ldapifilepath attribute, nsslapd-ldapifilepath (File Location for LDAPI Socket)
nsslapd-ldapigidnumbertype attribute, nsslapd-ldapigidnumbertype (Attribute Mapping for System GUID Number)
nsslapd-ldapilisten attribute, nsslapd-ldapilisten (Enable LDAPI)
nsslapd-ldapimaprootdn attribute, nsslapd-ldapimaprootdn (Autobind Mapping for Root User)
nsslapd-ldapimaptoentries attribute, nsslapd-ldapimaptoentries (Enable Autobind Mapping for Regular Users)
nsslapd-ldapiuidnumbertype attribute, nsslapd-ldapiuidnumbertype
nsslapd-ldifdir attribute, nsslapd-ldifdir
nsslapd-listen-backlog-size attribute, nsslapd-listen-backlog-size
nsslapd-listenhost attribute, nsslapd-listenhost (Listen to IP Address)
nsslapd-localhost attribute, nsslapd-localhost (Local Host)
nsslapd-localuser attribute, nsslapd-localuser (Local User)
nsslapd-lookthroughlimit attribute, nsslapd-lookthroughlimit
nsslapd-malloc-mmap-threshold attribute, nsslapd-malloc-mmap-threshold
nsslapd-malloc-mxfast attribute, nsslapd-malloc-mxfast
nsslapd-malloc-trim-threshold attribute, nsslapd-malloc-trim-threshold
nsslapd-maxbersize attribute, nsslapd-maxbersize (Maximum Message Size)

nsslapd-maxdescriptors attribute, nsslapd-maxdescriptors (Maximum File Descriptors)
nsslapd-maxsasliosize attribute, nsslapd-maxsasliosize (Maximum SASL Packet Size)
nsslapd-maxthreadsperconn attribute, nsslapd-maxthreadsperconn (Maximum Threads per Connection)
nsslapd-minssf attribute, nsslapd-minssf
nsslapd-minssf-exclude-rootdse attribute, nsslapd-minssf-exclude-rootdse
nsslapd-moddn-aci attribute, nsslapd-moddn-aci
nsslapd-mode attribute, nsslapd-mode
nsslapd-nagle attribute, nsslapd-nagle
nsslapd-ndn-cache-enabled attribute, nsslapd-ndn-cache-enabled
nsslapd-ndn-cache-size attribute, nsslapd-ndn-cache-max-size
nsslapd-outbound-ldap-io-timeout attribute, nsslapd-outbound-ldap-io-timeout
nsslapd-pagedidlistscanlimit attribute, nsslapd-pagedidlistscanlimit
nsslapd-pagedlookthroughlimit attribute, nsslapd-pagedlookthroughlimit
nsslapd-pagedsizelimit attribute, nsslapd-pagedsizelimit (Size Limit for Simple Paged Results Searches)
nsslapd-parent attribute, nsslapd-parent
nsslapd-plug-in attribute, nsslapd-plug-in
nsslapd-plugin-binddn-tracking attribute, nsslapd-plugin-binddn-tracking
nsslapd-plugin-depends-on-named attribute, nsslapd-plugin-depends-on-named
nsslapd-plugin-depends-on-type attribute, nsslapd-plugin-depends-on-type
nsslapd-plugin-logging attribute, nsslapd-plugin-logging
nsslapd-pluginAccess attribute, nsslapd-logAccess
nsslapd-pluginAudit attribute, nsslapd-logAudit
nsslapd-pluginConfigArea attribute, nsslapd-pluginConfigArea
nsslapd-pluginDescription attribute, nsslapd-pluginDescription
nsslapd-pluginEnabled attribute, nsslapd-pluginEnabled
nsslapd-pluginId attribute, nsslapd-pluginId
nsslapd-pluginInitFunc attribute, nsslapd-pluginInitfunc
nsslapd-pluginLoadGlobal attribute, nsslapd-pluginLoadGlobal
nsslapd-pluginLoadNow attribute, nsslapd-pluginLoadNow
nsslapd-pluginPath attribute, nsslapd-pluginPath
nsslapd-pluginPrecedence attribute, nsslapd-pluginPrecedence
nsslapd-pluginType attribute, nsslapd-pluginType
nsslapd-pluginVendor attribute, nsslapd-pluginVendor
nsslapd-pluginVersion attribute, nsslapd-pluginVersion
nsslapd-port attribute, nsslapd-port (Port Number)
nsslapd-privatenamespaces attribute, nsslapd-privatenamespaces
nsslapd-pwpolicy-inherit-global attribute, nsslapd-pwpolicy-inherit-global (Inherit Global Password Syntax)
nsslapd-pwpolicy-local attribute, nsslapd-pwpolicy-local (Enable Subtree- and User-Level Password Policy)
nsslapd-rangelookthroughlimit attribute, nsslapd-rangelookthroughlimit
nsslapd-readonly attribute, nsslapd-readonly (Read Only)
nsslapd-referral attribute, nsslapd-referral (Referral)
nsslapd-referralmode attribute, nsslapd-referralmode (Referral Mode)
nsslapd-require-index attribute, nsslapd-require-index
nsslapd-require-secure-binds attribute, nsslapd-require-secure-binds
nsslapd-requiresrestart attribute, nsslapd-requiresrestart
nsslapd-reservedescriptors attribute, nsslapd-reservedescriptors (Reserved File Descriptors)
nsslapd-return-default-opattr attribute, nsslapd-return-default-opattr
nsslapd-return-exact-case attribute, nsslapd-return-exact-case (Return Exact Case)
nsslapd-rootdn attribute, nsslapd-rootdn (Manager DN)
nsslapd-rootpw attribute, nsslapd-rootpw (Root Password)
nsslapd-rootpwstoragescheme attribute, nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
nsslapd-rundir attribute, nsslapd-rundir
nsslapd-sasl-mapping-fallback attribute, nsslapd-sasl-mapping-fallback
nsslapd-sasl-max-buffer-size attribute, nsslapd-sasl-max-buffer-size
nsslapd-saslpath attribute, nsslapd-saslpath
nsslapd-schema-ignore-trailing-spaces attribute, nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names)
nsslapd-schemacheck attribute, nsslapd-schemacheck (Schema Checking)
nsslapd-schemamod attribute, nsslapd-schemamod
nsslapd-schemareplace attribute, nsslapd-schemareplace
nsslapd-search-return-original-type-switch attribute, nsslapd-search-return-original-type-switch
nsslapd-securelistenhost attribute, nsslapd-securelistenhost
nsslapd-securePort attribute, nsslapd-securePort (Encrypted Port Number)
nsslapd-security attribute, nsslapd-security (Security)
nsslapd-sizelimit attribute, nsslapd-sizelimit (Size Limit)
nsslapd-snmp-index attribute, nsslapd-snmp-index
nsslapd-ssl-check-hostname, nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
nsslapd-SSLclientAuth, nsslapd-SSLclientAuth
nsslapd-state attribute, nsslapd-state
nsslapd-subtree-rename-switch attribute, nsslapd-subtree-rename-switch
nsslapd-suffix attribute, nsslapd-suffix
nsslapd-syntaxcheck, nsslapd-syntaxcheck
nsslapd-syntaxlogging, nsslapd-syntaxlogging
nsslapd-timelimit attribute, nsslapd-timelimit (Time Limit)

