Red-hat 8.1 Manuale Utente

Red Hat Directory Server 8.1Configuration and Command ReferenceConfiguring and managing Red Hat Directory Server 8.1 with command-lineutilitiesEdition

Using the Admin Server describes the different tasks and tools associated with the AdministrationServer and how to use the Administration Server with

Multi- or Single-Valued Multi-valuedDefined in Directory Server2.5.2 . Legacy Replication At tributesThese attributes were originally used to configur

Defined in Directory Server2.5.2 .3. cirBindCre dentialsFor consumer-initiated replication, this attribute is used to identify the bind password for t

For consumer initiated replication, this attribute shows the time of the last failed updated attempt.OID 2.16.840.1.113730.3.1.88Syntax DirectoryStrin

replicaCredentials Stores a password of replicaBindDn.replicaBindMethod Specifies the bind method.replicaUseSSL Specifies a flag whether or not to use

OID 2.16.840.1.113730.3.1.202Syntax BinaryMulti- or Single-Valued Multi-valuedDefined in Directory Server2.5.2 .21. replica EntryFilterThis attribute

2.5.2 .28. replica Upda teFailedAtThis attribute contains the time and date of the most recent replication failure.OID 2.16.840.1.113730.3.1.49Syntax

Chapter 3. Plug-in Implemented Server Functionality ReferenceThis chapter contains reference information on Red Hat Directory Server plug-ins.The conf

3.1 .3. ACL Preope ration Plug- inPlug-in Pa ramet er DescriptionPlug-in Name ACL PreoperationDN of Configuration Entry cn=ACL preoperation, cn=plugin

Red Hat recommends leaving this plug-in runningat all times.Further Information3.1 .6. Boolean Syntax Plug-inPlug-in Pa ramet er DescriptionPlug-in Na

"Configuring Directory Databases" chapter in theDirectory Server Administrator's Guide.3.1 .10. Cla ss of Service Plug- inPlug-in Pa ra

Chapter 1. IntroductionDirectory Server is based on an open-systems server protocol called the Lightweight Directory AccessProtocol (LDAP). The Direct

Plug-in Pa ramet er DescriptionPlug-in Name Generalized T ime SyntaxDN of Configuration Entry cn=Generalized Time Syntax, cn=plugins,cn=configDescript

Performance Related Information Do not modify the configuration of this plug-in.Red Hat recommends leaving this plug-in runningat all times.Further In

Table 3.2. Details of MemberOf Plug-inPlug-in Information DescriptionPlug-in Name MemberOfConfiguration Entry DN cn=MemberOf Plugin,cn=plugins,cn=con

3.1 .25. Password Storage SchemesThe cn=Password Storage Schemes entry is a container entry, not a plug-in entry itself. All of theplug-ins used for e

3.1 .26. Posta l Address String Syntax Plug-inPlug-in Pa ramet er DescriptionPlug-in Name Postal Address SyntaxDN of Configuration Entry cn=Postal Add

conflict resolution loops. When enabling the plug-in on chainedservers, be sure to analyze the performance resource andtime needs as well as integrity

3.1 .32. Space Insensitive St ring Synt ax Plug-inPlug-in Pa ramet er DescriptionPlug-in Name Space Insensitive String SyntaxDN of Configuration Entry

Configurable Arguments NoneDependencies NonePerformance Related Information Do not modify the configuration of this plug-in.Red Hat recommends leaving

3.2 .3. nsslapd-pluginInitfuncThis attribute specifies the plug-in function to be initiated.Plug-in Pa ramet er DescriptionEntry DN cn=plug-in name, c

Syntax DirectoryStringExample nsslapd-pluginVendor: Red Hat, Inc.3.2 .9. nsslapd- pluginDescriptionThis attribute provides a description of the plug-i

Chapter 2. Core Server Configuration ReferenceThe configuration information for Red Hat Directory Server is stored as LDAP entries within the director

Entry DN cn=referential integrity postoperation, cn=plugins,cn=configValid Values Class of ServiceDefault ValueSyntax DirectoryStringExamplensslapd-pl

cn=configValid Range 100 to the maximum 32-bit integer value(2147483647) entry IDsDefault Value 4000Syntax IntegerExample nsslapd-idlistscanlimit: 40

cache the indexes (the .db4 files) and other files. This value is passed to the Berkeley DB API function set_cachesize. If automatic cache resizing i

Entry DN cn=config, cn=ldbm database, cn=plugins,cn=configValid Values on | offDefault Value offSyntax DirectoryStringExample nsslapd-db-debug: off3.4

database cache size being configured for the server. If this happens, reduce the size of the databasecache size to a value where the server will start

Parameter Descript ionEntry DN cn=config, cn=ldbm database, cn=plugins,cn=configValid Values Any valid path and directory nameDefault ValueSyntax Dire

WARNINGSetting this value will reduce data consistency and may lead to loss of data. T his is because ifthere is a power outage before the server can

by a process. If nsslapd-dbncache is 0 or 1, the cache will be allocated contiguously in memory. If it isgreater than 1, the cache will be broken up i

database (the ldif2db operation).In Directory Server, the import operation can be run as a server task or exclusively on the command-line.In the task

information on these entries, refer to the "Monitoring Server and Database Activity" chapter in theDirectory Server Administrator's Gui

Table 2.1 . Directory Se rver LDIF Configuration FilesConfigurat ion Filename Purposedse.ldif Contains front-end Directory Specific Entriescreated by

cn=plugins, cn=configValid Range1 to 232-1 on 32-bit systems or 26 3-1 on 64-bitsystems or -1, which means limitlessDefault Value -1Syntax IntegerExam

