Red Hat 8.1 User Manual

Red Hat Directory Server 8.1
Configuration and Command Reference
Configuring and managing Red Hat Directory Server 8.1 with command-line utilities
Edition 8.1.10
Ella Deon Lackey
Copyright © 2009 Red Hat, Inc.
Legal Notice
Copyright © 2009 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive, Raleigh, NC 27606-2072 USA. Phone: +1 919 754 3700. Phone: 888 733 4281. Fax: +1 919 754 3701.
April 28, 2009, updated on February 11, 2010
Abstract
This reference covers the server configuration and the command-line utilities. It is designed primarily for directory administrators and experienced directory users who want to use the command-line to access the directory. After configuring the server, use this reference to help maintain it.
Table of Contents
About This Reference
1. Directory Server Overview
2. Examples and Formatting
2.1. Command and File Examples
2.2. Tool Locations
2.3. LDAP Locations
2.4. Text Formatting and Styles
3. Additional Reading
4. Giving Feedback
5. Documentation History
1. Introduction
1.1. Directory Server Configuration
1.2. Directory Server Instance File Reference
1.3. Using Directory Server Command-Line Utilities
1.4. Using Directory Server Command-Line Scripts
2. Core Server Configuration Reference
2.1. Overview of the Directory Server Configuration
2.1.1. LDIF and Schema Configuration Files
2.1.2. How the Server Configuration Is Organized
2.2. Accessing and Modifying Server Configuration
2.2.1. Access Control for Configuration Entries
2.2.2. Changing Configuration Attributes
2.3. Core Server Configuration Attributes Reference
2.3.1. cn=config
2.3.2. cn=changelog5
2.3.3. cn=encryption
2.3.4. cn=features
2.3.5. cn=mapping tree
2.3.6. Suffix Configuration Attributes under cn="suffixName"
2.3.7. Replication Attributes under cn=replica, cn="suffixDN", cn=mapping tree, cn=config
2.3.8. Replication Attributes under cn=ReplicationAgreementName, cn=replica, cn="suffixName", cn=mapping tree, cn=config
2.3.9. Synchronization Attributes under cn=syncAgreementName, cn=WindowsReplica, cn="suffixName", cn=mapping tree, cn=config
2.3.10. cn=monitor
2.3.11. cn=replication
2.3.12. cn=sasl
2.3.13. cn=SNMP
2.3.14. SNMP Statistic Attributes
2.3.15. cn=tasks
2.3.16. cn=uniqueid generator
2.4. Configuration Object Classes
2.4.1. changeLogEntry (Object Class)
2.4.2. directoryServerFeature (Object Class)
2.4.3. nsBackendInstance (Object Class)
2.4.4. nsChangelog4Config (Object Class)
2.4.5. nsContainer (Object Class)
2.4.6. nsDS5Replica (Object Class)
2.4.7. nsDS5ReplicationAgreement (Object Class)
2.4.8. nsDSWindowsReplicationAgreement (Object Class)
2.4.9. nsMappingTree (Object Class)
2.4.10. nsSaslMapping (Object Class)
2.4.11. nsslapdConfig (Object Class)
2.4.12. passwordpolicy (Object Class)
2.5. Legacy Attributes
2.5.1. Legacy Server Attributes
2.5.2. Legacy Replication Attributes
3. Plug-in Implemented Server Functionality Reference
3.1. Server Plug-in Functionality Reference
3.1.1. 7-bit Check Plug-in
3.1.2. ACL Plug-in
3.1.3. ACL Preoperation Plug-in
3.1.4. Attribute Uniqueness Plug-in
3.1.5. Binary Syntax Plug-in
3.1.6. Boolean Syntax Plug-in
3.1.7. Case Exact String Syntax Plug-in
3.1.8. Case Ignore String Syntax Plug-in
3.1.9. Chaining Database Plug-in
3.1.10. Class of Service Plug-in
3.1.11. Country String Syntax Plug-in
3.1.12. Distinguished Name Syntax Plug-in
3.1.13. Distributed Numeric Assignment Plug-in
3.1.14. Generalized Time Syntax Plug-in
3.1.15. HTTP Client Plug-in
3.1.16. Integer Syntax Plug-in
3.1.17. Internationalization Plug-in
3.1.18. JPEG Syntax Plug-in
3.1.19. ldbm database Plug-in
3.1.20. Legacy Replication Plug-in
3.1.21. MemberOf Plug-in
3.1.22. Multi-master Replication Plug-in
3.1.23. Octet String Syntax Plug-in
3.1.24. OID Syntax Plug-in
3.1.25. Password Storage Schemes
3.1.26. Postal Address String Syntax Plug-in
3.1.27. PTA Plug-in
3.1.28. Referential Integrity Postoperation Plug-in
3.1.29. Retro Changelog Plug-in
3.1.30. Roles Plug-in
3.1.31. Schema Reload Plug-in
3.1.32. Space Insensitive String Syntax Plug-in
3.1.33. State Change Plug-in
3.1.34. Telephone Syntax Plug-in
3.1.35. URI Syntax Plug-in
3.1.36. Views Plug-in
3.2. List of Attributes Common to All Plug-ins
3.2.1. nsSlapdPlugin
3.2.2. nsslapd-pluginPath
3.2.3. nsslapd-pluginInitfunc
3.2.4. nsslapd-pluginType
3.2.5. nsslapd-pluginEnabled
3.2.6. nsslapd-pluginId
3.2.7. nsslapd-pluginVersion
3.2.8. nsslapd-pluginVendor
3.2.9. nsslapd-pluginDescription
3.3. Attributes Allowed by Certain Plug-ins
3.3.1. nsslapd-pluginLoadNow
3.3.2. nsslapd-pluginLoadGlobal
3.3.3. nsslapd-plugin-depends-on-type
3.3.4. nsslapd-plugin-depends-on-named
3.4. Database Plug-in Attributes
3.4.1. Database Attributes under cn=config, cn=ldbm database, cn=plugins, cn=config
3.4.2. Database Attributes under cn=monitor, cn=ldbm database, cn=plugins, cn=config
3.4.3. Database Attributes under cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=userRoot, cn=ldbm database, cn=plugins, cn=config
3.4.4. Database Attributes under cn=database, cn=monitor, cn=ldbm database, cn=plugins, cn=config
3.4.5. Database Attributes under cn=default indexes, cn=config, cn=ldbm database, cn=plugins, cn=config
3.4.6. Database Attributes under cn=monitor, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config
3.4.7. Database Attributes under cn=index, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config and cn=index, cn=UserRoot, cn=ldbm database, cn=plugins, cn=config
3.4.8. Database Attributes under cn=attributeName, cn=encrypted attributes, cn=database_name, cn=ldbm database, cn=plugins, cn=config
3.5. Database Link Plug-in Attributes (Chaining Attributes)
3.5.1. Database Link Attributes under cn=config, cn=chaining database, cn=plugins, cn=config
3.5.2. Database Link Attributes under cn=default instance config, cn=chaining database, cn=plugins, cn=config
3.5.3. Database Link Attributes under cn=database_link_name, cn=chaining database, cn=plugins, cn=config
3.5.4. Database Link Attributes under cn=monitor, cn=database instance name, cn=chaining database, cn=plugins, cn=config
3.6. Retro Changelog Plug-in Attributes
3.6.1. nsslapd-changelogdir
3.6.2. nsslapd-changelogmaxage (Max Changelog Age)
3.7. Distributed Numeric Assignment Plug-in Attributes
3.7.1. dnaFilter
3.7.2. dnaMagicRegen
3.7.3. dnaMaxValue
3.7.4. dnaNextRange
3.7.5. dnaNextValue
3.7.6. dnaPrefix
3.7.7. dnaRangeRequestTimeout
3.7.8. dnaScope
3.7.9. dnaSharedCfgDN
3.7.10. dnaThreshold
3.7.11. dnaType
3.8. MemberOf Plug-in Attributes
3.8.1. memberofattr
3.8.2. memberofgroupattr
4. Server Instance File Reference
4.1. Overview of Directory Server Files
4.2. Backup Files
4.3. Configuration Files
4.4. Database Files
4.5. LDIF Files
4.6. Lock Files
4.7. Log Files
4.8. PID Files
4.9. Tools
4.10. Scripts
5. Log File Reference
5.1. Access Log Reference
5.1.1. Access Logging Levels
5.1.2. Default Access Logging Content
5.1.3. Access Log Content for Additional Access Logging Levels
5.1.4. Common Connection Codes
5.2. Error Log Reference
5.2.1. Error Log Logging Levels
5.2.2. Error Log Content
5.2.3. Error Log Content for Other Log Levels
5.3. Audit Log Reference
5.4. LDAP Result Codes
6. Command-Line Utilities
6.1. Finding and Executing Command-Line Utilities
6.2. Using Special Characters
6.3. Command-Line Utilities Quick Reference
6.4. ldapsearch
6.5. ldapmodify
6.6. ldapdelete
6.7. ldappasswd
6.8. ldif
6.9. dbscan
7. Command-Line Scripts
7.1. Finding and Executing Command-Line Scripts
7.2. Command-Line Scripts Quick Reference
7.3. Shell Scripts
7.3.1. bak2db (Restores a Database from Backup)
7.3.2. cl-dump (Dumps and Decodes the Changelog)
7.3.3. db2bak (Creates a Backup of a Database)
7.3.4. db2ldif (Exports Database Contents to LDIF)
7.3.5. db2index (Reindexes Database Index Files)
7.3.6. dbverify (Checks for Corrupt Databases)
7.3.7. ds_removal
7.3.8. ldif2db (Import)
7.3.9. ldif2ldap (Performs Import Operation over LDAP)
7.3.10. monitor (Retrieves Monitoring Information)
7.3.11. repl-monitor (Monitors Replication Status)
7.3.12. pwdhash (Prints Encrypted Passwords)
7.3.13. restart-slapd (Restarts the Directory Server)
7.3.14. restoreconfig (Restores Administration Server Configuration)
7.3.15. saveconfig (Saves Administration Server Configuration)
7.3.16. start-slapd (Starts the Directory Server)
7.3.17. stop-slapd (Stops the Directory Server)
7.3.18. suffix2instance (Maps a Suffix to a Backend Name)
7.3.19. vlvindex (Creates Virtual List View Indexes)
7.4. Perl Scripts
7.4.1. bak2db.pl (Restores a Database from Backup)
7.4.2. cl-dump.pl (Dumps and Decodes the Changelog)
7.4.3. db2bak.pl (Creates a Backup of a Database)
7.4.4. db2index.pl (Creates and Generates Indexes)
7.4.5. db2ldif.pl (Exports Database Contents to LDIF)
7.4.6. fixup-memberof.pl (Regenerate memberOf Attributes)
7.4.7. ldif2db.pl (Import)
7.4.8. logconv.pl (Log Converter)
7.4.9. migrate-ds.pl
7.4.10. migrate-ds-admin.pl
7.4.11. ns-accountstatus.pl (Establishes Account Status)
7.4.12. ns-activate.pl (Activates an Entry or Group of Entries)
7.4.13. ns-inactivate.pl (Inactivates an Entry or Group of Entries)
7.4.14. ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)
7.4.15. register-ds-admin.pl
7.4.16. remove-ds.pl
7.4.17. repl-monitor.pl (Monitors Replication Status)
7.4.18. schema-reload.pl (Reload Schema Files Dynamically)
7.4.19. setup-ds.pl
7.4.20. setup-ds-admin.pl
7.4.21. verify-db.pl (Check for Corrupt Databases)
A. Using the ns-slapd Command-Line Utilities
A.1. Overview of ns-slapd
A.2. Finding and Executing the ns-slapd Command-Line Utilities
A.3. Utilities for Exporting Databases: db2ldif
A.4. Utilities for Restoring and Backing up Databases: ldif2db
A.5. Utilities for Restoring and Backing up Databases: archive2db
A.6. Utilities for Restoring and Backing up Databases: db2archive
A.7. Utilities for Creating and Regenerating Indexes: db2index
Glossary
Index
About This Reference
Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in an intranet, over an extranet with trading partners, or over the public Internet to reach customers.
This reference covers the server configuration and the command-line utilities. It is designed primarily for directory administrators and experienced directory users who want to use the command-line to access the directory. After configuring the server, use this reference to help maintain it.
The Directory Server can also be managed through the Directory Server Console, a graphical user interface. The Red Hat Directory Server Administrator's Guide describes how to do this and explains individual administration tasks more fully.
1. Directory Server Overview
The major components of Directory Server include:
An LDAP server – The LDAP v3-compliant network daemon.
Directory Server Console – A graphical management console that dramatically reduces the effort of setting up and maintaining your directory service.
SNMP agent – Can monitor the Directory Server using the Simple Network Management Protocol (SNMP).
2. Examples and Formatting
Each of the examples used in this guide, such as file locations and commands, have certain defined conventions.
2.1. Command and File Examples
All of the examples for Red Hat Directory Server commands, file locations, and other usage are given for Red Hat Enterprise Linux 5 (32-bit) systems. Be certain to use the appropriate commands and files for your platform.
Example 1. Example Command
To start the Red Hat Directory Server:
service dirsrv start
2.2. Tool Locations
The tools for Red Hat Directory Server are located in the /usr/bin and the /usr/sbin directories. These tools can be run from any location without specifying the tool location.
2.3. LDAP Locations
There is another important consideration with the Red Hat Directory Server tools. The LDAP tools referenced in this guide are Mozilla LDAP, installed with Red Hat Directory Server in the /usr/lib/mozldap directory on Red Hat Enterprise Linux 5 (32-bit) (or /usr/lib64/mozldap for 64-bit systems).
However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the /usr/bin directory. It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL, which OpenLDAP tools use by default. Note that -x selects simple authentication, which sends the bind password over the connection in the clear; on anything other than a trusted network, combine it with an SSL/TLS connection (an ldaps:// URL, or the -ZZ StartTLS option of the OpenLDAP tools).
2.4. Text Formatting and Styles
Certain words are represented in different fonts, styles, and weights. Different character formatting is used to indicate the function or purpose of the phrase being highlighted.
Formatting Style: Purpose
Monospace font: Monospace is used for commands, package names, files and directory paths, and any text displayed in a prompt.
Monospace with a background: This type of formatting is used for anything entered or returned in a command prompt.
Italicized text: Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase.
Bolded text: Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button.
Other formatting styles draw attention to important text.
NOTE
A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue.
IMPORTANT
Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
WARNING
A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.
3. Additional Reading
The Directory Server Administrator's Guide describes how to set up, configure, and administer Red Hat Directory Server and its contents. This manual does not describe many of the basic directory and architectural concepts that you need to deploy, install, and administer a directory service successfully. Those concepts are contained in the Red Hat Directory Server Deployment Guide. You should read that book before continuing with this manual.
When you are familiar with Directory Server concepts and have done some preliminary planning for your directory service, install the Directory Server. The instructions for installing the various Directory Server components are contained in the Red Hat Directory Server Installation Guide. Many of the scripts and commands used to install and administer the Directory Server are explained in detail in the Red Hat Directory Server Configuration, Command, and File Reference.
Also, Managing Servers with Red Hat Console contains general background information on how to use the Red Hat Console. You should read and understand the concepts in that book before you attempt to administer Directory Server.
The document set for Directory Server contains the following guides:
Red Hat Directory Server Release Notes contain important information on new features, fixed bugs, known issues and workarounds, and other important deployment information for this specific version of Directory Server.
Red Hat Directory Server Deployment Guide provides an overview for planning a deployment of the Directory Server.
Red Hat Directory Server Administrator's Guide contains procedures for the day-to-day maintenance of the directory service. Includes information on configuring server-side plug-ins.
Red Hat Directory Server Configuration, Command, and File Reference provides reference information on the command-line scripts, configuration attributes, and log files shipped with Directory Server.
Red Hat Directory Server Installation Guide contains procedures for installing your Directory Server as well as procedures for migrating from a previous installation of Directory Server.
Red Hat Directory Server Schema Reference provides reference information about the Directory Server schema.
Red Hat Directory Server Plug-in Programmer's Guide describes how to write server plug-ins in order to customize and extend the capabilities of Directory Server.
Using Red Hat Console gives an overview of the primary user interface and how it interacts with the Directory Server and Administration Server, as well as how to perform basic management tasks through the main Console window.
Using the Admin Server describes the different tasks and tools associated with the Administration Server and how to use the Administration Server with the Configuration and User Directory Server instances.
For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, see the Red Hat Directory Server documentation site at http://www.redhat.com/docs/manuals/dir-server/.
4. Giving Feedback
If there is any error in this Configuration, Command, and File Reference or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Directory Server through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:
Select the Red Hat Directory Server product.
Set the component to Doc - cli-guide.
Set the version number to 8.1.
For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo.
For enhancements, put in what information needs to be added and why.
Give a clear title for the bug. For example, "Incorrect command example for setup script options" is better than "Bad example".
We appreciate receiving any feedback — requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at mailto:docs@redhat.com.
5. Documentation History
Revision 8.1.10, July 29, 2010, Ella Deon Lackey
Adding information about setting an idle timeout period for large databases for the replication user, per Bugzilla #618055.
Revision 8.1.9, February 11, 2010, Ella Deon Lackey
Clarifying how passwordUnlock works, per Bugzilla #552377. Changing the nsDirectoryServerTask object class to extensibleObject, per Bugzilla #555787. Adding extra reference to the 64-bit tools directory, per Bugzilla #554972.
Revision 8.1.8, January 11, 2010, Ella Deon Lackey
Adding section on nsslapd-cachememsize and the import buffer size, per Bugzilla #531043.
Revision 8.1.7, October 10, 2009, Ella Deon Lackey
Fixing two plug-in descriptions.
Revision 8.1.6, September 19, 2009, Ella Deon Lackey
Removing the silent configuration parameters for the register-ds-admin.pl script, per Bugzilla #514231.
Revision 8.1.5, September 9, 2009, Ella Deon Lackey
Removing any references to the Directory Server Gateway or Org Chart.
Revision 8.1.4, September 4, 2009, Ella Deon Lackey
Correcting the directory paths for configuration LDIF files, per Bugzilla #521139.
Revision 8.1.3, August 26, 2009, Ella Deon Lackey
Adding information about setting database and entry cache memory sizes and clarifying the units of measurement for the attributes, per Bugzilla #503615.
Revision 8.1.2, August 4, 2009, Ella Deon Lackey
Changed the default on the nsslapd-cache-autosize parameter to 0, per Bugzilla #514282.
Revision 8.1.1, July 19, 2009, Ella Deon Lackey
Expanding the description of dnaNextRange, Bugzilla #512557.
Revision 8.1.0, April 28, 2009, Ella Deon Lackey
Initial draft for version 8.1.
Chapter 1. Introduction
Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed to manage large scale directories to support an enterprise-wide directory of users and resources, extranets, and e-commerce applications over the Internet. The Directory Server runs as the ns-slapd process or service on the machine. The server manages the directory databases and responds to client requests.
This reference deals with the other methods of managing the Directory Server by altering the server configuration attributes using the command line and using command-line utilities and scripts.
1.1. Directory Server Configuration
The format and method for storing configuration information for Directory Server and a listing for all server attributes are found in two chapters, Chapter 2, Core Server Configuration Reference and Chapter 3, Plug-in Implemented Server Functionality Reference.
1.2. Directory Server Instance File Reference
Chapter 4, Server Instance File Reference has an overview of the files and configuration information stored in each instance of Directory Server. This reference helps administrators understand which files change, and which do not, in the course of normal directory activity. From a security standpoint, it also helps detect errors and intrusions: once the normal pattern of changes to the instance files is known, abnormal changes stand out.
1.3. Using Directory Server Command-Line Utilities
Directory Server comes with a set of configurable command-line utilities that can search and modify entries in the directory and administer the server. Chapter 6, Command-Line Utilities describes these command-line utilities and contains information on where the utilities are stored and how to access them. In addition to these command-line utilities, Directory Server also provides ns-slapd command-line utilities for performing directory operations, as described in Appendix A, Using the ns-slapd Command-Line Utilities.
1.4. Using Directory Server Command-Line Scripts
In addition to command-line utilities, several non-configurable scripts are provided with the Directory Server that make it quick and easy to perform routine server administration tasks from the command-line.
Chapter 7, Command-Line Scripts lists the most frequently used scripts and contains information on where the scripts are stored and how to access them.
Chapter 2. Core Server Configuration Reference
The configuration information for Red Hat Directory Server is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server using LDAP while it is still running, thus avoiding the need to shut the server down for most configuration changes.
This chapter gives details on how the configuration is organized and how to alter it. The chapter also provides an alphabetical reference for all attributes.
2.1. Overview of the Directory Server Configuration
When the Directory Server is set up, its default configuration is stored as a series of LDAP entries within the directory, under the subtree cn=config. When the server is started, the contents of the cn=config subtree are read from a file (dse.ldif) in LDIF format. This dse.ldif file contains all of the server configuration information that has been explicitly set (attributes left at their default values are not written to it; see the note in Section 2.1.2). The latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called dse.ldif.startOK.
Many of the features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax Plug-in is contained in this entry:
cn=Telephone Syntax,cn=plugins,cn=config
Similarly, database-specific configuration is stored under cn=ldbm database,cn=plugins,cn=config for local databases and cn=chaining database,cn=plugins,cn=config for database links.
The following diagram illustrates how the configuration data fits within the cn=config directory information tree.
Figure 2.1. Directory Information Tree Showing Configuration Data
2.1.1. LDIF and Schema Configuration Files
The Directory Server configuration data are stored in LDIF files in the /etc/dirsrv/slapd-instance_name directory (/etc/opt/dirsrv/slapd-instance_name on HP-UX). Thus, if a server identifier is phonebook, then for a Directory Server on Red Hat Enterprise Linux 5 (32-bit), the configuration LDIF files are all stored under /etc/dirsrv/slapd-phonebook.
This directory also contains other server instance-specific configuration files.
Schema configuration is also stored in LDIF format, and these files are located in the /etc/dirsrv/slapd-instance_name/schema directory (/etc/opt/dirsrv/slapd-instance_name/schema on HP-UX).
The following table lists all of the configuration files that are supplied with the Directory Server, including those for the schema of other compatible servers. Each file is preceded by a number which indicates the order in which they should be loaded (in ascending numerical and then alphabetical order).
Table 2.1. Directory Server LDIF Configuration Files
Configuration Filename: Purpose
dse.ldif: Contains front-end Directory Specific Entries created by the directory at server startup. These include the Root DSE ("") and the contents of cn=config and cn=monitor (ACIs only).
00core.ldif: Contains only those schema definitions necessary for starting the server with the bare minimum feature set (no user schema, no schema for any non-core features). The rest of the schema used by users, features, and applications is found in 01common.ldif and the other schema files. Do not modify this file.
01common.ldif: Contains LDAPv3 standard operational schema, such as subschemaSubentry, LDAPv3 standard user and organization schema defined in RFC 2256 (based on X.520/X.521), inetOrgPerson and other widely-used attributes, and the operational attributes used by Directory Server configuration. Modifying this file causes interoperability problems. User-defined attributes should be added through the Directory Server Console.
05rfc2247.ldif: Schema from RFC 2247 and related pilot schema, from "Using Domains in LDAP/X500 Distinguished Names."
05rfc2927.ldif: Schema from RFC 2927, "MIME Directory Profile for LDAP Schema." Contains the ldapSchemas operational attribute required for the attribute to show up in the subschema subentry.
10presence.ldif: Legacy. Schema for instant messaging presence (online) information; the file lists the default object classes with the allowed attributes that must be added to a user's entry in order for instant-messaging presence information to be available for that user.
10rfc2307.ldif: Schema from RFC 2307, "An Approach for Using LDAP as a Network Information Service." This may be superseded by 10rfc2307bis, the new version of rfc2307, when that schema becomes available.
20subscriber.ldif: Contains new schema elements and the Nortel subscriber interoperability specification. Also contains the adminRole and memberOf attributes and inetAdmin object class, previously stored in the 50ns-delegated-admin.ldif file.
25java-object.ldif: Schema from RFC 2713, "Schema for Representing Java® Objects in an LDAP Directory."
28pilot.ldif: Contains pilot directory schema from RFC 1274, which is no longer recommended for new deployments. Future RFCs which succeed RFC 1274 may deprecate some or all of 28pilot.ldif attribute types and classes.
30ns-common.ldif: Schema that contains object classes and attributes common to the Directory Server Console framework.
50ns-admin.ldif: Schema used by Red Hat Administration Server.
50ns-certificate.ldif: Schema for Red Hat Certificate Management System.
50ns-directory.ldif: Contains additional configuration schema used by Directory Server 4.12 and earlier versions of the directory, which is no longer applicable to current releases of Directory Server. This schema is required for replicating between Directory Server 4.12 and current releases.
50ns-mail.ldif: Schema used by Netscape Messaging Server to define mail users and mail groups.
50ns-value.ldif: Schema for servers' value item attributes.
50ns-web.ldif: Schema for Netscape Web Server.
60pam-plugin.ldif: Reserved for future use.
99user.ldif: User-defined schema maintained by Directory Server replication consumers which contains the attributes and object classes from the suppliers.
2.1.2. How the Server Configuration Is Organized
The dse.ldif file contains all configuration information including directory-specific entries created by the directory at server startup, such as entries related to the database. The file includes the root Directory Server entry (or DSE, named by "") and the contents of cn=config and cn=monitor.
When the server generates the dse.ldif file, it lists the entries in hierarchical order in the order that the entries appear in the directory under cn=config, which is usually the same order in which an LDAP search of subtree scope for base cn=config returns the entries.
dse.ldif also contains the cn=monitor entry, which is mostly read-only, but can have ACIs set on it.
NOTE
The dse.ldif file does not contain every attribute in cn=config. If the attribute has not been set by the administrator and has a default value, the server will not write it to dse.ldif. To see every attribute in cn=config, use ldapsearch.
2.1.2.1. Configuration Attributes
Within a configuration entry, each attribute is represented as an attribute name. The value of the attribute corresponds to the attribute's configuration.
The following code sample is an example of part of the dse.ldif file for a Directory Server. The example shows, among other things, that schema checking has been enabled; this is represented by the attribute nsslapd-schemacheck, which takes the value on.
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-localhost: phonebook.example.com
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: nobody
...
2.1.2.2. Configuration of Plug-in Functionality
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. The following code sample is an example of the configuration entry for an example plug-in, the Telephone Syntax plug-in.
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
Some of these attributes are common to all plug-ins, and some may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.
For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart for configuration changes, see Chapter 3, Plug-in Implemented Server Functionality Reference.
2.1.2 .3. C onfigurat ion of D at a ba ses
The o=Netsca peRoot and cn=UserRoot subtrees under the database plug-in entry contain configuration data for the databases containing the o=Netscape Root suffix and the default s uffix created during setup, such as dc =example,dc=com .
These entries and their children have many attributes used to configure different database settings, like the cache siz es, the paths to the index files and transaction logs, entries and attributes for monitoring and s tatistics; and databas e indexes.
2.1.2 .4 . Configurat ion of Indexes
Configuration information for indexing is stored as entries in the Directory Server under the following information-tree nodes:
cn=index,o=Netsca peRoot,cn=ldbm da tabase,cn= plugins,cn =config
cn=index,cn=UserRoot,cn= ldbm datab ase,cn=plugins,cn=config
cn=default indexes,cn=config,cn=ldbm database,cn=p lugins,cn= config
For more information about indexes in general, see the Directory Server Administrator's Guide. For information about the index configuration attributes, see Section 3.4.1, “Databas e Attributes under
cn=config, cn=ldbm database, cn=plugins, cn=config”.
2.2. Accessing and Modifying Server Configuration
This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions to the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.
2.2.1. Access Control for Configuration Entries
When the Directory Server is installed, a default set of access control instructions (ACIs) is implemented for all entries under cn=config. The following code sample is an example of these default ACIs.
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) groupdn = "ldap:///ou=Directory Administrators, dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) groupdn = "ldap:///cn=slapd-phonebook, cn=Red Hat Directory Server, cn=Server Group, cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)
These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:
Members of the Configuration Administrators group.
The user acting as the administrator, the admin account that was configured at setup. By default, this is the same user account which is logged into the Console.
Members of the local Directory Administrators group.
The SIE (Server Instance Entry) group, usually assigned using the Set Access Permissions process in the main console.
For more information on access control, see the Directory Server Administrator's Guide.
2.2.2. Changing Configuration Attributes
Server attributes can be viewed and changed in one of three ways: through the Directory Server Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.
NOTE
Before editing the dse.ldif file, the server must be stopped; otherwise, the changes are lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See Section 2.2.2.3, “Configuration Changes Requiring Server Restart” for further information.
The following sections describe how to modify entries using LDAP (both by using Directory Server Console and by using the command line), the restrictions that apply to modifying entries, the restrictions that apply to modifying attributes, and the configuration changes requiring restart.
2.2.2.1. Modifying Configuration Entries Using LDAP
The configuration entries in the directory can be searched and modified using LDAP either via the Directory Server Console or by performing ldapsearch and ldapmodify operations in the same way as other directory entries. The advantage of using LDAP to modify entries is that changes can be made while the server is running.
For further information, see the "Creating Directory Entries" chapter in the Directory Server Administrator's Guide. However, certain changes do require the server to be restarted before they are taken into account. See Section 2.2.2.3, “Configuration Changes Requiring Server Restart” for further information.
NOTE
As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree as this risks affecting Directory Server functionality.
The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:
ldapsearch -b cn=config -D bindDN -w password
bindDN is the DN chosen for the Directory Manager when the server was installed (cn=Directory Manager by default).
password is the password chosen for the Directory Manager.
For more information on using ldapsearch, see Section 6.4, “ldapsearch”.
To disable a plug-in, use ldapmodify to edit the nsslapd-pluginEnabled attribute:
ldapmodify -D cn="directory manager" -w password
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
2.2.2.2. Restrictions to Modifying Configuration Entries and Attributes
Certain restrictions apply when modifying server entries and attributes:
The cn=monitor entry and its child entries are read-only and cannot be modified, except to manage ACIs.
If an attribute is added to cn=config, the server ignores it.
If an invalid value is entered for an attribute, the server ignores it.
Because ldapdelete is used for deleting an entire entry, use ldapmodify to remove an attribute from an entry.
2.2.2.3. Configuration Changes Requiring Server Restart
Some configuration attributes cannot be altered while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file. Some of the attributes that require a server restart for any changes to take effect are listed below. This list is not exhaustive; to see a complete list, run ldapsearch and search for the nsslapd-requiresrestart attribute. For example:
ldapsearch -p 389 -D "cn=directory manager" -w password -s sub -b "cn=config" "(objectclass=*)" | grep nsslapd-requiresrestart
nsslapd-cachesize
nsslapd-certdir
nsslapd-dbcachesize
nsslapd-dbncache
nsslapd-plugin
nsslapd-changelogdir
nsslapd-changelogmaxage
nsslapd-changelogmaxentries
nsslapd-port
nsslapd-schemadir
nsslapd-saslpath
nsslapd-secureport
nsslapd-tmpdir
nsSSL2
nsSSL3
nsSSLclientauth
nsSSLSessionTimeout
nsslapd-conntablesize
nsslapd-lockdir
nsslapd-maxdescriptors
nsslapd-reservedescriptors
nsslapd-listenhost
nsslapd-schema-ignore-trailing-spaces
nsslapd-securelistenhost
nsslapd-workingdir
nsslapd-return-exact-case
nsslapd-maxbersize
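Before running an ldapmodify against cn=config, it helps to know which of the attributes being changed are dynamic and which need the restart described above. The following added Python example (not part of this reference) compares a modify LDIF against the nsslapd-requiresrestart values found in an ldapsearch dump of cn=config. Both inputs are constructed samples; the value form cn=config:<attribute> is an assumption, and bare attribute names are accepted as well.

```python
"""Report which attributes in a modify LDIF require a server restart.

Added example, not part of the Red Hat reference. The config dump and the
modify LDIF below are constructed samples; the "cn=config:<attribute>"
value form for nsslapd-requiresrestart is an assumption.
"""
import re

# Constructed sample: part of `ldapsearch -b cn=config` output.
CONFIG_DUMP = """\
dn: cn=config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-accesslog-logbuffering: on
nsslapd-requiresrestart: cn=config:nsslapd-port
nsslapd-requiresrestart: cn=config:nsslapd-secureport
nsslapd-requiresrestart: cn=config:nsslapd-schemadir
nsslapd-requiresrestart: cn=config:nsslapd-maxdescriptors
"""

# Constructed sample: an ldapmodify LDIF changing three attributes.
MODIFY_LDIF = """\
dn: cn=config
changetype: modify
replace: nsslapd-port
nsslapd-port: 10389
-
replace: nsslapd-accesslog-logbuffering
nsslapd-accesslog-logbuffering: off
-
replace: nsslapd-maxdescriptors
nsslapd-maxdescriptors: 4096
"""


def ldif_values(ldif: str, attr: str) -> list:
    """Return every value of `attr` in an LDIF text, unfolding continuation lines."""
    # RFC 2849: a line starting with a single space continues the previous line.
    unfolded = re.sub(r"\n ", "", ldif)
    wanted = attr.lower()
    values = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == wanted:
            values.append(value.strip())
    return values


def restart_attributes(config_dump: str) -> set:
    """Attribute names (lower-cased) that the server marks as requiring a restart."""
    names = set()
    for value in ldif_values(config_dump, "nsslapd-requiresrestart"):
        # Accept "cn=config:nsslapd-port" as well as a bare "nsslapd-port".
        names.add(value.rsplit(":", 1)[-1].strip().lower())
    return names


def modified_attributes(modify_ldif: str) -> set:
    """Attribute names touched by add/replace/delete directives in a modify LDIF."""
    names = set()
    for line in modify_ldif.splitlines():
        op, sep, attr = line.partition(":")
        if sep and op.strip().lower() in ("add", "replace", "delete") and attr.strip():
            names.add(attr.strip().lower())
    return names


def changes_needing_restart(config_dump: str, modify_ldif: str) -> list:
    """Sorted attributes in the modify LDIF whose change only takes effect after a restart."""
    return sorted(modified_attributes(modify_ldif) & restart_attributes(config_dump))


if __name__ == "__main__":
    for attr in changes_needing_restart(CONFIG_DUMP, MODIFY_LDIF):
        print(f"{attr}: not dynamic, restart the server after applying the change")
```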
2.3. Core Server Configuration Attributes Reference
This section contains reference information on the configuration attributes that are relevant to the core server functionality. For information on changing server configuration, see Section 2.2, “Accessing and Modifying Server Configuration”. For a list of server features that are implemented as plug-ins, see Section 3.1, “Server Plug-in Functionality Reference”. For help with implementing custom server functionality, contact Directory Server support.
The configuration information stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config, as shown in the following diagram.
Figure 2.2. Directory Information Tree Showing Configuration Data
Most of these configuration tree nodes are covered in the following sections.
The cn=plugins node is covered in Chapter 3, Plug-in Implemented Server Functionality Reference. The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.
NOTE
Some of the entries and attributes described in this chapter may change in future releases of the product.
2.3.1. cn=config
General configuration entries are stored in the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from the extensibleObject object class.
2.3.1.1. nsslapd-accesslog (Access Log)
This attribute specifies the path and filename of the log used to record each LDAP access. The following information is recorded by default in the log file:
IP address of the client machine that accessed the database.
Operations performed (for example, search, add, and modify).
Result of the access (for example, the number of entries returned or an error code).
For more information on turning access logging off, see the "Monitoring Server and Database Activity" chapter in the Directory Server Administrator's Guide.
For access logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Table 2.2. dse.ldif File Attributes
Attribute                            Value          Logging enabled or disabled
nsslapd-accesslog-logging-enabled    on
nsslapd-accesslog                    empty string   Disabled
nsslapd-accesslog-logging-enabled    on
nsslapd-accesslog                    filename       Enabled
nsslapd-accesslog-logging-enabled    off
nsslapd-accesslog                    empty string   Disabled
nsslapd-accesslog-logging-enabled    off
nsslapd-accesslog                    filename       Disabled
Parameter Description
Entry DN cn=config
Valid Values Any valid filename.
Default Value /var/log/dirsrv/slapd-instance_name/access
Syntax DirectoryString
Example nsslapd-accesslog: /var/log/dirsrv/slapd-instance_name/access
2.3.1.2. nsslapd-accesslog-level (Access Log Level)
This attribute controls what is logged to the access log.
Parameter Description
Entry DN cn=config
Valid Values
0 - No access logging
4 - Logging for internal access operations
256 - Logging for connections, operations, and results
512 - Logging for access to an entry and referrals
131072 - Provides microsecond operation timing
These values can be added together to provide the exact type of logging required; for example, 516 (4 + 512) to obtain internal access operation, entry access, and referral logging.
Default Value 256
Syntax Integer
Example nsslapd-accesslog-level: 256
2.3.1.3. nsslapd-accesslog-list (List of Access Log Files)
This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation.
Parameter Description
Entry DN cn=config
Valid Values
Default Value None
Syntax DirectoryString
Example nsslapd-accesslog-list: accesslog2,accesslog3
2.3.1.4. nsslapd-accesslog-logbuffering (Log Buffering)
When set to off, the server writes all access log entries directly to disk. Buffering allows the server to use access logging even when under a heavy load without impacting performance. However, when debugging, it is sometimes useful to disable buffering in order to see the operations and their results right away instead of having to wait for the log entries to be flushed to the file. Disabling log buffering can severely impact performance in heavily loaded servers.
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value on
Syntax DirectoryString
Example nsslapd-accesslog-logbuffering: off
2.3.1.5. nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
This attribute specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
Parameter Description
Entry DN cn=config
Valid Range -1 to the maximum 32 bit integer value (2147483647)
A value of -1 or 0 means that the log never expires.
Default Value -1
Syntax Integer
Example nsslapd-accesslog-logexpirationtime: 2
2.3.1.6. nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
This attribute specifies the units for the nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
Parameter Description
Entry DN cn=config
Valid Values month | week | day
Default Value month
Syntax DirectoryString
Example nsslapd-accesslog-logexpirationtimeunit: week
2.3.1.7. nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
Disables and enables access log logging, but only in conjunction with the nsslapd-accesslog attribute that specifies the path and parameter of the log used to record each database access.
For access logging to be enabled, this attribute must be switched to on, and the nsslapd-accesslog configuration attribute must have a valid path and parameter. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Table 2.3. dse.ldif Attributes
Attribute                            Value          Logging Enabled or Disabled
nsslapd-accesslog-logging-enabled    on
nsslapd-accesslog                    empty string   Disabled
nsslapd-accesslog-logging-enabled    on
nsslapd-accesslog                    filename       Enabled
nsslapd-accesslog-logging-enabled    off
nsslapd-accesslog                    empty string   Disabled
nsslapd-accesslog-logging-enabled    off
nsslapd-accesslog                    filename       Disabled
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value on
Syntax DirectoryString
Example nsslapd-accesslog-logging-enabled: off
2.3.1.8. nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
This attribute specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
Parameter Description
Entry DN cn=config
Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the access log is unlimited in size.
Default Value -1
Syntax Integer
Example nsslapd-accesslog-logmaxdiskspace: 100000
2.3.1.9. nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access logs are deleted until enough disk space is freed to satisfy this attribute.
Parameter Description
Entry DN cn=config
Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647)
Default Value -1
Syntax Integer
Example nsslapd-accesslog-logminfreediskspace: -1
2.3.1.10. nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)
This attribute sets whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For access log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate access log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attributes to 0.
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value off
Syntax DirectoryString
Example nsslapd-accesslog-logrotationsync-enabled: on
2.3.1.11. nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)
This attribute sets the hour of the day for rotating access logs. This attribute must be used in conjunction with the nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes.
Parameter Description
Entry DN cn=config
Valid Range 0 through 23
Default Value 0
Syntax Integer
Example nsslapd-accesslog-logrotationsynchour: 23
2.3.1.12. nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)
This attribute sets the minute of the day for rotating access logs. This attribute must be used in conjunction with the nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.
Parameter Description
Entry DN cn=config
Valid Range 0 through 59
Default Value 0
Syntax Integer
Example nsslapd-accesslog-logrotationsyncmin: 30
2.3.1.13. nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
This attribute sets the time between access log file rotations. The access log is rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
Although it is not recommended for performance reasons to specify no log rotation since the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-accesslog-maxlogsperdir attribute value to 1 or set the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See Section 2.3.1.16, “nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)” for more information.
Parameter Description
Entry DN cn=config
Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between access log file rotation is unlimited.
Default Value 1
Syntax Integer
Example nsslapd-accesslog-logrotationtime: 100
2.3.1.14. nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)
This attribute sets the units for the nsslapd-accesslog-logrotationtime attribute.
Parameter Description
Entry DN cn=config
Valid Values month | week | day | hour | minute
Default Value day
Syntax DirectoryString
Example nsslapd-accesslog-logrotationtimeunit: week
2.3.1.15. nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
This attribute sets the maximum access log size in megabytes. When this value is reached, the access log is rotated. That means the server starts writing log information to a new log file. If the nsslapd-accesslog-maxlogsperdir attribute is set to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
Parameter Description
Entry DN cn=config
Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Default Value 100
Syntax Integer
Example nsslapd-accesslog-maxlogsize: 100
2.3.1.16. nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
This attribute sets the total number of access logs that can be contained in the directory where the access log is stored. Each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored in this attribute, then the oldest version of the log file is deleted. For performance reasons, Red Hat recommends not setting this value to 1 because the server does not rotate the log, and it grows indefinitely.
If the value for this attribute is higher than 1, then check the nsslapd-accesslog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, then there is no log rotation. See Section 2.3.1.13, “nsslapd-accesslog-logrotationtime (Access Log Rotation Time)” for more information.
Parameter Description
Entry DN cn=config
Valid Range 1 to the maximum 32 bit integer value (2147483647)
Default Value 10
Syntax Integer
Example nsslapd-accesslog-maxlogsperdir: 10
2.3.1.17. nsslapd-accesslog-mode (Access Log File Permission)
This attribute sets the access mode or file permission with which access log files are to be created. The valid values are any combination of 000 to 777 (these mirror the numbered or absolute UNIX file permissions). The value must be a 3-digit number, the digits varying from 0 through 7:
0 - None
1 - Execute only
2 - Write only
3 - Write and execute
4 - Read only
5 - Read and execute
6 - Read and write
7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.
Parameter Description
Entry DN cn=config
Valid Range 000 through 777
Default Value 600
Syntax Integer
Example nsslapd-accesslog-mode: 600
2.3.1.18. nsslapd-allow-unauthenticated-binds
An unauthenticated bind is a bind where the user supplies a username but not a password. For example, running an ldapsearch without supplying a password option:
/usr/lib/mozldap/ldapsearch -D "cn=directory manager" -b "dc=example,dc=com" -s sub "(objectclass=*)"
When unauthenticated binds are allowed, the bind attempt goes through as an anonymous bind (assuming anonymous access is allowed).
The nsslapd-allow-unauthenticated-binds attribute sets whether to allow an unauthenticated bind to succeed as an anonymous bind. By default, unauthenticated binds are disabled.
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value off
Syntax DirectoryString
Example nsslapd-allow-unauthenticated-binds: on
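The rules spread over the preceding sections (the enable/disable combinations of Table 2.2, the nsslapd-accesslog-level bits, the disk-space and rotation caveats, the log file mode, and nsslapd-allow-unauthenticated-binds) can be checked mechanically against a cn=config entry. The following added Python example (not Red Hat's code) does that for a constructed dse.ldif fragment; the same attribute names exist with the auditlog prefix, so the log name is a parameter, and attributes absent from the fragment fall back to the defaults this reference documents.

```python
"""Audit logging and bind settings in a cn=config entry.

Added example, not part of the Red Hat reference. DSE_FRAGMENT is a
constructed sample whose values are chosen to trigger findings.
"""
import re

DSE_FRAGMENT = """\
dn: cn=config
objectclass: top
objectclass: nsslapdConfig
nsslapd-accesslog: /var/log/dirsrv/slapd-phonebook/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-level: 516
nsslapd-accesslog-mode: 666
nsslapd-accesslog-maxlogsize: 100
nsslapd-accesslog-maxlogsperdir: 20
nsslapd-accesslog-logmaxdiskspace: 1000
nsslapd-accesslog-logrotationtime: -1
nsslapd-auditlog: /var/log/dirsrv/slapd-phonebook/audit
nsslapd-auditlog-logging-enabled: off
nsslapd-allow-unauthenticated-binds: on
"""

# Defaults from the reference, used when an attribute is not written to dse.ldif.
DEFAULTS = {
    "accesslog": {"path": "/var/log/dirsrv/slapd-instance_name/access",
                  "logging-enabled": "on", "mode": "600", "maxlogsize": "100",
                  "maxlogsperdir": "10", "logmaxdiskspace": "-1", "logrotationtime": "1"},
    "auditlog": {"path": "/var/log/dirsrv/slapd-instance_name/audit",
                 "logging-enabled": "off", "mode": "600", "maxlogsize": "100",
                 "maxlogsperdir": "1", "logmaxdiskspace": "-1", "logrotationtime": "1"},
}

# Bit values of nsslapd-accesslog-level as documented in the reference.
LEVEL_BITS = {4: "internal", 256: "connections/operations/results",
              512: "entry access and referrals", 131072: "microsecond timing"}


def parse_entry(ldif: str) -> dict:
    """Map attribute name (lower-case) to its first value, unfolding continuation lines."""
    entry = {}
    for line in re.sub(r"\n ", "", ldif).splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() not in entry:
            entry[name.strip().lower()] = value.strip()
    return entry


def decode_level(level: int) -> list:
    """Names of the documented bits set in an access log level value."""
    return [name for bit, name in LEVEL_BITS.items() if level & bit]


def audit_log(entry: dict, log: str) -> list:
    """Findings for one log ('accesslog' or 'auditlog') as short strings."""
    def get(suffix):
        return entry.get(f"nsslapd-{log}-{suffix}", DEFAULTS[log][suffix])
    findings = []
    path = entry.get(f"nsslapd-{log}", DEFAULTS[log]["path"])
    # Table 2.2: logging is effective only with the flag on AND a non-empty path.
    if get("logging-enabled").lower() != "on" or path == "":
        findings.append(f"{log}: logging is not effective (enabled flag or path missing)")
    mode = get("mode")
    # Second and third digits are group and everyone; bit 2 is write.
    if len(mode) == 3 and (int(mode[1]) & 2 or int(mode[2]) & 2):
        findings.append(f"{log}: mode {mode} lets group or others write the log")
    perdir, rotation = int(get("maxlogsperdir")), int(get("logrotationtime"))
    if perdir == 1 or rotation == -1:
        findings.append(f"{log}: rotation is disabled, the log grows indefinitely")
    size, budget = int(get("maxlogsize")), int(get("logmaxdiskspace"))
    if budget != -1 and size != -1 and size * perdir > budget:
        findings.append(f"{log}: {perdir} files x {size} MB exceed logmaxdiskspace {budget} MB")
    return findings


def audit_config(ldif: str) -> list:
    """All findings for a dse.ldif cn=config fragment."""
    entry = parse_entry(ldif)
    findings = audit_log(entry, "accesslog") + audit_log(entry, "auditlog")
    if entry.get("nsslapd-allow-unauthenticated-binds", "off").lower() == "on":
        findings.append("unauthenticated binds are allowed (DN without password binds as anonymous)")
    return findings


if __name__ == "__main__":
    level = int(parse_entry(DSE_FRAGMENT)["nsslapd-accesslog-level"])
    print("access log level bits:", decode_level(level))
    for finding in audit_config(DSE_FRAGMENT):
        print("-", finding)
```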
2.3.1.19. nsslapd-attribute-name-exceptions
This attribute allows non-standard characters in attribute names to be used for backwards compatibility with older servers, such as "_" in schema-defined attributes.
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value off
Syntax DirectoryString
Example nsslapd-attribute-name-exceptions: on
2.3.1.20. nsslapd-auditlog (Audit Log)
This attribute sets the path and filename of the log used to record changes made to each database.
Parameter Description
Entry DN cn=config
Valid Values Any valid filename
Default Value /var/log/dirsrv/slapd-instance_name/audit
Syntax DirectoryString
Example nsslapd-auditlog: /var/log/dirsrv/slapd-instance_name/audit
For audit logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
Table 2.4. Possible Combinations for nsslapd-auditlog
Attributes in dse.ldif              Value          Logging enabled or disabled
nsslapd-auditlog-logging-enabled    on
nsslapd-auditlog                    empty string   Disabled
nsslapd-auditlog-logging-enabled    on
nsslapd-auditlog                    filename       Enabled
nsslapd-auditlog-logging-enabled    off
nsslapd-auditlog                    empty string   Disabled
nsslapd-auditlog-logging-enabled    off
nsslapd-auditlog                    filename       Disabled
2.3.1.21. nsslapd-auditlog-list
Provides a list of audit log files.
Parameter Description
Entry DN cn=config
Valid Values
Default Value None
Syntax DirectoryString
Example nsslapd-auditlog-list: auditlog2,auditlog3
2.3.1.22. nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
This attribute sets the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.
Parameter Description
Entry DN cn=config
Valid Range -1 to the maximum 32 bit integer value (2147483647)
A value of -1 or 0 means that the log never expires.
Default Value -1
Syntax Integer
Example nsslapd-auditlog-logexpirationtime: 1
2.3.1.23. nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
This attribute sets the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
Parameter Description
Entry DN cn=config
Valid Values month | week | day
Default Value week
Syntax DirectoryString
Example nsslapd-auditlog-logexpirationtimeunit: day
2.3.1.24. nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
Turns audit logging on and off.
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value off
Syntax DirectoryString
Example nsslapd-auditlog-logging-enabled: off
For audit logging to be enabled, this attribute must be switched to on, and the nsslapd-auditlog configuration attribute must have a valid path and parameter. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
Table 2.5. Possible combinations for nsslapd-auditlog and nsslapd-auditlog-logging-enabled
Attribute                           Value          Logging enabled or disabled
nsslapd-auditlog-logging-enabled    on
nsslapd-auditlog                    empty string   Disabled
nsslapd-auditlog-logging-enabled    on
nsslapd-auditlog                    filename       Enabled
nsslapd-auditlog-logging-enabled    off
nsslapd-auditlog                    empty string   Disabled
nsslapd-auditlog-logging-enabled    off
nsslapd-auditlog                    filename       Disabled
2.3.1.25. nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
This attribute sets the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations with the total amount of disk space for the audit log.
Parameter Description
Entry DN cn=config
Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit log is unlimited in size.
Default Value -1
Syntax Integer
Example nsslapd-auditlog-logmaxdiskspace: 10000
2.3.1.26. nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
This attribute sets the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest audit logs are deleted until enough disk space is freed to satisfy this attribute.
Parameter Description
Entry DN cn=config
Valid Range -1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647)
Default Value -1
Syntax Integer
Example nsslapd-auditlog-logminfreediskspace: -1
2.3.1.27. nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)
This attribute sets whether audit log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For audit log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0.
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value off
Syntax DirectoryString
Example nsslapd-auditlog-logrotationsync-enabled: on
2.3.1.28. nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)
This attribute sets the hour of the day for rotating audit logs. This attribute must be used in conjunction with the nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsyncmin attributes.
Parameter Description
Entry DN cn=config
Valid Range 0 through 23
Default Value None (because nsslapd-auditlog-logrotationsync-enabled is off)
Syntax Integer
Example nsslapd-auditlog-logrotationsynchour: 23
2.3.1.29. nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)
This attribute sets the minute of the day for rotating audit logs. This attribute must be used in conjunction with the nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsynchour attributes.
Parameter Description
Entry DN cn=config
Valid Range 0 through 59
Default Value None (because nsslapd-auditlog-logrotationsync-enabled is off)
Syntax Integer
Example nsslapd-auditlog-logrotationsyncmin: 30
2.3.1.30. nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
This attribute sets the time between audit log file rotations. The audit log is rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If the nsslapd-auditlog-maxlogsperdir attribute is set to 1, the server ignores this attribute.
Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-auditlog-maxlogsperdir attribute value to 1 or set the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-auditlog-logrotationtime attribute. See Section 2.3.1.33, “nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)” for more information.
Parameter Description
Entry DN cn=config
Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between audit log file rotation is unlimited.
Default Value 1
Syntax Integer
Example nsslapd-auditlog-logrotationtime: 100
2.3.1.31. nssla pd- a udit log-logrotat iontime unit (Audit Log Rot ation T ime Unit)
This attribute s ets the units for the nsslapd-auditlog-logrotationtime attribute.
Pa ra met e r De script ion
Entry DN cn=config
Valid Values month | week | day | hour | minute
Default Value week
Syntax DirectoryString
Example nsslapd-auditlog-logrotationtimeunit: day
2.3.1.32. nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
This attribute sets the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That means the server starts writing log information to a new log file. If nsslapd-auditlog-maxlogsperdir is set to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the audit log.
Parameter Description
Entry DN cn=config
Valid Range -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Default Value 100
Syntax Integer
Example nsslapd-auditlog-maxlogsize: 50
2.3.1.33. nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
This attribute sets the total number of audit logs that can be contained in the directory where the audit log is stored. Each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If this default is accepted, the server will not rotate the log, and it grows indefinitely.
If the value for this attribute is higher than 1, then check the nsslapd-auditlog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-auditlog-logrotationtime attribute has a value of -1, then there is no log rotation. See Section 2.3.1.30, “nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)” for more information.
Parameter Description
Entry DN cn=config
Valid Range 1 to the maximum 32 bit integer value (2147483647)
Default Value 1
Syntax Integer
Example nsslapd-auditlog-maxlogsperdir: 10
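The sections on nsslapd-auditlog-logrotationsynchour through nsslapd-auditlog-maxlogsperdir describe one decision: whether the audit log ever rotates, and on which trigger. The following Python is an added example, not code from the Red Hat Directory Server documentation or code base. It models the rule order the text gives (nsslapd-auditlog-maxlogsperdir is checked first; only when it is larger than 1 do nsslapd-auditlog-logrotationtime and nsslapd-auditlog-maxlogsize matter, and -1 there disables the respective trigger) and validates every value against the ranges in the attribute tables. The dataclass field names and the reported policy keys are ours; the attribute names and defaults are the ones in the tables above.

```python
"""Evaluate the audit-log rotation policy produced by a set of nsslapd-auditlog-* values.
Added example; rule order and ranges follow the reference text, field names are ours.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

INT32_MAX = 2147483647
VALID_UNITS = ("month", "week", "day", "hour", "minute")


@dataclass
class AuditLogConfig:
    maxlogsperdir: int = 1              # nsslapd-auditlog-maxlogsperdir
    logrotationtime: int = 1            # nsslapd-auditlog-logrotationtime (-1 = never)
    logrotationtimeunit: str = "week"   # nsslapd-auditlog-logrotationtimeunit
    maxlogsize: int = 100               # nsslapd-auditlog-maxlogsize in MB (-1 = unlimited)
    sync_enabled: bool = False          # nsslapd-auditlog-logrotationsync-enabled
    sync_hour: Optional[int] = None     # nsslapd-auditlog-logrotationsynchour
    sync_min: Optional[int] = None      # nsslapd-auditlog-logrotationsyncmin


def validate(cfg: AuditLogConfig) -> List[str]:
    """Return range violations as messages; an empty list means every value is in range."""
    problems = []
    if not 1 <= cfg.maxlogsperdir <= INT32_MAX:
        problems.append("nsslapd-auditlog-maxlogsperdir must be 1 to 2147483647")
    if cfg.logrotationtime != -1 and not 1 <= cfg.logrotationtime <= INT32_MAX:
        problems.append("nsslapd-auditlog-logrotationtime must be -1 or 1 to 2147483647")
    if cfg.logrotationtimeunit not in VALID_UNITS:
        problems.append("nsslapd-auditlog-logrotationtimeunit must be one of " + "|".join(VALID_UNITS))
    if cfg.maxlogsize != -1 and not 1 <= cfg.maxlogsize <= INT32_MAX:
        problems.append("nsslapd-auditlog-maxlogsize must be -1 or 1 to 2147483647")
    if cfg.sync_enabled:
        # Hour and minute are only required (and only checked) when sync is enabled.
        if cfg.sync_hour is None or not 0 <= cfg.sync_hour <= 23:
            problems.append("nsslapd-auditlog-logrotationsynchour must be 0 to 23")
        if cfg.sync_min is None or not 0 <= cfg.sync_min <= 59:
            problems.append("nsslapd-auditlog-logrotationsyncmin must be 0 to 59")
    return problems


def effective_policy(cfg: AuditLogConfig) -> Dict[str, object]:
    """Describe what the server will actually do with these values."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    # maxlogsperdir is checked first: with the default of 1 the server never rotates
    # and ignores logrotationtime and maxlogsize entirely.
    if cfg.maxlogsperdir == 1:
        return {"rotates": False, "reason": "nsslapd-auditlog-maxlogsperdir is 1",
                "unbounded_growth": True}
    time_based = cfg.logrotationtime != -1
    size_based = cfg.maxlogsize != -1
    policy: Dict[str, object] = {
        "rotates": time_based or size_based,
        "keep_files": cfg.maxlogsperdir,
        "time_trigger": "%d %s" % (cfg.logrotationtime, cfg.logrotationtimeunit) if time_based else None,
        "size_trigger_mb": cfg.maxlogsize if size_based else None,
        # Reported as configured; the sync hour/minute pin time-based rotation to a clock time.
        "sync_at": "%02d:%02d" % (cfg.sync_hour, cfg.sync_min) if cfg.sync_enabled else None,
        "unbounded_growth": not (time_based or size_based),
    }
    if not policy["rotates"]:
        policy["reason"] = "nsslapd-auditlog-logrotationtime is -1 and nsslapd-auditlog-maxlogsize is -1"
    return policy


if __name__ == "__main__":
    print(effective_policy(AuditLogConfig()))
    print(effective_policy(AuditLogConfig(maxlogsperdir=10, logrotationtime=100,
                                          logrotationtimeunit="day", maxlogsize=50)))
```

Note that "unbounded_growth" is reported for two different configurations: the shipped default (maxlogsperdir of 1) and a non-default maxlogsperdir combined with both triggers set to -1. Both leave the audit log growing without limit, which is the case the text advises against.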
2.3.1.34. nsslapd-auditlog-mode (Audit Log File Permission)
This attribute sets the access mode or file permissions with which audit log files are to be created. The value is a 3-digit number with each digit from 0 through 7, mirroring numbered (absolute) UNIX file permissions, so the valid values run from 000 to 777:
0 - None
1 - Execute only
2 - Write only
3 - Write and execute
4 - Read only
5 - Read and execute
6 - Read and write
7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.
Parameter Description
Entry DN cn=config
Valid Range 000 through 777
Default Value 600
Syntax Integer
Example nsslapd-auditlog-mode: 600
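A small decoder for nsslapd-auditlog-mode, as an added example that is not from the Red Hat Directory Server documentation or code base. It applies the digit scheme listed above (owner, group, everyone; each digit 0 through 7) and flags the two cases the text warns about, 000 and write access for everyone. It goes slightly beyond the text by also reporting group write, world read, and an owner digit without write, since an audit log the server user cannot append to is as much a configuration error as one anybody can truncate. Function names are ours.

```python
"""Decode and review an nsslapd-auditlog-mode value. Added example, not Red Hat's code."""
from typing import Dict, List

# Digit meanings exactly as the reference lists them.
PERMISSION_NAMES = {
    0: "None",
    1: "Execute only",
    2: "Write only",
    3: "Write and execute",
    4: "Read only",
    5: "Read and execute",
    6: "Read and write",
    7: "Read, write, and execute",
}
READ, WRITE, EXECUTE = 4, 2, 1   # bit values inside each digit


def parse_mode(value: str) -> Dict[str, int]:
    """Split '600' into {'owner': 6, 'group': 0, 'other': 0}; reject anything else."""
    if len(value) != 3 or any(ch not in "01234567" for ch in value):
        raise ValueError("nsslapd-auditlog-mode must be three digits 0-7, got %r" % (value,))
    owner, group, other = (int(ch) for ch in value)
    return {"owner": owner, "group": group, "other": other}


def mode_bits(value: str) -> int:
    """The same value as the integer a chmod(2) call would take (e.g. '600' -> 0o600)."""
    parse_mode(value)          # validates the string
    return int(value, 8)


def describe_mode(value: str) -> Dict[str, str]:
    """Human-readable meaning of each digit, using the names from the reference."""
    return {who: PERMISSION_NAMES[digit] for who, digit in parse_mode(value).items()}


def audit_mode_findings(value: str) -> List[str]:
    """Review findings for a mode; an empty list means nothing to report."""
    digits = parse_mode(value)
    findings: List[str] = []
    if value == "000":
        # The reference calls this out: nobody, not even the server user, can use the log.
        findings.append("000 allows no access to the audit log, not even to the server user")
        return findings
    if not digits["owner"] & WRITE:
        findings.append("owner lacks write: the server user cannot append to its own audit log")
    if digits["other"] & WRITE:
        # The reference calls this out: the log can be overwritten or deleted by anyone.
        findings.append("everyone can write: the audit log can be overwritten or deleted by any local user")
    elif digits["other"] & READ:
        findings.append("everyone can read the audit log; the default 600 limits it to the server user")
    if digits["group"] & WRITE:
        findings.append("group can write: members of the server's group can alter the audit log")
    return findings


if __name__ == "__main__":
    for mode in ("600", "644", "666", "000"):
        print(mode, describe_mode(mode), audit_mode_findings(mode))
```

Because the mode only applies to files created at rotation time, a change to this attribute does not retroactively fix an existing world-writable log; check the current file's mode separately.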
2.3.1.35. nsslapd-certdir (Certificate and Key Database Directory)
This is the full path to the directory holding the certificate and key databases for a Directory Server instance. This directory must contain only the certificate and key databases for this instance and no other instances. This directory must be owned by, and allow read-write access for, the server user ID. No other user should have read-write access to this directory. The default location is the configuration file directory, /etc/dirsrv/slapd-instance_name.
Changes to this value will not take effect until the server is restarted.
Parameter Description
Entry DN cn=config
Valid Values Absolute path to any directory which is owned by the server user ID and only allows read and write access to the server user ID
Default Value /etc/dirsrv/slapd-instance_name
Syntax DirectoryString
Example /etc/dirsrv/slapd-phonebook
2.3.1.36. nsslapd-certmap-basedn (Certificate Map Search Base)
This attribute can be used when client authentication is performed using SSL certificates in order to avoid limitations of the security subsystem certificate mapping, configured in the certmap.conf file. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree search based at the root DN. If the search is based at the root DN, then the nsslapd-certmap-basedn attribute may force the search to be based at some entry other than the root. The valid value for this attribute is the DN of the suffix or subtree to use for certificate mapping. For further information on configuring for SSL, see the "Managing SSL" chapter in the Directory Server Administrator's Guide.
2.3.1.37. nsslapd-config
This read-only attribute is the config DN.
Parameter Description
Entry DN cn=config
Valid Values Any valid configuration DN
Default Value
Syntax DirectoryString
Example nsslapd-config: cn=config
2.3.1.38. nsslapd-conntablesize
This attribute sets the connection table size, which determines the total number of connections supported by the server.
The server has to be restarted for changes to this attribute to go into effect.
Parameter Description
Entry DN cn=config
Valid Values Operating-system dependent
Default Value The default value is the system's max descriptors, which can be configured using the Section 2.3.1.77, “nsslapd-maxdescriptors (Maximum File Descriptors)” attribute.
Syntax Integer
Example nsslapd-conntablesize: 4093
Increase the value of this attribute if Directory Server is refusing connections because it is out of connection slots. When this occurs, the Directory Server's error log file records the message Not listening for new connections -- too many fds open.
A server restart is required for the change to take effect.
It may be necessary to increase the operating system limits for the number of open files and number of open files per process, and it may be necessary to increase the ulimit for the number of open files (ulimit -n) in the shell that starts the Directory Server. See Section 2.3.1.77, “nsslapd-maxdescriptors (Maximum File Descriptors)” for more information.
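The error-log message quoted above is the signal that the connection table is exhausted. The following Python is an added example, not from the Red Hat Directory Server documentation or code base: it scans error-log lines for that message and reports how often and when the condition occurred, which is what an operator needs before deciding to raise nsslapd-conntablesize and the open-file limits. The sample lines are constructed for this example, and the "[timestamp] - message" line layout is an assumption about the error log format rather than something the reference specifies.

```python
"""Detect connection-slot exhaustion in a Directory Server error log. Added example."""
import re
from typing import Dict, List, Optional

# Exact message the reference says the server writes when it is out of connection slots.
FD_EXHAUSTED = "Not listening for new connections -- too many fds open"

# Constructed sample lines (not taken from any real server). Assumed layout: "[timestamp] - message".
SAMPLE_ERROR_LOG = """\
[11/Feb/2010:08:00:01 -0500] - slapd started.
[11/Feb/2010:09:14:22 -0500] - Not listening for new connections -- too many fds open
[11/Feb/2010:09:14:23 -0500] - Not listening for new connections -- too many fds open
[11/Feb/2010:09:15:40 -0500] - slapd stopping.
[11/Feb/2010:09:16:02 -0500] - slapd started.
[11/Feb/2010:10:02:05 -0500] - Not listening for new connections -- too many fds open
""".splitlines()

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+-\s+(?P<msg>.*)$")


def parse_error_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one line into its timestamp and message, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def fd_exhaustion_report(lines: List[str]) -> Dict[str, object]:
    """Count the exhaustion messages and record the first and last time they appeared."""
    hits: List[str] = []
    for line in lines:
        rec = parse_error_log_line(line)
        if rec is not None and FD_EXHAUSTED in rec["msg"]:
            hits.append(rec["ts"])
    return {
        "count": len(hits),
        "first_seen": hits[0] if hits else None,
        "last_seen": hits[-1] if hits else None,
        # The remedy the reference gives: a larger table, higher OS/ulimit -n limits, restart.
        "action": ("raise nsslapd-conntablesize and the open-file limits (ulimit -n), then restart"
                   if hits else None),
    }


if __name__ == "__main__":
    print(fd_exhaustion_report(SAMPLE_ERROR_LOG))
```

Clusters of this message that recur after a restart (as in the constructed sample) point at a limit that is still too low, not at a one-off burst of clients.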
2.3.1.39. nsslapd-counters
The nsslapd-counters attribute enables and disables Directory Server database and server performance counters.
There can be a performance impact by keeping track of the larger counters. Turning off 64-bit integers for counters can have a minimal improvement on performance, although it negatively affects long term statistics tracking.
This parameter is enabled by default. To disable counters, stop the Directory Server, edit the dse.ldif file directly, and restart the server.
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value on
Syntax DirectoryString
Example nsslapd-counters: on
2.3.1.40. nsslapd-csnlogging
This attribute sets whether change sequence numbers (CSNs), when available, are to be logged in the access log. By default, CSN logging is turned on.
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value on
Syntax DirectoryString
Example nsslapd-csnlogging: on
2.3.1.41. nsslapd-ds4-compatible-schema
Makes the schema in cn=schema compatible with 4.x versions of Directory Server.
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value off
Syntax DirectoryString
Example nsslapd-ds4-compatible-schema: off
2.3.1.42. nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)
This attribute is deprecated and will be removed in a future version of Directory Server.
This attribute controls whether quoting in the objectclass attributes contained in the cn=schema entry conforms to the quoting specified by Internet draft RFC 2252. By default, the Directory Server conforms to RFC 2252, which indicates that this value should not be quoted. Only very old clients need this value set to on, so leave it off.
Turning this attribute on or off does not affect Directory Server Console.
Parameter Description
Entry DN cn=config
Valid Values on | off
Default Value off
Syntax DirectoryString
Example nsslapd-enquote-sup-oc: off
2.3.1.43. nsslapd-errorlog (Error Log)
This attribute sets the path and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they contain informative conditions, such as:
Server startup and shutdown times.
The port number that the server uses.
This log contains differing amounts of information depending on the current setting of the Log Level attribute. See Section 2.3.1.44, “nsslapd-errorlog-level (Error Log Level)” for more information.
Parameter Description
Entry DN cn=config
Valid Values Any valid filename
Default Value /var/log/dirsrv/slapd-instance_name/errors
Syntax DirectoryString
Example nsslapd-errorlog: /var/log/dirsrv/slapd-instance_name/errors
For error logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
Table 2.6. Possible Combinations for nsslapd-errorlog Configuration Attributes
Attributes in dse.ldif              Value          Logging enabled or disabled
nsslapd-errorlog-logging-enabled    on             Disabled
nsslapd-errorlog                    empty string
nsslapd-errorlog-logging-enabled    on             Enabled
nsslapd-errorlog                    filename
nsslapd-errorlog-logging-enabled    off            Disabled
nsslapd-errorlog                    empty string
nsslapd-errorlog-logging-enabled    off            Disabled
nsslapd-errorlog                    filename
2.3.1.44. nsslapd-errorlog-level (Error Log Level)
This attribute sets the level of logging for the Directory Server. The log level is additive; that is, specifying a value of 3 includes both levels 1 and 2.
The default value for nsslapd-errorlog-level is 16384.
Parameter Description
Entry DN cn=config
Valid Values
1 — Trace function calls. Logs a message when the server enters and exits a function.
2 — Debug packet handling.
4 — Heavy trace output debugging.
8 — Connection management.
16 — Print out packets sent/received.
32 — Search filter processing.
64 — Config file processing.
128 — Access control list processing.
1024 — Log communications with shell databases.
2048 — Log entry parsing debugging.
4096 — Housekeeping thread debugging.
8192 — Replication debugging.
16384 — Default level of logging used for critical errors and other messages that are always written to the error log; for example, server startup messages. Messages at this level are always included in the error log, regardless of the log level setting.
32768 — Database cache debugging.
65536 — Server plug-in debugging. It writes an entry to the log file when a server plug-in calls slapi_log_error.
131072 — Microsecond resolution for timestamps instead of the default seconds.
262144 — Access control summary information, much less verbose than level 128. This value is recommended for use when a summary of access control processing is needed. Use 128 for very detailed processing messages.
Default Value 16384
Syntax Integer
Example nsslapd-errorlog-level: 8192
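Table 2.6 and the level list above together determine whether the error log is written and how verbose it is. The following Python is an added example that is not from the Red Hat Directory Server documentation or code base. It reads a constructed dse.ldif fragment for the cn=config entry (attribute names are the ones in this reference; the values are made up for the example), applies the Table 2.6 rule (logging is enabled only when nsslapd-errorlog-logging-enabled is on and nsslapd-errorlog names a file), and splits the additive nsslapd-errorlog-level value back into the individual levels, rejecting bit values the reference does not define. The LDIF reader is deliberately minimal and the function names are ours.

```python
"""Review the error-log settings of a cn=config entry from dse.ldif. Added example."""
from typing import Dict, List

# Level values and descriptions as listed in the reference (no 256 or 512 are defined).
ERROR_LOG_LEVELS = {
    1: "Trace function calls",
    2: "Debug packet handling",
    4: "Heavy trace output debugging",
    8: "Connection management",
    16: "Print out packets sent/received",
    32: "Search filter processing",
    64: "Config file processing",
    128: "Access control list processing",
    1024: "Log communications with shell databases",
    2048: "Log entry parsing debugging",
    4096: "Housekeeping thread debugging",
    8192: "Replication debugging",
    16384: "Default level: critical errors and messages always written",
    32768: "Database cache debugging",
    65536: "Server plug-in debugging",
    131072: "Microsecond resolution for timestamps",
    262144: "Access control summary information",
}

# Constructed dse.ldif fragment for this example; not a real instance's configuration.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-errorlog: /var/log/dirsrv/slapd-example/errors
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-level: 24576
nsslapd-auditlog-mode: 600
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal reader for one LDIF entry: 'attr: value' lines plus single-space
    continuation lines. Enough for dse.ldif config attributes; base64 '::' values
    and multiple entries are not handled."""
    attrs: Dict[str, List[str]] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        name = name.strip().lower()
        attrs.setdefault(name, []).append(value.strip())
        last = name
    return attrs


def error_logging_enabled(attrs: Dict[str, List[str]]) -> bool:
    """Table 2.6: only 'on' together with a non-empty filename enables error logging."""
    switch = attrs.get("nsslapd-errorlog-logging-enabled", ["off"])[0].lower() == "on"
    path = attrs.get("nsslapd-errorlog", [""])[0]
    return switch and path != ""


def decode_error_log_level(level: int) -> List[int]:
    """Split an additive level into its component levels; undefined bits raise ValueError."""
    if level < 0:
        raise ValueError("nsslapd-errorlog-level cannot be negative")
    parts = [bit for bit in ERROR_LOG_LEVELS if level & bit]
    undefined = level - sum(parts)
    if undefined:
        raise ValueError("nsslapd-errorlog-level %d contains undefined bits: %d" % (level, undefined))
    return parts


def error_log_report(text: str) -> Dict[str, object]:
    """Summarise the error-log configuration found in a dse.ldif fragment."""
    attrs = parse_ldif_entry(text)
    level = int(attrs.get("nsslapd-errorlog-level", ["16384"])[0])
    parts = decode_error_log_level(level)
    return {
        "logging_enabled": error_logging_enabled(attrs),
        "level": level,
        "level_names": [ERROR_LOG_LEVELS[p] for p in parts],
        # 128 is the detailed ACL trace; the reference recommends 262144 for summaries.
        "verbose_acl_logging": 128 in parts,
    }


if __name__ == "__main__":
    print(error_log_report(SAMPLE_DSE_LDIF))
```

The undefined-bit check matters in practice: a level typed as, say, 512 is silently not one of the documented levels, and the decoder refuses it rather than reporting an empty but "valid" configuration.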
2.3.1.45. nsslapd-errorlog-list
This read-only attribute provides a list of error log files.
Parameter Description