nsslapd-validate-cert attribute, nsslapd-validate-cert
nsslapd-versionstring attribute, nsslapd-versionstring
nsslapd-workingdir attribute, nsslapd-workingdir
nsslapd-distribution-function attribute, nsslapd-distribution-function
nsslapd-distribution-plugin attribute, nsslapd-distribution-plugin
nsslapd-referral attribute, nsslapd-referral
nssnmpcontact attribute, nssnmpcontact
nssnmpdescription attribute, nssnmpdescription
nssnmpenabled attribute, nssnmpenabled
nssnmplocation attribute, nssnmplocation
nssnmpmasterhost attribute, nssnmpmasterhost
nssnmpmasterport attribute, nssnmpmasterport
nssnmporganization attribute, nssnmporganization
nsSSL2 attribute, nsSSL2
nsSSL2Ciphers attribute, nsSSL2Ciphers
nsSSL3 attribute, nsSSL3
nsSSL3Ciphers attribute, nsSSL3Ciphers
nsSSL3SessionTimeout attribute, nsSSL3SessionTimeout
nsSSLClientAuth attribute, nsSSLClientAuth
nsSSLEnabledCiphers attribute, nsSSLEnabledCiphers
nsSSLPersonalitySSL attribute, nsSSLPersonalitySSL
nsSSLSessionTimeout attribute, nsSSLSessionTimeout
nsSSLSupportedCiphers attribute, nsSSLSupportedCiphers
nsSSLToken attribute, nsSSLToken
nsState attribute, nsState
nsstate attribute, cn=uniqueid generator
nsSubStrBegin attribute, nsSubStrBegin
nsSubStrEnd attribute, nsSubStrEnd
nsSubStrMiddle attribute, nsSubStrMiddle
nsSymmetricKey, nsSymmetricKey
nsSystemIndex attribute, nsSystemIndex
nsTaskCancel, Task Invocation Attributes for Entries under cn=tasks
nsTaskCurrentItem, Task Invocation Attributes for Entries under cn=tasks
nsTaskExitCode, Task Invocation Attributes for Entries under cn=tasks
nsTaskLog, Task Invocation Attributes for Entries under cn=tasks
nsTaskStatus, Task Invocation Attributes for Entries under cn=tasks
nsTimeLimit attribute, nsTimeLimit
nsTLS1 attribute, nsTLS1
nsTransmittedControls attribute, nsTransmittedControls
nsUnbindCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config

nsuniqueid.db file, Database Files
nsUniqueIdGenerator, cn=import
nsUniqueIdGeneratorNamespace, cn=import
nsUseId2Entry, cn=export
nsUseOneFile, cn=export
nsUseStartTLS attribute, nsUseStartTLS
nsYIMpresence, nsYIMpresence
ntGroup, ntGroup
ntGroupAttributes, ntGroupAttributes
ntGroupDeleteGroup, ntGroupDeleteGroup
ntGroupDomainId, ntGroupDomainId
ntGroupId, ntGroupId
ntGroupType, ntGroupType
ntUniqueId, ntUniqueId
ntUser, ntUser
ntUserAcctExpires, ntUserAcctExpires
ntUserAuthFlags, ntUserAuthFlags
ntUserBadPwCount, ntUserBadPwCount
ntUserCodePage, ntUserCodePage
ntUserComment, ntUserComment
ntUserCountryCode, ntUserCountryCode
ntUserCreateNewAccount, ntUserCreateNewAccount
ntUserDeleteAccount, ntUserDeleteAccount
ntUserDomainId, ntUserDomainId
ntUserFlags, ntUserFlags
ntUserHomeDir, ntUserHomeDir
ntUserHomeDirDrive, ntUserHomeDirDrive
ntUserLastLogon, ntUserLastLogon
ntUserLogonHours, ntUserLogonHours
ntUserLogonServer, ntUserLogonServer
ntUserMaxStorage, ntUserMaxStorage
ntUserNumLogons, ntUserNumLogons
ntUserParms, ntUserParms
ntUserPasswordExpired, ntUserPasswordExpired
ntUserPrimaryGroupId, ntUserPrimaryGroupId
ntUserPriv, ntUserPriv
ntUserProfile, ntUserProfile
ntUserScriptPath, ntUserScriptPath
ntUserUniqueId, ntUserUniqueId
ntUserUnitsPerWeek, ntUserUnitsPerWeek
ntUserUsrComment, ntUserUsrComment
ntUserWorkstations, ntUserWorkstations
numSubordinates, numSubordinates
numsubordinates.db file, Database Files