Entry DN cn=database_name, cn=ldbm database,cn=plugins, cn=configValid Values on | offDefault Value offSyntax DirectoryStringExample nsslapd-readonly:

Parameter Descript ionEntry DN cn=index_name, cn=userRoot, cn=ldbmdatabase, cn=plugins, cn=configValid Values 0 (disabled) | 1 (enabled)Default Value

NOTEThis attribute is only available to user databases like userRoot, not configuration databases likeo=NetscapeRoot.Parameter Descript ionEntry DN cn

Valid Values Any Directory Server attributes, in a space-separated listDefault ValueSyntax DirectoryStringExample vlvSort: cn givenname o ou sn3.4 .3.

nsslapd- db-clean-pagesThis attribute shows the clean pages currently in the cache.nsslapd- db-commit- rateThis attribute shows the number of transact

This attribute shows the clean pages forced from the cache.nsslapd- db-page-rw- evict- rateThis attribute shows the dirty pages forced from the cache.

Attribute Definit ionobjectClass Defines the object classes for the entry.cn Gives the common name of the entry.nsSystemIndex Identify whether or not

Entry DN cn=default indexes, cn=config, cn=ldbmdatabase, cn=plugins, cn=configValid Values true | falseDefault ValueSyntax DirectoryStringExample nsSy

3.4 .7.1 . nsSubStrBe ginBy default, for a search to be indexed, the search string must be at least three characters long, withoutcounting any wildcar

50ns-web.ldif Schema for Netscape Web Server.60pam-plugin.ldif Reserved for future use.99user.ldif User-defined schema maintained by DirectoryServer r

Example nsSubStrMiddle: 33.4 .8. Dat abase Attributes unde r cn=attribut eName, cn=encrypt ed att ributes,cn=dat abase _name, cn=ldbm dat abase , cn=p

(AES) Triple Data Encryption Standard Block Cipher(3DES)Default ValueSyntax DirectoryStringExample nsEncryptionAlgorithm: AES3.5. Database Link Plug-i

This error detection, performance-related attribute specifies the duration of the test issued by thedatabase link to check whether the remote server i

Contrary to what the name suggests, this attribute does not specify the number of times a database linkretries to bind with the remote server but the

Example nsConcurrentOperationsLimit: 53.5 .2.8 . nsConnectionLifeThis attribute specifies connection lifetime. Connections between the database link a

Example nsslapd-sizelimit: 20003.5 .2.1 3. nsTimeLimitThis attribute shows the default search time limit for the database link.Parameter Descript ionE

Default ValueSyntax DirectoryStringExample nsFarmServerURL: ldap://farm1.example.com:389ldap://farm2.example.com:13893.5 .3.3. nsMultiplexorBindDnThis

headcountThis attribute gives the number of add operations received.nsDelete CountThis attribute gives the number of delete operations received.nsModi

This attribute specifies the name of the directory in which the changelog database is created the firsttime the plug-in is run. By default, the databa

Valid Range Any valid LDAP filterDefault Value NoneSyntax DirectoryStringExample dnaFilter: (objectclass=person)3.7 .2. dnaMagicRegenThis attribute se

These entries and their children have many attributes used to configure different database settings, likethe cache sizes, the paths to the index files

Example dnaNextRange: 100-5003.7 .5. dnaNextValueThis attribute gives the next available number which can be assigned. After being initially set in th

This attribute defines a shared identity that the servers can use to transfer ranges to one another. T hisentry is replicated between servers and is m

The MemberOf Plug-in synchronizes the group membership in group members with the members'individual directory entries by identifying changes to a

Chapter 4. Server Instance File ReferenceThis chapter provides an overview of the files that are specific to an instance of Red Hat DirectoryServer (D

Table 4 .3. HP- UX 11i (IA64 )File or Directory Locat ionBackup files /var/opt/dirsrv/slapd-instance/bakConfiguration files /etc/opt/dirsrv/slapd-ins

Exa mple 4 .2. Ne tscapeRoot Database Direct ory Contents./ entrydn.db4* parentid.db4*../ givenName.db4* sn.db4*DBVERSION* id2entry.db4* uid.db4

Lock table is out of available locks), double the value of the nsslapd-db-locks attributein the cn=config,cn=ldbm database,cn=plugins,cn=config entry

4.10. ScriptsDirectory Server command-line scripts are stored in the /etc/dirsrv/slapd-instance_namedirectory. The contents of the /etc/dirsrv/slapd-i

Chapter 5. Log File ReferenceRed Hat Directory Server (Directory Server) provides logs to help monitor directory activity. Monitoringhelps quickly det

Exa mple 5.1. Example Access Log[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139[21/Apr/2009:11:39

2.2.2 .1. Modifying Configuration Ent ries Using LDAPThe configuration entries in the directory can be searched and modified using LDAP either via the

Slot NumberThe slot number, in this case slot=608, is a legacy part of the access log which has the samemeaning as file descriptor. Ignore this part o

Table 5.1 . Commonly-Used T agsTag Descript iontag=97 A result from a client bind operation.tag=100 The actual entry being searched for.tag=101 A res

ENT RYREFERRAL, an LDAP referral or search referenceUninde xed Search IndicatorThe unindexed search indicator, notes=U, indicates that the search perf

An extended operation OID, such as EXT oid="2.16.84 0.1.113730.3.5.3" or EXT oid="2.16.84 0.1.113730.3.5.5" in Example 5.1, “Exam

NOTEThe Directory Server operation number starts counting at 0, and, in the majority of LDAPSDK/client implementations, the message ID number starts c

[12/Jul/2009:16:43:02 +0200] conn=306 fd=60 slot=60 connection from 127.0.0.1 to 127.0.0.1 [12/Jul/2009:16:43:02 +0200] conn=306 op=0 SRCH base="

