HP HP-UX Directory Server Reference Guide

HP-UX Directory Server configuration, command, and file reference

HP-UX Directory Server Version 8.1
HP Part Number: 5900-0313 Published: September 2009 Edition: 1
© Copyright 2009 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Table of Contents

1 Introduction...................................................................................................................15
1.1 Directory Server configuration........................................................................................................15
1.2 Directory Server instance file reference...........................................................................................15
1.3 Using Directory Server command-line utilities..............................................................................15
1.4 Using Directory Server command-line scripts................................................................................16
2 Core server configuration reference...........................................................................17
2.1 Overview of the Directory Server configuration.............................................................................17
2.1.1 LDIF and schema configuration files......................................................................................17
2.1.2 How the server configuration is organized............................................................................19
2.1.2.1 Configuration attributes..................................................................................................19
2.1.2.2 Configuration of plug-in functionality...........................................................................19
2.1.2.3 Configuration of databases.............................................................................................20
2.1.2.4 Configuration of indexes.................................................................................................20
2.2 Accessing and modifying server configuration..............................................................................20
2.2.1 Access control for configuration entries..................................................................................20
2.2.2 Changing configuration attributes..........................................................................................21
2.2.2.1 Modifying configuration entries using LDAP................................................................21
2.2.2.2 Restrictions to modifying configuration entries and attributes......................................22
2.2.2.3 Configuration changes requiring server restart..............................................................22
2.3 Core server configuration attributes reference...............................................................................22
2.3.1 cn=config.................................................................................................................................23
2.3.1.1 nsslapd-accesslog (Access log)........................................................................................23
2.3.1.2 nsslapd-accesslog-level (Access log level)......................................................................24
2.3.1.3 nsslapd-accesslog-list (List of access log files)................................................................24
2.3.1.4 nsslapd-accesslog-logbuffering (Log buffering).............................................................24
2.3.1.5 nsslapd-accesslog-logexpirationtime (Access log expiration time)................................25
2.3.1.6 nsslapd-accesslog-logexpirationtimeunit (Access log expiration time unit)..................25
2.3.1.7 nsslapd-accesslog-logging-enabled (Access log enable logging)...................................25
2.3.1.8 nsslapd-accesslog-logmaxdiskspace (Access log maximum disk space).......................26
2.3.1.9 nsslapd-accesslog-logminfreediskspace (Access log minimum free disk space)...........26
2.3.1.10 nsslapd-accesslog-logrotationsync-enabled (Access log rotation sync enabled)..........27
2.3.1.11 nsslapd-accesslog-logrotationsynchour (Access log rotation sync hour).....................27
2.3.1.12 nsslapd-accesslog-logrotationsyncmin (Access log rotation sync minute)...................27
2.3.1.13 nsslapd-accesslog-logrotationtime (Access log rotation time)......................................28
2.3.1.14 nsslapd-accesslog-logrotationtimeunit (Access log rotation time unit)........................28
2.3.1.15 nsslapd-accesslog-maxlogsize (Access log maximum log size)....................................28
2.3.1.16 nsslapd-accesslog-maxlogsperdir (Access log maximum number of log files)............29
2.3.1.17 nsslapd-accesslog-mode (Access log file permission)...................................................29
2.3.1.18 nsslapd-attribute-name-exceptions...............................................................................30
2.3.1.19 nsslapd-auditlog (Audit log).........................................................................................30
2.3.1.20 nsslapd-auditlog-list......................................................................................................31
2.3.1.21 nsslapd-auditlog-logexpirationtime (Audit log expiration time).................................31
2.3.1.22 nsslapd-auditlog-logexpirationtimeunit (Audit log expiration time unit)...................31
2.3.1.23 nsslapd-auditlog-logging-enabled (Audit log enable logging)....................................32
2.3.1.24 nsslapd-auditlog-logmaxdiskspace (Audit log maximum disk space)........................32
2.3.1.25 nsslapd-auditlog-logminfreediskspace (Audit log minimum free disk space)............33
2.3.1.26 nsslapd-auditlog-logrotationsync-enabled (Audit log rotation sync enabled).............33
2.3.1.27 nsslapd-auditlog-logrotationsynchour (Audit log rotation sync hour)........................33
2.3.1.28 nsslapd-auditlog-logrotationsyncmin (Audit log rotation sync minute).....................34
Table of Contents 3
2.3.1.29 nsslapd-auditlog-logrotationtime (Audit log rotation time)........................................34
2.3.1.30 nsslapd-auditlog-logrotationtimeunit (Audit log rotation time unit)..........................34
2.3.1.31 nsslapd-auditlog-maxlogsize (Audit log maximum log size).......................................35
2.3.1.32 nsslapd-auditlog-maxlogsperdir (Audit log maximum number of log files)...............35
2.3.1.33 nsslapd-auditlog-mode (Audit log file permission).....................................................35
2.3.1.34 nsslapd-certdir (Certificate and key database directory)..............................................36
2.3.1.35 nsslapd-certmap-basedn (Certificate map search base)................................................36
2.3.1.36 nsslapd-config...............................................................................................................37
2.3.1.37 nsslapd-conntablesize...................................................................................................37
2.3.1.38 nsslapd-counters............................................................................................................37
2.3.1.39 nsslapd-csnlogging........................................................................................................38
2.3.1.40 nsslapd-ds4-compatible-schema...................................................................................38
2.3.1.41 nsslapd-enquote-sup-oc (Enable superior object class enquoting)...............................38
2.3.1.42 nsslapd-errorlog (Error log)..........................................................................................39
2.3.1.43 nsslapd-errorlog-level (Error log level).........................................................................39
2.3.1.44 nsslapd-errorlog-list......................................................................................................40
2.3.1.45 nsslapd-errorlog-logexpirationtime (Error log expiration time)..................................41
2.3.1.46 nsslapd-errorlog-logexpirationtimeunit (Error log expiration time unit)....................41
2.3.1.47 nsslapd-errorlog-logging-enabled (Enable error logging)............................................41
2.3.1.48 nsslapd-errorlog-logmaxdiskspace (Error log maximum disk space)..........................41
2.3.1.49 nsslapd-errorlog-logminfreediskspace (Error log minimum free disk space)..............42
2.3.1.50 nsslapd-errorlog-logrotationsync-enabled (Error log rotation sync enabled)..............42
2.3.1.51 nsslapd-errorlog-logrotationsynchour (Error log rotation sync hour).........................43
2.3.1.52 nsslapd-errorlog-logrotationsyncmin (Error log rotation sync minute).......................43
2.3.1.53 nsslapd-errorlog-logrotationtime (Error log rotation time)..........................................43
2.3.1.54 nsslapd-errorlog-logrotationtimeunit (Error log rotation time unit)............................44
2.3.1.55 nsslapd-errorlog-maxlogsize (Maximum error log size)..............................................44
2.3.1.56 nsslapd-errorlog-maxlogsperdir (Maximum number of error log files)......................44
2.3.1.57 nsslapd-errorlog-mode (Error log file permission).......................................................45
2.3.1.58 nsslapd-groupevalnestlevel...........................................................................................45
2.3.1.59 nsslapd-idletimeout (Default idle timeout)...................................................................45
2.3.1.60 nsslapd-instancedir (Instance directory).......................................................................46
2.3.1.61 nsslapd-ioblocktimeout (IO block time out).................................................................46
2.3.1.62 nsslapd-lastmod (Track modification time)..................................................................46
2.3.1.63 nsslapd-ldapifilepath (LDAPI socket file path)............................................................47
2.3.1.64 nsslapd-ldapilisten (Enable LDAPI socket)..................................................................47
2.3.1.65 nsslapd-listenhost (Listen to IP address)......................................................................47
2.3.1.66 nsslapd-localhost (Local host).......................................................................................48
2.3.1.67 nsslapd-localuser (Local user).......................................................................................48
2.3.1.68 nsslapd-lockdir (Server lock file directory)...................................................................48
2.3.1.69 nsslapd-maxbersize (Maximum message size).............................................................49
2.3.1.70 nsslapd-maxdescriptors (Maximum file descriptors)...................................................49
2.3.1.71 nsslapd-max-filter-nest-level (Maximum search filter nesting level)...........................50
2.3.1.72 nsslapd-maxsasliosize (Maximum SASL packet size)..................................................50
2.3.1.73 nsslapd-maxthreadsperconn (Maximum threads per connection)...............................51
2.3.1.74 nsslapd-nagle.................................................................................................................51
2.3.1.75 nsslapd-outbound-ldap-io-timeout...............................................................................52
2.3.1.76 nsslapd-plugin...............................................................................................................52
2.3.1.77 nsslapd-port (Port number)...........................................................................................52
2.3.1.78 nsslapd-privatenamespaces..........................................................................................52
2.3.1.79 nsslapd-pwpolicy-local (Enable subtree- and user-level password policy).................53
2.3.1.80 nsslapd-readonly (Read only).......................................................................................53
2.3.1.81 nsslapd-referral (Referral).............................................................................................53
2.3.1.82 nsslapd-referralmode (Referral mode)..........................................................................54
2.3.1.83 nsslapd-reservedescriptors (Reserved file descriptors)................................................54
2.3.1.84 nsslapd-return-exact-case (Return exact case)..............................................................55
2.3.1.85 nsslapd-rewrite-rfc1274.................................................................................................55
2.3.1.86 nsslapd-rootdn (Manager DN)......................................................................................56
2.3.1.87 nsslapd-rootpw (Root password)..................................................................................56
2.3.1.88 nsslapd-rootpwstoragescheme (Root password storage scheme)................................57
2.3.1.89 nsslapd-saslpath............................................................................................................57
2.3.1.90 nsslapd-schema-ignore-trailing-spaces (Ignore trailing spaces in object class names)........................................................................................................................................57
2.3.1.91 nsslapd-schemacheck (Schema checking).....................................................................58
2.3.1.92 nsslapd-schemadir.........................................................................................................58
2.3.1.93 nsslapd-schemareplace..................................................................................................59
2.3.1.94 nsslapd-securelistenhost...............................................................................................59
2.3.1.95 nsslapd-securePort (Encrypted port number)...............................................................59
2.3.1.96 nsslapd-security (Security)............................................................................................60
2.3.1.97 nsslapd-sizelimit (Size limit).........................................................................................60
2.3.1.98 nsslapd-ssl-check-hostname (Verify host name for outbound connections)................61
2.3.1.99 nsslapd-threadnumber (Thread number).....................................................................61
2.3.1.100 nsslapd-timelimit (Time limit).....................................................................................61
2.3.1.101 nsslapd-tmpdir............................................................................................................62
2.3.1.102 nsslapd-versionstring..................................................................................................62
2.3.1.103 nsslapd-workingdir.....................................................................................................62
2.3.1.104 passwordChange (Password change)..........................................................................62
2.3.1.105 passwordCheckSyntax (Check password syntax).......................................................63
2.3.1.106 passwordExp (Password expiration)...........................................................................63
2.3.1.107 passwordGraceLimit (Password expiration)...............................................................64
2.3.1.108 passwordHistory (Password history)..........................................................................64
2.3.1.109 passwordInHistory (Number of passwords to remember).........................................64
2.3.1.110 passwordIsGlobalPolicy (Password policy and replication).......................................65
2.3.1.111 passwordLockout (Account lockout)..........................................................................65
2.3.1.112 passwordLockoutDuration (Lockout duration)..........................................................65
2.3.1.113 passwordMaxAge (Password maximum age).............................................................66
2.3.1.114 passwordMaxFailure (Maximum password failures).................................................66
2.3.1.115 passwordMaxRepeats (Password syntax)...................................................................66
2.3.1.116 passwordMin8Bit (Password syntax)..........................................................................67
2.3.1.117 passwordMinAge (Password minimum age)..............................................................67
2.3.1.118 passwordMinAlphas (Password syntax).....................................................................68
2.3.1.119 passwordMinCategories (Password syntax)...............................................................68
2.3.1.120 PasswordMinDigits (Password syntax).......................................................................68
2.3.1.121 passwordMinLength (Password minimum length)....................................................68
2.3.1.122 PasswordMinLowers (Password syntax)....................................................................69
2.3.1.123 PasswordMinSpecials (Password syntax)...................................................................69
2.3.1.124 PasswordMinTokenLength (Password syntax)...........................................................69
2.3.1.125 PasswordMinUppers (Password syntax)....................................................................70
2.3.1.126 passwordMustChange (Password must change)........................................................70
2.3.1.127 passwordResetFailureCount (Reset password failure count after).............................70
2.3.1.128 passwordStorageScheme (Password storage scheme)................................................70
2.3.1.129 passwordUnlock (Unlock account).............................................................................71
2.3.1.130 passwordWarning (Send warning)..............................................................................71
2.3.2 cn=changelog5,cn=config.........................................................................................................72
2.3.2.1 nsslapd-changelogdir......................................................................................................72
2.3.2.2 nsslapd-changelogmaxage (Max changelog age)...........................................................73
2.3.2.3 nsslapd-changelogmaxentries (Max changelog records)................................................73
2.3.3 cn=encryption,cn=config.........................................................................................................73
2.3.3.1 nssslsessiontimeout.........................................................................................................73
2.3.3.2 nssslclientauth.................................................................................................................74
2.3.3.3 nsSSL2.............................................................................................................................74
2.3.3.4 nsSSL3.............................................................................................................................74
2.3.3.5 nsssl3ciphers....................................................................................................................75
2.3.4 cn=features,cn=config..............................................................................................................75
2.3.5 cn=mapping tree,cn=config.....................................................................................................75
2.3.6 Suffix configuration attributes under cn="suffixName".........................................................75
2.3.6.1 nsslapd-state....................................................................................................................76
2.3.6.2 nsslapd-backend..............................................................................................................76
2.3.7 Replication attributes under cn=replica, cn="suffixDN", cn=mapping tree, cn=config..........76
2.3.7.1 nsDS5Flags......................................................................................................................77
2.3.7.2 nsDS5ReplicaBindDN.....................................................................................................77
2.3.7.3 nsDS5ReplicaChangeCount............................................................................................77
2.3.7.4 nsDS5ReplicaId...............................................................................................................78
2.3.7.5 nsDS5ReplicaLegacyConsumer......................................................................................78
2.3.7.6 nsDS5ReplicaName.........................................................................................................78
2.3.7.7 nsDS5ReplicaPurgeDelay................................................................................................78
2.3.7.8 nsDS5ReplicaReferral......................................................................................................79
2.3.7.9 nsDS5ReplicaRoot...........................................................................................................79
2.3.7.10 nsDS5ReplicaTombstonePurgeInterval.........................................................................79
2.3.7.11 nsDS5ReplicaType.........................................................................................................80
2.3.7.12 nsDS5ReplicaReapActive..............................................................................................80
2.3.7.13 nsState............................................................................................................................80
2.3.7.14 nsDS5ReplConflict.........................................................................................................81
2.3.8 Replication attributes under cn=ReplicationAgreementName, cn=replica, cn="suffixName", cn=mapping tree, cn=config.............................................................................................................81
2.3.8.1 cn.....................................................................................................................................81
2.3.8.2 description.......................................................................................................................81
2.3.8.3 nsDS5ReplicaBindDN.....................................................................................................82
2.3.8.4 nsDS5ReplicaBindMethod..............................................................................................82
2.3.8.5 nsDS5ReplicaBusyWaitTime...........................................................................................82
2.3.8.6 nsDS5ReplicaChangesSentSinceStartup.........................................................................83
2.3.8.7 nsDS5ReplicaCredentials................................................................................................83
2.3.8.8 nsDS5ReplicaHost...........................................................................................................83
2.3.8.9 nsDS5ReplicaLastInitEnd................................................................................................84
2.3.8.10 nsDS5ReplicaLastInitStart.............................................................................................84
2.3.8.11 nsDS5ReplicaLastInitStatus...........................................................................................84
2.3.8.12 nsDS5ReplicaLastUpdateEnd.......................................................................................85
2.3.8.13 nsDS5ReplicaLastUpdateStart......................................................................................85
2.3.8.14 nsDS5ReplicaLastUpdateStatus....................................................................................85
2.3.8.15 nsDS5ReplicaPort..........................................................................................................85
2.3.8.16 nsDS5ReplicaPriority....................................................................................................86
2.3.8.17 nsDS5ReplicaReapActive..............................................................................................86
2.3.8.18 nsDS5BeginReplicaRefresh...........................................................................................87
2.3.8.19 nsDS5ReplicaRoot.........................................................................................................87
2.3.8.20 nsDS5ReplicaSessionPauseTime...................................................................................87
2.3.8.21 nsDS5ReplicatedAttributeList.......................................................................................88
2.3.8.22 nsDS5ReplicaTimeout...................................................................................................88
2.3.8.23 nsDS5ReplicaTransportInfo...........................................................................................89
2.3.8.24 nsDS5ReplicaUpdateInProgress....................................................................................89
2.3.8.25 nsDS5ReplicaUpdateSchedule......................................................................................89
2.3.8.26 nsDS50ruv.....................................................................................................................90
2.3.9 Synchronization attributes under cn=syncAgreementName, cn=Replica,cn="suffixName", cn=mapping tree, cn=config.............................................................................................................90
2.3.9.1 nsds7DirectoryReplicaSubtree........................................................................................91
2.3.9.2 nsds7DirsyncCookie........................................................................................................91
2.3.9.3 nsds7NewWinGroupSyncEnabled.................................................................................91
2.3.9.4 nsds7NewWinUserSyncEnabled.....................................................................................91
2.3.9.5 nsds7WindowsDomain...................................................................................................92
2.3.9.6 nsds7WindowsReplicaSubtree........................................................................................92
2.3.9.7 winSyncInterval..............................................................................................................92
2.3.10 cn=monitor.............................................................................................................................92
2.3.11 cn=replication........................................................................................................................94
2.3.12 cn=SNMP,cn=config...............................................................................................................94
2.3.12.1 nssnmpenabled..............................................................................................................94
2.3.12.2 nssnmpname.................................................................................................................94
2.3.12.3 nssnmporganization......................................................................................................95
2.3.12.4 nssnmplocation..............................................................................................................95
2.3.12.5 nssnmpcontact...............................................................................................................95
2.3.12.6 nssnmpdescription........................................................................................................95
2.3.12.7 nssnmpmasterhost.........................................................................................................96
2.3.12.8 nssnmpmasterport.........................................................................................................96
2.3.13 SNMP statistic attributes.......................................................................................................96
2.3.14 cn=tasks,cn=config.................................................................................................................97
2.3.14.1 Task invocation attributes for entries under cn=tasks...................................................98
2.3.14.2 cn=import,cn=tasks,cn=config.....................................................................................100
2.3.14.3 cn=export,cn=tasks,cn=config......................................................................................103
2.3.14.4 cn=backup,cn=tasks,cn=config.....................................................................................106
2.3.14.5 cn=restore,cn=tasks,cn=config.....................................................................................107
2.3.14.6 cn=index,cn=tasks,cn=config.......................................................................................108
2.3.14.7 cn=schema reload task,cn=tasks,cn=config..................................................................109
2.3.14.8 cn=memberof task,cn=tasks,cn=config........................................................................110
2.3.15 cn=uniqueid generator,cn=config........................................................................................111
3 Plug-in implemented server functionality reference................................................113
3.1 Server plug-in functionality reference...........................................................................................113
3.1.1 7-bit check plug-in.................................................................................................................113
3.1.2 ACL plug-in...........................................................................................................................114
3.1.3 ACL preoperation plug-in.....................................................................................................114
3.1.4 Attribute uniqueness plug-in................................................................................................114
3.1.5 Binary syntax plug-in............................................................................................................115
3.1.6 Boolean syntax plug-in..........................................................................................................115
3.1.7 Case exact string syntax plug-in............................................................................................116
3.1.8 Case ignore string syntax plug-in.........................................................................................116
3.1.9 Chaining database plug-in....................................................................................................116
3.1.10 Class of service plug-in........................................................................................................117
3.1.11 Country string syntax plug-in.............................................................................................117
3.1.12 Distinguished name syntax plug-in....................................................................................117
3.1.13 Distributed numeric assignment plug-in............................................................................118
3.1.14 Generalized time syntax plug-in.........................................................................................118
3.1.15 HTTP client plug-in.............................................................................................................119
3.1.16 Integer syntax plug-in..........................................................................................................119
3.1.17 Internationalization plug-in................................................................................................119
3.1.18 JPEG syntax plug-in.............................................................................................................120
3.1.19 ldbm database plug-in.........................................................................................................120
3.1.20 Legacy replication plug-in...................................................................................................120
3.1.21 MemberOf plug-in...............................................................................................................121
3.1.22 Multi-master replication plug-in.........................................................................................121
3.1.23 Octet string syntax plug-in..................................................................................................122
3.1.24 OID syntax plug-in..............................................................................................................122
Table of Contents 7
3.1.25 Password Storage Schemes..................................................................................................122
3.1.26 Postal address string syntax plug-in...................................................................................123
3.1.27 PTA plug-in..........................................................................................................................124
3.1.28 Referential integrity postoperation plug-in.........................................................................124
3.1.29 Retro Changelog plug-in.....................................................................................................125
3.1.30 Roles plug-in........................................................................................................................125
3.1.31 Schema reload plug-in.........................................................................................................126
3.1.32 Space insensitive string syntax plug-in...............................................................................126
3.1.33 State change plug-in............................................................................................................126
3.1.34 Telephone syntax plug-in....................................................................................................127
3.1.35 URI syntax plug-in...............................................................................................................127
3.1.36 Views plug-in.......................................................................................................................127
3.1.37 Account policy plug-in........................................................................................................128
3.2 List of attributes common to all plug-ins......................................................................................128
3.2.1 nsslapd-pluginPath................................................................................................................128
3.2.2 nsslapd-pluginInitfunc..........................................................................................................129
3.2.3 nsslapd-pluginType...............................................................................................................129
3.2.4 nsslapd-pluginEnabled..........................................................................................................129
3.2.5 nsslapd-pluginId...................................................................................................................129
3.2.6 nsslapd-pluginVersion..........................................................................................................130
3.2.7 nsslapd-pluginVendor...........................................................................................................130
3.2.8 nsslapd-pluginDescription....................................................................................................130
3.3 Attributes allowed by certain plug-ins..........................................................................................130
3.3.1 nsslapd-pluginLoadNow......................................................................................................130
3.3.2 nsslapd-pluginLoadGlobal....................................................................................................131
3.3.3 nsslapd-plugin-depends-on-type..........................................................................................131
3.3.4 nsslapd-plugin-depends-on-named......................................................................................131
3.4 Database plug-in attributes...........................................................................................................132
3.4.1 Database attributes under cn=config, cn=ldbm database, cn=plugins, cn=config................132
3.4.1.1 nsLookthroughLimit.....................................................................................................132
3.4.1.2 nsslapd-cache-autosize..................................................................................................133
3.4.1.3 nsslapd-cache-autosize-split.........................................................................................133
3.4.1.4 nsslapd-dbcachesize......................................................................................................134
3.4.1.5 nsslapd-db-checkpoint-interval....................................................................................134
3.4.1.6 nsslapd-db-circular-logging..........................................................................................135
3.4.1.7 nsslapd-db-debug..........................................................................................................135
3.4.1.8 nsslapd-db-durable-transactions...................................................................................135
3.4.1.9 nsslapd-db-home-directory...........................................................................................136
3.4.1.10 nsslapd-db-idl-divisor.................................................................................................136
3.4.1.11 nsslapd-db-logbuf-size................................................................................................137
3.4.1.12 nsslapd-db-logdirectory..............................................................................................137
3.4.1.13 nsslapd-db-logfile-size................................................................................................138
3.4.1.14 nsslapd-db-page-size...................................................................................................138
3.4.1.15 nsslapd-db-private-import-mem.................................................................................138
3.4.1.16 nsslapd-db-spin-count.................................................................................................139
3.4.1.17 nsslapd-db-transaction-batch-val................................................................................139
3.4.1.18 nsslapd-db-trickle-percentage.....................................................................................140
3.4.1.19 nsslapd-db-verbose......................................................................................................140
3.4.1.20 nsslapd-dbncache........................................................................................................140
3.4.1.21 nsslapd-directory.........................................................................................................141
3.4.1.22 nsslapd-exclude-from-export......................................................................................141
3.4.1.23 nsslapd-idl-switch.......................................................................................................141
3.4.1.24 nsslapd-idlistscanlimit.................................................................................................142
3.4.1.25 nsslapd-import-cachesize............................................................................................142
3.4.1.26 nsslapd-import-cache-autosize....................................................................................142
3.4.1.27 nsslapd-mode..............................................................................................................143
3.4.1.28 nsslapd-search-bypass-filter-test.................................................................................144
3.4.1.29 nsslapd-search-use-vlv-index......................................................................................144
3.4.1.30 nsslapd-serial-lock.......................................................................................................144
3.4.2 Database attributes under cn=monitor, cn=ldbm database, cn=plugins, cn=config..............144
3.4.3 Database attributes under cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=userRoot, cn=ldbm database, cn=plugins, cn=config...............................................................144
3.4.3.1 nsslapd-cachesize..........................................................................................................145
3.4.3.2 nsslapd-cachememsize..................................................................................................145
3.4.3.3 nsslapd-directory...........................................................................................................145
3.4.3.4 nsslapd-readonly...........................................................................................................146
3.4.3.5 nsslapd-require-index...................................................................................................146
3.4.3.6 nsslapd-suffix................................................................................................................146
3.4.4 Database attributes under cn=database, cn=monitor, cn=ldbm database, cn=plugins, cn=config........................................................................................................................................147
3.4.5 Database attributes under cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config........................................................................................................................................148
3.4.5.1 cn...................................................................................................................................148
3.4.5.2 description.....................................................................................................................148
3.4.5.3 nsSystemIndex...............................................................................................................148
3.4.5.4 nsIndexType..................................................................................................................149
3.4.5.5 nsMatchingRule.............................................................................................................149
3.4.6 Database attributes under cn=monitor, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config........................................................................................................................................149
3.4.7 Database attributes under cn=index, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=index, cn=UserRoot, cn=ldbm database, cn=plugins, cn=config......................150
3.4.7.1 nsSubStrBegin................................................................................................................150
3.4.7.2 nsSubStrEnd..................................................................................................................151
3.4.7.3 nsSubStrMiddle.............................................................................................................151
3.4.8 Database attributes under cn=attributeName, cn=encrypted attributes, cn=database_name, cn=ldbm database, cn=plugins, cn=config.....................................................................................152
3.4.8.1 nsEncryptionAlgorithm................................................................................................153
3.5 Database link plug-in attributes (chaining attributes)..................................................................153
3.5.1 Database link attributes under cn=config, cn=chaining database, cn=plugins, cn=config....153
3.5.1.1 nsActiveChainingComponents.....................................................................................153
3.5.1.2 nsMaxResponseDelay...................................................................................................154
3.5.1.3 nsMaxTestResponseDelay.............................................................................................154
3.5.1.4 nspossiblechainingcomponents....................................................................................154
3.5.1.5 nsTransmittedControls..................................................................................................155
3.5.2 Database link attributes under cn=default instance config, cn=chaining database, cn=plugins, cn=config........................................................................................................................................155
3.5.2.1 nsAbandonedSearchCheckInterval...............................................................................155
3.5.2.2 nsBindConnectionsLimit...............................................................................................155
3.5.2.3 nsBindRetryLimit..........................................................................................................156
3.5.2.4 nsBindTimeout..............................................................................................................156
3.5.2.5 nsCheckLocalACI..........................................................................................................156
3.5.2.6 nsConcurrentBindLimit.................................................................................................157
3.5.2.7 nsConcurrentOperationsLimit......................................................................................157
3.5.2.8 nsConnectionLife...........................................................................................................157
3.5.2.9 nsOperationConnectionsLimit......................................................................................157
3.5.2.10 nsProxiedAuthorization..............................................................................................158
3.5.2.11 nsReferralOnScopedSearch.........................................................................................158
3.5.2.12 nsSizeLimit..................................................................................................................158
3.5.2.13 nsTimeLimit.................................................................................................................159
3.5.3 Database link attributes under cn=database_link_name, cn=chaining database, cn=plugins, cn=config........................................................................................................................................159
3.5.3.1 nsBindMechanism.........................................................................................................159
3.5.3.2 nsFarmServerURL.........................................................................................................160
3.5.3.3 nsMultiplexorBindDN...................................................................................................160
3.5.3.4 nsMultiplexorCredentials..............................................................................................161
3.5.3.5 nshoplimit......................................................................................................................161
3.5.3.6 nsUseStartTLS...............................................................................................................161
3.5.4 Database link attributes under cn=monitor, cn=database instance name, cn=chaining database, cn=plugins, cn=config....................................................................................................161
3.6 Retro changelog plug-in attributes................................................................................................162
3.6.1 nsslapd-changelogdir............................................................................................................162
3.6.2 nsslapd-changelogmaxage (Max changelog age)..................................................................163
3.7 Distributed numeric assignment plug-in attributes......................................................................163
3.7.1 dnaFilter.................................................................................................................................163
3.7.2 dnaMagicRegen.....................................................................................................................163
3.7.3 dnaMaxValue.........................................................................................................................164
3.7.4 dnaNextRange.......................................................................................................................164
3.7.5 dnaNextValue........................................................................................................................164
3.7.6 dnaPrefix................................................................................................................................165
3.7.7 dnaRangeRequestTimeout....................................................................................................165
3.7.8 dnaScope................................................................................................................................166
3.7.9 dnaSharedCfgDN..................................................................................................................166
3.7.10 dnaThreshold.......................................................................................................................166
3.7.11 dnaType...............................................................................................................................167
3.8 MemberOf plug-in attributes........................................................................................................167
3.8.1 memberofattr.........................................................................................................................167
3.8.2 memberofgroupattr...............................................................................................................167
3.9 Account policy plug-in attributes..................................................................................................168
4 Server instance file reference...................................................................................169
4.1 Overview of Directory Server files................................................................................................169
4.2 Backup files....................................................................................................................................169
4.3 Configuration files.........................................................................................................................169
4.4 Database files.................................................................................................................................169
4.5 LDIF files.......................................................................................................................................171
4.6 Lock files........................................................................................................................................171
4.7 Log files..........................................................................................................................................171
4.8 PID files..........................................................................................................................................171
4.9 Tools...............................................................................................................................................172
4.10 Scripts...........................................................................................................................................172
5 Log file reference.......................................................................................................173
5.1 Access log reference.......................................................................................................................173
5.1.1 Access logging levels.............................................................................................................173
5.1.2 Default access logging content..............................................................................................174
5.1.2.1 Connection number.......................................................................................................174
5.1.2.2 File descriptor................................................................................................................174
5.1.2.3 Slot number...................................................................................................................175
5.1.2.4 Operation number.........................................................................................................175
5.1.2.5 Method type..................................................................................................................175
5.1.2.6 Version number.............................................................................................................175
5.1.2.7 Error number.................................................................................................................175
5.1.2.8 Tag number....................................................................................................................175
5.1.2.9 Number of entries..........................................................................................................176
5.1.2.10 Elapsed time................................................................................................................176
5.1.2.11 LDAP request type......................................................................................................176
5.1.2.12 LDAP response type....................................................................................................177
5.1.2.13 Unindexed search indicator.........................................................................................177
5.1.2.14 VLV-related entries......................................................................................................177
5.1.2.15 Search scope.................................................................................................................177
5.1.2.16 Extended operation OID..............................................................................................178
5.1.2.17 Change sequence number...........................................................................................178
5.1.2.18 Abandon message........................................................................................................178
5.1.2.19 Message ID..................................................................................................................179
5.1.2.20 SASL multi-stage bind logging....................................................................................179
5.1.3 Access log content for additional access logging levels........................................................179
5.1.3.1 Connection description.................................................................................................180
5.1.3.2 Options description.......................................................................................................180
5.1.4 Common connection codes...................................................................................................180
5.2 Error log reference.........................................................................................................................181
5.2.1 Error log logging levels.........................................................................................................181
5.2.2 Error log content....................................................................................................................182
5.2.3 Error log content for other log levels.....................................................................................183
5.3 Audit log reference........................................................................................................................186
5.4 LDAP result codes.........................................................................................................................187
6 Command-line utilities...............................................................................................189
6.1 Finding and executing command-line utilities.............................................................................189
6.2 Using special characters................................................................................................................189
6.3 Command-line utilities quick reference........................................................................................189
6.4 ldapsearch......................................................................................................................................190
6.4.1 ldapsearch syntax..................................................................................................................190
6.4.2 Commonly-used ldapsearch options....................................................................................190
6.4.3 Persistent search options.......................................................................................................192
6.4.4 ldapsearch SSL options..........................................................................................................192
6.4.5 ldapsearch SASL options.......................................................................................................193
6.4.6 Additional ldapsearch options..............................................................................................199
6.5 ldapmodify....................................................................................................................................201
6.5.1 ldapmodify syntax.................................................................................................................201
6.5.2 Commonly-used ldapmodify options...................................................................................201
6.5.3 ldapmodify SSL options........................................................................................................202
6.5.4 ldapmodify SASL options.....................................................................................................203
6.5.5 Additional ldapmodify options.............................................................................................204
6.6 ldapdelete......................................................................................................................................204
6.6.1 ldapdelete syntax...................................................................................................................205
6.6.2 Commonly-used ldapdelete options.....................................................................................205
6.6.3 ldapdelete SSL options..........................................................................................................205
6.6.4 ldapdelete SASL options.......................................................................................................206
6.6.5 Additional ldapdelete options...............................................................................................207
6.7 ldappasswd....................................................................................................................................207
6.7.1 ldappasswd syntax................................................................................................................207
6.7.2 ldappasswd-specific options.................................................................................................208
6.7.3 General ldappasswd options.................................................................................................208
6.7.4 ldappasswd SASL options.....................................................................................................209
6.7.5 ldappasswd examples...........................................................................................................210
6.8 ldif..................................................................................................................................................211
6.8.1 ldif syntax..............................................................................................................................212
6.8.2 ldif options.............................................................................................................................212
6.9 dbscan............................................................................................................................................212
6.9.1 dbscan syntax........................................................................................................................212
6.9.2 dbscan options.......................................................................................................................213
6.9.3 dbscan examples....................................................................................................................213
7 Command-line scripts................................................................................................215
7.1 Finding and executing command-line scripts...............................................................................215
7.2 Command-line scripts quick reference..........................................................................................215
7.3 Shell scripts....................................................................................................................................216
7.3.1 bak2db (Restores a database from backup)...........................................................................217
7.3.2 cl-dump (Dumps and decodes the changelog).....................................................................217
7.3.3 dbverify (Checks for corrupt databases)...............................................................................218
7.3.4 db2bak (Creates a backup of a database)..............................................................................219
7.3.5 db2ldif (Exports database contents to LDIF).........................................................................219
7.3.6 db2index (Reindexes database index files)...........................................................................220
7.3.7 ldif2db (Import).....................................................................................................................220
7.3.8 ldif2ldap (Performs import operation over LDAP)...............................................................221
7.3.9 pwdhash (Prints encrypted passwords)................................................................................221
7.3.10 monitor (Retrieves monitoring information).......................................................................222
7.3.11 repl-monitor (Monitors replication status)..........................................................................222
7.3.12 restart-slapd (Restarts the Directory Server).......................................................................224
7.3.13 restoreconfig (Restores Administration Server configuration)...........................................224
7.3.14 saveconfig (Saves Administration Server configuration)....................................................224
7.3.15 start-slapd (Starts the Directory Server)..............................................................................225
7.3.16 stop-slapd (Stops the Directory Server)...............................................................................225
7.3.17 suffix2instance (Maps a suffix to a backend name).............................................................225
7.3.18 vlvindex (Creates virtual list view indexes)........................................................................225
7.4 Perl scripts.....................................................................................................................................226
7.4.1 bak2db.pl (Restores a database from backup)......................................................................226
7.4.2 cl-dump.pl (Dumps and decodes the changelog).................................................................227
7.4.3 db2bak.pl (Creates a backup of a database)..........................................................................227
7.4.4 db2index.pl (Creates and generates indexes)........................................................................228
7.4.5 db2ldif.pl (Exports database contents to LDIF).....................................................................228
7.4.6 fixup-memberof.pl (Regenerate memberOf attributes)........................................................229
7.4.7 ldif2db.pl (Import).................................................................................................................230
7.4.8 logconv.pl (Log converter).....................................................................................................231
7.4.9 ns-accountstatus.pl (Establishes account status)...................................................................233
7.4.10 ns-activate.pl (Activates an entry or group of entries)........................................................234
7.4.11 ns-inactivate.pl (Inactivates an entry or group of entries)..................................................234
7.4.12 ns-newpwpolicy.pl (Adds attributes for fine-grained password policy)............................234
7.4.13 repl-monitor.pl (Monitors replication status)......................................................................235
7.4.14 schema-reload.pl (Reload schema files dynamically).........................................................237
7.4.15 verify-db.pl (Check for corrupt databases).........................................................................237
8 Support and other resources....................................................................................239
8.1 Contacting HP...............................................................................................................................239
8.1.1 Information to collect before contacting HP.........................................................................239
8.1.2 How to contact HP technical support...................................................................................239
8.1.3 HP authorized resellers.........................................................................................................239
8.1.4 Documentation feedback.......................................................................................................239
8.2 Related information.......................................................................................................................240
8.2.1 HP-UX Directory Server documentation set.........................................................................240
8.2.2 HP-UX documentation set.....................................................................................................241
8.2.3 Troubleshooting resources....................................................................................................241
8.3 Typographic conventions..............................................................................................................241
A Using the ns-slapd command-line utilities...............................................................243
A.1 Overview of ns-slapd....................................................................................................................243
A.2 Finding and executing the ns-slapd command-line utilities........................................................243
A.3 Utilities for exporting databases: db2ldif.....................................................................................243
A.4 Utilities for restoring and backing up databases: ldif2db............................................................244
A.5 Utilities for restoring and backing up databases: archive2db......................................................245
A.6 Utilities for restoring and backing up databases: db2archive......................................................245
A.7 Utilities for creating and regenerating indexes: db2index...........................................................245
Glossary.........................................................................................................................247
Index...............................................................................................................................257

1 Introduction

The HP-UX Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed to manage large-scale directories to support an enterprise-wide directory of users and resources, extranets, and e-commerce applications over the Internet. The Directory Server runs as the ns-slapd process or service on the machine. The server manages the directory databases and responds to client requests.
This reference covers the server configuration and the command-line utilities. It is designed primarily for directory administrators and experienced directory users who want to use the command-line to access the directory. After configuring the server, use this reference to help maintain it.
The Directory Server can also be managed through the Directory Server Console, a graphical user interface. The HP-UX Directory Server administrator guide describes how to do this and explains individual administration tasks more fully.
The major components of Directory Server include:
An LDAP server
The LDAP v3-compliant network daemon.
Directory Server Console
A graphical management console that dramatically reduces the effort of setting up and maintaining your directory service.
SNMP agent
Can monitor the Directory Server using the Simple Network Management Protocol (SNMP).
Administration Server
Required for managing the Directory Server using the Directory Server Console.

1.1 Directory Server configuration

The format and method for storing configuration information for Directory Server and a listing for all server attributes are found in two chapters, Chapter 2 “Core server configuration reference” and Chapter 3 “Plug-in implemented server functionality reference”.

1.2 Directory Server instance file reference

Chapter 4 “Server instance file reference” has an overview of the files and configuration information stored in each instance of Directory Server. This reference helps administrators understand the changes or absence of changes in the course of directory activity. From a security standpoint, this also helps users detect errors and intrusion by highlighting normal changes and abnormal behavior.

1.3 Using Directory Server command-line utilities

Directory Server comes with a set of configurable command-line utilities that can search and modify entries in the directory and administer the server. Chapter 6 “Command-line utilities” describes these command-line utilities and contains information on where the utilities are stored and how to access them. In addition to these command-line utilities, Directory Server also provides ns-slapd command-line utilities for performing directory operations, as described in Appendix A “Using the ns-slapd command-line utilities”.

1.4 Using Directory Server command-line scripts

In addition to command-line utilities, several non-configurable scripts are provided with the Directory Server that make it quick and easy to perform routine server administration tasks from the command-line. Chapter 7 “Command-line scripts” lists the most frequently used scripts and contains information on where the scripts are stored and how to access them.

2 Core server configuration reference

The configuration information for the HP-UX Directory Server is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server using LDAP while it is still running, thus avoiding the need to shut the server down for most configuration changes.
This chapter gives details on how the configuration is organized and how to alter it. The chapter also provides an alphabetical reference for all attributes.

2.1 Overview of the Directory Server configuration

When the Directory Server is set up, its default configuration is stored as a series of LDAP entries within the directory, under the subtree cn=config. When the server is started, the contents of the cn=config subtree are read from a file (dse.ldif) in LDIF format. This dse.ldif file contains all the server configuration information. The latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called dse.ldif.startOK.
Many of the features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax Plug-in is contained in this entry:
cn=Telephone Syntax,cn=plugins,cn=config
Similarly, database-specific configuration is stored under cn=ldbm database,cn=plugins,cn=config for local databases and cn=chaining database,cn=plugins,cn=config for database links.
The following diagram illustrates how the configuration data fits within the cn=config directory information tree.
Figure 2-1 Directory information tree showing configuration data

2.1.1 LDIF and schema configuration files

The Directory Server configuration data is automatically output to files in LDIF format that are located in the /etc/opt/dirsrv/slapd-instance_name directory. Thus, if a server identifier is phonebook, then for a Directory Server, the configuration LDIF files are all stored under /etc/opt/dirsrv/slapd-phonebook.
This directory also contains other server instance-specific configuration files.
Schema configuration is also stored in LDIF format. The master schema directory is /etc/opt/dirsrv/schema, and the instance-specific schema directory is /etc/opt/dirsrv/slapd-instance_name/schema.
The following table lists all the configuration files that are supplied with the Directory Server, including those for the schema of other compatible servers. Each file is preceded by a number which indicates the order in which they should be loaded (in ascending numerical, then alphabetical order).
Table 2-1 Directory Server LDIF configuration files

Configuration file name    Purpose
dse.ldif                   Contains front-end Directory Specific Entries created by the directory at server startup. These include the Root DSE ("") and the contents of cn=config and cn=monitor (ACIs only).
00core.ldif                Contains only those schema definitions necessary for starting the server with the bare minimum feature set (no user schema, no schema for any non-core features). The rest of the schema used by users, features, and applications is found in 01common.ldif and the other schema files. Do not modify this file.
01common.ldif              Contains LDAPv3 standard operational schema, such as subschemaSubentry, LDAPv3 standard user and organization schema defined in RFC 2256 (based on X.520/X.521), inetOrgPerson and other widely-used attributes, and the operational attributes used by Directory Server configuration. Modifying this file causes interoperability problems. User-defined attributes should be added through the Directory Server Console.
05rfc2247.ldif             Schema from RFC 2247 and related pilot schema, from "Using Domains in LDAP/X500 Distinguished Names."
05rfc2927.ldif             Schema from RFC 2927, "MIME Directory Profile for LDAP Schema." Contains the ldapSchemas operational attribute required for the attribute to show up in the subschema subentry.
10presence.ldif            Legacy. Schema for instant messaging presence (online) information; the file lists the default object classes with the allowed attributes that must be added to a user's entry in order for instant-messaging presence information to be available for that user.
10rfc2307.ldif             Schema from RFC 2307, "An Approach for Using LDAP as a Network Information Service." This may be superseded by 10rfc2307bis, the new version of rfc2307, when that schema becomes available.
20subscriber.ldif          Contains new schema elements and the Nortel subscriber interoperability specification. Also contains the adminRole and memberOf attributes and inetAdmin object class, previously stored in the 50ns-delegated-admin.ldif file.
25java-object.ldif         Schema from RFC 2713, "Schema for Representing Java® Objects in an LDAP Directory."
28pilot.ldif               Contains pilot directory schema from RFC 1274, which is no longer recommended for new deployments. Future RFCs which succeed RFC 1274 may deprecate some or all 28pilot.ldif attribute types and classes.
30ns-common.ldif           Schema that contains object classes and attributes common to the Directory Server Console framework.
50ns-admin.ldif            Schema used by the Administration Server.
50ns-certificate.ldif      Schema for Dogtag Certificate System.
50ns-directory.ldif        Contains additional configuration schema used by Directory Server 4.16 and earlier versions of the directory, which is no longer applicable to current releases of Directory Server. This schema is required for replicating between Directory Server 4.16 and current releases.
50ns-mail.ldif             Schema used by Netscape Messaging Server to define mail users and mail groups.
50ns-value.ldif            Schema for servers' value item attributes.
50ns-web.ldif              Schema for Netscape Web Server.
60pam-plugin.ldif          Reserved for future use.
99user.ldif                User-defined schema maintained by Directory Server replication consumers which contains the attributes and object classes from the suppliers.

2.1.2 How the server configuration is organized

The dse.ldif file contains all configuration information including directory-specific entries created by the directory at server startup, such as entries related to the database. The file includes the root Directory Server entry (or DSE, named by "") and the contents of cn=config and cn=monitor.
When the server generates the dse.ldif file, it lists the entries in hierarchical order in the order that the entries appear in the directory under cn=config, which is usually the same order in which an LDAP search of subtree scope for base cn=config returns the entries.
dse.ldif also contains the cn=monitor entry, which is mostly read-only, but can have ACIs set on it.
NOTE:
The dse.ldif file does not contain every attribute in cn=config. If the attribute has not been set by the administrator and has a default value, the server will not write it to dse.ldif. To see every attribute in cn=config, use the ldapsearch command.
2.1.2.1 Configuration attributes
Within a configuration entry, each attribute is represented as an attribute name. The value of the attribute corresponds to the attribute's configuration.
The following code sample is an example of part of the dse.ldif file for a Directory Server. The example shows, among other things, that schema checking has been enabled; this is represented by the attribute nsslapd-schemacheck, which takes the value on.
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-localhost: phonebook.example.com
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: www
...
2.1.2.2 Configuration of plug-in functionality
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. The following code sample is an example of the configuration entry for an example plug-in, the Telephone Syntax plug-in.
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
Some of these attributes are common to all plug-ins, and some may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing a search with the ldapsearch utility on the cn=config subtree.
For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart for configuration changes, see Chapter 3 “Plug-in implemented server functionality reference”.
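The following Python reader is an added illustration; it is not part of the HP-UX Directory Server product or of this guide. It parses a dse.ldif-style dump such as the fragments shown in the two preceding sections and reports the schema-checking switch together with the enabled state of every plug-in entry directly under cn=plugins,cn=config, which is what a reviewer wants when checking that no plug-in has been silently switched off. It handles LDIF line folding (a continuation line begins with one space) and base64 values (written with "::"). The input is a constructed sample modelled on the cn=config and Telephone Syntax entries above; the folded nsslapd-localhost line and the third entry, "Example Preop Plugin", are invented for the demonstration and do not come from the product.

```python
"""Report plug-in and schema-checking state from a dse.ldif-style dump."""
import base64
from typing import Dict, List

# Constructed sample modelled on the dse.ldif fragments in this chapter; the
# folded nsslapd-localhost line exercises LDIF continuation, and the third
# entry ("Example Preop Plugin") is invented so something shows as disabled.
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-localhost: phonebook.
 example.com
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: www

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

dn: cn=Example Preop Plugin,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Example Preop Plugin
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: off
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF into {dn: {attribute: [values]}}.

    A line beginning with one space continues the previous line; "attr:: v"
    carries a base64 value; "#" lines are comments. Attribute names are
    lower-cased because LDAP attribute types are case-insensitive; DNs and
    values are kept exactly as written.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}
    dn = None
    for line in unfolded:
        if not line.strip():              # a blank line ends the entry
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: base64"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    if dn is not None:                    # input may not end with a blank line
        entries[dn] = current
    return entries


def plugin_states(entries: Dict[str, Entry]) -> Dict[str, bool]:
    """Map each plug-in entry directly under cn=plugins,cn=config to whether
    nsslapd-pluginEnabled is on; nested configuration entries are skipped."""
    states: Dict[str, bool] = {}
    for dn, attrs in entries.items():
        lowered = dn.lower()
        if lowered.endswith(",cn=plugins,cn=config") and lowered.count(",") == 2:
            cn = attrs.get("cn", [dn])[0]
            states[cn] = attrs.get("nsslapd-pluginenabled", ["off"])[0].lower() == "on"
    return states


def schema_checking_enabled(entries: Dict[str, Entry]) -> bool:
    """True when cn=config carries nsslapd-schemacheck: on."""
    config = entries.get("cn=config", {})
    return config.get("nsslapd-schemacheck", ["off"])[0].lower() == "on"


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_DSE_LDIF)
    print("schema checking:", "on" if schema_checking_enabled(parsed) else "off")
    for name, enabled in sorted(plugin_states(parsed).items()):
        print(f"{name}: {'enabled' if enabled else 'disabled'}")
```

To run this against a real instance, read /etc/opt/dirsrv/slapd-instance_name/dse.ldif (the path given earlier in this chapter) into parse_ldif(); remember that the file omits attributes left at their defaults, so a plug-in entry with no nsslapd-pluginEnabled line is reported as off here only because the reader assumes "off" when the attribute is absent.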
2.1.2.3 Configuration of databases
The cn=NetscapeRoot and cn=UserRoot subtrees under the database plug-in entry contain configuration data for the databases containing the o=NetscapeRoot suffix and the default suffix created during setup, such as dc=example,dc=com.
These entries and their children have many attributes used to configure different database settings, like the cache sizes, the paths to the index files and transaction logs, entries and attributes for monitoring and statistics; and database indexes.
2.1.2.4 Configuration of indexes
Configuration information for indexing is stored as entries in the Directory Server under the following information-tree nodes:
cn=index,cn=backend_instance,cn=ldbm database,cn=plugins,cn=config
cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
For more information about indexes in general, see the HP-UX Directory Server administrator guide. For information about the index configuration attributes, see “Database attributes under cn=config, cn=ldbm database, cn=plugins, cn=config”.

2.2 Accessing and modifying server configuration

This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions to the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.

2.2.1 Access control for configuration entries

When the Directory Server is installed, a default set of access control instructions (ACIs) is implemented for all entries under cn=config. The following code sample is an example of these default ACIs.
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) groupdn = "ldap:///ou=Directory Administrators, dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) groupdn = "ldap:///cn=slapd-phonebook, cn=HP-UX Directory Server, cn=Server Group, cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)
These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:
Members of the Configuration Administrators group.
The user acting as the administrator, the admin account that was configured at setup. By default, this is the same user account which is logged into the Console.
Members of the local Directory Administrators group.
The SIE (Server Instance Entry) group, usually assigned using the Set Access Permissions process in the main console.
For more information on access control, see the HP-UX Directory Server administrator guide.
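Because every subject named in these ACIs can reconfigure the running server over LDAP, the membership of those groups deserves periodic review. The following Python snippet is an added example, not part of the product or this guide: it parses ACIs of the single-bind-rule shape shown above and lists every subject granted allow (all) on targetattr "*". The four default ACIs are copied from the sample in this section; the fifth, "Auditors", is a constructed read-only ACI included for contrast. The regular expression covers only this simple shape; ACIs with targetfilter clauses, several bind rules or boolean operators do not match and are reported as unparsed rather than silently dropped.

```python
"""Audit the ACIs on cn=config: who may change the server configuration."""
import re
from typing import Dict, List, Optional

# The four default ACIs as this section lists them.
DEFAULT_CONFIG_ACIS = [
    '(targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) '
    'groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)',
    '(targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) '
    'userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)',
    '(targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) '
    'groupdn = "ldap:///ou=Directory Administrators, dc=example,dc=com";)',
    '(targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) '
    'groupdn = "ldap:///cn=slapd-phonebook, cn=HP-UX Directory Server, cn=Server Group, '
    'cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)',
]

# Constructed read-only ACI (not a server default) so the audit has a contrast.
CONSTRUCTED_AUDITOR_ACI = (
    '(targetattr = "*")(version 3.0; acl "Auditors"; allow (read,search,compare) '
    'groupdn = "ldap:///cn=Auditors,ou=Groups,dc=example,dc=com";)'
)

# Matches: (targetattr = "...")(version 3.0; acl "name"; allow|deny (rights) userdn|groupdn = "...";)
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bindtype>userdn|groupdn)\s*=\s*"(?P<subject>[^"]*)"\s*;\s*\)',
    re.IGNORECASE,
)


def parse_aci(aci: str) -> Optional[Dict[str, object]]:
    """Parse one single-bind-rule ACI; None when the text has another shape."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        return None
    rights = [r.strip().lower() for r in m.group("rights").split(",") if r.strip()]
    return {
        "name": m.group("name"),
        "targetattr": m.group("targetattr"),
        "effect": m.group("effect").lower(),
        "rights": rights,
        "bindtype": m.group("bindtype").lower(),
        "subject": m.group("subject"),
    }


def audit_config_acis(acis: List[str]) -> Dict[str, List[str]]:
    """Sort ACIs into full-control grants (allow all on every attribute),
    more limited grants, and text the parser could not interpret."""
    report: Dict[str, List[str]] = {"full_control": [], "limited": [], "unparsed": []}
    for aci in acis:
        parsed = parse_aci(aci)
        if parsed is None:
            report["unparsed"].append(aci)
        elif parsed["effect"] == "allow" and parsed["targetattr"] == "*" and "all" in parsed["rights"]:
            report["full_control"].append(f'{parsed["bindtype"]}={parsed["subject"]}')
        else:
            report["limited"].append(str(parsed["name"]))
    return report


if __name__ == "__main__":
    result = audit_config_acis(DEFAULT_CONFIG_ACIS + [CONSTRUCTED_AUDITOR_ACI])
    for subject in result["full_control"]:
        print("full control:", subject)
    print("limited:", result["limited"], "unparsed:", len(result["unparsed"]))
```

The aci values to feed in are the ones the ldapsearch on cn=config described later in this chapter returns; the four subjects printed are exactly the groups and account this section names, so anything extra in a real instance is a deviation from the shipped defaults worth explaining.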

2.2.2 Changing configuration attributes

Server attributes can be viewed and changed in one of three ways: through the Directory Server Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.
NOTE:
You must stop the server before editing the dse.ldif file; otherwise, the changes are lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See “Configuration changes requiring server restart” for further information.
The following sections describe how to modify entries using LDAP (both by using Directory Server Console and by using the command line), the restrictions that apply to modifying entries, the restrictions that apply to modifying attributes, and the configuration changes requiring restart.
2.2.2.1 Modifying configuration entries using LDAP
The configuration entries in the directory can be searched and modified using LDAP either through the Directory Server Console or by performing the ldapsearch and ldapmodify operations in the same way as for other directory entries. The advantage of using LDAP to modify entries is that changes can be made while the server is running.
For further information, see the chapter titled “Creating Directory Entries” in the HP-UX Directory Server administrator guide. However, certain changes do require the server to be restarted before they are taken into account. See “Configuration changes requiring server restart” for further information.
NOTE:
As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree as this risks affecting Directory Server functionality.
The entire configuration, including attributes that are set to default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:
# ldapsearch -b cn=config -D bindDN -w password
Where:
bindDN
is the DN chosen for the Directory Manager when the server was installed (cn=Directory Manager by default).
password
is the password chosen for the Directory Manager.
For more information on using the ldapsearch command, see “ldapsearch”.
To disable a plug-in, use the ldapmodify command to edit the nsslapd-pluginEnabled attribute:
# ldapmodify -D "cn=directory manager" -w password
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
2.2.2.2 Restrictions to modifying configuration entries and attributes
Certain restrictions apply when modifying server entries and attributes:
The cn=monitor entry and its child entries are read-only and cannot be modified, except to manage ACIs.
If an attribute is added to cn=config, the server ignores it.
If an invalid value is entered for an attribute, the server ignores it.
Because the ldapdelete command is used for deleting an entire entry, use the ldapmodify command to remove an attribute from an entry.
2.2.2.3 Configuration changes requiring server restart
Some configuration attributes cannot be altered while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file. Some of the attributes that require a server restart for any changes to take effect are listed below.
nsslapd-certdir
nsslapd-cachesize
nsslapd-dbncache
nsslapd-dbcachesize
nsslapd-changelogdir
nsslapd-plugin
nsslapd-changelogmaxentries
nsslapd-changelogmaxage
nsslapd-schemadir
nsslapd-port
nsslapd-secureport
nsslapd-saslpath
nsSSL2
nsslapd-tmpdir
nsSSLclientauth
nsSSL3
nsslapd-conntablesize
nsSSLSessionTimeout
nsslapd-maxdescriptors
nsslapd-lockdir
nsslapd-listenhost
nsslapd-reservedescriptors
nsslapd-securelistenhost
nsslapd-schema-ignore-trailing-spaces
nsslapd-return-exact-case
nsslapd-workingdir
This list is not exhaustive; to see a complete list, run the ldapsearch command and search for the nsslapd-requiresrestart attribute. For example:
# ldapsearch -p 389 -D "cn=directory manager" \
  -w password -s sub -b "cn=config" \
  "(objectclass=*)" | grep nsslapd-requiresrestart

2.3 Core server configuration attributes reference

This section contains reference information on the configuration attributes that are relevant to the core server functionality. For information on changing server configuration, see “Accessing and modifying server configuration”. For a list of server features that are implemented as plug-ins, see “Server plug-in functionality reference”. For help with implementing custom server functionality, contact HP support.
The configuration information stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config, as shown in Figure 2-1.
Figure 2-2 Directory information tree showing configuration data
Most of these configuration tree nodes are covered in the following sections.
The cn=plugins node is covered in Chapter 3 “Plug-in implemented server functionality reference”. The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.
NOTE:
Some of the entries and attributes described in this chapter may change in future releases of the product.

2.3.1 cn=config

General configuration entries are stored in the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from the extensibleObject object class.
2.3.1.1 nsslapd-accesslog (Access log)
This attribute specifies the path and file name of the log used to record each LDAP access. The following information is recorded by default in the log file:
IP address of the client machine that accessed the database.
Operations performed (for example, search, add, and modify).
Result of the access (for example, the number of entries returned or an error code).
The following table describes the attribute parameters:
Parameter      Description
Entry DN       cn=config
Valid Values   Any valid file name.
Default Value  /var/opt/dirsrv/slapd-instance_name/log/access
Syntax         DirectoryString
Example        nsslapd-accesslog: /var/opt/dirsrv/slapd-example/log/access
For more information on turning access logging off, see the "Monitoring Server and Database Activity" chapter in the HP-UX Directory Server administrator guide.
For access logging to be enabled, the nsslapd-accesslog attribute must contain a valid path, and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. Table 2-2 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Table 2-2 Attribute values for enabling or disabling access logging

Value of the nsslapd-accesslog-logging-enabled attribute    Value of the nsslapd-accesslog attribute    Resulting logging state
on                                                          empty string                                Disabled
on                                                          filename                                    Enabled
off                                                         empty string                                Disabled
off                                                         filename                                    Disabled
2.3.1.2 nsslapd-accesslog-level (Access log level)
This attribute controls what is logged to the access log.
Parameter      Description
Entry DN       cn=config
Valid Values   0: No access logging
               4: Logging for internal access operations
               256: Logging for connections, operations, and results
               512: Logging for access to an entry and referrals
               131072: Provides microsecond operation timing
               These values can be added together to provide the exact type of logging required; for example, 516 (4 + 512) to obtain internal access operation, entry access, and referral logging.
Default Value  256
Syntax         Integer
Example        nsslapd-accesslog-level: 256
2.3.1.3 nsslapd-accesslog-list (List of access log files)
This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation.
Parameter      Description
Entry DN       cn=config
Valid Values
Default Value  None
Syntax         DirectoryString
Example        nsslapd-accesslog-list: accesslog2,accesslog3
2.3.1.4 nsslapd-accesslog-logbuffering (Log buffering)
When set to off, the server writes all access log entries directly to disk. Buffering allows the server to use access logging even when under a heavy load without significantly impacting performance. However, when debugging, it is sometimes useful to disable buffering in order to see the operations and their results right away instead of having to wait for the log entries to be flushed to the file. Disabling log buffering can severely impact performance in heavily loaded servers.
Parameter      Description
Entry DN       cn=config
Valid Values   on or off
Default Value  on
Syntax         DirectoryString
Example        nsslapd-accesslog-logbuffering: off
2.3.1.5 nsslapd-accesslog-logexpirationtime (Access log expiration time)
This attribute specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
Parameter      Description
Entry DN       cn=config
Valid Range    –1 to the maximum 32-bit integer value (2147483647). A value of -1 or 0 means that the log never expires.
Default Value  –1
Syntax         Integer
Example        nsslapd-accesslog-logexpirationtime: 2
2.3.1.6 nsslapd-accesslog-logexpirationtimeunit (Access log expiration time unit)
This attribute specifies the units for nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
Parameter      Description
Entry DN       cn=config
Valid Values   month | week | day
Default Value  month
Syntax         DirectoryString
Example        nsslapd-accesslog-logexpirationtimeunit: week
2.3.1.7 nsslapd-accesslog-logging-enabled (Access log enable logging)
This attribute disables or enables access logging, but only in conjunction with the nsslapd-accesslog attribute, which specifies the path and parameter of the log used to record each database access. The following table describes the attribute parameters.
Parameter        Description
Entry DN         cn=config
Valid Values     on or off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-accesslog-logging-enabled: off
For access logging to be enabled, this attribute must be switched to on, and the nsslapd-accesslog configuration attribute must have a valid path and parameter. Table 2-3 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Table 2-3 Attribute values for enabling or disabling access logging
Value of nsslapd-accesslog-logging-enabled   Value of nsslapd-accesslog   Resulting logging state
on                                           empty string                 Disabled
on                                           filename                     Enabled
off                                          empty string                 Disabled
off                                          filename                     Disabled
2.3.1.8 nsslapd-accesslog-logmaxdiskspace (Access log maximum disk space)
This attribute specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
Parameter        Description
Entry DN         cn=config
Valid Range      -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the disk space allowed to the access log is unlimited in size.
Default Value    500
Syntax           Integer
Example          nsslapd-accesslog-logmaxdiskspace: 200
2.3.1.9 nsslapd-accesslog-logminfreediskspace (Access log minimum free disk space)
This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest access logs are deleted until enough disk space has been freed to satisfy this attribute.
Parameter        Description
Entry DN         cn=config
Valid Range      1 to the maximum 32-bit integer value (2147483647)
Default Value    5
Syntax           Integer
Example          nsslapd-accesslog-logminfreediskspace: 4
2.3.1.10 nsslapd-accesslog-logrotationsync-enabled (Access log rotation sync enabled)
This attribute sets whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For access log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate access log files every day at midnight, enable this attribute by setting its value to on, then set the values of the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attributes to 0.
Parameter        Description
Entry DN         cn=config
Valid Values     on or off
Default Value    off
Syntax           DirectoryString
Example          nsslapd-accesslog-logrotationsync-enabled: on
2.3.1.11 nsslapd-accesslog-logrotationsynchour (Access log rotation sync hour)
This attribute sets the hour of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes.
Parameter        Description
Entry DN         cn=config
Valid Range      0 through 23
Default Value    0
Syntax           Integer
Example          nsslapd-accesslog-logrotationsynchour: 23
2.3.1.12 nsslapd-accesslog-logrotationsyncmin (Access log rotation sync minute)
This attribute sets the minute of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.
Parameter        Description
Entry DN         cn=config
Valid Range      0 through 59
Default Value    0
Syntax           Integer
Example          nsslapd-accesslog-logrotationsyncmin: 30
2.3.1.13 nsslapd-accesslog-logrotationtime (Access log rotation time)
This attribute sets the time between access log file rotations. The access log is rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
Although specifying no log rotation is not recommended for performance reasons, because the log then grows indefinitely, there are two ways of specifying it: either set the nsslapd-accesslog-maxlogsperdir attribute value to 1, or set the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first, and only if that value is larger than 1 does it then check the nsslapd-accesslog-logrotationtime attribute. See "nsslapd-accesslog-maxlogsperdir (Access log maximum number of log files)" for more information.
Parameter        Description
Entry DN         cn=config
Valid Range      -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the time between access log file rotations is unlimited.
Default Value    1
Syntax           Integer
Example          nsslapd-accesslog-logrotationtime: 100
2.3.1.14 nsslapd-accesslog-logrotationtimeunit (Access log rotation time unit)
This attribute sets the units for the nsslapd-accesslog-logrotationtime attribute.
Parameter        Description
Entry DN         cn=config
Valid Values     month | week | day | hour | minute
Default Value    day
Syntax           DirectoryString
Example          nsslapd-accesslog-logrotationtimeunit: week
2.3.1.15 nsslapd-accesslog-maxlogsize (Access log maximum log size)
This attribute sets the maximum access log size in megabytes. When this value is reached, the access log is rotated. That means the server starts writing log information to a new log file. If the nsslapd-accesslog-maxlogsperdir attribute is set to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
Parameter        Description
Entry DN         cn=config
Valid Range      -1 | 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Default Value    100
Syntax           Integer
Example          nsslapd-accesslog-maxlogsize: 100
2.3.1.16 nsslapd-accesslog-maxlogsperdir (Access log maximum number of log files)
This attribute sets the total number of access logs that can be contained in the directory where the access log is stored. Each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored in this attribute, then the oldest version of the log file is deleted.
NOTE: For performance reasons, HP recommends not setting this value to 1, because the server then does not rotate the log and it grows indefinitely.
If the value for this attribute is higher than 1, check the nsslapd-accesslog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, there is no log rotation. See "nsslapd-accesslog-logrotationtime (Access log rotation time)" for more information.
Parameter        Description
Entry DN         cn=config
Valid Range      1 to the maximum 32-bit integer value (2147483647)
Default Value    10
Syntax           Integer
Example          nsslapd-accesslog-maxlogsperdir: 10
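The rules in Table 2-3 and in sections 2.3.1.5, 2.3.1.6, 2.3.1.13 and 2.3.1.16 can be checked mechanically against an exported cn=config entry. The following is an added example, not code from the HP-UX Directory Server guide or product: the attribute names and defaults are the ones documented above, while the LDIF fragment, its values and the function names are constructed for this example.

```python
# Added example, not from the HP guide: evaluate the access-log rules above
# against a constructed cn=config fragment (attribute names are real; values are sample).
SAMPLE_DSE_LDIF = """\
dn: cn=config
nsslapd-accesslog: /var/opt/dirsrv/slapd-example/log/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-accesslog-logrotationtime: -1
nsslapd-accesslog-logexpirationtime: 2
nsslapd-accesslog-logexpirationtimeunit: fortnight
"""

def parse_config(ldif: str) -> dict:
    """Map attribute name (lower-cased) to value; single-valued attributes only."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith("dn:"):
            name, _, value = line.partition(":")
            attrs[name.strip().lower()] = value.strip()
    return attrs

def logging_state(path: str, enabled: str) -> str:
    """Table 2-3: Enabled only when a path is set and the switch is on."""
    return "Enabled" if path and enabled.lower() == "on" else "Disabled"

def rotation_enabled(attrs: dict) -> bool:
    """maxlogsperdir is checked first; logrotationtime only matters when it is > 1."""
    if int(attrs.get("nsslapd-accesslog-maxlogsperdir", "10")) <= 1:
        return False
    return int(attrs.get("nsslapd-accesslog-logrotationtime", "1")) != -1

def expiration_enabled(attrs: dict) -> bool:
    """-1 or 0, or a unit the server does not know, means the log never expires."""
    age = int(attrs.get("nsslapd-accesslog-logexpirationtime", "-1"))
    unit = attrs.get("nsslapd-accesslog-logexpirationtimeunit", "month")
    return age > 0 and unit in ("month", "week", "day")

def audit_access_log(attrs: dict) -> list:
    """Return the findings a configuration review would flag."""
    findings = []
    if logging_state(attrs.get("nsslapd-accesslog", ""),
                     attrs.get("nsslapd-accesslog-logging-enabled", "on")) == "Disabled":
        findings.append("access logging is disabled")
    if not rotation_enabled(attrs):
        findings.append("access log is never rotated and grows indefinitely")
    if not expiration_enabled(attrs):
        findings.append("rotated access logs never expire")
    return findings
```

Run against the sample, audit_access_log reports both the -1 rotation time and the unrecognized expiration unit, the two silent ways the guide says an access log ends up growing without limit.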
2.3.1.17 nsslapd-accesslog-mode (Access log file permission)
This attribute sets the access mode or file permission with which access log files are to be created. The valid values are any combination of 000 to 777 (these mirror the numbered or absolute UNIX file permissions). The value must be a 3-digit number, with each digit ranging from 0 through 7:
Digit   Description
0       None
1       Execute only
2       Write only
3       Write and execute
4       Read only
5       Read and execute
6       Read and write
7       Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 prevents access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode takes effect immediately for any open log file, as well as for any log files that are created subsequently.
NOTE: Any umask set for the runtime user of the Directory Server causes the effective mode to be more restrictive.
Parameter        Description
Entry DN         cn=config
Valid Range      000 through 777
Default Value    600
Syntax           Integer
Example          nsslapd-accesslog-mode: 600
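Because the runtime user's umask only ever removes bits, the mode a new log file actually gets is the configured value with the umask bits cleared. The following added example (not code from the HP guide or the product) decodes an nsslapd-accesslog-mode value with the digit table above, applies a umask, and flags the two pitfalls the section warns about; the attribute name and digit meanings are from the guide, the helper names are constructed.

```python
# Added example, not from the HP guide: decode nsslapd-accesslog-mode and apply
# the runtime user's umask to get the effective mode of a newly created log file.
# Attribute name and the digit table are from the guide; helper names are constructed.
DIGIT_MEANING = {0: "None", 1: "Execute only", 2: "Write only", 3: "Write and execute",
                 4: "Read only", 5: "Read and execute", 6: "Read and write",
                 7: "Read, write, and execute"}

def parse_mode(value: str) -> int:
    """Validate the 3-digit 000..777 form the attribute requires and return it as an int."""
    if len(value) != 3 or any(ch not in "01234567" for ch in value):
        raise ValueError(f"nsslapd-accesslog-mode must be three octal digits, got {value!r}")
    return int(value, 8)

def effective_mode(value: str, umask: int) -> int:
    """Bits set in the umask are cleared; the umask can only make the mode stricter."""
    return parse_mode(value) & ~umask & 0o777

def describe(mode: int) -> dict:
    """Owner/group/other permissions in the wording of the digit table above."""
    return {"owner": DIGIT_MEANING[(mode >> 6) & 7],
            "group": DIGIT_MEANING[(mode >> 3) & 7],
            "other": DIGIT_MEANING[mode & 7]}

def mode_findings(value: str, umask: int = 0o022) -> list:
    """Flag the pitfalls the guide calls out: 000 (no access) and world-writable logs."""
    mode = effective_mode(value, umask)
    findings = []
    if mode == 0:
        findings.append("mode 000: nobody, not even the server owner, can read the logs")
    if mode & 0o002:
        findings.append("world-writable: any local user can overwrite or delete the logs")
    if mode & 0o004:
        findings.append("world-readable: every local user can read the access log")
    return findings
```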
2.3.1.18 nsslapd-attribute-name-exceptions
This attribute allows non-standard characters, such as "_", to be used in schema-defined attribute names for backwards compatibility with older servers.
Parameter        Description
Entry DN         cn=config
Valid Values     on or off
Default Value    off
Syntax           DirectoryString
Example          nsslapd-attribute-name-exceptions: on
2.3.1.19 nsslapd-auditlog (Audit log)
This attribute sets the path and file name of the log used to record changes made to each database.
Parameter        Description
Entry DN         cn=config
Valid Values     Any valid file name
Default Value    /var/opt/dirsrv/slapd-instance_name/log/audit
Syntax           DirectoryString
Example          nsslapd-auditlog: /var/opt/dirsrv/slapd-example/log/audit
For audit logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on.
Table 2-4 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
Table 2-4 Attribute values for enabling or disabling audit logging
Value of nsslapd-auditlog-logging-enabled   Value of nsslapd-auditlog   Resulting logging state
on                                          empty string                Disabled
on                                          filename                    Enabled