O
o, o (organizationName)
o=NetscapeRoot
configuration, Configuration of Databases

object class
allowed attributes, Required and Allowed Attributes
cacheObject, cacheObject
defined, Object Classes
ieee802Device, ieee802Device
inetAdmin, inetAdmin
inetDomain, inetDomain
inetSubscriber, inetSubscriber
inetUser, inetUser
inheritance, Object Class Inheritance
required attributes, Required and Allowed Attributes

object classes
nsAttributeEncryption, nsAttributeEncryption (Object Class)
nsSaslMapping, nsSaslMapping (Object Class)

object identifiers (OIDs), Object Identifiers (OIDs)
base OID for Directory Server, Object Identifiers (OIDs)
base OID for Netscape, Object Identifiers (OIDs)
base OID for Netscape-defined attributes, Object Identifiers (OIDs)
base OID for Netscape-defined object classes, Object Identifiers (OIDs)

objectClass, objectClass
objectclass.db file, Database Files
objectClasses, objectClasses
obsoletedByDocument, obsoletedByDocument
obsoletesDocument, obsoletesDocument
oncRpc, oncRpc
oncRpcNumber, oncRpcNumber
oneWaySync, oneWaySync
operational attributes
accountUnlockTime, accountUnlockTime
aci, aci
altServer, altServer
attributeTypes, attributeTypes
createTimestamp, createTimestamp
creatorsName, creatorsName
defaultNamingContext, defaultNamingContext
dITContentRules, dITContentRules
dITStructureRules, dITStructureRules
entryusn, entryusn
internalCreatorsName, internalCreatorsName, internalModifiersName
ldapSyntaxes, ldapSyntaxes
matchingRules, matchingRules
matchingRuleUse, matchingRuleUse
modifiersName, modifiersName
modifyTimestamp, modifyTimestamp
nameForms, nameForms
namingContexts, namingContexts
nsRole, nsRole
nsRoleDn, nsRoleDn
nsRoleFilter, nsRoleFilter
numSubordinates, numSubordinates
passwordGraceUserTime, passwordGraceUserTime
passwordRetryCount, passwordRetryCount
pwdpolicysubentry, pwdpolicysubentry
pwdUpdateTime, pwdUpdateTime
subschemaSubentry, subschemaSubentry
supportedControl, supportedControl
supportedExtension, supportedExtension
supportedFeatures, supportedFeatures
supportedLDAPVersion, supportedLDAPVersion
supportedSASLMechanisms, supportedSASLMechanisms

opscompleted attribute, cn=monitor
opsinitiated attribute, cn=monitor
organization, organization
organizationalPerson, organizationalPerson
organizationalRole, organizationalRole
organizationalStatus, organizationalStatus
organizationalUnit, organizationalUnit
otherMailbox, otherMailbox
ou, ou (organizationalUnitName)
owner, owner

P
pager, pager
PAM pass through auth
plug-in configuration attributes, PAM Pass Through Auth Plug-in Attributes

parentid.db file, Database Files
parentOrganization, parentOrganization
passwordLockoutDuration attribute, passwordLockoutDuration (Lockout Duration)
passwordAllowChangeTime, passwordAllowChangeTime
passwordChange attribute, passwordChange (Password Change)
passwordCheckSyntax attribute, passwordCheckSyntax (Check Password Syntax)
passwordExp attribute, passwordExp (Password Expiration)
passwordExpirationTime, passwordExpirationTime
passwordExpWarned, passwordExpWarned
passwordGraceUserTime, passwordGraceUserTime
passwordHistory attribute, passwordHistory (Password History)
passwordInHistory attribute, passwordInHistory (Number of Passwords to Remember)
passwordLegacyPolicy attribute, passwordLegacyPolicy
passwordLockout attribute, passwordLockout (Account Lockout)
passwordMaxAge attribute, passwordMaxAge (Password Maximum Age)
passwordMaxFailure attribute, passwordMaxFailure (Maximum Password Failures)
passwordMinAge attribute, passwordMinAge (Password Minimum Age)
passwordMinLength attribute, passwordMinLength (Password Minimum Length)
passwordMustChange attribute, passwordMustChange (Password Must Change)
passwordObject, passwordObject (Object Class)
passwordResetFailureCount attribute, passwordResetFailureCount (Reset Password Failure Count After)
passwordRetryCount, passwordRetryCount
passwords
root, nsslapd-rootpw (Root Password)

passwordSendExpiringTime attribute, passwordSendExpiringTime
passwordStorageScheme attribute, passwordStorageScheme (Password Storage Scheme)
passwordTrackUpdateTime attribute, passwordTrackUpdateTime
passwordUnlock attribute, passwordUnlock (Unlock Account)
passwordWarning attribute, passwordWarning (Send Warning)
perl scripts, Perl Scripts
permissions
specifying for index files, nsslapd-mode