Table 5.3. Common Connection CodesConnect ion Code Descript ionA1 Client aborts the connection.B1 Corrupt BER tag encountered. If BER tags, whichenca

Table 5.4 . Error Log LevelsSett ing Console Name Descript ion1 Trace function calls Logs a message when theserver enters and exits afunction.2 Packe

A timestamp, such as [05/Jan/2009:02:27:22 -0500], although the format varies dependingon the platform. The ending four digits, -0500, indicate the ti

Red Hat Directory Server 8.1 Configuration and Command Reference 169

nsslapd-schema-ignore-trailing-spaces nsslapd-securelistenhostnsslapd-workingdir nsslapd-return-exact-casensslapd-maxbersize2.3. Core Server Configura

Exa mple 5.4 . Re plication Error Log Entry[09/Jan/2009:13:44:48 -0500] - _csngen_adjust_local_time: gen state before 496799220001:1231526178:0:0[09/J

Plug-in logging records every the name of the plugin and all of the functions called by the plugin. Thishas a simple format:[timestamp] Plugin_name -

Example 5.7, “Access Control Summary Logging” shows the summary access control log entry.Exa mple 5.7. Access Control Summary Logging[09/Jan/2009:16:0

Exa mple 5.8. Audit Log Content ... modifying an entry ... tim e: 20090108181429 dn: uid=scarter,ou=people,dc=example,dc=com changetype: modify repla

Table 5.5 . LDAP Result CodesResultCodeDefined Value ResultCodeDefined Value0 SUCCESS 48 INAPPROPRIATE_AUTHENTICATION1 OPERAT ION_ERROR 49 INVALID_CR

Chapter 6. Command-Line UtilitiesThis chapter contains reference information on command-line utilities used with Red Hat DirectoryServer (Directory Se

Table 6.1 . Commonly-Used Command-Line Utilit iesCommand-Line Utility Descriptionldapsearch Searches the directory and returns searchresults in LDIF

Table 6.2 . ldapsearch SyntaxOption Descriptionoptional_options A series of command-line options. These must bespecified before the search filter, if

Table 6.3. Commonly-Used ldapsearch OptionsOption Description-b Specifies the starting point for the search. T hevalue specified here must be a disti

The default is 389. If -Z is used, the default is 636.-s Specifies the scope of the search. T he scope canbe one of the following: base searches only

Table 2.2 . dse .ldif File Att ributesAttribute Value Logging enabled or disablednsslapd-accesslog-logging-enablednsslapd-accesslogonempty stringDis

Table 6.4 . Pe rsistent Search OptionsOption Description-C Runs the ldapsearch as a persistent search.-r Prints all of the output from the ldapsearch

Table 6.5 . Additional SSL ldapse arch OptionsOption Description-3 Specifies that hostnames should be checked in SSLcertificates.-I Specifies the SSL

command is aborted immediately.SASL OptionsSASL mechanisms can be used to authenticate a user, using the -o the required SASL information.To learn whi

Table 6.7 . Description of CRAM-MD5 Mechanism OptionsRequiredorOptionalOption Description ExampleRequired mech=CRAM-MD5 Gives the SASL mechanism. -o

Table 6.8 . Description of DIGEST- MD5 SASL Mechanism OptionsRequiredorOptionalOption Description ExampleRequired mech=DIGEST-MD5 Gives the SASL mech

Table 6.9 . Description of GSSAPI SASL Mechanism OptionsRequired orOptionalOption Descript ion Exa mpleRequired mech=GSSAPI Gives the SASLmechanism.N

Table 6.1 0. Additional ldapsearch OptionsOption Description-1 Leaves out the opening version: 1 line fromthe LDIF output.-A Specifies that the searc

characterset.ldapsearch converts the input from thesearguments before it processes the searchrequest. For example, -i no indicates that thebind DN, ba

of the content.-U Creates file URLs for the files produced by the -toption.-u Specifies that the user-friendly form of thedistinguished name be used i

Table 6.1 1. Commonly-Used lda pmodify OptionsOption Description-a Adds LDIF entries to the directory withoutrequiring the changetype:add LDIF update

right away instead of having to wait for the log entries to be flushed to the file. Disabling log buffering canseverely impact performance in heavily

SSL OptionsUse the following command-line options to specify that ldapm odify is to use LDAP over SSL (LDAPS)when communicating with the Directory Ser

Table 6.1 2. lda pmodify SSL OptionsOption Descript ion-3 Specifies that hostnames should be checked in SSLcertificates.-I Specifies the SSL key pass

“Commonly-Used ldapsearch Options”.Table 6.1 3. SASL OptionsOption Description-o Specifies SASL options. T he format is -osaslOption=value. saslOptio

Table 6.1 4 . Additional ldapmodify OptionsOption Description-b Causes the utility to check every attribute value todetermine whether the value is a

-V 2LDAPv3 is the default. An LDAPv3 operationcannot be performed against a Directory Serverthat only supports LDAPv2.-Y Specifies the proxy DN to use

Table 6.1 5. Commonly-Used lda pdelete Opt ionsOption Description-D Specifies the distinguished name with which toauthenticate to the server. T he va

Table 6.1 6. lda pde lete SSL Opt ionsOption Descript ion-3 Specifies that hostnames should be checked in SSLcertificates.-I Specifies the SSL key p

To learn which SASL mechanisms are supported, search the root DSE. See the -b option in T able 6.3,“Commonly-Used ldapsearch Options”.Table 6.1 7. SA

Table 6.1 8. Additional ldapdelete Opt ionsOption Description-c Specifies that the utility must run in continuousoperation mode. Errors are reported,