person, person
personalSignature, personalSignature
personalTitle, personalTitle
photo, photo
physicalDeliveryOfficeName, physicalDeliveryOfficeName
pilotObject, pilotObject
pilotOrganization, pilotOrganization
pkiCA, pkiCA
pkiUser, pkiUser
plug-in functionality configuration attributes
addn_base, addn_base, addn_filter
altstateattrname, altstateattrname
alwaysRecordLogin, alwaysRecordLogin
alwaysRecordLoginAttr, alwaysRecordLoginAttr
autoMemberDefaultGroup, autoMemberDefaultGroup
autoMemberDefinition, autoMemberDefinition (Object Class)
autoMemberExclusiveRegex, autoMemberExclusiveRegex
autoMemberFilter, autoMemberFilter
autoMemberGroupingAttr, autoMemberGroupingAttr
autoMemberInclusiveRegex, autoMemberInclusiveRegex
autoMemberRegexRule, autoMemberRegexRule (Object Class)
autoMemberScope, autoMemberScope
autoMemberTargetGroup, autoMemberTargetGroup
cn, cn, cn
dbcachehitratio, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
dbcachehits, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
dbcachepagein, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
dbcachepageout, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
dbcacheroevict, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
dbcacherwevict, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
dbcachetries, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
dbfilecachehit, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilecachemiss, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilenamenumber, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilepagein, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dbfilepageout, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
dnaFilter, dnaFilter
dnaHostname, dnaHostname
dnaInterval, dnaInterval
dnaMagicRegen, dnaMagicRegen
dnaMaxValue, dnaMaxValue
dnaNextRange, dnaNextRange
dnaNextValue, dnaNextValue
dnaPortNum, dnaPortNum
dnaPrefix, dnaPrefix
dnaRangeRequestTimeout, dnaRangeRequestTimeout
dnaRemainingValues, dnaRemainingValues
dnaRemoteBindCred, dnaRemoteBindCred
dnaRemoteBindDN, dnaRemoteBindDN
dnaRemoteBindMethod, dnaRemoteBindMethod
dnaRemoteConnProtocol, dnaRemoteConnProtocol
dnaScope, dnaScope
dnaSecurePortNum, dnaSecurePortNum
dnaSharedCfgDN, dnaSharedCfgDN
dnaThreshold, dnaThreshold
dnaType, dnaType
isReplicated, isReplicated
limitattrname, limitattrname
linkScope, linkScope
linkType, linkType
managedBase, managedBase
managedTemplate, managedTemplate
managedType, managedType
memberOfAllBackends, memberOfAllBackends
memberOfAttr, memberOfAttr
memberOfAutoAddOC, memberOfAutoAddOC
memberOfEntryScope, memberOfEntryScope
memberOfEntryScopeExcludeSubtree, memberOfEntryScopeExcludeSubtree
memberOfGroupAttr, memberOfGroupAttr
nsAbandonCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsAbandonedSearchCheckInterval, nsAbandonedSearchCheckInterval
nsActiveChainingComponents, nsActiveChainingComponents
nsAddCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsBindConnectionsLimit, nsBindConnectionsLimit
nsBindCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsBindMechanism, nsBindMechanism
nsBindRetryLimit, nsBindRetryLimit
nsBindTimeout, nsBindTimeout
nsCheckLocalACI, nsCheckLocalACI
nsCompareCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsConcurrentBindLimit, nsConcurrentBindLimit
nsConcurrentOperationsLimit, nsConcurrentOperationsLimit
nsConnectionLife, nsConnectionLife
nsDeleteCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL, nsFarmServerURL
nshoplimit, nshoplimit
nsIndexIDListScanLimit, nsIndexIDListScanLimit
nsIndexType, nsIndexType
nsMatchingRule, nsMatchingRule
nsMaxResponseDelay, nsMaxResponseDelay
nsMaxTestResponseDelay, nsMaxTestResponseDelay
nsModifyCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsMultiplexorBindDN, nsMultiplexorBindDN
nsMultiplexorCredentials, nsMultiplexorCredentials
nsOpenBindConnectionCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsOperationConnectionCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsOperationConnectionsLimit, nsOperationConnectionsLimit
nsProxiedAuthorization, nsProxiedAuthorization
nsReferralOnScopedSearch, nsReferralOnScopedSearch
nsRenameCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsSearchBaseCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsSearchOneLevelCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsSearchSubtreeCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsSizeLimit, nsSizeLimit
nsslapd-attribute, nsslapd-attribute
nsslapd-backend-opt-level, nsslapd-backend-opt-level
nsslapd-cache-autosize, nsslapd-cache-autosize
nsslapd-cache-autosize-split, nsslapd-cache-autosize-split
nsslapd-cachememsize, nsslapd-cachememsize
nsslapd-cachesize, nsslapd-cachesize
nsslapd-changelogdir, nsslapd-changelogdir
nsslapd-changelogmaxage, nsslapd-changelogmaxage (Max Changelog Age)
nsslapd-db-checkpoint-interval, nsslapd-db-checkpoint-interval
nsslapd-db-circular-logging, nsslapd-db-circular-logging
nsslapd-db-compactdb-interval, nsslapd-db-compactdb-interval
nsslapd-db-debug, nsslapd-db-debug
nsslapd-db-durable-transactions, nsslapd-db-durable-transactions
nsslapd-db-home-directory, nsslapd-db-home-directory
nsslapd-db-idl-divisor, nsslapd-db-idl-divisor
nsslapd-db-locks, nsslapd-db-locks
nsslapd-db-logbuf-size, nsslapd-db-logbuf-size
nsslapd-db-logdirectory, nsslapd-db-logdirectory
nsslapd-db-logfile-size, nsslapd-db-logfile-size
nsslapd-db-page-size, nsslapd-db-page-size
nsslapd-db-spin-count, nsslapd-db-spin-count
nsslapd-db-transaction-batch-max-wait, nsslapd-db-transaction-batch-max-wait
nsslapd-db-transaction-batch-min-wait, nsslapd-db-transaction-batch-min-wait
nsslapd-db-transaction-batch-val, nsslapd-db-transaction-batch-val
nsslapd-db-trickle-percentage, nsslapd-db-trickle-percentage
nsslapd-db-verbose, nsslapd-db-verbose
nsslapd-dbcachesize, nsslapd-dbcachesize
nsslapd-dbncache, nsslapd-dbncache
nsslapd-directory, nsslapd-directory, nsslapd-directory
nsslapd-dncachememsize, nsslapd-dncachememsize
nsslapd-dynamic-plugins, nsslapd-dynamic-plugins
nsslapd-exclude-from-export, nsslapd-exclude-from-export
nsslapd-idlistscanlimit, nsslapd-idlistscanlimit
nsslapd-import-cache-autosize, nsslapd-import-cache-autosize
nsslapd-import-cachesize, nsslapd-import-cachesize
nsslapd-lookthroughlimit, nsslapd-lookthroughlimit
nsslapd-mode, nsslapd-mode
nsslapd-pagedidlistscanlimit, nsslapd-pagedidlistscanlimit
nsslapd-pagedlookthroughlimit, nsslapd-pagedlookthroughlimit
nsslapd-plugin-depends-on-named, nsslapd-plugin-depends-on-named
nsslapd-plugin-depends-on-type, nsslapd-plugin-depends-on-type
nsslapd-pluginAccess, nsslapd-logAccess
nsslapd-pluginAudit, nsslapd-logAudit
nsslapd-pluginConfigArea, nsslapd-pluginConfigArea
nsslapd-pluginDescription, nsslapd-pluginDescription
nsslapd-pluginEnabled, nsslapd-pluginEnabled
nsslapd-pluginId, nsslapd-pluginId
nsslapd-pluginInitFunc, nsslapd-pluginInitfunc
nsslapd-pluginLoadGlobal, nsslapd-pluginLoadGlobal
nsslapd-pluginLoadNow, nsslapd-pluginLoadNow
nsslapd-pluginPath, nsslapd-pluginPath
nsslapd-pluginPrecedence, nsslapd-pluginPrecedence
nsslapd-pluginType, nsslapd-pluginType
nsslapd-pluginVendor, nsslapd-pluginVendor
nsslapd-pluginVersion, nsslapd-pluginVersion
nsslapd-rangelookthroughlimit, nsslapd-rangelookthroughlimit
nsslapd-readonly, nsslapd-readonly
nsslapd-require-index, nsslapd-require-index
nsslapd-subtree-rename-switch, nsslapd-subtree-rename-switch
nsslapd-suffix, nsslapd-suffix
nsSubStrBegin, nsSubStrBegin
nsSubStrEnd, nsSubStrEnd
nsSubStrMiddle, nsSubStrMiddle
nsSystemIndex, nsSystemIndex
nsTimeLimit, nsTimeLimit
nsTransmittedControls, nsTransmittedControls
nsUnbindCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
nsUseStartTLS, nsUseStartTLS
originFilter, originFilter
originScope, originScope
posixWinsyncCreateMemberOfTask, posixWinsyncCreateMemberOfTask
posixWinsyncLowerCaseUID, posixWinsyncLowerCaseUID
posixWinsyncMapMemberUID, posixWinsyncMapMemberUID
posixWinsyncMapNestedGrouping, posixWinsyncMapNestedGrouping
posixWinsyncMsSFUSchema, posixWinsyncMsSFUSchema
rootdn-allow-host, rootdn-allow-host
rootdn-allow-ip, rootdn-allow-ip
rootdn-close-time, rootdn-close-time
rootdn-days-allowed, rootdn-days-allowed
rootdn-deny-ip, rootdn-deny-ip
rootdn-open-time, rootdn-open-time
specattrname, specattrname
stateattrname, stateattrname
vlvBase, vlvBase
vlvEnabled, vlvEnabled
vlvFilter, vlvFilter
vlvScope, vlvScope
vlvSort, vlvSort
vlvUses, vlvUses