Table 6.1 9. lda ppa sswd-specific Opt ionsOption Description-A Specifies that the command should prompt for theuser's existing password.-a Spe

Legal NoticeCopyright © 20 09 Red Hat, Inc..The text of and illustrations in this document are licensed by Red Hat under a Creative CommonsAttributio

Parameter Descript ionEntry DN cn=configValid Values on | offDefault Value onSyntax DirectoryStringExample nsslapd-accesslog-logging-enabled: off2.3.1

Table 6.2 0. General ldappasswd OptionsOption Descript ion-3 Specifies that hostnames should be checked in SSLcertificates.-D Specifies the distingui

for the browser. For example:-P /security/cert.dbThe client security files can also be stored on theDirectory Server in the /etc/dirsrv/slapd-instance

Table 6.2 1. SASL OptionsOption Description-o Specifies SASL options. T he format is -osaslOption=value. saslOption can have one of sixvalues: mech,

Exa mple 6.4 . User Authenticating Wit h a User Certifica te a nd Changing His PasswordA user, tuser4 , authenticates with the user certificate and ch

Table 6.2 2. ldif Opt ionsOption Description-b Specifies that the ldif utility should interpret theentire input as a single binary value. If -b is no

NOTEThe index file options, listed in Table 6.25, “Index File Options ”, are meaningful only when thedatabase file is the secondary index file.Table

Exa mple 6.13. Displaying the Change log File Cont entsdbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/c1a2fc02-1d11b2-8018afa7-fdce000_424c

Chapter 7. Command-Line ScriptsThis chapter provides information on the scripts for managing Red Hat Directory Server, such asbacking-up and restoring

Table 7.2 . Pe rl Scripts in /usr/lib/dirsrv/slapd- instance_name or/usr/lib64 /dirsrv/slapd-instance_namePerl Script Descript ionbak2db.pl Restores

This section covers the following scripts:Section 7.3.1, “bak2db (Restores a Database from Backup)”Section 7.3.2, “cl-dump (Dumps and Decodes the Chan

Parameter Descript ionEntry DN cn=configValid Range 0 through 23Default Value 0Syntax IntegerExample nsslapd-accesslog-logrotationsynchour: 232.3.1.12

OptionsWithout the -i option, the script must be run when the Directory Server is running from a location fromwhich the server's changelog direct

Either the -n or the -s option must be specified. By default, the output LDIF will be stored in one file. Tospecify the use of several files, use the

Table 7.7 . db2index Opt ionsOption Description-n backendInstance Gives the name of the instance to be reindexed.-s includeSuffix Gives suffixes to

Synta xds_removal [ -f ] -s instance_name -w manager_passwordOptions Option Pa ramet er Descript ion-f Forces the removal of theinstance. This can be

Table 7.9 . ldif2db OptionsOption Description-c Merges chunk size.-E Encrypts data during import. T his option is usedonly if database encryption is

Retrieves performance monitoring information using the ldapsearch command-line utility.Synta xm onitormonitor OptionsThere are no options for this scr

[connection]host:port:binddn:bindpwd:bindcerthost:port:binddn:bindpwd:bindcert...[alias]alias = host:portalias = host:port...[color]lowmark = colorlow

log in, use this script to compare the user's password to the password stored in the directory.Synta xpwdhash [ -D config_directory ] [ -H ] [[ -

Synta xsaveconfigOptionsThere are no options for this script.7.3.16. start- slapd (St arts the Directory Server)Starts the Directory Server. It might

7.3.19. vlvindex (Creat es Virtual List View Inde xes)To run the vlvindex script, the server must be stopped. The vlvindex script creates virtual list

Valid Range -1 | 1 to the maximum 32 bit integer value(2147483647), where a value of -1 means the logfile is unlimited in size.Default Value 100Syntax

Synta xbak2db.pl [ -v ] -D rootdn { -w password | -w - | -j filename } -a backupDirectory [ -t databaseType ] [ -n backend ]OptionsThe script bak2db.p

Table 7.1 9. cl-dump.pl comma nd opt ionsOption Description-c Dumps and interprets change sequence numbers(CSN) only. This option can be used with or

Synta xdb2index.pl [ -v ] -D rootdn { -w password | -w - | -j filename } -n backendInstance [ -t attributeName(:indextypes(:mathingrules)) ] [ -T vlvA

Table 7.2 2. db2ldif.pl Opt ionsOption Description-1 Deletes, for reasons of backward compatibility,the first line of the LDIF file that gives the ve

Table 7.2 3. fixup-memberof.pl OptionsOption Description-b baseDN The DN of the subtree containing the entries toupdate.-D rootdn Gives the user DN w

Table 7.2 4 . ldif2db.pl Opt ionsOption Description-c Merges chunk size.-D rootdn Specifies the user DN with root permissions,such as Directory Manag

Table 7.2 5. Informat ion Extracted from Access Logs Number of restarts Total number of connections Total operations requested Total results returned

Table 7.2 6. logconv.pl OptionsOption Description-d mgrDN Specifies the distinguished name (DN) of theDirectory Manger in the logs being analyzed. Th

Table 7.2 7. logconv.pl Options to Displa y OccurrencesOption Descriptione Lists the most frequent error and return codes.f Lists the bind DNs with t

Option Alternat eOptionsDescript ionGeneral.ConfigDirectoryAdminPwd=password Required. This is the password for theconfiguration directory administrat

The nsslapd-allow-unauthenticated-binds attribute sets whether to allow an unauthenticated bindto succeed as an anonymous bind. By default, unauthenti

IMPORTANTDo not run setup-ds-adm in.pl for the new Directory Server 8.1 instance before running themigration script if you are migrating from a 7.1 se

number of d's increases the debug level.--logfile name -l T his parameter specifies a log file to whichto write the output. If this is not set, t

Table 7.2 9. ns-act ivate.pl Opt ionsOption Description-D rootdn Specifies the Directory Server user DN with rootpermissions, such as Directory Manag

Table 7.31. ns-newpwpolicy.pl Opt ionsOption Description-D rootdn Specifies the Directory Server user DN with rootpermissions, such as Directory Mana

database files, like cert8.db and key3.db, are not removed, so the remaining instance directory isrenamed removed.slapd-instance.Synta xrem ove-ds.pl

Configurat ion File FormatThe configuration file defines the following:The connection parameters for connecting to the LDAP servers to get replication

A shadow port can be set in the replication monitor configuration file. For example:host:port=shadowport:binddn:bindpwd:bindcertWhen the replication m

Options Option Alt ernate Opt ions Description--silent -s This runs the register script insilent mode, drawing theconfiguration information from afile

Synta xsetup-ds-admin.pl [ --debug ] [ --silent ] [ --file=name ] [ --keepcache ] [ --log=name ] [ --update ]Options Option Alt ernate Opt ions Descri

IMPORTANTNever run verify-db.pl when a modify operation is in progress. T his command calls theBerkeleyDB utility db_verify and does not perform any l

Example nsslapd-auditlog-list: auditlog2,auditlog32.3.1.22. nsslapd- auditlog-logexpirationtime (Audit Log Expira tion T ime)This attribute sets the m

Using the ns-slapd Command-Line UtilitiesChapter 7, Command-Line Scripts discussed the scripts for performing routine administration tasks onthe Red H

Table A.1. db2 ldif OptionsOption Description-a outputFile Defines the output file in which the server savesthe exported LDIF. This file is stored by

OptionsTable A.2. ldif2db Opt ionsOption Description-d debugLevel Specifies the debug level to use during runtime.For further information, refer to S

ns-slapd archive2db -D configDir -a archiveDirOptionsTable A.3. archive2db OptionsOption Description-D configDir Specifies the location of the server

Table A.5. db2 index Opt ionsOption Description-d debugLevel Specifies the debug level to use during indexcreation. For further information, refer to

All IDs ThresholdReplaced with the ID list scan limit in Directory Server version 7.1. A size limit which is globallyapplied to every index key manage

bind distinguished nameSee bind DN.bind DNDistinguished name used to authenticate to Directory Server when performing an operation.bind ruleIn the con

supplier server then replays these modifications on the replicas stored on replica servers or onother masters, in the case of multi-master replication

DdaemonA background process on a Unix machine that is responsible for a particular system task.Daemon processes do not need human intervention to cont

DNSDomain Name System. T he system used by machines on a network to associate standard IPaddresses (such as 198.93.93.10) with hostnames (such as www.

This attribute sets the maximum amount of disk space in megabytes that the audit logs are allowed toconsume. If this value is exceeded, the oldest aud

Generic Security Services. The generic access protocol that is the native way for UNIX-basedsystems to access and authenticate Kerberos services; also

location of a machine on the Internet (for example, 198.93.93.10).ISOInternational Standards Organization.Kknowle dge re fe rencePointers to directory

managed objectA standard value which the SNMP agent can access and send to the NMS. Each managedobject is identified with an official name and a numer

The server containing the database link that communicates with the remote server.Nn + 1 directory problemThe problem of managing multiple instances o

requested.Pparent accessWhen granted, indicates that users have access to entries below their own in the directory treeif the bind DN is the parent of

PTAMechanism by which one Directory Server consults another to check bind credentials. Alsopass-through authentication.PTA directory serverIn pass-thr

Replication configuration where replica servers, either hub or consumer servers, pull directorydata from supplier servers. This method is available on

Serve r ConsoleJava-based application that allows you to perform administrative management of your DirectoryServer from a GUI.server daemonThe server

master agent. Also called a subagent.SSLA software library establishing a secure connection between two parties (client and server)used to implement H

target entryThe entries within the scope of a CoS.TCP/IPTransmission Control Protocol/Internet Protocol. T he main network protocol for the Internet a

2.3.1.29. nsslapd- auditlog-logrotat ionsyncmin (Audit Log Rotat ion Sync Minute)This attribute sets the minute of the day for rotating audit logs. T

01common.ldif- ldif files, LDIF and Schema Configuration Files05rfc224 7.ldif- ldif files, LDIF and Schema Configuration Files05rfc2927.ldif- ldif fil

- B4 , Common Connection Codes- P2 , Common Connection Codes- T1 , Common Connection Codes- T2 , Common Connection Codes- U1 , Common Connection Codes

changeLog, changeLogchangelog configura tion at tributes- changelogmaxentries, nsslapd-changelogmaxentries (Max Changelog Records)- nsslapd-changelogd

- nsInstance, cn=export- nsNoWrap, cn=export- nsPrintKey, cn=export- nsUseId2Entry, cn=export- nsUseOneFile, cn=export- configuration entry, cn=export

- SNMP configuration entries, cn=SNMPcn=t asks- attributes- cn, Task Invocation Attributes for Entries under cn=tasks- nsTaskCancel, T ask Invocation

- restoreconfg , restoreconfig (Restores Administration Server Configuration)- saveconfig , saveconfig (Saves Administration Server Configuration)- st

configurat ion entrie s- modifying using LDAP, Modifying Configuration Entries Using LDAP- restrictions to modifying, Restrictions to Modifying Config

- nsDumpUniqId, cn=export- nsExcludeSuffix, cn=import, cn=export- nsExportReplica, cn=export- nsFilename, cn=import, cn=export- nsImportChunkSize, cn=