plug-in functionality monitoring attributes
currentdncachecount, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
currentdncachesize, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
currentNormalizedDNcachecount, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
currentNormalizedDNcachesize, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
maxdncachesize, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
maxNormalizedDNcachesize, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachehitratio, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachehits, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachemisses, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
normalizedDNcachetries, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-abort-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-active-txns, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-hit, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-size-bytes, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-try, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-clean-pages, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-commit-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-deadlock-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-dirty-pages, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-hash-buckets, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-hash-elements-examine-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-hash-search-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lock-conflicts, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lock-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lock-request-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-lockers, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-log-bytes-since-checkpoint, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-log-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-log-write-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-longest-chain-length, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-create-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-ro-evict-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-rw-evict-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-trickle-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-page-write-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-pages-in-use, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-txn-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config

plug-ins
configuration of, Overview of the Directory Server Configuration
distributed number assignment plug-in, Distributed Numeric Assignment Plug-in
Managed Entries plug-in, Managed Entries Plug-in
memberOf plug-in, MemberOf Plug-in
schema reload plug-in, Schema Reload Plug-in

port numbers
less than 1024, nsslapd-port (Port Number)

posix winsync API plug-in configuration attributes
posixWinsyncCreateMemberOfTask, posixWinsyncCreateMemberOfTask
posixWinsyncLowerCaseUID, posixWinsyncLowerCaseUID
posixWinsyncMapMemberUID, posixWinsyncMapMemberUID
posixWinsyncMapNestedGrouping, posixWinsyncMapNestedGrouping
posixWinsyncMsSFUSchema, posixWinsyncMsSFUSchema

posixAccount, posixAccount
posixGroup, posixGroup
postalAddress, postalAddress
postalCode, postalCode
postOfficeBox, postOfficeBox
preferredDeliveryMethod, preferredDeliveryMethod
preferredLanguage, preferredLanguage
preferredLocale, preferredLocale
preferredTimeZone, preferredTimeZone
presentationAddress, presentationAddress
protocolInformation, protocolInformation
pwdhash
command-line shell script, pwdhash (Encrypts Passwords)

pwdpolicysubentry, pwdpolicysubentry
pwdUpdateTime, pwdUpdateTime

R
read-only monitoring configuration attributes
backendMonitorDN, cn=monitor
bytessent, cn=monitor
connection, cn=monitor
currentconnections, cn=monitor
currenttime, cn=monitor
dtablesize, cn=monitor
entriessent, cn=monitor
nbackends, cn=monitor
opscompleted, cn=monitor
opsinitiated, cn=monitor
readwaiters, cn=monitor
starttime, cn=monitor
totalconnections, cn=monitor

read-only monitoring configuration entries
cn=monitor, cn=monitor

readwaiters attribute, cn=monitor
referral, referral
register-ds-admin.pl command-line script
options, register-ds-admin.pl
syntax, register-ds-admin.pl

registeredAddress, registeredAddress
remove-ds-admin.pl command-line script
options, remove-ds-admin.pl
syntax, remove-ds-admin.pl

remove-ds.pl command-line script
options, remove-ds.pl
syntax, remove-ds.pl

repl-monitor
command-line shell script, repl-monitor (Monitors Replication Status)

repl-monitor.pl
command-line perl script, repl-monitor.pl (Monitors Replication Status)