- nsslapd-changelogmaxentries, nsslapd-changelogmaxentries (Max Changelog Records)- nsslapd-config, nsslapd-config- nsslapd-conntablesize, nsslapd-con

- nsslapd-schema-ignore-trailing-spaces, nsslapd-schema-ignore-trailing-spaces (IgnoreTrailing Spaces in Object Class Names)- nsslapd-schemacheck, nss

2.3.1.33. nsslapd-audit log-maxlogsperdir (Audit Log Ma ximum Number of Log Files)This attribute sets the total number of audit logs that can be conta

- nsAttributeEncryption, Database Attributes under cn=attributeName, cn=encryptedattributes, cn=database_name, cn=ldbm database, cn=plugins, cn=config

- dbcachetries, Database Attributes under cn=monitor, cn=ldbm database, cn=plugins,cn=config- dbfilecachehit, Database Attributes under cn=monitor, cn

cn=ldbm database, cn=plugins, cn=config- nsslapd-db-page-rw-evict-rate, Database Attributes under cn=database, cn=monitor,cn=ldbm database, cn=plugins

- quick reference, Command-Line Scripts Quick Referencedbcachehit ratio attribute, Da tabase Attribut e s under cn=monit or, cn=ldbm database,cn=plugi

- quick reference, Command-Line Scripts Quick Referenceds_re moval command-line utility- options, ds_removal- syntax, ds_removaldTableSize att ribute

- configuration of, Configuration of IndexesJjpeg images, ldifLLDAP- modifying configuration entries, Modifying Configuration Entries Using LDAPLDAP D

- 20subscriber.ldif, LDIF and Schema Configuration Files- 25java-object.ldif, LDIF and Schema Configuration Files- 28pilot.ldif, LDIF and Schema Confi

mult i-mast er replication change log- changelog, cn=changelog5Nnba ckends at t ribute, cn=monitornewRdn, newRdnnewSuperior, newSuperiorns-accountst a

nsDatabaseType s, cn=backup, cn=rest orensDelete Count at tribute , Da tabase Link At tributes under cn=monitor, cn=databaseinst ance name, cn=chainin

nshoplimit att ribute, nshoplimitnsImport ChunkSize, cn=importnsImport IndexAt trs, cn=importnsIncludeSuffix, cn=import, cn=exportnsIndexAt tribute, c

Example /etc/dirsrv/slapd-phonebook2.3.1.36. nsslapd-ce rtmap- base dn (Certificate Map Se arch Base)This attribute can be used when client authentica

nsslapd- accesslog-logrotationt ime att ribute, nsslapd-accesslog-logrotat iontime(Access Log Rotat ion Time)nsslapd- accesslog-maxlogsize attribute,

cn=monitor, cn=ldbm dat abase , cn=plugins, cn=confignsslapd- db-cache-try att ribute, Dat abase Attributes unde r cn=database , cn=monit or,cn=ldbm d

nsslapd- db-verbose at tribute, nsslapd- db-verbosensslapd- dbcache size attribute, nsslapd- dbcache sizensslapd- dbncache attribute, nsslapd-dbncach

nsslapd- maxsasliosize att ribute, nsslapd- maxsasliosize (Maximum SASL Packet Size)nsslapd- maxthreadsperconn a ttribute , nsslapd-maxt hreadspercon

nssnmplocation a ttribut e, nssnmplocationnssnmpmast erhost a ttribut e, nssnmpmaste rhostnssnmpmast erport att ribute, nssnmpmast erportnssnmporganiz

passwordInHistory attribut e, passwordInHistory (Number of Passwords to Remember)passwordLockout at t ribute, passwordLockout (Account Lockout)passwo

name, cn=chaining database, cn=plugins, cn=config- nsAbandonedSearchCheckInterval, nsAbandonedSearchCheckInterval- nsActiveChainingComponents, nsActiv

database, cn=plugins, cn=config- nsslapd-db-durable-transactions, nsslapd-db-durable-transactions- nsslapd-db-hash-buckets, Database Attributes under

- nsTimeLimit, nsTimeLimit- nsTransmittedControls, nsT ransmittedControls- nsUnbindCount, Database Link Attributes under cn=monitor, cn=database insta

repl-monit or.pl- command-line perl script, repl-monitor.pl (Monitors Replication Status)- quick reference, Command-Line Scripts Quick Referencereplic

This attribute sets whether change sequence numbers (CSNs), when available, are to be logged in theaccess log. By default, CSN logging is turned on.Pa

retro changelog plug-in configuration a ttribute s- nsslapd-changelogdir, nsslapd-changelogdirretryCountReset T ime, retryCount ResetTimeSSASL configu

SNMP configura tion at tributes- nssnmpcontact, nssnmpcontact- nssnmpdescription, nssnmpdescription- nssnmpenabled, nssnmpenabled- nssnmplocation, nss

TtargetDn, t argetDntotalConnections att ribute, cn=monit ortrailing space s in object class names, nsslapd- schema- ignore -tra iling-spaces (IgnoreT

AbstractThis reference covers the server configuration and the command-line utilities. It is designed primarily fordirectory administrators and experi

Table 2.6 . Possible Combinat ions for nsslapd-errorlog Configura tion Att ributesAttribute s in dse.ldif Value Logging enabled or disablednsslapd-er

Entry DN cn=configValid ValuesDefault Value NoneSyntax DirectoryStringExample nsslapd-errorlog-list: errorlog2,errorlog32.3.1.4 6. nsslapd- errorlog-l

This attribute sets the minimum allowed free disk space in megabytes. When the amount of free diskspace falls below the value specified on this attrib

attribute value to 1 or set the nsslapd-errorlog-logrotationtime attribute to -1. The server checksthe nsslapd-errorlog-maxlogsperdir attribute first,