replica-base-dn, cn=cleanallruv, cn=abort cleanallruv
replica-certify-all, cn=abort cleanallruv
replica-force-cleaning, cn=cleanallruv
replica-id, cn=cleanallruv, cn=abort cleanallruv
replication agreement configuration attributes
cn, cn
description, description
nsDS50ruv, nsDS50ruv
nsDS5BeginReplicaRefresh, nsDS5BeginReplicaRefresh
nsDS5ReplicaBindDN, nsDS5ReplicaBindDN
nsDS5ReplicaBindMethod, nsDS5ReplicaBindMethod
nsDS5ReplicaBusyWaitTime, nsDS5ReplicaBusyWaitTime
nsDS5ReplicaChangesSentSinceStartup, nsDS5ReplicaChangesSentSinceStartup
nsDS5ReplicaCredentials, nsDS5ReplicaCredentials
nsds5ReplicaEnabled, nsds5ReplicaEnabled
nsDS5ReplicaHost, nsDS5ReplicaHost
nsDS5ReplicaLastInitEnd, nsDS5ReplicaLastInitEnd
nsDS5ReplicaLastInitStart, nsDS5ReplicaLastInitStart
nsDS5ReplicaLastInitStatus, nsDS5ReplicaLastInitStatus
nsDS5ReplicaLastUpdateEnd, nsDS5ReplicaLastUpdateEnd
nsDS5ReplicaLastUpdateStart, nsDS5ReplicaLastUpdateStart
nsds5replicaLastUpdateStatus, nsds5replicaLastUpdateStatus
nsDS5ReplicaPort, nsDS5ReplicaPort
nsds5ReplicaProtocolTimeout, nsds5ReplicaProtocolTimeout, nsds5ReplicaProtocolTimeout
nsDS5ReplicaReapActive, nsDS5ReplicaReapActive
nsDS5ReplicaRoot, nsDS5ReplicaRoot
nsDS5ReplicaSessionPauseTime, nsDS5ReplicaSessionPauseTime
nsds5ReplicaStripAttrs, nsds5ReplicaStripAttrs
nsDS5ReplicatedAttributeList, nsDS5ReplicatedAttributeList
nsDS5ReplicatedAttributeListTotal, nsDS5ReplicatedAttributeListTotal
nsDS5ReplicaTimeout, nsDS5ReplicaTimeout
nsDS5ReplicaTransportInfo, nsDS5ReplicaTransportInfo
nsDS5ReplicaUpdateInProgress, nsDS5ReplicaUpdateInProgress
nsDS5ReplicaUpdateSchedule, nsDS5ReplicaUpdateSchedule
nsDS5ReplicaWaitForAsyncResults, nsDS5ReplicaWaitForAsyncResults
nsruvReplicaLastModified, nsruvReplicaLastModified
object classes, Replication Attributes under cn=ReplicationAgreementName,cn=replica,cn=suffixName,cn=mapping tree,cn=config

replication configuration attributes
nsDS5Flags, nsDS5Flags
nsDS5ReplConflict, nsDS5ReplConflict
nsds5ReplicaBackoffMin and nsds5ReplicaBackoffMax, nsds5ReplicaBackoffMin and nsds5ReplicaBackoffMax
nsDS5ReplicaBindDN, nsDS5ReplicaBindDN
nsDS5ReplicaBindDNGroup, nsDS5ReplicaBindDNGroup
nsDS5ReplicaBindDNGroupCheckInterval, nsDS5ReplicaBindDNGroupCheckInterval
nsDS5ReplicaChangeCount, nsDS5ReplicaChangeCount
nsDS5ReplicaID, nsDS5ReplicaId
nsDS5ReplicaLegacyConsumer, nsDS5ReplicaLegacyConsumer
nsDS5ReplicaName, nsDS5ReplicaName
nsds5ReplicaProtocolTimeout, nsds5ReplicaProtocolTimeout, nsds5ReplicaProtocolTimeout
nsDS5ReplicaPurgeDelay, nsDS5ReplicaPurgeDelay
nsDS5ReplicaReferral, nsDS5ReplicaReferral
nsDS5ReplicaReleaseTimeout, nsDS5ReplicaReleaseTimeout
nsDS5ReplicaRoot, nsDS5ReplicaRoot
nsDS5ReplicaTombstonePurgeInterval, nsDS5ReplicaTombstonePurgeInterval
nsDS5ReplicaType, nsDS5ReplicaType
nsds5Task, nsds5Task
nsState, nsState
object classes, Replication Attributes under cn=replica,cn=suffixDN,cn=mapping tree,cn=config

residentialPerson, residentialPerson
restart, restart-dirsrv (Restarts the Directory Server), restart-ds-admin (Restarts the Administration Server), restart-slapd (Restarts the Directory Server)
restart-dirsrv
command-line shell script, restart-dirsrv (Restarts the Directory Server)
quick reference, Command-Line Scripts Quick Reference

restart-ds-admin
command-line shell script, restart-ds-admin (Restarts the Administration Server)
quick reference, Command-Line Scripts Quick Reference

restart-slapd
command-line shell script, restart-slapd (Restarts the Directory Server)
quick reference, Command-Line Scripts Quick Reference

restarting server
requirement for certain configuration changes, Configuration Changes Requiring Server Restart

restoreconfig
command-line shell script, restoreconfig (Restores Administration Server Configuration)
quick reference, Command-Line Scripts Quick Reference

retro changelog
Meta Directory changelog, cn=changelog5,cn=config

retro changelog plug-in configuration attributes
isReplicated, isReplicated
nsslapd-attribute, nsslapd-attribute
nsslapd-changelogdir, nsslapd-changelogdir

retryCountResetTime, retryCountResetTime
RFC822LocalPart, RFC822LocalPart
roleOccupant, roleOccupant
room, room
roomNumber, roomNumber
root dse configuration entries, Root DSE Configuration Parameters
rootdn access control plug-in configuration attributes
rootdn-allow-host, rootdn-allow-host
rootdn-allow-ip, rootdn-allow-ip
rootdn-close-time, rootdn-close-time
rootdn-days-allowed, rootdn-days-allowed
rootdn-deny-ip, rootdn-deny-ip
rootdn-open-time, rootdn-open-time

rsearch
location, rsearch (Search Stress Tests)
test script, rsearch (Search Stress Tests)

S
SASL configuration attributes
nsSaslMapBaseDNTemplate, nsSaslMapBaseDNTemplate
nsSaslMapFilterTemplate, nsSaslMapFilterTemplate
nsSaslMapPriority, nsSaslMapPriority
nsSaslMapRegexString, nsSaslMapRegexString

SASL configuration entries
cn=sasl, cn=sasl

saveconfig
command-line shell script, saveconfig (Saves Administration Server Configuration)
quick reference, Command-Line Scripts Quick Reference

schema
checking, Schema Checking
defined, Schema Definitions
extending, Extending the Schema
supported, Default Directory Server Schema Files

schema-reload.pl, schema-reload.pl (Reload Schema Files Dynamically)
related configuration entry, cn=schema reload task

schemadir, cn=schema reload task
scope, cn=automember rebuild membership, cn=automember export updates
scripts, Command-Line Scripts
location of shell scripts, Command-Line Scripts Quick Reference
perl scripts, Perl Scripts

search operations
limiting entries returned, nsslapd-sizelimit (Size Limit)
limiting entries returned for paged searches, nsslapd-pagedsizelimit (Size Limit for Simple Paged Results Searches)
setting time limits, nsslapd-timelimit (Time Limit)

searchGuide, searchGuide
sec-activate, sec-activate
secretary, secretary
seeAlso, seeAlso
serialNumber, serialNumber
server restart
after configuration changes, Configuration Changes Requiring Server Restart

setting the location of SASL plug-ins, nsslapd-saslpath
setup-ds-admin.pl command-line script
options, setup-ds-admin.pl
syntax, setup-ds-admin.pl

setup-ds.pl command-line script
options, setup-ds.pl
syntax, setup-ds.pl

shadowAccount, shadowAccount
shadowExpire, shadowExpire
shadowFlag, shadowFlag
shadowInactive, shadowInactive
shadowLastChange, shadowLastChange
shadowMax, shadowMax
shadowMin, shadowMin
shadowWarning, shadowWarning
simpleSecurityObject, simpleSecurityObject
singleLevelQuality, singleLevelQuality
slapd.conf file
location of, Accessing and Modifying Server Configuration

sn, sn (surname)
SNMP configuration attributes
nssnmpcontact, nssnmpcontact
nssnmpdescription, nssnmpdescription
nssnmpenabled, nssnmpenabled
nssnmplocation, nssnmplocation
nssnmpmasterhost, nssnmpmasterhost
nssnmpmasterport, nssnmpmasterport
nssnmporganization, nssnmporganization

SNMP configuration entries
cn=SNMP, cn=SNMP

special attributes
change, changes
changeLog, changeLog
changeNumber, changeNumber
changeTime, changeTime
changeType, changeType
deleteOldRdn, deleteOldRdn
newRdn, newRdn
newSuperior, newSuperior
targetDn, targetDn

special object classes
changeLogEntry, changeLogEntry (Object Class)
nsDS5Replica, nsDS5Replica (Object Class)
nsDS5ReplicationAgreement, nsDS5ReplicationAgreement (Object Class)
nsDSWindowsReplicationAgreement, nsDSWindowsReplicationAgreement (Object Class)
passwordObject, passwordObject (Object Class)
subschema, subschema (Object Class)

sslVersionMax attribute, sslVersionMax
sslVersionMin attribute, sslVersionMin
st, st (stateOrProvinceName)
start, start-dirsrv (Starts the Directory Server), start-ds-admin (Starts the Administration Server)
start-dirsrv
command-line shell script, start-dirsrv (Starts the Directory Server)
quick reference, Command-Line Scripts Quick Reference

start-ds-admin
command-line shell script, start-ds-admin (Starts the Administration Server)
quick reference, Command-Line Scripts Quick Reference

start-slapd
command-line shell script, start-slapd (Starts the Directory Server)
quick reference, Command-Line Scripts Quick Reference

starttime attribute, cn=monitor
statistics
from access logs, logconv.pl (Log Converter)

status, status-dirsrv (Obtains the Status of the Directory Server)
status-dirsrv
command-line shell script, status-dirsrv (Obtains the Status of the Directory Server)

stop, stop-dirsrv (Stops the Directory Server), stop-ds-admin (Stops the Administration Server)

stop-dirsrv
command-line shell script, stop-dirsrv (Stops the Directory Server)
quick reference, Command-Line Scripts Quick Reference

stop-ds-admin
command-line shell script, stop-ds-admin (Stops the Administration Server)
quick reference, Command-Line Scripts Quick Reference

stop-slapd
command-line shell script, stop-slapd (Stops the Directory Server)
quick reference, Command-Line Scripts Quick Reference

street, street
strongAuthenticationUser, strongAuthenticationUser
subject, subject
subschema, subschema (Object Class)
subschemaSubentry, subschemaSubentry
subtreeMaximumQuality, subtreeMaximumQuality
subtreeMinimumQuality, subtreeMinimumQuality
suffix, cn=USN tombstone cleanup task
suffix and replication configuration entries
cn=mapping tree, cn=mapping tree

suffix configuration attributes
cn, cn
nsslapd-backend, nsslapd-backend
nsslapd-parent, nsslapd-parent
nsslapd-state, nsslapd-state
nsslapd-distribution-function, nsslapd-distribution-function
nsslapd-distribution-plugin, nsslapd-distribution-plugin
nsslapd-referral, nsslapd-referral
object classes, Suffix Configuration Attributes under cn=suffix_DN

suffix2instance
command-line shell script, suffix2instance (Maps a Suffix to a Backend Name)
quick reference, Command-Line Scripts Quick Reference

supported schema, Default Directory Server Schema Files
supportedAlgorithms, supportedAlgorithms
supportedApplicationContext, supportedApplicationContext
supportedControl, supportedControl
supportedExtension, supportedExtension
supportedFeatures, supportedFeatures
supportedLDAPVersion, supportedLDAPVersion
supportedSASLMechanisms, supportedSASLMechanisms
synchronization agreement attributes
nsds7DirectoryReplicaSubtree, nsds7DirectoryReplicaSubtree
nsds7DirsyncCookie, nsds7DirsyncCookie
nsds7NewWinGroupSyncEnabled, nsds7NewWinGroupSyncEnabled
nsds7NewWinUserSyncEnabled, nsds7NewWinUserSyncEnabled
nsds7WindowsDomain, nsds7WindowsDomain
nsds7WindowsReplicaSubtree, nsds7WindowsReplicaSubtree
oneWaySync, oneWaySync
winSyncInterval, winSyncInterval
winSyncMoveAction, winSyncMoveAction

syntax
validation, Syntax Validation

syntax-validate.pl
command-line perl script, syntax-validate.pl (Validate Attribute Values)
related configuration entry, cn=syntax validate