2.3.1.58. nsslapd- errorlog-mode (Error Log File Permission)This attribute sets the access mode or file permissions with which error log files are to

Default Value 0Syntax IntegerExample nsslapd-idletimeout: 02.3.1.61. nsslapd- inst ance dir (Instance Direct ory)This attribute is deprecated. There a

Default Value offSyntax DirectoryStringExample nsslapd-ldapiautobind: off2.3.1.65. nsslapd- ldapientrysearchba se (Sea rch Base for LDAPI Aut hentica

2.3.1.69. nsslapd- ldapimaprootdn (Autobind Mapping for Root Use r)With autobind, a system user is mapped to a Directory Server user and then automat

Parameter Descript ionEntry DN cn=configValid Values Any local hostname, IPv4 or IPv6 addressDefault ValueSyntax DirectoryStringExample nsslapd-listen

Entry DN cn=configValid Range 0 - 2 gigabytes (2,147,483,647 bytes)Zero 0 means that the default value should beused.Default Value 2097152Syntax Integ

Table of ContentsAbout T his Reference1. Directory Server Overview2. Examples and Formatting2.1. Command and File Examples2.2. T ool Locations2.3. LDA

When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize limit, the serverimmediately disconnects the client and logs a message to the

system; make sure no other application is attempting to use the same port number. Specifying a portnumber of less than 1024 means the Directory Serve

entries:ou=People,dc=example,dc=combut the request is for this entry:ou=Groups,dc=example,dc=comIn this case, the referral would be passed back to the

nsslapd-reservedescriptor = 20 + (NldbmBackends * 4) + NglobalIndex +ReplicationDescriptor + ChainingBackendDescriptors + PTADescriptors + SSLDescript

attribute. When viewed from the server console, this attribute shows the value * * * ** . When viewedfrom the dse.ldif file, this attribute shows the

An error is returned by default when object classes that include trailing spaces are added to an entry.Additionally, during operations such as add, mo

Default Value replication-onlySyntax DirectoryStringExample nsslapd-schemareplace: replication-only2.3.1.100. nsslapd-securelistenhostThis attribute a

NOTEA value of -1 on this attribute in dse.ldif file is the same as leaving the attribute blank in theserver console, in that it causes no limit to be

Example nsslapd-threadnumber: 602.3.1.106. nsslapd-timelimit (T ime Limit)This attribute sets the maximum number of seconds allocated for a search req

Syntax DirectoryStringExample nsSSLclientauth: allowed2.3.1.111. passwordAllowChangeT imeThis attribute specifies the length of time that must pass be

3.1.7. Case Exact String Syntax Plug-in3.1.8. Case Ignore String Syntax Plug-in3.1.9. Chaining Database Plug-in3.1.10. Class of Service Plug-in3.1.11.

password expires using the passwordMaxAge attribute.For more information on password policies, see the "Managing Users and Passwords" chapte

stored passwords. Set the number of old passwords the Directory Server stores using the passwordInHistory attribute.For more information on password p

Entry DN cn=configValid Values on | offDefault Value onSyntax DirectoryStringExample passwordLockout: off2.3.1.124 . passwordLockoutDurat ion (Lockout

Valid Range 0 to 64Default Value 0Syntax IntegerExample passwordMaxRepeats: 12.3.1.128. passwordMin8Bit (Password Synt ax)This sets the minimum numbe

2.3.1.132. PasswordMinDigits (Pa ssword Synta x)This sets the minimum number of digits a password must contain.Parameter Descript ionEntry DN cn=confi

2.3.1.137. PasswordMinUppers (Password Synt ax)This sets the minimum number of uppercase letters password must contain.Parameter Descript ionEntry DN

This is an operational attribute, meaning its value is managed by the server and the attribute is notreturned in default searches.Parameter Descript i

Example passwordWarning: 864002.3.1.14 5. retryCountRese t T imeThis attribute specifies the length of time that passes before the passwordRetryCount

2.3.2.2. nsslapd- changelogmaxage (Max Cha ngelog Age )This attribute sets the maximum age of any entry in the changelog. The changelog contains a rec

This attribute defines a time, in a YYMMDDHHMMSS format, when the entry was added.OID 2.16.840.1.113730.3.1.77Syntax DirectoryStringMulti- or Single-V

3.6.2. nsslapd-changelogmaxage (Max Changelog Age)3.7. Distributed Numeric Assignment Plug-in Attributes3.7.1. dnaFilter3.7.2. dnaMagicRegen3.7.3. dna

2.3.3.1 . nsSSLSessionTimeoutThis attribute sets the lifetime duration of a TLS/SSL. T he minimum timeout value is 5 seconds. If asmaller value is set

Parameter Descript ionEntry DN cn=encryption, cn=configValid Values For SSLv3: rsa_null_md5 rsa_rc4_128_md5 rsa_rc4_40 _md5 rsa_rc2_40_md5 rsa_des_sha

Windows synchronization agreement attributes are stored under cn=syncAgreementName, cn=replica, cn=suffix,cn=m apping tree,cn=config.2.3.6. Suffix Con

cn=configValid Values 0 | 10 means no changes are logged1 means changes are loggedDefault Value 0Syntax IntegerExample nsDS5Flags: 02.3.7.2. nsds5Debu

Example nsDS5ReplicaBindDN: cn=replication manager,cn=config2.3.7.6. nsDS5ReplicaChangeCountThis read-only attribute shows the total number of entries

This attribute controls the maximum age of deleted entries (tombstone entries) and state information.The Directory Server stores tombstone entries and

cn=configValid Range 0 to maximum 32-bit integer (2147483647) insecondsDefault Value 864 00 (1 day)Syntax IntegerExample nsDS5ReplicaT ombstonePurgeIn