T
targetDn, targetDn
telephoneNumber, telephoneNumber
teletexTerminalIdentifier, teletexTerminalIdentifier
telexNumber, telexNumber
test scripts
ldclt, ldclt (Load Stress Tests)
rsearch, rsearch (Search Stress Tests)

title, title
totalconnections attribute, cn=monitor
trailing spaces in object class names, nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names)
ttl, Task Invocation Attributes for Entries under cn=tasks, ttl (TimeToLive)

U
uid, uid (userID)
uidNumber, uidNumber
uniqueid generator configuration attributes
nsstate, cn=uniqueid generator

uniqueid generator configuration entries
cn=uniqueid generator, cn=uniqueid generator

uniqueIdentifier, uniqueIdentifier

uniqueMember, uniqueMember
updatedByDocument, updatedByDocument
updatesDocument, updatesDocument
upgradednformat
command-line shell script, upgradednformat
quick reference, Command-Line Scripts Quick Reference

userCertificate, userCertificate
userClass, userClass
userPassword, userPassword
userPKCS12, userPKCS12
usn-tombstone-cleanup.pl
command-line perl script, usn-tombstone-cleanup.pl (Remove Deleted Entries)
related configuration entry, cn=USN tombstone cleanup task

V
verify-db.pl
command-line perl script, verify-db.pl (Check for Corrupt Databases)
quick reference, Command-Line Scripts Quick Reference

vlvBase attribute, vlvBase
vlvEnabled attribute, vlvEnabled
vlvFilter attribute, vlvFilter
vlvindex
command-line shell script, vlvindex (Creates Virtual List View Indexes)
quick reference, Command-Line Scripts Quick Reference

vlvScope attribute, vlvScope
vlvSort attribute, vlvSort
vlvUses attribute, vlvUses

W
winSyncInterval, winSyncInterval
winSyncMoveAction, winSyncMoveAction

X
x121Address, x121Address
x500UniqueIdentifier, x500UniqueIdentifier

APPENDIX E. REVISION HISTORY


Note that revision numbers relate to the edition of this manual, not to version numbers of
Red Hat Directory Server.

Revision 10.3-1 Wed Oct 24 2018 Marc Muehlfeld

Red Hat Directory Server 10.3 release of the guide.

Revision 10.2-1 Tue Apr 10 2018 Marc Muehlfeld

For version 10.2: Added ds-replcheck script and new password storage schemes. Rewrote pwdhash (Encrypts Passwords) section.

Revision 10.1-11 Wed Jan 17 2018 Marc Muehlfeld

Removed unused passwordResetDuration and passwordKeepHistory attributes.

Revision 10.1-10 Tue Dec 05 2017 Marc Muehlfeld

Added the certmap.conf file and the nsSSLEnabledCiphers parameter. Updated the nsslapd-db-logdirectory parameter description.

Revision 10.1-9 Tue Sep 05 2017 Marc Muehlfeld

Added AD DN plug-in, nsslapd-rundir, and nsslapd-ldifdir parameters. Updated the default value of nsslapd-cachememsize introduced by the RHSA-2017:29627 erratum.

Revision 10.1-8 Tue Aug 01 2017 Marc Muehlfeld

For version 10.1.1: Rewrote Password Storage Schemes and Error Log Content. Updated nsslapd-rootpwstoragescheme, passwordStorageScheme, and auto-tuning-related parameter descriptions.

Revision 10.1-7 Wed Jul 12 2017 Marc Muehlfeld

Added missing attributes to Suffix Configuration Attributes under cn=suffix_DN. Added redhat-idm-console description.

Revision 10.1-6 Tue Jun 13 2017 Marc Muehlfeld

Added Administration Server and Directory Server-independent locations to File Locations Overview.

Revision 10.1-5 Mon May 29 2017 Marc Muehlfeld

Removed incorrect "-v" parameter from Perl scripts. Added "memberOfAutoAddOC".

Revision 10.1-4 Tue Mar 14 2017 Marc Muehlfeld

Added "cleanallruv.pl" Perl script. Other minor fixes.

Revision 10.1-3 Fri Feb 24 2017 Marc Muehlfeld

Added "Replication Agreement Status" appendix. Added multiple parameters.

Revision 10.1-2 Wed Jan 11 2017 Marc Muehlfeld

Updated nsSSL2Ciphers, nsSSL3Ciphers, and allowWeakCipher descriptions. Added multiple parameters.

Revision 10.1-1 Thu Dec 15 2016 Marc Muehlfeld

Removed legacy replication. Added multiple parameters.

Revision 10.1-0 Wed Nov 02 2016 Marc Muehlfeld

Red Hat Directory Server 10.1 release of the guide.

Revision 10.0-6 Mon Jul 25 2016 Petr Bokoč

Added passwordSendExpiringTime and nsDS5ReplicaReleaseTimeout parameters.

Revision 10.0-5 Thu Jun 30 2016 Petr Bokoč

Added cn=des2aes task.

Revision 10.0-4 Wed Jun 22 2016 Petr Bokoč

Added multiple configuration parameters to cn=config and cn=config,cn=ldbm database,cn=plugins,cn=config.

Revision 10.0-3 Tue Jun 07 2016 Petr Bokoč

Added high-resolution time stamps example and multiple parameters.

Revision 10.0-2 Wed Mar 09 2016 Petr Bokoč

Added sslVersionMin and sslVersionMax parameters. Other minor fixes.

Revision 10.0-0 Tue Jun 09 2015 Tomáš Čapek

Red Hat Directory Server 10 release of the guide.