Default ValueSyntax DirectoryStringExample cn: MasterAtoMasterB2.3.8.2. de scriptionFree form text description of the replication agreement. T his att

Default Value 3Syntax IntegerExample nsDS5ReplicaBusyWaitT ime: 32.3.8.6. nsDS5ReplicaChangesSe ntSinceStart upThis read-only attribute shows the numb

Parameter Descript ionEntry DN cn=ReplicationAgreementName, cn=replica,cn=suffixDN, cn=mapping tree, cn=configValid Values YYYYMMDDhhmmssZ is the date

7.3.16. start-slapd (Starts the Directory Server)7.3.17. stop-slapd (Stops the Directory Server)7.3.18. suffix2instance (Maps a Suffix to a Backend Na

Parameter Descript ionEntry DN cn=ReplicationAgreementName, cn=replica,cn=suffixDN, cn=mapping tree, cn=configValid Values 0 (no replication sessions

2.3.8.19. nsDS5ReplicaSessionPauseT imeThis attribute sets the amount of time in seconds a supplier should wait between update sessions. T hedefault v

Syntax IntegerExample nsDS5ReplicaT imeout: 6002.3.8.22. nsDS5ReplicaTransportInfoThis attribute sets the type of transport used for transporting data

Windows Active Directory servers.Table 2.7 . List of Attribute s Sha red Betwee n Replication and Synchronizat ion Agreementscn nsDS5ReplicaLastUpdat

Valid Values on | offDefault ValueSyntax DirectoryStringExample nsDS7NewWinUserSyncEnabled: on2.3.9.5. nsds7WindowsDomainThis attribute sets the name

This attribute lists open connections. T hese are given in the following format:connection: A:YYYYMMDDhhmmssZ:B:C:D:EFor example:connection: 31:200102

threadsThis attribute shows the number of threads used by the Directory Server. T his should correspond to nsslapd-threadnumber in cn=config.nba ckEnd

Example nsSaslMapRegexString: \(.*\)2.3.13. cn=SNMPSNMP configuration attributes are stored under cn=SNMP,cn=config. The cn=SNMP entry is aninstance o

Parameter Descript ionEntry DN cn=SNMP, cn=configValid Values machine hostname or localhostDefault Value <blank>Syntax DirectoryStringExample ns

Table 2.8 . SNMP Statistic Att ributesAttribute Descript ionAnonymousBinds This shows the number of anonymous bindrequests.UnAuthBinds This shows the

About This ReferenceRed Hat Directory Server (Directory Server) is a powerful and scalable distributed directory serverbased on the industry-standard

2.3.15. cn=tasksSome core Directory Server tasks can be initiated by editing a directory entry using LDAP tools. Thesetask entries are contained in cn

Syntax case-exact stringExample nsTaskStatus: Loading entries...nsT askLogThis entry contains all of the log messages for the task, including both wa

Parameter Descript ionEntry DN cn=task_name, cn=task_type, cn=tasks,cn=configValid Values 0 to the maximum 32 bit integer value(2147483647)Default Val

nsUniqueIdGenerator, analogous to the -g option to generate unique ID numbers for the entriesnsUniqueIdGeneratorNamespace, analogous to the -G option

Example nsImportChunkSize: 10nsImport IndexAt trsThis attribute sets whether to index the attributes that are imported into database instance.Paramete

nsExportReplica, analogous to the -r option, to indicate whether the exported database is used inreplicationnsPrintKey, analogous to the -N option, to

Valid Values true | falseDefault Value falseSyntax Case-insensitive stringExample nsUseOneFile: truensExport Re plicaThis attribute identifies whether

the parameters of the task and initiates the task. As soon as the task is complete, the task entry isremoved from the directory.The cn=backup entry is

nsArchiveDirThis attribute gives the location of the directory to which to write the backup.Parameter Descript ionEntry DN cn=task_name, cn=restore, c

Syntax Case-insensitive string, multi-valuedExamplensIndexAttribute: "cn:pres,eq"nsIndexAttribute: "description:sub"nsIndexVLVAttr

Monospace with abackgroundThis type of formatting is used for anything entered or returned in acommand prompt.Italicized text Any text which is italic

Syntax DirectoryStringExample cn: example reload task IDsche madirThis contains the full path to the directory containing the custom schema file.Param

The unique ID generator configuration attributes are stored under cn=uniqueid generator,cn=config. T he cn=uniqueid generator entry is an instance of

topOID2.16.840.1.113730.3.2.40Required Attribute sAttribute Definit ionobjectClass Gives the object classes assigned to the entry.Allowed At tributesA

2.16.840.1.113730.3.2.104Required Attribute sAttribute Definit ionobjectClass Defines the object classes for the entry.cn Gives the common name of the

Superior ClasstopOID2.16.840.1.113730.3.2.103Required Attribute sobjectClass Defines the object classes for the entry.cn Used for naming the replicati

attributes for this object class are in chapter 2 of the Red Hat Directory Server Configuration, Command,and File Reference.This object class is defin

(RUV).nsds7DirectoryReplicaSubtree Specifies the Directory Server suffix (root or sub)that is synced.nsds7DirsyncCookie Contains a cookie set by the s

This object class is defined in Directory Server.Superior ClasstopOID2.16.840.1.113730.3.2.39Required Attribute sAttribute Definit ionobjectClass Give

in after the lockout period.passwordLockoutDuration Sets the time, in seconds, that users will belocked out of the directory.passwordCheckSyntax Ident

cn Specifies the common name of the entry.Allowed At tributesAttribute Definit iondescription Gives a text description of the entry.l (localityName) G